Hive Keychain Independent Audit Proposal
Everyone loves Hive Keychain, it is the only way to use many of the Hive Dapps and still feel safe.
One thing that has always concerned me of Hive Keychain is it has never been audited by a third party. There are many situations that may arise that put users of the Hive Keychain extension at risk. Some of these don't even involve the developers of the extension themselves.
Hive Keychain relies on a lot of trust that it is safe and remains safe. Most users store their posting, memo, and even active keys in Hive Keychain.
I have consulted a few crypto software auditing companies to get a rough idea what it would cost to audit Hive Keychain for secuity issues and it isn't cheap. When you start trying to audit every release, it gets even more prohibitively expensive.
The cheapest I have found is $24,000 for an initial audit, with a 10% discount on future audits as code changes. That's another $21,600 for each release of Hive Keychain.
This proposal would provide one year of auditing of Hive Keychain, which I would do personally. I have first hand knowledge of the Hive Blockchain and experience in information security (it is in fact my career).
My offer
What I am offering is an initial and complete audit on the Hive Keychain extension on both Google and Firefox web stores. Once this is complete, I will monitor all future updates of the extension and audit the changes for potential issues. I will decompile and audit the actual released version of the extension to ensure I am looking at the code actually deployed in case for whatever reason it differs from the Github repository.
This audit is security focused only and will not look for bugs or optimizations.
I would ask for 61 HBD/day for 365 days, renewed yearly. To submit this proposal will cost 1 HBD/day beyond 60 days, the additional 1 HBD/day would be used to reimburse this cost. 60 HBD/day would be compensation for my time throughout the year. This would result in a total of 21,900 HBD, a few thousand under the lowest offer to only audit the extension once. I will provide that as well as future reviews in a reasonable time after new releases.
I believe it is critical a third party reviews Hive Keychain (me or otherwise) not only once but on an ongoing basis to ensure it remains a safe option for Hive users. This proposal would offer a independent and ongoing audit of the most critical critical piece of software used by most Hive users on a daily basis.
There is currently no active proposal for this audit, but if the community feels this is something they would support, I will draft it up and update this post.
Posted Using LeoFinance Beta
This is an excellent proposal and I will support it.
We are so reliant on Hive keychain and as more and more new Hive based apps come out I want to be able to sign into them using keychain without worrying that some new app might be an exploit of some keychain weakness.
I had blind faith in hive keychain. Never knew that it was not audited. Where can we check all the active proposals ?
https://peakd.com/me/proposals
!BEER
View or trade
BEER.Hey @themarkymark, here is a little bit of
BEERfrom @crypto-is-a-scam for you. Enjoy it!Learn how to earn FREE BEER each day by staking your
BEER.A couple semi-hostile questions in anticipation of a real proposal, so you can head them off:
Who are you, anyway, and why should we care? Why would the community support and trust your audit specifically?
What is the state of the Hive Keychain code? Is it open-source, and if not, could it be better to make the Hive Keychain code open-source for better community audits, perhaps after an initial audit as you propose?
I am Marky. I've built a reputation here, that I believe speaks for itself, love or hate it.
Someone should do it, it has been left undone for far too long. It should be someone with no ties or incentive from the original team. I have neither.
It is open source but unreviewed (as far as I know).
In my opinion, it is highly used and if something were to go wrong could potentially cause catastophic results.
Yes, I can verify that Marky is well known and has a substantial reputation on Hive.
I may not agree with him all the time but he certainly knows his code.
I know who he is. I've been supporting him as witness for ages.
I know this. I would hope others do. But it's something you still should note in any official proposal. At least a couple lines.
Agreed. I think it is worth the effort.
!BEER
View or trade
BEER.Hey @themarkymark, here is a little bit of
BEERfrom @crypto-is-a-scam for you. Enjoy it!Do you want to win SOME BEER together with your friends and draw the
BEERKING.I'd support this.
If anyone should do it, it should be you. I was just chatting with @bleepcoin last night and told him that you have given me a few good security recommendations, with my favourite being Bitdefender.
Anyway, you have my vote mate.
Cg
I'd support this proposal, good idea
I like this idea and while some would ask why you, the fact you have so much at stake actually give me confidence. Somy major question is ... what if you do find something? What will be done and what would your proposal be?
I would immediately cease using it and report it publiclly. The risk exposure is huge if there are any issues, but I don't suspect to find anything to be honest.
Thanks for the reply, actually one more reason I would suggest you do it over a third party, your reach would mean people would pay attention
!BEER
View or trade
BEER.Hey @themarkymark, here is a little bit of
BEERfrom @crypto-is-a-scam for you. Enjoy it!Did you know that you can use BEER at dCity game to **buy dCity NFT cards** to rule the world.
This is a great point and it would be good to outline before work begins what types of actions would be taken in different scenarios.
Who would access the severity 9f the risks. Etc. If you find something how is it communicated to the community.?
I have the same trust or distrust in you or devs. I don't know any of you, so for me is just a waste of time and resources.
Posted Using LeoFinance Beta
That's perfectly fine mate.
TNO is a point of view, but it doesn't get much done in the end.
Eventually we all have to make a decision and trust someone unless you're doing the crypto-maths to sign every post on Hive by hand.
Good work,
It will certainly get my support (even though that's not much). I use the keychain daily and it would be nice to know someone is looking at the code to make such it is safe
On a side note, how safe is the kiwi browser? (If you've come across it). It is a browser that always mobile users use google extensions like hive keychain on their phone
I have heard of it, but I have not used it. I haven't really had a need to run extensions on mobile. I run very few extensions personally.
Yeah, I remember your post on web extensions and the security risk they pose which is why I use very few myself.
I would support it. It is something which needs done
I think that this proposal is very interesting, is important to have our security standards high but I'm confused, shouldn't be the Keychain team who has to hire that auditory?. They could make their own proposal, or afford it directly. After all is their service the one that will have the benefit of it.
I think that I'll support this anyways but any answer is welcome.
The idea is having an independent part that is not in anyway part of the same team.
Well that's the expected when you hire an auditory, wouldn't have sense otherwise but I get your point.
We're running on a 9k/month budget, it would mean consuming over 2 months budget every time, we push an update (and push a lot of those to always keep it secure and up to date), So, this wouldn't be feasible for us at this stage.
Would have been enough with another specific proposal for the auditory then. Is good that someone else cared to do it though.
This is a great proposal and i support the audit.
It would make it more valuable to the hive community if an independent agency was also involved at some level in addition to your work.
Would this be possible?
If you want to pay another $24,000+ per audit, sure.
I'd trust @themarkymark to do the job better and be even more trustworthy than unknown outsiders.
The simple truth is this stuff isn't easy to check and paying for someone who already knows Hive intimately means we get that back knowledge for free instead of paying 10's of 1,000's for someone new to come up to speed.
Couldn't agree more as he is a godsend helping others on here and is 1000% trustworthy. I would say it is an advantage to have someone on Hive look at it as they know all the ins and outs of where weaknesses could be and if there are any threats.
Posted Using LeoFinance Beta
Good proposal.
Some questions:
Does it include the mobile version? ( i don't use, but i expect some do).
Is the reference worth something? So can we tell it is reviewed and safu? Like the Defi protocols?
And IMO Keychain was simple in most parts ( from key storage). I think transactions and things like that can be easier manipulated. But keys should be safe because is open source and on the browser (local) pretty decentral.
If a website can access it, it must be also encrypted. I think the most easy scam is, you post something and the website sends a transfer massage. Missclick = lost funds (if active is in it).
And does it really help? I ask because of updates.
Today safe, it doesn't mean after someone accesses Mozilla or google account, it can not change.
Most Apps on those stores become problems ( from security) after the owner changes/updates.
Posted Using LeoFinance Beta
No, I don’t think it’s open source but not 100% sure. I also have no way of confirming what code is running on the device.
Ok,
I see the biggest risk in updates and not in the current code. Only manual no update installations are safu IMO.
But that is really unrealistic for everyone :)
The mobile version is 100% open source and can be found at https://github.com/stoodkev/hive-keychain-mobile
I suspected it may be, but I honestly didn't check as the user base is much smaller than the browser extension and there is no way to know for sure what version is running.
Can you elaborate more on your IT security background? I have a similar background, and others on the blockchain do too, so it would be good if we can get a sense of your experience in this area.
How do you think this proposal compares with something like putting together a budget for bug bounties to incentivize security researchers to find issues?
Been doing IT since high school when I started a company at around 15. I have been running an information security company for over 15 years.
Bug bounties are typically a lot more than what I'm asking for and generally have a much larger user base to work with. They don't have to be mutually exclusive.
I would support this. !BBH
Because this is such an awesome post, here is a BBH Tip for you.
. Keep up the fantastic work
For what it is worth, my support is on this proposal.
Posted Using LeoFinance Beta
Yes, I'd suport this idea
I would support this rather than an outside organisation as I believe in trust based systems. All I know of Marky is he has a swimming pool and writes knowledgeably on issues of IT security.
We use trust, perhaps more than we realise here and its a foundation of humanity that needs encouraging and as a Yorkshireman, saving a few quid is somewhat appealing!
I also have a cat.
😍
@themarkymark, well, I love cats, so sold🙌😜Seriously though, I think you've made an excellent point on the need to audit the keychain. I'm an accountant and we go through the audit drill a couple of times a year. If there is a security flaw to find, it's far better that an audit uncovers it than it be exploited by someone looking to make a quick buck at the expense of everyone who has worked so hard and diligently to create an incredibly rewarding social and financial hub here on Hive. I am not always one to look immediately for the cheaper option to resolve issues but I am one for being realistic about the spending capacity available (I'm super familiar with budgeting lol) My view is that if we can't afford the sky-high prices of external audit firms then we need to decide whether we want to continue with no auditing controls in place (and stick our heads in the sand, fingers crossed that the software will remain immune to attack in a world where every hacker wants to lay their hands on the wealth of others) or whether we want to think a bit outside the box and make use of the resources available to us eg: Marky alone and/or giving out the task to perhaps Marky and one other (as a collaborative duo - although not sure if this is something Marky would be open to), who together may have the combined IT audit experience and technical insights and experiential history with Hive to produce an audit result that instills confidence in all. Alternatively, we give Marky a shot at a first audit and go from there... what have we got to lose, besides a few Hive. Better than losing the entire house IMHO. Can anyone explain how long the current defactoring process is expected to take? Are we prepared to have the keychain in its current form unaudited until such changes take place? How does the funding to keychain work, as in who funds it? Being short-sighted when it comes to issues of importance like this is not an ideal approach. If we aren't prepared to pay to protect the keys to our house, we can't come crying when the burglars break in and steal our life savings. So, yes I would support the proposal.
I never thought about all the risk involved in that and I had no idea Hive Keychain was not audited.
I think it's good that this is coming from someone with a lot of skin in the game so it has my support
Posted Using LeoFinance Beta
If I remember correctly listening to one of your interviews, there was actually a bug in hive keychain that caused your power down to reset in the steem/Hive split.. and that cost you some cash as your steem was confiscated.
Do I have that right? and is that bug fixed? that would be the first place you should look.
I am supportive of an Audit, but I would have thought if there is a vulnerability it would have been exploited by now, given the market cap of Hive is in the 100m+. Its more for the reassurance that future updates and that's why I am supportive.
Yes, I had actually started my powerdown shortly after the Justin Sun and Ned Scott "ask me nothing" show. I knew at that point Steem was fucked. I would have had 90-100% of my Steem powered down by the time they came around to steal it. Instead, about halfway through my power down was canceled due to a bug in the earlier build of Hive Keychain that sent transactions to Steem by mistake.
Long since fixed.
I would support this. I think we have seen at least in the DeFi space how important audits can be. With the number of people using Keychain and the amount of money in transactions that take place every day via the extension, it is important to make sure it is secure. Draft it up! I will vote!
Posted Using LeoFinance Beta
I would support this, but what I would like to see as well is, that you let this company do an external audit of the hive-keychain code once per year as well. The more eyes on the code, the better. Maybe even combine this into one proposal? Or make two.
You are correct that the keychain-app is of utmost importance and a critical security hole could have catastrophic consequences. Going forward I think we should use our funds to assure that this nightmare scenario never happens.
If someone wants to pay the $24K for it, by all means.
Nice idea
I think audit should be done ✅
Agreed
I was using hivesigner before. I just started using hive keychain. I was wondering how safe it is. I saw that many of people I know and trust on Hive recommend it. Based on my trust on these people and on hive block chain in general I decided to trust the keychain. But it is an excellent idea to have it audited. I will support the proposal.
hi,
my question is have any/all of the other keysigners been audited in the past?? or would they need to as well?
None have as far as I understand.
Hello @themarkymark… I have chosen your post about “-Hive Keychain Independent Audit Proposal-” for my daily initiative to re-blog - vote and comment…
Let's keep working and supporting each other to grow at Hive!...
Make it happen Marky! I will support the proposal.
Posted Using LeoFinance Beta
I'd support you. Not sure my support means much—I've been here nearly as long as you have, but I am neither as invested nor as well networked. Regardless, I'd support your proposal.
The audit report would have to have your company name or at least your name and credentials/certs on it to be taken seriously. It can't just say "prepared by themarkymark". Are you prepared to disclose this level of information?
I love the idea!
!BEER
View or trade
BEER.Hey @themarkymark, here is a little bit of
BEERfrom @crypto-is-a-scam for you. Enjoy it!Learn how to earn FREE BEER each day by staking your
BEER.I would not support such a proposal as you have presented it to us.
You refer to "external prices" to support your valuation but do not provide any information about them (company names, offers, ...). It would be nice to know more about the proposals you received.
You also do not provide an estimate on the volume of work that such an audit represents. It might be good to know how often Keychain undergoes updates, either to adapt to the change of the blockchain code (hardfork) or to integrate new functionalities. Have you ever inquired about this?
More important is the timing of your audit. Did you know Keychain is under heavy refactoring? It would be quite wasteful work to do an audit before this major overhaul has been done and released.
I'm also surprised you do not plan to audit Keychain Mobile and wrote in a reply you do not know if it is open-source. Yet it is easy to find (https://github.com/stoodkev/hive-keychain-mobile) as it is the last and most updated repository from @stoodkev on Github.
It would be a shame to do things halfway. While I understand that it is difficult to certify that the executed code of an application is the same as that of the repository, it would still be good to ensure that the available code is safe.
Add to this that @stoodkev does not hesitate to present himself publicly, which is not your case, and him having as good a reputation as yours, we can have good reason to trust him that he doesn't cheat when he pushes the app to the stores.
Finally, I would find it more appropriate to make a proposal to fund the initial audit once it is done and to proceed in the same way when there are updates to Keychain. If the quality of the first one is there, there should be no problem approving the following ones.
You got my vote
What credentials do you have as an auditor ? The value these audit companies bring is not really code review but in depth knowledge about everything related to computer security.
IHMO I'd rather see an audit company where it's their bread and butter perform the audit instead of you (no offense), and where you take a cut and provide assistance with your hive-specific knowledge
i found him to be someone that refused to debate
don't care if you believe it or not, i have come to see
the earth is indeed flat, markymark made a post decrying the opposite and then didn't engage my comment
https://hive.blog/science/@klevn/qjf4zz
those with closed minds often have an agenda
and they aren't sharing, and that is not secure
i also suspect he got steemflagrewards to downvote me, as it was received almost immediately upon posting
who runs them if he doesn't and why was this post downvoted by them? did i say something offense other than to ask for proof?
BAHAHAHAHA
That's the funniest shit I read today.
I know am late at the party but still funny ass shit. Your flat earth reply that is.
typical zero content flat earth denial reply.
can't refute anything specific, can't be debated
seek the reactionary and hope people ignore and refuse to engage
LOL You some kinda funny as shit.
Was there a documentary made by flat earthers once where they had these instruments that proved their theory debunked?
there have been many attempts to provide 'flat earthers' being debunked
but none have actually gone after Eric Dubay.
here is a real documentary
here is a real website from and by flat earthers
https://ifers.123.st/
wonder why flat earth society exists, is referenced by obama, and yet is actually considered a fraud by flat earthers? that is how big this lie is .. all the way to the president of the united states
smoke and mirrors that is all I am seeing right now and emus with their heads in the sand.
Galileo was held in confinement for arguing that the earth was round some 2 centuries or so ago and here you are today trying to revive an archaic belief that the earth is flat.
Kinda reminds me of the magic Mormon glasses.
proof is proof .. a man confined is not proof
debate using reason and logic or not at all
ironic is it not .. that you are the one arguing without these things
while claiming my understanding is the archaic one
Ahh so you want me to link websites as proof.
Ahh you want reading material which you probably won't read.
Ahh you want me to give you something that you will believe to be true if you read them?
Because I am not claiming anything here, your the one claiming the earth be flat like Kid's flat top.
Because I am not claiming anything that is already widely acknowledged as opposed to some dude claiming they know the secret.
Maybe if you save you money and build yourself a spaceship and go into space and show this proof of yours other than links to someone else's ramblings.
I think you need to lay off the drugs man. The hardcore drugs from links you feeding your brain with.
And yes your understanding is archaic.
look at all those words, and not an ounce of proof.
suez canal is 100 miles (straight line) .. it is level the entire distance
ball earth predicts 100+ ft of change .
you can't explain that, and your ball earth believing friends excuse this .. because your beliefs..
are the archaic ones
Here, hope you get a hard on because you managed to get me to find something as a reply.
makes zero sense.
i just said the canal was level, across 100 miles.
and you present me with a picture..
that has a bevel in it .. claiming that is just how it is
you have only proven you don't understand what level means
I think you think you some kind of smart person.
Picture shows what you just purported. The level LOL
Emu with its head in the sand. Ever heard of gravity? Newton? Apple falling from a tree? The gravity equation? Physics?
It's ok, you don't want to admit you are wrong, probably because you have invested so much of your time and effort. Along with purchasing what ever quack pot ideas these snake salesmen have sold you.
Science...
But then again I know what you really want. A free ticket up into space by arguing your point until someone wants to shut your mouth with the truth by paying for your fare up there.
Here so you can understand what it is that is level. Am sure you won't watch because it will just prove you wrong.
yup, and it is unprovable garbage
yup
ever seen an apple fall in water? what happened to your gravity?
equation of an apparent physical phenomena .. labeled to be something beyond boyancy with zero proof
passed college level physics
science is observation of physical reality. you are viewing reality thru a corporate lens that is profitable for many but actually fails to stand up to reality tests. right now there is a 70% failure to reproduce a scientific study .. your scientific world has walked away from reality around the time of Tesla .. in which he stating basically .. we have gone further and further from reality into a theoretical world.
no, i want to stop wasting BILLIONS everyday what returns nothing.
nasa has more cgi computers than hollywood. nasa uses more helium than pretty much anyone.
why? weather ballooons and cgi are what they do
that, and pay to people lie.. and force people that give conclusive evidence to go away
https://earth.nullschool.net/ <- this used to have a flat earth map that when viewed on a live map of live earth made it clear the reality made more sense as you saw the flow of consentric of temperature and wind around a north pole. THEY REMOVED THIS FROM THE WEBSITE .. DELETED IT FROM THE GITHUB .. and broke their own project .. yet never said why ..
i put the project back together and proved it was NOT accidentally broken.. but purposedly broken ..
archaic, false beliefs require removal, destruction of truth to survive.. and I have witnessed numerous take downs of flat earth ideas .. not by truth.. but censorship without reason.
Tesla's theory of ether was disproved by Einsteins 'special relativity' which says nothing is faster than light
this proves something is faster than light, disproving Einstein and proving Tesla correct
the scientific world still has not fixed this error.
the incredible number of lies we live with.
your 'science' is anything but trustworthy these days.
Dafuq. Did you pull that from your arse?
That's well out of left field and a total red herring.
Based on what you say you must be some kind of mystic then and flat earth is just a feeling and not founded on anything other than wanting a safe space.
literally nothing said above is mystical.
you are having trouble distinguishing reality.
you never miss an opportunity to put me down.
but it appears that is your entire defense..
the funny part is when folks actually investigate this for themselves and discover all the laughing was at them...
You are absolutely correct. I am putting you down as much as I can, not because it makes me feel good, its just because I think your reality is not the same as my reality. You living in a parallel dimension and have inadvertently arrived here in my reality.
And you not even looking at what you said that makes what you say mystical if I have to believe what you are spouting.
yet I point at mountains that can be seen from hundreds of miles .. all the way down to the base
the fact you don't understand the implications of this is not a fault in my presentation
but your inability to understand is directly related to your belief you are correct in the face of facts that defy your reality .
yet you literally have nothing that 'proves' your point..
you have nasa (big gov)
you have space x (big corp)
i have videos of bubbles in space
i have pictures of prop rocks present ON THE MOON from the official photography
you believe a man stepped onto soft moon dust after have landed using jet propulsion landing system .. that was only tested once and crashed during that test
literally nothing about your reality stands up to scrutiny.
still laughing at the suez canal picture you presented. literally stated the canal was 100% level and you present a picture with a curve ..
All good, am sure your staunch belief will hold you steady.
you ran away from providing the curvature of the earth formula
you lie and you know it
Would there be anything that could change your belief that the earth is not flat?
i looked vigorously for proof that the earth is a ball .. it was because my search failed that I became a flat earther
is there anything that could change your belief that the earth is a ball?
because we are spinning at 1000 MPH (supposedly) .. this would be our water .. gravity is unprovable but the force seen here flinging the water into the air .. is in fact very provable
because I have already given you multiple examples you fail to counter
suez canal is level for 100 miles and you provide a curved earth picture claiming that level is relative
no, level means level ..
source
relative level wouldn't provide a perfect mirror that we see here..
or long trail of the sun at sunset...
source
how many miles is that? yet it is a perfect unbroken line from you to the sun.
I listen and welcome all new information
information sources not accepted: big gov, big corp .. should be simple right?
So you searched out in space?
how many feet of concrete is require to make perfect vacuum?
10 feet, of reinforced concrete
and we have people going up in tin cans, thru the thermal sphere
the hilariousness of this is beyond funny, and you either understand it fully and are ignoring it .. or ignorant and blindly following lies given to you
the one time we tested a 'space suit' by putting the guy in the vacuum chamber .. the water on his tongue started to boil and he passed out
http://www.spacesafetymagazine.com/aerospace-engineering/space-suit-design/early-spacesuit-vacuum-test-wrong/
this is the first and last time they ever tested a suit in a vacuum .. how can this be?
Anyway, its been fun listening to your delusions. Am sure there are lots of you that have this delusion. I am calling it quits because frankly I have not found any value to your point other than you are anti establishment. Am sure you have had been screwed sometime in the past by something and therefore are this way.
So I bid you adieu, take care and hope you don't fall out of the cuckoos nest or the edge of the earth. Which ever one comes first.
curvature of the earth formula
you know you can't find it
you sir, are delusional or a liar
since you like things to be official, here is nasa
government documents refer to flat earth
There is such a thing as difference in opinion. Mine is just the truth and yours is just hot gas flowing coming out of your mouth.
the difference being you like to make snide comments
i provide proof that makes sense
gyroscope, once setup properly will remain constant in space .. we have videos of them spinning perfectly in place for over 24 hours
yet we are supposedly spinning at over 1000 mph, flying around the sun, and spinning around the galaxy, and flying away from 'the big bang'
link that video
haha holyshit they have all been replaced on youtube with flat earth denial videos.
https://hive.blog/video/@klevn/re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-terenceplizga-re-einarkuusk-0bl2cofu-20180123t233306790z
https://hive.blog/video/@klevn/re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-uvas-re-klevn-re-terenceplizga-re-einarkuusk-0bl2cofu-20180124t140414392z
i had posted them here, and now they are all actually ball earth videos. literally changed them.
you can clearly see by the follow-up comments that they are in fact what I say they are or the guy i was talking to would have laughed. (he was alot like you)
whatever, it is going to get harder and harder to prove what multi-trillion dollars wants to hide
i might have saved them, I will look later
Or here's another for you. Again you will just be like the bearded dude jumping up and down denying they are wrong LOL
Wiggle room to just make shit up. Head in the sand.
providing a commercialized video that exactly goes against what individuals have proven..
here is a $10,000 challenge.. why nobody has won yet?
literally the picture you showed is wrong, you are wrong.
we can see mountains we can see from over 100 miles away .. all the way down to the base
we can see the 'all day sun' at latitudes physically impossible for a 'ball'
please find curvature of the earth formula on wikipedia so we can both be clear..
that it doesn't exist
Been running an Information Security company for over 15 years as I said elsewhere. I haven't formally audited software as business, but I know code, I know security, and I know Hive. It's more someone should do it, and it is constantly changing and would be really expensive to have a professional orgnization do it when it is updated.
To be honest, with Keychain approaching $400K in DHF funding, third party auditing should be baked in, it is used by almost everyone and has ultimate access to keys.
According to a quick search on HiveSQL, we've received 111,561.960 HBD so far (+16k SBD before HF). I don't know how you got to 400k.
Our current funding is 9k/month, an external audit at the rates you've presented would have set us back several months in development at each release.
It’s on the third year of the proposal.
he has hacking and money taking for free skills
Hi Marky this is a no brainer as if this doesn't happen it could be seriously bad. We are talking many users who use this and as Hive goes up in value plus the stakes are getting bigger. $21K is nothing compared to what could be lost. I will back this proposal and I am sure others would to. I am glad you are around as how many times have you helped me already.
Posted Using LeoFinance Beta
Audits are important ways of checking the safety of blockchain, I believe @hivekeychain got this covered but the intiative is good and would encourage a follow up with the team players or a write to support, this might just be the right step to a positive direct.. 💪💯
Overall chain sentiment would be effected if Keychain is compromised.
Not sure the question, Hive is filled with white hats, gray hats, and black hats just like any other community.
I think it should be more of a community driven project. I think you raise a great point though. A lot of companies also fund hackathons.
Sure, why not. We are not giving enough money away at this point for Keychain,
I would gladly support auditing Keychain, we are usually posting very frequent updates, which would make repeated external audits very expensive.
After reading the comments section, I do have a few remarks and questions though:
The project started small and grew fast, and that led me to decide to start a refactor a few months back, that will hopefully be ready by year end. We are rewriting the entire code base using React.js, is it a library you are comfortable with? Also, this means that depending on when you start, you'd have to review the entire code twice.
Yes, Keychain Mobile is 100% open source: https://github.com/stoodkev/hive-keychain-mobile
I would also like to see the question of your credentials being addressed. Not that I don't trust you have to skills to do this, as you put it, you've built a reputation here. However our ecosystem is growing faster than ever and your reputation won't mean much to new comers. Could you include a list of relevant projects that you've reviewed/audited in your proposal?
An audit?? Sounds cool to to me now there'll be a check on every financial record.
Wow
Sounds good but... after reading the comments, as a random hive user willout any influence at all, i find your lack of reponse to some of them a bit weird. Still im ok with this and find it as something that is needed right now.
I'm not caught up with all the messages, but I'm doing a jam right now trying to knock out a product by the end of the weekend.
ok, even I hate you, I support this.
LOL audit from a guy who made money stealing from others using free bidbots not paying correctly back and hacking steem games
Making shit up now because you are getting flagged?
Can't say I'm surprised.
nah i knew it way before just never spoke. proof me (actually not me as thats others) wrong
plenty people here who can track you and your bot to see you never paid to get any of the HIVE/STEEM just got it free from the bots and hacking 1 game
@blocktrades @g2g @gandalf @aggroed @neoxian and others im sure u can scan for this to proove me wrong. despite im not but i didnt tag here people who are aware of this.
My penis. Suck it.
What game I hack?
Keychain stopped working last night for delegations? What's going on?
There is a blank there now?
Yeah we need an audit. Would be best if it was some 3rd party though, like these two!
I just did a delegation using it, and it worked fine.
Try restarting your browser, also check if you are using latest version of Keychain. Do a search on Chrome web store for 'hive keychain' and check version numbers.
O.K, good to know. Yeah must be my cache, or my version needs an update. I was about to try that next. Yeah I never have any problems with it before. Once last week it acted up, but besides that it's the best. Thanks
Nice
Audit's of this sort are never a bad thing.
This is especially beneficial if Hive ever wants to deal with a 3rd party. Financial institutions always demand some sort of SOC audit when doing business. It will make hive seem more legit.
Posted Using LeoFinance Beta
I'd support this.
Did this ever happen; would be good to see an audit.
No. It didn't seem in the cards.
Pity; this seems a no brainer for the community. Who does it is perhaps a separate debate but having it would seem essential to me.
Funny. That's all I can say. Let's see how it goes.
It didn’t.