DeSo is a platform built for developing Web 3 applications, with a focus on content creators.
Late on Sunday (January 9), DeSo founder Nader al-Naji announced that his "decentralized social media" service would overhaul its much-criticized login flow. Experts, however, are nearly unanimous that the update will significantly worsen security for DeSo users, and may even undermine security across the new Web 3 landscape.
DeSo (formerly BitClout) is in many ways an example of what Web 3 could become. The system is built on a token economy and aims to help content creators get paid for their work, with users managing their DeSo assets through digital wallets similar to MetaMask or Samourai. Other "creator token" systems, notably Roll and Rally, follow a similar model. Critics, however, have previously noted that DeSo encourages users to engage in a very strange and dangerous behavior: they must enter their wallet "seed phrase" into the web interface to log into their DeSo web account. The seed phrase, sometimes called the "recovery phrase", gives anyone who knows it full access to the contents of the wallet, and it cannot be changed or revoked if compromised.
Because they are so sensitive, the generally accepted practice for seed phrases is to never enter them into any internet-connected interface, with websites probably the worst option of all. Individual responsibility for wallet management is central to the Web 3 concept, and training users in good security will be key to the success of the entire initiative. But instead of tackling the basic problem of using seed phrases as web logins, DeSo seems to have doubled down: the new feature will encourage users to send their seed phrases to Google Drive.
This can't be true
The proposed change drew fierce scorn from crypto veterans, engineers, and investors, with the derision heightened by a cynical disbelief that a Web 3 operation backed by a reported $200 million from Andreessen Horowitz and other blue-chip Web 3 backers would actually do this. Key figures including Matthew Graham, CEO of Sino Global Capital, seem to agree: using cloud storage for seed phrases that control potentially hundreds of thousands of dollars in crypto assets is foolish on its face. Perhaps the loudest outcry in response to DeSo's new "feature" came from Taylor Monahan, a cybersecurity expert and CEO of wallet developer MyCrypto.
What is a seed phrase?
Why is it so bad to ask users to enter the seed phrase of a crypto wallet into a web interface? In software wallets such as Exodus or Electrum, the seed phrase is roughly equivalent to the "private key" that gives direct control over a single on-chain bitcoin account. It is generated by an automated process, and unlike a Google password, for example, even the wallet's developers cannot see the phrase, reset it, or recover it if it is lost.
And once someone has a wallet's seed phrase, they can steal its contents, which al-Naji admitted on Sunday is exactly what happened to 10% of early DeSo users. In cybersecurity terms, then, a seed phrase is almost as sensitive as biometrics. Biometrics form the security backbone of another deeply flawed pseudo-crypto project, Sam Altman's WorldCoin, whose model has been heavily criticized by experts including Edward Snowden. As Snowden points out, biometrics are dangerous because they cannot be replaced once compromised. A crypto seed phrase can, in a sense, be replaced after a compromise, but it is a laborious process that involves setting up an entirely new wallet, and by the time you do, the compromised wallet may already have been emptied.
In the narrower sense, this means that logging in with a seed phrase, as DeSo does, poses a large and constant risk to users of the system itself. Phishing attacks that mimic official login pages to capture crypto credentials are especially common and have led to huge losses for users of platforms like OpenSea and Coinbase. Even hosted wallets are much harder to compromise when used properly. Al-Naji, critics say, is making his own users' wallets vulnerable. (Questions to the DeSo team about the specific role of the seed phrase on the DeSo platform were referred back to al-Naji's Sunday thread.)
Al-Naji's narcissistic approach to the matter no doubt irritates people even more. His tweets frame the situation as a false choice between "asking users to do better" and offering a much less secure login flow. But the underlying problem was DeSo's design, not user laziness. The new "solution" appears to have been chosen for optics rather than effectiveness: al-Naji and his team do not want to annoy users by making them download a secure software wallet, but they should not have made that decision for users with a poor design in the first place. Instead, we got a classic doubling down.
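To make the point above concrete, here is the standard BIP39/BIP32 derivation that many software wallets use, written as an added illustration (not code from the article, from DeSo, or from any wallet named here; whether DeSo's phrase follows exactly this scheme is an assumption the article does not confirm). It shows that a wallet's keys are a pure function of the phrase plus an optional passphrase: no server holds anything it could reset, and any copy of the phrase, wherever it ends up, derives the identical keys. The mnemonic is the public test vector from the BIP39 specification, not a real wallet.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Public test vector #1 from the BIP39 specification (constructed input, not a real wallet).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase), 2048 rounds, 64 bytes.

    The passphrase is a second secret that the phrase alone does not reveal;
    a wallet created with one cannot be opened with the phrase by itself.
    """
    phrase = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: master private key (left 32 bytes) and chain code (right 32 bytes)
    from HMAC-SHA512 keyed with the fixed string "Bitcoin seed"."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def keys_from_phrase(mnemonic: str, passphrase: str = "") -> Tuple[str, str]:
    """Full path phrase -> seed -> master key, returned as hex for comparison.
    There is no randomness anywhere in this chain, which is why the phrase
    cannot be "reset": the same words always yield the same keys."""
    seed = bip39_seed(mnemonic, passphrase)
    master_priv, _chain = bip32_master_key(seed)
    return seed.hex(), master_priv.hex()


def same_keys(phrase_copy_a: str, phrase_copy_b: str, passphrase: str = "") -> bool:
    """True if two copies of a phrase (e.g. the user's and one copied from cloud
    storage) derive the same master key, i.e. confer identical control."""
    return keys_from_phrase(phrase_copy_a, passphrase) == keys_from_phrase(phrase_copy_b, passphrase)


if __name__ == "__main__":
    seed_hex, key_hex = keys_from_phrase(TEST_MNEMONIC, "TREZOR")
    print("seed:", seed_hex)
    print("master private key:", key_hex)
    print("copy derives same key:", same_keys(TEST_MNEMONIC, TEST_MNEMONIC, "TREZOR"))
```

The `"TREZOR"` passphrase is simply what the specification's test vectors use; a wallet with no passphrase uses the empty string, which is the case in which the phrase alone is the entire secret.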
UX is a security issue
As much as DeSo is wrestling with its own demons here, the much bigger problem for critics seems to be that a seed-phrase-based login flow trains users in poor security practices. This could lead to more misunderstandings and tragedies across the emerging Web 3 ecosystem. "DeSo infuriates me because they acknowledge wallet responsibility while deliberately ignoring all the key best practices in the book," Monahan told me when I sought more information. "Not only do they keep secrets in browsers in an insecure way and teach users that keeping secrets on random websites is a good thing, but this is the time they need to defend their malicious actions.
"This raises the question: if customer safety is not a priority, what is DeSo's real motivation in the Web 3 ecosystem?" This is a particularly harsh criticism because DeSo is so closely tied to the very ecosystem it aims to bring into the mainstream (or at least to profit from). In its earlier incarnation as BitClout, DeSo raised funds from at least 19 sources while operating and selling its token, including Blockchain.com Capital, Arrington XRP Capital, Winklevoss Capital, and most importantly Andreessen Horowitz. Andreessen Horowitz has been a vocal supporter of Web 3, even through Jack Dorsey's recent attacks on it.
Of course, these funds do not directly control the choices of the founders or companies they invest in. But this is not the first time DeSo has threatened to embarrass its backers.
The Google Drive debacle follows other DeSo moves that many viewed with skepticism or suspicion. At the top of the list is the inventive initial fundraising design DeSo used as BitClout. The initial sale of the CLOUT token used a so-called "bonding curve" which, according to critics, gave unusually generous terms to private pre-sale investors (even by crypto standards).
BitClout also drew criticism for what some saw as a reckless disregard for individual property rights and privacy. For the first version of the product, BitClout scraped Twitter for users' profile photos and other assets to create accounts. It then encouraged users to pay for the privilege of taking control of BitClout accounts that had been created without their permission and that used their own intellectual property.
Some users regarded the scraped profiles as impersonation. Former Google head of marketing Adam Singer described the practice as a "consumer-hostile dark pattern BS model". As part of DeSo's rebranding, the CLOUT token has now been replaced by DESO, and BitClout itself is now billed as a single application built on the DeSo blockchain. Given the widespread backlash against BitClout on these and other issues, however, there is substantial reason to believe the renaming was one of convenience. It is also worth noting that, as Protos Media explains, the rebranding has in some cases been misreported as DeSo raising new funds, when in fact it carried over the same $200 million it had raised under the BitClout name.
As a positive development, al-Naji seemed somewhat chastened by the reaction to his Sunday remarks. He has since taken to Twitter, asking, apparently sincerely, for better options for a login that is "fully self-custodial, completely private (no PII), low friction, mobile friendly, and requires no extension." The insistence on avoiding extensions or any other added layer of protection is, I personally think, wrong. Al-Naji rightly points out that downloading and installing extensions is a pain for some users, but downloading streaming apps to a Roku seems to work fine for Netflix. There may be some trade-offs involved in onboarding new users, but key management is an inherent feature of Web 3, not a nuisance. At this stage of the game, it is the startup's responsibility to train future Web 3 users to get it right.
The decision to let users quietly bypass Web 3's core architecture could fuel the growth of individual operations like DeSo in the short term. But by teaching the wrong lessons, such practices add risk for consumers and, in turn, undermine the foundations of other projects in the ecosystem. This helps explain precisely why so many people are so angry: DeSo's weak security is, ironically, a kind of theft from the broader Web 3 commons.