public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Pedro Worcel <pedro@worcel.com>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Proposal to address Bitcoin malware
Date: Tue, 03 Feb 2015 10:09:20 +1300	[thread overview]
Message-ID: <54CFE780.1040400@worcel.com> (raw)
In-Reply-To: <CB45FC36-3B3E-486D-95FE-596D7380C3D2@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3790 bytes --]

Where would you verify that?

On 2/3/2015 10:03 AM, Brian Erdelyi wrote:
> Joel,
>
> The mobile device should show you the details of the transaction (i.e. 
> amount and bitcoin address).  Once you verify this is the intended 
> recipient and amount you approve it on the mobile device.  If the 
> address was replaced, you should see this on the mobile device as it 
> won’t match where you were intending to send it.  You can then not 
> provide the second signature.
>
> Brian Erdelyi
>
>> On Feb 2, 2015, at 4:57 PM, Joel Joonatan Kaartinen 
>> <joel.kaartinen@gmail.com <mailto:joel.kaartinen@gmail.com>> wrote:
>>
>> If the attacker has your desktop computer but not the mobile that's 
>> acting as an independent second factor, how are you then supposed to 
>> be able to tell you're not signing the correct transaction on the 
>> mobile? If the address was replaced with the attacker's address, 
>> it'll look like everything is ok.
>>
>> - Joel
>>
>> On Mon, Feb 2, 2015 at 9:58 PM, Brian Erdelyi 
>> <brian.erdelyi@gmail.com <mailto:brian.erdelyi@gmail.com>> wrote:
>>
>>
>>     > Confusing or not, the reliance on multiple signatures as
>>     offering greater security than single relies on the independence
>>     of multiple secrets. If the secrets cannot be shown to retain
>>     independence in the envisioned threat scenario (e.g. a user's
>>     compromised operating system) then the benefit reduces to making
>>     the exploit more difficult to write, which, once written, reduces
>>     to no benefit. Yet the user still suffers the reduced utility
>>     arising from greater complexity, while being led to believe in a
>>     false promise.
>>
>>     Just trying to make sure I understand what you’re saying.  Are
>>     you eluding to that if two of the three private keys get
>>     compromised there is no gain in security?  Although the
>>     likelihood of this occurring is lower, it is possible.
>>
>>     As more malware targets bitcoins I think the utility is evident. 
>>     Given how final Bitcoin transactions are, I think it’s worth
>>     trying to find methods to help verify those transactions (if a
>>     user deems it to be high-risk enough) before the transaction is
>>     completed.  The balance is trying to devise something that users
>>     do not find too burdensome.
>>
>>     Brian Erdelyi
>>     ------------------------------------------------------------------------------
>>     Dive into the World of Parallel Programming. The Go Parallel Website,
>>     sponsored by Intel and developed in partnership with Slashdot
>>     Media, is your
>>     hub for all things parallel software development, from weekly thought
>>     leadership blogs to news, videos, case studies, tutorials and
>>     more. Take a
>>     look and join the conversation now.
>>     http://goparallel.sourceforge.net/
>>     _______________________________________________
>>     Bitcoin-development mailing list
>>     Bitcoin-development@lists.sourceforge.net
>>     <mailto:Bitcoin-development@lists.sourceforge.net>
>>     https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development


[-- Attachment #2: Type: text/html, Size: 8063 bytes --]

  reply	other threads:[~2015-02-02 21:17 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-31 22:15 [Bitcoin-development] Proposal to address Bitcoin malware Brian Erdelyi
2015-01-31 22:38 ` Natanael
2015-01-31 23:04   ` Brian Erdelyi
2015-01-31 23:37     ` Natanael
2015-01-31 23:41       ` Natanael
2015-02-01 12:49         ` Brian Erdelyi
2015-02-01 13:31           ` Martin Habovštiak
2015-02-01 13:46             ` Mike Hearn
2015-02-01 13:54             ` Brian Erdelyi
2015-02-01 13:48           ` Mike Hearn
2015-02-01 14:28 ` mbde
2015-02-02 17:40   ` Brian Erdelyi
2015-02-02 17:54     ` Martin Habovštiak
2015-02-02 17:59       ` Mike Hearn
2015-02-02 18:02         ` Martin Habovštiak
2015-02-02 18:25           ` Mike Hearn
2015-02-02 18:35             ` Brian Erdelyi
2015-02-02 18:45               ` Eric Voskuil
2015-02-02 19:58                 ` Brian Erdelyi
2015-02-02 20:57                   ` Joel Joonatan Kaartinen
2015-02-02 21:03                     ` Brian Erdelyi
2015-02-02 21:09                       ` Pedro Worcel [this message]
2015-02-02 21:30                         ` devrandom
2015-02-02 21:49                           ` Brian Erdelyi
2015-02-02 21:42                         ` Brian Erdelyi
2015-02-02 21:02                   ` Pedro Worcel
2015-02-03  7:38                   ` Eric Voskuil
2015-02-02 18:10         ` Brian Erdelyi
2015-02-02 18:07       ` Brian Erdelyi
2015-02-02 18:05     ` Eric Voskuil
2015-02-02 18:53       ` Mike Hearn
2015-02-02 22:54         ` Eric Voskuil
2015-02-03  0:41           ` Eric Voskuil

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54CFE780.1040400@worcel.com \
    --to=pedro@worcel.com \
    --cc=bitcoin-development@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox