RE: Vote selling hasn't been affected by the fall of minnowbooster
I yesterday voiced almost exact same concern to @andrarchy, public liaison for Stinc, and suggested 2FA, and/or captchas, as means of dramatically reducing bots.
I confess I am nonplussed by the lack of interest in the problem, and potential solutions, from Stinc - but for one detail. Witnesses control the code, and stake weighted voting selects which witnesses will do so.
A Sybil attack requiring only purchasing the vast mined stakes of the top whales would gain complete control of Steemit, Steem, and the blockchain, and the current stakeholders would float off into the sunset on their shiny, golden, parachutes.
That's the only thing I can think of that precludes some effort to change the attack vector on the witnesses, of which I've seen no sign of effort whatsoever.
And my response to you was that, though I am not a security expert, requiring that users enable 2FA during sign up would introduce yet another layer of friction when the most common complaints we get are around simplifying our sign up process. I've never heard anyone else on the platform suggest requiring 2FA and I am very curious to see if a significant number of users think that introducing a very, very serious barrier to the sign up process is a good idea. Many potential users would not even know what 2FA is. We are happy to examine all proposals, and anyone is free to submit PRs through github, but I do not believe a significant number of users will agree that we should make the sign up process harder instead of easier.
2FA may not have universal appeal, but neither does voting in a losing competition with bots. 2FA could be required for anyone wanting to vote and that would provide incentive. It's getting to be a cruel world and that's due to the bots and vote-selling. People cannot idly stand aside and allow computers to run Steem, so why not include 2FA as a way to make a statement? Simple as that: only real person votes count. Period.
If it's a user experience concern, how about making it optional? I can't speak for anyone else but it seems logical to me that those who have a lot at stake might appreciate the option?
Thanks for adding your position on 2FA. I also mentioned captchas. I expect the concerns you have over them are of similar effect as 2FA.
I also think that I am not the best mind to examine this issue, and that it is something of great import to the community.
Perhaps there might some useful response from the community to a request for input regarding bots, and means of restricting, reducing, or reasons not to do either, from Stinc.
Also, I've never received any comment regarding the vulnerability of the witnesses to economic Sybil attack. Does Stinc have a position on this matter?
Thanks for your measured and substantive response!
2FA and captchas do not prevent bots from operating. All you need to run a bot is to write some code that interacts with the blockchain directly without using a website. The blockchain cannot differentiate a transaction that was signed by a human or a bot.
So, what you're saying is that bots can interact with the blockchain via other interfaces, such as busy.org, MSPSteemit.com, etc...
Are you certain this isn't preventable? While Stinc allows unregulated interaction with the blockchain, AFAIK, is this necessarily the only policy?
Couldn't Stinc require an interface to be accepted?
None of us can differentiate between a vote from a bot, or a vote from a person - that's my problem with bots. They're not people, and shouldn't be impacting votes on social media IMHO.
But bots can't use 2fa, or solve captchas, and if most bots interact with the blockchain via Steemit, then most bots can be controlled via Steemit.
Thanks for pointing out the additional potential attack vectors bots present!
What I am saying is that you do not need a web interface to interact with the blockchain (if you know what you are doing). Steemit Inc does not own the blockchain so they cannot prevent anyone to interact with the blockchain (if they did then the platform would not be censorship resistant).
Bots do not use steemit or busy or chainbb or any other public app to interact with the blockchain (I think you misunderstand how bots work). I am not a programmer but even I can figure out how to use the code to build my own bot or interface (it's not going to be pretty but I think I can make it work).
Furthemore bots are not bad in and of themelves, they are just tools that can be used for good or bad. Take @cheeta for example. That is a bot that searches for content that is likely to be plagiarized.
It's undoubtedly true that I misunderstand how bots work.
What I see bots doing, however, indicates to me that the harm (IMHO) is dependent on interfacing with the community, particularly on Steemit, the only place I perceive them.
It is this interaction between bots and people, in particular the ability of bots to be employed to impact the choices made by the community as to content quality - votebots - that I am attempting to address.
Since your point, that the bots themselves need not interact with people on Steemit directly, and merely direct their voting as per interactions between people on Steemit mandate, establishes that neither 2FA nor captchas have potential to preclude bot votes, I deeply appreciate your explanation.
Nothing pleases me more than finding out I am wasting my time, because that enables me to change how I proceed.
Thanks!
The first post that I made on steemit (more than a year ago) was a complaint about voting bots. As I learned more about the platform and blockchains in general I realized that bots can't be stopped.
Over time I realized that the Steem blockchain is much more than steemit or the social media applications that are being built around it. A good example is utopian.io which is a platform that uses steem to reward contributions to open source projects.
With the upcoming launch of the Smart Media Tokens protocol a whole new avenue will open up for anyone bold and creative enough to build new applications on top of the Steem blockchain.
There is an old post from @dantheman that sheds some light as to what can be done with this technology (it opened my eyes...especially the part where it mentions that we don't need permission from steemit.inc):
https://steemit.com/steem/@dantheman/how-anyone-can-build-custom-apps-on-steem-right-now