5 reasons grids should use Bitcoin (if I ever get around to finishing the money server)

In virtual worlds on July 4, 2012 by edmundintokyo Tagged: , , ,

Maria Korolov has written a piece at Hypergrid Business called “5 reasons grids should avoid Bitcoin”.

Bitcoin can be a little bit difficult for people to get their heads around and her article contains some misunderstandings, but they’ve been fairly thoroughly addressed in the comments, so rather than go through the thing point by point, I’m going to go ahead and put the alternative case.

Here’s why the open metaverse needs Bitcoin, or something similar.

1) Users should be able to move their money easily from grid to grid.

When Linden Lab created Second Life, they built in a very nice, simple micro-payments system that allows you easily buy and sell content created by other users. You have to pay money into their system with a credit card, but you only have to do it once, and the same money will work wherever you go in Second Life. But their system depends on having a single company running everybody’s virtual spaces. The OpenSim vision is of independently-run grids connected together, so that you can easily jump from one grid to another. But when you do that, you don’t want to have to keep paying money into every grid you visit. We need one common balance that works everywhere. Meanwhile,

2) You don’t want to be baby-sitting too much of other people’s money.

Linden Lab are a big company with rich investors and their own lawyer, but in the Open Metaverse we want anybody to be able to run a grid, just like anybody can run a web server. If you maintain your own metaverse currency, you have to take on a lot of responsibilty that you may not want, and your users have to give you a lot of trust thay they may not want to give. You also open yourself up the risk that you’re somehow in breach of one of the many amazing regulations that surround currencies and payment processing.

It would be much better to leave your users in control of their own money and wash your hands of the whole thing. The only thing you want to be doing is prompting people to make payments and checking that they’ve been made. You don’t want to set yourself up as a participant in transactions between your users, and you certainly don’t want to look after people’s money for them.

3) When you have a single point of failure, it always fails.

If you’ve been reading this so far, you may be thinking, “No problem, I’ll use Open Metaverse Currency“. OMC is a virtual currency provided by a great little company called VirWox. You can install their money module on your server, and your users will be able to buy their virtual currency and spend it on any other participating grid.

But now, having gone to all the trouble to build OpenSim and avoid being dependent on Linden Lab, we’ve made ourselves dependent on VirWox instead. If they go bust, get bought out, take on a clueless manager, make a more interesting product and decide to focus on that, get shut down by the regulators or do any of the things that usually happen to technology start-ups, it’s goodbye to all your Open Metaverse Currency. Not only that, OMC effectively have a license to print money for themselves and devalue everybody else’s. VirWox seem like very ethical people, but to avoid the temptation to make up for a poor quarter by quietly debasing the coinage, they’ll have to be.

4) Online micro-transactions need cash, not credit cards.

Maria makes a big deal of how Bitcoin isn’t backed by a company, so there’s nobody checking for fraud and looking after you if you’re a victim of it. This is of course true. But in reality I don’t know how much luck you’d have getting your OMC or your Linden Dollars refunded if somebody stole your laptop. And a lot of the fraud that credit companies deal with is actually dealing with the gaping holes in their own security. For example, credit card security is based on the idea that your money is protected by a secret number that you tell everybody that you do business with. This turned out not to work very well, so then they came up with a special three-digit code and you had to tell everybody you did business with that as well. The only way to persuade buyers to adopt a system that’s so full of holes was to let them cancel payments after they’ve been made. But instead of making up the difference themselves, they charge the cancelled payment to the unlucky merchant who was supposed to be getting it. And that, dear grid operator, is you.

It isn’t like this in the real world. We’ve been doing small transactions in meatspace for millenia, and payment systems have never been bundled together with buyer protection systems. Last week I bought a cup of coffee from MacDonalds for 100 yen and got it home only to discover if was full of coffee grounds. I took it back to the shop and they gave me a new cup. A less generous vendor might have refused. But in neither case would I have been able to take my dispute to the Bank of Japan, who issued my 100 yen coin. Small transactions work best when they are final and non-reversible. That doesn’t mean that there is no accountability; if I hadn’t been happy I could have called the national MacDonalds customer support number, or taken it up with the consumer protection bureau. But the accountability mechanism is separate from the payment system. Trying to mush them together for small transactions turns out to be expensive, unfair and unpredictable. When you get paid, you need to stay paid.

5) Volatility doesn’t matter much.

There’s one serious point in Maria’s piece, which is that although it’s been quite stable recently, Bitcoin is prone to volatility that other currencies aren’t usually subject to. Real-world currencies in developed countries tend not to vary against each other by more than a factor of two, and vendor-backed currencies like the Linden Dollar and OMC are kept close to a real-world currency by controlling how much money is issued. Bitcoin has been all over the place, and may see more crazy price spikes if it’s subject to another wave of hype.

But as a grid operator, or indeed a user, this is probably not actually a big problem in practice. You don’t keep all your money in a metaverse micro-economy, so a change in value just means a bit of variation in the value of the small amount of money you’d hold for transactions, which could go up just as easily as it goes down. If you find adjusting prices tiresome and want to peg them to the Dollar or the Yen that’s not a huge technical hurdle – we can probably build it into the money server.

Make me decentralized, but not yet.

Having said all that, there is a real reason why grid operators shouldn’t use Bitcoin yet, which is that so far there is absolutely no technical infrastructure to do it. At a minimum, we need a version of the money server designed to handle Bitcoin addresses, broker transactions and deliver inventory when they are complete. (I’m working on this, but most of my spare time goes into SLOODLE and Avatar Classroom.) And to make the process both really smooth for the end user and fully decentralized, we’ll also need integration with the viewer.

There’s some technical work to do here and I’m not confident that the metaverse will end up adopting Bitcoin. But it should.


Can Anyone Sell Me A Transparent Cloud?

In hacking, internet, voting on February 2, 2012 by edmundintokyo

Recently I’ve run into a couple problems related to things like online voting and payment escrow and where I wanted to be able to provide a hosted service for something, that would be transparent and verifiable. To minimize the amount of trust the users would have to put in me, I wanted to not only make the code that I was running publicly available, but also give people the ability to check that my hosted service was actually running the code that I said it was, and I hadn’t deployed something different, or done something to my server that would make it behave differently.

This kind of transparency didn’t seem like a particularly exotic thing to want, so I googled around for people running a platform that would let me do that kind of thing. But I couldn’t find anything, so I thought I’d write it up and see if anyone has done this, or has thoughts on how it should be done.

Why do I want to make hosted stuff transparent? Here’s an example.

Adam and Bob make a bet, and Chris agrees to referee if one of them tries to cheat. To do this, they agree that two people out of three will need to agree to access the money. If Adam and Bob settle the bet as planned, Chris doesn’t need to do anything. If Adam or Bob loses the bet and disappears, Chris will make sure the money goes to the winner. And if Chris wants to run off with Adam and Bob’s money, he’ll have to persuade one or the other to conspire with him.

To help with transactions like these, someone – let’s call them Dave – runs a website that lets them do the following:

  • Adam goes to Dave’s website and types in his own, Bob’s and Chris’s e-mail addresses.
  • Dave’s server creates a private BitCoin key and a public BitCoin address. The private key can be used to access money sent to the public address.
  • Dave’s server splits the private key into three parts, and sends a different two parts of the three to each of Adam, Bob and Chris along with the public BitCoin address.
  • Dave’s server deletes the key, so it won’t be able to access the money that Adam and Bob are about to pay in.
  • Adam and Bob pay their stakes to the public address.
  • When the bet is settled, the loser sends their part of the private key to the winner, who can now access the money.
  • If the loser fails to send the winner their part of the private key, the referee will send theirs to the winner instead.

(*) The BitCoin people have a plan to solve this problem properly by building multiple-signature features right into the transactions, so hopefully when they’re done it’ll take care of itself.

The problem:
How can Adam, Bob and Chris trust that Dave isn’t going to secretly copy the private key, then use it to steal the money?

The solution:
The software and hardware Dave is running should be publicly verifiable wherever possible, or failing that verifiably in the control of a large, trusted organization with little incentive to cheat.

Thinking about the way cloud hosting works right now, we might do something like this:

  • The server hardware the service runs on is controlled by Rackspace/Amazon.
  • The server OS and core software are based on a publicly available image, if possible created using a transparent process by a trusted party (ideally Rackspace/Amazon, as we have to trust them anyway).
  • The setup steps for the publicly available image are automated based on a public source code repository whose history cannot be modified, and nobody is able to log into the server and change them.
  • A public record is available showing which image is being used for the IP address of the service.
  • A public record is available showing which source code repository was used.

The best I think I could do using existing services would be something like:

  • On EC2 someone (let’s call them Ed) would create a publicly available AMI based on an official Linux AMI, and publicize the steps he used to make it. I’ll call it Ed’s Transparent AMI.
  • Ed’s Transparent AMI would have SSH logins disabled.
  • Ed’s Transparent AMI would run a script on boot specified by a parameter.
  • Dave would create his setup script and check it into a public Subversion repo on Google Code.
  • Dave would create read-only credentials for his EC2 account and publish them.
  • Dave would launch an instance using Ed’s Transparent AMI, specifying his setup script.
  • Dave would (probably) map a DNS name to the IP address of his instance.
  • If the system allowed Dave to update things after the instance was set up, his changes would have to go through public version control, probably using something like Puppet.
  • If Adam, Bob or Chris wanted to check up on Dave, they would:
    • Look up the IP address of the site.
    • Use the public EC2 credentials to find out which instance was attached to the IP address.
    • Use the public EC2 credentials to check which script the instance was using.
    • Check the history of the script on Google Code to make sure Dave hadn’t done anything suspicious.
  • If anyone wanted to check Ed’s Transparent AMI, I guess they’d follow the steps he said he’d used to create it and compare what they got with what he was providing, which is the best we can do for third-party AMIs right now.

Anyone have any thoughts? Friendly person from Rackspace on Twitter?


Power to the MP-ple: How Carswell and Hannan could save Nick Clegg’s Bacon

In Liberal Democrats, UK Politics on May 8, 2010 by edmundintokyo

A Hung Parliament leaves Nick Clegg with a nasty choice. His campaign promised a new start, a different way of doing things and a fresh choice. But one way or another, he has to install one or other of the old politicians. Back Cameron, and his left-leaning supporters will desert him. Back the party that just lost, and floating voters will lynch him. Force a new election, and everybody will hate him.

But what if there was another way? What if, instead of an arrangement between a Conservative PM and the Liberal Democrats, Clegg could arrange for an arrangement between a Conservative PM and the entire House of Commons?

Under the current system, there would be no such thing. A British Prime Minister and his inner circle has enormous power of patronage, a tight grip over what legislation considered by the House of Commons and a lock on the national wallet. Whatever promises he might extract, the real power would live with whatever individual he supported in a confidence vote. The MPs hardly get a look-in.

But some people think there should be another way. Many of those people are in the Conservative Party. Libertarian right-wingers Daniel Hannan and Douglas Carswell advocate slashing the powers of the executive – while lamenting that once lodged in government, Cameron may go the way of Jim Hacker.

And some of these ideas – in a watered-down form – are official Conservative policy.

Clegg should take it further. He should set, as the only condition for allowing Cameron to form a government, a massive transfer of power from the Prime Minister and the cabinet to the House of Commons. For example:

  • Take the formulation of laws away from the ministers, and give it to balanced all-party parliamentary select committees.
  • Let committees control the legislation of the departments they oversee.
  • Give powers exercised by cabinet ministers back to the Commons.
  • Reduce the control of the whips.
  • Give parliament a veto over quango appointments.
  • Change the procedural rules to make it easier to pass legislation that the government disapproves of.
  • Do that all-party committee on the public finances they were talking about.

A request like this would be very hard for Cameron to resist. It would appeal to floating voters, who by definition aren’t attached to one of the parties and like the idea of everyone having grown-up discussions rather than locking the losing party out. It gives power to all MPs not just the LibDems, so it doesn’t sound as self-seeking as insisting on PR. And allows the occasional Lib/Lab alliance to assert itself on a few chosen high-profile issues, keeping their mutual tactical-voting flame alive.

Neuter the executive, and empower the legislature. A legislature which still – by the skin of its teeth – has a centre-left majority.

Thanks to jsfl at for pointing out the Carswell/Hannan connection.

Update: Carswell blogs:

Yet over the past three days we’ve seen a tiny handful of people meeting in private to determine the shape of the next government.

This is wrong.

Rather than cutting secret deals behind closed doors in Whitehall, should we not be having these debates on the floor of the Commons, led by the people’s tribunes?


A more efficient way to waste time on (Firefox, Chrome, Safari, maybe others)

In hacking on April 8, 2010 by edmundintokyo

Mike Smithson’s provocative, tightly-written articles at attract some very astute and interesting comments.

But the site lacks a few useful features, which makes it quite hard work to follow.

  • There’s no “reply” button, so people address each others’ posts using comment numbers, but the numbers themselves sometimes change when a comment comes out of moderation.
  • The discussion tends to move quite fast, but the only way to get the latest comments is to refresh the page.
  • Some days you don’t have time to read the whole thing, but there are some people you don’t want to miss.
  • Not everybody who posts there is astute and interesting, and there are some people you’d just like to skip.
  • The site only sometimes manages to remember your name and e-mail address, and often loses it.

If, like me, you waste far more time on the site than you should, you might want to try this bookmarklet. To use it, install the bookmarklet in your browser, then browse to the page you want to read and click the link:

  • An “Ignore” link will appear next to each comment. When you click on it, it will hide the text of any comments by the poster you chose to ignore. It stores this information in a cookie in your browser, so it will still be there next time you use the site. Ignored posters get an “Unignore” link next to their names, so you can restore their posts if you change your mind.
  • A “Favourite” link will appear next to the “Ignore” link. Clicking that will highlight that poster’s comments, and create a link above their post to let you jump to the next favourited post.
  • A “Reply” link will appear next to the “Favourite” link. Clicking on it will jump you straight to the comment box, which will contain a link to the comment that you are replying to. If you want to quote some text from the original comment in your reply, you can select the text before clicking “reply”. This is gone now we have Disqus, which already has a reply feature.
  • A “Show more comments” link will appear under the final comment. Clicking that will fetch the latest version of the page behind the scenes and copy all the new comments into the page you’re reading, so you don’t need to refresh.

How to install it

  • Make sure you have the bookmark toolbar showing in Firefox. (You can turn it on via View->Toolbars)
  • Go to this page and drag the “PB Enhanced” link to the bookmark toolbar.
  • If Firefox nags you that the bookmarklet may not be safe, tell it to go ahead anyway.

Update: Megalomaniacs4u has repackaged the bookmarklet as a Greasemonkey script, can install it once in Firefox and you won’t have to click it when you reload the page:

Update: Here’s a Greasemonkey version of the new version, for a Disqus-based comments system. This seems to work on recent versions of Chrome out of the box, with no need to install an additional extension.

Bugs and limitations

  • I’ve only tested it on Firefox. It probably won’t work on other browsers. Apparently it works on Chrome as well. Thanks Chad for checking that out. And Safari.
  • The “reply” button doesn’t always work for some reason.
  • After you post a comment, you’ll have to click the bookmarklet again.
  • If you ignore huge numbers of posters, your cookie will get too big, and something will go wrong.
  • The “Show more comments” feature will show you the comments in the order that it gets them, so a comment that comes out of moderation will appear with the new comments, rather than further up the thread based on the time it was posted. This may make the numbering even more messed up than it already was. Fixed in Disqus version.
  • The bookmarklet may open some kind of obscure security hole where somebody can put special characters in their username and steal your login information or something. It should be OK, but to be on the safe side I wouldn’t suggest using it while logged in as an administrator or moderator. Fixed in Disqus version.
  • Updated I’m not convinced the cookies are carrying across different pages correctly. I’ll see if I can make another version that behaves better tomorrow. Fixed
  • Updated Doesn’t keep the cookie when changing to a different subdomain. Fixed


Heads Or Tails Voting: A Secret Ballot In Plain Sight

In internet, voting on December 30, 2009 by edmundintokyo

It would be useful if people could vote secretly from home. If we could do this right, we could do all kinds of things to improve our political systems.

The problem is that if someone is voting outside a secure voting booth, we can’t be sure that someone isn’t watching how they vote. If someone can watch how you vote, they can bribe or pressure you to vote in the way they want. Some people have concluded that it’s impossible to have a secret ballot using online voting.

Heads Or Tails Voting gives you a secret ballot in plain sight. The voter has a single secret piece of information which is never displayed on their computer screen: Whether they are a Heads Voter or a Tails Voter. Using this secret, they can vote without anyone ever knowing how they voted – even if someone was looking over their shoulder as they did it.

Here’s how it works.


  • You register in a secure booth. Like an existing voting booth, only one person is allowed in at a time, and you have to prove who you are before you are allowed to use it.
  • Using the computer in the booth, you create a login name and password that you will be able to use from your PC or mobile phone.
  • The computer randomly chooses either Heads or Tails, and tells you which it chose. This information is stored in the voting database along with your password, and no-one else knows whether your are a Heads Voter or a Tails Voter.
  • You only have to visit the booth once, unless you forget whether you are a Heads Voter or a Tails Voter. Everything else can be done from your PC or your phone.

Voting (Yes or No)

  • Log into the voting website using your login name and password.
  • The screen shows the choices for Heads Voters on one side and Tails Voters on the other side.

A Yes/No Question

  • If you are a Heads Voter, click the top checkbox to vote “Yes” or the bottom checkbox to vote “No”.
  • If you are a Tails Voter, click the top checkbox to vote “No” or the bottom checkbox to vote “Yes”.

Voting (Ranking Multiple Choices)

  • Log into the voting website using your login name and password.
  • The screen shows the candidates arranged in a random order.

Ranking multiple=
(Click for a demo.)

  • Rearrange the order of the candidates by dragging their names to the left or right.
  • If you are a Heads Voter, put your favourite candidate on the left and your least favourite candidate on the right.
  • If you are a Tails Voter, put your favourite candidate on the right and your least favourite candidate on the left.

What Happens If…

  • If you forget whether you are a Heads Voter or a Tails Voter, you can go back to the registration booth and find out.
  • If someone tries to force you to vote the way they want, you can trick them by lying about whether you are a Heads Voter or a Tails Voter, and make your actual votes go to whoever you think will annoy them the most.
  • If someone steals your login name and password, they’ll have to guess whether you are a Heads Voter or a Tails Voter. Since they only have a 50/50 chance of guessing right, they will be as likely to hurt their chosen candidate as help them.


Constitutional QWERTY: Democracy without the stuck keys

In internet, voting on July 18, 2008 by edmundintokyo

With the chance that Britain may soon decide to experiment with democracy by replacing the House of Lords with an elected second chamber, there’s been a fair bit of discussion recently about what form it should take; Some people want only 100 or so senators, others want to use all the seats in the room. Some people want them to be up for election repeatedly, and some people thing they should serve a single term then retire. But there’s very little controversy about the basic design: One way or another, usually involving occasional popular votes, we come up with a list of representatives who will make all the decisions for us.

When nineteenth-century engineers set out to design a keyboard for their new-fangled typewriters, they had some serious technical limitations to deal with. Famously, the typewriters of the day suffered from jammed keys if you typed too fast on them, so we ended up with an arrangement that spread the keys out to put the frequently-used ones further apart.

People designing electoral systems up until the nineteenth-century had some even more constraining limitations to deal with. They were supposed to represent the wishes of millions of people, but it was hard to arrange a meaningful discussion between more than a few hundred. They were supposed to help us make decisions affecting people over hundreds of miles, but getting just a single communication – let alone a conversation – backwards and forwards between someone at one end of the country and someone else at the other end could take over a day. Asking people their opinions was expensive, so you couldn’t afford to do it too often.

Like the keyboard designers, people came up with some creative solutions. The country is arbitrarily divided into electoral areas (constituencies) and each area elects its own representative. People can decide on representatives without knowing what’s going on at the other end of the country, and can make their decisions based on a discussion with somebody close to them. To avoid lots of expensive votes, you pick your representative only once every few years; since the choice you’re making is simple and local, it’s easy to administer. Primitive versions of this system would have a single choice, marked with an “x” (in case you couldn’t write) per person per election. It was simple, crude and cheap, tailored to fit the technology of its time.

Modern keyboards don’t have a problem with stuck keys, and the logistical problems that we worked around with constituencies and parliaments have now been solved. We can have discussions with people without them all being in the same room. We can count a million electronic votes in less than a second. We don’t need constituencies with arbitrary boundries gerrymandered by parties arguing about over bus routes, and we don’t need to restrict our choices in elections to whatever bozo did the best job of sucking up to the local party.

If we wanted a democratic, responsive government, and we weren’t worried about nineteenth-century logistics, here’s how we do it:

1) Start with the concept that everyone gets a vote on everything. If you want to have your say on Article 234Z of Amendment 4B of the Dry Cleaning Regulation Bill, you should be able to exercise it. That didn’t used to be practical; now we have the internet. Vote on everything that way. Problem solved.

2) We don’t need everyone in the same room – we can talk about everything on the web. That means we don’t need a limit on how many people can participate; let anyone join in whatever discussions they like, and let people use whatever ignore filters and reputation systems they like to make sure the people with the most to say get heard.

3) Most people won’t know or care about a lot of issues, or they’ll prefer to let someone they trust figure it out for them. Let them delegate their votes to anyone they like – a friend, a political party, a union, a charity, anyone.

4) Logistically, we don’t need constituencies anymore, and they don’t serve any other useful purpose, so get rid of them. If people value having someone local to represent them, they can delegate their votes to the person of their choice. If for some reason they don’t identify with that local area (as in “I am British, I am English, I am European, but most of all I belong to Oxford West and Abingdon!”) they can delegate their votes based on something else.

This is how Democracy will look in the future. Direct democracy where you want it, representative democracy where you don’t. A local connection where you prefer, national expertise if you’d rather have that instead. Five-year elections and parliaments will be confined to the dustbin of history. We will look back on them as a thing of the past, like those weird old-fashioned qwerty keyboards. Oh, hang on….

Originally posted at Orange By Name.


I think that the

In copyright on June 19, 2008 by edmundintokyo

…argues a commentator writing for AP.