Redlisting does not involve blacklisting or whitelisting coins. Think of it as attaching a breadcrumb trail to coins that someone suspects are illicitly gained. It doesn't stop anyone from accepting them or spending them. It does, however, provide kind of an informational bread crumb trail for law enforcement to later track if it's necessary.
If I sell something and get redlisted coins for it, then the bread crumb trail leads to me. I sure as hell wouldn't accept coins that could lead law enforcement to my doorstep, and nobody else wants law enforcement harassing them because they're suspected of being illicitly gained. Therefore, everyone will refuse to accept redlisted coins as soon as law enforcement starts getting search warrants against people who end up with them. To keep bitcoins fungible and valuable everyone with a stake in bitcoin should accept and redistribute tainted coins as much as possible, e.g. using CoinJoin. When everything is tainted, nothing is. Don't underestimate the irrationality of the federal government. They could always then claim everyone using Bitcoins which are tainted are guilty of a crime and then force everyone to use freshly mined coins or coin which have been purchased in a clean way with KYC etc. |
|
|
|
I don't think it's a good idea to start making lists unless you don't mind being on someones list. I think it can easily spin out of control here hackers have lists, law enforcement have lists, and everyone is caught in the middle of being scrutinized by both hackers and law enforcement.
If you want to be on a list it should be voluntary. The list idea needs to be more well thought out, that is all.
Yeah, that's how lists work. </sarcasm> Seriously, how do you expect to prevent other people from making lists? For all you know, I have a list. Maybe you are on it now. We can't. But we can do what we can to protect privacy and security of the user. We can make all lists voluntary. Part of that means we have to keep pseudo-anonymity because without that anyone who doesn't like you from anywhere on the Internet could put you on a "scam" or "hack' list. Law enforcement is no better and they could target people for political reasons like with Aaron Swartz. Don't forget that Mike Hearn works for G$$gle, which allegedly has close ties to NSA/CIA.
NSA's one known attack vector is to infiltrate protocol development committees and influence their decisions to compromise security.
if an intelligence agency wanted to hack Bitcoin they could infiltrate with malware. Why would they even have to make it known? They might always have backdoors. I'm sure if you're using closed source Windows that there could be a backdoor since you didn't inspect every line of code and can't trust Microsoft. Bitcoin could be infiltrated upon compilation. It's not really possible to stop the NSA when you're using pre-compiled software. If you compile it yourself then you have to trust the source. This is why Linux repositories have public keys. We probably need something like this for Bitcoin service businesses too. If you deal with a business in a trusted network then you're alright. If you take your chances then your take your chances. And the list should be compiled by the community of which businesses to trust and why. And no we wont agree on who makes each list. There will probably be lists of different businesses which are trusted by one faction of the community or another for various reasons. Trust is critical and so is reputation for business. I suggest an open wiki. |
|
|
|
Or maybe we should just use passive crime fighting? Law enforcement announces an address which is believed to be used to store illegal funds, then everyone participates in coin mixing can decide for himself if he is willing to mix his funds with that of a suspect, it can even be built into the clients, oh wait, law enforcement prefers to remain obscure, so forget about it....
There are a lot of technical solutions which could empower the community without dividing it. This idea you present actually isn't all that bad. If individual users want to set their client to only deal with other trusted users that actually would be an excellent feature. No one wants to get scammed to find out that they cannot trust. The principle is that it should be voluntary. |
|
|
|
Stay focused, please.
Discuss how redlisting coins will help fight crime, and especially CyptoLock copycats.
Redlisting does not help fight crime. Criminals already have databases and probably have lists which they are exploiting as we speak. If they have lists we should be discussing how to make their lists less effective by improving the privacy functionality so that they cannot track our money. We should also be discussing what we can do to protect users from being targeted in general. There are a lot of potential attacks and coin taint lists are just one. You've either not read or not understood what Mike wrote. Redlisting does not involve blacklisting or whitelisting coins. Think of it as attaching a breadcrumb trail to coins that someone suspects are illicitly gained. It doesn't stop anyone from accepting them or spending them. It does, however, provide kind of an informational bread crumb trail for law enforcement to later track if it's necessary. I don't think it's a good idea to start making lists unless you don't mind being on someones list. I think it can easily spin out of control where hackers have lists, law enforcement have lists, and everyone is caught in the middle of being scrutinized by both hackers and law enforcement. If you want to be on a list it should be voluntary. The list idea needs to be more well thought out, that is all. https://bitcointalk.org/index.php?topic=157130.0The idea Mike Hearn presents here has some merit but once again how to implement it in a way which is voluntary, preserves privacy, and does not give control to any centralized government or group? If each community had its own lists there would still be problems though. Some communities will do business with you while others wont. Also making a list of coins isn't smart. Why not just have verified users, trusted users, trusted accounts or trusted identities? Why do we need to track coins when the bad actors are the ones the community is concerned about? |
|
|
|
Stay focused, please.
Discuss how redlisting coins will help fight crime, and especially CyptoLock copycats.
Redlisting does not help fight crime. Criminals already have databases and probably have lists which they are exploiting as we speak. If they have lists we should be discussing how to make their lists less effective by improving the privacy functionality so that they cannot track our money. We should also be discussing what we can do to protect users from being targeted in general. There are a lot of potential attacks and coin taint lists are just one. |
|
|
|
If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher.
What does the BTC/USD ratio have to do with the incentive to target users? Do you really have to ask that question? Hackers typically go after the easiest targets. They don't and wont typically go after the security experts using cold storage (at least not at first). However they'll collect information on everyone and gather intel through services which will ask for information to help them with their scams. They will then use this intel as part of the recon so that when they do launch their attack they'll know exactly your strengths and weaknesses. If you're someone who likes to gamble and you log into a gambling site you could find that the whole site gets mysteriously hacked and shut down with all the coins missing. The whole event could have been planned as a honeypot to attract suckers into putting their money on the site and when enough money is given to the site the hackers could roll it all up and take all the money. The higher the price for BTC at the time the more incentive they'll have to do stuff like that. The more anonymous BTC is the more likely they'll do it thinking they can get away with it. I'd say you didn't answer the question at all. If USD/BTC is $400,000 instead of $400, surely people will keep less BTC lying around on their computers. That isn't the case. A lot of people including Mike Hearn have lost their BTC wallet from back when they first mined BTC. A lot of people who aren't paranoid about being hacked will leave some satoshi laying around. And not everyone is a security expert who even knows what the phase "cold storage" means. Why do we have to act like snobs about this? Sure we could start businesses to secure people's wallets for a fee but then we'd be acting like banks and would probably have to be regulated. |
|
|
|
If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher.
What does the BTC/USD ratio have to do with the incentive to target users? Do you really have to ask that question? Hackers typically go after the easiest targets. They don't and wont typically go after the security experts using cold storage (at least not at first). However they'll collect information on everyone and gather intel through services which will ask for information to help them with their scams. They will then use this intel as part of the recon so that when they do launch their attack they'll know exactly your strengths and weaknesses. If you're someone who likes to gamble and you log into a gambling site you could find that the whole site gets mysteriously hacked and shut down with all the coins missing. The whole event could have been planned as a honeypot to attract suckers into putting their money on the site and when enough money is given to the site the hackers could roll it all up and take all the money. The higher the price for BTC at the time the more incentive they'll have to do stuff like that. The more anonymous BTC is the more likely they'll do it thinking they can get away with it.
snip snip
So when people say I'm being paranoid it might be because I know a lot about this subject and have reason to be.
Hate to go even more offtopic here, but the ones that know something would never bother adding the words "I know a lot about this" for reasons such as not needing to tell they know a lot about the subject, and by knowing that they have a lot to learn. I know a lot but not everything. Someone here probably knows more. There is a lot of inherent risk involved in using Bitcoin services at this time, and while the client itself may be secure we don't vet third party services at all and that is a real problem. I'm not saying taint lists are a good solution. |
|
|
|
Mike Hearn is participating in the same sort of thing that the Bush Administration did in 2001. He is proposing that Bitcoin businesses voluntarily help the US Government seize worldwide control of Bitcoin for the mere perception that something is being done about CryptoLocker. Meanwhile, there are obvious ulterior motives in play. To achieve a critical mass that would harm all users of Bitcoin, he only needs to get BitPay and Coinbase on board.
Take a deep breath, remove the tinfoil hat. Please read my previous post. Mike started a discussion about what is effectively a reputation service for coins. He didn't even propose that the Bitcoin Foundation adopt promoting the idea of one as policy, or that he himself is convinced a redlist is a good idea. They're going to spring up regardless of Mike's proposal, though. Some bitcoin services will use them, some won't. They'll be full of holes and cannot, by the nature of bitcoin, be 100% effective. A reputation system is a way for individuals and entities (companies, whatever) to communicate information to each other. I thought we're about free speech here, and freedom of individuals and entities to transact (money, information, etc) with each other? The point I'm trying to make is that you're right they will exist either way and will be used by everyone. Hackers could create target lists of people who have a high net worth in Bitcoin. So even if we didn't have corporations doing the redlist and blacklist nothing would stop underground hacker groups from doing it and the result would be just as bad. Honestly I don't want these lists to destroy Bitcoin but I also do not want hackers to destroy Bitcoin. If you say no corporation can create a known list then you still have to deal with the possibility of unknown secret lists floating around among hacker networks. I don't think these coin taint lists will do anything to protect us from randomware and I think the best ideas so far are Keyhotee and the Bitcoin identity protocol. This could allow the user to selectively identify themselves to clear themselves if there is an investigation. It is also necessary to allow users to access services without them having to give their email address or identity. You cannot trust every service. Finally it is important to allow users to have a trusted list of businesses, that part of the idea I do support. I need to know I'm contacting a trusted business and that they really are who they claim to be. No more shit like Inputs.io or Labcoin. It's not a fake problem at all. If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher. Malware will be written by the best of the best and you wont be able to detect it with any sort of virus scanner software or countermeasure. Nothing can be done to stop undetectable malware attacks, randomware attacks, or anything else. The best idea we have from the community is the Trezor wallet and they are taking too long to make it. Now you're trying to play the bait and switch game. Fixing the catastrophe that is PC security, or at least figuring out decent workarounds, is not the topic at hand. It's related. If your PC is insecure then you only have the illusion of privacy. Instead of big corporations spying on you through the web and tying your email address and password to your real world identity to sell to whomever now you're at the mercy of foreign hackers who will have databases of their own, potentially with lists of their own, and they exchange information too. When thinking about privacy and security you have to think about the whole picture and not just the Bitcoin client but the operating system it runs on and the PC that operating system runs on. A security vulnerability in any of that and all privacy is removed. |
|
|
|
So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware wont be developed to target Bitcoin users? This isn't paranoia it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us?
This seems disingenuous. Gold and cash are worth lots too. If you advertise the fact that you have a big hoard under your bed, and then leave your doors unlocked, then, yeah, you'll be a target. Just like gold or $, if you don't want to secure your money, pay a service that will. The beauty of bitcoin is that everyone is free to make the choice that is right for them. The fact is that it already is advertised who has a big stash. Anyone could be analyzing the blockchain as we speak and connecting those wallet accounts to email addresses. An unregulated exchange could collect email addresses and wallet addresses to put into their database. That exchange could then be hacked or perhaps the government sponsored hackers put the malware on that exchange. Perhaps the exchange itself is merely a front, a honeypot to attract high net worth Bitcoin holders to capture intelligence (which can then allow the database owner to sell the database for Bitcoins to hackers). Once intelligence has been captured then you know how many coins are in certain addresses and you have their email addresses. So what stops you from sending them attachments with malware? What stops you from targeting them for scams or phishing for more information for even better targeted advanced persistent threats, malware or ransomware? When you're talking about someone with a million dollars in their wallet and their email address is public information because its associated with an exchange, why wouldn't hackers target that email address? Why wouldn't hackers be looking for personally identifiable information? The same way KYC can be used by regulated exchanges nothing stops unregulated exchanges from collecting information about users and then hacking them. |
|
|
|
I don't think -anybody- at the Foundation is happy about even having to have this discussion. But the discussion has to happen, because Cryptolocker is a real issue that's going to become a lot bigger soon. There are very few vectors of attack against Cryptolocker (and inevitable copycats), whereas stuff like Silk Road is almost guaranteed to fail long-term due to the huge number of vectors for law enforcement to use against it. Unfortunately, one of those very few vectors usable against Cryptolocker is bitcoin. Cryptolocker is not Bitcoin's issue any more than it's Ford's issue if a bank robber drives off in one of models. If somebody should be thrown under the bus here it should be Microsoft for being unable or unwilling to build secure operating systems. Anyone who says they are worried about Cryptolocker's effect on Bitcoin adoption is lying. By every objective measure: transaction rate, blockchain.info wallets, frequency of conferences, exchange rate, etc, growth is exponential and shows not the slightest sign of being negatively affected by Cryptolocker. This idea of a Cryptolocker backlash is a fake problem used to scare the community into accepting a compromise that's against their best interests. These plans have been in the works for years, as evidenced on this very forum, and the proponents have just been waiting for a suitable excuse the put their plans into effect. It's not a fake problem at all. If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher. Malware will be written by the best of the best and you wont be able to detect it with any sort of virus scanner software or countermeasure. Nothing can be done to stop undetectable malware attacks, randomware attacks, or anything else. The best idea we have from the community is the Trezor wallet and they are taking too long to make it. It will be interesting to see how secure the Trezor actually is and whether or not it can pass the security checks but if it does then that is part of it. The point is that not enough time and effort is being put into protecting the users of Bitcoin from being targets of hackers precisely because a lot of the old time Bitcoin users are security experts who can tell newbies to compile their Bitcoin wallet, to put their Bitcoins in cold storage, to use a 25 character password or a brain wallet. Let's be honest here and admit that security is not easy even for the experts. The more you know about security the more paranoid you tend to be. So when people say I'm being paranoid it might be because I know a lot about this subject and have reason to be. |
|
|
|
So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware wont be developed to target Bitcoin users? This isn't paranoia it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us?
You're a persistent one. I'm just telling you that ransomware will not magically become more efficient than it is now just because people acknowledge bitcoin being worth more than murrikan dollar. Ransomware today is a pain. Ransomware tomorrow will be a pain. Ransomware won't be more dangerous tomorrow than it is today. Your coins are safe as long as you have a backup+strong passphrase or cold wallets. Just smile and go to sleep. I think Keyhotee is part of the solution to some of these problems. Look at this: https://www.youtube.com/watch?feature=player_detailpage&v=3pZaTdEtK-8The other idea I heard which was very good was the Bitcoin identity protocol. Both of those ideas need to be implemented immediately. And I don't assume my coins are safe enough. I don't trust hardware or software but at this point we have to because this is all we have. Bitcoins are not currently worth enough money for sophisticated and targeted attacks and I don't have a lot of Bitcoins anyway to be worth attacking. But some people have 1000 coins or 10,000 coins and they'll be in danger today. In the future people having just a few coins will have to worry about being cyber robbed. No it's not easy to defend yourself against extortion or identity theft. It's almost impossible to be sure your computer is malware/spyware free and if a government wants to spy they can see everything. We can only do the best we can with our software implementations and use stuff like raspberry pi for hardware. Paranoia is actually necessary to defend valuable information which is why we typically pay experts to do it. |
|
|
|
Advanced persistent threats can exist in any and every one of our computer systems. At any time a government can flip a switch and force us to pay some tax in Bitcoins?
No, they cannot. And... Have you been hit by a ransomware before? Do you know anyone who have been? Quit being paranoid. Ransomware did exist, still exist, and will exist. With no more power than they had before, provided you have a safe backup of your wallet. So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware wont be developed to target Bitcoin users? This isn't paranoia it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us? http://en.wikipedia.org/wiki/GhostNet |
|
|
|
So it's a very serious problem which I think people on this forum are underestimating. Cryptolocker could destroy Bitcoin just like the blacklist can.
Come on... Ransomwares are old story. http://en.wikipedia.org/wiki/AIDS_%28trojan_horse%29Seriously, this is just anecdotal. Advanced persistent threats can exist in any and every one of our computer systems. At any time a government can flip a switch and force us to pay some tax in Bitcoins? Just because it's not a new concept it does not mean that governments around the world are not assembling cyber armies and militias to do exactly this kind of stuff. So if Bitcoin were made completely anonymous then what could we do to protect ourselves from government sponsored attacks on Bitcoin users whether by phishing, by bribery, by ransomware extortion, malware, or anything else? Remember this: http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandalSweeping the problem under the rug will not help Bitcoin go mainstream. People like us might be considered security experts but the vast majority of Bitcoin users of the future will not be and we don't want the reason for Bitcoin to fail to be that hackers can manipulate and target the users. |
|
|
|
Ok, re-reading it more calmly Mike isn't proposing it or taking any stance he's looking for ideas on any aspect of it. It already exists, it can be done using the just the blockchain so I'd guess discussion should be as much about possible ways of preventing tracking as about ways of implementing it. That works both ways, making it hard for a government to track coins and extort 50% of your holdings also makes it hard to track the those extorting coins out of the little old granny with cryptolocker. That makes it a lot bigger issue than it seems, tracking can already be done but for now its restricted to specialists.
The problem is that the government could be behind both of these instances. A government can create cryptolocker ransomware technologies and spread it viral to tax the entire Bitcoin community by preying on the weakest members. It will be something governments could sponsor and use to steal money and I would not be surprised if a government were behind cryptolocker. So it's a very serious problem which I think people on this forum are underestimating. Cryptolocker could destroy Bitcoin just like the blacklist can. |
|
|
|
Is there an alternative solution to dealing with these problems which do not involve a taint list?
Well, education in good practices using computers and the internet is the best solution to ransomware. It's never happened to me. Stolen funds can be very effectively dealt with by encouraging a culture of well designed hardware wallets. This increases the required sophistication of an effective attack enormously, a talented hacker would have to work hard, and any successful efforts would only be useful against a single hardware wallet firmware (which should be update capable to fix any exploitable bugs). Merchants that choose to insist on linking purchases to an identity can use the future Bitcoin Identity Protocol to do so. These ID's could be the most powerful identity information tool conceived, and when I say that, I mean powerful to the user, not to those that want to track your identity. Whole other topic, but I am impressed by the proposed scheme. Mike Hearn knows and explicitly advocates for all these approaches, apart possibly from the solution to ransomware, but who could honestly say don't endorse that. No amount of education will help once governments decide it's a good idea to sponsor the creation of randomware. I think you underestimate the level of sophistication this ransomware could take and underestimate the seriousness of the threat. I agree with the use of the Bitcoin identity protocol. That should be what they push and not this coin taint stuff. |
|
|
|
there are a lot of services out there which are a serious threat to privacy.
take Coinapult. This company has an enormous database of Bitcoin Addresses to Email Addresses. The NSA routinely buys such companies out(through their partner VC firms) and adds the database to their system for monitoring the populace.
But you can mask your email address fairly easily. I think a public key would work better than an email address because then the communications channel between you and the business would be entirely encrypted but also verifiable through a digital signature. Anyway there is probably a technological solution to this but right now everyone is reacting with angry and talking about trying to mix their coins. Mixing the coins will not solve this problem but it might help protect fungibility. |
|
|
|
You libertarians are just crazy, your whole focus on wrapping your self in secrecy and eliminating any accountability in society you create the very Dystopia you fear. To stretch a metaphor from TLOTR (a better work of fiction then anything Ann Rand ever wrote btw), your think passing out copies of the one ring will make the world a better place because the common man will somehow be 'equal' to elites. Equally unaccountable and equally likely to abuse that power I think (you know even Frodo succumbs to the temptation, because you know know power corrupts etc etc). If you want a world free of abuse of power then you can't fight fire with fire, you need universal accountability and transparency so abuse of power can be seen by everyone rather then fester in the shadows. And seriously of all the realms of our lives were privacy might be justified, out financial and business transactions are the last ones that are deserving of privacy. I would really expect more libertarians to understand how markets work, they require information and the more the better. Information asymmetry between two parties makes a fair meeting of the minds impossible and thus leads to market inefficiency. See David Brin (my favorite author btw) on the subject of privacy, http://en.wikipedia.org/wiki/The_Transparent_Society And http://www.metroactive.com/papers/metro/02.06.97/cover/brin1-9706.htmlPrivacy should exist everywhere but there should be a balance. A way to follow the money trail must exist to prevent institutional corruption. For this reason we cannot have secrecy in financial transactions. We can have privacy though. I don't think everyone needs to know what books everyone else is buying. But I want to know if a politician or police officer is being bribed because democracy depends on it. A free society depends on transparency. |
|
|
|
|
Show Posts
