Many users visit websites by typing their name into a trusted search engine like Google (Which does support HTTPS). paypal.com.example.com won't come up in the first 10 results, but paypal.com will. Without HTTPS (or other authentication), it is possible for an attacker to use your real domain for their phishing site.

As I have pointed out, this is not a theoretical or difficult attack. Are you OK with my ISP injecting PayPal ads when I view your landing page?

PS: I know my own website does not support HTTPS or IPsec at the moment... I hope to change that eventually. IPsec should work for the gopher version too

For a cellphone, it may be easier to type a 20 character numeric password (66.4 bits of entropy if random). A 12 character password can't really have over 72 bits of entropy. Computers are getting stupidly fast these days. Anything with less than 64 bits of entropy is likely insecure. After 128 bits you are probably safe as long as the storage mechanism has no underlying weakness.

I plan on using the Pirate Party VPN for all HTTP traffic (at the router). I am also considering using a Swedish VPN provider that accepts bitcoins for my laptop.

The VPN tunnels are in response to Internet Surveillance Legislation and my ISP disclosing that they may tamper with my Internet access (27e). For my laptop a VPN tunnel is justified because I can never be sure how much to trust open access points.

Edit: I also plan on setting up an IPv6 tunnel with Hurricane electric since my ISP does not yet support IPv6, and the first IPv4 addresses will run out (in the Asia-Pacific region) by the end of the year.

Any attacker would set up their look-alike on a different domain as well. Have you seen the Upside-Down-Ternet page?

Intercepting HTTP is trivial. In some cases intercepting HTTPS is trivial as well.

Are $0.00 deposits allowed? The search space may be 11*11=121 ..So you only need to comprise 60.5 accounts (on average) Edit: Nevemind: "$0.12 or less" includes $.12.

If the main page is not secured via HTTPs, an attacker simply can replace it with a page pointing to their own "Secure" site. My ISP has even installed equipment that will allow them to do that automatically:
- Section 27e. Notice they support HTTPS.

So there is: 4.2GB. (Gedit tried to load the whole thing..)


I suppose that is what I get for running the "beta" version: It is saving a lot of debugging information. Log rotation would probably help, but I doubt it is a priority if only used for debugging.

I was using the "real" network with the official client in -gen mode.

I read fine-print. I can't use Paypal because even if I agreed to their terms of service, I can't fund my paypal account because I don't use credit cards or online banking..

Basically, if I try to pay somebody via Paypal, I have no assurance that both our accounts won't be frozen.

My test-node running for 55 days ran out of disk space today consuming 5.8GB, or about 105 MB/day. If I subtract my the directory sarting size of about 1GB, I get about 90MB/day. If I subtract the first two weeks (2.7GB listed above) I get about 76MB/day.

These numbers were with versions 0.2.22 and 0.2.23 of the official client (using the -gen option). During peak times my node had about 125 connections.

Edit: Most of the disk space (4.2GB) turns out to be used by a file called 'debug.log'. This is likely because I was running the Beta version of the client: extra debugging information was being saved. That means block-chain house-keeping is only about 700MB.

Update: see answer in second post. (Log rotation)

It is my understanding that the nodes save multiple copies of the block-chain in case of a split or one of the block-chains becomes the "longest" one. I have had a test-node running since June 9, 2011 (0.2.22 and 0.2.23) for a total of 55 days. It ran out of disk space today; consuming 5.8 GB. That works out to 105MB per day. Disk usage dropped to 4.9GB when the client exited. The client had 125 connections during peak times.

I cringe every time i hear people say "gay" as a synonym for "bad". It is insensitive at best, reinforcing hate at worst.

Not long ago, people would say things like:

It appalls me that (yet another) word has evolved to have two opposite meanings.. like inflammable.

The point you are missing is that Google is one big central authority. Google likes storing large amounts of information to see what they can datamine from it. There will be no way to have anonymous transactions if you are using Google Wallet.

As well. Google has been suspending accounts en-mass if the name does not look "real" enough.

Google Plus Deleting Accounts En Masse: No Clear Answers


There have been some reports that users have been locked out of all Google services

My favorite online password generation site is GRC's Ultra High Security Password Generator. Of course, you would have to trust them not to record every passphrase ever generated.

I also like converting a web-page that changes from time to time to text; then taking the MD5 hash. However, given that I am using public information, I have this nagging feeling that the entropy may no longer "count" as being over 128 bit. I have the feeling everything that has ever been published probably adds up to less than 64 bits of entropy. I have a local file that changes from time-to-time. If it has enough entropy built up, I will use that instead. Example: MD5 hash of the msn frontpage converted to text: 01ac3a67614d6a37ac1fc3731d4fd8d1.

Edit: entropy pool of the file that changes over time: 0; since I overwrote it with the text version of MSN.com and published the hash. New msn.com hash at the time of this writing: 2c822728666881b433ba27caccbc3c6d.

I was impressed by how well-researched this article was. At least 3 people were interviewed for the story (Jared Kenna (Trade Hill), Bruce Wagner (Bitcoin TV), and Lawrence White (a specialist in monetary theory at George Mason University in Virginia).

A Google search implies that Ari Altstedter is on a summer internship, expected to Graduate with a Master of Journalism from Carlton University in 2012.

Section 3 reminds me of the infamous BSD advertising clause that was eventually removed when it became too unwieldy.

That license looks like it has potential, but I am not totally comfortable with it. Not that it matters since I have not really contributed to the hardware design yet. I like how it explicitly says the firmware is under a different license.

Please don't use MD5 as a cryptographic hash function anymore.

It is still useful for detecting random file corruption though, or converting random data into a 128 bit number.

Only transaction addresses are stored in the blockchain, but that does not imply that those addresses can't be tied to specific people. One example would be "vanity" addresses. It is not clear what percentage of addresses have to stay anonymous for everybody else to stay anonymous.

My guess: Air bearings

My one-liner: Bitcoins are backed by proof-of-work and the public anonymized transaction history.

Disclaimer: "Anonymized" data really isn't—and here's why not