Slashdot Mirror


Bitcoin's Software Gets Security Fixes, New Features

itwbennett (1594911) writes "The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin's software, 0.9.0, contains more than a half dozen fixes for transaction malleability, according to the release notes for the software. Bitcoin Core also contains a new feature for payment requests. Previously, merchants couldn't attach a note describing an invoice, and people also could not supply a refund address to a merchant. The latest version automatically supplies a refund address." This wouldn't have prevented the Mt. Gox implosion since they weren't using the reference implementation. The foundation also renamed the software to "Bitcoin Core" to avoid confusion between Bitcoin-the-network and Bitcoin-the-reference-implementation.


  1. What? by DogDude · · Score: 3, Funny

    Are you fucking kidding me? Bug fixes for a currency?

    I'd be real curious to see how many Bitcoin users are also Amway and Herbalife salesmen.

    --
    I don't respond to AC's.
    1. Re:What? by pla · · Score: 5, Informative

      Are you fucking kidding me? Bug fixes for a currency?

      Why? The Federal Reserve calls these "Quantitative Easing". We've had three major patches in as many years, along with quite a few minor updates to those outside the normal update release cycle.

    2. Re:What? by TheCarp · · Score: 4, Interesting

      Um, actually I believe you mean the treasury calls this "A new series". You know, like that line of purple spooge they put across some of the new bills.

      Turns out, older series of the "Cash" currency had bugs which allowed for unscrupulous parties to make copies and double spend. So the treasury has released a patch, which is rolled out as they get their hands on older series bills and destroy them to be replaced by the new ones.

      Don't get me wrong, I am ready willing and able to get into some fed hate, but, this is just a better example.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:What? by TheCarp · · Score: 2

      A DICTIONARY ATTACK..... takes.... "Trillions of years"? I don't think so. Maybe a brute force, but, password standards TODAY lead to passwords that can be easily guessed by machines. Exposed hashes allow the attack to be done offline at the attacker's leisure.... it was never a good idea, and the level of protection you are postulating never existed for those very reasons.

      But yes, I guess it's true, if you have really good, "lifetime of the universe to guess" passwords, and ALL of the passwords on the system are all of that level of goodness.... and you are sure your hashes have no collisions with easier to guess passwords, then yes, you can leave your hashes in the password file....hell, at that point, you can post them in your SIG.

      However, if you are wrong, then publishing them will mean someone can crack your password or an equivalent before doing anything that might have a chance of alerting you or a sysadmin.

      --
      "I opened my eyes, and everything went dark again"
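
The offline attack described in the comment above, as an added example that is not part of the original post or of any project mentioned on this page. It contrasts a leaked file of unsalted SHA-256 hashes (one hash per candidate word cracks every account at once) with per-user salted PBKDF2 (the same dictionary words still fall, but each account costs a separate slow derivation). The usernames, passwords, wordlist and salts are constructed for the demonstration; the iteration count is deliberately low so it runs in a moment.

```python
# Added example, not from the thread: a leaked password file lets an attacker
# run a dictionary attack offline, hash by hash, with nothing to alert anyone.
# Wordlist, usernames, passwords and salts are constructed for the demo.
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "bitcoin", "hunter2", "Summer2014", "correcthorse"]
ITERATIONS = 20_000  # kept low so the demo runs quickly; production uses far more

# Constructed credentials: two dictionary passwords, one that is not in any list.
CONSTRUCTED_CREDS = {"alice": "Summer2014", "bob": "hunter2", "carol": "v9#Kq!2mRz@7wL"}


def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast hash, identical output for the same password everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Better scheme: per-user salt and a deliberately slow derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_unsalted_records(creds: dict) -> dict:
    return {user: unsalted_sha256(pw) for user, pw in creds.items()}


def make_salted_records(creds: dict) -> dict:
    records = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_pbkdf2(pw, salt))
    return records


def crack_unsalted(records: dict, wordlist: list):
    """Hash each candidate once and look every leaked hash up in the result.
    Work is len(wordlist) hashes no matter how many accounts leaked."""
    table = {unsalted_sha256(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in records.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records: dict, wordlist: list):
    """Still offline and still finds dictionary passwords, but the salt forces
    one slow derivation per (account, candidate) pair; no shared table."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(w, salt), digest):
                cracked[user] = w
                break
    return cracked, work


def demo():
    unsalted_cracked, unsalted_work = crack_unsalted(
        make_unsalted_records(CONSTRUCTED_CREDS), WORDLIST)
    salted_cracked, salted_work = crack_salted(
        make_salted_records(CONSTRUCTED_CREDS), WORDLIST)
    return {
        "unsalted_cracked": unsalted_cracked,
        "unsalted_hashes": unsalted_work,
        "salted_cracked": salted_cracked,
        "salted_derivations": salted_work,
        "salted_hmac_calls": salted_work * ITERATIONS,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both runs crack alice and bob and neither touches carol: the salt and the iteration count raise the price per guess, they do not rescue a password that is in the attacker's dictionary.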
  2. Let me be the first to say by Anonymous Coward · · Score: 4, Funny

    Thanks, Dorian!

  3. LOL .. 0.9.0? by gstoddart · · Score: 2, Insightful

    Do people expect someone to take seriously a piece of software to manage financial transactions with a version like that?

    Sorry, but some of us have always looked at BitCoin and thought some combination of "why?" and "no frigging way".

    New stories over the last few months aren't doing anything to change that.

    This whole thing sounds like it's several years away from being trustworthy, by which point it will either be regulated by governments, or controlled by corporations.

    But, hey, if you want to put your money into a currency which is still getting bug fixes, go right ahead. That's your choice.

    --
    Lost at C:>. Found at C.
    1. Re:LOL .. 0.9.0? by Anonymous Coward · · Score: 3, Insightful

      While I do agree calling it something like 0.9.0 is stupid, would it make a difference if it was called 9.0? It's the same software.

    2. Re:LOL .. 0.9.0? by indeterminator · · Score: 2

      The nature of capital investment: getting in early gives you high profit expectation, with high risk of spectacular failure. Getting in late when things have stabilized, gives lower risk with low expected return.

    3. Re:LOL .. 0.9.0? by QuasiSteve · · Score: 3, Interesting

      Do people expect someone to take seriously a piece of software to manage financial transactions with a version like that?

      Sure, why not?

      Apparently we can't take FireFox seriously because it's at version 28(!) (nevermind that Chrome is at 33.0.1750.154 (dude what?)) either.

      So, should everything just be labeled v1.0 eternally (or v2.0 for the people who never trust first releases) based on the psychological effects of a version number?

    4. Re:LOL .. 0.9.0? by ratboy666 · · Score: 3, Interesting

      But... I assume you are in the US or Canada. Didn't your currency just get a bug fix update for anti counterfeiting? An update to the US $100 bill was released October 2013. Obviously, you can't trust that yet -- give it a few years.

      As to being "regulated" by government, -- what is that, exactly? BTC is one possible crypto-currency, so it is of interest what you think this "regulation" should look like.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    5. Re:LOL .. 0.9.0? by Jeremi · · Score: 5, Insightful

      Do people expect someone to take seriously a piece of software to manage financial transactions with a version like that?

      Apparently people do take it seriously, so it looks like the answer is yes.

      Staying in the 0.x range for a long time is typical for open-source software -- a lot of packages don't go to 1.0 until they have been in use for many years. It doesn't necessarily imply anything bad (or good) about the reliability of the software.

      If BitCoin was commercial software, no doubt it would be up to Version 7 Professional Platinum Collector's Edition now... but then again, if it was commercial software, it would probably be closed source, and therefore nobody would trust it enough to use it, and we wouldn't be having this conversation.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    6. Re:LOL .. 0.9.0? by Animats · · Score: 5, Informative

      The base Bitcoin technology is surprisingly good. Nobody has been able to double-spend yet. The "malleability" bug has to do with programs which incorrectly decide a transaction didn't go through and redo it.

      Most of Bitcoin's problems aren't with the software. Bitcoin's irrevocable money sends to anonymous remote parties are the con man's dream. At last, you can rip people off without ever giving them enough info to find you. That's why Bitcoin is such a scumbag magnet.

      Mt. Gox's problems stem from a combination of incompetence and criminal activity. They're not technical. Karpeles was running a business that handled a billion dollars a year without an accountant, a controller, an inside auditor, an outside auditor, or a compliance officer. You can't do that and succeed. You have to have enough separation of functions that no employee can steal without detection. Mt. Gox didn't have that. Probably so that Karpeles could steal.
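
The malleability mechanism referred to in the summary and in the comment above, as an added example that is not code from Bitcoin Core or from anyone in this thread. A transaction's id is the double-SHA256 of its full serialization, scriptSig included, and the scriptSig carries an ECDSA signature (r, s) for which (r, n - s) is equally valid under the same key. A relay can therefore rewrite s and change the txid without touching what is spent or paid; software that watches only for the txid it broadcast will conclude the payment failed. The transaction, public key and signature values below are constructed and the signature is never verified, only re-encoded; `payment_fingerprint` is an assumed name for the fix a tracker would apply (key on outpoints and outputs, not on the txid).

```python
# Added example, not Bitcoin Core code: txid = double-SHA256 of the whole
# serialized transaction, including the scriptSig with the ECDSA signature.
# (r, s) and (r, n - s) are both valid, so a relay can change the txid.
# Transaction, keys and signature values are constructed and never verified.
import hashlib
import struct

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def push(data: bytes) -> bytes:
    """Direct push (length byte + data), the form used for sigs and pubkeys."""
    assert len(data) < 0x4C
    return bytes([len(data)]) + data


def der_int(x: int) -> bytes:
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # DER INTEGER is signed; keep it positive
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_sig(r: int, s: int) -> bytes:
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def parse_der_sig(der: bytes):
    assert der[0] == 0x30 and der[1] == len(der) - 2
    pos, vals = 2, []
    for _ in range(2):
        assert der[pos] == 0x02
        n = der[pos + 1]
        vals.append(int.from_bytes(der[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    assert pos == len(der)
    return vals[0], vals[1]


def serialize_tx(version, inputs, outputs, locktime=0):
    """inputs: (prev_txid, vout, script_sig); outputs: (satoshis, script_pubkey).
    Counts and lengths use one-byte CompactSize; everything here is < 0xFD."""
    out = struct.pack("<i", version) + bytes([len(inputs)])
    for prev_txid, vout, script_sig in inputs:
        out += prev_txid[::-1] + struct.pack("<I", vout)
        out += bytes([len(script_sig)]) + script_sig + b"\xff\xff\xff\xff"
    out += bytes([len(outputs)])
    for value, script_pubkey in outputs:
        out += struct.pack("<q", value) + bytes([len(script_pubkey)]) + script_pubkey
    return out + struct.pack("<I", locktime)


def txid_hex(tx: bytes) -> str:
    return sha256d(tx)[::-1].hex()


def split_script_sig(script_sig: bytes):
    """Return (der_signature, sighash_byte, remainder) of a P2PKH scriptSig."""
    sig_len = script_sig[0]
    sig = script_sig[1:1 + sig_len]
    return sig[:-1], sig[-1:], script_sig[1 + sig_len:]


def is_low_s(script_sig: bytes) -> bool:
    """The rule Bitcoin Core later enforces: accept only s <= n/2."""
    der, _, _ = split_script_sig(script_sig)
    return parse_der_sig(der)[1] <= SECP256K1_N // 2


def flip_s(script_sig: bytes) -> bytes:
    """Third-party malleation: replace s with n - s and leave the rest alone."""
    der, sighash, rest = split_script_sig(script_sig)
    r, s = parse_der_sig(der)
    return push(der_sig(r, SECP256K1_N - s) + sighash) + rest


def payment_fingerprint(inputs, outputs) -> str:
    """What a payment tracker should key on: outpoints spent and outputs paid."""
    data = b"".join(p[::-1] + struct.pack("<I", v) for p, v, _ in inputs)
    data += b"".join(struct.pack("<q", val) + spk for val, spk in outputs)
    return sha256d(data).hex()


def demo():
    prev_txid = bytes.fromhex("11" * 32)  # constructed coin being spent
    pubkey = b"\x02" + bytes(32)          # constructed compressed pubkey
    r = int.from_bytes(hashlib.sha256(b"r").digest(), "big") % SECP256K1_N
    s = int.from_bytes(hashlib.sha256(b"s").digest(), "big") % (SECP256K1_N // 2) + 1
    script_sig = push(der_sig(r, s) + b"\x01") + push(pubkey)  # 0x01 = SIGHASH_ALL
    outputs = [(50_000_000, bytes.fromhex("76a914" + "ab" * 20 + "88ac"))]  # P2PKH
    inputs = [(prev_txid, 0, script_sig)]
    mall_inputs = [(prev_txid, 0, flip_s(script_sig))]
    return {
        "txid": txid_hex(serialize_tx(1, inputs, outputs)),
        "malleated_txid": txid_hex(serialize_tx(1, mall_inputs, outputs)),
        "fingerprint": payment_fingerprint(inputs, outputs),
        "malleated_fingerprint": payment_fingerprint(mall_inputs, outputs),
        "original_low_s": is_low_s(script_sig),
        "malleated_low_s": is_low_s(mall_inputs[0][2]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two txids differ while the fingerprints match, which is the whole problem for a system that re-sends when "its" txid never confirms. The low-s check shows how the network side closes this particular variant: once nodes refuse the high-s encoding, the malleated copy is no longer relayed, though other scriptSig encodings remained malleable until later rule changes.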

    7. Re:LOL .. 0.9.0? by IamTheRealMike · · Score: 4, Insightful

      The point of using such a version number is exactly to remind people that Bitcoin is new and experimental. It's quite possible to understand that something is a risky experiment, yet still take it seriously - these two things are not incompatible.

      But, hey, if you want to put your money into a currency which is still getting bug fixes, go right ahead. That's your choice.

      Banks and governments routinely have to upgrade banknotes and other forms of security on their own money, which you can see as "fixing bugs" in the sense that the ability to counterfeit is a bug. Development never really stops, so a 0.9 vs 1.0 is an entirely arbitrary line in the sand.

    8. Re:LOL .. 0.9.0? by gstoddart · · Score: 2

      As to being "regulated" by government, -- what is that, exactly? BTC is one possible crypto-currency, so it is of interest what you think this "regulation" should look like.

      Banking laws. Deposit protection. Rules about how they can't just decide that your money is now their money. Legal oversight.

      There's also a huge difference between issues of government notes (which are still legal tender even if someone counterfeits them), and the underlying system of transfers and transactions.

      To me, Bitcoin and all crypto currencies are in their infancy, and have yet to deal with all of the issues real banking systems have been doing for decades.

      And, I'm sorry, but I'll go with decades of experience when it comes to my money. Because if the bank fucks up there's rules in place for how they deal with it. There's deposit insurance. There is established case law to determine what happens.

      Cryptocurrency is pretty much the wild west, and is going to go through far more growing pains until it's 'respectable' to some people. And, like I said, by then it will be either regulated or under control of corporations.

      --
      Lost at C:>. Found at C.
    9. Re:LOL .. 0.9.0? by ameen.ross · · Score: 2

      So would you prefer unstable software labeled "release quality" with a version number of 9.0?

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
    10. Re:LOL .. 0.9.0? by DaveV1.0 · · Score: 4, Informative

      Because it is generally accepted that the three digit version number system works as major.minor.patch_level. A 0 major version level means the software is still in beta and not fit for production use.

      Does that answer your question, Trolio?

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    11. Re:LOL .. 0.9.0? by QuasiSteve · · Score: 2

      Which, in turn, means nothing more than "we think this release is pretty good, but we want everybody to hammer away at it until we can be sure"; which is exactly what happened, and why there was another release. Note that the issue found wasn't nearly as devastating as a myriad of issues surrounding Bitcoin that have nothing to do with the reference client and protocol.

      Perhaps it's time to re-evaluate what version numbers actually mean. Or, as many other developers seem to have done, let version numbers go almost entirely.. hide them from view, number releases by date, etc.

    12. Re:LOL .. 0.9.0? by IamTheRealMike · · Score: 3, Insightful

      Most of Bitcoin's problems aren't with the software. Bitcoin's irrevocable money sends to anonymous remote parties are the con man's dream. At last, you can rip people off without ever giving them enough info to find you. That's why Bitcoin is such a scumbag magnet.

      You can turn that around and make the same criticism of credit cards, from the sellers perspective. They're also a scumbag magnet. Trying to sell anything with credit cards is a fraud nightmare. Banks routinely approve transactions that are later reversed due to card detail theft, and the seller is just expected to suck it up. I've seen what big sellers have to do to control fraud. And sellers matter: it takes two to tango!

      That said, Bitcoin can theoretically do dispute mediated transactions (where they could be reversed later in case of seller fraud). However the user interfaces and workflows for this are immature and so in practice it's not done much today. Perhaps this year we will see that change.

    13. Re:LOL .. 0.9.0? by QuasiSteve · · Score: 2

      Oh I do, but what does it actually tell me?

      Should I be waiting for build 1 of patch level 1751 because clearly patch level 1750 needed 154 builds just to make it out and I don't know if I can trust a patch level that needs that many builds.

      Or better yet, major version 34.0.0.0? Or would that again be bad because first releases are always still going to have residual bugs that don't pop up until millions of people have worked with it?

      I know what it technically tells me, but apparently we're mostly going off of psychology here ("0.x means beta means untrustable!").

    14. Re:LOL .. 0.9.0? by hodet · · Score: 2

      Who's replacing all of their money with bitcoin? It's not a replacement, it's just another option for some circumstances and it will get better as time goes on. Really, it's not a football game, there is no home team, you can use both if you so choose.

    15. Re:LOL .. 0.9.0? by LordLimecat · · Score: 2

      It tells you that 28 versions ago Mozilla believed, themselves, that Firefox was ready for production.

    16. Re:LOL .. 0.9.0? by bill_mcgonigle · · Score: 2

      This whole thing sounds like it's several years away from being trustworthy

      The currency is trustworthy, to the best of anybody's knowledge. The systems around it are very immature.

      Some friends of mine run a medical first aid charity and just yesterday all of their donations were stolen from their blockchain.info account.

      Aside: apparently the way this works is you log onto the site and enter your password, and Google Authenticator, and then it downloads your wallet to the local machine, where it's decrypted. At that point the bitcoin malware steals your wallet and passphrase. But, back to the show:

      The reddit thread about this event was severe.

      What idiots for not having a hot wallet and several cold wallets. What idiots for not printing out their keys on paper and keeping them on a computer instead. What idiots for not booting a brand new machine with Tails, establishing an address, then wiping the hard drive and destroying the WiFi card and only ever using paper to get funds between them!

      These redditors are insensitive assholes, but they're probably not wrong. That appears to be the level of security effort necessary to safely use bitcoin. The "be your own bank" mantra means you have to be as good as a bank, but if you are you have the same level of control as a bank.

      So, buyer beware: bitcoin is a powerful tool, but so is a four foot chain saw. Use both carefully and appropriately. At some point there will be systems in place to not have to worry so much about these things (just like you can hire a guy to bring you a load of firewood).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    17. Re:LOL .. 0.9.0? by jones_supa · · Score: 2

      There surely is no shortage of angry ACs today.

    18. Re:LOL .. 0.9.0? by Agent0013 · · Score: 2

      Rules about how they can't just decide that your money is now their money. Legal oversight.

      I think the government can just decide that all your money is now their money. If it's in a bank account they can freeze it without you even getting a trial. Perhaps after a trial you may get it back, but how do you afford your attorney without your money is your problem. And if you have it as cash, the police have seized it without any evidence or trial that it must be drug money and so they can confiscate it. One poor couple I read about was going out to buy a car with cash and had the cops take all their savings.

      Because if the bank fucks up there's rules in place for how they deal with it. There's deposit insurance..

      FDIC insurance only covers you up to $250,000. That is a lot of money for sure, but for people who have millions it is a poor substitute for losing the rest.

      All these things you like about our current banking industry are additions to regular cash, not a part of it. There is nothing stopping these regulations and insurance and rules being added to a digital currency. The cryptocurrency is just a version of cash that can be stored digitally as bits or sent over a wire. The rest of the banking industry would have to be built around it like it is with the US$. It is at the wild west stage and mostly seems to be speculators at this point, but that doesn't mean there is no place for a digital currency. I think there are speculators that deal in the more traditional country currencies also, or at least in the differences in exchange rates from day to day. The only difference is with Bitcoin there are not enough regular transactions, so the speculators end up affecting the price of the currency much more significantly.

      --
      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
  4. A Warning to the Uninitiated by Anonymous Coward · · Score: 2, Informative

    If you want to join the experiment and get some Bitcoin, this software is not a good choice for your wallet. The official Bitcoin client does not support any way of securing your Bitcoins against theft through malware. While the wallet can be encrypted, you have to decrypt it to use it, and at that time, your BTC are up for grabs by any of a multitude of BTC stealing trojans. (The official client software is what's called a hot wallet. You shouldn't use a hot wallet for any amount that you can't afford to lose.) Also, backups are an issue. You absolutely have to have a backup, or a hard disk crash or other computer problem can irrevocably wipe out your entire wallet. But backups are difficult with the official Bitcoin client: In order to be sure that all keys are in the backup, you have to keep making backups, because new information is added to the wallet file from time to time, and without that information, you can't access all your BTC.

  5. Re:Just in time for another price dive by Archangel+Michael · · Score: 3, Informative

    Problem is, the value of BitCoins exceeds the market demand / use for them. This means it is well into "speculation" arena, and will remain so, until there is a large thawing of coins by the people currently hoarding them. As these people age, their goal of making a fortune will diminish as "unrealized" profit becomes lost to the Bitcoin dustbin.

    The problem with hoarding is that the value is gone once the person who hid it is dead, and nobody knows it even existed. But unlike Gold, bitcoins buried will be lost forever if there is nobody to remember the password for the wallet.

    http://www.cnn.com/2014/02/25/...

    Once BitCoin starts to become viable alternative currency, actively traded for goods and services, then I'll become a believer in the value. The problem right now, the only people using BitCoins, are traders. It may end up being just a tool to hold accumulated wealth, and that would be a shame.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  6. Re:Just in time for another price dive by Archangel+Michael · · Score: 2

    I know this because I can observe the marketplace, and understand how the market works. Right now, Bitcoins are exceedingly un-useful besides speculation. Speculation requires patience. When that patience wears thin, you'll see the real value in BitCoins.

    If you can name, without Googling it, three major retailers/service providers that take BitCoin, I'll be surprised. There are a few minor places that like being seen as "cutting edge" that take Bitcoin, but for the most part, there is no utility for BitCoins. When that changes, you'll start to see the real value of BitCoins.

    There is a long term option that BitCoins become "Wealth Holders", where people store wealth apart from banking and government entities. I'm starting to think this might actually be the "killer app" of BitCoins.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  7. Re:Just in time for another price dive by higuita · · Score: 2

    It is possible to have a wallet that requires 2 signatures to make a valid transaction (good for companies) and also a wallet that may be operated by one of 2 private keys (good for couples or partners).

    It is not much different from hiding the gold. if you are the only one that knows where it is, it may be lost after you are dead (people may find a "treasure" later, as people may "guess" a password later)

    --
    Higuita
  8. Re:Just in time for another price dive by Glock27 · · Score: 2

    TigerDirect, Overstock.com, and Gyft.

    Be surprised. :-)

    I think BTC will do well in the long run, simply because of low transaction cost/friction. Not to mention the small size and light weight. ;-)

    --
    Galileo: "The Earth revolves around the Sun!"