Pages:
Author

Topic: Is StrongCoin's 'hybrid wallet' a lie? (Or rather, are ALL hybrid wallet a lie?) (Read 5823 times)

sr. member
Activity: 378
Merit: 250
Born to chew bubble gum and kick ass

The weak link is the browser.  You're being sent javascript and having the browser execute it - sight unseen.

Is biaddress.org service of generating keys and addresses safe then? You are using their java app that uses a browser, aren't you?
member
Activity: 77
Merit: 10
IMO this confirms again that shared wallet/third party services are insecure by nature and thus should be avoided, regardless of super strong passwords, encryption, 2 factor authorization, etc. etc. etc.

The weak link is the browser.  You're being sent javascript and having the browser execute it - sight unseen.  Are you really looking at the javascript crypto and *what* its signing?

Still, hybrid wallets are a step up from hosted wallets (where the host holds the private keys) in that it requires your action to spend something and the host (or some thief) can't just grab all the wallet.dat files from the server and make a run for it.

blockchain.info could presumably do the same sort of thing.
legendary
Activity: 1148
Merit: 1018
Well, what happened to this?

Quote
What is a hybrid wallet ?
A hybrid wallet allows you to send and receive Bitcoins just like any other wallet. However, the Bitcoin private key which is required to send money is encrypted in your browser before it reaches our servers.

Therefore our servers only hold encrypted private keys and neither we nor anyone else can spend your Bitcoins. Only you.

How was dogisland able to "seize" those funds to return them back to Graet? Maybe he modified the site, so all the transaction originated by the thief went to an address controlled by him?

IMO this confirms again that shared wallet/third party services are insecure by nature and thus should be avoided, regardless of super strong passwords, encryption, 2 factor authorization, etc. etc. etc.

It's a pity because really secure third party services are need for BTC (for example for trading)
legendary
Activity: 4760
Merit: 1283
...I didn't know much about Strongcoin but I do need to split up my on-line wallet holdings a bit more and this is a damn good reason to start a wallet there.

...Or maybe not.  I don't see a 'strongcoin' announcement on this forum...although the search functions are pretty broken it seems.  Nor do I see an 'about us' on the web page.

blockchain.info seems to be done by a guy who does not mind putting his name on things and supplying decent information about the business.  It also seems to let one use the service without supplying an e-mail addy (whether or not that is a good idea.)  Both of these things are meaningful to me.

legendary
Activity: 4760
Merit: 1283
Geez, just look at the facts.

Strongcoin never knew the private keys.  If they did, even more BTC would have been recovered than was.

All its owner did was deliver modified JS to the thief (only) that replaced the change and "To" addresses with dogisland's address.  It took the thief (from what I can see) about 5 transactions before she realized she was 0wned.  Stilll the thief has done very well for herself with 300+ BTC.  I wonder if she was smart enough to figure out how to reclaim her remaining coins (if any) without using Strongcoin's WebUI..... or is she stuck.

Ha-ha-ha-ha!  Nice ownage!  I wish I could have seen the look on the perp's face as these 5+ transactions went down.  Especially at the magical moment when the lightbulb went on.

Happy-ish endings like this are rare in Bitcoinland so it's nice to see this little tidbit.  I didn't know much about Strongcoin but I do need to split up my on-line wallet holdings a bit more and this is a damn good reason to start a wallet there.

If course if there was a mis-understanding and the accused really did by a car with an NDA I'm sure they will have no problem going through the court system to obtain their rightful property.  I don't think I'll hold my breath waiting for this to go down.

hero member
Activity: 518
Merit: 500
Personally, I feel that anyone that trusts putting coins in a browser environment is insane.

Trust isnt a binary thing. Its just a matter of how much you trust it.

For instance, like all miners I always have at least a tiny balance at the pool I mine. Am I certain it wont get hacked? Clearly not, but  Im only risking ~0.1 BTC there.
I tend to keep a bigger amount of BTC on my blockchain.info wallet, so I can access it from my smartphone. I absolutely do not have 100% trust in that either, but enough that its practicality warrants the risk of a few BTC. I have more BTC stored in Casascius coins. I dont have absolute trust in that either, but once again sufficient trust for the amount I invested in it. Well, at least at the price I paid almost 2 years ago. I may have to reassess. I have balances at exchanges, at online poker sites, betsofbitcoin and other places that are at risk of getting hacked or scamming me. Case in point, I will probably lose a fair amount of money on the bitcoin-24 debacle.

A significant portion of my BTC reside in my qt wallet, but one shouldnt fully trust that either, its not impossible my PC gets hacked or infected, no matter what OS you use or security provisions you take. Lastly, the bulk of my BTC are in cold storage. Thats as secure as it gets, but you guessed it, even that isnt 100% sure.

So its all a matter of weighing the risks. And that applies to investing in bitcoin anyway, no matter what medium you use to store them.
member
Activity: 77
Merit: 10
Strongcoin never knew the private keys.  If they did, even more BTC would have been recovered than was.

All its owner did was deliver modified JS to the thief (only) that replaced the change and "To" addresses with dogisland's address.  It took the thief (from what I can see) about 5 transactions before she realized she was 0wned.  Stilll the thief has done very well for herself with 300+ BTC.  I wonder if she was smart enough to figure out how to reclaim her remaining coins (if any) without using Strongcoin's WebUI..... or is she stuck.

I find the irony delicious.  The hacker injected some code to ozcoin's backend and caused ozcoin to pay the hacker instead of the miners.  The hacker showed the way and strongcoin used the same basic technique against them.

While I agree this is a slippery slope, I'm glad that the strongcoin folks chose to spend (burned) a considerable amount of goodwill to execute this.  I can't imagine it was an easy decision to make.  They would have known they'd take a lot of heat for it.

it's also a good reality check and a reminder that you Do Not(TM) trust a third party to hold your coins - even if the keys are encrypted.  Especially not when you're running third party javascript, sight unseen.

Personally, I feel that anyone that trusts putting coins in a browser environment is insane.
legendary
Activity: 2632
Merit: 1023
A large flaw in your position is in relation to the "law"

the Law is essentially an instrument of stupidity, unfairness and for the Govt and large Corps / Rich to crush you.

I would argue the the strongest point of CC's is the elision of sovereignty from the state to the individual, with all that entails






I have an Android phone and have some of my Bitcoins stored on it using Andreas Schildbach's bitcoin wallet for Android. I like many others update my software without looking at it particularly hard. I have not done much programming for a long time.

Andreas could easily pull the same stunt that StrongCoin did and put a special bit of code that steals back stolen funds. It gets worse even. Andreas's software depends on bitcoinj, written by Mike Hearn, who has repeatedly written about blacklists and also does not particularly value anonymity, and does believe Bitcoin can and should be regulated.

Would he sneak some code into bitcoinj itself to steal back stolen funds? Probably not but I can never be sure. (edit: to be clear I mention Mike not because I think he would, but rather because for someone whose views I oppose so strongly I still am trusting him surprisingly directly with hundreds of dollars)

Trust is a very hard problem.

Seeing as you invoked me here, allow me to respond.

Firstly, we are all aware that wallet developers are weak points in the trust chain. I have already started tackling this problem for the case of the Android wallet by researching and obtaining code that can do genuine RSA threshold signing using the Shoup algorithm. I can assure you it was not easy to track down a real threshold RSA library, as far as I can tell none are publicly available (fortunately the one I obtained is open source, just oddly enough it's not distributed).

At the moment the Android wallet isn't being signed using threshold keys but that's just because I didn't get around to it yet. This will come with time, assuming Andreas agrees of course. Once that's done only a quorum of people could make new releases that phones and the Play Store accept. It'd make backdooring a wallet much harder. At any rate, there's no good way to find out via block chain analysis that someone is using Bitcoin Wallet or MultiBit so the same kind of dilemma dogisland faced won't come up.

The second thing I want to comment on is your trolling about what I believe or my trustworthiness. Like a lot of other people, you seem incapable of distinguishing writing about a future possibility with actually supporting it or believing it's a good idea.

In my posts on this forum over the years I've explored many ideas - some of them people here really like such as peer to peer exchanges/credit or how to implement lightweight SPV clients ... and others that a lot of people don't, such as how governments might tax or regulate Bitcoin users. Exploring these ideas doesn't imply wanting to actually make them happen, no more than Gregory writing about StorJ implied that he thinks autonomous lifeforms that evolve and hire humans is a good idea. It's just an intriguing possibility that's worth thinking and writing about.

There's another distinction you're (probably deliberately) failing to make. Just because I think Bitcoin users can be regulated doesn't mean I think all those regulations are a great idea. The fact that users can be regulated is unarguable at this point, lots of people who were running exchanges have had their bank accounts shut down because they didn't follow all the rules, and in the past police (in the USA) have busted people as apparently innocuous as car dealerships for failing to do the right paperwork when accepting cash transactions. If you think using Bitcoin makes you immune to the law, then you're gonna get slapped in the face by reality the moment you scale up your business and get noticed. I mean, it's easy to bluster about sticking it to the man when all you do is generate forum posts. Once you start running a real business, unless you can somehow do it entirely online and perfectly anonymously like the Dread Pirate does, well you're going to have to get in line or go to jail. That's not an opinion, just fact.

Now no reasonable person would be stupid enough to argue blindly for or against "regulations" in general, all that word means is rules and only the most extreme anarchists believe society should have no rules at all. Even libertarians believe that the state should enforce contracts, and contract law is large and complex. Our worlds are full of regulations on everything from finance to the labelling of meat products. You have to weigh up the cost and benefit of specific rules on a case by case basis to figure out if you support them or not. As it happens, I feel the value of many financial regulations are rather questionable. You can easily see how they evolved the way they did and each step along the way probably seemed reasonable at the time, but it was a "road to hell paved with good intentions" type thing. The costs are really high and the benefits often don't seem to be there. Maybe the best possible solution is no financial regulations at all, or maybe there's some in-between sort of compromise solution that helps society keep a lid on thieves, hackers and other scummy types whilst not impinging on civil liberties or creating red-tape overload. That's a topic worth thinking about and exploring, and I personally haven't made my mind up yet. I don't much like the current way finance and crime-fighting intersect, but I haven't decided if I dislike the general concept or just the way it works today.

Regardless, my own opinions on the matter don't affect existing laws or enforcement of them.
legendary
Activity: 1526
Merit: 1134
I have an Android phone and have some of my Bitcoins stored on it using Andreas Schildbach's bitcoin wallet for Android. I like many others update my software without looking at it particularly hard. I have not done much programming for a long time.

Andreas could easily pull the same stunt that StrongCoin did and put a special bit of code that steals back stolen funds. It gets worse even. Andreas's software depends on bitcoinj, written by Mike Hearn, who has repeatedly written about blacklists and also does not particularly value anonymity, and does believe Bitcoin can and should be regulated.

Would he sneak some code into bitcoinj itself to steal back stolen funds? Probably not but I can never be sure. (edit: to be clear I mention Mike not because I think he would, but rather because for someone whose views I oppose so strongly I still am trusting him surprisingly directly with hundreds of dollars)

Trust is a very hard problem.

Seeing as you invoked me here, allow me to respond.

Firstly, we are all aware that wallet developers are weak points in the trust chain. I have already started tackling this problem for the case of the Android wallet by researching and obtaining code that can do genuine RSA threshold signing using the Shoup algorithm. I can assure you it was not easy to track down a real threshold RSA library, as far as I can tell none are publicly available (fortunately the one I obtained is open source, just oddly enough it's not distributed).

At the moment the Android wallet isn't being signed using threshold keys but that's just because I didn't get around to it yet. This will come with time, assuming Andreas agrees of course. Once that's done only a quorum of people could make new releases that phones and the Play Store accept. It'd make backdooring a wallet much harder. At any rate, there's no good way to find out via block chain analysis that someone is using Bitcoin Wallet or MultiBit so the same kind of dilemma dogisland faced won't come up.

The second thing I want to comment on is your trolling about what I believe or my trustworthiness. Like a lot of other people, you seem incapable of distinguishing writing about a future possibility with actually supporting it or believing it's a good idea.

In my posts on this forum over the years I've explored many ideas - some of them people here really like such as peer to peer exchanges/credit or how to implement lightweight SPV clients ... and others that a lot of people don't, such as how governments might tax or regulate Bitcoin users. Exploring these ideas doesn't imply wanting to actually make them happen, no more than Gregory writing about StorJ implied that he thinks autonomous lifeforms that evolve and hire humans is a good idea. It's just an intriguing possibility that's worth thinking and writing about.

There's another distinction you're (probably deliberately) failing to make. Just because I think Bitcoin users can be regulated doesn't mean I think all those regulations are a great idea. The fact that users can be regulated is unarguable at this point, lots of people who were running exchanges have had their bank accounts shut down because they didn't follow all the rules, and in the past police (in the USA) have busted people as apparently innocuous as car dealerships for failing to do the right paperwork when accepting cash transactions. If you think using Bitcoin makes you immune to the law, then you're gonna get slapped in the face by reality the moment you scale up your business and get noticed. I mean, it's easy to bluster about sticking it to the man when all you do is generate forum posts. Once you start running a real business, unless you can somehow do it entirely online and perfectly anonymously like the Dread Pirate does, well you're going to have to get in line or go to jail. That's not an opinion, just fact.

Now no reasonable person would be stupid enough to argue blindly for or against "regulations" in general, all that word means is rules and only the most extreme anarchists believe society should have no rules at all. Even libertarians believe that the state should enforce contracts, and contract law is large and complex. Our worlds are full of regulations on everything from finance to the labelling of meat products. You have to weigh up the cost and benefit of specific rules on a case by case basis to figure out if you support them or not. As it happens, I feel the value of many financial regulations are rather questionable. You can easily see how they evolved the way they did and each step along the way probably seemed reasonable at the time, but it was a "road to hell paved with good intentions" type thing. The costs are really high and the benefits often don't seem to be there. Maybe the best possible solution is no financial regulations at all, or maybe there's some in-between sort of compromise solution that helps society keep a lid on thieves, hackers and other scummy types whilst not impinging on civil liberties or creating red-tape overload. That's a topic worth thinking about and exploring, and I personally haven't made my mind up yet. I don't much like the current way finance and crime-fighting intersect, but I haven't decided if I dislike the general concept or just the way it works today.

Regardless, my own opinions on the matter don't affect existing laws or enforcement of them.
staff
Activity: 4284
Merit: 8808
I believe that blockchain works in a different way then strongcoin.
If you use the browser extension I believe you are relatively safe from arbitrary code changes like the one we witnessed at StrongCoin.[/quote]
That is not correct to the best of my understanding. The extension only makes sure the JS matches the JS on github and does not prevent additional pre-loaded JS from manipulating the execution environment.

Quote
Next step in security is probably to have an hardware wallet with the private key that can sign the transaction without ever letting the computer see the private key.
The makes a nice example of why security is hard: This isn't secure either— if you're using a single point of trust webwallet the wallet can still lie to you about having confirmed payments that aren't real or cause you to sign away the bulk of your coins to fees.
sr. member
Activity: 434
Merit: 250
All well and good sir gmaxwell, If I may suggest the issues is the ability to redirect funds in this way makes StongCoin and Blockchain.info fundamentally compromised

I believe that blockchain works in a different way then strongcoin.

If you use the browser extension I believe you are relatively safe from arbitrary code changes like the one we witnessed at StrongCoin.

Next step in security is probably to have an hardware wallet with the private key that can sign the transaction without ever letting the computer see the private key.
sr. member
Activity: 362
Merit: 252
Leave StrongCoin. They lost all reason to trust them. It is like leaving your Bitcoins with a junkie. Your choice.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
All well and good sir gmaxwell, If I may suggest the issues is the ability to redirect funds in this way makes StongCoin and Blockchain.info fundamentally compromised

I believe that blockchain works in a different way then strongcoin.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
Waiting for StrongCoin to be hacked in 3... 2... 1...
hero member
Activity: 488
Merit: 500
All morality questions aside this is a clear warning:

If you use a hybrid/browser wallet you have a high risk of being compromised.

Although this has been discussed before multiple times i think this is the first time it actually happened. If the operator can do this kind of change the hacker of the site can do exactly the same.
legendary
Activity: 2632
Merit: 1023
All well and good sir gmaxwell, If I may suggest the issues is the ability to redirect funds in this way makes StongCoin and Blockchain.info fundamentally compromised




I think people who are hating on strongcoin are taking away the wrong thing from this.  This is the reasonable and expected outcome.

I suggest meditating on some words from Satoshi:
Quote
Then strong encryption became available to the masses, and trust was no longer required. Data could be secured in a way that was physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter what.

Used correctly Bitcoin is secure no matter how good the "excuse" is and in this case the excuse is exceptionally good:  Someone who ripped off infrastructure important to many of our community members, screwing both the users and a the operator (a rightfully well respected member of our community)— is utter scum. It would be wrong of us to expect anyone to protect him, he didn't protect Bitcoin— he didn't protect Ozcoin's users— he didn't look out for anyone but himself.  I agree that this can begin slippery slope of "excuses"— but Bitcoin has an answer to that that slippery slope: Build systems that don't depend on trust. But Bitcoin's trustlessness can't protect you if you go around delegating the actual use of Bitcoin to third parties.

When you use a webwallet you're trusting that the JS is not replaced out from under you— you're trusting that any 'validator' tool validates against something useful (and not just some copy the same operator can replace), and that no additional JS is being inserted which e.g. rebinds half the JS language and keeps the validated code the same while changing its operation, that the web browser environment— which wasn't designed for this kind of security at all and lacks basic features like mlocking data to keep it out of swap— is secure. You're trusting that the operator doesn't phish your passphrase— as they trivially can— or brute force it. You're trusting that the site gives you faithful information about the blockchain as none of the webclients have even SPV security. You're trusting that the site operators description of their service as secure is truthful and that there aren't subtle weaknesses that you don't personally understand. You're trusting a lot of things ... and especially if you're a disreputable thieving source there can be no basis for that trust.  It would have been wrong of us to demand that the operator of a service turn down a well substantiated request in a case like this, it would make them a villain to the kind and honest people their decision harmed. We shouldn't create a world where people have to make choices like that.

The webwallet wasn't the only problem here: For example, the address reuse made identifying the wallet vendor trivial.  These aren't new security issues, but a lot of people won't believe them without concrete examples.

Ultimately the problem here is one of introducing trust needlessly. Expecting this not to fail for a villain would be to expect inhuman behavior from the site's operators... and even a wallet service operated by the least human most profit oriented sort would have some "excuse" that was sufficient: Perhaps for some it's a crime that ought to be solved, for others it an attractive bribe, someone else might be motivated by a court order— or by a literal gun held to their head. Whatever the exact contours of the breaking point is— it exists.  Bitcoin was designed to liberate us from so much dependance on trust, but it can only do that if we use it— and not thin-clients that kinda-sorta-approximate it.

I'm glad that the example here is one where a really obvious thief gets screwed over and not someone less deserving. Hopefully the honest folks will learn and change their behaviors faster than the thieves do.


[I'm sure this is going to get discussed in a dozen different places— I'm not going to bother trying to track them all down. If you see it discussed elsewhere and you thought my comments were interesting, please feel free to drop a link back to here]
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
Geez, just look at the facts.

Strongcoin never knew the private keys.  If they did, even more BTC would have been recovered than was.

All its owner did was deliver modified JS to the thief (only) that replaced the change and "To" addresses with dogisland's address.  It took the thief (from what I can see) about 5 transactions before she realized she was 0wned.  Stilll the thief has done very well for herself with 300+ BTC.  I wonder if she was smart enough to figure out how to reclaim her remaining coins (if any) without using Strongcoin's WebUI..... or is she stuck.

And you don't think this is worse? That one doesn't even need your private key- which at least you could 'track' when someone steals your coins, but in this case  you could be injected with javascript that takes control of your wallet?
donator
Activity: 668
Merit: 500
Geez, just look at the facts.

Strongcoin never knew the private keys.  If they did, even more BTC would have been recovered than was.

All its owner did was deliver modified JS to the thief (only) that replaced the change and "To" addresses with dogisland's address.  It took the thief (from what I can see) about 5 transactions before she realized she was 0wned.  Stilll the thief has done very well for herself with 300+ BTC.  I wonder if she was smart enough to figure out how to reclaim her remaining coins (if any) without using Strongcoin's WebUI..... or is she stuck.
staff
Activity: 4284
Merit: 8808
We as OP pointed out Strongcoin makes a point about how they don't have your private keys, meaning they shouldn't have been able to return the funds at all.
They have the same access that all JS webwallets have. People have been telling all of you that their "private key on the client" model isn't comparable in security to a normal Bitcoin client and you've just continued blabbering on about 'BUT PRIVATE KEY ONLY ON MY COMPUTER' ...  Even here you seem to be speculating that maybe it wasn't really on your computer. IT WAS and thats _not sufficient_.

People have been telling everyone since these JS wallets have come into existence that they have an inferior security model compared to SPV nodes which have an inferior security model compared to full nodes. If people insist on ignoring the experts who are looking out for their interests because they think they know better ... well. Expected result is expected.

As an aside I ran into a nice quote from Jacob Appelbaum on system security, an I thought it nicely repeated some of the points I made above.
Quote
We should consider that if the architecture of a system, even a mostly
*technically* secure system, is optimized for surveillance to the
company's benefit - it *will* almost certainly be forced to hand your
data over when ordered. Simply because it *is able to do so* at all,
we've learned that the law in the US is interpreted to suggest that such
companies must and they must do so silently. And it seems to be the case
that when the US has no legal recourse, it may use other methods for
jurisdictions beyond their direct legal reach. It might happen through
legal means, it might happen through general blackhattery, it might
happen through kidnapping a family member - compliance is possible and
there exists a case where compliance *will* happen.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
Bottom line: it's time for folks to stop using hybrid wallets--or at the very least, StrongCoin in particular. Both ability and willingness were displayed in this case, and that's a sure sign to flee the premises.

And I find it funny that he's "intercepted" the funds but chosen to keep the sender anonymous. If any action were to be taken at all, I would have imagined leaving the funds untouched but publicizing the incident as much as seems necessary (note: as in making public, not as in running to the cops) would have been the morally upright choice. As it stands, the owner of StrongCoin just destroyed his own business, and possibly his entire business model.

Hope it turns out that it actually was stolen funds that were "intercepted," and that that the proper owner was identified. That's about the only thing that might make this entire outcome worth it.


We as OP pointed out Strongcoin makes a point about how they don't have your private keys, meaning they shouldn't have been able to return the funds at all. We can argue the moral and legal points of confiscating the money (I think it's probably illegal) but the real question is has Strongcoin been unfaithful to it's users all along? They said they only see your encrypted keys but that turns out not to be true, the obviously have access (and any hacker would have access- and I suspect a large number of hackers might now turn their sights on strongcoin having realized the encrypted private key thing was a ruse) to all the coins.
Pages:
Jump to: