Foreverrising Blog

August 30, 2011

BitCoin Part 1: A Brief Look & its Volatile History

Filed under: Software — Tags: , , , , , , , , , — foreverrising @ 3:58 pm

The peer-to-peer currency BitCoin (BTC) recently entered the mainstream media after news of the silk road, Lulzsec, and the flash crash grabbed second rate headlines. There was even news that an Australian IT guy had misused company hardware to mine BTC. Oddly enough, these things are synonymous with BitCoin in the news spotlight– but BitCoin is not aligned with any of them. Think of BitCoin as an online medium of exchange.

BitCoin is a digital currency. In terms of currency that we can hold in our hands, like a Euro or a US Dollar, we could associate the same sensationalist media stories. Along the same lines we could see the headline “Cash used as an anonymous was to buy crack cocaine- 20 Bill remains bill of choice for dealers.” I could buy drugs in a real world situation with reasonable anonymity with cash, I could make an anonymous donation to a hacker group with cash, so we’ll just dismiss those as tabloid headlines. What draws great interest in the economy of BitCoin is the flash crash of MtGox, and the wallet.dat theft. Let’s take a look at the flash crash first.

The flash crash happened over approximately ten minutes. In that time, the MtGox exchange was flooded with BTC contained in a compromised account. The mass sell-off intentionally caused prices to drop from around 16.50USD to a penny.

The sell-off happened by setting in motion a series of sell offers as well as a series of ever lowering buy offers, in effect inflating the currency at an unprecedented rate. This was because MtGox had a withdraw limit. 1000 USD per day or the equivalent of 1000 USD worth of BTC. The intent seems to have been to withdraw BTC, not money, as the money would instantly be linked with other accounts in order to convert it to a more familiar currency. With built in pseudo-anonymity, the attacker could send the BTC to a new address without revealing any other information in the transaction.

With the limit, the compromised account, and the price of BTC at around 16.50, the most that could be stolen from the account would have been 60.6 BTC. With that knowledge, the attack initiated the huge sell off, eventually filling every offer to buy down to .01 USD. In effect, the amount of BTC that could be withdrawn was 100,000 BTC at .01 USD.

The MtGox flash crash happened over about twenty minutes. While I sat watching the price drop, I pulled my BTC out under the assumption that the site had been compromised. After several days of waiting, the official explanation about the crash had to do with a spear attack of a pen testers computer being hacked. The computer apparently had a list of unused accounts and hashed passwords.

After the mass sell off, an undisclosed amount of BTC was withdrawn from the hacked account at MtGox. So after all was said and done, the exchange was frozen for seven days in order to reexamine security and roll back what it deemed to be fraudulent transactions. MtGox was forced to bite the bullet and replace the BTC which were withdrawn prior to the freeze.

MtGox also stated that the exchange, which was started as a hobby project, had exponentially outgrown its security. It was also known in the BitCoin community that the site was vulnerable to cross site scripting attacks. Even the BitCoin wiki had best practice recommendations for more secure browsing when dealing with BitCoin.

So, as the value of the BitCoin kept rising, and security stayed the same, it was only a matter of time before exploits were found. In question was that unpatched or poorly configured computer with as admin privileged account.

Tracing the exact route of attack includes details which are not public knowledge. The sensitive information which has come to light are files which were posted for sale to the highest bidder on PasteBin (http://pastebin.com/). PasteBin is a message board of sorts for pirates, hackers, pr0n lovers and harmless John Does alike, where it is easy to communicate with relative anonymity using Tor. The first database contained inactive accounts. MtGox claimed this information came from a hacked computer.

Also, originally posted was a for-sale offer for Mtg ox’s user database– over 60,000 accounts in all. About a week later that accounts database was posted in a comma separated file. The contents of that file proved worthless, as MtGox was frozen, bit it did show that the site had been successfully exploited. SQL injection was described to be the method of obtaining the active account data, which included the user name, optional e-mail, and hashed password of each account.

Shortly after the accounts file came to light, all of the accounts with simple passwords were cracked and posted on paste bin as well. One interesting thing to note is the hardware currently involved in mining also has the Accelerated Parallel Processing power to be applied to hash cracking. BitCoin mining computers use APP with AMD graphics cards to hash solutions for the blockchain in the first place, as the AMD chipset can perform the calculations with a fraction of the instructions that an Nvidia card would require. A mining rig equipped with 4 ATI Radeon 5970’s running whitepixel could approach 33 billion brute force password hashes per second. Check out Whitepixel at http://whitepixel.zorinaq.com/ for an example of hash auditing software.

The purpose of a block is to verify all the timestamped transactions to prevent double-spending. The block itself contains a ledger of all recent transactions. “The timestamp proves that the data must have existed at that time, obviously in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.”

BitCoin mining uses a proof-of-work chain in order to verify and incorporate new transactions into each block. The solution to a block is found by “[…] scanning for a value that when hashed, such as with sha-256, the hash begins with a number of zero bits.” The zero bits vary with difficulty based upon the strength of the network to prevent over-issuing BitCoins. Currently, 50 BTC (which will lower over time at a fixed rate) is awarded to the solution finder to compensate for the computational power used to verify the transactions. The difficulty changes to adjust the block solves so that there is one approximately every ten minutes.

Once the solution of a block is found, the client which found the solution sends the block to all of its connected peers. Each of those connected peers verifies the solution to the block and in turn send it out to its connected peers as well, in a ‘best-effort’ manner.

Each and every block must mature in the blockchain, and each block generated after incorporates the hash of the previous block to show the longest proof of work chain. Any attempt to alter transactions in a block would require rehashing the entire blockchain, or successively solving blocks faster than the entire network and basing the subsequent blocks’ hash on the original altered on. The amount of computer power required to do this would not likely be available, and even Amazon’s cloud services couldn’t scale to alter a block. The website Block Explorer (http://blockexplorer.com/) makes examining the transactions and various data in the block chain easier, and I recommend everyone take a look.

Occasionally, more than one client will produce a solution to the same block at the same time. If this is the case, whichever block is used to generate the next block will be the valid solution. The other block will be considered an orphan and disregarded, except that any unincluded transactions will be re-added to the queue to be re-included in a future block.

Advertisements

June 15, 2011

What is BitCoin and What is BitCoin Mining?

Filed under: Software — Tags: , , , , — foreverrising @ 9:38 pm

I tried to break it down to someone yesterday. It went like this: BitCoin is a digital Internet currency. Think of it as an counterfeit-proof electronic dollar which is not manipulated by a central authority such as the Federal Reserve. It’s a basis of trade for goods, just as any other currency. Value is based on scarcity, and new BitCoins are only minted at a predictable rate once a Block is solved…

The BitCoin currency is a peer-to-peer solution for the problems which are seen in any system of currency. Every BitCoin transaction is recorded in a public ledger, which is found at Block Explorer. Each transaction is hashed into a block, the specifics of which I don’t want to get into, but are explained in the original paper Bitcoin: A Peer-to-Peer Electronic Cash System by BitCoin creator Satoshi Nakamoto. After the solution to the block is found, it is replicated throughout the peer-to-peer network, and all transactions are then verified by the BitCoin client software, which I might add is open-source. Any attempts at forging a block are rejected by the network as invalid. It is by solving a block which rewards the solver with 50 BitCoins which further propagates the BitCoin economy.

Which brings me to mining. To solve the block, a value must be solved through mathematic computation of the block. I’m not a math guy, so I couldn’t functionally explain this part, except that there are more intelligent folks which set this up. So, we use our processor power to search for the solution. As the complexity of the solution has risen to adjust the fixed rate of BitCoin dispersal, a CPU is no longer sufficient to solve a block in a reasonable amount of time. At the time of this writing, the current difficulty factor is 567385. So, if your CPU could perform at a rate of 4,000,000 hashes per second, it would take you over 19 years to solve a block, not factoring in the eventual rise of the difficulty. This, we use accelerated parallel processing, which involves harnessing the computational power of a graphics processing unit, or GPU (Why?). It’s optimal to hash on AMD cards, which is explained here. So, if I use my computer to generate BitCoins (by further supporting the BitCoin economy by verifying transactions), I am Mining BitCoins.

Take a quick look a BitCoin Part 1, a brief look and its volatile history. I ran through a couple questions that typically come up in BitCoin for the Masses, cause everyone will ask how anonymous BitCoin actually is, or how exactly do bitcoins have any value.

Create a free website or blog at WordPress.com.