Linky.
On June 8, 2011, the same day Ars Technica ran its first story about Bitcoin, the peer-to-peer digital currency's value jumped to an all-time high of $32. Bitcoins had been worth less than $1 just two months earlier, and that day proved to be the peak of the bubble. The value of a Bitcoin fell below $20 within a week, and by November it had fallen to $2.
But since it hit bottom late last year, the cryptocurrency has defied skeptics (including me) who predicted it would prove to be a passing fad. The currency regained some of its lost value, and the price has become much more stable in recent months. In the last three months, the value of a Bitcoin fluctuated in a narrow band from $4.50 to $5.50. As this is being written, the currency has just hit a 3-month high of $5.60.
...
|
|
|
This all seems even riskier than bitcoinica, no offense.
Ah, but Pirate doesn't hold your funds hostage. lol Bitcoinica didn't either...for a while.
|
|
|
This all seems even riskier than bitcoinica, no offense.
|
|
|
I still don't understand what's going on here. Ok, so I've got 500BTC I'm willing to play with. What's next?
|
|
|
Wow. Somebody just bought 5000 or so over 5000 bitcoins.
|
|
|
I used strongcoin for a time and when blockchain.info messes up you are left unable to move funds. This happened for about a week and a half before I got a paper backup into Armory. If it isn't going to be a main wallet either would work well. But I like having everything on my end of things.
I use blockchain.info as a small wallet with the addresses I use backed up in Armory and on paper. If blockchain.info goes down, I still have access to those bitcoins, assuming somebody doesn't somehow get access to private keys in blockchain.info. But even if that happens, I don't keep more than $100 worth of bitcoins in blockchain.info wallets.
|
|
|
Well, I did my part today.
|
|
|
No one can short BTC anymore. That is, without doubt, the biggest likely reason for a BTC rally.
Then any rally from here out is probably not going to end well once shorting is brought back.

Exactly. As soon as people start shorting again, those extra (arguably artificial) sells are going to push the price down. But what do I know. Every time I sell coins, the market moves up. If shorting really does affect the price this way, then once it's back I don't think it's unreasonable to expect prices back down below $5.

Certainly possible... Don't be negative! It's going all the way to $10/BTC!!!!!!! If we all believe it, it will happen.

Right, and then shorting comes online again and it comes right back down - world laughs.
|
|
|
No one can short BTC anymore. That is, without doubt, the biggest likely reason for a BTC rally.
Then any rally from here out is probably not going to end well once shorting is brought back.

Exactly. As soon as people start shorting again, those extra (arguably artificial) sells are going to push the price down. But what do I know. Every time I sell coins, the market moves up. If shorting really does affect the price this way, then once it's back I don't think it's unreasonable to expect prices back down below $5.
|
|
|
No one can short BTC anymore. That is, without doubt, the biggest likely reason for a BTC rally.
Then any rally from here out is probably not going to end well once shorting is brought back.
|
|
|
Well, this bothers me on two fronts then. If there are rentable hashing resources with as much as 100x as much computing power as a RigBox, then it doesn't seem implausible to me to see rentable resources in the next decade that could, within a reasonable amount of time, get a private bitcoin key from a public key. No? What am I missing?
No, because every additional character exponentially increases the effort required to break the key.

But, in 10 years? Imagine that in 10 years a single RigBox is 100x as powerful as today's, and that I can rent 100 of them. That much compute power still isn't enough to get a private key in, say, a few weeks?

Nope, not in a 1000 years either. Large numbers can mess with people's minds but this might help. A random 10 digit password (95 possible values per digit) is ~ 2^64 or 64 bit. 256 bit isn't 4x as large, it is 6,277,101,735,386,680,000,000,000,000,000,000,000,000,000,000,000,000,000,000 as large (roughly, Excel needs to round). If you could crack brute force all possible 64 bit keys in 1 second it would still take roughly 19,904,559,029,003,900,000,000,000,000,000,000,000,000,000,000 centuries to have a 1% chance of brute forcing a private key.

Another way to look at it is our sun doesn't have enough energy remaining to power a computer that could count from 0 to 2^256, much less brute force a specific key. That is, if you built a computer that could use the sun's complete energy output and operated at 100% efficiency, it still couldn't count to 2^256 before our star burned out.

So the only risk to a private key is if the SHA-256 algorithm is broken or, more likely, degraded. By degraded I mean some flaw is discovered that allows you to take a "shortcut" and thus eliminate trillions or quadrillions of keys simultaneously. Even degraded it would likely be very difficult (maybe only of academic interest) to brute force a private key, but that would be a good sign to upgrade Bitcoin (and everything else which uses SHA-2) to a stronger algorithm.

Got it. Thank you!
|
|
|
Well, this bothers me on two fronts then. If there are rentable hashing resources with as much as 100x as much computing power as a RigBox, then it doesn't seem implausible to me to see rentable resources in the next decade that could, within a reasonable amount of time, get a private bitcoin key from a public key. No? What am I missing?
No, because every additional character exponentially increases the effort required to break the key.

But, in 10 years? Imagine that in 10 years a single RigBox is 100x as powerful as today's, and that I can rent 100 of them. That much compute power still isn't enough to get a private key in, say, a few weeks?
|
|
|
I understand that they didn't salt and that that makes it easier to get the passwords. I guess what's worrisome is that from what I've read there were some reasonably secure passwords whose hashes were decrypted - passwords along the lines of "34IDdka]o43';s/A". I don't think passwords like that can be decrypted in a few days, even using a bunch of GPUs. So, are we to understand that passwords like that are in some giant rainbow table? That's what's bothering me about this.

Yes. It should bother you. Without salt it is easy to precompute and store passwords years in advance. When you get a hacked password database you simply "look them up". The hash of an input will never change, so the hash of "34IDdka]o43';s/A" was "7c6fbf7e2bfceb28c7be5e5e669864a8f0fb079b" in 1992, it is still the same today, and it will still be the same in 2099.

Now with salt they can't precompute the passwords but they can still brute force them much much easier than many people think if the hashing algorithm is fast. A rig box = 50 billion hashes per second. To put that into perspective, to brute force SHA-256 hashed passwords even with a 64 bit random per password salt would only take:

< 1 sec to attempt a database of 20 million (known, leaked, common, and dictionary based) passwords.
< 15 seconds to attempt all 6 digit or smaller passwords (A-Z, a-z, 0-9, and all printable symbols).
< 30 minutes to attempt all 7 digit passwords.
< 2 days to attempt all 8 digit passwords.

Now that is with a single RigBox. Botnets can easily be 10x, or even 20x more powerful. A hacker who needs passwords fast (before users change them) can rent 100x as much computing power. Hell, if you need a metric, the Bitcoin network is ~10TH/s. If "rented out" it has the computing power to brute force all 9 digit and smaller passwords in less than a day.

A strong password is not enough. Three elements are required (and sadly even some in the Bitcoin community treat it as optional):

1) A strong password (which means website checking new password against lists of known and compromised passwords)
2) A slow hashing function (bcrypt, scrypt, pbkdf2, etc)
3) A large random per record (64 bit) salt

Anything less is insecure. How insecure varies (from trivial to tough) but it can and will be broken given enough time and resources.

On edit: clarified a few points and fixed some horrible spelling.

Well, this bothers me on two fronts then. If there are rentable hashing resources with as much as 100x as much computing power as a RigBox, then it doesn't seem implausible to me to see rentable resources in the next decade that could, within a reasonable amount of time, get a private bitcoin key from a public key. No? What am I missing?
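
The three elements listed in the post above, next to the unsalted-lookup problem it describes, as an added Python example that is not part of the original thread. The denylist contents, the PBKDF2 iteration count and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of known/compromised passwords (element 1).
KNOWN_BAD = {"password", "123456", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware
SALT_BYTES = 8               # 64-bit per-record salt, as in the post


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: the same input always gives the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precomputed digest -> password table; works against any unsalted dump."""
    return {unsalted_sha1(p): p for p in candidates}


def create_record(password: str) -> dict:
    """Reject known passwords, then store a random salt and a slow hash."""
    if password.lower() in KNOWN_BAD:
        raise ValueError("password appears in known/compromised list")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the record's own salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    table = build_lookup(KNOWN_BAD)
    leaked = unsalted_sha1("password")  # what an unsalted dump would hold
    print("unsalted lookup:", leaked, "->", table.get(leaked))
    a = create_record("34IDdka]o43';s/A")
    b = create_record("34IDdka]o43';s/A")
    print("same password, same stored hash?", a["hash"] == b["hash"])
    print("verify ok:", verify("34IDdka]o43';s/A", a))
```

Two records for the same password share nothing an attacker can precompute, and each guess against a record costs the full iteration count.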
|
|
|
I don't understand how so many long and seemingly secure LinkedIn passwords have been brute-forced? Will somebody help me understand how they're decrypting 20+ character passwords? Last I read over 60% of the leaked hashes have been decrypted. I can understand that being the case if most of them were really short and simple passwords, but it looks like a lot of them followed password security standards pretty well. Help me understand.
Rainbow tables.

Longer answer. By not using salt they made passwords deterministic. The SHA-1 of "password" will ALWAYS be 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8. The password can be precomputed. It is made worse by the fact that SHA-1 (and SHA-256) are insanely fast. A single GPU can hash up to a billion passwords per second. In a year one can pre-hash and store 31 quadrillion passwords with a single HD 5970. The use of a fast hash algorithm & no salt dooms even the longest and most complex passwords. They are already "pre-cracked"; the hackers are simply looking them up in a lookup table.

Now using salt changes that.

The SHA-1 hash of "password" with a salt prefix of "123456789" is aa2cc735aa01f661a39d6a03214d2e551eb0d8ad
The SHA-1 hash of "passwrod" with a salt prefix of "123456780" is 5571911de78b7bdffcfa11ef75d93a6cab3d6540

Precomputation becomes impossible. Now SHA-1 is still a very very fast algorithm (which is bad) but salt at least makes the attacker work "in real time" which gives users with more complex passwords time to change them.

Using a "slow multi-round password function" (like bcrypt) AND a per record salt eliminates all the short cuts. The only option is to sllllllllllllllllloooooooooooooooooooooowwwwwwwwwllllllllllly brute force the passwords one record at a time. That means exhaustively trying say all 8 digit passwords for a single account takes weeks if not months. All but the weakest of the weak are just not economical to even attempt to attack.

I understand that they didn't salt and that that makes it easier to get the passwords. I guess what's worrisome is that from what I've read there were some reasonably secure passwords whose hashes were decrypted - passwords along the lines of "34IDdka]o43';s/A". I don't think passwords like that can be decrypted in a few days, even using a bunch of GPUs. So, are we to understand that passwords like that are in some giant rainbow table? That's what's bothering me about this.
|
|
|
I don't understand how so many long and seemingly secure LinkedIn passwords have been brute-forced? Will somebody help me understand how they're decrypting 20+ character passwords? Last I read over 60% of the leaked hashes have been decrypted. I can understand that being the case if most of them were really short and simple passwords, but it looks like a lot of them followed password security standards pretty well. Help me understand.
|
|
|
What an absolute cluster eff. On the bright side, it's a testament to how far along bitcoin has come since last year that the price hasn't fallen off a cliff.
You aren't looking upside down enough... Huh?
|
|
|
a corresponding timestamp would be nice
Hmmm... aren't the messages on the forum time-stamped already? Yes, but he posted images that he'd taken hours or days before he started the thread, I believe.
|
|
|
@proudhon I think the market just prices in a myriad of scams and hacks now per default. So perhaps when we have a few months of no major scam/hack, the price could rise. Haha, I hope that's the case.