Thursday, August 22, 2013

Bitcoin exchanges: "Flying Under the Regulators Radar"

Regulators searching for Bitcoin exchanges
I think some of the most exciting advances in BTC Trading Technology and Exchanges are doing their best to remain "under the radar" due to intense fears about their "legal status" as money-services businesses, etc.

Read an interesting piece today about the 'rent vs. own' aspect of becoming a MSB and how CoinX (July's winner of best start-up pitch at Light Squared Ventures Bitcoin Night, which I attended) is obtaining their own MSB license in every state they want to operate, instead of going the 'rent' route.


http://www.paymentssource.com/news/in-money-transmitter-licensing-is-it-better-to-own-or-to-rent-3015198-1.html 

So that explains why they're so quiet...don't splash the pool while you're trying to swim across. At the same time, are they sacrificing 'first mover advantage'?

Some foreign exchanges like HK-based Bitfinex (full disclosure: I'm a user there) have gained volume and the financial strength to push forward with licensing in the US. The unanswered question is: are they doomed to go the MtGox route and have accounts shuttered at the slightest sign of indiscretion?

At the same time, those chasing 'First to Market' with professional market features, like NYC-based Coinsetter, are in private-beta and paper-trading mode, presumably while they wait to clear regulatory hurdles.


There's also Atlanta-based CampBX, whose live market is beginning to show signs of life in spite of a rather uncertain regulatory environment; they may be the most active real-money BTC exchange in the US...

Others may be just going for it, like Australian(?)-based BTCSX

http://www.zdnet.com/startup-opens-bitcoin-only-margin-trading-platform-7000019715/ 



So I want to propose a question: Are all Bitcoin Related Businesses the same?

The recent New York State financial regulation probe notwithstanding, should regulators consider separating "Exchanges" into a separate category from "Broker/Dealers" or "Payment transmitters" based on the types of financial services they offer?

Early exchanges (MtGox for example) offer payment processing APIs and other features that more closely resemble a blended service like a traditional banking institution, but we've seen the last days of the "Non-banking Entity" fade on Wall St. and if history is any mean, I think Bitcoin's history is like the 200 years of western banking compressed into a few short years! 

It certainly still seems like the Bitcoin Exchange Game is one of a 'baby deer' lost in the regulators' 'woods', and for those hard-core Bitcoiners it's easy to forget: Bitcoin itself may be pretty resilient, but, as one of the speakers at Bitcoin 2013 pointed out, it could be regulated until it becomes inconsequential.

Mentioned Exchanges: CoinX (www.coinx.com), Bitfinex (www.bitfinex.com), Coinsetter (www.coinsetter.com), MtGox (www.mtgox.com), BTC.sx (www.btc.sx) and CampBX (www.campbx.com)

Monday, August 12, 2013

PGP Privacy 2 Go


So if you're like me, seek help.

I mean seriously. These morbid delusional fantasies about the future of war and technology? Staying awake all night writing software to trade internet funny money (read: Bitcoin)? You get the picture. You're fit for a straitjacket.

Or you need a vacation. Which means it's time to hit the road without your trusty "security hardened" laptop. Your machine is security hardened right? You haven't been using those 'cloud based' services have you!? You host your own email, file sync, music streaming, calendar, and social network from a server under secure lock and key on a redundant internet connection to your condo right?! Not. The cloud is a convenient solution for all of this, unfortunately, it's also an extremely convenient solution for the government to spy on you.

Let's leave the politics of it out here. That's not the point of the post. You want to use Gmail. I get it. I use it. It's fast, reliable, its servers are these crazy shipping container lego-blocks that can be shipped by train into Mexico in the event of nuclear war...making your email more safe from radiation poisoning than your sorry Starbucks sipping ass. Jordan searches frantically for his stash of iodine tablets but only discovers used Starbucks gift cards.

So the next best thing before you go ahead and upload your email messages to the Utah Data Center for NSA perusal is to use PGP, which, if you're reading this, I'm relatively confident you're already familiar with. If not, it's not hard to understand, but next to retarded difficult for your everyday operating system manufacturer, or email service provider, to include with their services.



Once your email is encrypted with PGP, short of obtaining your private key from your physical machine (more on that later), it's extremely cost-prohibitive, if not impossible, for anyone but its intended recipient to read it while it sits for eternity on a hard-drive in central Utah.

The issue for most people who have taken this precaution is that the tools are inconvenient. For example, unlike your modern email client (Gmail), they aren't as portable. Take, for example, GPGMail, a reliable and improving tool for managing PGP messaging with OS X Mail on top of OpenPGP. Great, already hard enough. At least it grabs public keys attached to emails from your comrades, and stores them for future use.

You see what I'm saying, no wonder no one uses this stuff. Too fucking hard.

In that case... what happens once you've got some encrypted communication going on, and you want to read / send encrypted emails on the go with Gmail? Enter Mailvelope. A handy browser plugin that allows you to PGP encrypt your webmail as you're composing and reading on the go. With Chrome Browser Sync, once you log in to your browser, this plugin should be made available to you wherever you go. As inconvenient as it might be, the last little bit is to hang on to your private key. I'll leave that part up to you.

Mailvelope Homepage
The issue I ran into was, I had already generated my PGP Pub/Priv key pair on my home machine, and wanted to use it while I was on the go.

Nothing abstract here.

Just a little demo of how to use the same private key to read your encrypted emails using Chrome.

Ok, so first we need to "export" our private key out of our PGP Keychain. Go ahead and open up the keychain in OS X (I usually type "Keychain" in the Spotlight search).


Go ahead and cmd-click your key-pair, and choose "Export".


Make sure 'Allow secret key export' is checked. Once this is done, the text-file you create will be your "key to the kingdom" so to speak, as it will include a public and private key-pair. 


Doesn't look like much. But there is a lot of information here. Most importantly, your private key should only be placed and left on a browser on a machine you trust won't be compromised.

Next, let's install the Mailvelope plugin on our Chrome Browser:


Once installed, go ahead and open the plugin (from its settings button on the top-right corner of the browser), and then choose the "Import Keys" menu.

This was kind of confusing for me, as I didn't realize you could also import private keys here. I gave it a shot, and it worked. So good on you Mailvelope. 


Paste the entire text of the Pub/Priv key-pair file you just exported into the text box.

Ok, now you're good to go.

Next, open up Gmail and start to compose a mail, and you'll notice a new little button, click it to open a PGP Mail composer from Mailvelope. Hit the "Lock" button.


And then choose your recipient (I'm sending this message to myself to demonstrate).


Your message is encrypted using the public-key of the recipient.


Now the message is placed in the composer as a PGP encrypted message, safe and secure, ready for upload to the government (:


Last step: receiving and decrypting PGP encoded mail. I hit send, and the message appears in my inbox, as I was the intended recipient. The message is encrypted, but Mailvelope adds a button to my Gmail editor window to decrypt it. I click it, and am asked to unlock my private key (the private key passphrase is sort of a security of last resort to keep others from reading your messages).

And voilà, your message is decrypted and has a "water-mark" behind it which has some significance, though I didn't read that far into the Mailvelope documentation.


PGP encrypting security tends to break down around "Physical breaches" of your private key. If you carry it around on an unencrypted USB-stick, or it's stored on your "secure machine" (read: laptop protected with your ex-girlfriend's favorite nick-name for your penis as a password), there is a pretty good chance it can be compromised.
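As an added example (not part of the original post, and not Mailvelope or GPG Keychain code): a Node.js check for an exported key file like the one described above, reporting which armored blocks it contains and whether each secret key packet is passphrase-protected. The function names are hypothetical, the sample input is constructed toy data, only v4 RSA/DSA/Elgamal keys are handled, and the armor checksum is not verified.

```javascript
// Added example (not from the post): inspect an ASCII-armored OpenPGP key export.
const MPI_COUNT = { 1: 2, 2: 2, 3: 2, 16: 3, 17: 4 }; // public MPIs: RSA, Elgamal, DSA
function dearmor(text) { // armor headers and the CRC24 line are skipped, not verified
  const re = /-----BEGIN PGP ([A-Z ]+)-----([\s\S]*?)-----END PGP \1-----/g;
  const b64 = (s) => s.split(/\r?\n/).filter(l => l && !l.includes(':') && l[0] !== '=').join('');
  return [...text.matchAll(re)].map(m => ({ type: m[1], data: Buffer.from(b64(m[2]), 'base64') }));
}
function* packets(buf) { // walk old- and new-format packet headers
  for (let i = 0; i < buf.length;) {
    const b = buf[i++];
    let tag, len;
    if (b & 0x40) {                         // new format: tag in the low 6 bits
      tag = b & 0x3f;
      const o = buf[i++];
      if (o < 192) len = o;
      else if (o < 224) len = ((o - 192) << 8) + buf[i++] + 192;
      else if (o === 255) { len = buf.readUInt32BE(i); i += 4; }
      else throw new Error('partial body length not handled');
    } else {                                // old format: tag in bits 5..2
      tag = (b >> 2) & 0x0f;
      const n = 1 << (b & 3);               // size of the length field in bytes
      if (n === 8) throw new Error('indeterminate length not handled');
      len = buf.readUIntBE(i, n); i += n;
    }
    yield { tag, body: buf.subarray(i, i + len) };
    i += len;
  }
}
function protection(body) { // the S2K usage octet follows the public-key fields
  const n = MPI_COUNT[body[5]];
  if (body[0] !== 4 || !n) return 'unknown';
  let p = 6;                                // version (1) + creation time (4) + algorithm (1)
  for (let k = 0; k < n; k++) p += 2 + Math.ceil(body.readUInt16BE(p) / 8);
  return body[p] === 0 ? 'UNPROTECTED' : 'passphrase-protected';
}
function inspectExport(text) {
  const blocks = dearmor(text), secrets = [];
  for (const blk of blocks)
    for (const { tag, body } of packets(blk.data))
      if (tag === 5 || tag === 7) secrets.push(protection(body)); // secret key / subkey
  return { blocks: blocks.map(b => b.type), secrets };
}

// Constructed toy packets (not a real key): v4, RSA, two tiny MPIs, then the S2K usage octet.
const pub = [4, 0x52, 0, 0, 0, 1, 0, 9, 1, 5, 0, 2, 3];
const pkt = (hdr, body) => Buffer.from([hdr, body.length, ...body]);
const armor = (t, d) => `-----BEGIN PGP ${t}-----\nVersion: toy\n\n${d.toString('base64')}\n=AAAA\n-----END PGP ${t}-----\n`;
const sampleExport = (usage) => armor('PUBLIC KEY BLOCK', pkt(0x98, pub))
  + armor('PRIVATE KEY BLOCK', pkt(0x94, [...pub, usage, 9, 3, 2]));
console.log(inspectExport(sampleExport(254)), inspectExport(sampleExport(0)));
```

A result of `UNPROTECTED` means anyone who obtains the file can use the key without a passphrase.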

There is more here: consider using a public keyserver. These servers allow others to grab your key, and encrypt messages to you without you handing them your public key via a message. It also allows you to, in theory (I believe), issue a certificate with a key that allows you to "expire" the key-pair periodically, in case of theft. Though that is beyond the scope of this blog post, I will be looking into that more in the future, but let's keep it simple for today.

As for physical security, I recommend a gas-powered AR-15 Platform rifle, and a few hundred hours of close-quarters combat training. If you don't have this, maybe a mean dog, and a deadbolt. We're all susceptible one way or another...at least now you're a little less so to government intrusion into your email box.

Saturday, August 10, 2013

Evangelizing "MEAN STACK"


Any self-respecting "Brogrammer" like me knows how to program in Javascript. When startups try to test your skill set in "lingo" like: "Backend" (and by backend I mean...you an ass man, bro?) your typical response is: "a whole bunch of stuff that isn't Javascript."

Guess what: with MEAN STACK... not anymore, dude. Yeah, you just went from alert('Hello World'); monkey to full-stack developer...HIGH FIVE.

For a good time, check out: Brosciencelife on Youtube

MEAN STACK, as conceptualized by Valeri Karpov in the blog post linked above, is not new technology, and it's not even based on any new components. It's just, in my opinion, an exciting layering of existing technologies that all run on Javascript: mongoDB, ExpressJS, AngularJS, and NodeJS. And let me tell you: this bad boy cuts through your projects like a hot knife through butter. Righteous swell, bro.

Let's get down to it. I'd heard the hype: NodeJS is performant, non-blocking, and easy to learn (see pretty much everyone at GluCon), and I'd also heard the jeers, Ted Dziuba, etc. (though I can't find any of their posts anymore, just mentions of them ... interesting).

var express = require('express');
var http = require('http');
var app = express();
app.set('port', 3000);
var server = http.createServer(app).listen(app.get('port'), function () {
  console.log('Express server listening on port ' + app.get('port'));
});

Boom!

I know it takes more than that ... but you get the idea. Nothing new there.

So I thought I'd try an example of an operation I hadn't seen a lot of floating around on the interwebz: Streaming new DB entries in realtime out to a page via WebSockets.

This is where it gets really interesting (at least it did for me): using MongoDB's streaming cursors with capped data-collections to create basically a one-stop message-queue real-time to web-socket buzzword orgy of awesomeness.

First define a schema in Mongoose, and add a tailable find:
var BidSchema = new Mongoose.Schema({
    price : { type : Number },
    amount : { type : Number } }, 
    { capped: { size: 5242880, max: 1000, autoIndexId: true }});

var Bid = db.model('bidSchema', BidSchema);

var bidStream = Bid.find().tailable().stream();

I ran into some issues at first when I tried this:
MongoError: tailable cursor requested on non capped collection
BROTIP: ONLY CAPPED COLLECTIONS CAN BE USED FOR STREAMING NEW RECORDS OUT OF MONGODB.

Next we set up Socket.IO to send our results out to the page as they are entered into the database:

var ioserver = require('socket.io').listen(server);
var clientsocket = null;

ioserver.sockets.on('connection', function (socket) {
  clientsocket = socket;
  var timeout = null;

  // Forward each document read from the tailable cursor to the client.
  // Note: this handler runs once per connection, so every new connection
  // registers another 'data' listener on the same bidStream.
  bidStream.on('data', function (doc) {
    clientsocket.emit('bid', doc);
  }).on('error', function (err) {
    console.log('error: ' + err);
  }).on('close', function () {
    // the stream is closed
    console.log('close');
  });
});


Next we set up our client-side AngularJS Controller:
    script
      var socket = io.connect('http://localhost');

      function BidsController($scope, $http, $window){
        $scope.bids = [];

        $scope.save = function(bidForm){
          $http.post('/placebid', { bid : $scope.newBid }).success(function(response){
            console.log(response);
          });
        };

        $window.socket.on('bid', function (bid) {
          console.log(bid);
          $scope.$apply(function(){
            $scope.bids.push(bid);
          });
        });

      };
And our Jade Template display:

    body
    div(ng-controller="BidsController")
      h1 Enter a bid:
      form(name="bidForm", ng-submit="save(bidForm)")
        input.form-control(type="text", ng-model="newBid.price", name="price", placeholder="Enter a price.")
        input.form-control(type="text", ng-model="newBid.amount", name="amount", placeholder="Enter an amount.")
        input(type="submit")
      table(style="border:1px solid black;")
        tbody
          tr(ng-repeat="bid in bids")
            td(style="border:1px solid black;") {{bid.price}} 
            td(style="border:1px solid black;") ${{bid.amount}}

Bam. That was easy. Like I said...hot-knife through butter...!

Now you're a full-stack developer, with plenty of time to go get stacked at the gym.

So get out there and get it brogrammer!

Source: Github here

PS. The whole "bro" thing was not a knock on the MEAN Stack - I've just been watching too much Brosciencelife on YouTube; that, and hitting the gym all week getting rock-swol for the Denver Triathlon.

PSS. I'm still having trouble with the streaming cursor in mongoDB returning duplicates/triplicates of the same documents. I'll update if I figure it out, or someone comes along on stackoverflow.
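Added example, not part of the original post or its GitHub source: in the Socket.IO handler as posted, every new connection registers another `data` listener on the one shared `bidStream`, and each listener emits to the most recently connected socket, which is one way to see the same document arrive several times. The sketch below reproduces that with `EventEmitter` stand-ins (function names are hypothetical, the bid is a constructed sample) next to a per-socket variant that removes its listener on disconnect.

```javascript
// Added example: EventEmitter stand-ins for the tailable stream and socket.io sockets.
const { EventEmitter } = require('events');

// Pattern from the post: every connection adds another 'data' listener, and all of
// them emit to the single shared `clientsocket` (the most recent connection).
function sharedSocketWiring(bidStream, ioserver) {
  let clientsocket = null;
  ioserver.on('connection', (socket) => {
    clientsocket = socket;
    bidStream.on('data', (doc) => clientsocket.emit('bid', doc));
  });
}

// Alternative: one listener per socket, bound to that socket, removed on disconnect.
function perSocketWiring(bidStream, ioserver) {
  ioserver.on('connection', (socket) => {
    const onData = (doc) => socket.emit('bid', doc);
    bidStream.on('data', onData);
    socket.on('disconnect', () => bidStream.removeListener('data', onData));
  });
}

// Three page loads (the first two tabs are closed again), then one new bid arrives.
function simulate(wire) {
  const bidStream = new EventEmitter(); // stands in for Bid.find().tailable().stream()
  const ioserver = new EventEmitter();  // stands in for ioserver.sockets
  wire(bidStream, ioserver);
  const received = [0, 0, 0];           // 'bid' events seen by each simulated page
  received.forEach((_, i) => {
    const socket = new EventEmitter();
    socket.on('bid', () => { received[i] += 1; });
    ioserver.emit('connection', socket);
    if (i < 2) socket.emit('disconnect');
  });
  bidStream.emit('data', { price: 100, amount: 1 }); // constructed sample bid
  return { received, listeners: bidStream.listenerCount('data') };
}

console.log('post pattern:', simulate(sharedSocketWiring));
console.log('per socket:  ', simulate(perSocketWiring));
```

With the posted pattern the listener count also grows with every connection and never shrinks, so a long-running server accumulates listeners on the stream.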