Bitcoin Android Flaw

It’s an issue with java.security.SecureRandom

This isn’t a Java problem. Android uses its own version of Java that is not the same as the desktop version. One of the biggest differences is that Android doesn’t use the Java Virtual Machine that desktop applications use.

So people made up money and hoped that other people would use it? People are using it and now it’s worth something?

more-or-less

Lol, Java blows dick at everything. It just fucking sucks. Too bad Android is really surrounded by it.

http://www.digifail.com/images/research/entropy2.png

Entropy

http://www.forbes.com/sites/kashmirhill/2013/08/12/every-important-person-in-bitcoin-just-got-subpoenaed-by-new-yorks-financial-regulator/

If you want to learn more about bitcoin, there was a really well done planet money podcast on it a few weeks back

Yeah,hopefully this doesn’t happen…

http://blog.libertyreserve.com/index.html

It is pretty awesome and how it is built. I love the idea behind it but wonder its long term benefit with these mining pools getting so powerful and the 51% attack being something possible now.

"The Android security team has been investigating the root cause of the compromise of a bitcoin transaction that led to the update of multiple Bitcoin applications on August 11.

We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG. Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.

Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. A suggested implementation is provided at the end of this blog post. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.

In addition to this developer recommendation, Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.

We would like to thank Soo Hyeon Kim, Daewan Han of ETRI and Dong Hoon Lee of Korea University who notified Google about the improper initialization of OpenSSL PRNG."