1. 36

A quick technical rundown on the latest cryptocurrency wallet hole. tl;dr JSON RPC server on localhost with wide-open CORS; a random web page could clean out your Electrum wallet. Publicised by Tavis Ormandy.
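As an added illustration (our own code, not Electrum's and not the fix the project shipped), here is a minimal loopback JSON-RPC handler with the two checks the wide-open server described above lacked: it refuses any request carrying a browser Origin header and requires an RPC password. The user name, password and header names are assumptions for the example.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

RPC_USER = "wallet"
RPC_PASSWORD = "example-random-secret"  # constructed; a real install generates its own

def _header(headers, name):
    """Case-insensitive lookup over a plain dict or an http.server header message."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def basic_token(user, password):
    """Authorization value a legitimate local client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorised(headers, user, password):
    """True only when an HTTP Basic credential matches (constant-time compare)."""
    auth = _header(headers, "Authorization") or ""
    if not auth.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(auth[6:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())

def cross_origin(headers):
    """Browsers attach Origin to cross-site fetch/XHR; a local CLI client does not.
    Check the POST itself, not only the preflight: a text/plain POST needs none."""
    return _header(headers, "Origin") is not None

def decide(headers, body, user=RPC_USER, password=RPC_PASSWORD):
    """(HTTP status, JSON reply) for one request. The wide-open server the thread
    describes lacks both checks below and answers with 'Access-Control-Allow-Origin: *'."""
    if cross_origin(headers):
        return 403, {"error": "cross-origin requests refused"}
    if not authorised(headers, user, password):
        return 401, {"error": "authentication required"}
    try:
        req = json.loads(body)
        method = req["method"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed JSON-RPC request"}
    # A real server would dispatch here; this stub only names the method.
    return 200, {"jsonrpc": "2.0", "id": req.get("id"), "result": f"would dispatch {method}"}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, reply = decide(self.headers, self.rfile.read(length).decode())
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        # No Access-Control-Allow-Origin header at all: even if a check above were
        # bypassed, the browser would withhold the response body from the page.
        self.end_headers()
        self.wfile.write(json.dumps(reply).encode())

    def do_OPTIONS(self):  # refuse CORS preflight outright
        self.send_response(403)
        self.end_headers()
```

To run it, bind `HTTPServer(("127.0.0.1", port), Handler)` on loopback only; the decision logic is kept in `decide` so the policy can be tested without a socket.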

  1.  

  2. 9

    Well that’s disturbing, better go update mine.

    Reminds me of what I’ve been saying about cryptocurrency from the beginning - it’s an interesting technology that we may find some cool things to do with, but anyone who thinks it’s going to displace conventional banking is delusional. You’re going to need a system where you aren’t constantly one mistake away from having all of your money disappear irreversibly for one.

    1. 6

      JSON RPC server on localhost with wide-open CORS and no password or any other restriction

      Edited for additional, important details.

      I’d ask what they were thinking, but they obviously weren’t.

      1. 9

        The venture capitalist says: “Holy crap, that’s the worst idea I’ve ever heard! What’s the act called?”

        The anarchocapitalists reply: “The Blockchain!”

      2. 3

        The advice I’ve always given applies now more than ever: use a hardware wallet. Besides dumb shit like this, there’s also the risk that any keys you keep in RAM get swiped by the new set of side-channel attacks.

        Electrum has good hardware wallet support too! It’s just like normal except you have to approve transactions on the device before they go through. I’ve tried both the Trezor and the Ledger. They are highly cross-compatible and both good designs.

        1. 12

          Then you have to trust the hardware vendor’s security design - oh look, here’s someone breaking into a Trezor.

          Or that the guy you buy the hardware from isn’t just a crook.

          The more general problem is that cryptocurrency security is vastly harder than any normal user can be expected to achieve - because every mistake or theft is utterly irreversible, by design. “Be your own bank” means be your own financial institution Chief Security Officer, with deep system knowledge.

          The solution we use in the wider world is division of labour, and financial institutions that are trusted but regulated in law. This turns out to work usably well for running a modern economy, in a way that “everyone has to know everything in depth or LOL too bad” doesn’t.

          When someone in the Philippines got my credit card number and attempted to spend £600 on it, the first I knew about it was when my bank called me to ask about it. I verified it wasn’t me, and the charge was reversed and they sent me a new card. This is a ridiculously better level of service than I could ever get using a cryptocurrency, and the level of service that normal people in society expect from their financial services vendors.

          (I know you personally don’t think that level of reversibility is important, but I think you’re incorrect on this one.)

          Unfortunately, trusting centralised institutions - exchanges - with your crypto hasn’t worked out so well either in far too many cases. There’s reasons the conventional currency system went to insured banks with a lot of regulation.

          Pervasive irreversibility at all levels was the fundamental design decision of cryptocurrency - and it’s turned out to be a bad one.

          1. 4

            oh look, here’s someone breaking into a Trezor.

            Manually sideloading a custom firmware isn’t even remotely in the same realm of vulnerability as “exposed unauthenticated RPC port”

            the guy you buy the hardware from isn’t just a crook.

            If someone’s dumb enough to dump $34,000 into someone else’s private key, they’re definitely dumb enough to lose their money in more traditional ways.

            When someone in the Philippines got my credit card number… This is a ridiculously better level of service than I could ever get using a cryptocurrency

            The “level of service” you get with a cryptocurrency is that some random dude in the Philippines can’t just go and steal your money in the first place. It seems insane to me that you can interpret this story in a positive way. As a counter-anecdote, the only unauthorized transaction I’ve ever had was when the government took money from my account due to a paperwork error and Wells Fargo charged me a “legal fee” for this privilege. Someone else should not be able to take my money without my permission, full stop. If I have to lose the ability to bust transactions in exchange, so be it.

            We had basically the same argument last time; you’re of the opinion that financial systems should cater to the lowest common denominator, and I just want a system that doesn’t suck. These are both at least somewhat reasonable but they’re inherently incompatible.

            There’s reasons the conventional currency system went to insured banks with a lot of regulation.

            Yes, there are valid historical reasons, but “boy, I sure hate non-repudiation” isn’t one of them.

            and it’s turned out to be a bad one.

            You can say that as much as you want, but (as of now) over $800,000,000,000 begs to disagree.

            1. 4

              $800,000,000,000

              That’s $800B. I wondered where that number comes from, and actually googling “800,000,000,000” gives this link, which states

              Its official, total market cap now over 800,000,000,000 dollars! (sic)

              What does that number represent?

              It’s simply this algorithm:

              • For each coin/token listed on Coinmarketcap.com, take the latest price listed
              • multiply the price with outstanding tokens
              • add them together

              Anyone who believes that $800B represents real, actual money is, in my opinion, delusional. As an example of magnitude, the government income of Sweden, an industrialized country of 10M people, was $128B last year.

              1. 5

                For comparison, what was the “market cap” of the Beanie Babies market in July 1999? Where did all that value go when it crashed? Nowhere, it was an illusion.

                1. 1

                  Not quite an illusion but perhaps a representation of the volume of funds transfer from one set of people to another set? At the point of crash, many people lose their money but there are many other people who have cashed out prior and effectively got that money from the first set.

                  1. 4

                    Nope, not even that. It represents only (last transaction) * (total number of tokens). This is not money put in, money you could get out, money you would pay to take it over (which is meaningful for a stock but not a crypto), etc. It is a meaningless number that looks good in headlines.

                    (I basically need to write a blog post on why “market cap” of a crypto is a completely bogus measure.)

                    1. 0

                      Where do you think the last transaction price comes from?

                      Please do, I’d love to read it.

                  2. -1

                    Where does the value “go” when Apple drops 0.4%? The answer is that you’re asking a nonsensical question. There’s no such thing as conservation of value - it can be spontaneously created and destroyed. It’s disappointing that someone can comfortably profess opinions about economic value without this being apparent.

                  3. -1

                    How do you think market cap is normally calculated? I’m not really sure what you’re trying to express with your insinuation that this figure is “not real” - it is, in fact, the total value of all instances of the asset as determined by the market. Multiplying volume weighted price by number of units is only a first order approximation, but it’s usually reasonably close.

                    1. 3

                      I am aware how market cap is calculated in the common usage of a stock. The question is, can you equate a cryptocurrency token with an equity stake in a company?

                      If someone buys all the stock in a company, they attain legal rights to everything pertaining to that company: employees, physical assets, patents, etc etc.

                      If someone buys all the bitcoins, what do they gain?

                      1. -1

                        If someone buys gold bars, what do they gain?

                        1. 2

                          A hunk of metal?

                          1. 2

                            I think @wyager is suggesting that buying either gold or Bitcoin is speculation in a market driven mostly by group behaviour, so it sounds like you are in agreement. (Whereas buying stocks is different, as both you and I have suggested in this thread.)

                  4. 3

                    You can say that as much as you want, but (as of now) over $800,000,000,000 begs to disagree.

                    Maybe you can help me understand what exactly people are investing into? I’m trying to understand this, but so far I haven’t been able to figure it out from reading and talking to a couple of people.

                    From what I understand so far, people aren’t investing into an asset (since Bitcoin doesn’t have intrinsic value), and they can’t be investing into the potential of Bitcoin to replace the traditional financial system (transaction fees are high, there’s apparently a hard limit on the rate of transactions, the interface to traditional currencies has issues with trustworthiness). So what is it that they are investing into? And can Bitcoin scale to replace a country-sized or world-sized financial system?

                    1. 4

                      Most cryptocurrencies have the potential to be used in the black market (online drug sales, illicit/illegal digital goods such as carding and CP), as well as for more legitimate privacy-enhancing goods, such as VPNs. This represents, in my opinion, a base value for crypto in general (not specifically Bitcoin, this use case is relatively fungible).

                      The rest of the valuation is speculative.

                      To be charitable, people are working on proposed solutions to the issues that Bitcoin is facing right now - the latest fad is the “Lightning network”, that adds a layer on top of the BTC blockchain. This would transform BTC into literal digital gold and give rise to a new class of institutions working to provide services based on its value.

                      1. 2

                        Thanks for the information. I read a little bit about the Lightning network. It sounds like it might alleviate the scalability issues, but I still don’t understand how it makes the blockchain a replacement for gold. The blockchain is still a distributed transaction database with nice properties rather than an asset with its own commonly accepted value. Do you think you could clarify this further for me?

                        1. 6

                          I’m a card-carrying Bitcoin skeptic.

                          Apart from the above “real usage”, I don’t believe there’s any value in the currency at all.

                          “Blockchain” as a tech is mildly interesting in a distributed database kind of way, but the currency form is rooted in outdated economic theories bolstered by wild conspiracy theorizing.

                          1. 2

                            Got it, thanks :)

                      2. 0

                        since Bitcoin doesn’t have intrinsic value

                        This is a dogwhistle for economic confusion, and “not even wrong”. There’s no such thing as “intrinsic value”. Nothing derives its economic value from any intrinsic property. All value is extrinsic. For example, where is the “intrinsic” values of dollars, or abstract financial instruments?

                        1. 2

                          I’m certainly not an economics expert, which is why I’m asking.

                          I think I have a distinction in my mind between investing (eg into shares) and speculation/trading.

                          I’d say that nobody “invests” into currencies or, say, derivatives, but people trade/speculate with them instead. Eg currencies are not expected to keep going up in price indefinitely.

                          Shares, on the other hand, are an income-generating asset (via dividends), have a soft lower bound on price (net asset value of the company), and their price has some relation to the company’s activity. Buying shares or bonds is what I call investing.

                          So I guess you’re saying that people who buy Bitcoin are traders/speculators. Fair enough, but in that case, my question is: why do they think the price will keep going up? What drives the upward trend in price, other than a lot of people piling on cash?

                          1. -1

                            Good point. No one invests in currencies because they’re a bad investment - by design. Current institutional economics de rigueur mandates that currencies should be inflationary. This is a policy decision, not an inherent property of currencies in general. If the policy were different, people might treat currencies more like government bonds.

                            On the other hand, people (and institutions) actually do invest into derivatives. One could argue that ETFs (generally considered the best choice for passive investors) are a kind of derivative, although mostly for PR reasons ETF providers reject that classification. Typically people mean some nonlinear contract on an underlying, like an option (also a perfectly reasonable investment depending on your goals).

                            Gold doesn’t issue any dividends, but people (and companies, and governments) still invest in it. Where does its value come from? I’ll leave that to you to think about.

                            Bitcoin is interesting because it has some properties of both commodities (like gold) and currencies. It arguably has most of the beneficial properties of gold, as well as the property of (nominally) being substantially easier to handle and transfer.

                            1. 2

                              Aside from having some sort of a lower bound on price because it has uses as a metal, the difference with gold is that it has the benefit of being widely (practically universally) accepted as something of value. Presumably it also has relatively low price volatility (I’m not sure).

                              Is the idea then that Bitcoin will also become universally accepted as an “investment” akin to gold, and have a somewhat stable price? Is that at odds with multiple competing cryptocurrencies in existence, especially in the situation where new cryptocurrencies can be added without limitation? Do you think there will be a small number of “investment grade” cryptocurrencies?

                              1. 4

                                the difference with gold is that it has the benefit of being widely (practically universally) accepted as something of value.

                                Fun fact! In The Silk Road Valerie Hansen talks about how trade worked along (drumroll) the silk road. Merchants and armies would use both notes and gold as a medium of exchange. However, in more remote areas or areas in economic or military chaos, everybody used dry food or bolts of cloth as a medium of exchange. There’s a relatively thin band of instability where fiat currencies are not accepted but gold is. Usually you either can buy and sell currency anyway, or nobody wants your gold anyway.

                                Presumably it also has relatively low price volatility

                                Gold swings pretty wildly.

                                1. 5

                                  There’s a relatively thin band of instability where fiat currencies are not accepted but gold is.

                                  Compared to the silk road days, I wouldn’t be surprised if the band has gotten even narrower, since USD in many places now serves as a kind of universal backup currency in preference to gold. It’s quite common for people in countries with political and/or economic unrest that’s led to a loss of faith in the national currency to turn to black-market dollars for day-to-day trading, while turning to gold for that purpose is pretty rare.

                                  1. 3

                                    I agree that the ability of gold to be a fallback currency is very questionable. Considering the price swings, I’m not sure how comparing Bitcoin to gold presents Bitcoin in a positive light.

                                    So what I’m left with is that both gold and Bitcoin speculation is entirely driven by group behaviour dynamics.

                                2. 2

                                  No one invests in currencies

                                  Depending on how one uses the word “invests” this is not actually true. Currency speculation happens with fiat just like it does with cryptos. It’s probably not popular with the retail market in the USA, but it happens elsewhere.

                                  1. 3

                                    That’s exactly the distinction I was drawing: investing vs speculation. Currency speculation is of course done a lot.

                          2. 2

                            I’d like to have edited my comment below, but it’s not possible any longer.

                            Anyway, current total “market cap” is now $684B, a “loss” of $116B compared to the high water mark of 800B.

                            Why?

                            Because Coinmarketcap.com decided to remove South Korean exchanges from their calculations.

                            1. 1

                              This is a fair complaint; a more accurate notion of market cap accounts for regional liquidity limits and sources of friction. This occurs in any region with capital controls, and isn’t unique to cryptocurrencies.

                              1. 2

                                True. A big issue in cryptocurrency in general is the interface (i.e. exchanges) between crypto and nationally-backed fiat currencies. This is where the scamming, fraud, and dishonest trading happens.

                      3. 3

                        I ran 3.0.2 with a wide open JSON RPC host with an unpassword protected wallet for a month or so. Turns out no one was exploiting it in the wild on any sites I visited.

                        What’s a bitcoin worth these days anyways?

                        1. 3

                          Around $16,500, give or take a few %

                          Today’s high was $17,224, low of $16,187.