Thoughts on Bitcoin

One of the things I've heard a lot about recently has been Bitcoin - a math-based currency that has been attracting more and more popularity in recent months.

On a recent vacation, I spent a lot of time reading and trying to (1) understand why people are saying Bitcoin is revolutionary and (2) how to articulate that understanding in my own words.

I wrote a quick piece over at Medium that helped me put my understanding of Bitcoin into perspective. Hopefully it's helpful to you too.

DC's Powerful Internet No One Can Use

“It’s kind of maddening to see tax breaks getting given out to fucking LivingSocial while they’re sitting on a 21st-century resource,” complains Bloom. “They want to talk about making D.C. a tech capital? Make it easier to make broadband accessible to everyone.”

Turns out the District of Columbia has spent about $25m building out a 100-gigabit fiber network but, due to franchise agreements with Verizon and Comcast, cannot actually offer a last-mile service to residents.

As a former DC taxpayer, it's a real shame that the DC Government has invested in a first-rate Internet backbone and has thus far failed to extend the benefits to its citizens - especially those in areas of the city where reliable and affordable high-speed internet service is still out of reach.

How To Order The Perfect Drink

Adjust your order to the location and bartender skill level of the venue.

This is very good advice when entering any drinking establishment. Know your preferences by flavor profile (bitter v. sweet) and spirit (don't be lazy with any of this 'dark v light' bullshit - know your gin v vodka and rye v bourbon).

I also pay close attention to a few other things before ordering:

  • Measurements: Are the bartenders building drinks by eye or with some type of jigger-style device? I don't care if the measurements are precise, but I care that some semblance of ratios is used (unless ordering a straight spirit, then I leave the pour in the hands of the bartender - as long as it is generous).

  • Ice: I try not to be snobbish about ice choices, but rather treat it as a leading indicator. If you've ordered a $12 cocktail with top-shelf ingredients, but it's served like an in-flight soda in an ice-filled glass, after about 5 minutes you're sipping mostly water. If your establishment of choice cares enough to serve massive, clear, uniform-size ice, you can rest easy that they will be sweating all the other details in building a quality cocktail.

Evolving Security at Google

Interesting vulnerability (now patched) in Google’s 2-Factor Authentication model that allowed full account access.

Google was a front-runner in bringing 2FA to a consumer audience - although it remains an opt-in only feature. (This article gives a nice general overview of 2FA in other popular consumer services.)

More interesting to me was that Google has seemingly bucked the OAuth trend made popular by other services (notably Twitter) with their implementation of "Application-Specific Passwords":

Generally, once you turn on 2-step verification, Google asks you to create a separate Application-Specific Password for each application you use (hence “Application-Specific”) that doesn’t support logins using 2-step verification. Then you use that ASP in place of your actual password. In more concrete terms, you create ASPs for most client applications that don’t use a web-based login: email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc.); chat clients communicating over XMPP (Adium, Pidgin, etc.); and calendar applications that sync using CalDAV (iCal, etc.).

As an iOS user and Google Apps user, ASPs have nearly forced me to turn off 2FA a number of times. The implementation forces users to navigate deep within their Google account settings to generate a 16-character code that you then have to type onto a second screen (I encountered this most often with new apps seeking to sync with Gmail/Contacts/Calendars).

This caught my eye though:

Even some of Google’s own software initially required you to use ASPs – e.g. to enable Chrome’s sync features, or to set up your Google account on an Android device. More recently, these clients have generally shifted to using methods along the lines of OAuth. In this model, when you first log in using a new application or device, you get an authorization prompt — including 2-step verification — in a webview; after a successful login, Google’s service returns a limited-access “token”, which is used to authenticate your device/application in the future.

It’s a fine line between having an authentication standard that is so dumbed down that it is easy to circumvent and one complicated enough to foil moderately sophisticated hacking attempts. Google’s attempts to prevent account hijacking are clearly working, but user authentication is still very much a disjointed process on mobile.

Ideally I’d like to see an evolved version of the Google Authenticator app that would allow me to authenticate a device once and then leverage ASP/OAuth integration in the app itself to allow one-touch authentication of a new app/service seeking access to my account.

Bonus points for instituting real-time notifications/tracking of account access attempts (American Express’s Passbook implementation of transaction notifications is the model here) for users to verify their accounts on the go.

Account security is an incredibly hard problem to solve technically, let alone for a consumer-oriented suite of services in use by a global audience. I think there are ways to effectively and securely combine 2FA and something like OAuth/ASPs to counter ever-evolving security threats while also presenting users with something simple enough to encourage broader adoption.
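To make the ASP model above concrete, here is an added example (not Google's code, and not from the article quoted above) of how a service could issue, check and revoke application-specific passwords: each ASP is a separate credential bound to a label and a set of scopes (IMAP, XMPP, CalDAV and so on), only a keyed hash of it is stored, and revoking one client's ASP leaves the others working. The 16-lowercase-letter format, the four-letter grouping, the pepper value and every class and function name are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Assumed format for the demo: 16 lowercase letters, shown to the user in
# groups of four. This mirrors how ASPs are typically displayed, but the
# constants are this example's choice, not a published spec.
ASP_ALPHABET = string.ascii_lowercase
ASP_LENGTH = 16


@dataclass
class AspRecord:
    """One issued application-specific password; only its keyed hash is kept."""
    label: str          # e.g. "Apple Mail on laptop", as listed in account settings
    scopes: frozenset   # services this ASP may unlock (imap, smtp, xmpp, caldav, ...)
    digest: bytes       # HMAC-SHA256 of the code under a server-side pepper
    revoked: bool = False


class AspStore:
    """Issue, check and revoke per-application passwords for a single account.

    The account's real password and second factor are never accepted here: an
    ASP is a distinct credential that unlocks only the scopes it was issued
    for, so one leaked or retired client can be cut off without touching the rest.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper      # server-side secret, kept apart from the records
        self._records: dict[str, AspRecord] = {}

    def _digest(self, code: str) -> bytes:
        # Accept the grouped form ("abcd efgh ijkl mnop") by dropping whitespace.
        normalized = "".join(code.split()).lower()
        return hmac.new(self._pepper, normalized.encode(), hashlib.sha256).digest()

    def issue(self, label: str, scopes) -> tuple[str, str]:
        """Create an ASP; returns (record id, plaintext code shown to the user once)."""
        code = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        asp_id = secrets.token_hex(4)
        self._records[asp_id] = AspRecord(label, frozenset(scopes), self._digest(code))
        return asp_id, code

    def authenticate(self, presented: str, requested_scope: str):
        """Return the matching ASP id if `presented` unlocks `requested_scope`, else None."""
        candidate = self._digest(presented)
        matched = None
        # Check every live record with a constant-time comparison so that timing
        # does not reveal which record, if any, matched.
        for asp_id, rec in self._records.items():
            if not rec.revoked and hmac.compare_digest(candidate, rec.digest):
                matched = asp_id
        if matched is None:
            return None
        return matched if requested_scope in self._records[matched].scopes else None

    def revoke(self, asp_id: str) -> bool:
        """Retire one ASP; other clients' credentials are unaffected."""
        rec = self._records.get(asp_id)
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        return True

    def active(self) -> list[str]:
        """Labels of live ASPs, as an account-settings page would list them."""
        return [r.label for r in self._records.values() if not r.revoked]


def demo() -> dict:
    """Walk through issue -> use -> revoke and return the observed outcomes."""
    store = AspStore(pepper=b"constructed-demo-pepper")   # constructed value
    mail_id, mail_code = store.issue("Apple Mail", {"imap", "smtp"})
    chat_id, chat_code = store.issue("Pidgin", {"xmpp"})
    grouped = " ".join(mail_code[i:i + 4] for i in range(0, ASP_LENGTH, 4))
    results = {
        "mail_imap": store.authenticate(grouped, "imap") == mail_id,   # grouped form accepted
        "mail_caldav": store.authenticate(mail_code, "caldav"),        # wrong scope -> None
        "chat_xmpp": store.authenticate(chat_code, "xmpp") == chat_id,
        "unknown": store.authenticate("a" * ASP_LENGTH, "imap"),      # unknown code -> None
    }
    store.revoke(mail_id)
    results["mail_after_revoke"] = store.authenticate(mail_code, "imap")
    results["still_active"] = store.active()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The scope check is what separates an ASP from a second copy of the account password: a code issued for a mail client is useless against the calendar endpoint, and revoking it from the settings page is a single flag flip rather than a password change that breaks every other device.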

Oxford Blocks Google Docs

Oxford takes extraordinary measures and blocks Google Docs for its network users (for 2.5 hours) to stem the tide of aggressive phishing attacks.

Unclear from this article (or the comments) as to whether or not Oxford is a Google Apps customer (which would provide additional security and URL/network management tools) or is simply blocking an overly popular service.

Network management and security are core competency requirements for any cloud-based service. If any of these services are mission critical to your business or organization, you need to understand your options and recourse if you do not have direct end-to-end control of how your users are leveraging said service(s).