Sheep Marketplace -- a Bitcoin-based market that grew sharply after Silk Road shuttered -- was the target of a 96,000 Bitcoin (~£60m) hack last weekend. It turns out that laundering that much Bitcoin is very tricky, and the denizens of r/sheepmarketplace on Reddit have been taking countermeasures against the thieves (or thief) to track and de-anonymize the Bitcoin as it moves through various "tumblers" -- services that obfuscate the origin and destination of Bitcoin fractions. It's an exciting chase across the darknet, full of math, intrigue, and crime.
Read the rest
Researchers at Malwarebytes have discovered that some programs covertly install Bitcoin-mining software on users' computers, papering over the practice by including sneaky language in their license agreements allowing for "computer calculations, security."
The malicious programs include YourFreeProxy from Mutual Public, AKA We Build Toolbars, LLC, AKA WBT. YourFreeProxy comes with a program called Monitor.exe, which repeatedly phones home to WBT, eventually silently downloading and installing a Bitcoin mining program called "jhProtominer."
Read the rest
"Kristoffer Koch invested 150 kroner ($26.60) in 5,000 bitcoins in 2009, after discovering them during the course of writing a thesis on encryption. He promptly forgot about them until widespread media coverage of the anonymous, decentralised, peer-to-peer digital currency in April 2013 jogged his memory." -- The Guardian — Mark
Brian Krebs is a security expert and investigative journalist who has published numerous ground-breaking stories about the online criminal underground, much to the consternation of the criminal underground. Krebs has been the victim of much harassment, including a dangerous SWATting (where someone called a SWAT team to Krebs's door, having told them that an armed gunman was inside).
Most recently, a Russian crook called Flycracker crowdfunded the purchase of a gram of heroin on the Silk Road, which he mailed to Krebs, having first called the cops to alert them that Krebs was a narcotics trafficker. Luckily for Krebs, he lurks in the same forums in which this was planned, and knew of it in advance and tipped off the local cops and the FBI.
Read the rest
I wrote yesterday
about Dan Kaminsky's excellent thoughts on BitCoin, and wished aloud for comparable work from Ben Laurie. It turns out such work exists: here's Ben's critique of BitCoin
, and here's his proposal
for an alternative. Both are short, clear, excellent reads.
Ever since BitCoin appeared, I've been waiting for two security experts to venture detailed opinions on it: Dan Kaminsky and Ben Laurie. Dan has now weighed in, with a long, thoughtful piece on the merits and demerits of BitCoin as a currency and as a phenomenon.
Bitcoin’s fundamental principle of fraud management is one of denial. If we drop our wallet on the street, the U.S. government is not going to compensate us for our lost cash. Bitcoin attempts to make the same deal, to the point where it calls its stores of keys, “wallets.” If we drop our wallet on the street — heck, if someone picks it out of our pockets — the money’s gone.
There have been bitcoin thefts. A few years ago, I tried to break Bitcoin, and failed quite gloriously. The system and framework itself is preternaturally sound. But it too is built on the foundation of buggy technologies we call the internet, and so Bitcoin must experience failures from the code around it. Hackers don’t care whose code they broke on their way to bitcoin, any more than pickpockets care that they’re exploiting the manufacturer of one’s jeans or leather wallet. So they break the server below the money, or the web interface above it. They still win.
At least, that’s the theory. Reality is more complicated. Of all the millions of dollars of purloined bitcoin that’s floating around out there, not one Satoshi of it has been spent. That’s because while most other stolen property becomes relatively indistinguishable from its legitimate brethren, everybody knows the identity of this particular stolen wealth, and can track it until the end of time.
Bitcoin Is Not as Secure, Unregulated, or Lucrative as You Might Think
Joey deVilla joined a Bitcoin mining pool (where people collectively contribute their spare computer CPUs and share the Bitcoins they mine).
Since Saturday he's made about 4 cents mining Bitcoins and about $40 dollars from ads running on his article about mining Bitcoins.
"To summarize: I made 1000 times more money by writing about mining Bitcoins as I did by mining Bitcoins."
Which makes more money: mining Bitcoins or writing about mining Bitcoins?
Gwern's "Using Silk Road" is a riveting, fantastically detailed account of the theory and practice of Silk Road, a Tor-anonymized drugs-and-other-stuff marketplace where transactions are generally conducted with BitCoins. Gwern explains in clear language how the service solves many of the collective action problems inherent to running illicit marketplaces without exposing the buyers and sellers to legal repercussions and simultaneously minimizing ripoffs from either side. It's a tale of remix-servers, escrows, economics, and rational risk calculus -- and dope.
But as any kidnapper knows, you can communicate your demands easily enough, but how do you drop off the victim and grab the suitcase of cash without being nabbed? This has been a severe security problem forever. And bitcoins go a long way towards resolving it. So the additional security from use of Bitcoin is nontrivial. As it happened, I already had some bitcoins. (Typically, one buys bitcoins on an exchange like Mt.Gox; the era of easy profitable "mining" passed long ago.) Tor was a little more tricky, but on my Debian system, it required simply following the official install guide: apt-get install the Tor and Polipo programs, stick in the proper config file, and then install the Torbutton. Alternately, one could use the Tor browser bundle which packages up the Tor daemon, proxy, and a web browser all configured to work together; I’ve never used it but I have heard it is convenient. (I also usually set my Tor installation to be a Tor server as well - this gives me both more anonymity, speeds up my connections since the first hop/connection is unnecessary, and helps the Tor network & community by donating bandwidth.)
Using Silk Road
(via O'Reilly Radar)
Bitcoin-based casinos are reporting pretty serious, six-figure profits on a series of games wherein players' apopheniac tendencies cause them to hallucinate non-randomness in the performance of a pseudorandom-number generator. The casinos claim that their financial numbers can be trusted because of BitCoin's shared logfile, which can be parsed to show their earnings.
SatoshiDice, which has servers based in Ireland, is a pseudo-random number generator game where players choose a number and then bet on the likelihood that a “rolled number” is greater than the one they’ve selected. If the rolled number is greater, then they win. The house has a 1.9 percent edge—which is where the profit comes in.
The online dice game has returned profits to the tune of ฿33,310 ($596,231) during 2012—an average actual profit of ฿135.96 ($2,416) per day from May through December 2012. During that period, players put down a total of 2,349,882 bets. That’s still minuscule by Las Vegas standards, but respectable.
bitZino, by contrast, released its figures in early January and seems to be doing a decent pace of business too (bitZino's bookkeeping only measures June 9 to December 31, 2012). The online casino—hosted in the US, offering online poker, blackjack, craps, and roulette—did not publish a profit and loss statement. bitZino did say it had paid out ฿28,986 ($495,000)—and that 3.2 million wagers were made during H2 2012.
Bitcoin-based casino rakes in more than $500,000 profit in six months
Ben Laurie is a respected cryptographer (he maintains OpenSSL and is in charge of security research for Google) and he's skeptical of BitCoin, a virtual, cryptography-based currency that has attracted a lot of attention. Ben has written three posts describing his objection to "proof-of-work" as a basis for a virtual currency, and they're great reading, as are the followups from his readers. I don't have the crypto chops to have a strong opinion one way or another on this, and in situations like that, watching people a lot smarter than me arguing is my best strategy for getting smarter myself:
Also, for what its worth, if you are going to deploy electronic coins, why on earth make them expensive to create? That's just burning money - the idea is to make something unforgeable as cheaply as possible. This is why all modern currencies are fiat currencies instead of being made out of gold.
Bitcoins are designed to be expensive to make: they rely on proof-of-work. It is far more sensible to use signatures over random numbers as a basis, as asymmetric encryption gives us the required unforgeability without any need to involve work. This is how Chaum's original system worked. And the only real improvement since then has been Brands' selective disclosure work.
If you want to limit supply, there are cheaper ways to do that, too. And proof-of-work doesn't, anyway (it just gives the lion's share to the guy with the cheapest/biggest hardware).
, Bitcoin 2
, Bitcoin is Slow Motion