Foreverrising Blog

August 30, 2011

BitCoin Part 1: A Brief Look & its Volatile History

Filed under: Software — Tags: , , , , , , , , , — foreverrising @ 3:58 pm

The peer-to-peer currency BitCoin (BTC) recently entered the mainstream media after news of the silk road, Lulzsec, and the flash crash grabbed second rate headlines. There was even news that an Australian IT guy had misused company hardware to mine BTC. Oddly enough, these things are synonymous with BitCoin in the news spotlight– but BitCoin is not aligned with any of them. Think of BitCoin as an online medium of exchange.

BitCoin is a digital currency. In terms of currency that we can hold in our hands, like a Euro or a US Dollar, we could associate the same sensationalist media stories. Along the same lines we could see the headline “Cash used as an anonymous was to buy crack cocaine- 20 Bill remains bill of choice for dealers.” I could buy drugs in a real world situation with reasonable anonymity with cash, I could make an anonymous donation to a hacker group with cash, so we’ll just dismiss those as tabloid headlines. What draws great interest in the economy of BitCoin is the flash crash of MtGox, and the wallet.dat theft. Let’s take a look at the flash crash first.

The flash crash happened over approximately ten minutes. In that time, the MtGox exchange was flooded with BTC contained in a compromised account. The mass sell-off intentionally caused prices to drop from around 16.50USD to a penny.

The sell-off happened by setting in motion a series of sell offers as well as a series of ever lowering buy offers, in effect inflating the currency at an unprecedented rate. This was because MtGox had a withdraw limit. 1000 USD per day or the equivalent of 1000 USD worth of BTC. The intent seems to have been to withdraw BTC, not money, as the money would instantly be linked with other accounts in order to convert it to a more familiar currency. With built in pseudo-anonymity, the attacker could send the BTC to a new address without revealing any other information in the transaction.

With the limit, the compromised account, and the price of BTC at around 16.50, the most that could be stolen from the account would have been 60.6 BTC. With that knowledge, the attack initiated the huge sell off, eventually filling every offer to buy down to .01 USD. In effect, the amount of BTC that could be withdrawn was 100,000 BTC at .01 USD.

The MtGox flash crash happened over about twenty minutes. While I sat watching the price drop, I pulled my BTC out under the assumption that the site had been compromised. After several days of waiting, the official explanation about the crash had to do with a spear attack of a pen testers computer being hacked. The computer apparently had a list of unused accounts and hashed passwords.

After the mass sell off, an undisclosed amount of BTC was withdrawn from the hacked account at MtGox. So after all was said and done, the exchange was frozen for seven days in order to reexamine security and roll back what it deemed to be fraudulent transactions. MtGox was forced to bite the bullet and replace the BTC which were withdrawn prior to the freeze.

MtGox also stated that the exchange, which was started as a hobby project, had exponentially outgrown its security. It was also known in the BitCoin community that the site was vulnerable to cross site scripting attacks. Even the BitCoin wiki had best practice recommendations for more secure browsing when dealing with BitCoin.

So, as the value of the BitCoin kept rising, and security stayed the same, it was only a matter of time before exploits were found. In question was that unpatched or poorly configured computer with as admin privileged account.

Tracing the exact route of attack includes details which are not public knowledge. The sensitive information which has come to light are files which were posted for sale to the highest bidder on PasteBin (http://pastebin.com/). PasteBin is a message board of sorts for pirates, hackers, pr0n lovers and harmless John Does alike, where it is easy to communicate with relative anonymity using Tor. The first database contained inactive accounts. MtGox claimed this information came from a hacked computer.

Also, originally posted was a for-sale offer for Mtg ox’s user database– over 60,000 accounts in all. About a week later that accounts database was posted in a comma separated file. The contents of that file proved worthless, as MtGox was frozen, bit it did show that the site had been successfully exploited. SQL injection was described to be the method of obtaining the active account data, which included the user name, optional e-mail, and hashed password of each account.

Shortly after the accounts file came to light, all of the accounts with simple passwords were cracked and posted on paste bin as well. One interesting thing to note is the hardware currently involved in mining also has the Accelerated Parallel Processing power to be applied to hash cracking. BitCoin mining computers use APP with AMD graphics cards to hash solutions for the blockchain in the first place, as the AMD chipset can perform the calculations with a fraction of the instructions that an Nvidia card would require. A mining rig equipped with 4 ATI Radeon 5970′s running whitepixel could approach 33 billion brute force password hashes per second. Check out Whitepixel at http://whitepixel.zorinaq.com/ for an example of hash auditing software.

The purpose of a block is to verify all the timestamped transactions to prevent double-spending. The block itself contains a ledger of all recent transactions. “The timestamp proves that the data must have existed at that time, obviously in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.”

BitCoin mining uses a proof-of-work chain in order to verify and incorporate new transactions into each block. The solution to a block is found by “[...] scanning for a value that when hashed, such as with sha-256, the hash begins with a number of zero bits.” The zero bits vary with difficulty based upon the strength of the network to prevent over-issuing BitCoins. Currently, 50 BTC (which will lower over time at a fixed rate) is awarded to the solution finder to compensate for the computational power used to verify the transactions. The difficulty changes to adjust the block solves so that there is one approximately every ten minutes.

Once the solution of a block is found, the client which found the solution sends the block to all of its connected peers. Each of those connected peers verifies the solution to the block and in turn send it out to its connected peers as well, in a ‘best-effort’ manner.

Each and every block must mature in the blockchain, and each block generated after incorporates the hash of the previous block to show the longest proof of work chain. Any attempt to alter transactions in a block would require rehashing the entire blockchain, or successively solving blocks faster than the entire network and basing the subsequent blocks’ hash on the original altered on. The amount of computer power required to do this would not likely be available, and even Amazon’s cloud services couldn’t scale to alter a block. The website Block Explorer (http://blockexplorer.com/) makes examining the transactions and various data in the block chain easier, and I recommend everyone take a look.

Occasionally, more than one client will produce a solution to the same block at the same time. If this is the case, whichever block is used to generate the next block will be the valid solution. The other block will be considered an orphan and disregarded, except that any unincluded transactions will be re-added to the queue to be re-included in a future block.

August 26, 2011

BitCoin: FAQ for the masses

Filed under: Software — Tags: , , , , , , — foreverrising @ 10:14 pm

Recently I have had various questions asked about BitCoin. My favorite is my wife’s typical “How’s the money laundering going?” — Which always makes me chuckle. But let’s take a Q & A approach to some general questions that the not-so-familiar will ask about BitCoin.

Where does the money come from?

A: In VERY general terms, the money is awarded from the network. Think of it as similar to the federal mint printing money and shipping it to banks. Just take away the Federal Reserve, and central banks, and you have a form of currency which is more like BitCoin.

BitCoin is electronic money. As such, the currency is tracked through transactions which are verified by the BitCoin network. All recent transactions (typically over the last 10-15 minutes) are included in a block, which is a publicly distributed ledger. The block is downloaded by each BitCoin client, and is verified to ensure it contains the correct hash and thus is valid.

BitCoin mining is the process of searching for the correct hash value of the next block. It involved specialized software running on computers typically overloaded with ATI graphics cards capable of performing incredible amounts of calculations per second. Once a miner finds the correct hash for a block, and the block is verified by the network, that miner is awarded for its efforts with BitCoins. That’s where the currency comes from.

The value of BitCoin, in regard to other currencies, comes from its acceptance as a form of trade. The value varies over time due to the constant flux of supply and demand. Since it hit the news it has drawn interest by investors which seek only to buy low and cash out high. The speculators can be a dangerous mix into BitCoin. But when it all comes down to it, its value is determined by what someone will trade for BitCoin, and similarly the value is linked to cash.

There are similarities to BitCoin and government issued fiat currencies, but at the end of the day, neither are backed by gold.

The largest difference is that you really can’t hold your money in your hands like cash. You keep your BitCoins in your wallet.dat file, which keeps track of how many BTC you have and also tracks your transactions.

The Wallet.dat file keeps track of all of your transactions– What about anonymity?

A: BitCoin is PSUEDO-anonymous. There is a level of anonymity which is inherited by the way the BTC are sent through the network. Don’t be mistaken either. You can spend your coins to a brand new wallet file, and $shred your last wallet.

Other best practices are to use a new address for EACH and EVERY transaction. Also, NEVER PUBLISH a BTC address in a public forum. If you were to publish your address, your transactions can be tracked through BlockExplorer.

Older Posts »

The Silver is the New Black Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.