david wong

Hey! I'm David, the author of the Real-World Cryptography book. I'm a crypto engineer at O(1) Labs on the Mina cryptocurrency, previously I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

Bitcoin Exchanges Under ‘Massive and Concerted Attack’ posted February 2014

The transaction malleability problem which troubled Mtgox a few days ago has also made Bitstamp shutdown.

Apparently a large scale attack using this problem is going on on multiple exchanges.

Antonopoulos, who is the chief security officer of Blockchain.info, said a DDoS attack is taking Bitcoin’s transaction malleability problem and applying it to many transactions in the network, simultaneously.

The article on coindesk here

It's interesting to watch actually, submit a transaction to the network at the moment and there's a rogue node that will mess with the padding of the signatures and rebroadcast it faster than the original. It confuses the reference client into duplicate display, which is what Gox is relying on for the failed/success display. That they're winning races over the normal related transactions isn't that unnatural as the transaction processing stuff has a 100ms sleep() in the middle of it.

From the discussion over at HN

PS : apparemment l'erreur a été corrigé il y a un an sur le client bitcoin officiel ici

comment on this story

Mtgox statement and transaction malleability posted February 2014

Mtgox, which is frozen while it is trying to fix its problems, has issued a press released explaining what is the problem

Bitcoin transactions are subject to a design issue that has been largely ignored, while known to at least a part of the Bitcoin core developers and mentioned on the BitcoinTalk forums. This defect, known as "transaction malleability" makes it possible for a third party to alter the hash of any freshly issued transaction without invalidating the signature, hence resulting in a similar transaction under a different hash. Of course only one of the two transactions can be validated. However, if the party who altered the transaction is fast enough, for example with a direct connection to different mining pools, or has even a small amount of mining power, it can easily cause the transaction hash alteration to be committed to the blockchain.

thread on bitcointalk forum

comment on this story

Manually making a transaction in bitcoins posted February 2014

Ken Shirriff has posted an amazing post on his blog on how he managed to manually make (meaning, he didn't use the official bitcoin application) a transaction in the bitcoin ecosystem.

I'm reading through it as I'm typing this, and it's really well explained, you get to see exactly what he does in Python and there are pictures!

you can read it here

comment on this story

How I Lost My $50,000 Twitter Username posted January 2014

So this guy owned @N on twitter and got extorted his account by a phishing attack. The story is well written and you should read it here : https://medium.com/p/24eb09e026dd

but for a tl;dr the attacker called his paypal account to ask them for his credit card's last 4 digits. Then he called godaddy to ask them to reset the password. They only asked him for the 2 first digits and the last 4s. The attacker just had to guess the 2 first digits (and he did it on the first try, he could have kept calling and trying otherwise).

Now that he had @N's domain's name, he could now see his emails. Took over @N's facebook account and started mailing him "threats".

It's pretty crazy how easy phishing is.

comment on this story