Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from <andreas@antonopoulos.com>) id 1V8al3-0002c9-5j for bitcoin-development@lists.sourceforge.net; Sun, 11 Aug 2013 18:52:53 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of antonopoulos.com designates 209.85.214.173 as permitted sender) client-ip=209.85.214.173; envelope-from=andreas@antonopoulos.com; helo=mail-ob0-f173.google.com; Received: from mail-ob0-f173.google.com ([209.85.214.173]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1V8al1-0004Cy-Lu for bitcoin-development@lists.sourceforge.net; Sun, 11 Aug 2013 18:52:53 +0000 Received: by mail-ob0-f173.google.com with SMTP id ta17so8211758obb.18 for <bitcoin-development@lists.sourceforge.net>; Sun, 11 Aug 2013 11:52:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=B1oHWCch7NuncnwTxbQ4FmvXYgq5ALbP76K3pL7G8Ek=; b=K7Kusb0VLA3UsriobIkeIOe1BzYE3nHrCV23ppGfeo9sXO1tl0SrLNRGzmKQ1KPI+w NNw9sqyw++dopsBEGQkVy+jCFAUp1z5KH+l+iO06/C9j1hh9X9o95q+VP6/E5s2ihBF1 WJMOnQvk50jUjtmhYe8tJIQbAg5Rx3z/barjOL8nYoiRGLUdNG6hQb8tqdO9RHVo+EaA xOP5CxexEUAxZCG72LKYHkahxNRmzjEn74ezMQsXChDijpEm7ZQNBLzC6etfiss29E41 klrdvMn4PjXKC5cBmm49qG8VBNvGC8F5vtV7t2RQydHEtjLMl6oYpDRF6zQOPfLeXSoM l9hQ== X-Gm-Message-State: ALoCoQnVh3g6bdX/ErlPaqIw+vy2Y86al1gUZENRSwxwW5BOK6E7lHfROi2prPsJ76mf1mn2XrjZ MIME-Version: 1.0 X-Received: by 10.182.118.129 with SMTP id km1mr8130891obb.15.1376245289028; Sun, 11 Aug 2013 11:21:29 -0700 (PDT) Sender: andreas@antonopoulos.com Received: by 10.182.72.136 with HTTP; Sun, 11 Aug 2013 11:21:28 -0700 (PDT) In-Reply-To: <5207BB9D.3090701@plan99.net> References: <5207BB9D.3090701@plan99.net> Date: Sun, 11 Aug 2013 11:21:28 -0700 X-Google-Sender-Auth: ZYS5MPSChmRA94PJlTPZJphfvGM Message-ID: <CAFmyj8yTCFQVBisW3sfCF_yGYhLBccXV8GX8hxseB5KAxAo71w@mail.gmail.com> From: "Andreas M. Antonopoulos" <andreas@rooteleven.com> To: mike@plan99.net Content-Type: multipart/alternative; boundary=089e0116141e93a1a804e3b01358 X-Spam-Score: -0.4 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid X-Headers-End: 1V8al1-0004Cy-Lu Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net> Subject: Re: [Bitcoin-development] Android key rotation X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: <bitcoin-development.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> List-Post: <mailto:bitcoin-development@lists.sourceforge.net> List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> X-List-Received-Date: Sun, 11 Aug 2013 18:52:53 -0000 --089e0116141e93a1a804e3b01358 Content-Type: text/plain; charset=ISO-8859-1 Who would be the best person to interview who could explain this issue and workaround/resolution? I'd like to get an audio segment for the Let's Talk Bitcoin show ASAP, as this will be a big concern for many users who will not know what to do or be able to understand the problem. Any volunteers for a 15 min audio interview in the next 2 days? On Sun, Aug 11, 2013 at 9:28 AM, Mike Hearn <mike@plan99.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hello, > > I hope you are having a pleasant weekend. A few days ago we learned > that the Android implementation of the Java SecureRandom class > contains multiple severe vulnerabilities. As a result all private keys > generated on Android phones/tablets are weak and some signatures have > been observed to have colliding R values, allowing the private key to > be solved and money to be stolen. > > The public security alert is here: > > http://bitcoin.org/en/alert/2013-08-11-android > > I will shortly post in the bitcointalk forums as well. > > An update for the Bitcoin Wallet app has been prepared that bypasses > the system SecureRandom implementation and reads directly from > /dev/urandom instead, which is believed to be functioning correctly. > All unspent outputs in the wallet are then respent to this new key. > > The process is automatic and does not involve user intervention. > Andreas can control the process via a percentage throttle, which we > will use to slow things down if the memory pool load gets too high. > > A fixed APK is available here: > > > https://code.google.com/p/bitcoin-wallet/downloads/detail?name=bitcoin-wallet-3.15-beta.apk&can=2&q= > > Andreas plans to release this to beta either today or tomorrow. Once > some reasonable population of users has completed testing the > automated re-keying process, it will be released via the Play Store. > All users will get a notification informing them of the new version > and some will be upgraded automatically. > > Other wallet maintainers have also been notified and are working on > similar updates. > > thanks > - -mike > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.20 (Darwin) > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9 > QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES > 7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x > YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+ > /ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw > FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU= > =bZtl > -----END PGP SIGNATURE----- > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite! > It's a free troubleshooting tool designed for production. > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > --089e0116141e93a1a804e3b01358 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div><div>Who would be the best person to interview who co= uld explain this issue and workaround/resolution?<br><br></div>I'd like= to get an audio segment for the Let's Talk Bitcoin show ASAP, as this = will be a big concern for many users who will not know what to do or be abl= e to understand the problem.<br> <br></div>Any volunteers for a 15 min audio interview in the next 2 days?<b= r></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Su= n, Aug 11, 2013 at 9:28 AM, Mike Hearn <span dir=3D"ltr"><<a href=3D"mai= lto:mike@plan99.net" target=3D"_blank">mike@plan99.net</a>></span> wrote= :<br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br> Hash: SHA512<br> <br> Hello,<br> <br> I hope you are having a pleasant weekend. A few days ago we learned<br> that the Android implementation of the Java SecureRandom class<br> contains multiple severe vulnerabilities. As a result all private keys<br> generated on Android phones/tablets are weak and some signatures have<br> been observed to have colliding R values, allowing the private key to<br> be solved and money to be stolen.<br> <br> The public security alert is here:<br> <br> <a href=3D"http://bitcoin.org/en/alert/2013-08-11-android" target=3D"_blank= ">http://bitcoin.org/en/alert/2013-08-11-android</a><br> <br> I will shortly post in the bitcointalk forums as well.<br> <br> An update for the Bitcoin Wallet app has been prepared that bypasses<br> the system SecureRandom implementation and reads directly from<br> /dev/urandom instead, which is believed to be functioning correctly.<br> All unspent outputs in the wallet are then respent to this new key.<br> <br> The process is automatic and does not involve user intervention.<br> Andreas can control the process via a percentage throttle, which we<br> will use to slow things down if the memory pool load gets too high.<br> <br> A fixed APK is available here:<br> <br> <a href=3D"https://code.google.com/p/bitcoin-wallet/downloads/detail?name= =3Dbitcoin-wallet-3.15-beta.apk&can=3D2&q=3D" target=3D"_blank">htt= ps://code.google.com/p/bitcoin-wallet/downloads/detail?name=3Dbitcoin-walle= t-3.15-beta.apk&can=3D2&q=3D</a><br> <br> Andreas plans to release this to beta either today or tomorrow. Once<br> some reasonable population of users has completed testing the<br> automated re-keying process, it will be released via the Play Store.<br> All users will get a notification informing them of the new version<br> and some will be upgraded automatically.<br> <br> Other wallet maintainers have also been notified and are working on<br> similar updates.<br> <br> thanks<br> - -mike<br> -----BEGIN PGP SIGNATURE-----<br> Version: GnuPG/MacGPG2 v2.0.20 (Darwin)<br> Comment: GPGTools - <a href=3D"http://gpgtools.org" target=3D"_blank">http:= //gpgtools.org</a><br> Comment: Using GnuPG with Thunderbird - <a href=3D"http://www.enigmail.net/= " target=3D"_blank">http://www.enigmail.net/</a><br> <br> iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9<br> QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES<br> 7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x<br> YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+<br> /ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw<br> FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU=3D<br> =3DbZtl<br> -----END PGP SIGNATURE-----<br> <br> ---------------------------------------------------------------------------= ---<br> Get 100% visibility into Java/.NET code with AppDynamics Lite!<br> It's a free troubleshooting tool designed for production.<br> Get down to code-level detail for bottlenecks, with <2% overhead.<br> Download for free and get started troubleshooting in minutes.<br> <a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D48897031&iu= =3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam= pad/clk?id=3D48897031&iu=3D/4140/ostg.clktrk</a><br> _______________________________________________<br> Bitcoin-development mailing list<br> <a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo= pment@lists.sourceforge.net</a><br> <a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development= " target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment</a><br> </blockquote></div><br></div> --089e0116141e93a1a804e3b01358--