38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
-
Not Synced1
00:00:00,000 --> 00:00:01,800
[Transcribed by Pekka P] -
Not Synced2
00:00:01,800 --> 00:00:03,243
(KYBS2004 course assignment at JYU.FI) -
Not Synced3
00:00:03,243 --> 00:00:14,693
♪ (38C3 intro music) ♪ -
Not Synced4
00:00:15,095 --> 00:00:16,225
*clap* -
Not Synced5
00:00:16,600 --> 00:00:17,800
Hey everyone, -
Not Synced6
00:00:17,800 --> 00:00:19,300
it's an honor to be here, -
Not Synced7
00:00:19,300 --> 00:00:21,200
and it's great to see so many familiar faces -
Not Synced8
00:00:21,200 --> 00:00:23,640
and so many new faces. -
Not Synced9
00:00:24,140 --> 00:00:26,500
I know it's 11 a.m. on the last day, -
Not Synced10
00:00:26,500 --> 00:00:29,080
so I'm impressed to see so many people here. -
Not Synced11
00:00:30,000 --> 00:00:32,820
And welcome to the chaos of everything. -
Not Synced12
00:00:33,820 --> 00:00:34,560
I'm John Nolte. -
Not Synced13
00:00:34,780 --> 00:00:35,820
I'll be speaking today. -
Not Synced14
00:00:36,860 --> 00:00:38,500
Someone who's not on stage -
Not Synced15
00:00:38,500 --> 00:00:40,800
but is in each and every slide here -
Not Synced16
00:00:40,800 --> 00:00:42,280
is Christian, the lead researcher -
Not Synced17
00:00:42,280 --> 00:00:44,620
for the MilkSAD team. -
Not Synced18
00:00:45,320 --> 00:00:47,800
I'm going to be talking about the story of MilkSAD, -
Not Synced19
00:00:47,800 --> 00:00:51,200
the story of researching cryptocurrency wallet theft -
Not Synced20
00:00:51,200 --> 00:00:53,000
in 2023, -
Not Synced21
00:00:53,000 --> 00:00:55,980
and very happy to do so. -
Not Synced22
00:00:56,620 --> 00:00:58,000
Very honored to be here. -
Not Synced23
00:01:00,000 --> 00:01:01,580
There's a whole team of people. -
Not Synced24
00:01:02,520 --> 00:01:03,660
Here's some of their names. -
Not Synced25
00:01:04,420 --> 00:01:05,580
You see them as names. -
Not Synced26
00:01:05,660 --> 00:01:07,500
I see them as friends, as trusted colleagues, -
Not Synced27
00:01:07,500 --> 00:01:09,000
ex-coworkers, -
Not Synced28
00:01:09,000 --> 00:01:10,800
random people I've never met -
Not Synced29
00:01:10,800 --> 00:01:11,580
on the internet. -
Not Synced30
00:01:12,940 --> 00:01:15,500
The only thing we had in common for the most part -
Not Synced31
00:01:15,500 --> 00:01:18,000
was we were all in the same Matrix channel -
Not Synced32
00:01:18,000 --> 00:01:19,800
diving into a problem. -
Not Synced33
00:01:19,800 --> 00:01:23,960
Listeners, beware. -
Not Synced34
00:01:24,620 --> 00:01:26,500
I might not be 100% factual -
Not Synced35
00:01:26,500 --> 00:01:27,800
with everything I say. -
Not Synced36
00:01:28,600 --> 00:01:30,500
I am excited to be here, -
Not Synced37
00:01:30,500 --> 00:01:32,840
a little nervous to be here. -
Not Synced38
00:01:33,500 --> 00:01:36,180
And there's a lot of information to go over. -
Not Synced39
00:01:36,180 --> 00:01:38,500
So, it's too much for a 30-minute talk, -
Not Synced40
00:01:38,500 --> 00:01:41,440
too much for a 45-minute talk. -
Not Synced41
00:01:42,160 --> 00:01:45,140
And there's just a lot of research that the team did. -
Not Synced42
00:01:45,700 --> 00:01:48,640
It's well represented at MilkSAD.info. -
Not Synced43
00:01:48,900 --> 00:01:51,000
You can see the talk notes, -
Not Synced44
00:01:51,000 --> 00:01:52,140
slash 38C3. -
Not Synced45
00:01:52,700 --> 00:01:54,200
You can scan this QR code. -
Not Synced46
00:01:54,880 --> 00:01:55,700
Trust me, it's safe. -
Not Synced47
00:01:56,700 --> 00:01:57,540
I hope. -
Not Synced48
00:01:59,700 --> 00:02:00,260
Yeah. -
Not Synced49
00:02:00,500 --> 00:02:01,680
And let's go over this talk. -
Not Synced50
00:02:02,660 --> 00:02:06,520
We're going to get a little intro to cryptocurrency wallets. -
Not Synced51
00:02:07,240 --> 00:02:08,880
Who here has ever heard of cryptocurrency? -
Not Synced52
00:02:11,160 --> 00:02:11,720
Okay. -
Not Synced53
00:02:11,800 --> 00:02:14,500
There's people that drank their yerba mates -
Not Synced54
00:02:14,500 --> 00:02:16,220
and their coffee today. -
Not Synced55
00:02:16,300 --> 00:02:17,820
It's nice to see some reactions. -
Not Synced56
00:02:18,680 --> 00:02:20,500
We're going to talk about a theft -
Not Synced57
00:02:20,500 --> 00:02:22,800
that happened about a year and a half ago -
Not Synced58
00:02:22,800 --> 00:02:24,040
in July of 2023. -
Not Synced59
00:02:24,040 --> 00:02:26,500
Then some of the additional work we did -
Not Synced60
00:02:26,500 --> 00:02:29,000
and a lot of the ethical dilemmas and conflict -
Not Synced61
00:02:29,000 --> 00:02:32,460
inside and outside of the team. -
Not Synced62
00:02:33,620 --> 00:02:36,040
How many here are security researchers? -
Not Synced63
00:02:36,600 --> 00:02:39,060
I'd like to know a little bit about the audience I'm addressing. -
Not Synced64
00:02:40,040 --> 00:02:40,240
Okay. -
Not Synced65
00:02:40,320 --> 00:02:40,980
So, there's a few. -
Not Synced66
00:02:41,700 --> 00:02:44,500
So, there might be people who haven't been exposed -
Not Synced67
00:02:44,500 --> 00:02:47,000
to discovering vulnerabilities in the wild -
Not Synced68
00:02:47,000 --> 00:02:49,200
and all the things that can happen there. -
Not Synced69
00:02:49,460 --> 00:02:50,660
So, I'll make sure to cover that. -
Not Synced70
00:02:50,660 --> 00:02:53,500
And then we'll also just talk about the story -
Not Synced71
00:02:53,500 --> 00:02:56,000
of people losing money on the internet -
Not Synced72
00:02:56,000 --> 00:02:58,000
with magic internet money -
Not Synced73
00:02:58,000 --> 00:03:00,500
and maybe ways to defend -
Not Synced74
00:03:00,500 --> 00:03:02,680
against that type of thing. -
Not Synced75
00:03:04,420 --> 00:03:05,800
So, to start, -
Not Synced76
00:03:05,800 --> 00:03:08,140
let's talk about cryptocurrency wallets. -
Not Synced77
00:03:08,840 --> 00:03:09,020
Okay. -
Not Synced78
00:03:09,080 --> 00:03:09,540
Another question. -
Not Synced79
00:03:09,660 --> 00:03:11,960
Who here has ever used a cryptocurrency wallet? -
Not Synced80
00:03:11,960 --> 00:03:14,300
I feel so sorry for you. -
Not Synced81
00:03:14,400 --> 00:03:16,000
It's so hard -
Not Synced82
00:03:16,000 --> 00:03:18,720
and there's just a lot of stuff that happens when you set up a wallet. -
Not Synced83
00:03:19,120 --> 00:03:21,320
A lot of things aren't well explained. -
Not Synced84
00:03:21,500 --> 00:03:23,500
You just kind of go, -
Not Synced85
00:03:23,500 --> 00:03:25,240
you install your app or run your software. -
Not Synced86
00:03:25,600 --> 00:03:28,000
You get sometimes 12 magic words -
Not Synced87
00:03:28,000 --> 00:03:30,980
or 24 magic words and you put them in your pocket. -
Not Synced88
00:03:31,500 --> 00:03:33,500
You, you know, take a picture -
Not Synced89
00:03:33,500 --> 00:03:35,980
and put that up on your cloud storage. -
Not Synced90
00:03:35,980 --> 00:03:39,000
You know, really no one walks you through -
Not Synced91
00:03:39,000 --> 00:03:42,000
what a safe way to do cryptocurrency wallet stuff, -
Not Synced92
00:03:42,000 --> 00:03:43,340
you know. -
Not Synced93
00:03:43,480 --> 00:03:45,040
So, it can be really confusing. -
Not Synced94
00:03:45,420 --> 00:03:47,500
At the end of the day, what happens -
Not Synced95
00:03:47,500 --> 00:03:49,780
is you're trying to capture some type of entropy. -
Not Synced96
00:03:50,260 --> 00:03:52,680
You're trying to generate some type of random seed. -
Not Synced97
00:03:52,860 --> 00:03:55,000
And from that seed, derive a bunch -
Not Synced98
00:03:55,000 --> 00:03:56,840
of private keys and public keys. -
Not Synced99
00:03:56,840 --> 00:04:02,700
A lot of cryptographic operations in cryptocurrencies are based on asymmetric cryptography. -
Not Synced100
00:04:03,380 --> 00:04:04,840
So, there's a public-private key pair. -
Not Synced101
00:04:05,480 --> 00:04:07,520
Your public key, you can share to the world. -
Not Synced102
00:04:07,840 --> 00:04:10,540
They can identify you by that key. -
Not Synced103
00:04:10,820 --> 00:04:12,360
So, you know, be warned. -
Not Synced104
00:04:12,600 --> 00:04:15,000
It is a tool to track that particular address, -
Not Synced105
00:04:15,000 --> 00:04:17,520
that particular identity. -
Not Synced106
00:04:18,280 --> 00:04:19,420
And then there's a private part. -
Not Synced107
00:04:19,880 --> 00:04:21,640
And it really is like a private part. -
Not Synced108
00:04:21,760 --> 00:04:23,480
Like, you don't really want to show that everywhere. -
Not Synced109
00:04:23,480 --> 00:04:28,160
So, you know, there's these public-private keys. -
Not Synced110
00:04:28,440 --> 00:04:32,000
And long ago, people were just generating single keys -
Not Synced111
00:04:32,000 --> 00:04:34,480
and storing them, backing them up. -
Not Synced112
00:04:36,060 --> 00:04:37,460
And it was quite a hassle. -
Not Synced113
00:04:38,240 --> 00:04:41,500
So, the Bitcoin folks and community -
Not Synced114
00:04:41,500 --> 00:04:44,000
came up with this improvement proposal, BIP39, -
Not Synced115
00:04:44,000 --> 00:04:46,340
where they're like, -
Not Synced116
00:04:46,340 --> 00:04:49,000
why don't we keep this little seed, -
Not Synced117
00:04:49,000 --> 00:04:52,000
this magic little seed of entropy into words, -
Not Synced118
00:04:52,000 --> 00:04:54,000
you know, mnemonics, -
Not Synced119
00:04:54,000 --> 00:04:56,300
mnemonic seed phrases. -
Not Synced120
00:04:56,820 --> 00:05:00,000
It's a lot easier to remember 12 words or 24 words -
Not Synced121
00:05:00,000 --> 00:05:04,500
than it is to remember a bunch of random characters -
Not Synced122
00:05:04,500 --> 00:05:07,760
that are maybe base 58 or base 64 encoded. -
Not Synced123
00:05:07,760 --> 00:05:11,500
And so, BIP39 was a way to make things a little bit more human-readable -
Not Synced124
00:05:11,500 --> 00:05:13,800
to keep a secret safe. -
Not Synced125
00:05:14,400 --> 00:05:17,700
And from that secret, you could derive a bunch of private keys. -
Not Synced126
00:05:18,500 --> 00:05:22,000
And BIP32 is the Bitcoin improvement proposal, number 32, -
Not Synced127
00:05:22,000 --> 00:05:25,380
to have hierarchical deterministic wallets. -
Not Synced128
00:05:25,380 --> 00:05:28,500
So, from an initial seed, you can derive -
Not Synced129
00:05:28,500 --> 00:05:33,420
a large number of public-private key pairs. -
Not Synced130
00:05:34,080 --> 00:05:36,020
And you can use those for all kinds of things. -
Not Synced131
00:05:36,520 --> 00:05:40,000
If I have a wallet, I might want to receive money -
Not Synced132
00:05:40,000 --> 00:05:42,880
with one address and send money with another. -
Not Synced133
00:05:43,560 --> 00:05:46,260
I sometimes don't want to reuse my address. -
Not Synced134
00:05:46,260 --> 00:05:50,000
And there's a number of reasons of why I might not want to do that, -
Not Synced135
00:05:50,000 --> 00:05:52,500
one being privacy, another being security -
Not Synced136
00:05:52,500 --> 00:05:56,080
and some elements of cryptography with nonce reuse and whatnot. -
Not Synced137
00:05:56,360 --> 00:05:59,500
But at the end of the day, the moral is, -
Not Synced138
00:05:59,500 --> 00:06:03,020
with a simple seed, you can have a large number of private keys. -
Not Synced139
00:06:03,680 --> 00:06:06,740
And that composed together is a cryptocurrency wallet. -
Not Synced140
00:06:07,480 --> 00:06:09,460
There's software to help you do this. -
Not Synced141
00:06:09,600 --> 00:06:10,840
And some of it is good. -
Not Synced142
00:06:11,020 --> 00:06:12,580
Some of it is bad. -
Not Synced143
00:06:12,580 --> 00:06:17,760
But today, I think most of it is just awkward for the regular user. -
Not Synced144
00:06:19,460 --> 00:06:22,000
Another thing to note is, -
Not Synced145
00:06:22,000 --> 00:06:24,060
in order to do this, you need randomness. -
Not Synced146
00:06:24,300 --> 00:06:25,980
You need chaos from the universe. -
Not Synced147
00:06:26,300 --> 00:06:29,000
You need to acquire that chaos somehow -
Not Synced148
00:06:29,000 --> 00:06:31,500
and put it in your little bits and bytes -
Not Synced149
00:06:31,500 --> 00:06:34,420
and package it in a safe, secure way. -
Not Synced150
00:06:35,580 --> 00:06:38,460
And so, you know, cryptography needs this as a core primitive. -
Not Synced151
00:06:38,460 --> 00:06:41,500
And if you don't have good randomness, -
Not Synced152
00:06:41,500 --> 00:06:44,680
terrible things will happen, not to be too foreboding. -
Not Synced153
00:06:46,060 --> 00:06:49,400
The problem is, computers are really bad at generating good randomness. -
Not Synced154
00:06:49,740 --> 00:06:51,660
They're really great at following instructions. -
Not Synced155
00:06:52,260 --> 00:06:53,900
They're really bad at doing random things. -
Not Synced156
00:06:53,980 --> 00:06:55,040
They like to do what they're told. -
Not Synced157
00:06:55,360 --> 00:06:58,620
You know, I don't know about new age quantum cryptography -
Not Synced158
00:06:58,620 --> 00:07:02,480
or computers or whatnot. But, like, the computers I've been working with are pretty random. -
Not Synced159
00:07:02,960 --> 00:07:03,900
Or not pretty random. -
Not Synced160
00:07:04,020 --> 00:07:05,160
They're pretty just regular. -
Not Synced161
00:07:05,500 --> 00:07:07,480
They do what you tell them, and that's what they do. -
Not Synced162
00:07:08,560 --> 00:07:14,260
So there's a lot of reasons why you need randomness in your compute. -
Not Synced163
00:07:14,460 --> 00:07:17,000
If you're making video games, -
Not Synced164
00:07:17,000 --> 00:07:19,300
you want your characters to maybe start in random places. -
Not Synced165
00:07:19,300 --> 00:07:22,500
If you're making API keys, maybe you want to, -
Not Synced166
00:07:22,500 --> 00:07:25,900
you know, you don't want them to be predictable. -
Not Synced167
00:07:26,600 --> 00:07:29,800
And so you need to have a good way to get random numbers. -
Not Synced168
00:07:30,620 --> 00:07:34,000
There's good ways, and there's easy ways, -
Not Synced169
00:07:34,000 --> 00:07:37,120
and there's these cryptographically secure ways to get random numbers. -
Not Synced170
00:07:37,740 --> 00:07:38,860
They're used for different purposes. -
Not Synced171
00:07:39,160 --> 00:07:42,960
Some are lightweight, fast, and don't require a lot of compute resources. -
Not Synced172
00:07:42,960 --> 00:07:46,000
Others may take up more resources -
Not Synced173
00:07:46,000 --> 00:07:49,500
but give you outputs that are not predictable -
Not Synced174
00:07:49,500 --> 00:07:52,780
and don't reveal any of the inputs. -
Not Synced175
00:07:53,020 --> 00:07:57,000
And so cryptographically secure PRNGs, -
Not Synced176
00:07:57,000 --> 00:08:04,380
the pseudo-random number generators, are kind of the ideal in a lot of situations when you're dealing with generating keys for wallets. -
Not Synced177
00:08:06,240 --> 00:08:07,680
So that's randomness. -
Not Synced178
00:08:07,680 --> 00:08:11,500
And another thing to note is this is a talk about cryptocurrency, -
Not Synced179
00:08:11,500 --> 00:08:17,240
but people use BIP39 mnemonic seed phrases to back up all kinds of things. -
Not Synced180
00:08:17,860 --> 00:08:19,760
I don't know who here has heard of PGP. -
Not Synced181
00:08:21,240 --> 00:08:23,000
Yeah, nice, nice, nice, nice. -
Not Synced182
00:08:23,140 --> 00:08:25,880
So other places that would be like, what's that? -
Not Synced183
00:08:26,060 --> 00:08:26,980
Well, it's pretty good privacy. -
Not Synced184
00:08:27,440 --> 00:08:31,000
But there's ways to have, like, a 24-word mnemonic seed phrase -
Not Synced185
00:08:31,000 --> 00:08:34,260
be used to derive PGP keys, which is pretty cool. -
Not Synced186
00:08:34,260 --> 00:08:37,660
But anyways, the point there is, like, it's not just cryptocurrency. -
Not Synced187
00:08:39,300 --> 00:08:40,480
Let's talk about the theft. -
Not Synced188
00:08:40,840 --> 00:08:43,500
So I've never seen a bank get robbed -
Not Synced189
00:08:43,500 --> 00:08:45,460
except in Hollywood movies. -
Not Synced190
00:08:46,620 --> 00:08:49,540
And, oh, the slides aren't showing. -
Not Synced191
00:08:51,360 --> 00:08:52,800
Did they just stop showing -
Not Synced192
00:08:52,800 --> 00:08:53,740
or have they not been showing? -
Not Synced193
00:08:54,500 --> 00:08:57,500
Okay, I'll do the good old plug it. -
Not Synced194
00:08:58,420 --> 00:08:58,860
Okay. -
Not Synced195
00:08:59,840 --> 00:09:01,340
Thanks for the call out. -
Not Synced196
00:09:02,140 --> 00:09:03,140
So anyways, a theft. -
Not Synced197
00:09:03,580 --> 00:09:04,540
Who's ever seen a robbery? -
Not Synced198
00:09:05,720 --> 00:09:06,520
I haven't. -
Not Synced199
00:09:06,640 --> 00:09:07,680
I hope you never have to. -
Not Synced200
00:09:08,280 --> 00:09:10,220
But on Reddit, it kind of looks like this. -
Not Synced201
00:09:10,960 --> 00:09:12,760
You just see someone, hey, my money's gone. -
Not Synced202
00:09:13,280 --> 00:09:15,280
I think a bunch of other people's money's gone. -
Not Synced203
00:09:15,680 --> 00:09:16,340
What happened? -
Not Synced204
00:09:17,920 --> 00:09:20,700
And that's not where our journey started. -
Not Synced205
00:09:20,700 --> 00:09:24,000
My journey started when I got a message from a friend -
Not Synced206
00:09:24,000 --> 00:09:27,920
saying, hey, do you still have your Bitcoin? -
Not Synced207
00:09:28,380 --> 00:09:29,320
I was like, what? -
Not Synced208
00:09:30,460 --> 00:09:31,080
I don't know. -
Not Synced209
00:09:31,140 --> 00:09:31,720
Let me go check. -
Not Synced210
00:09:31,840 --> 00:09:34,000
So I have to go swim into my underwater cave, -
Not Synced211
00:09:34,000 --> 00:09:37,160
feed the alligators, pop up, open the vault. -
Not Synced212
00:09:38,200 --> 00:09:39,080
Yeah, it's still there. -
Not Synced213
00:09:39,520 --> 00:09:40,480
Actually, it's not that hard. -
Not Synced214
00:09:40,620 --> 00:09:42,740
You can just, if you know your addresses, you can just look. -
Not Synced215
00:09:42,740 --> 00:09:46,780
But, yeah, my Bitcoin was there. -
Not Synced216
00:09:47,020 --> 00:09:49,500
My money, you know, I don't know what money is, -
Not Synced217
00:09:49,500 --> 00:09:52,520
but I like to think of Bitcoin as money that I like to use. -
Not Synced218
00:09:53,960 --> 00:09:55,600
And I was like, dude, where's yours? -
Not Synced219
00:09:55,600 --> 00:09:59,880
And they were like, it's not there anymore. -
Not Synced220
00:10:01,840 --> 00:10:02,640
That sucks. -
Not Synced221
00:10:03,580 --> 00:10:06,600
It's not, you know, you open your wallet and a dollar bill's there today. -
Not Synced222
00:10:06,740 --> 00:10:08,740
And then tomorrow you look and it's not there. -
Not Synced223
00:10:09,000 --> 00:10:10,680
You know, paper doesn't just evaporate. -
Not Synced224
00:10:10,820 --> 00:10:13,260
Maybe it gets wet and disintegrates, but there's still remnants. -
Not Synced225
00:10:13,980 --> 00:10:16,640
People put, like, ceramic disks in that stuff, you know. -
Not Synced226
00:10:16,700 --> 00:10:19,040
And there's always a trace of where money went. -
Not Synced227
00:10:19,320 --> 00:10:20,740
And on the blockchain, it's no different. -
Not Synced228
00:10:20,740 --> 00:10:24,000
So, we saw that a bunch of money moved -
Not Synced229
00:10:24,000 --> 00:10:28,180
and was consolidated. -
Not Synced230
00:10:28,860 --> 00:10:32,680
And we knew two people in our social group. -
Not Synced231
00:10:32,880 --> 00:10:35,500
You know, I don't have a lot of friends, -
Not Synced232
00:10:35,500 --> 00:10:39,020
so this is like a large portion of my social network had been compromised. -
Not Synced233
00:10:39,580 --> 00:10:43,560
And I was curious to understand how and why. -
Not Synced234
00:10:44,100 --> 00:10:46,720
Maybe I'll never understand why, except for human greed. -
Not Synced235
00:10:46,720 --> 00:10:49,500
But the how was very interesting for me, -
Not Synced236
00:10:49,500 --> 00:10:51,500
because this is magic math, -
Not Synced237
00:10:51,500 --> 00:10:53,660
and magic math is no different than regular math. -
Not Synced238
00:10:54,140 --> 00:10:57,780
It just takes sometimes a little bit more for muggles like me to understand. -
Not Synced239
00:10:58,980 --> 00:11:02,280
So, overall, we saw 37 bitcoin move at this time. -
Not Synced240
00:11:03,440 --> 00:11:06,000
And, you know, we saw that it wasn't just two people -
Not Synced241
00:11:06,000 --> 00:11:08,480
that were in my friend's group. -
Not Synced242
00:11:08,620 --> 00:11:09,800
We saw many other people. -
Not Synced243
00:11:10,980 --> 00:11:12,680
So, a team forms, you know. -
Not Synced244
00:11:12,740 --> 00:11:13,740
And we're not like the Avengers. -
Not Synced245
00:11:13,960 --> 00:11:15,080
We don't have fancy suits. -
Not Synced246
00:11:15,080 --> 00:11:18,560
I work in a garage in my house. -
Not Synced247
00:11:18,860 --> 00:11:20,720
And other people work all over the world. -
Not Synced248
00:11:22,500 --> 00:11:25,000
The good thing is we did have people -
Not Synced249
00:11:25,000 --> 00:11:27,100
who knew how they generated their keys. -
Not Synced250
00:11:27,260 --> 00:11:28,620
They knew how they stored them. -
Not Synced251
00:11:28,780 --> 00:11:31,500
They knew the security models they were up against were... -
Not Synced252
00:11:31,920 --> 00:11:33,420
They took precautions, let's say. -
Not Synced253
00:11:33,560 --> 00:11:37,340
They weren't just downloading an app, running something on an online computer. -
Not Synced254
00:11:37,340 --> 00:11:40,500
They were very tight about the attack surface -
Not Synced255
00:11:40,500 --> 00:11:45,500
and generated keys on air-gapped machines -
Not Synced256
00:11:45,500 --> 00:11:48,500
that had never touched the light of the internet, -
Not Synced257
00:11:48,500 --> 00:11:52,300
running minimal Linux operating systems. -
Not Synced258
00:11:52,300 --> 00:11:54,960
And so, it was very curious. -
Not Synced259
00:11:56,060 --> 00:11:59,000
What we discovered in our research -
Not Synced260
00:11:59,000 --> 00:12:04,180
was the common denominator was software called LibBitcoin Explorer. -
Not Synced261
00:12:04,180 --> 00:12:07,500
And so, you know, you try and understand how your well gets poisoned -
Not Synced262
00:12:07,500 --> 00:12:09,500
and you look upstream -
Not Synced263
00:12:09,500 --> 00:12:11,940
and, you know, or downstream. -
Not Synced264
00:12:12,240 --> 00:12:14,800
We stand upon the shoulders of giants -
Not Synced265
00:12:14,800 --> 00:12:17,420
and sometimes those giants just rot and die. -
Not Synced266
00:12:17,420 --> 00:12:21,000
And in this case, we discovered some rot -
Not Synced267
00:12:21,000 --> 00:12:26,420
and we decided to take a closer look at this software. -
Not Synced268
00:12:28,420 --> 00:12:30,800
Now, LibBitcoin Explorer is kind of random software. -
Not Synced269
00:12:30,800 --> 00:12:34,500
And one of the questions some people were asking is, like, -
Not Synced270
00:12:34,500 --> 00:12:37,760
well, how did these people even start using this software? -
Not Synced271
00:12:39,060 --> 00:12:41,640
Well, they tried to do things by the book, literally. -
Not Synced272
00:12:42,240 --> 00:12:45,500
The problem with dead trees is they don't get updated -
Not Synced273
00:12:45,500 --> 00:12:48,180
as often as digital bits and bytes. -
Not Synced274
00:12:49,140 --> 00:12:52,280
And what's true yesterday is not always true today. -
Not Synced275
00:12:52,280 --> 00:12:56,000
So, when a book says something, generate a random seed -
Not Synced276
00:12:56,000 --> 00:12:59,500
using operating system random number generator, -
Not Synced277
00:12:59,500 --> 00:13:03,000
and your operating system is Linux, you feel like you have some guarantees -
Not Synced278
00:13:03,000 --> 00:13:06,500
with a thousand eyes, all bugs are shallow, -
Not Synced279
00:13:06,500 --> 00:13:10,840
or whatever that saying is. -
Not Synced280
00:13:11,920 --> 00:13:14,880
Unfortunately, this turned out not to be true. -
Not Synced281
00:13:14,880 --> 00:13:18,500
The bx seed command from LibBitcoin generates wallets -
Not Synced282
00:13:18,500 --> 00:13:21,000
via the Mersenne Twister, -
Not Synced283
00:13:21,000 --> 00:13:23,760
and it's not just a little dance here. -
Not Synced284
00:13:24,000 --> 00:13:26,000
We're talking, like, you know, just numbers and stuff. -
Not Synced285
00:13:26,200 --> 00:13:28,700
But numbers can dance, too, if you look at them right. -
Not Synced286
00:13:29,120 --> 00:13:29,860
Some of them wiggle. -
Not Synced287
00:13:30,080 --> 00:13:30,840
Some of them squirm. -
Not Synced288
00:13:31,620 --> 00:13:35,000
And in this case, with this variant of Mersenne Twister, -
Not Synced289
00:13:35,000 --> 00:13:38,000
this whole MT19937, -
Not Synced290
00:13:38,000 --> 00:13:40,460
I'd be curious if anyone knows what that number is. -
Not Synced291
00:13:41,460 --> 00:13:42,600
It's a prime number. -
Not Synced292
00:13:42,600 --> 00:13:44,740
2 to the 119th. -
Not Synced293
00:13:44,780 --> 00:13:48,000
Anyways, 32 bits of initial state -
Not Synced294
00:13:48,000 --> 00:13:52,620
was all that was allowed in this implementation for generating random numbers. -
Not Synced295
00:13:53,440 --> 00:13:56,000
Now, 32 bits seems like a number, -
Not Synced296
00:13:56,000 --> 00:14:01,540
but it's not a very – it doesn't allow for a lot of possibility, possible outcomes. -
Not Synced297
00:14:02,040 --> 00:14:05,000
And when we saw this, our heads kind of exploded -
Not Synced298
00:14:05,000 --> 00:14:08,500
because we were expecting 256 bits of chaos and entropy -
Not Synced299
00:14:08,500 --> 00:14:11,040
entering our little random number generator. -
Not Synced300
00:14:11,040 --> 00:14:14,000
So, to not see that was a shock, -
Not Synced301
00:14:14,000 --> 00:14:18,220
and definitely we felt like we were on the right track. -
Not Synced302
00:14:19,420 --> 00:14:22,000
And so, you know, again, these numbers, -
Not Synced303
00:14:22,000 --> 00:14:25,600
32 bits is a little over 4 billion. -
Not Synced304
00:14:25,600 --> 00:14:29,000
And 128 bits is a little over 360 – -
Not Synced305
00:14:29,000 --> 00:14:33,520
340 undecillion, I guess. -
Not Synced306
00:14:33,580 --> 00:14:34,560
It's like 10 to the 36. -
Not Synced307
00:14:34,760 --> 00:14:35,080
I don't know. -
Not Synced308
00:14:35,380 --> 00:14:36,760
Undecillion is an interesting word. -
Not Synced309
00:14:37,760 --> 00:14:40,880
In British English, it means something different. -
Not Synced310
00:14:41,880 --> 00:14:43,780
And it also – yeah, anyways, look it up. -
Not Synced311
00:14:43,840 --> 00:14:44,260
Undecillion. -
Not Synced312
00:14:44,260 --> 00:14:48,000
But, yeah, so once an attacker knows your master key, -
Not Synced313
00:14:48,000 --> 00:14:50,000
it's game over -
Not Synced314
00:14:50,000 --> 00:14:53,520
because of this whole key derivation stuff. -
Not Synced315
00:14:53,700 --> 00:14:57,000
Like, once they know the initial state of how you derived all these other keys, -
Not Synced316
00:14:57,000 --> 00:15:00,500
they can just walk down your path and check -
Not Synced317
00:15:00,500 --> 00:15:03,600
and see if there's any cherries left over. -
Not Synced318
00:15:03,680 --> 00:15:06,280
In this case, cherries are cryptocurrencies, you know, assets. -
Not Synced319
00:15:06,280 --> 00:15:10,180
And so, theft is trivial. -
Not Synced320
00:15:10,520 --> 00:15:14,140
With 32 bits, you can rent a cheap box at Hetzner. -
Not Synced321
00:15:14,360 --> 00:15:18,000
You can have a gaming computer brute force this -
Not Synced322
00:15:18,000 --> 00:15:20,420
in a matter of days, if not less. -
Not Synced323
00:15:20,420 --> 00:15:24,500
And also, it's – this is not just Bitcoin. -
Not Synced324
00:15:24,820 --> 00:15:28,000
People were using this, you know, for Ethereum, -
Not Synced325
00:15:28,000 --> 00:15:31,000
a bunch of other cryptocurrencies, -
Not Synced326
00:15:31,000 --> 00:15:33,000
and, yeah, it's – you know, maybe people were using it -
Not Synced327
00:15:33,000 --> 00:15:36,320
for PGP, too. -
Not Synced328
00:15:36,460 --> 00:15:36,880
I don't know. -
Not Synced329
00:15:37,040 --> 00:15:39,620
But, anyways, we're talking about cryptocurrency here. -
Not Synced330
00:15:41,280 --> 00:15:42,320
So, what did we do? -
Not Synced331
00:15:42,500 --> 00:15:44,820
We saw an active exploit. -
Not Synced332
00:15:44,960 --> 00:15:46,780
And by we, I mean the MilkSAD team. -
Not Synced333
00:15:47,760 --> 00:15:49,840
We saw that this was happening in the wild. -
Not Synced334
00:15:49,840 --> 00:15:53,000
We knew that this was – there was some entity -
Not Synced335
00:15:53,000 --> 00:15:55,500
that was moving money, -
Not Synced336
00:15:55,500 --> 00:15:58,000
and it wasn't the entity that was originally owning that money -
Not Synced337
00:15:58,000 --> 00:16:00,500
or owning that currency. -
Not Synced338
00:16:01,020 --> 00:16:04,000
So, with active exploits, we wanted to expedite -
Not Synced339
00:16:04,000 --> 00:16:06,500
the disclosure process and inform the public -
Not Synced340
00:16:06,500 --> 00:16:10,000
so they could have an informed decision what to do with their assets. -
Not Synced341
00:16:10,740 --> 00:16:13,220
Now, you know, it's a social norm to do 90 days. -
Not Synced342
00:16:13,440 --> 00:16:16,500
With Google Project Zero, they kind of set a standard for this -
Not Synced343
00:16:16,500 --> 00:16:18,420
for, like, seven days if you see it active in the wild. -
Not Synced344
00:16:18,420 --> 00:16:21,360
And that's what we did. -
Not Synced345
00:16:21,600 --> 00:16:22,380
We filed a CVE. -
Not Synced346
00:16:23,060 --> 00:16:24,880
We did a detailed public write-up. -
Not Synced347
00:16:25,220 --> 00:16:29,000
We reached the – you know, reached out to the maintainers of the software -
Not Synced348
00:16:29,000 --> 00:16:32,700
and told them before we were doing this to have a coordinated disclosure. -
Not Synced349
00:16:32,700 --> 00:16:35,500
They didn't see the world as we saw the world, -
Not Synced350
00:16:35,500 --> 00:16:37,620
and that's okay. -
Not Synced351
00:16:38,020 --> 00:16:40,500
But when people's money is on the line, -
Not Synced352
00:16:40,500 --> 00:16:42,500
we had to make a choice, -
Not Synced353
00:16:42,500 --> 00:16:47,360
and we decided to make the choice that made us sleep peacefully at night. -
Not Synced354
00:16:47,560 --> 00:16:49,640
We wanted to tell the people to protect them. -
Not Synced355
00:16:49,640 --> 00:16:54,280
And the name – I love the name MilkSAD. -
Not Synced356
00:16:54,700 --> 00:16:57,000
I felt very sad when I learned about this, -
Not Synced357
00:16:57,000 --> 00:16:59,380
and people didn't lose just, you know, their milk money. -
Not Synced358
00:16:59,560 --> 00:17:00,420
They lost their savings. -
Not Synced359
00:17:00,600 --> 00:17:03,500
They lost a belief in the rigidity -
Not Synced360
00:17:03,500 --> 00:17:06,060
of a cryptocurrency system. -
Not Synced361
00:17:06,060 --> 00:17:09,220
And that's a hard thing to build back. -
Not Synced362
00:17:09,220 --> 00:17:12,000
When we first discovered that the initial state -
Not Synced363
00:17:12,000 --> 00:17:14,000
was reproducible, -
Not Synced364
00:17:14,000 --> 00:17:16,500
that we could generate the same mnemonic seed phrase -
Not Synced365
00:17:16,500 --> 00:17:19,000
over and over again by setting some parameters -
Not Synced366
00:17:19,000 --> 00:17:22,000
and depending supposedly on, like, system entropy -
Not Synced367
00:17:22,000 --> 00:17:25,500
and getting the same mnemonic seed phrase, -
Not Synced368
00:17:25,500 --> 00:17:30,380
we were kind of stunned. -
Not Synced369
00:17:30,380 --> 00:17:33,000
And we realized, you know, kind of what the problem was, -
Not Synced370
00:17:33,000 --> 00:17:36,000
everything else after that was just diving into the problem, -
Not Synced371
00:17:36,000 --> 00:17:38,500
fully understanding it, -
Not Synced372
00:17:38,500 --> 00:17:40,500
fully documenting it, -
Not Synced373
00:17:40,500 --> 00:17:43,880
and preparing public disclosures for that. -
Not Synced374
00:17:45,800 --> 00:17:49,000
We also, again, like, we were curious about how the attackers did this -
Not Synced375
00:17:49,000 --> 00:17:51,500
and how big this problem was, -
Not Synced376
00:17:51,500 --> 00:17:54,500
and was it just us using this software? -
Not Synced377
00:17:57,720 --> 00:18:00,000
Or was there other software out there, -
Not Synced378
00:18:00,000 --> 00:18:02,520
cryptocurrency wallet implementations that had similar issues? -
Not Synced379
00:18:03,380 --> 00:18:06,140
Again, you don't need advanced degrees in cryptography. -
Not Synced380
00:18:06,420 --> 00:18:08,980
You don't need specialized hardware to do what we did. -
Not Synced381
00:18:09,540 --> 00:18:12,820
You just need to understand how these numbers work. -
Not Synced382
00:18:12,820 --> 00:18:16,000
And once you understand initial PRNG seed states -
Not Synced383
00:18:16,000 --> 00:18:18,500
for these systems, -
Not Synced384
00:18:18,500 --> 00:18:22,000
you can simply enumerate over all the potential address space -
Not Synced385
00:18:22,000 --> 00:18:25,500
that you want to spend time deriving -
Not Synced386
00:18:25,500 --> 00:18:30,320
and checking if that address had ever been used on the blockchain. -
Not Synced387
00:18:30,320 --> 00:18:33,000
And if so, you can see that address was vulnerable, -
Not Synced388
00:18:33,000 --> 00:18:35,500
and that money was vulnerable, -
Not Synced389
00:18:35,500 --> 00:18:38,920
and maybe it was stolen, maybe it wasn't. -
Not Synced390
00:18:39,680 --> 00:18:43,000
But voila, you get answers to how much money -
Not Synced391
00:18:43,000 --> 00:18:46,140
moved through these weak wallet systems. -
Not Synced392
00:18:46,140 --> 00:18:50,000
This was a lot of time to dive through all the aftereffects -
Not Synced393
00:18:50,000 --> 00:18:52,500
of this attack and exploit, -
Not Synced394
00:18:52,500 --> 00:18:55,500
and we can still spend hours, days, months, years -
Not Synced395
00:18:55,500 --> 00:19:01,220
diving into everything. -
Not Synced396
00:19:02,040 --> 00:19:04,500
You can be your crypto sleuth like ZachXBT -
Not Synced397
00:19:04,500 --> 00:19:06,640
and trace where all the money went. -
Not Synced398
00:19:07,100 --> 00:19:08,360
We didn't do that. -
Not Synced399
00:19:09,080 --> 00:19:12,580
You know, we didn't find all the answers to all the questions. -
Not Synced400
00:19:12,580 --> 00:19:16,000
And, yeah, there's a lot of other coins out there, -
Not Synced401
00:19:16,000 --> 00:19:20,660
cryptocurrencies that we could have looked at that we didn't. -
Not Synced402
00:19:21,840 --> 00:19:25,500
Bitcoin, Ethereum, Doge, XRP, -
Not Synced403
00:19:25,500 --> 00:19:28,000
these are all, like, cryptocurrencies, -
Not Synced404
00:19:28,000 --> 00:19:33,740
and these are all systems that were affected by this compromise. -
Not Synced405
00:19:34,860 --> 00:19:36,300
We're also not alone here. -
Not Synced406
00:19:36,460 --> 00:19:39,000
There were other researchers that were working on this problem, -
Not Synced407
00:19:39,000 --> 00:19:43,020
and from them we drew inspiration, and, in some ways, collaboration. -
Not Synced408
00:19:47,020 --> 00:19:51,040
I don't know who here, any Drake fans here? -
Not Synced409
00:19:53,220 --> 00:19:55,820
Okay, I feel sorry for the one person that raised their hand. -
Not Synced410
00:19:58,600 --> 00:20:01,000
So, TrustWallet, not like us. -
Not Synced411
00:20:01,860 --> 00:20:03,820
They didn't like the users in some ways. -
Not Synced412
00:20:03,820 --> 00:20:06,000
They made some mistakes, -
Not Synced413
00:20:06,000 --> 00:20:09,380
and not just one mistake. -
Not Synced414
00:20:09,480 --> 00:20:12,000
They made multiple mistakes, -
Not Synced415
00:20:12,000 --> 00:20:14,000
which is sad for the downstream users, -
Not Synced416
00:20:14,000 --> 00:20:17,800
sad for the team that built this product and built a reputation around trust. -
Not Synced417
00:20:18,460 --> 00:20:20,500
If I say, trust me, bro, -
Not Synced418
00:20:20,500 --> 00:20:22,840
you're going to trust me, I'm sure. -
Not Synced419
00:20:23,380 --> 00:20:24,400
Maybe, you know. -
Not Synced420
00:20:24,840 --> 00:20:26,080
But probably not. -
Not Synced421
00:20:26,160 --> 00:20:28,280
I'm just a stranger on the Internet most of the time. -
Not Synced422
00:20:28,280 --> 00:20:33,420
And it's just, again, this is in the wild. -
Not Synced423
00:20:33,620 --> 00:20:35,160
These weren't vulnerabilities we found. -
Not Synced424
00:20:35,260 --> 00:20:36,160
These are just out there. -
Not Synced425
00:20:36,240 --> 00:20:37,080
You can look them up. -
Not Synced426
00:20:38,840 --> 00:20:41,500
And in this case, the PRNG was seeded with time, -
Not Synced427
00:20:41,500 --> 00:20:43,900
which is really not a good idea. -
Not Synced428
00:20:44,080 --> 00:20:46,000
Unix time starts in 1970, -
Not Synced429
00:20:46,000 --> 00:20:48,060
and we're in 2024. -
Not Synced430
00:20:48,060 --> 00:20:50,500
So, like, no matter what, -
Not Synced431
00:20:50,500 --> 00:20:52,500
it's just not a lot of years to go through, -
Not Synced432
00:20:52,500 --> 00:20:56,280
which is why I always set my clock 100 years in advance. -
Not Synced433
00:20:57,700 --> 00:20:59,300
My plots are measured in centuries. -
Not Synced434
00:21:00,040 --> 00:21:03,320
And just for this meme, you know, I don't know what Drake is all about. -
Not Synced435
00:21:03,460 --> 00:21:05,500
He just is a super predictable person, though. -
Not Synced436
00:21:06,020 --> 00:21:07,820
And he just doesn't like the good stuff. -
Not Synced437
00:21:07,900 --> 00:21:08,800
He's just not like us. -
Not Synced438
00:21:08,940 --> 00:21:10,620
So, we avoid him. -
Not Synced439
00:21:10,780 --> 00:21:12,180
We try not to be like him. -
Not Synced440
00:21:12,280 --> 00:21:13,760
I'm sorry if he's your idol. -
Not Synced441
00:21:14,620 --> 00:21:15,700
This is my opinion. -
Not Synced442
00:21:15,700 --> 00:21:19,820
I'm not speaking on behalf of the MilkSAD research team or anyone else here. -
Not Synced443
00:21:20,420 --> 00:21:21,840
And if I offend you, I apologize. -
Not Synced444
00:21:22,260 --> 00:21:24,640
I just like to be honest with myself and the audience. -
Not Synced445
00:21:26,500 --> 00:21:28,300
But, yeah, what the highlights, you know? -
Not Synced446
00:21:28,360 --> 00:21:28,940
We're done with Drake. -
Not Synced447
00:21:29,700 --> 00:21:32,500
There were nine wallets that we discovered -
Not Synced448
00:21:32,500 --> 00:21:35,760
with lots of money. -
Not Synced449
00:21:35,980 --> 00:21:38,480
So, in cryptocurrency land, they call them whales. -
Not Synced450
00:21:39,040 --> 00:21:41,680
And these whales had quite the dork of a wallet. -
Not Synced451
00:21:42,500 --> 00:21:44,940
67,000-plus bitcoins. -
Not Synced452
00:21:45,700 --> 00:21:47,540
Went through these wallets. -
Not Synced453
00:21:48,120 --> 00:21:51,920
At the time, that's about a billion dollars. -
Not Synced454
00:21:52,260 --> 00:21:56,860
At 20,000 U.S. dollars per Bitcoin. -
Not Synced455
00:21:57,560 --> 00:21:59,760
Today, that's five times as much. -
Not Synced456
00:21:59,840 --> 00:22:01,960
I think Bitcoin hovers around $100,000. -
Not Synced457
00:22:02,600 --> 00:22:05,600
In my world, one Bitcoin will always equal one Bitcoin. -
Not Synced458
00:22:05,600 --> 00:22:09,120
And everything else is everything else. -
Not Synced459
00:22:10,080 --> 00:22:12,500
But, again, this shows you that it wasn't just retail, -
Not Synced460
00:22:12,500 --> 00:22:15,120
random people reading books. -
Not Synced461
00:22:15,200 --> 00:22:18,500
This was people who were spending a lot of time and energy, -
Not Synced462
00:22:18,500 --> 00:22:21,980
had a lot of assets involved and vulnerable, -
Not Synced463
00:22:21,980 --> 00:22:25,500
which was quite impressive and surprising. -
Not Synced464
00:22:26,200 --> 00:22:27,820
We don't know what happened with this money. -
Not Synced465
00:22:27,820 --> 00:22:31,000
We don't know if these people or entities -
Not Synced466
00:22:31,000 --> 00:22:34,880
that had control of these wallets moved them safely. -
Not Synced467
00:22:34,880 --> 00:22:36,220
We kind of assumed they did. -
Not Synced468
00:22:36,300 --> 00:22:40,160
We don't know if they knew what was happening here in 2020. -
Not Synced469
00:22:40,540 --> 00:22:43,080
Mind you, we discovered this issue in 2023. -
Not Synced470
00:22:43,460 --> 00:22:44,440
So, it was three years later. -
Not Synced471
00:22:45,380 --> 00:22:47,840
But, yeah, just kind of crazy. -
Not Synced472
00:22:48,260 --> 00:22:53,080
That's a lot of money to just float around the Internet and be able to be grabbed. -
Not Synced473
00:22:54,380 --> 00:22:54,820
Cake. -
Not Synced474
00:22:54,980 --> 00:22:55,740
I like cake. -
Not Synced475
00:22:56,240 --> 00:22:59,680
I hate when my cake has poison in it or razor blades. -
Not Synced476
00:23:00,220 --> 00:23:02,680
If you ever eat an apple on Halloween, be careful. -
Not Synced477
00:23:02,980 --> 00:23:03,620
Check it twice. -
Not Synced478
00:23:04,120 --> 00:23:04,880
Some people are naughty. -
Not Synced479
00:23:05,000 --> 00:23:05,920
Some people are nice. -
Not Synced480
00:23:06,720 --> 00:23:09,240
And, in this case, Cake Wallet was not so nice. -
Not Synced481
00:23:11,160 --> 00:23:15,820
You know, a lot of programming languages have, like, random SDKs. -
Not Synced482
00:23:15,860 --> 00:23:19,740
It's just easy native library implementations where you can get randomness. -
Not Synced483
00:23:19,740 --> 00:23:23,500
And, a lot of them don't have secure, cryptographically secure randomness -
Not Synced484
00:23:23,500 --> 00:23:26,280
by default, which I find really awkward. -
Not Synced485
00:23:27,000 --> 00:23:29,160
I think that's something we should talk about here. -
Not Synced486
00:23:29,340 --> 00:23:33,000
Like, why don't we provide safe defaults -
Not Synced487
00:23:33,000 --> 00:23:37,780
for all the programming languages as, you know, a primitive? -
Not Synced488
00:23:38,440 --> 00:23:40,440
So, something to think about if you're developing languages. -
Not Synced489
00:23:41,120 --> 00:23:43,000
Default to safety first, please. -
Not Synced490
00:23:43,000 --> 00:23:46,000
And, yeah, we knew that this was insecure, -
Not Synced491
00:23:46,000 --> 00:23:52,280
but a lot of people didn't know how or, you know, how to derive these addresses. -
Not Synced492
00:23:52,660 --> 00:23:56,000
And, luckily, lead researcher Christian, -
Not Synced493
00:23:56,000 --> 00:23:58,000
our knight in shining armor, -
Not Synced494
00:23:58,000 --> 00:24:01,120
saw the puzzle and decided he needed to break it. -
Not Synced495
00:24:01,360 --> 00:24:03,340
You know, he was kind of nerd-sniped by this. -
Not Synced496
00:24:03,340 --> 00:24:07,000
And, a lot of us were not spending as much time -
Not Synced497
00:24:07,000 --> 00:24:11,280
diving into Cake Wallet because we already were moving on to things. -
Not Synced498
00:24:11,280 --> 00:24:15,360
But, the fixation Christian, you know, spent was well worth it. -
Not Synced499
00:24:16,380 --> 00:24:20,000
He discovered that they weren't using 32 bits of seeding -
Not Synced500
00:24:20,000 --> 00:24:23,260
when you expected 128 or 256. -
Not Synced501
00:24:23,940 --> 00:24:25,880
They were actually using 20 bits. -
Not Synced502
00:24:26,800 --> 00:24:31,160
You know, and 20 bits means I can almost do the calculations with my hands and toes. -
Not Synced503
00:24:31,700 --> 00:24:34,500
But, I lost a lot of touch in my pinky toes -
Not Synced504
00:24:34,500 --> 00:24:36,540
due to frostbite. -
Not Synced505
00:24:36,540 --> 00:24:39,500
So, it would be difficult for me, but if you are talented -
Not Synced506
00:24:39,500 --> 00:24:42,780
with all your digits, you can show me how to calculate stuff with them. -
Not Synced507
00:24:42,840 --> 00:24:44,200
That would be super cool to do by nay. -
Not Synced508
00:24:45,100 --> 00:24:46,620
But, 20 bits is not a lot. -
Not Synced509
00:24:46,920 --> 00:24:48,480
So, easy to brute force. -
Not Synced510
00:24:49,420 --> 00:24:53,660
And, Cake Wallet is a software product that a lot of people use. -
Not Synced511
00:24:54,160 --> 00:24:54,780
It's great. -
Not Synced512
00:24:54,960 --> 00:24:57,760
It has... It's not great. -
Not Synced513
00:24:57,880 --> 00:24:58,240
I don't know. -
Not Synced514
00:24:58,380 --> 00:24:59,100
I shouldn't say that. -
Not Synced515
00:24:59,320 --> 00:25:00,760
It is what it is. -
Not Synced516
00:25:00,760 --> 00:25:03,500
But, the cool thing about it is you can reach out to the users, -
Not Synced517
00:25:03,500 --> 00:25:06,140
unlike open source projects, which is a little bit harder. -
Not Synced518
00:25:06,360 --> 00:25:08,320
You know, you can send out something to the mailing list or not. -
Not Synced519
00:25:08,420 --> 00:25:11,500
So, our team, Christian, reached out to Cake Wallet people, -
Not Synced520
00:25:11,500 --> 00:25:14,000
and they're like, yeah, we'll throw a notification up, -
Not Synced521
00:25:14,000 --> 00:25:16,240
and we'll tell people. -
Not Synced522
00:25:16,400 --> 00:25:18,700
The problem is, people don't update their software. -
Not Synced523
00:25:18,900 --> 00:25:20,100
They didn't get the notification. -
Not Synced524
00:25:20,960 --> 00:25:23,180
They probably just set it and forget it, you know. -
Not Synced525
00:25:23,180 --> 00:25:26,000
And, we waited six months -
Not Synced526
00:25:26,000 --> 00:25:30,100
until we disclosed this issue. -
Not Synced527
00:25:30,800 --> 00:25:33,700
Six months of just sitting there, hoping things were going to be good. -
Not Synced528
00:25:34,480 --> 00:25:37,500
Two days after disclosure, the remaining funds -
Not Synced529
00:25:37,500 --> 00:25:40,360
in those vulnerable wallets were removed. -
Not Synced530
00:25:41,200 --> 00:25:46,040
We suspect they were removed by not the originators of those funds. -
Not Synced531
00:25:47,200 --> 00:25:48,120
Sad times. -
Not Synced532
00:25:48,560 --> 00:25:50,360
Sad times. Sad times. -
Not Synced533
00:25:51,860 --> 00:25:55,340
So, back to our team and what we were up to. -
Not Synced534
00:25:55,920 --> 00:25:57,720
There was a lot of debate, a lot of turmoil. -
Not Synced535
00:25:57,980 --> 00:26:01,000
I would say, you know, I trust everyone that I worked with, -
Not Synced536
00:26:01,000 --> 00:26:03,180
and you had to. -
Not Synced537
00:26:03,360 --> 00:26:07,000
Because, when there's a big bag of money on the ground, -
Not Synced538
00:26:07,000 --> 00:26:09,500
and anyone can just pull up and pick it up, -
Not Synced539
00:26:09,500 --> 00:26:11,620
anyone in our team could have done this. -
Not Synced540
00:26:11,620 --> 00:26:14,000
Anyone in the world who knew about this -
Not Synced541
00:26:14,000 --> 00:26:16,500
could have done this, who reviewed the open source software. -
Not Synced542
00:26:16,960 --> 00:26:18,580
And, you know, what do you do with that? -
Not Synced543
00:26:18,580 --> 00:26:21,000
As a good Samaritan, you see -
Not Synced544
00:26:21,000 --> 00:26:22,440
a 100-year-old note or something on the ground. -
Not Synced545
00:26:22,520 --> 00:26:25,520
You might take it to the police station and say, hey, I found this money. -
Not Synced546
00:26:25,720 --> 00:26:27,900
I don't know who it belongs to, but I'm sure they need it. -
Not Synced547
00:26:28,060 --> 00:26:28,580
They want it. -
Not Synced548
00:26:29,260 --> 00:26:32,000
But, in cryptocurrency land, how do you verify, -
Not Synced549
00:26:32,000 --> 00:26:34,500
like, that indeed was the person that, you know, -
Not Synced550
00:26:34,500 --> 00:26:37,200
how does anyone verify that that's their 100-year-old note? -
Not Synced551
00:26:37,200 --> 00:26:39,980
It's kind of tricky. -
Not Synced552
00:26:40,080 --> 00:26:41,860
Maybe there's CCTVs in the area. -
Not Synced553
00:26:41,980 --> 00:26:44,500
You can see someone slip, you know, slip their glove, -
Not Synced554
00:26:44,500 --> 00:26:46,560
and a dollar falls out or whatever. -
Not Synced555
00:26:47,240 --> 00:26:49,200
But, in cryptocurrency land, it can be quite difficult. -
Not Synced556
00:26:49,560 --> 00:26:52,660
And there's a lot of legal and tax implications. -
Not Synced557
00:26:52,660 --> 00:26:55,500
And we come from many jurisdictions, -
Not Synced558
00:26:55,500 --> 00:26:57,440
from Canada, the U.S., Germany. -
Not Synced559
00:26:58,120 --> 00:27:01,000
I don't know where all our research team comes from, -
Not Synced560
00:27:01,000 --> 00:27:04,120
but we definitely debated this, and it was a hot topic. -
Not Synced561
00:27:06,020 --> 00:27:10,600
Another hot topic was, do we open source the code that we use to derive these addresses? -
Not Synced562
00:27:11,420 --> 00:27:12,480
Do we share it with the world? -
Not Synced563
00:27:12,640 --> 00:27:13,780
We're proud of the work we did. -
Not Synced564
00:27:13,940 --> 00:27:14,980
We spent a lot of hours. -
Not Synced565
00:27:14,980 --> 00:27:18,500
We spent a lot of time working together, -
Not Synced566
00:27:18,500 --> 00:27:21,380
making sure we understood the scope of some of these issues. -
Not Synced567
00:27:22,300 --> 00:27:25,000
And we didn't get unanimous consent -
Not Synced568
00:27:25,000 --> 00:27:27,760
to release all the source code. -
Not Synced569
00:27:28,340 --> 00:27:30,440
We had a lot of disagreements. -
Not Synced570
00:27:30,560 --> 00:27:33,000
There's some people who live and die -
Not Synced571
00:27:33,000 --> 00:27:35,520
by the open source sword in our social group, in our research team. -
Not Synced572
00:27:36,180 --> 00:27:40,240
And to them, it was a tragedy to not share this with the commons. -
Not Synced573
00:27:40,240 --> 00:27:44,000
And then there was others who just don't want to give people -
Not Synced574
00:27:44,000 --> 00:27:47,500
who don't want to spend the time understanding the situation, -
Not Synced575
00:27:47,500 --> 00:27:52,000
even if they have bad intent, easy resources to do this for cryptocurrencies -
Not Synced576
00:27:52,000 --> 00:27:56,000
and extend it to other potential networks -
Not Synced577
00:27:56,000 --> 00:27:59,500
that might not have been compromised in the initial attack. -
Not Synced578
00:27:59,720 --> 00:28:02,740
So, again, it was a tricky situation. -
Not Synced579
00:28:04,000 --> 00:28:06,720
We wanted to share some things with the public. -
Not Synced580
00:28:06,860 --> 00:28:08,580
We didn't want to share everything with the public. -
Not Synced581
00:28:08,580 --> 00:28:12,000
We did allow people to look up to see -
Not Synced582
00:28:12,000 --> 00:28:15,020
if they had compromised mnemonic seed phrases. -
Not Synced583
00:28:15,740 --> 00:28:18,500
You could go to a website, provide a SHA-256 hash -
Not Synced584
00:28:18,500 --> 00:28:21,500
of the seed phrase, and check to see -
Not Synced585
00:28:21,500 --> 00:28:24,400
if it was in our database. -
Not Synced586
00:28:25,120 --> 00:28:28,000
Obviously, that was even discussed internally, -
Not Synced587
00:28:28,000 --> 00:28:31,380
because what if people put their entire seed phrase in there and then blame us for being compromised? -
Not Synced588
00:28:31,860 --> 00:28:34,720
And that is a tricky, sticky situation. -
Not Synced589
00:28:34,720 --> 00:28:38,500
But we did want to provide some type of public service -
Not Synced590
00:28:38,500 --> 00:28:41,260
for people to check before they swept their funds. -
Not Synced591
00:28:41,260 --> 00:28:44,000
But, yeah, some numbers, -
Not Synced592
00:28:44,000 --> 00:28:48,320
lots of money through this. -
Not Synced593
00:28:48,420 --> 00:28:50,440
This isn't money that was necessarily stolen. -
Not Synced594
00:28:51,280 --> 00:28:53,500
This, and by money, I just mean Bitcoin, -
Not Synced595
00:28:53,500 --> 00:28:55,420
or, you know, that's what we're looking at here. -
Not Synced596
00:28:55,620 --> 00:29:01,460
But these are Bitcoins that move through compromised wallets that could have been stolen at any point in time. -
Not Synced597
00:29:01,460 --> 00:29:03,880
And I just find that fascinating. -
Not Synced598
00:29:04,160 --> 00:29:05,580
This is world-changing money. -
Not Synced599
00:29:06,160 --> 00:29:08,680
This can fund your nuclear arsenal. -
Not Synced600
00:29:09,020 --> 00:29:11,500
This can buy you many islands -
Not Synced601
00:29:11,500 --> 00:29:13,700
or politicians or Twitters or whatever. -
Not Synced602
00:29:13,920 --> 00:29:14,860
Actually, maybe not Twitters. -
Not Synced603
00:29:14,960 --> 00:29:15,280
I don't know. -
Not Synced604
00:29:15,340 --> 00:29:16,160
It depends on the price. -
Not Synced605
00:29:17,380 --> 00:29:18,740
But, yeah, this is a lot. -
Not Synced606
00:29:18,940 --> 00:29:22,000
And it was crazy to see so much of this asset -
Not Synced607
00:29:22,000 --> 00:29:25,340
go through weak systems. -
Not Synced608
00:29:25,340 --> 00:29:29,080
It just felt weird. -
Not Synced609
00:29:30,780 --> 00:29:31,400
What can you do? -
Not Synced610
00:29:32,160 --> 00:29:33,100
That's a good question. -
Not Synced611
00:29:33,400 --> 00:29:35,240
As a developer, how can you protect yourself? -
Not Synced612
00:29:35,740 --> 00:29:38,240
How can you protect the people you're building software for? -
Not Synced613
00:29:38,360 --> 00:29:40,320
A lot of us are building software for people. -
Not Synced614
00:29:41,800 --> 00:29:45,000
Sometimes people are building software for, like, robots -
Not Synced615
00:29:45,000 --> 00:29:46,780
and stuff and non-peoples. -
Not Synced616
00:29:47,340 --> 00:29:48,640
But that's also great. -
Not Synced617
00:29:48,760 --> 00:29:50,680
You should still protect those entities as well. -
Not Synced618
00:29:51,700 --> 00:29:52,600
Question everything. -
Not Synced619
00:29:52,940 --> 00:29:54,640
My mom always told me to question authority. -
Not Synced620
00:29:55,440 --> 00:29:57,680
And I carry that with me everywhere I go. -
Not Synced621
00:29:58,300 --> 00:30:00,200
I really doubt everything I see. -
Not Synced622
00:30:00,900 --> 00:30:04,000
And really have to strive for understanding -
Not Synced623
00:30:04,000 --> 00:30:07,000
to feel confident and comfortable -
Not Synced624
00:30:07,000 --> 00:30:11,220
to use technology that I would use in a secure system. -
Not Synced625
00:30:11,320 --> 00:30:14,080
And when I'm building software, I always like to check it twice. -
Not Synced626
00:30:14,200 --> 00:30:15,680
I like to get it externally audited. -
Not Synced627
00:30:15,680 --> 00:30:18,500
And, you know, when you're using randomness, -
Not Synced628
00:30:18,500 --> 00:30:20,420
make sure you're not just doing silly mistakes. -
Not Synced629
00:30:20,420 --> 00:30:24,000
And this is a question of how we get people -
Not Synced630
00:30:24,000 --> 00:30:27,860
to break this cycle of repeating the same mistake over and over again. -
Not Synced631
00:30:27,860 --> 00:30:31,000
So, as the average user, if you entrust your money to software, -
Not Synced632
00:30:31,000 --> 00:30:34,500
if you entrust critical things like your privacy to software systems, -
Not Synced633
00:30:34,500 --> 00:30:38,000
demand security audits, you know, request them, -
Not Synced634
00:30:38,000 --> 00:30:40,500
demand them, pay for them. -
Not Synced635
00:30:44,300 --> 00:30:47,000
Do what you can to help the systems -
Not Synced636
00:30:47,000 --> 00:30:49,760
keep your stack updated. -
Not Synced637
00:30:49,760 --> 00:30:51,220
So, again, this is not a full enumeration. -
Not Synced638
00:30:51,220 --> 00:30:54,320
These are just useful, you know, things I find useful. -
Not Synced639
00:30:54,320 --> 00:30:58,000
One thing to note with the BIP39 setup mnemonic seed phrase -
Not Synced640
00:30:58,000 --> 00:31:01,000
is if people added a password, which is part of the BIP39 spec, -
Not Synced641
00:31:01,000 --> 00:31:04,500
a passphrase, to their setup, they probably wouldn't have been compromised -
Not Synced642
00:31:04,500 --> 00:31:07,940
in the initial attack. -
Not Synced643
00:31:09,300 --> 00:31:13,000
People, the attackers would have had to try and crack the password -
Not Synced644
00:31:13,000 --> 00:31:16,760
in order to then enumerate all of the downstream addresses. -
Not Synced645
00:31:16,760 --> 00:31:20,500
So, that was something interesting about this particular incident -
Not Synced646
00:31:20,500 --> 00:31:23,500
is some people were protected just by adding that simple passphrase. -
Not Synced647
00:31:25,180 --> 00:31:28,000
But, yeah, open source is great, -
Not Synced648
00:31:28,000 --> 00:31:31,720
but it doesn't guarantee safety, as we all know. -
Not Synced649
00:31:32,660 --> 00:31:35,500
In conclusion, chaos is required for some things -
Not Synced650
00:31:35,500 --> 00:31:39,020
in compute and in life, as we know in the Chaos Congress. -
Not Synced651
00:31:39,020 --> 00:31:42,000
There's often good chaos everywhere, -
Not Synced652
00:31:42,000 --> 00:31:45,100
and you try to avoid the bad chaos. -
Not Synced653
00:31:45,680 --> 00:31:46,080
Be careful. -
Not Synced654
00:31:46,520 --> 00:31:51,380
It is used everywhere in passwords, session tokens, all this stuff. -
Not Synced655
00:31:52,180 --> 00:31:53,860
Try not to let it happen to you. -
Not Synced656
00:31:54,180 --> 00:31:57,000
Try to understand and do your research -
Not Synced657
00:31:57,000 --> 00:32:01,000
and do what you can to build confidence in the technology you're using, -
Not Synced658
00:32:01,000 --> 00:32:03,800
and that's for everything. -
Not Synced659
00:32:05,420 --> 00:32:06,500
Where do we go from here? -
Not Synced660
00:32:06,500 --> 00:32:10,000
Well, we spent a lot of work proving over 20,000 weak wallets -
Not Synced661
00:32:10,000 --> 00:32:12,500
existed in the cryptocurrency space. -
Not Synced662
00:32:12,760 --> 00:32:15,500
A lot of us have full-time jobs, families, -
Not Synced663
00:32:15,500 --> 00:32:19,340
mouths to feed, breaks to take, you know, sleep. -
Not Synced664
00:32:20,100 --> 00:32:23,000
And so, we're doing a bunch of other things, -
Not Synced665
00:32:23,000 --> 00:32:25,000
but we're still very interested in this area, -
Not Synced666
00:32:25,000 --> 00:32:27,220
and there's a lot of research and investigations that can still happen here. -
Not Synced667
00:32:27,220 --> 00:32:31,000
So, we're constantly pushing out updates, -
Not Synced668
00:32:31,000 --> 00:32:36,060
and by we, I typically mean Christian, but the lead researcher. -
Not Synced669
00:32:36,060 --> 00:32:39,500
If you have anything interesting or, you know, comments or feedback -
Not Synced670
00:32:39,500 --> 00:32:41,500
or you want to learn more, -
Not Synced671
00:32:41,500 --> 00:32:43,680
always feel free to reach out to us. -
Not Synced672
00:32:43,680 --> 00:32:46,500
And we're hosting a longer Q&A session -
Not Synced673
00:32:46,500 --> 00:32:49,760
with the research team. -
Not Synced674
00:32:49,760 --> 00:32:53,000
You know, I'm just a puppet here being pulled by the slides, -
Not Synced675
00:32:53,000 --> 00:32:56,000
but if you want to meet more of us, please do so. -
Not Synced676
00:32:59,860 --> 00:33:02,500
We'll be in Sol 6, which is, I think, a floor below us, -
Not Synced677
00:33:02,500 --> 00:33:05,000
and love to see your faces, -
Not Synced678
00:33:05,000 --> 00:33:07,200
love to talk to you about this problem -
Not Synced679
00:33:07,200 --> 00:33:11,500
and find solutions that can really break the cycle -
Not Synced680
00:33:11,500 --> 00:33:14,780
of bad entropy in good intended systems. -
Not Synced681
00:33:15,540 --> 00:33:17,460
Also, shout-out to Mo at Milliways. -
Not Synced682
00:33:18,860 --> 00:33:21,000
These slides and the template come from him, -
Not Synced683
00:33:21,000 --> 00:33:24,000
and originally that was derived from the 38C3 design team, -
Not Synced684
00:33:24,000 --> 00:33:26,480
and I just love the design. -
Not Synced685
00:33:26,700 --> 00:33:30,000
So, thank you very much, everyone, for coming here -
Not Synced686
00:33:30,000 --> 00:33:32,000
to listen to this talk, -
Not Synced687
00:33:32,000 --> 00:33:35,780
and I'd love to field your questions for what I can answer -
Not Synced688
00:33:35,780 --> 00:33:38,000
and for anything I can't, -
Not Synced689
00:33:38,000 --> 00:33:40,740
I will just shepherd you downstairs to Sol 6. -
Not Synced690
00:33:51,740 --> 00:33:54,500
John Nolte and the MilkSAD team, thanks a lot for this research, -
Not Synced691
00:33:54,500 --> 00:33:56,500
thanks a lot for the presentation, -
Not Synced692
00:33:56,500 --> 00:33:58,760
thanks a lot for the disclosure. -
Not Synced693
00:34:00,660 --> 00:34:02,600
Anybody coming up with questions? -
Not Synced694
00:34:02,700 --> 00:34:03,540
I see some questions here. -
Not Synced695
00:34:03,720 --> 00:34:05,160
However, hold on for a second. -
Not Synced696
00:34:05,160 --> 00:34:07,500
We want to have a look at the internet. -
Not Synced697
00:34:07,720 --> 00:34:08,960
Are there online questions? -
Not Synced698
00:34:10,160 --> 00:34:10,640
Yeah, please. -
Not Synced699
00:34:12,880 --> 00:34:16,000
The first question from the internet would be, -
Not Synced700
00:34:16,000 --> 00:34:19,000
were all wallets using Mersenne Twister -
Not Synced701
00:34:19,000 --> 00:34:21,640
to generate the seed at that point? -
Not Synced702
00:34:22,340 --> 00:34:26,420
If not, how did the hackers identify the ones which did use it? -
Not Synced703
00:34:26,420 --> 00:34:31,000
So, I don't know how the hackers identified the weak wallets in their systems, -
Not Synced704
00:34:31,000 --> 00:34:34,000
but the answer to the first question is no. -
Not Synced705
00:34:37,700 --> 00:34:39,420
They weren't all using Mersenne Twister. -
Not Synced706
00:34:40,380 --> 00:34:44,000
You can look at the other implementations in our write-ups, -
Not Synced707
00:34:44,000 --> 00:34:47,000
but yeah, there was a few implementations -
Not Synced708
00:34:47,000 --> 00:34:52,720
and issues there. -
Not Synced709
00:34:52,720 --> 00:34:57,060
Is there anything else from the internet? -
Not Synced710
00:34:57,060 --> 00:34:59,400
Yes, we have one more. -
Not Synced711
00:34:59,400 --> 00:35:04,000
The question is if this flaw is still out in the wild, -
Not Synced712
00:35:04,000 --> 00:35:09,400
especially for non-Bitcoin cryptocurrencies. -
Not Synced713
00:35:09,400 --> 00:35:13,740
Is the flaw still out in the wild? -
Not Synced714
00:35:13,740 --> 00:35:16,000
Yeah, the software, you know, -
Not Synced715
00:35:16,000 --> 00:35:18,500
once you publish the software version, -
Not Synced716
00:35:18,500 --> 00:35:20,880
it's there forever, most of the time. -
Not Synced717
00:35:21,140 --> 00:35:23,500
You know, there's people who archive all kinds of things, -
Not Synced718
00:35:23,500 --> 00:35:25,520
so most things on the internet don't die. -
Not Synced719
00:35:28,160 --> 00:35:29,540
What's dead can never die. -
Not Synced720
00:35:29,540 --> 00:35:32,000
And as far as active exploits, -
Not Synced721
00:35:32,000 --> 00:35:35,000
if you put money in one of these compromised wallets, -
Not Synced722
00:35:35,000 --> 00:35:37,500
it'd be a fun game to see how fast it moves -
Not Synced723
00:35:37,500 --> 00:35:42,320
by not your hands, not your system. -
Not Synced724
00:35:42,320 --> 00:35:45,500
I assume now there's just people who are listening -
Not Synced725
00:35:45,500 --> 00:35:48,000
or systems that are listening, -
Not Synced726
00:35:48,000 --> 00:35:50,500
waiting for money to enter a weak wallet -
Not Synced727
00:35:50,500 --> 00:35:53,300
and snatching that money immediately. -
Not Synced728
00:35:53,300 --> 00:35:56,000
A fun game to play would be to see -
Not Synced729
00:35:56,000 --> 00:35:58,340
if they pay more gas than the money's worth. -
Not Synced730
00:35:59,020 --> 00:36:01,200
If they're sophisticated, they'll check that first. -
Not Synced731
00:36:01,360 --> 00:36:03,020
If they're unsophisticated, they won't. -
Not Synced732
00:36:04,720 --> 00:36:06,800
But yeah, it's definitely still active. -
Not Synced733
00:36:07,100 --> 00:36:07,980
There's still these issues. -
Not Synced734
00:36:08,860 --> 00:36:12,800
And there's, you know, systems that we haven't identified yet. -
Not Synced735
00:36:12,980 --> 00:36:15,820
So that's still up in the open. -
Not Synced736
00:36:15,820 --> 00:36:19,000
Okay, for everybody else in the room, -
Not Synced737
00:36:19,000 --> 00:36:21,960
just line up at the microphones. -
Not Synced738
00:36:22,320 --> 00:36:24,420
Therefore, microphone number three, please. -
Not Synced739
00:36:25,040 --> 00:36:25,440
Thank you. -
Not Synced740
00:36:25,500 --> 00:36:26,120
Great talk. -
Not Synced741
00:36:26,200 --> 00:36:29,480
I would like to know whether this applies to Monero as well. -
Not Synced742
00:36:29,640 --> 00:36:33,640
And have you looked into Microsoft Research Z3? -
Not Synced743
00:36:35,760 --> 00:36:37,960
Answering second question first, I haven't. -
Not Synced744
00:36:38,060 --> 00:36:39,940
I'd love to know what that is. -
Not Synced745
00:36:41,140 --> 00:36:43,000
And so I'll mentally note that down, -
Not Synced746
00:36:43,000 --> 00:36:45,000
but probably forget it. -
Not Synced747
00:36:45,000 --> 00:36:47,080
So I'll try and write it down later. -
Not Synced748
00:36:47,880 --> 00:36:48,960
But it's recorded. -
Not Synced749
00:36:49,160 --> 00:36:50,760
So actually, I'll just watch the recording. -
Not Synced750
00:36:52,140 --> 00:36:56,000
But yeah, as far as Monero and other cryptocurrencies are compromised, -
Not Synced751
00:36:56,000 --> 00:37:00,420
it's outside of the realm of cryptocurrencies. -
Not Synced752
00:37:01,280 --> 00:37:06,060
It's more in the realm of the cryptographic implementation for the wallet is flawed. -
Not Synced753
00:37:06,280 --> 00:37:11,240
And people were using these mnemonic seed phrases for all kinds of things, not just Bitcoin, not just Ethereum. -
Not Synced754
00:37:11,940 --> 00:37:14,960
I don't know if... we didn't do any research in Monero. -
Not Synced755
00:37:15,000 --> 00:37:18,840
So that's an interesting field for privacy coins. -
Not Synced756
00:37:20,220 --> 00:37:21,860
I think we did see Zcash. -
Not Synced757
00:37:21,960 --> 00:37:24,720
Not everyone like makes Zcash private, I guess. -
Not Synced758
00:37:25,080 --> 00:37:29,000
So, but yeah, I would assume Monero -
Not Synced759
00:37:29,000 --> 00:37:32,000
Monero wallets would be compromised -
Not Synced760
00:37:32,000 --> 00:37:35,620
if they generated their seeds with this software stack. -
Not Synced761
00:37:36,400 --> 00:37:37,240
OK, thank you. -
Not Synced762
00:37:37,460 --> 00:37:37,920
Thank you. -
Not Synced763
00:37:38,700 --> 00:37:40,560
And again, microphone number three, please. -
Not Synced764
00:37:40,560 --> 00:37:45,000
So using a non-cryptographically-secure pseudorandom PRNG, -
Not Synced765
00:37:45,000 --> 00:37:48,400
it's kind of a basic pentest finding. -
Not Synced766
00:37:48,520 --> 00:37:51,320
At least that's my experience, my professional deformation, I guess. -
Not Synced767
00:37:52,180 --> 00:37:55,000
So I would be kind of scared when I see it -
Not Synced768
00:37:55,000 --> 00:37:59,240
in software like this, that's supposed to be developed by competent developers. -
Not Synced769
00:37:59,840 --> 00:38:03,160
Have people considered this to be a supply chain attack on the ecosystem? -
Not Synced770
00:38:03,160 --> 00:38:08,100
I mean, a compromised supply chain, that's what happened here. -
Not Synced771
00:38:08,100 --> 00:38:10,600
So, yeah, like the well was poisoned. -
Not Synced772
00:38:11,100 --> 00:38:14,000
People trusted software and they stood upon the shoulders of giants -
Not Synced773
00:38:14,000 --> 00:38:17,000
and they realized those giants didn't have a strong foundation -
Not Synced774
00:38:17,000 --> 00:38:23,360
and everything they had kind of crumpled into dust. -
Not Synced775
00:38:23,360 --> 00:38:26,500
So 110% supply chain problem, -
Not Synced776
00:38:26,500 --> 00:38:30,000
definitely recommend having supply chain security solutions -
Not Synced777
00:38:30,000 --> 00:38:34,120
to, you know, mitigate against this. -
Not Synced778
00:38:34,540 --> 00:38:36,620
And that's where a lot of code review comes in. -
Not Synced779
00:38:38,480 --> 00:38:41,940
But yeah, it was mostly like code review probably would have caught this. -
Not Synced780
00:38:42,120 --> 00:38:45,000
It wasn't a fancy thing like no one compromised the build server -
Not Synced781
00:38:45,000 --> 00:38:48,000
and there was a build release artifact published -
Not Synced782
00:38:48,000 --> 00:38:50,200
that was at issue. -
Not Synced783
00:38:50,200 --> 00:38:53,320
But the source code was clean, like SolarWinds or whatnot. -
Not Synced784
00:38:53,620 --> 00:38:57,540
So, yeah, it was just bad code put into the system. -
Not Synced785
00:38:57,800 --> 00:38:58,940
Flawed, I guess, code. -
Not Synced786
00:38:59,780 --> 00:39:01,280
Maybe the, I don't know. -
Not Synced787
00:39:01,640 --> 00:39:01,720
Yeah. -
Not Synced788
00:39:02,360 --> 00:39:02,700
Okay. -
Not Synced789
00:39:03,020 --> 00:39:04,740
Yeah, it's fair that I'm not that paranoid about it. -
Not Synced790
00:39:04,860 --> 00:39:05,780
But yeah, shit happens. -
Not Synced791
00:39:05,880 --> 00:39:06,600
Definitely be paranoid. -
Not Synced792
00:39:06,840 --> 00:39:10,880
Every pull request is a potential input for compromise. -
Not Synced793
00:39:11,380 --> 00:39:13,900
So, constant vigilance. -
Not Synced794
00:39:14,100 --> 00:39:15,820
That's one of my favorite Harry Potter characters. -
Not Synced795
00:39:16,120 --> 00:39:16,960
Mad-Eye Moody would say. -
Not Synced796
00:39:17,760 --> 00:39:18,620
He was compromised. -
Not Synced797
00:39:18,620 --> 00:39:20,700
Anyways, yeah, by a supply chain attack. -
Not Synced798
00:39:21,600 --> 00:39:22,640
But yeah, cool. -
Not Synced799
00:39:23,040 --> 00:39:23,760
Any other questions? -
Not Synced800
00:39:24,040 --> 00:39:24,620
No, thanks. -
Not Synced801
00:39:26,300 --> 00:39:28,140
Well, in here, microphones are empty. -
Not Synced802
00:39:28,280 --> 00:39:28,960
What about the internet? -
Not Synced803
00:39:29,160 --> 00:39:30,100
Some more questions from there? -
Not Synced804
00:39:30,180 --> 00:39:30,380
No. -
Not Synced805
00:39:31,320 --> 00:39:35,180
Anybody interested in anything particular here from John? -
Not Synced806
00:39:36,940 --> 00:39:37,420
No? -
Not Synced807
00:39:37,580 --> 00:39:40,880
Well, then, let's thank John again for this. -
Not Synced808
00:39:40,880 --> 00:39:45,940
*clap* -
Not Synced809
00:39:45,940 --> 00:39:51,000
♪ (38C3 outro) ♪ -
Not Synced810
00:39:51,000 --> 00:39:52,500
[Transcribed by Pekka P] -
Not Synced811
00:39:52,500 --> 00:39:54,060
(KYBS2004 course assignment at JYU.FI)
- Title:
- 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
- Description:
- We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars worth of cryptocurrency to anyone willing to 'crunch the numbers'. The fatal flaw? Not enough chaos.
- Video Language:
- English
- Duration:
- 39:55