author Peter Todd <pete@petertodd.org> 2014-02-10 14:40:32 -0500
committer bitcoindev <bitcoindev@gnusha.org> 2014-02-10 19:41:15 +0000
commit 9f15ac0c4011b924b500d937633f2ccad3a384ef
tree e56e24e45eacf823b0af0e75bf1d6b80a4c97fb4
parent 9a09406522eb7c2a99a50ffc65aa06d57998cc93
Re: [Bitcoin-development] MtGox blames bitcoin
-rw-r--r-- b8/3eddd1e3431624d73c25180a079967f9c22d15 138
1 files changed, 138 insertions, 0 deletions
diff --git a/b8/3eddd1e3431624d73c25180a079967f9c22d15 b/b8/3eddd1e3431624d73c25180a079967f9c22d15
new file mode 100644
index 000000000..838e10948
--- /dev/null
+++ b/b8/3eddd1e3431624d73c25180a079967f9c22d15
@@ -0,0 +1,138 @@
+Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
+ helo=mx.sourceforge.net)
+ by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
+ (envelope-from <pete@petertodd.org>) id 1WCwjD-0002IS-Ij
+ for bitcoin-development@lists.sourceforge.net;
+ Mon, 10 Feb 2014 19:41:15 +0000
+Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of petertodd.org
+ designates 62.13.148.108 as permitted sender)
+ client-ip=62.13.148.108; envelope-from=pete@petertodd.org;
+ helo=outmail148108.authsmtp.net;
+Received: from outmail148108.authsmtp.net ([62.13.148.108])
+ by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
+ id 1WCwjB-0000Ip-21 for bitcoin-development@lists.sourceforge.net;
+ Mon, 10 Feb 2014 19:41:15 +0000
+Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235])
+ by punt15.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s1AJf6BJ053047;
+ Mon, 10 Feb 2014 19:41:06 GMT
+Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109])
+ (authenticated bits=128)
+ by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s1AJf2pZ061255
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
+ Mon, 10 Feb 2014 19:41:05 GMT
+Date: Mon, 10 Feb 2014 14:40:32 -0500
+From: Peter Todd <pete@petertodd.org>
+To: naman naman <namanhd@gmail.com>
+Message-ID: <20140210194032.GD17359@savin>
+References: <CANAnSg1LgpHGf-vTV0to1Z7sogf1ic6WTbogEsrQy1wh4C5zfw@mail.gmail.com>
+ <20140210144003.2BDCCDDAEFC@quidecco.de>
+ <20140210163055.GJ3180@nl.grid.coop>
+ <CAAS2fgQjKHK4ReQOEtLsTt9KOLxT4G-MiZJ7UKU=qH9ifpuN8g@mail.gmail.com>
+ <20140210182506.GM3180@nl.grid.coop> <52F91E66.6060305@gmail.com>
+ <20140210190703.GO3180@nl.grid.coop> <20140210192308.GA17359@savin>
+ <CA+SxJWBbWH_amgpst9N7nfT4twvfreAhGaxVWZYfTiLjyN8m3g@mail.gmail.com>
+MIME-Version: 1.0
+Content-Type: multipart/signed; micalg=pgp-sha256;
+ protocol="application/pgp-signature"; boundary="WChQLJJJfbwij+9x"
+Content-Disposition: inline
+In-Reply-To: <CA+SxJWBbWH_amgpst9N7nfT4twvfreAhGaxVWZYfTiLjyN8m3g@mail.gmail.com>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Server-Quench: 47ef143b-928b-11e3-b802-002590a15da7
+X-AuthReport-Spam: If SPAM / abuse - report it at:
+ http://www.authsmtp.com/abuse
+X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
+ aAdMdwIUHlAWAgsB AmIbWl1eVFx7WWY7 bAxPbAVDY01GQQRq
+ WVdMSlVNFUsrAG17 UBxeOBl0dgdDfTBx ZURrWD5fWxEsdEJ+
+ EFNdF2VUeGZhPWMC AkhYdR5UcAFPdx8U a1UrBXRDAzANdhES
+ HhM4ODE3eDlSNilR RRkIIFQOdA4uAhE7 V1gIGTwqEFZNTSQv JBsnLDb9
+X-Authentic-SMTP: 61633532353630.1023:706
+X-AuthFastPath: 0 (Was 255)
+X-AuthSMTP-Origin: 76.10.178.109/587
+X-AuthVirus-Status: No virus detected - but ensure you scan with your own
+ anti-virus system.
+X-Spam-Score: -1.5 (-)
+X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
+ See http://spamassassin.org/tag/ for more details.
+ -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
+ sender-domain
+ -0.0 SPF_PASS SPF: sender matches SPF record
+X-Headers-End: 1WCwjB-0000Ip-21
+Cc: bitcoin-development@lists.sourceforge.net
+Subject: Re: [Bitcoin-development] MtGox blames bitcoin
+X-BeenThere: bitcoin-development@lists.sourceforge.net
+X-Mailman-Version: 2.1.9
+Precedence: list
+List-Id: <bitcoin-development.lists.sourceforge.net>
+List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
+ <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
+List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
+List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
+List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
+List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
+ <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
+X-List-Received-Date: Mon, 10 Feb 2014 19:41:15 -0000
+
+
+--WChQLJJJfbwij+9x
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+Content-Transfer-Encoding: quoted-printable
+
+On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote:
+> Hi guys,
+>=20
+> Please check this thread
+> https://bitcointalk.org/index.php?topic=3D458608.0for a possible attack
+> scenario.
+>=20
+> Already mailed Gavin, Mike Hearn and Adam about this :
+>=20
+> See if it makes sense.
+
+That's basically what appears to have happened with Mt. Gox.
+
+Preventing the attack is as simple as training your customer service
+people to ask the customer if their wallet software shows a payment to a
+specific address of a specific amount at some approximate time. Making
+exact payment amounts unique - add a few satoshis - is a trivial if
+slightly ugly way of making sure payments can be identified uniquely
+over the phone. That the procedure at Mt. Gox let front-line customer
+service reps manually send funds to customers without a proper
+investigation of why the funds didn't arrive was a serious mistake on
+their part.
+
+Ultimately this is more of a social engineering attack than a technical
+one, and a good example of why well-thought-out payment protocols are
+helpful. Though the BIP70 payment protocol doesn't yet handle busines to
+individual, or individual to indivudal, payments a future iteration can
+and this kind of problem will be less of an issue.
+
+Similarly stealth addresses have an inherent per-tx unique identifier,
+the derived pubkey, which a UI might be able to take advantage of.
+
+--=20
+'peter'[:-1]@petertodd.org
+0000000076654614e7bf72ac80d47c57bca12503989f4d602538d3cd7892ca7d
+
+--WChQLJJJfbwij+9x
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: Digital signature
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.14 (GNU/Linux)
+
+iQGrBAEBCACVBQJS+SswXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw
+MDAwMDAwNzY2NTQ2MTRlN2JmNzJhYzgwZDQ3YzU3YmNhMTI1MDM5ODlmNGQ2MDI1
+MzhkM2NkNzg5MmNhN2QvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0
+ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfuTMgf/YWxPCzbUez6gQdEYxaz+WzFj
+8KD6/IU/PcgmV47iqw3NVYRU6a7d5vcIZBdBTR6TufKCqSAIao2v/w3KDLZbqSza
+bKI5xKLXoDZWPWy9X9BcWuTn6M7l8KJKQfMd4Y/7Bw1Lc7IjwAMWozjepWW2r89u
+oatYYeCtRynsel9DeFC1O37J5MSVYGcnDWg5EOP69GfC7Tz5Y4EG4pGW65sOhclg
+G7RnH9W+gxCYq1cdCNg4E0GJfUma8xtuA6ChRUPasCWFMALzDHWPl4G4DI2u5rRp
+9Kl8d18lrgZlIBCQfYddcxjzuVpImkcxMF9zCJr9Gji1MVFzeL9au3fB0IiawA==
+=GIzy
+-----END PGP SIGNATURE-----
+
+--WChQLJJJfbwij+9x--
+
+
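Review bot: The text/plain part between the `--WChQLJJJfbwij+9x` boundaries is stored still quoted-printable encoded (`>=20`, `topic=3D458608.0for`), and the detached PGP/MIME signature in the second part covers that part as transmitted, so this file has to stay byte-exact; anything that indexes or renders it should decode a copy rather than normalize the stored message. The commit message carries only the Subject line, so I would add the Message-ID `<20140210194032.GD17359@savin>` to it, which ties the commit to the thread without opening the blob. The quoted URL also runs into the following word (`458608.0for`) in the message as received, so link extraction over this archive should not rely on whitespace splitting alone.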