tag:blogger.com,1999:blog-8764541874043694159.post2859172702725943134..comments2024-03-28T07:33:46.151+00:00Comments on Coppola Comment: The Fat Controller of the Lightning NetworkFrances Coppolahttp://www.blogger.com/profile/09399390283774592713noreply@blogger.comBlogger18125tag:blogger.com,1999:blog-8764541874043694159.post-12738759886952751472018-04-12T14:12:44.822+01:002018-04-12T14:12:44.822+01:00No, that's why specific legislation was passed...No, that's why specific legislation was passed to cover temporary appropriation of vehicles. (Sec 178 Road Traffic Act 1988). It's commonly called "Taking without Consent". because the Theft law can't be applied to a taking a vehicle when there is only an intention to Joy Ride and later dump the vehicle.<br />Theft of a motor vehicle (under the Theft Act 1968) is usually charged for cases where the vehicle is stolen for resale or export, ie. where there is an intention to permanently deprive.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-87321350951032679712018-04-11T23:01:27.616+01:002018-04-11T23:01:27.616+01:00Taking someone's car without their agreement, ...Taking someone's car without their agreement, even temporarily, is theft. That is how it is regarded in legal systems throughout the world. Why do you think coins should be different from cars?Frances Coppolahttps://www.blogger.com/profile/09399390283774592713noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-81584774866280165192018-04-11T20:13:44.755+01:002018-04-11T20:13:44.755+01:00Taking someone else's coins without their agre...Taking someone else's coins without their agreement, even momentarily, is theft.<br /><br />No it isn't. Theft is:<br />"Dishonest appropriation with the intention to permanently deprive property belonging to another"<br />Momentarily is not permanent.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-16845440201091505252018-01-22T23:43:27.310+00:002018-01-22T23:43:27.310+00:00I think it is good to stress the point that there ...I think it is good to stress the point that there is, at this point anyway, no formal distinction between fat nodes/hubs and 'normal' or user nodes. A hub is just a node as any other node, but with larger funding and lots of connections. So hubs are emergent: they can come into existence, even maybe for a few days or hours, and then shrink again to lesser nodes, or completely disappear. There's a gliding scale between the smallest node and the biggest hub. Any size in between in possible. The market will dictate the optimal distribution of node sizes.<br />Maybe in the future LN software _will_ make the formal distinction between different kind of nodes (a bit like the current Master Nodes of Dash). Interesting to see how that will play out.TeringNeringhttps://twitter.com/@teringneringnoreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-27665405147939015512018-01-19T15:10:46.679+00:002018-01-19T15:10:46.679+00:00I'm afraid the sender does need agreement from...I'm afraid the sender does need agreement from every single one of the participating nodes in order to proceed with a multi-hop payment. That is what I was told by a Lightning dev yesterday. <br /><br />It is blindingly obvious why remote nodes require a legal agreement with the sender, and I explained it in the post. The design as it stands is a money launderer's paradise. Intermediate nodes are blindly forwarding money whose source they don't know to a destination they don't know. If the design were coercive as I discussed in this post, then they could at least argue they had no choice but to forward the payment. But as they can choose whether or not to process the payment, they would be held legally responsible if the funds they forwarded turned out to be fraudulent. Therefore, they need a legal agreement that the sender bears all responsibility in the event of a lawsuit. "I didn't know the money was dirty" is not a defence. <br /><br />There is a second reason why remote nodes need a legal agreement with the sender, and that is the fact that they are committing funds which will be encumbered until the final payment is made. They can't make a reasonable decision whether or not to commit their funds unless they know who the sender is, the recipient is and the length of the chain. Blinding the intermediate nodes destroys their ability to make a reasoned choice. It might as well be coercion. Frances Coppolahttps://www.blogger.com/profile/09399390283774592713noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-88047871846438584372018-01-19T14:13:06.122+00:002018-01-19T14:13:06.122+00:00> You do not have any legal agreement with node...> You do not have any legal agreement with nodes 10 steps removed. I pointed that out in my original piece. You don't have any right to construct a path that coerces remote nodes with which you have no agreement to forward your payment without their consent.<br /><br />Why would you need a legal agreement with a node 10 steps removed? You do not need node 10's consent; only node 9 needs node 10's consent. You need to have an agreement with node 1 (your channel partner), who has an agreement with node 2 (their channel partner), who has an agreement with node 3, and so on. If node 10 inexplicably denies the request from its preexisting channel partner node 9 (which I think would require modified software), then of course the path fails and a new route must be found.dominionhttps://www.blogger.com/profile/15306351897354434039noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-90313108132849139372018-01-19T13:26:37.413+00:002018-01-19T13:26:37.413+00:00> "Risk is never zero."
There's ...> "Risk is never zero."<br /><br />There's no counterparty risk in the usual sense though, because the protocol guarantees atomicity of transfers i.e. the protocol only allows two outcomes, either the transaction (and all adjustments/whatever inbetween) happens, or nothing happens. There will never be a situation where one or more intermediary nodes are sitting on pending balances or similar, waiting for the ultimate recipient to receive payment, for example.<br /><br />There is always the risk that the protocol itself is broken/has bugs, of course.dominionhttps://www.blogger.com/profile/15306351897354434039noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-24778516695651951082018-01-19T09:05:07.820+00:002018-01-19T09:05:07.820+00:00It is indeed analogous. It is also somewhat curiou...It is indeed analogous. It is also somewhat curious that Tor is allowed. Technically it can be banned, using the same processes as used for say taking down child porn hosts (as there is a global consensus, anyone doing it openly gets shut down). <br /><br />It seems that so far the powers that be in enough Western countries have decided that a little bit of child porn and drug trading (a drop in the ocean compared to street dealing anyway) is worth paying for the positive uses of Tor as a weapon against censorship-prone regimes.<br /><br />It's not obvious that they'd be as tolerant of underground payment systems... If LN takes off it's likely there will quickly be 2 of them: because the channels involves trust and trust is transitive, it will only take a few major players within the KYC-sphere for transitively everybody in the network being taken in, excluding dark net use, which is still the main use case for cryptocurrencies. <br /><br />Next step is a second LN network (no technical reason to have a single instance) that is the opposite: where nodes get kicked out if they are known to collaborate with the clear world. But then the dark-only LN is an easy thing to ban (make it illegal for clear shops to interact with it, possibly criminalise use by punters).cighttp://commentisglee.wordpress.com/noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-62452509403240844562018-01-19T03:41:47.126+00:002018-01-19T03:41:47.126+00:00Tering Nering,
Risk is never zero. It is extreme...Tering Nering, <br /><br />Risk is never zero. It is extremely foolish to assume that it is. Developers are not gods. They do not know everything. If developers assume there is no risk, they will not defend against that risk, and that can be disastrous. They should defend against risks they don't expect ever to happen, simply because in some state of the world they could happen. Financial systems should be built to defend against all identifiable risks, however unlikely they appear. I speak as a former financial systems designer and developer. <br /><br />On your other point: I agree that network routers are "blind" to the content they transfer. But Lightning goes beyond that. It deliberately conceals participants from other participants. That amounts to designing money laundering facilities into the system. Frances Coppolahttps://www.blogger.com/profile/09399390283774592713noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-46681608861086733712018-01-19T03:05:14.736+00:002018-01-19T03:05:14.736+00:00Hi Stephen,
I do now! I have been talking to Lig...Hi Stephen, <br /><br />I do now! I have been talking to Lightning devs. It seems my first post was broadly correct: senders may choose the path, but they can't force nodes to participate. If nodes don't participate, the payment fails and the sender must choose another path. <br /><br />Mapping and testing the route up front eliminates the recursion and "wandering" problems that I identified in my first post, but it doesn't eliminate the "no viable path" problem. Clearly the fallback position must be for the payment to go via the blockchain if no path can be found, but you are the only person who has said that this could be automated. I am wondering if the Lightning development community is a tad divided on this, or whether they simply haven't yet taken on board the fact that they need to plan for such exceptions. <br /><br />There is potentially another issue too, which is rather more serious. If the effect of nodes declining to participate results in multiple attempts to make payments and payment routes becoming longer and more complex, then I would expect network performance to be degraded, possibly seriously so. I discussed this at some length in the first post, with a somewhat playful example to help people understand. Again, I have not so far seen any constructive discussion about this. Some people suggested that network performance could improve as the number of channels increases. I don't necessarily disagree, though this must depend on transaction volumes and channel choices as well as number of channels, but it doesn't address my point. Do you have a view on this?<br /><br />The thesis in this post, that the network is essentially coercing people into committing their funds without their knowledge, is wrong. But it was based on criticisms of my previous post (link at the head of this post) from people who claimed to be knowledgeable about Lightning but actually did not understand the functionality - as indeed some people commenting on this post don't, see dominion's comment above. What I've learned from that is that not many people really know how Lightning works. Understanding the technology is not the same as understanding the functionality. <br /><br />That said, even without the coercive element, the nodes are still lending. I don't think your analogy of post-dated cheques (note the spelling, I am British!) is accurate. Post-dated cheques don't show in a bank balance. They can't even be submitted to the bank for clearing. In contrast, intermediate payments encumber a channel balance. The balance includes the unclaimed payment, but it can't be spent. I think a better analogy is cheque processing. The ledger balance on the account is updated with the amount of the cheque as soon as it is presented to the bank, but the cleared balance - the amount you can spend - is not updated until payment is received from the counterparty's bank. <br /><br />I don't think you can equate making a payment with submitting a bid. The first involves committing funds. The second does not. The key point of THIS post is that this distinction is crucial. Committing funds involves transferring property rights, even if only on a temporary basis. Encumbering part or all of the channel balance until the final payment is made means that the owner is temporarily deprived of their right to enjoy their property. That may (or may not) be a very short period of time, but it is not zero. Legally, they have lent the coins. The smart contract must recognise this. Frances Coppolahttps://www.blogger.com/profile/09399390283774592713noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-19867464125960256692018-01-19T02:07:29.080+00:002018-01-19T02:07:29.080+00:00I agree with point #1. However, point #2 has a sma...I agree with point #1. However, point #2 has a small problem. Internet routers & TCP were not designed to intentionally obfuscate source and destination. Participating in a network of barter transactions which knowingly obfuscates the true parties in a transaction for profit is the definition of money laundering. I understand the feature's purpose (ala net neutrality), imho the transaction should deobfuscate at the point of resolution (I haven't checked this part yet, will look into if it does).Stephen Khttps://www.blogger.com/profile/10162227378864374081noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-33780267232691328272018-01-19T01:56:27.843+00:002018-01-19T01:56:27.843+00:00"You don't have any right to construct a ..."You don't have any right to construct a path that coerces remote nodes with which you have no agreement to forward your payment without their consent"<br /><br />Frances Coppola: You do understand LN works based on unresolved smart contracts, right? These are like post dated checks. Unless something has changed the idea was that before that future date if problems arose one could simply post to the actual block chain at a greater fee. If a node acknowledges receipt without intent to send, either it gets there first via another path, wasting their computation time (no profit), or stalls and gets posted on the blockchain, which then likely causes other nodes to severe ties where it stalled.<br /><br />These are essentially dynamic sidechains, and in contract terms more like the bid submittal process.Stephen Khttps://www.blogger.com/profile/10162227378864374081noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-72880736300435217132018-01-18T19:57:52.801+00:002018-01-18T19:57:52.801+00:00It's clear that the coercive element in Lightn...It's clear that the coercive element in Lightning goes far beyond simple mapping. I am standing by my use of the term Fat Controller. <br /><br />I'm not going to "correct" my previous piece because I am not discussing the tech, either in that piece or this one. The whole point of my piece is that Lightning's pathfinding problem is not simply a technical issue to be solved by some clever code. By trying to reduce it to that, you are missing the real issue, which is that the original functional design is unworkable. If I were doing a design review, I would demand that the original whitepaper be rewritten. Tech should not be expected to compensate for fundamental functional design flaws. Devs are getting WAY too big for their boots. <br /><br />You do not have any legal agreement with nodes 10 steps removed. I pointed that out in my original piece. You don't have any right to construct a path that coerces remote nodes with which you have no agreement to forward your payment without their consent. <br />Frances Coppolahttps://www.blogger.com/profile/09399390283774592713noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-38584392043647255152018-01-18T15:28:27.457+00:002018-01-18T15:28:27.457+00:00> The sender's ability to choose the route ...> The sender's ability to choose the route depends on there being an up-to-date and accurate network map. Who do you think maintains this?<br /><br />As a LN user, *you* build and maintain your own network map i.e. each person's node constructs and maintains a network map based on each other node broadcasting the availability of its channels and relaying the broadcasts of others. I don't think that constitutes a centralised figure or Fat Controller. Different nodes may well have different views of the network.<br /><br />> I am not going to "correct" my previous article. The tech design has moved on precisely because the devs are trying to solve the problems I described.<br /><br />The tech design moved on _before_ you wrote the article. You don't acknowledge that in your second article either (despite starting so promisingly with, "To be sure, I had made an incorrect assumption about Lightning.") It's your call, of course, but readers are likely to accept and run with the few bits of your article that are wrong.<br /><br />> I don't agree with you that the relationships with forward and backward nodes limit Lightning's use of funds. If it did, then every time node relationships change, nodes would need new legal agreements.<br /><br />The point being that no one can force your node to open a new channel with a hitherto unrelated node. They can only utilise the preexisting channels you have open (and advertise). In my view, any "legal agreement" you have with a channel partner necessarily provides (at the outset) that any channel partner may, at its option, commit funds to you (in its channel with you), plus an amount to cover fees (if any), and require you to commit an equal amount (plus or minus fees) to any one of your other (specified, preexisting) channel partners (the forward node), and pass on a message to that node. I think that makes for a perfectly valid agreement between you and your channel partner. In that sense, a multi-hop transaction is merely execution of a chain of preexisting agreements. Nothing unusual there. <br /><br />Re money laundering: points taken. It's an interesting problem (potentially -- but I don't think it can or should hold up development).dominionhttps://www.blogger.com/profile/15306351897354434039noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-80012765392043116402018-01-18T14:10:22.392+00:002018-01-18T14:10:22.392+00:00It is interesting Coppola keep challenging the Bit...It is interesting Coppola keep challenging the Bitcoin phenomenon on economic and legal dimensions. Some remarks:<br /><br />1. "and even though the risk of not getting the money back is small, it is not zero" - can the author point to the source in support of this statement? It is my understanding that risk is zero, by way of how the multi-signature transactions are used in the LN. Either the bitcoins you pledged into the LN channel are yours or the recipient's and the transfer happens in an atomic (indivisible) transaction, regardless of the number of hops between. And if you don't transfer funds over the LN, you can always get your bitcoins back just by closing the channel. <br /><br />2. The argument that a participant of the LN is helping money laundering can be extended to : all network routers in the world wide internet transfer child pornography too, routers are indifferent to the purpose of the packets they transfer. I've never heard someone claiming routers, that have similar roles as LN's nodes, must be held responsible for the content they relay. <br /><br /><br />TeringNeringhttps://twitter.com/@teringneringnoreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-10611838245779131452018-01-18T13:31:12.610+00:002018-01-18T13:31:12.610+00:00Many of your concerns seem to apply to TOR (The On...Many of your concerns seem to apply to TOR (The Onion Router) in a similar fashion.<br /><br />Who in their right mind would set up their router as a node in a network allowing connections to peers not of your choosing, and without knowledge of the content in the data packets - which could include illegal content! <br /><br />Surely no one would do this and it would invite government crackdown instantaneously?<br /><br />Empirically, those concerns didn't seem to pan out as expected, with many bridging and exit nodes across the world run mostly by people who believe in privacy and censorship resistance and no government able to stop the network.<br /><br />Is this a fair analogy with the money laundering concerns being in the same vein as the trafficking of illegal drug trades (and worse...) - which didn't stop the network? And one could argue that being a node in the Lightning Network is even less altruistic than participating in the Tor network, as at least the LN nodes can collect fees for their participation and benefit from instantaneous microtransaction capabilities? Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-30698452790751284212018-01-18T12:07:08.363+00:002018-01-18T12:07:08.363+00:00A warning or checkbox would be a good idea. People...A warning or checkbox would be a good idea. People notoriously don't read the small print when entering into legal agreements. Compensation awarded for mis-selling often arise from marketing information not making the legal implications clear. Lightning is steering dangerously close to this in my view. <br /><br />I don't agree with you that the relationships with forward and backward nodes limit Lightning's use of funds. If it did, then every time node relationships change, nodes would need new legal agreements. This is unworkable. Much more likely that there would be a blanket agreement that Lightning can use funds in channels to make payments in whatever way it chooses. That would ensure that a change in node relationships did not mean new legal agreements all over the network. <br /><br />You absolutely can be held accountable for funds laundered through your channels, whether or not you know about it. That's why KYC rules for banks now extend to KYCC (know your customer's customer). The banks used "I didn't know their customer was dodgy" as an excuse for facilitating money laundering. Governments have now cracked down on this. Not knowing is no defence. <br /><br />I would also point out that creating a system whose design encourages money laundering is just asking for government crack-down. <br /><br />The sender's ability to choose the route depends on there being an up-to-date and accurate network map. Who do you think maintains this?<br /><br />I am not going to "correct" my previous article. The tech design has moved on precisely because the devs are trying to solve the problems I described. I was behind the curve technically, but the pathfinding problem hasn't gone away. The tech design now is legally suspect for the reasons I describe in this post. It is laughable to create a legal agreement that requires people to commit their funds without their knowledge to payments about which they know nothing, while pretending this isn't lending. Let's have some honesty, please. <br />Frances Coppolahttps://www.blogger.com/profile/09399390283774592713noreply@blogger.comtag:blogger.com,1999:blog-8764541874043694159.post-59350410054717140802018-01-18T11:36:15.845+00:002018-01-18T11:36:15.845+00:00Some interesting thoughts but it seems to me that ...Some interesting thoughts but it seems to me that a warning or checkbox saying, "this channel and funds available to it may be used for routing payments on the network" would allay all your fears.<br /><br />I'm also not sure that's necessary. A user of LN necessarily gives her consent (otherwise why wouldn't they simply set up private bilateral payment channels not connected to LN?). Instead, they purposefully make their channels and funds available for routing; their nodes advertise that availability(!) and they can even charge a fee! There are no property rights issues when a person decides to do that.<br /><br />I also think "coins in the channel are effectively lent to the Lightning network, which can do whatever it likes with them" is a gross exaggeration. It ignores the preexisting relationships with both the preceding and forward nodes. Changing the balances of preexisting channels is a far stretch from "can do whatever it likes with them"! Similarly, the money laundering concern is overblown (or no worse than a normal person's existing web of financial relationships). I don't see how you could possibly be held accountable if your channels with Iza Kaminska and Chris Cook are used by one of Chris's dodgy friends to launder money.<br /><br />And how do you reach the conclusion that, "payment routes through a network are centrally controlled"? Who in your mind chooses the route for a payment? (I have not seen a correction to your previous article; has your opinion not changed at all, despite the feedback?)dominionhttps://www.blogger.com/profile/15306351897354434039noreply@blogger.com