A Lost Bitcoin Wallet Passcode Helped Uncover a Major Security Flaw 22
After a tech entrepreneur and investor lost his password for retrieving $100,000 in bitcoin and hired experts to break open the wallet where he kept it, they failed to help him. But in the process, they discovered a way to crack enough other software wallets to steal $1 billion or more. From a report: On Tuesday, the team is releasing information about how they did it. They hope it's enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off what would be one of the largest heists of all time.
Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven't been told, often because their wallets were created at cryptocurrency websites that have gone out of business. The story of those wallets' vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee. "Open-source ages like milk. It will eventually go bad," said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.
Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven't been told, often because their wallets were created at cryptocurrency websites that have gone out of business. The story of those wallets' vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee. "Open-source ages like milk. It will eventually go bad," said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.
The Accidental Bug Hunter's Guide to Lost Bitcoin (Score:2)
Re: (Score:3)
Re: (Score:3)
Since going retro is all the rage these days, I fully expect those bitcoin "hackers" to be recognized Nigerian royalty.
You'll sell clicks like vinyl albums that way.
Re: (Score:2)
Better turn on the fax machine.
This doens't sound legit (Score:5, Insightful)
> They hope it's enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off ..
In other words, "Your money is at risk. We can tell you a little bit about why. But can't tell you a whole lot. Just know that we are the only ones who can help you secure it. We are trying to get the word out, because we are the good guys with honest intentions."
Anybody else see a problem here?
Re: This doens't sound legit (Score:2)
The best is that their online public key vulnerability checking tool Keybleed requires a functional email address to tell you the results. Apparently they mail them. It asks for a name too.
With apologies to Taylor Swift (Score:4, Funny)
Anybody else see a problem here?
Bitcoin: It's me, hi, I'm the problem, it's me.
Re: (Score:1)
Re: This doens't sound legit (Score:2)
Ages like milk (Score:5, Insightful)
Open source ages like milk, it will eventually go bad
Implies closed source does neither of those things...
Re: (Score:2)
Exactly, the open source dig was just garbage.
Random numbers are really hard (Score:5, Interesting)
If I was going to be malicious in putting a back door in a product the random number generator is the first place I would compromise. In fact there were errors in every non black berry (RIM) device that passed the FIPS 140 certifications back in 2003-2004. Vendors actually had to put the weakness in to pass the tests. Only RIM refused to do it.
Re: (Score:2)
Already, exists, CVE-2023-39910
Re: (Score:3)
Uh ya, no shit, no one should be using mt19937 PRNGs for anything involving money. They are not cryptographically secure. Mersenne Twisters are linear recursion algorithms, and all linear recursion-based algos generate random sequences that can be predicted if you have access to a sufficiently long sequence.
I see the crypto bros are as incompetent as ever.
Re: (Score:2)
I was trying to write a random number generator back in the day, part of a data / file encryption scheme. But I wasn't sure how to test the output, to see if it really was random or not. (And we didn't have the Internet back then to look up answers.)
I decided to (1) generate a small block of data (like 256 bytes); (2) start up a stream of "encrypted" data; (3) check every 256 bytes against my test block to see if there were any matches. (I'd found a really fast data comparison algorithm; forget its name
Uh, Ok (Score:5, Informative)
That's an awfully broad statement with absolutely nothing to back it up. If he's referring to abandoned projects, then of course they'll go bad and that is not unique to open source software at all. If he's suggesting that open source is inherently less secure than closed source, then a quick comparison of the track records of Windows and OpenBSD would clearly demonstrate the ridiculousness and ignorance of that statement.
Open AND close-source code ages like a garden (Score:3, Insightful)
If you don't maintain it, it eventually goes bad.
The difference is that with open-source, anyone with the skills and interest can help maintain it.
With closed-source, if the owners choose not to maintain it, it goes bad and everyone using it is out of luck.
I hope they find a flaw in the main algorithm (Score:2)
Re: (Score:2)
I noticed the shills have moved on to AI stuff now. The blood is in the water.
Blame open-source says “security” comp (Score:2)