The Ai-Fi Bug Bounty Program


If you have already read the mumbo jumbo below and are only looking for the bounty program to try your luck again, go directly to the webpage here.

Introduction

Ai-Fi.net, as a service provider, offers a treasure trove of privacy-centric secure tools and solutions for its users. The demo/prototype release V. 2.0 includes some popular applications whose value is immediately recognizable, such as secure emails, password/notes manager, HomeCloud on your "personal" servers at home, remote desktop, photo upload/sync/backup, IoT device "deadbolt", etc. The follow-on releases will offer many more useful functions that mobilize your private devices and already-paid-for on-ramp bandwidth so that you can maximize self-sufficiency and survive in the increasingly treacherous Internet environment. It helps you utilize the following defenses, some of which are often overlooked:

In addition to taking full advantage of your network assets above, it also includes a few foundational utilities that are so revolutionary that some users consider them unproven and hesitate to adopt them. The Ai-Fi Incognito Cloud is one of those offerings which is counter-intuitive at first, to say the least. How could a data file stored out in the open in the public cloud be private and secure?

We are here to offer a bug bounty program to demonstrate our confidence that the Ai-Fi Incognito Cloud is indeed private, secure, and much more protective than any Bitcoin accounts on the public blockchain.

Functionality and UI

To indicate their singular characteristic as a protective and yet private file storage in the public cloud, we've coined the term "Crypton" to refer to them. They are not ordinary cloud files, which are traditionally registered under specific user accounts. They are "hidden in plain sight" and unidentifiable: they stay visible in a setting that masks their ownership, without obvious ties to any user account. Actually, Ai-Fi is totally account-less, for that matter. It renders its services "over the counter" through on-the-spot cash/cryptocurrency payments without requiring accounts or ties to any PII (personally identifiable information).

The actual function and user interface for Cryptons are documented here. Simply put, a Crypton represents a blob of bits identifiable and decryptable only through its originating passphrase and the accompanying randomizing salt. It is so anonymized and fortified that Ai-Fi.net recommends applying it even to protect the seed passphrases for your cryptocurrency wallets. Those wallet "seeds" are the crypto equivalents of hot potatoes that can put a large sum of cryptocurrencies in jeopardy if not well cared for.

The Bug Bounty Program

The Program

This bug bounty program is quite straightforward. Discover the Portable Crypton we've placed into the Ai-Fi Incognito Cloud and decrypt its content to find the bug bounty of a thousand Stellar Lumens. Within the offered Crypton file are the first 4 words of the 24-word passphrase for the Stellar account containing those thousand XLMs.

Any individual who has successfully found and hacked the Crypton can contact Ai-Fi, describe the hacking approach, render the Crypton ID from the original set of Cryptons, prove possession of the corresponding private key, and claim the bug bounty. Ai-Fi.net will supply the remaining 20 words so that the bounty Stellar account can be accessed and awarded to the winner.

(Please see the fine print of caveats.)

The Proof of Existence

However, due to the inbuilt stealth nature of Cryptons, there is no easy way for us to prove that we have actually created the Crypton in the Ai-Fi Cloud: the feedback for any attempt to discover the Crypton ID is a simple yes or no, and the "no" response also covers the case in which no such file exists in the Ai-Fi Cloud.

To prove that Ai-Fi.net actually created the said file containing the keys for the bug bounty, we concocted a rather simple scheme (which actually weakens the strength of our Crypton, in the competitors' favor, though).

A list of Crypton IDs is published at the onset of the Bounty Program (6/26/2020) on the Ai-Fi.net web site. This list is signed and time-stamped to guarantee its authenticity. The number of this set of published Cryptons is about 65,536, or 16 bits of entropy, a lot less than the actual Ai-Fi Incognito Cloud. One of those Cryptons is the "solution token". The aim of the program is to be the first in discovering this solution token and decrypting its content. At the end of the competition or on reception of the "solution token", the successfully identified Crypton will be published to prove its existence. It must have appeared in the originally published collection of Crypton IDs. Anyone who has collected a copy of the original list may attest to the existence of this solution token before this bounty program is launched.
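The attestation step above, as an added example that is not Ai-Fi's code: it commits to a published list with a SHA-256 Merkle tree, so an attester who recorded only the 32-byte root at launch can later check that a revealed solution token was in the original list. This goes beyond the page's scheme, which has attesters keep the whole signed list; the tree construction, the placeholder IDs and the solution index are all assumptions.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(crypton_id: str) -> bytes:
    # Leaves (0x00) and inner nodes (0x01) are domain-separated so a node cannot pose as a leaf.
    return _h(b"\x00" + crypton_id.encode("ascii"))

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(ids):
    """Return every tree level, leaves first. The list length must be a power of two."""
    n = len(ids)
    if n == 0 or n & (n - 1):
        raise ValueError("list length must be a power of two")
    levels = [[leaf_hash(i) for i in ids]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[k], cur[k + 1]) for k in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes, leaf to root, for the ID stored at position `index`."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index >>= 1
    return proof

def verify_inclusion(root, crypton_id, index, proof):
    """Recompute the root from one ID and its proof; True only if it matches."""
    acc = leaf_hash(crypton_id)
    for sibling in proof:
        acc = node_hash(acc, sibling) if index % 2 == 0 else node_hash(sibling, acc)
        index >>= 1
    return index == 0 and acc == root

# Constructed sample data: 65,536 placeholder IDs, not real Crypton IDs.
PUBLISHED = [f"SAMPLE-CRYPTON-{n:05d}" for n in range(65536)]
LEVELS = build_levels(PUBLISHED)
ROOT = LEVELS[-1][0]      # the value an attester records when the list is published
SOLUTION_INDEX = 40321    # hypothetical position of the solution token
PROOF = inclusion_proof(LEVELS, SOLUTION_INDEX)

if __name__ == "__main__":
    print("proof length:", len(PROOF))
    print("valid:", verify_inclusion(ROOT, PUBLISHED[SOLUTION_INDEX], SOLUTION_INDEX, PROOF))
```

The proof for a 65,536-entry list holds 16 sibling hashes, one per bit of the 16 bits of entropy the published list represents.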

Note that some file names published in the initial list of the bug bounty program may not actually exist in the Ai-Fi Incognito Cloud. This actually works out in favor of the participants in the bug bounty program if taken as a helpful hint.

The bounty program runs continuously until someone wins the reward by discovering and cracking the "solution token". After the termination of the program, which hopefully leads to the repair of bugs or weaknesses discovered in the then-current version of the software, a new bounty program will be launched in lockstep, with a bigger reward, as the effort required to crack the newer and stronger system hopefully grows as well.

For a Limited Time Only

To further incentivize your participation, for a limited time only, we will generously chop off a few more entropy bits to ease the hacking effort of participating in the Ai-Fi Bug Bounty program. We hereby publish the Crypton ID for the file that contains the bounty:

"GCTOCZYDJCQ5X5HNDUWLN5Y2YCEZEXRMSTPFKMZMFYE56DDBY3ROJ3O4"

Heck, while we are at it, we will throw in the Crypton file content itself as well:

"LCJULTXEROPBNMZT5GKB35IGGE2H3SUL34DWS2UGLQSAJGPLI3GRZF2E7ZANB6NCEWVUR4G2SAAQPWMQKUV322QCT7NLVJJMBTZAVG673YA43YFBF22GOLYNKPBKO2DAWN7ED2VVM76FFQTASWXMCWJ5PYZZZGSRDVMPAXUPMC3BBTY24CEA===="

This Crypton file contains the contact information and a PIN code for claiming your bounty if it is successfully cracked. It is what we store in our database in the Incognito Cloud verbatim. So don't bother to launch an attack on us. You already have all you need to do offline hacking.

A simple browser-based program is offered for your enjoyment in hacking for our bounty. The source code is published as well. Note that ordinarily the recommended access to the Ai-Fi Incognito Cloud is through the mobile app Ai-Fi Central, not through other platforms, and especially not through browsers, which are just too public to secure. For winning the bounty, however, you actually do not need to do it online. It is much more efficient to just use the open source and launch the offline "attack" for discovering the private key to match the Crypton ID as published above. Also note that the final version of the Crypton function will require a small fee to access, which is to ward off spamming or DDoS attacks.

The Design of the Bug Bounty Program

The Uncrackability of Cryptons

There are two hurdles to overcome if a hacker is to crack a Crypton:

  1. Discovering the name of the Crypton, which is generated from a passphrase plus the accompanying Entropy Salt, and hashed in a large number of iterations requiring tremendous memory resources.
  2. Decrypting the content of the Crypton, which requires the hacker to crack the corresponding private key and the encryption key.

As a matter of fact, if a hacker were capable of unraveling the challenge of item 2 above algorithmically, it would shake the technological foundation of all cryptocurrencies and expose all Bitcoin accounts on the Bitcoin blockchain. The Ai-Fi Incognito Cloud manages to raise the protection strength an extra notch by hiding the file name, unlike Bitcoin, whose public IDs are on the blockchain. This adds an arbitrary amount of entropy tunable by adjusting the file storage capacity. Once a Crypton is created, the originating owner is the only person who knows the file name.
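A toy model of the first hurdle, added here as an illustration and not taken from Ai-Fi's source: the storage name is derived from passphrase plus salt with a memory-hard function, and the store answers only yes or no for a name. scrypt, its parameters, the base32 name encoding and the `AccountlessStore` class are assumptions; the page does not say which function or settings Ai-Fi uses.

```python
import base64
import hashlib

# Assumed parameters for illustration only; the page does not state the real KDF or settings.
N, R, P = 2**14, 8, 1

def memory_per_guess() -> int:
    """Bytes of RAM scrypt needs for one derivation (128 * N * r)."""
    return 128 * N * R

def derive_name(passphrase: str, salt: bytes) -> str:
    """Map passphrase + salt to a storage name; every guess pays the full scrypt cost."""
    raw = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=32)
    return base64.b32encode(raw).decode("ascii").rstrip("=")

class AccountlessStore:
    """Hypothetical name-only blob store: no accounts, no owner field, no listing call."""

    def __init__(self):
        self._blobs = {}

    def put(self, name: str, blob: bytes) -> None:
        self._blobs[name] = blob

    def exists(self, name: str) -> bool:
        # A wrong passphrase, a wrong salt and a file that was never stored all look the same.
        return name in self._blobs

def demo():
    store = AccountlessStore()
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample salt
    name = derive_name("correct horse battery staple", salt)   # constructed passphrase
    store.put(name, b"<ciphertext placeholder>")
    return {
        "right": store.exists(name),
        "wrong_passphrase": store.exists(derive_name("correct horse battery stapler", salt)),
        "wrong_salt": store.exists(derive_name("correct horse battery staple", salt[::-1])),
        "name_length": len(name),
    }

if __name__ == "__main__":
    print(memory_per_guess() // 2**20, "MiB per guess")
    print(demo())
```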

To target a user of Ai-Fi Incognito Cloud and to steal their Crypton content, the hacker must first infiltrate the cloud firewall in order to obtain the list of all Crypton files so that an offline attack can be conducted. To boost the interest in this bounty program, we have watered down the defense mechanism of Ai-Fi Cryptons by voluntarily publishing the list of Crypton IDs, which not only makes offline attacks possible but also effectively reduces the entropy by a large amount, and more importantly, dismantles the network protection so the hacking can be launched offline in favor of the participants.

On top of our concession in giving up the online firewall protection, which enlarges the attack surface tremendously, the original entropy of the Portable Crypton scheme is still substantial and computationally infeasible to break (or the current foundation of all Blockchains crumbles into dust) :

Put otherwise, Ai-Fi Incognito Cloud is not going to be an attractive target for hacking. Considering its super simple function set, with the clients doing all the heavy lifting, even DDoS is less of an issue with Ai-Fi Incognito Cloud. Collecting service payment when users request Crypton services is another effective approach to ward off DDoS.

Caveats

The following conditions would disqualify the offending participant:

We reserve the right to correct any errors, inaccuracies or omissions, and to change, update or cancel program rules if any information in the Service or on any related website is inaccurate at any time without prior notice.