An API For Bitcoin:Blockchain

The Bitcoin blockchain is publicly available and offers a browsable interface and an API.'s API’s API

I have a background in software development but my academic career ended a couple of years before the web was created. The development I have done has all been command line and I would be more correctly described as an integrator than a programmer. My talent, such as it may be, is finding systems that do many things right, and which need only a bit of ‘glue’ to hold them together.

These last two years I have painfully converted from perl to python, my first new language acquisition in almost twenty years. This was brought on by my interest in the Splunk machine data handling platform and by a desire to extend the Maltego penetration tester’s toolkit.

I’ve had some success with Twitter, LinkedIn, Meetup, and I tried and despised everything to do with Facebook. As a rule if I can’t get something going via command line on a new platform within the first day after I take interest it’s probably never going to happen at all. I’ve been looking at the Blockchain package on PyPI and it looks promising, which in my case means I can probably write a couple of one page command line scripts and start getting some useful information from

Sometimes there are pre-existing transforms, the word Maltego uses to describe queries. Here’s one called bitcoin-explorer which is written in Python and which uses the Canari transform construction kit.

Maltego local transform pack that parses the Bitcoin Blockchain ( and creates Maltego graphs based on bitcoin wallet addresses and transactions. Will allow analysts to look up specific addresses and identify relationships between transactions and holding patterns visually. Further, it will allow analysts to quickly follow specific Bitcoin transactions in the case of following stolen bitcoins easily and precisely with the data returned from In addition if an owner of a specific bitcoin address discloses the address publicly in a way that reveals their online persona or identify then it is possible to relate a bitcoin wallet address to a specific persona or identity in this way.

There are a lot of cryptocurrency related scams out there, which @Badbitcoinorg tracks. If I can coax this set of transforms into operation and then start extending it, maybe some of those fraudulent sites will prove to have poor OPSEC, and just maybe some of the victims will get their money back.

Social Network Analysis: @VentureScanner @npacer & @rogerkver

Yesterday I spoke with Nate Pacer @npacer, the private placement equity analyst who runs the Bitcoin scan for @VentureScanner. They are tracking over 550 companies who have received a total of $430 million in funding from a variety of funding sources. I know that @rogerkver, known as “Bitcoin Jesus”, is the foremost evangelist for Bitcoin, so I decided to examine the social network of these three accounts to see what I could learn about the players involved in Bitcoin investments.

@VentureScanner @npacer & @rogerkver

@VentureScanner @npacer & @rogerkver

Roger has almost 18,000 followers, which would make Maltego intolerably slow, so I ignored them. The 1,100 people he follows are presumably a who’s who in the Bitcoin realm. Venture Scanner has five analysts tracking nine different business sectors so there are many accounts they follow which are not Bitcoin specific.

I tagged the three key accounts with a red star, the three pink dots are aliases, which I use in a similar fashion to the colored stars, tagging groups of accounts, but they have the added effect of adjusting the overall layout of the network. I pushed and pulled and deleted until I had just 172 other accounts on this graph, all of which connected to at least two of the three key accounts.

@npacer Contacts

@npacer Contacts

@VentureScanner Contacts

@VentureScanner Contacts

@rogerkver Contacts

@rogerkver Contacts

What do these three graphs tell us? That isn’t clear yet, but here are some hypotheses to consider:

  • @npacer searches exhaustively, then the companies he profiles are mentioned by @VentureScanner, and finally they come to @rogerkver‘s attention.
  • @rogerkver knows everyone and hears it all before everyone else, @VentureScanner overlap are the companies being funded, and this larger group on the left is a mix of @npacer‘s professional contacts and companies that might be rising stars.
  • Both of the hypotheses are correct for some of the other accounts included, and the three key accounts have other information gathering or promotion strategies which cannot be neatly fitted into the funding pipeline model implicit in the first two options.

Bi-directional following relationships from multiple accounts can tell you who might be in private communication. Examining open mentions of other accounts shows who is involved in the day to day conversation. The three key accounts mentioned 728 other accounts a total of 767 times. The colors here are just so you can see which accounts are ‘closer’ to each of the key accounts. This is done with the Louvain Method of community detection, a flexible tool for picking out structure within a mass of nodes and links.

@VentureScanner @npacer @rogerkver Conversations

@VentureScanner @npacer @rogerkver Conversations

I removed the accounts only mentioned by one of the three key accounts, except for four that @rogerkver talks to quite a bit, since they looked like they might be important in the overall cryptocurrency discussion on Twitter. There are 34 accounts here, I think 32 of them are relevant for getting the jump on things.

Conversation Closeup

Conversation Closeup

Having sorted out who was actively involved in the conversation, I pasted that list of accounts into Maltego and I think this confirms the idea that the contacts for @npacer are fellow professionals and friends – all of the current conversation is happening over on the right.

Current Conversations

Current Conversations

The techniques I applied here are the product of my taking Lada Admic’s Social Network Analysis class on Coursera. Most of the graphs are done with Maltego, a penetration tester’s toolkit by Paterva. The conversation graph was made with Gephi, an open source data visualization tool.

If this has stirred your curiosity, but not so much that you’ll download and learn a complex software package or take a two month class, you should take a look at FollowerWonk, a service which can be used to do basic reconnaissance on Twitter. Their free version is quite useful and the list time I had it the monthly cost was just $20, a pretty good deal for the capabilities it provides.

Addendum: I haven’t done this in a while, I forgot to include the detailed map so you can see who is involved in the current conversation:

The Current Conversation

The Current Conversation

Attention Doesn’t Scale by @ewengel

The Attention Doesn’t Scale whitepaper by Elizabeth Weaver Engle @ewengle is another file that makes periodic appearances on my desktop, which I am busily cleaning today. I have been writing about “attention conservation” for a number of years. There has been an influx of new readers since I started covering Cipherspace, Cryptocurrency & Contagions, now seems like a good time to revisit this important concept.

This white paper appeared two years ago, and it was two years prior to that when Progressive Congress News was launched. I haven’t done anything with PCN since early 2011 when it was turned over to the group that currently runs it, but I am told it has grown to cover nearly a quarter of all U.S. Congressional staff. The lesson here is simple: We’re cornered by content, we’re drowning in data, and if you can engage in quality sense-making efforts you will rise to the top.

Future Work Skills 2020, referenced in the white paper, identifies ten key skills, and I’ve highlighted the ones that are particularly important for curation:

1. Sense-making: the ability to determine significance.

2. Social intelligence: the ability to connect with others in a deep way.

3. Adaptive thinking: the ability to come up with novel solutions.

4. Cross-cultural competency: the ability to operate in new contexts.

5. Computational thinking: the ability to think abstractly and make data-driven decisions.

6. New media literacy: the ability to assess new media critically and use it appropriately.

7. Transdisciplinarity: the ability to understand concepts across a wide range of disciplines.

8. Design mindset: the ability to understand how the physical environment impacts thinking and make conscious choices in using it.

9. Cognitive load management: the ability to filter information.

10. Virtual collaboration: the ability to be a productive part of a virtual team.

I don’t recall if I’ve mentioned it previously, but I am currently reading Daniel Kahneman’s Thinking Fast & Slow. While I often read white papers this is the first book on cognition I’ve picked up since reading Psychology of Intelligence Analysis. I suspect that people are exposing their “System 1″ intuitive and emotional judgments with Twitter, while longer form venues such as this blog are correlated with the deliberate, logical “System 2″.

Having a bit of experience in building curation systems and now having a roadmap in hand in the form of Kahneman’s book, I am starting to suspect I’m about to build something, I’m just not yet sure exactly what it will be.

I have my fingers in two Aggregation, Distillation and Elevation efforts (@CryptoCoinsNews and @DeepDotWeb). I have my eye on two other entities that play longer games, fraud tracker @Badbitcoinorg and private placement equity tracker VentureScanner:Bitcoin by @npacer.

All four of these entities promote their work on Twitter, the things they report on almost always have a Twitter presence as well, but none of them display serious analytical capability in that area. The news efforts engage ‘System 1′ visitors who are scanning articles and ‘System 2′ visitors who are actually taking the time to read. The fraud tracker also gets a mix of ‘System 1′ scanners and ‘System 2′ readers, the former are presumably avoiding trouble, while the latter may be trying to figure out how to get their coins back. @VentureScanner readers are likely scanning the entire report for an overall market assessment, and then reading in detail as they work out how and where to invest.

All four of them fall under the umbrella of curation. Two are news of the day, two are long term perspective. Two follow the legitimate growth in the cryptocurrency sector, two inhabit the dirty end of the field. I did not mindfully set out to accomplish this and it really wasn’t clear to me until I started writing this closing paragraph, but in the three weeks since I published Cipherspace, Cryptocurrency & Contagions I’ve worked my way into a position where I have a good view of what is happening as well as the ability to direct attention to things that interest me.

I’ve rewritten the closing paragraph for this half a dozen times. This is generally an indication that I need to continue writing, but that I should switch from English to Python …

Ten Commandments of OPSEC by @thegrugq

He bills himself as both an ‘Internet Security Pornstar’ and ‘Cultural Attaché’, the latter being a U.S. embassy position often filled by CIA operatives. The real name of this South African expat who now lives in Bangkok is a carefully concealed secret, which is certainly a wise move given that he is the world’s foremost ‘0day broker’. An ‘0day’ is security industry slang for a new software vulnerability and if you find one affecting Apple’s mobile devices they can sell for as much as $500,000. If you want to ‘level up’ as a hacker, you should be following and heeding the advice of @thegrugq.

I collected the slide deck for the presentation he gave at DEFCON 22 in August along with @octal and @marcwrogers, because I was interested in their travel router concept … and having written for House, Senate, and Gubernatorial candidates I was completely mortified by this egregious editing failure.

An Editorial Abomination

An Editorial Abomination

I covered my eyes for page four of the slide deck, but when I revisited it a few days later I decided these commandments ought to be turned into a single well formatted page. Here it is in both image and text format.

The Ten Commandments, @thegrugq Style

The Ten Commandments, @thegrugq Style

The Ten Commandments of OPSEC
by @thegrugq

Thou shall keep thy head down.
Thou shalt not reveal current or past operational details.
Thou shalt not reveal future plans.

Thou shall separate business from pleasure.
Thou shall compartmentalize business, lest one lost sheep cause a stampede.
Thou shalt not piss on thine own doorstep.
Thou shall keep thine operation contraband free.

Thou shall be proactively paranoid.
Thou shall give no one leverage over thee.
Thou shall trust no man beyond his assigned compartment.

This has been sitting on my desktop for almost five months and I’ve been on a cleaning binge. The travel router concept is a good one and it fits into the cipherspace category. Do take the time to read the slide deck, there are many additional treasures in there.

Bailing Out Of #ZenMiner, On To VentureScanner

Two weeks ago I put My First Bitcoin Pay into ZenMiner. Last night I liquidated all of my miners except the gift and a single Hashlet Prime which someone else had funded, urging me to use it to learn more about what this company’s strategy. Here’s a composite shot of what they offer, what I have left, and the various mining pools.

Bailing Out Of ZenMiner

Bailing Out Of ZenMiner

See the Hashlet Genesis, denominated in gigahashes, and the Hashlet Prime denominated in megahashes? There are some cryptocurrencies that depend on calculations (gigahashes of SHA256) that can be greatly accelerated by using graphics cards or custom ASICs, while others (megahashes of Scrypt) require extensive ram in order to run, favoring general purpose computing systems rather than expensive fixed function hardware. The dynamic of balancing processor, storage, and electrical usage is something I understand from managing service providers.

The cluster of icons at the right indicate various ‘pools’ – one can mine bitcoin by selecting Genesis Guild, Genesis Hash, or Genesis Multi. Other than the names, I can’t seem to locate what these things are – I guess they are mining pools, but as for which to pick, there isn’t enough information available.

See the row of miners and their list prices? This is where my frustration built to the point that I was ready to just pack up and move on. I can not describe what these things represent and how they contribute to the overall work the system does. I have spent some time poking around on the ZenMiner site as I am writing this, confirming my perception – there isn’t a big chart that shows how all this stuff fits together, nor are there individual write-ups that would permit an interested party to map the system.

Conclusion: There is a lot of buzz about ZenMiner and the upcoming HashCoin ICO, but the environment the company offers is friendly only to those who already have extensive knowledge, and some of that knowledge may only be available to those who have a history of participation in this business. A newcomer, even one who understands both the technology issues and who can read a P&L/balance sheet is going to find this to be an impenetrable labyrinth.

I received $30 for my first ever story on darknet markets, it became $34 by the time it arrived thanks to Bitcoin volatility, and I got a $6 tip for helping someone along the way. Between mining results and the sale of all miners, except the Hashlet Prime someone else funded, I have $45 USD in bitcoin, so this has been a profitable experiment.

I also have 1,300 HashPoints, which will convert to PayCoin at 500:1 at some point in the near future, and predictions are this currency will be worth between $4 (skeptics) and $20 (@gawceo). I should have enough HP for three PayCoin when it becomes available in December and if Josh Garza’s optimism is correct I will pay back the person who gave me the Hashlet Prime, leaving me with a pair of working miners and a small amount of Bitcoin.

My next move is going to be back to the more familiar territory of private placement finance. I just got a free thirty day trial of Venture Scanner’s Bitcoin coverage by Nathan Pacer (@npacer). This $99 monthly service tracks investment in twelve subsections of the overall cryptocoin business, where 552 companies profiled have taken in a total of $430 million in direct investment. Pacer’s work is available as downloadable CSV files amenable to my urges to dig deeper and visualize data with my own tools. I have a first article in the works which I think will be appearing on @CryptoCoinsNews, but not until some time this coming week.

Avoiding Tor Panic On @CryptoCoinsNews

Avoiding Tor Panic On CryptoCoinsNews

Avoiding Tor Panic On CryptoCoinsNews

Avoiding Tor Panic, my first story for @CryptoCoinsNews, went up earlier today. Basically some industry watcher got hold of an academic study about trying to use netflow to identify Tor users. Sounds pretty scary unless you’ve got some experience with both tuning large networks using netflow and dealing with academics. I didn’t name names, but I did deflate the fear bubble a bit …

Using @cryptostorm_is’s Free OpenVPN Service

There has been a bunch of chatter about @cryptostorm_is & @hardrouter today on Twitter. It’s disjoint, so here is the recipe for getting a free low speed link to the most secure VPN provider in the world. This presumes you are comfortable with VirtualBox and managing Linux to the level of adding packages and editing a few startup scripts.

The overall layout I use for this was stolen from Whonix, a gateway/workstation solution that uses Tor for their anonymizing network. There has been a lot of negative attention on Tor since Operation Onymous, and I was a bit surprised to find the the Darknet Markets most wanted list were not using a VPN prior to accessing Tor. I have always viewed this as a bare minimum precaution, forcing any spying on me to involve efforts on at least two continents.

The gateway VM is configured to use either NAT or bridge network mode on its first interface, and the internal network on its second. The workstation VM connects its first interface to the internal network and depending on what you are doing it may not even have a default route.

These instructions are tested with Lubuntu, a lightweight Ubuntu distribution chosen for its limited memory and disk space requirements. This should work on any Debian Linux derivative w/o much trouble. Once your install is complete you want to add the following packages:

apt-get install openssh-server
apt-get install openvpn
apt-get install tor
apt-get install polipo
apt-get install htop

Here is the content for /etc/openvpn/cryptostorm.conf

# this is the client settings file, versioning…
# cryptofree_client_linux1_4.conf
# last update date: 5 November 2014: remember, remember…

# it is intended to provide connection solely to the global cryptofree instance/node resource pool
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also… FuckTheNSA – for reals

dev tun
resolv-retry 16

txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions

sndbuf size 1655368
rcvbuf size 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance

# randomizes selection of connection profile from list below, for redundancy against…
# DNS blacklisting-based session blocking attacks

remote 443 udp

remote 443 udp

remote 443 udp

remote 443 udp

remote 443 udp

comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion –

# runs client-side “down” script prior to shutdown, to help minimise risk…
# of session termination packet leakage

# allows client to pull DNS names from server
# we don’t use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side –fragment directive

auth-user-pass password.txt
# since this is demo /w free service we put two lines of random junk in password.txt

# auth-retry interact
# ‘interact’ is an experimental parameter not yet in our production build.

ca ca.crt
# specification & location of server-verification PKI materials
# for details, see


ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level…
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested…
# cipher libraries support our choice – AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order…
# either temporally or via sequence number

# implements ‘perfect forward secrecy’ via TLS 1.x & its ephemeral Diffie-Hellman…
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice

key-method 2
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

log devnull.txt
verb 0
mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections – this can be changed…
# if you’d like to see more details of connection initiation & negotiation

This is a starting point for an iptables configuration. It’ll run if you’ve never touched Linux firewalling before, but I am sure there are many criticisms that the @cryptostorm_is guys could offer. I hope they publish a better example.

#clean house
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP

#preserve loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#preserve ping
iptables -A INPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type echo-reply -j ACCEPT

#permit tun0 & eth1
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# DNS permits cryptostorm, ipchicken & support sites
# only matters until VPN is launched
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “cryptostorm” –algo bm -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “” –algo bm -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “” –algo bm -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “” –algo bm -j ACCEPT
iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1024:65535 -j ACCEPT

# only permit ssh & OpenVPN on external network
iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 22 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p udp –dport 123 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –sport 123 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p udp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp –sport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –sport 443 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i tun0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

People get caught using Tor because they depend on Tor alone and they run their browser on the same machine that has the Tor proxy service and a default route. If you want to be safe your workstation only has access to the internal network and your browser is configured to use a proxy service on your gateway. Here’s a minimal /etc/tor/torrc

SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
SocksPort # Bind to this address:port too.
SocksPolicy accept
ExitPolicy reject *:* # no exits allowed

And a minimal polipo config, because Firefox is a whiny little twerp when it comes to using SOCKS5 proxy services. This goes in /etc/polipo/conf and it will create an http proxy on port 8123 that sends its traffic through Tor.

# This file only needs to list configuration variables that deviate
# from the default values. See /usr/share/doc/polipo/examples/config.sample
# and “polipo -v” for variables you can tweak and further information.

logSyslog = true
logFile = /var/log/polipo/polipo.log
socksParentProxy =
socksProxyType = socks5

You don’t want to have to repeat this every time you boot the gateway, so you itables-save > /etc/iptables.rules, and add this to /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static

#this is the NAT toggle
#set to 0 if you want to just use
#Tor SOCKS5 & polipo
sysctl -w net.ipv4.ip_forward=1
pre-up iptables-restore < /etc/iptables.rules

If you have installed Linux and used any sort of add on package that requires you to make changes to config files you already know how to do everything you need at the network layer. There is a similar amount of work required to unfuck your browser, but briefly using Chrome as an example, you want to do the following:

  • Control scripts with the mighty ScriptNo
  • Install flashblock
  • Install Adblock, just because
  • Find a User Agent switcher, set it to report Internet Explorer

That’s really all there is to it. Your traffic arrives at your favorite Darknet Market via Tor, any attempt to trace you dead ends at an uncooperative VPN provider, and they think they’re looking for a person running Windows in a VirtualBox VM. If you want to be extra annoying you can set your workstation MAC address to some random number belonging to Symbolics, then the feds will know you leveled up by reading me :-)