undefined | Better HN

0 points0wing8y ago0 comments

1. The vulnrability existed in their active codebase and network - only AFTER the research team contacted IOTA with the working exploit did they shut the entire (centralized) network down to patch the code.

  “In 2017, leaving your crypto algorithm vulnerable to 
  differential cryptanalysis is a rookie mistake. It says 
  that no one of any calibre analyzed their system, and that 
  the odds that their fix makes the system secure is low,” 
   

  Bruce Schneier, renowned security technologist, 
  about IOTA when we shared our attack.



  We discovered a vulnerability in IOTA after reviewing 
  their code on GitHub in July. We disclosed what we found 
  to the IOTA team on July 14th, and have been in contact 
  with them since then as we discovered new issues and 
  exploits. IOTA issued a patch that addresses the 
  vulnerabilities we found on August 7th. IOTA no longer has 
  the vulnerabilities we found, they have been fixed. To 
  learn more about the details of our attack, you can view 
  the full disclosure and review our attack examples.

https://github.com/mit-dci/tangled-curl/blob/master/vuln-iot...

https://github.com/mit-dci/tangled-curl

2. If every other cryptocurrency software team can impliment seed generation in their wallet software, why does IOTA refuse to?

3. Please read this comment from the CEO of IOTA, David Sønstebø on why he doesn't care if you lose money using IOTA: https://reddit.com/r/CryptoCurrency/comments/7gwl38/hello_gu...

0 comments

2 comments · 1 top-level

smrtfckr8y ago· 1 in thread

1) In order for the attack to succeed, the attacker would have to have access to the seed at which point the entire thing becomes moot.

2) The android wallet has seed generation. So it's not a question of "refusal", more a question of priotities. Seedgen had not been a priority of the team. We can argue if its good or bad but at the end of the day, it is what it is. Creating a seed is not hard and if you can't put in the effort, well nobody is forcing you to jump into cutting edge experimental technology in search of lambo when!!!

3) Please click "parent" on that comment in order to realize that, yes, this is not a reply to the original post of the thread but to another person unlike it was made out to be and context does matter. Who knew?

0wingOP8y ago

1. The attack the MIT team developed on IOTA was a way to efficiently brute force wallet key combos to forge transactions of funds.

2. Every other cryptocurrency has implemented the seed generator as it's the most basic and fundamental feature necessary for this type of software. It's so trivial to implement, it really begs the question of why the IOTA team didn't just include it in all their software releases.

3. The comment CEO David Sønstebø was directly replying to was just commenting on how confusing the software is compared to other cryptocurrency wallets:

  I know it sounds simple newb mistake, but even me I 
  probably would have made that mistake and having been 
  using crypto for a while.

  So to sum it up don't use same receive address in IOTA. 
  I'll try to burn that in the back of my brain.

To add insult to injury regarding the OP who lost $30,000, it sure sounded like David was indirectly referencing that users loss with his response to the above comment

  "Price to pay for quantum security :) " - David Sønstebø, IOTA CEO

j / k navigate · click thread line to collapse

“In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low,” Bruce Schneier, renowned security technologist, about IOTA when we shared our attack. We discovered a vulnerability in IOTA after reviewing their code on GitHub in July. We disclosed what we found to the IOTA team on July 14th, and have been in contact with them since then as we discovered new issues and exploits. IOTA issued a patch that addresses the vulnerabilities we found on August 7th. IOTA no longer has the vulnerabilities we found, they have been fixed. To learn more about the details of our attack, you can view the full disclosure and review our attack examples.