Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Kazimir on February 13, 2014, 04:55:50 PM



Title: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Kazimir on February 13, 2014, 04:55:50 PM
Seems there's good news at last:
http://www.cryptocoinsnews.com/2014/02/13/bitcoin-developers-ddos-fix-ready/


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Barek on February 13, 2014, 04:59:37 PM
There seems to be no source for their claim?


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Kazimir on February 13, 2014, 05:02:35 PM
There seems to be no source for their claim?
Article says "The sessions have been constructive and up-beat, and patches to the imminent 0.8.x version upgrade are being finalized." so I guess we'll see a new version appearing shortly.


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Barek on February 13, 2014, 05:11:29 PM
I guess it's possible to give them the benefit of the doubt.

Cause looking at this, not much is happening.

https://github.com/bitcoin/bitcoin/commits/master


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Kazimir on February 13, 2014, 06:09:39 PM
Some action going on now!

Just noticed a fix "Add raw transaction hex to `gettransaction` wallet RPC" and from what I understand, this provides a non-modifiable token by which clients can distinguish an original transaction from an altered one.


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: wickedgoodtrader on February 13, 2014, 07:46:19 PM
The real question is if this was a known issue, why was it not addressed before? It seems if they had a solution they would have implemented it a long time ago.


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Barek on February 13, 2014, 07:50:07 PM
Why do so many vulnerabilities go unfixed until there is a working exploit and it starts to hurt?

Oh, yeah, and of course it is very easy to ask that now.

Why didn't you say anything last month? ;)


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: mb300sd on February 13, 2014, 07:55:34 PM
Actually, this is the fix. I'm already running it on my nodes.

https://github.com/bitcoin/bitcoin/pull/3025


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: WesandEAC on February 13, 2014, 07:56:19 PM
This is how you provide accountability for an institution.  If they saved the day ahead of time you would say, "Why do we need them?"  Much like the Federal Reserve who knew exactly what was about to happen and still let it happen to obtain more strength and legislation giving them more powers.

The Shock Doctrine.

Good read.

Why do so many vulnerabilities go unfixed until there is a working exploit and it starts to hurt?

Oh, yeah, and of course it is very easy to ask that now.

Why didn't you say anything last month? ;)


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: dorobotsdream on February 13, 2014, 09:38:12 PM
Actually, this is the fix. I'm already running it on my nodes.

https://github.com/bitcoin/bitcoin/pull/3025

This leaves me with some questions:
1. How long will it take for a new reference client version to make a real impact on the network?
2. What software do miners use? If they use other software, how long will it take for that to be updated? Attackers could still try to plant mallified transactions by peering with miners using older software, right?
3. What is to stop an attacker from hiring his own mining equipment and sticking mallified transactions in it? Or is this too expensive?


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: toddfletcher on February 13, 2014, 11:58:59 PM
This leaves me with some questions:
1. How long will it take for a new reference client version to make a real impact on the network?
2. What software do miners use? If they use other software, how long will it take for that to be updated? Attackers could still try to plant mallified transactions by peering with miners using older software, right?
3. What is to stop an attacker from hiring his own mining equipment and sticking mallified transactions in it? Or is this too expensive?

As far as 1) There's no impact from the problem as it is, it's just nerves.

As far as the rest, the blockchain stops all that already, this is only a problem for exchanges that process withdrawals before confirmation, which you would think would be none of them.


Title: Re: DDos fix (malleability issue workaround) is ready! back to business :)
Post by: Peter R on February 14, 2014, 12:07:04 AM

As far as the rest, the blockchain stops all that already, this is only a problem for exchanges that process withdrawals before confirmation, which you would think would be none of them.


No, the malleability attack has exposed a more general problem that can affect the reliability of zero-confirmation transactions between honest participants:

When the network is under malleability attack, zero-confirm transactions built from unconfirmed change outputs are not reliable.

Under certain conditions, it would be possible to pay for coffee with bitcoin, have the BitPay receipt say "paid", and later find out that the transaction was voided due to a malleability attack on the parent transaction [even when both customer and merchant are honest and do everything right].

I think the work-around (while we wait for a true fix to end malleability) will be for the wallets to disallow transactions built from unconfirmed change outputs, and for better in-wallet coin management to ensure a sufficient reserve of confirmed outputs to spend.
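
Added example (not part of Peter R's post or of any wallet's code): a toy Python model of why a child transaction built on unconfirmed change is voided when the parent confirms under a different id, together with the confirmed-outputs-only coin selection described above. The Tx and Utxo classes, the function names and the simplified id calculation are assumptions made for illustration; this is not Bitcoin's real serialization.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: tuple        # ((prev_txid, vout), ...) outpoints being spent
    outputs: tuple       # output amounts; the index is the vout
    sig_bytes: bytes     # toy stand-in for the signature encoding

    @property
    def txid(self) -> str:
        # Toy model: the id hashes the signature bytes together with the body,
        # so re-encoding the signature changes the id but not the payment.
        body = repr((self.inputs, self.outputs)).encode() + self.sig_bytes
        return hashlib.sha256(hashlib.sha256(body).digest()).hexdigest()

@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    amount: int
    confirmations: int

def child_is_valid(child: Tx, confirmed: dict) -> bool:
    """True only if every outpoint the child spends exists in confirmed txs."""
    return all(t in confirmed and v < len(confirmed[t].outputs)
               for t, v in child.inputs)

def select_coins(utxos, target, min_conf=1):
    """Workaround from the post: never fund a payment from outputs with
    fewer than min_conf confirmations (e.g. fresh change)."""
    picked, total = [], 0
    eligible = [u for u in utxos if u.confirmations >= min_conf]
    for u in sorted(eligible, key=lambda u: u.amount, reverse=True):
        picked.append(u)
        total += u.amount
        if total >= target:
            return picked
    raise ValueError("not enough confirmed outputs; wait for confirmations")

def demo():
    # Constructed sample data, not real transactions.
    parent = Tx((("aa" * 32, 0),), (30, 70), b"\x01")
    mutated = Tx(parent.inputs, parent.outputs, b"\x02")  # same payment, new id
    child = Tx(((parent.txid, 1),), (5, 65), b"\x01")     # spends parent's change
    return (parent.txid != mutated.txid,
            child_is_valid(child, {parent.txid: parent}),    # original confirms
            child_is_valid(child, {mutated.txid: mutated}))  # mutated confirms
```

demo() returns (True, True, False): the child is fine if the original parent confirms and orphaned if the mutated copy confirms instead, which is why select_coins refuses zero-confirmation change by default.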