Well, those links are generally worrying, not just for bitcoin but for anyone who doesn’t want hackers stealing intellectual property/bank details/watching you through your webcam.
But I still don’t think it’s insurmountable. Sony were presumably not expecting a state to try to hack them, and perhaps should have taken more precautions. AFAIK these zero-day exploits require someone to visit a dodgy website or open an email attachment or run a file or whatever. From your link:
Initial introduction of malware to the SPE computing environment. Malware is delivered using a “spear phishing” message targeted at a high level executive with subject line “More fallout from Buchwald v. Paramount.”
If you have expensive ASICs then the simple solution is to hook them up to a cheap Raspberry Pi, and then use this computer for nothing but mining. You wouldn’t be using Win XP, you’d be using a security-conscious version of Linux, perhaps.
The problem of securing wallets is more difficult. One tactic is to put most of your bitcoins in cold storage, and a few in a ‘hot wallet’ for immediate spending.
Hacking is worrying from many points of view, but given that the large majority of bitcoins have not been stolen, I really doubt it’s that easy.
As you seem to have missed it, http://sony.attributed.to/ is a parody. Refresh to see a different source blamed.
For the right budget, anything can be hacked. Many large banks have been hacked before, despite spending lots and lots on security. I’m sure whatever operating system is running on a Pi has zero-day exploits that don’t require phishing. My point in mentioning the 19-year bug was that up until a few months ago, every Windows computer out there had a bug that could be exploited by anyone for remote access. There was a huge OpenSSL exploit last year also, and a big bash one.
The large majority of bitcoins are either held in small individual wallets which would be time consuming to go after and not worth it, or held in cold wallets.
There was a $5 million hack of Bitstamp just 2 weeks ago.
A mining setup can’t be held in a cold wallet, because blocks must be transmitted to the network.
Counterexample: Snowden and people around him (Greenwald, Poitras). I think the spooks tried very hard to hack them; I also think they failed in that.
Hm. If I had a billion dollar budget I could do it. I don’t think the NSA can just put a billion into hacking a single person.
If you disagree with either of these points I’ll try to defend them.
I disagree with both, but I don’t think arguing over them is worthwhile as they both are not falsifiable.
Also, the NSA has a $10 billion budget. The Snowden revelations are incredibly embarrassing to them, and I think they would easily spend a little over a month’s budget in order to hack him.
By the time they already knew who it was, many of those documents were already in too many hands to hide. If I was Snowden, I’d have something set up on hidden prepaid hosting, set to leak automatically if I didn’t keep on cancelling it, well before anything at all goes public. They wouldn’t just have to hack him, but every journalist who may have made copies, anywhere he may have copied it to, etc.
I don’t think it’s likely that their procedures on spending are that fast. By the time they got approval from whoever needs to approve it, it would be too late to be effective. Most of the damage was already done when Snowden handed over the first batch of documents, and if he suddenly disappeared, media wouldn’t forget about him.
But, if you spend a billion developing a zero-day exploit, surely you can use the exploit against anyone with the same operating system, or using the same program. In which case you are not paying a billion just to hack one person.
Snowden is sort of a special case here, as he uses Tails, which has very low adoption, and the value of an exploit is not as large as the value of an exploit in Windows. That said, there have been exploits in Tails: https://www.schneier.com/blog/archives/2014/07/security_vulner_4.html and http://www.forbes.com/sites/thomasbrewster/2014/07/21/exploit-dealer-snowdens-favourite-os-tails-has-zero-day-vulnerabilities-lurking-inside/. NSA could probably find one for a few million (consider that a wild guess).
But just a zero day in Tails wouldn’t be enough to get Snowden. It would maybe let them get into his accounts, which we would have no idea about unless someone told us, but to silence him, they’d need to delete the files or find where he was. For whatever reason, they are unable to kill him while he’s in Russia, and I doubt Snowden keeps the only copy of the files hooked up to his computer while he’s online. You can do all your work offline, and only go online while sending something.
(I think they haven’t gone and killed Snowden yet because Russia would respond with World War 3. The probability of Russia doing that is high enough to justify inaction. Or in other words, the NSA knows how to lose.)
Ok, well I only briefly skimmed http://sony.attributed.to/ , but it’s a fairly subtle parody until you refresh it.
Large banks have lots of employees, which provides lots of opportunities for persuading someone to run programs they shouldn’t. A bitcoin mine can be run with only one person having access.
Are you telling me that if I had found this exploit first, I could just have decided to read the NSA’s files, Obama’s email, stolen blueprints and conducted insider trading without any further work?
The NSA’s files probably aren’t hooked up to the Internet. They might not use Windows, either.
What you’re looking for is the Heartbleed bug. That would have allowed you to hack perhaps two thirds of websites: http://www.huffingtonpost.com/2014/04/08/heartbleed-66-percent_n_5112793.html (There are different estimates given, but many of the top websites were compromised.)
This Windows bug could have made you millions if you’d known about it earlier. Insider trading would have worked if you got someone into the right networks. Blueprints could be stolen. Obama’s email: that depends on whether any computers that have access to it are Windows and on a network, probably not, but you could with a few more zero-days. The really expensive hacks “burn” multiple zero-days.
Put it this way: if you knew everything in the public domain today about computers and went back 5 years, you pwn >99% of computers out there, and I fully expect the same to be true in 5 years. For starters, you can impersonate any website by using an md5 collision attack. (This was fixed in 2008, so more than 5 years, but you get the point.)
Have I convinced you to change careers yet?
I understand that websites are vulnerable—after all, they are public and have to interact with users. But what about a computer sitting in a basement, not publicising its IP address and just interacting with the blockchain?
Contrary to your assumptions, I am not a bitcoin miner, just an interested layperson. Even if I was, I would simply move my coins into cold storage at regular intervals, and assume that the hackers know they can make more money insider trading and carding than going after a security-conscious bitcoin miner. And if I lost one hot wallet, it’s not the end of the world.
You have made me worry more about AI and BCI however, imagining a ‘Ghost in the shell’ future where people can hack into each other’s brains.
Incidentally, are you a computer security professional of any form?
Every computer getting info from the blockchain publicises its IP address. But you can use proxies which make it harder, or a pool which has its own servers. But pools have websites, and they make up the majority of mined coins, so there’s an attack vector.
I see I wasn’t clear again; my “Have I convinced you to change careers yet” was asking if you were planning to become a hacker (or the cleaner version, “security researcher” or “bounty hunter”).
I’ve done my good deed for the day, then.
No, at least not formally. I have gotten paid for fixing people’s computers as a hobby. (I recently got the code for someone’s ransomware-encrypted computer without having to pay by exploiting the attackers’ bitcoin setup. Not as cool as it sounds, they basically used the same address for multiple infections, which was a hole.) I’ve done a little freelance work in web design and SEO.
I read a lot of Hacker News stuff and elsewhere, use Linux for my own computer (plus Whonix for really sensitive things), but I’m not “officially there”. I do want to be someday.
Since there are a small number of mining pools there are presumably only a small number of avenues of attack which must be secured, which helps.
Well, I have hacked into an email account to prove it could be done (with consent), but in general I have no knowledge of any hacking anywhere near as advanced as finding zero-day exploits. Even disregarding interesting moral questions such as “is it ok to steal money if you give half of it to effective altruism?”, I think there are probably easier & safer legal ways to make large amounts of money.
Isn’t Hacker News mostly about startups and random stuff, not hacking in the sense of breaking into computers?
I use Linux too, plus I try to run anything which might be hostile within a virtual machine. Whonix looks interesting. Dare I ask what sort of really sensitive things you get up to, or would that be completely missing the point?
Here’s the kinds of things having to do with actual hacking I find on Hacker News (just going through my browser history now, so it may not catch everything; anything I didn’t see the comments on is missed):
https://news.ycombinator.com/item?id=8876929
https://news.ycombinator.com/item?id=8608941
https://news.ycombinator.com/item?id=8854330
https://news.ycombinator.com/item?id=8839265
https://news.ycombinator.com/item?id=8834595
https://news.ycombinator.com/item?id=8834275
https://news.ycombinator.com/item?id=8814901
https://news.ycombinator.com/item?id=8651675
https://news.ycombinator.com/item?id=6148347
https://news.ycombinator.com/item?id=8758196
https://news.ycombinator.com/item?id=8693980
https://news.ycombinator.com/item?id=8712277
https://news.ycombinator.com/item?id=8808754
That should give you an idea of the kinds of stuff I read. There are a lot of posts on HN detailing exactly how someone broke down a system. Not all of these are “breaking into computers”, but a lot are very similar.
Yes. And about “hacking” in the older sense of (very crudely) “doing clever things with computers” and the even older sense of (very crudely) “doing clever things”.
Also see “hacker”.
Right, so you go in, pwn a box—oh, look! a whole bunch of juicy info, let me grab it...
And a… slightly alternative view: “What a n00b, blundered into our network, triggered all the IDS systems and is now glued to the honeypot downloading the stuff we prepared for him… Think he’s ripe for swatting?”
X-D
If this is serious, then I’d point out that most of these exploits weren’t known by anyone 5 years ago, so they couldn’t have been on the lookout for them.
If someone’s network was still open after these exploits have been revealed, then they are likely to be a honeypot, but the chance of (X is a honeypot: X is vulnerable to this exploit that no one will know about for years) is pretty much the chance of any random computer being a honeypot.
Personally, I think if the NSA had known about Heartbleed as soon as it was introduced (around 2 years before it was fixed), it would have been fixed sooner. Maybe you milk all the data you can out of it, then get it fixed, but having that kind of thing open is a disaster waiting to happen, and NSA would try to fix it sooner.
And I’d point out that proper computer security is multi-layered and does not depend on which particular ’sploit is used against it. Snort, for example, does not care at all whether you got in with a zero-day or not.
How would Snort detect the Heartbleed exploit? It looks exactly like a regular request, and from what I understand the IP address it comes from isn’t even stored in logs at the point you’re exploiting. Not all zero days are equal. It could look like legitimate activity.
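As an added illustration (not from either poster): the on-the-wire check an IDS can apply to a TLS heartbeat record. A legitimate heartbeat cannot declare more payload than the record actually carries, so the length mismatch itself is the signature, independent of any exploit code. The sample records below are constructed, and the check only helps where the heartbeat is sent in the clear (before the handshake completes); once the session is encrypted the IDS sees only the record type and length.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: every heartbeat carries at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Split a raw byte stream into (content_type, version, body) TLS records.

    A record whose declared length runs past the end of the data is treated as
    truncated and parsing stops there, so a cut-off capture is never mis-parsed.
    """
    records = []
    i = 0
    while i + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[i:i + 5])
        body = data[i + 5:i + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (major, minor), body))
        i += 5 + length
    return records


def check_heartbeat(body: bytes):
    """Return (verdict, detail) for the body of one heartbeat record.

    RFC 6520 section 4 requires payload_length + 3 + 16 <= record length. A
    request that claims more payload than the record carries must be discarded
    by the receiver; a vulnerable OpenSSL instead echoed back that many bytes.
    """
    if len(body) < 3:
        return "malformed", "heartbeat body shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed", f"unknown heartbeat type {hb_type}"
    carried = len(body) - 3 - MIN_PADDING   # bytes actually available for payload
    if payload_len > carried:
        return "alert", f"claims {payload_len} payload bytes, record carries at most {carried}"
    return "ok", f"payload of {payload_len} bytes"


def scan(data: bytes):
    """Run the heartbeat check over every heartbeat record in a byte stream."""
    findings = []
    for ctype, _version, body in parse_tls_records(data):
        if ctype == TLS_HEARTBEAT:
            verdict, detail = check_heartbeat(body)
            if verdict != "ok":
                findings.append((verdict, detail))
    return findings


# Constructed samples (not captured traffic): TLS 1.2 records with 16 bytes of zero padding.
BENIGN = (
    b"\x17\x03\x03\x00\x05hello"                                      # application data, ignored
    + b"\x18\x03\x03\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16   # request, 4-byte payload
    + b"\x18\x03\x03\x00\x17" + b"\x02\x00\x04ping" + b"\x00" * 16   # matching response
)
OVERSTATED = b"\x18\x03\x03\x00\x13" + b"\x01\x40\x00" + b"\x00" * 16  # claims 16384 bytes, carries none
TRUNCATED = b"\x18\x03\x03\x00\x20\x01"                                # record cut off mid-body

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overstated", OVERSTATED), ("truncated", TRUNCATED)):
        print(name, scan(sample))
```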
How about this? Set up a website using only software and hardware that’s at least 5 years old, make sure you don’t apply any updates, and offer a bounty to anyone that hacks it. I predict anything over $500 will get you results. Do you disagree?
You seem to think about computer security in a very binary manner: pwned or not pwned. In reality it’s, ahem, a bit more complicated.
Hm. I don’t think that’s accurate (as either how I think about it, nor how it works). There are a few lines you could draw where anything beyond one line is definitely bad and anything not beyond a different line is not too bad, but not a single line that does that.
What would convince you that my claim about 5 year old software not being secure (or rephrase that however you want that satisfies what you consider enough of a hack) is correct?
I proposed an experimental test; do you have a better/cheaper one in mind? I realize mine is kind of difficult (and probably the hardware can be faked to make it easier, or just use new hardware), so what would you suggest?