I'm actually shocked that someone used a zero-day Android exploit to steal $5,700 of BTC. Couldn't they have sold it for significantly more on the black market?
It may not have been identified specifically as an Android exploit -- there are people (I used to be one of them, though I wouldn't have used the result to exploit wallets) who constantly run crypto attacks on transactions in the blockchain to identify weak wallet keys. The person who stole the BTC probably automated the attack, left it running against the blockchain, and never even knew what the real vulnerability was.
They didn't use an Android exploit specifically, they simply scanned the blockchain for vulnerable private keys. They probably didn't even know that Android was the culprit - it could be hardware wallet, a buggy homebrew client or whatever.
Depends on the attackers attitude to risk: $5,700 worth of BTC might be a lot harder to track than the sale of an exploit. He doesn't have to trust any other human beings (i.e. the person he is selling to at least) not to dob him in at a moment's notice. A safe 5K might be very much preferable to him than a less safe 20+K.
(caveat: unless otherwise stated numbers in this post, and many of my others, are plucked from thin air)
Yes, $5,700 seems a bargain to uncover a flaw like this. Shows an interesting potential use of bitcoin, can act as a warning system to identify bugs or insecure systems, like a honeypot. If the bitcoins are taken you know there is a weakness somewhere.
We don't really know that. The other obvious implication would be that we now might need new/expanded openssl/ssh key blacklists, for keys generated on Android devices.
This is a failure of the CSPRNG. What "not implementing your own crypto" usually means is trying to cobble together primitives like AES, RSA, and some mode of operation (and, if you're lucky, there's a MAC algorithm in there too), which would still probably have been horribly broken in some way. That's completely orthogonal to this issue.
Are you insinuating that explicitly seeding the CSPRNG with information from the OS' CSPRNG is somehow a bad thing, or that it is frowned upon, or that it constitutes "implementing your own crypto"?
Random blocks when waiting for entropy. Urandom is "unblocking random" and will return strictly predictable results when the pool becomes drained enough.
[+] [-] flyt|12 years ago|reply
[+] [-] panarky|12 years ago|reply
http://android-developers.blogspot.com/2013/08/some-securera...
[+] [-] enraged_camel|12 years ago|reply
[+] [-] gsibble|12 years ago|reply
[+] [-] zorpner|12 years ago|reply
[+] [-] qnr|12 years ago|reply
[+] [-] dspillett|12 years ago|reply
(caveat: unless otherwise stated numbers in this post, and many of my others, are plucked from thin air)
[+] [-] mike-cardwell|12 years ago|reply
[+] [-] cstavish|12 years ago|reply
[+] [-] kirian|12 years ago|reply
[+] [-] e12e|12 years ago|reply
[+] [-] marshray|12 years ago|reply
[+] [-] gcb0|12 years ago|reply
[+] [-] lvh|12 years ago|reply
This is a failure of the CSPRNG. What "not implementing your own crypto" usually means is trying to cobble together primitives like AES, RSA, and some mode of operation (and, if you're lucky, there's a MAC algorithm in there too), which would still probably have been horribly broken in some way. That's completely orthogonal to this issue.
Are you insinuating that explicitly seeding the CSPRNG with information from the OS' CSPRNG is somehow a bad thing, or that it is frowned upon, or that it constitutes "implementing your own crypto"?
[+] [-] marshray|12 years ago|reply
[+] [-] marshray|12 years ago|reply
[+] [-] Afforess|12 years ago|reply
[+] [-] VikingCoder|12 years ago|reply
[+] [-] plasma|12 years ago|reply
I thought urandom should only be used for crypto.
[+] [-] aa0|12 years ago|reply
[+] [-] nwh|12 years ago|reply
[+] [-] gsibble|12 years ago|reply