Yesterday I discovered the Bets of Bitcoin site, which is a simple yet entertaining betting site. It’s a pretty simple idea: people sign up, make a statement and then people bet on whether they agree or disagree with the statement.
The statements can be anything from whether Barack Obama will be re-elected as president of the USA to whether the existence of extraterrestrials will be officially confirmed by the US government by the end of 2012. For people with a few spare Bitcoins the site can be quite entertaining, especially with some bets having an outcome that is so obvious it’s ridiculous.
So I created an account and threw a single Bitcoin in there to have a little play. Obviously I bet against the US government officially confirming the existence of extraterrestrials. In the unlikely event that I’m wrong then I’ll be more entertained by space aliens than worried about the lost bet.
Then I started trying to think of something for other people to bet on and which could be more entertaining and debated than a host of political bets (although they’re always fun). So I came up with something that I was sure would divide opinion and it was announced as live a short while ago.
— Bets of Bitcoin (@betsofbitcoin) September 20, 2012
The bet is whether or not the darknet site Silk Road will be closed by July 1st, 2013. Those who agree with the statement are betting on either a major success by law enforcement, the pseudonymous entity known as Dread Pirate Roberts retiring without passing the site on to another person (or people) or simply scamming all the users and running off with the cash. Those who disagree with the statement assume that the Silk Road staff will be able to stay one step ahead of the police for the next nine months and are in their business for the long haul.
Depending on how you look at these things, this kind of bet really could go either way. My initial bet is in the disagree camp, mainly because I think the people behind the site are pretty clever and probably can maintain a technical advantage, plus an ongoing income is much better than a quick but large scam. That said, it could really go either way and a lot can happen in nine months.
Regardless of whether I’m right or wrong, though, I expect to get a bit of entertainment out of this site by the time the bet deadline is reached. As long as the level of entertainment is worth at least ฿0.2 BTC to me, then it’s well worth it (and at the current exchange rate that seems likely).
I’d still like to see the denizens of law enforcement put their money where their mouth is and bet on agreement with my statement, but I’ll never see where the other bets come from.
Getting back to the rest of the site, it’s a nice, simple design; very clean and easy to use. I only have one technical concern with it, which I’ll be taking up with the developers. Other than that, I think it could be quite entertaining. Especially when Australian Bitcoin users start making bets on Australian politics, such as the outcome of elections and whether Kevin Rudd makes another tilt for leading the ALP.
Yesterday’s news that Paul Freebody, a candidate for the Queensland seat of Cairns, has been expelled from the Liberal National Party (LNP) highlights the need for the greater adoption of email encryption and digital signatures.
As with the OzCar Affair of two years ago, the issue here relates more to verifying that an email has not been tampered with than to protecting the content from prying eyes. Thus it is a digital signature which would have been of use to Freebody in this case. Had he already been using OpenPGP-compliant software to sign his emails, such as PGP or GPG, Freebody could have proven that the change to his email after signing and sending it was made by someone else, without needing to identify or, in this case, embarrass that person.
The reports regarding the case of Paul Freebody are a little unclear as to whether the modified email had been sent from his computer or whether a family member who had received the email modified it and then forwarded it on. Regardless of which of those two alternatives it was, the regular use of a digital signature would have helped.
If the email had been modified on Mr. Freebody’s computer before it was sent, the prompt to sign the message would have prevented the message from being sent without the relevant passphrase. If the relative had removed the signing option then Mr. Freebody could have pointed to the lack of the signature as a certain level of proof that he did not send that email.
Had the email been signed and a recipient modified the content before forwarding it to others, the signature would not validate for that message and Mr. Freebody could then have pointed to that as proof that the message had been altered. In this case Mr. Freebody could have provided a copy of the original message with the valid signature for comparison.
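As an added illustration (not the post’s own code, and not OpenPGP: Go’s standard-library ed25519 stands in for a GPG key), this shows the three outcomes the post describes: a validly signed original, a recipient-edited copy that fails verification, and a message sent with the signing step removed. The sample message bodies are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message models an e-mail body plus an optional detached signature, in the
// spirit of an OpenPGP-signed mail; ed25519 stands in for OpenPGP here.
type Message struct {
	Body      string
	Signature []byte // nil when the message was sent without signing
}

// Verdict is what a recipient (or a later inquiry) can conclude.
type Verdict int

const (
	Unsigned  Verdict = iota // signing step skipped or removed before sending
	Altered                  // signature present but does not match the body
	Authentic                // signature validates under the sender's public key
)

// Sign produces a detached signature over the body with the sender's key.
func Sign(priv ed25519.PrivateKey, body string) Message {
	return Message{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// Check classifies a received message against the claimed sender's public key.
func Check(pub ed25519.PublicKey, m Message) Verdict {
	if m.Signature == nil {
		return Unsigned
	}
	if !ed25519.Verify(pub, []byte(m.Body), m.Signature) {
		return Altered
	}
	return Authentic
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	original := Sign(priv, "constructed sample: I support the party's position")
	forwarded := original // a recipient edits the body, then forwards it on
	forwarded.Body = "constructed sample: I oppose the party's position"
	stripped := Message{Body: original.Body} // sent with signing turned off
	for _, m := range []Message{original, forwarded, stripped} {
		fmt.Println(Check(pub, m), m.Body) // prints 2, 1, 0 beside the bodies
	}
}
```

Keeping a copy of the signed original is what lets the sender produce the comparison the post mentions; without it, only the failed verification of the forwarded copy remains.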
This is the second time in as many years in which a forged or modified email has resulted in a scalp being claimed in Australian politics; yet the tools to prevent it have been available for two decades and standardised since the late 1990s. Since that time the ease of using email encryption and signatures, particularly with the combination of Thunderbird, GPG and Enigmail, has been improved considerably.
Until people in public life start using at least this aspect of cryptographic technology, even if they don’t actually encrypt their email, these kinds of scandals will continue to occur.
Recently I have noticed that a number of my friends and acquaintances have had their GMail accounts compromised. While my preferred email address is on my own server, I do have a GMail address too (actually I have a couple, but only one that is really used much) and it has not been compromised. I’ve been asked about it a little bit and I figured it best to add my thoughts here regarding best practices, along with some software recommendations.
The first and most obvious recommendation is to use a strong password, ideally with a minimum of 128 bits of entropy. The best way to achieve this is to generate a suitably strong password with KeePassX (Windows users should use KeePass). KeePassX can also be used to generate and securely store passwords for any other account or site. KeePass and KeePassX store all passwords in a database that is protected by a passphrase and 256-bit AES or Twofish encryption.
The second recommendation is to never under any circumstances use the same password for multiple accounts. Passwords for one service should not be used to link it to another service where it may be exploited by an application or plugin for the second service. This way even if one service is compromised, the potential damage is limited to that service only and won’t be able to affect other accounts on different sites.
The third recommendation is to always connect using SSL/TLS. I always recommend the Mozilla Firefox browser with the EFF’s HTTPS Everywhere plugin. In the Google account settings, enable the option to always connect via HTTPS, and enable either or both of IMAPS and POP3S.
The fourth recommendation is to configure a proper mail client, such as Mozilla Thunderbird, to connect with IMAP over SSL. Using a proper and robust mail client, like Thunderbird, is my preferred method of accessing email, but in the case of GMail and other primarily web-based email hosts this does not prevent access via the web.
The fifth recommendation is to use the Tor Browser Bundle when connecting to GMail through a public wireless point or public network (e.g. an Internet café). This software includes a modified version of Firefox that incorporates HTTPS Everywhere and will help prevent session hijacking, such as that used by the Firesheep exploit. The Tor Browser Bundle is designed to run from a USB stick and does not require any installation; simply click and run.
These fairly straightforward measures should be enough to protect any GMail account from compromise and may also be applied to other web email hosts such as Hotmail or Yahoo, although I have not checked the extent of support for SSL/TLS connections to either of those services.
Finally, I still encourage the use of the GNU Privacy Guard for securing correspondence between parties, but that is a different matter to securing the accounts themselves.
For the last couple of years the Australian government has been strongly pushing a policy of Internet censorship, usually dubbed the Clean Feed, following the UK model. The first ACMA report from 2008 included some detail of attempts to filter more than just web traffic.
The ACMA report prompted me to analyse the methods by which the government might be able to achieve one of the options in the ACMA report: filtering HTTPS traffic. My report, Cleaning A HTTPS Feed: Report on the Filtering of the Hypertext Transfer Protocol over Transport Layer Security or Secure Socket Layer Connections, was first published last year by Atomic MPC Magazine and later by Civil Liberties Australia.
Since last year’s election and the precarious outcome, the government has announced a review of the classification system before making a final decision on how to proceed with an Internet censorship regime. In spite of the significant opposition to the scheme, both the Minister responsible, Senator Stephen Conroy, and Prime Minister Gillard have voiced continued support for censorship of the Internet.
As the government does not wish to drop this policy, I don’t wish my report into the implications of certain aspects of filtering to slip by. My full report on the methods of filtering traffic which is intended to be secure is available here (PDF).