49 comments

[ 3.4 ms ] story [ 569 ms ] thread
Makes you think though. Setup a site take the lot, blame it on a robbery == Millionaire.
Seems to be an issue of his age there. He claims to be much older on Bitcointalk. He owns a $750k house and previously rented a $500/week apartment too, so I highly doubt he is truly 18.
Why do you question his age, but apparently accept that he owns a $750k house etc? Not being snarky, but has he provided evidence etc?

I'm not sure how the ABC got to talk to him but he sounds young on the radio interview, for what it's worth.

This kid is 18? And people trusted a million dollars in untraceable money to him?
A kid offering spamming and hacked twitter accounts using the same account on the forums too, so I doubt anybody did any real research into this person before sending him money.
Zhou Tong was 17, when his Bitcoin project was hacked (this is the thread where he announced the project, and was astutely pointed out (concernedly, not mockingly) that he was destined for spectacular failure: https://news.ycombinator.com/item?id=2973301 ).

I really don't know why we keep trusting very young individuals on things that require implementation of _really_ good security. This is one of the places where ageism probably /should/ exist in some ways -- but the other way around from how we know it, because experience is one of the things that is really important here.

Age isn't the only factor in experience, though. Reputation and relevant experience is the key. There are people I would trust at 35 (for 15 years of experience) where I wouldn't trust someone at 45 (for 3 years of experience).

And then remember, John McAfee started McAfee in 1987 and left in 1994. He's 68 years old and I wouldn't trust him to tie my shoes.

indeed

upside of Bitcoin: no banks needed. or, anybody can run their own bank. innovate

downside of Bitcoin: anyone will run their own "bank". They will put Fortress in the name. It will be their first or second Rails app. They will live in their parent's basement. They will be experiencing puberty. But their stuff will be "secure" because they use "https://" on a few of their pages. Yeah.

| "And the more of it that is out there, the more thieves will be drawn to it.

Bitcoin will eventually be the defacto valuable item to steal, however I see the community is in its early days and perhaps Bitcoin will lead to even safer computing as our operating systems will need to be more secure.

Theres a lot of things we can learn.

A while back PG asked "what motive could a government actor have to create bitcoin?"

Could the long game answer be "To teach the masses of idiot developers basic info security"? If you take a step back the whole thing is a pretty neat experiment in punishing poor security practices.

As a soon to graduate computer science graduate, learning the in's and out's of bitcoin in the hope of making money has taught me way more about application security and the underlying crypto than four years of state schooling did.

Call me a luddite if you like, and I will probably be left behind in work and life, but I really can't shake the feeling that Bitcoin is an unworkable bad idea. Taking into account the risks of theft, the risk of government legislation, the risk of the system being gamed, the risk of wild fluctuations in value without rhyme or reason....
How are the risks any different than with cash? Leave your cash in an unsecure location and it will be stolen as well. I would argue that the risk of government legislation is greater with fiat currencies (capital controls) than with Bitcoin, because regulations are inherently more difficult to actually enforce.

Currencies also have fluctuations in value (which central banks try to manage as best they can).

If you don't mind me being a bit pedantic ...

The primary difference is that a person in a far away land is unable able steal my actual currency without putting a lot of their own funds at risk. Which is to say they would have to fly out here, find my house and/or wallet, take out money, leave, and then fly home. Its the same reason cash is more secure than a debit card. Debit card readers can be hacked with skimmers, nothing to 'skim' with cash.

So the risks with BitCoin are that from far away people can steal it from where it is being kept. These are the same risks as having cash in a banking instituion, except the bank has regulations that it has to meet in terms of being able to guarantee that even if they lose my funds they will replace them. Without the equivalent of the FDIC for BitCoin is qualifies as "higher risk."

A person in a far away land is unlikely to be able to steal funds you put in a physical BitCoin wallet generated offline that has never had any transaction outputs. Less likely than the cash analogy.

They can get my debit card number and steal money remotely though.

Let's address your fears.

"risks of theft": cash is also at high risk of theft, yet cash works alright in the real world. So why not Bitcoin? Web wallets need to develop excellent security procedures, like banks, and the best ones have done so: MtGox, Coinbase, etc.

"risk of government legislation": so far governments have been welcoming to Bitcoin. A US Federal Judge have ruled Bitcoin is real money [1]. The US Treasury Department FinCEN said Bitcoin "hold greats promise" to the US economy [2]. The German financial regulatory agency, BaFin, has officially classified Bitcoin as a commodity. Australia said they would investigate Bitcoin thefts with the same thoroughness as cash thefts. China is tacitly approving Bitcoin as government-controlled China Central Television is increasing its coverage of Bitcoin, with a surprisingly positive tone(!) Canada is very Bitcoin-friendly (hence the first ATM located there). Etc. And keep in mind it only takes a handful of countries to be friendly to Bitcoin for it to have a safe base to rely on. It is highly unlikely that ALL the countries in the world will ALL be hostile toward Bitcoin.

"risk of the system being gamed": there are no such risk. That's the one thing about Bitcoin you can trust: the protocol is ruled by cryptography and algorithms. It has been reviewed by many security experts. There is no known way to "game" the system. Some theoretical attacks exist but are never practical (eg. require investing half a billion dollars in mining hardware!).

"risk of wild fluctuations": true. But on the long term, as trading volume increase, volatility will reduce.

[1] http://www.forbes.com/sites/kashmirhill/2013/08/07/federal-j... [2] http://www.fincen.gov/news_room/speech/pdf/20130613.pdf

> risk of theft

There are key distinctions between cash and Bitcoin theft: Physically robbing large amounts of cash is really hard. Most people don't carry suitcases full of money, and bank robbers usually end up in jail or worse.

Electronic theft is difficult as well. If a bank believes a wire transaction was fraudulent, it can reverse it. And because bank accounts are generally not anonymous, fraud detection is a lot easier. By contrast, Bitcoin nodes can't undo a cryptographically valid transaction if evidence later shows it was fraudulent.

In addition, most bank deposits are insured up to a point by the government. Granted, you could privately insure Bitcoin deposits, but it's difficult to get the same scale of insurance that the Fed offers. Maybe at some point, but I'm not sure there's enough data points yet for an actuary to comfortable estimate the risks here. In addition, because insurance requires scale, the market for bitcoin insurance would probably consolidate into a small number of players very quickly, which raises the question of what happens if one of them collapses AIG-style.

In BitCoin I do believe the irreversible nature of transactions is seen as a feature, not a flaw. My bank has fraud protection but if I use my debit card and the transaction goes through, it is very unlikely I will ever see those funds again.

Also important to note, the Fed doesn't protect your value or purchasing power, they just insure (to a degree) the balance, but they also have the power to erode purchasing power at will.

"My bank has fraud protection but if I use my debit card and the transaction goes through, it is very unlikely I will ever see those funds again"

Why would you think that? My wife had a couple of fraudulent transactions on her debit card earlier this year, and they were refunded the same day we reported them.

It is possible to apply to Bitcoin the same security procedures that we apply to cash. Eg: web wallets employing fraud teams reviewing large outgoing transfers; private keys storage physically protected with safes, armored guards, alarms, etc.

Plus a lot more security mechanisms can be implemented with Bitcoin that is just plainly impossible with cash. Eg: M-of-N ECDSA signatures could require a thief to steal the hardware wallets of 2 business partners at once to access their shared coins.

Right now Bitcoin is in its infancy and people are still trying to figure out how to best protect wallets. There is no doubt that the security landscape of Bitcoin will be a lot safer a few years from now as its usage and value continue to increase.

however, all that happens already with the traditional government/banking/fiat based system

don't make us start citing all the recessions, depressions, shenanigans, thefts, bubbles, Ponzi schemes, snake oil salesmen, gambling, front running, short selling, bankruptcies, inflations, deflations, monopolies, defaults, perpetual-inability-to-balance-a-budget, carry profiting, spying, overly-complex-taxes-riddled-with-loopholes, usury, special treatment, insider trading, counterfeiting, etc that have occurred, and, will likely continue to occur, in that economic system.

Bitcoin is not without risks. But at least it's run by engineers in a way and to a degree that can't be said about DC and Wall Street.

"Bitcoin is not without risks. But at least it's run by engineers in a way and to a degree that can't be said about DC and Wall Street."

You are comparing apples with oranges. Currency vs. Banking system.

I think I'm comparing fruit to fruit. :-)

Look closely at fiat currency and government-backed banking and you may see just how closely they are intertwined.

Say what you like about 'fiat money' and 'taxation is theft' and big gov't and etcetcetc but if somebody robs my bank it doesn't cost me anything directly.
Same with Bitcoin.

When Bitcoin exchange MtGox was hacked on June 19, 2011, the attacker stole 2000 coins (worth $0.6 million today), but MtGox covered the losses with their own funds. Customers lost nothing.

Large, reputable, mature businesses will cover losses for you, no matter if it is USD or BTC.

Banks have some kind of regulation (even in the financial wild west that is the USA), and deposit insurance covers their customers against theft.

This jackass has said he isn’t likely to even report the theft to police.

That another bit coin exchange was able to cover the losses from a theft out of its own pocket is more likely good luck than good planning.

So what about if the government decides to devalue the currency by printing more money? Hasn't that 'quantitive easing' eroded your stored value? Your balance might be the same but the purchasing power and thus value isn't. Best bit is you won't know till after its done, way after.

It might be a nice incentive for investing money to keep value ahead of inflation but to the man-on-the-street its a bit like robbery in some sense in that it deprives you of the full expected value of your funds.

Well in actual fact, despite all the flack the feds get about monetary policy, core inflation is very very low. I remember the inflation of the late 70s/early 80s, and we are absolutely not seeing that now.

Oil prices are obviously much higher than they were fifteen years ago, which has follow-on effects for transport and food and similar, and is why I specified 'core' inflation. How would a bitcoin economy deal with these sorts of spikes in commodity prices?

Incidents like this are good. They will teach idiots not to trust "online wallets". Why on earth would you entrust a 3rd party service with your coins when you can keep your private key safe on your own and never have to worry about this?

When will people finally learn that since Bitcoin is decentralized by nature, that there is no need to re-invent these online "banks" to store coins?

Serves them right.

Well you're making the assumption that people can protect their wallets better than a bank.

I hope I'm not making a crazy statement to say that people in general aren't that great at security. Unless you have the wisdom to keep your wallets offline or secured with a password longer than 20+ (or whatever) charactes, it's only a matter of time before a worm or virus gathers up hundreds of insecure wallets.

Secondly, there's nothing intrinsically wrong with banks. Banks help the supply of money and keep economies going through investment. Banks can build green addresses for instant purchases which Bitcoin needs to be successful.

Bitcoin wasn't designed to get rid of banks. Bitcoin was designed to give banks and people a common way of transferring money without expensive accounting auditing, secret protocols, and government centralization.

In addition to worms and viruses, consider the risk of good old fashioned data loss. Everyone knows they should back up their hard-drive but many (if not most) users do a piss-poor job of it. Storing your bitcoins online somewhere increases the risk they'll be compromised by an online attacker, but it reduces the risk that you'll lose everything in a fire.
I keep my wallet.dat in Dropbox. It's versioned and they have 2 factor authentication. I also trust their security more (they have a dedicated security team: https://www.dropbox.com/help/27/en) than some John Doe on a Bitcoin forum.

Just use online wallets as your hot wallet and keep most your coins offline.

People who've kept their wallets in Dropbox have found them mysteriously emptied in the past, from what I recall.
I would argue your wallet.dat should't be accessible from the internet all the time to begin with just put it on a old USB stick that you can store in a safe place.

If you're worried it can disappear in a fire you can always make a copy of it put it on another USB stick and give it to your grandma or other trusted person.

If you are paranoid you can always just encrypt the file before saving it on the USB stick.

Treating them like the keys to your house should offer more security than any bank can give you. For one thing it makes it less profitable for any thief to target you.

There's only 1 problem with this. You should always check the computer you're about to load your wallet file into for malicious software.

Although I would argue a live CD with a Linux distro would probably be the best choice in this case. Quickly transfer some funds to your regular use account if you need while keeping the bulk of your funds in a safe place.

That was pre-2-factor authentication if I recall correctly.
As someone who works for a bank I can say with some confidence that the only thing protecting your funds is the fact that transactions are reversable and insured.

I would not trust a bank with my bitcoins.

I agree that Bitcoin banks would need insurance to be successful. As it is, it's pretty much just giving them to a anonymous stranger over the internet.
openssl aes-256-cbc -a -salt -in privateKey.txt -out privateKey.aes

It's that simple to do cold storage. Do it from an offline live CD boot, save the file to USB, and print it on a piece of paper just to be safe. So much confusion around something which is essentially protecting a string of text.

Problem with incidents like these is that they keep happening.

This means two things. One, there exists real demand for a secure online wallet, because just like most people are not comfortable storing massive amounts of cash at home, they are not comfortable storing Bitcoin in their paper wallets, brain wallets, etc. There is the convenience factor, as well.

Two, online wallets entail a number of risks, and seem inherently unsafe.

How do you reconcile the two?

In some kind of very weird way, these incidents give me more confidence in bitcoin-the-currency.

There are so many attacks on "bitcoin infrastructure" it is pretty clear that it is seen as a target by criminals (of various degrees of skill).

And yet there is no evidence of any critical break in bitcoin itself. They still haven't worked out how to print money.

I'm still a bitcoin cynic, but I'm slowly gaining confidence in it as a store of value.

Like I said: Weird.

Guys help me here. It seems that I don't understand and maybe don't really know how bitcoin works. How can it be stolen? A change in the logs? A pseudo-transaction?
(comment deleted)
If you know the private key for a wallet, you can transfer all the coins out to another wallet (i.e. make a real transaction).

Anyone holding BitCoins for someone else should protect the private key for the wallets holding the coins strongly - for example, by moving most coins to a 'cold wallet' where the private key is kept on an airgapped computer encrypted with a long secure password, and only occasionally accessed when the hot wallet runs out of funds, and protecting the computer with the hot wallet strongly as well (with multiple layers of defense and controls to detect and stop activity that might represent an attack).

It seems to me the gold analogy is more applicable when storing BTC than the cash one. I might be OK storing my gold with some institutions, especially ones with a proven track record and insurance policy, but other than those few institutions, I'd probably opt for a fire proof safe (a safe rated to protect the amount of money stored).

If one were to use BTC to store vast sums of money, you can store your BTC with a traditional bank. Simply generate a wallet offline on new hardware with a relatively secure USB bootable OS, write the keys down on a piece of old fashioned paper (use carbon paper and store the copy, destroying the original) and cover with some sort of tamper proof seal. Lock inside a lead box and then put it in a safety deposit box.

Please excuse my ignorance, but why would you use carbon paper and store the copy rather than the original?
Paranoid overkill really. Suppose you didn't have access to a locked lead box and stored your extremely large sum in an envelope, you would feel silly in 10 years when you realized someone was able to steam the envelope and use the raised letters from the pressure when writing to reveal the key without removing the tamper proof seal.

There are better, more modern methods of applying a seal or printing but it increases the attack surface so for the truly paranoid, they should probably be avoided (unless using something like Shamirs Secret Sharing Algorithm).