Ok, that sounds reasonable enough (from what I understand). So the way it's derived is:
nextprime(2^256 - 2^32 - 2^10)
This makes me more confident that there's "nothing up my sleeve" than 2^256 - 2^32 - 977 or 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1. Thanks!

2^256-2^32-x is prime for the following positive x: 263, 359, 361, 487, 739, 949, 977, 1049, 1057, 1339, ...
This explanation doesn't make sense to me: there are larger x, and smaller x. Either it's outright wrong, or not explained very clearly. Can you clarify?

In the field F₂₃, -1 = 22, -2 = 21, etc. For simplicity, the canonical way we refer to them is usually as natural numbers, but it wouldn't be incorrect to think of 22 as -1. The symmetry of DeathAndTaxes's graph is more apparent if you do this: imagine the labels going from -1, -2, .. -11, 11, .. 2, 1. This makes it clear why the symmetry is around 11.5, and e.g. why the reflection of 10, -10, is equal to 13 (-10 = 13 mod 23).

Warpwallet uses 2^18 rounds of scrypt and 2^16 rounds of pbkdf2 (takes a few seconds in the browser). It makes brute forcing very difficult: an 8-character alphanumeric (47.6 bit) password has a 20 BTC bounty on it, expires over two years after it was created, and is still not expected to be cracked (via brute force).

In a decentralized, trustless manner? No. That's the job of the blockchain, which requires being online and waiting for 1 or more confirmations.
There are all sorts of discussions about how Bitcoin can be used instantly (usually by trusting an intermediary), to make it a little more palatable for in-store use for both parties, but bitcoins are fundamentally online.
Physical bitcoins, like Casascius or printed paper wallets, come close to being offline. But you're still having to trust that the coin/paper is really worth what they're saying it is.

What a silly point of view. Even if it's entirely independent and people aren't exchanging fiat for Bitcoin, there'd be a buying power equivalency that'd be sensible to discuss. Can you show that was actually Satoshi's view?

Bingo. It can be a success for that regardless of whether you can call it "using only Bitcoin". Even the places that accept BTC online typically convert 100% of it to fiat immediately on purchase, so it's rare that you find a totally-Bitcoin transaction with a company.

It's a nice experiment that shows the current state of the Bitcoin economy as it relates to traveling the US: you can do everything you need to with Bitcoin, if you go a bit out of your way to book places and buy gift cards in advance. But the companies are usually only interested in holding the fiat, so it'll be converted sooner (when you buy the gift card) or later (when the company accepts your BTC and converts it immediately).

Unless you repurchase the same amount of BTC that you spend. Which further departs this from the idea of "using only Bitcoin"...
Bitcoin could be great as currency between two parties who use Bitcoin. When one (or both) of the parties is only interested in holding the fiat equivalent, though, it's hard to classify the transaction along the lines of "using only Bitcoin". Then it's just another way to transfer the fiat, which may or may not be worse than traditional transfer schemes (credit, debit, cash, etc.), depending on the buy/sell gaps and fees you're dealing with when converting BTC to/from fiat.

Doing one MD5 hash is far easier than creating a transaction and paying a fee to have someone else do it for you. The only way I can even see this being remotely plausible is if you made the tasks fairly difficult, e.g. by specifying a pattern that contains thousands/millions of things to be hashed.

People complain about the blockchain size of Bitcoin, a paltry ~20GB. Rainbow tables can easily reach 200GB or 2000GB. Rainbow tables that are distributed and where people are rewarded for doing low-interest hashes would grow fast. I for one wouldn't want to buy many TBs in order to have an MD5 lookup table/coin.

What if we found a way to harness the entire mass-energy of the Sun, not just the portion burned through by its natural fusion? Because that would certainly give you enough energy to count to 2^256. I'm using data from http://en.wikipedia.org/wiki/Orders_of_magnitude_(energy) that the minimum energy to change state at the lowest temperature yet achieved (100 picokelvins) is ~10^-33 J, and the mass-energy of the sun is ~10^47 J. 10^47 / 10^-33 ~= 2^266, so you might be able to count close to 1000 times 2^256 with the mass-energy of the sun. If you take the milky way with its dark matter/energy, you're looking at ~2^306 information changes.

In fact, since addresses are "only" 160 bits, you "only" need ~10^15 J (~400 gigawatt-hours; the world uses more electricity each hour) to enact 2^160 information changes at 100 picokelvins. Granted, RIPEMD160(SHA256(priv * G)) is much harder than 1 information change, but maybe not "burn out the sun trying" hard.

Don't get me wrong: I know that we'll not get even close to this being an issue for a very long time. But I think that image is highly inaccurate about how secure Bitcoin is. It takes best-case scenarios in some things (energy change, 1 flip = 1 hash), nearsighted ones in others (only one sun, can only get energy by letting it burn naturally), and completely ignores that 2^160 is the weak point of the current system, not 2^256. It's also very light on the science behind its claims.

With extremely high probability, no. The network hash rate recently passed 100 PH/s. If we had been mining at 100 PH/s for 1 year, we would've done about 10^21.5 hashes (actual total number is probably lower than this, but will exceed it soon enough). There's a table on the Wikipedia article about the Birthday attack, which shows that for a 256-bit hash (assuming no known weaknesses), you'd need over 10^38 hashes to have a >1% chance of a collision.
So at 100 PH/s, we'd need to hash for around 10^16.5, or 31 quadrillion years. Even with increasing computer speed, I don't think we practically have to worry about a collision...unless maybe we find a way to harness the mass-energy of entire suns and galaxies, all for the purpose of finding a SHA256 collision.

Yes, a split is possible, and is called a hardfork. This has happened before, but AFAIK there's never been different groups claiming both branches should continue: rather, a code change in the core client causes a fork, and there is consensus on which chain should continue.

Sustaining a split would probably mean that Bitcoin Core is forked, so we have more than one maintained reference implementation: each chain might still like to call themselves "Bitcoin" and claim themselves as the "true" child of the original vision of Bitcoin, but by necessity one or both will have some identifier added to the name it's popularly known by.

Note that transaction outputs from before the fork would be spendable in both chains, while those after the fork would be spendable in only one chain. The effects of this would be interesting...I think it'd be highly destabilizing, discouraging the sustained use of the smaller of the two forks.

Conversion of uBTC or mBTC to BTC is not hard. It's trivial. That's why we're using the metric standards instead of charging in 1/16,384 BTC increments.
Converting into fiat does take a little research or knowledge, but using m/uBTC doesn't make this any harder.

I voted for the millibit/mBTC option. Why? Because at the current value, and since I'm used to dealing with figures in USD, it makes the most sense. (by thinking in millibits, I can easily see figures like 0.019 BTC ~= $10, 0.5 BTC ~= $300, 0.0000132 BTC is insignificant, etc) If bitcoins become more valuable, we might move to microBTC/uBTC/bits (which is just a lousy word for microBTC - the metric system was invented for a reason!), satoshi, or nanoBTC/nBTC (if the protocol changes to allow values so small). Someone in Japan might prefer to see uBTC today, because they're used to dealing with the larger numbers in Yen.
We don't need just one standard abbreviation, but options are good. Flexibility is good, as long as we always have a straightforward way to convert back to a basic unit, i.e. bitcoins. Fixing into one unit besides bitcoins, or trying to imagine that bits is always going to be the "right" unit is silly.

If the cost of mining a block today is 25 BTC, and 1 year ago the difficulty was 10 times lower (as implied by the hashrate being 10 times lower), then the cost to mine the fake year-old blocks would be 2.5 BTC per block. Since this involves forging at least 10 blocks (you were a little fuzzy on the "a couple of blocks before" part, so let's take the worst-case scenario: the TX happened in the very next block), the cost is 10*2.5=25 BTC. As long as Alice's lie isn't worth over 25 BTC (~$15,000 today), Bob should be safe.

Unless a difficulty change happens to be within those 10 blocks, Alice can't modify the difficulty to reduce this cost, and Bob could see that such a change is suspicious. Instead, to minimize the chance of detection, Alice should try to make everything else about the blocks realistic - the block timestamps should be the same as the real chain (if you were including more than the block header, I'd say to include real transactions, too).

Note that Bob could guard against this risk by connecting to the network, even only as a lite client for a short time.

Also note that Bob has no proof that this TX is unspent, only that it occurred at some point.

A significant amount of work can go into finding a vanity address. It could take a prohibitively long time to refind the vanity address (with JS on the CPU, no less) every time you want to access the wallet.

I'd want to include the end count, at least to a little precision, in the brain wallet. You could encode this as a passphrase. E.g. let's say that the JS can try 10k per second to brute force the vanity pattern, and the vanity pattern you wanted was the 57,434,567th thing tried. The program would find the index to remember is "5743", which it encodes as "maybe inside" (with a list like Electrum's, you can have over 2.6 million two-word combos); if you tell it your passphrase along with "maybe inside", the JS can find it within a second. If not, then you have to let it start from 0 to find it.

Or, just take the resulting private key and encode that (with diceware/Electrum-style encoding) as a series of words, and use that as your brainwallet. It would be twice as long as an Electrum seed, unfortunately, which would make for a pretty tough-to-remember brainwallet.

No, it's not at all possible to do that. The signature, created using your private key, specifies where the bitcoins are going. If someone modified that, the signature and transaction would be invalid. Transaction malleability can create confusion, especially when someone tries to use a transaction that's not in a block yet, but this will never result in "I signed this tx, and then the address on it changed without me resigning it".

I'm not sure what happened with you and MtGox; the most likely scenario is that you were confused about what address you were sending to, or confused your change address and your MtGox address.

Bitcoins aren't illegal, and they are valuable. Just like seized cash, houses, and cars that were used in crime, there is no good reason to destroy them when they can keep or sell them. It would be incredibly wasteful, even for a gov't, to do so. They're not showing greed, they're showing a bit of common sense.

Back on topic, though: there's no foolproof solution to a rubber hose attack, but a safe deposit box at a bank would be a good start. If possible, instruct the bank that (except in the event of your death) only you, unaccompanied, are permitted to access the box. This would mean that your attacker would have to leave you alone in the bank, giving you an opportunity to alert the police, or escape him completely.

If you lose your (old-fashioned) wallet, someone else can spend your cash. If you lose your (Bitcoin) phone-wallet without a password protecting it, someone else can spend your bitcoins. The only difference is that if you have a backup, you might be able to spend your bitcoins first, whereas with cash it's gone (unless an honest person finds your wallet and can return it to you).

You shouldn't be carrying around more unprotected bitcoins than you would cash, and for the same reasons. Since entering a long (read: secure) password on a phone is such a pain, un- or slightly-protected bitcoins will probably be the norm.

I'll give you the fact that the current credit card/financial system is great for fraud protection. But that's not really possible in a no-trust scenario like Bitcoin.

FTFY