Bitcoin Forum
December 04, 2016, 06:21:09 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Usage Report (including: conceptual security issue)  (Read 3079 times)
mkfifo
Newbie
*
Offline Offline

Activity: 4



View Profile
July 16, 2010, 11:52:10 AM
 #1

sorry for my english! I will try to be simple

Usage Report (bitcoin version 0.3.0)

1. [extremely important!] conceptual security issue:

because the program does not use unix-sockets (or -- named-pipes, if Windows) -- Next Problem of security possible:
так как программа не использует unix-сокеты (или -- именованные каналы, если windows) -- следущая проблемма безопасности возможна:

Code:
regular-user@desktop:~$ /opt/bitcoin/bitcoin-0.3.0/bin/32/bitcoind
bitcoin server starting
Code:
random-notprivileges-guest-user@desktop:~$ /opt/bitcoin/bitcoin-0.3.0/bin/32/bitcoind getbalance
0.04000000000000000

means -- a one user can steal money from another user :-(
значит -- один пользователь может украть деньги у другого :-(

that this did not happen -- unix-socket must be created with privileges 0770 (srwxrwx---)
чтобы такого не случилось -- unix-сокет должен создаваться с привелегиями 0770 (srwxrwx---)

unix-soket/named-pipe -- can be for example in the file ~/.bitcoin/link.socket , if the daemon is running in normal mode. or in the directory "$HOME/bitcoin.socket" (where: HOME=/var/run/bitcoin/ ) If the daemon in www-server-helper mode
unix-сокет/named-pipe -- может быть например в файле ~/.bitcoin/link.socket , в случае если демон запущен в обычном режиме. или в директории "$HOME/bitcoin.socket" (где: HOME=/var/run/bitcoin/ ) , если демон в режиме вспомогательного-компонента для www-сервера


2. can not run two copies of the program together, on one computer
невозможно запустить два экземпляра программы одновременно, на одном компьютере

Code:
random-notprivileges-guest-user@desktop:~$ /opt/bitcoin/bitcoin-0.3.0/bin/32/bitcoind
bitcoin server starting
Code:
regular-user@desktop:~$ /opt/bitcoin/bitcoin-0.3.0/bin/32/bitcoind
Unable to bind to port 8333 on this computer.  Bitcoin is probably already running.

because the program always uses the same port "8333". although there is no(!) conceptual necessity.
потому что программа использует всегда один и тот же порт "8333". хотя в этом нет(!) концептуальной необходимости.

but instead:  could use port "0" (zero, that is -- random port, yield by the operating system) in conjunction with unix-socket/named-pipes-if-windows
а вместо этого: можно было бы использовать порт "0" (нуль, то есть -- случайный порт, выдаваемый операционной системой) в сочетании с unix-сокетом/именовынным-каналом

3. inability to specify a comment to the transaction
невозможность указания комментария к транзакции

This is good (no problem) -- if I wish to stay anonymous.
это хорошо -- если я желаю остаться анонимным.

but what if I want to send the amount bitcoin-laundering and specify yourself as the sender? Anyone (who accidentally discovers that I sent the money) will be able to falsely claim that he also send money!
но что делать если я хочу послать сумму bitcoin-денег и указать себя как отправителя? кто угодно (кто случайно узнает что я посылал деньги) сможет обманно заявить что он тоже посылать деньги!

whether there was a technical problem (at the protocol level) that to transaction add comment?
существует ли техническая проблема (на уровне протокола) чтобы к транзакциям была возможность добавлять комментарий?

4. impossibility IPv6 -- this is somehow strange ... in 2009~2010
невозможность IPv6 -- это как-то странно... в 2009~2010 году

see:
hints.ai_family = AF_UNSPEC ;
getaddrinfo(...) ;
...
... etc

5. using OpenSSL -- is no good in licence meaning

OpenSSL - is not BSD-license, and not even GNU-GPL-licensed
OpenSSL -- имеет не BSD-лицензию, и не даже не GNU-GPL-лицензию

as a result bitcoin can not publish -- on the GNU_xxx-licensed, and on the BSD/MIT/...-license (in pure unmodified license, without further infringing on the freedom of the conditions)
в результате bitcoin нельзя опубликовать как по GNU_xxx-лицензии так и по BSD/MIT/...-лицензии (в чистом немодифицированном виде лицензий, без дополнительных ущемляющих свободу условий)

may be GnuTLS, or else something ..... ?
может лучше GnuTLS или ещё чтото?

((( but this is not criticat! :-) just a little comment :-) )))

6. good idea! I liked it!
идёя хорошая! мне понравилось!

All this Mego brilliant!
всё это мего гениально! :-)
1480875669
Hero Member
*
Offline Offline

Posts: 1480875669

View Profile Personal Message (Offline)

Ignore
1480875669
Reply with quote  #2

1480875669
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480875669
Hero Member
*
Offline Offline

Posts: 1480875669

View Profile Personal Message (Offline)

Ignore
1480875669
Reply with quote  #2

1480875669
Report to moderator
1480875669
Hero Member
*
Offline Offline

Posts: 1480875669

View Profile Personal Message (Offline)

Ignore
1480875669
Reply with quote  #2

1480875669
Report to moderator
mkfifo
Newbie
*
Offline Offline

Activity: 4



View Profile
July 16, 2010, 12:35:35 PM
 #2

I think -- paragraph#3 it is not critical if make implement paragraph#4
я думаю -- пункт#3 не критичен, если реализовать пункт#4

because, may to send comments while sending bitcoins-coins on ip :-)
потому что, ведь можно посылать комментарии, при отправке bitcoins-монет на ip :-)

(ip-address version 6 -- have all (or -- may have each), and it is unique, each one time)
(ip-адрес версии 6 -- есть у всех (или -- может быть у каждого), и он уникальный, в каждый один момент времени)
d1337r
Jr. Member
*
Offline Offline

Activity: 35



View Profile
July 16, 2010, 03:09:00 PM
 #3

Well, not everyone has a "white" (direct) IPv6 address, but aiming a little bit to the future would be a nice idea.

My BC: 1FA57SXagJUq7zhnk5kTQMQmWSE3eBVbMr
bdonlan
Member
**
Offline Offline

Activity: 81


View Profile
July 16, 2010, 04:04:48 PM
 #4

Adding comments to transactions is difficult. You could possibly do it by adding some non-executing code to the TxOut signature verification script - but anyone on the network would be able to read it. You can't encrypt it so only the recipient can read it, because you don't have their key - only a hash of it. This seems like something that could use a higher level overlay protocol on top of the core bitcoin protocol...
mkfifo
Newbie
*
Offline Offline

Activity: 4



View Profile
July 16, 2010, 05:12:27 PM
 #5

Quote
... but anyone on the network would be able to read it. You can't encrypt it so only the recipient can read it, ...

it is not so bad! :-)

information itself internally Comments Bitcoin-transactions -- may be useless for all recipients except end-point Bitcoin-participants
сама информация внутри коментария Bitcoin-транзакции -- может быть бесполезна для всех получателей кроме конечных Bitcoin-участников

For example, if these two Bitcoin-users (or -- user and shop) can agree on the use of GPG in comments. although they may agree and what else ... example using -- conditional-single-used codes (shop -- itself can generate single-used codes and ask user to paste them into comment).
например если эти два Bitcoin-участника (или -- участник и магазин) могут договориться об использовании GPG внутри комментариев. хотя они могут договориться и о чём то другом... например об условных одноразовых кодах (магазин сам может генерировать эти коды и просить вставлять их внутрь комментариев).

the main thing -- that the program-Bitcoin warn users -- that the comment is not private, and that should not be use comments for anonymously transactions :-)
главное -- чтобы программа-Bitcoin предупреждала пользователей о том что комментарий не приватный, и что не следует использовать комментарии если требуется анонимная транзакция :-)
d1337r
Jr. Member
*
Offline Offline

Activity: 35



View Profile
July 16, 2010, 05:54:58 PM
 #6

Well, if the "coin" is encrypted with the public key of the recipient, and the recipient decrypts it using his private key, why shouldn't comments (and sender's name) be encrypted with the same key too?

My BC: 1FA57SXagJUq7zhnk5kTQMQmWSE3eBVbMr
Insti
Sr. Member
****
Offline Offline

Activity: 294


Firstbits: 1duzy


View Profile
July 16, 2010, 09:58:05 PM
 #7

You don't really want to be bloating the transaction history, which everyone has to carry around in the block chain, with peoples comments as well.

If you need to know who a transaction is from you can:
a) create a one time receiving address
or
b) get them to submit their sending address and check for transactions from there. (send from specific addresses would need a client modification but not a protocol modification)

Bitcoiner
Member
**
Offline Offline

Activity: 70


View Profile
July 17, 2010, 12:12:46 AM
 #8

You don't really want to be bloating the transaction history, which everyone has to carry around in the block chain, with peoples comments as well.

If you need to know who a transaction is from you can:
a) create a one time receiving address
or
b) get them to submit their sending address and check for transactions from there. (send from specific addresses would need a client modification but not a protocol modification)



Does the protocol support sending from a spoofed address?

Want to thank me for this post? Donate here! Flip your coins over to: 13Cq8AmdrqewatRxEyU2xNuMvegbaLCvEe  Smiley
Insti
Sr. Member
****
Offline Offline

Activity: 294


Firstbits: 1duzy


View Profile
July 17, 2010, 12:19:32 AM
 #9

You don't really want to be bloating the transaction history, which everyone has to carry around in the block chain, with peoples comments as well.

If you need to know who a transaction is from you can:
a) create a one time receiving address
or
b) get them to submit their sending address and check for transactions from there. (send from specific addresses would need a client modification but not a protocol modification)



Does the protocol support sending from a spoofed address?

Only if you have the private key, in which case it's not really spoofed.
(I'm talking Bitcoin addresses, not ip addresses.)

mtgox
Full Member
***
Offline Offline

Activity: 185


View Profile WWW
July 17, 2010, 01:35:40 AM
 #10

Insti: But it doesn't tell you where money was sent from. It only says sent from "unknown".

Insti
Sr. Member
****
Offline Offline

Activity: 294


Firstbits: 1duzy


View Profile
July 17, 2010, 02:05:33 AM
 #11

Insti: But it doesn't tell you where money was sent from. It only says sent from "unknown".
Thats a limitation of this implementation of the client.
the senders bitcoin address IS in the transaction data: (This is a randomly selected transaction dumped by bitcointools)

['TxIn: prev(eed0...7ba2:1) pubkey: 1HyJzQh5i8vJ91kaLnbemTWzRPMnJpnFC3 sig: 73:3046...0701 65:04e0...bca4']
['TxOut: value: 320.00 pubkey: 1HCvjbEUG8rLdUeXZPoKVxHfKwbU7aRi5A Script: DUP HASH160 20:b1c3...fb46 EQUALVERIFY CHECKSIG', 'TxOut: value: 5.00 pubkey: 16RJhLEjd7YyYytVoABB9kgGQr5DAEyWaw Script: DUP HASH160 20:3b71...934b EQUALVERIFY CHECKSIG']


Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!