Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys

Video duration: Not yet available
Language: English

Abstract
We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars' worth of cryptocurrency to anyone willing to 'crunch the numbers'.
The fatal flaw? Not enough chaos.
Learn how we found and disclosed issues in affected open source wallet software, brute-forced thousands of individual affected wallets on a budget, and traced over a billion US dollars' worth of prior transactions through them.

In July 2023, people in our circle of friends noticed a series of seemingly impossible cryptocurrency thefts, which added up to over one million US dollars.
A common denominator was discovered across the set of victims we knew: the wallet software `libbitcoin-explorer`. Vulnerable versions used a weak pseudorandom number generator when creating cryptocurrency wallets. Within a short period of time, we disclosed the vulnerability, [CVE-2023-39910](https://milksad.info/disclosure.html).
Using this weakness, attackers were able to compute private keys of victims, which is supposed to be impossible under normal circumstances.

In this talk we
* 📜 - tell the story of uncovering a digital currency heist
* 🌐 - dive into similar vulnerabilities
* 🔍 - trace the movement of coins
* ⚖ - outline ethical challenges of cryptocurrency security research
* 🛡 - explore methods to defend and protect against this bug class

Our intention is to share the story of how little details can have big consequences and the importance of quality chaos.

Talk ID: 38c3-527
Event: 38c3
Day: 4
Room: Saal GLITCH
Start: 11 a.m.
Duration: 00:40:00
Track: Security
Type of: Talk
Speaker: John Naulty
Talk Slug & media link: 38c3-527-dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys
