Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Lauda on August 17, 2016, 10:58:00 PM



Title: 0.13.0 Binary Safety Warning
Post by: Lauda on August 17, 2016, 10:58:00 PM
Quote
Summary

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.

Mitigation

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
Currently found on Bitcoin.org (https://bitcoin.org/en/alert/2016-08-17-binary-safety). There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?


Title: Re: 0.13.0 Binary Safety Warning
Post by: Carlton Banks on August 17, 2016, 11:14:22 PM
Currently found on Bitcoin.org (https://bitcoin.org/en/alert/2016-08-17-binary-safety). There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?

I find it a little odd that Core team (who presumably control Bitcoin.org?) could be at all certain about the origin or target of such a threat. If the threat itself is public, a simple hyperlink to the threat would suffice. If the threat is private, it depends a great deal on the status (and therefore also the identity) of the menace. Maybe the reference to China is only a reference to China's majority hashrate, and not to anything specific about the known threat.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 17, 2016, 11:18:25 PM
I find it a little odd that Core team (who presumably control Bitcoin.org?) could be at all certain about the origin or target of such a threat.
No. The people who have commit access/contribute to Bitcoin Core do not control Bitcoin.org. The people who work (or have commit access) on Bitcoin.org are Cobra, saivan, harding (https://github.com/bitcoin-dot-org/bitcoin.org/graphs/contributors), etc. They are usually quite different from the Bitcoin Core team. From what I can understand so far, Cobra skipped the peer-review process around 2 hours ago and pushed this commit. Bitcoin-core-dev:
Quote
11:06 <achow101> what's up with this: https://bitcoin.org/en/alert/2016-08-17-binary-safety
11:06 <sipa> we don't know


Title: Re: 0.13.0 Binary Safety Warning
Post by: Carlton Banks on August 17, 2016, 11:26:41 PM
I find it a little odd that Core team (who presumably control Bitcoin.org?) could be at all certain about the origin or target of such a threat.
No. The people who have commit access/contribute to Bitcoin Core do not control Bitcoin.org. The people who work (or have commit access) on Bitcoin.org are Cobra, saivan, harding, etc.

Not sure I have heard of those characters, with the possible exception of harding (if it's the harding from this forum, I haven't seen that user here in a while).

11:06 <achow101> what's up with this: https://bitcoin.org/en/alert/2016-08-17-binary-safety
11:06 <sipa> we don't know

Interesting. Sipa is way too involved to be unaware of such issues, so I smell potential drama.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 17, 2016, 11:33:59 PM
Not sure I have heard of those characters, with the possible exception of harding (if it's the harding from this forum, I haven't seen that user here in a while).
Well, they generally are only involved in website related work. As far as Cobra is concerned, they're anonymous (i.e. nobody really knows who they are - I don't remember who gave them commit access). I've added a Github link for the contributors.

Interesting. Sipa is way too involved to be unaware of such issues, so I smell potential drama.
From what I can gather on the public communication channels, nobody really knows what the reason behind this is. You can see the commit was pushed here:
https://i.imgur.com/fTNfG9F.png

Interesting information that may be relevant:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
Quote
The GnuPG Project is pleased to announce the availability of new Libgcrypt and GnuPG versions to fix a critical security problem. Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.
Impact:
Quote
All Libgcrypt and GnuPG versions released before 2016-08-17 are affected on all platforms. A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest not to overhasty revoke keys.


Title: Re: 0.13.0 Binary Safety Warning
Post by: MyBTT on August 17, 2016, 11:40:11 PM
I currently have a backup 0.12.1 wallet in case my primary ledger wallet fails. Because of this, should I not download the next version of qt until this problem is solved? Or should I download from github and compile it myself?


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 17, 2016, 11:42:28 PM
Because of this, should I not download the next version of qt until this problem is solved?
You shouldn't download the next version from the website until this resolves just to be sure. However, Bitcoin Core 0.13.0 is not ready yet (currently RC3).

Or should I download from github and compile it myself?
That's always the preferred option.


Title: Re: 0.13.0 Binary Safety Warning
Post by: bitkilo on August 17, 2016, 11:42:49 PM
Quote
Summary

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.

Mitigation

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
Currently found on Bitcoin.org (https://bitcoin.org/en/alert/2016-08-17-binary-safety). There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?
By the way the above is written, it seems as though they may have an idea who will be leading these "state sponsored attacks".
They say they have a "reason to suspect"; do we know what that reason is?


Title: Re: 0.13.0 Binary Safety Warning
Post by: MyBTT on August 17, 2016, 11:45:21 PM
Quote
Summary

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.

Mitigation

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
Currently found on Bitcoin.org (https://bitcoin.org/en/alert/2016-08-17-binary-safety). There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?
By the way the above is written, it seems as though they may have an idea who will be leading these "state sponsored attacks".
They say they have a "reason to suspect"; do we know what that reason is?

"State sponsored attacks"... From my understanding that would be implying that bitcoin.org has info that a government has the intention to maliciously attack bitcoin, or is funding hackers?

After doing a little search, I can't find anything on what the "reason" is.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 17, 2016, 11:48:40 PM
They say they have a "reason to suspect" do we know what that reason is?
From what I know so far, the person who applied the change to the website has not provided (at least not publicly) an explanation.

"State sponsored attacks"... From my understanding that would be implying that the bitcoin.org has info that a government has the intention to maliciously attack bitcoin, or are funding hackers?
No. We are talking about stuff along the lines of MITM attacks; there are a number of different approaches that could be attempted here (someone mentioned SSL MITM with rogue certificates).


Title: Re: 0.13.0 Binary Safety Warning
Post by: Carlton Banks on August 17, 2016, 11:53:40 PM
By the way the above is written, it seems as though they may have an idea who will be leading these "state sponsored attacks".
They say they have a "reason to suspect"; do we know what that reason is?

The text is specific about "state-sponsored attacks", and implies knowledge about both the origin and target of the attack. Extraordinary claims (not saying the requisite extraordinary proof doesn't exist, but I would like to see that proof for myself nonetheless). RNG bugs in GPG don't tell that story (and what a curious bug: like the Bash bug from last year, it's been in Linux for decades. Revoke all the keys!!!)


Title: Re: 0.13.0 Binary Safety Warning
Post by: unamis76 on August 18, 2016, 12:53:58 AM
Saw the warning and came here to post, when I saw this thread. I am very concerned about this, and pretty curious about who's threatening Bitcoin binary distribution and what they have to win with this...


Title: Re: 0.13.0 Binary Safety Warning
Post by: BitcoinNewsMagazine on August 18, 2016, 01:59:01 AM
theymos on /r/bitcoin - https://www.reddit.com/r/Bitcoin/comments/4y8m76/0130_binary_safety_warning_bitcoinorg/d6m0z16

Quote
Here's a guide on verifying Bitcoin Core: https://www.reddit.com/r/Bitcoin/wiki/verifying_bitcoin_core

I've heard that almost nobody in the Chinese Bitcoin community verifies signatures. If anyone speaks Chinese, it'd be helpful to write a similar guide in Chinese and advertise this issue more.

Everyone should be on high alert when 0.13.0 is released. In fact, I recommend not even updating highly sensitive systems to 0.13.0 until at least 3-8 weeks after it's released.

I wouldn't blindly trust Linux package repositories. Oftentimes packages there are managed by relatively unknown volunteers, and there's not much oversight/checking.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Quantus on August 18, 2016, 02:34:44 AM

You should securely verify the signature and hashes before running any Bitcoin Core binaries.

So just checking the hash is insufficient?


Title: Re: 0.13.0 Binary Safety Warning
Post by: theymos on August 18, 2016, 03:04:02 AM
theymos on /r/bitcoin - https://www.reddit.com/r/Bitcoin/comments/4y8m76/0130_binary_safety_warning_bitcoinorg/d6m0z16

That guide for verifying Bitcoin Core is also available here: https://bitcointalk.org/index.php?topic=1588906.0. I added a news entry pointing there as well.

I recommend taking this threat very seriously. It's possible that bitcoin.org has received bad info, or maybe the attackers will give up now that they've been outed, but it's better to assume that it is a real, serious threat.

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.

Of course, you should always be very careful and verify Bitcoin Core software (and other software!), but this is a reason to be especially careful.

So just checking the hash is insufficient?

You have to check the hash against some reference hash. The most secure way to make sure that the reference hash is reliable is to check that it's signed by someone you trust.


Title: Re: 0.13.0 Binary Safety Warning
Post by: AliceGored on August 18, 2016, 03:43:05 AM
Sounds like laying the groundwork for a disinfo campaign when Chinese miners fork to a larger max blocksize. Sowing the seeds now to favor an adversarial mindset when it comes to plans coming from China.

Nah, I'm probably just wishful thinking... More likely that "cobra" is just acting like a petty tyrant again, similar to the last time he showed up, wanting to edit satoshi's whitepaper.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Quickseller on August 18, 2016, 03:59:13 AM
I recommend taking this threat very seriously.

--snip--

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.
Based on the message on bitcoin.org, it looks like the Chinese government would be behind the attack; is this a correct assumption?

Is the motive behind the (anticipated) attack known?

How might this state sponsored agency attack the Bitcoin network? Why would they need to infect existing Bitcoin users to attack the network? I would assume that most state sponsored (hacking) agencies would have budgets exceeding that of the market cap of bitcoin, and as a result would be able to launch attacks against the network without the help of malware infected machines.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Bitcoinpro on August 18, 2016, 04:38:00 AM
I recommend taking this threat very seriously.

--snip--

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.
Based on the message on bitcoin.org, it looks like the Chinese government would be behind the attack; is this a correct assumption?

Is the motive behind the (anticipated) attack known?

How might this state sponsored agency attack the Bitcoin network? Why would they need to infect existing Bitcoin users to attack the network? I would assume that most state sponsored (hacking) agencies would have budgets exceeding that of the market cap of bitcoin, and as a result would be able to launch attacks against the network without the help of malware infected machines.

Market cap could exceed these budgets within a matter of hours if the price jumped to say $5000 a coin, and that's precisely what would happen if an attack like this occurred, because all of a sudden it would mean Bitcoin is very special, which we know it already is :) Also don't forget the amount of coins out there through exchange leverage means total coin numbers are in the 100's of millions.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Bitcoinpro on August 18, 2016, 05:00:24 AM
Can you explain this MITM attack more precisely? Are you saying that data will be forged for a long time? Would they need to attack both sender and receiver at the same time? Is this attack going after transactions or miners confirming transactions, and what kinds of alerts will be prompted if the binaries aren't correct?


Title: Re: 0.13.0 Binary Safety Warning
Post by: Quickseller on August 18, 2016, 05:04:30 AM
I recommend taking this threat very seriously.

--snip--

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.
Based on the message on bitcoin.org, it looks like the Chinese government would be behind the attack; is this a correct assumption?

Is the motive behind the (anticipated) attack known?

How might this state sponsored agency attack the Bitcoin network? Why would they need to infect existing Bitcoin users to attack the network? I would assume that most state sponsored (hacking) agencies would have budgets exceeding that of the market cap of bitcoin, and as a result would be able to launch attacks against the network without the help of malware infected machines.

Market cap could exceed these budgets within a matter of hours if the price jumped to say $5000 a coin, and that's precisely what would happen if an attack like this occurred, because all of a sudden it would mean Bitcoin is very special, which we know it already is :) Also don't forget the amount of coins out there through exchange leverage means total coin numbers are in the 100's of millions.
The point is that the absolute upper bound of the range of the cost of equipment that secures Bitcoin would be its market cap (e.g. the value of all the miners and the full nodes). I would think that a state sponsored actor could simply buy up their own mining equipment and full nodes if they wished to attack the network.

I also do not think the value of bitcoin would increase if this kind of attack took place, I would think the price would dramatically fall, especially if any substantial number of users (especially large companies) were successfully attacked. 


Title: Re: 0.13.0 Binary Safety Warning
Post by: Kakmakr on August 18, 2016, 05:49:55 AM
Is the attacking of the binaries a new angle to take control of the network, or just an attempt to steal a bunch of coins and to discredit the security of a decentralized network? If this succeeded, we would have been in serious trouble. Good work catching this early and sending out warning notices before it happened. ^smile^


Title: Re: 0.13.0 Binary Safety Warning
Post by: Coding Enthusiast on August 18, 2016, 06:08:14 AM
You should securely verify the signature and hashes before running any Bitcoin Core binaries. 
So just checking the hash is insufficient?

There is a difference between checking the integrity and checking the authenticity of a downloaded file.

Checking the hashes (checksums) by only computing the hash using MD5, SHA or CRC will only let you verify the integrity of the downloaded file, and it is vulnerable to collision attacks.

That is why you should always check the signature of the file using GnuPG (GNU Privacy Guard). This way you make sure of both the authenticity (owner) and the integrity (content) of a downloaded file.
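The two checks the posts above distinguish (theymos: the hash must be compared against a reference you trust; Coding Enthusiast: a signature gives authenticity, a checksum alone only integrity) as an added, runnable example. This is not Bitcoin Core's or bitcoin.org's own tooling; the fingerprint is the one quoted in the alert, the gpg status lines and file contents are constructed, and the file name is a hypothetical release artifact.

```python
"""Release verification as the thread describes it: first confirm that the
hashes file is signed by the expected key (authenticity), then compare the
downloaded binaries against it (integrity). Added example, not project code."""
import hashlib
import re
import subprocess

# Fingerprint quoted in the bitcoin.org alert discussed in this thread.
EXPECTED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"


def gpg_status_lines(sig_path, data_path):
    """Real use: run gpg and return its machine-readable status lines.
    (Not called by the demo below, which uses constructed lines.)"""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.stdout.splitlines()


def validsig_primary_fpr(status_lines):
    """Return the primary-key fingerprint from a VALIDSIG status line, or None.
    GOODSIG alone only says *some* key in the keyring made the signature;
    VALIDSIG carries fingerprints, and its last field is the primary key."""
    for line in status_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[-1].upper()
    return None


def signer_is_expected(status_lines, expected_fpr=EXPECTED_FPR):
    """True only if the signature is valid AND made by the expected key.
    TRUST_UNDEFINED from gpg is normal here: we pin the fingerprint ourselves."""
    fpr = validsig_primary_fpr(status_lines)
    return fpr is not None and fpr == expected_fpr.replace(" ", "").upper()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: hexdigest}."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64}) [ *](.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def integrity_failures(sums, files):
    """files: {name: bytes}. Names whose SHA-256 is missing from or differs from sums."""
    return sorted(name for name, data in files.items()
                  if sums.get(name) != hashlib.sha256(data).hexdigest())


def verify_release(sums_text, status_lines, files, expected_fpr=EXPECTED_FPR):
    """Authenticity first, then integrity. Returns (ok, reason)."""
    if not signer_is_expected(status_lines, expected_fpr):
        return False, "SHA256SUMS is not signed by the expected key"
    bad = integrity_failures(parse_sha256sums(sums_text), files)
    if bad:
        return False, "hash mismatch: " + ", ".join(bad)
    return True, "signature and hashes verified"


# --- Constructed sample data (not real release artifacts) -------------------
NAME = "bitcoin-0.13.0-x86_64-linux-gnu.tar.gz"  # hypothetical file name
GENUINE = b"constructed stand-in for the genuine tarball"
TAMPERED = b"constructed stand-in for a trojaned tarball"
GENUINE_SUMS = hashlib.sha256(GENUINE).hexdigest() + "  " + NAME + "\n"
TAMPERED_SUMS = hashlib.sha256(TAMPERED).hexdigest() + "  " + NAME + "\n"

# Constructed gpg status output; field layout follows gpg's status protocol.
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 90C8019E36C2E964 Release Signing Key <constructed@example.org>",
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2016-08-17 1471478400 0 4 0 1 10 00 " + EXPECTED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
ROGUE_FPR = "A" * 40  # an attacker's key: valid signature, wrong signer
ROGUE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + ROGUE_FPR[-16:] + " Rogue Key <constructed@example.org>",
    "[GNUPG:] VALIDSIG " + ROGUE_FPR + " 2016-08-17 1471478400 0 4 0 1 10 00 " + ROGUE_FPR,
]


def demo():
    """Returns the three verdicts the thread's Q&A turns on."""
    genuine = verify_release(GENUINE_SUMS, GOOD_STATUS, {NAME: GENUINE})
    # Attacker replaces BOTH the tarball and SHA256SUMS: a hash-only check passes...
    hash_only_ok = integrity_failures(parse_sha256sums(TAMPERED_SUMS), {NAME: TAMPERED}) == []
    # ...but the signed-reference check does not, because the signer is wrong.
    swapped = verify_release(TAMPERED_SUMS, ROGUE_STATUS, {NAME: TAMPERED})
    return genuine, hash_only_ok, swapped


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In real use the status lines come from `gpg_status_lines("SHA256SUMS.asc", "SHA256SUMS")` after importing the release key; the fingerprint comparison is what makes a GOODSIG from an unknown key fail.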


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 18, 2016, 08:23:02 AM
Sounds like laying the groundwork for a disinfo campaign when Chinese miners fork to a larger max blocksize. Sowing the seeds now to favor an adversarial mindset when it comes to plans coming from China.
Stop trolling.

Nah, I'm probably just wishful thinking... More likely that "cobra" is just acting like a petty tyrant again, similar to the last time he showed up, wanting to edit satoshi's whitepaper.
There's nothing tyrannical about this nor his suggestion to add an updated version of the whitepaper.

Also Lauda, you're the CEO of BTCE, aren't you?
I may or may not be. Please refrain from creating consecutive posts.

Can you explain this MITM attack more precisely? Are you saying that data will be forged for a long time? Would they need to attack both sender and receiver at the same time?
A simple Google search would give you the required information (changing data in between the two of them).

Is this attack going after transactions or miners confirming transactions, and what kinds of alerts will be prompted if the binaries aren't correct?
No alert will be prompted, that's the problem.

Is the attacking of the binaries a new angle to take control of the network, or just an attempt to steal a bunch of coins and to discredit the security of a decentralized network? If this succeeded, we would have been in serious trouble.
Generally, it is unfortunate that only a handful of people compile and build their own binaries (which is recommended).


Title: Re: 0.13.0 Binary Safety Warning
Post by: eddie13 on August 18, 2016, 02:45:27 PM
Maybe you should sticky this?


Title: Re: 0.13.0 Binary Safety Warning
Post by: Wind_FURY on August 18, 2016, 02:50:34 PM
Potential drama or is this something really serious? "State sponsored attacks" sounds really serious and I wish that someone who knows something posts what's really going on here.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Hazir on August 18, 2016, 02:57:52 PM
I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?


Title: Re: 0.13.0 Binary Safety Warning
Post by: achow101 on August 18, 2016, 03:07:39 PM
If the binaries hosted on bitcoin.org are compromised or down, some of the developers host their own builds of the binaries. Since these are deterministically built, the hashes should all be the same. These hashes for all of the files are stored in the gitian.sigs repo (https://github.com/bitcoin-core/gitian.sigs) and they are all signed with the PGP keys of all the signers. (https://github.com/bitcoin/bitcoin/tree/master/contrib/gitian-keys) The organization of that signature repo is self explanatory.

I host my gitian build on my GitHub repo here: https://github.com/achow101/bitcoin/releases. IIRC Jonas Schnelli also hosts the binaries on his website, but I don't remember where they are.
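The property achow101 relies on above, that deterministic builds let independently published hashes be cross-checked, as an added example. This is not the gitian.sigs tooling; each manifest is assumed to have been extracted from a signer's attestation after that signer's PGP signature over it was verified, and all signer names, file names and hashes are constructed.

```python
"""Cross-check the hashes that several independent signers publish for a
deterministic build. Added example, not the gitian.sigs tooling: each
manifest is assumed to have been extracted from a signer's attestation
after verifying that signer's PGP signature over it."""
import hashlib
from collections import defaultdict


def consensus_hashes(manifests, quorum):
    """manifests: {signer: {filename: sha256hex}}.
    Returns (agreed, disputed). A file is agreed only if every signer who
    lists it published the same hash and at least `quorum` signers did so;
    anything else is disputed, with a hash -> [signers] breakdown so a
    reader can see who disagrees (a bad build, or a tampered mirror)."""
    by_file = defaultdict(lambda: defaultdict(list))
    for signer, manifest in manifests.items():
        for name, digest in manifest.items():
            by_file[name][digest.lower()].append(signer)
    agreed, disputed = {}, {}
    for name, votes in by_file.items():
        if len(votes) == 1:
            digest, signers = next(iter(votes.items()))
            if len(signers) >= quorum:
                agreed[name] = digest
                continue
        disputed[name] = {d: sorted(s) for d, s in votes.items()}
    return agreed, disputed


def download_matches_consensus(agreed, name, data):
    """Compare a downloaded file against the hash the signers agreed on."""
    return agreed.get(name) == hashlib.sha256(data).hexdigest()


# Constructed sample: three signers' manifests for two files (hypothetical names).
LINUX = "bitcoin-0.13.0-x86_64-linux-gnu.tar.gz"
WIN = "bitcoin-0.13.0-win64.zip"
LINUX_BYTES = b"constructed linux tarball"
LINUX_HASH = hashlib.sha256(LINUX_BYTES).hexdigest()
MANIFESTS = {
    "signer-a": {LINUX: LINUX_HASH, WIN: "1" * 64},
    "signer-b": {LINUX: LINUX_HASH, WIN: "1" * 64},
    "signer-c": {LINUX: LINUX_HASH, WIN: "2" * 64},  # disagrees on the Windows build
}

if __name__ == "__main__":
    agreed, disputed = consensus_hashes(MANIFESTS, quorum=3)
    print("agreed:", agreed)
    print("disputed:", disputed)
    print("linux download ok:", download_matches_consensus(agreed, LINUX, LINUX_BYTES))
```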


Title: Re: 0.13.0 Binary Safety Warning
Post by: Pursuer on August 18, 2016, 03:13:37 PM
I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?

First of all, I think it is more of a drama than anything else and I wish they'd explained more about the situation already.

Second of all, this risk is not a new thing (although the attack itself on a bigger scale is new) and you should always check the signature of these sensitive files when your money is involved, regardless of the current situation.

p.s. To my knowledge, since they are uploading the binaries on https://bitcoin.org, unless their SSL keys are compromised there is no way of messing with the uploaded files. Right?
edit: Reading more about HTTPS and compromises, I realize there are many other ways this can go down!


Title: Re: 0.13.0 Binary Safety Warning
Post by: YIz on August 18, 2016, 03:15:10 PM
Is there no way of distributing a file more safely than uploading to bitcoin.org's server? for example, if the devs upload the file to Google Drive, wouldn't it be safer?


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 18, 2016, 03:23:52 PM
Maybe you should sticky this?
There's a stickied thread regarding verification in Beginners & Help. I'm not sure about making this one sticky as well. I guess putting it on temporarily wouldn't harm.

Potential drama or is this something really serious?
General rule: Better safe than sorry.

I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
This isn't a solution of any sort. You're mitigating the upgrade process; there's nothing that prevents this from happening from the next major release.

To my knowledge, since they are uploading the binaries on https://bitcoin.org, unless their SSL keys are compromised there is no way of messing with the uploaded files. Right?
That's a common misconception. SSL is secure if all of the 'pre-conditions' are met (e.g. the server key is not stolen). Look up the term "dSniff" - this was the first public implementation of MITM vs. SSL (IIRC).

for example, if the devs upload the file to Google Drive, wouldn't it be safer?
If we are talking about state-sponsored attacks, what makes you think that Google would be safer?


Title: Re: 0.13.0 Binary Safety Warning
Post by: RodeoX on August 18, 2016, 03:25:07 PM
It's time for users to learn about cryptographically signed keys and how to compare hashes.

P.S. Is this related to the NSA tool kit release?


Title: Re: 0.13.0 Binary Safety Warning
Post by: BillyBobZorton on August 18, 2016, 03:29:56 PM
Soroscoin is finally here :p
Anyway, it's funny how /r/btc trolls always find a way to blame everything on blockstream. Those guys are real schizos.

I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?

Just verify the file... you should have been doing this since day 1.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Quickseller on August 18, 2016, 03:31:17 PM
Sounds like laying the groundwork for a disinfo campaign when Chinese miners fork to a larger max blocksize. Sowing the seeds now to favor an adversarial mindset when it comes to plans coming from China.
Stop trolling.
This is actually one of the first things that I thought of when I read the warning. I would say the above is likely the case until questions like these (https://bitcointalk.org/index.php?topic=1588866.msg15957579#msg15957579), and questions about how this information was obtained can be answered. As of now all we have to go on is the word of someone who has zero reason to be trusted, and has many reasons to be distrusted.

Most major bitcoin entities will most likely be using custom software that is built from scratch anyway, so verifying the signatures of the blockstream core devs is mostly a moot point.


I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?
If what is being described in the OP is true, then the attacker would simply wait for 0.14 to be released to infect their targets.

p.s. To my knowledge, since they are uploading the binaries on https://bitcoin.org, unless their SSL keys are compromised there is no way of messing with the uploaded files. Right?
No. An attacker can use different HTTPS keys, and use other means to trick a user into thinking that the HTTPS keys are correct. Or, an attacker can potentially steal the HTTPS keys from bitcoin.org, which by design must remain online at all times.

Is there no way of distributing a file more safely than uploading to bitcoin.org's server? for example, if the devs upload the file to Google Drive, wouldn't it be safer?
Google Drive would not be safer.


Title: Re: 0.13.0 Binary Safety Warning
Post by: YIz on August 18, 2016, 03:32:23 PM
for example, if the devs upload the file to Google Drive, wouldn't it be safer?
If we are talking about state-sponsored attacks, what makes you think that Google would be safer?

I assume they will have more trouble compromising it than bitcoin.org servers. I was just asking.


Title: Re: 0.13.0 Binary Safety Warning
Post by: BitcoinSupremo on August 18, 2016, 03:34:21 PM
NSA has been hacked lately but I guess this has not anything to do with it. I read at the hacker news that the hackers were asking 560 mln USD in bitcoin in order to give back the hacking tools of NSA. Is Electrum still safe, as that's the wallet I use? Or is it related to Bitcoin Core? Thanks in advance for clearing my doubts. I never used Bitcoin Core but I want to know if my coins are at risk or not?


Title: Re: 0.13.0 Binary Safety Warning
Post by: billotronic on August 18, 2016, 03:42:28 PM
Is there no way of distributing a file more safely than uploading to bitcoin.org's server? for example, if the devs upload the file to Google Drive, wouldn't it be safer?

ffs people,

https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md

it's all there... ready to go.

learn to use the tools that are given to you. gitian building is the second sexiest thing about bitcoin and anyone reading this thread should be thinking long and hard about taking control of your own bins.


Title: Re: 0.13.0 Binary Safety Warning
Post by: eddie13 on August 18, 2016, 03:42:35 PM
This is actually kinda cool and has the potential for a positive spin..

If it really comes down to it, NSA Vs. BTC, or China gov Vs. BTC, then WHEN (not if) BTC whoops their asses BTC will go to $10k for sure..

Just one more thing for BTC's resume, like a world champion UFC belt..

I say bring it on and let's get this long-proposed duel out of the way. Maybe the sooner the better..

If the headlines in 6 months are "NSA attacks BTC, BTC wins, NSA cries" - then Moon, super confidence..

People have been wondering and some unconfident about this possibility since the inception of crypto, if we can finally put it to bed and come out on top we will come out WAY on top..


Title: Re: 0.13.0 Binary Safety Warning
Post by: Mr Felt on August 18, 2016, 04:02:30 PM
Do we know whether Cobra was hacked or something? How can we be certain there is genuine concern about state-sponsored attacks and that yesterday's Cobra is the same as prior Cobras?

@Theymos - Do you guys have a protocol in place in the event one of the bitcoin.org maintainers becomes compromised (not suggesting that happened here - just thinking hypothetically)?


Title: Re: 0.13.0 Binary Safety Warning
Post by: theymos on August 18, 2016, 05:16:14 PM
I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?

There's no flaw in 0.13.0. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

Do we know whether Cobra was hacked or something?

Cobra signs all of his commits to bitcoin.org. Unless his PGP key and several of his accounts were compromised, he's the same person.

@Theymos - Do you guys have a protocol in place in the event one of the bitcoin.org maintainers becomes compromised (not suggesting that happened here - just thinking hypothetically)?

Cobra has full control of the domain name. I'm the backup in case he gets hit by a bus or something. To my knowledge, there's no way to improve this "one person compromised -> domain compromised" situation without creating some sort of legal entity (and even then I'm not so sure).


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 19, 2016, 08:46:57 AM
https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md

it's all there... ready to go.
learn to use the tools that are given to you. gitian building is the second sexiest thing about bitcoin and anyone reading this thread should be thinking long and hard about taking control of your own bins.
That process needs to be more streamlined and a better guide needs to be made (one that is less complex). Keep in mind that it may very well be difficult for non-tech-savvy users to follow it. Additionally, errors/problems during the process are also not uncommon.

If the headlines in 6 months are "NSA attacks BTC, BTC wins, NSA cries" - then Moon, super confidence..
-snip-
If we do assume that this is the case, what makes you think that the NSA would admit this/leave traces of it? Additionally, what makes you think that the major media would run a story like this?

Bumping this up for visibility due to its importance. It's being pushed down by spam.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Quantus on August 19, 2016, 03:36:05 PM
I took the short bus to school, you guys are asking a lot of me.
If you ask the community to jump through all these hoops every time they update, you're going to lose a lot of people.

A Bitcoin specific video tutorial on how to confirm the Integrity and Authenticity of binaries and then compile them into a working program for windows would make me feel all warm and fuzzy inside.

Bonus points if you can find a perky enthusiastic middle aged girl to do it :)


It would also be nice to know why the origin of this threat can't be revealed. Does the Bitcoin community have its own intelligence arm now? Do we have our own spies and informants? If so, that's really cool.


Title: Re: 0.13.0 Binary Safety Warning
Post by: unamis76 on August 19, 2016, 04:06:30 PM
2 days later, 3 pages later and there is still no clue as to what this threat may be and how to cut this issue from the root up. Domain admin has probably seen these kinds of posts already, so I think it's imperative for him or someone more knowledgeable of this situation to give us a bit of update on why this warning was issued.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Carlton Banks on August 19, 2016, 04:11:33 PM
I took the short bus to school, you guys are asking a lot of me.
If you ask the community to jump through all these hoops every time they update, you're going to lose a lot of people.

A Bitcoin specific video tutorial on how to confirm the Integrity and Authenticity of binaries and then compile them into a working program for windows would be really nice.

Bonus points if you can find a perky enthusiastic middle aged girl to do it :)


A lot of people might lose some money if they don't practice this, though. I can understand it would be frustrating if you're not confident, but we were all ignorant about PGP once.

My strong advice to anyone: take control of your computer. Learn the fundamentals about hardware and software, learn about using a command prompt, learn basic HTML and CSS. All these kinds of basics (which children should all learn going into the 21st century) are the new basics; the old basics are beyond simple now, children can learn those just by watching others do it. Just as we're currently divided into computer users and neo-Ludd technophobes today, when those technophobes barely register in real life any more, the divide will be between hands-on computer people and people who demand that it "just works" (i.e. "please don't make me think too much"). PGP wouldn't seem so daunting to those with the hands-on approach.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 19, 2016, 04:32:08 PM
A Bitcoin specific video tutorial on how to confirm the Integrity and Authenticity of binaries and then compile them into a working program for windows would make me feel all warm and fuzzy inside.
That's a good suggestion. IMO it is generally better to have video walkthroughs than just written guides. This applies to both building Bitcoin from source and verifying the authenticity of the download. It would really be helpful if someone created one (I do wonder why nobody has done that so far?).

Bonus points if you can find a perky enthusiastic middle aged girl to do it :)
You're asking for too much.

Does the Bitcoin community have its own intelligence arm now? Do we have our own spies and informants? If so, that's really cool.
We do, the BSA - Bitcoin Security Agency.  :D

2 days later, 3 pages later and there is still no clue as to what this threat may be and how to cut this issue from the root up.
I guess the information is there, but it isn't public. I do recall reading on IRC that maxwell talked to cobra.


Title: Re: 0.13.0 Binary Safety Warning
Post by: unamis76 on August 19, 2016, 04:51:46 PM
2 days later, 3 pages later and there is still no clue as to what this threat may be and how to cut this issue from the root up.
I guess the information is there, but it isn't public. I do recall reading on IRC that maxwell talked to cobra.

Then the information isn't there. There should at least be an explanation on why the information isn't being disclosed in case it's something private. Sorry for being so critical about this, but this is what I think.

I guess I'll have to start hanging around on IRC.


Title: Re: 0.13.0 Binary Safety Warning
Post by: Lauda on August 22, 2016, 03:13:22 PM
Then the information isn't there. There should at least be an explanation on why the information isn't being disclosed in case it's something private. Sorry being so critical about this, but this is what I think.
I forgot to answer this post. This doesn't mean that they don't have a reasoning behind the warning, it just means that they don't want to disclose it to the public.

I guess I'll have to start hanging around on IRC.
It can end up being useful for you.

This really needs more visibility as 0.13.0 has been tagged (https://github.com/bitcoin/bitcoin/releases/tag/v0.13.0). Verify your downloads or optimally build from source yourself!
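The verification step the thread keeps pointing at, as an added example that is not part of the original posts or of Bitcoin Core's own tooling: a Python script that performs the two checks the alert asks for, in order. First the signature on SHA256SUMS.asc must come from the release key whose fingerprint you obtained independently of the download site (the check is made against gpg's machine-readable VALIDSIG status line, because a plain "Good signature" is printed for any key in your keyring, including one an attacker tricked you into importing alongside a replaced hash file). Only then is the downloaded binary hashed and compared with the signed list. The sample status output, the placeholder fingerprint, the `release@example.invalid` user id and the demo archive are all constructed for the offline demonstration; only `verify_release` runs a real `gpg`, and `verify_release.py` is an assumed file name.

```python
"""Verify a Bitcoin Core release download: check that SHA256SUMS.asc is
signed by the release key you expect, then check the binary against the
signed hash list.  This mirrors "gpg --verify SHA256SUMS.asc" followed by
"sha256sum -c SHA256SUMS.asc", but makes the key-fingerprint check explicit."""
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

# Status tags from "gpg --status-fd" that mean the signature must not be trusted.
BAD_STATUS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG")
# "<64 hex>  <filename>" as written by sha256sum.  The PGP armour lines of a
# clearsigned SHA256SUMS.asc never match, so they are skipped automatically.
SUMS_LINE = re.compile(r"^([0-9a-f]{64})  (\S+)[ \t]*$", re.MULTILINE)

# Constructed sample (placeholder fingerprint and user id, not a real key) of the
# status lines gpg emits for a valid signature; used for the offline demo only.
SAMPLE_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG DDDD4444EEEE5555 Example Release Signer <release@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2016-08-23 1471939200 0 4 0 1 10 01 {SAMPLE_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def signing_fingerprints(status_output):
    """Fingerprints gpg reports on VALIDSIG lines: the signing (sub)key and,
    when present, the trailing primary-key fingerprint.  GOODSIG alone is not
    enough: any key sitting in your keyring produces a 'Good signature'."""
    fprs = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            fprs.add(fields[2].upper())
            if len(fields) >= 12:  # optional 10th argument: primary key fingerprint
                fprs.add(fields[11].upper())
    return fprs


def signature_trusted(status_output, expected_fpr):
    """True only if a valid signature names the expected key and no error tag appears."""
    if any(f"[GNUPG:] {tag}" in status_output for tag in BAD_STATUS):
        return False
    expected = expected_fpr.replace(" ", "").upper()
    return expected in signing_fingerprints(status_output)


def run_gpg_verify(sums_asc_path):
    """Run gpg on the (clear)signed sums file and return its status lines (needs gpg)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sums_asc_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False)
    return proc.stdout.decode("utf-8", "replace")


def parse_sha256sums(sums_text):
    """Map filename -> sha256 hex digest from a SHA256SUMS or SHA256SUMS.asc body."""
    return {name: digest for digest, name in SUMS_LINE.findall(sums_text)}


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binary(sums_text, binary_path):
    """True if the file's SHA-256 matches its entry in the signed list; False when
    the file is not listed at all or the digest differs."""
    listed = parse_sha256sums(sums_text).get(os.path.basename(binary_path))
    if listed is None:
        return False
    return hmac.compare_digest(listed, file_sha256(binary_path))


def verify_release(sums_asc_path, binary_path, expected_fpr):
    """Full check: trusted signature on the sums file first, then the binary's hash."""
    if not signature_trusted(run_gpg_verify(sums_asc_path), expected_fpr):
        return False
    with open(sums_asc_path, encoding="utf-8", errors="replace") as f:
        return verify_binary(f.read(), binary_path)


def demo_hash_check():
    """Constructed offline demo (not a real release): an archive matching its signed
    entry passes, the same archive with one appended byte fails, an unlisted file fails."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bitcoin-x.y.z-demo.tar.gz")
        with open(path, "wb") as f:
            f.write(b"constructed sample archive\n")
        sums = f"{file_sha256(path)}  bitcoin-x.y.z-demo.tar.gz\n"
        intact = verify_binary(sums, path)
        with open(path, "ab") as f:
            f.write(b"\x00")
        tampered = verify_binary(sums, path)
        unlisted = verify_binary("", path)
    return {"intact": intact, "tampered": tampered, "unlisted": unlisted}


if __name__ == "__main__":
    import sys
    print("constructed hash demo:", demo_hash_check())
    print("constructed status trusted:", signature_trusted(SAMPLE_STATUS, SAMPLE_FPR))
    if len(sys.argv) == 4:  # real use: SHA256SUMS.asc, downloaded binary, expected fingerprint
        print("release verified:", verify_release(*sys.argv[1:]))
```

Real use is `python3 verify_release.py SHA256SUMS.asc bitcoin-0.13.0-x86_64-linux-gnu.tar.gz <fingerprint>`, with the fingerprint typed in from a source other than the page you downloaded from; if the site is compromised, the key, the sums file and the binaries can all be swapped together, so a matching hash proves nothing on its own, and the key check is what carries the trust.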