[liberationtech] Bitcoin Armory not as secure as promised?
Jonathan Wilkes
jancsika at yahoo.com
Sun Aug 10 11:32:13 PDT 2014
On 08/10/2014 12:44 PM, Lodewijk andré de la porte wrote:
> So, the response was this:
>
> Guys, calm down.
> The code you posted doesn't send your username to
> bitcoinarmory.com <http://bitcoinarmory.com>, it sends the
> *truncated hash* of your user home directory path. This does not
> give us any information about you except that it will be the same
> when your system makes multiple requests for version/announcement
> information. We *intentionally* chose this *instead* of tracking
> by IP because we knew that IP logging was "not cool". And in the
> end, we don't care about your IP, we only use it the ID for
> collecting statistics about what operating systems are being used
> to run Armory and what versions people are using, especially after
> announcing new versions. This helps us remove duplicates.
> Armory (the company) only tracks unique IDs long enough to collect
> daily statistics of our user base, like how many people have
> upgraded. If an announce-request is made and comes from an ID we
> have never seen, we add the OS and Armory version to the
> statistics. Otherwise we ignore it. That's it. We added the
> unique ID so that we have a way to count unique users
> *without* logging IP addresses. We also add the ability for you
> to disable this by running with "--skip-announce-check".
> As a company, we have to have *some* way to measure our userbase,
> and we felt this was the least intrusive way possible. And you
> can opt-out.
>
I was very pleased to see the responses on that thread. Aside from one
or two, they share the same laudable traits:
* code is posted inline and accurately assessed for its privacy implications
* the posters couldn't care less about the author's _intentions_ (no
digressions into the irrelevant issue of whether or not the author acted
in bad faith)
* nearly every post focuses on collection of IPs and user info-- the
author is blocked from irrelevant digressions on whether this info is
actually used
* author is essentially forced to care about privacy or lose his user
community
* Tor users are referred to multiple times, and not as second-class
citizens(!)
This has to be the most focused and serious thread I've ever seen
regarding privacy, at least on a forum that's not dedicated to online
privacy. I'm not crazy about the idea of storing bags of gold on
internet-facing machines, but if that's what it takes to spur on this
kind of discussion then maybe it's worth the cost.
-Jonathan