Erinn Atwater

0) first, my rules of engagement. i will automatically mute clear astroturfer/bot accounts. i will mute ad hominem attacks. i will ignore empty "do more research" and "read the whitepaper" responses. i may take time to respond but will argue in good faith.

1) above all, the community is toxic. any honest criticism is met with coordinated brigading, which includes attempts to discredit experts' credentials, get them fired, and hack their accounts. i've been very hesitant over whether to share any of my thoughts/findings.

2) iota has no roadmap for scaling to the level they envision. PoW is currently done by wallets, not centralized miners, and research suggests their security does not hold unless all users near-24/7 do PoW. obviously this presents a scalability issue.

3) the plan to address this is to replace PoW with some sort of proof-of-resource-utilization (which either doesn't scale or admits sybil attacks) or proof-of-locality (which can't be propagated through the network, by definition).

an alternate solution to PoRU or PoL supposedly is in the works, but i'm extremely skeptical it can exist based on the links i've been given (such as radio resource testing, which is PoL and does not propagate). this is where the argument comes to an impasse.

4) the existing solution is to use a central 100% trusted authority called the "coordinator", which issues "milestones" and "snapshots" to issue consensus and defend vs attacks on tip selection. this is called "training wheels" or "beta".

the coordinator currently cannot be disabled without a solution for 2/3, which is not known at this time.

5) some people have suggested distributing the milestone coordinator. if you have a consensus mechanism for milestones, just use that instead. delegation runs into a similar problem, eg @sarahjamielewis's notes:https://twitter.com/SarahJamieLewis/status/1016505522231508993 …

6) blockchains have some cool non-currency usecases like secure auditing and longterm identity verificaton (eg CT). snapshots drop the ledger. it can theoretically be kept but requires powerful nodes (currently it grows at ~5GB/week) and thus induces centralization.

thus, any startup currently trying to sell you decentralized secure auditing, ID verification etc. based on this structure is essentially a sham with no roadmap to fulfilling its promises, per 3b. this is also the problem with "local snapshots".

7) obviously iota should be allowed to solve nascent technical challenges/growing pains, but i have strong misgivings about a "beta" product being listed on live exchanges, esp with no viability plan. people are going to lose their life savings and pensions to these things.

8) per 1, the iota community is toxic and i advise everyone to steer clear of it for that reason alone, including security researchers who would do responsible disclosure via private channels. /thread

ok, this thread got attention so it's addendum time. i'm going to talk a little bit about my process, and why i think it took off. side note, i'm sorry but responses are coming so fast i can barely read them, and i certainly can't respond to all, but i'll try

when i first started talking about iota on twitter, i was inundated with what were obviously troll and astroturfer accounts. mostly accounts that are 5+ years old and tweeted once or only ever RTd, suddenly brought online to badger me. lots of eggs coming out of nowhere.

i should add that this isn't my first time at the twitter rodeo, and i'm accustomed to what level of vitriol to expect from it on a typical day. this was something more than that.

i looked it up and computer-assisted astroturfing works like this: bots "age" accounts for *years* to make them look legitimate, then when a campaign is purchased a human running special software is assigned them to use. these people are paid per not-taken-down post

they turned out to be a weirdly useful resource; they clearly have some sort of flowchart of responses to common criticisms. by engaging with them, you can explore the state space and see where the arguments end (and they all end).

they're mostly about performing for The Audience, which is nicely summarized in this guide for ordinary iota trolling: http://web.archive.org/web/20180702004148/https://medium.com/@dan_47238/the-guide-to-effectively-fighting-fud-417d2340678a …

(my favourites from this include "label label label label mock," "don't respond to technical criticism," and "go after their employer; take a pound of flesh")

once you know their flowchart, you can avoid their traps and shut them down pretty quickly. i (sadly) got pretty good at this, the brigading channels i infiltrated banned people from responding to me (many were infuriated), and things got nice and quiet again.

then, i wrote my post above, designed explicitly to pre-empt the flowchart (hence my "rules of engagement" because i'm honestly done with the toxic vicious trolls). all of my concerns are my legitimate understanding of the state of the system.

why were people so infuriated that i wanted to discuss iota in a not-perfectly-postive light? twitter is not a peer-reviewed academic venue (a standard many seem to think should apply here) and discussing the merits of technical projects seems like a perfectly good use of it

beyond the obvious "protecting their investment," two explanations i suspect are 1) any honest criticism gets met with so much toxicity that people just give up and the debate never gets explored properly, 2) it's so obfuscated and undocumented that it's hard to catch up

both of these combined mean cryptographic and security experts stop criticizing iota pretty quickly. the community hasn't had the advantage of experience discussing the nuances of the debate, and the technical arguments (at least in public) are in their infancy.

none of my conclusions above are new. it took a week's worth of free time to research relevant existing work and find where technical arguments come to an impasse. a project of this size should have had these conversations a long time ago.

i hope this illustrates how shutting down criticism like this prevents you from getting legitimate and free technical analysis of your projects. some very bright minds have tried, and given up due to the reactions. /thread (take two)

alrighty, first is this "gish gallop" thing about the asymmetry of me using my platform to criticize. i think the initial swarm of trolls harassing me disputes this idea, and the ratio of responses to my tweets also disputes it. trolls have canned answers and it takes me ages ..

..to formulate responses to all of them. i hope that if you look at my engagement before this replystorm, you'll see that i was arguing in good faith. i honestly tried to respond to everything that wasn't insulting or from trolls i've already had problems with.

i also don't see anything wrong with pointing out technical flaws in "beta" projects, especially if my honest intention was to find smart/experienced people to explore the argument with and see if it has a solution. twitter gives me quick access to very smart people for this.