Faketoshis' fraud has had several phases.

• Phase 1. R&D refundable credit and GST refund tax fraud.
• Phase 2. Spanish prisoner / Nigeran prince con: I am the deposed creator of Bitcoin and need money to pay back tax officials but will pay you with my bitcoin fortune later.
• Phase 3a. Blockchain impersonation:  Convince funders that bitcoin knockoff BSV will replace Bitcoin in the eyes of the public, sell 'em a pig in a poke.
• Phase 3b. Big con: Convince his billionayre funder(s) that with their support Mr. Wright convince the courts to order bitcoin developers to magically grant them >$21 billion dollars worth of Bitcoin, and has convinced his marks that this is even possible.  (and that they can intimidate and harass into the dirt anyone that stands in their way.)

Hodlonaut's trial is mostly a holdover from 3a.  His his two lawsuits against former/current Bitcoin developers are soundly 3b.  His recent exchange lawsuits might be in between 3a and 3b-- AFAIK no one has seen the claims yet. Phase 1/2 seem to be complete and he's mostly now claiming that documents he used in 1/2 are forgeries planted by hackers (even when they're recent scans of supposedly old paper documents, covered in his handwriting).

The statement you're referring to from the trial was an effort at a self-serving remark in the furtherance of the 3b scheme.  Note that 3b doesn't require Wright himself to think jacking Satoshi's coins is possible, nor does it require his funders to think he's Satoshi. The mark thinks he's going to spend a few tens of millions and get a few tens of billions. All the litigation targets are just collateral damage, but it helps Mr. Wright that they're 'enemies' that have stood in his way by refusing to go along or be silent about his fraudulent claims.  Mr. Wright's goal would just be to keep the litigation going forever while his mark foots the bill -- from the very beginning Mr. Wright's has probably just been one desperate forced move after another to keep the whole thing from crashing down around him, it's unclear what kind of consequences he may face if it fails given that he's taken money from some apparently unscrupulous people.

Intelligence agencies have been known to recruit people like Wright, the loose cannon grandiose narcissist pathological liar fantasist free agent type -- they're totally deniable as kooks and cons if things go wrong and they are easily controlled via copious dirt and their propensity for a 'fast' lifestyle.  But if it's true for Mr. Wright, we'll never know so I think it's not very useful to speculate about other than this:  Because it *could* be a state actor, we ought to fight it with all the vigor we'd fight an attack by a state actor.


Ayre. This isn't speculation, e.g. https://www.cswarchive.info/sites/default/files/2021-08/2020_04_22%20Filing%20-%20Amended%20Reply.pdf  page 4 paragraph 4b. "it is admitted that the Claimant is being funded by a third party in these proceedings, namely Calvin Ayre. The Claimant has taken out a Bitcoin SV denominated commercial loan against the Claimant's and the Tulip Trust's Bitcoin and Bitcoin SV holdings, that will be be paid back to Mr Ayre."

There should be plenty of details on nchain elsewhere in the evidence too.

There may be others, I could speculate but I'd rather just give the one I'm absolutely sure of.

Well he got money from his bamboozled sponsors to pay back AU which probably moved him to a lower priority.  If you look at news announcements for similar convictions you'll see that it took them a decade to prosecute other similar tax frauds, so Mr. Wright may just be waiting his turn.

Ayre had a bit of his own fantasist blogging about being a secret agent or something.  Likely bullshit similar to Wright's "I was offline for much of January 2011. During the time, I had travelled to Venezuela where I was working with a “Jawbreaker” team. The work was focused on stopping the trafficking of humans for the sex trade. I was in “prevention.” I did not bring people to justice, I worked with teams to stop things, permanently.".  I wouldn't put much weight into it.

As Franky1 says-- we should work smarter, and that much I agree. On that mark: The varrious more speculative theories might be true or not, but I think they're of no use in dealing with the situation unless we stumbled into some evidence that actually proves one of them-- and then it wouldn't be a speculative theory anymore.

In any case, what I really came here to post was:

Mr. Wright's "revolutionary" "2007 Bitcoin Whitepaper" << click the link
(transcribed from the handwritten version in the Hodl trial evidence)

You may have seen the first page/paragraph when it was transcribed on reddit after being shown on screen in court.  Now experience the entire uncut masterpiece in quadraphonic legible text!  Flex your faketoshi history by determining a likely true authorship date of the document based on Mr. Wrights inability to resist adding anachronistic grandstanding in support of whatever pathetic argument he was presently engaged. Marvel at how anyone could be convinced by any of this. Laugh, cry, and most of all blush with embarrassment on his behalf because, unlike Mr. Wright, your mental model of other people is more expansive than just coming up with ways of ripping them off.

(Or, if you're a true masochist Wright debunker, check out the original 78 page illegible version here or as part of the full archive.  The original also contains the *forbidden names of bitcoin* b-side content, not included in the top-post's translation into legiblease).


Don't just take my word for it, here's what the audience says:

* "Astounding, One cuil short of timecube!"
* "It should be written on the outside of a van that an unmedicated schizophrenic lives in, not submitted as evidence to a court of law"
* "Meh. Continuity errors, incorporated the cryddit 2013 timeline in the prior chapter but didn't bother including its parameters in this latest installment"

With all due respect Franky,  "he just wants attention, don't mention him" is exactly how we ended up in the situation we're in today.  It's also just not true: he flies into a blind rage about anyone speaking negatively of him-- he absolutely can't tolerate it, he has screamed at people in interviews, he even threw a book in court once.  It's part of the reason that he keeps making the same mistakes even after the public has caught on and called them out: he can't stand reading people criticizing him so he doesn't always know which lies have been blown apart.  He usually only sees what bitcoiners are saying about him once the comments have been filtered through his supporters and neutralized.

He does like coverage that treats his claims seriously-- as in that they're merely disputed rather than thoroughly disproved but that isn't what anyone here is doing. It is, however, what the media does reflexively.

Edit (to avoid a double-post):  LOL  Mr. Wright's "evidence" is out: https://www.reddit.com/r/bsv/comments/xp5qy9/fresh_from_oslo_craig_wrights_submitted_evidence/

The binary is so awesomely fake.  In particular, I love seeing that when he made strings shorter because the offsets needed to be preserved he space padded them... either because he didn't know better or because his hatred of me prevented him from using the much more plausible null character instead of spaces.

Fundamentally, I think the issue is just with how brazen these creeps have become.  They're not worried about losing a lawsuit here or there because they think (correctly?) they're immune. The people they're attacking don't have that comfort.

They will take money from the rubes on twitter for sure-- but most of those folks aren't a rounding error in terms of the cost of their litigation. They are spending many millions on litigation.  Do the math on what they're likely getting from the rabble.  Pretending to just be trolls that want attention is part of the disguise that creates an ineffective response to the attack.

To be fair, that change alone would be consistent with it being a "draft" that he supposedly fixed.  What blows that up is that it's the correct symbol in the other font.  So it was impossible for it to be an error, the wrong character had to come from being substituted with a font that didn't exist until long after the paper's supposed date. Same issue that lambda has.  It is funny that when checking his forgery wright didn't even notice wingdings replacing his mathmatics.

Ironically, the theology degree is almost certainly the fakest of them all. It looks like the situation there was that he wanted varrious masters degrees for self promotion purposes and learned that his crackerjack school would grant credit for IT certificates (which are done via computer based testing, which presumably he cheated at). But a problem he should have faced there is that he had no undergraduate degree to meet the prerequisites. So he cooked up a fake theology degree because who the heck is going to check on that?


I think harassment and intimidation is clearly a primary motivation-- he's pretty much said so himself in some of his more unhinged rants on his public slack (during hodl he was falsely alleging that the slack was private: Not so, not any more than a newspaper you have to pay for a subscription to is private).

Mr. Wright himself must know that he has zero chance in court-- even where he might have the chance of a massively confused court he manages to submit enough easily beyond-a-reasonable-doubt-provable-forgeries that his eventual loss is guaranteed.   But the same may not be true for the people financing him (and paying for his lifestyle).  I think it's likely that he's suckered various high-wealth-low-scruples people into thinking that they're going to "won all the cases" and get a jackpot of tens of billions of dollars.

It's really just a new take on a very classic con:  I convince you that I'm a card hustling savant but down on my luck because I got caught by the last casino (AU tax office) and now I can't finance my big comeback. The mark gets the idea of financing me so I can take down the big win (convince some court to magically award Satoshis Bitcoin), and I accept a split with the mark.  I pretend to work with the mark to get the big score, but I'm really just pocketing as much of the mark's money as I can while I keep dragging out the conclusion.   The fact that I can use the process to harass and intimidate anyone who gets in my way is just a super bonus.

God knows what they could pull off if they really did manage to silence and intimidate everyone.

Before being the target of litigation I really didn't appreciate how taxing it is.  Especially being in a prolonged situation where you can count on any word you speak being heavily misconstrued, where you have no hope of a gain only a hope of minimizing losses,  where your future schedule is dictated by what is by all appearances an organized crime group directed by a madman. Where you don't know if you will be hit with millions of dollars in costs if donors run into issues or be forced to abandon a competent defense if you can't pay them. Lately they've been trying like hell to silence me off the internet completely.

It's like how people romanticize war, but war is not romantic-- it's hell.  While I'm sure being the target of litigation is not comparable to war,  there are some similarities-- your future being taken out of your hands, the constant powerless *waiting* for the next disaster to strike commanding a immediate emergency response, and the fact that any misstep could guarantee your loss, even against a generally incompetent opponent. Lots of people want to help but there is really little anyone else can do except sending supplies... And while normally litigation doesn't involve the risk of death, when dealing with a criminal cartel that thinks you're in the way of billions of dollars in profit that risk can't be discounted completely (certainly there have been enough threats, including by wright himself).





FWIW, I was on the webex for most of the trial and so I directly heard all the parts in English --there were quite a few that haven't been published-- and had some other translation of much of the rest.  Based on the twitter feeds I think Hodlo's position is looking good, but my impression from the trial was even stronger.  There were a number of cases where I was disappointed to not hear Holdonaut's lawyer press a witness only for the *judge* to turn around and do so.

There were a number of cases of perjury that should be prosecutable but experience says that just won't happen.

In general the Norwegian courts came across as very ... soft. Not pressing witnesses into corners when it seemed likely that doing so would yield an admission or a contradiction,  I guess we'll see if that translates into an equally soft rulings.  The judge very much was paying attention and asked many highly intelligent questions.

On the BSV supporters,  I'd suggest going through some threads on r/BSV and see how it works out there.

I think in general a small amount of BSV supporters coming into a space with experienced BSV debunkers does little but harm the scam:  They show up and have their claims tested against facts, get pressured to justify their positions, and -- in short -- get ripped apart.  When they're not too obnoxious they're a lot of fun to debunk, and it keeps the conversation going during the long lulls.   Though because of this, it seldom happens even when it's permitted.

The situation is different though when active BSV debunkers don't outnumber them.

One of the really good contributors to rBSV is even a former BSV investor (though he never was one of the clowns out spreading pro-Wright lies-- AFAIK not a single one of those has ever been flipped, they just disappear from the internet if they get convinced that it's not real).

The biggest problem they've created on reddit is that interacting with them gives them more opportunities to file false reports and get accounts suspended.

r/bsv does eventually ban them but only when they're outright disruptive and harassing people or doing stuff that might get the subreddit in trouble, not because they're promoting the scam.  The assumption is that >95% of the readers in rbsv are well enough informed that they're already immune to the scam (or soon will be) so the only risk to worry about is that they become annoying instead of fun for the honest participants.


Back in 2017 I circulated a message to people to see if I could get a lot of long time bitcoiners to sign onto a message saying:


Enough people replied along the lines of 'Wright is just a troll, that no one will ever believe him, all we'd be doing is giving him free attention, we should just ignore him', that I felt the effort wouldn't be successful and dropped it.  (To be clear, the only person to respond saying that Wright was *legit* was Roger Ver... he since got a clue...)

Unfortunately, now that he's sued me for billions of dollars I fear that if I were to spearhead such a message that it would get explained away as an action of a defendant trying to escape a much deserved lawsuit or something.   But I still think such a message would be incredibly powerful, it would just be better driven by someone who he isn't suing.  Though it's really hard to overcome Gavin's continued unwillingness to retract his endorsement-- I think doing so requires enough of everyone else to sign on to make it clear that he's alone (or close to it).

I don't think though that people showing up on BCT are the ones that need to hear this-- if you've made it to bitcointalk you're probably much more clueful than the average joe.

As far as BitCoinDream's comments go-- the "ignore it and hope it goes away" approach is what the Bitcoin community adopted previously.  It's been a disaster.  Go plug in Satoshi or Craig Wright into google news.  He already controls the media narrative.  His representatives appear to be taking as many (if  not more!) meetings with heads of state to speak about "Bitcoin",  his story with a minor amount of tempering is usually what's being told by the press.  Adding to it that there are bitcoiners fighting back wouldn't help them-- they're already on the way to a false consensus that no one seriously opposes them.

Apply some art of war to your thinking: I don't care if the opposition thinks that I'm scared or weak or whatever. I care that they aren't successful.   BCT is already a pretty obscure corner of even the bitcoin universe much less the entire internet (as unfortunate as that is)-- if the profile here were 100x more visible than Wright's you'd have more of a point about giving them attention they wouldn't otherwise get.  The bitcoin community *is* strong, it just needs to be mobilized.

All that said, your alternative suggestion is mostly what I'd been thinking before making the post--  though a big problem with that kind of diffuse response is that it's not good for bringing more participants into Bitcointalk who are primarily interest in dealing with the con because they threads will be lost in a sea of stuff they aren't interested in.  I've found here that when some wright apologist or BSV promoter wades into a thread on BCT it's not uncommon that the arguments against them end up close to 1:1 instead of many against one, with the other thread participants just irritated that you're helping the troll take things offtopic by debunking them.  I can tell you first hand that fighting misinformation 1:1 against a paid shill or a dedicated cultist feels rather sisyphean, while many against one feels like a nice game of golf.   When you're 1:1 they keep diverting the substantive discussion to making it all about you personally.

My apologies.  I have the utmost respect for the people of Nigeria-- but few people know what advanced fee fraud is, and the particular brand of spanish-prisoner-con (apologies to spaniards) is known to essentially all english speakers as a nigerian price scam.  To this day I receive frequent nigerian prince scam messages though they're finally starting to be outnumbered by tech support and amazon refund scams originating out of India.  Every one of us lives with negative things done by some few scammers in our countries.  I can only promise you that I know that the actions of a relatively small population of scammers in Nigeria doesn't really reflect negatively on the rest, and I'm confident that most people feel the same way.

Wright's scamming does has an African connection-- but it's by way of a conspirator in Kenya, not Nigeria.

LOL I agree on the name.  Really I'd even leave BSV out-- without Wright it's just another irrelevant altcoin-- except the two are hopelessly intertwined and often people who need to hear about Wright are looking for info on BSV, since BSV is one of the ways they monetize the scam.  Increasingly so as they've now agreed in court that BSV will now be handing over "his" coins.


The outspoken people are just outright paid liars (like any of their spokespeople or 'media personalities' such as wuckert)-- the rest you hear from are just what you say-- brainwashed and hoping to recover from their massive losses:  They bought BSV at $400 and since then bitcoin has gone up 6x in price while BSV has dropped to $50.   They'd rob their own mothers at this point (and if you listen to Wuckert's mother-- at least one of them has done pretty much that!).


It's obviously hitting him hard, if you look at pictures of him now vs a few years ago especially when he's not sussed up for the camera, he looks like he's in his 70s now.

You're absolutely right though-- people see how absurdly incompetent about the stuff he claims to be good at-- personally I love the bullshit etymologies he comes up with on the spot even more than his bullshit technical explanations-- and conclude that he's an idiot.  He's not an idiot, he's a con man, and an astoundingly successful one.

Last we hear their criminal investigation was still ongoing.  It sounds like they're similar to US federal prosecutions-- they take their sweet time.  There was recently someone convinced of some similar rebate fraud in AU, and their fraud took place a decade before they were charged.  Wright is coming up on a similar timeframe.   Everyone of of these dumb court cases also ends up with him making claims and exposing information that should make things easier for the criminal prosecution.

So I'm hopeful there, but at the same time-- the ATO is going to chase their own interests and so we can't count on them to protect the public at large.

I agree that the only thing which will actually stop him is criminal charges... but for our purposes we don't really need him to stop:  he just has to be discredited to the point where he can be ignored and where he isn't suckering in newbies (esp governments) at a rate much greater than other bitcoin-attacking scamcoiners.  A lot of that is taking the nearly universal view in the bitcoin community that he's a joke and making it clear to the broader public, while playing the tactical defense to mitigate his damage before we get to that point.


Nearly all of the quite powerful discrediting used against him in court so far has come from the community.  Truth has the property that it's reproducible by others. So when community members find information which disproves Mr. Wright, we're able to point the lawyers at it for validation and reproduction.  This is essential because replacing the public's efforts in isolating the conflicts and contradictions with paid experts at hundreds of dollars per hour would be utterly ruinously expensive.   Your mental model of "well-funded individuals (presumably who have been subjected to the kind of harassment described in the OP)" is just off base.  They do not exist.   Wright and his conspirators are legitimately well funded: They expect billions in return.  All his opponents can do is hope to mitigate losses (unless they flip and accept his bribes,  I've heard that he's offered as much as $10 million dollars to people for supporting his efforts), even where they technically have the means to pay for the litigation it's with a heavy heart because it comes at a great personal cost with no hope of a benefit from it other than Bitcoin's continued health.

The fight in court is also a public information war more than you realize.  When some professional-- a lawyer, a press person, a ghost writer, etc--   is contacted by Wright to take Wright on as a client and effectively become a paid conspirator in his scheme they have to decide if they're going to be able to plausibly deny knowing it was fraud to protect their reputation later after it collapses (and potentially avoid criminal charges themselves).  The more limited Wright is in his selection the less successful he'll be.  What the rules say and what the practice on the ground is are two distinct things: even judges in the US absolutely do look at what's said in public, even informally, and are going to take a second read of things which might end up making them look like idiots in the future.  Some of the arguments -- like general impossibility of Wright's efforts to force a coin stealing backdoor onto the network-- are themselves directly a question about the public temperature on the subject of his demands and several times already mass media articles have show up as evidence in court cases as evidence of the public's perception of the subject.

But also the fight in court is also only one element of dealing with this fraud-- it's the most obnoxious because its the one where "just ignore it and let him scam people" is not a realistic option (at least for the targets), but his attack does go beyond court.   For example, Wright's conspirators have been meeting with heads of state in many parts of the world pitching their agenda (which involves outlawing bitcoin and adopting their Bitcoin knockoff).  The only way they're getting these meetings is that whatever overworked staffer is vetting the schedule does a quick search and doesn't find information that exposes what a big reputation risk an association with this conman and his con would be.

Lol, I had intended to edit the title before posting.  But ... now I can just pretend it was a really brilliant piece of click bait.



There are global mods and whatnot.   I think on reddit on r/bsv we've needed relatively little moderation except for some BSV promoters that have become too abusive --- one possibility would be to draw moderators from the participants there.  In particular, there are people who have been moderating r/bsv and doing a good job (I think in general rbsv is moderated in a way that is generally compatible with the generally lax hand approach of BCT moderation). I have no idea what the level of interest would be there: It may not be very high unless use of the subforum really takes off.

Would people be supportive of creating a sub-forum for investigating/exposing Craig Wright and his BSV scam for the protection of Bitcoin and Bitcoiners?

Most of the people doing this work have been coordinating on twitter and reddit,  but BSV scammers have been flooding the platforms with false reports and have successfully knocked out more than a couple account thanks to idiotic and/or artificially-idiotic (AI) report processing. There is also a real risk that the scammers simply buy off the platforms (e.g. in the case of reddit) or their staff (e.g. in the case of twitter) to achieve their end. 

Moving a community around can be really hard but it doesn't necessarily need to happen:  If it's clear to the attackers that at most all their attack will do is switch the URL people are collaborating at then they may just give up on the attack.

I'd say we could post in some existing subforum but part of maintaining a community around a subject that is protracted as one involving a decade long scam and a dozen court cases (each of which has months between each event) ... involves a bunch of lulz and shitposting,  traffic that is basically only interesting to people working on the subject, mocking the latest forgeries, etc.  While the big events in faketoshi land are of general interest to most forum members most of the day to day traffic is only interesting to faketoshi debunkers and people following the ongoing train wreak(s).

If it's not obvious to you why this is important to Bitcoin, here is some background:

As anyone not living under a rock probably knows by now:  The most infamous faktoshi, conman par-excellence Craig Wright, has been creating a rather substantial nuisance of himself by piling lawsuit after lawsuit against Bitcoin community members, journalists, developers, and former developers.  For example, he's sued me and a dozen other bitcoin developers and former devlopers demanding ~6 billion dollars in damages, and has a second lawsuit filed naming us that we haven't even seen yes.  His court case in norway with hodlnaut has been in the news lately.

Over time his necessity has evolved from a simple (although high value) tax rebate scam to an advanced fee fraud (nigerian prince) to what is, hopefully, its final form: an impersonation scam with a target of a >$20 billion dollar payoff:   Their plan is to steal a mountain of early bitcoins by fraudulently claiming to have owned them and lost the keys, then demanding bitcoin developers write and bitcoin users deploy a cryptographic back door to reassign those coins to them.  I say "their" because the real scam here is that likely Wright has convinced wealthy funders that together they're partners in a scheme which is going to rob the world/Satoshi but really Wright knows it won't work and his goal is just to scam the funders.

It's *very* common for cons to take the structure of the conman convincing a mark that they're really going to rob a third party, when in fact the third party is in on it, or doesn't even exist and it's the mark getting robbed.  The story however, helps keep the mark from getting good advice, explains the con's sketchy behavior, and answers varrious microeconomic questions the mark would already have ("Why are you sharing this windfall with me? -- because I need your help to pull off the con.")

Anyone with a reasonable Bitcoin background knows that Bitcoin doesn't really work that way-- if developers (or whomever) were trusted to not steal coins bitcoin could have just skipped the whole ledger thing and had them run servers like paypal.  Unfortunately, even if Wright was only able to convince his true mark that they have just a small -- say 1% -- chance of success then it would make economic sense to spend tens or hundreds of millions on the effort and that's exactly what is happening.

To put it in non-Bitcoin terms:  Mr. Bumblecharm has convinced Duke creepycal that with Bumblecharm's long history of obvious forgeries they'll be able to convince the world that Mr. Bumblecharm is true heir to the royal throne, and should property be awarded control of the empire along with its vast estates and accounts which he'll share with creepycal in exchange for funding the enterprise.  To accomplish this they're harassing, intimidating, and litigating against any visible person that disagrees in public or otherwise stands in their way.  Duke creepycal likely believed the story in the past (in the earlier nigerian prince phase) but likely doesn't believe it now (though it doesn't much matter if he does or doesn't-- he's in it for the payoff).

If this really were about royalty the public would laugh it off the stage, but since it's about something new and technical people's eyes glaze over and their reason goes out the window.  Large parts of the media is complicit because "maybe" makes a better story and a reduced lawsuit risk than "this is an obvious joke as was proved years ago"-- so even as wright get caught over and over again with utterly indisputable forgeries they're able to keep carrying to the public that this his claim is merely 'disputed by some'.  This translates into courts and professional services (like PR agencies, and lawfirms) having at enough plausible deniability that they're willing to participate in the con in exchange for payment.

His highly funded lawsuits have already cost people millions of dollars defending them and if carried to trial are expected to cost ten to tens of millions of dollars more, and there is little to limit him filing more of them.  Stopping him requires casting a light on his actions so clear and stark that no one can ignore the facts -- we need to get to a state where his lawsuits are laughed out of court and where prosecutors feel pressured to take action against an obvious fraud.

Some Bitcoiner's I've encountered say things like "I see why this is personally tragic for the people being targeted, but I don't see why this matters to Bitcoin: He can't get people to run a backdoor and devs can go anon".  But I think both this is anoverly narrow perspective.

It's true that no one can force people to adopt some hardfork like Wright wants-- but it's only because the community speaks out against it that people will know to not run it and avoid being bamboozled into it.  Bitcoin's non-cryptographic security comes from its users defending their own interests. There is no authority charged with protecting Bitcoin: it's in the hands of each and every user and owner of Bitcoins.  And as the say-- 'The price of freedom is eternal vigilance'.  So it's not a proper response to someone pointing out an attack to say "don't bother doing something, bitcoin is strong against attacks" when we're taking about strength that exists specifically because people will do something.

The specific pressure against developers may create a bias toward developers that are more reckless or even ones that have bad motivations (why worry that you're going to get sued by Wright if your real goal was to get your own backdoor in).   Anonymity is an additive tool some may use, but unless your involvement is to toss a patch or a post over a wall and quickly disappear it's basically impossible to stay strongly anonymous against a competent and concerted attacker: every word you say risks leaking things about you.  Satoshi is anonymous, sure, but he left in 2011 before anyone was really paying attention to bitcoin.  Anyone who participates anonymously should be assuming their identity will be exposed eventually that, at best, it's an additional security measure. Anyone who thinks anonymity is a serious fix has not given a lot of thought on what it takes to be strongly anonymous.

While Bitcoin can handle losing any particular developers but developers are a resource bitcoin uses to fight other attacks, and so it's easier for Bitcoin to be wounded or disrupted in the future if competent developers are chased out.  So while wright's attack probably can't kill bitcoin on its own, it's not inconceivable that it could weaken it enough that some future attack does much more harm.  And sure, while kill bitcoin completely is a pretty unrealistic idea-- a bitcoin that was barely used by anyone, outlawed many places, and/or unreliable would be much less valuable and useful to the world.  It might not be "totally dead" but that would still be a sorry outcome.  I worry a lot that an attack of this approach evades Bitcoin's immune response.  I think if a state were to do what Wright is doing there would be a very strong reaction-- but if the attack is disguised as a joke many people go 'meh'.

Wright's attacks are also against individual bitcoin advocates, journalists, and Bitcoin companies-- not just developers.  Even if you ignore the direct harm, they divert tremendous amounts of resources that could otherwise be spent improving bitcoin or hardening it against other attacks.  So I think that although Mr. Wright himself is an obvious joke, the harm he's causing and can cause the ecosystem is a serious concern.

So given that I think this is a subject worth at least a little attention from every serious Bitcoin-- and it's certainly worth making sure people that have picked up the mantle here have a place they can discuss their efforts without being silenced by Wright and his conspirators.

We could obviously setup a separate forum but there is a lot of work that goes into maintaining something like that which is already done by Bitcointalk.

Cheers

You have that backwards.  Wright alleges that the whitepaper wasn't released under a free license, even though it's part of the accompanying documentation specifically called out in the license grant.  The free licenses is a big part of the only reason that the bitcoin whitepaper is available on anything but darknet/pirate sites right now.

No one sane would give away software without a hard disclaimer of liability, to do so would be financial suicide.  If Wright gets his way it'll be financial suicide even with a hard disclaimer.

There is *tons* of commercial use of GPLed software, and concerns like lawsuits are essentially non-existence in the wider world of free software (with a few narrow examples of utterly flagrant violators).  I don't believe there is a single identifiable business in Bitcoin today that would be materially impeded by the bitcoin software itself being GPLed -- particularly because cryptocurrency software almost always has to be free software for pure security reasons (if someone else controls your cryptocurrency software then can potentially take your funds hostage).

But regardless of the underlying truth-- some people would think that they couldn't use it commercially or would think there would be some relevant liability.  And just the fact that people would think it would be a reason to go about making more implementations which is not good for the security and stability of the network. Perceptions matter too, even when they are wrong.

I was a contributor to the Vorbis royalty free audio codec, and when we first created it we asked RMS for input on licensing and RMS advised using a three-clause BSD (MIT style license)-- his reasoning went along the lines of 'the proprietary world already has acceptable codecs, denying them this one wouldn't advance the cause of free software significantly,  but because codecs benefit significantly from network effect, having them use a codec that is available to free software would advance the cause significantly'.

I think that same logic would apply to Bitcoin, but even more so because the existence of many re-implementations is a significant cost to the bitcoin ecosystem, and while compatibility issues arise for codecs too they're much less severe.

It seems like it was a good decision-- we haven't seen too much abuse of the communities generosity:  There have been some altcoins that have built their system on 95%+ code written by the bitcoin community but then adopted proprietary licenses specifically engineered to prohibit bitcoin from using their code.  But it turns out that the kind of people who do stuff like this typically have nothing of their own of value to offer.  Code itself is pretty cheap too-- if you want a re-implementation of bitcoin you can just insert some money and have someone do it.  The insights that go into varrious design features are more valuable but much less protected by copyright in any case.  

Stuff like 'exodus' would still exist-- I believe they're not even directly using any bitcoin code to begin with. The protection against closed wallets is and must be that the community of users is well informed enough to not use them.

If the bitcoin community does come to regret the permissive license they could switch to using different licensing for future work.  But if that happens I expect really the only cause would be something like one of those scammy altcoins using their proprietary licensing as an excuse to spin up harassment lawsuits against bitcoin developers for 'copying' fixes or simple features that were in actuality independently developed (the fact that their codebase is 95%+ taken from bitcoin makes it somewhat likely that some similar changes would get made independently). ... but if someone wants to spin up harassment lawsuits it's unclear how much licenses can really block them.

The latter: recent versions don't use OpenSSL at all (or didn't last I checked), and it hasn't been used for consensus since 0.12 in 2016.

Back when Bitcoin was written OpenSSL had been very stable for a looong time and had a good track record of preserving legacy interfaces and behaviors when it changed.  Satoshi could be forgiven for thinking it was sufficiently stable, particularly because it was far from clear how tricky consensus consistency was.  Your use of the word "minimize" makes it clear you know, but it wasn't always quite so obvious how truly difficult it was.

In 2015/2016-ish a number of concerning vulnerabilities were found in OpenSSL and a lot of attention was put on the project massively reworking things, making incompatible interfaces changes, and putting out giant updates (I seem to recall one of their diffs was like 400k lines...).  They managed to make changes in signature validation that would have been utterly consensus breaking for Bitcoin, and did so without even release note-ing the change.

Fortunately by then Bitcoin had mostly completed the move off of it and had deployed a soft-fork to restrict the set of accepted signatures going forward enough that their consensus break wouldn't matter for newly created blocks, as a result of an openssl consensus consistency vulnerability we'd discovered.  Though there is a window of openssl versions + bitcoin versions where it will compile and run without issue then reject some older blocks due to openssl's changes, this footgun is mostly avoided due to the fact that openssl broke their api a number of times around the same time.

It could have been quite a mess, had the openssl behavior changed before bitcoin devs realized it was a potential source of issues. Today AFAIK bitcoin uses no external dependencies in consensus beyond the programming language itself. Maybe some small amount of boost usage still exists in consensus, though there was a long term effort to eliminate it, simply because the authors of external code can't be expected to manage the very special requirements of consensus consistency.

The patches people use to use modern openssl with old bitcoin code paper over the major known consensus change in openssl, but there isn't any guarantee that there haven't been other ones or that its a complete fix (since even at the time openssl made those changes the 'fix' was to upgrade to bitcoin that didn't use it for consensus).  Not that I think it's too likely that there will be extra issues, but if the exercise is to tell if old versions would work, you should reconize that if you use an inauthentic openssl you're only getting an approximate answer.  

Because post-BIP66 bitcoin is very exacting in the signature encodings it will accept, I think it's unlikely that any new signatures have been accepted that really old openssl would reject-- though not impossible: we did also find bugs in openssl's bignums, just none that we could find a way to exploit for a consensus split.  It's more likely that if there were issues it would be of the form of more modern openssl being even more picky and rejecting the chain when old openssl wouldn't have.

It's probably better to run with an old openssl... god knows what other consensus relevant changes they've made.

Full index of address usage adds >> 1TB of storage (as of a couple years ago, it's probably >2TB now) and an according amount of sync indexing time.  Not exactly ideal if you're already slow on a spinning disk.   You need both payments and spends indexed for a wallet, since you need to know if a coin you were paid has already been spent by another copy of the wallet.

The challenge there is that even if such an index is viable for you today, it likely won't be viable for you in the not too distant future because the resources grow faster than those required to run a node.

The history of people using indexes is that they set up their usage to require one, and then when it's too burdensome switch to using a trusted third party to provide it (e.g. when their node crashes and they're facing a week of indexing before their business is back online, or when they need more storage than their hosting provider offers without the high cost of a dedicated high storage server).  If TTP is where you're ultimately going to end up, perhaps its best to be honest with your security model and do so now and in the meantime not encourage people who could do without the index with a bit more development effort (instead loading watching keys, etc.)  from building  infra that will inevitably push them onto a third party service.

If you do really want indexes there are some open source block explorer programs that will provide them.

Because if you want that you can just encrypt the file or the volume.  If you don't the other files in the wallet like the debug log will leak this data anyways.

Every feature of the software comes with cost and risk.  Encrypting just the keys is something that the OS cannot do, so it's justified. Encrypting the whole thing is something that it can, so it's not justified.

Also if you encrypt everything it means you will have to enter the key on every use-- even just to see if you've been paid.  It means a key will have to be in memory at all times the software is running, not just when you spend.  If the same passphrase is used for both view and spend then these will increase your risk to shoulder surfing, key logging, and other malware (which otherwise you might be saved from if you realize you are compromised before you spend).  If different passphrases are used for each the risk of key loss is increased.

Keep in mind that it's likely that far more funds are lost due to accident and forgetting than are lost to coin thieves already, so anything that makes it easier to lose access is probably increasing the total amount of coins lost rather than decreasing it.  Arguably developers of Bitcoin software already have a small conflict of interest to make choices that error in the direction of taking coins out of circulation, since every coin forever lost makes everyone elses coins more valuable.

ETFbitcoin's point on scan when unlock is great too-- it takes a long time to scan months worth of blocks, big usability annoyance.

Mobile wallets are on platforms where things like encrypted volumes are less available-- you usually just get a whole device or not.  They're often also written with much more of an eye towards marketing rather than security and have liberally provided pretexual "features" in the past that only undermined the user's security, or just features that weren't justified based on the effort required to actually do them right.   I don't think it's correct to say that the Bitcoin node software only has 'basic' features, it just don't waste effort on snake oil and there is a lot of bitcoin wallet snake oil out there.

Encrypting the whole file isn't snakeoil but it provides relatively narrow benefits vs the costs. And at least on desktops where it's not too hard to use an encrypted volume the marginal benefit would be pretty small indeed.

0.7.x will do so too, you can see me mention it in my post above.

Good to see confirmation!  and indeed, it's a brutal wait.

As NotATether  says, OP_SUCCESS makes a forced success.

The idea of OP_VER at least so far as anyone is able to infer was to be able to write scripts with rules enforced by new versions of the script evaluator but which would be accepted by old versions.   But this is vulnerable if you imagine that the script author could be malicious and intentionally trying to crack the consensus.

OP_SUCCESS accomplishes the same end, but it guarantees that a malicious script author can't use it to write a consensus cracking script that passes on 'new' nodes but not old ones.

This means that bitcoin could today just easily add operations in any of the values used by OP_SUCCESS now, with whatever semantics are sensible (e.g. doesn't have to be a _VERIFY style opcode that produces no output and can only fail the transaction) and without a whole bunch of cautious analysis about how they'll be evaluated by older code.

That's all.

I think that at some point people even discussed being able to have a set of script blocks whos success was logically ANDed, where some could use 'future' opcodes while others didn't, which would be even closer to the non-attack functionality of OP_VER (e.g. allowing partial rules for nodes that supported them). But it wouldn't be easy to make a case for taking on a lot of complexity since it's not really clear what use it would have.

There had also been some suggestions a while back of generalized taproot that let you have a tree where each node potentially had key with a potentially hidden script, and then in that case the script could use future (OP_SUCCESS) rules while older nodes would still validate the key's signature, but not the script. This structure was motivated by making signature aggregation still work with softforks-- so the extra complexity would be justified on that basis and the extra 'partial validation' would be a very minor side benefit.

I tested the oldest that would run at all for me.  But I know that prior to 0.8 that you will have to do something about the BDB locks situation,
I also know that the BDB locks fix shared around back in 2013 will only take you up to 2016 or 2017 or something and then it still runs out of BDB locks.

Part of the reason that the community fixed the BDB issue rather than figuring out a rule that would mandate blocks that were always be valid to all nodes and softforking it in was that BDB was complicated enough that it seemed infeasible to come up with such a rule.

For my purposes I wanted to validate how far back you could go with an utterly stock node, unattended, unconfigured, no debate over what constitutes a hardfork or not.   I was checking this because faketoshi sued myself and a dozen other current and former Bitcoin developers demanding that we write backdoored node software which will hand him control over the huge stash of coins he claims to own (but claims to have "lost" to "hackers"), or otherwise pay him billions of dollars in damages.  We pointed out that even the people who are still developers lack the ability to help him pull off his heist because users simply wouldn't run the backdoored version in any quantity.  Faketoshi countered that users have no choice but to run the latest version.  Part of our reply was 'Users can and do run old versions or completely independent versions, in fact the most recent isn't even the most popular and in fact versions from about ten years ago just work.' So I wanted to make absolutely sure that 0.8.x did work and that the nodes on the p2p network claiming to be 0.8.x were actually working and not fake or something.

For a long time while I was working on Bitcoin I kept a fleet of older versions running specifically to monitor compatibility, but I haven't worked on Bitcoin in quite some time,  and efforts like keeping old nodes running kinda fell by the wayside as the environment become more hostile which switched Bitcoin from being something I loved working on to something I worked on to avoid letting my friends down.


Some recent versions like maybe 0.18+ also get angry at some older versions in the 0.7.x region at least and tend to disconnect them because there were some limits added to some messages like getheaders and 0.7.x will respond with too many.  This isn't a consensus change but would get in the way of doing a test.  Interestingly, running a sufficiently OLDER version would still work (at least for that reason) because they don't produce the messages that anger the recent code.

I think basically 0.8 is as far back as you can go before there starts being a lot of difficulty and asterisks.  It's also hard to impossible to find binaries older than that (as they got taken off hosting sites due to security issues with them) unless you already have them,  so you basically need an old operating system to build them from source.

My belief is that if you work around/fix the BDB locks issue then its likely code all the way back to where Satoshi added NOPs in script will validate the blocks, but anything prior to Satoshi's changes in 0.3.7 in 2010 are likely latently hardfork incompatible due to the verifyscript split.  By latent incompatible I mean that they'll likely accept the current chain, but someone could craft a special transaction today that would be accepted but they'd reject-- so a hardfork but not triggered yet.

(and I say 'likely' because I haven't seen it actually tested. Sometimes something you think would be a consensus break is actually prevented by different code, so there is no replacement for actually testing)

It's pretty clear that Satoshi didn't *initially* have a comprehensive understanding of the criteria needed for consensus stability as people do today.  You can see him figuring it out through changes like eliminating OP_VER are introducing OP_NOPx,  so he made a number of changes early on without much care if they created latent hardforks.  At the time he was doing this stuff, no one else really understood it at all, so there isn't any discussion about the details (at least not in public).   Because the hardforks were latent though you could continue to run the old code, making it appear completely compatible even when it wasn't, so it's only been through careful historical analysis that people have gone and figured out exactly what changed where in what ways.

The definition of "hardfork" has also shifted a bit over time:  Three major kinds of "hardfork" come to mind,  from weakest to strongest:

(1) A latent hardforking consensus change:  This is a rule where a node will accept transactions that the 'prior' code wouldn't accept.

(2) A triggered hardforking consensus change:  This is a latent change where a triggering transactions actually exists in the most work change.

(3) A hardforked chain:  This is a triggered hardforking change that was triggered at a time when enough usage of the 'prior' version existed that a separate chain formed and consensus was actually split in practice.

I think the original usage of "hardfork" tended to be mostly refer to the last type or rarely the others,  but in modern usage the meaning has shifted more to the first type-- largely because a focus on not accidentally creating latent hardforks is how you avoid a hardforked chain.

It's only the last type that has an active impact on users, and this is part of why you'll find quite confident messages from people (myself included) that say that Bitcoin has never had a hardfork except maybe if you want to count that BDB issue.  Yet today you can also find threads like this one where I'm pointing out latent (and maybe triggered) hardforks created by Satoshi (accidentally in some cases, maybe in all cases).

You could also come up with some levels between 2 and 3 that would be interesting and relevant:  Even if a forked chain didn't form were any users forced off software they preferred to use.   If some hereto unknown latent hardfork from 0.3.x days got triggered today it would likely be completely unnoticed and not disrupt anyone.  But if a hereto unknown latent hardfork from 0.11.x were triggered today it wouldn't form a split but it would almost certainly disrupt some users, cause some problems, and maybe leave some people unable to use their favorite choice in software.

Then there are other things like-- is removing a checkpoint that fixes the hash of block 1 a hardfork?  -- in one sense it's a latent hardforking change but one that could ONLY ever be triggered if the entire chain was erased with a gigantic reorg, rendering the entire system unusable and pointless.  Personally I think it's worthless to consider such things as hardforks. I think it's best to only consider things that could have at some point could have credibly created a hardforked chain in an otherwise working system to be hardforks.   If the definition is expanded too broadly it loses its power to aid understanding.   Like, e.g. Bitcoin should be extremely careful about introducing hardforking changes: But should it be extremely careful about removing ancient checkpoints? No.  Only careful to the extent that they might be providing protection against something, not for consensus stability reasons.

If your interest is mostly in 0.3.10 - 0.8  if you want to deal with the BDB and P2P issues then I'm quite confident you'd find the consensus rules are completely compatible.  And if you found that they were incompatible it would be a new and interesting discovery that might inform software development practices-- because if it's not compatible (for reasons other than BDB) it would be due to a yet unknown accidental triggered hardfork.  I'd make a sizable bet no such thing exists though.  If your interest goes much older, I'm less confident but also because of self-inconsistencies like BDB and OP_VER I think it's just less interesting: old enough versions were too broken to be treated as a viable consensus system.

You cannot. BCash and BSV have hardfork changes and accept (and mandate) transactions that were never valid in Bitcoin, and their chains contain these things and not even even with configuration changes can you get old Bitcoin nodes to accept them.

In particular, they changed the consensus rules to mandate that every signature use the segwit signature scheme that the Bitcoin community created to solve the O(N^2) hashing problems.  The result of this is to Bitcoin software (of any version) these altcoin blocks look invalid.  In Bitcoin that new hasher also exists, but it only applies to coins that opt-in, so that they still validate under the old rules.  These altcoins are also are invalid from a proof of work perspective because they changed the difficulty update rules to allow them to "instamine" about 100k coins in a short period when the fork was created.  There are a bunch of other deeply incompatible changes in them, none of which can be configured out.  To a Bitcoin node (of any version ever) every Bcash or BSV block looks like it's entirely full of transactions stealing coins with completely invalid signatures and will reject it (except for the fact that it would have also rejected it for invalid proof of work and never processed it because it has vastly less work than the Bitcoin).

Looking at this old thread I think more modern understanding has improved-- there were some changes made by Satoshi that were likely latent hardforks in that someone could craft a transaction that would be valid today but not under the very first release, but those transactions didn't exist then and maybe haven't yet been created.  Though only Satoshi has ever made such changes, and it's not even clear how intentional the compatibility break.

The closest Bitcoin has come to a hardfork after Satoshi is that prior to 0.8 all bitcoin nodes would 'randomly' fail to accept blocks that processed too many inputs the too many threshold was specific to each and every computer, though it started being an issue with blocks >500KB in size.  0.8 fixed the bug (accidentally, because it wasn't even known to exist at the time, only somewhat after 0.8 was released when Hearn pressured miners to produce larger blocks). As such if you want to run versions prior than 0.8 from 2013 (almost a decade ago) you need to get around this random failure issue, which at least for a while could be accomplished with just a configuration setting.  Some people call fixing that bug a hardfork, though from that perspective every node on prior versions was hardfork-incompatible with every other node. The whole idea of a hardfork doesn't really make sense when talking about a system that doesn't form a coherent consensus with *itself*.  And even then, it wasn't even an intentional change but an accidental one.

A couple months ago I synced a totally stock 0.8 release binary from early 2013 all the way to the current tip, with no special configuration or anything-- it just worked (though very slowly).  This test lets you easily be absolutely confident that there have been no triggered hardforks in the last decade. (Latent hardforks, though, can only be found with careful code review-- certainly there have been no intentional ones since Satoshi, maybe never)

Testing older than 0.8 is harder because really old binaries don't work right on current systems and building the old code with a modern operating systems also doesn't work right.  Satoshi also made an incompatible P2P change in 0.2.10 with a time delay that didn't activate until 2012-ish, so any node older than that requires modification or a custom gateway to get connected to more modern nodes.  Back in 2016-ish I'd also taken a 0.2.10 era node up to current then, but now it's too much of a pain to try (and without config changes it *will* get stuck on BDB locks, so its not clear what purpose the exercise would have).

It's also the case that _every_ version prior to the deactivation of OP_VER was latent a hardfork with every other version due to its design being flawed.  Of note: Taproot finally reintroduced the op_ver functionality without the flaw.

Why don't you try asking what you're actually trying to ask?   If you just want to know if Bitcoin is backwards compatible:  Well you can easily check for yourself that it is backwards compatible for a decade, simply by running a 0.8 node.  Going further back, if you do something about the BDB locks glitch, you can go back as far as the last time Satoshi changed the consensus rules, it's likely that you can go further back-- because most of his changes were softforks and whatever were hardforks are still mostly latent rather than triggered.

I think this level of backwards compatibility is both good and important since pretty much no one can say they were ever forced off their preferred node software by compatibility changes.  The same can't be said for numerous altcoins with constant forced hardforks, for example: In Bcash there used to be many alternative nodes "bcoin" "bitcoin-classic" "Bitcoin-xt" and several others, which were all forced off the network by hardforks even though they were actively used and their users were left forced to use software they didn't like (or write their own).

So long as the wallet was unencrypted and the data still exists this tool will recover it https://bitcointalk.org/index.php?topic=25091.0  and can be pointed at a raw disk image.

Hm? having a whole extra tree of nCr(N,K) will add 32 bytes to the signatures if the root musig1 k-of-k isn't used, but the output will always remain 32 bytes.  Or do you just mean the fully expanded tree size (that never gets communicated with anyone explicitly) will double?  The 32 bytes is no big deal if you're talking about a 15 of 20, but it's a bit expensive for a 2 of 3. That's why I said it's a trade-off to include the sub leaves.

In fact, for a 2 of 3, I think it's never worth it to include the seperate subtree of musig k of k because the extra tree size matches the savings if the k of k is used.

The musig1 top level root k-of-k is free itself-- so it's always a win to have it. My isn't used comment above is because it lets you skip exposing the tree entirely, so if you will be normally using it the average cost of having that extra hash is very low. 

While speaking about the expanded tree size-- One thing that probably deserves special consideration:  with large N it becomes computationally difficult to enumerate the nCr(N,K) branches (unless K is very small or very large).  N larger than 16 or so is probably annoyingly slow with python or JS code, and N larger than 20 is probably visibly slow with native code. A small hardware wallet might be unusable slow with N>12 if it has to enumerate the tree but I think support could be designed there so the host always does that work.  And regardless of speed, you need to use special hashing code to build the tree or otherwise memory usage to build it crosses a gigabyte at around N=28 (with proper hashing code that works incrementally, the memory needed is log(n) so not an issue).

This is why the checksigadd approach still exists-- doing a tree of K of Ks will always be smaller but it would be straight up intractable to do a 50 of 100 that way.

Thought technically a bip doesn't need to describe an optimized implementation if your design is such that implementer will get thrown by them (and maybe even think the whole proposal is worthless) it can be a good idea to at least raise the issue and point out that solutions exist.