
Topic: Mike Hearn, Foundation's Law & Policy Chair, is pushing blacklists right now - page 14. (Read 84394 times)

legendary
Activity: 3430
Merit: 3080

Mike Hearn is participating in the same sort of thing that the Bush Administration did in 2001. He is proposing that Bitcoin businesses voluntarily help the US Government seize worldwide control of Bitcoin for the mere perception that something is being done about CryptoLocker. Meanwhile, there are obvious ulterior motives in play. To achieve a critical mass that would harm all users of Bitcoin, he only needs to get BitPay and Coinbase on board.


Take a deep breath, remove the tinfoil hat.

Please read my previous post. Mike started a discussion about what is effectively a reputation service for coins. He didn't even propose that the Bitcoin Foundation adopt promoting the idea of one as policy, or that he himself is convinced a redlist is a good idea.

They're going to spring up regardless of Mike's proposal, though. Some bitcoin services will use them, some won't. They'll be full of holes and cannot, by the nature of bitcoin, be 100% effective.

A reputation system is a way for individuals and entities (companies, whatever) to communicate information to each other. I thought we're about free speech here, and freedom of individuals and entities to transact (money, information, etc) with each other?



It politicises the use of coins. My political opinion is that your coins should be redlisted, I don't like people like you, just because. There's your free speech.
legendary
Activity: 1162
Merit: 1007
So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware won't be developed to target Bitcoin users? This isn't paranoia, it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us?

This seems disingenuous.  Gold and cash are worth lots too.  If you advertise the fact that you have a big hoard under your bed, and then leave your doors unlocked, then, yeah, you'll be a target.  

Just like gold or $, if you don't want to secure your money, pay a service that will.  

The beauty of bitcoin is that everyone is free to make the choice that is right for them.

The fact is that it already is advertised who has a big stash. Anyone could be analyzing the blockchain as we speak and connecting those wallet accounts to email addresses. An unregulated exchange could collect email addresses and wallet addresses to put into their database. That exchange could then be hacked or perhaps the government sponsored hackers put the malware on that exchange. Perhaps the exchange itself is merely a front, a honeypot to attract high net worth Bitcoin holders to capture intelligence (which can then allow the database owner to sell the database for Bitcoins to hackers).

Once intelligence has been captured then you know how many coins are in certain addresses and you have their email addresses. So what stops you from sending them attachments with malware? What stops you from targeting them for scams or phishing for more information for even better targeted advanced persistent threats, malware or ransomware?

When you're talking about someone with a million dollars in their wallet and their email address is public information because it's associated with an exchange, why wouldn't hackers target that email address? Why wouldn't hackers be looking for personally identifiable information? The same way KYC can be used by regulated exchanges, nothing stops unregulated exchanges from collecting information about users and then hacking them.


Thank you for the civilized response, Luckybit.  

I would argue that your last points are only likely if you're "not locking your doors," if I may extend my previous analogy.  Since bitcoin is so new, we don't fully know what it takes to "securely lock your doors," but we are slowly learning.  

It is my opinion that trying to "regulate-away" this learning curve would just create a more catastrophic problem down the road. 

I view this learning curve as an opportunity to create more secure ways to store and transact with bitcoin!
hero member
Activity: 714
Merit: 510

Mike Hearn is participating in the same sort of thing that the Bush Administration did in 2001. He is proposing that Bitcoin businesses voluntarily help the US Government seize worldwide control of Bitcoin for the mere perception that something is being done about CryptoLocker. Meanwhile, there are obvious ulterior motives in play. To achieve a critical mass that would harm all users of Bitcoin, he only needs to get BitPay and Coinbase on board.


Take a deep breath, remove the tinfoil hat.

Please read my previous post. Mike started a discussion about what is effectively a reputation service for coins. He didn't even propose that the Bitcoin Foundation adopt promoting the idea of one as policy, or that he himself is convinced a redlist is a good idea.

They're going to spring up regardless of Mike's proposal, though. Some bitcoin services will use them, some won't. They'll be full of holes and cannot, by the nature of bitcoin, be 100% effective.

A reputation system is a way for individuals and entities (companies, whatever) to communicate information to each other. I thought we're about free speech here, and freedom of individuals and entities to transact (money, information, etc) with each other?



The point I'm trying to make is that you're right they will exist either way and will be used by everyone. Hackers could create target lists of people who have a high net worth in Bitcoin. So even if we didn't have corporations doing the redlist and blacklist nothing would stop underground hacker groups from doing it and the result would be just as bad.

Honestly I don't want these lists to destroy Bitcoin but I also do not want hackers to destroy Bitcoin. If you say no corporation can create a known list then you still have to deal with the possibility of unknown secret lists floating around among hacker networks. I don't think these coin taint lists will do anything to protect us from ransomware and I think the best ideas so far are Keyhotee and the Bitcoin identity protocol. This could allow the user to selectively identify themselves to clear themselves if there is an investigation. It is also necessary to allow users to access services without them having to give their email address or identity. You cannot trust every service. Finally it is important to allow users to have a trusted list of businesses, that part of the idea I do support. I need to know I'm contacting a trusted business and that they really are who they claim to be. No more shit like Inputs.io or Labcoin.

It's not a fake problem at all. If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher. Malware will be written by the best of the best and you won't be able to detect it with any sort of virus scanner software or countermeasure. Nothing can be done to stop undetectable malware attacks, ransomware attacks, or anything else. The best idea we have from the community is the Trezor wallet and they are taking too long to make it.
Now you're trying to play the bait and switch game.

Fixing the catastrophe that is PC security, or at least figuring out decent workarounds, is not the topic at hand.

It's related. If your PC is insecure then you only have the illusion of privacy. Instead of big corporations spying on you through the web and tying your email address and password to your real world identity to sell to whomever now you're at the mercy of foreign hackers who will have databases of their own, potentially with lists of their own, and they exchange information too.

When thinking about privacy and security you have to think about the whole picture and not just the Bitcoin client but the operating system it runs on and the PC that operating system runs on. A security vulnerability in any of that and all privacy is removed.
legendary
Activity: 1400
Merit: 1013
It's not a fake problem at all. If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher. Malware will be written by the best of the best and you won't be able to detect it with any sort of virus scanner software or countermeasure. Nothing can be done to stop undetectable malware attacks, ransomware attacks, or anything else. The best idea we have from the community is the Trezor wallet and they are taking too long to make it.
Now you're trying to play the bait and switch game.

Fixing the catastrophe that is PC security, or at least figuring out decent workarounds, is not the topic at hand.
newbie
Activity: 26
Merit: 0

Well, Mike's a very smart guy, and an expert in security, so I may not understand his proposal with precision, but I'm pretty sure the outrage on this thread is a result of people just flying off the handle for no good reason. To be very clear, he's calling it a red list specifically because it's not the same as a blacklist. He's not proposing auto-filtering out 'tainted' coins. Here's the short summary:

"Consider an output that is involved with some kind of crime, like a theft or extortion. A "redlist" is an automatically maintained list of outputs derived from that output, along with some description of why the coins are being tracked. When you receive funds that inherit the redlisting, your wallet client would highlight this in the user interface. Some basic information about why the coins are on the redlist would be presented. You can still spend or use these coins as normal, the highlight is only informational. To clear it, you can contact the operator of the list and say, hello, here I am, I am innocent and if anyone wants to follow up and talk to me, here's how. Then the outputs are unmarked from that point onwards. For instance, this process could be automated and also built into the wallet."

This is basically a reputation service. There could be many of them, though it's a network on top of a network, so I'd have to imagine the network effect is pretty huge in terms of winner-takes-all.


You have to make a lot of assumptions to conclude that this "redlist" won't behave exactly like a blacklist. Especially when government joins in on it by punishing people for accepting coins they "should have known" were used for illegal activity. What you'll end up with is an ecosystem where nobody accepts "red"listed coins as payment, even if the network will still let you move them around. If you are innocent, sure, you can contact the operator of the list, but the operator will have no obligation to assume you're innocent. You'll be expected to prove your innocence to the operator's satisfaction.
member
Activity: 98
Merit: 10
nearly dead

snip snip

So when people say I'm being paranoid it might be because I know a lot about this subject and have reason to be.

Hate to go even more offtopic here, but the ones that know something would never bother adding the words "I know a lot about this" for reasons such as not needing to tell they know a lot about the subject, and by knowing that they have a lot to learn.
member
Activity: 62
Merit: 10

Mike Hearn is participating in the same sort of thing that the Bush Administration did in 2001. He is proposing that Bitcoin businesses voluntarily help the US Government seize worldwide control of Bitcoin for the mere perception that something is being done about CryptoLocker. Meanwhile, there are obvious ulterior motives in play. To achieve a critical mass that would harm all users of Bitcoin, he only needs to get BitPay and Coinbase on board.


Take a deep breath, remove the tinfoil hat.

Please read my previous post. Mike started a discussion about what is effectively a reputation service for coins. He didn't even propose that the Bitcoin Foundation adopt promoting the idea of one as policy, or that he himself is convinced a redlist is a good idea.

They're going to spring up regardless of Mike's proposal, though. Some bitcoin services will use them, some won't. They'll be full of holes and cannot, by the nature of bitcoin, be 100% effective.

A reputation system is a way for individuals and entities (companies, whatever) to communicate information to each other. I thought we're about free speech here, and freedom of individuals and entities to transact (money, information, etc) with each other?

hero member
Activity: 714
Merit: 510
So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware won't be developed to target Bitcoin users? This isn't paranoia, it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us?

This seems disingenuous.  Gold and cash are worth lots too.  If you advertise the fact that you have a big hoard under your bed, and then leave your doors unlocked, then, yeah, you'll be a target.  

Just like gold or $, if you don't want to secure your money, pay a service that will.  

The beauty of bitcoin is that everyone is free to make the choice that is right for them.

The fact is that it already is advertised who has a big stash. Anyone could be analyzing the blockchain as we speak and connecting those wallet accounts to email addresses. An unregulated exchange could collect email addresses and wallet addresses to put into their database. That exchange could then be hacked or perhaps the government sponsored hackers put the malware on that exchange. Perhaps the exchange itself is merely a front, a honeypot to attract high net worth Bitcoin holders to capture intelligence (which can then allow the database owner to sell the database for Bitcoins to hackers).

Once intelligence has been captured then you know how many coins are in certain addresses and you have their email addresses. So what stops you from sending them attachments with malware? What stops you from targeting them for scams or phishing for more information for even better targeted advanced persistent threats, malware or ransomware?

When you're talking about someone with a million dollars in their wallet and their email address is public information because it's associated with an exchange, why wouldn't hackers target that email address? Why wouldn't hackers be looking for personally identifiable information? The same way KYC can be used by regulated exchanges, nothing stops unregulated exchanges from collecting information about users and then hacking them.

hero member
Activity: 714
Merit: 510
I don't think -anybody- at the Foundation is happy about even having to have this discussion. But the discussion has to happen, because Cryptolocker is a real issue that's going to become a lot bigger soon. There are very few vectors of attack against Cryptolocker (and inevitable copycats), whereas stuff like Silk Road is almost guaranteed to fail long-term due to the huge number of vectors for law enforcement to use against it. Unfortunately, one of those very few vectors usable against Cryptolocker is bitcoin.
Cryptolocker is not Bitcoin's issue any more than it's Ford's issue if a bank robber drives off in one of its models.

If somebody should be thrown under the bus here it should be Microsoft for being unable or unwilling to build secure operating systems.

Anyone who says they are worried about Cryptolocker's effect on Bitcoin adoption is lying. By every objective measure: transaction rate, blockchain.info wallets, frequency of conferences, exchange rate, etc, growth is exponential and shows not the slightest sign of being negatively affected by Cryptolocker.

This idea of a Cryptolocker backlash is a fake problem used to scare the community into accepting a compromise that's against their best interests. These plans have been in the works for years, as evidenced on this very forum, and the proponents have just been waiting for a suitable excuse to put their plans into effect.

It's not a fake problem at all. If in 6 months magically Bitcoins are $100,000 each then the incentive to target users is now much much higher. Malware will be written by the best of the best and you won't be able to detect it with any sort of virus scanner software or countermeasure. Nothing can be done to stop undetectable malware attacks, ransomware attacks, or anything else. The best idea we have from the community is the Trezor wallet and they are taking too long to make it.

It will be interesting to see how secure the Trezor actually is and whether or not it can pass the security checks but if it does then that is part of it. The point is that not enough time and effort is being put into protecting the users of Bitcoin from being targets of hackers precisely because a lot of the old time Bitcoin users are security experts who can tell newbies to compile their Bitcoin wallet, to put their Bitcoins in cold storage, to use a 25 character password or a brain wallet. Let's be honest here and admit that security is not easy even for the experts. The more you know about security the more paranoid you tend to be.

So when people say I'm being paranoid it might be because I know a lot about this subject and have reason to be.
member
Activity: 62
Merit: 10

Ransomwares are as old as internet. They've always been around, and they have no more power than they had before bitcoin.

It's not as old as the internet, but you're right that it is pretty old - the first was in 1989. They have far more power now though, because of bitcoin.

Typically, the best way to shut down ransomware criminals is to use the payment method as an attack vector. Shut down the payment vector, shut down the motivation for the person or organization trying to extort people that way. Cryptolocker currently accepts bitcoin and Greendot Moneypak. The latter vector is going to get shut down, because it's via a centralized system owned by a company that has executives who don't want to go to jail for money laundering.

You can't just shut down the bitcoin vector in the same way though, as we all know. And that makes bitcoin the not-so-secret weapon that ransomware is going to exploit to hell and back. Just think for a minute how many people's computers are zombie'd/slaved or otherwise infected with viruses. Now add a very lucrative, direct way to collect money from individual victims, in an essentially anonymous way (if they're careful). I don't know about you, but I think that sound in the distance is half the black hat hackers in the world's drool collectively hitting the floor.

Quote
And even if you are right, Ipsum, can you PLEASE explain to me how redlisting coins would help fighting CryptoLocker copycats ?

Well, Mike's a very smart guy, and an expert in security, so I may not understand his proposal with precision, but I'm pretty sure the outrage on this thread is a result of people just flying off the handle for no good reason. To be very clear, he's calling it a red list specifically because it's not the same as a blacklist. He's not proposing auto-filtering out 'tainted' coins. Here's the short summary:

"Consider an output that is involved with some kind of crime, like a theft or extortion. A "redlist" is an automatically maintained list of outputs derived from that output, along with some description of why the coins are being tracked. When you receive funds that inherit the redlisting, your wallet client would highlight this in the user interface. Some basic information about why the coins are on the redlist would be presented. You can still spend or use these coins as normal, the highlight is only informational. To clear it, you can contact the operator of the list and say, hello, here I am, I am innocent and if anyone wants to follow up and talk to me, here's how. Then the outputs are unmarked from that point onwards. For instance, this process could be automated and also built into the wallet."

This is basically a reputation service. There could be many of them, though it's a network on top of a network, so I'd have to imagine the network effect is pretty huge in terms of winner-takes-all.

He had written more about it here earlier: https://bitcointalk.org/index.php?topic=157130.60

And to be clear, he's not even proposing it. He's just pointing out that there is a potentially huge problem with cryptolocker and other methods of clear crime (I don't know anyone who thinks extortion is ok, vs Silk Road, where there's legitimate debate) where what bitcoin does is completely shut down the attack vector law enforcement can most easily use to shut down the incentive to commit the crime.

Neither I nor Mike nor anyone else know what the solution (if there is one) to the problem is, but it certainly deserves discussion, and redlisting is one idea. That's all his post was. A discussion. Blacklisting (distinct from and way worse than redlisting) would be completely off the table for everyone I know in the Foundation, for what it's worth.
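
The redlist behaviour described in the quoted summary above (inheritance by derived outputs, an informational wallet highlight, clearing through the list operator), modelled as an added example that is not part of any post in this thread and not code from any wallet or list operator. The transaction graph, all names, and the rule that every output of a spending transaction inherits the listing are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Outpoint = Tuple[str, int]  # (txid, output index)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]  # outputs this transaction spends
    n_outputs: int


@dataclass
class Redlist:
    """Hypothetical list operator: seed outputs plus cleared outputs."""
    seeds: Dict[Outpoint, str] = field(default_factory=dict)    # outpoint -> reason
    cleared: Dict[Outpoint, str] = field(default_factory=dict)  # outpoint -> contact

    def flag(self, outpoint: Outpoint, reason: str) -> None:
        self.seeds[outpoint] = reason

    def clear(self, outpoint: Outpoint, contact: str) -> None:
        # The holder identifies themselves; the operator records how to reach them.
        self.cleared[outpoint] = contact

    def recompute(self, chain: List[Tx]) -> Dict[Outpoint, FrozenSet[str]]:
        """Walk transactions in chain order and derive the current listing.

        Assumed rule: if any spent input is listed, every output of the
        spending transaction inherits the reasons. A cleared output is
        unmarked, so nothing derived from it inherits through that output.
        """
        marks: Dict[Outpoint, FrozenSet[str]] = {}
        for tx in chain:
            inherited = set()
            for spent in tx.inputs:
                inherited |= marks.get(spent, frozenset())
            for i in range(tx.n_outputs):
                op = (tx.txid, i)
                if op in self.cleared:
                    continue
                reasons = set(inherited)
                if op in self.seeds:
                    reasons.add(self.seeds[op])
                if reasons:
                    marks[op] = frozenset(reasons)
        return marks


def wallet_notice(marks: Dict[Outpoint, FrozenSet[str]],
                  received: List[Outpoint]) -> List[str]:
    """Informational highlight only: nothing here blocks spending."""
    return [
        f"{op[0]}:{op[1]} is redlisted: " + "; ".join(sorted(marks[op]))
        for op in received if op in marks
    ]


# Constructed transaction graph (not real chain data).
CHAIN = [
    Tx("ransom", (("victim_funding", 0),), 1),      # payment to the extortionist
    Tx("hop1", (("ransom", 0),), 2),                # extortionist splits the coins
    Tx("shop", (("hop1", 0), ("salary", 0)), 2),    # listed input merged with a clean one
    Tx("resale", (("shop", 0),), 1),                # merchant spends what it received
    Tx("unrelated", (("salary", 1),), 1),           # never touches listed coins
]

if __name__ == "__main__":
    rl = Redlist()
    rl.flag(("ransom", 0), "extortion payment (constructed case)")
    before = rl.recompute(CHAIN)
    print("listed before clearing:", sorted(before))

    # The merchant holding shop:0 contacts the operator.
    rl.clear(("shop", 0), "merchant@example.invalid")
    after = rl.recompute(CHAIN)
    print("listed after clearing: ", sorted(after))
    print(wallet_notice(after, [("shop", 1), ("unrelated", 0)]))
```

In the constructed graph the `shop` transaction merges one listed input with one clean input, and both of its outputs end up listed; clearing `shop:0` unmarks it and `resale:0`, while the change output `shop:1` stays listed until its holder also clears it.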

sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
No it's not easy to defend yourself against extortion or identity theft. It's almost impossible to be sure your computer is malware/spyware free and if a government wants to spy they can see everything.

Can we stay on-topic, please? We're talking about redlisting bitcoins as a solution to kill CryptoLocker copycats, here, not your current doubts about internet security.
legendary
Activity: 1162
Merit: 1007
So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware won't be developed to target Bitcoin users? This isn't paranoia, it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us?

This seems disingenuous.  Gold and cash are worth lots too.  If you advertise the fact that you have a big hoard under your bed, and then leave your doors unlocked, then, yeah, you'll be a target.  

Just like gold or $, if you don't want to secure your money, pay a service that will.  

The beauty of bitcoin is that everyone is free to make the choice that is right for them.
newbie
Activity: 26
Merit: 0

So it's a very serious problem which I think people on this forum are underestimating. Cryptolocker could destroy Bitcoin just like the blacklist can.

Mike's core concern, based on the thread on the Foundation forums, is that Cryptolocker is a serious problem, and because it's such a demonically simple way to extort cash from people, it's going to become a huge problem. There will be many, many copycats soon, and you get enough non-techies getting ripped off and having their first experience with bitcoin this way, and suddenly govs around the world become very hostile to bitcoin (vs barely caring about it, and figuring out how they feel about it as is the case now). And then (or perhaps before), you can kiss any hope of business acceptance of bitcoin (something we all dream of, I'd imagine, so that we can transact in bitcoin without having to resort to exchanges) goodbye.


The moral panic has long been a powerful weapon in the arsenal of authority. Let's look at a similar "serious problem" from recent history: 9/11. It was so "demonically simple" to hijack airliners and fly them into buildings, that Something Had To Be Done. Similar to Mike Hearn's proposal, the US Government took the opportunity to "temporarily" severely curtail our freedom and massively expand police authority. They also used 9/11 as an excuse to get into some wars that they wanted to fight anyway, even though these wars obviously had nothing to do with 9/11. "Temporarily" has since proven to be "permanently." Bush is long gone, yet the government still hasn't rolled back its expanded powers.

Mike Hearn is participating in the same sort of thing that the Bush Administration did in 2001. He is proposing that Bitcoin businesses voluntarily help the US Government seize worldwide control of Bitcoin for the mere perception that something is being done about CryptoLocker. Meanwhile, there are obvious ulterior motives in play. To achieve a critical mass that would harm all users of Bitcoin, he only needs to get BitPay and Coinbase on board.
legendary
Activity: 1162
Merit: 1007
If somebody should be thrown under the bus here it should be Microsoft for being unable or unwilling to build secure operating systems.

+1

The problem is 50% Microsoft and 50% people not being as careful as they should.
hero member
Activity: 714
Merit: 510
So you're telling me that if each Bitcoin is worth $1 million dollars ransomware or other sophisticated malware and spyware won't be developed to target Bitcoin users? This isn't paranoia, it's common sense. Governments may or may not have hit any of us already with advanced persistent threats. Do you think they'll tell us?

You're a persistent one.
I'm just telling you that ransomware will not magically become more efficient than it is now just because people acknowledge bitcoin being worth more than murrikan dollar.

Ransomware today is a pain. Ransomware tomorrow will be a pain. Ransomware won't be more dangerous tomorrow than it is today.
Your coins are safe as long as you have a backup+strong passphrase or cold wallets.
Just smile and go to sleep.
I think Keyhotee is part of the solution to some of these problems. Look at this:
https://www.youtube.com/watch?feature=player_detailpage&v=3pZaTdEtK-8
The other idea I heard which was very good was the Bitcoin identity protocol. Both of those ideas need to be implemented immediately.

And I don't assume my coins are safe enough. I don't trust hardware or software but at this point we have to because this is all we have. Bitcoins are not currently worth enough money for sophisticated and targeted attacks and I don't have a lot of Bitcoins anyway to be worth attacking. But some people have 1000 coins or 10,000 coins and they'll be in danger today. In the future people having just a few coins will have to worry about being cyber robbed.

No it's not easy to defend yourself against extortion or identity theft. It's almost impossible to be sure your computer is malware/spyware free and if a government wants to spy they can see everything. We can only do the best we can with our software implementations and use stuff like raspberry pi for hardware. Paranoia is actually necessary to defend valuable information which is why we typically pay experts to do it.

legendary
Activity: 1400
Merit: 1013
I don't think -anybody- at the Foundation is happy about even having to have this discussion. But the discussion has to happen, because Cryptolocker is a real issue that's going to become a lot bigger soon. There are very few vectors of attack against Cryptolocker (and inevitable copycats), whereas stuff like Silk Road is almost guaranteed to fail long-term due to the huge number of vectors for law enforcement to use against it. Unfortunately, one of those very few vectors usable against Cryptolocker is bitcoin.
Cryptolocker is not Bitcoin's issue any more than it's Ford's issue if a bank robber drives off in one of its models.

If somebody should be thrown under the bus here it should be Microsoft for being unable or unwilling to build secure operating systems.

Anyone who says they are worried about Cryptolocker's effect on Bitcoin adoption is lying. By every objective measure: transaction rate, blockchain.info wallets, frequency of conferences, exchange rate, etc, growth is exponential and shows not the slightest sign of being negatively affected by Cryptolocker.

This idea of a Cryptolocker backlash is a fake problem used to scare the community into accepting a compromise that's against their best interests. These plans have been in the works for years, as evidenced on this very forum, and the proponents have just been waiting for a suitable excuse to put their plans into effect.
legendary
Activity: 1162
Merit: 1007
The fact that cryptolocker was not the first instance of ransomware does not make my statement false.

It does not, indeed.
If you agree to explain to me how redlisting coins would help, and how bitcoin makes you more vulnerable to ransomware...
I'll tell you a nice story called Reveton.

What I said had nothing to do with red-listing coins!  I was just pointing out two things:

1. That after meeting a CryptoLocker victim in person, I could tell that they did not relate bitcoin to CryptoLocker.  She thought the virus was "evil Russian hackers" and that bitcoins were these things she could buy from the Robocoin ATM in downtown Vancouver.  

2.  That CryptoLocker, in a twisted sense, may actually be teaching mankind an important lesson in computer security. 

I think any change to bitcoin based on "CryptoLocker" would be unwise ridiculous.  
I think any change to bitcoin based on "CryptoLocker" would be unwise ridiculous.
I think any change to bitcoin based on "CryptoLocker" would be unwise ridiculous Bitcoin is great as is.
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
The fact that cryptolocker was not the first instance of ransomware does not make my statement false.

It does not, indeed.
If you agree to explain to me how redlisting coins would help, and how bitcoin makes you more vulnerable to ransomware...
I'll tell you a nice story called Reveton.
legendary
Activity: 1162
Merit: 1007
CryptoLocker is forcing people to rethink their computer security.

no, No, NO, NO.
Ransomware has existed since before most bitcoiners were born.
This is old news.

So if you or someone you know was a victim of cryptolocker, you wouldn't rethink your computer security?  I know the old lady and I both re-thought our computer security (https://bitcointalksearch.org/topic/so-i-went-down-to-the-bitcoin-atm-today-330720)

The fact that cryptolocker was not the first instance of ransomware does not make my statement false.

Haha: CryptoLocker: not the first, just the best.
sr. member
Activity: 322
Merit: 250
This is just the beginning.
Satoshi would be ashamed.

It's so sad too, because Satoshi reached out to Mike to get him more involved (as I understand it). Now he appears to be looking to effectively kill the whole thing.

Q: I'm not technically savvy, but wouldn't the solution be CryptoLocker counter-measures on client computers?
A: (Mike's own words) "That's certainly a solution yes, but unfortunately it's sort of like saying the solution to burglary is having locks on doors and windows, so we don't need the police."

And this guy is important for bitcoin? SMDH.

(edit: source: https://jumpshare.com/v/FCGnW40vMhG8ETE8i57h?b=rJU3YwFcBYWUD5X0bbqR)