
Topic: [THEORY] Reverse exploiting Bitcoin - page 2. (Read 2451 times)

legendary
Activity: 826
Merit: 1002
amarha
June 04, 2014, 02:25:36 PM
#7
so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
Haven't you ever heard of this NSA crowdsourcing program?

http://en.wikipedia.org/wiki/Underhanded_C_Contest

Quote
The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.

That is pretty wild. I had never heard of this. I wonder how many people have been caught trying to pull something like this on open source projects? I also wonder how many people (if any) have gotten away with inserting such code (intentionally, of course) into any major open source projects.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
June 04, 2014, 11:08:52 AM
#6
The most critical part of bitcoin is arguably the implementation of ECDSA, which would probably be the most scrutinized and heavily reviewed code.  Thus, it would seem unlikely that a serious exploit could be introduced.
legendary
Activity: 1400
Merit: 1013
June 04, 2014, 07:56:30 AM
#5
so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
Haven't you ever heard of this NSA crowdsourcing program?

http://en.wikipedia.org/wiki/Underhanded_C_Contest

Quote
The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.
AGD
legendary
Activity: 2070
Merit: 1164
Keeper of the Private Key
June 04, 2014, 03:34:27 AM
#4

people don't simply dump compiled exe's into the bitcoin dev project area. they put in lines of code, which get reviewed by the other devs before it's then added into the main code area, and then tested to ensure it does not cause other things to fall apart or become exploitable.

so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core

I agree that new implementations are reviewed over and over by expert coders until they are released, but this is not the relevant part of it.
SSL had a flaw that was indeed exploitable until the core devs were convinced that they had to change the code and release v 0.9.0.
Before that, the guys either didn't know about the Heartbleed bug or they thought it was not necessary to update. This means that code - even after multiple reviews by good programmers - can contain bugs/flaws/exploitable parts, which either still have to be found or - in my example - were already found, but kept secret.



newbie
Activity: 25
Merit: 0
June 04, 2014, 03:01:47 AM
#3
To be perfectly honest:

If the sun was blocked out of the sky for JUST long enough to cause the surface temperature of hydrated driving surface to drop below the freezing point of deionized water we could possibly cause an automobile accident that would delay an important bitcoin foundation meeting JUST long enough to postpone the next update until our super virus elite hacker skills technician can compromise the mainframe.
legendary
Activity: 4410
Merit: 4788
June 04, 2014, 03:00:58 AM
#2
I had this idea. Dunno if it is realistic, maybe it's BS, but need to let it go

When the Heartbleed bug was found, the Bitcoin core was quickly updated to version 0.9.0 (then shortly after updated to 0.9.1)

Since it was a "major security issue" I assume that a lot of people already updated their client and the new version is more or less accepted by the majority of the network. No one wants to get hacked ...

Now, what if some expert hacker invents an exploit that targets an issue, which is still not implemented in Bitcoin core, but - with a good reason - COULD be implemented in future versions, because of another big security issue, that will convince the majority of the community to update to the new version.

 If this expert hacker has a possibility to convince the key persons behind the BitcoinFoundation to update the source code with the reasonable security update (like it was done with the Heartbleed bug), he would be the only person with an exploit to the new implementation.

This sounds like a quite realistic scenario to me. What do you think?


people don't simply dump compiled exe's into the bitcoin dev project area. they put in lines of code, which get reviewed by the other devs before it's then added into the main code area, and then tested to ensure it does not cause other things to fall apart or become exploitable.

so it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core
AGD
legendary
Activity: 2070
Merit: 1164
Keeper of the Private Key
June 04, 2014, 02:55:56 AM
#1
I had this idea. Dunno if it is realistic, maybe it's BS, but need to let it go

When the Heartbleed bug was found, the Bitcoin core was quickly updated to version 0.9.0 (then shortly after updated to 0.9.1)

Since it was a "major security issue" I assume that a lot of people already updated their client and the new version is more or less accepted by the majority of the network. No one wants to get hacked ...

Now, what if some expert hacker invents an exploit that targets an issue, which is still not implemented in Bitcoin core, but - with a good reason - COULD be implemented in future versions, because of another big security issue, that will convince the majority of the community to update to the new version.

 If this expert hacker has a possibility to convince the key persons behind the BitcoinFoundation Bitcoin Development to update the source code with the reasonable security update (like it was done with the Heartbleed bug), he would be the only person with an exploit to the new implementation.

This sounds like a quite realistic scenario to me. What do you think?
