Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1S2mh6-0000hC-Sw for bitcoin-development@lists.sourceforge.net; Wed, 29 Feb 2012 16:48:00 +0000 X-ACL-Warn: Received: from vps7135.xlshosting.net ([178.18.90.41]) by sog-mx-2.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1S2mh1-0005i9-8B for bitcoin-development@lists.sourceforge.net; Wed, 29 Feb 2012 16:48:00 +0000 Received: by vps7135.xlshosting.net (Postfix, from userid 1000) id 3123F603C7; Wed, 29 Feb 2012 17:47:49 +0100 (CET) Date: Wed, 29 Feb 2012 17:47:48 +0100 From: Pieter Wuille To: Zooko Wilcox-O'Hearn Message-ID: <20120229164747.GA581@vps7135.xlshosting.net> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-PGP-Key: http://sipa.ulyssis.org/pubkey.asc User-Agent: Mutt/1.5.20 (2009-06-14) X-Spam-Score: 1.2 (+) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (pieter.wuille[at]gmail.com) 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list X-Headers-End: 1S2mh1-0005i9-8B Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Duplicate transactions vulnerability X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Feb 2012 16:48:01 -0000 On Tue, Feb 28, 2012 at 06:41:31PM -0700, Zooko Wilcox-O'Hearn wrote: > Could you spell out the attack explicitly? Presumably there aren't a > lot of people with the "malice energy" to perform the attack but not > to figure it out for themselves. I, however, have the "niceness > energy" to think about it for a few minutes but not to figure it out > for myself. If in your opinion it is realistically dangerous to post > it publicly, would you be so kind as to include me in the private > sharing of the explanation? It's not exactly a secret anymore, as the patch also references it. Russell O'Connor described the attack on his blog: http://r6.ca/blog/20120206T005236Z.html -- Pieter