The Antenna

finding signal in the noise

columns 2024.05

An experiment in personal news aggregation.

(date: 2024-02-02 17:13:16)


★ Simple Tricks and Nonsense

date: 2024-02-02, updated: 2024-02-03, from: Daring Fireball

Setting aside potential trademark complaints from their friends at Disney, this is what Apple should have saved the term “Force Touch” for.

https://daringfireball.net/2024/02/simple_tricks_and_nonsense


Friday Squid Blogging: Illex Squid in Argentina Waters

date: 2024-02-02, updated: 2024-01-26, from: Bruce Schneier blog

Argentina is reporting that there is a good population of illex squid in its waters ready for fishing, and is working to ensure that Chinese fishing boats don’t take it all.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

https://www.schneier.com/blog/archives/2024/02/friday-squid-blogging-illex-squid-in-argentina-waters.html


Vision Pro Developer Strap Now Available for $300

date: 2024-02-02, updated: 2024-02-02, from: Daring Fireball

https://developer.apple.com/visionos/resources/


David Kahn

date: 2024-02-02, updated: 2024-02-02, from: Bruce Schneier blog

David Kahn has died. His groundbreaking book, The Codebreakers, was the first serious book I read about codebreaking, and one of the primary reasons I entered this field.

He will be missed.

https://www.schneier.com/blog/archives/2024/02/david-kahn.html


The truth about the economy

date: 2024-02-02, from: Robert Reich’s blog

The one remaining problem can’t be dealt with through higher interest rates. It needs vigorous antitrust enforcement.

https://robertreich.substack.com/p/the-truth-about-the-economy


Apple Q1 2024 Results

date: 2024-02-02, updated: 2024-02-02, from: Daring Fireball

https://www.apple.com/newsroom/2024/02/apple-reports-first-quarter-results/


A Self-Enforcing Protocol to Solve Gerrymandering

date: 2024-02-02, updated: 2024-01-26, from: Bruce Schneier blog

In 2009, I wrote:

There are several ways two people can divide a piece of cake in half. One way is to find someone impartial to do it for them. This works, but it requires another person. Another way is for one person to divide the piece, and the other person to complain (to the police, a judge, or his parents) if he doesn’t think it’s fair. This also works, but still requires another person—at least to resolve disputes. A third way is for one person to do the dividing, and for the other person to choose the half he wants.

The point is that unlike protocols that require a neutral third party to complete (arbitrated), or protocols that require that neutral third party to resolve disputes (adjudicated), self-enforcing protocols just work. Cut-and-choose works because neither side can cheat. And while the math can get really complicated, the idea …

https://www.schneier.com/blog/archives/2024/02/a-self-enforcing-protocol-to-solve-gerrymandering.html


Why I was expelled from Miss Bouton’s nursery school

date: 2024-02-02, from: Robert Reich’s blog

The start of my schooling did not go well

https://robertreich.substack.com/p/why-i-was-expelled-from-miss-boutons


Five year full time curl anniversary

date: 2024-02-02, from: Daniel Stenberg Blog

Five years ago now, on February 2nd 2019, I started working for wolfSSL doing curl full time. I have now worked longer for wolfSSL than I previously did for Mozilla. I have said it before and I will say it again: working full time on curl is my definition of living the dream. Joining wolfSSL …

https://daniel.haxx.se/blog/2024/02/02/five-year-full-time-curl-anniversary/


Friday 2 February, 2024

date: 2024-02-02, from: John Naughton’s online diary

Young farmer of the year Provence, Summer 2023 at a street festival put on for kids by the local branch of the Farmers Union. Quote of the Day ”Sex without love is a meaningless experience, but as far as meaningless …

https://memex.naughtons.org/friday-2-february-2024/39091/


PCalc, Fantastical, and Over 598 Other Native VisionOS Apps, Are Available in the App Store For Launch Day

date: 2024-02-01, updated: 2024-02-01, from: Daring Fireball

https://www.apple.com/newsroom/2024/02/apple-announces-more-than-600-new-apps-built-for-apple-vision-pro/


What does Vision Pro & T1 connection have in common?

date: 2024-02-01, from: Om Malik blog

A review unit of Apple’s Vision Pro showed up yesterday. I’ve spent the majority of the past 24 hours setting it up. The setup was much simpler than I thought it would be. Given my previous experiences with the device at Apple Park, I have a slight advantage. So, your mileage might vary. Still, I …

https://om.co/2024/02/01/what-does-vision-pro-t1-connection-have-in-common/


Quiz: Do you favor giving some help to poor kids but even more to the rich?

date: 2024-02-01, from: Robert Reich’s blog

That’s the tradeoff in the new tax bill

https://robertreich.substack.com/p/quiz-do-you-favor-giving-some-help


The Stanford Digital Library Project

date: 2024-02-01, from: David Rosenthal’s blog

The Stanford Digital Library Project stated its goal thus:
The Stanford Integrated Digital Library Project will develop enabling technologies for an integrated “virtual” library to provide an array of new services and uniform access to networked information collections. The Integrated Digital Library will create a shared environment linking everything from personal information collections, to collections of conventional libraries, to large data collections shared by scientists.
Stanford librarians Vicky Reich and Rebecca Wesley provided the “library” input for the research.

Wayback Machine, 11/11/98
In particular Vicky explained citation indices, the concept behind Page Rank, to Larry Page and Sergey Brin. Andy Bechtolsheim was famously instrumental in persuading them to turn their demo of a Page Rank search engine into Google, the company. In his fascinating interview in the Computer History Museum’s oral history collection, Andy explains why the idea of ranking pages by their inbound links was so important.

Below the fold I have taken the liberty of transcribing and cleaning up the relevant section of Andy’s stream of consciousness, both because it is important history and because it exactly reflects the Andy I was privileged to know in the early days of Sun Microsystems.


This rough transcript runs from [47:47] to [53:35]. Andy speaks:

The true story is that I met the founders of Google before the company existed because they were, like I was, a student at Stanford. I’m not sure Larry was really ready to abandon the PhD program and jump into this. So I was in this same position once myself and I used the same line “you’ll always finish your PhD later”. Now the concern I had is that if they didn’t get going this great idea may be not happening.

Of course I was involved in the company itself but it was really really a very good idea, one of the best ideas I’ve ever seen. This notion of relevant search and relevant ads and this business model that solved it. Put it this way, I was very familiar with scientific publishing where what matters is not how many papers you write but how many people cite your papers. So if you apply the same thing to the Web clearly what is relevant is what other people link to and notice. You could automatically build a graph, a structure that said what’s more important than others.

At the time people didn’t think automatic search was actually possible because Alta Vista which was popular at the time just looked at keywords. What people would do is they would add the whole dictionary as a dark page behind the document. Since every word you are looking for is in the dictionary you couldn’t find anything any more because every document had every word. That wasn’t a path to success; you couldn’t actually look at the document because it could just be spam.

Yahoo believed fairly strongly, they actually had at one point talked to Larry and Sergey and maybe even Larry was offering them to sell them the idea but Yahoo passed on the belief that you just couldn’t do it. They really thought you could hire people, like newspaper editors, they would make the sports section and the garden section like a newspaper; select content from the Web that then they would present to the front page. Clearly that was not going to scale if there were millions of Web pages you just couldn’t keep it up.

So Larry and Sergey believed very strongly that it had to be automatic and that if that wasn’t possible — it was the only way to do it basically. That first demo which they had on a laptop was actually quite compelling it looked the same as before — here’s the lucky button. The only worry was they wanted to sort of demo they could scale the search engine to like a couple of racks of computers before they would raise the real venture and there was some question whether it was scalable. For that they just wanted to raise a small amount of money to build the first couple of racks with motherboards.

The money that I put in there on day one was actually before the company started helped to demonstrate that. So I bought them this check. They had the name of the company but the check was to the name of the company that didn’t exist. At the time some of the law firms were so busy they didn’t want to take on new clients that didn’t have some funding behind them. I figured if I write them a check it would help them to get the right firm. But I can’t claim any credit for what they’ve done it’s all due to the insight they had and the team they built.

Let me back up here. I couldn’t find stuff on Alta Vista so I was desperate for better search. A lot of my time was looking for data sheets and information I was looking for and if I couldn’t find anything on the Web the Web wouldn’t be very useful. Like, how do you find stuff? It’s the most important thing. So for me it was a personal goal to have something that would actually work.

But in any new company the first question is “what’s your business model?” Even at the time they had this model of sponsored links that would take your search query and link it to this ad inventory. I asked them “how much is it per click?” and they said 5 cents per click which is still their bottom price today - this is before they got into the competitive bidding - and I did this math in the back of my mind “a million clicks a day and 5 cents a click is $50K a day” — they can’t go broke.

I had no idea how this would scale, in effect I don’t think anybody understood this but it was clear that there was enough interest in finding the people who were looking for stuff. Let’s say you search for a tennis racket. That means you’re probably a tennis player and most likely there will be an ad that shows you tennis rackets or tennis balls or something that relates to your interest. And the key was you have an unlimited ad inventory, instead of having these banner ads that I have never clicked on in my life, maybe once.

Banner ads are a waste of bandwidth essentially. These ads were highly more relevant and even today except for spam mail it’s the most cost-effective way of advertising or finding customers. It took advantage of the fact that the Internet is a full-duplex communication path whereas banner ads were more like TV — here’s your ad break and here’s what you have to consume before you get to the next page.

Google was an absolutely brilliant idea but funnily enough their business really took off after the dot-com implosion in 2001. If you look at their historical revenue what happened at that point I believe was that people realized that they spent on banner ads was basically wasted and they got back to an ROI calculation of where do we apply money more cost-effectively and, yeah, so Google. Once people started bidding for the keywords of course the price per click went up but it still provides very very good value for advertisers.

https://blog.dshr.org/2024/02/the-stanford-digital-library-project.html


Facebook’s Extensive Surveillance Network

date: 2024-02-01, updated: 2024-01-26, from: Bruce Schneier blog

Consumer Reports is reporting that Facebook has built a massive surveillance network:

Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in the study had their data sent to Facebook by 2,230 companies. That number varied significantly, with some panelists’ data listing over 7,000 companies providing their data. The Markup helped Consumer Reports recruit participants for the study. Participants downloaded an archive of the previous three years of their data from their Facebook settings, then provided it to Consumer Reports…

https://www.schneier.com/blog/archives/2024/02/facebooks-extensive-surveillance-network.html


What Would You Do?

date: 2024-02-01, from: Dan Rather’s Steady

I write this not to advocate for people immigrating to the United States or to campaign against them. This is a story about a desperate journey that tens of thousands are making, in spite of the cost or consequences. Because they feel they must. It is not about one person or group. I am using the stories of Venezuelans as an example because so many have fled their country and are coming to ours. In 2023, more than 260,000 Venezuelan migrants crossed the U.S.-Mexico border. Venezuela’s migrants represent the largest displacement crisis in the world.

https://steady.substack.com/p/what-would-you-do


date: 2024-02-01, from: Robert Reich’s blog

Michael Johnson and other House leaders must pledge to certify the election results

https://robertreich.substack.com/p/how-trump-wins-the-presidency-even


Dealing with diverged git branches

date: 2024-02-01, updated: 2024-02-01, from: Julia Evans blog

https://jvns.ca/blog/2024/02/01/dealing-with-diverged-git-branches/


Elon’s gonzo pay

date: 2024-01-31, from: Robert Reich’s blog

A judge has ruled that Musk’s compensation package is excessive

https://robertreich.substack.com/p/elons-gonzo-pay


My 4 magic moments with Vision Pro

date: 2024-01-31, from: Om Malik blog

No, not again! Not another Vision Pro Review! I feel you — after all the reviews yesterday, I am pretty sure you don’t want to read another review. Here’s the good news — it’s not a review. Instead, I will share my quick impressions from a deep dive at Apple Park, and my four magic …

https://om.co/2024/01/31/my-4-magic-moments-with-vision-pro/


CFPB’s Proposed Data Rules

date: 2024-01-31, updated: 2024-01-26, from: Bruce Schneier blog

In October, the Consumer Financial Protection Bureau (CFPB) proposed a set of rules that if implemented would transform how financial institutions handle personal data about their customers. The rules put control of that data back in the hands of ordinary Americans, while at the same time undermining the data broker economy and increasing customer choice and competition. Beyond these economic effects, the rules have important data security benefits.

The CFPB’s rules align with a key security idea: the decoupling principle. By separating which companies see what parts of our data, and in what contexts, we can gain control over data about ourselves (improving privacy) and harden cloud infrastructure against hacks (improving security). Officials at the CFPB have described the new rules as an attempt to accelerate a shift toward “open banking,” and after an initial comment period on the new rules closed late last year, Rohit Chopra, the CFPB’s director, …

https://www.schneier.com/blog/archives/2024/01/cfpbs-proposed-data-rules.html


Office Hours: Can Taylor Swift, Dolly Parton, and Jon Stewart help Biden?

date: 2024-01-31, from: Robert Reich’s blog

How much impact would these entertainers have on voters?

https://robertreich.substack.com/p/office-hours-can-taylor-swift-dolly


curl 8.6.0

date: 2024-01-31, from: Daniel Stenberg Blog

Numbers
the 254th release
7 changes
56 days (total: 9,448)
154 bug-fixes (total: 9,888)
257 commits (total: 31,684)
0 new public libcurl function (total: 93)
1 new curl_easy_setopt() option (total: 304)
0 new curl command line option (total: 258)
65 contributors, 40 new (total: 3,078)
36 authors, 18 new (total: 1,237)
1 security fix (total: 151)

Release presentation

Security
CVE-2024-0853: OCSP verification bypass with TLS …

https://daniel.haxx.se/blog/2024/01/31/curl-8-6-0/


Wednesday 31 January, 2024

date: 2024-01-31, from: John Naughton’s online diary

Cambridge, late afternoon Snapped on my way to a book launch in Heffers. Quote of the Day ”It would be possible to say without exaggeration that the miners’ leaders were the stupidest men in England if we had not frequent …

https://memex.naughtons.org/wednesday-31-january-2024/39085/


New Images of Colossus Released

date: 2024-01-30, updated: 2024-01-29, from: Bruce Schneier blog

GCHQ has released new images of the WWII Colossus code-breaking computer, celebrating the machine’s eightieth anniversary (birthday?).

News article.

https://www.schneier.com/blog/archives/2024/01/new-images-of-colossus-released.html


★ The Vision Pro

date: 2024-01-30, updated: 2024-02-02, from: Daring Fireball

A headset, a spatial productivity platform, and a personal entertainment device.

https://daringfireball.net/2024/01/the_vision_pro


Apple’s Vision Pro -The Meta-Review.

date: 2024-01-30, from: Om Malik blog

Apple Vision Pro reviews have started to roll in — and depending on who you read, the consensus vacillates between amazing and work in progress. In most cases, they reflect some version of reality. If one is looking for faults with Apple’s face computer, then one will find them. And if you are looking at …

https://om.co/2024/01/30/apples-vision-pro-the-meta-review/


Criming On The Blockchain

date: 2024-01-30, from: David Rosenthal’s blog

I apologize for the delay in posting but, as you will see, the post I was working on grew rather long.

It seems obvious that doing crimes and writing the receipts to an immutable public ledger is risky, but many criminals have been convinced that there is no risk because cryptocurrencies such as Bitcoin are anonymous. Although there are cryptocurrencies with anonymous transactions, such as Monero and zCash, they are much more difficult to use and much less liquid than pseudonymous cryptocurrencies like Bitcoin. As many criminals have discovered, without an unrealistically intense focus on operational security (opsec), the identity behind the pseudonym can be revealed. An entire industry has evolved to do these revelations, tracing the flow of coins through their blockchains.

Below the fold I discuss the techniques and results of blockchain tracing, based on four main sources:
There are two main use cases for cryptocurrencies, speculation and crime. Although speculation is likely behind the majority of transactions its externalities, such as people losing their life savings, have caused it to be downgraded from “harmless” to “mostly harmless”, the minority of criminal transactions are definitely harmful. I’ve written about these harms in, among others, my EE380 talk, The Cryptocurrency Use Case and Cryptocurrency-enabled Crime.
Greenberg’s book lays out the history of blockchain tracing technology, starting from Sarah Meiklejohn et al’s 2013 paper entitled A Fistful of Bitcoins: Characterizing Payments Among Men with No Names. Their abstract reads:
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we characterize longitudinal changes in the Bitcoin market, the stresses these changes are placing on the system, and the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
Meiklejohn started from an observation by Satoshi Nakamoto. Greenberg quotes Nakamoto:
“Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner,” Satoshi wrote. “The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.”
Linking the inputs of multi-input transactions roughly halved the then number of Bitcoin users. Meiklejohn then developed the “change address” technique:
When you pay someone 6 bitcoins from a 10-coin address, 6 coins go to their address. Your change, 4 coins, is stored at a new address, which your wallet software creates for you. The challenge, when looking at that transaction on the blockchain as a sleuthing observer, is that the recipient’s address and the change address are both simply listed as outputs, with no label to tell them apart.

But sometimes, Meiklejohn realized, spotting the difference between the change address and the recipient address was easy: If one address had been used before and the other hadn’t, the second, totally fresh address could only be the change address.
Meiklejohn’s first criminal case started when “Flycracker” raised funds to mail Brian Krebs a baker’s dozen bags of heroin from Silk Road:
Flycracker had made it easy. By posting a Bitcoin address to the cybercriminal forum, he’d given Meiklejohn a starting point. She simply copied the thirty-four-character string into her blockchain software and looked at the transactions at that address. After collecting 2 bitcoins in donations at the address he’d posted, worth around $200 at the time, a little over three-quarters of the money had been sent to another address, with a third collecting the change. At a glance, Meiklejohn immediately identified the change address and checked the money’s destination against her database. Sure enough, the address was one of the nearly 300,000 she had already tagged as belonging to the Silk Road. Meiklejohn had just connected Flycracker’s address directly to the source of the heroin he’d tried to use to frame Krebs.
The first major cryptocurrency bust Greenberg recounts was the arrest of Silk Road’s Dread Pirate Roberts in a San Francisco library. It did not depend upon these tracing techniques:
The FBI has described that cybersurveillance coup as the result of a misconfiguration in the site’s use of the Tor anonymity software but has been reluctant to ever officially explain that error in a courtroom.
In fact:
it had been the IRS’s Gary Alford, sitting in his New Jersey home four months earlier, who’d done the meticulous, unglamorous work that had led to the case’s first real breakthrough. Alford had been using Google to dig up the earliest online posts about the Silk Road on drug forums when he’d found a curious artifact: Someone going by the name “altoid” had posted to a site called the Shroomery in January 2011 recommending the Silk Road’s just-launched dark web market as a source for drugs. Around the same time, a user with the same handle had also asked for programming help on a coding forum. On that page, altoid had listed his email address: rossulbricht@gmail.com.
Another IRS agent, Tigran Gambaryan, received a tip that Carl Force, one of the DEA agents working on Silk Road, had used a fake ID to set up an account at Bitstamp, a cryptocurrency exchange, and deposited a lot of BTC. He had cashed out $200K and, as Gambaryan examined his financial records:
He found that Force had, in late 2013, paid off his home’s entire mortgage, an outstanding loan of $130,000. He’d repaid, too, a $22,000 loan he’d taken out against his federal retirement account. He’d even made a gift of tens of thousands of dollars to his local church, the sort of largesse that, Gambaryan knew all too well, was tough to afford on a federal agent’s salary. The numbers only got shadier from there: Gambaryan found records of real estate investments in which Force had listed his net worth as more than 1 million. That wealth was almost entirely due, it became clear, to a massive influx of liquidated bitcoins from cryptocurrency exchanges like Bitstamp and CampBX that had flowed into Force’s bank accounts. The payments totaled $776,000 beyond his $150,000 annual DEA salary over the two prior years that he’d worked on the Silk Road case. With that ample financial padding, Force had then retired from the DEA, just days before Gambaryan began to look into his records.
Gambaryan could get Force’s wallet addresses from the exchanges he used, and he found an unencrypted message from DPR referencing a 525 BTC payment to Force’s investigative alias, but he needed proof. So, Greenberg writes:
Despite having read Meiklejohn’s paper, he possessed none of the data that she’d assembled over months of clustering Bitcoin addresses and identifying them with test transactions. So he simply started copying Bitcoin addresses from Carl Force’s account records—the ones he’d gotten from exchanges such as CampBX and Bitstamp—and pasting them into the search field on Blockchain.info, which displayed the entire blockchain on the web. At first, the collections of garbled character strings seemed meaningless to Gambaryan. But almost immediately, he could see he was onto something. On September 27, 2013, just a few days before Ross Ulbricht’s arrest, Gambaryan saw with a jolt of recognition that one of Force’s CampBX addresses had received a 525-bitcoin payment—the magic number that DPR had mentioned in his conveniently unencrypted message.
Gambaryan manually followed the chains backward, from their inputs to the outputs that caused them, until finally:
Following the money at each of the remaining addresses back one more step, he now saw the coins had originally come from just four sources. Each of those addresses had received their funds on the same day: August 4, 2013—the exact date when the Dread Pirate Roberts had told Nob he’d paid him. Gambaryan mentally recorded the payments: They were for 127, 61, 134, and 203 bitcoins. He added the numbers in his head. They summed up to 525 bitcoins.

The next morning, after a few hours’ sleep, Gambaryan began texting his DHS contact Jared Der-Yeghiayan, the Armenian American agent in Chicago whom he’d befriended. He needed to check the four addresses he’d found with someone who had access to the Dread Pirate Roberts’s Bitcoin wallet. As a member of the Silk Road investigation team, Der-Yeghiayan still had access to all the site’s server data, including its Bitcoin addresses. Der-Yeghiayan called Gambaryan back a few hours later and confirmed what Gambaryan already knew: Each of the four addresses belonged to DPR.
He thus became apparently the first law enforcer to use blockchain tracing as evidence in an investigation. Its first use in a trial appears to be when, with help from Nick Weaver, the prosecution of Ross Ulbricht introduced a trace of his payment for a murder-for-hire attempt:
But the day when the prosecution found the incontrovertible, public, and unerasable proof of Ulbricht’s Silk Road millions, argues Nick Weaver, remains a milestone in the history of cryptocurrency and crime. “That is the date,” Weaver says, “that you can state unequivocally that law enforcement learned that the blockchain is forever.”
The blockchain tracing industry’s pioneer, Chainalysis, spun out of the Kraken exchange as a result of the next big crime Greenberg covers, the collapse of the Mt. Gox exchange:
Kraken’s management, in a pro bono attempt to help rescue the cryptocurrency ecosystem from the rippling shock of Mt. Gox’s failure—and the collapse in Bitcoin’s price that followed—had agreed to help distribute any remaining bitcoins that could be found to Mt. Gox’s thousands upon thousands of angry creditors.

Michael Gronager, for his part, had taken on a far more uncertain task. He’d agreed to find the missing coins. By all appearances, this was not a rational decision. The Danish entrepreneur had left his relatively comfortable position as the COO of Kraken to found a new start-up whose sole client, for the moment, was this roomful of Japanese bankruptcy lawyers asking him to track down Mt. Gox’s gigantic, wayward fortune. Even calling them a client would be a stretch: He would receive no fee, and no portion of the recovered funds, if he could manage to find any.
The co-evolution of Bitcoin’s and tracing technology started with the revelation that Chainalysis, by running a node in the Bitcoin network, could discover the IP address associated with many wallets, which garnered both hostility and customers. With a head-start, Chainalysis rapidly became the leader in their emerging market, as Brian Arthur would have predicted.

The next investigation Greenberg covers was into the BTC-e exchange, whose:
computers where the exchange was hosted weren’t on the dark web, protected by Tor. They ought to be discoverable with a simple “traceroute” command, an operation that anyone with a computer and an internet connection can run to find a site’s IP address—no harder than looking up a commercial service’s number in a phone book. Gambaryan checked, and it turned out the only layer of misdirection that had prevented curious observers from learning the location of BTC-e’s servers in the first place was a company called Cloudflare, a web infrastructure provider and security service that shielded the exchange’s IPs from prying eyes like Gambaryan’s.
Subpoenas to Cloudflare revealed they were hosted in the US, which allowed them to be imaged:
Gambaryan dug into the data his team had copied from the BTC-e server. What he found was a revelation: The IP address for the account trading in stolen Mt. Gox coins on BTC-e matched one of the few IP addresses on the BTC-e server’s allow list for the administrators’ connections. In other words, the person who had siphoned hundreds of thousands of bitcoins from Mt. Gox into BTC-e wasn’t just any BTC-e user. They were a BTC-e administrator. Specifically, an admin with the username WME. “The gears started turning in my head,” Gambaryan remembers. “What better way to launder hundreds of thousands of bitcoins than to launch your own Bitcoin exchange?”
WME was Alexander Vinnik but, alas, he was in Russia.

Greenberg goes on to describe the takedown of Alexandre Cazes, who ran the Alphabay dark-web market and the related takeover of the Hansa dark-web market, and then of the Welcome to Video child sexual abuse site. This led to the arrest and indictment of a Texas-based Border Patrol agent:
The Texas man had taken a rare approach to his legal defense: He’d pleaded guilty to possession of child sexual abuse materials, but he also appealed his conviction. He argued that his case should be thrown out because IRS agents had identified him by tracking his Bitcoin payments—without a warrant—which he claimed violated his Fourth Amendment right to privacy and represented an unconstitutional “search.”

A panel of appellate judges considered the argument—and rejected it. In a nine-page opinion, they explained their ruling, setting down a precedent that spelled out in glaring terms exactly how far from private they determined Bitcoin’s transactions to be.

“Every Bitcoin user has access to the public Bitcoin blockchain and can see every Bitcoin address and its respective transfers. Due to this publicity, it is possible to determine the identities of Bitcoin address owners by analyzing the blockchain,” the ruling read. “There is no intrusion into a constitutionally protected area because there is no constitutional privacy interest in the information on the blockchain.”

A search requires a warrant, the American judicial system has long held, only if that search enters into a domain where the defendant has a “reasonable expectation of privacy.” The judges’ ruling argued that no such expectation should have existed here: The HSI agent wasn’t caught in the Welcome to Video dragnet because IRS agents had violated his privacy. He was caught, the judges concluded, because he had mistakenly believed his Bitcoin transactions to have ever been private in the first place.
This firmly established blockchain tracing as a legitimate form of evidence.

One case Greenberg mentions only in passing is the theft of nearly 120K BTC from Bitfinex, to which Heather Morgan and Ilya Lichtenstein pled guilty. They were initially flagged as suspects during the takeover of AlphaBay that Greenberg describes in detail. I discussed the tracing steps revealed by the Statement of Facts from their indictment in Inadequate OpSec. The image shows a small part of the tracing evidence in this case. The two VCE4 accounts used Russian e-mail addresses, but the VCE7 and VCE8 accounts were in the name of companies controlled by Lichtenstein and Morgan. Tracing the chains back connected the VCE4 accounts to the suspects, who had taken the precaution of funding VCE4 with Monero.

Deanonymizing individual wallets and flows is valuable to Chainalysis’ clients; law enforcement for evidence and financial institutions for risk-assessment. But their vast collection of tagged wallet addresses and transactions is also valuable in aggregate. It enables statistical analysis of the cryptosphere, such as Chainalysis’ annual report on cryptocurrency crime. This year’s is introduced in 2024 Crypto Crime Trends: Illicit Activity Down as Scamming and Stolen Funds Fall, But Ransomware and Darknet Markets See Growth:
2023 saw a significant drop in value received by illicit cryptocurrency addresses, to a total of $24.2 billion. As always, we have to caveat by saying that these figures are lower bound estimates based on inflows to the illicit addresses we’ve identified today. One year from now, these totals will almost certainly be higher, as we identify more illicit addresses and incorporate their historic activity into our estimates. For instance, when we published our Crypto Crime Report last year, we estimated $20.6 billion worth of illicit transaction volume for 2022. One year later, our updated estimate for 2022 is $39.6 billion. Much of that growth came from the identification of previously unknown, highly active addresses hosted by sanctioned services, as well as our addition of transaction volume associated with services in sanctioned jurisdictions to our illicit totals.

Another key reason the new total is so much higher, besides the identification of new illicit addresses: We’re now counting the $8.7 billion in creditor claims against FTX in our 2022 figures. In last year’s report,
Although these are large sums, Chainalysis estimates they represent a fairly small proportion of the total cryptocurrency volume, falling from 0.42% in 2022 to 0.34% in 2023. Of course, it is unlikely that they have identified all the illicit transactions.

The report has a big surprise:
Through 2021, Bitcoin reigned supreme as the cryptocurrency of choice among cybercriminals, likely due to its high liquidity. But that’s changed over the last two years, with stablecoins now accounting for the majority of all illicit transaction volume. This change also comes alongside recent growth in stablecoins’ share of all crypto activity overall, including legitimate activity.
Bitcoin’s volatility is great for speculation, but when it fails to proceed moonwards it is a big problem for criminals, and especially for sanctions-busters:
Some forms of illicit cryptocurrency activity, such as darknet market sales and ransomware extortion, still take place predominantly in Bitcoin. Others, like scamming and transactions associated with sanctioned entities, have shifted to stablecoins. Those also happen to be the biggest forms of crypto crime by transaction volume, thereby driving the larger trend. Sanctioned entities, as well as those operating in sanctioned jurisdictions or involved with terrorism financing, also have a greater incentive to use stablecoins, as they may face more challenges accessing the U.S. dollar through traditional means, but still want to benefit from the stability it provides.
The report notes that stablecoin users, criminal or not, run the risk of having their wallets and thus their funds “frozen”, as Tether has been doing recently. Patrick Tan covered the case of an Indian user (The Victim) in detail in What happens when Tether “freezes” your Tether?. On 7th December 2023 Tether changed its Terms of Service and, in 3 Things You Must Know About Tether’s Terms of Service, Tan delves into the deliberately confusing details and ends up agreeing with Jonathan Reiter about The Victim’s problem:
On a basic level this user was relying on an unlicensed money transmitter where they have 0 access to any authority that feels accountable to them.

Tether isn’t an Indian money services business. Nor is it regulated in the victim’s country. Or anywhere with a real process.

This — precisely this — is the cost of living outside the law. You may end up with no recourse. Or not.

But you don’t even have someone to complain to that feels accountable for your problems (i.e. your local police or elected representative, or an employee of a business accountable to a regulator you can contact).
It turns out that evading sanctions is the major criminal use case:
Perhaps the most obvious trend that emerges when looking at illicit transaction volume is the prominence of sanctions-related transactions. Sanctioned entities and jurisdictions together accounted for a combined $14.9 billion worth of transaction volume in 2023, which represents 61.5% of all illicit transaction volume we measured on the year. Most of this total is driven by cryptocurrency services that were sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), or are located in sanctioned jurisdictions, and can continue to operate because they’re in jurisdictions where U.S. sanctions are not enforced.

While those services can and have been used for nefarious purposes, it also means that some of that $14.9 billion in sanctions-related transaction volume includes activity from average crypto users who happen to reside in those jurisdictions. For example, Russia-based exchange Garantex, which was sanctioned by OFAC and OFSI in the U.K. for its facilitation of money laundering on behalf of ransomware attackers and other cybercriminals, was one of the biggest drivers of transaction volume associated with sanctioned entities in 2023. Garantex continues to operate because Russia does not enforce U.S. sanctions. So, does that mean all of Garantex’s transaction volume is associated with ransomware and money laundering? No. Nevertheless, exposure to Garantex introduces serious sanctions risk for crypto platforms subject to U.S. or U.K. jurisdiction, which means those platforms must remain ever-more vigilant and screen for exposure to Garantex in order to be compliant.
Translation: platforms need to subscribe to Chainalysis to be safe. Andy Greenberg’s ‘Stablecoins’ Enabled $40 Billion in Crypto Crime Since 2022 quotes Chainalysis’ Andrew Fierman:
As examples, Fierman points to Nobitex, the largest cryptocurrency exchange operating in the sanctioned country of Iran, as well as Garantex, a notorious exchange based in Russia that has been specifically sanctioned for its widespread criminal use. Stablecoin usage on Nobitex outstrips bitcoin by a 9:1 ratio, and on Garantex by a 5:1 ratio, Chainalysis found. That’s a stark difference from the roughly 1:1 ratio between stablecoins and bitcoins on a few nonsanctioned mainstream exchanges that Chainalysis checked for comparison.
Of course, when Chainalysis says “stablecoin” they essentially mean Tether. Three years ago, this interview of Charles Yang, head trader of Genesis Block based in Hong Kong, by John Riggins described how Tether was the basis for trade flows in South-East Asia because it evaded governments’ currency controls. Yang noted:
bank accounts are the absolute most valuable thing — you have to set up a bunch of different companies, a lot of different bank accounts just to facilitate trades that aren’t that big, maybe $50K. The moment you tell them this is for a USDT trade, you’re basically asking them to shut your bank account down.
Last September DataFinnovation posted USDT-on-TRON, FTX & WTF Is Really Happening. In summary:
FTX/Alameda minted nearly all the USDT-on-TRON and operate as something like a central bank or reserve manager for a shadow East Asian USD payment system. We provide convincing evidence from novel on-chain analysis that shows how a real, albeit mostly-not-kosher, crypto use case works. This data also makes plain that Binance/Cumberland runs the Ethereum part of the same ecosystem and that these two groups of parties probably coordinate their actions in some way.

we are going to show that this entire complex looks an awful lot like a funnel to establish backing for a USD payment network aimed at people who cannot (easily or legally, depending) hold USD or transfer them. This also exposes how USDT is split into a China-and-surroundings slice and a rest-of-world slice with a different major crypto entity handling each part.
The UN Office for Drugs and Crime (UNODC) just published a report entitled Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden, Accelerating Threat:
Online gambling platforms, and especially those that are operating illegally, have emerged as among the most popular vehicles for cryptocurrency-based money launderers, particularly for those using Tether or USDT on the TRON blockchain,

USDT on the TRON blockchain has become a preferred choice for crypto money launderers in East and Southeast Asia due to its stability and the ease, anonymity, and low fees of its transactions. Law enforcement and financial intelligence authorities in the region have reported USDT among the most popular cryptocurrencies used by organized crime groups in the region, particularly those involved in the regional cyberfraud industry, demonstrated by a surging volume of cases and unauthorized online gambling and cryptocurrency exchange platforms offering undergroud [sic] USDT-based services.
The report details techniques such as points-running and motorcades:
As third- and fourth-party payments have become better understood by authorities and more widely reported following ‘Operation Chain Break’ and other measures in China, organized crime groups have responded by accelerating the integration of cryptocurrencies into their illegal betting operations, creating significant challenges for investigators. In recent years, law enforcement and financial intelligence authorities have reported the growing use of sophisticated, high-speed money laundering ‘motorcade’ teams specializing in underground USDT – fiat currency exchanges (卡接回U) across East and Southeast Asia. This has also included the mass recruitment of mule bank accounts across virtually all jurisdictions in the Asia Pacific region which can be purchased for as little as US $30.

Due to the rise of cryptocurrency-integrated motorcades, points running syndicates, and other challenges, in 2021 the Government of China banned cryptocurrency transactions, trading, and mining. The industry subsequently migrated to various jurisdictions, particularly driving up already rising cryptocurrency adoption in several countries in Southeast Asia, together with the establishment of high-risk and underground cryptocurrency exchanges. At the same time, it is worth noting that cryptocurrency flows connected to organized crime have been cited as being vastly underestimated by industry experts as well as law enforcement and regulatory authorities in the region. Experts have pointed to a number of shortcomings related to existing analyses including massive gaps in crime attribution on the blockchain, fabricated reporting by crypto exchanges, and the prevalence of wash trading which inflates crypto transaction volumes, thereby shrinking the portion of illicit transactions identified.

The US is rightly concerned that Tether is undermining their sanctions system, but countries like China with strict controls on cross-border currency flows are also worried about similar undermining. Fortunately, the flows of Tether are observable on the Ethereum and Tron blockchains, so tracing techniques can be and, as I discussed in The Stablecoin Saga, The Stablecoin Saga Continued and Alameda’s On-Ramp are being, applied.

https://blog.dshr.org/2024/01/criming-on-blockchain.html


NSA Buying Bulk Surveillance Data on Americans without a Warrant

date: 2024-01-30, updated: 2024-01-29, from: Bruce Schneier blog

It finally admitted to buying bulk data on Americans from data brokers, in response to a query by Senator Wyden.

This is almost certainly illegal, although the NSA maintains that it is legal until it’s told otherwise.

Some news articles.

https://www.schneier.com/blog/archives/2024/01/nsa-buying-bulk-surveillance-data-on-americans-without-a-warrant.html


The Last Woman Standing

date: 2024-01-30, from: Dan Rather’s Steady

There’s an old expression in boxing, a “slugger’s chance.” It means an underdog is given an outside chance to win if the fighter has a reputation for being an especially heavy puncher. I’ve been saying since Nikki Haley first got into the race for the Republican presidential nomination that she had a slugger’s chance. With Haley’s bid for an upset fading but not yet finished, let’s take a look at whether she still has even that chance. The so-called smart money has said from the start that there is no way she can defeat Donald Trump.

https://steady.substack.com/p/the-last-woman-standing


BS on the border

date: 2024-01-30, from: Robert Reich’s blog

Trump’s biggest issue in the campaign is neofascist bupkis

https://robertreich.substack.com/p/bluff-and-bluster-on-the-border


date: 2024-01-30, updated: 2024-01-30, from: Daring Fireball

https://workos.com/?utm_source=daringfireball&utm_medium=display&utm_campaign=q12024


Two Additional Observations Regarding Apple’s Core Technology Fee

date: 2024-01-29, updated: 2024-01-29, from: Daring Fireball

https://developer.apple.com/support/core-technology-fee/


Microsoft Executives Hacked

date: 2024-01-29, updated: 2024-01-30, from: Bruce Schneier blog

Microsoft is reporting that a Russian intelligence agency—the same one responsible for SolarWinds—accessed the email system of the company’s executives.

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. …

https://www.schneier.com/blog/archives/2024/01/microsoft-executives-hacked.html


How to survive the next 280 days (and help America survive beyond them)

date: 2024-01-29, from: Robert Reich’s blog

Putting your outrage to constructive use

https://robertreich.substack.com/p/beyond-outrage


Monday 29 January, 2024

date: 2024-01-29, from: John Naughton’s online diary

All that remains… … of a groyne on a beach in North Norfolk. Quote of the Day “The Massachusetts Institute of Technology now has almost eight times as many nonfaculty employees as faculty employees. In the University of California system, …

https://memex.naughtons.org/monday-29-january-2024/39077/


The Real Problem With Spotify

date: 2024-01-28, from: Om Malik blog

As a way to play music, it was better in nearly every way. Spotify then became my favorite way to listen to music. Recently though, I’ve found myself hating Spotify. The app loads slowly. Music no longer plays instantly. The interface is riddled with recommendations, podcasts, audiobooks, and other junk that I don’t care for. …

https://om.co/2024/01/28/spotify-is-garbage/


Willie On My Mind

date: 2024-01-28, from: Dan Rather’s Steady

I was reminiscing recently about songs that are close to my heart. So many country songs from my younger years pop into my head at the oddest times these days, but I heard one recently from my friend Willie Nelson that reminded me of another time in Texas, a gentler time, and it’s certainly a reason to smile. Back in 1982, Willie recorded “Always On My Mind.”

https://steady.substack.com/p/willie-on-my-mind


Sunday caption contest: Land Ho?

date: 2024-01-28, from: Robert Reich’s blog

And last week’s winner

https://robertreich.substack.com/p/sunday-caption-contest-land-ho