Topic: [FORBES] How Private Are Bitcoin Transactions? (Read 3720 times)

http://xuie7qspblyer5ms.onion/

That's not entirely true, right? If you have a large sum of money you could overwhelm the launderer and end up receiving some of your own coins back. Even ONE would be enough to trip you up.

You could get a new "identity" by dumping all your coins in a laundering service and killing all your old addresses. if you needed you could use tor for all BC related stuffs.

I'm not sure I understand the article completely.

Dont people tend to use multiple addys? I know it seems to be a noob mistake to think that your old addys are no good as it changes right after you receive some coin.

and how can you link someones receive addresses with their send ones?

or is he just saying, if you collect your poker winnings with one address dont use that same address in your forum sigs?

if people only used one address for their questionable activity and then one for everything else, what else would the authories know besides money is traveling between a known illegal addy like silk road and and an address that a user only uses for that purpose? 

I guess their are links between addies and IPs?

how can you be sure that your browser was not involved in a man in the middle attack and that its certs were not tampered with. the only way you can know 100% sure the person you talk with on the internet is if you exchange keys in person.

Yes, as long as you can be sure that the certificate actually belongs to the site that you think it does. But if the certificate is self-signed then you have to figure this out for yourself. Most people do not have the technical expertise (or the patience!) to do this.

With unsigned certificates my question isn't concerning trust unless security is totally depend on 3rd party trusted authorities. So the question is: is unsigned certificate provides same level of security as a signed one?  Whether browser trusts it or not doesn't matter as long as unsigned cert provides same safe encrypted channel for transmitting data.

i like, i want some.

But.... but.... http://www.youtube.com/watch?v=3nbEeU2dRBg !!!

HTTPS includes authentication, because without it man-in-the-middle attacks are trivial.

Encryption isn't magic security pixie dust. Without authentication, the attacker can simply set up two encrypted sessions: one to the user, and one to the server being impersonated.

the whole https thing seems silly to me. who thought it was a good idea to combine https with verifying who you are talking to is who you are talking to. it makes doing this more difficult for less technically inclined people to think that who they are talking to is automatically bad. I believe these 2 things should be completely separate so we don't have to buy certs from some moron who thinks they have more trust than someone else.

I don't fully understand what is being said here.  How did I end up with a selection of addresses whose balances add up to only slightly more than the sum I wish to pay?  Do I need to spend time sending and receiving to myself to have these?  Also, I thought the client chooses randomly across addresses which ones take the hit for an outgoing payment (true?).  If yes, how do I control which addresses take the hit?

The problem is that your browser trusts a lot of signing authorities. Many will let you a buy a certificate that in turn lets you sign your own certificates. That means if your attacker has money, they can easily impersonate any website they want by signing a certificate in their name. Source: Certificate Patrol Website

Edit: You also need to be a company with over 5 million in assets, 5 Million in insurance and has clear audited policies on how you use the certificates. For the GeoTrust root anyway.

I only started caring about ubiquitous encryption over the past 3 months or so. I am dismayed how prudent sending everything is clear-text really appears to be: HTTPS can easily give a false sense of security. I have not had time to tease out a list of best practices. My own website does not support HTTPS at the moment.

Edit: I have an interest in the gopher protocol. I may investigate using IPSec for encryption or authentication. I currently care more about authentication. Authentication can never be automated and easy: That is the situation we have with Certificate authorities. Users need to exchange information out-of-band: over the phone, in person, or by letter mail.

I always thought that self-signed certs were as secure just could not be verified by trusted CAs which would trigger unsigned cert message in browsers other than that they should be functioning same as signed ones or am I misunderstanding?

I've heard that there was some sort of venerability with OpenSSL certs, but other than that are signed certs by well known organizations safe? I mean could a middle man such as an ISP intercept handshake and public keys and eavesdrop inside secure channel passing packets or is it impossible?

The Forbes blogger posted a follow-up to the original:

http://blogs.forbes.com/timothylee/2011/07/14/advanced-bitcoin-anonymity/

See the latest update on Open Transactions developments:

http://forum.bitcoin.org/index.php?topic=28565.msg363945#msg363945

There is a BitLaunder Tor hidden service (http://xuie7qspblyer5ms.onion/). It's listed on the wiki.

The problem with something as simple as bitcoinlaundry is that simple network analysis undoes your anonymity. If Alice wants to send Bob 3.14 BTC without it being traceable, bitcoinlaundry says "hand it to Charlie and have Charlie hand it to Bob" which, in the context of bitcoin, is a good start because at least it keeps your address off the books and all someone could conceivably discover is that you sent coins to Charlie, right?

Problem #1: if Dave has the ability to watch what Charlie sends and receives, he can pretty easily see that Alice sent in 3.14 BTC and soon after Charlie sent that exact amount to Bob - unless your transaction is an amount that a huge volume of others will be sending (1 BTC even perhaps) it is easily identified. Charlie could also be scrutinized by watching the timing of several known transactions and then observing the money in/out timing of unknown transactions.

Problem #2: Since Charlie operates on the open internet under his real name his equipment (and wallet) could be seized by the authorities quite easily. It's very difficult to do this sort of thing properly without keeping at least temporary records of where money came from and where it is destined.

Problem #3: Even if you solve problem 1 and 2, chances are that Charlie isn't performing enough transactions each day to properly disguise who sent what to whom. Even if he is, such data is not made available and neither Alice nor Bob have any way of knowing whether their transaction will be securely hidden among the transactions of others. Charlie could easily generate many fake transactions to hide the valid ones, but I don't know how similar testnet (or namecoin or any blockchain branch really) traffic looks to valid BTC traffic when sniffed offhand, I may be barking up the wrong tree on this one.

Much like running an exchange the security and thought process that must go into a coin washer are NOT trivial. Unlike an exchange, the first time one of these gets hacked it'll probably be by the government and people will probably go to jail as a result, so if anyone takes this and runs with it - DO IT RIGHT.

Yes, bitcoinlaundry.com sounds interesting. When you wish to conduct a transaction that you'd prefer to be more private simply pay the bill through this account. From what I've read elsewhere the more people that use this service the less likely you are to receive the same coins back. Maybe we should start sending more payments through here - even if it's just to help others mix up their coins. Would that work or would it be too easy to match the amounts paid in and the amounts paid out?

never used it but think this is something like that http://bitcoinlaundry.com/

can listen to more about it here http://agoristradio.com/?p=407