Bitcoin Forum
Author Topic: MtGox database leak: why you should always mix your coins.  (Read 4567 times)
Rampion (OP)
March 10, 2014, 09:27:18 AM
Last edit: March 11, 2014, 05:49:20 PM by Rampion
 #1

After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

EDIT FOR CLARIFICATION:

Bitcoin is pseudoanonymous: as soon as someone links one of your addresses to you (because you made a payment to him, or because a database of a service such as Gox is leaked) then he can learn your total BTC balance - or at least the total BTC balance of the wallet to which that address belongs - with trivial blockchain analysis.

By mixing your coins you make that task much more difficult, and thus you eliminate yourself from the list of easy targets in a situation as per the Gox database leak.

In other words: by not mixing your coins you are revealing your whole balance to the recipient of every transaction you make... And that is an important privacy breach.
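The "trivial blockchain analysis" described in the post above, as an added example that is not part of the original thread: a common-input clustering over a constructed ledger, showing how much of a wallet one leaked withdrawal address exposes. The ledger, the address names and the `exposure` helper are made up for illustration.

```python
# Constructed ledger: made-up addresses and amounts, not real transactions.
# Inputs reference earlier outputs as (txid, output_index); fees are ignored.
LEDGER = {
    "c1": {"inputs": [], "outputs": [("mine_a", 50)]},
    "c2": {"inputs": [], "outputs": [("mine_a", 50)]},
    "c3": {"inputs": [], "outputs": [("mine_b", 50)]},
    "c4": {"inputs": [], "outputs": [("mine_b", 50)]},
    "c5": {"inputs": [], "outputs": [("mine_c", 50)]},
    "c6": {"inputs": [], "outputs": [("exch_hot", 100)]},
    # Exchange withdrawal: a leaked customer table ties wd_addr to a person.
    "x1": {"inputs": [("c6", 0)],
           "outputs": [("wd_addr", 2), ("exch_hot", 98)]},
    # The customer later spends the withdrawal together with mined coins.
    "t1": {"inputs": [("x1", 0), ("c1", 0)],
           "outputs": [("shop", 12), ("mine_a", 40)]},
    "t2": {"inputs": [("c2", 0), ("c3", 0)],
           "outputs": [("otc_buyer", 30), ("mine_b", 70)]},
}


def find(parent, addr):
    """Union-find lookup with path halving; registers unseen addresses."""
    parent.setdefault(addr, addr)
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr


def cluster(ledger):
    """Common-input heuristic: all addresses spent as inputs of one
    transaction are assumed to be controlled by the same wallet."""
    parent = {}
    for tx in ledger.values():
        spenders = [ledger[txid]["outputs"][idx][0]
                    for txid, idx in tx["inputs"]]
        for addr in spenders:
            find(parent, addr)
        for other in spenders[1:]:
            parent[find(parent, other)] = find(parent, spenders[0])
        for addr, _ in tx["outputs"]:
            find(parent, addr)
    return parent


def exposure(ledger, known_address):
    """Return (addresses linked to known_address, their unspent balance)."""
    parent = cluster(ledger)
    root = find(parent, known_address)
    linked = {a for a in list(parent) if find(parent, a) == root}
    spent = {ref for tx in ledger.values() for ref in tx["inputs"]}
    balance = sum(
        amount
        for txid, tx in ledger.items()
        for idx, (addr, amount) in enumerate(tx["outputs"])
        if (txid, idx) not in spent and addr in linked
    )
    return linked, balance


if __name__ == "__main__":
    linked, balance = exposure(LEDGER, "wd_addr")
    print(sorted(linked), balance)   # the 2 BTC withdrawal exposes 160 BTC
    print(exposure(LEDGER, "mine_c"))  # never co-spent, so it stays unlinked
```

The heuristic is what a CoinJoin breaks: inputs from several owners in one transaction would merge unrelated wallets into a single cluster.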

domob
March 10, 2014, 11:35:38 AM
 #2

Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

Use your Namecoin identity as OpenID: https://nameid.org/
Donations: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS | GPG 0xA7330737
Rampion (OP)
March 10, 2014, 12:35:51 PM
Last edit: March 10, 2014, 12:48:22 PM by Rampion
 #3

Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

While it is not the best solution in terms of obfuscation, coinjoin is a pretty good system that IMO everybody should use. It's not perfect, but IMO it gives enough protection against the casual "let's see how much money this guy has" situation. A prepared and determined opponent will probably end up finding out your total balance, but it will take him more resources and time, which normally is something the casual criminal wants to avoid when looking for targets.

Summing up: By using coinjoin you avoid being the low hanging fruit, which is usually enough protection against a potential dangerous situation similar to what happened with the leak of the Gox database. The criminals won't be able to easily check your current BTC balance, so you will probably be discarded as a target.

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of one's funds at a time.

domob
March 10, 2014, 12:55:34 PM
 #4

Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

While it is not the best solution in terms of obfuscation, coinjoin is a pretty good system that IMO everybody should use. It's not perfect, but IMO it gives enough protection against the casual "let's see how much money this guy has" situation. A prepared and determined opponent will probably end up finding out your total balance, but it will take him more resources and time, which normally is something the casual criminal wants to avoid when looking for targets.

Summing up: By using coinjoin you avoid being the low hanging fruit, which is usually enough protection against a potential dangerous situation similar to what happened with the leak of the Gox database. The criminals won't be able to easily check your current BTC balance, so you will probably be discarded as a target.

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of one's funds at a time.

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if there are.

Use your Namecoin identity as OpenID: https://nameid.org/
Donations: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS | GPG 0xA7330737
dserrano5
March 10, 2014, 01:21:53 PM
 #5

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if there are.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.
WhatTheGox
March 10, 2014, 01:23:23 PM
 #6


mix coins because why?
devthedev
March 10, 2014, 01:28:32 PM
 #7

Nah, never used Gox, lol.

justusranvier
March 10, 2014, 01:29:05 PM
 #8


mix coins because why?
To protect yourself from cybercriminals.
gollum
March 10, 2014, 02:09:21 PM
 #9

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.
Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.
Gabi
March 10, 2014, 02:30:00 PM
 #10

Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

crazy_rabbit
March 10, 2014, 02:48:53 PM
 #11

After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

Moral of the story so far would read more like: User mixed their BTC on the previous largest mixer out there: Silk Road. User got goxed. Or use TOR with Mt.Gox and as they explicitly forbid this, ban your account and never respond again to your support messages: Get Goxed again.

It's a good idea in theory, but in reality we don't have good enough privacy tools for BTC yet.

more or less retired.
LiteCoinGuy
March 10, 2014, 03:11:56 PM
 #12

Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

That will never happen in my view; zerocoin will be on its own.

https://bitcointalk.org/index.php?topic=362468.msg3878992#msg3878992

phillipsjk
March 10, 2014, 04:09:44 PM
 #13

Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Rampion (OP)
March 11, 2014, 08:00:31 AM
 #14

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.
Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.

I disagree, with a caveat: do not use Tor to access stuff linked with your real name, and always use end to end encryption to avoid eavesdropping.

AnonyMint
March 11, 2014, 08:09:49 AM
Last edit: March 11, 2014, 09:01:38 AM by AnonyMint
 #15

Listen up please to learn some new technical information...

Got any good suggestions for trustless and low-fee mixers?  I think all the P2P mixer projects are not yet fully ready, as far as I know.

...

Tumblers like bitcoinfog provide better obfuscation, but the (huge) trade-off is that you should trust an unknown third party. I'd never risk more than 1% of my holdings to such services, but I think the service they provide is necessary and should be used, albeit with care and with just a very minor portion of one's funds at a time.

Problem is there is no way to know if a centralized service (VPN, exchange, mixer, tumbler, laundry) is hacked, under NSA gag order, dishonest, buggy, etc.

Also using the centralized (VPN, mixer, tumbler, laundry) identifies you as someone that deserves extra monitoring by the authorities.

A decentralized solution is always best, as it should look like regular transactions.

Yes, I think CoinJoin should be a very good start.  But do any really decentralised and fully working implementations of CoinJoin exist already?  I don't think so and would be interested to know if there are.

I'm not aware of any either but don't let that deter you from using one of the already existing solutions even if they aren't perfect.

A decentralized CoinJoin will have difficulty forming transactions (including unequal or equal transaction amounts) that look like this if anyone can join:

https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b?show_adv=true

A sharedcoin transaction will look something like this: https://blockchain.info/tx/e4abb15310348edc606e597effc81697bfce4b6de7598347f17c2befd4febf3b (picked at random). As you can see multiple inputs and outputs make determining the actual sender and receiver more difficult.

The server does not need to keep any logs and transactions are only kept in memory for a short time. However, if the server was compromised or under subpoena it could be force...

Because the way it must work is the users sign the transaction first with their requested outputs, then in the second round they sign their payments as inputs to the transaction. If the payment inputs are less than the total, then the transaction is invalid. There is no way to determine who cheated and rate limit them. Thus the saboteur can stomp on every attempt to create a CoinJoin transaction and destroy the decentralized system.

DarkCoin says they can solve this by charging a fee, but you will see I originally proposed that idea in the CoinJoin thread and the requirement is all the participants must be permanently identified and then must use divide-and-conquer to whittle down to who was the saboteur. But identification defeats the mixing!

Thus I have not yet seen a workable decentralized CoinJoin that can scale. And I don't expect one.

I posted this to the CoinJoin thread to get their technical peer-review of my statement.

Now, if the zerocoin concept would be implemented in bitcoin, it would be cool.

Just forget zerocoin; even in an altcoin it won't work. Because it requires a trusted person to hold the private key that can unlock everything including taking all the zerocoins. This can't be fixed (contrary to ruminations otherwise), it is a fundamental mathematical property of the way zero knowledge proofs work when combined with an accumulator.

Also zerocoin has to be dedicated to preset transaction amounts (e.g. 1 BTC) else the anonymity set can be trivially collapsed by comparing input and output transaction amounts.

Never recommend noobs to use Tor, it's a honeypot where they are worse off than not using Tor at all.
Noobs should use a trustworthy VPN instead.
The optimal solution is VPN + Tor.

Not if you stay in-network. Unfortunately, my services (bitcoin node) are not tor-enabled yet. Namecoin has the potential to facilitate this with human-readable addresses as well.

Not true. Tor is always subject to timing analysis by an entity such as the NSA (which is recording and storing nearly all global encrypted traffic in Utah) which can see the encrypted packets running between Tor nodes.

Popular VPNs are also very likely all honeypots and unpopular ones give only a small anonymity set.

Currently the only known way to be reliably anonymous is to use a connection to the internet that can't be traced to you, e.g. netcafe without cameras anywhere and don't drive your car as that has secret tracking built-in according to CEO of Ford, a throw-away mobile device and SIM that doesn't have your id registered and used for no other activity, etc.

unheresy.com - Prodigiously Elucidating the Profoundly Obtuse
THIS FORUM ACCOUNT IS NO LONGER ACTIVE
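The amount-comparison point raised in the post above (fixed denominations versus arbitrary amounts), as an added example that is not part of the original thread: it enumerates every way the outputs of a constructed joint transaction can be attributed to its inputs. The amounts, the one-input-per-participant model and the helper names are assumptions made for illustration; fees are ignored.

```python
# Constructed amounts in units of 0.01 BTC; one input per participant.
INPUTS = [130, 210, 170]
# Arbitrary payment amounts (50, 120, 95) followed by each payer's change.
UNEQUAL_OUTPUTS = [50, 80, 120, 90, 95, 75]
# Three equal 1.00 BTC mixed outputs, then each participant's change.
EQUAL_OUTPUTS = [100, 100, 100, 30, 110, 70]


def valid_assignments(inputs, outputs):
    """Yield every assignment of outputs to inputs in which the outputs
    attributed to an input sum exactly to that input's amount.
    Each assignment is a tuple: assignment[k] is the input index that
    output k is attributed to."""
    remaining = list(inputs)
    choice = [None] * len(outputs)

    def place(k):
        if k == len(outputs):
            if all(r == 0 for r in remaining):
                yield tuple(choice)
            return
        for i in range(len(inputs)):
            if outputs[k] <= remaining[i]:
                remaining[i] -= outputs[k]
                choice[k] = i
                yield from place(k + 1)
                remaining[i] += outputs[k]

    yield from place(0)


def anonymity_sets(inputs, outputs):
    """For each output, the set of inputs that could have funded it in at
    least one arithmetically consistent assignment."""
    sets = [set() for _ in outputs]
    for assignment in valid_assignments(inputs, outputs):
        for k, i in enumerate(assignment):
            sets[k].add(i)
    return sets


if __name__ == "__main__":
    for label, outs in (("unequal", UNEQUAL_OUTPUTS), ("equal", EQUAL_OUTPUTS)):
        count = len(list(valid_assignments(INPUTS, outs)))
        print(label, count, anonymity_sets(INPUTS, outs))
```

With arbitrary amounts only one attribution is consistent, so every output is tied to one payer; with equal denominations the three mixed outputs are interchangeable while the change outputs remain linked to their inputs.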
Rampion (OP)
March 11, 2014, 09:31:38 AM
 #16

Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.

AnonyMint
March 11, 2014, 09:39:41 AM
Last edit: March 11, 2014, 10:32:08 AM by AnonyMint
 #17

Anonymint: we are not discussing being safe against a global adversary such as the NSA, we all know that mixers + Tor is probably not enough to defeat them because of honeypots, timing attacks, deep packet inspection, etc...

We are discussing using basic security procedures in order not to be "the low hanging fruit" and thus being reasonably safe against the casual hacker/criminal doing trivial blockchain and network analysis to easily link identities to BTC balances. For that purpose running your wallet through Tor and using a decentralized and trustless mixer such as coinjoin should be enough.

The government and the criminals are sometimes one and the same.

But (uninformed) trust is all that is holding up the $150 trillion in fractional reserves, so you won't find too many people that subscribe to my view (yet). They will learn by 2020.

And you did not address my technical point about CoinJoin, which has nothing to do with the NSA.

In short, we are pretty well f8cked approaching the 2016ish global conflagrapocalpyse.


Adam Back (the creator of Hashcash which Bitcoin is based on) explains the anonymity problem (jump to 24:25 mins into the video).

unheresy.com - Prodigiously Elucidating the Profoundly Obtuse
THIS FORUM ACCOUNT IS NO LONGER ACTIVE
AnonyMint
March 11, 2014, 03:54:50 PM
Last edit: March 11, 2014, 04:18:44 PM by AnonyMint
 #18

And here is our friendly Bitcoin core developer...

AnonMint, Every post you've made here has been error and confusion.

Keep your ad hominem attacks out of it please. I asked kindly for technical comments.

The very first post in the thread points out that decentralized versions take more work because of the anti-DOS proofing.

And my post to which you are replying is in fact explaining the DOS (denial-of-service) is insoluble if you can't identify the participants in order to rate-limit them.

[A couple posts down](https://bitcointalk.org/index.php?topic=279249.msg2984051#msg2984051) I give some examples of how it can be done.

And again in that post you admit there is a DOS problem. You didn't solve it. And you can't solve it in a decentralized setting unless you have non-ephemeral identification of the participants. Which is precisely the point of my prior post to which you are replying.

You're presuming a broken model that I don't believe anyone here has ever suggested.

Incorrect. What I wrote is functionally equivalent to what you described. The point is the transaction can be jammed in the final round.

Since you didn't see the equivalence let me explain it. I thought you were smart enough to deduce such things. I chose to let the signatures of inputs go in the second and final round and point to a transaction because I envisioned using ring signatures. And the transaction won't be valid (blockchain will reject it) if the inputs are less than the outputs, so my version is just as safe as yours. And the DOS problem is equivalent. Come on you are a math guy, you can surely see that without me needing to explain it to you.

And if you think about it a while you will realize, by inverting the operations and using a ring signature, mine has advantages such as that not all have to sign in the first round before proceeding to the second round (they get excluded from second round too). Yet the DOS issue remains in the final.

You'd always begin the protocol by specifying the inputs in which you intend to sign. Signature authority over inputs is the principal scarcity that allows you to make the system dos-attack resistant. After the inputs are signed, outputs can be specified in a cheat proof way, and then the only avenue for disruption is refusing to sign which can be addressed by blacklisting your inputs (and other rate limiting tokens) and restarting.

Well now you see your error. You can reread my post again, and admit I was correct.

From your upthread post:

If a party fails to sign, everyone else is convinced that it's because they are jamming the process (intentionally or maliciously) and then can all ban (ignore in the future) whatever costly identity they used to enter the mix, or, if there is no other mechanism, that particular txin which they used.

And exactly how do you propose to identify that adversary in a decentralized setting?  ;) My point is you can't, at least not without breaking anonymity, and anonymity was the entire point of mixing.

unheresy.com - Prodigiously Elucidating the Profoundly Obtuse
THIS FORUM ACCOUNT IS NO LONGER ACTIVE
Beef Supreme
March 11, 2014, 04:23:06 PM
 #19

After the Gox database leak the names and home addresses of pretty much everybody involved in BTC are now public, at least among the criminal community.

Those singing the song that goes "I don't mix my coins because I have nothing to hide" are either:

a) totally brainwashed/incredibly naive
b) just stupid.

Even if you mined the vast majority of your coins and used an exchange just to cash out a minor part of your holdings, your total BTC balance can be discovered by trivial blockchain analysis, following the links with just one deposit/withdrawal address.

Moral of the story: Everybody should ALWAYS mix their coins and use Tor for BTC related activities. Information is power. Never give it away.

LOL, yeah but, didn't those same users just lose their ass and are now broke?
AnonyMint
March 11, 2014, 04:38:17 PM
 #20

LOL, yeah but, didn't those same users just lose their ass and are now broke?

The OP is also about people who cashed out before the Mt.Gox problems, yet their data may still have been leaked after the cash out event.

unheresy.com - Prodigiously Elucidating the Profoundly Obtuse
THIS FORUM ACCOUNT IS NO LONGER ACTIVE