Bitcoin Forum
Author Topic: Two researchers from University College Dublin investigate the 500K theft.  (Read 4221 times)
hugolp
September 01, 2011, 06:36:56 AM
 #21

You only have to see the reaction on the forums about your original blog post. The reaction was: so what? this was already known.

Yeah, but that's always easy to say.

So you dish the reaction of the community to your paper because somehow you don't like to believe it is the reaction of the community to your paper, and prefer to mention as "proof" a website outside the community and a lot of the reports on Bitcoin. Let me tell you that the press on Bitcoin has been highly inaccurate and not only regarding anonymity. I have not seen something reported with more mistakes than Bitcoin. The community tried to correct them for a while, but ended up giving up. You can see the comments in the press thread.

Look, you and I (and everybody) know what's going on. Your paper is cool and the work is great, but you decided to give it a bit of dramatism accusing the community of things you should not have, to get more recognition and more press. And that is dishonest from your part. For example, even before your paper, the word pseudo-anonymous was removed from the main website to avoid confusion (even when the word pseudo-anonymous is accurate). The community knows how Bitcoin works and your accusations are false and only looking to get press. You should not do that, it's dishonest from your part.


fergalr
September 01, 2011, 08:18:54 PM
 #22

1) Active attacks on anonymity, on the bitcoin network.
There's some people using mixers.  But how do you know your coins are really mixed?
Let's say you trust the mixer.

But what if your coin is mixed with a bunch of other coins, all of which belong to an adversary?
If I was interested in actively attacking Bitcoin, I'd be flooding mixers all the time.

I could make it appear to another user that their coins were mixed, when in actual fact, I controlled all of the coins they were mixed with, and could tell for sure what the incoming and outgoing coins were.
Obviously, as the mixer takes a fee, there's a cost, in Bitcoins, to doing this.

But, while I've seen a lot of talk on mixers out there, I haven't seen this sort of threat mentioned (maybe I'm missing something - this is something to consider, not something I've thought about in depth).

If the mixer is designed well, and if the operator of the mixer is trustworthy, then it doesn't matter much what coins you get back, the same ones, or different ones.

Is this definitely true, though?
Like, imagine if you go and use a mixer - and, from what I read, they currently have a fairly low volume - and I'm there, flooding the mixer with bitcoins, from lots of different addresses.  You come away with some of my Bitcoins.  I know you got them from the mixer.  I come away with the address that the mixer gave me, which I know belongs to someone else that just used the mixer.  If it's just you and me using the mixer, you might think your coins have been mixed, when they really haven't.

I guess a lot depends on the design of the mixer, the time lags it supports, etc - but there's no real way of telling, with an attacker that's really willing to flood the mixer, if all the other bitcoins your bitcoins were 'mixed' with, are controlled by a single party.

I've not really thought about this - I imagine someone has done the math - but I guess it's pretty important that lots of people are using mixers, for them to be secure -- and you can't really measure that simply by coin throughput.

It'd surely be better if mixing was built into the protocol - but that's easy to say...

  The crypto community probably already has a pretty good idea of which properties the mixer needs to have.  I bet that the cypherpunks list probably even had detailed discussions on how to create a distributed system that didn't rely on the trustworthiness of any particular subset of mixer operators.  We just don't know which thread to look in, because they didn't know they were talking about bitcoin at the time, they thought they were talking about an email mixer, or how to protect an onion router from traffic analysis attacks, or something.

Yeah, great point - this stuff is probably well trodden ground, in different contexts; probably makes more sense to read up on it, than to just speculate.


I liked the paper, by the way.

I always consider claims of anonymity to be false until shown true.  And even then I'm still cautious.  I remember well that the first few things I had read about bitcoin made claims about anonymity that (surprise!) later turned out to be less than true.  I tend to blame journalists for bad journalism, but in this case I might be willing to cut them some slack.  Bitcoin is hard.

I would say that by now, most people in the community (at least in the threads that I read) have a fairly good idea of the level of privacy actually available for various types of transactions.  Of course, an attacker with the ability to aggregate data from a lot of places can overcome casual efforts at partitioning and end up knowing a hell of a lot.

Some day, there will be a simple web based tool, like blockexplorer, but much more sinister.  You'll be able to punch in an address, and it will track things forwards, backwards and sideways.  It will magically divine every address in your wallet that you have ever received money from, and if you've ever used or sent to a static address, it will be able to tell you a lot about yourself and what you like to spend your coins on.

The good news is that places that generate new addresses for every transaction will make it much less accurate.  And hopefully a network of decent mixmasters will provide hard edges, or at least plausible ones.

Most people don't know how serious white collar investigations work, so they don't realize just how much effort it will be for someone to keep those edges solid.  Real investigations cast a wide net.  They look at someone, then they look at everyone around that person, and then everyone around all of them, and so forth.  They look for coincidences first, and then patterns, and then evidence.  Honestly, if you let it get to the evidence stage, you've already lost.

I see a lot of people on these forums that say things like "well, they can't prove <this step>".  It doesn't matter.  They don't need to prove that step, they just need to see the pattern, and then find some other step that they can prove.  Where there is a pattern, there will also be evidence of something, something that they can use.  They are professionals, and you are an amateur.  They are much better at finding evidence than you are at hiding it.

For anyone seriously considering hiding some crime behind bitcoins, I offer this advice.  Don't.  And if you ignore that part, try to avoid coincidences, and make damn sure you don't leave patterns.  Be many different people, with different personalities, different habits, different patterns.  And if you must transfer money from a wallet that can be linked to you (and this is any wallet that you haven't taken great pains to keep apart from yourself), to an illicit wallet, make sure it is for something legitimate, with paperwork, and hopefully eyewitnesses that really think that they saw you buy or sell something.  Don't try to launder funds more than once, unless you have a legitimate, documented, witnessed sequence of transactions that will look completely normal and mundane.  And finally, make damn sure that you lose a hell of a lot of money along the way.  If 50,000 bitcoins leaves one side, 50,000 bitcoins had better not pop up on the other side, not even months or years apart and from totally different directions.

Sorry.  This is long, rambling, and I think I veered offtopic a bit.  Fun though.

Great stuff - I think your points about anonymity are spot on - there are just so many different channels and patterns to look at.
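
Added example, not part of the original thread and not any poster's code: a small model of the flooding concern raised in post #22, showing that a mixing round's throughput stays constant while the set of outputs an honest deposit can hide among shrinks as one party controls more of the deposits. The batch size of 10, the equal deposit size, the 1% fee and all names (`run_mixer`, `anonymity_for`, `flooder`) are assumptions constructed for illustration.

```python
import math
import random

def run_mixer(owners, rng):
    """Batch mixer: pay each deposit out to a fresh address in shuffled order.
    Returns payout[i] = index of the output address that deposit i received."""
    payout = list(range(len(owners)))
    rng.shuffle(payout)
    return payout

def anonymity_for(target, owners, payout, adversary,
                  amount_units=100, fee_bps=100):
    """What a flooding party learns about one honest deposit.

    owners[i] is who made deposit i. The adversary recognises every output
    paid to its own addresses, so those cannot be the target's output.
    amount_units and fee_bps are constructed values, not real mixer terms.
    """
    if owners[target] == adversary:
        raise ValueError("target must be an honest deposit")
    adversary_outputs = {payout[i] for i, o in enumerate(owners) if o == adversary}
    candidates = sorted(set(payout) - adversary_outputs)
    flooded = len(adversary_outputs)
    return {
        "throughput": len(owners),            # all an outside observer can count
        "effective_set": len(candidates),     # outputs the target could still own
        "entropy_bits": math.log2(len(candidates)),
        "linked": candidates == [payout[target]],
        # The fee the flooding party pays, as noted in the post: not free.
        "adversary_fee_units": flooded * amount_units * fee_bps // 10_000,
    }

def scenarios(seed=2011):
    """Three constructed rounds of 10 deposits with 5, 2 and 1 honest users."""
    rng = random.Random(seed)
    results = {}
    for honest in (5, 2, 1):
        owners = ["user0"] + [f"user{i}" for i in range(1, honest)]
        owners += ["flooder"] * (10 - honest)
        rng.shuffle(owners)
        payout = run_mixer(owners, rng)
        target = owners.index("user0")
        results[honest] = anonymity_for(target, owners, payout, "flooder")
    return results

if __name__ == "__main__":
    for honest, result in scenarios().items():
        print(f"{honest} honest of 10:", result)
```

In all three rounds the throughput is identical, which is the point made above about coin throughput not measuring how well a deposit was mixed.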
fergalr
September 01, 2011, 08:26:54 PM
 #23

Thanks for your reply Fergalr.  I give much respect to your well thought out comments and honesty regarding the extent of your capabilities and knowledge.  I've been thinking about this subject a lot because it really stunned me that despite all the "highly technical" users' claims that bitcoin was not anonymous, no one has solved any of the big thefts.

It's true that the thefts haven't been solved - at least not that we are publicly aware of - and maybe they never will be, maybe the thieves were careful to isolate their off-bitcoin actions.

But also, I'm not aware of any public serious activity, by technically skilled law enforcement, to investigate these events.
It might be the case that with the help of a few subpoenas, they could solve it.
If Bitcoin is ever used for something *really bad* and high profile in future, or if it becomes much more popular, these things will become apparent.
I think determined parties, with the ability to access exchange data, Mt. Gox, myBitcoin and so on will be able to analyze a huge amount of traffic.


2) The IP layer work that Dan Kaminsky did - could that be put together with Bitcoin layer work like we did?


I asked him in his thread how much it would cost to put together a tool but it must have freaked him and the others in the thread out because the thread immediately died.  https://bitcointalk.org/index.php?topic=34383.msg436871#msg436871.  And DK hasn't posted since.  That was not my intention at all :'(


He might just be busy - the SSL certs thing is happening at the moment - dunno.

Anyway, you seem to be a smart and talented programmer enough to be able to replicate Kaminsky's work for the conference and get a working tool going in a reasonable timeframe.  And I get the feeling that unlike him, my direct and public approach will not be scary to you or kill this thread.  It could be merged with your already existing tool like this (not sure if feasible):

a) run your address tracing and linking tool to find all the coins that were stored through the Mybitcoin portal.  You can start with my address info here: https://bitcointalk.org/index.php?topic=34225.msg428519#msg428519.  That should give you all their coins with current address locations.  Also see if any forum user can be linked to it.

b) run the real-time IP monitoring tool targeting those addresses to harvest the IPs + any other scrape-able info when the coins are moved

c) use your tools to see what they are doing with the coins.  By now you should know what wallets are exchange wallets, so if they are cashing out through an exchange bingo fire up the subpoenas.  If they are using dead drop or in-person cash-out then go back to dktool do geolocation on the IP, see what can be done... harder road but at least we know we're on it at that point.

But the key is b.  Hmm thinking about how much it would cost.  A database of every transaction made with IPs would be nice to start collecting, could be valuable in the future.  Of course, with DK's you don't get very many IP addresses because some users are a few hops away from an inbound node ???  He wasn't too clear on that point in his slides and I was not at the conference.

Another potentially profitable use for your work: We do need a tool to keep pool operators honest.  If the stolen block storage node and the pool general fund node can be linked, tool could monitor that.  Right now it is very easy for them to sneak blocks, and we miners have to guess if they are doing it or not by comparing pool luck to expected luck.  Vladimir's self defense for miners thread talks about this.

Those are interesting suggestions - I don't think I'll be embarking on a big engineering project like that, though; I've got to focus on more research oriented angles, as a research student.  But there's nothing to stop other people building such infrastructure, and I suspect they will, in time, if adoption increases.
fergalr
September 01, 2011, 09:12:06 PM
 #24

You only have to see the reaction on the forums about your original blog post. The reaction was: so what? this was already known.

Yeah, but that's always easy to say.

So you dish the reaction of the community to your paper

Hey, that's kind of harsh.
I don't believe I 'dish' anyone.

I actually think the reaction to our work has overall been really positive, and I'm really happy with that.  I was surprised, and happy, that it's gotten some people talking about Bitcoin, and especially privacy in Bitcoin.

It's true that some posters here have been dismissive of the work, and dismissed it as 'that was already known'.
In one sense, I'm happy for these people - they are unlikely to have any privacy problems!

But I stand by the point that while it's easy to say 'bitcoin is traceable' - it does bring a lot of clarity, and information, to have a go at tracing it, as an experiment, and see how you get on in practice, and publish your results; which is what we did.
Even if you stood on the more paranoid 'it can all be traced' end of the fence, I think seeing an analysis still adds a lot of value.
I do say that in the rest of the post you took that sentence from, and it is in the context of 'experiments add value' that I wrote 'it's easy to say'.


because somehow you don't like to believe it is the reaction of the community to your paper, and prefer to mention as "proof" a website outside the community and a lot of the reports on Bitcoin. Let me tell you that the press on Bitcoin has been highly inaccurate and not only regarding anonymity. I have not seen something reported with more mistakes than Bitcoin. The community tried to correct them for a while, but ended up giving up.

This is purely a personal 0.02 cents, but I don't think that's a reasonable thing for people that identify as the 'bitcoin community' to do.
Like, if you are going to campaign for the adoption of bitcoin (and there are threads here where people do, and award bounties), then I think you also have to continue to campaign for accuracy in how it's portrayed.  I don't think it's good to just give up on correcting things like the wikileaks donate page - and I presume you'd agree?
Now, I'm not judging anyone. Whatever we agree or disagree with, there's clearly a lot of voluntary, open-source, work going on, and that's really cool, so who is to tell people they should do more - not me - but I respectfully disagree with that idea.



You can see the comments in the press thread.

Look, you and I (and everybody) know what's going on. Your paper is cool and the work is great,
Hey, cheers - that's very positive of you - even your reaction isn't all bad!

but you decided to give it a bit of dramatism accusing the community of things you should not have, to get more recognition and more press.

Em, are you sure about that?
You know, I had a look back at the blog, and paper, to try and find somewhere where we 'accused the community of things we should not have', and I really don't see that at all.

The blog doesn't really have anything on it like you are talking about, and it's what most people will read, and probably what any press/bloggers would have picked up on.


Looking at the paper, the sentence I can find that's most like what you are saying, is this one from the paper: "While there is an understanding amongst Bitcoin’s technical users that anonymity is not a prominent design goal of the system, we believe that this awareness is not shared throughout the community. For example, WikiLeaks, an international organization for anonymous whistleblowers, recently advised its Twitter followers that it now accepts anonymous donations via Bitcoin [etc]"

And in our conclusion, we say "Technical members of the Bitcoin community have cautioned that strong anonymity is not a prominent design goal of the Bitcoin system. However, casual users need to be aware of this, especially when sending Bitcoins to users and organizations they would prefer not to be publicly associated with."


Now, look, we make the point twice that most technical users know, and have said, that anonymity isn't a design goal.  (I guess you could quibble with the word 'prominent' - but I think it's fine in that context of academic language, and in the context of a community implemented system, and doesn't mislead anyone).
We are quite clear that casual users are confused.
And they are, as we have shown many times.

You could always define everyone but those who know the most about anonymity, to not be part of the 'community'; but that's a tautology.
I think what we wrote is clear, and not misleading.

I think it got press, primarily because of the previous unclarity out there, among the people sharing it, of quite how anonymous bitcoin was - not because we 'accused' anyone of anything.  (Ok, we say that wikileaks isn't doing a good job of describing the anonymity situation - but that's a fair enough point, right?)


And that is dishonest from your part. For example, even before your paper, the word pseudo-anonymous was removed from the main website to avoid confusion (even when the word pseudo-anonymous is accurate). The community knows how Bitcoin works and your accusations are false and only looking to get press. You should not do that, it's dishonest from your part.

Again, I really don't see these false 'accusations' that you say we make.

Like, while it's important to listen to your concerns about our work, and while I'm genuinely appreciative of you taking the time to communicate them, your comments about us being dishonest are so wrong, they are hard to engage with.

We tried our very best to present things as accurately as we could.  Anonymity in Bitcoin is complicated, and a subtle issue (as the first line of our abstract says: "Anonymity in Bitcoin, a peer-to-peer electronic currency system, is a complicated issue").

It's not easy to try and communicate these subtleties accurately.
We put a lot of effort into making sure it was as accurate as possible, and that people understood what we were, and weren't saying - as you can see from the fact that I'm here, now, trying to clarify this :)

You can say you believe we were inaccurate - and I've tried to explain how I understand things, and to counter that belief.
But I don't really think you can credibly say there's anything dishonest going on with our work.

I guess we'll probably agree to differ on these issues; but I hope I've clarified a little more the angle we are coming from.
defxor
September 01, 2011, 09:42:24 PM
 #25

I actually think the reaction to our work has overall been really positive, and I'm really happy with that.

The difference lies in understanding how knowledge from research needs to be built from many stepping stones allowing you to infer something with certainty. If you're not used to that thinking people do expect you to close the loop in a very different way than what you set out to do (and which was the correct thing to do).

Someone else could, if they want to, build upon your work since they now know what results they can with good measure expect to get. Before your paper it was perhaps expected, but not to a degree where no one could've said with certainty that the results would turn out exactly the way they did.

For those who like their things a little more concrete:

Before this paper I knew a lot of people who didn't hesitate at all posting one of their public keys for everyone to see (donations, usually)

After, some of them consider it to be unnecessary leakage of information.

Great work.

coinonymous
September 02, 2011, 07:33:02 AM
 #26

Pretty vector art ITT.  I wish more .pdf's had interesting shit buried at the [100*(2^~5)]% zoom level like this! 8)

+1
hugolp
September 02, 2011, 08:42:20 AM
 #27

You can see the comments in the press thread.

Look, you and I (and everybody) know what's going on. Your paper is cool and the work is great,
Hey, cheers - that's very positive of you - even your reaction isn't all bad!

Yes, I think your article is very interesting. I have even pointed to it in other threads because I think it's a good read and I am happy someone did it. I think it adds to Bitcoin.

What I am not happy about is the way you have chosen to promote it. And I know how the college ambient work so I know how you manage to get attention. I think the way you did it was dishonest.


fergalr
September 02, 2011, 04:55:22 PM
 #28

Thanks everyone for all the kind comments.


@defxor: It's great to hear that it's been useful.

@coinonymous: We try and do vector graphics whenever we can - can be a pain to get the images produced right, but leads to smaller sizes, and it's clearer, and as you point out, people can zoom way in and check out the details.




@hugolp:
Thanks for your positive comments.

What I am not happy about is the way you have chosen to promote it. And I know how the college ambient work so I know how you manage to get attention. I think the way you did it was dishonest.
I think we'll just have to agree to differ on this.
 
I can't really parse that 'college ambient work' bit.  If you are saying that, in general, there are problems with why people do research in academia, well, speaking personally, I'd agree that there sometimes are, and you do sometimes see people overselling things, supposedly because it helps them get funding (this generally happens somewhere above the level of the lowly research student though!)

I don't want to get sidetracked into this big debate about the relative merits of academia.  The credit and funding systems definitely have flaws (which differ country by country - I'm in Ireland).

But academia is huge.  There's a selection bias here - you are more likely to read about the people who oversell things.  There's a lot of good people, doing good work, and in a lot of cases, the profit motives and conflicts of interest, are probably less than in most industry positions. (And arguably less, if you want to talk about conflicts, than in a system like Bitcoin, where there are a lot of early adopters who have a lot of Bitcoins, which must surely have some influence to see Bitcoin portrayed in a positive light!)

But anyway, yeah, there are conflicts everywhere, and you've got to be careful of them, and it pays to be a little skeptical that research you are reading might be oversold.

But, it's just as wrong to think research is always oversold, just because people are trying to get it out there. In general, I'd be more likely to trust in the good faith of people doing research, than people in a lot of other positions.


So, that's speaking generally.  Speaking specifically, I know I've no nefarious motives here (though I guess that doesn't help you).
And I've spent a while answering your specific criticisms here - I think satisfactorily, but you are welcome to disagree - think that's all I can do!