posted by Fnord666 on Thursday April 25 2019, @10:59AM
from the no-one-noticed-anything-missing? dept.

Last summer, Adrian Bednarek was mulling over ways to steal the cryptocurrency Ethereum. He's a security consultant; at the time, he was working for a client in the theft-plagued cryptocurrency industry. Bednarek had been drawn to Ethereum, in particular, because of its notorious complexity and the potential security vulnerabilities those moving parts might create. But he started instead with the simplest of questions: What if an Ethereum owner stored their digital money with a private key—the unguessable, 78-digit string of numbers that protects the currency stashed at a certain address—that had a value of 1?

To Bednarek's surprise, he found that dead-simple key had in fact once held currency, according to the blockchain that records all Ethereum transactions. But the cash had already been taken out of the Ethereum wallet that used it—almost certainly by a thief who had thought to guess a private key of 1 long before Bednarek had. After all, as with Bitcoin and other cryptocurrencies, if anyone knows an Ethereum private key, they can use it to derive the associated public address that the key unlocks. The private key then allows them to transfer the money at that address as though they were its rightful owner.

That initial discovery piqued Bednarek's curiosity. So he tried a few more consecutive keys: 2, 3, 4, and then a couple dozen more, all of which had been similarly emptied. So he and his colleagues at the security consultancy Independent Security Evaluators wrote some code, fired up some cloud servers, and tried a few dozen billion more.

"You have a thief here that amassed this fortune and then lost it all when the market crashed."

In the process, and as detailed in a paper they published Tuesday, the researchers not only found that cryptocurrency users have in the last few years stored their crypto treasure with hundreds of easily guessable private keys, but also uncovered what they call a "blockchain bandit." A single Ethereum account seems to have siphoned off a fortune of 45,000 ether—worth at one point more than $50 million—using those same key-guessing tricks.

"He was doing the same things we were doing, but he went above and beyond," Bednarek says. "Whoever this guy or these guys are, they're spending a lot of computing time sniffing for new wallets, watching every transaction, and seeing if they have the key to them."


  • (Score: 2, Insightful) by Anonymous Coward on Thursday April 25 2019, @11:16AM (6 children)

    by Anonymous Coward on Thursday April 25 2019, @11:16AM (#834698)

    Clearly blockchain is the answer to everything, including poor security and anonymous theft.

    The competing thieves were a pretty nice touch. Who knows what other weaknesses there are in all of these super duper solutions?

    • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @11:33AM (5 children)

      by Anonymous Coward on Thursday April 25 2019, @11:33AM (#834702)

      To be fair, your physical wallet and back pocket are pretty insecure, but there's no easy way to access or exploit them remotely, yet...

      Point being: People have not been conditioned to secure, well, basically fucking anything, since even govs run on MS windoze. My PWs are generated per site / platform by a salted hash algorithm I wrote myself. The NSA and a few other agencies know my passwords, but using it would reveal themselves... and they typically value secrecy above affect. [schneier.com] This leaves the system vulnerable to "paranoids" who (autonomously) try to detect if they've been exploited, such as the mafia, and such.

      • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @12:28PM (1 child)

        by Anonymous Coward on Thursday April 25 2019, @12:28PM (#834721)

        That's what I thought about my rental agent's systems which have my real name, bank account, address, and other details. Then I found that they moved their software to The Cloud.

        Now I am waiting for the day when some script kiddie steals a few thousand or identity hacks me.

        • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @02:06PM

          by Anonymous Coward on Thursday April 25 2019, @02:06PM (#834746)

          I use two bank accounts. One is always near zero until I transfer money to pay bills electronically or make online purchases. Of course this doesn't help the identity theft part of the equation, but it's easier to deal with identity theft when you still have all of your money.

      • (Score: 1, Funny) by Anonymous Coward on Thursday April 25 2019, @02:48PM (2 children)

        by Anonymous Coward on Thursday April 25 2019, @02:48PM (#834773)

        To be fair, your physical wallet and back pocket are pretty insecure

        I use a George Constanza wallet, which is about the size of a double cheeseburger. I even have trouble getting it out of my pocket, so someone will need to cut my pants to be able to sneak it out.

        • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @03:33PM (1 child)

          by Anonymous Coward on Thursday April 25 2019, @03:33PM (#834784)

          Not a problem. Everyone around here has a box-cutter type knife in their pocket for just such emergencies.

          • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @03:48PM

            by Anonymous Coward on Thursday April 25 2019, @03:48PM (#834796)

            https://countycomm.com/products/pocket-straight-razor-survival-tool [countycomm.com]
            Small, disposable and ridiculously sharp. They dull rather quickly, but are otherwise great. You can find them from the manufacturer in boxes of 100.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday April 25 2019, @11:34AM (7 children)

    by Anonymous Coward on Thursday April 25 2019, @11:34AM (#834703)

    When you put your money in a block chain, you do it saying
  "Here's a riddle, if you solve it, the money is yours."

    Crypto may make the riddle hard to solve, but a user putting in money appears to be able to fix this.

So if some third party solves the riddle, whose money should it be?
    If someone leaves cash lying around unattended, it doesn't give one the right to just pick it up and keep it.
    One is expected to try to get the cash back to the rightful owner and that failing, perhaps keep it.

On the other hand, an important property of block chain is that the first valid transaction gets the cash, period.
    To preserve that property, the transaction has to stand, but that doesn't preclude going after the bandit.

    Blockchain morals are still new. They need to evolve, but it's not clear to me what direction they should go?

    • (Score: 5, Insightful) by GreatAuntAnesthesia on Thursday April 25 2019, @12:00PM

      by GreatAuntAnesthesia (3275) on Thursday April 25 2019, @12:00PM (#834710) Journal

      > When you put your money in a block chain, you do it saying
  > "Here's a riddle, if you solve it, the money is yours."

      No, not really. If I lock my house do I say "Here is a lock. If you can pick it, my stuff is yours"?
      Even if you pick the lock, it's still my stuff, and taking it is still stealing.

    • (Score: 1) by khallow on Thursday April 25 2019, @12:02PM (3 children)

      by khallow (3766) Subscriber Badge on Thursday April 25 2019, @12:02PM (#834711) Journal

      Crypto may make the riddle hard to solve, but a user putting in money appears to be able to fix this.

      There's not enough money in the world to solve those riddles when the password is made hard. Just get that $5 wrench instead.

      • (Score: 1, Touché) by Anonymous Coward on Thursday April 25 2019, @04:18PM (2 children)

        by Anonymous Coward on Thursday April 25 2019, @04:18PM (#834806)

        Getting the $5 wrench is easy. But how to find the person to apply it to?

        • (Score: 2) by edIII on Thursday April 25 2019, @06:39PM

          by edIII (791) on Thursday April 25 2019, @06:39PM (#834869)

          But how to find the person to apply it to?

          Test people. Ask them if they have more than $6. $$Profit$$

          --
          Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 1) by khallow on Friday April 26 2019, @01:34AM

          by khallow (3766) Subscriber Badge on Friday April 26 2019, @01:34AM (#834982) Journal

          But how to find the person to apply it to?

          Assuming the person hasn't already told you their address (since buying stuff via bitcoins means one often provides shipping and billing addresses as well).

          1) find their IP address and MAC.

          2) Go to the ISP and social engineer the user information you need. For example, in the US you could claim the user at that IP address and MAC was pirating music. Or just bribe someone who has access to the data a little. Either way you got the user's address. True, it's more than $5, but not much more.

          3) Get that $5 wrench.

          4) Hilarity ensues.

    • (Score: 5, Insightful) by driverless on Thursday April 25 2019, @12:11PM (1 child)

      by driverless (4770) on Thursday April 25 2019, @12:11PM (#834713)

  When you put your money in a block chain, you do it saying "Here's a riddle, if you solve it, the money is yours."

      No, you're saying "here's a bunch of buggy software hacked together by random people you've never met who sometimes know a bit of what they're trying to do, which is really, really complex and easy to get wrong, and who are motivated by getting things done quickly and shipped with minimal effort. If there are any holes anywhere in any of that, your money is someone else's".

      • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @05:16PM

        by Anonymous Coward on Thursday April 25 2019, @05:16PM (#834840)

    Seems pretty good compared to money printed at an interest that requires more money to be printed to the advantage of a guy who claims to be at a loss because he lent money. The only problem being that you store that kind of money in the block chain.

  • (Score: 5, Informative) by Fnord666 on Thursday April 25 2019, @12:18PM (3 children)

    by Fnord666 (652) on Thursday April 25 2019, @12:18PM (#834716) Homepage

Just to be clear, this is neither a blockchain issue nor is it a password issue. This is a software issue in the Ethereum software. When you create a "wallet" in the various cryptocoin systems, you are really creating a public/private RSA key pair. The public key becomes your wallet address and is used to transfer coins into your wallet. Your private key is used to sign transactions moving coins out of that wallet. Apparently at some point the Ethereum client implementation created wallets that had simple, easy to guess private keys. It's unlikely that it is happening today. My guess is that this occurred early on in the development of Ethereum when it was in testing/beta to make things simple for testing and at that time there was no real money involved. Either that version of the client software went live, in which case these were real people's wallets, or the blockchain with those wallets in them and funded went live with the rollout. Either way it's real money now if the coins ever got cashed out. If they did then, like all cryptocoins, this is the point at which the money gets de-anonymized.

    • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @12:56PM (2 children)

      by Anonymous Coward on Thursday April 25 2019, @12:56PM (#834726)

      No, you're wrong.
      RSA isn't used anywhere. It's asymmetric encryption and digital signing, but it utilizes elliptic curves via ECDSA.

  As for the rest of it, you're also wrong. It's not an ethereum dev thing. It's a wallet implementer thing. It all boils down to shoddy implementers not writing tests correctly, or even knowing what to test or how. But nothing like this ever made it into mainline wallets or their support libraries.

      • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @02:11PM (1 child)

        by Anonymous Coward on Thursday April 25 2019, @02:11PM (#834751)

    But nothing like this ever made it into mainline wallets or their support libraries that we know of.

        FTFY

        • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @02:34PM

          by Anonymous Coward on Thursday April 25 2019, @02:34PM (#834764)

          Well nothing in the github repos anyways.

  • (Score: 5, Insightful) by Anonymous Coward on Thursday April 25 2019, @12:44PM (9 children)

    by Anonymous Coward on Thursday April 25 2019, @12:44PM (#834723)

    This is actually a result of shit implementation and not a flaw in Ethereum or other blockchains.

    Any private key for any asymmetric encryption scheme is just a number. This is true of RSA, it's true of ECDSA and it's true of ALL asymmetric schemes.
The trick then is to choose a number which is unguessable by man or machine.

In the case of Ethereum this number is anywhere from 0 to 2^256, and the same is true of bitcoin since they both use ECDSA with Secp256k1 and their signature verification schemes.

    The trick is to choose a random number that is so high as to be effectively unguessable via brute force.
    If you pick a number that is below some several quintillions, you can expect that anyone can have your private key just by counting that high, computing the public address and laying in wait for it.

Thus all proper wallets actually exclude keys which are lower than 2^64 for the simple reason that they are easily guessed.
    Once you start getting past 2^64 you need the resources of nation state in order to monitor for that many addresses.

    Keep in mind that 2^65 is twice as large a search space as 2^64, so even adding or removing just 1 bit does incredible things here mathematically.

Now we have a problem. Others can't guess your key, but it's too damned big to memorize and writing it down will take a long time too.
    Thus you have systems that generate keys from a large entropy pool, but this pool is actually a list of 2048 words and your random generator is choosing between 12 and 24 of these words.

    That's great, it's called diceware or bip39 (Bitcoin Improvement Process document 39, also used in Ethereum) and it does what it's supposed to do, it generates a very large seed with enormous amounts of entropy.

    From this seed you apply a one way hashing function such as SHA256 and you get a private key that is all but guaranteed to be 2^65 or higher.
    But what if you need 2 accounts?

Well that's easy, just introduce a nonce and hash seed+1 then seed+2 etc.
This is called an HD or Hierarchical Deterministic Wallet.

    Here is where the problem comes in.

    Some developers don't think to check that seed value before hashing. I've literally seen this in live code.
    It seems to be limited to Javascript developers, especially "fullstack" developers who think everything soup to nuts, client and server should all be in JS (hint, JS sucks at math) and the same types that believe webpack is a great way to distribute code.

    One would normally expect that the return value from the seed generator is a very large number.
    And it is, but to access that number you need to call something like toHexString on it. Otherwise what you have is either an object, or if the checksum failed you get null.

    So people pass in their seed and it's either "[object Object]" or null and of course the nonce which is 1,2,3,4...

    That's where this is coming from. Amateur programmers who don't know enough to know that they don't know what they're doing.
    Put another way, if you let an amateur do security the best you can hope for is amateur security.

    I can't wait until this so called "security expert" discovers "brain wallets"...
    https://allprivatekeys.com/brain-wallet.php [allprivatekeys.com]

    • (Score: 1, Interesting) by Anonymous Coward on Thursday April 25 2019, @01:48PM (3 children)

      by Anonymous Coward on Thursday April 25 2019, @01:48PM (#834739)

  Thus all proper wallets actually exclude keys which are lower than 2^64 for the simple reason that they are easily guessed.
      Once you start getting past 2^64 you need the resources of nation state in order to monitor for that many addresses.

      Keep in mind that 2^65 is twice as large a search space as 2^64, so even adding or removing just 1 bit does incredible things here mathematically.

      But if you are excluding everything below 2^64, you are excluding exactly half of that search space, so the remaining search space is still exactly the same as with a maximum of 2^64 and all numbers allowed. For breaking it, just start counting at 2^64.

      Of course if you have a range of 2^256, then removing 2^64 numbers from that doesn't make a significant difference. OTOH, if your random 2^256 bit number lands in those 2^64 first numbers, you should check your random number generator. While it is not impossible, it's extremely unlikely. To be exact, the probability is 2^-192, or about 1.6*10^-58. That probability is comparable to the probability of winning the jackpot of a typical lottery 7 times in a row.

      If you get a number in that range twice, you can be sure that your random number generator is broken.

      • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @01:56PM (2 children)

        by Anonymous Coward on Thursday April 25 2019, @01:56PM (#834742)

        My point was only that at 2^65 i.e. adding just 1 bit you double the search space compared to 2^64.

        Not that anyone in their right minds would actually permit a private key in 2^65.
        But an SHA256 below 2^65 is perfectly valid, just highly unlikely.
        Yet it is exactly this "find an n where hash256(...totaltxHashes+n) 2^d)", wherein d is difficulty level that powers all proof of work systems. So it's reasonable to assume you can get a key (which is just a hash of something), in that range too. Just really, really unlikely.

        • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @02:00PM (1 child)

          by Anonymous Coward on Thursday April 25 2019, @02:00PM (#834744)

          My above formula is missing a less than sign that I know I typed in.

          • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @02:44PM

            by Anonymous Coward on Thursday April 25 2019, @02:44PM (#834769)

            You are not allowed to use < in comments. You need to use &lt; instead.

    • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @02:36PM (4 children)

      by Anonymous Coward on Thursday April 25 2019, @02:36PM (#834766)

      One of the best posts I've seen on S/N. Bravo!

  I'd be interested to know what you think about increasing key length by a couple orders of magnitude? My understanding is that this is an upper limit to the amount of CPU time that can be expected to be used by consumers, vs. the lower limit of CPU time that has to be used to ensure the transactions are secure. This window will slide as CPU cycles get cheaper. It could also be affected by the difference in handset vs. desktop CPU cycle capacity.

  I don't know much other than a little theory. But if you'd like to comment further, I'd love to hear it.

      • (Score: 1, Funny) by Anonymous Coward on Thursday April 25 2019, @03:38PM

        by Anonymous Coward on Thursday April 25 2019, @03:38PM (#834791)

        Your phrasing prompts this lighthearted troll post:

        If you'd like to comment less, I'd love to hear it.

      • (Score: 2, Interesting) by Anonymous Coward on Thursday April 25 2019, @05:05PM (2 children)

        by Anonymous Coward on Thursday April 25 2019, @05:05PM (#834834)

        Well thanks! Original AC here.

        So here's the deal with key length. It depends on what you're protecting and for how long. Primary thing to consider is "effective strength".

        The choice of algorithm is important because it determines effective strength.
        For RSA keys (not used in crypto currencies, but are used as a reference), the recommendation is that for a 20 year horizon you should use a key size > 2x the bit size of what you're trying to protect.
        Ergo an RSA key of 4096 bits can protect 2048 bits of data effectively.
        But using ECDEA (Elliptic Curve Digital Encryption Algorithm), you get the same 4096 bits of protection from a key size as small as 128 bits.

    However this is encryption only! Signing is its own beast.

        With signing what you're really worried about is the potential for forgery. This is possible if the algorithm leaks enough bits of the private key with each signing and almost all DSAs do leak at least a little. This is why Bitcoin has "change addresses" and why the bitcoin community at large discourages key re-use. Once you've sent money from a key you shouldn't re-use that key ever. But since a little bit does leak at each signing, a larger key does give you more protection.

    For a private key dA, any integer between 1 and 2^256 - 1, the public key Q is simply dA X G.

        No one really knows how much leaks, but one thing is known for certain. If you reuse something called an "r" value, then your private key is toast.
        This is a thing that has happened in the past...
        https://bitcoinist.com/r-values-more-stolen-bitcoins/ [bitcoinist.com]

        Both Ethereum and Bitcoin use the exact same algorithms under the hood. Elliptic Curve Digital Signature Algorithm (ECDSA) with Secp256k1 as the curve.
    When signing a message you supply the message (or its hash), a cryptographically secure random value k (r is derived from k via r = k * G) and r is part of the signature (r,s) where s = a really long complicated function against r and k https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm [wikipedia.org]

        Since r is part of the signature and r = k * G it becomes possible to recover dA if r is reused.

        The r value is not the only concern here, but it is the one that seems to get screwed up the most often.
        Notice that the public key Q = dA * G which yields a new point on the curve. In theory for a good curve there should be no two dA for which dA X G equals the same Q.
        This is not yet proven, and there are some weaker curves for which this is in fact possible and it was posited by Satoshi that there might be conditions where this is possible even in the chosen Secp256k1 curve.

        His words "I guess whoever spends first, gets the coins".

        But there's another problem in bitcoin land.

        People don't publish their public key until it is time to spend. In order to receive money you make public the result of
        Q -> SHA256 -> SHA256 -> RIPEMD160 -> BASE58

        Notice that RIPEMD160 step? This reduces the address size to something manageable, but it's also cutting nearly 100 bits from the security against a collision attack.
    Putting it another way, that RIPEMD160 is making it significantly likely that there are multiple instances of public key Q that could match any given address.

        Of course there are a HUGE number of Qs to try to find any duplicated addresses, but if there is ever a flaw found in RIPEMD160 that number could be reduced dramatically.
        I do fully expect one day we will find a flaw similar to this one.
        https://natmchugh.blogspot.com/2014/10/how-i-created-two-images-with-same-md5.html [blogspot.com]

    So the point is that we can have all the security we want, all of the algorithms are mathematically easy and designed to be one way. Simply computing a bigger space doesn't do much when the time to find a single 256 bit number already exceeds the lifetime of the universe.
        https://i.redd.it/ed1hmobx1d511.jpg [i.redd.it]

        However in order for humans to deal with them there needs to be a way of making them small enough that humans can input them in a reasonable time frame and striking the right balance between security and usability is truly the hardest part of crypto.

        • (Score: 0) by Anonymous Coward on Friday April 26 2019, @11:18AM (1 child)

          by Anonymous Coward on Friday April 26 2019, @11:18AM (#835059)

          Ergo an RSA key of 4096 bits can protect 2048 bits of data effectively.

          Sounds not very good, given that with an OTP, I can protect 4096 bits effectively (and indefinitely) with a 4096 bit key.

          • (Score: 0) by Anonymous Coward on Friday April 26 2019, @12:57PM

            by Anonymous Coward on Friday April 26 2019, @12:57PM (#835092)

            Well yeah assuming your OTP is sufficiently random and you have a secure way of transporting it. Otherwise the 1/2 rule applies. Then you do other tricks like hashing the key with an incrementing nonce to encrypt 1/2 byte length at a time with 1/2 byte length corresponding to a value called blocksize.

  • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @03:39PM (5 children)

    by Anonymous Coward on Thursday April 25 2019, @03:39PM (#834792)

    This "security consultant" is a thief like the other thieves too. No one just mulls around ways to steal the cryptocurrency Ethereum for fun. You were coming up with ways to steal it for yourself. Don't try and use weasel words to spin your actions as helpful. You are just as guilty as the bastard(s) who were stealing it outright in the first place. You're only sharing your knowledge now to give you some sort of moral vindication for your actions. You should be charged and jailed just like the other people.

    • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @04:32PM

      by Anonymous Coward on Thursday April 25 2019, @04:32PM (#834816)

      This "security consultant" is a thief like the other thieves too.

      No, he is not a thief, as he didn't steal anything (as far as we know).

      No one just mulls around ways to steal the cryptocurrency Ethereum for fun.

      Can you substantiate that claim with anything other than just "proof by assertion"?

      I could just as well claim that the whole reason of your post is that you are angry that you didn't think of it first, and that you actually would have stolen those coins if you had the opportunity. And yes, I have exactly the same amount of evidence for my claim as you have for your claim.

    • (Score: 1, Funny) by Anonymous Coward on Thursday April 25 2019, @05:22PM

      by Anonymous Coward on Thursday April 25 2019, @05:22PM (#834843)

      Spotted the guy whose wallet was hacked.
      No seriously, penetration testing is all about that. You find lots of relevant sites by searching for "penetration".

    • (Score: 2) by edIII on Friday April 26 2019, @01:24AM

      by edIII (791) on Friday April 26 2019, @01:24AM (#834978)

      Your obnoxious stupidity is often why security researchers are afraid to say anything.

  Dmitry Sklyarov was a security researcher, NOT a thief. Your backasswards logic though, was well present in the FBI who did exactly what you wanted; They arrested and jailed his ass.

      Security through obscurity is shitty security, and that's all your position will lead towards. The illegality of information, and the dangers of disclosing poor states of security around you. Yet, if we asked perfect dumbasses like yourself, you would say that we were wrong. "Look around you, everything is secure, unless you want to go to jail for disagreeing".

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 1) by khallow on Friday April 26 2019, @01:37AM (1 child)

      by khallow (3766) Subscriber Badge on Friday April 26 2019, @01:37AM (#834984) Journal

      You are just as guilty as the bastard(s) who were stealing it outright in the first place.

      Even if that were true, there's still the matter that the bastard who is merely guilty doesn't have the bitcoins, the bastard who stole the bitcoins has the bitcoins.

      • (Score: 0) by Anonymous Coward on Friday April 26 2019, @04:20AM

        by Anonymous Coward on Friday April 26 2019, @04:20AM (#835007)

        Not to be pedantic, but it was Ethers not Bitcoin... This time

  • (Score: 0) by Anonymous Coward on Thursday April 25 2019, @05:03PM

    by Anonymous Coward on Thursday April 25 2019, @05:03PM (#834833)

By market do you mean a collection of individuals investing in something they don't understand, all they understand is the price is going up and they're going to get rich. In hindsight, yeah it was tulip bulbs.
