Hive Keychain Independent Audit Proposal

in LeoFinance, 2 months ago


Everyone loves Hive Keychain, it is the only way to use many of the Hive Dapps and still feel safe.

One thing that has always concerned me about Hive Keychain is that it has never been audited by a third party. There are many situations that may arise that put users of the Hive Keychain extension at risk, and some of them don't even involve the developers of the extension themselves.

Hive Keychain relies on a lot of trust that it is safe and remains safe. Most users store their posting, memo, and even active keys in Hive Keychain.

I have consulted a few crypto software auditing companies to get a rough idea of what it would cost to audit Hive Keychain for security issues, and it isn't cheap. When you start trying to audit every release, it gets even more prohibitively expensive.

The cheapest I have found is $24,000 for an initial audit, with a 10% discount on future audits as code changes. That's another $21,600 for each release of Hive Keychain.

This proposal would provide one year of auditing of Hive Keychain, which I would do personally. I have first-hand knowledge of the Hive blockchain and experience in information security (it is in fact my career).

My offer

What I am offering is an initial and complete audit of the Hive Keychain extension as published on both the Google and Firefox web stores. Once this is complete, I will monitor all future updates of the extension and audit the changes for potential issues. I will decompile and audit the actual released version of the extension to ensure I am looking at the code actually deployed, in case for whatever reason it differs from the GitHub repository.
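One way to check that the store release matches the repository, as an added illustration for this post rather than any tooling from Hive Keychain or its author: unpack the published extension (a CRX or XPI is a zip archive) and build the same version from source, then hash every file in both trees and report anything that differs, is only present in the release, or is only present in the build. The directory layout and file contents below are constructed sample data.

```python
"""Compare an unpacked browser-extension release against a build from source.
Constructed example; directory names and contents are sample data."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_digests(root: Path) -> dict:
    """Map every file's path (relative to root, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_release_to_build(release_dir, build_dir) -> dict:
    """Report files that differ between the two trees, files present on only
    one side, and the manifest version each tree declares."""
    release_dir, build_dir = Path(release_dir), Path(build_dir)
    rel, bld = file_digests(release_dir), file_digests(build_dir)
    report = {
        "changed": sorted(p for p in rel.keys() & bld.keys() if rel[p] != bld[p]),
        "only_in_release": sorted(rel.keys() - bld.keys()),
        "only_in_build": sorted(bld.keys() - rel.keys()),
        "release_version": json.loads((release_dir / "manifest.json").read_text())["version"],
        "build_version": json.loads((build_dir / "manifest.json").read_text())["version"],
    }
    report["matches"] = not (report["changed"] or report["only_in_release"]
                             or report["only_in_build"])
    return report


def build_sample_trees(base: Path):
    """Constructed sample: the 'release' carries one altered file and one file
    that does not exist in the repository build at all."""
    shared = {
        "manifest.json": json.dumps({"name": "demo-ext", "version": "1.2.3"}),
        "background.js": "console.log('background');\n",
    }
    build, release = base / "build", base / "release"
    for d in (build, release):
        for name, text in shared.items():
            (d / name).parent.mkdir(parents=True, exist_ok=True)
            (d / name).write_text(text)
    (build / "popup").mkdir()
    (build / "popup" / "popup.js").write_text("render();\n")
    (release / "popup").mkdir()
    (release / "popup" / "popup.js").write_text("render(); track();\n")  # altered
    (release / "extra.js").write_text("fetch('https://example.invalid');\n")  # not in repo
    return release, build


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        release, build = build_sample_trees(Path(tmp))
        return compare_release_to_build(release, build)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A matching version string is not evidence of matching code; the file-level comparison is the check that matters, and any entry under `changed` or `only_in_release` is where the review of the deployed build should start.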

This audit is security focused only and will not look for bugs or optimizations.

I would ask for 61 HBD/day for 365 days, renewed yearly. Submitting the proposal costs 1 HBD/day for each day beyond 60, and the additional 1 HBD/day would reimburse that cost. The remaining 60 HBD/day would be compensation for my time throughout the year. This would result in a total of 21,900 HBD, a few thousand under the lowest quote I received to audit the extension only once. I will deliver the initial audit as well as reviews of future releases within a reasonable time after each new release.

I believe it is critical that a third party (me or otherwise) reviews Hive Keychain, not only once but on an ongoing basis, to ensure it remains a safe option for Hive users. This proposal would offer an independent and ongoing audit of the most critical piece of software used by most Hive users on a daily basis.

There is currently no active proposal for this audit, but if the community feels this is something they would support, I will draft it up and update this post.

Posted Using LeoFinance Beta


What credentials do you have as an auditor ? The value these audit companies bring is not really code review but in depth knowledge about everything related to computer security.
IMHO I'd rather see an audit company where it's their bread and butter perform the audit instead of you (no offense), and where you take a cut and provide assistance with your Hive-specific knowledge.

 last month (edited)

What credentials do you have as an auditor? The value these audit companies bring is not really code review but in depth knowledge about everything related to computer security.

Been running an information security company for over 15 years, as I said elsewhere. I haven't formally audited software as a business, but I know code, I know security, and I know Hive. It's more that someone should do it, and it is constantly changing and would be really expensive to have a professional organization do it every time it is updated.

To be honest, with Keychain approaching $400K in DHF funding, third party auditing should be baked in, it is used by almost everyone and has ultimate access to keys.

To be honest, with Keychain approaching $400K in DHF funding, third party auditing should be baked in, it is used by almost everyone and has ultimate access to keys.

According to a quick search on HiveSQL, we've received 111,561.960 HBD so far (+16k SBD before HF). I don't know how you got to 400k.
Our current funding is 9k/month, an external audit at the rates you've presented would have set us back several months in development at each release.

 last month 

It’s on the third year of the proposal.

i found him to be someone that refused to debate

don't care if you believe it or not, i have come to see

the earth is indeed flat, markymark made a post decrying the opposite and then didn't engage my comment

https://hive.blog/science/@klevn/qjf4zz

those with closed minds often have an agenda

and they aren't sharing, and that is not secure

i also suspect he got steemflagrewards to downvote me, as it was received almost immediately upon posting

who runs them if he doesn't and why was this post downvoted by them? did i say something offensive other than to ask for proof?

BAHAHAHAHA

That's the funniest shit I read today.

I know I am late to the party but still funny ass shit. Your flat earth reply that is.


Posted via proofofbrain.io

typical zero content flat earth denial reply.

can't refute anything specific, can't be debated

seek the reactionary and hope people ignore and refuse to engage

LOL You some kinda funny as shit.

Was there a documentary made by flat earthers once where they had these instruments that proved their theory debunked?

there have been many attempts to provide 'flat earthers' being debunked

but none have actually gone after Eric Dubay.

here is a real documentary

here is a real website from and by flat earthers

https://ifers.123.st/

wonder why flat earth society exists, is referenced by obama, and yet is actually considered a fraud by flat earthers? that is how big this lie is .. all the way to the president of the united states

smoke and mirrors that is all I am seeing right now and emus with their heads in the sand.

Galileo was held in confinement for arguing that the earth was round some 2 centuries or so ago and here you are today trying to revive an archaic belief that the earth is flat.

Kinda reminds me of the magic Mormon glasses.

proof is proof .. a man confined is not proof

debate using reason and logic or not at all

ironic is it not .. that you are the one arguing without these things

while claiming my understanding is the archaic one


I would gladly support auditing Keychain, we are usually posting very frequent updates, which would make repeated external audits very expensive.

After reading the comments section, I do have a few remarks and questions though:

  1. The project started small and grew fast, and that led me to decide to start a refactor a few months back, that will hopefully be ready by year end. We are rewriting the entire code base using React.js, is it a library you are comfortable with? Also, this means that depending on when you start, you'd have to review the entire code twice.

  2. Yes, Keychain Mobile is 100% open source: https://github.com/stoodkev/hive-keychain-mobile

  3. I would also like to see the question of your credentials being addressed. Not that I don't trust you have the skills to do this; as you put it, you've built a reputation here. However, our ecosystem is growing faster than ever and your reputation won't mean much to newcomers. Could you include a list of relevant projects that you've reviewed/audited in your proposal?

I would not support such a proposal as you have presented it to us.

You refer to "external prices" to support your valuation but do not provide any information about them (company names, offers, ...). It would be nice to know more about the proposals you received.

You also do not provide an estimate on the volume of work that such an audit represents. It might be good to know how often Keychain undergoes updates, either to adapt to the change of the blockchain code (hardfork) or to integrate new functionalities. Have you ever inquired about this?

More important is the timing of your audit. Did you know Keychain is under heavy refactoring? It would be quite wasteful work to do an audit before this major overhaul has been done and released.

I'm also surprised you do not plan to audit Keychain Mobile and wrote in a reply you do not know if it is open-source. Yet it is easy to find (https://github.com/stoodkev/hive-keychain-mobile) as it is the last and most updated repository from @stoodkev on Github.
It would be a shame to do things halfway. While I understand that it is difficult to certify that the executed code of an application is the same as that of the repository, it would still be good to ensure that the available code is safe.

Add to this that @stoodkev does not hesitate to present himself publicly, which is not your case, and him having as good a reputation as yours, we can have good reason to trust him that he doesn't cheat when he pushes the app to the stores.

Finally, I would find it more appropriate to make a proposal to fund the initial audit once it is done and to proceed in the same way when there are updates to Keychain. If the quality of the first one is there, there should be no problem approving the following ones.

  1. Can you elaborate more on your IT security background? I have a similar background, and others on the blockchain do too, so it would be good if we can get a sense of your experience in this area.

  2. How do you think this proposal compares with something like putting together a budget for bug bounties to incentivize security researchers to find issues?

Can you elaborate more on your IT security background?

Been doing IT since high school when I started a company at around 15. I have been running an information security company for over 15 years.

How do you think this proposal compares with something like putting together a budget for bug bounties to incentivize security researchers to find issues?

Bug bounties are typically a lot more than what I'm asking for and generally have a much larger user base to work with. They don't have to be mutually exclusive.

I like this idea, and while some would ask why you, the fact you have so much at stake actually gives me confidence. So my major question is ... what if you do find something? What will be done and what would your proposal be?

 2 months ago (edited)

I would immediately cease using it and report it publicly. The risk exposure is huge if there are any issues, but I don't expect to find anything, to be honest.

Thanks for the reply, actually one more reason I would suggest you do it over a third party, your reach would mean people would pay attention

!BEER


This is a great point and it would be good to outline before work begins what types of actions would be taken in different scenarios.

Who would assess the severity of the risks, etc.? If you find something, how is it communicated to the community?

This is an excellent proposal and I will support it.
We are so reliant on Hive keychain and as more and more new Hive based apps come out I want to be able to sign into them using keychain without worrying that some new app might be an exploit of some keychain weakness.

I had blind faith in hive keychain. Never knew that it was not audited. Where can we check all the active proposals ?

!BEER


I'd support this.

If anyone should do it, it should be you. I was just chatting with @bleepcoin last night and told him that you have given me a few good security recommendations, with my favourite being Bitdefender.

Anyway, you have my vote mate.

Cg

A couple semi-hostile questions in anticipation of a real proposal, so you can head them off:

  1. Who are you, anyway, and why should we care? Why would the community support and trust your audit specifically?

  2. What is the state of the Hive Keychain code? Is it open-source, and if not, could it be better to make the Hive Keychain code open-source for better community audits, perhaps after an initial audit as you propose?

 2 months ago (edited)

Who are you, anyway, and why should we care?

I am Marky. I've built a reputation here, that I believe speaks for itself, love or hate it.

Why would the community support and trust your audit specifically?

Someone should do it, it has been left undone for far too long. It should be someone with no ties or incentive from the original team. I have neither.

What is the state of the Hive Keychain code?

It is open source but unreviewed (as far as I know).

In my opinion, it is highly used and if something were to go wrong it could potentially cause catastrophic results.

Yes, I can verify that Marky is well known and has a substantial reputation on Hive.

I may not agree with him all the time but he certainly knows his code.

I know who he is. I've been supporting him as witness for ages.

I am Marky. I've built a reputation here, that I believe speaks for itself, love or hate it.

I know this. I would hope others do. But it's something you still should note in any official proposal. At least a couple lines.

... if something were to go wrong it could potentially cause catastrophic results.

Agreed. I think it is worth the effort.

!BEER


I'd support this proposal, good idea

If I remember correctly listening to one of your interviews, there was actually a bug in hive keychain that caused your power down to reset in the steem/Hive split.. and that cost you some cash as your steem was confiscated.

Do I have that right? and is that bug fixed? that would be the first place you should look.

I am supportive of an audit, but I would have thought if there were a vulnerability it would have been exploited by now, given the market cap of Hive is in the 100m+. It's more for the reassurance on future updates, and that's why I am supportive.

If I remember correctly listening to one of your interviews, there was actually a bug in hive keychain that caused your power down to reset in the steem/Hive split.. and that cost you some cash as your steem was confiscated.

Yes, I had actually started my powerdown shortly after the Justin Sun and Ned Scott "ask me nothing" show. I knew at that point Steem was fucked. I would have had 90-100% of my Steem powered down by the time they came around to steal it. Instead, about halfway through my power down was canceled due to a bug in the earlier build of Hive Keychain that sent transactions to Steem by mistake.

Do I have that right? and is that bug fixed? that would be the first place you should look.

Long since fixed.

I never thought about all the risk involved in that and I had no idea Hive Keychain was not audited.

I think it's good that this is coming from someone with a lot of skin in the game so it has my support


I would support this. I think we have seen at least in the DeFi space how important audits can be. With the number of people using Keychain and the amount of money in transactions that take place every day via the extension, it is important to make sure it is secure. Draft it up! I will vote!


I would support this rather than an outside organisation as I believe in trust based systems. All I know of Marky is he has a swimming pool and writes knowledgeably on issues of IT security.

We use trust, perhaps more than we realise here and its a foundation of humanity that needs encouraging and as a Yorkshireman, saving a few quid is somewhat appealing!

All I know of Marky is he has a swimming pool and writes knowledgeably on issues of IT security.

I also have a cat.


😍

@themarkymark, well, I love cats, so sold 🙌😜 Seriously though, I think you've made an excellent point on the need to audit the keychain. I'm an accountant and we go through the audit drill a couple of times a year. If there is a security flaw to find, it's far better that an audit uncovers it than it be exploited by someone looking to make a quick buck at the expense of everyone who has worked so hard and diligently to create an incredibly rewarding social and financial hub here on Hive.

I am not always one to look immediately for the cheaper option to resolve issues, but I am one for being realistic about the spending capacity available (I'm super familiar with budgeting lol). My view is that if we can't afford the sky-high prices of external audit firms then we need to decide whether we want to continue with no auditing controls in place (and stick our heads in the sand, fingers crossed that the software will remain immune to attack in a world where every hacker wants to lay their hands on the wealth of others) or whether we want to think a bit outside the box and make use of the resources available to us, e.g. Marky alone and/or giving out the task to perhaps Marky and one other (as a collaborative duo, although not sure if this is something Marky would be open to), who together may have the combined IT audit experience, technical insights and experiential history with Hive to produce an audit result that instills confidence in all. Alternatively, we give Marky a shot at a first audit and go from there... what have we got to lose, besides a few Hive? Better than losing the entire house IMHO.

Can anyone explain how long the current refactoring process is expected to take? Are we prepared to have the keychain in its current form unaudited until such changes take place? How does the funding to keychain work, as in who funds it? Being short-sighted when it comes to issues of importance like this is not an ideal approach.
If we aren't prepared to pay to protect the keys to our house, we can't come crying when the burglars break in and steal our life savings. So, yes, I would support the proposal.

I would support this, but what I would like to see as well is, that you let this company do an external audit of the hive-keychain code once per year as well. The more eyes on the code, the better. Maybe even combine this into one proposal? Or make two.

You are correct that the keychain-app is of utmost importance and a critical security hole could have catastrophic consequences. Going forward I think we should use our funds to assure that this nightmare scenario never happens.

I would support this, but what I would like to see as well is, that you let this company do an external audit of the hive-keychain code once per year as well.

If someone wants to pay the $24K for it, by all means.

Good proposal.

Some questions:

Does it include the mobile version? ( i don't use, but i expect some do).

Is the reference worth something? So can we tell it is reviewed and safu? Like the Defi protocols?

And IMO Keychain was simple in most parts (from key storage). I think transactions and things like that can be manipulated more easily. But keys should be safe because it is open source and on the browser (local), pretty decentral.

If a website can access it, it must also be encrypted. I think the easiest scam is: you post something and the website sends a transfer message. Misclick = lost funds (if active is in it).

And does it really help? I ask because of updates.

Safe today doesn't mean it can't change after someone accesses the Mozilla or Google account.

Most apps on those stores become problems (from security) after the owner changes/updates.

Does it include the mobile version?

No, I don’t think it’s open source but not 100% sure. I also have no way of confirming what code is running on the device.

Ok,

I see the biggest risk in updates and not in the current code. Only manual no update installations are safu IMO.

But that is really unrealistic for everyone :)

The mobile version is 100% open source and can be found at https://github.com/stoodkev/hive-keychain-mobile

I suspected it may be, but I honestly didn't check as the user base is much smaller than the browser extension and there is no way to know for sure what version is running.

It will certainly get my support (even though that's not much). I use the keychain daily and it would be nice to know someone is looking at the code to make such it is safe

On a side note, how safe is the Kiwi browser? (If you've come across it.) It is a browser that allows mobile users to use Google extensions like Hive Keychain on their phone.

On a side note, how safe is the kiwi browser? (If you've come across it)

I have heard of it, but I have not used it. I haven't really had a need to run extensions on mobile. I run very few extensions personally.

Yeah, I remember your post on web extensions and the security risk they pose which is why I use very few myself.

I was using hivesigner before. I just started using hive keychain. I was wondering how safe it is. I saw that many people I know and trust on Hive recommend it. Based on my trust in these people and in the Hive blockchain in general I decided to trust the keychain. But it is an excellent idea to have it audited. I will support the proposal.

The audit report would have to have your company name or at least your name and credentials/certs on it to be taken seriously. It can't just say "prepared by themarkymark". Are you prepared to disclose this level of information?

Hi Marky, this is a no-brainer, as if this doesn't happen it could be seriously bad. We are talking many users who use this, and as Hive goes up in value the stakes are getting bigger. $21K is nothing compared to what could be lost. I will back this proposal and I am sure others would too. I am glad you are around, as how many times have you helped me already.

I'd support you. Not sure my support means much—I've been here nearly as long as you have, but I am neither as invested nor as well networked. Regardless, I'd support your proposal.

Overall chain sentiment would be affected if Keychain is compromised.

  • whatever happened to the white hats

Not sure the question, Hive is filled with white hats, gray hats, and black hats just like any other community.

I think it should be more of a community driven project. I think you raise a great point though. A lot of companies also fund hackathons.

hi,

my question is have any/all of the other keysigners been audited in the past?? or would they need to as well?

None have as far as I understand.

I think that this proposal is very interesting; it is important to have our security standards high, but I'm confused: shouldn't it be the Keychain team who has to hire that audit? They could make their own proposal, or afford it directly. After all, it is their service that will benefit from it.

I think that I'll support this anyways but any answer is welcome.

shouldn't it be the Keychain team who has to hire that audit?

The idea is having an independent party that is not in any way part of the same team.

Well, that's expected when you hire an audit; it wouldn't make sense otherwise, but I get your point.

We're running on a 9k/month budget; it would mean consuming over 2 months' budget every time we push an update (and we push a lot of those to always keep it secure and up to date). So, this wouldn't be feasible for us at this stage.

Another specific proposal for the audit would have been enough then. It's good that someone else cared to do it though.

I would support it. It is something which needs done

Nice idea

!BEER

You got my vote

Sounds good but... after reading the comments, as a random Hive user without any influence at all, I find your lack of response to some of them a bit weird. Still, I'm ok with this and find it as something that is needed right now.

I'm not caught up with all the messages, but I'm doing a jam right now trying to knock out a product by the end of the weekend.

This is a great proposal and i support the audit.

It would make it more valuable to the hive community if an independent agency was also involved at some level in addition to your work.

Would this be possible?

I'd trust @themarkymark to do the job better and be even more trustworthy than unknown outsiders.

The simple truth is this stuff isn't easy to check, and paying for someone who already knows Hive intimately means we get that background knowledge for free instead of paying tens of thousands for someone new to come up to speed.

Couldn't agree more as he is a godsend helping others on here and is 1000% trustworthy. I would say it is an advantage to have someone on Hive look at it as they know all the ins and outs of where weaknesses could be and if there are any threats.


 2 months ago (edited)

If you want to pay another $24,000+ per audit, sure.

Make it happen Marky! I will support the proposal.


Audits are important ways of checking the safety of a blockchain. I believe @hivekeychain has this covered, but the initiative is good and I would encourage a follow-up with the team players or a write-up to support it; this might just be the right step in a positive direction.. 💪💯

I have the same trust or distrust in you or the devs. I don't know any of you, so for me it is just a waste of time and resources.

That's perfectly fine mate.

TNO is a point of view, but it doesn't get much done in the end.

Eventually we all have to make a decision and trust someone unless you're doing the crypto-maths to sign every post on Hive by hand.

Good work,

I would support this. !BBH


For what it is worth, my support is on this proposal.

Yes, I'd support this idea

I think audit should be done ✅
Agreed


Hello @themarkymark… I have chosen your post about “-Hive Keychain Independent Audit Proposal-” for my daily initiative to re-blog - vote and comment…
Let's keep working and supporting each other to grow at Hive!...

I love the idea!


Sure, why not. We are not giving enough money away at this point for Keychain.

An audit?? Sounds cool to me, now there'll be a check on every financial record.

Wow