Firmcoins are not completely hack-proof nor any device I know of. With enough money it's possible to crack anything.

Was is important is that Firmcoins are designed so that cracking a single Firmcoin does not give the attacker a significant advantage for cracking the next one.  We've put a lot attention to protect the Firmcoin from software bugs, which could be exploited from the outside world without physically compromising the device.

There is no global key, nor shared symmetric secret that you can extract from a Firmcoin, to use in another Firmcoin. Almost everything that's inside the Firmcoin, you can extract by just asking the device for it.

So if a Firmcoin holds 1 BTC, and cracking a Firmcoin costs 100 BTC, then there is no incentive on cracking it for money. I even expect that a university will crack one some day, and that won't affect the security of Firmcoins as a means to make low to medium valued payments (e.g. less or equal to 100 USD per Firmcoin). The same is true for bank notes (and that's why there are no 1M USD banknotes)

If you want to pay more, you're probably in a a context where you're online and you can just make a normal Bitcoin transaction.

The key property of a Firmcoin is not tamper-proof, but tamper-evidence.

Add still another layer of physical security.  It's a measure to deter counterfeiting, but REALLY it does not buy much additional security as I suppose that holograms can be reverse-engineered and cracked.

Check this proposal, which I think is almost exactly that you propose: Increasing the Network Hashing Power by reducing block propagation time
https://bitcointalk.org/index.php?topic=145066.0

Two little additional tweaks:
- Mining blocks of type B give you a 50% percent less reward than type A mining. (this is to avoid type B only mining)
- Difficulty of block branches are compared using the actual PoW (not the expected PoW).

I'm unsure if HL mining is equivalent to my other proposal https://bitcointalk.org/index.php?topic=145066.0 or better/worse.

Edit after thinking: Also, it does not work as described in a deflationary coin when the time the block reward goes to zero comes. In other words, it only works on slightly inflationary coins. Or it could work in deflationary coins if a small percentage of the fees (e.g. 10/60) in blocks of type A is awarded to the miner of the following block of type B.

Interesting paper, although I have only read the conclusions. But this is how I completely solved the problem of orphan blocks (well, this is IMHO) in other experimental alt-coins (and I may apply it to QixCoin).

The method is called HL mining (for Heavy/Light mining).

I have two alternate mining stages:

The first is a normal mining stage, 1 minute interval. (type A, this is the heavy block)

The second is a reduced difficulty stage, 10 seconds time. (type B, this is the light block)
This stage produces blocks that do not include ANY transaction except for the coinbase.  This is mandatory.
Type B blocks only used to compensate for propagation delay of Txs and give incentive to miners to start mining on a received block EVEN if not all the transactions in that block have been received/verified.

So miners receive a normal type A block header without transaction list (which propagates very fast) and start mining a type B block using the type A block as parent. This is a bet that the type A block is ok. While they are mining, they receive the second part (which includes the transaction hash list), they download/check the missing transactions of the previous type A block. If 20 seconds have past and they are unable to collect all missing transactions, they re-start again mining a block that competes with the (invalid/incomplete) received type A block.

Mining always alternate types of blocks: A B A B A B ...

The total interval between type A blocks is (on average) 1 minute and 10 seconds. Mining a block type B gives you a reward proportional to the difficulty relation between type A blocks and type B blocks (1/6 in the example shown).

Since block headers and hash list (without Txs) propagate very very fast, the orphan rate is at least 100 times less.
Obviously it may be the case that a miner receives a type A block, then a type B block and still it has not validated the Txs of the type A block.
In this case the miner will still compete for the type A block, after the wait time has elapsed.  This will lead to wasted hashing power, but this is a very unlikely scenario.

Note that the hashing power used to mine blocks of type B is not "wasted" since is works as an additional (fractional) confirmation of a block.
Also note that type B block will have a much higher contention rate, but since propagation is also much higher (e.g. 100X) I we would expect a low orphan rate of these blocks, and since type B blocks only account for a fraction of the network hashing power, then the overall wasted hashing power is lower with the ratio 10/60 approximately.

This can be accomplished in Bitcoin with small code changes, but a hard fork.

I do not have a theoretical analysis of this scheme, but some simulations I did show that it waste much less hashing power (in orphans) and bandwidth than the current Bitcoin system.

I didn't implemented it. I'm too busy.
But Luke-Jr implemented something that is very very close. You can modify it easily: maybe 5 lines of code is enough.

What about using the wasted electricity to heat your shower water? Or to cook?

BTW, we should be happy Satoshi choose 1 as the error code and not 0, because 0 is a weak message for a ECDSA hash and can be easily forged. This would result in anybody being able to steal each other coins.

(or maybe he knew about this fact)

No, this is only partially true. You could use a tweaked bitcoin miner to do vanity address generation (but you probably won't be able to use an off-the-shelf ASIC miner).

Check https://bitcointalk.org/index.php?topic=255245.0 (10X Faster Vanity addresses (P2SH/M))

Now we've found the first and only way to test the execution of the line:


(for which I thought it would be impossible to ever test in a live transaction)

Since the hash "00 .. 01"  does not depend on the script hash that spends the output, you can create a scriptpub that actually includes the signature of the hash "00 .. 01" in the script.

For example:

<sig("00 .. 01")> OP_DROP OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

Will result in <sig("00 .. 01")>  being stripped from the script when the output transaction is redeem by a SIGHASH_SINGLE signature with an out-of-bounds nOut.

Nevertheless since it won't affect in any way the outcome of the signature checking, you'll only be checking if that execution path aborts with an exception or continues normally.

Thanks

If you think you are, then you should tell the difference between all the possibilities in each category, without looking at the source code.

What's the difference between:

1. Arbitrary length integers:

A. CAutoBN_CTX (hint: bignum.h)
B. BIGNUM (hint: bignum.h)
C. CBigNum (hint: bignum.h)
D. base_uint<n>  (hint: uint256.h)

2. Representation of long integers:

A. "Compact" representation of CBigNum (used for difficulty storage)
B. Hex representation of CBigNum (not used in production code)
C. Base(b) representation of CBigNum (only used for debug messages)
D. Script Stack representation of CBigNum OR Serialized CBigNum (hint: CBigNum.setvch in bignum.h)
E. Script CastToBigNum() representation of CBigNum (hint: script.cpp: CastToBigNum())
F. OpenSSL mpi representation

3. Representation of sizes:

A. var_int or "Compact size"  (hint: serialize.h)
B. "Variable-length integers"  (hint: serialize.h)


These are real interpretation problems I had to face while digging into the Satoshi source code.

BYW: The code in serialize.h states over "Variable-length integers" : "Every integer has exactly one encoding".
This is mistaken. When you decode a var-length integer into an arbitrary fixed length type, an infinite number of encodings refer to the same number.
E.g.: decoding into an uint32: "0x80 0x80 0x80 0x80 0x00" = "0x80 0x80 0x80 0x80 0x80 0x00"  = "0x80 .... 0x80 0x00"
Please no more malleability!!! I wonder why it was necessary to invent a new encoding anyway.

I encourage Bitcoin pros to write their own quizzes and share them with the community.

Best regards, Sergio.

My proposals to reduce this kinds of risks are:

- Make non-compact Var_ints non-standard (this should harm nobody, since I don't know why a client should store them in any other way that the encoding of minimum size)

- Remove the MapRelay functionality (or at least explain what exactly is the functionality!)

After talking with the core dev about this issue, their opinion is that this is not a security threat, nor a vulnerability. Accordingly, it's best for the community to be informed about the problem so each user or organization evaluates if upgrading to the 0.8.3 version (instead of using the previous version, vulnerable to CVE-2013-4627) is desirable or not, depending on risks associated with their own Bitcoin infrastructure.

The original disclosure can be found at: https://bitslog.wordpress.com/2013/07/18/buggy-cve-2013-4627-patch-open-new-vectors-of-attack/

Here I'm copying the contents so bitcointalk users do not need to click on the link:

Buggy CVE-2013-4627 patch, open new vectors of attack

Secure coding is hard. But in Bitcoin, secure coding also means understanding every little detail of the undocumented (or code-documented) rules that Satoshi the great has brought to us mortals. CVE-2013-4627 patches a DoS vulnerability discovered by Peter Todd. The vulnerability is easy to spot once you read the code after the patch was applied. Bitcoin network messages can be of arbitrary sizes, and this is generally not a problem, with the sole exception of transaction messages. Almost all objects that are exchanged between Satoshi clients are deserialized to be stored in memory and serialized again when they need to be forwarded. . Transactions are also first deserialized in order to be parsed, but they are stored “as is” in a temporary cache called MapRelay, and forwarded without being serialized again. I really don’t know why this is done. But the point is that the storage of messages as they are received leads to the possibility that an attacker creates messages much bigger than the actual transaction object contained, which, when stored in MapRelay memory, can be used to exhaust the memory of a node. This is the code that patches the vulnerability:



This patch that supposedly solves the CVE-2013-4627 bug opens the door at least two other attacks. Transactions on the wire may have an encoding which is different from the encoding you get when you serialize and deserialize it.
Still after many efforts to standardize transactions, preventing ambiguity and storing signatures in a canonical form, transactions are malleable. So when you truncate vMsg, you don’t know what are you truncating.

Double-spend Attack

The attack works against sites that accept 0 confirmations like SatoshiDice. It could allow 100% effective double-spends. The idea is that you create a message vMsg with a transaction Tx such that:


But in the transaction stored in vMsg, the field vin.size is stored in a non-standard format that takes 4 bytes more.

Suppose that vin.size = 1. Then it is stored as: 0xfe 0×01 0×00 0×00 0×00, instead of being stored as “0×01″

When vMsg is truncated by vMsg.resize(nSize), it will become an invalid transaction (since 3 good bytes at the end will be chopped off).
Now the node that receives vMsg will process the Tx normally, but will relay the transaction vMsg (which is invalid). This is because the invalid tx in the msg will be stored in MapRelay for 15 minutes. Peers will ignore this invalid message. If the node processes Tx and responds with a transaction Tx’ (using Tx outputs, such as SatoshiDice) then Tx’ will end up in peer’s orphan cache, because Tx is not present since it wasn’t accepted.

So the attack works with 100% success rate for sites that create transactions as response to unconfirmed transactions, such as SatoshiDice, and are running version 0.8.3 of the Satoshi client.

Suppose that a site called InstantBitBets uses version 0.8.3 of the Satoshi client. The attack against InstantBitBets looks like this:

1. Locate the node of InstantBitBets. Connect directly to this node.
2. Create a bet in a Tx. Create a non-standard message vMsg with 1 extra byte and a non-standard  vin.size field.
3. Send it directly to InstantBitBets node.
4. If you receive a Tx’ saying that you won, broadcasts Tx to the rest of the network (normally).
5. If you’ve lost, move the funds from Tx to Tx2, and try again from Tx2 (this step might not even be necessary).

Also the attack could help to execute other kind of unknown attacks, since everybody expects a node to broadcasts successfully a Tx that it accepts.

Remote Anonymous Denial of Service Attack

If the right mix of Bitcoinj, old Satoshi nodes and new 0.8.3 nodes are present in the network, then a new attack vector emerges that is able to disconnect 0.8.3 nodes from Bitcoinj nodes remotely.
Consider, for example,  the following mix: old nodes=50%, 0.8.3 nodes=40%, Bitcoinj nodes=10%.

The attacker builds a transaction with an expanded var_int field (e.g.: input count). The expansion consist of encoding the count in more bytes than it is required. This transaction is forwarded to a bunch of 0.8.1 and prior clients. Alternatively, transactions passing through the attackers node can be modified on-the-fly, expanding the input count fields. Each of these clients will resend the tx without modification, and the tx will spread. When the transaction arrives to an old Satoshi code, it will broadcast it. When this transaction arrives to a 0.8.3 node, it will resend it truncated, and this will disconnect the 0.8.3 node from all Bitcoinj nodes surrounding it. I have not verified by testing that Bitcoinj does this, but I’m almost sure that the exception thrown will terminate the connection.
If the attack does not success the first time, the attacker can try as many times as he wants. As previously said, he can even use existing relayed transactions, expanding the input_count field. So after some minutes, and high number of modified txs, the attack must be successful.
The success probability depends on the number of old, 0.8.3 and bitcoinj nodes, and network topology. And the attackey may try sending the tx to different nodes to find the right path to the victim’s node. So I think that with enough tries, it will succeed even with very different client version mixes.

So basically the attack takes advantage of the network client mix, and remotely (an anonymously) harm 0.8.3/Bitcoinj nodes.
If the attacker knows that two victims are connected, one is a 0.8.3 nodes, and the other is a Bitcoinj node, he can remotely perform the attack to disconnect them.

Are these problems vulnerabilities of Bitcoin 0.8.3? It depends on what you expect from the protocol. If you expected the Satoshi code to be protected from DoS and 0-confirmation double-spends, then it is. It seems that Satoshi code was not designed to protect you from DoS, but it’s also true that the core developers have tried to add some DoS preventions since the Satoshi times.

In any case, it’s only a minor vulnerability or flaw.

Best regards, Sergio.

I have the following proposal:

Why don't we schedule a hard fork for 2014 to enable 50 additional opcodes that we know for sure that cannot have any semantic ambiguity or security flaw?

For example: OP_PUSH_BLOCK_DATE.

We also re-standarize small/fast arbitrary scripts (say no more than 10 ops, no more than 5 sigs)

So we give researchers and innovators a whole bunch of tools to try new ideas for real.

At the end it's a financial decision: if you want to use a long vanity address either you pay 20 times more in advance, or you pay a little more each time you receive a transaction.

Because a third party mining vanity addresses for you would need to prove to you that he didn't choose the pubkey using ECC (and knows the private key).
If you have a hash pre-image, that's a proof.
Also a simple sequence like 1,2,3 may end up in a weak case of a pubkey (I'm unsure if ECDSA has weak keys).

If you mine for yourself, then you can count simply as you said, but it would be better to choose the sequence starting from a random 32-byte value.

All info is in the FAQ (http://firmcoin.com/?page_id=29)

The idea is that the device is tamper-evident, and the private key is chosen by the Firmcoin and stored in tamper-proof memory.
If someone has violated the security of the device, the payee will know.
 

We have a way of establishing the severity of a vuln: the severity field (https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures)

But if you think that "DoS vulnerabilities" are not vulnerabilities, let's rename them to "DoS problems". I don't mind.

Regarding a systematic approach, I agree. This is what I wrote in the wiki much time ago (https://en.bitcoin.it/wiki/Weaknesses#Denial_of_Service_.28DoS.29_attacks):

  "Satoshi client does not directly limit peer bandwidth nor CPU usage."

Limiting peer resources would be a systematic approach.

Regarding programming: how can one help Bitcoin if one has half an hour of free time a day to dedicate to it?
I cannot program decent code in that time. It takes me half an hour to get concentrated on what I have to do, to do it right.

The best would be that people donated more money to the Foundation so the foundation could hire more programmers to do the hard work.