Topic: A Mysterious Message Is Warning Bitcoiners About a 'State Sponsored' Attack

staff
Activity: 3458
Merit: 6793
Just writing some code
If you don't want this problem ... post binaries -executables !- on the main developer site : https://github.com/bitcoin/bitcoin/releases

I don't have a compiler to use a "source" code ...

The main site is actually https://bitcoincore.org/. The developers don't like having everything in the same place (i.e. github). It makes it a central point of failure and a huge target for attacks.
legendary
Activity: 3430
Merit: 3080

Uh-oh, it appears as if Motherboard/Vice are ripping off someone else's journalistic copy.
legendary
Activity: 1512
Merit: 1012
If you don't want this problem ... post binaries -executables !- on the main developer site : https://github.com/bitcoin/bitcoin/releases

I don't have a compiler to use a "source" code ...
legendary
Activity: 3906
Merit: 1373
What's another thread? There are warnings all over the world about how to handle your credit cards and online bank account. And Bitcoin is way more important.
legendary
Activity: 929
Merit: 1000
There's already a thread about this.

Lauda started one two days ago, and theymos stickied another thread explaining how to verify if downloaded binaries are legit. There's been no compromise to the Bitcoin Core binaries; it's a warning that hackers might try a man-in-the-middle attack when someone tries to download them via bitcoin.org.

https://bitcointalksearch.org/topic/0130-binary-safety-warning-1588866
legendary
Activity: 1512
Merit: 1012
There's already a thread about this.
legendary
Activity: 3906
Merit: 1373
A Mysterious Message Is Warning Bitcoiners About a 'State Sponsored' Attack





The next version of Bitcoin Core, one of the most popular bitcoin wallets in existence, might be replaced with a malicious version courtesy of government-backed hackers, a warning on Bitcoin.org, the site that hosts downloads for Core, states.

The message, posted on Wednesday, warns that the site could be compromised by "state sponsored attackers" so that anybody downloading an upcoming version of the Bitcoin Core wallet, which people use to store their bitcoin, will actually be given a hacked version of the software. In particular, the alert encourages Chinese bitcoin users and services to be vigilant "due to the origin of the attackers."

"In such a situation, not being careful before you download [the software] could cause you to lose all your coins," the alert on Bitcoin.org states. "This malicious software might also cause your computer to participate in attacks against the Bitcoin network."

If a government, or anybody else, were to compromise Bitcoin.org and disseminate a malicious copy of Bitcoin Core to enough people, it could be a crippling attack on bitcoin unlike any we've seen before, siphoning millions and millions of dollars out of the market. If the warning on Bitcoin.org is based on fact, it could be very serious.

Bitcoin.org is maintained as an open-source project, meaning that a slew of contributors can upload a page to the site, and it has a peer review system for posts. The contributor who uploaded the alert, "Cobra-Bitcoin," is understood to be in control of Bitcoin.org, Core developer Peter Todd told me in an encrypted message, and so they were able to bypass the peer review process for posts to the site.

Core developer Eric Lombrozo told The Register that "there's absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state sponsored attackers that we know of at this point."

However, it's worth noting that in order to serve someone a fake version of Bitcoin Core, an attacker only needs to compromise the Bitcoin.org site, or fake a cryptographic certificate that would allow them to intercept someone's encrypted HTTPS connection to Bitcoin.org and replace the real download with a hacked one without anybody noticing. This is known as a man-in-the-middle attack.

To mitigate the effects of a possible hack, the post on Bitcoin.org encourages users to verify that the Bitcoin Core version they download hasn't been tampered with by checking it against a cryptographic key that marks official software as being created by the team of legitimate Core developers.

"So long as you check signatures properly, even a state sponsored attacker would have a hard time compromising a [...] build of the Bitcoin Core software," Todd wrote me in a message.

Verifying software is a fairly standard security practice, and so suggesting that users take this precaution doesn't indicate any sort of malice on the part of Cobra-Bitcoin, unless their intent is simply to sow chaos and paranoia about the next Bitcoin Core release.


Read more at http://motherboard.vice.com/read/a-mysterious-message-is-warning-bitcoiners-about-a-state-sponsored-attack.


Read more at Bitcoin.org at https://bitcoin.org/en/alert/2016-08-17-binary-safety.


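The signature check that the quoted article and the Bitcoin.org alert recommend, as an added example that is not part of any post in this thread or of the Bitcoin Core project's own tooling. It assumes the release ships a clearsigned manifest of `<sha256>  <filename>` lines and that the release key is already in your keyring; `EXPECTED_FPR` is a placeholder for a fingerprint obtained from a channel other than the download site, and the function names are hypothetical.

```bash
# Added example: verify a release download against a clearsigned checksum manifest.
# Assumptions: manifest lines are "<sha256>  <filename>"; EXPECTED_FPR is a
# placeholder for the release key fingerprint obtained out of band.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_RELEASE_KEY_FINGERPRINT}"

# Step 1: check the signature and write ONLY the signed payload to $3.
# Text outside the signed region of a clearsigned file is not authenticated,
# so later steps must never read the raw .asc file.
extract_signed_manifest() {
    local manifest="$1" fpr="$2" out="$3" status
    status=$(gpg --batch --yes --status-fd 1 --output "$out" \
                 --decrypt "$manifest" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$fpr" '
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Step 2: compare the file's SHA-256 with the manifest entry for its basename.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
hash_matches_manifest() {
    local file="$1" manifest_text="$2" name want got
    name=$(basename "$file")
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$manifest_text")
    [ -n "$want" ] || return 2
    got=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Both steps together: signature first, then hash against the signed payload.
verify_release() {
    local file="$1" manifest="$2" payload rc
    payload=$(mktemp) || return 1
    extract_signed_manifest "$manifest" "$EXPECTED_FPR" "$payload" &&
        hash_matches_manifest "$file" "$payload"
    rc=$?
    rm -f "$payload"
    return "$rc"
}
```

A matching hash alone proves nothing if the manifest came over the same connection as the binary; the pinned fingerprint in step 1 is what defeats the man-in-the-middle case the article describes.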