Topic: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! (Read 761 times)

For most PRNGs it is not too hard to determine the seed just from seeing the output and often the seed is big enough to avoid finding it by guessing.  For a CSPRNG you cannot find the seed from the output (because the derivation function is cryptographic) or by guessing (because the state space is too big).  This makes all the difference in the world.

There are but they're kinda dangerous.  The issue is that it's often easy for a hardware RNG to fail in a way that makes it still look random but in reality it is somewhat predictable to an attacker.  The best way to use one is to take a lot of output from one, feed it to an expensive cryptographic hash, and use the output as a seed to a CSPRNG.  if its done this way then the result will be secure so long as there was enough randomness anywhere in the data to get the CSPRNG securely seeded.

If you want to be paranoid, after starting up that CSPRNG, get randomness by xoring the CSPRNG and the hardware RNG.  So then the result is secure if either the initial seeding and CSPRNG is good enough or the hardware stream is good enough.

Not an expert in this field but from what I have read about PRNGs is that they are some sort of state machine which is seeded by some initial value, usually called a seed value. This seed value determines all future pseudo-random values that the PRNG generates based on some suitable algorithm. Same seed for the PRNG generates the same future pseudo-random number series. Therefore it is crucial to input good entropy as seed to a PRNG. Here Libbitcoin failed completely with known results.

The algorithm which generates the pseudo-random values of a PRNG should ideally have a very large periodicity and numbers generated should be evenly distributed without a bias. There has been a lot of research in this area for apparent reasons and this also determines the "quality" of a PRNG.

TL;DR Every PRNG is to my knowledge deterministic. If you know or can predict or guess the seed, you know all future pseudo-random numbers a PRNG will output. I believe this also applies to CSPRNG, but I would've to dig deeper what distinguishes a CSPRNG from a PRNG.

Never attribute something to malfeasance when it can be attributed to incompetence.
I don't think they are leaving holes in because they want to, a lot of security people even agree with me on that.

They are trying to put so much in so quickly, there is exactly 0 possibility to do all the QC needed.

One engineer lecturer said it the best. Between final tape out and production to do a full attack vector scan on something as complex as a modern processor is probably going to take 18 months. Meanwhile your competition did not bother doing that and are now 1 1/2 to 2 generations ahead of you.

Which brings us back to this. People are lazy and want it yesterday and make it quick and simple and make sure everything is perfect.
Should this code have been used. No. Should people have looked deeper. Yes. Did anyone? Well, we know the answer to that.

The more things change, the more they stay the same.

Something I have posted a few times over the years about bad chip design from decades and decades ago:


The last one takes the cake, you can make a programming mistake and damage your chip. Say what? Not overclocking, not over powering, just try to do a blank with using DMA and oops *poof*. Yet, that made it out the door.

-Dave

Don't worry, Sandy Bridge has it's own bugs and flaws, and if you apply all fixes they slow down processor speed a lot  

Sorry but you are wrong about this.
Do better research what TRUE RNG is and how it can be generated, I won't go offtopic with that anymore.

It's not that vague or hard at all... just roll casino dices enough time and you have it, and something similar can be done with hardware devices.
If something can easily be repeated and reproduced than it's not really random.

I know, and they are doing it on purpose (probably)  

Reminds me, wasn't there someone that stole a few thousand BTC a litttle less than a decade ago from Primedice that way? Fuzzy memory, but I thought they read-out the current output of "random" numbers and with this information were able to determine the seed that was used to generate these numbers. With the seed they could then predict the upcoming outputs from the RNG.

Also, aren't there Hardware-RNGs - Pokerstars for example claims/claimed to have one in use to "shuffle" their virtual cards. I think it uses radioactive decay to create this kind of true randomness.

Edit, did a little research, seems they use a LASER beam - my guess is it's actually a quantum effect, nothing to do with radioactive decay. (?)
Not too much real info here, but still entertaining: https://www.youtube.com/watch?v=-DkHzOUzDjc

Nah, Intel has been screwing up for decades. https://en.wikipedia.org/wiki/Pentium_FDIV_bug
Different world back then, but still the same problems. Big glaring issues with people trying to figure out how it made it past testing.



I do (did) have funds in cake. Finally moved them out last night. It was a non trivial amount but not enough to loose sleep over if they vanished.
But I do know several other people using it and they had no issues either. Wonder how vulnerable it really was.

I only had 2 alts in there and only only because it was the easiest one to deal with when someone wanted to pay me with an alt and it was the 1st one that looked decent. And then when someone else wanted to pay with an alt it wound up in there too.

Makes you wonder if cake is legit vulnerable how many people have some funds sitting in it for years like I did, and were planning to move them out soon. And just never did.

-Dave

you can recover the MT state from the output even if the seed is big and random.  But it takes a lot of output and bx seed only outputs a single thing then quits.

So MT with secure seeding would probably be okay in bx seed (though fishy smelling), but wouldn't be okay in some other contexts.

Personally I'd never use MT for anything these days. There are alternatives that are much faster and have better properties, even where security isn't an issue.  It's a buzzword PRNG because it came into existence a time when people were using a lot of stuff that sucked a lot worse (and maybe because it has a cool name).

Thanks for clarifying. My understanding is indeed that MT is a not CSPRNG, as it will always deterministically produce fixed numbers, but that with enough bits in the seed it is practically impossible to detect the pattern. The problem with Libbit pin is exactely the low entropy in the seed.

That might create an unhelpful equivalence.

There are CSPRNG  -- cryptographically secure pseudorandom number generators.  Once you feed in enough (say 256 bits) of genuine randomness they run deterministically and spout out as much random numbers as you want, which are generally just as good as new random values-- arguably better in that you're not exposed to a hardware trng flaking out or being slow.  Their main downside is that their state is a secret you have to protect.

Then there are non-CS PRNGs, like mersenne twister.   The output from those shouldn't be used for security relevant purposes because attackers can predict them from seeing some earlier output (or sometimes without seeing any output at all, for really bad ones).

Since bx seed just outputs a random value and quits the fact that it used MT itself wasn't really a problem, if it were seeded with enough cryptographically strong randomness the MT wouldn't have caused a practical harm in the context of bx seed.  It's the use of a 32-bits of seeding and that it came from the time rather than a source which had any chance of being secure.

Not really on modern computers-- they're equipped with a hardware TRNG.  And even without them computers with a user sitting at them have pretty good sources of timing randomness-- from keypress timings and mouse movements which the operating system records--  older hardware with no TRNG and computers with no local user are a more difficult matter.

There is nothing random in Marsenne Twister. If you feed it the same seed, you will always get the same output.
True randomness for a computer is extremely difficult and a really vague concept.

Looks like it only affects intel core 6th to 11th gen, so at least my Sandy Bridge server is not affected


A true RNG uses numbers that are created from noise entropy like from your mouse, keyboard, disk. The kernel collects the inputs and turns them into bits of entropy, which can then be read out by a true RNG function call. But if your algorithm is just generating numbers from a seed and state machine which is updated by previous numbers, then that is not secure at all.

It's really obvious in the code to anyone who reads it:

https://github.com/libbitcoin/libbitcoin-system/pull/559/commits/6d5a06e283d81260165e0eab95175069bf03b408#diff-e212c578b1951f97c871396a74c4224de9182ed922c8a95db56f995951743d17R42


        return static_cast(now.time_since_epoch().count());
        ...
        // Seed with high resolution clock.
        twister.reset(new std::mt19937(get_clock_seed()));


It says directly that it's seeded with 32 bits of a high resolution clock.

Your comment conflates two concepts:

A deterministic wallet is one that can be backed up. Without determinism your backup is invalid as soon as you send funds or generate a new address, and that is obviously pretty unsafe and impractical.  A wallet using determinism works the same as one that doesn't except backups actually work.  It's possible to footgun yourself due to backups working, but I think backups not working is a much bigger footgun as it is highly surprising.  And one should be careful to not emphasize protection against theft over protection against loss:  at the end of the day if your coins are gone they're gone and it doesn't matter if they were stolen or if you just lost them another way.  Prior to determinism wallets would contain a small buffer of pre-generated keys, which didn't make backups actually safe but made their failure modes rather weird and inexplicable.

Users handling "seeds" (or private keying material) directly, as they're forced to if they use bx explorer, is obviously dangerous even for experts (as *every* user of bx seed must have been to some extent), and that isn't anything I proposed and I've also generally cautioned against. (In fact, BIP-39 has a warning against its use written by me on its comments page, in fact.).  Sometimes the two concepts get treated as one because if every key is randomly generated then manually handling the individual keys would be very clunky and inconvenient, so any kind of user handled seed scheme will in practice also be a deterministic wallet scheme both because of that practicality and because every wallet today is (because backups exploding is not desirable!).

While I worked on Bitcoin Core it didn't implement any user handled "seed" functionality because of how error prone it is.  (Though arguably if it did some of the people who used bx seed would have been saved: had bitcoin core had this functionality it would have been reviewed and implemented correctly...)

In this case BX's only function for generating keying material was insecure, this meant any keys generated using it (be they bare private keys or BIP39 seeds) were insecure -- so I don't think you can say that determinism OR 'seeds' were particularly relevant to the risk here.

I am wondering, what is an insecure key, what does it look like, and were these compromised keys easier than our 1000 bitcoin puzzle keys?  They had to know something, was there any hint in the code itself telling you what to look for?

I wouldn't trust any wallet, open source/ closed source, reviewed by all the experts or not, you just need to flip a coin to be safe.  In general I consider deterministic wallets/ seeds a vulnerability, gmaxwell was the first dev coming up with this idea right? It's only good and safe if you know what you are doing.   Bitcoin is only good to keep if you know what you are doing, that's the reason why masses don't rush into it, because it takes time and effort to learn how to do things.

You're confusing issues.

Libbitcoin explorer was only using 32-bit timestamps to generate keys via its 'bx seed' command.

The downfall thing is an issue on some processors where if you run malicious code on a processor it can steal parts of memory from other processes.  As you note, it's a concern for shared systems like cloud deployments.  But cloud deployments have MANY serious problems and downfall is only the latest in a long series of similar issues.   Certainly a concern but far far far less of a risk than just using 32-bits to generate keys.

I saw this news few days ago, and it's not only the problem with Libbitcoin Explorer but with all devices with Intel processors.
Everyone who is using computers and laptops with Intel processor should consider their devices as not secure anymore, and I wouldn't use them as my main cold storage.
Call me conspiracy realists, but I think this flaws were intentionally there from start and they are coming from inside Intel, but AMD is probably doing something similar.

Downfall Attacks is affecting billions of modern processors and cloud computers, and this is even more dangerous:
https://downfall.page/

Anyone keeping sensitive information in cloud at this point is playing russian roulette right now.  

I don't think this is a true random generator, but I could be wrong.
This is much bigger topic and there is a big difference between pseudo-random and random number generation.

So you're basically saying that a weak random number generator such as Mersenne Twister was used for generating seed phrase entropy in Cake Wallet and Trust wallet? (!)

These projects are totally screwed. How can you use such a basic pseudorandom number generator for generating something that will store people's life savings?

Until it reaches at least $1 million, it won't appear in the mainstream media, and maybe not even then, considering that such things have become quite common in the world of cryptocurrencies. All this that is happening is just proof that no matter how safe something seems, we should always question whether there is a loophole in the system that hackers will use sooner or later.


I even have some dust in the Trust wallet, although I don't see that this altcoin is currently in danger, and even if it is, I'm somehow too lazy to send it to another wallet. I guess I apply to myself that unwritten rule "invest (or in this case save) only as much as you are ready to lose"

CoinDesk also takes up the topic again in an article: Disappearance of $900K Puts Focus on Vintage Bitcoin Project Libbitcoin


Source: Disappearance of $900K Puts Focus on Vintage Bitcoin Project Libbitcoin

According to the security firm Distrust, at least ~$900k was stolen on multiple chains.

Similar problems were also found with the two well-known multi-coin wallets Cake Wallet and Binance's Trust Wallet. Especially Trust Wallet in particular is likely to be used by many forum members due to its aggressive marketing by Binance. Another reason to withdraw your coins from any Binance product.

As John Wick would say, "Everything has a price."

Yes.

Cannot is a little strong, but it would be slightly surprising.  OTOH, it would be less surprising than the original error in libbitcoin explorer itself.

I could imagine some web service wallet thing using it on the backend but it would be an odd choice... or managing to copy the vulnerable code into other software though there was nothing subtle about it.

I am not familiar with this tool, so maybe ththis is a stupid question: Do we know if the Libbitcoin explorer wallet (seed) generation method was utilized by any mobile or desktop wallets?
Or is this just a tool you use similar to a paper-wallet generator and cannot be included as part of code for a wallet project?

I would be careful about assuming this was the only flaw.

it's hard to square that with the current position that there isn't even a bug and that it's working as designed.

This is an interesting theory:



The images are the following:

	Yamane_Keto sr. member Activity: 406 Merit: 443 Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 10:18:33 AM #15 Quote from: Artemis3 on August 10, 2023, 09:33:30 AM The question is related to the title of this thread: Wallets (seed words) created with libbitcoin (which wallets?) You will find the list with a wiki link https://en.bitcoin.it/wiki/Libbitcoin Quote Projects Using Libbitcoin Airbitz Bitprim Cancoin Chip-Chap Darkleaks Darkwallet Darkmarket Mastering_Bitcoin Metaverse OpenBazaar Teechan Most of these projects are dead or have been renamed, for example Airbitz has been renamed to EdgeApp and you will find Libbitcoin https://github.com/EdgeApp/libbitcoin-client otherwise popular wallets do not use Libbitcoin Artemis3 legendary Activity: 1988 Merit: 1561 CLEAN non GPL infringing code made in Rust lang Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 09:33:30 AM #14 So, the Milk Sad announcement is nice and all, but which projects have this libbitcoin dependency? Leaving closed wallets aside, shouldn't there be a list of affected programs so that people can take measures? I imagine a security patch and recompile would be needed too. The question is related to the title of this thread: Wallets (seed words) created with libbitcoin (which wallets?) Yamane_Keto sr. member Activity: 406 Merit: 443 Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 08:23:17 AM #13 Quote from: digaran on August 09, 2023, 07:07:05 PM Are there any educational articles on the security of wallets/ tools and anything related to private keys on this forum? For ordinary users, well they don't know how to review the code if the code is available. You can start with this topic https://bitcointalksearch.org/topic/--5316005 It explains well the concept of the private key and the entropy behind it, there are some videos in YouTube but they go into the details without giving a background. Quote from: Pmalek on August 10, 2023, 03:00:47 AM What crypto wallets use this library? at some time https://openbazaar.org and Cody Wilson & @genjix DarkWallet (no longer working now) was using it. I don't know if there is any new wallet uses this library, but I wouldn't be surprised if one of the closed source wallets used it. NotATether legendary Activity: 1568 Merit: 6660 bitcoincleanup.com / bitmixlist.org Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 08:19:13 AM #12 Quote from: Pmalek on August 10, 2023, 08:16:01 AM Quote from: NotATether on August 10, 2023, 07:12:23 AM Regarding the second part, the bx seed instructions and appendix in the book was a pull request by a libbitcoin developer in 2015. At the time, it did not use a pseudorandom generator. But about a year later, they changed it, which unfortunately was soon after the book was published. Nobody has audited libbitcoin explorer for security weaknesses previously as far as I know. So, would it be fair to say that the vulnerability where you could generate a seed using weak and not random enough entropy was there from 2016 at earliest? I am asking because according to the report, the first misuses are believed to have been recorded in May 2023. If it was there for such a long time before someone figured out what they could do with it, it's quite positive that they figured out what was wrong. Additionally, it's share luck that someone didn't understand how to abuse it earlier or they did but no one knew about it. Certainly! With reservations though, because depending on the operating system, there is a chance that even older versions of bx seed are using unsafe random number generators (this is because previously it was using std::random_device which in turn uses the OS random number generator). Apparently, nobody figured out that this new code could be exploited until a few months ago. Pmalek legendary Activity: 2730 Merit: 7065 Farewell, Leo. You will be missed! Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 08:16:01 AM #11 Quote from: NotATether on August 10, 2023, 07:12:23 AM Regarding the second part, the bx seed instructions and appendix in the book was a pull request by a libbitcoin developer in 2015. At the time, it did not use a pseudorandom generator. But about a year later, they changed it, which unfortunately was soon after the book was published. Nobody has audited libbitcoin explorer for security weaknesses previously as far as I know. So, would it be fair to say that the vulnerability where you could generate a seed using weak and not random enough entropy was there from 2016 at earliest? I am asking because according to the report, the first misuses are believed to have been recorded in May 2023. If it was there for such a long time before someone figured out what they could do with it, it's quite positive that they figured out what was wrong. Additionally, it's share luck that someone didn't understand how to abuse it earlier or they did but no one knew about it. NotATether legendary Activity: 1568 Merit: 6660 bitcoincleanup.com / bitmixlist.org Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 07:12:23 AM #10 Quote from: Pmalek on August 10, 2023, 06:58:36 AM Quote from: NotATether on August 10, 2023, 03:54:40 AM As we speak, I am looking at the codebase of bx and it has an AGPL v3+ license, so yes it is open-source Do we know of any security experts or companies that have reviewed that open-source code and given it thumbs up as being safe with strong-enough entropy generation? It's too bad that Andreas recommended or talked about this Bitcoin library in his Mastering Bitcoin book. I wonder how long it was out there before someone realized how it can be exploited...  Regarding the second part, the bx seed instructions and appendix in the book was a pull request by a libbitcoin developer in 2015. At the time, it did not use a pseudorandom generator. But about a year later, they changed it, which unfortunately was soon after the book was published. Nobody has audited libbitcoin explorer for security weaknesses previously as far as I know. Pmalek legendary Activity: 2730 Merit: 7065 Farewell, Leo. You will be missed! Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 06:58:36 AM #9 Quote from: NotATether on August 10, 2023, 03:54:40 AM As we speak, I am looking at the codebase of bx and it has an AGPL v3+ license, so yes it is open-source Do we know of any security experts or companies that have reviewed that open-source code and given it thumbs up as being safe with strong-enough entropy generation? It's too bad that Andreas recommended or talked about this Bitcoin library in his Mastering Bitcoin book. I wonder how long it was out there before someone realized how it can be exploited...  NotATether legendary Activity: 1568 Merit: 6660 bitcoincleanup.com / bitmixlist.org Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 06:33:33 AM #8 Quote from: ?? on ?? I already know libbitcoin has some problem/limitation, but i would never expect it used weak entropy. Quote from: NotATether on August 10, 2023, 03:54:40 AM EDIT: I give up. The build system used by libbitcoin-explorer is extremely convoluted, requires a C++20 compiler, at least Boost 1.76 (this is later than what Ubuntu 22.04 has), and works via a script "install.sh", instead of normal CMake or Automake, and trying to circumvent all these limitations by using containers has so far lead to all kinds of build configuration errors. IMO it's good thing you give up early. Based on my short experience, libbitcoin is one of least friendly full node implementation where i also had difficulty to compile[1] and also prone to corruption[2]. [1] https://bitcointalksearch.org/topic/m.56770963 [2] https://bitcointalksearch.org/topic/m.56832879 Regarding your second link: It's been years and still version4 (what master branch points to) is still unfinished and hence non-functional. Obelisk has also been discontinued apparently in order to develop libbitcoin-server, and 80% of the libbitcoin repositories are all broken with the message: "Please use version 3 branch instead". Last commit to most of these repos was on May 9. So yeah, it seems more and more like vaporware with every passing day. NotATether legendary Activity: 1568 Merit: 6660 bitcoincleanup.com / bitmixlist.org Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 03:54:40 AM #7 Quote from: Pmalek on August 10, 2023, 03:00:47 AM Quote from: digaran on August 09, 2023, 07:07:05 PM One other thing is educating people to never use closed source tools to generate private keys. I don't know much about Libbitcoin or under what license the code was released, but I was under the impression that we are talking about a publicly verifiable library of tools for the Bitcoin blockchain. Was the code not publicly available for scrutiny? The source says the first thefts started occurring in May 2023, but how long was the software available in that form before someone found out how to exploit it? What crypto wallets use this library? As we speak, I am looking at the codebase of bx and it has an AGPL v3+ license, so yes it is open-source: Code: /**  * Copyright (c) 2011-2022 libbitcoin developers (see AUTHORS)  *  * This file is part of libbitcoin.  *  * This program is free software: you can redistribute it and/or modify  * it under the terms of the GNU Affero General Public License as published by  * the Free Software Foundation, either version 3 of the License, or  * (at your option) any later version.  *  * This program is distributed in the hope that it will be useful,  * but WITHOUT ANY WARRANTY; without even the implied warranty of  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the  * GNU Affero General Public License for more details.  *  * You should have received a copy of the GNU Affero General Public License  * along with this program.  If not, see .  */ EDIT: I give up. The build system used by libbitcoin-explorer is extremely convoluted, requires a C++20 compiler, at least Boost 1.76 (this is later than what Ubuntu 22.04 has), and works via a script "install.sh", instead of normal CMake or Automake, and trying to circumvent all these limitations by using containers has so far lead to all kinds of build configuration errors. It looks like "bx seed" was really intended to be NOT SECURE AT ALL, so why the hell didn't they make an announcement about that when they made the change? Pmalek legendary Activity: 2730 Merit: 7065 Farewell, Leo. You will be missed! Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 03:00:47 AM #6 Quote from: digaran on August 09, 2023, 07:07:05 PM One other thing is educating people to never use closed source tools to generate private keys. I don't know much about Libbitcoin or under what license the code was released, but I was under the impression that we are talking about a publicly verifiable library of tools for the Bitcoin blockchain. Was the code not publicly available for scrutiny? The source says the first thefts started occurring in May 2023, but how long was the software available in that form before someone found out how to exploit it? What crypto wallets use this library? NotATether legendary Activity: 1568 Merit: 6660 bitcoincleanup.com / bitmixlist.org Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 10, 2023, 02:20:40 AM #5 Any chance that somebody can create a stopgap version of libbitcoin explorer with a secure random number generator, just so that book authors and other website portals have an alternate version of 'bx' to point to instead? (although if we do go that route I fear the situation will be similar to that of chrome extensions such as The Great Suspender and Tab Auto Refresh who sold out to malicious buyers and now there's 5 clones of them in the Chrome Web Store, each of which may or may not also be malicious.) digaran copper member Activity: 1330 Merit: 899 🖤😏 Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 09, 2023, 07:07:05 PM #4 Are there any educational articles on the security of wallets/ tools and anything related to private keys on this forum? For ordinary users, well they don't know how to review the code if the code is available. One other thing is educating people to never use closed source tools to generate private keys. Also, what are the most secure and properly reviewed tools good for cryptography use? They all should be listed and updated somewhere like in a book or a site, wait this bx was in a book which everyone kept using as a reference for newbies. What an irony! gmaxwell staff Activity: 4158 Merit: 8382 Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 09, 2023, 05:56:26 PM #3 You should never have used any closed source wallet-- but being open source is not enough. In this case the rng was replaced with an obviously broken toy and no one noticed because the project has no reviewers. Some extra relevant links: https://github.com/libbitcoin/libbitcoin-system/pull/559 The pull request adding the vulnerability, the lack of review or collaboration is worth noticing. The prior code was already dubious in that AFAIK std::random_device library doesn't promise that the randomness is suitable for cryptography. I believe on common systems where this code was run the old code was not likely to be exploitable, but I wouldn't bet my money on it. https://twitter.com/evoskuil/status/1688657656620167169 Developer commentary on this issue. I can't figure out what "long-documented intended usage" a seed command that mandates 128-bits of output but never has more than 32-bits of entropy would have. https://archive.is/A7Jn6 The documentation the tweet references. I don't know how the 'Pseudorandom seeding' warning there would be distinguishable from warnings against CSPRNGs in favor of dice rolls or whatever, perhaps this is an example of the harm that chicken-little crying about CSPRNGS causes. Nor can I figure out for whose convenience this function would serve except attackers. In any case, this is the only place I found any kind of warning and the warning postdates the mastering bitcoin usage (as well as the change that made the command unconditionally unsafe). https://archive.is/HDe8h Current libbitcoin-explorer instructions telling users to use the seed command to generate private keys. https://archive.is/fhm5J#selection-12915.2-12915.10 Current libbitcoin-explorer instructions telling users to use the seed command to generate BIP39 seeds (also private keys). https://archive.is/PWLKJ Current libbitcoin-explorer documentation on randomness noting that bx seed is the ONLY source of randomness available to users in the package, and that all other commands that need randomness require the user to provide it. It also notes that 'bx seed' will not function if less than 128-bits are requested. The private key and bip39 seed usage (above) sure appears to be the "intended usage" in their documentation, but the "bx seed" function as currently implemented (since 2016) is unambiguously not fit for those purpose. Yamane_Keto sr. member Activity: 406 Merit: 443 Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 09, 2023, 10:32:33 AM #2 This looks very interesting, restricts the entropy from 128/256 bits to 32 bits. I wouldn't be surprised if this was the reason for hacking some closed source wallets like Atomic Wallet, and I wouldn't be surprised if they were using deterministic random number generators. I think we have enough reasons to stop using closed source wallets because we don't know exactly what updates they make and whether they check entropy is really random or they rely on outdated libraries for PRNG. cygan legendary Activity: 3122 Merit: 7618 Cashback 15% Re: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! August 09, 2023, 09:55:24 AM #1 Bitcoin wallets created with the so-called Libbitcoin explorer are very insecure due to a cryptographically poorly implemented random number generator and should be cleared as soon as possible. the Libbitcoin explorer, more commonly known by its abbreviation 'bx', is a handy tool for the command line, with all sorts of functions for Bitcoin key and wallet management. among them is the ability to use the 'bx' seed command to create a supposedly secure new wallet with 12 or 24 recovery words. Libbitcoin explorer is best known for its prominent mention in the technical Bitcoin book 'Mastering Bitcoin' written by author Andreas M. Antonopoulos. an entire article is dedicated to how the tool works and how to use it. David A. Harding, who is busy writing the revised and third edition of this book, sent the following tweet about it today: https://twitter.com/hrdng/status/1689022029142560771 under the following link you can find more information about the vulnerability: https://milksad.info/ Pages: Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software Jump to: Please select a destination: Bitcoin => Bitcoin Discussion ===> Legal ===> Press ===> Meetups ===> Important Announcements => Development & Technical Discussion ===> Wallet software =====> Electrum =====> Bitcoin Wallet for Android =====> BitcoinJ =====> Armory =====> Mycelium =====> Hardware wallets => Bitcoin Technical Support => Project Development => Mining ===> Mining support ===> Pools ===> Mining software (miners) ===> Hardware =====> Group buys ===> Mining speculation Economy => Economics ===> Speculation => Marketplace ===> Currency exchange ===> Gambling =====> Games and rounds =====> Investor-based games =====> Gambling discussion ===> Lending =====> Long-term offers ===> Securities ===> Auctions ===> Service Announcements =====> Micro Earnings ===> Service Discussion =====> Web Wallets =====> Exchanges ===> Goods =====> Computer hardware =====> Digital goods =======> Invites & Accounts =====> Collectibles ===> Services => Trading Discussion ===> Scam Accusations ===> Reputation Other => Meta ===> New forum software ===> Bitcoin Wiki => Beginners & Help => Off-topic => Serious discussion ===> Ivory Tower => Archival ===> Chinese students ===> Obsolete (buying) ===> Obsolete (selling) ===> MultiBit ===> CPU/GPU Bitcoin mining hardware ===> Корзина => Politics & Society Alternate cryptocurrencies => Altcoin Discussion => Announcements (Altcoins) ===> Tokens (Altcoins) => Mining (Altcoins) ===> Pools (Altcoins) => Marketplace (Altcoins) ===> Service Announcements (Altcoins) ===> Service Discussion (Altcoins) ===> Bounties (Altcoins) => Speculation (Altcoins) Local => العربية (Arabic) ===> العملات البديلة (Altcoins) =====> النقاشات ===> إستفسارات و أسئلة المبتدئين ===> التعدين ===> النقاشات الأخرى ===> منصات التبادل => Bahasa Indonesia (Indonesian) ===> Mining (Bahasa Indonesia) ===> Altcoins (Bahasa Indonesia) ===> Trading dan Spekulasi ===> Ekonomi, Politik, dan Budaya ===> Topik Lainnya ===> Marketplace (Bahasa Indonesia) => 中文 (Chinese) ===> 跳蚤市场 ===> 山寨币 ===> 媒体 ===> 挖矿 ===> 离题万里 => Hrvatski (Croatian) ===> Trgovina ===> Altcoins (Hrvatski) =====> Announcements (Hrvatski) ===> Off-topic (Hrvatski) => Français ===> Vos sites et projets ===> Hors-sujet ===> Actualité et News ===> Débutants ===> Discussions générales et utilisation du Bitcoin ===> Mining et Hardware ===> Économie et spéculation ===> Place de marché =====> Produits et services =====> Petites annonces =====> Échanges ===> Le Bitcoin et la loi ===> Wiki, documentation et traduction ===> Développement et technique ===> Altcoins (Français) =====> Annonces => India ===> Mining (India) ===> Marketplace (India) ===> Regional Languages (India) ===> Press & News from India ===> Alt Coins (India) ===> Buyer/ Seller Reputations (India) ===> Off-Topic (India) => Italiano (Italian) ===> Guide (Italiano) ===> Progetti ===> Discussioni avanzate e sviluppo ===> Trading, analisi e speculazione ===> Mercato =====> Mercato valute =====> Beni =====> Servizi =====> Esercizi commerciali =====> Hardware/Mining (Italiano) =====> Gambling (Italiano) ===> Accuse scam/truffe ===> Mining (Italiano) ===> Alt-Currencies (Italiano) =====> Annunci ===> Raduni/Meeting (Italiano) ===> Crittografia e decentralizzazione ===> Off-Topic (Italiano) => Nederlands (Dutch) ===> Markt ===> Gokken/lotterijen ===> Mining (Nederlands) ===> Beurzen ===> Alt Coins (Nederlands) ===> Off-topic (Nederlands) ===> Meetings (Nederlands) => 한국어 (Korean) ===> 대체코인 Alt Coins (한국어) => Русский (Russian) ===> Новички ===> Бизнес =====> Барахолка =====> Обменники ===> Идеи ===> Кодеры ===> Майнеры ===> Политика ===> Трейдеры ===> Альтернативные криптовалюты =====> Токены =====> Бayнти и aиpдpoпы ===> Хайпы ===> Работа ===> Разное ===> Oбcyждeниe Bitcoin =====> Новости =====> Юристы => Română (Romanian) ===> Anunturi importante ===> Presa ===> Offtopic ===> Market =====> Discutii Servicii ===> Minerit ===> Tutoriale ===> Bine ai venit! ===> Altcoins (Monede Alternative) =====> Anunturi Monede Alternative => Skandinavisk => Türkçe (Turkish) ===> Bitcoin Haberleri ===> Ekonomi ===> Servisler =====> Fonlar ===> Alternatif Kripto-Paralar =====> Madencilik (Alternatif Kripto-Paralar) =====> Duyurular (Alternatif Kripto-Paralar) ===> Pazar Alanı ===> Madencilik ===> Proje Geliştirme ===> Konu Dışı ===> Yeni Başlayanlar & Yardım ===> Buluşmalar => Português (Portuguese) ===> Primeiros Passos (Iniciantes) ===> Economia & Mercado ===> Criptomoedas Alternativas ===> Brasil ===> Portugal ===> Mineração em Geral ===> Desenvolvimento & Discussões Técnicas => עברית (Hebrew) => Pilipinas ===> Altcoins (Pilipinas) =====> Altcoin Announcements (Pilipinas) ===> Pamilihan ===> Others (Pilipinas) => 日本語 (Japanese) ===> アルトコイン => Español (Spanish) ===> Mercado y Economía =====> Servicios =====> Trading y especulación ===> Hardware y Minería ===> Esquina Libre ===> Mercadillo =====> Mexico =====> Argentina =====> Centroamerica y Caribe =====> España ===> Primeros pasos y ayuda ===> Altcoins (criptomonedas alternativas) =====> Servicios =====> Minería de altcoins =====> Tokens (Español) => Deutsch (German) ===> Mining (Deutsch) ===> Trading und Spekulation ===> Projektentwicklung ===> Off-Topic (Deutsch) ===> Treffen ===> Presse ===> Altcoins (Deutsch) =====> Announcements (Deutsch) ===> Marktplatz =====> Auktionen =====> Suche =====> Biete ===> Anfänger und Hilfe => Ελληνικά (Greek) ===> Αγορά ===> Mining Discussion (Ελληνικά) ===> Altcoins (Ελληνικά) =====> Altcoin Announcements (Ελληνικά) =====> Altcoin Mining (Ελληνικά) => Other languages/locations => Polski ===> Tablica ogłoszeń ===> Alternatywne kryptowaluty =====> Nowe kryptowaluty i tokeny =====> Tablica ogłoszeń (altcoiny) => Nigeria (Naija) ===> Politics and society (Naija) ===> Off-topic (Naija) go