Bitcoin Forum
Author Topic: Alternative Block Chains : be safe!  (Read 1289635 times)
Gavin Andresen (OP)
September 09, 2011, 01:21:18 PM
Last edit: September 09, 2011, 04:41:38 PM by Gavin Andresen
 #1

I haven't seen anybody post about what would be my biggest worry if I were trying out alternative block chains. I realize this may be perceived as "Gavin is FUD'ding anything that isn't bitcoin!"  (FUD == Fear, Uncertainty and Doubt)  But I think some of you might be forgetting some basic computer security fundamentals in the excitement to be early adopters.

When I first heard about bitcoin, my questions were:

1) Can it possibly work (do the ideas for how it works make sense)?
2) Is it a scam?
3) If it is not a scam, could it open my computer up to viruses/trojans if I run it?

I answered those questions by:

1) Reading and understanding Satoshi's whitepaper.  Then thinking about it for a day or two and reading it again.
2) Finding out everything I could about the project.  I read every forum thread here (there were probably under a hundred threads back then) and read Satoshi's initial postings on the crypto mailing list.
3) Downloaded and skimmed the source code to see if it looked vulnerable to buffer overflow or other remotely exploitable attacks.

If I were going to experiment with an alternative block-chain, I'd go through the same process again. But I'm an old conservative fuddy-duddy.

If you want to take a risk on a brand-new alternative block-chain, I'd strongly suggest that you:

1) Run the software in a virtual machine or on a machine that doesn't contain anything valuable.
2) Don't invest more money or time than you can afford to lose.
3) Use a different passphrase at every exchange site.


How often do you get the chance to work on a potentially world-changing project?
Lolcust
September 09, 2011, 01:48:36 PM
 #2

Thank you Gavin.

The only things I might add are that "use a different password" isn't limited to exchanges, but applies to forums, emails, and even pools ;), and that some antivirus heuristics seem to hate anything that has mining code in it and isn't explicitly whitelisted.

Geist Geld, the experimental cryptocurrency, is ready for yet another SolidCoin collapse ;)

Feed the Lolcust!
NMC: N6YQFkH9Gn9CTm4mpGwuLB5zLzqWTWFw67
BTC: 15F8xbgRBA1XZ4hmtdFDUasroa2A5rYg8M
GEG: gK5Lx6ypWgr69Gw9yGzE6dsA7kcuCRZRK
makomk
September 09, 2011, 02:08:16 PM
 #3

Also, don't believe everything that prominent members of the Bitcoin community have to say about alternative chains. In particular, I know some people think that the number of confirmations doesn't matter and all that matters is the total expected time of the confirmations, so that 1 10-minute-average confirmation is more secure than 3 3-minute-average confirmations. If you read Satoshi's paper it's clear this isn't true; the number of confirmations is actually more important because transaction security increases exponentially with more confirmations. (His paper has approximate figures; you'll notice that accepting 1 and 2-confirmation transactions is fairly risky.)

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
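
The comparison in the post above can be checked against the attacker-success calculation in the "Calculations" section of Satoshi's paper, which takes only the attacker's hash share q and the confirmation count z as inputs. This is an added example, not part of the original thread; the function name `attacker_success` and the choice q = 0.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the catch-up probability from the
# "Calculations" section of the Bitcoin whitepaper, computed with awk.
#   q = attacker's share of total hash power (assumed value, 0 < q < 0.5)
#   z = number of confirmations the recipient waits for
attacker_success() {
    awk -v q="$1" -v z="$2" 'BEGIN {
        p = 1 - q
        lambda = z * q / p            # expected attacker blocks while z honest blocks are found
        sum = 1
        for (k = 0; k <= z; k++) {
            poisson = exp(-lambda)    # Poisson(k; lambda), built up term by term
            for (i = 1; i <= k; i++) poisson *= lambda / i
            sum -= poisson * (1 - (q / p) ^ (z - k))
        }
        printf "%.7f\n", sum
    }'
}

# In this model there is no block-interval term: one slow confirmation is z=1
# and three fast confirmations are z=3, whatever the average block time.
for z in 1 2 3 6; do
    printf 'q=0.10 z=%s P=%s\n' "$z" "$(attacker_success 0.10 "$z")"
done
```

With q = 0.10 the probability falls from about 0.20 at one confirmation to about 0.013 at three.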
bitlotto
September 09, 2011, 02:32:36 PM
 #4

Good advice.

Using an alternate cryptocurrency client would be a great way to get many people to install a hidden virus that targets Bitcoin users.

If you have a significant amount of Bitcoins, I wouldn't run other clients on the same computer until the alternates have developed trust over a longer period of time... I'm probably on the paranoid side of things though.

These new cryptocurrencies are interesting, and it will be fascinating to see how it will all play out. 

*Next Draw Feb 1*  BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR
TOR2WEB
Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
Lolcust
September 09, 2011, 05:04:08 PM
 #5

Generally, if you have a large amount of bitcoins on a given PC, being extra-cautious about third party software (be it an Alt-coin client or a particularly fancy casual game) is advisable.

smoothie
September 09, 2011, 05:49:02 PM
 #6

Some people only have one computer and that must suck. Fortunately I have multiple so I can use some of my alt-miners to do this safely.

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.                  History of Monero development Visualization ★☆ .
LEALANA BITCOIN GRIM REAPER SILVER COINS.
 
Lolcust
September 09, 2011, 06:02:15 PM
 #7

You can have more than one wallet.dat.

You just need 1 portable bitcoin client that can safely reside on an encrypted and backed up volume, and one regular one for day to day tiny stuff. It's not like you routinely send 5000+ BTC, no?

Incidentally, cobbling together a somewhat workable portable bitcoin is pretty straightforward.

Lolcust
September 11, 2011, 07:06:19 PM
 #8


I would say you nailed this one bullseye with one shot. I think your real concern isn't our "safety" it's yours. Sooner or later one of these alt-chains is going to replace Bitcoin if Bitcoin doesn't do some seriously needed updating and improvements.

You know it, I know it and so does everyone else.

Sometimes the truth isn't all warm and fuzzy, sometimes it's just plain brutal.

I'd like to point out that there is no particular reason why several chains with different properties can't coexist.

For instance, there could be one well-established, reliable chain with only the most needed, most tested and most secure features, and a [pimp] fast-blocked, permanently experimental (sorta like TOR is always experimental forever) feature-rich one [/pimp] ;), as well as dedicated-purpose chains like Namecoin and such.
Also, coins with different degrees of "necessary centralization" might exist, with userbase preference being driven by how comfortable they are with a given net's distribution of "powers that be".

Bitcoin, due to its prominence, has become "serious business". That necessitates a very conservative approach to development.

[pimp]That's why I started a fork with a more lighthearted approach to ... pretty much everything [/pimp] ;)

mrb
September 12, 2011, 09:55:02 AM
 #9

Quote from: smoothie
"Some people only have one computer and that must suck. Fortunately I have multiple so I can use some of my alt-miners to do this safely."

People with only one computer can still securely isolate different wallets & apps from each other by using privilege separation. For example on Linux, run bitcoin/namecoin/i0coin/etc under separate user accounts, and chmod 700 their home directories.
Lolcust
September 12, 2011, 07:21:21 PM
 #10

Um, with all due respect, Artforz did not burn anyone's house down with lemons, and his actions have inflicted far less damage upon SolidCoin's credibility than CH's, let's say, questionable public relations escapades.

Lolcust
September 12, 2011, 08:00:01 PM
 #11

It has long since become a tradition to only patch stuff up when an actual attack emerges, hence leading to emergence of a tradition to demonstrate the "seriousness" of attack.

While I personally would rather follow a different approach, this state of affairs is by no means limited to Bitcoin community or even IT in general, and is here to stay.

GideonGono
September 12, 2011, 09:47:14 PM
 #12

I strongly agree. That's partly why I haven't messed with the alt chains. I even mentioned this on the announcement thread for lxcoin but it got drowned out with all the excitement about it.



Lolcust
September 13, 2011, 09:51:56 AM
 #13

I'd like to remind everyone that Gavin, with all due respect, is not an angry deity and can neither drown people he vaguely disapproves of nor feed them to the lo(l)custs.

zillagod
September 13, 2011, 08:07:59 PM
 #14

Quote from: Lolcust
"It has long since become a tradition to only patch stuff up when an actual attack emerges, hence leading to emergence of a tradition to demonstrate the "seriousness" of attack."

Yeah, especially when someone (CH/RS) dares you to go ahead and do it...

Lolcust
September 13, 2011, 09:55:58 PM
 #15

One would think that someone who even tries to code knows to rather not say such things to programmers, lol :)

kano
September 14, 2011, 03:40:17 AM
 #16

...
Why not instead of making posts like this you take some adult leadership initiative and start cleaning up the toxic community that you are allowing to fester out here?  From your passive support through inaction of attacks on alt chains and now it is growing even wider.  You claim to have a thick skin as that is what it takes to lead projects like this, well it also takes a backbone.  You know as well as many of the people here that the alt coins provide much more to learn by being viable than having the community out attacking them.  Grow a pair and speak up, if there is one thing that will kill Bitcoin it is you and this community.  You have yet to condemn the attackers and you have yet to rein in the toxic community growing around Bitcoin, I surely hope your goals are not to see the whole project Blighted?  What would you think if you were a first time noob and came to see all this going on?  At some point people are going to start wondering if a gimpy blind retarded monkey could do a better job leading this project, why don't you start getting involved in the community, take a stance and be a leader, surround yourself with the right people to develop cryptocurrency and help foster an environment that will bring respectable businesses and users into the system.  At some point a leader has to step away from the technical details and stand up and be a leader.
LOL it's an open source project - there are no 'leaders' as you describe them.
No one can force anyone to do anything.

It's not some toxic community that you can clean up and you can't stop people from attacking the chains - though anyone with half an inkling of sense would realise that you can't stop that even in the closed source world :P

Try some adult thought beyond a gimpy lack of understanding of reality :)

Pool: https://kano.is - low 0.5% fee PPLNS 3 Days - Most reliable Solo with ONLY 0.5% fee   Bitcointalk thread: Forum
Discord support invite at https://kano.is/ Majority developer of the ckpool code - k for kano
The ONLY active original developer of cgminer. Original master git: https://github.com/kanoi/cgminer
DavinciJ15
September 14, 2011, 09:56:14 PM
Last edit: September 21, 2011, 09:12:14 PM by DavinciJ15
 #17

Although I don't think the fiasco with Namecoin is over and I do believe we have made it hard for BitcoinExpress.  With that said I looked into the block chain rewrite this is real and can be done while legitimately mining bitcoins.  This exploit is quite scary for Bitcoins as a person with 20% of the hash rate can write the block chain.

The good news is it can be fixed and Namecoin is a test of such fixes.

I would STRONGLY suggest you look into this Gavin.
Gavin Andresen (OP)
September 14, 2011, 10:49:14 PM
 #18

Quote from: DavinciJ15
"I would STRONGLY suggest you look into this Gavin."

Relevant discussion on the bitcoin-dev mailing list is here:
  http://sourceforge.net/mailarchive/message.php?msg_id=28082081

grod
October 02, 2011, 08:29:22 PM
 #19

It's hard enough to get the half-baked alt chain software to run at all (and speed is of the essence knowing they are all quickly collapsing pyramids) never mind configuring a VM with appropriate hardware access.  Here are steps I've taken which I think are "good enough" to be advice -- it's worked for me for 4 shitcoin chains so far.

1.  Don't use Windows and pre-built .exes.  Just don't.  Ever.  Nothing inherently wrong with Microsoft software, but it is well understood and commonly used by the botnet types.  Staying out of the monoculture is a form of security by obscurity.
2.  Create a new account with no group membership.  I call mine "goatse" for obvious but nostalgic reasons.  Make absolutely sure that account doesn't have read or write access outside of their home directory.   Make doubly sure they can't read the raw hard drive device.
3.  Log out of your main account and into that account whenever compiling or running the alt chain software.  Remember that compilation & installation scripts are code!
4.  Do not browse exchange sites you have coinage in and definitely do not save passwords in the browser when logged in as this account.
5.  If you log into this account via ssh DO NOT enable X proxying.  It's trivial to read your keystrokes, do screen captures, etc when X is proxied.  Let me repeat this one, make sure X proxying is disabled.  If you can type 'xterm' and see it show up on your main account's screen you're vulnerable. 

And yes, I even follow this for official bitcoin software.  On a different account than "goatse" of course.
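
The isolation steps in this post and the `chmod 700` advice in post #9 can be verified from inside the throwaway account before any untrusted client is built or run. This is an added example, not part of the original thread; the function names, the `/home` layout and the device name patterns are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run while logged in as the
# throwaway account, before building or running an untrusted client.
# Function names and the /home layout are assumptions for illustration.

# Succeeds only if DIR is a directory with mode exactly rwx------ (chmod 700).
home_is_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "drwx------" ]
}

# Prints the supplementary groups of USER; empty output means no extra membership.
extra_groups() {
    primary=$(id -gn "$1") || return 1
    for g in $(id -Gn "$1"); do
        if [ "$g" != "$primary" ]; then echo "$g"; fi
    done
}

# Prints every directory under BASE, other than OWN, that this account can enter and list.
readable_foreign_homes() {
    for d in "$1"/*; do
        if [ -d "$d" ] && [ "$d" != "$2" ] && [ -r "$d" ] && [ -x "$d" ]; then echo "$d"; fi
    done
}

# Prints each given path that is a block device this account can read (raw disk access).
readable_block_devices() {
    for dev in "$@"; do
        if [ -b "$dev" ] && [ -r "$dev" ]; then echo "$dev"; fi
    done
}

# Succeeds if this is an SSH session with an X display attached (X forwarding is on).
x_forwarding_active() {
    [ -n "${SSH_CONNECTION:-}" ] && [ -n "${DISPLAY:-}" ]
}

# Runs every check for HOME_DIR under BASE; returns non-zero if anything failed.
audit_account() {
    bad=0
    home_is_private "$1" || { echo "FAIL: $1 is not mode 700"; bad=1; }
    out=$(extra_groups "$(id -un)")
    [ -z "$out" ] || { echo "FAIL: extra groups:" $out; bad=1; }
    out=$(readable_foreign_homes "$2" "$1")
    [ -z "$out" ] || { echo "FAIL: can read other homes:" $out; bad=1; }
    out=$(readable_block_devices /dev/sd? /dev/vd? /dev/nvme?n? /dev/mmcblk?)
    [ -z "$out" ] || { echo "FAIL: can read raw disks:" $out; bad=1; }
    if x_forwarding_active; then echo "FAIL: X forwarding is enabled"; bad=1; fi
    [ "$bad" -eq 0 ]
}

audit_account "${HOME:-/nonexistent}" /home || echo "Fix the findings above first."
```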

Lolcust
October 02, 2011, 08:39:50 PM
 #20

Was there a documented case of malware propagation via this route, or is this more or less a "what if..." Infosec Comparative E-Masculinity thing :D ?
