Silk Road forums

Discussion => Security => Topic started by: sinister4ng3l on August 27, 2012, 05:03 pm

Title: BitFloor Question
Post by: sinister4ng3l on August 27, 2012, 05:03 pm
Quick questions about Bitfloor: How would I send money from my Bitfloor account into my SR account? Would I put my SR address in the "wallet" section of the Bitfloor withdraw section or do I need to send it to Mt. Gox first?
Title: Re: BitFloor Question
Post by: elivance on August 27, 2012, 06:37 pm
Ack!  Why would you involve Mt. Gox?

Short term advice: send your coins to a mixing service like TorWallet or blockchain.info (or both, or more) and then send to your SR address.

Long term advice: read about bitcoins so you use them safely and correctly.
Title: Re: BitFloor Question
Post by: angelkiller on August 27, 2012, 08:53 pm
You're aware that SR has its own mixing thing?
Title: Re: BitFloor Question
Post by: elivance on August 28, 2012, 02:19 am
It's still a good idea to mix them on the way in as well.  This at least attempts to limit the trust you are placing on SR.  (That and encrypting your address with GPG each time.)
Title: Re: BitFloor Question
Post by: angelkiller on August 28, 2012, 12:16 pm
How so? What info does SR hold that would put you at risk, if compromised?
Title: Re: BitFloor Question
Post by: elivance on August 29, 2012, 07:13 pm
They know your destination bitcoin address here.  If the address you are sending from somehow is correlated with your actual identity and if SR is compromised, they now can associate your identity with your SR alias.

If you don't encrypt your shipping address to your vendor, if SR is compromised, they now know your shipping details.

Note: I am not claiming that SR is compromised.  I am merely stating that these are things we do just in case SR is now or at some point in the future compromised.
Title: Re: BitFloor Question
Post by: angelkiller on August 30, 2012, 12:26 am
I understand. I'm just wondering how much we actually need to do.

In the first situation you gave, SR would have to be compromised as well as yourself. They have two pieces of you that they normally wouldn't have.

My point is that right now, SR doesn't have anything on me. What if you could theoretically audit someone so you know every address they own. You'd see that they sent a lot of money to SR. BUT you'd only know it was SR if SR got compromised too. Otherwise, you may be able to confirm my identity, but you have no idea who I'm doing transactions with.

So my overall point was that you don't have to mix coins coming in. They need 2 confirmed identities before someone can talk about proving I sent money to someone. They need me and they need the someone. So let's take an example when I send coins from my verified Gox account straight to SR. If SR gets compromised, all you have are wallet addresses. You can even follow my wallet addresses (that you don't know are mine) and it leads to my Gox account. But you wouldn't know it's a Gox account. All you'd see is my address.

I don't think anyone can prove anything with bitcoin. Assuming you take all those other safety precautions and such. You won't get caught because SR got caught. SR doesn't have anything that links to me in real life. You can't follow anonymous links. I can follow those anonymous links because I know that it's me on the other side. But someone else would only have an address.
Title: Re: BitFloor Question
Post by: elivance on August 30, 2012, 06:18 am
Quote
I understand. I'm just wondering how much we actually need to do.

Agreed.  I'm very interested in this question myself.

Quote
[...]
My point is that right now, SR doesn't have anything on me. What if you could theoretically audit someone so you know every address they own. You'd see that they sent a lot of money to SR. BUT you'd only know it was SR if SR got compromised too. Otherwise, you may be able to confirm my identity, but you have no idea who I'm doing transactions with.

There are patterns in different mixing services and ways to test for those patterns.  I believe that SR addresses are not identifiable a priori; however, I have not verified that myself.

Until then, I feel a bit safer in mixing them on the way in as well!

Quote
So my overall point was that you don't have to mix coins coming in. They need 2 confirmed identities before someone can talk about proving I sent money to someone. [...]

Again, I agree.  However I'd argue that even though these transactions may not prove anything, they may imply something.  That, in certain situations, could be more than enough.