Poll: MN Operators, please respond

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)


  • Total voters
    72

David

Well-known Member
Jun 21, 2014
618
628
163
I suspect there's general support for this though I fear the core team will try their best to down vote it. But I want to try anyway. If someone could submit this proposal for me, I'll gladly reimburse the five dash. Please, anyone?
No disrespect intended, but regardless of the passage of a proposal, you cannot compel another person/group to write code.
 

GrandMasterDash

Grizzled Member
Masternode Owner/Operator
Jul 12, 2015
2,960
1,140
1,183
No disrespect intended, but regardless of the passage of a proposal, you cannot compel another person/group to write code.
Yeah I guess, but they didn't mind asking to up the block size.. if we had said no, could we have forced them not to?
 
Reactions: TroyDASH

David

Yeah I guess, but they didn't mind asking to up the block size.. if we had said no, could we have forced them not to?
True...but the block size hasn't yet been increased. They haven't written and deployed the code yet. When they do, the masternode network essentially votes again: they either update, or they don't. So to answer your question: yes, an overall "no" vote would effectively have been binding (not through voting, but through not updating).

In any event, this topic has been discussed at length previously, and Evan said it was effectively impossible to run the MN network over Tor/I2P:

https://dashtalk.org/threads/which-masternode-model-should-we-implement.4115/

Tech may have changed since then, but at least at the time, it was a non-starter technically.

P.S. I agree with you in principle...I wish it was possible (and hope it one day will be) for masternodes to be completely anonymous. Feds knocking on the doors of people running Tor exit servers...that's some scary stuff.
 
Reactions: UdjinM6

n00bkid

New Member
Oct 25, 2015
26
38
13
The best way not to have a target on your back is for lots and lots of other people to be doing the same thing you're doing.

There are 3700+ masternode instances around the world on public IPs. The best way to protect yourself is for that number to grow, not shrink.

Dash on a slow anonymizing network will be the end of digital cash. Anything which slows down payments will end much of Dash's competitive advantage.

If you're not willing to take on some risk to bring digital cash to the world -- and to profit massively from it in return -- you needn't run a masternode at all.
 

GrandMasterDash

The best way not to have a target on your back is for lots and lots of other people to be doing the same thing you're doing.

There are 3700+ masternode instances around the world on public IPs. The best way to protect yourself is for that number to grow, not shrink.

Dash on a slow anonymizing network will be the end of digital cash. Anything which slows down payments will end much of Dash's competitive advantage.

If you're not willing to take on some risk to bring digital cash to the world -- and to profit massively from it in return -- you needn't run a masternode at all.
3700 MNs but 52% are sitting on just four cloud services.. that's centralisation.

For me, it's not a matter of risk, I simply wanted a better system for all of us. I'm not particularly bothered if dash does transform into a plc, goes legal, starts to do AML, blocking transactions and so on.. if that's the way it goes then so be it because I still have choice. But I am pointing out that dash is at risk of selling out and forgetting its roots.
 

David

3700 MNs but 52% are sitting on just four cloud services.. that's centralisation.

For me, it's not a matter of risk, I simply wanted a better system for all of us. I'm not particularly bothered if dash does transform into a plc, goes legal, starts to do AML, blocking transactions and so on.. if that's the way it goes then so be it because I still have choice. But I am pointing out that dash is at risk of selling out and forgetting its roots.
Please read the link I posted above. Dash isn't selling anything out--what you are wanting, while it would be wonderful to have, is technologically impossible (or at least it was a year and a half ago).
 

tungfa

Grizzled Member
Foundation Member
Masternode Owner/Operator
Apr 9, 2014
8,902
6,737
1,283
3700 MNs but 52% are sitting on just four cloud services.. that's centralisation.

For me, it's not a matter of risk, I simply wanted a better system for all of us. I'm not particularly bothered if dash does transform into a plc, goes legal, starts to do AML, blocking transactions and so on.. if that's the way it goes then so be it because I still have choice. But I am pointing out that dash is at risk of selling out and forgetting its roots.
I would not call this centralised
http://178.254.23.111/~pub/Dash/Dash_Info.html
 

tungfa

Try selecting the "Distr. per ISP" tab...

17.48 + 15.67 + 11.92 + 7.40 = 52.47%
Choopa, OVH SAS, Amazon Technologies, Digital Ocean are all cloud services

Four providers for more than half of all MNs
sure but that is the chicken / egg thing
cheapest best providers will get most, this changes by time as we have seen over the last year, back in the day it was all Amazon and everybody screamed centralised (good reason), now we have 4 (you are saying), give it another year and it will be 8 and so on ... tech catches up and hosting gets cheaper :rolleyes: and so more distributed
 

GrandMasterDash

sure but that is the chicken / egg thing
cheapest best providers will get most, this changes by time as we have seen over the last year, back in the day it was all Amazon and everybody screamed centralised (good reason), now we have 4 (you are saying), give it another year and it will be 8 and so on ... tech catches up and hosting gets cheaper :rolleyes: and so more distributed
That's not really the point. Even if you distribute between 8 cloud services, they're all sitting on public IPs and mostly on US soil. What would it take to effectively take 3700 servers offline? - not much. If they were operating over tunnelled services then at least it wouldn't be immediately obvious which servers they were coming from; we'd be buying some valuable time. It's no different when people say bitcoin mining is centralised in China.. so here we have a critical network doing pretty much the same thing.

Don't misunderstand me, I'm not anti-dash, I'm hoping for a better system for all involved. And I don't particularly care if dash takes this direction. I made this suggestion in the hope we can balance out our goals and not forget our roots, because right now it seems we sold our soul to fiat. At this point, I think there's a real chance that dash really will become Dash plc; putting profits before principles.

Anyway, regardless, it seems it's not technically possible so unfortunately we'll just have to make do with what we have.
 

crowning

Well-known Member
May 29, 2014
1,414
1,997
183
Alpha Centauri Bc
That's not really the point. Even if you distribute between 8 cloud services, they're all sitting on public IPs and mostly on US soil. What would it take to effectively take 3700 servers offline? - not much.
They could, with some serious efforts, take the 1200 US-based servers offline, which, by the way, could move somewhere else if needed. Maybe some more if you count US-based hosting companies.

The other 2000-something servers are outside of the US.

And, even when Americans often forget this, US-law does not apply in most of the civilized world.
 

GrandMasterDash

They could, with some serious efforts, take the 1200 US-based servers offline, which, by the way, could move somewhere else if needed. Maybe some more if you count US-based hosting companies.

The other 2000-something servers are outside of the US.

And, even when Americans often forget this, US-law does not apply in most of the civilized world.
Yes I agree. When I set up my MNs, I purposely diversified and I didn't put them on cloud services, and I also spent a long time trying to find reliable hosts, even though that means less profit... and finding reliable hosts is so much harder than it sounds.
 

Otaci

Member
Mar 5, 2016
46
49
58
Obviously fortunate enough to have not experienced bad hosts...
Uh, actually I have. I used a really, really, cheap provider. As soon as I realized there was a problem writing to disk, I deleted it and spun up a new server in another provider
 

demo

Well-known Member
Apr 23, 2016
3,113
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
I am not a Master Node, but I voted.

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 14 vote(s) 35.9%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 33.3%
  3. No, all MNs should run on public IPs 12 vote(s) 30.8%

The only way to compel core developers is to run Master Nodes that do not run their software, but (of course) they are compliant to the Dash protocol.

Which means that Master Nodes should NOT respect the decision:

"Masternode operators SHOULD be running 0.12.0.56 or greater!"
 

demo

I'm completely for MN anonymization in principle but I'm not sure if this is actually doable. Imo to do so we'd have to move the whole network to i2p (not sure if tor is applicable for this purpose at all). I mean not only (some of) masternodes but every single node/wallet out there because otherwise hidden part of the network will not be reachable by normal users (i.e. it will be useless for them) afaik. Of course we could use some bridges sitting on the edge of two networks and relaying messages back and forth but that would weaken network imo - instead of having 3500 connection points you'd end up with.. how many? 20? 200? Who will maintain them and why? You can't run them on masternodes because this will make no sense in terms of MNs' anonymization so there should be some volunteers who run them. Or should they be "sponsored" via blockchain maybe? Anyway, having that small number of reachable nodes... You know what will happen then? "DASH IS CENTRALIZED!!" and all that kind of stuff ;)
I don't know of any good solution so far.

Those who voted in favor of Master node anonymization, they have to answer the above quote.
Otherwise, even if a decision in favor of anonymity is taken, this decision cannot be implemented.

The core developer does not know any good solution so far. Does anyone know?
 

demo

Although I voted for complete anonymity, I think the solution is:

Yes, but MNOs choose IP based or anonymous

And the IP based Masternodes should be forced by the protocol to behave also as reverse proxies to the anonymous nodes.

Of course we could use some bridges sitting on the edge of two networks and relaying messages back and forth but that would weaken network imo - instead of having 3500 connection points you'd end up with.. how many? 20? 200? Who will maintain them and why? You can't run them on masternodes because this will make no sense in terms of MNs' anonymization so there should be some volunteers who run them.
So the answer is, of course we can run them on masternodes! Developers should create two types of masternodes, the anonymous ones and the IPbased ones (that are forced by the protocol to behave as reverse proxies to the anonymous ones).

It is important always to maintain both anonymous and IPbased Master nodes. Because in case the IPbased master nodes are attacked somehow, the network will remain alive and will be able to recover.
You could even force by the protocol for a percentage to be anonymous, and for another percentage to be IP based (but of course in that case masternode owners will not be totally free to decide the type of their node, they will be relatively free within a boundary)
 

crowning

I've had a second thought on this, and, aside from the fact that I'd help implement whatever will be decided, I think it's quite paradoxical to have a protocol running on a public network which itself heavily relies on public information (IPs, routing, broadcasting, etc.) and then try to hide exactly this information from the network.

Possible? Yes.
Easy or straightforward? Certainly not.

You can drive your car from A to B and destroy all traffic cameras and innocent bystanders who might remember your license-plate and which highway you were driving on, but the obvious solution would be to not use your car and public roads. Just sayin' ...
 
Reactions: AndyDark

demo

I've had a second thought on this, and, aside from the fact that I'd help implement whatever will be decided, I think it's quite paradoxical to have a protocol running on a public network which itself heavily relies on public information (IPs, routing, broadcasting, etc.) and then try to hide exactly this information from the network.

Possible? Yes.
Easy or straightforward? Certainly not.

You can drive your car from A to B and destroy all traffic cameras and innocent bystanders who might remember your license-plate and which highway you were driving on, but the obvious solution would be to not use your car and public roads. Just sayin' ...

This is not the real case, your case is wrongly presented.

The case is that you regularly use public roads, but just in case someone prohibits you to circulate, you must have some hidden roads as a backup. This is the reason why some anonymous masternodes are necessary to exist into the dash network, together with the IPbased nodes of course.

I think the best solution is to have a constant poll, and decide dynamically the percentage of the anonymous and IPbased masternodes. And according to this voted percentage, some masternodes (selected randomly) must be forced to change anonymity state in the runtime and become IPbased masternodes (and vice versa) having a reverse proxy functionality that points to the hidden network. The poll of course should be protected, decentralized and mirrored into all the anonymous section of the dash network.

It is very crucial to select randomly the IPbased and the anonymous masternodes in the runtime (according to the result of the appropriate poll that is always active, so that we can change the percentage of anonymous and IPbased masternodes in the runtime, according to the extent of the attack being made at the public dash network) because this randomness makes much more difficult the task of prohibiting the public dash network. The randomness can be calculated using appropriate cryptographic protocols, among masternode owners.

For example, let's suppose that the current result of this supposed permanent poll is the below:

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 15 vote(s) 37.5%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 32.5%
  3. No, all MNs should run on public IPs 12 vote(s) 30.0%
So we should have 37.5% of anonymous nodes, 32.5% free to choose by the MNO, and 30% IPbased nodes. The IPbased and the anonymous nodes should be selected by the protocol randomly according to the current vote result, and the lucky (or unlucky) MNOs should be forced (by the protocol) to respect the decision of the protocol.


I don't know of any good solution so far.
I gave a solution above, so what about it? What do you think?

UdjinM6, If you like my proposition, send me 0.00100000 dash here:

XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

I would like my first duffs into my wallet to be sent by you.
 

UdjinM6

Official Dash Dev
Core Developer
Dash Core Team
May 20, 2014
3,639
3,537
1,183
...
I gave a solution above, so what about it? What do you think?
...
I think it won't work because even though at some point of a time only some % of MNs are IP-based but since selection is randomized it should actually cover all MNs in a period of time and every MN will be effectively de-anonymized after a while.
 
Reactions: demo and AndyDark
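
The objection in the post above (a randomly rotated public set eventually covers every masternode) can be checked numerically. The following is an added example, not code from the thread or from the Dash project: it uses the thread's figures of 3700 masternodes and a 30% IP-based share, and assumes a hypothetical "epoch" in which the protocol re-draws the public set uniformly at random while an observer logs every IP that is ever public.

```python
"""Cumulative exposure under randomized public/anonymous rotation (illustrative model).

Assumptions (not from the thread): the protocol re-draws the public set once per
"epoch", uniformly at random, and an observer records every IP that is ever public.
Figures taken from the thread: 3700 masternodes, 30% forced onto public IPs.
"""
import math
import random


def expected_exposed_fraction(p_public: float, epochs: int) -> float:
    """Closed form: a node avoids every draw with probability (1 - p)^epochs."""
    return 1.0 - (1.0 - p_public) ** epochs


def epochs_until_exposed(p_public: float, target: float) -> int:
    """Smallest number of epochs after which the expected exposed share >= target."""
    if not (0.0 < p_public < 1.0 and 0.0 < target < 1.0):
        raise ValueError("p_public and target must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_public))


def simulate(n_nodes: int, p_public: float, epochs: int, seed: int = 1) -> list[float]:
    """Return, per epoch, the share of nodes whose IP has been public at least once."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    per_epoch = round(n_nodes * p_public)
    ever_public: set[int] = set()
    history = []
    for _ in range(epochs):
        # Draw this epoch's public set without replacement and log it.
        ever_public.update(rng.sample(range(n_nodes), per_epoch))
        history.append(len(ever_public) / n_nodes)
    return history


if __name__ == "__main__":
    N, P = 3700, 0.30
    observed = simulate(N, P, epochs=20)
    print("epoch  simulated  expected")
    for k in (1, 2, 5, 10, 13, 20):
        print(f"{k:>5}  {observed[k - 1]:>9.4f}  {expected_exposed_fraction(P, k):>8.4f}")
    print("epochs to expose 99% of nodes:", epochs_until_exposed(P, 0.99))
```

Under these assumptions the exposed share grows as 1 - 0.7^k, so the anonymity gained from rotation is bounded by how many re-draws an observer is able to watch.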

demo

I think it won't work because even though at some point of a time only some % of MNs are IP-based but since selection is randomized it should actually cover all MNs in a period of time and every MN will be effectively de-anonymized after a while.
You are right. Especially for static IPs. I'll come back with another proposition.
Do you consider dynamic IPs also as non anonymous?
 

UdjinM6

You are right. Especially for static IPs. I'll come back with another proposition.
Do you consider dynamic IPs also as non anonymous?
I doubt you can get dynamic IP for a VPS instance. And even if you could you can't just get IP you like - they are provided from (ISP provider's) pool of IPs afaik and IP is linked to the user at the time session is started so it is easy to find out who is/was behind some IP at some point of a time imo.

Few more thoughts on the issue itself - you provide some billing info to pay for VPS you use to run MN and basically that's how MN operators are identified. Some services allow you to pay via crypto though and that can be considered a bit more anonymous way for MN operator already imo, we just need more of them to accept crypto to solve our issue ;)
 

demo

I doubt you can get dynamic IP for a VPS instance. And even if you could you can't just get IP you like - they are provided from (ISP provider's) pool of IPs afaik and IP is linked to the user at the time session is started so it is easy to find out who is/was behind some IP at some point of a time imo.
Ok. Dynamic IP is not anonymous also.

So I consider that as long as you are baptized by the protocol to become an anonymous master node, there is no return. You always remain anonymous and your IP should never be revealed, if you keep your desire to remain an anonymous one.

I consider this as cornerstone specification, for my next proposal that will follow.
 

crowning

This is not the real case, your case is wrongly presented. The case is that you regularly use public roads, but just in case someone prohibits you to circulate, you must have some hidden roads as a backup. This is the reason why some anonymous masternodes are necessary to exist into the dash network, together with the IPbased nodes of course.
No.
As long as you use public TCP/IP networks you don't have hidden roads. Socket = IP+port. No way around that.

Existing anonymization implementations put a blanket over your head while driving, or change your car and/or license plate often, or let someone else drive with her car and hope she tells no one, or use a different road each day, or put your car on a truck to take it to a different place, or disassembles your body parts and transports each arm, leg etc. on a different road, or all of these together.

Like I said, it certainly CAN be done this way, but it's paradoxical to do it so.
 

demo

No.
As long as you use public TCP/IP networks you don't have hidden roads. Socket = IP+port. No way around that.

Existing anonymization implementations put a blanket over your head while driving, or change your car and/or license plate often, or let someone else drive with her car and hope she tells no one, or use a different road each day, or put your car on a truck to take it to a different place, or disassembles your body parts and transports each arm, leg etc. on a different road, or all of these together.

Like I said, it certainly CAN be done this way, but it's paradoxical to do it so.
No, you are presenting an inaccurate and confused case. Let's be accurate about what anonymous means.

Existing anonymization trip disassembles your car into several parts, it transports those parts into visible trucks (but opaque trucks so nobody can see what they carry inside) through public roads, but each truck follows a different public road. And then at the destination of the trip all trucks arrive not in the same time, they unload the part of your car they carry into your own room so nobody can see that part, and then you personally assemble the car.

This is the exact case of an anonymous trip. This is how anonymous drive their car.
 

GrandMasterDash

No, you are presenting a wrong, inaccurate and confused case.

Existing anonymization disassembles your car into several parts, it transports those parts into visible trucks (opaque trucks so nobody can see what they carry inside) through public roads, but each truck follows a different public road, and then at the end of the trip all trucks arrive not in the same time, they unload the part of your car they carry into the night so nobody can see it, they put those parts into your own room, and then you personally assemble the car.

This is the exact case of an anonymous trip.
Yeah, but it sounds better to say, "or disassembles your body parts and transports each arm, leg etc. on a different road". The most someone can find is one leg of the journey, which is completely armless
 

demo

This is my revised proposition.

I think the best solution is to have a constant poll, and decide dynamically the percentage of the anonymous and IPbased masternodes. And according to this voted percentage, new masternodes (selected randomly) must be forced to become anonymous and other new masternodes must be forced to behave as reverse proxies to the hidden network. The poll of course should be protected, decentralized and mirrored into all the anonymous section of the dash network.

It is very crucial to select randomly the IPbased and the anonymous new masternodes (according to the result of the appropriate poll that is always active, so that we can change the percentage of anonymous and IPbased new masternodes, according to the extent of the attack being made at the public dash network) because this randomness makes much more difficult the task of prohibiting the public dash network. The randomness can be calculated using appropriate cryptographic protocols, among masternode owners.

The old masternodes, as long as they are baptized and randomly took their anonymous state, they can remain (or even they are forced to remain) anonymous for ever.

For example, let's suppose that the current result of this supposed permanent poll is the below:

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 15 vote(s) 37.5%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 32.5%
  3. No, all MNs should run on public IPs 12 vote(s) 30.0%
So we should have 37.5% of anonymous nodes, 32.5% free to choose by the MNO, and 30% IPbased nodes. The IPbased and the anonymous nodes should be selected by the protocol randomly according to the current vote result, and the new arriving lucky (or unlucky) MNOs should be forced (by the protocol) to respect the decision of the protocol.

In our current case 100% of the nodes are currently in public IPs, so all new arriving MN should be forced to become anonymous, until the percentage 37.5%-32.5%-30% is reached.



I gave a solution above, so what about it? What do you think?
 

GrandMasterDash

This is my revised proposition.

I think the best solution is to have a constant poll, and decide dynamically the percentage of the anonymous and IPbased masternodes. And according to this voted percentage, new masternodes (selected randomly) must be forced to become anonymous and other new masternodes must be forced to behave as reverse proxies to the hidden network. The poll of course should be protected, decentralized and mirrored into all the anonymous section of the dash network.

It is very crucial to select randomly the IPbased and the anonymous new masternodes (according to the result of the appropriate poll that is always active, so that we can change the percentage of anonymous and IPbased new masternodes, according to the extent of the attack being made at the public dash network) because this randomness makes much more difficult the task of prohibiting the public dash network. The randomness can be calculated using appropriate cryptographic protocols, among masternode owners.

The old masternodes, as long as they are baptized and randomly taken their anonymous state, they can remain like that.

For example, let's suppose that the current result of this supposed permanent poll is the below:

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 15 vote(s) 37.5%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 32.5%
  3. No, all MNs should run on public IPs 12 vote(s) 30.0%
So we should have 37.5% of anonymous nodes, 32.5% free to choose by the MNO, and 30% IPbased nodes. The IPbased and the anonymous nodes should be selected by the protocol randomly according to the current vote result, and the new arriving lucky (or unlucky) MNOs should be forced (by the protocol) to respect the decision of the protocol.



I gave a solution above, so what about it? What do you think?
I think part of the problem is that MNs on the hidden network will see noticeably lower returns, which is perfectly okay if it's a completely free choice but not going to work for those seeking a higher return. Some people, such as myself, would accept lower returns, but not everyone.

Whatever happens, I think the devs should maybe take a closer look at this issue because this sample poll, albeit very small, is suggesting that 70% of MNOs want some kind of improvement to anonymity. And maybe they should try to modify how Evolution utilizes IPs just in case a technical solution is found sometime in the future.
 

demo

I think part of the problem is that MNs on the hidden network will see noticeably lower returns, which is perfectly okay if it's a completely free choice but not going to work for those seeking a higher return. Some people, such as myself, would accept lower returns, but not everyone.

Whatever happens, I think the devs should maybe take a closer look at this issue because this sample poll, albeit very small, is suggesting that 70% of MNOs want some kind of improvement to anonymity. And maybe they should try to modify how Evolution utilizes IPs just in case a technical solution is found sometime in the future.

I don't think this is a problem. Anonymous nodes could receive by the protocol some extra returns just for being anonymous. The percentage of the compensation for being anonymous could be defined in the protocol, or alternatively voted among the masternode owners.