public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Eric Voskuil <eric@voskuil.org>
To: Gregory Maxwell <greg@xiph.org>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Completing the retirement of the alert system
Date: Fri, 9 Sep 2016 17:54:28 -0700	[thread overview]
Message-ID: <474CB187-0642-452C-AE1B-00D46FAE8BAF@voskuil.org> (raw)
In-Reply-To: <CAAS2fgTYOUSm07N4NYDCsjjwSbAo_ye84UvbQF--3JzhLHkG0Q@mail.gmail.com>

ACK

libbitcoin defines the message and includes the public key but only for completeness and reference purposes. It has never been used in the node.

e

> On Sep 9, 2016, at 5:42 PM, Gregory Maxwell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> The alert system was a centralized facility to allow trusted parties
> to send messages to be displayed in wallet software (and, very early
> on, actually remotely trigger the software to stop transacting).
> 
> It has been removed completely in Bitcoin Core after being disabled for a while.
> 
> While the system had some potential uses, there were a number of
> problems with it.
> 
> The alert system was a frequent source of misunderstanding about the
> security model and 'effective governance', for example a years ago a
> BitcoinJ developer wanted it to be used to control fee levels on the
> network and few months back one of Bloq's staff was pushing for a
> scheme where "the developers" would use it to remotely change the
> difficulty-- apparently with no idea how abhorrent others would find
> it.
> 
> The system also had a problem of not being scalable to different
> software vendors-- it didn't really make sense that core would have
> that facility but armory had to do something different (nor would it
> really make sense to constantly have to maintain some list of keys in
> the node software).
> 
> It also had the problem of being unaccountable. No one can tell which
> of the key holders created a message. This creates a risk of misuse
> with a false origin to attack someone's reputation.
> 
> Finally, there is good reason to believe that the key has been
> compromised-- It was provided to MTGox by a developer and MTGox's
> systems' were compromised and later their CEO's equipment taken by the
> Japanese police.
> 
> In any case, it's gone now in Core and most other current software--
> and I think it's time to fully deactivate it.
> 
> I've spent some time going around the internet looking for all
> software that contains this key (which included a few altcoins) and
> asked them to remove it. I will continue to do that.
> 
> One of the facilities in the alert system is that you can send a
> maximum sequence alert which cannot be overridden and displays only a
> static key compromise text message and blocks all other alerts. I plan
> to send a triggering alert in the not-distant future (exact time to be
> announced well in advance) feedback on timing would be welcome.
> 
> There are likely a few production systems that automatically shut down
> when there is an alert, so this risks some small one-time disruption
> of those services-- but none worse than if an alert were sent to
> advise about a new system upgrade.
> 
> At some point after that, I would then plan to disclose this private
> key in public, eliminating any further potential of reputation attacks
> and diminishing the risk of misunderstanding the key as some special
> trusted source of authority.
> 
> Cheers,
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


  reply	other threads:[~2016-09-10  0:54 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-10  0:42 [bitcoin-dev] Completing the retirement of the alert system Gregory Maxwell
2016-09-10  0:54 ` Eric Voskuil [this message]
2016-09-10  0:58 ` Peter Todd
2016-09-10  1:48   ` Gregory Maxwell
2016-09-10  2:19     ` Peter Todd
2016-09-10  1:31 ` Andrew C
2016-09-10  5:51 ` Wladimir J. van der Laan
2016-09-10  9:41 ` Johnson Lau
2016-09-10 13:23   ` Andrew C
2016-09-10 14:57     ` Johnson Lau
2016-09-10 15:36     ` Gregory Maxwell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=474CB187-0642-452C-AE1B-00D46FAE8BAF@voskuil.org \
    --to=eric@voskuil.org \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=greg@xiph.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox