Cryptographic vulnerabilities in IOTA: A Biased Hit Piece

Posted Under: In-depth
1 month ago

This article, Cryptographic vulnerabilities in IOTA: A Biased Hit Piece, is not a technical discussion; for the tech-oriented responses by the IOTA founders, scroll to the bottom of this analysis.

Undisclosed Conflict of Interest

A conflict of interest (COI) is a serious issue, not to be taken lightly. COI is a situation in which a person or organization is involved in multiple interests, financial or otherwise, one of which could possibly corrupt the motivation or decision-making of that individual or organization. Given that Dr. Neha Narula is Director of the Digital Currency Initiative at the MIT Media Lab, let us review MIT policy regarding COI: “MIT requires that researchers disclose certain financial interests, which disclosure enables MIT to determine if a financial interest creates a conflict of interest or the appearance of a conflict of interest.”

Legislators are concerned about COI as well. In a speech by SEC staff titled “Analysts Conflicts of Interest: Taking Steps to Remove Bias,” the SEC states: “Given the serious concerns about the conflicts of interest analysts face that may taint or bias their advice, last fall the NASD and NYSE, following a call from the SEC and Congress, began to work together to craft new rules that would aim to restore investor confidence in the analysts’ work.”

Sergey Ivancheglo, in his rebuttal to the research in question, wrote: “Neha Narula’s team provided the following interest disclosure, “Ethan Heilman is involved in cryptocurrency work with the Paragon Foundation and Commonwealth Crypto Inc. Madars Virza is a Science Advisor at the Zcash company,” and goes on to comment: “Paragon Foundation works on a technology which aims to compete with IOTA in the future. Zcash’s main feature is anonymity which is threatened by Repudiation and Mixing features of IOTA. Neha Narula and Thaddeus Dryja did not disclose their interest, I leave it to the readers to find out if they work on projects attempting to compete with IOTA.”

So, let us put Ethan Heilman and Madars Virza aside and focus on Dryja for the moment.

The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments white paper states what everyone knows: “The Bitcoin blockchain holds great promise for distributed ledgers, but the blockchain as a payment platform, by itself, cannot cover the world’s commerce anytime in the near future,” thus tackling Bitcoin’s key problems: scalability and fees. Further down, the white paper proposes a solution: A Network of Micropayment Channels Can Solve Scalability.

What are IOTA’s key advantages over Bitcoin’s blockchain scalability problem? Simply put:
— infinite scalability
— fee-less transactions.

Who is a co-author of The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments paper? None other than Thaddeus Dryja, one of the Cryptographic vulnerabilities in IOTA researchers. His own work directly competes with IOTA’s solutions. Using Narula’s own language, that represents a glaring conflict of interest, something the researchers inexcusably neglected to mention.

[Image: Thaddeus Dryja & Conflict of Interest re: IOTA research]

Hiding Behind Authority

Cryptographic vulnerabilities in IOTA is an article published on Medium by Neha Narula, Ph.D. in Computer Science. While Medium is an online platform, “a place where everyone has a story to share,” Dr. Narula arguably has a much more authoritative platform: the Digital Currency Initiative at MIT’s Media Lab itself.

However, while Dr. Narula has chosen to publish her article on a free platform instead of on her own academic one, she uses her title as Director of the Digital Currency Initiative at the MIT Media Lab to identify herself on Medium. Such an approach gives the impression of a highly respectable academic institution standing behind the research. When Forbes picks up her work, it titles it not “Medium Freelancers Uncover Critical Security Flaw In $2B Cryptocurrency IOTA” but “MIT And BU (Boston University) Researchers Uncover Critical Security Flaw In $2B Cryptocurrency IOTA.”

“MIT And BU Researchers Uncover…” has therefore become a recurring theme for all the copy / paste crypto experts promulgating this, as it seems, highly biased research. In reality, neither Boston University’s Center for Finance, Law & Policy, which explores digital currencies, nor MIT features Narula et al.’s IOTA research.

One can reasonably guess that MIT’s own conflict of interest policy would have required Narula and her team to disclose their conflicts of interest, so they opted to publish on Medium instead.

Hiding Behind the Legend

Dr. Narula, herself a Ph.D. in Computer Science, felt compelled to quote Bruce Schneier, an internationally renowned security technologist called a “security guru” by The Economist, to give additional authority to her and her team’s research:

I’m too old not to have enormous respect for a legend like Bruce Schneier, so I reached out to him. He elaborated on this quote, saying: “I can tell you that anyone who doesn’t use standard algorithms is such an amateur that I wouldn’t trust anything they did,” but I ask myself, haven’t “standard algorithms” been prototypes at some point in time as well? “One of the great commandments of science is, “Mistrust arguments from authority.” … Too many such arguments have proved too painfully wrong. Authorities must prove their contentions like everybody else.” — Dr. Carl Sagan.

I fear the researchers are hiding behind Schneier’s authority. After all, it’s safe to assume he is an enormously busy man, so he had no time to research IOTA in depth or hack it himself. Could one say, at this juncture, that his comments are general statements, carefully placed in the research to make a point that has not been scientifically proven?

I will leave you with Richard Feynman, one of the rarest geniuses the world of science and drumming has ever seen, employing a well-known logical fallacy myself, the appeal to authority, as he speaks about authority: “Have no respect whatsoever for authority; forget who said it and instead look what he starts with, where he ends up, and ask yourself, “Is it reasonable?””

When I reached out to Sergey Ivancheglo for a comment on Schneier’s take, he answered that this is his “personal opinion, no references to papers proving his point of view.” Ask yourself, is it reasonable to try to crush a nascent, exciting technology with biased research? Especially when it has been conducted by people seriously affected by their own agendas and conflicts of interest?

Manipulation Reeking of Dishonesty

Dr. Neha Narula states in her report that “none of IOTA’s partners raised these concerns about a glaring vulnerability” and concludes the article with these ominous words: “Large organizations and well-known individuals should not lend their names and reputation to technology they have not vetted.”

Ask yourself:
— how does she KNOW that no one raised questions? Is she privy to the dialogue IOTA has with its partners?
— how does she KNOW that they have not vetted IOTA’s technology?

A serious academic should not be deliberately suggestive and misleading in her statements. She offers no proof, just her personal opinions.

But what reeks to me is the very fact that the report states, in unequivocal terms: “The current version of IOTA does not have the vulnerabilities we found,” much less “glaring vulnerabilities,” one could safely conclude. Has this research been much ado about nothing, a hit piece aimed at discrediting IOTA? No known vulnerabilities left, no monies have ever been stolen (compare that with the Bitcoin or Ethereum networks, where hundreds of millions have been stolen repeatedly), nothing but malicious suggestions.

There are billions at stake in Bitcoin, Ethereum and other blockchains. If IOTA is successful these billions could evaporate and move toward it.

The whole research looks like inflated stuff, meant to make for a juicy, albeit injurious, looking paper. The researchers’ complaint with IOTA is simple: IOTA tried to write its own security hash functions, and it also put in a deliberate security flaw to prevent copies of the coin; both are currently fixed, and there is no current known issue with IOTA. The rest is just speculative, often quite dishonest, FUD.

IOTA Founders Reactions

Curl disclosure, beyond the headline by David Sønstebø, co-founder of IOTA.
Tech response by Sergey Ivancheglo, co-founder of IOTA.
Integrity question for Sergey Ivancheglo and the rest of the Iota team on Reddit.

Comments: 3
  • Jorge

    MIT guys really messed this one up, quite seriously. Great article.

    6
    0
  • pl_oli

    Totally agree, I'm pretty sure that the blog post from Dr. Neha Narula will hit her hard like a boomerang, which will damage her own reputation.

    5
    0
  • Omur Gulec

    Actually this is the only article I can find about IOTA's so-called security vulnerability. Great analysis; rather than saying what is right or wrong, the article leads the reader to think for themselves. 2B market cap and I doubt too many people are reading this.

    1
    0