Minetopics

Sunday, March 10, 2013

Ultimate Bitcoin Security

We'll discuss how to safely create and
spend from offline Bitcoin accounts.

In current events, the dreaded sequester (a round of across-the-board cuts in U.S. Federal discretionary spending) has kicked in, but US stocks have nevertheless attained new highs - despite troubling signs about global warming and the fragility of the boom in nontraditional crude oil extraction. One wonders if stock market investors are again indulging in "irrational exuberance."

There's another class of investment that is also at an all-time high, and that has been performing even better than stocks: Namely, the electronic currency Bitcoin. There are good reasons for this:

Bitcoin is gaining in mainstream acceptance, as the largest exchange (Mt. Gox) moves its trading operations to the U.S., in affiliation with an actual bank (Silicon Valley Bank), in preparation to meet demand from Wall Street investors for better-regulated access to the Bitcoin economy. Also, a licensed Bitcoin hedge fund is opening up in Malta.
The underlying fundamentals of Bitcoin remain strong, with an underlying cryptographic protocol that still has never been hacked, and that will likely remain unhackable for the foreseeable future; Bitcoin remains the most secure and lowest-cost medium for the digital storage and transmission of wealth.

In previous posts, I have described how individuals can realize Bitcoin's secure-storage capabilities for themselves through the use of brain wallets and offline paper wallets. However, one limitation of the techniques I described previously was that, in order to send Bitcoins stored in this way to another account, you had to enter your private key information into an online client program; this could expose you to a risk of having your coins stolen if the online computer had been hacked at some point.

The most secure Bitcoin accounts
or "wallets" are ones that are never
exposed to the Internet at all.

It turns out there is a safer way. It is possible to generate a bitcoin transaction order (basically, an electronic cheque) entirely offline, which means that, during this process, you can make it virtually impossible for any of your private key information stored in the offline computer to escape to the outside world, even if that computer has been hacked previously and is running some malware. Then, the generated transaction only -- which does not itself contain any private information -- can be moved to an online computer (via removable media such as an SD card or USB drive, say), and from there transmitted to the Bitcoin network. (To be extra careful, you should verify the contents of the removable media on another, independent offline computer before you expose it to a network-connected computer.)

This then provides a means for a relatively technically unsophisticated user to remain 100% confident that his stash of Bitcoins remains safe from theft, while still retaining the ability to spend or transfer portions of that store of liquid wealth on demand, as needed.

In this post, I will describe this process.

Part I. Creating an Unhackable Offline Wallet

One of the major premises of the method I'll describe here is "trust nobody." If you plan to store large amounts of wealth in Bitcoin, and you expect the value of those Bitcoins to grow significantly in the future, and you are paranoid about somebody, someday, stealing that wealth, then you want to make extra-sure that it is totally unhackable.

The first step in this process is creating an offline Bitcoin account, that is, one where the critical private information required to access that account never touches any computer that is connected to the Internet. This precludes your private data (and thus, your Bitcoins in that account) from being stolen by any electronic means - including compromised software.

Even so, you will need to use some software to run the algorithms required to compute your public Bitcoin address from a (typically randomly-generated) private key. If the software you use for this purpose is not trustworthy, then it could do things like instead generate fake "predefined" accounts built into the software, where the authors of the software already have the keys to that account. Given this risk, how can you make sure that your new Bitcoin account is generated as securely as possible?

The most essential requirement is that the random data that goes into selecting a key is truly randomly generated, and cannot be corrupted or influenced by an attacker so as to make it come out one way rather than another. Once you have the initial random data, with confidence that it is secure, you can verify that it is being transformed to a Bitcoin account correctly by redundantly performing this standard transformation with several different pieces of software (on an offline computer), making sure that they all return the same result. If they do then it becomes very unlikely that all those pieces of software were corrupted in the same way to give you a fake address.

This is a totally secure and unhackable
random-number generator.

Now, good random number generators are complex pieces of software, which would generally be difficult for the lay user to verify (to make sure they are generating high-quality, not-predictable random numbers). Therefore, what I recommend is: don't generate your random numbers using a computer at all. Instead, use a simple physical method, such as flipping coins or rolling dice. In this post, I will assume that you have access to at least one ordinary, 6-sided die. A pack of these can be purchased at many convenience stores.

Armed with a die, you are now ready to generate the truly random, private data needed to securely create a new Bitcoin account. This can be done by hand, using a procedure which I will describe; however, to simplify and partially automate the steps of the process, I have written a little program to help you. This program is simple enough that, if you know anything about computer programming at all, a quick look through it can convince you that it is not doing anything insecure.

First, I will describe how to download and run the program; then, I will take you through what the program is doing, so you can verify the code for yourself or (if you're not confident in your ability to do that), go through the steps by hand.

I(A). Downloading and Running the Dice-Wallet Program

GitHub is a popular site
for hosting open-source
programming projects.

I have stored this program on the online source code repository GitHub, at the web address https://github.com/mikepfrank/dice-wallet. GitHib is a popular site for sharing code and allowing users to propose improvements. (However, I, as the original author of the dicewallet program, have the final say over whether any proposed change is integrated into the online copy.)

To download the program, you can either click the ZIP button (if you know how to unzip a file), or (perhaps easier), download the files individually, by, one file at a time, clicking on the file name and then clicking the "Raw" button, then selecting "Save as..." in your browser. Save them all to the same folder.

Python is a popular and easy-to-use
programming language.

Now, the program dicewallet.py is written in the Python programming language; if you do not have Python yet, you can download the latest copy from http://www.python.org/download/releases/. It's free. Make sure you get version 3.x.x (a version number starting with 3), not version 2.x.x - the script will not work with Python 2.

Note that using the Python language technically means you have to trust it. But, if you don't even trust Python, which is one of the most popular and beloved of all computer languages, then may God have mercy on your soul. (Anyway, you can always verify the program's output by hand if you're suspicious.)

How to run the program may vary with your operating system. In Windows, double-clicking the dicewallet icon should be enough to start it, if Python has been installed successfully. It should bring up a window that looks something like this (you may have to expand it and scroll to see the full contents):

Initial window contents when you run the dicewallet.py program.

At this point you have a menu with three options, to select what size you want your randomly-generated data to be, measured in bits or binary digits. The choices are:

64 bits' worth of random data. This is relatively quick to generate, since it requires only 25 rolls of a 6-sided die. The random information is translated for you by the program into a 5-word passphrase. This is relatively easy to memorize, but it also might be cracked more quickly by a determined hacker.
128 bits' worth of random data. This takes twice as long to generate (50 rolls), and (at 10 words long) is at least twice as difficult to memorize accurately. However, it is much more difficult to hack
256 bits' worth of random data. This takes twice as long again to generate (100 rolls) as the 128-bit option, at at 20 words is a challenge to memorize. But it is virtually impossible to hack, and is at the very highest level of security that the Bitcoin system currently supports.

You might want to create dice wallets of several sizes (measured in terms of the amount of random data used to generate them), with short, easily-memorized ones for everyday use, and a very large (256 bit) one to store your life savings. However, personally, even if you are good at memorizing, I don't recommend you rely on your memory alone; instead, you'll want to also print out copies of your random data, and store them in several secure locations (in a fireproof safe, or in a safety deposit box at a bank, etc.). More on this later.

Let's now illustrate what happens when you enter option 3:

Dicewallet console after selecting option 3 (max amount of random data).

Note the program displays some information about your selected choice, and then loads the diceware dictionary. This is a plain-text file which you should examine; it provides an English word or symbol corresponding to each of the 7,776 possible sequences of 5 die rolls. The top portion of it looks like this:

-----BEGIN PGP SIGNED MESSAGE-----

11111 a

11112 a&p

11113 a's

11114 aa

11115 aaa

11116 aaaa

11121 aaron

11122 ab

11123 aba

11124 ababa

...

And so on. At the very bottom of the file is a PGP signature which you can use, if you're really paranoid, to verify that the word list has not been modified; here's some information about where to get PGP by its original author. GPG is a good substitute for most purposes. Here's the signature in my copy:

-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv

iQCVAwUBOn7XUmtruC2sMYShAQHp4AQAh5x14GkCvdpz1RyXkywa/nBlmVNrcect

i/8z4jvFsBOJQgzRC/BdwDuFv2NVPbEjE33e8YXcOP6dnyCqzF0nmKpqNchMPHS3

QICqA9fIs9azxl/0Zro4fxzl3ewRxldyW8TY9Vj6uayNAqy+mYUXC5FZFSX3kOHo

bgR/yfB40fA=

=c65y

-----END PGP SIGNATURE-----

I downloaded the word list file originally from this link and some additional information about Diceware can be found on this page. I'll sum it up below.

IMPORTANT: For security, you need to go OFFLINE before doing this next step. Unplug your computer from the Internet, turn off your router, disable its network interface - whatever you have to do. The very safest thing would be to run the program on a computer that was set up from the original factory settings and was NEVER connected to the Internet. However, even if it has never been connected to the Internet before, as long as it never WILL BE connected to the Internet in the future, you know your private data can't be hacked. So, really paranoid users may want to reserve a dedicated computer for this sort of thing.

I(B). Rolling the Dice

So next, you just need to start rolling your die, and entering the numbers, five at a time, into the program. To save time, you could roll 5 dice at once, but if you do this, you should make sure they are different colors, or otherwise distinguishable, so that you can input them in a definite sequence. If you didn't do this, and you subconsciously entered the results in some order that was correlated with the die values (say smallest to largest), you could bias the results, and reduce the randomness of your data. Short of coloring the die, one simple way is to read off the dice in some definite order (left-to-right, say) across your field of view.

Let's show the screen after the first 25 rolls:

Diceware interface after entering 1st chunk of dice-roll data for a 4-chunk passphrase.

Note that the data entry is broken into "chunks" of 5 dicewords each (corresponding to 25 die rolls); each of these providing about 64 bits' worth of random data. This is just done for organizational purposes.

Note the program is doing two things here: Converting the die rolls to a number in base 6 (from 00000 to 55555), which will be used in a later step; and looking up the Diceware word corresponding to each group of 5 die rolls. You can see that, for this first chunk, the 5 word sequence selected was "11 other porto wow nice." If this was a 64-bit run, we would be finished with data entry at this point, and would have an easy-to-remember passphrase.

However, this is a 256-bit run, so we have 3 other chunks worth of die rolls (75 more rolls) to enter. I'll skip the gory details of that process, and just show you the final result. At the conclusion of the process, the final output is as follows (and this would look better on a wider terminal):

Final output of Dicewallet for a 256-bit random key.

Here is what the output would look like, with the same data, if the application is run within the IDLE editor that comes with Python: You may find that a little easier to read since the long data strings aren't wrapping around. (To get this in Windows, right-click the dicewallet icon, select "Edit with IDLE", then in that window, hit function key F5 or select Run --> Run Module from the menu.)

Dicewallet output in the IDLE environment.

So, a couple of things to note about the output here:

The entered chunk of random data is displayed in several forms. You may use any of these to generate a Bitcoin account. The passphrase (sequence of words/symbols) might be the easiest to remember and to communicate to others. But the decimal and hexadecimal passcodes (which are mathematically equal to the base-6 number derived from the die rolls) may be faster to type. You might want to omit the commas when typing the decimal code.
Since the entered data was actually a little more than 256 bits' worth, we can also generate a 256-bit hexadecimal Bitcoin private key directly by just taking the last 256 bits (64 hex characters, 32 bytes) of the hexadecimal passcode, and use that directly. That is, this would not need to be put through a brainwallet key-generation algorithm to turn it into a private key - it is already a private key.

I(C). Making Your Public Address

Now that you have a randomly-generated passphrase or private key, how do you convert it to a public Bitcoin address that people can send money to?

As I've discussed in previous posts, perhaps the easiest way to do this currently is to download the HTML source code to the website bitaddress.org, store it on your offline computer, and run it (without being connected to the network). It is self-contained JavaScript in a single HTML file, and will run without needing to connect to any servers. To verify that it is working correctly, you may want to compare the output with that produced by some other offline tool, such as an offline copy of http://brainwallet.org/, or the Casascius Bitcoin Address Utility. (Or, compare output with an online tool such as blockchain.info, but with a "test" key that you are not planning to actually use.)

As an example, here's what bitaddress.org shows for the above passphrase (here I'm using it online, just for demonstration purposes, but it works the same offline):

BitAddress.org after entering our 20-word random Diceware passphrase.

And, for comparison, here is brainwallet.org with the same input:

BrainWallet.org after entering the same 20-word random Diceware passphrase.

As you can see, both sites come up with the same account information, namely:

Public Bitcoin address: 1FuKeiWSyu6gAxFvWXs1hPzJRpUm5vBLQC
Private key (WIF format): 5J3rXKZWszMKgwdMUHbjNLN2XA9cW8jzkQDQCmtGat49g1BnsPi

So, both tools are working OK, and if we're still not sure, we can compare with a third tool. (All offline of course.)

At this point, it's essential that you make multiple backups (paper and/or offline electronic) of this derived account data, or at minimum the passphrase that was used to generate it, to make sure that you will be able to recover any Bitcoins put into this account. Again, I recommend paper backups in multiple secure locations that you have physical control over. If you encrypt your electronic backups, be careful - this raises a sort of chicken-and-egg problem, where now you have to worry about forgetting the encryption passphrase, if it's sufficiently strong, so now you have to make backups of it, and you haven't really solved the problem.

In the next section, we'll discuss: Now that you have this nice safe offline Bitcoin account, how can you securely send money from it, without needing to risk exposure of your private key data?

Part II. Spending from Offline Accounts

In this part, I'll discuss: Now that you have this nice safe offline Bitcoin account, how can you securely send money from it, without needing to ever risk exposure of your private key data?

The StrongCoin service proves a simple tool which you can run offline to generate your transaction details. You can download it here. To use it, you have to look up the transaction history for the Bitcoin address you are trying to spend coins from. This can be done from the "mytransactions" query service at Blockexplorer.com, using a URL starting with "http://blockexplorer.com/q/mytransactions/" followed by the address. I'll illustrate this process, step-by-step, for an actual example below. I actually was forced to go through this process today to retrieve some coins from a paper wallet, because other clients were not accepting its private key for some reason.

Step 1. Create Offline Wallet

I previously used BitAddress.org.html (offline) to generate a paper wallet with the following details (safe for me to give out, now that the coins are emptied from it):

Private key: 5KVkdnmRqbiRvuvzQdMpiUbCyGrxJUzUpU83HNcbMK3tRT1BPqN
Public address: 1CrkvauazZGd7cegyYkw2PK4M9MMNmVNek

Step 2. Fund Wallet

At some point, I sent 10 BTC to this address from another account, and then used Blockchain.info to send 2 BTC from it to Mt. Gox, with a 0.001 BTC transaction fee, and sent the 7.999 BTC change back to the same paper wallet.

However, a little later, I ran into problems, because a temporary glitch in blockchain.info's transaction database prevented me from spending any of the remaining balance. Fortunately, I still had my paper wallet printout, so I tried importing the private key into Electrum, as well as the official "Satoshi" client, now called Bitcoin-Qt (v0.8). Unfortunately, these did not work either! (I still don't know why yet.) So, I decided to try out this offline spending method instead.

Step 3. Find Account's Transaction History.

The next step is to obtain the complete transaction history of your account, in a certain format. This can be done by going to http://blockexplorer.com/q/mytransactions/ followed by your account address, in my case http://blockexplorer.com/q/mytransactions/1CrkvauazZGd7cegyYkw2PK4M9MMNmVNek. The complete output from this was:

{
  "53a602149fc54b72d5e0b6fb888451014c30237c45fc1ee1c3701cf73cc4e4d1":{
    "hash":"53a602149fc54b72d5e0b6fb888451014c30237c45fc1ee1c3701cf73cc4e4d1",
    "ver":1,
    "vin_sz":2,
    "vout_sz":2,
    "lock_time":0,
    "size":440,
    "in":[
      {
        "prev_out":{
          "hash":"66aa708e2c3ba7884d99e7e57a686846a662bcc397e12ca6af72d0a8d78a078b",
          "n":1
        },
        "scriptSig":"3046022100fa94cb6ce0810ad37972df074aa9f4477fd246e84731d6325e14a232f1fbab69022100fc531111e2dd49c2d8550c61fe0d1aca4de1b3f7158d07c55ee79fb7bb6e56db01 049da190afa6511f738d695b5c5178e890ff04e4f85b1ad7b83fa97d538b232c1067c9679facb04fea4120e0bb878871e5aeca02f11ebd1222938b616f1c938d82",
        "address":"18drA1GCocJ3FVcSj4bqeTmUDmg479XC8m"
      },
      {
        "prev_out":{
          "hash":"e4ee8b473f08cf0fa985ee357bbd8f096043d692c6e236fba3bcf8570e2bf814",
          "n":1
        },
        "scriptSig":"3046022100a3ec31eb91a945f0288c5b5a8d055665800a5d279bec2104d38fe9f5ecf013cb022100820a2d203bd6f44120cd8b2f24604d6f3685392871048ab84eab26fa3f5559be01 0466f9e3fea3b01035369c2615a2546a74e0ee660814f5d540975c840aafb970c03f01424fee9b05b3966c33296b5150cedca602fcd35814e846af0b9dbf7d8e30",
        "address":"1Lg1XqLo7pvTqoa49NXXewGfMnPztMVhFs"
      }
    ],
    "out":[
      {
        "value":"10.14810000",
        "scriptPubKey":"OP_DUP OP_HASH160 b7bbc94f4810f4b2baf5458d46ffe680668f082a OP_EQUALVERIFY OP_CHECKSIG",
        "address":"1HkVcjN7vobUetiW89f79P9HouXNweSJvg"
      },
      {
        "value":"10.00000000",
        "scriptPubKey":"OP_DUP OP_HASH160 82126e7a2729c87a7ddd75577c87cc170429857a OP_EQUALVERIFY OP_CHECKSIG",
        "address":"1CrkvauazZGd7cegyYkw2PK4M9MMNmVNek"
      }
    ],
    "block":"00000000000000af338999746c3a8c08d75d848d8d8bbd223058ee16eea6175f",
    "blocknumber":"223674",
    "time":"2013-03-01 01:26:21"
  },
  "87e6e5b30ce286fa50389391fe7d6cb547d1817dd1194ac5ff4017b15a672b5b":{
    "hash":"87e6e5b30ce286fa50389391fe7d6cb547d1817dd1194ac5ff4017b15a672b5b",
    "ver":1,
    "vin_sz":1,
    "vout_sz":2,
    "lock_time":0,
    "size":257,
    "in":[
      {
        "prev_out":{
          "hash":"53a602149fc54b72d5e0b6fb888451014c30237c45fc1ee1c3701cf73cc4e4d1",
          "n":1
        },
        "scriptSig":"304402206bd8e1bbde33ba97a702e93286c764db4d1cdec8448c96b6d419d4055ca1756902206a78a3bb81db0a7d7a16d8f388de5f5b33e93f0418d3968ee9bb3596f9a053f201 04ee17f6e9f51926d9d07d19cd1d1bb73c993fb190fedbc2c6f1b8fa05d04682b62043076036e642fc80b176e3645edad73d8ff5bb5f2e4f571f620b2fd0fc4e44",
        "address":"1CrkvauazZGd7cegyYkw2PK4M9MMNmVNek"
      }
    ],
    "out":[
      {
        "value":"2.00000000",
        "scriptPubKey":"OP_DUP OP_HASH160 305d8de76154bc34281c0fd582e652eae6f73d6b OP_EQUALVERIFY OP_CHECKSIG",
        "address":"15QjWUaFwP4nU8qZbVziLRgkvBgNNZ1S5W"
      },
      {
        "value":"7.99900000",
        "scriptPubKey":"OP_DUP OP_HASH160 82126e7a2729c87a7ddd75577c87cc170429857a OP_EQUALVERIFY OP_CHECKSIG",
        "address":"1CrkvauazZGd7cegyYkw2PK4M9MMNmVNek"
      }
    ],
    "block":"0000000000000103673aad34c8073127549c27ccb9e98460d1598c5bdefaa37e",
    "blocknumber":"224766",
    "time":"2013-03-08 01:52:32"
  }
}

You can see, near the end, where I previously sent out two coins and sent myself back the 7.999 BTC change.

Step 4. Generate Offline Transaction

Then, on your offline machine, you run StrongCoin's offlineTransaction.html page, and fill in the various fields (hitting the Parse button after the top two to verify your balance), and then hit the Generate button. Then the tool gives you, in the last field, a long hexadecimal string which is the digitally-signed transaction order. In my case, the screen looked like this:

StrongCoin's offlineTransaction.html tool, with fields filled in.

Step 5. Move Signed Transaction Back to Online Computer

You can do this using an SD card, USB flash drive, or other removable media. For safety, I recommend a bare card with no other data on it. To be extra-safe, you should make sure that there really is no other data on the card by checking it on yet another offline computer that you trust has not been compromised. If you are extremely paranoid, you can even avoid digital media, and just write down the transaction code on paper - that way, you know that no malware is stowing away your private key data in a hidden file somewhere on the media.

Step 6. Insert Transaction Order into Bitcoin Network

This last step is very easy, but requires running a client that can handle raw transactions. The default Bitcoin-Qt client does this, through its Debug console interface. I used version 0.8.0 of the client. Select menu Help --> Debug window, and click the "Console" tab. The debug window then looks like this:

Bitcoin-Qt (0.8) Debug Console

At this point, all you have to do is type the necessary command name "sendrawtransaction" at the prompt, followed by a space, and paste your transaction data copied from the last field of the offlineTransaction tool, which in this case gives me:

sendrawtransaction 01000000015b2b675ab11740ffc54a19d17d81d147b56c7dfe91933850fa86e20cb3e5e687010000008a473044022028d0ecf4101826b3c9890480ff9e291fe22aa8b00d877d139b420027f4ab82800220d0197fc20a0bf96c3b660a01bd5ae06eb366e873d36d5736c146fa53dd5d85e8014104ee17f6e9f51926d9d07d19cd1d1bb73c993fb190fedbc2c6f1b8fa05d04682b62043076036e642fc80b176e3645edad73d8ff5bb5f2e4f571f620b2fd0fc4e44ffffffff01c0faab2f000000001976a9147781393fa77a8e3abc472bd430ca3f9424ba933688ac00000000

And hit enter. The transaction (if properly formatted and verified) will then be immediately injected into the Bitcoin network. You have to wait several minutes for block confirmation(s), as usual. (Note that you cannot re-enter this same transaction, because those coins have already been spent; if you want to practice, you'll have to make your own!)

Or, even easier (and, this way, you don't have to wait for your full node to catch up to the block chain) - just visit https://blockchain.info/pushtx and paste your transaction data there. (Thanks to Eric Heaney for the tip!)

That's it for now! Have fun playing with your offline wallets and offline transactions!

Saturday, March 2, 2013

Ripples in the Ocean of Liquid Assets

In today's world, banks dominate the issuing of credit (loans), and debt-backed paper money. The banks accept promises to pay back the loan from loan recipients, and in return give them credit in a loan account, which is essentially a promise to pay out bank notes on demand, and the bank notes themselves represent promises from the Federal Reserve to... (it's not clear what - it used to be "pay out gold on demand," but not since Nixon closed the gold window in 1971). Basically, a U.S. Federal Reserve Note represents some slice of the "full faith and credit" of the United States federal government, but only in some rather vague and ill-defined sense. But in any case, it, too, is basically an I.O.U., a token of obligation (borne by future taxpayers, presumably).

But really, since long before banks were invented, in fact, ever since the dawn of trade itself, any individual has been able to issue a promise to pay (an IOU, whether verbal or recorded), and anyone who trusts that person has been free to accept that I.O.U., in exchange for goods and services, if they want. The only problem is, personal IOUs are not very liquid or transferable, since only people who already know and trust the issuer will accept them. It's possible that, if I trust you to owe me $100, and my friend John (who doesn't know you) trusts me to owe him $100, I can facilitate a loan of $100 from John to you by acting as an intermediary. But keeping track of such "chained debts" by hand is a cumbersome and inefficient process. People usually find it simpler and easier to use centralized issuers of credit, such as banks and credit unions.

Unfortunately, this centralization has created a problem in the world today where banks, by virtue of their effective monopoly on the issuance of credit, effectively dominate and control the world. These days, no large new project can get accomplished unless its proponents can borrow the required liquid capital from a bank or other large financial institution. Well, one can also issue stock (which is another kind of promise - a promise that the buyer will retain a share of the equity in the venture, and that the officers of the company will exercise fiduciary responsibility in maintaining shareholder value), but usually the underwriters or initial buyers of shares in an IPO will be large financial entities such banks and hedge funds - so effectively in this case it's still these large centralized entities that permit such large promises to be made.

Well, to be fair, these days are a few exceptions, such as crowdfunding through websites like Kickstarter and RocketHub, But these are best suited to funding flashy, exciting, original projects, not necessarily to meeting the everyday needs of small businesses and individuals that need access to credit for miscellaneous reasons, such as to renovate their premises, or buy a new appliance, or a car, or a home. If the "common man" wants to protest against unfair bank policies, and "vote with his feet," as it were, there are few practical alternatives to big financial institutions today.

A solution to the near-monopoly that the banking industry
has today on the issuance of credit.

But, a brand-new, revolutionary electronic credit system called Ripple aims to solve this problem. Ripple solves the problem mentioned earlier of identifying and tracking chains of person-to-person obligations, by keeping track of all these obligations in a distributed electronic system. It effectively allows participating individuals to serve as banks for each other.

In Ripple, any user can "grant trust" to any other.
This is like giving them a new credit line or loan account.
You can create it out of thin air, just like the banks do!

If I trust my best friend Alice, say, to borrow $1,000 from me (i.e., if I will accept an IOU up to $1,000 from her), I can input this information into the Ripple system; then if another person (my cousin Bob) trusts me to borrow $1,000 from him, then Alice can effectively borrow $1,000 from Bob by issuing me a $1,000 IOU, and then I issue Bob a $1,000 IOU. Then Bob has an IOU he trusts, and in exchange for it, he can give Alice $1,000 (or some resource he is selling for $1,000) without worrying about whether he needs to trust Alice. The beauty of the Ripple system is that it finds these linkages automatically through the network, and keeps track of the resulting IOU balances for you. Later, the IOUs can be canceled out (the debts repaid) by another chain of IOUs going in the opposite direction.

Ripple automatically chains together trust relationships, so that you can
accept IOUs with confidence even from people you don't know directly.

IOUs in Ripple differ from bank loans in two important respects:

They do not inherently carry any interest.
There is no specific deadline by which they have to be paid back.

A $100 bill is essentially just an IOU
from the US Federal Reserve System.

Therefore, in this sense, Ripple IOUs are more like bank notes (standard paper currency, representing bank debt) than they are like your typical loan agreement from a financial institution. A bank note (a $100 bill, say) declares that the issuing bank (which, these days in the U.S., is ultimately a Federal Reserve bank) owes the holder $100. (That amount used to be payable in gold and silver; now at best you could get a bank account balance with it, or use it to defray a tax obligation.) But, the issuer of those notes (again, the Fed) doesn't have to pay the holder of the note any interest, nor can the holder demand settlement of the note at any specific time. It's like an indefinite-period, interest-free loan. I suppose it's conceivable that the Fed could pay off all its notes by, for example, offering convertibility to dollar-denominated precious-metal coins, say, but I doubt I'll see this happen within my lifetime.

Anyway, the point is, by generating and sending an IOU (denominated, typically, in some existing currency) to another party via the Ripple network, you are effectively creating your own new paper money, in the same way that banks do when they create loan accounts. Ripple IOUs are backed by the underlying social web of trust that they are based on - i.e., by their users' statements, within the system, that they trust each other to repay those IOUs, up to the specified limits.

Ripple makes it easy for anyone to exchange
IOUs for "real" money, or convert between
currencies. BitStamp is an existing entity that
provides these services for Ripple users.

Another benefit of Ripple is that it facilitates the creation of automatic, distributed currency exchanges. Using Ripple, anyone can act as an exchange, and facilitate currency trades via reciprocal trust relationships between themselves (as the exchange) and the individual buyers and sellers of currencies. One existing exchange that you can use with Ripple already is BitStamp.net. BitStamp will allow you to do deposits of "real money" (US dollars or Bitcoins, say) with them, and take out withdrawals in the form of IOUs issued from them to you within the Ripple network. Then, once you have some IOU value inside the Ripple network, you can also set up BitStamp as your base currency issuer for any particular currency you wish to trade (BTC, or USD, say). (If you want to try this, BitStamp's Ripple address, for exchange purposes, is rvYAfWj5gh67oV6fW32ZzP3Aw4Eubs59B.) With that capability in place, you can then easily and automatically convert IOUs between different currencies in the process of sending them to another party. So if I trust you for dollars, I can loan you Bitcoins, or vice-versa.

One limitation of Ripple (in its current implementation at Ripple.com) is that there is a small transaction fee for sending IOUs or making currency trades; this is denominated in XRP ("ripples"), which you can think of as postage stamps used for delivering transactions. XRPs are pretty cheap; lately the exchange rate for them through Bitstamp.net has been hovering in the general neighborhood of 10,000 - 50,000 XRP / BTC, meaning that each XRP only costs around 0.000'02 - 0.000'1 BTC (i.e., two to ten milli-bitcents), or about US$0.000'7 - $0.003'5, that is, in the ballpark of one-tenth of a cent. Someone has to give you some XRPs in order for you to get started using Ripple -- you need to keep a balance of at least 300 XRP (about a dollar's worth, or less) on hand to use all features of the system -- but, once you have some XRP, you can always buy more at market prices by going through the trading interface. Also, Ripple.com has been hosting various XRP "giveaways", such as one for Bitcoin Forum users.

It's important to note that, even if you don't transfer a lot of "real money" into Ripple through a gateway like BitStamp.net, as long as you have some XRP on hand for executing transactions, you can use Ripple to manage and track IOUs between yourself and your friends/family/neighbors/customers/clients in any amount you want. If you trust your brother to borrow $1,000 from you, there is nothing to prevent you from granting him $1,000 worth of trust within the Ripple system, and then he can generate an IOU in the amount $1,000 to you "out of thin air," as it were, and send it to you in the Ripple network, in exchange for your giving him $1,000 of money in the "real world." When he pays you back, you send him an IOU in Ripple for $1,000 to cancel out his debt. In this way, you are using Ripple to track the debts in your social circle. And, as long as a chain of trust exists from you to any other party, even someone you just met who you don't know directly, you can use Ripple to automatically generate the chain of IOUs that secures a new loan that you issue to them.

A new Ripple currency unit: 1 LMR.

You can also make up and use entirely new "currencies" within Ripple, to represent not just dollars or Bitcoins, but anything you want. Let's say your neighbor wants to borrow your lawnmower. You could agree to use a new made-up currency unit of "1 LMR" to represent the lawnmower; then you could grant your neighbor a trust for 1 LMR, and then he could send you an IOU valued at 1 LMR in exchange for your actual lawnmower. When he returns the lawnmower, you give him the IOU back. Thus, Ripple can be used to track any kind of obligation you want. If you are exchanging labor with friends in volunteer activities, you could use "1 PHR" to represent one person-hour worth of labor. Etc., etc. Except for the special unit XRP that's used to pay the system's transaction fees, the Ripple network does not know or care what the currency units represent, and you can choose them to represent anything of value that you and your friends agree on.

The beauty of Ripple is that it allows the easy creation
and spread of liquidity. Anyone can create liquid wealth
that ripples from person to person through the network.

I only just started learning about Ripple within the last week or so, but already I'm convinced that it could be the key to finally free mankind from our virtual enslavement by the big banks, by giving us a way to generate and distribute our own credit to each other, based on webs of trust between individuals. If enough of us sign up to use Ripple, and grant trust within it to all the people we know and trust in their lives, there will soon be a "network effect" resulting in almost everyone in the world becoming able to use Ripple to loan, borrow or transfer value, represented by Ripple IOUs, to/from each other, almost anywhere in the world, even if they do not already know each other. With money readily transferable, and credit obtainable, by individuals, without needing to go through banks, many of the big banks, with their high fees, will quickly lose business and collapse - and good riddance to them! Ripple could easily become the basis for overthrowing the entire global banking system, and unshackling us all from the cold and self-serving control of the global financial elites.

Therefore, I urge you to sign up for and begin using Ripple today. If you have friends who already use it, ask them to give you a few XRP to help you get started. Or if you're an established user of Bitcoin forum, get some free XRP in the giveaway (I got 40,000). Eventually, there will be ways to directly buy XRP on an exchange even if you don't already have some, and then everyone in the world can get involved. At the moment, availability of XRP is more limited - I think they are trying to grow the system gradually, to avoid growing pains.

But, I, for one, am very much looking forward to the day when almost everyone in the world uses Ripple to track their obligations; then we can all just create our own money as needed, in the form of IOUs backed by our existing networks of social capital, and, best of all, we can collectively give a giant "screw you" to the big banks, who have been funding the destruction of our planet's habitability through pollution of the commons, privatizing their profits while socializing their losses through "too big to fail" bailouts (which they can only extort from lawmakers to begin with because the bankers have such exclusive control over the issuing of credit today that they can threaten to crash the global economy by withdrawing it), and sucking up all of our wealth through their control of the present global monetary systems.

By collectively adopting Ripple, and using it to issue credit to each other directly, the world's people can (finally!) successfully "vote with our feet" and tell the big bankers, NO MORE we will put up with your malevolent, greedy control and manipulation of our human economy for your own enrichment! WE ARE FREE!

"Screw you, you rich bastard banksters!"

P.S. Just in case anyone would like to grant me a trust, my own Ripple address is: rnfLDQaxN7isxzWZuc6BM8jeiCb2WSGpdG

Saturday, February 23, 2013

Super-Easy Offline Bitcoin Wallets

In a previous post, I discussed Bitcoin brain wallets and described a way to generate them offline using the Casascius Bitcoin Address Utility.

Since then, I have learned about a much easier way to create brain wallets (and paper wallets) offline, by downloading a tool called BitAddress.org. In this post I describe, step-by-step, how to download and use this tool offline.

Now, you can also just use BitAddress.org right there in your web browser while online. But, the potential risk there is that if there was some malware on your computer (or if the BitAddress.org page itself were corrupted), it might send your secret brain-wallet passphrase or private key over the Internet to some attacker who might later steal any Bitcoins you later transfer into the accounts that you created while online.

To prevent this, you can download the source code to BitAddress.org, disconnect your computer from the Internet entirely, and then run the code offline to generate all the brain wallets and/or randomly-generated paper wallets that you need without any network exposure.

After you have printed out any backup copies you want, saved them to encrypted virtual drives on USB sticks, or what-not, you can then reboot your computer (or to be really, really safe, wipe its hard disk and reinstall its O/S), and then safely reconnect it to the Internet without having to worry about your private keys (and your Bitcoins) potentially getting stolen.

Thankfully, BitAddress.org makes it super-easy to run its code offline. Here's how you do it:

While connected to the Internet, go to http://bitaddress.org in your web browser.
Near the lower-right corner of the page, there is a link to "GitHub Repository." Click it.
The resulting page shows two files, a README text file, and a file called bitaddress.org.html which contains the HTML and embedded JavaScript source code. Click the latter filename, and you will see a listing of the file contents (with line numers).
Now click the "Raw" button, and you will see the raw (unformatted) source file (with no line numbers or any other page decorations).
Right-click on any blank (whitespace) area in that raw listing and select "Save As..." (in Chrome; or the equivalent action in your browser).
In the save dialog, navigate to a convenient save location - your Desktop will do for now, although you might want to make an archival copy of the file somewhere else for later use.
After the file is downloaded, disconnect your computer entirely from the internet.
Then, drag-and-drop the file onto your web browser (onto an open window or the browser application icon). Or you can select "Open File..." within the browser's menus and navigate to the file. The browser should open a new tab pointing at a "file://" URL and load the page contents.
Now, you are running the BitAddress.org page entirely offline! Wiggle your mouse around a little bit right away, to generate some random bits to seed the random-number generator.

The page contents will then look something like this (although with different random data, of course):

BitAddress.org page (online or offline), after wiggling mouse to generate randomness.

Now, if you want to create a brain wallet, simply click the "Brain Wallet" tab. Click the "Show" checkbox (for ease of typing - but make sure no one is spying on your first), type your passphrase, and click View to see the public address and private key for that brainwallet account. For example:

Brain Wallet generation tab, after typing a passphrase and clicking the View button.

When satisfied, you can click the "Print" button to make a paper printout for safekeeping. You can also scan the QR codes into your smartphone, or just write down the public address and/or private key. Or, you could just write down your passphrase - since you can always regenerate the private key from it. Note that if you REALLY trust your memory for your passphrase, you might not need to record anything at all right now, except for the public Bitcoin address, which you will require in order to receive any Bitcoins into this brainwallet. (You will have to give that address to whoever is sending you the Bitcoins.)

Another very useful feature of BitAddress.org which you can use offline is its paper wallet generation feature. Click the "Paper Wallet" tab, and it will auto-generate for you several new Bitcoin accounts represented as beautiful "bit-bills." They look like this:

A "bit-bill" generated by BitAddress.org's "paper wallet" option.

Isn't that just beautiful? You can print these out, as many as you want, and make multiple photocopies of them as backups. You could also cut out the credit-card sized left third ("Load & Verify" part, with the Bitcoin Address) of one of your copies, and carry it around with you, so that you can give that address out to people that you want to receive Bitcoins from. At any time, you can receive Bitcoins to the address on the left, then write down how many you received in the "Amount" field, and whenever you are ready to spend, you can import the private key on the right into your favorite Bitcoin client to spend it. (I recommend Blockchain.info and Electrum for casual users.) And, even before you're ready to spend, you can import the address into a client like Blockchain.info as a "watch-only" address, to securely monitor the contents of the account (without risk of losing them).

These kinds of private keys, generated offline using a high-quality, non-repeatable random source, and subsequently stored only on paper, are utterly (at least, until you import them into a client to spend them) unhackable by any electronic means. (And actually, for added security, you can even spend coins in an offline manner by following the instructions here.) These offline Bitcoins could only be stolen by physically stealing (or copying, or photographing) the private key. You can keep them in safes, safety deposit boxes, bury them in your back yard, behind a brick in your Mom's basement, wherever you like. You can make them as safe from accidental discovery or theft as you want them to be. You can burn all paper copies and keep just a brainwallet passphrase in your brain (if you trust your memory that well; for good security your brainwallet passphrase must be VERY LONG).

One caveat: To be totally confident in the security, you might want to examine the source code in the bitaddress.org.html file, to convince yourself that it is really using high-quality nonrepeatable random numbers, and that it isn't storing a copy of your private information on the computer's hard drive (in a browser cookie, say) where it might be retrieved later. (As I mentioned earlier, if you're worried about the second possibility, you could always wipe your hard drive after generating your brainwallet or paper wallet.)

If you do keep a brain wallet, for maximum security it should ideally contain a full 256 bits' worth of true randomness. This Facebook note describes a method that can be used for memorizing that amount of random data. But for max security, you should probably generate your random data offline. Here is one method for doing that using dice.

Friday, February 22, 2013

Rebalancing Your Liquid Assets

It seems ironically amusing, and almost symbolic, that the Pope will be stepping down on the same day (Feb. 28, 2013) that the clock will run out on the sequester, after which many U.S. Federal government programs will be operating at substantially lower spending levels than previously, which many people (rightly) worry may nudge the U.S. (and the world?) into a newly-resurgent recession. The more theologically (or conspiratorially) minded among us might even wonder whether the period of "many tribulations" prophesied for the next papacy might end up being brought into being by the resulting economic struggles.

One of many authors who have pointed out the
"perfect storm" of resource crises that mankind
will face in this century.

I personally am highly skeptical when it comes to such theories, but nevertheless, I do often worry about the long-term prospects for avoiding the collapse of (let alone growing) the world economy in the face of peak resource flows of various kinds (cheap oil, fresh water, phosphorus, arable land, etc., etc.). Traditional economic arguments that "the market will always provide," due to higher prices stimulating investment into developing more efficient technologies that will extend the planet's productivity, in terms of the amount of human economic activity it can support, may no longer hold true in a world wherein many key resources are peaking all at once, while simultaneously we are getting pummeled by the impacts of rapid climate change along with various other manifestations of the degradation of Earth's ecosystems which we are causing through our civilization's over-development, and its resulting excessive resource draw-downs and polluting waste flows. At some point, the spiraling complexities of multiple, cascading resource shortages and environmental crises may simply grow faster than our ability to cope, and the whole system could come crashing down like a house of cards. Yet despite these enormous systemic risks, our politicians waste time arguing with each other uselessly about speculative trivia such as how to deal with naively-extrapolated Medicare costs 25 years from now, a time by which point, vast, rapid changes in our environment and our economy in the meantime most likely will have rendered the present debates on this topic almost entirely irrelevant.

In any event, during a period such as today when no sane person who is paying attention to the world can have much (if any) confidence in the ability of our so-called "leaders" to navigate a safe course through the dangerous shoals humanity is facing, it pays to hedge one's bets. And, one way to hedge against the failure of the existing regimes of governmental and financial oversight (by nation-states, central banks, etc.) is to invest in forms of wealth that are more or less immune to having their value destroyed by what we can anticipate will be future desperate maneuvers by political and financial leaders who will, sooner or later, find themselves rapidly losing control of an increasingly untenable global situation, as (for example) increases in agricultural and energy productivity eventually become unable to keep up with what is needed to sustain world population. It world only take a year or two of, say, climate-change-induced crop failures in several major "breadbasket" regions around the world to exhaust all grain reserves and plunge billions of people in poor countries into severe famine conditions. In such an environment, scenarios such as a devastating world war over resources between major powers become not at all unlikely.

For this reason, among others, I plan to maintain a significant chunk of my personal wealth (pitiful as it is at the moment) in the safest possible form, so that, if worse comes to worst, I will retain access to it even in a rapidly-deteriorating situation.

The world's safest, most convenient form of liquid wealth.

As I have argued in previous posts, one of the safest, and perhaps the safest, place to stash a "rainy-day fund" of liquid wealth is in the global electronic crypto-currency known as Bitcoin. This is because of several desirable properties that Bitcoin holds, compared to other asset classes:

Unlike sovereign currencies such as the US dollar, it cannot be debased (its supply hyperinflated to worthlessness) by possible future irresponsible actions by governments, central banks, or anyone;
Unlike precious metals, it cannot be debased through advances in mining technology, asteroid mining, and nuclear synthesis;
It can be transmitted electronically, in minutes, anywhere in the world, with very low fees, without needing to go through a bank or other third party;
It does not require trusting any other party to hold it for you (and give you access to it when you need it);
It can be held (and redeemed) anonymously;
It can be made as secure from loss or theft as you wish it to be; it can be backed up in multiple locations, and hidden away in the safest places you can imagine (you can even store it in your brain if you are so inclined).

The one risk in holding Bitcoins, which it shares with most other forms of money, is that its market value may someday fall to next to nothing if it becomes increasingly unpopular, which could happen if (for example) a clearly technologically superior alternative to it should arise. However, even if this did happen, the new technology would probably be adopted only gradually, and this would give most people time to migrate their liquid wealth out of Bitcoins (and into the new currency) before Bitcoin's value falls too far. In the meantime, a large and growing installed base of Bitcoin-based applications and services will ensure that the currency retains a relatively stable value for some time. For the last year at least, the Bitcoin value has remained fairly stable, and has mostly risen (see below chart).

The price of 1 Bitcoin in US dollars has remained fairly stable, or risen steadily, for most of the past year.

It is interesting to note that the present value of 1 Bitcoin is US$30, close to its all-time high, and greater than the value of an ounce of silver.

You can buy one of these for less than 1 BTC already.

Further, we can argue that the value of Bitcoin has a lot more upside growth potential than the value of silver, or gold, or other precious metals. This is because, relatively speaking, not very many people hold Bitcoin yet, since it is relatively new, and a lot of people haven't learned about it yet.

Furthermore, the total number of Bitcoins in existence is limited, by mathematical algorithms that cannot be changed except by a consensus of most users, to never be more than 21 million.

For comparison: Just the amount of silver that has already been mined has been estimated at about 43 billion ounces. This means that, if eventually Bitcoin becomes merely equally widely held to silver (despite its clear practical advantages over silver), that is, with an equal amount of wealth stored in it, 1 Bitcoin will at that point be worth more than 2,000 ounces of silver, or in other words, more than $60,000 in today's dollars.

So, for those who are already convinced that Bitcoin is the cat's meow, how should one proceed?

One could put one's entire personal wealth into Bitcoins, but that would probably be unwise, just in case someday there it suffers a systemic failure (e.g., if the cryptographic algorithms underlying it were found to have weaknesses - although most experts strongly believe this is not the case).

A more conservative approach, like in traditional portfolio management, is to simply maintain some fraction of one's wealth in Bitcoins (or any given form, for that matter). This allows you to see some upside if the value of that asset appreciates, while limiting your losses to the fraction of your savings that is stored in that form.

Rebalancing your portfolio periodically can help you
hedge against risks from over- and under-investment.

Furthermore, if you periodically rebalance your portfolio to maintain the desired distribution of assets, then this has an effect similar to dollar-cost averaging, in that it causes you to purchase more of the asset when its price is low, and less when the price is high, so that the net effect is the "buy low, sell high" behavior that is the essence of good investing.

As an example, suppose initially you had $400, and decided to invest 1/4th of it in Bitcoin, and at that time the cost of 1 bitcoin was $10. Then you have 10 BTC ($100 worth) and $300 in dollars. Now, suppose that subsequently, the price of Bitcoin repeatedly fluctuates up to $100/BTC and back down to $10/BTC, and suppose you rebalance your portfolio each time the price hits these targets.

The result of this strategy would be, your wealth would increase by 3.25x (225% gain) each time the Bitcoin price goes up by 10x, then you rebalance, and then your wealth decreases by 1.29x (22.5% loss) each time the price goes down by 10x. But the net result of each cycle is an increase in your total wealth by 2.52x (152% rise). After just 3 of these up-down cycles, you would be about 16x wealthier overall than when you started. See this spreadsheet for the calculations.

It is not really necessary to rebalance at particular price targets - you still can gain (although not as much) if you simply rebalance your savings periodically - e.g., after each paycheck. As long the price is repeatedly fluctuating, up and down, you will still gain overall from applying this approach. So, you can relax, and not worry about having to constantly watch the price and react instantly to price changes.

There is a simple formula you can use to determine how many Bitcoins to buy or sell each time you want to rebalance your portfolio. Let us make the following definitions:

p = The percentage of your wealth that you want to keep in Bitcoin, expressed as a fraction (e.g., p=0.25 for 25%).
B = The number of Bitcoins that you have currently.
D = The number of dollars (or whatever your "home currency" is) that you have currently.
e = The current market exchange rate for Bitcoins in terms of your home currency (e.g., dollars per Bitcoin).
b = The number of Bitcoins you should buy (or if negative, sell) to rebalance your portfolio.

With these definitions, the number of Bitcoins b that you should buy, right now, to balance your portfolio to attain the desired percentage p in Bitcoin is:

Number of Bitcoins b to buy to balance your portfolio.

(When b comes out negative, that just means to sell |b| Bitcoins, rather than buy.) This strategy thus becomes very easy to implement if you just track your assets and the Bitcoin price in a spreadsheet; each time you want to rebalance, just buy or sell according to the formula.

It takes discipline to maintain a portfolio-balancing strategy, though. There is a temptation, when an asset price has been rising, to put more of your money into that asset, rather than less, and there is a temptation, when the price has been falling, to take your money out of that asset. But, for an asset with a cyclical price pattern, that would be exactly the wrong thing to do. (Since it would lead to "buy high/sell low" behavior, which is never a winning strategy.)

The price of Bitcoin might not turn out to be cyclical, it is true - but even if the price is steadily rising, rebalancing is safe to do - since that just means, if the price rises faster than your USD savings, so that "b" comes out negative, that you are taking out a dividend for yourself from your BTC investment - you still gain somewhat from the rise (although admittedly, perhaps not as much as if you did not rebalance).

The only scenario in which rebalancing is not safe is if the value of the asset is falling, indefinitely, towards zero - in which case you could end up losing all your wealth by this strategy. So, it is probably a good idea to have a cutoff - a price where, if the asset value falls below that price, you will not throw any more "good money after bad" by investing it in that asset. Personally, I would probably give up rebalancing my savings into Bitcoin if its price fell below, say, parity with the dollar, for any significant length of time. But I do not expect that to happen, at least, not any time soon. More likely, I think, is that its price will continue to rise significantly each year, for quite some time.

UPDATE 4/9/2013:

Since writing this post, I have been periodically rebalancing my BTC/USD portfolio. Initially I rebalanced using the above formula whenever my %BTC rose one or two percentage points above or below my target percentage (which was 25%). However, I soon realized this was inefficient (since this happened too often) and that my average gains would most likely be greater if I only rebalanced on larger swings, such as +/- 5%. I designed a spreadsheet that would calculate automatic buy/sell thresholds that I could enter on Mt. Gox to automatically rebalance my portfolio whenever the %BTC strayed outside that range (20-30%). I later increased my nominal %BTC to 30%, with the same tolerance of +/- 5% so that my range was 25-35%. This strategy has been successful, although in the last couple of weeks, the Bitcoin price has risen so quickly that I have still had to rebalance about 5 times! I have posted an example of a spreadsheet that can do all these rebalancing calculations for you at THIS LINK, feel free to download a copy and use it yourself!