Bitcoin Forum

I was doing some back-of-the-envelope math and realized that the current global hashrate makes me uneasy.  Current hashrate is about 13 THash/s.  Consider an "average" computer can do 5 MHash/s without a GPU.  A simple calculation reveals that it would take 2.6 million "average" computers to start rewriting the blockchain, double-spending and overall complete loss of confidence in BTC.   Now take into account that many of these computers have GPUs so that number is probably more like 1 million computers.    I'm concerned because, not only is this within scope of government agencies, but...

     'Indestructible' botnet snares 4.5 million computers (http://www.telegraph.co.uk/technology/news/8609309/Indestructible-botnet-snares-4.5-million-computers.html)
     'Gang of Six' Controls Botnet of 1.9 Million Computers (http://www.pcworld.com/businesscenter/article/163642/gang_of_six_controls_botnet_of_19_million_computers.html)   (actually, I believe this botnet was deactivated by the US government)
     Data-stealing botnet infects 2.3 million computers (http://www.cbsnews.com/stories/2011/04/13/scitech/main20053717.shtml)

All of these botnets could probably crush the BTC network.  There was already reports of botnets being used to mine BTC, but I'm not sure about any plans to attack it.  Obviously, I'd simply feel a lot more comfortable if it just wasn't feasible.   Three things we have going for us is: 

• (1) The security of Bitcoin should definitely receive credit for the fact that the botnet operators are mining coins like the rest of us, even if it's stolen hardware.  Obviously these botnets have a $#!+load of computing power, yet they can't/aren't using it to try to break the security of the network.
• (2) Bitcoin actually represents a possible benefit to the criminals running them, and they may not want to risk killing the network.  It may be more profitable to mine millions of dollars (and stealing wallets) and then use the same BTC network to move the millions of dollars around without trace.
• (3) The botnets that are mining to make BTC are actually increasing the difficulty.  When botnets compete, everyone else wins.

I'm concerned that, without any significant increases in BTC value, and thus incentives for miners to expand their mining hardware, the global hashrate is going to continue to wane at this vulnerable level.  It's great that only a very select few people/organizations in the world have this capability... but it only takes one to end it for all of us.  And it's only going to get worse over time:  once the rewards are halved, we'll probably see the exit of tons of miners from the network.   The only thing I can see truly making a difference here would be transaction fees.  But at the current tx/day quantities, there is no transaction fee scheme that could incentivise miners that would also be acceptable to the users. 

The more I think about it, the more it makes sense to have designed the network to have a constant generation rate at the beginning, and then switch to constant inflation rate.  This would guarantee that miners will have "economically constant" reward, forever.  Not to mention that many economists (whom I agree with) consider small, consistent inflation to be good for a currency/economy. 

Is there a reason to be more optimistic about this?

I think whoever uses that botnet will make a lot more money mining bitcoins and selling them on the market than using it to try to take down Bitcoin.

Just want to clear a few things up with botnets.

Most of the bigger botnets (anything more than 50k) probably don't use IRC.

In-fact, they probably are just compiled infections that run a miner pointing to a specific worker.
In which the pool owner can simply just delete that worker.

The best shot of a botnet owner (with more than 10k zombies) would be to create a private pool for all their infections to mine at.

I agree that it's quite profitable for botnet owners to use the BTC network as it was designed to mine coins.  But it's feasible that someone, some time, might find it appealing execute a massive double-spend attack and make off with the cash/goods/whatever before the network crashes.  We are all familiar with how motivated some people are by short-term rewards... It only takes one time for this to crush the network, and I think we should all be concerned if there is any one person/organization that is capable of it.  That's a lot of power they're wielding, even if they have no ill-intentions towards the network.

But let's not focus on botnets, and focus on entities with a ton of resources:  perhaps governments that would feel more comfortable without the BTC network.  It's probably feasible for an existing US government agency to pull the trigger on this primarily with existing resources, they'd only need a little bit of preparation to distribute the software to all their computers.   

My point is, I think a one-million-computer threshold for breaking the network is too low.  If you consider the number of GPUs and/or FPGAs needed, it starts to look even easier.  And without a massive spike in BTC value, I only see this getting worse over time.

If I had control of a million zombies (which with a million zombies, you're probably just data-mining) it would be WAY more secure[*] to sell data (CC, Logins...etc) than to mine for Bitcoins.

[*] - I can't think of a better word. :\


[Edit]:
Think of it like this.

If you watch mobster movies about the group trying to buy a massive load of drugs/guns, they already know exactly where to buy from.
Now, think of it in the eyes of the seller (zombie controller)...they know who to sell to.

Groups in control of ~million zombies data-mining aren't looking to sell 1-2 $1.5 USA CC's, they are selling to others who are reselling them.
I've seen a stack 10k-50k /gumbled (USA, CAN, EUR...etc) go for $5k.

I personally think that the fact that a majority of hashing power can overwhelm the network is a good thing. The unequal distribution of wealth, which makes this undemocratic, is a separate social issue in my mind. The alternative is a system that allows those who amass wealth to protect it indefinitely, which I think is dangerous. True, it means that those who have legitimately worked to earn their wealth loose protection, but it also means that the majority can reclaim wealth from malevolent dictators etc. This is political though and just my point of view.

My point is, I don't know if you can have a network that relies on the decision of the majority and still prevent governments and powerful people from being able to obtain that majority.

If someone tries that, an alert will be issued and payments will stop for as long as the botnet owner is willing to waste money. Once the botnet gives up, any damage they've caused will be reversed by hardcoding correct values into the client. Only a few people will end up losing money, and the botnet owner will be worse off than if they had stuck with normal botnet activities or legitimate mining.

First, have you seen how freakin' difficult it is to get users to upgrade their clients?  0.3.24 has been out forever, yet countless users are still using earlier versions, probably because they don't even know a new client is there, or don't feel like being inconvenienced by it when their current client already works.  It would take days to get everyone upgraded, and until then different users will be operating on different branches of the block chain. 

Second, if it happens once, what's to stop the same person from doing it again?  They still have 50%+ computing power, and wasting money may not be the primary concern of the attacker.  Perhaps they just want to disrupt the network...

Third, you can't possibly believe that such an event would not make headlines and cause catastrophic damage to the BTC network...?  The entire value of Bitcoin is based on people's confidence in the system, which is not well-correlated with the technical/security merit of the system.  MtGox and MyBitcoin had nothing to do with the merit of BTC, yet both did quite a bit of damage.  Let's see what happens when we throw a real security "breach" into the ring.

Maybe someone should start up a release mailing list?

It won't be difficult when an alert is issued and everyone's clients are saying "EMERGENCY: DO NOT ACCEPT TRANSACTIONS UNTIL YOU HAVE UPGRADED".


There are various techniques that can force the attacker to get larger percentages of computational power before getting control. These would be developed if necessary. We'd also get better at handling alerts (probably alert-enabled safe mode would be re-introduced) and detecting attacks automatically.

Legitimate miners would have an excuse to charge higher fees, which would allow them to get more hardware.

The attacker will run out of money eventually. It'll never be profitable.


I don't really care about the price. The network will survive, which is what counts.

You're talking about the developers intentionally revoking previously-valid transactions by central fiat - and they can't just revoke the ones involved in the double-spend, they have to revoke all of them. If any exchange or e-wallet site remains running after the double-spend attack - and not all of them can afford to watch the news 24/7 - they risk having their wallets drained by double-spends assisted by the Bitcoin developers themselves! This could well end up doing more damage than the original attack. From the point of view of those affected byt this second attack the developers' version of the chain is in fact the malicious one and they'd be entirely justified in hard-coding their clients to reject it instead; imagine if Mt Gox did this.

Edit: Oh, and it's kind of hard to tell for sure when the botnet has "given up", because they don't have to tell the rest of the Bitcoin network about their malicious chain until it's time to replace the existing one with it.

Theymos, I think you are being way too optimistic about the consequences of such an attack.  Sure, the network may survive, but the value will drop dramatically, and a significant proportion of participants will flee.  You may not need high value for Bitcoin to work, but you do need users...

But I don't want to debate what the fallout would be of such an attack, I want to figure out if my calculations and concerns are justified, and brainstorm how this might be mitigated.  We can debate all day about why no one would/should want to attack the network like this, but people don't always have good reasons to do what they do, and we'd all be better off if it just weren't possible for anyone to do it.  How can we possibly incentivise people to contribute more compute power?  And do we need to? 

P.S. -- One very good reason for the attack could be that someone gets the opportunity to short-sell a couple million dollars worth of BTC.  By killing the network, he gets to keep the money.

Why couldn't the-collective-we only revoke the double-spends (and subsequent txns that depended on them) ?

A hard-coded list of invalid txids wouldn't be hard to insert into the is-valid-transaction checks, and that along with a blockchain checkpoint would work just fine.  Valid transactions on the bad chain would move to the new chain (actually, they'd already be on the non-attacker chain, since the miners on both sides of the block split would have included them).

It's not fiat because, as you mentioned, people can choose to accept or reject the changes.

It will be easy to see which transactions came first, since the blocks containing those transactions were broadcast and then later "replaced". There may be problems with innocent people losing confirmed transactions that were based on double-spent coins, but hopefully the problem can be dealt with before this happens much.

The client should probably require 120+ confirmations for transactions that seem to be double-spends, since these transactions could be reversed later on. Maybe if this kind of attack becomes an issue, a peer warning system for double-spent transactions could be developed to trigger this protection.

Bitcoin could also enter safe mode automatically whenever a reorg longer than 6 blocks is observed, or when smaller reorgs happen too many times within some time period.


Their wallets will be drained in any case. The hardcoded changes might return some of the coins.

Guys, if someone has 55%+ of the network on their own and they have malicious intent, we're screwed.  Once a week they could do a huge double-spend or just start rewriting the blockchain for fun.   The value of BTC, and thus quantities of miners, would probably dissipate after the first or second week, making it even easier on subsequent weeks to throw in the KO punch.  The entire security of BTC is based on the assumption that no one has that much power.  I agree that there should be a plan in place for how to deal with such events, but I'm trying to focus on whether there's a way to avoid it to start. 

Right now, there's only a few entities in the world who can match the global hashrate, but I don't see how this is going to get any better.  I am looking for optimism about the future of BTC in this light.  There is not enough financial incentive for miners to invest in new hardware, and CPUs mine for net loss.  So, is the BTC network always going to be vulnerable to a botnet/gov't attack?  Or is there a reason to believe that things will pick up?  I know we'd like to believe value will jump up above $100/BTC which would certainly provide incentive, but if it doesn't happen before the generation rewards are cut in half, that could be the start of a downward spiral.

here are the bitcoin weaknesses (https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_computing_power).. a bit of misinformation on the 51% fear

I would think the "longest block chain is the valid one" be rethought.  Obviously people think that a human can detect an invalid chain.    There must be some programmatic method to recognize such an attack. 

One easy way, would be that if I saw a new block chain with >4 blocks that overwrite the old ones and that chain includes a transaction that is older than one that is in the old chain, then it is likely a double spend attack.  Couldn't my client simply require that the new chain have several more blocks than the old chain before it is considered valid. For example, for every block the old chain got, the new chain would be required to have 4 more blocks.  Hence, the new chain would only be accepted int the large majority decided it was valid.

I say we try some of these attacks on the new bitcoin clones.

I agree, the fix/workaround for dealing with a Malicious Power would just get worse and worse if they kept the power. And if they ever got it I do think legit mining power would drop as you say.


Obviously a price increase adds strength, but it isn't the only way. Profit motivated individuals will innovate and find more and more efficient ways to get the reward getting us more bang for the buck. Some innovations will be copy-able by Malicious Powers, but some will not, like masses of people in cold climates getting nearly free mining electricity because they would pay for the heat anyway and people putting "owned for other reasons" hardware to work mining when idle. That just means there is some extra (probably growing) multiple of cost for the attacker compared to the costs of honest miners.

I think the 5 Mhash/s figure assumed by the OP is highly optimistic when estimating the power of botnets.  The kinds of computers that become part of a botnet are generally older/unpatched systems.  These computers are likely to have Pentium 3's or 4's and integrated graphics, which would yield only hundreds of khash/s. 

I don't want to get too sidetracked debating the "average" MHash/s estimate, but I was conflicted about how to come up with a ballpark estimate.  I based it on the fact that present-day Intel chips get 2-8 MHash/s, and the AMDs get like 4-16 MHash/s.  However, most computers are Intel, so I sided with the average value there.  I considered that there would be a significant number of older computers, but also that there were going to be a significant number of AMDs offsetting them.  And even one computer with any decent graphics can add the value of 10 - 30 CPUs.

There's a number of huge problems with this.

First, the estimates of millions of PC infected by botnets have always perplexed me. They are estimates, but by who and on what basis? I don't doubt there may have been a few botnets that have come pretty close to or surpassed a million computers, but I think it is far more likely that these kind of botnets would have to be operating in a very loosely-connected fashion, and probably get cleaned on average at a rate of 1% or more per week, meaning the owners have to continually infect new PCs to maintain their numbers. Worse still for the bot herder, I would imagine ISPs block communications from bot to C&C servers at a rate of 10% per week, meaning that they really have to stay on top of things in order to maintain control. I don't get the impression that one single executable with the same instructions and controls runs on 1 million PCs at exactly the same time.

Second, the cleanup rate of these PCs is going to significantly increase once they are being used to mine Bitcoin. Users tend to turn off or disconnect their computers when they run slowly, and then have someone take a look at them. Even in the case of computers with a decent video card that could pump out 25 megahash or more, if the user has issues, they are going to get it checked out.

I really feel there is no feasible way a botnet network would be able to maintain double-spends for any reasonable period of time, especially considering variance means that you need more than just 51% of the network, you aren't going to be able to keep your double-spend forever with only 51%. This is kind of like the zero-variance knowledge proof, every subsequent "right" answer is just more and more confirmation that your transaction went through.

People vastly misunderstand what a double spend means and how the attacker has to keep the double-spend going into perpetuity in order to pull off any sort of legitimate attack.

Raize,

I completely agree with everything you just said.  I recognize that there's more to the calculation than the order-of-magnitude estimate I provided in my first post.  But it doesn't change the fact that:

• (1) For the same reason someone with more than 50% can get unlucky and fail to execute a large double-spend, someone with less than 50% can get lucky and pull it off. 
• (2) There is potentially irreparable harm done to the network by anyone executing this kind of attack for any reason.  We can argue about the unlikelihood of it happening all we want, but the folks designing the Japanese nuclear plants probably would've said the same thing about the liklihood of a 9.0 earthquake+tsunami hitting them (I believe that plant was designed to withstnad 7.0)
• (3) Some might argue that the value of Bitcoin as it stands is completely irrational.  It's based entirely on speculation and imagination.  It doesn't take a rational reason for people to start jumping ship and for the program to come crashing down, even from just one legit attack.  Everyone could see the huge blockchain re-organization, and it would make news headlines.
  
• (4) I don't want to focus on the degree of feasibility so much as the fact that it is possible for someone, whether botnet or government or Warren Buffet, to collect the resources to execute the attack.  It wouldn't be easy, but Bitcoin is a high-profile network with almost $100 million of value, so the possibility that someone would want to do it can't be ruled out.

If it's feasible now, it's only going to become more feasible in the future if nothing changes.  At current rates, the best we can hope for is that BTC will more than 100% ROI when the reward gets halved, and the current mining community sticks around then.  I just don't want to get lost arguing about whether any botnet has precise enough computers to execute the attack, I'm just operating on the assumption that there are people/organizations out there with the same order-of-magnitude of resources needed and that it can't be ruled out. 

Buffet begins buying GPUs
Network doubles
Buffet can't double spend
Buffet mines legitimately to cut losses?
Profit?

Profit!

Honestly I think this is the more realistic scenario.  Bitcoin will never challenge a fiat currency for dominance, at least not anytime soon.  When and if it does, the global hashrate would, by definition, be high enough to *almost* preclude this scenario.

The only solution - honestly - is to get as many people as possible onto the network (the valid network :) )

That's one of the things my partners and I are trying to do.  Bitcoin CANNOT just be for tech geeks if it is going to survive without being compromised as described in this thread; and it will only succeed economically if it begins to gain mass acceptance.

(Nearly) all or nothing imo. My bets are down.

Valid transactions on the bad chain would move to the new chain so long as no-one made a deliberate, malicious attempt to replace them. If they did all bets are off as far as I can tell. Newer transactions wouldn't be on both sides of the block split because all the miners would transition to mining the attackers' blockchain once they heard about it.

Rationally speaking, they can only reasonably go along with what the majority of big players choose. In particular if the exchanges or the pools choose one side, any Bitcoins on the other side are illiquid and essentially worthless. Worse still, any uncertainty as to which side will win is likely to cause a drop-off in mining power that would make additional double spends a lot easier.

The hardcoded changes would return coins to one side of the double-spend by taking them away from the other side. There's no guarantee that either set of coins would be in the hands of the attacker. (Technically the developers could confiscate arbitrary coins and hand them to whoever they want, but that opens up a whole bunch of cans of worms...) Automatically disabling transactions when a node detects a big rearrange would help reduce this risk though.

I'm curious as to the long-term economics of mining.  I'm interested at what happens when bitcoin gains price stability, the majority of bitcoins have already been mined and (presumably) miners mine to win transaction fees rather than new bitcoins.

Suppose all miners are rational economic players, in that they mine if and only if the rewards outweigh the costs.  This means that it is in effect free to buy hardware and electricity to mine with - every GPU and kWh funds itself by winning transaction fees.  This in turn means that (with access to large amounts of initial capital) you can actually build an arbitrarily large self-funding mining rig.  You just keep adding extra nodes/GPUs because each node is self-funding.  Eventually, by accumulating more nodes you end up owning half the network at which point you can (it seems) do many devastating attacks on the network.  Given the time you've invested you may not want to destroy it completely, but you may wish to make some huge double spends that live for long enough for you to cash out into USD.

It seems to me that the only way of stopping people taking control of the network for free, is by making mining being a loss-making activity...but then why would people want to mine for free?  But even then, you would still have to make it significantly loss-making to stop black-hats from 'investing' some short term capital with the reward that they can do some monster double spends.  So you can see the general argument here - it costs the same amount for a good-guy to mine as it does a bad-guy, except that the bad-guy has the added incentive of double-spend upon seizure of the network.  Economically speaking, this means that in the steady-state era it is rational to mine only if you're a bad-guy looking to seize control of the network.

Hopefully I'm wrong about all this and I've missed some key argument...but what is it?

There are two problems with that. First, although each individual might be able to build a large mining rig, no individual would be the only one doing it. You may accumulate more nodes, but other people will also accumulate more nodes and you won't reach 50%.
Second, as everyone adds more nodes that pay for themselves, the difficulty compensates and the nodes can no longer pay for themselves. At that point, it will be profitable to keep the nodes you have on, but not to buy and add more nodes. That would happen long before anyone has the chance to even come close to equaling the global hashrate.
That doesn't mean that it would be impossible to equal the global hashrate, just that it would not be possible to profit from mining by equaling the global hashrate.