Satoshi: how Craig Wright’s deception worked
My previous post shows how anybody can verify Satoshi using a GUI. In this post, I'll do the same, with command-line tools (openssl). It's just a simple application of crypto (hashes, public-keys) to the problem.I go through this step-by-step discussion in order to demonstrate Craig Wright's scam. Dan Kaminsky's post and the redditors comes to the same point through a different sequence, but I think my way is clearer.
Step #1: the Bitcoin address
We know certain Bitcoin addresses correspond to Satoshi Nakamoto him/her self. For the sake of discussion, we'll use the address 15fszyyM95UANiEeVa4H5L6va7Z7UFZCYP. It's actually my address, but we'll pretend it's Satoshi's. In this post, I'm going to prove that this address belongs to me.
The address isn't the public-key, as you'd expect, but the hash of the public-key. Hashes are a lot shorter, and easier to pass around. We only pull out the public-key when we need to do a transaction. The hashing algorithm is explained on this website [http://gobittest.appspot.com/Address]. It's basically base58(ripemd(sha256(public-key)).
Step #2: You get the public-key
Hashes are one-way, so given a Bitcoin address, we can't immediately convert it into a public-key. Instead, we have to look it Continue reading
Satoshi: That’s not how any of this works
In this WIRED article, Gaven Andresen says why he believes Craig Wright's claim to be Satoshi Nakamoto:“It’s certainly possible I was bamboozled,” Andresen says. “I could spin stories of how they hacked the hotel Wi-fi so that the insecure connection gave us a bad version of the software. But that just seems incredibly unlikely. It seems the simpler explanation is that this person is Satoshi.”That's not how this works. That's not how any of this works.
The entire point of Bitcoin is that it's decentralized. We don't need to take Andresen's word for it. We don't need to take anybody's word for it. Nobody needs to fly to London and check it out on a private computer. Instead, you can just send somebody the signature, and they can verify it themselves. That the story was embargoed means nothing -- either way, Andresen was constrained by an NDA. Since they didn't do it the correct way, and were doing it the roundabout way, the simpler explanation is that he was being bamboozled.
Below is an example of this, using the Electrum Bitcoin wallet software:
This proves that the owner of the Bitcoin Address has signed the Message Continue reading
Securing BGP: A Case Study (9)
There are a number of systems that have been proposed to validate (or secure) the path in BGP. To finish off this series on BGP as a case study, I only want to look at three of them. At some point in the future, I will probably write a couple of posts on what actually seems to be making it to some sort of deployment stage, but for now I just want to compare various proposals against the requirements outlined in the last post on this topic (you can find that post here).
The first of these systems is BGPSEC—or as it was known before it was called BGPSEC, S-BGP. I’m not going to spend a lot of time explaining how S-BGP works, as I’ve written a series of posts over at Packet Pushers on this very topic:
Part 1: Basic Operation
Part 2: Protections Offered
Part 3: Replays, Timers, and Performance
Part 4: Signatures and Performance
Part 5: Leaks
Considering S-BGP against the requirements:
- Centralized versus decentralized balance:S-BGP distributes path validation information throughout the internetwork, as this information is actually contained in a new attribute carried with route advertisements. Authorization and authentication are implicitly centralized, however, with the Continue reading
Touch Wipe: a question for you lawyers
Whether the police can force you to unlock your iPhone depends upon technicalities. They can't ask you for your passcode, because that would violate the 5th Amendment right against "self incrimination". On the other hand, they can force you to press your finger on the TouchID button, or (as it has been demonstrated) unlock the phone themselves using only your fingerprint.So I propose adding a new technicality into the mix: "Touch Wipe". In addition to recording fingerprints to unlock the phone, Apple/Android should add the feature where users record fingerprints to wipe (erase) the phone. For example, I may choose my thumb to unlock, and my forefinger to wipe.
Indeed, I may record only one digit to unlock, and all nine remaining digits to wipe. Or even, I may decide to record all 10 digits on both hands to wipe, and not use Touch ID at all to unlock (relying solely on the passcode).
This now presents the problem for the police. They can't force me to unlock the phone. They can't get around that by using my fingerprints, because they might inadvertently destroy evidence.
The legal system is resilient against legal trickery such as this. If think you've Continue reading
Juniper Reports Q1 on the Lower End of Guidance
On the plus side: a new firewall for containers.
Errata Security 2016-04-27 17:48:00
Who's your lawyer. Insights & Wisdom via HBO's Silicon Valley (S.3, E. 1)
The company's attorney may be your friend, but they're not your lawyer. In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) looks at the common misconception highlighted in this week's Silicon Valley episode.
by Elizabeth Wharton
Amidst the usual startup shenanigans and inside-valley-jokes, HBO's Silicon Valley Season 3, Episode 1 contained a sharp reminder: lawyer loyalty runs with the "client," know whether you are the client. A lawyer hired by a company has an entity as its client, not the individuals or officers of that company. If you want an attorney then hire your own.
Silicon Valley Season 3, Episode 1- Setting the Scene (without too many spoilers, I promise)
Upon learning of a board room ouster from the CEO to the CTO role, the startup company's founder Richard storms into the meeting with two board "friends" in Continue reading
My next scan
So starting next week, running for a week, I plan on scanning for ports 0-65535 (TCP). Each probe will be completely random selection of IP+port. The purpose is to answer the question about the most common open ports.This would take a couple years to scan for all ports, so I'm not going to do that. But, scanning for a week should give me a good statistical sampling of 1% of the total possible combinations.
Specifically, the scan will open a connection and wait a few seconds for a banner. Protocols like FTP, SSH, and VNC reply first with data, before you send requests. Doing this should find such things lurking at odd ports. We know that port 22 is the most common for SSH, but what is the second most common?
Then, if I get no banner in response, I'll send an SSL "Hello" message. We know that port 443 is the most common SSL port, but what is the second most common?
In other words, by waiting for SSH, then sending SSL, I'll find SSH even it's on the (wrong) port of 443, and I'll find SSL even if it's on port 22. And all other ports, too.
Continue reading
TIA’s NFV Security Group Reflects Carriers’ Unease With Open Source
Carriers trust open source - but not too much.
Securing BGP: A Case Study (8)
Throughout the last several months, I’ve been building a set of posts examining securing BGP as a sort of case study around protocol and/or system design. The point of this series of posts isn’t to find a way to secure BGP specifically, but rather to look at the kinds of problems we need to think about when building such a system. The interplay between technical and business requirements are wide and deep. In this post, I’m going to summarize the requirements drawn from the last seven posts in the series.
Don’t try to prove things you can’t. This might feel like a bit of an “anti-requirement,” but the point is still important. In this case, we can’t prove which path along which traffic will flow. We also can’t enforce policies, specifically “don’t transit this AS;” the best we can do is to provide information and letting other operators make a local decision about what to follow and what not to follow. In the larger sense, it’s important to understand what can, and what can’t, be solved, or rather what the practical limits of any solution might be, as close to the beginning of the design phase as possible.
In the Continue reading
Technology Short Take #65
Welcome to Technology Short Take #65! As usual, I gathered an odd collection of links and articles from around the web on key data center technologies and trends. I hope you find something useful!
Networking
- Michael Ryom has a nice (but short) article on using Log Insight along with a NetFlow proxy to help provide more detailed visibility into traffic flows between VMs on NSX logical networks.
- Brent Salisbury has an article on GoBGP, a Go-based BGP implementation. BGP seems to be emerging as an early front-runner for a standards-based control plane for software networking. Couple something like GoBGP with IPVLAN L3 (see Brent’s article) and you’ve got a new model for your data center network.
- Andy Hill has an article on doing rolling F5 upgrades using Ansible.
- Filip Verloy has an article that discusses the integration between Nuage Networks and Fortinet.
- This should probably go in the “Cloud Computing/Cloud Management” section, but the boundaries between areas are getting more and more blurry every day. (Thankfully, due to LASIK my vision is sharper than ever.) In any case, here’s a post by Marcos Hernandex on the use of subnet pools in OpenStack. Although Marcos’ post discusses them Continue reading
A Look Back at One Year of Docker Security
Security is one of the most important topics in the container ecosystem right now, and over the past year, our team and the community have been hard at work adding new security-focused features and improvements to the Docker platform. … ContinuedSimSpace Replicates Massive Cyber Attacks in the Cloud
The startup plays cyber wargames in the public cloud.
Securing BGP: A Case Study (7)
In the last post on this series on securing BGP, I considered a couple of extra questions around business problems that relate to BGP. This time, I want to consider the problem of convergence speed in light of any sort of BGP security system. The next post (to provide something of a road map) should pull all the requirements side together into a single post, so we can begin working through some of the solutions available. Ultimately, as this is a case study, we’re after a set of tradeoffs for each solution, rather than a final decision about which solution to use.
The question we need to consider here is: should the information used to provide validation for BGP be somewhat centralized, or fully distributed? The CAP theorem tells us that there are a range of choices here, with the two extreme cases being—
- A single copy of the database we’re using to provide validation information which is always consistent
- Multiple disconnected copies of the database we’re using to provide validation which is only intermittently consistent
Between these two extremes there are a range of choices (reducing all possibilities to these two extremes is, in fact, a misuse of the Continue reading
IoT Must Learn to Serve the Connected Cow
IoT devices need to get cheaper and battery life to get longer.
Defining “Gray Hat”
WIRED has written an article defining “White Hat”, “Black Hat”, and “Grey Hat”. It’s incomplete and partisan.Black Hats are the bad guys: cybercriminals (like Russian cybercrime gangs), cyberspies (like the Chinese state-sponsored hackers that broke into OPM), or cyberterrorists (ISIS hackers who want to crash the power grid). They may or may not include cybervandals (like some Anonymous activity) that simply defaces websites. Black Hats are those who want to cause damage or profit at the expense of others.
White Hats do the same thing as Black Hats, but are the good guys. The break into networks (as pentesters), but only with permission, when a company/organization hires them to break into their own network. They research the security art, such vulnerabilities, exploits, and viruses. When they find vulnerabilities, they typically work to fix/patch them. (That you frequently have to apply security updates to your computers/devices is primarily due to White Hats). They develop products and tools for use by good guys (even though they sometimes can be used by the bad guys). The movie “Sneakers” refers to a team of White Hat hackers.
Grey Hat is anything that doesn’t fit nicely within these Continue reading
2016 Security Infrastructure Survey is Here!
Take survey and enter to win one of two $200 Amazon Gift Cards.
Securing BGP: A Case Study (6)
In my last post on securing BGP, I said—
The CAP theorem post referenced above is here.
Before I dive into the technical issues, I want to return to the business issues for a moment. In a call this week on the topic of BGP security, someone pointed out that there is no difference between an advertisement in BGP asserting some piece of information (reachability or connectivity, take your pick), and an advertisements outside BGP asserting this same bit of information. The point of the question is this: if I can’t trust you to advertise the right thing in one setting, then why should I trust you to advertise the right thing in another? More specifically, if you’re using Continue reading
Real-Life Software Defined Security @ Troopers 16
The organizers of Troopers 16 conference published the video of my Real-Life Software Defined Security talk. The slides are available on my web site.
Hope you’ll enjoy the talk; for more SDN use cases watch the SDN Use Cases webinar.
No, Internet should be capitalized
The AP Stylebook and others are now declaring that "Internet" should no longer be capitalized, that you should just say "internet" instead. This is wrong, because the Internet is just an internet.Internet is short for internetwork. This was a term developed in the 1970s to describe interconnecting networks together.
There were many internetworks back then. Each major computer manufacturer had its own, incompatible internetworking "protocol". IBM with it's SNA, DEC with it's DECnet, Xerox with XNS, and later Apple with its AppleTalk.
Since it would be nice to interconnect all computers, and not be locked into a single manufacturer, many efforts were taken to standardize internetworking protocols, so that all computers could be placed on the same network. Most people put their support behind GOSIP, the "Government Open Systems Interconnect Profile", a standard created by the biggest corporations and the biggest governments.
However, in 1982, the DoD paid a consulting company to added Xerox's XNS and a research project called "TCP/IP" into an early form of Unix. This form of Unix, called "BSD", was popular among universities. The DoD's goal was to make it easier for researchers who it funded to talk to each other. After this point, universities Continue reading
Technology Short Take #64
Welcome to Technology Short Take #64. Normally, I try to publish Short Takes on Friday, but this past Friday was April Fools’ Day. Given the propensity for “real” information to get lost among all the pranks, I decided to push this article back to today. Unlike most of what is published around April Fools’ Day, hopefully everything here is helpful, informative, and useful!
Networking
- Phil Gervasi has an article on fate sharing in the network core, where he discusses some of the advantages—and disadvantages—of centralizing the control plane in network designs. The examples Phil uses include StackWise, Virtual Switching System, and Virtual Port Channels.
- Alban Crequy has a post on using Linux queueing disciplines (qdiscs, for short) to help with testing application behavior under degraded network conditions. This is really interesting and something that I want to explore in more detail.
- Cumulus Networks has added another hardware partner to its list of supported hardware partners; this time it’s Mellanox, as outlined in this SDx Central article.
- Carlos Cardenas has a great post that does a great job of explaining SAI (Switch Abstraction Interface) and switchdev, two key abstraction layers involved in building Linux-based network operating systems (NOSes). Carlos Continue reading