University College London, better known as UCL, has officially terminated its ties with the IOTA Foundation in response to the legal threats made by the IOTA Foundation against cybersecurity researchers.
Patrick McCorry, a security researcher at UCL’s Initiative for CryptoCurrencies and Contracts, revealed the official statement from UCL, which emphasized that researchers should not fall victim to lawsuits for disclosing their findings, and added that other universities and colleges should follow UCL and terminate ties with foundations that threaten researchers with lawsuits.
From UCL’s official statement:
“UCL Centre for Blockchain Technologies is no longer associated with the IOTA Foundation. In relation to recent news report, we reaffirm our support for open security research, as a prerequisite for understanding the assurances provided by any blockchain technology. It is inappropriate for security researchers to be subject to threats of legal action for disclosing their results.”
In February, Boston University’s Ethan Heilman along with a team of researchers at the Digital Currency Initiative (DCI) released a report exposing a flaw in IOTA’s hash function called Curl. The report, entitled “IOTA Vulnerability Report: Cryptanalysis of the Curl Hash Function Enabling Practical Signature Forgery Attacks on the IOTA Cryptocurrency,” said that the cryptography used by IOTA leaves the network vulnerable to forged signatures and potentially to stolen funds.
Almost immediately after the report was released, IOTA co-founder Sergey Ivancheglo confirmed on social media that a team of lawyers was working to challenge the researchers and their findings.
Dan Guido, CEO of the security research firm Trail of Bits, told IEEE’s Morgen Peck that the emails sent by the IOTA Foundation were embarrassing for the project, as they showed a lack of maturity and of motivation on the foundation's part to improve the project and address the vulnerabilities found in the IOTA protocol.
“I think the emails were extremely embarrassing for the IOTA project. They should convince anyone that IOTA lacks the technical leadership or, simply, the maturity to build their product,” said Guido.
However, in an interview with CCN.com, the IOTA Foundation confirmed that it had never threatened any researchers and that it encourages research within the cryptocurrency sector. More importantly, the IOTA Foundation noted that while Sergey Ivancheglo is a co-founder of IOTA, he is not involved at all with the IOTA Foundation.
“First of all I would like to clarify that IOTA Foundation is not involved at all, it is a personal business between me and Heilman. This is an important detail and in the future, talking about the matter, mention it, please,” Ivancheglo stated in an earlier post on his blog.
In response to the report written by Peck and the statements of Guido and Dudley, IOTA co-founder Ivancheglo said that Peck's report told only one side, and that the IOTA Foundation does not agree with the assessment that it did not attack researchers.
Steven Murdoch, a security researcher at University College London and VASCO, emphasized that it is not acceptable for any organization or project to threaten researchers with lawsuits for disclosing their findings.
“As someone who has been on the receiving end of legal threats for my research, I consider it important to be clear that it is unacceptable to intimidate researchers for disclosing security flaws in good faith,” said Murdoch.
When CCN.com reached out to IOTA, the IOTA Foundation stated that it stands by the statement made by IOTA founder David Sønstebø, which read:
“100% agree with you. I denounce such acts entirely and the IOTA Foundation has condemned it repeatedly. Another unacceptable act is to willfully drive a false narrative such as Patrick McCorry is doing here for his own agenda.”
“An unfortunate side effect of the great promise from Distributed Ledger technologies and one of its applications (crypto) is a constant rivalry between projects for sheer profit, this permeates the entire space at the present and render legitimate topics as an afterthought,” added Sønstebø.
The misunderstanding in the case of UCL and IOTA derives from the misinterpretation of the involvement of IOTA co-founder Ivancheglo in the IOTA Foundation. IOTA co-founders are not a part of the foundation, which is a non-profit organization, and the IOTA Foundation has emphasized that it is open to research and constructive criticism.
Last modified: May 20, 2020 8:47 PM UTC