How did you initially discover the issue with the reused R values on Blockchain.info?
I have a script that I run regularly that scans for repeated R values. There has been another program producing them since September, so I got into the habit of watching that daily. The problem is not new to me; I have followed it since April 2013. The program I use is my own, which I wrote in 2013.
What program was this, and how many bitcoins did you sweep out of those addresses?
The one in summer 2013 was the Android bug, the buggy RNG [Random Number Generator]. I didn’t sweep much, a few mBTC, but others were doing it as well. That it was Android I only noticed when I searched for one of the broken addresses and found a post at bitcointalk. This was when I created the [bitcointalk] account. I told him that his program was buggy and asked him which [bitcoin client] he used.
Which wallet would you recommend for the average user of Bitcoin that combines security with ease of use?
For small amounts of money one can probably use anything that one finds convenient. I would suggest using tools that use deterministic wallets, so that one doesn’t have to worry so much about backups. Of course, if one uses a program on the desktop, one should set a wallet password and keep the machine clean of malware. For larger amounts that one doesn’t need to access regularly, a paper wallet should be used, preferably with the key generated on an offline computer. I use my Trezor for this, though.
What is your opinion on the security of Blockchain.info’s webwallet following these incidents?
The bug shows that there is a problem. The patch was changing security-critical code and it should have been reviewed more thoroughly. It was just a missing variable initialisation; careful inspection of the code should have revealed it. JavaScript is also not really meant for programming security-critical applications. For example, it has no type checking.
How did you verify that the addresses you swept were generated on Blockchain.info?
If an address was generated on Blockchain.info on that day, it was produced by the random number generator, so it was in my list of random numbers. But I could also attack addresses from which money was spent on that day; in that case the signature contains one random number from my list. I actually didn’t check whether I accidentally broke an address that wasn’t related to this problem. There is still some other tool producing the duplicated R values, and I’m still wondering which.
But if it happened, they should see the note that they should contact Blockchain support. So it is okay.
I’m thinking I found most of the money, but I know that 105.9 BTC were stolen already in the evening (probably by some lucky guy who accidentally created the same address).
Can you explain a bit more about this other program producing duplicated R values?
We are still wondering about it. It has a different pattern: it uses a random R value, but it uses it in one transaction for all inputs. amaclin analyzed some of the transactions and said that they spent to a BTC-e address, but we don’t know much more. Since the program is usually not reusing keys often, there have not been so many broken keys, and I think only very few swept accounts. I think I still have 0.9 BTC from one account, so if we ever find out [which program has the issue] I will offer it back.
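The interview mentions two distinct reuse patterns: the same R value showing up in signatures of the same key across transactions (the Blockchain.info RNG failure, which exposes the private key) and a single random R reused for every input within one transaction (the still-unidentified second program). The scanner below, an added example written for this page and not the interviewee's own script, parses DER-encoded ECDSA signatures, groups them by R, and labels each repeat with which of the two patterns it matches. All transaction ids, public keys and R values are constructed placeholders; the DER encoder exists only to build those samples.

```python
"""Detect repeated ECDSA R values across a batch of Bitcoin-style transactions.

Added example, not from the original interview. Input is a list of
(txid, [(pubkey_hex, der_signature_bytes), ...]); all sample data below is constructed.
"""
from collections import defaultdict


def encode_der(r: int, s: int) -> bytes:
    """Encode (r, s) as DER SEQUENCE { INTEGER r, INTEGER s }. Used here only to build samples."""
    def integer(x: int) -> bytes:
        body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
        if body[0] & 0x80:          # DER INTEGER is signed: pad so the value stays positive
            body = b"\x00" + body
        return b"\x02" + bytes([len(body)]) + body
    payload = integer(r) + integer(s)
    return b"\x30" + bytes([len(payload)]) + payload


def parse_der(sig: bytes) -> tuple[int, int]:
    """Return (r, s) from a DER signature; a trailing sighash byte, if present, is ignored."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    payload = sig[2:2 + sig[1]]          # length byte covers r and s but not the sighash flag
    values, pos = [], 0
    for _ in range(2):
        if pos + 2 > len(payload) or payload[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = payload[pos + 1]
        values.append(int.from_bytes(payload[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(payload):
        raise ValueError("trailing bytes inside SEQUENCE")
    return values[0], values[1]


def find_repeated_r(transactions):
    """Group every signature by its R value and report the ones seen more than once.

    same_key:  the same public key signed twice with this R (private key is recoverable)
    single_tx: every use of this R sits inside one transaction (the "one R for all inputs" pattern)
    """
    uses = defaultdict(list)
    for txid, inputs in transactions:
        for pubkey, sig in inputs:
            r, _ = parse_der(sig)
            uses[r].append((txid, pubkey))
    report = {}
    for r, where in uses.items():
        if len(where) < 2:
            continue
        report[r] = {
            "same_key": len({pk for _, pk in where}) < len(where),
            "single_tx": len({tx for tx, _ in where}) == 1,
            "uses": where,
        }
    return report


# Constructed sample R values (real ones are 32 bytes; these are shortened for readability).
R1 = 0xC2D4E6F8A1B3C5D7   # reused by one key across two transactions
R2 = 0x1A2B3C4D5E6F7081   # one R shared by all inputs of a single transaction
R3 = 0x7F0E1D2C3B4A5968   # used once, should not be reported

# Constructed transactions: placeholder txids and public keys, not real chain data.
SAMPLE_TXS = [
    ("tx_a", [("02key1", encode_der(R1, 0x11))]),
    ("tx_b", [("02key1", encode_der(R1, 0x22) + b"\x01")]),   # with SIGHASH_ALL byte appended
    ("tx_c", [("03key2", encode_der(R2, 0x33)),
              ("02key3", encode_der(R2, 0x44)),
              ("03key4", encode_der(R2, 0x55))]),
    ("tx_d", [("02key5", encode_der(R3, 0x66))]),
]


def scan_sample():
    """Run the scanner over the constructed batch and return its report."""
    return find_repeated_r(SAMPLE_TXS)


if __name__ == "__main__":
    for r, info in scan_sample().items():
        pattern = "same key, cross-tx" if info["same_key"] else (
            "one R for all inputs" if info["single_tx"] else "shared R, different keys")
        print(f"R={r:x}: {pattern}, used in {[tx for tx, _ in info['uses']]}")
```

Against real data the interesting cases are the `same_key` hits, since a second signature under the same key with the same R is enough to derive that key; a `single_tx` hit with different keys is the second pattern from the interview and points to a wallet whose nonce generation is shared across inputs rather than per signature.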