Topic: 0.13.0 Binary Safety Warning - page 2. (Read 2337 times)

legendary
Activity: 1596
Merit: 1005
August 18, 2016, 09:57:52 AM
#26
I am not sure why no one suggested this before, but maybe the best option is to forget about version 0.13 and not upgrade Bitcoin Core at all?
Wait for version 0.14 or something? Is this a feasible solution?
legendary
Activity: 2898
Merit: 1823
August 18, 2016, 09:50:34 AM
#25
Potential drama or is this something really serious? "State sponsored attacks" sounds really serious and I wish that someone who knows something posts what's really going on here.
legendary
Activity: 2296
Merit: 2262
BTC or BUST
August 18, 2016, 09:45:27 AM
#24
Maybe you should sticky this?
legendary
Activity: 2674
Merit: 2965
Terminated.
August 18, 2016, 03:23:02 AM
#23
Sounds like laying the groundwork for a disinfo campaign when Chinese miners fork to a larger max blocksize. Sowing the seeds now to favor an adversarial mindset when it comes to plans coming from China.
Stop trolling.

Nah, I’m probably just wishful thinking… More likely that “cobra” is just acting like a petty tyrant again, similar to the last time he showed up, wanting to edit satoshi’s whitepaper.
There's nothing tyrannical about this, nor about his suggestion to add an updated version of the whitepaper.

Also Lauda, you're the CEO of BTCE, aren't you?
I may or may not be. Please refrain from creating consecutive posts.

Can you explain this MITM attack more precisely? Are you saying that data will be forged for a long time? Would they need to attack both sender and receiver at the same time?
A simple Google search would give you the required information (changing data in between the two of them).

Is this attack going after transactions, or miners confirming transactions? And what kinds of alerts will be prompted if the binaries aren't correct?
No alert will be prompted, that's the problem.

Is the attacking of the binaries a new angle to take control of the network, or just an attempt to steal a bunch of coins and to discredit the security of a decentralized network? If this succeeded, we would have been in serious problems.
Generally, it is unfortunate that only a handful of people compile and build their own binaries (which is recommended).
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
August 18, 2016, 01:08:14 AM
#22
You should securely verify the signature and hashes before running any Bitcoin Core binaries.
So just checking the hash is insufficient?

There is a difference between checking the integrity and checking the authenticity of a downloaded file.

Checking the hashes (checksums) by only computing the hash using MD5, SHA or CRC will only let you verify the integrity of the downloaded file, and it is vulnerable to collision attacks.

That is why you should always check the signature of the file using GnuPG (GNU Privacy Guard). This way you make sure of both the authenticity (owner) and the integrity (content) of a downloaded file.
legendary
Activity: 3542
Merit: 1965
August 18, 2016, 12:49:55 AM
#21
Is the attacking of the binaries a new angle to take control of the network, or just an attempt to steal a bunch of coins and to discredit the security of a decentralized network? If this succeeded, we would have been in serious problems. Good work catching this early and sending out warning notices before it happened.
copper member
Activity: 2996
Merit: 2374
August 18, 2016, 12:04:30 AM
#20
I recommend taking this threat very seriously.

--snip--

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.
Based on the message on bitcoin.org, it looks like the Chinese government would be behind the attack; is this a correct assumption?

Is the motive behind the (anticipated) attack known?

How might this state sponsored agency attack the Bitcoin network? Why would they need to infect existing Bitcoin users to attack the network? I would assume that most state sponsored (hacking) agencies would have budgets exceeding that of the market cap of bitcoin, and as a result would be able to launch attacks against the network without the help of malware infected machines.

Market cap could exceed these budgets within a matter of hours if the price jumped to, say, $5000 a coin, and that's precisely what would happen if an attack like this occurred, because all of a sudden it would mean Bitcoin is very special, which we know it already is. Also don't forget that the amount of coins out there through exchange leverage means total coin numbers are in the 100s of millions.
The point is that the absolute upper bound of the range of the cost of equipment that secures Bitcoin would be its market cap (e.g. the value of all the miners and the full nodes). I would think that a state sponsored actor could simply buy up their own mining equipment and full nodes if they wished to attack the network.

I also do not think the value of bitcoin would increase if this kind of attack took place, I would think the price would dramatically fall, especially if any substantial number of users (especially large companies) were successfully attacked. 
legendary
Activity: 1358
Merit: 1000
August 18, 2016, 12:00:24 AM
#19
Can you explain this MITM attack more precisely? Are you saying that data will be forged for a long time? Would they need to attack both sender and receiver at the same time? Is this attack going after transactions, or miners confirming transactions? And what kinds of alerts will be prompted if the binaries aren't correct?
legendary
Activity: 1358
Merit: 1000
August 17, 2016, 11:38:00 PM
#18
I recommend taking this threat very seriously.

--snip--

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.
Based on the message on bitcoin.org, it looks like the Chinese government would be behind the attack; is this a correct assumption?

Is the motive behind the (anticipated) attack known?

How might this state sponsored agency attack the Bitcoin network? Why would they need to infect existing Bitcoin users to attack the network? I would assume that most state sponsored (hacking) agencies would have budgets exceeding that of the market cap of bitcoin, and as a result would be able to launch attacks against the network without the help of malware infected machines.

Market cap could exceed these budgets within a matter of hours if the price jumped to, say, $5000 a coin, and that's precisely what would happen if an attack like this occurred, because all of a sudden it would mean Bitcoin is very special, which we know it already is. Also don't forget that the amount of coins out there through exchange leverage means total coin numbers are in the 100s of millions.
copper member
Activity: 2996
Merit: 2374
August 17, 2016, 10:59:13 PM
#17
I recommend taking this threat very seriously.

--snip--

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.
Based on the message on bitcoin.org, it looks like the Chinese government would be behind the attack; is this a correct assumption?

Is the motive behind the (anticipated) attack known?

How might this state sponsored agency attack the Bitcoin network? Why would they need to infect existing Bitcoin users to attack the network? I would assume that most state sponsored (hacking) agencies would have budgets exceeding that of the market cap of bitcoin, and as a result would be able to launch attacks against the network without the help of malware infected machines.
member
Activity: 117
Merit: 10
August 17, 2016, 10:43:05 PM
#16
Sounds like laying the groundwork for a disinfo campaign when Chinese miners fork to a larger max blocksize. Sowing the seeds now to favor an adversarial mindset when it comes to plans coming from China.

Nah, I’m probably just wishful thinking… More likely that “cobra” is just acting like a petty tyrant again, similar to the last time he showed up, wanting to edit satoshi’s whitepaper.
administrator
Activity: 5222
Merit: 13032
August 17, 2016, 10:04:02 PM
#15

That guide for verifying Bitcoin Core is also available here: https://bitcointalksearch.org/topic/verifying-bitcoin-core-1588906 . I added a news entry pointing there as well.

I recommend taking this threat very seriously. It's possible that bitcoin.org has received bad info, or maybe the attackers will give up now that they've been outed, but it's better to assume that it is a real, serious threat.

And it's not just bitcoin.org that could be targeted. bitcointalk.org, /r/Bitcoin, individual Core devs, etc. could also be targeted. Triple-check everything. If any major sites get taken over, try to spread the word as quickly and widely as you can.

Of course, you should always be very careful and verify Bitcoin Core software (and other software!), but this is a reason to be especially careful.

So just checking the hash is insufficient?

You have to check the hash against some reference hash. The most secure way to make sure that the reference hash is reliable is to check that it's signed by someone you trust.
legendary
Activity: 883
Merit: 1005
August 17, 2016, 09:34:44 PM
#14

You should securely verify the signature and hashes before running any Bitcoin Core binaries.

So just checking the hash is insufficient?
legendary
Activity: 1806
Merit: 1164
August 17, 2016, 08:59:01 PM
#13
theymos on /r/bitcoin - https://www.reddit.com/r/Bitcoin/comments/4y8m76/0130_binary_safety_warning_bitcoinorg/d6m0z16

Quote
Here's a guide on verifying Bitcoin Core: https://www.reddit.com/r/Bitcoin/wiki/verifying_bitcoin_core

I've heard that almost nobody in the Chinese Bitcoin community verifies signatures. If anyone speaks Chinese, it'd be helpful to write a similar guide in Chinese and advertise this issue more.

Everyone should be on high alert when 0.13.0 is released. In fact, I recommend not even updating highly sensitive systems to 0.13.0 until at least 3-8 weeks after it's released.

I wouldn't blindly trust Linux package repositories. Oftentimes packages there are managed by relatively unknown volunteers, and there's not much oversight/checking.
legendary
Activity: 1512
Merit: 1012
August 17, 2016, 07:53:58 PM
#12
Saw the warning and came here to post, when I saw this thread. I am very concerned about this, and pretty curious about who's threatening Bitcoin binary distribution and what they have to win with this...
legendary
Activity: 3430
Merit: 3080
August 17, 2016, 06:53:40 PM
#11
By the way the above is written, it seems as though they may have an idea who will be leading these "state sponsored attacks".
They say they have a "reason to suspect"; do we know what that reason is?

The text is specific about "state-sponsored attacks", and implies knowledge about both the origin and target of the attack. Extraordinary claims (not saying the requisite extraordinary proof doesn't exist, but I would like to see that proof for myself nonetheless). RNG bugs in GPG don't tell that story (and what a curious bug: like the Bash bug from last year, it's been in Linux for decades. Revoke all the keys!!!)
legendary
Activity: 2674
Merit: 2965
Terminated.
August 17, 2016, 06:48:40 PM
#10
They say they have a "reason to suspect" do we know what that reason is?
From what I know so far, the person who applied the change to the website has not provided (at least not publicly) an explanation.

"State sponsored attacks"... From my understanding that would be implying that bitcoin.org has info that a government has the intention to maliciously attack bitcoin, or is funding hackers?
No. We are talking about stuff along the lines of MITM attacks; there are a number of different approaches that could be attempted here (someone mentioned SSL MITM with rogue certificates).
sr. member
Activity: 378
Merit: 250
August 17, 2016, 06:45:21 PM
#9
Quote
Summary

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.

Mitigation

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
Currently found on Bitcoin.org. There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?
By the way the above is written, it seems as though they may have an idea who will be leading these "state sponsored attacks".
They say they have a "reason to suspect"; do we know what that reason is?

"State sponsored attacks"... From my understanding that would be implying that bitcoin.org has info that a government has the intention to maliciously attack bitcoin, or is funding hackers?

After doing a little search, I can't find anything on what the "reason" is.
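The mitigation steps quoted from bitcoin.org above (pin the signing key by its fingerprint, verify the signature over the hash list, then compare the binaries against that list) and the integrity-versus-authenticity distinction drawn in post #22, carried through as an added example that is not code from the original thread or from the Bitcoin Core project. It assumes GnuPG's documented `--status-fd` VALIDSIG record and the `<hash>  <filename>` SHA256SUMS format; the `gpg` invocation in `verify_release` is for a real download directory and is not exercised by the test.

```python
import hashlib
import subprocess

# Fingerprint bitcoin.org published for the release-signing key (from the notice above).
EXPECTED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signed_by_pinned_key(status_output: str, expected: str = EXPECTED_FPR) -> bool:
    """Bind a good signature to the pinned key using gpg's machine-readable status
    lines (`gpg --status-fd 1 ...`). A good signature yields
    `[GNUPG:] VALIDSIG <signing-key fpr> ... <primary-key fpr>`. gpg's exit code
    alone only says that *some* key in the keyring signed; it does not say which."""
    want = expected.replace(" ", "").upper()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if want in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def parse_sha256sums(text: str) -> dict:
    """Parse SHA256SUMS lines `<64 hex>  <filename>` (a leading `*` marks binary mode)."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def check_files(sums_text: str, files: dict) -> dict:
    """Compare each downloaded file (name -> bytes) with the signed hash list.
    A file the list does not mention fails too: integrity means 'matches what
    the signer published', not 'matches some hash found next to the download'."""
    expected = parse_sha256sums(sums_text)
    return {name: expected.get(name) == sha256_hex(data) for name, data in files.items()}


def verify_release(sums_asc: str, files: dict) -> bool:
    """Full check on a real download (assumed gpg usage, not run by the test):
    gpg verifies the clearsigned SHA256SUMS.asc and writes the verified hash
    list to SHA256SUMS, which is then compared with the binaries."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--output", "SHA256SUMS", "--yes",
                           "--decrypt", sums_asc], capture_output=True, text=True)
    if proc.returncode != 0 or not signed_by_pinned_key(proc.stdout):
        return False
    with open("SHA256SUMS") as f:
        return all(check_files(f.read(), files).values())
```

Only a hash list that passed `signed_by_pinned_key` should ever be fed to `check_files`; a list that merely matches the binaries proves nothing if an attacker served both.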
legendary
Activity: 1638
Merit: 1010
August 17, 2016, 06:42:49 PM
#8
Quote
Summary

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.

Mitigation

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
Currently found on Bitcoin.org. There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?
By the way the above is written, it seems as though they may have an idea who will be leading these "state sponsored attacks".
They say they have a "reason to suspect"; do we know what that reason is?
legendary
Activity: 2674
Merit: 2965
Terminated.
August 17, 2016, 06:42:28 PM
#7
Because of this, should I not download the next version of qt until this problem is solved?
You shouldn't download the next version from the website until this resolves just to be sure. However, Bitcoin Core 0.13.0 is not ready yet (currently RC3).

Or should I download from github and compile it myself?
That's always the preferred option.