Use only clients that are open source. Use the most widely used and supported open source client to ensure that many, many eyes are looking specifically at that part of the code. Use only official releases or build from the source yourself so as to ensure nothing slips in.
I totally agree with this, and it allays some of my concerns. The difficulty - and problem - is in implementing that advice in a fool-proof way. It needs to be clear exactly which versions of "...the most widely used and supported open source clients..." have been vetted by the community. That's why one of my suggestions was to have one version that we all sick with for a while. The 'switcharoo' attack, where someone tinkers with the Armory website and sticks a bunk, nasty version, that looks pretty much the same as the old code, except for one critical change. The key pairs would actually come from a predetermined list which the attack would have a copy of. Even if this mistake was corrected within hours, there could be many people how downloaded the bad version and not even know. The attacker could even just make the swap for a few minutes and then pull the bad version themselves, knowing that addresses would be created well into the future by those few, corrupt downloads. Edited to remove random strike through
|
|
|
I know this has been brought up countless times, but as the value of bitcoin rises, so do the threats facing our money! How should I have confidence that someone is not going to slip a weakness into one of the many pieces of code that purport to securely generate key pairs? I think the way to most easily bypass the 'offline' approach is to use a non-random seed for the generation private key. Would it be easier and more secure if there was 'one' generation solution that was locked down, who's version number remained the same for years, was singed by all sorts of pgp keys and such, and was by the community to be the standard?
Having very few lines of code would help make it audit-able. Would it be more secure to use keyboard mashing techniques instead of a psudo-random number generators? That way you could know for sure that the private key was directly your input. I think in this case easy and secure have to go hand in hand, since the more complicated the approach, the more able an attacker would be to slip something by. I consider myself an advanced computer user but I'm not enough of a programmer to vet complicated code.
Do folks feel your current security measures adequate to safeguard a million-dollar wallet? I think it would be wise for an attacker to let lots of time pass before cashing in on their exploit, so I don't think we are safe yet.
|
|
|
As likely as I think it may be that we will go below $40 at somepoint in the future, I can't bring myself to sell a single coin. But I don't think I am going to buy any more either.
|
|
|
There are only two appropriate responses to this madness:
Watch and Hold.
|
|
|
This may be a silly question, but is BIT not possible?
|
|
|
rnMXYBCq4QfLxKdWzeWD6M3Pr86g3uBneV
|
|
|
I'm guessing you haven't seen the Ripple order book? Hmmmmm, looking into ripple, I am now just confused.
|
|
|
No reason it can't hit 0.
I am the reason BTC will never hit zero. I'll offer $.01 per 1000 BTC no matter what!
|
|
|
A clear weak point in the current system are the exchanges. They need to interface with banks and thus operate under the thumb of various governments. They could easily be shut down, indicted, etc. While that wouldn't kill bitcoin, it would obviously be a major blow to is current adoption rate. It only makes things worse that most trade is handled through just one exchange.
Development of an independent backhaul system though which different exchanges could share their data I think would help to fix this weakness. It would not be an exchange itself, so it would no be as easy to shut down / attack, but it would facilitate the creation of other exchanges.
The backhaul system ideally would be fast and low-latency, encrypted and redundant, and it's servers hidden by VPN's
I would be interested in your thoughts on the effectiveness and necessity of this proposal, and if you all think it would be worthwhile, does anyone want to join me in its implementation?
|
|
|
Coinlab will need to build trust. But, please, if you hold MtGox in high esteem and trust them with your private data, well, they just sold it to Coinlab. Also, Coinlab will be subject to US laws and lawsuits, so if they wrong you, you will at least have some hope of recourse.
Assume all of your USD transactions are tracked, that MtGox's have been, and Coinlab's will be. Assume they are both fonts run by the CIA. The important thing is that you have the ability to be discreet once you are in BTC. Just cause I may have bought $3 million worth of coins doesn't mean I still have them. Maybe I lost my private key =(. Prove it.
|
|
|
CoinLab will ask customers for their info.. hey if US gov't get a hold of that info, they'd want to take half of your profits!
CoinLab having the info would make it that much easier for the US gov't to get the info, but its best to assume they already have it if you use Mt. Gox. If you use a paper wallet that was generated offline, once you send your funds out of the exchange to that paper address, well there is NO WAY FOR ANYBODY to know who is the owner of that paper address. in 99.9% of the cases that would be the owner of the gox account the coins were sent from. to leave no trail you would have to use a mixing service. Agreed - to use a mixing service, tor, etc. to leave no trail. But a trail and plausible deniable are two completely different things. So yes, 99.9% of it would be the same owner, but how can anyone prove you hadn't sold or gifted those coins. Or lost the key. The trail would point to you though, so if the coins became worth millions in the future, you can bet that address would have a government microscope on it. It would be public knowledge what date the coins arrived on the address, and the capital appreciation would also be public knowledge. You would have to take some serious precautions at that point if you wanted to redeem any of those coins and not reveal yourself as the owner. Keeping less than $5,000 worth of coins per address should might help to avoid unwanted scrutiny. If BTC keep going up, you would have to keep dividing your coins, and though that might be a pain in the ass, it would also be a great problem to have.
|
|
|
I have an extra code that I am selling for .4 BTC . If you have posted a bunch, I will give you the code first and then you can pay me. If your a noob, it will be the other way around. I'm kinda noob myself, I know.
|
|
|
Someone is making MtGox Live dizzy again! There were many small buys in quick succession. I think we are seeing some new kind of HFT testing out the system (just a guess). Uploaded with ImageShack.us
|
|
|
I wonder if the large jump over the old high was spontaneous enthusiasm, or a carefully controlled test by a government or investment bank to test market depth.
Wouldn't be to test market depth. That's a visable metric. Perhaps then to test if the visible metric could accurately predict the price change of a given (LARGE) sized inflow, structure in a particular way?
|
|
|
No. It wouldn't happen. As soon as a fork occurred the fx rate of new coins mined on the "weaker" chain would collapse to a few cents as all the major businesses, websites, miners, exchanges would automatically side with the "stronger" chain. If anyone thinks that they can double-spend bitcoins on different websites, after a few hours, (some accepting one fork, some the other) then they are living in dreamland.
So you think there is room for one and only one crypto-currency in the world? I disagree.
|
|
|
APMEX isn't a gold future exchange but they sell and buy a LOT of gold as a broker.
APMEX = American Precious Metals Exchange, Inc I don't know anything about them, but they do call themselves an exchange.
|
|
|
Coinbase isn't an exchange (and doesn't claim to be one). They don't allow the creation of bids and asks. They simply offer a quote with a fixed margin from spot. What spot price ... MtGox's ticker. That always requires an outside pool of liquidity.
Just because they are a broker does not mean they aren't an exchange. Just Google "Exchange broker". I agree they don't present themselves the same way that Mt.Gox does, but just because they have a simplified trading interface with only a 'market order' option doesn't mean they not an exchange either. That Mt.Gox doesn't have trailing stop and OCO orders doesn't mean they are not an exchange. **Edited for Grammer
|
|
|
I didn't realize Coinbase was an exchange.
Any place where you can convert currency from one form to another is an exchange. Coinbase allows exchange between USD and BTC, both ways.
|
|
|
|