Spekulatius (OP)
Legendary
Offline
Activity: 1022
Merit: 1000
|
|
April 12, 2012, 03:22:44 PM Last edit: April 12, 2012, 05:30:11 PM by Gavin Andresen |
|
What a nasty little piece of FUD this is: It’s not just safety that has us concerned about Bitcoin, though. We’re also skeptical about how “decentralized” this digital currency can really be. Though the official wiki claims that the protocol is now mandated by community consensus, it’s impossible to ignore the power that the original developers have over the system.
They have a skeleton key that gives them control of the whole machine, any time they want.
diverting Yeah, but isn't that true? Gavin Andresen and his other "trusted" developer have the power to implement any kind of backdoor in a coming update of the Bitcoin client and COULD just drain an arbitrary amount of bitcoins from the users, diverting them to their own addresses, or couldn't they?
|
|
|
|
phatsphere
|
|
April 12, 2012, 03:28:17 PM |
|
Yeah, but isn't that true? Gavin Andresen and his other "trusted" developer have the power to implement any kind of backdoor in a coming update of the Bitcoin client and COULD just drain an arbitrary amount of bitcoins from the users, diverting them to their own addresses, or couldn't they?
first rule here: no discussions. yes, if they conspire and put up a binary that is not identical with the source code it's possible. but it could be theoretically fixed by creating a new hardcoded fork of the blockchain from an earlier point in time.
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
|
|
April 12, 2012, 05:30:55 PM |
|
Split from the press hits topic: The only "skeleton key" I have is the private key for alert messages, that lets me sign messages that are broadcast and then displayed in the client (see https://en.bitcoin.it/wiki/Alerts for details, and the alerts that have been sent). MAYBE he is saying that the core developers could slip in a change to the source code without anybody else noticing... but we've worked hard to make that impossible (with things like the gitian reproducible build system so people can verify that we are creating executables from the source code that anybody can look at). Smells like plain-old FUD to me.
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
April 12, 2012, 05:33:18 PM |
|
What a nasty little piece of FUD this is: It’s not just safety that has us concerned about Bitcoin, though. We’re also skeptical about how “decentralized” this digital currency can really be. Though the official wiki claims that the protocol is now mandated by community consensus, it’s impossible to ignore the power that the original developers have over the system.
They have a skeleton key that gives them control of the whole machine, any time they want.
diverting Yeah, but isn't that true? Gavin Andresen and his other "trusted" developer have the power to implement any kind of backdoor in a coming update of the Bitcoin client and COULD just drain an arbitrary amount of bitcoins from the users, diverting them to their own addresses, or couldn't they?
Yeah sure, but so could anyone that feels like writing a virus and asking you to run it on your machine. The official client is scrutinized in every way all the time, and third parties often build binaries themselves to prove that nothing is wrong with the code. Any malicious code introduced would be pointed out quickly, and made known. Additionally, this is the reason that there is NO automatic update facility in the official bitcoin client.
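The check that Gavin Andresen's post (reproducible builds) and rjk's post (third parties building the binaries themselves) both rely on, as an added example that is not part of the thread and is not Gitian's or the Bitcoin project's own code. The builder names, the sample bytes and the `check_release` function are hypothetical, and each builder's hash is assumed to have had its signature verified already.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for a release binary and a modified copy of it.
RELEASE = b"constructed stand-in for a release binary\n"
MODIFIED = RELEASE + b"extra bytes not present in the public source\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_release(download: bytes, assertions: dict, min_builders: int = 3):
    """Compare a download against hashes reported by independent builders.

    `assertions` maps builder name -> SHA-256 hex digest that builder got by
    compiling the public source. Assumption: each assertion's signature was
    already verified (for example with gpg) before it reaches this function.
    Returns (ok, reason).
    """
    if len(assertions) < min_builders:
        return False, f"only {len(assertions)} builders, need {min_builders}"
    counts = Counter(assertions.values())
    majority_hash, _ = counts.most_common(1)[0]
    dissenters = sorted(b for b, h in assertions.items() if h != majority_hash)
    if dissenters:
        # Any disagreement means the build is not reproducible or someone's
        # toolchain or output was altered; do not trust the release yet.
        return False, "builders disagree: " + ", ".join(dissenters)
    if sha256_hex(download) != majority_hash:
        return False, "download does not match the hash the builders reproduced"
    return True, f"{len(assertions)} builders reproduced this exact binary"


if __name__ == "__main__":
    good = sha256_hex(RELEASE)
    honest = {"builder-a": good, "builder-b": good, "builder-c": good}
    print(check_release(RELEASE, honest))
    print(check_release(MODIFIED, honest))
    print(check_release(RELEASE, {**honest, "builder-c": sha256_hex(MODIFIED)}))
```

A matching hash only shows that the binary corresponds to the public source; it says nothing about whether that source is free of flaws, which still depends on review.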
|
|
|
|
finway
|
|
April 13, 2012, 02:04:31 AM |
|
It's open source, there are so many eyes (I wish) watching, don't worry.
|
|
|
|
evoorhees
Legendary
Offline
Activity: 1008
Merit: 1023
Democracy is the original 51% attack
|
|
April 13, 2012, 02:30:37 AM |
|
They have a skeleton key that gives them control of the whole machine, any time they want.
Ahhh I didn't realize the article was about the Federal Reserve!!
|
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
April 13, 2012, 03:05:47 AM |
|
This is a strong accusation. Please make an effort to have it retracted or modified as to what the author's meaning was. As to Gavin's 'skeleton key', the intent of it is understood but there is a hint of proprietary use there.
|
|
|
|
|
|
|
Etlase2
|
|
April 13, 2012, 03:41:36 AM |
|
you're really expecting an unbiased viewpoint from a site called creditcardassist?
|
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
April 13, 2012, 03:43:19 AM |
|
you're really expecting an unbiased viewpoint from a site called creditcardassist?
lol, touché. Probably not, but worth a shot.
|
|
|
|
|
|
|
|
JusticeForYou
VIP
Sr. Member
Offline
Activity: 490
Merit: 271
|
|
April 13, 2012, 04:00:50 AM |
|
You sir, are no sheep. Take that as a compliment. I have found the earliest appearance of this quote yet. Journal of United Labor Vol 8, no. 20 Nov. 19, 1887 pg. 2 However, if the meaning is understood and believed, does it matter the status or position of the person who said it? i.e. Who says it shouldn't matter, if there is truth in the underlying idea.
|
|
|
|
|
|
|
Spekulatius (OP)
Legendary
Offline
Activity: 1022
Merit: 1000
|
|
April 13, 2012, 07:46:04 PM |
|
Honestly, the administrative structure and execution behind the developers team worries me. Could someone please shed some light on the mechanics/processes by which shall be prevented that the developers (or some of them) implement a hidden piece of code in a new update that allows anyone to steal large amounts of bitcoin from updated clients in short time?
This bitcoinwiki article names 4 active developers: https://en.bitcoin.it/wiki/Developers; the bitcoin.org frontpage names 6.
If someone knows and can answer some of those questions, please feel free to do so. Providing some links to this information would of course be appreciated as well. Maybe a quick explanation addressing some of these points could be given:
- Who decides on who gets writing permits to the source code?
- Who decides on who has to hand off writing permits? How is this guaranteed?
- Who has access to the passwords, backups etc. (maybe some other entity, like github, sourceforge admins, googlemail..)?
- What safety procedures are in place to prevent abuse/theft outside manipulation of those writing/viewing permits?
- Are there rules in place that determine the steps undertaken to review and release an update/change to the source code?
- Is there some sort of outside review?
- How transparent are the decision making processes on who becomes active developer and who has to retire?
- Are there ways to improve the safety standards?
A proactive and transparent way to deal with those concerns will help to diminish doubt and false ideas surrounding the developers team and the bitcoin project in its whole. Thx for clearing up (and pls excuse that I didn't reaaally search much before posting;)
|
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
April 13, 2012, 07:59:24 PM |
|
- Who decides on who gets writing permits to the source code?
Gavin (i think) has admin access to the mainstream repo.
- Who decides on who has to hand off writing permits? How is this guaranteed?
Gavin, or other developers. if you don't like it: go fork to code
- Who has access to the passwords, backups etc. (maybe some other entity, like github, sourceforge admins, googlemail..)?
doesn't matter. the developers sign the releases, if an external entity tried to change stuff, it would be noticed big time.
- What safety procedures are in place to prevent abuse/theft outside manipulation of those writing/viewing permits?
can't be done, see above
- Are there rules in place that determine the steps undertaken to review and release an update/change to the source code?
no (i think), fork the code.
- Is there some sort of outside review?
it's open source, go review it yourself.
- How transparent are the decision making processes on who becomes active developer and who has to retire?
go read discussions on github
- Are there ways to improve the safety standards?
sure: fork the code. https://github.com/bitcoin/bitcoin
|
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
April 15, 2012, 12:45:37 AM |
|
The shitty Qt version was the skeleton key in action. Totally changing UI and introducing stability, security and usability issues is the biggest problem. If it works, don't fix it!
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
jancsika
Member
Offline
Activity: 80
Merit: 10
|
|
April 15, 2012, 01:57:19 AM |
|
Split from the press hits topic: The only "skeleton key" I have is the private key for alert messages, that lets me sign messages that are broadcast and then displayed in the client (see https://en.bitcoin.it/wiki/Alerts for details, and the alerts that have been sent).
Yes, that's probably what the author was referring to (and what the author misunderstood).
MAYBE he is saying that the core developers could slip in a change to the source code without anybody else noticing... but we've worked hard to make that impossible (with things like the gitian reproducible build system so people can verify that we are creating executables from the source code that anybody can look at).
Slipping in an exploit by adding code that shouldn't be there in the first place is extremely unlikely for these reasons. But slipping in an exploit by adding a feature that purports to do one thing but does another-- or does one thing except for a very specific edge case-- is very possible. And the award for doing so is much bigger than, say, getting first place in the Underhanded C contest.
|
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1434
|
|
April 15, 2012, 02:17:30 AM |
|
* grue thinks the author is trying to spread FUD, and is basing it on a tiny sliver of truth (signed notifications).
|
|
|
|
Gabi
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
|
|
April 15, 2012, 10:28:08 AM |
|
They have a skeleton key that gives them control of the whole machine, any time they want.
This is false. Isn't it defamation? Consider suing them
|
|
|
|
|