Date: Tue, 7 May 2013 00:51:46 +0200
From: Adam Back <adam@cypherspace.org>
To: Gregory Maxwell <gmaxwell@gmail.com>
Message-ID: <20130506225146.GA6657@netbook.cypherspace.org>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: [Bitcoin-development] limits of network hacking/netsplits (was: Discovery/addr packets)
On Mon, May 06, 2013 at 11:25:50AM -0700, Gregory Maxwell wrote:
>On Mon, May 6, 2013 at 11:04 AM, Adam Back <adam@cypherspace.org> wrote:
>> bitcoin's primary vulnerability IMO (so far) is network attacks to induce
>> network splits, local lower difficulty to a point that a local and
>> artificially isolated area of the network can be fooled into accepting an
>> orphan branch as the one-true block chain,
>
>It currently costs about 2016*25*$120 = six million dollars to
>reduce the difficulty in your isolated fork by a factor of 4.

Well I take your point that you have to produce 2016 blocks, but at a lower
rate. But that doesn't directly translate into my cost, I am thinking pure
network hacking.

Maybe I could hack a pool to co-opt it into my netsplit and do the work for
me, or segment enough of the network to have some miners in it, and they do
the work.

I am just thinking $500k/day worth of relatively perfect crime reward is a
lot of motivation for hacking networks. Many routers home and even carrier
are vulnerable to people armed with Cisco source code & 0-days. The
netsplit doesn't have to be geographical, nor even topological, nor even
particularly long-lived.

If you control enough people's network routing at a low enough level, you
don't even have to stop transactions, nor do any mining work, just stop
blocks from the netsplit crossing over, and hold that position for say a day
(if your netsplit has 1/24 of network hash rate in it, so the split gets 6
confirmations to reassure the victims) and let the miners do the work. Do
enough transactions to do a big cash out (spend differently on the two
netsplits). Obviously a big and human inattentive pool, dark-miner etc is
the ideal target to put into the netsplit to increase the power while
controlling less nodes.

Malware could do the same thing for clients, don't forget most are running
Windows. Malware could also start a miner if none present.

>> maybe even from node first install time.
>
>Protecting against that— making sure any such attack has to start from
>a high difficulty— is, in my opinion, the biggest continued
>justification for checkpoints.

Do you know if there is any downwards limit on difficulty? I know it takes
going slow for a long and noticeable time, but I am just curious on the
theoretical limit.

>> (btw I notice most of the binaries and tar balls are not signed, nor served
>> from SSL - at least for linux).
>
>They are signed.

I don't see the signatures.

http://bitcoin.org/en/download

I see no signatures for linux and none in the tarball. There are some
public keys inside the tarball, that's it. Also no SSL. sourceforge supports
SSL so you can download that. But bitcoin.org doesn't even answer 443, and
the sourceforge link is HTTP. But even if the sourceforge link was SSL one
should not serve an SSL download link from an HTTP page, any more than type
a password into an HTTPS form action on an HTTP page. The attacker can just
redirect and the user doesn't know what is legitimate.

Consequently even if there is code signing on the windows exe, the user
doesn't know that, nor who they should be signed by, and as they are served
via HTTP, it's bypassable.

I guess by far the easiest way to attack right now (at least linux users) is
just to change the binaries to create a user operated netsplit, or just have
all their wallets empty to you via a mix once the amount gets interesting.

(All attacks hypothetical of course - I'm actually a white-hat type of
person).

Adam
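
The retarget arithmetic behind the "2016*25*$120" figure and the question about a downward limit, as an added example that is not part of the original email: a simplified Python model of Bitcoin's difficulty adjustment (2016-block periods, two-week target, each adjustment clamped to a factor of 4, floor at difficulty 1). Function names are illustrative, and the model assumes honest timestamps and ignores the small measurement offset in the real client.

```python
RETARGET_BLOCKS = 2016             # blocks per retarget period
TARGET_TIMESPAN = 14 * 24 * 3600   # intended seconds per period (two weeks)
MAX_ADJUST = 4                     # clamp on the per-period adjustment factor
MIN_DIFFICULTY = 1.0               # floor imposed by the proof-of-work limit


def retarget(difficulty, actual_timespan):
    """Next-period difficulty, given the seconds the last 2016 blocks took."""
    clamped = min(max(actual_timespan, TARGET_TIMESPAN // MAX_ADJUST),
                  TARGET_TIMESPAN * MAX_ADJUST)
    return max(difficulty * TARGET_TIMESPAN / clamped, MIN_DIFFICULTY)


def isolated_fork_schedule(difficulty, hash_fraction, periods):
    """(elapsed days, new difficulty) after each period on a partition that
    holds `hash_fraction` of the hash rate that produced `difficulty`."""
    base, days, rows = difficulty, 0.0, []
    for _ in range(periods):
        # Mining time scales with difficulty and inversely with hash rate.
        timespan = TARGET_TIMESPAN * (difficulty / base) / hash_fraction
        days += timespan / 86400
        difficulty = retarget(difficulty, timespan)
        rows.append((round(days, 1), difficulty))
    return rows


def hours_for_confirmations(confirmations, hash_fraction):
    """Hours a partition needs for N blocks before any retarget occurs."""
    return confirmations * 10 / hash_fraction / 60


def period_reward_value(reward_btc, price_usd):
    """Block-reward value of one full retarget period at the given price."""
    return RETARGET_BLOCKS * reward_btc * price_usd


if __name__ == "__main__":
    print(period_reward_value(25, 120))            # figures quoted in the thread
    print(hours_for_confirmations(6, 1 / 24))      # the 1/24 case in the email
    for days, diff in isolated_fork_schedule(1000.0, 1 / 24, 3):
        print(f"day {days:6.1f}: difficulty {diff:.2f}")
```

In this model a partition holding 1/24 of the hash rate reaches its first retarget only after 336 days, and each period lowers difficulty by at most a factor of 4.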
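
The download-page argument in the email (an HTTPS link on an HTTP page is still rewritable, and a signature the user cannot find does not help) expressed as a release-page check. This is an added example, not part of the original email; the host, file names, suffix lists and finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ARTIFACT_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".exe", ".dmg")
SIGNATURE_SUFFIXES = (".asc", ".sig")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def audit_download_page(page_url, html):
    """Map each release artifact link to the integrity problems found."""
    parser = LinkCollector()
    parser.feed(html)
    links = [urljoin(page_url, h) for h in parser.hrefs]
    signatures = {l for l in links if l.endswith(SIGNATURE_SUFFIXES)}
    page_is_https = urlparse(page_url).scheme == "https"
    report = {}
    for link in links:
        if not link.endswith(ARTIFACT_SUFFIXES):
            continue
        problems = []
        if not page_is_https:
            # Any link on an HTTP page can be rewritten in transit, so even
            # an https:// target gives the user no assurance.
            problems.append("page-not-https")
        if urlparse(link).scheme != "https":
            problems.append("artifact-not-https")
        if not any(s.startswith(link + ".") for s in signatures):
            problems.append("no-detached-signature-linked")
        report[link] = problems
    return report


# Constructed sample page (hypothetical host and file names).
SAMPLE_HTML = """
<a href="https://downloads.example.org/app-1.0-linux.tar.gz">Linux</a>
<a href="/bin/app-1.0-win32.exe">Windows</a>
<a href="/bin/app-1.0-win32.exe.asc">signature</a>
"""
```

A linked signature only helps if the signing key is obtained and verified through a channel the page itself cannot alter.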