
Topic: 0.13.0 Binary Safety Warning (Read 2337 times)

legendary
Activity: 2674
Merit: 2965
Terminated.
August 22, 2016, 10:13:22 AM
#46
Then the information isn't there. There should at least be an explanation of why the information isn't being disclosed, in case it's something private. Sorry for being so critical about this, but this is what I think.
I forgot to answer this post. This doesn't mean that they don't have a reasoning behind the warning, it just means that they don't want to disclose it with the public.

I guess I'll have to start hanging around on IRC.
It can end up being useful for you.

This really needs more visibility as 0.13.0 has been tagged. Verify your downloads or optimally build from source yourself!
legendary
Activity: 1512
Merit: 1012
August 19, 2016, 11:51:46 AM
#45
2 days later, 3 pages later and there is still no clue as to what this threat may be and how to cut this issue from the root up.
I guess the information is there, but it isn't public. I do recall reading on IRC that maxwell talked to cobra.

Then the information isn't there. There should at least be an explanation of why the information isn't being disclosed, in case it's something private. Sorry for being so critical about this, but this is what I think.

I guess I'll have to start hanging around on IRC.
legendary
Activity: 2674
Merit: 2965
Terminated.
August 19, 2016, 11:32:08 AM
#44
A Bitcoin-specific video tutorial on how to confirm the integrity and authenticity of binaries and then compile them into a working program for Windows would make me feel all warm and fuzzy inside.
That's a good suggestion. IMO it is generally better to have video walkthroughs than just written guides. This applies to both building Bitcoin from source and verifying the authenticity of the download. It would really be helpful if someone created one (I do wonder why nobody did do that so far?).

Bonus points if you can find a perky, enthusiastic middle-aged girl to do it :)
You're asking for too much.

Does the Bitcoin community have its own intelligence arm now? Do we have our own spies and informants? If so, that's really cool.
We do, the BSA - Bitcoin Security Agency. :D

2 days later, 3 pages later and there is still no clue as to what this threat may be and how to cut this issue from the root up.
I guess the information is there, but it isn't public. I do recall reading on IRC that maxwell talked to cobra.
legendary
Activity: 3430
Merit: 3080
August 19, 2016, 11:11:33 AM
#43
I took the short bus to school; you guys are asking a lot of me.
If you ask the community to jump through all these hoops every time they update, you're going to lose a lot of people.

A Bitcoin-specific video tutorial on how to confirm the integrity and authenticity of binaries and then compile them into a working program for Windows would be really nice.

Bonus points if you can find a perky, enthusiastic middle-aged girl to do it :)


A lot of people might lose some money if they don't practice this, though. I can understand it would be frustrating if you're not confident, but we were all ignorant about PGP once.

My strong advice to anyone: take control of your computer. Learn the fundamentals about hardware and software, learn about using a command prompt, learn basic HTML and CSS. All these kinds of basics (which children should all learn going into the 21st century) are the new basics; the old basics are beyond simple now, children can learn those just by watching others do it. Just as we're currently divided into computer users and neo-Ludd technophobes today, when those technophobes barely register in real life any more, the divide will be between hands-on computer people and people who demand that it "just works" (i.e. "please don't make me think too much"). PGP wouldn't seem so daunting to those with the hands-on approach.
legendary
Activity: 1512
Merit: 1012
August 19, 2016, 11:06:30 AM
#42
2 days later, 3 pages later and there is still no clue as to what this threat may be and how to cut this issue from the root up. Domain admin has probably seen these kinds of posts already, so I think it's imperative for him or someone more knowledgeable of this situation to give us a bit of update on why this warning was issued.
legendary
Activity: 883
Merit: 1005
August 19, 2016, 10:36:05 AM
#41
I took the short bus to school; you guys are asking a lot of me.
If you ask the community to jump through all these hoops every time they update, you're going to lose a lot of people.

A Bitcoin-specific video tutorial on how to confirm the integrity and authenticity of binaries and then compile them into a working program for Windows would make me feel all warm and fuzzy inside.

Bonus points if you can find a perky, enthusiastic middle-aged girl to do it :)


It would also be nice to know why the origin of this threat can't be revealed. Does the Bitcoin community have its own intelligence arm now? Do we have our own spies and informants? If so, that's really cool.
legendary
Activity: 2674
Merit: 2965
Terminated.
August 19, 2016, 03:46:57 AM
#40
https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md

it's all there... ready to go.
learn to use the tools that are given to you. gitian building is the second sexiest thing about bitcoin and anyone reading this thread should be thinking long and hard about taking control of your own bins.
That process needs to be more streamlined and a better guide needs to be made (one that is less complex). Keep in mind that it may very well be difficult for non-tech-savvy users to follow it. Additionally, errors/problems during the process are also not uncommon.

If the headlines in 6 months are "NSA attacks BTC, BTC wins, NSA cries" - then Moon, super confidence..
-snip-
If we do assume that this is the case, what makes you think that the NSA would admit this/leave traces of it? Additionally, what makes you think that the major media would run a story like this?

Bumping this up for visibility due to its importance. It's being pushed down by spam.
administrator
Activity: 5222
Merit: 13032
August 18, 2016, 12:16:14 PM
#39
I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?

There's no flaw in 0.13.0. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

Do we know whether Cobra was hacked or something?

Cobra signs all of his commits to bitcoin.org. Unless his PGP key and several of his accounts were compromised, he's the same person

@Theymos - Do you guys have a protocol in place in the event one of the bitcoin.org maintainers becomes compromised (not suggesting that happened here - just thinking hypothetically)?

Cobra has full control of the domain name. I'm the backup in case he gets hit by a bus or something. To my knowledge, there's no way to improve this "one person compromised -> domain compromised" situation without creating some sort of legal entity (and even then I'm not so sure).
hero member
Activity: 493
Merit: 518
August 18, 2016, 11:02:30 AM
#38
Do we know whether Cobra was hacked or something?  How can we be certain there is genuine concern about state-sponsored attacks and that yesterday's Cobra is the same a prior Cobras? 

@Theymos - Do you guys have a protocol in place in the event one of the bitcoin.org maintainers becomes compromised (not suggesting that happened here - just thinking hypothetically)?
legendary
Activity: 2296
Merit: 2262
BTC or BUST
August 18, 2016, 10:42:35 AM
#37
This is actually kinda cool and has the potential for a positive spin..

If it really comes down to it, NSA Vs. BTC, or China gov Vs. BTC, then WHEN (not if) BTC whoops their asses BTC will go to $10k for sure..

Just one more thing for BTC's resume, like a world champion UFC belt..

I say bring it on and let's get this long-proposed duel out of the way. Maybe the sooner the better..

If the headlines in 6 months are "NSA attacks BTC, BTC wins, NSA cries" - then Moon, super confidence..

People have been wondering and some unconfident about this possibility since the inception of crypto, if we can finally put it to bed and come out on top we will come out WAY on top..
legendary
Activity: 1610
Merit: 1000
Crackpot Idealist
August 18, 2016, 10:42:28 AM
#36
Is there no way of distributing a file more safely than uploading to bitcoin.org's server? for example, if the devs upload the file to Google Drive, wouldn't it be safer?

ffs people,

https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md

it's all there... ready to go.

learn to use the tools that are given to you. gitian building is the second sexiest thing about bitcoin and anyone reading this thread should be thinking long and hard about taking control of your own bins.
copper member
Activity: 1442
Merit: 529
August 18, 2016, 10:34:21 AM
#35
NSA has been hacked lately, but I guess this has not anything to do with it. I read on Hacker News that the hackers were asking 560 mln USD in bitcoin in order to give back the hacking tools of NSA. Is Electrum still safe, as that's the wallet I use? Or is it related to Bitcoin Core? Thanks in advance for clearing my doubts. I never used Bitcoin Core, but I want to know if my coins are at risk or not?
YIz
hero member
Activity: 686
Merit: 502
August 18, 2016, 10:32:23 AM
#34
for example, if the devs upload the file to Google Drive, wouldn't it be safer?
If we are talking about state-sponsored attacks, what makes you think that Google would be safer?

I assume they will have more trouble compromising it than bitcoin.org servers. I was just asking.
copper member
Activity: 2996
Merit: 2374
August 18, 2016, 10:31:17 AM
#33
Sounds like laying the groundwork for a disinfo campaign when Chinese miners fork to a larger max blocksize. Sowing the seeds now to favor an adversarial mindset when it comes to plans coming from China.
Stop trolling.
This is actually one of the first things that I thought of when I read the warning. I would say the above is likely the case until questions like these, and questions about how this information was obtained can be answered. As of now all we have to go on is the word of someone who has zero reason to be trusted, and has many reasons to be distrusted.

Most major bitcoin entities will most likely be using custom software that is built from scratch anyway, so verifying the signatures of the blockstream core devs is mostly a moot point.


I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?
If what is being described in the OP is true, then the attacker would simply wait for 0.14 to be released to infect their targets.

p.s. to my knowledge, since they are uploading the binaries on https://bitcoin.org, unless their SSL keys are compromised there is no way of messing with the uploaded files. right?
No. An attacker can use different https keys, and use other means to trick a user into thinking that the https keys are correct. Or, an attacker can potentially steal the https keys from bitcoin.org, which by design, must remain online at all times.

Is there no way of distributing a file more safely than uploading to bitcoin.org's server? for example, if the devs upload the file to Google Drive, wouldn't it be safer?
Google drive would not be safer.
legendary
Activity: 1204
Merit: 1028
August 18, 2016, 10:29:56 AM
#32
Soroscoin is finally here :p
Anyway, it's funny how /r/btc trolls always find a way to blame everything on blockstream. Those guys are real schizos.

I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?

just verify the file... you should be doing this since day 1.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
August 18, 2016, 10:25:07 AM
#31
It's time for users to learn about cryptographically signed keys and how to compare hashes.

P.S. Is this related to the NSA tool kit release?
legendary
Activity: 2674
Merit: 2965
Terminated.
August 18, 2016, 10:23:52 AM
#30
Maybe you should sticky this?
There's a stickied thread regarding verification in Beginners & Help. I'm not sure about making this one sticky as well. I guess putting it on temporarily wouldn't harm.

Potential drama or is this something really serious?
General rule: Better safe than sorry.

I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
This isn't a solution of any sort. You're mitigating the upgrade process; there's nothing that prevents this from happening from the next major release.

to my knowledge since they are uploading the binaries on https://bitcoin.org unless their ssl keys are not compromised there is no way of messing with the uploaded files. right?
That's a common misconception. SSL is secure if all of the 'pre-conditions' are set (e.g. server key is not stolen). Look up the term "dSniff" -  this was the first public implementation of MITM vs. SSL (IIRC).

for example, if the devs upload the file to Google Drive, wouldn't it be safer?
If we are talking about state-sponsored attacks, what makes you think that Google would be safer?
YIz
hero member
Activity: 686
Merit: 502
August 18, 2016, 10:15:10 AM
#29
Is there no way of distributing a file more safely than uploading to bitcoin.org's server? for example, if the devs upload the file to Google Drive, wouldn't it be safer?
legendary
Activity: 1638
Merit: 1163
Where is my ring of blades...
August 18, 2016, 10:13:37 AM
#28
I am not sure why no one suggested this before, but maybe the best option is to forget about 0.13 ver and don't upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?

first of all I think it is more of a drama than anything else and I wish they'd explained more about the situation already.

second of all, this risk is not a new thing (although the attack itself in a bigger size is new) and you should always check the signature of these sensitive files when your money is involved, regardless of the current situation.

p.s. to my knowledge, since they are uploading the binaries on https://bitcoin.org, unless their SSL keys are compromised there is no way of messing with the uploaded files. right?
edit: reading more about https and compromises I realize there are many other ways this can go down!
staff
Activity: 3458
Merit: 6793
Just writing some code
August 18, 2016, 10:07:39 AM
#27
If the binaries hosted on bitcoin.org are compromised or down, some of the developers host their own builds of the binaries. Since these are deterministically built, the hashes should all be the same. These hashes for all of the files are stored in the gitian.sigs repo and they are all signed with the PGP keys of all the signers. The organization of that signature repo is self explanatory.

I host my gitian build on my GitHub repo here: https://github.com/achow101/bitcoin/releases. IIRC Jonas Schnelli also hosts the binaries on his website, but I don't remember where they are.
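The post above (#27) describes the two checks that #31 and #32 are telling users to learn: compare the hash of what you downloaded against the signed hash list, and rely on the fact that deterministic (gitian) builds let several independent builders attest to the same hash. The script below is an added example, not Bitcoin Core's or bitcoin.org's own tooling, showing both checks in Python. The archive bytes, the release file name and the builder names are constructed for the demo, and the builder attestations are a plain dict rather than the actual gitian.sigs file layout. The PGP step is deliberately not simulated: run `gpg --verify` on the signed hash list first, against a key you have checked out of band, and only feed the list to `verify_download()` if that signature is good (the same hash check at the shell is `sha256sum -c SHA256SUMS` after the `gpg --verify`).

```python
"""Added example: check a release file against a SHA256SUMS list and
cross-check the hash that several independent deterministic builders
attest to. Not Bitcoin Core's or bitcoin.org's code; all inputs are
constructed. PGP verification of the hash list is done beforehand with
gpg and is not simulated here.
"""
import hashlib
import hmac
import os
import tempfile

# Hypothetical release file name and constructed stand-ins for its bytes.
ARCHIVE_NAME = "bitcoin-0.13.0-x86_64-linux-gnu.tar.gz"
GOOD_ARCHIVE = b"constructed release archive bytes\n"
TAMPERED_ARCHIVE = b"constructed release archive bytes, modified\n"

HEX_DIGITS = frozenset("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large archive is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum(1)-style 'HEX  name' lines into {name: hex digest}.

    Malformed lines raise ValueError instead of being skipped: a hash list
    that does not parse cleanly should not be trusted at all.
    """
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"bad SHA-256 digest on line {lineno}: {raw!r}")
        # sha256sum prefixes '*' to names hashed in binary mode; drop it.
        sums[name.lstrip("*")] = digest
    return sums


def verify_download(path, sha256sums_text):
    """True only if the file's SHA-256 matches its entry in the hash list.

    A file that is not listed is treated as failing: with nothing to compare
    against it is unverifiable, not "probably fine".
    """
    expected = parse_sha256sums(sha256sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def disagreeing_builders(builder_hashes, expected):
    """Gitian-style cross-check: with deterministic builds every independent
    builder should report the same hash. Return the builders whose attested
    hash differs from `expected`; a non-empty result means a non-reproducible
    build or a tampered artifact, and the release should not be trusted
    until that is explained."""
    return sorted(
        name for name, digest in builder_hashes.items()
        if not hmac.compare_digest(digest.lower(), expected.lower())
    )


def run_demo():
    """Verify a good and then a tampered copy of the archive against a
    constructed SHA256SUMS list, and cross-check three constructed builders,
    one of which ("mallory") attests to a different hash."""
    good_digest = hashlib.sha256(GOOD_ARCHIVE).hexdigest()
    sha256sums = f"{good_digest}  {ARCHIVE_NAME}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ARCHIVE_NAME)
        with open(path, "wb") as f:
            f.write(GOOD_ARCHIVE)
        good_ok = verify_download(path, sha256sums)
        # Same file name, different bytes: what a compromised server serves.
        with open(path, "wb") as f:
            f.write(TAMPERED_ARCHIVE)
        tampered_ok = verify_download(path, sha256sums)
    builders = {  # constructed attestations; upper-case hex must still match
        "alice": good_digest,
        "bob": good_digest.upper(),
        "mallory": hashlib.sha256(TAMPERED_ARCHIVE).hexdigest(),
    }
    return {
        "good_ok": good_ok,
        "tampered_ok": tampered_ok,
        "disagreeing_builders": disagreeing_builders(builders, good_digest),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. The hash list is parsed strictly and an unlisted file fails closed, because the point of the exercise is to refuse anything you cannot tie back to the signed list. And the builder cross-check is a separate function from the per-file check: a matching hash tells you the bytes are the ones the list names, while agreement among independent builders tells you those bytes are what the source actually produces, which is the property the gitian.sigs repository exists to demonstrate.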