Memo to Ethereum Foundation Council: impudence begins with calling your investors “donors”

Kelley Becker, deputy assistant to Jeffrey Wilkes of the Ethereum Foundation Council, just called ethereum investors “donors” in a skype chat leaked by (former?) ethereum employee Matt Liston.  Tellingly, Becker did this “straight” — no humor intended.

Backstory: (skype chat transcript) (reddit peanut gallery commenting on chat transcript)

From the skype pasta:

[5/15/15, 11:58:16 AM] Matt Liston: Ethereum has plenty of investors
[5/15/15, 11:58:35 AM] Kelley Becker: Donors
[5/15/15, 11:58:39 AM] Kelley Becker: Not investors

Kelley is assistant to Jeffrey Wilcke, who sits on the foundation council, the “boss” here, who later in the thread called Matt out for impudence and ejected him from the thread.

Ethereum’s own wikipedia page contradicts this “donation” language, calling the ethereum crowdfund what it is… a sale: *

Or, from first principles: a donation is when you give something and don’t get anything back.  In a sale you get something back.  This was a crowd sale.  It’s common in prostitution also to call the payment a “donation.”  But squirmy tricks with language don’t actually change the meaning of the language.

Ethereum foundation needs a competent PR agency, if they have any bitcoin left.  But it is probably be too late at this point.

If the idea behind ethereum has any merit I suppose the useful aspects will survive in some form, perhaps with the code migrating into a side chain in some hand-wavy future.

But unless the leadership can pull a rabbit out of an increasingly deflated hat, the token known as “ethereum” at this point is pretty much done.

Perhaps the same can be said of alt-mined dev tokens as a class.

* “In order to raise funds for development of Ethereum to the release of the genesis block and beyond, the Ethereum foundation conducted a sale of Ether to the public, during which anyone could buy Ether in exchange for Bitcoin at a rate of 1337 to 2000 ETH per BTC, with earlier purchasers getting better rates.”

Posted in Uncategorized | 1 Comment

How secure is Trezor’s restore process?

A consulting client wanted to know if it was safe to do the trezor restore process on a possibly virus infested computer.  Here’s my answer.

Trezor hardware wallets start with a bip39 24 word seed with 256 bits of entropy.

(2048 words in the dictionary -> 11 bits of entropy
11 * 24 = 264. The 8 additional bits are a checksum.

If you lose the device, the restore process involves typing the words in to a possibly non-secure computer.  Trezor scrambles the words.

If the computer you used for the restore was hacked, how hard would it be for the hacker to steal the wallet?

There are 24 factorial possible orderings.  This is 79 bits of entropy.

logBase 2 ( factorial 24) => about 79

But there’s an 8 bit checksum, so only 1/256 of these orderings would pass the checksum. This leaves us with 71 bits of entropy, down from 256.  We leaked 185 bits of entropy… ouch.


Our attacker now has 2^71 xprivkeys to search for possible live bitcoin addresses, so he can steal the wallet.  Each xprivkey has an unlimited number of possible addresses in the bip32 tree, but let’s simplify and say the attacker checks only 1.  This involves at least 1 sha256 operation.

2^71 is about 10^21

According to

One can buy hashing power for $0.5/gigahash second. Round down to $0.1/ghs.

10^21 is a trillion gigahashes.

So, a napkin estimation on lower bound on cracking the trezor after the entropy leakage of a restore process is a hundred billion dollars.  Probably secure enough.

That being said, trezor could avoid the leakage by having users enter the 24 word passphrase by entering four digit codes (1-2048) from a dictionary, using the pin pad entry trick where the numbers are scrambled.  This would be more tedious, but more secure, but then again maybe overkill.  Perhaps it could be made available as an option.

Please correct my math if I missed anything!

Posted in Uncategorized | 4 Comments

How to Steal Funds out of a Cold Wallet: Address Tampering

In the wake of the mtgox fiasco, we are seeing some overdue attention paid to exchange security, which reduces to wallet security when you are thinking about the building blocks.

The ultimate security in bitcoin world is a cold wallet, usually a file on an unconnected computer, possibly with a fresh operating system install for added security; and just software for bitcoin signing running on it, nothing else. Keys are kept in bank vaults, with the highest value keys split among multiple banks with shamir sharing so even the banks can’t steal the funds out of their own safe deposit boxes unless they collude with the other banks, whose identity they don’t even know.

How does one steal funds from such a veritable bitcoin fort knox?

Lots of ways!

The attacks all boil down to, don’t worry about how securely the cold funds are locked down.  You don’t need to  use dynamite and liquid nitrogen on the lock if you can walk in through the screen door out back.

The key is to confuse the operator into withdrawing their own funds in an insecure way. Since the operator is presumed to be operating a compromised Windows ME machine running kazaa and various other porn downloading utilities, and flash games in the browser, this is where our attacker should be concentrating their efforts.

The recent attack on mtgox used a technique called transaction malleability to trick mtgox operators (aka bank tellers) into thinking that withdrawals had failed when in fact they had succeeded but with a changed transaction id. MtGox operators would then re-issue the withdrawal. This could be done many times, and the end result seems to be that their cold wallet funds were drained. No one is sure yet how much (maybe not even mtgox) but I guess we will know soon whether mtgox is bankrupt or just playing around.

Assuming mtgox is solvent, I think they will slowly build up their reputation again as a place that “has survived every hack.” People new to bitcoin will continue to make their initial bitcoin buys there because “it is so cheap!” So mtgox will be around in 2015 to deliver unto bitcoin yet another lesson in cyber security, along with a buying opportunity for the patient as the bitcoin price tanks with headlines “Mtgox hacked again!”

How will the next big hack work?

My money is on address tampering, where the attacker substitutes an address they control for the real address.

There are a lot of variants of this attack, and they are really tricky to stop.

Here are some variants.

Simplest one: merchant has a sticker with his bitcoin address at his shop. Attacker slaps a similar looing sticker over it. Funds sent to merchant are now sent to attacker. Lesson: don’t use stickers, don’t reuse addresses.

Slight variant: Merchant uses a vanity address instead with merchants name munged in the address. Attacker can use same attack, but now they have to spend some money to generate a fake vanity address. Lesson: there is some deterrent effect of using a vanity address, but it’s not foolproof. Don’t use stickers, don’t re-use addresses.

Attack on mtgox cold bitcoin: compromise computer that generates transactions to be signed, do address substitution there.

Mitigation: Human operators must manually verify signed transactions before rebroadcasting.

Problem: Humans are fallible.


looks a lot like


(1 character changed.)

Well, that second one probably isn’t a valid address, since I just changed a character at whim, but the problem for the attacker reduces to generating a vanity address on the fly that can confuse a human operator. This can be done with rainbow tables I think.

A really evil attacker (perhaps an insider) would attack the mtgox accounting system, so that the funds flowing into the bad address would show up as funds going into the real mtgox online warm wallet, and it would appear that nothing is wrong, until user withdrawals start failing. (Similar feel to transaction malleability attack.)

Ultimate mitigation:

Cold computers should be loaded up with signing keys of recipient computers, where the identity of recipients is known; at least for recipients getting high value payments. (You need to do this anyway for AML/KYC.)

Recipient computers should generate signed payment requests. The cold computer can check these payment requests against the transactions to be signed, to verify that on tampering took place. If somehow a thieving transaction slips through the cracks and is signed by the cold computer, the attacker had to create a fake identity with a signing key to get the funds, which increases the cost of the attack.

Another nice thing about signed payment requests is that if a user computer is compromised  (a mtgox depositor in this scenario), the user is still protected against address substitution. Just like mtgox could require cold computer only send funds to payment requests from vetted (mtgox warm) recipients; mtgox could validate withdrawals only to payment requests that have been signed by vetted merchants.

Anyway the good news is there is a lot that could be done to prevent address tampering; but the bad news is we’re not currently doing it.

So what will probably happen is some huge heist will happen with address tampering (most likely at mtgox) and then there will be a mad scramble to stop this after the fact.

I will try to resist crying “Told ya!” when this happens. People hate that.

Meanwhile… to the moon!


Note: StandardCrypto security officer Mike Klein and I have had a number of conversations about gaming cold wallet security, so I’d like to give Mike credit concerning where a lot of these ideas originated. Especially the really evil ones.

Posted in Uncategorized | Tagged , , , | Leave a comment

CoinValidation is coming to china (pure speculation)

This is just speculation, I have no basis for making this prediction other than thinking about the situation.

But I think, for everyone asking what is going on in china, what we may see before the end of the month is some kind of law requiring bitcoin traders to register bitcoin addresses with the chinese government. You will not be able to withdraw from an exchange except to addresses that the government knows belongs to you. And when you spend from these addresses, there will (often) be a tax hit or some kind of tariff. Unless you are spending to yourself, but in that case you will have to register each new address, possibly up to some limit. Maybe there will even be a fee for registering each btc address. Chinese will be instructed to use wallets that send change back to originating address, so there won’t be a thousand addresses in a single chinese person’s wallet muddling tracking.

This would allow bitcoin for speculation, but it would prevent divesting money overseas, at least not without paying some excise tax or the government knowing about it.

Chinese businesses that transact in bitcoin would then be visible not only to the chinese government but also (likely) to their competition and the general public. This would discourage local adoption without seeming too heavy handed, and allow bitcoin investment as pure forex. Forget about privacy, but you can still make money as a trader if you pay the tariff, or whatever they come up with.

Essentially, I’m predicting coin validation but with a chinese twist which is probably even more intrusive than many privacy advocates fear in the west.

I think if my prediction comes true it’s mildly bullish in the short term, but it also gives coinvalidation/registration a lot more teeth (including in the US and Europe) if a giant part of the bitcoin market is going with it.

Medium term might be bearish, especially if the only reason for buying btc is to convert yuan to usd without the government knowing. This would pretty much put a stop to that; only long term investors would be in the game, and tax shenanigans would not be feasible.

I think china is likely to allow localbitcoin as a sort of gray market thing. They might occasionally bust someone to make an example, but they’ll tolerate it by and large, as long as it doesn’t get too big. So you could still get unregistered bitcoin that way if you don’t mind going back alley.

By the way, I think this pattern is likely to repeat in other countries with capital controls and high inflation, such as Argentina, syria, etc. It is just free enough to pacify the population, while leaving the government largely in control.

If it takes hold there, it might some day take hold in the USA and Europe, especially if bitcoin grows to the point that it challenges fiat currency.

We will be living in interesting times.

Posted in Uncategorized | Tagged , , , | Leave a comment

Dogecoin / PPCoin Timezone Arbitrage Bot


StandardCrypto is doing a dogecoin / short ppcoin timezone arbitrage bot.

China wakes up, long doge, long btc drags ppcoin down. Play the spreads on bitfinex, cash out to gox, and do goxbux otc to scared chinese that just want to unload their bitcoin because they’re afraid of a total ban.

The doge gets swept by reddit/4chan hft tipbots, and you can trade the karma for portugese krugerand futures on amagi.

So far this strategy has a 7% return after 24 hours.

If you would like more information, please contact

UPDATE: I am not sure if the investor queries are a joke…

Just in case… to be clear, this was a parody post.

Posted in Uncategorized | Leave a comment

Skip Millibitcoin and Go Straight to Micro

There is a conversation going on now encouraging bitcoin users to switch from talking about BTC to milli bitcoin, or thousands of a bitcoin (mBTC), as the default unit for every day life.

This emphasizes the fact that bitcoin are massively divisible (up to a hundred million times), which many people unfamiliar with bitcoin are unaware of. And it might encourage more fiat buyers to buy small amounts of bitcoin, making it seem cheaper even if only psychologically.

I think these are good reasons.

But why not skip millibitcoin and go straight to micro (millionths)?

A microbitcoin (uBTC) is 2 hundredths of a US penny. That’s a unit of value that has meaning in the macroscopic domain of everyday life. 0.02c USD is about 3.6 seconds of retail electric power, at 20 cents an hour. It’s 20 megabytes of monthly amazon ec2 storage.

5000 micro bits are a dollar. 10,000 is a slice of pizza.

A uBTC is a small amount of value, but it’s not a ridiculously small amount.

By going micro, one could also emphasize the fact that bitcoin can be utilized for metered micro transactions at the very small scale, like the examples I mentioned, or pay for the wifi by the packet, or tiny gambling transactions.

Best of all, it spares us another lengthy conversation about switching default units yet again, when the bitcoin price melts up again and reaches 10,000 USD.

Mostly kidding, folks 😉

Aw, heck.

To the moon!

Posted in Uncategorized | Tagged | 5 Comments

Neo&Bee Cyprus Bitcoin Bank is Stealth Bitcoin ETF

Neo&Bee, a bitcoin financial company based in Cyprus, is having its IPO today.

I was initially very excited to see a consumer bank embracing bitcoin. But as the situation unfolded I became more and more uncomfortable with the business proposition.

What it boils down to is that Neo bank will be taking customer deposits in euros, and performing normal banking operations such as lending and paying interest on time accounts. It walks like a euro bank, and it quacks like a euro bank. But deposits will be kept in bitcoin.

This is presented as a feature. I cannot understand why.

The problem is the same problem that a euro savings bank would have if it kept its deposits in gold, or petroleum futures. If the underlying asset tanks, there will be a run on the bank and it will fail.

Cypriot depositors, burned hard by the banking system meltdown, want their deposits safe. This is about moving money out from mattresses and back into the banking systems where it can be used.

Instead, Neo bank will buy bitcoin with their euro deposits. We are assured the euro value will be preserved in the case of a sharp fall in the price of bitcoin, by a sophisticated  proprietary hedging operation that is the Neo secret sauce.

Proprietary means never explained.

If the price of bitcoin increases, Neo bank wins huge, and its depositors get single digit interest.

If bitcoin/euro falls Cyprus depositors get burned. Again.

But this time by bitcoin.

If I was a savvy central banker that wanted to see bitcoin fail, I would covertly support Neo bank so that it can be killed later and used as an excuse to to over-regulate bitcoin and block it from interacting fluidly with fiat financial system. I doubt central bankers are that machiavellian, but who knows.

In short, Neo bank is an ETF being marketed as a savings and loan. That’s not an honest value proposition.

Proposed Winklevoss ETF: you deposit in dollars, the dollars are converted to bitcoin. If the value of bitcoin crashes, you lose. That’s honest, because investors expect the risk.

Cyprus Neo Bank: You deposit in euros, the euros are converted to bitcoin. If the value of bitcoin crashes, you lose. It’s not honest, because it’s supposed to be a savings bank.

I can’t conceive of Neo getting a banking license, but with the political situation in cyprus as screwed up as it is, who knows what happens behind closed doors.

This problem is discussed on reddit at

including response from cryptocyprus, spokesperson for Neo&Bee bank. The justification isn’t too encouraging.

More of same here:

I also received a non-explanation of the hedging strategy from cryptocyprus (Neo PR) at

that wasn’t even grammatical, yet alone informational.

Bitcoin needs adoption by the mainstream financial community, but the Neo offering is a heads I win, tails you lose scenario that deserves to be rejected.

Bitcoin IPO fever means their ongoing IPO will propably succeed. And if bitcoin value doesn’t tank, the Neo bank could succeed as well.

But it will all be a lie built on the exploitation of a cypriot population that has already been badly traumatized.

I think Neo bank means well, but they are blinded by the bitcoins.

By contrast, CFIG is doing it right. No lending, and they are not a bank, just a platform that plays nicely with banks.

I am not buying the Neo&Bee IPO.

Posted in Uncategorized | 7 Comments