
Topic: Thoughts on the compromise of Casascius coin holograms (Read 6193 times)

sr. member
Activity: 434
Merit: 250
Loose lips sink sigs!
This would work, it's just like signing over a check to a third party by endorsing it on the back and then handing it over to the third party.

Nubbins, how did you extend the chain of custody on your coin?

Easy peasy. I take Mike's signed document, append text after his signature that identifies the new buyer, and sign the whole thing with my key.

For sake of illustration, Mike's original document is in blue, and mine is in red.

---Begin PGP doc---
- ---Begin PGP doc---

I, Mike Caldwell, sent coins a,b,c to nubbins,
and his PGP fingerprint is ABCD EFGH.

See attached document scanned-coins.pdf
with MD5 checksum blahblah

- ---Begin PGP sig---
234C%#@4fv524 <---PGP signature for Mike's key
- ---End PGP sig---


I, nubbins, sent coin b to zipmaster,
and his PGP fingerprint is IJKL MNOP.

---Begin PGP sig---
@%$Y#H/Rgef4e <---PGP signature for my key (ABCD EFGH)
---End PGP sig---


Then I just take this block of text and scanned-coins.pdf and send them along to the new owner.
legendary
Activity: 1554
Merit: 1009
Nubbins, how did you extend the chain of custody on your coin?

Easy peasy. I take Mike's signed document, append text after his signature that identifies the new buyer, and sign the whole thing with my key.

For sake of illustration, Mike's original document is in blue, and mine is in red.

---Begin PGP doc---
- ---Begin PGP doc---

I, Mike Caldwell, sent coins a,b,c to nubbins,
and his PGP fingerprint is ABCD EFGH.

See attached document scanned-coins.pdf
with MD5 checksum blahblah

- ---Begin PGP sig---
234C%#@4fv524 <---PGP signature for Mike's key
- ---End PGP sig---


I, nubbins, sent coin b to zipmaster,
and his PGP fingerprint is IJKL MNOP.

---Begin PGP sig---
@%$Y#H/Rgef4e <---PGP signature for my key (ABCD EFGH)
---End PGP sig---


Then I just take this block of text and scanned-coins.pdf and send them along to the new owner.
member
Activity: 85
Merit: 10
Nubbins, how did you extend the chain of custody on your coin?
legendary
Activity: 1554
Merit: 1009
Mike, I disagree. You wouldn't be performing the role of a bank. Guaranteeing the chain of ownership of the coins is a logical extension of your "trust in Mike Caldwell" product. Furthermore, following with the educational philosophy, you'd be incentivizing people to accept and understand the fundamental concept of a digital signature: a "technology" foundational to the premise of bitcoin itself.

Of all the coins I've sold (and there have been many), only ONE buyer has taken me up on the offer to extend the chain of custody.

Bank or not, what you're asking him to do is pour tens of thousands of dollars and countless hours of effort into something that most people don't even want.

Buyers who want a chain of custody can find a seller that provides it -- I can think of several off the top of my head. Buyers who don't want a chain of custody can carry on as usual. It's not Mike's responsibility to track down every coin he's sold through a labyrinth of ownership in order to provide a service that most people don't care about.
member
Activity: 85
Merit: 10
Mike, I disagree. You wouldn't be performing the role of a bank. Guaranteeing the chain of ownership of the coins is a logical extension of your "trust in Mike Caldwell" product. Furthermore, following with the educational philosophy, you'd be incentivizing people to accept and understand the fundamental concept of a digital signature: a "technology" foundational to the premise of bitcoin itself.

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Mike, I feel like the best thing to do would be to implement on your website a proof of ownership system of the coins.

Keep in mind that the purpose of a Casascius Coin is an educational tool and functional proof of concept, aside from the collectible the market has decided it also is... and not intended to be money or a currency.  Although "trust in Mike Caldwell" is an important element of my product, the trust extends to my assertion that the coin contains the only copy of the correct private key as promised (and that I've taken adequate steps to ensure the keys are unreproducible, sufficiently random, and not duplicated).  I'm not a bank, and I feel implementing a system like that is far out of scope of my project.
member
Activity: 85
Merit: 10
Mike, I feel like the best thing to do would be to implement on your website a proof of ownership system of the coins.

All coins should also list a Mike Caldwell signed PGP key of their original buyer. When an original coin owner then sells his coins to someone else, they can sign the PGP key of the new buyer and have the site be updated with the new owner's PGP key.

This won't help against tampering of Casascius coins per se but would certainly render counterfeiting impossible since, for a given coin address, it is impossible to know what the private key of the real owner is. Ultimately, only Mike could counterfeit the coins.

This doesn't eliminate trust. What it does is keep trust over Casascius coins what it has always been: trust in Mike Caldwell.

It would certainly be a hassle to implement this mechanism for past coins since all original owners would have to be contacted and, furthermore, some coins have already traded hands so people would have to play catch-up on the PGP chain. However, the hassle would be very much worthwhile to many proud Casascius owners.

Furthermore, the whole mechanism could be automated on the website so that any coin sales can update the PGP chain. Within this framework, new buyers would conclude a sale by having their PGP key signed by the coin's previous owner and updated on the website.

This should seriously be taken under consideration for the benefit of both your business and the overall Casascius community. 
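An added example, not written by any poster in this thread, of checking the endorsement chain nubbins illustrates elsewhere in the thread and the owner-to-owner hand-off proposed in the post above: each layer's signature must cover everything beneath it, and each layer must be signed by the key the previous layer named as recipient. Assumptions: real OpenPGP cleartext armor lines replace the thread's "---Begin PGP doc---" markers, an HMAC keyring stands in for `gpg --verify` (it is not PGP), `MIKE 0001` is a constructed fingerprint, and OpenPGP's whitespace canonicalization is left out.

```python
import hashlib
import hmac
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
STATEMENT = re.compile(r"I, (.+?), sent (coins? [\w,]+) to (\w+),\s+"
                       r"and his PGP fingerprint is ([A-Z0-9 ]+?)\.")

# Constructed stand-in for PGP keys (a real verifier would call gpg instead).
KEYRING = {"MIKE 0001": b"k-mike", "ABCD EFGH": b"k-nubbins", "IJKL MNOP": b"k-zip"}

def sign(fpr, text):
    mac = hmac.new(KEYRING[fpr], text.encode(), hashlib.sha256).hexdigest()
    return f"{fpr}:{mac}"

def verify(text, sig):
    """Return the signer's fingerprint if sig covers text exactly, else None."""
    fpr = sig.partition(":")[0]
    if fpr in KEYRING and hmac.compare_digest(sign(fpr, text), sig):
        return fpr
    return None

def dash_escape(text):
    # Cleartext framework: a line starting with "-" is prefixed with "- ".
    return "\n".join("- " + l if l.startswith("-") else l for l in text.split("\n"))

def dash_unescape(text):
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.split("\n"))

def clearsign(text, fpr):
    return "\n".join([BEGIN_MSG, "Hash: SHA256", "", dash_escape(text),
                      BEGIN_SIG, "", sign(fpr, text), END_SIG])

def split_layer(doc):
    """Split the outermost layer into (signed text, signature)."""
    lines = doc.split("\n")
    if lines[0] != BEGIN_MSG or lines[-1] != END_SIG or BEGIN_SIG not in lines:
        raise ValueError("not a clearsigned document")
    # Inner armor lines are dash-escaped, so the first bare BEGIN_SIG is ours.
    sig_at = lines.index(BEGIN_SIG)
    text = dash_unescape("\n".join(lines[lines.index("") + 1:sig_at]))
    return text, "".join(lines[sig_at + 1:-1])

def walk_chain(doc, issuer_fpr):
    """Verify every layer, then check each signer was the previous recipient."""
    links = []
    while doc:
        text, sig = split_layer(doc)
        signer = verify(text, sig)
        if signer is None:
            raise ValueError("signature does not match the text it wraps")
        inner, end, appended = text.rpartition(END_SIG)
        m = STATEMENT.search(appended)
        if not m:
            raise ValueError("layer carries no transfer statement")
        links.append({"signer": signer, "items": m[2], "to": m[3], "to_fpr": m[4]})
        doc = inner + end          # empty once the issuer's layer is reached
    links.reverse()                # oldest transfer first
    expected = issuer_fpr
    for link in links:
        if link["signer"] != expected:
            raise ValueError(f"{link['signer']} signed, but {expected} held the coin")
        expected = link["to_fpr"]
    return links

def build_sample(endorser_fpr="ABCD EFGH"):
    # Constructed sample following the wording of the thread's illustration.
    mike = clearsign("I, Mike Caldwell, sent coins a,b,c to nubbins,\n"
                     "and his PGP fingerprint is ABCD EFGH.", "MIKE 0001")
    return clearsign(mike + "\n\nI, nubbins, sent coin b to zipmaster,\n"
                     "and his PGP fingerprint is IJKL MNOP.", endorser_fpr)
```
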
sr. member
Activity: 431
Merit: 261
I think the publicized hack adds uncertainty to a buyer's mind. So I would think the average price (in BTC) of resold coins will creep down a bit, more so with the coins that show the least evidence of tampering. It will be interesting to see.

I am attracted to Casascius coins as a long-term collectible, and as a very cool physical embodiment of the idea of Bitcoin. I don't plan on selling the couple I own, at least not in the near future. But if I were sitting on a lot of coins with the intention of selling them, I would not be happy about an additional perceived risk in the minds of buyers that the coins could be drained of value after they were purchased.

Another concern I have for the coins is that someone will simply create great duplicates of the holographic stickers. If people can counterfeit governmental currencies, I assume they can counterfeit one of these stickers.
full member
Activity: 238
Merit: 100
Love the Bitcoin.
Don't use physical BTC - that was never the intention..   Lips sealed
hero member
Activity: 625
Merit: 501
x
Johnnie,

with sellers potentially having the means to discover the inner code, one could:
-Extract and record that information
-Sell the coin with the bits intact
-Redeem the coin's Bitcoins, after having sold the coin

Buyers will not purchase a coin just to instantly redeem it, so they could pull that trigger minutes, or months afterwards.

The tampering is evident, so one can still buy safely. It just requires more work, and my guess is that for those coins in a 'vulnerable' state, this will lead to a decrease in demand (because it is more of a pain to obtain them), and this will result in a decrease in premiums obtained for those coins.  I further speculate that those would-be-buyers are more likely to find an equivalent buy, than to give up and buy nothing.  If I were still looking to obtain more of the rare, collectible coins, I would shop exclusively from:
-Sellers, with an established web of trust, asserting a chain of custody through only trusted sellers.
-Coins sealed (ANACS graded) prior to known tamper-evident-trick.
-Coins graded post-tamper-trick, calling out the authenticity of the coin.

The first means that each sale will make the subsequent resale harder, as the custodial chain becomes longer.
The second is a pretty tiny club (of which I believe you are a fellow member, Mr. Walker!)
The third will first require ANACS to be educated on how to identify the tampering/exploit. This is not a guarantee, but given my conversations with them around the Casascius error, I think they'll be amenable to this.

So I see this being non-impactful to the majority of the coins out there, I do anticipate this will have effects on the higher end collectible market.  Guess we'll see!
legendary
Activity: 896
Merit: 1000
Being a numismatist, it is VERY easy to recognize a fake coin. The same would apply here. Casascius was smart enough to plan ahead - his coins (like the laser-cut holograms) have distinct features.

Also, I don't know if I'm missing something, but what about just confirming via FirstBits?
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Back in May I was able to remove and re-apply holographic stickers from a paper wallet, as mentioned here:
https://bitcointalksearch.org/topic/m.2031469

Perhaps naively, I viewed my hack (similarly based on a particular solvent) as trivial, and convinced myself that Casascius coins must have been tested against this vulnerability.

Euro and dollar bills are similarly compromised by counterfeiting. The difference today is in the threat of ugly and violent consequences for the perpetrators. Not that I am implying Mike should take action, but... Wink

As pointed out above, if chain of custody can be ascertained with sufficient trust, old Casascius coins are still functional.
legendary
Activity: 1554
Merit: 1009
I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

It would be easy to do but hard for the user to verify, only because when you copy text from PDF to the clipboard, how it looks when you paste it is a crapshoot, and it must be perfect to verify properly.  But I could secondarily PGP-sign the entire (Adobe-signed) PDF file as a binary (creating a separate signature file that GPG recognizes)

Signing PDFs also allows for easy signing of the embedded photos.  I have scanned all of the silver coins and most of the recent brass coins.


Secondary PGP-signing of the PDF would be great! The pictures are a great addition, as well, as they would clearly show the old holograms.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

It would be easy to do but hard for the user to verify, only because when you copy text from PDF to the clipboard, how it looks when you paste it is a crapshoot, and it must be perfect to verify properly.  But I could secondarily PGP-sign the entire (Adobe-signed) PDF file as a binary (creating a separate signature file that GPG recognizes)

Signing PDFs also allows for easy signing of the embedded photos.  I have scanned all of the silver coins and most of the recent brass coins.
legendary
Activity: 1554
Merit: 1009
Would many graders have the know-how to verify such a message, I wonder? I can see many balking at the idea.

I can also digitally sign PDF, which Adobe Acrobat will recognize and validate without any hassle to the user.  May come in handy.  Though it's a paid hardware signing module that is not really that suitable for signing batches of documents in bulk, it remains an option for one-off requests.

I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

I'd be more than happy with one signed document per roll, listing the coins contained therein. I can envision silkscreening some nice certificates of authenticity with the PGP-signed messages, reminiscent of old 19th century bearer bonds Cheesy

Given that the final count of 0.5s with series 2 holograms is apparently only 45(!), I'm quite eager to get the "stamp of approval" on them!
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Would many graders have the know-how to verify such a message, I wonder? I can see many balking at the idea.

I can also digitally sign PDF, which Adobe Acrobat will recognize and validate without any hassle to the user.  May come in handy.  Though it's a paid hardware signing module that is not really that suitable for signing batches of documents in bulk, it remains an option for one-off requests.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
On the flip-side, there are plenty of imperfections in the laser cut edge as well which could make it easier to conceal the tampering,  so we won't know for sure until somebody tries.

This will get better when my coins fit the stickers better.  Either new stickers at a smaller diameter, or coins without the little cross hatches.

When I place the sticker, the cross hatches curl the sticker up.  The laser obliterates the contact point, but the curled portion doesn't reliably settle on to the coin.

If I decide on lasering as a permanent thing I do to all the coins, stickers that properly fit the coins won't be so delicate.
hero member
Activity: 630
Merit: 500
The laser cut edge on the holograms for the silver coins is incredibly fragile, I suspect the exploit method would leave noticeable evidence.

On the flip-side, there are plenty of imperfections in the laser cut edge as well which could make it easier to conceal the tampering,  so we won't know for sure until somebody tries.
full member
Activity: 224
Merit: 100
Everyone just needs to chill out. If a coin is TRULY untouched and mint, a buyer can just request very high res images and even the most careful tampering risks leaving 'some' mark. All this really does is make the true mint condition high value coins and 2-fac bars more valuable.

Also, everything mentioned in the hack can be thwarted by the manufacturer, for example by adding a thin layer of epoxy or liquid plastic to new coins sold, making it virtually impossible to 'crack' with any solution combination.
hero member
Activity: 625
Merit: 501
x
EDIT: This was originally a long post trying to clarify I was talking about my assumed impact to the collectible aftermarket, and not the coins in general.  But I since read that formally speaking, this was not an exploit, as the tampering was evident.  Now, I used 'exploit' all over in that post, and re-writing it to be appropriate would have mangled it.  The last thing I want to do is mislead people or create confusion, especially around a product with such great support.

(see http://casascius.wordpress.com/2013/08/04/def-con-21-preliminary-results-from-sunday/ for a great example of this.)

Thanks for your tireless support and advancement of Bitcoin, Mike.
legendary
Activity: 1554
Merit: 1009
I have much more faith in humanity than to consider my product broken.  Sure, the world is full of bad guys, but the idea of trust going out of style I think is a bit overrated.  Someone saying "all Casascius coins should be considered compromised" should also never shop in a grocery store or eat in a restaurant, as there's a similar possibility that someone poisoned all the food.


True, although there's much less motivation to poison food as there is to get free money.

With respect to the idea of me refunding 1BTC instead of funding the coins... I don't believe that's what the buyers want.  They want the intact coin with the bitcoin loaded as promised when they bought it.  If they want the bitcoin off of it with the coin intact, they can try and "compromise" it themselves... if they can.

Personally, if I was buying a coin from a reseller, I'd rather buy an unfunded silver round for 1.5 BTC than a possibly funded one for 2.5 BTC, but you may be correct in believing me to be in the minority. To make such a drastic move would require complete consensus, which I don't think would be possible to achieve.

Regarding grading... there's a subjective nature to it.  A person submitting a coin for grading who also happens to be in possession of a PGP-signed message from me confirming they were the original buyer is going to pass outside analysis better than joe blow.  Or on the other hand, the graders may throw up their hands and say we're not messing with this, making those graded ones that much more unique.

I fully agree, and I think the PGP-signed messages are a good idea. Would many graders have the know-how to verify such a message, I wonder? I can see many balking at the idea.

Just to be clear, I'm still very pleased with my purchase. This being my first silver buy, I was shocked at the size and heft of the 1oz rounds! Smiley
legendary
Activity: 1386
Merit: 1004
I am suddenly soooooooo thankful I got mine graded and hard-cased (ANACS) months before this exploit was discovered.
It seems to me that we've just further split the already-rare, collectible Casascius coins into two camps - potentially compromised and almost-certainly-uncompromised.

Short of the already-graded coins (alongside documentation of date-of-grading, preceding this exploit)...I cannot think of any outstanding coins whose legitimacy would not rely in part on the trust of the integrity of the seller.

I was holding onto these tight before this news broke. Now...the phrase cold, dead hands springs to mind :-P


Am I missing something?   Why would grading them stop the exploiting?  If you exploited them they would still look the same.   The chemicals they use do not change the grade or look of the metal.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I have much more faith in humanity than to consider my product broken.  Sure, the world is full of bad guys, but the idea of trust going out of style I think is a bit overrated.  Someone saying "all Casascius coins should be considered compromised" should also never shop in a grocery store or eat in a restaurant, as there's a similar possibility that someone poisoned all the food.

My product is primarily an educational tool, a proof of concept.  The possibility of it being physically compromised has always been assumed to be present, just look at the terms and conditions I have you agree to when you order.  Casascius Coins weren't created to be tamper-proof money - if that's what you need, the best physical bitcoin you can get for the purpose is the paper wallet you print offline by yourself.  What a Casascius Coin is, I trust that most people still understand it is what it is.  Further, there is no such thing as a truly physically secure tamper evident product, period.  The laser rim on the silver coin that was undefeated at DefCon will be defeated if the dude who did it has unlimited more chances to try and refine his attack.  Proper perspective is key.

A lot of people who have bought my coins have taken me up on my offer to PGP-sign a statement acknowledging that they are the original purchaser of their coins.  This way they can convey to a secondary buyer that they are the only people who have handled the coins.  (I say taken me up, while acknowledging I haven't delivered more than a few by hand, due to how many I'd need to produce; I'm thinking of producing these PGP-signed acknowledgments in a sort of automated batch with a script, and then manually taking care of those who believe my automated acknowledgment doesn't meet their needs).

With respect to the idea of me refunding 1BTC instead of funding the coins... I don't believe that's what the buyers want.  They want the intact coin with the bitcoin loaded as promised when they bought it.  If they want the bitcoin off of it with the coin intact, they can try and "compromise" it themselves... if they can.

Regarding grading... there's a subjective nature to it.  A person submitting a coin for grading who also happens to be in possession of a PGP-signed message from me confirming they were the original buyer is going to pass outside analysis better than joe blow.  Or on the other hand, the graders may throw up their hands and say we're not messing with this, making those graded ones that much more unique.
legendary
Activity: 1554
Merit: 1009
I am suddenly soooooooo thankful I got mine graded and hard-cased (ANACS) months before this exploit was discovered.

Emphasis mine. I think you mean "before this exploit was published".

Who's to say that you didn't discover a similar exploit, weeks or months before you got your coins graded and hard-cased?  Wink
hero member
Activity: 625
Merit: 501
x
I am suddenly soooooooo thankful I got mine graded and hard-cased (ANACS) months before this exploit was discovered.
It seems to me that we've just further split the already-rare, collectible Casascius coins into two camps - potentially compromised and almost-certainly-uncompromised.

Short of the already-graded coins (alongside documentation of date-of-grading, preceding this exploit)...I cannot think of any outstanding coins whose legitimacy would not rely in part on the trust of the integrity of the seller.

I was holding onto these tight before this news broke. Now...the phrase cold, dead hands springs to mind :-P

legendary
Activity: 1554
Merit: 1009
It definitely makes it tough to resell the coin without subtracting the face value from the price -- once you start having to trust two people (casascius as well as the reseller), there's no way of knowing which party to blame if a coin gets defunded. The trust problem also grows each time the coin changes hands.

It's too bad the coins couldn't remain unfunded and have the face value returned to the purchaser; the problem with this scenario is that you'd then have a bunch of unfunded coins floating around alongside the funded ones, which makes all of them fall under suspicion.

EDIT: I just realized that NONE of the 2013 silver rounds are funded yet -- or at least, I don't think so. If all of the silver rounds remained unfunded, the original purchasers could receive a refund for the face value of the coins. Word would spread quickly that all of the 2013 silvers are unfunded, and any future buyers would be aware of this when the coins are resold in the future.

Seems like a win-win situation...?
legendary
Activity: 1554
Merit: 1009
As reported by Mike Caldwell (http://casascius.wordpress.com/2013/08/04/defcon-21-successful-compromise-of-the-hologram-reported/), the hologram on Casascius physical bitcoins was compromised a few days ago by security researchers at DefCon 21.

While I've seen many people react to this news with dismay that their coins have lost all resale value, I'd like to offer a differing opinion, in the hopes of getting a discussion going.

Let's use the 1oz / 1 BTC silver round as an example.

Currently, this coin can be bought directly from Casascius for BTC2.5. Since the face value is BTC1, one could make the assumption that the rest of the coin (the silver round itself, plus the intact hologram) has a nominal value of BTC1.5.

Redeeming the face value of the coin by removing the hologram would destroy the BTC1.5 nominal value of the coin, as collectors don't want to purchase coins that are no longer in mint condition. It's not hard to imagine that the removal of (or visible tampering with) the hologram would cause a steep decrease in the nominal value of the coin: say, from BTC1.5 to BTC0.5 (essentially, spot price of silver plus a premium for the scarcity of the rounds).

I can think of only three reasons for removal or tampering of the hologram:

(1) curiosity (some people want to know what it looks like underneath),
(2) honest redemption (some people may wish to spend the BTC contained within), and
(3) fraud (some people may wish to redeem the BTC and then resell the coin as if it were intact).

For the purposes of the argument, we're really only interested in (3). Situations (1) and (2) would result in a visibly tampered (most likely fully removed) hologram.

Situation (3) is a more interesting situation, in that it's impossible to know when purchasing a coin from a third party whether or not they possess the private key -- that is, until you check the balance and find that it's been transferred to another address.

Now, a coin which has been successfully tampered with (i.e. no evidence of tampering is present) still retains a nominal value of BTC1.5, even without the added BTC1 face value.

Given that the holograms will likely be given an upgrade in the near future, the value of existing coins as collectibles will likely increase; but by how much?

For numismatic purposes, a successful, no-evidence tamper would not result in any decrease in value from a non-tampered, unredeemed coin; or would it?

I'm much less worried about this situation than I originally was, but I'd still love to get the opinions of other people on the subject.

Thoughts?