In a recent spillover of internet-based long-form intellectual new media into the mainstream, Eric Weinstein appeared as a guest on Ted Cruz's podcast. Eric was well prepared. Cruz played the role of a charitable and engaged critic while avoiding direct confrontation. The conversation laid bare the intersection of the anti-corporate socialist left and anti-government libertarian right and the potential of these forces as a combined political interest. There was a strong sense of shared acknowledgement of the current crisis and they touched on all the culture war aspects. But I'm more interested in what Eric has pointed to now several times as the root cause of the systemic decline, and what seems to be the original trigger for the slow decay and building of tension that has ultimately led to the rise of darker elements on both the left and right that we see today: a Great Decoupling of productivity (GDP) and wage growth in the early 1970's. The significance of this time period has also been highlighted by Eric's boss, Peter Thiel. We are referred to https://wtfhappenedin1971.com/, where a collection of charts give the impression that a profound change in the foundations of the economy took place, effectively causing a divergence of all kinds of metrics related to equality, wealth creation, the complexity of regulation, and implicitly downstream effects like political polarization, incarceration rates, and age of marriage. The simple, seemingly persuasive answer is that the effective cancellation of the gold standard set us on a path towards borrowing ever larger sums to avert financial crises as they arise, and the return to a currency backed by something provably scarce, i.e. bitcoin, is a solution. I can't say I'm convinced it's that simple. And Eric doesn't mention currency specifically as the problem. So what I want to know is, was 1971 a real inflection point, the real root of inequality and dysfunction we see today?
Was the removal of limits on the Fed's ability to print money a mistake? Or was there some other government action or change at that time that was the real cause? Do we need to let stock market crashes happen from time to time? A year ago, u/gwern posted a 1986 Atlantic article that described a lot of the problems in black America that are still around 4 decades later and offered more in the way of nuance and insight than most of the discourse we see today. What struck me on revisiting it was how the timing of the decline of Chicago aligns with the early 1970's trigger hypothesis:
In 1970 thirty-seven percent of the population of the area was below the poverty line; in 1980 the figure was 51 percent. In 1970 the unemployment rate was 9.5 percent; in 1980 it was 24.2 percent. In 1970 forty percent of the residents of the neighborhood lived in families with a female head; in 1980 the number had grown to 72 percent. In 1980 of the 54,000 residents 33,000 were on welfare. Experts agree that all of the numbers are even worse today.
My mental model for social issues is that they are mostly rooted in economics. If you have a society that generates wealth, you can pay teachers, doctors, and police well enough to attract competent candidates and the competition necessary to create real expertise. You can afford to build and maintain good infrastructure and spend time on figuring out how to best help the disadvantaged. You have the resources to advance technology and support the arts. You get all the positive feedback loops that come with this. When wealth generation becomes concentrated and restricted, public institutions start to struggle, people feel they have less opportunity, and social issues start to bubble up like the formation of outgroups of all kinds. A massive oversimplification, I know, but a useful general framework for approaching issues that avoids (mis)placing blame on cultural degeneracy, "evil" corporations, or other common scapegoats that are largely symptoms of greater problems. Today, this mindset seems to align with the conservative right, but in the 1986 article it's the "liberal answer" to the problem of ghettos that I identify with:
In Chicago the harbinger of the change was the closing in the late fifties of the stockyards, which for half a century were the sine qua non of lower-class grunt work and a heavy employer of blacks. Chicago lost 200,000 jobs in the seventies; small shut-down redbrick factories that used to make products like boxes and ball bearings dot the city, especially the West Side. The lack of jobs, the argument continues, caused young men in the ghetto to adopt a drifting, inconstant life; to turn to crime; to engage in exaggeratedly macho behavior -- acting tough, not studying, bullying women for money -- as a way to get the sense of male strength that their fathers had derived from working and supporting families. As Murray believes that one simple step, ending all welfare programs, would heal the ghettos, the unemployment school believes that another simple step, jobs, would heal them. "When there's a demand for the participation of the black underclass in the labor force, most of the so-called problems people talk about will evaporate in a generation," says John McKnight, an urban-research professor at Northwestern University.
Indeed, Mr. McKnight. And up until this spring, it looked like the Trump presidency's aggressively pro-jobs and pro-American workers policy was showing promise of vindicating this view - the presence of BLM and racial tensions leading up to 2016 had all but subsided by 2018-2019. I wonder just how little backlash the George Floyd incident would have caused if the pandemic hadn't undone the economic progress of the past 3 years. Mind you, that "progress" was but a tiny step in the right direction in terms of improving wages and opportunities for the lowest earners. And for all the times the "audit the fed" meme hit the top of the_donald, it now seems impossible that the current administration has any capability or willingness to take the drastic steps needed to address the real root cause that apparently started 50 years ago. To do that, we may need an actual revolution.
My 2019 curated list of articles, resources and links on programming, math and computer science.
Hi /compsci! Every year I bookmark many websites, tutorials and articles on mostly programming, math, technology and computer science. I go through them all at the end of the year and curate the best, unique and interesting stuff to make a list for myself (and discard the others). I hope some will benefit you, ignite your interest further in computer science or give you something interesting to read and learn. Enough talk, let's get to the meat!
Paperdigest tracks and analyzes all new papers (AI, machine learning, vision, robotics, etc.) uploaded to Arxiv and published at selected conferences, and then generates a one-sentence summary for each paper to capture the paper's highlight.
cogsci reading list, the cognitive science subreddit's reading list, is an amazing resource with a lot of books, papers and articles if you're into cognitive science.
Gwern's Blog/Website, about psychology, statistics, and technology; Gwern writes about darknet markets & Bitcoin, blinded self-experiments & Quantified Self analyses, dual n-back & spaced repetition, and modafinil.
Pragmatists, Romantics, Analysts, and Fundamentalists: a fun heuristic for classifying personalities
What are your favourite ways of categorising personality types? Joke: Big 5. Broke: MBTI. Woke: Zodiac Sign. Bespoke: Which Veggietales Character Are You? In all seriousness, I love finding interesting new ways of categorising personalities. I've taken MBTIs, Big 5s, Personality Disorder tests, and Hogwarts House quizzes more times than I can count. Even if a given schema isn't scientifically robust, it can serve as a useful shorthand among a knowing audience - you can communicate a lot by saying things like "he's a typical fucking Aries" or "he thinks he's an Aragorn but he's actually a Boromir". I'd love to hear what schemata others have come up with, but one useful little framework I've devised and found surprisingly adaptable is to carve up people into Pragmatists, Romantics, Analysts, and Fundamentalists. Pragmatists are relatively unreflective and just want to get on with life. Romantics are driven by emotion and beauty. Analysts are self-conscious optimisers who value truth and knowledge. And fundamentalists operate on the basis of axiomatic principles that structure everything else they do. Pragmatists think the other types are out to lunch. Romantics think the other types are boring and cold. Analysts think the other types are stupid and unreflective. And fundamentalists - insofar as they understand the other types at all - think of them as benighted and deprived of some basic insight. I don't think this framework is particularly useful in classifying people tout court, but it's quite intuitive to apply to particular domains. Consider Christianity, for example. A Pragmatist Christian goes to Church because that's what they've always done and the Minister gives funny sermons and it's a good opportunity to chat about what's happening in the community. A Romantic Christian is a William Blake type - they're moved to tears every time they listen to Allegri's Miserere, and love Kierkegaard. They've probably been to Taizé.
Analyst Christians are impressed by the Cosmological Argument, have a signed copy of the Summa Theologica, and privately worry a lot about the problem of evil. Finally, a Fundamentalist Christian cleaves to a few basic principles - maybe that's biblical literalism, but it could equally be a single moment of personal revelation they had that they've subsequently built their life around. Science is another nice example. The Pragmatic Scientist would like to finish the paper they're working on, get a publication in Nature, and secure a juicy grant. The Romantic Scientist gazes at the stars at night feeling a mix of terror and wonder. They think about the Fermi paradox ten times a day. They probably love Carl Sagan. The Analyst Scientist likes meta-analyses, worries about the replication crisis, and complains about the statistical incompetence of their peers. The Fundamentalist Scientist is in a ten year back-and-forth publication battle with a rival at Stanford who they consider to be a fucking idiot who doesn't grasp the obvious truth of Modified Newtonian Dynamics. They are possibly a fan of Richard Dawkins. I also see a nice mix of these personality types in the Rationalist community. Probably the Pragmatist Rationalists are the least well represented, but they're around. They started reading Less Wrong after they started working for an algorithmic trading fund and it was recommended to them by a coworker. They're always on the lookout for inadequate equilibria they can exploit. They bought BitCoin early and used the money to fund their EVE Online Corp. They frequently make comments like "Well if you really believe that, you could make a bunch of money on PredictIt right now." They use Modafinil three times a week and can't understand why everyone doesn't do the same. Naturally, they're one-boxers. The Romantic Rationalists, by contrast, probably came into the movement after reading Kurzweil and Bostrom.
They worry a lot about consciousness and frequently flirt with panpsychism. They love Scott Alexander and CS Lewis and have read Harry Potter and The Methods of Rationality seven times. They sometimes worry that they've given themselves HPPD from microdosing but aren't sure if things always looked that way (or maybe it's just their new polyphasic sleep schedule?). The Analyst Rationalists got into Rationalism via reading u/gwern or maybe listening to Rationally Speaking. They find Newcomb's problem deeply disturbing but find One Boxers to be baffling and annoying. They try not to think about Roko's Basilisk (sorry for mentioning it). They take 2mg of melatonin to sleep at night but worry that they're becoming dependent. They see the obvious appeal of Mealsquares. They use unnecessary formalism at every opportunity. They actually read the fucking article you just posted. Finally, Fundamentalist Rationalists probably came across Less Wrong at a delicate age and were immediately convinced by the obvious and irrefutable truth of Timeless Decision Theory, HBD, antinatalism, or Bayesianism. They are up to 20g of Phenibut a day but have no intention of tapering. They either love or despise Nicholas Nassim Taleb. They once broke up with their girlfriend because she was a Frequentist. They have probably been banned from the Culture War Thread at least once.
This is a subreddit in which all posts (except for this one) and comments are generated automatically using a fine-tuned version of the GPT-2 language model developed by OpenAI. This project is similar to (and was inspired by) /SubredditSimulator, with the primary difference being that it uses GPT-2 as opposed to a simple markov chain model to generate the posts/comments. This highly advanced language model results in significantly more coherent and realistic simulated content. This subreddit is not intended to be interactive, so please do not post or comment here. If you wish to discuss anything related to this subreddit, or highlight particular comments/submissions, please use SubSimulatorGPT2Meta.
How were the submissions/comments created?
For each subreddit that I was simulating (see below for the current list), I used Pushshift to scrape a selection of its comments, as well as the titles/urls/self-texts of its submissions. I typically grabbed a maximum of around 500K comments per subreddit. Using this, I was able to construct training sets specific to each subreddit, which I could use for fine-tuning GPT-2. These are simply very long txt files (usually ~80-120 MB) containing the comment and submission information that I'd scraped. In addition to the body of the comments/submissions, these txt files also included the following metadata:
The beginning and end of each comment/submission
Whether it was a submission, top-level comment, or reply. Top-level comments are often very distinct from other replies in terms of length and style/content, so I thought it was worth differentiating them in training.
The comment or submission ID (e.g. this would have an id of “bo26lv”) and the ID of its parent comment or submission (if it has one). This was included as an attempt to teach the model the nesting pattern of the thread, which otherwise it would have no information about. My idea was to place the ID at the end of each comment and then to include the parent_id at the beginning, so even with a small lookback window it could hopefully recognize that when the two ids match, the second comment is a reply to the first.
For submissions, the URL (if there is one), the title, and the self-text (if any) were all separated by new-lines
I then put all the submissions and comments in a txt file in an order mimicking reddit’s “sort by top”, and fine-tuned for each subreddit using GPT-2-345M, specifically nsheppard's GPT-2 implementation. This tutorial written by u/gwern provided very helpful guidance as well. Once I had the models trained (I usually let them each run about 20K steps), my method for actually generating one of the "mixed" threads was:
Randomly select a subreddit and generate a submission (consisting of a title and url or self-text) by prompting that subreddit's model with my "submission" metadata header.
Generate top-level comments by randomly selecting subreddits and prompting each of their models with the submission info appended with the "top-level comment" metadata header (correctly matching the submission id).
Similarly, generate replies by prompting with the "context" (i.e. the submission info and the parent comment) appended with the metadata header of a reply (again correctly matching the parent comment's id). Generate replies-to-replies in the same way. (Note: I could have done more levels of replies, but the generated text usually gets less coherent at greater depths, and it occasionally starts to return incorrectly-formatted metadata as well.)
The "subreddit-specific" threads were generated identically to the "mixed" ones, except instead of randomly selecting a new simulated-subreddit for each comment, it sticks with the one that made the submission. (EDIT: As of 1/12/2020 the model has been upgraded to use the 1.5B version of GPT-2 rather than the 345M models. Another difference is that the original 345M models had been separately fine-tuned for each subreddit individually, whereas the upgraded one is just a single 1.5B model that has been fine-tuned using a combined dataset containing the comments/submissions from all the subreddits that I scraped. For more details, see the announcement post here.)
I currently generate three types of simulated threads: "mixed", "subreddit-specific", and "hybrid". These can be identified by the tag/flair to the left of each submission. In the "subreddit-specific" threads, the selected subreddit is the same for the submission and all its comments. In the "mixed" threads, on the other hand, a new subreddit is randomly selected before making each comment (this type more closely matches the style of the original SubredditSimulator). In the "hybrid" threads, the selected subreddit is combined with a model fine-tuned on a non-reddit text corpus (for now, usually the writings of some particular well-known author), and this combination is used for both the submission and all the comments. The intention is that it should generate comments that are still relevant to the chosen subreddit, but are also written in a distinct style. See my explanation posts here and here for more details on this. For now, a new thread is posted every 20-30 minutes. IMO, the "subreddit-specific" threads are usually more coherent than the "mixed" ones, so I generate the former more frequently (3/4 of the time, with the remaining 1/4 being the "mixed" threads). I only generate "hybrid" posts occasionally, so those don't have any fixed schedule.
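The training-file layout described above (begin/end markers, a submission vs. top-level vs. reply header, the parent id at the start of each record and the record's own id at the end, "sort by top" ordering) and the prompt-then-validate generation loop can be made concrete in a few functions. The code below is an added example, not the SubSimulatorGPT2 project's own code: the marker strings, the dataclass names, the base36 id check and the sample submissions and comments are all constructed here, since the page does not give the project's exact tokens. `parse_generated` is the part a practitioner would want at deeper reply levels, where the post notes that the model starts returning incorrectly-formatted metadata: it rejects a completion whose id line or end marker is missing instead of posting it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Marker lines bracketing each record and naming its type. Constructed for
# this example; the project's real marker strings are not given on the page.
SUBMISSION_HDR = "<|submission|>"
TOP_HDR = "<|top-level|>"
REPLY_HDR = "<|reply|>"
END = "<|end|>"
HEADERS = (SUBMISSION_HDR, TOP_HDR, REPLY_HDR)

ID_RE = re.compile(r"^[a-z0-9]{6,7}$")  # reddit base36 ids such as "bo26lv"


@dataclass
class Submission:
    id: str
    title: str
    score: int
    url: Optional[str] = None
    selftext: Optional[str] = None


@dataclass
class Comment:
    id: str
    parent_id: str  # id of the submission or comment this replies to
    body: str
    score: int
    top_level: bool


def format_submission(s: Submission) -> str:
    """Header, then url / title / self-text on separate lines, then the id."""
    lines = [SUBMISSION_HDR]
    if s.url:
        lines.append(s.url)
    lines.append(s.title)
    if s.selftext:
        lines.append(s.selftext)
    lines += [s.id, END]
    return "\n".join(lines) + "\n"


def format_comment(c: Comment) -> str:
    """parent_id right after the header, the body, then the comment's own id."""
    hdr = TOP_HDR if c.top_level else REPLY_HDR
    return "\n".join([hdr, c.parent_id, c.body, c.id, END]) + "\n"


def build_training_text(subs: List[Submission], comments: List[Comment]) -> str:
    """One txt blob ordered like reddit's 'sort by top': submissions by score,
    each followed by its top-level comments by score, each of those followed
    directly by its replies, so a parent id and the matching reply sit within
    a short lookback window."""
    by_parent: Dict[str, List[Comment]] = {}
    for c in comments:
        by_parent.setdefault(c.parent_id, []).append(c)
    for lst in by_parent.values():
        lst.sort(key=lambda c: -c.score)
    out: List[str] = []

    def emit(parent_id: str) -> None:
        for c in by_parent.get(parent_id, []):
            out.append(format_comment(c))
            emit(c.id)  # replies-to-replies, depth-first

    for s in sorted(subs, key=lambda s: -s.score):
        out.append(format_submission(s))
        emit(s.id)
    return "".join(out)


def build_prompt(context: str, parent_id: str, top_level: bool) -> str:
    """Context (submission text, plus the parent comment for a reply) followed
    by the header of the record the model should complete, with the parent id
    already filled in so the model only has to write the body and its own id."""
    hdr = TOP_HDR if top_level else REPLY_HDR
    return context + "\n".join([hdr, parent_id]) + "\n"


def parse_generated(completion: str, expected_parent: str, top_level: bool) -> Optional[Comment]:
    """Validate the text the model appended to build_prompt(...): body lines,
    then a base36 id line, then END. Returns None for malformed metadata so the
    thread builder can drop the comment rather than post it."""
    lines = completion.strip("\n").split("\n")
    if END not in lines:
        return None
    lines = lines[: lines.index(END)]  # ignore any hallucinated next record
    if len(lines) < 2 or not ID_RE.match(lines[-1]) or any(l in HEADERS for l in lines):
        return None
    body = "\n".join(lines[:-1]).strip()
    if not body:
        return None
    return Comment(id=lines[-1], parent_id=expected_parent, body=body, score=0, top_level=top_level)


# Constructed sample data (not scraped from reddit).
SAMPLE_SUBS = [
    Submission("ab12cd", "Is 1971 a real inflection point?", 40, selftext="Some self-text."),
    Submission("ef34gh", "Curated list of articles", 90, url="https://example.invalid/list"),
]
SAMPLE_COMMENTS = [
    Comment("c00001", "ab12cd", "Top comment on the first post", 12, True),
    Comment("c00002", "c00001", "Reply to that top comment", 3, False),
    Comment("c00003", "ab12cd", "Higher-scored top comment", 20, True),
    Comment("c00004", "ef34gh", "Only comment on the second post", 5, True),
]

if __name__ == "__main__":
    print(build_training_text(SAMPLE_SUBS, SAMPLE_COMMENTS))
```

Running the block prints the ordered training text for the sample data; the "ef34gh" submission comes first because it has the higher score, and within "ab12cd" the comment scored 20 precedes the one scored 12, whose reply follows it immediately.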
Current list of bots
I currently have fine-tuned models for the 130 subreddits listed below. Some of these I chose because they were highly rated on SubredditSimulator, and others I just thought would be interesting or amusing to see. I'm open to adding other subreddits if there is demand; please make such requests in SubSimulatorGPT2Meta if you have them.
List of Scott's most influential twitter followers
It seems like Scott/SSC has gotten much more mainstream recognition over the past year, so I was curious to know who the most influential SSC readers are now. Using twitter follower data for this isn't perfect (follower count is not a perfect proxy for influence, not all SSC readers follow the twitter account, etc.), but it's the best I could think of and I figured it would be a fun exercise regardless. As an aside, a few interesting stats I learned about Scott's twitter followers (scraped on 12/30/17):
Of the top 100 most-followed followers, the gender breakdown (by my count) is 82 men vs 8 women (along with 10 organization or anonymous accounts). Among the top 50, it's 43 men and 1 woman (Liv Boeree)
385 followers (2% of the total) have bios including either "bitcoin", "ethereum", "crypto" or "blockchain"
There are 67 followers whose bios include either "@Google", "@ Google", "at Google", or "Googler"
Note: When constructing the top 100 below, I excluded accounts that had extremely large Following counts, since I wanted the list to just consist of (likely) actual SSC readers. My exact rule was to exclude any account that follows >20K, include any that follows <10K, and include accounts in the 10K-20K range iff their following/follower ratio was less than 10% (this last condition was mostly just because I wanted to keep @pmarca on the list). Anyway, below is the top 100. I also constructed lists for Eliezer, Robin Hanson, and gwern, and I can post those in the comments if anyone's interested.
Disaster averted: How I would go about addressing climate change
There is a lot of despair surrounding climate change lately, because the future we had hoped for did not unfold. The despair is justified to a large degree, as a lot of things have gone terribly wrong. As an example, the Americans have decided to elect a president who doesn't want to commit to reducing carbon emissions and instead wants to subsidize the dying coal industry. I don't feel like delving too much into the question of what causes this delusional mentality, nor do I feel like addressing the various arguments people have come up with to justify sticking their heads into the sand. Today I'd rather look at some of the things we can still do, to preserve a habitable planet. Even if the catastrophic predictions about positive feedback loops that go around turn out to be correct, it's unjustified to state that all hope is lost. There's a lot that can still be done, that people haven't adequately considered. I hope to cover some of those projects today.
Emergency interventions for threatened ecosystems
You might have seen some of the studies that came out, arguing that limiting the temperature rise to 1.5 degrees Celsius would be insufficient to save most of the world's coral reefs. The coral reefs seem to be the most urgently threatened ecosystems out there. However, there are a number of emergency measures we can take, that would help us to buy time to prevent the coral reefs from dying. As an example, we can emit sulfates into the atmosphere, that block sunlight. It's estimated that one kilogram of well-placed sulfates can offset the effects of hundreds of thousands of kilograms of carbon dioxide. Studies have been done on this subject, which found that placing sulfates into the atmosphere would help us to prevent the coral reefs from dying. Other emergency measures for the coral reefs are discussed here. It's important to note, of course, that the coral reefs aren't just at risk of extreme temperatures, they're threatened by ocean acidification too. However, ocean acidification can also be addressed to some degree as well. Seaweed takes up carbon from the ocean when it grows, thus locally raising the pH of the ocean. Studies are being done, that look at protecting coral reefs, by building seaweed farms near the coral reefs. The seaweed farms are found to be able to buy us anywhere between 7 to 21 years. Of course, it's important to note that we first need to ensure that seaweed cultivation becomes economically viable on such a large scale. A good start would be to start eating seaweed. Globally, seaweed cultivation is the fastest growing crop, growing by an estimated 8% per year. Billions of people worldwide receive too little iodine in their diet, including an estimated 70% of people in the United Kingdom. I personally try to eat a lot of seaweed.
If the seaweed industry grows fast enough, costs may eventually drop down enough, to allow us to feed seaweed to our pets and to farm animals, before we will eventually use seaweed as a form of biomass for renewable energy.
The meat industry
The Japanese eat a third of the amount of meat Americans eat, but live four years longer on average, with far less obesity, heart disease, diabetes and cancer. I think humans benefit from some animal products in their diet, but we certainly don't need as much meat in our diet as we eat in the Western world. The ideal scenario would be if we could eliminate the consumption of all domesticated vertebrates. Instead, the main meat we would continue to eat would be from shellfish. We're approaching the point where we can grow meat in labs, at commercially viable prices. When this happens the amount of land needed to produce meat is reduced by 99%, while greenhouse gas emissions are reduced by 78-96%. Globally, the vast majority of the land we use, is used to grow animals who end up as meat on our dinner plate. It's clear that if lab-grown meat can be deployed on a large enough scale, large-scale reforestation of the planet becomes a viable objective to pursue. Many farms will go bankrupt, while massive migrations from the countryside towards the city will occur, as new jobs will emerge in cities, at the cost of rural lands. Governments can and should encourage this development. An easy way to encourage this development, would be to level the playing field. You don't need to subsidize lab-grown meat, we can easily stand on our own feet. Instead, get rid of your agricultural subsidies for meat production. I'm all in favor of Britain withdrawing from the EU, because the EU pumps billions of dollars every year into an unsustainable form of agriculture that puts our planet on the path towards global annihilation while filling the pockets of blue-blooded aristocrats who happen to have inherited a lot of land, most of which was simply stolen over successive generations.
I have long been skeptical, but it's clear to me now that an economy based on renewable energy can function. It might not be easy and it may take some adaptation, but we can sustain civilization without fossil fuels. The big argument generally brought up against renewable energy is that renewable energy is an intermittent form of energy. However, this doesn't have to be a significant problem, if we consider the simple fact that our civilization can learn to use energy on an intermittent basis. As an example, a house that's well insulated can lose 1 degree Celsius of heat, when it goes four hours without being heated. Thus, if you're dealing with intermittent electricity, excess electricity could quite easily be used to heat the house. How would you go about using excess electricity to heat your house? I can think of many ways, but here's an example: If your computer is running BOINC, it could quite easily be set up to start grinding once electricity prices are cheap and temperatures in your house are low. Once Gridcoin becomes a success, this will actually earn you money. Similarly, when your refrigerator is closed, like it generally is during the night, it can quite easily go a few hours without cooling. Appliances can quite easily be designed to work with the reality of intermittent electricity. Of course I'm not suggesting here that we could cope with a world where everything runs on intermittent solar and wind, with zero storage. Fortunately, to some degree we will find ourselves able to store electricity. Electric cars can be used to donate electricity to the grid, during moments of (looming) shortage. In addition to this, we will always maintain a source of electricity that's not intermittent: biomass. In the ideal scenario, we will create giant seaweed farms, where seaweed is grown that's then burned in our current coal plants.
The carbon that's emitted when the seaweed is burned can then be used for various purposes, rather than being dumped into the atmosphere. I often see the argument proposed that some solution can't be scaled. There is not enough lithium for electrical cars, there is not enough lead for batteries, there is not enough land for biofuels, there are not enough empty roofs for solar panels, etcetera. What's forgotten in these arguments, is that none of these solutions will have to stand on their own. Climate change is not an easy problem, but it's a problem that's going to be solved by applying many different solutions. Some societies will be successful at this and succeed, others will fail and become failed states. America under Trump is likely to join the latter category. Another issue that's forgotten, is the fact that we're really spoiled, to a degree that it harms us. What would happen if Americans would suddenly have their electricity supply drop by fifty percent? If they can't learn to use electricity more efficiently, they would have to return to the standard of living they had in the 1960's. Did people die of hunger in the streets back then? As far as I can tell, they played more card and board games and went out more, rather than staring at screens. I think if we lost fifty percent of our electricity supply, we would be miserable for a few months, before we would breathe a sigh of relief and learn to deal with it. To me, the real question is whether we have the willpower to do what needs to be done, not whether it can be done or not.
I've already shown that we can free large amounts of land through lab-grown meat, that can then be used to grow enormous forests that will sequester carbon dioxide. The Amazon rainforest can be restored to its original extent, if we play our cards right. However, it doesn't stop here. We have alternative methods of carbon sequestration available to us too. If we covered 9% of the world's oceans with seaweed, we could sequester all the carbon dioxide we emit per year today. The reality remains that most of the ocean consists of deserts, where nothing can live because seaweed, corals and shellfish don't have the attachment points to grow and develop a rich ecosystem. You might have seen some of the nature documentaries, where an old ship is dumped at the right location, to make an artificial coral reef. This can be done in many ways, for many different organisms. Wind farms in the North Sea were discovered a few months ago to serve as perfect places for oysters to attach to. These oysters grow there now and attract other animals, that live off the oysters. In a similar manner, humans can grow seaweed in places, simply by creating attachment points for these plants. We're used to destroying ecosystems, turning giant forests into deserts as we have done around the world. What we're capable of doing too, is turning oceanic deserts into giant underwater forests. It doesn't require intense effort, we're already doing it by accident, as the wind turbines in the North Sea have demonstrated. When we grow biomass, we think of it as a carbon-neutral form of energy production. We can easily turn it into a carbon-negative form of energy production however, simply by using the carbon dioxide. There are many different forms of carbon sequestration. The most promising perhaps, is to build with carbon-negative concrete, which is concrete that's built using carbon dioxide. Concrete production currently causes 5% of all global CO2 emissions. 
It's thought however, that we can produce concrete that sequesters twice as much carbon as regular concrete emits. We would thus be able to reduce CO2 emissions by 15%, simply by replacing all of our current concrete with this new carbon-negative concrete. The curve of technology adoption is becoming steeper. Whereas it took a century before most people in Western nations had cars, it took ten years before most of us had internet. How fast do you think we can transition to 100% carbon-negative concrete? I think this can be accomplished within a few years, if we're willing to make the transition. Similarly, in Iceland, power plants are being developed that sequester carbon dioxide while generating energy. Of course the amount sequestered is not enormous yet, the equivalent of 150 Bitcoin transactions, but it's a first step in the right direction.
I think this solution is important to note, even if it will seem like far-fetched science-fiction to some of you. This is ultimately a solution on which every above solution will come to depend. We're used to problems that have a singular unified solution. Climate change is not such a problem, it requires reconfiguring our entire carbon-based economy. We will find ourselves faced with a situation that may require hundreds of small solutions, rather than one single big solution. This requires intelligent people, who are capable of discovering and implementing such solutions. What we need right now is a cultural transition, that will lead people to take this problem seriously. When people take the problem seriously, they'll take the solutions seriously and move towards implementing them. One important thing we've noted, is that people's environmental attitude, is strongly linked to their ability to delay gratification. People who are able to delay gratification, desire to take care of the environment they inhabit. Delayed gratification in turn, is a product of intelligence. When we look at societies where people try to take care of the environment they inhabit, we find that the people there tend to be relatively intelligent. Consider for example, the two nations where the highest percentage of the population considers climate change to be caused by human activity: South Korea and Japan. South Koreans and Japanese people are among the most intelligent people on the planet. Similarly, Chinese people score at the top of the list. Why do Americans stick their heads into the sand? Why do they vote for leaders who pretend the problem isn't real? 
Why are you guaranteed to have some American numbnuts show up in the comment section of any article about climate change, insisting that we'll soon have a solar minimum that will somehow end the problem, that the climate has always changed, that volcanoes actually emit more CO2 than humans, that carbon dioxide makes plants grow, that climate change is actually caused by poor Indians and Africans who have too many children rather than by Americans, or that it only seems like the Earth is warming because of measuring stations located near cities? The answer is that, on average, Americans are simply not very intelligent people. Keep in mind that 41% of Americans genuinely believe that Jesus will return to Earth before the year 2050. Besides lacking intelligence, they lack the ability to think critically. They're good at selectively seeking out information they already want to believe. Like a bunch of parrots in a tree they'll blindly copy whatever they're hearing and amplify each other's stupidity to soothe their nerves. We can discuss all of the various reasons why Americans are not very intelligent and poorly capable of critical thought in a later essay. It's worth noting, however, that most Americans suffer from very poor health, which diminishes their innate cognitive potential. Imagine if the whole world had the level of intelligence of Japanese or South Korean people. People there have birth rates and immigration policies that ensure their population is gradually declining. Japanese people eat a third of the meat American people eat. In addition, Japanese people emit 70% less CO2 in transportation than Americans. The reality we're dealing with is that our problem would be relatively easy to solve if we lived on a planet with seven billion people with a level of intelligence equivalent to that of East Asians. The global overpopulation crisis we face is almost entirely caused by religious fundamentalism.
Religious fundamentalism, in turn, is caused by people who lack intelligence. Intelligent people, capable of critical thinking, don't force children to carry out suicide bombings. A society with sufficient intelligent people is one where dumb people adjust themselves to the culture of intelligent people, whereas in most societies the opposite occurs. The solution we're looking for is thus ultimately a form of cognitive enhancement. There are many different ways to go about this. It's possible for people to select the smartest embryo to implant, to ensure children have a genetic potential that far outweighs their parents'. There are, however, far simpler and probably more cost-effective methods we can already use right now. Millions of people, even in Western nations, suffer from iodine deficiency during pregnancy. This permanently stunts the IQ of their children. Similarly, we can feed people a healthy diet with sufficient Omega 3 fatty acids, encourage breastfeeding and eliminate gestational diabetes, while reducing exposure to fluoride, which competitively displaces iodine in the human body. If these solutions are genuinely pursued, we will raise the average IQ of the world's population, which should be sufficient to create the kind of conditions where people vote for leaders who take climate change seriously and pursue serious effort to preserve a habitable planet. We don't have to be like deer on an island, because we will have the cognitive potential to plan ahead for the crisis that looms ahead of us.
Is there actual evidence of a child porn market using cryptocurrencies?
Is there any actual evidence of child pornography being sold for cryptocurrency? It's a commonplace to link Bitcoin to child porn, and we joke about "pedo-pesos", because anyone who's ever asked an anarcho-capitalist for their views on age of consent will want to give their brain a long shower afterwards. But is there any actual evidence of this? I can't find anything I'd trust as evidence, and I'm not confident as yet to stand up and say "there probably is" or "there probably isn't". gwern's release of 1.5TB of darknet screencaps apparently shows nothing along these lines at all. As he said on HN:
As far as CP goes, there should be essentially zero CP anywhere in the archive. DNM users almost universally loathe CP, and no market has ever dared to permit sales. (You may find this funny: CP is so taboo, on the DNMs like elsewhere, that it's been used in at least one attack - SR2's DoctorClu/Brian Farrell infamously attacked a rival market's forum by posting CP to it.)
The European Financial Coalition Against Commercial Sexual Exploitation Online, whoever they actually are, cite Internet Watch Foundation claims. The IWF claims are in two Guardian articles (1) (2). The trouble with those is that they appear to be content-free scary technical bafflegab about evil therefore you should fund us, and I know the IWF to be technically incompetent fools who will say any BS to justify their continued existence, after Wikipedia tangled with them in 2009 and I got to call them "hamfisted and incompetent" on telly. (And Jon Snow ripping the IWF guy to shreds on Channel 4 News was champagne comedy.) So I flatly don't consider the IWF any sort of trustworthy or usable source. There's Amir Taaki's famous post offering phone sex from his underage self or his underage friends, of course. That's not quite a market, so I'm not sure it quite counts. Does anyone know of anything else that actually has a reasonably backed-up source? [This is separate from the CP link someone put into the blockchain, of course.] edit: almost wishing I hadn't asked now. My brain needs a shower again.
The evolution of Distributed Ledger Technologies - Part 1
Really understanding something means looking at how it was created and how it has evolved. Blockchain technology was not created out of nowhere or overnight by an anonymous crazy inventor called Satoshi Nakamoto, as some may believe. It was the outcome of collective human innovation through a very strange set of circumstances that would lay the foundation for a new decentralized movement and a new and better concept of money. To grasp the origin of Bitcoin and of Distributed Ledger Technologies, or plainly "Blockchain" in modern online literature, one has to look at the history and the combined influence of four elements: Cryptography, Open Source Software, Peer to Peer Sharing Networks and Crypto-Economics.
Part 1 - Introduction to Cryptography
Cryptography is about solving the problem of transmitting information fast, securely and covertly to an intended audience. The problem grew as new technology increased both the reach of communication and the danger of information being stolen. In the 1930s and during World War II, encryption and cryptography boomed as a result of military research and development that provided a competitive advantage and eventually helped greatly by breaking almost every German and Japanese code. Formal information security and electronic surveillance organizations, such as the NSA, were then born and continue to this day.
[Image: Military Enigma machine, model "Enigma I", used during the late 1930s and during the war; displayed at Museo scienza e tecnologia Milano, Italy.]
Pioneering cryptographers James Ellis and Clifford Cocks conceived the idea of public key encryption. In their idea, an encrypted message would contain the key that would enable unlocking the encryption; however, the idea was not feasible at that point, as it required a public communications network such as the internet as a foundation, and such systems were not yet available to the public in the 1970s. Additionally, David Chaum was the first to propose cryptocurrency, in 1983, in a paper called "Numbers can be a better form of cash than paper", along with other ideas like untraceable electronic mail, digital signatures and digital secret identities.
The Rise of the Cypherpunks
With the emergence of the internet, by the 1990s a new movement called the Cypherpunks was born. These people wanted to use the encryption tools developed by the military-industrial complex to protect individuals and their privacy. In early 1991, a bill before the U.S. Senate contained a proposal that would force electronic communications service providers to hand over individuals' private messages. A little-known programmer called Phil Zimmermann decided to develop a tool that would help individuals communicate freely on the internet. Concerned that the American government would soon require service providers to turn over their users' communications, Phil developed the free software known as Pretty Good Privacy, or PGP, so that individuals could encrypt the contents of their own messages, texts and files. PGP quickly became the world's most popular email-encryption software and one of the world's first examples of public key encryption to gain any kind of widespread adoption. It was notably used by Edward Snowden to secretly transfer classified documents from the NSA to journalist Glenn Greenwald in 2012.
[Image: NSA whistle-blower Edward Snowden in a still image taken from video during an interview.]
In late 1992, Eric Hughes, Tim May and John Gilmore invited twenty of their closest friends to an informal meeting to discuss programming and cryptographic issues. The meeting was then held monthly at John Gilmore's company, Cygnus Solutions, and as the group grew they decided to set up a mailing list to reach people elsewhere; the Cypherpunks were soon growing in numbers. The ideas and concepts shared on this mailing list ranged from cryptography, mathematics and computer science to political and philosophical debates, with privacy being one of the main founding principles.
“Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.”
Early attempts at anonymous transaction systems that introduced game theory and incentivised behaviour began with Hashcash in 1997, by Dr. Adam Back: a system to prove that some computational power was spent to create a stamp in the header of an email, acting as an anti-spam mechanism, a concept that might sound familiar from the Proof of Work used in Bitcoin. In 1998, Wei Dai published his proposal for B-Money, which included two methods of maintaining transaction data: one in which all participants hold a separate database or ledger, and a second in which only a specific group holds the database and its members are incentivized to act honestly because they have deposited their own money into a special account and stand to lose it by acting dishonestly, also known as the "Proof of Stake" method. Ethereum is one of the cryptocurrencies considering a move to this method of transaction verification, since it provides efficiency benefits. In 2004, Hal Finney created Reusable Proofs of Work based on the principles of Hashcash: unique cryptographic tokens you could only spend once, but whose validation and protection against double spending were limited to a central server. In 2005, Nick Szabo gave his own proposal for BitGold, a system in which units would be valued differently based upon the amount of computational work performed to create them. Finally, in 2008, Satoshi Nakamoto, a pseudonym for a still-unidentified individual or individuals, published the Bitcoin whitepaper, citing both Hashcash and B-Money and addressing many of the problems that the earlier developers had faced, including double spending. The Bitcoin whitepaper attracted a lot of criticism from sceptics, but Satoshi moved on despite the critics and mined the genesis block of Bitcoin on 3 January 2009.
I think that's enough condensed knowledge for one article. In the following article we'll look at Open Source Software and study its influence on the development of Blockchain Technologies. See you in the next article!
Moronic Monday - It's your weekly stupid questions thread. Please upvote for visibility. I receive no karma.
Hey /SilkRoad, it is time for Moronic Monday! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Many questions get submitted late each week that don't get a lot of action, so if your question didn't get answered before, feel free to post it again. I do ask that you refrain from abusing noobs in this thread. Feel free to link to guides, wikis, forums, other subreddits (particularly /bitcoin and /drugs [though many on the Bitcoin subreddit don't take real kindly to SR]), or the FAQ, though. The Chinese scammer is still doing his thing here, and there's a new scammer on the official forums advertising for a supposed "Silk Road Advanced". Also, Coachella420/InfiniteSource/boostintoHYPERSPACE/DealerofDrugs is at it again. He seems pretty pissed off at me again. I expect him to start the same nonsense again in this thread. I suppose it's easier to post here since you have to spam to 50 in the official forums, where he has also been banned.
Useful resources:
http://erowid.org
http://dkn255hz262ypmii.onion
http://dkn255hz262ypmii.onion/wiki/index.php?title=Main_Page
reddit.com/Drugs
reddit.com/SilkRoadDeals
reddit.com/nootropics
http://gwern.net
The sidebar
-----
Fire away!
EDIT: No one has offered to accept any of the bets, so I am declaring this offer withdrawn.
BMR & Sheep have demonstrated their danger, but few black-market-users seem to genuinely appreciate this. I am publicly betting that they will fail in the near-future. If you think I am wrong, just try to take my money and prove me wrong! Otherwise, spare us your cheap talk.
Hi! I'm Gwern Branwen. You may remember me from such black-market webpages as Silk Road: Theory & Practice, and /silkroad. Today I'm here to talk to you about BlackMarket Reloaded & Sheep Marketplace. (A signed version of this 30 October 2013 post will be posted as a comment, because I wish to use Markdown formatting; my PGP key is available.)
With the fall of SR, we're all very sad: it was a good site which performed a useful function. But life goes on, so it's no surprise we're all moving on to new black markets. That said, I am concerned by the accumulating pattern I am seeing around BMR and Sheep, and by the delusional optimism of many of the users.
BlackMarket Reloaded, since the fall, has been marked by a pattern of arrogance, technical incompetence, dismissal of problems, tolerance for sellers keeping buyer addresses & issuing threats, astounding tolerance for information leaks (all the implementation information, and particularly the VPS incident with the user data leak; mirrors: 1, 2), etc. We know his code is shitty and smells like vulnerabilities (programmers in 3 different IRC channels I frequent quoted bits of the leaked code with a mixture of hilarity & horror), yet somehow backopy expects to rewrite it better, despite being the same person who wrote the first version and the basic security principle that new versions have lots of bugs. (I'm not actually bothered by the DoS attacks; they're issues for any site, much less hidden services.) And then there's the things he's not telling us. Atlantis shut down because they were worried about contacts from LE, and thus far this shutdown seems to have saved them; but BMR has been around several times longer than Atlantis - would it not beggar belief if LE had not made contacts, attempted SR-style stings, or infiltrated BMR staff? And remember how we were able to discover all sorts of leaks in DPR's opsec once we had the indictment and knew what to look for? Or consider the claims being made about the Project Black Flag leaks, where someone claims to have accessed a laundry list of information from its internals - only after Metta DPR decided to rip-and-run. If this is what we see publicly for BMR, what on earth is going on behind the scenes? backopy should have handed on BMR weeks ago, but is still around. He seems to plan to repeat SDPR's mistakes exactly: leak information all over the place, never retire, and just keep on until he is busted and takes who-knows-how-many people down to prison with him. He has learned nothing. What, exactly, is his exit strategy? What goals does he have and when will they ever be satisfied?
He has been running BMR for more than 2 years now, and has not left. How does this story end: of a man who does not know his limits, does not have ability equal to the task, and refuses to quit while he's ahead? It ends with a party-van, that's how it ends. And hardly anyone seems troubled by this! The BMR subreddit is full of bustle; people are even hailing backopy as a "hero" for allowing withdrawal of bitcoins. (How generous of him.)
Is Sheep any better? No. BMR is troubled and probably infiltrated at this point, but Sheep may well be a dead market walking at this point. No one has a good word to say about its coding, so there may well be BMR-style issues in its future. More importantly: the veriest Google search would turn up that clearnet site, and it has been pointed out that the clearnet Czech site hosted by HexaGeek was uncannily similar to the actual hidden service. It uses almost the same exact technology, and the official explanation is that they had "fans" (fans? who set up, many months ago, before anyone gave a damn about Sheep, an entire functioning mirror while cloning the software stack and being in a foreign non-English-speaking country just like the Sheep admins?). Ridiculous! DPR may have set up a WordPress site, but at least 'altoid' didn't run an entire SR mirror! (He left that to onion.to & tor2web.org.) Sheep's likely about one subpoena of HexaGeek away from fun party times in the party-van.
I am uninterested in seeing Sheep/BMR busted and lots of newbies caught because they can't appreciate the patterns here. People don't take mere criticism seriously, and even if I lay it all out like here, and I mention that I have an excellent track record of predictions, they still won't because anyone can doom-monger and issue warnings, it won't get through to them. I want to get through to them - I want them to understand the risks they're taking, I want them to reflexively use PGP, and I want them to leave balances on sites for as short a time as possible. So! I am putting my money where my mouth is.
I and 3 others are publicly wagering ฿4 ($816 at today's rate), ฿1 each, on the following 4 bets:
BMR will not be operating in 6 months: 25%; 1:3 (you risk ฿3 and if BMR is still operating, you win our ฿1, else you lose the ฿3 to us)
BMR will not be operating in 12 months 40%; 1:1.5 (you risk ฿1.5 & BMR is operating in a year, you win our ฿1, else lose ฿1.5)
Sheep will not be operating in 6 months 30%; 1:2.3 (your ฿2.3 against our ฿1)
Sheep will not be operating in 12 months 60%; 1:0.66 (you risk ฿0.66 against our ฿1)
The ฿4 are currently stored in 1AZvaBEJMiK8AJ5GvfvLWgHjWgL59TRPGy (proof of control: IOqEiWYWtYWFmJaKa29sOUqfMLrSWAWhHxqqB3bcVHuDpcn8rA0FkEqvRYmdgQO4yeXeNHtwr9NSqI9J79G+yPA= is the signature by 1Az of the string "This address contains bitcoins for the BMSheep bet run by gwern.").
BMR = kss62ljxtqiqdfuq.onion
Sheep = sheep5u64fi457aw.onion
The exact definition of 'not operating' includes but is not limited to this: on noon EST of 30 April 2013 (6-months) or 30 October 2014 (12-months), if Nanotube can visit the relevant black-market, create a buyer account, deposit bitcoins, and order an item, then the site is operating. If deposits or new accounts or purchases are not allowed or not possible, it is not operating. At his own discretion, the arbitrator can take into account other factors, like widespread reports that a market has been raided and turned into a sting operation.
Arbitration & escrow are being provided by Nanotube, a long-time Bitcoin user & -otc trader, who has handled some past bets (most famously, the ฿10,000 bet between the Ponzi schemer pirateat40 & Vandroiy) and I believe can be trusted to escrow this one as well; he has agreed to a nominal fee of 1%. (I am not using Bets of Bitcoin because they have a dishonest & exploitative rule-set, and I am not sure Predictious would allow these bets.)
If you disagree and are man enough to take our bets, post the amount you are betting on which bet, and Nanotube will supply an address for you to transfer your bitcoin to. When it arrives in his wallet, then our bet will be in effect. May the most accurate beliefs win.
Moronic Monday - It's your weekly stupid questions thread
Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Many questions get submitted late each week that don't get a lot of action, so if your question didn't get answered before, feel free to post it again. I do ask that you refrain from abusing noobs in this thread. Feel free to link to guides, wikis, forums, other subreddits (particularly /bitcoin and /drugs [though many on the Bitcoin subreddit don't take real kindly to SR]), or the FAQ, though. Weekly MOD update: For all that don't know already, we are welcoming a new Mod, hugsfordrugs! Excited to see them aboard as we are slowly turning this subreddit away from drama and non-SR related threads by deleting them almost instantly. A reminder to use the spam and report options available when you see posts that break the rules; we catch most of it but sometimes a post will slip through, and when it is reported, we get notifications.
Useful resources:
http://erowid.org
http://dkn255hz262ypmii.onion
http://dkn255hz262ypmii.onion/wiki/index.php?title=Main_Page
reddit.com/Drugs
reddit.com/askdrugs
reddit.com/SilkRoadDeals
reddit.com/nootropics
http://gwern.net
The sidebar
-----
Fire away!
I saw today a reddit publication on /btc claiming that "bitcoin cash" is the real bitcoin. I saw another publication 1-2 days ago, I think in /bitcoincash, of graphics and logos making the "bitcoin" word more visible and the "cash" less visible, thereby deliberately creating confusion. Eventually, who can today claim copyright on the bitcoin term and stop this childish bickering and manoeuvring that is misleading to new users? As far back as I know, the first publication naming bitcoin is Satoshi Nakamoto's in 2009. See the white paper: https://bitcoin.org/en/bitcoin-paper or this site: https://www.gwern.net/docs/2008-nakamoto. Assuming that the real Satoshi is not going to reveal his identity to clear this debate :) , is there any other party who can somehow legitimately claim some trademark ownership on the "bitcoin" term? I fundamentally do not care which one of BTC or BCH gets to grow most, or some other cryptocoins for that matter, as long as the overall cryptocoin ecosystem develops in the direction that we aspire to: establishing the decentralized trustless financial system. And that will happen if people focus on the purpose, technology, targets and not infighting.
Bitcoin may very well have sparked a crypto revolution, but can it be the last coin standing?
I think the genius of Bitcoin comes from the fact that the creator(s) picked clever technologies and good ideas in a wide variety of disciplines and brought them together in a system that just works, and released it at the right time. However, in each discipline the individual choices aren't exactly optimal, and a lot of them can be questioned:
The whole idea relies on its crypto algorithms to be solid. But can the network really adapt to new algos if needed?
Is a fixed Bitcoin supply the best approach? There is a lot of debate among the different economist schools of thought about such things.
Are the confirmation times, block reward, halving times, difficulty retarget and other parameters ideal?
Will the network ever be able to scale for wide-scale adoption, realistically speaking?
Was it fair (and smart) to give so much edge to early adopters? Wouldn't it have been smarter, for price stability and fairness's sake to give decaying edge to early miners?
I'm not criticizing Bitcoin, but I am worried that now that the foundations are laid, only one of the three scenarios will become true:
Bitcoin is able to become perfect in each individual discipline, with a dev team becoming large and efficient enough to resolve problems quickly enough as they come
Some university or organization takes the main principles and makes a new coin that is optimal in each of its aspects, making it a better choice for the long term
Banks end up soaking up the advantages of Bitcoin into their existing products, and make crypto irrelevant as a means for payment or even as a store of value
I'm full-on bullish on crypto, but I'd love to be convinced that Bitcoin is a good candidate to win the adoption race. What do you guys think? EDIT: Removed the 21M Bitcoin argument. My point is that having a finite supply could be debated, obviously not the value of that limit. Also: I've been asking myself these questions for a while now, and stumbled upon this article recently. It makes a lot of very valid points and raises a lot of questions for debate. If you're long-term Bitcoin bullish, you should really read it.
"If Trump Wins, here's what I'll do..." User Coincle pledges to give away 25.47 bitcoin to those who commented on his post if Donald J. Trump is elected president. So, where's my bitcoin? by ILikeGreenit (806 points, 355 comments)
Monthly reminder for newbies: The Bitcoins you store on an exchange ARE NOT YOUR BITCOINS - they are an IOU. If you hold a decent amount of bitcoins, please make the intelligent decision NOW to transfer your coins to a secure mobile or hardware wallet that you control. by GabeNewell_ (759 points, 237 comments)
534 points: EgoTrps's comment in "If Trump Wins, here's what I'll do..." User Coincle pledges to give away 25.47 bitcoin to those who commented on his post if Donald J. Trump is elected president. So, where's my bitcoin?
334 points: SuperPuffin's comment in BREAKING: Trump advisers considering $JPM CEO Dimon for Treasury post
190 points: brokenskill's comment in "If Trump Wins, here's what I'll do..." User Coincle pledges to give away 25.47 bitcoin to those who commented on his post if Donald J. Trump is elected president. So, where's my bitcoin?
173 points: deleted's comment in Peter Thiel (member of President-Elect Trump's Transition Team): "It becomes a threat to fiat money at a point where Bitcoin is encrypted in such a robust way that the tax authorities can't break the encryption, can't tell how much money you have, and what transactions you are doing." [x-post]
171 points: butters1337's comment in BREAKING: Trump advisers considering $JPM CEO Dimon for Treasury post
Warning: DrugsList is extremely insecure [x-post /r/DarkNetMarkets]
DISCLAIMER: I have no affiliation with any marketplace. My interest is only seeing a more secure and trustworthy underground drug market. I have reported numerous issues to other drug markets and have had them successfully fixed. I have never accepted payment from any drug market for security services. I am only an interested observer and occasional customer. EDIT: here is the original thread at /DarkNetMarkets The Drugslist website makes numerous simple security errors in its implementation, and is completely unfit as an underground drug marketplace storing bitcoin wallets.
Error 1: The PGP error
As drug market users you have likely noticed that it is always reinforced that you should use PGP for all private messages. A lot of users struggle with PGP since you have to download an application, learn public key cryptography, learn how to sign/encrypt and manage keys etc. There is a reason why it is complicated: ease of use and security are a direct tradeoff. Were PGP to be simple, it likely wouldn't be effective. This is why you have never seen a serious drug marketplace that attempts to implement PGP on the web, or inside a browser - because it is insecure. You can only guarantee the security of PGP and your messages if you use a desktop app. I noticed yesterday that Drugslist was making a huge error and had implemented PGP in a web browser as part of their drugs marketplace. This is a huge red flag, because not only is it not secure, but it also teaches users that pasting private keys into a web form is ok, when it is far from it. Security conscious people spend a lot of time reiterating basic security practices to people, and when Drugslist does something like implement PGP in a browser and ask users to paste a private key into a web form, they undo a lot of that security advocacy performed by others. I'm going to try and explain in the simplest terms why PGP in the browser is a bad idea, as I explain what Drugslist did: When you install PGP normally on the desktop - you go to a trusted site and download the package, and almost all PGP tutorials will, as a second step, show you how you can verify that the package you downloaded is the same one the developers signed off on - to guarantee that it hasn't been backdoored or manipulated on the server, or backdoored or manipulated in transit to your computer. You only have to do this once, when you install the application.
From then on you can use the PGP app a thousand times and be confident that it hasn't been backdoored (there are ways around this, such as a trojan on your system, but it won't be backdoored by the developer). This is an essential part of establishing the trust relationship between developer and user: you can guarantee that it hasn't been compromised using cryptography (Bitcoin also does this, as does Tor). When you use PGP in a browser, your browser downloads a new copy of PGP every time you use it, and has no way of checking the signature. Worse, it doesn't even check if it is downloading it from the correct server. That means someone could easily insert a backdoor into it, or weaken it, and you would never notice. It doesn't matter how much you check the code the first time you use it, you can't guarantee that it would be the same every subsequent time. This isn't a hypothetical attack; there are at least two known cases where the US Government has taken advantage of web-based cryptography to read 'encrypted' messages for users: Hushmail and Lavabit. In the Hushmail case users had no idea that Hushmail had changed the code to give the government access. In the Lavabit case, because they were using web based crypto they were also vulnerable to a subpoena, which they ended up receiving when Snowden became a user. This is why web-based crypto is bad, because it can't be protected or guaranteed. Drugslist present their web-based PGP alternative as a direct replacement for desktop PGP, which is not the case. Web based PGP is never secure. They place a link to it right above the box where you send private messages:
Don't know PGP? Check out our client-side PGP encryption tool. No data transferred and everything stays on your device!
All throughout the site, in the FAQ, there on the private message box, it mentions the web-based PGP implementation as an alternative to desktop based PGP, which it certainly is not. Now this part I can't stress enough: to a security professional, this is a very simple mistake - it is something that even a security professional with only hours of experience would know is a red flag. This is like a mechanic pointing out that the tyre on your car is wobbly and about to fall off. I noticed that Drugslist had this feature yesterday in their thread about their API. I knew very, very little about Drugslist at this time; I had signed up a week earlier and then forgotten about it - not even looking at what vendors are there, etc. Here is the thread announcing the API: http://www.reddit.com/DarkNetMarkets/comments/1w2rq9/drugslist_launching_optional_new_full_api/ I got to this second paragraph and immediately stopped reading:
Our site now offers, a fully featured API escrow, auto withdraw for vendors, 1% commission payments on any money spent by anyone whom you refer, a fully integrated forum and email system, client side pgp encryption and decryption as well as a very active customer support and development team.
Note two things here: they are still misunderstanding the issue. There is no way to implement this securely, their reassurances notwithstanding. Also note that this is a feature that is supposed to be built for users who find desktop PGP complicated, yet it is asking them to conduct a thorough audit of the PGP code prior to using the tool each time. This is completely unrealistic. Back on the comment thread, there was also a completely surreal situation where I'm left spending a dozen comments explaining to DrugsList what the actual problem is, since it is clear they don't understand what I'm actually reporting; in the meantime they continue to deny that there is a problem. I had no idea at the time that this would lead to an hours-long conversation where Drugslist would repeatedly deny the existence of numerous security issues despite the clear evidence to the contrary. I went back up to that original post and kept reading about the API. Two lines later and we have another security issue:
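To make the difference between the two trust models concrete, here is an added example (not code from the original post or from Drugslist). It models a locally installed client whose release you verified once against the developer's published digest, beside a browser-delivered client that is re-fetched on every use with nothing to compare it against. A pinned SHA-256 digest stands in for the developer's PGP signature, the "server" is a dict, and the client code strings, function names and digest are all constructed, so it runs offline.

```python
"""Added example, not code from the original post or from Drugslist.
A pinned SHA-256 digest stands in for the developer's PGP signature on a
release; the server is an in-memory dict.  All names and sample code
strings are constructed."""
import hashlib

# Constructed: the developer's genuine client, and the copy a compromised
# (or coerced) server later serves in its place.
GENUINE_CLIENT = b"function encrypt(msg, key) { return openpgpEncrypt(msg, key); }"
BACKDOORED_CLIENT = (
    b"function encrypt(msg, key) { exfiltrate(msg); return openpgpEncrypt(msg, key); }"
)


def digest(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


def install_once(code: bytes, published_digest: str) -> dict:
    """Desktop model: check the download against the developer's published
    (signed) digest once, then keep that verified copy locally."""
    if digest(code) != published_digest:
        raise ValueError("install rejected: download does not match published digest")
    return {"code": code, "pin": published_digest}


def run_desktop_client(installed: dict) -> bytes:
    """Every later run uses the local copy and re-checks it against the pin;
    nothing is fetched from the server, so a swapped copy never reaches the user."""
    if digest(installed["code"]) != installed["pin"]:
        raise ValueError("local client has been modified")
    return installed["code"]


def run_web_client(server: dict) -> bytes:
    """Browser model: fetch a fresh copy on every use with nothing to compare
    it against; whatever the server serves at that moment is what runs."""
    return server["pgp.js"]


def demo() -> dict:
    server = {"pgp.js": GENUINE_CLIENT}
    # Digest as it would appear in the developer's signed release notes (constructed).
    published = digest(GENUINE_CLIENT)
    installed = install_once(server["pgp.js"], published)

    # Later: the served copy is replaced, with no change visible to users.
    server["pgp.js"] = BACKDOORED_CLIENT

    return {
        "desktop_runs_genuine": run_desktop_client(installed) == GENUINE_CLIENT,
        "web_runs_backdoored": run_web_client(server) == BACKDOORED_CLIENT,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The desktop path fails closed if either the initial download or the local copy does not match the pin; the web path has no pin to fail against, which is the whole point of the paragraph above.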
2. API Security Issues
I'll keep this brief. The problems with the API are:
It asks you to place your marketplace password in the URL of the API. This is a big no-no, since many applications log URLs in plain text. A URL is treated as 'non-sensitive' data by all applications, so you should not be placing passwords in the URL.
The password used in the API is the same as your marketplace password, so if your API credentials somehow leak, the person finding them can log in as you. This is poor design.
The API client makes no effort to authenticate the server, and vice versa. This means it would be incredibly simple to intercept the data passing between the API client and the API server. Running over Tor only makes it easier, since a lot of Tor configs have misconfigured DNS.
Drugslist's response to these concerns is that they 'expect' API clients to know about these problems and to use the API securely. I had now discovered a number of basic security issues in reading only two paragraphs of text from Drugslist, and in all these cases the Drugslist user had responded quickly, completely denying any issue or any problem and dismissing the concern. This was becoming a pattern, and it prompted me to look at the history of this user and this drug marketplace; it didn't take me long to find more hits.
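As an added example of the first two API points above (not code from the original post or from the Drugslist API), the following shows what a defender can do about passwords in URLs: scan web-server access logs for credentials that arrived in a query string, scrub such URLs before logs are shared, and build requests in the shape that avoids the problem, with a separate scoped API token in an Authorization header rather than the account password in the URL. The log lines, parameter names, paths and token are constructed.

```python
"""Added example, not code from the original post or from the Drugslist API.
Log lines, parameter names and the token are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that should never carry a secret in a URL.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pw", "api_key", "apikey", "token", "secret"}

# Constructed access-log lines in common log format.
ACCESS_LOG = """\
10.0.0.5 - - [12/Jan/2014:10:01:02 +0000] "GET /api/orders?user=alice&password=hunter2 HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2014:10:01:09 +0000] "GET /api/orders?user=bob HTTP/1.1" 401 0
10.0.0.9 - - [12/Jan/2014:10:02:33 +0000] "POST /api/withdraw?token=abc123 HTTP/1.1" 200 80
"""


def sensitive_params_in(url: str) -> list:
    """Names of sensitive query parameters present in a URL, sorted."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def find_credentials_in_log(log_text: str) -> list:
    """Return (line_number, request_target, leaked_param_names) for each
    log line whose request target carries a sensitive query parameter."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        try:
            request = line.split('"')[1]      # e.g. GET /path?x=y HTTP/1.1
            target = request.split()[1]
        except IndexError:
            continue                          # not a well-formed request line
        leaked = sensitive_params_in(target)
        if leaked:
            hits.append((number, target, leaked))
    return hits


def redact_url(url: str) -> str:
    """Replace the value of every sensitive query parameter with [REDACTED].
    Useful for scrubbing logs that already exist; the real fix is not to put
    the secret in the URL in the first place."""
    parts = urlsplit(url)
    params = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params, safe="[]")))


def build_api_request(target: str, api_token: str) -> tuple:
    """Safer shape: a scoped API token (not the login password) travels in a
    header, which servers and proxies do not log by default, and the URL
    carries nothing secret.  Returns (target, headers) instead of sending."""
    if sensitive_params_in(target):
        raise ValueError("refusing to build a request with a secret in the URL")
    return target, {"Authorization": "Bearer " + api_token}


if __name__ == "__main__":
    for number, target, leaked in find_credentials_in_log(ACCESS_LOG):
        print(f"line {number}: {leaked} in {redact_url(target)}")
```

Issuing a dedicated API token also addresses the second point: a leaked token can be revoked without touching the marketplace login, and the token can be scoped to the API only. Authenticating the server (the third point) is a transport question, normally TLS with a pinned certificate or a Tor hidden-service address, and is not modelled here.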
Error 3: SQL Injection
I only had to scroll down 3 or 4 previous threads before finding this thread, where a user of reddit had reported an SQL Injection vulnerability to DrugsList. Set aside for a moment what you may believe about how the person reporting that bug behaved or conducted themselves, because this is a very serious issue. I could not believe what I was seeing as I scrolled through the screenshots attached. I haven't seen this type of elementary SQL Injection bug for years. This stuff used to work 10 years ago, but you rarely see it any more, as most programmers and websites have wised up to the simplest of SQL Injection bugs. Make no mistake about this: what is being demonstrated in that bug is the ability to take control of the application and run whatever commands you wish on the database. This means you can take passwords, steal bitcoin, insert your own vendor account, etc. This is the exact same type of bug that caused both Sheep and BMR to be hacked, except that this bug was much, much simpler than either of those. This SQL Injection bug led to what was now becoming a regular situation: the drugslist user coming in, denying that there was an error, and claiming that the user who found an SQL Injection had only found a 'small bug' and couldn't 'do anything'. He was daring the next attacker to delete/hack his entire site as a way of proving that a bug exists. This led to a completely surreal comment thread, the kind I have never really had before, where we have the admin of the drug market along with a mod from the sub trying to convince people that this wasn't a real bug, using terms that are taken from information security but using them in such a way that makes it clear to anybody who knows the field that these guys have no idea what they are talking about.
The sheer simplicity of the SQL Injection attack led me to open up a browser, go to Drugs Marketplace and check for myself whether I could find any other bugs (having a single simple bug on the main page usually means there are more).
Error 4: Multiple SQL Injection Points
Within 3 minutes of checking their app it was clear that both their search page and their product page are not filtering user input and allow a user to tamper with SQL queries in any way they want. I private messaged Drugslist and told him that he needs to take his site down and come clean about the security issues. I've never seen a site like this. A potential hacker with no knowledge of info sec would only require 10-12 hours of learning to take complete advantage of this and steal everything from Drugs List.
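For readers who are not programmers, here is what "not filtering user input" on a search page means, as an added example that is not code from the original post or from Drugslist. The same product search is written two ways against an in-memory SQLite table: one pastes the user's text into the SQL string, the other passes it as a bound parameter. The product rows, vendor names and the hostile search term are constructed.

```python
"""Added example, not code from the original post or from Drugslist.
Product rows, vendor names and the hostile input are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, vendor TEXT, listed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, vendor, listed) VALUES (?, ?, ?)",
        [("blue widget", "vendorA", 1),
         ("red widget", "vendorB", 1),
         ("unpublished draft", "vendorC", 0)],   # listed = 0: must never appear in search
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Concatenation: the user's text becomes part of the SQL grammar, so a
    quote in the input ends the string literal and the rest runs as SQL."""
    sql = "SELECT name FROM products WHERE listed = 1 AND name LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the driver passes the text as a value, never as SQL,
    whatever characters it contains."""
    sql = "SELECT name FROM products WHERE listed = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo() -> dict:
    conn = make_db()
    ordinary = "widget"
    # Constructed hostile input: closes the quoted pattern, appends a
    # condition that is always true, and comments out the rest of the query.
    hostile = "x%' OR 1=1 --"
    return {
        "ordinary_vulnerable": search_vulnerable(conn, ordinary),
        "ordinary_safe": search_safe(conn, ordinary),
        "hostile_vulnerable": search_vulnerable(conn, hostile),
        "hostile_safe": search_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

For an ordinary term both versions return the two listed widgets. For the hostile term the concatenated version returns every row, including the unlisted one, because the `listed = 1` condition has been bypassed; the parameterised version returns nothing, because the driver looked for a product whose name literally contains the hostile text. The fix is the same on every page that builds SQL from user input: bind parameters, never concatenate.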
Error 5: Server Leaking Info
After discovering the two bugs I come to the conclusion that there is no point in testing this further, since every parameter I test is vulnerable. I look down at my logs and I can't believe what I'm seeing: the server is leaking critical information about itself that would make it simple for a dedicated adversary to track down not only the location of the server, but the people running it. This is worse than Silk Road in the early days, where similar output led the authorities to the location of the Silk Road server.
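The post does not say what the server disclosed, so the following added example (not code from the original post) checks a response for the usual categories of self-disclosure an operator should be auditing for: version strings in response headers, filesystem paths, private IP addresses and verbose error output in the body. The two sample responses, including the header values, path, address and error text, are constructed and do not describe any real server.

```python
"""Added example, not code from the original post.  Both sample responses
(headers, paths, addresses, error text) are constructed."""
import re

VERSIONED_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")
FS_PATH = re.compile(r"(?:/var/www/|/home/\w+/|/srv/)[\w./-]*")
ERROR_TEXT = re.compile(r"\b(?:Warning|Fatal error|Stack trace|Traceback)\b", re.IGNORECASE)


def audit_response(headers: dict, body: str) -> list:
    """Return human-readable findings; an empty list means nothing obvious leaked."""
    findings = []
    for name, value in headers.items():
        if name.lower() in VERSIONED_HEADERS and re.search(r"\d", value):
            findings.append(f"header {name} discloses a software version: {value}")
    match = PRIVATE_IP.search(body)
    if match:
        findings.append(f"body contains a private IP address: {match.group(0)}")
    match = FS_PATH.search(body)
    if match:
        findings.append(f"body contains a filesystem path: {match.group(0)}")
    if ERROR_TEXT.search(body):
        findings.append("body contains verbose error output")
    return findings


# Constructed: a response from a server that echoes its internals to the client...
LEAKY_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"}
LEAKY_BODY = ("<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, "
              "boolean given in /var/www/market/search.php on line 42 (host 10.8.0.3)")

# ...and the same request after hardening: generic header, opaque error page,
# with the details written to a server-side log instead of the response.
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_BODY = "Something went wrong. Please quote reference 7f3a to support."


if __name__ == "__main__":
    for finding in audit_response(LEAKY_HEADERS, LEAKY_BODY):
        print("leaky:", finding)
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_BODY) or "no findings")
```

Run it against your own error pages and the responses to malformed parameters; anything it flags is information the operator hands to every visitor, and for a hidden service the private addresses and paths are exactly the kind of detail that lets a server be correlated with its hosting.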
Error 6: Consolidating everything in one market
The other problem with Drugs List is that in an effort to be convenient they consolidate everything into one website and behind one URL: market, wallets, email, forum and even PGP. Were the market hacked or taken over by LE, they would get everything: your emails, your messages, your PGP (via the web tool). This is why each vendor and buyer should host each of these separately: email with one host, wallet with another, marketplace on another, PGP on your desktop. This rule is the same as the 'diversify your holdings' rule in the finance world; you don't want a single point of vulnerability. There is also a reason why other markets host their forums and their marketplaces on separate URLs: it's so that you isolate them from each other. The threat model for a forum is very different from the threat model for a bitcoin drug marketplace; you don't want a bug in the forum leading to a complete compromise of your bitcoin drug marketplace.
Over-marketing and under-delivering
If you look at Drugs List's claims, they keep reiterating security and how they have hired 'PHD's in math' and 'security experts'. There is no chance this is true. Drugs List has almost certainly been put together by a single person with a minor understanding of technology and almost no understanding of security who outsourced the work of programming the marketplace. It is likely that he has hired cheap offshore labour to build this site using a service like oDesk or Elance. I don't believe his programmers know that what they are building is being used as a drug marketplace. When I search some of these freelancing marketplaces for 'bitcoin escrow marketplace' I get a number of hits for people attempting to hire cheap labour to build such a marketplace. Some of these sound a lot like Drugs List, and that would also match up with how the site has been implemented. This is exactly how SR1 was taken down, and I have more than enough information to conclude that were a sufficiently motivated adversary interested in taking down Drugs List, they would likely do so in very short order. It doesn't matter if you believe that I am out to "get" Drugs List or not; there is a pattern in his communication where numerous people have reported security or other concerns to them and been dismissed. So either all these people reporting concerns are crazy (which would include me, two other techs on the SQL injection thread, and TMPSchultz and gwern on the multi-sig thread), or Drugs List is negligent with user data and in way over their heads with operating a secretive bitcoin-based underground drug market. Of the 3 issues I reported to them, his replies indicated that he didn't even understand 2 of them. It took me numerous messages to explain what was wrong with doing web-based PGP, even though their first response indicated that they understood the issue and thought it was ok.
There is a pattern here of features being over-marketed and then under-delivered, and of sheer negligence with security reports. The question vendors and buyers have to ask themselves is: do they really trust their identity and money to someone who is not only incompetent at building a website but in utter denial about there being a problem? IF YOU ARE A VENDOR OR BUYER: Don't trust me. Please find someone you know who is a programmer or a tech and ask them to take a look at these two threads:
That is the least amount of due diligence you should do before using a drug marketplace, especially as a vendor. You will find that even those with a cursory knowledge of programming or info security will find those threads worrying to the point of being amusing.