Bitcoin Forum
May 27, 2024, 08:01:34 PM *
Show Posts
1621  Alternate cryptocurrencies / Tokens (Altcoins) / Re: toiletpapertoken.com on: April 07, 2020, 11:37:46 AM
--snip--

I mean, looking from the financial point of view: "brand" has been promoted already to some extent by CMC, domain exactly matches the "brand". Surely, it will be something fun, not an ICO :P i just need an idea and maybe someone willing to take part.

I'm just brainstorming/spitballing ideas here, but maybe you can use it as some kind of site to provide information about fake ico's, scams, joke projects,... Since toiletpapertoken was, in fact, a joke, using your site for such purposes might be fine.

If you keep on adding useful content and build some loyal traffic, you might even publicize some clean, fact-checked ads to monetize your traffic.
1622  Other / Off-topic / Re: covid19 and buying miners on: April 07, 2020, 11:26:51 AM
is it safe to buy new secondhand miners cause i have serious health issues touching packages from dirty warehouses ?

You should be OK... I've seen studies and they all come to the conclusion that after 72 hours out of the body, the virus particles break down and are no longer infectious (even in "normal" ideal conditions and on "normal" ideal materials...).

If you buy a miner, i'd just accept the package from the carrier, place it in an unused room for 72 hours (wash your hands after accepting the package, make sure you don't touch any doorknobs with "potentially dirty" hands) and only open it once those 72 hours are over. Do NOT place the package in the freezer, as this will protect the virus.

Placing the box into direct sunlight for a couple of hours is also a good idea, as most coronaviruses don't survive UV radiation.

The only downside is that you cannot check the package for damage as soon as you accept it, this might be a liability problem. Maybe talk to the seller/shipment company first and make sure they understand you won't check the package for damage the first 72 hours after receiving it.

PS: i'm not a doctor. I have a master in sciences so i do think i can understand how to read standard studies, but i'm not specialised in this stuff (anymore). I'm just telling you what i would do if i was faced with this issue. If you want to be 100% certain, you should contact your government.
1623  Other / Beginners & Help / Re: Confused About One Basic Way to Get Coin on: April 06, 2020, 12:08:44 PM
As soon as you deposit your USDT from whatever wallet you're using to the exchange, it's in the exchange's wallet.
The exchange creates some kind of virtual wallet for you, you no longer hold any USDT (the exchange does). You just have a record in their database crediting you some of the USDT they hold in THEIR wallet.

If you exchange your USDT to BTC, you'll have a new virtual wallet with the exchange, now with BTC credit.

If the exchange is honest, they'll allow you to withdraw your BTC to an address generated by a wallet of your choice. At this point you'll have BTC in a wallet where you control the private keys (hopefully), so now it's your BTC.

I don't really understand why you'd be forced to sell your BTC back for USDT here...
1624  Economy / Auctions / Re: Is this Domain worth anything? on: April 06, 2020, 11:32:54 AM
I'm afraid i'd have to agree...
7 letters, hyphen, .de tld, no history. The resale value is close to $0.

However, i've bought domains in the past myself (not going to disclose them, since not all of them are whois protected) and i do think that if you're going to invest a lot of time and effort into your blog, any domain can be a hit, it's just the domain name itself being worth nothing at this moment.
1625  Economy / Collectibles / Re: FREE RAFFLE- Easter Giveaway. COLDKEY PROTOTYPE on: April 06, 2020, 10:36:26 AM
01 - mocacinno

thanks :)
1626  Other / Beginners & Help / Re: Paper wallet withdraw security question on: April 03, 2020, 07:59:34 AM
Hi all
Trying to figure out something,

Have a certain amount in a paper wallet and i want to withdraw half of it.

Using an HD wallet on my mobile and i scan the private code of the paper wallet.

at this stage the private code has been scanned and it's on my device so it's not really private anymore.

Am i missing something ?
Or the thumb rule is to withdraw all the amount from the paper wallet to avoid this situation ?

thanks
Mark




You are right, as soon as your private key touches a device that's been online, you should consider your paper wallet to be compromised.

If you have multiple unspent outputs funding the address on your paper wallet, you should use them all...

Make a new paper wallet, import the private key of your paper wallet into electrum (for example, do check electrum's signature before using it, download only from the official site), create a new transaction spending all unspent outputs, pay whoever you have to pay and send the change to the NEW paper wallet.

If you're really security-conscious you can even use an airgapped setup: create a watch-only online wallet where you import the ADDRESS, create the transaction spending all unspent outputs funding this address (change going to a NEW paper wallet that was created in a SECURE fashion), then install electrum on an offline machine where you import your private key, transport the unsigned tx from the online machine to the offline machine for signing, and back to the online machine for broadcasting.

I'm having a meeting right now, i'll try to answer any extra questions in ~0.5-1 hr.
1627  Economy / Services / Re: Bitcoin database addresses on: April 01, 2020, 10:38:32 AM
I apologize in the above post I wrote wrong because I had problems with cluster server

Ok, 6 characters is a LOT less impressive... That's what i did with a simple cpu vanitygen in a couple of hours as well when i generated my vanity address in the first place... If i would have had a couple GPU's it would have been done in far less time, so matching 6 characters proves very little.

Mistakes are possible, but this does come over as somebody being called on a bluff... First telling us you have the private key for an address matching the first 13 characters, but when being called out only being able to produce a pk for an address matching 6 characters does sound a bit fishy, don't you agree?

If you want a vouch that you indeed have a rainbow table of private keys => addresses containing 10% of the address space, i propose the following:
I generate 500 addresses, completely random, and post them here. You run your algo against these 500 addresses, and if you're able to find between 25 and 75 of the private keys which public key hashes are equal to the addresses posted in my list, i'll give you a vouch which you can use when you're trying to monetize your service.
1628  Economy / Services / Re: Bitcoin database addresses on: April 01, 2020, 09:58:42 AM
1MocACiWLM8bYn this part found
info this address
Quote
Signed Byte   49
Unsigned Byte   49
Signed Short   19761
Unsigned Short   19761
Signed Int   1668238641
Unsigned Int   1668238641
Signed Int64   3704566116609117489
Unsigned Int64   3704566116609117489
Float   4.414334e+21
Double   4.91282096024133e-61
Half Float   20.76563
String   1MocACiWLM8bYn
Privkey: 5KXw************************************
Pattern: 1.*$
Address: 1MocACiWLM8bYn*********
DOSDATE   09/17/2018
DOSTIME   09:41:34
FILETIME   
OLETIME   
time_t   11/12/2022 07:37:21
time64_t   


13 characters is already quite a lot, but definitely not enough to back up your claim of having a rainbow table with 10% of the address space's private key... But still...
I didn't see any real proof though. Everybody can claim they have a private key.. Please sign this message with the private key belonging to the address that starts with 1MocACiWLM8bYn

Code:
This is a random text, signed by bekli23 in order to proof he has the private key which public key hash starts with 1MocACiWLM8bYn

By the way, your OP was quite hard to read, i take it you're not a native speaker... This isn't a problem, but you're throwing all kinds of numbers around... 84.000.000.000, 12.000.000, 21.000.000...

Even if you have a database with 84.000.000.000 private keys next to their public key hashes, the total address keyspace is 2^160.
84.000.000.000 is far from 10% of 2^160.

In reality, even if you have a rainbow table with 84 billion records, that's only 0.000000000000000000000000000000000006% of the total address space...
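Added example (not part of the original posts): the arithmetic behind this reply and behind the 500-address challenge proposed in the later reply, worked exactly in Python. The figures come from the posts; the independence assumption (each random address is in the table with probability equal to the table's coverage) and all function names are this example's own.

```python
from fractions import Fraction
from math import comb, log10

# Figures taken from the posts.
ADDRESS_SPACE = 2 ** 160            # possible public key hashes
CLAIMED_RECORDS = 84_000_000_000    # database size quoted from the OP
CLAIMED_COVERAGE = Fraction(1, 10)  # the "10% of the address space" claim
SAMPLE_SIZE = 500                   # random addresses in the proposed challenge
ACCEPT_MIN, ACCEPT_MAX = 25, 75     # number of recovered keys that earns a vouch


def coverage(records: int, space: int = ADDRESS_SPACE) -> Fraction:
    """Exact fraction of the address space covered by `records` distinct entries."""
    return Fraction(records, space)


def prob_hits_between(p: Fraction, n: int, lo: int, hi: int) -> Fraction:
    """Exact P(lo <= X <= hi) for X ~ Binomial(n, p).

    Assumption of this example: each of the n random addresses is in the
    table independently with probability p (the table's coverage).
    """
    q = 1 - p
    terms = (comb(n, k) * p ** k * q ** (n - k) for k in range(lo, hi + 1))
    return sum(terms, Fraction(0))


def log10_approx(x: Fraction) -> float:
    """Rough base-10 exponent of a positive fraction, from bit lengths.

    Used because the probabilities involved underflow a float to 0.0.
    """
    return (x.numerator.bit_length() - x.denominator.bit_length()) * log10(2)


def assess() -> dict:
    actual = coverage(CLAIMED_RECORDS)
    return {
        # What 84 billion records really cover, as a percentage of 2^160.
        "actual_coverage_percent": float(actual * 100),
        # Records a table would need to hold to cover 10% of 2^160.
        "records_needed_for_claim": int(CLAIMED_COVERAGE * ADDRESS_SPACE),
        # Chance an honest 10% table lands inside the 25..75 window.
        "pass_if_claim_true": float(
            prob_hits_between(CLAIMED_COVERAGE, SAMPLE_SIZE, ACCEPT_MIN, ACCEPT_MAX)
        ),
        # Order of magnitude of the chance an 84-billion-record table passes.
        "log10_pass_with_actual_db": log10_approx(
            prob_hits_between(actual, SAMPLE_SIZE, ACCEPT_MIN, ACCEPT_MAX)
        ),
    }


if __name__ == "__main__":
    for name, value in assess().items():
        print(f"{name}: {value}")
```

The 25 to 75 window is wide enough that a genuine 10% table would almost always pass, while a table of 84 billion records has no realistic chance of producing even one hit.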
1629  Economy / Services / Re: Bitcoin database addresses on: April 01, 2020, 07:41:34 AM
This better be an April fools joke.

Well, it's either an april fools joke, a scam attempt, or somebody that scanned 0.00000000001% of the address space and thinks he has any chance of finding a private key of a funded address... Or we're dealing with somebody from the future that's running a cluster of quantum computers.

But ok, for the sake of the forum, i'll bite:
-----BEGIN BITCOIN SIGNED MESSAGE-----
Username: mocacinno
Address: 1MocACiWLM8bYn8pCrYjy6uHq4U3CkxLaa
-----BEGIN SIGNATURE-----
1MocACiWLM8bYn8pCrYjy6uHq4U3CkxLaa
HOVbE2ZNoYpAnJiFtZie+1J4XGRktFfRs9rk097Rc1pqI+xqatKkiGJcvZbqAcEm+Iobo4lejVDfzIwVvtq4EaE=
-----END BITCOIN SIGNED MESSAGE-----



Now, encrypt my private key with my pgp key found here: https://keybase.io/mocacinno/pgp_keys.asc
then PM me the encrypted private key.

If it's correct, i'll vouch for you... If not, i won't... I *might* even declare this a scam attempt...

I will not send you part of the private key, i will not sign anything that's not drafted by me, i will not open any website, i will not install any app,... As a matter of fact, i'll ignore any message you send me, you claim to have a rainbow table, let's see if that's true.
1630  Other / Beginners & Help / Re: Help me? I may be fucked up on: April 01, 2020, 07:34:33 AM
@realdawgguy, you only made two posts, the second one does need some clarification

--snip-- i filed the address i imported. --snip--

Did you mean you filled the address you imported? Like "Funded" this address, send funds to the imported address you scanned from a barcode on the internet???


or, as nc50lc already asked:
--snip--
  • 3. Did you sent bitcoins to that address before or just to your wallet's other addresses?
    --snip--
In this case, you might be in trouble... You created a watch-only wallet by importing the address. You cannot spend any funds that are funding said address since you don't have the private key. Any funds sent to the address you found on the internet are only spendable by whoever generated that barcode (if he still possesses the private key).

If you did this, start by saving your browser history and find out where you found the barcode. Maybe it's an example barcode and the seed, xprv or private key is printed in the vicinity? Maybe there's an owner you can contact and explain what happened (if he's an honest person, he might reimburse you).

I just hope this worst case scenario isn't the reality...
1631  Economy / Speculation / Re: How do miners affect the price of Bitcoin? on: April 01, 2020, 06:37:01 AM
There is (yet) another reason why people would keep on mining even when it's unprofitable as long as they BELIEVE the price is going to rise again (or the diff is going to drop).

If you own a big mining farm in a western country (>1000 ASIC's) you most likely need a staff of 3 or 4 people (guys that have crypto backgrounds, guys that have technical backgrounds, security,...). Next to this you're renting a serverroom.

Your fixed costs each month include (guesstimations):
A writeoff of your ASIC's (€60.000/month for the ASIC's since i estimate they need to be replaced at least once every 4 years, and they cost > $1000/piece)
A writeoff of other equipment
A fixed wage of your employees (4 employees @ €5000/month = €20.000/month)
A fixed cost for your serverroom (€100/U/month. 4U/ASIC=  €400.000/month)
The fixed cost is almost €500.000/month in this fictional example. This cost remains the same whether the owner is mining or not...

Of course, at these costs nobody could ever run a mining farm anymore... Most mining farms probably have less employees, or use crappy serverrooms instead of professional. The main point still remains though: even with few employees and a crappy serverroom, you'll have fixed costs (the writeoff of the ASIC's for example)

These are fixed costs. The premise of this exercise is a western mining room owner that is currently mining at a loss, but believes it's only a small dip. If he turns off the machines, he might get some discount from the serverroom owner since he's no longer using power... But he'll still have to pay for the writeoff of the ASIC's, the writeoff of the other equipment, the employees and PART of the cost of the serverroom.
If the income he gets from mining is bigger than the discount he gets from the serverroom owner, it's better to keep on mining at a loss, since the net loss will be smaller than stopping altogether.
And it doesn't matter if i grossly overestimated the costs, if it's a one man operation,... There are always fixed costs and variable costs. The variable costs decrease when you turn off your ASIC's, the fixed cost remains. As long as you mine more than the variable costs, it's a good idea to keep mining.

Do realise that this situation can only exist if the owner of the farm believes it's a temporary dip in price, and if he has reserves or can get a loan. I know there are also countries with almost no protection for the employees so it's easier to fire them over there...
1632  Economy / Speculation / Re: How do miners affect the price of Bitcoin? on: March 31, 2020, 11:55:10 AM
Well, miners don't set the price.

Bitcoin price is just supply and demand (and manipulation). If a miner can no longer mine while remaining profitable, he can:
  • Stop mining, sell his hardware
  • Stop mining, keep his hardware in case the price goes up or the diff goes down
  • Keep mining at a loss, hodl the mined BTC
  • Keep mining at a loss, sell the mined BTC


There is no way to know what the actual mining cost is... Some miners in China have big "factories" and pay pennies per Kwh, have a direct link with the ASIC manufacturer (without customs charges or big shipping costs) and pay their workers only a fraction of what a western worker would cost. For them, the actual "cost" of one bitcoin is pretty low.

Compare this with a miner in my country, where the power costs 0.27€/kwh, where you have to pay big bucks to get an ASIC into the country, where the minimum wage is >1500€/month. For this miner, the actual "cost" is pretty high. It's only when the diff falls really low, and the odds of a 51% attack rise, the price can actually be influenced by miners. Of course, miners do have some indirect effect on the price: whenever they start a mining war, or decide not to mine 0 fee transactions, they push down the price due to the negative press.


So, it's basically the other way around: the market dictates the price, the miner decides if he can mine at the current price, or if he has to shut down his operation.
1633  Bitcoin / Wallet software / Re: ERROR Debug.log on: March 30, 2020, 11:54:10 AM
Not really, I've encountered a similar case :D but I did not find any debug.log file as your suggestion. The better thing is that I can continue using electrum by uninstalling and reinstalling :D The difference may be due to the Electrum installation directory, I'm not sure but you should install on drive C (default folder). OP can try it if he wants, not sure if it works for him

debug.log is the log written by default when using bitcoin core...
For electrum, you can enable stdout debug logging on the terminal by adding the -v argument.

@OP: depending on your OS, the path to the debug.log can be found on this wiki entry: https://en.bitcoin.it/wiki/Data_directory
The log does not contain your private key, nor seed... Nobody can rob you just by reading your debug.log, so from a security point of view, it should be safe to post its content. However, by sharing the log, you might decrease some of your privacy
1634  Other / Beginners & Help / Re: Help a newbie find their transaction on: March 30, 2020, 10:52:56 AM
How much did you pay?

If it was in the >$6000/BCH range, you were scammed... If it was in the >$200/BCH range you were misled but not scammed in the strict sense of the word...

You can exchange your BCH for BTC, but you'll lose value, since exchanging requires you to deposit BCH to the exchange (you'll lose a transaction fee), then exchanging BCH to BTC (you'll lose the exchange fee), then withdrawing the BTC (you'll lose the withdrawal fee).
1635  Economy / Games and rounds / Re: [FREE PRIVATE GIVEAWAY] Bitcoin keychain on: March 30, 2020, 10:52:03 AM
So, it seems slot #2 gets a second chance at claiming his/her prize, a 24 hour window to follow the procedure listed the first time a winner was drawn.
1636  Economy / Games and rounds / Re: [FREE PRIVATE GIVEAWAY] Bitcoin keychain on: March 30, 2020, 09:20:57 AM
So...after the ban was lifted...any news about the winner? Or, did the prize go to your daughter? :)

Pls don't understand me wrong, but this try of yours may lead the way in the future raffles. Maybe you should consider writing your above mentioned thoughts also in theymos' OP for this procedure? I think it's a great idea, but maybe your words will convince others as well?!

Well... Because of the problems i had, the final raffle was delayed for a week... But sure, i'll hold it one last time. However, this time i won't disclose if the raffle winner has claimed his/her prize. It's the final time i re-run the raffle, so there is no need to publicly declare if the winner stepped up or not. If there is a winner, i hope he/she creates a new, anonymous, account and posts a picture of his/her keychain after he/she receives it... But that's completely up to him/her.

If i have time, and if there's any demand, i wouldn't mind writing down my experiences in Theymos's original thread. He made a nice system that adds a big layer of privacy, and my experience would help others wanting to benefit from my experience, but if there's no demand, i probably won't bother (but if there IS demand, i wouldn't mind doing a writeup) :)

So... Let's roll one final time:
We're currently @ block #623 591
Let's roll with block number #623 593
1637  Other / Beginners & Help / Re: Homeschooling and bitcoin on: March 27, 2020, 08:07:57 AM
Hi, I was wondering if any of you good folks out there could help out or point me in the right direction. With the lockdown etc I’ve been homeschooling the kids and I thought it’d be a good idea to teach them about money initially and then move on to bitcoin.
There’s obviously a lot of material etc out there and plenty of information, but I can’t seem to find any ‘fun’ activities for the kids to do. So I’ve been looking for some worksheets, crosswords, word searches etc, but the only ones I can find are on sites such as Pinterest and teaching sites, where I have to sign up to. I don’t really want to sign up to anything and I don’t want to pay ideally.
So if anyone has any fun bitcoin related activities for kids or knows of any resources available, it would be really appreciated.
Thanks all and stay safe

How old are your kids? My daughter is 11, and as a lockdown activity, i'm teaching her the basics of programming.

She's pretty quick on picking up the basics of python, she's currently working on exercise 5 of https://www.practicepython.org/.

When she starts with exercises about reading/writing flat text files, i'd like to teach her the basics of relational databases (if she's still interested).

After this, a very small basic walkthrough on the absolute beginnings of cryptography might be next (basic stuff like hashing, symmetric encryption, asymmetric encryption). She's only 11, so it will only be an explanation of the concepts, nothing in-depth.

At this point, i hope she's prepared to hear the fundamentals of blockchain technology... But i figured before she at least had a taste of scripting, cryptography and relational databases, there was no point in filling her head with blockchain tech (let alone crypto currencies).
1638  Economy / Services / Re: 💰 Review MyCryptoMixer.com and receive 0.002 BTC 💰 on: March 27, 2020, 07:36:02 AM
@MyCryptoMixer: i've read your reply, and i'm happy you'll be looking into the issues i wrote down :)

There are some extra remarks i do want to give, and 2 small apologies i need to make:

The apology (1):
I'm a guy that has, at any given time, at least 20 open tabs on my browser. Next to MyCryptoMixer.com, there was a tab open with an exchange i sometimes use that uses the exact same color scheme as your site. The exchange had an option to get notified of deposits by mail, phone, sms, push notification, telegram bot,... They had contact options via mail, ticketing system, facebook, skype, whatsapp, telegram,... I accidentally clicked their tab instead of yours, that's why i wrote the part about not needing so many contact options. It was an honest mistake, and i'll remove this mistake from my review (i'll scratch it).

The apology (2):
After re-reading my initial post, i do come off as quite harsh. I forgot to clearly mention there are loads of good things about your site (layout, security, workflow design,...), but i figure you'll always have tons of people telling you the positive things because they want that payment. That's why i tend to bring up the "bad" things that are fixable instead of focussing on how nice feature "x" is, or how good it is you added header "y", or that you've cleaned up the server signature. Don't read my post as: "this guy thinks my mixer is all bad", but rather as "this guy is bringing up some things i might need to look into to make my service even better"

The extra remarks:
I get that your SEO guy needs those stats, but instead of giving your visitor's data to google, have you thought about Matomo? I've used its predecessor (piwik) on privacy-centered sites many times. They give you about the same info as google analytics, but they're just a free (open source) php/mysql script that runs on your own server, keeping all your visitor's info with you (and there even is an anonymizing function included).

About cloudflare: i do get why people use cloudflare. Don't get me wrong, they do a great job and for any site where privacy isn't so very important, i wouldn't mind seeing the use of cloudflare's cdn, ssl certificates, dns services,... I realise you're definitely not the only one using cloudflare for a mixer, but every time i see a mixer using cloudflare, i raise exactly this point. What people seem to miss is that, even though it looks like you're using a secure connection, cloudflare actually acts like a MITM. This means the data is encrypted between your browser and cloudflare with cloudflare's cert, cloudflare DECRYPTS the data (they now know everything, including the deposit address, the letter of guarantee, the withdrawal address, the user's ip, browser fingerprint, timestamp,..). They have ALL tools in hand to completely de-anonymise the mixing session. Sure, they re-encrypt this data with your cert before they forward the package to your server, but nothing is stopping them from sharing the complete de-anonymised mixing session with the CIA, FBI, ATF, DOD,...
I get you need a WAF, i get you need DDOS protection, i get that it's only the clearnet... But a lot of your users won't know what tor is, they just want privacy and they're looking at you to provide them with this privacy. The very least you should do (in my opinion) is print a very big, bold warning on the clearnet version telling your users that, even though their coins will be safe from bad guys, their session *might* be monitored by law enforcement unless they use the tor version.

There are a couple of hosts that offer Ddos protected dedicated servers. If you combine this with a decent setup and a letsencrypt certificate, you're much safer than you are now (security wise).

Last but not least: i messed up some of the header recommendations. I have a couple of secure setups i'm involved with (but not that many) and i have a messy checklist to verify if everything is more or less correct. Sometimes this checklist is not up-to-date and headers that are no longer best practices are still on the list. You've given me something to think about, and if you are correct, i'll remove those headers both from the services i'm involved with and my checklist... Thanks :)

BTW, i'll send you a PM with an address, so i can review the rest of your setup ;)
1639  Other / Beginners & Help / Re: Paranoid about anonymity on: March 26, 2020, 01:48:18 PM
Who are you to be in the need to be anonymous.

A spy? a dissident? or something else. If yes then it's recommended.

If not and you live a normal life I wouldn't recommend it to you. Because you will end up paying more taxes the day they will find about you. And they always catch you.

If you think those are the only usecases for privacy (being a spy or being a dissident) you won't mind if i ask you the following privacy-invading info:
  • Your name
  • Your address
  • Your phone number
  • Your birthdate
  • How much money is in your wallet right now, where did you get it and where are you going to spend this money
  • The complete list of your bank account numbers and a big record of all transactions made to/from these bank accounts
  • A list of valuable items in your house

Will you give me the answers? No? I thought so... You'd have to be really careless if you'd answer these questions...
Why wouldn't you give me an answer to these questions: simple: because this would invade your privacy, and they put you at risk for being robbed. It's nobody's business who you are, how much money you have and where it's stored... Why would you make an exception for digital cash?
If you give away your KYC info to anybody, and you don't mix/coinjoin your coins, anybody will potentially know who you are and how much funds you hold... Not an ideal situation.
1640  Economy / Services / Re: 💰 Review MyCryptoMixer.com and receive 0.002 BTC 💰https://bitcointalk.org/ on: March 26, 2020, 12:26:30 PM
Disclaimer 0: this is a work-in-progress.... It'll be updated soon

Disclaimer 1: i only read the posts by the owner of the mixer, i did not read the posts of other testers in order not to be influenced.
   
Disclaimer 2: I have not actually used your mixer, i'll only test it out with my own funds AFTER i get the confirmation i'll be getting paid. I'm not going to throw my own money at this project, and lose mixing and miner's fees, if i'm not 100% sure i'll be getting refunded. If i get a confirmation of payment, i'll test out the mixer and update this review EDIT: received some testing funds and actually ran a mixing session :)

Disclaimer 3: i'm holding you to a higher standard than i hold myself... You are delivering a mixing service, you should be held to the highest standards.

Disclaimer 4: there are many things i like... But i think you'll have more added value from the topics that need improvement

Security
There are several remarks i'd like to have fixed if i would ever have to consider using the mixer:
  • You use cloudflare's SSL... Cloudflare acts as a MITM... They DECRYPT every package between the browser and their servers, then POTENTIALLY re-encrypt this data using your server's ssl cert. Cloudflare is a US based company, if a 3 letter agency requests data, they'll give all unencrypted data (no doubt in my mind). The solution is as easy as ditching them and moving to a letsencrypt x3 certificate... They even have a certbot to make life easy for you
  • You are not enforcing HSTS
  • You are loading external javascript from googletagmanager.com, they'll be able to inject js on your page, and they'll be able to track your visitors. Google is a US based company... Same as cloudflare
  • You are loading external javascript from google-analytics.com, they'll be able to inject js on your page, and they'll be able to track your visitors. Google is a US based company... Same as cloudflare
  • You are not enabling DNSSEC
  • HPKP is not enabled
  • Your domain does not have clientUpdateProhibited set
  • Your CSP header is not set
  • X-Content-Type-Options header was not set
  • XFO header was not set
  • X-XSS-Protection header was not set
  • X-Frame-Options header was not set
  • You have a robots.txt file set, this is often used to crawl your site and find vulnerable scripts
  • Referrer-Policy header was not set
  • Feature-Policy header was not set
  • Your server supports TLS 1.0 and TLS 1.1, minimum is 1.2
  • mymixerxtukle6mo.onion is a V2 address... It's as easy as setting HiddenServiceVersion 3 in your torrc. You can even run V2 next to V3 if you really want
  • Access-Control-Allow-Origin header was not set
  • Public-Key-Pins header was not set
  • Public-Key-Pins-Report-Only header was not set
  • What's with all these methods to either contact you or get push notifications... You're a mixer, don't offer to send sms's or phone calls, don't have so many contact options...Your presence on bitcointalk and an email address suffices EDIT: misclicked... I was looking at the wrong tab when i wrote this
  • Limit your attack vectors... Why would you run a blog on the same tld? Why such a big help center? The more scripting, the more potential attack vectors. If you want a blog and a ticketing system: fine... Rent two extra dedicated servers from a different provider, add an a-record for blog.mycryptomixer.com and for tickets.mycryptomixer.com, link to these subdomains instead of your main domain. If your blog contains a vulnerability, the hackers will only learn info about those visitors that visited your blog... If there is a sql injection, they only mess up your blog's db, if they succeed in elevating permissions they now have access to a completely isolated server running only your blog...

Design
  • Don't use any technology that won't work on Lynx or w3m... To start: no javascript... Not all browsers support this, and (as noted above) you'll be tempted to link to external libraries
  • I'm not a fan of scrolling... Your main page fills several screens, it contains starting mixing sessions, but also a salespitch, a faq, a bigger-than-need to be header and footer
  • I get you can change the service fee between 0.5 and 5%, but why is it always set to high >4% by default? I'd either choose a lower range (1-2%) or set no default and let the user choose by himself
  • Why wouldn't you go with a native segwit wallet? It makes you likeable in the community... Don't overload the first mb of those blocks if it's not necessary

Workflow/Usability
  • I'd like a bit more emphasis on the button to start a mixing session... I mean, it's a big button with the bitcoin symbol on it, but it might not be 100% clear that this button starts a mixing session
  • the slider for the time delay and the div where the time delay is actually shown are separated by the button to add new addresses. This makes it a bit confusing
  • I've verified the letter of guarantee, and it checks out (i realise i'm invalidating my own mixing session this way, since an exact timestamp is shown, but i used funds that could be tied to me anyways, and a lot of people know i speak dutch... So whatever) However, i'd like to have a message signed with an address. I already have my wallet open to send the to-be-mixed funds, so it's just easier to verify a signed message using my already open wallet
  • For me, it's clear what the order ID and mycryptocode means, but for others this might be confusing
  • It's nice to push updates, however, i'd still urge you not to use technology that's not supported on all browsers... Maybe you can have a "simple" version where the user will need to refresh his order-page manually but where you cut out all non-essential code next to a "full featured" version where you use ajax, jquery,... Whatever floats your boat?
  • The 0.25 mBtc fee per address was a bit harder to find... I chose a fee between 0.5 and 0.75 and mixed between 0.004 and 0.01, and ended up paying >5%. I know why these funds are asked, but some newbie might not know about fees, so he might feel scammed if you don't make it more obvious that on top of the 0.5-5%, the user is going to have to pay the miner's fee as well...

Taint analysis
It's really hard to do a real taint analysis without using specialised algo's and parsing the whole blockchain and putting it in a relational database... However, i did do some manual checks (following the inputs/outputs chain) and without going in depth, everything seemed fine to me
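Added example, not part of the original review and not the poster's own checklist: a Python audit of raw response headers against the headers named under "Security" above. The split into current and legacy headers, the 180-day HSTS threshold and the sample response are this example's assumptions; the legacy group holds headers that browsers have since deprecated or superseded, which matches the follow-up post's remark that part of the checklist was out of date.

```python
import re

# Constructed sample response headers for illustration; not captured from any real site.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
strict-transport-security: max-age=300
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
"""

MIN_HSTS_MAX_AGE = 15_552_000  # 180 days; threshold assumed for this example


def check_hsts(value):
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if not match:
        return "no max-age directive"
    if int(match.group(1)) < MIN_HSTS_MAX_AGE:
        return f"max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}"
    return None


def check_nonempty(value):
    return None if value.strip() else "empty value"


def check_nosniff(value):
    return None if value.strip().lower() == "nosniff" else "value must be nosniff"


def check_frame_options(value):
    ok = value.strip().upper() in ("DENY", "SAMEORIGIN")
    return None if ok else "use DENY or SAMEORIGIN"


def check_referrer(value):
    if "unsafe-url" in value.lower():
        return "unsafe-url sends the full URL to other origins"
    return check_nonempty(value)


# Headers from the review that are still worth setting, with a value check each.
CURRENT = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_nonempty,
    "x-content-type-options": check_nosniff,
    "x-frame-options": check_frame_options,  # the review lists this twice (as "XFO" too)
    "referrer-policy": check_referrer,
}

# Headers from the review that browsers have deprecated or superseded.
LEGACY = {
    "public-key-pins": "HPKP, deprecated",
    "public-key-pins-report-only": "HPKP, deprecated",
    "x-xss-protection": "deprecated browser XSS filter",
    "feature-policy": "superseded by Permissions-Policy",
}


def parse_headers(raw):
    """Return {lowercased-name: value}; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(raw):
    headers = parse_headers(raw)
    report = {"missing": [], "weak": {}, "legacy": []}
    for name in sorted(CURRENT):
        if name not in headers:
            report["missing"].append(name)
            continue
        problem = CURRENT[name](headers[name])
        if problem:
            report["weak"][name] = problem
    # CSP frame-ancestors covers the same clickjacking case as X-Frame-Options.
    csp = headers.get("content-security-policy", "").lower()
    if "frame-ancestors" in csp and "x-frame-options" in report["missing"]:
        report["missing"].remove("x-frame-options")
    # Access-Control-Allow-Origin: absence keeps the same-origin default, so only
    # a wildcard is reported.
    if headers.get("access-control-allow-origin", "").strip() == "*":
        report["weak"]["access-control-allow-origin"] = "wildcard allows any origin"
    report["legacy"] = sorted(name for name in LEGACY if name in headers)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```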