by dmitriid 1519 days ago
> nodes have persistent connections; disconnection is indistinguishable from long latency

> An urbit instance can't boot without an identity

Does this mean that urbit requires an always-on connection at all times?

> this means no urbit app or service needs to deal with logins or passwords or crypto.

This also means that all apps have full access to all your money, private info, bank accounts etc.?


No, Urbit doesn't require an always-on connection. It does work better with an always-on connection, since its peers will send it a lot of events to process as soon as it reappears after a long absence.

> This also means that all apps have full access to all your money, private info, bank accounts etc.?

If you wanted to write or install an app that had access to a hot wallet stored on your Urbit ship, for example, you could. It doesn't have access to secrets you haven't intentionally stored on your Urbit. When you say "all apps have full access" - what do you mean? For example you could write an app that is both a display case for POAPs and also spies on your private messages, but the actual app that is a display case for POAPs is written to have no way to access your messages: is this the question you were asking?

> When you say "all apps have full access" - what do you mean?

I mean this: "this means no urbit app or service needs to deal with logins or passwords or crypto." If apps don't need to deal with that, they have access to your info, don't they?

I think you're turning the question around the wrong way - there are hundreds of thousands of apps and services on the internet that all force you to make an account with their service to use their software, access data you've uploaded to their service, and interact with other users. That's the thing that is a huge hassle and also, increasingly (with web3 and on-chain applications growing in popularity) a huge security problem because of the attack surfaces those services' front ends offer. On Urbit none of this is necessary, because the "account" (i.e. network identity and keys) of your ship is already baked into all your interactions with the network.

As far as the apps having access to cryptographic secrets you store elsewhere on your Urbit ship: the apps are all installed and running on your ship, so just like other software running on a computer you control they can have access to other local data if you intentionally give them permissions, or they can have no access, or they can have access conditional on some additional safeguard. It depends how you write the app. But an app always knows the Urbit identity of the ship it is installed and running on, and that is baked into messages the app sends to other ships.

You also have the ability to spin up 4 billion virtual identities ("moons") per primary identity ("planet"), and it is a standard use case to run an app/service you don't want to interact with the rest of your ship on one of your moons. The main value currently is, if you host a high-traffic group or distribute a popular app, these would make your primary ship run slow so you stick them on a moon. But the reason Urbit was designed to associate each identity with 4B virtual identities was so that your IoT devices can communicate with the network without having access to your personal computer.

> It depends how you write the app. But an app always knows the Urbit identity of the ship it is installed and running on

So, it has all the access necessary to go ahead and steal my money, right? Because, quote, "network identity and keys are already baked into all your interactions with the network"

Urbit is an OS, apps have access to whatever you give them access to. If you want one app (say, a dating profile) to not have access to data stored by another app (say, your bitcoin wallet), you run them under separate sub-identities as described above.

That has nothing to do with the thing you quoted ("network identity and keys are already baked into all your interactions with the network"), which describes how urbit nodes talk to each other. Whatever identity you run an app under, all traffic from that app will be cryptographically signed by that identity.

> If you want one app (say, a dating profile) to not have access to data stored by another app (say, your bitcoin wallet), you run them under separate sub-identities as described above

You're dancing around the issue.

So:

1. By default all apps have access to everything.

2. In order for apps to not have access to everything, you have to set up a different identity which is magically different from having to set up different identities now because it has cute names like "spin a moon away from your ship"?

3. The burden is still placed on the user: to set up and manage all these different identities and subidentities to just make sure that a chat app doesn't have the ability to steal all my money

3.1 And when in the current systems the burden is to keep track of logins and passwords, in Urbit it's the burden of understanding all the technical mumbo jumbo and going to the trouble of spinning new servers (which I assume are not free) just to run a banking app.