1/10 It seems like a good time to mention all the security measures Bitcoin development goes through to make sure what he’s describing doesn’t happen. https://twitter.com/FranckLeroy_/status/1385696522680012802
2/10 1st claim: Hack Github.

Even if GitHub is hacked, there’s nothing to control from that perspective. GitHub holds none of the keys that maintainers use to push code changes. GitHub is just a mirror of each developer’s own local copy of the Bitcoin code.
3/10

In addition, every code change is what’s called a “git commit”, and each commit has a hash commitment. If any of the code’s content changes, the hash commitment changes too, which makes it really easy to tell whether the code has been altered.
4/10 Some may say that since git hasn’t fully transitioned to SHA-2, it’s possible to create a different commit with the same hash commitment (this is quite expensive to do). Bitcoin merge commits use SHA-512 on top of the git hash commitment to prevent this from happening. http://github.com/bitcoin-core/bitcoin-maintainer-tools/blob/master/github-merge.py
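The two layers described in tweets 3 and 4, as an added example (not code from the thread or from github-merge.py): the first function is git’s actual blob object id (SHA-1 over `blob <len>\0<content>`, what `git hash-object` computes), and the second is a SHA-1-independent SHA-512 commitment over the whole tree. The tree encoding and the `check_merge` helper are assumptions for this example, not the exact format the maintainer script records; the sample tree is constructed.

```python
import hashlib
from typing import Dict


def git_blob_hash(content: bytes) -> str:
    """Git's object id for a file ("blob"): SHA-1 over "blob <len>\\0<content>".
    This is exactly what `git hash-object` computes, so any change to the
    bytes gives a different id."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def tree_sha512(files: Dict[str, bytes]) -> str:
    """Second, SHA-1-independent commitment over a whole source tree.
    Hypothetical encoding (an assumption for this example, not the exact
    format used by github-merge.py): walk paths in sorted order and feed
    path, length and content into one SHA-512, so a changed, added,
    removed or renamed file changes the digest."""
    h = hashlib.sha512()
    for path in sorted(files):
        blob = files[path]
        p = path.encode()
        h.update(b"P" + len(p).to_bytes(4, "big") + p)
        h.update(b"B" + len(blob).to_bytes(8, "big") + blob)
    return h.hexdigest()


def check_merge(files: Dict[str, bytes],
                expected_blob_ids: Dict[str, str],
                expected_tree_sha512: str) -> bool:
    """Reviewer-side check: every file must still match the SHA-1 object id
    it had at review time AND the tree must match the SHA-512 recorded with
    the merge. An attacker has to defeat both commitments at once."""
    for path, blob in files.items():
        if git_blob_hash(blob) != expected_blob_ids.get(path):
            return False
    return tree_sha512(files) == expected_tree_sha512


# Constructed sample tree (not real Bitcoin source).
REVIEWED_TREE = {
    "src/validation.cpp": b"int main() { return 0; }\n",
    "README.md": b"hello\n",
}
REVIEWED_IDS = {p: git_blob_hash(b) for p, b in REVIEWED_TREE.items()}
REVIEWED_SHA512 = tree_sha512(REVIEWED_TREE)


def tampered_tree_detected() -> bool:
    """Change one byte in one file after review; both commitments must flag it."""
    tampered = dict(REVIEWED_TREE)
    tampered["src/validation.cpp"] = b"int main() { return 1; }\n"
    return not check_merge(tampered, REVIEWED_IDS, REVIEWED_SHA512)


if __name__ == "__main__":
    print("README.md blob id:", git_blob_hash(b"hello\n"))
    print("tree sha512:", REVIEWED_SHA512[:16], "...")
    print("tampering detected:", tampered_tree_detected())
```

`git_blob_hash(b"hello\n")` reproduces the well-known id `ce013625030ba8dba906f756967f9e9ca394464a` that `echo hello | git hash-object --stdin` prints, which is a quick way to confirm the encoding against a real git install.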
5/10

Also notifying @github and @natfriedman that there’s people trying to stir up a movement to attack GitHub.
6/10

2nd claim: Introduce a backdoor in one of the dependencies of the core code

Bitcoin development takes this aspect of the attack seriously. The Bitcoin build process uses Gitian signing, which means that multiple people build Bitcoin independently and compare the results.
7/10

To include malicious code, you would have to attack all of the Gitian signers. You can also become a Gitian signer yourself! @jonatack
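The comparison step from tweets 6 and 7, as an added example that is not the thread’s or the Bitcoin project’s code: each independent builder publishes a signed digest of the binary they produced, and a verifier only treats the build as reproducible when a quorum of known signers agree and no valid signer disagrees. HMAC-SHA256 stands in for the PGP signatures real Gitian signers use, the signer names, keys and binaries are constructed, and the quorum policy is an assumption for this example.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, NamedTuple


class Attestation(NamedTuple):
    signer: str
    artifact: str
    digest: str   # SHA-256 of the binary this signer produced
    sig: str      # hex HMAC-SHA256 over "artifact\ndigest" (stand-in for a PGP signature)


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _msg(artifact: str, digest: str) -> bytes:
    return f"{artifact}\n{digest}".encode()


def sign_build(signer: str, key: bytes, artifact: str, built: bytes) -> Attestation:
    """What each independent builder publishes: the digest of what *they*
    built, signed with their own key."""
    digest = artifact_digest(built)
    sig = hmac.new(key, _msg(artifact, digest), hashlib.sha256).hexdigest()
    return Attestation(signer, artifact, digest, sig)


def verify_attestation(att: Attestation, key: bytes) -> bool:
    expected = hmac.new(key, _msg(att.artifact, att.digest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.sig)


def check_reproducible(atts: List[Attestation], keys: Dict[str, bytes], quorum: int) -> dict:
    """Verifier logic: drop attestations that do not verify under the
    signer's known key, then require `quorum` signers to agree on one
    digest with nobody disagreeing. Any valid disagreement means the build
    is not reproducible (or a builder was compromised) and needs investigation."""
    valid, invalid = [], []
    for att in atts:
        key = keys.get(att.signer)
        (valid if key and verify_attestation(att, key) else invalid).append(att)
    counts = Counter(a.digest for a in valid)
    if not counts:
        return {"ok": False, "digest": None, "agreeing": [], "disagreeing": [],
                "invalid": sorted(a.signer for a in invalid)}
    digest, n = counts.most_common(1)[0]
    agreeing = sorted(a.signer for a in valid if a.digest == digest)
    disagreeing = sorted(a.signer for a in valid if a.digest != digest)
    return {
        "ok": n >= quorum and not disagreeing,
        "digest": digest,
        "agreeing": agreeing,
        "disagreeing": disagreeing,
        "invalid": sorted(a.signer for a in invalid),
    }


# Constructed scenario: four known signers, one of whom may end up with a different binary.
KEYS = {name: f"key-{name}".encode() for name in ("alice", "bob", "carol", "dave")}
GOOD_BINARY = b"\x7fELF...bitcoind (constructed bytes)"
BAD_BINARY = b"\x7fELF...bitcoind (constructed bytes, with one byte changed)"
ARTIFACT = "bitcoin-x86_64-linux-gnu.tar.gz"


def scenario(dave_gets_bad_binary: bool) -> dict:
    builds = {"alice": GOOD_BINARY, "bob": GOOD_BINARY, "carol": GOOD_BINARY,
              "dave": BAD_BINARY if dave_gets_bad_binary else GOOD_BINARY}
    atts = [sign_build(s, KEYS[s], ARTIFACT, b) for s, b in builds.items()]
    # An attestation from an unknown signer is ignored rather than trusted.
    atts.append(Attestation("mallory", ARTIFACT, artifact_digest(BAD_BINARY), "00"))
    return check_reproducible(atts, KEYS, quorum=3)


if __name__ == "__main__":
    print(scenario(dave_gets_bad_binary=True))
    print(scenario(dave_gets_bad_binary=False))
```

With a divergent signer the result is `ok: False` even though three of four agree; that is the point of the scheme, since a single mismatching builder is exactly the signal that either the build is not deterministic or someone’s toolchain was tampered with.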
8/10

Bitcoin is also one of the very few projects that consider the threat of the compiler itself being malicious. @dongcarl’s work on building the Bitcoin software without trusted toolchains makes Bitcoin’s attack surface even smaller. http://github.com/bitcoin/bitcoin/blob/master/contrib/guix/README.md
9/10

3rd claim: Wait for it (the vulnerability) to be deployed

Developers are not the only ones who make up the security of Bitcoin. Users also play an important role as rule enforcers. Since users are in control of their own nodes, a single entity cannot just “deploy”.
10/10

Most likely, nodes running the malicious code would be banned by the other Bitcoin nodes that are enforcing the rules.

Therefore, it’s really important that you run your own Bitcoin node. It helps you and the entire network. Just do it.
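Tweets 9 and 10 in miniature, as an added example that is not the thread’s code and not Bitcoin Core’s: honest nodes validate each block a peer hands them against consensus rules and drop the peer the moment it breaks one. The block weight limit (4,000,000 WU) and the 50 BTC subsidy halving every 210,000 blocks are real consensus parameters; the block structure, the network, and the policy of banning a peer on its first invalid block are simplifications assumed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SATOSHI = 100_000_000
MAX_BLOCK_WEIGHT = 4_000_000     # real consensus limit, in weight units
HALVING_INTERVAL = 210_000       # real: subsidy halves every 210,000 blocks


def block_subsidy(height: int) -> int:
    """Consensus subsidy in satoshis: 50 BTC, halved every 210,000 blocks."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return (50 * SATOSHI) >> halvings


@dataclass
class Block:
    height: int
    weight: int
    coinbase_value: int   # satoshis claimed by the miner
    fees: int             # satoshis collected from the block's transactions


@dataclass
class Node:
    """A user's node: validates what peers send and drops peers that break the rules.
    Banning on a single invalid block is a simplification (assumption for this example)."""
    name: str
    banned: Set[str] = field(default_factory=set)
    accepted: List[int] = field(default_factory=list)

    def validate(self, block: Block) -> Optional[str]:
        if block.weight > MAX_BLOCK_WEIGHT:
            return "block weight exceeds MAX_BLOCK_WEIGHT"
        allowed = block_subsidy(block.height) + block.fees
        if block.coinbase_value > allowed:
            return f"coinbase claims {block.coinbase_value} sat, rules allow {allowed}"
        return None

    def receive(self, peer: str, block: Block) -> bool:
        if peer in self.banned:
            return False
        reason = self.validate(block)
        if reason is not None:
            self.banned.add(peer)   # the peer is running code that breaks the rules
            return False
        self.accepted.append(block.height)
        return True


def scenario() -> Dict[str, Set[str]]:
    """Constructed network: three honest nodes and one peer running altered code
    that tries to 'deploy' a rule change by paying itself a 100 BTC subsidy."""
    honest = [Node("n1"), Node("n2"), Node("n3")]
    valid = Block(height=700_000, weight=3_990_000,
                  coinbase_value=block_subsidy(700_000) + 50_000, fees=50_000)
    rogue = Block(height=700_001, weight=3_990_000,
                  coinbase_value=100 * SATOSHI, fees=0)
    for n in honest:
        n.receive("rogue", valid)   # plays by the rules: accepted
        n.receive("rogue", rogue)   # breaks the subsidy rule: rejected, peer banned
        n.receive("rogue", valid)   # ignored: already banned
    return {n.name: n.banned for n in honest}


if __name__ == "__main__":
    print(scenario())
```

The altered peer only ever had a vote over its own node; every other node independently computed that 100 BTC exceeds the 6.25 BTC subsidy at that height and cut it off, which is why running your own node matters for the network and not just for you.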
11/10

Finally, if you’d like to fund the people working on Bitcoin, you can donate directly to developers at http://bitcoindevlist.com. For tax-deductible donations, donate to the Bitcoin Development Fund campaign that @HRF is running at http://hrf.kindful.com, or to @bitcoinbrink.
12/10

It also helps to use companies like @Bitmex, @Kraken, @OKCoin, and others who fund and support Bitcoin development.
You can follow @kcalvinalvinn.