Actually I've now realized that this makes Bitcoin run extremely slowly, so I don't recommend this.  Instead, it's better to use a data directory on your main hard drive, but have wallet.dat be a symbolic link to a wallet file on an encrypted thumb drive.

One more point.  With the approach you've outlined above, you need to protect buckets.txt from tampering.  You could store it on an encrypted drive and/or digitally sign it.  If someone can overwrite buckets.txt with a set of addresses they own, then you'd start sending money to them rather than to you without your even realizing it.

Here's one more tip.  Every time I run Bitcoin, I use the -datadir option so that the data directory is on an encrypted thumb drive which I have mounted.  That way, my wallet is never ever written to my main hard drive.  If you do this when you create your initial wallet, you shouldn't have to worry that any trace of it will remain on your main drive.

Thanks for posting your long backup regimen - there are some good ideas here.

I would definitely encrypt each thumb drive at the drive level.  That's super easy to do in Ubuntu: right click the drive and choose Format, then choose the type "Encrypted, compatible with Linux".  If you do that and choose a reasonably long passphrase, nobody is going to be able to read the drive without your passphrase.  If you're confident that nobody else knows the passphrase, you could even skip the stenography, I think (but it sounds like you want to be supremely cautious).

How sure are you that the information in the thumb drives will last indefinitely?  I haven't been able to find much online about how long they will retain information - there is some speculation that it's about 10 years, but if a drive fails you could lose a lot of money  I would definitely copy each wallet onto at least 2 and possibly 3 drives.  Alternatively, you could back up your wallet to paper.  I've considered doing the following:

1. Create a file F1 with random data.  This will be a one-time pad.
2. Create a file F2 by XOR-ing your wallet with F1.
3. Generate a QR image from F1 and print it out.
4. Generate a QR image from F2 and print it out.
5. Store the two paper images in separate secure locations.

Either paper image is useless by itself.  If you scan in both images into files and then XOR them together, you'll have your wallet back.

Thanks for this proposal.  I was the one who started the recent similar thread asking why Satoshi didn't use a continuous reward decline in the first place.


Probably it would be if we were starting over.  I personally think the Bitcoin economy will be robust enough to survive the reward decrease, but it will be an interesting and perhaps slightly scary moment.  In general I think that Bitcoin will be volatile enough already without shocks to the system like this one.

On the other hand, one advantage to the current scheme is that everything stays constant for 4 years at a time.  Once the reward transition happens, miners will know that the reward (relative to difficulty) won't change for 4 years, which may help their long-term planning and bring in 4 more years of stability.


No.  In the absence of any devastating flaws, I think we should remain true to the model that Satoshi proposed.  Everyone has been aware of that model all along, after all, and has planned their investments based on it.  As long as at least one block chain remanis true to that model, it will have a legitimacy above all others which will encourage the community to stay unified.  If you don't like this model, you're free to start again with your own block chain. 

I'm aware of the scripting system and it's great that it allows multiple addresses to be specified.  I don't see how this can be used to solve the trust problem, though - can you elaborate?

I've been thinking a lot recently about the challenges of creating a secure and trustworthy Bitcoin bank.  I think this is a hard problem and one which presents a challenge for the wider adoption of Bitcoin.

WHY BANKS ARE NEEDED

Storing bitcoins safely is challenging even for technically savvy individuals (who have to think about multiple backups, wallet size, password strength and the like) and even harder for everyone else.  If Bitcoin is to be adopted widely, most people will want to (and should) store bitcoins somewhere other than their own hard drive and/or a flash drive buried in their garden.  Furthermore, it would be challenging to scale Bitcoin to encompass all transactions between invididuals.  So it seems likely that most people will store bitcoins in banks and that most transactions will be resolved between these banks without using the Bitcoin protocol itself.  At the end of the day, banks could use the actual protocol to resolve any balance discrepancy.  Of course, the cautious can still hold their bitcoins buried in their garden.  And as I argue below, there are many reasons to be cautious.

WHAT I WANT FROM A BITCOIN BANK

If I want to store a large sum in a Bitcoin bank, then of course I want security, reliabiliy and possibly anonymity.  There's an additional feature that's of paramount importance to me but I rarely see discussed here: a daily withdrawal limit.  I want the bank to guarantee that it won't give me money all at once, even if I ask for it.  The reason is simple: if someone can grab my password using a keylogger, root kit or other hack, I don't want them to be able to extract all my BTC in a heartbeat.  I'd like to be able to set the withdrawal limit myself.  Changes to the withdrawal limit must themselves take several days to complete and must themselves be accompanied by email notifications so I can find out if they're happening unexpectedly.

HOW TO IMPLEMENT A SECURE BANK

Today, the de facto Bitcoin banks are Mt Gox and MyBitcoin.  Neither of these sites call themselves banks, but I'm sure that each of them is holding many tens of thousands of BTC on behalf of lots of individuals, who (for now) trust them to return their money.  Let's suppose that we want to implement a Bitcoin bank which can securely hold BTC worth, say, $50M USD.  How can that be done?

The naive approach is to simply hold the BTC on highly secured computers on the bank's internal network, protected by passwords known only to a small number of trusted individuals.  Knowing what we know about computer security, I think this approach is far too insecure for an asset of this value.  If someone inside or outside the bank can hack that machine (e.g. using social engineering and/or a keylogger to grab a password), the $50M suddenly disappears and nobody will know where it went.  It's also possible that someone could walk into the bank with a gun and demand a transfer.

So could the bank simply convert most BTC to USD, which they could then store at some other bank?  That won't work, since the BTC/USD exchange rate is highly volatile and so the bank could sustain an enormous loss if it's guaranteeing to return BTC to any depositor.

The bank could store most BTC in a vault in a physically secure location (think guards with guns, security cameras).  Transferring BTC into the vault is easy: simply send to an address in any wallet in the vault.  Once every day or so, the bank might need to withdraw a certain amount of BTC from the vault in order to cover any outstanding liabilities.  If vault is filled with flash drives each containing a wallet, the daily trip to the vault might involve just extracting one or more of these drives.  Still, the vault is a single point of attack.

Alternatively, the blank might store 100 different flash drives in 100 different locations which are somewhat secure (e.g. safe deposit boxes in another bank), send money to them as needed, and just fetch one or two of these each day to cover withdrawals.  This seems like the most secure approach to me if the bank doesn't want to trust anyone else.  Even then, there's still plenty to worry about: an untrustworthy programmer on the inside could conceivably hack the bank's software so that everything looks OK on official reports, but cash is actually being siphoned off to somewhere else.

Of course, if a network of banks trust each other, then only one of them needs a (centralized or distributed) vault of this nature; the others can simply trust that loans to or from that bank are good.  But, still, the bank which runs that vault will need to fetch BTC from that vault on a regular basis.

CAN ANY BANK BE TRUSTWORTHY?

Suppose that a bank is backed by a major company and implements all the precautions above.  Can we reasonably convert a significant fraction of our life savings to BTC, store them in the bank and sleep easily at night?

The question is somewhat absurd today because holding a large sum of BTC today is enormously risky in and of itself: Bitcoin is young, and BTC could simply drop to zero for any number of reasons.  In other words, if a signficant fraction of your savings are in BTC then you shouldn't be sleeping well anyway.  But let's assume that BTC stabilize and/or that a depositor is willing to accept the currency risk.  The question remains: can the bank be trusted?

I maintain that even if the bank's management is trustworthy and responsible, a large loss of BTC stored at the bank is a plausible event - with probability greater than 1-2% per year, say.  I believe this because I think computer security is fundamentally that hard, and when bits equal dollars they are likely to be under attack.   

So, now: suppose that a bunch of us store our life savings in BTC in a bank and one day the bank's managers make a dreadful announcement: the worst has happened and the bits have somehow disappeared.  They say can't figure out whether it was an inside job or a clever virus from outside that penetrated the bank (think Stuxnet), but the money is gone and the bank is bankrupt.  What should happen next?

Should the bank managers go to jail, or (as perhaps some crypto-anarchists might advocate) be hunted down by vigilantes?  There's certainly plenty of reason for us to suspect that they simply took the money.  But I think it's also plausible that they acted in good faith and a hacker nevertheless slipped through the many controls they implemented.  Some might argue that even if they acted in good faith, they still deserve to be punished (by losing their life savings, or by going to jail).  But in that case I think nobody would ever want to be a manager of such a bank, because they'd be assuming enormous personal risk for a hard computer security problem.  And exactly who should be punished here?  All the bank's managers?  What if there are 12 members on its board - do they all go to jail?  It's entirely possible that a couple of them are crooked and the rest are innocent.

For all these reasons I find it difficult to advocate harsh punishment for the managers of a failed Bitcoin bank.  Unfortunately, the lack of such punishment increases their incentive to act in a dishonest way, so I think this is a significant ethical dilemma.  After all, if the bank fails, it's also hard to imagine simply shrugging our shoulders and tell the depositors: oh, well.  You should have chosen a bank that had a better reputation, and at least that bank will never borrow from anyone again.  Perhaps some free-market libertarians might view the loss this way, though.

The alternative is to say that governments should regulate such banks, audit their internal practices, and bail them out if the BTC are lost.  That seems pretty unlikely in the case of Bitcoin.  And if enough BTC are lost (say, actually destroyed rather than stolen), even a major government could not possibly bail them out: if the bank had more than 50% of outstanding BTC then it would be mathematically impossible to refund the depositors' original amounts.

IMPLICATIONS FOR USE OF BITCOIN

All of the above leads me to question whether we'll ever be able to put BTC in a bank without assuming a risk of total loss of, say, 1-3% percent per year.  In this sense I've started to think of BTC (even if the currency stabilizes) like junk bonds: probably worth something, but with a significant risk of total loss, no matter who you trust to store it.  Fundamentally I think this is because it's hard for anyone to store BTC securely, and hard to know whether they are lying if they say that they have failed to do so.

And given that, at the moment I think most people and businesses may not ever want to store a significant fraction of their savings in BTC.  So it may be that we still use traditional currency for savings, but BTC are a useful medium of exchange - exactly like paper cash today.  And that would be fine, but this conclusion is a still a bit disappointing to me, because it means we must constantly convert between dollars and bitcoins, and because many of us have hoped for an even larger future for Bitcoin.

Or am I wrong?  Do people on this forum believe that banks will be able to store BTC without this risk of loss?

The scariest moment for Bitcoin in the near-term future will be the first block reward decrease, namely from 50 BTC to 25 BTC some time toward the end of 2012.  There's been plenty of speculation about how this will affect miners.  It's conceivable that those who are dissatisfied with the reward decrease could attempt to fork the protocol and/or block chain at that point.  I personally am not *too* worried about that, but still - it's a scary moment.

So I personally wish that Satoshi had instead implemented a *continuous* block reward decrease.  With that approach, the reward will decrease ever-so-slightly with each successive block but still converge to 21 million.  That would avoid potentially disruptive discontinuities.  It's too late to change that now but, still, does anyone know why he chose a block reward function that looks like a staircase rather than a smooth curve?