what is the "scratch"? it's FUD or truth?

[HorseRider]

http://www.itweb.co.za/office/securitysummit2012/PressRelease.php?StoryID=228225


Scratches on the Surface of SHA256
A closer look at the cryptography in use for digital currency Bitcoin shows new vulnerabilities in SHA256, says Absa information security researcher Frans Lategan.

Issued by: ITP Communications   
[Johannesburg, 26 March 2012] -

Frans Lategan – Absa information security researcher and speaker at the ITWeb Security Summit.

Frans Lategan, who will be one of the expert speakers at the annual ITWeb Security Summit, in May, says he will reveal for the first time at the Summit newly-discovered weaknesses in the gold standard cryptography.
Describing the vulnerabilities as “scratches in the paintwork, rather than a train smash”, Lategan says his findings nevertheless indicate that vulnerabilities can exist even in trusted algorithms in use to protect currency as valuable and widespread as Bitcoin.

Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

“The downside of virtual currency such as Bitcoin is that there is no recourse if it is hacked or stolen,” he says.

Which is why any vulnerability in the security around it is of interest.

ITWeb Security Summit
The ITWeb Security Summit and Awards takes place from 15 to 17 May 2012. For more information and to reserve your seat, please click here.

Lategan points out that SHA256, in use for over a decade, will be replaced by the SHA3 hash family in the foreseeable future.
The annual ITWeb Security Summit will take place from 15 - 17 May 2012 at the Sandton Convention Centre. For more information and to book your seat, go to www.securitysummit.co.za.

 
EDITORIAL CONTACTS
ITP Communications
Leigh Angelo
(011) 869 9153
leigh@tradeprojects.co.za

[1713570821]

1713570821

[bulanula]

Probably FUD.

Sell all the BTC !

[julz]

see also the brief bio:

Frans Lategan is a security consultant with Absa Bank. His presentation, titled SHA256 vulnerabilities exposed by Bitcoin, will contextualise Bitcoin, discuss the technical workings of Bitcoin and SHA256, and look at divergences between expected and actual findings for SHA256.

(from http://www.itweb.co.za/index.php?option=com_content&view=article&id=50468)

So it seems the original title was 'SHA256 vulnerabilites exposed by Bitcoin'.

Ahh..  who would have thought bitcoin would be so useful to the banking industry as to help expose cryptographic weaknesses!? 

[BurtW]

Someone was paid by the banking industry to discredit Bitcoin?

(sarcasm attempt fail)

[Koekiemonster]

Someone was paid by the banking industry to discredit Bitcoin?

How does this discredit Bitcoin? 

[julz]

Someone was paid by the banking industry to discredit Bitcoin?

Doesn't seem that way to me.
Assuming he's correct... The bitcoin system has proved useful in revealing a minor issue with SHA256 ... which the banks (and military) also use.

Note that many US military systems are still in the process of migrating *to* SHA256.

It's highly unlikely that these surface scratches indicate a massive reduction in the security and utility of SHA256.
It's more a case of 'orderly migration' to something stronger - rather than 'panic exit'.

[Gabi]

FUD

Lol, bitcoin, wich has a market cap of less than 50 millions of $ discover a weakness that no one in all the world governments and banks and whatelse and trillions of $ discovered? Yeeeah sure. And what about Area 51? I've heard they have aliens there!!!

[Hawkix]

Bitcoin with its current hashrate may be the most powerfull SHA256 testing tool that has been running so far ...

[molecular]

Someone was paid by the banking industry to discredit Bitcoin?

Doesn't seem that way to me.
Assuming he's correct... The bitcoin system has proved useful in revealing a minor issue with SHA256 ... which the banks (and military) also use.

what minor issue?

[triplehelix]

any vulnerability can and will be verified.  why are so many so quick to write this off?  just because he works for a bank?

[DeathAndTaxes]

Frans Lategan, who will be one of the expert speakers at the annual ITWeb Security Summit, in May, says he will reveal for the first time at the Summit newly-discovered weaknesses in the gold standard cryptography.  Describing the vulnerabilities as “scratches in the paintwork, rather than a train smash”, Lategan says his findings nevertheless indicate that vulnerabilities can exist even in trusted algorithms in use to protect currency as valuable and widespread as Bitcoin.

Ok so it is only academic.  Obviosuly one wouldn't wait 2+ months to release findings on a flaw unless it is minor ...

Also I love the " protect currency as valuable and widespread as Bitcoin."  

Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

How exactly does he know Bitcoin has been a victim?  Unless he is talking about things like DDOS and thefts which have nothing to do with the vulnerability?

Hmm... Either he is full of shit trying to pump up his presentation ahead of the conference or his is the single most unethical cryptographer on the planet.

"I know of a vulnerability which is costing other money and undermining public trust in cryptography so I will wait for two months before telling anyone about it ... er I will tell me about it, just not what it is."

[Etlase2]

Also I love the " protect currency as valuable and widespread as Bitcoin."  

..

How exactly does he know Bitcoin has been a victim?  Unless he is talking about things like DDOS and thefts which have nothing to do with the vulnerability?

Hmm... Either he is full of shit trying to pump up his presentation ahead of the conference or his is the single most unethical cryptographer on the planet.

I love how on one hand you love what he said, then one sentence later you turn into a raving, rabid bitcoiner.

Obviously he was referring to other attacks. Does he really need to spell this out?

[ribuck]

why are so many so quick to write this off?  just because he works for a bank?

We are writing off this "news", because there isn't any news. At this point he's just pimping his conference presentation.

If he announces anything substantial, we can consider it on its merits.

[finway]

WangXiaoYun(王小云) uses 10 years to find the vulnerability of MD5 and SHA-1

This guy cracks SHA256, HE must be another WangXiaoYun!

[finway]

I guess the "vulnerability" of SHA256 may refers to BIP30 -- the same tx hash.


A Big Finding.

[triplehelix]

the guy himself said its just a scratch in the paint, not a deep rooted issue.

[Gabi]

Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

[triplehelix]

Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

you could argue that the worm stealing wallets was a direct attack on bitcoin.

[rjk]

Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

you could argue that the worm stealing wallets was a direct attack on bitcoin.

They didn't break the protocol.

[triplehelix]

Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

you could argue that the worm stealing wallets was a direct attack on bitcoin.

They didn't break the protocol.

no, but they exposed a weakness in the default client which is provided by the core dev team.