To be clear:  Do you speak of putting a price on rank itself, or selling the ability to wear a large, flashy signature?  The ability to affix a colourful billboard to each post is the only practical (as opposed to social) “privilege” of the highest ranks.

I argued vehemently against the purchase of rank when mine was at “Newbie” level; here quoting myself in full:

Thanks.  Ah, but you don’t know me!  When I am nasty, the wrath of my pen is unequivocal; and I never make excuses for it.  Why, just the day before yesterday, I insulted a man so badly that he gave me +50 merits.  I believe that to have been an historic forum first.

Here, I know that I myself fell to the same error as OP apparently does—spent years and decades repeatedly and perpetually living that error.  What I told OP is some version of a much longer, far harsher speech I wish I could go back in time and give myself.  (The version I would give my past self may involve screaming, cursing, and violent shaking by the lapels.)  Had I followed the advice I here stated, my life would now be much different and much better.


That sounds much like me.  Unfortunately.

Such creativity is a rare gift; but all too oft is it wasted.  From a population of many millions of people, yes, there must be some thousands who have within them the sparks of what could become good ideas.  Yet it is only but the few and the rare who have the requisite studiousness, willpower, passion, and focus to capture such a spark, kindle it, stoke it, feed its fire, and grow it to the brilliant flame of a working invention.

I yearn for the boundless energy of youth, combined with the fortitude granted by hard experience—and by the regrets of hindsight.  I could have been—could have done—but I did not, therefore am not.  Perhaps will yet be, someday—but am not, now.

It is through such experience that I encourage people who claim ideas to put their alleged ideas to the only test that counts:  Brush up your skills where needed, work hard, and—well, most of you will find that your precious ideas were actually stupid, and you are not nearly as smart as you thought you were.  Statistically, most of you.  But a few of you may succeed in building something brilliant.


Bitcoin is more original than you give credit for.  From Chaum forward, feasible ideas for digital currencies always required a trusted authority.  (Chaum’s solution had much more privacy than Bitcoin does; but it was designed to be issued by a bank, and that’s actually why it failed!  Most banks did not want to issue digital cash which could be passed privately, without identifying counterparties or revealing transaction details to the bank.)  And the need for a trusted authority always most of all boiled down to the double-spend problem.  Digital bits can be copied, after all.

Satoshi solved a problem nobody else has ever adequately solved, not before and not since:  How to create a decentralized, trustless Byzantine agreement for the ordering of transactions.  Thus was solved double-spend.  His solution to this is what we call “mining”—though Satoshi himself did not use that word; he called it “generating”.

The tools he used for this purpose were not original to him.  He repurposed Adam Back’s Hashcash, which he credited in his original whitepaper.  But the way he put it together was original—and brilliant!

So as for double-spend; so as for the totality.  In the whole of the system, the parts are not original to him; but the whole is more than the sum of the parts.

If you want to better understand the numerous pieces which Satoshi borrowed from others, and the original way he fit them together into a new system, I recommend this article:

Narayanan, A; Clark, J.  “Bitcoin's Academic Pedigree”.  ACM Queue, vol. 15 issue 4 (2017-08-29)

You misunderstood.  I am not using Bitcoin Core to generate the keys—what?  Through the JSON-RPC interface?  That would be absurdly slow, and quite stupid.  Rather, I am using Core’s “Optimized C library for EC operations on curve secp256k1”.  Speed-wise, it runs circles around OpenSSL for ECC key operations.  On the slow test machine, with OpenSSL, I could never get over about 1500 trials per second per CPU core.  With Core’s library, I can get up to around 10000 t/s/c; and the speed of my platform’s regex library seems to become a serious bottleneck.

The probability is negligible that any of your computers could be slower than mine are.


I have no Windows in my house.  The idea I’d floated is using mingw to create a Microsoft Windows binary from a non-Windows system.

Before publicly distributing such a thing with my name on it, I would need to work with tester(s) who have Windows systems available.  It’d be good to know if anybody would be interested in doing that (cough).


Off-topic:  I smell a potential issue of EFI vs. MBR.  You said your computers are slow; therefore, I presume they are old.  I suspect you may have downloaded something which uses EFI, and does it in a manner wholly incompatible with older systems.  This question is way off-topic here; should you be interested in discussing it, feel free to PM or e-mail me.  PGP mail is most preferred.

I presume universal suffrage, and a strictly ochlocratic democratic rule of “one account, one vote”.

Thereupon, I wrack my brains:  Who would advocate a vote amongst a population which has been invaded by large masses of spammers, and still much larger masses of spammers’ farmed alt accounts?

Cui bono?

Too bad, I am not smart enough to figure this out.  I suppose that my abysmal lack of intelligence is why I need to whine about the merit system and scheme to undermine it, instead of undertaking the impossible task of writing posts which people like.

---

There you go, the Legendaries’ oligarchic old boys’ club locking out downtrodden new users like me.  When do I get to also be actmyname, Lauda, aTriz, DarkStar_, hilariousandco, and theymos?  You Legendaries are all the same person scratching each others’ (singular) back, and pushing down users who have a RIGHT to be imagined to be your alter ego in whackjob theories by users who got caught doing something bad.

STOP THE PREJUDICE.  WE ARE ALL YOU.  ACTMYNAME = LAUDA = ATRIZ = DARKSTAR_ = HILARIOUSANDCO = THEYMOS = US!

I will save newbies the trouble here:  THE TRUTH is that this forum has exactly one user, “theymos”, who runs bots to create good posts, bad posts, spam posts, and arguments between putative spammers and putative antispammers.  If you join this forum, then you will become one of theymos’ bots, too.  And you shall.  I know this because the proved scientific of solipsism has proved that you are all figments of my imagination.  Thus, you are all... me.

What platform are you on?  In late December, I wrote a Segwit “Bravo Charlie addresses” (Bech32) and also P2SH-nested (“3” addresses).  It can search for both at once, which is beneficial because key generation is expensive.  This was used to generate both the Bitcoin addresses you see in my signature:  The address starting with “3NULL”, and the address starting with “bc1qcash”.

It is written in C.  I’ve been intending to clean up the code, test-test-test, and put it on Github; but somehow, that keeps getting pushed down the TODO list.  It is UNIX/Linux only, though I’ve mulled trying to compile Windows binaries with mingw if there were demand.  (I do not have any Windows systems.)

My generator is not derived from Vanitygen or any other vanity address generator.  At present, and in any foreseeable initial release, it does not use the point addition trick which Vanitygen uses; for each key tried, it reads a new private key off /dev/urandom and creates a public key from that using Core’s secp256k1 library.  Thus, it is relatively slow.  On an ancient airgap laptop with a very slow CPU, it can try a maximum of about 10k keys per second per core.  I just leave it running with a pattern; it has been running for weeks, as of now (I should check on it!).  Based on comparisons of how long a FreeBSD buildworld takes, I guesstimate that a newer CPU might get close to 100k keys/second/core.  A major speedup was obtained by using Core’s library; it is 5x–7x faster with Core’s secp256k1 than with libcrypto (OpenSSL), so I ripped out the code for using the latter.


Beware, Segwit requires that addresses be generated from compressed public keys.  Vanitygen does not support compressed keys; I saw a patch somewhere on Github for that, with ensuing discussion pointing out that the patch had a serious bug.  (Aside, this also means that Vanitygen users are paying even more unnecessary fees than they are for not using Segwit.)

All the Bitcoin software I write uses only compressed public keys.  Also, I pay careful attention to avoiding release of any money-losing bugs.  This is one reason I am sometimes slow with these things.  Testing can take longer than coding.

And... done!  From the trust page for #1443762 “lovepale”:


Also reported to moderators with the message:  “Ipso facto merit farming:  Begged for merit.  Flagrantly.  Amidst a discussion of why begging for merit is a reprehensible abuse of the system, nuke on sight.”

Let this be made an example.

---

I know my tagging will have little direct effect at present, other than sending a crystal-clear message.  But it’s important to establish the precedent for declaring merit-beggars untrustworthy.  That, they are!  I hope to see DT members doing same, which will really have some bite.

As for moderation, I’m not a mod, either; but hereto (not including this report), I “have reported 158 posts with 100% accuracy”.  Mods need people to help them clean up the garbage.  By making earlier methods of spamming/farming unprofitable and thus stemming the flow of garbage at its source, the merit system should ultimately result in less garbage to begin with.  The merit system must not be corrupted.

There was recently a discussion of how even some Hero Members were newly learning Bitcoin history due to the awarding of merit to Laszlo (inactive account) for the famous pizza post.  Amidst that, and in agreement with it, I made an impassioned plea to bring all the old technical discussion gems to the surface—and “perhaps even slowly revive the forum to those glory days!”

For my part, those archival posts represent the forum I wish I could now experience.  Seizing the moment when people are fired up about the merit system itself, I thought it might be an opportunity to induce people to read those old posts—to interact with them, in a way—to be inspired by them, as I am.  Broken windows and spammy garbage posts are infectious to neighbourhoods.  I’d hoped that superlative quality would be, too.

Of course, that post of mine seems to have been mostly ignored.  You may be right.  I’ll have to think about it.


Sure there is!  Of course, there’s much difference between Bitcoin having fresh stuff, and the Bitcoin Forum having fresh stuff.

As to the latter, I really think it depends on your interests.  I rarely go anywhere besides Development & Technical Discussion and Meta.  On the development forum, the S/N ratio is disappointing but passable; of course, the real action is on bitcoin-dev (a strictly moderated list) and Github.  I’ve been intending to explore other forums; but last I really tried, I found myself wading from one cesspool to another, and promptly gave up.  I hope the merits system will improve the situation.

---

FOR SHAME.  I actually did once award merit to someone who begged me for it.  That person did not need it, was obviously not really seeking it, pulled it off in a genuinely ironic manner amidst witty discussion—and did it in Latin.  By contrast, you are a pathetic freak.  There’s no room for you here:  This village has enough idiots.  *plonk*


...whilst locked in a pillory, being shamed and pelted with rotten vegetables.

As trust is transitive, so is shame.  Giving merit for utter trash is an antivoucher which should operate as the precise inverse of vouching.

---

I am a living counterexample to that statement.  The strict majority (78/151 = 51.7%) of the merit I have thus far received was in “Development & Technical Discussion”, plus 1/151 = 0.00662% in “Bitcoin Discussion”.  If you exclude the +50 I got from some whackjob when I insulted him in Meta (an historic forum first!), the current proportion I have received outside Meta rises to 78.2% (78/101).

Those who who complain about the merit system either aren’t smart, or aren’t working hard on their posts—or both.  Some of my best posts take hours to write, edit, proofread, gather links for, etc.  I expended the level of effort in December.  (I will let my post history speak for me as to smarts.)  You will understand if I take a very dim view of the whiners.


...which is why we need the merit system:  Those who are now screaming in pain are precisely those who so should be.

---

Touché.  (Said by me because I gave +1 to that post.)

(Aside, I think that the merit threshold for achieving Legendary status should be drastically raised—at least doubled or trebled.  Some back-of-the-envelope calculations show that reaching the current merit threshold within the time needed to accrue requisite activity is far too easy; whereas attaining the top rank of anything should be disproportionately difficult.  Nevertheless, I tend to sympathize with decent posters who were this close to the lower activity bound.)

---

I like your approach.  Consider report-and-tag to be my new policy.  I’d still suggest also public shaming—but only occasionally, where appropriate.  That generates noise, just as any other reply to spam.  I think that it’s certainly appropriate to make a public example for others, when somebody begs for merit in a thread condemning merit-begging.


Thought I just had:  I sometimes find interesting threads by looking at the post history of someone whose posts I like.  Perhaps it would be wise to keep track of where quality posters spend their time—a sort of benign quasi-stalking.

---

Earlier on this thread, I cut this part of my self-quote for brevity:


I disagree with theymos here.  As I said, asking for merit is akin to a student asking a professor for an A.  Lauda is right:  Begging for merit is inchoate trust farming, by definition.  It is solicitation of corrupted approval.  It poisons the whole system.  It must be condemned unequivocally.

FOR SHAME.  DO NOT BEG FOR MERIT.

That was ironically stupid, too.  The rest of your post expressed something I myself had wanted to post.  I may have given it merit.  Well, instead, welcome to my ignore list.  You are the first; I usually don’t believe in ignore lists, but begging for merit deserves it.  *plonk*

Begging for merit is revolting, reprehensible.  In part, it can be addressed through the forum’s technical features as you just said, or as hilariousetc said:


(Thanks; I will keep that in mind with my trigger finger on the “Report to moderator” button.)  ...or, as Lauda said:


However, begging for merit is a social problem; and social problems need social solutions.  Quoting part of what I myself said on the subject a few days ago:


Thus, I find this idea meritorious (boldface added):


If you find people begging for merit, trading merit, or farming merit, then you should name them, shame them!  Ridicule, insult, and humiliate them!  Make of them an object lesson not only to them, but also for all to see that such disgusting behaviour is NOT WELCOME HERE.

All functioning societies have both positive and negative feedback mechanisms for regulating members’ behaviour.  Here, the merit system itself is a positive feedback mechanism; and I believe it should stay that way.  (Much though I might sometimes wish to issue demerits, I also realize how such a thing would chill the expression of thoughtful but unpopular opinions.)  In the category of negative feedback mechanisms, shame and its sister shunning are the timeless classics which enforce the boundaries of social acceptability.  No community can long live without shame, just as no community can prosper without some basic notions of honour.

In a written medium, the pen is the sword.  Wield it wisely—and where needed, mercilessly.

---

Copypaste is already permaban actionable.  Problem solved!

---

I am strictly opposed to those threads.  I urge the people making those giveaways to reconsider.  Awards of merit should and must be an organic process.

Here and elsewhere, I disagree with you about the question of awarding merit to old posts.  The archives of this forum contain a hidden library of knowledge, especially in the “Development & Technical Discussion” section.  Awarding merit to old posts helps highlight them; where the authors are still active, such belated recognition also has direct utility.  The first merit I awarded to any post older than a month or so was for the post which first brought me to fully realize the problems with DHTs, and why Bitcoin does not and will not use a DHT.  I could not exclude such classics from consideration for merit awards.

This is wrong.  “likely possible”?  Is that how you give cryptography advice?  Is it, or isn’t it?  Can you do it?  Have you done it?  What can you demonstrate about the security properties of the results?

Back up one moment.

I could explain why I trust my system’s CSPRNG, in terms which reduce to my security assumptions about the properties of certain things (such as hash functions).  It may come out a bit muddled, and much less rigorous than a professional cryptographer would do.  But I could explain in some detail why I think my computer’s CSPRNG is secure.  (It would be a waste of my time and readers’ time; read something rigorous by an actual cryptographer if you want that level of detail.)

Can you explain what you said?  You made a positive assertion of “serious defects”.  Can you identify what they are?

This is an important question.  What you said encourages homebrew.  In crypto, almost invariably that results in a festival of foot-shooting.  (Are those hexadecimal gaming dice really well balanced?  Are you sure?  Also, are you aware of the research literature finding biases in actual flips of actual coins?)  Worse, you waved your hands and said it’s “likely possible” to cook up some homebrew electronic randomness gadget.  For anybody who lacks deep expertise in both maths and physics, this is a guaranteed security disaster.  (I linked to John Denker’s site.  He’s a physicist.  He has enough knowledge to design his own stateless random symbol generator based on thermodynamic noise in analogue circuits—still not using any home manufacture, either; just an ordinary computer soundcard.  I don’t have that knowledge; I am pretty sure that you don’t, either.)  Worst of all, deterring people from reliance on a good CSPRNG is sending them in the wrong direction.  That’s bad advice!

Also, I should emphasize, you said “library functions”.  I spoke above about the kernel, which has access to the hardware and can seed its PRNG until it contains not less than 256 bits of unpredictable interal state.  “Use /dev/urandom”.  I am not here saying that library functions are flawed!  Some are excellent; but they, too, must be seeded from somewhere—that is, from the kernel via the random device.

It is.  Lots of people have ideas.  All of them are oh so valuable.


Stop worrying about somebody stealing your precious idea.  Your idea is worthless, and it’s not very good.

Hold on.  I am not trying to be nasty.  I will tell you a little story—the much abbreviated version.

In 2006, I had an idea for a cryptography-based digital currency.  (That doesn’t say much.  People have been trying to build those since the 80s, the seminal early work being Chaum’s.  What we now call “cryptocurrency” is the realization of a cypherpunk dream of the 90s.)  I knew that at the time, I lacked the requisite skillset for building it myself.  Thus, I did nothing.  I did suffer the delusion that my idea was valuable.

In 2008–09, Satoshi Nakamoto published the Bitcoin whitepaper and a working prototype.  His idea was so much better than mine, the comparison is laughable; and that’s no coincidence, for he knew how to build his idea.  If you don’t know enough to put an idea to practical effect, then you don’t know enough to have a good idea in the first instance.

Please.  You say you’re a civil engineer.  What would you say if I were to tell you that I have a valuable breakthrough innovation in your domain of expertise, but I don’t know enough civil engineering to build it?  If you’re really a civil engineer, you’d laugh at me.

Ideas from people who have the knowledge are a dime a dozen.  It’s the implemented ones which are valuable.  And ideas dreamt up without adequate knowledge are absolutely worthless.


Oh, that’s more or less exactly what I told myself in 2006!

Either get moving fast, or forget about it.  In the former case, you may have a chance of success if you’re smart and hardworking.  In the latter case, you will save yourself many wistful sighs.

(On the third hand, if you are independently wealthy, you could try to hire other people.  You would need much luck for it to not be a disastrous financial sinkhole.  Think, again:  Could somebody without civil engineering expertise competently select a competent civil engineer?  Many “consultants” more or less deliberately take advantage of this peculiar problem, but that’s another topic.)

These two links should help give a conceptual grasp of what Schnorr signatures do and why you’d want them.  I myself want them so badly I can taste them, so to speak.  Though no, you are correct, it would be as yet quite impractical to wait for them.

https://medium.com/@SDWouters/why-schnorr-signatures-will-help-solve-2-of-bitcoins-biggest-problems-today-9b7718e7861c

https://medium.com/@nopara73/privacy-and-schnorr-signatures-e2175d27f022


Oh, I strongly encourage you to bump that up the list!  If you use nested “3” addresses, that’s a drop-in replacement for what you use now.  If you use Electrum, I could walk you step by step through setup of either type of wallet; I took a bunch of screenshots and planned a guide, but never quite got around to assembling it.  That’s probably the easiest option right now.

Core v0.16 is coming soon, with Segwit support in the GUI and change addresses.

In a number of threads, I have observed confusion over the security level of the of the secp256k1 elliptic curve used by Bitcoin’s public keys.  Following is an image of Table 1 at page 8 of the pertinent standard (PDF).  I have added a red arrow pointing to the line matching what Bitcoin uses.  The two most important columns here are “Strength”, representing the security level of the algorithm, and “Size”, the actual key size in bits.  The strength equivalence to RSA/DSA is a vexed estimate I would prefer to mostly ignore here.


Thus, as you can see, Bitcoin’s public-key crypto uses 256-bit keys but is deemed to have a 128-bit security level.  I will briefly explain what that means.

If an attacker were to use a bruteforce attack, trying keys one by one, that would require on the order of 2²⁵⁶ work.  (I here ignore the restrictions on valid secp256k1 keys, which reduces that to about 2^255.5; the difference would be negligible in practical terms, and it’s anyway not here relevant.)

However, no serious attacker would ever try to bruteforce elliptic-curve crypto.  Rather, it is estimated that breaking Bitcoin’s 256-bit keys with the best known attacks should require around 2¹²⁸ work to solve the ECDLP and thus calculate the private key from the public key.  In practical terms, it is therefore considered to have security equivalent to that of a 128-bit cipher for which the best known attack is bruteforce.

Similar security-level estimates are used for other public-key crypto, such as RSA.  However, RSA security level estimates are so vexed and unreliable that I quite mistrust them.  I remember when 1024-bit RSA was oftentimes claimed to be oh so secure—um, no.  The above table estimates that Bitcoin’s public-key crypto has an equivalent strength to 3072-bit RSA.  I suppose that sounds reasonable—maybe.

For comparison, Ed25519 is also considered to have a 128-bit security level; and Ed448-goldilocks is considered to have a 224-bit security level.  NIST P256 is claimed to have a 128-bit security level, and NIST P521 is claimed to have a 256-bit security level, although nobody sane uses NIST curves anymore.

In layman’s terms, a 128-bit security level is very, very strong.  It is what buzzword-lovers usually refer to as “military-grade security”.  Those who seek better than “military-grade security” (or wish to make fun of that idiotic term) may instead seek “‘Spinal Tap grade’ security”.

How strong is a 128-bit security level?  For reference, at current hashrate, it would take the entire Bitcoin mining network more than one trillion (10¹²) years to perform 2¹²⁸ work—and that’s with SHA-256 ASICs, which can’t be repurposed to do other calculations.  Performing 2¹²⁸ calculations of any kind is what I call “boil the oceans” security:  The energy required would actually do that, and worse.  It is unreasonable to suppose that it could ever be humanly possible to do 2¹²⁸ work.

Thus, Bitcoin’s public-key security is humanly impossible to break now and for the foreseeable future.  It could only be broken in one of two cases:  Either a new mathematical advance drastically reduces the work required for the best known attack, say to 2⁸⁰ or less; or there is constructed that mythical quantum computer which doesn’t exist, and may or may not be possible.  Very smart people have spent many years trying to do each of these tasks.  Research in these fields usually tends to be incremental; so if (if) they ever succeed, we will probably have at least a few years’ warning.

The usual reasons for seeking a 256-bit security level are (0) to provide an extra security margin against unforeseen mathematical breakthroughs, and (1) because for most use cases, the extra cost is relatively small; so why not have the security of something which is twice as impossible to break?  (Well, if you need to store keys in transaction outputs on the Bitcoin blockchain, the size difference would cause higher fees—for one problem, a real and immediate cost to users.)

But setting aside the potential of such unlikely events, the upshot is that Bitcoin’s public keys are plenty strong enough to protect the monetary value equivalent of hundreds of billions of dollars.  Or trillions.  Or all the money on Earth.

I strongly recommend that anybody not deeply involved in developing Bitcoin’s long-term security should absolutely not worry about the strength of Bitcoin’s public-key security.  It’s worse than useless worry:  It is a distraction from real problems.  Worry instead about your computer security, your operational security, and your financial privacy.  (Nobody can target you for theft or coercion if nobody knows you have anything significant to take.)

It is as if many people are keeping their coins in a safe with an unbreakable door (the cryptography—all of it) and walls made of tissue paper (the malware-infested PC, privacy leaks which may allow thieves to identify you and know what money you have, etc., etc.).  Then, they obsessively worry about the security of the door!  Don’t do that.

Jet Cash, at 01:08:46 UTC today, I sent you one of my (then relatively few) sMerits as to your complaint about your status on another thread; it was not the first one I’d sent you in that thread, either.  You may presume that I understand your situation.  I also have spent some time lurking in your threads in Serious Discussion and Ivory Tower.  You may presume that I appreciate good posts and good posters.

I am also presuming here:  I presume that you are referring to me.  Correct me if I’m wrong.

Thereupon, I invite you to peruse my post history from start to finish, and also the list of recent merits awarded to me.  Most of both are in Development & Technical Discussion, which should give you a hint.  So should this:

• For personal reasons, I was inactive between 2018-01-05 02:24:31 and 2018-01-29 23:58:40.  Thus, I was inactive for almost the first five days of the merit system; and I have now only been active for less than 48 hours of it.
• Since I had previously made quality posts which people remembered, I accrued 17 merits whilst completely inactive.  After I became active again, my older posts accrued not less than another 19 merits.  All of those were in Development & Technical Discussion.  All were technical in nature.  5 points at once were for one of my posts in a discussion of Bech32 involving one of BIP 173’s authors.
• Within my first 24 hours of renewed activity, I earned 22 merits for new posts.  Most were in Development & Technical Discussion.  Most were for technical posts.
• I could continue, but I think I made my point.

Now, generally, am I one who should be said to make “average or worse posts”?

In this thread, I was given quite ordinary merits by multiple persons earlier on.  I kept up with this thread as it heated up, because I loathe forum garbage, and I don’t want to see the new merits system wrecked by farmers.  I pushed soniclord’s buttons, deliberately.  He first responded by spilling forth some pertinent investigative information, as I expected and desired; that better established the timeline.

Then, he responded by simultaneously throwing 50 merits in my face and negative-trusting me.  That, I could have neither expected, nor even imagined.

At first, I was actually upset by the merit points.  I want to earn those, and do it in a natural manner by continuing to write quality posts.  I do put in considerable effort and time; frankly, I also want some measure of how valuable my posts are to others who simply have nothing to say in reply; in December, I’d oft wondered about that.  Now, I am unapologetically proud at my aptitude for earning merits; in a matter of days, I had earned merit points almost equalling my activity level.  I had 79 merits, purely on the merits!  I did not want a dump of 50 merits tossed in due to getting into a flamewar with a whack job who has bizarre ideas of revenge.

Then, as I said above, I realized that I fully, meritoriously earned these, too:


I wrote that before I saw your post.  (I prepare all my posts in a text editor, not a browser textarea, and archive them on my local disk.)

If your derisive remark was directed at me, I invite you to look to the substance of I’ve posted.  I am comfortable standing on that.

---

Edit:  P.S., to give you an idea of how much I detest spam:  My mod report stats currently say, “You have reported 151 posts with 100% accuracy”.  Almost all of that occurred in the month of December.  I started actively using this account on 1 December 2017, and was absent for most of January.

“So, so, so...  Well, well, well,” again.  I stepped away briefly due to other immediate obligations, then took up other replies which I’d been neglecting—and now, what have we here?  I don’t actually shoot from the hip; and this took a little while to figure out:

soniclord has treated me both as he treated Lauda, by throwing 50 merits at me, and as he treated actmyname, by giving me retaliatory negative trust feedback.  I must be doing doubly right!


I am thrilled at this endorsement.  I would be honoured to frame it and hang it on my wall.  Also, I am laughing so uncontrollably that I find it difficult to type this post.

Ahem—

soniclord, I was wrong:  You are not either stupid or crazy.  You are both stupid and crazy.

The 50 merits temporarily befuddled me; I didn’t know what to do with them.  I place great pride in earning merits by meritorious action.  Then I realized, I did earn these.  If I am being treated as actmyname and Lauda combined, I fully deserve +50.

The negative trust will have no effect on me whatsoever—as is known to anybody who understands how this forum’s trust system works.

As for you, you started this thread with a desire to be relieved of one negative trust feedback.  Now you have two, from actmyname and Lauda.  Congratulations.  No, make that three:  After I post this, I will add mine, too.  It will have no practical effect on you now.  But I will do this just in case I someday in the future become widely trusted.


Now that you’ve torched your career of shady, spammy forum dealings, I do expect that you have a new job option:  Write the definitive manual on how best and fastest to ruin your reputation, humiliate yourself, and totally destroy your Bitcoin Forum Legendary account.  It may not be a best-seller; the market is such a small niche.  But your expertise on the subject is incisive.

HTH, HAND.

Well put about trust.  I began writing a long post here.  Rather than much delay my reply, and to better stimulate active discussion, I hope to address your questions a bit more concisely—if much less elegantly:

On a brief skim, I see some problems with that Calomel.org page:  0. It places too much reliance on statistical tests.  As I said above, statistical testing can prove that RNG is flawed, but can never prove it to be sound.  Experts faced this problem with the Intel RDRAND/NSA BULL RUN fiasco.  Try encrypting the output of /dev/zero with AES-CBC, approximately `dd if=/dev/zero bs=1m count=1 | openssl enc -e -aes-256-cbc`, and running the statistical tests on that; all tests will pass!  1. It gives advice on tuning your software RNG and also on hardware entropy gathering, all of which must be carefully audited.  2. It is outdated.  For example, I have not kept up with the latest in OpenBSD development; but I am under the impression they completely ripped out the flawed ARC4 cipher, replaced it with some ChaCha variant (one of djb’s stream ciphers), and deprecated /dev/arandom.  The Calomel page (wrongly) recommends symlinking all other random devices to /dev/arandom.  (Not sure about these things.  I’m not an OpenBSD user.  Please double-check.)

An excellent link in my prior post to which I should have given more attention is John Denker’s Turbid.  I do not know the exact status of its software implementation; but the Turbid paper will answer many of your questions much better than I could.

I do think that most modern “unixoide” systems (as you put it) will have adequately secure kernel random devices.  (I think I may borrow that terminology from you!)  Thus my repeated advice, read() off /dev/urandom.  If you have only one takeaway from this thread, please let it be that.

How is this linked to Bitcoin?  In brief:  If your randomness generator is flawed, then you risk losing all your money.  There are people who scan the blockchain for evidence of coins they can snatch this way.  Solution:  Use a good PRNG!  Most importantly, don’t break an expertly designed and implemented kernel RNG by trying to improve it.  Most Bitcoin users don’t get their coins stolen due to a bad PRNG; this should put things in better perspective.

If you need to generate some Bitcoin keys yourself, read() off /dev/urandom.  That’s what I do; see e.g. the sources of easyseed (forum thread).  If you run Core, then let Core do its job; there are Core developers who could run circles around me on this subject, and they pay careful attention to these issues.  (I don’t trust much other Bitcoin software; most of all, I explicitly distrust the popular save-a-webpage Javascript Bitcoin tools.)

Finally, please note:  I myself am not a cryptographer.  I wish to make that absolutely clear.  I am a programmer strongly oriented toward privacy and security; and I believe myself to be crypto-savvier than most.  I trust myself to tinker with my kernel’s PRNG—mostly because I know enough to know the limits of my own knowledge, so I know which parts of the code I must not touch.  I do trust myself to choose between cipher implementations; I do not attempt to write my own cipher implementations.  Likewise, wherever I feel my knowledge may be shaky on any subject, I will say so rather than risk giving you bad information.  I have already done so in this thread.

---

You refer to “modulo bias”.  It is one of those subtle DIY crypto dangers of which most people are totally unaware; props to you for even knowing about it.  I will later write another post explaining this, with a little quoted code snippet for avoiding the bias.


I tend to feel that way, too; but I recognize that it is a superstition, at least on properly designed and implemented system.  Your randomness generator should have two pertinent states, seeded and not seeded.  As soon as it reaches the former, it’s as good as it will ever get.⁰  Before that, it is in the latter state—and it should block, refusing to give any output.

Unfortunately, the Linux random/urandom system is not designed this way.  I am strongly critical of this.  Violating what I said above, the one time you should avoid using urandom instead of random is during or soon after the boot sequence.  urandom will give output, even when the generator as a whole has never been properly seeded.  This is only a concern if you run Linux.

---

0. I here wholly omit discussion of recovering from state compromise.  In the context of a kernel RNG of a running system, I am of the school of thought that this is somewhat ridiculous:  An attacker who can read your kernel’s internal state can probably grab your keys from userspace, too.  However, I may consider this opinion in view of Meltdown and Spectre; thanks for giving me the impetus to think it over.

To start with, I think that soniclord shot himself in the foot by first trying to retaliate with negative trust, then waiting three days, then PMing actmyname—and then waiting only three hours for a reply before posting this thread!  (This was apparently in the late evening in actmyname’s time zone, too.)

Add to this that to exonerate himself of guilt, soniclord would need to prove that he has an IQ not exceeding 75.  I think that is the functional requirement for innocently awarding 50 merits as a “test” to a random (pinky-swear! random!) post which just so happened to be in a scamcoin airdrop thread.  Well, either severe mental retardation—or a state of insanity, replete with psychotic delusions.  There can be no other way for someone to actually do that innocently.  It is implausible, improbable, impossible.

Another exemplary object lesson on why we don’t need the merits system:  Posts like this are excellent!

No, wait—sorry, I got that backwards.  Posts like this are garbage.  This is exactly why we needs the merits system.

+0

So, wow, let me get this straight—taking here what you post at face value:

• You attempted to retaliate with negative trust against actmyname three days before contacting him.
• You PMed actmyname at “12:08:51 PM”.  According to your forum profile page, you appear to be in time zone +10:00; thus, this time works out to 02:08:51 UTC.
• You then posted this thread complaining that actmyname “ignores” you at 05:08:33 UTC—just under three hours after you PMed him.

N.b. that according to actmyname’s profile, he appears to be in the -05:00 time zone.  Therefore, you PMed him at 21:08:51 in his time zone; and you absolutely, positively expected his response by just after midnight (!).

Again, this was three days after you attempted retaliatory action against him.

Did I get that right, now?  I am asking nicely.  Please advise if I be mistaken about anything.

(Protip for the peanut gallery:  Shake a guy like this enough, and he will usually cough up something interesting!)

Do I look like an admin to you?  You do look like an idiot to me.

(I was proud to rank up from Jr. Member just yesterday.  The forum is totally my toy!)