How To Upgrade The Bitcoin Elliptic Curve

All cryptographers understand the difference between a standard elliptic curve which everybody uses and recommends (say NIST, NSA, NATO, Microsoft, EMV bank cards etc) and a bizarre elliptic curve which nobody ever uses and which no responsible crypto engineer would recommend, except strangely in bitcoin.

How to Upgrade

It would be incredibly easy to upgrade; it would require modifying only about 3 lines of code. Here is how:

  • accept both secp256k1 and secp256r1 for 1 year,
  • miners should implement a policy of mining transactions signed with secp256k1 only X blocks later, X being the number of months elapsed since the upgrade roll-out in the bitcoin core client,
  • this will provide an increasing incentive for people to upgrade, without being too harsh.

Even if initially only some miners, not all, implement this policy, the expected average confirmation time for transactions using the old elliptic curve would already grow steadily with time, reaching rather unbearable levels in some distant future, while still allowing plenty of time for everybody to upgrade.

Remark: Strangely enough, bitcoin developers do NOT plan to listen to cryptographers.
It seems that an upgrade is out of the question according to Jeff Garzik, and the recent efforts to develop a super-specialized new library for bitcoin will make it even harder for bitcoin developers to accept a switch in the future.

Controversy Around Bitcoin Elliptic Curve

So many times we have learned about cryptography and security the hard way. One of the key problems is ignoring the advice and warnings which are plainly written in the current crypto literature. They are written without the slightest ambiguity, so that there is very little doubt about what a reasonable and professional security practice is.

The Story of Dual_EC_DRBG

Everybody in the crypto community knew that Dual_EC_DRBG was a true disgrace, a monster ignoring almost everything which it is reasonably possible to know about security. Basically, well-known crypto experts have for a long time made very clear that Dual_EC_DRBG:

  • was “just plain bad random number generator all the way back in 2006”,
  • it was “dodgy in 2007, and still dodgy now”,
  • already in 2007, Shumow and Ferguson “raised the possibility of a backdoor”,
  • it was “hilariously slow”; RNGs are usually built from symmetric crypto, which is much faster (however it would be much harder to embed a backdoor in a symmetric-cryptography RNG),
  • to summarize, “no sensible cryptographer would go near the thing.”

Finally the NSA needed to plainly bribe a whole group of people with 10 million dollars in order for this utterly unprofessional solution to be used, and this by default. This was done in order to allow the NSA to spy on Internet connections when using RSA BSafe, a software tool which was expected to enhance the security, not degrade it.


How does it Compare to the Bitcoin Elliptic Curve?

It is hard to believe that in bitcoin things could ever become as bad as above.
In bitcoin, arguably, there is maybe no reason to panic yet: no efficient attack is known, and nobody is yet quite sure if this curve could be broken. There are just some vague, very academic shortcut attacks, a definite suspicion, and a further, more precise and stronger security criterion based on Field Discriminants, which just happens to be incredibly low for bitcoin's secp256k1; no other standard elliptic curve has ever done as badly on it. However, fundamentally this is just strong suspicion, and there is nothing solid.

Yet there is the same definite pattern of totally ignoring any sort of expert, professional or informed security advice.

We have not released our report on this topic yet; it will be released in the future. However the main points are already widely known; see for example our presentation at the Catacrypt workshop on CATAstrophic events in CRYPTography, which took place in San Francisco on 29 October 2014 (cf. our slides).

We therefore need to stress again that NO SENSIBLE CRYPTOGRAPHER we have ever heard of would approve of bitcoin using this super-dodgy elliptic curve.
Here is what Dan Brown, the chair of SECG, the very same industrial standards body which proposed, specified and standardized this elliptic curve in the first place, wrote about this back on 18 September 2013:

I did not know that BitCoin is using secp256k1.
I am surprised to see anybody use secp256k1 instead of secp256r1. 

In other words, bitcoin should not use it and nobody else should.

Bitcoin Developers and Secp256k1

It is very interesting to discover that apart from bitcoin nobody else ever uses this elliptic curve (cf. also these slides). This is probably because crypto developers usually understand that they are subject to professional and legal liability, which is particularly strong in the financial sector. It would clearly be a serious professional mistake to ignore what every single cryptographer would recommend, including the very people who introduced this curve in the first place.

Yet bitcoin developers seem to always find some excuses to continue using this k1 curve:

  • an anonymous founder who mandated it,
  • ridiculous claims that the NSA could not embed a backdoor in the number 7 (cf. for example here), while on the contrary there are some 30 papers each year published in the cryptographic literature in which cryptosystems fail exactly because many number-theoretic problems (e.g. solving non-linear polynomial equations) with small integers are easier than with general (larger) numbers (and discrete logs on elliptic curves rely on exactly this: solving polynomial equations known as Semaev or summation polynomials),
  • incredible claims that r1 would be the insecure curve and k1 the secure one, as claimed by Vitalik Buterin,
  • a supposedly cautious and conservative approach to changing anything in the current source code,
  • unanimous allergic reactions when serious security questions are raised by uninvited academics,
  • more recently, setting a clear agenda in which 1) a preventive upgrade is out of the question according to Jeff Garzik, and 2) on the contrary, recent efforts to develop a new super-specialised dedicated library (which focuses on this specific elliptic curve) will make it even harder for bitcoin developers to accept a switch in the future (because they spent so much effort on this curve).

In fact a really cautious and conservative approach, and good security engineering practice, would be to upgrade ASAP, in order not to take chances and precisely to avoid legal liability in case of problems.
All this sounds like really bad news for bitcoin. In fact it is not that bad.

Solutions and Risk Mitigation

The main solutions to this problem are:

  • It is easy to upgrade and use another elliptic curve starting today, see this post.
  • We should further lobby the developers of bitcoin apps to implement stricter policies of never revealing our public keys,
    • maybe going as far as simply destroying every bitcoin address as soon as it has been used once.
  • Great hopes are raised by moving our bitcoins to a sidechain, which should give at least some bitcoins better protection.

On Professional Security Standards

It is bizarre to see such a level of obstinateness in crypto currency developer circles about NOT changing the elliptic curve. I believe that one cannot safely just dismiss the advice of the cryptographic community about elliptic curves. Not taking these questions seriously is bad, potentially gross professional misconduct, and one could in theory even go to prison for it on the basis of some existing laws, for example the Safeguards Rule of the US Gramm-Leach-Bliley Act [GLBA] from 1999.

On the Need For Elliptic Curve Agility

No one can guarantee that one elliptic curve is secure enough for a serious application such as bitcoin.
For this reason we need to switch, and switch again… We need crypto agility. It is important to switch once to be able to ever switch at all. It is like a security drill.

An industry-leading example of how to manage this process was explained to us by Alison Mankin, director of VeriSign Labs, during the same recent CataCrypt conference in San Francisco in October 2014. The example to imitate is DNSSEC, where the roll-over between crypto algorithms is mandated. Every quarter you MUST switch and change the crypto algorithm. This is a great idea (though some people disagree with it). Forcing everybody to switch makes sure that everybody remains compatible with future upgrades and that the crypto CAN be changed and upgraded much more easily at ANY moment in the future. Otherwise you are NOT able to upgrade at all when there is a problem, for example simply because many systems will stop working or some angry customers will complain.

Crypto currencies should embrace the same philosophy: change the elliptic curve more frequently, not because it will be broken soon, but in order that it CAN be changed at all WHEN there is a serious security alert in the future.

Recent Developments

ADDED in 2015:
Gregory Maxwell has written a long rebuttal to this paper and disputes several points here. There is no new argument or fact not previously discussed in known sources. We just rediscover the same key issues and we disagree all the same. Quick feedback:

  • It is claimed that our paper (this blog post here above) was written to address an “ignorant” audience. It is not easy to write for an ignorant audience. However much I try to discuss cryptographic questions which seem very important to me on this blog, I cannot claim to achieve this goal [other people with less technical focus do a lot more]. It is very frequent that cryptographers fail to convince people responsible for cryptography used by millions of users to upgrade their crypto before something happens. Let’s hope this is not going to happen in bitcoin. The dominant culture in cryptography is to err on the safe side. The startup and industry culture is sometimes just the opposite.
    The rebuttal does not admit that the chief crypto standards manager and highly respected mathematician at Certicom, arguably the most prominent security company worldwide in the space of modern applied public key cryptography, could have some reasons not to support the bitcoin curve (or not anymore). It could be because [we] cryptographers are excessively paranoid as a rule. Or because researchers in cryptography only understand well the arguments and motivations of other researchers in cryptography.
    I would be careful though: when cryptographers say something is probably secure, it is frequently broken nevertheless. When cryptographers have doubts, as with the bitcoin elliptic curve, I would think twice before putting all my eggs, sorry, everybody’s bitcoins, in one basket, even though officially there is only a tiny “insignificant” hole in this basket. In cryptography attacks get better each year; they rarely get worse.
  • In addition, in this rebuttal, our highly respected bitcoin crypto and development authority claims that it is reportedly very difficult to upgrade and that it requires a large consensus. Here we regret that by default the consensus is to be more careful about cryptography and have a backup solution in place. I believe that bitcoin users who don’t trust this elliptic curve should be allowed to use another curve. As soon as there are clearly at least some cryptographers on this planet who think that this form of cryptography is potentially dangerous and should not be used, developers should work to produce fixes and alternatives.
  • It seems that the established bitcoin gurus and developers always know better: better than most cryptographers, and better again than the NSA, NIST, NATO, BSI and 99% of people who use elliptic curves worldwide, etc. [yes, bitcoin uses a peculiar elliptic curve which absolutely nobody else ever uses outside of bitcoin; that’s quite bizarre].
  • It is claimed that there are no good alternatives and we are stuck in a match of the type bad vs. ugly, one suspicious curve versus another suspicious curve, both without a real attack. In fact, we do have alternatives which are supported without reservation in the crypto community as far as I can see.
  • Maxwell specifically and strongly objects to our tentative recommendation from 2014 of using (for example) NIST P-256 as an immediate upgrade, repeating again some known “paranoid” arguments such as that the NIST curves are the suspicious ones and may have been manipulated by the NSA.

I have limited sympathy for P-256 and it is no longer what cryptographers recommend nowadays either. A lot of things have been happening in this space recently. All of a sudden the NSA also stopped recommending P-256, and this curve is officially outdated, though not necessarily less secure than before; simply an upgrade to P-384, of the same kind, is now recommended. Clearly, however, even today the NSA says these curves are not so bad, and the argument has some weight. The NSA says that the standard NIST elliptic curves are still maybe a more secure choice than any other, simply because they have been extensively studied, see here. The bitcoin elliptic curve remains an ultra-sectarian choice.

All the points in this controversy remain open, and we recommend studying them as a good example of a controversy about cryptographic standards. The debate is likely to get exacerbated even more in the near future (for example due to the Microsoft FourQ proposal). Finally, maybe one day we will discover some really serious attacks. If only one elliptic curve is weak, any of these, it will be a major worldwide security scandal [ADDED 2016: not anymore, because now we are warned in advance]. In the meantime, users who want their bitcoins to be safe are politely asking bitcoin developers not to gamble with their bitcoins in the name of a conservative choice.

RELATED TOPICS [added in 2020]

Suspicious choice of the base point in the Bitcoin elliptic curve: if we halve this point, we get an unusually short integer

00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63

In fact the same integer is also obtained for secp224k1 and for bitcoin's secp256k1. This partly explains it, yet it makes it no less suspicious. In both cases we have a lot of leading zero bits in binary: in secp224k1 there are 50 leading zero bits, in secp256k1 there are 90 leading zero bits. It was suggested, but there is no proof, that this generator was obtained deterministically by a hash function. Some speculation about this.
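The halving described above can be reproduced directly. The following is an added example, not code from this post: it computes H = (2⁻¹ mod n)·G on secp256k1 with plain affine point arithmetic, checks that 2H = G, and counts the leading zero bits of the x-coordinate of H; NIST P-256 (secp256r1) is run through the same check for comparison. The curve constants are the published SEC 2 / FIPS 186-4 values.

```python
"""Halve the generator G of secp256k1 (and of P-256 for comparison) and count
the leading zero bits of the result's x-coordinate.

Added example, not the post's own code. Curve constants are the published
SEC 2 / FIPS 186-4 values. Points are (x, y) tuples; None is the point at infinity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    name: str
    p: int   # field prime; the curve is y^2 = x^3 + a*x + b over GF(p)
    a: int
    b: int
    n: int   # prime order of the base point G
    gx: int
    gy: int


SECP256K1 = Curve(
    name="secp256k1",
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
    a=0,
    b=7,
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
    gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)

P256 = Curve(
    name="secp256r1 (NIST P-256)",
    p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,  # p - 3
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
)


def on_curve(c, P):
    x, y = P
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0


def ec_add(c, P, Q):
    """Affine point addition; handles doubling and the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % c.p == 0:
            return None  # P == -Q
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p) % c.p  # chord slope
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def ec_mul(c, k, P):
    """Right-to-left double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P = ec_add(c, P, P)
        k >>= 1
    return R


def half_generator(c):
    """Return H with 2*H == G, i.e. H = (2^-1 mod n) * G = ((n + 1) / 2) * G."""
    G = (c.gx, c.gy)
    if not on_curve(c, G):
        raise ValueError(f"{c.name}: generator is not on the curve")
    H = ec_mul(c, pow(2, -1, c.n), G)
    if ec_add(c, H, H) != G:
        raise ValueError(f"{c.name}: halving failed")
    return H


def leading_zero_bits(x, width):
    """Leading zero bits of x written as a width-bit unsigned integer."""
    return width - x.bit_length()


def half_generator_report(c):
    """(x-coordinate of G/2, number of leading zero bits of that x) for curve c."""
    hx = half_generator(c)[0]
    return hx, leading_zero_bits(hx, c.p.bit_length())


if __name__ == "__main__":
    for curve in (SECP256K1, P256):
        hx, zeros = half_generator_report(curve)
        print(f"{curve.name}: x(G/2) = {hx:064x}, leading zero bits = {zeros}")
```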

New Powerful Attacks On ECDSA In Bitcoin Systems

There is a wave of new powerful cryptographic attacks on bitcoin systems.


There are several types of attacks:

  1. Attacks which use poor random number events.
    • It has already happened hundreds of times in the bitcoin blockchain since 2012.
    • Now there is a recent massive outbreak of such events. Here is a recent example from 1 Nov 2014. And here is an example from 29 Nov 2014.
  2. More advanced new attacks in which the random nonces are not identical but related (see our paper).
  3. Further attacks in which the private keys are related (also studied in the same paper).
  4. Attacks which use vulnerabilities of popular key management solutions such as BIP032.
  5. And there are new deadly COMBINATION attacks.
    They combine all the above vulnerabilities and lead to several new families of attacks which allow recovering a lot more keys than each of the above vulnerabilities alone.

Impact

Which systems are concerned? We don’t know exactly but in our opinion, most existing bitcoin storage and management systems are concerned:

  • bitcoin exchanges,
  • cold storage systems,
  • payment and wallets software systems,
  • electronic commerce solutions,
  • business key management solutions, etc.

We should also add that we don’t know if there exists a truly robust bitcoin key management standard which would be secure against powerful combination attacks such as those described in our paper. More or less all bitcoin systems which implement some systematic key management and achieve some sort of separation between keys which allow spending funds and keys which only allow receiving money or monitoring transactions are vulnerable to large-scale attacks in which all the bitcoins in the whole system can potentially be stolen. The current bitcoin key management standard BIP032 is such that in theory it can be secure, but it will break apart as soon as a number of pretty insignificant events or incidents in operation happen in some remote corners of various systems.
Some of our attacks also work across different systems which share no common setup, code or keys. Yet under certain circumstances all bitcoins within the remit of ALL systems can be stolen. Interestingly, such vulnerabilities and the resulting attacks/thefts cannot be detected by examining just one system. Events in several systems must be examined in combination in order to see if they can be exploited.

Mitigation Points

There is a well-known solution to this problem: RFC 6979 by Thomas Pornin.

However, on the flip side, no current bitcoin system which does not apply RFC 6979 can really feel secure against attacks such as those described in our paper. They should both upgrade their software and systems and also move all their bitcoins to new addresses.

We wonder why bitcoin developers and the bitcoin foundation have been, as usual, so negligent about security that this patch has NOT YET BEEN applied in the bitcoin core software, for some 18 months since January 2013. The fix was already applied by many companies such as Trezor, but not yet by the bitcoin core client. Why?
Blockchain.info also uses a ridiculous method of asking the web browser to generate random numbers, which opens avenues for attacks (added: a few weeks after we wrote these words, 100,000 USD were stolen from Blockchain.info).

The impact of our attacks could also be mitigated by multisig; however, as usual, there will be secure and insecure ways of using multisig. Ironically, a large percentage of the bad random events in the recent outbreak come from multisig applications. There is a very small percentage of multisig events in the blockchain, like less than 1%, and among these events there is a large proportion of vulnerable signatures with bad random events.

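Two defender-side pieces for the attack list above and the RFC 6979 mitigation, as an added example (not code from this post or from the paper it cites): a deterministic nonce derivation following RFC 6979 section 3.2 with HMAC-SHA256, and the audit check that finds repeated-nonce “bad random events” in a set of signature records. The group orders are the published SEC 2 / FIPS 186-4 values, the signature records are constructed sample data, and the known-answer value used in the check is the P-256 / SHA-256 / “sample” vector from RFC 6979 appendix A.2.5.

```python
"""RFC 6979 deterministic ECDSA nonces, and the audit check for repeated nonces.

Added example, not code from the original post. Group orders are the published
SEC 2 / FIPS 186-4 values; SAMPLE_SIGNATURES at the bottom are constructed.
"""
import hashlib
import hmac
from collections import defaultdict

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Private key of the RFC 6979 appendix A.2.5 (P-256) known-answer test.
RFC6979_P256_TEST_KEY = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def rfc6979_nonce(priv: int, msg: bytes, q: int = SECP256K1_N) -> int:
    """ECDSA nonce k derived from (private key, message) as in RFC 6979, section 3.2.

    SHA-256 hashes the message and HMAC-SHA256 drives the HMAC_DRBG-style loop.
    The same (priv, msg) always gives the same k, so a broken or biased platform
    RNG can no longer cause the repeated-nonce failure; distinct messages give
    unrelated nonces. Only 256-bit group orders are handled (secp256k1 and
    P-256), which keeps bits2int a plain big-endian read of 32 bytes.
    """
    qlen = q.bit_length()
    if qlen != 256:
        raise ValueError("this helper only implements 256-bit group orders")
    rlen = qlen // 8

    def int2octets(x: int) -> bytes:
        return x.to_bytes(rlen, "big")

    def bits2int(b: bytes) -> int:
        return int.from_bytes(b[:rlen], "big")

    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    h1 = hashlib.sha256(msg).digest()                 # step a
    seed = int2octets(priv) + int2octets(bits2int(h1) % q)  # int2octets(x) || bits2octets(h1)

    v = b"\x01" * 32                                  # step b
    k = b"\x00" * 32                                  # step c
    k = prf(k, v + b"\x00" + seed)                    # step d
    v = prf(k, v)                                     # step e
    k = prf(k, v + b"\x01" + seed)                    # step f
    v = prf(k, v)                                     # step g
    while True:                                       # step h
        t = b""
        while len(t) < rlen:
            v = prf(k, v)
            t += v
        candidate = bits2int(t)
        if 1 <= candidate < q:
            return candidate
        k = prf(k, v + b"\x00")   # candidate out of range: re-key and retry
        v = prf(k, v)


def find_repeated_nonces(signatures):
    """Blockchain-audit check: report every (pubkey, r) seen in more than one tx.

    `signatures` is an iterable of (pubkey, r, s, txid) records, the kind a scan
    of the chain produces. The same r under the same public key means the same
    nonce k was used twice, i.e. one of the "bad random events" counted in the
    text; this only flags them so the funds can be moved, it recovers nothing.
    """
    seen = defaultdict(set)
    for pubkey, r, _s, txid in signatures:
        seen[(pubkey, r)].add(txid)
    return {key: sorted(txids) for key, txids in seen.items() if len(txids) > 1}


# Constructed sample records (not real transactions): pubkey-A reuses r = 0x1111
# in two different transactions, pubkey-B signs cleanly.
SAMPLE_SIGNATURES = [
    ("pubkey-A", 0x1111, 0x5001, "tx-constructed-01"),
    ("pubkey-A", 0x2222, 0x5002, "tx-constructed-02"),
    ("pubkey-A", 0x1111, 0x5003, "tx-constructed-03"),
    ("pubkey-B", 0x3333, 0x5004, "tx-constructed-04"),
    ("pubkey-B", 0x4444, 0x5005, "tx-constructed-05"),
]

if __name__ == "__main__":
    k = rfc6979_nonce(RFC6979_P256_TEST_KEY, b"sample", P256_N)
    print(f"RFC 6979 k for 'sample' on P-256: {k:064x}")
    print("repeated nonces:", find_repeated_nonces(SAMPLE_SIGNATURES))
```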
Added in 2015: there are now better ways to do key management than BIP032 in bitcoin, see this paper.

How to Lose Your Bitcoins with Bitcoin Core Client

The answer is: just accept a regular payment with the bitcoin core client v0.9.2.1.
All your bitcoins may be lost!

Here are the facts.

Today we did the following experiment.

  1. I had my client synchronized and running on my laptop, then suddenly it hung and I had to reboot it, just a few minutes before the experiment.
  2. I pressed the “Request payment” button, which generates a fresh address each time on the PC.
  3. Then I sent 0.01 BTC from my mobile phone wallet to the client.
  4. Then the client hung several times during the day, twice with error messages saying that the hash of the block did not verify correctly (line 1738 in man.cpp).
  5. Then eventually, at the end of the day, after several reboots, it went back to normal.

HOWEVER, here is the catch.
The money was never received. Moreover, the software has no recollection that it generated a new receiving address this morning. Probably the reader will not believe us. Quite happily we did it on camera and with a witness, and I have the full video!


There is clearly a serious problem with bitcoin core client and money can be lost. Every single user should feel concerned about it.

Here are some further technical remarks:

  1. We used core client v0.9.2.1-g354c0f3-beta under Windows.
    This was done on a PC running F-SECURE antivirus, fully active and up to date.
  2. This version runs OpenSSL 1.0.1h (5 June 2014) and is officially claimed immune to the famous Heartbleed exploit.
  3. However it might be vulnerable to bash exploits, yes, also under Windows, as explained here.
  4. At this moment we do not know if this problem was fixed in later releases.

This incident is currently under investigation. There are exactly two possibilities:

  1. Either the client has mismanaged the keys, and the money can be recovered later, but the software is just too stupid to realize that it requested this payment itself and that it can compute the corresponding keys to see and spend this money.
  2. Or a hacker has been able to tamper with the Bitcoin Core client in order to make it display HIS bitcoin address.

In other words, it is either lost or stolen. If your bitcoins were lost or stolen in a similar way, let us know.
We will know soon, because in case 2 the money will be spent by the criminal sooner or later. We will see when this happens on the blockchain and will keep this blog post updated.

P.S. We have other data on actual past criminal activity with much larger amounts involved. We are willing to share it with other researchers. Please also note that there will be a talk at UCL about tracing bitcoin activity on the blockchain this Thursday 16/10 at 5PM in MPEB room 1.02.

Can Cryptographers Challenge Bitcoin?

A paper at the Financial Cryptography 2012 conference explained that Bitcoin is a system which “uses no fancy cryptography, and is by no means perfect”. Cryptography can do much better than that.

Now what kind of bitcoin are cryptographers going to build?

Most current proposals are about making anonymous unlinkable untraceable etc etc currency. This is a bit disappointing. Research seems to focus exclusively on questions which interest libertarians, people obsessed with privacy and also well, criminals, drug dealers, terrorists etc.


In contrast mundane questions of speed and building a better payment network for ordinary people are not so popular among cryptographers. Not complicated enough I guess. Security questions on how to maybe break bitcoin are also less popular.

Arguably all these advanced super anonymous crypto-currencies designed by cryptographers will NEVER be able to challenge bitcoin in terms of popularity.
Ordinary people will simply use bitcoin, because they do not care that much about privacy.

Cryptographers will be cryptographers. For sure building advanced anonymous payment systems remains a big intellectual and practical challenge.

Current Systems

We list some major developments in this space. We focus on practical proposals which are likely to be used in practice by a lot of people:

  1. Zerocash [2014]: anonymous and provably secure; transactions are less than 1 kB and take under 6 ms to verify. It is claimed competitive with plain Bitcoin. Zerocash is a very substantial improvement over the earlier Zerocoin system from 2013.
  2. CryptoNote is another major system proposed in 2013 by Nicolas van Saberhagen.
    We can remark that:

    • In contrast to the dodgy sub-standard elliptic curve in bitcoin, they use the super-efficient Ed25519 signature scheme, which is similar but NOT the same as using Curve25519 as in Stellar/TOR; it is a variant (both curves are isomorphic and equally secure).
    • Specialists point out that CryptoNote is not strictly speaking zero-knowledge and therefore in theory it is NOT expected to be as secure and as advanced as Zerocash.
    • Overall the system has received very positive opinions from fellow cryptographers: the reviewer is highly supportive and writes “CryptoNote protocol is absolutely spectacular” and he claims that “The protocol looks secure and tight.”

There are serious ethical problems with highly anonymous crypto currencies. They are pretty scary and it is very hard to know what could be the legal and practical consequences of releasing such systems into the public domain.

  1. The Zerocash currency has not been released yet. The previous version was rejected by the bitcoin community and was not permitted to operate on top of bitcoin.
  2. CryptoNote has been implemented in full but serves only as a demo: the genesis block is re-created every two months and they strongly recommend all users to abstain from any serious use of their CryptoNoteCoin.

Paul Krugman, Nobel prize winner in economics, once said that bitcoin was the “anti-social network” and later he also said that “bitcoin is evil”. Nothing is less true. The really problematic crypto currencies are yet to come.

ADDED in 2015: Actually possibly advanced cryptography can reconcile privacy and policing of organized crime and terrorism.

Saving Bitcoin Peer Network From Destruction


The bitcoin peer network is in decline: the number of network nodes has reached dangerously low levels.

Some causes of this problem (and possible solutions) are:

  1. There is no monetary incentive whatsoever to run bitcoin nodes. Satoshi just forgot to create a monetary incentive. The number of peer nodes is only around 5,000, which is much less than the number of active miners, a larger group in the tens of thousands. Ironically, even miners who live off bitcoin do NOT support the bitcoin network and do not run peer network nodes. The current centralization of bitcoin is very dangerous.
    • Some solutions to create monetary incentives to run peer nodes are discussed here.
    • Other solutions could involve adding proof of stake to bitcoin.
  2. The current network is such that it is not profitable to handle bitcoin transactions. This is very surprising and needs explanation. Basically miners who include more transactions in their block are penalized by the current network: their block propagates slower in the network. Levin claims that rational miners should reject many transactions (if not all transactions!) because they increase the probability that their block will be discarded which leads to monetary loss. Wicked.

The Day On Which Bitcoin Has Become Centralized

Bitcoin is widely believed to be an open source egalitarian system that was designed and fully specified by Satoshi and which is decentralized and governed by some sort of majority rule.

The reality is very different. It isn’t any of these. Bitcoin is a murky, shadowy system which obeys peculiar rules which nobody fully understands and which have been decided in strange places, sometimes totally outside of the bitcoin foundation and developers. It has become excessively centralized, and this has not happened overnight; it was a long process in which bitcoin has effectively ceased to resemble anything which Satoshi imagined.

Satoshi very clearly postulated in Section 5 of his paper that each bitcoin node should be collecting recent transactions and trying to create new blocks. The original paper is all about CPUs, which was very naive. In practice, as soon as ASICs replaced general-purpose hardware, mining concentrated in the hands of a restricted group of people: miners. This group actually remains very large, tens of thousands of people, which is good. However these people mine under the control of pools. They have relinquished their powers. How did that happen?

The Key Decision

Somewhere in early/mid 2012 a very important decision was taken. The Stratum protocol was designed by Czech developer Marek (slush) Palatinus as an overlay protocol for bitcoin. It was needed in order to replace the old getwork method, which was unable to handle higher speeds.

Stratum took a very serious and deliberate decision to move the power of selecting which transactions are included in blocks from miners to pool managers.
The author has claimed that “99% of real miners don’t care about transaction selection anyway”, cf. here.

At this moment bitcoin ceased being a decentralized democratic system.

We can observe that:

  • Nobody forced miners to mine in pools: the growing difficulty of mining and the large standard deviation of this process meant that the majority of miners naturally adopted pooled mining.
  • People who buy ASIC miners are probably not even aware that there might be some alternatives.
  • This was a key point in history where bitcoin became more centralized AND miners lost control of what they mine.
  • This decision lies totally outside of Satoshi's source code, and even totally outside of the circle of Bitcoin developers and the bitcoin foundation: to this day this widely used protocol has NOT been standardised as a well-defined bitcoin BIP.
  • To this day it is maintained in limbo, neither standardized as a BIP nor reformed/banned, in spite of being criticized as “developed behind closed doors […] resulting in various obvious problems”, see the section Criticism here.
  • This in spite of the fact that, according to the same web page, the open bitcoin community has developed another solution, GBT (GetBlockTemplate) or BIP022/23, which was claimed to be more decentralized (is it actually more decentralized?).
  • However Stratum was backed by a major mining pool, and GBT adoption suffered.

The Emperor’s New Clothes

We see that:

  1. It is the people who run pool managers who now decide which transactions are mined. 10 pool manager servers centralize 75% of the mining power.
  2. More importantly, we now have a cartel of two sorts of super highly centralized entities: designers of mining ASICs and people who run pool managers. Together these people were able to impose a protocol which represents their interests, and which makes 1. above possible, possibly forever.

This was a sort of hold-up: at some moment in bitcoin history, bitcoin became maybe irreversibly centralized by adopting a protocol which shifts the power to pool managers.


Irreversibly? Quite possibly yes, because, for example, if tomorrow all bitcoin software nodes adopt version 3 of the bitcoin protocol, the pool managers can maintain the status quo by rejecting all blocks with version 3, possibly forever, as explained in this video, and if some miners accept them in their blocks, their blocks could in turn be rejected.

This is unless a majority of miners revolt against this cartel and switch to other pools which support another policy. However miners are passive, not always aware of the power they may have, and not well organized.

Private Money, Bitcoin and Legal Questions

The IBM Dollar

In 1994 Edward De Bono wrote a pamphlet called “The IBM Dollar”.
Dr. de Bono wrote that he looked forward to a time when “the successors to Bill Gates will have put the successors to Alan Greenspan out of business”, arguing in essence that it would be more efficient for companies to issue money than equity.
Edward de Bono argued that companies could raise money just as governments now do – by printing it.

Interestingly, his original idea was that the IBM dollar would be redeemable for IBM equipment. It would NOT be a fiat currency, which by definition is redeemable for nothing.


For two decades everybody thought that the idea proposed by De Bono was just ridiculous.
20 years later suddenly people stopped laughing at it.

The Amazon Dollar

The invention and the rise of bitcoin creates a dangerous precedent for business. Some experts now think that companies such as Starbucks or Amazon are well placed to issue their own currency and run their own “shadow economies”, with goods, benefits, services and savings which can be obtained with this money. These brands can very easily convince people that their currency has some solid intrinsic value (e.g. some coffee). This makes me think that Bitcoin is essentially just a well-known brand now, as the technological advancement of bitcoin is in fact very poor. As a brand, bitcoin will now have to compete with other strong brands such as Amazon, Tesco or Orange.
The main route to get there is that, quite possibly, the boring business of loyalty points is likely to evolve into a real payment ecosystem. The Harvard Business Review had a paper about branded money in July 2013. Similarly, Apple or mobile phone operators could easily convince young people to use their private currency: everybody understands that they can use it to get phone credit or for App Store purchases.

Is It Legal?

Why wouldn’t governments just ban such private monetary anarchy?

  1. On the money side, it is probably very difficult to forbid the creation of new forms of money nowadays.
    • Arguably, monetary diversity is a great thing to have, as advocated by a renowned expert on monetary innovation, Bernard Lietaer, in this video (2011).
    • Try to forbid this: in Switzerland the WIR complementary currency has been in operation for 80 years, and the UK has the Brixton pound, even though systems like these have serious limitations (while bitcoin has none). The market cap of WIR is about 3 billion USD.
    • Try to forbid bitcoin: it is very difficult to forbid anything in cyberspace. Moreover, every country is looking to attract some of these amazing bitcoin startups which we have; they want the future to happen on their territory.
    • Governments are weak, companies such as Starbucks and Amazon are strong, and they will probably obtain what they want through lobbying.
    • So nowadays people are openly encouraged rather than discouraged to run their homegrown currency, in the same way other people run blogs.
  2. In contrast, many jurisdictions will try to kill anything which has to do with stock markets.
    • Ironically, private money which you can redeem for nothing, such as bitcoin, is acceptable.
    • However, if it were equity or shares, that is not OK and you are in trouble, as Voorhees, the creator of SatoshiDICE, discovered. It is NOT legal to actively solicit investors to buy shares in a company.
    • In spite of this, some companies such as Overstock and Bitshare are nevertheless trying to find ways to legally issue shares through crypto currency and DAO mechanisms.
  3. Money or stocks, it is in general useful to recall that pump-and-dump and investment scams are illegal and one can go to prison for them.

Question: How do 2. and 3. differ from encouraging people to buy bitcoins or Dogecoins? Isn't it like selling a share in a distributed business which makes money by selling new coins to naive investors, knowing that the monetary policy of these currencies is highly unorthodox and leads to serious problems? Maybe not. This remains an interesting question which we will leave without an answer for now.


Most Unix/Linux/Mac Computer Systems Open For Hackers

A critical vulnerability in the bash shell allows remote attackers to execute code on our computers.
Immediate patching of everything is recommended.

Some points:

  • As bad as Heartbleed; some people say it is worse: severity 10/10.
  • It has existed for 22 years, since 1992.
  • Not only Unix, Linux, MacOS etc. but also Windows.
  • Yes, I have checked with my Cygwin installation under Windows and the attack works!
  • Checked under a recent Ubuntu Linux x64 install: works!
  • Could also affect bitcoin because it was built with MinGW, which is not exactly like Cygwin but may also be vulnerable.

There is a simple test to check whether a given system is vulnerable.
From a command line, type the following line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

If bash has been patched, only the line "this is a test" is printed (a patched bash may additionally print a warning about ignoring the function definition on stderr, which is harmless).
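The one-liner above tests whichever bash is first on the PATH and leaves the reader to eyeball the output. The script below is an added example, not code from the original post: it wraps the same probe so it can be run against a named bash binary and its result used programmatically, checks every bash commonly installed on a host (a patched /bin/bash says nothing about a second copy under /usr/local), and simulates the remote angle, namely a CGI server copying an attacker-controlled request header into an environment variable before launching a bash script. The bug is the bash environment-function import flaw known as CVE-2014-6271; the header value and the function and binary names are constructed for the example.

```shell
#!/bin/sh
# Shellshock (CVE-2014-6271) probe, added example, not the original post's script.

# Probe one bash binary ($1, default: "bash" from PATH).
# Prints exactly one word on stdout: "vulnerable", "patched" or "missing".
# Exit status: 1 when vulnerable, 0 when patched, 2 when the binary is absent.
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! [ -x "$bash_bin" ] && ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # The value of x looks like an exported function definition followed by an
    # extra command. A vulnerable bash executes that trailing command while
    # importing the environment at startup, i.e. before "echo this is a test".
    # A patched bash only warns on stderr ("ignoring function definition
    # attempt"), so stderr is discarded and only stdout is inspected.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        vulnerable*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}

# The remote angle: a CGI web server exports request headers as environment
# variables (the User-Agent header becomes HTTP_USER_AGENT) and then runs the
# script, so an attacker-controlled header reaches bash exactly like x above.
# This simulates that hand-off locally with a constructed header value; on a
# vulnerable bash the output starts with "INJECTED", on a patched one it does not.
simulate_cgi_request() {
    bash_bin="${1:-bash}"
    user_agent='() { :;}; echo INJECTED'
    env "HTTP_USER_AGENT=$user_agent" "$bash_bin" \
        -c 'echo "Content-Type: text/plain"; echo; echo hello' 2>/dev/null
}

# Report every bash binary commonly present on a host, one line each.
check_all_bash() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -x "$b" ]; then
            printf '%s: %s\n' "$b" "$(check_shellshock "$b")"
        fi
    done
}

# When run directly, list the state of every bash found on this host.
check_all_bash
```

Because the probe uses `bash -c`, it exercises the bash binary named on the command line, not the login shell: on a system where /bin/sh is a different shell the CGI vector only applies to scripts that actually start bash, while on Cygwin or MinGW the relevant binary is the bash shipped with that environment. The non-zero exit status for a vulnerable host makes the function usable in a loop over many machines via ssh.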

Bitcoin Security and Cryptography: Reasons to Worry

Bitcoin has a toxic culture of never taking security and cryptography questions seriously. Being able to withstand expert criticism, champion best practices and anticipate risks is crucial for any open source project.


Unhappily, we observe that other crypto currencies, though smaller than bitcoin, seem to do much better:

  • For example, Stellar has the head of the Secure Computer Systems Group at Stanford University on board, and they do care about security: they chose the so-called "safe" elliptic curve Curve25519.
  • Ethereum has two superstar cryptographers, Merkle and Koblitz, who are actually the people who invented the very cryptographic technology which underpins bitcoin (Merkle trees and the Koblitz curve secp256k1).