00:18:27kanzure:StealthMonger is a rather curious critter:
00:19:19kanzure:"anonget facilitates browsing the Internet with strong anonymity via urlmixnym.net [1]. Given a list of URLs, anonget encrypts the list and a fresh random key and formats it for mailing by mixmaster [2] to urlmixnym.net through a chain of anonymizing remailers. The request contains nothing to identify you or your site, and the outgoing mail is indistinguishable from other remailer traffic that you may generate. ...
00:19:25kanzure:... urlmixnym.net then gets the requested information from the Internet, encrypts it to the fresh key, and broadcasts it worldwide on Usenet newsgroup alt.anonymous.messages. The fresh key (saved by anonget) is used to recognize and decrypt the reply. No one, not even the mixnym.net administrator, is able to link content being fetched with any particular user, or with other requests."
00:20:11op_mul:what is the point of that.
00:21:15kanzure:"Of course, you are taking a full feed of a.a.m at all times without interruption, separating wheat from chaff only after it's all behind closed doors. Otherwise, the world is informed about which articles you find interesting. Remember, long random latency is part of the price of anonymity. It can't be done with TOR or any other low-latency method."
00:32:11kanzure:"Organization: dizum.com - The Internet Problem Provider"
00:54:24kanzure:backwards compatible back to python1 https://github.com/mixminion/mixminion/blob/35b33d945afb89a0a7438219c2e89906e0191e61/lib/mixminion/Main.py
02:05:37kanzure:what happened to http://lists.zooko.com/mailman/listinfo/p2p-hackers
05:28:08op_mul:oh here's a new one. an altcoin which uses shitty "super secure hashing" for more than just the PoW.
05:30:13op_mul:"Coinshield has upgraded the private keys to a non prime based elliptical curve encryption of 571 bits. This was the largest algorithm that was available, and also not dependent on prime numbers. The reason for this is simple: Coinshield CPU Miners are searching for very large prime numbers, so if any 'discoveries' happen from such actions, it could compromise the whole private key system."
05:30:52op_mul:"The Unified Time System synchronizes your clocks worldwide from an initial time seed. This seed is then propagated through the network, and maintained. Once the seed is held in the network, it can be retrieved from any node making this a Decentralized, Trustless, Clock synchronization method."
05:31:27op_mul:I love how much effort these altcoin people pretend to be expending.
05:35:08gmaxwell:op_mul: go point out that 571 is a prime to them and try to get them to switch to a version that doesn't use a prime!
05:35:19gmaxwell:* gmaxwell will laugh his ass off if you are successful.
05:35:38sipa:sure it's 571 and not 521?
05:36:01gmaxwell:sipa: I assume it's over 2^571.
05:36:06sipa:ah, right
05:36:16sipa:the 521-bit one is still modulo a prime
05:36:43gmaxwell:If so it's essential that 571 is prime to the security. otherwise weil descent is possible.
05:37:20sipa:Also impressive that they use encryption!
05:37:23gmaxwell:(also halarious because characteristic-2 is more or less busted in general)
05:38:14gmaxwell:hilarious too
05:38:40sipa:i was wondering what it had to do with funny halal food
05:38:55kanzure:i was recently informed that andytoshi has like 500 minions and he needs tasks to assign to them
05:39:15kanzure:(cryptography tasks)
05:39:23sipa:i am unaware of said minions, but i'm sure he'd have tasks for them
05:39:38kanzure:i thought he had like <10 minions but nope
05:39:55op_mul:what type of minions?
05:41:13gmaxwell:Obviously the first thing to do with many minions is to set them in action fabricating more minions.
05:42:03sipa:hmmm... genetic algorithm?
05:42:10op_mul:mechanical tolerances mean you just wear out your minions making more minions that have increasingly sloppy attributes.
05:42:33op_mul:sure you might have millions of them, but with such low precision that they are useless for any given task.
05:43:05kanzure:he was seeking a set of samples of crypto mistakes (ideally, algebraic) to give them, and ideally bitcoin-related to catch their interest
05:43:24sipa:op_mul: i believe there was a book about the mythical minion month
05:43:33kanzure:anywho, i am entering sleepmode but will reply through lucid dream interface shortly
05:45:17gmaxwell:oh interesting.
05:46:48op_mul:you know an altcoin is going to be a good read when it's given objective is "51% attack proof".
05:48:51justanotheruser:op_mul: I disagree. It's always no reorgs or central authority.
05:49:10kanzure:by "good read" satoshi means "funny"
05:49:40justanotheruser:yes, but it isn't amusing anymore. it's always the same
05:50:31gmaxwell:well he'll be here in a couple hours. One thing I might suggest is that we've been thinking about having a contest for libsecp256k1 where the goal is to add a plausible bug which the tests pass. (blocking on me getting some of the remaining out of tree tests merged)
05:50:58op_mul:this one is sort of novel, it adds new ways of losing consensus by having nodes reject blocks which they see as "forked chain"s.
05:51:17justanotheruser:so no reorgs?
05:51:40gmaxwell:yea, no, fun would be implementing ECC involving no primes _at all_ so we could have fun implementing fun cryptographic attacks against it.
05:52:36op_mul:fun would be giving a bunch of wizards a black box STM32 device that signed messages using trezor-crypto and seeing who manages to get the private key out first.
05:53:02jcorgan:setting aside pump and dump, why are so many people so motivated to "fix" bitcoin?
05:53:58sipa:jcorgan: because people mistake difficulty of understanding for wrong
05:54:40sipa:tbh, i have no idea whether i'd even get into bitcoin, if i would discover it now
05:55:08sipa:the bar for entry seems much higher
05:55:37op_mul:jcorgan: excluding the pump and dumps, I think it's because a lot of these things sound simple until you actually look properly into how bitcoin works. told that a majority can alter history, most people will come back with "well fix that", without realising it's a core part of the design.
05:55:37jcorgan:i mean, you don't see thousands of variations on TCP/IP
05:56:03gwillen:jcorgan: thank god most people don't realize you can modify TCP
05:56:19gwillen:it basically relies on the fact that endpoints do not behave selfishly
05:56:28gwillen:if people realized they could modify their TCP to behave selfishly, it'd all be over
05:56:41op_mul:* op_mul sets their evil bit
05:56:47sipa:wait, what?
05:56:48gwillen:(this isn't exactly true but it's not exactly false either)
05:57:03gwillen:(you can already use UDP selfishly and mostly there's plenty of excess bandwidth so nobody dies)
05:57:09phantomcircuit:to be fair i doubt anybody actually implements tcp/ip only from RFCs
05:57:36gwillen:phantomcircuit: there is a series of semi-standards with various names on TCP tuning
05:57:41gwillen:phantomcircuit: I'm not sure if they are RFC-codified
05:57:53gwillen:but the People Who Do These Things sort of agree on how to do them
05:58:10gwillen:see http://en.wikipedia.org/wiki/TCP_congestion-avoidance_algorithm which lists a number of them
05:58:47gwillen:but in general TCP implementations are careful to cooperate with other TCP implementations, and there's no local downside to making your TCP not do that
05:59:09gwillen:but in general people who are in the position to write TCP implementations are writing them to be run on many thousands of computers so they're incentivized to make them cooperative
06:00:11sipa:also, i believe the purpose of TCP is cooperation (=communication)
06:00:18op_mul:I don't think any of these "fix bitcoin" altcoins are designed to do anything at all but look pretty for the pump. clearly evidenced by the fact that they are all based on ancient 0.6 bitcoin forks with piles of security issues.
06:00:20sipa:or am i missing something?
06:00:54sipa:op_mul: but missing the fundamental design flaw of 51% attacks is much more important than some stupid DoS attack fixes, right?
06:00:57phantomcircuit:gwillen, i know i was just trying to be clear that tcp is full of weird things like "stack x does y so we do y also"
06:01:07gmaxwell:sipa: you want to communicate with your far end, but other people on your ISP are competition.
06:01:15gwillen:phantomcircuit: oh I believe it
06:01:15sipa:oh, ok
06:01:23gwillen:yes, what gmaxwell said
06:01:37gwillen:or more generally other people sharing any pipe with you along the way
06:01:38gmaxwell:gwillen: there is some balancing, since people have been known to block various TCP unfriendly things in the past.
06:01:43gwillen:* gwillen nods
06:01:44op_mul:sipa: ah, but a trivial remote crash nobody backported the fix for isn't a 51% attack. you're trying to distract from the awesomeness of the coin.
06:02:18gmaxwell:(also highly concurrent TCP (parallel connections) is TCP unfriendly; so you don't necessarily have to change any stack code to be abusive to TCP)
06:02:45sipa:ooh, idea!
06:02:54sipa:we should make 8 connections to each peer in bitcoin
06:03:10sipa:and then shard the block transfers
06:03:17sipa:parallellism, bitches
06:03:32gmaxwell:octocoin. 8 blocks in a single turn of the round trip time.
06:03:42jcorgan:it's webscale
06:04:01sipa:is there a cloudcoin yet?
06:04:21op_mul:sipa: you're close to an altcoin in which every peer in the network connects to every other peer in the network.
06:05:00sipa:op_mul: sure, my single-node centralizedcoin accomplishes that
06:05:45gmaxwell:op_mul: https://bitcointalk.org/index.php?topic=657601.msg10262838#msg10262838
06:06:15op_mul:gmaxwell: <3
06:06:23gmaxwell:op_mul: I think an everyone-connects-to-everyone alternative transport would be pretty interesting for bitcoin; though careful thought needs to go into congestion management.
06:07:41op_mul:I suspect you would run into issues with home routers and that system, I know a lot turn into mush if you try to use bittorrent through them, and that's only maybe 100 connections at most.
06:08:11phantomcircuit:it's gonna be really funny when the constants for sha3 get changed and all their stuff is broken
06:08:56jcorgan:op_mul: yeah, some home routers have very small NAT tables
06:09:59phantomcircuit:jcorgan, which is 99% of the time just poor configuration
06:10:00op_mul:my router tells me I have 187 active connections.
06:11:04gmaxwell:op_mul: re: stm32 there was a mystery hunt puzzle (in 2012 I think?) where each team got a microcontroller that you had to talk to to solve a puzzle. I think every team tried timing attacking it right away.
06:12:22phantomcircuit:did it work?
06:13:52gmaxwell:phantomcircuit: not that I'm aware of. the initial steps were timing attack immune, the later parts were not but I don't think anyone tried twice.
06:14:05op_mul:gmaxwell: sadly from what I've read pretty much all the readout protection on the STM32 series is broken
06:18:51gmaxwell:op_mul: in any case what you want the dohicky to do is to sign a message... whatever is sent in, in order to prove it contains a private key of interest.
06:25:37op_mul:* op_mul sighs
06:25:46gwillen:gmaxwell: it was 2012, yeah. I am told it was not immune and that we could have attacked it successfully if we'd tried harder
06:25:55gwillen:gmaxwell: instead of, you know, trying to solve the puzzle, which is what we did instead
06:26:15gwillen:also, I hear it did not have the code protect bit set, although I find that bizarre and I hope whoever told me that was wrong
06:26:27op_mul:why is it even the people making hardware wallets don't understand EC sidechannels ;_;
06:29:03op_mul:that's not even quite the right term for it. but RFC6979 signatures can absolutely leak private information, as nobody but the signer is able to verify that RFC6979 is being followed at all.
06:29:31gmaxwell:op_mul: correct.
06:32:25gmaxwell:it's magical thinking, I guess.. just assuming attackers follow the rules too.
06:32:46gmaxwell:I guess I should publish a demo?
06:33:47op_mul:might be best not to publish actual source code, but I guess.
06:34:28gmaxwell:I've already done the no-sourcecode version.
06:34:47gmaxwell:(long enough now that my code is all rotten and won't apply to anything useful)
06:34:55jcorgan:it is indeed difficult. many engineers are so used to optimizing systems with passive entities that it becomes difficult to think about how active entities (agents with motivation) affect systems
06:36:51gmaxwell:see also thread on bct where people are babbling about adding 'hashes' to protect your local utxo set against an attacker who can freely modify your files on disk.
06:37:18op_mul:jcorgan: it's something you want to have already thought about if you are designing and selling a hardware wallet though. it's like the first thing I thought of when I was conceptualising a hardware MITM for the trezor.
06:38:09gmaxwell:I think some people just think that attackers are always the people from math word problems that seem to always have 27 melons and two trains approaching at 15 miles per hour, while one of their legs is tied to a pendulum.
06:38:27op_mul:the MITM intercepts the message to be signed and the master pubkey from the wire, does a timing attack on the signature to recover the privkey, uses the privkey + MPK to recover the master private key, then alters the return signature to leak the master private key.
06:40:26jcorgan:gmaxwell: your math word problem memories from your youth are rather different from mine :)
06:40:42op_mul:gmaxwell: I think the trezor in particular expects people to act in certain ways. when you use their web interface with the trezor, it asks you things like to check if the address displayed matches the one showed on the device. almost security theater, though I don't know if it is intentional or not.
06:41:25op_mul:(obviously if there was malware on the computer targeting the trezor it would be able to alter both instances of the address being changed, making the whole thing a totally pointless task)
06:42:07gmaxwell:well security is hard, and making an effort is usually a good thing to do.
06:43:36op_mul:you do risk burning users' goodwill though. for example the trezor's bootloader is burnt into the device. if the stack overflow bug hadn't been caught before they did a big production run, you'd have had piles of worthless trezors in people's hands.
06:45:09op_mul:hm, that bug might have been a firmware issue which would make my statement there incorrect.
06:46:39op_mul:yeah. the code execution bug was firmware not bootloader, I retract that.
06:46:52p15:how do you know your trezor hasn't been package intercepted and replaced with an evil trezor
06:47:02op_mul:oh you don't at all.
06:49:00p15:if trezor could sign multi sig transactions maybe it wouldn't matter so much since they'd need to get you two ways
06:49:29jcorgan:never trust silicon you didn't purify, etch, and package yourself :)
06:50:50op_mul:jcorgan: won't hold my breath for a local hackerspace with a 110nm fab.
06:52:18op_mul:gmaxwell: that UTXO thread is like, the least interesting thing someone could do if they compromised lots of miners.
07:30:15phantomcircuit:op_mul, i wonder what the most modern process you could do with raw silicon would be
07:33:07op_mul:phantomcircuit: dunno. they used to have trouble even on the huge process nodes to begin with. the yields were like. zero if I remember rightly.
07:36:22phantomcircuit:op_mul, i wonder if you could get equipment to do something like
07:36:32phantomcircuit:1000 nm process
07:36:46phantomcircuit:at some not insane price
07:37:10jcorgan:i'd guess that it would be more cost effective to 3D-print organic semiconductors
07:37:12op_mul:knowing old hardware like that you can probably get it on ebay mislabeled as a bench mixer.
07:40:51jcorgan:some random blog post from 2013: http://www.chipestimate.com/blogs/IPInsider/?p=1503
07:42:41phantomcircuit:mostly interested in whether you could strongly control the supply chain
08:06:26andytoshi:hi guys, i'm afraid my minions are actually undergraduate crypto students, there are only like 100 of them, and most of them likely can't code at all
08:06:46andytoshi:and they will need to be tricked, since they think i am their TA, not their master..
08:09:22andytoshi:i can assign them bitcoin stuff but it has to be related to the class .. unfortunately that excludes all consensus stuff as well as ECDSA (which is academically boring since it has no analytic results accessible to undergrads). also i can't assume they are good programmers
08:18:00op_mul:andytoshi: asking your students to reproduce might be a bit too far, too.
09:05:13weber.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
10:48:04op_mul:so ethereum is asking for people to find consensus bugs, and they'll pay a bounty. but only if you give up your real name and proof of identity.
10:49:41moa:ummm, because a real name is an important bug validation indicator?
10:50:37op_mul:* op_mul nods
10:52:34wumpus:hmm, not a good idea to put too much requirements on people submitting bugs
10:53:47moa:op_mul: i guess ethereum don't want satoshi debugging ...
10:55:30Luke-Jr:maybe the bounty amount has tax reporting obligations?
10:55:46cbeams:Luke-Jr: yes: https://bounty.ethdev.com/ search: "How are bounties paid out?"
10:56:19op_mul:Luke-Jr: seems funny for them to stop trying to get around the law at this stage of the game.
10:56:42moa:sounds suitably arcane for ethereum
12:14:57kanzure:op_mul: you don't need a 110nm fab. you can get very far with 50-100 micron resolution.
12:15:31kanzure:phantomcircuit: here are my notes on such a scheme http://diyhpl.us/wiki/homecmos
18:58:13phantomcircuit:op_mul, they should write the bug bounty program as an ethereum contract of course!
18:58:23phantomcircuit:oh right you cant do that
18:58:33phantomcircuit:kanzure, interesting
18:58:46pigeons:yeah at least they aren't paying out in ETH
18:59:25phantomcircuit:kanzure, "type words and put them here"
19:04:08kanzure:i think that's my job description, even
21:02:46instagibbs:oh hey they are paying out for solutions to "51% and other X% attacks." so if you guys have been holding out until now feel free
21:03:26op_mul:instagibbs: oh drat. I've got one sitting right here but they want a copy of my ID. oh well.
21:05:18kanzure:is that a part of their bug bounty program?
21:05:30kanzure:also, someone should suggest proof of work
21:05:35instagibbs:yes just search for that phrase
21:05:35instagibbs:i know
21:05:42instagibbs:i want to troll them on the PoS
21:05:48instagibbs:but I'd have to sign up...
21:05:59kanzure:since when is it okay to demand solutions. it's their cryptosystem, not mine. i just break things.
21:06:42kanzure:welp, at least there's an official statement on the matter though ("we know it's broken and we're actively soliciting solutions")
21:07:17instagibbs:ok didn't want to continue a jerk, just found that snippet funny heh
21:07:20op_mul:I thought vitalik fixed PoS?
21:07:41instagibbs:someone please send me solution to 51% attack I'll give you some NXT
21:08:09adam3us:op_mul: i think the fixes dont quite work.
21:08:19kanzure:adam3us: op_mul is joking
21:08:26instagibbs:adam3us: a bit of understatement ;D
21:08:42adam3us:instagibbs: ah failed irony detector :) ok
21:10:39instagibbs:Proof of Blockchain.info is how I phrase the solution after thinking about it like 10 minutes
21:25:09instagibbs:a little hard to care further when consensus failure is simply shrugged at by those dealing out bug bounties.
21:35:41op_mul:that is how they work though. if broken, add additional complexity to stop people bothering to break it again in the future.