Pages:
Author

Topic: Verifying Bitcoin Core - page 7. (Read 206038 times)

legendary
Activity: 1049
Merit: 1009
TRX: TCRKDukYt2zDie9vJDhToKrP3tyTV29U48
August 24, 2016, 12:08:50 AM
#37
What does it mean the sentences of "Be extra vigilant when downloading binaries from our website for the upcoming 0.13.0 release". I found on https://bitcoin.org/en/download

what happens with bitcoin core 0.13?  why we must be vigilant

full member
Activity: 182
Merit: 100
August 23, 2016, 02:50:02 PM
#36
What I want to know is, what "State" is sponsoring this malicious attack? Is it China? The USA? I would imagine a collective of countries conversing on this and funding the attackers with Bitcoin, since fiat is so traceable nowadays.

I think he found direct evidence of GFW doing a DNS MITM for bitcoin.org.  That to me is the most reasonable and most likely explanation.  Sure it could be another state sponsored attack, but all the other major state players just ban it and make it unpopular and whatnot.  China's the only one to just implement technical measures first and do other stuff later.  I think the GFW got updated to redirect bitcoin.org traffic.

This is of course entirely speculation without any shred of merit.

Can you tell me what GFW is? I may know what it is, but I do not know that acronym. Apologies for my ignorance and thank you for the information.
hero member
Activity: 1652
Merit: 593
August 23, 2016, 02:48:34 PM
#35
Thankyou Sir for this helpful information...
legendary
Activity: 1188
Merit: 1001
August 22, 2016, 03:48:19 PM
#34
i'm no expert but something like this can be used to certify the files for the wallets, even the code on github, the only problem is that need a source that certify the files are originals :

https://eternitywall.it/notarize


legendary
Activity: 3220
Merit: 1363
www.Crypto.Games: Multiple coins, multiple games
August 20, 2016, 03:24:55 PM
#33
This post is very important in order to stay safe on the Bitcoin network. I've heard that soon we'll be getting the Seg Wit protocol so it will be a major improvement towards helping Bitcoin reach mainstream status. Scalability and security is the most important thing here so I hope that with Seg Wit we could finally get somewhere.  Cheesy
legendary
Activity: 1161
Merit: 1001
Don`t invest more than you can afford to lose
August 20, 2016, 01:23:48 PM
#32
Thanks for the heads up!
full member
Activity: 171
Merit: 100
August 19, 2016, 07:28:20 AM
#31
a very important post, thanks.
legendary
Activity: 2422
Merit: 1451
Leading Crypto Sports Betting & Casino Platform
August 19, 2016, 04:43:56 AM
#30
The news about the announcement spread like wildfire...
hero member
Activity: 793
Merit: 1026
August 19, 2016, 03:51:25 AM
#29
Is Electrum still safe to use?

Electrum is no more or less safe than it has always been.  You should of course be PGP verifying your Electrum downloads.

Animazing's key is 9914864DFC33499C6CA2BEEA22453004695506FD, and Thomas V's key is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.
hero member
Activity: 793
Merit: 1026
August 19, 2016, 03:48:54 AM
#28
What I want to know is, what "State" is sponsoring this malicious attack? Is it China? The USA? I would imagine a collective of countries conversing on this and funding the attackers with Bitcoin, since fiat is so traceable nowadays.

I think he found direct evidence of GFW doing a DNS MITM for bitcoin.org.  That to me is the most reasonable and most likely explanation.  Sure it could be another state sponsored attack, but all the other major state players just ban it and make it unpopular and whatnot.  China's the only one to just implement technical measures first and do other stuff later.  I think the GFW got updated to redirect bitcoin.org traffic.

This is of course entirely speculation without any shred of merit.
jr. member
Activity: 33
Merit: 1
August 18, 2016, 10:58:16 PM
#27
My thoughts about hash storage and actual storage of the sig's and software aren't fully articulated, but I understand they are separate and would need to be considered separately, though that's not to say a data storage model couldn't have a built-in hash storage/verification model as well. I just understand that space usage is an important consideration in a decentralized model that you want to keep as decentralized as possible. Thanks for reading my ramblings Smiley
jr. member
Activity: 33
Merit: 1
August 18, 2016, 10:52:11 PM
#26

...

PGP has the concept of a "PGP Web of Trust" that people are theoretically supposed to use to prevent this sort of thing, but it's complicated and doesn't work very well, so pretty much no one actually uses it. ...



Thanks for the info Theymos, very in-depth and helpful.

I hope this isn't too far off topic but, related to the quote above, I've been thinking about the concept of a 'web of trust' and how bitcoin and the p2p blockchain are basically exactly that, it's a currency whose veracity is enforced by a web of trust (among other things of course, but nodes operate on a similar concept I believe, of course they rely on a percentage of participators to be rationally motivated to be good players).

I've also been thinking of a post I just read by u/cannon-c on r/bitcoin about the need to decentralize data (such as the bitcoin repository, and any important open-source repository).

It seems that both of those things (gpg signature storage and open-source software repositories) could benefit from a decentralized p2p storage model, and possibly the security of being written to a/the blockchain (side-chains come to mind, but I'm by no means a programmer so could be off in my expectations there).

In any case, taking Namecoin as an example, I think open-source software and signature repositories are the exact kind of things that could benefit from bitcoin's model.

I'm truly a noob so there could be things I'm not considering. Thanks for any thoughts you have

hero member
Activity: 926
Merit: 1001
weaving spiders come not here
August 18, 2016, 06:28:47 PM
#25
Thank you for this valuable information.
administrator
Activity: 5222
Merit: 13032
August 18, 2016, 03:09:19 PM
#24
The suggested HashTab tool is not useful on Windows.  If you get it and check the properties tab, the sha256 sum is not there.  Either additional instructions to enable it are required or a different tool should be suggested: (such as http://www.labtestproject.com/using_windows/step_by_step_using_sha256sum_on_windows_xp.html)

Otherwise, reddit and/or forum could get inundated with posts from windows users who will report that their windows system got a compromised 13th version when they download it.

Thanks, I changed it to a built-in utility that SENPAI_NOTICES_YOU mentioned on Reddit.

Is Electrum still safe to use?

Probably this most recent thing doesn't change much. I consider Electrum to be reasonably safe, though not very private at all.

One way you can lose money is that the Electrum server can say that you received x BTC that you didn't really receive, and then you could irreversibly send out some product in response to this non-payment. (This might require some mining power to pull off, I'm not sure.) This is more of a threat for automated services, though.
sr. member
Activity: 310
Merit: 250
August 18, 2016, 02:00:32 PM
#23
Is Electrum still safe to use?

It's help window says it connects to a single server to get your transaction history, and I assume that server is backed by a single Bitcoin core node.

In addition, its help says it connects to several nodes to get the headers and uses them to verify the transaction history sent from the single server.

Even if the server and all nodes a wallet uses were compromised I can't think of a way your Bitcoins could be at risk of theft if you sign Electrum transactions offline, and only transmit them through a watching only wallet connected to the internet.



legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
August 18, 2016, 02:00:06 PM
#22
Wouldn't it be cool to have the hashes of the downloads stored in the blockchain, in such a way that Bitcoin Core 0.12.1 can be used to verify the download for version 0.13.0?
Of course an attacker could add fake hashes to the blockchain again, so it has to be done by a - somehow - trusted address.
member
Activity: 111
Merit: 26
August 18, 2016, 01:47:18 PM
#21
Thanks, Theymos, for the core devs' pubkeys + importing & signing instructions.  I found that I also had to do a 'gpg --edit-key' on each key in question and trust it absolutely.  Otherwise, 'gpg --verify' issues the following complaint:

   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
staff
Activity: 3500
Merit: 6152
August 18, 2016, 01:34:21 PM
#20

Note that it isn't the greatest to trust random pages on the Internet when importing keys. For example, a bitcointalk.org moderator could replace the above keys with different keys that are all under his control and then post an emergency "urgent upgrade required!" link somewhere pointing to wallet-stealing malware signed by the keys that he placed here.

You could simply sign a message with one of your known public addresses, if you are concerned that a forum moderater could change your post. Sign the whole post (if a signed message that long is possible) or else only sign a message with the PGP keys.

What would that change ? even If we quote him , moderators have the ability to delete our posts. (If not edit them as well - depends on the privileges theymos gave them)
donator
Activity: 2352
Merit: 1060
between a rock and a block!
August 18, 2016, 01:09:10 PM
#19
Get the sha256 hash of the Bitcoin Core release you downloaded. On Windows, this requires an extra tool such as HashTab.

The suggested HashTab tool is not useful on Windows.  If you get it and check the properties tab, the sha256 sum is not there.  Either additional instructions to enable it are required or a different tool should be suggested: (such as http://www.labtestproject.com/using_windows/step_by_step_using_sha256sum_on_windows_xp.html)

Otherwise, reddit and/or forum could get inundated with posts from windows users who will report that their windows system got a compromised 13th version when they download it.
hero member
Activity: 812
Merit: 500
August 18, 2016, 12:23:34 PM
#18
I am having a hard time to understand why 0.13.0 ? When next to release is 0.12.2 with Segwit Code. My guess is that 0.13.0 doesn't have public binaries and no yet compiled. How can a binary can be compromised in a way like that? I mean seriously they put a warning on a far in future code to be public that is under their control isn't it? This means the whole code can be compromised?

There's no flaw in 0.13.0 itself. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

I understand, thanks for explanation. So that means between the dev and hosting server a MITM might happen? And that is the warning for, in order to learn people to be more vigilant. I am correct?
Pages:
Jump to: