The Ai-Fi Bug Bounty Program

General

Program

If you have read the mumbo jumbo below previously and are only looking for the bounty program to try your luck again, go directly to the webpage here.

Introduction

Ai-Fi.net, as a service provider, offers a treasure trove of privacy-centric secure tools and solutions for its users. The demo/prototype release V. 2.0 includes some popular applications whose value is immediately recognizable, such as secure emails, a password/notes manager, HomeCloud on your "personal" servers at home, remote desktop, photo upload/sync/backup, an IoT device "deadbolt", etc. The follow-on releases will offer many more useful functions that mobilize your private devices and already-paid-for on-ramp bandwidth so that you can maximize self-sufficiency and survive in the increasingly treacherous Internet environment. It helps you utilize the following defenses, some of which are often overlooked:

In addition to taking full advantage of your network assets above, it also includes a few foundational utilities that are so revolutionary that some users consider them unproven and hesitate to adopt them. The Ai-Fi Incognito Cloud is one of those offerings, and it is counter-intuitive at first, to say the least. How could a data file stored out in the open in the public cloud be private and secure?

We offer this bug bounty program to demonstrate our confidence that the Ai-Fi Incognito Cloud is indeed private, secure, and far more protective than any Bitcoin account on the public blockchain.

Functionality and UI

To indicate their singular character as protective yet private file storage in the public cloud, we've coined the term "Krypton Tokens" to refer to them. They are no ordinary cloud files registered under a specific user account. They are "hidden in plain sight" and unidentifiable: they stay visible, but in a setting that masks their ownership, with no obvious ties to any user account. Actually, Ai-Fi is entirely account-less. It renders its services "over the counter" through on-the-spot cash/cryptocurrency payments, without requiring accounts or tying them to any PII (personally identifiable information).

The actual function and user interface for Krypton Tokens are documented here. Simply put, a Krypton Token represents a blob of bits identifiable and decryptable only through its originating passphrase and the accompanying randomizing salt. It is so anonymized and fortified that Ai-Fi.net recommends using it even to protect the seed passphrases for your cryptocurrency wallets. Those wallet "seeds" are the crypto equivalents of hot potatoes that can put a large sum of cryptocurrency in jeopardy if not well cared for.

The Bug Bounty Program

The Program

This bug bounty program is quite straightforward. Discover the Portable Krypton Token we've placed in the Ai-Fi Incognito Cloud and decrypt its content to find the bug bounty of 10K Stellar Lumens. The offered Krypton Token file contains the first 4 words of the 24-word passphrase for the Stellar account holding those 10K XLM.

Any individual who successfully finds and cracks the token can contact Ai-Fi, describe the hacking approach, render the Token ID from the original set of tokens, prove possession of the corresponding private key, and claim the bug bounty. Ai-Fi.net will supply the remaining 20 words so the bounty Stellar account can be accessed and awarded to the winner.

(Please see the fine print of caveats.)

The Proof of Existence

However, due to the built-in stealth nature of Krypton Tokens, there is no easy way for us to prove that we have actually created the token in the Ai-Fi Cloud: the feedback for any attempt to discover a token ID is a simple yes or no, and the "no" response also covers the case that no such file exists in the Ai-Fi Cloud.

To prove that Ai-Fi.net actually created the said file containing the keys for the bug bounty, we concocted a rather simple scheme (which actually weakens the strength of our Krypton Token, in the competitors' favor).

A list of Krypton Token IDs is published at the onset of the Bounty Program (6/26/2020) on the Ai-Fi.net web site. This list is signed and time-stamped to guarantee its authenticity. The published set contains about 65,536 tokens, or 16 bits of entropy, a lot less than the actual Ai-Fi Incognito Cloud. One of those tokens is the "solution token". The aim of the program is to be the first to discover this solution token and decrypt its content. At the end of the competition, or on receipt of the "solution token", the successfully identified token will be published to prove its existence. It must have appeared in the originally published collection of token IDs. Anyone who has kept a copy of the original list can attest that this solution token existed before the bounty program was launched.

Note that some file names published in the initial list of the bug bounty program may not actually exist in the Ai-Fi Incognito Cloud. This actually works out in favor of the participants in the bug bounty program, if taken as a helpful hint.

The bounty program runs continuously until someone wins the reward by discovering and cracking the "solution token". After the program terminates, which hopefully leads to the repair of any bugs or weaknesses discovered in the then-current version of the software, a new bounty program will be launched with a bigger reward, as the effort required to crack the newer and stronger system hopefully grows as well.

For a Limited Time Only

To further incentivize your participation, for a limited time only, we will generously chop off a few more entropy bits to ease the effort of hacking for the Ai-Fi Bug Bounty. We hereby publish the Krypton Token ID for the file that contains the bounty:

"GCTOCZYDJCQ5X5HNDUWLN5Y2YCEZEXRMSTPFKMZMFYE56DDBY3ROJ3O4"

Heck, while we are at it, we will throw in the Token file content itself as well:

"LCJULTXEROPBNMZT5GKB35IGGE2H3SUL34DWS2UGLQSAJGPLI3GRZF2E7ZANB6NCEWVUR4G2SAAQPWMQKUV322QCT7NLVJJMBTZAVG673YA43YFBF22GOLYNKPBKO2DAWN7ED2VVM76FFQTASWXMCWJ5PYZZZGSRDVMPAXUPMC3BBTY24CEA===="

This token file contains the contact information and a PIN code for claiming your bounty if it is successfully cracked. It is exactly what we store in our database in the Incognito Cloud, verbatim. So don't bother to launch an attack on us. You already have all you need for the offline hacking.

A simple browser-based program is offered for your enjoyment in hacking for our bounty. The source code is published as well. Note that ordinarily the recommended way to access the Ai-Fi Incognito Cloud is through the mobile app Ai-Fi Central, not through other platforms, and especially not through browsers, which are just too public to secure. To win the bounty, however, you do not need to work online at all. It is much more efficient to use the open source and launch the offline "attack" to discover the private key matching the token ID published above. Also note that the final version of the Krypton Token function will require a small fee to access, to ward off spamming or DDoS attacks.

The Design of the Bug Bounty Program

The Uncrackability of Krypton Tokens

There are two hurdles to overcome if a hacker is to crack a Krypton Token:

  1. Discovering the name of the Krypton Token, which is generated from a passphrase plus the accompanying Entropy Salt, hashed over a large number of iterations requiring tremendous memory resources.
  2. Decrypting the content of the token, which requires the hacker to crack the corresponding private key and the encryption key.

As a matter of fact, if a hacker were capable of solving item 2 above algorithmically, it would shake the technological foundation of all cryptocurrencies and expose every Bitcoin account on the Bitcoin blockchain. The Ai-Fi Incognito Cloud manages to raise the protection strength an extra notch by hiding the file name, unlike Bitcoin, whose public IDs are on the blockchain. This adds an arbitrary amount of entropy, tunable by adjusting the file storage capacity. Once a Krypton Token is created, the originating owner is the only person who knows the file name.

To target a user of the Ai-Fi Incognito Cloud and steal their token content, a hacker must first infiltrate the cloud firewall to obtain the list of all token files, so that an offline attack can be conducted. To boost interest in this bounty program, we have watered down the defense mechanism of Ai-Fi Krypton Tokens by voluntarily publishing the list of token IDs, which not only makes offline attacks possible but also effectively reduces the entropy by a large amount and, more importantly, dismantles the network protection so that the hacking can be launched offline, in favor of the participants.
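As an added illustration (not Ai-Fi's code; the page does not specify its actual KDF or file format), the following Python models the two hurdles above together with the published-list scheme from "The Proof of Existence": scrypt stands in for the memory-hard naming hash, an in-memory store for the yes/no cloud, and a SHA-256 commitment for the signed, time-stamped ID list.

```python
import base64
import hashlib
import math
import secrets

# Added model of the scheme the page describes, not Ai-Fi's own code. Assumptions:
# scrypt stands in for the memory-hard naming hash, and a SHA-256 commitment for
# the signed, time-stamped ID list published at the program's start.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # small enough to run in seconds

def token_id(passphrase, entropy_salt):
    """Hurdle 1: the file name is a memory-hard KDF of passphrase + salt.
    The salt defeats precomputed tables; each guess costs 128*N*r bytes of RAM."""
    name_key = hashlib.scrypt(passphrase.encode(), salt=entropy_salt, n=SCRYPT_N,
                              r=SCRYPT_R, p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=32)
    # Unpadded base32, the same alphabet as the IDs quoted on the page.
    return base64.b32encode(name_key).decode().rstrip("=")

class IncognitoCloud:
    """Account-less store that answers only yes/no, so a 'no' cannot distinguish
    a wrong passphrase from a file that was never created."""
    def __init__(self):
        self._blobs = {}

    def put(self, tid, blob):
        self._blobs[tid] = blob

    def exists(self, tid):
        return tid in self._blobs

def publish_list(solution_id, decoys):
    """Proof of existence: hide the solution ID among random decoy IDs (which, as
    the page notes, need not exist in the cloud) and commit to the sorted list."""
    ids = [base64.b32encode(secrets.token_bytes(32)).decode().rstrip("=")
           for _ in range(decoys)]
    ids.append(solution_id)
    ids.sort()
    return ids, hashlib.sha256("\n".join(ids).encode()).hexdigest()

def verify_reveal(published, commitment, revealed_id):
    """Anyone holding the original list checks that the revealed token was
    committed to before the program began and is a member of that list."""
    recomputed = hashlib.sha256("\n".join(sorted(published)).encode()).hexdigest()
    return recomputed == commitment and revealed_id in published

def residual_bits(published):
    """Search space left once the list is public: 65,536 IDs is 16 bits."""
    return math.log2(len(published))
```

The published list shrinks the search from the whole cloud namespace to log2(list size) bits, which is exactly the concession the page describes; the salt and memory-hard cost per guess are what remain.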

On top of our concession in giving up the online firewall protection, which enlarges the attack surface tremendously, the original entropy of the Portable Krypton Token scheme is still substantial and computationally infeasible to break (or the current foundation of all blockchains crumbles into dust):

Put differently, the Ai-Fi Incognito Cloud is not going to be an attractive target for hacking. Considering its super simple function set, with the clients doing all the heavy lifting, even DDoS is less of an issue with the Ai-Fi Incognito Cloud. Collecting a service payment when users request Krypton services is another effective approach to ward off DDoS.

Caveats

The following conditions would disqualify the offending participant: