
Here’s who probably did that $150 million Bitcoin transaction - rkudeshi
http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/23/heres-who-probably-did-that-massive-150000000-bitcoin-transaction/
======
rheide
I wonder if it ever becomes viable to try to brute-force the private key of
such a valuable address, rather than devoting the brute force power to mining.

Edit: got curious and found an answer:
[http://bitcoin.stackexchange.com/questions/2847/how-long-wou...](http://bitcoin.stackexchange.com/questions/2847/how-long-would-it-take-a-large-computer-to-crack-a-private-key)

If I understand correctly, it's still not viable even if you tried your
brute-forced keys on all addresses in the network.

~~~
meowface
It's completely infeasible (without quantum computers anyway).

However, in cases where the private key is generated from a hash of a
passphrase, like brainwallets, then it is far more feasible. There are people
running bruteforcers constantly looking for private keys corresponding to
brainwallet passphrases; that's their form of "mining".

To test it, if you make a brainwallet with a password of "password" and then
send 0.01 BTC into your account, you'll see it vanish in a few minutes (or a
few seconds).

~~~
waps
I don't think so. Brainwallets are generated as a hash. So if the input is
secure, the output is secure. It's not possible to generate the input from the
output. And frankly the connection between password -> private key and private
key -> public key is very similar in brainwallets. To crack a brainwallet,
given only the public key and sufficient bits in the password, is actually
harder than directly attacking the private key.

Plus you have to balance "my own fuckup" risk against "someone attacked me"
risk, right. Wallets depend on your backup habits, and your backup provider's
security. Going through the fora, I'd say "oops. I lost my wallet.dat" is a
much more serious threat to your bitcoins, on average, than someone got a hold
of your password. Both of those, for most people (including me) are ...
lacking. Brainwallets depend on my memory for passwords. A hardware
brainwallet would guarantee you're 100% not exposed.

As for ECDSA attacks. It's true that the algorithm itself is near-unhackable.
However, make one single transaction on a computer which chooses a non-random
k value, and you're exposed. So the risks don't end just because

~~~
sillysaurus2
_To crack a brainwallet, given only the public key and sufficient bits in the
password, is actually harder than directly attacking the private key._

It's incredible to see such misinformation on HN. I suggest you read this:
[https://dl.dropboxusercontent.com/u/315/articles/A%20Large-S...](https://dl.dropboxusercontent.com/u/315/articles/A%20Large-Scale%20Study%20of%20Web%20Password%20Habits%20%5B2007%5D.pdf)

This is a 2007 study on web password habits. In it, they reveal the fact that
fewer than 1% of passwords have bitstrength >= 90 bits:
[http://i.imgur.com/8vSrx2E.png](http://i.imgur.com/8vSrx2E.png)

Achieving 128 bits of protection with a _user selectable and memorable
password_ is statistically unlikely (to put it mildly).

The fact that a brainwallet password is memorable means a computer can
bruteforce it in far fewer operations, too. I.e. the bitstrength is mostly
meaningless. Just ask the guy who runs
[http://www.cloudcracker.com](http://www.cloudcracker.com)

A memorable user-selectable password is incredibly unlikely to be as strong as
128 random bits.

~~~
tlrobinson
Brainwallets shouldn't be casually recommended without appropriate warnings,
but they certainly _can_ be secure.

Passphrases aren't limited by length, and your brainwallet can be derived from
your memory and publicly available information, so you can construct very
strong memorable passphrases, e.g. the 3rd sentence of the 8th chapter of your
favorite book concatenated with a moderately strong but memorable password.

Key stretching with PBKDF or scrypt helps a lot as well. Do you care if it
takes 1 minute to compute your keys from the passphrase? Probably not, and it
will make cracking much more difficult.

~~~
meowface
Even extending to a 1-second computation would make it completely infeasible
to crack. 1 minute would be way overkill.

~~~
tlrobinson
Well, whether it's overkill depends on how weak your passphrase is.
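
Added example, not part of any comment in this thread: a Python sketch of the trade-off discussed above, comparing the single-hash brainwallet derivation with a stretched one and showing how the cost per guess changes the expected search time for a passphrase of a given entropy. PBKDF2-HMAC-SHA256 stands in for "PBKDF or scrypt"; the function names, the salt, the iteration count and the guess rates are assumptions made for illustration.

```python
import hashlib
import time

# Order of the secp256k1 group; a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SECONDS_PER_YEAR = 31_557_600  # Julian year


def naive_key(passphrase: str) -> bytes:
    """Unstretched derivation described in the thread: a single SHA-256."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 derivation; every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def is_valid_private_key(key: bytes) -> bool:
    """A 32-byte value is usable as a secp256k1 key only if 1 <= key < N."""
    return len(key) == 32 and 1 <= int.from_bytes(key, "big") < SECP256K1_N


def seconds_per_derivation(derive, repeats: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive()
        best = min(best, time.perf_counter() - start)
    return best


def average_years_to_guess(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to search half of a 2**entropy_bits passphrase space."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs; the salt is a hypothetical per-user value.
    phrase, salt = "constructed sample passphrase", b"user@example.com"
    fast = seconds_per_derivation(lambda: naive_key(phrase))
    slow = seconds_per_derivation(lambda: stretched_key(phrase, salt))
    print(f"cost per guess: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s")
    for bits in (40, 60, 80):
        # Assumed rates: 1e9 guesses/s unstretched; 1,000 machines at 1 guess/s stretched.
        print(bits, average_years_to_guess(bits, 1e9), average_years_to_guess(bits, 1_000))
```

Under these assumed rates a 40-bit passphrase falls in minutes without stretching and in about 17 years with a one-second derivation, which is why the amount of stretching needed depends on the entropy of the passphrase.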

------
bradleysmith
Here's the cited paper from UCSD on bitcoin address analysis:

[http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf](http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf)

------
cheez
This is why I can't take Bitcoin seriously. The privacy implications are
insane.

~~~
josephagoss
Please stop with the privacy scaremongering. A lot of work is currently going
into trustless mixing/anonymising services that will largely stop this type of
tracking. (coinjoin/zerocoin)

A lot of us are investing with the expectation true anonymous transactions
eventually happen, because when they do Bitcoin will become even more
valuable.

~~~
gnaritas
> A lot of work is currently going into trustless mixing/anonymising

Call it what it is, money laundering.

~~~
fexl
The term "money laundering" originally referred to the practice of concealing
the movement of funds involved in a crime. Now they've redefined it so that
concealing the movement of funds is _itself_ a crime, even if the funds are
entirely legitimate and no other crime is involved.

~~~
consonants
Yes, because the motivations behind money laundering are driven almost
exclusively by crime. For purchases you wish to remain private, such as
personally embarrassing products, there are 'anonymizing' but traceable
services for you to save face with.

There are very few legitimate reasons to be concealing where your money came
from or is going from the IRS, and they are well aware of the intent behind the
actions.

~~~
nazgulnarsil
>There are very few legitimate reasons to be concealing where your money came
from or is going from the IRS, and they are well aware of the intent behind the
actions

Nice circular reasoning. Because everything that the IRS would disapprove of
is illegitimate? When did the IRS get ultimate moral authority?

~~~
superuser2
IRS doesn't care what the money is from or for, only that Uncle Sam gets what
he's owed. Income from criminal enterprises is not special: you have to pay
taxes on it like everything else. The _source_ of the income is kind of
don't-ask-don't-tell.

Spending on sex toys is not special, unless the national security apparatus
(or more likely your competitor in the private sector) already has a reason to
try to discredit you. Which is a valid concern for activists, but not most
people.

Investigations and enforcement actions by the IRS have nothing to do with the
morality of your checking account statement and everything to do with tax
evasion.

The largest threat to your financial privacy is private enterprise.
Underwriters, prospective employers, and others with a financial stake in your
"good behavior" are the most interested in judging the moral
acceptability/health/prudence of your financial choices.

~~~
exo762
> Spending on sex toys is not special, unless the national security apparatus
> (or more likely your competitor in the private sector) already has a reason
> to try to discredit you. Which is a valid concern for activists, but not
> most people.

Amazing.

Translation: "Rights are essential for small group of people, because everyone
else is not exercising them anyway. So let's just take the rights away".

~~~
superuser2
From where do you derive a right to hide your finances from a government whose
power to levy an income tax is explicitly codified in the Constitution?

~~~
exo762
1) Bitcoin is incredibly more transparent than the banking system or tax system.
If anything, it is not convenient for tax evaders. HSBC, however, managed to
launder 200bln of drug money.

2) I'm a person. I have to pay taxes. Top500 corps - not so much, in practice.
What do you say about that?

3) Where the fuck did you get that I'm a tax evader? I was addressing your
point about people's rights and your evaluation of their need of having those
rights.

------
jgalt212
This reminds me of when actual users were identified from the "anonymous" AOL
search logs.

[http://www.nytimes.com/2006/08/09/technology/09aol.html?page...](http://www.nytimes.com/2006/08/09/technology/09aol.html?pagewanted=all&_r=0)

Anonymity is not privacy.

------
chubot
I haven't been following closely, but could it have been the FBI transferring
Silk Road funds to their own address? Given the timing that seems to make
sense.

~~~
sidko
They've always tagged the seized coins either with 'Silkroad seized coins' or
'DPR seized coins' in the past. e.g.
[https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5G...](https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX)

~~~
nawitus
Who did the tagging?

~~~
nwh
Users of blockchain.info. It's a little obvious, the amounts they transferred
are "FBI" when typed on a phone keyboard.

------
antonius
Once wallets become available that can mask this type of public exposure,
bitcoin popularity and usage will grow even more.

------
joshguthrie
Today's goals:

* Spend 100 million for supercomputers to compute this address's wallet in one day.

* Acquire said wallet.

* Reimburse my 100 million debt.

* Enjoy my 50 million.

Anybody got supercomputers?

~~~
jamestnz
The numbers for this, sadly (or gladly, for holders of bitcoin), don't work
out. Even if you had the most powerful supercomputer in the world and could
try trillions upon trillions of keys per second, you'd need, on average, more
than the current age of the universe to brute-force the key.

From: [http://bitcoin.stackexchange.com/questions/22/is-it-possible...](http://bitcoin.stackexchange.com/questions/22/is-it-possible-to-brute-force-bitcoin-address-creation-in-order-to-steal-money/3205#3205)

 _In order to spend money sent to a Bitcoin address, you just need to find an
ECDSA public key that hashes to the same 160 bit value. That will take, on
average, 2 ^ 160 key generations._

 _Supposing you could generate a billion (2 ^ 30) per second, you need 2 ^ 130
seconds._

 _Doing this in parallel using a billion machines requires only 2 ^ 100
seconds._

 _Getting a billion of your richest friends to join you gets it down to only 2
^ 70 seconds._

 _There are about 2 ^ 25 seconds per year, so you need 2 ^ 45 years._

 _The age of the Universe is about 2 ^ 34 years so far—better get cracking!_

------
hbz
This type of "sophisticated analysis" will be useless whenever zerocoin is
proven as a viable addition to the protocol. True anonymity is scary from a
regulatory standpoint but extremely desirable to many others.

~~~
dllthomas
I would be unsurprised if use of zerocoin winds up being treated as money
laundering.

------
afs35mm
Very curious how Meiklejohn came to associate the 12sENw address with
Bitstamp...

------
ToastyMallows
Anyone know where I can get one of those bitcoin keychains in the picture? :)

Edit: Found it, [http://bkeychain.com/buy.html](http://bkeychain.com/buy.html)
($12??)

~~~
bhartzer
How many bitcoins to get one of those?

