author Andreas M. Antonopoulos <andreas@rooteleven.com> 2013-08-11 11:21:28 -0700
committer bitcoindev <bitcoindev@gnusha.org> 2013-08-11 18:52:53 +0000
commit c571faf390d9cf092108915c0e55637b8862b17d (patch)
tree 86eb5af30d8f43f475b61c8a7825fe1b49fae535
parent 5966de23a9b3ae5319859c1dd7026ebb254136cb (diff)
Re: [Bitcoin-development] Android key rotation
-rw-r--r-- db/d40aaff2a790b0bd239e2083b6fb159d41edcf 253
1 files changed, 253 insertions, 0 deletions
diff --git a/db/d40aaff2a790b0bd239e2083b6fb159d41edcf b/db/d40aaff2a790b0bd239e2083b6fb159d41edcf
new file mode 100644
index 000000000..a5d685a50
--- /dev/null
+++ b/db/d40aaff2a790b0bd239e2083b6fb159d41edcf
@@ -0,0 +1,253 @@
+Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
+ helo=mx.sourceforge.net)
+ by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
+ (envelope-from <andreas@antonopoulos.com>) id 1V8al3-0002c9-5j
+ for bitcoin-development@lists.sourceforge.net;
+ Sun, 11 Aug 2013 18:52:53 +0000
+Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of
+ antonopoulos.com designates 209.85.214.173 as permitted sender)
+ client-ip=209.85.214.173; envelope-from=andreas@antonopoulos.com;
+ helo=mail-ob0-f173.google.com;
+Received: from mail-ob0-f173.google.com ([209.85.214.173])
+ by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
+ (Exim 4.76) id 1V8al1-0004Cy-Lu
+ for bitcoin-development@lists.sourceforge.net;
+ Sun, 11 Aug 2013 18:52:53 +0000
+Received: by mail-ob0-f173.google.com with SMTP id ta17so8211758obb.18
+ for <bitcoin-development@lists.sourceforge.net>;
+ Sun, 11 Aug 2013 11:52:46 -0700 (PDT)
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=google.com; s=20120113;
+ h=x-gm-message-state:mime-version:sender:in-reply-to:references:date
+ :message-id:subject:from:to:cc:content-type;
+ bh=B1oHWCch7NuncnwTxbQ4FmvXYgq5ALbP76K3pL7G8Ek=;
+ b=K7Kusb0VLA3UsriobIkeIOe1BzYE3nHrCV23ppGfeo9sXO1tl0SrLNRGzmKQ1KPI+w
+ NNw9sqyw++dopsBEGQkVy+jCFAUp1z5KH+l+iO06/C9j1hh9X9o95q+VP6/E5s2ihBF1
+ WJMOnQvk50jUjtmhYe8tJIQbAg5Rx3z/barjOL8nYoiRGLUdNG6hQb8tqdO9RHVo+EaA
+ xOP5CxexEUAxZCG72LKYHkahxNRmzjEn74ezMQsXChDijpEm7ZQNBLzC6etfiss29E41
+ klrdvMn4PjXKC5cBmm49qG8VBNvGC8F5vtV7t2RQydHEtjLMl6oYpDRF6zQOPfLeXSoM
+ l9hQ==
+X-Gm-Message-State: ALoCoQnVh3g6bdX/ErlPaqIw+vy2Y86al1gUZENRSwxwW5BOK6E7lHfROi2prPsJ76mf1mn2XrjZ
+MIME-Version: 1.0
+X-Received: by 10.182.118.129 with SMTP id km1mr8130891obb.15.1376245289028;
+ Sun, 11 Aug 2013 11:21:29 -0700 (PDT)
+Sender: andreas@antonopoulos.com
+Received: by 10.182.72.136 with HTTP; Sun, 11 Aug 2013 11:21:28 -0700 (PDT)
+In-Reply-To: <5207BB9D.3090701@plan99.net>
+References: <5207BB9D.3090701@plan99.net>
+Date: Sun, 11 Aug 2013 11:21:28 -0700
+X-Google-Sender-Auth: ZYS5MPSChmRA94PJlTPZJphfvGM
+Message-ID: <CAFmyj8yTCFQVBisW3sfCF_yGYhLBccXV8GX8hxseB5KAxAo71w@mail.gmail.com>
+From: "Andreas M. Antonopoulos" <andreas@rooteleven.com>
+To: mike@plan99.net
+Content-Type: multipart/alternative; boundary=089e0116141e93a1a804e3b01358
+X-Spam-Score: -0.4 (/)
+X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
+ See http://spamassassin.org/tag/ for more details.
+ -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
+ sender-domain
+ -0.0 SPF_PASS SPF: sender matches SPF record
+ 1.0 HTML_MESSAGE BODY: HTML included in message
+ 0.1 DKIM_SIGNED Message has a DKIM or DK signature,
+ not necessarily valid
+ 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
+X-Headers-End: 1V8al1-0004Cy-Lu
+Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
+Subject: Re: [Bitcoin-development] Android key rotation
+X-BeenThere: bitcoin-development@lists.sourceforge.net
+X-Mailman-Version: 2.1.9
+Precedence: list
+List-Id: <bitcoin-development.lists.sourceforge.net>
+List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
+ <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
+List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
+List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
+List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
+List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
+ <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
+X-List-Received-Date: Sun, 11 Aug 2013 18:52:53 -0000
+
+--089e0116141e93a1a804e3b01358
+Content-Type: text/plain; charset=ISO-8859-1
+
+Who would be the best person to interview who could explain this issue and
+workaround/resolution?
+
+I'd like to get an audio segment for the Let's Talk Bitcoin show ASAP, as
+this will be a big concern for many users who will not know what to do or
+be able to understand the problem.
+
+Any volunteers for a 15 min audio interview in the next 2 days?
+
+
+On Sun, Aug 11, 2013 at 9:28 AM, Mike Hearn <mike@plan99.net> wrote:
+
+> -----BEGIN PGP SIGNED MESSAGE-----
+> Hash: SHA512
+>
+> Hello,
+>
+> I hope you are having a pleasant weekend. A few days ago we learned
+> that the Android implementation of the Java SecureRandom class
+> contains multiple severe vulnerabilities. As a result all private keys
+> generated on Android phones/tablets are weak and some signatures have
+> been observed to have colliding R values, allowing the private key to
+> be solved and money to be stolen.
+>
+> The public security alert is here:
+>
+> http://bitcoin.org/en/alert/2013-08-11-android
+>
+> I will shortly post in the bitcointalk forums as well.
+>
+> An update for the Bitcoin Wallet app has been prepared that bypasses
+> the system SecureRandom implementation and reads directly from
+> /dev/urandom instead, which is believed to be functioning correctly.
+> All unspent outputs in the wallet are then respent to this new key.
+>
+> The process is automatic and does not involve user intervention.
+> Andreas can control the process via a percentage throttle, which we
+> will use to slow things down if the memory pool load gets too high.
+>
+> A fixed APK is available here:
+>
+>
+> https://code.google.com/p/bitcoin-wallet/downloads/detail?name=bitcoin-wallet-3.15-beta.apk&can=2&q=
+>
+> Andreas plans to release this to beta either today or tomorrow. Once
+> some reasonable population of users has completed testing the
+> automated re-keying process, it will be released via the Play Store.
+> All users will get a notification informing them of the new version
+> and some will be upgraded automatically.
+>
+> Other wallet maintainers have also been notified and are working on
+> similar updates.
+>
+> thanks
+> - -mike
+> -----BEGIN PGP SIGNATURE-----
+> Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
+> Comment: GPGTools - http://gpgtools.org
+> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
+>
+> iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9
+> QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES
+> 7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x
+> YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+
+> /ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw
+> FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU=
+> =bZtl
+> -----END PGP SIGNATURE-----
+>
+>
+> ------------------------------------------------------------------------------
+> Get 100% visibility into Java/.NET code with AppDynamics Lite!
+> It's a free troubleshooting tool designed for production.
+> Get down to code-level detail for bottlenecks, with <2% overhead.
+> Download for free and get started troubleshooting in minutes.
+> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
+> _______________________________________________
+> Bitcoin-development mailing list
+> Bitcoin-development@lists.sourceforge.net
+> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
+>
+
+--089e0116141e93a1a804e3b01358
+Content-Type: text/html; charset=ISO-8859-1
+Content-Transfer-Encoding: quoted-printable
+
+<div dir=3D"ltr"><div><div>Who would be the best person to interview who co=
+uld explain this issue and workaround/resolution?<br><br></div>I&#39;d like=
+ to get an audio segment for the Let&#39;s Talk Bitcoin show ASAP, as this =
+will be a big concern for many users who will not know what to do or be abl=
+e to understand the problem.<br>
+<br></div>Any volunteers for a 15 min audio interview in the next 2 days?<b=
+r></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Su=
+n, Aug 11, 2013 at 9:28 AM, Mike Hearn <span dir=3D"ltr">&lt;<a href=3D"mai=
+lto:mike@plan99.net" target=3D"_blank">mike@plan99.net</a>&gt;</span> wrote=
+:<br>
+<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
+x #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
+Hash: SHA512<br>
+<br>
+Hello,<br>
+<br>
+I hope you are having a pleasant weekend. A few days ago we learned<br>
+that the Android implementation of the Java SecureRandom class<br>
+contains multiple severe vulnerabilities. As a result all private keys<br>
+generated on Android phones/tablets are weak and some signatures have<br>
+been observed to have colliding R values, allowing the private key to<br>
+be solved and money to be stolen.<br>
+<br>
+The public security alert is here:<br>
+<br>
+<a href=3D"http://bitcoin.org/en/alert/2013-08-11-android" target=3D"_blank=
+">http://bitcoin.org/en/alert/2013-08-11-android</a><br>
+<br>
+I will shortly post in the bitcointalk forums as well.<br>
+<br>
+An update for the Bitcoin Wallet app has been prepared that bypasses<br>
+the system SecureRandom implementation and reads directly from<br>
+/dev/urandom instead, which is believed to be functioning correctly.<br>
+All unspent outputs in the wallet are then respent to this new key.<br>
+<br>
+The process is automatic and does not involve user intervention.<br>
+Andreas can control the process via a percentage throttle, which we<br>
+will use to slow things down if the memory pool load gets too high.<br>
+<br>
+A fixed APK is available here:<br>
+<br>
+<a href=3D"https://code.google.com/p/bitcoin-wallet/downloads/detail?name=
+=3Dbitcoin-wallet-3.15-beta.apk&amp;can=3D2&amp;q=3D" target=3D"_blank">htt=
+ps://code.google.com/p/bitcoin-wallet/downloads/detail?name=3Dbitcoin-walle=
+t-3.15-beta.apk&amp;can=3D2&amp;q=3D</a><br>
+
+<br>
+Andreas plans to release this to beta either today or tomorrow. Once<br>
+some reasonable population of users has completed testing the<br>
+automated re-keying process, it will be released via the Play Store.<br>
+All users will get a notification informing them of the new version<br>
+and some will be upgraded automatically.<br>
+<br>
+Other wallet maintainers have also been notified and are working on<br>
+similar updates.<br>
+<br>
+thanks<br>
+- -mike<br>
+-----BEGIN PGP SIGNATURE-----<br>
+Version: GnuPG/MacGPG2 v2.0.20 (Darwin)<br>
+Comment: GPGTools - <a href=3D"http://gpgtools.org" target=3D"_blank">http:=
+//gpgtools.org</a><br>
+Comment: Using GnuPG with Thunderbird - <a href=3D"http://www.enigmail.net/=
+" target=3D"_blank">http://www.enigmail.net/</a><br>
+<br>
+iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9<br>
+QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES<br>
+7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x<br>
+YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+<br>
+/ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw<br>
+FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU=3D<br>
+=3DbZtl<br>
+-----END PGP SIGNATURE-----<br>
+<br>
+---------------------------------------------------------------------------=
+---<br>
+Get 100% visibility into Java/.NET code with AppDynamics Lite!<br>
+It&#39;s a free troubleshooting tool designed for production.<br>
+Get down to code-level detail for bottlenecks, with &lt;2% overhead.<br>
+Download for free and get started troubleshooting in minutes.<br>
+<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D48897031&amp;iu=
+=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
+pad/clk?id=3D48897031&amp;iu=3D/4140/ostg.clktrk</a><br>
+_______________________________________________<br>
+Bitcoin-development mailing list<br>
+<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
+pment@lists.sourceforge.net</a><br>
+<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
+" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
+velopment</a><br>
+</blockquote></div><br></div>
+
+--089e0116141e93a1a804e3b01358--
+
+
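Review bot: In the quoted announcement, the line `A fixed APK is available here:` is followed only by a code.google.com download URL for bitcoin-wallet-3.15-beta.apk and no digest of the file, so the PGP signature on the message authenticates the link but not the binary a user ends up installing. A follow-up on the list should carry a SHA-256 of the APK inside the signed text. Separately, this archived copy holds the clearsigned announcement only in `> `-quoted form in the text/plain part and quoted-printable encoded in the text/html part, so the signature block cannot be verified directly from this file without first reconstructing the original text; anyone checking it should work from the message named in `In-Reply-To: <5207BB9D.3090701@plan99.net>`.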