
I Tried Hacking Bitcoin and I Failed - mdelias
http://www.businessinsider.com/dan-kaminsky-highlights-flaws-bitcoin-2013-4
======
clarkm
Here are the slides from a talk that Dan Kaminsky gave about Bitcoin at
Toorcon Seattle a couple years ago:
<http://www.slideshare.net/dakami/bitcoin-8776098>

I like his "Security Inversion" slide:

> Normal Code:

> * Looks like it might be OK up front

> * Scratch the surface, it's actually really bad

> Bitcoin:

> * Looks really bad up front

> * Scratch the surface, it's actually surprisingly good

> * _We aren't used to systems with these characteristics_

> * This code has the mark of having been audited by People Like Us

~~~
fossuser
These weird coincidences along with bitcoin's very strange start (the
pseudonym, the fact that it seems like a group worked on it) are really
interesting. I'm surprised there's not more discussion about who really
created it.

~~~
asperous
The person that wrote the paper probably wanted it to go along with the idea
of decentralization that bitcoin is all about. More than likely it's someone
on the bitcoin.org board or perhaps even a group of people on that board.

------
zeteo
>The cost of regulating any network actually goes up exponentially with the
number of nodes that must be monitored (you need a hierarchy of systems to
perform ‘guard labor’ to make sure systems are behaving within declared
parameters).

This is at the core of the argument and doesn't make any sense. Worst comes to
worst, the cost of monitoring all interactions between n nodes is O(n^2) even
when adding monitors on top of monitors etc. The way banking is organized,
it's even less. Alice doesn't transfer money directly to Bob: she talks to her
bank, who talks to Bob's bank, who then talks to Bob. The banks have to
monitor one-on-one interactions with their customers and the government
monitors interactions between banks. This all is well within O(n), where n is
the total number of customers.

I'm not saying Bitcoin doesn't have any advantages, but easier monitoring of
fraud is not one of them. How do you even know the coins were indeed stolen?

~~~
polarix
Moreover, we should expect the zerocoin strategy to "solve" the traceability
of stolen funds.

~~~
A1kmm
Even limitations legislation will allow stolen Bitcoins to eventually re-enter
legal circulation.

For example, under New Zealand law, if someone (party A) stole BitCoins from
someone else (party B), kept them for 6 years, and then used them to buy
something from someone else (party C), party C would be the sole legal
owner of the Bitcoins, because Party B lost their legal right to the property
(i.e. right to use the Bitcoins) by losing possession for more than 6 years.
Party A could be charged with theft even after the 6 years, but Party C could
not be charged with possession because they did not have possession at any
point in the first 6 years. Party C could be compelled to identify Party A if
they had evidence about Party A's identity.

With Bitcoin, Party C and Party A might be the same people, but using
different Bitcoin addresses, and it might be hard to definitively prove that
they are not the same, especially if Party C puts forward a credible and
difficult to disprove transaction in which they obtained the Bitcoins.

Disclaimer: IANAL.

------
RyanZAG
Premise here is pure madness - I'm sure I could ask a random security
researcher to hack Chrome and he would surely fail. But at the next Hack-a-day
or similar, Chrome WILL be cracked wide open when the whole world gets a shot.
So no - your inability to hack Bitcoin is not some grand statement of security
on Bitcoin, only a statement that you didn't manage to hack it. I'm sure you
didn't manage to hack thousands of other things that others did manage to hack,
too (unless you've somehow hacked just about everything else including Ruby -
not RoR?).

His point about how easy it is to monitor Bitcoin is unfortunately turning out
to be true, which is incredibly unfortunate as Bitcoin is currently being used
to purchase illegal drugs and similar. Once the FBI/NSA gets in on it, we're
probably going to see a bunch of pointless arrests.

~~~
marshray
Dan may be random, but he's no "random security researcher". And he has, in
fact, hacked "just about everything" a time or two by discovering and
exploiting common mode vulnerabilities.

His point of view is worth listening to.

~~~
deepblueocean
His point of view is certainly worth listening to, but Dan should know better
than anyone that the fact that _even he_ can't break something is _still_ not
an argument for (or even a suggestion of) its security.

~~~
Scaevolus
A skilled auditor finding no flaws in something is evidence in favor of there
being few flaws in it.

He never says there aren't any. He says there are surprisingly few.

------
ef4
His point on trace-ability is true, and one that lots of Bitcoin supporters
don't fully appreciate. The system is _not_ anonymous. It is pseudonymous,
which is not nearly the same thing.

Here's some interesting work on getting to real anonymity:

<http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html>

~~~
logicalmind
I'm no bitcoin expert, and you seem to be more knowledgeable than me, so I
have a question regarding this trace-ability. As far as I understand it, every
transaction is essentially a digitally-signed source/dest/amount tuple. Where
source and dest are bitcoin wallet addresses. These wallets/addresses can be
created and destroyed at any time. So if I transfer bitcoins to a
wallet/address I generated that we'll call wallet1. And then later transfer
those bitcoins to another wallet I generated we'll call wallet2. If I now
delete wallet1, how is the flow of bitcoins traceable?

It's entirely possible that we're discussing two types of traceability here.
The traceability of bitcoins from wallet/address to wallet/address will always
be possible. But the wallet/address to owner traceability seems impossible.
But maybe I'm misunderstanding.

~~~
shmageggy
Wallet/address to owner is potentially traceable when you sell coins for cash,
as that money has to go to a real account somewhere. I think that's the point
the author is making when he says none of the stolen coins have been spent
yet. I'm wondering though, if there's anyone watching these stolen coins to
see when they change hands. It seems like it would be fairly simple to flag
certain addresses as "in possession of stolen goods" and ban them from trades
on major hubs.

~~~
Andrew_Quentin
But that "real account" is no more than numbers and letters, i.e. 1AfGbnmksjdk.
Or do you mean once they transfer the sold bitcoins to a real bank account?

~~~
shmageggy
The latter.

------
mrb
At the very end, Kaminsky says that large financial actors and nation states
have the ability to deploy massive mining farms, and that somehow this is a
bad thing.

I do not think so.

These actors would merely compete between each other, thereby enhancing the
security of the Bitcoin network, making it _harder for an individual actor to
perform majority attacks ("51% attack")_ and rewrite the block chain. A
successful attack, with large actors already participating in the mining
industry, would require collusion, which I think is unlikely.

Perhaps Kaminsky simply meant that deploying massive mining farms would help
them profit from Bitcoin more efficiently than the average user. This would be
false. Contrary to other industries, there is _no economy of scale_ in Bitcoin
mining. I witnessed this first hand when expanding my GPU ops from 2 Ghash/s
to ~60 Ghash/s in 2011. Indeed, the smaller you are, the more overhead costs
become negligible and eventually effectively "free". The student mining in his
university dorm, or the individual mining on his mini desktop ASIC or computer
at work, have _zero_ mining costs when operating: free electricity, free
hosting, free A/C, free network connectivity. However, the ones managing huge
farms have to pay for data centers, maintenance technicians, electricity, etc.
This is why Bitcoin mining is a long-tail system: most of the mining power
comes from a large number of small-time miners.

(I should add that at this moment, in 2013, there is a small window of
opportunity for a large actor to dominate mining. ASICs are barely starting to
hit the network, so in theory a large actor could deploy many of them and
represent more than half of the mining capacity. However this window is
rapidly closing. Most people estimate the network hash rate is going to grow
by 10-50x in the next 12 months.)

~~~
tlrobinson
I recently calculated the cost of 50% hashing power in ASICs, and it was
something like $1M.

Even if the hash rate grew 10-50x it would cost less than $50M. Well within
reach of governments or large corporations.

That said, as adoption and thus the value of Bitcoin increases, the incentive
to mine and thus secure the network rises, so there's a nice feedback loop.

~~~
mrb
Firstly, your numbers are off. If the hash rate grew by 50x, we would be at
3.5 Phash/s, so the attacker would need to deploy another 3.5 Phash/s to
attack the network. And Butterfly Labs's ASIC price is $50 per Ghash/s. So it
would cost $175M.

Secondly, you cannot buy $175M of ASICs from BFL; they are too small of a
company.

Thirdly, by the time you design, build, and deploy ASICs yourself (12
months+[1]), the network would have grown again, maybe by another 2x/5x/10x,
who knows... you would have needed to account for this by spending
respectively $350M/$875M/$1.75B !

So effectively by the time the network reaches 3.5 Phash/s, it will be too late.

[1] For comparison it took more than a year for the DOE to deploy the #1
supercomputer, Titan, out of commodity hardware.

~~~
qdog
Avalon didn't take 12 months to ship, and I know someone who claims to have
one of them making money, so they appear to work. Why Butterfly Labs is so
late, I dunno.

If someone with money wanted to build ASICs for a 51% attack, it's possible.
I'm just not sure anyone with money wants to do it right now.

~~~
stevenrace
It's because they originally designed around a QFN packaged chip - later
switching to a flip chip BGA (FCBGA) package.

There was (and is) hardware on the market that could be adapted to work - but
the folks who sell hardware based AES256 applications tend to deal only in the
financial/military circles.

Being 'first to market' in btc ASICs didn't seem to be their top priority
(much to many people's dismay).

------
afreak
>When $50K of BitCoins is stolen today, and is $500K of BitCoin five years
from now, every last cent of that filthy lucre can be monitored with acute
cryptographic precision until the end of time.

Unless I am mistaken we can also see Bitcoins get stopped dead in their tracks
after the user loses their wallet file due to data loss, no?

~~~
ambiate
Yes. This is true.

Also, on your quoted statement: I do not believe the author considered money
laundering with bitcoins. Say I steal $500k worth of bitcoins. I contact
launderer XYZ and he places my $500k worth of coins with $5.5mil worth of
coins, then funnels them, using smaller amounts to a multitude of addresses,
back to the thief. Since there are so many transactions to/from in the
launderer's wallet, it would be hard to trace past that point where the $500k
actually went.
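
An added example, not part of this thread, that runs logicalmind's question, shmageggy's flagging idea and the mixing scenario above against a constructed ledger (made-up transaction ids, addresses and amounts). Deleting wallet1's keys changes nothing on the ledger, so the hop from wallet1 to wallet2 stays visible; pooling the coins with clean ones only dilutes the taint under a proportional ("haircut") model rather than erasing it.

```python
from collections import defaultdict

# Constructed ledger (made-up ids, addresses and amounts, not real transactions).
# Each transaction spends earlier outputs, referenced as (txid, output index),
# and creates new (address, amount) outputs. Listed in confirmation order.
LEDGER = [
    {"txid": "cb_victim", "inputs": [], "outputs": [("victim", 100)]},
    {"txid": "cb_clean", "inputs": [], "outputs": [("clean", 900)]},
    # Theft: the victim's coins are moved to the thief's wallet1.
    {"txid": "theft", "inputs": [("cb_victim", 0)], "outputs": [("wallet1", 100)]},
    # Hop: the thief moves the coins to wallet2 and then deletes wallet1's keys.
    {"txid": "hop", "inputs": [("theft", 0)], "outputs": [("wallet2", 100)]},
    # Mix: the 100 stolen coins are pooled with 900 clean ones and paid out
    # in smaller pieces to fresh addresses.
    {"txid": "mix", "inputs": [("hop", 0), ("cb_clean", 0)],
     "outputs": [("out_a", 250), ("out_b", 250), ("out_c", 500)]},
]

def index_outputs(ledger):
    """Map (txid, index) -> (address, amount) for every output ever created."""
    outputs = {}
    for tx in ledger:
        for i, (addr, amount) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], i)] = (addr, amount)
    return outputs

def trace_forward(ledger, start_address):
    """All addresses that receive coins descending from start_address. The
    ledger keeps every transaction, so deleting a wallet's keys hides nothing."""
    outputs = index_outputs(ledger)
    reachable = {k for k, (addr, _) in outputs.items() if addr == start_address}
    reached = set()
    for tx in ledger:
        if any(inp in reachable for inp in tx["inputs"]):
            for i, (addr, _) in enumerate(tx["outputs"]):
                reachable.add((tx["txid"], i))
                reached.add(addr)
    return reached

def propagate_taint(ledger, stolen_outputs):
    """Haircut model: every output inherits the fraction of tainted value among
    its transaction's inputs. Returns (txid, index) -> taint fraction in [0, 1]."""
    outputs = index_outputs(ledger)
    taint = {k: (1.0 if k in stolen_outputs else 0.0) for k in outputs}
    for tx in ledger:
        if not tx["inputs"]:
            continue  # coinbase: freshly minted, nothing to inherit
        total = sum(outputs[inp][1] for inp in tx["inputs"])
        dirty = sum(outputs[inp][1] * taint[inp] for inp in tx["inputs"])
        for i in range(len(tx["outputs"])):
            key = (tx["txid"], i)
            if key not in stolen_outputs:  # the marked outputs stay at 1.0
                taint[key] = dirty / total
    return taint

def tainted_value_by_address(ledger, taint):
    """Per address: (tainted coins received, total coins received)."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for key, (addr, amount) in index_outputs(ledger).items():
        totals[addr][0] += amount * taint[key]
        totals[addr][1] += amount
    return {addr: tuple(v) for addr, v in totals.items()}

def is_flagged(ledger, taint, address, threshold):
    """The policy shmageggy describes: flag an address once more than
    `threshold` of the coins it received trace back to the theft."""
    dirty, total = tainted_value_by_address(ledger, taint).get(address, (0.0, 0.0))
    return total > 0 and dirty / total > threshold

if __name__ == "__main__":
    taint = propagate_taint(LEDGER, {("theft", 0)})
    print("downstream of victim:", sorted(trace_forward(LEDGER, "victim")))
    for addr, (dirty, total) in sorted(tainted_value_by_address(LEDGER, taint).items()):
        print(f"{addr:8s} {dirty:6.1f} of {total:6.1f} coins tainted")
```

With a 50% threshold wallet1 and wallet2 are flagged while the mixer's outputs, each 10% tainted, are not; a tracer who wants to follow the dilution rather than stop at a threshold still has the fractions.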

~~~
marshray
So what does the launderer gain for the risk of taking the loss/blame for the
theft? Surely he must impose a healthy fee? Surely this fee would be
negotiable based on the good provenance of the coins.

This currency is a money-tracker's dream.

~~~
ambiate
A quick Google of 'bitcoin laundry' shows a typical commission rate of
1.5-3.5% and a portion of bitcoins per transaction (to cover the costs of
transferring).

------
ck2
Try harder:

<https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures>

~~~
jacquesm
> Announced: 2013-05-15

How does that work? Is this a planned announcement of a known vulnerability or
a typo?

~~~
ck2
I've seen security issues given a reserved ticket number and then not
disclosed until the vendor is given a certain amount of head start?

So they are maybe saying it will be disclosed in 30 days.

~~~
jacquesm
That's a leak in a way. It indicates that there is an unpatched vulnerability
that is serious enough to warrant immediate work.

------
fivre
I tried hacking MtGox, but it was down.

~~~
inovator
Maybe it was down because they knew you tried to hack ;)

~~~
ChuckMcM
I wonder if we'll see the blog post "I hacked Mt.Gox and now have 264,832 btc,
how do I sell that and turn it into dollars/rubles/yen/yuan/whatever?"

------
baltcode
I have a noob question if someone can answer it. It seems to me that mining is
a computationally wasteful exercise. Why don't crypto-currencies just reward
the computations needed to keep and confirm transactions, which is actually an
economically beneficial service?

~~~
ealloc
As lcampbell said, the point of mining is actually to keep and confirm
legitimate transactions. Mining needs to be a 'difficult' (but otherwise
useless) problem like cryptographic hashing in order to make it difficult to
fake transactions. Computations which might be useful in some other way are
too easy - only cryptographic hashing is 'difficult' enough to stop the fakes.

It's kind of like captchas - a seemingly pointless pain in the ass on purpose
to weed out the spam.

~~~
gbhn
I have a question. I read on the bitcoin site that currently the transaction
rate is limited (at 7tps). This seems like a good precaution, as otherwise
someone could try to flood the network, but what enforces that limit? Is it
that by and large miners use software with that limit, so transaction floods
are ignored?

------
gusgordon
This article really isn't that good or that interesting. I understand people
who hold bitcoins upvote anything that says something positive about the
currency, but come on, not this.

------
ph0rque
The bit about stolen money being forever traced is very interesting, and leads
me to an idea: can an ethics flag be added to the mining software to make your
client refuse to process transactions on stolen bitcoins?

Although now that I think about it, one could allege that your bitcoins, which
really belong to someone else, have been stolen, and thus effectively prevent
that person from spending those bitcoins. So you would need to have a very
high bar for determining those bitcoins were really yours.

~~~
shalmanese
I asked this on Quora a couple of months ago:
<http://www.quora.com/Bitcoin/Would-it-be-theoretically-possible-to-mark-certain-Bitcoins-as-dirty>

------
_pmf_
> Written in C++, which for all of its strengths is not usually the safest
> thing in the world to be reading random Internet garbage with

What kind of retarded nonsense is this? What the fuck does this guy think his
scripting toy languages are written in?

------
drivebyacct2
>Modern languages like JavaScript and Ruby are great, in that they do a huge
amount for you under the surface, but then you don’t actually know what
they’re going to do. Ruby got burned pretty badly recently when some systems
listening on the network were a little too … friendly. Engineering is a game
of tradeoffs. So, of course, is business.

That sounds... a bit... confused. Was there really such an issue with Ruby or
is he getting his wires crossed with the Rails problems of recent?

~~~
lmm
He's equated Ruby with Rails, which isn't so unreasonable given how they're
used in practice.

~~~
drivebyacct2
I guess, but Bitcoin's security comes from the protocol and network design,
not something inherent to C++.

~~~
betterunix
"Bitcoin's security comes from the protocol and network design"

If we ignore the already-known polynomial time attacks on that protocol, I
suppose that statement is true.

~~~
kirian
What are the already-known polynomial time attacks on the protocol? do you
have any links? thanks

~~~
betterunix
<https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_computing_power>

Basically, someone who has the computing resources needed to do the same work
as the rest of the network combined could create malicious forks of the block
chain. They could then "reverse" transactions they had made, prevent other
transactions from being confirmed, and interfere with "mining."

This is polynomial time in the parameters of the system: it is just the sum of
the work done by the honest parties. The constant factor is small, and the
attack is not at all impractical; even if we generously assume that it would
take $100 million of ASICs to carry out the attack, the US government spent 10
times as much on one NSA datacenter in Utah.
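
An added worked example, not from the thread, of the attack betterunix describes, using the catch-up probability from section 11 of the Bitcoin whitepaper: an attacker with fraction q of the total hash rate races to replace z already-confirmed blocks. Below 50% the risk falls off geometrically with confirmations; at or above 50% no number of confirmations helps, which is the point of the 51% threshold in the cost arguments elsewhere in the thread.

```python
import math

def attacker_success_probability(q, z):
    """Probability that an attacker controlling fraction q of the total hash
    rate ever catches up after the honest chain is z blocks ahead (Bitcoin
    whitepaper, section 11). With q >= 0.5 the attacker's chain is expected
    to outgrow the honest one, so the probability is 1 for every z."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)  # expected attacker blocks while honest miners find z
    prob = 1.0
    for k in range(z + 1):
        # Attacker found k blocks in that time; from z-k behind, the chance
        # of ever catching up is (q/p)^(z-k).
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        prob -= poisson * (1 - (q / p) ** (z - k))
    return prob

def confirmations_for_risk(q, max_risk):
    """Smallest z whose catch-up probability is below max_risk, or None when
    no number of confirmations suffices (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z

if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.51):
        row = ", ".join(f"z={z}: {attacker_success_probability(q, z):.4f}"
                        for z in (1, 6, 24))
        print(f"q={q:.2f}  {row}  confirmations for <0.1%: "
              f"{confirmations_for_risk(q, 0.001)}")
```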

~~~
moe
_even if we generously assume that it would take $100 million of ASICs_

You always conveniently ignore the fact that legitimate mining is at the verge
of shifting to ASICs, too.

Perhaps your $100mio figure is accurate _today_ , but it won't be long before
you have to apply quite a significant multiplier to that.

~~~
betterunix
In fact, $100 million is _much_ larger than the situation today. I have seen
estimates as low as $1 million and as high as $30 million.

~~~
moe
And you seriously assume an attacker with that kind of resources (be it
millions or billions) would be dumb enough not to realize that a crash of
bitcoin would merely spawn the next, more resilient crypto currency?

That would have to be quite a large irrational player because this isn't
compatible with today's corporate and government firmware (game theory) at
all.

~~~
betterunix
Is there some reason to think a more "resilient" protocol is even possible?
Can you even give a rigorous definition of the security properties these
protocols are trying to achieve?

That aside, do you really think the government would not try to destroy
Bitcoin _even_ if it meant a new system replaced it? Have you not been paying
attention to what happened with Megaupload? Governments are perfectly willing
to attack systems even when they know the systems will be replaced, just to
disrupt the users of the system and pressure people to avoid them.

~~~
moe
_Is there some reason to think a more "resilient" protocol is even possible?_

I'm not a bitcoin researcher but the first thing I'd have to note is that so
far it's holding up not bad at all. At non-trivial scale and under permanent
attack. Not a small feat for the first impl of a global, cross-platform P2P
crypto money system, don't you think? Just consider the history of infinitely
simpler systems (e.g. twitter).

Furthermore there are various efforts underway (e.g. SolidCoin) to address the
known weaknesses, even before we know whether any of them turns out to be a
bigger problem than the issues that we take for granted in our _current_
banking system (e.g. "too big to fail" or the perpetual banking crisis that
has been going on for the past 10 years).

_That aside, do you really think the government would not try to destroy
Bitcoin even if it meant a new system replaced it?_

Personally yes, I doubt any half-sane government will equate bitcoin with
software piracy.

Bitcoin addresses one of the core mechanics of society (money exchange).
That's not even in the same ballpark as people downloading vampire movies
without paying for them.

_just to disrupt the users of the system and pressure people to avoid them._

This is where I think the average government would be smarter than you.

You can't kill demand for something so useful unless you utterly convince a
majority that it can not possibly work - here your piracy-analogy holds water
again.

They may indeed pull a Napster (we've seen how that played out) but I think
it's much more likely they would try a very long-term, elaborate stealth
attack to erode trust in p2p money systems as a whole.

But just as with piracy this seems like a losing proposition. Unless a truly
insurmountable flaw is discovered that renders any system with the features of
bitcoin infeasible.

~~~
betterunix
"Unless a truly insurmountable flaw is discovered that renders any system with
the features of bitcoin infeasible."

Be careful with words like "infeasible." That has a meaning in cryptography
and in complexity theory, and it is not quite what you mean there. I think
what you are trying to say is, "There might be _no_ protocol like Bitcoin that is
secure against polynomial time attacks."

That is not such an outlandish scenario. It has been proved that Merkle's
Puzzles cannot be secure no matter how they are instantiated; in fact,
Merkle's original system is _optimal_. I would not be surprised if a
similar statement were true of digital cash systems without central
authorities: that there will _always_ be a polynomial time attack, no matter
how you instantiate them.

Of course, before such a statement could be proved, you would first need a
rigorous security definition for Bitcoin. What does it even mean for Bitcoin
to be secure? "Double spending" is not even well-defined for Bitcoin; the
existing rigorous definitions of double spending in digital cash systems
invoke a central authority. Without good security definitions, it is hard to
say whether or not Bitcoin is secure or _could_ be secure.

I doubt that even a minority of Bitcoin users are terribly concerned with the
lack of rigorous definitions or analysis. If they were, the system would never
have gained any traction. As you say, it would take a sustained attack on
these systems to really erode the trust in them (although by the second or
third system that was attacked, I think most people would just give up).

It is also worth pointing out that the end game might not even be to destroy
the system, but just to use it to cut off organizations like Wikileaks. The
same attack that can be used to double-spend in Bitcoin can be used to prevent
transactions from being confirmed; the government might just stop select
targets from using Bitcoin. This would probably shake people's trust in the
system, but perhaps not -- maybe the government would be very judicious, or
would try to frame the target and make it look like they are trying to cheat.

We could sit here coming up with possible motives for an attack all day long,
of course. That is yet another reason that rigorous definitions and formal
analysis are valuable: if we can show that _no_ feasible attacks exist, then
we do not need to try to guess what the attacker's purpose might be.

~~~
moe
Well, all your concerns may very well be provably correct, from a purely
academic perspective.

I just think the question you keep missing is: Does it matter in practice?

Our entire world runs on imperfect systems. Can we really already tell whether
bitcoin is worse?

Where is your mathematical proof that the _current_ monetary system is secure
against polynomial time attacks? Where is your rigorous security definition
for the _current_ monetary system?

Could it be we _are_ witnessing attacks on the current system right now,
resulting in enormous concentrations of wealth through interactions that we
barely understand[1]?

Could it be we _are_ witnessing the authorities abuse the current system to
cut off organizations like Wikileaks[2]?

You seem to demand a system that is perfect in every sense on day 1 and
replaces the US Dollar on day 2.

Yet couldn't it be that it is actually the academic imperfections, the
pragmatic approach of bitcoin that make it a success?

Who knows whether airtight mathematical security is even the most important
requirement? Perhaps the known attacks are "hard enough" already, or will be
after a few more patches? Perhaps bitcoin will fail spectacularly in a few
years due to scalability instead of security issues?

My point is: We simply don't know. We have no precedent, nothing even remotely
close (please correct me if I'm missing it, I honestly can't think of one).

Thus I disagree the case is nearly as clear cut as you make it out to be.

[1] <http://baselinescenario.com/2012/11/29/high-frequency-trading-and-high-returns/>

[2] <http://wikileaks.org/Banking-Blockade.html>

------
CallingIit
Hooray, another Bitcoin related story! Please post more, maybe one more will
convince more marks to join this doomed financial farce.

~~~
rkuykendall-com
A doomed financial farce can still be fascinating, and can still be a huge
milestone in mankind's history. In fact, I would say a huge percentage of our
history is made up of doomed farces. The more spectacular the failure, the
bigger the impact. Bitcoin, doomed or not, is starting to become pretty
spectacular.

~~~
drivingmenuts
It's all fun and games until someone's economy gets _Really Unalterably_
trashed and then the guns come out.

The Bitcoiners live in some digital utopia where no one ever pulls a real gun
because of politics, but the rest of us are going to have to pick up the
pieces for their hubris.

