= 27d567bc2d48d9f40e9ccc20ea370b15)
skeptical_lurker comments on Why you should consider buying Bitcoin right now (Jan 2015) if you have high risk tolerance - Less Wrong
You are viewing a comment permalink. View the original post to see all comments and the full post content.
= 783df68a0f980790206b9ea87794c5b6)
Loading…= b715d02e85f7b3b4ae65ca3d3e450868)
Subscribe to RSS Feed
Powered by Reddit
= f037147d6e6c911a85753b9abdedda8d)
Comments (136)
ASICs are used to mine bitcoin now. If you have a botnet, you would use it to mine altcoins, most of which uses memory-intensive POW to render ASICs ineffective.
How much does it cost to hack the ASIC controllers?
I think that depends whether the PC the ASIC is plugged into has been downloading dodgy files. I don't think you can just pay a certain amount of money to hack into any arbitrary computer.
Plus, if you can hack computers, you might as well just steal the bitcoin wallets.
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
http://www.zdnet.com/article/hackonomics-street-prices-for-black-market-bugs/
http://1337day.com/
Found by Googling "zero day exploit market".
Did you know that there was a bug in Windows for 19 years only fixed recently and still not for XP? http://www.pcworld.com/article/2846004/microsoft-fixes-severe-19-year-old-windows-bug-found-in-everything-since-windows-95.html
Yes, you can pay a certain amount of money to hack into any arbitrary computer. Just ask N̶o̶r̶t̶h̶ ̶K̶o̶r̶e̶a̶ whoever http://sony.attributed.to/ says it is today.
WEll, those links are generally worrying, not just for bitcoin but for anyone who doesn't want hackers stealing intellectual property/bank details/watching you through your webcam.
But I still don't think its insurmountable. Sony were presumably not expecting a state to try to hack them, and perhaps should have taken more precautions. AFAIK these zero-day exploits require someone to visit a dodgy website or open an email attachment or run a file or whatever. From your link:
If you have expensive ASICs then the simple solution is to hook them up to a cheap rasberry pi, and then use this computer for nothing but mining. You wouldn't be using win XP, you'red be using a security-concious version of linux, perhaps.
The problem of securing wallets is more difficult. One tactic is to put most of your bitcoins in cold storage, and a few in a 'hot wallet' for immediate spending.
Hacking is worrying from many points of view, but given that the large majority of bitcoins have not been stolen, I really doubt its that easy.
As you seem to have missed it, http://sony.attributed.to/ is a parody. Refresh to see a different source blamed.
For the right budget, anything can be hacked. Many large banks have been hacked before, despite spending lots and lots on security. I'm sure whatever operating system is running on a pi has zero day exploits that don't require phishing. My point in mentioning the 19 year bug was that up until a few months ago, every windows computer out there had a bug that could be exploited by anyone for remote access. There was a huge openssl exploit last year also, and a big bash one.
The large majority of bitcoins are either held in small individual wallets which would be time consuming to go after and not worth it, or held in cold wallets.
There was a $5 million hack of bitstamp just 2 weeks ago.
A mining setup can't be held in a cold wallet, because blocks must be transmitted to the network.
Counterexample: Snowden and people around him (Greenwald, Poitras). I think the spooks tried very hard to hack them; I also think they failed in that.
Hm. If I had a billion dollar budget I could do it. I don't think the NSA can just put a billion into hacking a single person.
If you disagree with either of these points I'll try to defend them.
I disagree with both, but I don't think arguing over them is worthwhile as they both are not falsifiable.
But, if you spend a billion developing a zero-day exploit, surely you can use the exploit against anyone with the same operating system, or using the same program. In which case you are not paying a billion just to hack one person.
Snowden is sort of a special case here, as he uses Tails, which has very low adoption, and the value of an exploit is not as large as the value of an exploit in Windows. That said, there have been exploits in Tails:https://www.schneier.com/blog/archives/2014/07/security_vulner_4.html http://www.forbes.com/sites/thomasbrewster/2014/07/21/exploit-dealer-snowdens-favourite-os-tails-has-zero-day-vulnerabilities-lurking-inside/. NSA could probably find one for a few million (consider that a wild guess).
But just a zero day in Tails wouldn't be enough to get Snowden. It would maybe let them get into his accounts, which we would have no idea about unless someone told us, but to silence him, they'd need to delete the files or find where he was. For whatever reason, they are unable to kill him while he's in Russia, and I doubt Snowden keeps the only copy of the files hooked up to his computer while he's online. You can do all your work offline, and only go online while sending something.
(I think they haven't gone and killed Snowden yet because Russia would respond with World War 3. The probability of Russia doing that is high enough to justify inaction. Or in other words, the NSA knows how to lose.)
Also, the NSA has a $10 billion budget. The Snowdon revelations are incredibly embarrassing to them, and I think they would easily spend a little over a month's budget in order to hack him.
By the time they already knew who it was, much of those document were already in too many hands to hide. If I was Snowden, I'd have some set up on hidden prepaid hosting set to leak automatically if I didn't keep on cancelling well before anything at all goes public. They wouldn't just have to hack him, but every journalist who may have made copies, anywhere he may have copied it to, etc.
I don't think it's likely that their procedures on spending are that fast. By the time they got approval from whoever needs to approve it, it would be too late to be effective. Most of the damage was already done when Snowden handed over the first batch of documents, and if he suddenly disappeared, media wouldn't forget about him.
Ok, well I only breifly skimmed http://sony.attributed.to/ , but its a fairly subtle parody until you refresh it.
Large banks have lots of employees, which provides lots of opportunities for persuading someone to run programs they shouldn't. A bitcoin mine can be run with only one person having access.
Are you telling me that if I had found this exploit first, I could just have decided to read the NSA's files, Obama's email, stolen blueprints and conducted insider trading without any further work?
The NSA's files probably aren't hooked up to the Internet. They might not use Windows, either.
What you're looking for is the Heartbleed bug. That would have allowed you to hack perhaps 2 thirds of websites http://www.huffingtonpost.com/2014/04/08/heartbleed-66-percent_n_5112793.html (There are different estimates given, but many of the top websites were compromised.)
This Windows bug could have made you millions if you'd known about it earlier. Insider trading would have worked if you get someone into the right networks. Blueprint could be stolen. Obama's email: that depends on whether any computers that have access to it are Windows and on a network, probably not, but you could with a few more zero days. The really expensive hacks "burn" multiple zero days.
Put it this way: if you knew everything in the public domain today about computers and went back 5 years, you pwn >99% of computers out there, and I fully expect the same to be true in 5 years. For starters, you can impersonate any website by using an md5 collision attack. (This was fixed in 2008, so more than 5 years, but you get the point.)
Have I convinced you to change careers yet?
I understand that websites are vulnerable - after all, they are public and have to interact with users. But what about a computer sitting in a basement, not publicising its IP address and just interacting with the blockchain?
Contrary to your assumptions, I am not a bitcoin miner, just an interested layperson. Even if I was, I would simply move my coins into cold storage at regular intervals, and assume that the hackers know they can make more money insider trading and carding then going after a security-conscious bitcoin miner. And if I lost one hot wallet, its not the end of the world.
You have made me worry more about AI and BCI however, imagining a 'Ghost in the shell' future where people can hack into each other's brains.
Incidentally, are you a computer security professional of any form?
Every computer getting info from the blockchain publicises its IP address. But you can use proxies which make it harder, or a pool which has its own servers. But pools have websites, and they make up the majority of mined coins, so there's an attack vector.
I see I wasn't clear again; my "Have I convinced you to change careers yet" was asking if you were planning to become a hacker (or the cleaner version, "security researcher" or "bounty hunter").
I've done my good deed for the day, then.
No, at least not formally. I have gotten paid for fixing people's computers as a hobby. (I recently got the code for someone's ransomware encrypted computer without having to pay by exploiting the attackers' bitcoin setup. Not as cool as it sounds, they basically used the same address for multiple infections, which was a hole.) I've done a little freelance work in web design and SEO.
I read a lot of Hacker News stuff and elsewhere, use Linux for my own computer (plus Whonix for really sensitive things), but I'm not "officially there". I do want to be someday.
Right, so you go in, pwn a box -- oh, look! a whole bunch of juicy info, let me grab it...
And a... slightly alternative view: "What a n00b, blundered into our network, triggered all the IDS systems and is now glued to the honeypot downloading the stuff we prepared for him... Think he's ripe for swatting?"
X-D
If this is serious, then I'd point out that most of these exploits weren't known by anyone 5 years ago, so they couldn't have been on the lookout for them.
If someone's network was still open after these exploits have been revealed, then they are likely be a honeypot, but the chances of (X is a honeypot: X is vulnerable to this exploit that no one will know about for years) is pretty much the chances of any random computer being a honeypot.
Personally, I think if the NSA had known about Heartbleed as soon as it was introduced (around 2 years before it was fixed), it would have been fixed sooner. Maybe you milk all the data you can out of it, then get it fixed, but having that kind of thing open is a disaster waiting to happen, and NSA would try to fix it sooner.