Stealing Bitcoin with Math (speakerdeck.com)
150 points by marksamman on July 24, 2016 | 12 comments




Thanks a lot for this link, Google didn't reveal it (for me at least) :D <3


I see these headlines and I put on my math bib and pick up my math fork and get ready for a hefty meal. But all for naught each time; it inevitably comes down to, "Oh yeah someone doesn't protect against nonce reuse and then lols occur."

It should no longer be the case that platform vendors are able to abrogate responsibility for bad RNGs or RNG bugs. The stakes are too high for people to get it wrong. Even in 2016 we're still seeing repeats of browsers and OS's with "predictable random number generator" bugs even though we have a pretty clear handle in the literature for how to do it well.


That point when you realise you're responsible for the data in someone's presentation.


Any details you'd be willing to share?


The graph displayed of ECDSA duplicate r-value exploits shows 2 prominent "columns" of addresses, the latter of which was in April/May 2014. That latter column was directly related to a commit that I made to the bitcoinjs-lib master branch (which was undergoing major refactoring at the time).

The commit that fixed the issue: https://github.com/bitcoinjs/bitcoinjs-lib/commit/bc37e65014...

The issue itself was that a `Buffer` was being interpreted as `0` by crypto-js's cryptographic hash functions in our implementation of RFC6979, thus creating a case of duplicate `k` values.

The second most interesting point was that the majority of the funds (>20k USD) stolen from Counterparty (the only known users of our master branch at that time) was returned by a grey hat.
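An added illustration of the failure mode described in the comment above (not part of the thread and not bitcoinjs-lib's code): RFC 6979 nonce derivation for secp256k1 with SHA-256, plus a regression check that flags repeated `k` values across distinct messages. The `hmacFaulty` stand-in, which treats every Buffer as empty input, is an assumed simplification of the bug; all function names and sample messages are constructed.

```javascript
// Added example: RFC 6979 nonce derivation (secp256k1, SHA-256) with a duplicate-k check.
const { createHmac, createHash } = require('node:crypto');

const Q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // curve order
const toInt = (buf) => BigInt('0x' + buf.toString('hex'));
const toOctets = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex');

// Correct HMAC-SHA256 over the concatenated parts.
const hmacOk = (key, parts) => createHmac('sha256', key).update(Buffer.concat(parts)).digest();
// Constructed fault model (assumption): the hash layer sees every Buffer as empty input.
const hmacFaulty = (key, _parts) => createHmac('sha256', key).update(Buffer.alloc(0)).digest();

function rfc6979Nonce(privKey, message, hmac = hmacOk) {
  // Type guard: refuse anything that is not a Buffer instead of hashing a coerced value.
  if (!Buffer.isBuffer(message)) throw new TypeError('message must be a Buffer');
  const h1 = toOctets(toInt(createHash('sha256').update(message).digest()) % Q); // bits2octets
  const x = toOctets(privKey); // int2octets of the private key
  let V = Buffer.alloc(32, 1);
  let K = Buffer.alloc(32, 0);
  K = hmac(K, [V, Buffer.from([0]), x, h1]);
  V = hmac(K, [V]);
  K = hmac(K, [V, Buffer.from([1]), x, h1]);
  V = hmac(K, [V]);
  for (;;) {
    V = hmac(K, [V]);
    const k = toInt(V);
    if (k >= 1n && k < Q) return k; // accept only nonces in [1, Q-1]
    K = hmac(K, [V, Buffer.from([0])]);
    V = hmac(K, [V]);
  }
}

// Regression check: derive k for distinct messages and report any value seen twice.
function repeatedNonces(privKey, messages, hmac) {
  const seen = new Map();
  const repeats = [];
  for (const m of messages) {
    const k = rfc6979Nonce(privKey, Buffer.from(m), hmac).toString(16);
    if (seen.has(k)) repeats.push([seen.get(k), m]);
    else seen.set(k, m);
  }
  return repeats;
}

const SAMPLE = ['tx-a', 'tx-b', 'tx-c']; // constructed sample messages
console.log('correct HMAC:', repeatedNonces(1n, SAMPLE, hmacOk).length, 'repeats');
console.log('faulty HMAC :', repeatedNonces(1n, SAMPLE, hmacFaulty).length, 'repeats');
```

With the fault model the derived `k` no longer depends on the key or the message, which is why a check over a handful of distinct inputs is enough to catch it in a test suite.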


Brilliant work Ryan and Filippo! I was at the talk, and very impressed with both the content and your presentation style.


I'm curious, would stealing bitcoin like this actually break any laws?


When I discussed this with a lawyer last year, his "this is not legal advice" opinion was that it could probably be prosecuted as conversion[0].

0. https://en.wikipedia.org/wiki/Conversion_(law)


Theft is theft when value is converted or transferred without consent. If someone leaves their house unlocked and the door open and a neighbor pinches objects, it is still a crime to take said things. Most jurisdictions recognize this even if the actual mode of theft or the goods are somewhat unprecedented so long as you can demonstrate that it is property.

Bitcoin's classification in the US means that it's SUPPOSED to be subject to all the scrutiny and protections that convertible currencies are supposed to have, although I can't speak to the regulation of that.


I think in some jurisdictions you might be viewed as having provoked the theft. And provoking the theft seems to annihilate the prosecution, at least when it is done by police (e.g. leaving a laptop on a seat in a car under surveillance to arrest thieves), as has been the case in the past in (I think) Belgium.


> I think in some jurisdictions you might be viewed as having provoked the theft.

That's a question of intent and reasonable interpretation. I'm fairly sure "I didn't audit the browser PRNG," will not be looked upon by any court you can name as a reasonable thing to expect people to do.



