1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <petr@praus.net>) id 1UZZpt-0002Ws-4h
for bitcoin-development@lists.sourceforge.net;
Tue, 07 May 2013 04:49:09 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of praus.net
designates 209.85.215.43 as permitted sender)
client-ip=209.85.215.43; envelope-from=petr@praus.net;
helo=mail-la0-f43.google.com;
Received: from mail-la0-f43.google.com ([209.85.215.43])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1UZZpr-00005s-2m
for bitcoin-development@lists.sourceforge.net;
Tue, 07 May 2013 04:49:09 +0000
Received: by mail-la0-f43.google.com with SMTP id ea20so136749lab.30
for <bitcoin-development@lists.sourceforge.net>;
Mon, 06 May 2013 21:49:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=x-received:mime-version:x-originating-ip:in-reply-to:references
:from:date:message-id:subject:to:cc:content-type:x-gm-message-state;
bh=6Mrfh0EhPDuWfdR32jsXw6FTfdqf8muzKvvtkBXAiIU=;
b=kvMOE97FJpI8mJYdiB23ME/YJQDQvTKH0zTSq7+HhG3mhi6cVVSa6GDcgYcmwjCzFJ
J4pidqDtpS7tPnfrMCSfjlEKT7YQ0xyjnaGifHZLQC8/G2X/yRvielow0xQk31RMQJx6
WIgbAjDl0lScdcOZIo0R8FUF7tgFXWHJSKcxa9g1orY+0DtFbWmVoO4vwSdkQlDRTReC
JqaQjEBKD/W3KFxhYhqpe3vFGbTQe8vGbFs8Pxqx8yyNkpmf3U7n5Qb4w78jhJw7cVfD
TdeNNx0ISIYufe6wVLeyi8FY8aR5j557AEXO/Pva8bhSQJG5ibn+eU2aceHebIdH3Otw
uAvg==
X-Received: by 10.112.168.197 with SMTP id zy5mr328518lbb.18.1367902139806;
Mon, 06 May 2013 21:48:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.71.201 with HTTP; Mon, 6 May 2013 21:48:39 -0700 (PDT)
X-Originating-IP: [216.188.247.150]
In-Reply-To: <CAAS2fgQU5yHFEUfzVwco=L2YKU=Ci0Od+4w59o1wx5UUf1w3VQ@mail.gmail.com>
References: <CANEZrP1YFCLmasOrdxdKDP1=x8nKuy06kGRqZwpnmnhe3-AroA@mail.gmail.com>
<20130506161216.GA5193@petertodd.org>
<CA+8xBpfdY7GsQiyrHuOG-MqXon0RGShpg2Yv-KeAXQ-503kAsA@mail.gmail.com>
<20130506163732.GB5193@petertodd.org>
<CANEZrP2WqXZVRJp6ag=RC4mSkt+a6qTYYpvE=DW_0Rdr=_BBHA@mail.gmail.com>
<20130506180418.GA3797@netbook.cypherspace.org>
<CAAS2fgSh+dYxSak8HvE0Sr4=zxzRc=3dMQ6X_nD_a+OdacUBZQ@mail.gmail.com>
<20130506225146.GA6657@netbook.cypherspace.org>
<CAAS2fgQU5yHFEUfzVwco=L2YKU=Ci0Od+4w59o1wx5UUf1w3VQ@mail.gmail.com>
From: Petr Praus <petr@praus.net>
Date: Mon, 6 May 2013 23:48:39 -0500
Message-ID: <CACezXZ-TtHWoBc650kvsWyAuwsz0gmKp58D+x8OkSa9Kue7RDA@mail.gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c23f1c2184f404dc1989b9
X-Gm-Message-State: ALoCoQnLcClN80ZLNgJBsujHWCgAX+ksRaIuyQpGyC0QPodWZBoa+GSECSdxeMlkNhCJz1Q9QPoT
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1UZZpr-00005s-2m
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] limits of network hacking/netsplits (was:
Discovery/addr packets)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 04:49:09 -0000
--001a11c23f1c2184f404dc1989b9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
I think it's worth noting that quite a large portion of Linux users
probably get the mainline Bitcoin client from the packages. I think Bitcoin
package maintainers are doing mostly a pretty good job :)
On 6 May 2013 18:13, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> On Mon, May 6, 2013 at 3:51 PM, Adam Back <adam@cypherspace.org> wrote:
> > Maybe I could hack a pool to co-opt it into my netsplit and do the work
> for
> > me, or segment enough of the network to have some miners in it, and the=
y
> do
> > the work.
>
> Or you can just let it mine honestly and take the Bitcoins. This is
> fast (doesn't require weeks of them somehow not noticing that they're
> isolated), and yields the values I listed as 'costs' if you would have
> otherwise been able to use it to mine the difficulty down to 1. Cost
> is just as much foregone income from the alternative attack you could
> have done instead.
>
> > nor even topological, nor even
> > particularly long-lived.
>
> At least for attacks that drive the difficulty down it does.
>
> If you want to talk about abusing a pool or creating a partition in
> order to create short reorgs=E2=80=94 I agree, those don't have to be lon=
g
> lived and you can find many messages where I've written on that
> subject.
>
> It's inconsiderate to propose one attack and when I respond to it
> changing the attack out from under me. :( I would have responded
> entirely differently if you'd proposed people segmenting the network
> and creating short reorgs instead of mining the difficulty down.
>
> > Do you know if there is any downwards limit on difficulty? I know it
> takes
> > going slow for a long and noticeable time, but I am just curious on the
> > theoretical limit.
>
> Every 2016 blocks can at most lower the difficulty by a factor of 4,
> thats where the log4 (number of 2016 groups needed) and 4^n (factor in
> cost reduction for each group) come from in the formulas I gave
> previously.
>
> > I dont see the signatures.
>
>
> http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA25=
6SUMS.asc/download
>
> The signatures can't be inside the tarball because they sign the tarball.
>
> Seems like the website redesign managed to hide the signatures pretty
> good. They're in the release announcements in any case, but that
> should be fixed. Even when they were prominently placed, practically
> no one checked them. As a result they are mostly security theater in
> practice :(, =E2=80=94 so=E2=80=94 unfortunately, is SSL: there are many =
CA's who will
> give anyone a cert with your name on it who can give them a couple
> hundred bucks and MITM HTTP (not HTTPS!) between the CA's
> authentication server and your webserver. Bitcoin.org is hosted by
> github, even if it had SSL and even if the CA infrastructure weren't a
> joke, the number of ways to compromise that hosting enviroment would
> IMO make SSL mostly a false sense of security.
>
> The gpg signatures and gitian downloader signatures provide good
> security if actually used, solving the "getting people to use them"
> problem is an open question.
>
> And I agree, this stuff is a bigger issue than many other things like
> mining the difficulty down.
>
>
> -------------------------------------------------------------------------=
-----
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
--001a11c23f1c2184f404dc1989b9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">I think it's worth noting that quite a large portion o=
f Linux users probably get the mainline Bitcoin client from the packages. I=
think Bitcoin package maintainers are doing mostly a pretty good job :)</d=
iv>
<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On 6 May 2013=
18:13, Gregory Maxwell <span dir=3D"ltr"><<a href=3D"mailto:gmaxwell@gm=
ail.com" target=3D"_blank">gmaxwell@gmail.com</a>></span> wrote:<br><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
cc solid;padding-left:1ex">
<div class=3D"im">On Mon, May 6, 2013 at 3:51 PM, Adam Back <<a href=3D"=
mailto:adam@cypherspace.org">adam@cypherspace.org</a>> wrote:<br>
> Maybe I could hack a pool to co-opt it into my netsplit and do the wor=
k for<br>
> me, or segment enough of the network to have some miners in it, and th=
ey do<br>
> the work.<br>
<br>
</div>Or you can just let it mine honestly and take the Bitcoins. This is<b=
r>
fast (doesn't require weeks of them somehow not noticing that they'=
re<br>
isolated), and yields the values I listed as 'costs' if you would h=
ave<br>
otherwise been able to use it to mine the difficulty down to 1. =C2=A0Cost<=
br>
is just as much foregone income from the alternative attack you could<br>
have done instead.<br>
<div class=3D"im"><br>
> nor even topological, nor even<br>
> particularly long-lived.<br>
<br>
</div>At least for attacks that drive the difficulty down it does.<br>
<br>
If you want to talk about abusing a pool or creating a partition in<br>
order to create short reorgs=E2=80=94 I agree, those don't have to be l=
ong<br>
lived and you can find many messages where I've written on that<br>
subject.<br>
<br>
It's inconsiderate to propose one attack and when I respond to it<br>
changing the attack out from under me. :( =C2=A0I would have responded<br>
entirely differently if you'd proposed people segmenting the network<br=
>
and creating short reorgs instead of mining the difficulty down.<br>
<div class=3D"im"><br>
> Do you know if there is any downwards limit on difficulty? =C2=A0I kno=
w it takes<br>
> going slow for a long and noticeable time, but I am just curious on th=
e<br>
> theoretical limit.<br>
<br>
</div>Every 2016 blocks can at most lower the difficulty by a factor of 4,<=
br>
thats where the log4 (number of 2016 groups needed) and 4^n (factor in<br>
cost reduction for each group) come from in the formulas I gave<br>
previously.<br>
<div class=3D"im"><br>
> I dont see the signatures.<br>
<br>
</div><a href=3D"http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitc=
oin-0.8.1/SHA256SUMS.asc/download" target=3D"_blank">http://sourceforge.net=
/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA256SUMS.asc/download</a><b=
r>
<br>
The signatures can't be inside the tarball because they sign the tarbal=
l.<br>
<br>
Seems like the website redesign managed to hide the signatures pretty<br>
good. They're in the release announcements in any case, but that<br>
should be fixed. =C2=A0Even when they were prominently placed, practically<=
br>
no one checked them. As a result they are mostly security theater in<br>
practice :(, =E2=80=94 so=E2=80=94 unfortunately, is SSL: there are many CA=
's who will<br>
give anyone a cert with your name on it who can give them a couple<br>
hundred bucks and MITM HTTP (not HTTPS!) between the CA's<br>
authentication server and your webserver. Bitcoin.org is hosted by<br>
github, even if it had SSL and even if the CA infrastructure weren't a<=
br>
joke, the number of ways to compromise that hosting enviroment would<br>
IMO make SSL mostly a false sense of security.<br>
<br>
The gpg signatures and gitian downloader signatures provide good<br>
security if actually used, solving the "getting people to use them&quo=
t;<br>
problem is an open question.<br>
<br>
And I agree, this stuff is a bigger issue than many other things like<br>
mining the difficulty down.<br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
---------------------------------------------------------------------------=
---<br>
Learn Graph Databases - Download FREE O'Reilly Book<br>
"Graph Databases" is the definitive new guide to graph databases =
and<br>
their applications. This 200-page book is written by three acclaimed<br>
leaders in the field. The early access version is available now.<br>
Download your free book today! <a href=3D"http://p.sf.net/sfu/neotech_d2d_m=
ay" target=3D"_blank">http://p.sf.net/sfu/neotech_d2d_may</a><br>
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
</div></div></blockquote></div><br></div>
--001a11c23f1c2184f404dc1989b9--
|
