Which bitcoin privacy enhancing tool are you most optimistic about in the future?
Roger, first off, thanks for hosting this for our community.
Right now one of the biggest privacy risks is the liquidity of bitcoins within privacy tools.
Between things like coinjoin, BC.i's "shared send", bitcoin fog, and many other coin tumblers, there's no shortage of tools to enhance privacy with bitcoin. Unfortunately, each of these tools has fairly small amounts of coins trickling through it, which reduces its effectiveness.
The % of the global population who use Bitcoin is low, and the % of bitcoin users who use these tools is even lower. This makes heuristic analysis much easier when tracing coins through privacy enhancing tools.
I'm not currently excited about any tools on the horizon because I don't know of any. Share if you do.
Which side do you expect to win the arms race, the privacy enhancing tools, or the bitcoin tracking tools?
I think it will oscillate like a pendulum. Battles will be won on both sides, but the war will rage on... but that battle won't rage within Bitcoin alone.
Bitcoin itself is very trackable by design. Its counterfeit mechanisms depend on knowing the source of all funds. I think the real privacy battles will take place on some other sidechain, blockchain, or altcoin that does things much differently.
How is adoption going in Canada? I know Canada is quite the hub for financial tech and IT. Is cryptocurrency catching on?
Hi Jamie, thanks for your post.
Canadian adoption of bitcoin is slow but steady, just like we see online. There are pockets of huge interest across the country where multiple stores accept it and ATMs compete for fees with their competitors down the street.
It's easier than ever to buy bitcoins since our exchanges can be linked to our bank accounts here via Interac and bank transfers... and there's no shortage of sellers on localbitcoins.com. Earlier this year I was surprised to see a Bitcoin ATM in a restaurant here in Toronto, and that they accepted bitcoin for payments!
Now that banks are taking a serious look at the technology, I think it's just a matter of time.
Canada has typically been on the forefront of financial technology. We accepted chip-and-pin payments via Interac for years before our American neighbours did, and it's still being implemented in some states down there. I imagine this trend will continue when Canadian merchants begin accepting Bitcoin en masse.
Hey Michael, have you heard of my tool, Bitcoin Trivia? Would you consider collaborating together to cross market each other's applications to help educate the bitcoin ecosystem?
Frankenmint, no I have not seen your tool. Neat!
Yes, C4 would consider collaborating with anyone that can help our mission.
C4 is asked regularly: "What can I do to prepare to take the CBP or CBX exams?"
I usually point them to the blog post that Josh McDougall wrote on the subject.
You've piqued my interest. I'll take your trivia challenge and if the questions cover similar content as the CBP or CBX, I will happily point people your way for some sample questions.
We will regularly be rolling questions out of our exams as new ones are added. It might make sense to give you these "spent questions" since many of them are still relevant but were removed simply because we added Qs and don't want people posting answer keys online.
As a security expert, can you explain what you see as the biggest threat today to bitcoin? In the next 3 years?
How often do business or government bodies contact you or C4 for expertise, and what types of questions are they interested in learning?
Hi Timryan, thanks for your Q.
In my opinion, the biggest threat to bitcoin is the perception people have of the technology. This may not be a technical one, but it's a strong risk nonetheless.
Technically, it's quite difficult to shut down the Bitcoin network by blocking ports or shutting down nodes because of Bitcoin's distributed nature. Legal attacks on Bitcoin are also ineffective since other countries' laws don't apply. Bitcoin is a protocol like email, which is a language for communicating information. Trying to ban Bitcoin is like trying to ban people from speaking French... you just can't stop peers communicating however they like.
But if people perceive bitcoin as "bad" - for whatever reason - they will choose not to use it themselves. Right now there are thousands of us who know Bitcoin is a great tool, but there are many uninformed or misinformed people out there who think "Bitcoin is only used for drugs" and don't see the rest of the good Bitcoin can do. If this negative perception were to propagate across the population and positive perceptions are suppressed, Bitcoin will have very little use amongst a very small group of people.
As Andreas has said in the past, money is a "shared delusion" - it only has value because we all agree it has value. It's mind over matter in the purest form. This shared delusion - this perception of value - is the reason why Bitcoin works, and is the biggest risk to bitcoin and the US dollar, and all other types of currency.
TL;DR: my opinion is that perception is the biggest risk to Bitcoin.
Finally, people contact me fairly regularly for help with bitcoin, blockchains, security, investigations, or other related things.
I've been involved with bitcoin since 2010, began consulting in 2012, and left my job to consult for a living in 2014.
It's become somewhat common for people to contact C4 looking for CCSS audits to ensure their system is architected securely. I have to explain to them that C4 is a non-profit standards body, not an auditing body - we just publish the guidelines for anyone to use.
To address this, C4 is in the middle of developing a registry of CCSS auditors that will be available on https://cryptoconsortium.org. This will allow anyone to register as an auditor to advertise their services, and allow anyone to search for an auditor to conduct their security audit. We are planning for these features to be available when CCSS is ratified as a formal standard.
What would you say is the best language-agnostic way to study for the technical exam? In other words, is the exam centered around bitcoin code in a certain language (C++, python, javascript, etc...)? Multiple languages? Best practices from the CryptoCurrency Security Standard itself?
Great questions.
The CBX exam question database is undergoing final review by Andreas M. Antonopoulos and a group of technical people he's asked to join his committee. I was a part of the exam building process so I'm familiar with what it covers and how.
The exam questions are all language-agnostic by design. The questions cover the various protocols and algorithms used by bitcoin under the hood without touching any language that may use bitcoin. For example, on the scripting side it covers the API interface, the API calls and how they are used together to achieve goals (building simple and complex transactions, signing them, broadcasting them, etc.).
On the mining side it covers the usage of GetBlockTemplate, the Stratum protocol, and how mining works under-the-hood (block header building, double-sha256 hashes, the nonce, and which specific fields are hashed). As for Bitcoin itself, the exam covers the structure of all Bitcoin primitives including block header fields, transaction fields, and Bitcoin scripts on both sides of txouts and txins. Familiarity with every single script operation is required.
The practical portion of the CBX exam will ask you to perform tasks with bitcoin primitives with whichever language you like. If you're a Python guy you can use python-bitcoinlib or pycoin. If you're a .NET guy you can use a .NET library. If you're a C++ guy, use C++. As long as you know how to use your language of choice to complete the exam questions, it doesn't matter which language you choose.
The CCSS is an easy one to study: memorize all 32 controls on all 10 aspects and how they relate to each other so that if you were to grade the security of a system, you'd be able to do it without hesitation.
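The header hashing mentioned in the answer above (which fields are hashed, the nonce, double-SHA256), as an added example that is not part of the original answer or any C4 exam material. It uses only the Python standard library and the publicly known field values of Bitcoin's genesis block; the function names are illustrative.

```python
import hashlib
import struct

def serialize_header(version, prev_hash_hex, merkle_root_hex, timestamp, bits, nonce):
    """Pack the six header fields, in order, into the 80 bytes that get hashed."""
    return (
        struct.pack("<i", version)                # 4 bytes, little-endian
        + bytes.fromhex(prev_hash_hex)[::-1]      # 32 bytes; hex is displayed byte-reversed
        + bytes.fromhex(merkle_root_hex)[::-1]    # 32 bytes; same reversal
        + struct.pack("<III", timestamp, bits, nonce)  # 3 x 4 bytes, little-endian
    )

def block_hash(header):
    """Double-SHA256 of the header, returned in the byte order explorers display."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1].hex()

def bits_to_target(bits):
    """Expand the compact 'bits' field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def meets_target(header, bits):
    """Proof of work is valid when the header hash, read as an integer, is <= target."""
    return int(block_hash(header), 16) <= bits_to_target(bits)

# Field values of the genesis block (block 0).
GENESIS = dict(
    version=1,
    prev_hash_hex="00" * 32,
    merkle_root_hex="4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    timestamp=1231006505,
    bits=0x1D00FFFF,
    nonce=2083236893,
)

if __name__ == "__main__":
    header = serialize_header(**GENESIS)
    print(len(header), block_hash(header), meets_target(header, GENESIS["bits"]))
```

Changing any one of the six fields, including the nonce, produces an unrelated hash, which is why mining is a search over the nonce and the other mutable fields.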
Thanks for the question, The_Void.
The article you've linked has a few good pieces of advice, but largely represents more risks than safety when it comes to security.
Putting aside the numerous typos and grammar mistakes (authors should always have someone else proofread their work before publication!), and concentrating solely on the substance of the article, the biggest security concern in the article is regarding the "password algorithm" suggestion.
The author recommends readers create a password algorithm to use for creating passwords for a variety of websites. This is NOT a secure method of generating passwords, and can lead to the compromise of every website that uses the reader's algorithm. If one of those websites is breached and a list of users' passwords is retrieved (even if they're encrypted), the attacker can use a brute-force cracker on all of the passwords to identify your one password that was created with an algorithm. Simply looking at that password will identify the algorithm, allowing the attacker to then log into every website that uses that algorithm.
I would not recommend this article to people asking for security advice.
--MP
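The weakness described in the answer above, as an added example that is not part of the original post: a constructed "password algorithm" beside independently generated passwords, plus an audit you can run over your own password-manager export to see whether entries collapse to one shared template. The base string, site names and function names are all made up for illustration.

```python
import secrets
import string
from collections import defaultdict

def algorithmic_password(site, base="Blue42!"):
    """Constructed 'password algorithm': fixed base + first 3 letters of the site."""
    return base + site[:3].lower()

def random_password(length=20):
    """Independent per-site password from the OS CSPRNG (keep it in a password manager)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def site_fragments(site, min_len=3):
    """Substrings of the site name (and its reverse) a scheme might embed, longest first."""
    frags = set()
    for s in (site.lower(), site.lower()[::-1]):
        for i in range(len(s)):
            for j in range(i + min_len, len(s) + 1):
                frags.add(s[i:j])
    return sorted(frags, key=len, reverse=True)

def template_of(site, password):
    """Mask the site-derived part of a password; None if nothing site-derived is found."""
    lowered = password.lower()
    for frag in site_fragments(site):
        pos = lowered.find(frag)
        if pos != -1:
            return password[:pos] + "<site>" + password[pos + len(frag):]
    return None

def audit_vault(vault):
    """Group entries by template; a group of 2+ sites means one breach exposes them all."""
    groups = defaultdict(list)
    for site, password in vault.items():
        tpl = template_of(site, password)
        if tpl is not None:
            groups[tpl].append(site)
    return {tpl: sorted(sites) for tpl, sites in groups.items() if len(sites) > 1}

if __name__ == "__main__":
    weak = {s: algorithmic_password(s) for s in ("amazon", "github", "reddit")}
    print(audit_vault(weak))   # the three entries share one template
    strong = {s: random_password() for s in weak}
    print(strong)              # nothing links one entry to another
```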