Today I’m going a little deeper into the wading pool that is Bitcoin.
Overview / Recap
As I discussed in our last episode, Bitcoin is a decentralized Cryptocurrency that is relatively anonymous. Technically speaking, it’s pseudonomous, meaning it records all transactions based on your online Bitcoin ID. Believe it or not, my real name is not The Geek – it’s a pseudonym. I can hide behind the relative anonymity of that name, but if my real name were tied to my pseudonym, the anonymity dissolves like a Mentos candy in a bottle of Diet Coke. Bitcoin was invented in 2009 by a group or individual known as Satoshi Nakamoto. A Bitcoin is like a Dollar in that it can be sub-divided into smaller pieces. For example, a Dollar can be broken down into 100 pennies, or 20 nickels, or 10 dimes. The smallest Bitcoin part is the Satoshi, with one Bitcoin being worth 100 million Satoshi.
Bitcoin is unique in that every transaction is visible and known to all Bitcoin clients in a digital ledger called the Blockchain. Each month, you probably get a bank statement that lists each deposit and withdrawal from your own bank account. Now imagine how unique that would be, if you had record of every transaction for every single dollar – for everyone who ever owned each dollar, since its inception back in 1785. Bitcoin’s ledger keeps track of the creation of each Bitcoin, as well as who had ownership of each Bitcoin at any given time. Pretty impressive, right? And that ledger is stored, updated, and maintained by each device that mines Bitcoin. More on that in a moment. Once a transaction is agreed upon (or confirmed) six times by miners, it is considered legitimate and is added into the Block. Each Block is then updated with a hash of the previous block, in a process that in essence chains all the Blocks together. Now the concept of a Blockchain makes sense, right? This graphic does a great job of visualizing the process:
It can take transactions up to 100 minutes to receive the necessary 6 confirmations that validate the transaction. In the good old days of Silly Putty on Sunday comics, you wrote a check to someone, then waited for that check to clear before they could access the cash. That’s kind of like how validation works, in the Bitcoin realm. But when you buy that Triple Mocha Latte at Starbucks, and pay with Bitcoin, does Starbucks really wait around 100 minutes before handing you the a steaming cup of overpriced caffeinated bean juice? Some vendors will consider a transaction as being immediately legitimate, which in Bitcoin land is called a zero-confirmation transaction. A diabolical individual could take advantage of the inherent trust in a zero-confirmation transaction, and run next door to the Gamestop (with steaming Starbucks cup in hand) and spend that same Bitcoin on a used copy of Legend of Zelda – Breath of the Wild. This is called a double-spending attack. We’ll get into this later on, in the section on Bitcoin Security.
I mentioned that each block contains a bunch of Bitcoin transactions, as well as a hash of the previous block. I attempted to explain what hashing was, but don’t think I did a very good job of explaining. Hashing takes any string of any length, and uses a one-way method to boil it down into a fixed output. Please be patient with my horrendous attempt at doing complex maths, as I confess I really do stink at it. Because all feeble attempts at complex math should begin with a universal truth, let’s start with this phrase:
I can run this phrase through a very simple process, where each letter of the alphabet is given a number. a = 1, b = 2, and so on until z = 26. Then A = 27, B = 28, all the way to Z = 52. For the sake of simplicity, I removed any spaces, but you get the point. I then add up the total of each letter’s numerical output, and get 282.
Now I take each letter’s numerical output and multiply it by itself (square it), and add them all up, and get 6,890.
And now I take the sum of each letter, and the sum of each squared letter, and multiply them together to get 1,942,980.
Because each hash must always be a fixed length, and for giggles I want my hash to be six characters long, I’ll take the left-most 6 characters, and say my hash is 194298.
Notice that my hashing algorithm always stays the same – I take the numerical output of each letter in my message and add it together (282). I then take the numerical output of each letter in my message and multiply it by itself (6,890). I then multiply those two numbers by each other (1,942,980). Then I want only the left-most six characters (194298). For that message, I will ALWAYS get the same output if I run it through my hashing rules. And note that you cannot take the hash output of 194298 and figure out what my original message was – it’s uni-directional. It’s a one-way process. And the chances that any other message having the same exact hash is extremely unlikely. So yeah – with such a small simple example as my hashing algorithm in the example, it’s possible. But most modern hashing algorithms are so incredibly complex that it’s statistically improbable that two different inputs will produce the same hashed output (in IT, the term for this is called a Hash Collision).
I can send someone my message of ILikeDuckDonuts, and include the hash for the message, and they can run my message through the hashing formula to see if it is the same. It must always be the same. Because if I change even one letter in my message, the hash is totally off.
In the security arena, hashing is a method for checking the Integrity of something. When you download a disk image of Kali Linux from their web page, they include the hash for the file. Once you download the disk image, you can run the one-way hash tool that they specify (in the picture below, the sha256sum hash), and make sure it matches what they advertised as the hash on their download web page. This guarantees that no one made one single change or modification to the file. It’s guaranteed authentic – it has integrity.
Now I’ve nerded out on you with hashing, and probably lost you forever. But hashing is a pretty big deal in the computing arena, you really should understand it. I hope that I’ve done it justice – and if not, leave it here and move on.
Bitcoin mining involves using your computer’s processing power to solving complex mathematical equations. Mining includes verifying / confirming transactions and adding them to the ledger (Blockchain), as well as developing and verifying the hash for Bitcoin transactions. Why would people want to spend their time and effort and computational power to build the Blockchain through mining? Remember the alligator / bird symbiotic relationship I spoke about in a prior blog? Zuzu Bailey had a wonderful line from a wonderful movie – “every time a bell rings an angel gets his wings”. Well, every time a new block is added to the blockchain, a new baby Bitcoin is born. And if you’re the individual who took part in adding that block to the chain you get 12.5 Bitcoin. You’re a miner, and you just found a gold nugget.
This explains why so many people willingly spend hours and powers (electricity) and money (electricity costs money) mining Bitcoins. A new block is added to the chain roughly every ten minutes. Doing the math (something I am pretty bad at), one Bitcoin is currently worth $9,021.50. If you earned all 12.5 in ten minutes, that would land you about $112,768.75. When you consider that much money being made available every ten minutes, now you understand why the world is going crazy for Bitcoin mining. All the devices (nodes) that participate in Bitcoin mining create the distributed Peer to Peer backbone upon which the entire system runs. As time progresses, the mathematical stuff you perform as part of the mining process get more difficult. And ultimately, because there is a finite number of Bitcoins to ever be mined (21 million), they should all be mined some time around 2140. Please, don’t ask me what will happen to Bitcoin miners when that finally happens – I imagine they could all just stop mining (because the reward for discovering new Bitcoins would be gone) and the entire system collapses. I don’t know. Maybe I’ll blog about it if I’m still around in 2140, that should provide a welcome break from shaking my cane at passing cars from my front porch.
With all the hullabaloo about Bitcoin, and the possibility of earning $112,768.75 every ten minutes, it stands to reason that bad guys are paying very close attention to Bitcoin. The 2017 version of the Verizon Data Breach Investigation Report (a fantastic free resource about the trends and motives of hackers) noted that 93% of all data breaches (hacks) were motivated by financial gain & espionage. It makes sense – hackers go where the easy money is. Why are there so many Ransomware attacks these days? It’s easy money.
First, let’s talk about what Bitcoin does to protect itself.
Encryption: The Bitcoin is encrypted to prevent unauthorized people from tinkering with it. Hashing: Each new blockchain contains a hash of the previous blocks, which ensures that no one tinkers with it. Decentralized: Because Bitcoin does not exist on a single computer system or bank’s network, it cannot easily be hacked and hijacked. Unregulated: Because Bitcoin is not owned or regulated by a single government agency, it is relatively free from the coercion and corruption that is inherent in any government regulation.
First, a term needs to be introduced – Theorycrafting. According to the rather excellent Bitcoin for Dummies book, theorycrafting refers to “any strategy that exists in theory and is never actually put into action”. Geeks tend to love theorycrafting – get two geeks together, and they will joyfully spend hours passionately arguing about something or other that probably will never happen. I liken this to visiting a comic book shop on delivery day (the day that all new weekly comics come in). If you stand around long enough, you’ll most likely overhear a jovial argument about important topics like Thor’s hammer, the likelihood of a kaiju attack, or something involving kryptonite. It’s pretty much a given – it’s the mesh that holds the geek universe together. So that said, much discussion revolves around attacks that may not ever happen, but may – if the technical stars align – be statistically possible. You have been warned.
I’ve already talked briefly about the biggest threat to Bitcoin Security – the dreaded Double-Spend. In actuality, this is much less common than you would think. Remember, this type of hack would require the victim to accept zero-confirmation transactions. That filters down the potential victim pool considerably, and requires more effort. Hackers typically go for the perfect balance of big gains for minimal effort – and Double-Spend doesn’t exactly fit that bill. There are several different types of Double-Spend attacks, they all have the same thing in common – they attempt to rip people off by spending a Bitcoin twice.
This brings us to the dreaded 51% attack. If one individual bitcoin miner owned more than 50 percent of all the network’s computational power, that miner would have the ability to control what transactions were written into the ledger, and control the mining process. This could create a “fork” or split in the blockchain, and cause two ledgers to form into existence. This would be bad, because Bitcoin’s reputation is built upon a single authentic decentralized ledger. If this one miner created its own fork, it could choose to enter certain transactions while ignoring others. Or to be more concise, it would allow that miner to ignore documenting its own transactions, and double-spend its own Bitcoins.
Before you write this one off as being impossible – how could one person’s computer be powerful enough to be handling 51% of all Bitcoin mining – let’s talk about Bitcoin Pools. Because so many people are dewy eyed at the concept of mining free Bitcoins (which is itself a silly concept, as mining requires hardware and power), mining groups and pools have formed, to pool all their mining resources together. In July of 2014, the Bitcoin mining pool Ghash.io crossed the 51% threshold. Thankfully, they did not intentionally (or even accidentally) cause a fork. But this forced the Bitcoin community to take action and Ghash stopped accepting new accounts into the pool. According to research, the current largest Bitcoin pools are in China and contain about 25% of all the mining resources. Iceland, Japan and the Czech Republic are in the top ten, though China clearly rules the roost. The threat of a 51% attack and subsequent fork are, for now, a topic for theorycrafting.
The biggest threat to Bitcoin security comes at the most logical place – where they are exchanged. This makes a lot of sense. Imagine, if you will, that Bitcoins are like normal currency that is stored in a third party bank vault. Because the ledger is so well built, it’s too difficult to try and tweak the books and steal money. The best strategic place to steal that money is where it is transferred between banks – the classic stagecoach robbery, if you will. In the Bitcoin arena, this happens at the Bitcoin Exchange level. Let’s say I have $20 and want to buy some Bitcoin with it, to do some online shopping. I could get an online Bitcoin wallet and attempt to sell something in real life (IRL) for Bitcoin, then I’d have some Bitcoin to my own name. Or I could buy some Bitcoin from an exchange, who has a large pool that they can sell to others in exchange for real currency. That is the stagecoach rumbling down the dirt road, ripe for the plundering.
And ripe it is. The number of Bitcoin exchanges who have been hacked and plundered is staggering. Many of the largest Bitcoin Exchanges in the world have been brought down through hacking. And because Bitcoin is not centralized, it’s difficult for a governing agency to offer insurance options that are provided for a typical brick-and-mortar bank. Or to say it differently, if you entrust your Bitcoin to a third party bank, and that bank gets hacked, you’re flat out of luck. Ars Technica provides a great (and frightening) history of the largest Bitcoin heists and robberies. It’s safe to say that millions of dollars worth of Bitcoins have been stolen at this exchange level, use it at your own risk.
So that wraps up this blog series on Bitcoin. I hope you have found it helpful and interesting. As always, if you have any questions or I’ve done a poor job of explaining something, I’d love to hear from you, the comments section works great.