From mboxrd@z Thu Jan 1 00:00:00 1970
From: naman naman
To: Vocatus Gate
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] MtGox blames bitcoin
Date: Wed, 12 Feb 2014 02:12:02 +0530
In-Reply-To: <52F9377D.9010405@gmail.com>
References: <20140210144003.2BDCCDDAEFC@quidecco.de> <20140210163055.GJ3180@nl.grid.coop> <20140210182506.GM3180@nl.grid.coop> <52F91E66.6060305@gmail.com> <20140210190703.GO3180@nl.grid.coop> <20140210192308.GA17359@savin> <20140210194032.GD17359@savin> <52F9377D.9010405@gmail.com>

I was talking about a DOS attack in https://bitcointalk.org/index.php?topic=458608.0 (of course only applicable to entities doing the tracking with txids).

Amazing how I did not get a response from any of the devs (except Greg's response https://bitcointalk.org/index.php?topic=458608.msg5063789#msg5063789 but that too was short and not concerning the attack scenario plausibility as I replied to him).

Today they are apparently at work here https://github.com/bitcoin/bitcoin/pull/3651

Amazing how nobody acknowledges it until later when the attack already happens. The devs need to show some greater level of responsibility.

Don't get me wrong - I am not trying to claim credit for the attack scheme described (though I do not know of any other place where this was mentioned earlier as an attack scheme), but I am trying to make the point that people should just be around and at least make others feel that their concerns are being read. Now putting this on some place like reddit will only give the community a bad name.

On a lighter note I messaged some of the devs (as my previous mail says) saying the attack should be called "thenoblebot" attack (after my handle, which would inspire me to pursue crypto studies further). It was meant to be a lame joke. But I had no idea how it would start causing so much disruption in the ecosystem.

Regards
thenoblebot

On Tue, Feb 11, 2014 at 2:03 AM, Vocatus Gate wrote:
> It's quite simple, really:
>
> Unique transaction == (Inputs+Outputs+ReceivingAddress)
>
> Problem solved. Simply don't rely on TxID for tracking. Can we put this
> issue to rest and move on?
>
> On 2014-02-10 12:40 PM, Peter Todd wrote:
> > On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote:
> > > Hi guys,
> > >
> > > Please check this thread https://bitcointalk.org/index.php?topic=458608.0 for a possible attack
> > > scenario.
> > >
> > > Already mailed Gavin, Mike Hearn and Adam about this :
> > >
> > > See if it makes sense.
> >
> > That's basically what appears to have happened with Mt. Gox.
> >
> > Preventing the attack is as simple as training your customer service
> > people to ask the customer if their wallet software shows a payment to a
> > specific address of a specific amount at some approximate time. Making
> > exact payment amounts unique - add a few satoshis - is a trivial if
> > slightly ugly way of making sure payments can be identified uniquely
> > over the phone. That the procedure at Mt. Gox let front-line customer
> > service reps manually send funds to customers without a proper
> > investigation of why the funds didn't arrive was a serious mistake on
> > their part.
> >
> > Ultimately this is more of a social engineering attack than a technical
> > one, and a good example of why well-thought-out payment protocols are
> > helpful. Though the BIP70 payment protocol doesn't yet handle business to
> > individual, or individual to individual, payments a future iteration can
> > and this kind of problem will be less of an issue.
> >
> > Similarly stealth addresses have an inherent per-tx unique identifier,
> > the derived pubkey, which a UI might be able to take advantage of.
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
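The two mitigations quoted above, Vocatus Gate's "don't rely on TxID, key on inputs+outputs" and Peter Todd's "confirm by address and amount, and nudge amounts by a few satoshis so they are unique", are easy to see side by side in a small reconciliation model. The following is an added example written for this archive page, not code from the thread or from Bitcoin Core. The transaction layout, serialization and the `WithdrawalTracker` class are simplified assumptions; the "malleated" transaction is constructed by hand as a copy whose scriptSig bytes differ while its outpoints and outputs are identical, which is the property the thread discusses, not a real signature re-encoding.

```python
"""Toy reconciliation model: txid-based tracking vs malleability-invariant tracking.

Added example for this archive page; not Bitcoin Core code. Serialization is a
constructed simplification (no varints, no version/locktime, addresses as text).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as used for Bitcoin transaction hashes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # outpoint txid (hex)
    prev_index: int     # outpoint index
    script_sig: bytes   # signature + pubkey; pre-SegWit this is covered by the txid


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    address: str        # constructed placeholder, not a real Bitcoin address


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]

    def _outpoints_and_outputs(self) -> bytes:
        """Bytes that identify what is spent and what is paid, excluding scriptSigs."""
        core = b"".join(bytes.fromhex(i.prev_txid) + i.prev_index.to_bytes(4, "little")
                        for i in self.inputs)
        core += b"".join(o.value_sat.to_bytes(8, "little") + o.address.encode()
                         for o in self.outputs)
        return core

    def txid(self) -> str:
        """Pre-SegWit style txid: the hash covers the scriptSig bytes too."""
        sigs = b"".join(len(i.script_sig).to_bytes(2, "little") + i.script_sig
                        for i in self.inputs)
        return sha256d(self._outpoints_and_outputs() + sigs)[::-1].hex()

    def payment_key(self) -> str:
        """Malleability-invariant key: Vocatus Gate's (inputs + outputs)."""
        return sha256d(self._outpoints_and_outputs()).hex()


class WithdrawalTracker:
    """Exchange-side bookkeeping (assumed design): remember each broadcast withdrawal
    under three different keys, then see which key still matches once the
    transaction confirms under a different txid."""

    def __init__(self) -> None:
        self.by_txid: Dict[str, str] = {}
        self.by_key: Dict[str, str] = {}
        self.by_addr_amount: Dict[Tuple[str, int], str] = {}

    def record_broadcast(self, withdrawal_id: str, tx: Tx) -> None:
        self.by_txid[tx.txid()] = withdrawal_id
        self.by_key[tx.payment_key()] = withdrawal_id
        for o in tx.outputs:
            self.by_addr_amount[(o.address, o.value_sat)] = withdrawal_id

    def match_by_txid(self, confirmed: Tx) -> Optional[str]:
        return self.by_txid.get(confirmed.txid())

    def match_by_key(self, confirmed: Tx) -> Optional[str]:
        return self.by_key.get(confirmed.payment_key())

    def match_by_addr_amount(self, address: str, amount_sat: int) -> Optional[str]:
        """Peter Todd's phone-support check: 'do you see <amount> to <address>?'"""
        return self.by_addr_amount.get((address, amount_sat))

    def unique_amount(self, address: str, requested_sat: int) -> int:
        """Peter Todd's trick: add a few satoshis until (address, amount) is unused."""
        amount = requested_sat
        while (address, amount) in self.by_addr_amount:
            amount += 1
        return amount


def demo() -> dict:
    """Constructed scenario: one withdrawal, then the same payment seen on-chain
    with altered scriptSig bytes (same outpoints, same outputs)."""
    spent = ("aa" * 32, 0)
    outputs = (TxOut(150_000_000, "CUSTOMER_ADDR_1"), TxOut(49_990_000, "EXCHANGE_CHANGE"))
    broadcast = Tx((TxIn(*spent, script_sig=b"\x30\x44" + b"\x01" * 68),), outputs)
    confirmed = Tx((TxIn(*spent, script_sig=b"\x30\x45" + b"\x01" * 69),), outputs)

    tracker = WithdrawalTracker()
    tracker.record_broadcast("W-1001", broadcast)
    return {
        "txids_differ": broadcast.txid() != confirmed.txid(),
        "by_txid": tracker.match_by_txid(confirmed),          # None: looks like it never paid
        "by_key": tracker.match_by_key(confirmed),            # 'W-1001': still matches
        "by_addr_amount": tracker.match_by_addr_amount("CUSTOMER_ADDR_1", 150_000_000),
        "next_unique_amount": tracker.unique_amount("CUSTOMER_ADDR_1", 150_000_000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The txid lookup returns nothing for the confirmed transaction, which is exactly the state in which a support desk that trusts only txids would conclude the customer was never paid; the inputs+outputs key and the (address, amount) lookup both still resolve to the original withdrawal. `unique_amount` shows the satoshi nudge for a second payment to the same address, so that the (address, amount) pair stays a unique identifier.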