I haven't seen anyone talk about my main concern when it comes to exploring alternative blockchains. I know some might think I'm just spreading FUD about anything that's not bitcoin (FUD means Fear, Uncertainty, and Doubt), but honestly, some of you might be overlooking some key cybersecurity basics while getting hyped as early adopters.
When I first came across bitcoin, I had a few questions:
1) Does it really work (do the concepts behind it make sense)?
2) Is it a scam?
3) If it’s not a scam, could using it expose my computer to malware or other threats?
Here’s how I tackled those questions:
1) I read and wrapped my head around Satoshi's whitepaper, then took a couple of days to really think about it before reading it again.
2) I dug up everything I could about the project, read every thread here (there were probably less than a hundred back then) and checked out Satoshi's early posts on that crypto mailing list.
3) I downloaded and skimmed the source code to see if it had any weaknesses like buffer overflow or other attacks that could be exploited remotely.
If I were to play around with a new alternative blockchain, I’d follow the same steps again. But yeah, I admit I’m a bit of an old-school cautious type.
If you’re thinking about jumping on a brand-new alternative blockchain, I really recommend you:
1) Run the software in a virtual machine or on a device that doesn’t hold anything important.
2) Only invest what you can afford to lose, both in terms of cash and time.
3) Use a unique passphrase for every exchange site you sign up to.
Thank you Gavin.
The only things I might add is that "use a different password" isn't limited to exchanges, but applies to forums, emails, and even pools , and that some antivirus heuristics seem to hate anything that has mining code in it and isn't explicitly whitelisted.
Also, don't believe everything that prominent members of the Bitcoin community have to say about alternative chains. In particular, I know some people think that the number of confirmations doesn't matter and all that matters is the total expected time of the confirmations, so that 1 10-minute-average confirmation is more secure than 3 3-minute-average confirmations. If you read Satoshi's paper it's clear this isn't true; the number of confirmations is actually more important because transaction security increases exponentially with more confirmations. (His paper has approximate figures; you'll notice that accepting 1 and 2-confirmation transactions is fairly risky.)
Good advice.
Using an alternate cryptocurrency client would be a great way to get many people to install a hidden virus that targets Bitcoin users.
If you have a significant amount of Bitcoins, I wouldn't run other clients on the same computer until the alternates have developed trust over a longer period of time... I'm probably on the paranoid side of things though.
These new cryptocurrencies are interesting, and it will be fascinating to see how it will all play out.
Generally, if you have a large amount of bitcoins on a given PC, being extra-cautious about third party software (be it an Alt-coin client or a particularly fancy casual game) is advisable.
You can have more than one wallet dat.
You just need 1 portable bitcoin client that can safely reside on an encrypted and backed up volume, and one regular one for day to day tiny stuff. It's not like you routinely send 5000+ BTC, no?
Incidentally, cobbling together a somewhat workable portable bitcoin is pretty straightforward.
I'd like to point out that there is no particular reason why several chains with different properties can't coexist.
For instance, there could be one well-established, reliable chain with only the most needed, most tested and most secure features, and a [pimp] fast-blocked, permanently experimental (sorta like TOR is always experimental forever ) feature-rich one [/pimp] , as well as dedicated-purpose chains like Namecoin and such.
Also, coins with different degrees of "necessary centralization" might exist, with userbase preference being driven by how comfortable they are with a given net's distribution of "powers that be"
Bitcoin, due to its prominence, has become "serious business". That necessitates a very conservative approach to development.
[pimp]That's why I started a fork with a more lighthearted approach to ... pretty much everything [/pimp]
People with only one computer can still securely isolate different wallets & apps from each other by using privilege separation. For example on Linux, run bitcoin/namecoin/i0coin/etc under separate user accounts, and chmod 700 their home directories.
Um, with all due respect, Artforz did not burn anyone's house down with lemons, and his actions have inflicted far less damage upon SolidCoin's credibility than CH's, let's say, questionable public relations escapades.
It has long since become a tradition to only patch stuff up when an actual attack emerges, hence leading to emergence of a tradition to demonstrate the "seriousness" of attack.
While I personally would rather follow a different approach, this state of affairs is by no means limited to Bitcoin community or even IT in general, and is here to stay.
I strongly agree. That's partly why I haven't messed with the alt chains. I even mentioned this on the announcement thread for lxcoin but it got drowned out with all the excitement about it.
I'd like to remind everyone that Gavin, with all due respect, is not an angry deity and can neither drown people he vaguely disapproves of nor feed them to the lo(l)custs.
LOL it's an open source project - there are no 'leaders' as you describe them.
No one can force anyone to do anything.
It's not some toxic community that you can clean up and you can't stop people from attacking the chains - though anyone with half an inkling of sense would realise that you can't stop that even in the closed source world
Try some adult thought beyond a gimpy lack of understanding of reality
Although I don't think the fiasco with Namecoin is over and I do believe we have made it hard for BitcoinExpress. With that said I looked into the block chain rewrite this is real and can be done while lagitamitly mining bitcoins. This exploit is quite scary for Bitcoins as a person with 20% of the hash rate can write the block chain.
The good news is it can be fixed and Namecoin is a test of such fixes.
I would STRONGLY suggest you look into this Gavin.
It's hard enough to get the half-baked alt chain software to run at all (and speed is of the essence knowing they are all quickly collapsing pyramids) never mind configuring a VM with appropriate hardware access. Here are steps I've taken which I think are "good enough" to be advice -- it's worked for me for 4 shitcoin chains so far.
1. Don't use Windows and pre-built .exes. Just don't. Ever. Nothing inherently wrong with Microsoft software, but it is well understood and commonly used by the botnet types. Staying out of the monoculture is a form of security by obscurity.
2. Create a new account with no group membership. I call mine "goatse" for obvious but nostalgic reasons. Make absolutely sure that account doesn't have read or write access outside of their home directory. Make doubly sure they can't read the raw hard drive device.
3. Log out of your main account and into that account whenever compiling or running the alt chain software. Remember that compilation & installation scripts are code!
4. Do not browse exchange sites you have coinage in and definitely do not save passwords in the browser when logged in as this account.
5. If you log into this account via ssh DO NOT enable X proxying. It's trivial to read your keystrokes, do screen captures, etc when X is proxied. Let me repeat this one, make sure X proxying is disabled. If you can type 'xterm' and see it show up on your main account's screen you're vulnerable.
And yes, I even follow this for official bitcoin software. On a different account than "goatse" of course.