About leaving the IOTA Foundation

Philipp Blum
May 15, 2020


Edit 07.01.2023:

Besides Twitter, here is another reference to some of the work I did for the IOTA Foundation (of course they pushed every IOTA-related project to delete my references, but the Internet doesn’t forget): https://web.archive.org/web/20200807035018/https://iotaarchive.com/foundation/philipp-blum

Edit 23.02.2021:

The IOTA Foundation deleted my welcome post. So, here is a link to another source: https://web.archive.org/web/20210425062347/https://twitter.com/iota/status/1106650448688267269

Edit 13.02.2021:

It has been a year and some things have changed, so I need to update the article.

1. The vision page has changed and IOTA doesn’t mention the “backbone of IoT” anymore. Unfortunately, there isn’t a version on the web archive. The “What is IOTA” page still mentions the “backbone of IoT”.

2. The IOTA Foundation fired David Sønstebø. David responded to Dominik with “I will however, demand that you [Dominik] no longer refer to yourself as a co-founder of IOTA since you had no part in its founding.”

End of the update

Before we dive into it, I want to make one fact clear.

I am not angry, nor do I want to damage the IOTA Foundation. They have some really good engineers and people. I would rather see a thriving IF than a broken or even dying one. We need more technologies with these core attributes in this space.

It is hard to write these things down, but I value transparency a lot. I think the IOTA community needs to have all the information. I think the world needs more transparent and open companies. I also hate it when companies lay people off in order to balance the books. We are all humans and we should care more about each other, especially in the current situation. I know I sound like a hippie, but it is true. Laying people off creates an atmosphere of mistrust. People will no longer feel safe in their working environment. Innovation is risky. To have a working environment where people can be innovative, they have to feel safe. Even if you have to let people go, this is probably the worst way to do it. But this is another topic by itself. So, let’s dive into the topic of this article.

Who am I?

The developers in the IOTA community know me already. But for the people who don’t know me, there is a short welcome post on the IOTA blog.

Transparency

Open source is just one part. You have to be transparent as well: with your plans, with the progress, with everything. Sorry to tell you this, but the IOTA Foundation is not as transparent as it should be. Of course, I cannot leak internal information. But the public data give a good impression of the situation. Just take a look at the EDF fund tracker. It is supposed to show the recent grants in a transparent manner.
As of writing this article, the last update was in July 2019, and we are already in mid-May 2020. When you follow the transactions in the EDF fund tracker, you can find the current address. There are only 16.87 Ti available as of writing this article, while the tracker still says 19.22 Ti. The difference is ~940,000 USD. This is a big mismatch. The last transaction on the EDF fund was on April 23, 2020. So, they are actively using the funds, but people don’t have any idea what the funds are used for. We get an impression from the blog articles, but we cannot check whether the funds are really used for these projects. We have to trust the IOTA Foundation. Trust has to be earned, and I think the IOTA Foundation is not in a position to lose even more trust.
Another transparency issue is David Sønstebø, one of the founders of IOTA. Yes, CfB’s behavior isn’t nice either. So, I will definitely not pick a side, even if both are trying to get people behind them. It’s not my point who is right and who is not. It is probably something in the middle. This whole Jinn topic is the dubious funding story of IOTA, like a project built on drug money or something. While CfB wrote a Medium article on his perspective, David also gave his take. To be honest, I do not care about this anymore. There is just one big question stuck in my mind: when David considers these Jinn assets as donations, why isn’t the IOTA Foundation owning them? It is the resulting entity of Jinn, not in a legal way, but from the technology perspective. For the sake of transparency, the IF should share all information. What will David do with the assets? Just wait until everyone forgets? From my point of view, David and CfB have a fiduciary duty. They both don’t own the assets; the Jinn investors do.

Another transparency point is the funds of the IOTA Foundation. I am still waiting for a financial report. I think the token holders deserve to know what the IOTA Foundation is using the funds for and how many assets the Foundation has. The current address and the burn rate show that the IOTA Foundation will run out of money in 13 months. The situation is currently not that bad; we have already been in a worse situation (9–10 months). At the moment, the IOTA Foundation has to become sustainable within one year. They have to finalize the Coordicide protocol. They also have to provide the necessary infrastructure within this time frame, all the necessary libraries etc. And, of course, they need enough companies which are using the technology and paying for it. I would really like to get a report on the current financial situation. How many companies are paying? How much do they pay? Having great partnerships is one point; getting paid contributions is another topic.

IoT

So, let’s talk about the core of IOTA. Overall, IOTA is supposed to be the protocol for the machine economy, right? At least that is the vision of IOTA.
Unfortunately the reality looks a bit different. The IOTA Foundation is barely working on IoT topics. There is a little progress, like the crypto core created by Thomas.
On the other hand, the FPGA alone costs 50 USD. So, this is probably nothing somebody would use in an environment where every penny counts. And there is also Honeycomb OS, a great distro made with Yocto. It is also really helpful for deploying nodes in a professional way. You can simply build your own image if you need to. So, there is some progress for SBCs/gateways. But when it comes to constrained devices, there is barely any progress. Sam started writing a PlatformIO integration for the iota.c library.
I also documented this library and wrote some examples for it. As you can read in the “Microcontroller support” table, the support for MCUs isn’t great. Microcontrollers like the nRF52832 or STM32F103C6 are not able to sign transactions with this lib. The library we, as a community, wrote two years ago is able to sign transactions on these microcontrollers. It is also much faster, as I demonstrated. The community library lacks necessary features, no doubt. It does not have an integration for POSIX sockets. Therefore, there is no API to send the transactions to a node. But all in all, this library is a great basis for further development. I still don’t understand why the engineers of the IF didn’t fork this library. The license is fine and not restrictive at all. It just doesn’t make sense. Instead, they developed a whole new library and wasted a lot of time. If the iota.c library were better, it would make sense to write a new one. The problem is just that the iota.c library isn’t better for constrained devices. It’s the opposite. The library is not usable for constrained devices. 7 seconds for generating a bundle with 3 tx on the community library is already bad. I never thought it could be even worse, but it is. At least they will also support Ed25519 in the future, which will make things faster. Even so, I also question this decision. Ed25519 is great and fast on computers, but it is still a lot of computing for constrained devices. This is what you have crypto ICs for. Unfortunately, crypto ICs for Ed25519 are still not available. Why should they be? ECDSA is still not broken and crypto ICs for ECDSA are available for a reasonable price, currently ~0.7 cent per IC. The fun part is that even Thomas uses this crypto IC in the crypto core module in order to store the keys. He also mentioned the fact that the algorithm (Keccak) is not supported by the IC.
“Secure Processors are not new — for instance ST Micro has some which also are used on the Nano Ledger Wallet. Often they have dedicated hardware which speed up calculations of e.g. SHA256 or ECDSA significantly — but there is no Secure Processor which has support for algorithms used in IOTA.”
Don’t get me wrong, he did an amazing job. This is the best Keccak implementation for an FPGA you can find. The IOTA Foundation could simply avoid a 50 USD FPGA if they switched to ECDSA instead of Ed25519.
There are even more issues. Tinkering with hardware and sending some transactions over an insecure channel is one thing. I do and did this as well. There are a lot of examples of tinkering on the Hackster page. This is great for getting people into IOTA, no doubt. But having a production-ready and secure protocol is a completely different topic. The IOTA Foundation has no idea how to integrate the protocol into other important IoT protocols. They are not even working on this. Just to name a few important protocols: Web of Things, 6LoWPAN and RPL. There are still a lot of fundamental issues which are not solved. One example: when I have a gateway, how do I know that this gateway is telling me the truth? As a constrained device, it is my only access to the Internet and therefore to the Tangle. Or: how do I integrate IOTA into these kinds of networks? These issues are solvable, for sure. But the Foundation is not even working on them. The general focus is not IoT, even though they are claiming it. Maybe they will eventually care about constrained devices, but they currently do not. They are more focused on the web rather than IoT.

Technology

There are Hornet, Bee, GoShimmer and IRI. These are only the IOTA nodes. They even had cIRI, which they finished but didn’t release. There are the industrial marketplace, Streams, DID, smart contracts and the permanode. The permanode is the worst story of all of them. They released it, just to rewrite it in another programming language.
But it’s not like they are stopping there. They just added IOTA Access to the zoo and called this “Aiming for Simple”. And there are also all the libraries for interacting with the IOTA nodes. I understand the reasons behind all these nodes, libraries and features. But it’s just too much. You are not able to maintain this with a couple of engineers. Some projects are only maintained by one person. What if this person leaves the IOTA Foundation? These projects will eventually be abandoned. I am not sure if this is an ideal strategy. There is a missing focus. All other DLT projects work on their core technology and don’t add features on top of it while the core isn’t working.

Partnerships

Partnerships are great when both parties benefit from them. Over time I realized that a lot of community members don’t understand the partnerships the IOTA Foundation makes. First of all, the IOTA Foundation prefers MIT or Apache as their license. You just need to look into the source code of all the projects. This is an important fact. If one of the partner companies makes changes to their version of the Tangle, they are not forced to publish these changes. This means they can benefit from improvements on the main branch, while they don’t have to publish their improvements to the software. The license topic itself is debatable, true. I think the Foundation is there to benefit all people, not only a selected group of people or companies. Some companies are part of the Tangle EE standardization. So, there is some progress on this front. The most important thing to understand is the fact that most partner companies are not interested in supporting the main Tangle or the token. For most use-cases it is better to use a private Tangle instead of the main one. Let’s take an example: supply chain tracking for the automotive industry. Instead of asking every company to be on the main Tangle, all these companies can just form their own private Tangle, a Tangle for their purpose: supply chain tracking. With this model, they don’t have to mess with all the other transactions. Why should they, if there is another good option available? They just keep a database with supply chain tracking data and don’t have the overhead of unnecessary transactions. You might think: yes, but the network is not big enough to be trustworthy. If a lot of automotive companies agree on using this DLT, it will be. And why should they use the main Tangle? You also have to convince the other automotive companies to participate on the main Tangle to make it work. It is simpler to convince big corporations to contribute to this private network instead of a public one.
Most token holders will think that this will eventually benefit the token, because the companies will utilize it, right? To be honest: I wouldn’t. I would take the DLT, build my own supply chain tracking and use a faster and better cryptocurrency. This model is exactly what BiiLabs already expressed in a tweet. BiiLabs is one of the biggest contributors to the IOTA Tangle.

Security

Probably everyone knows what I will talk about: the big “Trinity hack”. Boy, did I have sleepless nights and a lot of conversations with people. But, at the same time, I was really happy that I wasn’t affected by it. More on this topic later. It is nice that David wants to compensate the losses, and it was definitely the right thing to do.
The bad part is that this incident was barely a hack.
How to protect against this kind of XSS attack is basic knowledge. It is not complicated knowledge only the best security experts in the world have. It’s knowledge you get when you write your first professional JavaScript code.
The interesting part is that the IOTA Foundation released this kind of feature without having a security audit on it. Everybody can see that this feature involves some risks. It involves credit card information. The security audit of the Trinity wallet was only done once, and it didn’t include the MoonPay feature.
I am not saying that MoonPay is fine and they haven’t made any mistakes. In fact, they have. It’s always something in the middle. Just one piece of information for you: there were also other wallets which integrated MoonPay at this time. It’s interesting that nobody else was affected by this “hack”. I was a bit angry at myself when it comes to this topic. I didn’t raise any red flags. I didn’t even care about this feature at all. I barely cared about the Trinity wallet in general. It’s a nice-looking wallet, but the old crappy wallet is more developer-friendly than Trinity. So, I barely used it in the first place. This whole topic is also a learning for myself. I need to care about security-relevant features like this one. Moreover, I need to raise red flags when I discover something like this. This is definitely an experience I take with me.

Privacy

The IOTA Foundation is big on marketing and makes big promises. They published an article in 2018 with the headline “Privacy is not a currency”.
They even said “IOTA as an enabler for privacy”. But when we take a look at the reality, we see that the IOTA Foundation actually doesn’t care that much about privacy. In contrast to the security topic, I actually raised a red flag here before I started working for the IOTA Foundation.
We can argue whether Google Fonts is needed for the website’s functionality and therefore complies with GDPR. But using DoubleClick, Google Analytics and hotjar.com is against GDPR if you haven’t asked the user for permission. So, they haven’t even tried. You visit the websites and they throw all these cookies and requests at you. It’s also not like it’s just an accident on only one page. It’s on the iota.org website, on the IOTA docs page and on the ecosystem page. Every website of the IOTA Foundation violates GDPR. But the truth is also that there are still enough companies violating GDPR.
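Anyone who wants to verify a claim like the one above needs a repeatable check rather than a glance at the browser's network tab. The block below is an added example, not code from the IOTA Foundation or its websites: a static audit that lists every resource a page requests from a third-party host before a consent dialog could have been answered, labelled with the purpose a GDPR assessment would record. The sample page is constructed for the example (paths and IDs are made up), the host list is the set named in the article, and "example.org" is a hypothetical stand-in for the audited site.

```javascript
// Added example, not code from the IOTA Foundation or its websites.
// Static pre-consent audit: every src/href a page pulls from a third-party
// host before any consent dialog could have been answered. A static HTML scan
// only sees what is in the markup; trackers injected later by a tag manager
// need a browser-side network capture instead.

// Hosts named in the article, with the purpose a GDPR assessment would record.
const KNOWN_THIRD_PARTIES = {
  'doubleclick.net': 'advertising',
  'google-analytics.com': 'analytics',
  'googletagmanager.com': 'analytics',
  'hotjar.com': 'session recording',
  'fonts.googleapis.com': 'web fonts (arguably functional, still a third-party request)',
};

// Constructed sample page; paths and IDs are made up for the example.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Example">
<script async src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE-ID"></script>
<script src="https://static.hotjar.com/c/hotjar-example.js"></script>
<script src="/assets/app.js"></script>
<img src="https://stats.g.doubleclick.net/r/collect?v=1" alt="">
</head><body></body></html>`;

// Pull src/href targets out of the elements that trigger a request on load.
function extractResourceUrls(html) {
  const re = /<(?:script|link|img|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Resolve relative URLs against the site's own host and label the destination.
// Subdomains of a known tracker host (stats.g.doubleclick.net) count as that host.
function classifyUrl(url, firstPartyHost) {
  let host;
  try {
    host = new URL(url, `https://${firstPartyHost}/`).hostname;
  } catch (e) {
    return null;
  }
  if (host === firstPartyHost) return { url, host, purpose: 'first-party' };
  const known = Object.keys(KNOWN_THIRD_PARTIES)
    .find((h) => host === h || host.endsWith('.' + h));
  return { url, host, purpose: known ? KNOWN_THIRD_PARTIES[known] : 'other third-party' };
}

// Everything that is not first-party is a request made before consent.
function auditPreConsentRequests(html, firstPartyHost) {
  return extractResourceUrls(html)
    .map((u) => classifyUrl(u, firstPartyHost))
    .filter((r) => r && r.purpose !== 'first-party');
}

// Stand-alone run against the constructed page.
const findings = auditPreConsentRequests(SAMPLE_HTML, 'example.org');
for (const f of findings) console.log(`${f.purpose.padEnd(20)} ${f.host}  ${f.url}`);
```

Unknown third-party hosts are reported as "other third-party" rather than dropped, because the list of trackers is never complete; the point of the check is to force a decision about each outbound request, not to match a fixed set of names.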

What will I do now?

I am really happy to be free now. It was a nice ride and a great experience, for sure. I will still be available for the community, especially for all community members in Berlin, for meetups as well as workshops. While I was working for the IOTA Foundation, I moved the ownership of the Berlin meetup to Felix. He does an amazing job. I will always be there to support him if needed. I still think that IOTA and Nano are the DLTs with the most potential. I have to say that Nano currently has the better technology. My focus will be IoT again. I am currently contributing to RIOT OS. The Web of Things in particular will be my focus for a couple of weeks.

So, feel free to follow me on Twitter to see the progress.

Have a nice day and week :) Btw: You can eat the grammar mistakes etc. ^^ :D

best regards
Philipp


Written by Philipp Blum

Software-Developer from Berlin.
