Published on: 2013-04-04T10:04:22+00:00
The email conversation revolves around the security measures in Bitcoin and its repositories. Mike Hearn suggests using automatic updates with threshold signatures for bitcoinj-based wallets, combined with regular audits for new user downloads to ensure developer integrity. Grarpamp agrees that hardware is important for security but warns that it must be trusted and have secure crypto exchanges with the host. The discussion then moves on to repository integrity, with both parties agreeing that it needs improvement. They note that oddity detection and alerting should be implemented to prevent potential malicious actions from going unnoticed. Finally, they acknowledge that open-source security still has a long way to go, but progress is being made.

The author's hope for bitcoinj-based wallets is to have automatic updates with threshold signatures, combined with regular audits of initial downloads for new users. This would result in a safe system that is immune to rogue developers. The use of hardware security modules (HSM) for multisig addresses is suggested, but the author notes that it is only effective if the crypto is done within the hardware and the hardware can be trusted. Repository integrity is also discussed as a general problem applicable to many things, and the need for strong repo structures is highlighted for better auditing of the BTC codebase. The lack of verification structures in some repos is noted, along with issues of filesystems that accept bitrot. The need for oddity detection and alerting in repository security is also emphasized. Finally, the author suggests that improvements in these areas could bring about a stronger audit trail for the open-source world in the future.

Hardware encryption is only effective if it's integrated properly. Fingerprint readers, for example, are often insecure because they present raw fingerprint scans to software instead of hashing them internally for better security. Multisig addresses are a step in the right direction, requiring transactions to be signed off by a hardware security module (HSM). Although repository integrity is important, Bitcoin specialists should focus on improving Bitcoin security measures while other experts work on improving repository security overall. One way to improve repositories is with oddity detection and alerting. Some repos have weak internal verification structures and are susceptible to bitrot. However, some people are working toward better tools and migrating things to create a more secure and auditable open-source world.

This part of the thread discusses the impossibility of eliminating the risk of downloading a trojaned client for Bitcoin. Even with a secure passphrase, a hacked Windows box will allow the hacker to spend the coins as easily as the owner. Additionally, secondary remote spendauth sigs into the network chain will be similarly compromised. Securely hashchecking the trojaned client is also difficult from cracked userspace on a hacked DLL/kernel with a UEFI backdoor and a trojaned hasher. The author suggests that it's easier for a few developers to meet in person to init and sign a new repo than to try fixing the world's userland and users. This way, something verifiable can be obtained back to the root.

Gavin Andresen emphasizes the need to prioritize the safety of users' bitcoins even if their bitcoin software is compromised. He suggests eliminating the risk of a bad bitcoin-qt.exe entirely as a possible single point of failure instead of worrying about unlikely scenarios such as a timing attack in between ACKs/pulls. By doing so, one can ensure that users are protected and their bitcoins remain secure. Andresen's statement highlights the significance of focusing on security measures when it comes to dealing with cryptocurrencies.

The author of a post discusses the importance of reading code when acknowledging it. They mention that signing commits, like in the Linux kernel, is important but reading the code is even more crucial. The author also wonders if there is a possibility for a race to occur just before they click "pull" where someone could sneakily rebase the branch to something evil. In response to this concern, the author suggests looking into monotone.ca, which integrates crypto and review primitives into the workflow and has reliable network distribution models that work well over things like Tor. They note that once you have the crypto, the human risk factors such as rogue, password, and cracks become harder to deal with.

In an email conversation between Wladimir and Jeff Garzik on April 2, 2013, a suggestion was made to start GPG signing commits for Bitcoin like the Linux kernel. However, it was pointed out that this would rule out using GitHub for merging without manual steps. Jeff Garzik acknowledged this but noted that he personally reads the code before approving it, which is more important than the author. He also expressed concern about the possibility of a race where someone uploads an innocent branch, creates a pull request, and then rebases the branch to something evil just before the merge. Jeff Garzik is affiliated with exMULTI, Inc.

The email thread discusses the feasibility of a SHA-1 collision attack to insert a malicious pull request into the Bitcoin code repository.
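
The race described above (a branch rebased between review and merge) is closed by merging the commit hash that was actually read, not the mutable branch name, and alerting when the two differ. A sketch of that check follows; it is an added example, not code from the thread, and the function name `merge_reviewed` and its exit codes are assumptions.

```shell
#!/bin/sh
# Added example: merge only the exact commit the reviewer read.
# Assumption: the reviewer records the full commit hash at review time
# (for instance in the ACK message) and passes it in as REVIEWED_SHA.

# merge_reviewed REPO_DIR REMOTE BRANCH REVIEWED_SHA
# Exit codes (hypothetical convention): 0 merged, 2 tip changed since
# review (nothing merged), 1 any other failure.
merge_reviewed() {
    repo=$1; remote=$2; branch=$3; reviewed=$4

    # Fetch the branch as it exists right now, at merge time.
    git -C "$repo" fetch --quiet "$remote" "$branch" || return 1
    tip=$(git -C "$repo" rev-parse --verify --quiet FETCH_HEAD) || return 1

    # Resolve the reviewed hash to a full commit object name.
    full=$(git -C "$repo" rev-parse --verify --quiet "${reviewed}^{commit}") || {
        echo "ALERT: reviewed commit $reviewed is not in this repository" >&2
        return 2
    }

    # Oddity detection: the branch moved after it was reviewed.
    if [ "$tip" != "$full" ]; then
        echo "ALERT: $remote/$branch is now $tip, reviewed $full; not merging" >&2
        return 2
    fi

    # Merge the object name, never the branch name, so a push that lands
    # between the check and the merge cannot change what is merged.
    git -C "$repo" merge --quiet --no-ff -m "Merge reviewed commit $full" "$full"
}

# Command-line use: merge_reviewed.sh REPO_DIR REMOTE BRANCH REVIEWED_SHA
if [ "$#" -eq 4 ]; then
    merge_reviewed "$@"
fi
```

The pin is only as strong as git's object hash, which is why the SHA-1 collision question raised in the thread matters for this kind of check.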
Updated on: 2023-08-01T04:36:24.308600+00:00