Bitcoin Forum
November 07, 2024, 12:00:01 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 [7]  All
  Print  
Author Topic: Bad signatures leading to 55.82152538 BTC theft (so far)  (Read 65145 times)
jl2012
Legendary
*
Offline Offline

Activity: 1792
Merit: 1111


View Profile
August 17, 2013, 10:58:25 AM
 #121

I know this is an extremely rough estimage, but guesstimating from Number of Transactions excl. popular we can speculate that roughly 20 kBTC have been moved from android wallets (assuming the spike is just that).

55 / 20k = 0.2% of funds stolen due to the bad RNG... could've been worse. I feel with the people who lost money, of course.

As of today only 51% of users of the Blockchain.info app have upgraded to a patched release, if the pattern is similar with other apps a fair number of wallets might still be vulnerable. But you are right it definitely could have been worse.

This is easy to figure out since one could simply screen the blockchain for bad signatures.

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
August 17, 2013, 08:47:42 PM
 #122

I know this is an extremely rough estimage, but guesstimating from Number of Transactions excl. popular we can speculate that roughly 20 kBTC have been moved from android wallets (assuming the spike is just that).

55 / 20k = 0.2% of funds stolen due to the bad RNG... could've been worse. I feel with the people who lost money, of course.

As of today only 51% of users of the Blockchain.info app have upgraded to a patched release, if the pattern is similar with other apps a fair number of wallets might still be vulnerable. But you are right it definitely could have been worse.

This is easy to figure out since one could simply screen the blockchain for bad signatures.

I don't understand what you mean. Obviously not all signatures made by android wallets are bad.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
hyperreal
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
August 18, 2013, 03:00:32 AM
 #123

I know this is an extremely rough estimage, but guesstimating from Number of Transactions excl. popular we can speculate that roughly 20 kBTC have been moved from android wallets (assuming the spike is just that).

55 / 20k = 0.2% of funds stolen due to the bad RNG... could've been worse. I feel with the people who lost money, of course.

Is there any evidence theft is the cause of the spike, or is this pure speculation? 

Couldn't a spike just as easily been caused by a large number users rotating keys (as would be expected when an updated is pushed out)?

Or, given the volatility of that graph, couldn't it have likely just been noise?
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
August 18, 2013, 07:49:32 AM
 #124

I know this is an extremely rough estimage, but guesstimating from Number of Transactions excl. popular we can speculate that roughly 20 kBTC have been moved from android wallets (assuming the spike is just that).

55 / 20k = 0.2% of funds stolen due to the bad RNG... could've been worse. I feel with the people who lost money, of course.

Is there any evidence theft is the cause of the spike, or is this pure speculation? 

Couldn't a spike just as easily been caused by a large number users rotating keys (as would be expected when an updated is pushed out)?

yeah, that's what I tried to say. Spike caused by key rotations.

Or, given the volatility of that graph, couldn't it have likely just been noise?

Yep. At the time I posted it looked more "spikey". It could still be noise or something else of course. But it's pretty clear that people moved their money. Hard to say how much, of course.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Jesse James
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
August 20, 2013, 01:45:40 AM
 #125

Check this out: https://bitcointalk.org/index.php?topic=277595.msg2968228#msg2968228 ... I don't think Android was the cause of most of the bad signatures seen recently (despite it's problems).
Nubarius
Sr. Member
****
Offline Offline

Activity: 310
Merit: 253


View Profile
August 20, 2013, 08:55:51 AM
 #126

What is the value range for k?

k must be between 1 and p where:

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

    = 2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1


This largest value is different from the one mentioned in the wiki (https://en.bitcoin.it/wiki/Private_key), which is  0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141. The exact number is not very important, but just out of curiosity, which is the right one?
jackjack
Legendary
*
Offline Offline

Activity: 1176
Merit: 1280


May Bitcoin be touched by his Noodly Appendage


View Profile
August 20, 2013, 09:16:41 AM
 #127

What is the value range for k?

k must be between 1 and p where:

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

    = 2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1


This largest value is different from the one mentioned in the wiki (https://en.bitcoin.it/wiki/Private_key), which is  0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141. The exact number is not very important, but just out of curiosity, which is the right one?
The latter
What you wrote is n and is the upper limit
p is just the prims number you use when doing EC operations

By the way its not really an upper limit: n+1 is a pretty valid private key, it's just that it's equal to 1 (as n+1 mod n == 1 mod n)

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
Nubarius
Sr. Member
****
Offline Offline

Activity: 310
Merit: 253


View Profile
August 20, 2013, 09:19:04 AM
 #128

^Ah, I see. Thanks!
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4270
Merit: 8805



View Profile WWW
August 20, 2013, 09:37:51 AM
 #129

By the way its not really an upper limit: n+1 is a pretty valid private key, it's just that it's equal to 1 (as n+1 mod n == 1 mod n)
If you generate that way you will end up with keys which are not equiprobable. The difference from uniform is very small, but its a certificational weakness you should avoid.
btcdrak
Legendary
*
Offline Offline

Activity: 1064
Merit: 1000


View Profile
November 09, 2013, 07:59:02 PM
 #130

By the way its not really an upper limit: n+1 is a pretty valid private key, it's just that it's equal to 1 (as n+1 mod n == 1 mod n)
If you generate that way you will end up with keys which are not equiprobable. The difference from uniform is very small, but its a certificational weakness you should avoid.

Is the version of securerandom.js used at bitaddress.org safe? https://github.com/pointbiz/bitaddress.org/blob/master/src/securerandom.js
Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1007


View Profile
November 09, 2013, 08:30:31 PM
 #131

Depends mostly upon where your browser gets it's values for Math.random() from I guess. This is quite off-topic however...

The part about Netscape4 is a bit weird, I wonder how often that triggers.

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
November 09, 2013, 09:47:11 PM
 #132

Depends mostly upon where your browser gets it's values for Math.random() from I guess. This is quite off-topic however...

The part about Netscape4 is a bit weird, I wonder how often that triggers.

netscape4 ?

EDIT: sorry, I see. You're talking about the linked code.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
jl2012
Legendary
*
Offline Offline

Activity: 1792
Merit: 1111


View Profile
November 09, 2013, 11:49:24 PM
 #133

By the way its not really an upper limit: n+1 is a pretty valid private key, it's just that it's equal to 1 (as n+1 mod n == 1 mod n)
If you generate that way you will end up with keys which are not equiprobable. The difference from uniform is very small, but its a certificational weakness you should avoid.

Is the version of securerandom.js used at bitaddress.org safe? https://github.com/pointbiz/bitaddress.org/blob/master/src/securerandom.js

I personally don't trust any computer generated random number. All my addresses are generated with other methods with 256bit entropy

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
bitpop
Legendary
*
Offline Offline

Activity: 2912
Merit: 1060



View Profile WWW
November 10, 2013, 12:40:26 AM
 #134

Damn I still use Netscape 4

BurtW (OP)
Legendary
*
Offline Offline

Activity: 2646
Merit: 1137

All paid signature campaigns should be banned.


View Profile WWW
December 22, 2013, 06:07:36 AM
 #135

That paper says that without /dev/random devices (what is a very rare case I believe) SecureRandom use only 31 bits of entropy. It is a horrible situation, but even in this case it is very unlikely that there will be two equal random numbers in signature creation in the whole world.

Given good "enough" secure random number generation the ECDSA used by Bitcoin works.  Bad random numbers, especially repeated numbers, is fatal to the ECDSA used by Bitcoin.

It has been suggested we move to a new ECDSA algorithm that does not use a random nonce.  We should.

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
mokahless
Sr. Member
****
Offline Offline

Activity: 471
Merit: 256



View Profile
August 31, 2017, 03:51:39 AM
 #136

As of August 24th, the funds are on the move. He waited 4 years to try to avoid detection.

https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4270
Merit: 8805



View Profile WWW
August 31, 2017, 05:15:05 AM
 #137

He waited 4 years to try to avoid detection.
Unless I'm missing something the party moving these coins may not be the thief... he could have sold them or deposited them in an exchange 4 years ago and they're just moving now.
Pages: « 1 2 3 4 5 6 [7]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!