
Topic: Interview with johoe, the White Hat Hacker Who Returned 800+ Bitcoins. (Read 1164 times)

hero member
Activity: 1680
Merit: 505
I am surprised that he is as honest as he is. Most people that are running these kinds of programs are far from honest and are doing so in hopes of stealing other people's money (usually from stealing brainwallets)
hero member
Activity: 714
Merit: 503
bitcoin community is so lucky to have these good people

If it was a bad hacker, he would have pulled 800 bitcoins  Undecided
legendary
Activity: 2226
Merit: 1049
Hey, that's my article! Smiley Glad you guys liked it!!

Nice interview Jonathan Smiley
hero member
Activity: 907
Merit: 1003
Nice to see some good-intentioned people in the bitcoin space amongst all the scammers and thieves.

You wouldn't believe how many fraudulent emails i get trying to steal my btc. It makes me kind of sick.
sr. member
Activity: 252
Merit: 250
very nice !!

valley and very apena read
newbie
Activity: 20
Merit: 0
Quote
Hey, that's my article! Smiley Glad you guys liked it!!

I really liked it, I shared it with my Twitter followers as well. I'm glad he's on our fence  Grin

Mainstream media should report on bitcoin stories like this, don't you agree?

sr. member
Activity: 277
Merit: 250
Quote
Hey, that's my article! Smiley Glad you guys liked it!!
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
800 BTC ? damn.... getting more and more ... Shocked
newbie
Activity: 20
Merit: 0
Yeah it's a good read, what a story!  Smiley It's an impressive thing for a person to do!
legendary
Activity: 1512
Merit: 1012
newbie
Activity: 20
Merit: 0
I had to share this interview I just read on twitter!  Smiley

Quote
How did you initially discover the issue with the reused R values on Blockchain.info?

I have a script that I run regularly that scans for repeated R values. There has been another program producing them since September, so I got into the habit of watching that daily. The problem is not new for me. I have followed it since April 2013. The program I use is my own one, that I wrote in 2013.

What program was this, and how many bitcoins did you sweep out of those addresses?

The one in Summer 2013 was the Android bug. The buggy RNG [Random Number Generator]. I didn’t sweep much, a few mBTC. But others were doing it as well. That it was Android I only noticed when I searched for one of the broken addresses and found a post at bitcointalk. This was when I created the [bitcointalk] account. I told him that his program was buggy and asked him which [bitcoin client] he used.

Which wallet would you recommend for the average user of Bitcoin that combines security with ease of use?

For small amounts of money one can probably use everything that one finds convenient. I would suggest using some tools that use deterministic wallets, so that one doesn't have to worry so much about backups. Of course, if one uses a program on the desktop, one should set a wallet password and keep it clean from malware. For larger amounts that one doesn't need to access regularly, a paper wallet should be used, preferably with the key generated on an offline computer. I use my trezor for this, though.

What is your opinion on the security of Blockchain.info’s webwallet following these incidents?

The bug shows that there is a problem. The patch was changing security critical code and it should have been reviewed more thoroughly. It was just a missing variable initialisation. Careful inspection of the code should have revealed it. JavaScript is also not really meant to program security critical applications. For example, it has no type checking.

How did you verify that the addresses you swept were generated on Blockchain.info?

If an address was generated on Blockchain.info at that day it was produced by the random number generator, so it was in my list of random numbers. But I could also attack addresses from which money was spent on that day. In that case the signature contains one random number from my list. I actually didn’t check that I accidentally broke an address that wasn’t related to this problem. There is still some other tool producing the duplicated R values and I’m still wondering which.

But if it happened they should see the note that they should contact Blockchain support. So it is okay Smiley I’m thinking I found most of the money, but I know that 105.9 BTC were stolen already in the evening (probably by some lucky guy who accidentally created the same address).

Can you explain a bit more about this other program producing duplicated R values?

We are still wondering about it. It has a different pattern. It uses a random R value, but it uses it in one transaction for all inputs. amaclin analyzed some of the transactions and said that they spent to a BTC-e address, but we don't know much more. Since the program is usually not reusing keys often, there have not been so many broken keys and I think only very few swept accounts. I think I still have 0.9 BTC from one account. So if we ever find out [which program has the issue] I will offer it back.

https://www.cryptocoinsnews.com/interview-johoe-hacker-returned-800-bitcoins/

Best wishes,

Seven. 
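The interview describes a script that scans the chain for repeated R values and two distinct patterns: the same R coming out of a broken random number generator (the 2013 Android bug, the Blockchain.info patch), and a second tool that draws a fresh R but reuses it for every input of one transaction. The following Python is an added example written for this thread, not johoe's own script: it parses DER-encoded signatures as they appear in a scriptSig (including the trailing SIGHASH byte), groups them by R, and classifies each repeat. All transaction ids, public keys and R/S values are constructed for the example; the `txs` input layout is an assumption, since a real scanner would pull signatures from parsed transactions.

```python
"""Scanner for repeated ECDSA R values in Bitcoin-style signatures.

Added example (not johoe's script). It reports three situations from the
interview: one key signing twice with the same R (the private key is then
recoverable from the two signatures), different keys sharing one R (a
broken or repeated random number generator), and one R reused for every
input of a single transaction (the second, unidentified tool). All data
below is constructed for the example.
"""
from collections import defaultdict

# secp256k1 group order; a valid r or s must lie in [1, N-1]
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def der_encode_sig(r, s):
    """Encode (r, s) as DER SEQUENCE { INTEGER r, INTEGER s }.
    Used here only to build sample data; real signatures come from scriptSig."""
    def integer(n):
        body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 if high bit set
        return b"\x02" + bytes([len(body)]) + body
    content = integer(r) + integer(s)
    return b"\x30" + bytes([len(content)]) + content


def der_decode_sig(sig):
    """Parse a DER signature, tolerating Bitcoin's trailing SIGHASH byte."""
    if len(sig) >= 3 and sig[1] == len(sig) - 3:
        sig = sig[:-1]  # strip SIGHASH_ALL and friends
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    r, s = values
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s out of range")
    return r, s


def scan_reused_r(txs):
    """txs: iterable of {"txid": str, "inputs": [(pubkey_hex, der_sig), ...]}.
    Returns {r: finding} for every r that appears in more than one signature."""
    uses = defaultdict(list)  # r -> [(txid, input_index, pubkey)]
    for tx in txs:
        for idx, (pubkey, sig) in enumerate(tx["inputs"]):
            r, _ = der_decode_sig(sig)
            uses[r].append((tx["txid"], idx, pubkey))

    findings = {}
    for r, hits in uses.items():
        if len(hits) < 2:
            continue
        txids = [h[0] for h in hits]
        keys = [h[2] for h in hits]
        findings[r] = {
            "signatures": len(hits),
            "txids": sorted(set(txids)),
            # same key, same r, two signatures: private key recoverable
            "key_exposed": sorted({k for k in keys if keys.count(k) > 1}),
            # different keys drew the same r: shared broken RNG
            "cross_key": len(set(keys)) > 1,
            # one r for several inputs of one transaction
            "intra_tx": len(set(txids)) < len(txids),
        }
    return findings


# --- constructed sample data (not real chain data) -----------------------
R_UNIQUE, R_SAME_KEY, R_ONE_TX, R_TWO_WALLETS = (
    int(h * 32, 16) for h in ("1a", "2b", "3c", "4d"))
S = int("5e" * 32, 16)
KEY = {f"k{i}": "02" + f"{i:02x}" * 32 for i in range(1, 6)}  # fake compressed pubkeys

SAMPLE_TXS = [
    {"txid": "tx-a", "inputs": [(KEY["k1"], der_encode_sig(R_UNIQUE, S) + b"\x01")]},
    {"txid": "tx-b", "inputs": [(KEY["k1"], der_encode_sig(R_SAME_KEY, S))]},
    {"txid": "tx-c", "inputs": [(KEY["k1"], der_encode_sig(R_SAME_KEY, S) + b"\x01")]},
    {"txid": "tx-d", "inputs": [(KEY["k2"], der_encode_sig(R_ONE_TX, S)),
                                (KEY["k3"], der_encode_sig(R_ONE_TX, S))]},
    {"txid": "tx-e", "inputs": [(KEY["k4"], der_encode_sig(R_TWO_WALLETS, S))]},
    {"txid": "tx-f", "inputs": [(KEY["k5"], der_encode_sig(R_TWO_WALLETS, S))]},
]


def demo():
    """Run the scanner over the constructed transactions."""
    return scan_reused_r(SAMPLE_TXS)


if __name__ == "__main__":
    for r, finding in demo().items():
        print(f"r={r:064x} {finding}")
```

The "key_exposed" list is the urgent one for a wallet operator: those keys should be treated as compromised and their funds moved with a fresh key immediately. "cross_key" hits with no exposed key point at the generator itself (the interview's list of random numbers), and "intra_tx" hits match the second tool's fingerprint.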