Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WCwjD-0002IS-Ij for bitcoin-development@lists.sourceforge.net; Mon, 10 Feb 2014 19:41:15 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.148.108 as permitted sender) client-ip=62.13.148.108; envelope-from=pete@petertodd.org; helo=outmail148108.authsmtp.net; Received: from outmail148108.authsmtp.net ([62.13.148.108]) by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1WCwjB-0000Ip-21 for bitcoin-development@lists.sourceforge.net; Mon, 10 Feb 2014 19:41:15 +0000 Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt15.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s1AJf6BJ053047; Mon, 10 Feb 2014 19:41:06 GMT Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s1AJf2pZ061255 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 10 Feb 2014 19:41:05 GMT Date: Mon, 10 Feb 2014 14:40:32 -0500 From: Peter Todd To: naman naman Message-ID: <20140210194032.GD17359@savin> References: <20140210144003.2BDCCDDAEFC@quidecco.de> <20140210163055.GJ3180@nl.grid.coop> <20140210182506.GM3180@nl.grid.coop> <52F91E66.6060305@gmail.com> <20140210190703.GO3180@nl.grid.coop> <20140210192308.GA17359@savin> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="WChQLJJJfbwij+9x" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 47ef143b-928b-11e3-b802-002590a15da7 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aAdMdwIUHlAWAgsB AmIbWl1eVFx7WWY7 bAxPbAVDY01GQQRq WVdMSlVNFUsrAG17 UBxeOBl0dgdDfTBx ZURrWD5fWxEsdEJ+ EFNdF2VUeGZhPWMC AkhYdR5UcAFPdx8U a1UrBXRDAzANdhES HhM4ODE3eDlSNilR RRkIIFQOdA4uAhE7 V1gIGTwqEFZNTSQv JBsnLDb9 X-Authentic-SMTP: 61633532353630.1023:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 76.10.178.109/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1WCwjB-0000Ip-21 Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] MtGox blames bitcoin X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Feb 2014 19:41:15 -0000 --WChQLJJJfbwij+9x Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote: > Hi guys, >=20 > Please check this thread > https://bitcointalk.org/index.php?topic=3D458608.0for a possible attack > scenario. >=20 > Already mailed Gavin, Mike Hearn and Adam about this : >=20 > See if it makes sense. That's basically what appears to have happened with Mt. Gox. Preventing the attack is as simple as training your customer service people to ask the customer if their wallet software shows a payment to a specific address of a specific amount at some approximate time. Making exact payment amounts unique - add a few satoshis - is a trivial if slightly ugly way of making sure payments can be identified uniquely over the phone. That the procedure at Mt. Gox let front-line customer service reps manually send funds to customers without a proper investigation of why the funds didn't arrive was a serious mistake on their part. Ultimately this is more of a social engineering attack than a technical one, and a good example of why well-thought-out payment protocols are helpful. Though the BIP70 payment protocol doesn't yet handle busines to individual, or individual to indivudal, payments a future iteration can and this kind of problem will be less of an issue. Similarly stealth addresses have an inherent per-tx unique identifier, the derived pubkey, which a UI might be able to take advantage of. --=20 'peter'[:-1]@petertodd.org 0000000076654614e7bf72ac80d47c57bca12503989f4d602538d3cd7892ca7d --WChQLJJJfbwij+9x Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQGrBAEBCACVBQJS+SswXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw MDAwMDAwNzY2NTQ2MTRlN2JmNzJhYzgwZDQ3YzU3YmNhMTI1MDM5ODlmNGQ2MDI1 MzhkM2NkNzg5MmNhN2QvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0 ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfuTMgf/YWxPCzbUez6gQdEYxaz+WzFj 8KD6/IU/PcgmV47iqw3NVYRU6a7d5vcIZBdBTR6TufKCqSAIao2v/w3KDLZbqSza bKI5xKLXoDZWPWy9X9BcWuTn6M7l8KJKQfMd4Y/7Bw1Lc7IjwAMWozjepWW2r89u oatYYeCtRynsel9DeFC1O37J5MSVYGcnDWg5EOP69GfC7Tz5Y4EG4pGW65sOhclg G7RnH9W+gxCYq1cdCNg4E0GJfUma8xtuA6ChRUPasCWFMALzDHWPl4G4DI2u5rRp 9Kl8d18lrgZlIBCQfYddcxjzuVpImkcxMF9zCJr9Gji1MVFzeL9au3fB0IiawA== =GIzy -----END PGP SIGNATURE----- --WChQLJJJfbwij+9x--