Author Archives: Neal Rauhauser

About Neal Rauhauser

Traveler, scribbler, hacker, secret agent for the Republic of Change. Prone to biennial adjustments in research direction, 2015/2016 is all about cipherspace, cryptocurrency & contagions.

Avoiding Tor Panic On @CryptoCoinsNews

Avoiding Tor Panic On CryptoCoinsNews

Avoiding Tor Panic On CryptoCoinsNews

Avoiding Tor Panic, my first story for @CryptoCoinsNews, went up earlier today. Basically some industry watcher got hold of an academic study about trying to use netflow to identify Tor users. Sounds pretty scary unless you’ve got some experience with both tuning large networks using netflow and dealing with academics. I didn’t name names, but I did deflate the fear bubble a bit …

Using @cryptostorm_is’s Free OpenVPN Service

There has been a bunch of chatter about @cryptostorm_is & @hardrouter today on Twitter. It’s disjoint, so here is the recipe for getting a free low speed link to the most secure VPN provider in the world. This presumes you are comfortable with VirtualBox and managing Linux to the level of adding packages and editing a few startup scripts.

The overall layout I use for this was stolen from Whonix, a gateway/workstation solution that uses Tor for their anonymizing network. There has been a lot of negative attention on Tor since Operation Onymous, and I was a bit surprised to find the the Darknet Markets most wanted list were not using a VPN prior to accessing Tor. I have always viewed this as a bare minimum precaution, forcing any spying on me to involve efforts on at least two continents.

The gateway VM is configured to use either NAT or bridge network mode on its first interface, and the internal network on its second. The workstation VM connects its first interface to the internal network and depending on what you are doing it may not even have a default route.

These instructions are tested with Lubuntu, a lightweight Ubuntu distribution chosen for its limited memory and disk space requirements. This should work on any Debian Linux derivative w/o much trouble. Once your install is complete you want to add the following packages:

apt-get install openssh-server
apt-get install openvpn
apt-get install tor
apt-get install polipo
apt-get install htop

Here is the content for /etc/openvpn/cryptostorm.conf

# this is the client settings file, versioning…
# cryptofree_client_linux1_4.conf
# last update date: 5 November 2014: remember, remember…

# it is intended to provide connection solely to the global cryptofree instance/node resource pool
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also… FuckTheNSA – for reals

dev tun
resolv-retry 16

txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions

sndbuf size 1655368
rcvbuf size 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance

# randomizes selection of connection profile from list below, for redundancy against…
# DNS blacklisting-based session blocking attacks

remote 443 udp

remote 443 udp

remote 443 udp

remote 443 udp

remote 443 udp

comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion –

# runs client-side “down” script prior to shutdown, to help minimise risk…
# of session termination packet leakage

# allows client to pull DNS names from server
# we don’t use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side –fragment directive

auth-user-pass password.txt
# since this is demo /w free service we put two lines of random junk in password.txt

# auth-retry interact
# ‘interact’ is an experimental parameter not yet in our production build.

ca ca.crt
# specification & location of server-verification PKI materials
# for details, see


ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level…
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested…
# cipher libraries support our choice – AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order…
# either temporally or via sequence number

# implements ‘perfect forward secrecy’ via TLS 1.x & its ephemeral Diffie-Hellman…
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice

key-method 2
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

log devnull.txt
verb 0
mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections – this can be changed…
# if you’d like to see more details of connection initiation & negotiation

This is a starting point for an iptables configuration. It’ll run if you’ve never touched Linux firewalling before, but I am sure there are many criticisms that the @cryptostorm_is guys could offer. I hope they publish a better example.

#clean house
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP

#preserve loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#preserve ping
iptables -A INPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type echo-reply -j ACCEPT

#permit tun0 & eth1
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# DNS permits cryptostorm, ipchicken & support sites
# only matters until VPN is launched
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “cryptostorm” –algo bm -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “” –algo bm -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “” –algo bm -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 53 -m string –string “” –algo bm -j ACCEPT
iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1024:65535 -j ACCEPT

# only permit ssh & OpenVPN on external network
iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp –sport 22 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p udp –dport 123 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –sport 123 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p udp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp –sport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp –sport 443 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i tun0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

People get caught using Tor because they depend on Tor alone and they run their browser on the same machine that has the Tor proxy service and a default route. If you want to be safe your workstation only has access to the internal network and your browser is configured to use a proxy service on your gateway. Here’s a minimal /etc/tor/torrc

SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
SocksPort # Bind to this address:port too.
SocksPolicy accept
ExitPolicy reject *:* # no exits allowed

And a minimal polipo config, because Firefox is a whiny little twerp when it comes to using SOCKS5 proxy services. This goes in /etc/polipo/conf and it will create an http proxy on port 8123 that sends its traffic through Tor.

# This file only needs to list configuration variables that deviate
# from the default values. See /usr/share/doc/polipo/examples/config.sample
# and “polipo -v” for variables you can tweak and further information.

logSyslog = true
logFile = /var/log/polipo/polipo.log
socksParentProxy =
socksProxyType = socks5

You don’t want to have to repeat this every time you boot the gateway, so you itables-save > /etc/iptables.rules, and add this to /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static

#this is the NAT toggle
#set to 0 if you want to just use
#Tor SOCKS5 & polipo
sysctl -w net.ipv4.ip_forward=1
pre-up iptables-restore < /etc/iptables.rules

If you have installed Linux and used any sort of add on package that requires you to make changes to config files you already know how to do everything you need at the network layer. There is a similar amount of work required to unfuck your browser, but briefly using Chrome as an example, you want to do the following:

  • Control scripts with the mighty ScriptNo
  • Install flashblock
  • Install Adblock, just because
  • Find a User Agent switcher, set it to report Internet Explorer

That’s really all there is to it. Your traffic arrives at your favorite Darknet Market via Tor, any attempt to trace you dead ends at an uncooperative VPN provider, and they think they’re looking for a person running Windows in a VirtualBox VM. If you want to be extra annoying you can set your workstation MAC address to some random number belonging to Symbolics, then the feds will know you leveled up by reading me :-)

Commodity Coin @UROisTrue

I have been following a variety of new cryptocurrency accounts with @RealityForger and I stumbled across something truly amazing – @UROisTRUE, a cryptocoin with a fixed value of one metric ton of urea.

Urea Commodity Coin

Urea Commodity Coin

One of the things I researched prior to cryptocurrency was renewable ammonia production. We produce about 140 million tons annually, making it our most common industrial chemical, and the process used is responsible for about 1.5% of total carbon dioxide emissions. 70% of production is with natural gas and most of the rest is done with coal. There are a handful of places that still use hydroelectric power, the largest being Sable Chemical, in Kwe Kwe, Zimbabwe. Ammonia is a gas at room temperature, it’s typically transported as a cryogenic liquid, and it is very often turned into solids – both urea and various nitrate compounds. 90% of it ends up as fertilizer, the rest is used to make explosives, adhesives, and in other industrial processes.

I wrote Dead Gods Of Atacama in 2009. This is a not so long review of the history of fossil nitrogen, without which human population would have capped at about a billion people two hundred years ago.

There are two types of solid fertilizer derived from ammonia. Urea is one and it is applied just before or during rain. Ammonium is an ion and it is always found with another compound – examples include ammonium nitrate, ammonium phosphate, and ammonium sulfate. These compounds can be transported in bags and applied to dry land, which makes them suitable for areas without the infrastructure to handle ammonia or the regular rain needed for urea. Unfortunately ammonium nitrate has another use when mixed with diesel fuel – improvised explosives. Afghanistan faces a terrible problem in that a product they require for food production also plays a key role in insurgency.

A read who did not know the background on this ammonia derivative would likely breeze over the Uro Foundation web site, quickly writing off the sparse text. Understanding the implications, I read it, read it again, and then looked over my shoulder to see if there was a Candid Camera crew filming my reaction.

The Uro Foundation has this to say about its motivation:

“The existing international Urea market is incredibility inefficient, with very poor liquidity and a complete lack of agreement on pricing. The wholesale price of Urea can vary by as much as 300% between different markets, nations and regions. Real farmers – especially small to medium agricultural families – are losing crops and livelihoods over the inability to access affordable fertilizer at the time they need it most.”

Let me see if I can translate this a bit and put it into a broader perspective. 70% of ammonia is made from natural gas and this meant that farmers could hedge ammonia costs by purchasing natural gas futures. If their fertilizer price was up that meant natural gas was up as well, and their futures paid out. This is a natural insurance mechanism inherent in commodity markets … or at least it was, until 2008, when the natgas to ammonia relationship broke down for no clear reason.

We looked at charts and graphs and debated this endlessly; the inevitable conclusion was serious market manipulation, but we could never pin down what mechanism was behind it or where it was being implemented. Recall that 2008 was the year that Wall Street fired bond traders in droves and hired commodities brokers to adapt to the crash.

The 300% difference in wholesale price is less difficult to explain. A Chinese farmer just over the horizon from a coal fired ammonia plant has a much different cost than a North Dakota wheat farmer getting his ammonia from a natural gas fired plant in Trinidad. Depending on the mood of the market transportation can be a quarter of the final cost in the U.S. and that is modulated by the price of oil powered rail freight, which is much less volatile.

I think what the Uro Foundation is trying to say is this:

Food production is too important to be tied to speculation in either currency or fossil fuel markets. Our product is the foundation of food production and thusly the foundation of social stability, and we want off the financial market roller coaster.

Look at the names, look at the countries represented on the board:

  • Chief Development Officer: Bohan Huang
  • QA Engineer: Mohammad Haghighi
  • Chairman: Dr Mukul A. Desai
  • HK/Global NIER: Green Earth Systems Limited
  • India NIER: Urea Trading India
  • China NIER: Crown Team Corp.
  • South Africa NIER: CCL Pillay Group

There are India, China, and South Africa from the BRICS countries. Russia has plenty of natural gas to fertilize their wheat crop, and I know less about Brazil’s agriculture, but they are famous for their soybean exports. Soy, a legume, is a nitrogen fixer thanks to a symbiotic relationship between the plant and certain types of bacteria.

Bitcoin might have gained it’s initial foothold among crops like marijuana and opium poppies, but @UROisTRUE is a frontal assault on the banking sector’s hold on our biggest agricultural chemical market. Do you think Wall Street will retain its grip on the global economy after fifteen years of producing nothing but junk paper and periodic panics?

Cryptocurrency Family Tree By Jabo38

Last week I posted Cryptocurrency Families Visualizer based on an excellent graphic that I found thanks to @blackwood_mr. He just pointed out the original by jabo38 at BitcoinTalk. I prefer to do my own work but I feel this family tree is important enough to reproduce it here with just this introductory comment.

(A) Bitcoin (B) Litecoin (D) Dogecoin (E) Namecoin (F) Darkcoin (H) Bytecoin (J) Monero (K) Maidsafe & Storj (L) Mastercoin (M) Counterparty (N) Bitshares (O) Ethereum (P) Ripple (Q) Stellar (R) Peercoin (S) Nextcoin (U) Supernet (V) NEM (W) Nubits (X) Emunie (Y) Blockstream

Cryptocurrency Visualization

Cryptocurrency Visualization

A. After Bitcoin came out lots of imitation coins tried to copy it. They made small modifications to the code, but were really the same thing. Most of these have had their market value crash and are dead.

B. Litecoin was one of the first real innovated forks of Bitcoin. At the time it was billed as Asic proof, but now uses Asics in a positive way to keep the network secure. One problem is that 25% of Litecoins are owned by 3 wallets.

C. The success of Litecoin spawned almost 1000 clones. All of which have no real innovation and should fade away more than they already have.

D. Dogecoin is the exception to the rule, a coin that turned out to be fun and got a real community. It is a clone of Litecoin with lots and lots of coins so anybody can have some.

E. Namecoin is a truly innovative coin. One of the first to do something original. Namecoin is a fork of Bitcoin but its blockchain can store data. One possible use of this feature is to create a new DNS system, but the idea didn’t ever catch or get widespread use (yet).

F. Darkcoin is marketed as “the first anonymous coin”. It has spawned lots of clones, none of which have caught on. It uses darksend technology to hide transactions.

G. Lots of Darkcoin clones, none of which have really done a lot for themselves or the cryptocommunity. Most are thought to be pump and dumps.

H. Bytecoin is another addition to the anonymous transaction coins but uses a new method to hide transactions called Cryptonote. While the Cryptonote technology has been reviewed and thought to be good, Cryptonote’s origins and Bytecoin’s start are marred with lies and fraud.

I. A dozen or so Bytecoin clones. Many of which are tied into the original Bytecoin and Cryptonote scandal.

J. Monero is the most successful clone of Bytecoin and tried to distance itself from the scandals, but has found problems of its own and as of late the marketshare is declining heavily.

K. Maidsafe and Storj are not coins but are in part inspired by the decentralized revolution started by Bitcoin. Both platforms look to decentralize data storage and applications on top of that data. Both platforms rely on everyday users’ hard drives for cloud storage instead of centralized servers that can be shutdown.

L. Mastercoin was one of the first successful colored coins projects. It is integrated on top of the Bitcoin blockchain and can use the blockchain to represent tokens of different platforms. As of late it has lost its momentum and has become abandoned by many of the people that once supported it.

M. Counterparty has successfully usurped Mastercoin and made it irrelevant. It is based off of the same technology but is more advanced despite being later to the scene. Currently CounterParty wants to expand from just offering colored coins into something called Medici. It has done this by teaming up with Overstock. The plan for Medici is to offer shares in new companies, basically any company that wants funding via the platform anywhere in the world. It remains to be seen if CounterParty/Overstock can actually achieve this. CounterParty has also stated that it is cloning Ethereum’s code and will include it in the CounterParty protocol on the Bitcoin blockchain.

N. Bitshares is a platform that is used to trade one commodity for another on the Bitshares platform. All commodities are not backed by the commodity they represent but by a different part of the Bitshare’s platform. Bitshares is running and so far is working mostly as promised, but has been met with some skepticism and hesitation by the cryptocommunity, which has seen many other bold platforms and ideas turn out to fail or be scams and investors lose their money.

O. Ethereum is not a coin but is meant to be a raw blockchain that any other app or any other business or any other platform can connect into and use. It claims to be agnostic to other projects in the cryptocommunity and would like them all to be a part of Ethereum. The fundraiser has ended and coins cannot be currently traded.

P. Ripple uses a consensus like distributed ledger to process transactions in a similar way to Bitcoin. Ripple though only uses gateways of real partners issuing IOUs for real goods deposited with the gateway. It has a beautiful GUI and is very fast and efficient compared to other platforms but has been marred by scandal too, constantly being called a scam for its large premine. Although the premine of XRP is not meant to be a currency in and of itself as is the case with Bitcoin, but instead as an anti-spam measure. Further scandals have plagued Ripple about its XRP distribution and handling of its funds.

Q. Stellar is basically a clone of Ripple created in part by some of the same people but looks to be more transparent and fair with its platform token distribution. So far Stellar hasn’t gained the institutional partners to the degree that Ripple already has. Both/either platform if realized would make sending money overseas and changing from one currency to another extremely fast, efficient, and easy. These two platforms main and basically sole purpose is international remittance unlike the broad and wide scope many other new 2.0 platforms hope to achieve.

R. Peercoin is another Bitoin based coin that went on to do something innovative. It very quickly had all its coins mined and switch from PoW to a new way of securing the network called PoS. This is where users of the platform can use their coin balances to protect the blockchain.

S. NXT took the idea of PoS to a whole new level. It was written in an entirely different computer language than all the other cryptocoins before it. It has become a platform with many features such as encrypted messaging, asset exchange, digital goods store, and an alias with more features being worked on and planed for the future such as transparent forging and a monetary system.

T. After the broad success of NXT, many other developers tried to recreate its gains. Most turned out to be blatant scams where the developer took money and left the community. Some have managed to make blockchains that claim to have new and novel proof-of-X algorithm but none have open sourced their code and all have been plagued with problems and are lacking.

U. Supernet is a platform being built on top of NXT by a developer called Jl777. He has been very prolific on the NXT platform and has undertaken the ambitious project of Supernet. It aims to act as a bridge between other platforms connecting any altcoin with any other altcoin so that they can share each other’s benefits. It isn’t officially up and running and continues to be worked on daily by the developer.

V. NEM is a new proof-of-X platform called PoI that is used to address flaws in other PoS algorithms. It too has been written from the ground up with an entirely new source code. It has original investors in the thousands and has had an extensive beta test and will have its official release within days. It has 5 core developers that have been working for 11 months to make NEM and additionally has other members that are involved in the business, design, and marketing aspects.

W. Nubits is a coin built on the Peershares platform with Peercoin. Its innovation is to always keep a stable priced that is locked into the USD.

X. Emunie is another platform that seeks to be a platform that can do anything and everything, not just send and receive coins. It has been in a very long and much delayed production cycle. It also had problems with funds from the fundraising be stolen. Despite this it has had closed betas and is planning to launch an open beta in the first part of 2015. The beta’s planned features are quite extensive and more than what is usually offered by other platforms.

Y. Blockstream is a project by some of the most important and respected members in the Bitcoin community. No software has been released. Only a white paper is available. The plan of Blockstream is to introduce side chains into the Bitcoin blockchain. This has been labeled as the “altcoin killer”.

Z. Adept is the collaboration between IBM and Samsumg. Looking forward to the internet of things (IoT), a time when most regular electronic devices will be wired into the internet and sending and receiving data about their stats. Adept seeks to make a simple and unified platform that would enable additional applications of the IoT.

Fraud Galaxy From @Badbitcoinorg

@Badbitcoinorg popped up as a suggestion earlier this week and I just got a chance to visit the Badbitcoin site. I was not terribly surprised to find, which I mentioned earlier in Growth Hacking With Cryptocurrencies, listed as a potential bad actor.

Hashie Listing

Hashie Listing

The Badbitcoin Badlist proved to be a single basic HTML page. I copied, I pasted, I adjusted a few things, and then I had a list of 412 questionable domains in Maltego, a penetration tester’s toolkit. This system got its start as an anti-spam tool and it’s just the right thing for taking a lot of hosting information and distilling down to see where the commonalities (and scam operators) are.

Badbitcoin's Fraud Galaxy

Badbitcoin’s Fraud Galaxy

As you can see from the legend I started with just the domain names and I came up with connections to the following:

  • Web sites
  • DNS names
  • IP addresses
  • Netblocks

Maltego is the graphical tool for your desktop, and if you have the commercial version like I do, it depends on the transform servers of Paterva to get some of its query results. The system that turns Netblocks into Autonomous System numbers is down today, so I couldn’t finish drilling as far as I wanted.

The central points for clusters are things such as a DNS registrar popular with the scammers, IP addresses for servers that have repeatedly been crime scenes, and other commonalities that point to a single actor being multiple events. If the operators of Badbitcoin want to open up their working files we can probably start putting names and phone numbers on this graph as well.

I was curious about the social network for the @Badbitcoinorg account itself so I applied my Twitter Recorder Machine to the problem. The favorites of the account were a random basket of things the operator finds interesting, so while there is a group running the domain the Twitter account reads like a single person. I went through the top mentions and I was a bit sad at the end. I know something of the operator’s views based on whom they address the most, but I was hoping to find some banter with other anti-fraud accounts, which would have led to the identification of the members of that community.

Badbitcoinorg Top Mentions

Badbitcoinorg Top Mentions

The group pursuing the fraudsters is interesting, but not nearly so interesting as the fraudsters themselves. Some months ago I acquired a licensed copy of Sentinel Visualizer for a project which promptly imploded. This is a law enforcement/counter-insurgency grade link analysis tool meant for teasing apart transactions happening across both time and space. As I mentioned above, I’m very curious to see what else @Badbitcoinorg have in their files …

Growth Hacking With Cryptocurrencies

Wilson Peng’s How To Increase User Retention During The Free Trial Period recently popped up in Bitcoin P2P Digital Currency and caught my eye due to the use of the phrase ‘growth hacking’.

Peng’s recommendations are spread across several industries and they address user retention during a free trial period. The strategies include:

  • Follow Up With Email Milestones
  • Include A Strong Community
  • Set up an invitation reward program
  • Engage with your customers
  • Have Constant Updates

I have been investigating many new things connected to both cipherspace and cryptocurrency. I would include Lada Adamic’s Social Network Analysis class in that pool of constructs that seek to hold my attention, as I am getting periodic updates from Coursera prodding me to further engage the community. This class includes some practice in modeling contagions, which is useful for understanding how both diseases spread and socially mediated uptake of things like cryptocurrencies occur.

I got into ZenMiner thanks to an invite from a peer and this person later sent me the purchase price of my first miner, in order to claim their 500 HashPoint bonus. I promptly invested My First Bitcoin Pay into a top quality miner, then I sent a friend an invite and followed it up with enough bitcoin that I got a 500 HashPoint bonus of my own. This is a complex social contagion, in that it spreads more quickly when there are diverse paths to multiple contacts who might be induced to join.

I just noticed‘s offer of a free miner via @BitcoinGarden, which was similar to the reward offered by ZenMiner, but this was broadcast rather than a social connection. I got an account, but then ran afoul of their anti-scammer process, which greatly dislikes Tor.

Hashie Has No Love Of Tor

Hashie Has No Love Of Tor

Am I interested enough in a free miner to give up my home address? Nope. Am I willing to walk to the nearest cafe with wifi and give up my general geographic location? Nope. This site will probably also recognize all of the free VPN providers like VPNBook or PrivateTunnel. If I want to try this without violating my security regimen I’ll have to pick out a VPS and configure it with squid just long enough to let me finish the registration.

I’ve been digging in the altcoin scrum for the last couple weeks and I can’t look at my timeline without seeing an offer like the one from hashie. Given what I saw in the map in Cryptocurrency Families Visualized I am not going to pursue these in some exhaustive fashion, I just plan to look at enough of them that I can accurately describe what they do and how they attract and retain subscribers.

And once I understand that … things might change in a hurry.

Poloniex & Two Factor Authentication

I noticed @Poloniex the other day while researching my post on Monero, a Bytecoin derivative. This exchange offers trading and tracking for bitcoin (BTC), Monero (XMR), and U.S. dollars (USD). As a rule I am less interested in doings of speculators than I am in innovative, productive uses of cryptocurrencies, but exchanges provide liquidity and so long as they do so without engaging in market manipulation this is a good thing.

Poloniex is interesting for their clean interface and for their clear, multifaceted approach to security. Fiat currency banks and credit providers have fraud detection methods, but given the unruly frontier nature of cryptocurrencies fraud interdiction as a feature is desirable. Notice that Poloniex has ‘cold storage’ for customer funds, which offers protection similar to Coinbase’s Vault.

Poloniex Welcome

Poloniex Welcome

All serious players in the cryptocurrency business offer two factor authentication. Poloniex does something I’ve not seen with the others, and it offers a good visual representation of their attention to detail.

Poloniex Two Factor Auth

Poloniex Two Factor Auth

Two factor authentication started with RSA’s SecureID (which has been in steady decline since they sold out their customer base to the NSA). As smart phones became more prevalent and email began to require more serious security Google’s Authenticator spread, and this was followed by services using access codes via SMS.

Poloniex uses Google Authenticator, but they offer the advice that you should record the sixteen alphanumeric string that goes with the QR code. I’ve not previously seen that specific piece of advice for restoring access if one should lose access to a smart device. It’s interesting that they do not support SMS with basic mobile handsets. If you do not own a smart device or if you don’t want to experiment with your phone I suggest you check out Genymotion, an excellent Android emulator that will run Google Authenticator for you.

Two factor authentication is a must for any service you plan to use with your cryptocurrency funds and I would extend that requirement to any email address used to register an account. Phones are heavily targeted with malware. I would suggest the following alternatives to using your day to day mobile device for this task:

  • You likely have a retired phone that has both Wifi and can run Google Authenticator. Use this ‘leave at home’ device to protect large balances, just keep your pocket money in a mobile wallet on the device you regularly carry.
  • Genymotion is a layer on top of VirtualBox, which means an Android simulator hosting a Google Authenticator can be exported as an OVA file and stored on a thumb drive. Be sure to include the install file for Genymotion so you don’t get nipped by compatibility issues if you have to restore access a year or two after you make the backup.

Using cryptocurrency only requires a few new rituals beyond those you are used to for your fiat money accounts. If you are a member of Gen-X like me you’ll want to make a pre-flight checklist for these tasks that you don’t perform every day. Once you have this, at least some of your personal portfolio should be in cryptocurrency.