SYBILing nodes! 😱 Exploiting IC Network... Community Attention Required!

I believe that there is mounting evidence to suggest that the IC node provider community has been infiltrated by actor(s) actioning a drawn out sybil attack, to extract value while putting the IC at risk.

Sybil attacks are where multiple fake identities are used to progressively gain more and more control over a network. Node providers are incentivised to onboard nodes under fake identities in order to maximise the number of nodes they can control and therefore maximise the rewards that they can receive. In addition, there are incentives to make nodes appear as though they’re located in desirable countries for improving network topology. This improves the chances of fake NPs being onboarded to the IC.

I believe @tina23, @geeta23, @paul23, @GAbassad and @GeoNodes are all very likely to be the same person, masquerading as the Geeta Kalwani NP, the Bianca-Martina Rohner NP, the GeoNodes LLC NP, and the George Bassadone NP (at least). These are just the cases that stand out. More info here (be sure to also check out and cross-reference the formal documentation for @tina23 and @GeoNodes).

Given that there hasn’t been much attention to covering one’s tracks, I don’t think it’s unlikely that they’re operating more accounts and NPs (and these are just the ones that slipped through the cracks / the tip of the iceberg).


The IC is in need of mechanisms for:

  1. Reliably establishing the true location of nodes (to at least country precision)
  2. Making NP sybil attacks too risky for the NP to see it as a cost-effective strategy

The NNS also needs to step up its game when it comes to evaluating and onboarding new node providers. @timk11, @quint, are there any measures that are currently used to combat this problem during the process of onboarding new nodes (ones that would have caught the cases above)? I’m keen to get involved with this NNS topic at the next opportunity.


@SvenF are you able to share any information about the triangulation-based geolocation approach that is being worked on? How far away is a proof of concept? Presumably this solution would be based on node response latency?

@katiep have you had any more thoughts about our proof of stake discussion? For the node machines themselves to act as the stake you have described them to be, the NNS would need to be capable of confiscating the nodes and reallocating ownership in response to significant offenses (such as above).

@sat given that there’s a smoking gun in the formal documentation for onboarding @tina23 and @GeoNodes, and ‘tina’ has clearly been operating the @GeoNodes account (at times), do you agree that the DRE decentralisation tooling should be updated to keep track of outed sybiling NPs (such that no more than 1 of a sybiling group of NPs should reside in the same subnet)? This would be similar to how the various DFINITY NPs are a special case, with special business rules.


Everybody, what are your thoughts on this? Are you concerned? What do you think should be done to address these problems, and what do you think should be done to handle offenders?

This is a problem that affects all of us - the safety and sanctity of the IC, its potential to succeed, and the security of our stake, now and in the future. We should all have an opinion on this.

14 Likes
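A sketch of how a latency-based location check can work, added here as an example and not taken from the thread or from any DFINITY tooling. It assumes a signal speed of about 200 km per millisecond in fibre; the probe names, coordinates and RTT values are constructed sample data.

```python
import math

# Assumption: signals in fibre travel at roughly 2/3 the speed of light,
# about 200 km per millisecond, and never faster.
KM_PER_MS = 200.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms):
    """Upper bound on probe-to-node distance implied by a round-trip time."""
    return (rtt_ms / 2.0) * KM_PER_MS

def contradicting_probes(declared, probes):
    """Names of probes whose RTT is too short for the declared location.

    probes: list of (name, (lat, lon), min_rtt_ms). A slow RTT proves nothing
    (congestion, routing detours); only a too-fast RTT falsifies a claim.
    """
    return [name for name, loc, rtt in probes
            if haversine_km(loc, declared) > max_distance_km(rtt)]

# Constructed sample data: minimum RTTs observed from three vantage points.
PROBES = [
    ("probe-frankfurt", (50.11, 8.68), 9.0),
    ("probe-new-york", (40.71, -74.01), 84.0),
    ("probe-sao-paulo", (-23.55, -46.63), 198.0),
]
DECLARED_SINGAPORE = (1.35, 103.82)  # hypothetical declared location
DECLARED_ZURICH = (47.38, 8.54)      # hypothetical declared location

if __name__ == "__main__":
    print(contradicting_probes(DECLARED_SINGAPORE, PROBES))
    print(contradicting_probes(DECLARED_ZURICH, PROBES))
```

The check is one-sided: it can rule a declared country out, but an empty result only means the measurements are consistent with the claim, not that the claim is proven.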

Hello Lorimer!

Please note:

  • There aren’t any rules against NPs working together or assisting each other, as Tina, George, and Bianca are doing.
  • There aren’t any rules against NPs running some nodes under their own personal identity and also under a business identity.

Both of these situations have existed since Genesis. We recognize that it could be considered a risk, but no more a risk than:

  • Our self-declaration process would be very easy to fake.
  • There is nothing to stop a bunch of NPs from giving access (for technical support or any other reason) to the same person… and no one would ever know unless they were honest and open about it, as @louisevelayo is.

But I am not saying that it’s NOT a risk. It is. I’m just more concerned about those who I don’t already know are working together than I am these whom I know are working together.

We know that George is involved in business with Tina and GeoNodes (GeoNodes’ self-declaration shows that he is not trying to hide it) and we have told him that we—DFINITY—would not vote in support of him running more than 42 nodes no matter how many businesses it is or people that he’s assisting. I’ve met Tina and she’s very involved in trying to increase security with the IC in our technical working groups, etc. I have not had the pleasure of meeting Bianca yet. George and Tina are also involved in other ecosystem projects.

You’re right that this is an area of security that could/should be improved, and it also reflects an added layer of complication to decentralization. We welcome the community’s thoughts on how that might be achieved. The Technical Working Group has also been discussing possible methods of verifying who people really are, such as independent KYC requirements. A good solution has yet to be found!

  • Katie

ETA: Evidently Tina’s legal name is Bianca, but there is absolutely nothing wrong by going by a nickname, so this does not bother me. Katie is not my legal name, and yet I go by it everywhere, including on this forum. Tina has correctly stated that she is not running nodes under her nickname, but her legal name, which is correct and honest. I see now that she actually announced this on the forum back in 2023 here, but I missed that forum post, which is not surprising since I was not watching the forums closely back then and I met her after that.

5 Likes

Her name is Bianca-Martina. If you’d been keeping track you’d know that @tina23 is Bianca. What about @geeta23 and @paul23? Have you had the pleasure of meeting them yet? :wink:

If these partnerships are being diligently tracked, can I ask why they’re not factored into the IC Target Topology or the DRE decentralisation tooling? Why is significant effort put into enforcing decentralisation thresholds that are apparently permissibly meaningless?

You’re describing a logical fallacy known as Appeal to Futility. If something is illegal, but is easy enough to do, it may as well be legal? I’m not sure about you but I’m happy there’s a lock on my door. I’d be upset if the landlord removed it based on that sort of reasoning.

In any case, I’m glad you’re trying to track this. For the community’s benefit could you share all of the partnerships and multiple identities that you’re currently aware of? I’ll plan to factor these into my tooling for reviewing Subnet Management proposals :slightly_smiling_face:

What exactly are the rules? How many pseudonyms are too many?

There’s been a popular and effective solution to the more general problem this falls under for quite a while. It’s called proof of stake, and it’s about making the risk/reward trade-off uneconomical for the majority of would-be offenders.

5 Likes

And nobody can see the blocks and transactions - or at least the result of each proposal (what was the % of nodes that agreed to add a block to the chain).

If those nodes commit collusion, who will know?

3 Likes

Lorimer,

First, a disclaimer… I am speaking here of my own thoughts, not stating any official DFINITY position.

That said, I am not at all saying that because something is easy to do, it should be legal. Forgive me if it sounded like that. I was merely trying to put the potential problem in perspective… that it is part of something that is MUCH bigger and not easy to solve. I am NOT saying that it shouldn’t be solved.

Another point that I personally think needs to be considered is that if you make something more difficult for honest people to do than for dishonest people, then you inherently attract mostly dishonest people. This is a basic truth and fact of life.

Regarding how many pseudonyms is too many… you can read the wiki for yourself and see the existence (and absence) of rules. I personally believe that an ideal world would permit people to have nodes running under different entities if it makes more business sense, but there should be some way to consider them as one NP as far as decentralization goes. That said, I also believe that a rule is only effective if, when it’s created, there exists a means of enforcing the rule… and that is precisely what makes this so complicated.

I hope I have clarified my statements a little. I do not know what others in DFINITY think about proof of stake, nor do I know what the community at large thinks. My opinion matters very little, and I am not expert in this area.

  • Katie
4 Likes
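The idea raised in the two posts above, that linked NPs should count as one NP for decentralisation purposes and that no more than 1 of a linked group should sit in the same subnet, can be expressed as a small check. This is an added example, not the DRE tooling's code; the NP names, subnet names and link list are hypothetical, and links are treated as transitive.

```python
from collections import defaultdict

def build_groups(links):
    """Union-find over declared links; returns find(np) -> group representative."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in links:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)  # smallest name represents the group
    return find

def subnet_violations(subnets, links, max_per_group=1):
    """Return {subnet: {group_rep: [NPs]}} where a linked group exceeds the cap.

    subnets maps a subnet name to the NP that owns each of its nodes.
    """
    find = build_groups(links)
    out = {}
    for subnet, node_owners in subnets.items():
        by_group = defaultdict(list)
        for np_name in node_owners:
            by_group[find(np_name)].append(np_name)
        over = {g: sorted(m) for g, m in by_group.items() if len(m) > max_per_group}
        if over:
            out[subnet] = over
    return out

# Constructed sample data: np-a and np-c are linked only through np-b.
LINKS = [("np-a", "np-b"), ("np-b", "np-c")]
SUBNETS = {
    "subnet-1": ["np-a", "np-c", "np-d", "np-e"],
    "subnet-2": ["np-b", "np-d", "np-f"],
}

if __name__ == "__main__":
    print(subnet_violations(SUBNETS, LINKS))
```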

Great lorimer you are on point
Just wondering did you vote yes with those nodes onboarding after 48 months under different pseudonym

At least you do research before voting unlike some of your fellow grant recipients that appear to be paid to adopt

Dfinity now when we finally decentralized the edge
Lets implement slashing for fake kyc, nodes have no skin on the game especially after 48 months

Dear @Lorimer, I see you have found all the information you are looking for, as we have properly disclosed everything on the wiki according to the rules in place at the time. For the avoidance of doubt, my node provider declaration is under my full legal name, which is Bianca-Martina Rohner, and there is no node provider declaration under just my nickname which is “Tina”. I definitely do not use any pseudonyms. There is no requirement about forum names that people create, anybody can create a forum name and desired forum names may not be available. I note that Lorimer is also not your legal name.

I am indeed an active participant of the node provider working group and also involved in an ecosystem project. The node provider working group meets regularly, the next meeting is in February, date to be determined. The link to the meeting and the time is always shared on this forum and anyone is welcome to join, not just node providers. Topics such as decentralisation, performance based node rewards and node audits are all on the agenda. I do not quite follow your point about IP address, however I recall that during the working group we discussed node audits and I believe it was said that IP address may not be an accurate way of determining the physical location of a node, and several alternate approaches are being discussed. I assure you our nodes are where they are declared to be.

5 Likes

Note that the following sequence of comments were migrated to this thread by @Severin from this thread (these were written before this thread was in fact created). See top right timestamps. The last post of the migrated batch is this one.

Edit by @Severin: I missed some messages, and moving them now will mess up ordering. These messages are also related to the moved ones


Thanks @tina23, thanks @geeta23. I’m interested in understanding more about node providers in general, and you both stand out as interesting cases. Looks like you also both onboarded as node providers at more or less the same time :slightly_smiling_face:

If I understand correctly, your countries of residence are South Africa and Austria. Do you mind me asking why you chose Colombia and Panama for the location of your nodes (or did you purchase them while they were already there or something)?

@geeta23, would you be kind enough to provide a link to the old account that you no longer have credentials for?

1 Like

Similarly, @tina23 do you and/or have you operated any other accounts on this forum?

Ah, I found the answer…

I think the motivation for operating multiple accounts (and onboarding as multiple node providers) is present in your cookie cutter onboarding statements. More nodes can be onboarded if they appear to have greater decentralisation metrics.

In fact, the commonality that led me to focus on your node providers under @tina23 and @geeta23 is that their nodes are declared to be in one country, but all IP address geolocation services that I checked indicated that they may be located in another country.

Are you referring to @Geetakal (Geeta Kalwani)? This account was created on the same day as @geeta23. I can imagine it’s easy to forget credentials within 24 hours when you’re operating numerous accounts.

Are there any more?

2 Likes

Lorimer, when you say “IP address geolocation services that I checked indicated that they may be located in another country,” are you talking about the IP addresses for them or for their nodes?

I would say that a full 50% of the NPs live in countries separate from where they run nodes.

1 Like

I guess this explains where @Lorimer is heading with this line of questioning…

The nodes, of course :slightly_smiling_face:

1 Like

Except that several of us have seen George and Tina standing side by side, in the same room that we are standing in, so they can’t possibly be the same person.

2 Likes

Yes, I think there is plenty of reason to trust that DFINITY knows who is who in the node provider community. I’m sure there are a few reasonable concerns that Alex has identified here that I believe DFINITY has already mentioned in the past and hopes to address long term, but mostly Alex just seems to be putting together something of a conspiracy theory based on limited information and a very hefty sense of distrust (or at least a fundamental principle that he shouldn’t have to trust anyone). Maybe there is value in going through that exercise at this time. I guess we will see. I’ll be interested to learn if this train of thought spawns any changes in the work processes surrounding node providers. I’m sure there is always room for improvement.

2 Likes

In blockchains we don’t trust, it’s clear that kyc can be faked and locations also, the talk should be how to improve

3 Likes

The above post is the last of the ones that were migrated from this thread (see timestamps)


There’s great tooling for this sort of stuff that’s being progressively developed. :slightly_smiling_face:

1 Like

Thanks @Txo. My aim with this thread is to spark constructive discussion, some more technical discovery aided by the community, and ultimately to lead to more robust systems, processes, checks and balances.

These onboarding proposals were before my time on the IC. I’m planning to put myself forward as a formal reviewer for this topic at the next batch of elections (if there will be any).

2 Likes

I think you’re focusing on the wrong things here, aren’t you? Aside from the fact that there are more accounts/NPs involved than just the two - this thread is about a broader problem for which there is no obvious solution (bad incentives with no clear disincentive). I think you’ve also confused matters by trying to explain this all away as okay.

Do you see a problem? (maybe worth waiting to establish DFINITY’s official stance this time)