Bitcoin Forum
Author Topic: Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required  (Read 63858 times)
Evilish
April 09, 2014, 10:18:07 AM
 #101

Does this only apply for Bitcoin QT? Just wondering because I use BlockChain online wallet and MultiBit.
platorin
April 09, 2014, 10:38:58 AM
 #102

Thank you for the info and the update. All best!
S4VV4S
April 09, 2014, 10:51:58 AM
 #103

Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

+1
I would like to know this as well
Rampion
April 09, 2014, 11:02:31 AM
 #104

Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

+1
I would like to know this as well

I've opened a dedicated thread in Technical Discussion for this purpose.

5ick3uffalo
April 09, 2014, 11:14:40 AM
 #105

I am using QT v8.0.6 beta, need to upgrade or am I safe and sound?

Luke-Jr
April 09, 2014, 11:16:54 AM
 #106

I am using QT v8.0.6 beta, need to upgrade or am I safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed.
So probably not.

5ick3uffalo
April 09, 2014, 11:17:57 AM
 #107

I am using QT v8.0.6 beta, need to upgrade or am I safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed.
So probably not.

Ok thank you :)

Hyena
April 09, 2014, 11:21:54 AM
 #108

How do I install this for Linux Mint? On the previous version there was just a bitcoin-qt file which I could click on and run. Now the extracted folder contains several files, none of which are executable. I am stupid and know almost nothing about using the terminal, compiling libraries, etc. Can someone give me a simple explanation please?

Please.

Almost sounds like you've downloaded a source archive. Are you sure you've downloaded https://bitcoin.org/bin/0.9.1/bitcoin-0.9.1-linux.tar.gz , 36MB in size?

I had a quick look at this archive and the executables appear to be there:

bin/32/bitcoin-qt
bin/64/bitcoin-qt

The file I downloaded from your link and the previous link is 47.5 MB. I tried it again with your link, but same result. Bitcoin-qt is not an executable, it is a "shared library (application/x-sharedlib)". I have no program that can execute this file. Fuck. Why didn't they just make an "executable (application/x-executable)" file like version 0.8.5?

On Linux Mint 14 you can still launch your bitcoin-qt if you go to terminal and type "./bitcoin-qt". If you want to start it without having it tied to your terminal window then type "(./bitcoin-qt -min &> /dev/null &)"

mjosephs
April 09, 2014, 11:23:54 AM
 #109

If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.

wumpus
April 09, 2014, 11:33:42 AM
 #110

What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.
It's easy to cry "I told you so" in retrospect. But there could have been an exploit in any of the other dependencies. Or in the Bitcoin P2P or RPC network code itself. By no means is OpenSSL the only software that has bugs.

The only long-term sustainable solution to key theft would be to isolate the private keys and signing from the wallet in either a separate process, a trusted computing module or even a separate device (in order of increased security).

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
Kenshin
April 09, 2014, 11:36:00 AM
 #111

I really like this new update. It has better functions than 0.9.0. I can't wait for the 1.0 release.
Lucko
April 09, 2014, 11:52:59 AM
 #112

Great. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?
ShadesOfMarble
April 09, 2014, 11:56:32 AM
 #113

Great. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?
I guess wallet stealing trojans have existed almost as long as Bitcoin, so your loss could have many (other) causes.

First, scan your computer. Second, did you click on any "bitcoin:"-link?

Hyena
April 09, 2014, 11:57:56 AM
 #114

If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.

0.9 introduced a bunch of bullshit. How the hell can bitcoin magnet link be vulnerable?! If they continue introducing unwanted bullshit features, bloating the bitcoin official client then bitcoin will be dead for me. This has already gone too far. The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?

IIOII
April 09, 2014, 12:05:02 PM
 #115

That's exactly what all those three letter organizations are doing within the Bitcoin Foundation, introducing vulnerabilities to the protocol.

Yeah that's a risk that should not be disregarded lightly.

As far as I understand the main vulnerability was introduced in Bitcoin Core 0.9.0 by the payment protocol's reliance on OpenSSL. If I understand correctly the payment protocol was first introduced with Core 0.9.0 (I think Gavin was doing this).

I think (and mentioned this in the past) that the payment protocol is an entirely optional feature that is not essential for Bitcoin and should not be included. It can be substituted by third parties. The added security risk by reliance on (more) external libraries is much more relevant than providing a somehow useful, but non-essential feature.
IIOII
April 09, 2014, 12:06:30 PM
 #116

If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.

0.9 introduced a bunch of bullshit. How the hell can bitcoin magnet link be vulnerable?! If they continue introducing unwanted bullshit features, bloating the bitcoin official client then bitcoin will be dead for me. This has already gone too far. The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?


+1

Funny... you posted this.. while I was still typing my reply.
Lucko
April 09, 2014, 12:07:08 PM
Last edit: April 09, 2014, 12:27:59 PM by Lucko
 #117

Great. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?
I guess wallet stealing trojans have existed almost as long as Bitcoin, so your loss could have many (other) causes.

First, scan your computer. Second, did you click on any "bitcoin:"-link?
It runs only wallet and no I just installed it... I used Ufasoft coin till now but it really runs bad with current blockchain size so I migrate keys.

I do have antivirus and malware bits on... So I don't think it is that. It also has own firewalled subnet...

EDIT: Scan completed. Nothing found by AVG or Malwarebytes
wumpus
April 09, 2014, 12:22:03 PM
 #118

The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?
Right, in principle, wallet functionality isn't needed at all to maintain the Bitcoin P2P network, the reason for Bitcoin Core's existence.

This is why --disable-wallet mode was introduced in 0.9.0. It allows you to build without the wallet, which removes quite a few dependencies (OpenSSL however is still required as we also use it for ECDSA at this point, and for RPC SSL support, but this could change after merging sipa's ECDSA library).

In the long run there are two options: either we remove the wallet, or we keep it and try to keep up with features of other wallets. Keeping up includes the payment protocol. If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.

IIOII
April 09, 2014, 12:41:13 PM
 #119

If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.

Who did complain?

If payment protocol is distributed with Core, it should be an optional thing, which the user can decide to activate (by checkbox, whatever). Security is much more important.


Edit. imho the dialog introduced in 0.9.0 which replaced the receiving addresses field is not an improvement. It makes things more awkward. (An example of a really good improvement is coincontrol and wallet file selection.)
fryarminer
April 09, 2014, 12:43:57 PM
 #120

Memorized private keys, the safest way to own bitcoin.
Memorized private keys are in fact one of the least secure ways to own bitcoin.


Dang it! I was sitting here trying to memorize private keys!