Bitcoin Forum

I Broke Bitcoin

Alister Maclin can break Bitcoin on command. In an email, Maclin said he's been the one spamming the Bitcoin network over the last several days with enough force to compel a Bitcoin exchange to notify its customers that the attack was causing withdrawal issues. Of course, he added, "Alister Maclin" is an alias.

In retrospect, I should have been more specific when I asked Maclin if there was a way for me to verify his claims.

Normally, confirmation of this kind might come in the form of a cryptographic fingerprint, but when I contacted Maclin over email, he replied in broken English: “I will switch the stress-test on once again for a short period (~10 min) at 17:30 of your local time (there is 00:22 now in Moscow - I wanna sleep). You will see.”

Slightly taken aback, I asked if Maclin meant 5:30 PM tomorrow. “Today! Now! I've already started it ten minutes ago :)” he replied. Sure enough, the number of transactions rejected by the Bitcoin network skyrocketed at 5:30 PM on Tuesday afternoon.

http://motherboard-images.vice.com/content-images/contentimage/no-id/1444232600383997.png

At 5:54 PM, Maclin emailed me again. “Switched off,” he wrote. “Now red lines on the third chart will return back to green.” And as it was written, so it was done. Things calmed down, the number of rejected transactions dropped back to normal levels, and the chart’s red spike settled back to green after an hour.

http://motherboard-images.vice.com/content-images/contentimage/no-id/1444232678283885.png

Maclin isn’t the first person to try and break the Bitcoin network. An exchange called Coinwallet.eu previously threw $48,000 USD in Bitcoin to the winds in an attempt to fill the network with tiny spam transactions and slow things down for everyone. By comparison, however, Maclin’s attack was extremely cheap, simple, and effective.

Maclin used what’s known as a “malleability attack,” which takes advantage of the time delay between when bitcoins are sent and when the transaction record is included in a block and uploaded to the blockchain for posterity. A script written by Maclin, running on a virtual machine, captures transactions and re-broadcasts them to the Bitcoin network with a slightly different ID, thus creating a duplicate transaction, only one of which can be added to a block. Everybody’s bitcoins still get where they need to go, but it could take hours for the transaction to be confirmed instead of the usual 10 minutes... (cont.'d)

But Maclin’s window may be closing. A Bitcoin update designed to fix the malleability issue has been in the works (https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki) for over a year, and the latest attack could be just the spark to light a fire under it.

Nothing's broken.

https://bitcointalk.org/index.php?action=profile;u=197593
that's him. in case anyone missed.

and

https://bitcointalk.org/index.php?action=profile;u=197593
that's him. in case anyone missed.

and

I dont think Alister Maclin spent huge amount of money to get this done but rather he is a genius who can manipulate codes and java languages but i wish he does not do it again because a lot of people in this community suffers during that attack.

We can request him not to repeat..
But what if a government plan against a decentralized system for the purpose of their own system. So, we need to be ready with a versatile robust system to face any kind of attack. Time to think of changes to withstand any kind of attack. Last time, many people suffered with higher fees and late transaction confirmations.

We can request him not to repeat..

Would you like to pay also?

We need to get all the vulnerabilities out of the way.

1) Are you sure that every problem has a solution? (I am talking not about bitcoin, this is generic question)
2) Why should somebody fix vunerability if you do not want to pay for fixing?

Everybody’s bitcoins still get where they need to go, but it could take hours for the transaction to be confirmed instead of the usual 10 minutes

Ummm, why exactly would it take longer to confirm because of transaction malleability?

I think someone is confused....

Ummm, why exactly would it take longer to confirm because of transaction malleability?

I think someone is confused....

He is confusing this issue with the spam attack that raised the miner tx fee for sure. This malleability attack has nothing to do with that and sure a lot of transaction DOUBLE get rejected, that doesn't mean its not business as usual.

Sometimes script kitties like to pretend like anything out of the ordinary is spectacular and they're virtual gods in their own right. They try to show off, get publicity and pretend like they're rich because of these things because then they can lure in other scammers to scam them, and who would be there to stop them ?

Are you talking about bitcointers?  ;D
I saw a very long topic they pretend to be "new elite"

thanks for link to story tokeweed

very annoying but does need addressing
I have little faith in the core developers or foundation to agree zip these days
plus it takes them months, years to even code something small, then they make out their genius'

maybe this guy is doing us a favour in a way
but what if multiple people start doing it? what if he makes his 100 line code opensource

exchanges like cryptsy can't even get basic wallets for alts resynced in over a week. then shut down btc wallet for withdrawals due to this issue for days

shows how fragile things are right now

it would only take a few of these guys to affect price in a bad way, add block debate to conversation too

what if he makes his 100 line code opensource

Do now worry about it.
One has some knowledge in bitcoin protocol and programming skills would be able to write it himself.

Why should somebody fix vunerability if you do not want to pay for fixing?

Why the member who love bitcoin is trying to break its network or working system? Is it only for security test or just to get bitcoin down? Everybody here i think loves the way bitcoin work but why all of these test or attacks going on by the people who love bitcoin.  ??? ???

Why the member who love bitcoin is trying to break its network or working system? Is it only for security test or just to get bitcoin down? Everybody here i think loves the way bitcoin work but why all of these test or attacks going on by the people who love bitcoin.  ??? ???

There seems to be similarity between these names Alister Maclin and Amaclin or it was just a coincidence?

If you are even slightly talented, use your talent to improve the protocol

any kind of system will improve every time it faced and survived an attack.

yes it's me

More than anything i like people that says the truth even in the faces of strong oppositions.
If i may ask, why did you do it? and what do you intend to achieve?

I want to tell you that bitcoin is too weak for you lifetime savings

I want to tell you that bitcoin is too weak for you lifetime savings

but you havent shown that?

but you havent shown that?

I want to tell you that bitcoin is too weak for you lifetime savings

Good to understand your reason but now that you know about its weakness how do we make it strong because there is possibility that a lot of people might die of one ailment or the other if they loss their bitcoins especially those that have put their life investment in it.

Good to understand your reason but now that you know about its
weakness how do we make it strong because there is possibility
that a lot of people might die of one ailment or the other if they
loss their bitcoins especially those that have put their life investment in it.

wever, I remain to be convinced that people are that naïve, and in sufficient numbers, to warrant the excuse amaclin has offered.

1) Are you sure that every problem has a solution? (I am talking not about bitcoin, this is generic question)
2) Why should somebody fix vunerability if you do not want to pay for fixing?

So can the vulnerability be fixed that you have exploited?

So can the vulnerability be fixed that you have exploited?

his answer will be: "no, and it cant be fixed without open another one" (he has already answered that one)

This one can be fixed.
But tx malleability is not major problem of bitcoin.

The core developers need assistance all on fronts, because they're short-staffed and not paid. I don't personally think it would be the end of the world for bitcoin to get hammered in price while we work out some bugs/growing-pains. Weak exchanges, pump-and-dumps and investors that don't belong in the cryptography industry will get theirs if this were the case. Scare away the bandits, feign disorder comrades.

Core has had a fix for this already however, and most 3rd parties are failing to adopt.

I want to tell you that bitcoin is too weak for you lifetime savings

So if amaclin makes these 100 lines of code public, Bitcoin will die?

So, what is strong enough for my lifetime savings?

Let me give you an example.
Assume you have two semi identical electric instruments. For example two drills.
The only difference between them that the first one consumes 1kWH and the second 2kWH
You are reasonable.
What will you do? There are several possibilities:
1) Use both instruments time-to-time
2) Use first one
3) Use second one
4) Modify first one to improve it
5) Modify second one to improve it
6) Research the difference and improve both instruments...
7) ... etc

All of this stuff, all these attack, stress tests, malleability attacks can only improve Bitcoin network. Devs and smart people of this community will see the problems and release patches while preventing this from happening again. This is the way I see it.

So nothing is broken. I wouldn't be worried until if some day some person causes the attack that will make people lose coins for example, this would be devastating. All these other attacks are just helping us in a long run.

I built a program that does the exact same thing, it's script kiddie stuff. This form of 'attack' is not an issue, barely a nuisance if anything.

Can you run it so it force HighS to LowS ? Would limit the consequences of the attack

no, this is only a pesky attack, it will not broke nothing

This is not a "pesky attack" anymore, when a few thousand people or a botnet start to run the script.

Certain bitcoin processor/forwarder/notifier are doing it wrong, e.g. BitPay. They're accepting unconfirmed Tx.

Which exchange was this attack related to? I can assume several wallets and exchanges will lose money if they use txhash to determine whether a payment was successful. This is apparently what MagicalTux claims to have emptied Gox's wallets (which seems implausible). 

Actually, it's pretty good that someone is exploiting some vulnerabilities in the network for the developers to take a closer look at the code and patch it up as soon as they can. What's annoying is that it hurts businesses and normal individuals who just wants to send and receive transactions. It kinda scares them to accept bitcoin and be open about it again.

thanks for link to story tokeweed

very annoying but does need addressing
I have little faith in the core developers or foundation to agree zip these days
plus it takes them months, years to even code something small, then they make out their genius'

maybe this guy is doing us a favour in a way
but what if multiple people start doing it? what if he makes his 100 line code opensource

exchanges like cryptsy can't even get basic wallets for alts resynced in over a week. then shut down btc wallet for withdrawals due to this issue for days

shows how fragile things are right now

it would only take a few of these guys to affect price in a bad way, add block debate to conversation too

The problem isn't that the developers didn't understand the problem or know how to fix it.  The problem is that they lacked the leadership skills to implement the fix.  They have known about the problem since October 4, 2012!

https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898

The problem is that bitcoin lacks leadership and governance.  There are "leaders" who can foresee problems but who can not propose and sell acceptable solutions.  The  malleability attack has been known for three years, but no fix has been deployed.  This is because the "leaders" are afraid that the obvious solutions would not be implemented by the followers.  A "leader" who is afraid that he would not be followed is no leader.

Ok, I don't know exactly what they/he were/was doing but Microsoft just patched it. The attack has to be more than just on the Bitcoin network, as you can see whatever MS changed in the last update fixed it.

Here's today's snapshot with the patch being applied just before 12 PM.

https://i.imgur.com/0jS1djD.png

Here's a week long snapshot.

https://i.imgur.com/5uI8byd.png

Looks like this new attack started on the 8th.

Nope but it caused some annoying disruptions nonetheless.

Nope but it caused some annoying disruptions nonetheless.

a lot of annoying distruption, across many service in bitcoin.

Microsoft patching bitcoin? Source for your graphs please. Statoshi (http://statoshi.info/dashboard/db/transactions) shows there is still a problem:

https://bitcoinnewsmagazine.com/wp-content/uploads/2015/08/screenshot-statoshi-info-2015-10-11-19-08-42.png

Obviously MS isn't patching bitcoind directly but their patch clearly resolved the issue. The source of the graph is p2pool. Finally, I don't consider a backlog of spam an issue; I reject everything under 0.0005 BTC as spam.

I have questions...

#1 what does the graphs show? The x axis is unlabelled.

#2 What MS patch are you talking about?

2) Not sure, MS automatically installs updates and I haven't bothered see what was installed; KB articles tend to be a dry read.