Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: imanikin on January 13, 2011, 12:35:08 PM



Title: Bitcoin Whitehats
Post by: imanikin on January 13, 2011, 12:35:08 PM

Just wanted to see how many Whitehats we have in this community.

We have plenty of visionaries, business people, and pundits, but how many security specialists do we have actually focusing on ways that Bitcoin opponents could try to damage the Bitcoin p2p, the application, etcetera...

Please sound off if you consider yourself a Whitehat, and Bitcoin is under your microscope!


Title: Re: Bitcoin Whitehats
Post by: fabianhjr on January 13, 2011, 01:48:54 PM
I considered myself a Whitehat. Just recently I found a security hole in pastecoin which allowed an attacker to upload shells and practically root the server. I notified the owner of the issue and now it is fixed. :)

I am just a newbie though. I still need to learn C++ to inspect the main project.


Title: Re: Bitcoin Whitehats
Post by: fabianhjr on January 13, 2011, 02:47:33 PM
Well, I like HNN, reddit, slashdot, HTS, and I am part of a gaming community. :P

What do you like? What websites do you visit?


Title: Re: Bitcoin Whitehats
Post by: ElectricGoat on January 13, 2011, 03:01:31 PM
The easiest way to gain the attention of *hats would be to set up a test network with a dozen generating machines, and dare them to crack it with new methods. There would have to be some kind of prize for those who manage that. And of course, the prize would have to be bigger than what one can expect to gain by exploiting the bugs he finds.


Title: Re: Bitcoin Whitehats
Post by: fabianhjr on January 13, 2011, 03:07:17 PM
Well, there is the "if you can find a way to exploit it you keep any coins you make". MtGox made a jump to 0.4 USD per BTC and I am sure you could make at least 5K USD fast enough before someone notices the attack. (A new nice gaming rig <3)

As a matter of fact I am so confident it will resist any attack that I could go taunt the *Hats and SKiddies with botnets to bring their asses here and not be able to exploit it at all. Also, there IS a test network with a separate blockchain than the official one.


Title: Re: Bitcoin Whitehats
Post by: ElectricGoat on January 13, 2011, 03:11:34 PM
If the test network exists, then there should be a bounty for cracking it.


Title: Re: Bitcoin Whitehats
Post by: Pegasus-Rider on January 13, 2011, 03:47:44 PM
I have a contact with a part of the community and even know some of them for a long time so if you're interested, I may ask for their help.


Title: Re: Bitcoin Whitehats
Post by: fabianhjr on January 13, 2011, 04:02:14 PM
That would be great! Apart, I am sure they would love Bitcoin. :)


Title: Re: Bitcoin Whitehats
Post by: ShadowOfHarbringer on January 13, 2011, 05:09:21 PM
Quote from: fabianhjr on January 13, 2011, 04:02:14 PM
That would be great! Apart, I am sure they would love Bitcoin. :)

Every hacker loves bitcoin. Bitcoin is the ultimate hacker & cyberpunk dream.


Title: Re: Bitcoin Whitehats
Post by: Pegasus-Rider on January 13, 2011, 05:15:21 PM
Quote from: ShadowOfHarbringer on January 13, 2011, 05:09:21 PM
Every hacker loves bitcoin. Bitcoin is the ultimate hacker & cyberpunk dream.

Perhaps when coupled to Raindroplet, it's everyone's dream as far as I can tell :-)


Title: Re: Bitcoin Whitehats
Post by: davout on January 13, 2011, 05:21:17 PM
Quote from: ElectricGoat on January 13, 2011, 03:11:34 PM
If the test network exists, then there should be a bounty for cracking it.

That's pretty stupid... The funds circulating on the actual network *are* the implicit bounty for cracking it...


Title: Re: Bitcoin Whitehats
Post by: ElectricGoat on January 13, 2011, 06:28:21 PM
By offering some prize if people crack the test network, you give them an incentive to not exploit the real network, but to speak forward and claim the prize. Unless you don't care much for what happens to the real network, there really should be some incentive to report the bugs.


Title: Re: Bitcoin Whitehats
Post by: fabianhjr on January 13, 2011, 07:13:17 PM
If there is a vulnerability someone can exploit it. If there is a vulnerability in the protocol the whole blockchain will have to be rebuilt! (Even if it is not directly attacked)

If an attacker succeeds then he has enough time to make his hand with about $5k USD before we even realize it.


Title: Re: Bitcoin Whitehats
Post by: ElectricGoat on January 13, 2011, 07:26:41 PM
- there are vulnerabilities that are easy to exploit on a small network and harder to exploit on larger ones, so discovering a vulnerability on the test network doesn't mean it will easily work on the real one.

- most of the vulnerabilities are first revealed as a proof-of-concept with no actual implementation, until it gets perfected into a real exploit. Would you rather get the proof-of-concept report early, or just wait for someone to rip you of your bitcoins?

- I'd rather give bitcoins to someone who reports bugs than lose the same amount to someone who exploited bugs


Title: Re: Bitcoin Whitehats
Post by: theymos on January 13, 2011, 07:46:31 PM
Quote from: fabianhjr on January 13, 2011, 07:13:17 PM
If there is a vulnerability in the protocol the whole blockchain will have to be rebuilt! (Even if it is not directly attacked)

No way. There was a bug in the protocol that allowed someone to create several billion BTC in the main chain. Everyone agreed to delete that transaction, and everything turned out fine. Not a single legitimate transaction was lost due to that incident.

We'll always be able to come to some agreement about what the block chain should contain. Someone will always have a backup. Some transactions might be lost, but it'll always be a small percentage, as an attacker can only affect coins that he has owned at some point in time (in most cases).

There was a bug that allowed an attacker to crash all running clients, and there was a bug that allowed an attacker to claim transactions that he never owned. I will pay 250 BTC per distinct issue (max 1000 BTC) if you report these critical rule-breaking bugs privately to Satoshi and he confirms they actually work.


Title: Re: Bitcoin Whitehats
Post by: ElectricGoat on January 13, 2011, 07:53:45 PM
The number of blocks is irrelevant, what is relevant is the computing power of the network. I don't know a thing about the test network but I suppose it's far easier to reach a sizable portion of its computing power with common hardware.


Title: Re: Bitcoin Whitehats
Post by: Ryo on January 19, 2011, 07:50:54 PM
Quote from: imanikin on January 13, 2011, 12:35:08 PM
how many security specialists do we have actually focusing on ways that Bitcoin opponents could try to damage the Bitcoin p2p, the application, etcetera...

I don't know if I'm a security specialist, but you can look at my thread: http://bitcointalk.org/index.php?topic=2868.0