[Bitcoin-development] MtGox blames bitcoin

naman naman namanhd at gmail.com
Tue Feb 11 20:42:02 UTC 2014 

I was talking about a DOS attack in
https://bitcointalk.org/index.php?topic=458608.0 (ofcourse only applicable
to entitys doing the tracking with txids).

Amazing how I did not get a response from any of the devs (except Greg's
response
https://bitcointalk.org/index.php?topic=458608.msg5063789#msg5063789 but
that too was short and not concerning the attack scenario plausibiity as I
replied to him).

Today they are apparently at work here
https://github.com/bitcoin/bitcoin/pull/3651

Amazing how nobody acknowledges it until later when the attack already
happens. The devs need to show some greater level of responsibility.

Don't get me wrong - I am not trying to claim credit for the attack scheme
described (though I do not know of any other place where this was mentioned
earlier as an attack scheme), but I am trying to make the point that people
should just be around and at least make others feel that their concerns are
being read. Now putting this on some place like reddit will only give the
community a bad name.

On a lighter note I messaged some of the devs (as my previous mail says)
saying the attack should be called "thenoblebot" attack (after my handle,
which would inspire me to pursue crypto studies further). It was meant to
be a lame joke. But I had no idea how it would start causing so much
disruption in the ecosystem.

Regards
thenoblebot


On Tue, Feb 11, 2014 at 2:03 AM, Vocatus Gate <vocatus.gate at gmail.com>wrote:

>  It's quite simple, really:
>
> Unique transaction == (Inputs+Outputs+ReceivingAddress)
>
> Problem solved. Simply don't rely on TxID for tracking. Can we put this
> issue to rest and move on?
>
>
>
>
> On 2014-02-10 12:40 PM, Peter Todd wrote:
>
> On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote:
>
>  Hi guys,
>
> Please check this threadhttps://bitcointalk.org/index.php?topic=458608.0for a possible attack
> scenario.
>
> Already mailed Gavin, Mike Hearn and Adam about this :
>
> See if it makes sense.
>
>  That's basically what appears to have happened with Mt. Gox.
>
> Preventing the attack is as simple as training your customer service
> people to ask the customer if their wallet software shows a payment to a
> specific address of a specific amount at some approximate time. Making
> exact payment amounts unique - add a few satoshis - is a trivial if
> slightly ugly way of making sure payments can be identified uniquely
> over the phone. That the procedure at Mt. Gox let front-line customer
> service reps manually send funds to customers without a proper
> investigation of why the funds didn't arrive was a serious mistake on
> their part.
>
> Ultimately this is more of a social engineering attack than a technical
> one, and a good example of why well-thought-out payment protocols are
> helpful. Though the BIP70 payment protocol doesn't yet handle busines to
> individual, or individual to indivudal, payments a future iteration can
> and this kind of problem will be less of an issue.
>
> Similarly stealth addresses have an inherent per-tx unique identifier,
> the derived pubkey, which a UI might be able to take advantage of.
>
>
>
>
> ------------------------------------------------------------------------------
> Androi apps run on BlackBerry 10
> Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
> Now with support for Jelly Bean, Bluetooth, Mapview and more.
> Get your Android app in front of a whole new audience.  Start now.http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Bitcoin-development mailing listBitcoin-development at lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140212/2c00092c/attachment.html>

More information about the bitcoin-dev mailing list