RaggedMonk (OP)
|
|
February 03, 2012, 06:26:01 PM |
|
As a matter of fact, bitcoin would _greatly_ benefit from having actual professional cryptographers doing not only BIP reviews, but also trying to devise actual attacks against the whole system.
Can't we hire respectable white hats to do a professional audit (with pledges)? I would be interested in funding this. And, Gavin thinks it is a good idea. Good idea. Who wants to volunteer to do the fundraising and organize this, and let me know how I can help?
Who has experience with white-hat security firms? Who should we approach? How much would it cost?
|
|
|
|
RaggedMonk (OP)
|
|
February 03, 2012, 10:40:47 PM Last edit: February 04, 2012, 12:29:47 AM by RaggedMonk |
|
There are challenges in organizing an audit as the commons, but I imagine high net worth bitcoiners, who have a vested interest in the security of the protocol, could be convinced.
I'll put 10BTC towards this, personally. Who else is in?
|
|
|
|
coretechs
Donator
Sr. Member
Offline
Activity: 362
Merit: 250
|
|
February 03, 2012, 10:59:37 PM |
|
Here I'll save you the trouble.
BlahBlah security crypto consultants inc. has found the following weaknesses in bitcoin:
1. blah blah hash collision blah blah birthday attack gives us a one-in-one-quadblahdrillionzillion chance of double spending coins when it was previously thought to be one-in-onequadblahbilliondrillion 2. people can walk into your house when you are not home, log onto your laptop and steal your coins 3. any criminal/bank/govt with enough financial resources can easily DDoS the largest pools and execute one of many 51% attacks RIGHT NOW if they wanted
Mitigation summary:
1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol 2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)
|
|
|
|
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
|
|
February 03, 2012, 11:11:20 PM |
|
Put bounties for proven exploits in a test environment chainblock, under the condition of not making them public until fixed.
|
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
|
|
|
Littleshop
Legendary
Offline
Activity: 1386
Merit: 1004
|
|
February 03, 2012, 11:29:38 PM |
|
Mitigation summary:
1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol 2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)
+1 There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol. The main areas that need tightening are the pools because they concentrate so much power. Most all of the possible attacks would REQUIRE a pool or more money (in hardware) then the attack would capture.
|
|
|
|
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
|
|
February 03, 2012, 11:40:33 PM |
|
Mitigation summary:
1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol 2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)
+1 There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol. The main areas that need tightening are the pools because they concentrate so much power. Most all of the possible attacks would REQUIRE a pool or more money (in hardware) then the attack would capture. There is a bounty for blackhats. Some people wouldn't just steal a bunch of coins from an unsuspecting user. So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).
|
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
|
|
|
Red Emerald
|
|
February 03, 2012, 11:49:16 PM |
|
coretechs, I think believing that bitcoin is already bullet proof is incredibly foolish.
What if there are more bugs like the encryption bug in 0.4? People trusted that their wallets were secure, but OOPS they weren't.
Having someone paid to look for holes is a good thing.
|
|
|
|
RaggedMonk (OP)
|
|
February 04, 2012, 01:05:37 AM |
|
So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).
I support this idea.
|
|
|
|
coretechs
Donator
Sr. Member
Offline
Activity: 362
Merit: 250
|
|
February 04, 2012, 02:32:07 AM |
|
coretechs, I think believing that bitcoin is already bullet proof is incredibly foolish.
What if there are more bugs like the encryption bug in 0.4? People trusted that their wallets were secure, but OOPS they weren't.
Having someone paid to look for holes is a good thing.
I don't believe it's bullet proof at all; I listed 2 of the biggest flaws that NEED to be addressed right away. A [block]chain is only as strong as its weakest link. I agree that having someone paid to look for holes is a good thing but I think that is better achieved by paying bounties for exploits to anyone who finds them. I don't see the point in trying to raise tens or hundreds of thousands of dollars to pay some hardcore commercial netcode/crypto analysts to spend months auditing bitcoin for flaws, and I doubt they would accept BTC as payment. I'm not trying to be negative, just realistic on what would be more effective. I'll gladly contribute to bounties for finding exploits.
|
|
|
|
BkkCoins
|
|
February 04, 2012, 06:10:57 AM |
|
Any govt with $20 million spare change could bring the network to it's knees. If senator Shumer and co-horts wanted to fund that via back channels it would be more effective and cheaper than years of legislative maneuvering.
|
|
|
|
istar
|
|
February 04, 2012, 09:36:44 AM |
|
As said earlier, create a fund with a bounty which any new proven attacks will get if they contact gavin and keep them secret for atleast 6 month?
This kind of things will get easier when we can have multiple adresses needed to control an account. This means that Gavin and some others Casascius etc can hold the different keys for this account.
|
Bitcoins - Because we should not pay to use our money
|
|
|
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
|
|
February 04, 2012, 11:54:40 AM |
|
Any govt with $20 million spare change could bring the network to it's knees. If senator Shumer and co-horts wanted to fund that via back channels it would be more effective and cheaper than years of legislative maneuvering.
Having it even discussed in the Senate would skyrocket the popularity of bitcoin and the strength of the network.
|
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
|
|
|
Timo Y
Legendary
Offline
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
|
|
February 04, 2012, 12:36:19 PM |
|
Isn't it a bit too early for this? The protocol is still undergoing significant changes and every modification introduces new bugs.
|
|
|
|
Gabi
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
|
|
February 04, 2012, 12:38:02 PM |
|
I think in these months the whole system has been already attacked by pretty much everyone trying to steal money. And they almost always failed (yeah except for wallet stealer virus and connecting to the RPC interface with fail password and stealing everything)
|
|
|
|
Syke
Legendary
Offline
Activity: 3878
Merit: 1193
|
|
February 04, 2012, 10:40:22 PM |
|
The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will every collect. All you have to do is to find an exploit. You don't think people have already tried?
|
Buy & Hold
|
|
|
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
|
|
February 04, 2012, 10:49:47 PM |
|
The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will every collect. All you have to do is to find an exploit. You don't think people have already tried?
Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox. The size of the current market is right now, you would be very lucky to cash out 100K. This is because are not "good currency" for themselves as is, and must be converted in scale. Moreover, for some reason we only seem to care about the security of the whole blockchain, when that's not by any means all there is to it. There's individual wallet security, punctual double-spending, etc and all that needs proving.
|
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
|
|
|
Elwar
Legendary
Offline
Activity: 3598
Merit: 2386
Viva Ut Vivas
|
|
February 05, 2012, 02:47:42 AM Last edit: February 05, 2012, 05:03:17 PM by Elwar |
|
edit
|
First seastead company actually selling sea homes: Ocean Builders https://ocean.builders Of course we accept bitcoin.
|
|
|
Syke
Legendary
Offline
Activity: 3878
Merit: 1193
|
|
February 05, 2012, 02:58:55 AM |
|
Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox.
Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc. The size of the current market is right now, you would be very lucky to cash out 100K.
Let's look at mtgox order book: 2.70 809 (4) 214855 1001710
You can cash more than $1,000,000 worth of bitcoins right this moment, and only drop the price to $2.70. There is plenty of money available for the taking in the blockchain.
|
Buy & Hold
|
|
|
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
|
|
February 05, 2012, 02:36:38 PM |
|
Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox.
Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc. If such coins would be stolen it would be very visible in the blockchain, and speculators would firesale anticipating a crash in confidence in the whole bitcoin system. Speculators and basically anyone who'd get wind of the news.
|
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
February 06, 2012, 03:50:10 PM |
|
Most white hats are corporate parasites or lamers who are not smart enough to be black ones.
Bitcoin is in wild. It is looked over and over again by some really smart people. The Satoshi client is still standing. Is there a need for any more proof?
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
|