Pages:
Author

Topic: what is the "scratch"? it's FUD or truth? - page 2. (Read 4340 times)

legendary
Activity: 1652
Merit: 2311
Chief Scientist
maybe you can explain the justification for not encrypting the wallet by default?

Here's the thinking:

Joe Random User finds out about bitcoin, and decides "what the heck, I'll check it out."

They run it.  First thing it does is ask him for a passphrase, with tons of "DO NOT FORGET YOUR PASSPHRASE" and/or "CHOOSE A LONG PASSPHRASE" warnings.  What does he do?  Many users will either:

1. Type "passphrase".

or

2. Bang on the keyboard to create a long, random passphrase: "b;lkaj425[09234kjvfda,nvfd;nkj34toht4"

He gets a little coin from the Faucet, writes me an email asking when they will arrive (because he hasn't yet downloaded the entire blockchain and didn't bother to read the information about that on the Faucet's "Sent!" page), and then shuts down the client.

Time passes.  Eventually the Faucet coins show up.

He decides Bitcoin really doesn't suck as much as he first thought, so he decides to buy some Bitcoin on Mt. Gox.

Time passes while Dwolla verifies his bank account and stuff.

Then he buys Bitcoin, and manages to send them and see them show up in his running Bitcoin.

Yay!

Time passes.  He decides he wants to spend the Bitcoin, and now he has to enter the passphrase that he set a week or three ago.  But back then, wallet security wasn't at all important to him.  He didn't have an Bitcoins to keep secure.

So either he forgot that his passphrase is "passphrase" or he remembers that he typed a bunch or random letters just so he could get past that annoying "enter passphrase" dialog box so he could just try the damn thing.

In short: wallet encryption is not the default because the right time to enter a passphrase to encrypt the wallet is when you KNOW that the wallet is valuable, and will take the steps necessary to protect it.
member
Activity: 84
Merit: 10
i'm sorry if expecting the most security possibly from a piece of financial software is a bore to you.
Actually, it is already available - run it in Linux, where viruses are statistically less prevalent, and you are automagically protected against several attack vectors. If you can't detect the keylogger until it grabs your password, it is already too late.

maybe you can explain the justification for not encrypting the wallet by default?

and while i understand what your saying, the worm was identified and antivirus definitions updated to deal with it.  if you hadn't input your password between infection and identification/update, then you wouldn't have lost any coins.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
i'm sorry if expecting the most security possibly from a piece of financial software is a bore to you.
Actually, it is already available - run it in Linux, where viruses are statistically less prevalent, and you are automagically protected against several attack vectors. If you can't detect the keylogger until it grabs your password, it is already too late.
member
Activity: 84
Merit: 10
Copying a file on a computer is not Bitcoin weakness. It's user fault for having an infected computer.

If my computer is infected everything is weak, i type a password and the virus read it for example.

the fact that the official bitcoin client stores the wallet in a vulnerable manner by default is indeed a weakness.
So since the password for an encrypted wallet can be grabbed by a keylogger, that is a vulnerability caused by the core dev team in the official client? Honestly, you bore me.

i'm sure you can see the difference between offering no protection, and offering the best protection you can reasonably be expected to offer.

inorder for the keylogger to be effective, it would have to remain undetected on the infected system until the person used their private key.  the fact that not everyone inputs their private key often, would allow time for detection and sanitation.  i'm sure many of the wallets that were stolen would have been saved if encryption was in place by default.

i'm sorry if expecting the most security possibly from a piece of financial software is a bore to you.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Copying a file on a computer is not Bitcoin weakness. It's user fault for having an infected computer.

If my computer is infected everything is weak, i type a password and the virus read it for example.

the fact that the official bitcoin client stores the wallet in a vulnerable manner by default is indeed a weakness.
So since the password for an encrypted wallet can be grabbed by a keylogger, that is a vulnerability caused by the core dev team in the official client? Honestly, you bore me.
member
Activity: 84
Merit: 10
Copying a file on a computer is not Bitcoin weakness. It's user fault for having an infected computer.

If my computer is infected everything is weak, i type a password and the virus read it for example.

the fact that the official bitcoin client stores the wallet in a vulnerable manner by default is indeed a weakness.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Copying a file on a computer is not Bitcoin weakness. It's user fault for having an infected computer.

If my computer is infected everything is weak, i type a password and the virus read it for example.
member
Activity: 84
Merit: 10
Quote
Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.
Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  Roll Eyes And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

you could argue that the worm stealing wallets was a direct attack on bitcoin.
They didn't break the protocol.

no, but they exposed a weakness in the default client which is provided by the core dev team.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Quote
Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.
Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  Roll Eyes And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

you could argue that the worm stealing wallets was a direct attack on bitcoin.
They didn't break the protocol.
member
Activity: 84
Merit: 10
Quote
Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.
Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  Roll Eyes And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make

you could argue that the worm stealing wallets was a direct attack on bitcoin.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Quote
Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.
Lol i missed that before.

Bitcoin has been the victim? Didn't know linode=bitcoin.  Roll Eyes And they want to find weaknesses in SHA256? Maybe it's SHA256 but they refer to AES seeing the mistakes they make
member
Activity: 84
Merit: 10
the guy himself said its just a scratch in the paint, not a deep rooted issue.
hero member
Activity: 714
Merit: 500
I guess the "vulnerability" of SHA256 may refers to BIP30 -- the same tx hash.


A Big Finding.
hero member
Activity: 714
Merit: 500
WangXiaoYun(王小云) uses 10 years to find the vulnerability of MD5 and SHA-1

This guy cracks SHA256, HE must be another WangXiaoYun!


donator
Activity: 826
Merit: 1060
why are so many so quick to write this off?  just because he works for a bank?
We are writing off this "news", because there isn't any news. At this point he's just pimping his conference presentation.

If he announces anything substantial, we can consider it on its merits.
hero member
Activity: 798
Merit: 1000
Also I love the " protect currency as valuable and widespread as Bitcoin."  Smiley

..

How exactly does he know Bitcoin has been a victim?  Unless he is talking about things like DDOS and thefts which have nothing to do with the vulnerability?

Hmm... Either he is full of shit trying to pump up his presentation ahead of the conference or his is the single most unethical cryptographer on the planet.

I love how on one hand you love what he said, then one sentence later you turn into a raving, rabid bitcoiner.

Obviously he was referring to other attacks. Does he really need to spell this out?
donator
Activity: 1218
Merit: 1079
Gerald Davis
Quote
Frans Lategan, who will be one of the expert speakers at the annual ITWeb Security Summit, in May, says he will reveal for the first time at the Summit newly-discovered weaknesses in the gold standard cryptography.  Describing the vulnerabilities as “scratches in the paintwork, rather than a train smash”, Lategan says his findings nevertheless indicate that vulnerabilities can exist even in trusted algorithms in use to protect currency as valuable and widespread as Bitcoin.

Ok so it is only academic.  Obviosuly one wouldn't wait 2+ months to release findings on a flaw unless it is minor ...

Also I love the " protect currency as valuable and widespread as Bitcoin."  Smiley

Quote
Lategan explains that Bitcoin, a fast-growing global digital currency that resides solely in the cloud, has already been the victim of attacks.

How exactly does he know Bitcoin has been a victim?  Unless he is talking about things like DDOS and thefts which have nothing to do with the vulnerability?

Hmm... Either he is full of shit trying to pump up his presentation ahead of the conference or his is the single most unethical cryptographer on the planet.

"I know of a vulnerability which is costing other money and undermining public trust in cryptography so I will wait for two months before telling anyone about it ... er I will tell me about it, just not what it is."
member
Activity: 84
Merit: 10
any vulnerability can and will be verified.  why are so many so quick to write this off?  just because he works for a bank?
donator
Activity: 2772
Merit: 1019
Someone was paid by the banking industry to discredit Bitcoin?


Doesn't seem that way to me.
Assuming he's correct... The bitcoin system has proved useful in revealing a minor issue with SHA256 ... which the banks (and military) also use.

what minor issue?
hero member
Activity: 531
Merit: 505
Bitcoin with its current hashrate may be the most powerfull SHA256 testing tool that has been running so far ...
Pages:
Jump to: