Dear Berkeley, Thank You

Dear Berkeley,

If you had tried to talk to me after the #MiloAtCal event, I don’t think I would have talked to you.

In fact, I’m pretty sure I called you a pile of failing garbage on Twitter. So it’s safe to say I was pretty peeved. I came to Berkeley trying to see a Milo event, and I got blasted for wearing a “Make Bitcoin Great Again” hat. It’s been a couple of months since then, and I can’t say things have gotten any better between us, but since you’ve blasted another 100 faces with mace I have found a new perspective on the issue.

I think you have a problem.

Today there are more controversial debates in the streets of Berkeley than in the halls of its University. That’s not just hilarious, it’s a very defeating reality for the California University system. UC Berkeley used to be one of the top public universities in the country. Now the only thing the UC system is #1 in is donating to the DNC.[1]

If you had asked me two months ago if I was upset about the political violence in the streets of Berkeley I would have unleashed a 10 minute rant on you. Now I realize your temper and intolerance of alternative viewpoints is more your problem than mine.

When you arbitrarily label people to “legitimize” political violence, we win.

Yvette Felarca, a BAMN organizer at the Milo protests, said:

Well, first of all, Milo Yiannopoulos is a fascist. He’s a white supremacist. He’s funded by Steve Bannon and Breitbart. He’s an acolyte of Donald Trump. And he was on the UC-Berkeley campus to try and recruit more fascists, and to wage attacks on Muslim students, immigrant students, women and trans students.

When you censor people, we win.

I enjoy intellectual conversation as much as the next person with an IQ over 110, but this new methodology of banning and shouting people down is much more entertaining, not to mention easier. Before, speakers would actually have to write their speeches. Now Ann Coulter just announces where she’s planning on speaking, and she doesn’t even have to show up.

You do know that we can watch her on YouTube, right? You’ve turned conservative speeches into a national spectator sport. Universities all over the country are chasing controversial topics to the depths of 4chan, then assigning 4chan as homework.[2]

To quote Bernie Sanders:

To me, it’s a sign of intellectual weakness. If you can’t ask Ann Coulter in a polite way questions which expose the weakness of her arguments, if all you can do is boo, or shut her down, or prevent her from coming, what does that tell the world?

It tells us you don’t have an argument.

When you lie, we win.

In Berkeley, freedom of expression now includes imminent threats of violence, pepper spray, M80s, and civil war flags. But not Fascists, definitely not fascism. Thank you for reminding the rest of us that freedoms aren’t free, and it’s a constant battle to preserve them. Thank you for bringing out the silent majority; if it wasn’t for you I might never have heard from them.

I would rather win the war of ideas…

but parties are cool too.

If you manage to shut down our next event, we’ll pray for you at the Latter Day Church of Winning.

Citations

  1. “In fact, its professors and other employees and their families combined to give Barack Obama $1.2 million in the 2012 election cycle, making UC his largest donor.”
  2. University has Class Coursework Making Students Raid Us…

Top n Best Bitcoin Practices

1. Always Have Direct Control of Your Bitcoins (private keys).

If you don’t have the keys, you don’t control the bitcoins.

What does it mean to have control of your bitcoins? You want to make sure that you’re the only one with access to your private key.

Historically, one of the great advancements of Bitcoin over fiat currency is the ability to transfer and exchange value without a third party bank or payment processor. Using a third party bitcoin exchange undermines the value innate to Bitcoin.

Example: As in the cases of Bitstamp and Bitfinex, it’s possible for an exchange to get hacked and for the users holding “hot” wallets on it to lose their bitcoins. In the case of Mt. Gox, the exchange itself stole the users’ bitcoins. Any time your bitcoins are in an online exchange, or a “hot” wallet, they’re at risk.

Solution: Withdraw the bitcoins you are not intending to use in the near term and keep them in a cold wallet.

Hot Wallet vs. Cold Wallet

What is the difference between a hot wallet and a cold wallet? The simplest answer is that a hot wallet stores your bitcoins online, and a cold wallet stores your bitcoins offline.

Hot wallets connected to the internet are significantly riskier. You should not keep any significant sum of bitcoins online. If used correctly, a cold wallet protects against online threats, because it exists in an “air gap” and never exposes itself to the internet.

More on securing your wallet here.

2. Use a Wallet Backup and Double Check It

Part of the value in bitcoin is that you can “be your own bank” (to a degree). If you manage your private keys properly you can be reasonably certain your bitcoins stay yours. But with great power comes great responsibility. If you lose your private keys, there is little hope in recovering them, unless you’ve stored a backup.

To protect yourself from losing your wallet and your bitcoins, make sure to use a mnemonic recovery phrase. You’re going to want to write this down before you actually lose your wallet, since there is no way to recover it after the fact.

Attention: Did you catch that? If you don’t write this down and anything happens, all your bitcoins will be completely and irrevocably lost.

Mnemonic Recovery

Mnemonic: the process or technique of improving or developing the memory.

In the same way that it’s easier to remember a list if you turn it into a song, it’s easier to remember a bitcoin private key if you turn it into human-readable words.

HD Root Key:

xprv9s21ZrQH143K46MjamYFv12wUfxuoHvGxDGSy5MpGZyWhbhMfeEXydKKsyn61SSke8kZ7phepP2cM6M6zsX2DGYW9ptiwpqW7BX5gVSgJYv

Mnemonic Recovery Words:

squeeze assume insane boring inhale fold tourist toward cart turn physical marriage wise hidden flame

Most wallets will prompt you with your recovery mnemonic and password. But make sure you write it down (offline) and test it, to guarantee it works. Mnemonic recovery is generally used for cold wallets, but if you’re using a hot wallet instead, be sure to enable 2-factor authentication for all of your online accounts.
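As an added example (not code from the original post), here is how a wallet turns the recovery words into the HD root key, using only the Python standard library: the BIP39 seed is PBKDF2-HMAC-SHA512 over the words with the salt “mnemonic” plus an optional passphrase, and the BIP32 master key is HMAC-SHA512 of that seed under the key “Bitcoin seed”, serialised as an xprv with Base58Check. The backup_matches function is the “test it” step from the paragraph above: re-derive the root key from the words you wrote down and compare it with the root key the wallet shows. This example does not embed the 2048-word BIP39 wordlist, so it does not validate the mnemonic checksum that a real wallet checks, and all function names are this example’s own.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Standard constants: BIP32 mainnet xprv version bytes and the Base58 alphabet.
XPRV_VERSION = bytes.fromhex("0488ADE4")
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512. The passphrase is part of the salt,
    so the same words with a different passphrase give a different wallet."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048)


def seed_to_master(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with 'Bitcoin seed'; left half is the master
    private key, right half is the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def base58check_encode(payload: bytes) -> str:
    """Base58 of payload || first 4 bytes of double-SHA256(payload)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    number = int.from_bytes(data, "big")
    encoded = ""
    while number:
        number, remainder = divmod(number, 58)
        encoded = BASE58_ALPHABET[remainder] + encoded
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + encoded


def base58check_decode(text: str) -> bytes:
    """Inverse of base58check_encode; raises ValueError if the checksum is wrong."""
    number = 0
    for char in text:
        number = number * 58 + BASE58_ALPHABET.index(char)
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch")
    return payload


def master_xprv(seed: bytes) -> str:
    """Serialise the master key as a BIP32 xprv: version, depth 0, no parent
    fingerprint, child index 0, chain code, then the 0x00-prefixed private key."""
    private_key, chain_code = seed_to_master(seed)
    payload = (XPRV_VERSION + b"\x00" + b"\x00" * 4 + b"\x00" * 4
               + chain_code + b"\x00" + private_key)
    return base58check_encode(payload)


def backup_matches(written_words: str, wallet_xprv: str, passphrase: str = "") -> bool:
    """The 'test it' step: re-derive the root key from the words you wrote down
    and compare it with the root key the wallet displays."""
    derived = master_xprv(mnemonic_to_seed(written_words, passphrase))
    return hmac.compare_digest(derived, wallet_xprv)


if __name__ == "__main__":
    # BIP39 reference vector: eleven times "abandon" plus "about", passphrase "TREZOR".
    words = "abandon " * 11 + "about"
    root = master_xprv(mnemonic_to_seed(words, "TREZOR"))
    print("root key:      ", root)
    print("backup ok:     ", backup_matches(words, root, "TREZOR"))
    print("one word wrong:", backup_matches(words.replace("about", "abandon"), root, "TREZOR"))
```

A single mistyped, transposed or missing word (or a forgotten passphrase) derives a completely different root key, which is why the comparison is worth running while the original wallet is still available to compare against.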

2-Factor-Authentication

2FA is extremely important, not just for Bitcoin, but for all apps that deal with sensitive data. 2FA can protect you from hackers trying to gain access into your account. Still, it’s important to remember this does not protect you from the exchange itself.

Password Managers as Your Keychain

Mr. Laidback is perfectly comfortable reusing his same old password on all of the sites he visits. He understands and knows what a secure password is, but instead opts for using a combination of his pet’s name and birthday. When he’s forced to change his password, he adds the number “1” to the end of it in annoyance. Mr. Laidback doesn’t believe he is at any risk from reusing passwords, since he believes his accounts are of little value to hackers anyway. Don’t be Mr. Laidback, be better.

Reusing a password is the equivalent of dropping a copy of your master key every time you walk through a new door. Now the solution to this is not to rekey the doors every six months, but to stop leaving your keys everywhere. As you transition into more responsible key management you are going to need a keychain.

Password managers are your Keychain

Not all password managers are created equal. They all do the basic functions: they generate passwords and then they store them. But the most important questions to ask when validating the security of a password manager are:

  1. Are your encryption keys stored locally? (and not cloud-based)
  2. Can you trust the code? (open source with verifiable builds)

                                            1Password   LastPass   KeePass
  Are your encryption keys stored locally?      X                     X
  Can you trust the code?                                             X

Encryption Key Cloud Storage

The ability to store passwords on the cloud typically means you’ll have access to your passwords across browsers, networks, and devices. Each of the three password managers gives you the option of storing your password database in the cloud, but, I assume for usability reasons, LastPass requires it. If you’re comfortable storing encrypted passwords in the cloud you might use LastPass. However, storing the encryption keys to those passwords in the cloud is another thing entirely.

A 1Password support post (2014):

“The encrypted keys are stored with the data in the cloud. They are encrypted with keys derived from your Master Password. Your Master Password is not stored, but knowledge of it is required to be able to decrypt the keys that are used to encrypt the stored data.”

“You can read about the gory details of the key derivation, but that is a highly technical document.”

The link referenced now redirects to a general help page without any information on key derivation. But the Internet Archive Wayback Machine has a record of the previously listed sketchy key derivation mechanisms. Which for some reason they’ve removed. Not at all suspicious…

Do you trust 1Password to not store your Master Password and derived encryption key?

The correct answer is, you shouldn’t have to.

From a security perspective, if trust and a legal agreement are the only things protecting you, your security sucks. Providers claim to protect your privacy in the details of their service agreements, but really you have no control over your private keys. You don’t know if an employee is going to go rogue, or if someone with shiny shoes is going to strut along “legally” requesting your encryption keys and decrypting your “private” data.

The only way to encrypt with confidence is to keep control of your private keys at all times. In addition to this, KeePass allows you to require a “key file” stored locally, on a USB stick, or on a specific manufactured authentication device.

KeePass help:

“KeePass stores your passwords securely in an encrypted file (database). This database is locked with a master password, a key file and/or the current Windows account details. To open a database, all key sources (password, key file, …) are required. Together, these key sources form the Composite Master Key.”

Requiring this file together with your master password makes it slightly more difficult for an attacker to obtain your password database.
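The composite-key idea from the KeePass quote above, as an added example that is neither KeePass’s own code nor its file format: each key source is hashed on its own, the hashes are concatenated and hashed again, and the result goes through a salted, slow KDF before anything is unlocked. Only a random salt and a key-check value are written to disk, so the password, the key file and the derived key never leave the user’s control. The function names, the PBKDF2 round count and the HMAC key-check construction are this example’s own choices (Python standard library only).

```python
import hashlib
import hmac
import os
from typing import Optional

KDF_ROUNDS = 100_000  # illustrative; real managers tune this to the hardware


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each key source separately, then hash the concatenation. Every source
    used when the vault was created is needed to reproduce the same result."""
    sources = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if key_file is not None:
        sources.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(sources)).digest()


def derive_vault_key(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite with a salted KDF so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ROUNDS, dklen=32)


def create_vault(master_password: str, key_file: Optional[bytes]) -> dict:
    """What gets written to disk (or synced): a random salt and a key-check value.
    Neither the password, the key file nor the derived key is stored anywhere."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(composite_key(master_password, key_file), salt)
    verifier = hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock_vault(vault: dict, master_password: str, key_file: Optional[bytes]) -> bool:
    """Re-derive the key from the supplied sources and compare the key-check
    value in constant time; in a real vault this key would decrypt the database."""
    vault_key = derive_vault_key(composite_key(master_password, key_file), vault["salt"])
    candidate = hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


if __name__ == "__main__":
    key_file_bytes = os.urandom(64)  # constructed stand-in for a key file on a USB stick
    vault = create_vault("correct horse battery staple", key_file_bytes)
    print("password + key file:", unlock_vault(vault, "correct horse battery staple", key_file_bytes))
    print("password only:      ", unlock_vault(vault, "correct horse battery staple", None))
    print("wrong key file:     ", unlock_vault(vault, "correct horse battery staple", b"other"))
```

The point the example makes is the one in the quote: with a key file configured, a copy of the database plus the correct master password is still not enough, because the composite key never existed without the file’s hash in it.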

Open Source

In security there is no trust without transparency. How many experts have audited the code? Generally, being open source means more auditing has occurred. But this is not always true, and it is especially less true in the cryptography community, where experts are few and far between. Open source code could also mean that it is vulnerable to targeted attacks, such as KeeFarce for KeePass.

The extent to which open source code can improve your trust in a binary lies in your ability to download the source and verify the binaries against it. Open source means nothing when the source does not match the binary. No password management system is a silver bullet; they’re practical defenses against probable attack vectors.

For Mr. Laidback, using any of these password managers would be a significant improvement to his daily security practices. But for you and me, KeePass is the favorite. For anyone who’s skeptical, I’ll walk through an alternative open source solution in the next blog post.