11 Best Bitcoin Mining Software 2020 (Mac, Windows, Linux)
11 Best Bitcoin Mining Software 2020 (Mac, Windows, Linux)
Data Shows the US Economy Was Collapsing 5 Months Before
Best mining rigs and mining PCs for Bitcoin, Ethereum and
Bitcoin hashrate may be recovering, but network needs more
6 Best Bitcoin Mining Hardware ASICs Comparison In 2017
Discord Log from Ravencoin Open Developer Meeting - Oct 19, 2018
RavencoinDev - Today at 2:03 PM Hello Everybody, sorry we're getting started a couple of minutes late today.Today we wanted to make sure that everybody was aware of the Bug Bounty program and discuss it.Has everybody seen the information at https://github.com/RavenProject/Ravencoin/wiki?GitHubRavenProject/RavencoinProject staging tree. Contribute to RavenProject/Ravencoin development by creating an account on GitHub.📷
Hans_Schmidt - Today at 2:06 PM
Yes. I'm working on it...📷1
RavencoinDev - Today at 2:07 PM
I have seen that @Hans_Schmidt Thank you for really digging into the code. You have found some really good ones.Did you get an address posted in the issues so we can reward you for your efforts?
Hans_Schmidt - Today at 2:08 PM
Yes I sent it to Tron and blondfrogs. Thanks.
[Dev] Blondfrogs - Today at 2:08 PM
I got hans address, and updated the wiki accordingly
RavencoinDev - Today at 2:09 PM
Nice! thanks guys, we'll get that sent out today.
brianmct - Today at 2:09 PM
Wow that's a lot of RVN!
Hans_Schmidt - Today at 2:09 PM
The next one is proving harder to find. That is a good thing 📷
[Dev] Blondfrogs - Today at 2:09 PM
Please @Scotty and @Hans_Schmidt look at the wiki, and make sure the address next to the issues you created is the correct address where you would like payment.(edited)
MSFTserver-mine more @ MinerMore - Today at 2:09 PM
just a heads up im renaming this channel to just development meetings
RavencoinDev - Today at 2:09 PM
We feel it's worth the amount for sure to find and fix those type of issues.
brianmct - Today at 2:10 PM
Probably shouldn't keep the addresses on the wiki, since it's publicly editable?
RavencoinDev - Today at 2:10 PM
@MSFTserver-mine more @ MinerMore okay
[Dev] Blondfrogs - Today at 2:11 PM
We will look into the github wiki permissionsand verify addresses before sending payment
RavencoinDev - Today at 2:11 PM
Thats a good point, and reach out to the individuals directly to ensure it's their correct address.
brianmct - Today at 2:12 PM
Actually it's not publicly editable. My bad. Still good to confirm directly though
RavencoinDev - Today at 2:12 PM
brianmct - Today at 2:12 PM
Probably have people put their address on the issue when reporting it
[Dev] Blondfrogs - Today at 2:12 PM
brianmct - Today at 2:12 PM
Don't want any MITM attacks :P
RavencoinDev - Today at 2:13 PM
No we don't.
Chatturga - Today at 2:13 PM
Putting a public address out there is asking to get sent certain asset tokens when it goes live. 📷📷1
RavencoinDev - Today at 2:13 PM
Any questions about the issues that were found thus far?
Hans_Schmidt - Today at 2:14 PM
I verified that my address is correct.
[Dev] Blondfrogs - Today at 2:14 PM
Hans_Schmidt - Today at 2:15 PM
Will you send a dust send first to verify (for bitcoin we do that as standard procedure for large amounts)
[Dev] Blondfrogs - Today at 2:15 PM
Yes, that is the process we follow also
Hans_Schmidt - Today at 2:15 PM
RavencoinDev - Today at 2:16 PM
Just an FYI some of the developers were at the Free State Blockchain conference last week.We also spoke at the MIT Business schoolIt was great to see our community members there!
UserJonPizza™FlyToTheNorthRaven - Today at 2:17 PM
Are you guys 100% on the 31st? Ik prob been asked a million times but...
RavencoinDev - Today at 2:18 PM
Thanks to all that helped with the conference.📷1
[Dev] Blondfrogs - Today at 2:18 PM
The current code base will start voting on the 31st.
Chatturga - Today at 2:18 PM
Yes Its in the code.
RavencoinDev - Today at 2:18 PM
Any other questions about the Bug Bounty?
Hans_Schmidt - Today at 2:19 PM
What's the plan for next formal release?
[Dev] Blondfrogs - Today at 2:20 PM
Should be early next week, we are planning a 2.1.1 release, with the latest bug fixes in it.We thought we would give it a couple more days to see if any additional bugs are found.
RavencoinDev - Today at 2:21 PM
Agreed, there will be one more binary release before the end of the month.
[Master] Roshii - Today at 2:21 PM
Sorry late again
Hans_Schmidt - Today at 2:21 PM
I'm not pushing for the release, just asking. I prefer to have a few days to see if I can get my next attack attempt to work
SpyderDev - Today at 2:22 PM
@[Master] Roshii - were your ears burning?
[Dev] Blondfrogs - Today at 2:22 PM
Yep. You got it, keep attacking the chain!
RavencoinDev - Today at 2:23 PM
Yes please we would encourage everybody to help us find additional chain splitting or consensus defects.Other defects are also welcome, just not part of the bounty at this point.
Hans_Schmidt - Today at 2:24 PM
It would be helpful to know if someone is methodically verifying that the fixes work and also cover the minor variations, because I am not doing that.
[Dev] Blondfrogs - Today at 2:25 PM
Yes. I am personally verifying all bug fixes, and so are the other developers
SpyderDev - Today at 2:25 PM
We are also creatimg tests for them.
Hans_Schmidt - Today at 2:25 PM
Like I payed unique asset creation into the wrong burn address. But there are other variations. Your fix looks like it covers it all.
[Dev] Blondfrogs - Today at 2:26 PM
That is correct. We appreciate the bugs found and expand off of them to fix all other small variations of them.
Hans_Schmidt - Today at 2:26 PM
Great. I focus on new angles.
[Dev] Blondfrogs - Today at 2:26 PM
SpyderDev - Today at 2:26 PM
Chatturga - Today at 2:27 PM
RavencoinDev - Today at 2:27 PM
@Tron isn't able to be here but he wanted me to share this.
Hi All. I’m sorry I’m not able to make it to this development discussion. I’ve been invited to be on a Cryptocurrency and ICO/STO panel at the Federal Bar Council Fall Retreat. I've been informed that many of the attendees are judges from the Second Circuit Court of Appeals which is the Circuit Court for the state of NY. These presidentially appointed judges are just below the US Supreme Court and before whom the SEC and CFTC would be mere litigants. I’m on the panel with some heavyweight crypto and securities attorneys and my role will be talking primarily about the technology (blockchain, tokenized assets, smart contracts, etc.) while allowing the other distinguished panelists to address the legal aspects of this new technology. This is an amazing opportunity to introduce the audience to the best aspects of crypto-currencies and crypto-assets.
Pathfinder - Today at 2:28 PM
wow that's awesome
SpyderDev - Today at 2:28 PM
We are all hoping @Tron will not get arrested.
mapple - Today at 2:28 PM
yesand yes to the not arrested :))
RavencoinDev - Today at 2:29 PM
I told him the mask thing was probably a bad idea for that event...
Hans_Schmidt - Today at 2:29 PM
The Raven mask or the Guy Falkes?
RavencoinDev - Today at 2:29 PM
We need a Tron with judges Meme @PathfinderYes to both.
Skan - Today at 2:29 PM
ITS A TRAP
RavencoinDev - Today at 2:30 PM
Hans_Schmidt - Today at 2:30 PM
A Tron Trap?
mapple - Today at 2:30 PM
i was asked on telegram a few days ago about timeframes for all phases (currently announced) to be completed - are there estimates I've missed?I've properly looked through githubi've not lol
RavencoinDev - Today at 2:31 PM
We are hoping to complete the remaining phases by the end of Q1 but have provided no hard dates.
mapple - Today at 2:32 PM
OK - so march 2019 estimate if anyone asks again would be fair at the moment
RavencoinDev - Today at 2:33 PM
One of the topics I would like to cover for all our web developers is the ravencoin.com website.
gwrg - Today at 2:33 PM
Does it include Phase 7 which was added recently?
RavencoinDev - Today at 2:34 PM
That's not been fully thought through to this point so it's not likely.I wanted to make sure you all knew that Ravencoin.com is a community website, the source is posted and web developers are free to submit pull requests to make changes.
Vincent - Today at 2:35 PM
Chatturga had mentioned a plan to somehow modify the asset creation cost in the future...is that part of the qtr 1 plan?
RavencoinDev - Today at 2:36 PM
We'll be watching closely how the asset creation and RVN burn goes once it goes live.
Chatturga - Today at 2:37 PM
I did say that the rate is 500 RVN for now so that actual data can be gathered, which can then be applied to proposed changes. Speculative data just isnt enough.(edited)
That's amazing.I think Pathfinder could get paid to make memes for a company...@Under Has done some great work migrating web based bitcoin tools to Raven.I would love to see a web dev kit that allowed web/mobile developers to easily incorporate Raven into their projects.
SpyderDev - Today at 2:51 PM
When is the meme bounty program?
Hans_Schmidt - Today at 2:51 PM
Just wondering- is anyone tracking use of post-2.04 client use on the mainnet? It would be good to know if the non-asset stuff is continuing to work without issues on main.
[Master] Roshii - Today at 2:52 PM
@RavencoinDev I have some ideas for mobile integration kit
[Dev] Blondfrogs - Today at 2:52 PM
Everything seems to be in order on Mainnet.
RavencoinDev - Today at 2:52 PM
Awesome @[Master] RoshiiLet's open it up for General Q&A for the last 10 minutes. Anybody have a question they have been dying to ask?
Under - Today at 2:53 PM
I’d really like to know about the build system.The solution I use is pretty reliable.
cade - Today at 2:53 PM
What would you like to know about it?
Under - Today at 2:54 PM
I’d be glad to train you up on mine
RavencoinDev - Today at 2:54 PM
We are working to incorporate the work that you have put in there. Still struggling with the Mac build part of it.
Hans_Schmidt - Today at 2:54 PM
Do you track wallet version usage on main. Any idea how many people are using newer versions?
cade - Today at 2:54 PM
The current build system we're using is based on what you've doneJust modified to fit into our CI process
[Dev] Blondfrogs - Today at 2:55 PM
@Hans_Schmidt We don't have a rolling tally but you can use the explores to view node versions.
RavencoinDev - Today at 2:55 PM
We do check what's being run on the network periodically but don't have a dashboard type view into the version data.
Vincent - Today at 2:55 PM
is the burn rate going to be tracked and charted on the asset explorer?
Under - Today at 2:55 PM
Rather than incorporating it, it vanilla in a vanilla Ubuntu 18 box works pretty well. CI like Travis could run on a fully gitian build, which I’m glad to work on too
RavencoinDev - Today at 2:56 PM
@Vincent There was talk of creating an RPC call that would show how much has been burned and for what purpose.Anybody want to take a shot at writing that?
@Under We have processes and tools that are in use within our organization and we leverage those tools for all of our projects. We have taken the awesome work you've done and tailored it to fit within our toolsets.📷2
Under - Today at 2:59 PM
I can understand that, but I’d counter that the process I describe is simply a copy of bitcoins and allows for it to be replicated in a larger community of developer outside of the Medici teamIt makes the build process trustless and decentralized if it can be replicated by anyone.But I get why you have your ways of doing it.
Hans_Schmidt - Today at 3:00 PM
If you drop the burn address into the web explorer, it tells you how much went there.
Vincent - Today at 3:00 PM
charts are nicer📷2📷1
RavencoinDev - Today at 3:01 PM
I would like a burned endpoint that coinmarketcap can easily call to use in their circulating supply metric.
Vincent - Today at 3:01 PM
burn and rewards can only go one way.... 📷
RavencoinDev - Today at 3:02 PM
Alright, thank you all for being here today. Thank you for your support and for all your effort on Ravencoin platform!
Neo-Geo - Today at 3:02 PM
While we are aware of the dev team’s commitment to ASIC resistance, are there any assurances that RVN dev will find a solution to stay GPU exclusive for optimal decentralization? Monero’s commitment to fork every 6 months (currently on CryptoNightV8) has been wildly successful in keeping AMD’s cards pointing predominantly at their network. RVN is quickly replacing Ethereum as the defacto coin to mine for Nvidia owners (the world’s most popular video card), but the rise of FPGAs can ruin the incentive for GPU miners and lead to hash centralization.📷2
Vincent - Today at 3:02 PM
as a noob...glad to be part of this...great job by all
cade - Today at 3:03 PM
@Under We will be releasing our build process to the community
RavencoinDev - Today at 3:03 PM
Yes @Neo-Geo we are committed to ASIC resistance and we are watching Monero closely.Thanks again everybody. Now go find some BUGS!
Under - Today at 3:04 PM
Cool thanks guys
[Dev] Blondfrogs - Today at 3:04 PM
BTW. QT wallet GUI update is coming. hahahah. have a good day everyone📷1
There is a big cognitive dissonance within the crypto community. The dream of decentralization and censorship resistance is dominated by big centralized exchanges centralized empires like Binance and Coinbase. Speculation still drives the market and fuels the continued growth of centralized exchanges. One of the leading factors fueling the revenue stream of exchanges is new coins, namely ICOs and in future STOs. ICOs became nothing more than a way of Flipping Tokens. Most ICOs used and continue to used Proof of Greater Fool to push forward their blockchain. People invest in something that they know is probably worthless and extremely overpriced, hoping that they can sell that worthless overpriced digital token to a "Greater Fool". In the end, all ICO investors are fools because even if Fool #1 manages to Flip the token at 3x the price he bought it at, he is still the fool compared to the ''ICO that now holds millions** collected by all the #1 fools. Essentially ICOs that list on exchanges right away that have nothing to offer and no product are basically Ponzi schemes, with ICO team at the top, ICO Buyers second Layer and people on the exchange at the bottom of the pyramid. The IEO (Initial Exchange Offering) is a natural evolution of this Ponzi scheme: Now with ICO and Exchanges working together to pump up the price, being able to freely manipulate the price of the token and print free money. As Cryptocurrencies are a totally unregulated market they are pretty much free to do whatever they want. Cryptocurrency exchanges basically became empires fueled by greed, trading fees, listing fees, and so much more. These empires have no interest in changing the system, similar to how banks do not want to give away power. It is expected of anyone in power to be very corrupt in a totally uncontrolled market.
BUIDL VS Initial Exchange Offerings
In 2019, for the first time in 3 years, projects that focused on tech, product, and business development came out of the darkness. Most people pretended to work to look good to raise money, however, some actually worked to solve problems. 2019 was also the year that we started to see Initial Exchange Offerings. ICOs conducted on exchanges compared to publicly. The original purpose of ICOs was to take away the monopoly of fundraising away from stock exchanges and brokerage firms. An IEO is well explained in that scene of Wolf of Wall Street, when they opened an IPO for Steve Madden shoes. Remember when a centralized entity is responsible for issuing a new stock? It probably has a vast interest in pumping that price, but is it legal in the traditional financial space? ICOs that are actually working hard to build their product also understand that in order for their projects to become successful they need to become decentralized. They need to get their tokens in as many hands as possible. Of course, the person that is attached to that hand should also bring value to the project. The best example of the power of useful decentralization is Bitcoin. Bitcoin has a pretty old tech, had a few bugs in their source code, is super slow, but yet it has by far the best community and strongest social consensus. Hashrate doesn't mean much, after all, Bitcoin Cash had a bigger hash rate for a brief while, but it was the social consensus of the mining community that decided not to implement the new changes introduced by Rodger and Bitmain. Now BCH is less than 96% of the market Cap it used to be. The value of cryptocurrencies is defined by nothing more than censorship resistance, game theory, and token holders. In the long term, these three factors will be decisive determining which coin will have the biggest market cap. Bitcoin has by far the most censorship resistance, probably one of the best game theories and by far the best community. The value of a coin is pretty much all about: how hard it is to change the information saved on the block * (sum of all useful skills and influence amongst all token holders) that can be leveraged by game theory within the ecosystem.
Best case vs Worst Case outcome for an ICO
An ICO that is used for its actual purpose and not as a vehicle to facilitate scamming, can be seen as the big bang of any new blockchain ecosystem. Successful ICOs understand that they need to act like economies, not companies. Usually, economies filled with smart people that can utilize their skills to push their ecosystem that is also run by the good government (good game theory) do very well, compared to economies that have a very small set of inhabitants that can bring economic value for influence and skill sets. The optimal scenario for an ICO would be if the tokens were magically distributed among the best developers, business integrators, influencers, politicians and basically anybody that would be willing and capable of bringing value to the new blockchain ecosystem. Bitcoin’s mechanism to achieve this magical community was via mining and its 4-year reward halving cycle. It takes a great deal of passion and technical skills to start mining. Also, the low token price during the first few years motivated the best developers, who are also deeply interested in the technology, to jump onboard and help on its development efforts. This also allowed them to acquire a lot of tokens in the process. The 4 year Bitcoin Pump and Dumps enable very smart individuals to join the bitcoin ecosystem every 4 years and accumulate at low prices. Regulators love crypto once they’ve also bought a bag. Therefore the best outcome is the magical distribution of tokens to all the best developers, business integrators, influencers, politicians and basically anybody that would be willing and able to help that new blockchain ecosystem. The worst case would be an ICO whose tokens holders are mostly speculators, also known as an initial Exchange offering.
The blocksize debate, the personal attacks against reputable members of the community, and the Craig Wright revelations are all part of a well orchestrated campaign against Bitcoin. Proof inside?
Uber TL;DR: Craig Wright, anonymously via a report relating to the PGP key from December, attempted to smear and discredit members of the Bitcoin development community, accused Bitcoin Core of hijacking Bitcoin by imposing a blocksize limit, attacked small-block supporters, and heavily promoted big blocks. I hypothesize that the on-going blocksize campaign and Craig are highly connected. Scroll down for a non-Uber TL;DR, or just read the whole thing (yes, its long :)). First, some background. After the December leaks, a paper pertaining to disprove Greg Maxwell's (nullc) allegations of backdating the PGP key has been released by an unknown (at the time) author, titled "Appeal to authority: A failure of trust".
Abstract: In December 2015, a Motherboard article suggested that cryptographic keys ... were created using technology that was not available on the dates they were supposedly made ... in this paper we present evidence that disproves this claim ... In addition, a warning is rung regarding the onset of centralised authority in the control of bitcoin that has been achieved through Blocksize restrictions. These restrictions have led to centralisation of Bitcoin via the dogma of the core development team ...
As for the backdated keys revealed in the December outing, Mr Wright presents a report by First Response, a computer-forensics firm, which states that these keys could have been generated with an older version of the software in question.
While they do not explicitly state that this is the same paper linked above, what are the odds that two different papers were written to support Craig's claims? In all likelihood, Economist refers to the same "Appeal to authority: A failure of trust" paper, mentioning that it was written by a computer forensics firm named First Response. Now, to the interesting part. Within the paper (supposedly written by an independent third party firm), we have the following text:
Generally, an appeal to authority is fallacious when we cite those who have no special expertise. This is of greater concern when we have an individual believed or purporting to be an expert who abuses trust. Even experts have agendas and the only means to ensure that trust is valid is to hold those experts to a greater level of scrutiny.
That very same text (the bold portion) is also mentioned in that same Economist article, but this time attributed to Craig Wright himself:
In an article in the press kit accompanying the publication of his blog post, he takes aim at Gregory Maxwell, one of the leading bitcoin developers, who first claimed that the cryptographic keys in Mr Wright’s leaked documents were backdated. “Even experts have agendas,” he writes, “and the only means to ensure that trust is valid is to hold experts to a greater level of scrutiny.”
This could mean one of two things: either that Craig wrote that report (and presented it as-if it was written by an independent third party forensics company), or that The Economist mis-attributed the text to Craig instead of to the First Response report. However, they already refer to this report earlier in the very same article (the second quote on this post) and attribute it to First Response. It is very unlikely that they later in the same article they would mis-attribute this report to Craig. In addition, what does a forensics company has to do with Bitcoin politics? Why would they even mention that subject? And how would they even have the knowledge to do so? My conclusion is: this report was written by none other than Craig Wright himself, who later used similar phrasing for self-attributed texts in his press kit. He then managed to get First Response to sign-off on that report (or simply just lied about them being involved - would be interesting to try and check that). Now, to the disturbing part. The author of this paper goes out of his way to attack and discredit Gregory Maxwell, over and over, throughout the entire article. He also repeatedly attacks the Bitcoin Core development community, the Bitcoin governance model, and those advocating for smaller blocks. I would say that 70%-80% of that paper is focused on politics, personal attacks against the Bitcoin technical community and heavy promotion for big blocks (later, in the Economist article, he's also advocating for 340GB blocks), in various phrasing that repeat over and over, with only 20%-30% of it actually being related to the technical questions surrounding the PGP key. Here are some selected quotes (there are many more!):
We may either conclude that Gregory Maxwell understood what he was asserting and has intentionally misled the community in stating that the PGP keys referenced had been backdated, or that a Bitcoin core developer did not understand the workings of PGP sufficiently.
In addition, a warning is rung regarding the onset of centralised authority in the control of bitcoin that has been achieved through Blocksize restrictions.
There is an inherent warning in the foregoing discussion with regard to the growing power of individuals who may not fully grasp the full potential of the Blockchain but who nevertheless have a disproportionate level of influence.
In limiting the size of the Block, the issue of control and the use of the protocol is centralised to a limited number of developers.
The bitcoin core protocol was never designed to be a single implementation maintain by a small cabal acting to restrain the heretics. In restricting the Blocksize, the end is the creation of a centralised management body.
Several core developers, including Gregory Maxwell have assumed a mantle of control. This is centralisation. It is not companies that we need to ensure do not violate our trust, but individuals.
Gregory Maxwell has been an avid supporter in limiting Blocksize. The arguments as to the technical validity of this change are political and act against the core principles of Bitcoin. The retention of limits on Block size consolidates power into the hands of a few individuals.
The position that has been assumed by those seeking centralisation of Bitcoin for many years is to create an artificial scarcity within Bitcoin associated with the limits on the Blocksize.
Those with power need to be held to a higher standard.
We can clearly assert that the evidence Maxwell has presented to justify his assertions to Motherboard that the PGP keys is false. His motives in this remain a mystery.
This report also uses the strawman logical fallacy, attributing Greg with claims that he never made while avoiding quoting his exact words (instead, optin to quote the press's paraphrase of Greg's words). While Greg said that the algorithms weren't in wide use at the alleged time of the key creation, they repeatedly mis-quote him as claiming that it was impossible to generate such a key at the time. Based on this strawman, they build mountains and hillsides, claiming that they can prove their claim in absolute logical terms ("This is a binary outcome and there cannot be any other result. Either creating the keys was possible, or the evidence reported by Motherboard was unfounded"). That was what Greg actually wrote:
Incidentally; there is now more evidence that it's faked. The PGP key being used was clearly backdated: its metadata contains cipher-suites which were not widely used until later software.
This is what the report claims:
In the logical analysis of evidence, we cannot have contradictions. Where such a contradiction exists, we need to check our premises. In this process that we are exploring together, either we can recreate a similar key along the lines of the one Maxwell has stated could not have existed (WAS NEVER SAID! N.I.) and must have been backdated, or we cannot. If we can create a key using the GnuPG software from 2007 and add the attributes of the disputed keys to a newly created key pair, then Maxwell is wrong. If we cannot complete this process, then he was correct and the keys could have been backdated. This is a binary outcome and there cannot be any other result. Either creating the keys was possible, or the evidence reported by Motherboard was unfounded.
We see here the default hash list of “2.8.3” as Maxwell asserts is the only available choice. (WAS NEVER SAID! N.I.)
The importance of this statement is that Maxwell has firmly asserted that the algorithms, “8,2,9,10,11” have only been added from a later period in 2009 ... We have engaged in this exercise in order to demonstrate that the former statement made by Maxwell is incorrect.
This exercise proves that those algorithms that had been stated to not exist at the time within GnuPG 1.4.7 had indeed been implemented. Maxwell’s assertion is false.
That report is, of course, total and utter nonsense. The algorithms did exists in PGP (no one claimed otherwise), but there was no ciphersuite that combined them together. It was indeed possible to manually select that ciphersuite, the command to do so would look like that:
There's no way that anyone would choose these exact algorithms under the exact same order before it was added as the default to PGP. Its important to note that the ciphersuite was chosen by the open source community after much discussions and knowledge acquired over time regarding the algorithms, which showed this combination to be the most secure. Foreseeing that this suite is going to be the state of the art, a few years before the PGP community figured it out, is extremely unlikely. TL;DR
After Greg exposed Craig's bluff regarding the PGP key from December, Craig writes a report that allegedly proves his key wasn't backdated. It is published on late December '15 - Early January '16 (anyone has an exact date?).
That entire article is based on a strawman, and doesn't really prove anything. It shows that it could be technically possible to create such a key at the alleged time, but completely disregards the fact that the likelihood of that happening is practically zero.
He released this report anonymously, not attributing it to anyone.
He uses this opportunity to discredit Greg, repeatedly attacking his personal integrity and technical competence. He also attacks Bitcoin Core with claims of an hostile takeover by a "small cabal" that wants to control Bitcoin by restricting the blocksize. He smears the "small blocks camp", while heavily advocating for larger blocks. He does that using personal attacks and severe words pointed at highly respected members of the community. About 70%-80% of the report isn't related to the PGP key at all, but rather to politics and attacks.
In his press kit for the revelation, he attaches this report, this time attributed to a forensics company called First Response. In addition to the report, he attaches more attacks against Greg, which he does attribute to himself. The phrasing of his self-attributed attacks strikes an extraordinary resemblance to the attacks in the report.
Having read this report, I now believe that what we're seeing is another stage of a well orchestrated attack on Bitcoin, whose goal is to discredit reputable members of the Bitcoin community, create factions within the community and to sow distrust among community members. This attack hasn't started now. The opening shot was the block size campaign, which was designed to spread toxicity and dissent, promote personal attacks against thought leaders and technical experts, and split the community into two opposing camps. The goal is to dissemble the human and social fabric of Bitcoin, to subvert our trust in the cypher-punk "leaders" of the bitcoin space and to create chaos and confusion, in order to prepare the ground for the second stage - an hostile takeover of the Bitcoin protocol development via a person claiming to be Satoshi Nakamoto, which will support this new development team and lead people after him. I don't usually tend to be overly conspirative, but this report is highly disturbing. It has the very clear agenda of attacking Bitcoin Core and the consensus mechanism, while heavily promoting big blocks. We have appealing evidence that it was written by Craig, which also continues his attack as part of his press release. All of that leads me to believe that the blocksize campaign, the non-stop attacks against the Bitcoin development community and thought leaders, and the Craig revelation as "being Satoshi" are all tightly connected as part of an orchestrated attack. And all of that follows repeating evidence of ongoing sock-puppets and rating manipulation within our online communities, Sybilattackson the P2P network to create a false image of Classic support, and DDoS attacks. (interesting to note that voting manipulation was put into use with greater vigor during the Craig revelations, according to theymos - "there's substantial vote manipulation in /Bitcoin right now"). I truly believe that this is the real thing. We're witnessing an orchestrated full-scale attack on Bitcoin, by a well-organized entity with significant financial means. Buckle up!
Mike Hearn posted this on the Bitcoin Developer Mailing List:
I'm pleased to announce the release of bitcoinj 0.11, a library for writing Bitcoin applications that run on the JVM. BitcoinJ is widely used across the Bitcoin community; some users include Bitcoin Wallet for Android, MultiBit, Hive, blockchain.info, the biteasy.com block explorer (written in Lisp!), Circle, Neo/Bee (Cypriot payment network), bitpos.me, Bitcoin Touch, BlueMatt's relay network and DNS crawler, academic advanced contracts research and more. The release-0.11 git tag is signed by Andreas Schildbach's GPG key. The commit hash is 410d4547a7dd. This paragraph is signed by the same Bitcoin key as with previous releases (check their release announcements to establish continuity). Additionally, this email is signed using DKIM and for the first time, a key that was ID verified by the Swiss government. Key: 16vSNFP5Acsa6RBbjEA7QYCCRDRGXRFH4m Signature for last paragraph: H3DvWBqFHPxKW/cdYUdZ6OHjbq6ZtC5PHK4ebpeiE+FqTHyRLJ58BItbC0R2vo77h+DthpQigdEZ0V8ivSM7VIg=
Thanks to Mike Belshe, the wallet can now send to P2SH addresses.
Thanks to Matt Corallo, the network layer was rewritten from scratch. It no longer depends on Netty, and it now supports both blocking and non-blocking sockets. In practice that means Java's built in support for transparent SSL and SOCKS becomes available again, which in turn means connecting via Tor is now possible. The new framework is lightweight, easy to understand and has been running a DNS seed crawler for some months now.
Thanks to Kevin Greene, we've added some support for the BIP70 payment protocol. Wallet authors can now consume payment requests, check their signatures and submit payments with the new easy to use PaymentSession class. The wallet-tool command line UI has support and an article explains how to use it.
Thanks to Miron Cuperman, the wallet can now watch arbitrary addresses and scripts. The wallet could previously watch an address as long as the public key was known. Now it's possible to watch for addresses even when the public key is not known.
Also thanks to Miron, Bloom filtering was also improved. The system now tracks false positive rates and cleans the filter when FP rates get too high. Unfortunately, some privacy bugs in Bloom filtering remain, which could (amongst other things) allow a malicious remote peer to test whether you own a particular key.
Thanks to Alex Taylor (bitpos.me), a new PostgreSQL based pruning block store was added. This block store is fast, and indexes the UTXO set, allowing for fast lookup of the balance of any given address.
A Java 8 based wallet template app is now included. The template is designed for people writing contract based applications. It provides a simple app that can be copy/pasted, which connects to the P2P network, manages a wallet, and provides a GUI that shows progress, balance, address+qrcode for receiving money and has a button that is used to empty the wallet out. It's designed to have an attractive and modern look, with tasteful animations and artwork.
Micropayment channels got many big improvements to the API and implementation. The release in 0.10 can be seen as a beta, in this release the micropayments code has been taken for a test drive for a couple of real apps and many rough edges polished as a result.
The default USER_THREAD executor can now be replaced, allowing a 1-line switch of all callbacks onto a thread of your choice instead of needing to override each callback, each time. This should simplify and clean up the GUI code of wallet apps significantly.
The WalletTool command line app has a more convenient user interface now.
A new DNS seed has been added. The seed is run by Christian Decker, from ETH Zurich.
bitcoinj 0.11 will shortly be available via Maven Central. Please use the dependency verifier plugin and/or check the PGP signatures on the uploads, if you use this!
We finished adding nullity annotations to the API. You should now be able to assume that any method not annotated with @Nullable won't ever return null values.
The WalletAppKit got a bunch of new features and convenience APIs.
The wallet will now create inputs with dummy signatures if the private key for an output is missing, rather than throwing an exception. You can then edit the input later to substitute in a real signature. This is useful when the signing is being done elsewhere, outside of the library.
In full verification mode, execution of scripts (i.e. checking signatures) can now be switched off. This is useful if you trust the source of the chain and just want to calculate the UTXO set.
The wallet risk analysis code is now pluggable, better documented and checks for finality in a more sensible way.
Various memory usage and flow control optimisations were made to allow much larger wallets to sync on Android.
The transaction broadcast algorithm was changed to be more robust.
Double spend handling in the wallet was improved.
Generated signatures now use canonical S values. This will aid a future hard-forking rule change which bans malleable signatures.
Some fixes were made for enable usage with the Orchid Tor library. Further support for Tor is planned for future releases.
Notable bug fixes
Some hard-forking full verification bugs were fixed.
Thanks to Miron, PeerGroup now performs exponential backoff for peer connections, for instance if we cannot connect to them or if they disconnect us. This resolves an annoying bug in which if the library was configured with a single peer that was down, it would spin in a tight loop consuming battery.
Some functionality of the Wallet class was moved into separate classes under the wallet package.
The micropayments API and protocol changed. New clients/servers are not compatible with apps running against previous releases.
The Wallet sendCoins/completeTx methods no longer return booleans or null to indicate failure, they now throw InsufficientMoneyException?or a subclass if the transaction cannot be completed. The exception object typically contains information on how much money is missing.
Some mis-named methods in the HD key derivation API were renamed.
The WalletEventListener interface has an extra method for watching scripts now.
Peer discovery classes moved under the net.discovery package
Any APIs that relied on Netty are now different.
An article on the networking API
Info on testing your apps, and how to use regtest mode to make a private Bitcoin network that allows you to mine blocks instantly.
A reference table showing which API's implement which Bitcoin Improvement Proposals (BIPs).
--1-- Introduction I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit. If you have no experience with programming or hacking, some of the text below might look like a foreign language. Check the resources section at the end to help you get started. And trust me, once you've learned the basics you'll realize this really is easier than filing a FOIA request. -- 2 -- Staying Safe This is illegal, so you'll need to take same basic precautions:
(Optional) While just having everything go over Tor thanks to Whonix is probably sufficient, it's better to not use an internet connection connected to your name or address. A cantenna, aircrack, and reaver can come in handy here.
As long as you follow common sense like never do anything hacking related outside of Whonix, never do any of your normal computer usage inside Whonix, never mention any information about your real life when talking with other hackers, and never brag about your illegal hacking exploits to friends in real life, then you can pretty much do whatever you want with no fear of being v&. NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable for some things like web browsing, when it comes to using hacking tools like nmap, sqlmap, and nikto that are making thousands of requests, they will run very slowly over Tor. Not to mention that you'll want a public IP address to receive connect back shells. I recommend using servers you've hacked or a VPS paid with bitcoin to hack from. That way only the low bandwidth text interface between you and the server is over Tor. All the commands you're running will have a nice fast connection to your target. -- 3 -- Mapping out the target Basically I just repeatedly use fierce.pl, whois lookups on IP addresses and domain names, and reverse whois lookups to find all IP address space and domain names associated with an organization. For an example let's take Blackwater. We start out knowing their homepage is at academi.com. Running fierce.pl -dns academi.com we find the subdomains:
Doing a whois lookup on academi.com reveals it's also registered to the same address, so we'll use that as a string to search with for the reverse whois lookups. As far as I know all the actual reverse whois lookup services cost money, so I just cheat with google:
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more whois lookups and repeat the process until you've found everything. Also just google the organization and browse around its websites. For example on academi.com we find links to a careers portal, an online store, and an employee resources page, so now we have some more:
If you repeat the whois lookups and such you'll find academiproshop.com seems to not be hosted or maintained by Blackwater, so scratch that off the list of interesting IPs/domains. In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com was simply a whois lookup of finfisher.com which found it registered to the name "FinFisher GmbH". Googling for:
"FinFisher GmbH" inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com ...so now you've got some idea how I map out a target. This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it. -- 4 -- Scanning & Exploiting Scan all the IP ranges you found with nmap to find all services running. Aside from a standard port scan, scanning for SNMP is underrated. Now for each service you find running:
Is it exposing something it shouldn't? Sometimes companies will have services running that require no authentication and just assume it's safe because the url or IP to access it isn't public. Maybe fierce found a git subdomain and you can go to git.companyname.come/gitweb/ and browse their source code.
Is it horribly misconfigured? Maybe they have an ftp server that allows anonymous read or write access to an important directory. Maybe they have a database server with a blank admin password (lol stratfor). Maybe their embedded devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's default password.
Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap will often find running on nonstandard ports, I usually:
Browse them. Especially on subdomains that fierce finds which aren't intended for public viewing like test.company.com or dev.company.com you'll often find interesting stuff just by looking at them.
Run nikto. This will check for things like webserve.svn/, webservebackup/, webservephpinfo.php, and a few thousand other common mistakes and misconfigurations.
Identify what software is being used on the website. WhatWeb is useful
First try that against all services to see if any have a misconfiguration, publicly known vulnerability, or other easy way in. If not, it's time to move on to finding a new vulnerability: 5) Custom coded web apps are more fertile ground for bugs than large widely used projects, so try those first. I use ZAP, and some combination of its automated tests along with manually poking around with the help of its intercepting proxy. 6) For the non-custom software they're running, get a copy to look at. If it's free software you can just download it. If it's proprietary you can usually pirate it. If it's proprietary and obscure enough that you can't pirate it you can buy it (lame) or find other sites running the same software using google, find one that's easier to hack, and get a copy from them. For finsupport.finfisher.com the process was:
Start nikto running in the background.
Visit the website. See nothing but a login page. Quickly check for sqli in the login form.
See if WhatWeb knows anything about what software the site is running.
WhatWeb doesn't recognize it, so the next question I want answered is if this is a custom website by Gamma, or if there are other websites using the same software.
I view the page source to find a URL I can search on (index.php isn't exactly unique to this software). I pick Scripts/scripts.js.php, and google: allinurl:"Scripts/scripts.js.php"
I find there's a handful of other sites using the same software, all coded by the same small webdesign firm. It looks like each site is custom coded but they share a lot of code. So I hack a couple of them to get a collection of code written by the webdesign firm.
At this point I can see the news stories that journalists will write to drum up views: "In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group..." But it's really quite easy, done almost on autopilot once you get the hang of it. It took all of a couple minutes to:
google allinurl:"Scripts/scripts.js.php" and find the other sites
Notice they're all sql injectable in the first url parameter I try.
Realize they're running Apache ModSecurity so I need to use sqlmap with the option --tamper='tampemodsecurityversioned.py'
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it's database admin! For MySQL this means you can read and write files. It turns out the site has magicquotes enabled, so I can't use INTO OUTFILE to write files. But I can use a short script that uses sqlmap --file-read to get the php source for a URL, and a normal web request to get the HTML, and then finds files included or required in the php source, and finds php files linked in the HTML, to recursively download the source to the whole site. Looking through the source, I see customers can attach a file to their support tickets, and there's no check on the file extension. So I pick a username and password out of the customer database, create a support request with a php shell attached, and I'm in! -- 5 -- (fail at) Escalating < got r00t? >
Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester, and unix-privesc-check. finsupport was running the latest version of Debian with no local root exploits, but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer so I add to /etc/cron.hourly/webalizer: