Whoops, that's a bit embarrassing... I fixed it.

The merit is not undone if the post is deleted.


Right. There are about 35 right now.

Fixed, thanks. It might take up to 24 hours for the cache to clear.

There is currently no decay, but if hoarding seems to become a problem, I might add it.


If they don't have a source: how would they? Unless they are a source, they have to get the merit from somewhere. A group of accounts without a source can't generate merit without making good posts; they can only inefficiently spread it out among the accounts.

If they do have a source, then that's something that we'll need to detect. The merit transfers are public, so it shouldn't be that difficult. There are also various limits in place which would help to limit the damage from that.

In addition to activity, everyone now has a merit score, and you need both a certain activity level and a certain merit score in order to reach higher member ranks. The required scores are:

Rank	Required activity	Required merit
Brand new	0	0
Newbie	1	0
Jr Member	30	1
Member	60	10
Full Member	120	100
Sr. Member	240	250
Hero Member	480	500
Legendary	Random in the range 775-1030	1000

You get merit points when someone sends you some for one of your posts. Additionally, when someone sends you merit points, half of those points can be sent by you to other people.

Certain users are designated as "merit sources". They can create new merit out of nothing, up to a limited number per month (which differs per source). I will not be posting a definitive list of merit sources (so that people don't bug them too much), though you'll soon figure out who they are if you pay attention.

There is currently no such thing as a "demerit". I'm hoping that the positive merits alone will be fine. I could add demerits pretty easily later on if necessary, though.

I'm hoping that this system will increase post quality by:
 - Forcing people to post high-quality stuff in order to rank up. If you just post garbage, you will never get even 1 merit point, and you will therefore never be able to put links in your signature, etc.
 - Highlighting good posts with the "Merited by" line.

While we will not be directly moderating this, I encourage people to give merit to posts that are objectively high-quality, not just posts that you agree with.

Do not beg for merit excessively.

Useful infographics

Forum users have helpfully created some infographics to explain the merit system:
paxmao's infographic
ibminer's infographic
8Habits's infographic
JetSet11's infographic
zentdex's infographic
alia_armelle's infographic

If you want to be a merit source:

 1. Be a somewhat established member.
 2. Collect TEN posts written in the last couple of months by other people that have not received nearly enough merit for how good they are, and post quotes for them all in a new Meta thread. The point of this is to demonstrate your ability to give out merit usefully.
 3. We will take a look at your history and maybe make you a source.

I am especially eager to have merit sources in sub-communities such as the local sections.

Trivia:

For current members, your initial merit score is equal to the minimum required to your rank. Of that, a certain amount (less than the usual half) is spendable. The spendable amount was calculated based on your current rank and the number of activity points you earned in the last year. A Legendary member who hasn't posted in the last year would still be Legendary, but would not have any spendable merit.

If someone sends you 1 merit, the 0.5 sMerit is not wasted; it is just not shown until you get another merit point.

There are stats here, and you can find someone's merit summary by clicking the "merit" link on their profile.

Jr Members can no longer have signature links.

The forum sells ad space in the area beneath the first post of every topic page. This income is used primarily to cover hosting costs and to pay moderators for their work (there are many moderators, so each moderator gets only a small amount -- moderators should be seen as volunteers, not employees). Any leftover amount is typically either saved for future expenses or otherwise reinvested into the forum or the ecosystem.

Ads are allowed to contain any non-annoying HTML/CSS style. No images, JavaScript, or animation. Ads must appear 3 or fewer lines tall in my browser (Firefox, 900px wide). Ad text may not contain lies, misrepresentation, or inappropriate language. Ads may not link directly to any NSFW page. No ICOs, banks, or funds; I may very rarely make exceptions if you convince me that you are ultra legit, but don't count on it. Ads may be rejected for other reasons, and I may remove ads even after they are accepted.

There are 10 total ad slots which are randomly rotated. So one ad slot has a one in ten chance of appearing. Nine of the slots are for sale here. Ads appear only on topic pages with more than one post, and only for people using the default theme.

Duration

- Your ads are guaranteed to be up for at least 7 days.
- I usually try to keep ads up for no more than 8 or 9 days.
- Sometimes ads might be up for longer, but hopefully no longer than 12 days. Even if past rounds sometimes lasted for long periods of time, you should not rely on this for your ads.

Stats

Exact historical impression counts per slot:
https://bitcointalk.org/adrotate.php?adstats

Info about the current ad slots:
https://bitcointalk.org/adrotate.php?adinfo

Ad blocking

Hero/Legendary members, Donators, VIPs, and moderators have the ability to disable ads. I don't expect many people to use this option. These people don't increase the impression stats for your ads.

I try to bypass Adblock Plus filters as much as possible, though this is not guaranteed. It is difficult or impossible for ABP filters to block the ad space itself without blocking posts. However, filters can match against the URLs in your links, your CSS classes and style attributes, and the HTML structure of your ads.

To prevent matches against URLs: I have some JavaScript which fixes links blocked by ABP. You must tell me if you want this for your ads. When someone with ABP and JavaScript enabled views your ads, your links are changed to a special randomized bitcointalk.org URL which redirects to your site when visited. People without ABP are unaffected, even if they don't have JavaScript enabled. The downsides are:
- ABP users will see the redirection link when they hover over the link, even if they disable ABP for the forum.
- Getting referral stats might become even more difficult.
- Some users might get a warning when redirecting from https to http.

To prevent matching on CSS classes/styles: Don't use inline CSS. I can give your ad a CSS class that is randomized on each pageload, but you must request this.

To prevent matching against your HTML structure: Use only one <a> and no other tags if possible. If your ads get blocked because of matching done on something inside of your ad, you are responsible for noticing this and giving me new ad HTML.

Designing ads

Make sure that your ads look good when you download and edit this test page:
https://bitcointalk.org/ad_test.html
Also read the comments in that file.

Images are not allowed no matter how they are created (CSS, SVG, or data URI). Occasionally I will make an exception for small logos and such, but you must get pre-approval from me first.

The maximum size of any one ad is 51200 bytes.

I will send you more detailed styling rules if you win slots in this auction (or upon request).

Auction rules

You must be at least a Jr Member to bid. If you are not a Jr Member and you really want to bid, you should PM me first. Tell me in the PM what you're going to advertise. You might be required to pay some amount in advance. Everyone else: Please quickly PM newbies who try to bid here to warn them against impersonation scammers.

If you have never purchased forum ad space before, and it is not blatantly obvious what you're going to advertise, say what you're going to advertise in your first bid, or tell me in a PM.

Post your bids in this thread. Prices must be stated in BTC per slot. You must state the maximum number of slots you want. When the auction ends, the highest bidders will have their slots filled until all nine slots are filled.

So if someone bids for 9 slots @ 5 BTC and this is the highest bid, then he'll get all 9 slots. If the two highest bids are 9 slots @ 4 BTC and 1 slot @ 5 BTC, then the first person will get 8 slots and the second person will get 1 slot.

The notation "2 @ 5" means 2 slots for 5 BTC each. Not 2 slots for 5 BTC total.

- When you post a bid, the bids in your previous posts are considered to be automatically canceled. You can put multiple bids in one post, however.
- All bid prices must be evenly divisible by 0.02.
- The bidding starts at 0.02.
- I will end the auction at an arbitrary time. Unless I say otherwise, I typically try to end auctions within a few days of 10 days from the time of this post, but unexpected circumstances may sometimes force me to end the auction anytime between 4 and 22 days from the start. I have a small bias toward ending auctions on Fridays, Sundays, and Mondays.
- If two people bid at the same price, the person who bid first will have his slots filled first.
- Bids are considered invalid and will be ignored if they do not specify both a price and a max quantity, or if they could not possibly win any slots

If these rules are confusing, look at some of the past forum ad auctions to see how it's done.

I reserve the right to reject bids, even days after the bid is made.

You must pay for your slots within 24 hours of receiving the payment address. Otherwise your slots may be sold to someone else, and I might even give you a negative trust rating. I will send you the payment information via forum PM from this account ("theymos", user ID 35) after announcing the auction results in this thread. You might receive false payment information from scammers pretending to be me. They might even have somewhat similar usernames. Be careful.

Sorry, no ICOs.

Auction ended, final result:
Slots BTC/Slot Person
1 0.20 blackbitum
4 0.20 ChipMixer
4 0.18 FortuneJack

I'm imagining something like:
 - PoS voting goes from Feb 1 - Feb 7. Assume the result of the vote is "issue 100 BCI with a duration of 3 months".
 - From Feb 7-28, people can stick their BCI into the interest pool created by the above vote. (You could also optionally do on-chain limit bids so that people only add their BCI to the pool if there will be less than ___ BCI in the pool at the end.)
 - Everyone who put their BCI in the pool before Feb 28 has their BCI in the pool locked up for the voted-on period of 3 months. At the end, everyone gets their BCI back plus their proportional share of the 100 BCI that was created.
 - PoS voting for the next pool round goes from Mar 1 - Mar 7. And so on for every month. So there can be multiple ongoing pool rounds of different durations. It's like bond auctions.

Tech-wise, you'd probably do this by having:
 1. On-chain transactions with inputs but no outputs, voting on a pool round's parameters. Each pool round would be identified with a number.
 2. On-chain transactions which look like normal, but each output would have an an extra integer field (or script ops) saying, "this output belongs to the specified pool round, and will not be spendable until that round has matured". Such outputs would have undefined value until the round is over, since you don't know in advance how many people are going to join it.

(This sort of on-chain voting is horribly inefficient and can also be manipulated by miners, BTW, but it's the easiest way to do it.)

I don't think that there's any particular need for miners to explicitly send/dedicate BCI to the interest pools, since everyone knows everything about the pools and what they should be paying anyway.

For the PoS voting, you could instead have people vote on the values of facts like "what is the current BCI price?" and then use an algorithm to translate that into appropriate round parameters, like Milton Friedman's idea of computer-controlled inflation. Maybe you could even have a mechanism for punishing people who lie about such facts. But this all gets very complicated, especially in an adversarial environment.

I don't usually comment on these things, but I was looking into this one for forum ads, and I had some thoughts on the interest mechanic. It's potentially an interesting and fun idea, though I suspect that it will not be useful in any wider sense.

The interest pool concept is extremely similar to the bond auctions done by ~all fiat central banks constantly in order to affect interest and inflation rates. Generally you'd expect the issuance of bonds to promote deflation in the short-term while creating money (and therefore inflation) in the longer-term. But I think that these effects come mainly from changes in policy rather than the policy itself, and so I don't think that the fixed-total-coupon pools in BCI will have any effect on inflation/deflation beyond the obvious effect of the subsidy itself, especially since money does not actually get tied up in BCI pools.

Since BCI in pools is not really tied up, there's no reason whatsoever for people not to pool-deposit their BCI as much as possible. Combined with the fixed total-coupon supply, I'd expect very low interest rates which do not really reflect the time-value of money in any meaningful way.

I think it'd be far more interesting (though IMO still inferior to BTC) if:

 - Money in pools was actually tied up. Then interest rates would legitimately reflect the time-value of money to some extent, and deflation might be encouraged.
 - The amount of BCI created for the interest pools and pool duration was adjusted by a "central bank" (maybe actually a PoS vote or something) with the goal of maintaining somewhat steady prices, similar to fiat central banks. This would be especially interesting because mainstream economists would find such a system far more attractive than inflexibly-deflationary cryptocurrencies like BTC; it could be seen as a test of economic theories.

(Note: I see various other technical problems with BCI, I do not agree with ever naming an altcoin "Bitcoin _____", and I do not plan on buying any BCI.)

KryptoKash requests to advertise a new Bitcoin fork, "Bitcoin Interest". The ads will be oriented toward attracting miners.

I feel that all altcoins named "Bitcoin _____" are inherently somewhat deceptive because they are not Bitcoin despite having Bitcoin as part of their name, and forum ads are not allowed to be deceptive. However, especially since this particular set of ads will be targeted at miners rather than buyers, I think that this case is borderline. What does the community think about this? Should ads for Bitcoin Interest be accepted?

The well-known timing attack which allows you to completely deanonymize the user if you control the guard and the server (or server's ISP) does not require JS. For example, if the NSA wanted to know everyone who visits antiwar.com regularly, they'd observe antiwar.com's ISP and set up Tor non-exit relays such that you have a 5-10% chance of choosing one of the NSA's relays as a guard every time you start Tor. Over time they'd build a complete list of all IPs for Tor users who visit antiwar.com. It's almost trivial. I'd be surprised if the NSA is not doing this already, possibly for large sections of the entire Internet (especially centralized things like Cloudflare).

VPN/HTTP proxy: a little lock on a diary
Tor: A Master lock. (Note: look up lockpicking videos for Master locks.)

There is currently no anonymity technology which is secure in the way that Bitcoin is secure (against different attacks). Anonymity research is weak, and implementation is even worse. For example, there's something from academia called Riffle which fixes some of Tor's many problems, but nobody's bothered implementing it in a usable form even years after it was published.

I see two transactions from you, both for 0.00018580 BTC. 0.00018580*2 = 0.0003716 BTC, which is less than the 0.00208333 BTC copper membership.

A year or two ago I was researching fingerprinting techniques that'd work against pretty much anyone with JavaScript enabled, and I found several promising leads on that front. But then it occurred to me that I don't really want bitcointalk.org to be known as the #1 forum on the leading edge of de-anonymization technology, so I stopped pursuing it seriously...

IMO The most interesting idea I had was that you could probably fingerprint based on latency even via Tor using long-term data collection. A Tor connection looks like:


The latencies of connections A, B, and A+B are good fingerprint values; ISPs should have statistically-significant differences in latency to the server if the latency can be determined with enough accuracy. Latency will also uniquely vary over time; ie. latency will go up slightly when your ISP is busy, the schedule of which will be distinguishing. Additionally, Tor selects a handful of guards when it starts and then uses only those, so if you can figure out the complete list of guards, this fingerprints a long-term Tor session across sites and logins.

Connection E can be directly measured, as can A+B+C+D+E if JS is enabled. That alone may be enough for fingerprinting A+B if you collect data over a long period of time. You'd roughly model the random latency distribution of C+D across the entire Tor network (which is not that large and is predictable in several non-obvious ways); then since you have a whole bunch of A+B+C+D+E and E measurements, you can get a good idea of A+B.

You might be able to do even better by taking into account these facts: Tor changes to a new random Mid and Exit every 10 minutes, but it only affects new TCP connections. So you can usually control the timing exactly by opening TCP connections via JS. And it chooses a random Guard only from a small set, with that set being chosen only at the start of the long-term Tor session. So you might be able to get the guard identities (or a fingerprint of the guard identities) and info about the latencies by collecting latency data every 10 minutes via JS and looking at the clusters formed by the handful of different guards.

On a MITM attack, you can do even better. If you control both Mid and the server, then you know C, D, E, and the Guard identity. A+B is then trivial to calculate. There are only about 6000 Tor nodes, so if you only run one Tor non-exit node, you have something like a 1/6000 chance every 10 minutes to fingerprint the user this way. (That's a really rough estimate; the odds are better because you can exploit Tor behaviors like its IP-space diversity requirements, but worse because selection is not random, and is also based on things like seniority and bandwidth.) Additionally, if a user happens to choose your node as a guard when he starts his Tor session (so a smallish chance ~per day rather than per 10 minutes), then you can completely deanonymize him (ie. get his IP address) when he visits the site; this is a well-known attack which the NSA & friends are probably doing all the time on a very large scale.

If a newbie is stopped from sending a PM due to this, they get get:

And if you try to PM a newbie while you're ignoring newbies, you get:

So I think that it should be rare for people to be unaware of it. If a newbie posts a trading thread, then they'll have people posting to remind them.

The name is supposed to be fun. I don't actually mean that people who post in the section are "living in an ivory tower".


How about I rename it to Le café d'or, then?

Someone should create a poll.

I just made it so that everyone who has sent a PM to a newbie in the last 30 days is already "opted in". Does that fix your issue?


I didn't do that because I think that only a certain subset of users (maybe a minority) want to ever receive PMs from newbies, so it seemed to make more sense for such people to opt in.

In response to the annoying PM spam, you now have to opt into receiving PMs from newbies. The option is in your PM preferences. You also can't send PMs to newbies if you haven't opted in. Copper members are exempt, but only if you're wearing the copper membership.

You should opt into receiving newbie PMs if you post offers in the marketplace, if you like answering newbie questions, if you're a moderator, etc.

To start with, if you sent a PM to a newbie in the last 30 days, you're already "opted in".

Some things that come to mind:

 - There's been some academic success in getting the encryption keys from a computer via sound analysis. Computers can make different sounds depending on the data they're operating upon.
 - AFAIK both public wifi (ie. wifi where the attacker has the wifi password) and mobile-data protocols are completely broken security-wise. Wifi via arp spoofing and such, and mobile-data due to various attacks against inherently insecure protocols. So you should probably assume that the attacker controls your Internet connection completely.
 - If an attacker controls your Internet connection completely, then they can do things like preventing legit blocks from reaching you, preventing you from seeing conflicting transactions, giving you only their blocks, etc. If you get a few confirmations, you'll know that someone put a lot of effort into mining them, but you won't be able to confirm that they're the longest chain, since the attacker may be blocking the longest chain.
 - I wouldn't rely 100% on HTTPS, but it's not exactly trivial to defeat. Properly-configured ssh or OpenVPN are even better.

I think I'd do something like keeping all Bitcoin keys off of the laptop, and instead use ssh to connect to my real Bitcoin node. And then if you're really paranoid, change your laptop's ssh key right afterward.

And/or you could use an OpenVPN VPN, either purchased (in which case you're trusting the VPN service not to MITM you) or by setting up your own OpenVPN server somewhere. Then evil wifi can only block you, not interfere or monitor. But you have to make sure that it's configured correctly, since most VPN setups will by default switch to your native connection whenever it can't connect to the VPN. There are iptables rules that will prevent this.

Probably that's not possible. Biometrics is like symmetric (ie. "password-based") encryption. It's like you translate your biometric features into a key which is then shared with someone. There's no way AFAICT to translate biometrics into an asymmetric setting, which is what you want.

I think that nowadays biometrics has mostly been discredited for serious authentication. It just tends to be too easy to fool: eg. you can get someone's fingerprint off of a glass (or off of the readings of a compromised biometrics device) and then make a copy in a 3D printer or something. I think that nowadays biometrics is used mostly in niche settings where people can't be trusted to create a secure password, but yet you can't force them to learn how to create secure passwords. In those cases, using biometrics (maybe plus some other stuff) is at least a bit better than having people use "love123" as their password.