
Is Bitcoin security worth $1B? - mriou
http://www.blockcypher.com/#!Multisig-API-Is-bitcoin-security-worth-1B/cw46/8F43399F-FD98-49E0-A41D-58291EB436AA
======
asdfaoeu
> Multiple signature (multisig) transactions would have prevented all of it.

Yeah, no, there's still a need for hot wallets which can be spent
automatically by a server and these were basically the only ones stolen. You
actually have to keep the keys separate for it to make a difference.

Also their api is borderline retarded. The server passes back a hash to sign
and the client is just supposed to blindly sign it. Sure I suppose it could
check it but then why wouldn't you just build it locally.

~~~
mriou
This is incorrect. You can have servers using multisig too, it increases the
overall security of the transactions, especially if the different private keys
are stored in different environments (different datacenters, different OS,
etc.).

Regarding the blind signature: yes, you can check it and in most cases it's
just checking a series of bytes at a given position in an array. One line of
code. Building a multisig transaction locally? Good-luck doing that.

Also I've heard many times arguments along the lines of "my security is better
than yours, I don't trust you". It's reminiscent of those arguments about
cloud providers like AWS, "my outages are better than yours". The point is we
are focusing solely on block chain infrastructure: the security,
performance,and reliability. It's our expertise. Is it yours?

~~~
asdfaoeu
> Regarding the blind signature: yes, you can check it and in most cases it's
> just checking a series of bytes at a given position in an array. One line of
> code. Building a multisig transaction locally? Good-luck doing that.

Code? Better yet include it on your examples.

~~~
mriou
Will do, thanks a lot for the feedback.

------
jimrandomh
Yes, multi-signature transactions can greatly improve security. But this idea
of using a third party to write your transactions for you is a very, very bad
idea. It introduces an additional point of failure for security: someone can
break into their server, and make it start generating transactions that send
coins somewhere other than where you said.

Writing software that uses this API would be negligence.

~~~
CatheryneN
Someone can also break into your servers and manipulate your transactions.
It's our business to run a secure and reliable service. Bitcoin infrastructure
is fairly complex and so the probably that you'll miss something are pretty
high. Isn't it better to focus on your own business rather that spend all your
time and money building and maintaining the backend piece?

~~~
nightpool
Then release/sell a library. Don't expect Bitcoin users (who, especially the
early adopters, are almost tautologically more likely to distrust centralized
services). Library code can be audited, and guaranteed to do what it
advertizes.

------
moe
Reminder: For anything but toy apps you do not want to relay your interactions
with the blockchain through a third party.

~~~
asdfaoeu
To be clear really relaying transactions through a server is probably fine.
The problem with this one is the api let's the server generate the transaction
and the client just blindly signs it. You are _completely_ trusting the server
in this scenario.

~~~
mriou
Not blindly, you see both the generated transaction and the data to sign, you
can validate either or both. And you are completely trusting a server in many
other situations.

------
Ryel
Because of the amount of real money invested, I would (somewhat jokingly) say
that securing Bitcoins is a business more valuable than Bitcoin itself.

------
matthewbauer
We already spend a total of $15 million dollars per day in energy costs[1]
making secure transactions in Bitcoin, so I think in a way we're already
spending more than $5 billion on Bitcoin security.

[1]:
[http://www.forbes.com/sites/timworstall/2013/12/03/fascinati...](http://www.forbes.com/sites/timworstall/2013/12/03/fascinating-
number-bitcoin-mining-uses-15-millions-worth-of-electricity-every-day/)

~~~
kordless
I ran the numbers on newer mining rigs a few weeks ago and came up with a PH/s
needing about 1 semi tractor trailer engine to run. The network is currently
doing about 130PH/s, so that's about 130 semis engines running. Not anything
to sneeze about, but also definitely not $15M a day.

------
FBT
A quick read of the title left me rather confused: Are they seriously asking
the question "Is Bitcoin worth 1฿?"

A tautology indeed. Only upon reading the article itself did I realize I
misread the title: I had both skipped over the word "security", and
misinterpreted the B as the Bitcoin symbol, rather than an abbreviation for a
billion.

~~~
collyw
prime numbers worth 1 billion....?

