Comments


Researchers Find Problems With Rules of Bitcoin

retep No big surprise there (301 comments)

Ignoring game theory, it's easy to see how the model of mining being only paid by transaction fees doesn't make sense. After all, mining security is something that benefits all holders of Bitcoin, regardless of whether or not they perform transactions, so surely all Bitcoin holders should be contributing to that security.

How do you do that? Make everyone pay equally. Currently that is how Bitcoin works, due to the inflation subsidy (about 10% per year right now, leading to a per-transaction cost of about $50). Just keeping that subsidy indefinitely at some sane level, say 1%, is perfectly reasonable. There are other options too, but fundamentally people like a free lunch.

-Peter Todd, Bitcoin developer

about 6 months ago

Fake PGP Keys For Crypto Developers Found

retep Re:x.509 WTF? (110 comments)

Regarding binary and source code distribution, there's nothing to fix really - both source and binaries are already protected by X.509 certificates by virtue of being hosted on SSL-using websites: https://www.mail-archive.com/b... Secondly, PGP keys are hosted on https://bitcoin.org/ which gives users a manual way to get them securely, verified by X.509. We should check that certificate pinning is being used, and it'd be good to have a second code repo beyond github, but we're in pretty good shape already. I'm willing to call a spade a spade: Mike's loud pronouncement about how this is proof that PGP sucks is trolling.

As for payment authentication, keep in mind I'm a consultant. I act as official Chief Scientist for Mastercoin, and unofficial "chief scientist" for a whole bunch of other projects. My job is to advise other people who are doing the actual work; if I tried to fix everything directly myself I'd be wasting my time. Heck, right now I'm writing a (private) email outlining some ideas on the specifics of OpenPGP/X.509 integration to one of my clients and I expect we'll start to see this stuff get actually implemented in the future. It won't be my code, but I'm happy to have done my part in guiding others building secure systems.

about 6 months ago

Fake PGP Keys For Crypto Developers Found

retep Re:The chain of trust is broken. (110 comments)

Agreed!

Personally I'm actually kind of excited to see the security requirements for Bitcoin usage and Bitcoin-related development push more developers and users to learn about and understand OpenPGP and the web-of-trust. It's been a real backwater for years now, but there's so much that can be done to improve UIs for understanding how the web-of-trust works and using it. That no one has made even a simple "mass-and-springs" visualization tool for WoT signatures is sad, yet even something as simple as that would go a long way to helping developers use PGP properly.

Secondly, we have to remember our goal doesn't need to be "get grandma using PGP" - just "get developers using PGP" and "get professionals moving large amounts of money using PGP" is by itself a worthy and very attainable goal. It's totally OK if low-security applications like small-value Bitcoin payments just outsource trust to centralized certificate authorities. What matters is that the applications with high security requirements, like large Bitcoin payments and Bitcoin-related software development, have the tools to do the job right without blind single-point-of-failure reliance on any one authority.

about 6 months ago

Fake PGP Keys For Crypto Developers Found

retep Re:x.509 WTF? (110 comments)

Never mind that we don't need to switch to X.509, we can add X.509 certs to OpenPGP.

When you think about it, in the web-of-trust model centralized certificate authorities are just entities that a lot of people happen to trust; there's absolutely nothing stopping us from taking X.509 certs and adding them to OpenPGP keys as just another type of signature and the X.509 certificate providers have no (technical) means of stopping people from doing that.

I've argued before to the Bitcoin community that what we really want is a "best of both worlds" solution where we support centralized certificate authorities via X.509 and OpenPGP for applications with low security needs while maintaining the ability to use the WoT for those applications with higher needs. It's totally OK if the average user just uses software that automatically checks the X.509 cert or OpenPGP signature issued by a certificate authority when they download some wallet software or make a payment to someone. Meanwhile advanced users, and particularly developers, can check all the signatures, WoT, certificate authority, whatever, to be sure they have the right software when they're downloading "clean" copies for their Bitcoin exchange, or making high-value payments.

What really amazes me is how people seem to think this is a binary decision, centralized PKI or WoT. It's not at all! Heck, lots of organizations already apply the central certificate authority model with OpenPGP - just look at all the Linux distributions that have master OpenPGP keys to sign packages. That's a certificate authority, but with OpenPGP technology.

Mike Hearn has lately been going on a bit of a war-path trying to push Bitcoin into a model of blind reliance on singular centralized PKI authorities and frankly it's just nuts. He's even gone as far as to strongly advocate that we don't even support multiple X.509 certs for applications, which would at least require an attacker to compromise more than one certificate authority. This is particularly crazy when at the same time he has advocated that websites, e.g. bitcointalk, reddit, slashdot, etc., sign cryptographic certificates linking usernames to identities. The idea here is if I want to pay "IamTheRealMike" my wallet software could have, say, slashdot's certificate pre-loaded and trusted, and then I'd tell it to give the funds to that username. But why would I do that? I want to pay Mike Hearn. I happen to know he's "IamTheRealMike" on slashdot.org, and "Mike Hearn" on bitcointalk, so obviously if it's a non-trivial sum of money I'd want to be able to check that both sites have stated that they're the same person, and maybe I'll check WoT too, and, say, his country's passport office. It just makes so much sense to give people options like that, but we're rather mysteriously seeing resistance. If anything, I think it's kinda insulting to the professionals in this space, both developers and finance people, to tell them "We're all too stupid to learn about anything more complex than trusting the magic green checkbox". If I was running a big Bitcoin-related business I sure as hell would want more assurance than that; when I'm writing software used by others I sure as hell want more assurance than that.

Anyway, in the OpenPGP world I'm really excited to see KeyBase pop up. It's not perfect - the functionality probably should have been just an add-on to OpenPGP rather than a website - but it's a great step in the right direction of giving flexibility and user-friendliness to the WoT. It also works great as a local application, so if you choose to you aren't relying on their website/service for the guarantees it provides.

about 6 months ago
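The "best of both worlds" policy retep argues for in this comment (one certificate authority is fine for small payments, large payments need several independent attesters, and the sites vouching for a username must agree on who the person is) can be written down as an explicit trust policy. The code below is an added illustration, not code from the comment or from any Bitcoin wallet; the tier limits, issuer names and fingerprints are constructed, and each attestation is assumed to have already passed its own cryptographic check.

```python
"""Name-to-key trust policy mixing certificate authorities and web-of-trust style
attesters. Added illustration, not the comment's or any wallet's code; issuer names,
tiers and fingerprints are constructed, and every attestation's own signature is
assumed to have already been verified (X.509 chain, OpenPGP signature)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    issuer: str       # who vouches: "ca:example-ca", "site:slashdot", "wot:alice" ...
    kind: str         # class of trust root: "x509", "site", "wot", "gov"
    subject: str      # the person being vouched for
    fingerprint: str  # key fingerprint the issuer binds to that person

# (payment ceiling, distinct issuers needed, distinct kinds needed). Small payments
# accept one CA's "green checkbox"; large ones need several independent roots so a
# single compromised authority is not enough on its own.
TIERS = [(100, 1, 1), (10_000, 2, 1), (float("inf"), 3, 2)]

def requirements(amount):
    """Return (min_issuers, min_kinds) for a payment of the given size."""
    for ceiling, issuers, kinds in TIERS:
        if amount <= ceiling:
            return issuers, kinds

def evaluate(attestations, subject, amount):
    """Return (ok, fingerprint, reason) for paying `subject` an `amount`.
    Conflicting bindings are always rejected: if two sites name different keys
    for the same person, do not pick one, stop."""
    relevant = [a for a in attestations if a.subject == subject]
    if not relevant:
        return False, None, "no attestation names this subject"
    fingerprints = {a.fingerprint for a in relevant}
    if len(fingerprints) > 1:
        return False, None, "conflicting keys: " + ", ".join(sorted(fingerprints))
    fingerprint = next(iter(fingerprints))
    issuers = {a.issuer for a in relevant}
    kinds = {a.kind for a in relevant}
    min_issuers, min_kinds = requirements(amount)
    if len(issuers) < min_issuers or len(kinds) < min_kinds:
        return False, fingerprint, (f"need {min_issuers} issuers of {min_kinds} kinds, "
                                    f"have {len(issuers)} of {len(kinds)}")
    return True, fingerprint, "corroborated by " + ", ".join(sorted(issuers))

# Constructed attestations for the payee named in the comment; fingerprints are placeholders.
ATTESTATIONS = [
    Attestation("ca:example-ca", "x509", "Mike Hearn", "FP-CONSTRUCTED-1"),
    Attestation("site:slashdot", "site", "Mike Hearn", "FP-CONSTRUCTED-1"),
    Attestation("site:bitcointalk", "site", "Mike Hearn", "FP-CONSTRUCTED-1"),
    Attestation("wot:alice", "wot", "Mike Hearn", "FP-CONSTRUCTED-1"),
]
# One CA alone covers small change but not a large payment; a second site binding the
# same name to a different key is a red flag, never a tie-break.
ROGUE = ATTESTATIONS + [Attestation("site:reddit", "site", "Mike Hearn", "FP-CONSTRUCTED-2")]

if __name__ == "__main__":
    for amount in (50, 5_000, 500_000):
        print(amount, evaluate(ATTESTATIONS, "Mike Hearn", amount))
    print(evaluate(ATTESTATIONS[:1], "Mike Hearn", 5_000))
    print(evaluate(ROGUE, "Mike Hearn", 50))
```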

6TB Helium-Filled Hard Drives Take Flight

retep Re:Helium Leaks (297 comments)

Provided that atmospheric pressure works, the fact that helium leaks is irrelevant: helium leaks into the hard drive just as easily as it leaks out of the hard drive. All you have to do is make sure that the hard drive is leak-tight for everything but helium - fortunately this is pretty easy to do, as helium is the only gas that leaks as easily as it does.

about a year ago

Malcolm Gladwell On Culture and Airplane Crashes

retep Re:but, back to root cause (423 comments)

If you don't practice manual landings you won't be able to land manually in severe weather.

about a year ago

Bitcoin Blockchain Forked By Backward-Compatibility Issue

retep Re:Old news. (351 comments)

He's talking about O(n^2) space, not propagation time.

about a year and a half ago

Bitcoin Blockchain Forked By Backward-Compatibility Issue

retep Re:Old news. (351 comments)

Sigh, I was hoping that guy had remembered enough of my posts to quote my rebuttal to that argument - I guess I'll have to add the link myself.

about a year and a half ago

New GPU Testing Methodology Puts Multi-GPU Solutions In Question

retep Re:You use GPUs for video games? (112 comments)

Keep in mind that for Bitcoin the individuals like you running tiny little mining setups that might not be actually profitable as a fun hobby are a very good thing. Bitcoin needs mining power to be as well distributed as possible to make it difficult to co-opt, so the hundreds or maybe even thousands of individuals like you help that goal. However, it's helped best if you actually validate your blocks properly, and that means mining with P2Pool right now.

Bitcoin is lucky that the costs to mine for a small rig, on a $/hash/sec basis, are probably actually less than for larger setups, because on a small enough scale you can ignore cooling issues and often ignore power issues too (heating in the winter or free power). There is overhead of course, you have to set up your mining rig, but that's often written off as a fun hobby.

about a year and a half ago

Sandia Lab Celebrates Inventor of the Modern Clean Room

retep Re:Cleanrooms are obsolete (42 comments)

How is the equipment that handles the FOUPs assembled? I assume in a cleanroom, or is in-situ cleaning good enough that you can still do maintenance in a class 10,000 room then after maintenance clean the tool to the required class 10 standards?

about 2 years ago

Google Outage Shows Risk of Doing Business In China

retep Re:anyone else curious (113 comments)

This article refers to a different incident where Google was explicitly blocked prior to a leadership change in China. The Pakistan routing screw up is completely different.

about 2 years ago

Vast Bulk of BitCoins Are Hoarded, Not Used

retep Re:Money Laundering? (438 comments)

You're taking me too literally. At that point in time Bitcoin didn't have any value for which to launder. Now of course it does, and doing that again now would be money laundering if you were trying to obfuscate illegality. All your examples can be money laundering because you're using objects with value. No judge would buy the argument I was money laundering by sending a chain email with a promise to pray for their soul for instance, because that email has no value.

about 2 years ago

Vast Bulk of BitCoins Are Hoarded, Not Used

retep Re:Some are also destroyed/lost (438 comments)

It's well known that the vast majority of Bitcoins created in the first half of the life of Bitcoin, back when they were totally worthless, are probably lost forever. This paper never even talks about that issue and assumes that every Bitcoin can still be spent.

In general it's a major flaw of the paper that they quote Bitcoins in, well, Bitcoins everywhere, rather than talking about the value of the Bitcoins in USD for the transactions they're talking about.

about 2 years ago

Vast Bulk of BitCoins Are Hoarded, Not Used

retep Re:Money Laundering? (438 comments)

"We discovered that almost all these large transactions were the descendants of a single large transaction involving 90,000 Bitcoins which took place on November 8th 2010, and that the subgraph of these transactions contains many strange looking chains and fork-merge structures, in which a large balance is either transferred within a few hours through hundreds of temporary intermediate accounts, or split into many small amounts which are sent to different accounts only in order to be recombined shortly afterwards into essentially the same amount in a new account."

"Not to imply that anything wrong was happening but isn't that the definition of money laundering?"

Nov 8 2010 was about a month after Bitcoins had any value at all. If you look up the Mt. Gox prices for that time they were completely flat for ages with just a couple dollars a day of trading activity. Then they picked up a bit and by Nov 2010 they were looking at low hundreds of dollars a day. It was really early in Bitcoin history and that transaction was likely just someone playing around with transaction making code, who accidentally lost their wallet.

It's only money laundering if what you're laundering is money... at that time Bitcoins were just an experiment that didn't seem to be going anywhere.

"Perhaps an individual experimenting with how effectively he can automatically clean BTC with temporary internet accounts being made for transactions leading back to a brand new account? But wouldn't the whole chain of ownership be shown on that final balance? What else could be the purpose of the mentioned exercise?"

Exactly. Even then people understood that you couldn't hide coins by moving stuff around. I like the analogy of trying to walk across a large desert. If you enter the desert, walk all over your tracks over and over again, then exit, anyone can deduce that the tracks entering and exiting the desert were the same person.

Real attempts at hiding the source of Bitcoins always involve swapping your coins for someone else's, and even then, that's a quite legitimate thing to do for privacy given that every transaction is public. It's only money laundering if you're trying to launder illegitimate funds; keeping privacy for legit transactions is not illegal.

about 2 years ago

Why WikiLeaks' Spinoff OpenLeaks Failed

retep Re:It's pretty obvious (79 comments)

"Tor isn't easy to use and doesn't interface well with the web. For example if someone wanted to post a TorButton on Slashdot to receive Anonymous leaks, is Tor secure enough or set up to do that? The other problem is Tor itself isn't perfect as a technology, it too can be compromised. And of course once again most people who are journalists want access to a Tor setup without having to be security experts. Tor is only accessible by security experts at this point and the problem is most journalists don't have the expertise to safely deal with it."

If you go to the Tor website, you're presented with some software to download. Click on that, install the software, and go. Sorry, but this is frankly very easy. There aren't solutions that "work better with the web"; HTML5 doesn't allow Javascript to open connections to arbitrary hosts on the internet, so any "web" solution would still require trusting a server run by people you don't know. Similarly the connection to that server can still be "man-in-the-middled" in a direct, but difficult to detect way. At least with Tor you can download the software on a different computer, unconnected to you.

Any technology-based solution is going to require some knowledge to use safely. Tor is already pretty close to the least-knowledge solution out there, and it has the advantage of being widely used for all sorts of reasons, so use of it doesn't raise that many red flags by itself.

"The idea of Openleaks is good. Leaks should be decentralized and the technology should be an anonymous secure channel or secure pipeline."

And how do you propose this is going to work, yet not require technological competence? At least organizations like Wikileaks and traditional journalism can provide things like maildrops, a non-technological solution that is accessible to people without security expertise.

Maybe this is why Openleaks hasn't released any code: did they go into the project with high hopes, and realized that there didn't exist technological solutions to the problems they were trying to solve?

about 2 years ago

Intel Says Clover Trail Atom CPU Won't Work With Linux

retep Re:smart ploy! (434 comments)

"They tried writing drivers themselves and again they sucked."

Dead wrong. Intel drivers are excellent and I and many others have had great success with them. They also usually work quite closely with the kernel community as a whole to make sure things work as expected; that's why what this article is saying seems so out of character for Intel. For instance, try searching for "intel.com" in the git commit log. Lots of kernel developers are on Intel's payroll, including core people like Alan Cox.

about 2 years ago

Why WikiLeaks' Spinoff OpenLeaks Failed

retep Re:It's pretty obvious (79 comments)

"If you understand the Openleaks technology, the idea is you shouldn't have to trust Julian Assange or anyone else with your secrets. The hackers should build the technology not enter the spy war. Julian Assange has brought heat on hackers around the world because he's entering into the spy world and that makes it dangerous for everyone and anyone so Daniel has a point there."

"Unfortunately Openleaks is vaporware and no code has been released. Unless he releases the code he deserves the bad reputation he's earning."

You also gotta wonder, what exactly is that technology supposed to be anyway? Tor is readily available, as are file uploading sites and message boards accessible with tor. If you have the technical know-how to use the "Openleaks technology" to publish your leak, you probably already have the know-how to use Tor anyway. Wikileaks also offered "mail-your-leak" dropboxes, a very secure option that has nothing to do with source-code.

The real thing Openleaks could add is vetted technology to remove things like embedded tracking of documents, for instance the metadata in jpegs and word documents, as well as technology to defeat steganographically hidden per-file tracking codes. I haven't heard of anything from Openleaks even mentioning that stuff, yet defeating it can be vital if a leaker wants to remain anonymous. It's a much harder problem than the actual publishing as well. It's also a problem more easily solved by human efforts, such as trusted individuals that re-word and summarize documents and publish the summaries rather than the originals directly.

What Openleaks can't do with technology is vet the leaks to ensure authenticity. For that an organization like Wikileaks makes much more sense, as does traditional journalism.

about 2 years ago

Why WikiLeaks' Spinoff OpenLeaks Failed

retep Re:"Open" (79 comments)

"Journalist organizations are better set up for publishing leaks. Wikileaks just wasn't well designed as a journalist operation. They never had the critical mass of readership and the way Julian Assange was doing things he had to be in the center of everything and when you put the human in the center of everything it's not hard to corrupt any human and defeat the whole system."

What makes you think they never had that "critical mass of readership"? I'd argue their most important readership was other journalists, and pretty much every leak they've ever published has been picked up by the press in some form or another. That the general public can read the leaks easily is a side-effect, necessitated by the fact that they want to keep the journalists honest, and by the fact that the term "journalist" should be interpreted fairly inclusively.

about 2 years ago

WD Builds High-Capacity, Helium-Filled HDDs

retep Re:Why not a vacuum (356 comments)

It's better than that: sure helium can leak out of your hard drive enclosure, but it's also the only thing that can leak into the enclosure as well. Helium is present in the atmosphere in small quantities, so the pressure in the hard drive will track atmospheric, albeit very slowly, yet still maintain a nearly pure helium atmosphere.

about 2 years ago
