Development of alert system

I’ve been working on writing the alert system.  Alerts are broadcast through the network and apply to a range of version numbers.  Alert messages are signed with a private key that only I have.

Nodes can do two things in response to an alert:

• Put a warning message on the status bar.
• Make the money handling methods of the json-rpc interface return an error.

In cases like the overflow bug or a fork where users may not be able to trust received payments, the alert should keep old versions mostly safe until they upgrade.  Manual users should notice the status bar warning when looking for received payments, and the json-rpc safe mode stops automated websites from making any more trades until they’re upgraded.

The json-rpc methods that return errors during an alert are: sendtoaddress getbalance getreceivedbyaddress getreceivedbylabel listreceivedbyaddress listreceivedbylabel

If you’re so paranoid that you’re getting hysterical over this, then surely you’re paranoid enough that if a warning message displays on the status bar, you’ll check the website and forum.

I think if another bug like the overflow bug occurs, it’s important that automated websites stop trading until their admins can check out what’s going on and decide what to do.  If you decide it’s a false alarm and want to take your chances, you can use the “-disablesafemode” switch.

This is in SVN rev 142 as version 0.3.11.

It can’t do arbitrary actions remotely.  Maybe some of you are responding to other posters who suggested the alert system should do more?

If there is an alert, the following json-rpc methods return an error: sendtoaddress getbalance getreceivedbyaddress getreceivedbylabel listreceivedbyaddress listreceivedbylabel

The remaining 14 methods function as normal.

I believe the safer option should be enabled by default.  If you want your server to keep trading and ignore an alert saying the money its receiving might be like the money from the overflow bug, then you can use the switch and not blame anyone else if you lose your money.

Worst case if you leave alerts enabled, your site stops trading until you upgrade or add the -disablesafemode switch.

Getting surprised by some temporary down time when your node would otherwise be at risk is better than getting surprised by a thief draining all your inventory.

Someday when we haven’t found any new bugs for a long time and it has been thoroughly security reviewed without finding anything, this can be scaled back.  I’m not arguing that this is the permanent way of things forever.  It’s still beta software.

I changed the switch name to -disablesafemode.

Quote from: jimbobway on August 25, 2010, 04:45:22 PMQuote from: BioMike on August 23, 2010, 05:15:43 AM@mizerydearia, I think the quote button is easier to find then the reply one.

So, theoretical this is a first control system where can arrest satoshi and demand that he hands over his key (or get it from his computer) and shut down the complete network?

Or is that not possible? How far would get?

A few rhetorical questions for satoshi:

Can you resist waterboarding? Can you endure electric shock? All forms of torture? Lastly, are you Jack Bauer by any chance?   Seriously. WRT the alert system, who cares?  The most the key can do is temporarily disable six json-rpc commands until the site owners either add the -disablesafemode switch or upgrade.  All nodes keep running and generating, the network stays up.  If I’m not available, any script kiddie can figure out how to add two characters and make a new version that disables the alert system.  It would be a temporary inconvenience only.

Quote from: BioMike on August 23, 2010, 05:15:43 AMSo, theoretical this is a first control system where can arrest satoshi and demand that he hands over his key (or get it from his computer) and shut down the complete network? This is what makes me think the people objecting don’t know what they’re talking about.  It can’t “shut down the complete network”.

Quote from: nelisky on August 25, 2010, 01:28:32 AMSo what kind of warning do admins get from bitcoind? Is there something we can grep from debug.log? Or will rpc calls raise some specific error? Is there a way to locally force this to happen, for unittesting services? getinfo has a new field that shows any alert messages or other errors that would be displayed on the status bar.

The rpc methods return a json-rpc error with the error description “Safe mode: ” followed by additional text specified by the alert.

I added the switch “-testsafemode” for you.  SVN rev 145.

This stuff is very new and may still be subject to change.

Quote from: mizerydearia on August 25, 2010, 12:11:50 AMI just discovered http://www.bitcoin.org/wiki/doku.php?id=man_page and don’t see any reference to -disablesafemode.  Perhaps it should be added!  Also others liek -4way should be added as well. Many switches are intentionally undocumented, like if their functionality is still under construction or I haven’t settled on their name yet, or just test code not intended for release.

-4way should eventually be replaced by an auto-detect.

Quote from: BioMike on August 25, 2010, 06:23:45 PMQuote from: satoshi on August 25, 2010, 04:56:15 PMQuote from: BioMike on August 23, 2010, 05:15:43 AMSo, theoretical this is a first control system where can arrest satoshi and demand that he hands over his key (or get it from his computer) and shut down the complete network?

Or is that not possible? How far would get? This is what makes me think the people objecting don’t know what they’re talking about.  It can’t “shut down the complete network”. I’ve never objected this change/idea, just asking if this was possible and to what extent. What’s wrong with getting informed? My apologies, your post was indeed a question not a statement.