Ep. 22 Tinker, Tailor, Coinbase, Spy


In this episode of The Unhashed Podcast: Coinbase is embroiled in all sorts of new controversies. Are they underpaying their bug bounty hunters while also over-stacking their chainalysis efforts? And what does this mean for privacy (or what little there is left) on the platform going forward? MuSig has just been revealed, but what is it? A new release from Blockstream that improves multisig, or a really uncreative name for a brand new, ultra-powerful Pokemon with a nasty tobacco habit? And... Roger Ver has officially announced that he will be announcing an announcement that he will announce his becoming an advisor to a second shitcoin. Can livencoin or livencoin or livencoin or whatever the fuck it's called achieve instant pee-to-peer transactions better than BCH could, and is his endorsement an admission that BCH failed?

Weekly News Wrap Up (Feb 11):

  1. Another day, another bug. Coinbase has handed out a massive $30,000 bug bounty for a critical vulnerability in its systems. The flaw was logged on February 12 via Coinbase’s vulnerability disclosure program on HackerOne. A Coinbase spokesperson confirmed to Hard Fork that the vulnerability has since been fixed. While the vulnerability report is closed to the public, the 30k bounty places it in between the highest and second highest tiers for bug bounties offered by Coinbase, meaning this vulnerability must have been pretty critical. “In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers,” the company’s bounty terms stipulate. “Coinbase awards bounties based on severity of the vulnerability. We determine severity based on two factors: impact and exploitability.”

  2. Coinbase acquires Neutrino, a “blockchain intelligence platform”, singing their praises. A lot of people aren’t pleased about this, as it turns out this is a company known for selling surveillance tools to authoritarian states with histories of human rights abuses, like Egypt, and the founders’ earlier startup also provided tech to Saudi Arabia (Francis’ tweet), one of the world’s poster children for human rights violations. Even if you set aside the moral issues, Peter Todd points out that hiring a team that puts backdoors into its own software is a terrible idea from a security perspective.

  3. Reporting from Dutch publication De Telegraaf indicates that three robbers, somewhat disguised as police, invaded a Dutch cryptocurrency trader’s home. The man was threatened with firearms and seriously injured with a ‘heavy drill’, according to the report. After an hour-long ordeal for the man and his daughter, the suspects left and are now being hunted as part of a major investigation. A fifteen-strong team of Dutch police, usually in charge of murder investigations, is working on the case. The team’s allocation shows the seriousness of the incident and the Dutch authorities’ focus on solving the crime. There is no information to suggest that his cryptocurrency holdings were stolen.

  4. Blockstream released their source code for MuSig, a standard for Schnorr multisignatures that is especially designed for Bitcoin in order to be secure and compact. The current release does come with a slight downside: randomness or state is required in order to ensure MuSig is secure. There are some ideas in the works that could potentially alleviate this problem, but for now the library is released as is. Questions to guide our audience to a better understanding:

    1. What are signatures?

    2. What is Schnorr and how does it compare to the current ECDSA?

    3. What are regular multisignatures, and what is MuSig?

    4. Why is it a problem to require randomness or state?

  5. Roger Ver took to Twitter to confirm he’s taken up the role as an ‘official advisor’ to a blockchain startup called LivenPay on Monday. The startup is due to begin their ICO later this week, seeking to raise $28 million. “I’m honored to help drive mass adoption of cryptocurrencies in Australia by teaming up with LivenPay as an official advisor,” Ver said in a tweet. “What will their top 10 Android app with 400,000 registered users and 20,000 venues do next? Stay tuned!”

ICO My God, They’re Serious:


Shout Outs:

Bryan: @WhatBitcoinDid MTGox series

Colin: This NYT article written by a Venezuelan on how Bitcoin is used there

Ruben: Eric Lombrozo on Twitter (@eric_lombrozo)

Mario: Janine’s thread on Coinbase’s growing shady history

Listener of the week:

Northman ₿  @CaptainCrypto4

One Final Note:

Make sure you are storing your crypto on something secure like a Ledger and backing it up on something sturdy like a Billfodl. If you buy these items through the links above, we do take a cut of the profits but it also helps support the show - a win/win for all involved.

Colin Aulds