Topic: Kaspersky and INTERPOL Say Blockchain is Vulnerable (Read 4230 times)

Bitcoin is a booming market and Kaspersky  makes their money off fear of electronic attacks. Probably Interpol with get a commission by supporting each other's claims to pump future Kaspersky products.

This is more recent - March '15: http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain-pollution-a-criminal-opportunity/

True. One can not argue with that.


Interpol does not make laws, it follows them, and if they have orders to do something, they do it Internationally (or at least where Interpol has juristiction).
Also, even though the word "organ" might be correct, the word organization is the preffered choice. "Organ" may refer to a body part such as a penis.


True and False at the same time.
They will - yes they will - attempt to get some of their money back, and that means the black markets.


I don't think you understood what I said, nor what Interpol said.
The blockchain is NOT vulnerable, on the contrary it's so solid that an abuser can host child abuse images on it indefinetely (and other malicious code).
Apart from that, Bitcoin gives ways for abusers to use it over money (fiat) due to it's (supposed) anonymity.
Also, criminals should not have ANY worries exploiting the blockchain because..... you know: coin mixers -> one time use address -> crime done and there forever.....
If that address is never to be used again then there is no chance they can track them.


Now, can you please stop being so "smart" and defensive about Bitcoin and pay attention to the details?
Or are you too busy playing bullshit ARG games (or covering up for the con artist) that you do not read between the lines?

Typical corporate FUD. And I don't think this is relevant for wallets that do not store your blockchain, and then again people running those that do (nodes) are knowledgeable enough to not get their computers infected.
Most average joes will be using blockchain.info or so, to deal with their BTC anyway.

You could always go and try to cause some buffer overflows. Back in the good old days it was quite common to try and write some executable code into the memory, build a large enough landing pad, and whooops: your code gets executed

I consider their research as "marketing activity" .

Again, any decentralized storage system is vulnerable in that regard.


Interpol does not make laws. They can not make anything illegal or legal. They are an organ to promote cooperation between police organisations in different countries. Who is this mysterious "they" you are referring to that can change all laws on a global scale?


Under the assumption that bitcoin have just been declare illegal, which business and/or exchange would be left? None, because all exchanges and business would now be bankrupt, unless they do not actually hold bitcoins.


Blatantly declaring Bitcoin's blockchain vulnerable is not protecting any (my) children. In order to store the picture of an abused child, the picture must have been taken previously, thus the abuse must have already happened. Attacking the symptoms is not a solution. I doubt there is much of the content they are warning about in the blockchain. The main reason for this believe is that there are other, cheaper and more discrete ways. The only advantage in using the blockchain I could see is that it would be very hard to erase the data. On the other hand criminals tend to have a reason to avoid this very property as it would also make it very hard to hide their tracks.

I think you guys are very sentimental about the subject.

Interpol is right : http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain-pollution-a-criminal-opportunity/


And when that happens (coz it will) kiss your Bitcoins goodbye.

Oh, and don't say how are they going to do it.
If they make any kind of purchase/exchange with BTC illegal and fine it with lifetime in jail,
no business or exchange will take your Bitcoins.
Then you will have to turn to a black market but we have all seen how they all fell like flies haven't we?

Once again, stop being so sentimental and pay attention to the details.
Interpol is trying to protect (your) children from abuse, and that is just one example of what the blockchain is capable of.

Keyword "naively." Publicly available data on the internet isn't really the problem since that's what the internet basically is. The problem is client-side whatever it is and that's on the end-user, not the fault of the network itself.

well besides the fact we have to save our passes and addresses and amounts in personal computer i mean does the hackers try to steal all in blockchain directly or go to personlal comuters and a change in blockchain need to ocurr in like 4000 net work computers its a very diff thing

> How would you “accidentally execute” a sequence of bytes? Unless you're using something similar to eval, which then it's not accidental anymore.

Well, that's how injection attacks work. A client would naively try to read the data, and the data would contain an escape sequence followed by the equivalent of "eval" on the target operation system or hardware architecture. It doesn't seem impossible as a conceptual attack.

Exactly this. They want to promote their products that way.
Where was Kaspersky the last 5-6 years since the blockchain release?

They just want to get involved in the Bitcoin game. They make money.

Well for this to happen, the virus or code has to execute arbitrary block chain data. It has to install a method of accessing that data, decoding it and executing it.

There are many other easier ways of doing this... A simple trojan virus in the executable of these games and apps, people are downloading "for free" from torrent sites, will do the trick. 

Yes, we do not deny, that it's not possible to inject malicious code into the blockchain, but it's not a VERY affective way to spread virusses. {It requires a lot of other things to be in place, before it can be executed}

In my opinion it's just another way for AV companies to spread FUD, to increase fear, and to get people to buy more of their products to counter it. {Very low risk}

How would you “accidentally execute” a sequence of bytes? Unless you're using something similar to eval, which then it's not accidental anymore.

CIYAM:
> You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable...

That's actually an interesting idea. If you embedded some injection-like escape sequence, followed by assembly code tailored to a specific microprocessor set, then could it possibly be executed by any standard client when it is "naively" attempting to access the OP_RETURN data? Clients / nodes written in loosely-typed languages seem like they might be more vulnerable...

They are just hyping their antivirus bloatware any way they can. Whats the next big thing in everyone's computer? Bitcoin. Then lets start selling how Bitcoin "can infect your computer thought the blockchain" and make some shekels.

They mean that the virus on the infected computer fetches the code from the blockchain and runs it, not an actual Bitcoin client. This isn't a security issue in bitcoin or anything per say, it's just Kaspersky pointing out that the Bitcoin blockchain or another blockchain could be used for communicating with infected machines (ones that are already infected) which would be harder to shut down than a regular c&c server.

Thanks, I was more thinking about the aspect of a permanent record of the conversation.

And that's a legitimate concern with any method of communicating over the internet.. whether you're using the blockchain, a centralized server, some other P2P mechanism like BitTorrent or (as you mentioned) even something like PasteBin. Theoretically a virus, trojan or other malware could just as easily use a GMail account for the same purpose. Any of those methods would probably be a lot easier and less expensive for the malware author than repeatedly paying to put messages in the Bitcoin blockchain (either as fake outputs or OP_RETURNs), but I can see how putting the messages in the blockchain would be much more resilient than most of the other methods I can think of.


Perhaps it's the way the article is written, then? I took to mean the same thing, especially since it specifically mentions "fetching information from transaction records and running it as code" and in that light it's nothing but FUD, no Bitcoin client does that and there's no need for any Bitcoin client to ever do that. Of course some hacker using it to send messages to control infected computers is a much more legitimate concern. Even worse, I'd think, would be a hacker using it to send messages from infected computers back to himself. But we already have viruses and keyloggers that do a pretty good job of phoning home without ever having to touch the blockchain.

maybe they were talking about ethereum where it can be used to run program, however this is fud and i wonder how bitcoin community should deal with these ?