Slashdot Mirror

← Back to Stories (view on slashdot.org)

MtGox's "Transaction Malleability" Claim Dismissed By Researchers

Posted by Unknown on from the did-you-check-the-couch-cushions? dept.

Martin S. (98249) writes "The Register reports on a paper at the arXiv (abstract below) by Christian Decker and Roger Wattenhofer analyzing a year's worth of Bitcoin activity to reach the conclusion that MtGox's claims of losing their bitcoins because of the transaction malleability bug are untrue. The Abstract claims: 'In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. ... In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox.'" Quoting El Reg: "By extracting transaction keys from the transaction set, the researchers say, they were able to identify more than 35,000 transaction conflicts and more than 29,000 “confirmed attacks” covering more than 300,000 Bitcoins." And less than 6000 were actually successful.

92 comments

  1. As it was weeks ago... by Anonymous Coward · · Score: 0

    Oh bit bitcoin brings in the hits... carry on.

    1. Re:As it was weeks ago... by erroneus · · Score: 2, Insightful

      This is all to be expected isn't it? It seems like when there is opportunity to scam people out of money, someone will set up an operation to exploit it. Every natural disaster results in hundreds of fake charities being set up to collect donations. And digital currency saw all manner of opportunists attempting to participate at every level from bitcoin mining viruses to setting up exchanges with disappearing money "bugs."

      Anyone who didn't expect it was born yesterday under a rock.

    2. Re:As it was weeks ago... by jythie · · Score: 5, Interesting

      Yeah, but it is still kinda cool to see people dissect exactly how it happens or how claims are untrue. Suspecting and knowing are two very different things.

    3. Re:As it was weeks ago... by BourneTolouse · · Score: 3, Informative

      I don't know what prompted the Red Cross comment, but is is easy enough to check through Charity Navigator. The Red Cross spends 4% on administration and 5.1% on fund raising; the rest goes to programs.

    4. Re:As it was weeks ago... by krakelohm · · Score: 1

      Can you please expand... Last time I looked Red Cross was donating 91 cents out of every dollar so about a 9% overhead.

      --
      You are all a bunch of idots.
    5. Re:As it was weeks ago... by Tom · · Score: 1

      It also gives Bitcoin a lot of reputation back. If you can actually trace what happens, then the resilience of the whole system is much higher than it appeared to be otherwise.

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. The fake is a lie. by Anonymous Coward · · Score: 1

    How can this guy not be abducted by mafia yet?

    1. Re:The fake is a lie. by Anonymous Coward · · Score: 0

      The mafia is too busy counting their new 100,000 bitcoins

    2. Re:The fake is a lie. by Bill,+Shooter+of+Bul · · Score: 1

      Obviously, the guy was a criminal, not an idiot. You *always* pay for protection.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    3. Re:The fake is a lie. by PRMan · · Score: 1

      Nobody has seen Karpeles lately, BTW.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  3. The scam unravels by NotDrWho · · Score: 4, Insightful

    The MtGox guys better get on a plane and head for their secret island.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:The scam unravels by Anonymous Coward · · Score: 2, Informative

      Unfortunately for them, they aren't allowed to (legally) leave the country.

    2. Re:The scam unravels by gstoddart · · Score: 4, Insightful

      I wonder how this plays into this bit coins they mysteriously found in another wallet later that they said they'd give the refunds from.

      Either this was a scam all along, or these guys really dropped the ball.

      And if the researchers are saying their explanation doesn't hold water, it's increasingly hard to believe them.

      --
      Lost at C:>. Found at C.
    3. Re:The scam unravels by 1s44c · · Score: 1

      Not guys. Guy. Just one man and everyone else was kept in the dark.

    4. Re:The scam unravels by jythie · · Score: 1, Insightful

      Actually, I think the research lines up rather nicely with them dropping the ball too. It could be an example of them having no clue what they are doing or having their own understanding of how things work. So 'incompetence' is still firmly in the running.

    5. Re:The scam unravels by prisoner-of-enigma · · Score: 2

      "Never attribute to malice that which can be explained by incompetence." -- Hanlon's Razor

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    6. Re:The scam unravels by DarkHelmet433 · · Score: 1

      Yes. This.

      Most likely, they screwed up and lost their private keys. ie: Plain old incompetence.

      The code that was leaked to pastebin made it look like they were storing these in something like instances on Amazon EC2. If it turned out they were storing it on ephemeral storage rather than EBS, I don't know if I'd laugh or cry. But it would be an explanation if it were true. Again tough, that would come back to incompetence.

    7. Re:The scam unravels by CrazyDuke · · Score: 1

      I find stupidity and malice frequently come hand in hand, sometimes in the same individual.

      --
      Any sufficiently advanced influence is indistinguishable from control.
  4. This seems to point the finger at MTGox. by Anonymous Coward · · Score: 0

    If the vulnerability is a smokescreen for their theft of bitcoins which they then "discover" in an "old configuration wallet"... that's kind of obvious isn't it?

  5. Money and marijuana don't mix by Anonymous Coward · · Score: 2, Funny

    A bank run by drug dealers and drug addicts won't keep your money safe, period.

    1. Re:Money and marijuana don't mix by Anonymous Coward · · Score: 1

      That's all banks. The only substantive difference is FDIC insuring your drug money.

    2. Re:Money and marijuana don't mix by Anonymous Coward · · Score: 1

      You got
      that
      right

    3. Re:Money and marijuana don't mix by Collective+0-0009 · · Score: 4, Insightful

      I'd trust a pot head over a money-grubbing corporate overlord. I have personally worked with the type of psychos that run a lot of companies. They are completely immoral. They often cannot even see their lack of integrity as they have rationalized their decisions long ago. They surround themselves with those that won't rock the boat; "yes men/women". And it's so easy to fall into when you are on top... nobody cares that the emperor has no clothes as long as they get the bonus and raise.

      Remember that commercial where they gave some poor dude 100k and asked him to watch it. Pot smokers don't steal it. Asshole libertarian, free market loving, usually conservative pricks steal*.

      So you keep the c-levels of ING, Chase, etc. I'll take The Dude any day.

      * = I am sorta libertarian, like the free market, and agree with some moderate conservatives. But it seems the psychos all LOVE these things and use them as the basis for their rationalizations.

      --
      I finally updated my sig, but now it's lame.
    4. Re:Money and marijuana don't mix by JustNiz · · Score: 1

      That probably applies to just about every bank.

    5. Re:Money and marijuana don't mix by Desler · · Score: 1

      You act like that isn't a huge difference. It is.

    6. Re:Money and marijuana don't mix by VortexCortex · · Score: 1

      A bank run by drug dealers and drug addicts won't keep your money safe, period.

      I know bankers are black, but are the drug lords green or white islandwalkers? Couldn't this disaster just be a big misunderstanding, like manna burn?

  6. Flawed assumption by 0dugo0 · · Score: 1, Interesting

    They wrongly assume that they were able to capture all MtGox transaction attempts. Many were posted on their API that were never broadcasted over the network because they were broken / invalid. That didn't stop people from fixing and / or malleating (sp?) them.

    1. Re:Flawed assumption by Anonymous Coward · · Score: 0

      ... it's funny how people refuse to believe that this is a ponzi scheme until all the money is gone and people are behind bars. It's pretty simple you are exchanging money for something that is virtual and has no real world value. If I give you a file that is your wallet can you magically make that buy you groceries? Hell invest in gold or silver if you don't want to have real currency at least you can sell that yourself to someone else.

    2. Re:Flawed assumption by Anonymous Coward · · Score: 1

      You don't seem to understand the purpose of Bitcoin, or what a Ponzi scheme is. Ponzi schemes have nothing to do with exchanging money for virtual items, and Bitcoin itself has nothing to do with investment (although some people might use it for speculative reasons). The cause of all these recent Bitcoin problems is shady characters running the exchanges. But that is a problem with all currency, virtual or not.

    3. Re:Flawed assumption by radiumsoup · · Score: 1

      I'm not sure you understand what a Ponzi scheme actually is. Bitcoin isn't one. MtGox, however, appears to have been simply a case of embezzlement.

      As for the rest of your rant, yes, you can buy groceries with Bitcoin. http://online.wsj.com/news/art...

    4. Re:Flawed assumption by Aaden42 · · Score: 2

      You don’t seem to understand the purpose of Bitcoin, or what a Ponzi scheme is...

      ... Or what money is. Fiat currency has no value other than to 1) Pay your taxes, and 2) Conduct business with others who mutually agree that said currency has an effective value. Within about 15 miles of me, there’s at least one pizza joint and one car dealer that will accept Bitcoin in exchange for their products.

      No argument that BTC is less widely accepted than most other currencies, but don’t conflate wide acceptance of a currency with it having an intrinsic value. At the end of the day, one dollar bill is worth exactly what I can exchange it for, no more (with the possible exception of it having some *limited* intrinsic value in terms of heating/energy should it prove more valuable to simply set fire to it rather than exchange it for some other fuel source). I could if I so wished exchange BTC for pizza or a car, so that’s value in my book.

      Granted, BTC’s volatility in terms of value makes it a risky choice as “money,” but it isn’t worthless.

    5. Re:Flawed assumption by PRMan · · Score: 1

      The blockchain is PUBLIC. The vulnerability they mentioned is legitimate. They found 6000 successful attempts on the blockchain of double-spending a change transaction (all bitcoin transactions have an initial transaction and a change transaction, unless the amount matches perfectly).

      These weren't related to known Mt. Gox addresses. How is this hard to understand that these guys know what they are talking about? Many of us in the bitcoin community could see this the very next day, as soon as we looked.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    6. Re:Flawed assumption by Anonymous Coward · · Score: 0

      Fiat currency has no value other than to 1) Pay your taxes, and 2) Conduct business with others who mutually agree that said currency has an effective value.

      So, one more use than Bitcoin?

    7. Re:Flawed assumption by lgw · · Score: 1

      Fiat currency has no value other than to 1) Pay your taxes, and 2) Conduct business with others who mutually agree that said currency has an effective value.

      None of that is unique to fiat currency. Gold just isn't that useful. Currency backed by something useful is sufficiently rare that it's clearly not important.

      Currency is a useful medium of exchange. Intrinsic value isn't important, only current value (thus the name). Bitcoin is still pretty iffy in its ability to buy anything anywhere, but that's the only hurdle it needs to jump. It prospered in a black market, sure, but as a "legit" currency it has yet to establish itself.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:Flawed assumption by Maritz · · Score: 1

      None of that is unique to fiat currency. Gold just isn't that useful.

      Gold may not be incredibly useful, but it is (a) rare and (b) unreactive and (c) pretty and malleable. So it definitely has intrinsic properties that make it valuable. Probably scarcity above all though.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    9. Re:Flawed assumption by hawkfish · · Score: 0

      You don't seem to understand the purpose of Bitcoin, or what a Ponzi scheme is. Ponzi schemes have nothing to do with exchanging money for virtual items, and Bitcoin itself has nothing to do with investment (although some people might use it for speculative reasons). The cause of all these recent Bitcoin problems is shady characters running the exchanges. But that is a problem with all currency, virtual or not.

      You don't seem to understand why Bitcoins are a Ponzi scheme (and neither does the GP who brought it up.)

      Bitcoin mining is designed to decrease over time until all 21 million coins have been mined. This means that the folks who got in early (i.e. the inventors) make out like bandits and the late arrivals are left holding the bag. The best part is that they have all sorts of true believers out there running interference for them in tech forums like /. It's like printing (real) money. Oh, wait...

      --
      You will not drink with us, but you would taste our steel? - Walter Matthau, The Pirates
    10. Re:Flawed assumption by lgw · · Score: 1

      Gold's value as an industrial metal is quite small. The features you mention make it a good choice for specie-based currency. Having value in that it's well suited for use as currency is not intrinsic value, it's value-as-currency.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  7. sounds like it really was sheer incompetence.... by Mr+Krinkle · · Score: 2

    I mean, if you lost 64,564 bitcoins from a known and easy to research flaw....

    then I'm VERY sure that you had a LOT of other security flaws unpatched on your servers.

    I know that even on my home servers I try and do "enough" diligence to ensure all know flaws are patched.. And on work related boxes, we ALL verify constantly all known vectors are closed...
    The fact that they found 10% of the "lost" coins with publicly available information and widely known bugs, lets me know that there are SURE to be a LOT more hidden flaws bleeding bitcoins like crazy...

      (and I'm sure some employees stole some coins to buy private islands)

    --
    I am 31337 or something.
  8. Planning by squiggleslash · · Score: 1

    The thing I'd kinda like to know is, if this is an inside job (and things like "Mt. Gox is saying one thing but we've proven they're lying!" kinda implies that) then what was the end game?

    If your business goes bankrupt, then it becomes extremely difficult to launder your supposedly stolen assets. And it's one thing to steal from your company (in some way) if you think the company is going to last decades and you can be well clear once the scam is found out, like the guys who ran Adelphia or Worldcom presumably thought. But it should have been obvious from the beginning that Mt. Gox wouldn't last very long, particularly in an unstable market, if this alleged level of fraud was going on.

    Is it more likely that nothing dishonest is going on, simply bugs and other serious errors causing money to be transfered out of reach, misinterpreted as "Transaction Malleability", or were Mt. Gox's alleged scam conspirators unusually stupid?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:Planning by TheCarp · · Score: 1

      You are assuming that an inside job necessarily implicates the owner directly, and not some other technical employee, who may have even signed on to the company with the intention to rob them blind.

      I do agree that it sounds like an inside job, however it looks like an inside job by someone smart enough to be sneaky about it; not someone just reaching into the cookie jar.

      Then again, it could be a little of collumn A, a little of Collumn B, maybe the attack stole some, and someone else saw that and took the rest figuring that the original theft was a good cover and that whoever took a few was going to be a good patsy that the square community wouldn't care about. (well aren't they?)

      Lots of possibilities, but I wouldn't assume the guy at the top was necessarily in on it. Now if they suddenly find all the missing coins but somewhere around the number claimed in this article, that would be very suspicous indeed.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Planning by squiggleslash1636 · · Score: 1

      Not necessarily assuming the guy at the top. Regardless of who plans and executes the scam, a bankruptcy is going to suddenly result in massive focus on everything going on, every system and transaction and so on. Outsides who you're unfamiliar with (so can't use your usual bag of tricks to pull the wool over the eyes of) will be brought in, and will investigate what you were doing. Even regular management will suddenly find themselves having to justify their own actions and investigate things they never looked at before.

      To be honest, if I were a fraudster, the very last place I'd start is a business that is likely to go bankrupt even if it trades honestly, unless I can seriously expect my actions to be so inconsequential nobody would even dream of looking for them. In this case though, the amounts transfered out of Mt. Gox's legitimate control were huge.

    3. Re:Planning by cusco · · Score: 1

      or were Mt. Gox's alleged scam conspirators unusually stupid?

      Considering that most of the company's depositors were unusually stupid I don't think that's much of a stretch.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    4. Re:Planning by JustNiz · · Score: 1

      >> If your business goes bankrupt, then it becomes extremely difficult to launder your supposedly stolen assets.

      Well see that's the thing about a bitcoin wallet with a few million in... Its VERY easy to hide then when the shit has died down, later recover it and untraceably sell the bitcoins.

      The only thing the cops would have to go on would be after the suspect starts selling them, by watching any bank account they have access to and how it suddenly got a bunch of dollars credited to it. I'm sure there are plenty of ways around that if the suspect was even slightly clever about it. (offshore companies/anonymous bank accounts etc). Even just doing a few bucks every now and then rather than an high visibility giant transfer might be enough.

    5. Re:Planning by TheCarp · · Score: 1

      > To be honest, if I were a fraudster, the very last place I'd start is a business that is likely to go
      > bankrupt even if it trades honestly

      But that would assume the fraudster understands these particular dynamics and/or agrees it is likely to go bankrupt even if trading honestly. Frankly, I am not sure I agree with that assessment. Had they operated properly and not fucked up so royally (assuming it wasn't intentional) I don't see why they were likely to go bankrupt.

      It is also entirely possible they didn't even consider stealing until they realized how they could do it.

      Seriously, lots of criminals do things that you can point to and say are pretty stupid moves for a person in their position. Crime is seldom the result of a careful weighing of potential failure modes and consequences.

      Not to mention, an "inside job" could have been the setup. If I was going to do something like this, I would certainly want to be an ex-employee before the shit hit the fan.

      --
      "I opened my eyes, and everything went dark again"
    6. Re:Planning by PRMan · · Score: 2

      Karpeles IS unusually stupid (OK, let's say arrogant and naive). He claimed to have lost 2,000,000 bitcoins until people looked at the PUBLIC blockchain and found that he had previously had access to accounts where some of the "missing" bitcoins were still sitting. Then, all of a sudden, when the Japanese court threatened him with arrest, he was suddenly able to "find" and produce them.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    7. Re:Planning by PRMan · · Score: 1

      Some of the "missing" bitcoins were found in accounts that Karpeles forgot that he had previously told people he had control over. If he weren't the guilty party, wouldn't he have mentioned this upfront. Looks ultra-shady.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    8. Re:Planning by PRMan · · Score: 1

      The people that left their coins sitting on Mt. Gox's servers instead of getting them off immediately? Yes, those people are unusually stupid.

      The people that are buying Lambroghinis ( http://articles.latimes.com/20... ), apartments ( http://www.uproxx.com/webcultu... ) and even castles in Estonia ( http://thebitcoinnews.co.uk/20... ) for mere pennies on the dollar don't seem very stupid.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  9. Re:I blame Beta by 1s44c · · Score: 0

    Really? Is the Beta bashing still going on?

  10. Dear slashdot, by Orgasmatron · · Score: 5, Interesting

    This paper has already been widely dismissed by the bitcoin community. Not that we necessarily think that Mtgox was actually hit by a malleability attack. Just that this paper is nonsense.

    The very short version is that what these "researchers" were looking at isn't actually how the alleged bug would have worked.

    --
    See that "Preview" button?
    1. Re:Dear slashdot, by kasperd · · Score: 4, Interesting

      Just that this paper is nonsense.

      Care to answer a few questions then?

      • How did the transactions found by these researches happen, if not by a malleability attack?
      • If a malleability attack would not result in transactions looking like what was found by these researchers, then what would it look like?
      • What is the explanation for the spike found just after the announcement, if that was not due to copy-cats attempting malleability attacks?
      --

      Do you care about the security of your wireless mouse?
    2. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      Standard bitcoin community response to any bad news: it's not really bad.

    3. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      Dear Bitcoiner,

      I respect the slashdot community and its opinions more than anyone in the bitcoin community.

      Regards,
      Anonymous Tech Geek

    4. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      What is the substance of their dismissal? Telling us "this paper has already been widely dismissed" doesn't help us evaluate the evidence.

    5. Re:Dear slashdot, by radiumsoup · · Score: 1

      you are aware that the groups are not mutually exclusive, right?

    6. Re:Dear slashdot, by kasperd · · Score: 1

      Standard bitcoin community response to any bad news: it's not really bad.

      Except the comment you are replying to said the opposite. It was denying the statement made by these researches saying that the alleged theft did not happen. (I know that's a lot of negations, better count them before replying.)

      --

      Do you care about the security of your wireless mouse?
    7. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      > How did the transactions found by these researches happen, if not by a malleability attack?

      The transactions did happen by malleability attack. What makes you think they did not?

      > If a malleability attack would not result in transactions looking like what was found by these researchers, then what would it look like?

      It would look like any other transaction.

      > What is the explanation for the spike found just after the announcement, if that was not due to copy-cats attempting malleability attacks?

      Yes, this was copy-cats. They failed to steal anything, hence proving the MtGox story is bullshit. Remember that the spike happened after MtGox closed withdrawals.

    8. Re:Dear slashdot, by PRMan · · Score: 1

      Um, no. Transaction malleability is easy to find on any miner's log. I am sure these guys are correct.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    9. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      There are a good number of slashdot hating bitcoiners on reddit/r/bitcoin. Their argument is typically that slashdot does not "get" bitcoin. If you feed google a query such as: [site:reddit.com slashdot does not get bitcoin] you might notice it.

    10. Re:Dear slashdot, by kasperd · · Score: 1

      The transactions did happen by malleability attack. What makes you think they did not?

      The paper suggested they happened due to a malleability attack, I have no reason to think otherwise. It was not me who said that was nonsense.

      It would look like any other transaction.

      The paper carefully explained difference in the looks of the involved transactions. By saying an attack would look like any other transaction, you are contradicting the paper, and you are providing less evidence to support your case than the paper did. Hence the paper is more trustworthy than your statement.

      They failed to steal anything, hence proving the MtGox story is bullshit.

      First of all the paper did not say anything about who those were targeted at, neither if they succeeded. It is likely that they failed to steal anything, but unless the attacks were targeted at you, you cannot know if they succeeded.

      Even if we assume those copy-cats failed to steal anything, that doesn't prove anything.

      Remember that the spike happened after MtGox closed withdrawals.

      Yes, I already quoted that from the paper.

      The observation in the paper was that if it was true, when mtgox said in their announcement, that they have closed withdrawals, then those attacks could not have been directed at mtgox. So they could be excluded from the set of attacks, that could have stolen money from mtgox.

      The observation made in the paper was that the total number of attempted malleability attacks across the entire bitcoin network during the period were the alleged thefts happened were much fewer than the amount of bitcoins, that were allegedly stolen that way.

      I can't figure out who you are trying to say is right - mtgox or the researches. And I don't see much in your comment pointing one way or the other. For now the methodology used in the paper appears sound to me. I haven't seen the raw data though, and due to the nature of the attacks only half the raw data will be in the blockchain. If they did publish the raw data, I don't know if it is possible to independently verify the validity of said data.

      --

      Do you care about the security of your wireless mouse?
    11. Re:Dear slashdot, by Orgasmatron · · Score: 1

      The signature is two values (r,s). These values are stored and transmitted as binary strings. They have a maximum length, but not a minimum. So, if your calculated r is less than 2^248, the most significant byte is all zeros, ditto 2^240 and the next byte.

      The spec says to minimize the encoding, but openssl accepts the padded form. The bitcoin software started refusing to relay transactions with improperly padded transactions, even though they are still valid, if they make it into a block.

      So, as the new version got more popular, the odds of a padded transaction being spread from mtgox to a miner decreased. Note that this only matters for less than 1% of transactions from gox, those that by chance ended up with unusually small values.

      At some point, they basically never spread across the network, but were available through an API. The claimed attack is that people took these transactions, fixed them, and broadcast them. The fixed version would spread, but the original would not.

      In this case, you would never see these as modified transactions by looking at the network, which is what this paper was looking at.

      There are other ways to mutate transactions that are visible on the network, but they don't work very often, since it involves accepting a transaction over the p2p network, changing it, then broadcasting your version in hopes of winning the race to reach a miner first. These do happen, and the researchers do see them. But they aren't particularly useful for scamming mtgox (or anyone else).

      Oh, and did you notice that less than 1% of transactions were vulnerable to the real attack? To extract large sums, you'd need to constantly churn huge bitcoin values into and out of mtgox, profiting on roughly one cycle out of every 128. This would have left huge traces in the blockchain, which no one has noticed so far.

      --
      See that "Preview" button?
    12. Re:Dear slashdot, by Orgasmatron · · Score: 1

      In my opinion, this was most likely incompetence. Or, possibly Mtgox stole from their users (or Mark stole from his own company, which is the same, as far as I'm concerned).

      It is extremely unlikely, in my view, that transaction malleability played much of a role.

      A malleability exploit is something that people might be willing to accept as "could have happened to anyone", so I think it was tried as cover for incompetence of the more ordinary "not clever enough to safely hold other people's money" variety.

      --
      See that "Preview" button?
    13. Re:Dear slashdot, by Orgasmatron · · Score: 1

      I didn't say that mutated transactions didn't exist, or that the researchers haven't actually seen any.

      They certainly do exist, and I have no reason to doubt that the researchers have found some in the wild.

      I'm saying that if such an attack had been responsible for Mtgox's woes (which I and, I think, most others find extremely unlikely), they would not be visible using the methodology discussed in this paper.

      --
      See that "Preview" button?
    14. Re:Dear slashdot, by tulcod · · Score: 1

      This would have been a useful comment if facts would have been about your opinion.

    15. Re:Dear slashdot, by kasperd · · Score: 1

      The bitcoin software started refusing to relay transactions with improperly padded transactions, even though they are still valid, if they make it into a block.

      Are there any plans to stop accepting them in blocks?

      The claimed attack is that people took these transactions, fixed them, and broadcast them.

      I guess we can agree, that the article is not covering this attack, but rather a very different attack.

      but they don't work very often, since it involves accepting a transaction over the p2p network, changing it, then broadcasting your version in hopes of winning the race to reach a miner first.

      The paper says success rate is about 20%

      But they aren't particularly useful for scamming mtgox (or anyone else).

      Why not? If they have 20% success rate compared to the 0.4% success rate in the other rate, why not try it?

      profiting on roughly one cycle out of every 128.

      How do you get that to 128? One out of every 256 would sound more likely to me.

      Either way the conclusion appears to be that money was not stolen from mtgox using any version of the malleability attack. The paper only argued that they weren't attacked with one particular variant, which would still be correct, though an incomplete investigation.

      --

      Do you care about the security of your wireless mouse?
    16. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      It's actually good news if this paper is right - we'd have proof that mtgox is lying, so there'd be a chance of making Karpeles accountable and recovering the funds. On the other hand, the malleability attack is not a fatal flaw in the Bitcoin protocol - it was patched in the official implementation, and apparently also in the software used by some other exchanges.

    17. Re:Dear slashdot, by Orgasmatron · · Score: 1

      No, there is no intention to tighten the blockchain rules at this time. This would cause a hard fork, and breaking compatibility with old versions is not considered lightly.

      Mtgox's software is unique. The reference client, for example, can not be fooled by changing transaction IDs. The frequency of success at actually winning the race to get the modified version into a block only matters if you've written your own software that is totally reliant on transaction IDs.

      There are two values, each with a 1 in 256 chance. 1/256 + 1/256 = 1/128.

      Bitcoin tends to attract fame-seeking researchers making wild claims. This is no different. The paper would be correct if the claim was narrower, that "this one type of mutation out of the many kinds possible, and which no one has suggested as a culprit, was not involved". But the paper is written to make a much broader claim, and I haven't seen the authors going out of their way to mitigate that misunderstanding in the press, much the opposite.

      --
      See that "Preview" button?
    18. Re:Dear slashdot, by ras · · Score: 1

      The very short version is that what these "researchers" were looking at isn't actually how the alleged bug would have worked.

      That is far too short to be useful.

      Mtgox's malleability problem was caused, ironically, by the protocol fixing once source of it. When that happened the network started rejecting mtgox's transactions, in fact they weren't even relayed.

      The paper says the were no malleability attacks of the scale mtgox claims because they didn't see the required number of malleable transactions. This would have been reasonable if the attacker also depended on seeing the malleable transactions relayed by the network. But they didn't. Mtgox provided a web site service that allows you to see the transactions mtgox issued, thus allowing the attacker see every malleable transaction.

      Thus the attack could have been much larger than what the authors of the paper saw, thus invalidating some of the conclusions of the paper. Particularly the conclusions regarding mtgox, unfortunately.

    19. Re:Dear slashdot, by kasperd · · Score: 1

      No, there is no intention to tighten the blockchain rules at this time. This would cause a hard fork, and breaking compatibility with old versions is not considered lightly.

      And it should not be taken lightly. But as I understand it, such forks have been done in the past, and another one will be needed due to transaction volume approaching a hard limit imposed by the current rules. The particular tightening of the rules about signatures could piggyback on another update, which would cause a fork. Is there any reason not to piggyback it on the next fork?

      Mtgox's software is unique. The reference client, for example, can not be fooled by changing transaction IDs.

      And of course changing the reference implementation to mitigate security bugs in alternative implementations has far lower priority than getting the actual bugs in those alternative implementations fixed.

      There are two values, each with a 1 in 256 chance. 1/256 + 1/256 = 1/128.

      That makes sense. So the success probability is about 0.8%.

      But the paper is written to make a much broader claim, and I haven't seen the authors going out of their way to mitigate that misunderstanding in the press, much the opposite.

      The news sites I follow haven't picked up anything except from the original paper.

      I believe their research is incomplete, but is there anything incorrect in the research they did perform? And is there anything wrong about the conclusion they reached, which was that transaction malleability cannot explain the bitcoins disappearing from mtgox?

      --

      Do you care about the security of your wireless mouse?
    20. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      But as I understand it, such forks have been done in the past, and another one will be needed due to transaction volume approaching a hard limit imposed by the current rules.

      Sorry to reply off-topic, but this part isn't true. We'll just start using more off-chain transactions. If we forked every time transaction volume neared the limit then there would be no point in any limit at all, or in floating transaction fees.

    21. Re:Dear slashdot, by kasperd · · Score: 1

      Sorry to reply off-topic, but this part isn't true. We'll just start using more off-chain transactions.

      That's actually not off-topic at all. The description of off-chain transactions mention that one way to do it is through the use of trusted third parties such as Mt. Gox! It does proceed to describe how a system could potentially be designed with auditing that can prove if fraud is happening, which would be an improvement, but it does not suggest any way to avoid such fraud.

      If we forked every time transaction volume neared the limit then there would be no point in any limit at all

      Sure there would. Requiring manual action to increase the transaction volume could protect against some kinds of DoS attacks, which would be possible, if there was no limit.

      You can validate the chain of block headers without ever seeing the content of the blocks. The signature on individual transactions and their ancestors can be validated without ever seeing the full blocks, you just need a path from the block header to the transaction, which is only logarithmic in size. There are two reasons this is insufficient to solve the scalability problem. First of all the number of ancestors of a transaction could grow exponentially over time. Secondly checking for double spending requires a complete view of all the transactions in all the blocks. Solve those two problems, and you have solved the scalability problem.

      --

      Do you care about the security of your wireless mouse?
    22. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      The description of off-chain transactions mention that one way to do it is through the use of trusted third parties such as Mt. Gox! It does proceed to describe how a system could potentially be designed with auditing that can prove if fraud is happening, which would be an improvement, but it does not suggest any way to avoid such fraud [...] Requiring manual action to increase the transaction volume could protect against some kinds of DoS attacks, which would be possible, if there was no limit.

      There is no consensus yet as to how to avoid this fraud (which is why it shouldn't be on the wiki), but IMHO we should consider Open-Transactions servers. We could for example use multiple servers and trusted computing to vote (p2sh) on where large balances go, which would be much more secure than lone servers run by a single party like MtGox.

      Transaction fees prevent DoS attacks too, even with infinite block size.

      That being said, I still think that off-chain transactions are a bit of a kluge. Some way of infinitely scaling in-chain transactions, while still providing an incentive to mine long-term, would be awesome.

    23. Re:Dear slashdot, by kasperd · · Score: 1

      Transaction fees prevent DoS attacks too, even with infinite block size.

      I don't think so. Let's say somebody wants to perform a DoS attack spending as few bitcoins as possible. Just take a tiny amount of bitcoins and spend it all on transaction fees one satoshi at a time. With transactions spending one satoshi in fee and not actually transferring any bitcoins anywhere, miners would have incentive to include those transactions in the blocks. After all, if there is no limit on the block size, a miner may as well take that additional fee.

      That being said, I still think that off-chain transactions are a bit of a kluge.

      I absolutely agree.

      Some way of infinitely scaling in-chain transactions, while still providing an incentive to mine long-term, would be awesome.

      This I also agree with, except from one detail. The current proof-of-work approach is wasteful and must be replaced by something else. There are some ideas about proof-of-stake, which may be suitable at some point.

      --

      Do you care about the security of your wireless mouse?
    24. Re:Dear slashdot, by Anonymous Coward · · Score: 0

      Transaction fees prevent DoS attacks too, even with infinite block size.

      I don't think so. Let's say somebody wants to perform a DoS attack spending as few bitcoins as possible. Just take a tiny amount of bitcoins and spend it all on transaction fees one satoshi at a time. With transactions spending one satoshi in fee and not actually transferring any bitcoins anywhere, miners would have incentive to include those transactions in the blocks. After all, if there is no limit on the block size, a miner may as well take that additional fee.

      Good point; a 1-satoshi fee is practically a zero fee. I should have said "significant" fees prevent DoS attacks - if block size were infinite then transaction fees would need a minimum.

      The current proof-of-work approach is wasteful and must be replaced by something else. There are some ideas about proof-of-stake, which may be suitable at some point.

      If you think proof-of-stake is secure enough, then you should try "Peercoin" (also called PPCoin). It seems to be working out OK so far.

  11. Re:I blame Beta by Dishevel · · Score: 0

    Yes. It will continue till those who hate beta pick up and leave. I wonder if the final numbers will hurt Dice?

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  12. Re:I blame Beta by kaizendojo · · Score: 1

    Yes, because if you come here from an RSS link and choose to go to the classic site, you're looped right back into beta. It's more than an annoyance and it took me a few tries befoer I figured out that I was better off cut and pasting the link in direct. I'm really starting to sour on the whole experience - and since 90% of what /. posts lately is stuff that I've already seen on a number of my source feeds, the only reason to come here is for the comments - whcih beta is making it hard to get to. Give it a rest Dice. Slashdot is never going to be a major profit center. Either give it up, or lose all readership.

  13. Re:sounds like it really was sheer incompetence... by Aaden42 · · Score: 1, Insightful

    then I’m VERY sure that you had a LOT of other security flaws unpatched on your servers.

    Transaction malleability is a lot different than having an unpatched OpenSSL on your server or something. Security bugs in unpatched software are a thing that are well-understood by sysadmins and security researchers. Weaknesses in the cryptography underlying Bitcoin are truly understood by perhaps a handful of people on the Earth at this time. It would be nice to presume that an organization positioning itself as an exchange for Bitcoin would have that expertise on staff, but you can’t meaningfully compare the two things. Additionally, this isn’t an unpatched security flaw where upgrading to Bitcoin 1.1 would have fixed the issue. It’s a weakness inherent to the Bitcoin protocol which may or may not be able to be repaired without invaliding all existing BTC transactions.

    The research in TFA seems to confirm the existing belief that this attack is very unlikely to pull off in the real world, therefore the severity of it seems low.

    there are SURE to be a LOT more hidden flaws bleeding bitcoins like crazy

    Really? Please do share your cryptography credentials that qualify you to analyze the Bitcoin protocol and arrive at this certainty. Unless you’re prepared to present “a meaningful interpretive dance that compares and contrasts cache-based timing, and other side channel attacks and their countermeasures,” (http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html), I rather doubt you’ve got the background to comment meaningful on undiscovered weaknesses in the Bitcoin protocol.

  14. Re:sounds like it really was sheer incompetence... by PRMan · · Score: 1

    This was a KNOWN and PUBLISHED flaw since 2011, along with clear instructions about how to avoid it. Any casual first-time programmer of bitcoin would have seen this when learning how to program bitcoin (it's on the Wiki: https://en.bitcoin.it/wiki/Tra...). Mt. Gox, having been around since 2010, could have not noticed I suppose, except that Gavin Andreson (the lead bitcoin developer) is on record as having warned them about this flaw multiple times. And it was brought up in a Bitcoin Foundation meeting where Karpeles was present.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  15. Tom = multiple /. sockpuppet using scum by Anonymous Coward · · Score: 0

    Let's let TOM speak shall we:

    "I'm having great conversations on this site with one of my alias accounts" - by Tom (822) on Monday April 07, 2014 @02:29PM (#46686259) Homepage

    FROM -> http://slashdot.org/comments.p...

    BY THE WAY TOM: Using your sockpuppet fake /. registered luser accounts to downmod the 1st time I posted this, trying to *vainly* & effetely "hide it", since it serves in exposing you?

    Weak -> http://slashdot.org/comments.p...

    AND

    As was said there regarding your post I am replying to?

    It also explains your +5 up mod on that post of yours I replied to there exposing you in this...!

    (Easy to get using YOUR sockpuppets, admittedly, to mod up your other registered account posts too, isn't it? Yes, it is -> http://slashdot.org/comments.p... )

    It's going to be reposted again, anyhow - have fun blowing your modpoints, which you'll run DRY of, & then I'll just post it again... lol (I always, win).

    APK

    P.S.=> Tom *tried* to libel me & failed after I destroyed him in a technical debate on hosts files... result?

    Tom ended up "eating his words" here http://slashdot.org/comments.p... spiced with "the bitter taste of SELF-defeat" + HIS FOOT IN HIS MOUTH

    ... apk

  16. Re:sounds like it really was sheer incompetence... by mbkennel · · Score: 1


    Wouldn't that be more suggestive evidence of a scam? The bug/flaw was clearly and forcefully presented to MtGox, which intentionally didn't patch it because it would be useful cover for insider theft.

  17. Is it actually illegal? by Anonymous Coward · · Score: 0

    They weren't a bank as far as I know, so is there actually anything illegal about people giving you their money and then leaving with it?
    I mean if some guy on the street hands me $1000 and I don't hand him a receipt, how is he ever going to prove anything?
    As far as I'm concerned things like this are a stupid tax.

  18. yuor mom sucked on my befoer by Anonymous Coward · · Score: 0


     

  19. Re:sounds like it really was sheer incompetence... by ras · · Score: 1

    Security bugs in unpatched software are a thing that are well-understood by sysadmins and security researchers.

    Really? The bitcoin is valued at several billions of dollars. The reward for breaking Keccak was academic creds. The reward for breaking bitcoin is notoriety for life, and being set for life as well. Besides, you do know that nothing in Bitcoin is encrypted, right? There is one signature and a lot of hashing. There isn't even a nonce.

    Additionally, this isn’t an unpatched security flaw where upgrading to Bitcoin 1.1 would have fixed the issue. It’s a weakness inherent to the Bitcoin protocol which may or may not be able to be repaired without invaliding all existing BTC transactions.

    Said like a person who is eager to prove he doesn't know much about the subject he is commenting on. It wasn't the upgrade to bitcoin 1.1 that fixed the issue, it was the upgrade to bitcoin 0.9.0. It happened last month. It didn't invalidate anything.

  20. Well, that is the whole point of BitCoin. by Anonymous Coward · · Score: 0

    Isn't it? Scamming morons for their "real" money and property. At least the tulip bulbs were real!

  21. NSA and Cloudflare by Anonymous Coward · · Score: 0

    MtGox was subverted by Cloudflare and NSA. MtGox relied on Cloudflare for much of their hosting to counter denial-of-service attacks. NSA was aware of this and instructed Cloudflare to hook in and give them all sensitive data passing through. Cloudflare is a man in the middle, and any internet service handling sensitive data must stay away from them.

  22. Aaaaaandd by Anonymous Coward · · Score: 0

    It's gone!

  23. free bitcoins by Anonymous Coward · · Score: 0

    http://freebitcoin.wmat.pl/faucet/?id=4234