Banks don't create money out of thin air, only the central bank does. Just think for a millisecond, if Lehman had the power to print money, why didn't it use it to bail itself out ? Well, Lehman could not print itself out of trouble. That's because in order to print money, depositors need to enable the bank to do so, by letting it have their money. The depositors themselves create the money by treating the bank deposit as a money substitute: the "real" money are lent out, and the depositor is left with something of questionable liquidity depending on the bank's health.
Read that last line over and over if you are one the "banks print money out of thin air !" pinheads. The deposit you hold with the bank is not  money, you have purchased a highly liquid security that gives you a profit in exchange for accepting a risk of default, and that risk is much higher than we've commonly been led to believe. If you want to convince yourself that deposits are not money, just try to deposit your deposit at another bank (and that metadeposit at yet another bank, and so on up to infinite interest) . The other bank knows a deposit is not money, and will kick you out of the building.
This phenomenon happens just as well with a non-fiat currency: a gold receipt is not the same thing as gold, but the apparent gold quantity circulating in the economy can increase if people treat gold receipts as gold equivalents. Fractional reserve banking is not the product of fiat.

Not at all. They are colluding on the main chain, so they mine 100% of it's blocks (as empty, but it does not matter as far as the 25BTC reward is concerned). They are defending the alternate chain, so they earn close to 100% of blocks there. When non-rebel miners start to migrate to the alternate chain, resources can be reallocated there so as to keep the rebels share high without loosing control of the main thread. When all miners have migrated to the alternate chain the rebels will have 75% there, the exact starting situation. It's a win-win situation regardless of the outcome of the revolution, so they are not risking anything.


I can think of ways to combat this but a certain degree of centralisation would indeed kill the attack. In the extreme, a checkpointed blockchain published by the developers every day the attack continues. Any transaction would clear in at most a day despite the attack. However this would also require client upgrades, and set a dangerous precedent. Would you upgrade to the alternate but still distributed chain or to a centralised chain ?

The current fees per block  is around  0.05BTC. Keeping all other things the same, an 100 fold increase in the transaction number will bring the fees revenue to 5BTC per block. Even in this highly unlikely scenario, the miners still stand to loose 45% of their revenue when the algorithm hits (55 -> 30 BTC per block).


Why should miners drop out while their are still profitable ? You can argue that they are "morally prepared" for the upcoming onslaught, so they expect to pull the plug on the farm when the 25BTC hits. But to stop in proactive fashion ? That's not rational. The only way a smooth transition could happen is via a price increase as suggested by Littleshop: market anticipates the lower daily liquidity injections by the miners and increases prices, creating a temporary high profit margin. New miners are discouraged to seize this profit margin since they know new equipment can't recover it's cost before the fee drops. So the higher prices are not associated with a difficulty increase.


They can change  the algorithm to keep the 21 million limit, and the block reward close to 50BTC for the foreseeable future, for example by adopting Pieter Wuille's curve. Instead of halving to 25 the reward drops gradually to 44 BTC after a half a year, and 39 BTC after a year. So they skew the curve to mine the coins faster than normal, and leave a smaller profit for miners of the future.

Also, assuming the reward remains constant, an infinite expansion is not that bad. After 25 years of constant 50BTC/block expansion the total annual liquidity injected by miners falls bellow 4% of the outstanding monetary base, and that's much less than the FED is printing nowadays. The rebels could also implement a Friedmanian exponential expansion: 50 BTC for 25 years, and then 4% per year expansion after that: 52BTC in the 26th year, 54.1 in the 27 year, etc. This keeps the mining revenue a constant fraction of the monetary base and it's actually quite sound from a macro perspective, albeit inflationary.


That's the whole point: they don't need your collaboration, they can freeze the original blockchain for good. So it's either you "upgrade" or you walk away from your bitcoins and technical investment in the system. Most users and merchants would be economically forced to accept the rule change.


It's not exactly the same. When the difficulty doubles the miners have no option but to watch their profits margins erode. There's no way they can block new entrants in the game. When the difficulty remains the same and the reward drops they are fully equipped to fight it: by simply mining empty blocks they can keep the community hostage until their demands are met. Empty blocks fetch the same 25 BTC reward they would have earned anyway.

As you probably know, the block reward is set to halve somewhere around late 2012 - early 2013. It's impossible to say with precision when this will happen because block generation time is somewhat unpredictable, but the first block to feature a 25BTC reward has the number 209999.

We should expect that the mining market will be very mature by that time, the profit margins very thin and the price fairly stable. Since miners can't control the price on the market the halving of the block reward and thus of the mining revenue will be seen as a negative effect by the miners, many will no longer be able to cover their expenses. A period of cutthroat competition should follow, where the last man standing can hope to return to profitability, but not before the difficulty also drops by half. This is necessary since where you previously needed one mined block to cover your expenses, you now require two blocks, so a single block should twice as easy to found as before. In other words, half of the hardware will be tossed before the bloodshed is completed.

But it doesn't have to be this way. Since the miners are more or less unanimous that the change hurts their bottom line, they might chose to dissent from the planned schedule and keep the reward at 50BTC. If they simply patch their clients to remove the halving, it has little effect; as soon as the first fake 50 BTC is claimed the blockchain will split:
 

• the original blockchain will continue with a 25 BTC reward, as implemented by all clients, exchanges, merchants and other parties who have no incentive to patch the reward schedule; this chain will continue to be protected by the fraction of the miners that chose not to dissent and play by the rules
• the split chain of the mutineers with the fixed 50 BTC reward; since only the mutineers accept the patch, the coins mined here are not tradable on any exchange and are effectively worthless.

The revolution has failed and the miners are forced to return to the legitimate chain and cannibalize each other as planned by Sathoshi-san

This is where the plot gets thicker. Assuming a high fraction of miners decide to accept the patch, they can attempt to force everybody else to accept the change: they can fork the blockchain and attack the legitimate chain at the same time. The attack will consist of extending the original blockchain past block 209999 with empty blocks. The mutineers will hardcode their miners to refuse any reorganization and hammer away at extending the legitimate chain with empty blocks only. As we know, if they have 50%+1 of the computing power in the legitimate chain,  this will prevent any transaction from clearing in the original chain. Meanwhile a small fraction of mutineers will mine the alternate blockchain to keep it somewhat secure.

I would expect such a move to be widely advertised beforehand and alternate client builds to be made available so that users can "upgrade" to the fixed reward algorithm. If someone refuses or forgets to upgrade he will find that his client is no longer able to send or receive any transactions. Once most users and services have switched to the alternate chain, the attack on the original chain can decrease in intensity. The minority honest miners will eventually stop defending the original chain since they are unable to get any block they mine to stick in the chain - the majority evil miners refuse to extend their blocks.

What I like about this attack is that miners are not risking too much by attacking the original chain: if the revolution fails they have not wasted resources by mining empty blocks. They are anonymous and it's very hard to prove that mining for an empty block on purpose is a security attack from a legal p.o.v - it's certainly allowed by the protocol. There's also a strong incentive for miners to conspire to change the rules, the individual benefit is in line with the collective benefit, unlike the normal mining game. So if the mutineers can amass a  majority of the hashing power of the network, there's little doubt they can force a rule-change.

Ok, so what stops miners from doing this right now, and increase the block reward to 5000 ? Nothing really. I just believe the block 209999 shock to be a strong catalyst, maybe enough to make the majority of miners participate, and change the rules only slightly so as to maintain overall confidence in the system.

Do those people derive an utility proportional to the amount of BTC mined ? Are they willing to  dump thousands of dollars into mining equipment that does not recover it's cost, as opposed to some casual CPU mining ? Are they capable of covering this financial loss for a long period of time ? Do their wives agree ? Sure, hobby mining at a loss might continue, but I'd say it's has a negligible contribution to the difficulty.



When the revenue drops bellow the energy bill you must stop mining immediately. There's no point in buying overpriced bitcoins via your energy bill when you can buy them cheaper on the market. If you would eventually turn a profit by continuing mining, you stand to gain even more by stopping mining and buying coins on the market (because you can buy more for the same money spent on electricity; or buy the same amount as you would have mined, and pocket the dollar difference).

Profits from predicting the future price of bitcoins are speculative, the revenue for mining is simple arithmetic. Can't believe people still fail at this after the topic has been talked to death in hundreds of threads.

Without reading the source, I have to ask how can Tenebrix scale. I've actually thought about memory bound hash-cash myself for a Bitcoin-like system, and I dropped scrypt as unworkable.

In the field of memory hard pricing functions with which scrypt is related, there is the notion of a difference parameter or work ratio: the ratio between evaluating F() and F()^-1, how hard it is to do the proof of work versus the cost of evaluating the proof. For example for hash cash the ratio is exceptionally good: it takes a single hash to check for a huge amount of work, up to 2^128 work for a perfect 256 bit hash. Published memory bound functions achieve a quadratic factor for K in the 10-11 range so it takes one operation to evaluate 2^10 operations worth of work (ABADI et all). This feature is desirable because supposing there's a mail server that checks for spam, you want to force the spammers to do allot of work, and make the mail server do as little work as possible on checking proof of work stamps. Proof-of-work tokens should be easy to check, and hard to mint.

Back to scrypt, this memory hard function is not designed as an e-cash primitive,  but as a password derivation function: you set your password, the server does 1 second worth of work, and saves the hashed form. Each time you login the server does the same work for 1 second and checks the resulting hash against the database. Password derivation is designed to be irreversible, you can only compute F() at a high cost, and should have no chance at F()^-1 in a proper system. That is you have no way to extract the password from it's stored hash.

How does this affects Tenebrix ? Well, in order to use scrypt as a pricing function you can do it in two basic ways:
 - you make both the miners and those verifying their work compute a difficult variant of scrypt; each time a block is solved and advertised every node on the network must redo the work of the miner (in order to check it before broadcasting it as valid); this clearly does not scale, every node must have a processing power equal to the whole mining network
 - you make miners look for an iterated variant of hash-cash based on easy scrypt; it's easy to check a valid mined block however the easy scrypt primitive is no longer memory hard, and can probably be accelerated on a GPU. (I assume this is the solution chosen, since we are talking about hash rates in the K/sec/core)

So my first impression is that Tenebrix fails either at scaling or at being GPU-hostile, but maybe the designers can avert this impression by explaining how the security parameters were chosen so that the network can scale without failing pray to GPU optimized mining.

Yes.
No.

If the miners multiply in numbers, their individual "influence" is proportionally diminished so that the overall "influence" of the miners remains constant to what has been hard-coded into the protocol: a steady source of liquidity that is as hard to produce as bitcoins are valuable. The value of bitcoins is externally imposed by the market and the miner crowd reacts. The market is the dog, and the miners are the tail being wagged.


The emergence of miners is an entirely mechanic phenomenon, is there is value in mining someone will do it. Rational miners can't "press the 'stop' button and wipe out the whole thing". An individual miner can behave irrationally but his place will soon be taken by a rational miner. Hoarding at the miner level is inconsequential - the miner buys BTC with his resources. To affect the price he has to buy at a loss, to mine for hoarding when it's cheaper to buy on the market, in other words to behave irrationally.

To say miners can chose to stop Bitcoin is equivalent to saying that the drug cartel can end cocaine abuse. Sure, if all individual traffickers stop producing and selling cocaine, they could theoretically stop users from obtaining it. However as long as there's a demand someone will fill it, the drug cartel is a rational supplier for the existing drug demand.

If one of the people that owes you money dies, sure, the credit has vanished. But on the other hand one of the people you owe money to might also die so the net effect cancels out assuming you have a large social circle. Let's not forget large credits are usually backed by some sort of collateral, and the credit relation does not die together with the owner, it follows whoever inherits the asset. If it weren't for those pesky legal tender money that you are forced to accept instead of the collateral in a court of law, a healthy credit network is a pretty good store of value.


That external benchmark might not be a proper currency, or a practical currency, think rai stones. The ripple system enables uses that the asset in itself can't do, so it becomes a currency in the modern sense. There's no practical way to store work hours, and you typically can't use them beyond barter, they can't be called a currency. With Ripple you can store and transact work hours with people you don't know, and with which you don't have a coincidence of wants, besides credit Ripple enables the essential quality of money to work as a medium of exchange.

I do however have my own issues with Ripple. Ripple breaks the fungibility of money. A dollar is a dollar, a bitcoin is a bitcoin, money has no smell they say. Well, Ripple reeks - it's only as good as the person issuing it. You don't have a wallet full or ripple dollars, you have a collection of IOUs of a varying quality.
Suppose I want to sell my car to someone I met on eBay. I need to receive credit from someone that's not very trustworthy, and it can't clear because it's a large amount. Sure, I would prefer to not extend credit to that person, but I have to if I want to make the deal. The person might claim he has credit in his social network, and I might be able to verify that using some ripple tool that says "this guy is owed 10.000 ripple dollars from people in his social hub". However I have no idea how spendable is that credit. I can't assess the quality of his social connections. Maybe when I go tomorrow to buy groceries I find out that the credit he gave is not spendable - the supermarket can't clear on his credit. I end up with worthless "money" in exchange for my car, I've effectively extended credit to a bum. So I either extend credit to strangers or refuse to make the deal - Ripple disrupts trade outside of your social network.
In the normal world I can sell the car for 10.000$ cash and live on that for many months. In the Ripple world I have to either sell it to a friend (at a discount because I have much less friends than eBay has users), or keep the car and live on the charity of my friends by sucking dry the credit lines they issued me.

Everybody here agrees that a new GPU mining rig is a bad investment. However most people are not loosing money on the short run, they are making electricity and something extra - just read my numeric examples. This is the complete quote of the OP, the important part bolded for your reading pleasure:


The fact of the matter is they are still making profit (in the EBIDTA sense), low as it may be, and as long as this continue they can't stop mining(*). Some of them are still underwater because the unamortised initial hardware costs, but that's rather irrelevant - they continue mining to minimize the total loss.

(*) Truth be told, this analysis is incomplete if you don't factor the opportunity cost of liquidating your setup and selling the hardware on eBay. The decision to do that may or may not make sense depending on your personal present value of cash money and the anticipated resell value of hardware. Anyway, if you decide to liquidate you should do it sooner rather than later, and maybe sell it to some other sucker who wants to get in the mining game (sort of like the GPU ponzi scheme). My psychic powers predict a huge glut of graphic cards hitting eBay in about 6 months time - that's what under 1$ prices or ASICs or both can do.

I think you are oversimplifying a bit. Ripple is both a medium of exchange, and a store of value. The medium of exchange quality is clear. The store of value quality should be apparent if we think that each unit of ripple owned by someone is a debt someone else has to his friends, business partners and immediate family. In case of famine gold or dollars might prove uneatable, but the trust of your social network is an extremely valuable asset - these are exactly the people you would rely on when gold and dollars become worthless. It follows Ripple is a very good store of value.

So the only thing Ripple needs to work as money is the unit of account quality, an external benchmark on which to measure the issued credit. Sure, you could do it by pegging the value to a fully fledged currency, but you don't have to. For example you could express balances in time dollars (not that I like the idea of egalitarian constructions like time dollars, but they are simple to understand). What I'm trying to say is that you don't need the extra complexity of the Ithaca Hours you mention: a central ledger, standardized scrip, and all the things that make Ithaca Hours a currency. You just need the valuation benchmark, one hour of work in my behalf, something the participants can easily measure; the rest is handled by the Ripple system.

That aggressive tone is unwarranted - stopping from mining when you still earn enough to pay the electricity bill is a bad business decision. If you can't comprehend this simple fact then there's really nothing to talk about.

Indeed, continuing to mine when you can't cover current expenses is "throwing good money after bad" - what the Wikipedia article denotes as "Sunk cost fallacy". I thought you were implying that the whole notion of sunk cost is a fallacy.

There's a little something called sunk cost, and it's by no means a fallacy: when you've already committed a large budget of money and time on a mining project, you can't simply pull out if you are not "living the dream". It makes sense to keep mining for as long as you can pay the power bill, any extra is passive income that goes towards amortizing your sunk cost.

A 2Mhash/Joule, 2Ghash/second rig  draws 1KW (24KWh/day) and earns ฿1.15/day at current difficulty.There are places (Canada) where you can get a KWh for under 5c, so those people will still be mining at 1.2$/BTC, even if difficulty does not change. Conversely, people who have quality hardware but expensive electricity will (20c/KWh) should pull the plug below 4.8$/BTC.

On the other hand disruptive technology could arrive any day now (ASICs), and easily increase the difficulty by an order of magnitude with no price impact.

By all means you are free to contribute all you want, and you don't have to prove anything to me or the community. A good book is a proof in itself.
However you must realize you do need to be qualified in the subject at hand before you can expect to produce a good book. You can't make it up as you go along. Otherwise it's an exercise in futility, time better spent fixing the consistency problems of your database before you suffer the fate of bitomat.pl and the like. Take it as a friendly advice - you achieved much more than the average troll on these forums, better consolidate your position and do one thing right, than diversify into a myriad of flaky activities.

Judging by your posting history, it will be 300 pages of Bitcoinica plugs ? I haven't seen any insightful posts from you on the topic of Bitcoin, so I really have to ask what do you think qualifies you to explain the concept to others ?

I am clearly aware of key derivation - that's why I said "depending on the algorithm" and specified the attack scenario. In fact I went as far as as suggesting the best password derivation scheme at the moment - scrypt - to the bitcoin developers. That would have been even stronger than the dynamic round count they are currently using.

That said, you must realize that you have no control or information over what key derivation scheme sites you visit are using. A key derivation scheme that employs 1 second of CPU time is completely inadequate for a high traffic site - it will bog down the server CPU with a minuscule number of users currently logging in. That's why many sites use simply a salted hash, or a reduced-round variant like the md5crypt that only uses 5000 iterations. That's an extra 12 bits of entropy, but still not enough to protect a weak password.

The advantage of not having fees does not materialize for the client, so he's unlikely to care that the shop is saving money. The customer drives the demand for a payment method - the shops are forced to follow or loose market share. The shops would get rid of credit cards in a hart beat if they could get the customers to pay with cash.

So aside of the phony geek appeal, what does this system offer to the customer ? Credit cards offer interest free loans for up to 2 months, emergency funding past that period, and money back guarantee. Bitcoin offers final indisputable transactions  - why do you think customers will prefer it ? Don't even get me started on the clunky desktop client that kills your harddrive.

GRC claims that "p@$$w0rd[[[[[[[[[[[[[[[" is much more secure than "p@$$w0rd". Simply extending the password length with bogus and easy to remember characters is said to be a much stronger password. In fact, taking all possible padding characters (2^6.5), all lengths between 0 and 31 padding chars (5 bits) and all positions  of the padding block within a 16 char password (2^4) you only gain 15 bits of entropy. But you can get 13 extra bits that by simply adding 2 random characters to your password, without bothering to count bogus padding chars.

He goes as far as claiming that "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9" based simply on the length. That's preposterous ! The first password has 36 bits of entropy while the second has 150 bits, assuming a cracker aware of the "technique". Presuming that you are smarter than the attacker is the road to security hell.


It's quite possible, depending on the algorithm used and the size of the attacker. The key-space for 9 characters is 6.37 x 10^17 so assuming it's a SHA256 salted hash then the current bitcoin mining network at 15THash/sec will exhaust the keyspace in 12 hours. The US government can probably do it in minutes. You could rent the current mining network for a small multiple of t 6*50BTC*5$ = 1500$/hour, assuming a market for cracking SHA256 hashes would exist.
To escape even the US government use a 16 character random password not generated by a human (no inter-character memory, characters are statistically independent). That is indeed hard to remember.


With the exception of "toaster" all words are in the top 100 by frequency. "toaster" is maybe in the core 10K vocabulary. There's no need to use 100K words dictionaries if most users don't use words like "Lymphocytopenia" or "Synecdoche". So 7*7+10 = 59 bits, hard but crackable see above. A non naive lexical cracker will not throw words randomly in a sentence and the rules of the English language would allow it to massively prune the search space.

The idea of padding for increased security is laughable. Another GRC classic.

The comparison with PayPal is entirely relevant: here we have a massive company with 100 million of active customers and 70 billion annual turnover. They could easily build a mobile application that enables the bar to accept euros or yens from the user's PayPal account. Such an application would be thousands of times more interesting to the bar than Bit-Pay mobile, since thousands times more people have non-zero PayPal accounts than bitcoin balances. Yet what does PayPal do ? They issue their own credit card - they want a piece of the credit card action ! That's because even for PayPal the network effect is too faint for retailers to bother implementing their system.

Online and e-commerce is where ecurrency works. If it succeeds there, maybe, just maybe there's a chance in the retail world, but this product does not have, at the moment, any place in the market.

As for credit cards going away, let's not get ahead of ourselves. The physical aspect changed from carbon copy to magstripe to chip and now to NFC. But the same old credit card cartel gets to steal 3% of your purchase, represented by MasterCard in the case of Google Wallet.

As much as I like the 2girls1coin video, this product does not have a place in the market. PayPal barely scratched the surface of retail with millions of invested dollars. Credit cards are the IPv4 of retail, the industry workhorse that's always "just about" to be replaced.