path: root/7d/8931ac4695d1cd35fbc28df473ef678a658dd2
blob: 65996990d66ee378265c7772ade310655eae0b0a (plain)
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <namanhd@gmail.com>) id 1WDK9i-00042W-IC
	for bitcoin-development@lists.sourceforge.net;
	Tue, 11 Feb 2014 20:42:10 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.128.175 as permitted sender)
	client-ip=209.85.128.175; envelope-from=namanhd@gmail.com;
	helo=mail-ve0-f175.google.com; 
Received: from mail-ve0-f175.google.com ([209.85.128.175])
	by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1WDK9g-0008Q5-N3
	for bitcoin-development@lists.sourceforge.net;
	Tue, 11 Feb 2014 20:42:10 +0000
Received: by mail-ve0-f175.google.com with SMTP id c14so6459829vea.6
	for <bitcoin-development@lists.sourceforge.net>;
	Tue, 11 Feb 2014 12:42:03 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.58.229.4 with SMTP id sm4mr14714551vec.10.1392151323162;
	Tue, 11 Feb 2014 12:42:03 -0800 (PST)
Received: by 10.221.49.8 with HTTP; Tue, 11 Feb 2014 12:42:02 -0800 (PST)
In-Reply-To: <52F9377D.9010405@gmail.com>
References: <CANAnSg1LgpHGf-vTV0to1Z7sogf1ic6WTbogEsrQy1wh4C5zfw@mail.gmail.com>
	<20140210144003.2BDCCDDAEFC@quidecco.de>
	<20140210163055.GJ3180@nl.grid.coop>
	<CAAS2fgQjKHK4ReQOEtLsTt9KOLxT4G-MiZJ7UKU=qH9ifpuN8g@mail.gmail.com>
	<20140210182506.GM3180@nl.grid.coop> <52F91E66.6060305@gmail.com>
	<20140210190703.GO3180@nl.grid.coop> <20140210192308.GA17359@savin>
	<CA+SxJWBbWH_amgpst9N7nfT4twvfreAhGaxVWZYfTiLjyN8m3g@mail.gmail.com>
	<20140210194032.GD17359@savin> <52F9377D.9010405@gmail.com>
Date: Wed, 12 Feb 2014 02:12:02 +0530
Message-ID: <CA+SxJWBM0USWETNeDh-oRgOfrU64GiPbL_Qt5hrFN53C42yNxg@mail.gmail.com>
From: naman naman <namanhd@gmail.com>
To: Vocatus Gate <vocatus.gate@gmail.com>
Content-Type: multipart/alternative; boundary=047d7bdca04617422c04f2277d82
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(namanhd[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WDK9g-0008Q5-N3
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] MtGox blames bitcoin
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 20:42:10 -0000

--047d7bdca04617422c04f2277d82
Content-Type: text/plain; charset=ISO-8859-1

I was talking about a DoS attack in
https://bitcointalk.org/index.php?topic=458608.0 (of course only applicable
to entities doing the tracking with txids).

Amazing how I did not get a response from any of the devs (except Greg's
response
https://bitcointalk.org/index.php?topic=458608.msg5063789#msg5063789 but
that too was short and not concerning the attack scenario plausibility as I
replied to him).

Today they are apparently at work here
https://github.com/bitcoin/bitcoin/pull/3651

Amazing how nobody acknowledges it until later when the attack already
happens. The devs need to show some greater level of responsibility.

Don't get me wrong - I am not trying to claim credit for the attack scheme
described (though I do not know of any other place where this was mentioned
earlier as an attack scheme), but I am trying to make the point that people
should just be around and at least make others feel that their concerns are
being read. Now putting this on some place like reddit will only give the
community a bad name.

On a lighter note I messaged some of the devs (as my previous mail says)
saying the attack should be called "thenoblebot" attack (after my handle,
which would inspire me to pursue crypto studies further). It was meant to
be a lame joke. But I had no idea how it would start causing so much
disruption in the ecosystem.

Regards
thenoblebot


On Tue, Feb 11, 2014 at 2:03 AM, Vocatus Gate <vocatus.gate@gmail.com> wrote:

>  It's quite simple, really:
>
> Unique transaction == (Inputs+Outputs+ReceivingAddress)
>
> Problem solved. Simply don't rely on TxID for tracking. Can we put this
> issue to rest and move on?
>
>
>
>
> On 2014-02-10 12:40 PM, Peter Todd wrote:
>
> On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote:
>
>  Hi guys,
>
> Please check this thread https://bitcointalk.org/index.php?topic=458608.0 for a possible attack
> scenario.
>
> Already mailed Gavin, Mike Hearn and Adam about this :
>
> See if it makes sense.
>
>  That's basically what appears to have happened with Mt. Gox.
>
> Preventing the attack is as simple as training your customer service
> people to ask the customer if their wallet software shows a payment to a
> specific address of a specific amount at some approximate time. Making
> exact payment amounts unique - add a few satoshis - is a trivial if
> slightly ugly way of making sure payments can be identified uniquely
> over the phone. That the procedure at Mt. Gox let front-line customer
> service reps manually send funds to customers without a proper
> investigation of why the funds didn't arrive was a serious mistake on
> their part.
>
> Ultimately this is more of a social engineering attack than a technical
> one, and a good example of why well-thought-out payment protocols are
> helpful. Though the BIP70 payment protocol doesn't yet handle business to
> individual, or individual to individual, payments a future iteration can
> and this kind of problem will be less of an issue.
>
> Similarly stealth addresses have an inherent per-tx unique identifier,
> the derived pubkey, which a UI might be able to take advantage of.
>

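The tracking failure this thread argues about, as an added example (not code from the original mail, from Bitcoin Core, or from the linked pull request): a minimal legacy-transaction serializer, one pre-BIP62 malleation (re-encoding a scriptSig push as OP_PUSHDATA1, which changes the txid while the signature stays valid because scriptSigs are not covered by the sighash), a tracker keyed on txid beside one keyed on the "inputs plus outputs" identity Vocatus Gate describes, and the exact-amount-to-address check Peter Todd suggests for the phone call. The signature, pubkey, prevout and hash160 bytes are constructed placeholders, and `canonical_id` is an illustrative identifier, not a standard one.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    # Bitcoin CompactSize encoding
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


@dataclass
class TxIn:
    prev_txid: bytes      # 32 bytes, internal byte order
    prev_index: int
    script_sig: bytes     # not covered by the signature: the malleable part
    sequence: int = 0xFFFFFFFF


@dataclass
class TxOut:
    value: int            # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    version: int
    vin: List[TxIn]
    vout: List[TxOut]
    locktime: int = 0

    def _outputs_bytes(self) -> bytes:
        out = varint(len(self.vout))
        for o in self.vout:
            out += struct.pack("<q", o.value) + varint(len(o.script_pubkey)) + o.script_pubkey
        return out

    def serialize(self) -> bytes:
        # Legacy (pre-segwit) wire format; the txid is the double-SHA256 of exactly these bytes
        out = struct.pack("<i", self.version) + varint(len(self.vin))
        for i in self.vin:
            out += (i.prev_txid + struct.pack("<I", i.prev_index)
                    + varint(len(i.script_sig)) + i.script_sig + struct.pack("<I", i.sequence))
        return out + self._outputs_bytes() + struct.pack("<I", self.locktime)

    def txid(self) -> str:
        return dsha256(self.serialize())[::-1].hex()

    def canonical_id(self) -> str:
        # Illustrative identifier (assumption, not a standard): the same fields minus the
        # scriptSigs, i.e. the prevouts being spent plus the outputs being created
        out = struct.pack("<i", self.version) + varint(len(self.vin))
        for i in self.vin:
            out += i.prev_txid + struct.pack("<I", i.prev_index) + struct.pack("<I", i.sequence)
        return dsha256(out + self._outputs_bytes() + struct.pack("<I", self.locktime)).hex()


def malleate_push_encoding(script_sig: bytes) -> bytes:
    # Re-encode the first direct push (opcode 0x01..0x4b) as OP_PUSHDATA1. Pre-BIP62 a
    # third party could do this: the script pushes the same signature, so the
    # transaction stays valid, but its txid changes.
    n = script_sig[0]
    if not 1 <= n <= 0x4B:
        raise ValueError("expected a direct push at script start")
    return b"\x4c" + bytes([n]) + script_sig[1:]


def build_sample_tx() -> Tx:
    # Constructed placeholders: a 71-byte blob stands in for the DER signature,
    # a 33-byte blob for the compressed pubkey, 20 bytes for the payee's hash160
    sig = b"\x30" + b"\x11" * 69 + b"\x01"
    pubkey = b"\x02" + b"\x22" * 32
    script_sig = bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey
    p2pkh = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"
    return Tx(1, [TxIn(b"\x44" * 32, 0, script_sig)], [TxOut(150_000_000, p2pkh)])


def malleated_copy(tx: Tx) -> Tx:
    vin = [TxIn(i.prev_txid, i.prev_index, malleate_push_encoding(i.script_sig), i.sequence)
           for i in tx.vin]
    return Tx(tx.version, vin, list(tx.vout), tx.locktime)


def pays(tx: Tx, script_pubkey: bytes, value: int) -> bool:
    # The phone check: did some output pay this script exactly this amount?
    return any(o.script_pubkey == script_pubkey and o.value == value for o in tx.vout)


def demo() -> Tuple[bool, bool, bool, bool]:
    original = build_sample_tx()
    expected_by_txid = {original.txid()}
    expected_by_canon = {original.canonical_id()}
    confirmed = malleated_copy(original)   # the version a third party got mined instead
    return (
        confirmed.txid() != original.txid(),              # txid moved
        confirmed.txid() in expected_by_txid,             # txid tracker loses the payment
        confirmed.canonical_id() in expected_by_canon,    # prevouts+outputs tracker keeps it
        pays(confirmed, original.vout[0].script_pubkey, 150_000_000),  # amount check holds
    )
```

`demo()` returns `(True, False, True, True)`: the exchange that files a withdrawal under its txid sees "my transaction never confirmed" and is tempted to resend, while the one that keys on prevouts and outputs (or simply asks whether the address received the exact amount) sees the same payment under a new name. The same holds for any other scriptSig-only mutation; only the push re-encoding is shown here.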
--047d7bdca04617422c04f2277d82--