I am the Mayor of this receipt for a 64 digit hash!

Platonic Solid Snake:

Every time I think about NFT art I just get angry again at how stupid the whole thing is, not like stupid as in "new faddish stuff may not hold water", stupid as in literally the entire premise is fucking idiotic, you're paying for a receipt that says "i paid money" and that's it.

ME: "give me twenty dollars and I will say the word 'the' to you"
YOU: deal
ME: "the"
YOU: great, thanks man
YOU: so now I own Josh saying "the" that one time
THEM:  so he can't say "the" anymore?
YOU: no he can, but
THEM:  but he can't say it for $?
YOU: no he can, but
THEM:  but he can't say it like thaaaat, exactly?
YOU: no, he can but
THEM:  oh, but only you control that one moment when he said it like that, you have exclusive rights to that!
YOU: no, he filmed himself and posted it on his youtube
TEHM: What...did you...buy?
YOU: it! With $.
THEM:  so what's the point of buying it when it's free and you don't have any control over it?
YOU: it's non-fungible, no one else can buy it, it's mine
THEM:  what is
YOU: the record of the event of me having paid money for having a record of the event
THEM:  okay i guess you really just like having been there in person for him saying "the", that's--
YOU: oh, I wasn't there, it's just the url of the youtube video he posted
THEM:  he sold you a URL
YOU: well I don't actually know if it was Josh who sold it to me
THEM:  uh
THEM:  so his, like, broker sold it to you?
YOU: maybe? I mean, SOMEONE sold it to me. I have no idea if they know him.
THEM:  uh
YOU: or had the "rights" to sell it to me
THEM:  uh
YOU: anyway I'll sell it to you, the receipt, for a hundred dollars

I have somewhat simplified the mechanics and details of the process in this set of tweets because it really really doesn't fucking impact how fundamentally stupid and money-wasting the entire thing is, it's blockchain stupidity colliding with art speculation & theft stupidity

Postscript: the issue isn't lack of sufficient control over purchased art. Art as a commodity that rich people throw money at to make artists knife-fight over a living wage or a rare rare lottery win is a shitty situation! But NFT art purchasing does nothing to fix that.

The core of the NFT art sales development is: what if the art speculator whales were primarily wealthy tech bros? What if the artist's actual control over their work was further eroded? What if sale of digital art was no easier but WAS tied to a specific wasteful cryptocurrency?

You want to revolutionize the nature of artmaking, establish a fucking universal basic income and let people make whatever art they want to because they're not grinding under the wheel of late capitalism. Cryptocurrency and art speculation don't do shit for artists writ large.

Previously, previously, previously, previously.

Tags: , , , , , ,

32 Responses:

  1. I really don't get why anyone falls for it. But apparently they do.

    • Mike Qtips says:

      It's not that hard to understand. They heard about a guy who sold crap at Christie's for $62mil, and think it's going to happen to them too, only without them having to go to the trouble of having a secret business partnership beforehand with an NFT entrepreneur who has $62mil free to spend on a wash sale to promote their mutual NFT business to fools like them.

  2. Zippington T. Whatsit says:

    This is the take I was looking for.

  3. David Blume says:

    Are NFTs another blockchain that gets more and more expensive to sign? Another reason to hate them if so. They're actively bad.

  4. Andrew says:

    When I first heard of NFT, it reminded me of Tulip Mania, but without the tulip. Much like Bitcoin as commodity speculation without the commodity.

    • Lemke says:

      Tulip Mania was also without the tulip, to be fair.

      They sold paintings of what the bulbs MIGHT become.

  5. Elusis says:

    You want to revolutionize the nature of artmaking, establish a fucking universal basic income and let people make whatever art they want to because they're not grinding under the wheel of late capitalism. Cryptocurrency and art speculation don't do shit for artists writ large.

    Hear, hear.

    So... I have some small subfraction of a Bitcoin (is that a "bittie?") sitting in a wallet where I stashed it in like 2010 or 2011. It was worth something like $70 at the time and is worth around $500 or $600 bucks right now. What should I... do with it? Hold onto it longer so I can eventually take more money from some asshole? Dump it like cursed pirate treasure?

    • Big says:

      It might be worth double checking that.

      In 2011 Bitcoin peaked at ~$15. It’s now “worth” over $55k.

      If you’re lucky, and your old recollections are correct, you could have around 5BTC, which some planet burning ponzi scheme idiot would pay you close to a quarter of a million bucks for today...

      (If it’s really only 5 or 6 hundred 2021 dollars, then the right answer is obliviously “hookers and blow”...)

      • Elusis says:

        I do check Coinbase now and then hoping I'll see a lot more 0s but unless I'm reading it wrong, I think it's just "hookers and blow" money. I wish I were wrong - would sure solve my Seattle condo shopping problem right now.

        (I think I'll pass on the actual hookers and blow, as 1) pandemic and 2) not my bag, but donating it to some sex worker friends who've been really impacted by pandemic is a decent idea. I just have the same "do it now or hope it grows zeroes?" problem.)

  6. Nate says:

    It's fun to point and laugh, and fine to get mad about the implicit environmental destruction that's only incrementally better than dumping mercury-filled mining tailings into waterways. But yeah, how many of us have bought houses or funded dream businesses by selling 'shares' of 'ownership' in a toddler-aged company that offers a vague possibility of paying dividends at some point far in the future? I have. It'd also be interesting to stack up the terawatt hours burned to twiddle blockchains vs fuck-if-I-know-how-this-works attempts at using AI to divine patterns in the Brownian motion of the stock market and execute trades in picoseconds.

  7. Karellen says:

    It's a well made point, but fuck if Twitter isn't a literally the worst medium possible for making blog-post length points.

  8. jcurious says:

    My understanding is that some of these NFT are essentially signed hashes.

    I'd love to see someone create a file that produces a collision of one of the overpriced NFT's hash; create and NFT of that; claim that the overpriced NFT is theirs ; the creator of the fake would claim that "real" owner of the expensive NFT; and also claim that the "real" owner of the expensive NFT is actually the owner of the fake.

    • Nick Lamb says:

      I will break my rule just to explain briefly, since this is a misunderstanding that keeps happening so obviously we can't explain it often enough...

      Being able to make Collisions does not enable Second Pre-Images. Collision allows you to make two special documents A1 and A2 such that hash(A1) = hash(A2) and so you can abuse a confusion between A1 and A2. But if somebody else just innocently made a document B1, Collision doesn't allow you to conjure up some other document B2 such that hash(B1) = hash(B2). To do that you would need a Second Pre-Image attack.

      No practical Second Pre-Image attack exists for any vaguely modern cryptographic hash. Not even the long obsolete MD5.

      If it helps, imagine Collisions as being like Palindromes. The word "civic" is a palindrome. Having chosen "civic" if I write the letters in reverse order, it's still the same word, "civic". But knowing how to do this doesn't allow me to do this trick on just any word other people pick, if I reverse "obvious" I get "suoivbo" even though I knew about palidromes, because to make that trick work I need to pick the word.

      You have to create both documents in the Collision.

      • Ingvar says:

        Wasn't the MD5 certificate collision a second pre-image attack? Albeit with a relatively small set of possible pre-images.

        • Nick Lamb says:

          No, the collision was a collision.

          We of course do not know all the details of how the NSA and/or Mossad created their collision to attack Microsoft (on the path to trashing an Iranian weapons programme) so I presume you are referring to the certificate created for the Chaos Communication Congress in 2008 by an international team.

          X.509 certificates consist of a document (the to-be-signed certificate or tbsCertificate) plus a signature. So if you can create two tbsCertificates, A1 and A2 as I explained previously, with the same hash, a hash-based signature scheme will result in signatures for A1 also being valid for A2. That's a collision.

          RapidSSL (and several other CAs in the Web PKI) were at that time issuing certificates using MD5 hashes. This was definitely a bad idea. We will see in a moment that there were also other problems.

          The CCC team knew that if they could come up with two collided tbsCertificates, one of which they got RapidSSL to sign, the other would then in effect be signed too. So then the problem is, why should RapidSSL sign this weird document you've made?

          Since they're doing the work, they get to choose what the colliding documents look like. As with my palindrome analogy, they can't just make anything, but they have some room, I could have chosen "kook" or "level" or "rotator" but not "elephant". Their two documents need to be the same length (length is a factor in MD5) and to some extent RapidSSL is going to choose what the A1 document is like.

          RapidSSL has certain things it's just always going to do. All the certificates it issues are going to say CA:False at the end, because they don't want to issue you a CA certificate. They're all going to say they were issued by RapidSSL (duh) and a bunch of other tedious boilerplate. The team knew all this.

          To be useful of course some of the other elements of the certificate are set by those requesting it. There's a 2048-bit RSA public key, chosen by the CCC team, and there's an FQDN (i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org) repeated several times, also chosen by them.

          Finally, some elements change over time. The certificates issued tomorrow will have tomorrow's date in them, and indeed RapidSSL would automatically fill out the precise date-time in each certificate to the second. And each certificate has a serial number, RapidSSL's approach was to take the words "serial number" at face value, each certificate would be issued with a successively incremented serial number.

          So, the end result is that if the CCC team can predict exactly when a specific serial numbered certificate is next, they can pay RapidSSL to issue a certificate with that serial number to them at a specific moment, having calculated a collision such that the certificate they actually request is A1 while they also have A2 which is somehow exploitative. Since they are researchers not bad guys, their A2 is a CA:TRUE certificate which has already expired and so is useless except to make a point.

          How do they achieve their prediction? They estimate the rate of issuance for RapidSSL by buying one or two certificates once in a while, and they pick an exact date/ time. They create the collision for this precise time, with a serial number that they expect will be slightly higher than RapidSSL will actually have issued. Then, as the time approaches they start buying certificates, they spend a few hundred dollars, and then they just cross their fingers that nobody happens to buy a certificate in the few seconds between them buying the last one before the number they've planned on, and them sending over the request for the A1 certificate at the exact second necessary. They got lucky (if not I guess they'd be out a few hundred bucks and try again in a few days)

          The collision calculations they did aren't easy - their RSA public key for example is not from a randomly generated good key pair, it's just plausible enough that RapidSSL aren't likely to realise it's bogus, and is actually part of their collision attack because an RSA key is a whole pile of arbitrary bits, useful for collision algorithms that don't produce nice ASCII text. And the similar-but-not-identical bits in the A2 document obviously won't even work as an RSA public key, so those are actually tucked inside a Netscape X.509 comment, allowing them to take any value without it causing problems. It took them about one day (with a room full of gear) to make the colliding pair given the above constraints. If you did this commercially it would likely cost more than the certificates, but they had research labs.

          The correct countermeasure for this attack (beyond obviously not using known-bad hash algorithms for X.509 certificate signatures) is to randomize the serial number field. Today this is required to have at least 64-bits of randomness, so the attackers would need to guess a different 64-bit number each time they attempt the attack, good luck with that.

          • Ingvar says:

            OK, the one I recall was a cert with the expiry date set multiple years in the past, with an expected serial number range of ~256 different numbers. I may be mis-remembering, though. But, pretty sure that one was a group of academics, not CCC.

            • Nick Lamb says:

              I referred to them as the "CCC team" above because they don't have a single affiliation and the notable thing they did with this work at first was present it to CCC, but yes, these aren't the CCC organisers or anything - there's a bunch of academics (including from UCB and Eindhoven) in that group as well as what I guess we'd call "white hat" hackers, and commercial researchers. I actually don't know the history of why they were working together, maybe they're old friends, or it may be as simple as they all agreed that since MD5 is broken it was crazy people were still relying on it and it was time to provide a proof-of-concept demonstration.

              Anyway, it's a collision, that expected range is driven to one by the effective strategy of just buying all the certificates with the lower serial numbers (and hoping nobody buys the one you wanted) and you must choose the entire document in advance, you don't get to pick a document somebody else had signed and do this trick, so it isn't a pre-image.

      • tfb says:

        So I'm probably just being stupid here (I've just had the CV19 vaccination and ... well it's like being a little drunk for a couple of days in terms of thinking) but is this sort-of why a superficially absurdly weak hash is OK for things like git? In order to fake a commit you not only have to find another commit which has the same hash but that imposter commit needs to make some kind of sense in its own right: it can't just be line noise, it needs to be a syntactically-valid commit and further, to be useful, it really needs to inject something useful to you into the chain of commits. And that makes the problem absurdly hard.

        • Nick Lamb says:

          For me the vaccination caused flu symptoms, then a powerful craving for a kebab (while I live in a city it's not the kind of city where you can order a decent kebab for delivery at 0500 so too bad) but no noticeable intellectual degradation. However I had the Chimp Adenovirus [that's what ChAd stands for in ChAdOx1] based shot whereas I'm guessing you had an mRNA shot, very different platforms so likely to cause somewhat different side effects.

          No, the use of a known broken hash (SHA-1) for git isn't OK at all. It is bad that they used this bad hash in a relatively modern system, and then it's also bad that they've dragged their feet on actually fixing it properly after SHAttered.

          But again you'd need a collision because there is no second pre-image attack for SHA-1. There is no way to just "find another commit which has the same hash". Instead an attacker would prepare two commits with the same hash - which yes both need to be syntactically valid, but that is easier than you might imagine - and then they need you to accept one of those commits.

          For example maybe a bad guy prepares a PR for a "fix" to the binary firmware blob for a common piece of hardware in a popular driver. The expert taking the PR has tools that enable them to verify the hardware performs as expected with this fixed blob and they accept the pull. But alas, the bad guy has a commit with the same hash but a different blob, and they're able to have people building popular binaries use their blob instead, relying on the expert's confidence that this fix works. If the expert saw this other blob, they'd soon realise it injects a gross security vulnerability into affected systems, but the one they saw doesn't do this.

          Is that far-fetched? Well, it's not something a bored teenager is going to do to Rickroll your KPOP fandom podcast. But it is definitely something that say, a government sponsored hacker might attempt to screw up a foreign power's electrical grid.

          The good news is that even though git hasn't really put the desired amount of effort into properly fixing this yet, they did land a mitigation. An approach to attack Merkle–Damgård hashes (like MD5 and SHA-1 and indeed SHA-2) is well understood and we are confident bad guys would use the same approach (we have evidence from that NSA/Mossad attack on MD5) so we can detect situations that are likely to break the hash and abort or generate a non-standard result in this situation at a cost of reducing the performance of the hash function we use. If you aren't running a horribly outdated git then you are protected by this mitigation.

          • Ingvar says:

            I guess at the time of initial Git release, using SHA1 was actually pretty sensible. But I was surprised to learn that "the hash algorithm" is just in the code, not in the storage. Sure, it saves something like 1-4 bytes per hash (depending on how many hash algorithms you expect to be able to need, over the entire lifespan of "git as a thing"), making it essentially impossible to change after the fact.

          • tfb says:

            Thanks. No, I had the ChAdOx1 one as well. The side-effects weren't unpleasant but they were quite noticeable. Of course since I just spent 45 minutes in a (large, well-venrilated,well-separated) indoor space with a lot of other people for the first time in more than a year it's possible I caught something, but that seems unlikely.

  9. Peter says:

    A friend bought me a signed Ted Williams jersey, which came with a certificate of authenticity that has a cool hologram on it. I have no idea if he really signed it, one of his PR people did, or it was entirely faked. And I guess that doesn't matter, but what matters is if it was done in such a way that other people believe he signed it.

    Aren't NFTs essentially the same thing?

  10. Aidan Gauland says:

    It's been almost two months since this was posted, and I still have to come back and re-read this whenever I hear about another art NFT being "minted" to remind myself that, no, I am not crazy, this whole concept really is as stupid as it sounds.

  • Previously