Date: Mon, 10 Feb 2014 14:40:32 -0500
From: Peter Todd <pete@petertodd.org>
To: naman naman <namanhd@gmail.com>
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] MtGox blames bitcoin
Message-ID: <20140210194032.GD17359@savin>
In-Reply-To: <CA+SxJWBbWH_amgpst9N7nfT4twvfreAhGaxVWZYfTiLjyN8m3g@mail.gmail.com>
References: <CANAnSg1LgpHGf-vTV0to1Z7sogf1ic6WTbogEsrQy1wh4C5zfw@mail.gmail.com>
<20140210144003.2BDCCDDAEFC@quidecco.de>
<20140210163055.GJ3180@nl.grid.coop>
<CAAS2fgQjKHK4ReQOEtLsTt9KOLxT4G-MiZJ7UKU=qH9ifpuN8g@mail.gmail.com>
<20140210182506.GM3180@nl.grid.coop> <52F91E66.6060305@gmail.com>
<20140210190703.GO3180@nl.grid.coop> <20140210192308.GA17359@savin>
<CA+SxJWBbWH_amgpst9N7nfT4twvfreAhGaxVWZYfTiLjyN8m3g@mail.gmail.com>

On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote:
> Hi guys,
>
> Please check this thread
> https://bitcointalk.org/index.php?topic=458608.0 for a possible attack
> scenario.
>
> Already mailed Gavin, Mike Hearn and Adam about this :
>
> See if it makes sense.

That's basically what appears to have happened with Mt. Gox.

Preventing the attack is as simple as training your customer service
people to ask the customer if their wallet software shows a payment to a
specific address of a specific amount at some approximate time. Making
exact payment amounts unique - add a few satoshis - is a trivial if
slightly ugly way of making sure payments can be identified uniquely
over the phone. That the procedure at Mt. Gox let front-line customer
service reps manually send funds to customers without a proper
investigation of why the funds didn't arrive was a serious mistake on
their part.

Ultimately this is more of a social engineering attack than a technical
one, and a good example of why well-thought-out payment protocols are
helpful. Though the BIP70 payment protocol doesn't yet handle business to
individual, or individual to individual, payments a future iteration can
and this kind of problem will be less of an issue.

Similarly stealth addresses have an inherent per-tx unique identifier,
the derived pubkey, which a UI might be able to take advantage of.

-- 
'peter'[:-1]@petertodd.org
0000000076654614e7bf72ac80d47c57bca12503989f4d602538d3cd7892ca7d
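As an added example (not part of this thread and not code from any Bitcoin project), the reconciliation approach Peter describes, in Python: each open invoice gets an amount made unique by a few extra satoshis, an incoming payment is matched on receiving address, amount and time window, and the txid is only recorded, never used as the lookup key. A support lookup keyed the same way shows whether funds arrived before anyone resends. The addresses, amounts, timestamps, txids, the 100-satoshi tweak range and the 24-hour window are all constructed assumptions.

```python
"""Invoice reconciliation keyed on (address, amount, time) instead of txid.

Added example, not code from the mailing-list thread. Every address,
amount, timestamp and txid below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Invoice:
    invoice_id: str
    address: str        # receiving address issued for this invoice
    base_amount: int    # amount owed, in satoshi
    created_at: int     # unix time the invoice was issued
    amount: int         # uniquified amount actually requested (base + tweak)
    paid_by: Optional[str] = None   # txid recorded at settlement, informational only


class InvoiceBook:
    """Keeps open invoices and settles them by what a customer can read off a wallet."""

    def __init__(self, max_tweak_sats: int = 100, window_secs: int = 24 * 3600):
        # Both limits are assumptions chosen for the example.
        self.open: Dict[str, Invoice] = {}
        self.settled: Dict[str, Invoice] = {}
        self.max_tweak = max_tweak_sats
        self.window = window_secs

    def create(self, invoice_id: str, address: str, base_amount: int, created_at: int) -> Invoice:
        # Tack on a few satoshi so that no two open invoices to the same address
        # request the same amount; that makes (address, amount) a unique key.
        taken = {inv.amount for inv in self.open.values() if inv.address == address}
        for tweak in range(self.max_tweak):
            amount = base_amount + tweak
            if amount not in taken:
                inv = Invoice(invoice_id, address, base_amount, created_at, amount)
                self.open[invoice_id] = inv
                return inv
        raise RuntimeError("too many open invoices colliding on this address/amount")

    def settle(self, address: str, amount: int, seen_at: int, txid: str) -> Optional[Invoice]:
        """Match an observed output to an open invoice.

        The txid is recorded but never used as the key, so a malleated txid
        still reconciles; once settled the invoice leaves the open set, so the
        same (address, amount) cannot be credited twice.
        """
        for inv in list(self.open.values()):
            if (inv.address == address and inv.amount == amount
                    and 0 <= seen_at - inv.created_at <= self.window):
                inv.paid_by = txid
                self.settled[inv.invoice_id] = self.open.pop(inv.invoice_id)
                return inv
        return None

    def support_lookup(self, address: str, amount: int) -> str:
        """What a front-line rep checks before any manual resend is considered."""
        for inv in self.settled.values():
            if inv.address == address and inv.amount == amount:
                return f"settled as {inv.paid_by}; do not resend"
        for inv in self.open.values():
            if inv.address == address and inv.amount == amount:
                return "still open; payment not seen on-chain"
        return "no invoice matches that address/amount"


def demo():
    book = InvoiceBook()
    t0 = 1_392_000_000   # constructed timestamp
    # Two customers owe the same 0.5 BTC to the same receiving address.
    a = book.create("inv-1", "addr-hot-1", 50_000_000, t0)
    b = book.create("inv-2", "addr-hot-1", 50_000_000, t0 + 60)
    # Customer 1's wallet broadcast one txid; the network confirmed a copy of the
    # same transaction under a different (malleated) txid, constructed here.
    hit = book.settle("addr-hot-1", a.amount, t0 + 600, "bbb-malleated")
    # A support claim quoting the original txid would find nothing by txid, but
    # the (address, amount) lookup shows the funds did arrive.
    verdict = book.support_lookup("addr-hot-1", a.amount)
    return a.amount, b.amount, hit is not None and hit.invoice_id == "inv-1", verdict


if __name__ == "__main__":
    print(demo())
```

The second invoice to the same address gets one extra satoshi, so the two 0.5 BTC payments remain distinguishable over the phone, and the settled invoice is found even though the confirming txid differs from the one the customer quotes.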