
Topic: Bitcoin cold storage - HACKED easily - page 10. (Read 12634 times)

legendary
Activity: 1512
Merit: 1012
January 16, 2015, 09:30:29 AM
#22
These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."

False, very false ... we have a revision display system to view only the added code (followed by the name of the author and reputation).
And even with this, contributions are not allowed "like easy added" on the bitcoin core.
qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
January 16, 2015, 09:30:14 AM
#21
what it seems that you do not understand or you do not want to say is that:
[...]
These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."
So, COLD Storage can be easily hacked. Smiley
You seem to have little to zero experience with large collaborative software projects.
The specific attack we're talking about would require changing the code of a subroutine that's probably not been touched for years, since it's basically part of the fundamental core of the system.
With version control systems, such things don't go unnoticed.

It's like waving a red flag with the words "hey, I'm going to do something incredibly stupid and/or important" and hoping no one will notice.
newbie
Activity: 4
Merit: 0
January 16, 2015, 09:29:28 AM
#20
What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?
legendary
Activity: 2170
Merit: 1427
January 16, 2015, 09:28:18 AM
#19
media do a horrible job on stories so if they get hold of this (when), price will dump

Nothing new...

If people read that article, and I mean READ that article, then it's more funny than being informative.

Average joe might think Bitcoin is hacked, broken, exploded, killed, etc. That's the sort of group of people who do believe these articles.

In a nutshell : Nothing is 100% safe.
newbie
Activity: 2
Merit: 0
January 16, 2015, 09:27:55 AM
#18
Misleading title this has always been known....cold storage is safe if you take the correct precautions.
hero member
Activity: 658
Merit: 500
January 16, 2015, 09:26:33 AM
#17
what it seems that you do not understand or you do not want to say is that:

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

in other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."


So, COLD Storage can be easily hacked. Smiley

That is true for any open source project, even the Linux kernel.
legendary
Activity: 1470
Merit: 1004
January 16, 2015, 09:23:56 AM
#16
what it seems that you do not understand or you do not want to say is that:

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

in other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."


So, COLD Storage can be easily hacked. Smiley
legendary
Activity: 1061
Merit: 1001
January 16, 2015, 09:12:11 AM
#15
media do a horrible job on stories so if they get hold of this (when), price will dump
legendary
Activity: 1512
Merit: 1012
January 16, 2015, 09:10:26 AM
#14
Quote
The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection',

do you realize what you say ... ?
you ONLY can do that when you install a corrupted version of bitcoin core highly modified with this.
even in P2P file sharing clients ... this sort of thing doesn't exist.


or for dumb people: DON'T DOWNLOAD the official client from other places than https://bitcoin.org/bin
hero member
Activity: 644
Merit: 500
January 16, 2015, 09:06:04 AM
#13
If cold storage is vulnerable, then it would stand to reason that every wallet is vulnerable?

But my reading of the coinbase article leads me to believe that the attacker would need to have installed a compromised version of Bitcoin on the airgapped machine? Or else the upstream version of Bitcoin would need to be compromised? Or Armory, Electrum, etc, whichever wallet software the user is using. Am I wrong?

So, yes, if malicious actors gain commit privileges on the Bitcoin source, then offline wallets are compromisable, as are every other wallet. And if a malicious actor gains access to your airgapped machine in order to replace your binaries, you're also vulnerable. That's my interpretation. Doesn't seem like it's too much a worry, honestly. I mean, if an attacker gains such access, then it's game over regardless of which method of attack they use.

Or am I missing something?
newbie
Activity: 14
Merit: 0
January 16, 2015, 08:51:25 AM
#12
Until we see this theorized exploit in action you have no reason to believe cold storage wasn't as safe as it was yesterday.
hero member
Activity: 1372
Merit: 783
better everyday ♥
January 16, 2015, 08:40:22 AM
#11
Read the article just now also.  This is in theory only, and hasn't actually been executed on any wallets.

The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.

Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.

According to the article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.

How do you know that it was not hacked?

Hacking reports are daily including with the exchangers.

What the article wants to say is that the cold storage is not safe at all.

Only reports of hacks are of the online, hot wallet variety.

Cold storage is perfectly safe if you take the proper precautions.  From the article:

Quote
Conventional wisdom has it that coins in cold storage are safe from attacks because the private keys never come in contact with the Internet or any other network.

In general, this is true. Even if the cold storage device could be compromised by malware, stolen private keys would fail to be transmitted to a thief because it isn't connected to the Internet.
legendary
Activity: 1470
Merit: 1004
January 16, 2015, 08:33:21 AM
#10
Read the article just now also.  This is in theory only, and hasn't actually been executed on any wallets.

The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.

Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.

According to the article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.

How do you know that it was not hacked?

Hacking reports are daily including with the exchangers.

What the article wants to say is that the cold storage is not safe at all.
legendary
Activity: 980
Merit: 1040
January 16, 2015, 08:33:17 AM
#9
Yeah, title is nonsensical and sensationalist. If you created the cold wallet on a compromised PC, of course it's not going to be secure and there are 100x easier ways to steal the coins from such a wallet.
hero member
Activity: 644
Merit: 500
My goal is becoming a billionaire.
January 16, 2015, 08:32:26 AM
#8

Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Are you a mind reader or something , haha.
I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway, to be honest, that really doesn't make me comfortable, those hackers always find a way to screw things up.

"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."

Sorry, I was faster. It happens to me so often(I am modest too)   haha

Well, of course it is not comfortable to know that your funds can disappear any time. You wanna bet that some people will say:

"neah, it cannot happen to me"  EVEN so there are many hacking reports daily.


Rofl Shocked I don't wanna bet because I just said the same thing to myself to be honest. I never got hacked in my life and planning to stay that way  Roll Eyes but everything has a first  Cry
hero member
Activity: 1372
Merit: 783
better everyday ♥
January 16, 2015, 08:30:54 AM
#7
Read the article just now also.  This is in theory only, and hasn't actually been executed on any wallets.

The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.

Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.

According to the article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.
legendary
Activity: 1176
Merit: 1011
January 16, 2015, 08:30:07 AM
#6
many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley
Complete nonsense. This requires a backdoor being built into the software you're using to sign your transactions. I.e. using a compromised wallet.

Well duh, if I'm using compromised wallet software, then obviously my coins aren't safe to begin with.

FUD.
qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
January 16, 2015, 08:27:31 AM
#5
TL;DR of the news:
if you're able to install software on someone else's computer or modify the code he compiles, you can steal his coins.
Duh.


You should read the news before you post something like:
Your funds are not safe neither in "cold storage". Read:
legendary
Activity: 1470
Merit: 1004
January 16, 2015, 08:26:55 AM
#4

Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Are you a mind reader or something , haha.
I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway, to be honest, that really doesn't make me comfortable, those hackers always find a way to screw things up.

"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."

Sorry, I was faster. It happens to me so often(I am modest too)   haha

Well, of course it is not comfortable to know that your funds can disappear any time. You wanna bet that some people will say:

"neah, it cannot happen to me"  EVEN so there are many hacking reports daily.
hero member
Activity: 882
Merit: 1006
January 16, 2015, 08:26:39 AM
#3
Old news. This attack (bugged ECDSA implementation) has been known about for a long long time, before Bitcoin even existed.

Quote
The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection', which was first described in a 1997 paper by Adam Young and Moti Yung.

One of the weaknesses of cold storage is if your cold storage machine is compromised, you're fucked and there is almost nothing you can do to prevent that. There are many many ways an attacker can exfiltrate the private keys from a compromised cold storage machine, including as used in this case a bugged ECDSA implementation.