It has been another busy week for those of us spending our metaverse time in BitClout!
TLDR: Deep analysis was attempted. Source is obfuscated and not open yet. diamondhands says obfuscation is temporary for security audits to protect all users. Mining is not yet functional. Global feed is manually curated. “Shadowbanning” exists. Mentions of different nodes at exchanges. More is likely coming. Decentralization is moving forward and doesn’t happen immediately.
It wasn’t that long ago that the BitClout Block Explorer was uploaded to GitHub, and we began the process of downloading and evaluating the code line-by-line for a full report.
Before we even had a chance to complete our full line-by-line audit and report, the folks over at BitClout gave us even more to be excited about with the launch of the BitClout Node software on GitHub.
BitClout Run was released on GitHub and allows those who set it up to run a BitClout node themselves.
The announcement came from @diamondhands and a new set of documents on The BitClout Guide maintained by members of the BitClout.com team and the community.
Nodes are what make the BitClout underlying protocol so amazing. Nodes enable the full downloading of the entire BitClout blockchain without permission from the BitClout.com team.
Node operators have access to the full BitClout “firehose” of data and information. This means that every action being taken on the blockchain is accessible to the node. Node operators can select which content receives priority on a global feed, charge fees for various functions, and, in the future, mine BitClout blockchain blocks.
You should know: I’m not offering advice regarding security.
I’m not a security expert. I don’t play one on TV. I don’t play one on the Internet. I’m just a guy.
You should always do your own research, and decide what level of risk is comfortable to you. I set my BitClout node up on a secondary computer and isolated it on a network security appliance to create this data. I include my personal observations regarding what I have seen so far regarding the BitClout node software. This should not be seen as a guarantee.
I’ve spent nearly 26 hours working through various files inside the three containers that make up the BitClout Run software. This has involved downloading the various binary files inside the containers and, if they are known files, checking the hashes. I’ve also spent a great deal of the last day reviewing logs of data transferred by the node that I collected.
Some of the source code for the BitClout node software is currently obfuscated. Much of the code running inside the Docker environment is not currently accessible for an independent audit by me.
Code can be obfuscated or hidden by using encryption or other means to prevent tampering, prevent theft, or keep areas under lock and key while they are being actively completed. Obfuscation is very common in software development.
Obfuscation can also be used as a means for protecting source code. CloutPress reached out to BitClout leader @diamondhands to explain the obfuscation and received the following explanation:
Currently, all of the code is being audited to make sure that it’s free of security vulnerabilities for when we make it fully public.
If we were to make the source code fully public before the auditors found all the low-hanging fruit, it could expose all the BitClout users to potential exploits from people all over the world. Most projects in our shoes would not release anything until all the audits were done.
But we felt comfortable enough with the security of the system to release binaries early, and we added the obfuscation just as an extra security measure to minimize the likelihood that someone is able to find some kind of vulnerability before the audits are complete.
And once they’re complete, all the code will be fully public.
Even with the source code being obfuscated we can still glean a lot of data from the BitClout node software via the network interface of the Docker image.
I closely monitored the BitClout node software at multiple levels.
I captured data using my professional-grade SonicWall Network Security Appliance, which logged the encrypted packets being transmitted by the BitClout node software along with all of the relevant metadata as to where those packets were going.
I also reviewed a list of over 250 IP addresses that the node established connections with at various points. I ran whois queries on the various IP addresses to return owner information to determine which ISPs were being used to host BitClout nodes or if the IP addresses were for something else. The bulk of nodes that remained online for the most time during my collection are those operated by community members who have also assigned domain names and begun looking at further development.
None of the metadata for any of the outside connections seemed nefarious. I did not observe the node software opening large connections to strange services or IP addresses. Checking the various IP addresses that responded upon a follow-up ping by me showed they were operating the BitClout node software or another element of the BitClout software.
I did observe several attempted connections to node addresses at various exchanges but none of those assigned domain names actually return to a server inside those exchanges. Binance did return a generic response as they use a wildcard DNS system for domains.
I also observed connections being made to Blockchain.com, BlockCypher, and other services that have been used to power the BitClout blockchain and protocol. I fully expected to see these connections being made based on my limited understanding of how the protocol functions.
Blockchain.com is queried to get the current price of Bitcoin while BlockCypher connections are established (if you put in an API token) to help prevent double-spends.
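The triage described above (grouping the node's outbound connections by destination, setting aside the services and peers already accounted for, and queuing the rest for whois review) can be scripted. This is an added example, not code from the article or from BitClout; the CSV columns, the confirmed-peer set, the byte threshold and all sample rows are constructed assumptions, and the hostname column is assumed to be the name the appliance logged for the connection.

```python
import csv, io
from collections import defaultdict

# Services the article names as expected destinations for the node.
EXPECTED_DOMAINS = ("blockchain.com", "blockcypher.com")
# Constructed placeholder: peers already confirmed as nodes by a follow-up check.
CONFIRMED_PEERS = {"198.51.100.10"}

# Constructed sample export (documentation-range IPs); the columns are an assumption.
SAMPLE_LOG = """dst_ip,dst_port,hostname,bytes_out
198.51.100.10,443,node.example.org,52000
198.51.100.10,443,node.example.org,48000
203.0.113.5,443,api.blockcypher.com,1200
203.0.113.6,443,blockchain.com,900
203.0.113.7,443,notblockchain.com,700
192.0.2.44,8080,,9500000
192.0.2.45,443,,300
"""

def matches_domain(host, domain):
    """True only for the domain itself or a real subdomain, not a lookalike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(dst_ip, hostname):
    if any(matches_domain(hostname, d) for d in EXPECTED_DOMAINS):
        return "expected_service"
    if dst_ip in CONFIRMED_PEERS:
        return "confirmed_peer"
    return "unknown"

def triage(log_text, large_bytes=1_000_000):
    """Aggregate per destination; return (summary, review queue, large senders)."""
    totals = defaultdict(lambda: {"bytes": 0, "conns": 0, "label": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = totals[row["dst_ip"]]
        entry["bytes"] += int(row["bytes_out"])
        entry["conns"] += 1
        entry["label"] = classify(row["dst_ip"], row["hostname"])
    # Unknown destinations go to whois review, heaviest outbound volume first.
    review = sorted((ip for ip, e in totals.items() if e["label"] == "unknown"),
                    key=lambda ip: -totals[ip]["bytes"])
    large = [ip for ip in review if totals[ip]["bytes"] >= large_bytes]
    return dict(totals), review, large

if __name__ == "__main__":
    summary, review, large = triage(SAMPLE_LOG)
    for ip in review:
        print(ip, summary[ip], "LARGE" if ip in large else "")
```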
Many of the community-managed nodes that I connected with during the initial twelve hours were frequently connecting and disconnecting. I believe this is due to the large hardware requirements for getting the node started with the initial sync. The number of nodes seemed to have stabilized as more time passed during my analysis.
The Node will require a reliable internet connection, as it will be in a constant state of communication with other nodes on the network. The initial syncing of the node also requires a computer with at least 32 gigabytes of RAM.
Once the initial syncing of the blockchain is completed, you’ll find that resource usage (primarily RAM) will go down some.
Once a node is fully synced, the node owner can log in to the software and begin accessing the BitClout firehose of data as if they are surfing on BitClout.com.
The posts screen of the BitClout backend shows all of the posts in real-time directly from the blockchain as your node syncs them. If you wanted to see a raw feed of every single post being made on the BitClout blockchain this is the location you’d do it from.
I’ve found many new creators just by watching this real-time fire-hose feed.
You’ll also note that an ‘Add to global feed’ button exists on the admin backend for BitClout.
The BitClout.com website has featured a curated global feed. Many users did suspect this and it has been met with mixed feelings. Node operators will have the choice of whom they surface to the global feed.
Imagine a node for CloutShow that features all of the data from the BitClout blockchain – but with all of the creators who have been interviewed, as the whitelisted global users.
You can imagine a world where nodes exist for a variety of organizations, charities, groups, and subjects.
In the administration backend, you’ll find a section dedicated to Profiles.
This section can graylist, blacklist, or whitelist users. Node operators can effectively silence users from being displayed in search results and other locations. This means that moderation tools for protecting communities currently exist. This is functionality I will explore more in the near future.
Whitelisted users can have up to five posts per day automatically appear on the global feed. Operators will be able to change this number in the future.
Controls that interact with the Twilio API also exist. Connecting a node to Twilio will allow node operators to verify the phone numbers of users and then award them with currency much as @merlin currently does on BitClout. This functionality requires a Twilio account.
The BitClout Network options screen features information about the BitClout Node Miner (not functioning at this time), the nodes you are currently connected with, and the Bitcoin nodes you are currently connected with.
This section can be helpful during the initial sync. It allows an operator to confirm that everything is working and that the node is staying in sync.
The Mempool section gives node operators important insights regarding the state of the Mempool for the BitClout blockchain. The mempool is where data is stored until it is written to a block on the blockchain.
I’m going to editorialize for a moment here.
It is my opinion that we are still very early in the decentralization game.
Do we know everything there is to know about BitClout yet? We do not.
Many will criticize the decision to obfuscate the source code for the node software – but it is important to note that BitClout is still a very young product. Look at our Timeline. Not very long yet.
One thing I’ve observed over many years of working in the tech industry is that it moves at a breakneck pace. A week in BitClout can feel like months. This is mirrored in the cryptocurrency industry as well.
True growth isn’t immediate. It takes time.
Popular cryptocurrency Cardano featured centralized nodes and did not become fully decentralized until just March of this year. So it isn’t unheard of for a decentralized project to not be decentralized right off the bat.
BitClout has already seen large sums of money being exchanged on the platform. A new platform, trying to decentralize something that has always been very centralized.
BitClout has been available to most users for less than a month.
Think about that… less than thirty days.
Sure, other decentralized social networks have existed – BitClout is still a different beast. It has different underlying technologies and concepts for how information can be freely shared between operators of traditionally siloed social media endpoints.
I’m willing to keep seeing where this goes and how it plays out.
Decentralization is key to the metaverse.
As of right now, the future certainly seems bright.