I did this a while back with my laser machine.  It's a one-off, not something I'm selling.  Was kind of freaky how the plastic window on this Trader Joe's mint tin turned this unusual shade of orange when hit with the laser.

Here is a feature request that I think would help assuage people's fears about random number generation, which have become more valid the more we hear about NSA-rigged RNG.

Right now, the script collects entropy by way of mouse movements.

I propose that the script also collect some additional entropy by way of the keyboard.

When the script generates new private keys, the private key should be SHA256(user-entered-string | prng-generated-string) (where | is concatenation).  Further, the string provided to SHA256 should be optionally printed somewhere on the note as an "audit code" (it could be invisible unless the user decides to click something to make it visible).

The purpose of the audit code is to allow anybody to reproduce the private key by hashing the string.  If it can be proven that the user-entered-string is part of the entropy that went into the private keys, then any user sophisticated enough to actually provide enough entropy via the keyboard can be reasonably assured that even if the prng is defective (whether by design or accident), that his keys are secure.

A side benefit is it also allows for easier practical auditing of forks.  Someone who is rightfully paranoid that a fork created to add feature X could also contain a weakened PRNG can satisfy his fear by making up for it in the form of extra entropy typed into the box.

Yeah, I still have it on the radar.  We're gettin' there.

Just about any random 256-bit number constitutes a valid private key.  All you need to do, then, is calculate the bitcoin address for it.

https://en.bitcoin.it/wiki/Technical_background_of_Bitcoin_addresses

They are now online!  9 BTC for a roll of 20, and they turned out SWEET.

I also had a professional photographer come and take pictures of the whole set.  Assuming no copyright barriers, I'd love to include a burned CD of high quality imagery with future orders!  Until I get the full files of the shoot, here is a quick shot I took with my iPhone of one of the setups we did.

The coin looks great and I'm looking forward to see what you (and the artist, by extension) achieve!

Are you suggesting you've successfully achieved unbreakable physical security?

When you engrave characters to metal, this changes the metal's shape, making the characters clearly readable with pretty much any sort of reflective radiation.  The tamper proof case may look great but what if tampering is unnecessary because any physician can take it to work and see through the case with medical imaging gear?  An engraved secret in a metal coin is also going to be vulnerable to magnetic imaging techniques.


Not even the maker of the coin?

This will usher in a new paradigm of being hacked: having your QR tattoo made unusable for payment due to a compromise of the corresponding private key.

Sweet, ευχαριστώ!

I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

Μια μικρή ερώτηση από μένα που έμεινα στην Ελλάδα για 2 χρόνια και μιλαω και καταλαβαίνω ελληνικά, αλλά οχι αρκετά να καταλάβω τι φωνάζουν σε ενα συγκεκριμενο τραγουδι.

Στο τραγούδι «Zhou Tonged Cyprus Anthem», στην αρχή, φωναζουν κατι που για μενα μοιαζει «εχε παλι η ωρα δικη σας παν αγορα» αλλα φανερα δεν εχει καμια σημασια και ειναι καπως λανθασενο.  Μήπως καποιος μπορεί να μου πει ακριβως τι λενε;  Thanks in advance

http://www.youtube.com/watch?v=XetrFDhXit4

You and others may be interested to know that the way you have described these, they are not "legit" keys.  This may be an unintentional misrepresentation.  A better term might be "working" keys.

MSDN subscriptions provide working keys to developers for development purposes.  They don't use technical enforcement to prevent you from giving the keys away, they use the honor system.  They are legit only when used by the developer they are licensed to, and even then, the usage is restricted.
  Someone who wants a key that "works" will probably be satisfied by these keys (perhaps more than satisfied, most MSDN keys will work for 5-10 activations).  Someone who wants their software to be properly licensed for whatever reason won't be getting what they probably think they were promised, as legally, their software is equivalent to being pirated.

Breaking a hash doesn't just mean recovering the original data.  It also includes being able to find alternate data that hashes to the same result (which is guaranteed to exist, it's just presumed impossible to find).

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.

I believe bitcoin is vulnerable to a well-funded 51% attack, for no other reason than the awareness that the productivity of ASICs scales more exponentially than linearly as funding increases.

I believe bitcoin would quickly recover from a successful 51% attack as "proof of stake tiebreaker" is introduced as a remedy.  For example, a remedy that would bring instant results might be a new rule that allows known entities as well as past miners (via their coinbase keys) to publish endorsement signatures on blocks they see/create.  These blocks are given a much greater weight than ones without such a signature.  Entities doing a good job of endorsing blocks would have their signatures weighted more, and any entities creating disruptive signatures (or at least their public keys) would quickly be banished by the community.  The disruption would be days, and at the most, weeks.  After the disrtuption, Bitcoin will be permanently stronger.

As an end unto itself, engaging in a 51% attack would be so futile as to not be worth it.  As always, a 51% attack constitutes nothing more than the ability to prevent transactions from confirming as well as reversing them... not stealing or creating bitcoins (other than via mining).

But being able to cause the days/weeks disruption at a time of one's choosing may be a very valuable tool for a state's (or banking industry) arsenal.  There's value in temporarily disrupting the network to somebody, and that value is in the eye of the beholder.

To that end, that's where I'd think of what the NSA (or any other state actor) may have put effort.

The question is, does someone, somewhere, have a lot of dormant mining power sitting there just in case?  I say it's safe to assume yes, and it's just a matter of when will it be worth it for them to use that to cause a temporary disruption to Bitcoin.  If you have only got one chance to rock the world of Bitcoin, it's reaosnable to assume you're going to want to time it for maximum value.

Even if so, I don't think anyone's bitcoins sitting in safe wallets (consisting of properly-generated properly-stored offline addresses that have never been used for sending payments) are at risk... only thing at risk is the temporary loss in confidence and in turn the USD/BTC value if/when such an entity decides to pull off such an attack.

Of course - just have either of the two people be the escrow agent.

The only drawback is if the payer and payee fail to agree, the only alternative is nobody gets the funds.  That advantage could be used by the payer to extort something from the payee beyond the goods he has already received.

Yep, that was indeed me.  I created a transaction that moved the funds directly from a gravity-damaged coin to its replacement.

Presumably no relationship to the forum user "candoo", with whom I've traded and who probably wouldn't do something like this.

Quoting for the record.

I ordered twice and got what I expected, both times, via Registered Mail