--- Log opened Fri Mar 22 00:00:01 2013
21:37 < jgarzik> so i built a tip bot for irc cause jgarzik suggested it, but im discouraged by all these legal issues. i may not deploy it
22:49 < petertodd> interesting
22:49 < petertodd> can he at least release the code?
22:52 < gmaxwell> run it as a testnet thing for development perhaps?
22:53 < jgarzik> He already disappeared off #bitcoin, where that was said, before I had a chance to say hi
22:54 * jgarzik was thinking about writing one, testing on testnet, and open sourcing the code... but not running it
22:54 < jgarzik> with real money
22:54 < petertodd> Ha, we all want to not run it.
22:54 < jgarzik> and even on testnet, zero deposits periodically
22:54 < petertodd> Yup, least testnet BTC suddenly have a value...
22:55 < gmaxwell> Right. I would expect limits on deposits and total value, and then someone in a favorable jurisdiction running it .. over tor. probably no problems, but I'm sure not going to do it.
22:55 < petertodd> I've been pondering TPM'd coins actually; would a remote attested private key swapping thing fall under FinCEN?
22:55 < gmaxwell> petertodd: god knows, we can probably find all kinds of regulatory corner cases very rapidly.
22:56 < gmaxwell> Testnet even is a funny example. Testnet is _clearly_ not money. not unless you want to call Beanie Babies money.
22:56 < petertodd> What's interesting there, is you can improve security of it by having central double-spend detection servers, yet those servers aren't "running" the scheme and you can have as many of them as you want.
22:56 < petertodd> gmaxwell: Yet the second testnet difficulty rises...
22:57 < gmaxwell> petertodd: well it can't we broke it. Testnet difficulty can be warped back to 1 at any time.
22:57 < gmaxwell> It's fundamentally broken. :)
22:57 < petertodd> gmaxwell: Right, so agree on more testnet checkpoints and it's money again...
22:58 < petertodd> Or fix the timewarp bug...
22:58 < gmaxwell> not just that.
22:58 < gmaxwell> if you mine a 20 minute block at a mod 2016-1 point the diff gets reset to 1.
22:58 < gmaxwell> well, 1-4 depending on the timestamps.
22:59 < gmaxwell> (the retarget uses the prior block's actual difficulty)
22:59 < petertodd> Exactly, so if that bug gets fixed testnet can turn into money again on miner whim.
23:00 < gmaxwell> I suppose. But then why isn't my respect for you money? :P At some future whim I could convert it into bonds or something. :P
23:00 < petertodd> Anyway, my general point is it's good to have favorable legal rulings, but the law changes, and furthermore the interpretation of the law changes.
23:01 < petertodd> BTW you said you bought some TPM-capable hardware?
23:03 < petertodd> I was thinking of doing so too, and it'd be neat if we had what we had bought co-ordinated.
23:04 < jgarzik> TPM has an RNG too. Make sure to make use of that.
23:06 < petertodd> I dunno, I think RNG is easier than people make it out to be with yarrow and persistent applications.
23:06 < petertodd> For instance a perfectly reasonable RNG algorithm for something like a smartcard is to use a non-reversible counter with a secret seed.
23:07 < petertodd> *PRNG
23:07 * jgarzik was mainly thinking of its use to fill the kernel's entropy pool
23:08 < jgarzik> rngd will use TPM's RNG automatically, to do that
23:08 < jgarzik> then, /dev/[u]random are happier
23:08 < warren> I vaguely recall reading a paper about a smartcard that detected time-based attacks upon it by checking how much of SRAM had decayed into random bits during poweroff. I thought that was pretty clever.
23:09 < petertodd> warren: Interesting, although that'd make for an interesting testing problem at the factory.
23:09 < warren> I wondered at the time if that would be a good or bad way to get more entropy.
23:10 < petertodd> My point is, with secure storage you keep a pool that you are essentially adding entropy to the whole lifetime of the device, thus you don't actually need all that much, and it's perfectly reasonable for the factory to fill the pool with entropy per-device.
23:14 < warren> you're right, but you'd have to trust the factory
23:14 < petertodd> You already have to!
23:14 < warren> heh
23:15 < warren> Intel's new entirely digital hardware RNG is supposed to be pretty good. But the linux kernel developers don't trust intel, so they are feeding it as an input to the kernel prng instead.
23:16 < petertodd> As they should. Similarly software like Bitcoin shouldn't trust the kernel developers, and should feed their random numbers into our own PRNG
23:17 < warren> You're so screwed if you can't trust the kernel.
23:17 < petertodd> I proposed using the last privkey XOR /dev/urandom to create every privkey
23:18 < petertodd> oh, I forgot H(last privkey XOR /dev/urandom)
23:19 < petertodd> For Bitcoin PRNG mistakes are especially bad because the attacks can be done at leisure, so the usual standards of kernel development may not be enough.
23:21 < gmaxwell> petertodd: I already had a pair of X9SCL-F motherboards (i7 systems) which support the txt stuff but just need a tpm module. Getting actual TPM modules is hard. I found one which _may_ be compatible on ebay. I'll let you know when it shows up and I get a chance to test it.
23:21 < gmaxwell> warren: "trust but verify"
23:21 < gmaxwell> warren: if the kernel developers are malicious you're in trouble, if they make mistakes— well no need for bitcoin to be utterly brittle to weaknesses in the kernel rng.
23:22 < petertodd> gmaxwell: Cool. Yeah my mobo is an Acer and supports TPM modules, but good luck finding one. I was thinking I might just get a thinkpad laptop w/ TPM.
23:22 < gmaxwell> I have one of those but I use it. :P
23:23 < gmaxwell> petertodd: if you go that route: lenovo outlet store.
23:23 < gmaxwell> (or ebay)
23:23 < warren> gmaxwell: lenovo outlet doesn't have awesome deals anymore like a year or two ago
23:23 < gmaxwell> aww
23:23 < warren> gmaxwell: 3 of 11 laptops I bought from outlet were lemons
23:24 < warren> I think they gave up on the customer service for that and just dumped all of them with 3rd party outlets.
23:24 < petertodd> Yeah, I've got a few options - every laptop I've ever owned has been an older used thinkpad from a corporate lease.
23:24 < warren> You'll see them on newegg outlet along with random other brands.
23:25 < gmaxwell> petertodd: perhaps buy a thinkpad with a broken screen on ebay. :P one advantage of using laptops for this sort of thing is that if you wanted to come up with a design which would be crypto-anarchist compatible they could strip the laptops down to nothing but the motherboard and embed them in stuff.
23:25 < warren> That and if you can find an IBM employee, their ibmepp code lets you buy Thinkpads often cheaper than outlet.
23:26 < petertodd> gmaxwell: For sure. TPM 1.2 can do remote attestation just fine, it's just the lack of the infrastructure to convince others that your attestation is correct, but with some standardization I suspect that can be worked around.
23:26 < petertodd> gmaxwell: The JavaCard smartcard standard seems to be able to do it too, but documentation is scanty.
23:27 < gmaxwell> separately from the bank stuff, a generic computational oracle would be interesting.
23:28 < petertodd> Yup. Not to mention secure remote servers are totally doable, especially if you add some anti-tamper sensors.
23:31 < gmaxwell> yea, well tampering can be made as hard as you like... make an anti-tamper nest of fine wires all around it and pot the darn thing... plus then it's waterproof too. :P
23:33 < petertodd> Two other good ones are to use light sensors plus *light sources* in the box, and wipe the keys if the amount of light returned ever changes from the expected, along with vibration sensors. For the latter your only limitation is earthquakes.
23:33 < petertodd> I live on top of four billion year old rock so earthquakes aren't such a big deal. :P
23:33 < jgarzik> RE RNG and feeding... it's not about trusting the kernel but the hardware. Easier to put a big lump of FIPS testing and other fun in userspace. Easier to balance between competing consumers of hardware RNG entropy, if it's bandwidth limited versus the application.
23:34 < jgarzik> a direct function call kernel->kernel isn't optimal for all situations
23:34 < jgarzik> including hardware RNG burp situation
23:37 < gmaxwell> petertodd: having something like accelerometer wipe and shutdown would be neat but kinda bad that you can never recover if someone just kicks it.
23:37 < jgarzik> gmaxwell: hah, neat idea
23:37 < gmaxwell> petertodd: I imagine it might be possible to drop a computer at the bottom of an abandoned gas well and fill it in. connected via fiber (both for power and comms) .... would be totally tamperproof.
23:39 < petertodd> gmaxwell: Depends on the threat model. Allegedly nuclear anti-proliferation sensors often are basically sealed computers in concrete filled holes, and seismic is an essential part of test-ban treaty monitoring anyway.
23:40 * jgarzik would love to see a modern day Johnny WifiNodeSeed
23:40 < jgarzik> toss them on rooftops, powered via solar
23:41 < petertodd> jgarzik: Ha, well my other hobby is cave exploration... maybe a microhydro turbine in a storm sewer? :P
23:42 * jgarzik wonders the size of the block header + largest transaction list seen to date
23:43 < jgarzik> having the full TX list can occasionally be more useful than just merkle root
--- Log closed Sat Mar 23 00:00:02 2013