White hat hacker awarded $2M for fixing ETH-creation bug (cryptoadventure.com)
https://news.ycombinator.com/item?id=30289240
My (I'm the hacker) article / post-mortem this blog post is referring to:
https://www.saurik.com/optimism.html
At the time of this last getting traction a few days ago, some people were sad that the title of my article and the discussion that resulted focused more on the bug instead of the bounty (which my article gets into near the end as part of some high-level thoughts on ethics), which is maybe why I am suddenly seeing this appear here again this morning (as this news article is instead focussing on the bounty angle)?
FWIW, the $2M bounty--which was actually listed as $2,000,042 (as they wanted it to sort higher on the list at Immenufi, lol)--was potentially (none of us realized this at the time I "won", and I am honestly still not 100% sure of it now, though I haven't yet come across any counter-examples) the largest single bug bounty payout ever (...though, by only $42 ;P).
https://twitter.com/bobanetwork/status/1491989915336388618?s...
So I was the coder for a payroll system for those paid out of the Channel Islands. In 2008, the day after Boxing Day, I was asked to add 3 more digits to the payroll system so a trader could be paid a bonus. That system moved a lot of money all around the world.
Another example of costs. $81million nicked from Federal Reserve Bank of New York. https://www.reuters.com/article/us-cyber-heist-bangladesh-id...
Here is an example of what has to be paid out when things go wrong, it was made into a film, adjust for inflation and quantitative easing.
https://en.wikipedia.org/wiki/Nick_Leeson#Downfall_and_impri... https://www.imdb.com/title/tt0131566/
Best office I have seen is Nomura's directors office in London. You could fit a house in it!
Probably a lot you can do.
Congrats on the bounty, glad to see you don't plan on blowing through it mindlessly :) With a worldwide diversified ETF portfolio you should be able to live off of this amount of money indefinitely.
(Dec 28 2021)
> Polygon is paying out a bounty of $2.2m in stablecoins to Leon Spacewalker and 500,000 MATIC to Whitehat2, which according to current market value is worth $1,262,711. The $2.2m exceeds the maximum value of Polygon’s critical bounty in recognition of the severity of the vulnerability.
More info about the bug: https://medium.com/immunefi/polygon-lack-of-balance-check-bu...
Interestingly, this reminds me of a report I wrote a long time ago about the dangers of ecrecover (as it can give ambiguous results)
I'm not sure if this was discussed in the previous thread, but does the bug allow the creation of real ETH coins, or it just increase the counter in the Optimism database (or whatever system they are using)?
The native currency on Optimism (used to pay gas, like ETH is used on Ethereum) is effectively ETH; but, as it isn't Ethereum, that ETH on Optimism has to actually live on Ethereum: it gets locked into a contract there which acts as a repository/reserve for all of the ETH being used on Optimism.
When you deposit ETH in this reserve on Ethereum you get credited the same amount on Optimism in the form of cryptocurrency IOUs (which we might call "OETH"), and you can later withdraw that money back to Ethereum, whereupon the OETH is destroyed and ETH is unlocked from the reserve contract.
The bug here (which I go into detail in in my post-mortem, along with another / different description of how these "bridges" work) was in the VM used for the smart contract behaviors on Optimism, which would mean you could arbitrarily replicate OETH (the IOUs for ETH).
For avoidance of any doubt: you couldn't use this bug to create an arbitrary amount of ETH/Ether, but the issue is that a lot of people call the money on Optimism--which is normally backed 1:1 with ETH--"ETH". (There is a discussion about what it should be called in the Ethereum chains database; I personally think what we need is a terminology for describing the full path whenever you have "ETH via an indirect path".)
More seriously, will you keep it in the bank and extract $100k a year the rest of your life? What are you going to do?
(FWIW, I maybe should at some point buy a car--as I currently waste money on renting one; pre-pandemic I was using a combination of ZipCar and Lyft, but both services suck now--but I can't imagine myself buying a pointlessly extravagant car; and, sadly, now is a bad time to buy a car anyway... which I think is related to the ZipCar issue: I imagine they might have sold their fleet? Maybe ZipCar will return in force when prices rebalance.)
https://www.zillow.com/sunnyvale-ca-94087/luxury-homes/?sear...
Yesterday I was reading "how to drop out", to me it seemed like a bad plan overall: https://news.ycombinator.com/item?id=30318285
Some people want to learn to live on the cheap to drop out, or to fatFIRE (which is another way to do the same). Personally, I love working and doing interesting things, and being with other people and society itself!
So my personal plan is the opposite of fatFIRE: work until I die regardless of what happens on the side, because I enjoy what I do, so stopping what I do just because something happened on the side would be like punishing myself, then waiting to die out of boredom?
Doesn't seem like such a bright idea to me. Maybe it's different (if you don't like modern society, or maybe other people, or the idea of work itself)?
Also, thank you for Cydia, I used it in middle school and high school. It definitely made an impression, thank you.
Orchid looks cool too!
https://immunefi.com/bounty/wormhole/
Good job btw.
Immunefi turns out to be the correct spelling (weird that Google didn't figure that one out).
Wondering (some of it aloud), how long was the vulnerability present in the code? Is it possible to know if someone was actually using this exploit to mint OETH's? How would a disconnect of this sort show up? Regular reconciliation (hourly, daily) or perhaps there are other methods.
Though it's pretty weird that I wasn't sure whether you were referencing geohot's (another infamous hacker, mentioned in the article) rap songs at first: https://soundcloud.com/tomcr00se
Not sure why it's a thing for prominent hackers to have aspirations to become soundcloud rappers.
It is thereby really only "required" (for the world to function) that there is sufficient monetary motivation for people who don't want to spend the rest of their life feeling either the guilt or stress (even if merely due to the ramifications of people finding out) of having done something "wrong" (which I put in quotes as I feel the "code is law" argument that can result at this point isn't actually that useful in a discussion of morality) to bother to then go out of their way to help (as opposed to not searching hard in the first place, looking the other way instead of reporting, or merely hoarding the bug as a parlor trick).
And so like, while I totally see how this bug could easily be worth at least tens of millions of dollars to someone, it isn't clear to me that finding and reporting this bug should imply that I would need to be paid (and "by who?" is then a hard question to answer even if we think this, one which might bleed into "and how?" a bit as the first answer is probably awkwardly decentralized in scope) the tens (or even hundreds) of millions of dollars that that hypothetical black hat might have figured out how to extract (which I make a bit theoretical as profiting from crypto hacks is harder than people often assume, something I touch on in my article; I think you might have to go for extortion, and even that didn't work for the Wormhole hacker)... most people simply aren't of the moral constitution to be black hats (which is probably a good thing).
(In this case, the main lingering ethics question related to this bounty that I come back to occasionally is that there are projects--such as Metis--that forked Optimism and now compete with it using Optimism's own code and vision... projects that (in the case of Metis) are actually of similar size to it (based on "total value locked", which is imprecise but probably the best measure here for potential impact: Defi Llama lists Optimism at $344M and Metis at $347M) which are still relying on Optimism to motivate the security efforts for their platform... it feels at least awkward to me that they should get a "free pass" here simply because their listed bounties were lower than Optimism's? Like, even if you don't think I should get money from them, maybe they should be helping compensate Optimism?)
The true value of exploits is NOT the cost of the damage they could do, because that externalizes various costs to the perpetrator: evade law enforcement for the rest of your life, lose access to friends and family, become a high-value target for traditional organized crime, etc. For many people that is a net negative, even for a 9-figure payout. And that is a good thing, I think.
Do you not understand the immense amount of effort they would have needed to expend to hide, not to mention the ongoing stress involved afterward?
That person is there, maybe not today, maybe not within 10km. But wait a few years, or drive a few thousand km, or both.
Does that make the first, already above-average offer 'pennies'?
Of course not.
> This could’ve easily been a bug worth hundreds of millions of dollars
That doesn't mean that you could find someone to give you $100 mil, clean or unclean.
Edit: He has a great write-up about the vulnerability and its discovery on his blog:
https://www.saurik.com/optimism.html
(which was on HN a couple days ago)
Clubs have members; businesses have employees.
I think I'll take my lessons on business terminology from someone else, if it's all the same to you.
"What are you coding there?" "Oh, I'm writing an application to manage patients at my dental practice" "You're a dentist?" "Yup"
Funny how it all works.
Minting supply inflation bugs happen all the time, but not usually for something redeemable for something so liquid and valuable.
The bridges are a new unique target.
I can understand the anger at Proof-of-Work cryptos, or perhaps the current somewhat "wild west" state of them, where fly-by-night operations work to separate people from their money, but ultimately I see them as the wave of the future.
Ultimately I think the cryptos that see the most success will likely be those that can be better regulated, which is somewhat at odds with why crypto came about, but without some protection it would be like an unregulated stock market.
I am curious, would it be easy to detect an individual who was exploiting this vulnerability?
For anyone who may have missed the link in the article or thread, this is it: https://www.saurik.com/optimism.html
Just wait until AI gets its mittens on it.
It's good to see white hat hackers in this space trying to fix what is already broken.
But sorry to be that person, just a timely reminder of the truth: All cryptocurrencies and 'DeFi projects' are ponzi scams including Orchid.
How sad to see web3 rehashing the failures of webs 1 through two.
Dan's general attitude is that crypto isn't revolutionary and isn't really trying to be. It's not trying to democratize money. It's trying to build a system with the same power dynamics as the current system, but with different people at the top of that power structure. His take is that crypto doesn't solve any of the problems with the existing systems and just creates a bunch of new ones.
My recollection is that he doesn't spend much time on the energy use (he touches on it but IIRC doesn't dwell on it). He does go deep into the "wild west" state of them. His attitude seems to be "wild west" isn't a transitory phase; it's the end state of crypto.
I don't think he says it in that video, but in a subsequent interview, Dan pointed out a danger with this and all deflationary currencies - they reward early adopters and people with a lot of capital. People who buy in late (either by choice or because they were simply born later) have a compounded difficulty in "catching up". He says he's worried about a future where crypto isn't an option and everybody needs to use it to some extent in day-to-day life. Moms and dads - or toddlers - who didn't "get in early" will be at a significant disadvantage.
---
Personally, my main concern is with PoW. It's fine to say that PoS will eventually replace PoW, but that's not the situation right now. PoW is wasteful by design, and that just rubs me the wrong way. It's great that miners tend to use more renewable sources on average than the average utility customer, but they're still using an awful lot of nonrenewable sources as well. I guess I just think about all the other things we could do with that electricity and it seems like such a waste.
My secondary concern is with the hype machine in overdrive. It feels a lot like the dotcom bubble to me - people making all kinds of wild claims about crypto, NFTs, web3.0, etc. Everybody so desperately wants it to be the next big thing because they smell an opportunity to make a buck. But it feels very cart-before-horse to me. It's not clear to me, for the kinds of problems that crypto is trying to solve, that crypto is the best solution to those problems. How many use cases really call for a decentralized, trustless ledger?
This article (https://thecorrespondent.com/655/blockchain-the-amazing-solu...) mentioned a couple of projects that got greenlit due to blockchain hype, yet either don't have anything to do with blockchain or else use blockchain in pointless ways - such as having a small, fixed pool of trusted mining nodes controlled by one entity.
And they're crowding out better uses of those renewable energy resources, too.
All tokenization schemes are ponzi scams including USD, it's just that some use violence to stay relevant, and others use bug bounties.
It's irrelevant. We don't use 'algorithms as ownership' in the real world. We use social agreements like contract law to undo problems.
"All tokenization schemes are ponzi scams including USD, it's just that some use violence to stay relevant, and others use bug bounties."
We use the law to maintain civil infrastructure. Yes, if someone wants to murder you or someone else, or launder billions, we'll use violence to stop them.
An algorithm that is effectively used as a Pyramid Scheme is not going to save you from anything.
However, I can use USD, GBP or any fiat currency in my local grocery store.
Can I use Bitcoin, Shib, Doge, or even Orchid at my grocery store without waiting hours in the queue for the transaction to complete and no huge fees?
Seems like just an opinion to me, and a poorly opinionated one at that.
What I would say is that most cryptocurrencies have no fundamental value, and are therefore bubbles. I don't know what the term is for when someone deliberately creates an asset bubble with the intention of profiting from it. It's something like a very long-form, deliberative pump-and-dump.
All I see are people holding coins and not using them at all for anything else other than 'I want coin to go up'.
Other organization bounties should go higher. Especially Web2 ones.
Why do I have to pay more fees to swap tokens on decentralised exchanges making them unusable, and how exactly is DeFi decentralised?
No - sorry - ETH doesn't get a 'pass' on this.
The 'Rest Of The World' is tired of the Crypto Scam Delusion masquerading as something reasonable and watching these critical failures getting swept under the rug.
This issue demonstrates that critical failures will exist in the wild (and it's wrong to suggest that they won't come up in the future - they will) creating an existential flaw for systems in which there is no intrinsic remedy. Forks by 'completely arbitrary central powers' entirely defeat the purpose.
Just last week we had the FBI arrest criminals laundering literally billions in Crypto.
It's a tiring fraud absorbing enormous amounts of attention and energy for no apparent benefit but entertainment.
The concept is currently fundamentally flawed, it belongs in 'side project' territory for now, not in the mainstream.
I expect that my bank is not perfectly secure. And when it fails, there will be ways to redress the problem, i.e. account insurance, bank refunds, legal recourses etc.
Blockchains have 'no way out'. When there is a problem, it breaks everything. Recently, there was a grift on ETH and to overcome the problem, there was a massive fork, which is enormously hypocritical because it implies that there are 100% 'Central Authorities' with ETH, who are unarmed, unrestrained by any regulation or oversight, policy and probably any legality. Etc.
The only way for Blockchains to maintain their ideological integrity is if they are 'perfect'. But they are not 'perfect' and require 'maintenance and oversight'. Ergo they are self defeating their own purpose.
Ultimately, it's a ruse or will mostly be used as such.
Indeed, strange trend :D
I'm responding to whether the term applies.
[1]: https://www.irs.gov/businesses/small-businesses-self-employe...
Edit: Don't want to sound too negative. This is a great windfall. Simply sticking it into an investment account should pull in financial independence/retirement by 5-20 years, depending on his age.
My _kitchen_ remodel in 94087 cost over $100k
Your TLS config is good for now, unless another padding oracle attack comes along and makes those CBC ciphers weak again, or some other vuln.
(your cert is expiring next month btw, might be a good opportunity to set up LetsEncrypt)
When I set the crypto policy in Fedora to Legacy, which lifts those restrictions, I can visit your website.
Chrome doesn't have this problem in Fedora because it ships with its own SSL/TLS specific things bundled (or something along the lines, didn't care to get deeper in the topic).
Edit to add: It’s possible to run update-crypto-policies --set=DEFAULT:SHA1 and avoid enabling the whole LEGACY policy
https://ssl-config.mozilla.org
I tend to use it for generating configs for static Nginx sites, though it can do much more. :)
I am much happier being able to get a bunch of clean money and then be able to give talks on the subject at conferences and get a lot of "street cred" in the tech community for my effort than spending the rest of my life wondering if there's someone from a real-world mob out there trying to hunt me down to recover the $100M I "owe them".
As for your murder comment, I'm not saying that violence is strictly unnecessary, just that the coincidence of "we have the guns" with "we issue the ponzi tokens" is probably not the only way to enforce the law.
Not "the only way", perhaps, but AFAICS the only way that makes sense. Sure, "the law is an ass" and "the querns of law grind exceedingly slow" and all that... But still, it's the worst alternative except for having no law, right?
So if you want the rule of law, the law needs to have the biggest guns. And why would anyone want anyone but the law to issue the tokens of lawful commerce?
Wait for ETH 2.0. It's a really difficult problem to solve. In the meantime though, use Polygon (or other side chains). Swap tokens for a cent or two.
> how exactly is DeFi decentralised
Take a protocol like app.uniswap.org or pooltogether.com. If you have an internet connection, no one can stop you from using these protocols (and many other protocols). No arbitrary rules imposed by governments or companies. Your funds are your funds, there are no arbiters (just tens of thousands of Ethereum nodes which are responsible for settling transactions).
> What is the process of getting your money back from a hacked DeFi project?
Use protocols that have been around for a long time and have hundreds of millions, billions, or even tens of billions of dollars locked in. That decreases chances of you losing funds. But it is a problem, I agree, hopefully somehow we will make it better.
So I still have to wait at least 2023 (2025 or 2026 for a realistic possibility of merchant adoption) for ETH 2.0 to be used?
I don't think merchants would want to wait for something that is not complete and unregulated.
You do realise that ETH 2.0 has nothing to do with lowering fees? So all the DeFi apps using it will still be unusable anyway.
> If you have an internet connection, no one can stop you from using these protocols (and many other protocols)...(just tens of thousands of Ethereum nodes which are responsible for settling transactions).
Aren't most of these Ethereum nodes and DeFi exchanges on AWS like dydx? It went down a few months ago no? [0]
That doesn't sound decentralised to me.
> Use protocols that have been around for a long time...That decreases chances of you losing funds. But it is a problem
So I can't get my money back then? I see DeFi hacks everyday and not getting my money back doesn't help either.
Makes robbing a bank less attractive for criminals and instead target DeFi projects.
[0] https://twitter.com/dydxprotocol/status/1468293558360805381
The decentralized part of DeFi is the smart contracts. If you can interact with the contracts without any centralized help, then how exactly is it centralized in your opinion?
- Long term vs short term
- different rates
- state capital gains taxes
In this case, with the receiver being a CA resident, he pays almost certainly more than 50% in taxes on this bounty.
Plus state income taxes.
There’s also pro and anti arguments for being in control of your assets.
KYC and AML? Just lie that you mined the monero on a now defunct pool. I have plenty of coins that I genuinely acquired in such manner and haven’t had issues selling them. The bank only cares about hearing a vaguely consistent story, they aren’t cops.
The KYC stuff will only become a problem if you get caught via some other means, because lying to the bank is a crime.
The IRS will ask questions of those people, but not the black hat "security researcher".
All the balances and stuff are public on the blockchain. It only takes one person to write a script to verify that the locked up amount matches the number of tokens out there, and when it doesn't, alert.
That then means any attacker will have to be very quick with their theft, and if so, there is still a good chance whatever coins they get will end up blacklisted or the transactions reversed by a sufficiently large army of upset users who fork the eth network or the L2 network.
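The reconciliation check described above, as an added example that is not part of the thread or any project's code. It follows the bridge model given earlier (ETH locked in a reserve on Ethereum, "OETH" IOUs on Optimism) and shows why comparing reserve to supply directly is not enough once deposits and withdrawals are in flight. The snapshot fields, the in-flight accounting and all values are assumptions constructed for illustration.

```python
"""Reserve-vs-supply reconciliation for a lock-and-mint bridge (added example)."""
from dataclasses import dataclass

WEI = 10**18  # amounts are integers in wei so no float rounding creeps in


@dataclass(frozen=True)
class Snapshot:
    """One observation of both chains. Field names are hypothetical."""
    label: str
    l1_reserve: int             # ETH held by the reserve contract on Ethereum
    l2_supply: int              # OETH in circulation on the L2
    deposits_in_flight: int     # locked on L1, not yet credited on L2
    withdrawals_in_flight: int  # destroyed on L2, not yet unlocked on L1


def unbacked(s: Snapshot) -> int:
    """OETH in circulation that no locked ETH accounts for (0 when healthy)."""
    # In-flight amounts still sit in the reserve but do not back circulating OETH.
    backing = s.l1_reserve - s.deposits_in_flight - s.withdrawals_in_flight
    return s.l2_supply - backing


def naive_alerts(snapshots):
    """The simple check: alert only when supply exceeds the raw reserve."""
    return [s.label for s in snapshots if s.l2_supply > s.l1_reserve]


def reconcile(snapshots, tolerance=0, persist=2):
    """Return (label, kind, amount) alerts.

    A positive gap must last `persist` consecutive snapshots before it alerts,
    so a one-off mismatch from reading the two chains at slightly different
    moments does not page anyone. A reserve surplus is reported immediately
    because it usually means the bookkeeping inputs are wrong.
    """
    alerts, streak = [], 0
    for s in snapshots:
        gap = unbacked(s)
        if gap > tolerance:
            streak += 1
            if streak >= persist:
                alerts.append((s.label, "UNBACKED_SUPPLY", gap))
        else:
            streak = 0
            if gap < -tolerance:
                alerts.append((s.label, "UNACCOUNTED_RESERVE", -gap))
    return alerts


# Constructed sample data, in whole ETH for readability.
def _snap(label, reserve, supply, dep, wd):
    return Snapshot(label, reserve * WEI, supply * WEI, dep * WEI, wd * WEI)


SNAPSHOTS = [
    _snap("t0", 1000, 1000, 0, 0),   # steady state
    _snap("t1", 1050, 1000, 50, 0),  # 50 ETH locked, credit still pending
    _snap("t2", 1050, 1030, 0, 20),  # credit landed; 20 OETH destroyed, unlock pending
    _snap("t3", 1050, 1031, 0, 20),  # supply read one block late: transient +1
    _snap("t4", 1051, 1031, 0, 20),  # reserve catches up
    _snap("t5", 1051, 1046, 0, 20),  # 15 OETH appear with no matching lock
    _snap("t6", 1051, 1046, 0, 20),  # mismatch persists
]

if __name__ == "__main__":
    print("naive :", naive_alerts(SNAPSHOTS))
    for label, kind, amount in reconcile(SNAPSHOTS):
        print(f"alert : {label} {kind} {amount / WEI:.0f} ETH")
```

The naive comparison stays silent on this data because the 20 ETH awaiting unlock hides the 15 unbacked OETH; subtracting in-flight amounts is what exposes it.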
(They have administrative controls for now during development, at some point they're supposed to turn it completely permissionless...)
https://help.hop.exchange/hc/en-us/sections/4405172442509-FA...
Edit: O...kay? Apparently the parent of this comment is aware of alternate, much-faster ways of withdrawing L2->L1, and what their constraints are, but still elected to leave those out and imply the one-week lag was a binding constraint?
(Would have posted as a reply, but my comment rate is getting throttled for some reason.)
Edit: Sorry for being disingenuous and unnecessarily curt in my reply. I didn't mean to. I'm in some kind of weird zombie mode this morning.
Even if the government figures out that you have unexplained assets, that isn’t the same as getting caught. Having unexplained assets is generally not a crime, and monero can make it impossible for the government to figure out where you got that money from.
Currently people are pessimistic about stock market returns going forward so it could be lower (3-3.5%). And even lower if you want it to last longer than 30 years.
The market historically has been going up, so at least historically it's been reliable to get a fixed income. I don't think $2M is sufficient to retire very early, mostly because of bad years and that your initial capital loses value over the years, but it can generate a nice income and most people can have something on the side that generates some extra money as needed. With $4M I would be more comfortable retiring at 40 let's say, depending on cost of living of course.
"Fixed Income" is more about structurally reliable and consistent returns, rather than historical average returns.
An outlier bad year can easily wipe a huge percentage of capital invested in stock--but the younger you are, and the more buffer you have, the less likely this is to be a problem. But don't mistake that for fixed income!
Fixed income usually refers to interest rate products, and as mentioned above in this thread, the inflation-adjusted rates have been pretty bad. Pretty much since the start of Quantitative Easing, I believe.
You could buy an annuity from an insurance company. A quick Google search shows that $2mil should buy a 40 year old about $70k/year for the rest of their life.
Ethereum itself clearly is a secure blockchain given the fact that it has not been exploited directly ever, as far as I am aware. Smart contracts running in the EVM obviously have exploits galore, but that is different from Ethereum itself being vulnerable. Just like it is different when the Java Virtual Machine itself has an exploit (uncommon) vs when a program that runs in the JVM does (very common).
You can of course argue that the lack of inherent soundness / correctness in Ethereum smart contracts makes the entire chain less useful since running smart contracts is kinda the whole point, but then you should make that argument rather than saying dumb things like:
> ETH was an insecure blockchain
Oh, so it can only be exploited indirectly. Yeah, wow, that makes it oh-so-secure.
Certainly anything that's absolutely mission critical should not live on these L2 networks yet.
It’s all new technology so they’re taking it slow.
I'm not saying it's a better or worse plan than whatever might happen under an alternative system, but just that it's not exactly a clean solution either.
But with ETH we have the community patting themselves on the back for it. It’s madness.
You are making a false equivalency when you compare crypto with usd.
The way that the credit card system works in the US is fundamentally biased towards consumer protection, because that's an explicit policy objective. The same with the Direct Debit guarantee in the UK, or the various laws which limit the maximum exposure due to fraudulent use of payment cards.
And when exchanges break trades, they undo the entire transaction - you don't end up with one party out cash or shares.
Now I get a bank-subsidized thing and you're not missing any money. It creates a drag on the whole economy, because instead of doing productive work to get the thing, it's often easier to play games with the system.
The fact that credit cards use a symmetric key to authorize spend is a glaring flaw. The technology to fix it (asymmetric key cryptography) has been around for decades. But instead of fixing it, the credit card companies just keep writing off the instances of fraud.
But that's orthogonal to how quickly the maintainers of these tokens can make changes in response to threats.
Over a decade later and I still cannot use any of them at the restaurant or without waiting in the queue for the transaction to settle and paying more for the fees than the goods itself.
Never mind that the entire threat class doesn’t exist in traditional finance?
The strike app (which uses Lightning) is not available worldwide which really doesn't give the image that Bitcoin lightning is decentralised at all.
Lol, you never actually handled the sums the submission is about, right? The IRS will definitely ask questions about where the money you spend comes from, if you end up on their radar. And if the answer is not satisfactory, they will grill you on it.
And even if you did, there’s no way for them to ever prove where your monero came from unless you fucked up during either the hack or the swap to monero.
Even if the IRS suspected that you’re lying to them, how could they prove it?
But yeah, I'm not claiming it's impossible to clean stolen ETH. The only claim I made was that the IRS will definitely start asking questions if you go from a declared income around average in the US to a declared income around $100 million from one year to another. To believe that they are just gonna accept "I mined it lol" is a grand delusion.
Annuities really just work well if you are 80+ and want to insure against longevity risk.
I just think it is also worth noting that, even if we do accept the false dichotomy, I would not be an effective criminal... which seems to continually disappoint some people ;P. (I'm sorry to be such a let down! lol)
Don't bleed all over us!, or let others bleed on us.
___
[1]: lit. "makers": "Fiat" is Latin for "let there be made", a form of the verb "to make". It's a cognate of modern French "faire", Italian "fare", etc. (Related words are "fact" and "factory".)
That seems, to me, like a sensible risk balancing approach. In the cryptocurrency "all sales are final" world - you're the loser. I don't really see that the economic drag is larger one way or the other.
AFAIK the use of symmetric key cryptography in card capture and payment processing is not in any way a significant factor in payment card fraud - where do you get that information from?
Better would be to have whatever secret authorizes spend (private key) be separate from the account identifier (public key) and to push money, rather than sharing a symmetric secret which authorizes whoever has it to pull money.
But $10 million a year? Perhaps much more if split over a couple of jurisdictions? No problem.
In the end this was about stolen $100 million being worth more than totally legit $2 million. I firmly believe that it would be downright easy to safely cash out $2 million a year from the stolen $100 million.
> To believe that they are just gonna accept "I mined it lol" is a grand delusion.
Unless you keep evidence of your crimes sitting around, at some point they’ll have to.
Assuming you use monero correctly, no amount of forensic analysis will be able to go back from your funds to the original crime.
And besides, the “early miner” story is hardly incredible. Many people have recovered huge sums of money from old hard drives.
> If you describe that you got $100 million from mining Monero, you're gonna have to show proof that you have the equipment to actually get that, over the timeframe you're claiming you have mined
This isn’t really a problem as long as you claim to have started mining early enough, fairly basic hardware would probably suffice.
It's about winning the lottery but still applicable to some extent, and shows how people's lives go horribly wrong.
That Reddit comment is not about 'poor people', though it's true the scale is a bit different.
There are plenty of horror stories that are below $10 million.
Assuming that was unintentional, now might be a good opportunity to reflect on unconscious bias.
I was in jail with a guy who was a total mess. Nice, but seemed pretty mentally-disabled.
One day a new guy came on the block. "Wow, what is George doing in here?" "You know him?" "Yeah, I know him. He is one of the greatest musicians I ever met. He can play any instrument like a savant. I knew him a few years ago, just after he inherited $4m when his father passed. He ended up getting in drugs and everyone would hang out at his house." "Wow, who was his dealer?" "Who was his dealer?! EVERYONE was his dealer!"
I'd been keeping George in coffee, because he didn't have a single cent on his commissary account (which is rare in jail, even the worst criminals usually have someone out there). Poor George had snorted or injected $4m of drugs and everyone had sold them to him and partied with him until all the money was gone and George's brain was cooked and he went around shaking his fist at the sky until he was arrested. And not one of his hundreds of "friends" would put a cent on his account.
This bankruptcy thing is a myth that seems to have been made up and won’t die. I’ve looked into this in the past and the only stats I could find that back it up are based on small winnings, not large winnings, contrary to your redditor’s claims, and the bankruptcy rates were temporary. Get this: the bankruptcy rates went down 2 years after winning between $50k-$150k, and then 3 years after that they returned back to normal. The returning back to normal from a low point was cherry-picked and reported widely as bankruptcy rates going up. Misleading, right? Here’s the Florida study this misinformation was based on: https://eml.berkeley.edu/~cle/laborlunch/hoekstra.pdf
The National Endowment for Financial Education has issued a press release about this bankruptcy misinformation: https://www.nefe.org/news/2018/01/research-statistic-on-fina...
I am grateful for this insight.
That said, I do concur that Zipcar sucks now, compared to what it was. I've still never used Lyft or Uber, so can't comment on those. Oh wait hold on, I did try once to gift some Lyft rides to someone via the website and was literally unable to successfully give Lyft money. Still, I would say it makes less sense now to buy a car (even electric) than at any other point in history.
Get a fun car that can be a hacking project :)
I was suggested a police car by a friend. They are cheap at auctions, more or less well maintained (tax payer money) and have interesting internals (check sites like https://www.dippy.org/upgrade/dipcop.html) especially for electrical circuits where a police-taxi-module lets you hook up to other functions.
And the laptop mount is a geek dream: your laptop right by you, charging, which doubles as a make-do coffee table at the drive through :)
Except that
1) a lot of them are Dodge Chargers which are terribly unreliable
2) they spend incredible amounts of time idling, which isn't good for the engine of a sports car
The problem with a car is for most people it’s their most expensive or second most expensive capital asset, yet has a very low utilization rate (often less than 5%). If interest rates rise their op ex in servicing it (fuel, insurance, loan interest) will exceed that!
A few years ago I sold all my cars. I found I only drove at all a few times a week at most (walk/bike instead). Like you I switched to rideshare/rent and it was fine. My motivation wasn’t really to save money but just eliminate the hassle of having all those cars.
Make sure to read it.
Tokens are used to have a stake as an indexer (data provider) and to pay for query fees (data consumption), and if indexers tamper with the data they lose their stake.
It was released last year and has a long way ahead to mature, but it's an amazing product and tokens/blockchain is essential to its decentralized nature. Simply put, there is no way to accomplish this if the network didn't adopt its own cryptocurrency.
Just like all the other coins, the only use case is burning up the planet by using Ethereum, BTC, etc, racking up high fees and being used by speculators while everyone else who invests in the ponzi scheme loses their money when it all crashes.
Nothing has changed.
How so?
I won't bother with the rest of the post as it's your usual crypto bad spiel that has absolutely nothing to do with the discussion we're currently having and has absolutely nothing to back up its claims (as do the rest of your posts, which I'm surprised aren't flagged/dead yet considering their low quality, but I guess HN is ok with them since they're anti crypto), but I'm curious to see how you would build a decentralized system that lets developers build data indexing programs, allows anyone to join the decentralized network as a data provider to run those programs, and lets consumers query that data from the network while also ensuring that the data is valid and hasn't been tampered with by the providers without blockchain/tokens.
Please, do enlighten me, I'm curious.
Yes, exactly, and that's why we can't have distributed systems with 'no central authority' - if those systems are inherently and always faulty there needs to be intervention of some kind by an 'authority'.
There is no such thing as a trustless system, the whole thing depends on webs of trust.
Adding a new technology + blockchain + a coin still makes it a ponzi scheme scam, even worse when the price of this coin comes crashing down.
And there is no human coordination mechanism without the freely convertible currency
Blockchains provide the open source rails of all the account management and distribution, easing development costs. The infrastructure is already built compared to alternate ways of attempting to do this
have fun doing that without a blockchain
The only reason Helium's LoRaWAN coverage is expanding rapidly is due to the crypto aspects of it.
There is definitely an opportunity to sell overpriced hardware into the community then.
There are some other antenna-blockchain systems out there that look more like "schemes to sell hardware", such as Match X. There is a big and burgeoning market for these "passive income" things, people install hardware to earn a cryptocurrency.
It is definitely worthwhile to sell the hardware if you can.
And earlier:
>>> GPS
So is this the Charlie Stross blockchain scheme?
https://news.yahoo.com/zappos-founder-tony-hsieh-didnt-17410...
Like all the others, most people are just speculating on the token price, asking if it is a good investment, etc. You would have to be lying to yourself to believe that people care about the technology.
Could you tell me why this project needs a token attached? Even if we were to look at the price, the painful truth is that most (if not all) people who invested lost most of their money on this shitcoin, and this is excluding the punishing gas fees so it could be even worse. I hope this doesn't include you as well.
As I said, querying blockchains can be done without the need to attach a token to a project. BitQuery is an example of this without trying to burn up the planet with Proof of Waste.
If you are in support of the Graph you are also in support of the ponzi scheme.
If I would like to lose my money in style this would be it.
Well get in line, the backlog for receiving hotspots across all distributors is 6-9 months long.
Yours would likely be family or close relatives.
I think you’d take money to do something untoward if that was the alternative. Almost everybody would. And there’s nothing wrong with admitting that.
Aside from the problems of this statement being a completely vague and unspecific and extreme hypothetical, isn’t there a problem with switching from talking about incentives to talking about threats? Being threatened with death isn’t the same as being offered money, and this ground has been well covered by philosophers who point out that there are things wrong with “admitting that” as you call it. Calling it a price tag seems misleading at best. There’s further a massive problem with suggesting a person’s ethics might be based on what someone threatening them with death wants them to do, no? If the action isn’t something you are choosing to do, and isn’t something you would do if not threatened, for any amount of money, then why would you consider it your actions or part of your ethics?
It helps to frame it this way, because once you accept that you’d do that, you’re more likely to accept you would do something unethical for a billion dollars if it had no consequences to you. And from there, it’s a binary search to determine exactly what your price is.
Would you be able to say you wouldn’t lie to your wife if it meant you’d walk away with a billion dollars? Certainly this is contrived, but all examples in this territory are contrived.
Compare “kill this person to save your son’s life” with “kill this person to earn $1 million.” They’re not equivalent, even if both might be metaphorically referred to as a price.
The illusion that they feel different is extremely powerful. It’s worth resisting. It helps uncover all kinds of ways that we contribute to unethical behavior, if only through inaction.
The concept of having a price attached to your ethics is essential. Without it, people fool themselves into believing they’re above temptation. In my experience those same people tend to be the most vulnerable to it.
OP branched here: "it's not as if the choices were 'commit crime / get bounty'."
Any example relevant to OP's branch cannot end with the subject in a river. The very fact that you are discussing it proves we've jumped to the other branch of the conditional-- the one where the choice is exclusively between `commit crime / get bounty` (by threat of death in your example)
tldr; goto considered harmful on HN
I'm not sure this is a sound analogy, but imagine someone picking up cigarettes for the first time and building up tolerance over time as they go from one cig a day to two, three, four and so on. Now, compare that to someone suddenly smoking 10 cigs per day. The latter person is more likely to get wrecked from the side effects.
Edit: I checked your profile and saw that you're the co-founder of Industry Dive, damn. I love your newsletters and websites!...especially Payments and Banking Dive.
Not sure if that's true by number of gamblers, but my gut says it's mostly true weighed by the amount of money gambled away. I say mostly, because we don't count rich kids / oligarchs wasting money for fun, who might dominate the value chart.
Most people who are the poorest are usually the ones who know exactly where their dollars are going. They can tell you exactly how much a carton of eggs and milk are.
You're making the assumption that everyone plays the lottery because they think it is a smart financial decision.
It's easy to say "well, lotteries have a negative expected payoff". And that's true, but it can still have a less negative payoff than a payday loan or having your car repossessed.
The utility of $2*X is not exactly twice $X. It can be more or less, and that can differ between different people.
That said, it's more likely that someone whose life ended in poverty is not as smart as someone who can live comfortably. IQ generally correlates with income (you can google a few studies).
There are surely tons of reasons that can push smart people into poverty (bad health, poor environment leading to poor choices) but that shouldn't obscure the general trend.
That said, I think over a certain IQ, other traits of your personality or the environment will have the predominant effect in determining whether you'll end up poor or not.
Similarly, over a certain amount of money, I'm sure there will be more variance. Making 5k more than your peers doesn't mean you're smarter than them - and the fact that you're all able to earn a living and save some money means you're all smart.
"Would you sell your mother or your children at any price?"
And I hope - admittedly, that's speculation - I know what the answer to that would be.
So this is now an absurd discussion, whereas it started off from a rational point of view: there exist such people whose ethics can not be corrupted. The fact that you believe this is not the case says nothing about people in general.
You are asking what I would personally do. But it’s better to think of limit cases that everyone would do — such as lie to their wife for a billion dollars. Since it’s guaranteed you fall into the bucket of “everybody”, that means you can locate your ethical price tag.
It’s helpful for people to do this mental exercise. At least, I find it comforting knowing my own price tags in advance.
My statement is pretty simple: ethical people exist.
You countered with "Everyone’s ethics have a price tag. It’s better not to pretend otherwise, since it clarifies a lot of human behavior."
And have been moving the goalposts ever since. The fact that unethical people exist was never up for debate.
(Like, work to avoid creating the situation where you have to compromise, if possible)
The way I view it is that it’s important to seek out yours ahead of time — to game out different scenarios, and to consider whether you would do X or Y if forced to choose. That way, when you’re in a situation where you feel like compromising, you’ll remember your limits.
In other words, I was less tempted to act unethically in the moment than I would have been if I’d been surprised by the opportunity.
This is especially important in scientific circles. It’s often trivial to falsify data, and the rewards for doing so are generally high. It’s also not always an active, conscious decision; it’s easy to make small mistakes that have favorable outcomes for yourself.
The exercise has helped me steer far away from any of those. I’ve watched peers fall into a trap that I’d label “scientific hype,” i.e. claim that you’re doing something impressive when in reality you’re nowhere close. This is a very easy mistake to make, and if I hadn’t mentally found my boundaries ahead of time then I’d have been vulnerable to making the same error. Or I may have stayed silent when my peers were doing something naughty.
On an individual level, gambling is roughly breaking even in the long run (say, 95% retention of the resources).
Yes, it is.
> It is a transfer of resources from one entity to another. It's a zero-sum game.
All real gambling consumes as well as transfers resources, and is, therefore, negative sum.
By your definition it seems literally everything is a "waste of resources"
No it's not.
Are we "debating" like in first grade or what is this?
Most activities use resources.
Many produce value and are not a waste of resources.
Suppose another ape and I are out enjoying the State of Nature, and we both should have a round troy ounce of silver in our pockets, with heads and tails as an agreed convention. Suppose I were to say to the other ape, "on whose face does Fortune shine her rays?" and we were to flip both rounds, such that whomever showed heads had the better of it: were it both of us, we would exchange, but one head and one tails, well, one ape will leave the gamble richer and the other skint.
Tell me toolz, how should you prevent this encounter without committing a human rights violation? Show your work, please.
All I've said is that neither you nor I should be responsible for making this behavior possible - you seem to have misinterpreted my intent completely if you think the absence of a right is the same as a mandate against someone's ability to participate freely as they wish with other consenting adults.
Like without getting into nits, you can actually directly affect the direction and value of a company, but you can't affect the roll of dice or the output of a random number generator.
Risk in and of itself doesn't imply the entire thing is gambling; that said, investing by itself would be way closer to gambling in that context, imo
I'm saying the opposite of what you seem to be implying. I'm saying anyone can gamble or start a business, but it's no one's responsibility to make sure they have the option to do so.
Since you’re misquoting yourself, it sounds like you don’t want to have this debate, or you may not have realized what you said. But “The whole assumption that ethics have a price tag attached is faulty” is not at all the same thing as “ethical people exist.” It’s not a pedantic distinction; one is debating whether people will take compensation for acting unethically, even if they feel they’re the most ethical person on the planet — I think the answer is “yes” — whereas “ethical people exist” is a point no one could disagree with.
It’s a bit unexpected for you to omit your “price tag” words and then continue with my argument.
But we’re past the point that readers are having a nice time reading this. If you’d like to continue, I’m happy to do so, but we need to restrict ourselves to a high caliber of debate, if only for HN’s sake.
Whereas in fact it is anything but pedantic.
"The whole assumption that ethics have a price tag attached is faulty"
For everyone.
> But we’re past the point that readers are having a nice time reading this.
You seem to be in a habit of projecting your own feelings onto everybody else.
> If you’d like to continue, I’m happy to do so, but we need to restrict ourselves to a high caliber of debate, if only for HN’s sake.
Suit yourself.
If you ever do want to probe deeper into the question of ethics vs cost, I think it would be interesting. But since you keep talking about me rather than the idea, the interest feels one-sided.
Ethics problems typically do not lend themselves to be translated into a caricature of the market economy. The habit of assigning price tags to stuff can help if the original problem is cost related, but it tends to be a crutch when things of a more principal nature are discussed, which would have a valid meaning absent such things as money or physical rewards. As long as you keep framing it like that you won't get further.