
Bitcoin as a law enforcement/natsec honeypot: what is the evidence? - ianso
http://ianso.blogspot.be/2013/10/bitcoin-as-law-enforcementnatsec.html
======
josephagoss
This is a surprisingly good analysis that strengthens the argument that a
Government agency created Bitcoin (much like what Paul Graham suggested).

The main point is the same one that PG brought up: that the transaction graph
is very easy to follow, and if the gatekeepers are compromised then most
transactions become transparent.

A novel point they make is that some group (probably the creators of Bitcoin)
control 25% of the money supply. I have not read the paper yet so cannot
comment, but I was under the impression 95% of Satoshi's coins have never moved
since being mined (if he does control them at all). Of course, if they do
control 25% of all the circulated Bitcoins this would forever stunt its growth,
as that actor would always be far too powerful.

Whilst I do not believe a Government created Bitcoin I welcome these articles
that counter my own views. This also re-emphasizes the work that needs to go
into coinjoin or zerocoin implementations as soon as possible. Also we need to
seriously fix the 7 tx/sec limit.

~~~
nwh
> _Bitcoin is, by design, highly vulnerable to network analysis._

By design as in, that's the only way the network could conceivably work. Each
node _must_ be able to verify that the chain is intact and valid, otherwise
they would have to be trusting a third party. There are ways of obfuscating this
anyway, which seem to work quite well in practice.

> _This is a surprisingly good analysis that strengthens the argument that a
> Government agency created Bitcoin_

It's not really. If the US government were to create something like this, they
wouldn't have risked releasing something as ridiculously buggy as the original
Satoshi client. You're talking massive remote exploits, people able to make
their own coins due to an integer overflow, just chaos in the code. It's truly
miraculous that it even took off at all, and the developers are still trying
to fix the issues that Satoshi unknowingly introduced. Bitcoin was not the
work of a skilled team.

> _I was under the impression 95% of Satoshi's coins have never moved since
> being mined_

That's correct, though you can't even verifiably say that all the coins were
minted by Satoshi. I doubt they'll ever move, given that Satoshi made it very
clear that remaining part of the community is a bad idea. In their shoes, I
would have been mining to a bit bucket, which I imagine is the case here.

> This also re-emphasizes the work that needs to go into coinjoin or zerocoin
> implementations as soon as possible.

Coinjoin is well and good, but zerocoin is a no-show at the moment. It's
immature, creates massive signatures, and is completely untested. There's no
way it would ever make its way into the mainstream client in its current
state, and the developers know that too.

> _Also we need to seriously fix the 7 tx/sec limit._

I'd go close to calling that one a myth. There's really nothing stopping 7
transactions a second at the moment; in fact, it's intended to be tight for
block space in order to create a market in which people battle for transaction
fees. There's also nothing to stop the block limit from just being increased;
1MB is just arbitrary at the moment.

~~~
josephagoss
_> Bitcoin was not the work of a skilled team._

This is refreshing to hear. However, while the Government does not have a
history of writing good code (excluding NASA), I still feel like the Government
argument could be correct.

_> I'd go close to calling that one a myth_

Well, the limit is based on size, and 7 tx/sec assumes an average transaction, I
think.

_> in fact it's intended to be tight for block space in order to create a
market in which people battle for transaction fees_

I remember reading Satoshi did not intend for limited blockchain space and
envisioned 500GB blocks.

_> 1MB is just arbitrary at the moment._

A hard fork will be required; this will not be an issue if no one complains.

~~~
bunderbunder
> the Government does not have a history of writing good code

I'd love to hear more about that, because it goes against my own experience.
(And I'll go ahead and disclaim that I'm obviously speaking anecdotally here.)

Whenever I've run into software that was developed by the US government it's
generally been pretty competent. No worse, and maybe a little better, than
what I'm used to seeing come out of the companies I've worked with. Certainly
better than the stream of epic fails that seems to characterize what results
from outsourcing to private contractors.

~~~
gknoy
Partly that may be because they can (in theory) work closer to the true
customer, rather than having an additional contract/specification-based
interface to getting things made. When you don't find out for six months that
you completely misunderstood the client's needs, it's hard to build good stuff
-- frustrating for the client, and for the developers.

If, however, you ARE your own client, such as writing research code or
simulation/test code, you likely have a clearer idea of what needs to be done.

------
nl
_Bitcoin is at least one order of magnitude more complex than Tarsnap, or the
crypto used in v1 of the Amazon AWS API. We should have seen far more bugs of
varying severities if it was a one man band._

Is there any actual analysis to support the claim that it is an order of
magnitude more complex than AWS crypto or Tarsnap?

There have been numerous vulnerabilities in the software implementation[1],
and there have (arguably) been at least two bugs in the algorithm[2][3].

I'd note that both the AWS & Tarsnap problems were implementation bugs, not
algorithmic problems. That is a much better record than both the Bittorrent
implementation and algorithmic record.

That's impressive, but doesn't seem superhuman.

Bittorrent (which was the work of one person, AFAIK), for example, has had no
real algorithmic changes to the core protocol since it was released[4], and it
is _much_ more widely used than Bitcoin. (Yes, I know about trackerless
.torrents, but that's more the discovery mechanism than the core transport
algorithm.)

[1]
[https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposu...](https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures)

[2]
[http://sourceforge.net/p/bitcoin/mailman/message/25954806/](http://sourceforge.net/p/bitcoin/mailman/message/25954806/),
[https://bitcointalk.org/index.php?topic=822.msg9503#msg9503](https://bitcointalk.org/index.php?topic=822.msg9503#msg9503)

[3]
[http://en.wikipedia.org/wiki/Bitcoin#The_fork_of_March_2013](http://en.wikipedia.org/wiki/Bitcoin#The_fork_of_March_2013)

[4]
[http://bittorrent.org/beps/bep_0003.html](http://bittorrent.org/beps/bep_0003.html)
(note that the entries in the change history are all clarifications)

~~~
mrb
_"Is there any actual analysis to support the claim that it is an order of
magnitude more complex than AWS crypto or Tarsnap?"_

I don't think so, and I personally disagree with this statement.

As a developer, I find bitcoin 0.1.0's code easy to read and understand (I had
requested a tarball of it about 2 years ago from one of the developers, as it
was not in source control). And even the number of lines of code is not
particularly impressive. Version 0.1.0 has only 13k lines of C++ code
(excluding GUI code):

         7 ./irc.h
        71 ./headers.h
       156 ./key.h
       177 ./sha.h
       182 ./market.h
       201 ./base58.h
       264 ./market.cpp
       265 ./irc.cpp
       373 ./util.cpp
       399 ./util.h
       420 ./db.h
       498 ./bignum.h
       554 ./sha.cpp
       597 ./script.h
       604 ./db.cpp
       750 ./uint256.h
       856 ./net.h
      1020 ./net.cpp
      1127 ./script.cpp
      1151 ./serialize.h
      1317 ./main.h
      2660 ./main.cpp
     13649 total

Plus 6k lines of (boilerplate) GUI code:

       417 ./ui.h
       720 ./uibase.h
      1806 ./uibase.cpp
      3228 ./ui.cpp
      6171 total

For comparison, many HN readers who are talented developers would consider 5k
LoC of C++ relatively easy to write in a span of 3-5 weeks, as a day job, for
a small project that they have a precise idea how to implement. So 13k lines
for a project that apparently spanned a few months of Satoshi's time is
absolutely plausible.

I believe Bitcoin was written by one man.

Source:
[http://www.zorinaq.com/pub/bitcoin-0.1.0.tgz](http://www.zorinaq.com/pub/bitcoin-0.1.0.tgz)

~~~
ianso
Hum, I think between you, nl, and nwh, point 1 is looking very shabby... I
think I'll revise it shortly.

------
junto
I've always found Satoshi's choice of email address interesting. Gmx.com
didn't launch until 2008, the same year Satoshi published his Bitcoin paper.

GMX is a German company and the @gmx.de email address is highly popular
here, especially since Gmail was late to the party (legal action over
'gmail'). Web.de and Yahoo are the two other big players.

GMX uses geo-location to direct users to specific GMX TLDs. To use the .com
you would need to use Tor or a VPN. Without using some kind of geo-anonymising
tool, I am stuck with a GMX.de account.

Why choose GMX.com? Did he/she read about GMX launching in the US while
looking for a new email account provider specifically to be used for Bitcoin
correspondence? Was he/she based in Germany, knew of GMX, and, using Tor or a
VPN from Germany, exited in the US and got a GMX.com account?

It doesn't mean anything in itself, but I always thought the choice of gmx.com
was a curious one.

~~~
gwern
I have been told by people who received emails from Satoshi that he was
sending even his emails over Tor. Aren't most Tor exit nodes in the USA? That
could explain why he got a gmx.com address rather than gmx.de.

------
rdl
I don't believe it is a honeypot, just a fundamental limitation for a
distributed protocol.

This is why I think in the long run a true blinded-signature form of ecash is
essential. Handle distribution by having millions+ of issuers, independent,
and then meta-currencies and realtime exchanges, just like real life, not a
single distributed currency.

I also think trusted computing is an essential component to safely handling
money which is fully anonymous, irrevocable, and for meaningful amounts, which
is why I've been working on that kind of stuff for a while. Sadly we're still
a few years off from practical currency-handling trusted computing, and
probably a decade from practical general-purpose trusted computing, but once
people can genuinely trust their devices to not be subverted, things will be
vastly more awesome.

Zerocoin remains an option, but it is complex (I like simple), and difficult
to implement. I didn't even think it was possible until Matt Green et al.
published; blinded signatures, on the other hand, are awesome, but fairly
straightforward.

------
drcode
The main counterargument to this is that the bitcoin technology is so
unusually clever and its success such an incredible fluke anyway that you'd
have to assume the government to have an almost god-like intelligence and
foresight to pull this off.

~~~
VMG
And also take a huge risk of damaging itself in the process while pretending
that the author is motivated by libertarian motives.

This is a conspiracy theory.

~~~
antocv
No, a conspiracy theory would be that _this_ accusation is coming from a
government-shill so as to deter further usage of BitCoin.

What else can the g-men really do... now is a good time considering after SR
and all.

------
mcherm
I'll point out why I don't find this a credible hypothesis.

I imagine someone highly-placed in the NSA speaking to their superiors:

"Yes, we have built this alternative form of money. It can be used
almost-anonymously for the purchase of drugs or for online gambling, for the
funding of terrorists and anything else that people want to hide from the
government. It will allow users to skirt money-laundering laws and avoid
payment of income and sales taxes. But because of our ubiquitous surveillance,
we think we can (probably) track anyone using it... well, MOST people using it."

"It is a completely innovative idea -- few in the world have even had idle
speculation about the idea of a currency like this and no one is currently
working on building such a thing. Yes, it will probably spur development of
similar crypto-currencies."

"So, Mr. Director, can we have permission to release this into the wild?"

I cannot imagine someone in charge saying, "Yes: release it."

~~~
junto
On the flip side, this would give the CIA a fantastic opportunity to launder
their own drug money into black budgets. It also gives them a great way to
fund "freedom fighters" in countries that they don't like. No flying bags of
cash around anymore.

[http://www.google.com/hostednews/afp/article/ALeqM5j6QonBKKM...](http://www.google.com/hostednews/afp/article/ALeqM5j6QonBKKMo2gw1e3ql-xUcQEZbVg?hl=en)

------
qnr
I think this is just as unlikely as the idea that Facebook is a law
enforcement honeypot to track terrorists' social graphs. Your arguments sound
somewhat plausible now, but back in 2009 bitcoin was just a cypherpunk's toy
and no one had any idea how big it was going to become.

I would argue that a conventional internet currency (like egold or liberty
reserve) would make a far better honeypot (easier to track, shutdown at any
time, cybercriminals were used to currencies like that)

------
nullc
Well, it's factually inaccurate from the very first paragraph. Bitcoin has had
several end-of-the-world vulnerabilities found and corrected.

e.g.

OP_RETURN bug (let anyone spend anyone else's coin)

Value overflow bug (let anyone produce billions of bitcoin)

Block merkle tree hash practically vulnerable to second preimage attacks
(allowed anyone to select and kill arbitrary blocks, and thus rewrite the
consensus)

Plus a mountain of smaller design bugs and more conventional software crash
issues.

The overall design is highly idiosyncratic in many ways. Novel integer
serializations, random byte endianness.

------
peterwwillis
It makes more sense once you realize things like Tor were created specifically
for the USG intelligence community[1]. Bitcoin could, for example, be used to
trade money between drug traffickers and the CIA, whilst allowing DEA to track
the funds around the world. Fun!

[1] [http://www.networkworld.com/community/blog/no-conspiracy-the...](http://www.networkworld.com/community/blog/no-conspiracy-theory-needed-tor-created-us-go)

~~~
fiatmoney
The Navy was originally interested in techniques for decentralized
communication between ships in a fleet, in such a way that the flagship would
be unidentifiable. There are lots of applications for such a network that
different government organizations would be interested in; the Government
isn't a monolithic entity.

------
viraptor
> If one individual cryptographer had written Bitcoin, it would contain far
> more idiosyncrasies than it does, not just in the cryptosystem design but
> also in the C++ code itself.

Well, it's not that uncommon for a single person to write a very secure and
minimal software that really works. Look at almost anything produced by DJB.

~~~
ianso
That's true, but then it's equally true that DJB's software, while absolutely
excellent, is definitely idiosyncratic. If DJB anonymously published code
using the same style, e.g. the configuration language, refusal to use standard
UNIX daemons, etc., anyone who read the code would know immediately that it
was him.

------
guard-of-terra
There is nothing you don't know _about_ Bitcoin: everything is public and
open source. However, you may not know who _uses_ Bitcoin and how.

Whether Bitcoin is or is not a natsec honeypot cannot affect any of Bitcoin's
properties, therefore this question is meaningless.

------
triplesec
This is a brilliant troll that makes me reassess bitcoin. Exactly what good
security is. Because "it can't be, right?" I don't buy it, but we're going to
have to debunk this carefully!

------
devx
> Bitcoin is, by design, highly vulnerable to network analysis

Maybe it's time Zerocoin (by Matthew Green's students) got implemented into
Bitcoin:

[http://blog.cryptographyengineering.com/2013/04/zerocoin-mak...](http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html)

------
polemic
> _"Bitcoin was apparently designed by good cryptographers and peer-reviewed
> before it was released"_

I think this understates the effect of outliers. If you consider the
incredible ability of Srinivasa Ramanujan to, quite literally, dream up
ground-breaking theorems, then it becomes a lot more plausible that a single
dedicated, _highly unusual_ individual could produce Bitcoin.

The same argument applies to OpSec. 99.99% are lacking the means
(technologically or, more importantly, mentally) to maintain perfect cover.
But it's the 0.01% outlier we're interested in. Comparing to existing cases
is, by definition, invalid.

------
hwh
I realise that "evidence" is a term with a broader meaning. However, for most
of the points brought up, I fail to see how they support the hypothesis that
Bitcoin stems from a natsec background. Things like group efforts and
maintaining anonymous identities are not specific for that environment.

The Hezbollah reference was irritating and I would consider that a very remote
analogy, if at all.

Point 6 holds valid for a lot of financial services that allow one to transfer
monetary value in a non-physical fashion.

Nevertheless, all points are probably either interesting knowledge about
Bitcoin or valid statements about it.

~~~
ianso
Yar, I realise the Hezbollah thingy is only tangentially applicable, but I
couldn't find a better example of a _single_ mistake compromising an identity
and thereby a network. I think that someone (maybe Cory Doctorow?) wrote a
better, at-length post about how hard it is to stay anonymous, but I couldn't
find it, so I used this example instead.

Point 6 is my main stepping-stone from 'organised and capable' to
'government'. FWIW governments have deliberately set up 'dodgy banks' as a way
of attracting money launderers and then busting them, so I think it's valid.

~~~
hwh
I guess my perspective on this is blurred by me being German, or in a broader
context, European. Our institutions are not really known for laying such
"traps". I guess it's different in the world of the secret services (as
opposed to traditional law enforcement). And well, yes, in the US there's the
DEA, maybe the FBI, too, but I always thought that their ability to legally
create "dodgy banks" or similar are kind of a Hollywood thing.

In general, the US seems a lot more willing and capable to really invest
capacities in fighting money laundering than any agency I can imagine here in
the EU.

------
this_user
The article makes some good points, but I don't think government involvement is
the single most likely explanation for the facts we are able to observe. In my
opinion, it is equally likely that Bitcoin is simply an elaborate Ponzi-type
scheme.

Think about it. A group of people with probable backgrounds in mathematics,
cryptography, software development and economics bands together and creates a
new kind of digital currency. They gain control of a large chunk of the total
money supply in the beginning when it is easy to do so. Then they wait and
hope for widespread adoption. Thanks to a combination of the hard limit on
money supply and general mass psychology, their currency hugely appreciates in
value. They now have a large amount of money in their hands created from
nothing but the work they put into creating BTC. All that is left is to cash
out at some point. The latter is admittedly difficult to do without it being
detected, but that doesn't mean that it won't happen at some point.

~~~
oleganza
A Ponzi scheme requires breaking trust in promises. Satoshi was not giving
anyone promises or taking anyone's money. Everyone voluntarily evaluates the
safety of the protocol and decides to mine or buy bitcoins from others.

------
ferdo
If Bitcoin was a natsec honeypot, the NSA/NIST-approved secp256r1 algo would
have been used instead of secp256k1.

------
incompatible
Well, we know that bitcoin was developed by _someone_, and that they've
managed to keep their identity (or identities) secret. The smaller the group,
the easier it is to keep secrets. It's likely that if the NSA was behind it,
or knows who is, then that would have come out in the Snowden leaks.

------
pteredactyl
I agree on the basis it hasn't been shut down. Rather, in a way, encouraged
through the media. Also, anyone ever meet this Silk Road person?

------
tocomment
I see coinjoin mentioned a couple of times in this thread. Would anyone be
able to explain it in simple terms?

~~~
jedunnigan
Sure. It's basically a transaction-level mixer.

When you are building a transaction, you can hand pick the inputs and outputs
you want to use. There are no constraints or limits. CoinJoin effectively
allows you to collude with multiple parties when generating a transaction
(take multiple inputs {see:unspent outputs} from the different parties), such
that it is difficult to follow the coins to their respective outputs.

Gmaxwell says it better than I:

> The signatures, one per input, inside a transaction are completely
> independent of each other. This means that it's possible for Bitcoin users to
> agree on a set of inputs to spend, and a set of outputs to pay to, and then to
> individually and separately sign a transaction and later merge their
> signatures. The transaction is not valid and won't be accepted by the network
> until all signatures are provided, and no one will sign a transaction which is
> not to their liking.[1]

[1] [https://bitcointalk.org/index.php?topic=279249.0](https://bitcointalk.org/index.php?topic=279249.0)
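The per-input signing that gmaxwell describes, as an added example that is not part of this thread and not code from any CoinJoin implementation: two parties agree on a set of inputs and outputs, each signs only its own input with its own key, and the signatures are merged afterwards; a party whose payout is missing simply refuses to sign, and the transaction never becomes valid. The `Tx`/`Input`/`Output` structures, the `sighash` serialization, the string addresses and the `txaddrA:0` outpoints are constructed simplifications (P-256 stands in for Bitcoin's secp256k1, and the hash is not Bitcoin's real transaction serialization); the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Input is one coin being spent; Sig is filled in only by the party holding its key.
type Input struct {
	Outpoint string // constructed id of the unspent output being spent
	Amount   uint64
	PubKey   *ecdsa.PublicKey
	Sig      []byte
}
type Output struct {
	Address string
	Amount  uint64
}
type Tx struct {
	Inputs  []Input
	Outputs []Output
}

// sighash covers all inputs and outputs (never the signatures), so each
// signature commits its signer to the whole transaction exactly as proposed.
func sighash(tx *Tx) []byte {
	h := sha256.New()
	for _, in := range tx.Inputs {
		h.Write([]byte(in.Outpoint))
		binary.Write(h, binary.LittleEndian, in.Amount)
	}
	for _, out := range tx.Outputs {
		h.Write([]byte(out.Address))
		binary.Write(h, binary.LittleEndian, out.Amount)
	}
	return h.Sum(nil)
}

// SignInput is one party's step: it needs only that party's own key, and it
// refuses unless the proposed outputs pay wantAddr the expected amount.
func SignInput(key *ecdsa.PrivateKey, wantAddr string, want uint64, tx *Tx, idx int) ([]byte, error) {
	paid := false
	for _, out := range tx.Outputs {
		paid = paid || (out.Address == wantAddr && out.Amount == want)
	}
	if !paid {
		return nil, fmt.Errorf("%s is not paid; refusing to sign input %d", wantAddr, idx)
	}
	return ecdsa.SignASN1(rand.Reader, key, sighash(tx))
}

// Verify mirrors the network rule: valid only if every input has a good signature.
func Verify(tx *Tx) bool {
	for _, in := range tx.Inputs {
		if in.Sig == nil || !ecdsa.VerifyASN1(in.PubKey, sighash(tx), in.Sig) {
			return false
		}
	}
	return true
}

// BuildJoin assembles a two-party join over constructed coins: the parties agree
// on inputs and outputs, then each signs separately and the signatures are merged.
// With payBob=false the proposal omits Bob's payout, so Bob refuses to sign.
func BuildJoin(payBob bool) (*Tx, error) {
	tx := &Tx{Outputs: []Output{{Address: "addrA", Amount: 100}}}
	if payBob {
		tx.Outputs = append(tx.Outputs, Output{Address: "addrB", Amount: 100})
	}
	addrs := []string{"addrA", "addrB"}
	keys := make([]*ecdsa.PrivateKey, len(addrs))
	var err error
	for i, addr := range addrs {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, err
		}
		// Equal-valued coins in and out: an observer cannot tell whose coin went where.
		tx.Inputs = append(tx.Inputs, Input{Outpoint: "tx" + addr + ":0", Amount: 100, PubKey: &keys[i].PublicKey})
	}
	for i, addr := range addrs { // each party signs alone; attaching its signature to its input is the merge
		if tx.Inputs[i].Sig, err = SignInput(keys[i], addr, 100, tx, i); err != nil {
			return nil, err
		}
	}
	return tx, nil
}

func main() {
	tx, err := BuildJoin(true)
	if err != nil {
		panic(err)
	}
	fmt.Println("both parties paid, verifies:", Verify(tx))
	tx.Outputs[0].Address = "addrX" // redirecting a payout after signing voids every signature
	fmt.Println("tampered after signing, verifies:", Verify(tx))
}
```

The two properties worth noticing are the ones gmaxwell's quote rests on: because `sighash` covers the whole proposal, no party can redirect the merged transaction after the others have signed, and because each party checks its own payout before calling `SignASN1`, a proposal that shortchanges anyone simply never collects all the signatures. A real deployment still needs a coordinator to collect proposals and signatures, which is where the privacy and availability questions raised further down the thread come in.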

~~~
tocomment
Interesting. So this is something that would be built into the client, and
happen automatically I guess?

~~~
jedunnigan
Well there would need to be a server/host to manage all the signatures, but it
could be built into a client. There is one implementation I know of so far:
[https://github.com/calafou/coinjoin](https://github.com/calafou/coinjoin)

I wouldn't recommend using it, not sure if it's complete or not.

------
stuaxo
Having had a lot of trouble with Amazon APIs, stopped reading ... it's just a
very apples - ... not even oranges comparison.

------
w_t_payne
I genuinely hope it _IS_ a honeypot.

I am attracted to BitCoin-as-a-currency by its near-zero-transaction-cost
property.

I am attracted to the technology (for peer-to-peer trading) by its potential
to disrupt traditional asset classes.

I am rather disinterested in the privacy/secrecy aspect of the technology.

Indeed, I would quite like to see ALL financial transactions made public; as
that would greatly assist the fight against corruption, and many many many
forms of wrongdoing.

~~~
jes
It would be helpful if you would clarify what you mean by "all financial
transactions."

What about transactions such as a teenage girl buying a pregnancy test kit?
Should the children in her high school be able to go to a website and see that
she purchased a pregnancy test?

What about the guy that is struggling with alcoholism? Should his purchases of
drugs such as Naltrexone be a matter of public record as well?

~~~
tedunangst
Assuming those people are purchasing their meds from multi-product vendors,
you wouldn't have that level of detail. You've built a straw man.

But, yes, I believe the general idea is that there is a webpage where you
could see that little Sally spent $11.87 at the pharmacy on Saturday.

~~~
jes
w_t_payne did not specify the level of detail, so it's conceivable that s/he
intended that the transactions be sufficiently detailed so as to be able to
ascertain, for example, what products Sally purchased.

But even in your case, indicating anything about Sally's activities seems to
me to put her at the mercy of the tribe, such that they might start asking her
"So, what did you buy at the pharmacy, Sally? I see EPT test kits are $11.87,
when you include sales tax. I'll bet you're sexually active! Am I right?"

With respect, there are reasons that are both legitimate and moral to not have
to disclose one's activities to strangers, and compromising on this principle
isn't a good idea, in my view.

~~~
tedunangst
Maybe someday I'll learn not to clarify somebody else's post.

~~~
jes
I appreciated your comment and the opportunity to further discuss a topic
(privacy) that I think is important and under attack in our society today.
Thank you.

~~~
tedunangst
Oh, no worries. I was more complaining about the person who downvoted me,
presumably on impulse.

------
slashdotaccount
It was I, N. Bourbaki, working with Francis Bacon, William Shakespeare,
Grothendieck, and the sender of dreams, from our secret Atlantis undersea
fortress.

