It's not really any different than how existing deterministic wallets work now. They all implement some kind of look ahead window that moves as payments are received.

With extended public keys there's no reason to ever reuse addresses, so software that implements them should not do that. For general cases there's also no reason for a payor's client to do anything other than start at index 1 (0?) and send each transaction to the next address in sequence.

There's always the possibility that broken software won't do this, so the payee's client should have a way to manually locate a payment that was sent to an unexpected address.

Why not just use different address types for the pathological cases?

If you assume that the sender is never permitted to generate new structure and is expected to send payments by strictly incrementing the index that would make it simple to implement now and open up a large number of use cases.

Allowing the sender to create new structure is something that anyone wanting to do could be expected to write custom software for now.

Is the serialization format mentioned in BIP32 not sufficient for this?

6 days: April 7-11 and 24.

Bitcoin derives its value from the predetermined issuance rules, and the fact that possessing the appropriate private key is both necessary and sufficient to spend a UTXO.

Changing any of those things destroys the long term value of the currency.

Because when Satoshi first coded the wallet he took a quick shortcut instead of implementing a proper solution and we've been paying for it ever since.

It depends on the velocity of money at the time and how quickly they are spent. If somebody cracks an ancient private key that's equal to a substantial fraction of the previously circulating BTC supply nothing happens right away. It's only when they spend it that anything changes.

Given the risk of somebody suddenly owning decades worth of world economic output all of a sudden, I'd expect that once ancient weak key cracking approached feasibility large numbers of people (millions) would form a pools to crack them that would distribute the recovered bitcoins as dividends.

If it ever turned out to be a huge threat, then the people alive at that time would have a huge incentive to solve the problem.

oops.

The highest post-bubble close is $165. We hit a daily high of $166.43 on April 24th, but closed at $154.20.

Top four daily closing prices ever:

2013-04-09: $230.00
2013-04-08: $187.50
2013-04-10: $165.00
2013-04-07: $162.30

1) New bitcoin user decides to start off by purchasing a 4 or 5 figure sum of bitcoin (in USD terms).
2) User wants to be extra special careful, so they spend some time creating a brain wallet and move their funds there.
3) Weeks or months later, they start to worry about forgetting the key, so they import it into a desktop client.
4) They forget that a sizable fraction of their stash is held in a weak key since they never moved those funds to a new address.
5) Bitcoin appreciates an order of magnitude or two.
6) Brainwallet key is eventually cracked.

Volume is clearly picking up, and this doesn't even account for all of the Chinese exchanges:

http://data.bitcoinity.org/#caaadadgaa

One of these bubbles is going to be the last one.

The last bubble won't pop, because it's going to represent the final flight away from fiat.

The effect will be underwhelming. The abandoned/lost bitcoins will not be found all at once and the miners who recover them aren't going to immediately turn around and spend the entire find the next day. By that time the economy will be large enough that it only causes a mild effect, if it's even noticeable at all.

Whether it's via some yet-unknown mathematical weakness or quantum computers that makes the private keys recoverable, it will only gradually become possible. So I imagine it will be done by investors combining their resources in order to build machines capable of doing it, much like present pool mining. Any old balances recovered this way will thus not go to a single entity but will get spread out among a large group of shareholders.

You still get too freaked out over the concept of a currency that nobody controls. It's not going to become a problem in practise - modern cryptographic algorithms don't go from no known weaknesses to being trivially broken overnight. There will be plenty of advance notice and bitcoin holders will adapt ahead of time. It will be priced in long before it happens.

(hint: spreadsheets with conditional formatting make them easier to find)

On which exchange? Mt Gox closed at $162.30, 187.50, $230, and $165 April 7-10 respectively. It also reached intraday highs of $166.42 and $162 on April 24th and 25th.

That's better than not having one, but not as secure as routing through an anonymization network.

In that case running in a VM isn't doing anything at all in terms of obscuring your "real" IP address.

If you want to submit transactions anonymously, you need to make sure your node can only communicate with the network via Tor or I2P.

A VM can possibly help you there, because you can set the appropriate firewall rules at the host level which restrict the ability of the guest machine to communicate outside a limited set of endpoints.

So you could run a Tor node in one VM and a Bitcoin-Qt node in another, configure Bitcoin-Qt to use Tor, then use firewalling tools on the host to block all packets coming out of the Bitcoin VM except communication to and from the SOCKS listen port on the Tor VM.

Then you're safe as long as your Tor node, or your host OS, isn't compromised.

But again, getting everything right is a bit like getting surgery right. It's difficult to explain the process via a forum post.