Date: Wed, 15 May 2013 14:41:09 +0200
Message-ID: <CAKaEYh+7uXvipQL6Qn1_t44H97Y18ywvk6brr_Wv3u-C5qef-A@mail.gmail.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
To: Peter Todd <pete@petertodd.org>
Cc: Bitcoin-Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] 2BTC reward for making probabalistic
double-spending via conflicting transactions easy
On 15 May 2013 13:38, Peter Todd <pete@petertodd.org> wrote:
> Now that I have the replace-by-fee reward, I might as well spread the
> wealth a bit.
>
>
> So for all this discussion about replace-by-fee and the supposed
> security of zero-conf transactions, no-one seems to think much about how
> in practice very few vendors have a setup to detect if conflicting
> transactions were broadcast on the network simultaneously - after all if
> that is the case which transaction gets mined is up to chance, so much
> of the time you'll get away with a double spend. We don't yet have a
> mechanism to propagate double-spend warnings, and funny enough, in the
> case of a single txin transaction the double-spend warning is also
> enough information to allow miners to implement replace-by-fee.
>
>
> So I'm offering 2BTC for anyone who comes up with a nice and easy to use
> command line tool that lets you automagically create one version of the
> transaction sending the coins to the desired recipient, and another
> version sending all the coins back to you, both with the same
> transaction inputs. In addition to creating the two versions, you need
> to find a way to broadcast them both simultaneously to different nodes
> on the network. One clever approach might be to use blockchain.info's
> raw transaction POST API, and your local Bitcoin node.
>
> If you happen to be at the conference, a cool demo would be to
> demonstrate the attack against my Android wallet. I'll buy Bitcoins off
> of you at Mt. Gox rates + %10, and you can see if you can rip me off.
> Yes, you can keep the loot. :) This should be videotaped so we can put
> an educational video on youtube after.
>
Isn't it potentially inviting trouble by encouraging people to insert double
spends into the block chain?
Sure, zero conf isn't 100% safe, we all know that.
But neither is the postal service. Doesn't mean we should be going around
promoting the creation of tools to go into people's mailboxes and open
their letters!
>
> --
> 'peter'[:-1]@petertodd.org
> 00000000000000bafd0a55f013e058cc2a672ee0c66b9265a02390d80e4748f5
>
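The gap the quoted message points at (few vendors check whether a conflicting transaction spending the same inputs was broadcast) can be closed on the receiving side by indexing every unconfirmed transaction by the outpoints it spends. The sketch below is an added example, not part of the original thread; the `ConflictMonitor` class, the hold-time policy, the peer names and all txids are constructed for illustration, and a real deployment would feed it from connections to many peers.

```python
from dataclasses import dataclass, field

@dataclass
class ConflictMonitor:
    """Indexes unconfirmed transactions by the outpoints they spend and
    flags any two transactions that spend the same outpoint."""
    spent_by: dict = field(default_factory=dict)    # outpoint -> first txid seen
    first_seen: dict = field(default_factory=dict)  # txid -> time first observed
    conflicts: dict = field(default_factory=dict)   # txid -> conflicting txids

    def observe(self, tx, seen_at):
        """Record a relayed transaction; return earlier txids it conflicts with."""
        txid = tx["txid"]
        self.first_seen.setdefault(txid, seen_at)
        clashes = set()
        for outpoint in tx["inputs"]:               # outpoint = (prev_txid, vout)
            first = self.spent_by.setdefault(outpoint, txid)
            if first != txid:
                clashes.add(first)
        for other in clashes:                       # mark both sides of the conflict
            self.conflicts.setdefault(other, set()).add(txid)
            self.conflicts.setdefault(txid, set()).add(other)
        return clashes

    def accept_zero_conf(self, txid, now, hold_seconds):
        """Policy (an assumption of this example): accept an unconfirmed payment
        only after watching it for hold_seconds with no conflict seen."""
        if txid not in self.first_seen or txid in self.conflicts:
            return False
        return now - self.first_seen[txid] >= hold_seconds

# Constructed feed: (seconds, peer, transaction). "bb.." reuses the input of "aa..".
FEED = [
    (0.0, "peer-1", {"txid": "aa" * 32, "inputs": [("f0" * 32, 0)]}),
    (0.4, "peer-2", {"txid": "cc" * 32, "inputs": [("f1" * 32, 1)]}),
    (0.9, "peer-3", {"txid": "bb" * 32, "inputs": [("f0" * 32, 0)]}),
]

def run_feed(feed):
    """Replay the feed; return the monitor and (peer, new txid, earlier txid) alerts."""
    monitor, alerts = ConflictMonitor(), []
    for seen_at, peer, tx in feed:
        for earlier in monitor.observe(tx, seen_at):
            alerts.append((peer, tx["txid"], earlier))
    return monitor, alerts

if __name__ == "__main__":
    for peer, txid, earlier in run_feed(FEED)[1]:
        print(f"conflict via {peer}: {txid[:8]} spends an input of {earlier[:8]}")
```

The monitor only sees conflicts that reach one of its peers, so the breadth of peer connections and the length of the hold window determine how much residual zero-conf risk remains.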