>"The possibility that a Libra node run by Mastercard or Andressen Horrowitz would suddenly start running malicious code is such a bizarre scenario to plan for and is better solved by simply enforcing protocol integrity and through non-technical (i.e. legal) means."

In regards to that, I don't think it's any more bizarre than a SCADA system in an Iranian nuclear enrichment plant suddenly running malicious code. Cyberattacks against financial systems are a very real worry.

In the history of computing, there have been countless times when people casually dismissed a security concern only for it to bite them years later. And oftentimes, trying to add security after the fact is much less successful that designing it to be secure from the get-go. I'm not a fan of Facebook Libra, but I do think that it's misguided to criticize it for having a robust security model with properties that can be reasoned about mathematically.

To the best of my knowledge, no deployed banking system relies on immutable ledgers. They all rely on detection and revision of ledgers. Libra has chosen to do something fundamentally different, and the author is asking why.

The ledgers are officially immutable. Revisions are done as separate entries from the errors and both are expected to stay registered there.

We do: https://blog.griffin.sh/2019/10/23/the-immutable-bank/

Adding to the other posters, Monzo's ledger is immutable (this is in fact a design requirement, since Monzo's Cassandra environment makes it impossible to update rows atomically).

> The possibility that a Libra node run by Mastercard or Andressen Horowitz would suddenly start running malicious code is such a bizarre scenario

It doesn't seem like a bizarre scenario at all. Consider:

- Real-time control system nodes in Iran's nuclear energy project suddenly started running malicious code, destroying a large number of their centrifuges.

- Crypto AG cipher machines sold to embassies around the world were always running malicious code (or perhaps malicious circuits), giving the US a major advantage in 20th-century diplomacy.

- Google's and Facebook's data centers suddenly started running malicious code as part of the PRISM attack carried out by the NSA.

- Municipalities regularly pay ransomware ransoms because their computers have suddenly started running malicious code.

- Numerous nonprofits organizing conferences have discovered to their dismay that the code running on Paypal's servers is malicious to them, opportunistically freezing their accounts because they have recently received a lot of payments.

- We saw an article last week about how WeChat runs malicious code in their chat application to censor politically controversial images.

- What was the name of that popular NPM package for building pipelines that suddenly started running malicious code on everybody's servers looking for Bitcoin wallets? Was that this year or last year?

I don't think it's at all far-fetched to suggest that if Mastercard or Andreessen Horowitz is in a position to decide how much of other people's money they're entitled to, they might decide that the answer is "all of it". Paypal and Google do this on a regular basis. Here in Argentina, the banking system decided that the answer was "75% of it" in 2001, with respect to dollars; in the US, the Federal Government did precisely the same thing in 1933 with gold.

"Regulators" and "courts" and "legislatures" are indeed among the parties that might decide to confiscate the holdings of participants in some kind of financial system, using various rationalizations. (And that's why "simply enforcing protocol integrity…through legal means" is a less effective solution, as you say.) But they are far from the only ones.

Still, it seems like if that's Fecebutt's motivation, it would just back Bitcoin.

> I don't think it's at all far-fetched to suggest that if Mastercard or Andreessen Horowitz is in a position to decide how much of other people's money they're entitled to, they might decide that the answer is "all of it". Paypal and Google do this on a regular basis. Here in Argentina, the banking system decided that the answer was "75% of it" in 2001, with respect to dollars; in the US, the Federal Government did precisely the same thing in 1933 with gold.

The consensus model of blockchain would at least require Mastercard, Andreessen Horowitz and other validator nodes to be in agreement about stealing / being entitled to the money, which seems less likely. That said, this is one of the flaws of having only a few nodes validating transactions. Libra went this route instead of Bitcoin's proof of work consensus model. With Bitcoin's proof of work consensus, 51% of the miners in the world would have to collude in order to steal funds.

All of the comments I see that say blockchain has no use case, seem to miss another point you raise, in that Bitcoin can not be seized, even by government (like the US government did with Gold), unless they had miner control and the public didn't continue to operate and spin up new miner nodes. This seems unlikely considering that the miners could lose their funds, if they did not prevent a counterparty having 51% control of the network. This is a protection that Bitcoin has, that Libra does not. The government could go to corporations in the Libra association and tell them to do what they want.

In terms of other use cases, I think having an immutable ledger, that can't be changed by one party, or even a few parties with DB access, also seems like a compelling use case for blockchain / cryptocurrency. Libra isn't really a cryptocurrency by this standard though, although Bitcoin is.

Also, just to put it out there, Mastercard, PayPal, Stripe, Visa and a few others already have left the Libra association.

> The consensus model of blockchain would at least require Mastercard, Andreessen Horowitz and other validator nodes to be in agreement about stealing / being entitled to the money, which seems less likely.

Right, I think you, I, and Libra's developers are in agreement about this being a significant risk and one that using a blockchain effectively mitigates, in precisely the way you say, but Diehl and Green aren't.

+ FWIW, 51% of the mining power only allows you to double-spend, not arbitrarily modify the existing ledger.

+ Since Libra uses a HotStuff variant, you need to control 2/3+ of the voting power to violate safety, i.e., double-spend. In exchange, however, you only need to control 1/3+ to halt progress (liveness).

If you can halt progress, you can make any particular person's holdings impossible to spend (if you can identify them), by refusing to include any blocks that include transactions from them. That isn't quite as lucrative as simply confiscating someone's holdings, but it's close; you can demand a ransom of a sufficient fraction of their holdings, perhaps 5% to 50%, depending on human nature.

I wouldn't say it is quite the same threat model, but certainly a powerful attack vector if you happen to control 1/3+ of the voting power. In the unlikely event that someone does compromise 1/3+ of the voting power, the remaining validators can always hard fork to a new quorum, though this is an expensive and highly synchronized affair.

There was this story from a month ago:

https://news.ycombinator.com/item?id=21120956

A street vendor in canada was selling cuban coffee. They used "square canada" as a payment processor. Square canada, in turn, used the US bank JPMorgan as a back end. JPMorgan is required to enforce an embargo on money going into cuba. The seller and all the buyers were in canada, but because the money passed through a US bank, they vendor was locked out of thousands of dollars.

We live in a more globally connected world. That should not mean that everyone is (potentially) subject to every nation's laws. It also should not mean that no one is subject to any nation's laws. But enforcing the laws at boundaries seems a whole lot better than enforcing it at every checkpoint along the way. I will not, for example, get out of paying taxes because I received all my money over a blockchain. The sky won't fall.

Havinga bunch of US corporations run the global payment system won't solve this problem.

> The purpose here is simply to evade and arbitrage different regulatory regimes. The plan is to build a ledger that no single party (or coalition of parties in a single legal jurisdiction) has the capacity to edit or alter, and to make such alterations so technically challenging that it's beyond the capacity of any single court or legislature to do so.

If they respond to a legal demand saying “Our software won't let us comply”, do you really think that the answer will be “oh well, guess the law doesn't apply to you” and not “halt operations until you are in compliance with the law”?

That is precisely what Libra is banking on. We'll see if they're right.

You certainly aren't wrong to describe it as potentially horrifying.

Or, you know, legislators just ban it entirely until the changes are made.

Edit: Its also pretty ironic that the crypto currency is banking on "too big to fail."

North Korea has been trying that approach, but it has its drawbacks, as attractive as it seems in theory.

> The plan is to build a ledger that no single party (or coalition of parties in a single legal jurisdiction) has the capacity to edit or alter, and to make such alterations so technically challenging that it's beyond the capacity of any single court or legislature to do so.

I'm not seeing why they need a new cryptocurrency for this. If you grow Bitcoin (or any other existing cryptocurrency) to be "too big to fail", it would also have all these properties. Is starting from scratch with zero users easier?

Bitcoin has some pretty significant drawbacks. The main one being that it is severely limited in the number of on chain transactions that it can do.

And that the proposed "solutions", such as the Lightning Network, to this are nowhere near completed (and have indeed suffered from doomsday "someone can steal all my money" type bugs as of recently)

I think the idea is to have a US-controlled currency before some chinese-controlled currency catches on , particularly in Africa

If the US supported cryptocurrency, particularly Bitcoin, instead of considering regulation, we could keep up with innovation at least, instead of having other countries leave us in the dust in terms of developing the technology.

If Libra is integrated into Facebook Messenger as planned it would have more users on day one than Bitcoin has after a decade.

I get that, but if Bitcoin is integrated into Facebook messenger then it would also see a huge boost in users.

Therein lies a problem: there are no facts of nature. The only things that could be said to be a fact in nature is to describe how you observe something to work. The observations may change, how it works may change, and neither of these things force nature to be a certain way.

It would not be impossible for someone to change the observations of the blockchain, manipulate its inputs and outputs, or even change how it operates, as software and hardware are imperfect, along with how we use them. Furthermore, even if the system were technically perfect, political and economic systems do not have to abide by their rules. An oppressive state can simply decide not to deal with them, as the world is in no way bound to being purely rational at all times.

It's like trying to "fix" a painting by using philosophy. One is a series of logical arguments, and the other is paint on canvas; certainly they can influence each other, but they can't solve each other's problems.

Thank you.

Well said and paints a clear lack of understanding from OP on the value this provides.