AGD (OP)
Legendary
Offline
Activity: 2070
Merit: 1164
Keeper of the Private Key
|
|
June 04, 2014, 07:55:56 AM Last edit: September 22, 2018, 01:14:57 PM by AGD |
|
I had this idea. Dunno if it is realistic, maybe it's BS, but need to let it go.

When the Heartbleed bug was found, the Bitcoin core was quickly updated to version 0.9.0 (then shortly after updated to 0.9.1). Since it was a "major security issue" I assume that a lot of people already updated their client and the new version is more or less accepted by the majority of the network. No one wants to get hacked ...

Now, what if some expert hacker invents an exploit that targets an issue which is still not implemented in Bitcoin core, but - with a good reason - COULD be implemented in future versions, because of another big security issue that will convince the majority of the community to update to the new version. If this expert hacker has a possibility to convince the key persons behind the BitcoinFoundation Bitcoin Development to update the source code with the reasonable security update (like it was done with the Heartbleed bug), he would be the only person with an exploit to the new implementation.

This sounds like a quite realistic scenario to me. What do you think?
|
|
|
|
franky1
Legendary
Offline
Activity: 4382
Merit: 4752
|
|
June 04, 2014, 08:00:58 AM |
|
> I had this idea. Dunno if it is realistic, maybe it's BS, but need to let it go.
>
> When the Heartbleed bug was found, the Bitcoin core was quickly updated to version 0.9.0 (then shortly after updated to 0.9.1). Since it was a "major security issue" I assume that a lot of people already updated their client and the new version is more or less accepted by the majority of the network. No one wants to get hacked ...
>
> Now, what if some expert hacker invents an exploit that targets an issue which is still not implemented in Bitcoin core, but - with a good reason - COULD be implemented in future versions, because of another big security issue that will convince the majority of the community to update to the new version. If this expert hacker has a possibility to convince the key persons behind the BitcoinFoundation to update the source code with the reasonable security update (like it was done with the Heartbleed bug), he would be the only person with an exploit to the new implementation.
>
> This sounds like a quite realistic scenario to me. What do you think?

people don't simply dump compiled exe's into the bitcoin dev project area. they put in lines of code, which get reviewed by the other devs before it's then added into the main code area, and then tested to ensure it does not cause other things to fall apart or become exploitable.

so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
shwackd
Newbie
Offline
Activity: 25
Merit: 0
|
|
June 04, 2014, 08:01:47 AM |
|
To be perfectly honest:
If the sun was blocked out of the sky for JUST long enough to cause the surface temperature of hydrated driving surface to drop below the freezing point of deionized water we could possibly cause an automobile accident that would delay an important bitcoin foundation meeting JUST long enough to postpone the next update until our super virus elite hacker skills technician can compromise the mainframe.
|
|
|
|
AGD (OP)
Legendary
Offline
Activity: 2070
Merit: 1164
Keeper of the Private Key
|
|
June 04, 2014, 08:34:27 AM |
|
> people don't simply dump compiled exe's into the bitcoin dev project area. they put in lines of code, which get reviewed by the other devs before it's then added into the main code area, and then tested to ensure it does not cause other things to fall apart or become exploitable.
>
> so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core

I agree that new implementations are reviewed over and over by expert coders until they are released, but this is not the relevant part of it. SSL had a flaw that was indeed exploitable until the core devs were convinced that they had to change the code and release v 0.9.0. Before that, the guys either didn't know about the Heartbleed bug or they thought it was not necessary to update. This means that code - even after multiple reviews by good programmers - can contain bugs/flaws/exploitable parts, which either still have to be found or - in my example - were already found, but kept secret.
|
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
|
|
June 04, 2014, 12:56:30 PM |
|
> so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core

Haven't you ever heard of this NSA crowdsourcing program?

http://en.wikipedia.org/wiki/Underhanded_C_Contest

The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
|
|
June 04, 2014, 04:08:52 PM |
|
The most critical part of bitcoin is arguably the implementation of ECDSA, which would probably be the most scrutinized and heavily reviewed code. Thus, it would seem unlikely that a serious exploit could be introduced.
|
|
|
|
Este Nuno
Legendary
Offline
Activity: 826
Merit: 1002
amarha
|
|
June 04, 2014, 07:25:36 PM |
|
> > so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
>
> Haven't you ever heard of this NSA crowdsourcing program?
>
> http://en.wikipedia.org/wiki/Underhanded_C_Contest
>
> The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.

That is pretty wild. I had never heard of this. I wonder how many people have been caught trying to pull something like this on open source projects? I also wonder how many people (if any) have gotten away with inserting such code (intentionally of course) into any major open source projects.
|
|
|
|
freedombit
|
|
June 05, 2014, 04:08:43 AM |
|
> > > so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
> >
> > Haven't you ever heard of this NSA crowdsourcing program?
> >
> > http://en.wikipedia.org/wiki/Underhanded_C_Contest
> >
> > The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.
>
> That is pretty wild. I had never heard of this. I wonder how many people have been caught trying to pull something like this on open source projects? I also wonder how many people (if any) have gotten away with inserting such code (intentionally of course) into any major open source projects.

Is there a contest like this for Bitcoin or crypto? If not, then there should be. And then just hope that there are more white hats than black hats. If there are more black hats, then we are doomed as a race. ;-)
|
|
|
|
|
Soros Shorts
Donator
Legendary
Offline
Activity: 1617
Merit: 1012
|
|
June 05, 2014, 07:34:39 AM |
|
> > > so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
> >
> > Haven't you ever heard of this NSA crowdsourcing program?
> >
> > http://en.wikipedia.org/wiki/Underhanded_C_Contest
> >
> > The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.
>
> That is pretty wild. I had never heard of this. I wonder how many people have been caught trying to pull something like this on open source projects? I also wonder how many people (if any) have gotten away with inserting such code (intentionally of course) into any major open source projects.

I used to work for a financial institution and we had custom static code analysis modules developed for our build systems for the purpose of detecting malicious code checked in by programmers. There are common techniques as well as counter-measures so this is not a new thing. Disallowing uninitialized variables would probably neutralize half of the attacks.
|
|
|
|
turvarya
|
|
June 05, 2014, 07:39:35 AM |
|
Maybe I am wrong, but wasn't the Version 0.9 the one with the Heartbleed-Bug (0.8.6 didn't have it) and 0.9.1 the fixed Version?
|
|
|
|
franky1
Legendary
Offline
Activity: 4382
Merit: 4752
|
|
June 05, 2014, 12:18:56 PM |
|
> Maybe I am wrong, but wasn't the Version 0.9 the one with the Heartbleed-Bug (0.8.6 didn't have it) and 0.9.1 the fixed Version?

version 0.1-0.9 were all vulnerable. the version 0.9 was not released due to heartbleed, it was a standard scheduled release. no one in the world knew about heartbleed at this point... but it just happened to be around the time that the separate matter of heartbleed became public, and as such the devs released a 0.9.1 update pretty quickly
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
turvarya
|
|
June 05, 2014, 12:46:57 PM |
|
> > Maybe I am wrong, but wasn't the Version 0.9 the one with the Heartbleed-Bug (0.8.6 didn't have it) and 0.9.1 the fixed Version?
>
> version 0.1-0.9 were all vulnerable. the version 0.9 was not released due to heartbleed, it was a standard scheduled release. no one in the world knew about heartbleed at this point... but it just happened to be around the time that the separate matter of heartbleed became public, and as such the devs released a 0.9.1 update pretty quickly

That can't be true:

The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012
http://en.wikipedia.org/wiki/Heartbleed

• 2012-03-16 - Bitcoin-Qt version 0.5.3.1 released
• 2012-03-14 - Bitcoin-Qt version 0.5.3 released
• 2012-01-09 - Bitcoin-Qt version 0.5.2 released
https://bitcoin.org/en/version-history

So, which Bitcoin-Qt version was first affected depends on which first used OpenSSL 1.0.1.
|
|
|
|
AGD (OP)
Legendary
Offline
Activity: 2070
Merit: 1164
Keeper of the Private Key
|
|
June 05, 2014, 06:49:00 PM |
|
> > Maybe I am wrong, but wasn't the Version 0.9 the one with the Heartbleed-Bug (0.8.6 didn't have it) and 0.9.1 the fixed Version?
>
> version 0.1-0.9 were all vulnerable. the version 0.9 was not released due to heartbleed, it was a standard scheduled release. no one in the world knew about heartbleed at this point... but it just happened to be around the time that the separate matter of heartbleed became public, and as such the devs released a 0.9.1 update pretty quickly

I still have version 0.9.0 in my Download folder.
|
|
|
|
sickpig
Legendary
Offline
Activity: 1260
Merit: 1008
|
|
June 05, 2014, 07:30:53 PM |
|
> > > Maybe I am wrong, but wasn't the Version 0.9 the one with the Heartbleed-Bug (0.8.6 didn't have it) and 0.9.1 the fixed Version?
> >
> > version 0.1-0.9 were all vulnerable. the version 0.9 was not released due to heartbleed, it was a standard scheduled release. no one in the world knew about heartbleed at this point... but it just happened to be around the time that the separate matter of heartbleed became public, and as such the devs released a 0.9.1 update pretty quickly
>
> I still have version 0.9.0 in my Download folder.

on linux bitcoin-qt/bitcoind are dynamically linked to the openssl library bundled with your distro of choice, hence you could have been vulnerable to heartbleed even with 0.9.0 or higher if your libssl package wasn't up to date

    $ ldd `which bitcoin{-qt,d}` | grep ssl
    libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb5c8b000)
    libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb70b0000)

I don't think the same applies for ms win and/or osx
|
Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.
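
The `ldd` check in the post above, extended into a small audit script. This is an added example, not part of the original post or of Bitcoin Core; the function names, the script name and the `SAMPLE_*` lines (apart from the libssl line taken from the post) are constructed. It also covers a case the post does not mention: a daemon that keeps running the old library after the package was upgraded.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_* values are constructed,
# except the libssl line, which is the one shown in the post.
# ldd can run code from the file it inspects: use it only on binaries you trust.
SAMPLE_LDD='  libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb5c8b000)
  libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb5a9d000)
  libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb58ee000)'
SAMPLE_MAPS='b5c8b000-b5cd8000 r-xp 00000000 08:01 131090 /lib/i386-linux-gnu/libssl.so.1.0.0 (deleted)'

# stdin: ldd output. stdout: each distinct resolved libssl/libcrypto path.
# No output means the binary has no dynamic OpenSSL dependency.
openssl_libs_from_ldd() {
  awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// && !seen[$3]++ { print $3 }'
}

# stdin: a /proc/<pid>/maps listing. Succeeds if the process still maps an
# OpenSSL library that was replaced on disk, i.e. the package was upgraded
# but the daemon was not restarted and keeps running the old code.
maps_has_stale_openssl() {
  grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Print the package and version that own a library file. The soname
# (libssl.so.1.0.0) does not carry the patch level; the package version does.
owning_package() {
  if command -v dpkg-query >/dev/null 2>&1; then
    pkg=$(dpkg-query -S "$1" 2>/dev/null | sed 's/: .*//' | head -n 1)
    [ -n "$pkg" ] && dpkg-query -W -f='${Package} ${Version}\n' "$pkg"
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qf "$1"
  else
    return 1
  fi
}

# Report, for one binary, where its OpenSSL comes from.
audit_binary() {
  libs=$(ldd "$1" 2>/dev/null | openssl_libs_from_ldd)
  if [ -z "$libs" ]; then
    echo "$1: no dynamic libssl/libcrypto (static or bundled build)"
    return 0
  fi
  for lib in $libs; do
    echo "$1: $lib owned by $(owning_package "$lib" || echo unknown)"
  done
}

# Usage (script name is hypothetical): sh audit_openssl.sh /usr/bin/bitcoind
for bin in "$@"; do audit_binary "$bin"; done
```

To check a running daemon, pipe `/proc/<pid>/maps` into `maps_has_stale_openssl`; a match means the process needs a restart before the upgraded library takes effect.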
|
|
|
mymenace
Legendary
Offline
Activity: 1596
Merit: 1061
Smile
|
|
June 05, 2014, 07:41:19 PM |
|
if it is about choosing a secure currency and your underlying fear is why trust the bitcoin code

it's simple

banks, other currency, shares, investments are subject to hackers, scams and thieves etc etc etc

it is just a matter of choosing which one you believe to be the most foolproof

for me a network and code monitored by the whole community rather than a company or other is far more trustworthy

e.g. linux
|
|
|
|
AGD (OP)
Legendary
Offline
Activity: 2070
Merit: 1164
Keeper of the Private Key
|
|
June 06, 2014, 09:17:29 AM |
|
I guess, most people here in this forum are pro Bitcoin
|
|
|
|
pozmu
|
|
June 06, 2014, 06:56:31 PM |
|
I'm 90% sure this will happen.
|
|
|
|
AGD (OP)
Legendary
Offline
Activity: 2070
Merit: 1164
Keeper of the Private Key
|
|
June 07, 2014, 07:13:00 AM |
|
> I'm 90% sure this will happen.

Is it possible that it already happened? I mean, there were several events in the past, in which bitcoins simply "disappeared" from trading sites and owners seemed to be clueless on how it was done.
|
|
|
|
TheTruth4
Member
Offline
Activity: 108
Merit: 10
|
|
June 07, 2014, 06:11:00 PM |
|
Is it possible the bug was introduced into OpenSSL intentionally?
|
|
|
|
|