Showing posts with label cybersecurity. Show all posts

Thursday, February 20, 2014

Bitcoins -what?


There is a new ATM in South Station in Boston. South Station is a sort of rail and bus hub where the subways, commuter rails, Amtrak and buses all come together on the south side of Boston. Lots of people from all over come through there.

Well, the Boston Globe reports there is a Bitcoin ATM machine there. If you've been following the news about this new currency it's kind of interesting, and I'm just imagining how many disappointed and outraged mistaken users might stumble across the machine unless the signage is significantly better than the norm here in Boston. Apparently Boston is a Johnny-come-lately to the bitcoin ATM party. I read that there are already bitcoin ATMs in Austin, Seattle and Vancouver, and maybe in Calgary. Apparently they are coming to Europe and Asia as well.

Bitcoins are a digital currency. The Wikipedia article states they were introduced as open source software in 2009 by a pseudonymous person or group calling itself Satoshi Nakamoto. It is a peer-to-peer currency, meaning that it isn't minted by a government and doesn't pass through a financial institution. It is "mined" by any individual who has the skill and computing power to set up a software program that runs the cryptography to create bitcoins, and is also earned by those who maintain the "block chain," the shared record in which every transaction using each bitcoin is traced. This prevents double spending, a major problem with digital currencies. The transactions are designed to be very secure and private between the parties. There are several problems, some with gaps in security and some with the extreme volatility of the currency compared against other currencies. Some recent news stories suggest this may settle down in the near future.
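To make the "block chain prevents double spending" point concrete, here is an added toy example (written for this post, not Bitcoin's own code or data format): a hash-linked ledger in which each block is "mined" by finding a nonce that meets a simple proof-of-work target, and each transaction spends named coins that must still be unspent and owned by the spender. The coin ids, owner names and difficulty are constructed for the demonstration.

```python
import hashlib
import json

# Toy proof-of-work target: a block's hash must begin with this many hex zeros.
# Real Bitcoin uses a far harder, self-adjusting target; this keeps the demo fast.
DIFFICULTY = 3


def block_hash(block):
    """SHA-256 over a canonical (sorted-key) JSON encoding of the block."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Hash-linked chain of blocks. A 'coin' is an output named by an id;
    a transaction names the coins it spends and the coins it creates."""

    def __init__(self):
        self.chain = []     # mined blocks, oldest first
        self.unspent = {}   # coin id -> owner, for coins not yet spent

    def _validate(self, txs):
        """A coin may be spent only once, only by its owner, and not twice
        within the same batch (the double-spend check)."""
        seen = set()
        for tx in txs:
            for coin in tx["spends"]:
                if coin in seen or coin not in self.unspent or self.unspent[coin] != tx["from"]:
                    return False
                seen.add(coin)
        return True

    def add_block(self, txs):
        """Validate the batch, mine a nonce meeting the target, append the
        block and update the unspent set. Returns the block hash or None."""
        if not self._validate(txs):
            return None
        prev = block_hash(self.chain[-1]) if self.chain else "0" * 64
        block = {"prev": prev, "txs": txs, "nonce": 0}
        while not block_hash(block).startswith("0" * DIFFICULTY):
            block["nonce"] += 1
        self.chain.append(block)
        for tx in txs:
            for coin in tx["spends"]:
                del self.unspent[coin]
            for coin, owner in tx["creates"]:
                self.unspent[coin] = owner
        return block_hash(block)

    def chain_is_valid(self):
        """Re-check every link and proof of work: altering an old block
        changes its hash and breaks the 'prev' pointer of the next one."""
        expected_prev = "0" * 64
        for block in self.chain:
            h = block_hash(block)
            if block["prev"] != expected_prev or not h.startswith("0" * DIFFICULTY):
                return False
            expected_prev = h
        return True


def demo():
    ledger = Ledger()
    # Constructed sample: a mining reward (no inputs) creates coin c1 for alice.
    ledger.add_block([{"from": None, "spends": [], "creates": [["c1", "alice"]]}])
    # alice pays bob: c1 is consumed and c2, owned by bob, is created.
    paid = ledger.add_block([{"from": "alice", "spends": ["c1"], "creates": [["c2", "bob"]]}])
    # alice tries to spend c1 a second time; the ledger records it as spent.
    double = ledger.add_block([{"from": "alice", "spends": ["c1"], "creates": [["c3", "carol"]]}])
    return paid is not None, double is None, ledger.chain_is_valid()


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The toy leaves out what the real system does to settle who owns a coin (digital signatures rather than a trusted "from" label) and how competing miners agree on one chain; what it does show is why the second spend of c1 is rejected and why editing an earlier block is detectable.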

Most in the news recently, bitcoins have been the object of speculation. When introduced into China, many Chinese citizens became enthusiastic speculators in the global bitcoin market. This caused a spike in the value of bitcoins, with a bitcoin trading at the equivalent of $1,100 U.S. in November, 2013 in China. The Chinese government, concerned about an ephemeral and foreign currency flooding their country, had the Bank of China announce in December, 2013 that Chinese financial institutions could not use bitcoin. Shortly after, the Chinese ISP Baidu announced it would no longer accept bitcoin to purchase website security services. Since 2009, according to Wikipedia, it has been illegal to purchase real world goods with virtual currencies in China.

Bitcoins, though digital, sometimes have a physical manifestation. They can be turned into a physical coin, usually made of some lightweight material like aluminum, wood, or plastic but often colored gold, to convey its value. In either the physical or digital form, bitcoins can be stolen. They have two-step security, with a private and a public key. But if a user is not careful storing the data and generating the key on a secure computer, thieves can apparently retrieve both keys and make off with the coin or coins.

Bitcoins have, like all money, been associated (already!), with organized crime. There has been a money-laundering scheme using bitcoins. There has just been a large denial of service attack on the bitcoin exchanges that forced them to suspend services. That action dropped the value of bitcoins on markets around the world. The bitcoin folks themselves have a sort of "warning" page of things you ought to know before you jump into the bitcoin experiment.

The very beautiful image of one physical form of the bitcoin is from Wikicommons, from Casascius.

Saturday, April 27, 2013

Living Social Hack and AP Twitter Account Hacked


The website LivingSocial, a daily deals site, was hacked late yesterday. The original report came from AllThingsD.com, and includes the text of an e-mail the CEO sent to staff and now the public. No credit card data or merchant financial information was accessed, which must mean that they stored them on a separate server. The cyberattack affected 50 million users (all users except those in Korea, Thailand, Indonesia and the Philippines, which use different services with separate servers). The attackers netted millions of user names, birthdates, e-mail addresses and passwords.

The website now greets users with an announcement of the attack, and a recommendation that users change their passwords. The announcement notes that passwords are coded, and the CEO's e-mail says they have been "hashed and salted." This means they use an algorithm to code, or "hash," the passwords. Salting means that each user who uses the same password would have their password "hashed" into a different coded version. However, passwords which are too easy may still be easy for the hackers to guess, since the hashing algorithm is known. Hackers can use an online dictionary and a computer to try multiple guesses in just a few seconds. But because multiple passwords set to "password" would each have a different hashed version, the hackers will have to devote considerably more time to cracking passwords.
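As an added illustration of the "hashed and salted" point (example code written for this post, not LivingSocial's actual scheme): two users who pick the same weak password get the same unsalted digest, so one precomputed dictionary table answers for every such account at once; with a per-user random salt and a deliberately slow hash (PBKDF2 here), the two records differ, the table matches neither, and each guess has to be recomputed separately per account. The wordlist and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the demonstration (not leaked data).
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]
ITERATIONS = 100_000  # PBKDF2 work factor: higher makes every guess cost more


def hash_unsalted(password):
    """Plain SHA-256: two users with the same password get the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).

    Returns (salt, hex digest). A fresh random 16-byte salt is drawn when
    none is supplied, so the same password hashes differently per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password, salt, expected_hex):
    """Recompute with the stored salt; compare in constant time."""
    _, got = hash_salted(password, salt)
    return hmac.compare_digest(got, expected_hex)


def build_lookup_table(wordlist):
    """One-time precomputation that works against every account stored
    with the unsalted scheme: digest -> plaintext word."""
    return {hash_unsalted(word): word for word in wordlist}


def lookup(table, stored_digest):
    """Instant recovery if the stored digest is unsalted and the word is common."""
    return table.get(stored_digest)


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted: alice and bob chose the same weak password and share a digest,
    # and the precomputed table recovers it with a single lookup.
    alice_unsalted = hash_unsalted("password")
    bob_unsalted = hash_unsalted("password")
    shared = alice_unsalted == bob_unsalted
    recovered = lookup(table, alice_unsalted)  # "password"

    # Salted: the same password now yields two different records, the
    # precomputed table matches neither, and any guess must be re-hashed
    # (ITERATIONS rounds) separately for each account.
    alice_salt, alice_hash = hash_salted("password")
    bob_salt, bob_hash = hash_salted("password")
    differs = alice_hash != bob_hash
    table_fails = lookup(table, alice_hash) is None and lookup(table, bob_hash) is None

    # Normal login still works because the salt is stored alongside the hash.
    login_ok = verify_salted("password", alice_salt, alice_hash)
    login_bad = verify_salted("Password", alice_salt, alice_hash)
    return shared, recovered, differs, table_fails, login_ok, login_bad


if __name__ == "__main__":
    print(demo())  # (True, 'password', True, True, True, False)
```

The salt is not secret; it is stored next to the hash. Its job is only to make each account's hash unique so that work cannot be shared across accounts, which is why a strong, unique password is still what protects an individual user after a breach.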

CNN Money Tech reports on a different cyberattack, on the Twitter account of the Associated Press. The hackers in that case planted a false report that President Obama had been injured in two explosions at the White House. AP suspended their Twitter account, with an announcement that the report was false. However, the attack exposes security weaknesses with Twitter, which security analysts had discussed with concern for some time. Apparently, unlike Facebook and Dropbox, among other sites which offer the option, Twitter does not yet require a "two-step authentication" process.

A two-step authentication, done properly, requires a combination of two out of three types of information:
1. Who you are (physical ID for instance, or fingerprint scan or facial recognition now on many laptops)
2. What you have (a gadget that generates a code, or a one-time password provided in a list by the website for users, for instance)
3. What you know (passwords, mother's maiden name for a security question, for example)

For instance, a good two-step authentication procedure might require not only your password, but also an individually created key, which might be stored only on a user's phone. The user sends the secret key along with their password. A lower tech alternative to the gadget code is the list of passwords provided separately to users. A user would input one of the codes and mark it off the list. When a user runs low on the number of codes provided by the website, they request a new list. As long as the two items are received within a short time (approximately 30 seconds), the system will accept the combination log-in. The CNN article notes that Twitter had advertised for engineers to develop a two-step security process, but apparently this has not yet been implemented.
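Here is an added example (written for this post; not Twitter's, Facebook's or Dropbox's implementation) of the "what you have" factor described above in both forms: a phone-generated code that changes every 30 seconds, derived from a secret shared with the server at enrolment (the standard time-based one-time password construction, RFC 6238, so the same numbers a real authenticator app would show), and a printed list of backup codes that are each accepted once and then marked off. The account, secret and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # the code changes every 30 seconds, as the post describes


def totp(secret, unix_time, digits=6):
    """Time-based one-time code (RFC 6238, HMAC-SHA1): the phone and the
    server both derive it from the shared secret and the current 30-s step."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, unix_time, window=1):
    """Accept the current step plus `window` steps either side, so a phone
    whose clock is slightly off still works; anything older is rejected."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class Account:
    """Server-side record (password check omitted). The second factor is
    either a phone-generated code or one of the one-time backup codes."""

    def __init__(self, secret=None, n_backup=5):
        # Shared with the user's phone at enrolment; random if not supplied.
        self.totp_secret = secret or secrets.token_bytes(20)
        # The printed list: 8-hex-character codes, each usable exactly once.
        self.backup_codes = {secrets.token_hex(4) for _ in range(n_backup)}

    def second_factor_ok(self, submitted, unix_time):
        if verify_totp(self.totp_secret, submitted, unix_time):
            return True
        if submitted in self.backup_codes:
            self.backup_codes.discard(submitted)   # "mark it off the list"
            return True
        return False


def demo(now=1_700_000_000):
    acct = Account()
    phone_code = totp(acct.totp_secret, now)                  # what the phone displays
    accepted = acct.second_factor_ok(phone_code, now)          # within the window
    too_late = acct.second_factor_ok(phone_code, now + 120)    # four steps later
    backup = next(iter(acct.backup_codes))
    first_use = acct.second_factor_ok(backup, now)             # backup code works once
    replay = acct.second_factor_ok(backup, now)                # and never again
    return accepted, too_late, first_use, replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The "approximately 30 seconds" in the post is this time step: a code captured by an attacker is worthless once the step (plus the small drift window) has passed, and a backup code is worthless once it has been redeemed, which is what makes either a usable second factor alongside the password.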

Another hack previously compromised Fox News' Twitter account. In that case, the hacked tweet was that President Obama had been assassinated. The recent fake tweet actually caused a brief downturn in the stock market. According to the CNN report, Twitter's response to these and various other hacks on corporate Twitter accounts has been to urge more care. What they need is to implement better security.

The decoration for this post is from Wikipedia, which notes it was designed in the late 1990s by Dagmar D'Surreal, as a logo for the PhreakNIC annual conference in Nashville, Tennessee. Many thanks to my son, Joe McKenzie, for technical explanations made easy.