The Era of Irresponsibility Is Coming to An End?

A wind of change is blowing inside the bitcoin community.

For many years the dominant ideology in the bitcoin community was that open source software such as bitcoin is “secure”, and that you need to trust the infinite wisdom of the crowd, who will find all the bugs and fix them, the wisdom of the anonymous founder of bitcoin, who predicted all the attacks in advance, the wisdom of bitcoin developers, etc.

At the same time the bitcoin community carefully avoided engaging with security professionals, university professors and other experts. External criticism was not well received, and people were misled and badly informed about 51% attacks. Technology push dominated, and technical issues such as bitcoin speed or crypto issues were systematically swept under the carpet. The bitcoin system and network have remained in a state of systemic, chronic under-development. The press and the media were poorly informed about the issues and sometimes focused on fake security problems which do not have the slightest practical importance (for example when miners are assumed to be innocent and never trying to do any harm). In bitcoin journalism, serious security issues are typically discussed only after it is too late, after bitcoins have been stolen. What about preventive security engineering?

In the private sector people spend billions on security and they frequently fail to secure their systems. Now in bitcoin, a bunch of people who are not paid for their efforts will make it secure?

Things are changing. There are very strong signals that shoddy security, minimizing the risks, poor security expertise, bad software, bad security engineering practices, and avoiding talking about serious security problems (or exaggerating less essential problems) will no longer be tolerated. An open reflection about how to secure bitcoin, engaging serious security professionals, has started. There is a new C4 consortium which includes people like Peter Todd, who have in the past strongly criticized the careless attitude of others in the bitcoin community. They are developing standards of professional and ethical behaviour(!). It looks like a genuine effort to improve the security culture in bitcoin.

A big day for bitcoin!

Imitation Game Movie – Is A Single Fact Related By This Movie Actually True?

Dr Sue Black [UCL, the activist who saved Bletchley Park] explains how much the true story of breaking Enigma during WW2 is not at all what the movie shows us, and explains that, though so many things in the movie are totally historically inaccurate, it would be very difficult to tell the real story of Turing’s life in a 2-hour movie.

On the contrary, having watched the movie myself, it seems to me that never ever telling us the actual truth is somewhat a deliberate choice here.

One of the main points in this movie is that code breaking activity works better if you are able to conceal the truth… to the point where maybe your boss would not know what you are doing.

This is another remarkable inaccuracy in this movie. It is clear that the bosses of Alan Turing knew very well what he (and others) had achieved, and how it was achieved. However, it is also very true that there was some sort of latent war between Turing and his management, and that Turing was not very easy to manage. Cryptologists were brave, had to shoulder a lot of responsibility and helped each other, and did the right thing many times, sometimes against all odds, and sometimes against the management.

Turing worked in the company of people who were capable of concealing the truth about their work for years and whole decades. If Turing himself perhaps did not do such things, others did… We know numerous examples.

For example, most US presidents didn’t know, for decades, what the NSA was doing with the money they requested (e.g. operation Venona). Politicians were not trusted enough to ever be told the whole truth.

Another known example is the fact that the Polish code-breakers during WW2 concealed 50% of all decrypted messages from French intelligence, a whole lot of important and valuable intelligence, and this was kept secret for a period of 30 years, even though they were working on French territory and were paid by the French intelligence services. Apart from the fact that a number of people who had knowledge of these things died in mysterious circumstances during and after WW2, this is perfectly normal.
Quite interestingly, the code breakers nevertheless shared their expertise, achievements and countless concrete daily keys with Bletchley Park and Turing himself. For example, on one day in early 1940 the code breakers at BP were really desperate: they could not read a single Enigma message in spite of all their efforts… The solution was that Turing was sent to France on 17 January 1940 to meet his friends. This came after the head of British intelligence, Stewart Menzies, had asked French colonel Rivet (on 10 January, exactly 75 years ago!!!) to send the Polish cryptologists to BP, which was refused, and after Dilly Knox had threatened his management (in writing) with quitting his job if they would not agree to allow Turing to travel to France. In a few hours his problem was solved… Thus the first wartime decryption of Enigma took place on January 17th, in France, in the presence of Turing, conducted by Rejewski, and with a set of Zygalski’s sheets manufactured by the British and graciously offered to the Polish-French code breaking service by Turing, which was basically what they had promised to deliver much earlier.

This early success had many fathers. (Later in 1940, very substantial developments made this attack obsolete, and better attacks were invented and implemented by the rising new generation of cryptologists such as Turing and Welchman.)

This movie is a strong signal for the security community and for people who aspire to work in it. Churchill used to say “truth is so precious that she should be attended by a bodyguard of lies”. Some people naively believed that this era is over… In reality it is back and stronger than ever. It is in the DNA of the security community.

Speculation About The New Theft – 5 Million Dollars Stolen

Nobody yet knows how 5 million dollars in bitcoins were stolen from Bitstamp (reported on 5 Jan 2015). One expert report by Ferrin can be found here; however, it is not clear whether anybody knows at all HOW these bitcoins were stolen. The bitcoin address of the thief is also known.
Possibly the bitcoins could have been stolen using one of the advanced attacks described in our recent paper. However, they could also have been stolen by another, more basic technique. Many bitcoin systems, and also many bitcoin cryptographic schemes, standards and protocols, are notorious for shoddy security.

Now At Least 200,000 USD Stolen From Blockchain.Info Wallets

It appears that at least 100,000 USD were recently stolen from Blockchain.info wallets.
Then a lot more was stolen again, as reported on 15 Dec.

Let us make sure that we understand these events properly.

Historical Background

Bad random events in the blockchain have been known since January 2013. We have written on this topic amply, monitored these events for 18+ months, see also here, and more generally we have studied this topic for many years. A certain anonymous hacker johoe has also been monitoring these for 1 year and posted about these in forums in April 2014.

We have also already warned the public about poor security practice at blockchain.info wallets in recent weeks here.

The December 2014 Incident at Blockchain.info

There was a bug in the source code which was around for a few hours and was still active afterwards, after remaining in a browser’s cache. The source code can be studied here.

The white-hat hacker johoe has programmed a script which allows him to steal these bitcoins as soon as they appear on the blockchain, in order to prevent other people from swiping them, as he claims. He has pledged to return these bitcoins to their rightful owners. He has apparently already returned 267 BTC (225 BTC + some more) to blockchain.info, which will then handle customer complaints and return the money.
Then a lot more, at least 300 BTC, was stolen again by the same hacker, as reported on 15 Dec.

Possibly no harm was done, except that what johoe did is not quite legal; yet it is possibly the ethical thing to do, rather than leaving these bitcoins to be stolen by others.

Be Warned

The sad reality is that the problem is wider than it seems and it is wider than the current commentators are willing to tell the public.

As has frequently happened before in the bitcoin community, journalists have NOT done a good job at educating and warning the public about potential thefts, and as such they share some responsibility for these thefts. On the contrary, bitcoin owners have been exposed to a lot of re-assuring technology push in recent days, while at the same time the thefts were going on and the public has NOT been sufficiently warned about the risks. It is almost as if the public is only ever warned about thefts after bitcoins are stolen. Too bad.

What about warning the public BEFORE the thefts happen not after?

More Advanced Attacks

We risk repeating ourselves, but this business is NOT only about bad random attacks; there are lots of more advanced attacks which are likely to bite in the near future.

We recommend reading this paper to get a glimpse of further, more advanced threats and attacks.

Dodgy Security Advice by a Thief

Now very interestingly, the thief recommends “a client that employs HD (hierarchical deterministic) wallets, such as Bread Wallet on iOS and Armory, Electrum or Wallet32 on Android”, cf. here.

Is he not aware that these solutions can lead to thefts at a much larger scale? Again, please read the paper.

Block Withholding Attacks – Recent Research

In a recent paper, Ittay Eyal from Cornell University takes block withholding attacks to the next level. Very interesting work. We are going to decrypt and clarify a few things regarding this paper and how it relates to other previously published works (in particular our paper).

The Invention of Block Withholding

The danger of a block withholding attack is more or less as old as Bitcoin pools, and two specific versions of this attack were already described by Rosenfeld in 2011. In a nutshell, a block withholding attack is a method to sabotage the revenue of a pool, in which the attacker mines normally but does not send the winning blocks to the pool. The miner sends shares routinely as normal and is paid for his effort like any other user; however, in the excessively rare cases in which the attacker mines a winning block, he does NOT send it to the pool, he simply destroys this block (he cannot use it in any way, as typically the block pays the reward not to the miner but to one or more specific bitcoin addresses decided and controlled by the pool). This decreases the pool revenue, but does not decrease the percentage of this revenue which will be paid to the attacker. The attacker is paid more or less as usual. Because the events in which a block is actually mined are excessively rare from the point of view of individual miners, and have a very large standard deviation (see Section IV-B here), such attacks are in practice extremely difficult to detect (unless the attacker is not very clever, see the Discussion below).

Can Block Withholding Be Profitable?

In the new paper we read: “Early work did not address the possibility of pools infiltrating other pools for block withholding” and that “Courtois and Bahack have recently noted that a pool can increase its overall revenue with block withholding”.
This is a bit of an understatement. Basically, many authors failed to see that a block withholding attack could be profitable at all, which is one of the main results of the Courtois and Bahack paper here, and many authors have naively claimed that nobody would execute such an attack… because it is not profitable. This includes the author of the new paper himself, who has also written that “the attacker does not gain any direct benefit by performing the attack” and that “it’s purely destructive”, even though at that moment a large scale attack of this type had already been executed against a major pool, which could suggest that the attacker had a reason to run such an attack.

Now finally the author has changed his mind, and in the conclusion he says:
“We observe that no-pool-attacks is not a Nash equilibrium: If none of the other pools attack, a pool can increase its revenue by attacking the others” (which was first discovered in our paper here).

New Developments

The new paper considers further, more complex scenarios where several miners are trying to cheat simultaneously, which decreases the incentives for the attack and might potentially convince the miners to be honest.

We agree with this diagnosis.

Discussion

Now the new paper also claims that this “would push miners to join private pools which can verify that their registered miners do not withhold blocks”.

This is not very likely. No pool can ever detect such attacks if they are done correctly.

In our paper we clearly show that these attacks can be executed in such a way that they are near-impossible to detect in practice, or at least that it is impossible for a large pool to ever identify exactly which user might be cheating.
In a recent real-life large scale attack on Eligius (June 2014) the attacker(s) basically mined hundreds of bitcoins with just two bitcoin addresses, which made detection possible, as these addresses had mined a very large number of shares, and after a certain time it is unlikely that they would not have mined a valid block.
Had the attacker(s) been more careful, fragmenting their block withholding attack and using many different accounts, they would never have been identified and their money could not have been seized by the pool managers.
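To make the two points above concrete, here is a small Python script I am adding to this post (it is my own code, not taken from either paper). It contains a toy revenue model of the kind used in these papers, in which an attacking pool of hash rate x redirects a fraction y of its hash rate into an honest victim pool of hash rate p and withholds every full block it finds there, and the pool-side statistical check which, as explained above, only has power against accounts that have already submitted a very large number of shares without ever producing a block. All hash rate fractions, share counts and difficulties are constructed numbers, and the function names are mine.

```python
import math

def attacker_revenue(x, p, y):
    """Expected revenue (as a fraction of the total block reward) of an
    attacking pool with network hash rate fraction x that sends a fraction y
    of its hash rate into an honest victim pool of hash rate p and withholds
    every full block found there.

    Simplified model (my own, in the spirit of the papers discussed):
    withheld blocks vanish, so the effective network hash rate shrinks to
    1 - x*y; the victim pays its members pro rata by shares, i.e. by hash
    rate, so the infiltrating hash rate is still paid although it earns the
    victim nothing.
    """
    if not (0.0 <= y <= 1.0 and x > 0.0 and p > 0.0 and x + p <= 1.0):
        raise ValueError("x and p must be positive hash-rate fractions, 0 <= y <= 1")
    infiltrating = x * y
    effective = 1.0 - infiltrating                      # hash rate that still produces blocks
    direct = x * (1.0 - y) / effective                  # attacker's own, honestly published blocks
    victim_revenue = p / effective                      # victim only finds its honest blocks
    share_of_victim = infiltrating / (p + infiltrating)  # paid by shares, not by blocks found
    return direct + share_of_victim * victim_revenue

def best_attack_fraction(x, p, steps=1000):
    """Grid search over y; returns (y, revenue) maximising attacker_revenue."""
    best = (0.0, attacker_revenue(x, p, 0.0))
    for i in range(1, steps + 1):
        y = i / steps
        rev = attacker_revenue(x, p, y)
        if rev > best[1]:
            best = (y, rev)
    return best

def prob_no_block(shares, share_difficulty, network_difficulty):
    """Pool-side statistic: probability that an honest account submitting
    `shares` shares, each at `share_difficulty`, never finds a full block,
    when a share is a full block with probability share_difficulty /
    network_difficulty. A tiny value is suspicious."""
    q = share_difficulty / network_difficulty
    return (1.0 - q) ** shares  # approximately exp(-shares * q)

def flag_accounts(accounts, share_difficulty, network_difficulty, threshold=0.01):
    """accounts: {name: (shares_submitted, full_blocks_found)}.
    Returns, in input order, the accounts that found zero blocks although
    honest mining would make that outcome rarer than `threshold`."""
    return [name for name, (shares, blocks) in accounts.items()
            if blocks == 0 and prob_no_block(shares, share_difficulty, network_difficulty) < threshold]

if __name__ == "__main__":
    # Constructed scenario: attacker has 20% of the network, victim pool 30%.
    print("honest revenue:", attacker_revenue(0.2, 0.3, 0.0))
    print("revenue with y=0.1:", attacker_revenue(0.2, 0.3, 0.1))
    print("best y, revenue:", best_attack_fraction(0.2, 0.3))
    # Constructed difficulties: one share in a million is a full block.
    SHARE_DIFF, NET_DIFF = 1, 1_000_000
    two_big = {"big1": (5_000_000, 0), "big2": (5_000_000, 0), "honest_big": (5_000_000, 4)}
    many_small = {f"small{i}": (100_000, 0) for i in range(100)}
    print("flagged (two large accounts):", flag_accounts(two_big, SHARE_DIFF, NET_DIFF))
    print("flagged (same work over 100 accounts):", flag_accounts(many_small, SHARE_DIFF, NET_DIFF))
    print("P(no block | 5e6 shares) ~ exp(-5) =", math.exp(-5))
```

Running the script shows that even a small y lifts the attacker's revenue above its honest revenue x, which is the Nash-equilibrium point quoted above, and that the zero-block check flags the two large accounts of the Eligius-style example while the same amount of work spread over a hundred small accounts is flagged nowhere, which is exactly the detection limit discussed above.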

ADDED in 2020: the new Stratum protocol will have some protection against hash redirection attacks.

Can Bitcoin Users Hope To Remain Anonymous

There is very little hope.

Here is the latest revision (November 2014) of the recent paper on this topic (May 2014) which explains how anyone can link seemingly anonymous bitcoin accounts to IP addresses.

These recent de-anonymization techniques can be easily implemented, and are also expected to distinguish between different users who share the same IP address and are hidden behind NAT.

Bitcoin and TOR

In addition, the authors describe a technique to make bitcoin clients ban IP addresses which correspond to TOR exit nodes, so that no one in the bitcoin network would be able to increase their anonymity by using TOR. In general, two of the authors have published another dedicated paper (October 2014) in which they claim that using Bitcoin over TOR is actually a bad idea.

More Bad Randoms In Bitcoin Blockchain

Bad random events are still happening in the bitcoin blockchain; such events are observed on a regular basis.
They are probably due to some as yet unpatched software (cf. the section Mitigation Points here).

Here is the latest such event at the time of writing; it occurred on 29 November 2014, see here.
Two different bitcoin private keys were used with the same random number, so that the value r = 695667597cf77bfcfd6df2d65b250531c5af7d5730b4385d77d5d300a81ab717 (in hex) appears in two distinct ECDSA signatures.

More Repeated Random Events

Here is a more complete list of repeated random events in bitcoin blockchain.

How Bad Can This Get?

In both events, of 26 and 29 November, the same 256-bit random number was used twice in the same transaction. However, the good news is:

  • In both cases, the same random was used with two different private keys, which does not facilitate theft by an outside party. Following the recent paper on this topic, with two different private keys, the owner of each private key could steal the bitcoins of the other owner.
  • Possibly both keys belong to the same person (they are used in the same transaction); in this case there is potentially no harm other than a loss of privacy/anonymity.
  • In all such recent events known to us there are no bitcoins which can be stolen; the funds have already been transferred to other accounts and 0 BTC is left in the vulnerable accounts.
  • So we are not at all in the situation from 2013 where bitcoins could be stolen by anyone, cf. here. Interestingly, those stolen bitcoins have not been spent so far.

So possibly there is no harm.
Now the bad news is:

  • There is no harm… unless both keys were derived using BIP032!
    Then there are various recent combination attacks.
    The result can be very bad: lots of bitcoins could be stolen from lots of accounts, not only the two accounts involved in the problematic transactions themselves.
    For more details, see the paper.
  • Moreover, in addition to repeated random events, which are visible in the blockchain, there are also related random events, much harder to detect in the blockchain, until possibly it is too late. Again, see the paper (we have not yet disclosed an efficient method to find such events; it will appear in a future update of the paper).
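As an added illustration of the two posts above (the 29 November event and the "same key versus two different keys" distinction), here is a Python script of my own, not code from the paper or from any blockchain tool mentioned: it parses the DER-encoded ECDSA signatures found in Bitcoin scriptSigs, looks for r values that occur in more than one signature, and sorts each hit into the two cases discussed, the same public key signing twice with the same random, or two different keys sharing one random as in the 26 and 29 November transactions. The transaction ids, public keys and s values below are constructed test data; only the r value is the one from the 29 November event quoted above.

```python
from collections import defaultdict

# r value of the 29 November 2014 event quoted in the post above
R_29_NOV_2014 = "695667597cf77bfcfd6df2d65b250531c5af7d5730b4385d77d5d300a81ab717"

def parse_der_signature(sig_hex):
    """Parse a Bitcoin scriptSig signature: DER SEQUENCE { INTEGER r, INTEGER s }
    followed by one SIGHASH byte. Returns (r, s) as ints. Rejects malformed
    input; tolerates the 0x00 byte DER prepends to integers with the high bit set."""
    b = bytes.fromhex(sig_hex)
    if len(b) < 9 or b[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = b[1]
    if seq_len != len(b) - 3:          # 2 header bytes + 1 trailing sighash byte
        raise ValueError("bad sequence length")

    def read_int(pos):
        if b[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = b[pos + 1]
        if n == 0 or pos + 2 + n > len(b) - 1:
            raise ValueError("bad integer length")
        return int.from_bytes(b[pos + 2:pos + 2 + n], "big"), pos + 2 + n

    r, pos = read_int(2)
    s, pos = read_int(pos)
    if pos != len(b) - 1:
        raise ValueError("trailing bytes before sighash")
    return r, s

def der_encode(r, s, sighash=0x01):
    """Inverse of parse_der_signature; used here only to build the sample inputs."""
    def enc_int(v):
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if raw[0] & 0x80:
            raw = b"\x00" + raw        # keep the integer positive in DER
        return b"\x02" + bytes([len(raw)]) + raw
    body = enc_int(r) + enc_int(s)
    return (b"\x30" + bytes([len(body)]) + body + bytes([sighash])).hex()

def find_repeated_r(signatures):
    """signatures: iterable of dicts {txid, vin, pubkey, sig} (sig as hex).
    Returns {r: {"uses": [...], "kind": "same-key" | "different-keys"}} for
    every r that appears in more than one signature."""
    by_r = defaultdict(list)
    for entry in signatures:
        r, _s = parse_der_signature(entry["sig"])
        by_r[r].append(entry)
    report = {}
    for r, uses in by_r.items():
        if len(uses) < 2:
            continue
        keys = {u["pubkey"] for u in uses}
        report[r] = {"uses": uses,
                     "kind": "same-key" if len(keys) == 1 else "different-keys"}
    return report

# Constructed sample: two inputs of one transaction share the 29 Nov r value
# under two different (made-up) public keys; a third signature is unrelated.
PK_A = "02" + "11" * 32   # constructed compressed public keys, not real ones
PK_B = "03" + "22" * 32
SAMPLE = [
    {"txid": "tx_constructed_1", "vin": 0, "pubkey": PK_A,
     "sig": der_encode(int(R_29_NOV_2014, 16), int("5a" * 32, 16))},
    {"txid": "tx_constructed_1", "vin": 1, "pubkey": PK_B,
     "sig": der_encode(int(R_29_NOV_2014, 16), int("1b" * 32, 16))},
    {"txid": "tx_constructed_2", "vin": 0, "pubkey": PK_A,
     "sig": der_encode(int("7f" * 32, 16), int("c3" * 32, 16))},
]

if __name__ == "__main__":
    for r, hit in find_repeated_r(SAMPLE).items():
        print(f"r={r:064x} used {len(hit['uses'])} times ({hit['kind']}):")
        for u in hit["uses"]:
            print(f"   {u['txid']} input {u['vin']} pubkey {u['pubkey'][:10]}...")
```

On real data the `sig` field is the first push of each P2PKH scriptSig and `pubkey` the second; the scan is linear in the number of signatures, so it is cheap to run over the whole chain, and a "same-key" hit is the 2013-style case where anyone can compute the private key, while a "different-keys" hit is the case of the 26 and 29 November transactions.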

Regin Malware Watches Cryptographers Among Other High Profile Targets

Regin is a highly targeted malware designed to watch over just a handful of targets, with only around 100 infections uncovered since 2008, including the famous cryptographer Jean-Jacques Quisquater. It entails “a degree of technical competence rarely seen,” according to Symantec.

Targeted Surveillance

Known targets are government bodies, banks, small businesses and academics.
Quisquater was targeted directly, which was discovered only after the federal police probed his machine thoroughly, as the initial scans showed no signs of malware. According to Quisquater:
“The used malware is very clever, very difficult to detect, nearly impossible to remove… In fact the malware was only active when I was outside my home.” He also says that he was “not alone to be attacked in such a way”, and that “Maybe the cryptography research is under surveillance”. More on the Quisquater event.

The Regin Malware

Regin is Windows spyware which saves some of its code in the Windows registry. Infection takes many stages. There is a “dropper”, a Trojan horse which can be installed by visiting a compromised website (the initial infection); then the dropper determines the OS and installs more malware designed for taking screenshots, stealing passwords, monitoring the network and controlling the mouse.
Russia’s Kaspersky Lab said that Regin also infected cellular phone base stations. In one unnamed Middle Eastern country, Regin apparently created its own private peer-to-peer network, in which the nodes included the office of the country’s president, a bank, an educational institution and a research facility.

Who Is Behind These High-Profile Targeted Attacks?

Regin has been in operation since 2008/2009. Earlier in 2014 it became famous because Jean-Jacques Quisquater had been hit by this malware, which was found during the investigations related to an alleged GCHQ attack on the Belgian ISP Belgacom. Yet until now Quisquater and many other people told us that these attacks probably did not come from the NSA/GCHQ. However, now, after more careful analysis by many experts, we are told that it is really very advanced and clearly related to the targeted attack programs described by Snowden. Erik de Jong claims it does come from the NSA/GCHQ, and the analysis of timestamps in the files shows that the developers start working at 10AM UK time. F-Secure have also stated in a blog post that this malware clearly “isn’t coming from Russia or China.”

Saving Bitcoin From Destruction

At last… there is a sensible solution proposed which should allow bitcoin to survive and thrive in the future.

There is a new paper (22 October 2014) which revisits the concept of side chains and takes it to a new level. The idea of sidechains is not new; the problem is, was it ever taken seriously? Now it seems to suddenly gather enough support from core bitcoin developers and the Bitcoin Foundation. This changes everything in my opinion.

The brilliant solution is … to move bitcoins out of the bitcoin blockchain to a sidechain, in such a way that they can be moved back later. A complete separation between bitcoins (redeemable units of account) and the bitcoin blockchain (bitcoins could live on another blockchain).

Why is this such a great idea?

  • One reason to switch to a different blockchain could be that current bitcoin is so terribly slow, even though it would be relatively easy to fix.
  • Or that the bitcoin scripting language is not Turing-complete (cf. Ethereum).
  • Or that bitcoin is not very anonymous.
  • Multiple blockchains partly solve the problem of the growing blockchain size.
  • However, in our opinion the most exciting idea about sidechains is that they will be isolated, distinct security domains.

So IF there is a “cryptographic break (or malicious design)”, which is clearly one of the main motivations to introduce side-chains in the abstract of the paper, at least bitcoins in another bitcoin blockchain can still survive. The same holds in case of some form of 51% attack on one blockchain, which is another hugely underestimated risk and threat today.

Sidechains are expected to make bitcoin much more robust against attacks than ever before. Well, at least for the fraction of bitcoins stored in well-chosen places. However, at least developers who want to make bitcoins more secure than they are now will be allowed to do so!

Sidechains should also allow for more advanced cryptography to enter bitcoin space, therefore this paper is probably simply the most significant paper about bitcoin since Satoshi.

Let The Better SideChain Win

The paper also anticipates that one of the freshly created bitcoin blockchains may soon become MORE popular than the current bitcoin blockchain. For example, it is easy to imagine that 90% of people will move ALL their bitcoins to another blockchain, just because these new blockchains will be faster, offer additional functionality, etc.

This also applies to security. Quite strangely, the authors of the paper hypothesise that it would be one of the newly created sidechains which would be weak, or some sort of dangerous experiment with the security of our bitcoins. In reality the opposite could be argued. Maybe bitcoin will be systematically more dangerous.

Developers of sidechains can get a lot of help:

  • they can benefit from all the positive experience of current bitcoin developers, import their existing source code, and make it better;
  • unlike with many altcoins which had serious problems in the past, with merged mining it is not necessarily true that these blockchains will be any more vulnerable to 51% attacks than bitcoin is now;
  • sidechains could be developed easily on top of any more advanced platform such as Ethereum, which could already (or later) offer vastly superior security and cryptography, for example because Ethereum employs two very good academic cryptography expert advisers.

So far it is the current bitcoin which has been notorious for playing with fire:

So possibly, new sidechains can be systematically better and more secure than bitcoin! At the end of the day, a lot of people will be tempted to move their bitcoins to some fancy new blockchains.

New Threats?

Of course there is also the possibility that some whole new sidechains will be developed with criminal intent from the start… Well, this is not a new risk, we already have this problem: current bitcoin has an anonymous author and a dodgy elliptic curve, and there is already a plethora of other open source currencies, some of which are rather problematic.

Conclusion: Better Prospects for Bitcoin

All this should have huge consequences and overall my conclusion is very positive.

Sidechains are the best thing which could happen to bitcoin ever. It takes bitcoin to a new dimension.

Sidechains should allow a lot more innovation and security inside bitcoin, not outside bitcoin as it was in the past few years. Inevitably, on the fundamental side, IF such bi-directional transfers are allowed by the current bitcoin software (this is not guaranteed to happen yet), this should increase the value proposition of bitcoin, as a system, network, brand, place to put savings in, etc.

It should also bring more peace to the bitcoin community: remove most of the exacerbated competition and rivalry between bitcoin and different alt-coins, and between different technology solutions. For example, maybe very soon there will be bitcoins living on the DogeCoin blockchain, being spent running some fancy scripts with advanced cryptography which were initially meant to run on Ethereum.