Pages:
Author

Topic: [ANNOUNCE] Android key rotation - page 9. (Read 66313 times)

sr. member
Activity: 322
Merit: 250
August 11, 2013, 08:12:56 PM
#94
i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?
did you google the sending address?
newbie
Activity: 46
Merit: 0
August 11, 2013, 08:10:25 PM
#93
Regarding Electrum:

We need to look into this further but as far as I'm aware Electrum relies on python's random implementation which is usually the operating system's PRNG. This would make running Electrum on Android vulnerable to the same vectors as described in this post for other wallets.

Even If you created the seed on another platfrom it may be possible to reveal the ECDSA private key of one of the addresses by spending (signing) multiple times from one address on Android. The seed itself should be safe.

The userbase of Electrum on Android (SL4A) is small because of the cumbersome setup. Still, if you are a user and want to be safe don't spend from Android until further news are available and secure funds from addresses which you have spent from in Android and still have funds on.
legendary
Activity: 2618
Merit: 1007
August 11, 2013, 08:05:01 PM
#92
i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?
Most likely not, either someone wanted to give a present to you or something else happened. It is not very likely that you would get MORE funds through this issue! Wink
sr. member
Activity: 266
Merit: 250
August 11, 2013, 07:58:34 PM
#91
i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?
hero member
Activity: 826
Merit: 1000
°^°
August 11, 2013, 06:52:53 PM
#90
explains the price...
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
August 11, 2013, 06:22:06 PM
#89
Ive always thought computers could not generate random numbers.    I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didnt complain at the time
Nothing can generate a random number. Us included. Only pseudo-random.
So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of the decays before the other, what do you think accounts for that?
Ah, that's how Apple solved it?
Their phones have uranium in them Smiley
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
August 11, 2013, 05:48:08 PM
#88
So basically, Google pulled a Sony...




So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...
The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack.

With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner.

With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).

As I get my head wrapped around this, what comes to mind is after reading the above is that if a random number is picked from a finite set of 10K elements, e.g., a duplicate is more apt to appear then choosing a random number from a finite set of 10100,000 elements. Does this make sense?
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 11, 2013, 05:44:24 PM
#87
How "critical" is it? Has there been any successful attack using this weakness?

Sounds extremely critical, see links below.


done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? Smiley

This post is over one month old, while this one over half a year...
Watchfulness my ass Smiley
legendary
Activity: 1441
Merit: 1000
Live and enjoy experiments
August 11, 2013, 05:35:07 PM
#86
How "critical" is it? Has there been any successful attack using this weakness?
sr. member
Activity: 292
Merit: 250
August 11, 2013, 04:35:41 PM
#85
Mike Hearn, you are the man now dog!
sr. member
Activity: 406
Merit: 250
August 11, 2013, 04:32:09 PM
#84
Thank god I have an iPhone Smiley
As far as apple is concerned. Bitcoin wallets don't exist for iOS. Tongue Security through obscurity is good, I think.
hero member
Activity: 483
Merit: 551
August 11, 2013, 04:16:25 PM
#83
Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

At least its not running on Java, afaik. So it can't be affected by the same issues.
legendary
Activity: 1526
Merit: 1134
August 11, 2013, 04:09:19 PM
#82
Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.
sr. member
Activity: 350
Merit: 250
August 11, 2013, 04:09:07 PM
#81
Just wondering, would this affect Electrum as well?

I m asking as it uses Google Scripting Layer & Python for Android

http://electrum.org/android.html
The issue appears to be in the java implementation of secureRandom that Google uses.
sr. member
Activity: 393
Merit: 250
August 11, 2013, 04:02:35 PM
#80
Just wondering, would this affect Electrum as well?

I m asking as it uses Google Scripting Layer & Python for Android

http://electrum.org/android.html
sr. member
Activity: 441
Merit: 250
August 11, 2013, 03:43:36 PM
#79
2. It's an Android issue, not a Java issue.

Also, could we please get a link to the relevant Android bug tracker item?

It's a bit frustrating to piece together rumors in order to know what actually happened here.
hero member
Activity: 504
Merit: 500
August 11, 2013, 03:29:48 PM
#78
Nothing can generate a random number. Us included. Only pseudo-random.

That is an opinion...

Fact is... any number which is not sequential and read from a list, is random. Might not be "as random as you would like", but it is still random. Even pseudo-random selection is non-sequential and not read from a list. (Unless you start at the beginning, start at the same seed/list or the seed is the same seed/list as another seed. Which is the repeat of a list.)

But I digress...

The problem is that these devices and programs, made by programmers with little knowledge, failed to understand the devices they were working with. That is what happens when you just copy-n-paste code and don't actually KNOW what it is doing.

One year... This has been known about android since the first program "solitaire" which used random numbers to shuffle, released before the phone was even physically made, in the emulator.

Oh, and the comment about "Glad I have an i-phone"... LOL... Might want to look at all the exploits your phone has, before you open your mouth. You are worse-off than the android phone, because you are naive and oblivious to the reality of the flaws of the device in your hands. Yay, you don't have THIS FLAW... You have your own, and no-one is fixing shit for you, unless you pay them for the app to secure the flaws.
newbie
Activity: 55
Merit: 0
August 11, 2013, 03:25:36 PM
#77
Quote
If you are receiving miniscule amounts, then it doesn't matter. You can use common sense. The site isn't scam.
Ah thanks, I was hoping that, it also helps to confirm my limited understanding of this stuff.
hero member
Activity: 812
Merit: 1006
August 11, 2013, 03:21:53 PM
#76
I guess, or understand, that 'receive' addresses can be safely used more than once?
Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.
Oh bother. Thanks. In my case I have never used an android device for any Bitcoin stuff so I trust I am safe from the current non random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that  this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? or is it just  doing rather bad things?


If you are receiving miniscule amounts, then it doesn't matter. You can use common sense. The site isn't scam.
sr. member
Activity: 353
Merit: 250
BITCOIN
August 11, 2013, 03:21:17 PM
#75
totally agree  Smiley

Well what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually means hours to days waiting for confirmations.
I wouldn't mind actually waiting some time if that meant my transaction was free. I didn't want or plan to transfer these funds in the first place and I don't mind them being stuck for some time in limbo. Once the TX is out there, it would be hard to double spend it anyways.

I cant find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. it's a penny. Go sell something on PayPal and tell me about fees.
Schildbach allowed this (0 fees) too some time ago so I consider it a regression. If I use PayPal, I pay for a service that goes beyond simple money transfer (I get fraud protection etc.).

I second this. While mining with deepbit, their tx fees are not included. One payment sat for almost 4 days before being picked up by eligius pool. Just send the penny.
This is just stupidity on deepbit's end - they could always include their payouts for free in their own blocks and I suggested something like that (pools accepting each other's payouts for free) long time ago. Back then it was anyways easy to get anything transacted for free, so they never went forward with it. I don't want to pay a whole penny for a few bytes of storage that will be pruned away sooner or later anyways.

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.
The wallet used to have a setting that let me set fees to 0 on my own risk. This setting seems to be gone...
Anyways, fee handling and transaction priorization is a big mess in my opinion still in Bitcoin, especially in the reference client that everyone seems to use unreflected without even thinking about the settings.


About receiving coins at the same address:
In the end it means that you potentially loose privacy (e.g. the free bitcoins site could link your IP to your address, then you sell a obile phone on the web and let them pay to the same address - now the free bitcoin site can see that you received some more coins + the buyer of the phone sees that you probably used this site). Security wise it means that once you send something from your address, you expose the public key belonging to that address. In this case, the signature generated with it is weakening security - there is also the possibility of a breach of ECDSA keys in general. As long as nothing has been transfered off an address, it is as safe as possible from a current security standpoint.
Pages:
Jump to: