Title: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: sevensheeps on December 17, 2014, 07:59:07 PM

I had to share this interview I just read on twitter! :)

Quote
How did you initially discover the issue with the reused R values on Blockchain.info?

I have a script that I run regularly that scans for repeated R values. There has been another program producing them since September, so I made a habit of watching that daily. The problem is not new for me. I have followed it since April 2013. The program I use is my own one, that I wrote in 2013.

What program was this, and how many bitcoins did you sweep out of those addresses?

The one in Summer 2013 was the Android bug. The buggy RNG [Random Number Generator]. I didn’t sweep much, a few mBTC. But others were doing it as well. That it was Android, I only noticed when I searched for one of the broken addresses and found a post at bitcointalk. This was when I created the [bitcointalk] account. I told him that his program was buggy and asked him which [bitcoin client] he used.

Which wallet would you recommend for the average user of Bitcoin that combines security with ease of use?

For small amounts of money one can probably use everything that one finds convenient. I would suggest using some tools that use deterministic wallets, so that one doesn’t have to worry so much about backups. Of course, if one uses a program on the desktop, one should set a wallet password and keep it clean from malware. For larger amounts that one doesn’t need to access regularly, a paper wallet should be used, preferably with the key generated on an offline computer. I use my trezor for this, though.

What is your opinion on the security of Blockchain.info’s webwallet following these incidents?

The bug shows that there is a problem. The patch was changing security critical code and it should have been reviewed more thoroughly. It was just a missing variable initialisation. Careful inspection of the code should have revealed it. JavaScript is also not really meant to program security critical applications. For example, it has no type checking.

How did you verify that the addresses you swept were generated on Blockchain.info?

If an address was generated on Blockchain.info on that day it was produced by the random number generator, so it was in my list of random numbers. But I could also attack addresses from which money was spent on that day. In that case the signature contains one random number from my list. I actually didn’t check whether I accidentally broke an address that wasn’t related to this problem. There is still some other tool producing the duplicated R values and I’m still wondering which. But if it happened they should see the note that they should contact Blockchain support. So it is okay :) I’m thinking I found most of the money, but I know that 105.9 BTC were stolen already in the evening (probably by some lucky guy who accidentally created the same address).

Can you explain a bit more about this other program producing duplicated R values?

We are still wondering about it. It has a different pattern. It uses a random R value, but it uses it in one transaction for all inputs. amaclin analyzed some of the transactions and said that they spent to a BTC-e address, but we don’t know much more. Since the program is usually not reusing keys often, there have not been so many broken keys and I think only very few swept accounts. I think I still have 0.9 BTC from one account. So if we ever find out [which program has the issue] I will offer it back.

https://www.cryptocoinsnews.com/interview-johoe-hacker-returned-800-bitcoins/

Best wishes, Seven.

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: Meuh6879 on December 17, 2014, 08:02:46 PM

good mind.
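The interview in the opening post describes two things a scanner has to do: pull the R value out of each spending signature and flag any R that shows up in more than one signature, distinguishing the Blockchain.info pattern (the same R reappearing across transactions, which exposes a key when the same key signed both) from the second, unidentified tool (one R reused for every input of a single transaction). The following is an added example written for this thread, not johoe's own script, and the transaction ids, public key labels and R/S values in it are constructed placeholders, not real chain data.

```python
"""Detect reused ECDSA R values in a batch of Bitcoin transaction inputs.

Added example for this thread; not johoe's tool. All sample values below
are constructed and the record format (txid, vin, pubkey, der_sig) is an
assumption made for the example.
"""
from collections import defaultdict


def parse_der_signature(sig: bytes):
    """Parse a scriptSig-style DER signature into integers (r, s).

    Layout: 0x30 <len> 0x02 <rlen> <r> 0x02 <slen> <s> [one SIGHASH byte].
    """
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    total = sig[1]
    body = sig[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated signature")
    if body[0] != 0x02:
        raise ValueError("expected INTEGER for r")
    rlen = body[1]
    r = int.from_bytes(body[2:2 + rlen], "big")
    rest = body[2 + rlen:]
    if len(rest) < 2 or rest[0] != 0x02:
        raise ValueError("expected INTEGER for s")
    slen = rest[1]
    s_bytes = rest[2:2 + slen]
    if len(s_bytes) != slen:
        raise ValueError("truncated s")
    return r, int.from_bytes(s_bytes, "big")


def _der_int(n: int) -> bytes:
    # DER INTEGER: prepend 0x00 when the top bit is set so it stays positive.
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b


def der_encode(r: int, s: int, sighash: int = 0x01) -> bytes:
    """Build a signature in the same layout, used here to construct samples."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])


def scan_for_reused_r(inputs):
    """inputs: iterable of (txid, vin_index, pubkey, der_sig).

    Returns {r: [(txid, vin, pubkey), ...]} for every r seen in 2+ inputs.
    """
    seen = defaultdict(list)
    for txid, vin, pub, sig in inputs:
        r, _ = parse_der_signature(sig)
        seen[r].append((txid, vin, pub))
    return {r: uses for r, uses in seen.items() if len(uses) > 1}


def classify_hits(hits):
    """Label each reused-R group with the two patterns from the interview.

    'cross-tx': the same R in different transactions (the RNG-bug pattern).
    'same-tx':  one R for every input of a single transaction (the second tool).
    same_key is True when one public key signed twice with the same R, the
    case in which that key's private key is exposed and its funds should be
    moved and the wallet software reported.
    """
    report = {}
    for r, uses in hits.items():
        txids = {u[0] for u in uses}
        pubs = {u[2] for u in uses}
        report[r] = {
            "pattern": "same-tx" if len(txids) == 1 else "cross-tx",
            "same_key": len(pubs) < len(uses),
            "uses": uses,
        }
    return report


# Constructed sample values (placeholders, not real R/S or keys).
R_SHARED = int("7f" * 32, 16)   # reappears across two transactions
R_ONE_TX = int("5a" * 32, 16)   # reused for both inputs of one transaction
R_UNIQUE = int("3c" * 32, 16)   # used once, must not be flagged
S1 = int("2b" * 32, 16)
S2 = int("4d" * 32, 16)

SAMPLE_INPUTS = [
    ("tx01", 0, "pkA", der_encode(R_SHARED, S1)),
    ("tx02", 0, "pkA", der_encode(R_SHARED, S2)),
    ("tx03", 0, "pkB", der_encode(R_ONE_TX, S1)),
    ("tx03", 1, "pkC", der_encode(R_ONE_TX, S2)),
    ("tx04", 0, "pkD", der_encode(R_UNIQUE, S1)),
]

if __name__ == "__main__":
    for r, info in classify_hits(scan_for_reused_r(SAMPLE_INPUTS)).items():
        print(hex(r)[:12], info["pattern"], "same_key=%s" % info["same_key"], info["uses"])
```

Grouping by the raw r integer (rather than by the hex string of the scriptSig) is deliberate: DER may pad r with a leading zero byte, so two encodings of the same R can differ textually while being the same value, and that is exactly the case a scanner must not miss.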
Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: sevensheeps on December 17, 2014, 08:43:18 PM

Yeah it's a good read, what a story! :) It's an impressive thing for a person to do!

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: LiteCoinGuy on December 17, 2014, 08:45:33 PM

800 BTC? damn... getting more and more... :o

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: busterroni on December 17, 2014, 09:10:28 PM

Hey, that's my article! :) Glad you guys liked it!!

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: sevensheeps on December 17, 2014, 09:17:38 PM

Quote from: busterroni
Hey, that's my article! :) Glad you guys liked it!!

I really liked it, I shared it with my Twitter followers as well. I'm glad he's on our fence ;D Mainstream media should report on bitcoin stories like this, don't you agree?

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: mlferro on December 17, 2014, 10:53:53 PM

very nice !!
valley and very apena read

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: colinistheman on December 17, 2014, 11:12:01 PM

Nice to see some good-intentioned people in the bitcoin space amongst all the scammers and thieves.
You wouldn't believe how many fraudulent emails I get trying to steal my btc. It makes me kind of sick.

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: newIndia on December 17, 2014, 11:17:28 PM

Quote from: busterroni
Hey, that's my article! :) Glad you guys liked it!!

Nice interview Jonathan :)

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: cryptworld on December 18, 2014, 12:01:23 AM

The bitcoin community is so lucky to have these good people.
If it was a bad hacker he would have pulled 800 bitcoins :-\

Title: Re: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins.
Post by: YinShuiSiYuan on December 18, 2014, 12:25:26 AM

I am surprised that he is as honest as he is. Most people that are running these kinds of programs are far from honest and are doing so in hopes of stealing other people's money (usually from stealing brainwallets).