
Bitcoin's Software Gets Security Fixes, New Features (173 comments)

Posted by Unknown Lamer
from the don't-modify-that-transaction dept.
itwbennett (1594911) writes "The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin's software, 0.9.0, contains more than a half-dozen fixes for transaction malleability, according to the release notes for the software. Bitcoin Core also contains a new feature for payment requests. Previously, merchants couldn't attach a note describing an invoice, and people also could not supply a refund address to a merchant. The latest version automatically supplies a refund address." This wouldn't have prevented the Mt. Gox implosion since they weren't using the reference implementation. The foundation also renamed the software to "Bitcoin Core" to avoid confusion between Bitcoin-the-network and Bitcoin-the-reference-implementation.
  • What? (Score:3, Funny)

    by DogDude (805747) on Thursday March 20, 2014 @10:32AM (#46534723) Homepage
    Are you fucking kidding me? Bug fixes for a currency?

    I'd be real curious to see how many Bitcoin users are also Amway and Herbalife salesmen.
    • Re:What? (Score:5, Informative)

      by pla (258480) on Thursday March 20, 2014 @11:04AM (#46535091) Journal
      Are you fucking kidding me? Bug fixes for a currency?

      Why? The Federal reserve calls these "Quantitative Easing". We've had three major patches in as many years, along with quite a few minor updates to those outside the normal update release cycle.
      • Re:What? (Score:5, Interesting)

        by TheCarp (96830) <sjc@cGINSBERGarpanet.net minus poet> on Thursday March 20, 2014 @11:27AM (#46535379) Homepage

        Um actually I believe you mean the treasury calls this "A new series". You know, like that line of purple spooge they put across some of the new bills.

        Turns out, older series of the "Cash" currency had bugs which allowed for unscrupulous parties to make copies and double spend. So the treasury has released a patch, which is rolled out as they get their hands on older series bills and destroy them to be replaced by the new ones.

        Don't get me wrong, I am ready, willing and able to get into some fed hate, but this is just a better example.

        • by pla (258480)
          Um actually I believe you mean the treasury calls this "A new series". You know, like that line of purple spooge they put across some of the new bills.

          Ah, good point, that does make a better example than mine. :)
        • by DaveV1.0 (203135)
          That is not a bug fix because it wasn't a bug. That is making an upgrade to cope with technological change. In essence you are saying that the Unix password hash was buggy because technology improvements made it possible to brute force it thus making it necessary to implement the shadow file.
          • by ultranova (717540)

            In essence you are saying that the Unix password hash was buggy because technology improvements made it possible to brute force it thus making it necessary to implement the shadow file.

            Yes, it was a bug to leave password hashes in a publicly readable file. Even if hashing was a magical algorithm that always took the same amount of time regardless of CPU, leaving the hash in the open allowed a potential attacker to try a dictionary attack without alerting anyone. It was simply idiotic.

            • by DaveV1.0 (203135)
              If the dictionary attack were to take an average of 2 trillion years to guess a single password, would it still be "simply idiotic"? Remember that most encryption would fall in that time frame.
              • by TheCarp (96830)

                A DICTIONARY ATTACK..... takes.... "Trillions of years"? I don't think so. Maybe a brute force, but, password standards TODAY lead to passwords that can be easily guessed by machines. Exposed hashes allow the attack to be done offline at the attacker's leisure.... it was never a good idea, and the level of protection you are postulating never existed for those very reasons.

                But yes, I guess its true, if you have really good, "lifetime of the universe to guess" passwords, and ALL of the passwords on the syste

          • by TheCarp (96830)

            I was thinking some more about this and really....isn't it just semantics at this point? You could say it wasn't a bug in bitcoin that was fixed either. A number is the same number zero padded or not.... that is why transactions were "mutable", not because the signature number changes, but because zero padding doesn't change a number.

            The bug was not even in bitcoin really. Bitcoin protocol specified that hashes should not be zero padded, and gox was zero padding. That's the bug. In fact, if you really want

      • by DaveV1.0 (203135)
        Um, no. You don't understand the term Quantitative Easing if you actually believe that.
      • by 1s44c (552956)

        Are you fucking kidding me? Bug fixes for a currency?
        Why? The Federal reserve calls these "Quantitative Easing". We've had three major patches in as many years, along with quite a few minor updates to those outside the normal update release cycle.

        That's nothing like the same thing. The Fed prints more money to bail out their irresponsible friends. Bitcoin adds features that do something useful.

    • by Chrisq (894406)

      Are you fucking kidding me? Bug fixes for a currency?

      Not unprecedented in the real world: New pound coin designed to combat counterfeiting [bbc.co.uk]

    • Are you fucking kidding me? Bug fixes for a currency?

      Governments are often adding security features to curtail counterfeiting... that's a real world bug fix of currency. And just as in the digital world it is a battle of escalation. "He pulls a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue!" In any case Sean Connery gets a royalty check...

    • by 1s44c (552956)

      Are you fucking kidding me? Bug fixes for a currency?

      Software gets updated now and then for enhancements and improvements. Don't you know anything about software? I thought this was slashdot.

    • by toddestan (632714)

      Well, it's not unprecedented. Off the top of my head:

      * The relief on the design was lowered after the first year of the Peace Dollar (1921) because the original relief kept breaking the dies.
      * The original design of the Morgan dollar has eight feathers in the tail of the eagle. Eagles always have an odd number of tail feathers so the design was changed to 7 sometime during the first year of minting (1878).
      * The original 1883 Nickel had only "V" as the denomination (no cents) which led to people dipping t

  • by Anonymous Coward on Thursday March 20, 2014 @10:34AM (#46534747)

    Thanks, Dorian!

  • LOL .. 0.9.0? (Score:2, Insightful)

    by gstoddart (321705)

    Do people expect someone to take seriously a piece of software to manage financial transactions with a version like that?

    Sorry, but some of us have always looked at BitCoin and thought some combination of "why?" and "no frigging way".

    New stories over the last few months aren't doing anything to change that.

    This whole thing sounds like it's several years away from being trustworthy, by which point it will either be regulated by governments, or controlled by corporations.

    But, hey, if you want to put your mone

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      While I do agree calling it something like 0.9.0 is stupid would it make a difference if it was called 9.0? It's the same software.

      • by gstoddart (321705)

        While I do agree calling it something like 0.9.0 is stupid would it make a difference if it was called 9.0? It's the same software.

        Major vendors do the same thing.

        The thing is, the customers still know you went from 1.1 to 9.2, and they assume it's a steaming heap of beta and stay away from it for a while.

        But, for me, between the news coverage and relative newness of this, I just don't see why I would be inclined to either want it or trust it.

        That doesn't mean it doesn't sound vaguely cool. But it also isn

        • Rules and laws aren't for the rich and powerful, they are for us commoners. The rich and powerful have their own rules, which mostly fall around making rules and laws for everyone else to obey. Feinstein didn't care about spying on Americans until it hit her, then she became outraged. The game is corrupted beyond comprehension. The only recourse we have is complete and utter disdain for all rules and laws that are used to control us, that do not apply to the rich and powerful.

        • by Kremmy (793693)
          The system of rules and laws is really important to bring up in this context, and the reason for that is because of the protections that people enjoy due to the banking system. I've seen some arguments talking about how BitCoin is vulnerable to all kinds of things that fiat isn't, and the reasons they bring up are the banks and the banking system. But the problem with that in my eyes comes from the fact that the fiat currency doesn't have any of those protections whatsoever, they come only from the banking
      • Yes, it would make a difference. Any other questions?
      • 0.9.0 usually indicates that the developers themselves don't believe it is production quality.

    • The nature of capital investment: getting in early gives you high profit expectation, with high risk of spectacular failure. Getting in late when things have stabilized, gives lower risk with low expected return.
    • Re:LOL .. 0.9.0? (Score:4, Interesting)

      by QuasiSteve (2042606) on Thursday March 20, 2014 @10:53AM (#46534953)

      Do people expect someone to take seriously a piece of software to manage financial transactions with a version like that?

      Sure, why not?

      Apparently we can't take FireFox seriously because it's at version 28(!) (nevermind that Chrome is at 33.0.1750.154 (dude what?)) either.

      So, should everything just be labeled v1.0 eternally (or v2.0 for the people who never trust first releases) based on the psychological effects of a version number?

      • It's not a psychological effect but a very well-known convention that the major version number 0 is reserved for beta releases.
        • So would you prefer unstable software labeled "release quality" with a version number of 9.0?

          • by 1s44c (552956)

            So would you prefer unstable software labeled "release quality" with a version number of 9.0?

            Heh. Windows users. Heh.

        • Which, in turn, means nothing more than "we think this release is pretty good, but we want everybody to hammer away at it until we can be sure"; which is exactly what happened, and why there was another release. Note that the issue found wasn't nearly as devastating as a myriad of issues surrounding Bitcoin that has nothing to do with the reference client and protocol.

          Perhaps it's time to re-evaluate what version numbers actually mean. Or, as many other developers seem to have done, let version numbers go

          • by DaveV1.0 (203135)
            Appearances matter. What does it say that the developers and project managers don't think a piece of software is ready after 2, 5, even 10 years of "we think this release is pretty good, but we want everybody to hammer away at it until we can be sure"?

            Why is it that the output of the process is never deemed to meet the design specifications? Is it that the specifications keep changing? Is it that the developers aren't up to the task? Is it that the design is fundamentally flawed? Why is it that the softw
            • Appearances matter. What does it say that the developers and project managers don't think a piece of software is ready after 2, 5, even 10 years

              You're still arguing that 0.x means they don't think it's 'ready'. Maybe they really do think that, hell if I know - as per your second paragraph, 'ready' may well be a moving target as it is. Does that mean it "doesn't pass muster"?

              How many people adopted Gmail *in production* even though it was in beta, explicitly labeled as such, for years?

              OP's beef was clearly

              • by DaveV1.0 (203135)
                If they thought it was ready, they would move it out of beta and give it a version number of one. Otherwise, they are publicly saying, whether they mean to or not, that the software does not pass muster in their own eyes.

                A moving target for being "ready" is a sign of bad design and/or bad management.

                Many people doing one thing is not a reason nor an excuse to do a different thing. (this is the fallacy that two wrongs make a right)

                While you may be right, this is caused by the abuse of the standard ver
      • by DaveV1.0 (203135)
        That would be FireFox version number 28.0.0 and Chrome major version 33, minor version 0, patch level 1750, build 154.

        Or, don't you know how version numbers work?
        • Oh I do, but what does it actually tell me?

          Should I be waiting for build 1 of patch level 1751 because clearly patch level 1750 needed 154 builds just to make it out and I don't know if I can trust a patch level that needs that many builds.

          Or better yet, major version 34.0.0.0? Or would that again be bad because first releases are always still going to have residual bugs that don't pop up until millions of people have worked with it?

          I know what it technically tells me, but apparently we're mostly going off

          • by DaveV1.0 (203135)
            Seeing as you don't know if there will be a major version 34.0.0.0, or if it will be worth waiting for it, you are asking a foolish question akin to "Should I not date this woman because I might meet someone better later?" Does version 28 do what you need and want while whatever version or other software you are using now doesn't? Yes? Then use it. Otherwise, why change? Version changes are solely due to bugs. New requested features, user requested changes to the UI, even changes in standards or outside A
            • Your argument relies on ignoring the "why" and "what" of the change while asking "should I adopt the change", making the question unanswerable.

              Which is different from what people further up in the comment stream have been trying to say, by ignoring the actual merits of the version and instead concentrating on the version number and equating that to a presumed state, how?

              Or is it only special when it's < 1.0 ?

              • by DaveV1.0 (203135)
                Seeing as anything under version 1.0 is considered a beta version, yes. That is the point.
          • It tells you that 28 versions ago Mozilla believed, themselves, that Firefox was ready for production.

        • by reikae (80981)

          They work exactly like the developers in question want.

      • by sootman (158191)

        > So, should everything just be labeled v1.0 eternally
        > (or v2.0 for the people who never trust first releases)
        > based on the psychological effects of a version number?

        Yes. And the price should end in 99. :-)

    • Re:LOL .. 0.9.0? (Score:4, Interesting)

      by ratboy666 (104074) <fred_weigel AT hotmail DOT com> on Thursday March 20, 2014 @10:54AM (#46534965) Homepage Journal

      But... I assume you are in the US or Canada. Didn't your currency just get a bug fix update for anti-counterfeiting? An update to the US $100 bill was released October 2013. Obviously, you can't trust that yet -- give it a few years.

      As to being "regulated" by government, -- what is that, exactly? BTC is one possible crypto-currency, so it is of interest what you think this "regulation" should look like.

      • by gstoddart (321705)

        As to being "regulated" by government, -- what is that, exactly? BTC is one possible crypto-currency, so it is of interest what you think this "regulation" should look like.

        Banking laws. Deposit protection. Rules about how they can't just decide that your money is now their money. Legal oversight.

        There's also a huge difference between issues of government notes (which are still legal tender even if someone counterfeits them), and the underlying system of transfers and transactions.

        To me, Bitcoin and all

        • by hodet (620484)

          Who's replacing all of their money with bitcoin? It's not a replacement, it's just another option for some circumstances and it will get better as time goes on. Really, it's not a football game, there is no home team, you can use both if you so choose.

        • by Agent0013 (828350)

          Rules about how they can't just decide that your money is now their money. Legal oversight.

          I think the government can just decide that all your money is now their money. If it's in a bank account they can freeze it without you even getting a trial. Perhaps after a trial you may get it back, but how do you afford your attorney without your money is your problem. And if you have it as cash, the police have seized it without any evidence or trial that it must be drug money and so they can confiscate it. One poor couple I read about was going out to buy a car with cash and had the cops take all their

        • Banking laws. Deposit protection. Rules about how they can't just decide that your money is now their money. Legal oversight.

          You're talking about online wallets, not Bitcoin. Bitcoin isn't banking, and doesn't have deposits, just a note in a shared database that says a certain number of bitcoins were sent to your address, and can be sent on to someone else if you supply a transaction signed with a certain key (or set of keys). It's all just communication and consensus, which puts any attempt to regulate Bitcoin itself on fairly shaky ground with regard to the First Amendment in the U.S., or freedom of speech in general internatio

      • by DaveV1.0 (203135)
        You are confusing a problem fix with a change to cope with improved technology. This is like saying lack of wifi support in software developed before there was wifi is a bug.
    • Re:LOL .. 0.9.0? (Score:5, Insightful)

      by Jeremi (14640) on Thursday March 20, 2014 @10:57AM (#46534993) Homepage

      Do people expect someone to take seriously a piece of software to manage financial transactions with a version like that?

      Apparently people do take it seriously, so it looks like the answer is yes.

      Staying in the 0.x range for a long time is typical for open-source software -- a lot of packages don't go to 1.0 until they have been in use for many years. It doesn't necessarily imply anything bad (or good) about the reliability of the software.

      If BitCoin was commercial software, no doubt it would be up to Version 7 Professional Platinum Collector's Edition now... but then again, if it was commercial software, it would probably be closed source, and therefore nobody would trust it enough to use it, and we wouldn't be having this conversation.

      • by DaveV1.0 (203135)

        Staying in the 0.x range for a long time is typical for open-source software -- a lot of packages don't go to 1.0 until they have been in use for many years. It doesn't necessarily imply anything bad (or good) about the reliability of the software.

        This is an abuse of the standard version numbering system so that when a critical bug appears, they can say "but it is still in beta so what do you expect". That so much open source software is in perpetual beta is not a good thing, especially when one is trying to sell one's bosses on using it and they see anything under version 1.0.0 as being beta software and thus unreliable.

        Personally, I see perpetual beta as an attempt to abdicate responsibility for the software by never saying it is ready for use b

        • by reikae (80981)

          There is no need to covertly abdicate responsibility, when it's spelled out clearly in every license I've ever read that the developers take no responsibility whatsoever.

    • Re:LOL .. 0.9.0? (Score:5, Informative)

      by Animats (122034) on Thursday March 20, 2014 @10:59AM (#46535027) Homepage

      The base Bitcoin technology is surprisingly good. Nobody has been able to double-spend yet. The "malleability" bug has to do with programs which incorrectly decide a transaction didn't go through and redo it.

      Most of Bitcoin's problems aren't with the software. Bitcoin's irrevocable money sends to anonymous remote parties are the con man's dream. At last, you can rip people off without ever giving them enough info to find you. That's why Bitcoin is such a scumbag magnet.

      Mt. Gox's problems stem from a combination of incompetence and criminal activity. They're not technical. Karpeles was running a business that handled a billion dollars a year without an accountant, a controller, an inside auditor, an outside auditor, or a compliance officer. You can't do that and succeed. You have to have enough separation of functions that no employee can steal without detection. Mt. Gox didn't have that. Probably so that Karpeles could steal.
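The zero-padding point TheCarp makes further up (a DER integer is the same number with or without a redundant leading zero byte) and Animats' point above (the bug bites software that keys on a transaction id and re-sends when the expected id never shows up) in one added example. This is my code, not code from the thread, from Bitcoin Core or from Mt. Gox. It encodes a constructed (r, s) pair as DER twice, once canonically and once with a redundant leading zero, shows that a permissive parser reads both as the same signature while the hash of the surrounding transaction bytes differs, and shows the strict-DER check a receiver can apply so only the canonical form is accepted. R_SAMPLE, S_SAMPLE and the TX_PREFIX/TX_SUFFIX bytes are constructed placeholders, not real signature or transaction data; the id is the usual double SHA-256.

```python
import hashlib

# Constructed sample values (not a real ECDSA signature or transaction).
R_SAMPLE = 0x7A3B
S_SAMPLE = 0x80C1
TX_PREFIX = b"constructed-tx-bytes-before-scriptSig:"
TX_SUFFIX = b":constructed-tx-bytes-after-scriptSig"


def der_int(value: int, pad: bool = False) -> bytes:
    """DER INTEGER for a positive value. Canonical form adds a single 0x00
    only when the top bit is set (to keep the number positive); pad=True
    adds one more redundant 0x00, the 'zero padding' the thread talks about."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    if pad:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_sig(r: int, s: int, pad: bool = False) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } using short-form lengths."""
    inner = der_int(r, pad) + der_int(s, pad)
    return b"\x30" + bytes([len(inner)]) + inner


def decode_lenient(sig: bytes) -> tuple:
    """Read (r, s) the way a permissive parser does: int.from_bytes ignores
    leading zero bytes, so every padded variant decodes to the same numbers
    and therefore verifies as the same signature."""
    if sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    return values[0], values[1]


def is_strict_der(sig: bytes) -> bool:
    """Accept only the single canonical encoding of (r, s): correct tags and
    lengths, no negative integers, no 0x00 byte that the sign bit does not
    require. Anything else is rejected before it is relayed or recorded."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        return False
    pos = 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            return False
        length = sig[pos + 1]
        start, end = pos + 2, pos + 2 + length
        if length == 0 or end > len(sig):
            return False
        body = sig[start:end]
        if body[0] & 0x80:                                   # would be negative
            return False
        if length > 1 and body[0] == 0x00 and not (body[1] & 0x80):
            return False                                     # redundant padding
        pos = end
    return pos == len(sig)


def txid(sig: bytes) -> str:
    """Double SHA-256 over the constructed transaction bytes around the
    signature; the signature bytes are part of what gets hashed."""
    raw = TX_PREFIX + sig + TX_SUFFIX
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


def compare_encodings() -> dict:
    """Both sides of the story for the sample (r, s): same signature value,
    different transaction id, and only one form passes the strict check."""
    canonical = der_sig(R_SAMPLE, S_SAMPLE)
    padded = der_sig(R_SAMPLE, S_SAMPLE, pad=True)
    return {
        "same_signature_value": decode_lenient(canonical) == decode_lenient(padded),
        "same_txid": txid(canonical) == txid(padded),
        "canonical_is_strict": is_strict_der(canonical),
        "padded_is_strict": is_strict_der(padded),
    }


if __name__ == "__main__":
    for key, val in compare_encodings().items():
        print(f"{key}: {val}")
```

The practical lesson for anyone writing exchange or wallet back-end code is in the last two keys: a tracker that waits for a specific txid can be made to believe a payment never happened, so either reject non-canonical signatures at the door with a check like `is_strict_der`, or match payments on what cannot be re-encoded (the inputs spent and the outputs paid) rather than on the id alone.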

      • Re:LOL .. 0.9.0? (Score:4, Insightful)

        by IamTheRealMike (537420) <mike@plan99.net> on Thursday March 20, 2014 @11:30AM (#46535401) Homepage

        Most of Bitcoin's problems aren't with the software. Bitcoin's irrevocable money sends to anonymous remote parties are the con man's dream. At last, you can rip people off without ever giving them enough info to find you. That's why Bitcoin is such a scumbag magnet.

        You can turn that around and make the same criticism of credit cards, from the seller's perspective. They're also a scumbag magnet. Trying to sell anything with credit cards is a fraud nightmare. Banks routinely approve transactions that are later reversed due to card detail theft, and the seller is just expected to suck it up. I've seen what big sellers have to do to control fraud. And sellers matter: it takes two to tango!

        That said, Bitcoin can theoretically do dispute mediated transactions (where they could be reversed later in case of seller fraud). However the user interfaces and workflows for this are immature and so in practice it's not done much today. Perhaps this year we will see that change.

    • Re:LOL .. 0.9.0? (Score:5, Insightful)

      by IamTheRealMike (537420) <mike@plan99.net> on Thursday March 20, 2014 @10:59AM (#46535029) Homepage

      The point of using such a version number is exactly to remind people that Bitcoin is new and experimental. It's quite possible to understand that something is a risky experiment, yet still take it seriously - these two things are not incompatible.

      But, hey, if you want to put your money into a currency which is still getting bug fixes, go right ahead. That's your choice.

      Banks and governments routinely have to upgrade banknotes and other forms of security on their own money, which you can see as "fixing bugs" in the sense that the ability to counterfeit is a bug. Development never really stops, so a 0.9 vs 1.0 is an entirely arbitrary line in the sand.

    • So, essentially it has nothing to do with facts to you, but rather image. I guess they just need to call it Bitcoin 13.04.

      • by 1s44c (552956)

        So, essentially it has nothing to do with facts to you, but rather image. I guess they just need to call it Bitcoin 13.04.

        You are exactly right, but don't underestimate the effects of image. Why not just add a 1. to the start of the number? Sun did pretty much that with their Solaris version numbers.

    • by higuita (129722)

      You don't use computers, right? When did a version number have anything to do with the quality of the software?

    • This whole thing sounds like it's several years away from being trustworthy

      The currency is trustworthy, to the best of anybody's knowledge. The systems around it are very immature.

      Some friends of mine run a medical first aid charity and just yesterday all of their donations were stolen [fr33aid.com] from their blockchain.info account.

      Aside: apparently the way this works is you log onto the site and enter your password, and Google Authenticator, and then it downloads your wallet to the local machine, where it's decrypted

    • by Kremmy (793693)
      I feel that you likely don't understand the process of development and the meaning of the version number.
      The version number, "0.9.0", in this case represents a Pre-Release snapshot of the software code. You can tell because the first number, the Major version number, is 0. This usually means that the software is currently in development and is hopefully actively being worked on. In this case, we're being given information about a NEW release, which is versioned '0.9.0'. In other words, things are progressi
    • by 1s44c (552956)

      Have you seen the current banking system? Credit cards have the same username and password. It's written in big numbers on the front of the card. Checks only need one easily faked signature. PIN numbers on bank cards are only 4 digit numbers. Magnetic strip bank cards can be easily copied with cheap equipment. Identity theft is rampant due to insecurity everywhere. North Korea has been printing US dollar notes for years now, the copies are so good US banks can't even tell the difference.

      BitCoin, or somethin

  • by Anonymous Coward

    If you want to join the experiment and get some Bitcoin, this software is not a good choice for your wallet. The official Bitcoin client does not support any way of securing your Bitcoins against theft through malware. While the wallet can be encrypted, you have to decrypt it to use it, and at that time, your BTC are up for grabs by any of a multitude of BTC stealing trojans. (The official client software is what's called a hot wallet. You shouldn't use a hot wallet for any amount that you can't afford to l

  • To me, a version 1.00 means it's not ready for primetime. I'd say that's accurate, even though the crap we're hearing about isn't the software itself.

  • But I was told that manipulating currencies was always bad, and that Bitcoin was completely different than The Dreaded Fed (TM)!

    • Of course Bitcoin can be changed. You can make a version of Bitcoin in which, for example, the supply is raised. All you then need to do is convince the network that your version is the authoritative version, and all you need for that is to bribe a few pool operators who have unsurprisingly little interest in that sort of thing happening.

      The currency can't practically be manipulated at this time. The market can always be manipulated, of course.

  • A better title would be: Bitcoin protocol is insecure if used badly

  • ....after the Bitcoin horse has bolted
    • by ras (84108)

      Yeah, you could be forgiven for thinking that from the headline, or indeed the linked story. Both are wrong.

      Yes, the transaction malleability issues were fixed. But no, mtgox woes weren't caused by transaction malleability. Yes, I realise mtgox claims they were, and I realise the popular media swallowed that line without questioning it too much. In reality it was at best tangentially related and mtgox's statements on the issue were PR statements designed to keep customers, not an explanation of what h
