The Good, The Bad And The Ugly Of Bitcoin Security

Posted by Harshad

Posted: 04 Mar 2014 07:01 AM PST

It’s probably safe to assume that Bitcoin is here to stay. Yes, it’s a bit volatile and yes, other cryptocurrencies are a lot easier to mine and a lot cheaper to buy, but the ever-growing number of ways to spend bitcoins – plus the fact that it’s still around after being proclaimed dead numerous times over the past few years – is a testament to the resilience of the world’s most popular, and polarizing, cryptocurrency.

Thing is though, this doesn’t mean that you should blindly jump into Bitcoin. Aside from the high price of entry, a string of events over the past year has shown that while the Bitcoin protocol itself may be secure, the wallets and services used to store and exchange bitcoins may not be.

Here’s a quick look into the security of the bitcoin protocol itself as well as some notable instances of large-scale bitcoin theft.

Encryption And the Blockchain

Bitcoin is one of many cryptocurrencies available today. Cryptocurrencies are digital currencies that implement cryptography as a central part of the protocol, in order to establish pseudonymous (or anonymous) and decentralized currencies.

Bitcoin uses the SHA-256 hash function for both its Proof-of-Work (PoW) system and transaction verification. The security of the bitcoin protocol lies in one of its fundamental characteristics: the transaction blockchain.

Bitcoin Blockchain

The blockchain is basically a chain of multiple "blocks" containing transaction history. The blockchain starts with the initial block, known as the genesis block. Transactions and solved hashes add new blocks after this genesis block, creating a blockchain.

The image below shows a visualisation of the blockchain, with the genesis block in green and the longest blockchain in black:

Bitcoin Blockchain
(Image Source: Wikipedia)

Within the bitcoin protocol, the blockchain that has seen the most work put into it is considered to be the best blockchain and the one that the entire protocol refers to when verifying transactions. Bitcoins are considered spent once a transaction has been verified.

Double Spending

It’s possible (despite belief to the contrary) to trick the blockchain and spend the same bitcoins twice, an action known as double spending.

There are a number of ways this can be done. If a merchant doesn’t wait for transaction confirmation, bitcoins can be double spent by attacker(s) quickly sending two conflicting transactions into the network. Another way is to pre-mine one transaction into a block and then spend the same coins, before releasing the block into the blockchain.

However, the amount of computing power required to pull this off makes it less profitable than simply mining bitcoins legitimately.

Bitcoin Wallets

Bitcoins are stored in wallets, but unlike, say, a PayPal account, these "wallets" don’t actually store the bitcoins themselves. Despite a number of different implementations and formats, wallets generally contain a public key that is used to receive bitcoins (similar to a bank account number). They also contain a private key that is used to prove that you are indeed the owner of the bitcoins you’re trying to spend.

Storing Bitcoins Offline

Wallets are usually stored digitally, either locally or online, but there are more secure ways to store bitcoins. Your bitcoin "wallets" can be printed out and stored on paper. A paper wallet is a slip of paper with both your private and public keys printed on it.

Bitcoin Paper Wallet

There are also hardware wallets, which store key information in offline hardware. Their advantage is that the key data is stored in a protected area of a microcontroller, so they are immune to the malware that can steal wallets stored on ordinary computers.

The bitcoins stored in hardware wallets can also be used directly, unlike paper wallets, which need to be keyed in or imported to software. Pi-Wallet (pictured below) is one of the few currently available hardware wallets. You can even build your own Pi-Wallet.


Security Breaches

As mentioned earlier, the bitcoin protocol itself may be secure enough, but this does not extend to all the sites and services that deal in bitcoin. Here’s a quick rundown of some of the more notable instances of security-related issues over the past year or two.


In October 2013, the online Bitcoin wallet service inputs.io was hacked twice. A total of 4,100 bitcoins, worth about $1.2 million at the time, were stolen via a social engineering attack that gained access to inputs.io’s systems hosted on Linode, a cloud-hosting provider.

By compromising a series of email accounts, beginning with an email account that the inputs.io founder had set up six years prior to the attack, the hacker managed to gain access to the site’s account on Linode and reset the site’s account password.

Mt. Gox

Mt. Gox, which used to be one of the leading Bitcoin exchange services, has filed for bankruptcy protection, having lost a staggering amount of bitcoins: $468 million worth!

Mt. Gox’s demise began in early February when it, alongside other Bitcoin exchange sites such as BTC-e, froze Bitcoin withdrawals citing heavy Distributed Denial of Service (DDoS) attacks aimed at taking advantage of bitcoin’s transaction malleability.

Simply put, transaction malleability means that it’s possible for a valid transaction to be modified so that it appears not to have gone through, when in reality it was successful.

Mt. Gox Protesters
(Image Source: Businessweek)

However, transaction malleability is not a new issue. Neither is it one that is impossible to solve, as Bitcoin developer Greg Maxwell has pointed out.

In fact, other Bitcoin exchanges such as Bitstamp and BTC-E are still operational, having resolved the issues on their side and resumed processing transactions within days of initially freezing them. Most damning of all, though, are the aforementioned lost bitcoins and the poor security and accounting at Mt. Gox, as detailed in a leaked series of slides. There might have been more going on behind the scenes than just issues with transaction malleability.

Silk Road 2.0

In February this year, $2.7 million worth of bitcoins were stolen from Silk Road 2.0’s escrow account. This heist occurred at roughly the same time as the aforementioned DDoS attacks on bitcoin exchanges such as Mt. Gox, and exploited the same transaction malleability in the bitcoin protocol.

However, unlike the bitcoin exchanges, which shut themselves down as a precautionary measure, Silk Road 2.0 did not shut itself down and was attacked during a re-launch phase when all bitcoins were stored in hot storage.

Silk Road 2.0

However, some users, such as those on Reddit’s DarkNetMarkets, believe that the hacking story was a cover-up – and that Silk Road 2.0 was a scam from the start.

The idea is that the new Dread Pirate Roberts set up the site expressly to steal users’ bitcoins, leveraging on the trust present in the Silk Road name. The illicit nature of the goods bought and sold on Silk Road 2.0 would help such an endeavour, since it would make victims think twice about seeking aid from law enforcement.

"Pony" Botnet

Over the course of 5 months (Sept 2013 – Jan 2014), criminals used a botnet known as Pony to infect a large number of computers, stealing up to $220,000 worth of bitcoins and other cryptocurrencies. Pony was the same botnet that was found to have stolen more than two million passwords and stored them on a server owned by the hackers.

Pony infected computers and stole bitcoin wallets stored locally on the infected machines, effectively showing the dangers of storing bitcoin wallets on Internet-connected devices.

51% Attack

This isn’t a security breach per se, but it is one of the bitcoin network’s most dangerous weaknesses. When an individual or a group of individuals owns more than 50% of the computing power within the bitcoin network, the network is opened up to the possibility of a 51% attack – the advantage in computing power can be used to fork the main transaction blockchain and commit fraud, including the double spending discussed earlier.

While this may seem far-fetched, the bitcoin network was nearly exposed to such an attack earlier this year. In January, panic spread when Ghash.io, a mining pool, began approaching that 50% limit. The situation was resolved without incident, due to miners leaving Ghash.io for smaller pools, as well as the pool’s own decision to stop accepting new miners.

While the reaction shows that the bitcoin network can self-regulate, having to rely on miners and pool owners doing the right thing is problematic, to say the least. The distribution of mining power has become less concentrated, but the possibility remains that a 51% attack can still happen.

Bitcoin Mining Distribution
(Image Source: Blockchain.info)

Final Thoughts

It’s hard to deny that there are indeed security issues with bitcoin. However, a recurring theme is the fact that these security breaches and issues have less to do with the protocol itself, and a lot more to do with the people and services handling and storing these bitcoins.

For instance, the inputs.io bitcoin heist and the Pony botnet took advantage of wallets stored online and on Internet-connected computers. Simply storing Bitcoins in an offline savings wallet, such as a paper or hardware wallet, should eliminate the risk of having bitcoin wallets stolen over the Internet. While some of the money lost in the Mt. Gox fiasco was indeed from offline wallets, there is conjecture that this was a direct result of how Mt. Gox implemented an automated system which pulled from offline wallets when needed.

Dodgy Exchanges

The dangers of once-trusted sites and exchanges such as Mt. Gox and Silk Road 2.0 either being hacked or imploding and going offline are not so easily dismissed, though. The lack of a central authority that regulates bitcoin can be seen as a strength, but it’s also a weakness. For one, it may be a lot more difficult to hold individuals or companies accountable through legal channels.

More importantly, though, the unregulated bitcoin ecosystem means that there’s no way to ensure that services and exchanges comply with standards of trustworthiness and security. We trust banks because we know that they’re heavily regulated and can’t be established on a whim. This plainly hasn’t been the case with bitcoin exchanges.

The Future?

Interestingly enough, the fallout from Mt. Gox may just be good for bitcoin. In a joint statement issued by 5 leading bitcoin exchanges, the need for appropriate and independently audited safety measures for custodians, alongside more transparency and accountability, is brought up.

It’s conceivable that such measures are exactly what bitcoin needs if it wants to survive recent events and reestablish its credibility and security. Ironically however, these forms of regulation and auditing may end up going against the original spirit of bitcoin. How this paradox will resolve itself, though, remains to be seen.


Fresh Resources for Designers and Developers — March 2014

Posted: 04 Mar 2014 05:01 AM PST

We have been covering this series for almost two years now. But it seems that the resources for developers and designers are infinite; every month, there will always be a new list, and we’re going to keep this coming as long as developers keep making really awesome resources to share with web users.

This round, we’ve put together a number of tools that are not only useful but also great time savers, such as a tool that helps you in synchronized browser testing, one to grab screenshots off multiple screen sizes, and a color scheme collection of top brands in CSS, SCSS, and LESS format. Let’s check them out.


Sachen is a collection of Sass and Compass extensions. You can find responsive frameworks, font icons, common design patterns, as well as Mixin libraries. If you build websites with Sass and Compass, save Sanchen in Bookmark for your reference later.

Launch Rocket

LaunchRocket is an OS X Preference Pane to manage services that have been installed through Homebrew. Homebrew is an OS X utility that allows you to install tools, packages, or services like PHP, Nginx, and MySQL in OS X. With LaunchRocket, you can turn them on or off through OS X System Preferences instead of using the Terminal.


Building a responsive website means that you have to test the website on multiple browsers; both on desktop, and mobile browsers. BrowserSync is a tool that allows you to sync website testing on multiple browsers. So changes as well as actions that occur (scroll, click, and refresh) will automatically be reflected in all the browsers.

Free Programming Book

One of the best things about the design and development industry is that there are loads of free books for learning the skills. Here, you can find an enormous collection of free programming books on various languages, including C, C++, Java, HTML, JavaScript, and CSS. Go ahead and grab them.

JS The Right Way

JS The Right Way collects resources for JavaScript best practices from the experts in the field. If you are currently learning JavaScript, this is the source to learn how to write JavaScript the right way.


Pageres is a command-line tool that allows you to grab web screenshots in multiple sizes at once. It is a perfect fit for testing responsive websites. Or, if you are like me and frequently cover web tools, Pageres could be a very handy tool for the job.


WPGear is a collection of tools and resources for WordPress plugin and theme developers. You can find a number of debugging tools, plugins, frameworks, and boilerplates for starting off your WordPress-based projects.

The Pattern Library

Are you a designer looking for patterns? Visit the Pattern Library. You can find a collection of beautiful and striking patterns designed by several designers.


BrandColors is a collection of color schemes used by top brands in the tech industry like Facebook, Twitter, Adobe, eBay, Stripe, Salesforce, Red Hat, and many more. You can download the colors in CSS, SCSS, and LESS format.

Bootstrap UI Kit

This UI Kit transforms the Bootstrap UI into vector graphic format to allow infinite scalability. It’s a perfect resource for developers who build design prototypes with Bootstrap.


Why We Need a Keyboard Revolution

Posted: 04 Mar 2014 02:01 AM PST

Editor’s note: This is a contributed post by Ioannis Verdelis, the co-founder and COO of Fleksy, a revolutionary keyboard that makes typing on a touchscreen so easy you can type without even looking. Connect with him on Twitter.

One of the biggest myths in America is that the QWERTY keyboard was scientifically designed to be the most efficient key layout. Look at the point values the next time you play Words with Friends or Scrabble. The letters with lower point values are the easy letters to play because they’re used in the most words.

About 70 percent of words in the English language can be created using the letters DHIATENSOR, yet from that list, your fingers only touch "A," "S," "D," and "H" at their resting position on a QWERTY keyboard. Why are we stuck using such an inefficient method?


The QWERTY layout dates back to the days of mechanical typewriters (the 1870s, to be more specific). We all know you can’t type as fast as you think and speak. What isn’t as well known is that this limitation was implemented on purpose — Remington adopted the layout on its typewriter specifically to slow down fast typists. If you typed too fast, you’d make the machine work harder and increase its chances of mechanical failure.

Needless to say, physical keyboards have evolved a lot in the last century and a half, so there’s no longer a need to slow ourselves down with these input methods. Not only that, technology is on the verge of completely removing mechanical boundaries with touch- and movement-based input.

Think you type fast? If you want to put your typing skills to a real test, try reconfiguring your keyboard to one of these QWERTY alternatives, Dvorak and Colemak, and see how you fare. (On Mac, Go to Keyboard > Input Sources > Dvorak to switch to the Dvorak layout.)



(Image source: wikimedia.org)

Although introduced 70 years apart, both layouts are meant to be ergonomically correct and more intuitive than QWERTY. But touchscreens aren’t a perfect solution to our typing woes (as anyone who’s ever visited the site Damn You Autocorrect should know).

Autocorrect Isn’t Smart Enough

If our phones are so smart, autocorrect and predictive text really should know us better. The suggestions most systems provide show how far we have to go before our smartphones learn how to apply themselves.

On the technical side, autocorrect algorithms are evolving slightly, but there are still errors in the major virtual keyboard designs that are caused by mechanical limitations. Moving your finger over a glass screen produces random errors that amount to complete gibberish and have been known to occasionally crash your app or device.

Clearly, keyboard designers and smartphone manufacturers have a long way to go before the touchscreen is really perfected.

Typing, a Multi-Dimensional Problem

Make no mistake: the long-overdue keyboard revolution isn’t just dependent on the QWERTY layout or touchscreen technology. Typing is a multi-dimensional problem. Every person’s typing experience is unique, and the problems users face depend upon their language, behaviors, and personal typing quirks.

Even today, every language has a different keyboard layout, and each user has different expectations and seeks different features: touchscreens pose a unique challenge for users who are blind because they lack the tactile feedback of mechanical keyboards. Gamers tend to use certain keys more than the average user, including the "W," "A," "S," and "D."

When you look at how many variations of writing, sign language, and other communication methods we’ve come up with as humans, we need a variety of options to interact with our gadgets, merging many technologies between typing (seen as a business activity) and video games (seen as an entertainment activity).

The Race to Perfect the Typing Experience

Device manufacturers are acutely aware of users’ expanding typing needs — both on their home computers and their mobile touchscreen devices. They are in a race to provide a more seamless experience (especially on mobile) that makes typing on a smartphone just as easy and convenient as typing on a traditional mechanical or membrane keyboard.

The iPhone is so popular because it’s a great tool for creating and receiving content. The iPhone represents the apex of smartphone design, but it hasn’t yet perfected the content experience in China. The Chinese prefer a larger screen for prolonged reading and content consumption.

Samsung already has bendable and foldable prototypes, Google Glass is nearing a full consumer launch phase, and everyone from the big guns at Microsoft to the little guys in garages are looking into creating fully interactive experiences within our homes, offices, and everywhere else we go.

Gesture-based input is advanced to the point where QWERTY, once a pain in our necks that was forced upon us, is now just a personal preference. Take Fleksy’s design, for instance, which gives users the option to use gestures instead of the spacebar or delete key.

In Conclusion

With all of this innovation, we hold on to QWERTY more out of nostalgia than anything else. The paradigm of buttons is quickly dying, and in a few generations, it’s possible that voice-activated AI assistants will fully saturate society (although I’m sure QWERTY, much like Linux, will always have a strong following). We need to rethink our expectations and perceptions of how we interact with our devices.

The infinite possibilities of UI presented by shifting trends in mobile and wearable technology open the door to reimagining how we interact and communicate with the world around us. Perhaps in the future, we won’t need to do very much typing at all, but in the meantime, we need a keyboard revolution.


Create Built-In Loading Effect in Buttons with LADDA

Posted: 03 Mar 2014 11:01 PM PST

There are various kinds of animation you can apply to your webpage: animation for text, modal boxes, transitions and progress indicators. For progress indicators, usually in the form of bars, the progress you see on the bar indicates how much progress has been made (or loaded). If, however, you are interested in progress inside a button, try out Ladda.

Ladda is a jQuery plugin made by Hakim El Hattab to give you a loading effect inside a button. It’s a UI concept that effectively bridges the gap between action and feedback. Users are given feedback in the form of a loading indicator instead of having to leave the page. There is also a version of Ladda for WordPress available.

Basic Usage

Ladda can be used as a standalone plugin which needs no other dependencies. To get started, you first have to include both the ladda.min.js and spin.min.js files, which you can get from the GitHub page, in your project, like so.

 <script src="js/spin.min.js"></script>
 <script src="js/ladda.min.js"></script>

To make the button apply the default Ladda themes, load the ladda.min.css file. If you want only functional buttons without the theme, load the ladda-themeless.min.css file instead.

 <link rel="stylesheet" href="dist/ladda.min.css"> 

HTML Markup

In order to make Ladda work, you have to add the ladda-button class to the button. Here is an example:

 <button class="ladda-button" data-color="mint" data-style="expand-right" data-size="xl">Submit</button> 

Ladda also lets you set options in the HTML using data attributes on the button. As you can see above, the button uses data-style for the animation style. To apply a different style, check the full list on the demo page.

To change the color, use data-color. For button size, add data-size to the button.

Merging with the Server

Now, to hook the loading animation up to a submission to the server (which will reload the page after the animation), we need the bind() method. It binds progress buttons and, in this example, simulates loading progress:

 <script>
 Ladda.bind( 'button', {
   callback: function( instance ) {
     var progress = 0;
     var interval = setInterval( function() {
       progress = Math.min( progress + Math.random() * 0.1, 1 );
       instance.setProgress( progress );
       if( progress === 1 ) {
         instance.stop();
         clearInterval( interval );
       }
     }, 200 );
   }
 });
 </script>

You can also control your buttons through the JavaScript API, as follows:

 <script>
 var l = Ladda.create( document.querySelector( 'button' ) );
 l.start();            // show the loading indicator
 l.stop();             // hide it again
 l.toggle();           // start if stopped, stop if started
 l.isLoading();        // true while the indicator is showing
 l.setProgress( 0.5 ); // progress bar; accepts any value from 0 to 1
 </script>


With the support of Bootstrap and being responsive as well, Ladda is worth a try in your project. Moreover, it has been tested and it works well in the latest version of Chrome, Firefox, Safari as well as IE9 and above. Feel free to let us know what you think in the comment box below.


How To Change OneDrive Default Location On Windows 8.1 [QuickTip]

Posted: 03 Mar 2014 09:01 PM PST

Microsoft’s OneDrive (previously known as SkyDrive) is a cloud storage service inside Windows 8.1 via which users can sync their files to all their Windows devices. Because it’s installed together with Windows 8.1, its folder is located on the operating system hard drive. This might be a turn-off for users with a small-capacity solid state drive.


This quick tip will help you relocate the default OneDrive folder location to open up storage space for the installation of other files. It’ll be good to relocate it to a secondary storage drive on your computer.

Note: Microsoft hasn’t updated SkyDrive to OneDrive as seen in the pictures during the time of this writing.

Change OneDrive Default Folder Location

Open a Windows File Explorer window, right-click on SkyDrive in the quick navigation pane on the right and select Properties.

SkyDrive Properties

A window with the SkyDrive properties will pop up. Under the Location tab, you’ll see the current location of the SkyDrive folder. To change this, click on Move… and choose the folder you want to move all of your SkyDrive’s contents to.

SkyDrive Folder Location

Once you’ve selected a folder, click OK and it’ll prompt you if you want to move all the files from the current location to the new folder location. Click on Yes.

SkyDrive Move

Now when new files get synced to this computer, they’ll be stored in the new location. Everything will work as it should and you’ll have more free space on your operating system hard drive or solid state drive.


