01:36:02 | coinheavy_: | coinheavy_ is now known as coinheavy |
02:18:10 | kazcw: | kazcw is now known as freebitcoin |
02:45:32 | dsnrk: | petertodd: https://blockchain.info/address/WqYQaBi2jNfwrPZkfgJ46M7rrTJaq9fpXuWk3ZKU1HqtGMmX8VgLfYi2A763vt6ShkqF6DQdXiNcxGCHybZ97VMn1if8tJ3YNCfGJPXXaAo5aziVWmQXLHenaA6v8Gq |
02:45:49 | dsnrk: | there's more broken than their multisig stuff. |
02:46:33 | tacotime: | such hash160 |
02:47:05 | dsnrk: | many bytes |
02:47:32 | tacotime: | amusingly if you click it checksum doesn't validate |
02:51:54 | freebitcoin: | freebitcoin is now known as kazcw |
05:56:42 | maaku: | maaku is now known as Guest39326 |
07:33:56 | cracksmurf: | has anyone proposed a bitvote sidechain? |
07:34:17 | cracksmurf: | http://www.reddit.com/r/bitlaw/comments/294qqn/request_for_bitvote_ideas/ |
07:39:00 | gmaxwell: | A blockchain is generally the wrong tool for voting. It doesn't provide any of the things that voting needs or wants. Blockchains are not strongly censorship resistant, they don't provide the right kinds of privacy, they don't prevent sybils of real people (unless you're happy with the parties with the most money controlling the vote outcome). |
07:47:28 | dsnrk: | I don't follow that. so far I've seen block chains proposed for DRM, for serial number management, backups, password storage, elections, and a pile of other completely irrelevant data types. it's a brand new magic keyword to sell a system, rather than the system needing an actual function of having a block chain. |
07:54:53 | Apocalyptic: | dsnrk, it's the new paradigm, "decentralize all the things with the blockchain !" |
07:55:07 | _ingsoc: | dsnrk: CC backed by fertilizer (http://uro.io). Where is your God now? |
07:56:15 | dsnrk: | _ingsoc: I'm so battered I don't even know if that's satire or not |
07:56:36 | gmaxwell: | the authors are probably pissed that "shitcoin" was already taken. |
07:56:49 | gmaxwell: | well perhaps not, no one seems to have created a "pisscoin" |
07:57:03 | _ingsoc: | Pretty sure it's real. Why haven't you invested yet? :O |
07:57:33 | dsnrk: | ... |
07:58:19 | _ingsoc: | dsnrk: Please tell me you've at least swarmed today (http://swarmcorp.com)? |
07:58:27 | dsnrk: | I don't even know what's going on here. is this a urine based altcoin? |
07:59:08 | _ingsoc: | I love how they say, if we raise 1k BTC, the majority will go to salaries - and this is probably legal. |
07:59:47 | Dizzle__: | Dizzle__ is now known as Dizzle |
07:59:56 | dsnrk: | look, sorry if you showed me that and told me it was satire I would have been 100% on board. |
08:00:15 | Apocalyptic: | dsnrk, do you really want to know ? |
08:00:22 | dsnrk: | I mean sweet, haha you've got people trading piss tokens |
08:00:41 | dsnrk: | _ingsoc: what the hell is bitcoin 2.0 technology? |
08:00:43 | _ingsoc: | I think I should start a project where I raise BTC that I can use to alert the authorities to these illegal security offerings. |
08:00:55 | _ingsoc: | I can carry a badge and everything. |
08:01:36 | dsnrk: | _ingsoc: alright. so I've read the Swarm page. can you explain it to me just a little bit? |
08:01:45 | dsnrk: | start with: what is it |
08:01:49 | _ingsoc: | dsnrk: I was hoping you could explain it to me. |
08:02:06 | _ingsoc: | I've already refinanced my house to invest, so I need to know what it is. |
08:02:28 | dsnrk: | multi faceted web 2.0 startup that's using the synergy of bitcoin to achieve massive profits |
08:03:27 | dsnrk: | from what I can tell it's a pretty website asking for 1000BTC to pay people to make something that might be interesting in the future but can't really be explained. |
08:03:36 | _ingsoc: | But the buzzwords and self portraits of the founders? |
08:03:52 | _ingsoc: | They don't look like people who would steal my money. Tell me I didn't make a mistake. |
08:04:36 | dsnrk: | so they're a company people are funding to make software to make altcoins. |
08:04:40 | _ingsoc: | Actually, they've drawn up plans for 21.5k BTC. |
08:05:39 | dsnrk: | excellent stuff. forrest is too poor to work on p2pool full time, yet people send millions of dollars to a group of people that can't explain their core product. |
08:06:03 | _ingsoc: | This is when you know dirty VC money is in town. :) |
08:06:17 | dsnrk: | :C |
08:06:45 | dsnrk: | that's sort of awful really. these people could actually be doing something to help Bitcoin for real, and instead they're buying bees |
08:08:09 | _ingsoc: | Why would they help Bitcoin? Unless you have a reasonable amount of coin, there's very little incentive for people to support its dev. |
08:08:12 | dsnrk: | not real bees, they would produce honey and be treasured by Luke-Jr. a virtual bee-named platform that needs millions of dollars to be funded which might become useful in the future but probably not because they're in the money anyway. |
08:08:38 | _ingsoc: | People put their money toward things that can make them money in return. |
08:08:44 | dsnrk: | _ingsoc: I'm fairly poor in the Bitcoin scheme of things, but I happily donate to the projects I use. |
08:09:25 | _ingsoc: | Most people aren't like that. |
08:09:32 | cbeams: | dsnrk, _ingsoc: re: Swarm, here are the founders launching and explaining the product at the Central European Bitcoin Expo a few weeks ago. https://www.youtube.com/watch?v=gmVWW_7lCAQ |
08:09:52 | _ingsoc: | cbeams: Are any of the CEBE talks online? |
08:09:57 | _ingsoc: | Of other presentations. |
08:10:12 | cbeams: | Saw a couple elsewhere. Not sure if there's a central location, though. |
08:10:22 | cbeams: | it's not advertised on the CEBE site anyway. |
08:10:49 | cbeams: | it was all UStream; a couple quick searches came up empty. I finally found this one just by searching directly on youtube. |
08:11:13 | _ingsoc: | Darn, would love to listen to some of them. |
08:11:18 | dsnrk: | _ingsoc: I know, but I have developed open source projects before. it's a really nice feeling when you see that somebody supports your software. I've donated to bfgminer and p2pool and a few other projects in the past for that exact reason. |
08:11:55 | dsnrk: | even just a token amount does the trick of restoring morale. |
08:12:33 | _ingsoc: | I hear ya. It would be nice if people operated like that. |
08:13:56 | gmaxwell: | there should be some program that spies on your computer use and estimates your usage of various open source programs, and then lets you get monthly or annual reports, so you can use that information in what you decide to support. |
08:14:15 | _ingsoc: | Hah. |
08:14:43 | _ingsoc: | Bitcoin should have had a commons where x% goes to dev. |
08:15:06 | dsnrk: | gmaxwell: my use of mdp is going to be off the scale, might not work for everything. |
08:15:12 | dsnrk: | *mpd |
14:04:47 | maaku: | maaku is now known as Guest9755 |
14:30:16 | Guest9755: | Guest9755 is now known as maaku |
15:01:01 | dgenr8: | gmaxwell: re voting, what other decentralized transfer ledger exists, aside from a blockchain? |
15:01:19 | sipa: | why do you need a decentralized transfer ledger for voting? |
15:01:37 | sipa: | there are dedicated protocols for multiparty secure voting |
15:02:19 | dgenr8: | sipa: got a reference? |
15:08:34 | dgenr8: | top 3 google results are chain-based. #4 is from 2009, looks interesting |
15:10:49 | epscy: | voting is pretty tricky, you could argue we struggle to meet all the requirements IRL |
15:11:18 | epscy: | without trying to do it in a decentralized way with anonymous participants |
15:11:55 | Pan0ram1x: | Pan0ram1x is now known as Guest60403 |
15:13:28 | dgenr8: | when thinking about it I get stuck on the part where you need to be able to prove to yourself that your vote was counted, but retain the ability to confuse someone who thinks you sold them your vite |
15:13:36 | dgenr8: | vote |
15:16:01 | Luke-Jr: | I don't think a voting system should make fraud easy. |
15:16:30 | Luke-Jr: | or is the goal to simply stop it from happening? |
15:17:34 | epscy: | Luke-Jr: i think dgenr8 means that you need to be able to verify that someone didn't vote twice but make sure each vote is anonymous (to prevent coercion) |
15:17:42 | sl01: | dgenr8: watch this as a starting pt https://www.youtube.com/watch?v=ZDnShu5V99s |
15:18:03 | sl01: | it answers that specific question |
15:19:06 | Luke-Jr: | in any case, I don't think decentralised voting really has anything in common with Bitcoin or similar technologies. |
15:19:27 | Luke-Jr: | except maybe attraction to anarchist nuts |
15:22:53 | epscy: | it's an interesting problem, but i can't see it being viable anytime soon, witness the controversy around electronic voting machines |
15:23:37 | dgenr8: | Luke-Jr: you're worried I will defraud the guy to whom I sold my vote? ;P |
15:23:52 | epscy: | that being said, in 2000 some florida voters struggled with punch card ballots... |
15:26:33 | dgenr8: | epscy: if there were a solution, it would get adopted in a grass-roots way in small elections at first. you know the drill |
15:28:06 | Luke-Jr: | dgenr8: yes |
15:28:19 | Luke-Jr: | if you're selling your vote, do it honestly :P |
15:29:08 | dgenr8: | Luke-Jr: how ironic, to find myself arguing the point that some people deserve to be defrauded |
15:31:06 | dgenr8: | with you specifically |
15:31:07 | dgenr8: | It makes the point well that we must seek fair, technical solutions |
15:45:05 | killerstorm: | killerstorm has left #bitcoin-wizards |
15:48:19 | dgenr8: | sl01: ah, the importance of enforced balloting secrecy |
15:55:19 | jtimon: | dgenr8 didn't read it yet, but this paper looks interesting (maybe not up to date?) https://uwspace.uwaterloo.ca/handle/10012/5992 |
16:09:41 | gmaxwell: | 08:01 < dgenr8> gmaxwell: re voting, what other decentralized transfer ledger exists, aside from a blockchain? |
16:10:18 | gmaxwell: | ... a "transfer" ledger isn't what you want for voting. It's not related to any of the hard problems in voting. |
16:11:53 | gmaxwell: | Hard problems in voting include— giving keys to voters without someone being able to stuff the ballots (sybil resistance), preventing censorship of ballots, counting ballots without knowing what's in them (goes hand in hand with avoiding censorship), preventing voters from being able to sell their vote or be coerced. |
16:35:44 | Pasha: | Pasha is now known as Cory |
16:58:15 | gwillen: | Luke-Jr: so, the purpose of ballot secrecy is not to make it possible to defraud a vote-buyer, right |
16:58:37 | gwillen: | Luke-Jr: it's to ensure that the value of your vote to a third party -- to whom it is impossible to prove your vote -- is guaranteed to be zero, thus preventing the vote from being sold in the first place |
16:59:12 | gwillen: | (it's not even really that; I think it's more to prevent someone who has power over you from compelling your vote for free.) |
17:14:32 | pigeons: | suddenly everyone who voted for the union is fired, and everyone who voted against the war disappeared |
17:16:49 | sipa: | ...? |
17:28:22 | pigeons: | without ballot secrecy, and then next time suddenly everyone voted the way they were expected to |
17:46:55 | Luke-Jr: | gwillen: people will still buy votes with empty promises |
17:47:08 | gwillen: | that doesn't sound like my problem |
17:47:20 | gwillen: | that sounds like the problem of an idiot who would buy a vote on an empty promise |
17:48:26 | Luke-Jr: | well, the problem is that idiots are allowed to vote, yes |
18:15:58 | gmaxwell: | Ballot secrecy has a couple purposes. |
18:20:51 | gmaxwell: | It inhibits coercion ("I fire you unless you vote my way" or softer forms like social ostracism), it prevents a vote buyer from not getting ripped off, it reduces the effectiveness of vote censorship (harder to rig the election if you can't tell what ballots you're destroying). There are some second tier advantages, for example, if you can read the election in progress you can deploy crazy (e.g. unpermitted) stunts if they are ... |
18:20:57 | gmaxwell: | ... necessary and sufficient to win. |
18:23:05 | helo: | discussion much appreciated |
18:23:42 | gmaxwell: | Some ways of achieving ballot secrecy satisfy some of these and not others. |
18:25:04 | gmaxwell: | For example, encrypting your ballot with non-denyable encryption basically meets none of those except the last, if you consider the case where the attacker can apply pressure to you before the election. (e.g. "record the nonce you used when encrypting your ballot, or I fire you") |
18:45:34 | tomaw: | [Global Notice] Hi all. I'm going to reroute a hub and then restart a client server for a few updates. It'll be noisy but should be brief! |
19:25:07 | jcluck: | jcluck is now known as cluckj |
19:37:03 | gmaxwell: | I wonder what the implication would be of having each block include commitments to the observed times of the prior blocks (optionally 0 for blocks the miner didn't have what it believed to be a reliable observation) |
19:38:35 | gwillen: | of how many prior blocks? |
19:39:25 | gwillen: | it would be hard to distinguish lying from network latency |
19:40:21 | gmaxwell: | The notion there is that since future blocks time past ones, you can make estimates that are accurate so long as most of the blocks are not lying about the time. |
19:41:21 | gmaxwell: | e.g. timestamp the last 288 blocks, and for each of the blocks perform a median to get a consensus time for that block.. |
19:42:34 | gmaxwell: | e.g. part of the problem with faster difficulty updates is that it increases sensitivity to bullshit in block timestamps. |
21:20:45 | kanzure_: | kanzure_ is now known as kanzure |
21:27:58 | dsnrk: | while off topic I think it's worth mentioning here just depending on the scale of the fallout. brainwallet.org has been using a bad RNG to make "random" private keys which it seems people have used to store a large amount of "cold storage" funds with, a user in the comments of reddit has posted that they have lost 35+ BTC to this. |
21:28:37 | gmaxwell: | I didn't know it had an rng? |
21:28:43 | maaku: | gmaxwell: math.random |
21:28:49 | gmaxwell: | waht!?!@$!(123 |
21:28:57 | dsnrk: | on the front page there's a "random" button which appears to make a random private key. this uses math.random. |
21:28:58 | maaku: | when you click 'generate random address' |
21:29:08 | gmaxwell: | math.random is a 32bit lcg. |
21:29:14 | dsnrk: | yep. |
21:29:21 | gmaxwell: | I cannot believe that Joric didn't know this. |
21:29:33 | maaku: | can some unscrupulous person please shut this site down |
21:30:10 | dsnrk: | we can assume that all funds stored "cold" with brainwallet.org's random key are now stolen, and from a bit of searching around it seems that it's fairly widely used. |
21:34:48 | dsnrk: | the button was added on october 19th, 2013. |
21:35:39 | jcorgan: | somehow despite the warnings of smart people, dumb people will continue to do dumb things |
21:35:57 | gmaxwell: | https://en.bitcoin.it/wiki/User:Gmaxwell/things_im_surprised_dont_exist < also a little offtopic, but some of you might have some things along these lines to contribute. |
21:36:36 | dsnrk: | > |
21:36:36 | dsnrk: | Dear lord, why the @#$@ are we still using IRC? |
21:36:56 | jcorgan: | ? |
21:37:21 | dsnrk: | it's one of the comments from gmaxwell's page, butchered by me copying a linebreak |
21:37:34 | gmaxwell: | Checking my logs, Joric has been in #bitcoin on several occasions when I've specifically mentioned that math.random was insecure and can be trivially searched. |
21:38:09 | dsnrk: | :C |
21:38:22 | justanotheruser: | gmaxwell: Encrypted, authenticated, reputable multiparty chat |
21:38:26 | justanotheruser: | Tox is 2/3 |
21:38:38 | jcorgan: | i would assume at this point that this is intentional by Joric |
21:38:41 | gmaxwell: | If it's not 3/3 it's a liability. |
21:38:48 | dsnrk: | not stupidity then. that's a fairly horrible thing to be up against, given the popularity of brainwallet.org. |
21:38:59 | gmaxwell: | Now I'm seeing how any of those incidents align with the addition of the feature and his question about faster EC pubkey generation. |
21:39:05 | justanotheruser: | Well it's auditable. I'm not sure what you mean by reputable |
21:40:14 | gmaxwell: | justanotheruser: when we have a conversation it shouldn't result in creating digital signatures where you (or someone who's later compromised your machine) can take the logs and prove to someone who wasn't in the conversation what was said— unless we specifically ask for it. |
21:40:45 | gmaxwell: | Without that property encryption can make you less secure, e.g. if your real risk was publication not eavesdropping. |
21:40:53 | gmaxwell: | OTR achieves it for two person chat. |
21:42:59 | justanotheruser: | gmaxwell: yeah, hopefully OTR is a feature in the near future |
21:46:12 | sipa: | feature of what? |
21:46:40 | justanotheruser: | sipa: Tox |
21:52:05 | mortale_: | mortale_ is now known as mortale |
21:52:16 | justanotheruser: | my mistake, tox apparently already has perfect forward secrecy |
21:52:56 | gmaxwell: | perfect forward secrecy is no the same as being reputable. |
21:53:00 | gmaxwell: | s/no/not/ |
21:53:29 | justanotheruser: | gmaxwell: I'm confused. Are you implying their cryptography may be inperfect? What is reputable? |
21:54:04 | sipa: | reputable or refutable? |
21:54:32 | gmaxwell: | The opposite of non-reputable. |
21:55:06 | gmaxwell: | justanotheruser: I explained the property above. The system shouldn't be constructed so that someone can log it and produce a transcript which would convince a third party that the transcript wasn't forged. Just about anything that uses a digital signature anywhere fails this criterion. PFS is orthogonal. |
21:56:11 | sipa: | i think you mean refutable? |
21:58:02 | gmaxwell: | sipa: it's a direct parallel to http://en.wikipedia.org/wiki/Non-repudiation I'm referring to the opposite property. |
21:58:50 | sipa: | i'm confused |
21:59:01 | dsnrk: | is it worth while to put a notice on the /topic of #bitcoin about the brainwallet thing? |
21:59:15 | gmaxwell: | dsnrk: yes. |
21:59:24 | gmaxwell: | dsnrk: give me suggested text. |
22:00:03 | gmaxwell: | hm. I really don't remember that random button being on brainwallet.org |
22:00:17 | gmaxwell: | does anyone have an old checkout or capture of the source code? |
22:00:22 | dsnrk: | it's been there for months |
22:00:27 | gmaxwell: | okay, I believe you then. |
22:00:40 | dsnrk: | front page, button next to "secret exponent" |
22:00:54 | gmaxwell: | I see it there, just don't recall seeing it before. |
22:01:09 | gmaxwell: | (and the git history could obviously have been forged) |
22:01:21 | dsnrk: | commit is from october 19, I have the repos locally for Justin. |
22:02:13 | dsnrk: | gmaxwell: https://web.archive.org/web/20131205042843/http://brainwallet.org/ |
22:05:25 | dsnrk: | ADVISORY: All keys generated with brainwallet.org are to be considered compromised, see !brainwallet |
22:05:30 | dsnrk: | !brainwallet: The "random" button on brainwallet.org appears to create maliciously weak private keys which can be broken by a third party. Using the HTML source offline does not absolve this vulnerability. Any funds stored in these addresses have been stolen, or are at immediate risk of being stolen. |
22:05:31 | gribble: | Error: "brainwallet:" is not a valid command. |
22:05:39 | dsnrk: | * dsnrk pets gribble |
22:08:41 | dsnrk: | gmaxwell: good enough? |
22:08:52 | maaku: | maaku is now known as Guest79914 |
22:09:18 | gmaxwell: | I dunno how to update gribble but I asked. |
22:09:50 | dsnrk: | !facts |
22:09:50 | gribble: | To see a nice sortable web view of all factoids, click here: http://gribble.dreamhosters.com/viewfactoids.php?db=%23bitcoin-wizards || To see a list of the most popular factoids, run !rank || To search factoids, run !factoids search |
22:10:37 | dsnrk: | serajewelks / iwilcox have added them mostly. |
22:10:40 | justanotheruser: | Can we have a memory hard PoW snark and PoS snark that explains why they don't work or are bad, links to the papers and says it's OT? |
22:11:34 | justanotheruser: | Regarding PoS, I wonder how much it would cost to buy private keys from used stake |
22:11:48 | dsnrk: | not much if people don't know what they can be used for. |
22:11:57 | tacotime: | probably equivalent to whatever the reward is for stake mining. |
22:12:08 | dsnrk: | bet I could talk somebody into selling me their coinbase private key from 2011. |
22:12:25 | justanotheruser: | tacotime: their reward is zero if they transferred the funds from that addr |
22:12:34 | justanotheruser: | s/from that addr/to another addr |
22:12:35 | gmaxwell: | justanotheruser: I'd assume ~0 |
22:12:45 | tacotime: | heh |
22:12:56 | gmaxwell: | which is also consistent with tacotime's comment! |
22:13:12 | dsnrk: | sourceforge makes me cry. |
22:13:12 | justanotheruser: | gmaxwell: the reward for stake mining isn't 0? |
22:13:19 | tacotime: | :P |
22:13:28 | justanotheruser: | Even though the value of the currency should be 0 |
22:13:31 | gmaxwell: | it's zero once it's already used. |
22:13:45 | dsnrk: | there's no reason any PoS currency should have value, but it does |
22:13:48 | justanotheruser: | ya, true |
22:13:50 | gmaxwell: | I assumed by used you mean old keys which are no longer in control of funds in the consensus network. |
22:13:58 | justanotheruser: | gmaxwell: I did |
22:14:55 | dgenr8: | gmaxwell: 1) I like your idea that treats node clock observations as a resource for doing useful things like average timestamps |
22:14:57 | justanotheruser: | I wonder how much old work would cost :P |
22:15:09 | gmaxwell: | yea, so I think the frictionless free market price for selfishly-honest (someone who won't do evil, but won't earn less income to prevent someone else from doing evil) participants should be 0. |
22:16:55 | dsnrk: | selfishly-honest is a good term for miners at the moment. |
22:17:26 | dgenr8: | gmaxwell: 2) That great Ben Adida video does make it pretty clear that a blockchain could contribute precious little to his example crypto voting scheme. |
22:20:09 | dsnrk: | http://0bin.net/paste/7PescMMgYddHILZw#G5ZU4M2wLZSZgRivo2TAgTg1ec8BquoGuWjz-y3bvRa |
22:20:15 | gmaxwell: | 11:31 <@gmaxwell> I especially liked the day a couple months back where Joric was complaining about being out of money in here, and then the next message from him was him asking me in #bitcoin-dev about faster ECDSA pubkey generation code. |
22:20:20 | gmaxwell: | 11:33 < Joric> well, now i got secp256 hehehe |
22:20:32 | dsnrk: | can anybody pick the back door in that code snippet? |
22:20:37 | dsnrk: | it's pretty sneaky. |
22:21:05 | justanotheruser: | dgenr8: what advantage does a blockchain have over https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems |
22:21:30 | gmaxwell: | dsnrk: where is that from? |
22:21:37 | dsnrk: | brainwallet.org. |
22:21:52 | dsnrk: | that's part of the minified bitcoin-js lib, I'm checking now if it's from upstream |
22:23:03 | dgenr8: | justanotheruser: i got nothing. after you vote, no need to "transfer" anything ever again. |
22:23:19 | gmaxwell: | oh wow, it wasn't even directly using math.random() but it was doing it in an obfuscated way? |
22:23:25 | dsnrk: | yes |
22:23:37 | dsnrk: | on first glance it looks like crypto.random, but it's not |
22:24:14 | sipa: | i don't know JS... |
22:24:27 | justanotheruser: | dgenr8: both are verifiable, both can be made anonymous, both are jammable and in both the user knows if they're being jammed, but in one you need to incentivize miners (pay) |
22:24:49 | dsnrk: | gmaxwell: wait. is my javascript totally useless or is that wrong? because that code is from upstream. |
22:25:21 | dsnrk: | I really hope I've read that wrong. |
22:25:33 | dgenr8: | The Ben Adida video linked by sl01 above describes a "mixnet" as part of voting. It begs one to wonder if such a thing could be implemented as a real open-source p2p project for mixing bitcoin |
22:25:58 | justanotheruser: | dgenr8: there are already methods of mixing bitcoins trustlessly |
22:26:02 | justanotheruser: | namely coinjoins |
22:26:07 | dgenr8: | a pretty extensive set of cross-node audits are described |
22:27:05 | dsnrk: | alright. so that dodgy looking code is served up by bitcoinjs.org. |
22:27:31 | helo: | hah |
22:27:40 | dsnrk: | it's either 1) not a backdoor and I'm a complete idiot 2) upstream is tainted too |
22:27:44 | dgenr8: | there is an onion structure a la tor |
22:28:21 | tacotime: | dgenr8, that seems to be the intentions of darkcoin |
22:28:35 | tacotime: | although perhaps we'll never know because they're refusing to foss it |
22:29:01 | justanotheruser: | tacotime: darkcoin has a broken incentive structure |
22:29:03 | dgenr8: | this would be a separate network, not a new chain |
22:29:08 | tacotime: | they also require mixing nodes to have 1000 coins, which is silly |
22:29:11 | tacotime: | justanotheruser, yeah |
22:29:19 | jcorgan: | dsnrk: or, Joric is aware of that and used it intentionally |
22:30:11 | dsnrk: | jcorgan: if it's part of bitcoinjs (it is, that's the only part in the minified code where crypto.random is used) then a lot more than brainwallet.org is affected. |
22:32:12 | dsnrk: | or we have the option that I'm an idiot and completely misreading it, in which case brainwallet.org is weak in some other way |
22:34:54 | jcorgan: | meh, i'm tired of giving the benefit of the doubt. anything internet-sourced is evil until proven otherwise :) |
22:35:39 | dsnrk: | for me at least the line with crypto.random doesn't execute at all. navigator.appVersion is "5 (Macintosh)", which isn't < 5. so for me I skip that whole round and move on to seeding just with Math.random. |
22:37:21 | gmaxwell: | dsnrk: the obvious thing to do is to make a demo version of the site which is completely identical except math.random() is replaced with 0. |
22:37:27 | gmaxwell: | and then it will be really obvious what its doing. |
22:38:22 | dsnrk: | alright. |
22:38:38 | Guest79914: | Guest79914 is now known as maaku |
22:39:13 | dsnrk: | would be easier if it wasn't minified :| |
22:39:55 | dsnrk: | gmaxwell: confirmed. without Math.random all values are static. |
22:40:15 | sipa: | wait |
22:40:27 | sipa: | what does that imply? |
22:40:42 | gmaxwell: | dsnrk: the code you pastebinned was befuddling me because it appears to be missing characters. |
22:41:02 | gmaxwell: | e.g. no ; at the end of the for line |
22:41:17 | dsnrk: | yes, that's a side effect of the deminifier I used I suspect |
22:41:20 | gmaxwell: | and I don't think "new Array," is valid JS, but I'm not a JS expert. |
22:41:36 | gmaxwell: | but the test you did that I suggested was definitive. |
22:42:30 | dsnrk: | it's possible I broke it in other ways, I wouldn't call it definitive unless somebody can verify it. |
22:42:47 | gmaxwell: | well you should be able to remove the math.random in the minified code, no? |
22:43:00 | dsnrk: | yes |
22:45:07 | dsnrk: | but still, holding off until somebody else can verify would be ideal. |
22:49:12 | dsnrk: | ah I see, so clicking the "random" button uses genRandom() in brainwallet.js, but the starting values of the fields are generated using secureRandom() from bitcoinjs. the one from brainwallet.org is actually the secure one, the one from bitcoinjs is not. |
22:49:25 | gmaxwell: | dsnrk: http://0bin.net/paste/5sfCTYq4rSkMN9wh#Y-w9R28MAb9M3lxptRs9Fs6nD6ko/HJxMXOfNtQfpwg |
22:49:46 | gmaxwell: | I apply that patch, and I get all zeros. |
22:50:01 | gmaxwell: | can someone else inspect my patch and confirm that I didn't do anything obviously stupid? |
22:51:08 | gmaxwell: | I think it was the first line changed that made it misbehave, not the second. |
22:54:22 | dsnrk: | gmaxwell: that's a different result to me, I got a static but unchanging value |
22:54:25 | dsnrk: | not all zeros. |
22:57:05 | gmaxwell: | dsnrk: I replaced Math.floor(Math.random()*256) with Math.floor(0) |
22:57:50 | gmaxwell: | and the 'secret exponent' becomes 0000000000000000000000000000000000000000000000000000000000000000 |
22:58:25 | dsnrk: | alright, I can confirm. I was being stupid. |
23:01:18 | dsnrk: | http://188.226.199.217:8000/ < with the replaced code |
23:02:37 | gmaxwell: | yep. anyone here on something different than whatever dsnrk and I are running (I'm using firefox nightly on linux) |
23:02:41 | gmaxwell: | ? |
23:04:19 | dsnrk: | safari on OSX, firefox aurora both return all zeros. booting up windows XP. |
23:05:06 | justanotheruser: | chromium on debian: 0000000000000000000000000000000000000000000000000000000000000000 |
23:05:19 | dsnrk: | google chrome latest, all zeros |
23:06:00 | dsnrk: | ie8, all zeros |
23:06:19 | gmaxwell: | great. okay. not platform specific then, justanotheruser thanks. |
23:07:23 | justanotheruser: | but what about solaris :O |
23:07:23 | [nsh]: | what's being investigated here? some javascript crypto? |
23:07:30 | dsnrk: | brainwallet.org. |
23:07:39 | [nsh]: | ah |
23:07:52 | dsnrk: | lots of people used a nasty website with a bad past to make "offline" storage. turns out the RNG sucks. |
23:07:55 | tacotime: | apparently it's causing some misadventures in finance today http://www.reddit.com/r/Bitcoin/comments/295las/35_of_my_btc_gone_pc_not_compromised/ |
23:08:28 | justanotheruser: | At least they aren't blaming bitcoin: "Edit: I was an idiot and assumed that the "random" button on brainwallet.org was truly random, but it clearly is not. My coins were taken by someone who is clearly smarter than myself and this is completely my fault by creating Bitcoin addresses on a website that I assumed was safe. There's a $20k life lesson that I'll never forget, that's for sure. Also, to elaborate, I did not use the p |
23:08:47 | dsnrk: | justanotheruser: the thief returned the funds lower down in the thread. |
23:09:46 | dsnrk: | http://www.reddit.com/r/Bitcoin/comments/295las/35_of_my_btc_gone_pc_not_compromised/cihvzeq |
23:10:33 | justanotheruser: | neato |
23:10:44 | dsnrk: | given how willing they are to do that, it's pretty reasonable to assume a lot more people were stolen from. |
23:10:58 | [nsh]: | * [nsh] reads thread |
23:12:38 | [nsh]: | how were the random addresses recreated/determined by the attacker? |
23:12:43 | [nsh]: | or is that not clear yet? |
23:12:47 | cracksmurf: | cracksmurf is now known as paavo |
23:13:13 | sipa: | by figuring out how the browser's math.random works, and trying all its potential states? |
23:13:17 | dsnrk: | math.random isn't a secure RNG |
23:13:23 | [nsh]: | seems so |
23:13:45 | [nsh]: | i wonder how many other people are similarly exposed (or how many bitcoins) |
23:13:53 | dsnrk: | hard to know. |
23:14:05 | [nsh]: | i guess it resolves itself eventually through malicious education |
23:14:05 | dsnrk: | only way of finding out is people self reporting |
23:14:26 | dsnrk: | it's also one of those things where people won't check for a few years, then go to get their millions out only to find an empty key. |
23:14:36 | [nsh]: | in an ideal world the education would be mischievous rather than malicious (as in this thread) |
23:14:59 | [nsh]: | but we don't live in an ideal world, and i have come to terms with the ecological advantage of lessons being learnt the yoinky way |
23:15:36 | dsnrk: | if they found 35 different "random" keys, it's pretty easy to assume they have enumerated the whole space |
23:22:38 | gmaxwell: | sipa: in firefox at least math.random() is a 32-bit LCG, I'm reasonably sure it's the same in IE and expect it to be the case in chrome too. |
23:23:48 | maaku: | gmaxwell: any chance you could get that fixed? |
23:24:21 | dsnrk: | what needs to be fixed? there's already a CSRNG, it's even in the bitcoinjs code. it just never runs. |
23:25:06 | maaku: | dsnrk: talking about firefox (gmaxwell works at mozilla) |
23:25:26 | maaku: | stop other people from shooting themselves in the foot too badly |
23:25:50 | dsnrk: | I know, but there's no reason for Math.random to be a CSRNG. that's what window.crypto is for. |
23:25:56 | gmaxwell: | maaku: anything reasonably secure would probably be noticably slower. |
23:26:08 | gmaxwell: | So I expect that would be the counter argument. |
23:26:52 | maaku: | rhm imho cryptographically secure or true rng should be the default math.random (standards be damned). you should be calling obscure apis to get a faster, less secure rng, not the other way around |
23:27:22 | maaku: | i wouldn't expect google or msft to agree with such an argument however |
23:28:08 | dsnrk: | I think it's best to just say that math.random is not secure, crypto.getrandombytes is. avoids the situation where some browsers are less secure than others. |
23:28:49 | maaku: | dsnrk: oh i agree, but that doesn't stop one browser vendor from actually making math.random secure under the hood |
23:28:59 | gmaxwell: | Even if you buy that going forward (rust's default rng is cryptographic one, though not perhaps as strong as you might like) the web already exists, so it might not be welcome to swap out math.random on things. |
23:30:25 | dsnrk: | bitcoin.org lists an awful lot of projects which use their library. |
23:31:07 | dsnrk: | isn't bc.i based on it? |
23:31:11 | maaku: | btw on the topics of utxo commitments ... i gave up trying to come up with cases where patricia tree level compression causes problems |
23:31:13 | gmaxwell: | dsnrk: did you also observe that it was the first line that breaks brainwallet? |
23:31:29 | gmaxwell: | maaku: go and implement it and see where it fails? |
23:31:40 | maaku: | yeah, probably |
23:31:43 | dsnrk: | gmaxwell: this one? |
23:31:46 | dsnrk: | if (navigator.appName == "Netscape" && navigator.appVersion < "5" && window.crypto) { |
23:32:21 | maaku: | i'm rewriting the bip and such to use level compression only, and i'm going to add a note to the message to the mailing list about the issue, in case someone wants to poke around |
23:32:36 | gmaxwell: | dsnrk: no, in the minified js code math.random() is called at two places, I believe it was the first and only the first that needed to be changed to break brainwallet. |
23:32:47 | maaku: | alas my irc client doesn't save logs from way back when we discussed this, many moons ago |
23:33:38 | dsnrk: | gmaxwell: wonder if anybody ever looked at this. |
23:34:42 | gmaxwell: | I did, before it had the random button, and I complained that there was math.random in the codebase at all. |
23:35:06 | dsnrk: | gmaxwell: hope coinpunk doesn't use this function. https://github.com/kyledrake/coinpunk-bitcoinjs/blob/master/src/crypto-js/crypto.js#L11 |
23:36:36 | gmaxwell: | dsnrk: https://github.com/cantonbecker/bitcoinpaperwallet/blob/master/generate-wallet.html |
23:37:32 | dsnrk: | that one isn't as bad, but still fails if window.Uint8Array isn't around. |
23:37:56 | dsnrk: | oh we are so fucked :C |
23:38:11 | gmaxwell: | dsnrk: it has the same doesn't-even-test randomBytes function |
23:38:51 | dsnrk: | alright. so where do we go from here? |
23:39:16 | gmaxwell: | I mean we were already telling people not to use these things, we already knew they were insecure due to a multitude of reasons. |
23:39:29 | dsnrk: | at this point I assume a large portion of bitcoin is stored in keys generated using these weak functions. is that pretty much the size of it? |
23:40:19 | maaku: | dsnrk: probably |
23:40:31 | [nsh]: | what is it that brainwallet.org offered this unlucky->lucky user that they couldn't have done with the bitcoin client or something else secure? |
23:40:45 | sipa: | [nsh]: the bitcoin client doesn't run in a browser |
23:40:50 | dsnrk: | people thought they could download brainwallet.org's source and use it "offline" |
23:41:14 | [nsh]: | * [nsh] frowns |
23:41:30 | dsnrk: | which you know is worth shit anyway if the RNG isn't safe. |
23:41:38 | maaku: | [nsh]: that would require running the bitcoin client |
23:42:28 | gmaxwell: | it's this Crypto-JS thing that is the complete fail one |
23:43:23 | dsnrk: | we should probably be working on making a list of affected parties and getting an advisory out. |
23:43:33 | dsnrk: | sort of no point being stealthy about it, it's being exploited in the wild. |
23:43:57 | maaku: | dsnrk: what can we do that we haven't already done? |
23:44:21 | maaku: | ok well we should get a list of other stuff besides brainwallet that is monumentally bad |
23:44:41 | jcorgan: | why isn't "WEB WALLETS ARE BAD" enough? |
23:45:12 | sipa: | jcorgan: because they're convenient |
23:46:34 | dsnrk: | maaku: this is sort of bigger than the /topic on the channel. anybody who has used these services in the past needs to be moving their funds to a secure wallet, if they have any left. |
23:46:55 | dsnrk: | it's not a matter of *if* the funds will be stolen anymore, it's *when*. |
23:47:15 | [nsh]: | have to take users as they come. remedial measures against avoidable stupidity are still a social good |
23:47:52 | dsnrk: | https://pay.reddit.com/r/Bitcoin/comments/2971e2/best_method_to_generate_a_new_address/cii1ryy |
23:47:55 | dsnrk: | ARRGH |
23:48:01 | jcorgan: | i hate to be so cynical but at this point it seems like just evolution in action |
23:48:58 | [nsh]: | yeah but cultural evolution does not require each individual to experience their own comeuppance. the 'progress' can be secured by many learning from one's mistake as well as by many each learning from their own mistakes |
23:49:26 | [nsh]: | in which case, utility is better served by exporting this one individual's lesson to as many people as possible with minimum overhead |
23:49:29 | dsnrk: | I'm with [nsh]. |
23:49:37 | jcorgan: | of course, i am too |
23:49:45 | dsnrk: | we have communication tools, let's use them to the best we can. |
23:50:05 | gmaxwell: | I note joric hasn't joined IRC in a couple weeks as far as I can tell. |
23:50:53 | dsnrk: | annoyingly a hard person to dox because he chose a nick from Skyrim. |
23:51:44 | jcorgan: | is there any reason to think that our "communication tools" will be any better now than at any time in the past? |
23:52:13 | dsnrk: | yes, as it's being exploited in the wild. |
23:52:29 | gmaxwell: | jcorgan: I think more of the point is that with someone having lost 35 btc while following what most of the idiots on reddit would consider best practices makes it a uniquely good time to be heard. |
23:52:29 | jcorgan: | sorry, i should shut up |
23:53:41 | gmaxwell: | We've all been telling people not to use these things for eons, but the fact of the matter is that bitcoin has grown oodles fold in the last year, most of the people who've come in are clueless and they outnumber the experienced people. Joe average hears a chorus of voices telling him to use brainwallet, and well— it can't be that bad with the majority supporting it, can it? |
23:55:32 | jcorgan: | gmaxwell: you're right, of course, i'm just getting burnt out |
23:55:40 | [nsh]: | * [nsh] smiles |
23:56:06 | [nsh]: | misconceptions are like weeds. they'll just turn up and take over if you don't tend the garden regularly enough |
23:56:26 | jcorgan: | i'd like to think Joe Average is better than he apparently is, but keep getting proven wrong |
23:57:12 | dsnrk: | I know at least one person who used one of these online services to make an "offline" wallet. they're not really joe average either. |