Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of praus.net
	designates 209.85.215.43 as permitted sender)
	client-ip=209.85.215.43; envelope-from=petr@praus.net;
	helo=mail-la0-f43.google.com; 
MIME-Version: 1.0
In-Reply-To: <CAAS2fgQU5yHFEUfzVwco=L2YKU=Ci0Od+4w59o1wx5UUf1w3VQ@mail.gmail.com>
References: <CANEZrP1YFCLmasOrdxdKDP1=x8nKuy06kGRqZwpnmnhe3-AroA@mail.gmail.com>
	<20130506161216.GA5193@petertodd.org>
	<CA+8xBpfdY7GsQiyrHuOG-MqXon0RGShpg2Yv-KeAXQ-503kAsA@mail.gmail.com>
	<20130506163732.GB5193@petertodd.org>
	<CANEZrP2WqXZVRJp6ag=RC4mSkt+a6qTYYpvE=DW_0Rdr=_BBHA@mail.gmail.com>
	<20130506180418.GA3797@netbook.cypherspace.org>
	<CAAS2fgSh+dYxSak8HvE0Sr4=zxzRc=3dMQ6X_nD_a+OdacUBZQ@mail.gmail.com>
	<20130506225146.GA6657@netbook.cypherspace.org>
	<CAAS2fgQU5yHFEUfzVwco=L2YKU=Ci0Od+4w59o1wx5UUf1w3VQ@mail.gmail.com>
From: Petr Praus <petr@praus.net>
Date: Mon, 6 May 2013 23:48:39 -0500
Message-ID: <CACezXZ-TtHWoBc650kvsWyAuwsz0gmKp58D+x8OkSa9Kue7RDA@mail.gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c23f1c2184f404dc1989b9
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] limits of network hacking/netsplits (was:
 Discovery/addr packets)
Precedence: list

--001a11c23f1c2184f404dc1989b9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I think it's worth noting that quite a large portion of Linux users
probably get the mainline Bitcoin client from the packages. I think Bitcoin
package maintainers are doing mostly a pretty good job :)


On 6 May 2013 18:13, Gregory Maxwell <gmaxwell@gmail.com> wrote:

> On Mon, May 6, 2013 at 3:51 PM, Adam Back <adam@cypherspace.org> wrote:
> > Maybe I could hack a pool to co-opt it into my netsplit and do the work
> for
> > me, or segment enough of the network to have some miners in it, and the=
y
> do
> > the work.
>
> Or you can just let it mine honestly and take the Bitcoins. This is
> fast (doesn't require weeks of them somehow not noticing that they're
> isolated), and yields the values I listed as 'costs' if you would have
> otherwise been able to use it to mine the difficulty down to 1.  Cost
> is just as much foregone income from the alternative attack you could
> have done instead.
>
> > nor even topological, nor even
> > particularly long-lived.
>
> At least for attacks that drive the difficulty down it does.
>
> If you want to talk about abusing a pool or creating a partition in
> order to create short reorgs=E2=80=94 I agree, those don't have to be lon=
g
> lived and you can find many messages where I've written on that
> subject.
>
> It's inconsiderate to propose one attack and when I respond to it
> changing the attack out from under me. :(  I would have responded
> entirely differently if you'd proposed people segmenting the network
> and creating short reorgs instead of mining the difficulty down.
>
> > Do you know if there is any downwards limit on difficulty?  I know it
> takes
> > going slow for a long and noticeable time, but I am just curious on the
> > theoretical limit.
>
> Every 2016 blocks can at most lower the difficulty by a factor of 4,
> thats where the log4 (number of 2016 groups needed) and 4^n (factor in
> cost reduction for each group) come from in the formulas I gave
> previously.
>
> > I dont see the signatures.
>
>
> http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA25=
6SUMS.asc/download
>
> The signatures can't be inside the tarball because they sign the tarball.
>
> Seems like the website redesign managed to hide the signatures pretty
> good. They're in the release announcements in any case, but that
> should be fixed.  Even when they were prominently placed, practically
> no one checked them. As a result they are mostly security theater in
> practice :(, =E2=80=94 so=E2=80=94 unfortunately, is SSL: there are many =
CA's who will
> give anyone a cert with your name on it who can give them a couple
> hundred bucks and MITM HTTP (not HTTPS!) between the CA's
> authentication server and your webserver. Bitcoin.org is hosted by
> github, even if it had SSL and even if the CA infrastructure weren't a
> joke, the number of ways to compromise that hosting enviroment would
> IMO make SSL mostly a false sense of security.
>
> The gpg signatures and gitian downloader signatures provide good
> security if actually used, solving the "getting people to use them"
> problem is an open question.
>
> And I agree, this stuff is a bigger issue than many other things like
> mining the difficulty down.
>
>
> -------------------------------------------------------------------------=
-----
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>

--001a11c23f1c2184f404dc1989b9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I think it&#39;s worth noting that quite a large portion o=
f Linux users probably get the mainline Bitcoin client from the packages. I=
 think Bitcoin package maintainers are doing mostly a pretty good job :)</d=
iv>

<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On 6 May 2013=
 18:13, Gregory Maxwell <span dir=3D"ltr">&lt;<a href=3D"mailto:gmaxwell@gm=
ail.com" target=3D"_blank">gmaxwell@gmail.com</a>&gt;</span> wrote:<br><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
cc solid;padding-left:1ex">

<div class=3D"im">On Mon, May 6, 2013 at 3:51 PM, Adam Back &lt;<a href=3D"=
mailto:adam@cypherspace.org">adam@cypherspace.org</a>&gt; wrote:<br>
&gt; Maybe I could hack a pool to co-opt it into my netsplit and do the wor=
k for<br>
&gt; me, or segment enough of the network to have some miners in it, and th=
ey do<br>
&gt; the work.<br>
<br>
</div>Or you can just let it mine honestly and take the Bitcoins. This is<b=
r>
fast (doesn&#39;t require weeks of them somehow not noticing that they&#39;=
re<br>
isolated), and yields the values I listed as &#39;costs&#39; if you would h=
ave<br>
otherwise been able to use it to mine the difficulty down to 1. =C2=A0Cost<=
br>
is just as much foregone income from the alternative attack you could<br>
have done instead.<br>
<div class=3D"im"><br>
&gt; nor even topological, nor even<br>
&gt; particularly long-lived.<br>
<br>
</div>At least for attacks that drive the difficulty down it does.<br>
<br>
If you want to talk about abusing a pool or creating a partition in<br>
order to create short reorgs=E2=80=94 I agree, those don&#39;t have to be l=
ong<br>
lived and you can find many messages where I&#39;ve written on that<br>
subject.<br>
<br>
It&#39;s inconsiderate to propose one attack and when I respond to it<br>
changing the attack out from under me. :( =C2=A0I would have responded<br>
entirely differently if you&#39;d proposed people segmenting the network<br=
>
and creating short reorgs instead of mining the difficulty down.<br>
<div class=3D"im"><br>
&gt; Do you know if there is any downwards limit on difficulty? =C2=A0I kno=
w it takes<br>
&gt; going slow for a long and noticeable time, but I am just curious on th=
e<br>
&gt; theoretical limit.<br>
<br>
</div>Every 2016 blocks can at most lower the difficulty by a factor of 4,<=
br>
thats where the log4 (number of 2016 groups needed) and 4^n (factor in<br>
cost reduction for each group) come from in the formulas I gave<br>
previously.<br>
<div class=3D"im"><br>
&gt; I dont see the signatures.<br>
<br>
</div><a href=3D"http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitc=
oin-0.8.1/SHA256SUMS.asc/download" target=3D"_blank">http://sourceforge.net=
/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA256SUMS.asc/download</a><b=
r>


<br>
The signatures can&#39;t be inside the tarball because they sign the tarbal=
l.<br>
<br>
Seems like the website redesign managed to hide the signatures pretty<br>
good. They&#39;re in the release announcements in any case, but that<br>
should be fixed. =C2=A0Even when they were prominently placed, practically<=
br>
no one checked them. As a result they are mostly security theater in<br>
practice :(, =E2=80=94 so=E2=80=94 unfortunately, is SSL: there are many CA=
&#39;s who will<br>
give anyone a cert with your name on it who can give them a couple<br>
hundred bucks and MITM HTTP (not HTTPS!) between the CA&#39;s<br>
authentication server and your webserver. Bitcoin.org is hosted by<br>
github, even if it had SSL and even if the CA infrastructure weren&#39;t a<=
br>
joke, the number of ways to compromise that hosting enviroment would<br>
IMO make SSL mostly a false sense of security.<br>
<br>
The gpg signatures and gitian downloader signatures provide good<br>
security if actually used, solving the &quot;getting people to use them&quo=
t;<br>
problem is an open question.<br>
<br>
And I agree, this stuff is a bigger issue than many other things like<br>
mining the difficulty down.<br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
---------------------------------------------------------------------------=
---<br>
Learn Graph Databases - Download FREE O&#39;Reilly Book<br>
&quot;Graph Databases&quot; is the definitive new guide to graph databases =
and<br>
their applications. This 200-page book is written by three acclaimed<br>
leaders in the field. The early access version is available now.<br>
Download your free book today! <a href=3D"http://p.sf.net/sfu/neotech_d2d_m=
ay" target=3D"_blank">http://p.sf.net/sfu/neotech_d2d_may</a><br>
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
</div></div></blockquote></div><br></div>

--001a11c23f1c2184f404dc1989b9--