Milk Sad
August 9, 2023 11:52 AM

A practical explanation of how weak entropy can ruin your day - and your savings. Short version: A popular tool used to generate private keys for cryptocurrency wallets used 32 bits of system time as its random seed. "A 32 bit key space is 2^32, or 4,294,967,296 different unique combinations... Spoiler: That’s not as many combinations as it sounds. With enough optimizations, a decent gaming PC can do a brute-force search through 2^32 wallet combinations in less than a day... Attackers are actively exploiting this and have been draining funds..."
posted by clawsoon (55 comments total) 11 users marked this as a favorite
 
This flaw is rank amateurism. Prompting the evergreen cryptocurrency question: incompetence or deliberate fraud?

In the Hacker News discussion one of the security researchers clarified that it's using the least significant bits of time, so it goes through all 2^32 options in about 4 seconds. That's good in that it's not really predictable externally unless you know to the millisecond when a wallet was created (as opposed to, say, the year.) It's bad if the system clock doesn't really have that fine grained a time entropy. Either way it's just terrible though.
posted by Nelson at 12:10 PM on August 9, 2023 [4 favorites]


The purpose of a system is what it does, therefore cryptocurrency is for scams, thieves, grift and rent-seeking.
posted by Rev. Irreverent Revenant at 12:17 PM on August 9, 2023 [10 favorites]


This flaw is rank amateurism.

The only good thing about smart contracts is that they come with a built-in bug bounty program worth 100% of whatever is in the contract.
posted by mhoye at 12:25 PM on August 9, 2023 [32 favorites]


Cool, anything that continues to make this garbage less attractive is good in my book.
posted by Ferreous at 12:31 PM on August 9, 2023 [2 favorites]


Can someone ELI5 what exactly's happening here? This is my best guess:

bx seed applies some mathematical operation to the random seed in order to generate a key.
It either uses the same mathematical operation each time or some relatively small set of operations to generate the key.
Because the random seed is only 32 bits there are only the 4.3 billion possible random seeds.
Hackers can then apply the mathematical operation or operations to those seeds and so can eventually end up with the correct key.
The key itself is like a password so once you have the correct one you can access the wallet.
The wallet doesn't have any timeouts for incorrect keys so the hackers can try their billions of possible keys without worry.

Is that it or is this working in some other way? The level of my cryptographic knowledge was learning the RSA algorithm in algebra class 25 years ago so I'm well out of my depth here.
posted by any portmanteau in a storm at 12:35 PM on August 9, 2023


I bet those folks feel like they got hit by a Mersenne twister
In fact a CSPRNG won't help since they only have 32 bits of entropy.
posted by jeffburdges at 12:37 PM on August 9, 2023 [3 favorites]


It'll be hilarious if Satoshi's account gets hacked one-day, perhaps by exploiting old PRNG weaknesses.

At present Satoshi's head is an icicle at Alcor now, or maybe melted in one of their failures, so not like he'll raise any objections.
posted by jeffburdges at 12:56 PM on August 9, 2023 [1 favorite]


At present Satoshi's head is an icicle at Alcor

I wasn’t sure if you were really staking a claim about who it was or just making a joke about what kind of person it was. For those curious, it seems to be the former, Hal Finney was in fact frozen by Alcor.
posted by atoxyl at 1:07 PM on August 9, 2023 [1 favorite]


> The wallet doesn't have any timeouts for incorrect keys so the hackers can try their billions of possible keys without worry.

The key *is* the wallet. If you have the private key, you can tell the network you're moving the funds. You don't need to interact with the owner's copy of the wallet at all.

As the disclosure page notes:
The attack works independent of the owner’s current copy of the wallet secrets. In other words, even if you keep your paper wallet in a bank safe, your funds can still be stolen remotely. Crazy, right?
lol, hax.
posted by automatronic at 1:15 PM on August 9, 2023 [7 favorites]


So then are these hackers just spamming the network with all possible keys or are they able to verify the keys some other way and then just use the verified key?
posted by any portmanteau in a storm at 1:21 PM on August 9, 2023


portmanteau, your summary seems more or less right to me. The key thing is there's only four billion possible secret keys for these wallets. That sounds like a lot but it's not, you can test all of them in a single day on an ordinary home computer. Which means basically all of the accounts ever created with this flawed system are entirely owned. A proper system would have at least 256 bits of entropy instead of 32, which thanks to exponential scaling means it'd take zillions of years to crack a key and not just a day.

Like I said, this is a very rank amateur mistake to make. No working software developer should be making this mistake in the modern era, and certainly not one building cryptographic software. Which gets me back to the "incompetence or fraud" question. The flaw is so stupid I'd initially written off deliberate fraud as the explanation; if you're creating backdoors you'd prefer one only you can exploit. OTOH as was pointed out to me on HN, this particular flaw has plausible deniability because it doesn't require special insider knowledge to exploit.
posted by Nelson at 1:36 PM on August 9, 2023 [5 favorites]


So then are these hackers just spamming the network with all possible keys or are they able to verify the keys some other way and then just use the verified key?

It's asymmetric cryptography. The wallet consists of a public and a private key. The public key is published - you can find it in the transaction history on the blockchain.

When the owner wants to move some of the funds associated with that public key, they sign a transaction with their private key and publish that transaction. Everyone on the network can verify a transaction against its public key. Transactions are grouped into blocks and those blocks are added to the blockchain. The network won't accept a block unless all its transactions verify correctly.

To brute-force the private key, an attacker can use the same verification function. Normally that attack would be intractable due to the size of the keys, but this hilarious cockup means the key space has been reduced to 2^32 which can be brute forced in hours.
posted by automatronic at 1:41 PM on August 9, 2023 [5 favorites]


OK, I think I know what is going on here now, thank you for the explanations.

A 32 bit key in 2023 is ridiculous, I remember using 256+ bit keys to PGP sign emails 20+ years ago when computing power was a fraction of what it is now.
posted by any portmanteau in a storm at 2:05 PM on August 9, 2023


As a rule, I think "incompetence or fraud" ignores the incompetence level of frauds, especially in blockchain, but yeah here it's a fair question. In fact, bitcoiners have kinda perfected making this mistake over the years, so even incompetent people could learn that this represents a viable attack.
posted by jeffburdges at 2:39 PM on August 9, 2023 [1 favorite]


One little somewhat off-topic detail: the security of a particular key size depends on the cryptographic system. RSA (based on number theory, factoring) requires larger key sizes for equivalent security -- the current recommendation is to use 2048-bit keys, which is an equivalent strength of around 112 bits. Elliptic curve systems are "better", you only need a (approx) 224 bit key for 112 bit security. Wikipedia has a pretty good page on key size.
posted by phliar at 2:44 PM on August 9, 2023


Of course, if crypto wasn’t built on the “feature” of an immutable* decentralized** blockchain, obviously fraudulent activity could be rolled back or cancelled, but that was the design….

* for some definition of immutable
** for some definition of decentralized
posted by GenjiandProust at 2:58 PM on August 9, 2023 [4 favorites]


Crypto isn't great, but it's better than nothing for unbanked people, like sex workers. Now it's being taken away from them.
posted by Nancy Lebovitz at 3:17 PM on August 9, 2023


Crypto isn't great, but it's better than nothing for unbanked people, like sex workers. Now it's being taken away from them.

Indeed, I worked at a coffee shop and the only people who used the BitCoin ATM we randomly had was sex workers.

They never bought coffee so I can't be snarky on if they were good tippers (or not).
posted by alex_skazat at 3:51 PM on August 9, 2023 [2 favorites]


Oh no, I said to myself, this is bad and then ' popular tool used to generate private keys for cryptocurrency wallets'

oh. Anyway.
posted by 922257033c4a0f3cecdbd819a46d626999d1af4a at 4:47 PM on August 9, 2023 [4 favorites]


The ELI5 version is imagine a game of guess the number between a billion and one hundred billion. If you guess the number you can take all the person's money and you can guess as often as you want. It’s probably going to take you a long time to guess the number. However suppose there is a problem where instead it is a number between one billion and one billion ten. (1,000,000,000 and 1,000,000,010). That’s what happened.
posted by interogative mood at 4:52 PM on August 9, 2023 [2 favorites]


I dunno, from what I've read and heard, crypto has never been good for sex workers or the unbanked. That's a story that tech people who want to push the "no, crypto has positive uses, really!" story use. It was never a good method for payments, and speculation pretty much destroyed that use, especially once government agencies became interested in the unregistered securities aspects.

The way sex workers (and other marginal people) get treated by the banking and financial systems, but crypto, if it ever was a solution, stopped being so a long time ago.
posted by GenjiandProust at 4:55 PM on August 9, 2023 [3 favorites]


ELI5 version:

* in BitCoin, "your" Bitcoins are encrypted in your "e-Wallet", and the eWallet is seeded with a random value to generate a private key. ANYONE who has (or guessed) the private key to the matching wallet controls the wallet.

* the seeded random value needs to be huge (jargon term: "strong entropy") to make it prohibitively expensive to brute-force. A seed value with weak entropy can be more easily brute-forced.

* a common Bitcoin eWallet private key generator using Libbitcoin Explorer (bx) was found to have used a very weak seed: the last 32 bits of system time, which is already low, and it's suspected the "effective entropy" may be even lower than 32 bits, and it could be system dependent. (NOTE: I haven't found someone who actually did an entropy analysis on the RTC clock.)

* While the private key may be much longer than 32-bits, the fact that it was seeded with a 32-bit number means the key it generated can be guessed since the algorithm is available. So they are "effectively" 32-bit numbers, and as stated, a modern PC can guess that in less than a day, esp. if it has a GPU to assist. Though in reality, this is probably done every several days of data churning and trying various private keys.

* Some Bitcoin eWallets have been mysteriously drained perhaps as early as May, but certainly on 12 July 2023. It is suspected that these had their private keys "guessed" by hackers who simply brute-forced the private key.

Did I miss anything?
posted by kschang at 5:09 PM on August 9, 2023 [2 favorites]


Asking for a friend: is using this to 'drain' other people's wallets actually illegal? Something that interpol or the like would be interested in investigating? Say, if the friend doing the draining was in a different country than the owner of the wallet?
Cause my friend might happen to have a spare gaming PC...
posted by signal at 5:52 PM on August 9, 2023


I'd expect they were all drained before the CVE appeared. At each of those 2^32 entries, the attacker does one secp256k1 scalar multiplication and one lookup in a database, which they've preprocessed from the blockchain. I'd expect they found all targets before they started draining wallets, and then drained the largest wallets first.
posted by jeffburdges at 6:12 PM on August 9, 2023


It's theft, but let's just say, cryptocurrency is only "somewhat regulated" in most jurisdictions.
posted by kschang at 6:12 PM on August 9, 2023


The Bitfinex hackers are finally facing charges, so your theoretical friend will find out how illegal it is when some law enforcement wants it to be so. And then the only notionally valuable beans you’ve got are valued at the highest possible price for sentencing. It’s a win-win situation! For someone….
posted by GenjiandProust at 7:03 PM on August 9, 2023


Unless I can't run a calculator at this time of the evening, it would take up to 71,014.6 weeks to run every possible value of a 32 bit seed... if there was a forced 10 second wait between every try at accessing the target with a new key.

Just sayin'.
posted by Artful Codger at 8:11 PM on August 9, 2023


> Asking for a friend: is using this to 'drain' other people's wallets actually illegal?

What do you even mean by "other people's wallets"? Cryptocurrency is controlled by whoever has the private key. There's no other form of identity in the system. The key isn't a password to a named account; the key *is* the name. If someone guesses your key, they're not just pretending to be you: they are you.
posted by automatronic at 8:23 PM on August 9, 2023 [1 favorite]


If there was a forced 10 second wait between every try at accessing the target with a new key.

You might want to read automatronic's generous explanation of how attacks work. There's no way to create a "forced 10 second wait" because "everyone on the network can verify a transaction against its public key".
posted by Nelson at 8:46 PM on August 9, 2023 [2 favorites]


What do you mean by theft? Do you think there's an important difference between taking a bitcoin wallet and taking other sorts of property?
posted by Nancy Lebovitz at 10:49 PM on August 9, 2023


The key isn't a password to a named account; the key *is* the name. If someone guesses your key, they're not just pretending to be you: they are you.

I wanna say, "no wonder the inventor of bitcoin decided to be anonymous, that's seems like a terrible idea.", but I'm in no way a cryptography expert (and it doesn't seem to be a bug introduced by the creators of bitcoin except allowing such a weak seed to work). Other than using a much stronger seed, what's another (better) way to secure this? Or is really, "See this thing that was stupid to do? Don't do this stupid thing!".
posted by alex_skazat at 11:21 PM on August 9, 2023


> So then are these hackers just spamming the network

A full copy of the blockchain, with all its wallets and transactions, is 500 GB: Bitcoin Blockchain Size (I:BBS) 502.06 GB for Aug 09 2023

I'm fuzzy on this - I think all they need is your public key and something signed with your private key, like a single transaction stored on the blockchain or your wallet, then they test 2^32 prospective private keys against that ("test 5: does a_5 factor into b? ... no. Test 6 ... ), find your private key, and now they're done. They then use your private key to empty your wallet on the network.
posted by sebastienbailard at 11:31 PM on August 9, 2023


The way sex workers (and other marginal people) get treated by the banking and financial systems, but crypto, if it ever was a solution, stopped being so a long time ago.

I’d be pretty surprised if cryptocurrency is not still used for black market-y stuff. A good solution, no not really, but a workable one in some circumstances, sure.
posted by atoxyl at 11:41 PM on August 9, 2023


> Asking for a friend: is using this to 'drain' other people's wallets actually illegal?

7 years ago, the greatest minds available tried to answer this: https://www.reddit.com/r/Bitcoin/comments/457knb/is_stealing_bitcoin_a_crime/
I mistakenly saved my private key as a QR code at a public university library and someone ended up spending it.

I am not sure if I have a case or not and how this would be viewed by the police or the law. Does anyone have experience with this? My wallet had 3.1 btc
(I'm not really interested in their answers, more just impressed with the Currency of the Future™'s intrinsic multispectral fuckupidness.)

But it looks like the US courts have treated crypto assets as property, in money exchange, bankruptcy fraud, and tax cases, as per this 2018 article.

https://www.bestlawyers.com/article/is-cryptocurrency-property
"Certain features of cryptocurrencies challenge traditional notions of property—in particular, the fact that they’re essentially a record of transfers on the blockchain - makes it difficult to recognize them as property. Nonetheless, crypto assets have been treated as personal property by the U.S. legal system. In one 2013 case involving online money exchangers who failed to register with the Financial Crimes Enforcement Network (FinCEN), the Maryland District Court held bitcoins to be subject to civil forfeiture under 18 U.S.C. §1960, a statute that applies to forfeiture of real or personal property. A U.S. bankruptcy court likewise held that bitcoin was property for purposes of the fraudulent-transfer provisions of the bankruptcy code. And the IRS has ruled that, for federal tax purposes, virtual currency must be treated as personal property"
Canada Revenue is also of the opinion that crypto assets are property ... for tax purposes, anyway.

(There's probably successfully prosecuted theft cases, but my interest is flagging.)

So, yes, illegal, if rather difficult to investigate.

Follow best practices - VPNs, tumblers to launder the funds, don't drive your new sports car in an unsafe manner, etc.

And pay your taxes.
posted by sebastienbailard at 11:59 PM on August 9, 2023


There's no way to create a "forced 10 second wait" because "everyone on the network can verify a transaction against its public key".

Specifically, all an attacker needs to do is collect a public key from the network, once. The process of guessing private keys to see whether any of the guesses matches that public key can then be run on machinery controlled by the attacker with no further network involvement until it's time to spend all the moneys.

I'm fuzzy on this - I think all they need to is your public key and something signed with your private key, like a single transaction stored on the blockchain or your wallet

"Something signed with your private key" is not needed; all an attacker needs to do is encrypt something with your public key, then check again and again and again whether decrypting the result with a guess at your private key recovers their original plaintext, until a guess works or they get bored waiting for it to.

it doesn't seem to be a bug introduced by the creators of bitcoin except allowing such a weak seed to work

It's not really practicable to disallow private keys generated in stupid ways ahead of time, because that would require anticipating all the ways in which human beings could possibly be stupid and we already know where that goes.

Best that can be done is maintaining a list of keys that might have been generated in a stupid way after such a way has been noticed and documented, and arranging for access to resources secured by any key on that list to fail - as for example the Debian project was forced to do after a similar but worse version of this issue came to light in 2008.

Unlike for a fair dice roll, the number of possible 256-bit keys is so monstrously huge that even if such a list were to grow very large, the chance of a non-stupidly-chosen key ending up on it is negligible; the very existence of such a list is not going to reduce the key space enough to weaken security.
posted by flabdablet at 12:16 AM on August 10, 2023 [5 favorites]


There is a different usage of weak randomness which makes "something signed with your private key" relevant. Yes, bitcoin wallets have made this mistake many times too.

In fact, elliptic curve cryptography winds up incredibly robust and well understood: Use good randomness, etc. If possible choose better curves than secp256k1 and avoid cofactors.

All those lattice based schemes winning the NIST post-quantum crypto competition? Afaik, there were never so many footguns packed into one standard in all of human history, hence the NSA's recommendation that everybody use lattice based crypto and nothing else.

Absolutely do use NIST selected lattice based crypto, because they're super cool, but use them in hybrid protocols together with elliptic curves, and avoid implementations by Joe Ethereum or whoever.
posted by jeffburdges at 4:07 AM on August 10, 2023 [3 favorites]


OMG I forgot you could just download the entire blockchain and make your attempts essentially offline before committing to a transaction. That's, *chef's kiss*. I say we let those "thieves" keep the money.

The chance there's going to be a clever and creative attack on the blockchain to steal funds again is going to be 100% given there's no way to monitor if attack attempts happen. I can't even get into my bank account for like 2 days if I flub up my own password 3x.

Good luck, Bitcoin!
posted by alex_skazat at 7:54 AM on August 10, 2023 [4 favorites]


I’d be pretty surprised if cryptocurrency is not still used for black market-y stuff. A good solution, no not really, but a workable one in some circumstances, sure.

Way less than you think. Crypto has the fatal problem of persistent publicly-viewable transactions. If law enforcement can identify the holders of wallets, that’s a big problem for the crime-doers. There are ways to obscure what is happening to funds, but they aren’t really safe. My impression is that high level crime still happens with really anonymous transfers — bags full of cash. The one place where there is criminal activity on the blockchain is nations avoiding sanctions, since there’s no effective law enforcement, which is why exchanges suspected of such activity are being shut down decisively. Criminal use of crypto seems to be very much at the level of “individuals who think they won’t get caught.”
posted by GenjiandProust at 8:16 AM on August 10, 2023 [1 favorite]


I forgot you could just download the entire blockchain and make your attempts essentially offline before committing to a transaction.

The entire design of the thing is predicated on the idea that given a non-stupid method of generating private keys, you could run brute-force attacks against them until the heat death of the Universe and still get nowhere.

That idea is correct, and non-stupid encryption methods that rely on it to much the same extent are in widespread use for all kinds of purposes. The vulnerability under discussion doesn't proceed from a fundamental flaw in the design of Bitcoin, but from a Bitcoin manipulation tool that includes a key generation feature that's not only based on Mersenne Twister, a pseudorandom number generator well known not to be cryptographically secure, but forces that PRNG to generate one of only 2^32 possible sequences by seeding it incompetently.

Given that every operating system under which that tool can run provides cryptographically secure randomness as a system service, choosing to roll their own PRNG inside the tool was an entirely stupid design decision.
posted by flabdablet at 8:33 AM on August 10, 2023 [2 favorites]


The technical writeup is very approachable and even people who don't code should be able to get the gist by bleeping out details that don't make sense.
posted by flabdablet at 8:39 AM on August 10, 2023


Given that every operating system under which that tool can run provides cryptographically secure randomness as a system service, choosing to roll their own PRNG inside the tool was an entirely stupid design decision.

Uh-huh and that's the main rule of cryptography: don't roll your own!

I guess in a perfect world - and I understand why this currently can't be enforced – there shouldn't be a chance that this is possible, and perhaps even a way to update your private key to use better seeds/algorithms as they become available. I don't know how reasonable that is in a blockchain en masse (except individually transferring funds from one wallet to another without uh imposing a fee?) since there needs to be an agreement of v1 of the blockchain a v...n, but that always seemed to be a weakness in the distributed system.

As someone that has held out from cryptocurrency but has a modicum of software knowledge, it's still not passing the sniff test to me, especially if people keep losing their wallet funds because of exploits and shoddy engineering beyond their control. With it being taxed now, and not a good idea to use to buy meth, I'm not sure what use it is to me.
posted by alex_skazat at 9:23 AM on August 10, 2023


The technical writeup flabdablet links above has a lot of details on thefts so far that they've seen on the blockchain. There was "the big theft" on 2023-07-12 of about $850,000 worth of Bitcoin. And a series of thefts in May of a small amount. Also hints that similar thefts have been happening on other platforms, unmeasured. Anyway it still all totals to less than $1M. And on further analysis they didn't find many other wallets generated by this broken code. That's interesting in and of itself, perhaps this library isn't that popular?

Just to re-iterate how dumb this bug is, generating more than 32 bits of entropy is not hard. It is no problem for code to generate the ~256 bits needed to make a Bitcoin wallet secure. There's no need for other elaborate security measures. Bitcoin relies 100% on the quality of the random numbers and it's not hard to make them in small but useful quantities.

The other half of the dumb bug is their use of Mersenne Twister as a random number generator. I swear that RNG is a n00b trap, people pick it because it has a cool name. It's a bad RNG. Worse, it's not a cryptographic RNG. It's absolutely inappropriate for this purpose and anyone with a passing understanding of crypto coding knows that. Still can't explain why this Bitcoin library made that terrible choice. It doesn't really matter — even a strong library would still be foiled by the 32 bit seed. But it doesn't help and is more evidence of incompetence or deliberate fraud.
posted by Nelson at 9:39 AM on August 10, 2023
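A compact model of the two mistakes flabdablet and Nelson describe above (a Mersenne Twister whose only input is a 32-bit value taken from the clock), next to the OS-CSPRNG fix and an audit routine that asks whether a given key fingerprint could have come from a weak seed. This is an added illustration, not libbitcoin's or bx's code: SHA-256 stands in for the secp256k1 public-key derivation, and the timestamp and search window are constructed values.

```python
"""Toy model of the Milk Sad weak-seed failure (added illustration, not bx code).

Two properties of the real bug are kept: the generator is a Mersenne Twister
(CPython's random.Random is MT19937) and its only input is a 32-bit value
derived from the clock. The expensive secp256k1 public-key derivation is
replaced by SHA-256, which is enough to show why a 256-bit secret produced
this way still has only 2**32 possible values.
"""
import hashlib
import random
import secrets

MASK32 = 0xFFFFFFFF
SECRET_BYTES = 32  # 256-bit secret, the size of a Bitcoin private key


def weak_seed_from_time(now_ms: int) -> int:
    """Low 32 bits of a millisecond clock: all the 'entropy' the weak path has."""
    return now_ms & MASK32


def weak_secret(seed32: int) -> bytes:
    """Expand a 32-bit seed into 256 bits with MT19937.

    The output looks like a proper key, but it is a pure function of the
    seed, so at most 2**32 distinct secrets can ever come out of here.
    (CPython seeds MT19937 through init_by_array rather than init_genrand;
    the size of the seed space is what matters, not the exact mixing.)
    """
    rng = random.Random(seed32)
    return rng.getrandbits(SECRET_BYTES * 8).to_bytes(SECRET_BYTES, "big")


def strong_secret() -> bytes:
    """The fix: 256 bits straight from the OS CSPRNG, so there is no seed to guess."""
    return secrets.token_bytes(SECRET_BYTES)


def fingerprint(secret: bytes) -> str:
    """Stand-in for the public key: one-way, and public by design."""
    return hashlib.sha256(b"pubkey|" + secret).hexdigest()


def find_weak_seed(pub: str, start_ms: int, window_ms: int):
    """Audit helper: could `pub` have come from a seed in [start, start+window)?

    Returns the matching seed, or None. It is the same enumeration the thread
    describes, restricted to a time window; with window_ms = 2**32 it covers
    every seed the weak generator can ever produce.
    """
    for offset in range(window_ms):
        seed = (start_ms + offset) & MASK32
        if fingerprint(weak_secret(seed)) == pub:
            return seed
    return None


def enumerate_seconds(bits: int, guesses_per_second: float) -> float:
    """Time to walk an entire key space of the given entropy at a given rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Constructed timestamp: some millisecond in July 2023.
    created_ms = 1_689_120_000_123
    seed = weak_seed_from_time(created_ms)
    weak_pub = fingerprint(weak_secret(seed))
    # An owner who knows roughly when the wallet was made searches +/- half a second.
    print("weak key, seed found:", find_weak_seed(weak_pub, created_ms - 500, 1000))
    print("strong key, seed found:", find_weak_seed(fingerprint(strong_secret()), created_ms - 500, 1000))
    rate = 2 ** 30  # roughly a billion guesses per second, a GPU-assisted desktop
    print("2^32 seeds at that rate: %.1f s" % enumerate_seconds(32, rate))
    print("2^256 keys at that rate: %.3g years" % (enumerate_seconds(256, rate) / 31_557_600))
```

The strong key is never found because its 256 bits came from the OS, not from a clock value; the weak one is found as soon as the window covers its seed.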


These hacked transfers of cryptocurrency aren't a big problem. The victims can just call the cryptobank and get the transactions reversed.
posted by AlSweigart at 9:43 AM on August 10, 2023 [2 favorites]


Nelson: Anyway it still all totals to less than $1M. And on further analysis they didn't find many other wallets generated by this broken code. That's interesting in and of itself, perhaps this library isn't that popular?

They mentioned that examples of using the insecure tool are given in "Mastering Bitcoin", but that some documentation for the tool has said that it is insecure for a few years now. So perhaps it's a "missing stair" sort of situation, where beginners try it out but, if they stick around, are soon told, "Nah, brah, don't use that tool, it's no good."

I noticed that "Mastering Bitcoin" still hasn't been updated to remove the "bx seed" examples, despite the developers posting a warning (but not updating their code!) as far back as 2014.
posted by clawsoon at 9:59 AM on August 10, 2023




Crypto has the fatal problem of persistent publicly-viewable transactions. If law enforcement can identify the holders of wallets, that’s a big problem for the crime-doers.
One really big deterrent should be that this is fully retroactive but you have no way of knowing whether any of the parties involved has been compromised. The hardcore cryptocurrency salespeople either ignore this or pretend it’s just user error (always a sign of a successful system!) but it’d be like if Al Capone paid for an ice cream using the wrong wallet and that gave the police a notarized list of every transaction he’d made for years. It effectively makes everyone in a criminal network into potential “mob banker” busts like the police used to spend years setting up.

On a tangent more applicable to most of us, this is why I consider it so reprehensible for cryptocurrency marketers to push it for things which aren’t approved by some relevant government such as supporting political dissidents in other countries. I’m not sure anyone is capable of safely using such a poorly designed “all mistakes are irrevocable” system which provides so much information to prosecutors. For example, maybe you donated to some opposition group in Russia and they did everything perfectly to keep that private … and then 5 years later some random merchant is compromised and their transaction history goes into the dark web, and now the FSB has proof that a bitcoin wallet controlled by an American transferred funds to someone they’ve been watching. Repeat for, say, donations to a gay or abortion rights group which wasn’t illegal at the time some Floridian donated, etc. The idea of building up long histories like that seems far more dangerous than any perceived benefit.

(This is often when someone brings up things like Monero, which at least tries to be private rather than just fraudulently claiming to be so like the far more popular Bitcoin/Ethereum, but has never been exhaustively tested against an adversary with significant resources and is quite a gamble to say will hold up over the rest of your life.)
posted by adamsc at 10:25 AM on August 10, 2023 [5 favorites]


The honor system, but on the blockchain
posted by chavenet at 2:04 PM on August 10, 2023 [2 favorites]


My faith in humanity is inversely proportional to the price of Bitcoin and crypto.
posted by interogative mood at 2:31 PM on August 10, 2023 [1 favorite]


I noticed that "Mastering Bitcoin" still hasn't been updated to remove the "bx seed" examples, despite the developers posting a warning (but not updating their code!) as far back as 2014.

On any Unix-like system (e.g. Mac OS, *BSD, Linux including under WSL2), head -qc16 /dev/random | xxd -p is a drop-in replacement for bx seed that does produce cryptographically secure randomness.
posted by flabdablet at 2:31 AM on August 11, 2023


> Crypto has the fatal problem of persistent publicly-viewable transactions. If law enforcement can identify the holders of wallets, that’s a big problem for the crime-doers.

That comes up here:

https://www.cnn.com/2023/08/05/politics/fentanyl-cryptocurrency-cartels-federal-agents-catch-up/index.html#:~:text=Washington,Americans%20buy%20fentanyl.
"Washington (CNN) — The Biden administration has intensified its focus on tracing cryptocurrency payments that some of the most dangerous Mexican drug cartels use to buy fentanyl ingredients from Chinese chemical companies, the latest step in a renewed attempt to crack down on the multibillion-dollar fentanyl trade that kills thousands of Americans each year.

The use of digital currency has exploded among fentanyl traffickers, with transactions for fentanyl ingredients surging 450% in the last year through April, according to data from private crypto-tracking analysis firm Elliptic.

Federal agents are doing everything they can to catch up. While US diplomats have made fentanyl a point of emphasis in high-level talks with Mexican and Chinese counterparts, behind the scenes, a multi-agency effort is underway to keep pace with the rapidly changing nature of how fentanyl is financed and trafficked into the US. The work goes beyond the cartels to include tracking dark-web forums where Americans buy fentanyl.

..."
posted by sebastienbailard at 3:07 AM on August 11, 2023 [1 favorite]


> Reminder that NIST recommended ECC with a "back door" known to the NSA.

As stated, this is misleading, confused, or wrong.

Dual_EC_DRBG is a random number generator backdoored by the NSA. It is not elliptic curve cryptography (ECC) in the usual sense, but it does use ECC for its backdoor.

Amusingly...

China hacked OPM after the NSA backdoored Juniper routers via Dual_EC_DRBG, OPM installed Juniper routers, and China stole the backdoor.

OPM tracks all personal secrets of everyone with a security clearance, except CIA agents, so OPM knows every time they cheated on their spouse, etc. OPM is a database of how to blackmail everyone who holds a security clearance.

Also, academic cryptographers invented the Dual_EC_DRBG backdoor before the NSA, mostly for their own amusement. Elaine Barker was the NSA's person who drove the Dual_EC_DRBG standard. I think she became some executive in charge of cryptography at Amazon or something.

Impressive promotion by incompetence there: Read academic warning-joke paper in the published literature. Convince NIST to standardize it, and others to deploy it, likely resulting in maybe the worst intelligence self-p0wn since the cold war, become executive at Amazon.
posted by jeffburdges at 6:41 AM on August 11, 2023 [2 favorites]


It's almost as if all those thousands of security researchers who have spent years pointing out that putting backdoors in cryptographic protocols is a terrible idea were right.
posted by flabdablet at 6:59 AM on August 11, 2023 [2 favorites]


It's almost as if all those thousands of security researchers who have spent years pointing out that putting backdoors in cryptographic protocols is a terrible idea were right.

And yet it served the American intelligence community very well for many decades.
posted by clawsoon at 2:13 PM on August 11, 2023


I think there's a useful distinction to be made between backdooring cryptographic products and backdooring cryptographic protocols. The former is occasionally quite magnificently defensible. But backdooring protocols that then end up getting widespread use breaks everything everywhere all at once when knowledge of the backdoor's existence eventually leaks, as it inevitably must once it actually gets used for something.

It also means that the people who think they control the backdoor are creating a huge monitoring task for themselves to make sure nobody anywhere else is using it against them, given that it's going to show up in equipment they're not actively exploiting as appears to have been the case with those Juniper appliances.

For example, if the NSA knows that e.g. Juniper gear specifically has a backdoor, they could presumably have a quiet word to somebody in Procurements over at OPM and make sure they end up choosing some other vendor (after completion of the usual transparent, rigorous and unbiased tender evaluation process, naturally). But once a backdoored protocol has become The Standard, how are they supposed to stop any sensitive department installing anybody's new equipment? Wouldn't work.
posted by flabdablet at 11:46 PM on August 11, 2023


Appears serde_derive was shipped as a binary, but the author works for Palantir. lol
posted by jeffburdges at 1:27 PM on August 22, 2023

