Hello!
When I was creating a CTF for a conference, I’ve finally got to learn about how blockchain and smart contracts actually works in practice, and the whole concept is simply brilliant. A quick introduction for those unfamiliar with it would be in this summary, but just to summarize how I basically understand it, blockchain is simply a VM that runs code (smart contracts) a both the code, and result of every execution of it is calculated by a bunch of users (so, mining is basically running a VM) and appended into the blockchain based on some kind of consensus and proof of work. This means that you get a single source of truth and history of every execution of a smart contract that is decentralized and you can rely on it.
But, almost every use of blockchain or smart contracts I have seen has pretty large issues either in sustainability in the long term, or in cases where you simply need some form of an authority to prevent and punish misuse. While I’m not really that much familiar with every use of blockchain so far, I will first list what I’ve already thought about or seen, and the main issues that I think are a deal-breaker for choosing blockchain for that kind of tasks. It’s possible that some of the issues are wrong or have already been solved, so please correct me if I’m wrong - my knowledge of blockchain isn’t really that in-depth.
First and the most common use is the one you are probably most aware of - cryptocurrencies. If I ignore the biggest and most unfortunate issue of cryptocurrencies turning into an investment-only product, with hugely volatile and inflated price that is not backed by any kind of real value (sure, you can pay with BTC, but it’s slow, expensive and super volatile to be useful, so the only real use is to literally sell it to others for a profit - which also basically means you are scamming someone out of their money down the line), I see the following problems with using blockchain for currencies:
- Longevity - The ledger size is already getting massive, only after a few year. It’s not sustainable, and it will eventually be really hard to keep the whole ledger at a large enough number of places to not run into problems of integrity. It’s growing exponentionally, and is at around 500Gb after around 10 years.
- Gas cost - It’s getting harder and harder to mine and confirm new transactions, which increases the cost while also making less people able to mine new transactions without being at a loss. This will only get worse, and eventually lead to the 50% problem (if someone controls 50%+ of mining nodes, he can confirm fake transactions or do whatever he wants with the blockchain) being a real issue.
- Lack of moderation - This may be one of the more controversial issues, because it goes directly against the whole idea of cryptocurrencies, but is one of the biggest problems I see that are in the way of crypto being able to be considered for wider use. We live in a world where some people are dicks that are not afraid to steal and cheat, and something like a currency simply has to be moderatable. You need to be able to punish criminals, and take back what they have stolen. If someone doesn’t pay their debts and owns me money, the government should be able to just take the money if they have them. If someone uses an account for scamming and stealing, it should be possible to freeze it.
The last issue will eventually show in most of the other uses of blockchain as well, and while I have included it, I’m still not sure how I feel bout it. In an ideal world, you would not have to deal with something like this. I would also really like to have an option to do my transactions privately, without anyone being able to profile my behavior and data, but such a system would have to allow for some safeguards against missuse to be widely adoptable. (Which is an interresting off-topic question - would it be possible to create a system that is private, but also has the possibility for trusted authorities to freeze accounts and force transactions?) And the more that I think about it, the more I’m certain that I’d rather have a centralized system where you can punish criminals and scammers, than a system where lives of people are regularly ruined by someone stealing all of their savings unpunished. But it is a thin line - I only say that because I live in a country that is all-right and I can trust my government - for now. But I definitely agree that such a private unmoderated option should exist - but can’t be considered for widespread use, which I’ve heard some people say that “crypto will replace cash in a few years”. And this is why it never will, IMO. But this discussion shouldn’t be about whether this is a good opinion or not - but more about “what blockchain is a good tool for”.
Next one are NFTs. I will just quickly gloss over them, because they are even bigger scam than crypto is. Ever heard someone say “Someone has copied and minted my NFT?”. Well, it’s a shame that there isn’t some kind of centralized authority that could, you know, not allow them to do that.
Another use I’ve heard someone praise as “the future” was lending money. I’m not sure what were they talking about, but the whole point was that you can… Escrow an amount you are borrowing, and then borrow the same amount? It didn’t make any sense, so I guess I’m missing something, but then again - we have the same issues as above, while also it being just a bizare idea - why simply not use the amount you already have? The person tried to explain it to me, but it just feels gimmicky. And if you escrow a lesser amount, you then have the same problem with moderation as above - nothing can force you to return the money (unless it is already escrowed, but then, why??)
So far, every use of blockchain I have heard about would be better done in a centralized fashion, especially as far as longevity is concerned. The growing ledger size and increasing gas cost, along with the 50% problem simply makes most of these kind of uses too impractical to work on a larger scale.
But I really like the concept and idea of smart contracts, and I’m sure there has to be some kind of use that is not as “revolutionary” or large scale. I’m just having hard time coming up with any.
I have only one - voting, and maybe transparent randomization (i.e lottery). Smart contracts are an amazing way to collect votes transparently but privately, since you can be sure that no-one can cheat, if you set it up properly. It’s also something that doesn’t suffer from the longevity problem, because it’s more of a one-shot use of blockchain, rather than something ongoing - which also justifies the price.
(tl;dr feel free to start here:) Which is what I’m interested in - does any of you have similar ideas for use of smart contracts and blockchain, that would be practical in a daily live? Be it one-shot smart contracts for a small task, such as voting or random winner selection, maybe some kind of escrow. It doesn’t have to be a “society changing system”, or something revolutionary. A common small code snippets or apps that would solve the trust issue inherent to a centralized task is what I’m after - but have hard time coming up with.
And just a disclaimer - I don’t plan on building anything and am not fishing for the next blockchain thing, I barely even understand it. I would just like to incorporate blockchain into my programming repertoire as a tool, because the concept feels so clever, but is also misused or misunderstood due to hype, but it has to have it’s uses that are overshadowed by people jumping on the blockchain bandwagon without considering whether it’s really the best tool for the job.
But is has to be a good tool for some kind of problems, right? And I would like to start a discussion about what would that be, without it being affected by the hype and reputation surrounding blockchain. I feel like that would be an interesting though exercise, and I’m sure we can come up with some interesting little uses here and there, without it being gimmicky but actually the best tool for the job.
Thank you!
EDIT: And I’d like to add that I never got into the blockchain hype, and my opinion on how it’s used so far is mostly negative. If a product mentions blockchain, I usually just avoid it as a gimmick. But that’s why I’m genuinely interested in this discussion - I don’t judge a tool about how people misuse it.
Blockchain and/or smart contracts try to solve problems that were already solved in multiple ways by adding a ton of overhead that makes them unable for large scale deployment and long term usage.
Here’s what’s stupid about the people who say that blockchain will revolutionize the financial sector: why add a blockchain and all the computing power to store transactions when you can take the obviously efficient route and simply store transactions on a SQL database? Before anyone screams the word “decentralization” do you really think banks will cease to exist? NO. The most likely scenario - if people keep pushing this bullshit - will be to have some kind of closed blockchain that banks use to transact money, so it essentially becomes the same thing we’ve now with added overhead, environmental impact and technical complexity. We have efficient system in place with safeguards, operations can be tracked, reversed etc.
Frankly it would be a better use of everyone’s time, money and effort to simply fix the REAL problems in the banking industry, such as the fact that the US still doesn’t have a decently working, standardized digital system to transfer money between account holders in different banks. Europe has this with SWIFT/IBAN and people can transfer money between accounts, banks and countries almost instantly by just providing the amount they want to transfer and an IBAN number (nothing else required). Now tell me, how many people in the US have bank account with IBAN numbers? Most likely only millionaires. The majority of people use a combination of poorly structured system of account and routing numbers that often fail and lead to delays. Oh btw Russia has a similar system to IBAN.
There are tons of other weaknesses in the US banking system around the way credit and debit cards work, for instance why would anyone on their right mind assume that a system where you can provide your credit cards number and CVV/CVC code over a phone to make a transfer wouln’t be abused to scam people and steal money? Then, after decades of fraud, to “alleviate” the issue they decided to create a bunch of companies that offer virtual credit cards with limits. Now let this how with works in most European countries: banks will, most likely, refuse any attempt at charging a physical credit card unless its made on a physical payment terminal with the card actually physical inserted on the thing an a 4 digit PIN code typed in. If you want to buy shit over the internet simply open your bank’s app or website and they’ll have a function to create a single use virtual credit card for the transaction. Way more secure isn’t it? :) Either way most European countries also other systems to handle those kinds of payments eg. the online stores provides you with a specific code and you then can go into any ATM or your Bank’s App, insert the code and make the payment.
As you can see making the banking system efficient and having fast, secure and usable things isn’t about blockchain bullshit, its usually more about common sense and creating standards that companies, such as banks, have to comply with.
Great post.
One of the big things all the crypto shills constantly said was that banks are bad and crypto was the saviour because of the decentralised nature. Then they realised that it was complete shit to use without some sort of centralisation, so they made exchanges……which are just banks with less regulations………and then those exchanges went bust and everyone lost their money and started calling for more regulation 😂
There’s no real world need for blockchain tech.
You don’t need many of the features you listed to make a blockchain. Its basic form is a Merkle tree. For which there are many practical uses, some of which predate Bitcoin, and which you’re probably familiar with.
Git is a blockchain. It’s one of the most important tools for free and open software, which in turn powers huge parts of internet and technology.
Most of the extra stuff (proof of work etc ) were added specifically for crypto.
Many people don’t consider Git to be a blockchain because it lacks more than just proof of work. No argument against merkle tree, but a blockchain is more than a merkle tree, otherwise it would just be called a merkle tree. Part of the issue is I don’t think there’s any real accepted definition for just a simple blockchain.
For example, you can absolutely undo a commit (it’s messy, yes). This is counter to how blockchain operates. Each commit does not rewrite every previous commit.
So git is sort of a precursor to blockchain. Distributed ledger, sure. Blockchain, no.
A blockchain is extremely difficult (virtually impossible) to intentionally tamper with. Git is not. Well, relatively speaking.
You can tamper all you want with a blockchain if you hold the only copy. You just replace it with an earlier state and evolve it into a different direction. Which also applies to git.
Blockchains and git repos are only tamper resistant when they’re distributed.
Blockchain is the generic idea of a distributed, tamper-resistant, independently verified ledger. Git is a practical implementation with specific goals. Merkle trees are the theoretical model. They all refer to the same concept.
You can tamper all you want with git even if you aren’t the only holder. You can make it to any other repos cant merge back in. If you waste a lot of time, you can make commits that will erase known work on other repos. You don’t need to replace it. You can just rewind. Blockchain requires each block to contain a hash of the previous. Git doesn’t really do this. It’d be extremely inefficient. Imagine every commit changes every previous commit.
Blockchains are more than merkle trees. Blockchains is a technology from 2008. Git is much older and again, this is obvious as Torvalds isn’t credited with the invention of blockchain.
Git is not tamper resistant.
I haven’t heard anyone ever refer to git as a blockchain. The main point of “blockchains” is to have a trustless security mechanism, which git doesn’t have. I don’t think blockchain and merkle trees are the same thing at all, even if blockchain uses merkle trees under the hood.
This right here is really the spirit of the post. Yes there’s many impractical applications. Much like there are many impractical applications for RDBMSs, but the tech has such a stank on it, it’s important to remember it’s just a tool that can be useful despite the hype cycle.
Blockchains don’t really have a “stank” on it. It’s just that it’s a technology in search of a problem. Not many issues have been answered with “a complicated linked list across the internet will fix this.” Blockchains are incredibly specific in implementation that you really need something that needs those things. Like someone else mentioned, audit logs actually benefit from the properties of blockchains. You can’t just delete a record without needing to then literally modify every single record before and after it. Blockchain offers security for transactions. It works for finance in the scope of cryptocurrency. But it’s missing many features of other currencies that are provided by central authorities. So it’s essentially incompatible with those other currency systems. Blockchains are great for tracking ownership of a digital thing within its own ecosystem. It sucks at tracking ownership of a thing that exists outside it’s ecosystem (digital or otherwise). This is put on full display with NFTs. Within the world of NFTs it’s easy to prove ownership. Outside that system, I can easily post copies of that digital item. Cryptocurrency is better in that it has no value/representation outside its own system.
So that’s why blockchain is a fairly old technology (relatively speaking) with very little real-world use outside crypto and NFT.
Sorry, I didn’t mean to be dismissive. I wholeheartedly agree with you. What I meant was that it’s a shame I, as an engineer in the year 2023, would have a hard time pitching a blockchain solution to a non-crypto problem to paying customers no matter how fitting the solution might be. I don’t think that’s very disputable. Now this attitude is entirely driven by the last decade of unsubstantiated crypto hype and associated bad faith actors. It has nothing to do with the technology as it is.
There is actually a system in the works called FedNow that banks here can sign up to be a part of to allow national money transfer between any two people. Probably a lot of banks aren’t taking part yet since it’s barely a couple weeks old, but it’s promising.
Just an FYI for those that don’t know - outside of America everyone has been able to transfer money between any 2 people’s banks whenever they want without issue for decades.
Tbf, this isn’t entirely true (it’s as true as it would be for the US). This is more about the time required. Europe has had instant transfers for approximately a decade.
Edit: to be clear, I’m just refuting the plural of the word decade. The US is still behind by quite a bit though.
When we’re getting technical about it being one or two decades behind something as simple as this, we’re at the point where the distinction is irrelevant.
I mean, it’s not. Exaggeration is still lying. 10 years behind technologically is worlds away from 20 years behind. Especially in the government world, regardless of government. It’s still bad. You don’t have to lie and make it look worse. It undermines your own argument when your cited number is off by a 100%.
Australia has instant transfers for 20 years+.
Uh, Australia got them in 2018.
Edit: The NPP was introduced in 2018 which allowed instant transfers in Australia.
See, the other reason I’d like to point these out is that, even in the US, we have “instant transfers” but the banks are actually just covering it essentially. And I think a lot of folks are getting confused with that.
Yes it is, and I hope it actually fixes the issue. But I’m not sure how it works in detail and it doesn’t seem to actually replace the mess that banks made but instead just add a bandage. At least is seem to use ISO 200022 message standards but as I said would it be THAT hard to simply ditch all the crap and model a baking system around what the EU/Russia does? Actually I don’t get why the US can’t just adopt the internationally used SWIFT system and the IBAN improvements that is used by 77 countries world wide for their national and international transfers. This system won’t make the US dependent on anyone as it is mostly a bunch of technical standards and recommendations on how to transfer money between banks.
The US can and does use SWIFT for international transfers. SWIFT doesn’t automatically make something instant. Nor does IBAN since that is just a code.
Standards are as you stated, just standards on defining how to record a transaction. It doesn’t define a system to process these transactions. It’s like a file format. You still need something to process/transfer that file. The EU (currently) relies on SEPA for instant transfers. And it requires both endpoints to use euros.
Instant transfers are not as simple as everyone thinks and most folks don’t actually know what is behind them or how they work. I am far from an expert but I’m just trying to point out it is sort of esoteric stuff and most people don’t even know if the transfer they’re performing is even actually instant or not.
Blockchain would also make it very difficult to have disputes where one must be forced to pay another. It assumes everyone is “equal” and one can’t forcefully take money from another. You can believe that’s great, but garnishment and repossession of funds is a thing that all countries will need to be able to do. That’s a fundamental break in how blockchain effectively works. It works against it.
Edit: I also just realized you’re not pro-blockchain for finance, but my points still stand for the concept in general.
Banks in the EU are required to implement SWIFT and also follow the PSD2 directive that includes the means for “instant transactions”.
My previous posts weren’t about saying that because there’s SWIFT/IBANs the EU has instant transactions, but about the fact that US institutions made a very fragmented mess out of money transactions and the quickest way to get out of it is to adopt the SWIFT/IBAN standards that everyone else use. Why have different messaging standards for national and international transfers? SWIFT/IBAN standards are proven and used by a large number of countries and fixed a ton of messes.
After they clear the account identification scheme mess, they can, then, easily roll out a US version of SEPA. The first step is always standardization and simplification and luckily for the US most of the world has been testing, using and improving the standards for a while.
I agree and share your concerns about blockchain for finance and I know the systems we’ve were designed to avoid those same concerns and get the job done.
Again, US banks do. But SWIFT and IBAN are used almost exclusively for international transactions, EU included. It’s their whole purpose. SEPA exists alongside SWIFT and does not rely on SWIFT. It’s why is so much more restrictive and can only do euro to euro.
The US banks are standardized. That’s not the problem. It’s really control and cost. Like right now, FedNow still costs 4 cents per transaction which is expensive. ACH costs about half that. But it’s also controlled by NACHA instead of the government.
In any case, I’m about as far down this rabbit hole as I’d like to go. We at least agree on blockchains… “usefulness”.
US banks are standardized. That’s not the problem
https://www.tiktok.com/@mel.octavia/video/7264977051441040672
You were saying… :P
I am not on TikTok and it won’t play the whole video, so this does nothing. Its not a useful rebuttal. I’m fine if you want to cite your argument, but this is useless. Who goes around using TikTok as damn evidence. “Hey, look at this random stranger say something.”
Edit: transfers don’t generally fail unless there’s a lack of funds. And that isn’t the definition of standard anyway. Standards can be unreliable. And what is wrong with routing and account? Put together it contains much of the same info as an IBAN.
The US banks are standardized
Are they? Routing and account numbers, transactions that fail often and people complaining all the time. Is that enough standardization, most likely not.
I live in Europe and have some direct experience with how the banking system works (I was pentesting the system that shares transaction data between banks over their closed intranet), and I had no idea that US doesn’t have something like that. That’s interesting, that sounds like a lot of inconveniences.
A closed blockchain doesn’t need or use expensive hashing nor is expensive hashing required for a public blockchain.
Every rant about how blockchains are bad SQL databases is ignorant of the actual, novel uses of a decentralized blockchain and whatever system it uses as proof to find the current block’s validator.
Blockchains allow for the synchronization of many actors up to the agreement of the majority of actors. They eliminate a class of corruption. Which is at least those where the authority over a log of data uses that authority to alter the log outside the will of the majority of those who use said log.
You can make all the arguments you want about the usefulness of that ability, you can make arguments that the cost of adding that ability being too high vs the reward.
You vague argued that its complicated and it wont end banks so its pointless. Neither of which is much of an argument. Also, the blockchain replaces central banks, not member banks.
Is that worth doing? Likely not at the current state of the technology.
Blockchains are only useful in cases where non-repudiability (the ability to prevent users from denying that an event happened) is more important than any other factor. And there are preciously few cases where this is the case, the vast majority being related to audit - tracking receipts, votes, certificates, or similar attestations in an environment where no single party can be trusted. Disclaimer, I’ve worked in the past in projects related to the aforementioned - fortunately all of them related to the field of audit.
Notabaly most of these use cases probably don’t benefit from a public ledger though, in the sense that anyone with enough stake / hardware could be a validator. Exposes you to way too much uncertainty about whether validators will screw you over with Maximal Extractable Value tomfoolery, edit: and is obviously slow and very expensive compared to PoA
Fair enough that! I’m surprised to see so few companies saving up their money and processing time, and just using a private distributed ledger among all parties (plus maybe an arbiter node or two). Probably because Ethereum is better supported commercially (guess why!)
You can run Ethereum in PoA mode though, or at least it used to be possible but I dunno whether they’ve kept the option around (probably?) I think the problem is that many people who set these systems up don’t even know that’s possible, or they’re distribution maximalists who balk at the idea of having a private blockchain where some “higher authority” (gasp!) says who can validate blocks and it’s not just based on how much ETH you have.
I mean, not even I knew that Ethereum could be run in an intranet via Proof of Authority, today I learned something new!
I’m an odd breed of (thankfully former) blockchain consultant in that I’ve got a healthy skepticism about the tech and don’t think that slapping a public blockchain on to everything will magically make it better, so I made my business by having a more in-depth understanding of the various options and what they’re really suitable for. I used to joke that my first advice was always “don’t”, and the second was “no seriously, don’t.”
And an important note is that… For decades we have had paper trails fairly locked down given enough incentive. The technology isn’t the problem with performing audits.
buying drugs and scamming people
oh, and throwing gasoline at an already burning planet
Stop using FIAT then.
lol. lmao
It’s true lol.
Want to explain your rational?
Buying drugs, scamming people is the same use case of FIAT.
Blockchain? Oh, hah, no no… none of us were ever hyping up a tech we didn’t understand as the solution to literally any problem.
Say, have you heard about AI? It’s a revolutionary technology that’s the solution to any problem!
I mean, machine learning can theoretically approximate any computable function given enough time and resources…
I still find the ai program that infers your age based on your age pretty funny :p and it never really get’s it completely.
The only useful use case I’ve seen is for when you absolutely MUST be able to track historic data and ensure edits don’t destroy the original. Blockchain “solves” this by never allowing saved data to be edited.
The only place I’ve seen it actually being used properly for that was within Brazil’s medical vaccine tracking (ptbr article), which is what allowed them to confirm that Bolsonaro falsified his vaccination card. It doesn’t offer details on what kind of protocol it uses, but it could just be a “decentralized, distributed” database, for all intents and purposes.
We’ve had that for literally 40+ years though with CQRS, which is used in every banking system (it’s why your bank can show you every transaction that has happened on your account). It’s also used by airports and airlines. It’s incredibly common tech that doesn’t require a blockchain or decentralization.
I think you are saying the same thing, but it’s less that history can’t be changed and more than all changes are collectively acknowledged. The Brazilian vaccine record shows why that can be a highly desirable attribute; it prevents a class of corruption while also automating the tasks that could have been corrupted.
Blockchains are “just” distributed databases with a guarantee about transaction ordering (doesn’t have to be totally ordered like regular literal chain-of-blocks but eg. some sort of DAG). Then on top of that you have your consensus-forming mechanism like PoW, PoS or PoA (Proof-of-Authority), most of which are designed to work in a network where you don’t trust the participants, except for PoA where nodes that eg. have a cert signed by a specific authority can do validation.
I could see PoA networks being useful for eg. banks, real estate related stuff, DNS (like @jet@hackertalks.com mentioned) etc. Anything where you’d be interested in having all parties agree on some order of transactions, and where validation is only done by trusted actors. DNS-like systems could maybe even be done with public validation, but PoW is out of the question because of the W part, and most PoS-like systems (well, PoW and PoS but still) have lots of problems with validators being incentivized to order transactions in a certain way (“Maximal Extractable Value” et al) that can actually be detrimental to the network (or even consensus) and to the users.
I’m not really super sold on the idea of public blockchain networks where anyone (well, anyone with the means, which is not a small barrier) can be a validator, they mostly seem a bit like a solution looking for a problem. I can easily envision blockchains becoming something like Linux in the sense that they could be used “in the background” in many contexts, but so that us plebs rarely actually have to deal with them (the majority of the Internet runs on some flavor of Linux, but most people don’t “consciously” use it apart from Android which does its damndes to pretend not to be Linux).
Your comment pivoted from smart contracts to the foundations of why blockchains are useful. If we’re going down to strictly what a blockchain can be used for, replacing the web of trust for certificate validation.
Monero is a good example of what digital money should look like. Fungible, not an open ledger, usable like cash is.
If we ever put an authority in a position where they can surgically change things on a distributed ledger. It’s much more efficient to simply have a central ledger controlled by that same authority.
It does get interesting when we look at partitionable blockchains with Central oversight but those are pretty rare. But if you do have a partition will blockchain your the government functions could keep operating if there’s some network partition government event natural disaster communication interruption or say colonies on different planets. That could be interesting.
Yeah my comment was all over the place, but I hope not too much to be totally worthless.
PoA doesn’t mean the validators can change history, at least unless the network is specifically designed for that – which most aren’t, although I’d argue there’s potential use cases for allowing to eg. “undo” transactions, like what your bank does if your credit card number gets stolen.
Re. partitionable chains, it’d be fun to think about how to manage transactions when some nodes are potentially light years away. We already have the “interplanetary file system” after all 😄
Well we kind of already have historical examples of partitionable ledgers. It’s all about the merge. So historical documents written in far off offices merge or central offices. And they just kind of ignored conflict effects.
So if you have a very partitionable environment and we are using a distributed blockchain we might have to do something like record authority moving between partitions. That could be really interesting
Eventual consistency would be really eventual, heh.
And if the network is generally partitioned (or DAG-like I guess?), how do you handle eg. someone hopping on a (slower-than-light! I don’t believe in that FTL nonsense) ship and going from eg. Earth to live on Alpha Centauri? Do they have to bring a part of the DAG with them (or some sort of zk proof of it anyhow) in some form, so that it can be “transplanted” into the consensus on the other end when they arrive?
I can only imagine in such an environment you would have packetized network updates. You wouldn’t try to run a globally consistent ledger. You would bake in the partition network. And if you know somebody’s going to transit from network aid to network b you might sign something you might do a key you might give some sort of authority for this record to now get updated in a different partition. And if that traveled with a human all the better.
I imagine the partitions would also keep best effort consistent copies of other partitions, but they wouldn’t consider them you know up to date for any logistical purpose. So if you had a record that dealt with partition a but you were in partition b you would leverage as much data in partition be as possible and send an update record to a who would be the authority to do the thing and then send you the result.
But that’s a very very very naive approach. I’m sure we could come up with something more interesting. A distributed eventually consistent ledger with very sparse updates. Could get interesting
And this is exactly what I meant when I said that this sort of interstellar networking stuff is super fun to think about 😄
Audit logs and Access control paper trails.
Security event logging has to be:
- Broadly accessible
- Write-protected
- offering some proof of completeness.
These three requirements are tricky and often conflicting. Block-chain might be an inefficient way to achieve these, but the glove does fit quite neatly.
Logistical paperwork
- Purchase Orders/Invoices and packing slips
- Waybills/Bills of lading and CMR’s
These kinds of documents require multiple stages of matching and approval by untrusted 3rd parties. There are dozens of ecosystems of interacting systems that support processing these documents, but most people still use paper. Paper is more reliable when you need to deliver a container full of diapers from Poland to North Sudan. It’s more reliable but incredibly prone to fraud and forgery. Having all of these approvals and transactions tracked on a blockchain and letting different systems interact with the same chain, would make it possible without each ERP having a rest API to each other ERP.
I fail to see what blockchain can provide in the realm of audit logging?
Fundamentally, you need to trust the systems which are logging events to log the correct events at the correct time. How does blockchain change this?
Yeah the problem isn’t the veracity of the logs, it’s providing a mechanism for third parties of proving that the sequence of events in your log hasn’t been tampered with after the fact
Any system which publishes the log to third parties as they are written would do that.
Yeah you’re not wrong, that would be more efficient. Again a blockchain is not an efficient way to do it. But it would be effective.
In practice audit logs are used by and for auditors. Non-technicals that need evidence that would hold up to argument. Yes you could send your logs to a third party. Now you have to prove that third parties trustworthiness twice a year to the standards of each legal entity you operate in. And lawyers are more expensive than blockchain devs haha :p
Having a private blockchain that you can share with several changing parties that can subscribe to it. Without having to update anything about your infrastructure is a benefit.
Even though I’ve lived through several iso 27001 certifications, I’m still walking on thin ice when I say that it would probably easier to explain the blockchain in practice than any other proof of completeness method. Because the public is more aware of it. On the other hand the public is also more skeptical of crypto so it could also backfire :p
How does a private blockchain work? It is my impression that the security of the block chain comes from the difficulty of mining a new block. This in turns depends on having many entities competing for mining the next block because they get some type of financial incentive.
Wouldn’t a private block chain just essentially be like git? In git I can easily rewrite the entire history of my “log” by just rehashing everything. It is just git rebase. For anybody to verify I had not done this, they would always need the newest commit/log entry. So until the time I choose to publish a log entry, I am free to rewrite it and everything after it. Which is exactly the same as if I didn’t use a blockchain.
It just seems like the blockchain solution depends on publishing log entries to a third party as they happen, but once you do that, the problem is already solved and you don’t need a blockchain.
But I might not properly understand how private blockchains work?
The security comes from consensus. Everyone needs to agree about what the truth is. The burden of proof is proportional to the number of peers that need to agree. Public chains require a lot of work to create consensus amongst hundreds of thousands of peers. Let’s say your chain consists of 12 companies all using the same chain to validate and verify each other’s transactions so they are ready for an audit.
Yes, it’s easier to have 12 peers conspire to manipulate the chain than to have 200 000 peers. But making 12 businesses conspire to cook the books is already several orders of magnitude more difficult than the checks and balances we have in place now.
So it is not really private to one business, but shared between a couple handfuls. The consensus of this group is then trusted.
In that case, to write a log entry I would have to publish the log into some mempool shared among the group as it is logged. At this point, each member can just store the log entry and then later verify it of asked. Again, it seems like the entire block chain part of this system is redundant and what is really providing utility is the idea of storing your logs with someone else as you create them so you cannot later claim something didn’t happen.
But just to understand the idea of private blockchains better. Would this be some kind of hardcore “code is law” arrangement where each Company is competing on hash power with all the others to prevent them from rewriting the logs to their advantage (and in the best case being able to rewrite the log to their advantage).
Or is there some a priori agreement on what a reasonable amount of hash power is, that you just hope one company doesn’t choose to outspent by a factor 100 the day they really need to rewrite the log?
I guess in that case it will be clear to everybody what has happened. But if you choose to act on this common sense version of events instead of the “truth of the blockchain consensus” you are, once again, undermining the entire idea of using a block chain.
It’s more about tampering with the audit log. “Company A provided their audit logs to prove their innocence.” Did they? Well. Maybe. How do we know it’s the full log. How do we know it wasn’t altered? Sure, the company can digitally sign it, but what does that prove?
Then sign and send the audit log in realtime to the authority which A provided their logs to. Same effect no blockchain.
You could also encrypt and publish it. But realistically there is always going to be some entity actually responsible for enacting the consequences for non-compliance and they are the only entity that really ever needs to check these logs.
I am not sure I understand what the incentives to “mine” this blockchain would be. Without a certain block difficulty, which requires many miners, it will be trivial to rewrite the entire chain.
Most auditing and insurance companies don’t have a webhook where you can arbitrarily send your logs to. They have humans with eyes and fingers holding risk management and law degrees called auditors. That you need to, with words and arguments,convince of your process integrity. And What happens if you switch insurer or certifier? You probably have to do a ton of IT work to change the format and destination of your logs. And how do you prove that your process was not manipulated during the transition?
What you describe are digital notary services and it’s billion-dollar industry. All they do is be a trusted third party that records process integrity. IAM, change logs, RFCs, financial transactions, incident detection, and response are all sent in real time so you are ready for certification or M&A. Most small and mid-sized enterprises can’t afford that kind of service and are often locked out of certain certifications or insurances or take a huge price cut when acquired.
Something like pooling together resources to a provable immutable log trail isn’t unreasonable.
I’ve given it some though and wouldn’t the fact that the blockchain is public by design be a problem in regard to forward secrecy (I’m not sure I’m using the term right here, but I suppose you get the idea)? If your keys would leak, you are then stuck with a lot of private data leaked without any way how to pull them back.
Not every log needs that kind of security and a chain does not need to be public. You download blocks from peers and do your own accounting.
Nothing is preventing you from only giving access to your chain to a trusted circle of peers.
Something you could do is encrypt your logs and push them to a chain shared by a number of peers who do they same with their own keys. Now you have a pool of accountability buddies, because if someone tries to tamper with the logs, you all hang together.
If you’re doing some spooky stuff and need to prove a high degree of integrity is you could push encrypted logs to a chain. The auditor then can appoint several independent parties whose only job it is to continuously prove the integrity of your logs. After that is proven you can release your keys to the auditor who can inspect your logs knowing that they have been complete and untampered during the audit period.
Again I understand it’s not the most efficient system, but there are less efficient and less flexible systems out there in enterprise land haha
I’m not really well versed in how private blockchains work, but wouldn’t that mean that you also have to mine it yourself (or create your own private mining network), thus making the 50% problem a lot more prominent?
Let’s say a country mandates their Telecom sector to audit it’s transactions. The idea would be to share the network with several peers, your telecoms. In this case “mining” would be verifying the integrity if the chain and can be done by anyone of the peers. The government or auditing authority could also be a peer in the network and they are all capable of verifying the integrity of the chain through “mining”. You are right that it’s easier to have a small group of peers conspire to manipulate the chain. But it’s a lot harder for several telecoms to conspire than for one rogue CFO to cook the books.
In this application you’re not generating ‘valuable’ tokens in the sense bitcoin does it, but the value is the integrity of the chain. People value the proof that no one has redacted or injected any transactions.
The audit logging sounds interesting. If you combine it with some kind of encryption, then I can imagine it working pretty well. Aside from the logistical problems/gas cost, that is.
There is no incentive for adding the friction of gas or PoW for these types of systems.
The parties involved can have a shared log and private keys for signing entries. Party A provides a thing and Party B signs an entry that says they were provided with the thing. Party A can wait for that signed entry before releasing the goods, etc. The problem with block chain to track physical stuff is that that handoffs are not instantaneous, so there’s always lag between the real state of the world and what the log says. In practice, this may be a few seconds, and a human might wait for confirmation before physically granting access to a recipient.
To put it another way, the party that is signing is not incentivized to forge that they have received an object from someone else, as that is effectively the fulfillment of the obligation. They’re only going to sign an entry if they get the object.
Yeah it’s not ideal, but you only need to pay the gas cost when you need to prove integrity and that’s alot cheaper than having to constantly be in sync with the world.
Git
Git is Blockchain and it’s pretty much the only use of the tech I actually see make sense. Most other uses add too much expense where we could just used a trusted ledger. I know people are all about zero trust but the cost benefit of Blockchain doesn’t pan out for almost anything. It’s not hard to develop cheaper ways to trust an actor, such as laws. Which is how we create trust today. When’s the last time your westernized bank stole money from you?
Git is not blockchain. Git is a distributed ledger. You can rewind a git commit if you know what you’re doing. If fit were a blockchain, removing the last commit would corrupt the entire chain. Every transaction is part of building that trust.
Your conclusion of uses of blockchain is spot on though. I also feel it’s extremely expensive and complicated when there are much cheaper and more efficient ways outside of it.
When did this become a thing where people started calling git a blockchain? Git is much older than blockchain. I don’t see anyone giving Torvalds credit for inventing blockchain. Because he didn’t. And git isn’t blockchain. It’s sort of useful as an illustration of how blockchain almost works, except it’s much more efficient because it doesn’t do all the things that blockchain requires.
Well, if you remove a commit in the chain it will disrupt the chain. It’s a DAG where the next commit requires the previous commit to be unchanged. So Git does use essentially a cryptographic chain.
The thing is we don’t care about guessing the next part of the chain, which is where the mining aspect of Blockchain comes into play. So Git does not include validation in it’s process. But if someone does modify something in Git I assure you all of the people who have cloned that repository are able to validate a change happened.
Nobody credits Linus with it because signing things was never a novel idea. The part where you’re mining the next hash is the interesting part of Blockchain that’s not in Git. And that’s also the wasteful silly part.
Not really. You can’t remove the last chain in a blockchain without effecting every single other block. Each block is modified every single time to include the hash of its child. Git is the other way. Each commit includes a hash of its parent. So you can always remove the last one and the branch would be none the wiser.
So git is the exact opposite direction in regards to hashing. It’s a chain, just not in the same way. That’s part of why blockchain transactions are so expensive and git commits are so cheap.
Removed by mod
When NFTs were invented, people imagined them being used for things like titles/deeds. Instant transfer and verifiability would be a huge thing. especially in places that have real estate scams due to the slow/corrupt bureaucracy.
The only use that I’ve thought of over the years is event logging where you need a very high confidence that no one has tampered with the logs.
A good while back I read a paper, blog post…I read something somewhere a while back that laid out an interesting use case involving vehicular service records for fleet vehicles. And I know exactly about as much about blockchain then, as I do now, but I did spend some time in fleet logistics for a large scale service company with about 20+ field vans and at the time, the notion seemed compelling and interesting on the face of it.
After a very brief google, it seems the topic has been widely written about but nothing in depth compared to the piece I read all those years ago (which felt more like a full on white-paper). Looking around and will edit the comment if I find it so the people in the room who are smarter than I am can weigh in.
I don’t know much about the topic in depth, but I can tell you the greatest problem with using a blockchain for such record keeping: there is no way to ensure that the service that was recorded in the blockchain actually matches the service that was performed. And this is the same problem that every single record keeping system has, so it’s not unique, but simply because of this all the greater reliability of the blockchain is meaningless.
gitIts backing store is an (immutable) merkle tree, which is a chain of crypographically signed object (commits, trees and blob), aka a chain of block, aka a blockchain.
Name lookups. Like DNS.
If you have a trusted Oracle on whatever chain you’re using, then your smart contracts can start working with real world data. And that opens up lots of possibilities. Of course it puts a lot of faith in oracles. But for instance you could have an inheritance scheme that triggers on the death of a relative. You could do life insurance. You could affect any sort of contract was transaction money or currency.
To your points about central control, I think it’s anthema to the idea of a distributed system. If your resistant to malicious actors you have to be resistant to censorship. Because it’s only a matter of time until the central authority becomes a malicious actor. At least for some of the population.
Trust is a fundamental thing in human life an society. It get around the abuses by having checks designed into the system and smart ways to stop corruption. If you can’t trust a company to deliver a service after payment why would you even work with them? This is the “issue” that smart contracts allegedly fix.
You can make the same argument against escrow services. But they’re absolutely fundamental to housing transactions. Where the risk of a downside is unacceptable.
I can, and I do and that’s exactly the point. An escrow service from the environmental standpoint is way more efficient than any smart contract based solution.
Maybe when we have AGIs making contracts with each other and current legal system just does not work for them?
