The SHASUMS is not signed by Gavin's Code Signing key.
It is signed by Wladimir's key, which is itself signed by Gavin's key, but still, this freaked me out momentarily when I went to verify it.
For those needing to verify the downloaded files, it would be done like this:
gpg --recv-keys 2346C9A6
gpg --list-sigs 2346C9A6
If you already have Gavin's CODE SIGNING KEY on your keyring, the output of the second command above should include something like:
sig 1FC730C1 2011-12-15 Gavin Andresen (CODE SIGNING KEY)
Which means Wladimir's key should be trusted.
Another question, however, is: did anyone ever verify the PGP fingerprints of Gavin, Wladimir or other devs in person? When doing some reading on GPG, I see this is something that's recommended in order to establish trust; calling someone and having them read their fingerprint out loud, if you already know them personally, could also be an option.
As Bitcoin is some very serious stuff, I can at least see persons responsible for larger amounts of funds in bitcoins having the need to do fingerprint comparisons to ensure keys are correct. Or do people in general just accept that downloaded keys should automatically be trusted?
The way to get Bitcoin Core is to download it from
https://bitcoin.org/bin/0.9.3/, then run sha256sum on the binary you downloaded, and verify the output against the corresponding SHA256 hash in the SHA256SUMS.asc file. Then this file itself has to be verified to see if it turns out valid. And if you do not have Wladimir's key, it needs to be retrieved as I described earlier in this post (you could always look it up on a GPG key server).
To verify the file, run:
gpg --verify SHA256SUMS.asc
and you get something like this:
$ gpg --verify sig.asc
gpg: Signature made Mon 29 Sep 2014 04:44:14 PM CEST using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6
Now if you already trust Gavin's key, then all should be swell. However, what if you just got hired to be the financial manager at, say, Overstock.com, and you need to ensure that there's no friggin way that your 10 million dollars worth of BTC will be compromised in any way, be it by a malicious binary or otherwise?
Would it not be in the power of, let's say, the NSA or any other intel agency to conduct a MITM? I don't know all the details, but there have been incidents of SSL certificates being stolen so that an entity can claim to be somebody they're not and serve malicious data to the user. And as such certificates can be stolen, I would think they could have been obtained through other methods as well.
Bitcoin.org's security certificate says: "You are connected to bitcoin.org which is run by (Unknown), Verified by GeoTrust, Inc., which is a US company."
So let's say that your download from bitcoin.org is compromised by an intel org which manages to make the site seem like everything's fine by connecting you over https but conducting a MITM. So you receive a malicious binary. Most users will not verify their download, and happily run Bitcoin Core. There are no instructions for verifying the downloads on the download page at bitcoin.org afaik.
So all the users who downloaded without verifying are now compromised, and the malicious software could really do anything now, like stealing all the bitcoins, installing a keylogger on the user's machine, or transferring private files without the user knowing, etc. Most likely, bitcoins would not be stolen, as this would alert the user base about the issue quite quickly. The good thing is we have diversification in the bitcoin ecosystem, so not everyone is running the same software or downloading from the same place all the time.
But let's say the download was MITM attacked, and the user wants to verify the download. He could just get Wladimir's key off a PGP key server and be done with it, but how can he be sure that the key actually belongs to Wladimir? Could not this download of the public key also be compromised by a MITM attack? But wait, Gavin has signed that key. Let's get Gavin's key? So we download it, from the web somewhere or from a public key server, and we could still be MITM attacked.
So let's say you now have the binaries and the signature file, and you verify it against Wladimir's pubkey, which is signed by Gavin's pubkey, and you think everything's good. The fact is that you could be fooled at this point. Does anyone remember the BGP hijacking, where some clever hacker stole all the traffic for numerous miners, such that all the mined bitcoins would end up in his hands? He went off with 83K USD worth of bitcoins.
What if you're up against a more powerful entity that really knows how to do MITM attacks? How could you secure yourself? What if your friend went to a bitcoin conference, saw Gavin in person, and then checked the fingerprint of Gavin's CODE SIGNING KEY on his laptop and compared it to the actual fingerprint which Gavin could provide in person?
Then you would know that Gavin's CODE SIGNING KEY is legit, and by extension, if Gavin trusts Wladimir, then you should also trust Wladimir. However, Wladimir (no offence meant at all) could be associated with some intel org and could inject malicious code into the binary, which any dev with the right permissions could do, be it Gavin, Wladimir or anyone else that has the power to make a release of the Bitcoin Core software. So even if we have established that the fingerprints are correct, we would still need to trust the devs not to do anything nefarious.
The only other way to ensure we're 100% safe is to study the source code, and then for every successive release do a diff and check that nothing nefarious has snuck in. And then compile it ourselves, but then again, what guarantee is there that none of the libraries the code depends on, or the compiler itself, has been compromised?
The subject of Bitcoin security is quite complicated, but just imagine how much damage could be done by the right group of malicious hackers if they manage to MITM attack quite a few users: they could monitor the users' balances, and then at a given time issue commands, if not preprogrammed in the binary, to empty the wallets completely, or empty the wallet completely upon the user's next successful entry of the passphrase.
Who knows whether the NSA or any other intel org doesn't at this very moment have dedicated teams working on these scenarios.
Provided we do trust the developers, which I believe most do, we should also trust the software that they release, but how can we do that if we do not know with 100% accuracy that the PGP keys actually belong to who they're claimed to belong to?
Perhaps even more likely than the NSA scenario is one hacker or a group of hackers working in concert. For instance, if such a group has access to all the traffic that goes through an ISP, they could manipulate the traffic any way they'd like, and with a stolen SSL certificate for bitcoin.org they could redirect traffic and post malicious binaries for users to download, no? Of course, there are many hurdles to overcome, but there are some pretty advanced hackers out there that could pull off some serious tricks.
A market currently valued at approx. 5,000,000,000 USD is bound to attract some interest. I know the cap's just an imaginary number based on the number of bitcoins multiplied by the current price, but I digress.
But the final question would then be: how does a normal user ensure he's running Bitcoin Core safely, how does a small business ensure they do not get wiped out completely, and how will major companies deal with the risk when they go heavily into the Bitcoin market? I would think such companies would have dedicated security engineers for such purposes.
So, I'm just thinking ahead, and wondering when we will see the most sophisticated attacks against the bitcoin infrastructure. Another problem would be the bad publicity: newspapers and TV stations reporting about small businesses totally wiped out by the 'bitcoin hack', followed by very serious government types proclaiming that Bitcoins are inherently unsafe and it's best to deal with regulated currencies that are issued and controlled by the state.
I'm not going into conspiracy territory with this, but knowing how relaxed many people are in regards to security, I would think there will be at least a few disasters ahead of us. Could that be prevented, and what measures are in place to prevent this from happening?
An answer could be that anybody could read the code and the code for all included libraries, and then compile it themselves. But who could do that? Could even a group of 5 experts do this and really understand everything in a short period of time? Sure, the source code is available, but for the majority of people this is not something they'll ever concern themselves with.
If those running bitcoin.org read this, it would be very interesting to know the stats: how many people download the binaries, as opposed to downloading both the binaries and the checksum file? I would think many don't care about the verification.
Perhaps this was the wrong thread to ask these questions, but then the discussion could be branched out in a separate thread by a mod.
Also, I'm eternally thankful to everyone that works hard to make bitcoin exist, so this is in no way an attack on anyone; it's just an attempt at thinking about the different scenarios where users could be hurt, and wanting to learn others' opinions about this, as I know there are very many smart people in this community.
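The verification procedure described in the post (sha256sum against the hash lines in SHA256SUMS.asc, then gpg --verify), as an added example that is not part of the original post or of Bitcoin Core: it pins the fingerprint quoted in the gpg output above and accepts a signature only from that key, so the "not certified with a trusted signature" warning stops mattering and a key merely fetched from a keyserver is never trusted on its own. It assumes SHA256SUMS.asc is a clearsigned text file; the stand-in tarball bytes, file name and gpg status lines are constructed samples.

```python
import hashlib
import re
import subprocess

# Fingerprint quoted in the post's gpg output, pinned here so verification does not
# depend on whatever a keyserver or gpg's web of trust happens to say about the key.
EXPECTED_FPR = "71A3B16735405025D447E8F274810B012346C9A6"
HASH_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")

def parse_sha256sums(clearsigned_text):
    """Return {filename: sha256hex} from the hash lines inside a clearsigned SHA256SUMS.asc."""
    sums, in_body = {}, False
    for line in clearsigned_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        elif in_body and HASH_LINE.match(line.strip()):
            digest, name = HASH_LINE.match(line.strip()).groups()
            sums[name] = digest
    return sums

def download_matches(data, filename, sums):
    """The sha256sum step: the file must be listed and its digest must equal the listed one."""
    expected = sums.get(filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

def signature_is_trusted(status_lines, expected_fpr=EXPECTED_FPR):
    """Interpret 'gpg --status-fd 1 --verify' lines: a good signature made by the pinned key.
    TRUST_UNDEFINED (the post's warning) is ignored on purpose: trust comes from the pinned fingerprint."""
    fatal = ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG", "NO_PUBKEY")
    if any(l.startswith("[GNUPG:] " + k) for l in status_lines for k in fatal):
        return False
    good = any(l.startswith("[GNUPG:] GOODSIG ") for l in status_lines)
    fprs = [l.split()[2] for l in status_lines if l.startswith("[GNUPG:] VALIDSIG ")]
    return good and expected_fpr in fprs

def gpg_status(asc_path):
    """Run the post's gpg --verify with machine-readable status output (needs gpg installed)."""
    out = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path], capture_output=True, text=True)
    return [l for l in out.stdout.splitlines() if l.startswith("[GNUPG:]")]

# Constructed sample inputs (not real release data): a stand-in tarball, a SHA256SUMS.asc listing
# it, and gpg status lines mirroring the output quoted in the post (good sig, key not in trust db).
SAMPLE_BIN = b"constructed stand-in for bitcoin-0.9.3-linux.tar.gz\n"
SAMPLE_ASC = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
              f"{hashlib.sha256(SAMPLE_BIN).hexdigest()}  bitcoin-0.9.3-linux.tar.gz\n"
              "-----BEGIN PGP SIGNATURE-----\n(omitted in this constructed sample)\n-----END PGP SIGNATURE-----\n")
SAMPLE_STATUS = ["[GNUPG:] GOODSIG 74810B012346C9A6 Wladimir J. van der Laan",
                 f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2014-09-29 1411994654 0 4 0 1 10 00 {EXPECTED_FPR}",
                 "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
```

On a real download, call gpg_status("SHA256SUMS.asc") and feed its lines to signature_is_trusted before trusting any digest from parse_sha256sums.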