Ask Me Anything Re: Bitcoin technicalities

Discussion in 'Apex Lounge' started by Envrin, Mar 3, 2016.

  1. Envrin

    Envrin Active Member

    Joined:
    Dec 18, 2015
    Messages:
    91
    Likes Received:
    65
    Not sure if this is appropriate for this forum, and mods, feel free to remove thread if desired.

    Nonetheless, felt like offering my expertise regarding Bitcoin technicalities to anyone seeking it. Regarding the politics, promotion, marketing, price projections, and so on, I have no idea. You can ask 200 different people about that, and get 200 different answers.

    However, when it comes to the technicalities of implementing bitcoin, and the security of your funds, I'm probably one of the best to talk to. I've been at it for 3 years now, first year was basically a self-imposed internship while I became well versed in both the protocol and online security in general. In 3 years, I have yet to have a single dollar stolen from me personally. However, during the first year while I was new, some clients did get hacked to hell and back, hence I quickly became well versed in online security. No clients have funds stolen these days.

    Nonetheless, if anyone by chance has any questions, feel free to ask, and I'll do my best to answer.

    If you do get into bitcoin, please realize that it's a different playground than you're used to. Hacking your WordPress sites and switching out things like affiliate URLs is cute and all, but that's nothing compared to what you will face in the bitcoin space. The hackers in this space are highly intelligent, ambitious, and plentiful.
     
    ..., cardine, megodon and 2 others like this.
  2. slayerment

    slayerment New Member

    Joined:
    Feb 24, 2016
    Messages:
    10
    Likes Received:
    12
    What kind of bitcoin businesses are you involved in? In what way were your clients hacked?
     
  3. Envrin

    Envrin Active Member

    I'm strictly software development, but client sites are a wide range. Wallets, exchanges, coin mixers, debit cards, gambling, escorts, job boards (ala Fiverr), and more. I'm just finishing up an almost perfect rendition of LBC that I'm quite pleased with, then have an auction site after that.

    My main client is a bit of a serial entrepreneur, so he never runs out of ideas, and keeps having sites developed as fast as I can get them done. Most end up being misses, but he gets a good hit here and there, which more than covers costs of the misses.

    When I first started in this space I had zero knowledge of bitcoin, so like most newcomers, I went with the blockchain.info API. Naturally, that didn't work out worth a shit. Then we moved to bitcoind / wallet.dat file, and now are on HD BIP32 wallets thankfully.

    Hacks were numerous and never ending. It was about a straight year of getting hacked almost daily. Things like they'd get into the servers and replace the wallet.dat file with their own, or get into database and replace users' deposit addresses with their own, or get into the templates and replace the merge field for users' deposit addresses with their own addresses, they would decrypt the wallet.dat file at times, and tons more. Then we had others try sneaky things, like shift the decimal point by one in the amounts, so they'd deposit 0.05 BTC, but make it appear 0.5 BTC.

    Thankfully, we seem to be locked down pretty well now. Not saying it's impossible to hack us, but we seem to have enough layers and stop measures in place to keep the vast majority at bay. One of the things that helped back in the day was we managed to flip a couple of the hackers, and brought them on as paid security consultants, so that helped loads.
     
    slayerment likes this.
  4. slayerment

    slayerment New Member

    Great feedback, appreciate the response.
     
  5. Envrin

    Envrin Active Member

    For another example of hackers in this space. Our most recent hack was about 4 months ago, but they never managed to get any funds. What they did manage to do though was figure out who my client's VPN provider was, hacked the VPN, and hijacked an open session.

    Due to this and since my client was logged in as root via SSH at the time, they managed to get root to one of the servers. Now this is a pain, because they only need root for about 5 seconds to spread hundreds of various scripts all across the filesystem. Things like rkhunter are cool and all, but they don't catch every rootkit or trojan. So when you get breached in this manner, you basically have no choice but to shrug your shoulders, format the HD, and start from scratch using the most recent clean backup you have.

    On the flip side, it actually put a smile on my face. If they're having to resort to hijacking open VPN sessions, then quite obviously I'm doing my job properly of keeping them out of the servers. :)
     
    slayerment and megodon like this.
  6. cardine

    cardine Administrator Staff Member

    Joined:
    Dec 9, 2015
    Messages:
    1,064
    Likes Received:
    1,026
    Are my bitcoins safe in Coinbase? If not, what potential risks are there and what could I do to mitigate them?

    Also, thanks for doing the AMA @Envrin!
     
  7. Envrin

    Envrin Active Member

    With Coinbase, for all intents and purposes you're probably fine, simply because they're well funded. Even if a theft occurs, they have VCs behind them that I'm assuming will cover the losses.

    From a technical standpoint though, not a chance I would leave funds sitting there. I would use Coinbase as an intermediary to transfer between BTC / USD, but would never use them as an actual bank account and leave funds with them. They allow instant sends, which means hot wallet, which means private key(s) are online in some fashion. If the software has access to the funds, then potentially hackers do as well.

    Obviously, I'm not familiar with the back-end infrastructure of Coinbase though. There are ways to mitigate this risk, but nonetheless, be wary of any web wallets for actual storage. If you need to actually store funds, for desktop I can recommend https://electrum.org/ -- I use my own wallet software, but Electrum is basically what all my clients use. It's well tested, proven, and secure.

    Within the Bitcoin space, you just simply assume people are going to root your server and dump your database. You go into the projects knowing that, then design your security policies / layers around that, so even when it does happen they don't have access to any funds. At most, they have access to some usernames and e-mail addresses.
     
    Last edited: Mar 4, 2016
    cardine likes this.
  8. ...

    ... Established Member

    Joined:
    Jan 11, 2016
    Messages:
    166
    Likes Received:
    73
    How do bitcoins even work? What stops me from copying and pasting one bitcoin and having two bitcoins? What exactly is happening when you mine bitcoins and how do bitcoins get mined in order or in whatever order they are in?

    These questions make me realize that despite what my grandma thinks I am pretty ignorant about how bitcoins and the blockchain work where even a basic introduction on how all this magic happens would help a lot.
     
  9. cardine

    cardine Administrator Staff Member

    Everything you said is pretty awesome and informative. I do have one follow up question regarding this:
    Does Coinbase actually have individual bitcoins reserved for individual users, or is it more like they know how many bitcoins each user has, they have a pool of bitcoins, and if a person does a transfer they just pick any bitcoin from that pool and transfer it over?

    If it is the second one, Coinbase would only need to have the number of bitcoins in hot storage as there are bitcoins being instantly sent each day which would mean that the vast majority of bitcoins would be in cold storage somewhere.

    Does that change anything regarding the potential security of Coinbase?
     
  10. slayerment

    slayerment New Member

    From my understanding Coinbase splits their own DB ledger from the Blockchain ledger. They'll give you addresses that they control that you can receive to, but when funds are sent they log it in their DB and then sweep (move) the funds to cold storage. Coinbase has majority of their funds in cold. They wrote a blog post about this a while back: https://blog.coinbase.com/2012/10/09/coinbase-now-storing-87-of-customer-funds-offline/. It looks like they now store 98% in cold: https://www.coinbase.com/security?locale=en.

    Sorry, don't want to hijack the thread but I've been working in the Bitcoin world heavily for like 3 years now and have been through much of the same stuff as OP :). Good times in the Wild West.
     
    Envrin and cardine like this.
  11. slayerment

    slayerment New Member

    Envrin, I know you said you have no idea, but I'd like to get your take on the push for Bitcoin XT. Good or bad for bitcoin?
     
  12. Envrin

    Envrin Active Member

    XT is already old news, and doesn't even deserve the time to talk about it. Mike and Gavin had a self-imposed deadline of Jan 2016 for the majority of the network to switch over to XT. That didn't happen in the slightest measure and thank fuck for that, because they can both go fuck themselves.

    They wanted to impose things like black lists, denying Tor nodes, and other measures to ensure it became a centralized system they could control. This is only what they publicly mentioned, let alone what they were planning behind the scenes. Thankfully they fell flat on their face, so good riddance.

    Yes, block size is getting to be a problem, and a solution needs to come soon. We're currently at about 800KB blocks, with a 1MB limit, so something needs to happen soon. Nonetheless, trying a "hostile takeover" of the entire network / currency like Mike & Gavin did obviously isn't the right way to go about it. They tried using fear to push their own agenda, it failed miserably, and thank fuck for that.

    Currently, Greg Maxwell is basically the man in charge of the Bitcoin GitHub repository. He's highly intelligent, and from what I know, seems like a great guy, excellent moral compass, and seems to have his head screwed on straight. I'm happy to see him in the position he's in.
     
    slayerment and cardine like this.
  13. Envrin

    Envrin Active Member

    Bitcoin is basically nothing more than a bunch of specifically formatted messages with cryptographic signatures being passed around a P2P network. Just so happens a bunch of us humans decided those messages are worth some money, which spawned an entire industry that currently has a market cap of ~$6 billion.

    Our friends SHA256, RIPEMD160, and ECDSA secp256k1 curve. In order to "break" bitcoin, you need to break all 3 algorithms at the same time, which just isn't going to happen. If it ever gets found out one of the algorithms has been compromised, the core devs will just switch it out with a new algorithm, and off we go with a slightly different transaction format.

    I honestly don't really know. I'm software / merchant side, and never got into the mining thing. Maybe slayerment knows? As far as I'm concerned, basically you buy a warehouse in China due to cheaper electricity costs, fill it up with a bunch of ASICs (specialized computers for mining bitcoin), they run the same algorithm over & over. When they randomly guess the right answer to the math problem, they get awarded 25 BTC (will be 12.5 BTC in a few months).

    This is what keeps the bitcoin network alive. All those ASICs running are what confirm & validate transactions. They're running all those ASICs, because it's profitable to do so, as they're getting 25 BTC every time they solve a block. That's basically all I know about mining. Maybe slayerment went into the mining side of things, and can shed some light.
     
    ... likes this.
  14. mstchr

    mstchr Active Member

    Joined:
    Dec 10, 2015
    Messages:
    54
    Likes Received:
    69
    Say I want to buy some bitcoin right now. What are the steps I would take?

    Download electrum...to a flash drive? Hard drive?
    Buy some bitcoin...where?
    Put it in this electrum locker...how?

     
    megodon likes this.
  15. Envrin

    Envrin Active Member

    Yep, just grab Electrum and install on your HD. If you're paranoid, then sure, install on a flash drive works well too, albeit more inconvenient. Then within Electrum you can easily generate new payment addresses, view transaction history, etc.

    Then it depends on what country you're in, but I think you're US based, right? In that case, I've heard nothing but good things about Coinbase. A couple sites I regularly use are http://localbitcoins.com/ and http://advcash.com/, simply because they don't require ID. I generally stay away from the exchanges because most require KYC/AML info, and well, fuck them. As far as I'm concerned, how much I make, where it comes from, and what I spend it on is nobody's business but my own.

    Once you've purchased some BTC, just send it to your Electrum wallet. General rule of thumb, never use web wallets for storage. I'm sure Cardine's funds are fine sitting in Coinbase, but why let a 3rd party company hold onto your money, when you can just as easily (and more securely) hold onto it yourself? Definitely use folks like Coinbase, but only temporarily as an intermediary when you need to transfer between BTC / USD.

    Other side note, address re-use is generally discouraged. Meaning, generate a new payment address each time you receive funds. Don't let multiple deposits hit the same address. I know a lot of people do it, but for security and privacy reasons, the practice is discouraged. There are no known security vulnerabilities right now, but there was one a few years ago that allowed hackers to wipe your funds if you used the same address too much, hence there's always the chance another vulnerability exists that simply hasn't been found yet.
     
    Last edited: Mar 6, 2016
    mstchr likes this.
  16. Envrin

    Envrin Active Member

    Coinbase would have a general pool, same as a conventional bank, so they're in control of all users' funds. Like slayerment said though, they keep majority of their funds offline, so for all intents and purposes, your funds are fine with them. Even when they do get hacked, I'm sure they'll cover the losses. And I'm sure they've been hacked more times than we know about, as I doubt they publicly announce that information.

    But yes, you are right. The better way to do a web wallet is to compartmentalize users' funds, and encrypt the private key(s) with a wallet password only the user knows. This way, even when (not if, when) someone dumps your database, all they get is a bunch of strings of text heavily encrypted with multiple iterations of various encryption algorithms. Hackers will probably be capable of brute forcing some of the private keys, but as long as the users use a strong password (which you can require), then they're not going to get much more than some usernames and e-mail addresses. The caveat to this though is, even the site owner doesn't have access to any user deposits, so whether or not it's the right solution depends on the business model.

    But yes, your funds are fine in Coinbase. Again, I personally wouldn't let my funds sit online with a 3rd party like that, but I'm sure they're fine.
     
    cardine likes this.
  17. cardine

    cardine Administrator Staff Member

    If you do this, what happens if your HD fails or gets reformatted or your laptop gets stolen? Is it just as simple as having two copies of Electrum installed on two different computers?
     
  18. Envrin

    Envrin Active Member

    Yep, exactly. Majority of wallet software these days uses HD BIP32 wallets, so when you install something like Electrum, it's going to generate you a key-pair that looks similar to:

    PUBLIC -- xpub6AHA9hZDN11k2ijHMeS5QqHx2KP9aMBRhTDqANMnwVtdyw2TDYRmF8PjpvwUFcL1Et8Hj59S3gTSMcUQ5gAqTz3Wd8EsMTmF3DChhqPQBnU
    PRIVATE -- xprv9wHokC2KXdTSpEepFcu53hMDUHYfAtTaLEJEMyxBPAMf78hJg17WhL5FyeDUQH5KWmGjGgEb2j74gsZqgupWpPbZgP6uFmP8MYEy5BNbyET

    The public key allows for the generation of just over 2.1 billion payment addresses, and the private key obviously controls any funds sent to those addresses. That private key cannot be brute forced, so as long as you keep it safe and out of the hands of hackers, you will never lose a dollar.

    Back up your private key and keep it safe. If something happens like your HD fails, you can just install Electrum (or whatever wallet software) again, import the private key, it will search the blockchain for any unspent funds, and you'll pick up right where you left off.

    Personally, I use 2-of-3 multisig, but that's because I'm weird. It means I have 3 of those above key-pairs, and I keep them in different locations. So one private key can get lost / compromised, and I don't lose access to any funds.
     
    Last edited: Mar 7, 2016
    cardine likes this.
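The xpub / xprv strings discussed in the post above are Base58Check-serialized BIP32 extended keys. The following is an added example, not part of the original post: it decodes such a string into its fields and refuses anything but a public key for server-side storage. The function names and the sample keys are hypothetical and constructed for illustration; they are not a real wallet.

```python
import hashlib
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
HARDENED = 0x80000000            # BIP32: child numbers >= 2**31 are hardened
NON_HARDENED_CHILDREN = 2 ** 31  # child indexes derivable from an xpub alone
VERSIONS = {bytes.fromhex("0488b21e"): "xpub", bytes.fromhex("0488ade4"): "xprv"}

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside Base58
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 4 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]

def parse_extended_key(text: str) -> dict:
    payload = b58check_decode(text)
    if len(payload) != 78:
        raise ValueError("extended key payload must be 78 bytes")
    version, depth, parent_fp, child = struct.unpack(">4sB4sI", payload[:13])
    if version not in VERSIONS:
        raise ValueError("unknown version bytes")
    return {
        "kind": VERSIONS[version],            # xpub or xprv
        "depth": depth,
        "parent_fingerprint": parent_fp.hex(),
        "child_index": child & (HARDENED - 1),
        "hardened": bool(child & HARDENED),
        "chain_code": payload[13:45].hex(),
        "key": payload[45:].hex(),
    }

def safe_for_server(text: str) -> bool:
    # Only a public extended key may sit on an online host; an xprv spends funds.
    return parse_extended_key(text)["kind"] == "xpub"

def sample(version_hex: str, key_prefix: bytes) -> str:
    # Constructed key material, not a real wallet: depth 3, child index 7.
    head = bytes.fromhex(version_hex) + bytes([3]) + bytes.fromhex("deadbeef")
    return b58check_encode(head + struct.pack(">I", 7) + b"\x11" * 32 + key_prefix + b"\x22" * 32)

SAMPLE_XPUB = sample("0488b21e", b"\x02")
SAMPLE_XPRV = sample("0488ade4", b"\x00")
```

An xpub still needs protecting: in BIP32, the xpub together with any one non-hardened child private key is enough to compute the parent private key, so a leaked child key should be treated as a compromise of the whole account.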
  19. ...

    ... Established Member

    How does that stop me from creating two copies of a bitcoin and spending both of them?
     
  20. Envrin

    Envrin Active Member

    1.) Each payment address consists of a public / private key-pair. For example:

    2.) Every transaction contains a series of inputs and outputs. The inputs are funds you're putting into the transaction (ie. previously sent to you), and outputs are where the funds are going (ie. who you're paying).

    3.) If someone sends you funds, it'll be added to the pool of UTXOs (unspent outputs), which basically all full nodes keep track of.

    4.) When you want to spend those funds, they get added to a new transaction as an input. In order for that transaction to validate / confirm, be accepted by the miners and get added to the blockchain, you must have that private key in order to generate the appropriate cryptographic signature.

    5.) So once a transaction hits with that properly signed input, they're removed from the UTXO pool, and cannot be spent again.

    There's various other stop-measures in place to prevent double spending, but that's basically how it works.
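The five steps in the post above, as an added example that is not part of the original thread: a toy UTXO pool that accepts the first spend of an output and rejects the second. It makes two assumptions. A SHA-256 hash lock stands in for the secp256k1 ECDSA signature check, so this is not how Bitcoin authorises a spend. All class and function names and the sample values are hypothetical.

```python
import hashlib
from dataclasses import dataclass
def lock_for(secret: bytes) -> str:
    return hashlib.sha256(secret).hexdigest()  # toy lock, stands in for a pubkey hash

@dataclass(frozen=True)
class Output:
    amount: int  # integer satoshis, never floats
    lock: str

@dataclass(frozen=True)
class Input:
    txid: str
    index: int
    secret: bytes  # toy stand-in for the ECDSA signature a real input carries

@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple
    def txid(self) -> str:
        refs = tuple((i.txid, i.index) for i in self.inputs)
        return hashlib.sha256(repr((refs, self.outputs)).encode()).hexdigest()

class UtxoSet:
    def __init__(self):
        self.unspent = {}  # (txid, output index) -> Output
    def apply(self, tx: Tx) -> str:
        refs, total_in = set(), 0
        for i in tx.inputs:  # validate everything before changing state
            ref = (i.txid, i.index)
            prev = self.unspent.get(ref)
            if ref in refs or prev is None:
                raise ValueError("output missing or already spent")
            if lock_for(i.secret) != prev.lock:
                raise ValueError("input not authorised by the key holder")
            refs.add(ref)
            total_in += prev.amount
        if any(type(o.amount) is not int or o.amount <= 0 for o in tx.outputs):
            raise ValueError("amounts must be positive integer satoshis")
        if not refs or sum(o.amount for o in tx.outputs) > total_in:
            raise ValueError("inputs do not cover outputs")
        for ref in refs:
            del self.unspent[ref]  # step 5: spent outputs leave the pool
        for n, out in enumerate(tx.outputs):
            self.unspent[(tx.txid(), n)] = out
        return tx.txid()

def double_spend_demo() -> list:
    ledger, results = UtxoSet(), []
    ledger.unspent[("funding-tx", 0)] = Output(5_000_000, lock_for(b"alice-key"))  # constructed
    for payee in (b"bob-key", b"carol-key"):  # the same coin offered to two payees
        tx = Tx((Input("funding-tx", 0, b"alice-key"),), (Output(5_000_000, lock_for(payee)),))
        try:
            ledger.apply(tx)
            results.append("accepted")
        except ValueError as err:
            results.append(str(err))
    return results
```

Amounts are held as integer satoshis and a float is rejected outright, which is the bookkeeping-side guard against the shifted-decimal deposits described earlier in the thread.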