Comment Re:Fundamentals (Score 1) 583

Namecoin (a distributed name system based on Bitcoin) had a problem a few years ago that demonstrated an example of this. Majority mining power just disappeared from the network, and it took miners months to produce 2016 blocks after that, ultimately rendering the network useless (until they found a way to mine both currencies in parallel with 100% efficiency on both, which is very interesting in itself).

I think I start to see what you mean. You're saying that I'd need to win against the rest of the internet's difficulty in order to make a valid block. And that no block is valid unless it follows the difficulty function, which is historically validated down the chain.

Interesting. I'd read about the difficulty heuristic but hadn't thoroughly understood it or realized the implications. In fact you have come up with an entirely new and fairly huge problem for bitcoin that I hadn't considered. Since the difficulty function is not real-time, bitcoin could suffer the same problem that namecoin suffered. It could, in fact, kill the entire thing far more acutely. All you need is a sufficient fluctuation in CPU volume. Right?

So you should be quite afraid of DoS attacks - but far more of changing market conditions. If something causes people to start to leave the network a little too quickly, and it slows down, causing a further exodus, then you have a runaway condition, and the entire thing is doomed for a "temporary" period long enough to kill it, effectively. No?

Bitcoin's fault tolerance is remotely similar to Freenet.

I think you can see my point about the ease of segmentation - and that it is irrelevant to the attack that the block chain can be reconstructed from a single leak, since there would be no leaks in a likely attack. And, agreed - quite academic in light of the issue you raise about faking blocks.

I don't think this conflicts with what I said. You need to break the chain of transactions in order to render the history useless.

Transactions are a chain. In the case of bitcoin, you have perfect and transparent recordkeeping of this chain as a precondition to the system working. Once a link is made, for any reason, you can never break it. You can have many wallets, but at scale you can't keep them separate. At any scale, you still need to have your various accounts exchanging funds sooner or later (and so will any laundry). You can try to create huge volumes of noise, break transactions and amounts up, and make many intermediate fake accounts, but none of those games are particularly resistant to analysis. Hence the example I linked to earlier.

We haven't even started to talk about the guts of P2P routing yet. From Freenet to Gnutella, the ideals of distributed computation never once met the realities. What happens when nodes in Bitcoin's mesh misbehave in different ways? Make too many connections? Route data in valid but esoteric ways? Spam bad data at neighbors, and blame it on other neighbors? And so forth...? The P2P substrate is actually a terribly difficult design problem that is usually inseparable from the higher-level goals of the network, and I've heard relatively little about how the protocol itself works.
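As an added illustration of the Namecoin episode and the "difficulty function is not real-time" point above (example code written for this page, not from the thread): a simulation of Bitcoin-style retargeting after a sudden loss of hashrate. It assumes the usual parameters (2016 blocks per period, 10-minute target, correction factor clamped to 4x per period) and ignores the real implementation's known quirks.

```python
"""Simulate difficulty retargeting after the network hashrate collapses.

Added example; assumes Bitcoin-style parameters, simplified (no timestamp
off-by-one, constant hashrate after the drop, expected block times only).
"""

BLOCKS_PER_PERIOD = 2016                  # retarget interval
TARGET_SPACING_MIN = 10                   # intended minutes per block
PERIOD_TARGET_MIN = BLOCKS_PER_PERIOD * TARGET_SPACING_MIN  # 20160 min = 2 weeks
MAX_ADJUST = 4.0                          # clamp on the per-period correction


def retarget(old_difficulty, actual_period_minutes):
    """Next difficulty: scale by expected/actual period time, clamped to [1/4, 4]."""
    ratio = PERIOD_TARGET_MIN / actual_period_minutes
    ratio = max(1.0 / MAX_ADJUST, min(MAX_ADJUST, ratio))
    return old_difficulty * ratio


def simulate_hashrate_drop(hashrate_fraction, periods=4):
    """Return (period, difficulty, minutes_per_block, days_for_period) per period.

    Starts at equilibrium (10 min/block, difficulty 1.0), then the hashrate is
    multiplied by `hashrate_fraction` (0.1 = 90% of miners leave) and stays there.
    The difficulty only reacts once the full 2016-block period has been mined.
    """
    difficulty = 1.0                      # relative to the pre-drop equilibrium
    hashrate = hashrate_fraction
    rows = []
    for p in range(1, periods + 1):
        minutes_per_block = TARGET_SPACING_MIN * difficulty / hashrate
        period_minutes = minutes_per_block * BLOCKS_PER_PERIOD
        rows.append((p, round(difficulty, 4), round(minutes_per_block, 2),
                     round(period_minutes / 1440, 1)))
        difficulty = retarget(difficulty, period_minutes)
    return rows


def days_until_recovered(hashrate_fraction, max_periods=50):
    """Total days of slow blocks until the block interval is back within 1% of target."""
    total = 0.0
    for _, _, mins, days in simulate_hashrate_drop(hashrate_fraction, max_periods):
        if abs(mins - TARGET_SPACING_MIN) < 0.01 * TARGET_SPACING_MIN:
            break
        total += days
    return total


if __name__ == "__main__":
    for row in simulate_hashrate_drop(0.1):
        print("period %d: difficulty %.4f, %.2f min/block, %.1f days" % row)
    print("days until recovered:", days_until_recovered(0.1))
```

With a 90% hashrate loss the first period alone takes 140 days at 100 minutes per block, and because the correction is clamped to 4x a second slow period follows before the interval returns to 10 minutes.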

Comment Re:Fundamentals (Score 1) 583

I had a longer response that was just eaten by the browser. Now unfortunately I have to be brief:

You can't roll back transactions or double spend without producing blocks, and producing valid blocks doesn't get easier by isolating the victim from the network. If you agree that brute force attacks on proof of work aren't impractical, this isn't very viable either (i.e. people will realize there's something wrong when confirmation takes hours to days instead of minutes).

It has to be easier if you isolate someone from the network. Imagine if all the computers but yours disappeared tomorrow. Are you saying your computer could not now win a race of 1? Or that there is any difference between a communications cutoff and lack of existence?

I don't get what you mean here. Even if a little information is leaked between the segments, the network will be whole again. Of course you have to have a reasonable leak. For instance, you could send the data on a flash drive and I wouldn't consider it a valid leak because of the latency.

If I am intercepting your communications, it is less complex to intercept everything rather than some things. Confirmations will be quite speedy, since they will come from me as well.

For the rest, I would suggest reviewing the Anonymity page bitcoin themselves puts up.

The Weaknesses page puts it succinctly: "Tracing a coin's history can be used to connect identities to addresses."

Comment Re:You're not kidding (Score 1) 583

Here's Kaminsky: http://www.slideshare.net/dakami/bitcoin-8776098

Scammers and legitimate entrepreneurs make these same arguments, and try as hard as they can to sound the same. Of course if you worked a little at something and it seemed vaguely original to you, you are the lifeblood of capitalism and no amount of reward seems too much. If it went south later and screwed everyone downstream, who could have ever foreseen it? Just be careful your arguments would sound convincing to a jury when all the downstream people come calling.

As a side note I am quite sure the mining difficulty explosion was expected. The entire design expects it, and the papers explain this clearly. It's necessary for the system to work.

We actually are very hesitant for the law to protect people from their investment decisions, rightly so, and I think it would take our society quite a while to come up with any kind of response, let alone protections surrounding, these decentralized financial systems. I believe, don't get me wrong, that they have an important future. But in the meantime, buyer beware.

Comment Re:You're not kidding (Score 1) 583

I think the Kaminsky analysis coupled the astoundingly rich rewards for early adopters - which dwarf most comparable things in the world of commerce (you could make what is now worth $90 at a very high rate with a cheap CPU, and they did this for many years before mining got tough), with the extremely poor chances faced by later adopters who arrive before the sell-offs, scandals, and centralization necessary for scale, to reach the "Ponzi-like properties" statement. I suspect the insider's hoard, mined when the difficulty was low and the payoff was rich, is worth more today than $75m, or at least I should hope it would be, for their sake?

Put differently, if you can create a fake currency, convince enough people it's real for it to be worth something, and then dump your holdings of it before it all crashes down?

Yeah, that's shady, bordering on criminal. Of course, the people who lose their shirts are the sucker investors, who are supposed to be parted from their money if they're fools, but there are limits to that philosophy embodied in common law. If Bitcoin's creators and insiders falsely represented their system as part of the scheme, they could go to prison (and they have been careful not to, though mixed messages are an old scam long recognized in law, and you cannot be entirely covered by disclaimers about how experimental and likely to fail bitcoin is if you also say some less careful things too).

All that said, I imagine this was a well-intentioned experiment from the start, though I can't know. It's just one of the interesting risks you run, in that position.

Comment Re:You're not kidding (Score 1) 583

Actually I replied to gox and have many concerns remaining at this point. He is making good arguments, though.

I think he's particularly off base on the anonymity issue.

If you can link to Bruce Schneier endorsing bitcoin's security, I would love to read it. You can't though, because he hasn't.

Kaminsky shredded it as well - links to his deck from 2011 are all over this discussion, but I can provide one if you like. In conclusion he said it had "Ponzi-like properties" - though he refused to charge it as such directly, yet. His words, not mine.

Your comment about white hats turning black - I think you are suggesting that people who found flaws in bitcoin might keep them to themselves, and use them to profit rather than disclose them? I agree with you - though that rather cuts against bitcoin's credibility than for it.

Comment Re:Fundamentals (Score 1) 583

Please keep in mind that convincing me isn't less difficult than convincing the whole network. You still need to produce hashes lower than the target, and even if I am only connected to you and perfectly believe you, every block you need to produce needs the same amount of work as the rest of the network.

I don't see how that follows yet. Rolling back transactions or double spending is more than enough to sink everything. I merely need to fool you for long enough to engage in another transaction - perhaps including converting the currency out of bitcoins. Bitcoin's own vulnerability FAQ (which openly discloses several fatal-looking flaws I hadn't thought of besides this one) indicates segmentation is not a practical attack because "any leakage" will carry the whole network state. Which I don't understand at all - because in many scenarios it is more work to create segmentation with leakage than without?

The attack presumes I can control your communications with the rest of the world - indeed, for most internet users this is the status quo via several entities, such as their ISP and their repressive government (leaving aside the various other ways it can happen). A split sounds like a good term - splinter, probably more accurate. In such a case, the difficulty of the attack must be reducible, or how can the rest of the world, which we are not communicating with (for long enough for me to defraud you) still be a factor in the CPU spend for the attack? Shannon will wake from his grave to hear the explanation.

Once I have my stolen cash, I'm perfectly happy for the splinter to heal - in fact, I want it to, so I can steal from you again later.

Bitcoin is not anonymous

In discussions I am having here today, this is still news to others, I'm afraid. In fact I think it is hardly redundant. For instance, I would like to address your assertion that, if you wish to remain anonymous, trusted 3rd parties have any relevance.

First of all, the concept is enormously troubling on its face - enough so that no one seriously advising others about anonymity should speak of it. But let us say there are really 3rd parties you would like to trust, and you have a desire to perform anonymous transactions.

I think we need to make it clear what we are talking about here: Bitcoin is the least anonymous, most transparent currency ever invented. Nothing else in existence is more law-enforcement-friendly.

Your trusted third party scenario is my dream if I am an FBI agent. As an intermediary for someone else, you buy something with account Y. Associating your real identity with your cryptographic identity is policework - let us admit that it can and will be done. From there on out I can see every transaction you have ever made with Y. You may make multiple identities - so much the better. With surveillance of your net connection (which even in the US I can do without a warrant) I will learn any identity you use to conduct business. That's leaving aside that, soon, wallet Y will be empty and wallet X will be full. What will you do then? It is impossible to indefinitely segment your payables from your receivables, for reasons found in elementary accounting.

You have all the same problems as a traditional money launderer and many new ones that no money launderer has ever had before.

Anyone who wishes to perform anonymous transactions (the right of every hard cash holder since the invention of money) should run screaming from Bitcoin.

Because the transaction data you need isn't in the chain.

If I cannot tell who owns what, then I can double-spend. If I can tell, then I can see transaction data. No amount of complex dressing can hide this simple wound.

In fact the chain is exactly the transaction data I need, unless I have totally misunderstood the chain, and so did the many security researchers that have been creating transaction graphs from it, i.e. http://eprint.iacr.org/2012/584

Comment Re:You're not kidding (Score 1) 583

I do not buy that there has been adequate review of the system - at least, that is not what I see when I look at the public discussion.

A billion-dollar bounty? Who will pay me a billion dollars? I would like a link on that specious claim, please. Do you imagine anyone could recoup the capitalization of an entire market by finding a flaw in the market?

I'll point at my more specific concerns here:

http://slashdot.org/comments.pl?sid=3595715&cid=43317603

I don't think the lack-of-inflation argument is bitcoin's problem.

Comment Re:Fundamentals (Score 1) 583

I agree brute force attacks would be impractical - this is really what the entire design preoccupies itself with.

If I had to guess, it would be the use of communication interrupts and/or denial of service attacks, or man-in-the-middle attacks (more practical for a high-tech police state like China), to dramatically reduce the computational power needed to mount an attack. For instance, I can steal your coins if I can convince you of an incorrect chain being the longest. It is not necessary for me to keep up with the world's CPU power - merely to prevent you (and enough others) from accurately seeing the world at the right times. Then I have created splits which would be quite disruptive. As the network scales, so would the disruption. When enough people are losing their money, the lack of confidence spreads like a virus, and that is how you destroy a currency/bank/nation/etc.

This simple "communication starvation" attack seems so elementary and effective to me that I feel like I must be missing something. But what? I don't buy the "paranoia" argument - that it hasn't happened yet is simply because a state or network-level actor hasn't yet gotten involved. Were the system to succeed, such involvement seems inevitable to me. Prior to the dramatic success of bitcoin (which perhaps we are on track for?), the lack of such problems also makes sense.

Regarding anonymity, I'm afraid I don't follow how this currency isn't an NSA/FBI wet dream yet. Even the traditional banking system is not this transparent. If I can prevent double-spending, I can see what you did with your bitcoins, regardless of how many addresses you use. If I can hide my identity by changing addresses, then money can magically move from one identity to another without a transaction, and I can double-spend. How could it be possible for it to be any other way? And since the chain must necessarily be public, the entire world must (or at least should) have the same information - about every transaction.

If tumblers can launder money, all they can do is take on criminal liability in this highly transparent system - so it is unclear why anyone would want to be a tumbler in that world, but perhaps you can argue that people will host them in "areas with poor law enforcement." However, if double-spending prevention is successful, and there is a clear transaction chain, why is it not entirely straightforward (if merely computationally intensive) to unravel all tumbling activity using the chain? That would make tumblers a dangerous bit of theater.
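The two sides of the "convince you of an incorrect chain being the longest" exchange turn on how a node actually compares chains, and on what an isolated node could notice on its own. This added example (written for this page, not code from the thread or from any Bitcoin implementation) shows the two defensive pieces: selection by cumulative work rather than block count, and a stale-tip check that flags block silence too long to be plausible under normal arrivals. Difficulties are in relative units and block timestamps are constructed.

```python
"""Chain selection by cumulative work, plus a partition/stale-tip heuristic.

Added example; simplified model, not Bitcoin Core's code.
"""
import math
from dataclasses import dataclass


@dataclass
class Block:
    height: int
    difficulty: float    # expected hashes needed to find this block (relative)
    timestamp: int       # unix seconds


def chain_work(chain):
    """Cumulative work is the sum of per-block difficulty, not the block count."""
    return sum(b.difficulty for b in chain)


def choose_chain(local, candidate):
    """Adopt the candidate only if it carries strictly more work.

    A longer chain of easy blocks does not beat a shorter chain of hard ones,
    so an isolated node cannot be fooled by block count alone: each block a
    peer shows it still had to meet the difficulty the chain's rules require.
    """
    return candidate if chain_work(candidate) > chain_work(local) else local


def prob_no_block(minutes_silent, spacing_min=10.0):
    """Block finds are roughly Poisson: P(no block in t) = exp(-t / spacing)."""
    return math.exp(-minutes_silent / spacing_min)


def looks_partitioned(now, tip_timestamp, alarm_p=1e-3):
    """Flag when silence since the tip is so unlikely that losing contact with
    the network (or being fed a stale/private view) is the better explanation.
    exp(-t/10) drops below 1e-3 at roughly 69 minutes of silence."""
    silent_min = (now - tip_timestamp) / 60
    return prob_no_block(silent_min) < alarm_p


def make_chain(n_blocks, difficulty, start_ts=0, spacing_s=600):
    """Constructed sample chain with evenly spaced timestamps."""
    return [Block(i, difficulty, start_ts + i * spacing_s) for i in range(n_blocks)]


if __name__ == "__main__":
    local = make_chain(3, 100.0)
    longer_but_easier = make_chain(5, 50.0)
    print("kept local:", choose_chain(local, longer_but_easier) is local)
    print("partitioned after 70 min:", looks_partitioned(70 * 60, 0))
```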

Comment Re:Fundamentals (Score 1) 583

I don't believe you. If I can prevent double-spending, I can see what you did with your bitcoins, regardless of how many addresses you use. If I can hide my identity by changing addresses, then money can magically move from one identity to another without a transaction, and I can double-spend.

If tumblers can launder money, all they can do is take on criminal liability in this highly transparent system. Even so it is likely possible to unravel the entire tumble using the chain.

Comment Fundamentals (Score 2) 583

I read the Nakamoto paper. Here are my concerns.

The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes, or so it is hoped. But pervasive communications are also assumed so that chain length can be measured, for the CPU-power argument to be possible to begin with. Consider how many key elements in the protocol require extensive communication, for instance to determine chain length. Between botnets, transparent proxies, ASICs, domestic and foreign powers with extensive eavesdropping, intercept, and computational resources... who by the way might be rather put out at having their currencies threatened... do you really want to trust any hard earned cash to this system? Or... if it is easy to make or get bitcoins without hard work, how much can they really be worth?

Meanwhile, is it anonymous, or has this massively transparent electronic P2P currency been designed to keep a particularly difficult to erase record of every transaction completed with it? From the paper:

Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

...aaaaaaand, the section ends. So good luck, silk-road purchasers.
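The linking the quoted paragraph describes, and the transaction-graph work cited earlier in the discussion (eprint 2012/584), both rest on one rule: inputs spent together are treated as one owner's. This added example (written for this page; not the paper's or any researcher's code) applies that rule with union-find over a constructed sample ledger and then lists what a known address reveals. Only the multi-input rule from the paper is applied; change-output heuristics are deliberately left out.

```python
"""Common-input-ownership clustering over a constructed sample ledger.

Added example. Each entry is (txid, input addresses, output addresses);
the addresses and txids are made up for illustration.
"""

SAMPLE_TXS = [
    ("tx1", ["A1"], ["B1", "A2"]),          # A1 pays B1, sends change to A2
    ("tx2", ["A2", "A3"], ["M1"]),          # A2 and A3 spent together -> one owner
    ("tx3", ["B1"], ["C1"]),
    ("tx4", ["A3", "A4"], ["B2", "A5"]),    # A3 and A4 spent together
    ("tx5", ["C1"], ["C2"]),
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Map every input address to the frozenset of addresses linked to it.

    Multi-input transactions are assumed to be signed by a single owner, so all
    their input addresses are merged. Output-only addresses are not clustered.
    """
    uf = UnionFind()
    for _, inputs, _ in txs:
        for addr in inputs:
            uf.find(addr)                 # register single-input spenders too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {a: frozenset(members) for members in groups.values() for a in members}


def addresses_linked_to(known_addr, txs):
    """All addresses the heuristic attributes to the owner of `known_addr`."""
    return sorted(cluster_by_common_input(txs).get(known_addr, {known_addr}))


def transactions_of_owner(known_addr, txs):
    """Every txid in which a linked address appears as input or output."""
    owned = set(addresses_linked_to(known_addr, txs))
    return sorted(t for t, ins, outs in txs if owned & set(ins) or owned & set(outs))
```

Revealing that A3 belongs to a person also attributes A2 and A4 to them and exposes the three transactions those addresses touch, which is the "linking could reveal other transactions" risk the paper names.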
