Category Archives: Privacy & security

Bitcoin Wallet Reviews: What’s the Best Hardware Wallet on the Market? Part 2

This hardware bitcoin wallet review tests the simplicity, software, verification, unique features and privacy of the Trezor Model T, Ledger Nano X, KeepKey, BitBox02 and Coldcard Mk3.

The post Bitcoin Wallet Reviews: What’s the Best Hardware Wallet on the Market? Part 2 appeared first on Bitcoin Magazine.

Binance Hacked for $40M, CEO Backpedals on Recoup Via Block Reorganization


Chinese crypto exchange Binance suffered a major hack on Tuesday, which the company’s CEO responded to by proposing a rollback of the Bitcoin blockchain to rectify — a suggestion that riled up the community.

The company formally notified the public via an announcement on the evening of May 7, 2019, claiming that the hackers had employed a diverse range of tactics from outright viruses to social engineering techniques such as phishing scams. In addition to gaining access to other sensitive information, Binance also admitted that a single transaction sapped 7,000 bitcoins from Binance’s wallet, roughly 2 percent of the company’s entire BTC holdings.

“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that,” the announcement reads.

Binance will use reserves from its Secure Assets Fund for Users (SAFU fund) to compensate clients, noting “[n]o user funds will be affected.” Trading is continuing uninhibited, but Binance has suspended deposits and withdrawals for the time being.

Later that same evening, Binance CEO Changpeng Zhao insinuated that he was considering a scheme proposed by Bitcoin Core contributor Jeremy Rubin to reorganize the Bitcoin blockchain to rewrite the hack. Ultimately, he backpedaled from this idea after deliberating with industry leaders like Bitmain’s Jihan Wu, saying that such a move “may damage credibility of BTC” and/or “cause a split in both the bitcoin network and community.”

After speaking with various parties, including @JeremyRubin, @_prestwich, @bcmakes, @hasufl, @JihanWu and others, we decided NOT to pursue the re-org approach. Considerations being:

— CZ Binance (@cz_binance) May 8, 2019

Such a rollback scheme would be an incredibly ambitious undertaking. The most feasible plan would entail Binance sending its own 7,000 BTC transaction from the hacked address to another one that it owns with a hefty fee. With a substantial enough fee, miners would be incentivized to let Binance spend the 7,000 BTC it does have, reorganizing the blockchain’s transaction history to include this transaction in the ledger (miners would need a large fee to justify nullifying the block rewards they received since the hack). In this double-spend scenario, miners would forge an alternate chain, though this chain split would resolve itself once the chain became longer than the old one and all nodes accepted it.

Nevertheless, such a plan could have serious repercussions for the crypto asset space. Such a reorganization could shake user confidence in bitcoin’s immutability, possibly having an adverse effect on the price and reducing miners’ incentive to participate in the scheme. Participating in the rollback, after all, also carries opportunity costs. Zhao went back onto Twitter on the morning of May 8 to reiterate that the idea had some possible applications but, overall, was not worth the risks and would not be considered any further. Other critics of the proposal mentioned that, alongside being potentially hazardous to the network’s reputation, such a move is technically difficult and extremely unlikely.

a re-org is just not happening https://t.co/rTey7KU590, but if something like it did get started somehow in the future, many would support actions to reject it, UASF style. finality matters. I think cycles should be put into tested code to make ecosystem rejection of re-orgs easy

— Adam Back (@adam3us) May 8, 2019

This article originally appeared on Bitcoin Magazine.

PayPal Wins Patent for Ransomware Detection Solution


Global payment processing platform PayPal has been awarded a patent for a technique that can help with the timely detection and reduction of ransomware attacks. Ransomware is a form of malware that takes over the victim’s computer, locks up the files therein and demands a ransom before the files can be accessed again — often to be paid in cryptocurrency.

“Frequently, the malicious party will demand that the user pay him some amount of anonymous crypto-currency (e.g., BitCoin) in order to have the user’s files decrypted so that they are accessible again,” per the description of PayPal’s patent, which was filed with the United States Patent and Trademark Office almost three years ago and was awarded on April 16, 2019. “If the user does not pay, then the files may remain encrypted and inaccessible.”

The patent details how the company, and by extension computer users, can detect and prevent ransomware from locking up certain files with the use of existing system data.

The technique will distinguish between two pieces of content loaded in the cache of a computer system, comparing the two to determine if a version has been altered and encrypted. If this is found to be true, the version that is yet to be altered will be prevented from being deleted by the ransomware. Essentially, it will see to it that the original content is still accessible, even if the ransomware has affected the altered version.

“By detecting that ransomware is operating on a computer (e.g., by correlating between the original data and content in different cache layers), the negative effects of the ransomware may be mitigated or avoided,” according to the patent abstract.
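A sketch of the comparison described above, as an added example that is not taken from PayPal's patent: a guard keeps the cached original, compares each rewrite against it, and refuses to delete the original when the rewrite looks encrypted. The article does not say how "encrypted" is decided, so the Shannon-entropy test, both thresholds, the `OriginalGuard` class and all sample data are assumptions.

```python
import hashlib
import math
from collections import Counter

ENTROPY_HIGH = 7.5  # bits per byte; assumed threshold for "looks encrypted"
MIN_JUMP = 1.0      # assumed minimum entropy increase over the original


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_rewrite(original: bytes, rewritten: bytes) -> str:
    """Compare the cached original with the version about to replace it."""
    if original == rewritten:
        return "unchanged"
    before, after = shannon_entropy(original), shannon_entropy(rewritten)
    if after >= ENTROPY_HIGH and after - before >= MIN_JUMP:
        return "suspicious"      # low-entropy content became random-looking
    if before >= ENTROPY_HIGH and after >= ENTROPY_HIGH:
        return "inconclusive"    # already compressed or encrypted beforehand
    return "benign"


class OriginalGuard:
    """Hypothetical cache layer that pins originals of suspicious rewrites."""

    def __init__(self):
        self.originals = {}
        self.pinned = set()

    def cache_original(self, path: str, content: bytes) -> None:
        self.originals[path] = content

    def on_rewrite(self, path: str, new_content: bytes) -> str:
        verdict = classify_rewrite(self.originals[path], new_content)
        if verdict == "suspicious":
            self.pinned.add(path)                 # keep the unaltered version
        elif verdict == "benign":
            self.originals[path] = new_content    # ordinary edit: new baseline
        return verdict

    def request_delete_original(self, path: str) -> bool:
        """Return False (deletion refused) while the original is pinned."""
        if path in self.pinned:
            return False
        self.originals.pop(path, None)
        return True


def keystream(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 run in counter mode."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def demo() -> dict:
    # Constructed sample data: a text document and an already-compressed file.
    doc = b"Invoice 2019-04: net 30 days, remit to accounts payable.\n" * 80
    edited = doc.replace(b"net 30", b"net 45")
    guard = OriginalGuard()
    guard.cache_original("report.txt", doc)
    guard.cache_original("backup.zip", keystream(b"archive", 4096))
    result = {
        "edit": guard.on_rewrite("report.txt", edited),
        "encrypt": guard.on_rewrite("report.txt", keystream(b"k", len(doc))),
        "delete_allowed": guard.request_delete_original("report.txt"),
        "recoverable": guard.originals.get("report.txt") == edited,
        "archive": guard.on_rewrite("backup.zip", keystream(b"other", 4096)),
    }
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `inconclusive` branch is the edge case that entropy alone cannot settle: content that was already compressed or encrypted looks the same before and after, so a real detector would need a second signal there.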

Ransomware attacks have become increasingly frequent with devastating effects. The inability to access valuable data is particularly detrimental to large companies.

A report from RT noted the steps that major corporations have been taking to prepare for the occurrence of ransomware attacks. Attackers have been known to demand bitcoin payments in exchange for the release of their locked data due to the perceived anonymous nature of crypto transactions. RT reported that, due to this trend, companies have been silently piling up BTC to ensure that they can make these payments in the event of a ransomware attack.

This article originally appeared on Bitcoin Magazine.

Wikileaks Founder Julian Assange Arrested in London, Site’s Bitcoin Donations Spike


Julian Assange, co-founder of Wikileaks and early Bitcoin supporter, was arrested at the Ecuadorian Embassy in London and faces extradition to the U.S. on conspiracy charges.

Having spent the last seven years seeking asylum in the embassy, Assange has at last lost the support of the Ecuadorian government. He was arrested on April 11, 2019, for failing to appear in British courts. He originally went into hiding due to a Swedish arrest warrant over allegations of sexual assault completely unrelated to his involvement with Wikileaks; these charges have since been dropped altogether. Nevertheless, the British government has sought his arrest for failing to appear in court for these charges.

The elephant in the room for this prosecution is the involvement of the U.S. federal government. Pursuing him with only a single charge of conspiracy to commit computer hacking, law enforcement has made apprehending him a consistent priority as part of a campaign against Wikileaks’ whistleblowers on the War on Terror.

Wikileaks and Bitcoin

Assange has been a longtime supporter of the Bitcoin community for its ability to circumvent international crackdowns of this nature. After PayPal joined U.S. and Swiss-based banks in banning users from sending donations to Wikileaks, Assange began accepting bitcoin donations as the primary mode of funding in 2011. Wikileaks became one of the first major institutions to accept the payment method, bringing international press coverage to the fledgling crypto community.

Since then, Wikileaks has gone on to accept a gigantic amount of bitcoin over the years. In 2016, the site’s public donation address reached the milestone of a whopping 4,000 bitcoins, a sum worth millions of dollars. Even as Coinbase cut off support to Wikileaks’ online shop in 2018, the site continues to process sales and receive donations in bitcoin.

With the dogged persistence the U.S. government has shown in chasing Assange and other whistleblowers, his future upon extradition seems bleak. Chelsea Manning, the veteran who provided Assange with leaked evidence of U.S. war crimes, had her sentence commuted by U.S. President Obama. Nevertheless, she has been sent back to prison and was even condemned to solitary confinement for a month after refusing to testify against Assange in 2019.

Fellow whistleblower Edward Snowden, who has been in hiding in Russia for several years, called Assange’s arrest “a dark moment for press freedom.”

Assange’s arrest has already seen pushback from the crypto community, with the Wikileaks public address again seeing a large spike in bitcoin donations from a variety of sources. Nevertheless, his upcoming trial in the U.S. is all but certain.

If you would like to donate to Wikileaks’ mission, the organization’s cryptocurrency donation addresses can be found here.

This article originally appeared on Bitcoin Magazine.

VeriBlock’s Bitcoin-Backed Security Protocol Goes Live


After a year on its testnet, the VeriBlock blockchain went live yesterday on the Bitcoin mainnet, allowing exchanges, wallet providers, merchants and other crypto businesses to leverage Bitcoin’s robust blockchain security.

Now that it’s live on the mainnet, VeriBlock’s model extends the Bitcoin blockchain’s security protection from 51-percent attacks to non-Bitcoin blockchains by linking them to the Bitcoin blockchain, offering it as a security backstop.

How Does VeriBlock Work?

VeriBlock allows any blockchain to inherit the full proof-of-work security of Bitcoin using a novel consensus protocol — proof of proof — which records snapshots of any given blockchain and embeds them (in an aggregated form) in Bitcoin transactions, allowing the former to inherit the latter’s security characteristics.

These snapshots can be automatically referenced by the protocol in the event of a 51-percent attack to determine the correct chain. The presence of conflicting snapshots for a particular “altchain” triggers early attack detection (EAD) metrics, which warn users about the potential rewrite before they confirm the transaction and update them when the transaction is safe to accept.

VeriBlock uses OP_RETURN — a type of bitcoin transaction that is used for embedding data on the blockchain. It can be used for anything from proving the existence of some data at a specific point in time (proof of existence) to issuing new assets, all on top of the Bitcoin blockchain.

“A ‘regular’ Bitcoin transaction and one carrying a VeriBlock publication need not be mutually exclusive,” VeriBlock CTO Max Sanchez said. “It would be a relatively simple engineering matter to add an option in a Bitcoin wallet that said ‘Sending BTC? Secure the crypto-ecosystem with VeriBlock and subsidize your BTC transaction fee.’”

Does VeriBlock Create Problems for Bitcoin?

There have been estimates of the percentage of the Bitcoin blockspace used by VeriBlock that range from 20 percent of the network to as high as 45 percent. This may raise some concerns about how VeriBlock will affect the network.

“This was widely reported right before the VeriBlock testnet was phased out,” Sanchez said. “However, the effects of proof of proof on the Bitcoin network are actually very small … As demand for bitcoin transactions increases and users are willing to bid higher fees, the amount of space VeriBlock consumes in Bitcoin will shrink — the two economic forces result in an equilibrium.”

Sanchez also noted that VeriBlock’s solution offers security regardless of Bitcoin’s transaction frequency at a given time.

“The natural ebb-and-flow of VeriBlock transaction volume on Bitcoin does not affect the security characteristics of VeriBlock or VeriBlock-secured altchains, nor does it adversely affect Bitcoin,” he said.

Jameson Lopp, CTO of Casa, has been observing VeriBlock’s activity on Bitcoin’s testnet for over a year.

During an episode of the HSHR8 podcast on March 20, 2019, Lopp said that he doesn’t see the VeriBlock venture as an attack on the Bitcoin network, as some might, but he wondered about the economics of spending millions in fees to provide security.

“If you’re paying the fees to put it in the blockchain and you convince some miners to put it in, then there might be some economic rationality for this,” he said. Lopp also noted that he can see “the value of having a data anchor” for Bitcoin.

“We believe that VeriBlock elegantly expands Bitcoin’s usefulness and does so in a way that doesn’t result in a burden on the network,” VeriBlock CEO Justin Fisher told Bitcoin Magazine. “It drives demand for Bitcoin and also, in its own way, helps make Bitcoin more secure while maximizing the utility derived from Bitcoin’s energy consumption.”

In an announcement on March 25, 2019, Matt Roszak, Bloq co-founder; Anthony di Iorio, founder and CEO of Decentral; and Bill Shihara, co-founder and CEO of Bittrex, all commended VeriBlock on its innovative new protocol, expecting it to add a new level of security to the blockchain ecosystem.

“Bloq is proud to have been part of the journey with VeriBlock over the past two years — and especially with a technology that helps any blockchain project thrive and benefit from the security that Bitcoin provides,” Roszak wrote on his company blog. “As the multi-chain, multi-network, multi-token world emerges, we are confident that VeriBlock will continue to play a vital role as a security root for this new frontier.”

The vice president of crypto exchange BitBuy, Jordan Anderson, also praised the solution in an interview with Bitcoin Magazine.

“VeriBlock is an excellent example of a proof-of-proof initiative to ensure altcoins are not susceptible to a 51-percent attack,” he said. “VeriBlock will promote security and stability within the altcoin ecosystem, and provide greater confidence to consumers looking to participate.”

Meanwhile, long-time bitcoin core developer Peter Todd was more apprehensive, explaining that he needed time to look at the actual implementation of the VeriBlock project.

“The general idea of piggybacking on an existing consensus system is a good one,” he said. “But VeriBlock is an unusually complex variant of that idea, so I’m not confident given what I’ve seen in the white paper that it is secure.”

This article originally appeared on Bitcoin Magazine.

Reacting to Public Ire, Coinbase Drops Neutrino Execs With Hacking Team Ties


After a week of community discontent, cryptocurrency exchange Coinbase has decided to sever its business relationship with Neutrino employees who previously worked at the notorious Italian malware/software provider Hacking Team.

Blaming “a gap in [Coinbase’s] diligence process,” CEO Brian Armstrong writes in a Medium post that Coinbase “did not properly evaluate everything from the perspective of our mission and values as a crypto company.”

“We took some time to dig further into this over the past week, and together with the Neutrino team have come to an agreement: those who previously worked at Hacking Team (despite the fact that they have no current affiliation with Hacking Team), will transition out of Coinbase. This was not an easy decision, but their prior work does present a conflict with our mission. We are thankful to the Neutrino team for engaging with us on this outcome.”

Last week, Neutrino’s link to Hacking Team came to light thanks to Twitter commentators like Block Digest’s “Janine.” At least three individuals in Neutrino’s core team (CEO Giancarlo Russo, CRO Marco Valleri and CTO Alberto Ornaghi) had been principal employees of Hacking Team, as well as Luca Guerre, an intern-turned-software-engineer at the company.

Coinbase did not disclose which team members would be let go, so there’s no information to indicate how many other Neutrino employees might be affected by the severance. Armstrong also offered no timeline in his post for when these departures would take place.

Disbanded in 2016, Hacking Team made headlines during its business’ zenith for selling surveillance malware to authoritarian governments. Their software’s use has been implicated in innumerable privacy and human rights abuses, including the death and imprisonment of journalists and civil rights activists.

News of Hacking Team’s abuses spread like wildfire through the community, in part stoked by tenacious media coverage and social media backlash, culminating in a #DeleteCoinbase campaign.

And apparently, this heat was enough for Coinbase to decide to dissolve its connections with the people previously associated with Hacking Team.

Previously, the exchange had defended its acquisition in a blanket statement sent to the press. Coinbase stated that it “does not condone nor will it defend the actions of Hacking Team,” but that it was “important for [it] to bring [blockchain analysis services] in-house to fully control and protect our customers’ data, and Neutrino’s technology was the best we encountered in the space to achieve this goal.”

A few days after this response to the situation, Coinbase’s Director of Institutional Sales, Christine Sandler, would tell Cheddar that the need to bring these services in-house to protect data was due to its former blockchain analysis providers monetizing user data, something that is against Coinbase’s privacy policy.

In his post, Armstrong mentions that Neutrino was also acquired because their old providers “didn’t support all the assets [the exchange] wanted to have on [its] platform,” so it “examined the players, found that Neutrino had some of the best technology in this area, and decided to acquire them.”

This article originally appeared on Bitcoin Magazine.

Coinbase Bought Neutrino Because Its Old Analysis Providers Sold User Data


Coinbase’s Director of Institutional Sales, Christine Sandler, said in an interview last week that, in part, the exchange acquired controversial software firm Neutrino because its prior blockchain analysis providers were selling customer data.

“The compelling reason for making the acquisition was that Neutrino had some industry leading, best in class technology. It was important for us to migrate away from our current providers. They were selling client data to outside sources and it was compelling for us to get control over that and have proprietary technology that we could leverage to keep the data safe and protect our clients,” Sandler said in an interview with Cheddar.

In its current privacy policy, Coinbase asserts that it only shares customer information with third parties for fraud prevention and legal compliance as well as for “bill collection, marketing, and other technology services.” The same active policy says that they will personally never sell client information, transaction or personal, and nor will these third parties.

https://twitter.com/J9Roem/status/1102240022055604224

Sandler’s slip-up tells another tale. If her statement is true, then Coinbase may have inadvertently violated its terms of use. Coinbase users believed that their data was only being shared for regulatory purposes, not being monetized, as Jill Carlson points out on Twitter:

“Selling data is very different from collecting it for regulatory purposes. I consented to Coinbase collecting my data for KYC/AML purposes. I did not knowingly consent to Coinbase collecting my data to sell to other parties.”

Seeing as their prior providers breached this trust, Coinbase’s acquisition of Neutrino makes sense; out with the old and in with the (hopefully more trustworthy) new. In one of its news blurbs, cryptocurrency media platform Messari indicates that the purchase was likely made to minimize counterparty risk by bringing analysis services in house. Almost all other exchanges use the same providers, a source told Messari, so going with the new kid on the block was likely the only way Coinbase could make sure the provider would do as they’re told.

“A source with knowledge of the situation explained there wasn’t much of a choice for Coinbase, as almost all regulated crypto exchanges likely use one of several large blockchain analytics tools, including those from industry leaders Elliptic and Chainalysis. The source said that those firms had moved to a ‘give-get’ data model, where Coinbase would only have been permitted to use the service in return for providing its own data. Coinbase ‘brought that capability in house so they weren’t in a situation where using a 3rd party tool was making it better’ as a surveillance tech.”

Still, if Coinbase was looking for a team it could trust, Neutrino’s past is far from trustworthy. The company’s three executives used to run a business called Hacking Team, which sold surveillance malware to authoritarian regimes around the world, precipitating, among other human rights abuses, the monitoring, imprisonment and death of journalists and regime dissidents.

Neutrino’s past has it and Coinbase embroiled in intense community scrutiny, and the collective ire has manifested in a #DeleteCoinbase campaign on Twitter.

Coinbase claims that Neutrino offers best-in-class software, hence why they’re the best fit for AML/KYC compliance and other business-related transaction analysis. But even disregarding the questions of trust that Neutrino’s past may muster, the company’s pedigree might not even be all that up-to-snuff.

Jesse Powell, CEO of Kraken exchange, said that Neutrino was disqualified “due [to its] risks” in a compliance evaluation. Even without this risk, they came in last for actual product when compared to four other providers.

“I asked our Compliance team what they thought of Neutrino,” Powell tweeted. “Fortunately, they’d just completed an evaluation. Neutrino came in last place on product (out of the 5) but was disqualified anyway due to the risks. However, other factors are important in M&A: cost, culture fit.”

BHB Network head Giacomo Zucco told Bitcoin Magazine that his company gave a negative evaluation of Neutrino’s services for similar reasons that Kraken’s compliance review raised red flags. Zucco told Bitcoin Magazine that, when BHB Network evaluated a live demo of Neutrino’s blockchain analysis technology for a client in February 2017, the company refused to let BHB test the tech using their own addresses.

The demo was conducted using “pre-defined addresses,” he said, and the team argued that they couldn’t open source the software because the technology had its own “secret” source that they couldn’t give away.

“We didn’t actually get so far. After the demo, I had some doubts about the ‘secret source’ claims. Then we googled names and that was enough for me to tell my client to pass,” Zucco told Bitcoin Magazine.

At the time of publication, Coinbase had not returned Bitcoin Magazine’s request for comment.

This article originally appeared on Bitcoin Magazine.

Coinbase Snaps Up Blockchain Intelligence Startup Neutrino


U.S.-based digital asset platform Coinbase has acquired blockchain intelligence startup Neutrino. The company made the news known earlier today, February 19, 2019, but the cost of the acquisition was not disclosed.

The announcement reads:

“Neutrino’s technology is the best we’ve encountered in this space, and it will play an important role in legitimizing crypto, making it safer and more accessible for people all over the world.”

The blockchain startup will analyze data on public blockchains and help prevent theft of funds on Coinbase, investigate ransomware attacks when they come up and identify the culprits using its suite of tools.

Neutrino offers similar services to New York-based Chainalysis, designing and developing tools for monitoring data on the blockchain. Per its website, Neutrino creates custom solutions for “monitoring, analyzing and tracking cryptocurrency flows across multiple blockchains, providing actionable insight on the whole cryptocurrency ecosystem.”

With its analytical capabilities, Neutrino will help Coinbase add new features and tokens to the platform, while ensuring “compliance with local laws and regulations.”

Beyond analytics, Neutrino claims to have some firepower under its sleeves. The startup has a solution specifically developed for law enforcement agencies dubbed the XFlow nSpect, which allows for total tracking of cryptocurrency movements across multiple blockchains. Per details on its website, Neutrino claims the XFlow can be used to track stolen funds, monitoring their flow from one exchange to another, mixers and other services in real time.

Coinbase says Neutrino will not go through any rebranding efforts. Instead it will continue to operate as an independent entity out of Coinbase’s London office. The exchange sees the acquisition as a step in the right direction for creating an “open financial system.”

This article originally appeared on Bitcoin Magazine.

Bitcoin Wallet Forced to Drop Key Privacy Features From Google Play App


Privacy-focused bitcoin wallet Samourai is having its hand forced by Google.

According to a Samourai blog post, the wallet provider is disabling privacy features that are key to its design before its latest version, 0.99.4, hits the Google Play store tomorrow. The removed features include Samourai’s Stealth Mode, remote text message (SMS) commands, and SIM Switch Defense (a measure to protect against SIM swaps).

The privacy restrictions only affect the version of the wallet available on Google Play. To bypass these restrictions, users can also download what Samourai calls the “non-nerfed version” of the wallet client’s latest version directly from the project’s GitHub. Down the road, the team also hopes to get the wallet, with its privacy features fully enabled, listed on F-Droid and other alternative, open-source app stores.

“In October, Google announced changes to their policies regarding SMS and Dialer permissions that apps are allowed to use. The way that our Stealth Mode, Remote SMS commands, and SIM Switch Defense work require use of these permissions,” a Samourai Wallet representative told Bitcoin Magazine in an email correspondence.

Samourai proceeded to file for an exemption, but they were notified of their exemption’s rejection just “a few days ago,” according to the representative.

“Unfortunately, they didn’t tell us anything specifically, we learned of everything through automated emails that could not be responded to,” they continued.

Samourai is only available for Android, in part because it can’t pin down iOS developers who “are willing to work for the passion of it over the profit,” the representative indicated. The project hasn’t “had much luck with iOS developers so far,” but it is “committed to bringing some version of Samourai to the iOS store eventually,” they claimed.

With these restrictions, Samourai lamented the changing landscape of Android over the past few versions. These changes have, in Samourai’s words, created a “walled garden,” something the wallet provider discusses in its blog post and reiterated in our correspondence.

“Very strict changes in background data a few versions ago meant that Samourai users would no longer receive alerts on incoming payments unless we routed all alerts through Google’s own servers. We obviously decided not to do that, but that was — in our view — the beginnings of the walled garden being built. The latest policy changes regarding SMS and Dialer permissions show a marked change of strategy for Google, bringing it closer in alignment with the Apple iOS Store than ever before.”

If users opt to download the wallet directly from Samourai’s Github, the team cautioned that they should “verify the integrity of the APK they download by comparing the SHA-256 hash of their APK with the SHA-256 hash published on Github.”
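One way to carry out the check Samourai recommends, as an added example that is not Samourai's own tooling: hash the downloaded file in chunks and compare it with the published value, rejecting anything that is not a full 64-digit SHA-256. The file name, helper names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large APKs are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_published_hash(text: str) -> str:
    """Accept a bare hex digest or a sha256sum-style 'HASH  filename' line.

    Case and surrounding whitespace are ignored. A shortened or malformed
    value raises ValueError instead of being compared as a prefix.
    """
    parts = text.strip().split()
    if not parts:
        raise ValueError("no published hash supplied")
    candidate = parts[0].lower()
    if not HEX64.match(candidate):
        raise ValueError("published value is not a full 64-hex-digit SHA-256")
    return candidate


def verify_download(path: str, published_text: str) -> bool:
    """True only if the file's SHA-256 equals the published digest exactly."""
    return sha256_file(path) == normalize_published_hash(published_text)


def demo():
    """Run the check against a constructed stand-in file (not a real APK)."""
    with tempfile.TemporaryDirectory() as tmp:
        apk = os.path.join(tmp, "wallet-example.apk")  # hypothetical name
        with open(apk, "wb") as fh:
            fh.write(b"PK\x03\x04" + b"constructed stand-in for APK bytes" * 1000)
        published = sha256_file(apk)

        # Published value pasted with different case, padding and a file name.
        intact = verify_download(apk, "  " + published.upper() + "  wallet-example.apk\n")

        # Flip one byte, as a corrupted or swapped download would differ.
        with open(apk, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00")
        tampered = verify_download(apk, published)

        # A shortened hash must be rejected, not matched on its prefix.
        try:
            verify_download(apk, published[:16])
            truncated_rejected = False
        except ValueError:
            truncated_rejected = True
    return intact, tampered, truncated_rejected


if __name__ == "__main__":
    print(demo())
```

A hash published in the same place as the APK detects a corrupted or swapped download; detecting a compromised release page would need a hash obtained or signed through a separate channel.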

At time of publication, Google had not responded to Bitcoin Magazine’s request for comment.

This article originally appeared on Bitcoin Magazine.

Neutrino: A Privacy-Preserving Light Wallet Protocol


Lightning is all the rage these days and, while it’s an exciting development, users currently have to have a full node running in order to transact in it. In this article, I’m going to introduce Neutrino, a new protocol for light clients to get the data that they need while preserving privacy and without trusting a central server.

A Little History

In the original white paper written in 2008, Satoshi Nakamoto described something called Simplified Payment Verification (SPV). SPV is how a light node can verify payments without downloading, verifying or storing the entire blockchain. This was supposed to be the basis of light wallets. Unfortunately, the original Bitcoin Core software did not implement Simplified Payment Verification, so light clients did not have access to the data necessary to do SPV in a privacy-preserving way.

In 2013, BIP0037 was added to Bitcoin Core to make SPV viable. BIP0037 created network commands that make Simplified Payment Verification possible for light nodes. Light nodes could now ask for proof that a particular transaction happened in a particular block. That way, light nodes wouldn’t have to trust servers but could actually verify the data being given to them.

To achieve this, the light client gives the server a filter. The server then runs the filter over all the transactions of a new block and reports back those transactions, along with proof that they’re in the block, to the client. The client then verifies the proof and looks at the transactions to see if any of them belong to the wallet.

Unfortunately, BIP0037 has a few drawbacks. Among others, it was seen as being difficult to implement and most light wallets have opted to use something else. The Electrum wallet, for example, uses its own proprietary protocol which isn’t privacy-preserving. The Mycelium wallet calls servers that the Mycelium company runs. In addition, there are denial-of-service vectors (by having to run lots of filters) to exploit servers that respond to BIP0037 requests.

Furthermore, the privacy aspects of BIP0037 turned out to not be as strong as was thought. It turns out the server can know a lot about the light wallet (like what balance it might have, whom it’s transacting with, possibly even what it’s buying) by looking for certain kinds of patterns.

As a result, BIP0037 has largely fallen into disuse, despite being in the Core software since 2013.

What Is Neutrino?

Neutrino is a protocol to verify payments, except this time, the bulk of the work is done on the client side. Instead of the server filtering transactions for the client, now all the transactions belonging to a block (technically ScriptPubKeys corresponding to each input and output except the OP_RETURN outputs) are compressed and sent to the client. It’s now the client’s job to figure out if any of the transactions are ones it has transacted in. If any of the transactions are relevant to the wallet, the client then requests the full block to verify the transactions.

It turns out that the compression can be pretty impressive. A normal block is around 1.4MB, but compressing it (technically, hashing each ScriptPubKey to 64 bits) produces about 20KB of super-compressed data per block. Since this super-compressed block is the same for every light client, this removes the denial-of-service vulnerability for the server. This also means that the server gets no special information about the light client other than what blocks it wants to look at, meaning that there are far fewer privacy leaks.
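The server-side compression and client-side matching described above, as an added example that is not code from btcd or the article's author. It follows the Golomb-coded-set construction of BIP 158 (P = 19, M = 784931, key taken from the block hash), with keyed BLAKE2b standing in for SipHash-2-4 and with constructed scripts and block hash as assumptions.

```python
import hashlib

P = 19       # Golomb-Rice remainder width in bits (BIP 158 basic filter)
M = 784931   # inverse false-positive rate (BIP 158 basic filter)


def hash_to_range(script: bytes, key: bytes, f: int) -> int:
    """Hash a ScriptPubKey to 64 bits and map it uniformly into [0, f).

    Stand-in: BIP 158 uses SipHash-2-4, which the Python standard library
    does not expose, so keyed BLAKE2b with an 8-byte digest is used here.
    """
    h = hashlib.blake2b(script, key=key, digest_size=8).digest()
    return (int.from_bytes(h, "big") * f) >> 64


def build_filter(scripts, key: bytes):
    """Server side: one filter per block, identical for every client."""
    items = set(scripts)
    n = len(items)
    if n == 0:
        return 0, b""
    values = sorted(hash_to_range(s, key, n * M) for s in items)
    bits, last = [], 0
    for v in values:
        q, r = divmod(v - last, 1 << P)   # delta = q * 2^P + r
        bits.append("1" * q + "0" + format(r, f"0{P}b"))
        last = v
    bitstr = "".join(bits)
    bitstr += "0" * (-len(bitstr) % 8)    # pad to a whole number of bytes
    return n, int(bitstr, 2).to_bytes(len(bitstr) // 8, "big")


def decode_filter(n: int, data: bytes):
    """Client side: recover the sorted hashed values from the bit stream."""
    bitstr = "".join(format(b, "08b") for b in data)
    pos, last, values = 0, 0, []
    for _ in range(n):
        q = 0
        while pos < len(bitstr) and bitstr[pos] == "1":
            q += 1
            pos += 1
        pos += 1  # skip the "0" that terminates the unary quotient
        if pos + P > len(bitstr):
            raise ValueError("filter is truncated")
        last += (q << P) | int(bitstr[pos:pos + P], 2)
        pos += P
        values.append(last)
    return values


def match_any(n: int, data: bytes, key: bytes, watched) -> bool:
    """Client side: does any wallet script possibly appear in this block?"""
    if n == 0:
        return False
    present = set(decode_filter(n, data))
    return any(hash_to_range(s, key, n * M) in present for s in watched)


def demo() -> dict:
    # Constructed data: a fake block hash and 2,000 P2WPKH-shaped scripts.
    key = hashlib.sha256(b"constructed block hash").digest()[:16]
    block_scripts = [
        b"\x00\x14" + hashlib.sha256(i.to_bytes(4, "big")).digest()[:20]
        for i in range(2000)
    ]
    n, filt = build_filter(block_scripts, key)
    mine = block_scripts[1234]
    other = b"\x00\x14" + hashlib.sha256(b"not in this block").digest()[:20]
    return {
        "raw_bytes": sum(len(s) for s in block_scripts),
        "filter_bytes": len(filt),
        "hit": match_any(n, filt, key, [mine]),     # client fetches full block
        "miss": match_any(n, filt, key, [other]),   # client skips this block
    }


if __name__ == "__main__":
    print(demo())
```

A hit can be a false positive at a rate of about 1 in M per watched script, which is why the client still downloads and checks the full block after a match.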

Trade-offs

Of course, by adding privacy, we do have some trade-offs to consider. First, there’s more data being sent back and forth. While 1.4MB to 20KB is a pretty large reduction in bandwidth, BIP0037 allowed an even bigger reduction as servers only transmitted about 3KB of data for blocks where there were transactions the wallet participated in and only 80 bytes for blocks without such transactions. Assuming about one transaction per day, that’s about 100 bytes per block overall for BIP0037, which means Neutrino is more expensive from a bandwidth standpoint.

Further, there is more validation to do on the client side as the client now has to do additional verification to prove that the data sent by the server is true.

Privacy is preserved while looking for transactions that the wallet has participated in. Usually, these are transactions where the wallet is receiving money. For sending money, however, Neutrino doesn’t really help and there are a lot of privacy concerns there still (though Tor and Dandelion can help).

Lastly, there is likely going to have to be a new commitment to the coinbase transaction of each block to facilitate Neutrino, which would require a soft fork.

What This Means for You

It turns out that Neutrino is not just useful for Bitcoin wallets, it’s also useful for Lightning. Setting up a Lightning node is currently difficult, in part because you have to run a full node which takes a long time to sync. Neutrino is available in btcd, but not in Bitcoin Core yet, so until it’s available in Bitcoin Core, light wallets are going to have a tough time finding nodes to get data from. It is for this reason that Wasabi has had to make their own servers with similar super-compressed block data.

Once Neutrino arrives in Bitcoin Core, Lightning wallets will be able to run as light clients much more easily. And that means that your bitcoin wallet will be far more effective in preserving privacy. This does not mean that you’ll have complete anonymity, especially from chain analysis, but you will be able to achieve a large portion of the privacy that full nodes currently enjoy without storing, transmitting or verifying the entire blockchain.

Privacy leaks are ultimately security leaks as information about you can be used against you.

Transacting with wallets which use the Neutrino protocol means that your bitcoin transactions, whether on-chain or on the Lightning Network, will be a little less susceptible to leaking information.

More Information

For developers interested in this technology, BIP0157 and BIP0158 spell out the protocol in detail and test vectors are available from the developers at Lightning Labs. For consumers, ask if your wallet provider is planning on implementing Neutrino.

Conclusion

Neutrino is a technology that is long overdue. Most people using light node software have to trust external parties to some degree, which is not the cypherpunk ideal. By using Neutrino, wallet developers will now be able to create wallets that are truly self-contained and do not require trusting a server.

This article originally appeared on Bitcoin Magazine.

Target and Google Official Twitter Accounts Hacked, Used for Crypto Scams

In what is becoming an emerging trend, Twitter accounts of popular brands are being hacked in an attempt to scam unsuspecting users out of their cryptocurrencies.

Target and Google are two high profile targets that have seen their accounts taken over by hackers who, in turn, have used them to scam followers by advertising fraudulent crypto giveaways.

Google’s G Suite Twitter Account is Hacked!! pic.twitter.com/JdB7huGksO

— Burton (@B_u_r_t_o_n) November 13, 2018

Target’s Twitter account, which is followed by nearly 2 million users, posted a tweet, confirming the hack which occurred on November 13, 2018. The retailer stated:

“Early this morning, our Twitter account was inappropriately accessed. The access lasted for approx. half an hour & one fake tweet was posted during that time about a bitcoin scam. We have regained control of the account, are in close contact with Twitter & are investigating now.”

Seemingly targeted by the hacking syndicate, Google’s G Suite Twitter account was breached hours after Target fell victim. The hack on Google was marked by the same tactics as the one that plagued Target — a scammy tweet ridden with typos promising free bitcoin to G Suite’s 800,000 followers.

A Google spokesperson confirmed the hack to Business Insider in a statement:

“This morning an unauthorized promoted tweet was shared from the G Suite account. We removed the tweet and are investigating with Twitter now.”

These incidents are a more sophisticated version of the Twitter scams that have become a constant nuisance for the cryptocurrency community. Typically, these scams include bad actors merely imitating popular figures in the crypto industry with near-identical profiles, though it’s rare for the real accounts themselves to be taken over to advertise the scams.

While it’s unclear how scammers are gaining access to the brands’ social media accounts, it’s obvious new measures are needed to combat the scams.

Criticized in the past for its failure to devise a clear defense against these incidents, Twitter is reportedly working on security countermeasures to prevent future breaches on its platform like the one Target experienced.

Earlier this year, anti-fraud software company MetaCert released Cryptonite, a browser extension that safeguards users against fraudulent accounts.

This article originally appeared on Bitcoin Magazine.