Bitcoin Client Exploit

[dircules]

Would be an explanation for all the stolen BCs...

All these clients are nicely p2p networked, IPs available for everyone, traceable...if someone exploits the client => mass robbing!

[1713584710]

1713584710

[1713584710]

1713584710

[1713584710]

1713584710

[myrkul]

No need. Most of these clients are running on windows, which has security holes big enough to drive an M1 Abrams through.

[kw71]

That's probably not the situation.

Someone could be distributing a trojaned modified client, though.

What's been going on lately is, a modified poclbm was circulated that contains a trojan.  Apparently people fell for its claims of cpu efficiency or whatever.

[gigawatt]

There's quite a few problems with this.
Unless a person is running a client configured to act like a server and somehow removes a username/password requirement along with allowing any IP, then sure, someone could just tell the client to send out the coins in their wallet.

Secondly, assuming that the client is configured properly and that it's a buffer overflow (or something similar) via network communication... well... the source code for the bitcoin client is publicly available and there haven't been any exploits so far.  That's not to say that there's no chance that there's a potential exploit, but for the most part, bitcoin has well defined protocol standards and uses JSON formatting to send data.

Lastly, if you're talking a local malicious action (where a user has access to a computer directly), then there's nothing bitcoin could do to stop it because that's a system wide unauthorized access.  Anything a user could do an attacker would do.


So long story short, I wouldn't sweat it.  Bitcoin uses well defined standards so unless there happens to be a massive gaping hole in open source software that nobody's managed to spot (and the exploitation of it thus far has impossibly managed to stay invisible), then there really isn't a need to worry.

[BitterTea]

What's been going on lately is, a modified poclbm was circulated that contains a trojan.  Apparently people fell for its claims of cpu efficiency or whatever.

Was there a thread on this?

[TiagoTiago]

No need. Most of these clients are running on windows, which has security holes big enough to drive an M1 Abrams through.

Tanks can go thru lots of things easily regardless of the original size of the opening, perhaps a blimp would be a better vehicle to illustrate your point.

[myrkul]

No need. Most of these clients are running on windows, which has security holes big enough to drive an M1 Abrams through.

Tanks can go thru lots of things easily regardless of the original size of the opening, perhaps a blimp would be a better vehicle to illustrate your point.

Fine point, fine point...

Very well, Consider my statement to be amended thus: ...big enough to float the Goodyear blimp through.

[okiyama]

On the matter, wouldn't it be fairly easy to sneak malware onto any of the various parts of mining. The miner, the kernel, these are all exes that could be potentially tampered with.

[peedee]

On the matter, wouldn't it be fairly easy to sneak malware onto any of the various parts of mining. The miner, the kernel, these are all exes that could be potentially tampered with.

Definately very easy, so only download from trusted sites / users. Which are those? I don't know, just got here 

[myrkul]

Best practices:
Do not mine on the same computer you run the client on.
Do not run the client on a potentially compromised system. (IMO this includes ALL windows systems)
Back up your wallet.dat securely. There are other threads about that.
ONLY use the client from Bitcoin.org. It's free, there's no reason to get it anywhere else.


I'm sure there are more, But this will be a good start.

[Yatta99]

On the matter, wouldn't it be fairly easy to sneak malware onto any of the various parts of mining. The miner, the kernel, these are all exes that could be potentially tampered with.

Definately very easy, so only download from trusted sites / users. Which are those? I don't know, just got here 

If in doubt go to the 'mining software' sub-board of the 'mining' topic. In one of the stickies you will find a list of clients and their links for download. Download from those rather than from some random Google search. Lots of good info in there too on client recent changes, upcoming changes, and how to run/use. Good Luck.

[Bastet]

Never mind a Bitcoin Client Exploit...

ANYTHING downloaded after the sharp rise in Bitcoin prices is a potential trojan wallet stealer.

You really like that fancy free screensaver/app/util/crack/game/whatever.  You download and install.  2 minutes later, wallet & Bitcoins gone.

I expect the amount to Bitcoin hack/trojan heists to sharply increase in the next few months.

You have been warned.  Take appropriate evasive maneuvers meow.

[willphase]

Catalyst 11.6 comes out... Wallets get stolen... AMD stock goes up... Are they linked?! Tinfoil hats!

[myrkul]

You want some tinfoil hat stuff...
Gavin talks to government about Bitcoin => Mining pools and Mt Gox get DDoSed.

Coincidence?

I think not!

[dircules]

The point is that because Bitcoin is P2P based, you could identify ppl with bitcoins pretty easily + if you got a client exploit, GOTCHA, 100% vulnerability...

[LokeRundt]

The point is that because Bitcoin is P2P based, you could identify ppl with bitcoins pretty easily + if you got a client exploit, GOTCHA, 100% vulnerability...

I hereby dub you "Derpcules"

[myrkul]

The point is that because Bitcoin is P2P based, you could identify ppl with bitcoins pretty easily + if you got a client exploit, GOTCHA, 100% vulnerability...

I hereby dub you "Derpcules"

+1