Ramblings of Juraj

Solve the World’s Problems as Your Career

In recent months I have met many inspiring people. They are generous, fun to be around and solving the world’s problems. Diabetes, partnerships, waste, security, retirement - all of these are huge problems, and I met people that are doing all they can to fix these problems. I think this is the best career move any individual can make; and for me, these people are an inspiration.

Many things in this world piss me off, and there are some things I can fix. On the other hand, I met a lot of young start-up entrepreneurs that are working on “apps” that just seem profitable. They don’t fix a pressing issue that people have. I think making the right decision in your career is important and “fixing world’s problems” is the most overlooked guiding principle in our careers. People study law, business or medicine just because these professions “pay well.”

Solving pressing problems usually pays well too. If it is something that people care about, they are willing to pay for the problem to go away.

Ikigai

The solutions don’t have to be perfect. Some products and services solve huge problems, and it took two weeks to implement them! One of the main misconceptions of entrepreneurship is that it is hard, that only certain people know how to create a profitable business and that you need to attend business school, read business books, become part of a startup networking group or a mastermind. It is not true. You need to find the right problem to solve, find the right financial model that works for you and do it.

Sometimes, the solution feels crappy. The website could be nicer; the product could be leaner and without bugs. But if it does solve the problem then solve it!

You don’t need to become an entrepreneur You can also solve problems in the company you work for; you don’t necessary need to become an entrepreneur if it is not the right path for you. Are your customers or your colleagues frustrated by something? Fix it!

Chade-Meng Tan was an engineer at Google. He found out that his colleagues are stressed, can’t focus and have a lot of personal problems. He created a meditation course called “Search inside yourself.” Slowly, he moved from engineering position and became a full-time mindfulness guru inside of Google. Then he realized this is a skill that more people need to know and wrote a few books about this topic (Search Inside Yourself, Joy on Demand, …) and started also teaching outside of Google. He saw a problem and fixed it - completely outside his original field of expertise and without becoming an entrepreneur.

Entrepreneurs solve problems There’s an epidemic of “we pay politicians to solve our problems” train of thought. If we follow this approach, we are set for disappointment. Most problems are solved by private people and companies, not politicians, and if we rely on politicians to solve our problems, we are going to wait for a long time.

Of course, the most trustworthy person to solve problems is us - and we can become entrepreneurs quickly, we don’t need fancy business schools or genius ideas. Here’s an inspiring story from our trip to Bali.

Recycling in Bali Bali is a unique island. Although poverty and the standard of living there fell far short of our western comfort, there are amazing entrepreneurs in Bali. In the town of Ubud, you will find boutiques with various clothing that you won’t find in most western cities - from the cheapest to the more luxurious brands. We know Bali for its art that they export to the rest of the world. Carved wooden sculptures, furniture and paintings are among the most famous products of Bali. People work and produce. Bali is also known for local coffee that includes part-digested coffee cherries eaten and defecated by the civets. Doesn’t sound very yummy, but it is not bad! If you like architecture, you should definitely see the largest bamboo structures in the world. Fans of freedom of learning and innovation in education should certainly check out the Green School, which is also located in a bamboo house. The creativity and productivity was amazing!

Bali has some unusual religious practices. I will mention them only briefly, as they relate to the story. The inhabitants of the island are committed to maintaining harmony between good and evil. In practice one day before Nyepi rituals, the residents of Bali try to attract evil spirits from the universe, feed them with offerings and then burn and starve them. Then they run and hide inside their houses on Nyepi - the day of silence. What is remarkable that they feel that it is their job to ensure the harmony. The religious offerings used to be served in recyclable bamboo, now they are mostly plastic.

As the part of our trip, we went to see the Mother Temple. Our guide Wayan was walking around and always collecting plastic garbage and throwing it into trashcans. He told us that in the beginning, he was just pissed off with the trash. It was a problem that he tried to solve by collecting the plastic garbage that people threw away everywhere. Later he found a way to address this issue in a sustainable way. He met a few Australian and Japanese tourists, and they helped him with a capital investment (this is the term he used - no business school!) in the form of a machine to recycle plastic bottles into a plastic powder that can be used to produce products, such as pots for growing plants.

Up to this point, people used to make fun of him - they called him “the garbage man.” And they were laughing about his unsustainable attempt to get rid of the plastic. He was collecting and disposing of it, and the amount of plastic was growing more and more. But he found a solution to this problem - by obtaining the recycling machine. He started to buy the plastic waste from the locals and turning it into a usable product that he could sell. Those same people that were making fun of him started collecting the garbage because it was profitable for them!

Wayan teaching a kid to collect trash

He finally bought trashcans around the temple, and tourists started using them, collecting the trash for him.

The best way to find energy for doing business is finding something that bothers you - ideally a recurring problem that you hate - and solve it. Wayan hated plastic trash around a beautiful cultural site. What surprised me more is that Wayan never mentioned government as a solution to this problem. He never expected someone else to work around this issue; he was looking for a solution himself. He never attended business school, yet he understood profit and loss and the fact that if he wants to solve this problem, he needs to find a financial model that works for him.

In the west, we usually subsidize recycling, and it is often a waste of our money and energy. It is not a sustainable solution; it is a net cost to our society. I don’t think that Wayan’s way of solving this problem would be viable in the west, mainly because the cost of labor is much higher than in Bali. What I know is that there are sustainable solutions to this problem, and people are working on them. They are making a career out of saving the world.

Wayan became a lifestyle entrepreneur, even though he originally had no capital and did not finish any business school nor course. Lifestyle entrepreneur means that he started a company to support his lifestyle and values. I believe that anyone can be an entrepreneur - make sure that you solve some problem inside a financial model that works for you. That’s the key. No business books required.

Barbell Strategy for Investment

What you’ll learn:

  • Investment is not about picking the right financial product (like stocks or bonds or mutual funds)
  • There’s an investment strategy that is based on your values and relates to other goals of your life - like elimination of stress
  • There is a way to gain from disorder and chaos, not only go through it
  • That your time, money and energy can be used to help both yourself and the world
  • How to be financially secure even if you are not rich

Introduction

When making investment decisions, people often choose from prepackaged “risk-rated” investment portfolios. I will show you a different approach and expand the possibilities. We will include investing in yourself, creating your own business and investing in your children as an investment strategy. I think buying some random stock that a financial advisor recommends you, or going with government bonds is not a good idea for most people. While this article is about finance, I will show you how you can use this in virtually any area of your life.

The myth of “medium risk investment”

Let’s start with medium risk investment. It is usually something like a government bond. Since governments can print money at will, the risk is considered low, because if they run out of money, they can “always” print some more money, up to a point which is the melting point of the country’s currency. Some people argue we are pretty close to this point, at least in Europe where I’m from. I am not going to give you an economic outlook because we are kitchen investors and honestly we don’t need to understand this much for the strategy to work.

What makes the investment medium risk? You won’t make much, but you won’t loose much. The upside (how much you can make) is fixed. If the bond returns 2% p.a., you will never make more than 2% p.a. on the bond itself. So the upside (the possibility of a return) is fixed, and it is relatively small. I would argue that it does not make you any money, it would probably not even make for inflation (rising prices). So what’s the downside? The worst that could happen is that the country defaults on its bond and gives you some proportion of the principal or nothing in the worst case. So the possible downside is 100%. If you paint the picture like this, it’s not a good medium risk strategy; the downside is unlimited, and the upside is very limited.

Unbreakable cups and antifragility

Enter Nassim Nicholas Taleb, the author and philosopher who coined the term Black Swan - an improbable event with a high impact (very simplified explanation). In his recent book called Antifragile, he is talking about all kinds of objects in the world and how they respond to chaos, uncertainty, time, and/or entropy. He is a former options trader, so investment is his primary domain, but he also talks about health, countries, entrepreneurship, marriage and other things. It’s one of the best books I’ve read, ever. I highly recommend going through it, if you have the time.

He talks about the objects being either fragile, robust or antifragile. Let’s take a porcelain cup. If you throw it to the floor, it will break apart. It is “fragile to collision with other objects”. It will break and cause ruin - the cup is no good anymore. The only upside is applying an old superstition and saying it will bring you luck. And luck is something we don’t want to rely on when investing our time, money and energy.

Then you have a plastic cup. You throw it on the floor, and it will not break. Nothing will happen to it. It is robust. So what is antifragile? Can a cup become better by falling on the floor?

Let’s take another example - exercise. Let’s take weight lifting. Your body can lift some weight, say you pick up a plastic cup from the floor. It is robust; you apply force, and nothing special happens. But let’s say you find something a little bit heavier, something that you are not used to. Your muscles get stressed, damaged a little bit, and the body reacts. More muscles grow. You apply force that clearly does harm to your muscles, and then the body responds by fixing them and making them stronger. Your body is antifragile to lifting heavy stuff. Of course, until a point where it becomes fragile again - if you try to lift a truck hard enough, the damage to your body would be unrepairable.

So the same object can be either fragile, robust or antifragile, depending on circumstances.

Are our investments fragile?

Let’s look back at our investment portfolio. If waters are calm, and the economy is doing well, you gain 2% p.a. If anything happens, if you apply uncertainty, entropy and chaos, it will never grow more, it can only fall. So your medium risk investment portfolio is as fragile as it could be.

So what was the goal of medium risk investment portfolio? Make sure you don’t loose much (so don’t risk much), but for upside, we want the sky to be the limit. And the last time I checked, the sky was not capped at 2% p.a.

The barbell strategy

Taleb has a strategy for this, and it works with many real world problems besides investing. He calls it a barbell strategy. He describes it as “marry an accountant and have an occasional fling with a rock star”. No, I’m not suggesting you actually do that.

Here’s how you build a barbell. Take 80% (or 90%, depending on the parameters) and make sure they are something, that is of value to you regardless of anything else. For me, it is an apartment I live in, some Euros (currency that is used in the country where I live), some gold and some silver. No debt such as a mortgage, no third party obligations. A good check if you picked the right thing into this part of the barbell is that you don’t care about its value. I am not checking what’s the market price of my apartment at all. I don’t care. I have to live somewhere, and if the price of my house raises on the market, the other houses rise in price as well. So it’s not an option for me to sell it and buy something else cheaper nearby. So how much is the apartment I live in worth right now? I don’t know, and I don’t care at all. How much is a thousand euros worth compared to Japanese yen? I don’t care, as long as the prices stay more or less the same. There’s a possibility of currency collapse, hence gold. One ounce of gold buys you a custom tailored suit, and one ounce of silver buys you a night stay at a hotel anywhere in the world. And it has been this way for hundreds of years. All of these are not making money for me; I want to ensure that they are not losing value over time, but that’s all. I can have a check once a year or so and slightly rebalance them (when gold is cheap, I exchange some more euros for gold, I don’t do that the other way around because I earn new euros anyway).

So now we have something that does not loose value for us - the composition of this part of the barbell will be different for everyone. The check is intuitive and emotional - would you care if the value of this dropped a little or a lot? If your gut feeling is “I don’t give a ….”, you found it. Don’t even think about upside; you don’t care about upside here at all - if it has an upside, it has hidden risk, so if you feel “I’m gonna gain something from this,” something’s wrong.

Now the other part of the barbell (20% or 10%, depending on what you choose). It’s the riskiest thing you can find. The question is - can this earn me a huge return? Don’t think about downside at all. You can lose it all; it does not matter. This part of the investment portfolio for me is an investment in myself, entrepreneurship and some leisurely cryptocurrency speculation. It might and should contain investment in your kids (not Taleb’s recommendation, it’s mine).

Investment in myself - is there something I can do that has the possibility of hugely increasing my upside? Something like a personal development investment maybe? Or learning a skill that will double my market value? Maybe an investment in my health and fitness that increases my productivity? It might be a dead end (we don’t look at the downside here), the investment strategy might not make a return. But if it gives me two more productive hours a day, better friends, a skill I can sell on the market - all of these can have huge yields. Much more than 2% p.a. for sure. But think about something that has 100% to 1000% return on investment. Of course these are as risky as they can be. But we are not looking at downside at all. Why buy stock of a Fortune 500 company? Unless you know something that the whole world does not know, which is very unlikely, the expected returns are already reflected in the price of the stock. Plus you have no idea how the company is run and no control of the people running it.

Do you have a cousin or a nephew or a friend that has an amazing startup idea that clearly resonates with you and solves a big issue in the world? Invest in them! Do you have such idea? Do it! Starting companies these days is incredibly cheap and contrary to public belief, doing business is not about talking to investors, but rolling up your sleeves and solving a problem. Preferably an irritating, recurring problem that you dream of being solved. Here’s a gut feeling - is there something in this world that pisses you off so much that you are angry even when you think about it? Solve it! Thanks to the barbell strategy, you don’t care if you fail - at all (don’t go into debt though). But if you win, you make a lot of money and solve the problem - and your emotional issues - at once. Looks good to me.

Barbell strategy is antifragile

Let’s have a look at the fragility of this strategy. The world is in chaos, you have your house, your gold, the course you took is of no value and your companies are bankrupt. You are at 80% of your wealth, and you are doing great. That’s the worst case scenario.

Let’s say some of the upside strategies worked. You gained a skill, your smart kids help you with solving an issue and you made 300% of the 20% part of your barbell investment. You have made a 60% return on your whole investment (if we count the 80% that did not move up or down).

Some technical strategies

Some strategies and precautions. Never move money from one side of the barbell to the other. Yes, your business might need that extra $10k that you have on the other account. Next day it might need another $15k. This strategy is definitely not called “barbell strategy,” it has a different name - “Gambler’s ruin.” And ruin is the real result of this approach. Cover your losses, bankrupt the company and start something else. You still lost only 20%. Or find an investor. Don’t go into debt! (For some, the story of Elon Musk risking his last money for the fourth SpaceX launch might come to mind - yes, it might work sometimes. If it had not, there would be no Tesla and Elon Musk would most probably be making a living as a speaker at conferences, speaking about his financial ruin. He would definitely not be a famous entrepreneur we now know. It was a stupid gamble that paid off. Please, don’t do that).

People that are new to gold ask me about this a lot. There are several options. Let’s get the worst option off the table first - don’t buy a gold certificate from a bank. They have a long history of not having the gold you pay them to store for you. There’s a longer history of confiscation of gold. The other options are: Buy a safe and buy either gold bars or gold coins. It does not matter what’s on them that much, but the most famous are easiest to sell, these are Canadian Maple Leafs, Krugerands, Wiener Philharmonikers and Austrian Mint. Among these, buy the one that is cheapest, although the price is usually similar. They would state a price on them, an ounce of philharmoniker says “100€”. That’s the price that the European central bank guarantees it will pay for that coin. You can safely ignore this; it is worth ten times the amount. It does not matter.

The other option is to rent a safe deposit box at a bank. Since they don’t know what you have there and you know you have real gold there, it is a better option and it has better security against burglars than your house.

The third option is to store it at a reputable gold storage vault. I use Goldmoney for this service. They facilitate gold storage in vaults around the world. In case something bad happens in your country, you can “move out” and claim your wealth elsewhere. I am not suggesting something bad will happen, I don’t know. But we’re protecting against downside on this side of the barbell, and that means we have to protect ourselves against the possibility of something bad happening. We want no downside here.

Gaining from disorder

We live in an uncertain world. With antifragile strategies, we can make the uncertainty work in our favour. We can gain from disorder and help the world while doing so. For me as an entrepreneur, having this “safety net” (the 80% side of my barbell) gave me emotional peace. Before, even when my businesses were doing extraordinary well, I felt threatened. The uncertainty was too high and it showed in my emotional life and in my personal life. Now I am confident that I can live - even for a few years - from the 80% side of my barbell. I own the house where I live, have no debt and I can feel safe regardless of how my businesses are doing. That makes growing them and working on them enjoyable.

So how to gain from disorder? If there is a crisis, world (or your country) is in chaos, but your own roof is not on fire. You actually have some cash and you can buy assets that are cheap because of the turmoil. You can look at the world around you with clear eyes and ask yourself: “What is the best way to help people right now?” And by helping people, you gain - you grow as a person, you feel accomplished and you create value for people, which usually means financial profit for you. This way, your 20% side of your barbell will grow. That’s the ultimate way to gain from disorder.

A few years back, my situation was different. I was not poor, but the uncertainty caused me a lot of emotional issues and anxiety. I don’t consider myself a rich person. I am probably just an average guy from a weird european country. But here I am, writing about my financial strategy and my financial life is giving me stability and strength. The fun part is that you can apply the barbell strategy to almost any part of your life - do the things that limit your downside 80% of the time, do the things for potential unlimited upside 20% of the time.

If anyone is interested, we can discuss barbell strategies for other parts of our lives.

Ethereum and Other Altcoins

As you all probably know I am a fan of Bitcoin, but I am not that much of an alt-coin guy. What I mean by that is that I think that a main property of money is that it is universal means of exchange. It is good that you can store your wealth as savings (for example in gold or oil). It is also important to choose a unit of account. But what matters is if you can use the money to exchange it for the stuff you actually want. People think they want money, but they are not much thrilled about my one hundred trillion Zimbabwe dollars. Why? Because it can’t buy anything.

I think this is one of the most important drawbacks of Bitcoin right now - it is not universally accepted. On the other hand, it is gaining traction and I like both the ideas behind Bitcoin and its technological ingenuity.

For me, switching to another alt-coin has to be justified by a significant improvement - one that would make the switch worth the loss of the network that accepts Bitcoin. I am all for playing with alternative ideas - I just think that what we need now is not ideas, but acceptance.

So far the main reasons behind developing alt-coins (except for fun and pre-mining profit) has been a different mining algorithm and speed of confirmation. I’ll touch both of these and then I will cover Ethereum.

Commodity mining

Litecoin was the first prominent alt-coin being developed from the Bitcoin source code with a different algorithm for mining. It’s called scrypt and it was supposed to be an algorithm that is hard to implement in specialized mining hardware, meaning that anyone could mine it on their computers. We now know that they have been wrong and KNCMiner just announced their scrypt miners. People have been mining Litecoins and other litecoins running on scrypt on their more expensive GPUs. A CPU is a general purpose processor and of course you may make it more difficult to create specialized mining equipment by being as general as possible (requiring both computational speed and memory access). Eventually, it is always possible to create faster specialized equipment. But the real question here is why to do that? Of course the common answer is that we want common people to perform mining and thus distribute the coins among the people. The beauty of the idea behind Bitcoin is that the mining is not an end by itself. It’s a mean to provide network security. You need to make sure that more than half of the network is honest to maintain security. Mining could be also called block validation. I understand that people freak out when they realize that someone with enough money could take over the network by secretly manufacturing this required computing power and taking over the network. The question remains: Would people still use it? Would they want to undermine the network or just make it stronger so their investment pays off? Of course, there’s no clear answer and depends on their value system. If they feel threatened by Bitcoin, they could do that and undermine it’s legitimacy and trust people put in it. How difficult would it be to start new alt-coin with slightly different algorithm, so their equipment is a piece of useless metal trash?

Now take the “commodity mining hardware” train of thought for a while. Anyone can mine it. How many huge organizations have commodity hardware that is underutilized at least a certain amount of time? Google, Microsoft, Amazon, NSA, … I don’t mean to say that they would do it, but they might as might anyone else. What about computer factories making supercomputers? Don’t they want to test the equipment they manufacture for four days before they ship it to their customers? Oh and when this currency is taken over and another one that works best on commodity hardware is popular, they just change the mining software they use.

What I really see is a socialistic sentiment - an idea that poor people’s old laptops could make this currency. But mining is not only about making new units of currency, it is about making it secure. Making it commodity-only friendly is a bad idea. I would rather trust a huge mining power of Bitcoin ASIC miners than 10 thousand old laptops. And would it work? The more people that invest their computing resources into mining, the less reward they collect (per computational unit). That effectively drives profit margins on mining to zero. So not only the network would be less secure, it would not be profitable for the common men. The incentive may be higher in people who invested in the computing power already - say from taxpayer money - and don’t care about profit. Like the NSA.

Confirmation time

Now about the confirmation time. Litecoin’s mining algorithm is targetted for 2.5 minutes blocks on average. That means that blocks get “confirmed” sooner, because they appear in the blockchain. But do they? Actually, no. For the block to be confirmed it means that it is more difficult to cause the blockchain to fork and undo a confirmed transaction. Satoshi showed in his original paper that the probabilty of this happening decreases exponentially with each new block. But in the end, it’s about computing power. Let’s say that we need a trillion operations for one block in Bitcoin. Then comes Litecoin and says that the block needs a quarter of a trillion operations, so the blocks come faster. Say the mining power is the same in both networks. Say I would trust a transaction to be confirmed after it’s been included in 5 blocks of the blockchain. How many blocks in Litecoin network would I need to do that?

You might say that it’s after five blocks (and they take a quarter of the time), but that’s actually not true. If an attacker had significant mining power, the probability is not dependant on the number of blocks, it’s based on number of operations performed.

So given that the mining power (operations per second) is the same, you would need to wait 20 (5 times 4) blocks in Litecoin network to have the same confidence and that’s exactly the same amount of time (probabilistically speaking).

Ethereum

I have to admit, that Ethereum is the first alt-coin that has significant changes to Bitcoin that would make me consider it. One special exception is Zerocoin, which I love and hope to see implemented in every alt-coin and possibly the main Bitcoin blockchain.

Ethereum has this idea of advanced scripting language at it’s core that is Turing-complete. Being Turing-complete, it can compute any function there is, making it a programmable currency. A little bit more about it later.

They also play the “commodity hardware” mining tune which I totally dislike and do something which has been a big “no-no” in alt-coin community and that is called pre-mining (or creating units in advance). The idea is that to fund the development of Ethereum, some of the currency will not be allocated to miners, but will be taken by a development team and redistributed to authors and contributors. There’s also this idea that they will pre-sell some units for Bitcoin, which makes me wonder - do they even trust it’s going to be the currency that they are willing to sell their superior currency for some older currency? I understand that they want to make it valuable and that they hope that the artificially set pricing will be set and go on with the currency. This all reminds me of social engineering and central planning. Bitcoin is simple. It is not overengineering, it does not have many weird arbitrary rules. It is simple and that’s probably the author’s intention. Now Ethereum has not even started yet and I already see the discussions about how it will be allocated and who will vote about who gets the “development” money. It is exactly this reason why I don’t like democracy. There’s no direct relation between those who pay and those who receive.

I understand that people want to get paid for their work and I have no problem with it. But this smells with committees, voting and conflict. What about making a Kickstarter-like crowdfunding. Want to have this project done? Contribute some Bitcoins. Create a prediction market for Ethereum prices and you can even denominate a crowdfunding idea in Ethers. Make people vote directly with their money.

Please learn from Bitcoin. There is this “official” Bitcoin foundation that people are talking about. People are saying that it should not represent Bitcoin users, talk to politicians, … I understand that there are people who are for it. But what is wrong with people wanting to vote with their money? You want this feature? Pool resources with others who do it and crowdfund it. Then it will be about users’ will - what gets funded, gets done.

No arbitrary pre-funding, constants, distribution, votes, …

I also don’t believe that unlimited (but slow) inflation is neither required nor wanted, but I can live with it (unlike with traditional fiat money, the inflation rate will be known in advance to everyone and it will directly affect the future price of Ethers).

The halting problem

In computational theory, there is a well-known and proven fact that you can’t tell about any general program if it will ever halt or just compute forever. It’s not that we have not yet found an algorithm to do that, we know for a fact that it’s impossible (in general Turing-complete programs). This is one of the basic findings of computer science that we have to live with.

I believe that the fact that Bitcoin’s scripting language is not Turing-complete is a design feature. If you can’t create loops (and jumps), you create a limited language that you know for sure will end in a limited time. If you don’t allow loops and instructions take certain amount of time, you know that the program will end after umber_of_instructions*slowest_instruction_execution_time. This trick is not new and there are many languages that are limited on purpose this way, for example, DTrace scripting language used for debugging kernel and user-level programs in some operating systems (Solaris, Mac OS X, …). The miner fees are also directly related to the size of a transaction, meaning that the longer program you write, the more you have to pay in fees to process it.

The problem with the scripting in the blockchain is that every full node has to process it and store it. Bitcoin also limits the number of external inputs making the execution completely deterministic - meaning that all nodes interpret the code in the blockchain exactly the same way. You can not rely on current time (you can rely on block number to represent time). You cannot rely on external inputs (like a content of a website) because they can change over time.

Ethereum can “solve” the halting problem by collecting fees per processed instruction. On the other hand, do we actually need this complexity to do what we need to do? The power of Bitcoin contracts is still not fully used to this day and yet we want to create something better. But if we regard the determinism and time-bounded execution constrain as a feature, not a bug, is it an improvement?

Conclusion

I am not against anyone developing a new currency. I am not expecting huge popularity of Ethereum either. Vitalik Buterin explained in his Bitcoin Magazine article that he wanted to make cryptocurrencies more general. He compared it to creating something more like TCP/IP instead of SMTP. I have another analogy: Everyone is using e-mail to communicate. There is also a clear room for innovation here - encryption and fighting spam. Why hasn’t anyone switched yet? It’s because of the network problem - the more people use it, the more difficult it is to make everyone switch. And if encryption and spam aren’t good enough reasons for people to ditch good old SMTP, I think Ethereum has to offer something more than a new philosophical approach to be an attractive alternative to Bitcoin.

On the other hand, I wish them well and I hope they succeed. I may even buy some Ethers just for the casino-like rush and being able to tell people I was one of the first owners of Ethers. I will be really excited when there are 10000 shops accepting it as a payment. And unless there’s much better PR and significant practical improvements over Bitcoin, I doubt that’s going to happen.

Report From 30C3: There’s No Privacy

Chaos Communication Congress is the oldest hacker conference in the world and the largest of its kind in Europe. It takes place at the end of each year in Hamburg and brings current research in the field of security, networking and increasingly also politics and other topics related to “hacking” - the unconventional use of ideas, technologies and things around us.

For the past few years, I was always left with the similar impression after coming back from the conference: Our “paranoia ” is not paranoid enough; technologies are vulnerable and (rich, big) states increasingly breach our privacy and other rights. This year was no exception, on the contrary: Jacob Appelbaum presented new documents leaked by Edward Snowden, along with technological analysis. In his talk To Protect and Infect (Part 2), he revealed among other things an NSA-internal “Catalogue of spying technologies and products” they use against their targets. I had a feeling that I was in a dystopian spy novel - that all the conspiracy theories about what the NSA can do are true, and conspiracy theorists lacked the imagination to describe what is actually happening.

30C3 entrance, photo by Blinkenarea.org Photo credit: Blinkenarea.org CC-BY-SA-3.0

Sooner last year, we learned that the NSA is intercepting most of the major Internet services and companies such as Gmail, Yahoo, Microsoft and so on. Some of these parties clearly cooperated with the NSA, in some cases they easily intercepted Internet traffic or traffic between data centers of the company. Many mobile operators had to abandon any hope for the privacy of its customers under a court order, issued by a secret court, which is not under public scrutiny.

]Jacob Appelbaum presented other documents leaked by Snowden) that describe, among other things that the NSA can install malware in the BIOS or in the firmware of your hard drive (such malware survives a full reinstallation of the operating system). In cooperation with the U.S. National Institute of Standards and Technology (NIST), they influenced standardization process and approved a random number generator algorithm that had a NSA backdoor built in. Anyone who wants to sell products that comply with FIPS (a federal security standard) had to implement this algorithm. Some companies, such as RSA used it for several months as a default random number generator in some of their products. RSA was blamed that they were “bribed” by the NSA to have this default setting, which caused several security researchers to boycott the RSA Security Conference and withdraw their papers. The backdoor means that there’s a secret to this algorithm, which allows NSA to predict the numbers generated by the algorithm and guess private encryption keys that were generated using this algorithm. Aris Adamantiadis showed a proof of concept how this backdoor can be used.

A lot of people thought that NSA is passive during their mass surveillance operation. Although the majority of interception points probably cannot really change the data, another of the NSA program called Quantum Insert “solves” this problem. The NSA controls an unspecified number of routers around the world (including home routers) which allows them to “insert” data into an existing TCP connection. This tool is used to infect the computers with their “uninstallable” spying malware. They can infect a software package you are downloading from the Internet. It is time to start verifying digital signatures of software downloads (and use HTTPS everywhere)…

The NSA also has a special program for installation of hardware “backdoors”, which are installed into notebooks and servers between the time they leave the factory and come to you. They are intercepted during transport and modified to include a hardware backdoor. Of course, I would suspect the NSA to use this technique for really interesting targets, not as a general surveillance tool, but still: This really seems like a story from a bad spy novel, but it seems it’s a reality.

ATMs, beware!

NSA is not the only bad guy in the world. Researchers described a special kind of malware that has been found in several infected ATMs. The criminal organization that created it used it to steal bank notes. The method of installation was relatively simple – the thieves cut out a hole in plastic and inserted their own USB key. Then they forced the ATM to reboot from the USB key. When the machine has been infected, they could gain access to a special menu by entering a short secret code on the keypad. This enabled them to see the number of bank notes in each cassette inside the ATM.

When they wanted to steal the content of one or more cassettes, they had to call “the headquarters” of the organization and say a unique challenge code displayed on the ATM screen. Using a challenge-response algorithm, the HQ told them a unique answer code for withdrawal. This made sure that the headquarters knew who steals from the ATMs and how much.

The malware is actively developed and reminds me of a bitter taste of the old joke about the pickaxe hackers who “hack” the ATMs.

30C3 lounge, photo by Moritz Petersen 30C3 Lounge, photo credit: Moritz Petersen CC-BY-SA-3.0

The Year In Crypto

A follow up to the last year’s talk on developments in cryptography suggests that Dan J. Bernstein, Nadia Heninger and Tanja Lange started another tradition. And I like it. In “The Year in Crypto” they describe what happened in the field of cryptography. In addition to backdoors in algorithms, they mentioned problems with TLS, random number generators, etc. We learned about the upcoming “cryptocalypse”, which is very likely to be caused by the arrival of quantum computers. At least NSA is trying to build one, and its goal is to break ciphers. What ciphers should be used after some of us upgrade our old Pentiums to quantum computers? Check the recording of this talk online.

We must also praise Google for introducing Perfect Forward Secrecy in their HTTPS configuration and the introduction of encryption between their data centers. We do not know if Google willingly cooperated with the NSA, what we do know is that they are trying to make it more and more difficult for others to spy on the traffic between their servers and their users.

Perfect Forward Secrecy ensures that even if HTTPS private keys of servers are compromised, this does not allow the attacker to decrypt previously recorded sessions. The keys are used to verify the identity, and the exchange of encryption keys is done by separate instance of asymmetric key exchange algorithm (ECDSA or DSA). In practice, this means that if anyone gets the private key and also has a huge worldwide interception network, they must actively attack each connection (using the so-called man in the middle attack), passive listening is not enough. Do you think that such an organization does not exist? According to the available information, an e-mail provider Lavabit was forced to disclose their server’s private keys by a secret court order. And coincidentally, the NSA has a worldwide eavesdropping network. I believe that perfect forward secrecy will make it difficult to do untargeted mass interception of innocent people…

Knock, knock, internet!

For a couple of geeks like me, it is important to know how many computers on the Internet are live, whether they use encryption and whether they have up to date software. And some of us have dreamed of doing an internet-wide scan to seek answers to their weird geeky questions. Zakir Durumeric of the University of Michigan and his team are the ones who woke up and made their dream a reality. They wrote a scanner that can do an internet-wide scan in a matter of hours. In this way, they were able to collect SSL certificates used online and evaluate how many of them use compromised keys. Also, they were able to determine how many computers have vulnerable implementations of UPnP or IPMI. The results can be found in this talk, or on zmap.io, but if you have any illusions about Internet security, I recommend breathing deeply before watching the lecture…

Journalists & whistleblowers

In addition to technical issues, freedom and politics were main issues. The keynote was presented by Glen Greenwald, an independent journalist who publishes Edward Snowden leaks. He talked about the right to privacy and huge impact of the surveillance state. From WikiLeaks, we could hear Julian Assange (who unfortunately had a crappy video connection – he still cannot leave the Ecuadorian embassy in London) and Sarah Harrison, who according to WikiLeaks saved the life of Edward Snowden when he had to leave Hong Kong suddenly.

Malware in your SIM card

Karsten Nohl presented new attacks that target SIM cards. The GSM mobile phones have many more processors than most of us think. The main ones are the baseband chip, which handles communication with the mobile network (and attacks on it were presented in another talk), application chip (that’s the one that runs the applications and the operating system with which users interact) and SIM card – yes, the SIM card itself can also run stored programs. SIM card can detect your location, turn on your microphone, send data and SMS, etc…

Karsten Nohl presented another attack, which can be used to install spyware (or any other code) to the SIM card. It can, for example, turn on the microphone and call a toll-free number or regularly send your physical location to the attacker.

By saying “presented” I mean that he showed the attack live on stage using fake GSM network and a phone which he infected on stage. So this is not a weird academic paper, but a very practical reality. This type of attack is undetectable by the user. Enforcing encryption can prevent the attack. For this reason, Karsten released GSM Map which maps various security parameters of GSM operators around the world.

It’s no surprise that this “new” attack that was presented at the conference was already being used by the NSA at least since 2008. However, just in case the NSA does not have direct access to the mobile operator, their mercenary hackers simply break in, as one Belgian GSM operator experienced on their own. Who knows what other networks are hacked by the NSA (or other countries, which have no Edward Snowden yet, but still have huge spying and hacking programs).

Satellite antenna in the backyard

Travis Godspeed presented a project of a satellite antenna, which he built in his backyard. He can track satellites in low earth orbit and record what they transmit. Unlike the satellites in geostationary orbit, these are moving around and the antenna has to be rotated to follow the satellite. At first we envied the amount of free time Travis had, but I have to admit I would love to play with such a thing that not many people can have hands-on experience with.

Bitcoin Trezor

In 2013, Bitcoin – a decentralized alternative currency – gained even more popularity, the exchange rate (or value) increased, and more general acceptance followed. Unfortunately, the Congress did not follow this trend – you could not buy tickets with Bitcoins, pay for food or T-Shirts. Some hackerspaces accepted it, and you could use it to pay for some nerdy stuff like electronics kits, etc.

The only Bitcoin-related talk was by my friend Pavol Rusnák, who presented his project Bitcoin Trezor. It allows secure storage of Bitcoins even when your computer can be infected with malware. If you have any Bitcoins, I recommend looking at this project. Many people got infected or hacked, and their Bitcoins were stolen.

Ztohoven

Czech art group Ztohoven (with my help) presented its three projects - Media Reality (atomic mushroom in a live broadcast of Czech public television), Citizen K. (exchange of identities) and Moral Reform - drama for parliament, government, the president and journalists. Watch it, it’s cool!

The Venue

Hacking is not just playing with computers or soldering iron. The lounge presented bands that are close to the hacker culture. On the top floor, there were several places where you could prepare coffee in different ways (for example you could use the bike-powered grinder). If you wanted to communicate with someone, it was possible to use the internal telephone network. However, if by communication you rather mean a message in a bottle, you could use pneumatic tube mail that was all in and around the building.

Check it out:

Conclusion

Chaos Communication Congress has traditionally been the place to meet hackers, artists, cryptology and security experts and developers. All lectures are streamed live, so in addition to the direct participants, there were hundreds of people watching around the world, mainly from hackerspaces that organized viewing parties. If you missed the opportunity to see the presentations live, recordings are available. I hope you could join us next year, it’s a remarkable experience.

Migrating From iPhone to Android 4.4 (Nexus 5) - the Geeky Review

For the past few years, I have been an iPhone user. At first I was jailbreaking, that got frustrating pretty soon, so I forgot about phone freedom, which for me means I can install any app I want, not any app that Steve or any other guy (however nice) approves of.

I mainly missed a Bitcoin wallet, a good PGP implementation, encrypted folders. So I bought a Nexus 5 and quickly got introduced to the world of Android.

The good:

  • I can easily install any app I want. That includes a Bitcoin wallet (I use Mycelium), Tripglasses :) and Fon (which can automatically log me into free wifi hotspots when I’m around)
  • Most apps I used have a good Android version or there’s a good alternative. The most difficult thing to migrate was GTD/to-do list app called Things, which I really enjoyed. Thankfully, I have found an alternative called doit.im, which is subscription-based ($20 for a year if you want a desktop app; otherwise it’s free as in beer). I have migrated while still on iPhone, and the device support of the app is just amazing. It also has all the features from Things I used and some more. There are some things in the GUI that are not so optimal, but I am very satisfied.
  • All the geeky stuff is there. I switched from Acrobits Softphone to csipsimple for encrypted calls. I also installed RedPhone. The first guy I called had it installed, so it switched the call to encrypted automatically. No hacking needed! It has encrypted filesystems, mail client with PGP and S/MIME support, SSH shell, terminal access. Llama can do things based on my location (like switch on ringtones when I leave home). It does not use the GPS; only cell tower IDs (it has to learn them), so it does not eat battery nor send my location to Google.
  • It is fast. I switched from Dalvik to ART runtime, which compiles the application during the first boot (or when they are installed). That makes it even faster!
  • Apps run in the background without hassle. Threema downloads my messages.
  • I can change my ringtones without hacking. I can upload and download music to a folder using any app I want, not just iTunes. I can listen to FLAC music.
  • The home screen widgets are fun. It’s very useful to see my agenda, browse the to-do list, etc.
  • SwiftKey - guys, this is amazing! The best way to type on a phone ever. It works in both English and Slovak at the same time, and it makes me want to type blogs on my phone. OK, not really, but it is so convenient. And it shows that on Android, you are free to change default keyboard, which Apple does not allow you to do because they know what’s best for you. Also, Google voice dictation works both for Slovak and English and is much better than Siri for English (I have to admit I am working a little bit on my accent, but we tried with really heavy eastern European accent at work). And the assistant activates by saying OK Google - how cool is that? :). Of course, there are privacy concerns, but for setting alarms at night, it’s very convenient.
  • All the apps show you what kind of permissions they want before they are installed. The system enforces those permissions. There are also firewalls, antivirus and anonymization programs, although iPhone has Onion Browser as well.
  • The notification LED is cool - it can change color based on how you configure it, and you see if you have a message, missed call or any other significant event occurred. It does not reveal any sensitive information; it’s just a blinking LED.

The bad parts of migration from iPhone:

  • iTunes backups to my Mac (not to cloud) took me a minute to set up, and they would just work. I could set up encrypted backups, and I would have a recent backup over wifi without needing to do anything. If I don’t want to send my data to Google, I need a third party solution. I use Titanium Backup, but hell the UI looks worse than our internal information system :). It also needs to backup to my local internal ROM and then it can upload (encrypted, which is good) to Dropbox or Box.com. I don’t need the backup on my phone; I need it somewhere - safe and encrypted, without me ever touching a button. I don’t want to do manual backups through USB. And I don’t want my backups to waste precious space on my phone.
  • I use r2mail2, because I use both S/MIME (I would not be able to read any work related e-mail without it) and PGP. The user interface is really not so nice if you are used to Apple Mail client - and that needs an improvement. To be fair, there are different e-mail clients that support S/MIME, r2mail2 is just the only one that support both S/MIME and PGP (both inline and PGP/MIME). So I am gaining functionality I did not have on iPhone at the expense of a worse GUI. Hopefully it will stop me from replying to e-mails from my phone, and I will enjoy life around me more :)
  • I had to buy a few apps even when I have Android versions. Evernote just used my premium account, so that’s fine. I have not decided for navigation yet, but I guess I’ll buy Sygic because it’s the cheapest option with offline maps and navigation (there are pretty cool OpenStreetMaps based offline maps, but they don’t support search and offline directions).
  • On iPhone, I really hated that simple apps like calculators, rulers and flashlights were not free or displayed ads. Seems that Android is not so much different, but there are at least more options usually. I learned about a nice flashlight app that traced your location. Thankfully, I found one flashlight that is both free as in beer and free of spyware called SearchLight. I was actually seeing myself installing the fresh new IDEA-based Android SDK and writing the app that turns on the camera flash myself.

Things I would like to see in the future:

  • Amazing e-mail client
  • OK Google dictation
  • More Bitcoin and encryption apps
  • Smaller phone (although the display is nice)
  • Finally a phone that lasts for days on battery. I know the old Nokias didn’t do much, but one week battery life was cool!

Right now I am happy Android user. I am learning new stuff, and I will probably not hack the phone as a total geek, it’s good to customize the device that travels with you.

Update: PowerToggles deserves a very honorable mention as well, landed on my home screen.

Interview With Me About Bitcoin and Other Virtual Currencies

There was an interview with me on a Slovak web about money and I decided to translate it to English (and do a few minor edits). Enjoy!

Is Bitcoin a pyramid scheme? Certainly not, is more like gold. Juraj Bednar talks about the most popular virtual currency in the world.

Mining and buying are two ways of getting Bitcoin. What is the difference?

Regarding Bitcoin mining, we can use an analogy to gold. Mining is a very difficult process and currently makes use of specialized hardware developed only for this purpose. As with gold, most people who want to get gold (and Bitcoin) buy it on the market instead of mining it. Mining gold from nature means people need specialized machines to mine gold. They also need a lot of knowledge - like the location of good mining spots.

Is it better to mine or to purchase Bitcoins?

Mining is required to secure the Bitcoin network, and you need to realize that there are only 25 Bitcoins mined every ten minutes in the whole network. Miners compete to get these 25 Bitcoins. I guess for all normal Bitcoin users, mining is irrelevant and too difficult.

Aren’t the “first miners” in advantage?

Again the analogy with gold: Those who have mined it first were in advantage, because it was much easier to find new gold then than it is now. With Bitcoin mining, there was always a risk - no one knew if Bitcoin would take off and have any value at all. First miners are rewarding for taking this risk and investing in mining infrastructure.

Isn’t it a bit of like a pyramid scheme? Who got in first has earned the highest profit…

Unlike pyramid schemes, there is one crucial difference - no one ever promised profit on Bitcoin. A pyramid scheme is based on the fact that those who join it first earn profit at the expense of those who came later, despite promises that they all earn profit. There is and never was such promise with Bitcoin - it is, and it was risky all the time. Bitcoin was invented as a new medium of exchange, not as a quick way to get rich.

Even so, a lot of people buy it hoping to get rich…

You should be aware that Bitcoin itself is not an investment. It does not create anything new; it is just a medium of exchange. One can make a profit if one is willing to take a chance and “bet” on the future value of Bitcoin. It is also possible that the value crashes and you end up with a loss.

It is important to note that speculations are very beneficial for the market because, in the long term, they stabilize prices. And it is not just earning, it is risk-taking with a possible downside. At the same time, people who started using it first took the risk, popularized it and built the necessary infrastructure around it. In my opinion, they deserve a reward.

Why has Bitcoin become the most popular virtual currency right now?

Because it was the first fully decentralized virtual currency. Technologically it is something new, the authors of this currency invented some really unique solutions to previously unsolvable problems. At the same time, during the financial crisis, people at least for a moment lost their illusions about the stability of the international financial system based on government fiat money and welcomed an alternative. Alternative currencies have existed in the past - for example e-gold based on gold, but all were centralized. This was also their main problem if they have not crashed before that because of inflation or poor acceptance (especially true for so-called local currencies).

Which of virtual currencies do you think are the most interesting right now?

Currently, I think that the most promising is still Bitcoin because it is the largest and most widely accepted. If anything is to become a universal medium of exchange, liquidity is the most important parameter, i.e. for what it can be exchanged. Bitcoin is still too small, especially compared to credit cards, but all other decentralized virtual currencies are only a small fraction of the Bitcoin economy.

There are more than 40 of such currencies on the market…

Other currencies are not so popular because they did not bring much new. Most of the differences are cosmetic and do not bring anything fundamentally new to the user. The best technological innovations currently are ZeroCoin, which brings anonymity on top of Bitcoin and proof-of-stake mining, which gives more power to holders of the currency (in addition to miners). For example, TerraCoin implements this. It is a little bit more ecological because the creating new blocks can be done also without power-hungry calculations. I want to state again that mining is not an end in itself, but it helps to maintain network security.

Bitcoin is relatively new - it is from 2009. Are there any predecessors?

Several attempts have been made to create virtual currency. The ideological predecessor of Bitcoin was probably Hashcash, which was not a currency in itself; it was a system designed to fight spam. It used similar calculations as Bitcoin to increase the price of sending an e-mail. If you wanted to send an e-mail, you had a computer perform calculations similar to mining - if a person wanted to send one e-mail, it took a few seconds. If a person wanted to send millions of e-mails, it would take too long, and it would cost a lot of computing power and electricity. Verification of the calculation (as with Bitcoin) is simple and takes very short time. The second system was the forerunner of Bitcoin called Bit Gold, authored by Nick Szabo. It has a lot of characteristics similar to Bitcoin and many people believe that the author of Bitcoin who hides behind the pseudonym Satoshi Nakamoto is Nick Szabo.

Bitcoin is currently worth about a thousand dollars. Is it also suitable for smaller payments?

High value of Bitcoin is certainly not a problem. What you know as Bitcoin is a hundred million pieces of units called Satoshi. When you send a Bitcoin, in fact, send a hundred million Satoshi. The authors of Bitcoin knew about the possibility that the price of Bitcoin would rise. I have changed my wallet to display balances in millibitcoins (one Bitcoin equals 1000 mBTC), and I know that 100mBTC is about $100 as of time of this writing. Bitcoin is also suitable for sending small transactions.

Is it possible to steal or fake Bitcoins?

It is currently not possible to create fake Bitcoins, but it is possible to steal them - your Bitcoins are stored on your computer in your wallet - an encrypted file with a “private key”. The easiest way of stealing it is infecting your computer with a virus that waits until you enter the decryption password for your wallet and at that moment, it transfers all Bitcoins to the thief’s address. When using Bitcoins, you need to follow all safety precautions as with any other electronic payments. There are several solutions to the security problem. You can use an offline wallet, when transactions are created on a computer that does not have the necessary private keys to sign it, and then sign it on another computer that is not connected to the Internet and is sufficiently secured against theft. I would also like to mention Bitcoin Trezor, which is a good solution for securing your Bitcoins.

What about legislation? Does it treat Bitcoin as private property?

I hope that every theft is illegal, and legislation sees Bitcoin as an asset, but it is a question for lawyers (and the answer would probably differ among countries). Even more interesting question is if the police can actually do something about the theft. Like ten years ago, the Internet was something completely unknown for police and justice systems in most countries. I do not believe that our police would be able to investigate the theft of Bitcoins or do something about it. By design, Bitcoin transactions are irreversible and relatively anonymous. The investigation and correction would be tough even for experienced security professionals. I recommend that you think deeply about security if you hold a significant amount of Bitcoins.

Avoid News

If you have an intellectual minute, read Avoid news by Rolf Dobelli

I highly agree. I have not watched TV for years now (we don’t have a subscription and I did not bother installing an antenna) and I’ve been practicing a healthy news diet for more than a year now. It really helps, especially with focus. The justifications in the article are sound, and I highly agree with this article. Nothing important passed my attention - someone always tells me. I am sometimes in an awkward situation when I don’t know that our country’s president said something stupid again, but I am actually proud of it.

I try to learn more about internal structures of the world by reading books. I add to the suggested diet by reading books which I know I won’t agree with to challenge what I believe. I also try to talk to people with opinions highly different than mine.

Also read this article by N. N. Taleb which explains why noise explodes faster than data (and thus why you should read less news, not more). Warning: equations ahead! :)

If you are trying to replace news with some really interesting reading, I highly suggest Taleb’s Antifragile and Dobelli’s The Art of Thinking Clearly. Both are both interesting and very valuable. They will both also improve your life, not only stimulate your intellect.

What do you think?

OHM2013 - Hackers Are Camping

OHM2013

The evocative video made by conference organizer tried to convince the audience that the hacker campgrounds are a Dutch tradition - as well as tulips, windmills, Gouda cheese and wooden shoes. Since 1989, every four years hackers gather in a traditional Dutch style campsite. Imagine a large music festival, substitute concerts with tech lectures and replace a variety of food stalls with tents of various hackerspaces, makerspaces and projects. At night, the camp turns into a twinkling city in which hackers want to prove that the image of the hacker as an intellectual loner is pure cliché.

Our group starts arriving to Amsterdam a few days early group by group. We all want to see the other Dutch traditions - Red Light District, have a beer at the windmill and go cycling. Many of us opt for a bicycle trip from the nearest station to the campground. We were welcomed by a typical Dutch weather and arrive completely wet, but happy. Trying to dry at the Progressbar, Laila, the chief decorator of our camp tent is already sticking posters to the wall. Others build up tents - inside the main tent which is the headquarters of Czech-Slovak village. Geography is maintained at least relatively because a short walk from our village is HQ and campsite of Metalab, Vienna. Their typical telephone booth is connected to the OHM2013 phone network. Brmlab from Prague is a bit further but still close.

Unofficial, but apparently the main theme of OHM2013 is the apparent asymmetry between the human desire for privacy and large organizations – headed by the NSA and the largest social networks and portals, who have other plans with the “private” data. Proclaimed objective of NSA is to protect the public against terrorist attacks, although the facts show a significantly different story. According to the latest information, NSA-caught personal communication is distributed to DEA for minor drug investigations as well. The aim of “technology” giants like Google, Facebook and Yahoo is to serve their customers - the advertisers. In this way, they can raise prices and allow better ad targeting. People are starting to realize that for these companies, we are not the customers, but the product. Julian Assange spoke about this from his “asylum” in the Ecuadorian Embassy in London via Skype. Jérémie Zimmermann, founder of La Quadrature du Net, a European organization that is fighting for the right to privacy of users said, “Julian, I really wish that you could be here with us. It’s beautiful here, there are lots of blinking lights at night. We miss you.” The atmosphere was nostalgic, just four years ago he gave one of the major speeches on his project Wikileaks at this same event. Julian Assange did not say much, but one new thing we did learn - according to him, the states are not forcing companies to send data to their secret organizations and companies are fighting, but ultimately giving up. Technology giants and NSA are in the same bed. As an example, he mentioned a visit from Eric Schmidt of Google, who came up with several representatives of state power.

OHM2013 by night

The so-called “Spook Panel”, which consisted of former agents and contractors of NSA, CIA, MI5 and American Department of Justice, explained to us how the surveillance system works. There is a great deal of exchange of information between the agencies. Since the NSA cannot eavesdrop on Americans officially, they simply outsource this part of activities to their partners, who in exchange receive information that are captured by the U.S. probes. Analyst at the agency sees target’s e-mails, conversations on social networks, browsing history, metadata about phone calls (date, time of call and dialed number), or SWIFT transfers and card transactions. Whenever the analyst tries to get the information, they must provide written justification, however, although it is archived, nobody reads it.

In addition to political issues, there were also purely technical issues. Philippe Langlois started a popular topic of hackers - hacking telecommunications infrastructure. Telecommunications market is known for its closeness and overcomplicated solutions and protocols. It is a popular target for hackers because closed complex systems usually involve a lot of vulnerabilities. Phillipe’s lecture was about Home Location Registry of cellphone operators. HLR is a central database of users and information about them. Each access to the network by the user, whether at home or from a roaming network is verified by this system. It contains most sensitive data operator knows about its users. And it’s almost always a huge, complex system covered with the various old components. It is no wonder that finding security holes is not that difficult. But no one would forget to protect such systems with firewall and certainly no one would ever put them out on the Internet, to be reachable by anyone, right? Not really - several mobile operators with millions of active users have put the most important system they own out on the Internet.

Karsten Nohl continued his series of mobile technology hacks and this time he focused on the SIM card. He found a vulnerability in firmware signing of several SIM cards, which allows complete remote cloning, locating the user or calling the attacker-chosen phone number at any time. Effectively this way an attacker can transform a phone with a SIM card to a surveillance bug, which intercepts not only what you say, but also where you are. Some mobile operators stated that their SIM cards are not vulnerable - at least our SIM cards were OK. But you should be aware that mobile phone operators change their SIM card technology, and while the newest cards may not be vulnerable, when was the last time you actually changed the SIM card?

Like at other hacker camps, what is happening outside of the official program is usually much more fun and interesting. Workshops, technology demonstrations and dance floors gave us perhaps more than mere lectures. Opportunity to meet interesting people from different fields of science, technology and art is almost priceless. And the biggest surprise? Flying ostrich. Do you say that ostriches do not fly? That is true, but not at hacker camps, where they replace their inside with an engine and add few rotors on top. And voilà, the ostrich can fly. I saw it with my own eyes.

Stuck Bitcoin Transaction and Play With Double-spend

A few days ago I was sending my friend a payment of 1.2 BTC. My account had only slightly more than this amount available, not even enough for recommended transaction fee. Instead of borrowing or waiting for a miner to generate more, I decided I would push a transaction with a much smaller fee to the network and hope it gets confirmed in under a day. It did not happen. According to Bitcoin wiki, a transaction needs to pay the recommended fee unless all outputs are more than 0.1 BTC and few other conditions. I did not meet this condition, because I had one 1.2 BTC output and one change which was smaller than transaction fee. It was stuck there for more than a day, my mining pool paid me, so I decided I want to just cancel this transaction and create a new one with a proper fee. Easier said than done :).

I use Electrum as a client - it is much better than stock Bitcoin client and there’s a nice console. I was able to extract the transaction and try to modify it to include the fee. The interface is not so nice, or at least I am too lame. I got the transaction as a JSON structure from Wallet object by transaction hash. I was not able to easily create a different transaction without going through manually finding keys to sign.

mktx does not work, because I don’t have enough unspent outputs (same as paying from the GUI).

createrawtransaction is something I managed to do, but then for signing, I would need a list of private keys, addresses and scripts. My transaction had more than 10 inputs and I was too lazy to find which keys belonged to the other addresses (and if it’s possible to do it programatically, there should be a function to do it - I guess that’s what mktx does internally too). I guess it should work with less parameters per documentation, but the console call insisted I fill all the parameters.

I found out a very lame and easy solution. I thought if Electrum does not see the old transaction, it can spend the inputs again. So I changed wallet.py. There’s a function called update_tx_outputs that takes a tx_hash and updates a list of spent outputs. I modified it like this:

1
2
3
4
def update_tx_outputs(self, tx_hash):
    if tx_hash == '00455149b368344f4087596c97dccf9dc185ed275a58187a63f72399618f815d': return
    tx = self.transactions.get(tx_hash)
    ...

So if my transaction (the hash is from other stuck transaction I found online) is found, it’s skipped, so Electrum thinks the outputs are not spent.

I thought I would just pay, but the transaction got refused by Electrum server, because it thought it’s a double spend (which was correct). So I used mktx and used Coinb.in’s wonderful Raw Transaction utilities to broadcast the hash to the network. It also returned that the transaction is invalid, but it propagated anyway and a miner included it in a block.

I found out that blockchain.info reports on attempts to double spend when I look at a transaction or address and recommends you proceed with caution.

Takeaways: Pay the transaction fee, really. Nodes try to refuse double spends (they cache stuck transactions), but the transaction eventually propagates. Electrum could have much nicer Python interface for things.

I guess Amir’s sx command-line utility would make my life much easier, but I had no time to upgrade my g++ toolchain, it does not compile on any system I own. Installing Ubuntu or ArchLinux just because I want to play with it takes a lot of time. I tried fixing a few of the main problems of libbitcoin not compiling on OS X, but I had no more time doing it. I would love to use sx with OS X or Scientific Linux someday. Playing with Electrum and it’s internals is fun too though.