User talk:Luke-jr: Difference between revisions
No edit summary |
|||
(36 intermediate revisions by 15 users not shown) | |||
Line 1: | Line 1: | ||
* My comments on [[Tonal Bitcoin]] are not "trolling". They are my opinions, and you can discuss it on the talk page based on the merits. If you delete my comments again from a discuss page, I will ask the administrators to ban your account. That is not acceptable wikipedia behavior [[User:Lunokhod|Lunokhod]] ([[User talk:Lunokhod|talk]]) | |||
== Thanks for helping on the [[Heaven Sent Gaming]] article. == | |||
The bias was sloppy copyediting on my part, thanks for fixing it. [[User:Anon y Mouse|Anon y Mouse]] ([[User talk:Anon y Mouse|talk]]) 10:55, 24 August 2014 (UTC) | |||
== Headers == | |||
--[[User: | |||
Hi Luke, can you restore the [[Headers]] article please? It was useful for finding information about headers, and it's not obvious where people need to go without this reference article. There's already an article for [[block]]s, so I don't see why you needed to delete this, since it was useful. | |||
: There was no useful information, it was just a stub. Furthermore, headers are not a thing, they are just a part of a block... --[[User:Luke-jr|Luke-jr]] ([[User talk:Luke-jr|talk]]) 21:03, 5 September 2014 (UTC) | |||
== deep web == | |||
Luke-jr, bitcoin and deep web is closely related, as I previosly said... Your wiki contains bitcoin services as well as hidden wiki, it is only info ( nothing illegal) [[User:TheHiddenWiki|TheHiddenWiki]] ([[User talk:TheHiddenWiki|talk]]) 14:53, 11 September 2014 (UTC) | |||
== 247exchange == | |||
Hello Luke, | |||
is it possible to list our exchange service 247exchange.com here please: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)? | |||
We accept credit/debit cards (Visa, MasterCard, Maestro) for instant buying Bitcoin. SWIFT and SEPA bank transfers are also accepted. All countries except USA (where we don't have the licenses yet) are supported. | |||
Our exchange is licensed, secure and easy-to-use. | |||
Thanks in advance! | |||
== Weighing in on my discussion with RyanC == | |||
Hi Luke, I've been discussing the pros/cons of Warpwallets with Ryan Castelluci on his [[User talk:Ryanc|talk page]]. Could you share your analysis? | |||
It's a long discussion so to reiterate my position: | |||
1) There is a [https://nakedsecurity.sophos.com/2013/08/12/android-random-number-flaw-implicated-in-bitcoin-thefts/ real problem] with the faithfulness of blackbox RNGs that is hard to solve. RyanC agrees with me on that point. | |||
2) It's unwise to trust systems we can't verify when the stakes are high. For example, we can recommend users verify they're running a trustworthy wallet on a clean computer. Sounds great but if you really want to be sure that's very hard even for an expert. We can recommend they verify their wallet is actually (not just "supposed to", according to the source) using a faithful CSPRNG to generate the seed but '''nobody''' knows how to do that. | |||
3) What I like about Warpwallet is that it provides a unique blend of [http://maxtaco.github.io/bitcoin/2014/01/16/how-jason-bourne-stores-his-bitcoin/ simplicity with security]. | |||
It's not idiot proof, but none of the other solutions are either. For some use cases it's a genuinely better recommendation than the more traditional alternatives, and if that's true we owe it to the non-experts who look up to us not to parrot old advice. When a new technique comes along, let's think it through. | |||
We also need to accept that different solutions have relative advantages and trade-offs. Computer security is hard. There's no way around nuance. There are no absolutes. Nothing we recommend will fully protect users from being stupid or negligent. Some users will always choose the dancing pigs. | |||
We can recommend they don't store large amounts in hot wallets, but they'll do that anyway. We can recommend they don't backup their "encrypted" wallet to the cloud, but of course they will. We can recommend a random passphrase and they'll use something from a dictionary or a famous quote. We can recommend they pay more for a hardware wallet from a trustworthy source, they won't be able to tell who's trustworthy and they'll just opt to pay less. They're lose their paper backups to the cleaning lady, fire and flood. They will forget their encryption passwords. | |||
We don't respond to that by treating everyone like stupid irresponsible babies. We accept personal responsibility and give those that want it the best advice we have. | |||
4) Warpwallet is mostly guilty by association with naive SHA256 Brainwallets. Putting the SHA256 technique in anything with a web interface was like leaving a loaded gun around. Of course people got hurt and that's tragic. | |||
I understand why the natural reaction to that is just to taboo the whole brainwallet concept after that, but using extreme key stretching together with salting is something qualitatively different. | |||
You can't just cut and paste the SHA256 brainwallet public service announcement on to the new thing because the stupid thing came first. That would be like giving SHA256 brainwallets a pass if Warpwallet came first. The devil is in the details. We need to re-evaluate based on evidence. Warpwallet changes the cost of attack so that there's no longer a weak central point of failure users are known to be notoriously bad at. | |||
Case in point, the Warpwallet challenge offered a $20,000 jackpot to crack an intentionally weak 8-character unsalted wallet and survived unclaimed for 2.5 years. RyanC has argued a large botnet running his software could crack the challenge in a year or so and I hope someone does that to prove him right. | |||
But if the challenge was modified to use an unknown e-mail salt, Ryanc's Brainflayer running on a 25M node botnet would never find it. The universe would end first. If Warpwallet challenge included a list of 1000 possible e-mail salts, it would take the botnet 9 years to crack. To search 10,000 suspected e-mail salts: 90 years. That's not my opinion, that's math. | |||
Maybe I'm missing something, but my conclusion is that if you use Warpwallet with a pretty good passphrase and your e-mail as salt, you're much more likely to get your coins stolen by someone beating you over the head with a $5 wrench than a Brainflayer botnet with millions of nodes running for decades. | |||
Don't you agree? If not, that's fine, but please help me understand why. | |||
== Nick Szabo == | |||
Hi Luke-jr. | |||
Would be great to have more info on why the [[Nick Szabo]] article was deleted. | |||
We have a number or articles referencing him -- it's hard to argue he doesn't deserve an article here. Was it just incomplete or low quality? | |||
Thanks, -- [[User:JonathanCross|JonathanCross]] ([[User talk:JonathanCross|talk]]) 23:33, 12 August 2019 (UTC) | |||
The deleted page was just copied off Wikipedia. --[[User:Luke-jr|Luke-jr]] ([[User talk:Luke-jr|talk]]) 16:12, 27 September 2019 (UTC) |
Latest revision as of 16:12, 27 September 2019
- My comments on Tonal Bitcoin are not "trolling". They are my opinions, and you can discuss it on the talk page based on the merits. If you delete my comments again from a discuss page, I will ask the administrators to ban your account. That is not acceptable wikipedia behavior Lunokhod (talk)
Thanks for helping on the Heaven Sent Gaming article.
The bias was sloppy copyediting on my part, thanks for fixing it. Anon y Mouse (talk) 10:55, 24 August 2014 (UTC)
Headers
Hi Luke, can you restore the Headers article please? It was useful for finding information about headers, and it's not obvious where people need to go without this reference article. There's already an article for blocks, so I don't see why you needed to delete this, since it was useful.
- There was no useful information, it was just a stub. Furthermore, headers are not a thing, they are just a part of a block... --Luke-jr (talk) 21:03, 5 September 2014 (UTC)
deep web
Luke-jr, bitcoin and deep web is closely related, as I previosly said... Your wiki contains bitcoin services as well as hidden wiki, it is only info ( nothing illegal) TheHiddenWiki (talk) 14:53, 11 September 2014 (UTC)
247exchange
Hello Luke, is it possible to list our exchange service 247exchange.com here please: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)? We accept credit/debit cards (Visa, MasterCard, Maestro) for instant buying Bitcoin. SWIFT and SEPA bank transfers are also accepted. All countries except USA (where we don't have the licenses yet) are supported. Our exchange is licensed, secure and easy-to-use. Thanks in advance!
Weighing in on my discussion with RyanC
Hi Luke, I've been discussing the pros/cons of Warpwallets with Ryan Castelluci on his talk page. Could you share your analysis?
It's a long discussion so to reiterate my position:
1) There is a real problem with the faithfulness of blackbox RNGs that is hard to solve. RyanC agrees with me on that point.
2) It's unwise to trust systems we can't verify when the stakes are high. For example, we can recommend users verify they're running a trustworthy wallet on a clean computer. Sounds great but if you really want to be sure that's very hard even for an expert. We can recommend they verify their wallet is actually (not just "supposed to", according to the source) using a faithful CSPRNG to generate the seed but nobody knows how to do that.
3) What I like about Warpwallet is that it provides a unique blend of simplicity with security.
It's not idiot proof, but none of the other solutions are either. For some use cases it's a genuinely better recommendation than the more traditional alternatives, and if that's true we owe it to the non-experts who look up to us not to parrot old advice. When a new technique comes along, let's think it through.
We also need to accept that different solutions have relative advantages and trade-offs. Computer security is hard. There's no way around nuance. There are no absolutes. Nothing we recommend will fully protect users from being stupid or negligent. Some users will always choose the dancing pigs.
We can recommend they don't store large amounts in hot wallets, but they'll do that anyway. We can recommend they don't backup their "encrypted" wallet to the cloud, but of course they will. We can recommend a random passphrase and they'll use something from a dictionary or a famous quote. We can recommend they pay more for a hardware wallet from a trustworthy source, they won't be able to tell who's trustworthy and they'll just opt to pay less. They're lose their paper backups to the cleaning lady, fire and flood. They will forget their encryption passwords.
We don't respond to that by treating everyone like stupid irresponsible babies. We accept personal responsibility and give those that want it the best advice we have.
4) Warpwallet is mostly guilty by association with naive SHA256 Brainwallets. Putting the SHA256 technique in anything with a web interface was like leaving a loaded gun around. Of course people got hurt and that's tragic.
I understand why the natural reaction to that is just to taboo the whole brainwallet concept after that, but using extreme key stretching together with salting is something qualitatively different.
You can't just cut and paste the SHA256 brainwallet public service announcement on to the new thing because the stupid thing came first. That would be like giving SHA256 brainwallets a pass if Warpwallet came first. The devil is in the details. We need to re-evaluate based on evidence. Warpwallet changes the cost of attack so that there's no longer a weak central point of failure users are known to be notoriously bad at.
Case in point, the Warpwallet challenge offered a $20,000 jackpot to crack an intentionally weak 8-character unsalted wallet and survived unclaimed for 2.5 years. RyanC has argued a large botnet running his software could crack the challenge in a year or so and I hope someone does that to prove him right.
But if the challenge was modified to use an unknown e-mail salt, Ryanc's Brainflayer running on a 25M node botnet would never find it. The universe would end first. If Warpwallet challenge included a list of 1000 possible e-mail salts, it would take the botnet 9 years to crack. To search 10,000 suspected e-mail salts: 90 years. That's not my opinion, that's math.
Maybe I'm missing something, but my conclusion is that if you use Warpwallet with a pretty good passphrase and your e-mail as salt, you're much more likely to get your coins stolen by someone beating you over the head with a $5 wrench than a Brainflayer botnet with millions of nodes running for decades.
Don't you agree? If not, that's fine, but please help me understand why.
Nick Szabo
Hi Luke-jr. Would be great to have more info on why the Nick Szabo article was deleted. We have a number or articles referencing him -- it's hard to argue he doesn't deserve an article here. Was it just incomplete or low quality?
Thanks, -- JonathanCross (talk) 23:33, 12 August 2019 (UTC)
The deleted page was just copied off Wikipedia. --Luke-jr (talk) 16:12, 27 September 2019 (UTC)