FOREWORD: A lot of people have suffered substantial life-altering losses on MtGox. I do not want to provide false hope to anyone because it is not helpful (as Bane says in DKR "there can be no true despair without hope"). However, I do want to bring to people's attention an outlier possibility, together with a call to action for pressure to be brought on the right people to help eliminate this. This idea comes from my experiences working as an engineer with secret and private key cryptography and also brute force attacks some years ago.
I am this guy http://ift.tt/1fvBfld
Why am I writing this? Firstly I believe there is a small possibility that Mark Karpeles has "lost" private keys to Gox wallets containing large amounts of coins and that under huge pressure, and perhaps after realizing he lost keys in 2011 and running Gox as a fractional reserve thereafter, he decided it would be less shameful to blame all losses on the transaction malleability hacks they recently suffered (i.e. the malleability attacks did occur, but were used as a convenient excuse to cover up the additional and possibly larger key related wallet losses).
Karpeles lent weight to this idea the other day saying: "Well technically they’re not ‘lost’ just yet, just temporarily unavailable". Furthermore, it stretches credulity that 850,000 coins can have been lost from a cold wallet system (but who knows, this is Karpeles!)
If this is private key/wallet loss, this is how it may have happened:
- Mark creates software for creating wallets with key pairs
- The software exports the private keys for later use
- Mark deposits coin in the wallets and withdraws coin from the wallets no problem
- Mark sees no reason to check this system. We know that his development code does not have TestUnits to test for regression bugs (new bugs that are introduced when you change your software code)
- A code change introduces a regression bug (a new bug which might not be obvious initially)
- Mark continues depositing coins into the wallets trusting that he has the private keys, but now the private keys that are being generated are invalid
- At some point he tries to retrieve the coin in cold storage and finds the keys don't work
So is all lost now? If he has "lost" the private keys in the conventional sense, it is definitely computationally infeasible to find the keys by brute force and get the coins back.
However, if the loss scenario described above is correct, not necessarily. Specifically, if he has access to the code changes that caused the regression bug, then very likely it might be possible for a sophisticated cryptographer to brute force the keys with much less work than otherwise needed by using the faulty keys and knowledge about how they were generated as a starting point. Given the amount of money at stake, half of AWS could be put to work doing this.
Because there are outlier possibilities like this, it is essential that the BTFC and bitcoin main players who have access to Karpeles such as Roger Ver urgently get on a plane to Tokyo and establish exactly what has happened (and then report what has happened to the world).
Every minute lost is potentially critical, as Mark may destroy or lose for example old code or faulty keys that in fact can be used to create feasible brute force attacks. This is especially likely if he wants to defend a lie that all coins were lost to hackers. Hence time is of the essence (Mark if you are reading this, and this is true, do the right thing dude!)
The community now needs to show support for this and pressure BTF and main players to get on with this job ASAP.
submitted by jahebipa
from Bitcoin http://ift.tt/1d4kvTH