01:36:02coinheavy_:coinheavy_ is now known as coinheavy
02:18:10kazcw:kazcw is now known as freebitcoin
02:45:32dsnrk:petertodd: https://blockchain.info/address/WqYQaBi2jNfwrPZkfgJ46M7rrTJaq9fpXuWk3ZKU1HqtGMmX8VgLfYi2A763vt6ShkqF6DQdXiNcxGCHybZ97VMn1if8tJ3YNCfGJPXXaAo5aziVWmQXLHenaA6v8Gq
02:45:49dsnrk:there's more broken than their multisig stuff.
02:46:33tacotime:such hash160
02:47:05dsnrk:many bytes
02:47:32tacotime:amusingly if you click it checksum doesn't validate
02:51:54freebitcoin:freebitcoin is now known as kazcw
05:56:42maaku:maaku is now known as Guest39326
07:33:56cracksmurf:has anyone proposed a bitvote sidechain?
07:34:17cracksmurf:http://www.reddit.com/r/bitlaw/comments/294qqn/request_for_bitvote_ideas/
07:39:00gmaxwell:A blockchain is generally the wrong tool for voting. It doesn't provide any of the things that voting needs or wants. Blockchains are not strongly censorship resistant, they don't provide the right kinds of privacy, they don't prevent sybils of real people (unless you're happy with the parties with the most money controlling the vote outcome).
07:47:28dsnrk:I don't follow that. so far I've seen block chains proposed for DRM, for serial number management, backups, password storage, elections, and a pile of other completely irrelevant data types. it's a brand new magic keyword to sell a system, rather than the system needing an actual function of having a block chain.
07:54:53Apocalyptic:dsnrk, it's the new paradigm, "decentralize all the things with the blockchain !"
07:55:07_ingsoc:dsnrk: CC backed by fertilizer (http://uro.io). Where is your God now?
07:56:15dsnrk:_ingsoc: I'm so battered I don't even know if that's satire or not
07:56:36gmaxwell:the authors are probably pissed that "shitcoin" was already taken.
07:56:49gmaxwell:well perhaps not, no one seems to have created a "pisscoin"
07:57:03_ingsoc:Pretty sure it's real. Why haven't you invested yet? :O
07:57:33dsnrk:...
07:58:19_ingsoc:dsnrk: Please tell me you've at least swarmed today (http://swarmcorp.com)?
07:58:27dsnrk:I don't even know what's going on here. is this a urine based altcoin?
07:59:08_ingsoc:I love how they say, if we raise 1k BTC, the majority will go to salaries - and this is probably legal.
07:59:47Dizzle__:Dizzle__ is now known as Dizzle
07:59:56dsnrk:look, sorry if you showed me that and told me it was satire I would have been 100% on board.
08:00:15Apocalyptic:dsnrk, do you really want to know ?
08:00:22dsnrk:I mean sweet, haha you've got people trading piss tokens
08:00:41dsnrk:_ingsoc: what the hell is bitcoin 2.0 technology?
08:00:43_ingsoc:I think I should start a project where I raise BTC that I can use to alert the authorities to these illegal security offerings.
08:00:55_ingsoc:I can carry a badge and everything.
08:01:36dsnrk:_ingsoc: alright. so I've read the Swarm page. can you explan it to me just a little bit?
08:01:45dsnrk:start with: what is it
08:01:49_ingsoc:dsnrk: I was hoping you could explain it to me.
08:02:06_ingsoc:I've already refinanced my house to invest, so I need to know what it is.
08:02:28dsnrk:multi faceted web 2.0 startup that's using the synergy of bitcoin to achieve massive profits
08:03:27dsnrk:from what I can tell it's a pretty website asking for 1000BTC to pay people to make something that might be interesting in the future but can't really be explained.
08:03:36_ingsoc:But the buzzwords and self portraits of the founders?
08:03:52_ingsoc:They don't look like people who would steal my money. Tell me I didn't make a mistake.
08:04:36dsnrk:so they're a company people are funding to make software to make altcoins.
08:04:40_ingsoc:Actually, they've drawn up plans for 21.5k BTC.
08:05:39dsnrk:excellent stuff. forrest is too poor to work on p2pool full time, yet people send millions of dollars to a group of people that can't explain their core product.
08:06:03_ingsoc:This is when you know dirty VC money is in town. :)
08:06:17dsnrk::C
08:06:45dsnrk:that's sort of awful really. these people could actually be doing something to help Bitcoin for real, and instead they're buying bees
08:08:09_ingsoc:Why would they help Bitcoin? Unless you have a reasonable amount of coin, there's very little incentive for people to support its dev.
08:08:12dsnrk:not real bees, they would produce honey and be treasured by Luke-Jr. a virtual bee-named platform that needs millions of dollars to be funded which might become useful in the future but probably not because they're in the money anyway.
08:08:38_ingsoc:People put their money toward things that can make them money in return.
08:08:44dsnrk:_ingsoc: I'm fairly poor in the Bitcoin scheme of things, but I happily donate to the projects I use.
08:09:25_ingsoc:Most people aren't like that.
08:09:32cbeams:dsnrk, _ingsoc: re: Swarm, here are the founders launching and explaining the product at the Central European Bitcoin Expo a few weeks ago. https://www.youtube.com/watch?v=gmVWW_7lCAQ
08:09:52_ingsoc:cbeams: Are any of the CEBE talks online?
08:09:57_ingsoc:Of other presentations.
08:10:12cbeams:Saw a couple elsewhere. Not sure if there's a central location, though.
08:10:22cbeams:it's not advertised on the CEBE site anyway.
08:10:49cbeams:it was all UStream; a couple quick searches came up empty. I finally found this one just by searching directly on youtube.
08:11:13_ingsoc:Darn, would love to listen to some of them.
08:11:18dsnrk:_ingsoc: I know, but I have developed open source projects before. it's a really nice feeling when you see that somebody supports your software. I've donated to bfgminer and p2pool and a few other projects in the past for that exact reason.
08:11:55dsnrk:even just a token amount does the trick of restoring morale.
08:12:33_ingsoc:I hear ya. It would be nice if people operated like that.
08:13:56gmaxwell:there should be some program that spys on your computer use and estimates your usage of various open source programs, and the lets you get monthly or annual reports, so you can use that information in what you decide to support.
08:14:15_ingsoc:Hah.
08:14:43_ingsoc:Bitcoin should have had a commons where x% goes to dev.
08:15:06dsnrk:gmaxwell: my use of mdp is going to be off the scale, might not work for everything.
08:15:12dsnrk:*mpd
14:04:47maaku:maaku is now known as Guest9755
14:30:16Guest9755:Guest9755 is now known as maaku
15:01:01dgenr8:gmaxwell: re voting, what other decentralized transfer ledger exists, aside from a blockchain?
15:01:19sipa:why do you need a decentralized transfer ledger for voting?
15:01:37sipa:there are dedicated protocols for multiparty secure voting
15:02:19dgenr8:sipa: got a reference?
15:08:34dgenr8:top 3 google results are chain-based. #4 is from 2009, looks interesting
15:10:49epscy:voting is pretty tricky, you could argue we struggle to meet all the requirements IRL
15:11:18epscy:without trying to do it in a decentralized way with anonymous participants
15:11:55Pan0ram1x:Pan0ram1x is now known as Guest60403
15:13:28dgenr8:when thinking about it I get stuck on the part where you need to be able to prove to yourself that your vote was counted, but retain the ability to confuse someone who thinks you sold them your vite
15:13:36dgenr8:vote
15:16:01Luke-Jr:I don't think a voting system should make fraud easy.
15:16:30Luke-Jr:or is the goal to simply stop it from happening?
15:17:34epscy:Luke-Jr: i think dgenr8 means that you need to be able to verify that someone didn't vote twice but make sure each vote is anonymous (to prevent coercion)
15:17:42sl01:dgenr8: watch this as a starting pt https://www.youtube.com/watch?v=ZDnShu5V99s
15:18:03sl01:it answers that specific question
15:19:06Luke-Jr:in any case, I don't think decentralised voting really has anything in common with Bitcoin or similar technolgies.
15:19:27Luke-Jr:except maybe attraction to anarchist nuts
15:22:53epscy:it's an interesting problem, but i can't see it being viable anytime soon, witness the controversy around electronic voting machines
15:23:37dgenr8:Luke-Jr: you're worried I will defraud the guy to whom I sold my vote? ;P
15:23:52epscy:that being said, in 2000 some florida voters struggled with punch card ballots...
15:26:33dgenr8:espcy: if there were a solution, it would get adopted in a grass-roots way in small elections at first. you know the drill
15:28:06Luke-Jr:dgenr8: yes
15:28:19Luke-Jr:if you're selling your vote, do it honestly :P
15:29:08dgenr8:Luke-Jr: how ironic, to find myself arguing the point that some people deserve to be defrauded
15:31:06dgenr8:with you specifically
15:31:07dgenr8:It makes the point well that we must seek fair, technical solutions
15:45:05killerstorm:killerstorm has left #bitcoin-wizards
15:48:19dgenr8:sl01: ah, the importance of enforced balloting secrecy
15:55:19jtimon:dgenr8 didn't read it yet, but this paper looks interesting (maybe not up to date?) https://uwspace.uwaterloo.ca/handle/10012/5992
16:09:41gmaxwell:[6~[6~[6~[6~08:01 < dgenr8> gmaxwell: re voting, what other decentralized transfer ledger exists, aside from a blockchain?
16:10:18gmaxwell:... a "transfer" ledger isn't what you want for voting. It's not related to any of the hard problems in voting.
16:11:53gmaxwell:Hard problems in voting include— giving keys to voters without someone being able to stuff the ballots (sybil resistance), preventing censorship of ballets, counting ballots without knowing whats in them (goes hand in hand with avoiding censorship), preventing voters from being able to sell their vote or be coerced.
16:35:44Pasha:Pasha is now known as Cory
16:58:15gwillen:Luke-Jr: so, the purpose of ballot secrecy is not to make it possible to defraud a vote-buyer, right
16:58:37gwillen:Luke-Jr: it's to ensure that the value of your vote to a third party -- to whom it is impossible to prove your vote -- is guaranteed to be zero, thus preventing the vote from being sold in the first place
16:59:12gwillen:(it's not even really that; I think it's more to prevent someone who has power over you from compelling your vote for free.)
17:14:32pigeons:suddenly everyone who voted for theunion is fired, and everyone who voted against the war disappeared
17:16:49sipa:...?
17:28:22pigeons:without ballot secrecy, and then next time suddenly everyone voted the way they were expected to
17:46:55Luke-Jr:gwillen: people will still buy votes with empty promises
17:47:08gwillen:that doesn't sound like my problem
17:47:20gwillen:that sounds like the problem of an idiot who would buy a vote on an empty promise
17:48:26Luke-Jr:well, the problem is that idiots are allowed to vote, yes
18:15:58gmaxwell:Ballot secrecy has a couple purposes.
18:20:51gmaxwell:It inhibits coercion ("I fire you unless you vote my way" or softer forms like social ostricism), it prevents a vote buyer from not getting ripped off, it reduces the effectiveness of vote censorship (harder to rig the election if you can't tell what ballots you're destroying). There are some second tier advantages, for example, if you can read the election in progress you can deploy crazy (e.g. unpermitted) stunts if they are ...
18:20:57gmaxwell:... necessary and sufficient to win.
18:23:05helo:discussion much appreciated
18:23:42gmaxwell:Some ways of achieving ballot secrecy satisify some of these and not others.
18:25:04gmaxwell:For example, encrypting your ballot with non-denyable encryption basically meets none of those except the last, if you consider the case where the attacker can apply pressure to you before the election. (e.g. "record the nonce you used when encrypting your ballot, or I fire you")
18:45:34tomaw:[Global Notice] Hi all. I'm going to reroute a hub and then restart a client server for a few updates. It'll be noisy but should be brief!
19:25:07jcluck:jcluck is now known as cluckj
19:37:03gmaxwell:I wonder what the implication would be of having each block include commitments to the observed times of the prior blocks (optionally 0 for blocks the miner didn't have what it believed to be a reliable observation)
19:38:35gwillen:of how many prior blocks?
19:39:25gwillen:it would be hard to distinguish lying from network latency
19:40:21gmaxwell:The notion there is that since future blocks time past ones, you can make estimates that are accurate so long as most of the blocks are not lying about the time.
19:41:21gmaxwell:e.g. timestamp the last 288 blocks, and for each of the blocks perform a median to get a consensus time for that block..
19:42:34gmaxwell:e.g. part of the problem with faster difficulty updates is that it increases sensitivty to bullshit in block timestamps.
21:20:45kanzure_:kanzure_ is now known as kanzure
21:27:58dsnrk:while off topic I think it's worth mentioning here just depending on the scale of the fallout. brainwallet.org has been using a bad RNG to make "random" private keys which it seems people have used to store a large amount of "cold storage" funds with, a user in the comments of reddit has posted that they have lost 35+ BTC to this.
21:28:37gmaxwell:I didn't know it had an rng?
21:28:43maaku:gmaxwell: math.random
21:28:49gmaxwell:waht!?!@$!(123
21:28:57dsnrk:on the front page there's a "random" button which appears to make a random private key. this uses math.random.
21:28:58maaku:when you click 'generate random address'
21:29:08gmaxwell:math.random is a 32bit lcg.
21:29:14dsnrk:yep.
21:29:21gmaxwell:I cannot believe that Joric didn't know this.
21:29:33maaku:can some unscrupulous person please shut this site down
21:30:10dsnrk:we can assume that all funds stored "cold" with brainwallet.org's random key are now stolen, and from a bit of searching around it seems that it's fairly widely used.
21:34:48dsnrk:the button was added on october 19th, 2013.
21:35:39jcorgan:somehow despite the warnings of smart people, dump people will continue to do dumb things
21:35:57gmaxwell:https://en.bitcoin.it/wiki/User:Gmaxwell/things_im_surprised_dont_exist < also a little offtopic, but some of you might have some things along these lines to contribute.
21:36:36dsnrk:>
21:36:36dsnrk:Dear lord, why the @#$@ are we still using IRC?
21:36:56jcorgan:?
21:37:21dsnrk:it's one of the comments from gmaxwell's page, butchered by me copying a linebreak
21:37:34gmaxwell:Checking my logs, Joric has been in #bitcoin on several occasions when I've specifically mentioned that math.random was insecure and can be trivially searched.
21:38:09dsnrk::C
21:38:22justanotheruser:gmaxwell: Encrypted, authenticated, reputable multiparty chat
21:38:26justanotheruser:Tox is 2/3
21:38:38jcorgan:i would assume at this point that this is intentional by Joric
21:38:41gmaxwell:If it's not 3/3 it's a liability.
21:38:48dsnrk:not stupidity then. that's a fairly horrible thing to be up against, given the popularity of brainwallet.org.
21:38:59gmaxwell:Now I'm seeing how any of those incidents align with the addition of the future and his question about faster EC pubkey generation.
21:39:05justanotheruser:Well it's auditable. I'm not sure what you mean by reputable
21:40:14gmaxwell:justanotheruser: when we have a conversation it shouldn't result in creating digital signatures where you (or someone who's later compromised your machine) can take the logs and prove to someone who wasn't in the conversation what was said— unless we specifically ask for it.
21:40:45gmaxwell:Without that property encryption can make you less secure, e.g. if your real risk was publication not evesdropping.
21:40:53gmaxwell:OTR achieves it for two person chat.
21:42:59justanotheruser:gmaxwell: yeah, hopefully OTR is a feature in the near future
21:46:12sipa:feature of what?
21:46:40justanotheruser:sipa: Tox
21:52:05mortale_:mortale_ is now known as mortale
21:52:16justanotheruser:my mistake, tox apparently already has perfect forward secrecy
21:52:56gmaxwell:perfect forward secrecy is no the same as being reputable.
21:53:00gmaxwell:s/no/not/
21:53:29justanotheruser:gmaxwell: I'm confused. Are you implying their cryptography may be inperfect? What is reputable?
21:54:04sipa:reputable or refutable?
21:54:32gmaxwell:The opposite of non-reputable.
21:55:06gmaxwell:justanotheruser: I explained the property above. The system shouldn't be constructed so that someone can log it and produce a transcript which would convince a third party that the transcript wasn't forged. Just about anything that uses a digital signature anywhere fails this criteria. PFS is orthorgonal.
21:56:11sipa:i think you mean refutable?
21:58:02gmaxwell:sipa: its a direct parallel to http://en.wikipedia.org/wiki/Non-repudiation I'm refering to the opposite property.
21:58:50sipa:i'm confused
21:59:01dsnrk:is it worth while to put a notice on the /topic of #bitcoin about the brainwallet thing?
21:59:15gmaxwell:dsnrk: yes.
21:59:24gmaxwell:dsnrk: give me suggested text.
22:00:03gmaxwell:hm. I really don't remember that random button being on brainwallet.org
22:00:17gmaxwell:does anyone have an old checkout or capture of the source code?
22:00:22dsnrk:it's been there for months
22:00:27gmaxwell:okay, I believe you then.
22:00:40dsnrk:front page, button next to "secret exponent"
22:00:54gmaxwell:I see it there, just don't recall seeing it before.
22:01:09gmaxwell:(and the git history could obviously have been forged)
22:01:21dsnrk:commit is from october 19, I have the repos locally for Justin.
22:02:13dsnrk:gmaxwell: https://web.archive.org/web/20131205042843/http://brainwallet.org/
22:05:25dsnrk:ADVISORY: All keys generated with brainwallet.org are to be considered compromised, see !brainwallet
22:05:30dsnrk:!brainwallet: The "random" button on brainwallet.org appears to create maliciously weak private keys which can be broken by a third party. Using the HTML source offline does not absolve this vulnerability. Any funds stored in these addresses have been stolen, or at at immediate risk of being stolen.
22:05:31gribble:Error: "brainwallet:" is not a valid command.
22:05:39dsnrk:* dsnrk pets gribble
22:08:41dsnrk:gmaxwell: good enough?
22:08:52maaku:maaku is now known as Guest79914
22:09:18gmaxwell:I dunno how to update gribble but I asked.
22:09:50dsnrk:!facts
22:09:50gribble:To see a nice sortable web view of all factoids, click here: http://gribble.dreamhosters.com/viewfactoids.php?db=%23bitcoin-wizards || To see a list of the most popular factoids, run !rank || To search factoids, run !factoids search
22:10:37dsnrk:serajewelks / iwilcox have added them mostly.
22:10:40justanotheruser:Can we have a memory hard PoW snark and PoS snark that explains why they don't work or are bad, links to the papers and says it's OT?
22:11:34justanotheruser:Regarding PoS, I wonder how much it would cost to buy private keys from used stake
22:11:48dsnrk:not much if people don't know what they can be used for.
22:11:57tacotime:probably equivalent to whatever the reward is for stake mining.
22:12:08dsnrk:bet I could talk somebody into selling me their coinbase private key from 2011.
22:12:25justanotheruser:tacotime: their reward is zero if they transferred the funds from that addr
22:12:34justanotheruser:s/from that addr/to another addr
22:12:35gmaxwell:justanotheruser: I'd assume ~0
22:12:45tacotime:heh
22:12:56gmaxwell:which is also consistent with tacotime's comment!
22:13:12dsnrk:sourceforge makes me cry.
22:13:12justanotheruser:gmaxwell: the reward for stake mining isn't 0?
22:13:19tacotime::P
22:13:28justanotheruser:Even though the value of the currency should be 0
22:13:31gmaxwell:it's zero once its already used.
22:13:45dsnrk:there's no reason any PoS currency should have value, but it does
22:13:48justanotheruser:ya, true
22:13:50gmaxwell:I assumed by used you mean old keys which are no longer in control of funds in the consensus network.
22:13:58justanotheruser:gmaxwell: I did
22:14:55dgenr8:gmaxwell: 1) I like your idea that treats node clock observations as a resource for doing useful things like average timestamps
22:14:57justanotheruser:I wonder how much old work would cost :P
22:15:09gmaxwell:yea, so I think the frictionless free market price for selfishly-honest (someone who won't do evil, but won't earn less income to prevent someone else from doing evil) participants should be 0.
22:16:55dsnrk:selfishly-honest is a good term for miners at the moment.
22:17:26dgenr8:gmaxwell: 2) That great Ben Adida video does make it pretty clear that a blockchain could contribute precious little to his example crypto voting scheme.
22:20:09dsnrk:http://0bin.net/paste/7PescMMgYddHILZw#G5ZU4M2wLZSZgRivo2TAgTg1ec8BquoGuWjz-y3bvRa
22:20:15gmaxwell:11:31 <@gmaxwell> I especially liked the day a couple months back where Joric was complaining about being out of money in here, and then the next message from him was him asking me in #bitcoin-dev about faster ECDSA pubkey generation code.
22:20:20gmaxwell:11:33 < Joric> well, now i got secp256 hehehe
22:20:32dsnrk:can anybody pick the back door in that code snippet?
22:20:37dsnrk:it's pretty sneaky.
22:21:05justanotheruser:dgenr8: what advantage does a blockchain have overhttps://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems
22:21:30gmaxwell:dsnrk: where is that from?
22:21:37dsnrk:brainwallet.org.
22:21:52dsnrk:that's part of the minified bitcoin-js lib, I'm checking now if it's from upstream
22:23:03dgenr8:justanotheruser: i got nothing. after you vote, no need to "transfer" anything ever again.
22:23:19gmaxwell:oh wow, it wasn't even directly using math.random() but it was doing it in an obfscuated way?
22:23:25dsnrk:yes
22:23:37dsnrk:on first glance it looks like crypto.random, but it's not
22:24:14sipa:i don't know JS>..
22:24:27justanotheruser:dgenr8: both are verifiable, both can be made anonymous, both are jammable and in both the user knows if they're being jammed, but in one you need to incentivize miners (pay)
22:24:49dsnrk:gmaxwell: wait. is my javascript totally useless or is that wrong? because that code is from upstream.
22:25:21dsnrk:I really hope I've read that wrong.
22:25:33dgenr8:The Ben Adida video linked by sl01 above describes a "mixnet" as part of voting. It begs one to wonder if such a thing could be implemented as a real open-source p2p project for mixing bitcoin
22:25:58justanotheruser:dgenr8: there are already methods of mixing bitcoins trustlessly
22:26:02justanotheruser:namely coinjoins
22:26:07dgenr8:a pretty extensive set of cross-node audits are described
22:27:05dsnrk:alright. so that dodgy looking code is served up by bitcoinjs.org.
22:27:31helo:hah
22:27:40dsnrk:it's either 1) not a backdoor and I'm a complete idiot 2) upstream is tainted too
22:27:44dgenr8:there is an onion structure a la tor
22:28:21tacotime:dgenr8, that seems to be the intentions of darkcoin
22:28:35tacotime:although perhaps we'll never know because they're refusing to foss it
22:29:01justanotheruser:tacotime: darkcoin has a broken incentive structure
22:29:03dgenr8:this would be a separate network, not a new chain
22:29:08tacotime:they also require mixing nodes to have 1000 coins, which is silly
22:29:11tacotime:justanotheruser, yeah
22:29:19jcorgan:dsnrk: or, Joric is aware of that and used it intentionally
22:30:11dsnrk:jcorgan: if it's part of bitcoinjs (it is, that's the only part in the minified code where crypto.random is used) then a lot more than brainwallet.org is affected.
22:32:12dsnrk:or we have the option that I'm an idiot and completely misreading it, in which case brainwallet.org is weak in some other way
22:34:54jcorgan:meh, i'm tired of giving the benefit of the doubt. anything internet-sourced is evil until proven otherwise :)
22:35:39dsnrk:for me at least the line with crypto.random doesn't execute at all. navigator.appVersion is "5 (Macintosh)", which isn't < 5. so for me I skip that whole round and move on to seeding just with Math.random.
22:37:21gmaxwell:dsnrk: the obvious thing to do is to make a demo version of the site which is completely identical excecpt math.random() is replaced with 0.
22:37:27gmaxwell:and then it will be really obvious what its doing.
22:38:22dsnrk:alright.
22:38:38Guest79914:Guest79914 is now known as maaku
22:39:13dsnrk:would be easier if it wasn't minified :|
22:39:55dsnrk:gmaxwell: confirmed. without Math.random all values are static.
22:40:15sipa:wait
22:40:27sipa:what does that imply?
22:40:42gmaxwell:dsnrk: the code you pastebinned was befuddling me because it appears to be missing characters.
22:41:02gmaxwell:e.g. no ; at the end of the for line
22:41:17dsnrk:yes, that's a side effect of the deminifier I used I suspect
22:41:20gmaxwell:and I don't think "new Array," is valid JS, but I'm not a JS expert.
22:41:36gmaxwell:but the test you did that I suggested was definitive.
22:42:30dsnrk:it's possible I broke it in other ways, I wouldn't call it definitive unless somebody can verify it.
22:42:47gmaxwell:well you should be able to remove the math.random in the minified code, no?
22:43:00dsnrk:yes
22:45:07dsnrk:but still, holding off until somebody else can verify would be ideal.
22:49:12dsnrk:ah I see, so clicking the "random" button uses genRandom() in brainwallet.js, but the starting values of the fields are generated using secureRandom() from bitcoinjs. the one from brainwallet.org is actually the secure one, the one from bitcoinjs is not.
22:49:25gmaxwell:dsnrk: http://0bin.net/paste/5sfCTYq4rSkMN9wh#Y-w9R28MAb9M3lxptRs9Fs6nD6ko/HJxMXOfNtQfpwg
22:49:46gmaxwell:I apply that patch, and I get all zeros.
22:50:01gmaxwell:can someone else inspect my patch and confirm that I didn't do anything obviously stupid?
22:51:08gmaxwell:I think it was the first line changed that made it misbehave, not the second.
22:54:22dsnrk:gmaxwell: that's a different result to me, I got a static but unchanging value
22:54:25dsnrk:not all zeroz.
22:57:05gmaxwell:dsnrk: I replaced Math.floor(Math.random()*256) with Math.floor(0)
22:57:50gmaxwell:and the 'secret exponent' becomes 0000000000000000000000000000000000000000000000000000000000000000
22:58:25dsnrk:alright, I can confirm. I was being stupid.
23:01:18dsnrk:http://188.226.199.217:8000/ < with the replaced code
23:02:37gmaxwell:yep. anyone here on something different than whatever dsnrk and I are running (I'm using firefox nightly on linux)
23:02:41gmaxwell:?
23:04:19dsnrk:safari on OSX, firefox aurora both return all zeros. booting up windows XP.
23:05:06justanotheruser:chromium on debian: 0000000000000000000000000000000000000000000000000000000000000000
23:05:19dsnrk:google chrome latest, all zeros
23:06:00dsnrk:ie8, all zeros
23:06:19gmaxwell:great. okay. not platform specific then, justanotheruser thanks.
23:07:23justanotheruser:but what about solaris :O
23:07:23[nsh]:what's being investigated here? some javascript crypto?
23:07:30dsnrk:brainwallet.org.
23:07:39[nsh]:ah
23:07:52dsnrk:lots of people used a nasty website with a bad past to make "offline" storage. turns out the RNG sucks.
23:07:55tacotime:apparently it's causing some misadventures in finance today http://www.reddit.com/r/Bitcoin/comments/295las/35_of_my_btc_gone_pc_not_compromised/
23:08:28justanotheruser:At least they aren't blaming bitcoin: "Edit: I was an idiot and assumed that the "random" button on brainwallet.org was truly random, but it clearly is not. My coins were taken by someone who is clearly smarter than myself and this is completely my fault by creating Bitcoin addresses on a website that I assumed was safe. There's a $20k life lesson that I'll never forget, that's for sure. Also, to elaborate, I did not use the p
23:08:47dsnrk:justanotheruser: the theif returned the funds lower down in the thread.
23:09:46dsnrk:http://www.reddit.com/r/Bitcoin/comments/295las/35_of_my_btc_gone_pc_not_compromised/cihvzeq
23:10:33justanotheruser:neato
23:10:44dsnrk:given how willing they are to do that, it's pretty reasonable to assume a lot more people were stolen from.
23:10:58[nsh]:* [nsh] reads thread
23:12:38[nsh]:how were the random addresses recreated/determined by the attacker?
23:12:43[nsh]:or is that not clear yet?
23:12:47cracksmurf:cracksmurf is now known as paavo
23:13:13sipa:by figuring out how the browser's math.random works, and trying all its potential states?
23:13:17dsnrk:math.random isn't a secure RNG
23:13:23[nsh]:seems so
23:13:45[nsh]:i wonder how many other people are similarly exposed (or how many bitcoins)
23:13:53dsnrk:hard to know.
23:14:05[nsh]:i guess it resolves itself eventually through malicious education
23:14:05dsnrk:only way of finding out is people self reporting
23:14:26dsnrk:it's also one of those things where people won't check for a few years, then go to get their millions out only to find an empty key.
23:14:36[nsh]:in an ideal world the education would be mischievous rather than malicious (as in this thread)
23:14:59[nsh]:but we don't live in an ideal world, and i have come to terms with the ecological advantage of lessons being learnt the yoinky way
23:15:36dsnrk:if they found 35 different "random" keys, it's pretty easy to assume they have enumerated the whole space
23:22:38gmaxwell:sipa: in firefox at least math.random() is a 32-bit LCG, I'm reasonable sure its the same in IE and expect it to be the case in chrome too.
23:23:48maaku:gmaxwell: any chance you could get that fixed?
23:24:21dsnrk:what needs to be fixed? there's already a CSRNG, it's even in the bitcoinjs code. it just never runs.
23:25:06maaku:dsnrk: talking about firefox (gmaxwell works at mozilla)
23:25:26maaku:stop other people from shooting themselves in the foot too badly
23:25:50dsnrk:I know, but there's no reason for Math.random to be a CSRNG. that's what window.crypto is for.
23:25:56gmaxwell:maaku: anything reasonably secure would probably be noticably slower.
23:26:08gmaxwell:So I expect that would be the counter argument.
23:26:52maaku:rhm imho cryptographically secure or true rng should be the default math.random (standards be damned). you should be calling obscure apis to get a faster, less secure rng, not the other way around
23:27:22maaku:i wouldn't expect google or msft to agree with such an argument however
23:28:08dsnrk:I think it's best to just say that math.random is not secure, crypto.getrandombytes is. avoids the situation where some browsers are less secure than others.
23:28:49maaku:dsnrk: oh i agree, but that doesn't stop one browser vendor from actually making math.random secure under the hood
23:28:59gmaxwell:Even if you buy that going forward (rust's default rng is cryptographic one, though not perhaps as strong as you might like) the web already exists, so it might not be welcome to swap out math.random on things.
23:30:25dsnrk:bitcoin.org lists an awful lot of projects which use their library.
23:31:07dsnrk:isn't bc.i based on it?
23:31:11maaku:btw on the topics of utxo commitments ... i gave up trying to come up with cases where patricia tree level compression causes problems
23:31:13gmaxwell:dsnrk: did you also observe that it was the first line that breaks brainwallet?
23:31:29gmaxwell:maaku: go and implement it and see where it fails?
23:31:40maaku:yeah, probably
23:31:43dsnrk:gmaxwell: this one?
23:31:46dsnrk:if (navigator.appName == "Netscape" && navigator.appVersion < "5" && window.crypto) {
23:32:21maaku:i'm rewriting the bip and such to use level compression only, and i'm going to add a note to the message to the mailing list about the issue, in case someone wants to poke around
23:32:36gmaxwell:dsnrk: no, in the minified js code math.random() is called at two places, I believe it was the first and only the first that needed to be changed to break brainwallet.
23:32:47maaku:alas my irc client doesn't save logs from way back when we discussed this, many moons ago
23:33:38dsnrk:gmaxwell: wonder if anybody ever looked at this.
23:34:42gmaxwell:I did, before it had the random button, and I complained that there was math.random in the codebase at all.
23:35:06dsnrk:gmaxwell: hope coinpunk doesn't use this function. https://github.com/kyledrake/coinpunk-bitcoinjs/blob/master/src/crypto-js/crypto.js#L11
23:36:36gmaxwell:dsnrk: https://github.com/cantonbecker/bitcoinpaperwallet/blob/master/generate-wallet.html
23:37:32dsnrk:that one isn't as bad, but still fails if window.Uint8Array isn't around.
23:37:56dsnrk:oh we are so fucked :C
23:38:11gmaxwell:dsnrk: it has the same doesn't-even-test randomBytes function
23:38:51dsnrk:alright. so where do we go from here?
23:39:16gmaxwell:I mean we were already telling people not to use these things, we already knew they were insecure due to a multitude of reasons.
23:39:29dsnrk:at this point I assume a large portion of bitcoin is stored in keys generated using these weak functions. is that pretty much the size of it?
23:40:19maaku:dsnrk: probably
23:40:31[nsh]:what is it that brainwallet.org offered this unlucky->lucky user that they couldn't have done with the bitcoin client or something else secure?
23:40:45sipa:[nsh]: the bitcoin client doesn't run in a browser
23:40:50dsnrk:people thought they could download brainwallet.org's source and use it "offline"
23:41:14[nsh]:* [nsh] frowns
23:41:30dsnrk:which you know is worth shit anyway if the RNG isn't safe.
23:41:38maaku:[nsh]: that would require running the bitcoin client
23:42:28gmaxwell:it's this Crypto-JS thing that is the complete fail one
23:43:23dsnrk:we should probably be working on making a list of affected parties and getting an advisory out.
23:43:33dsnrk:sort of no point being stealthy about it, it's being exploited in the wild.
23:43:57maaku:dsnrk: what can we do that we haven't already done?
23:44:21maaku:ok well we should get a list of other stuff besides brainwallet that is monumentally bad
23:44:41jcorgan:why isn't "WEB WALLETS ARE BAD" enough?
23:45:12sipa:jcorgan: because they're convenient
23:46:34dsnrk:maaku: this is sort of bigger than the /topic on the channel. anybody who has used these services in the past needs to be moving their funds to a secure wallet, if they have any left.
23:46:55dsnrk:it's not a matter of *if* the funds will be stolen anymore, it's *when*.
23:47:15[nsh]:have to take users as they come. remedial measures against avoidable stupidity are still a social good
23:47:52dsnrk:https://pay.reddit.com/r/Bitcoin/comments/2971e2/best_method_to_generate_a_new_address/cii1ryy
23:47:55dsnrk:ARRGH
23:48:01jcorgan:i hate to be so cynical but at this point it seems like just evolution in action
23:48:58[nsh]:yeah but cultural evolution does not require each individual to experience their own comeuppance. the 'progress' can be secured by many learning from one's mistake as well as by many each learning from their own mistakes
23:49:26[nsh]:in which case, utility is better served by exporting this one individual's lesson to as many people as possible with minimum overhead
23:49:29dsnrk:I'm with [nsh].
23:49:37jcorgan:of course, i am too
23:49:45dsnrk:we have communication tools, lets use them to the best we can.
23:50:05gmaxwell:I note joric hasn't joined IRC in a couple weeks as far as I can tell.
23:50:53dsnrk:annoyingly a hard person to dox because he chose a nick from Skyrim.
23:51:44jcorgan:is there any reason to think that our "communication tools" will be any better now than at any time in the past?
23:52:13dsnrk:yes, as it's being exploited in the wild.
23:52:29gmaxwell:jcorgan: I think more of the point is tha with someone having lost 35 btc while following what most of the idiots on reddit would consider best practices makes it a uniquely good time to be heard.
23:52:29jcorgan:sorry, i should shut up
23:53:41gmaxwell:We've all been telling people not to use these things for eons, but the fact of the matter is that bitcoin has grown oodles fold in the last year, most of the people who've come in are clueless and they outnumber the expirenced people. Joe average hears a chorous of voices telling him to use brainwallet, and well— it can't be that bad with the majority supporting it, can it?
23:55:32jcorgan:gmaxwell: you're right, of course, i'm just getting burnt out
23:55:40[nsh]:* [nsh] smiles
23:56:06[nsh]:misconceptions are like weeds. they'll just turn up and take over if you don't tend the garden regularly enough
23:56:26jcorgan:i'd like to think Joe Average is better than he aparently is, but keep getting proven wrong
23:57:12dsnrk:I know at least one person who used one of these online services to make an "offline" wallet. they're not really joe average either.