You’d Be Crazy to Actually Spend Bitcoin

A little more than four years ago, Coupa Café, a caramel-macchiato joint in Palo Alto, began accepting bitcoin. This was shortly before the first big bitcoin rush briefly pushed the cryptocurrency’s price from about $100 to more than $1,000. At the time, two or three Coupa customers a week would pay their bills with bitcoin, says co-owner Camelia Coupal. Today, the number is … still two or three people a week. “It’s a really minimal part of our sales,” she says. “It’s really just a quirky thing for our customers.”

That’s the story of bitcoin this past year: The cryptocurrency has made fortunes for speculators, but—for that reason and others—it hasn’t been much use as a medium of exchange. Except in countries such as Venezuela, where inflation makes the local money even more volatile than bitcoin prices, its use by online merchants is virtually zero and shrinking, according to Morgan Stanley. When businesses like Coupal’s started accepting bitcoin, advocates predicted it would eventually replace money. Those voices have grown quiet. “The value of bitcoin is really predicated on its being a useful means of transactions,” says Jacob Leshno, an assistant professor at Columbia Business School. “If you take that away, all you are left with is a bubble asset.”

In 2017 bitcoin’s value rose from about $1,000 to as much as $19,000, often with swings of thousands of dollars a day. (As of publication, it’s trading at about $15,000.) Governments including China’s and Japan’s tightened the rules governing cryptocurrency businesses, and China has shut down its exchanges. Bitcoin’s popularity has also made its network much slower and sent transaction fees spiraling. In late December, sellers had to choose between waiting hours and sometimes days for their transactions to go through or paying an average $55 fee to jump the line. (In mid-2016 such fees topped out at about 15¢.) That’s made bitcoin impractical for everyday transactions, such as $3 cups of coffee.

The eight-year-old bitcoin network is “really janky,” says John Quinn, co-founder of Storj Labs Inc., whose dozen employees worked 12-hour days for two months last spring to switch their data-storage startup from bitcoin to the rival cryptocurrency ethereum. Two-year-old ethereum has its own problems, including rising transaction fees, but it’s become the first choice for most startups seeking to use so-called smart contracts or raise money through initial coin offerings, which generated about $4 billion in 2017. While ethereum has added lots of features and uses, bitcoin looks almost the same as it always has, says Lucas Nuzzi, a senior analyst at Digital Asset Research.

Bitcoin’s limitations are becoming bigger issues as banks and other financial institutions build out their own similar networks. “Cost, we expect that to be sub-1¢,” says Richard Brown, chief technology officer for industry consortium R3, which is helping companies build such networks. Completing a transaction, he says, “takes the speed of light, seconds at most.”

Some bitcoin developers are trying to tweak the network software to speed transactions, but disagreements about the approach have led some groups to split off and create their own smaller networks. “Startups need to be aware that they are building a house on moving ground,” says Michael Dunworth, chief executive officer of Wyre Inc., a cross-border payment service using the bitcoin network.

Because only 21 million bitcoins will ever be issued, there’s a case to be made that the currency is simply evolving from a transaction network to digital gold. Longtime advocates say different. “At the end of the day, it is bitcoin’s use in commerce that drives its price and further adoption,” says Roger Ver, the advocate known as Bitcoin Jesus, who spent bitcoin last year to cover his startup’s 60-person payroll and book hotels on Expedia. (He’s become a vocal champion for “bitcoin cash,” a cryptocurrency that’s facing an internal insider-trading investigation after having splintered from bitcoin last summer.)

Amid the current fervor, Ver is the exception. “No one is spending bitcoin,” says Iqbal Gandham, managing director at EToro Ltd., a cryptocurrency exchange. “It could be the most expensive piece of pizza you ever bought.”

    BOTTOM LINE – There’s little sense in using bitcoin for its intended purpose as a medium of exchange when its value can fluctuate by thousands of dollars in a given trading day.

    Read more: www.bloomberg.com

    A $50 Million Hack Just Showed That the DAO Was All Too Human

    Sometime in the wee hours Friday, a thief made off with $50 million of virtual currency.

    The victims are investors in a strange fund called the DAO, or Decentralized Autonomous Organization, who poured more than $150 million of a bitcoin-style currency called Ether into the project.

    The people who created the DAO saw it as a decentralized investment fund. Instead of leaving decisions to a few partners, anyone who invested would have a say in which companies to fund. The more you contributed, the more weight your vote carried. And the distributed structure meant no one could run off with the money.

    That was the plan, anyway.

    The DAO is built on Ethereum, a system designed for building decentralized applications. Its creators hoped to prove you can build a more democratic financial institution, one without centralized control or human fallibility. Instead, the DAO led to a heist that raises philosophical questions about the viability of such systems. Code was supposed to eliminate the need to trust humans. But humans, it turns out, are tough to take out of the equation.

    A Never-Ending ATM

    DAO developers and Ethereum enthusiasts are trying to figure out how they might reverse the theft. The good news is that time is on their side. The thief transferred the stolen funds into a clone of the DAO that likely includes code that, as in the original system, delays payouts for a few weeks.

    Stephan Tual, the COO of Slock.it, the company that built the DAO, says the thief probably never expected to be able to spend the ether. Each unit of ether is unique and traceable. If the hacker tries to sell any of the stolen ether in a cryptocurrency market, the system will flag it.

    “It’s like stealing the Mona Lisa,” he says. “Great, congratulations, but what do you do with it? You can’t sell it, it’s too big to be sold.”

    The DAO is a piece of software known as a “smart contract”–essentially an agreement that enforces itself via code rather than courts. But like all software, smart contracts do exactly what their makers program them to do, and sometimes those programs have unintended consequences.

    It’s not clear yet exactly how the hack worked, says Andrew Miller, a PhD student at the University of Maryland who studies smart contracts and helped audit Ethereum’s code last year. But he says the attacker probably exploited a programming mistake that’s exceedingly common in smart contracts.

    Let’s say you have $50 in the bank and you want to withdraw that from an ATM. You insert your card, punch in your PIN number and then request that $50. Before the machine spits out the cash it will check your balance. Once it spits out the cash, it will debit $50 from that balance. Then the machine asks you if you’d like to process another transaction. You tap “yes” and try to take $50 again. But the ATM sees that your balance is now $0 and refuses. It asks you again if you want to process another transaction, so this time you say “no.” Your session ends.

    Now imagine that the ATM didn’t record your new balance until you ended the session. You could keep requesting $50 again and again until you finally told the machine you didn’t want to process any more transactions, or the machine ran out of money.

    The DAO hacker was probably able to run a transaction that automatically repeated itself over and over again before the system checked the balance, Miller says. That would allow anyone to pull far more money out of the fund than they put in.

    The programming language that Ethereum developers use to write smart contracts, Solidity, makes it really easy to make this sort of mistake, says Emin Gun Sirer, a Cornell University computer scientist who co-authored a paper earlier this year pointing out a number of potential pitfalls in the DAO’s design. Others have previously spotted places in the DAO code that would have made such a theft possible. Sirer says the DAO developers have tried to be vigilant about preventing such flaws, but because it’s such an easy mistake to make, it’s not surprising that instances of the bug escaped notice.

    All Too Human

    As bad as the bug was, Sirer still thinks that both the DAO and Ethereum are worthwhile experiments. The DAO helped raise awareness of the idea of smart contracts, which Sirer thinks will eventually become extremely important to how the world conducts transactions. The project has also called attention to some of the biggest technical challenges.

    “This is a rite of passage for the project,” he says.

    The Ethereum team is now debating how, and whether, to refund the stolen funds. Ethereum works much like Bitcoin does: the system records each transaction in a global ledger that resides on every Ethereum user’s computer. The Ethereum team could release a new version of the software that tweaks this ledger to essentially reverse all of the DAO heist transactions. If enough people installed this version, it would be like the hack never happened. That’s exactly what many people in the community, including Ethereum creator Vitalik Buterin and the Slock.it team would like to see happen.

    “Fourteen percent of all ether is in the DAO,” Tual says. “No one wants to see this fail.”

    But others think that reversing the transactions could have a damaging effect on people’s perceptions of ether and cryptocurrencies in general.

    Alex Van de Sande, a user experience designer who has contributed to several Ethereum-related projects, and who put money into the DAO, says he believes other ways exist to retrieve the missing funds. Because the thief transferred the pilfered ether into a clone of the DAO, de Sande points out, it may well have the exact same security vulnerability as the original. Developers could just steal the ether back.

    The idea behind Ethereum, much like Bitcoin, was to create a computer system that facilitated transactions using the immutable rules of mathematics. The code would eliminate the need to trust anyone. If people can simply reverse transactions they didn’t mean to make, it proves that people, not mathematics, are really in charge of the system, de Sande says. If the code did something people didn’t mean it to do, then people will have to live with the consequences.

    The fact that a fork is being discussed at all proves that despite the Ethereum team’s best efforts, machines will always be subject to the messy politics of the human world. But that also might end up saving the project. The heist has divided people and exposed the inevitability of human weakness. But it’s also bringing people together to fix things. Humanity is making that possible, not mathematics.

    Hackers have stolen $60 million and counting from Bitcoin’s ‘unhackable’ competitor

    Over $60 million worth of the virtual currency Ether, Bitcoin’s largest competitor, has been stolen in a hack that’s still ongoing as of Friday morning.

    Meanwhile, the price of Bitcoin surged 70 percent this week and over 200 percent on the year, making it one of the currency’s best years ever.

    Introduced in July 2015, the Ethereum protocol and its cryptocurrency, Ether, blew past $1 billion in May 2016, a rapid rate of growth that inspired the co-founder of Coinbase, Fred Ehrsam, to say Ethereum could “blow past Bitcoin entirely.”

    “A new virtual gold rush is underway,” Nathaniel Popper wrote in the New York Times. Corporate giants called it Bitcoin 2.0.

    Now, in the midst of this massive and so far successful heist against one of Ethereum’s most popular applications, the currency’s future course is in question. Previous criticisms from Bitcoin advocates over Ethereum’s security problems and lack of testing are looking increasingly prescient.

    The price of the currency fell significantly until Ethereum co-founder Vitalik Buterin asked currency exchanges, where people can buy and sell Ethers, to immediately pause transactions.

    The target of the attack is the Decentralized Autonomous Organization (DAO), a platform built on top of Ethereum meant to innovate over Bitcoin’s much-talked-about blockchain, the open ledger of cryptocurrency transactions at the core of many of Bitcoin’s innovations.

    The Ethereum code and network itself has not been hacked.

    The DAO, which was worth well over $100 million prior to this attack, is essentially open-source code meant to transparently hold money and create binding financial agreements independent of human oversight. Media called the application nearly unhackable.

    The DAO, rather than Ethereum itself, is exactly what’s being attacked and stolen from right now by unknown hackers.

    Griff Green, spokesman for Slock.it, the creators of the DAO, stated on the DAO Slack channel, according to Crypto Coin News:

    “The DAO is being attacked,” Green said toward the beginning of the attack. “It has been going on for 3-4 hours, it is draining ETH at a rapid rate. This is not a drill.”

    Observers can watch the hack in progress from one key perspective: The attacker’s Ether wallet is open for all to see as funds are siphoned in. Money is still piling up. However, at the time of publication, nothing has been cashed out.

    The exploit used to hack the DAO was publicly disclosed a week ago.

    “Your smart contract is probably vulnerable to being emptied if you keep track of any sort of user balances and were not very, very careful,” cryptocurrency expert Peter Vessenes wrote on his website.

    “An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO,” George Hallam of the Ethereum Foundation explained on Reddit. “The attack is a recursive calling vulnerability, where an attacker called the ‘split’ function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.”
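
The ordering flaw in the ATM analogy and the recursive call Hallam describes can be reproduced in a small model. This is an added example, not code from the DAO or from any of the articles collected here; the `Fund` class, the account names and the amounts are constructed for illustration, and a Python callback stands in for the external call a contract makes when it pays out.

```python
class Fund:
    """Toy balance-tracking fund (constructed model, not the DAO's code)."""

    def __init__(self, deposits, update_first):
        self.balances = dict(deposits)       # what the ledger says each account owns
        self.vault = sum(deposits.values())  # what the fund actually holds
        self.update_first = update_first     # True = record the debit before paying

    def withdraw(self, account, receiver):
        amount = self.balances.get(account, 0)
        if amount == 0 or self.vault < amount:
            return False                     # the balance check
        if self.update_first:
            # Hardened order: record the debit, then hand control to the receiver.
            self.balances[account] = 0
            self.vault -= amount
            receiver(self, amount)
        else:
            # Flawed order: pay out first, so a nested call still sees the
            # old balance and passes the check again.
            self.vault -= amount
            receiver(self, amount)
            self.balances[account] = 0
        return True

    def is_consistent(self):
        # Invariant a test or monitor can assert: holdings match the ledger.
        return self.vault == sum(self.balances.values())


class ReenteringReceiver:
    """Receiver whose payout handler calls straight back into withdraw()."""

    def __init__(self, account):
        self.account = account
        self.received = 0

    def __call__(self, fund, amount):
        self.received += amount
        fund.withdraw(self.account, self)    # the recursive call


# Constructed sample deposits: carol is entitled to 50 out of 1000.
DEPOSITS = {"alice": 600, "bob": 350, "carol": 50}


def simulate(update_first):
    """Return (amount carol received, vault remainder, invariant holds?)."""
    fund = Fund(DEPOSITS, update_first)
    receiver = ReenteringReceiver("carol")
    fund.withdraw("carol", receiver)
    return receiver.received, fund.vault, fund.is_consistent()


if __name__ == "__main__":
    for label, flag in (("pay, then update", False), ("update, then pay", True)):
        received, vault, ok = simulate(flag)
        print(f"{label}: received={received} vault={vault} consistent={ok}")
```

With the debit recorded before the payout, the nested call finds a zero balance and stops; the `is_consistent` check is the kind of invariant that flags the flawed ordering in a test run.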

    Significant tension exists now about how to address the heist, especially because it is the DAO and not Ethereum itself that’s been hit. A lively debate has sprung forth about the options of “rolling back” the currency or altering the code in what’s being dubbed a “too big to fail political fork” of the software.

    The immediate and obvious comparison is to the enormous heist that hit Bitcoin’s Mt. Gox exchange in 2013, earning the hackers bitcoins worth $450 million then and $640 million today.

    That heist, which remains murky to this day, was a heavy black eye for Bitcoin, but one that it ultimately survived.

    With Ethereum wallets under constant attack, Jibrel Network decided to build their own

    Since blockchain technologies appeared, people have been trying to figure out how to put traditional assets like currencies, bonds and other financial instruments onto it in a way which has regulatory compliance and is secure. If you could do that you could sell securities in a legitimate way, thus disrupting large swathes of the asset management industry. In case you didn’t happen to know, the asset management industry is worth around $69 trillion or more, globally. But you have to hold these assets in wallets. And it’s not easy getting it right.

    There are already a number of players in this space. Tether is a cryptocurrency issued on the Bitcoin blockchain via the Omni Layer Protocol. This allows users to trade and use digital tokens backed by the US Dollar. Each of their ‘USDT’ cryptocurrency tokens is allegedly backed by this real currency held in Tether’s reserves and can be redeemed through the Tether Platform. LAToken is a blockchain protocol and platform for creating and trading listed equity asset tokens. And Blackmoon Crypto is designed to enable traditional asset managers to create and manage tokenized funds in a legally compliant manner (i.e. not go to jail!).

    But this world is not easy and is fraught with problems. Tether recently claimed it was robbed of $31 million in tokens after a malicious attack.

    And just recently the leading Ethereum developer, Parity, accidentally permanently froze over $160 million worth of user funds because of a fault in its wallet. Oops!

    Now a new company claims it will be able to fix some of these problems, especially as it concerns wallets.

    Jibrel Network, a company registered in the so-called “crypto-valley” of the Swiss canton of Zug, specializes in blockchain implementations for banks and so-called ‘Non-Bank Financial Institutions’. It recently raised $3 million from crypto investors including TaaS Fund, Tech Squared, Aurora Partners, Arabian Chain, among others.

    With few robust Ethereum wallets available, and hacks continuing, the team decided to build its own.

    It’s now launched the jWallet, a product aimed at consumers which, the company says, can store financial assets such as currencies, commodities, bonds and equities, on the Ethereum blockchain. The Alpha version of the wallet, which provides a simple way to store, transfer and convert ERC20 tokens, comes out today. jWallet holds no user data and all keys are stored locally.

    Most wallets have to make the decision to either sacrifice security or usability. But the jWallet can be run locally, is open source and a mobile version is also available.

    “There is a growing need for reliable, enterprise-grade wallet solutions, that deliver the highest levels of user-friendliness, without sacrificing security,” says Victor Mezrin, CTO.

    Unlike Tether, which provides only USD in the form of ERC-20 tokens, Jibrel has created tokens for six fiat currencies (USD, GBP, EUR, RUB, AED, CNY).

    Yazan Barghuthi (project lead at Jibrel Networks) criticised Tether’s approach: “As it stands, Tether requires centralization with reliance on traditional banking… Simply put, in tether, users purchased USDT directly from an exchange, whereas in Jibrel, one purchases JNT and then uses that to purchase asset-backed tokens from the Jibrel DAO.”

    Fighting talk.

    Jibrel’s advisory board includes Don Tapscott (of Thinkers50 and author of ‘Blockchain Revolution’) and Eddy Zuaiter (former COO Soros Fund).

    Security News This Week: $280M Worth of Ethereum Is Trapped Thanks to a Dumb Bug

    On Monday, a small configuration mistake at an internet service provider and infrastructure company caused internet outages around the United States for a few hours, reverberating across other ISPs' networks as well. Cool way to start the week. From there, research indicated this week that the Kremlin-linked hacking group APT28 (also known as Fancy Bear) has been exploiting a newly exposed vulnerability in Microsoft Office to do topical phishing attacks referencing the recent ISIS bike path attack in New York City.

    WIRED did deep dives into the ubiquitous and extremely clever Mimikatz password hacking tool, the crippling deluge of spam attacks journalists can receive in retaliation for controversial reporting, and the never ending question of whether Facebook is always listening to users' lives through their smartphone microphones.

    The Pentagon has spent more than a year working with civilian hackers to find vulnerabilities in their systems—and the collaboration is actually making the Department of Defense more secure. Chrome is taking steps to block annoying, unwanted (and sometimes dangerous) webpage redirects. And that effective Netflix phishing scheme is making the rounds once again. It could be coming soon to an inbox near you! Take WIRED's advice and lock down your iOS 11 privacy and security settings right now. And while you're at it, make sure your cryptocurrency is safe, too.

    And there's more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

    Ethereum Worth Almost $300M Is Trapped in Digital Wallets Because of a Bug

    Almost $300 million-worth of the cryptocurrency ether is locked in digital wallets and unreachable because of an alleged mistake that triggered a bug in a popular wallet from Parity. The company released a security alert on Wednesday.

    The flaw created a situation where Parity's multi-signature wallets (that require multiple sign offs on transactions) could be converted to individual wallets and taken over by a new single owner. A user, known on some sites as "devops199," triggered the bug this week (apparently by accident), gaining sole access to a number of formerly multi-signature wallets. From there the user eliminated their own access to the wallets—perhaps in a misguided attempt to undo what had happened. This is called killing or "suiciding" your wallet connection, because it means that no one will ever be able to access the wallet and whatever is in it will be stuck. Crucially, the software flaw that enabled this situation was in code meant to fix a different Parity bug that hackers used in July to steal $32 million-worth of ether. A possible solution would be a "hard fork" of Ethereum that would undo the situation and restore the trapped currency—kind of like a parallel universe in which the incident never occurred. The Ethereum community had chosen to make a hard fork once before after an attacker stole about $50 million-worth of currency last year.

    Wikileaks Releases Code for CIA Hacking Tool That Impersonated Kaspersky Labs

    WikiLeaks posted alleged CIA source code on Thursday, publishing details of a hacking tool called Hive that generates phony authentication certificates to communicate with malware installed on victim devices. As part of its Vault 7 release, Wikileaks already published documentation about Hive earlier this year. The organization has now selected the tool as the first in its “Vault 8” source code release series.

    Wikileaks notes that one example of a forged Hive certificate pretended to come from the antivirus vendor Kaspersky Labs. CEO Eugene Kaspersky said in a statement, “We've investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected.”

    The Wikileaks release comes as Kaspersky Labs, a Russian company whose antivirus products are used around the world, is embroiled in extensive controversy over its potential participation in Kremlin espionage. Security experts also noted the potential dangers of the Vault 8 source code releases. While they said the Hive publication is unlikely to particularly aid malicious hackers, future releases might. For example, the alleged NSA Windows exploit known as Eternal Blue was leaked by hackers known as the Shadow Brokers in April and was subsequently used in damaging cyber attacks like the WannaCry ransomware outbreak.

    Websites Owned by the Trump Empire Were Hacked Years Ago

    Hackers compromised at least 195 websites owned by Donald Trump, his businesses, or his family in 2013 as part of a campaign that may have originated in Russia. Researchers say that users who visited the hijacked sites—which included domains like donaldtrump.org, donaldtrumprealty.com, and barrontrump.com—would have been redirected to malware distribution sites hosted on servers in St. Petersburg. Many of the URLs were not in active use. The attackers' redirect pages contained common malware like ransomware and password theft tools. The hacked sites were slowly reclaimed from the hackers and purged over the years, but the AP reports that the last of the still-compromised sites weren't fixed until last week when AP reporters asked the Trump Organization about the situation. It is unclear whether any of the sites succeeded in victimizing unsuspecting internet users, and the identity of the hackers is still unknown. They may or may not have been working for the Russian government or at all related to the attackers who infiltrated the DNC. Trump representatives deny that the websites were hacked.

    Equifax Is Paying a Big Price for Its Epic Data Breach

    The credit reporting bureau Equifax said on Thursday that it has racked up $87.5 million in expenses because of its giant data breach, disclosed in September. The company is also embroiled in dozens of state and federal investigations plus inquiries from Canada and the United Kingdom as a result of the massive blunder. And 240 lawsuits against the company are working toward class action status. On Thursday the company reported third-quarter profits of $96.3 million, a drop of 27 percent since the same quarter last year. The company says it still cannot estimate the final total of what the breach will cost.

    Read more: https://www.wired.com/story/280m-worth-of-ethereum-is-trapped-for-a-pretty-dumb-reason/