Re: Proof of Work - atmospheric carbon

2009-01-31 Thread Bill Stewart

At 10:40 AM 1/30/2009, Thomas Coppi wrote:

> Just out of curiosity, does anyone happen to know of any documented
> examples of a botnet being used for something more interesting than
> just sending spam or DDoS?


There are good botnets and bad botnets.
Good ones ask you if you want to join, bad ones don't.
Good ones are typically things like s...@home, fold...@home,
Great Internet Mersenne Prime Search,  DES crackers, etc.,
and if you've got something good to do, people will help.
People usually only set up the bad ones
if they want to do something bad - it may be interesting the
first time they do it, like a new flavor of DDOS,
but it's not usually doing the world any favors.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Proof of Work - atmospheric carbon

2009-01-31 Thread Russ Nelson
John Levine writes:
> http://www.taugh.com/epostage.pdf

I would also point out that nothing is preventing anyone from
implementing their own epostage.  Just send your email via a paypal
Send Money, accompanied with whatever postage you feel is appropriate.
No magic, no standards track epostage, no chicken-and-egg
implementation problem, not even any crypto needed.  Too boring to
actually use, I guess.

-- 
--my blog is at http://blog.russnelson.com  | Delegislation is a slippery
Cloudmade supports http://openstreetmap.org/| slope to prosperity.
521 Pleasant Valley Rd. | +1 315-323-1241   | Fewer laws, more freedom.
Potsdam, NY 13676-3213  | Sheepdog  | (Not a GOP supporter).



Re: Proof of Work - atmospheric carbon

2009-01-31 Thread Steven M. Bellovin
On Fri, 30 Jan 2009 11:40:12 -0700
Thomas Coppi thisnuke...@gmail.com wrote:

> On Wed, Jan 28, 2009 at 2:19 PM, John Levine jo...@iecc.com wrote:
>> Indeed.  And don't forget that through the magic of botnets, the bad
>> guys have vastly more compute power available than the good guys.
>
> Just out of curiosity, does anyone happen to know of any documented
> examples of a botnet being used for something more interesting than
> just sending spam or DDoS?

I asked Rob Thomas of Team Cymru this question (he and they study the
underground).  Here is his answer, posted with permission:


Botnets are routinely used as:

1. Proxies (IRC, HTTP & HTTPS)

2. To recover financial credentials, e.g. paypal, citibank, et al.
   This was the original purpose of the PSNIFF code in some of the early
bots.

Here's a code snippet from the now venerable
rBot_rxbot_041504-dcom-priv-OPTIX_MASTERPASSWORD dating back several
years:

[ ... ]

// Scaled down distributed network raw packet sniffer (ala Carnivore)
//
// When activated, watches for botnet login strings, and
// reports them when found.
//
// The bots NIC must be configured for promiscuous mode (recieve
// all). Chances are this already done, if not, you can enable it
// by passing the SIO_RCVALL* DWORD option with a value of 1, to
// disable promiscuous mode pass with value 0.
//
// This won't work on Win9x bots since SIO_RCVALL needs raw
// socket support which only WinNT+ has.

[ ... ]

PSWORDS pswords[]={
{":.login",BOTP},
{":,login",BOTP},
{":!login",BOTP},
[ ... ]
{"paypal",HTTPP},
{"PAYPAL",HTTPP},
{"paypal.com",HTTPP},
{"PAYPAL.COM",HTTPP},
{"Set-Cookie:",HTTPP},
{NULL,0}
};

[ ... ]


3. Remember they're called boats now, so anything is possible.  Screen
captures are becoming increasingly popular.



Re: Proof of Work - atmospheric carbon

2009-01-30 Thread John Levine
>> You know those crackpot ideas that keep showing up in snake oil crypto?
>> Well, e-postage is snake oil antispam.
>
> While I think this statement may be true for POW coinage, because for a bot
> net it grows on trees, for money that traces back to the international
> monetary exchange system, it may not be completely true.

It's close enough to completely true.  Stealing postage via bots is
only one of multiple fatal problems.

I wrote this white paper in 2004; some of the details could stand a
little update but the conclusions are as clear as ever:

http://www.taugh.com/epostage.pdf

R's,
John



Re: Proof of Work - atmospheric carbon

2009-01-30 Thread Thomas Coppi
On Wed, Jan 28, 2009 at 2:19 PM, John Levine jo...@iecc.com wrote:
> Indeed.  And don't forget that through the magic of botnets, the bad
> guys have vastly more compute power available than the good guys.

Just out of curiosity, does anyone happen to know of any documented
examples of a botnet being used for something more interesting than
just sending spam or DDoS?

-- 
Thomas Coppi



Re: Proof of Work - atmospheric carbon

2009-01-30 Thread John Levine
Richard Clayton and I claim that PoW doesn't work:
http://www.cl.cam.ac.uk/~rnc1/proofwork.pdf

I bumped into Cynthia Dwork, who originally invented PoW, at a CEAS
meeting a couple of years ago, and she said she doesn't think it
works, either.

R's,
John



Re: Proof of Work - atmospheric carbon

2009-01-29 Thread Bill Frantz
jo...@iecc.com (John Levine) on Wednesday, January 28, 2009 wrote:

> You know those crackpot ideas that keep showing up in snake oil crypto?
> Well, e-postage is snake oil antispam.

While I think this statement may be true for POW coinage, because for a bot
net it grows on trees, for money that traces back to the international
monetary exchange system, it may not be completely true.

Snail mail postage limits, but does not eliminate junk mail. I think,
without proof, that most people can live with the amount of junk mail they
receive. At least I don't hear a lot of conversations about the Junk mail
problem.

Now it is certainly true that if machines have a small amount of money
stored within them for postage, someone who 0wns that machine could steal
some of that money. There is a limit to the amount that can be stolen based
on the person who pays for the machine noticing and being bothered. There
is probably safe profit in skimming small amounts from a large number of
machines just like there was profit in skimming the round off in payroll
calculations.

Cheers - Bill

-
Bill Frantz| The first thing you need when  | Periwinkle
(408)356-8506  | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter. | Los Gatos, CA 95032



Re: Proof of Work - atmospheric carbon

2009-01-29 Thread Nicolas Williams
On Wed, Jan 28, 2009 at 04:35:50PM -0500, Jerry Leichter wrote:
> [Proposals to use reversible computation, which in principle consume
> no energy, elided.]
>
> There's a contradiction here between the computer science and economic
> parts of the problem being discussed.  What gives a digital coin value
> is exactly that there is some real-world expense in creating it.

For some definition of digital coin.

An alternative design where all coins are double-spend checked against
on-line infrastructure belonging to the issuer doesn't have this
constraint.  Though they have different properties.  For example,
anonymity might then depend on trusting mixmaster-type networks to
exchange coins the issuer knows you have for coins that the issuer
doesn't know you have, but that might make anonymity entirely
impractical.  But then, how practical are POW coins anyways?

I suspect most people in the formal sectors of most economies would
gladly live with digital credit/bank cards most of the time and to heck
with digital coins.

> So, how do you tie the cost of a token to power?  Curiously, something
> of the sort has already been proposed.  It's been pointed out - I'm
> afraid I don't have the reference - that CPU's keep getting faster and
> more parallel at a high rate, but memories, while they are getting
> enormously bigger, aren't getting much faster.  So what the paper I
> read proposed is hash functions that are expensive, not in CPU
> seconds, but in memory reads and writes.  Memory writes are inherently
> non-reversible so inherently cost power; a high-memory-write algorithm
> is also one that uses power.

Clever!

Nico
-- 



Re: Proof of Work - atmospheric carbon

2009-01-28 Thread Hal Finney
John Gilmore writes:
> The last thing we need is to deploy a system designed to burn all
> available cycles, consuming electricity and generating carbon dioxide,
> all over the Internet, in order to produce small amounts of bitbux to
> get emails or spams through.

It's interesting to consider the ultimate technological resolution to this
issue. Will a global-scale proof-of-work based system inherently consume
substantial amounts of energy? Or are there ways of doing computing
which would allow such a system to use only moderate energy consumption?

This question relates to the thermodynamics of computation. It has
long been known that logically reversible transformations can be done
with arbitrarily low energy dissipation. Hence attention is focused on
irreversible transformations, particularly those that require bit erasure.
Erasing a bit dissipates energy of approximately kT where
k is Boltzmann's constant and T is temperature.

The question is whether a POW system inherently involves a great deal
of irreversible logical transitions, causing bit erasure and dissipating
energy? Or could a POW token be created using solely reversible logic?

One note is that any algorithm can in principle be made reversible except
for the size of the output: compute it using reversible logic, possibly
creating many excess bits which will allow the reversal, until we get
the answer; then make a copy of the output; then reverse the calculation,
consuming all the excess bits until we get back to the original value. The
only irreversible step was saving the output. However this is impractical
for large calculations like we are talking about, because the number of
excess bits would dwarf the size of the calculation.

The hash collisions used in systems like Bitcoin or Hashcash (technically
not collisions, rather searches for pre-images of hash values with many
leading zero bits) seem inherently irreversible. The algorithm typically
sets up a pre-image that includes a counter value, computes the hash,
increments the counter and repeats until a hash is found with the desired
properties. The hash function itself typically uses many intrinsically
irreversible transitions, since logical irreversibility is a defining
requirement of a hash function. Even if we use the trick in the preceding
paragraph to eliminate the cost of the intermediate steps in computing
the hash, we would still need to erase the output result each iteration,
dissipating energy. Typical POW systems in use today require millions
to billions of iterations, and this would be likely to increase in the
future, so the dissipation could be substantial.

Replacing the hash with a logically invertible function might help to
reduce the number of intermediate bits, and eliminate the need to use
the run-backwards trick. One would require that both the pre-image and
the post-image contain a number of bits in fixed positions. However this
would still seem to require the same kind of search algorithm, causing
dissipation as each intermediate result is erased.

Perhaps a variation on this idea would work, if the logically invertible
function was itself very slow, perhaps parameterized to have a huge number
of rounds. Then only a relatively small number of iterations would be
needed before a lucky result is found, for a given level of POW effort.
This would reduce dissipation. However it would slow down verification,
and since verification of the POW will be done far more often than
creation, we can't afford to tip things too far in that direction.

Another idea I had was to use a deterministic POW rather than a random
one like hash collision. Cryptographic work on timed commitments and
related topics has shown that repeated squarings modulo an unknown RSA
modulus allow for relatively concise and quickly verifiable proofs that
some very large number of squarings had taken place, with no shortcuts
possible for the creation of the resulting certification. Broadly
speaking, modular squaring is logically reversible, in that one could
theoretically compute the square root. But in practice, as with the
hash computation, computing a modular square using logically reversible
operations will produce a large number of excess bits. Even if the excess
from a single squaring could be consumed using the trick mentioned
above, one would still be forced to erase the temporary result of
each individual squaring operation, as the POW would require a very
large number of squarings.  So the overall dissipation would appear to
be similar to the hash computation.

(Also, it's not clear that a deterministic POW works well for an
application like Bitcoin; it might let the owner of the fastest computer
win every POW race, giving him too much power.)

So the question from John's challenge remains open: is there a POW
system which could be built solely on logically reversible computation?
The computation has to be intrinsically time consuming, but with a short
and quickly verifiable 
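
[Added example, not part of Hal Finney's post: the two POW styles the message contrasts, a Hashcash-style counter search and a chain of sequential modular squarings, with the number of intermediate results each one discards. SHA-256, the toy modulus built from two Mersenne primes, and all function names are assumptions made for illustration; the trapdoor check stands in for the proof systems from the timed-commitment literature.]

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def stamp_digest(challenge: bytes, counter: int) -> bytes:
    """Hash of the pre-image: challenge plus a counter value."""
    return hashlib.sha256(challenge + b":" + str(counter).encode()).digest()

def mint(challenge: bytes, bits: int):
    """Random POW: increment the counter until the hash has `bits` leading
    zero bits. Returns (counter, hashes_computed); every digest except the
    last is an intermediate result that gets thrown away."""
    counter = 0
    while leading_zero_bits(stamp_digest(challenge, counter)) < bits:
        counter += 1
    return counter, counter + 1

def verify(challenge: bytes, counter: int, bits: int) -> bool:
    """Verification costs one hash, however long minting took."""
    return leading_zero_bits(stamp_digest(challenge, counter)) >= bits

# Deterministic POW: t sequential squarings modulo n = p*q.
# Constructed toy modulus (two Mersenne primes); a real one needs large,
# secret primes so that the worker cannot compute phi(n).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q

def square_chain(x: int, t: int, n: int = N) -> int:
    """Worker's path: t squarings, each overwriting the previous result."""
    for _ in range(t):
        x = x * x % n
    return x

def square_chain_trapdoor(x: int, t: int, p: int = P, q: int = Q) -> int:
    """Issuer's check: knowing p and q, reduce the exponent 2^t modulo
    phi(n) (valid when gcd(x, n) == 1) and do one modular exponentiation."""
    e = pow(2, t, (p - 1) * (q - 1))
    return pow(x, e, p * q)

if __name__ == "__main__":
    challenge = b"constructed-challenge"   # constructed sample input
    counter, hashes = mint(challenge, 12)
    print(f"hash search: counter={counter}, digests discarded={hashes - 1}")
    print("verified with one hash:", verify(challenge, counter, 12))
    t = 5000
    print(f"squaring chain: {t - 1} intermediate values overwritten")
    print("trapdoor check agrees:",
          square_chain(3, t) == square_chain_trapdoor(3, t))
```
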

Re: Proof of Work - atmospheric carbon

2009-01-28 Thread John Levine
> (Also, it's not clear that a deterministic POW works well for an
> application like Bitcoin; it might let the owner of the fastest computer
> win every POW race, giving him too much power.)

Indeed.  And don't forget that through the magic of botnets, the bad
guys have vastly more compute power available than the good guys.

You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.

R's,
John
 



Re: Proof of Work - atmospheric carbon

2009-01-28 Thread Jerry Leichter

On Jan 27, 2009, at 2:35 PM, Hal Finney wrote:

> John Gilmore writes:
>> The last thing we need is to deploy a system designed to burn all
>> available cycles, consuming electricity and generating carbon dioxide,
>> all over the Internet, in order to produce small amounts of bitbux to
>> get emails or spams through.
>
> It's interesting to consider the ultimate technological resolution to this
> issue. Will a global-scale proof-of-work based system inherently consume
> substantial amounts of energy? Or are there ways of doing computing
> which would allow such a system to use only moderate energy consumption? ...
[Proposals to use reversible computation, which in principle consume
no energy, elided.]


There's a contradiction here between the computer science and economic
parts of the problem being discussed.  What gives a digital coin value
is exactly that there is some real-world expense in creating it.  We
talk about proof of work, but in fact work done by a computer doesn't,
in and of itself, have any value.  It gets a value only when it's a
limited resource *which might have been used for something else* - i.e.,
the value of the spare cycles that might be thrown at doing the
computations comes from the opportunity cost incurred.  If this were
not so, anyone could just create as many as they wanted at no cost to
themselves.  In fact, this is behind the cost model of 'bot herders
using other people's machines.  But ultimately that only works for the
'bot herders because there is no significant loss to the owners of
those machines either!


Now, if instead we used algorithms not based on some abstract
notion of work, but on the equivalent power that had to be  
dissipated to do the computation, then the value of a digital token  
would truly be grounded in the real world.  Spare cycles would no  
longer be free - they would show up on your power bill.  Sure, the  
'bot herders wouldn't have to pay - but if the owners of the pwned  
machines saw a real cost, they would have an incentive to do something  
about it (which they basically don't, today).


Eliminating the power cost puts you back to amortizing the fixed cost  
of the CPU and memory doing the computation - a cost that's dropping  
all the time.  I don't see how you get to an economically viable  
mechanism that way.


So, how do you tie the cost of a token to power?  Curiously, something  
of the sort has already been proposed.  It's been pointed out - I'm  
afraid I don't have the reference - that CPU's keep getting faster and  
more parallel at a high rate, but memories, while they are getting
enormously bigger, aren't getting much faster.  So what the paper I  
read proposed is hash functions that are expensive, not in CPU  
seconds, but in memory reads and writes.  Memory writes are inherently  
non-reversible so inherently cost power; a high-memory-write algorithm  
is also one that uses power.


(BTW, a number of years back, a VC friend ran by me a proposal to buy  
the spare cycles on people's set-top boxes - which have pretty hefty  
chips in them - and rent out the resulting distributed compute  
server.  The claim was that you didn't have to pay people much of  
anything for use of their boxes - you'd only do it when they were  
otherwise unoccupied, so they should be happy to get even very small  
payments.  I pointed out the cost they had neglected:  Increased power  
use.  Sure, individuals probably wouldn't notice - but at some point  
some consumer organization would.  The resulting bad publicity would  
kill the business.  We did a bit of calculation to add that in to what  
would be paid to the box owners and the whole enterprise started  
looking less interesting from a purely economic point of view - not  
that it didn't have plenty of other problems.)


-- Jerry



Re: Proof of Work - atmospheric carbon

2009-01-27 Thread Zooko O'Whielacronx
On Jan 26, 2009, at 13:08 PM, John Levine wrote:

> If only.  People have been saying for at least a decade that all we
> have to do to solve the spam problem is to charge a small fee for
> every message sent.

I was one of those people, a decade and a half ago, on the cypherpunks
mailing list.  In fact, as I recall I once discussed with John Gilmore
after a Bay Area Cypherpunks Physical Meeting whether he would pay me to
implement some sort of solution to spam, but we didn't agree on a
strategy.

> Unfortunately, there's a variety of reasons that's never going to work.

Hey, the future is long.  (We hope.)

> One of the larger reasons is that despite a lot of smart people
> working on micropayments, we have nothing approaching a system that
> will work for billions of transactions per day, where 90% of the
> purported payments are bogus, along with the lack of any interface to
> the real world financial system that would scale and withstand the
> predictable attacks.

Coincidentally, I just blogged today about how we are much closer to
this now than we were then, even though none of the smart people that
you were probably thinking of are involved in the new deployments:

http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html#%5B%5BDecentralized%20Money%5D%5D

WoW-gold, for example, appears to have at least millions of transactions
a day.  Does anyone have more detail about the scale and scope of these
currencies?

> My white paper could use a little updating, but the basic conclusions
> remain sound:
>
> http://www.taugh.com/epostage.pdf

Thanks!  I'll read this.

Regards,

Zooko



Re: Proof of Work - atmospheric carbon

2009-01-26 Thread John Gilmore
> If POW tokens do become useful, and especially if they become money,
> machines will no longer sit idle. Users will expect their computers to
> be earning them money (assuming the reward is greater than the cost to
> operate).

Computers are already designed to consume much less electricity when
idle than when running full tilt.  This trend will continue and
extend; some modern chips throttle down to zero MHz and virtually zero
watts at idle, waking automatically at the next interrupt.

The last thing we need is to deploy a system designed to burn all
available cycles, consuming electricity and generating carbon dioxide,
all over the Internet, in order to produce small amounts of bitbux to
get emails or spams through.

Can't we just convert actual money in a bank account into bitbux --
cheaply and without a carbon tax?  Please?

John



Re: Proof of Work - atmospheric carbon

2009-01-26 Thread John Levine
> Can't we just convert actual money in a bank account into bitbux --
> cheaply and without a carbon tax?  Please?

If only.  People have been saying for at least a decade that all we
have to do to solve the spam problem is to charge a small fee for
every message sent.  Unfortunately, there's a variety of reasons
that's never going to work.  One of the larger reasons is that despite
a lot of smart people working on micropayments, we have nothing
approaching a system that will work for billions of transactions per
day, where 90% of the purported payments are bogus, along with the
lack of any interface to the real world financial system that would
scale and withstand the predictable attacks.

My white paper could use a little updating, but the basic conclusions
remain sound:

http://www.taugh.com/epostage.pdf

R's,
John
