asciilifeform: nor do i particularly wish to be vupen.
Apocalyptic: if you're a well known corp like Vupen there's not much risk for the buyer
asciilifeform: afaik this is actually the norm in '0day markets'
asciilifeform: then the risk is on the buyer. you could easily sell the 'whore's virginity' many times.
Apocalyptic: i somehow assumed in this case of business they pay prior to delivery
asciilifeform: or, if you deliver prior to payment, simply abscond.
copumpkin: the real one wouldn't call me that
asciilifeform: as in, they club you over the head and take the goods instead of paying
Apocalyptic: asciilifeform, what do you mean in this specific case by CP risk ?
asciilifeform: counterparty risk is about the same in either case.
Apocalyptic: russian blackmarket or gov isn't the same rate
Apocalyptic: depends who you sell to / where i guess
asciilifeform: (not to mention the counterparty risk!)
Apocalyptic: not asking you to disclose anything
Apocalyptic: was just interested if you were into this kind of thing
asciilifeform: Apocalyptic: why? you'd care to share yours here?
asciilifeform: if you want a privilege escalation 0day out of me (or the next guy) it's gonna cost you more than 10btc.
mikaeldice: In that case, there would be effectively no user who is root
mikaeldice: I'll leave your hint to this.. somewhere on the system will be an administrative user who can access the security software to disable these protections; the system won't allow you to remove the last security administrator
asciilifeform: or, probably not me, but the first fellow who plays
asciilifeform: and we're then playing with words
mikaeldice: The job of the contest is to bypass that protection
mikaeldice: I hadn't, but it'll be taken into account now :D
Apocalyptic: asciilifeform, i assume it's the standard uid=0 access
asciilifeform: so the first-comer reads back your disk blockwise
Apocalyptic: mikaeldice, so did you count on that ?
mikaeldice: I'm open to suggestions
mikaeldice: I came here to try to find the best way to prove it's not a scam, the best I could come up with is escrow
Apocalyptic: <asciilifeform> it'll be mostly a footrace though // don't be so sure :)
mikaeldice: Not a scam.. when I do actually post the competition it'll be on the forums, and with an escrow for the BTC
asciilifeform: it'll be mostly a footrace though
mikaeldice: root for 1 BTC, or if you want to break into SSH then you can get it for free
mikaeldice: standard root access, but under restrictions from the security software
asciilifeform: what are the conditions? do we get unprivileged shell access?
mikaeldice: I can throw in 1 myself, plus whatever competitors add
mikaeldice: I'd go to 10 if my company would sponsor it, but I doubt they would
Apocalyptic: they are loaded in memory at the start I believe, so if one could dump the memspace of bitcoind you have it
Apocalyptic: in the sense that with bitcoind you have another attack vector to get the privatekey
mikaeldice: No, it would protect other things, like disabling program execution of setuid programs that have been modified, and access to the administrative program to the security software
Apocalyptic: *way, is your security system preventing/monitoring the access to wallet.dat only ?
Apocalyptic: hum by the
Apocalyptic: if you really want to do this bitcoind-hotwallet related
Apocalyptic: it's the same thing
mikaeldice: true, but it lacks a certain panache.. I'd like to see a hot wallet sitting on a server with open root access for a month unmolested
Apocalyptic: it's the hotwallet problem reduced to a more convenient layout
Apocalyptic: the one with the knowledge of the hash can claim the btc price
Apocalyptic: just create a file with a randomhash and secure that
mikaeldice: I dunno, the excitement of it. I want to show that a hot wallet can be secured
Apocalyptic: it's not the actual challenge, is it ? you're trying to prove your security system
Apocalyptic: but why couple this with a running bitcoind on the server then ?
mikaeldice: and if they can do that, they can grab the whole pot. Or the whole pot could be held in escrow
mikaeldice: Maybe I could have the initial 1 BTC held in escrow, to be given to someone who can force the webapp to display their own bitcoin address
Apocalyptic: I think you don't really have a way to prove it's theirs
Apocalyptic: well mikaeldice, the bad news is the first broadcast IP can be easily spoofed
mikaeldice: Maybe the webapp can sign a message every hour or something, but I don't know if that'll include the IP address where the message was signed
mikaeldice: But to go back to the original problem, I need a way to prove that the wallet is there to begin with
mikaeldice: hmm, true
Apocalyptic: only at the end then
mikaeldice: I'd be keeping a keylogger record of everything so I can see how it's broken if it is broken. Maybe I could throw that up on the webapp for spectators
mikaeldice: or break the webapp
mikaeldice: Well, there are unlimited free tries if you want to break SSH login as well
mikaeldice: I don't have that to throw around. But I could probably start a bitbet for spectators who don't have access.
Apocalyptic: what about to say it's kinda low to be worth serious people's time
nubbins`: or offer like 1000 free tries
kakobrekla: you need liek 100 btc to get any srs traction
mikaeldice: I'm not sure.. probably 1 BTC to start with, plus whatever challengers throw in
Apocalyptic: you will have a couple of challengers then :)
mikaeldice: But yeah, it would be kernel level protection of that sort, Apocalyptic
mikaeldice: There will be conditional access allowed, or the webapp won't work
Apocalyptic: cause if you disable file access by inode to this wallet.dat file on the kernel level, there's not much we or anyone can do
kakobrekla: something unhackable this week does not mean unhackable
Apocalyptic: "try breaking past the rest of the security" // i guess figuring this out is a part of the challenge
mikaeldice: I'd even make a little webapp that interacts with bitcoind so there's another vector for attack
mikaeldice: EC2's security groupings on ports other than 80 and 22
mikaeldice: But I need a way to prove that the wallet is there
mikaeldice: Unencrypted, open SSH port, and optionally pay for a valid root login. The payment gets added to the same wallet hosted on the server
Apocalyptic: so you provide us with root access to a machine containing a wallet.dat file with the actual (pubkey,privkey) to an address holding coins
Apocalyptic: mikaeldice, would the wallet be encrypted ?
mikaeldice: lol, truffles. It'd be a test of sorts, to prove the security software out. If it can hold up to an open invitation to the bitcoin community to try to break it, then I'd say it's relatively secure
truffles: cant tell if ure trying to fix or exploit :D
mike_c: you know, i tried urbit and asked for destroyers. never got an answer.
mikaeldice: Maybe I'd throw something up on bitbet too.. that would be fun to watch
mikaeldice: People who can't get the wallet, people who think that giving away root access is too permissive and that it's impossible to block root
mikaeldice: Each time someone buys the root login, the bitcoin would be added to the wallet for a total pot.. I'd keep it after a month if nobody could break the security
mikaeldice: But I need a provable way to show that the wallet is on that machine that they're given access to, or people will yell scam
mikaeldice: Then they can login and try breaking past the rest of the security. Or they can skip the fee and break it without root's password
mikaeldice: hostname/IP.. I'd probably use linux on EC2, then have the machine run a little program that interfaces with bitcoind and gives out the password whenever someone gives it a bitcoin
nubbins`: by the os install? the hard drive? the mobo? etc
nubbins`: how are you planning to identify the machine?
mikaeldice: I want to make a bet on the strength of the security software being used on the computer, that given the root password and an unencrypted wallet, that still nobody could steal the wallet
nubbins`: you could have a thousand machines sharing an ip
mikaeldice: There's an ip address encoded into a transaction, right? Maybe I can have the machine sign a message or something
mikaeldice: I'm trying to think of a way to prove that a wallet is on a specific machine
mikaeldice: My workplace bought one for us to play with
mikaeldice: I have access to one
nubbins`: it can be two things
mike_c: i can't tell if their webpage is broken or just really bad
nubbins`: do they even internet?
nubbins`: i'm just not sure in what other context it would make sense to have a service that moves btc from one country to another
jborkl: I guess they think there is a shortage of ways to get $ into mexico