Monthly Archives: June 2013

Feedburner on the fritz

Those of you who have subscribed to email updates from the Stubborn Mule will have noticed some strange behaviour lately, as old blog posts have appeared in your inboxes. Why this is happening remains a mystery to me. The email subscriptions are powered by Google’s Feedburner service and, with the recent announcement that Google is shutting down Google Reader, I am starting to wonder whether Google is deliberately sabotaging Feedburner as a precursor to shutting it down too.

The sabotage theory is a bit too extreme, but certainly others are speculating that Feedburner’s days may be numbered. In any event, the time has come for me to look for an alternative in an attempt to stop the random emails.

I have looked at Feedblitz and have been bombarded with marketing materials as a result, so that one is not for me. Mailchimp is a possibility.

While I am weighing my options, I would welcome suggestions from other bloggers who have successfully made the move from Feedburner.

Can I trust MtGox with my passport?

Liberty Reserve logoIn March 2013, the US Financial Crimes Enforcement Network (“FinCen”) published a statement saying that companies which facilitate buying and selling of “virtual” currencies like Bitcoin constitute “money service businesses” and are subject to reporting obligations designed to prevent money laundering and other financial crimes.

A couple of months later, the seizure by US authorities of Liberty Reserve has shaken money service businesses around the world, whether they deal in “real” or “virtual” currencies.

Two days later, the largest Bitcoin exchange, MtGox, tightened their anti-money laundering (AML) controls, posting the following statement on its website:

Attention Users: From May 30th 2013 all withdrawals and deposits in fiat [real] currency will require account verification. However withdrawals and deposits in Bitcoin (BTC) do not require verification.

What MtGox is attempting to do here is meet one of the most fundamental requirements of AML legislation around the world: know your customer. It is so fundamental that it too earns its own three-letter abbreviation, KYC.

So, how does an online business like MtGox verify the identity of its customers? After all, you can’t walk into the local MtGox branch with a fist full of paperwork. Instead, you must upload a scan of “proof of identity” (passport, national ID card or driver’s licence) and “proof of residency” (a utility bill or tax return).

MtGox are not alone in this approach. More and more online money service businesses are attempting to get on the right side of AML rules by performing verification in this way.

Here in Australia, there are still some Bitcoin brokers which do no verification whatsoever, including BitInnovate (who helped me buy my first Bitcoin) and OmniCoins. Australia’s AML regulator, AUSTRAC publishes a list of  “designated services”, which make business subject to reporting obligations including customer verification. The list includes

exchanging one currency (whether Australian or not) for another (whether Australian or not), where the exchange is provided in the course of carrying on a currency exchange business

So I strongly suspect that all local Bitcoin brokers too will soon be demanding scans of your driving licence and electricity bill.

But is the MtGox approach to customer verification a good idea? I don’t think so. I believe it is a bad idea for MtGox and a bad idea for their customers.

It is a bad idea for MtGox because scans of fake identity documents are very easy to come by. For example, one vendor at the online black market Silk Road offers custom UK passport scans with the name and photo of your choice, complete with a scan of a matching utility bill.

It’s a bad idea for the customer too, because it exposes them to increased risk of identity theft. Although my intentions were not criminal, I chose BitInnovate when I bought Bitcoin precisely because I did not have to provide any personal documents. How well do you know MtGox or any other online money service? How confident are you that they will be able to keep their copies of your documents secure? Securing data is hard. Every other week it seems that there are stories of hackers gaining access to supposedly secure password databases. I have no doubt that scans of identity documents will also find their way into the wrong hands.

So what is the alternative?

Third party identity management.

Using a passport or driver’s licence scan is effectively outsourcing identity verification to the passport office or motor registry respectively. Before the days of high quality scanning and printing, these documents were difficult to forge. A better solution is to retain the idea of outsourcing, but adapt the mechanism to today’s technology.

Here’s how it could work.

A number of organisations would establish themselves as third party identity managers. These organisations should be widely trusted and, ideally, have existing experience in identity verification. Obvious examples are banks and government agencies such as the passport office.

Then if I wanted to open an account with MtGox, its website would provide a list of identity managers it trusted. Scrolling through the list, I may discover that my bank is on the list. Perfect! When I first opened an account with my bank I went through an identity verification (IDV) check (ideally, this would have been done in person and, even better, the bank would have some way to authenticate my passport or driver’s licence*), so my bank can vouch for my identity. I can then click on the “verify” link and I am redirected to my bank’s website. Being a cautious fellow, I check the extended validation certificate, so I know it really is my bank. I then log into my bank using multi-factor authentication. My bank now knows it’s really me and it presents me with a screen saying that MtGox has asked for my identity to be validated and, in the process, has requested some of the personal data my bank has on file. The page lists the requested item: name, address, email address and nationality. I click “authorise” and find myself redirected to MtGox and a screen saying “identity successfully verified”.

MtGox is now more confident of my true identity than they would be with scanned documents and I have kept to a minimum the amount of information I need to provide to MtGox: no more than is required to meet their AML obligations.

This authentication protocol is a relatively straightforward enhancement to the “OAuth” protocol used by sites like Twitter and Facebook today. OAuth itself is subject to some controversy, and it may be better to create a new standard specifically for high trust identity management applications like this, but the tools exist to put identity management on a much safer footing.

* Today, unfortunately, banks and other private sector entities are not readily able to authenticate passports or driver’s licences. Once government agencies are able to provide this service, the options for third party identity management will be even greater.

 

BitTorrent Sync

BitTorrent Sync logoI have been a long-time user of Dropbox. It synchronises important files across computers, provides offsite backup and remote access to these files. But it does have its limitations.

A free Dropbox accounts gets you 2 gigabytes of storage (although persuading friends to sign up can earn you an an increase in this limit). If you need more space, paid plans start at $10 per month.

I have found a new solution for file synchronisation without the size limits. BitTorrent Sync is still in its beta stage of development, but so far I have found it works very well. It is fast, efficient and does exactly what I want it to do.

BitTorrent Sync is not a cloud storage system, so it does not offer all of the features of DropBox. But anyone with with more than one computer, or anyone who wants to regularly share files with a friend or colleague will quickly find BitTorrent Sync an invaluable tool.

So what exactly does BitTorrent Sync do, and what doesn’t it do?

Two-Way Synchronisation – YES

BitTorrent sync really does one thing and one thing well: synchronisation. Install BitTorrent on two computers, point it at a folder on each computer and it will ensure that the contents of the two folders stay in sync. Change a file on one computer and it will change on the other. Add a new file and it will quickly appear on the other computer.

I have a desktop machine and a laptop. They both have Dropbox installed, so I usually save documents in my Dropbox folder to ensure I have access from both machines. But my Dropbox account is getting full, so if I am working with a large dataset or large image files, I keep them out of Dropbox. I then inevitably find I need to use those files on a different machine. BitTorrent Sync has solved that problem for me.

Synchronisation works like a rocket on a local network, but will also work over the internet. As the name suggests, BitTorrent Sync makes use of the same technology use in BitTorrent and is extremely efficient when it comes to dealing with very large files. Synchronisation over the internet when users at each end are behind their own routers works well, thanks to similar “NAT traversal” techniques to those used by Skype. All file transfers, whether local or over the internet, are encrypted. As long as you keep your secret safe, your data is safe.

Setting up synchronisation is straightforward. When you first point BitTorrent Sync at a folder, a “secret” is generated. Secrets are strings of numbers and letters, like this: WBUAH4P6P41KAPJ7ERSAWXY5RB2BCT28. Then, when setting up other machines to share the same folder, all you need to do is enter the secret from the first computer. Multiple machines can share the same folder with the same secret and BitTorrent Sync can also manage multiple folders with different secrets.

One-Way (Read Only) Synchronisation – YES

While Two-Way synchronisation works well for sharing files with family and friends. Sometimes you will want to give others read access to files without allowing them to delete or edit the files. This is where one-way synchronisation comes in. Each synchronised folder has a “read only secret” in addition to the main secret. Give this read only secret to your mother and she can see all of your family photos and you need not worry that she will accidentally delete any of them*.

As far as I know, Dropbox does not offer one-way synchronisation.

Mobile Access – NOT YET

Dropbox offers apps for iPhone, iPad and Android devices which allow you to access files on the go. Mobile apps for BitTorrent Sync are not yet available, but they are under development.

Cloud Backup – NO

BitTorrent Sync directly syncs content machine to machine. Dropbox, on the other hand, syncs each machine with the Dropbox’s own servers. If all of your computers suffer catastrophic failure, you can still recover your data from Dropbox. BitTorrent Sync does not provide any cloud backup. Of course, you could always set up a Rackspace server and install BitTorrent Sync there…

Web Access – NO

With all of your files on their servers, Dropbox can easily provide web access to your files. BitTorrent Sync cannot. The files will only be available on machines with BitTorrent Sync installed.

Version Control – NO

Another useful feature offered by Dropbox is version control. If you make some drastic edits to your latest presentation, which you later regret, Dropbox allows you to recover previously saved versions. BitTorrent Sync will not help you with version control.

BitTorrent Sync does not do as much as Dropbox and other cloud backup services. But what it does do, it does very well. I expect to get a lot of use out of it.

* Two-way synchronisation does provide protection against accidental deletion: when a file is deleted on one machine, copies on other machines are moved to a hidden folder rather than deleted, so they can be recovered later.