asciilifeform: hearts should please the demurrage weirdos
asciilifeform: skulls, etc
asciilifeform: why not thighbones, then
asciilifeform: meatcoin.
asciilifeform: by this logic, teeth are nothing compared to fresh, still-beating hearts.
asciilifeform: Chaaang-Noi: the real question of our time is: how much lead one should hold.
asciilifeform: a long shot, but does anyone here know what floating point representation btc-e uses?
asciilifeform: there's just one place to hide btc in a sauna. here: http://www.usmbooks.com/cyanide_capsule.html
asciilifeform: in btc, we will need actual mechanical security.
asciilifeform: http://commons.wikimedia.org/wiki/File:Ultima_Ratio_Regum_Cannon.jpg
asciilifeform: trillion dollar transactions in fiat are secured via "Ultima Ratio Regum."
asciilifeform: http://polimedia.us/trilema/2013/some-basic-discussion-of-bitcoin-macroeconomy/
asciilifeform: recall the fellow in MP's comments who implied that secure systems were used by banks to secure "trillion dollar transactions" ?
asciilifeform: "who do you sue when your parachute doesn't open"
asciilifeform: anyone who cried over the ending of "shall be delivered" (http://thewhet.net/2012/shall-be-delivered/) hasn't really made peace with the cold equations yet.
asciilifeform: btc is the first step into the fun world of interstellar commerce, where fuckups are between you and your gods to cry over
asciilifeform: so far, whenever banks get burned, ultimately some nice fellows with printing presses (or automatic weapons, if need be) show up to make them whole again.
asciilifeform: no serious surprise here
asciilifeform: mircea_popescu: ?
asciilifeform: btc is where the cold equations meet your skin up close and personal
asciilifeform: banks, interestingly, don't terribly mind being hackable, because sovereigns can sort of reverse their fuckups for them. and at any rate, they pass the cost onto chumps.
asciilifeform: mircea_popescu: the fact that all of your assets appear to be roughly where they are supposed to be is proof only of your good fortune.
asciilifeform: mircea_popescu: I sincerely hope you're joking
asciilifeform: mircea_popescu: yes, but the false implication is that someone, somewhere on Planet 3 can actually buy a computer. in actual fact, they can only buy a "combuder."
asciilifeform: "The "you don't own your computer" paradigm is not merely wrong. It is violently, disastrously wrong, and the consequences of this error are likely to be felt for generations to come, unless steps are taken to prevent it."
asciilifeform: imagine if someone were to "root" your eyes and your hands.
asciilifeform: you are trusting the work of ten thousand people (some of whom think your flesh is rather tasty) when you ask it to represent the world to your eyes and act on your behalf.
asciilifeform: what most people don't get is that your computer is your priest, doctor, and shrink all in one box: http://glyf.livejournal.com/46589.html
asciilifeform: and, of course, the grandfather of them all: http://en.wikipedia.org/wiki/The_Cold_Equations
asciilifeform: this one: http://thewhet.net/2012/shall-be-delivered/
asciilifeform: recall the story by your PR girl?
asciilifeform: but when you routinely unearth the plaintext onto potentially-compromised hardware, you are shitting in your kitchen
asciilifeform: well yes
asciilifeform: except that phrasing the problem as a failure to encrypt is misleading
asciilifeform: on a new machine architecture, that crypts ram/disk natively, and a number of other essentials...
asciilifeform: the one common idea here is that keeping one's money in a public toilet is a Bad Thing.
asciilifeform: my point, though, is that even if you dispense with the convenience of sessions and go the full-bore "hair shirt" with a paper one-time-pad or whatnot, a compromised machine is still a compromised machine.
asciilifeform: but the chumps love it (except when they don't, yes)
asciilifeform: the whole pc orchestra (incl. but not limited to wintel) is idiocy from hell.
asciilifeform: it is rather like, most people are only vaguely aware that they have livers, until the shot rings out and there is an extra bodily orifice suddenly present.
asciilifeform: perhaps consumers should be encouraged rather than discouraged in their belief that their pc is alive and is inhabited by devils.
asciilifeform: that's no excuse: http://historum.com/asian-history/14743-jigai-vs-seppuku-japanese-female-suicide.html
asciilifeform: what, just because she's a girl?
asciilifeform: the whining is disappointing
asciilifeform: the proper course of action in a case like this is to 1) publish a (sanitized) image of your hdd and 2) perform manly seppuku if necessary
asciilifeform: the very same?
asciilifeform: wait a sec, this was your camgirl ?
asciilifeform: someone should sit with the chump, and patiently explain that mtgox doesn't talk to your yubikey. it talks to your idiot consumer pc that happens to have a yubikey plugged in, and a display that can output whatever your new owner wants it to.
asciilifeform: "my house was raided by interstellar bandits, and they took my TV set to alpha centauri." - "please file a police report."
asciilifeform: gotta love the advice to file a police report
asciilifeform: and if you find a fresh one, I do hope you have better sense than to tell us.
asciilifeform: optimator: http://en.wikipedia.org/wiki/Virtual_machine_escape
asciilifeform: the latter.
asciilifeform: for instance, AFAIK most x86 virtualization setups leak info through the tlb cache (timing)
asciilifeform: optimator: if the virtualization scheme has an escape (or even just leaks info) you're just as fucked
asciilifeform: this is deeply and profoundly true.
asciilifeform: it not only lets you sell the same machine many times, but passes the security buck to the chump: "oh, you got rooted? your fault, should have patched yourself"
asciilifeform: but in the pc world it is used as an attempt to paper over the fact that the os sucks
asciilifeform: some machine architectures (ibm mainframes) had virtualization baked in in an intelligent way, vs. the x86 retrofit
asciilifeform: it is like fractional reserve banking for the hosting business.
asciilifeform: so you can rent a "server" to chumps without actually using one up
asciilifeform: example of the latter: many (most?) xen installs let you set the virtual nic card into promiscuous mode if you root one running os
asciilifeform: vm escapes run the spectrum from the apocalyptic to the "it always worked this way and we don't give a fuck"
asciilifeform: ok, wasn't me this time. but "I approve of this message (tm)"
asciilifeform: did I write that?
asciilifeform: as it should be. but if a PC is involved, you might run into strange one day
asciilifeform: yes
asciilifeform: pgp over http (or, someday, over pigeon?)
asciilifeform: to sign mpex messages?
asciilifeform: or ought to
asciilifeform: mircea_popescu: yes, the girls calculate RSA signatures for you with paper and pencil
asciilifeform: alternatively, a drive-by is used to make your machine click "yes" for you.
asciilifeform: now you go to a site with routinely botched ssl, like mtgox (at least in the recent past), and then click "what the hell" when your browser complains
asciilifeform: then, mass MITM of gmail, etc
asciilifeform: I'll mention one example from places far away. In certain countries, doctored root certs are routinely placed into default ms-windows installs wherever possible.
asciilifeform: feel free to interpret my silence as proof that I'm full of shit, but personally I'm rather fond of living.
asciilifeform: re: btc specifically?
asciilifeform: my other point is that btc ups the ante for working on hard targets as well as soft ones. you can do some very nice MITM with a compromised router, for instance.
asciilifeform: *egregious
asciilifeform: jre is just a well-known egregous case. drive-bys are regularly discovered in just about every consumer browser
asciilifeform: you'd be surprised
asciilifeform: and some people shit in their kitchen, yes
asciilifeform: some people have jre installed for wurk, etc
asciilifeform: this <- patching bitcoind.
asciilifeform: mircea_popescu: believe me (or not, your choice) this is actually very, very easy.
asciilifeform: as far as the world could tell (even if you log all the packets coming out of your home) it will look like you voluntarily donated your stash to X.
asciilifeform: btw there is never any real need to steal wallet.dat. all you need to do is patch bitcoind (or whatever) on the disk so that it sends everything to address X when you finally key in the passphrase.
asciilifeform: SSL is a joke by design.
asciilifeform: optimator: have you personally gone through the trusted public cert store in your browser/OS?
asciilifeform: truecrypt in particular is trivially broken on a compromised machine.
asciilifeform: an amoeba colony, but in a public toilet, waiting for the janitor and his chlorine.
asciilifeform: my only argument, really, is that btc as we know it is a soft target, and that life will become considerably more interesting once the truly competent people take an interest in playing.
asciilifeform: not that I believe the linked thread to be evidence of such, mind you
asciilifeform: so it is entirely conceivable that a yubikey-enabled gox diddler exists but has managed to infect only paupers
asciilifeform: all he has is hope, that some of the chumps will own high-end ATI cards, etc
asciilifeform: the author has little control over who will be infected
asciilifeform: I study trojans for money. Most BTC botnets, for example, are quite pitiful (a handful of GH/sec.)
asciilifeform: nobody had to, but a trojan
asciilifeform: or if the switch has bounce
asciilifeform: one more observation: yubi works by emulating usb keyboard. which makes for a very simple man in the middle, esp. if you press the button an extra time.