prevent or react

At the beginning of this year, there was a very tragic event prominently present in all newspapers across Switzerland. The whole thing was so tragic that I won’t add a link here. But there is one aspect that kept me thinking for the last two weeks. Today’s blog post by Bruce Schneier triggered me to write about it. There was a family father who fed his family by selling smart phones on online auction sites without delivering anything. Apparently he did that for years. They couldn’t get hold of him because he moved house every couple of months. In contrast to places like Nigeria, I didn’t think this was even possible here in Switzerland.

First of all, I don’t think that’s the profession he imagined for himself. Something must have gone terribly wrong long before. I think one has to be very desperate to become a professional cheater. Most measures our society has in place against such behaviour are reactive. Bad behaviour is punished, and the prospect of the punishment should keep the hesitant from misbehaving.

In certain areas of commerce it’s easier. In a brick and mortar store, you get the goods and pay directly. If you take the goods and run out of the store, chances are somebody will follow or somebody will stop you. This kind of theft is also easier for the police to pursue. But there are other areas where you need to bring a certain trust, for example if you order something online and pay upfront. If it is a big name store, you may know its reputation. If they didn’t deliver, you’d tell your friends. This in turn could influence the reputation of the shop. With sites like ebay that have more participants than any individual could keep track of, it doesn’t work as easily. That’s why they have reputation systems built in. There are certain ways you could trick them. I have no idea how well that would work out, but the only way to prevent that would be to require for example a social security number instead of just an email address to register. Other countries issued electronic passports for a while which could be used for identification in such cases. Whether this is desired is another question.

Ebay and ricardo do offer some sort of escrow service. But nobody seems to make use of it. Certainly not the victims of the above mentioned iphone scammer. Some may already know where I’m leading to. That’s an area where BitCoin can shine. With its built in, easy (soon) to use multi signature escrow system, certain types of fraud almost disappear overnight. If the system doesn’t allow cheating, there is no need for punishment after somebody was ripped off, or threats against such behaviour. So which is better, prevention or reaction paired with menace?

Categories: BitCoin

decentralized social communication

When you think about social networks, do you even realize how centralized and compartmentalized the prevalent systems are? Neither centralization nor artificial borders are inherent traits of a network though. Imagine you could only talk to customers of the same phone company you use. Or you could exchange emails only with customers of the same service provider. Wouldn’t that be ridiculous? And yet this lack of interoperability is the reality with most social networks today.

Blogging -> wordpress

Blogging is about the only category here that is fairly decentralized. You can host your own blog without any problem. Even though wordpress seems to have the lion’s share of feeds, rss and atom are open standards. And indeed lots of products and platforms offer that functionality. And most important: you can freely choose the software that fetches all the news for you. The same system is also used for podcasts, videocasts and various other content you can subscribe to. Lately, wordpress is even used increasingly to build regular websites. It is also what powers the blog you’re currently reading.

Microblogging -> twister

Everybody knows twitter. People who use it say it was great before they had to start pleasing their shareholders. It was used for communicating in the North African revolutions. Sounds ironic, given its centralized nature. It’s easy to revoke free speech with centralized systems. Nobody is astonished when it happens in Turkey. Lately I read that even in the UK they think about blocking twitter when things are going out of control.

There was a more open alternative called identica, but I don’t know if it’s still used a lot. I saw twister mentioned a while ago, and thought that’s something I should have a closer look at. Only last week I installed it and started playing with it. It triggered new interest in the whole topic. It is based on BitCoin and torrent systems, thus completely decentralized. A blockchain is used to register users, and torrents to distribute the content. Installing is as simple as adding a ppa (personal package archive from launchpad.net) and apt-get install it. As I don’t use twitter, I don’t know for sure, but I think the user experience should be similar except for ads. And while twitter provided rss feeds a long time ago, but stopped due to monetization, it is no problem with twister. While they say it’s in alpha stage, I had no issues, and the experience is better than with much commercial software. One downside it currently has is that a lot of handles for big company names or celebrity names were reserved early on by who knows whom. There is no mechanism to transfer a handle other than sharing the secret key. Maybe an expiration model such as with namecoin would be appropriate here. My handle is @ulrichard, if you want to follow me.

Social networks -> diaspora or gnu social?

I never really got it why I should be on facebook. You could describe their business model as a man in the middle attack. You chat with friends and there is always someone nearby who listens in and takes notes. Then he sells the information he gathered. And if he pleases so, he can even block you from chatting with your friends altogether. Sounds over the top? Think about it.

I do have a google+ account, but I actually never used it. It was forced on me to be able to keep uploading videos to youtube. The same criticisms as for facebook also apply to google+. But the worst thing is that they are not interoperable. Why do people have to be on the same platform to interact? That is a huge step backwards.

Diaspora was touted as an alternative for a long time. I wanted to give it a try, and I routinely check the packaging status. Usually I only use software that I can apt-get install, and thus is automatically updated, cleanly uninstalled, and I can check what files belong to it and where they go. If it is written in a language and environment that I’m familiar with, I might compile it to give it a try. I’m not familiar with ruby at all. Apart from that, I make very few exceptions from my apt-get rule. So, I’m still waiting for the diaspora packages.

Then I recently learned about gnusocial. It also looks viable, but again, no deb package. So I’m waiting here as well.

Messengers and Video calls -> Tox

Skype used to be great before it was sold to Microsoft. We used it a lot to phone home on our South America trip in 2007. Then GoogleTalk used to be even better until they terminated xmpp federation, and subsequently even switched to a proprietary protocol.

For text messages, xmpp is still perfect, but for voice calls it was difficult for a while. I once tried mumble, but can’t remember at the moment, what I didn’t like about it. My SIP VoIP experiments didn’t lead anywhere. And all the proprietary apps like WhatsApp really don’t cut it for me.

Only through twister I learned about tox. It’s still a mystery to me why I didn’t know about it sooner. It is easy to apt-get install from a ppa, and just works. They say it’s at an early stage and can be buggy. I had no issues so far. Nothing more to say… other than my tox id : 75A6B5F621BF142FA836E58A96023EE8F51AE0446FD85B2FBAFB378F4034E265EFF16B919A7A

Chat -> IRC, BitMessage, TorChat

I almost forgot to mention chat. IRC has been there forever. In my early chat experiences in the nineties I didn’t know about the technology behind, but in retrospect I assume it was powered by IRC. I still use IRC regularly, mainly on freenode to discuss about OpenSource software.

There is BitMessage which uses some ideas from BitCoin to run a fully anonymous stealth communication network. I like the idea and the concept, but getting a message through can sometimes take its time.

And recently I learned about TorChat. It worked fine the one time I used it. It makes use of the tor onion router to hide the communication, but apart from that it’s not associated with the tor project.

 

Categories: Software

wake up to a clean state

I used to have problems when my ultrabook woke up from sleep mode. Nothing serious, but annoying. One thing was that the empathy messenger application fully occupied one CPU core, effectively transforming the power out of the battery into heat. I grew tired of manually terminating it every time. So I did some research, and put the following lines into /etc/pm/sleep.d/20_empathy_cpu_hog:

#!/bin/sh
# pm-utils hook: stop the runaway empathy-gabble process after wake-up.
case "${1}" in
    resume|thaw)
        killall empathy-gabble
        ;;
esac

The other problem was the ssh connection that I keep to my server. After waking up from sleep it took a while to time out. Now, I terminate it right after wakeup, so that it can be automatically re-established. To accomplish this, I wrote the following lines into /etc/pm/sleep.d/30_ssh_ulrichard:

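#!/bin/bash
# pm-utils hook: drop the stale ssh session after wake-up so it can reconnect.
case "${1}" in
    resume|thaw)
        # pkill -f matches against the full command line and, unlike
        # kill with an empty argument list, is harmless when nothing matches.
        pkill -f 'ssh.*user@server\.ch'
        ;;
esac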

I love linux, where problems are rare, every problem can be solved, and the solution is just a few lines away…

Categories: Software

Paying online without a credit card

I can still remember the times when travelling without a credit card could be really inconvenient. But since Maestro and Cirrus cards work around the globe, it’s fine without. The time where shopping on the internet without a credit card was inconvenient to impossible was not so long ago. In a recent post, I announced that I don’t plan to renew my credit card. So here are some hints on how to get by without. BitCoin is the tool of choice as it has so many advantages.

At Christmas we usually play a game with the family of my wife. Everybody gets assigned a random person to make a gift. Beforehand we distribute our wish lists. My stuff is usually from online sites. The problem is, I’m the only one with a credit card in this circle. So what looks easy to me, might be difficult to order for the others. But the democratization of money, which BitCoin is about, is going to make online commerce a lot easier. Soon anybody with a computer or a phone will be allowed to participate.

Businesses that directly accept BitCoin

Even though there are thousands of businesses listed in the directories to accept BitCoin worldwide, only a few of them are in Switzerland. Most of them are in niche areas, selling goods that most people rarely need. And usually you search for goods rather than places where you can spend your money. Some of the American giants like dell, overstock, tigerdirect, newegg or adafruit deliver abroad at prohibitive costs, not at all, or only allow BitCoin payments for domestic clients. But sometimes you stumble across a site that accepts BitCoin by pure coincidence like for example nitrokey, spycoins or reelhouse.

Movies

Call me old school, but I don’t like subscriptions to watch movies. Yes NetFlix is a lot cheaper than the other options we have in Switzerland, but I just don’t like subscriptions that renew automatically, cost you when you don’t use it, and have notice periods when you want to terminate. Instead I want to select the movie I want to watch, and pay for it. Basta. Why is that so difficult? No wonder movies get pirated all the time. If it were so easy to pay for what you want, and the prices were reasonable, there would be no incentive to download movies from torrents or p2p. The music industry struggled for a while with the same problem. But nowadays you can download music at reasonable prices and it’s not even crippled with DRM anymore. When will the movie industry learn that making interesting offers is better than trying to break the internet? When I bought the movie “The rise and rise of BitCoin” on vimeo, I could pay with BitCoin and download the movie without DRM. The experience was so good, that I started exploring the video on demand section on vimeo. But when I wanted to buy the next movie, there was no BitCoin option, as with the previous one it ran through a voucher code. So I wanted to pay it with PayPal. But it kept failing and asking for a credit card. It just wouldn’t use my balance. It didn’t state it clearly, but somehow vimeo requested the address information associated with a credit card. Why that? Probably because of some area restriction which is almost as stupid as DRM itself. And this type of restriction clearly didn’t apply to the movie I was about to buy. Luckily somebody from “The flying Frenchies” told me that their video is also available from reelhouse. They natively support BitCoin. You can choose to rent and watch in the browser with flash, or buy and download DRM free. That’s exactly how it should be. I found my movie platform, and hope their selection will expand quickly.

Amazon and buy by proxy with discount

No, they still don’t accept BitCoin directly. But you can either buy gift cards from gyft.com or egifter.com, or even better let someone else place the order on your behalf and pay him in BitCoin. That is how purse.io and brawker work. Purse.io is exclusively geared towards amazon. You create a new wish list with amazon, configure your shipping address and populate it. Then you copy the URL of your wish list into purse and select your desired discount. People who want to buy your bitcoins make offers with differing discounts, usually in the range of 7%. You send your coins into escrow and select an offer. Once the goods are delivered, you release the coins from escrow and the buyer gets them. As it is geared towards amazon there are fewer variables, and thus it runs very smoothly. If your item is listed with amazon, but delivered by a 3rd party seller, purse might have problems processing. That’s when I tried brawker. Here you populate one or more edit fields with URLs containing direct links to the products you want. They can be on any site. That’s why you also see strange things listed. But the process is otherwise the same as with purse. One thing I noticed is that the escrow BitCoin address is actually a P2SH multisig address. But to release, I didn’t have to sign the transaction with my BitCoin refund address. Thus I don’t really know what this is about. Finally, I should mention snapcard and bitspend. They offered similar service where they executed the orders and charged in BitCoin. BitSpend closed long ago, and SnapCard changed their business model.

Donations

I used to do donations for Mozilla and SeaShepherd through SnapCard, but these days I do direct BitCoin donations only. And in fact many non profit organisations accept direct donations: Apache, Mozilla, LibreOffice, GnuPG (through the Wau Holland foundation), Electronic Frontier Foundation, digitale-nchhaltigkeit.ch, Wikipedia, Gliding Everest, Ebola fighters, Koptimism, BitCoinFoundation, to name just a few.

Auctions

There used to be an auction site that ran on BitCoin. It was called BitMit and was very cool. For some reason they closed a while ago. I don’t know of a good alternative at the moment, but there are better things to come. The most prominent being OpenBazaar. The great thing about it is that it’s not just another centralized service, but completely decentralized.

Food

In some areas you find lots of restaurants where you can pay with BitCoin. In Switzerland, I know only of Kafi Schoffel in Zürich. But this post is about the internet. You can order food for BitCoin on lieferservice.ch, which for sure has something in your area.

Categories: BitCoin

fido universal 2nd factor authentication

In the time since my rant about passwords, more and more sites adopt OAuth. I don’t like this development. Usually they offer login with facebook, sometimes with google or twitter and rarely with linkedin. The problem with OAuth is that the site operator decides what providers are supported. With OpenID on the other hand, I can host my own OpenID provider and secure it with whatever 2nd factor authentication I choose. It’s sad to see that OpenID lost traction, and is actually removed in many places. One concern about OAuth is that exactly the companies that track you the most get this extra information about where you log in and when. And on top of that you usually have to grant the site you log into the permission to tweet or post on your behalf. But what bothers me most is that you grant your id provider more power than you are probably ready to admit. Say for example you use google as your id provider for every site you can, because it is just so convenient. Then one day google decides for whatever reason to block your account. As a result you are locked out not just from all google services, but out of most of the sites you care about. And it does happen that google blocks accounts for no good reason.

Most BitCoin exchanges these days offer some sort of 2nd factor authentication. Some use YubiKeys, some use GoogleAuthenticator and some send you text messages. They are somewhat similar as they all use something called “one time passwords”. Only how the user gets them is different. Text messages seem like an ugly hack, and phones are known to be insecure. That’s also why I don’t like the Google Authenticator as it is just software running on the regular processor of your smart phone. The YubiKey is clearly the best option out of these, but it also has its weakness. If you use it for different purposes, an OTP generated for one site could be reused for a different site. As it emulates a keyboard it’s a one way track and it has no way of knowing where it is used. This is why the now defunct MtGox distributed dedicated YubiKeys. At least some parts they did right. But there is something in the works to solve all of this…

Last week I received a new USB security token. It’s a PlugUp fido u2fa device. It has exactly the same form factor as the HW1 BitCoin hardware wallet. And that is actually how I paid for it. Not directly, but through Brawker. The device implements the new FIDO universal 2nd factor authenticator standard. Finally a conglomerate of big name companies got together to solve the password authentication problem.

When I first read up on it, I found lots of marketing speech, and overly detailed specification, but not the kind of technical overview I was looking for. But it seemed interesting enough to give it a try. So far, there are USB devices available from only two vendors: Yubico and PlugUp. Even though I love the YubiKey NEO, the price was too high just to give it a try. The PlugUp device is much cheaper but also less rigid. Also there are not a lot of places where you can use it so far. But looking at all the companies that form the alliance, that is hopefully going to change. The only place I could use it was to log into my google account, and only with the Chromium browser. My browser of choice is Firefox, but it doesn’t look as if fido support is imminent. I did like what I saw so far. You can register multiple devices per account. And you can use the same device for multiple accounts. There were no technical hiccups. It just worked.

But still I thought, I would prefer a solution based on OpenPGP Card with EnigForm. With GPG, I can manage my identity myself, how I want it. Of course this is great for power users, but not something regular users want or can do. FIDO is targeted at regular users, and I think they found a good compromise. It appeared that from the security standpoint they should be similar, in that both work in a challenge response scheme. The server knows the public key, and lets the device sign something.

Then I found the technical information I was looking for on this blog. Now that looks promising. The device generates a new set of keys for every site. That is perfect for authentication, i.e. making sure it’s the same user as last time. If you want to compartmentalize your identity, you don’t even have to do it by hand. But it doesn’t help with identification. GPG would be better in that regard. So while GPG would be enough to identify a user, with fido the user will still have to fill in some required information. But most important, with both approaches fido and GPG/EnigForm, you don’t need a central service like with OpenID or OAuth that can track you.
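The per-site keys and the challenge-response signing described above, as an added example that is not part of the original post or of any vendor's code: a simplified Python model in which a response signed for one site fails at another and a used response cannot be replayed. The class and function names, the HMAC-based key derivation, the simplified nonce, the example origins and the device secret are assumptions for illustration; the hand-written P-256 ECDSA is not constant time and only serves the demonstration.

```python
import hashlib
import hmac
import os

# NIST P-256 domain parameters (the curve U2F signatures use).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
N = 0xffffffff_00000000_ffffffff_ffffffff_bce6faad_a7179e84_f3b9cac2_fc632551
G = (0x6b17d1f2_e12c4247_f8bce6e5_63a440f2_77037d81_2deb33a0_f4a13945_d898c296,
     0x4fe342e2_fe1a7f9b_8ee7eb4a_7c0f9e16_2bce3357_6b315ece_cbb64068_37bf51f5)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def scalar(key, data):
    """HMAC-SHA256 output mapped into [1, N-1] (simplified, not RFC 6979)."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    k = scalar(priv.to_bytes(32, "big"), msg)
    r = point_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (msg_hash(msg) + r * priv) % N

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(point_mul(msg_hash(msg) * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def signed_data(app_id, challenge):
    """What the token signs: the site's identity plus the server's challenge."""
    return hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(challenge).digest()

class Token:
    """Hypothetical token model: one device secret, a separate key pair per site."""
    def __init__(self, device_secret):
        self._secret = device_secret
    def _site_key(self, app_id, key_handle):
        return scalar(self._secret, app_id.encode() + key_handle)
    def register(self, app_id):
        key_handle = os.urandom(16)
        return key_handle, point_mul(self._site_key(app_id, key_handle), G)
    def authenticate(self, app_id, key_handle, challenge):
        return sign(self._site_key(app_id, key_handle), signed_data(app_id, challenge))

class Site:
    """Relying party: stores only a key handle and a public key per user."""
    def __init__(self, app_id):
        self.app_id, self.users, self.pending = app_id, {}, {}
    def enroll(self, user, key_handle, pub):
        self.users[user] = (key_handle, pub)
    def challenge(self, user):
        self.pending[user] = os.urandom(32)
        return self.users[user][0], self.pending[user]
    def check(self, user, sig):
        chal = self.pending.pop(user, None)  # each challenge is accepted once
        if chal is None:
            return False
        return verify(self.users[user][1], signed_data(self.app_id, chal), sig)

def demo():
    token = Token(b"constructed device secret, demo only")
    shop, bank = Site("https://shop.example"), Site("https://bank.example")
    for site in (shop, bank):
        site.enroll("alice", *token.register(site.app_id))
    resp = token.authenticate(shop.app_id, *shop.challenge("alice"))
    bank.challenge("alice")  # the bank has a login attempt open as well
    return {
        "keys_differ_per_site": shop.users["alice"][1] != bank.users["alice"][1],
        "shop_response_at_bank": bank.check("alice", resp),
        "shop_response_at_shop": shop.check("alice", resp),
        "same_response_replayed": shop.check("alice", resp),
    }
```

Calling demo() returns the four outcomes as a dictionary; only the response presented to the site it was signed for, against its still-open challenge, is accepted.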

Once fido gains more traction, the new YubiKey NEO will be perfect, as it combines fido u2fa with an OpenPGP applet. In the meantime, you can check which sites offer what type of 2nd factor auth at dongleauth.info

Categories: Software

A strange kind of holiday

It all started about two weeks ago when my wife discovered water on the kitchen floor that kept coming. The plumber who came immediately, found out that two parts of the waste pipe shifted out of each other, leaving a gap open. He told us that this must have happened two or three weeks earlier. During this time, the waste water filled up the base of the kitchen, which turned out to be water tight. He sucked out all the water, and left one part of the base open, so that some air could ventilate. He also told us that probably we would get a giant hair drier installed to get the rest of the moisture out. Nothing happened for more than a week. The smell was disgusting, and we apologized to the guests at Levin’s birthday party. Our neighbour told us that the same thing happened to them last summer, and that they had 40° for some weeks in their kitchen as a result.

When the craftsmen came to inspect the kitchen, they discovered one giant mold fungus. Immediately, they sealed the kitchen from the rest of the flat and all the cupboards. They started to disassemble the kitchen and removed the appliances. Most of it would be replaced. They sprayed some poison to contain it. After they told us the whole flat would have to be sprayed, the house management together with the insurance decided that it would be best for us to move to a hotel for two weeks. The insurance organized it for us. It appears they asked some other hotels first which were fully booked. So we ended up in the best hotel in town, the Waldstätterhof. The breakfast is included, and it is a very nice and delicious buffet. The funniest part for us was the Prosecco bottle next to the fruit juices. We usually don’t make holidays in such exclusive places, but we know it from special events such as the Musical we go to almost every year.

The insurance even pays for the additional costs we have because we can’t cook at home. But he asked us not to eat at the noble restaurants downstairs all the time. Of course we don’t want to exploit the situation, but because Levin had a surgery the day before we had to leave home, we cannot go outside all the time. The first day we ordered some food from lieferservice.ch at seewendays.ch that I could pay with BitCoin. The second day, I bought a warm chicken in the local grocery store. For the rest of the week, Mirella organized to have the meals delivered from the hospital. I must confess, it feels awkward to walk into the lobby of a four star hotel with a hot chicken in the backpack to eat at the room. But yesterday we went to the restaurant downstairs for once. It wasn’t cheap, but delicious.

The kids enjoy the adventure, especially because we rarely have so much time to play with them. Levin got a dinosaur skeleton to excavate from Santa Claus the day we left. So we went to the big hotel terrace to carve out the artificial bones from the enclosing gypsum. He was totally excited as the bones started to get released. Yesterday, we assembled a KAKU robot. Putting the parts together was easy. I had to do most steps, but the boys could help here and there. Noah walks around full of pride with the enclosed emblem. As all the manuals and information I found are in Chinese, it’s not always easy to find the required information. But the programming system ArduBlocks is exactly what I have been waiting for since I learned about the Scratch programming language.

 

Categories: Family, Projects

Fading out my credit card

Once upon a time there was no internet. When you went to a restaurant, you had to pay in cash. If you had no cash with you, you might have been lucky if the owner knew you well enough to think you were credit worthy. But what if you were in another city? Then some clever people invented credit cards. What they essentially did was telling the store owner that the person whose name was on the card was trustworthy, and that the credit card company would vouch for that individual. Obviously, owning such a card was quite a privilege. The companies issuing these cards didn’t want to pay the bills for people who would not pay them back, so they looked closely who would get such a card. But sometimes it happened that the people spent more than they could afford, or they ran off. It also happened that people bought goods with stolen cards. So they introduced the handwritten signature as a security measure. As the fraud became a regular occurrence, the credit card companies, rather than just fight it, started to accept it as an inevitable part of their business. They calculated like insurance companies, and figured out that they could effectively make more money if they lowered the bar to entry. The honest users would just pay the bill for the occasional crook through the higher fees.

Then came the internet, and people wanted to buy stuff online. Because there was no appropriate payment mechanism, people just used what was available: credit cards. The combination of name, credit card number and expiration date was not sufficient against misuse. This information was on the front of the card, and every store owner where the card was used had the information. So they introduced a three digit number on the back of the card as a security measure. Criminals became cyber-criminals, and they liked this system very much. Now they could steal credit card numbers, and use them to buy stuff that somebody else would have to pay for. Credit card fraud became an even bigger issue. But the credit card companies don’t suffer from that as much as one would think. Customers can complain if something appears on their statement that they didn’t buy. The CC company then issues a chargeback, and demands the money back from the store. In essence, they charge fees for covering the risks, but don’t actually cover it themselves. For some retailers, those fraudulent chargebacks are a real issue.

Then came the internet of money. It is called BitCoin. Just like the internet in 1994, a lot of people are confused, and don’t know what to do with it. Just like the internet liberated and democratized information, BitCoin does the same with finance. The internet didn’t just replace the fax machine, but opened a wealth of possibilities no one had even thought about. BitCoin already now offers a wealth of possibilities not imagined before. And the BitCoin 2.0 space shows even more applications for BlockChain technologies. But for the moment let’s focus on online payment. BitCoin doesn’t need any trusted third parties who could charge disproportionate fees, or could even steal or confiscate the wealth flowing through them. Transactions are final, so there are no fraudulent chargebacks. For scenarios where both parties don’t know each other and hence don’t necessarily trust each other, there’s an arbitration model already built in, in the form of MultiSig. The arbiter can be freely selected, not like with PayPal for example, which always favours the buyer.

For me, the main difference between BitCoin and cash versus credit- and debit cards is this: Either I give the amount I determine, or I give the information to get from my account the amount they want. You surely saw people hand their open purse to the cashier in a store, so the cashier can take out enough money to pay for the goods. Most often these people are retarded, can not count or read the numbers. Why should we act as retards when we want to buy something online?

Just this week, I read an article about a couple whose credit card was charged by a hotel with a $156 penalty for a bad review. Even if this is part of their terms, most people (myself included) perceive this as outright theft. Now guess what, with BitCoin they couldn’t steal from their customers at will.

With all this in mind, and after reading about credit card breaches multiple times a week, I think the time is ripe for a change. For the last two years I frequently ask if I can pay with BitCoin when I buy something online. That is mainly to build awareness, and voice against excuses such as from Amazon stating they didn’t see customer demand for BitCoin payments. I am ready to shift to the next gear. I want to get rid of my credit card in a year. But I won’t just cut it in half, and then regret it. Instead, I give my best to find and use alternatives, that at least involve BitCoin, if it is not direct. I don’t really like buying gift cards for myself, but I’m willing to go that route if I have to, at least temporarily.

I received a new credit card last month, and my first passive step towards my goal was not to register it with every service where I used the old card. That includes Amazon, PayPal, SBB, SPOT, …

The first order online after that was with dealextreme. I asked them about BitCoin payments before. In fact many people did, and I had the feeling they started warming up last year. But after the Chinese government crackdown, they said they couldn’t do it. They accept PayPal however, and since I no longer have my card registered, I wired the money to a PayPal account at a Swiss bank in advance. It’s certainly a hit in convenience, but it’s more secure still.

Then I found out that Amazon doesn’t accept PayPal, but only credit cards. That’s strange, so far, I just assumed they would. So I will have to send some BitCoin to gyft.com or egifter.com when I want to order something from Amazon the next time. I don’t really like this, but well… Ah, there are also services like purse.io where you can submit your amazon wishlist and some BitCoin. Another user who wants to buy BitCoin can then order the items from Amazon and send it to you. This option looks better to me. I’ll try it for sure.

I’m not a big fan of the security I see with PayPal either. On this blog I ranted about password based security many times. Unlike with the credit card, at least I can change the security element (the password in this case) if I suspect somebody could have sneaked it. Somewhere I thought I read something about two factor authentication with PayPal, but when I looked for it, I couldn’t find anything.

Not everything in this post is historically researched. Rather I just tried to outline how the different systems work, and how they became how they are.

Update:

Here is another story worth reading.

Categories: BitCoin

Back to Mac (nothing to do with Apples)

After I stopped flying in competitions, I also slowly stopped flying competition gliders. So I went back to my old and proven sports class glider. I meant to replace it for a long time. But as my Gradient Aspen 1 is by now more than eleven years old, there really were no more excuses.

So, I took the time to test new gliders. The first one I tried was the successor, the Aspen 5. It felt familiar and comfortable. They also have some good results in sports class competitions. So I almost bought one.

But I wanted to try at least one other model. The most obvious was to see what Mac Para has to offer. After all, most of my competition gliders were from MacPara, and I still consider the Magus 4 the best glider I ever flew. The description of the Marvel sounded good, but the model is more than two years old. So I asked if the successor is imminent. Most paragliding companies don’t announce the new models in advance, as they still want to sell the old one. I still expect a successor next spring at the latest. That is probably the reason why I got such a good deal for the demo glider. Since I don’t fly cross country as much as I would like to these days, I don’t need the latest and greatest. Instead, I want a glider that I am comfortable with, and that lasts for another decade. Ah, and there is another factor. I still like the design of the MacPara gliders. When I was collecting information on the Mac Para Switzerland webpage, I was pleasantly surprised to see a picture of myself and my Magus 4 over the pre-Pyrenees at the 2006 pre World Cup.


Categories: Paragliding

MultiSig with HardwareWallets

2014 is touted as the year of multi-signature for BitCoin. It is being integrated into some wallets and services. But not quite the way I expected.

  • Electrum has an implementation that assumes multiple hierarchical deterministic wallets distributed over different machines, that know the other’s master private keys. -> This should work well for corporate environments or other organizations.
  • GreenAddress has a cool, but for my taste too obscure solution. I would recommend it for new users. But for myself, I want to be fully in control.
  • OpenBazaar, although not fully functional yet, will integrate arbitration with multi-sig.
  • and I hear more announcements almost on a daily basis…

When I first read into MultiSig, I understood it as if I could combine any Bitcoin addresses of my choosing to create a MultiSig address. If one of the involved addresses was in my wallet, it would automatically display the MultiSig address as well. And I could then partially sign a transaction with the GUI, and magically forward it to the other signing parties. Turns out that is not quite how it works. To combine addresses of my choosing into a MultiSig address, I have to resort to the command line. There are a couple of good tutorials on the net on how to do that, and also on how to spend. But it’s not like executing a few simple commands. It’s quite hardcore. There are wallets where you can add them as view only addresses, but I’m not aware of a wallet where you can partly sign a transaction in such a setting.

MultiSig brings us escrow services and a load of similar stuff that was not even imaginable before the rise of BitCoin. MultiSig is also good if you want to implement a setting where at least two of your accountants need to sign transactions in a corporate environment. What this adds is security. You surely saw movies where a few generals had to use their physical keys to launch missiles. That’s done to add security, so that the terrorists would have to steal the keys from more than one general before they could launch a missile. The same works for bank vaults. And the same idea is behind BitCoin MultiSig, only that it goes much further.
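How such an m-of-n rule is encoded, as an added example that is not from the original post: the Python below builds the script a MultiSig address commits to (`OP_m <pubkey>... OP_n OP_CHECKMULTISIG`) and parses one back, so the threshold and keys can be checked before any funds are sent to it. The 33-byte keys are constructed placeholders, and the function names are this example's own.

```python
OP_1 = 0x51               # OP_1..OP_16 are the bytes 0x51..0x60
OP_CHECKMULTISIG = 0xAE
MAX_P2SH_KEYS = 15        # 15 compressed keys keep the script under the 520-byte push limit

def build_multisig_script(m, pubkeys):
    """Serialize OP_m <pubkey>... OP_n OP_CHECKMULTISIG for compressed keys."""
    n = len(pubkeys)
    if not 1 <= m <= n <= MAX_P2SH_KEYS:
        raise ValueError("need 1 <= m <= n <= 15")
    script = bytearray([OP_1 + m - 1])
    for key in pubkeys:
        if len(key) != 33 or key[0] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key")
        script += bytes([len(key)]) + key      # length byte doubles as push opcode
    script += bytes([OP_1 + n - 1, OP_CHECKMULTISIG])
    return bytes(script)

def parse_multisig_script(script):
    """Return (m, [pubkeys]); raise ValueError on anything but plain multisig."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("script does not end in OP_CHECKMULTISIG")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    body, keys, pos = script[1:-2], [], 0
    while pos < len(body):
        size = body[pos]
        if size not in (33, 65) or pos + 1 + size > len(body):
            raise ValueError("malformed public key push")
        keys.append(bytes(body[pos + 1:pos + 1 + size]))
        pos += 1 + size
    if not 1 <= m <= n <= 16 or n != len(keys):
        raise ValueError("threshold or key count inconsistent")
    return m, keys

def matches_policy(script, expected_m, expected_keys):
    """True only if the script encodes exactly the threshold and keys you expect.
    Key order matters: a different order yields a different address."""
    try:
        m, keys = parse_multisig_script(script)
    except ValueError:
        return False
    return m == expected_m and keys == list(expected_keys)

# Constructed placeholder keys (right length and prefix, not real curve points).
KEYS = [bytes([2]) + bytes([i]) * 32 for i in (1, 2, 3)]
SCRIPT = build_multisig_script(2, KEYS)
```

A script whose first byte has been changed from `OP_2` to `OP_1` still parses cleanly but fails `matches_policy`, which is the check that matters when the script comes from someone else.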

MultiSig is just one facet of pay to script (P2SH). You can implement other rules than just MultiSig. I became only recently aware of that, when GreenAddress gave me a transaction that I could use to get my funds off the MultiSig wallet in case they went out of business. What that means is that if too many parties lose their keys, funds on a MultiSig address are rendered inaccessible. As a measure against that, they created and signed a transaction with their key to transfer all funds, but with a time restriction. This transaction will only become valid after a certain configurable point in time. BitCoin has a stack-based scripting language for expressing such rules. For my taste it’s very complicated at first sight, but it’s cool what you can do with it. That’s actually where Ethereum’s main focus is to improve. That’s all good and nice, but wasn’t it possible to program rules for a long time? Of course, but with BitCoin nobody can cheat, and you have to trust nobody. You cannot just change the system time on your computer, or buy a fake certificate to trick a system into using your timestamp server. BitCoin has a distributed consensus that is very hard to come by.

So in essence, MultiSig is about increasing the security. This is mainly against malware that can infect your notebook and steal the files of your wallet software. There is also another cure against the same threat: HardwareWallets. I wrote about the Trezor and HW1 on my blog before. Now how about combining the two measures? That should raise the level of security up to a point equivalent to storing your gold and silver and diamonds inside a bunker in the Swiss mountains, and guarding it with a Russian tank, driven by a rogue artificial intelligence. But I can tell you upfront: just like that rogue AI, it’s not going to be user friendly. While user friendliness and security are often opposing, this is an extreme case. After reading this, don’t be tempted to think BitCoin was difficult to use. BitCoin is wonderful and easy – for normal use.

So let’s begin with the command-line fu. I won’t repeat every step from the gist from atweiden, but concentrate on the special parts:

You don’t need to create any wallets. I assume, the hardware wallets are initialized and ready to use.

Categories: BitCoin, Software

Visiting the doctor after 20 years

My wife usually rolls her eyes when I tell her: “No, I don’t need that medicine. My immune system can cope with that, and needs to be trained.” or “No, I don’t need that painkiller as long as the headache is not overwhelming. My body reminds me that I should not shake my head too much at the moment”. But last week I had a flu that didn’t improve even after three days in bed. Usually a flu weakens me for a week, and the strong ones put me in bed for a day. But this was different. For the first time in twenty years (not counting vaccination for travel, and the dentist), I felt it necessary to visit a doctor. He gave me antibiotics, and indeed I started to recover. Would be nice if it took another 20 years until I need a doctor again…

Categories: Family