Bitcoin Forum
November 19, 2024, 04:07:57 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Proposed: We Should Hire Respectable White Hats to Audit Bitcoin's Security  (Read 2364 times)
RaggedMonk (OP)
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
February 03, 2012, 06:26:01 PM
 #1


As a matter of fact, bitcoin would _greatly_ benefit from having actual professional
cryptographers doing not only BIP reviews, but also trying to devise actual attacks
against the whole system.


Can't we hire respectable white hats to do a professional audit (with pledges)?

I would be interested in funding this. And, Gavin thinks it is a good idea.


Good idea. Who wants to volunteer to do the fundraising and organize this, and let me know how I can help?


Who has experience with white-hat security firms?  Who should we approach?  How much would it cost?
RaggedMonk (OP)
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
February 03, 2012, 10:40:47 PM
Last edit: February 04, 2012, 12:29:47 AM by RaggedMonk
 #2


There are challenges in organizing an audit as the commons, but I imagine high net worth bitcoiners, who have a vested interest in the security of the protocol, could be convinced.

I'll put 10BTC towards this, personally.  Who else is in?
coretechs
Donator
Sr. Member
*
Offline Offline

Activity: 362
Merit: 250



View Profile
February 03, 2012, 10:59:37 PM
 #3

Here I'll save you the trouble.

BlahBlah security crypto consultants inc. has found the following weaknesses in bitcoin:

1. blah blah hash collision blah blah birthday attack gives us a one-in-one-quadblahdrillionzillion chance of double spending coins when it was previously thought to be one-in-onequadblahbilliondrillion
2. people can walk into your house when you are not home, log onto your laptop and steal your coins
3. any criminal/bank/govt with enough financial resources can easily DDoS the largest pools and execute one of many 51% attacks RIGHT NOW if they wanted


Mitigation summary:

1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol
2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)

https://bitcoindoc.com - The Rise and Rise of Bitcoin | https://blocktap.io - Lightning powered crypto query engine
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
February 03, 2012, 11:11:20 PM
 #4

Put bounties for proven exploits in a test environment chainblock, under the condition of not making them public until fixed.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Littleshop
Legendary
*
Offline Offline

Activity: 1386
Merit: 1004



View Profile WWW
February 03, 2012, 11:29:38 PM
 #5



Mitigation summary:

1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol
2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)


+1  There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol.  The main areas that need tightening are the pools because they concentrate so much power.  Most all of the possible attacks would REQUIRE a pool  or more money (in hardware) then the attack would capture. 

muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
February 03, 2012, 11:40:33 PM
 #6



Mitigation summary:

1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol
2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)


+1  There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol.  The main areas that need tightening are the pools because they concentrate so much power.  Most all of the possible attacks would REQUIRE a pool  or more money (in hardware) then the attack would capture. 

There is a bounty for blackhats. Some people wouldn't just steal a bunch of coins from an unsuspecting user. So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Red Emerald
Hero Member
*****
Offline Offline

Activity: 742
Merit: 500



View Profile WWW
February 03, 2012, 11:49:16 PM
 #7

coretechs, I think believing that bitcoin is already bullet proof is incredibly foolish.

What if there are more bugs like the encryption bug in 0.4?  People trusted that their wallets were secure, but OOPS they weren't.

Having someone paid to look for holes is a good thing.

RaggedMonk (OP)
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
February 04, 2012, 01:05:37 AM
 #8

So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).

I support this idea.
coretechs
Donator
Sr. Member
*
Offline Offline

Activity: 362
Merit: 250



View Profile
February 04, 2012, 02:32:07 AM
 #9

coretechs, I think believing that bitcoin is already bullet proof is incredibly foolish.

What if there are more bugs like the encryption bug in 0.4?  People trusted that their wallets were secure, but OOPS they weren't.

Having someone paid to look for holes is a good thing.

I don't believe it's bullet proof at all; I listed 2 of the biggest flaws that NEED to be addressed right away.  A [block]chain is only as strong as its weakest link.

I agree that having someone paid to look for holes is a good thing but I think that is better achieved by paying bounties for exploits to anyone who finds them.  I don't see the point in trying to raise tens or hundreds of thousands of dollars to pay some hardcore commercial netcode/crypto analysts to spend months auditing bitcoin for flaws, and I doubt they would accept BTC as payment.  I'm not trying to be negative, just realistic on what would be more effective.  I'll gladly contribute to bounties for finding exploits.

https://bitcoindoc.com - The Rise and Rise of Bitcoin | https://blocktap.io - Lightning powered crypto query engine
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
February 04, 2012, 06:10:57 AM
 #10

Any govt with $20 million spare change could bring the network to it's knees. If senator Shumer and co-horts wanted to fund that via back channels it would be more effective and cheaper than years of legislative maneuvering.

istar
Hero Member
*****
Offline Offline

Activity: 523
Merit: 500


View Profile
February 04, 2012, 09:36:44 AM
 #11

As said earlier, create a fund with a bounty which any new proven attacks will get if they contact gavin and keep them secret for atleast 6 month?

This kind of things will get easier when we can have multiple adresses needed to control an account. This means that Gavin and some others Casascius etc can hold the different keys for this account.



Bitcoins - Because we should not pay to use our money
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
February 04, 2012, 11:54:40 AM
 #12

Any govt with $20 million spare change could bring the network to it's knees. If senator Shumer and co-horts wanted to fund that via back channels it would be more effective and cheaper than years of legislative maneuvering.

Having it even discussed in the Senate would skyrocket the popularity of bitcoin and the strength of the network.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Timo Y
Legendary
*
Offline Offline

Activity: 938
Merit: 1001


bitcoin - the aerogel of money


View Profile
February 04, 2012, 12:36:19 PM
 #13

Isn't it a bit too early for this?  The protocol is still undergoing significant changes and every modification introduces new bugs.
 

GPG ID: FA868D77   bitcoin-otc:forever-d
Gabi
Legendary
*
Offline Offline

Activity: 1148
Merit: 1008


If you want to walk on water, get out of the boat


View Profile
February 04, 2012, 12:38:02 PM
 #14

I think in these months the whole system has been already attacked by pretty much everyone trying to steal money. And they almost always failed (yeah except for wallet stealer virus and connecting to the RPC interface with fail password and stealing everything)

Syke
Legendary
*
Offline Offline

Activity: 3878
Merit: 1193


View Profile
February 04, 2012, 10:40:22 PM
 #15

The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will every collect. All you have to do is to find an exploit. You don't think people have already tried?

Buy & Hold
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
February 04, 2012, 10:49:47 PM
 #16

The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will every collect. All you have to do is to find an exploit. You don't think people have already tried?

Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox. The size of the current market is right now, you would be very lucky to cash out 100K. This is because are not "good currency" for themselves as is, and must be converted in scale.

Moreover, for some reason we only seem to care about the security of the whole blockchain, when that's not by any means all there is to it. There's individual wallet security, punctual double-spending, etc and all that needs proving.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Elwar
Legendary
*
Offline Offline

Activity: 3598
Merit: 2386


Viva Ut Vivas


View Profile WWW
February 05, 2012, 02:47:42 AM
Last edit: February 05, 2012, 05:03:17 PM by Elwar
 #17

edit

First seastead company actually selling sea homes: Ocean Builders https://ocean.builders  Of course we accept bitcoin.
Syke
Legendary
*
Offline Offline

Activity: 3878
Merit: 1193


View Profile
February 05, 2012, 02:58:55 AM
 #18

Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox.

Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc.

The size of the current market is right now, you would be very lucky to cash out 100K.

Let's look at mtgox order book:
Quote
2.70    809 (4)    214855    1001710    
You can cash more than $1,000,000 worth of bitcoins right this moment, and only drop the price to $2.70. There is plenty of money available for the taking in the blockchain.

Buy & Hold
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
February 05, 2012, 02:36:38 PM
 #19

Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox.

Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc.

If such coins would be stolen it would be very visible in the blockchain, and speculators would firesale anticipating a crash in confidence in the whole bitcoin system. Speculators and basically anyone who'd get wind of the news.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
MysteryMiner
Legendary
*
Offline Offline

Activity: 1512
Merit: 1049


Death to enemies!


View Profile
February 06, 2012, 03:50:10 PM
 #20

Most white hats are corporate parasites or lamers who are not smart enough to be black ones.

Bitcoin is in wild. It is looked over and over again by some really smart people. The Satoshi client is still standing. Is there a need for any more proof?

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!