The only thing that stops a miner from crafting a chain in private is the cost associated with running the mining equipment and not claiming the block rewards. If they have >50% hash power, then they have a near 100% chance of having the longer chain and making back the block rewards as well as their double spend. It is very possible that a government or some large entity could mine a longer chain in private and release it to disrupt the network. I'm not sure why you think this is not possible with PoW.
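As an added worked example (not part of either poster's text), the ">50% hash power means a near-100% chance of the longer chain" claim can be made precise with the gambler's-ruin estimate from the Bitcoin whitepaper: given an attacker hash share q and an honest lead of z blocks, the probability that a privately mined fork eventually overtakes the honest chain. The function names, the 0.1% risk threshold and the search bound are this example's own choices.

```python
from math import exp
from typing import Optional


def double_spend_success(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hash rate
    eventually builds a longer chain than the honest network once the honest
    chain is z blocks ahead of the attacker's private fork.

    This is the estimate from section 11 of the Bitcoin whitepaper: the
    attacker's progress while honest miners find z blocks is Poisson with
    mean z*q/p, and from a deficit of d blocks the catch-up chance is (q/p)^d.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hash-rate fraction in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative block count")
    if q >= 0.5:
        # The private chain grows at least as fast as the honest one, so the
        # attacker overtakes it with certainty: the ">50%" case from the thread.
        return 1.0
    p = 1.0 - q
    lam = z * q / p          # expected attacker blocks while honest mines z
    prob = 1.0
    poisson = exp(-lam)      # Poisson(k = 0); later terms built incrementally
    for k in range(z + 1):   # k = attacker blocks mined during the honest z
        if k > 0:
            poisson *= lam / k
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_for(q: float, max_risk: float = 0.001,
                      z_limit: int = 10_000) -> Optional[int]:
    """Smallest confirmation depth z at which the attack succeeds with
    probability below max_risk, or None when no finite depth works (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(z_limit + 1):
        if double_spend_success(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.50, 0.60):
        print(f"q={q:.2f}  P(overtake | honest lead 6) = "
              f"{double_spend_success(q, 6):.7f}  "
              f"confirmations for <0.1% risk: {confirmations_for(q)}")
```

The model assumes the honest network never reorganises away from its own tip voluntarily and that both sides mine at constant rates; it says nothing about the cost side of the thread's argument, only about the success probability once the attacker has the hash rate. Note how quickly the required confirmation depth explodes as q approaches 0.5, which is the quantitative reason the thread treats a majority as qualitatively different from a large minority.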
You are probably right, my last post was not correct in this aspect - in PoW the "private mining" of an attack chain for a long time to be released later is also possible and probably the best option for a profitable 50% attack.
But there are other aspects why PoS long-range attacks are regarded as very dangerous: If the attacker manages to get (via a double spend/50% attack) more than 50% of the total coin supply (or at least a large part, e.g. 30%, so that he will always be the biggest "staker" because 100% never stake) then he can control the network. Only a hard fork can save the coin then. With PoW, the attacker would have to conserve his 50% and continue to pay electricity costs, so disrupting the coin heavily would be more complicated.
I'm not sure which attack is more expensive, but that's also why I'm interested in Peercoin and PoS - a PoS attack may be, if you add all costs, more expensive than a PoW 50% attack. But it could also be easier to make it profitable (see next paragraph).
When selling coins before the double spend, you sap the network of its value by tanking the price right before you try to extort it for value.
In my scenario, the double spend is recorded on the miner's attack chain at a block height before the sale of the coins - but is "released to the public" afterwards. So the price would tank even more after Evil Attacker sold the coins and the double spend becomes known - and so he can probably even try to lend more coins while he sells and short sell them. An "extortion" (e.g. for political reasons, or for a ransom) is not necessarily part of this attack.
You can argue about the economics of this, but I do think you are missing my point about selling the hardware after attacking a PoW coin. In either model you can recover some of the liquidity used to attack the chain.
Probably yes, but what you cannot recover is the electricity costs, and you will not recover a big part of the attack costs. The only way to profit from a 51% attack in a PoW currency is, in my opinion, a complex (and expensive) strategy involving market manipulation, a really big double spend, and short selling just before the attack is publicly known.
In a PoS currency, the attacker can try the attack again and again once he has had his coins in his wallet (if he's caught he can mix the coins and repeat) because he isn't forced to use large amounts of electricity.
That is, I think, the second reason why PoS has so many detractors: because once you get the important part of the attack done (possess a large stash of coins) then you can attack many times - until the next hard checkpoint. With reorg depth limit or soft checkpointing, you have only a short timeframe.
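To make the "reorg depth limit gives only a short timeframe" point concrete, here is an added simulation of a node's chain-selection rule with and without a maximum reorg depth. It is example code written for this discussion, not Peercoin's or any other project's implementation: the block structure, the use of chain length as a stand-in for cumulative work, the 100-block honest chain, the fork heights and the limit of 5 are all constructed for the scenario.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    height: int
    parent_id: str
    miner: str   # label only: "honest" or "attacker" in the constructed scenario

    @property
    def block_id(self) -> str:
        data = f"{self.height}|{self.parent_id}|{self.miner}".encode()
        return hashlib.sha256(data).hexdigest()[:16]


def extend(prefix: List[Block], count: int, miner: str) -> List[Block]:
    """Return a chain that shares `prefix` and appends `count` blocks by `miner`."""
    chain = list(prefix)
    for _ in range(count):
        parent = chain[-1].block_id if chain else "genesis"
        chain.append(Block(len(chain), parent, miner))
    return chain


def reorg_depth(current: List[Block], candidate: List[Block]) -> int:
    """Number of blocks the node must discard from `current` to adopt `candidate`."""
    shared = 0
    for a, b in zip(current, candidate):
        if a.block_id != b.block_id:
            break
        shared += 1
    return len(current) - shared


def select_chain(current: List[Block], candidate: List[Block],
                 max_reorg_depth: Optional[int]) -> Tuple[List[Block], str]:
    """Longest-chain rule with an optional reorg depth limit.

    Length stands in for cumulative work here (all blocks are assumed to have
    equal difficulty). With max_reorg_depth=None this is plain longest-chain.
    """
    if len(candidate) <= len(current):
        return current, "kept current chain: candidate is not longer"
    depth = reorg_depth(current, candidate)
    if max_reorg_depth is not None and depth > max_reorg_depth:
        return current, f"kept current chain: reorg depth {depth} exceeds limit {max_reorg_depth}"
    return candidate, f"switched to candidate: reorg depth {depth}"


# Constructed scenario: honest nodes hold a 100-block chain (heights 0..99).
# LATE_RELEASE: the attacker forked privately at height 90 and, with majority
#   hash rate, mined 15 blocks while the honest network mined 10, then released
#   the fork (a 10-deep reorg, the "mine in private and release later" attack).
# EARLY_RELEASE: the same attacker releases after only 3 honest blocks.
HONEST = extend([], 100, "honest")
LATE_RELEASE = extend(HONEST[:90], 15, "attacker")
EARLY_RELEASE = extend(HONEST[:97], 5, "attacker")
MAX_REORG_DEPTH = 5

if __name__ == "__main__":
    for name, fork in (("late release", LATE_RELEASE), ("early release", EARLY_RELEASE)):
        for limit in (None, MAX_REORG_DEPTH):
            chosen, reason = select_chain(HONEST, fork, limit)
            print(f"{name:13s} limit={limit!s:4s} -> {reason}")
```

Without a limit the late release wins outright, since it is longer. With a limit of 5 the same fork is refused and the attacker's only remaining window is a release within 5 honest blocks of the fork point, which is the "short timeframe" the post describes. The limit is not free, though: a node that was offline for longer than the limit, or that received the attacker's fork first, now stays on whichever chain it saw first and cannot be reconciled by the protocol alone, which is why such rules are usually paired with checkpoints or some other out-of-band source of truth.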
I'll get back to you on whether or not there's a reorg depth limit.
That would be cool, thanks!