
SoylentNews is people

posted by Fnord666 on Tuesday August 11 2020, @03:08PM
from the as-the-bitcoin-turns dept.

The quest to liberate $300,000 of bitcoin from an old ZIP file:

In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys—and wanted Stay's help getting his $300,000 back.

It wasn't a total surprise that The Guy, as Stay calls him, had found the former Google security engineer. Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in.

In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.

[...] "If we find the password successfully, I will thank you," The Guy wrote with a smiley face. After an initial analysis, Stay estimated that he would need to charge $100,000 to break into the file. The Guy took the deal. After all, he'd still be turning quite the profit.

[...] That's partly why the work was priced so high. Newer generations of zip programs use the established and robust cryptographic standard AES, but outdated versions—like the one used in The Guy's case—use Zip 2.0 Legacy encryption that can often be cracked. The degree of difficulty depends on how it's implemented, though. "It's one thing to say something is broken, but actually breaking it is a whole different ball of wax," says Johns Hopkins University cryptographer Matthew Green.

From a massive pool of passwords and encryption keys, Stay was able to narrow it down to something on the order of quintillions.

[...] By February, four months after that first LinkedIn message, they queued it all up and started the attack.

That initial attempt took 10 days to run... and did not work. Further sleuthing finally uncovered a bug. They were, ultimately, able to successfully extract the contents.
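
As an added example (not from the original story or from Stay's work), the Python code below reads a ZIP's central directory and reports which entries use Zip 2.0 Legacy encryption (ZipCrypto) rather than AES, the distinction the article draws. The function names and the sample archive are constructed for illustration; the sample is an unencrypted archive with its header fields patched, so it runs offline.

```python
import io
import struct
import zipfile

AES_METHOD = 99  # WinZip AE-x stores 99 in the compression-method field

def classify(info):
    """Return the encryption scheme of one entry, judged from its header fields."""
    if not info.flag_bits & 0x1:        # general-purpose bit 0: entry is encrypted
        return "none"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & 0x40:           # bit 6: PKWARE strong encryption
        return "pkware-strong"
    return "zipcrypto"                  # Zip 2.0 legacy stream cipher

def audit(fileobj):
    """Map entry name -> scheme, reading only the central directory (no password needed)."""
    with zipfile.ZipFile(fileobj) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def legacy_entries(fileobj):
    """Names of entries that should be re-encrypted with AES."""
    return sorted(n for n, s in audit(fileobj).items() if s == "zipcrypto")

def constructed_sample():
    """Constructed test input: a plain archive whose central-directory flag and
    method fields are patched to the values an encrypted archive would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.txt", "legacy.txt", "aes.txt"):
            zf.writestr(name, "constructed sample data")
    raw = bytearray(buf.getvalue())
    patches = {b"legacy.txt": (0x1, 0), b"aes.txt": (0x1, AES_METHOD)}
    pos = struct.unpack_from("<I", raw, len(raw) - 6)[0]  # directory offset from EOCD
    while raw[pos:pos + 4] == b"PK\x01\x02":
        n, m, k = struct.unpack_from("<HHH", raw, pos + 28)  # name/extra/comment lengths
        name = bytes(raw[pos + 46:pos + 46 + n])
        if name in patches:
            struct.pack_into("<HH", raw, pos + 8, *patches[name])  # flags, method
        pos += 46 + n + m + k
    return io.BytesIO(bytes(raw))

if __name__ == "__main__":
    for name, scheme in audit(constructed_sample()).items():
        print(f"{name}: {scheme}")
```

Because only header metadata is read, the check works on archives whose password is unknown, which makes it usable for sweeping old backups for entries still protected by the legacy scheme.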


  • (Score: 2) by iWantToKeepAnon on Tuesday August 11 2020, @05:12PM (3 children)

    by iWantToKeepAnon (686) on Tuesday August 11 2020, @05:12PM (#1035019) Homepage Journal

    > After all, he'd still be turning quite the profit.

    Um, no. More like:

    After all, he'd be reducing his total loss.

    --
    "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
  • (Score: 2) by Osamabobama on Tuesday August 11 2020, @06:03PM (2 children)

    by Osamabobama (5842) on Tuesday August 11 2020, @06:03PM (#1035052)

    $300,000 sale price, minus $10,000 purchase price equals $290,000 gross profit. Expenses of $100,000 reduce net profit to $190,000.

    --
    Appended to the end of comments you post. Max: 120 chars.
    • (Score: 2) by iWantToKeepAnon on Tuesday August 11 2020, @09:09PM (1 child)

      by iWantToKeepAnon (686) on Tuesday August 11 2020, @09:09PM (#1035165) Homepage Journal

      Except the 300k is already in his wallet ... although misplaced; he just paid a finder's fee. Besides that, I think your values are off:

      > In the end, the infrastructure costs to run the attack were $6,000 to $7,000 instead of the roughly $100,000 they had originally estimated, Foster says. The Guy paid about a quarter of the original price tag.

      Sounds like he paid $25k, which is a bargain, but $0 would have been better by writing down the password.

      --
      "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
      • (Score: 3, Touché) by FatPhil on Wednesday August 12 2020, @06:03AM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday August 12 2020, @06:03AM (#1035423) Homepage
        > Except the 300k is already in his wallet

        Nonsense. The wallet contained neither dollars nor proxies thereof.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves