I met David Duccini (aka Little Duke) at Coins in the Kingdom, where we chatted about Bitcoin scams at a bar with Chris DeRose and Joshua Unseth until 2am. He seemed bright and talked about Ethereum's trivializing the problem of reputation. This was the first thorough critique I had heard on Ethereum and I followed up with him weeks later to hear more.Duccini is also the Executive Director of the Strength in Numbers Foundation.
Ruben Alexander: Could you give a run down of your thoughts on the 2.0 platforms out today? (Bitshares, Ethereum, Counterparty, Mastercoin, and NXT?)
David Duccini: I think the 2.0 moniker has really yet to be defined or claimed. I think much in the same way the Web moved from static content to a hyrid client-side execution is likely a good reference model. In a lot of ways, Bitshares, Counterparty and Mastercoin are really bridge technologies -- dare I say Bitcoin 1.5? Mastercoin is interesting as a proof of concept, especially with regard to a possible colored coin implementation -- it’s hard to take its trade system too seriously as it can only support sell-side transactions and any market needs to have a buy-side in order to operate efficiently from a pricing standpoint. NXT is much further along and the jury is still out on whether Ethereum will deliver (full disclosure: I did acquire some pre-sale Ether).
Amazon’s EC2 and other cloud providers are already showing what “infrastructure as a service” can mean for resilient and scalable systems. I mean if you have ever watched a Xenserver or VMWare hypervisor do a “live migration” you’ll know how truly mind-blowing the state of the art is.
Many of the nextgen platforms are “pay to play” in that they are closed sandboxes that require either continued inputs or the ability to generate new tokens within the system. In a MMORPG that’s done through various Proof of Quests…
I’m still not sure and no one has been able to adequately explain to me how in Ethereum a distributed application is going to have access to private keys. Because fundamentally the code is going to require Ether to execute to get it started and then somehow either generate additional Ether to make it sustainable or “put another nickel in” to keep it running -- this is what I mean by “pay to play” -- it’s interesting, but not very compelling.
The reality is that it’s ridiculously cheap to acquire VPS services that allow unlimited execution on most private infrastructures.In the 1990s I did some work on distributed systems based on the CORBA messaging bus in concert with Smalltalk (there’s an interesting turing complete, message passing language that should be considered) -- a better use of resources is not having parallel execution resulting in consensus driven finite state machine outcomes. Resource discovery and object utilization through network bound contracts seems to be a better use of distributed resources IMHO. I’ve often wondered if the real promise of an object-mesaging bus would mean smaller operating system deployments?
I mean how many copies of the desktop calculator app does the world need? Imagine doing an app discovery much in the way the Apple Bonjour protocol can find and provision hardware resources on your network. I would like to think in a decentralized app platform world that multiple competing interests could advertise capabilities with certain performance specs for micro-contract execution. Think of a model where software developers produce libraries, widgets and plugins and get paid per use -- a model that rewards them for ongoing development. I think an ecosphere around PHP in Drupal is ripe for exploration.
I think in order to really claim the crown for 2.0 we’re going to have to agree on what capabilities and especially what problems they are going to solve. And this the essence of my primary message to all ALTS -- you have to solve some problem other than the transaction coin -- Bitcoin does that and Litecoin made it only slightly faster. Other than a brand, no ALT is going to survive purely for the benefit of miners and investors -- this is the message I have been beating the drum to with the Karma community that seems to fall on deaf ears. Also, there should be some basic market education in place -- the naivety demonstrated is truly dizzying -- the kind of people who think that if they if they “hash harder the price will rise”.It’s clear that any 2.0 technology is going to have to somehow solve the race conditions in trustless exchanges.
The best implementation I ever saw was in the Everquest MMORPG (I’m sure others have similar implementations) where parties that wished to do trade could examine each other’s items and then both were required to acknowledge the exchange. People like to use eBay and Amazon as model systems, but they are discounting the role that having the repudiation support of their card processor essentially lulls them into a false sense of security.
Could you elaborate on some nuances to human reputation systems, talk about Ethereum's approach, and follow with how you would handle reputation systems?
To talk about reputation we have to look at human nature. Social Engineering attacks are the most effective means of exploiting systems. Want to get into a building? Just approach a busy entrance at a secured building with a sheet cake in your hands and a bunch of balloons tied to your waist. Kevin Mitnick proved this out time and time again by carrying a telephone around (for a humorous example to watch Big Trouble in Little China where Jack Burton walks into the Wing Kong Exchange with a telephone in his hands :-)
I’ve only read through the Ethereum whitepaper. I find it quite candidly a bit naive in its approach. There is absolutely no sense of repudiation or redemption. It talks about reputation as a static quantity to be acquired over time. In a lot of ways it looks like FICO score. Reputational events need to have vetted stakeholders. I’m very cautious about putting any trust into a system that simultaneously allows for anonymous feedback combined with the irrevocable nature of a blockchain that does not allow an individual to cast that feedback in terms of the context provided by a Web of Trust.Fundamentally we need to be VERY suspicious of anonymous feedback.
Certainly there are use cases for it to be sure, but it’s not on the 80/20 side of the utility curve in my opinion.It’s why we are looking at potentially moving our IDCoins reputation events to a side chain that could support “garbage collection” -- in effect you could create a system that had a “predictable hard fork” that would periodically run through the chain, tally the outputs and regenerate the genesis block based on the viable addresses and events. Certainly the prior copies of the chain would be available, but as an “authoritative system of record” we would only put stock in the latest incarnation. In a lot of ways this is what Namecoin is doing under the hood, sans the collection/purge and regen.
Events of sufficient low reputation or requests to revoke could be purged. The consensus mechanism is about finding and supporting an authoritative current state. Not everything we do needs to be permanently stored in a secured revision control system IMHO.
What are some of the more complex aspects of reputation systems that you still have yet to solve?
I think the hardest part of reputation systems is dealing with Repudiation, Remediation and Redemption.
Actually it's even more stupid simpler than that -- how do you account for spelling mistakes? The block chain is forever. Here’s a side story that had some pretty dramatic consequences:One of my co-workers had a typo on her Drivers License -- someone at the DMV or the company that prints the cards had spelled “STREET” as “STRETE” -- the TSA gave her ALL kinds of grief every time she travelled!
After countless times of trying to explain that there was some mix up which only delayed her transit further, she finally would just roll her eyes and exclaim loudly, “obviously I know how to spell street! Clearly not all government contractors do!” -- to which she would get a “have a good day ma’am”.
In the real world we allow people to ‘cure’ their breaches, often without bias or prejudice. Most of the reputation models are naive, static summation scores that are irrevocable. It’s as if they were designed by someone who never had to explain a late payment on a student loan.
What is missing from most reputation models is the notion of CONTEXT. For example, my libertarian, atheistic and and often buddhistic leaning friends might be amused by my latest rant about some religious ad Facebook thought might be relevant to me -- while simultaneously offending some of my deeply spiritual conservative christian friends by the way I characterized the very same advertisement such as “Jesus heals all wounds!”:
“The blond-haired blued-eyed Jesus who vaguely looks like a long-haired Matt Damon complete with bleeding stigmata palms claims to “heal all wounds” -- my first thought is, “wow, it’s been 2,000+ years and he still hasn’t put a bandaid on those holes in his hands -- maybe he should take care of those first before dispensing advice to others...”
The same event has multiple outcomes, reputationally speaking. Facebook only offers us the ability to “Like” something or “comment” if we dissent. Which is wholly inequitable if you ask me. It gives the potential silent majority a free pass to click to endorse -- which in a lot of ways that “Like” button should just say “Ditto” -- and forcing the dissenting minority view to defend itself.
In reality there is a full spectrum of support from tacit agreement or disagreement to explicit often violent concurrence or dissent.
And here’s the kicker:
every sentiment expressed is both true and false at the same time.
Think about what I said earlier about “normative behavior” -- there is another more subtle factor at work, and that’s our propensity to “seek confirming evidence” especially for deeply held beliefs while simultaneously discounting or dismissing anything that does not support it. Global warming ring a bell?
Therefore we cannot be described as a single and likely immutable number like a FICO score. We are multidimensional persona, temperamental and imperfect who do stupid things that deserve to be forgotten. In effect we are all a “portfolio of reputations” -- much in the same way a company might own title to a bunch of brand-name products.
“One person’s 'freedom fighter' is another’s insurgent.”
Anonymity is also a hard problem
Especially given the fact that coin flows in a public ledger can be easily tracked. My sense is that coins could be generated through Proof of Staking at an exchange and then offered for acquisition. My hope is that anyone who does end up hosting an exchange system will register their receipt addresses or at least nominally sign any deposit accounts created so that the Web of Trust can at least determine that a coin transited an exchange at some point.
It is precisely the power of being able to track coin-flows that helps us in our battle against the Sybil army. We can in theory detect astroturfing of any content by watching coin-flows. Sybil can acquire coins and try to use them upvote or downvote content all she wants -- but so long as we are vigilant about our key-signing we can expose the Sybil Islands in the WoT. We can look at the address of any reputational event and determine where the coins came from and if any of those sources are known to us (or anyone within whatever degree of separation from us that we set to filter).
In our model the act of signing someone’s key is in and of itself a “reputational event”. If Sybil signs my key I can simply ignore it, or I can publicly disavow that transaction by dusting the address created for the event and sending a large percent of coins to the miners.
Lastly, there is the problem of “grade inflation” in reputation systems -- whereby participants are shamed into only providing positive feedback as we see in eBay and Amazon. Most systems seem to center on the collusion of bad actors, but in reality, most people tacitly are complicit with the seller in terms of inflating the grade. And few people have fortitude to offer even a Neutral rating in the face of overwhelming positive feedback. We’re working to make Neutral safe again. The current model leverages a normalized rating scale of 0-1 (actually .00000001 to 1.0) as the sentiment and then at least 1 whole coin in the TXFEE to represent the magnitude. So, a neutral rating of .5 and 1 coin is the default -- “satisfied” whereas if you want to give a “five star” rating, 1.0 coin to the address and 5 coins as the TXFEE. The same holds true on the flip side.
A negative rating costs as much as a positive rating. Dust the address and send 100 coins if you want to leave REALLY negative feedback. The overall model is designed to make the cost nominal and redistribute the rewards.
Can you describe your IDcoins project? And share the progress you've made up to now?
This story actually starts about two years ago. I got ripped off on a bitcoin classifieds site. I thought I was buying a high end video card at the time for the “value price” of only 44 BTC -- you already know where this story is going right?
I realized at that moment that if it was not safe for me to transact with cryptocurrencies that it wasn’t going to be safe for my mom. We had to “out” the bad actors. “Sunshine is the best disinfectant.” So I started looking around at Identity and Reputation systems. It turns out that Proofs of Identity isn’t even the hard part of the equation, either online or in the real world -- it’s reputation.
We’re told time and again that “word of mouth” advertising is the most powerful form of endorsement -- but what does that mean practically? It means we ask people we trust what they think! It’s basic “normative behavior” at work -- if you’re in a room and a fire breaks out -- you look around to see how others are reacting? If everyone is calm you tend to mimic them.
In the extreme its called the “Genovese syndrome” after the poor young woman who was brutally murdered in the mid 1960s in her New York apartment tenement despite crying out for help, all her neighbors assumed someone else had called the authorities -- it's commonly known as the “by-stander effect.” The modern-day version of that is the email blast with a ton of people in the To: and the Cc: lines -- the more people listed, the less responsibility any one person feels about taking ownership of the request.
In security awareness training they tell you “if you see something? say something” and in a Rescue Diver or a Red Cross CPR class -- you’re trained to stand up and start giving orders.
Proofs of Identity are relatively simple to demonstrate. We have tokens that we carry or have access to. In the RW we have identification cards with names, addresses, and sometimes recent photos. In the digital world we have accounts, such as email addresses we can demonstrate positive control over or social network sites we can permit limited access to in order to prove ownership. Again, the identity aspect is not, in my opinion, that interesting.
Web of Trust -- downgrading the value of anonymous feedback and ways of ignoring Sybil and her friends.
We need to use “security awareness training” principles in concert with technical mitigating controls. It’s important to understand that vetting someone’s identity is NOT the same as endorsing their behavior. Just because you meet a Bernie Madoff and are willing to confirm he has presented sufficient credentials to you that you’re willing to attest that his public key belongs to him does not mean you have to endorse that he’s a trustworthy guy. This is why I believe that key signing should be detached objects and have a limited lifespan on their validity.
Non-unique name spaces are important -- it eliminates cybersquatting when everyone on the planet can have their own disney dot com -- you begin to navigate the world through your web of trust -- ultimately settling on the site that has the highest reputation based on your own criteria.This has a profound effect on “search” -- when we change the way we surf the Internet based on the way our web of trust ranks content -- it's disruptive. Suddenly all those business models that keep search engines in business have to change. You could essentially decentralize Google and Facebook. With a browser plugin, much in the same way Namecoins is meant to truly operate, you could create your own social network like system just by tagging content. And again, in theory, this could be done without any active participation of any content creator! You hash the URL, post an address and start staking reputation events. Certainly website holders could claim Proof of Control by embedding an IDCoin in their sites metadata.
When will we be able to see a working usable version of IDcoins?
We just wrapped a successful bootstrapping crowdfunding on StartJOIN.com raising over $600 to fund the sandbox and testnet system through the generous donations of nearly 30 individuals. I am working to finish the whitepaper and open it up for a 30-60 day comment period. Instead of doing the “slow reveal” or the grand unveiling, I’m taking an agile development approach while compiling the nearly two years of research and hundreds of hours of conversations and [I've] moved it to Google docs, easily found at here.
The current plan is to have the first cut of the whitepaper “released” on or around December 1st at the same time we put our Sandbox v1 online -- a simple server to accept PGP and minilock.io ECC keys and perform simple Proof of Human tests by sending encrypted emails to registrants in order to have them navigate a CAPTCHA style maze in order to have their public key accepted by the server and in doing so earn their first IDCoins -- which can be used for reputational events.
We are planning for an extended modeling period of at least six months to work through the use cases to make sure that the protocol can support them.One of the explicit goals of the project is to create a system that helps the world's unbanked population develop verifiable credit worthiness outside of the control of a for profit credit reporting agency. I’d like to see IDCoins be used to help someone taking out a microloan like on Kiva.org and then demonstrating that they can repay it.
We will be soliciting mobile application development partners to help build simple key-signing applications for IOS and Android while we also look to solve the problem for the more simpler “feature phones” that the world's population carry. I envision a model where people can scan each other's QR-Codes either phone-to-phone or from business cards.
The goal is to plan and host a simultaneous global key-signing party where we generate the Genesis block with all the public keys of the participants, our first Digital Notaries to go forward into the world and build the web of trust.
Have there been any other bitcoin/altcoin wallet developers or 2.0 platforms that have shown interest in incorporating your solutions?
Chris Ellis of the Bitnation / World Citizen Passport fame has been trading tweets on collaborating -- David Mondrus at BlockChainFactory has expressed strong interest in leveraging the system as cornerstone for some of their projects. We were cited as a possible reference implementation in the Bitnation dev paper. I’ve received inquires from a microfinance company that is looking for an independent reputation model for their members. Fundamentally I’d like to see a system that is “blockchain agnostic” -- in fact with the design we have in mind, you could even stake reputational claims about the jerk who parked next to you and dinged your car door! The model allows for arbitrary text keys which could easily represent a license plate or a geo location.
I’ve also recently been engaged by Rosa Shores & Gabe Higgins to explore the potential for leveraging the platform in support of their Clearvoter project that they are collaborating with Lucas Overby on. From those conversations we have added additional use cases to our model that would extend our concept of a “reputational event” to a potentially time & group bound vote. The basic model would leverage the Web of Trust to verify that a sender's address had been signed by a given group or organization in order to accept its transactional vote on the chain. Basically what it means for Clearvoter is you could have an election judge essentially certify your IDCoin as being valid in a particular jurisdiction which would then grant it privileges to send IDCoins to specific restricted events. It’s a great idea and has broad applications, where you could essentially host everything from a member based community service groups voting on projects to having corporations hold shareholder votes on the IDCoin chain.
Could you share how you became involved in software development?
This story, like most of my high wire acts, all my life is about impressing a girl…7th grade English class, an end of year trip to the school library to play Oregon Trail, a buffer overflow, a helpful librarian, the man behind the curtain, and some Basic BASIC. I was playing Oregon Trail with a friend and we were goofing around answering the “Y/N” questions with things like “ya sure you betcha” when the program crashed. I asked the librarian how to restart it -- and she said it was something like “list” or “run” -- I typed list and suddenly all the Applesoft BASIC started scrolling by -- for me that was my “meeting the man behind the curtain moment” -- I checked out the only programming book the library had, “Basic BASIC” -- and then had to beg, borrow and steal time on the school’s computers including getting student access on the Gustavus Adolphus College mainframe to teach myself how to code. By the time I hit college I was already coding in Pascal and C and nearly avoided a disastrous career in MIS.
I had just completed a first class in COBOL and was standing in line to register for COBOL II when I had a mini “midlife crisis” at age 21 -- I jumped out of line and called my advisor who agreed to meet me to talk me off the ledge as it were. I wanted to know what kind of life I could expect with a concentration in MIS and after hearing about insurance companies and AS/400’s we decided that a “Systems Engineering” tract was more to my speed.
Hello compilers and operating systems! It was that day I decided that I wanted to start my own company, based in part on the idea that wearing a suit and tie and carrying a briefcase were not my M.O. The humble “backpack” was for me a symbol of freedom so I registered BackPack Software, Inc with my Secretary of State the day after, Sept 1, 1989. In fact I still own the domain backpack.com and plan to auction it off soon with the proceeds of the sale going into Strength in Numbers Foundation.