Yet another Bitcoin fail



  •  http://eprint.iacr.org/2013/734.pdf (page 9 and 10)

    Money was stolen because of bad randomness:

    However, we find that one address, 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj, appears to have stolen bitcoins from 10 of these addresses. This account made 11 transactions between March and October 2013. Each transaction contained inputs from addresses that duplicated signature nonces, and appear in our list. These transactions have netted this account over 59 bitcoins (approximately $12,000 USD).

     

     



  •  ECDSA is not rocket science. There is basically only one way to really screw it up. So why do I keep seeing people reuse the nonce? You would think that people would check for that while reviewing their code. I mean, this is the same thing that bit Sony in the ass.


  • Trolleybus Mechanic

    @aristurtle said:

    So why do I keep seeing people reuse the n<font color="red" face="Comic Sans MS" size="200">once</font>?
     

    You may make a poster out of this. You're welcome.



  • Well this is from 2013. It sounds like the problem Android wallets had where the OS generated not-really-random random numbers. I haven't heard of newer cases of this being exploited. Also somewhat similar to the famous Debian OpenSSL bug.

    Those are all implementation bugs though. Now that the big companies have finally decided to fund and review critical software, maybe we'll have a secure cryptographic library in 5-10 years.



  • @aristurtle said:

    ECDSA is not rocket science. There is basically only one way to really screw it up.

    That's not true at all; ECDSA is much easier to screw up than other asymmetric algorithms.



  •  The bug was in Android. Bitcoin was a victim.



  • @joelkatz said:

     The bug was in Android. Bitcoin was a victim.

    Yeah, but trusting your Bitcoins to Android is like me trusting my money to Bernie Madoff nowadays: I might technically be a victim, but sympathy is going to be hard to come by.



  •  I agree with whatever Morbs just said!



  • Trusting anything to Android is like walking into a lion's den after not feeding them for a week. The whole system is set up in a way that applications can do whatever they want (or claim to need when installing) and there is no way to (dis)allow anything selectively out-of-the-box.

    If you can't even control what applications can do then any application that has the SD-card option and the internet option will be a liability. The fact that you need a third-party app like LBE is ridiculous to put it mildly.



  • @martijntje said:

    Trusting anything to Android is like walking into a lion's den after not feeding them for a week. The whole system is set up in a way that applications can do whatever they want (or claim to need when installing) and there is no way to (dis)allow anything selectively out-of-the-box.

    If you can't even control what applications can do then any application that has the SD-card option and the internet option will be a liability. The fact that you need a third-party app like LBE is ridiculous to put it mildly.

    The CyanogenMod people have added a feature where you can revoke permissions from apps. It's pretty slick, and is one of the reasons I stick to phones I can install CyanogenMod on.



  • @martijntje said:

    The fact that you need a third-party app like LBE is ridiculous to put it mildly.

    I'm always stunned at my need for a task killer app. When I got my first Android phone, the VZW employee actually suggested I install one. And it comes in handy, sadly.

    Android: Like a Windows 95 computer for your pocket



  • @morbiuswilters said:

    @martijntje said:
    The fact that you need a third-party app like LBE is ridiculous to put it mildly.

    I'm always stunned at my need for a task killer app. When I got my first Android phone, the VZW employee actually suggested I install one. And it comes in handy, sadly.

    Android: Like a Windows 95 computer for your pocket

    Maybe on 2.3 or whatever locked-down and themed-to-hell version Verizon is foisting on you, but Android does a pretty good job managing processes by itself in newer versions.


  • Trolleybus Mechanic

    @drurowin said:

    The CyanogenMod people have added a feature where you can revoke permissions from apps. It's pretty slick, and is one of the reasons I stick to phones I can install CyanogenMod on.
     

    Kinda sad that there's no CyanogenMod for my phone yet (Samsung Galaxy Discover-- aka, the cheapest fucking model they had when my other phone broke). I did root it and shove XPrivacy on there, which allows you to grant/deny  permissions with extreme granularity. I have no desire to just hand over all my contacts, SMS, phone messages and internet history just to check movie listing times (for example), so both yay for shit like XPrivacy existing, but fuck for the fact that shit like XPrivacy has to exist in the first place, and fucking shit what?!? for it only existing as 3rd party software.



  • @drurowin said:

    @morbiuswilters said:
    @martijntje said:
    The fact that you need a third-party app like LBE is ridiculous to put it mildly.

    I'm always stunned at my need for a task killer app. When I got my first Android phone, the VZW employee actually suggested I install one. And it comes in handy, sadly.

    Android: Like a Windows 95 computer for your pocket

    Maybe on 2.3 or whatever locked-down and themed-to-hell version Verizon is foisting on you, but Android does a pretty good job managing processes by itself in newer versions.

    It's a fairly new version.. 4.1, maybe? But, no, you're wrong, I still have to manually kill processes when memory starts running low, or else mobile Chrome runs like shit.



  • @Lorne Kates said:

    @drurowin said:

    The CyanogenMod people have added a feature where you can revoke permissions from apps. It's pretty slick, and is one of the reasons I stick to phones I can install CyanogenMod on.
     

    Kinda sad that there's no CyanogenMod for my phone yet (Samsung Galaxy Discover-- aka, the cheapest fucking model they had when my other phone broke). I did root it and shove XPrivacy on there, which allows you to grant/deny  permissions with extreme granularity. I have no desire to just hand over all my contacts, SMS, phone messages and internet history just to check movie listing times (for example), so both yay for shit like XPrivacy existing, but fuck for the fact that shit like XPrivacy has to exist in the first place, and fucking shit what?!? for it only existing as 3rd party software.

    This is why I only have a couple of apps installed, like Facefook and SnatchChat. Well, that and the fact that it seems idiotic to me to install an app to, say, check movie times when I can get that data from the web much faster and with less bullshit.



  • @morbiuswilters said:

    SnatchChat
    +1



  • @morbiuswilters said:

    It's a fairly new version.. 4.1, maybe? But, no, you're wrong, I still have to manually kill processes when memory starts running low, or else mobile Chrome runs like shit.

    You don't need a task killer though, if you go to the active apps overview (button right to home) and long-press on the app you want to kill you can select "close".

    At least, in the standard launcher (e.g. on Nexus phones). I don't even want to know what telcos do to it.



  • @El_Heffe said:

    @morbiuswilters said:

    SnatchChat
    +1

    Those boudoir photos of an "18" year old girl don't just JUMP on your phone, you know.



  • @dtech said:

    the active apps overview (button right to home)

    Is that what that is? I thought that was just your recent apps, I didn't know it was all running apps.

    @dtech said:

    long-press on the app you want to kill you can select "close".

    Hmm, mine says "Remove From List", but I'm assuming it's closing the app.

    Still, my point stands: Android now just supports as stock what used to be third-party. It hasn't fixed the core problem (at least for me) of apps I haven't used in a month still using memory, it's just made it so I can manually close those apps. So I amend my comment thusly:

    Android: Like carrying a Windows 95 PC around in your pants. Except now it has a Task Manager. Although Windows 95 actually had a Task Manager, so shut up.



  • @morbiuswilters said:

    @dtech said:
    the active apps overview (button right to home)

    Is that what that is? I thought that was just your recent apps, I didn't know it was all running apps.

    @dtech said:

    long-press on the app you want to kill you can select "close".

    Hmm, mine says "Remove From List", but I'm assuming it's closing the app.

    Swipe them off to the left or right to close, long press + remove from list to make them unmanageable by the OS until the next time they're launched.



  • @drurowin said:

    long press + remove from list to make them unmanageable by the OS until the next time they're launched.

    Unmanageable by the OS? What does that mean?



  • @morbiuswilters said:

    @drurowin said:
    long press + remove from list to make them unmanageable by the OS until the next time they're launched.

    Unmanageable by the OS? What does that mean?

    Similar to a "zombie" process on a regular Linux system.



  • @drurowin said:

    Similar to a "zombie" process on a regular Linux system.

    A zombie process is a process that's finished but which the kernel is holding a record for so the parent process can read the return code (called "reaping".) Too many zombie procs or zombie procs that linger for very long are an indication of a problem. So if Android lets the end-user zombie processes, that would be a WTF.

    Android: Is that a zombie in your pocket, or are you just awful at task management?



  • @morbiuswilters said:

    @drurowin said:
    Similar to a "zombie" process on a regular Linux system.

    A zombie process is a process that's finished but which the kernel is holding a record for so the parent process can read the return code (called "reaping".) Too many zombie procs or zombie procs that linger for very long are an indication of a problem. So if Android lets the end-user zombie processes, that would be a WTF.

    Android: Is that a zombie in your pocket, or are you just awful at task management?

    I couldn't help thinking of this thread when the following email subject appeared in my inbox this morning:
    @TigerDirect said:
    No-Brainer: 7" Android Tablet ..."



  • @drurowin said:

    @morbiuswilters said:
    @drurowin said:
    long press + remove from list to make them unmanageable by the OS until the next time they're launched.

    Unmanageable by the OS? What does that mean?

    Similar to a "zombie" process on a regular Linux system.
    Eh? Are you sure it doesn't just make it invisible in the task manager?

    As in: the OS still manages the process, it just won't appear on the list?

    As in: "remove from list" does exactly that?

    Edit: I'm not being rhetorical, I'm genuinely curious. Also line breaks.



  • Yes my bad, removing it from the list doesn't actually kill it. In the same list choosing "App info" brings you to a screen with a "Force Stop"/"Stop now" (don't have English Android, so string might be slightly different) button.

    Also, I must say that I have about 20 which I regularly use and never notice slowness (Nexus 4). In my experience Android does a pretty ok job in managing background apps (suspended apps shouldn't use CPU, apps are killed when RAM is needed). Maybe it's just a badly behaving app that slows your phone down?



  • Notice it's the users with a nexus or running cyanogen mod that are saying they don't have a problem with memory management. It's the manufacturer bloatware that is slowing down Morbs's phone. And Android by default will keep the current home app (i.e. bloated ass touchwiz or blinkfeed in this case) in memory, potentially causing his issues. Oh, and the task manager running in the background as well constantly scanning every process.



  • @DrakeSmith said:

    It's the manufacturer bloatware that is slowing down Morbs's phone.

    There's no manufacturer bloatware on my phone, you retarded jackass.

    @DrakeSmith said:

    And Android by default will keep the current home app (i.e. bloated ass touchwiz or blinkfeed in this case) in memory, potentially causing his issues.

    I agree with you there: it's the bloated-ass piece of shit called the Android default.

    @DrakeSmith said:

    Oh, and the task manager running in the background as well constantly scanning every process.

    Um, no, that's not how it works. And it doesn't run in the background, anyway.

    Sorry, fanboi, it's the OS. Android is a piece of shit written by sub-literate, mouth-breathing, cousin-humpin' retards. And the fanbois are even worse.



  • @morbiuswilters said:

    @DrakeSmith said:
    It's the manufacturer bloatware that is slowing down Morbs's phone.

    There's no manufacturer bloatware on my phone, you retarded jackass.

    @DrakeSmith said:

    And Android by default will keep the current home app (i.e. bloated ass touchwiz or blinkfeed in this case) in memory, potentially causing his issues.

    I agree with you there: it's the bloated-ass piece of shit called the Android default.

    @DrakeSmith said:

    Oh, and the task manager running in the background as well constantly scanning every process.

    Um, no, that's not how it works. And it doesn't run in the background, anyway.

    Sorry, fanboi, it's the OS. Android is a piece of shit written by sub-literate, mouth-breathing, cousin-humpin' retards. And the fanbois are even worse.

    I'll admit I'm a bit of an Android fanboy. I just assumed that the manufacturer bloatware was responsible - I see similar things in my nexus versus my galaxy (and the nexus has a slower processor and fewer cores). And most people run a task manager that keeps a persistent notification - that persistent notification is to keep a service running without Android closing it.



    I'm not a blind fanboy either - I will admit that iPhones run smoother since the OS is in so much more control, and from a developer's view it is much faster to quickly whip up some CRUD app for iOS than Android. I will admit that Windows Phones have a clean looking, easy to use UI (although that doesn't translate well to the PC...). I just prefer the extra control I have with Android (of course only available through third parties and add ons, but still).



  • @DrakeSmith said:

    I'll admit I'm a bit of an Android fanboy.

    Good, I'll apologize for flaming you. I just get annoyed when people act like I'm an idiot because my phone has problems. One of the first things I did was nuke all of the carrier-provided crap. I even nuked a lot of the Google-provided crap because I don't want it. I have very few third-party apps, less than a dozen I'd say, and most never even get launched.



  • @morbiuswilters said:

    @DrakeSmith said:
    I'll admit I'm a bit of an Android fanboy.

    Good, I'll apologize for flaming you. I just get annoyed when people act like I'm an idiot because my phone has problems. One of the first things I did was nuke all of the carrier-provided crap. I even nuked a lot of the Google-provided crap because I don't want it. I have very few third-party apps, less than a dozen I'd say, and most never even get launched.

    I wasn't trying to imply anything about your intelligence, more complaining about companies like Samsung and HTC.



    I love my android phone, nexus tablet, my laptop triple booting Mint, Bodhi, and Windows, my wife loves her iPhone, iPad, and Macbook, and we don't fight about it. I'm not a rabid fanboi, because I agree - rabid fanbois are annoying no matter what they're creaming their panties over. I laugh at the arguments about Marvel vs. DC, Goku vs. Superman*, or fedora wearing atheists smug in their belief that religion equates to lack of intelligence vs. white trash religious fanatics who have never studied the bible and merely regurgitate what they read on facebook, etc.



    *Although Goku totally wins, I mean come on...


  • Considered Harmful

    @DrakeSmith said:

    @morbiuswilters said:
    @DrakeSmith said:
    I'll admit I'm a bit of an Android fanboy.

    Good, I'll apologize for flaming you. I just get annoyed when people act like I'm an idiot because my phone has problems. One of the first things I did was nuke all of the carrier-provided crap. I even nuked a lot of the Google-provided crap because I don't want it. I have very few third-party apps, less than a dozen I'd say, and most never even get launched.

    I wasn't trying to imply anything about your intelligence, more complaining about companies like Samsung and HTC.



    I love my android phone, nexus tablet, my laptop triple booting Mint, Bodhi, and Windows, my wife loves her iPhone, iPad, and Macbook, and we don't fight about it. I'm not a rabid fanboi, because I agree - rabid fanbois are annoying no matter what they're creaming their panties over. I laugh at the arguments about Marvel vs. DC, Goku vs. Superman*, or fedora wearing atheists smug in their belief that religion equates to lack of intelligence vs. white trash religious fanatics who have never studied the bible and merely regurgitate what they read on facebook, etc.



    *Although Goku totally wins, I mean come on...




  • @joe.edwards said:

    Pfft.. Batman's a pussy. He couldn't even beat Commie Superman and chose the shame of suicide instead.



  • Batman would win, because the more under the underdog, the harder the Hollywood script writers jerk off to their improbability porn.

    Seriously, am I the only one rooting for Goliath?



  • @Faxmachinen said:

    Seriously, am I the only one rooting for Goliath?

    Goliath was shown to have a fatal defect millennia ago. I mean, sure, at the time I might have rooted for Goliath, but I would have jumped on the David Train before Goliath's head was fully cut off.


    Today I root for Vladimir Putin, because he's the strongest man on Earth.

