Bitcoin Forum
December 03, 2016, 04:49:54 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4]  All
  Print  
Author Topic: [ANN] Critical vulnerability (denial-of-service attack)  (Read 23344 times)
ludo0777
Jr. Member
*
Offline Offline

Activity: 42



View Profile WWW
June 12, 2012, 07:43:27 PM
 #61

"WARNING: Displayed transactions may not be correct!  You may need to
upgrade, or other nodes may need to upgrade."

 Shocked I had that message! I then tried to upgrade and nearly lost my wallet!

If I've helped you then tip me!
1Lz67YM8apN4sTVMPrQDbFhBQNsKqnAjCY

Play the game and win up to 22.5x your bitcoins!
http://bit.ly/MYXJ4x

Get Free Instant bitcoins every hour!
http://mycryptcoin.com/?rid=1Pk3K1ZfXzsZvfwnL1bZyU3bvWdBJhi8Nu
1480740594
Hero Member
*
Offline Offline

Posts: 1480740594

View Profile Personal Message (Offline)

Ignore
1480740594
Reply with quote  #2

1480740594
Report to moderator
1480740594
Hero Member
*
Offline Offline

Posts: 1480740594

View Profile Personal Message (Offline)

Ignore
1480740594
Reply with quote  #2

1480740594
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480740594
Hero Member
*
Offline Offline

Posts: 1480740594

View Profile Personal Message (Offline)

Ignore
1480740594
Reply with quote  #2

1480740594
Report to moderator
1480740594
Hero Member
*
Offline Offline

Posts: 1480740594

View Profile Personal Message (Offline)

Ignore
1480740594
Reply with quote  #2

1480740594
Report to moderator
1480740594
Hero Member
*
Offline Offline

Posts: 1480740594

View Profile Personal Message (Offline)

Ignore
1480740594
Reply with quote  #2

1480740594
Report to moderator
coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
June 13, 2012, 06:15:54 AM
 #62

I wanted to add here that it is worrying, how much power here is vested in developers. And as much of a great job they do, they do make mistakes. Every time I have to upgrade, there is always a thought on the back of my mind - what if there is a vulnerability or exploit? Even worse is that even those of us who don't upgrade for that reason still depend on the 50% of other nodes to be not vulnerable

This doesn't bother me one bit as I keep most of my coin on paper wallets.  My exposure to a client bug is always limited to the amount of coin I have online at any given time.

I wish the idea of putting bitcoins on paper had more favor with the developers and was considered an important feature for the client.  "Click File, Print, Print Money.  Be your own bank."  Specifically, having the private key sweep/import feature exposed in the UI and for it to not need a full blockchain scan to execute would go a long way toward users ability to protect themselves from risks, including future client bugs.  The more this feature is offered by lightweight clients, the fewer full bitcoind nodes there are going to be on the network as people choose those other clients.

And this is what you don't realize, and many people don't either. With too-widespread software flaw, you can lose bitcoin EVEN if nobody picks your private key, or hacks into your PC. The bitcoin network is only as good as the software. If there is a critical bug introduced, and too many people use the client that has this bug, you could push through any transaction you want. Those would technically be invalid transactions, and clients not affected by bug would reject them, but if too many clients will accept, it will become de-facto a new block. And once a bunch of blocks are stacked over invalid block, it will be practically impossible to rollback. So, your paper money would lose the balance and you wouldn't even know.

This is why, to my mind, it is so important to have the most basic, the most minimal client possible.

Command line daemon could have been it, but unfortunately there are known, 100% reproducible bugs in it, such as this one, that have been there for years, and nobody would put a permanent fix. I realize, I'm jumping from a critical bug scenario to the one of real low priority, but bugs like that are the reason not too many UIs exist for a daemon

GPG key: 6F8E305690A05365B58C50A
Luke-Jr
Legendary
*
Offline Offline

Activity: 2086



View Profile
June 13, 2012, 06:48:40 AM
 #63

With too-widespread software flaw, you can lose bitcoin EVEN if nobody picks your private key, or hacks into your PC. The bitcoin network is only as good as the software. If there is a critical bug introduced, and too many people use the client that has this bug, you could push through any transaction you want. Those would technically be invalid transactions, and clients not affected by bug would reject them, but if too many clients will accept, it will become de-facto a new block. And once a bunch of blocks are stacked over invalid block, it will be practically impossible to rollback. So, your paper money would lose the balance and you wouldn't even know.
Bitcoin has had to rolled back up to 53 blocks before (CVE-2010-5139), so I wouldn't say it's impossible. Integrity of the currency comes before miners' income.

coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
June 13, 2012, 02:39:26 PM
 #64

With too-widespread software flaw, you can lose bitcoin EVEN if nobody picks your private key, or hacks into your PC. The bitcoin network is only as good as the software. If there is a critical bug introduced, and too many people use the client that has this bug, you could push through any transaction you want. Those would technically be invalid transactions, and clients not affected by bug would reject them, but if too many clients will accept, it will become de-facto a new block. And once a bunch of blocks are stacked over invalid block, it will be practically impossible to rollback. So, your paper money would lose the balance and you wouldn't even know.
Bitcoin has had to rolled back up to 53 blocks before (CVE-2010-5139), so I wouldn't say it's impossible. Integrity of the currency comes before miners' income.

Interesting!!!! I didn't realize that actually have already happened once. So, I guess, that illustrates my point very nicely, how much the whole community depends on a small number of developers. It is very good to know that they already handled such situation appropriately, kudos to devs.

Yet, it also confirms that there ARE reasons to be concerned. We are all humans, and there are organizations out there, which wield significant power, and can put enormous pressure on a person. There would be significantly more certainty if there was a client, code of which never gets touched.


GPG key: 6F8E305690A05365B58C50A
Pages: « 1 2 3 [4]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!