00:00:38dgenr8:KryptoKit has its own randomBytes function ... implemented with Math.random()
00:00:49dsnrk:yes, I know.
00:01:09dsnrk:a month ago I made many attempts to contact them, couldn't get anybody to reply to me.
00:01:20grubles:what about bitaddress.org
00:01:45dsnrk:gmaxwell can attest to that, as can petertodd.
00:03:10pigeons:counterwallet.co, the wallet for counterparty switched a few months or so ago from bitcoinjs lib because after a signing issue was fixed, they found that something about the way they were using the lib made weaker keys than expected, even though it was kind of a usage error, there was no indication, so they switched to bitcoind for that
00:03:30dsnrk:dgenr8: I mean give it a shot, I tried my best to find somebody to fix it.
00:04:26gmaxwell:pigeons: in their case some older version of the underlaying lib would hash a stringified ["string"] a later version called with the same array input would has "Object" ... go go type safty failure.
00:07:50dsnrk:pigeons: keep in mind too that switching doesn't really help anybody unless they rotate their keys as well.
00:10:50gmaxwell:works especially well with all this address reuse ... even if you rotate off people may be 'refunding' you money to compromised keys.
00:13:30dsnrk:ah yes, blockchain.info uses cryptojs too
00:14:47gmaxwell:why are all these things using "Cryptojs" the bitcoinjs code has a window.crypto based rng (though in a try block to guarentee doom if something unexpected happens).
00:15:09pigeons:dsnrk: yes they had users generate new keys and sweep funds from the old ones
00:15:58dsnrk:gmaxwell: what does prefixing wind.crypto with an underscore do in javascript?
00:18:18dsnrk:I'm not even sure if that is used for anything actually.
00:18:21dsnrk:window 5
00:20:41gmaxwell:dsnrk: in isolation? nothing, _window doesn't eixst.
00:20:43gmaxwell:er exist
00:21:01gmaxwell:presumably they're doing something 'fancy' elsewhere.
00:21:13gmaxwell:(reasons you know none of this code has been audited)
00:21:47dsnrk:there's at least 2 different modified copies of that SecureRandom function in different files, both neutered
00:22:55gmaxwell:they do this elsewhere,
00:22:55gmaxwell:./bitcoinjs-lib/src/crypto-js/crypto.js: var _window = {};
00:22:55gmaxwell:./bitcoinjs-lib/src/crypto-js/crypto.js: var _window = window;
00:22:55gmaxwell:./bitcoinjs-lib/src/crypto-js/crypto.js:var Crypto = _window.Crypto = {};
00:22:59gmaxwell:which makes it work.
00:23:14dsnrk:... why
00:23:54dsnrk:the blame on that change says something about "fixing" IE support
00:24:17gmaxwell:the last time those lines were change it was in "Fix IE js error" ... but the change there was to just add some random ^M (0_o)
00:25:03dsnrk:what is "typeof Int32Array != 'undefined'" meant to be testing for?
00:25:14gmaxwell:Navigator 4 level JS, I believe.
00:25:57dsnrk:ah right, that's where they broke it by forking in webworkers which didn't have that
00:27:19gmaxwell:the _window stuff was added in a commit "Added SMS Notifications" 1bfc9813ba40b90609fb7726926fcdb2f66d691b Appears to be an intentionally hidden change or a mistaken commit, it has nothing to do with the rest of the commit.
00:30:48dsnrk:makes sense. I suppose they're not immediately vulnerable then. why that fallback even exists is beyond reason though.
00:31:25gmaxwell:I can't believe they didn't remove it after getting burned by it once.
00:32:37dsnrk:I'm sure their security officer will find it when he audits their code.
00:33:27dsnrk:as he says in one of his talks, the RNG is everything
00:39:45maaku:maaku is now known as Guest95144
01:29:24[\\\]:bit late, but chrome on win8.1 0000000000000000000000000000000000000000000000000000000000000000
01:33:54dsnrk:only one we have missed then is Opera really, and I doubt anybody really used that.
01:51:24Guest95144:Guest95144 is now known as maaku
03:33:02justanotheruser:dsnrk: 0000000 on seamonkey
03:34:14justanotheruser:let me download every dead/obscure browser and test it. brb
03:35:08dsnrk:I think the result is fairly clear, no *no* platform is the RNG anywhere near good enough for Bitcoin
03:37:54justanotheruser:dsnrk: Could you please explain how replacing Math.floor(Math.random()*256) with Math.floor(0) and the result being 0 implies it isn't a good RNG?
03:38:06justanotheruser:I mean, wouldn't the expected result be 0?
03:38:37dsnrk:it's meant to be using window.crypto as a CSRNG. it doesn't though, it's just using Math.random which is a PRNG.
03:39:04dsnrk:if it *was* using window.crypto as it is supposed to be, replacing math.random would have no effect.
03:39:38justanotheruser:dsnrk: Did the code imply it was using window.crypto?
03:40:14justanotheruser:ok, makes sense then
03:40:41dsnrk:the hacky change is just to prove it.
03:40:43justanotheruser:OT, but does window.crypto get random numbers from the OS?
03:41:32dsnrk:I think in browsers it's supposed to just be a pipe to /dev/urandom
03:42:02justanotheruser:ok thanks
05:29:46fanquake:fanquake has left #bitcoin-wizards
05:55:48roidster:roidster is now known as Guest11838
05:57:14Guest11838:Guest11838 is now known as zzyzx
06:20:24justanotheruser:justanotheruser is now known as Caled
06:20:50Caled:Caled is now known as justanotheruser
06:37:27OneFixt_:OneFixt_ is now known as OneFixt
07:22:12Pasha:Pasha is now known as Cory
15:40:04gmaxwell:oy, so after spending a non-totally-trivial amount of effort trying to get this working, I see they've updated the paper: http://www.cs.princeton.edu/~stevenag/bitcoin_threshold_signatures.pdf
15:57:07iddo:i argued with them about pros/cons versus multisig in the comments of https://freedom-to-tinker.com/blog/stevenag/new-research-better-wallet-security-for-bitcoin/
19:41:21HobGoblin:HobGoblin is now known as Guest29935
19:43:15paavo_:paavo_ is now known as paavo
20:00:51Guest29935:Guest29935 is now known as UukGoblin
21:31:48forrestv_:forrestv_ is now known as forrestv
22:15:35phantomcircuit:if somebody told you they had made a crypto break that made bitcoin mining more efficient, would anybody here believe them?
22:24:35GAit:not by default but i'd listen
22:27:10gavinandresen:phantomcircuit: I've heard that claim at least three times before. But if you're talking about making hardware ASICs marginally more efficient… meh. plausible, but not very interesting.
22:30:21GAit:gavinandresen: claim as in it was vaporware?
22:31:03phantomcircuit:gavinandresen, talking 10%+ more efficient
22:31:15GAit:i remember at some point someone was mining blocks with number of transaction => some power of 2
22:47:52andytoshi:eh, i'll bet a lot of people do that because they have broken merkle tree code. do it with powers of 3 and i'll believe it's the same person
22:55:58gmaxwell:GAit: those were KNC blocks, they were that way because of eloipool defaults to use power of two sized blocks. Eloipool has that option because before the second preimage vulnerability was fixed in bitcoin it was possible for an attacker to cause blocks of non-power of two sizes to get orphaned... and luke is too clever for his own good.
22:59:49GAit:i seem to remember some of Luke's patches around this
23:00:08gmaxwell:Unrelated. Electrum closed my "UI looks like you can only use 5 addresses" bug today as fixed.
23:12:43maaku:maaku is now known as Guest98607
23:27:46pigeons_:pigeons_ is now known as pigeons