Bitcoin Forum
November 02, 2024, 11:59:50 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [20] 21 22 »  All
  Print  
Author Topic: Reused R values again  (Read 121270 times)
nogf
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
December 26, 2014, 12:05:38 PM
 #381

This is important.
Please refrain from giving a step by step instruction on how to hack people's addresses.

I highly respect what johoe did but I think he got carried away with his new 'fame' by telling everybody how he did it.
Not cool.

There's somewhat of a difference with this case, in that he was explaining things a lot of us knew about already. Due to the way this particular event played out all of those private keys are compromised and that's the end of it. There's no further exploitation to be done, no further thefts, no further damage. If nothing else he raised awareness for RFC6979 signatures which mitigate this particular problem entirely.

In general there's little value to doing full disclosure. It's a net loss for the reporter (no bounty payout), for the users (they could be negatively affected) and for the company (that has to deal with the fall out). However, in some cases it's necessary to act in that way in order to get things fixed. If a company is being obtuse, lying, or otherwise not fulfilling their obligations to their customer then there's really no choice.
LFC_Bitcoin
Legendary
*
Offline Offline

Activity: 3710
Merit: 10426


#1 VIP Crypto Casino


View Profile
December 26, 2014, 12:21:18 PM
 #382

^^^^

Fair enough nogf.

You guys are so tech savvy, very impressive tbh.

█████████████████████████
███████████▄█████████████
██████▀░▀█▀░▀█▀░▀████████
███████▄███▄███▄█████████
████▀██▀██▀░▀████▀░▀█████
███████████░███▀██▄██████
████▀██▀██░░░█░░░████████
███████████░███▄█▀░▀█████
████▀██▀██▄░▄███▄░░░▄████
███████▀███▀███▀██▄██████
██████▄░▄█▄░▄█▄░▄████████
███████████▀█████████████
█████████████████████████
 
.Bitcasino.io.
 
.BTC  ✦  Where winners play  BTC.
.
..
.
    ..





████
████
░░▄████▄████████████▄███▄▄
░███████▄██▄▄▄▄▄▄█████████▄
███████████████████████████
▀████████████████████████▀
░░▀▀████████████████████
██████████████████▄█████████
██
▐███████▀███████▀██▄██████
███████▄██▄█▀████▀████████
░░██████▀▀▀▄▄▄████▀▀████
██▐██████████▀███▀█████████████    ████
███
████████████
███████████████    ████
█████▀████████████████▀
███████▀▀▀█████████▀▀
..
....
 
 ..✦ Play now... 
.
..
Newar
Legendary
*
Offline Offline

Activity: 1358
Merit: 1001


https://gliph.me/hUF


View Profile
December 26, 2014, 01:55:31 PM
 #383

So, this:

Not everybody reads this little pit on the side of the internet. Not everybody speaks English. Unless it's a very high profile event "saving" someones money will just be theft with no positive identification. [...]

But then also this:

[...] It's very much public knowledge that there's huge problems with their management of security, else this thread wouldn't be 20 pages long and I wouldn't be posting here.

 Huh

It went from here to various different news / social media sites without johoe having to lift a finger.

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
December 26, 2014, 02:38:38 PM
 #384



There's no method of doing that in Bitcoin.

But johoe did not steal anything, he just picked it up. There is no perfect real world analogy, but this one makes more sense than yours.

Misspelling protects against dictionary attacks NOT
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
December 26, 2014, 02:40:29 PM
 #385

Of course there is. The blockchain is a public ledger. Sweeping coins to an address and then posting about it and the address is exactly that. The word will spread quick enough, as was shown in johoe's case.

If you start using a service to store your money, you better have at least one common language with the service provider.

Misspelling protects against dictionary attacks NOT
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
December 26, 2014, 02:45:32 PM
 #386

In general there's little value to doing full disclosure. It's a net loss for the reporter (no bounty payout), for the users (they could be negatively affected) and for the company (that has to deal with the fall out). However, in some cases it's necessary to act in that way in order to get things fixed. If a company is being obtuse, lying, or otherwise not fulfilling their obligations to their customer then there's really no choice.

Full disclosure is still good, because it will wipe bad service providers from the market and teach careless users a lesson. And the reporter's greatest asset is not some change for reward, but great achievements in his vita.

Companies have to die at some point, and some users unfortunately have to learn their responsibilities the hard way.

Misspelling protects against dictionary attacks NOT
nogf
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
December 26, 2014, 03:59:52 PM
 #387

So, this:

Not everybody reads this little pit on the side of the internet. Not everybody speaks English. Unless it's a very high profile event "saving" someones money will just be theft with no positive identification. [...]

But then also this:

[...] It's very much public knowledge that there's huge problems with their management of security, else this thread wouldn't be 20 pages long and I wouldn't be posting here.

 Huh

It went from here to various different news / social media sites without johoe having to lift a finger.

There's a huge difference between a general fact "their security practice is poor" and a statement like "some user stole $50 it might be yours". One can be widely reported, one generally will not.
johoe (OP)
Full Member
***
Offline Offline

Activity: 217
Merit: 259


View Profile
December 28, 2014, 02:22:30 PM
 #388

I'm the security researched who "caused" all of this by reporting a related bug to blockchain.info, which is why they were touching this critical code in the first place. The broken changes (there were multiple, only one is public knowledge) was pushed into production at midnight on Sunday in the UK. I caught the change and was able to get an emergency message to them in order to get them to pull the plug. Had I not had a script watching for changes like this on their site (previous experience has shown they love pushing broken code and then hiding it in git), it might have been a full 8 hours of sleep later that they could have taken down the website. Unsung hero and all that, but people would have lost a lot more money had it not been for that.

Interesting, so how did you detect that there was a serious problem?  Just by code inspection, or did you see a clash on randomly created addresses?

Quote
Their RNG was broken at least 4 times before this incident as well, it just didn't get any publicity.
This time it was special. This was the first time they created the same r value more than once. And there were 1000 repeated values in the few hours it was online.


Next time you should exploit a vulnerability, remove the coins and make it public. It will let you collect a good bounty, increase your profile and get hired as a consultant by some company and expose blockchain which will keep the public warned about using it.

That would be gray hat. I am white hat.

I had the opportunity to take all of the money johoe did significantly before he even realized it was an issue. It wasn't my place to go saving anybodies coins, it was if anybodies it was blockchain.info's. I don't know the legality of what joehoe did, as far as I could justify in my head at the time even though it was a "good" act, it would still be breaking my countries law. During the event I asked blockchain.info for permission to sweep the money and return it to the company, but they didn't respond in time.

I'm not sure about the legality, but it was the only way to save the money.  I didn't break into other computers; I just took the public ledger and extracted the private keys from that.  Usually, if there is a problem with repeated R values, it is exploited within a few hours.  In this case it took a bit more than 24 hours.

I wonder why you didn't sweep the remaining coins that required to break the RNG.  When I did this after six days, I was astonished how much money there still was on these addresses.

Lay off playing the concerned. There's a balance that needs to be struck no matter how you look at it. If people don't voice concern about the security practice of a company, there's an assumption that everything is just fine. I've given no information that could aid anybody in finding vulnerabilities in their code.

This is important.
Please refrain from giving a step by step instruction on how to hack people's addresses.

I highly respect what johoe did but I think he got carried away with his new 'fame' by telling everybody how he did it.
Not cool.

I think, I never gave a step by step instruction of how to break an address.  You are probably referring to the posting how to break a particular address using a particular chain of R values and other addresses.  That description showed how I broke one particular key, but that key didn't have any money anyway.  I didn't include the details, or any of the private keys.  Of course, you can look up the details at Wikipedia.  Or you can find the other step-by-step instructions on the web. The knowledge that it is possible to follow R values over several addresses was already out; there was another thread that started two weeks earlier.  Also my posting was at a time when there were already bots sweeping the addresses when they were exploited.  I tried to keep the details of the RNG secret as long as possible.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
smoothie
Legendary
*
Offline Offline

Activity: 2492
Merit: 1474


LEALANA Bitcoin Grim Reaper


View Profile
December 28, 2014, 08:09:33 PM
 #389

Sorry for my ignorance, but has this issue been resolved on BC.I's end?

███████████████████████████████████████

            ,╓p@@███████@╗╖,           
        ,p████████████████████N,       
      d█████████████████████████b     
    d██████████████████████████████æ   
  ,████²█████████████████████████████, 
 ,█████  ╙████████████████████╨  █████y
 ██████    `████████████████`    ██████
║██████       Ñ███████████`      ███████
███████         ╩██████Ñ         ███████
███████    ▐▄     ²██╩     a▌    ███████
╢██████    ▐▓█▄          ▄█▓▌    ███████
 ██████    ▐▓▓▓▓▌,     ▄█▓▓▓▌    ██████─
           ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌          
           ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌          
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─  
     ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩    
        ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀       
           ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀`          
                   ²²²                 
███████████████████████████████████████

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.                  History of Monero development Visualization ★☆ .
LEALANA BITCOIN GRIM REAPER SILVER COINS.
 
johoe (OP)
Full Member
***
Offline Offline

Activity: 217
Merit: 259


View Profile
December 28, 2014, 08:25:24 PM
 #390

Sorry for my ignorance, but has this issue been resolved on BC.I's end?

Yes, there haven't been any bad transactions for a week now.

There are still people paying to addresses that were exposed by the bug or that were created by the buggy random number generator, but there is nothing BC.I can do about this.

Edit: I should add that bc.i claimed to fix this bug within a few hours.  There is no way to prove this from my end, but the logs support this as more than 75% of the bad transactions occurred during a few hours.  

BC.I has changed to RFC 6979, now.  Thus, the signatures do not depend on the random number generator anymore.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
temen
Member
**
Offline Offline

Activity: 119
Merit: 10


View Profile
December 28, 2014, 09:41:17 PM
 #391

johoe: As a sidestep  to this, to me it looks like you "found" these bitcoins and returned them to BC.info. In here Finland there is a law that ensures some 10% of findings to the finder. Hope you got your share for doing these people a service, that was quite a feat!
goosoodude
Hero Member
*****
Offline Offline

Activity: 584
Merit: 500



View Profile
December 28, 2014, 11:14:58 PM
Last edit: December 28, 2014, 11:29:06 PM by goosoodude
 #392

BC.I has changed to RFC 6979, now.  Thus, the signatures do not depend on the random number generator anymore.

The issue was known from a long time back, so why did a company like Blockchain which handles huge amounts of BTC failed to correct it? Its a very serious lax, and the users should be educated to keep BTC there only when necessary. Many use Blockchain as a primary storage wallet.






██████████████████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████████▄▄▄███████████████████████
███████████████████████████████████████████████████████████████████████▀▀▀████████████████████████
██████████████████████████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████████████████████████





...INTRODUCING WAVES........
...ULTIMATE ASSET/CUSTOM TOKEN BLOCKCHAIN PLATFORM...






Willisius
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250

I'm really quite sane!


View Profile
December 29, 2014, 04:11:11 AM
 #393

Sorry for my ignorance, but has this issue been resolved on BC.I's end?

Yes, there haven't been any bad transactions for a week now.

There are still people paying to addresses that were exposed by the bug or that were created by the buggy random number generator, but there is nothing BC.I can do about this.

Edit: I should add that bc.i claimed to fix this bug within a few hours.  There is no way to prove this from my end, but the logs support this as more than 75% of the bad transactions occurred during a few hours.  

BC.I has changed to RFC 6979, now.  Thus, the signatures do not depend on the random number generator anymore.
It sounds like it is somewhat safe to use blockchain.info again.

I would also say this just shows the importance of rigorously testing any new release of any software that in any way controls any kind of money because people may not immediately continue the upgrade cycle after a 2nd release is released to fix any potential problem 
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 29, 2014, 04:32:34 AM
 #394

It sounds like it is somewhat safe to use blockchain.info again.

I would also say this just shows the importance of rigorously testing any new release of any software that in any way controls any kind of money because people may not immediately continue the upgrade cycle after a 2nd release is released to fix any potential problem  
I haven't seen any sign that they have fixed the organizational problem that created the technical problem.

According to other reports, they have a single super-programmer who ships changes without independent review.

If that is true, good luck...

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
Willisius
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250

I'm really quite sane!


View Profile
December 29, 2014, 04:46:09 AM
 #395

It sounds like it is somewhat safe to use blockchain.info again.

I would also say this just shows the importance of rigorously testing any new release of any software that in any way controls any kind of money because people may not immediately continue the upgrade cycle after a 2nd release is released to fix any potential problem  
I haven't seen any sign that they have fixed the organizational problem that created the technical problem.

According to other reports, they have a single super-programmer who ships changes without independent review.

If that is true, good luck...
That is probably not a good idea. Regardless of how "good" someone is at their job it is always important to have people check behind workers' work in order to make sure it meets a certain quality standard.

Although it would generally not be a good idea to have one person (or even one team) in charge of such programming, it would still potentially be feasible as long as a completely separate group is able to independently test and audit the code prior to it being released
goosoodude
Hero Member
*****
Offline Offline

Activity: 584
Merit: 500



View Profile
December 29, 2014, 01:50:09 PM
 #396

It sounds like it is somewhat safe to use blockchain.info again.

I would also say this just shows the importance of rigorously testing any new release of any software that in any way controls any kind of money because people may not immediately continue the upgrade cycle after a 2nd release is released to fix any potential problem  
I haven't seen any sign that they have fixed the organizational problem that created the technical problem.

According to other reports, they have a single super-programmer who ships changes without independent review.

If that is true, good luck...

They have another problem now as they are incorrectly marking transactions as double spend.
Its time people moved on from there, too risky to keep valuables there.






██████████████████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████████▄▄▄███████████████████████
███████████████████████████████████████████████████████████████████████▀▀▀████████████████████████
██████████████████████████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████████████████████████





...INTRODUCING WAVES........
...ULTIMATE ASSET/CUSTOM TOKEN BLOCKCHAIN PLATFORM...






newIndia
Legendary
*
Offline Offline

Activity: 2226
Merit: 1052


View Profile
January 03, 2015, 08:32:55 PM
 #397

May I request the mods to make this thread sticky ? Because, I think, new people have a lot to learn from this thread.

gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4270
Merit: 8805



View Profile WWW
January 03, 2015, 10:41:14 PM
Last edit: January 03, 2015, 10:57:39 PM by gmaxwell
 #398

I'm not sure that people actually have much to learn from it; or at least the lesson most learn isn't the lesson they need to learn.

The problem is that the security of cryptosystems can't be assured by following a checklist. Do this. Don't do that.  Do this.  No finite set of instructions is necessary or sufficient for security.

The real lesson is the serious hard work, challenge, public review, testing, and residual risk there is with writing cryptographic software.  When you fixate on the list you feel like you have control of the security.

There is far too much adhoc cryptographic code being written in this community (and beyond) by people who are not putting in the serious effort to make sure it's done right. No matter how awesome a coder you are, no matter how many lists of things to avoid, if you're going it alone your code will not be secure, if you're just following instructions from the forum your code is not going to be secure, etc. Maybe it will be _mostly_ secure, but mostly isn't really good enough.

Put another way, if this thread is alerting you to the concern here then it's very likely that you are not yet prepared to be writing cryptographic software for large numbers of people.
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1019


View Profile
January 03, 2015, 10:55:20 PM
 #399

Quote
The problem is that the security of cryptosystems can't be assured by following a checklist.

The problem is that you have to pay for everything.
Free cheese is only in mousetrap.
Free service (bitcoin/blockchain) can not be better than professional one (fiat/banks)
itod
Legendary
*
Offline Offline

Activity: 1974
Merit: 1077


^ Will code for Bitcoins


View Profile
January 03, 2015, 11:16:45 PM
 #400

Free service (bitcoin/blockchain) can not be better than professional one (fiat/banks)

Hard lesson to swallow but ultimately true. It doesn't mean that banks are better than the blockchain, but bank security is certainly better for that simple reason highly paid professionals are doing security for banks, and they've been doing that for a long time. When bitcoin accumulates few decades of safe security practices under the belt things like this will not happen.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [20] 21 22 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!