analyticnomad
Newbie
Activity: 77
Merit: 0
December 20, 2025, 02:24:37 AM
The guy using MySQL (2005 called, they want their phpMyAdmin back) and thinking 600 million records is technically a problem is trying to roast the guy who single-handedly solved 67 and 68 literally just a few months ago.
Terrific. The best part is that you don't understand what "Vanity addresses" have to do with anything.
I think this alone speaks volumes on where your pool will end up really soon, which is in a historical trash bin. There is absolutely no reason for anyone to trust that even a single key has ever been scanned by anybody, so there is zero incentive for anyone to join your pool.
Oh and BTW you can easily store many billions of entries in a SQLite file on disk, with instant lookup. I think you don't understand how a database works, have you heard about indices?
Oh, I completely forgot that there's a generation here for whom MySQL is no longer considered a real database... Good thing you don't even know what punch cards are — you probably couldn't handle that either. If memory usage in programs is not a problem for you, then you wouldn't limit the DP in Kangaroo. Are there proofs of how 67 and 68 were solved? I and many others would be grateful to know: what role do vanity addresses actually play here? After all, addresses are generated from a public key, and two identical vanity addresses could be located at the beginning and end of the range! Facts, facts, facts... We only need facts!

Dude you just activated three of the most legit people on here all telling you the same thing. Probably time you swallowed your pride and let this one go.

realnewuser
Newbie
Activity: 11
Merit: 0
December 20, 2025, 07:18:04 AM
Just for kicks, I will spoof your pool occasionally. You will never know when, or what ranges, or what user did it. How's that for fun? How does everyone participating in your pool feel about this concept? I can afford losing a few hours to automate this stuff, and neither you nor anyone else that ever joined your pool will ever, ever know, what ranges are actually scanned or not.
Unexpected words from a respected member. Are you truly prepared to spend several hours of your valuable time just to spite people and cause harm?

Sanka555
Member
Activity: 98
Merit: 36
December 20, 2025, 07:56:00 AM
in the pool honestpool.ru there is no "general prize".
There are no prizes for checking more segments than others.
The prize is in no way shared between the participants.
It's just a "notebook" of friends engaged in a common cause.
You don't get any points for completing the segments.
If there is some idiot who decides to check the segments exactly until the control addresses are found and aborts the process until the last point is reached. (this cannot be done in any other way except by direct sequential iteration) then the losses will amount to about 0.001% and only from the part that he personally checked. Against the background of 67 million, this is dust. You can ignore such a pimply jerk. It will not affect the chances of other participants in any way.

k2laci
Member
Activity: 183
Merit: 10
December 20, 2025, 08:16:35 AM
in the pool honestpool.ru there is no "general prize".
There are no prizes for checking more segments than others.
The prize is in no way shared between the participants.
It's just a "notebook" of friends engaged in a common cause.
You don't get any points for completing the segments.
If there is some idiot who decides to check the segments exactly until the control addresses are found and aborts the process until the last point is reached. (this cannot be done in any other way except by direct sequential iteration) then the losses will amount to about 0.001% and only from the part that he personally checked. Against the background of 67 million, this is dust. You can ignore such a pimply jerk. It will not affect the chances of other participants in any way.
Another vote for honestpool. Maybe there’s no prize and the tokens are worthless, but it’s open‑source, transparent, and it lists the ranges that have already been solved. I hope many people will join here.

kTimesG
December 20, 2025, 09:29:19 AM
Unexpected words from a respected member. Are you truly prepared to spend several hours of your valuable time just to spite people and cause harm?
Are you truly thinking I didn't already do it? Or someone else hasn't done it already? Or that I'm the only one who can do it? For me, it can only be a win-win, because:
- I know for sure what I scanned and what not
- I'm scanning
- your notebook, though untrusted, can be used to set a lower priority (again, for me) of ranges that I haven't yet scanned. But then again, I could as well just pick randomly unscanned ranges, it would basically be the same thing as what the pool responds with.

For you guys, it's only a harm if you actually think your notebook is a source of truth, when in reality the DB designer cannot prove that even a SINGLE key in the entire database has ever been scanned, and doesn't give two fucks on either understanding the issue, or fixing the problem. In short, if you either join this kind of pool, or scan solo, it's basically an identical operation. Except that you get more chances by going solo, because the pool is not a source of trust, so you might as well skip the winning key because your pool said it's not there. Pretty much the exact opposite of what you wanted.

Off the grid, training pigeons to broadcast signed messages.

k2laci
Member
Activity: 183
Merit: 10
December 20, 2025, 10:01:22 AM
Unexpected words from a respected member. Are you truly prepared to spend several hours of your valuable time just to spite people and cause harm?
Are you truly thinking I didn't already do it? Or someone else hasn't done it already? Or that I'm the only one who can do it? For me, it can only be a win-win, because:
- I know for sure what I scanned and what not
- I'm scanning
- your notebook, though untrusted, can be used to set a lower priority (again, for me) of ranges that I haven't yet scanned. But then again, I could as well just pick randomly unscanned ranges, it would basically be the same thing as what the pool responds with.

For you guys, it's only a harm if you actually think your notebook is a source of truth, when in reality the DB designer cannot prove that even a SINGLE key in the entire database has ever been scanned, and doesn't give two fucks on either understanding the issue, or fixing the problem. In short, if you either join this kind of pool, or scan solo, it's basically an identical operation. Except that you get more chances by going solo, because the pool is not a source of trust, so you might as well skip the winning key because your pool said it's not there. Pretty much the exact opposite of what you wanted.

You can indeed scan on your own, but a single RTX 5090 would take about 5,000 years to finish. However, with 1,000 RTX 5090 cards the job would be done in around 5 years — and after that you can just sell the cards.

Cricktor
Legendary
Activity: 1344
Merit: 3341
December 20, 2025, 10:36:06 AM
... Pretty much the exact opposite of what you wanted.
This is what I don't understand why someone would want to join a public pool that doesn't use unspoofable solid PoW for checked ranges. When you scan, you spend energy aka money because commonly energy doesn't come for free. I wouldn't want to join a pool which isn't mostly open-source so that I or others can see, it only accepts unspoofable PoW and handles region shards properly. Checked shards that don't yield a solution should be near 100% sure a solution isn't missed. Whatever it takes to achieve this for a pool, is in my opinion mandatory. To develop this, could be a community project. Some loudmouths here could channel their energy into something productive, couldn't they? As for the client part of a scanner, I'm not eager to run and burn energy with a closed-source executable. OK, I'm not a programmer enough to decide if you have to hide something. Security by obscurity is a failed concept in my opinion. Proper TM design of the pool, secured communication, solid unspoofable PoW, blocking of malicious clients shouldn't be impossible to achieve in an open-source fashion, allowing verification and improvement by more than a single shoulder. Yes, I'm still a bit idealistic. Why not?

I think we can agree that puzzle #71 and up requires computational expenses to find the correct private key which are in the ballpark or over the prize reward (on average, not accounting incredible luck). So it's barely profitable or not at all for a single entity to solo scan it all on their own. The part I'm struggling with is how to prevent a client scanner to run away with the prize coins when it finds the valid solution for the puzzle. The quick answer is likely a closed-source client that verifies it hasn't been tampered and the pool only accepts PoW from such a verified client scanner. Meeh, this sucks (at least for me). Public pool operation doesn't come for free either when PoW has to be verified. So, naturally the public pool needs its share of a puzzle's prize.
Counting on the finder to be honest involves trust and vice versa for the pool kinda, too. I see, it's complicated.
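
One possible shape for the checked-range proof asked for in the post above, as an added example (not code from any pool or poster in this thread): the client returns every key in its range whose hash falls under a difficulty target, and the pool verifies those cheaply and rescans one small window. SHA-256 of the key stands in for hash160 of the public key, and the difficulty, range and audit window are constructed assumptions.

```python
import hashlib

DIFFICULTY_BITS = 6  # assumed: roughly 1 key in 64 qualifies as a proof

def digest(key: int) -> bytes:
    # Stand-in for hash160(pubkey(key)), which a real scanner computes anyway.
    return hashlib.sha256(key.to_bytes(32, "big")).digest()

def is_proof(key: int) -> bool:
    # A key is a proof when its digest starts with DIFFICULTY_BITS zero bits.
    return digest(key)[0] >> (8 - DIFFICULTY_BITS) == 0

def scan(start: int, end: int) -> list:
    """Honest client: hash every key in [start, end) and keep the proofs."""
    return [k for k in range(start, end) if is_proof(k)]

def verify(start, end, proofs, audit_start, audit_len):
    """Pool side. Returns (accepted, reason)."""
    claimed = set(proofs)
    # Step 1, cheap: one hash per submitted proof, no scanning.
    for k in claimed:
        if not start <= k < end:
            return False, "proof outside assigned range"
        if not is_proof(k):
            return False, "forged proof"
    # Step 2, spot check: rescan a small window chosen by the pool and
    # require exactly the proofs that exist there.
    lo, hi = max(start, audit_start), min(end, audit_start + audit_len)
    expected = set(scan(lo, hi))
    submitted = {k for k in claimed if lo <= k < hi}
    if submitted != expected:
        return False, "proofs missing in audited window"
    return True, "ok"

# Constructed sample assignment: 65,536 keys, audit window of 4,096 keys.
START, END = 1 << 20, (1 << 20) + 65536
AUDIT_START, AUDIT_LEN = START + 40000, 4096

def demo() -> dict:
    honest = scan(START, END)
    partial = scan(START, START + 32768)  # report that covers only half the range
    fake = next(k for k in range(START, END) if not is_proof(k))
    return {
        "honest": verify(START, END, honest, AUDIT_START, AUDIT_LEN),
        "partial": verify(START, END, partial, AUDIT_START, AUDIT_LEN),
        "forged": verify(START, END, honest + [fake], AUDIT_START, AUDIT_LEN),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Coverage is only checked inside the audited window, so the pool has to pick the window after the proofs are submitted and keep it unpredictable. The scheme says nothing about what a client does with a winning key, which is the separate trust problem the post describes.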

brainless
Member
Activity: 451
Merit: 35
December 20, 2025, 01:10:40 PM
Someone have no machine CPU cyclone to gpucyclone ver with his range list file load features That could help to achieve high speed for work ?

13sXkWqtivcMtNGQpskD78iqsgVy9hcHLF

Cricktor
Legendary
Activity: 1344
Merit: 3341
December 21, 2025, 10:53:48 AM
... Why do you full quote OP's starting post, when the OP has been inactive for roughly one and a half years time? Additionally you posted an unnecessary and annoying necro-full-quote without any own content. What's the purpose of this? If you made a mistake, there's an edit button. Yes, you're a newbie, likely unaware of Unofficial list of (official) Bitcointalk.org rules, guidelines, FAQ. Please, read and understand the forum's rules first before you post. Oh and put a few brain cells together and use 'em if you can add something of value to this topic here.

Bram24732
Member
Activity: 224
Merit: 22
December 21, 2025, 12:28:29 PM Last edit: December 21, 2025, 02:32:07 PM by Bram24732
Proper TM design of the pool, secured communication, solid unspoofable PoW, blocking of malicious clients shouldn't be impossible to achieve in an open-source fashion, allowing verification and improvement by more than a single shoulder. Yes, I'm still a bit idealistic. Why not?
I would be happy to participate in the development of a safer pool. An open source one with as little trust assumptions as possible. Should not be that hard to code. If there is any interest, let me know.

E36cat
Newbie
Activity: 53
Merit: 0
December 21, 2025, 01:07:39 PM
Bram, if you make a pool, I will 100% join. I know that if the key is found you will be fair and honest...

FrozenThroneGuy
Member
Activity: 72
Merit: 43
December 21, 2025, 07:00:05 PM Last edit: December 21, 2025, 07:13:46 PM by FrozenThroneGuy
Hello guys! For secure communication between srv and client in a pool, don’t use PKI (like TLS certs, enrollment headache, revoke and etc). Try to use simplest way with HMAC and AEAD with redis for personal key storing. Like my small library: https://github.com/Dookoo2/HashTransit-HT

It gives you:
1. SRV auth.
2. Client auth.
3. Strong auth of each request and response
4. Reply protection
5. Rate limiting per user.

And many another features. This is a part of my pool, but in another form. Check it, it will be useful for anyone, who wants to build your own client-srv communication secure

kTimesG
December 21, 2025, 08:05:39 PM
Hello guys! For secure communication between srv and client in a pool, don’t use PKI (like TLS certs, enrollment headache, revoke and etc). Try to use simplest way with HMAC and AEAD with redis for personal key storing.
Why would you encourage to dump L3/L4 security and move it to L7? Unless you want every router on this planet that routes your packets to rewrite your HTTP headers a little? Maybe the body too? Or maybe some shell code embedded at the end of a nice redirect that maybe some libraries would automatically follow. TLS can do both server and client auth, and more critically, early TCP termination. Don't overthink it, this is the simple way, not rolling your own crypto and hoping it's safe (hint: it's not).

Off the grid, training pigeons to broadcast signed messages.

FrozenThroneGuy
Member
Activity: 72
Merit: 43
December 21, 2025, 08:45:19 PM
Hello guys! For secure communication between srv and client in a pool, don’t use PKI (like TLS certs, enrollment headache, revoke and etc). Try to use simplest way with HMAC and AEAD with redis for personal key storing.
Why would you encourage to dump L3/L4 security and move it to L7? Unless you want every router on this planet that routes your packets to rewrite your HTTP headers a little? Maybe the body too? Or maybe some shell code embedded at the end of a nice redirect that maybe some libraries would automatically follow. TLS can do both server and client auth, and more critically, early TCP termination. Don't overthink it, this is the simple way, not rolling your own crypto and hoping it's safe (hint: it's not).

Each modification of payload/headers - will be blocked by library instantly. TLS can't do:
1. Request validation.
2. Integrity check.
3. Reply protection on an app layer

And HT has limiters (request per ip/per key). And also works with tls in Mode C:) And by the way, typical TLS connection needs tcp handshake for conn establish. For hundreds of requests it can decrease speed of communication between srv and client. And I also don't use my own crypto, HT use openssl for it. (Sha, aes, cha-cha)

kTimesG
December 21, 2025, 09:27:14 PM
And by the way, typical TLS connection needs tcp handshake for conn establish. For hundreds of requests it can decrease speed of communication between srv and client.
Assuming you're running a web server, for some unknown reason. And that the system uses "requests" and "responses". Or HTTP. And that more than a single initial TLS handshake is ever needed, instead of a long-lasting socket. Without TLS, the entire traffic is subject of malleability and MITM, and countless other forms of attacks, and no amount of protection in the upper layers can help. So headers checkin' is the last worry, when random data that anyone can modify and see is flowing in and out. I don't think a puzzle pool is exactly similar to a JavaScript snippet running in Internet Explorer and doing XHR calls. We're in 2026 almost, 14 years post Snowden NSA leaks. But each their own.

Off the grid, training pigeons to broadcast signed messages.

pliego
December 21, 2025, 09:50:52 PM
i dont know if headers checking is really the "last worry" when a mitm attack could theoretically feed you fake work or hijack your solution if you actually hit it, security should never be an afterthought especially when there is 32 btc on the line, that is enough money to make people get very creative with their attacks

nomachine
December 21, 2025, 10:12:39 PM
We're in 2026 almost, 14 years post Snowden NSA leaks. But each their own.
Here’s a demo showing how an attacker can potentially gain access to a system even when the PC appears to be powered off, by exploiting Intel ME/IMR (Management Engine) components. https://www.youtube.com/watch?v=9fhNokIgBMU&t=1839s

If the ethernet cable is still connected and the machine remains plugged into AC power, the Intel ME network stack can stay active below the OS level. The host CPU and operating system may be halted, but ME firmware can still maintain network presence. This is why, on systems with ME enabled in firmware/BIOS, full isolation requires physically unplugging both the network cable and the power cord, simply shutting the OS down isn’t sufficient. There are mitigation approaches such as ME Cleaner and Libreboot that attempt to neutralize or remove ME firmware components from the SPI flash, though support varies by hardware and some ME functionality is required for platform initialization.

BTC: bc1qdwnxr7s08xwelpjy3cc52rrxg63xsmagv50fa8

kTimesG
December 21, 2025, 10:51:36 PM
If the ethernet cable is still connected and the machine remains plugged into AC power, the Intel ME network stack can stay active below the OS level. The host CPU and operating system may be halted, but ME firmware can still maintain network presence.
Yeah but does it validate JSON in the response body? I wasn't expecting anything less than this kind of stuff from you. Welcome back!

i dont know if headers checking is really the "last worry" when a mitm attack...

TLS encrypts the entire transport (it's in the name) so doing integrity tests on the app layer when the channel is already ensured to be secure is redundant. App layer is responsible for totally other things, the transmission integrity is not one of them. At most, it can only break things that work.

Off the grid, training pigeons to broadcast signed messages.

Wanderingaran
Newbie
Activity: 37
Merit: 0
December 21, 2025, 11:15:01 PM
There are mitigation approaches such as ME Cleaner and Libreboot that attempt to neutralize or remove ME firmware components from the SPI flash, though support varies by hardware and some ME functionality is required for platform initialization.

Yeah, Intel ME is a legit problem. It’s basically a built-in backdoor: a whole extra co-processor running a stripped-down MINIX OS that can take over your box and execute code without you ever touching a key. Look at System76 or Purism hardware....they flash Coreboot, strip out ME, clean the firmware. There’s a reason they do that. If Intel ME was harmless, FBI and NSA wouldn’t be ordering custom rigs from OEMs with the ME nuked from orbit. Feds wouldn’t be rolling with consumer laptops straight off Best Buy shelves. Everybody in the field knows: if it’s inside the silicon and outside your control, you never trust it.

FrozenThroneGuy
Member
Activity: 72
Merit: 43
December 21, 2025, 11:31:55 PM
i dont know if headers checking is really the "last worry" when a mitm attack could theoretically feed you fake work or hijack your solution if you actually hit it, security should never be an afterthought especially when there is 32 btc on the line, that is enough money to make people get very creative with their attacks
Pls read this: https://github.com/Dookoo2/HashTransit-HT

MITM attacks are simply impossible with HT. But if you dream further, it's much easier to catch data in the local host's memory than to try to crack nonce and bypass the timestamp
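
Per-request HMAC authentication with the timestamp and nonce checks this thread argues about, as an added example in Python (not HashTransit's code or API; every name, the 30-second window, the sample request and the in-memory nonce store standing in for Redis are assumptions). It authenticates and de-duplicates requests but encrypts nothing, so confidentiality still has to come from AEAD or TLS.

```python
import hashlib, hmac, json, os

MAX_SKEW = 30  # seconds a signed request stays acceptable (assumed value)

def canonical(msg: dict) -> bytes:
    # Deterministic encoding so both sides compute the MAC over identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign_request(key: bytes, client: str, body: dict, now: int, nonce=None) -> dict:
    msg = {"client": client, "ts": now,
           "nonce": (nonce or os.urandom(16)).hex(), "body": body}
    return {**msg, "mac": hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()}

class Verifier:
    def __init__(self, keys: dict):
        self.keys = keys  # client id -> per-client secret
        self.seen = {}    # (client, nonce) -> expiry; stands in for Redis keys with a TTL

    def check(self, req: dict, now: int) -> str:
        client = req.get("client")
        key = self.keys.get(client) if isinstance(client, str) else None
        if key is None:
            return "unknown client"
        try:
            msg = {f: req[f] for f in ("client", "ts", "nonce", "body")}
        except KeyError:
            return "malformed"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        # MAC first: no other field is trusted until it verifies (constant-time compare).
        if not hmac.compare_digest(expected.encode(), str(req.get("mac", "")).encode()):
            return "bad mac"
        if not isinstance(msg["ts"], int) or abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"
        # Forget nonces whose requests can no longer pass the timestamp check.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (client, msg["nonce"]) in self.seen:
            return "replay"
        self.seen[(client, msg["nonce"])] = msg["ts"] + MAX_SKEW
        return "ok"

KEY = b"constructed-demo-key-not-a-real-secret"

def demo() -> list:
    v = Verifier({"worker-1": KEY})
    req = sign_request(KEY, "worker-1", {"range": "0x400000-0x40ffff", "status": "done"}, now=1000)
    tampered = {**req, "body": {"range": "0x400000-0x40ffff", "status": "found"}}
    old = sign_request(KEY, "worker-1", {}, now=900)
    return [v.check(req, 1005), v.check(req, 1010), v.check(tampered, 1005), v.check(old, 1005)]

if __name__ == "__main__":
    print(demo())
```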