author | Andreas M. Antonopoulos <andreas@rooteleven.com> | 2013-08-11 11:21:28 -0700 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2013-08-11 18:52:53 +0000 |
commit | c571faf390d9cf092108915c0e55637b8862b17d (patch) | |
tree | 86eb5af30d8f43f475b61c8a7825fe1b49fae535 | |
parent | 5966de23a9b3ae5319859c1dd7026ebb254136cb (diff) | |
Re: [Bitcoin-development] Android key rotation
-rw-r--r-- | db/d40aaff2a790b0bd239e2083b6fb159d41edcf | 253 |
1 files changed, 253 insertions, 0 deletions
diff --git a/db/d40aaff2a790b0bd239e2083b6fb159d41edcf b/db/d40aaff2a790b0bd239e2083b6fb159d41edcf new file mode 100644 index 000000000..a5d685a50 --- /dev/null +++ b/db/d40aaff2a790b0bd239e2083b6fb159d41edcf 
@@ -0,0 +1,253 @@ +Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] + helo=mx.sourceforge.net) + by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) + (envelope-from <andreas@antonopoulos.com>) id 1V8al3-0002c9-5j + for bitcoin-development@lists.sourceforge.net; + Sun, 11 Aug 2013 18:52:53 +0000 +Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of + antonopoulos.com designates 209.85.214.173 as permitted sender) + client-ip=209.85.214.173; envelope-from=andreas@antonopoulos.com; + helo=mail-ob0-f173.google.com; +Received: from mail-ob0-f173.google.com ([209.85.214.173]) + by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) + (Exim 4.76) id 1V8al1-0004Cy-Lu + for bitcoin-development@lists.sourceforge.net; + Sun, 11 Aug 2013 18:52:53 +0000 +Received: by mail-ob0-f173.google.com with SMTP id ta17so8211758obb.18 + for <bitcoin-development@lists.sourceforge.net>; + Sun, 11 Aug 2013 11:52:46 -0700 (PDT) +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=google.com; s=20120113; + h=x-gm-message-state:mime-version:sender:in-reply-to:references:date + :message-id:subject:from:to:cc:content-type; + bh=B1oHWCch7NuncnwTxbQ4FmvXYgq5ALbP76K3pL7G8Ek=; + b=K7Kusb0VLA3UsriobIkeIOe1BzYE3nHrCV23ppGfeo9sXO1tl0SrLNRGzmKQ1KPI+w + NNw9sqyw++dopsBEGQkVy+jCFAUp1z5KH+l+iO06/C9j1hh9X9o95q+VP6/E5s2ihBF1 + WJMOnQvk50jUjtmhYe8tJIQbAg5Rx3z/barjOL8nYoiRGLUdNG6hQb8tqdO9RHVo+EaA + xOP5CxexEUAxZCG72LKYHkahxNRmzjEn74ezMQsXChDijpEm7ZQNBLzC6etfiss29E41 + klrdvMn4PjXKC5cBmm49qG8VBNvGC8F5vtV7t2RQydHEtjLMl6oYpDRF6zQOPfLeXSoM + l9hQ== +X-Gm-Message-State: ALoCoQnVh3g6bdX/ErlPaqIw+vy2Y86al1gUZENRSwxwW5BOK6E7lHfROi2prPsJ76mf1mn2XrjZ +MIME-Version: 1.0 +X-Received: by 10.182.118.129 with SMTP id km1mr8130891obb.15.1376245289028; + Sun, 11 Aug 2013 11:21:29 -0700 (PDT) +Sender: andreas@antonopoulos.com +Received: by 10.182.72.136 with HTTP; Sun, 11 Aug 2013 11:21:28 -0700 (PDT) +In-Reply-To: <5207BB9D.3090701@plan99.net> +References: 
<5207BB9D.3090701@plan99.net> +Date: Sun, 11 Aug 2013 11:21:28 -0700 +X-Google-Sender-Auth: ZYS5MPSChmRA94PJlTPZJphfvGM +Message-ID: <CAFmyj8yTCFQVBisW3sfCF_yGYhLBccXV8GX8hxseB5KAxAo71w@mail.gmail.com> +From: "Andreas M. Antonopoulos" <andreas@rooteleven.com> +To: mike@plan99.net +Content-Type: multipart/alternative; boundary=089e0116141e93a1a804e3b01358 +X-Spam-Score: -0.4 (/) +X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. + See http://spamassassin.org/tag/ for more details. + -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for + sender-domain + -0.0 SPF_PASS SPF: sender matches SPF record + 1.0 HTML_MESSAGE BODY: HTML included in message + 0.1 DKIM_SIGNED Message has a DKIM or DK signature, + not necessarily valid + 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid +X-Headers-End: 1V8al1-0004Cy-Lu +Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net> +Subject: Re: [Bitcoin-development] Android key rotation +X-BeenThere: bitcoin-development@lists.sourceforge.net +X-Mailman-Version: 2.1.9 +Precedence: list +List-Id: <bitcoin-development.lists.sourceforge.net> +List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> +List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> +List-Post: <mailto:bitcoin-development@lists.sourceforge.net> +List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> +List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> +X-List-Received-Date: Sun, 11 Aug 2013 18:52:53 -0000 + +--089e0116141e93a1a804e3b01358 +Content-Type: text/plain; charset=ISO-8859-1 + +Who would be the best person to interview who could explain this issue and +workaround/resolution? 
+ +I'd like to get an audio segment for the Let's Talk Bitcoin show ASAP, as +this will be a big concern for many users who will not know what to do or +be able to understand the problem. + +Any volunteers for a 15 min audio interview in the next 2 days? + + +On Sun, Aug 11, 2013 at 9:28 AM, Mike Hearn <mike@plan99.net> wrote: + +> -----BEGIN PGP SIGNED MESSAGE----- +> Hash: SHA512 +> +> Hello, +> +> I hope you are having a pleasant weekend. A few days ago we learned +> that the Android implementation of the Java SecureRandom class +> contains multiple severe vulnerabilities. As a result all private keys +> generated on Android phones/tablets are weak and some signatures have +> been observed to have colliding R values, allowing the private key to +> be solved and money to be stolen. +> +> The public security alert is here: +> +> http://bitcoin.org/en/alert/2013-08-11-android +> +> I will shortly post in the bitcointalk forums as well. +> +> An update for the Bitcoin Wallet app has been prepared that bypasses +> the system SecureRandom implementation and reads directly from +> /dev/urandom instead, which is believed to be functioning correctly. +> All unspent outputs in the wallet are then respent to this new key. +> +> The process is automatic and does not involve user intervention. +> Andreas can control the process via a percentage throttle, which we +> will use to slow things down if the memory pool load gets too high. +> +> A fixed APK is available here: +> +> +> https://code.google.com/p/bitcoin-wallet/downloads/detail?name=bitcoin-wallet-3.15-beta.apk&can=2&q= +> +> Andreas plans to release this to beta either today or tomorrow. Once +> some reasonable population of users has completed testing the +> automated re-keying process, it will be released via the Play Store. +> All users will get a notification informing them of the new version +> and some will be upgraded automatically. 
+> +> Other wallet maintainers have also been notified and are working on +> similar updates. +> +> thanks +> - -mike +> -----BEGIN PGP SIGNATURE----- +> Version: GnuPG/MacGPG2 v2.0.20 (Darwin) +> Comment: GPGTools - http://gpgtools.org +> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ +> +> iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9 +> QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES +> 7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x +> YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+ +> /ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw +> FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU= +> =bZtl +> -----END PGP SIGNATURE----- +> +> +> ------------------------------------------------------------------------------ +> Get 100% visibility into Java/.NET code with AppDynamics Lite! +> It's a free troubleshooting tool designed for production. +> Get down to code-level detail for bottlenecks, with <2% overhead. +> Download for free and get started troubleshooting in minutes. 
+> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk +> _______________________________________________ +> Bitcoin-development mailing list +> Bitcoin-development@lists.sourceforge.net +> https://lists.sourceforge.net/lists/listinfo/bitcoin-development +> + +--089e0116141e93a1a804e3b01358 +Content-Type: text/html; charset=ISO-8859-1 +Content-Transfer-Encoding: quoted-printable + +<div dir=3D"ltr"><div><div>Who would be the best person to interview who co= +uld explain this issue and workaround/resolution?<br><br></div>I'd like= + to get an audio segment for the Let's Talk Bitcoin show ASAP, as this = +will be a big concern for many users who will not know what to do or be abl= +e to understand the problem.<br> +<br></div>Any volunteers for a 15 min audio interview in the next 2 days?<b= +r></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Su= +n, Aug 11, 2013 at 9:28 AM, Mike Hearn <span dir=3D"ltr"><<a href=3D"mai= +lto:mike@plan99.net" target=3D"_blank">mike@plan99.net</a>></span> wrote= +:<br> +<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= +x #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br> +Hash: SHA512<br> +<br> +Hello,<br> +<br> +I hope you are having a pleasant weekend. A few days ago we learned<br> +that the Android implementation of the Java SecureRandom class<br> +contains multiple severe vulnerabilities. 
As a result all private keys<br> +generated on Android phones/tablets are weak and some signatures have<br> +been observed to have colliding R values, allowing the private key to<br> +be solved and money to be stolen.<br> +<br> +The public security alert is here:<br> +<br> +<a href=3D"http://bitcoin.org/en/alert/2013-08-11-android" target=3D"_blank= +">http://bitcoin.org/en/alert/2013-08-11-android</a><br> +<br> +I will shortly post in the bitcointalk forums as well.<br> +<br> +An update for the Bitcoin Wallet app has been prepared that bypasses<br> +the system SecureRandom implementation and reads directly from<br> +/dev/urandom instead, which is believed to be functioning correctly.<br> +All unspent outputs in the wallet are then respent to this new key.<br> +<br> +The process is automatic and does not involve user intervention.<br> +Andreas can control the process via a percentage throttle, which we<br> +will use to slow things down if the memory pool load gets too high.<br> +<br> +A fixed APK is available here:<br> +<br> +<a href=3D"https://code.google.com/p/bitcoin-wallet/downloads/detail?name= +=3Dbitcoin-wallet-3.15-beta.apk&can=3D2&q=3D" target=3D"_blank">htt= +ps://code.google.com/p/bitcoin-wallet/downloads/detail?name=3Dbitcoin-walle= +t-3.15-beta.apk&can=3D2&q=3D</a><br> + +<br> +Andreas plans to release this to beta either today or tomorrow. 
Once<br> +some reasonable population of users has completed testing the<br> +automated re-keying process, it will be released via the Play Store.<br> +All users will get a notification informing them of the new version<br> +and some will be upgraded automatically.<br> +<br> +Other wallet maintainers have also been notified and are working on<br> +similar updates.<br> +<br> +thanks<br> +- -mike<br> +-----BEGIN PGP SIGNATURE-----<br> +Version: GnuPG/MacGPG2 v2.0.20 (Darwin)<br> +Comment: GPGTools - <a href=3D"http://gpgtools.org" target=3D"_blank">http:= +//gpgtools.org</a><br> +Comment: Using GnuPG with Thunderbird - <a href=3D"http://www.enigmail.net/= +" target=3D"_blank">http://www.enigmail.net/</a><br> +<br> +iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9<br> +QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES<br> +7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x<br> +YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+<br> +/ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw<br> +FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU=3D<br> +=3DbZtl<br> +-----END PGP SIGNATURE-----<br> +<br> +---------------------------------------------------------------------------= +---<br> +Get 100% visibility into Java/.NET code with AppDynamics Lite!<br> +It's a free troubleshooting tool designed for production.<br> +Get down to code-level detail for bottlenecks, with <2% overhead.<br> +Download for free and get started troubleshooting in minutes.<br> +<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D48897031&iu= +=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam= +pad/clk?id=3D48897031&iu=3D/4140/ostg.clktrk</a><br> +_______________________________________________<br> +Bitcoin-development mailing list<br> +<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo= +pment@lists.sourceforge.net</a><br> +<a 
href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development= +" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de= +velopment</a><br> +</blockquote></div><br></div> + +--089e0116141e93a1a804e3b01358-- + + |
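Review bot: The PGP-signed announcement from Mike Hearn appears in this file only as `> `-quoted text inside the reply, and again with `<br>` markup in the quoted-printable HTML part, so the signature block does not cover the text as stored here. Anyone checking the alert should verify it against the original message named in the In-Reply-To header (`<5207BB9D.3090701@plan99.net>`) rather than this copy. The same caution applies to attributing the reply itself: the Received-SPF pass is for the envelope domain antonopoulos.com while the From header uses rooteleven.com, and the X-Spam-Report lists T_DKIM_INVALID, so none of the recorded checks authenticate the From address.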