> Michael says he was lucky that he lost the password years ago because, otherwise, he would have sold off the bitcoin when it was worth $40,000 a coin and missed out on a greater fortune.
Yes but stocks are usually tied to a business producing some sort of service that people want, and therefore have value. Crypto is tied to, checks notes nothing.
I’m no shill for crypto, but you can’t with a straight face claim that all non-crypto financial instruments are ‘tied to … some sort of service that people want’.
There’s a whole world of shady crap going on in the ‘legitimate’ financial space.
But crypto bros are often delusional about what intrinsical value exists in the normal market, compared to crypto coins where they invent the value. Therefore manipulation of value compared to real world markets becomes a lot more abstract.
Young's literal translation is pretty good for those who don't read Koine Greek or otherwise aren't eager to break out a copy of Strong's concordance. It's interesting to see the minor difference between "a root" and "the root" for example:
9 and those wishing to be rich, do fall into temptation and a snare, and many desires, foolish and hurtful, that sink men into ruin and destruction,
10 for a root of all the evils is the love of money, which certain longing for did go astray from the faith, and themselves did pierce through with many sorrows;
So you can use it to conduct illegal cross border money transfers... of course most cryptos aren't anonymous and even with those that are, you still need to transfer it to a local currency etc. for that functionality to be useful.
Getting payment in crypto is excellent if you live in a third world country like me. And a lot of services are enabling crypto payments so illegal stuff isn’t really all of it. One example is the Grab app, which is huge in the Asian market. Getting payment and transferring to local currency takes about 20 mins including manual clicks for me. Comparing this to the bank system, which takes a week and has at least 30x cost, it is obviously a huge improvement.
but you can't. you can't send Bitcoin or Eth around the world for "next to nothing" today. not in a reasonable time frame. and that isn't accounting at all for the massive power wastage in the Bitcoin case.
It will currently cost you $1 to send any amount of ETH to another address and that transaction will take 3 minutes. For $1.30, that same transaction will take 30 seconds.
You can do those same transfers cheaper and faster on an Ethereum layer 2.
Which requires KYC in most places, and then you're going to start getting asked about the source of those funds. You'll also need to claim it on taxes, which if lied about will cause additional issues.
So, yeah, the "no questions asked" part is wrong. You can send money to anyone on earth, after a middleman takes a cut on your fiat exchange, the transfer, and the next fiat exchange, with questions asked, public for the world to see.
It's not. It's way easier and cheaper to send a bank transfer or wire. Bank transfers and wires also offer more privacy.
Unless you're actually going to directly use the cryptocurrency (which is generally impossible), it needs to be converted to/from fiat, which requires a bank transfer.
For you maybe, but not for me. Wire is 15 usd on receiving end fixed + some percentage of the amount sent. An ethereum transfer is 2 usd or so into my exchange and exchange charges nothing for withdrawal. Wire transfer takes 3-4 days in best case and bank calls me for some bs after 10 days in the worst case and I have to talk to them to approve it.
So after 20 mins of clicking some buttons I get my fiat currency in my bank account. And it costs 2 usd + some negligible amount.
Dollars are also tied to nothing. A towel with the logo of a sports team also has zero intrinsic value. Same with a shiny lump of useless metal.
That's because being tied to something, or having intrinsic value is not how things gain value.
Things, crypto, dollars, gold, and towels, have value because people WANT them. That's it.
You even touched on it: "some sort of service that people want, and therefore have value" - crypto provides a service people want, therefore by your own words it has value.
If US dollars can be backed by a military, crypto is backed by mining networks.
The mining network is a lot more productive than the US military which has vastly negative economic output. At least ASICs don't wander around wrecking countries in a semi-random fashion. The mining network even operates at a profit, which is much better than the US government by a huge margin. Someone thinks they are worth the money.
Article 12 – dealing directly with the acquisition and disposition of interests (including security interests) in “controllable electronic records,” which would include Bitcoin, Ether, and a variety of other digital assets ... Control under Article 12 is designed to be a technology-neutral functional equivalent of “possession.” It generally encompasses circumstances when a party has the “private key”
Let's be realistic here, most dictators evading sanctions do it (i) with good ol' bags of $/€/CHF/£, (ii) gold/platinum/diamonds/..., (iii) whatever ad-hoc currency satisfies the two parties (promises, shares, goods, ...); in short everything but traceable-in-the-open digital currencies where most of the in/egress feature mandatory KYC.
If you believe e.g. that the US/EU firms still doing business in Russia are doing it in ETH/BTC, I have a port in Serbia to sell you.
That's why I specified 'electronic'. Moving physical items around the globe is obviously within the ability of an independent state, but it has logistical overhead. ETH/BTC is comparatively cheap to move.
But dictators don't want electronic things – especially the ones whose very design implies them being fully traceable such as ETH/BTC.
If you are in the circles where having to move $10M illegally is a common occurrence, paying a guy $10k to take a train between Russia and China with a bag of cash and bribe the border guards another $10k is much better than trying to weasel your way through the KYC process of Coinbase.
I'm not sure if you're being "technically correct, the best kind of correct" or trying to actually specify the definition.
Actual definition:
In the Western world, a "criminal" is any person tried and convicted of breaking the law.
Your definition is, however, correct for how it sometimes works and how "they" would like it to work. (where your use of the word "mandate" means "whichever direction the wind is currently blowing").
Oh god this gets trotted out every time someone points out the evil that crypto facilitates. Give it a rest. It pales in comparison and there are many other solutions that your argument conveniently ignores.
> For example, illegal transactions, scams and gambling together make up less than 3% of volume.
Sure there's the odd dumb criminal who doesn't understand the prosecutorial implications of an immutable public ledger. But it pales in comparison, according to the actual data.
Yes, because most of the transfers happening are speculative investment trades, arbitrage, etc. People moving money around, without paying for anything.
That source says, when it comes to the demand in terms of spending crypto for goods or services:
> 46% of transactions are due to illegal transactions
If Bob transfers $10 back and forth between both of his bank accounts 99 times and then buys $10 worth of crack, would you say that 1% of Bob's money was used for illegal purposes or 100% of it was used for illegal purposes? Depends on what specifically you're trying to measure.
There are two things here that are simultaneously true:
1. A small percent of BTC transactions are for illicit purposes.
2. A large percentage of the goods and services purchased with BTC are illicit.
Moving the goalposts. GP was only talking about illegal activity. But since you brought it up -
Global GDP is $101T. Global yearly forex volume is $2738T. So by this logic you should conclude that 96% of transaction volume in the traditional financial system is also not tied to economically meaningful activities. You're going to be disappointed if you want to believe society as a whole is any less financialized than bitcoin.
What do you think would be an acceptable percentage of speculation?
I think it's absurd to say that only say 3% of crypto transactions are criminal, if the majority of other transactions are meaningless.
Surely what we actually care about is how many useful, legal, meaningful transactions there are.
For example if for every 1 legal transaction there are 3 illegal transactions and 96 speculative or maintenance transactions... it starts looking like this is predominantly for criminal uses even though only 3% of transactions are criminal.
Part of the reason that the US Government has been trying for the last few years to squash it is because it's threatening the US Dollar's hegemony in, cough, international trade.
If you're buying illegal black market shit, you're darn well gonna do it using the Red, White, and Blue's Green!
This is also proof of cryptocurrency's use-case as a method of value transfer (ie. currency). Crime and porn are the traditional testing grounds for new disruptive technologies. I remember this thing called the Internet...
You're making this up. Doing illegal transactions on a public ledger where the off ramps are all KYC makes it easier for them to trace criminal activity than the traditional international banking systems.
Stocks aren't tied to company performance unless they have dividends. Which would mean most stocks are also tied to nothing. Except stocks have recognizable logos I guess.
Crypto is excellent for keeping money and transfers. Especially if you don’t live in the EU or US. Big coins are getting very stable and are good long term investments depending on how you see it will go :)
Bank system is terribly inefficient comparatively and it is a huge market
Yikes. Terrible video that showcases what's wrong with modern youtube and anti-informative entertainment videos. It could have been a three paragraph blog.
I had to stop watching because of all the cringy tweenertainment funny faces and jerky body movements and hands waving all over the place.
Highly recommended, didn't think I'd watch the whole thing but the production quality was great and it explains everything much better than the wired article.
After your reco after the GP's reco, I would have to agree. This is well done. However, coming from a coding/dev background, it was easy to follow and it all makes sense.
However, it goes to show why hacking will never be made interesting in movies without a bunch of fake nonsense like hacking the Gibson's 3D virtual environment.
“Hackers” is interesting because there’s two depictions of hacking in the same movie.
One is flying through the holographic city of files.
The other depiction is quite realistic: they show the protagonist spending all night reading through many pages of assembly to reverse engineer a virus, people do social engineering, etc. “Hackers” made this seem cool too!
Sneakers had them going through the trash, setting up a mark on a fake date, and staking out a building and the security company it used with all sorts of stuff not once looking at a computer screen to "hack" three years earlier.
I like Hackers for the campy side of things, but Sneakers will still take a higher spot on my list.
The best and worst examples were in the same movie, IMO: Nedry's finger-wagging admonishment and all hell breaking loose, then later, "it's a Unix system, I know this!" and some exotic file manager visualization.
Mr Robot has some decent hacking scenes. At least they put up prompt windows with commands that are generic enough to not be hackTheGibson.exe type lame.
I used to work with a couple of the guys who consulted on the technical aspects of Mr Robot. From what I recall, the general idea was to use realistic hacks, but speed through the boring parts to keep the show interesting.
Are you thinking of the one shown in Jurassic park? The scene in hackers was much more CGI, and while I don't doubt it was inspired by fsn, I'd be very surprised if it actually was fsn.
Nearly every crypto wallet I've created, I've initiated a transfer the same day. With the public ledger I can look up the first transaction for one of my wallet addresses and know with near certainty when that wallet was created. I wouldn't be surprised if this was the case for most people.
Who is he in that sentence? Do you mean the owner of the wallet who is absolutely very lucky, or the hackers that did a lot of investigating and reverse engineering to learn that the datetime was the seed? Was that luck or l337skillz?
It was both, like it usually is. All that investigating and reverse engineering would have been for nought if the program didn't have the problems in the first place. Hard work is often how you capitalize on luck. Sometimes the work is enough by itself, and sometimes it's not and the luck is integral.
Seems like they all were lucky that he luckily used a vulnerable password manager and knew the approximate parameters and time it was created. If he didn't get lucky, they might not have been paid.
That is super lucky. They didn’t break the crypto, they broke the PRNG. Amateur wallet design. Any security programmer with a passing knowledge of NIST entropy requirements 800-90 a/b/c would have never done this.
Almost all cryptosystems are broken by implementation issues, not attacks on the algorithms themselves. This may be a particularly straightforward attack, but crypto is hard. There's a lot of details you have to get right and a single mistake can destroy all the effort, regardless of how much else you got right.
Combine the time with some other incremental hard-to-predict inputs.
Start with the time, in the milliseconds (not seconds, i.e. epoch time). Use that seed to create a random number. That random number is now your master_seed.
Once every 10 seconds, measure the temperature of the CPU, and every other temperature sensor in the system, and put that into a new random seed. Create a random number using this seed. XOR it with the master_seed and store it as the new master_seed.
Every time someone moves a mouse, use the timestamp and the pixel offset to update the master_seed similarly as above.
Every time a packet comes into the ethernet interface, use the timestamp and a hash of the packet contents, and update the random seed.
XOR the contents of the video buffer.
Track the timing of keyboard clicks.
There are lots of sources of entropy that you can use to make the seed effectively unguessable.
just like anything else with cryptography, please don't roll your own. all major OSes and programming languages provide primitives to generate cryptographically strong random numbers- use that instead.
Seed? Use a TRNG. Every embedded processor (nearly) has a NIST qualified TRNG. Ring-oscillator for entropy, plus conditioning (whitening), there's your seed. Sometimes amplified thermal noise, but the ROSC is the easiest to manufacture.
From a developer's point of view- if you are given an option to provide a seed value, you’re using the wrong API. Libraries exist to provide cryptographically appropriate RNGs in every major programming language- use those instead.
I was completely engrossed throughout the entire article, and by the end, I was left eagerly wanting to know what the password was. I guess I've watched too many movies.
So Roboform has almost certainly thousands (if not millions) of users with weak passwords, and not only didn't they tell anyone, all they give is a shrug when asked about it.
Anyway the major benefit of using a password manager isn't generating difficult to guess passwords.
It's being able to generate unique passwords so when your details end up on https://haveibeenpwned.com people can't take the password that's leaked and try it on all the other services you've used.
I mean how weak are they really? These guys knew the algo and still struggled and pestered the user over and over for the other parameters. They also had what I would describe as an extreme motivation to crack this.
The constraint is knowing when the password was created. If you know that within a day or so, that makes the problem much more tractable and you can instead focus on number of characters and the other parameters.
Sniffing traffic (yes even encrypted) would be enough to see if you’re going through the login or initial user establishment flow, and that would give you a precise time when the password was generated.
Security people overusing the words serious and critical have really watered down the terms. At this point when I get told something is a serious risk, I file it next to being hit by lightning or eaten by sharks.
sorry to hear that. I don't exaggerate, but the unfortunate part is there is a lot of FUD out there- I just had a friend install nordvpn because someone sent her a gift card scam email to her business email address. So there's a lot of misinformation out there, mostly from folks selling product.
Password management is one of those fundamental security foundations- essentially serving as the 'root of trust' for your own personal digital life. If you mess that up, you're in for a world of hurt. I don't mess around with passwords. Taking your analogy, would you intentionally stand outside under a tree in a thunderstorm, figuring that the risk of getting hit by lightning is so small?
In this situation, the attacker had to know you were using this particular password manager, know roughly when the password was generated, reverse engineer and replicate the password generation algorithm, and make millions of login attempts somehow (almost never possible other than on crypto wallets).
Yes it’s obviously not good that they used the date as a seed, but the realistic risk is pretty much non existent. Even in this case where literal millions of dollars were on the line the “attackers” still had to collaborate heavily with the owner to narrow down the search space. On their own they likely would never crack it.
Absolutely no one is going through all this to get in to your Facebook account when they can just call up some grandma and ask them to transfer a $1000.
You've shifted the goalposts here. You're right that this all comes down to economics. You're not going to go to these lengths to break into a Facebook account -- however -- you have to remember that there is a lot of transitive trust nowadays.
So that Facebook account may allow you federated login to something you do care about. Or your Facebook account is the front page for your business, where a defacement or outage could cost you thousands of $$$. Or you reused your Facebook account's password as the password for your email, which probably was the recovery email for every online account you have... meaning you can now log into every service given access to your email.
Real security is about threat modeling and risk mitigation. Risk mitigation is simply the application of a rough economic model of both the attacker and defender to find a median where you are comfortable. Essentially a fancy way of determining how fast you need to run so that the bear eats the slower person first. Your example is apt- the grandma who is scammed out of $1000 is running much slower than the grandmas who were not, all things being equal.
So when it's "just" a Facebook account on the line, yes, nobody is going to go through massive effort to crack it. But that's not what the original post was about - it was about unlocking millions of $$ worth of Bitcoin. That's worth some effort. Remember also that, in this story, the person who retrieved the password does not end up with 100% of the proceeds, as you would in an adversarial scenario. In the adversarial scenario, the adversary's risk calculus is vastly different and they would be willing to spend a lot more effort (time, money, resources) into cracking that password.
The fact that a password could be cracked at all means it was very weak. Strong passwords can't be cracked with any realistic amount of resources or motivation.
I used the absolute language "can't" intentionally, because frankly, in most contexts outside pure math it's more misleading to state guessing a sufficiently long truly random password is possible than to say it's impossible. Humans can't really intuitively handle probabilities so small. It's the same reason we say heat "always" flows from higher to lower temperature.
Hard to say without details; but now that the weakness is known it may become a lot easier. It's one thing if you think it may work if you have the correct parameters but aren't sure, and quite another if you know it will work.
Password managers are kind of a "defence in depth" thing; practically speaking, a passwords.txt opened with notepad is probably fine for many people. No one is in your computer checking your files. You have a password manager for when that does happen, just in case. And usually this tends to be a targeted attack, which can range from some country's secret service to a jealous spouse to a trolling sibling. If that extra protection is ineffective ... yeah, that's not great.
This really is "better safe than sorry" type territory. Password managers (including Roboform) already do this by notifying users a password may be insecure after a leak. A lot of the time that's not really needed if your password is sufficiently secure, but "better safe than sorry". This is not all that different.
If it had a default creation setting, it would be much easier to crack most users' passwords. There's still a motivation issue, but that's not a solid defense.
A lot of security processes are not designed for, say, state actors with a library of 0-days or a monopoly on violence (i.e. $5 wrench); that doesn’t make them bad.
Security is a spectrum; perhaps some subset of users needed a more secure system, most probably still benefited from this tool?
They are supposed to disclose the vulnerability after fixing it, so their users know they need to take action. That's what the original commenter rightly complained about.
People have bank passwords, social media accounts (which can be used in all sorts of nefarious ways), etc. Some may be 2FA protected, some may not be. Some may be protected by bad faux-2FA.
Just because there aren't millions at stake doesn't mean you can't bring someone to ruin.
Most users are going to be already logged in on their phone apps so they won’t be affected. And the inconvenience is most likely going to be chucking up a captcha to prevent automated attempts.
Crypto doesn’t change the game. Products that generate passwords should do so securely.
You may be using it to protect extremely sensitive information that could have people killed - that’s more important than a few million dollars in imaginary money
Last I checked my lost-password fortune was about $8k.
Now, had I spent the same amount of money on bitcoin that I did on the janky underpowered miner setup I put together by not quite understanding the math, my lost-password fortune would approach $1MM.
It's not clear how datetime was used and why that became a weakness? Doesn't it improve the password security by taking some bytes from /dev/random and salting it with <timestamp>?
The Roboform password manager used a datetime value as the seed of the pseudorandom generator, meaning that it would always generate the same password if the system clock time was the same. They managed to crack the wallet by reverse engineering the password manager and feeding its pseudorandom number generator all datetime values between certain dates that were thought to be near the time when the original wallet owner had generated the password.
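The flaw described in the comment above, next to the fix several earlier comments recommend (use the OS CSPRNG), as an added example that is not part of the thread and is not Roboform's actual algorithm. Python's `random.Random` stands in for the vendor PRNG, and the character set, password length, dates and function names are assumptions constructed for the illustration.

```python
import math
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed password policy for the illustration: 62 symbols, 20 characters.
CHARSET = string.ascii_letters + string.digits


def time_seeded_password(created_at: datetime, length: int = 20) -> str:
    """Flawed pattern: the PRNG seed is the creation time in whole seconds.

    The same clock value always yields the same password, so the password
    carries no more entropy than the uncertainty about when it was made.
    """
    rng = random.Random(int(created_at.timestamp()))
    return "".join(rng.choice(CHARSET) for _ in range(length))


def csprng_password(length: int = 20) -> str:
    """Corrected pattern: no seed parameter at all, the OS CSPRNG is used."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def nominal_bits(length: int = 20) -> float:
    """Entropy the password appears to have from its length and alphabet."""
    return length * math.log2(len(CHARSET))


def effective_bits_time_seeded(window: timedelta) -> float:
    """Entropy it really has when the creation time is known to a window."""
    return math.log2(max(1, int(window.total_seconds())))


def audit_window(password: str, start: datetime, end: datetime,
                 length: int = 20):
    """Audit helper: return the creation time inside [start, end] that
    reproduces `password` under the flawed generator, or None if no
    second in the window does (the result for a CSPRNG password)."""
    t = start
    while t <= end:
        if time_seeded_password(t, length) == password:
            return t
        t += timedelta(seconds=1)
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from the article.
    created = datetime(2013, 5, 15, 12, 34, 56, tzinfo=timezone.utc)
    start = created - timedelta(minutes=30)
    end = created + timedelta(minutes=30)

    weak = time_seeded_password(created)
    strong = csprng_password()

    print("nominal bits            :", round(nominal_bits(), 1))
    print("effective bits (30 days):",
          round(effective_bits_time_seeded(timedelta(days=30)), 1))
    print("weak password reproduced at:", audit_window(weak, start, end))
    print("CSPRNG password reproduced :", audit_window(strong, start, end))
```

Both passwords look identical in length and alphabet; only the time-seeded one is recoverable from the window, which is why a strength meter based on length and character classes cannot detect this class of bug.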
"Michael... now has 30 BTC, now worth $3 million, and is waiting for the value to rise to $100,000 per coin."
What the ? You presumably go from not a millionaire to having $3,000,000, and you decide to risk it to triple it? That's some next level greed right there.
FYI he's not gambling the bitcoin, he's holding onto it, and given its history, which is the sub-story, it seems to be the smart thing to do not the risky/dumb thing to do, especially in the current stage of the cycle.
Not if you're the sort of person who dismisses it out of hand, no.
In the context of understanding that Bitcoin is the best performing asset over its admittedly small lifetime, then it just sorta kinda might just start the process of making sense to unthaw a little.
This justification is only valid for certain time-scales however, and once you get into a discussion of that it can easily degenerate into cherry-picking and misaligned points - and I can be accused of cherry picking in limiting my judgement to "over its admittedly small lifetime".
Basically, it comes down to a difference of opinion in the long-term value of an asset that hasn't existed long-term. If using the only available data, being short-term, as a guide, then it could be predicted to be a great investment.
Past performance is not a guarantee of future returns. True of everything. I guess you and me both are just showing our different colours based on, potentially, the exact same reference data (although I'm going to assume my reference data set is larger and/or more varied than yours).
Alternate comprehension of your comment:
He's not gambling his Bitcoin, he's holding it. At the "end" he will still have the same number of Bitcoin. I believe your misunderstanding is that it may represent a smaller US dollar value and therefore he's gambling his bitcoin, however this means he's actually gambling the value of his bitcoin - which I specifically didn't say.
> FYI he's not gambling the bitcoin, he's holding onto it
This is the type of cultish speak that makes it insufferable to listen to your sermons.
Yes, he is "holding onto" his Bitcoin. But based on the interview it represents something like >90% of his net wealth. Putting >90% of your net wealth onto an extremely volatile asset like Bitcoin can fairly be called "gambling". Some gambles have positive expected values and some gambles have negative expected values, but taking risks of such level should be called "gambling".
There is very little meaningful distinction between "holding onto" Bitcoin and "buying" Bitcoin. The fact that he already owns the Bitcoin doesn't make it any less gamble-y.
> At the "end" he will still have the same number of Bitcoin.
Nobody here claimed otherwise. You're attacking some kind of weird strawman argument.
> What the ? You presumably go from not a millionaire to having $3,000,000, and you decide to risk it to triple it? That's some next level greed right there.
This implied selling btc to get dollars is less risky than holding BTC. I replied to that statement. You will likely lose more value holding dollars than holding BTC. Neither is an investment, they are both an asset.
At no point in the story did the person "have" 3 million dollars worth of USD. They had Bitcoin worth 3 million dollars. The letters "$3,000,000" refer to the USD-denominated value of the Bitcoin. When they talk about "risking it", they refer to the idea of keeping the Bitcoin, as opposed to selling the Bitcoin and then doing something else with the money. It's not specified how exactly one might invest 3 million dollars, but no reasonable person would keep the whole amount in a bank account.
Nobody implied that holding 3 million USD in a bank would be a good idea.
Michael waited until it rose to $62,000 per coin and sold some of it. He now has 30 BTC, now worth $3 million, and is waiting for the value to rise to $100,000 per coin.
Math is mixed up. He's got 43.6 BTC. Currently worth $68K each, for a total of $2.9 mil. He's waiting for it to be worth $4.4 mil.
I'm betting his retirement math worked out to $4.4 mil before taxes. And, $100k is a human-bias round number that BTC is widely expected to hit in the next year.
Considering bitcoin call options for March 2025 are going for only about 12k, I think it's fair to say the consensus is that bitcoin exceeding 100k in about a year is unlikely.
You want him to swap absolutely scarce Bitcoin for something that can be printed infinitely out of thin air? Swapping to dollars would be the risk here.
Only since crypto boom I see people (crypto aficionados) thinking of money as an investment. And that makes no sense, as you explain yourself.
Dollars are much less volatile and thus less risky than any crypto currency I know. A perfect intermediate step before investing in some equity or some other thing that produces value.
I think it makes sense to consider money as an investment. It's somewhere you're deciding to hold value. Holding cash is a bad investment due to inflation so you need to spend it or store the value somewhere else. It's one of those things where deciding not to invest your money somewhere is a decision to invest it in money.
You know what else is absolutely scarce? Litecoin. And Solana. And XRP. And Cardano. And Avalanche. And Chainlink. And Bitcoin Cash. And Tron. And Ethereum Classic. And Stellar. And VeChain. And AlgoRand. And an infinite amount of other coins that anyone can invent at a moment's notice.
Bitcoin only has value because someone else is willing to pay for it. That can hold true until it suddenly doesn't. If Bitcoin disappeared today, the world would go on without blinking. Nothing would stop functioning. That is of how little use it actually is.
That said, I'm a great believer in the meme value of Bitcoin and the greater fools. I hold several, with the belief that someday enough other fools will pay me a lot more fiat money to allow me to retire in style.
True, but if he were looking for guaranteed returns he picked the wrong investment. I presume this person has some level of risk tolerance far exceeding zero.
"Michael... now has 30 BTC, now worth $3 million, and is waiting for the value to rise to $100,000 per coin."
Can someone help me understand this? If his 30 BTC are now worth $3 million, that comes down to $100,000 per coin. But he's waiting for the value to rise to... $100,000 per coin?
Time for a new investment strategy that involves buying whatever (index funds?) then losing your password to force a hold till the encryption algo has been cracked or compute power makes it easy to brute-force.
An interesting but not entirely practical offshoot of this idea is a fund that buys (collects legally?) wallets with lots of crypto & lost passwords and tries to crack them over time.
Or just buy random used digital storage devices in bulk and scan them for potential wallets, or other marketable data. Half the "broken" USB drives out there still have plenty of retrievable data on them. It would be like the "Storage Wars" show, but digital.
(Fyi, one very marketed video tape was discovered when the contents of a certain celeb's storage locker was put up for auction. Imagine the possibilities if one collected all the storage devices thrown away in a particular LA neighborhood. Or DC.)
This is already done. The feds and hackers have huge troves of wallets and files that they are trying to crack, either by finding holes in the encryption method used or brute force.
Bitcoin has a locktime opcode[1] which allows you to set a time when the transaction output can be spent, effectively locking the funds irrevocably for a fixed amount of time.
This is already how bitcoin mining works. Compute is used to calculate partial hash collisions via brute force. The number of bits required in the collision adjusts dynamically based on the duration of the last 2016 blocks. If you're the first to find a valid collision for the next block, you get 3.125 BTC.