00:36:45nsh:petertodd, did your blockchain run finish?
00:47:05nsh:yo ens
00:47:38ens:hi nsh
00:48:03nsh:(see next door)
01:00:52andytoshi:Luke-Jr: i'll be in austin on the 5 and 6, text me if you're downtown 5124504323. i'm not gonna register for the conference tho
01:01:18Luke-Jr:andytoshi: ⁈
01:01:20Luke-Jr:why not
01:02:00justanotheruser:is pizzacoin off topic?
01:02:33nsh:not in the context of its notable innovations in cryptocurrency technology...
01:03:12nsh:(so, probably, yes)
01:04:15andytoshi:Luke-Jr: it's a hundred dollars and i have to be at school those days
01:04:19justanotheruser:Okay. So I have a concern with bitcoin 0.9 (and Bitcoin in general). With the new small fees, it will cost about $3k/day to DoS the network. This seems like a good way to dump and pump
01:05:06Luke-Jr:justanotheruser: off-topic here
01:05:07justanotheruser:Or if dump and pump doesn't make sense, just substitute it with manipulate the market
01:05:21justanotheruser:Luke-Jr: sorry, I'll post it in #bitcoin?
01:05:31Luke-Jr:#bitcoin-dev usually, but read ML first
01:05:41justanotheruser:Luke-Jr: ML?
01:05:57Luke-Jr:the mailing list
01:06:19justanotheruser:Luke-Jr: okay, I'll re-sub.
01:14:38Luke-Jr:andytoshi: if it was just $, I could probably get you in :/
01:21:28andytoshi:Luke-Jr: how much notice would you need? i'm unsure of my schedule those days but there's a decent chance i'll be free after 2-3PM
01:23:03Luke-Jr:andytoshi: I don't know.
01:28:24andytoshi:no worries, i'll let you know when i know and we'll figure something out
01:39:29austinhill:austinhill has left #bitcoin-wizards
02:04:53Luke-Jr:Anyone want to moderate the altcoin panel in Texas? Or at least suggest some reasonable questions for them?
02:14:29justanotheruser:Luke-Jr: "Normally when a program is modified to have a different name or graphics it doesn't take off because of the support. Altcoins are an different because a clone with a changed name can be used as a speculative tool. Is there anything that separates from being just a speculative tool?"
02:14:56justanotheruser:s/doesn't take off because of the support/doesn't take off because it has little reason to exist
02:15:07justanotheruser:s/are an different/are different
02:19:38amiller:does anyone collect stale blocks
02:19:55amiller:suppose i wanted to collect a set of stale valid blocks for innocent purposes like to have a museum, where could i go
02:24:39amiller:https://blockchain.info/orphaned-blocks i guess this is what i want
02:41:15comboy:MUSEUM OF ORPHANED BLOCKS "this one is from 2010, notice the nonce, very interesting exhibit, one of a kind"
02:51:52comboy:so if I'm checking correctly out of 84M txouts 2.6M have at least one (pkscript,value) duplicate, wow
02:59:17andytoshi:* andytoshi imagines amiller sculpting images of his orphan blocks for his museum
03:00:12amiller:we don't say "wow" here, dogecoin museum is next door
03:00:35Luke-Jr:* Luke-Jr says, "very sculpted"
03:37:09c--O-O:;;ticker --market all
03:37:14gribble:MtGox BTCUSD last: 135.0, vol: 0.00000000 | Bitstamp BTCUSD last: 549.99, vol: 107799.32198253 | BTC-E BTCUSD last: 546.8, vol: 66052.24497 | Bitfinex BTCUSD last: 552.25, vol: 83792.50384978 | BTCChina BTCUSD last: 556.709296, vol: 26107.70000000 | Volume-weighted last average: 550.533044228
03:40:14nsh:dullest armageddon ever
03:45:01phantomcircuit:gmaxwell, out of curiosity what do you suppose the lower bound is on hashes/joule
03:45:33maaku:phantomcircuit: physical lower bound?
03:45:44phantomcircuit:maaku, right
03:45:50maaku:way, way, way lower
03:46:12maaku:i assume you mean reversible drexlarian computation?
03:46:19phantomcircuit:maaku, im thinking millions of times lower
03:46:44phantomcircuit:maaku, i dont even know what that is
03:46:47phantomcircuit:thus questions
03:48:02tacotime_:self-assembling nanoscale circuits? like those self-assembling DNA pieces that do stuff like solve the hamiltonian math problem?
03:48:16tacotime_:er path
03:48:52tacotime_:That's what I was thinking but maybe maako meant something else
03:49:10phantomcircuit:maaku, i was thinking more like what the finite number of state changes was
03:51:21andytoshi:phantomcircuit: in the limit if you can compute irreversibly you can do infinity hashes/J. but that limit is as your hashtime goes to infinity....if you are talking normal (irreversible) computing then Landauer's principle applies https://en.wikipedia.org/wiki/Landauer%27s_principle
03:51:45maaku:phantomcircuit: what andytoshi said
03:52:00maaku:physical limits of computation are crazy small
03:52:32phantomcircuit:oh right
03:52:46phantomcircuit:yeah obviously im assuming a sha256d circuit is irreversible :)
03:52:52phantomcircuit:otherwise we might have issues
03:53:59maaku:phantomcircuit: different definition of irreversibility
03:54:13tacotime_:Now I'm reading the nature paper cited in that wiki heh
03:54:21phantomcircuit:maaku, ah ok then
03:54:35phantomcircuit:i should probably read more about this
03:54:39phantomcircuit:but who has the time
03:54:48phantomcircuit:* phantomcircuit looks around at everybody who does
03:55:32maaku:nah, i was a physics major back in the day
03:55:40maaku:otherwise this stuff is pretty useless
03:55:44tacotime_:It's nice to see optical tweezers seeing (somewhat) practical uses
03:56:09andytoshi:if SHA256 takes 10000 bit changes, then by Landauer's principle (the equation on that wiki page) you can get roughly 3.5e16 hashes per joule. at 350W that is 1.2e19 hashes/sec. the BFL monarch is 350W and does 6e11 hashes/sec
03:56:54andytoshi:that's IMO amazingly close, if anyone has a better number than 10000 i'd be interested in it
03:56:54maaku:but most of those state changes could probably be made reversible
03:59:03phantomcircuit:maaku, ah i see, so the idea is that if the state goes from A->B->A then there has been no change in entropy
03:59:52maaku:only when you destructively change state need you expend energy
03:59:56phantomcircuit:however you're likely doubling the length of the path the electrons are running
03:59:58tacotime_:Is that like a chemical equilibrium?
04:00:06phantomcircuit:which means you're doubling resistive losses
04:00:11phantomcircuit:but i cant imagine that matters much
04:00:13maaku:but still, we're just talking an extra order of magnitude or two, on top of 1.2e19h/s :)
04:00:27maaku:phantomcircuit: superconductors
04:00:39phantomcircuit:maaku, oh right
04:00:45maaku:there's zero resistive losses at the limits of computation :)
04:00:48phantomcircuit:so you could be doing computation essentially for free
04:01:03phantomcircuit:or at least a few orders of magnitude cheaper than otherwise
04:01:15phantomcircuit:maaku, that's neat
04:01:31maaku:yes, only irreversible/destructive computation "counts", everything else is free
04:02:00maaku:modulo slight constant cost due to the fact that you can't actually reach absolute zero
04:02:19copumpkin:clearly just encode sha256 in a logic language and run it backwards >_>
04:02:37maaku:copumpkin: right, except sha256 is not a one-to-one function
04:02:46copumpkin:it doesn't need to be
04:02:54maaku:it does for reversible computation
04:03:01copumpkin:I'm saying something like prolog
04:03:10copumpkin:it'd probably take forever
04:06:19phantomcircuit:maaku, sha256 isn't 1:1 but smaller parts of it are right?
04:06:23phantomcircuit:i think so
04:06:51copumpkin:try encoding it in prolog!
04:28:46justanotheruser:justanotheruser is now known as just[dead]
04:34:36just[dead]:just[dead] is now known as justanotheruser
04:38:43maaku:phantomcircuit: yeah, it's been a while but in principle each step should be 1:1
04:38:53maaku:you just throw away bits equal to the length of the message
04:39:05maaku:(rounded up to the next block size)
04:39:37maaku:irreversible transforms are actually very hard to analyze, so i would be very surprised if sha256 was constructed that way
04:54:06phantomcircuit:maaku, sha256 involves a bunch of xor operations
04:54:19phantomcircuit:im pretty sure that is irreversible without one of the inputs
04:55:36copumpkin:my suggestion doesn't need it to be reversible :P
04:59:13maaku:copumpkin: it is, trust me
04:59:51justanotheruser:justanotheruser is now known as just[dead]
05:00:36maaku:copumpkin: your emulation suggestion is orthogonal to the issue of reversibility
05:01:13tacotime_:tacotime_ is now known as tt_away
05:01:22copumpkin:I'm suggesting emulating it?
05:01:24maaku:phantomcircuit: do you throw away both the inputs?
05:01:41maaku: try encoding it in prolog!
05:02:00copumpkin:do you understand what I'm advocating?
05:02:06maaku:copumpkin: apparently not
05:02:16copumpkin:have you used prolog?
05:02:54maaku:but how does it relate to reversible computation?
05:02:56phantomcircuit:maaku, yes you do
05:04:54maaku:yeah you're right
05:05:12maaku:so figure out how many xor computations, *32bits
05:05:47maaku:for which the input isn't reused
05:06:21just[dead]:just[dead] is now known as justanotheruser
05:08:16phantomcircuit:maaku, it's basically all of the computations
05:11:16maaku:phantomcircuit: not really, notice from the diagram how 6 of the 8 input registers simply shift to a new position
05:11:20maaku:those don't count against you
05:11:23copumpkin:maaku: you specify the relational form of your program and ask it to solve for a given output. You don't need 1:1, and it'll just show you an input that fits. Different logic languages do this differently, and I'm not actually claiming that it'll magically figure out how to invert sha256 in our lifetimes, but in principle I don't see why not
05:11:31jcorgan:jcorgan has left #bitcoin-wizards
05:11:58maaku:copumpkin: it can't and won't - there's information loss
05:12:09maaku:but that's a fundamentally different issue
05:12:20maaku:reversible computation is about using reversible physical processes for computation
05:12:29copumpkin:I know there's information loss :P
05:12:31maaku:very little to do with the actual algorithms
05:12:51copumpkin:I'm just saying it is specifying the entire equivalence class of inputs that produce a given output
05:13:02copumpkin:utterly incomputable, but still conceptually there
05:13:33maaku:no, not conceptually there at all
05:13:50maaku:when you reduce a 512 bit block to a 256 bit hash, you fundamentally eliminate 256 bits
05:14:09maaku:the reverse is a 1 : 2^256 mapping
05:14:54copumpkin:are you contradicting me?
05:22:13justanotheruser:justanotheruser is now known as just[dead]
05:27:40copumpkin:anyway, I'll take my impracticality elsewhere and get out of your discussion :P
05:31:24just[dead]:just[dead] is now known as justanotheruser
05:49:36justanotheruser:petertodd: when breaking coinbases consensus, did you just make complex tx and hope it would break it, or did you have a more complex method?
05:55:09maaku:maaku is now known as Guest62160
05:58:39ghtdak:ghtdak has left #bitcoin-wizards
06:04:03jgarzik:amiller, I would be highly amused if you published the dakami thing on storify.com
06:04:22amiller:* amiller will figure out wtf that means and do it immediately
06:09:42copumpkin:jgarzik: yes please :)
06:09:44copumpkin:I don't have context
06:23:11amiller:it takes fucking 30 minutes to pg-down through dan kaminsky's twitter timeline, i don't know any faster way
06:23:50amiller:nope, it ends at sep 2013
06:24:18amiller:bet i can scroll through jeffs easier
06:24:43copumpkin:except it doesn't scroll automatically :)
06:24:51copumpkin:there are probably other third-party sites that archive them though
06:25:40amiller:ok well i'll race you, you try the third parties and i'll try twitter/jef
06:26:37copumpkin:what do I look for?
06:26:50amiller:first instance of the best?
06:27:10amiller:i basically have https://twitter.com/jgarzik/status/336210942717214720
06:29:25copumpkin:another option is for jgarzik to request his tweet history archive
06:32:19copumpkin:amiller: https://twitter.com/jgarzik/status/335877664030212096
06:33:09amiller:yeah ok i got all those
06:33:28amiller:this is coming along just fine, i'm making it look nice like a celebrity gossip article with lots of bold phrases and hyperlinks
06:33:44amiller:i drank just enough scotch for this task tonight, i wasn't going to get anything else done anyway
06:34:46copumpkin:* copumpkin goes to sleep :)
06:47:06austinhill:playing host to tons of #bitcoin-wizards sounds fun until they are all on your couch tired & screaming about mt. god killing their day
06:48:20austinhill:actually it's still fun - just complicated ;)
06:53:52Luke-Jr:austinhill: lol
06:54:33amiller:copumpkin, here you go https://twitter.com/socrates1024/status/438566986835312640
07:21:18justanotheruser:justanotheruser is now known as just[dead]
09:36:13sipa:austinhill: haha
11:00:33qwertyoruiop_:qwertyoruiop_ is now known as qwertyoruiop
13:28:28jgarzik:jgarzik is now known as home_jg
14:09:55stonecoldpat:guys, was mtgox malleability issue that they were accepted transactions too quickly? (that later became invalid)
14:20:53gmaxwell:stonecoldpat: To the best of my understanding their 'malleability issue', wasn't really one— they were reissuing transactions without conflicting the originals, making it possible for both to go through. This is unsafe— malleability's role, apparently, was that they'd check to see if the original had gone through— still unsafe since it could go through at the same time or later— and wouldn't detect mutated versions of the ...
14:21:00gmaxwell:... transaction.
14:21:58gmaxwell:However, since they've never actually pointed out any of the theft transactions, it's hard to be sure how accurate that is. The claimed losses don't really plausibly follow from that pattern.
14:23:27gmaxwell:If they really did lose that much coin then I would think it likely that there were additional vectors.
14:27:45stonecoldpat:i understand, so if mtgox issued t1, then later issued t2 (as t1 has got held up), t2 never invalidated t1, and so both would go through.
14:28:06stonecoldpat:to lose the coins they did, that would need to have happened for a long time :/ so it cant be the sole reason
14:31:03wumpus:if so many coins were stolen it must be abused on a pretty large scale, it's strange that we don't hear anyone gloating who abused this, even anonymously
14:32:04gmaxwell:stonecoldpat: I can't say that it couldn't be the sole reason. E.g. if someone got an account that could make 10k in withdraws per day and they constantly cycled funds through it, they potentially could trigger this hundreds of times over many many months by automating the attack. It's probably possible.
14:32:22gmaxwell:Almost all great disasters involve layered faults.
14:32:50gmaxwell:Though it seems likely to me if the claims are correct there probably are other reasons.
14:34:06gmaxwell:... and if the situation was really bad enough that they could have huge ongoing losses without noticing, then who knows if they even know all the causative issues.
14:35:05wumpus:so one person/party discovered this and abused it over a long time, syphoning all of mtgox's coins away without being discovered by anyone... somehow it just doesn't add up to me
14:35:57wumpus:if these are due to duplicated transactions: he has to have withdrawn half of mtgox's total coins to get all of them
14:36:45comboy:I did a histogram of number of duplicates of (pkscript,value) pairs over distance in blocks between them
14:36:49wumpus:in volume, at least, of course they can have bounced the same coins from/to mtgox all the time... but come on
14:37:03comboy:and there is a clear bump around 150 blocks, but that's probably some daily payments
14:38:04comboy:if mtgox would be reissuing transactions automagically, I would expect not a smooth bump but some sharp edge at some block diff (presumably associated with if tx not in block after X blocks then...)
14:39:29stonecoldpat:i suppose the bump / sharp edge would only happen if there were a lot of duplicates? did you check the amount of coins being transferred per duplicate?
14:39:52stonecoldpat:in your 150 block bump
14:40:19stonecoldpat:as wumpus mentioned, it would require access to at least half of mtgox's coins at some point
14:40:40stonecoldpat:close to half*
14:42:02gmaxwell:comboy: it's hard to analyze the data, mtgox had daily withdraw limits on accounts...
14:42:24comboy:yeah I have it over value too, but it seems more noisy because probably exchanges cold storage moves and whales, one sec
14:42:30gmaxwell:I can point you to addresses that had received >10k btc in repeated payments from mtgox, but it looked like they were just grinding against daily limits.
14:43:30comboy:gmaxwell: agreed, but if it would be automated I would expect some bump at specific value
14:44:18comboy:I just started doing this after waking up not long ago so I don't want to share some bs data which it may be, but this is hist over count of duplicates, not value: http://i.imgur.com/Y3M7OiP.png
14:45:11comboy:(I skipped values under 0.01 btc, total number of dups 2.6M so it would be under 26k anyway)
14:45:36gmaxwell:if the attack had low success rate— which I'd expect it to if it were based on reissues— you'd expect the traffic to mostly reflect the withdraw limits.
14:46:22comboy:yeah that's true, I don't know how it could be approached to filter it better
14:46:32gmaxwell:interesting graph. I wonder if you could plot that graph for tx sent by addresses in my mtgox address list (which I'd guess is at best 1/3rd of their addresses) vs all.
14:46:41epscy:that looks cool
14:47:58comboy:gmaxwell: just give me list of addrs (hash160 prefered)
14:49:16stonecoldpat:also comboy, is that duplicates in the same block? or is it duplicates found within a certain radius of blocks? (so two similar transactions found within the past 10 blocks)? (duplicate criteria is value of transaction i imagine?)
14:49:16gmaxwell:https://people.xiph.org/~greg/goxaddrs.txt.gz (sorry, base58... I had scriptpubkeys at first and everyone complained, sadly I overwrote them after converting)
14:49:46gmaxwell:stonecoldpat: the graph is showing the 'radius' effectively, if I understand it.
14:49:59comboy:yes, radius is on x axis
14:50:28comboy:stonecoldpat: duplicate criteria pkscript matches and value matches
14:52:32gmaxwell:comboy: what is the total value duplicated?
14:53:30comboy:didn't even check but between radius 100 and 220 it's 3.7M
14:53:52gmaxwell:yea, figured.
14:54:15gmaxwell:mtgox txn could be filtered further with fee policy, once they made their high fees mandatory you can exclude other txn... not sure how useful this would be since it wasn't made mandatory all that long ago.
14:54:55gmaxwell:well— I'm relatively confident that all hits on that address list are mtgox, but I don't know how to match more than that beyond fees.
14:56:14epscy:gmaxwell: thoughts on this? www.reddit.com/r/Bitcoin/comments/1yyrkz/well_technically_speaking_its_not_lost_just_yet/
14:57:39gmaxwell:epscy: very doubtful.
14:58:19gmaxwell:it's a pretty longshot extrapolation from a minor comment.
14:58:37epscy:that was my take too
14:58:51epscy:think people are grasping at straws
14:59:55gmaxwell:I think it makes a nice joke, not a serious theory. The comment was more like 'not lost just temp unavailable' ... 'because I plan on saving the ship and paying everyone back.'
15:01:04pigeons:i wish instead of asking how accurate the document was they asked him how accurate the number was
15:01:30gmaxwell:I suspect he wouldn't have answered that
15:02:05pigeons:likely they dont know how much they lost
15:03:22epscy:pigeons: yup, my read is that the updates are so sparse because tux doesn't know yet what will happen next
15:04:22nly:A lot of angry people are going to pursue legal action through whatever means they have at their disposal
15:04:25nly:just a guess
15:05:03pigeons:cant get blood from a turnip
15:18:18ens_:ens_ is now known as ens
15:21:16comboy:I need to go afk for at least 2h, running query against these gox addrs will take me a moment anyway, if anybody wants to play with just txouts here's the list of (pkscript,value) duplicates with value > 0.01 http://tesuji.pl/dupsmall2.csv.bz2 (~100M, value, block height, hash160)
15:23:22gmaxwell:reddit post: "I have trained my ferret to memorize a 256 character numeric string. On command he'll take a pen and scribble it down on a piece of paper. Is this a safe way to store bitcoins?"
15:23:49sipa:what if your ferret dies?
15:26:28nanotube:obviously you must train multiple ferrets and store them in geographically disparate locations.
15:26:42nanotube:and have them teach the string to their offspring upon reproduction
15:27:07sipa:i think you should apply shamir secret sharing on the ferrets
15:27:35gmaxwell:Mustelidae signature transactions.
15:37:42sl01:so what's the consensus here, did they really lose all but 2k BTC to txmal ?
15:38:04sipa:sl01: not here, please
15:55:48shesek:what services/softwares do you know that use multi-signature transactions?
15:56:25jgarzik:shesek, few if any of the "big guys"
15:56:42jgarzik:shesek, BitPay does internally. blockchain.info offers (used to offer?) a manual multi-sig builder.
15:56:57jgarzik:A couple startups are just starting to roll over services.
15:57:01shesek:used to, it's gone for a while now
15:57:12shesek:anything operational that you know of?
15:57:32shesek:other than using it internally to store funds, something that exposes interesting functionality to users in some way
15:57:39jgarzik:shesek, some operational startups
15:57:50jgarzik:don't know the site addresses off the top of my head
15:57:52sl01:gmaxwell: regarding 10k daily withdrawal limit, at max verification level you could withdraw 100k at a time
15:58:06shesek:jgarzik, do you remember what they're doing with it?
15:58:11shesek:perhaps I could look it up
16:04:16pigeons:shesek: https://www.bitrated.com/
16:04:35shesek:pigeons, yeah, heh, that one is mine :)
16:04:43shesek:I'm looking for some other examples
16:05:11shesek:I'm doing a talk on multi-signature, seems odd to only mention my own thing as an example...
16:06:52pigeons:i havent checked out that i2p market that supposedly uses multisig
16:07:25pigeons:not the best publicity for your talk
16:09:13shesek:yeah... and it kinda sucks too
16:09:22shesek:they ask you for your private key and sign server-side
16:09:37shesek:which kinda defeats the purpose
16:09:45kanzure:do they realize that they sound like dorks asking for that?
16:09:53kanzure:or is it intentional malice
16:10:13stonecoldpat:gmaxwell: i was looking for your idea about a merkle tree to verify exchange balances, is there a link available?
16:10:52kanzure:stonecoldpat: well, there's https://github.com/olalonde/blind-solvency-proof
16:11:03kanzure:stonecoldpat: and https://iwilcox.me.uk/v/nofrac
16:13:29stonecoldpat:ok gonna have a read, but i was thinking, may be possible to use something like commitcoin in the process too, store in the transaction its origin and when the coins are moved, attach commitment to new transaction, in such a way where the real owner could use a 'password' to verify the commitment, but it does not reveal all owners
16:14:17stonecoldpat:so as long as exchange publish all their transactions, a simple script could search over valid outputs and check if its still there
16:23:30epscy:sl01: 100k?, this could explain why gox lost so much in a short amount of time
16:24:20gmaxwell:unless its technical and helps us advance the ecosystem the gox stuff really should move elsewhere (uh, where I don't have a suggestion, mtgox-chat is a wall of noise)
16:28:12stonecoldpat:having just sat in mtgox-chat for 2 minutes, i think the gox stuff fits in there perfectly to add more noise to it
16:30:13mus1cb0x:what is a proper daily withdrawal limit for an exchange to have?
16:32:03epscy:#mtgox-signal is probably the best place
16:32:33epscy:mus1cb0x: perhaps a percentage of your hot wallet?
16:32:49epscy:with your hot wallet being a percentage of your total coins?
16:33:12andytoshi:please, this is a business q, let's keep -wizards to research
16:33:14mus1cb0x:i was thinking a % of the exchange's volume entotale, but your idea is probably better
16:33:20sl01:epscy: yep, required the apostillized stuff and then manually requesting that limit
16:33:24mus1cb0x:it is?
16:33:43mus1cb0x:i mean it is a business question i guess, but... i don't even know how to respond
16:33:58mus1cb0x:well nvm then
16:34:04epscy:yeah this is a bit offtopic, i recommend #mtgox-signal
16:34:07shesek:gmaxwell, any chance you're aware of someone using multi signature in an active service/software?
16:34:13mus1cb0x:mus1cb0x has left #bitcoin-wizards
16:34:19shesek:other than me, that is :P
16:38:57gmaxwell:shesek: there was someone talking about one of those underground markets doing something in that space, but I dunno anything about it. There have been a lot more multisig on the network recently... but for all I know it's all you.
16:41:43flotsamuel:Yea, darknet markets considering it as an alternative to PHP developers trying to secure an escrow service.
16:47:22shesek:gmaxwell, there's one black marketplace that uses it
16:48:00shesek:but it kinda sucks... I saw some screenshots of it, they ask users to provide their private key to release the funds and sign it server-side :-\
16:48:42kanzure:gmaxwell: it would be nice if it was a property of private keys to somehow make users feel uneasy or suspicious when stuff like that is requested of them
16:48:55kanzure:i suppose the word private is not strong enough
16:49:05gmaxwell:kanzure: I was about to point that out... :P
16:49:18kanzure:i will turn off my telepathy helmet
16:49:28gmaxwell:Finally a use for brain wallets, require users to include embarrassing personal information in their private keys.
16:49:58wumpus:also very stealthy if a black market is the only one using such transactions :)
16:51:20andytoshi:it would be nice if we had schnorr sigs, split-key signatures are so easy (and innocuous looking) :(
16:51:23kanzure:maybe just annoying messages around all private keys. WARNING. CRITICAL.
16:51:37gmaxwell:I'd hoped that things like trezor would always be used in a multisig capacity so you didn't have to worry about the device leaking your keys in a covert channel, but sadly they didn't see value in going that route.
16:51:42andytoshi:kanzure: that's not a bad idea, if the import/export format had a bunch of required noise in it
16:52:12kanzure:that would be ignored
16:52:41andytoshi:kanzure: not if you couldn't import keys without it, and make the casing depend on the private key so that it's hard to recreate
16:52:47gmaxwell:user factors are hard.
16:53:07kanzure:oh, so make the armor mandatory. hrm.
16:53:21kanzure:well, it would still be ignored
16:53:49gmaxwell:a lot of the problem reduces to "If I didn't trust this site, I wouldn't be using it."
16:54:09kanzure:"trust is good for you" is the common response i get
16:54:31kanzure:there are many advantages to not needing trust that don't seem to be easy to communicate
16:55:02gmaxwell:trusting and not needing to trust are also not mutually exclusive. Verification doesn't mean distrust.
16:55:11gmaxwell:But that seems hard to express to people.
16:55:33kanzure:which part is the verification in the "paste your private keys here plz" example?
16:55:33sl01:gmaxwell: what format was the goxaddrs.txt in ?
16:55:36gmaxwell:Also a lot of service operators instantly get offended when you suggest their service should be provable.
16:55:54gmaxwell:sl01: gzipped text of base58 encoded bitcoin addresses one per line.
16:56:28sl01:ah weird, i had to double unzip it thx
16:58:01nly:I discovered today I've been using -j and -z with tar for years unnecessarily... if the file extension is right it detects it automatically :(
16:58:08nly:well not today, a few days ago
16:58:58nly:come to think of it, it probably doesn't even depend on the extension
17:01:56rastapopuloto:rastapopuloto has left #bitcoin-wizards
17:10:10nly:nly is now known as HM2
17:14:00sl01:gmaxwell: what's the provenance of those mtgox addresses?
17:14:26flotsamuel:flotsamuel is now known as Dizzle
17:14:34just[dead]:just[dead] is now known as justanotheruser
17:21:55home_jg:home_jg is now known as jgarzik
17:24:53gmaxwell:sl01: they're extracted from the assumption that if a TX has signatures for addresses A, B, C and B is known as an mtgox address, A and C are too, which isn't a safe general assumption but it matches mtgox's operating practices to the best of my knowledge.
17:25:09gmaxwell:sl01: It was also spot verified by using MTGox's api.
17:25:32gmaxwell:About half the addresses return true as a customer deposit address— which is about what you'd expect, when considering change.
17:27:27sl01:gmaxwell: thx
17:32:31phantomcircuit:gmaxwell, that's a silly thing to get offended about
17:32:37phantomcircuit:gmaxwell, id be interested in doing that for intersango
17:32:39phantomcircuit:maybe people would leave me alone afterwards
17:41:22justanotheruser:justanotheruser is now known as just[dead]
17:42:22just[dead]:just[dead] is now known as justanotheruser
17:46:59austinhill:adam3us and I having a breakfast conversation about the incompetence of BTC
17:48:29jgarzik:austinhill, It is my opinion that BTC is too easy to use, if you are a programmer. So seductively easy to transfer money, that you do not think about the wider difficulties and attack landscape involved in securing millions in value.
17:48:55jgarzik:The more value you secure, the more bad actors are attracted, the more important security becomes.
17:49:49jgarzik:Also, "first generation" bitcoin attracted [lovingly!!] naive libertarians and crypto-anarchists who like the theoretical, pure idea of anonymous digital money
17:50:33jgarzik:People have to re-learn the basics of money and trust
17:50:35jgarzik:all over again
17:50:50jgarzik:bitcoin community is slowly re-learning lessons known hundreds of years ago
17:54:38wumpus:incompetence of BTC in comparison to what?
17:54:41austinhill:jgarzik: Yeah btc is too easy to use … the incompetence of Mt gox shows us all that
17:54:59austinhill:sorry meant incompetence of Mt Gox not btc
17:55:20wumpus:it's baffling indeed
17:56:16gmaxwell:I'm concerned the details will never be made public, ... which would be sad because we need to learn from their mistakes.
17:56:27gmaxwell:It would be foolish to assume other people couldn't make the same ones.
17:57:20jgarzik:Prediction: details will never be made public
17:57:29Persopolis:do you still hold the belief that gox was incompetence rather than fraudulent?
17:57:40jgarzik:I think Mark tried to do it all himself
17:57:45helo:yeah ^
17:57:49gmaxwell:I agree with that prediction, though perhaps more will be made public just to defend against claims of outright fraud.
17:57:52phantomcircuit:gmaxwell, im pretty sure i have a complete picture of what went wrong
17:58:17phantomcircuit:i believe their client failed to mark transactions which they had generated as unspendable
17:58:31phantomcircuit:which meant they had what looked like unspent outputs in an amount much larger than they did
17:58:54phantomcircuit:im pretty sure all of their auditing procedures were proper and everything, but their client was simply giving them the wrong balance
17:59:07austinhill:if we solved transaction scalability and had a better a blockchain we could improve the situation
17:59:07gmaxwell:considering the transfer limits, it's not clear to me how the losses could have been so large considering that. Or how they could have simultaneously kept refilling from cold while thinking they had the funds in hot
17:59:32phantomcircuit:gmaxwell, that last part is something i haven't been able to figure out
17:59:44phantomcircuit:and possibly is something we will never know
17:59:55phantomcircuit:because im sure it will be a pointed issue in some form of litigation
17:59:58Luke-Jr:it sounds like the wallet probably semi-automated transfers from the cold wallet, just telling people when it needed access
18:00:14gmaxwell:austinhill: I don't agree with this idea that you've repeated several times that all the exchanges transactions could be in the blockchain. I don't think it's reasonable, because of privacy and scaling— no matter how well you make things scale. Nor does it cover their USD side obligations so it's still incomplete.
18:00:29jgarzik:Yah, hot wallet top-off becomes a routine task, even though human intervention is required
18:00:34jgarzik:no inspection into "why"
18:01:04gmaxwell:Right but why would the system ask if it thought it had coins? ... and then wouldn't the hot balance claim 700k coins?
18:01:16gmaxwell:I propose a theory: there was no cold wallet.
18:01:20Luke-Jr:gmaxwell: hmm, true
18:01:21jgarzik:austinhill: agree w/ gmaxwell. Off-chain transactions systems are to be encouraged, even.
18:01:31jgarzik:perhaps will be numerous, in the future
18:02:08Persopolis:i find it incomprehensible that something of this scale could have happened in a short period of time, and if it didn't how they could not notice
18:02:09jgarzik:gmaxwell, I'd bet at least there were separate wallets
18:02:19jgarzik:with the one being less hot
18:02:24gmaxwell:austinhill: mtgox's peak transaction rates I think hit many hundreds of transactions per second. That's not reasonable in a global consensus system. They could have some kind of auditable system, indeed... but I can't see getting that into the one blockchain to rule them all.
18:02:28Luke-Jr:who was it that was promoting off-chain transactions in San Jose again? <.<
18:02:50phantomcircuit:Persopolis, the time period is more likely months to years
18:02:57jgarzik:Persopolis, period of time is years
18:03:10jgarzik:Luke-Jr, :)
18:03:13gmaxwell:well we can give a minimum bound on the time using comboy's data extraction..
18:03:36Persopolis:so how could it be possible that they don't notice that they were losing money
18:04:05helo:Persopolis: mark was the only one in a position to notice, and he assumed it wasn't possible
18:04:14phantomcircuit:Persopolis, like i said, their client was likely lying to them about its balance
18:04:25adam3us:gmaxwell: trustless exchange implies atomic swap of colored or tagged usdcoins for bitcoins. order match on server, or direct. scaling is the problem. but for example aside from gox you said u did not trust your coins to exchanges. therefore you already used it in this pattern. deposit, trade, withdraw. all your btc transactions were on blockchain.
18:04:29helo:so didn't implement or use rigorous auditing
18:05:06gmaxwell:adam3us: but I wasn't one of the thousands of parties providing constant liquidity to the market.
18:05:21Persopolis:phantomcircuit - and he never checked his actual wallets in all that period?
18:05:34phantomcircuit:Persopolis, his actual wallet was their client
18:05:52phantomcircuit:a wallet is merely a collection of unspent transaction outputs and private keys
18:06:16phantomcircuit:i believe their client was simply failing to mark unspent transaction outputs as unspendable
18:06:17jgarzik:a wallet is a keyring
18:06:20austinhill:adam3us: trustless exchange implies atomic swap of colored or tagged usdcoins for bitcoins. order match on server, or direct. scaling is the problem. but for example aside from gox you said u did not trust your coins to exchanges. therefore you already used it in this pattern. deposit, trade, withdraw. all your btc transactions were on blockchain.
18:06:23Luke-Jr:* Luke-Jr wonders if n00bs are starting to flood -wizards :|
18:06:30adam3us:gmaxwell: u do have the counter party risk of the usd.. but the issuing key can be offline
18:06:39phantomcircuit:jgarzik, it's not very useful w/o a list of utxo to spend though :P
18:06:45gmaxwell:adam3us: even there I seldom sold a bunch of coin all in a single transaction, and the trades often went to a half dozen different people (just based on the repeated entries in my sale data at different prices)
18:07:04adam3us:gmaxwell: it seems to me much of that "liquidity" is wash trade and other forms of blatant bot / price manipulation which is illegal in most jurisdictions
18:07:08jgarzik:phantomcircuit, agree, but that data may be obtained/derived as needed
18:07:14jgarzik:phantomcircuit, it's secondary
18:07:27phantomcircuit:austinhill, that's great and all except that there is no real liquidity in such a system, you're effectively arguing for an RFQ system vs CLOB
18:07:30adam3us:gmaxwell: true, but partly because of this ongoing washtrade... just look at the tickers
18:07:44phantomcircuit:localbitcoins.com and friends are RFQ
18:07:54phantomcircuit:there is a reason that there is far more liquidity on the CLOB exchanges
18:07:56adam3us:gmaxwell: but overall... yes the scalability issue is a killer.
18:08:03phantomcircuit:jgarzik, central limit order book
18:08:12Persopolis:so would transactions not start failing when his client's view of unspent outputs mismatched that of the network?
18:08:29Luke-Jr:Persopolis: they DID
18:09:11phantomcircuit:jgarzik, most of the us securities markets actually operate on a request for quote system, which is why high frequency trading is so prevalent, they can literally make money with zero meaningful logic simply by front running other participants
18:09:22phantomcircuit:with a CLOB HFT is essentially pointless
18:09:56adam3us:again on the gox incompetence: how could they not just spot check their cold outputs with different clients over different channels. I do that.
18:10:10Luke-Jr:uh, how?
18:10:18Luke-Jr:wallets are completely unportable right now
18:10:56phantomcircuit:Luke-Jr, well.... he could have checked his db against the reference client with getrawtransaction
18:10:56jgarzik:bah. nothing is "completely unportable" ;p
18:11:20phantomcircuit:and then only counted confirmed stuff as spent/spendable
18:11:48phantomcircuit:but to be fair the reference client has a similar but substantially less dangerous issue around reporting for zero confirmations
18:11:55Luke-Jr:phantomcircuit: getrawtransaction doesn't report a spent flag
18:12:11phantomcircuit:the principal difference being that he wasn't marking them as unspendable
18:13:06phantomcircuit:Luke-Jr, no but it does fail when the transaction is no longer spendable because of a conflict
18:13:18phantomcircuit:(yeah yeah relying on unintended behaviour etc etc)
18:13:18adam3us:Luke-Jr: but just like paste a list of wallet addresses through wget bc.i/ | awk
18:13:35phantomcircuit:adam3us, pretttty sure that wouldn't have worked
18:13:38adam3us:Luke-Jr: i mean the Karpeles guy is nominally a programmer
18:13:39phantomcircuit:they had lots of addresses
18:13:45adam3us:phantomcircuit: so?
18:13:50phantomcircuit:which is why they had their own client to begin with
18:14:02phantomcircuit:adam3us, millions of addresses in fact
18:14:12phantomcircuit:something tells me bc.i would have cried foul
18:14:15adam3us:phantomcircuit: so?
18:14:40Luke-Jr:or asked for payment :P
18:15:00gmaxwell:bc.i often has junk data, plus they block you after you pull a few thousand in a short time (apparently) unless you use the api key they leaked in the shared send sourcecode.
18:15:01wumpus:or using a local block chain and an address index
18:15:27Luke-Jr:probably a significant part of the problem was that Mark didn't fix the problem with immature coins when he learned about it
18:15:34phantomcircuit:wumpus, which is probably a more correct way of doing it
18:15:38gmaxwell:A screenshot someone sent me of some of my hijinx: https://people.xiph.org/~greg/21mbtc.png
18:15:39Luke-Jr:instead, he just decided to try to avoid it
18:15:55Luke-Jr:which means when transactions failed occasionally, he just assumed it was that issue
18:16:22phantomcircuit:Luke-Jr, if their wallet code handled it correctly
18:16:28phantomcircuit:then those issues were just an annoyance
18:16:38gmaxwell:I think MT thought it was just normal for txn to fail or not go through... thus the reissuing, thus the higher and higher fees.
18:16:48phantomcircuit:the problem is that they gave an attacker a big giant window
18:17:13Luke-Jr:I don't consider transparency part of the problem :x
18:17:22adam3us:surely there were some accidental ones or honest researchers who told them - hey you paid me twice
18:17:33gmaxwell:As I keep pointing out, if you look at the history of industrial disaster there are always layered faults...
18:17:53phantomcircuit:adam3us, there actually were a handful of reports in #mtgox over the past year
18:17:54Luke-Jr:adam3us: yeah, that's one of the things I wonder about..
18:18:00phantomcircuit:i fielded at least 3 of them
18:18:05Persopolis:I guess we've all heard of fiat based businesses run worse than that, no reason the same couldn't happen on btc
18:18:10phantomcircuit:but none of them seemed particularly credible
18:18:13gmaxwell:adam3us: I heard from someone recently who had been paid twice via USD and reported it and basically had to fight with mtgox to fix it.
18:18:17phantomcircuit:they do now
18:18:33gmaxwell:people have reported doubled btc payments, not many, not sure if they were correct or whatever... but there were reports.
18:18:48phantomcircuit:however 2-3 people over the course of a year is hardly something that would trigger a panic for me
18:19:00adam3us:gmaxwell: yep i've seen (and found) a few multi-fails myself (outside of bitcoin) often they involve like 3 or 4 simultaneous and very stupid failures, with ignored indicators.
18:19:07gmaxwell:esp because users do daft things like withdraw again and forget it.
18:19:16Luke-Jr:unfortunately, there are enough idiots out there that without at least a screenshot, I can see ignoring a few claims
18:19:33phantomcircuit:Luke-Jr, they were all marginally technical
18:19:40phantomcircuit:and without access to the mtgox database
18:19:45phantomcircuit:they seemed wrong
18:19:53gmaxwell:Luke-Jr: people have erroneously claimed eligius bogusly paid them— because they were confused about backpay when they'd stopped mining
18:20:08Luke-Jr:gmaxwell: exactly
18:20:55Luke-Jr:on the other hand, when multiple people were making reports of double-payout a month or so ago, we *did* take note and find it
18:21:02Luke-Jr:so I guess that's comforting
18:21:04adam3us:i just dont buy that anyone remotely competent running an exchange would not get nervous enough to run a batch job using another client and check their balance. you would think the #1 thing on your mind as custodian of that much btc, would be to check your position frequently
18:21:46Luke-Jr:I'd be scared to death to run an exchange. :x
18:21:48phantomcircuit:adam3us, in general the most dangerous part of an exchange is the database of balances
18:22:05phantomcircuit:at the end of the day everything else is reliant on those numbers
18:22:14helo:so if someone was to define best practices for a cold wallet, a naive approach would prohibit any inbound data to avoid the chance of attack code infiltrating the machine
18:22:19phantomcircuit:and yet bizarrely i've yet to see any exchange get ruined that way
18:23:27adam3us:well even the usd balance can be edited on the exchange and then cashed out via btc. even happens to banks now and then. probably undisclosed bank insider apart from the $45m prepaid balance hack.
18:25:22wumpus:phantomcircuit: wasn't mtgox hacked that way once? not a database hack, but selling non-existent coins using an admin account, dropping the price to <$1
18:26:03orperelman:Yes I think I remember that - in the 22 dollar rise
18:26:04andytoshi:adam3us: in 'The unbearable lightness of PIN cracking' the authors explain some easy hacks switch operators can do to steal funds, and suggest this as an explanation for phantom withdrawals
18:26:09orperelman:then they fucked again in the 255 mark
18:26:10Luke-Jr:wumpus: yes, using jed's codebase
18:26:25Luke-Jr:orperelman: what happened at 255?
18:26:32orperelman:They had lagging problems
18:26:35orperelman:if I recall
18:27:02orperelman:and it caused panic
18:27:13orperelman:266 yes
18:27:16orperelman:sorry, my bad
18:27:44Luke-Jr:"oh noes, lag"
18:28:37orperelman:Luke-Jr, I remember the price couldn't been seen for hrs
18:28:59Luke-Jr:somehow I cannot take it serious that you are comparing this to losing money
18:29:16orperelman:and they stopped the trading back then at one point as well - no that's not my point
18:29:16Persopolis:i worry that any evidence of what actually happened might not get secured
18:29:20orperelman:not comparing both cases of course
18:31:50Persopolis:if it is genuinely a case of negligence, then it would be beneficial to gox if there was no evidence to support that
18:31:54phantomcircuit:wumpus, actually yeah so i guess it's happened once
18:32:38ens:gmaxwell: i had to deal with that kind of fault once
18:33:22ens:gmaxwell: tv station went kaputt, over 50% of its material couldn't tx and all the stuff on the music channel was stopping after exactly 1 minute of playout.
18:33:39ens:it was layer upon layer of faults triggering faults all under _just_ the right conditions.
18:39:41Persopolis:Persopolis has left #bitcoin-wizards
18:41:47gmaxwell:adam3us: scared only lasts so long before it wears out, and I'm sure mtgox had a lot of other things to be scared of...
18:47:16phantomcircuit:gmaxwell, scared isn't really the right emotion either
18:47:21phantomcircuit:it's not a visceral fear
18:47:34phantomcircuit:it's not like you're going to be eaten by a bear or something
18:47:47phantomcircuit:it's more like you wake up at 3am and check things just because
18:47:58adam3us:any thoughts on this speculation that mtgox may still have some coins just with dodgy key management and some work to recover?
18:48:01phantomcircuit:you literally cannot do it for very long
18:48:56adam3us:i thought Karpeles basically admitted the leaked doc was mostly legit, that being the most scary stat in it - that they had only 2k btc left out of 744k
18:49:19gmaxwell:he didn't appear to comment on the stats, so who knows.
18:49:43phantomcircuit:adam3us, the doc was probably written before their database had completely finished reindexing
18:50:15phantomcircuit:it appears to be a worst case scenario plan of action with ideas just thrown at the wall
18:50:31phantomcircuit:it's unfortunate that it was leaked because im sure it's not their actual plan
18:50:43phantomcircuit:but contains some things which are
18:50:52phantomcircuit:which will mean people will assume it is all accurate
19:00:31jgarzik:he also seemed to note that the doc was written by a third party
19:01:52gmaxwell:my theory is that it was written by someone who received inside information as part of mtgox's effort to find a buyer... either as a genuine proposal, or as truthy disinformation.
19:03:40midnightmagic:might be a disinformation training campaign
19:07:31adam3us:now if we had mtgox chain code, presuming they were using an hd wallet for cold storage, maybe we could do some public analysis
19:08:22jgarzik:I do agree w/ sipa that we should get some HD basics into upstream sooner rather than later
19:11:50TD:i'd love for exchanges to start charging people to hold deposits
19:11:56TD:these huge piles of money need to be dispersed
19:12:42Guest62160:phantomcircuit: mark says the doc was not written by mt gox and the wording of it confirms this
19:13:21gmaxwell:TD: they _want_ to hold them alas.
19:13:23Guest62160:reasonable speculation is that it was a proposed plan by potential buyers / investors looking to bail out and take over, and assuming worst-case
19:13:46Guest62160:Guest62160 is now known as maaku
19:13:56TD:what makes you think that?
19:14:16maaku:maaku is now known as Guest31062
19:14:35Guest31062:Guest31062 is now known as maaku
19:15:29gmaxwell:makes it easier to trade, they've all generally implemented some amount of wallet functionality. (e.g. look at the mtgox green addresses as a high profile example)... bitstamp has a whole gigantic Bitcoin IOU thing with ripple.
19:15:35maaku:TD: they make money on trades, trades only occur with funds on balance
19:15:48gmaxwell:pigeons: Can you count up how much bitstamp btc exists in ripple?
19:16:41TD:the vast majority of customer funds end up in cold wallets, i.e. they are not being used for trading
19:16:42gmaxwell:several of them charge high fees to take funds out. E.g. I think BTC-E charges 0.001— and this isn't a bitcoin transaction fee, it's a fee to them.
19:16:53TD:these huge cold wallets pose significant risk for the operators and yet earn nothing
19:16:54gmaxwell:cold wallet funds are used for trading.
19:17:22gmaxwell:e.g. speculators churning funds back and forth are just churning database entries, until someone withdraws the funds are sitting in a cold wallet.
19:18:40TD:yeah, i was thinking of "real economy" trading. but sure, if those funds are actually mostly moving then it'd be difficult to disperse for sure
19:18:54TD:if they're being basically held long term on deposit though ...
19:19:04TD:it really depends on the velocity of money inside an exchange, which i do not know
19:19:49gmaxwell:and the distribution of the velocity. I think on average its quite high, (go look at gox historical volume)... but I suspect there is a lot of deadweight funds.
19:20:12gmaxwell:Still, so long as you underestimate the risk of holding those funds, you'd rather have them with you than— say— with the competition.
19:20:21jgarzik:It does seem like people holding millions should charge for deposit security
19:20:29jgarzik:a management and storage fee
19:20:49jgarzik:That's not a winning business model when everyone else is zero fee, of course
19:20:59gmaxwell:people get spazzy about fees too.
19:21:18jgarzik:bitcoin community seems to prefer "zero fee + high centralization risk" :(
19:21:26gmaxwell:e.g. the right thing to do is charge the fee conditionally on inactivity. But then people will mentally chalk it up as a constant fee.
19:21:42gmaxwell:and then, having no better way to evaluate choices, choose the zero fee competition.
19:22:07orperelman:It seems people care more about comfortability and zero fees than about security.
19:22:18orperelman:I mean look at how BTC-E is so successful.
19:22:19gmaxwell:plus, having to wait an hour to deposit encourages keeping balances if you think you _might_ trade.
19:22:21TD:we don't really know what they prefer, given that no existing exchanges levy storage fees
19:22:46gmaxwell:They've had negative storage fees.
19:22:59jgarzik:I think smart people assume average people reason about their choices far more than they actually do... a lot of times this boils down to (a) it's easy and/or (b) that's what Joe Nerd showed me
19:23:06gmaxwell:orperelman: It's like what I said previously: People wouldn't use a service if they didn't think they trusted it.. so since they trust it…
19:23:16TD:i suspect a lot of it is also driven by a reasonable fear of being your own bank
19:23:25TD:it's easy to assume money in an exchange is safer than money on your laptop
19:23:25gmaxwell:TD: bitcoinica and bitfinex and I think one other place have had negative fees on deposits.
19:23:30TD:and this may or may not be correct, i guess
19:23:37TD:gmaxwell: they gave you money for depositing?
19:23:51midnightmagic:Very old people consider money in coffee tins to be safer than in a bank.
19:23:53jgarzik:Bucket Shop.
19:24:00TD:"negative fee", interesting way to phrase it :)
19:24:16orperelman:It's amazing though - how can you trust a service which you don't know who runs it + coins getting disappeared from wallets all the time?
19:24:27TD:calculated risk i guess
19:24:29gmaxwell:orperelman: everyone else uses it
19:24:34TD:people put a bit of money in, value goes up a lot
19:24:41midnightmagic:orperelman: "social proof"
19:24:49jgarzik:TD, that's a big part of it too
19:24:52TD:seems easier to just keep it there rather than learn about running your own wallet
19:24:58jgarzik:700,000 BTC sounds like a lot today
19:25:03TD:i'd like to see exchanges team up with the trezor guys
19:25:12gmaxwell:I dunno, I use btc-e to sell namecoins and I'm personally convinced they have to be fractional (because they've had some amazing compromises that cost them coins and just kept running)
19:25:15TD:if exchanges sold trezors, this would solve several problems simultaneously (with some tweaks to the trezor itself)
19:25:24jgarzik:I'd like the exchanges to be SPOF-proof, including key men
19:25:50TD:1) trezors could be given a private key + cert at manufacturing time, allowing them to generate payment protocol requests for themselves that are verified by the exchange. allowing money to move from exchange to trezor inbound, safely, even with a compromised host
19:25:51midnightmagic:gmaxwell: That seems to me to be more a sign of something else to me.
19:25:58TD:2) it educates users and gets the hardware in front of them
19:26:33TD:3) if the trezor hardware was secure enough, it could sign the Payment messages submitted to exchanges for outbound sends, and the exchange could use that as a trust signal that double spending was unlikely, so allow faster deposits
19:26:53TD:jgarzik: i don't think it's possible. i was pondering the kidnapping problem lately.
19:27:02orperelman:Gmaxwell - you sold your namecoins and left your bitcoins there?
19:27:07jgarzik:DAMMIT. Someone already got bitcoin.tips and bitcoins.tips (now gTLD)
19:27:09orperelman:or moved your bitcoins back to your wallet?
19:27:11gmaxwell:TD: yea, PT had jumped on trezor early on to ask it to be able to display and sign arbitrary messages so you could authorize logins and withdraws and stuff, and he got an out-of-scope response. .. but V1.
19:27:24gmaxwell:orperelman: no I don't _leave_ anything there of course.
19:27:35jgarzik:TD, you can reduce it with multi-sig, A/B teams
19:27:35TD:jgarzik: currently we get a lot of herd immunity, and it doesn't make sense to kidnap/extort exchange operators for huge amounts because to convert them into dollars and buy all the juicy stuff you'd have to immediately go sell them back on the same exchange
19:27:40TD:jgarzik: no. doesn't work.
19:27:42gmaxwell:orperelman: except maybe for a day or two while a limit order executes.
19:28:06TD:jgarzik: CEO's daughter is kidnapped. kidnapper sends video via Tor saying he'll kill her within 72 hours if there isn't a 10,000 BTC transfer to the given address. people believe him.
19:28:09TD:jgarzik: result: all parties sign
19:28:24orperelman:gmaxwell - that's a good point - so a lot of people use BTC-E just to exchange alts and immediately cash out.
19:28:28jgarzik:TD, it's not a binary work/doesn't work. it makes the attack more difficult.
19:28:31gmaxwell:TD: I think you would have no problem showing up someplace and saying "I have a million bitcoin that you can't sell for a decade or so, who wants to buy it for 10cts on the dollar" You'll get buyers.
19:28:33TD:we're hard-wired to value human life above any amount of money. multi-sig is useful in some situations like when someone is compromised and trying to hide it. but not in this case
19:29:04jgarzik:TD, ideally there is a multi-organization or algorithm-driven multi-sig that is even more resistant... but that is accordingly harder to build
19:29:34TD:whilst people are involved, i'm not sure it can work. it's very very hard to get people, even in institutions, to willingly let other people die over money.
19:29:46TD:though i hate to say it, the british government is one such institution that's willing to do that
19:29:59TD:it has a "no paying kidnappers" policy and victims have in fact been killed as a result of it.
19:30:29TD:very difficult ethical dilemmas here.
19:30:58gmaxwell:Paying kidnappers just encourages more kidnapping. Often people believe the person will be killed regardless of the payment anyways— usually safer for the kidnappers.
19:31:07TD:of course
19:31:46TD:it's easy to see why it's done. hard to enforce though. governments can make such a policy for themselves. enforcing a "no pay" law on citizens would be very hard though. people would end up victimised twice.
19:31:57midnightmagic:The chances of retrieving a son, on the other hand, will cause a parent to pay. Also, companies will often pay ransom for their operators, and the process is insured.
19:31:58jgarzik:That's why some real world systems feature gadgets like time locks
19:31:58TD:i think secure hardware might be a part of a solution
19:32:10jgarzik:Time locks are a simple example of proving that humans are out of the loop
19:32:10TD:jgarzik: indeed
19:32:35TD:smartcard chips could enforce a variety of rules that no human can overrule
19:32:44TD:at least not in any reasonable amount of time
19:32:53HM2: we're hard-wired to value human life above any amount of money.
19:33:04HM2:except the people who take human life for money?
19:33:32TD:er, context matters :) obviously i was talking about the lives of people very close to you
19:33:36gmaxwell:well not just smartcards but N of M smartcards in various separate locations.
19:33:36TD:not random strangers
19:33:42zooko:Not really on-topic, but still maybe relevant: https://www.eff.org/deeplinks/2014/02/open-letter-to-tech-companies
19:33:45zooko:Just came out.
19:34:26TD:i think the rules for such smartcards would be interesting. simple time locks are too inflexible - you still need to be able to spend your money when you want it
19:34:32TD:and kidnappers can hold people for a while
19:35:08TD:possibly, some kind of "can spend if the receiver meets criteria X,Y,Z and can do a 'cash withdrawal' of K coins per month" etc
19:35:13TD:so perhaps emulating bank policies in hardware
19:35:15zooko:Does anyone here have experience buying or operating HSMs?
19:35:44TD:i've never found a crisp definition of what makes something an HSM, actually
19:35:50zooko:By the way, I'm currently looking for someone with experience in real adversarial network-, info-, operational- security.
19:36:21zooko:I.e., if you could tell stories of actual info attacks you've experienced, then you would do well in a job interview.
19:36:37zooko:Or if you know someone like that, please introduce me.
19:36:46zooko:TD: hi there! Nice to see you.
19:36:59TD:hey zooko :)
19:37:03zooko:TD: I know what you mean about the definition of HSM.
19:37:23zooko:So, I'm thinking of buying and operating HSMs for the same reason I'm looking to hire an experienced opsec person.
19:37:28TD:i can tell many interesting attack stories, unfortunately, they're all confidential .....
19:37:37TD:so by "can" i really mean "can't"
19:37:39zooko:TD: well, you personally just took a new job didn't you?
19:37:56TD:i'm currently an unemployed person
19:38:02sipa:so sad
19:38:17zooko:Sometimes known as funemployed!
19:38:34TD:it's been pretty fun so far :)
19:38:50sipa:i was unemployed for a year; i spent some time rewriting bitcoind then :p
19:38:59TD:albeit, because 50% of my unemployment has been spent on holiday :)
19:39:07gmaxwell:the IBM cryptocards show up on ebay pretty cheap from time to time, I plan to get a few sometime after the second or third hour-in-a-day expanders.
19:39:25TD:the IBM cards are great, but my understanding is, also discontinued
19:39:27orperelman:Sipa, core dev is like a rock star nowadays ;)
19:39:36GabNet:In case you are interested in other investment methods... https://leancy.com/~GabNet .... Promised 5% daily income. Greetings.
19:39:38GabNet:GabNet has left #bitcoin-wizards
19:39:39zooko:TD: I sent you private messages just now.
19:39:40TD:next gen intel chips will also have hardware security (that might actually work). unfortunately no ship dates have been announced
19:39:48TD:oops, so you did
19:39:51TD:* TD resizes window
19:39:51jgarzik:and better RNG seeding
19:40:15jgarzik:though, amusingly, "better" is defined operationally as "running the same speed, but failing more often"
19:40:51TD:gmaxwell: my understanding is that to get the dev kit, you have to take out an IBM support contract :(
19:41:01TD:so .... not sure if you can locate the stuff needed in other ways. Hal used to have one
19:41:06gmaxwell:I have never been unemployed since I was first employed 18 years ago, unless you count a weekend once where my employment was scheduled to begin on the following monday.
19:41:12zooko:So, there are these products that are used by CA's, I think.
19:41:23zooko:And maybe private-CA's.
19:41:38gmaxwell:TD: yea, I actually tried asking hal if he still had the developer tools and his card some time ago, but I guess it didn't cross the threshold of getting a reply. :(
19:41:44jgarzik:zooko, nice! the EFF mentions reproducible builds! :)
19:41:47zooko:This sort of thing: https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules
19:41:50TD:i wonder if he's even still alive :(
19:41:50zooko:jgarzik: yeah!
19:42:09zooko:The topic of Hal's illness and probable imminent mortality makes me sad.
19:42:10TD:iirc the ibm cards were made for banks
19:42:23TD:not sure CA's use them. they use other things, i think
19:42:33sipa:it's been a while since i read anything about hal
19:43:02zooko:TD: I know a guy who has done a lot of CA work, and he emphatically insisted that HSMs are de rigueur.
19:43:16zooko:But, I haven't found anybody (else) who has hands-on experience with them.
19:43:25zooko:And that guy isn't available to hire...
19:43:29TD:yes, i think it might actually be a CA/B requirement
19:43:37gmaxwell:zooko: I've seen the HSMs that verisign was using.. uh. if I think for a bit I can remember the brand.. in any case I'd looked them up at the time and thought they were too fixed function to be interesting.
19:43:39zooko:TD: Oh yeah, it is. I remember looking that up, now.
19:43:53zooko:Yeah, me too.
19:44:00TD:i know CA's use things called "HSMs" but i'm not sure they're the same thing as the IBM cards. also, i'm not sure how it helps. "secure hardware" that signs whatever it's asked to seems ...... not secure
19:44:06TD:there has to be a way to run custom business logic on them
19:44:19TD:and then they're just normal computers, perhaps that are tougher to open and attach logic analyzers to
19:44:40zooko:But now I have a
19:44:43zooko:Wow! This is cool: http://antonopoulos.com/2014/02/25/coinbase-review/
19:45:12gmaxwell:TD: yea... well it would at least potentially rate limit your access. The IBM cards were something special though. still not perfect. But if you combine ibm cards (like devices) with distributed control.. you get the "wait, you want me to drill my signer device .... uhhh lemme get back to you on that"
19:45:16zooko:Okay, well I've gotta get moving to get to a meeting.
19:45:26gmaxwell:zooko: I think it's exactly the opposite of cool.
19:45:46gmaxwell:That's the same trust me security crap that Roger Ver did for mtgox a few months back with the "mtgox's problems are the banks" video.
19:45:46zooko:If you think of someone who has practical opsec experience and might be available to hire, please email zooko@LeastAuthority.com.
19:45:55TD:yes. i liked the IBM cards too. was sad when i read that they weren't available any more
19:45:56zooko:gmaxwell: I understand your point.
19:46:00zooko:Okay, bye for now folks!
19:46:18gmaxwell:If 1/5th of coinbase's coins were unspendable due to corrupted private keys, his test would be overwhelmingly unlikely to uncover that.
19:46:33jgarzik:gmaxwell, yeah, it was a silly, gimmicky test
19:46:43TD:that's true, however, it is better than no audit at all
19:47:26TD:got to start somewhere
19:47:41TD:i think the bar will only be raised from here
19:47:43jgarzik:leveldb code < bitcoind code
19:47:44gmaxwell:There are places offering to pay for statements like that FWIW, if you're looking to make a buck.
19:47:55gmaxwell:But they are not interested in real audits.
19:48:01gmaxwell:So good luck with that.
19:48:01sipa:jgarzik: how so?
19:48:25jgarzik:sipa, subjectively, I think our code is better
19:48:36sipa:ok :)
19:48:59TD:jgarzik: errrrrrrrrrr ... :) ok .... :) if you say so
19:49:14sipa:let me respectfully completely disagree :)
19:49:57HM2:bitcoind code isn't the best C++ code I've ever seen, but I've seen a lot lot worse
19:50:56TD:perhaps i got warped by years of working with google-style c++ but i much prefer the leveldb code to bitcoin's
19:51:23sipa:even regardless of style, it's cleanly separated into modules, classes that hide access to their members, ...
19:51:51sipa:bitcoin has a few places that are like that, but the majority is still very chaotic
19:52:55HM2:but bitcoind isn't a library
19:53:06sipa:not very relevant
19:53:17HM2:it doesn't need to worry about maintaining a stable API internally or binary compatibility, leveldb does
19:53:23HM2:in theory?
19:53:37TD:i don't think leveldb commits to a stable api or abi. it's designed to be statically linked into other apps
19:53:40TD:(specifically, into chrome)
19:53:44sipa:stability of APIs is less important perhaps indeed
19:53:59sipa:but having APIs for the different pieces to communicate with each other is
19:54:06sipa:separation of concerns etc
19:55:08HM2:I dislike a lot of Google C++ codebases, some of it is just style friction
19:55:11HM2:they're very conservative
19:55:43HM2:I like that Facebook have embraced modern C++ style and practice
19:55:54HM2:much of libraries like folly are well-written imho
19:56:15TD:there's a lot of ex-googlers at facebook these days ... it used to all be PHP over there :)
19:56:39TD:but by the time i left google3 was modernising quite fast. c++11 features were being whitelisted all the time. so i think you'll see more modern c++ in new releases
19:56:48HM2:Andrei is championing modern C++ there and D now
19:57:32TD:i remember when i cared about D
19:57:36BlueMatt:wait, I thought we were just listing letters
19:57:51HM2:D still has a chance
19:58:03sipa:oh? i think we were listing the first character of android releases
19:58:06HM2:newer C++ standards are going to squeeze that chance out though
19:58:27HM2:there's a lot of blowback on features like traits
20:03:57orperelman:Bluematt - lol
20:18:56phantomcircuit_:phantomcircuit_ is now known as phantomcircuit
20:36:21jron:/lastlog leaked 10
20:45:50pigeons:gmaxwell: bitstamp (rvYAfWj5gh67oV6fW32ZzP3Aw4Eubs59B) has issued 3,521.6586376551745 BTC in ripple, 261.47741227315123 BTC of that is held by their "hotwallet" (rrpNnNLKrartuEqfJGpqyDwPj1AFPg9vn1) that sends the ripple payments.
20:47:23justanotheruser:justanotheruser is now known as just[dead]
20:47:48mike4:mike4 is now known as c--O-O
20:48:41gmaxwell:pigeons: thanks. :)
20:49:41gmaxwell:TD: ^ so for example, bitstamp has 3,521.65 in bitcoin they're holding (hopefully) just to back people trading around via the ripple network. This isn't suggestive to me of someone who is trying to avoid holding other people's funds. :)
20:50:37phantomcircuit:pigeons, that is a comically small amount compared to the size of their trading volume
20:50:51pigeons:there isnt a lot of action on ripple
20:50:59phantomcircuit:i know
20:51:05phantomcircuit:and it fills my heart with happiness
20:55:39pigeons:offtopic, but bitstamp disabled their "bitcoin bridge" which is opaquely integrated into the ripple labs client for sending real bitcoins to bitcoin addresses when mtgox disabled their btc withdrawals, and it is still not enabled. you can still make a ripple payment to your bitstamp account and withdraw the btc from the bitstamp site. it is assumed bitstamp is too busy with recent events to re-enable
20:56:11michagogo|cloud:21:27:10 DAMMIT. Someone already got bitcoin.tips and bitcoins.tips (now gTLD)
20:56:27michagogo|cloud:Someone in Estonia and India, respectively... I wonder what they're planning to use them for
20:56:37phantomcircuit:pigeons, sounds like maybe they had btc on mtgox
20:56:41TD:selling them, i imagine
20:56:45phantomcircuit:although i cant understand why
20:56:48michagogo|cloud:21:39:09 the IBM cryptocards show up on ebay pretty cheap from time to time, I plan to get a few sometime after the second or third hour-in-a-day expanders.
20:56:48michagogo|cloud:What are hour-in-a-day expanders?
20:57:37michagogo|cloud:bitcoins.tips has an email address from http://msourceone.com/companyoverview.html
20:58:11michagogo|cloud:The other may just be some individual
20:58:43michagogo|cloud:Ah, bitcoin.tips is bought for resale
20:58:57michagogo|cloud:And bitcoins.tips is just parked
20:59:32TD:gmaxwell: do you know why eli et al didn't release any code yet?
21:01:14gmaxwell:TD: No, though I've talked to them some on various technical things I've not bothered them for a code release because I don't want to do that unless I can say in the message that I'll personally do something with it. ... though maybe I should just code up a blind proof of owning a coin, and then I'll be able to at least tell them that I'll try it.
21:01:49gmaxwell:I think, fundamentally, the problem is that they don't need to publish code to publish papers. :)
21:02:01TD:yeah. i was thinking the same thing. i want to play with such things, but then, i got a threshold RSA implementation from some other researchers and then never used it .....
21:02:26TD:probably also they want to do big rewrites and/or don't want to do tech support except for other researchers
21:02:49gmaxwell:It's likely that the implementation is crap, bubblegum and duct tape. But you have to start somewhere.
21:03:12TD:well that'd be fitting for anything bitcoin related
21:06:01gmaxwell:Mostly I'd want it for technology demos. Actual production use will take years of maturation which needs to start with being aware of the possibilities.
21:11:49TD:i think we can find uses for it already that are purely additive, that is, if it fails completely and turns out to be worthless, we're in no worse position than where we started
21:12:21jgarzik:new wallet, https://test.greenaddress.it/en/
21:14:46gmaxwell:TD: the various flavors of the cryptographic backend stuff have different tradeoffs between zero-knowledge and soundness. Some of them (like the CRS GGPR'12 stuff in most of the publications) has information theoretic zero knowledge— even if the scheme is broken it very likely won't leak data— but only cryptographic soundness,— you can get fake proofs if the crypto turns out to be weak.
21:15:24gmaxwell:Other ones flip that around: the ZK is only computationally sound, but the soundness is without crypto assumptions (if it were unsound it would be due to software bugs).
21:15:47gmaxwell:so if you align the usecase with the weaknesses you can get better purely additive effects.
21:15:48TD:jgarzik: well that's an impressive list of features
21:16:24gmaxwell:Hack proof!
21:16:46TD:jgarzik: i see no mention of their revenue model
21:17:06TD:also where did you find this? it appears to be a half finished website
21:17:34gmaxwell:"GreenAddressIT Ltd takes no responsibility for and will not be liable for any financial loss arising from the use of our wallet service including any of the following." "Financial loss due to server hacks" ... but they said it was hack proof!
21:18:26TD:it's obviously not hack proof against bogus software updates, and i'm sure they know it
21:18:55TD:i tried creating a wallet and it isn't working
21:19:02phantomcircuit:gmaxwell, if they dont have your private key
21:19:03TD:but then it is a test site, i guess
21:19:08phantomcircuit:then how can they set transaction limits
21:19:09gmaxwell:phantomcircuit: it's a webwallet.
21:19:14gmaxwell:phantomcircuit: multisig.
21:19:33phantomcircuit:great so they lose their half of the key and everybody is boned
21:19:45TD:still, if/when it launches, that could be a very impressive wallet
21:19:51phantomcircuit:at least it's iteratively better than bc.i
21:21:10gmaxwell:The hyperbole needs to go though. Part of the reason that we don't get better solutions is that existing ones mislead people about their security.
21:21:35BCB:BCB is now known as Guest38327
21:21:46gmaxwell:If they want to claim this stuff, they can give me the server software and start using a wallet I host for their own usage— I get to keep whatever coins I can steal. :P
21:21:58TD:i don't know about that. the costs of wallet development are just going up beyond what volunteers can do. so then people look for ways to fund it. it's much easier to get funding for making a web service than a regular app, i guess
21:22:42TD:investors feel like they "get" web service based business models, whereas pure downloadable software just gets pirated a lot
21:22:49phantomcircuit:TD, building a reasonably secure shared webwallet costs takes approximately 4 hours of competent developer time
21:23:17Luke-Jr:phantomcircuit: I don't agree.
21:23:21TD:i look forward to seeing the competitive phantomcircuit wallet written in 4 hours
21:23:26gmaxwell:I don't begrudge them making a living, or even making a webservice... but they should try to not mislead about what they can offer.
21:23:29Luke-Jr:but I have high standards for "reasonably secure"
21:23:55phantomcircuit:TD, i cant run it since im in the us and that would be money transmitting
21:24:21TD:good excuse. if you don't have access to customer funds then you are not transmitting the money, according to any legal interpretation i'm aware of
21:24:25phantomcircuit:TD, you forget that i've essentially run intersango for 3+ years now with losses less than 0.01% of total value
21:24:57phantomcircuit:TD, that interpretation is misguided and whomever gave it to you should have their head checked
21:25:15phantomcircuit:TD, the vast majority of money transmitters are merely transmitting payment instructions
21:28:36TD:i think it's your interpretation that's misguided, but you could still prove your claim by making a wallet for testnet coins with no real risk
21:29:10phantomcircuit:TD, looking at all of the past failures they all have two things in common
21:29:18phantomcircuit:either the operator stole the funds
21:29:41phantomcircuit:(no existing javascript wallet protects against an active attack here, the bc.i plugin thing is bullshit)
21:29:56phantomcircuit:or their hot wallet server was compromised
21:30:12phantomcircuit:generally speaking if your wallet server is compromised the web server is also
21:30:19phantomcircuit:in which case goto 1
21:31:05phantomcircuit:realistically what keeps these services actually secure is auditing and correct accounting of records
21:31:15phantomcircuit:but that's actually difficult
21:31:25phantomcircuit:so instead people try to do multisig whatever gizmos
21:32:26phantomcircuit:but you know that's just my opinion...
21:33:43iddo_:iddo_ is now known as iddo
21:37:24aksyn:aksyn is now known as Guest59861
21:38:01imsaguy:TD, you forget that i've essentially run intersango for 3+ years now with losses less than 0.01% of total value << are you still incrementing that age? I hadn't heard the name intersango in so long, I figured it was shut down.
21:38:39phantomcircuit:imsaguy, intersango still holds a pretty significant amount of btc which is customers
21:38:56phantomcircuit:im actually working on an orderly process for returning it all
21:39:04phantomcircuit:but it's taking a while to get legal stuff sorted for it
21:39:06imsaguy:you've halted the wallet
21:39:27imsaguy:so there's not much security risk at this time.
21:39:28phantomcircuit:imsaguy, for about 2 months
21:39:48imsaguy:so they don't count
21:39:49phantomcircuit:imsaguy, the value of what was being held rose about 100x
21:39:58phantomcircuit:so allowing password resets via email and etc wasn't safe compared to the value anymore
21:40:15phantomcircuit:(especially with effectively zero revenue)
21:40:21imsaguy:phantomcircuit: that all depends on which exchange you compare the price to.. in gox dollars, its like 10%
21:40:34imsaguy:and in today's gox, its 0
21:40:47phantomcircuit:imsaguy, regardless of that
21:41:11phantomcircuit:this was all written and designed when all bitcoins in existence were worth < 100m usd
21:43:18imsaguy:Do you have provable reserves?
21:43:51phantomcircuit:imsaguy, you mean do we have reserves which have been proven
21:43:55phantomcircuit:or which could be proven
21:43:58phantomcircuit:very different questions
21:46:40HM:is the liquidity still too low for any of the 'real'/established financial institutions to run an exchange?
21:46:42imsaguy:Proving reserves 6 months ago vs proving reserves now are two very different things by your own statement.
21:47:02imsaguy:I asked if you have provable reserves, which I thought was pretty clear to mean present tense.
21:48:32phantomcircuit:imsaguy, the phrasing of the sentence could mean either thing
21:48:58phantomcircuit:which is why i asked :)
22:04:38imsaguy:phantomcircuit: Do you, at this present time, have total bitcoins stored by the exchange or elsewhere but dedicated only to the exchange, equal to the total number of bitcoins deposited there by all users?
22:04:53phantomcircuit:imsaguy, yes
22:05:07phantomcircuit:and the people for whom it really matters are by and large not mad
22:05:27imsaguy:I'm not looking to start crap, I just figured it was worth asking.
22:06:52gmaxwell:FWIW, phantomcircuit has expressed interest in implementing that obligations/liabilities scheme I've described on several occasions going back a year or so.
22:08:15imsaguy:gmaxwell: Judging by pc's claim that it'd only take 4 hours to write a good web wallet and any "good" web wallet would be able to prove assets and liabilities, I would assume it'd take less than 4 hours. Why hasn't it been implemented yet?
22:09:45phantomcircuit:being able to prove assets/liabilities w/o a trusted auditor is hardly something i would expect a good web wallet to do at this time
22:10:04phantomcircuit:it's simply not something that has been worked through enough
22:10:39gmaxwell:imsaguy: because no one gives a shit, you ask the operators of services about this stuff (as I have, as have others— e.g. iwilcox) you get a long explanation about how trustworthy they are.
22:10:57imsaguy:gmaxwell: I know. My question to you was already answered in my head.
22:11:01gmaxwell:and if you press you insult them even if you take care to specify that you're thinking about things like rogue employees or hacks.
22:11:10gmaxwell:and the users do not demand it.
22:11:48gmaxwell:go watch in #bitcoin ... you'll frequently see n00bs telling other n00bs that bc.i is highly secure because only you have your private keys... or mtgox is secure because you can get a yubi.
22:12:11imsaguy:gmaxwell: I idle in there, but I'm usually not actively reading it.
22:12:18HM:it's the same outside of bitcoin
22:12:29gmaxwell:In Bitcoin we can do something about it.
22:12:35HM:companies don't go out of their way to prove they are trustworthy via technical means
22:12:36imsaguy:gmaxwell: see pm
22:12:37gmaxwell:(and we have more need to)
22:12:41sipa:gmaxwell: it's an amazingly prevalent idea
22:13:04sipa:"the key never leaves my computer" - "which code guarantees that?" - "theirs!"
22:13:36HM:that applies to pretty much every program or app anyone uses
22:14:03gmaxwell:sipa: Roger Ver was plugging exactly that like on — I assume facebook— luke commented about that and he deleted his comment. There are real reasons why improving the security model is hard, but it irritates me that people running these services are not frank (if not quite deceptive) about the limitations.
22:14:43sipa:there is an actual difference though: with a client-side in-browser key, they still can't steal all accounts at the same time
22:14:47imsaguy:gmaxwell: that's pretty much what keeps getting these exchanges in trouble by the 3 letter agencies. If they'd just be frank about the risks, it'd go a long way towards being 'legit'.
22:15:02sipa:but i've often warned that thinking that the key is theirs is a false sense of security
22:15:31gmaxwell:HM: window of exposure is a bit different... give me a bump in the wire in front of BC.i's servers for a few weeks and I bet I could steal a substantial fraction of their users funds. Hell, I'd put up a sizable bet on that.
22:16:04DBordello:HM, blockchain.info
22:16:09gmaxwell:blockchain.info (very popular web wallet)
22:16:30midnightmagic:blockchain.info, a really not-friendly network participant that confuses lots of people and gets them in trouble with law enforcement
22:16:44gmaxwell:The fact that strongcoin actually clawed back stolen funds successfully using this capability seems to have not opened anyone's eyes.
22:16:53DBordello:midnightmagic, how does BC.i get people in trouble with law enforcement?
22:17:14DBordello:gmaxwell, I was just thinking that. The ozcoin fiasco should have scared everyone away
22:17:23phantomcircuit:DBordello, they operate a service for the express purpose of money laundering
22:17:36gmaxwell:midnightmagic: still not sure that wasn't trolling... :( but yea.
22:17:40phantomcircuit:they fraudulently claim to delete the records, which they do not
22:17:41DBordello:The mixer? I thought they shut that down
22:17:54phantomcircuit:DBordello, they just changed the name to shared send
22:18:01HM:the web makes it easy to hide your incompetence on the server side. as long as your frontend is pretty. 300 million stolen passwords leaked again recently from some site yet to be identified
22:18:05midnightmagic:DBordello: LE supposedly busted down someone's door because bc.i didn't specify in their "tx originated here" geolocation that it's completely inaccurate.
22:18:06phantomcircuit:and got rid of the giant picture of the guy with the v mask
22:18:30DBordello:midnightmagic, yikes
22:18:47DBordello:phantomcircuit, Interesting, thank you.
22:18:49imsaguy:that's also a pretty weak search warrant
22:18:56imsaguy:a good lawyer would tear that apart
22:19:59phantomcircuit:imsaguy, great you can sue the state for busting down your door and maybe get compensation for fixing it
22:20:04phantomcircuit:otoh they might have shot you
22:20:10phantomcircuit:but they didn't
22:20:15phantomcircuit:so no harm no damages right?
22:20:17HM:christ, i'm out of the loop. i thought blockchain.info was reputable
22:20:24midnightmagic:gmaxwell: I don't suppose you could hint at the issue number could you? I can't find it anymore.
22:20:29imsaguy:you're always at risk of being shot by LE
22:20:33midnightmagic:HM: It *never* has been, it's brutal.
22:20:41imsaguy:if you comply with their directives, you greatly reduce that risk.
22:21:00gmaxwell:midnightmagic: https://github.com/bitcoin/bitcoin/issues/2653
22:21:17Luke-Jr:I'd probably shoot back.
22:21:21midnightmagic:gmaxwell: Thank you. DBordello ^^
22:21:26imsaguy:lol Luke-Jr
22:21:31imsaguy:you probably would.
22:21:36Luke-Jr:unless they gave me time to call 911 and verify
22:22:05imsaguy:Actually, so long as you aren't destroying what they consider to be evidence, they'll give you time to verify
22:22:26gmaxwell:The US is weird, federally its lawful to use deadly force to stop an unlawful arrest, presuming lesser means have already failed. .. uh.. though ... probably not wise to depend on this.
22:22:39Luke-Jr:imsaguy: it's when they suddenly break in unannounced that I'm concerned about..
22:22:49DBordello:What if they knocked politely?
22:23:21Luke-Jr:my door has a flap I can open to talk through
22:23:35gmaxwell:in any case, this isn't #bitcoin-gunnuts. :P
22:23:43Luke-Jr:I won't open it until I've verified they're legit, and have a right to be there
22:23:47Luke-Jr:open the door*
22:23:57gmaxwell:the take away is that harm is done by unwelcome attention, no matter how things turn out.
22:24:17HM:I opened the door to a policewoman the other day who 'just called to see everything was OK'
22:24:26HM:I asked if anything was up in the neighbourhood and she said no
22:24:30HM:I am now suspicious
22:25:25gmaxwell:meh, no use being suspicious.
22:25:47Luke-Jr:coulda been a thief checking if you were home
22:27:10HM:Last year there were some shifty looking windows salesmen selling super secure windows and doors. few nights later there were some attempted breakins and damage to doors and windows
22:27:23midnightmagic:Sounds shifty.
22:27:40DBordello:They should have come a few days later
22:27:51Dizzle:HM: how recently was this? If a friend knew you had goxcoins or something, they might have called the cops to come check on you.
22:28:08imsaguy:See, I didn't lose any coins to gox
22:28:14imsaguy:I keep them all safely at mybitcoin.com
22:28:29DBordello:I have mine in deep storage at bitcoinica. No need to ever check up on them
22:28:41HM:Dizzle, if I had Goxcoins I'd want to be committed.
22:29:04Guest38327:I'm still waiting for coins back from mybitcoin.com
22:29:23Guest38327:Guest38327 is now known as BCB
22:30:07imsaguy:BCB: SASL ftw
22:30:28BCB:imsaguy: ???
22:30:39phantomcircuit:HM, that is quite possibly the most suspicious thing i have ever heard
22:30:45midnightmagic:Luke-Jr: This might make you happy. http://m.torontosun.com/comment/columnists/alan_shanoff/2010/05/14/13956236.html :)
22:30:54BCB:Simple Authentication and Security Layer
22:30:57midnightmagic:Come to Canada.. it's nice up here. We have lots of trees.
22:30:59HM:phantomcircuit, it seemed more suspicious before i typed it
22:31:03imsaguy:BCB: http://freenode.net/sasl/
22:31:25BCB:imsaguy: english
22:31:33HM:phantomcircuit, i live in a road full of elderly, since i moved here a few years back it's been stunning how many coldcallers there are
22:31:55HM:door salesmen
22:32:03midnightmagic:BCB: You should connect to freenode *with your account name and password as the server password*. You wouldn't have the issue then where you just revealed your IP address to us all.
22:32:13imsaguy:BCB, it auths you before you completely join freenode so that it doesn't show you was guest and it also applies your cloak before joining channels so you don't leak your info
22:32:31BCB:I'm using znc on a server
22:32:39imsaguy:so your znc would need to use sasl
22:32:41imsaguy:most support it
22:32:41BCB:with Chatzilla
22:32:50BCB:too fucking complicated
22:32:53midnightmagic:imsaguy: Or it can just use SSL and supply the user:pass as the server pass.
22:33:02imsaguy:midnightmagic: true
22:33:11BCB:I probably rebooted my server and didn't reset the config
22:33:37HM:midnightmagic, might be less secure. not sure if znc encrypts server passwords in its config file
22:34:02BCB:what's the linux cmd to check the size of all the files on your server
22:34:14BCB:(before I join #linux to ask)
22:34:20HM:du -sh
22:34:25HM:or df -h
22:34:27midnightmagic:HM: Doesn't really matter: there's no way his client can verify the connection anyway.
22:34:41BCB:HM I'm looking for individual large files not total
22:35:04HM:BCB. find
22:35:31HM:midnightmagic, you could presumably cache the certificate after you accept it?
22:35:44imsaguy:each freenode server has its own wildcard cert
22:35:47imsaguy:its annoying as hell
22:36:00BCB:hm find lists all the files in the current dir
22:36:14sipa:this is not #unix101
22:36:15imsaguy:and they're only good for a year, so you spend the first few weeks each refresh verifying and accepting new certs
22:36:26BCB:sipa sorry
22:36:28andytoshi:guys, please try to keep this channel to research
22:36:42HM:I use ZNC as well, i haven't bothered to check anything except all the links at SSL :S
22:36:48HM:i guess it just autoaccepts anything
22:37:05HM:hurray for false sense of security ^_^
22:37:15midnightmagic:HM: No, I mean BCB himself has no way to verify the znc is behaving normally, so if someone broke into the server, it wouldn't matter if znc encrypted the password or not.
22:37:42HM:normally how?
22:40:54HM:ah i always connect to the same freenode server
22:41:11midnightmagic:HM: Verifying the SSL cert, not short-circuiting to some localhost socat redirector for ease of sniffing, not recompiled and/or modified to divulge nickserv passwords automatically, etc.
22:46:59just[dead]:just[dead] is now known as justanotheruser
22:53:44HM:midnightmagic, i think that gets back to what we were saying about clientside crypto in web wallets
22:53:59HM:if someone gets in to your irc bouncer you're boned from then on
22:54:10HM:but the conversation we had yesterday about taking over the world is safe
22:54:22HM:and if i'm not connected it's pretty useless
22:54:33HM:but if they obtain my nick password they can impersonate you
22:55:17midnightmagic:andytoshi: Since the channel itself, and connecting to it, are important parts of participating in the channel, I thought it topical or at least important.
23:00:19justanotheruser:justanotheruser is now known as just[dead]
23:06:58roasbeef_:roasbeef_ is now known as roasbeef
23:30:24gmaxwell:gah, this guy is driving me nuts: http://www.reddit.com/r/Bitcoin/comments/1yzil4/i_implemented_gmaxwells/cfpkthi
23:31:38gmaxwell:he really doesn't get it and he's obsessing over "negative balances" in private messages, and when I told him that I wasn't going to discuss it anymore until he went and read the original IRC log his response was to just go post his somewhat broken scheme in public. ::sigh::
23:44:03HM:hash trees. hash trees everywhere