Bitcoin Warns Of State Attack In Binaries
https://bitcoin.org/en/alert/2016-08-17-binary-safety 0.13.0 Binary Safety Warning 17 August 2016 Summary Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website. In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers. Mitigation The hashes of Bitcoin Core binaries are cryptographically signed with this key. We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
On Thu, Aug 18, 2016 at 02:23:06AM -0400, grarpamp wrote:
https://bitcoin.org/en/alert/2016-08-17-binary-safety Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.
Is this a joke? What is the difference between running backdoored bitcoin client and backdoored porn viewer? Not to mention malware and OSes backdoored by default (I suspect all major OSes). If the state can own their binaries, likely it can own a lot of other binaries.
On 8/18/16, Georgi Guninski <guninski@guninski.com> wrote:
Is this a joke?
Guessing this means they think Equation Group can and wants to get to their servers. Though the Chinese thing is a harder guess, other than for some reason bitcoin.org wants to protect them, even if only because Chinese effectively are bitcoin.
At work I've seen a Bitcoin miner trojan (it's a Windows nullsoft exe masked as a .scr file wrapped up in a file called info.zip) trying to propagate itself through the couple of ftp servers we have open to the world, one of which has a few places that the anonymous guest user can dump (but not list or download) files.... All the attacks have come within the past two weeks from IP addresses all over India.... I don't have the sha256 at hand to send the virustotal link but it's this fucker: https://brica.de/alerts/alert/public/1004599/obfuscated-bitcoin-miner-propag... Luckily no users have been infected :). (AFAICT && I fucking hope & pray) John On August 18, 2016 2:23:06 AM EDT, grarpamp <grarpamp@gmail.com> wrote:
https://bitcoin.org/en/alert/2016-08-17-binary-safety 0.13.0 Binary Safety Warning 17 August 2016 Summary
Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.
In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers. Mitigation
The hashes of Bitcoin Core binaries are cryptographically signed with this key.
We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (3)
-
Georgi Guninski
-
grarpamp
-
John