Engineering Update: DDoS, Wallet, SteemDAO

in #steem · 6 years ago (edited)

Hello Steemians, welcome to our latest Steemit Engineering Update. You can view our last engineering update here.

DDoS

Last night we disclosed the existence of a DDoS attack against steemit.com which is still resulting in intermittent inaccessibility of steemit.com, but which has no impact on the blockchain or any other Steem apps. While unpleasant, this actually highlights the unique advantage of building applications on top of the Steem blockchain, which is that one site being down is just an opportunity for Steem users to explore other amazing Steem apps like steemmonsters.com or drugwars.io. ;)

We have already implemented a number of mitigation efforts and are continuing to explore and execute new solutions. For now the situation seems to have been resolved. We will update you if the situation changes.

Condenser/Wallet Split

Since our last update we successfully released the stand-alone wallet application which you can now find by navigating to steemitwallet.com. The community has already provided valuable feedback about the wallet and we hope you keep it coming! We are extremely happy that the feedback relating to the user experience of the application is largely positive and the number of bugs users have encountered has been minimal.

We also received some feedback that was critical of our decision with respect to the use of wallet.steemit.co. After taking that great feedback into consideration, we decided to switch the domain to steemitwallet.com. Thanks again to everyone who contributed their valuable feedback and for helping to make the Steemit experience as good as it can be. Those who go to wallet.steemit.co will be redirected to steemitwallet.com.

Why Steemitwallet.com?

The reason we chose to use steemitwallet.com (as opposed to steemwallet.com) is that it's a companion product that is intended to run alongside steemit.com and is designed to be a relatively seamless experience that users of steemit.com are already used to, but better. Having users jump between a Steemit branded application and a Steem branded application could also exacerbate the already significant confusion around the distinction between Steemit and Steem.

The primary benefits that will accrue from this change are:

  1. Since Social Condenser won’t be handling high value keys, it will be much easier to add new features to the social media side without as much security review. This will also make it easier to approve community code contributions.
  2. It will be more cost effective and efficient.
  3. It will be an excellent opportunity for education regarding key handling and Steem’s unique hierarchical key system.

DTube Integration?

A good example of a community contribution that will be easier to approve post-split is a long standing PR which would allow dtube videos to play in-blog. We never merged this in because it required opening up the Content Security Policy (CSP) to another domain and relaxing security standards is something we refuse to do as an organization. Essentially the only times we are willing to relax security is in those cases where it significantly improves the user experience, and where the impact of a highly-unlikely worst-case scenario (e.g. hack) is minimal and/or quickly reversible.
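To make the CSP point concrete, here is an added example (not Condenser's code or the actual headers served by steemit.com): a small Content-Security-Policy evaluator that parses a policy string and checks whether a given resource would be allowed under it. The two policies, the page origin and the `https://player.example` embed origin are constructed placeholders; the real DTube embed origin and Condenser's real policy are not on this page. The example shows why adding one origin to `frame-src` is exactly the kind of widening the post describes, and also that such a relaxation can be scoped so that `script-src` stays unchanged.

```javascript
// Added example, not part of the original post or of Condenser.
// Policies below are constructed for illustration only.
const STRICT_CSP =
  "default-src 'self'; script-src 'self'; frame-src 'self'; object-src 'none'";

// Hypothetical relaxed policy: one extra origin added to frame-src so an
// external player could be framed inside a post. Nothing else changes.
const RELAXED_CSP =
  "default-src 'self'; script-src 'self'; frame-src 'self' https://player.example; object-src 'none'";

// Parse "directive src src; directive src ..." into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP fallback chain: frame-src -> child-src -> default-src; script-src -> default-src.
function effectiveSources(policy, directive) {
  const chain = {
    'frame-src': ['frame-src', 'child-src', 'default-src'],
    'script-src': ['script-src', 'default-src'],
  };
  for (const name of chain[directive] || [directive, 'default-src']) {
    if (policy.has(name)) return policy.get(name);
  }
  return null; // no applicable directive at all: nothing is restricted
}

// Does one source expression match the URL? Handles 'none', 'self', '*',
// scheme-only sources, and host expressions with optional wildcard/port.
function sourceMatches(source, url, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === self.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  const urlPort = url.port || defaultPort;
  if (port && port !== '*' && port !== urlPort) return false;
  return true;
}

// Would `resourceUrl` be permitted for `directive` on a page served from `pageOrigin`?
function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl);
  const self = new URL(pageOrigin);
  return sources.some((s) => sourceMatches(s, url, self));
}

// Stand-alone demonstration (page origin is a constructed value).
const page = 'https://steemit.com';
console.log('strict, frame player :', isAllowed(STRICT_CSP, 'frame-src', 'https://player.example/embed/1', page));
console.log('relaxed, frame player:', isAllowed(RELAXED_CSP, 'frame-src', 'https://player.example/embed/1', page));
console.log('relaxed, frame other :', isAllowed(RELAXED_CSP, 'frame-src', 'https://other.example/', page));
console.log('relaxed, script      :', isAllowed(RELAXED_CSP, 'script-src', 'https://player.example/app.js', page));
```

The last two checks are the ones a reviewer of such a PR cares about: the relaxation admits only the one named origin, and only for framing; the player's scripts still cannot run in the page context. That is the difference between a contained worst case and one that touches key handling, which is the reason the post gives for doing the wallet split first.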

After we make these changes, we could implement such changes more rapidly because simply by splitting these two apps we will dramatically reduce the negative impact that would result from a potential worst-case scenario. There are many similar cases in which things that we could not do before due to security concerns we will soon be able to do. Many of these things are features that average users have come to expect from social media in 2019. We're on the road to making a better steemit.com and this is one of the first stops on that road.

Ads

It is important to acknowledge that a big part of the reason for this change is that it makes it safer for us to run ads on steemit.com. At Steemit we love releasing free software and providing free services like access to our nodes. But services that are free for others are never free for those rendering them, and displaying ads is the least obtrusive means of generating revenue in a way that seems to be acceptable to our users, who ultimately have the choice to use other interfaces that display the same information. Unlike Facebook, we do not have monopoly control over your data, and when it comes to displaying ads, that makes a big difference.

MIRA

Most of the work we have been doing as of late has been aimed at generating state files using MIRA. We are extremely excited to announce that MIRA is now consistently generating state files around every 2 hours and we have now accomplished a record streak in terms of regular state file generation! MIRA branches are now building and we will deploy to our development environment very soon. This is a big milestone on the path toward using MIRA in production which is why we are now shifting our strategy discussions toward how best to complete the MIRA project!

SteemDAO

Development of the SteemDAO has moved to testing, which is why we are dedicating some of our time to reviewing their code and leaving feedback. Our goal is to leverage our expertise in dealing with the Steem blockchain to ensure that the code being submitted can be approved as efficiently as possible once it is complete. Our primary motivation is always the safety and scalability of the Steem blockchain.

Be sure to follow @steemitblog if you would like to see more engineering updates like these!

The Steemit Team


Transparency is key and you’ve been good at that

That's not true. Steem Inc has never stated where all of their Steem is stored. They are sending Steem to exchanges to hide them.

that is pretty risky on their end...

But services that are free for others are never free for those rendering them, and displaying ads is the least obtrusive means of generating revenue in a way that seems to be acceptable to our users

This seems very unobtrusive alright.

I am for ads if it strengthens the blockchain. It makes good sense to use both new and old ways of generating revenue. I think we just have to be careful that the pages remain streamlined (no pop ups) and the ads not become overbearing. Nothing worse than going to a page and having to wait while the ads load before content can be read. I think with ads, less is definitely more. To the DDoS attack. I find it interesting Facebook and Instagram also experienced difficulties yesterday.

I find that interesting as well about FB and instagram!

Hi!

Hi Ross:)

I agree with you.....

Maybe if they weren't this bad.

So what about these SMTs????

Thank you for your feedback regarding the DDoS issue and all the running projects.
It's great to see such improved communication from Steemit inc.

Thanks!

Got into account with master key at the new wallet site, but

does not reveal keys when you re-enter your password.

I also had issues with key chrome addon,
it did not recognize the account or password.

So it's still a little buggy. This is very important.
I suspect we are going to lose a LOT of accounts in this split.

Do you have the particulars posted anywhere about how you are hosting the website, like what anti-ddos strategies you are currently using, to what extent you are load balancing, etc.?


Thank you for giving this update. It's good to know about why you're doing different things and that security is a primary concern. I wasn't aware of the particulars of why the wallet was being de-integrated. It makes sense now.

It also means that in the future different interfaces can avoid implementing a wallet and just integrate steemitwallet, possibly lowering their risk.

I'm not a security expert myself, and yet the level of risk exposure that we're put under on so many websites worries me. We have so many adverts with Flash and JavaScript. I don't know how these people can just have arbitrary code running on their sites, exposing all of their users. If something were to happen, I can't see how they wouldn't be liable. It would be like a car company installing parts from random companies with no testing whatsoever and not even any research on what they're installing.

thanks for the update.

Appreciate the update

The reason we chose to use steemitwallet.com (as opposed to steemwallet.com) is that it's a companion product that is intended to run alongside steemit.com and is designed to be a relatively seamless experience that users of steemit.com are already used to, but better.

How could it get any more seamless than currently being integrated into Steemit? You are separating 2 related things from each other and saying they are designed to be seamless... Does that honestly make any sense to anybody? Just leave it where it is, and it will be as seamless as it could be.

obviously they have no real idea about how this should all look since its all brand new,....and so in a sense they are just winging it as this has never been done so its ok.. we need them to do this tho bro, its been planned for a while, this is all scheduled and old news obviously u just havent been keeping up with the updates and need to separate out wallet and blogging functions... just do more research before u question this bruh

its like ur one of those people asking why Steemit inc needed to change logos lol or someone who doesnt get why Steem and Steemit are different :D

I was here for Steemit’s logo change... I was just hung up on the usage of the word seamless.

Because of the other reasons mentioned, security concerns when opening up to other domains like dtube. "Seamless" in regards to having it separated, not like it is now.


Just saying. I think it’s a bit ironic choice of words because they are creating that seam/gap/space 🤣

In the context of how it was used, seamless refers to the experience of how to use the wallet, not where the wallet is hosted. They named it "Steemit"wallet.com because the behavior of the wallet is "seamless" in regards to the existing user experience on the wallet page on steemit.com.

I guess I didn’t know there were that many complaints about the wallet page we’ve had. My only real complaint was that they removed the SBD conversion option which used to be under the SBD dropdown menu.


The complaint is that things like embedded dtube content that plays in the interface was not possible because it compromised security. Once the separation is made, many types of developments are more possible as there is no security risk to the wallet as it is separated. As they said, when it comes to Wallet security they are very strict. I am glad about it too.

Ok I see what you guys mean now. I go by the “don’t fix it if it’s not broken” which is why I reacted like this. Looking forward to the finished product in the future (:

!dramatoken