
Topic: Two researchers from University College Dublin investigate the 500K theft.

newbie
Activity: 15
Merit: 0
Thanks everyone for all the kind comments.


@defxor: It's great to hear that it's been useful.

@coinonymous: We try and do vector graphics whenever we can - can be a pain to get the images produced right, but leads to smaller sizes, and it's clearer, and as you point out, people can zoom way in and check out the details.




@hugolp:
Thanks for your positive comments.

What I am not happy about is the way you have chosen to promote it. And I know how the college ambient work so I know how you manage to get attention. I think the way you did it was dishonest.
I think we'll just have to agree to differ on this.
 
I can't really parse that 'college ambient work' bit.  If you are saying that, in general, there are problems with why people do research in academia, well, speaking personally, I'd agree that there sometimes are, and you do sometimes see people overselling things, supposedly because it helps them get funding (this generally happens somewhere above the level of the lowly research student though!)

I don't want to get sidetracked into this big debate about the relative merits of academia.  The credit and funding systems definitely have flaws (which differ country by country - I'm in Ireland).

But academia is huge.  There's a selection bias here - you are more likely to read about the people who oversell things.  There's a lot of good people, doing good work, and in a lot of cases, the profit motives and conflicts of interest, are probably less than in most industry positions. (And arguably less, if you want to talk about conflicts, than in a system like Bitcoin, where there are a lot of early adopters who have a lot of Bitcoins, which must surely have some influence to see Bitcoin portrayed in a positive light!)

But anyway, yeah, there are conflicts everywhere, and you've got to be careful of them, and it pays to be a little skeptical that research you are reading might be oversold.

But, it's just as wrong to think research is always oversold, just because people are trying to get it out there. In general, I'd be more likely to trust in the good faith of people doing research, than people in a lot of other positions.


So, that's speaking generally.  Speaking specifically, I know I've no nefarious motives here (though I guess that doesn't help you).
And I've spent a while answering your specific criticisms here - I think satisfactorily, but you are welcome to disagree - think that's all I can do!
legendary
Activity: 1148
Merit: 1001
You can see the comments in the press thread.

Look, you and I (and everybody) know what's going on. Your paper is cool and the work is great,
Hey, cheers - that's very positive of you - even your reaction isn't all bad!

Yes, I think your article is very interesting. I have even pointed to it in other threads because I think it's a good read and I am happy someone did it. I think it adds to Bitcoin.

What I am not happy about is the way you have chosen to promote it. And I know how the college ambient work so I know how you manage to get attention. I think the way you did it was dishonest.
newbie
Activity: 32
Merit: 0
Pretty vector art ITT.  I wish more .pdf's had interesting shit buried at the [100*(2^~5)]% zoom level like this!

+1
hero member
Activity: 530
Merit: 500
I actually think the reaction to our work has overall been really positive, and I'm really happy with that.

The difference lies in understanding how knowledge from research needs to be built from many stepping stones allowing you to infer something with certainty. If you're not used to that thinking people do expect you to close the loop in a very different way than what you set out to do (and which was the correct thing to do).

Someone else could, if they want to, build upon your work since they now know what results they can with good measure expect to get. Before your paper it was perhaps expected, but not to a degree where no one could've said with certainty that the results would turn out exactly the way they did.

For those who like their things a little more concrete:

Before this paper I knew a lot of people who didn't hesitate at all posting one of their public keys for everyone to see (donations, usually)

After, some of them consider it to be unnecessary leakage of information.

Great work.

newbie
Activity: 15
Merit: 0
You only have to see the reaction on the forums about your original blog post. The reaction was: so what? this was already known.

Yeah, but that's always easy to say.

So you dish the reaction of the community to your paper

Hey, that's kind of harsh.
I don't believe I 'dish' anyone.

I actually think the reaction to our work has overall been really positive, and I'm really happy with that.  I was surprised, and happy, that it's gotten some people talking about Bitcoin, and especially privacy in Bitcoin.

It's true that some posters here have been dismissive of the work, and dismissed it as 'that was already known'.
In one sense, I'm happy for these people - they are unlikely to have any privacy problems!

But I stand by the point that while it's easy to say 'bitcoin is traceable' - it does bring a lot of clarity, and information, to have a go at tracing it, as an experiment, and see how you get on in practice, and publish your results; which is what we did.
Even if you stood on the more paranoid 'it can all be traced' end of the fence, I think seeing an analysis still adds a lot of value.
I do say that in the rest of the post you took that sentence from, and it is in the context of 'experiments add value' that I wrote 'it's easy to say'.


because somehow you don't like to believe it is the reaction of the community to your paper, and prefer to mention as "proof" a website outside the community and a lot of the reports on Bitcoin. Let me tell you that the press on Bitcoin has been highly inaccurate and not only regarding anonymity. I have not seen something reported with more mistakes than Bitcoin. The community tried to correct them for a while, but ended up giving up.

This is purely a personal 0.02 cents, but I don't think that's a reasonable thing for people that identify as the 'bitcoin community' to do.
Like, if you are going to campaign for the adoption of bitcoin (and there are threads here where people do, and award bounties), then I think you also have to continue to campaign for accuracy in how it's portrayed.  I don't think it's good to just give up on correcting things like the wikileaks donate page - and I presume you'd agree?
Now, I'm not judging anyone. Whatever we agree or disagree with, there's clearly a lot of voluntary, open-source, work going on, and that's really cool, so who is to tell people they should do more - not me - but I respectfully disagree with that idea.



You can see the comments in the press thread.

Look, you and I (and everybody) know what's going on. Your paper is cool and the work is great,
Hey, cheers - that's very positive of you - even your reaction isn't all bad!

but you decided to give it a bit of dramatism accusing the community of things you should not have, to get more recognition and more press.

Em, are you sure about that?
You know, I had a look back at the blog, and paper, to try and find somewhere where we 'accused the community of things we should not have', and I really don't see that at all.

The blog doesn't really have anything on it like you are talking about, and it's what most people will read, and probably what any press/bloggers would have picked up on.

Looking at the paper, the sentence I can find that's most like what you are saying, is this one from the paper: "While there is an understanding amongst Bitcoin’s technical users that anonymity is not a prominent design goal of the system, we believe that this awareness is not shared throughout the community. For example, WikiLeaks, an international organization for anonymous whistleblowers, recently advised its Twitter followers that it now accepts anonymous donations via Bitcoin [etc]"

And in our conclusion, we say "Technical members of the Bitcoin community have cautioned that strong anonymity is not a prominent design goal of the Bitcoin system. However, casual users need to be aware of this, especially when sending Bitcoins to users and organizations they would prefer not to be publicly associated with."


Now, look, we make the point twice that most technical users know, and have said, that anonymity isn't a design goal.  (I guess you could quibble with the word 'prominent' - but I think it's fine in that context of academic language, and in the context of a community implemented system, and doesn't mislead anyone).
We are quite clear that casual users are confused.
And they are, as we have shown many times.

You could always define everyone but those who know the most about anonymity, to not be part of the 'community'; but that's a tautology.
I think what we wrote is clear, and not misleading.

I think it got press, primarily because of the previous unclarity out there, among the people sharing it, of quite how anonymous bitcoin was - not because we 'accused' anyone of anything.  (Ok, we say that wikileaks isn't doing a good job of describing the anonymity situation - but that's a fair enough point, right?)


And that is dishonest from your part. For example, even before your paper, the word pseudo-anonymous was removed from the main website to avoid confusion (even when the word pseudo-anonymous is accurate). The community knows how Bitcoin works and your accusations are false and only looking to get press. You should not do that, it's dishonest from your part.

Again, I really don't see these false 'accusations' that you say we make.

Like, while its important to listen to your concerns about our work, and while I'm genuinely appreciative of you taking the time to communicate them, your comments about us being dishonest are so wrong, they are hard to engage with.

We tried our very best to present things as accurately as we could.  Anonymity in Bitcoin is complicated, and a subtle issue (as the first line of our abstract says: "Anonymity in Bitcoin, a peer-to-peer electronic currency system, is a complicated issue").

It's not easy to try and communicate these subtleties accurately.
We put a lot of effort into making sure it was as accurate as possible, and that people understood what we were, and weren't saying - as you can see from the fact that I'm here, now, trying to clarify this.

You can say you believe we were inaccurate - and I've tried to explain how I understand things, and to counter that belief.
But I don't really think you can credibly say there's anything dishonest going on with our work.

I guess we'll probably agree to differ on these issues; but I hope I've clarified a little more the angle we are coming from.
newbie
Activity: 15
Merit: 0
Thanks for your reply Fergalr.  I give much respect to your well thought out comments and honesty regarding the extent of your capabilities and knowledge.  I've been thinking about this subject a lot because it really stunned me that despite all the "highly technical" users' claims that bitcoin was not anonymous, no one has solved any of the big thefts.

It's true that the thefts haven't been solved - at least not that we are publicly aware of - and maybe they never will be, maybe the thieves were careful to isolate their off-bitcoin actions.

But also, I'm not aware of any public serious activity, by technically skilled law enforcement, to investigate these events.
It might be the case that with the help of a few subpoenas, they could solve it.
If Bitcoin is ever used for something *really bad* and high profile in future, or if it becomes much more popular, these things will become apparent.
I think determined parties, with the ability to access exchange data, Mt. Gox, myBitcoin and so on will be able to analyze a huge amount of traffic.


2) The IP layer work that Dan Kaminsky did - could that be put together with Bitcoin layer work like we did?


I asked him in his thread how much it would cost to put together a tool but it must have freaked him and the others in the thread out because the thread immediately died.  https://bitcointalksearch.org/topic/m.436871.  And DK hasn't posted since.  That was not my intention at all.


He might just be busy - the SSL certs thing is happening at the moment - dunno.

Anyway, you seem to be a smart and talented programmer enough to be able to replicate Kaminsky's work for the conference and get a working tool going in a reasonable timeframe.  And I get the feeling that unlike him, my direct and public approach will not be scary to you or kill this thread.  It could be merged with your already existing tool like this (not sure if feasible):

a) run your address tracing and linking tool to find all the coins that were stored through the Mybitcoin portal.  You can start with my address info here: https://bitcointalksearch.org/topic/m.428519.  That should give you all their coins with current address locations.  Also see if any forum user can be linked to it.

b) run the real-time ip monitoring tool targeting those addresses to harvest the ips + any other scrape-able info when the coins are moved

c) use your tools to see what they are doing with the coins.  By now you should know what wallets are exchange wallets, so if they are cashing out through an exchange bingo fire up the subpoenas.  If they are using dead drop or in-person cash-out then go back to dktool do geolocation on the IP, see what can be done... harder road but at least we know we're on it at that point.

But the key is b.  Hmm thinking about how much it would cost.  A database of every transaction made with IPs would be nice to start collecting, could be valuable in the future.  Of course, with DK's you don't get very many IP addresses because some users are a few hops away from an inbound node.  He wasn't too clear on that point in his slides and I was not at the conference.

Another potentially profitable use for your work: We do need a tool to keep pool operators honest.  If the stolen block storage node and the pool general fund node can be linked, tool could monitor that.  Right now it is very easy for them to sneak blocks, and we miners have to guess if they are doing it or not by comparing pool luck to expected luck.  Vladimir's self defense for miners thread talks about this.

Those are interesting suggestions - I don't think I'll be embarking on a big engineering project like that, though; I've got to focus on more research oriented angles, as a research student.  But there's nothing to stop other people building such infrastructure, and I suspect they will, in time, if adoption increases.
newbie
Activity: 15
Merit: 0
1) Active attacks on anonymity, on the bitcoin network.
There's some people using mixers.  But how do you know your coins are really mixed?
Let's say you trust the mixer.

But what if your coin is mixed with a bunch of other coins, all of which belong to an adversary?
If I was interested in actively attacking Bitcoin, I'd be flooding mixers all the time.

I could make it appear to another user that their coins were mixed, when in actual fact, I controlled all of the coins they were mixed with, and could tell for sure what the incoming and outgoing coins were.
Obviously, as the mixer takes a fee, there's a cost, in Bitcoins, to doing this.

But, while I've seen a lot of talk on mixers out there, I haven't seen this sort of threat mentioned (maybe I'm missing something - this is something to consider, not something I've thought about in depth).

If the mixer is designed well, and if the operator of the mixer is trustworthy, then it doesn't matter much what coins you get back, the same ones, or different ones.

Is this definitely true, though?
Like, imagine if you go and use a mixer - and, from what I read, they currently have a fairly low volume - and I'm there, flooding the mixer with bitcoins, from lots of different addresses.  You come away with some of my Bitcoins.  I know you got them from the mixer.  I come away with the address that the mixer gave me, which I know belongs to someone else that just used the mixer.  If it's just you and me using the mixer, you might think your coins have been mixed, when they really haven't.

I guess a lot depends on the design of the mixer, the time lags it supports, etc - but there's no real way of telling, with an attacker that's really willing to flood the mixer, if all the other bitcoins your bitcoins were 'mixed' with, are controlled by a single party.

I've not really thought about this - I imagine someone has done the math - but I guess it's pretty important that lots of people are using mixers, for them to be secure -- and you can't really measure that simply by coin throughput.

It'd surely be better if mixing was built into the protocol - but that's easy to say...

  The crypto community probably already has a pretty good idea of which properties the mixer needs to have.  I bet that the cypherpunks list probably even had detailed discussions on how to create a distributed system that didn't rely on the trustworthiness of any particular subset of mixer operators.  We just don't know which thread to look in, because they didn't know they were talking about bitcoin at the time, they thought they were talking about an email mixer, or how to protect an onion router from traffic analysis attacks, or something.

Yeah, great point - this stuff is probably well trodden ground, in different contexts; probably makes more sense to read up on it, than to just speculate.


I liked the paper, by the way.

I always consider claims of anonymity to be false until shown true.  And even then I'm still cautious.  I remember well that the first few things I had read about bitcoin made claims about anonymity that (surprise!) later turned out to be less than true.  I tend to blame journalists for bad journalism, but in this case I might be willing to cut them some slack.  Bitcoin is hard.

I would say that by now, most people in the community (at least in the threads that I read) have a fairly good idea of the level of privacy actually available for various types of transactions.  Of course, an attacker with the ability to aggregate data from a lot of places can overcome casual efforts at partitioning and end up knowing a hell of a lot.

Some day, there will be a simple web based tool, like blockexplorer, but much more sinister.  You'll be able to punch in an address, and it will track things forwards, backwards and sideways.  It will magically divine every address in your wallet that you have ever received money from, and if you've ever used or sent to a static address, it will be able to tell you a lot about yourself and what you like to spend your coins on.

The good news is that places that generate new addresses for every transaction will make it much less accurate.  And hopefully a network of decent mixmasters will provide hard edges, or at least plausible ones.

Most people don't know how serious white collar investigations work, so they don't realize just how much effort it will be for someone to keep those edges solid.  Real investigations cast a wide net.  They look at someone, then they look at everyone around that person, and then everyone around all of them, and so forth.  They look for coincidences first, and then patterns, and then evidence.  Honestly, if you let it get to the evidence stage, you've already lost.

I see a lot of people on these forums that say things like "well, they can't prove ".  It doesn't matter.  They don't need to prove that step, they just need to see the pattern, and then find some other step that they can prove.  Where there is a pattern, there will also be evidence of something, something that they can use.  They are professionals, and you are an amateur.  They are much better at finding evidence than you are at hiding it.

For anyone seriously considering hiding some crime behind bitcoins, I offer this advice.  Don't.  And if you ignore that part, try to avoid coincidences, and make damn sure you don't leave patterns.  Be many different people, with different personalities, different habits, different patterns.  And if you must transfer money from a wallet that can be linked to you (and this is any wallet that you haven't taken great pains to keep apart from yourself), to an illicit wallet, make sure it is for something legitimate, with paperwork, and hopefully eyewitnesses that really think that they saw you buy or sell something.  Don't try to launder funds more than once, unless you have a legitimate, documented, witnessed sequence of transactions that will look completely normal and mundane.  And finally, make damn sure that you lose a hell of a lot of money along the way.  If 50,000 bitcoins leaves one side, 50,000 bitcoins had better not pop up on the other side, not even months or years apart and from totally different directions.

Sorry.  This is long, rambling, and I think I veered offtopic a bit.  Fun though.

Great stuff - I think your points about anonymity are spot on - there are just so many different channels and patterns to look at.
legendary
Activity: 1148
Merit: 1001
You only have to see the reaction on the forums about your original blog post. The reaction was: so what? this was already known.

Yeah, but that's always easy to say.

So you dish the reaction of the community to your paper because somehow you don't like to believe it is the reaction of the community to your paper, and prefer to mention as "proof" a website outside the community and a lot of the reports on Bitcoin. Let me tell you that the press on Bitcoin has been highly inaccurate and not only regarding anonymity. I have not seen something reported with more mistakes than Bitcoin. The community tried to correct them for a while, but ended up giving up. You can see the comments in the press thread.

Look, you and I (and everybody) know what's going on. Your paper is cool and the work is great, but you decided to give it a bit of dramatism accusing the community of things you should not have, to get more recognition and more press. And that is dishonest from your part. For example, even before your paper, the word pseudo-anonymous was removed from the main website to avoid confusion (even when the word pseudo-anonymous is accurate). The community knows how Bitcoin works and your accusations are false and only looking to get press. You should not do that, it's dishonest from your part.
sr. member
Activity: 332
Merit: 250
Thanks for your reply Fergalr.  I give much respect to your well thought out comments and honesty regarding the extent of your capabilities and knowledge.  I've been thinking about this subject a lot because it really stunned me that despite all the "highly technical" users' claims that bitcoin was not anonymous, no one has solved any of the big thefts.


2) The IP layer work that Dan Kaminsky did - could that be put together with Bitcoin layer work like we did?


I asked him in his thread how much it would cost to put together a tool but it must have freaked him and the others in the thread out because the thread immediately died.  https://bitcointalksearch.org/topic/m.436871.  And DK hasn't posted since.  That was not my intention at all.

Anyway, you seem to be a smart and talented programmer enough to be able to replicate Kaminsky's work for the conference and get a working tool going in a reasonable timeframe.  And I get the feeling that unlike him, my direct and public approach will not be scary to you or kill this thread.  It could be merged with your already existing tool like this (not sure if feasible):

a) run your address tracing and linking tool to find all the coins that were stored through the Mybitcoin portal.  You can start with my address info here: https://bitcointalksearch.org/topic/m.428519.  That should give you all their coins with current address locations.  Also see if any forum user can be linked to it.

b) run the real-time ip monitoring tool targeting those addresses to harvest the ips + any other scrape-able info when the coins are moved

c) use your tools to see what they are doing with the coins.  By now you should know what wallets are exchange wallets, so if they are cashing out through an exchange bingo fire up the subpoenas.  If they are using dead drop or in-person cash-out then go back to dktool do geolocation on the IP, see what can be done... harder road but at least we know we're on it at that point.

But the key is b.  Hmm thinking about how much it would cost.  A database of every transaction made with IPs would be nice to start collecting, could be valuable in the future.  Of course, with DK's you don't get very many IP addresses because some users are a few hops away from an inbound node.  He wasn't too clear on that point in his slides and I was not at the conference.

Another potentially profitable use for your work: We do need a tool to keep pool operators honest.  If the stolen block storage node and the pool general fund node can be linked, tool could monitor that.  Right now it is very easy for them to sneak blocks, and we miners have to guess if they are doing it or not by comparing pool luck to expected luck.  Vladimir's self defense for miners thread talks about this.
kjj
legendary
Activity: 1302
Merit: 1026
1) Active attacks on anonymity, on the bitcoin network.
There's some people using mixers.  But how do you know your coins are really mixed?
Let's say you trust the mixer.

But what if your coin is mixed with a bunch of other coins, all of which belong to an adversary?
If I was interested in actively attacking Bitcoin, I'd be flooding mixers all the time.

I could make it appear to another user that their coins were mixed, when in actual fact, I controlled all of the coins they were mixed with, and could tell for sure what the incoming and outgoing coins were.
Obviously, as the mixer takes a fee, there's a cost, in Bitcoins, to doing this.

But, while I've seen a lot of talk on mixers out there, I haven't seen this sort of threat mentioned (maybe I'm missing something - this is something to consider, not something I've thought about in depth).

If the mixer is designed well, and if the operator of the mixer is trustworthy, then it doesn't matter much what coins you get back, the same ones, or different ones.  The crypto community probably already has a pretty good idea of which properties the mixer needs to have.  I bet that the cypherpunks list probably even had detailed discussions on how to create a distributed system that didn't rely on the trustworthiness of any particular subset of mixer operators.  We just don't know which thread to look in, because they didn't know they were talking about bitcoin at the time, they thought they were talking about an email mixer, or how to protect an onion router from traffic analysis attacks, or something.

I liked the paper, by the way.

I always consider claims of anonymity to be false until shown true.  And even then I'm still cautious.  I remember well that the first few things I had read about bitcoin made claims about anonymity that (surprise!) later turned out to be less than true.  I tend to blame journalists for bad journalism, but in this case I might be willing to cut them some slack.  Bitcoin is hard.

I would say that by now, most people in the community (at least in the threads that I read) have a fairly good idea of the level of privacy actually available for various types of transactions.  Of course, an attacker with the ability to aggregate data from a lot of places can overcome casual efforts at partitioning and end up knowing a hell of a lot.

Some day, there will be a simple web based tool, like blockexplorer, but much more sinister.  You'll be able to punch in an address, and it will track things forwards, backwards and sideways.  It will magically divine every address in your wallet that you have ever received money from, and if you've ever used or sent to a static address, it will be able to tell you a lot about yourself and what you like to spend your coins on.

The good news is that places that generate new addresses for every transaction will make it much less accurate.  And hopefully a network of decent mixmasters will provide hard edges, or at least plausible ones.

Most people don't know how serious white collar investigations work, so they don't realize just how much effort it will be for someone to keep those edges solid.  Real investigations cast a wide net.  They look at someone, then they look at everyone around that person, and then everyone around all of them, and so forth.  They look for coincidences first, and then patterns, and then evidence.  Honestly, if you let it get to the evidence stage, you've already lost.

I see a lot of people on these forums that say things like "well, they can't prove ".  It doesn't matter.  They don't need to prove that step, they just need to see the pattern, and then find some other step that they can prove.  Where there is a pattern, there will also be evidence of something, something that they can use.  They are professionals, and you are an amateur.  They are much better at finding evidence than you are at hiding it.

For anyone seriously considering hiding some crime behind bitcoins, I offer this advice.  Don't.  And if you ignore that part, try to avoid coincidences, and make damn sure you don't leave patterns.  Be many different people, with different personalities, different habits, different patterns.  And if you must transfer money from a wallet that can be linked to you (and this is any wallet that you haven't taken great pains to keep apart from yourself), to an illicit wallet, make sure it is for something legitimate, with paperwork, and hopefully eyewitnesses that really think that they saw you buy or sell something.  Don't try to launder funds more than once, unless you have a legitimate, documented, witnessed sequence of transactions that will look completely normal and mundane.  And finally, make damn sure that you lose a hell of a lot of money along the way.  If 50,000 bitcoins leaves one side, 50,000 bitcoins had better not pop up on the other side, not even months or years apart and from totally different directions.

Sorry.  This is long, rambling, and I think I veered offtopic a bit.  Fun though.
k
sr. member
Activity: 451
Merit: 250
thanks, lots of food for thought here.

you could probably try to correlate bitcoin movements with the historical price record and see if there is anything interesting there.
The public permanent ledger nature of bitcoin really makes lots of interesting things possible.

newbie
Activity: 15
Merit: 0
While we're speculating, I'd like to say that some other things that would be very interesting to look at are:

1) Active attacks on anonymity, on the bitcoin network.
There's some people using mixers.  But how do you know your coins are really mixed?
Let's say you trust the mixer.

But what if your coin is mixed with a bunch of other coins, all of which belong to an adversary?
If I was interested in actively attacking Bitcoin, I'd be flooding mixers all the time.

I could make it appear to another user that their coins were mixed, when in actual fact, I controlled all of the coins they were mixed with, and could tell for sure what the incoming and outgoing coins were.
Obviously, as the mixer takes a fee, there's a cost, in Bitcoins, to doing this.

But, while I've seen a lot of talk on mixers out there, I haven't seen this sort of threat mentioned (maybe I'm missing something - this is something to consider, not something I've thought about in depth).

2) The IP layer work that Dan Kaminsky did - could that be put together with Bitcoin layer work like we did?

3) There's whole classes of timing and statistical attacks we didn't consider.
newbie
Activity: 15
Merit: 0
Hi fergalr,

thanks for your paper and your responses here. Welcome to the forum.
Thanks!

Have you given any thought to other applications these tools and this type of network analysis could be used for - for example could it be used somehow to estimate the real size of the bitcoin economy, i.e. differentiate the purchase of goods and services from just shifting bitcoins to different addresses owned by the same person?


These are really interesting questions.

We thought briefly about these issues, although our main focus was on anonymity, and once it became clear to us that users were less anonymous than we expected, on making our analysis public.

So, there is a large connected component (http://en.wikipedia.org/wiki/Connected_component_%28graph_theory%29)  of Bitcoin addresses - i.e. a set of addresses that are all connected via other addresses, where 2 addresses are connected if they have exchanged bitcoins.

Bitcoins in accounts outside that large connected component could probably be discarded from any attempt to estimate the velocity of money (http://en.wikipedia.org/wiki/Velocity_of_money).
There are definitely examples of this - where someone consolidates a large bunch of mined bitcoins, but then doesn't do anything else with them.  You'd really want these consolidation events to not show up in an analysis of the velocity of money, and hence the size of the economy - so you could probably do some work on this - a crude first pass being to just look at Bitcoins within the large connected component.


So, that's one type of analysis you could do.
The other thing is that we typically 'link' all the addresses that the block chain reveals are controlled by a single user (because their private key parts are used in a single transaction).  This collapses many addresses together - from something like 1.2M unique addresses down to .8M 'collapsed nodes'.
Now, there is an issue here, that occasionally some key management services, like myBitcoin, where the private keys are controlled centrally, show up as a single node, in this graph - and obviously can have a lot of different users. 
So you basically lose transactions that occur within a single 'virtual' service, that are backed onto the Bitcoin network.

But for the vast majority of nodes, you get a network that much more resembles the user->user transaction network.
So, it's not perfect - there will definitely be accounts that are controlled by a single user, that still show up as multiple accounts, and there'll be some accounts, where users use a service that shares their private keys, that now look like a single account - but it's certainly a different, and interesting, view of the network, on which to do economic analysis.

From looking at it, I'd say it's a better view, and that things like velocity of money calculated on this network, would be more accurate.

The other thing I should say is that there were some forum users here that built a 'bitcoin days destroyed' metric that is also interesting.
Some combination of the two ideas might be beneficial, in terms of analysing the economy.



You could probably build further heuristic methods - to look at the volume of Bitcoins that flow a certain distance, through the resolved nodes, and use this as a better barometer of the current market activity.


Or identify the different exchanges and see the flow of bitcoins to them and thus if you see a larger than normal flow of bitcoins to a particular exchange it might indicate that a sell-off is likely and predict a price drop before it happens?

That sort of stuff is very interesting - things like that are probably possible.
Like, if nothing else, you can look at large volume movements that happen outside exchanges - it's probably possible to correlate such movements with increased probability of near future volatility, if nothing else.


Maybe nothing like this is possible, just thinking out loud and wondering about possible other uses for this type of analysis.

thanks
k

From my point of view, while we've thought a little in that direction, it is a whole other research topic!

But it definitely sounds like a very interesting one - especially if Bitcoin gains momentum, and people start doing serious trading on it - I like the direction you are thinking in.

k
sr. member
Activity: 451
Merit: 250
Hi fergalr,

thanks for your paper and your responses here. Welcome to the forum.

Have you given any thought to other applications these tools and this type of network analysis could be used for - for example could it be used somehow to estimate the real size of the bitcoin economy, i.e. differentiate the purchase of goods and services from just shifting bitcoins to different addresses owned by the same person? Or identify the different exchanges and see the flow of bitcoins to them and thus if you see a larger than normal flow of bitcoins to a particular exchange it might indicate that a sell-off is likely and predict a price drop before it happens? Maybe nothing like this is possible, just thinking out loud and wondering about possible other uses for this type of analysis.

thanks
k
newbie
Activity: 15
Merit: 0
Quote
We think that the graphing, and analysis, that we did, shows it's substantially easier to trace these things than we'd have a priori thought possible.

Then you had thought wrong and that is YOUR problem and not the problem of Bitcoin.

What do you mean 'the problem of Bitcoin'?
I mean, the technology itself doesn't care, that's the technology.

But the users may care.
Look what it says on the Wikileaks site:
"Bitcoin is a secure and anonymous digital currency. Bitcoins cannot be easily tracked back to you, and are safer and faster alternative to other donation methods. You can send BTC to the following address:"
Do you think those sentences are true?  I think they are quite misleading.  But there they are.
I think this is very clear evidence that something is going wrong, with the Bitcoin community's understanding of the limits of anonymity in Bitcoin.


Imagine it's 5 years' time, and Bitcoin is very widely adopted; and that I live in a really repressive regime, and had made a substantial donation to wikileaks.
The secret police come to my door - I'm confused, because I thought it was anonymous.  I donated from an address I'd never previously used.  I didn't realise that, a year later, when a piece of change (say) from that donation was also used in my weekly online grocery shop, with some other currency from my public 'donate to my blog' address, then I had inadvertently published, irrevocably, on the open Internet, that I previously made a donation to wikileaks.  Now I'm talking to the secret police, I'm wondering what it means for Bitcoin to be 'a secure and anonymous digital currency.' and I'm a little confused, because it actually turned out to be very easy for the Bitcoins to be tracked back to me.

Like, we could say 'it's not the problem of bitcoin' - but I think the technology, as it's used in the real world, does sort of have a problem, if scenarios like that arise.

Don't get me wrong, Bitcoin is a really cool system.
But it *does* have a real problem, when a substantial subset of its users think it's anonymous, but it isn't.

When we looked, we could identify many users, by their user names here, who donated to wikileaks.  Maybe they are happy for that to be in the open- but maybe some of them aren't.  This could be a very real problem for some of them.  Does the Bitcoin community care?  I think they should.  

There were campaigns on this forum to get various organisations to accept Bitcoin donations.
So where's the campaign to correct that wikileaks page?




Bitcoin members always stated the nature of Bitcoin and how under certain circumstances the transactions could be linked to the person. There is absolutely nothing new on what you are saying. It had all been said by the Bitcoin community already.

There are differing levels of technical sophistication in the Bitcoin community.
Some people - the more technical people - state that Bitcoin provides no guarantee of anonymity.
We do acknowledge that in our paper.
But I think the Bitcoin community are doing a very bad job of disseminating that information.


And I think the reason for this is clear:
It's really easy to say that 'Bitcoin is not anonymous, all the transactions are there in the blockchain'.  But all it means is that someone said that.

Users will wonder 'Ok, so the information is there - but surely you can't actually follow transactions around the place?' - there are many threads on this forum where users are wondering exactly what can be done in practice.

Until our analysis, I had seen no one actually try and follow these things, or apply network analysis to it.

I mean, I saw the response to the 'allinvain' alleged theft - and the whole thread is there, and I've read it all - where they tried to trace the Bitcoin flows - but they didn't have good tools, and they didn't get very far.
If you want, you can dig out the addresses they got to, and see where they are on the SVG we have - I've done that.
It's completely understandable, because they hadn't got purpose built tools.
But we actually built the tools, and had a go, and found you could follow Bitcoins much further.
And I think, as a (very casual) user of Bitcoin, that that is an important piece of information, and is well worth knowing.




You only have to see the reaction on the forums about your original blog post. The reaction was: so what? this was already known.

Yeah, but that's always easy to say.

Before doing this research, I had read up what was out there in the community, and the message I got was that the most technical users were saying 'Look, don't count on anonymity, you probably don't have it' and were saying that it might be possible to do network analysis.  But there were loads of people wondering how much anonymity you had in practice, and whether it was really possible to make sense of the transaction history.
And I honestly didn't know which to believe, because I could find no examples of where people had traced flows through the network.  

We didn't know whether we'd find clusters of nodes, and we were totally taken by surprise by how much information the account linking revealed.
So, actually going and trying to do some network analysis, told us a lot we didn't know - that these problems were real, in practice, as well as in theory.
We had to build a fair few tools, and tweak them, before we could properly see the structure in the network - it wasn't trivial.
I mean, if I'm wrong, send me a link to similar existing analysis.  (as opposed to a stated opinion, correct though it might be).

And that's just from the point of view of the most technical users - there are reams of less technical users out there, confused about the anonymity.
A lot of people read our blog - hopefully that will result in these people not thinking bitcoin is inherently anonymous, when it really isn't.


Do you want me to dig up examples of the differing opinions that are out there?
There's the wikileaks 'donate' page I mentioned.
There's loads of stuff on these forums.
There's blogs (by really very technically sophisticated people) like this: http://www.forbes.com/sites/timothylee/2011/07/14/advanced-bitcoin-anonymity/
and really, what they say isn't really wrong, though I'd expect them to be surprised by how much can be uncovered.


There's some good posts around by users such as jgarzik which I would say maybe even slightly over estimate the network analysis that is conducted on Bitcoin - but he's certainly making the point, many times, that it shouldn't be labelled as anonymous.
But there's lots of other users that disagree with that view, or aren't as technical as the core dev team.
And I think there's an extent to which these are just opinions - educated, though they may be - until someone goes and tries to do that kind of analysis.

So I think we contribute a lot by having a go at doing an analysis towards the type jgarzik mentions, and actually seeing how well we get on.


The problem is that you are claiming the Bitcoin community was saying the contrary and its very dishonest from your part.

Well, I've shown examples of the differing confused opinions that are out there - I guess it depends what you mean by 'community'.
Is whoever wrote that wikileaks page part of the community?  (I don't like constantly picking on wikileaks here - but they are an organisation that is supposed to be all about protecting anonymity, so I guess it's ok to hold them to a high standard).


As to the claim that I'm being dishonest - look, I'm a research student, I've no axe to grind here, I've no short financial position on Bitcoin; we're really interested in the currency, and chose to spend time on this, as opposed to other possible projects, because it's interesting.  We're doing our best to publish our work out in the open, blog about it, engage with people in forums.  There's a sentence or two in the paper, and on the blogs, where we acknowledge that the technical users know anonymity was never designed in, and I think we do a good job of addressing the subtleties of the definition of 'anonymity' in the comments.

So, like, it's really obvious there's nothing dishonest here.


And the biggest problem is that I went to your blog post to point exactly this to you in a nice and educated way, but you keep going around with the same dishonest claims, so you are clearly doing it on purpose. If you are acting on good faith you should stop your claims that the Bitcoin community has publicized anything different. What you are saying is nothing special or new. It was well known.

I've tried to address these concerns above.



I guess we can agree to differ on what exactly 'the Bitcoin community' thinks.  You think they know exactly what the limits of anonymity are (i.e. it's not anonymous).  I think there's a lot of confusion out there, and uncertainty over how anonymous it is in practice.  

Now I think my position is well supported by simply googling 'bitcoin anonymous' and seeing all the articles that call it anonymous - but look, at the end of the day, as long as people don't think it's obscuring their tracks, when it's not, we are both happy, right?

And our research adds an actual attempt to investigate and quantify this, rather than just make unsubstantiated - though educated - claims.  Depending on how much of a scientist one is, the attempt to actually try it has a greater or lesser merit - I put a lot of stock in that sort of thing.


We aren't in the business of exposing thefts, so we didn't go down that road as far as we could.

Why not? If you really can prove it as you claim why not do it?

Dealt with this in my previous post.


Thanks for the feedback, btw - appreciate you taking the time to disagree with me, even if I don't agree with your disagreement :P
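The address linking, connected-component and "change reused alongside a public address" points made in the posts above can be tried on a toy ledger. This is an added example, not code from the paper or from any poster; the transactions and address names are constructed, and only the co-spent-inputs linking rule described in the thread is applied.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data). "ins" are the addresses
# whose keys signed the spend, "outs" are the receiving addresses.
TXS = [
    {"id": "t1", "ins": ["fresh_addr"], "outs": ["wikileaks", "change_addr"]},
    {"id": "t2", "ins": ["change_addr", "blog_donate_addr"], "outs": ["grocer"]},
    {"id": "t3", "ins": ["miner_a", "miner_b", "miner_c"], "outs": ["miner_hoard"]},
    {"id": "t4", "ins": ["grocer"], "outs": ["supplier", "grocer_change"]},
]

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def collapse(txs):
    """Map each address to its collapsed node: addresses co-spent as inputs."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["ins"] + tx["outs"]:
            uf.find(addr)                      # register every address seen
        for other in tx["ins"][1:]:            # no-op for 0 or 1 inputs
            uf.union(tx["ins"][0], other)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(g) for g in groups.values() for addr in g}

def largest_component(txs):
    """Addresses in the largest connected component of the collapsed graph."""
    node_of = collapse(txs)
    comp = UnionFind()
    for tx in txs:
        nodes = [node_of[a] for a in tx["ins"] + tx["outs"]]
        for n in nodes:
            comp.union(nodes[0], n)            # coins moved between these nodes
    groups = defaultdict(set)
    for node in list(comp.parent):
        groups[comp.find(node)] |= node
    return max(groups.values(), key=len)

def exposed_counterparties(txs, public_addr):
    """Addresses that share a transaction with the node holding public_addr."""
    mine = collapse(txs)[public_addr]
    seen = set()
    for tx in txs:
        touched = set(tx["ins"] + tx["outs"])
        if touched & mine:
            seen |= touched - mine
    return seen

if __name__ == "__main__":
    print(len(set(collapse(TXS).values())), "collapsed nodes")
    print(sorted(exposed_counterparties(TXS, "blog_donate_addr")))
    print(sorted(largest_component(TXS)))
```

Running it on your own wallet's export before co-spending two outputs shows which earlier payments the spend would tie to a publicly known address; the miner consolidation in `t3` falls outside the large component, as the velocity-of-money discussion expects.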
newbie
Activity: 15
Merit: 0
Thank you for the study.  Nice chart porn!  You're right about the definition of "anonymous" being the key. 

No one has yet volunteered to be an expert witness for the plaintiffs in any court for the allinvain larceny or the mybitcoin class action, despite this being worth tens of thousands of dollars.  Gavin has even said in these forums that he doesn't want to be involved in helping the police or private investigators find or target individual users of the bitcoin client.  Thinks it would be unethical. 

That's a position I have a lot of sympathy for - I can see why you'd have to think about the ethics before actually going and deanonymising individual users - I guess a lot would depend on the context.

In my experience it always kills these "bitcoin is not anonymous" discussion to point out that despite what Garzik, Gavin, and dan kaminsky claim about the lack of anonymity, not one of them has been able to solve a single stolen bitcoin case.  Tens of thousands of dollars just sitting there for the taking if they do, not to mention justice for the victims!

Maybe you can do better fergalr, but I doubt you can do anything beyond expound theory in obtuse academic language either.  If you really can link the mybitcoin coins to forum user names, then out with it!

Well, first off, just to be clear, the theft in question wasn't of the mybitcoin coins - it was a separate alleged theft, as reported by the forum user allinvain, on this forum.
Although, there was an indication of a link between the two events.

There are a couple of 'nodes' (addresses which are bound together, using the 'linking' information leakage) which receive Bitcoins, which we believe it looks extremely likely came from the alleged theft, which we can identify as forum users.

This doesn't mean those users had anything to do with the theft - in fact, I'd say it's considerably more likely that they didn't and that they either received just donations, or sold goods/services.  But I don't know.
We chose not to publish those usernames on our blog.

There wasn't a huge case either way for this decision - the data was all public, and the analysis not *that* hard to re-create; but it's not really our role to be doing this sort of thing.
It's not that important to us, analyzing privacy in bitcoin, who the users are - what's important is that we could find them.


Do you know who the thieves are, or not.

We don't know who the thieves are.
It's probably fair to say that we don't even really want to know who the thieves are.


If the thieves were very careful, and kept all the bitcoin activity at arms length from themselves - e.g. they did all their bad stuff through TOR, (assuming a secure exit node) or through a computer that cannot be traced to them; and if they didn't use any of the Bitcoins they stole to buy or sell anything that could be traced to them (e.g. they left no traceable IP on any webserver of anyone they paid in bitcoins), and if they have no connection to any of the users they transferred accounts to, and if they used the myBitcoin service completely anonymously, and left no logs or payment details or IPs on it, then I believe they are completely anonymous, and won't be found.
I've no idea how they planned on getting the Bitcoins out - maybe there's a service out there where someone will leave $500K in a dead drop box, in exchange for bitcoins - I don't know.


But, if on the other hand, they believed that Bitcoin was sufficiently inherently anonymous, that their transactions would get lost in all that goes on in the Bitcoin network (a reasonable belief), or if they did things like bought traceable goods or services from the users that they sent bitcoins to, or if they left any traces of payment trail on myBitcoin - which we can see that it looks like they sent BTC to - that could be subpoena'd, then they are probably not anonymous.

Our point is that their actions in the Bitcoin network are not getting lost in the noise, and there are links there that people could investigate.

Our point is further, that if Bitcoin grows in adoption, in future, like a lot of the people on this forum want, then as things currently stand, with current software, casual users of Bitcoin will leak a lot of information, and leave large traces of their activity behind them, which it'll be possible to follow in an automated fashion.

Currently, a large exchange could probably label an awful lot of bitcoin transactions and flows, with whatever account details the exchange has access to.


  What is your % degree of certainty and can you be an expert witness?
I'm pretty certain of what I just said.

As I said, I couldn't directly provide the identity of the thieves, because I don't know it, and couldn't know it without other pieces of information, such as logs of various services, or information from other users.
Maybe even then it's not available; or maybe it is; that's a question for someone working on solving the theft to worry about. I'm not working on solving thefts, so I'm not likely to be an expert witness for anyone, any time soon.
member
Activity: 61
Merit: 10
Unless the 25k BTC thieves use a public exchange to sell the coins (where they might submit personally identifying information), how do these graphs help?
hero member
Activity: 630
Merit: 500
Posts: 69
fergalr, well done paper, thanks for taking the time to put it out there, helps me understand a few aspects of Bitcoin I did not before.   Also, I agree with hugolp,

If you really can prove it as you claim why not do it?
hero member
Activity: 530
Merit: 500
We think the fact that the supposedly separate streams re-converge shows the addresses used were still controlled by a single party, for quite a while after the theft.

That was about the supposed allinvain theft.

There are definitely transactions going on, that are linked, in ways that the users don't think are linked.  No question about that.

But is this too, or is it about Bitcoin more generally?

legendary
Activity: 1148
Merit: 1001
Radix-The Decentralized Finance Protocol
We aren't in the business of exposing thefts, so we didn't go down that road as far as we could.

Why not? If you really can prove it as you claim why not do it?