  1 2012-04-12 00:04:36 <pigeons> I used to stay up until the change at 2am or whenever to see if they would replay the same tv shows
  2 2012-04-12 00:44:35 <splatster> I have a pretty serious problem.
  3 2012-04-12 00:44:43 <luke-jr> we know
  4 2012-04-12 00:44:51 <splatster> 100 BTC seem to have been sent without my knowing.
  5 2012-04-12 00:44:57 <luke-jr> :o
  6 2012-04-12 00:45:00 <splatster> I didn't import the addy or anything.
  7 2012-04-12 00:45:35 <splatster> I turned on my computer and as the blocks were downloading I got a growl notification saying 100 BTC sent
  8 2012-04-12 00:45:55 <luke-jr> did you leave a copy of your wallet anywhere?
  9 2012-04-12 00:46:34 <Diablo-D3> splatster: I STOLE YOUR MONEIES
 10 2012-04-12 00:46:59 <splatster> I had a copy in my dropbox, but it was encrypted with truecrypt, not in the public folder, blah blah blah.
 11 2012-04-12 00:48:19 <enquirer> maybe trojan in your computer
 12 2012-04-12 00:48:29 <Diablo-D3> lol macs
 13 2012-04-12 00:48:42 <enquirer> stole your dropbox and truecrypt passwords
 14 2012-04-12 00:48:46 <splatster> I have a mac, and I don't download torrented software.
 15 2012-04-12 00:48:57 <Diablo-D3> doesnt matter
 16 2012-04-12 00:49:01 <Diablo-D3> theres a mac virus going around
 17 2012-04-12 00:49:05 <luke-jr> splatster: Macs are the most vulnerable OS to hacking nowadays
 18 2012-04-12 00:49:14 <Diablo-D3> it isnt a trojan
 19 2012-04-12 00:49:18 <enquirer> macs are known to contain trojans
 20 2012-04-12 00:49:39 <Diablo-D3> yeah, they bust open and little steve jobs flood out
 21 2012-04-12 00:49:51 <enquirer> because mac is for the blondes
 22 2012-04-12 00:50:05 <splatster> Can you guys be serious about this?
 23 2012-04-12 00:50:14 <Diablo-D3> nope.
 24 2012-04-12 00:50:24 <enquirer> yeap
 25 2012-04-12 00:50:30 <luke-jr> splatster: Diablo-D3 can't.
 26 2012-04-12 00:50:56 <Diablo-D3> why did you even have 100btc?
 27 2012-04-12 00:51:46 <splatster> Because I did.
 28 2012-04-12 00:51:59 <enquirer> luke-jr is guilty; we would have 2 sigs already working if not for him
 29 2012-04-12 00:52:27 <nanotube> enquirer: the extra discussion and deliberation were probably good.
 30 2012-04-12 00:52:39 <luke-jr> enquirer: no u
 31 2012-04-12 00:52:47 <nanotube> splatster: do you see that transaction in bbe etc?
 32 2012-04-12 00:52:56 <nanotube> does that constitute your entire balance or just part of it?
 33 2012-04-12 00:53:01 <luke-jr> enquirer: we'd have *better* multisig if BIP16 fanboys weren't so hard-headed :P
 34 2012-04-12 00:53:02 <splatster> Part
 35 2012-04-12 00:53:09 <splatster> bbe?
 36 2012-04-12 00:53:12 <splatster> oh
 37 2012-04-12 00:53:16 <nanotube> bitcoin block explorer :)
 38 2012-04-12 00:53:17 <mod6> splatster: maybe ~/.bitcoin/debug.log has something to tell?
 39 2012-04-12 00:53:28 <nanotube> do you recognize the destination address?
 40 2012-04-12 00:53:46 <splatster> No, the destination addy is completely new to me.
 41 2012-04-12 00:53:57 <splatster> Yes, it is in blockexplorer
 42 2012-04-12 00:54:28 <luke-jr> splatster: txnid?
 43 2012-04-12 00:58:37 <splatster> one sec
 44 2012-04-12 00:58:47 <splatster> This is the addy the funds were sent to: 1AuL5JB6ykgNQzEuyWVQYw9Gh9Bh32f5C2
 45 2012-04-12 00:59:54 <luke-jr> splatster: http://luke.dashjr.org/-splatster
 46 2012-04-12 01:00:54 <splatster> Umm, what do I do there?
 47 2012-04-12 01:00:57 <luke-jr> nothing, it's a 404
 48 2012-04-12 01:01:04 <splatster> Ya
 49 2012-04-12 01:01:33 <luke-jr> do you use Tor or anything?
 50 2012-04-12 01:01:41 <splatster> Nope
 51 2012-04-12 01:02:01 <luke-jr> is your wallet encrypted in bitcoin?
 52 2012-04-12 01:02:07 <splatster> yes
 53 2012-04-12 01:02:12 <luke-jr> hmmm
 54 2012-04-12 01:02:22 <enquirer> are you blond?
 55 2012-04-12 01:02:25 <luke-jr> you use Bitcoin-Qt?
 56 2012-04-12 01:02:30 <splatster> luke-jr: yes
 57 2012-04-12 01:02:57 <luke-jr> the only thing I can see as possibly happening is, you have a trojan
 58 2012-04-12 01:03:04 <splatster> enquirer: I asked for you to be serious
 59 2012-04-12 01:03:06 <luke-jr> splatster: when did you turn your PC on?
 60 2012-04-12 01:03:32 <splatster> luke-jr: I just turned it on a half hour ago
 61 2012-04-12 01:04:14 <luke-jr> splatster: when did you last unlock your wallet?
 62 2012-04-12 01:04:24 <luke-jr> I presume not since booting this time?
 63 2012-04-12 01:04:46 <splatster> 3 days ago
 64 2012-04-12 01:05:18 <luke-jr> splatster: was your PC on at all today, before 30 mins ago?
 65 2012-04-12 01:05:29 <splatster> Ya it was on this morning.
 66 2012-04-12 01:05:49 <luke-jr> from what time, to what time?
 67 2012-04-12 01:07:10 <enquirer> here's a free trojan scanner for macs http://www.freedrweb.com/drweb+mac+light/
 68 2012-04-12 01:07:26 <splatster> From about 10 PM (23 hours ago) to 6 AM (15 hours ago)
 69 2012-04-12 01:08:15 <luke-jr> OK, so this was stolen while it was off.
 70 2012-04-12 01:08:25 <luke-jr> I'm going to stick to the trojan theory.
 71 2012-04-12 01:08:52 <splatster> This is really, really bad
 72 2012-04-12 01:09:31 <luke-jr> yes
 73 2012-04-12 01:10:20 <splatster> That 100 BTC was the reserve funds for S???CM
 74 2012-04-12 01:10:38 <luke-jr> splatster: know anyone in Germany?
 75 2012-04-12 01:10:40 <splatster> ie. my own money meant to cover defaulting investments
 76 2012-04-12 01:10:48 <splatster> luke-jr: Umm, no.
 77 2012-04-12 01:11:07 <luke-jr> splatster: that's where it was transferred at
 78 2012-04-12 01:11:20 <luke-jr> http://www.horlemann.de/ in fact
 79 2012-04-12 01:28:05 <splatster> luke-jr: It's weird that they didn't completely clear me out.
 80 2012-04-12 01:28:20 <luke-jr> I concur.
 81 2012-04-12 01:30:03 <splatster> luke-jr: Maybe you could take a peek at the script that TX redeemed, could there have been something weird/wrong about it?
 82 2012-04-12 01:31:28 <luke-jr> looks pretty normal
 83 2012-04-12 01:40:07 <splatster> I'm still confused as to why they would only take the funds from one addy
 84 2012-04-12 01:41:41 <splatster> luke-jr: Could it be that they might have injected a key into my wallet?
 85 2012-04-12 01:42:36 <luke-jr> splatster: rather unlikely without you knowing it
 86 2012-04-12 02:00:28 <splatster> luke-jr: Is it weird that the funds are just sitting there?  I would think that after so many hours that they would be gone.
 87 2012-04-12 02:00:44 <luke-jr> splatster: it's not been very long
 88 2012-04-12 02:00:52 <luke-jr> only about 10 hours now
 89 2012-04-12 02:04:21 <splatster> I have cleared out all remaining funds from my wallet and sent them to a trusted person.
 90 2012-04-12 02:04:50 <splatster> So I'm gearing for reformatting the hard drive and starting completely fresh.
 91 2012-04-12 02:04:53 <copumpkin> you should probably wipe your computer
 92 2012-04-12 02:05:12 <luke-jr> I'd try to confirm the trojan first.
 93 2012-04-12 02:05:16 <luke-jr> maybe dissect it
 94 2012-04-12 02:05:34 <splatster> "confirm the trojan"
 95 2012-04-12 02:05:44 <copumpkin> if you find it and it isn't a known thing, I wouldn't mind taking a look
 96 2012-04-12 02:05:47 <splatster> Anywhere I might see some obvious signs
 97 2012-04-12 02:05:53 <splatster> ok
 98 2012-04-12 02:06:20 <copumpkin> check for weird processes running in the background, and I think one of them runs just as a loaded library in another program
 99 2012-04-12 02:06:22 <copumpkin> "safari?"
100 2012-04-12 02:06:23 <splatster> I'm thinking about just grepping for the addy
101 2012-04-12 02:06:46 <copumpkin> http://www.npr.org/blogs/thetwo-way/2012/04/05/150063548/security-company-says-about-600-000-macs-infected-with-trojan-virus
102 2012-04-12 02:06:56 <copumpkin> http://gizmodo.com/5899352/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected
103 2012-04-12 02:07:13 <splatster> I haven't installed flash
104 2012-04-12 02:07:20 <splatster> (in the past year)
105 2012-04-12 02:07:27 <splatster> It came with the comp
106 2012-04-12 02:07:41 <lianj> ^^
107 2012-04-12 02:09:17 <doublec> splatster: it doesn't target just flash
108 2012-04-12 02:09:25 <splatster> Checked for the trojan, no signs
109 2012-04-12 02:09:32 <doublec> splatster: it can target a java vulnerability for example
110 2012-04-12 02:09:44 <splatster> Yes, I understand.
111 2012-04-12 02:10:18 <doublec> if it was a trojan I'd imagine you'd have been completely cleaned out anyway
112 2012-04-12 02:11:07 <lianj> or a kext
113 2012-04-12 02:13:29 <splatster> I guess I'm more worried about getting all my crap secured.
114 2012-04-12 02:13:41 <splatster> Are my GPG keys vulnerable?
115 2012-04-12 02:15:36 <splatster> luke-jr: ^
116 2012-04-12 02:16:08 <luke-jr> splatster: unknown.
117 2012-04-12 02:16:16 <luke-jr> splatster: depends on if you used them during the keylogging session
118 2012-04-12 02:16:57 <splatster> Yes, I did.  In fact I used them to otc-auth before -qt had caught up on the blocks
119 2012-04-12 02:17:12 <BlueMatt> revoke and make new ones, Id say
120 2012-04-12 02:18:04 <splatster> How can I prove that it's me who issues the new one?
121 2012-04-12 02:18:10 <splatster> (GPG ain't my thing)
122 2012-04-12 02:18:21 <BlueMatt> if your gpg key is compromised, you cant
123 2012-04-12 02:18:33 <BlueMatt> you can sign it with your old key, but if its compromised, well...
124 2012-04-12 02:18:38 <BlueMatt> still, do that,
125 2012-04-12 02:19:00 <BlueMatt> so, a. make new key, b. sign with old key, c. revoke old key
126 2012-04-12 02:19:03 <splatster> Well what's stopping someone from jumping in and claiming to be me?
127 2012-04-12 02:19:06 <BlueMatt> d. push them all to your favorite key server
128 2012-04-12 02:19:16 <splatster> ok
129 2012-04-12 02:19:21 <BlueMatt> nothing, thats why you do it now, so that later they are late to the party
130 2012-04-12 02:20:32 <splatster> Should I even do it on this comp?
131 2012-04-12 02:20:53 <BlueMatt> I wouldnt, but then...well you only lost stuff from one addr...
132 2012-04-12 02:20:59 <BlueMatt> which is...odd
133 2012-04-12 02:21:41 <luke-jr> splatster: btw, by "without you knowing it", I mean I presume you didn't import a key yourself
134 2012-04-12 02:22:13 <splatster> No, I have imported one key, however, but that was a different addy and it was some time ago.
135 2012-04-12 02:22:42 <luke-jr> do you know what addy?
136 2012-04-12 02:23:12 <splatster> Yes, the addy that I imported was my donations addy
137 2012-04-12 02:23:38 <splatster> 1PAiD5ACB37FHmLaapxU2Tj2mQCxoVvn4j <-- Kinda sorta vanity addy
138 2012-04-12 02:24:41 <splatster> BlueMatt: I'm not sure what to do.  As of now I am going to backup my drive and nuke this comp ASAP
139 2012-04-12 02:25:08 <BlueMatt> backup gpg key first
140 2012-04-12 02:25:13 <BlueMatt> and other stuff, ofc
141 2012-04-12 02:36:28 <splatster> I'm going to have to go offline for a bit while I get everything going.
142 2012-04-12 02:37:03 <splatster> I have my phone on me, so send me an email (the one in my GPG key) if needed/urgent in the next few hours.
143 2012-04-12 02:44:48 <splatster> Well, maybe not.
144 2012-04-12 02:46:34 <splatster> The stolen funds have moved.
145 2012-04-12 02:47:08 <splatster> 20 or so minutes ago according to blockchain.info
146 2012-04-12 02:47:48 <bitfoo> ouch
147 2012-04-12 02:47:53 <bitfoo> how much did you lose, splatster?
148 2012-04-12 02:48:03 <splatster> 100 BTC, *poof*
149 2012-04-12 02:48:11 <Diablo-D3> sigh
150 2012-04-12 02:48:14 <bitfoo> :(
151 2012-04-12 02:48:15 <Diablo-D3> I wish they were moving to me
152 2012-04-12 02:48:18 <Diablo-D3> but lets face it
153 2012-04-12 02:48:22 <Diablo-D3> nothing awesome like that ever happens
154 2012-04-12 02:48:50 <splatster> Diablo-D3: If they were moving to you, I would hope you would have the integrity to send them back
155 2012-04-12 02:49:04 <Diablo-D3> splatster: why?
156 2012-04-12 02:49:11 <Diablo-D3> why should I have any fucking integrity
157 2012-04-12 02:49:18 <Diablo-D3> integrity doesnt put food on the goddamned table does it
158 2012-04-12 02:49:37 <Eliel> it does, actually. Just not directly.
159 2012-04-12 02:49:38 <splatster> Wow, that really makes me -not- trust you...
160 2012-04-12 02:50:01 <Diablo-D3> splatster: who cares, its not like I actually _do_ anything
161 2012-04-12 02:50:14 <splatster> If you did something like that, though, I would definitely offer you a reward and everyone would hold you up as a good person.
162 2012-04-12 02:50:33 <Diablo-D3> being a good person doesnt pay the bills.
163 2012-04-12 02:50:43 <splatster> Diablo-D3: **I Care**
164 2012-04-12 02:50:57 <Diablo-D3> CARING DOESNT PRODUCE MONEY
165 2012-04-12 02:51:11 <bitfoo> it produces happiness
166 2012-04-12 02:51:21 <Diablo-D3> bitfoo: not to me it doesnt.
167 2012-04-12 02:51:39 <splatster> Diablo-D3: If you had 100 BTC stolen and they wound up with me, I would gladly send them back to you, even if I was starving
168 2012-04-12 02:51:40 <bitfoo> well, each for himself
169 2012-04-12 02:51:57 <Diablo-D3> splatster: I dont think Ive had 100 BTC in one spot for the past 2 years.
170 2012-04-12 02:52:09 <Eliel> Diablo-D3: caring makes it easier to make money. Of course, it's not the only thing that's needed.
171 2012-04-12 02:52:11 <Diablo-D3> hell, I dont think Ive EVER had 100 btc at once
172 2012-04-12 02:52:18 <splatster> Diablo-D3: Ah, sorry.
173 2012-04-12 02:52:55 <splatster> FYI, this addy looks somewhat active, so this person might have stolen more than just my money in this thing.
174 2012-04-12 02:54:02 <splatster> Stolen coins are at this addy: http://blockchain.info/address/13zrw56zQgh4oqP9xGambw5BaAS3UJy8S4
175 2012-04-12 02:54:19 <splatster> s/are at/were moved to/
176 2012-04-12 02:55:50 <MasterChief> Diablo-D3 complete lack of integrity gets you Detroit
177 2012-04-12 02:56:03 <MasterChief> enjoy your $500 real estate
178 2012-04-12 03:02:48 <splatster> Imma bounce in and out in a sec
179 2012-04-12 03:04:22 <splatster> ok back
180 2012-04-12 03:06:18 <Cryo> how much was in your wallet
181 2012-04-12 03:06:34 <gjs278> over 9000
182 2012-04-12 03:07:24 <splatster> gjs278: Stop trolling.
183 2012-04-12 03:07:36 <Cryo> ha, welcome to the Internet.
184 2012-04-12 03:07:40 <gjs278> splatster, what does it say about my trolling over
185 2012-04-12 03:07:44 <gjs278> [00:06] <gjs278> over 9000
186 2012-04-12 03:07:49 <gjs278> fuck
187 2012-04-12 03:07:51 <gjs278> level
188 2012-04-12 03:07:56 <Cryo> anyway, how much more than 100 was the wallet
189 2012-04-12 03:08:12 <splatster> 107.4 BTC was in the wallet, 100 BTC was stolen.
190 2012-04-12 03:08:36 <splatster> The remaining funds were sent to a trusted person.
191 2012-04-12 03:08:45 <Cryo> probably rounding to try to eliminate tracking
192 2012-04-12 03:08:45 <splatster> The compromised wallet is empty.
193 2012-04-12 03:08:55 <Cryo> if it were 107.4, that would have been easy to spot
194 2012-04-12 03:09:14 <splatster> I know the addy it was sent to, Cryo
195 2012-04-12 03:09:20 <splatster> I'm watching it right now.
196 2012-04-12 03:09:21 <Cryo> yeh, but there's nothing you can do
197 2012-04-12 03:09:46 <luke-jr> splatster: have you done the police report yet?
198 2012-04-12 03:09:51 <splatster> Ya, and there's nothing I could've done if they had stolen 107.4 BTC, either.
199 2012-04-12 03:09:55 <splatster> luke-jr: No.
200 2012-04-12 03:10:08 <splatster> And I hope you're joking.
201 2012-04-12 03:11:41 <splatster> luke-jr: Not sure if you saw, but the coins were moved off to a different addy, and it looks like the addy has been used for laundering in the past.  Addy is 13zrw56zQgh4oqP9xGambw5BaAS3UJy8S4
202 2012-04-12 03:11:43 <Cryo> make sure you get the java 2012 -002 update from apple
203 2012-04-12 03:12:37 <sturles> Sounds like another dropbox victim to me.  How strong was the passphrase?
204 2012-04-12 03:12:40 <Cryo> nice round numbers
205 2012-04-12 03:12:43 <splatster> Cryo: I'm nuking this comp.  Right now I'm running salvage and backup and getting ready to start with a completely fresh install.
206 2012-04-12 03:12:56 <MasterChief> dropbox victim?
207 2012-04-12 03:13:08 <Cryo> you kept your wallet on dropbox?
208 2012-04-12 03:14:03 <splatster> sturles: Strong enough that it takes me a decent amount of time to type it.  It has caps, numbers, symbols, abbreviations, inside jokes from college, shit that can't be brute forced.
209 2012-04-12 03:14:54 <splatster> Cryo: A backup, yes.  But it was encrypted many times over.
210 2012-04-12 03:16:17 <splatster> No passphrase is strong enough to beat a keylogger, though.
211 2012-04-12 03:17:01 <midnightmagic> splatster: the whole point of a revocation is that anyone with the secret key can revoke, and it doesn't matter that the secret key is compromised. there's no point at all in signing the new key, the signature will be marked as invalid as soon as other gnupg people receive your revocation. to properly reintroduce the new key, the idea is to enter it via the WoT: the other people who know you and sign keys in person and vouch for
212 2012-04-12 03:17:07 <midnightmagic> you.
213 2012-04-12 03:17:58 <midnightmagic> and then, again ideally, everyone is connected enough that the people here can verify through the wot sigs that the new key is yours.
214 2012-04-12 03:18:24 <Cryo> from now on, generate a revocation key
215 2012-04-12 03:18:25 <splatster> How can I prove me to be me without my GPG?
216 2012-04-12 03:18:35 <Cryo> same way you got people to sign it before
217 2012-04-12 03:19:23 <splatster> Revoking the key isn't that urgent, so I'd rather do it later just in case
218 2012-04-12 03:19:26 <Cryo> since you're on the machine, can you pastebin a few things for me?
219 2012-04-12 03:19:29 <midnightmagic> splatster: in person is best, with people you know. if you didn't know anyone you can phone and verify fingerprints with.. like a brother or friend or something..
220 2012-04-12 03:20:47 <Cryo> kextstat -l and ps -fecl
221 2012-04-12 03:20:58 <Cryo> see if there's anything that's easily spotted
222 2012-04-12 03:21:13 <splatster> ok
223 2012-04-12 03:23:54 <Cryo> my key is ancient, I have to open a crypt and beat a mummy to death
224 2012-04-12 03:24:18 <splatster> Cryo: Nothing there is at all suspicious.
225 2012-04-12 03:24:51 <splatster> I've already combed through each process and its open files/ports
226 2012-04-12 03:24:52 <midnightmagic> Cryo: well long as you don't have to burn the crypt, because then you'd have to start making demos
227 2012-04-12 03:26:51 <Cryo> I should check if my signers are even still alive.
228 2012-04-12 03:26:54 <Cryo> heh
229 2012-04-12 03:27:15 <midnightmagic> i would have loved to have fred fish' sig on an old key.
230 2012-04-12 03:27:23 <midnightmagic> oh well
231 2012-04-12 03:27:30 <Cryo> oh man, that's a name I haven't heard in ages.  I miss him.
232 2012-04-12 03:28:03 <Cryo> though he apologized for typoing cryoutils into cyroutils
233 2012-04-12 03:30:36 <Cryo> splat, if you can't find anything, I'd be hard-pressed to proclaim you have a 0-day, since you did have a backup on dropbox.. that would be a potential culprit.  If dropbox would provide access logs to that file, it might help find out if you were really compromised on your system
234 2012-04-12 03:32:06 <splatster> Cryo: I'm far less concerned about the source of the compromise than I am of limiting the damage
235 2012-04-12 03:33:16 <MasterChief> if you dont know how you got fucked how can you prevent it next time
236 2012-04-12 03:33:25 <Cryo> maybe bitcoin keys need signatures too :)
237 2012-04-12 03:33:42 <BlueMatt> 2-factor auth is coming
238 2012-04-12 03:33:51 <splatster> MasterChief: By not handling anything important on this comp.
239 2012-04-12 03:34:17 <luke-jr> Cryo: if the wallet wasn't encrypted, I'd say Dropbox is certain
240 2012-04-12 03:34:26 <MasterChief> i think the security myth of mac is coming to an end
241 2012-04-12 03:34:31 <luke-jr> the real question is, how did someone get his passphrase without a keylogger?
242 2012-04-12 03:34:36 <splatster> 100 BTC is only $500.  Don't get me wrong, I'm pissed, but I could've had my identity stolen and my bank account hacked.
243 2012-04-12 03:34:38 <Cryo> I never believed that myth anyway :)
244 2012-04-12 03:34:59 <Cryo> or you could be arrested for child pron
245 2012-04-12 03:35:10 <Cryo> all sorts of things people can do on your machine to make your life hell.
246 2012-04-12 03:35:13 <MasterChief> maybe theres a 0day in the wallet encryption
247 2012-04-12 03:35:18 <splatster> luke-jr: The wallet does wind up in memory when it is unlocked, correct?
248 2012-04-12 03:35:40 <Cryo> unless mac and pc are treated differently
249 2012-04-12 03:35:41 <luke-jr> splatster: but you didn't unlock it around the time of the theft
250 2012-04-12 03:35:47 <Cryo> you'd see a rash of thefts
251 2012-04-12 03:36:03 <Diablo-D3> we just dont know about it yet
252 2012-04-12 03:36:12 <splatster> I did unlock it soon after I rebooted my comp.
253 2012-04-12 03:36:14 <Cryo> that's comforting :)
254 2012-04-12 03:36:20 <luke-jr> splatster: you said 3 days ago.
255 2012-04-12 03:36:31 <luke-jr> plus, it occurred at 7:15 PM UTC
256 2012-04-12 03:36:32 <splatster> And if -qt has a memory leak...
257 2012-04-12 03:36:52 <Cryo> yeh, about -qt... I need free time to fix that.
258 2012-04-12 03:37:02 <splatster> luke-jr: My comp was off at that time.
259 2012-04-12 03:37:10 <luke-jr> splatster: my point exactly.
260 2012-04-12 03:37:13 <luke-jr> splatster: also, that's not a leak.
261 2012-04-12 03:37:20 <luke-jr> it's impossible to use keys without decrypting them in memory.
262 2012-04-12 03:37:57 <splatster> luke-jr: Bottom line is that my computer is infected.
263 2012-04-12 03:38:00 <splatster> Period.
264 2012-04-12 03:38:30 <splatster> With what, I don't know.  How, I don't know.  The extent of the damage, I don't know.
265 2012-04-12 03:38:40 <splatster> I do know that I have to nuke it ASAP.
266 2012-04-12 03:38:53 <midnightmagic> luke-jr: actually i think it might be possible to use them without decrypting them..
267 2012-04-12 03:39:15 <splatster> I'm making a clone for probing purposes and then this disk is gonna be zeroed out to hell.
268 2012-04-12 03:39:29 <midnightmagic> splatster: remember! only one pass is enough!
269 2012-04-12 03:39:44 <Cryo> meh, dd is faster
270 2012-04-12 03:40:29 <splatster> I think I might see about flashing the firmware, too.
271 2012-04-12 03:40:34 <copumpkin> has anyone considered setting up a non-profit "bitcoin foundation" that we can donate to (in a tax-exempt manner, with USD, or just with btc) to fund research and advance the project as a whole?
272 2012-04-12 03:40:47 <Cryo> flashing what firmware? what kind of mac is this? :)
273 2012-04-12 03:40:55 <midnightmagic> copumpkin: lots and often, even back to Dec '10 or so.
274 2012-04-12 03:41:14 <luke-jr> Cryo: every PC has firmware to flash.
275 2012-04-12 03:41:16 <copumpkin> did anything come of it? were there specific objections, or just nobody wants to deal with the legal shit?
276 2012-04-12 03:41:16 <splatster> Cryo: Macs have firmware.  Firmware is essential to what makes a computer run.
277 2012-04-12 03:41:24 <Cryo> copumpkin, I think it would be more likely with a 1.0.0 release to show the group is "serious"
278 2012-04-12 03:41:33 <midnightmagic> splatster: if you're going that far, technically your ethernet card is a vector too. don't go too paranoid.
279 2012-04-12 03:41:35 <Cryo> splat, really? :)
280 2012-04-12 03:41:51 <copumpkin> Cryo: yep
281 2012-04-12 03:42:01 <midnightmagic> lol..
282 2012-04-12 03:42:15 <brwyatt> Don't newer Macs pretty much have OSX installed in Firmware?
283 2012-04-12 03:42:16 <Cryo> and USB fobs, and and and
284 2012-04-12 03:42:20 <brwyatt> At least a small amount?
285 2012-04-12 03:42:21 <copumpkin> brwyatt: not really :P
286 2012-04-12 03:42:31 <Cryo> no, that's the emergency/rescue partition
287 2012-04-12 03:42:33 <midnightmagic> Cryo: well I still remember who you are dude. :)
288 2012-04-12 03:42:36 <copumpkin> they have EFI
289 2012-04-12 03:42:37 <splatster> brwyatt: Kinda, not really
290 2012-04-12 03:42:42 <splatster> they have efi
291 2012-04-12 03:42:46 <splatster> damn
292 2012-04-12 03:42:47 <Cryo> midnightmagic, oh you're an old fart? refresh my brain!
293 2012-04-12 03:42:52 <brwyatt> If you boot it with a blank drive, it will connect to your network and download OSX from Apple or from your Time Capsule, won't it?
294 2012-04-12 03:42:55 <splatster> copumpkin beat me to it.
295 2012-04-12 03:42:56 <Cryo> I've lost so many braincells since back then
296 2012-04-12 03:43:10 <MasterChief> back in my day we called it bios
297 2012-04-12 03:43:25 <splatster> Apple has released updates that actually flash the EFI in the past.
298 2012-04-12 03:43:33 <midnightmagic> it's okay i'm in a new name you're not forgetting anything.
299 2012-04-12 03:43:38 <copumpkin> MasterChief: now it can connect to secured wi-fi networks :P
300 2012-04-12 03:43:51 <brwyatt> I think someone also found that Macs will connect to open WiFi networks in their pre-boot state too, won't they? I remember something about that... it involved an interesting UEFI memory bug.
301 2012-04-12 03:44:01 <splatster> EFI makes it look pretty :)
302 2012-04-12 03:44:19 <copumpkin> brwyatt: there's explicit support for it, especially now with the macbook airs
303 2012-04-12 03:44:23 <copumpkin> but it was there before
304 2012-04-12 03:44:28 <copumpkin> and I do remember it being exploitable
305 2012-04-12 03:44:51 <brwyatt> There are a lot of unpatched exploitable goodies.
306 2012-04-12 03:44:57 <MasterChief> so yah whats wrong with dropbox for wallets
307 2012-04-12 03:45:21 <splatster> copumpkin: I don't even remember how many times they have had an EFI update...
308 2012-04-12 03:45:26 <Cryo> there isn't enough encryption for me to put it on S3 or Dropbox
309 2012-04-12 03:45:50 <copumpkin> Cryo: rot13 60000 times
310 2012-04-12 03:45:51 <MasterChief> its AES
311 2012-04-12 03:46:02 <brwyatt> copumpkin: LOL
312 2012-04-12 03:46:13 <copumpkin> this is where the beauty of involutions comes in
313 2012-04-12 03:46:14 <Cryo> I'll take truecrypt on a dmg on a usb fob
314 2012-04-12 03:46:20 <Cryo> no way.. ROT26
315 2012-04-12 03:46:27 <Cryo> easier to remember the password.
316 2012-04-12 03:46:33 <splatster> copumpkin: No, I think rot26 30000 times would be better :P
317 2012-04-12 03:46:39 <copumpkin> oh ok :)
318 2012-04-12 03:46:45 <Cryo> 2x the rotation! must be more secure!
319 2012-04-12 03:47:15 <BlueMatt> openssl aes-256-cbc -d -in infile -out outfile
320 2012-04-12 03:47:24 <BlueMatt> easy as pie
321 2012-04-12 03:47:31 <copumpkin> pfft, cbc
322 2012-04-12 03:47:40 <copumpkin> real hax0rz use ecb
323 2012-04-12 03:47:55 <Cryo> but aes...
324 2012-04-12 03:48:11 <BlueMatt> copumpkin: yea...
325 2012-04-12 03:48:59 <Cryo> I'm tired of openssl having vulns too
326 2012-04-12 03:49:08 <BlueMatt> its plain aes
327 2012-04-12 03:49:22 <MasterChief> so yah whats wrong with dropbox for wallets really?
328 2012-04-12 03:49:38 <BlueMatt> i have never heard of a vuln in plain aes methods in ossl...
329 2012-04-12 03:49:38 <copumpkin> nothing, just don't symlink straight to your dropbox dir
330 2012-04-12 03:50:28 <splatster> Just for kicks I looked at MD2 on wikipedia: "Although MD2 is no longer considered secure, even as of 2010 it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA."
331 2012-04-12 03:50:29 <MasterChief> an encrypted wallet is never saved decrypted again though right
332 2012-04-12 03:50:30 <Eliel> MasterChief: nothing wrong as such, it's just quite easy to leak your wallet to someone who shouldn't have it that way :P
333 2012-04-12 03:51:36 <MasterChief> how though
334 2012-04-12 03:51:42 <phantomcircuit> splatster, MD2 is used by a good number of root certificates still
335 2012-04-12 03:51:58 <splatster> phantomcircuit: Am I the only one who finds that... sad?
336 2012-04-12 03:52:06 <phantomcircuit> nope
337 2012-04-12 03:52:15 <phantomcircuit> but i've never been able to think of a way to exploit it
338 2012-04-12 03:52:16 <phantomcircuit> so
339 2012-04-12 03:52:17 <phantomcircuit> meh
340 2012-04-12 03:53:40 <Diablo-D3> we'd be done mining them by the end of the week.
341 2012-04-12 03:53:43 <copumpkin> some certs use nice exponents of 3, too
342 2012-04-12 03:53:49 <copumpkin> anyone ever implemented the bleichenbacher attack?
343 2012-04-12 03:54:02 <Diablo-D3> copumpkin: I wish someone would explain why the fuck an exponent of 3 is bad
344 2012-04-12 03:54:13 <Diablo-D3> because all I heard was some really bad WAAAAARGBLe
345 2012-04-12 03:54:25 <copumpkin> it's actually how we did the first iphone unlock
346 2012-04-12 03:54:42 <copumpkin> let me find you the original email about it
347 2012-04-12 03:55:54 <Cryo> heh, waarglbe gif of skydiver... most enlightening.
348 2012-04-12 03:57:57 <copumpkin> hmm, the email I used to refer to for it is nowhere to be found
349 2012-04-12 03:58:11 <Diablo-D3> copumpkin: <3 the fucking tubes
350 2012-04-12 03:58:46 <splatster> For MD4, "generating a collision is now as cheap as verifying it."
351 2012-04-12 03:58:55 <copumpkin> but basically it boils down to the fact that if you don't enforce the padding requirements on RSA (as many homegrown implementations, like those in modem firmwares, did), simply cubing the number won't necessarily cause you to "roll over" your modulus
352 2012-04-12 03:58:59 <copumpkin> you can pad the rest with junk
353 2012-04-12 03:59:23 <Diablo-D3> you know, that'd be a hilarious way of doing bitcoin
354 2012-04-12 03:59:24 <copumpkin> and sign things that should not have been signed, assuming the checker does not check the padding
355 2012-04-12 03:59:34 <Diablo-D3> take a collidable algo
356 2012-04-12 03:59:41 <Diablo-D3> diff is now producing x collisions
357 2012-04-12 04:00:19 <copumpkin> not sure if we used exactly bleichenbacher's attack, but it was basically taking advantage of what I described
358 2012-04-12 04:00:31 <copumpkin> (higher exponents would cause your modulus to actually become relevant)
359 2012-04-12 04:00:58 <copumpkin> 74^3 mod 10000000 is just 74^3, basically
360 2012-04-12 04:02:49 <Diablo-D3> ffffffffffff
361 2012-04-12 04:02:52 <Diablo-D3> thats _bad_
362 2012-04-12 04:03:40 <copumpkin> yeah, and it's actually made worse by higher-bit keys
363 2012-04-12 04:03:50 <copumpkin> since a bigger modulus gives you more room to screw around with
364 2012-04-12 04:04:30 <Diablo-D3> ppl r dum
365 2012-04-12 04:04:43 <copumpkin> so, usual advice applies: don't roll your own crypto, or if you do, make sure you understand why all the bits and pieces (like the fancy padding schemes in RSA) are in place
366 2012-04-12 04:04:59 <copumpkin> but really, just don't roll your own crypto :P
367 2012-04-12 04:05:03 <Diablo-D3> rolling your own crypto isnt even that bad
368 2012-04-12 04:05:12 <Diablo-D3> just make sure you understand the code you're cribbing off of
369 2012-04-12 04:05:18 <copumpkin> yeah, I guess :)
370 2012-04-12 04:05:24 <copumpkin> I guess it depends on the purpose of the crypto
371 2012-04-12 04:06:16 <copumpkin> if it's the kind of stuff that might be susceptible to timing or other side-channel attacks, you probably want to stick to something tried and tested
372 2012-04-12 04:06:40 <copumpkin> if it's just offline sig checking or stuff that doesn't have access to sensitive data, you can probably roll your own if you're careful
373 2012-04-12 04:07:23 <copumpkin> Diablo-D3: speaking of dum, do you know the major ingredient that made the Wii hackable?
374 2012-04-12 04:07:43 <Diablo-D3> japanese schoolgirls?
375 2012-04-12 04:07:45 <Cryo> people?
376 2012-04-12 04:07:46 <copumpkin> lol
377 2012-04-12 04:08:02 <copumpkin> they used strcmp on binary hash output to make sure you were legit
378 2012-04-12 04:08:11 <Diablo-D3> bfsdzhfdssgsdgsdtgwsetwstgg
379 2012-04-12 04:08:13 <Diablo-D3> eatgatawrtaetydudestusrusruy
380 2012-04-12 04:08:15 <Diablo-D3> wyteysysysrhysryhsrshysyhs
381 2012-04-12 04:08:36 <Diablo-D3> https://www.youtube.com/watch?v=nW5CapRMkGQ
382 2012-04-12 04:08:40 <Diablo-D3> this is what I feel like right now
383 2012-04-12 04:08:41 <copumpkin> so you just needed to brute force until you found a hash that matched an arbitrarily short prefix + \0 of the verification key
384 2012-04-12 04:08:58 <copumpkin> lol
385 2012-04-12 04:09:01 <splatster> Wow... just wow.
386 2012-04-12 04:10:45 <copumpkin> and the PS3 implemented all their crypto correctly except that their PRNG always spat out the same value
387 2012-04-12 04:11:07 <copumpkin> lots of gems out there
388 2012-04-12 04:11:19 <Diablo-D3> int rand() { return 3; }
389 2012-04-12 04:11:23 <splatster> Should I have Gox mark the coins as stolen? (I don't know if they even do anything about heists of coins)
390 2012-04-12 04:11:35 <Diablo-D3> splatster: just leave it be.
391 2012-04-12 04:11:37 <copumpkin> splatster: I think MagicalTux usually asks for a police report
392 2012-04-12 04:11:43 <Diablo-D3> yeah or that
393 2012-04-12 04:11:44 <splatster> ah.
394 2012-04-12 04:11:54 <copumpkin> meaning he probably won't mark them as stolen unless you show him one
395 2012-04-12 04:12:36 <splatster> $500 isn't even worth the time of dealing with the cops and having a 0 chance of getting them back
396 2012-04-12 04:13:20 <copumpkin> yeah, frustrating though. Sorry it happened to you :/
397 2012-04-12 04:14:16 <splatster> Ya, I don't think I'll even be keeping anything important on my fresh install besides a copy of my GPG key.
398 2012-04-12 04:15:17 <MasterChief> what does marking coins as stolen do
399 2012-04-12 04:15:27 <splatster> Also, that's the other thing about BTC for me: all of the money I have in BTC, I didn't expect to have in the first place.
400 2012-04-12 04:15:44 <splatster> MasterChief: Not much other than that gox won't take them.
401 2012-04-12 04:17:48 <Eliel> gox will take them allright, they'll just not accept your being anonymous after that. As in, your account will be frozen until you provide identification.
402 2012-04-12 04:18:26 <splatster> Regardless, it isn't worth it.
403 2012-04-12 04:19:53 <splatster> Kinda sad to have my TX history go, though. :/
404 2012-04-12 04:22:20 <MasterChief> umm what if you randomly end up with marked coins
405 2012-04-12 04:24:27 <splatster> Anybody have some freelancing that pays 100 BTC ;)
406 2012-04-12 04:25:16 <splatster> JK, I'll earn it back like I earned all my coins in the first place.
407 2012-04-12 04:25:26 <MasterChief> so exchanges are policing bitcoin now?
408 2012-04-12 04:25:47 <[Tycho]> Some of them.
409 2012-04-12 04:25:55 <[Tycho]> ICBIT doesn't :)
410 2012-04-12 04:26:11 <gjs278> when I got scammed 16 coins
411 2012-04-12 04:26:14 <gjs278> back at the $18 level
412 2012-04-12 04:26:21 <gjs278> I found the guy's work and emailed him there
413 2012-04-12 04:26:21 <luke-jr> [Tycho]: does ICBIT comply with the relevant regulations?
414 2012-04-12 04:26:26 <gjs278> and his boss answered and he was fired
415 2012-04-12 04:26:31 <[Tycho]> luke-jr: what regulations ?
416 2012-04-12 04:26:38 <luke-jr> [Tycho]: standard banking regulations
417 2012-04-12 04:26:46 <luke-jr> KYC and such
418 2012-04-12 04:26:47 <MasterChief> shitty noss
419 2012-04-12 04:26:55 <[Tycho]> Currently we don't care about banking regulations.
420 2012-04-12 04:27:00 <gjs278> he actually paid me back 4 of the coins too
421 2012-04-12 04:27:03 <luke-jr> [Tycho]: so you operate illegally?
422 2012-04-12 04:27:07 <[Tycho]> Especially about KYC.
423 2012-04-12 04:27:08 <Cryo> meh KYC
424 2012-04-12 04:27:18 <Cryo> should mean keep your cash
425 2012-04-12 04:27:19 <gjs278> pretty sure tycho is russia
426 2012-04-12 04:27:21 <gjs278> or something
427 2012-04-12 04:27:27 <luke-jr> gjs278: so?
428 2012-04-12 04:27:35 <gjs278> so how would kyc apply to him
429 2012-04-12 04:27:42 <gjs278> only the c's in this case would be doing something wrong
430 2012-04-12 04:27:44 <luke-jr> Russia probably has KYC regulations
431 2012-04-12 04:27:47 <gjs278> maybe
432 2012-04-12 04:27:48 <[Tycho]> I'm not in USA, we don't have anything named KYC.
433 2012-04-12 04:27:50 <JFK911> I've never had KYC problems at a real bank.  I'm pretty sure that's a scam for mtgox to trim their reserve fraction
434 2012-04-12 04:27:57 <MasterChief> because TEAM AMERICA WORLD POLICE
435 2012-04-12 04:28:10 <luke-jr> JFK911: you've never shown ID to your real bank?
436 2012-04-12 04:28:24 <[Tycho]> And the exchange is not operating in USA or Russia. Why would I follow those regulations ?
437 2012-04-12 04:28:29 <luke-jr> even if Russia doesn't have KYC regulations, US regulations apply if they do business with people in the US
438 2012-04-12 04:28:34 <gjs278> I just guessed russia
439 2012-04-12 04:28:41 <JFK911> Actually, my current banking arrangement has never seen my ID, and they have no physical address for me.
440 2012-04-12 04:28:52 <gjs278> tycho is currently on the moon, he was able to pay for a space shuttle with deepbit earnings
441 2012-04-12 04:29:03 <luke-jr> JFK911: I bet they have you flagged as "showed ID" on paper, at least.
442 2012-04-12 04:29:11 <JFK911> If they do, I didn't.
443 2012-04-12 04:29:18 <luke-jr> gjs278: regardless, doing business in the USA subjects you to USA regulations
444 2012-04-12 04:29:25 <[Tycho]> luke-jr: ok, so if you are US citizen and you can't use any service that don't have your ID then you may don't use it.
445 2012-04-12 04:29:32 <MasterChief> i bet he could buy glorious peoples buran shuttle
446 2012-04-12 04:29:47 <gjs278> good luck extraditing him
447 2012-04-12 04:29:56 <gjs278> they'll have agents just kill him in his sleep
448 2012-04-12 04:30:03 <gjs278> or lord of war him
449 2012-04-12 04:30:03 <luke-jr> XD
450 2012-04-12 04:30:07 <JFK911> yeah and i'd like to see mtgox get burned for not sending 1099's
451 2012-04-12 04:30:15 <Diablo-D3> [Tycho]: it doesnt work that way
452 2012-04-12 04:30:19 <JFK911> theres no regulation
453 2012-04-12 04:30:23 <Diablo-D3> JFK911: and mtgox wouldnt be able to send 1099s
454 2012-04-12 04:30:30 <Diablo-D3> bitcoins, financially, do not exist
455 2012-04-12 04:30:34 <luke-jr> JFK911: you didn't get your 1099?
456 2012-04-12 04:30:37 <Diablo-D3> and I dont think you meant 1099 either
457 2012-04-12 04:30:40 <JFK911> there are dollars in and dollars out
458 2012-04-12 04:30:44 <[Tycho]> Diablo-D3: so this means that I should ban all US IPs ? :)
459 2012-04-12 04:30:45 <JFK911> i got no 1099
460 2012-04-12 04:30:52 <gjs278> you shouldnt have
461 2012-04-12 04:30:56 <luke-jr> [Tycho]: and most countries
462 2012-04-12 04:30:58 <JFK911> mtgox would email it to me or what? lol
463 2012-04-12 04:31:04 <Diablo-D3> [Tycho]: yes, unless you want your bank accounts closed and your house bombed by drone
464 2012-04-12 04:31:12 <Diablo-D3> [Tycho]: and the deepbit domain stolen
465 2012-04-12 04:31:13 <gjs278> yes you are going to be droned one day
466 2012-04-12 04:31:26 <[Tycho]> luke-jr: it doesn't work that way.
467 2012-04-12 04:31:30 <luke-jr> yes it does
468 2012-04-12 04:31:40 <gjs278> you will be droned, then we will be droned for knowing you
469 2012-04-12 04:32:17 <[Tycho]> luke-jr: ok. Forget about the exchange :)
470 2012-04-12 04:32:27 <JFK911> mtgox could 1099 if they wanted to, but they never collected any information from me that they'd need to do it
471 2012-04-12 04:32:38 <MasterChief> theyll take your domain minimum
472 2012-04-12 04:32:40 <JFK911> 1099 is just EDI
473 2012-04-12 04:32:49 <luke-jr> JFK911: have you used MtGox in a way that triggers their requirement to mail a 1099?
474 2012-04-12 04:33:03 <JFK911> i got many USD from it
475 2012-04-12 04:33:10 <gjs278> you can report it yourself really
476 2012-04-12 04:33:10 <JFK911> enough to buy a new car
477 2012-04-12 04:33:13 <gjs278> you dont need them to
478 2012-04-12 04:33:17 <luke-jr> JFK911: pretty sure you need a minimum withdrawal per month, or balance
479 2012-04-12 04:33:33 <luke-jr> JFK911: specifically, the maximums they let you withdraw without verifying
480 2012-04-12 04:33:37 <JFK911> i think the IRS will tell you its some dollars during a year
481 2012-04-12 04:33:56 <gjs278> the dollars is how much you made
482 2012-04-12 04:34:14 <gjs278> if you really only had bitcoins the only time I dont know what you'd have to do
483 2012-04-12 04:34:19 <luke-jr> JFK911: in other words, you *can't* trigger a 1099 requirement for them, unless you first provide the info they need to comply
484 2012-04-12 04:34:34 <JFK911> i've been 1099'd for less
485 2012-04-12 04:34:41 <luke-jr> optional != required
486 2012-04-12 04:34:58 <JFK911> now why would an accountant waste time with something he doesn't need?
487 2012-04-12 04:34:59 <Diablo-D3> yeah, theres a $400/no limit
488 2012-04-12 04:35:02 <luke-jr> I'm sure companies are free to send you a 1099 for any amount
489 2012-04-12 04:35:13 <luke-jr> JFK911: accountant? 1099s are most likely 100% computer automated.
490 2012-04-12 04:35:23 <Diablo-D3> you wont get a 1099 for less than $5
491 2012-04-12 04:35:42 <JFK911> it's EDI, but those datasets have to be audited in the future.
492 2012-04-12 04:41:38 <JFK911> anyway, i'm done.  i quit selling bitcoin related stuff
493 2012-04-12 04:42:17 <JFK911> my lawyer told me that because i know that silkroad exists and have a general idea of what it does, i could be liable to some federal law about helping people buy drugs on the internet
494 2012-04-12 04:42:30 <JFK911> by doing anything to further it
495 2012-04-12 04:42:51 <Diablo-D3> JFK911: yes, but then you can also no longer use tor, computers, the internet, USD
496 2012-04-12 04:43:03 <Diablo-D3> infact, even having water available is in violation of this law
497 2012-04-12 04:43:12 <Diablo-D3> water is often used in the manufacturing of drugs
498 2012-04-12 04:43:48 <JFK911> have you ever fought against the DoJ?
499 2012-04-12 04:43:56 <JFK911> it seems like something you want to do?
500 2012-04-12 04:45:12 <JFK911> for me, after having received this advice, setting up a mining pool or exchange would be much more dangerous for me than running "buywateronline.com"
501 2012-04-12 04:45:38 <Cryo> buy oil online!
502 2012-04-12 04:46:46 <Diablo-D3> JFK911: you'd be surprised
503 2012-04-12 04:46:52 <Diablo-D3> if the government wants to end you, _they dont need a reason_
504 2012-04-12 04:46:55 <JFK911> well, that's the nature of courts
505 2012-04-12 04:47:04 <Diablo-D3> everything you do is illegal according to federal law
506 2012-04-12 04:47:25 <JFK911> if you want to feed them, go right ahead, but i think it is a bad idea
507 2012-04-12 04:47:38 <splatster> "BuyWaterOnline.com is for sale (Buy Water Online) Click here to buy BuyWaterOnline.com for $2,695"
508 2012-04-12 04:47:44 <JFK911> haha $2700
509 2012-04-12 04:47:48 <Diablo-D3> wat
510 2012-04-12 04:47:48 <splatster> *facepalm*
511 2012-04-12 04:47:59 <JFK911> how about eWater.com ?
512 2012-04-12 04:48:01 <splatster> http://buywateronline.com/
513 2012-04-12 04:48:36 <splatster> JFK911: Yup, It's a real site, not for sale
514 2012-04-12 04:48:53 <JFK911> omg HAARP banner
515 2012-04-12 04:49:05 <JFK911> i see, it's water accessories, not water.
516 2012-04-12 04:49:11 <mod6> maybe waterforbitco.in
517 2012-04-12 04:49:33 <mod6> heheh
518 2012-04-12 04:51:00 <gjs278> irc is probably illega
519 2012-04-12 04:51:02 <gjs278> l
520 2012-04-12 04:51:13 <JFK911> depends on what you do with it
521 2012-04-12 04:51:30 <splatster> This chat we are having right now is legal
522 2012-04-12 04:51:46 <gjs278> implying jfk did 9/11 is illegal
523 2012-04-12 04:52:13 <JFK911> ok smart guy, then who was the 20th hijacker?
524 2012-04-12 04:52:36 <Diablo-D3> john f kennedy
525 2012-04-12 04:52:40 <mod6> successful troll #20?
526 2012-04-12 04:52:58 <gjs278> you should ask your lawyer if you could get in trouble for your username
527 2012-04-12 04:53:04 <gjs278> I bet he could find a reason
528 2012-04-12 04:53:12 <JFK911> it had to be him.  jackie said it wasn't his body lying in state
529 2012-04-12 04:53:25 <JFK911> if she were still here she'd tell us again
530 2012-04-12 05:34:34 <Graet> <gjs278> implying jfk did 9/11 is illegal  << not in my country...
531 2012-04-12 05:42:32 <gjs278> Graet what country are you in
532 2012-04-12 05:42:56 <gjs278> there's a 50% chance I may go to jail for just denying the holocaust where you live
533 2012-04-12 05:43:32 <Graet> mm nup
534 2012-04-12 05:43:38 <Graet> guess again....
535 2012-04-12 05:45:04 <gjs278> keep that place a secret before it is ruined then
536 2012-04-12 05:45:15 <Graet> lol
537 2012-04-12 06:25:07 <Joric> oddly enough but germany provides the most serious punishment against denying the holocaust
538 2012-04-12 06:28:43 <Joric> luckily you can't be sued in US due to the 1st amendment
539 2012-04-12 06:30:45 <MasterChief> why shouldnt people be able to deny the holocaust
540 2012-04-12 06:30:52 <MasterChief> everyone else is free to ostracise them
541 2012-04-12 06:31:05 <MasterChief> making freedom of speech exceptions is how it always starts
542 2012-04-12 07:02:43 <da2ce7> sipa: how is your HD Wallet spec coming along?
543 2012-04-12 11:26:45 <vvfff> bmr isnt working
544 2012-04-12 11:30:51 <vvfff> helo?
545 2012-04-12 11:31:05 <alephozee> bmr?
546 2012-04-12 11:32:18 <helo> ?
547 2012-04-12 11:33:15 <vvfff> black market reloaded
548 2012-04-12 11:43:11 <Graet> so what?
549 2012-04-12 13:05:58 <gavinandresen> Just me, or broken for everybody:  src/qt/bitcoingui.cpp:391: error: openBitcoinAction was not declared in this scope
550 2012-04-12 13:11:48 <sipa> works here
551 2012-04-12 13:12:20 <gavinandresen> it's an #ifdef MAC thing
552 2012-04-12 13:12:41 <gavinandresen> I'll push a fix in a minute....
553 2012-04-12 13:19:44 <jgarzik> hrm
554 2012-04-12 13:20:06 <jgarzik> the build tree is growing a bunch of tiny .h files, several under 50 lines
555 2012-04-12 13:20:13 <jgarzik> that wants consolidation
556 2012-04-12 13:20:37 <jgarzik> 17 init.h
557 2012-04-12 13:20:38 <jgarzik> 13 irc.h
558 2012-04-12 13:20:41 <jgarzik> that's a bit silly
559 2012-04-12 13:28:25 <gavinandresen> jgarzik : ?
560 2012-04-12 13:28:33 <gavinandresen> what build tree?
561 2012-04-12 13:29:26 <sipa> i suppose he means the source tree
562 2012-04-12 13:29:56 <gavinandresen> oh, init.h is only 17 lines long, not that there are 17 little init.h's
563 2012-04-12 13:30:12 <sipa> haha
564 2012-04-12 13:30:22 <gavinandresen> (I thought maybe the auto-generate-includes was doing something wacky)
565 2012-04-12 13:30:30 <gavinandresen> auto-generate-depends....
566 2012-04-12 13:36:34 <MasterChief> .
567 2012-04-12 14:00:18 <TD> good afternoon
568 2012-04-12 14:07:35 <jgarzik> gavinandresen: a new file for 3 lines of code (irc.h) seems like overkill
569 2012-04-12 14:08:45 <jgarzik> gavinandresen: obviously not a big deal, just... odd
570 2012-04-12 14:11:11 <alephozee> i think we should have 2 files for every 5 lines of code
571 2012-04-12 14:11:13 <alephozee> :/
572 2012-04-12 14:21:50 <TD> oh, pubsub is going away?
573 2012-04-12 14:24:37 <gavinandresen> it is dead code right now. dead code belongs in git history....
574 2012-04-12 14:25:20 <[Tycho]> gavinandresen: hello.
575 2012-04-12 14:25:26 <gavinandresen> howdy tycho
576 2012-04-12 14:25:47 <[Tycho]> gavinandresen: can you give me a link to the commit that adds multisig redeeming functionality ?
577 2012-04-12 14:25:58 <[Tycho]> Can't see how to search at github...
578 2012-04-12 14:27:07 <gavinandresen> according to git blame it is commit e679ec96
579 2012-04-12 14:27:42 <TD> yeah
580 2012-04-12 14:28:01 <TD> well some of it is
581 2012-04-12 14:28:08 <TD> i thought you could actually set up pubsub topics and it'd work
582 2012-04-12 14:28:10 <TD> albeit, nobody ever tried it
583 2012-04-12 14:28:18 <TD> the ebay style gui was definitely unfinished though
584 2012-04-12 14:28:40 <[Tycho]> gavinandresen: how can I see it ?
585 2012-04-12 14:28:46 <gavinandresen> [Tycho]: the commit history is messy, though, because most of the work was done for OP_EVAL and then modified
586 2012-04-12 14:28:52 <gavinandresen> https://github.com/bitcoin/bitcoin/commit/e679ec96
587 2012-04-12 14:29:06 <[Tycho]> Thanks.
588 2012-04-12 14:29:19 <gavinandresen> The core code is in script.cpp, IsMine() and Solver()
589 2012-04-12 14:29:36 <[Tycho]> BTW, do you know that I successfully redeemed a P2SH TX ? :)
590 2012-04-12 14:30:33 <gavinandresen> great-- i've been meaning to send some through the main network and see how long it takes them to get mined, just haven't gotten around to it
591 2012-04-12 14:31:23 <[Tycho]> I had to force it because now it checks the inputs for being standard too...
592 2012-04-12 14:32:38 <[Tycho]> http://blockexplorer.com/tx/7eaa56d72ef929deaf1323b18c1781b87ba203c2653a5278840b43aaa3f8586d#o1
593 2012-04-12 14:33:28 <jgarzik> [Tycho]: nice!  :)
594 2012-04-12 14:33:31 <[Tycho]> Now I'm trying to find out how to redeem a multisig with two separate signatures.
595 2012-04-12 14:40:13 <sipa> [Tycho]: sig1 p
596 2012-04-12 14:40:21 <sipa> [Tycho]: pub1 sig1 pub2 sig2 script
597 2012-04-12 14:41:04 <[Tycho]> I was talking about the process of signing.
598 2012-04-12 14:41:46 <[Tycho]> Two receiving parties can just tell each other their signatures ?
599 2012-04-12 14:41:53 <[Tycho]> Who will broadcast ?
600 2012-04-12 14:42:41 <[Tycho]> Hm, looks like there is no difference.
601 2012-04-12 14:56:26 <jgarzik> ugh
602 2012-04-12 14:56:54 <jgarzik> coinpy source code spread out across four-deep levels of directories
603 2012-04-12 14:58:08 <jgarzik> script stuff is in coinpy-lib/src/coinpy/model/scripts/* and coinpy-lib/src/coinpy/lib/script/* and one or two other directories
604 2012-04-12 14:58:41 <sirk390> careful :) i'm the one who wrote it lol
605 2012-04-12 15:00:23 <sirk390> the idea is to remove source code dependencies.
606 2012-04-12 15:00:48 <sirk390> most directories can be copied and reused independently
607 2012-04-12 15:09:30 <wumpus> right, related functionality should be grouped together, but it is better to have unrelated functionality in separate files
608 2012-04-12 15:15:48 <jgarzik> sirk390: it's OOP overkill when you're spreading out script code across many files -and- directories.  if you're not the primary developer, who has all this code in his head already :), it is painful to try and simply _read_ and understand such code, and trace through it.
609 2012-04-12 15:16:17 <jgarzik> yes, it's nicely organized.  A German would be proud :)
610 2012-04-12 15:18:36 <sirk390> yes maybe sometimes it is a little overkill, but it is not finished yet
611 2012-04-12 15:18:51 <sirk390> and it will probably never be
612 2012-04-12 15:19:48 <sirk390> but I like the idea of splitting between the model and functionality
613 2012-04-12 15:21:19 <sirk390> I could indeed merge "coinpy-lib/src/coinpy/lib/vm" and "src/coinpy/lib/script" somehow
614 2012-04-12 17:08:16 <imsaguy> http://phil.lavin.me.uk/wp-content/uploads/2012/04/opensource-fun.png
615 2012-04-12 17:33:11 <jm9000> BlueMatt: I got another question about connections. Is keepalive currently being utilized by clients to see if connections are stale?
616 2012-04-12 17:35:01 <t7> what does a linux user use for contraception ?
617 2012-04-12 17:35:59 <jm9000> Linux
618 2012-04-12 17:42:02 <jm9000> I'm pretty sure that talking about Linux will turn off a female as fast as possible. I guess abstinence isn't really contraception, but it will work better.
619 2012-04-12 18:19:38 <ghastly> are confirmations shown by the client only from other nodes the client is connected to?
620 2012-04-12 18:22:44 <TuxBlackEdo> confirmations is the number of blocks that your transaction has been included in
621 2012-04-12 18:23:25 <gribble> New news from bitcoinrss: dooglus opened pull request 1084 on bitcoin/bitcoin <https://github.com/bitcoin/bitcoin/pull/1084>
622 2012-04-12 18:26:34 <TuxBlackEdo> rather, confirmations is the number of blocks that have been built upon the block that includes your transaction
623 2012-04-12 18:29:37 <ghastly> TuxBlackEdo: Is this because the merkle root is included in newly found blocks?
624 2012-04-12 18:30:26 <TuxBlackEdo> well every new block contains a hash for the previous root
625 2012-04-12 18:31:31 <TuxBlackEdo> https://en.bitcoin.it/wiki/Block <- explains it better than i could
626 2012-04-12 18:32:14 <TuxBlackEdo> previous block*
627 2012-04-12 18:38:06 <BlueMatt> heh, wtf? the spacex ceo was on the daily show...
628 2012-04-12 18:38:25 <BlueMatt> also, didnt realize he founded spacex from his profits from founding paypal...
629 2012-04-12 18:44:05 <ghastly> how does confirmation prevent double spending?
630 2012-04-12 18:44:31 <BlueMatt> it becomes hard to reverse the transaction with a second spend
631 2012-04-12 18:44:50 <BlueMatt> and thus you can trust that after its confirmed, no one will be able to reverse the tx with a double spend
632 2012-04-12 18:45:05 <BlueMatt> in terms of directly preventing double spends, it doesnt, really...everyone does that
633 2012-04-12 18:45:13 <BlueMatt> by checking every block they receive against double spends
634 2012-04-12 18:45:41 <BlueMatt> and you assume that no one is going to mine double spends because they would be wasting a /lot/ of cpu power
635 2012-04-12 18:46:03 <gmaxwell> ghastly: confirmation provides a total order of all transactions. Once you know the order of transactions you can validate for yourself that there are no double spends.
636 2012-04-12 18:46:19 <BlueMatt> ...or that
637 2012-04-12 18:46:51 <gmaxwell> BlueMatt: thats a big misleading sounding. "you assume" sounds like you'll get tricked if they do.  :)  (No one would be tricked, because the software checks and rejects blocks that do)
638 2012-04-12 18:46:56 <gmaxwell> s/big/bit/
639 2012-04-12 18:47:04 <BlueMatt> well, ok, yea
640 2012-04-12 18:47:06 <ELT> i think there should be a simple wiki version of the current wiki
641 2012-04-12 18:47:20 <BlueMatt> ELT: contributions welcome ;)
642 2012-04-12 18:47:43 <ELT> ya, just gotta compile it and make sure its concise before i add anything
643 2012-04-12 18:48:22 <ELT> i explain using food concepts
644 2012-04-12 18:48:24 <BlueMatt> (in response to gmaxwell)
645 2012-04-12 18:48:38 <ELT> although not sure how that would go over on the wiki
646 2012-04-12 18:48:50 <BlueMatt> food...interesting
647 2012-04-12 18:49:40 <ELT> ya described the cpu pipeline as a restaurant ticket line and the kitchen as the processor
648 2012-04-12 18:49:59 <BlueMatt> heh, sounds...close
649 2012-04-12 18:50:07 <ELT> its close enough really
650 2012-04-12 18:50:12 <BlueMatt> yea, by far
651 2012-04-12 18:50:31 <ELT> but for bitcoin might be a challenge lol
652 2012-04-12 18:50:42 <BlueMatt> yea...
653 2012-04-12 18:51:22 <ELT> The pie represents the bitcoin economy, it is delicious, so eat the pie, don't question what or how it was made.
654 2012-04-12 18:52:02 <BlueMatt> heh, perfect
655 2012-04-12 18:52:33 <ELT> well now im hungry
656 2012-04-12 18:52:43 <BlueMatt> same
657 2012-04-12 18:52:52 <ghastly> is satoshi an organization?
658 2012-04-12 18:53:00 <BlueMatt> no one knows
659 2012-04-12 18:53:19 <copumpkin> I'm pretty sure satoshi knows
660 2012-04-12 18:53:26 <ghastly> bitcoin just looks too well designed to be made by one person.
661 2012-04-12 18:53:38 <ELT> i doubt that copumpkin
662 2012-04-12 18:53:41 <copumpkin> hey, there's that bug in that opcode
663 2012-04-12 18:53:46 <ghastly> i mean, the whitepaper.
664 2012-04-12 18:55:30 <jm9000> BlueMatt: Is keepalive currently being utilized by clients to see if connections are stale?
665 2012-04-12 18:55:40 <ELT> should hire the csi people and find satoshi's reflection in the pdf imprinted off his monitor while he wrote it
666 2012-04-12 18:55:46 <BlueMatt> what kind of clients, also, why tag me?
667 2012-04-12 18:55:59 <BlueMatt> ELT: oh how I wish that could work...
668 2012-04-12 18:56:17 <ELT> i don't cause i've written some papers in not so clothed moods
669 2012-04-12 18:56:26 <BlueMatt> heh
670 2012-04-12 18:57:03 <jm9000> Speaking more generally, but having desktop and mobile clients in mind. Because you know everything.
671 2012-04-12 18:57:16 <BlueMatt> uhhh...yea...okkk
672 2012-04-12 18:57:23 <BlueMatt> clients of what?
673 2012-04-12 18:57:37 <BlueMatt> bitcoin-> rpc? no, other stuff? keepalive???
674 2012-04-12 18:57:50 <BlueMatt> http? well, what does that have to do with bitcoin
675 2012-04-12 18:57:54 <jm9000> Yeah, I guess I was a little vague there.
676 2012-04-12 18:58:35 <jm9000> I'm talking about the P2 connections between clients.
677 2012-04-12 18:58:40 <jm9000> P2P
678 2012-04-12 18:59:31 <jm9000> The change to add a nonce to the ping reply has been tumbling around in my head for a while.
679 2012-04-12 18:59:32 <BlueMatt> we dont ever kill connections, so I dont know what you mean by keepalive...
680 2012-04-12 18:59:56 <BlueMatt> we dont bother to do any checks on connections aside from what tcp does and basic timeouts
681 2012-04-12 18:59:59 <BlueMatt> iirc
682 2012-04-12 19:00:19 <jm9000> Yes, I was talking about the TCP keep alive.
683 2012-04-12 19:00:45 <BlueMatt> we dont manage that, the os does...
684 2012-04-12 19:00:58 <BlueMatt> so, yes its used
685 2012-04-12 19:01:08 <BlueMatt> the os will tell us if the tcp connection times out according to its timeout
686 2012-04-12 19:02:16 <jm9000> The ping-pong request still seems redundant to me. If TCP will tell you if the connection is stale, then you only need to know if the client is busy. Why do a ping-pong request when you could just make the request out right?
687 2012-04-12 19:02:47 <BlueMatt> we arent able to see what the results of tcp keepalives are
688 2012-04-12 19:03:27 <BlueMatt> nor can we control them
689 2012-04-12 19:04:00 <BlueMatt> and they also dont tell us if the bitcoin node is slow (if we do do all the work to do them manually)
690 2012-04-12 19:04:45 <BlueMatt> because the os responds to those, not the bitcoin node
691 2012-04-12 19:04:58 <BlueMatt> s/slow/busy/
692 2012-04-12 19:05:56 <jm9000> Busy nodes aside, can't it be assumed that the connection is open? Wouldn't the connection be dropped by the OS if it was stale?
693 2012-04-12 19:06:35 <BlueMatt> in a normal case, its usually safe, the primary motivation for the ping/pong stuff is for mobile
694 2012-04-12 19:06:40 <BlueMatt> and there connections get...tricky
695 2012-04-12 19:08:36 <BlueMatt> and, yea the os will still drop the connection if its stale, but it takes a while to timeout
696 2012-04-12 19:08:59 <BlueMatt> and if you are sitting around sending requests to a connection before it times out you are wasting your time
697 2012-04-12 19:11:04 <ghastly> will there come a time when blocks are too difficult to make?
698 2012-04-12 19:11:21 <BlueMatt> the difficulty adjusts to keep them generated at ~constant time
699 2012-04-12 19:12:06 <ghastly> another question, what will be the motivation for block generation when all 21million coins are mined?
700 2012-04-12 19:12:18 <BlueMatt> transaction fees
701 2012-04-12 19:12:21 <BlueMatt> (are paid to miners)
702 2012-04-12 19:12:27 <Diablo-D3> ghastly: magic and goodwill
703 2012-04-12 19:12:40 <BlueMatt> but the transaction fees @ 21mill gets...complicated
704 2012-04-12 19:13:01 <Diablo-D3> I expect by then, in the year 2100, all disease will be cured, death will be a figment of the past
705 2012-04-12 19:13:04 <BlueMatt> the motivations behind transaction fees and miners is complicated at that point
706 2012-04-12 19:13:06 <Diapolo> I never understood, why the fees are not obligatory btw.
707 2012-04-12 19:13:09 <Diablo-D3> and we'll be traveling the stars
708 2012-04-12 19:13:15 <Diablo-D3> Diapolo: they "are"
709 2012-04-12 19:13:20 <BlueMatt> Diapolo: free market?
710 2012-04-12 19:13:29 <Diablo-D3> bitcoin typically sorts by fee
711 2012-04-12 19:13:34 <ghastly> or we may have destroyed ourselves by 2100
712 2012-04-12 19:13:41 <Diablo-D3> if a block becomes full, only the most profitable tx go in
713 2012-04-12 19:14:32 <Diapolo> So not all fees for tx that get in a block are summed and distributed to the nodes that process the tx?
714 2012-04-12 19:14:50 <BlueMatt> only the miners
715 2012-04-12 19:14:54 <Diablo-D3> Diapolo: no? its distributed to _the_ miner
716 2012-04-12 19:15:02 <Diablo-D3> pools are the only way to split up rewards
717 2012-04-12 19:15:05 <BlueMatt> tx fees are counted no differently than the 50 btc
718 2012-04-12 19:15:08 <Diapolo> that was what I meant sorry
719 2012-04-12 19:15:26 <ghastly> so each block that is generated is "saved" with the transactions made after the previous block was found?
720 2012-04-12 19:15:40 <BlueMatt> thats the point of blocks
721 2012-04-12 19:15:44 <BlueMatt> they contain a list of txes
722 2012-04-12 19:16:47 <Diapolo> I had the idea, that simply running a node, who holds the chain and answers to requests and thus helps the network could get some of the tx fees.
723 2012-04-12 19:17:03 <Diablo-D3> nope
724 2012-04-12 19:17:07 <Diablo-D3> because that takes zero work
725 2012-04-12 19:17:21 <Diablo-D3> and eventually only big mining companies will run full clients
726 2012-04-12 19:17:39 <Diablo-D3> ie, governments, banks, the amazon/walmarts, etc
727 2012-04-12 19:17:40 <pjorrit> a bit more than zero, but there's tons of competition
728 2012-04-12 19:19:05 <Diapolo> Btw. what brings the future in terms of the blockchain? It will grow very large I think ^^.
729 2012-04-12 19:19:56 <Diapolo> more users, more tx, more coins ... more space needed for the BDB
730 2012-04-12 19:21:26 <Diablo-D3> Diapolo: no
731 2012-04-12 19:21:32 <Diablo-D3> eventually people will use bitcoin banks
732 2012-04-12 19:21:47 <Diablo-D3> and the banks themselves will settle what they owe to each other more regularly
733 2012-04-12 19:22:00 <Diapolo> big datacenters store the chain? sth. like that?
734 2012-04-12 19:22:12 <Diablo-D3> thats not what I mean
735 2012-04-12 19:22:24 <Diablo-D3> the blockchain wont grow if theres only a few hundred tx a day
736 2012-04-12 19:22:38 <Diablo-D3> it WILL if theres millions or billions
737 2012-04-12 19:23:28 <ghastly> how is the network kept from segmenting?
738 2012-04-12 19:23:55 <Diablo-D3> ghastly: its not
739 2012-04-12 19:24:13 <Diablo-D3> but each node basically belongs to a network wide quorum, and they follow the longest chain
740 2012-04-12 19:24:19 <Diablo-D3> so if the chain forks, they follow the longest branch
741 2012-04-12 19:24:39 <Diapolo> did that happen in the past?
742 2012-04-12 19:24:47 <Diablo-D3> what, a massive split? once
743 2012-04-12 19:24:56 <ghastly> when forks are discarded, are some payments reversed?
744 2012-04-12 19:25:02 <Diablo-D3> ended up needing to be fixed with a one time rollback
745 2012-04-12 19:25:08 <helo> ghastly: not in practice, but it is possible
746 2012-04-12 19:25:09 <Diablo-D3> ghastly: not reversed: they never happened.
747 2012-04-12 19:25:27 <Diablo-D3> and you need a fork that is over 6 blocks to double spend coins
748 2012-04-12 19:25:43 <Diablo-D3> which is very goddamned impossible
749 2012-04-12 19:26:16 <Diapolo> Diablo-D3: When did that happen in the beginning? Perhaps speaking in client version ;)?
750 2012-04-12 19:26:38 <Diablo-D3> Diapolo: oh, like a year ago
751 2012-04-12 19:26:47 <Diablo-D3> I forget why it happened though
752 2012-04-12 19:26:58 <Diablo-D3> ask sipa or gmaxwell
753 2012-04-12 19:29:17 <Diapolo> this should be in the books or in the Wiki ^^
754 2012-04-12 19:29:22 <BlueMatt> it is
755 2012-04-12 19:29:47 <Diablo-D3> it is
756 2012-04-12 19:30:52 <gmaxwell> Incidents
757 2012-04-12 19:31:03 <gmaxwell> But thats not a normal thing, it was a result of fixing a bug.
758 2012-04-12 19:31:18 <Diablo-D3> yeah
759 2012-04-12 19:31:26 <Diablo-D3> its a one time thing as far as Im concerned
760 2012-04-12 19:31:42 <gmaxwell> I'm not actually sure what the real question was above. The longest chain rule is in effect and there is forking happening every day.
761 2012-04-12 19:31:59 <Diablo-D3> gmaxwell: what happens if theres a fork
762 2012-04-12 19:32:01 <gmaxwell> But forks of longer lengths become exponentially less likely.
763 2012-04-12 19:32:48 <gmaxwell> Diablo-D3: the longest chain wins eventually.
764 2012-04-12 19:34:43 <Diablo-D3> I said if the fork is less than 6 blocks, theres nothing to worry about, you cant accidentally get double spended on
765 2012-04-12 19:35:17 <Diablo-D3> and I think the longest dead chain is 4 (after the incident, anyways)
766 2012-04-12 19:36:09 <gmaxwell> Diablo-D3: only if you're waiting 6 blocks for all your confirmations.
767 2012-04-12 19:38:19 <Diapolo> I was looking for the in German "Super GAU" in the history ... the biggest incident security wise.
768 2012-04-12 19:38:30 <gmaxwell> Thats also a special case.
769 2012-04-12 19:38:51 <Diablo-D3> gmaxwell: well yes
770 2012-04-12 19:39:18 <Diablo-D3> if you're waiting less, you're a dumbass
771 2012-04-12 19:39:25 <gmaxwell> No, you're not. Different transactions have different risks.
772 2012-04-12 19:39:54 <gmaxwell> Diapolo: https://en.bitcoin.it/wiki/Incidents#Value_overflow
773 2012-04-12 19:40:24 <Diapolo> thanks :) reading...
774 2012-04-12 19:42:21 <Diapolo> 184 billion bitcoins that would lower the value a bit ^^
775 2012-04-12 19:42:58 <Diapolo> Were there any exploits in the client code that could be or were used for remote-code-exec?
776 2012-04-12 19:43:14 <BlueMatt> none that anyone knows of afaik
777 2012-04-12 19:47:08 <jrmithdobbs> Diapolo: that's a bunch of useless warnings in the case of bitcoin where everything should be unsigned but gets passed into sys calls that expect signed chars, it's meh
778 2012-04-12 19:47:25 <BlueMatt> _W_: then I guess I mean it represents a fundamental misunderstanding of how oss works at the top
779 2012-04-12 19:47:32 <Diapolo> alright then
780 2012-04-12 19:48:08 <Diapolo> What about that stack-protection thing on Windows, how much "safer" would this make the client really?
781 2012-04-12 19:49:22 <BlueMatt> we still do stack randomization
782 2012-04-12 19:49:29 <BlueMatt> but, yea stack protection would be nice
783 2012-04-12 19:49:43 <Diapolo> you mean IMPLEMENT_RANDOMIZE_STACK?
784 2012-04-12 19:49:54 <BlueMatt> yea
785 2012-04-12 19:49:56 <jm9000> In terms of creating a "safer" client, would a language like Java be more suited?
786 2012-04-12 19:50:08 <Diapolo> I used that for my IPC work too ... at least I learned a lot :D.
787 2012-04-12 19:50:39 <Diapolo> A JavaRE is much more unsafe I would say ^^ at least on Windows.
788 2012-04-12 19:50:48 <BlueMatt> bitcoin is pretty safe, but, yea a language like java tends to be "safer" (all the vulns in the jvm aside...)
789 2012-04-12 19:51:56 <Diapolo> in terms of the sandbox idea you mean?
790 2012-04-12 19:52:03 <Diapolo> or the lang in general?
791 2012-04-12 19:52:08 <BlueMatt> yea, and java is harder to shoot yourself in the foot with
792 2012-04-12 19:52:16 <BlueMatt> both
793 2012-04-12 19:52:18 <jrmithdobbs> jm9000: tell the 500k mac users that java is safer
794 2012-04-12 19:52:27 <BlueMatt> java isnt really that well "sandboxed" though
795 2012-04-12 19:53:00 <jm9000> jrmithdobbs: Yes I heard about the flashback thing too.
796 2012-04-12 19:53:13 <ghastly> initially, does the client only need the genesis block to build the chain?
797 2012-04-12 19:53:17 <jrmithdobbs> jm9000: or the thousands of other exploits in java software
798 2012-04-12 19:53:28 <ELT> do it in ADA
799 2012-04-12 19:53:32 <Diapolo> at least we don't use any Flash HRHR
800 2012-04-12 19:53:35 <jm9000> Didn't hear about that.
801 2012-04-12 19:53:38 <BlueMatt> ghastly: that and a connection to someone else who has the chain
802 2012-04-12 19:53:41 <BlueMatt> jm9000: java has a rich history of security vulnerabilities in the jvm
803 2012-04-12 19:53:43 <Diapolo> and Genesis is hard-coded
804 2012-04-12 19:53:49 <BlueMatt> (not quite as bad as flash, but still...)
805 2012-04-12 19:53:54 <jrmithdobbs> BlueMatt: and individual java apps, on the whole, tend to have horrible security track records too
806 2012-04-12 19:53:59 <BlueMatt> well, yea
807 2012-04-12 19:54:02 <Diapolo> I think Oracles JavaRE on Windows is more unsecure than Windows :D.
808 2012-04-12 19:54:04 <jrmithdobbs> (since we're speaking in generalization)
809 2012-04-12 19:54:25 <lianj> Diapolo: only the hash of it, or the block as well?
810 2012-04-12 19:54:28 <BlueMatt> Diablo-D3: thats like saying I think this browser is more insecure than that tv
811 2012-04-12 19:54:29 <jrmithdobbs> lianj: just the hash is enough
812 2012-04-12 19:54:32 <BlueMatt> Diapolo: *
813 2012-04-12 19:54:33 <lianj> jrmithdobbs: i know ,)
814 2012-04-12 19:54:36 <Diapolo> :-D
815 2012-04-12 19:56:52 <Diapolo> Another idea, is it possible to enable DEP and ASLR flags for the client? Like: http://www.ziki.com/fr/gcouprie+37899/post/enable-dep-and-aslr-with-mingw+10897502
816 2012-04-12 20:01:06 <gribble> 175418
817 2012-04-12 20:01:06 <phantomcircuit> ;;bc,blocks