Verifying Bitcoin Core - page 7. | Bitcointalksearch.org

Gumballinabattleaxeninja

full member

Activity: 182

Merit: 100

Quote from: luv2drnkbr on August 19, 2016, 04:48:54 AM

Quote from: Gumballinabattleaxeninja on August 17, 2016, 11:26:34 PM

What I want to know is, what "State" is sponsoring this malicious attack? Is it China? The USA? I would imagine a collective of countries conversing on this and funding the attackers with Bitcoin, since fiat is so traceable nowadays.

I think he found direct evidence of GFW doing a DNS MITM for bitcoin.org. That to me is the most reasonable and most likely explanation. Sure it could be another state sponsored attack, but all the other major state players just ban it and make it unpopular and whatnot. China's the only one to just implement technical measures first and do other stuff later. I think the GFW got updated to redirect bitcoin.org traffic.

This is of course entirely speculation without any shred of merit.

Can you tell me what GFW is? I may know what it is, but I do not know that acronym. Apologies for my ignorance and thank you for the information.

lucky80

hero member

Activity: 1652

Merit: 593

Thankyou Sir for this helpful information...

mamamae

legendary

Activity: 1188

Merit: 1001

i'm no expert but something like this can be used to certify the files for the wallets, even the code on github, the only problem is that need a source that certify the files are originals :

https://eternitywall.it/notarize

Abiky

legendary

Activity: 3108

Merit: 1351

www.Crypto.Games: Multiple coins, multiple games

This post is very important in order to stay safe on the Bitcoin network. I've heard that soon we'll be getting the Seg Wit protocol so it will be a major improvement towards helping Bitcoin reach mainstream status. Scalability and security is the most important thing here so I hope that with Seg Wit we could finally get somewhere. Cheesy

tutorialevideo

legendary

Activity: 1161

Merit: 1001

Don`t invest more than you can afford to lose

Thanks for the heads up!

Divorcion

full member

Activity: 171

Merit: 100

a very important post, thanks.

alani123

legendary

Activity: 2366

Merit: 1403

Leading Crypto Sports Betting & Casino Platform

The news about the announcement spread like wildfire...

luv2drnkbr

hero member

Activity: 793

Merit: 1016

Quote from: biggus dickus on August 18, 2016, 03:00:32 PM

Is Electrum still safe to use?

Electrum is no more or less safe than it has always been. You should of course be PGP verifying your Electrum downloads.

Animazing's key is 9914864DFC33499C6CA2BEEA22453004695506FD, and Thomas V's key is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.

luv2drnkbr

hero member

Activity: 793

Merit: 1016

Quote from: Gumballinabattleaxeninja on August 17, 2016, 11:26:34 PM

What I want to know is, what "State" is sponsoring this malicious attack? Is it China? The USA? I would imagine a collective of countries conversing on this and funding the attackers with Bitcoin, since fiat is so traceable nowadays.

I think he found direct evidence of GFW doing a DNS MITM for bitcoin.org. That to me is the most reasonable and most likely explanation. Sure it could be another state sponsored attack, but all the other major state players just ban it and make it unpopular and whatnot. China's the only one to just implement technical measures first and do other stuff later. I think the GFW got updated to redirect bitcoin.org traffic.

This is of course entirely speculation without any shred of merit.

Itoo

jr. member

Activity: 33

Merit: 1

My thoughts about hash storage and actual storage of the sig's and software aren't fully articulated, but I understand they are separate and would need to be considered separately, though that's not to say a data storage model couldn't have a built-in hash storage/verification model as well. I just understand that space usage is an important consideration in a decentralized model that you want to keep as decentralized as possible. Thanks for reading my ramblings

Itoo

jr. member

Activity: 33

Merit: 1

Quote from: theymos on August 17, 2016, 08:34:48 PM

...

PGP has the concept of a "PGP Web of Trust" that people are theoretically supposed to use to prevent this sort of thing, but it's complicated and doesn't work very well, so pretty much no one actually uses it. ...

Thanks for the info Theymos, very in-depth and helpful.

I hope this isn't too far off topic but, related to the quote above, I've been thinking about the concept of a 'web of trust' and how bitcoin and the p2p blockchain are basically exactly that, it's a currency whose veracity is enforced by a web of trust (among other things of course, but nodes operate on a similar concept I believe, of course they rely on a percentage of participators to be rationally motivated to be good players).

I've also been thinking of a post I just read by u/cannon-c on r/bitcoin about the need to decentralize data (such as the bitcoin repository, and any important open-source repository).

It seems that both of those things (gpg signature storage and open-source software repositories) could benefit from a decentralized p2p storage model, and possibly the security of being written to a/the blockchain (side-chains come to mind, but I'm by no means a programmer so could be off in my expectations there).

In any case, taking Namecoin as an example, I think open-source software and signature repositories are the exact kind of things that could benefit from bitcoin's model.

I'm truly a noob so there could be things I'm not considering. Thanks for any thoughts you have

Bitware

hero member

Activity: 926

Merit: 1001

weaving spiders come not here

Thank you for this valuable information.

theymos

administrator

Activity: 5166

Merit: 12850

Quote from: CanaryInTheMine on August 18, 2016, 02:09:10 PM

The suggested HashTab tool is not useful on Windows. If you get it and check the properties tab, the sha256 sum is not there. Either additional instructions to enable it are required or a different tool should be suggested: (such as http://www.labtestproject.com/using_windows/step_by_step_using_sha256sum_on_windows_xp.html)

Otherwise, reddit and/or forum could get inundated with posts from windows users who will report that their windows system got a compromised 13th version when they download it.

Thanks, I changed it to a built-in utility that SENPAI_NOTICES_YOU mentioned on Reddit.

Quote from: biggus dickus on August 18, 2016, 03:00:32 PM

Is Electrum still safe to use?

Probably this most recent thing doesn't change much. I consider Electrum to be reasonably safe, though not very private at all.

One way you can lose money is that the Electrum server can say that you received x BTC that you didn't really receive, and then you could irreversibly send out some product in response to this non-payment. (This might require some mining power to pull off, I'm not sure.) This is more of a threat for automated services, though.

biggus dickus

sr. member

Activity: 310

Merit: 250

Is Electrum still safe to use?

It's help window says it connects to a single server to get your transaction history, and I assume that server is backed by a single Bitcoin core node.

In addition, its help says it connects to several nodes to get the headers and uses them to verify the transaction history sent from the single server.

Even if the server and all nodes a wallet uses were compromised I can't think of a way your Bitcoins could be at risk of theft if you sign Electrum transactions offline, and only transmit them through a watching only wallet connected to the internet.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Wouldn't it be cool to have the hashes of the downloads stored in the blockchain, in such a way that Bitcoin Core 0.12.1 can be used to verify the download for version 0.13.0?
Of course an attacker could add fake hashes to the blockchain again, so it has to be done by a - somehow - trusted address.

mmgen-py

member

Activity: 110

Merit: 26

Thanks, Theymos, for the core devs' pubkeys + importing & signing instructions. I found that I also had to do a 'gpg --edit-key' on each key in question and trust it absolutely. Otherwise, 'gpg --verify' issues the following complaint:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

OmegaStarScream

staff

Activity: 3402

Merit: 6065

Quote from: ?? on ??

Quote from: theymos on August 17, 2016, 08:34:48 PM

Note that it isn't the greatest to trust random pages on the Internet when importing keys. For example, a bitcointalk.org moderator could replace the above keys with different keys that are all under his control and then post an emergency "urgent upgrade required!" link somewhere pointing to wallet-stealing malware signed by the keys that he placed here.

You could simply sign a message with one of your known public addresses, if you are concerned that a forum moderater could change your post. Sign the whole post (if a signed message that long is possible) or else only sign a message with the PGP keys.

What would that change ? even If we quote him , moderators have the ability to delete our posts. (If not edit them as well - depends on the privileges theymos gave them)

CanaryInTheMine

donator

Activity: 2352

Merit: 1060

between a rock and a block!

Quote from: theymos on August 17, 2016, 08:34:48 PM

Get the sha256 hash of the Bitcoin Core release you downloaded. On Windows, this requires an extra tool such as HashTab.

The suggested HashTab tool is not useful on Windows. If you get it and check the properties tab, the sha256 sum is not there. Either additional instructions to enable it are required or a different tool should be suggested: (such as http://www.labtestproject.com/using_windows/step_by_step_using_sha256sum_on_windows_xp.html)

Otherwise, reddit and/or forum could get inundated with posts from windows users who will report that their windows system got a compromised 13th version when they download it.

SpiryGolden

hero member

Activity: 812

Merit: 500

Quote from: theymos on August 18, 2016, 01:06:57 PM

Quote from: SpiryGolden on August 18, 2016, 01:01:54 PM

I am having a hard time to understand why 0.13.0 ? When next to release is 0.12.2 with Segwit Code. My guess is that 0.13.0 doesn't have public binaries and no yet compiled. How can a binary can be compromised in a way like that? I mean seriously they put a warning on a far in future code to be public that is under their control isn't it? This means the whole code can be compromised?

There's no flaw in 0.13.0 itself. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

I understand, thanks for explanation. So that means between the dev and hosting server a MITM might happen? And that is the warning for, in order to learn people to be more vigilant. I am correct?

theymos

administrator

Activity: 5166

Merit: 12850

Quote from: SpiryGolden on August 18, 2016, 01:01:54 PM

I am having a hard time to understand why 0.13.0 ? When next to release is 0.12.2 with Segwit Code. My guess is that 0.13.0 doesn't have public binaries and no yet compiled. How can a binary can be compromised in a way like that? I mean seriously they put a warning on a far in future code to be public that is under their control isn't it? This means the whole code can be compromised?

There's no flaw in 0.13.0 itself. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

Topic: Verifying Bitcoin Core - page 7. (Read 177719 times)