Monthly Archives: June 2011

Crowdsourcing Book Title & Design

Posted on June 21, 2011 by Michael Froomkin

Bruce Schneier is asking you to help him pick the title and cover for his next book.

Posted in Cryptography, National Security | Comments Off on Crowdsourcing Book Title & Design

EFF Straight Up on Bitcoin

Posted on June 21, 2011 by Michael Froomkin

Nobody’s perfect, and even the regularly sharp and interesting Technology Liberation Front blog can miss the point sometimes, a hazard of trying to push the envelope. And that’s what I think has happened in EFF Gone Wobbly on Bitcoin.

The Electronic Frontier Foundation‘s Cindy Cohn announced yesterday that EFF would no longer take BitCoins.1 She gave several reasons:

1. EFF’s holding and spending of Bitcoins created some legal issues that EFF didn’t fully understand.

Bitcoin raises untested legal concerns related to securities law, the Stamp Payments Act, tax evasion, consumer protection and money laundering, among others. And that’s just in the U.S.

2. Doing something that raises legal questions risks making EFF the subject of a legal action, rather than the lawyer defending someone else.

While EFF is often the defender of people ensnared in legal issues arising from new technologies, we try very hard to keep EFF from becoming the actual subject of those fights or issues. Since there is no caselaw on this topic, and the legal implications are still very unclear, we worry that our acceptance of Bitcoins may move us into the possible subject role.

3. Donors might be misled. Donors who give EFF Bitcoins (and there were quite a few of them!) would expect EFF to spend them to support its mission. But because EFF feels unable to spend Bitcoins, due to the legal issues they raise, that expectation would be dashed. That’s bad for the donors — they waste their Bitcoins — and it’s bad for EFF, as it risks disappointing the donors (and, I might add, crowding out donations in currency it would actually use).

4. Some people might take EFF’s high-profile acceptance of Bitcoins as an endorsement of Bitcoins. But EFF is not in the endorsement business.

Cindy is an old and valued friend, so I’m likely biased here, but I think that in the face of true uncertainty, EFF did the wise and courageous thing.

But Jim Harper of the TLF writes that he thinks EFF’s decision is an error:

My insta-reaction was to joke: “Related: ACLU to stop bringing ‘right to petition’ cases.” That’s a little ambiguous, so: Imagine that the government took a position in litigation that suing the government was not protected by the First Amendment, but was in fact actionable. Under EFF’s logic—avoid becoming the subject of a rights fight—the ACLU would not fight the government on that issue. Luckily, the ACLU would fight the government on that issue—as fiercely or more fiercely than any other!

I think this misses Cindy’s second point above, which to me is probably the most critical one: An organization like EFF exists to fight for our rights by advocacy, by offering legal representation, and by other means. Prudent stewardship of an institution like EFF requires that it not lightly risk the organization on any one issue. (I’m not foreclosing the possibility that there might some day be some existential issue worth betting the farm on, but I think no one seriously suggests Bitcoin is The Big One.) When EFF represents clients, it donates its time, effort, and good name; it doesn’t stand as a guarantor for damages if the case goes wrong. Thus, if EFF loses — and that happens — EFF lives on to fight another day. Becoming a party directly means risking substantial direct civil (and for all I know criminal) liability. That’s unwise because it means a loss in one matter will impose costs that will undermine EFF’s ability to function in other areas and might, in the worst case, take down the entire organization.

This concern does not strike me as excessively fanciful. The US government today is busy prosecuting reporters and whistle-blowers on new and expansive legal theories. The Justice Department has taken a litigation posture in state secrets cases that is at least as aggressive as the Bush administration did. EFF has been a leader in pushing back against secret surveillance, and is undoubtedly a thorn in the Justice Department’s side. Would, say, a Stamp Act, or money laundering, or securities law charge against what may have been the largest single holder of Bitcoins be impossible to imagine? No. While I don’t know how likely such a prosecution would be, the prudent thing for EFF management to do is not to expose itself to that risk.

Jim Harper’s second complaint is that,

refusing donations in Bitcoin seems to detract from EFF’s mission because it denies the organization a source of funds. The donors who gave U.S. dollars expecting EFF to defend things like Bitcoin may feel mislead by EFF’s reluctance to do so.

Again, I think this is exactly wrong. People who give dollars to EFF will have their reasonable expectations fulfilled: EFF will use the money to fight for cyber-rights and expressive freedom. People who gave Bitcoins to EFF had their reasonable expectations frustrated once EFF decided, prudently (or even excessively prudently), that it couldn’t safely spend them without perhaps becoming a (rather visible) target itself.

Were the federal government to prosecute a participant to a Bitcoin transaction, that might well be a good case for EFF to take on, subject to the usual case intake issues. But as a lawyer or advocate, not as the defendant.

  1. I am a member of EFF’s Advisory Board. However, I had no part in the decision on Bitcoin, and have no inside info regarding the decision other than knowing from a brief personal conversation that the concerns set out in the EFF memo are sincerely held by EFF’s lawyers and result from their having put some real time into the issue. The views expressed in this blog post are my own, and I do not speak for EFF on this — or indeed any — issue. []
Posted in Cryptography, Law: Internet Law | Comments Off on EFF Straight Up on Bitcoin

Bitcoin Gets Compromised

Posted on June 20, 2011 by Michael Froomkin

Bad times at BitCoin Mountain.

[Update – 12:52 GMT] Account recovery page will be up tomorrow morning (Japan time)

We have almost completed the account recovery page and are waiting for result to unit tests and intrusion tests (and more than anything, don’t want to put something online and go to sleep just after, best way to get screwed), so the page will be put online tomorrow morning.

It will allow every user to claim ownership of their account based on proof such as deposits, withdraws, password (if complex enough), email or notarized documentation.

Once it is deemed enough users had the chance to get their account back, the exchange will be open again (opening time will be announced at least 24 hours in advance). It will still be possible to file claims for user accounts after this.

[Update – 6:30 GMT] Still here. Still working hard to get things online.

  • SHA-512 multi-iteration salted hashing is in enabled and ready for when we get users reactivating their accounts
  • We are going to push our relaunch time to 2:00am GMT tomorrow so we have time to launch a our new backend and withdraw passwords.

Thanks to everyone sending the supportive emails and our extremely patient users. 

 

 

[Update – 3:45 GMT] DO NOT DOWNLOAD ANYTHING

If you receive ANY email which seems coming from Mt.Gox asking you to download something (certificate, generating program, etc), DO NOT DOWNLOAD. Do not either input your password on any site which is not MTGOX.COM.

 

[Update – 2:06 GMT] What we know and what is being done.

  • It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
  • Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven’t been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
  • We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified. 
  • Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT. 
  • When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
  • Once Mt.Gox is back online,  trades  218869~222470 will be reverted. 


We will continue to update as we find new information.

Huge Bitcoin sell off due to a compromised account – rollback

 

The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.

UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

SERVICE RETURN

Service will not be back before June 20th 11:00am (JST, 02:00am GMT). This may be delayed depending on what is found during the investigation.

Posted in Cryptography, Econ & Money | 2 Comments

In Which I Sort of Defend Rep. Allen West from a Charge of Illegal Flag-Wetting

Posted on June 17, 2011 by Michael Froomkin

The Daily Pulp accused Rep. Allen West of violating the law against letting the US flag get when when he took a flag Scuba diving in order to be photographed planting it on a reef.

It seems Politifact had nothing better to do than to consider this important question, and in the process of exhaustively considering it, they gave me a call. You can see their report at Bloggers say West violated federal law by diving with American flag, in which they rate the claim as “False”.

Which is sort of true. It’s certainly true that there is a zero percent chance that anyone would be prosecuted for taking a flag underwater, as the US Supreme Court has ruled that a statute (18 U.S.C.A. § 700) banning flag burning was unconstitutional. United States v. Eichman, 496 U.S. 310 (1990), and earlier Texas v. Johnson, 491 U.S. 397 (1989). From the flag burning decisions it surely follows that any attempt to prosecute someone for violating 4 USC § 8 by taking a flag under water would fail. [We won’t even discuss the question of submarines’ hulls…]

In any case there appears to be no legal penalty for violating that section (as contrasted to, say, 4 USC § 3, which creates a penalty for using the flag for advertising in the District of Columbia).

Furthermore § 8 is preceded by § 5 which says in part:

The following codification of existing rules and customs pertaining to the display and use of the flag of the United States of America is established for the use of such civilians or civilian groups or organizations as may not be required to conform with regulations promulgated by one or more executive departments of the Government of the United States.

Plus, § 8 (like §§ 5-7) uses the word “should” which also suggests this is not a legally binding rule.

So it’s pretty clear to me that this rule is advisory, or normative, but, not mandatory unless referenced somewhere else in the code, which I don’t believe it is.

This creates the odd (but not unique) circumstance that something can be a violation of a provision in the US Code, yet not a violation of a law that you can actually get arrested or fined for violating. Thus, from an enforcement perspective the rules are, as I told Politifact, an issue of decorum, not law.

Unlike Politifact, though, I’m a bit more sympathetic to the Daily Pulp story, which I’d say was carefully drafted in an attempt to be technically true. The one thing one might question is this sentence: “The Flag Code constitutes federal law, although there is no penalty for breaking this law.” (And I guess the headline too.)

But that just highlight the philosophical question: can you have a “law” that there is no penalty for breaking? If you think that everything in the federal code is “federal law” then the Pulp piece is almost true, subject to the additional complexity that this “law” would be unconstitutional if enforced (it’s not actually unconstitutional only because it is not in fact enforced).

On the other hand, if you don’t buy that — and I think I don’t — then you think the advisory parts are not really “law”. But doesn’t that maybe make the Daily Pulp story maybe “mostly true”. After all, the Daily Pulp article does immediately say the “law” is not an enforceable rule. It’s not as if they falsely suggested Rep. West was facing even a ticket, much less a court date. I’d let them off gently.

On last thought: with coral reefs being endangered, was the flag planting in compliance with environmental law? A quick search suggest it might be so long as the divers didn’t take any coral home with them, nor hit it with a boat.

Posted in Law: Constitutional Law, Politics: US, The Media | 3 Comments

How Not to Market Ethics

Posted on June 15, 2011 by Michael Froomkin

Suppose you are EthicsGame, LLC, which bills itself as “the leading provider of topic-based simulations and assessments designed to teach ethical decision-making in everyday life.” And suppose that you want to promote your “Summer Camp for Faculty”.

How do you do it? Wait for it…by spamming!

Yes, that’s right: these folks who want to teach me and my colleagues how to teach our students ethical behavior just spammed me and at least one of my colleagues with their free trial offer. (For some unexplained reason they want a “non-university email address” to give us trial access to their online ethics game. Gotta wonder about that one.)

EthicsGame, LLC appears, from a brief web search, to be a for-profit enterprise. No links for them, why give them the Googlejuice.

Plonk.

Posted in Internet | Comments Off on How Not to Market Ethics

The Computers Are Calling

Posted on June 14, 2011 by Michael Froomkin

First a computer-controlled voice “polled” me on the upcoming Mayor’s race – likelihood of voting, favorable/unfavorable for both candidates (I pushed the buttons for “unfavorable” to both), who you were likely to vote for (I pushed for Gimenez), party registration, gender, age group.

One minute later, the phone rings and a similar recorded voice tells me that “Hialeah Robaina” (I really do not like that phrase, I do not care if it is polling well as a negative, I think it will backfire) is the highest paid Mayor in the area, knocking down $250,000 of tax dollars to fund his “lavish lifestyle”.

At the end of it there was a five second delay – long enough for most folks to hang up – then it said it was paid for by “Common Sense Now”… whatever that might be. The disclosure laws have been reduced to a mockery.

One minute later the phone rings again. Enough already! But it’s the computer from the kids’ orthodontist calling to remind us about an appointment.

Previously: Report From the Miami-Dade Mayoral Candidate Debate

Posted in Miami | Comments Off on The Computers Are Calling