Bitcoin Bits taking a professional break

Hi all! I have to pause Bitcoin Bits for a bit (ha). I’m involved in a bitcoin-blockchain project now that includes an activity similar to publishing Bitcoin Bits, and I don’t want there to be any conflict of interest. Since I’m actually getting paid for that, it has to take priority.

I can’t tell you what the project is yet, but maybe soon. (wink)

I’m not abandoning the blog, though. Somehow I will find the time to continue with my research, and as you know, I enjoy sharing it with you. So there will still be new articles. Perhaps not as frequently (not that they were ever frequent, cough).

And Bitcoin Bits might well be back one day! I hope so, it was a lot of fun to do. My new job is a lot of fun too, though, and I look forward to talking more about it.

To end the weekend with a smile, this has nothing to do with anything blockchain, but you have to see this stunning photo of what must be the happiest looking caiman ever. 🙂

photo by Mark Cowan, via Colossal

Back soon… (waves)

Bitcoin Bits: 11 September, 2016

The weekly roundup of crypto tidbits, opinions and currents that caught my attention:

— x —

Some Economists Really Hate Bitcoin: An Overview – by Kyle Torpey

This article had me rubbing my hands in glee. My theory (based on not much other than a nerdish fascination with economic history) is that if it is pissing off economists, it must be worth taking a look at.

Kyle reels off a list of well-known economists that have spoken out against bitcoin, although they have yet to demonstrate that they understand it. From Krugman’s labelling it a “scam” (really? And how’s that, Paul?) to Stiglitz declaring that the US government had managed to shut it down (a slip, no doubt, that will haunt him for many years), most seem to dismiss it as a peripheral fad or as something put in the market to annoy them.

An entertaining article with a gritty bunch of characters… I feel there’s a movie script in here waiting to come out.

— x —

A cryptocurrency thriller made for TV

On Tuesday, Sony released its new series “Startup”, streaming on Crackle, starring Martin Freeman and Adam Brody. It’s about bitcoin. Ok, not really, it’s about idealism and power and relationships and violence. And bitcoin. Only the protagonist is a currency called Gencoin, supposedly better than bitcoin, because bitcoin is open source and therefore susceptible to third party interference.

Hunh?? This article in Fortune has an intriguing excerpt (annoying that the only female VC at the table prefaces her first question with an apology, but that’s entirely off topic). And you’ll see that the arguments for Gencoin vs bitcoin are spurious at best. But whatever, this is TV, and it has Martin Freeman, so I might give it a chance.

— x —

Downside of Bitcoin: A Ledger That Can’t Be Corrected – by Richard Lumb, for the New York Times

Nice try, but no cookies. Richard Lumb from Accenture (the firm is plugged several times in the article – is this branded content?) tries to allege that blockchains are of no interest to financial services if they are immutable, if they can’t be “rewound”, if previous transactions can’t be erased or changed. And for someone from Accenture, who are actively positioning themselves in the pages of the New York Times, to conflate Bitcoin and the private blockchains that banks are looking at, is utterly bewildering.

“One thing is clear: If the financial services industry is to embrace a new technology, it cannot be one in which mischief and mistakes are immutable and fraudsters can defend their actions on spurious ideological grounds.”

This is a narrow way of looking at things. Immutable does not mean “not fixable”. Handing over cash is pretty immutable, right? If it’s in someone’s hands, it’s his? So, you go to the store and you pay for something with cash. You get home to find that it’s defective. You take it back to the store, and they give you your cash back. Immutable, but at the same time, fixable.

Laws. Public blockchains don’t have them, outside the basic functioning of the protocol. Private blockchains can. Fraudulent or erroneous transactions can be reversed without rewriting the blockchain. Just like in the store they can give you your money back without rewinding time.

“The financial services industry needs to face the question of how to balance the appeal of pristine accounting with the demands of the real world, where some things simply need to be struck from the records.”

Why do they “need” to be struck from the records? Again, I question the premise. The “right to be forgotten” ruling applies to information displayed publicly. It does not imply the complete erasure of that information. If someone committed a crime and did the time, that information is not going to be simply erased from all records everywhere, just because the person in question manages to get it struck from all public records and search engines. Private blockchains, such as those that financial services are looking at, can hold whatever information they want. They just can’t make it public. But since that is most likely not part of their business model, I don’t see the conflict.

No disrespect meant to the New York Times, but if they are going to blatantly plug a firm’s services in an op-ed, shouldn’t the veracity of the firm’s insight be vetted first? This article was harmless, but neither party came out looking good.

— x —

Blockchain Requires Radical Change, Not Compromise – by Frances Coppola for CoinDesk

An inspiring article by Frances Coppola, in my opinion one of the most insightful financial journalists out there.

“I was left wondering what was so great about a distributed ledger when it simply distributes the functions of the present system over multiple computers.”

In this article for CoinDesk, she points out that most blockchain applications are missing the big opportunity: to radically re-think how we do things. Most just try to improve existing processes. Which is ok, unless you consider that once the processes are passed over to the blockchain, we won’t collectively get this thinking-outside-the-box opportunity again until the next technological revolution comes along.

“To use radical new technology effectively, you have to be radical – otherwise, all you end up with is a retro-fitted version of the present system.

The benefits of the new technology are watered down or overwhelmed by the need to maintain the practices associated with the old system – many of which only exist precisely because of its inefficiencies. The new technology can even seem less efficient than the old one, simply because it isn’t designed for use with processes from the past.”

So let’s not waste it.

“The real benefits from DLT will come not from re-engineering capital markets as they currently function, but from re-imagining capital markets for a radically different future.”

If only…

— x —

Nothing to do with cryptocurrencies, but I couldn’t resist sharing these with you… They’re cakes. Yes, cakes. Created by former architect and current genius Dinara Kasko, these are definitely way too amazing to eat.

by Dinara Kasko, via mymodernmet

Check out more (they’re all unbelievable) at

— x —

There’s a $500 billion remittance market, and Bitcoin startups want in on it – by Luis Buenaventura, for Quartz

Wow. Apparently about 20% of Korea-Philippine remittances are now done using bitcoin.

I wrote a while ago about how hard I thought it would be for bitcoin to make a dent in this lucrative and logistically difficult market. Which I thought was a great pity, given the potential to lower costs for people who really need it. But apparently the proliferation of smartphones is smoothing the way. That, combined with a flurry of startups looking to enter the space, is convincing people to give it a try. Especially since many of the current users don’t even know that it is bitcoin they’re using.

“Senders pay for their transactions in local currency, and the cash is converted into bitcoins before being transmitted to the destination country. Once there, the bitcoins are converted into the local currency of the beneficiary. The facilitating company takes a cut during the currency exchange, as with a traditional provider, and neither customer is necessarily aware that bitcoins were involved.”

We need to bear in mind that this article was written by the co-founder of one of the Philippines’ most prominent bitcoin remittance startups, but he left the startup and its parent company Satoshi Citadel Industries (briefly mentioned in the article) last year. He is currently working on blockchain and other tech solutions for remittance companies, and so it’s possible that his rosy-tinted view on the outlook for the remittance sector is influenced by his need for the outlook to be rosy. But, it’s also probably safe to assume that he has access to better information than most of us. And if he didn’t believe the outlook to be rosy, he wouldn’t be working in the sector. However, the prospects may be not quite so potentially lucrative for both sides of the table as he claims. The path to mainstream adoption will be difficult and bumpy, and that’s even before regulators decide to step in and take their slice. To Luis’ credit, he seems to recognize this:

“Because of their customers’ dependence on hard currency, remittance providers must also have cash-out partners in every town and district, which tacks on additional costs and introduces security risks. Digital currency can’t magically transform into paper money when you need to buy vegetables at the local market, or pay transit fare to get your kids to school.”

— x —

Enjoy what’s left of your weekend! And give ’em hell next week…

What is multisig security?

Since the Bitfinex hack we’ve been hearing the term “multisig security” thrown around as if it were supposed to be some sort of talisman that wards off the evil eye of bitcoin theft. So it’s time we took a look at how it works, so that maybe when we find out how the hack happened, we’ll understand (maybe).

by Kimson Doan for Unsplash

A multisig transaction, as its name implies, requires several valid signatures for it to be accepted. Traditional, simple transactions involve me sending bitcoin to another address and signing with my private key. But what if my computer was hacked and my private key was copied? Then the hacker could create a transaction with my bitcoins and sign with my private key. How can I protect my funds against that happening?

I could establish a rule that more than one signature is necessary for a transaction. Instead of just one private key, my public address could have two private keys, one held by me and one held by a trusted third party. For the transaction to go through, it has to be signed by both private keys. That way, if someone does get hold of my private key and tries to send him- or herself my bitcoins with that signature, it won’t go through unless the second signature (with the second private key) is also applied. It’s a bit like the rule in some banks that two signatures are required for withdrawals. It puts a “check” in place, and makes it much, much harder for a thief to get at my account.

That sounds simple enough, but how do I know the third party won’t disappear or go offline? And what if I don’t want to give a third party that much access to what I do with my bitcoins? Isn’t one of the cryptocurrency’s main advantages independence and anonymity? Multisig transactions can be set up to be 2-of-3. Instead of an address having two private keys, it has three. Two are held by me (one easy to access, the other in cold storage, for example), and one by the third party. Normally the third party and I would sign. But if the third party refuses or can’t for whatever reason, and I really want to enable the transaction anyway, I can dig up my other key and commit the second signature with that.

Another potential application is that of e-commerce trust. What if I bought something with bitcoin, sent the transaction, signed it with my private key and then never received the merchandise? I can ask for my money back, but it’s unlikely I’ll get it. To make both myself and the vendor more comfortable, I could send the payment to an escrow account with multisig security, for which the vendor, a trusted third party and I hold the private keys. The vendor sees I have done this, and releases the goods. When I receive the goods, I create the payment transaction, instruct the third party to add his or her signature, and everyone is happy. If I refuse to pay, the vendor could try to convince the third party that I am behaving badly. If the third party believes that the vendor should be paid, he or she and the vendor sign the payment transaction. Presumably I’m not happy, but at least the vendor isn’t out of pocket.

Although the term “multisig transaction” is often used, it’s actually the address that is multisig. Any movement of funds from that address needs to be co-signed. The address can be a one-time public key created for a specific transaction (in which case “multisig transaction” and “multisig address” are interchangeable). Or it can be a multisig wallet, from which all transactions require more than one signature. Most multisig wallets are HD (hierarchical deterministic), which means that a sequence of addresses can be generated from a “seed”. These addresses can be re-generated at any time from that seed, but it is impossible to determine the seed from one of the addresses. Each address generated in this way can in turn generate a series of corresponding private keys. This increases security even further, by allowing each transaction from a wallet to use a different address.

The most common configuration for co-signing is 2-of-3, in which three private keys are issued for an address, and any two of them are enough to authorize the transaction. But the combination could be anything: 5-of-7, 2-of-2, 6-of-10… And the multisig feature does not always have to involve a trusted third party. It could be your partner if you have a shared account. It could be you, your Treasurer and your COO for a company address. Or you could hold both keys, but on separate computers (or one online, one offline), to reduce the possibility of a hacker getting hold of both of them.

Multisig functionality was not part of the original bitcoin platform. It was added in BIP 11 (the first standard Bitcoin Improvement Proposal) in late 2011, but did not start to be widely used until 2014, as commercial services started to make it easier to configure. At the beginning of 2014, only 0.02% of all bitcoins were multisig protected. Today the figure is up to almost 12%. (Note the big slump end-July/beginning-August – yup, that’s the Bitfinex hack, the graph shows a significant amount of bitcoins being transferred out of multisig accounts).


The first multisig wallet was commercialized by BitGo in August 2013, and had the added feature of two-factor authentication. The BitGo server would send a one-time code to the user’s phone. If the user used the correct private key and accurately typed the code into the interface, then BitGo would use its private key to countersign the transaction. In 2014 it added the HD functionality. Since then, Armory, CryptoCorp, BitPay, Circle, Coinbase, Xapo, Electrum, Ciphrex and other bitcoin services have implemented multisig protection, and several large exchanges (Kraken, Bitstamp, Bitfinex, Tera Exchange) have incorporated the functionality through collaborations.

There is no universal configuration format – each business case has different requirements, and each collaboration shares different priorities. Armory, for instance, introduced fully decentralized multisig functionality in July 2014, in which the user generates as many private keys as he or she wishes (up to 7), and can distribute and protect them separately. There is no “trusted third party” unless the user specifically designates one. As a digital custodian, Circle controls all the keys, in physical isolation, for the multisig security it uses to protect the bitcoins it holds for others. Xapo Vaults require 3-of-5 signatures from different cold storage vaults around the world.

In the bitcoin lifespan, multisig transactions are old news. They have been possible for 2/3 of bitcoin’s history (BIP11 was accepted in December 2011). But even now, they are not very widely used. Why? I suspect that it’s largely because of added complications. We’re lazy, and until we have a scare, we don’t see the point of implementing extra security measures. The recent Bitfinex hack could be enough to jolt us out of complacency, and send us searching for a safer option for our wallets. And wallet service providers will most likely continue to iterate and improve on their interfaces and their security. So multisig will increasingly become a relatively easy option, and who knows, perhaps even end up as the default.

But the fact remains that multisig, as we have seen over the past week, is not as safe as we were led to believe. Once we know more about how the hacker managed to compromise two private keys, we’ll be able to draw conclusions about multisig’s reliability and needed updates.

Some potential weaknesses of multisig technology that come to mind:

  • In many cases, the third party signing is automated, and flags are only raised in certain circumstances (large amounts, sudden high volume of transfers, etc.). It would be theoretically possible for a thief to siphon off bitcoins without raising any flags.
  • Insider collusion. A hacker happens to work for a multisig wallet provider. He or she gets hold of the user’s private key, and then double-signs with the wallet’s key, diverting funds to his or her own account. Or, a hacker could be working in collusion with an insider. Or, a government could force the multisig third party to act a certain way…
  • The keys could be copied at time of creation. In some cases, the user’s two keys are sent to him or her by email. How hard would it be for a hacker to access that email?
  • Multisig configurations in which 2-of-3 keys are held by the user do not protect the user from coercion (sign this transaction with both of your keys or I’ll…).
  • As with any wallet software, you are trusting it has no “back door” for a hacker to use. The hacker would have to be either in collaboration with the software provider, or have created a convincing replica that he or she gets you to download instead.
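
The first weakness in the list above, sketched as an added example (it is not from the original post or from any wallet provider's code): an automated co-signer that only flags large single transactions, next to one that also caps what it has co-signed in a rolling 24-hour window. All names, limits and the request list are constructed assumptions.

```python
from collections import deque

SAT = 100_000_000            # satoshis per bitcoin
PER_TX_LIMIT = 5 * SAT       # assumed: hold any single spend above 5 BTC
WINDOW_SECONDS = 24 * 3600   # assumed: rolling window for the velocity rule
WINDOW_LIMIT = 20 * SAT      # assumed: at most 20 BTC co-signed per window


def per_tx_cosigner(requests):
    """Naive rule: co-sign anything at or below the per-transaction limit."""
    return ["sign" if amount <= PER_TX_LIMIT else "hold"
            for _, amount in requests]


class VelocityCosigner:
    """Co-signer that also tracks the total it has signed in the window."""

    def __init__(self):
        self._signed = deque()   # (timestamp, amount) of co-signed spends
        self._total = 0          # sum of amounts currently in the window

    def decide(self, ts, amount):
        # Drop co-signed spends that have aged out of the rolling window.
        while self._signed and self._signed[0][0] <= ts - WINDOW_SECONDS:
            self._total -= self._signed.popleft()[1]
        # Hold for manual review on either a large spend or a busy window.
        if amount > PER_TX_LIMIT or self._total + amount > WINDOW_LIMIT:
            return "hold"
        # Only spends that were actually co-signed count toward the window.
        self._signed.append((ts, amount))
        self._total += amount
        return "sign"


def velocity_cosigner(requests):
    cosigner = VelocityCosigner()
    return [cosigner.decide(ts, amount) for ts, amount in requests]


def signed_btc(requests, decisions):
    """Total BTC the co-signer released for a list of decisions."""
    total = sum(amount for (_, amount), d in zip(requests, decisions)
                if d == "sign")
    return total // SAT


# Constructed sample: twelve 4 BTC requests ten minutes apart, each below
# the per-transaction limit, then one more request 26 hours after the first.
SAMPLE = [(i * 600, 4 * SAT) for i in range(12)] + [(26 * 3600, 4 * SAT)]

if __name__ == "__main__":
    naive = per_tx_cosigner(SAMPLE)
    capped = velocity_cosigner(SAMPLE)
    print("per-tx rule signs  :", signed_btc(SAMPLE, naive), "BTC")
    print("velocity rule signs:", signed_btc(SAMPLE, capped), "BTC")
    print("held for review    :", capped.count("hold"), "requests")
```
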

We can’t go through life fearing every eventuality. No system is completely infallible, and all of the above situations are extremely unlikely. But they are possible. And the Bitfinex hack has shown us that multisig isn’t always enough.

Uncertainty is never good for any ecosystem, especially when the economic risk is so high. But knowledge is power, and identifying weaknesses does lead to additional strength. Multisig is a cool feature. It’s obviously not perfect, but as with most code, it can be tweaked and worked on to become even stronger.

The incentive to steal is as old as time itself. The incentive to protect ourselves from that theft has given birth to today’s technology, society, political systems and way of life. The bitcoin community continues to pour considerable time and effort into innovating, improving and staying one step ahead of the bad guys. And they will continue to do so because they have more to gain than the bad guys. After all, safe bitcoin deposits that are also easy to transact with, that will extend the use of the cryptocurrency and encourage a reform of the way we handle value – that’s a pretty good incentive.

(This post was originally published on LinkedIn.)



Bitcoin Bits: 4 September, 2016

A roundup of some of the more interesting articles of the week (and it was difficult to choose, there’s a lot going on!):

— x —

How Bitcoin was brought down by its own potential—and the banks – by Luke Ryan, for Quartz

This enigmatic opening sets the tone for what follows:

“The best that can be said about Bitcoin right now is that it still exists.”

What follows is a sobering and narrow take on the outlook for a cryptocurrency that has people re-thinking economics and the role of money, that has innovators re-designing business processes, that has libertarians rubbing their hands in glee at the decentralizing potential and that has regulators realizing that they are hopelessly behind on technology.

“Split by internal divisions while its most useful aspects are harvested by the very financial behemoths it once hoped to destroy, Bitcoin is fast becoming the tech world’s version of Waiting for Godot, wherein a hermetically sealed community squabbles and bickers over arcane points of code and law as their world slowly crumbles around them. In the last 12 months, attempts made to produce a road map for the cryptocurrency’s future have come to naught, all while core developers abandon the project and opaque Chinese mining concerns wield outlandish power.”

And that’s just the warm-up. Apart from the mystifying claim that bitcoin’s influence on fintech via the blockchain mechanism means that bitcoin has failed… Aside from the superficial assumption that internal bickering means chaos not caution… I would imagine the “world crumbling around them” might be mitigated by the Cambrian explosion of new businesses, and the fact that the price is 2.5x what it was a year ago. So a road map hasn’t been produced in the past 12 months, so what? It will be. Core developers abandon the project? Does anyone know of a project that has been going for 7 years that hasn’t had turnover? And “outlandish power” sounds marvellous, but I have no idea what it means.

That was fun. Next paragraph, please.

Don’t worry, I won’t go through the article paragraph by paragraph. It’s actually a very good read, beautifully written, whether you’re a bitcoin skeptic or not. If you are a skeptic, you’ll enjoy the drama. And if you’re not, well, you’ll enjoy the drama and probably have a good chuckle as well. Or feel like throwing your computer across the room. Whatever.

I like this part:

“In comparison to the almost $5 trillion traded on the international currency markets each and every day, Bitcoin’s $10 billion market cap is next best thing to a rounding error. It could vanish entirely and only a small cadre of true believers (and high-end drug dealers) would even mark its passing.”

What the author says in the article is not false. And his disappointments are presented with a flourish. But they miss the point. Bitcoin does not need to dominate the world to be a success. It does not need to replace banks, monopolize asset transfer nor claim the credit for the transformation of business. By putting control over one’s assets in users’ hands, by allowing new business models to grow and by introducing a new concept of value, bitcoin has earned its place in history. And a steadily growing faith in its usefulness in these times of financial turmoil could well push the price higher still. If not, even that doesn’t mean that the experiment was a failure.

The overblown hype in the early days was just that, overblown hype, which as the author points out, is endemic to virtually all revolutionary technologies. I’ve argued before that I don’t think that overblown hype is a bad thing. I think it’s a necessary and potentially useful phase.

And finally, can anyone point to an asset class that did not need to overcome obstacles at first? Especially the obstacle of public skepticism. Which, by the way, is healthy…

— x —

Spectacular and unintentional earth art: the solar panel field in Nevada. Amazing images by award-winning photographer Reuben Wu, via Colossal. Surreal. Beautiful. Disconcerting and hopeful at the same time.

image by Reuben Wu, via Colossal

(Anyone read “A Visit From the Goon Squad” by Jennifer Egan? These photos made me think of the short story told entirely in PowerPoint, in which they end up in a solar-panel field. “They remind me of robotic ninja warriors doing Tai Chi.” If you haven’t read it, I thoroughly recommend it – engrossing, clever and eye-opening, one of my favourite fiction reads from the past few years.)

— x —

Maybe blockchain really does have magical powers – by Elaine Ou, for Bloomberg

Walking us past the WEF’s much-talked-about blockchain report, and R3’s distributed ledger consortium approach, Elaine highlights the potential impact of the blockchain on settlement of trades.

“Clearing and settlement of trades — that is, making sure the cash and assets involved in the deals actually get to their new owners — is difficult because records are distributed across thousands of different institutions, each of which maintains its own accounts in its own unique format. Multiple players must somehow come to agreement on who owns what and who owes what to whom — a reconciliation process that requires a lot of time, money and human involvement.”

A situation that is obviously crying out for some applied efficiency. A sector that obviously needs some loving disruption. We have had the technology for some time. So why hasn’t it happened yet?

“…the only thing previously stopping the standardization of reconciliation processes was the unwillingness of financial institutions to collaborate. Financial institutions spend $65-80 billion on back office reconciliation every year. The employees working in back offices probably offered lots of excellent reasons why their roles couldn’t simply be standardized away.”

In spite of a considerable amount of hype, misdirection and confusion, it seems that progress is being made.

“Maybe one of the biggest effects of all the blockchain hype will be getting a bunch of security-conscious egoists to come to an agreement that benefits them all. That would truly be magical.”

— x —

‘Settlement Coin’ is All About Banks, Not Blockchain – by Frances Coppola, for CoinDesk

Almost as a response to the previous entry (but it’s not), here you have an excellent article on an exciting project: a consortium of banks (UBS, Deutsche Bank, Santander, BNY Mellon) have combined forces with settlement house ICAP and blockchain developer Clearmatics to create a “Utility Settlement Coin” to enable securities trading settlement on the blockchain.

“Getting industry-wide agreement on moving to same-day settlement is like pulling teeth (even moving to T + 2 has taken years to implement). So, it looks like our consortium banks want to take matters into their own hands. Blockchain gives them a technical excuse to bypass the existing moribund processes.

There is another reason, too. Reserves and collateral are low-yielding assets that clog up bank balance sheets. Banks would really like to find a means of settling without having to pledge collateral at central banks. In fact, ideally they would like not to have to use central bank money at all.”

Apart from the fact that 4 big banks have managed to agree on a protocol and a provider, which is newsworthy in itself, you have the compelling idea of using a “token” on the blockchain to represent cash payments for security settlement.

“Bank reserves can’t be used for settlement on a permissioned blockchain: they can only be used for settlement via a central bank RTGS system. In contrast, our Utilities Settlement coins – we assume – would be used for settlement on a permissioned blockchain collectively owned and managed by the consortium. A private settlement system for real-world currencies, effectively backstopped by central banks.”

How far can we take this “representation” of cash via tokens on a blockchain concept? And how could this impact/replace/leverage the creation of money supply through fractional reserve banking? Would it increase financial system fragility or decrease it? Told you it was exciting.

— x —

Cyber threat grows for bitcoin exchanges – by Gertrude Chavez-Dreyfuss, for Reuters

This is an interesting example of misdirection and incomplete reporting that ends up performing a worthwhile public service.

“In the most recent study, the rate of closure for bitcoin exchanges in Moore’s research edged up to 48 percent among those operating from 2009 to March 2015. Hacking did not necessarily trigger the closure in each case.”

A risk and security analyst has called this high percentage “not acceptable”, which opens a layered series of philosophical debates (such as, how do you propose to prevent it?). “Unfortunate” would be a more appropriate word, because it is. It is not surprising, however. Bitcoin exchanges are startups. Startups fail, close to 90% of them, according to a report by Forbes. So, relatively speaking, bitcoin exchanges are doing pretty well, especially when you take into consideration that many of them operate in an unregulated sector.

“Profitability is a big problem for bitcoin exchanges, with many of them unable to generate enough volume to keep afloat.”

I do get that vulnerable exchanges are more of a potential menace to the public than vulnerable startups. Startups come and go, but usually don’t take our money with them. Investors’ money, yes, but that’s a risk that is clearly set out up front. With exchanges, not so much. We aren’t aware that we are “investing”, because technically we’re not, but our money is at risk anyway.

Unlike startup closures, bitcoin exchange closures often result from hacks. You don’t as often hear of startups closing because of theft. A study funded by the US Department of Homeland Security revealed that between 2009 and 2015, 33% of all bitcoin exchanges were hacked. Yikes. It’s not that bitcoin exchanges are being particularly targeted:

“Among the world’s stock exchanges, however, security breaches are much higher, with hackers attracted to the large pools of cash moving in and out of these trading venues. The latest survey of 46 securities exchanges released three years ago by the International Organization of Securities Commissions and World Federation of Exchanges found that more than half had experienced a cyber attack.”

The public service part of this article comes from highlighting the vulnerability of bitcoin exchanges. We should be reminded of that often. And we should be shown alternative and secure ways of storing our bitcoin. We won’t solve the problem, we won’t stop hacking or cash flow mismanagement, and we probably can’t do much about bad luck. But maybe we can reduce our personal vulnerability through more publicity about the potential risks and more knowledge about how to mitigate them.

— x —

Peaks, troughs and hacking: Why would anyone invest in bitcoin? – by Luke Graham, for CNBC

Bitcoin as a new asset class for investment portfolios, and a “safe haven” asset at that:

“Bitcoin provides a good option for a small percentage of someone’s portfolio to park their money in a place that’s completely uncorrelated to the rest of the capital market.” [quote from Chris Burniske, blockchain analyst at ARK Invest]

That in itself should generate a new use case, especially if regulatory support comes through.

“Like any new industry, the world of crypto is a wild west frontier with its fair share of failed experiments and bad actors,” said Hayter [founder and CEO of CryptoCompare]. “It’s only through this phase of experimentation and evolution that lessons are learned and practical solutions put in place. Regulation to protect consumers will be important, but too soon and it could snuff out the opportunity.”


What is Ethereum’s difficulty bomb?

With an alarming name for a relatively straightforward workaround (although in blockchain land, even straightforward things aren’t really), the “difficulty bomb” is an ingenious way to get all Ethereum miners to switch to another consensus system.

by Blake Richard Verdoorn for Unsplash

A bit of background: Ethereum currently uses the Proof of Work consensus algorithm, but has always planned to switch to a Proof of Stake system at some point in the future. Casper, as its Proof of Stake system will be called, is in development, and will be rolled out sometime in early 2017, according to the current plan.

One problem has been, as with every decentralized permissionless system, how to get everyone to switch over to the new system, to avoid split chains, replay attacks, etc. As we saw with the recent hard fork, there is always a strong possibility that some will stick with the old system, and there’s not much that the Foundation can do to coerce them into following everyone else.

Unless it’s in their interest to do so. Here’s the ingenious part: the difficulty of mining Ethereum blocks (which determines the time it takes to find the nonce that will, when combined with the block data, give a hash within a certain parameter) has been gradually increasing since August 2015, and will continue to do so with exponential increments.

What does that mean? That Ethereum blocks will gradually take longer and longer to mine. The time between bitcoin blocks is in theory about 10 minutes (although recently it’s more like 20 minutes). The time between Ethereum blocks is about 17 seconds. This is one of several aspects that make Ethereum more attractive to some.

But that is likely to change when Ethereum blocks take longer to process than bitcoin blocks. And it will certainly change, for the miners especially, when Ethereum blocks are so “difficult” to process that it no longer is profitable to mine them, since the electricity consumed in the calculations costs more than the potential ether reward.

The “difficulty bomb” is a clever way to force miners to stop using one system and move to another. Rather than pressure through centralized control (“do this or else…”), it does so through decentralized incentives. No-one is told what to do. But the current Proof of Work algorithm has a built-in self-destruct function that, since it is part of the code, no-one can do anything about. You either move to the new system, or you go out of business. Your choice. No coercion.

Since the increase occurs very gradually, “bomb” is perhaps not the best word for the concept, since no explosions or sudden changes disrupt operations. But it does successfully imply the destructive intent of the code, and subliminally encourages everyone to jump over as soon as Casper becomes available. Ethereum developers call it the “difficulty adjustment algorithm” or the “difficulty adjustment scheme”, which are not nearly as dramatic.

It’s worth noting that the difficulty bomb was conceived as a way to get everyone to move over to Casper when the time came. But it could be used to get everyone to move over to a different hard fork. Ethereum has committed to moving to a version of Proof of Stake. But who knows? Change happens. There’s also no guarantee that Casper will be ready in time. What everyone jumps over to, is not yet “written in stone”, as they say. But they will be jumping over to something different.

It’s also worth noting that the difficulty increase could be modified in the upcoming hard fork that will introduce Metropolis, the next planned iteration of the Ethereum platform (expected in the fall of 2016). This type of modification has already happened once. With the Homestead release in mid-March, the difficulty adjustment algorithm was relaxed a bit. Could this indicate a delay in the release of Casper? With the adjusted system, blocks will become un-mineable by 2021, but the slowness will, according to the founder of Ethereum, become “very annoying by the second half of 2017”. This may change.
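To make the mechanism concrete, here is an added example (not part of the original article, and not the Ethereum project's own code) that applies the Homestead difficulty rule from EIP-2, including its exponential term, and estimates the block time it settles at. The constant hashrate, the deterministic block time and the sample block heights are assumptions chosen for illustration.

```python
"""Sketch of the Homestead difficulty rule (EIP-2) with its exponential "bomb" term.

Assumptions (not from the article): the network hashrate stays constant and
every block takes exactly difficulty / hashrate seconds. HASHRATE is a
constructed sample value, not a measurement of the real network.
"""

MIN_DIFFICULTY = 131_072   # difficulty floor applied before the bomb term is added
BOMB_PERIOD = 100_000      # the bomb term doubles every 100,000 blocks
HASHRATE = 5 * 10**12      # constructed: hashes per second, held constant


def bomb_term(number: int) -> int:
    """Exponential component: int(2 ** (number // 100000 - 2))."""
    period = number // BOMB_PERIOD
    return 2 ** (period - 2) if period >= 2 else 0


def next_difficulty(parent_diff: int, block_time: int, number: int) -> int:
    """Difficulty of block `number`, mined `block_time` seconds after its parent."""
    # Blocks faster than 10 s raise difficulty by 1/2048; every further
    # 10 s of delay lowers it by another 1/2048, capped at 99 steps.
    adjust = max(1 - block_time // 10, -99)
    diff = parent_diff + parent_diff // 2048 * adjust
    return max(diff, MIN_DIFFICULTY) + bomb_term(number)


def steady_block_time(number: int, hashrate: int = HASHRATE, blocks: int = 5000) -> float:
    """Average block time (seconds) once difficulty has settled near `number`.

    The height is held fixed during the run, which is a simplification:
    5,000 blocks is a small part of one 100,000-block period.
    """
    diff = hashrate * 15          # start from a 15-second block time
    times = []
    for _ in range(blocks):
        block_time = max(1, diff // hashrate)
        diff = next_difficulty(diff, block_time, number)
        times.append(block_time)
    tail = times[-1000:]
    return sum(tail) / len(tail)


def schedule(heights):
    """Rows of (height, bomb term, settled block time in seconds)."""
    return [(h, bomb_term(h), steady_block_time(h)) for h in heights]


if __name__ == "__main__":
    # Constructed sample heights; real-world timing depends on the real hashrate.
    for height, bomb, seconds in schedule([1_000_000, 3_000_000, 4_000_000, 5_000_000]):
        print(f"block {height:>9,}  bomb term 2^{bomb.bit_length() - 1:<3} "
              f"settled block time ~{seconds:,.0f} s")
```

The bomb term is invisible while it is small compared with 1/2048 of the difficulty, which is why the slowdown arrives late and then worsens quickly. Once the downward adjustment reaches its cap of 99 steps, the settled block time doubles with every further 100,000 blocks.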

Ethereum Classic, the alternative result of the latest fork, also has this ticking difficulty bomb, obviously. But what it doesn’t have is the obligation to migrate to a Proof of Stake consensus system: it doesn’t have the commitment to move to Casper. Its miners do have to move to a different algorithm, though. Or, Ethereum Classic could hard fork to remove the difficulty bomb. It will probably let Ethereum launch Casper and see how it goes, before deciding whether or not to adopt it. Only by then it will have had to do something about its difficulty levels. Assuming, of course, that it’s still around.

The genius here was in knowing that a possibly contentious hard fork was coming, and devising a way to pre-empt resistance. That doesn’t mean that the process will be without drama, though. It’s possible that disagreement emerges as to whether Casper is the right consensus algorithm to be using. Some may believe that another alternative is preferable, and independently fork to that. As we’ve seen with Ethereum Classic, it is possible for more than one Ethereum chain to exist (for now, anyway). The difficulty bomb does not solve the problem of trying to get intelligent and strong-willed people to agree on an optimum process, to facilitate the communication as to why the Casper version is the best, and to demonstrate that the entire community is buying into the Ethereum mainstream creed. Clever as it may be, what the difficulty bomb fails to do is to achieve consensus about consensus.

Blockchain and supply chain examples

A couple of weeks ago we looked at the potential impact of the blockchain on supply chain management, but we didn’t go into detail about actual examples and current trials in this bigger-than-you-probably-expect sector. Even leaving aside the physical logistics sector, which is enormous, the size of the supply chain software industry has grown in recent years to over $10bn, according to research from Gartner. Research and Markets predicts 11% annual growth in this sector at least until 2020. Add in the $18bn of the trade finance market, and you have a considerable slice of the world economy, and not just in terms of strategic importance. Below are some of the startups and projects that are hoping to take a good chunk of that market away from the traditional suppliers such as SAP and Oracle, while re-thinking processes and introducing new efficiencies.

by Erwan Hesry for Unsplash

The startup with the most VC funding in the sector is US-based Fluent, with $2.5 million in seed investment from firms such as ff Venture Capital, Draper Associates, 500 Startups, Digital Currency Group, SixThirty and many more. Founded in 2014, its aim is to streamline supply chain finance with a custom-built blockchain based on bitcoin’s architecture. Invoices can be tokenized once a buyer approves them, avoiding duplicate and fraudulent invoices across the network. Companies can send and receive payments on the Fluent network. The platform also includes a peer-to-peer working capital marketplace which can provide financing for invoices, whole or partial.

California-based SkuChain has also received seed funding from Digital Currency Group among others, although of an undisclosed amount. It wants to open up trade finance to small- and medium-sized businesses by removing the need for Letters of Credit (payment guarantees issued by a bank). This could have a positive impact on exports from developing countries, while reducing the global economy’s dependence on banks and large freight companies. Using the bitcoin network as well as SkuChain’s own technology, the platform hopes to enhance transparency for all participants in the supply chain, while at the same time improving access and broadening the base of its participants.

Wave, based in Tel Aviv, was one of the first startups in the supply chain sector to sign a deal with a big bank. After graduating from Barclays’ fintech accelerator last October, the startup has focussed on developing a platform to help the banks’ clients reduce their supply chain financing costs by substituting physical bills of lading with blockchain-registered digital versions that streamline the shipping process.

London-based Provenance is working on a chain-of-custody solution on both the Bitcoin and the Ethereum blockchains. Founded in 2013, it focuses on not only the verification of origin, but also the authenticity of the data. One of their more interesting projects involves the tracking of fish from the boats in Indonesia to the high-end sushi restaurants in Japan. If this pilot works as expected, we should soon be able to confirm that the steak we ordered at the restaurant did, in fact, come from the plains of Argentina, and that the olive oil that we purchased at the supermarket was, in fact, pressed from arbequina olives in Spain.

Everledger, also based in London, is building a system to track the movement of diamonds from the mine to the jewellery store, creating a provable provenance as well as facilitating diamond trade. This should significantly increase not only the security of the gem supply chain (which still relies largely on paper documents which can be amended or forged), but also the insurance costs.

Australia-based Blockfreight, launched in April of this year, is developing “an open network for global freight” that combines blockchain apps with smart contracts and RFID sensors. Clients will be able to access the platform with the Blockfreight token, launched last month and run on the Counterparty rails, which can be purchased from the company and eventually from licensed agents (I couldn’t find any active exchanges that deal in this token, but it’s early days still), for $1 each as of a few days ago.

CargoChain, still at development stage, won the Shanghai Blockchain hackathon in January 2016 with their chain of custody innovation that records the Bill of Lading on the blockchain, providing a transparent and traceable record, and uses RFID sensors to track the physical shipment. Built on Ethereum, it also plans to offer a smart contract escrow system, which removes the need for the parties of a trade to either rely on a bank to facilitate the transaction, or to know and trust each other. Other planned functions include automatic payment release upon document receipt, and built-in penalties for delays.

While Barcelona-based Consentio will also use the blockchain to digitize and store the documentation, its main focus is on the financial side. Working with regulated payment platforms, it will use smart contracts to offer financial services such as proof of deposit, deposit release and payment upon delivery.

It’s not just startups that are pushing the innovation boundaries in the supply chain field. The Finnish city of Kouvola has received €2.4 million of European funding to develop a project called SmartLog that applies the blockchain and smart contracts to shipping containers. The city is a hub for trade between the EU, Russia and Asia, and its region is host to around 700 logistics companies.

A few weeks ago Toyota Motor Corp. announced that it was joining R3 CEV’s blockchain consortium to test applications for its supply chains. And big boy IBM just last week launched a supply chain service on its enterprise blockchain, which allows companies to experiment with new forms of document storage for their trade processes (one of the first to sign up was Everledger, mentioned above).

Pressing problems yet to solve are the Know Your Client (KYC) requirements that 80% of sector participants cite as the main barrier to sector growth. Since this requirement is tied to the thorny problem of identity, especially difficult in online, automated processes, it would be optimistic to expect mass migration to blockchain-based supply chain solutions. But the potential economic savings and increased transparency and efficiency make the end goal worth the pursuit. And with a wide assortment of business models and technologies working on this potentially very lucrative objective, it certainly will be an interesting space to watch.

(This article was originally published on LinkedIn.)

What is the difference between an algorithm and a protocol, and why does it matter?

This is a deep dive into supremely nerdy territory, but being a stickler for detail, I think it’s worth clarifying: algorithms and protocols are not the same thing. And in the bitcoin-blockchain world, the difference is important.

Which is surprising, since they seem to be used interchangeably. I certainly have used them as if they were the same thing, as have people much more knowledgeable than myself. And my inner Thesaurus desperately wants it to be so, to avoid over-using one word or the other. But a niggling doubt at the back of my mind pushed me to look into it a bit, and here is what I found:

That our confusion in this respect is holding us back.

So in this article, I hope to clarify the differences, and to show how a deeper understanding of this can lead to new breakthroughs. In part, it’s my fondness for the pedantic, but mainly it’s because I firmly believe that if we can understand something more profoundly, it’s more likely that we can come up with useful variations, innovations and use cases.

Here goes:

A protocol is a set of rules that governs how a system operates. The rules establish the basic functioning of the different parts, how they interact with each other, and what conditions are necessary for a healthy implementation. The different parts of a protocol are not sensitive to order or chronology – it doesn’t matter which part is enacted first. And a protocol doesn’t tell the system how to produce a result. It doesn’t have an objective other than a smooth execution. It doesn’t produce an output.

It’s like the engine of a car, how a car works.

An algorithm, on the other hand, is a set of instructions that produces an output or a result. It can be a simple script, or a complicated program. The order of the instructions is important, and the algorithm specifies what that order is. It tells the system what to do in order to achieve the desired result. It may not know what the result is beforehand, but it knows that it wants one.

It’s what you need to do to drive the car, the actions that the driver performs.

The protocol is a set of rules that determines how the system functions.

The algorithm tells the system what to do.

The protocol is. The algorithm does.

In the kitchen, the protocol would be a set of conditions and instructions such as:

  • The knife cuts
  • The flame heats
  • Olive oil is delicious
  • Frying pans are good for sautéing onions
  • Wash your hands before handling food
  • Burnt food tastes bad

An algorithm in the same kitchen could be:

  • First, chop the onion
  • Then, heat up the olive oil in the pan
  • Put the onion in the pan, add some salt, and stir until the onion is translucent
by Matthew Wiebe for Unsplash – the bridge is a protocol, the bike is a protocol, the rider is an algorithm

How is any of this applicable to the blockchain? Because the blockchain needs both protocols and algorithms, and each has a distinct role.

In blockchains, the protocol:

  • tells the nodes how to interact with each other (without telling them to do so)
  • determines how data gets routed from one node to the next (without telling the data to move)
  • defines what the blocks have to look like
  • stipulates who decides which transactions are valid
  • establishes how consensus is determined (without dictating the procedure)
  • identifies who maintains the ledger
  • delegates who determines how the rules of the system change
  • decides if identities are needed
  • determines who can create new coins (but not how)
  • triggers procedures in case of error

The algorithm, on the other hand:

  • verifies signatures
  • confirms balances
  • decides if a block is valid
  • determines how miners validate a block
  • establishes the procedure for telling a block to move
  • establishes the procedure for creating new coins
  • tells the system how to determine consensus

So far so good, right? Now here’s the truly befuddling part: are “Proof of Work” and “Proof of Stake” protocols or algorithms? In crypto journalism they tend to get used interchangeably, with frequency coming down on the side of algorithms, but with protocols getting a relatively high score (check out “proof of work algorithm” vs “proof of work protocol” in Google). So I’ve been furrowing my brow and staring into my empty cup of coffee and I’ve concluded:

They’re algorithms. Not protocols.

Both Proof of Work and Proof of Stake tell the miners how to go about validating a block. They establish conditions, like protocols do, but the instructions are fundamental, and there is definitely a desired outcome: to process transactions, to determine which blocks enter the chain, and to provide a consensus as to which chain is the correct one. Both use the underlying protocol to achieve those goals.

Continuing along this brain-wrinkling train of thought, are Bitcoin and Ethereum algorithms or protocols?

They’re protocols. Not algorithms.

They establish the ground rules, set up the “engines” and determine who does what and how. We, the users, then play around with algorithms to get coins sent, to execute smart contracts and to create new business models. The algorithms are what make the protocols useful.

So, if we understand that the rules are one thing and the instructions are another, we can get creative. What is our desired outcome? And what algorithms, using the rules of the protocol, can we come up with to get us those desired outcomes?

That is why the difference is important. We need to understand the distinction between the state and the action. Between the rules and the procedure. Between what we can and can’t do. We can’t change the rules (if you want to, go ahead and set up a new blockchain). But we can create a series of actions, instructions and processes that can get us to where we need to be.


How can Bitcoin be hacked?

Don’t get excited, this isn’t a how-to article. I have no idea how to hack Bitcoin (and even if I did, I probably wouldn’t tell you). With the Bitfinex drama and the Cryptsy theft (by its own CEO??) still appearing in headlines, and with so many of my friends asking “But I thought Bitcoin couldn’t be hacked???”, I wanted to dig into the how, the why and the who. I’m not going to go into all the crypto hacks and thefts over the past few years, that would produce an article the length of a book. But I am going to look at some of the more interesting and relevant ones, going back to the middle of 2014.

First, we need to differentiate between a hack and a theft. Many assume that they are one and the same, but they are not. Technically, a hack is “unauthorized access to a computer”. Many hackers go in and out of others’ computers and servers just for fun (scary, but it happens). Some hacks are positive – there is a service that will try to hack your bitcoin wallet to recover funds for you. The DAO fiasco saw the hacker(s) being hacked to try to recover funds (it didn’t work). And hackers have been helping to root out the owners of alleged scam cloudmining company HashOcean. So, not all hacks involve theft. And not all theft is a hack, obviously. Theft does still happen out there in the physical world, with no computer getting involved.

by Dmitriy Me2dev for Unsplash

But, it’s not news that cybercrime is an intensifying threat to individuals, businesses and even economies, as the tougher the security, the more fun the challenge. And as more and more of our lives and our wealth is online, the stakes get higher. All major law enforcement groups have their own cybercrime division, drawing on the skills of detectives, lawyers and, yes, hackers. But in most cases, figures on cybercrime are difficult to come by, as most victims have no interest in publicity, and many attacks are covered up.

In the cryptocurrency world, however, things are very different. The media seems to relish a “see-I-told-you-it-wasn’t-safe” rubbing of hands and pronouncements of crypto doom. Plus, given the community’s active presence in forums and chats, news of hacks, outages and breaches spreads fast. Trying to cover up a crypto hack forever just wouldn’t work. A stroll through reddit or bitcointalk will give you an idea of the volume of chatter, level of detail and degree of scepticism about practically any and every aspect of the sector. Suspicions are aired, spread and debated, and the senior team of the putative hack victim is usually on hand to answer questions. From what I gather, and lamentably with some notable exceptions, they generally do so as truthfully as they can, with good intentions, because they know that hiding stuff from the community (some of whom are hackers themselves) is futile.

So, it’s not that cryptocurrency businesses suffer more hacks than all other sectors. They don’t. It just seems like they do, because those hacks get a lot of public attention.

The most recent one to occupy the headlines is the absolutely huge Bitfinex hack, in which 119,756 bitcoins (worth about $70 million at the time) were siphoned off from the exchange in early August. We don’t yet know how it was done, which is perplexing given that in 2015 Bitfinex announced a collaboration with multisig wallet producer BitGo to enable additional multisig security on Bitfinex wallets. In theory, with the BitGo solution, it was supposed to be impossible to hack clients’ wallets and steal their bitcoin. Yet that is exactly what happened. Both BitGo and Bitfinex assure us that BitGo was not at fault in the hack, that the coding worked as it should. Fingers seem to be pointing at the configuration Bitfinex employed, keeping bitcoins in individual accounts rather than in a cold storage pool (kept offline), to comply with a recent CFTC (Commodity Futures Trading Commission) investigation which resulted in a $75,000 fine and the requirement to change the process of settling margin trades.

In an unprecedented move, Bitfinex decided that in order to stay open for business (and as the 3rd largest exchange in terms of volume and the largest in US$/bitcoin trades, it was important that it do so, for market stability) it needed to spread the losses amongst the clients’ accounts. Rather than have some clients’ accounts lose everything, it applied a 36% haircut to all accounts, instituting the first “bail in” in digital currency history. This is more or less the haircut the account holders would get if Bitfinex went into receivership, and at least this way there is a chance that they can get their money back. The company has replaced the reduced amount with a cryptocurrency token which itself can be traded, or redeemed at a later date for bitcoins, or dollars, or shares in Bitfinex’s parent company, it hasn’t been decided yet. In the end they may not be able to do this, however, as the words “unprecedented” and “finance” generally don’t go well together, and the legality of token trading (which has already started, no time to waste) is in question, as is the concept of “socialized losses”. And, who knows, they may yet be able to recover some of the stolen bitcoins, given the $3.6 million bounty on offer.

In June, the Ethereum project The DAO was hacked to the tune of 3.6 million ether, at the time worth $60 million. The response of the Ethereum developers was to hard fork the blockchain, winding time back to before the theft, and closing the platform on which it happened. Hard forks are contentious, though, because of the risk involved – for it to work as planned, all network participants need to upgrade to the new version, to avoid some validating blocks on the old “invalid” code, which could lead to potential false transactions and double spending. In this case, the proposal was particularly contentious because it demonstrated that public blockchains are not necessarily immutable, resistant to censorship, etc. The Ethereum code was working fine. The change would be to avoid losing money. A good enough reason? If Ethereum can change the code to suit them, what’s to stop them from doing it again in the future, due to self-interest or coercion?

The hard fork turned out not to have the consensus that the developers assumed, and a few holdouts insisted on sticking with the “old” Ethereum chain. The “old” ether became a new cryptocurrency called ETC, while the new one retained the old symbol of ETH. The developers didn’t object at first because they really thought that ETC would fizzle out and quietly disappear. But it is now the 6th largest cryptocurrency in terms of market capitalization. And the thief still has his (or her) 3.6m ethers, the old version, although they are worth a lot less than the original $60 million. It’s disconcerting how one hack can change the fundamental nature of a promising blockchain in unforeseen ways.


In May, Hong Kong-based crypto exchange Gatecoin reported the theft of 250 bitcoins and 185,000 ether, worth about $2 million at the time. While most clients’ crypto assets are stored in multisig cold wallets, the hacker managed to overwrite the protocol that handles this so that ether went directly to the hot wallet (keys kept online) instead of the cold, and ignored the self-imposed limit of 5% of assets in online storage. In the end, the hacker made off with 15% of the exchange’s crypto assets. Immediately after, Gatecoin announced that it would seek $4-5 million in funding to cover the losses, and offered a bounty and a lifetime of free trading for return of the assets. In the end, the exchange managed to raise $500,000 to strengthen the security infrastructure, and replaced its CTO, referring to him as a possible suspect. At time of writing, its web site was undergoing an overhaul, and is supposed to relaunch today (August 17).

In April, exchange Shapeshift reported a hack executed in stages of 469 bitcoins plus some ether and litecoin, worth at the time about $230,000. In this case they were victim of an inside job – an employee stole the bulk of the funds, sold server access to a professional hacker, and installed malware on colleagues’ computers to enable the hacker to access the refreshed passwords. Erik Voorhees, the founder of Shapeshift, gives a riveting account of the drama here. No customer money was lost, and the site had relaunched by the end of the month.

Also in March of this year, Canadian exchange Cointrader suddenly closed down, with the explanation that an audit had revealed an unexplained deficit of bitcoin. The media took this to mean a hack, but it might not have been. In an email to clients, the exchange explained: “A recent internal audit revealed a deficiency of Bitcoin in our wallets.” Previously, trading had been halted on shares of the parent company Newnote Financial Corp. (listed on the Canadian Securities Exchange, similar to the US’s OTC market), because of failure to file financial statements. The company was undergoing an audit to rectify this, most likely the same audit that uncovered the missing bitcoins. In an official statement, Newnote announced that the audit was still ongoing and that Cointrader would be shut down due to “rising maintenance costs and lower trading volume attributed to an increase in competitors within the Canadian market space”. No mention was made of the hack. So, did the hack even take place? Or had the audit uncovered something else?

Here’s an interesting one, still making headlines today: In December 2015, exchange Cryptsy and the media started receiving a stream of customer complaints about stalled bitcoin withdrawals, some pending for weeks. In early January, in the face of no response whatsoever from the company, a frustrated client initiated a class action lawsuit in an attempt to recover their funds. The next day, the founder published a post on the Cryptsy blog announcing suspension of trade and withdrawals, and confessing to the loss of 13,000 bitcoin and 300,000 litecoin, at the time worth about $5.7 million. The founder explained that a back door had been installed on the exchange by someone claiming to be a developer. The most startling revelation was that the coins had been missing for a year and a half.

Why hadn’t he told anyone? According to his post, because he wasn’t sure what happened (even well over a year later), and “didn’t want to cause a panic”. He assumed that he could replenish the accounts with profits over time. But then an article was published in the sector blog Coinfire (now part of 99 bitcoins), claiming that Cryptsy was under investigation from several Federal agencies (including the SEC, the Department of Homeland Security and the IRS) for a long litany of infractions ranging from operating without licenses to knowingly servicing accounts linked to terrorist financing, which triggered massive withdrawal requests that Cryptsy simply could not honour.

A couple of weeks later, the CEO’s ex-wife claimed in a court filing that she believed that he would flee the country with the funds, and was using the money to support his lover and her children in China. A few weeks after that, we’re now in February of this year, the ex-wife was added as a defendant in the class action lawsuit, since it turns out that in early 2015 she and her (then) husband had paid for a waterside mansion in Palm Beach with cash. In April the court appointed a receiver to dissolve the business and determine how much was recoverable. Last week the receiver revealed that he had discovered that the (now ex-) CEO had been siphoning off crypto funds the whole time.

After an apparent lull in crypto hacks (what were the hackers up to?), in May 2015, a well-known Hong Kong-based exchange suffered a breach and a theft. The exchange was Bitfinex (yes, them again), and this time the target was their online hot wallets, which store a very small amount of crypto assets. Apparently about 1500 bitcoins were stolen, worth approximately $340,000 at the time. Customer wallets were affected, but Bitfinex was able to replenish the losses out of their reserves.

Also in March 2015, Panama-based Coinapult briefly suspended operations following the theft of 150 bitcoins (then worth $42,900) from its online wallet. Customer funds were unaffected, but immediately after, the exchange announced its intention to move to multisig authentication as soon as possible.

The previous month, Chinese exchange Bter, at the time the world’s largest exchange of altcoins (bitcoin alternatives), admitted to a hack of 7170 bitcoin (then worth $1.75 million) taken from its cold wallet. Because of the unlikelihood of a cold wallet getting hacked (the keys are kept offline, so how would the hacker get at them?), some pointed fingers at Bter, accusing them of covering up an inside job. However, there are cold wallets and then there are cold wallets. Depending on the configuration, some cold wallets can be compromised when they connect with the internet, however briefly, which they sometimes need to do to either move bitcoins or update balances.

The size of this theft almost caused Bter to sell the exchange, claiming that it simply did not have the funds to reimburse the 20,000 affected customers. A 1000 BTC loan from mining group JUA saved the day, however, and Bter was able to use that plus the promise to continue to repay out of profits to make the accounts whole. JUA also took over the protection of Bter’s cold wallets.

February 2015 was a busy month for hackers: Excoin was also hacked. The exchange turned out to have a prophetic name, since the hacker managed to divert all of the bitcoin on the exchange, which left it no choice but to shut down.

photo by Loic Djim for Unsplash

In January of last year, Bitstamp – a Luxembourg-based exchange, currently the fifth largest BTC/USD exchange – had 18,866 bitcoins (then worth just over $5 million) stolen in a hack that involved targeted phishing emails and messages which installed malware on the computers of Bitstamp employees. The hackers not only spent time profiling the employees and creating specific language and offers for each in the emails, but they cleverly staged the access and the theft over the New Year period, counting on a slower reaction time. As soon as the movements were discovered (the same evening as the account was drained), Bitstamp shut down operations and started work on rebuilding the trading software from scratch.

After another lull in crypto hacks making headlines, in August 2014, Bter was hit again. Almost 52 million NXT (another cryptocurrency, associated with the blockchain of the same name), at the time worth $1.65 million, disappeared from its account. It turns out that the hacker got access by gathering information on one of the Bter developers, hacking an account that he used on a different website, and taking advantage of the fact that he used the same password to get into Bter. The exchange had set up 2-factor authentication on many of its systems, but not on NXT, which to make matters worse was kept in a “hot” online wallet, directly accessible from the site. Given the scale of the attack (at the time the theft was of 5% of the market cap), NXT considered “rolling back” the blockchain to reverse the hack, much like what Ethereum has just done. As we have seen, however, this is a very controversial move for any blockchain based on immutability and censorship resistance, and the majority of the participants opposed the idea. This hack had a “happier” ending, however, since the exchange managed to negotiate the return of the bulk of the coins. Perhaps they used the threat of a hard fork? Keeping some and returning the rest is better than losing all?

And another happy ending: in December 2014, wallet giant was hacked for 255 bitcoins. And then the hacker gave the coins back. Awwww.

Let’s end this walk through history with a really juicy story, with several chapters but no happy ending: in July 2014, altcoin exchange MintPal was relieved of approximately 8 million of bitcoin alternative VeriCoin, which at the time was 30% of its market cap of $6.3 million. It is interesting to note that the exchange’s bitcoin holdings were also targeted, but they were held offline in cold storage and thus ended up untouched. The VeriCoin were supposed to be in cold storage, but due to an error most of them weren’t. The community couldn’t allow that much VeriCoin in the hands of one attacker, since it would have given him or her enough weight to instigate a 51% attack, which made the decision to fork simpler – it was that or see the currency completely crash. The problem with hard forks, though, is that everyone in the network needs to update pretty much at the same time. That didn’t happen here, which meant that older versions processing new blocks effectively “reassigned” the attacker the stolen 8 million. A second hard fork a day later managed to fix the problem, diverting the coins to a new, MintPal-controlled wallet.

Trading volumes dropped sharply after the attack, which led to its acquisition by the end of the month by Moopay (more commonly known as Moolah, not to be confused with the payments services provider of the same name). Three months later, on October 14th, after several delays to MintPal’s relaunch, Moopay announced its plans to declare bankruptcy and shut down operations. MintPal had apparently already been transferred to new management, and the new team was focussing on “the resolution of issues surrounding missing balances”. Missing balances?

The following day, the CEO of Moopay insisted that the company had never bought MintPal; all that it had was a management agreement (documents subsequently released show that, indeed, Moopay did not own a stake in MintPal, but the CEO of Moopay did: he held 48% of the company that owned 100% of MintPal). To add to the confusion, less than 24 hours later, the CEO and founder announced that no, on second thoughts, Moopay was not going into bankruptcy after all. He then resigned. At the same time, reports started to emerge tying the founder to other identities. The next day, this was separately confirmed by both a former lover and by an ex-associate who in the past had pressed charges against him for fraud. The following day (a busy week) it turned out that the name that they knew him by wasn’t his real name, either. The day after that (we’re now at the 18th of October), the ex-CEO fired all the staff, and the following day he confessed to the name change. And in case things weren’t confusing enough, he re-confirmed the bankruptcy.

At the same time, it emerged that 3,700 bitcoins were missing from MintPal’s wallets. It turns out that they were being held in the Moopay CEO’s personal wallet, and were moved as soon as this was discovered. Simultaneously, the CEO posted an abject apology on Moopay’s blog, which has since been taken down but part of the text is reproduced here. Then the lawsuits started flying, injunctions were handed down and the CEO went missing. In December, he and a former colleague (alleged to be his then girlfriend) were arrested in the UK but released on bail. And in August of this year, a couple of weeks ago, he was sentenced to 11 years in jail, not for theft or fraud, but for rape. I bet you didn’t see that one coming.

As you know, it’s not just cryptocurrencies that get hacked. Banks around the world are subject to a frightening number of hack attempts, some really sophisticated, and some successful. However, the bank hacks tend to be shrouded in secrecy, and many are never even revealed to the public – we wouldn’t want a panic, now, would we? Another big difference is that bank accounts are, in most systems, insured up to a certain amount. There is little if any risk of “losing it all”. With the uninsured crypto exchanges, however, that is not the case, and while the amounts are much smaller than with fiat bank hacks, the community is much more vocal.

How can we protect ourselves from bitcoin hacks? A relatively easy answer is to spread our bitcoin holdings across several wallets and exchanges, and throw the bulk in cold storage. It’s an easy answer, but it’s a hassle, which is why most casual bitcoin users don’t do it. Sticking with reputable exchanges is also a good idea, but a really big hack could decimate even the most solvent of businesses (crossing fingers for you, Bitfinex). When an exchange gets hacked, the loss of the cryptocurrency is not the only cost. There’s also the expense of the investigation, migrating servers, rebuilding the platform, lawyers…

It’s so easy to apply common sense in retrospect, but unfortunately much less so as we go about our daily lives. And as we’ve seen, crypto hacks can affect any exchange, even reputable, well-protected ones. Theft is lamentably a part of life which we will never be able to completely avoid. And the fact that it exists in no way makes the stolen asset more vulnerable and worthless. Cash is stolen every day, and yet that doesn’t make us suggest that cash is useless, does it? Gold, diamonds, cars… Anything that can be moved, can be taken. And nothing is easier to move, in terms of logistics, than bits and bytes of information. The fact that it doesn’t happen more often is a testament to the ingenuity of security experts, who are continually trying to stay on top of a moving pile of sand. With each hack, the community learns. And with that knowledge, gets stronger. While this doesn’t help the thousands who lose savings, it does strengthen the sector as a whole. And shows that if people are trying to steal what you have, it must be worth stealing.

Blockchains and supply chains

Almost everything you touch during your day is the result of a supply chain. The product originated somewhere. It then moved somewhere else, and after that somewhere else, and so on until it ended up in your life. Your toothbrush, your breakfast cereal, your clothes, your car or bus or bike… You get the picture… We hardly ever think about this, nor should we have to. Because we trust that its sourcing did no harm, that the quality is acceptable and that it’s going to do what it needs to do.

What if you could know so much more? That your toothbrush was made in Texas? That your T-shirt was made in Nepal? That your shoes were designed by someone in Turin but manufactured in Romania? Too much information, you might say. But think about how it would change our relationship to things. Which would change our attitude to consumption. Which could lead to a new commercial culture, one based on transparency, trust and process.

by Lewis Pratt for Unsplash

Now let’s stop for a second and zoom out. Let’s picture all those toothbrushes and T-shirts and shoes criss-crossing the world to reach their destination. Most by container-stacked ships, some by truck. And all with reams of paperwork to accompany them from one stage to the next. There’s the “pull” order from the end retailer, which probably gets passed to an international distribution agent, which probably gets passed to a local distribution agent before ending up with the actual manufacturer. Of course, there are new forms along the way. Then there’s the “push” paperwork, in which the manufacturer documents the exit from the factory, in which someone else documents the reception and the placing in the container, in which the goods are expedited from one off-loading stage to another. In this day and age, still, much of that paperwork is physical, using paper, often in triplicate.

That hardly sounds efficient. Or safe, since paperwork can be falsified, mistakenly rerouted, or simply lost. Even most digital versions consist of pdfs or similar, which have the same potential vulnerabilities.

Surely there has to be a simpler way? Of course there is: blockchain-based supply chain management. Here’s how it could work:

The documentation could be digitized, and stored on a blockchain (if you’re not familiar with how they work, see here). This will make it impossible to change or tamper with, without everyone knowing. It would also make it easy to pass from one stage in the journey to the other. And each receipt can be programmed to trigger an action, such as a payment, or a message, or the emission of another document. This could be made even more secure if we include sensors in the containers that automatically inform that the container has physically arrived. Smart contracts could be written that say something like “when the container is loaded onto the distributor’s truck, issue payment and the corresponding documentation”. More automated, more verifiable, more transparent. Retailers and/or end clients could follow the merchandise’s progress, which reduces uncertainty. And the considerable manual work needed to process the transactions could be reduced considerably, which at the same time will lower costs and friction.
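A small model of the tamper-evidence and the truck-loading rule described above, added here as an illustration and not taken from any project this post mentions. It is a single-process hash chain with no network or consensus, and the event names, container id and payee field are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry


def entry_hash(prev_hash, payload):
    """Hash a document together with the hash of the entry before it."""
    body = json.dumps({"prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class CustodyLedger:
    """Append-only log of shipping documents; one copy per participant."""

    def __init__(self):
        self.entries = []
        self.payments = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, payload):
        prev = self.head()
        self.entries.append({"prev": prev, "payload": payload,
                             "hash": entry_hash(prev, payload)})
        # Rule from the text: "when the container is loaded onto the
        # distributor's truck, issue payment". It fires only when a sensor
        # confirmed the event and the recorded history still verifies.
        if (payload.get("event") == "loaded_on_truck"
                and payload.get("sensor_confirmed") is True
                and self.verify() == ("ok", None)):
            self.payments.append((payload["container"], payload["payee"]))
        return self.head()

    def verify(self, expected_head=None):
        """Recompute every link; optionally compare with a head hash that
        another participant recorded earlier."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != entry_hash(prev, e["payload"]):
                return ("broken_link", i)
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return ("head_mismatch", None)
        return ("ok", None)


def build_sample():
    """Constructed sample journey for one container."""
    ledger = CustodyLedger()
    ledger.append({"event": "left_factory", "container": "CONT-001", "units": 5000})
    ledger.append({"event": "loaded_on_truck", "container": "CONT-001",
                   "sensor_confirmed": False, "payee": "manufacturer"})
    ledger.append({"event": "loaded_on_truck", "container": "CONT-001",
                   "sensor_confirmed": True, "payee": "manufacturer"})
    return ledger


def edit_in_place(ledger):
    """A stored document is edited without touching the hashes."""
    forged = copy.deepcopy(ledger)
    forged.entries[0]["payload"]["units"] = 4000
    return forged


def rewrite_history(ledger):
    """A document is edited and every later hash is recomputed."""
    forged = edit_in_place(ledger)
    prev = GENESIS
    for e in forged.entries:
        e["prev"], e["hash"] = prev, entry_hash(prev, e["payload"])
        prev = e["hash"]
    return forged
```

An in-place edit breaks a link straight away, but a full rewrite only shows up when the copy is checked against a head hash that another participant kept. That comparison is what "without everyone knowing" relies on.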

This will not only streamline the process of trade, potentially saving billions. It will also make the progression of the merchandise more transparent, allowing more trustworthy documentation and greater confidence in the end product. The manufacturer is happy because it costs much less to get the merchandise to the end user. The end user is happy because he or she feels better about the sourcing and quality.

And the middlemen? It’s easy to assume that they would be happier at having less paperwork to handle, which would require fewer employees, overheads and risk. But their very usefulness is called into question. Would we still need middlemen in a blockchain-based supply chain world?

Yes, of course we would. No amount of automation can replace the need for a flexible and agile supervisor, to make sure that the routing is taking place as planned, and to react when nature and/or man intervene. But less checking of documents, stamping of bills of trade and filing and/or sending the appropriate pieces of paper means not only lower costs, but fewer opportunities for human error.

The lowering of costs would improve distribution profits, as well as perhaps lower the costs for the final customer. Lower costs and smoother processes should lead to increased trade. Increased trade leads to economic growth. And economic growth leads to increased trade. A nice, mutually-reinforcing circular process, based on code, connections and confidence.

An increasing number of startups and established businesses are getting involved in this potentially very lucrative sector. Just last week IBM announced the launch of a new platform that allows businesses to experiment with the “blockchainization” of their supply chains, a sign that this is serious business and that the shift will happen sooner or later. The potential impact will transform sectors as diverse as electronics and agriculture, while spreading the efficiencies along the whole supply chain and benefitting a broad range of communities and economies.


Blockchain and IoT examples

The Internet of Things is such a broad and confusing space, with so much potential impact in business, society and home life, that talking about it feels a bit like talking about the universe. After all, what isn’t a “thing” that can be connected to the Internet? When we’re referring to the Internet of Things, do we include our smartphones? Our cars? Our televisions? What about our satellites and our aeroplanes? Our 3d printers and our factory robots? And getting metaphysical on the issue, what about Facebook pages? Video games? Bank accounts? They’re things too, right? But to bring the discussion of the impact of the Internet of Things into the realm of practicality, most studies and businesses focus on gadgets, either big or small. The smartphone is so obviously a thing connected to the Internet that it is usually not featured in the sector studies, except as a conduit for information from other things. The same goes for computers and sensors. Those obviously-connected devices are what we embed in physical things to get them talking to us and to each other. So, when we refer to the “Internet of Things”, or IoT, we’re really talking about things connected via other things. Sensors, computers and phones talking to each other is the backbone of today’s development. But it’s not new and it’s not news. It’s what those sensors, computers and phones are talking about, what data they are transmitting and what objects they represent, that is of interest.

by Todd Quackenbush for Unsplash

For this discussion, I’m just focussing on physical gadgets not related to transport, the supply chain or to the energy sector (there’s so much going on there that we have the basis for a separate series of studies). While IoT is already a reality, its impact so far has been useful but fragmented, more an indication of what’s possible tomorrow than what we can change today. Blockchain technology is increasingly looking like a potential unifier for the different device-specific, manufacturer-specific and sector-specific networks currently in operation or under development. Yet its application is still fraught with obstacles and issues, most of which will be overcome with experimentation and creativity. Here I look at some of the more advanced projects participating in this journey – I fully expect that we’ll be hearing more from them in the months to come, as well as adding interesting newcomers to the list.

As with most blockchain activity these days, experimentation in the Internet of Things space is not limited to startups. In one of the first major papers on the subject, at the beginning of 2015 IBM revealed ADEPT (Autonomous Decentralized Peer-to-Peer Telemetry), a proof-of-concept of a universal IoT blockchain platform that combines P2P messaging, BitTorrent and Ethereum. Two interesting case studies were included: a washing machine that can manage its supply of detergent, self-diagnose and solve maintenance issues, and “negotiate” with other household devices the optimum time for an energy-consuming cycle run; and electronic billboards that manage, allocate and automatically charge for ad display. The proof-of-concept code was supposed to be shared on GitHub, although as far as I can tell it hasn’t been yet, perhaps because the project leader left IBM at around the time of the paper release. IBM have certainly not been idle, though, and a few months ago revealed that they are working on combining the blockchain with Artificial Intelligence to manage IoT ownership, access and diagnostics. This is part of IBM’s commitment, announced in March 2015, to invest $3bn in the Internet of Things. Yes, that’s billion with a b. This should be fascinating.

One of the best-funded startups in the blockchain + IoT area is US-based Filament, which has received $7.35m in investment from VCs such as Bullpen, Pantera, Verizon, Crosslink, Samsung, Digital Currency Group and others. Its focus is long-range wireless networks, and its main product is the Tap, a device registered on the blockchain with environmental sensors that can integrate with other sensors, and which has a wireless range of over 15km that does not depend on wifi or cellular networks. These sensors help farmers to monitor soil quality, cities to control outdoor lighting, and vending machine operators to optimize inventory, among a host of other potential applications. While most uses at the moment do not need universal registry, the blockchain base will enable connectivity in the future, which will encourage the development of additional efficiencies and possibilities. Running on the bitcoin blockchain allows for micro-transactions, which will open up the project to a wide range of new business models. And if things are going to talk to and transact with each other, they’re going to need Filament’s blockchain-based help with decentralized identity creation for inanimate objects. The Patch, their other main product, is an embeddable version of the Tap that adds wireless connectivity to any hardware. Filament is one of the most advanced IoT and blockchain companies, in that it actually has paying clients and a seemingly viable business model: it owns the sensors, and charges for the configuration, the data, the maintenance and the updates.

IOTA approaches the issue from the other direction. Instead of focussing on the devices, it has created a cryptocurrency to facilitate micro-transactions between devices. Rather than a heavy blockchain, though, it runs on a lightweight “Tangle”, a “block-less” distributed ledger that makes it possible to transact without fees. Tangle doesn’t have miners that need incentivizing, but “verifiers” that are also users. They process transactions as they use the network, which allows for transactions at no cost, ideal for the high-frequency, low-value, light and constant transactions of the Internet of Things. Technically IOTA does not use a blockchain, but I include it here for its decentralized, trust-less approach to the exchange of value, and its innovative approach to the sticky problem of micro-transactions (still relatively expensive, even on the blockchain), both of which could put the goal of a viable and efficient Machine Economy within reach.

Chainofthings focusses on the security of the data collected and uploaded by the Internet of Things. Run as a consortium composed of several startups and established businesses active in the IoT and blockchain space, it supports and collates research and organizes events designed to promote solutions-based exploration. Participants and supporters include blockchains Ethereum, Lisk and Emercoin; IoT startups Filament and IOTA (mentioned above); blockchain businesses Skuchain and Everstore; bitcoin node hardware manufacturer Bitseed; solar power startups SolCrypto, SolarCoin and ElectriCChain; advisory businesses such as Zerado and Neuroware; and large international conglomerates such as electricity company RWE. Its first case study, revealed at a recent Chainofthings event in London, looked at the application of distributed ledgers to solar power generation, and the next one will focus on sensor mobility.

UniquID is a young project that was first presented at the Consensus conference in May 2016. Based in the US and in Italy, it allows users (still in beta) to create a private blockchain which acts like a sort of “wallet”, on which they can register their devices. All devices registered on that blockchain can communicate with each other, without the need for external authentication. Access to these “wallets” could be from a range of configured devices, which would give flexibility to the format and the deployment of these “local” IoT networks. Unlike other efforts in the sector, UniquID’s idea seems to be to maintain the separation of IoT networks, and it remains to be seen how this is better than a simpler database approach.

Riddle&Code is another young project in development, with an interesting twist. According to its website, the platform “connects blockchain technology to real world objects”, which is what most participants in the sector want to do. The twist is that it uses NFC technology that permits the secret exchange of data and of the cryptographic keys that determine who can access that data.

As you can see, the intersection of blockchain and the Internet of Things is attracting attention, but not yet at the scale the potential warrants, and not yet with a “success story” business model (Filament seems to be on the right track, but there is little public information, and it’s still early days). The ideal balance between hardware and software, centralization and decentralization, complexity and convenience will be difficult to find. But it will emerge as the sector gets more competition and as the businesses move along the timeline from idea to implementation to revenues. This progress is worth encouraging, as the end results will not only open up new potential Internet of Things business models. They will also teach us even more about the potential and actual real-world applications of blockchain technology and its derivatives, which will lead to more innovation and creativity. It won’t be easy – there are many conceptual issues revolving around identity and data that will need to be addressed – but the most important things in history never are.

(If I’ve gotten anything wrong on any of the businesses mentioned, please let me know! I don’t ever want to mis-represent a company or an individual, ever. A similar version of this post was published on LinkedIn. I twitter away at @NoelleInMadrid, come and say hi!)