
How I Stole a User's Siacoin - mtlynch
https://mtlynch.io/stole-siacoins/
======
dantillberg
I often wish that password entry for things fully under your control (i.e.
when there are no retry limits aside from brute computational power) would
come with limited brute forcing support.

Such password dialogs could just let you type your best effort, and they could
use the things you type to inform the guessing process; you could fat-finger a
character or two, and it would just take a moment longer to log in as it uses
the accurate parts of the data to make educated guesses of the password. For
old encrypted files, for example, I often don't remember which password or
which combination of passwords I might have used, but I can provide all the
important bits and a smart program could easily guess the right combination.

~~~
ktta
(offtopic - misunderstood comment. Let's assume the parent comment said 'we
should prevent bruteforcing')

As the other commenter said, there's nothing you can do to prevent brute
forcing. What you _can_ do, is have a _very_ expensive KDF. So for every
password you enter the wallet will take a very long time to 'unlock', which is
basically the process of deriving the key from the input.

'Expensive KDF' sounds cryptic, but often just having some memory/CPU
requirements for an instance of the KDF should suffice.

Fun fact: There is a reason why when you enter a wrong password for `su` or
`sudo` it seems to take longer to throw the wrong password dialogue than to
log you in. That's because the password authentication module (called PAM)
artificially delays you to prevent brute forcing. You can go and change it if
you want. (I would discourage it)

Of course, this won't stop everyone. One can just put the hard drive in a
different computer to get the hash of the password and crack it within a day
with proper resources. This is the problem with trying to 'stop' bruteforcing
at the input level. You must already assume the attacker has the hash, then
the difficulty must be determined. That's the point of people arguing about
password hashes (for fun, of course)
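
To make the "expensive KDF" idea above concrete, here is an added example (not code from the thread, the blog post, or Sia's wallet) that derives a wallet key with scrypt, a memory-hard KDF from Python's standard library. The two cost profiles and the memory figures are constructed assumptions for illustration; a real wallet would pick parameters for its own threat model.

```python
"""Added example (not from the thread or from Sia): derive a wallet key with a
memory-hard KDF so that every unlock attempt, right or wrong, costs real CPU
time and memory. n, r, p are scrypt's parameters; the profiles are assumptions."""
import hashlib
import hmac
import os
import time

# Constructed cost profiles. scrypt uses roughly 128 * n * r bytes of memory,
# so raising n raises both the time and the RAM an attacker needs per guess.
PROFILES = {
    "cheap":  {"n": 2 ** 10, "r": 8, "p": 1},   # ~1 MiB per guess
    "wallet": {"n": 2 ** 15, "r": 8, "p": 1},   # ~32 MiB per guess
}


def derive_key(password: str, salt: bytes, profile: str = "wallet") -> bytes:
    """Derive a 32-byte key; the profile fixes the work done for every guess."""
    params = PROFILES[profile]
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=params["n"], r=params["r"], p=params["p"],
        maxmem=256 * 1024 * 1024,   # raise the default cap so the heavy profile runs
        dklen=32,
    )


def unlock(password: str, salt: bytes, stored_key: bytes, profile: str = "wallet") -> bool:
    """A wrong guess pays the full KDF cost before the constant-time comparison fails."""
    return hmac.compare_digest(derive_key(password, salt, profile), stored_key)


def seconds_per_guess(password: str, salt: bytes, profile: str) -> float:
    """Wall-clock cost of one derivation under the given profile."""
    start = time.perf_counter()
    derive_key(password, salt, profile)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real wallet stores its salt beside the ciphertext
    stored = derive_key("correct horse battery", salt)
    print("unlock (right):", unlock("correct horse battery", salt, stored))
    print("unlock (wrong):", unlock("correct horse batery", salt, stored))
    for name in PROFILES:
        print(f"{name}: {seconds_per_guess('guess', salt, name):.3f}s per attempt")
```

The point of the timing loop is the ratio between the profiles, not the absolute numbers: whatever the attacker's hardware, the "wallet" profile multiplies the cost of every offline guess by the same factor it multiplies the legitimate unlock.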

~~~
no_protocol
The post you responded to was asking for an easier way to support multiple
attempts without having to sit there typing all the nearby variants of a
mostly-known passphrase. I'm not sure what part of this post addressed the
parent post.

~~~
ktta
>I often wish that password entry for things fully under your control (i.e.
when there are no retry limits aside from brute computational power) would
come with limited brute forcing support.

This part. I misunderstood the comment. I thought by 'limited brute forcing
support' they meant to limit the brute forcing process. The sibling comment
also thought the same thing so I didn't doubt it.

------
bubbabojangles
I used to mine Bitcoin back in 2011 and I lost my wallet.dat file (through
several stupid moves on my part). It's got approx 103 BTC in it, anyone is
welcome to it, I've given up trying.

[https://blockchain.info/address/166BuLPWHUjqoqiYp5rGE3B5r5Am...](https://blockchain.info/address/166BuLPWHUjqoqiYp5rGE3B5r5AmqgHpoL)

~~~
illumin8
My brother accidentally deleted his wallet.dat from Dropbox a few years ago -
he had given it a random filename and encrypted it with GPG so it was
unrecognizable to hackers (and apparently him as well).

It had 1,000 BTC in it! He had received them from a generous Bitcoin
contributor in the early days who said "here you go, hold on to it, it will be
worth something someday."

I still give him a hard time about his $3 million USD mistake...

~~~
sweettea
Did he try Dropbox support to see if they have a backup?

~~~
illumin8
Oh yeah, completely exhausted that route - it was over a year before he
realized it and way past their retention period...

~~~
zulln
"Hi Dropbox support! You get $1m USD if you figure this out."

------
jancsika
So what are both "ionic" and "tonic" in the same dictionary for a _human
readable_ entropy library?

~~~
tonyhb
EFF has a new wordlist which can be used for things like this. It focuses on
phonetic and spelling differences across each word so that this doesn't
happen, plus it prevents words from "duplicating" when you combine them (ie
the two words `in put` and `input` being the same).

[https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases](https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases)

~~~
r00fus
This is awesome. I had no idea my EFF money was doing great things like this
in addition to fighting for net freedom :)

------
markc

        A wise wife tagged and jagged and nagged
        Her aptitude had altitude to push the lush
        He bore the brunt with a grunt and tonic
        His music was ionic sonic
        Their topic too toxic to adapt
        And they, too adept to adopt

------
logicallee
This was an amazing story, but there are a LOT more take-aways here!!!

First of all, let's look at something: the burden of memorizing 29 words was
SO great, that despite carefully writing it down and double-checking it, the
user failed to memorize it or even come close: after trying _500_ times, they
could not tell that ionic was a different word from tonic. No doubt they had
looked at each handwritten word very carefully during the 500 attempts, but
just could not do it. By the way, if you write the word ionic down in your own
handwriting, you could easily see that it might look exactly like your own
handwritten tonic.

There is something else about these 29 words. You can find the number of bits
of entropy in a dictionary you'd pick one word from at random by taking the
log2 of the number of entries. (In a pinch you do log2 by taking the log and
dividing by the log of 2). That shows that 1626 words (the number of entries
in the dictionary) have 10 bits of entropy.[1]

So by making the user "remember" (write down) 29 such words, you are making
them memorize (write down) 290 bits of entropy.

2^290 is 1.9892929e+87. There are about 10^80 atoms in the ENTIRE universe (a
hundred billion galaxies with a hundred billion stars each). You'd have to get
every atom in our entire universe -- every planet's every atom, every sun's,
every black hole's, every one of the atoms anywhere in the world, to try
10,000,000 operations each, before you got an answer.

That is _WAY_ too much.

But despite having such an incredible amount of extra information in there
(base-64 encoding 290 bits would take 48 characters - six bits per character),
it does not contain enough of a checksum to correct against a single
transcription error.

So this is a great example of a solution that is very user-hostile: so long
that the user is forced to write it down, but despite its length so fragile
that it does not contain any help against any amount of corruption. And very
clearly, the longer it is, the greater the possibility of user error: could
you hand-write an entire Dickens novel without a single error anywhere for
example? What about a 12-character alphanumeric password? So the latter is
_stronger_ than the former! The latter is a better password.

I am not sure what kind of passwords would have redundancy built-in (so that a
slightly wrong version would be corrected and accepted) but this would be a
good time to find out.

One last thing. Does anyone know how long it takes to try a combination? I'm
surprised that the blog poster went through the trouble of finding Levenshtein
distance, since I would think from a coding standpoint it would be faster to
code trying all 1625 other possibilities for the 1st word (leaving the rest
unchanged), trying the other 1625 possibilities for the 2nd word, and so
forth. Since there are 29 words this is just 47125 possibilities in total
which doesn't seem like it's that many. (Then again, some 'treasure hunter'
the blog poster was "competing with" might have had that script running
already when the blog poster got there first!)

[1]
[https://www.google.com/search?q=(log+1626)+%2F+(log+2)](https://www.google.com/search?q=\(log+1626\)+%2F+\(log+2\))

~~~
codys
The need for embedding some form of error correcting codes into readable keys
like these is a really good point.

While not the same, I'm reminded of the issue with Ethereum addresses where
they've (after initially having no extra checking) started using mixed case to
provide a checksum to detect incorrect entries. Otherwise, it's really easy to
send coins to a very slightly different address due to a typo.

With Siacoin, it seems like just adding 1 more word could allow correction of
mistakes like these. (And you'd end up with a round 30 words :).

~~~
sp332
It does have a checksum. That means error-correcting works just like in the
article, by picking the nearest valid code. This could be built into the
software.

~~~
Taek
It would take about 0.5 seconds of brute forcing for the library to figure out
if you had gotten a word wrong, so that's actually reasonable.
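
The two ideas in this thread, logicallee's "try the other 1625 words in each position" enumeration and sp332's "let the checksum pick the nearest valid phrase", fit in one added example. This is not the blog post's code and not Sia's seed format: the 1626-word dictionary is synthetic, and the rule "the 29th word is a checksum of the first 28" is a constructed assumption chosen only to show the mechanics (and its weakness, see the note after the code).

```python
"""Added example, not from the thread or from the Sia project: entropy of a
word-list passphrase, and recovery of a single mis-transcribed word by
enumerating every one-word substitution and keeping those that pass a checksum.
The dictionary and the checksum rule are constructed assumptions for the demo."""
import hashlib
import itertools
import math
from typing import List, Optional, Tuple

DICT_SIZE = 1626   # the size logicallee quotes for the dictionary
PHRASE_LEN = 29    # 28 data words + 1 checksum word (assumption, not Sia's layout)


def build_wordlist(n: int = DICT_SIZE) -> List[str]:
    """Deterministic synthetic dictionary of n distinct four-letter words."""
    consonants, vowels = "bcdfghjklmnprstvwz", "aeiou"
    syllables = [c + v for c in consonants for v in vowels]            # 90 syllables
    pool = ["".join(s) for s in itertools.product(syllables, repeat=2)]  # 8100 words
    return [pool[(i * len(pool)) // n] for i in range(n)]              # spread across pool


WORDLIST = build_wordlist()
INDEX = {w: i for i, w in enumerate(WORDLIST)}


def bits_of_entropy(dictionary_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from the dictionary."""
    return n_words * math.log2(dictionary_size)


def checksum_word(data_words: List[str]) -> str:
    """Constructed rule: SHA-256 over the data words' indices, mapped to one word."""
    payload = ",".join(str(INDEX[w]) for w in data_words).encode()
    digest = hashlib.sha256(payload).digest()
    return WORDLIST[int.from_bytes(digest[:4], "big") % len(WORDLIST)]


def is_valid(phrase: List[str]) -> bool:
    """A phrase is valid if every word is in the list and the last word checks out."""
    if len(phrase) != PHRASE_LEN or any(w not in INDEX for w in phrase):
        return False
    return checksum_word(phrase[:-1]) == phrase[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to rank candidates nearest-spelling first."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_count(phrase_len: int = PHRASE_LEN, dict_size: int = DICT_SIZE) -> int:
    """Number of single-word substitutions: 29 * 1625 = 47125 for these sizes."""
    return phrase_len * (dict_size - 1)


def expected_chance_passes(phrase_len: int = PHRASE_LEN, dict_size: int = DICT_SIZE) -> float:
    """Wrong phrases expected to pass a one-word (~log2(dict_size)-bit) checksum."""
    return (phrase_len - 1) * (dict_size - 1) / dict_size


def recover_single_error(phrase: List[str]) -> List[Tuple[int, int, List[str]]]:
    """Enumerate every single-word substitution and return the ones that pass the
    checksum as (edit_distance, position, phrase), nearest spelling first."""
    if is_valid(phrase):
        return [(0, -1, list(phrase))]
    hits = []
    for pos, typed in enumerate(phrase):
        for candidate in WORDLIST:
            if candidate == typed:
                continue
            trial = phrase[:pos] + [candidate] + phrase[pos + 1:]
            if is_valid(trial):
                hits.append((levenshtein(typed, candidate), pos, trial))
    hits.sort(key=lambda h: h[0])
    return hits


if __name__ == "__main__":
    print(f"{DICT_SIZE} words: {bits_of_entropy(DICT_SIZE, 1):.2f} bits per word, "
          f"{bits_of_entropy(DICT_SIZE, PHRASE_LEN):.1f} bits for {PHRASE_LEN} words")
    data = [WORDLIST[(i * 53 + 7) % DICT_SIZE] for i in range(PHRASE_LEN - 1)]  # constructed seed
    good = data + [checksum_word(data)]
    typo = list(good)
    typo[5] = ("z" if good[5][0] != "z" else "b") + good[5][1:]   # one-letter slip, like ionic/tonic
    hits = recover_single_error(typo)
    print(f"{candidate_count()} candidates tried, {len(hits)} passed the checksum")
    for dist, pos, phrase in hits[:3]:
        print(f"distance {dist}, word {pos}: {'CORRECT' if phrase == good else 'chance pass'}")
```

The caveat this exposes is why the ranking matters: a single checksum word carries only about 10.7 bits, so of the 47125 one-word substitutions roughly 28 wrong phrases pass by chance alongside the right one, and it is the edit-distance ordering (a one-letter slip sits at distance 1, a random chance pass usually does not) that makes the first hit the intended phrase. A checksum spread over more bits would shrink that ambiguity without the heuristic, which is the trade-off codys and sp332 are circling.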

------
RichardHeart
I'd pay to discover the error I made :)

------
awalton
So I can overlook the misdemeanor pocketing of a few bucks with the intent of
giving it back, but you basically admit and _brag_ about breaking the Computer
Fraud and Abuse Act as some kind of exercise of how clever you are for doing a
dictionary attack against a weak and exposed key?

Good luck sir.

~~~
problems
Would CFAA really apply here? He's not accessing any computer illegitimately,
the blockchain is public record, the key was posted to a public website. He's
accessing the public siacoin network, posting transactions that anyone has
permission to.

~~~
IanCal
I'm not convinced that "posting to a public network" gets you out of the
sketch. Sections 5-7 seem at least partially relevant, but then I'm neither in
the US nor am I a lawyer anywhere else.

Posting data to a remote system, with the clear intent of taking a thing of
value from another person without permission. Perhaps it falls between the
cracks, but I'd be reasonably surprised if it doesn't come under this or
another similar act.

[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
thefifthsetpin
He didn't just post the passphrase, he also posted this:

"If someone figures it out, I will send you free sias"

I'd call that a clear invitation/authorization for anyone to try to crack his
passphrase.

~~~
IanCal
Reasonable, but not an invitation to transfer the entire amount then set up an
automated process to transfer any remaining amount to your own address.

~~~
kyle-rb
I don't know, I think transferring it was the reasonable thing to do, rather
than leaving it in the compromised wallet.

It's like if you find someone's (real) wallet, and you pick it up and contact
the owner to ask where to drop it off. Rather than leaving it there and just
telling the owner what street corner it's on.

~~~
averagewall
I recently heard about a guy who was arrested and charged for exactly that. He
took a phone home that he found in a carpark, the owner texted it saying
"please return to Subway". He went there the next day to hand it in and the
police were waiting! Apparently he was supposed to have turned it in to any
nearby business at the time he found it. Not tried to find out who owned it
the next day.

~~~
creepydata
Any nearby business? I thought lost property was to be turned in to the police
station. Otherwise the owner could call the cops on the business employees "I
was never at Dunkin Donuts yesterday."

