
Topic: Proposed: We Should Hire Respectable White Hats to Audit Bitcoin's Security (Read 2374 times)

donator
Activity: 980
Merit: 1000
Put bounties on proven exploits in a test-environment blockchain, under the condition of not making them public until fixed.
Agreed. And the condition is very important.
And damaging testnet instead of the main blockchain is as much fun as having sex with an inflatable doll instead of a real woman.

Which is precisely why bounties are needed.
legendary
Activity: 1512
Merit: 1049
Death to enemies!
Put bounties on proven exploits in a test-environment blockchain, under the condition of not making them public until fixed.
Agreed. And the condition is very important.
And damaging testnet instead of the main blockchain is as much fun as having sex with an inflatable doll instead of a real woman.
full member
Activity: 154
Merit: 102
Bitcoin!
Put bounties on proven exploits in a test-environment blockchain, under the condition of not making them public until fixed.
Agreed. And the condition is very important.
donator
Activity: 980
Merit: 1000
Most white hats are corporate parasites or lamers who are not smart enough to be black ones.

Often, but not always. You lose nothing by having a bounty on the test network, so people who really mean no harm can try stuff.

Bitcoin is in the wild. It has been looked over again and again by some really smart people. The Satoshi client is still standing. Is there a need for any more proof?

Yep, strongest reason why bitcoins are worth something right now.
legendary
Activity: 1512
Merit: 1049
Death to enemies!
Most white hats are corporate parasites or lamers who are not smart enough to be black ones.

Bitcoin is in the wild. It has been looked over again and again by some really smart people. The Satoshi client is still standing. Is there a need for any more proof?
donator
Activity: 980
Merit: 1000
Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox.

Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc.

If such coins were stolen, it would be very visible in the blockchain, and speculators would fire-sell anticipating a crash in confidence in the whole bitcoin system. Speculators, and basically anyone who got wind of the news.
legendary
Activity: 3878
Merit: 1193
Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox.

Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc.

At the size of the current market right now, you would be very lucky to cash out 100K.

Let's look at the mtgox order book:
Quote
2.70    809 (4)    214855    1001710    
You can cash out more than $1,000,000 worth of bitcoins right this moment, and only drop the price to $2.70. There is plenty of money available for the taking in the blockchain.
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
donator
Activity: 980
Merit: 1000
The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will ever collect. All you have to do is to find an exploit. You don't think people have already tried?

Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox. At the size of the current market right now, you would be very lucky to cash out 100K. This is because bitcoins are not "good currency" by themselves as is, and must be converted at scale.

Moreover, for some reason we only seem to care about the security of the whole blockchain, when that's not by any means all there is to it. There's individual wallet security, punctual double-spending, etc., and all that needs proving.
legendary
Activity: 3878
Merit: 1193
The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will ever collect. All you have to do is to find an exploit. You don't think people have already tried?
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
I think in these months the whole system has already been attacked by pretty much everyone trying to steal money. And they almost always failed (yeah, except for the wallet-stealer virus and connecting to the RPC interface with a fail password and stealing everything).
legendary
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
Isn't it a bit too early for this? The protocol is still undergoing significant changes and every modification introduces new bugs.

donator
Activity: 980
Merit: 1000
Any govt with $20 million in spare change could bring the network to its knees. If Senator Schumer and cohorts wanted to fund that via back channels, it would be more effective and cheaper than years of legislative maneuvering.

Having it even discussed in the Senate would skyrocket the popularity of bitcoin and the strength of the network.
hero member
Activity: 523
Merit: 500
As said earlier, create a fund with a bounty that anyone with a new proven attack will get if they contact Gavin and keep it secret for at least 6 months?

This kind of thing will get easier when we can require multiple addresses to control an account. This means that Gavin and some others (Casascius etc.) can hold the different keys for this account.


hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
Any govt with $20 million in spare change could bring the network to its knees. If Senator Schumer and cohorts wanted to fund that via back channels, it would be more effective and cheaper than years of legislative maneuvering.
donator
Activity: 362
Merit: 250
coretechs, I think believing that bitcoin is already bulletproof is incredibly foolish.

What if there are more bugs like the encryption bug in 0.4? People trusted that their wallets were secure, but OOPS, they weren't.

Having someone paid to look for holes is a good thing.

I don't believe it's bulletproof at all; I listed 2 of the biggest flaws that NEED to be addressed right away. A [block]chain is only as strong as its weakest link.

I agree that having someone paid to look for holes is a good thing, but I think that is better achieved by paying bounties for exploits to anyone who finds them. I don't see the point in trying to raise tens or hundreds of thousands of dollars to pay some hardcore commercial netcode/crypto analysts to spend months auditing bitcoin for flaws, and I doubt they would accept BTC as payment. I'm not trying to be negative, just realistic about what would be more effective. I'll gladly contribute to bounties for finding exploits.
sr. member
Activity: 308
Merit: 250
So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).

I support this idea.
hero member
Activity: 742
Merit: 500
coretechs, I think believing that bitcoin is already bulletproof is incredibly foolish.

What if there are more bugs like the encryption bug in 0.4? People trusted that their wallets were secure, but OOPS, they weren't.

Having someone paid to look for holes is a good thing.
donator
Activity: 980
Merit: 1000


Mitigation summary:

1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol
2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)


+1 There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol. The main areas that need tightening are the pools because they concentrate so much power. Almost all of the possible attacks would REQUIRE a pool or more money (in hardware) than the attack would capture.

There is a bounty for blackhats. Some people wouldn't just steal a bunch of coins from an unsuspecting user. So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).
legendary
Activity: 1386
Merit: 1004


Mitigation summary:

1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol
2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)


+1 There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol. The main areas that need tightening are the pools because they concentrate so much power. Almost all of the possible attacks would REQUIRE a pool or more money (in hardware) than the attack would capture.