In the world of cyber-security, responsible disclosure is an important subject.
Responsible disclosure is the timely reporting of issues as you find them, to authorities and vendors (and not the general population). I cannot really add much to the responsible disclosure discussion. It has matured in my lifetime from hackers seeking vendor emails on the Bugtraq mailing list to a NIST-managed database of CVEs, bounties and prizes and more.
To better define responsible disclosure, we might contrast it with its antonym, irresponsible disclosure. So, what is irresponsible disclosure?
Firstly, the aim of responsible disclosure is keeping information about vulnerabilities away from adversaries with malicious intent, so as to mitigate and patch those vulnerabilities in products and services before publication of said vulnerabilities, which can and does invite exploits to be developed around them.
It's then safe to assume irresponsible disclosure is when a vulnerability is published without regard to any impacts. However, there is always more to civic responsibility than a narrow, technical impact assessment, and more basic (dare I say political) questions should be asked, like 'what will be done with the vulnerability report?' and 'how will the recommendations be implemented?' These management decisions are always a part of the security picture, even if not in reporting scope.
Stingy security
Not all vendors operate with the same regard to security, it might go without saying, and an emerging threat is vendors who churn products out without supporting and patching firmware over their usable lifetime. Other words for this include enshittification or planned obsolescence. It's a lament of the cyber-security researcher that, on technical merit, looking at things like AppArmor, the Mirai botnet should not be a thing in 2024, but here we are, living in the Internet of Shit.
Hackers will fight fatigue until 4am timing a glitch attack on NOR flash to bypass signed boot-loaders, a million dollars of security wrecked in one night, only for a vendor to go 'lol firmware? if you want cash sign this NDA and STFU'. Of course, I'm exaggerating to make a point: there's not a lot of love from some vendors considering the effort involved in researching vulnerabilities.
In fairness to said companies, no one likes receiving bad news, and especially not shareholders, but there aren't even any responsible-disclosure-type bug bounties for breaking Bitcoin; only some exchanges and wallet clients or services offer bounties, and I don't help criminals. So, what's in it for independent researchers working to test Bitcoin itself? Nothing, is what. What incentive is dangled for researchers? Some silly "blockchain" token and 400 more kilograms of CO2 in the atmosphere? Keep it, I need cash for food and fuel.
With that in mind there is a missing discussion around Bitcoin, and how it has not responded to reports of what by my estimation would be a Common Vulnerability Scoring System (CVSS) 8.0 issue, first raised over a decade ago now. CVSS goes up to 10.0, so that's a really bad bug, and yes, I am comparing Bitcoin's security to the woeful state of cheap router and IP camera firmware. Although even the Microsofts and Palo Altos of this world can wear a CVSS 9 and barely take a hit to their share price. I find that mystifying in its own right.
Showing its age
Bitcoin has not significantly improved its security posture in 10 years. What seems to most concern users is availability; denials of service have occurred, and the mempool grew in response, but that is completely uninteresting to me. The biggest scare to date was probably the vanity address saga, which resulted in new address types, but no one deprecated the old ones, and technology on the factorization side of things has come a long way since "AI" became a thing.
It probably can't be stressed enough how much has changed in 10 years on the ground in cyber-security, while Bitcoin has rested on plagiarized laurels, and that leads me to think about the size of "crypto" markets and how they amount to a three trillion dollar Pyramid or Ponzi scam. This gigantic mess is in a weakening security position, and we know bubbles go pop; the interesting questions are when and how.
With a high attack complexity (AC:H, in CVSS parlance), straight cracking of Bitcoin with no compromise of systems or wallets by other means was entirely theoretical and condescendingly joked about when first reported. To break that you would need to break SHA, was the orthodox thought.
Hold my beer
However, orthodoxy and hacking do not mix. I recall our team leader once told me, with a confidence I'll never understand, that the old Heartbleed bug, mysterious and new at the time, was "far too complex" for anyone except a nation state to pull off, and that we shouldn't even test for AC:H bugs because of time constraints. But I don't appreciate being told to do a shit job to cover for someone else's failures, scoping jobs incorrectly then covering ass, so I put a juicy RSA key into my next report by exploiting it (redacted, of course).
I had an interesting meeting afterwards where they told me not to do that, ever again. The biggest fear of a security researcher is missing a bug, so we have a peer review process, and one or two surely slipped by me, which we luckily found. But I think they did not like me exploiting bugs they had missed. On the first day of another job I found a CVSS 9 or 10 (leading to the krbtgt on their domain) which they had missed after years of previous review and which was not picked up in peer review; things did not become easier for me after that. FWIW this company went under soon after I left, and I heard through the grapevine that person later got into "crypto" and did well out of it. Good luck to them.
Fast forward a decade and a Bitcoin brute-force vulnerability can no longer be easily discounted, like Heartbleed was then, with unexplained thefts seen in the wild. Additionally, there exists a suspiciously fast-growing crypto asset recovery industry that seems to have no bloody clue what's going on, sometimes so suspiciously clueless about "crypto" that I can't help but wonder if they are simply in on the Pyramid scam. It's true that direct key compromise due to implementation weakness remains a relatively low threat, compared to the easier route of pinching wallets off of filesystems with some sneaky JavaScript after a cute email or whatever, but it is nonetheless a realistic threat and only becoming more practically exploitable with time.
It might shock readers to know a WordPress or Drupal site like this one employs stronger password hashing than Bitcoin uses to secure all its balances. Microsoft deprecated the RIPEMD function Bitcoin constructs addresses with a decade ago, and like MD5 you have to hack it back into a modern TLS/SSL library on Linux or BSD, because no one would be insane enough to use hash functions deprecated 10 years ago, right?
"Vendor" Response
Well, the Bitcoin community is, and their response to this brings to mind images of tumbleweeds: it never resulted in any change. Instead, a response came from an unknown person who created the 'puzzle transaction' as a kind of cryptographic canary in the Bitcoin mines. This is very interesting because, since "Satoshi" vanished, it is easily the most significant contribution to Bitcoin in a strictly cryptographic sense. Vanity addresses were just people being dumb, not malicious. Satoshi stacking non-injective functions back-to-front is a bit harder to communicate and a bit more serious, but like climate change it is easy to disregard because the time-scales involved make disaster appear far away on the horizon, until it is too late to avoid.
The puzzle transaction contains 160 keys of increasing bit-wise size (or complexity) and growing unspent outputs (as rewards), up to the key ceiling introduced by this vulnerability. The puzzle transaction is now missing 125 of its 160 pieces, with odd 5-bit intervals going missing faster, because the RIPEMD-160 layer was apparently broken and the SHA brute-forced, exposing the EC public key's private part to traditional or 'Newtonian' (brute) search methods, some of which are impressively un-brutal, even elegantly advanced now.
This 5-bit step is mysterious, and an explanation surely exists, but the thing to remember about the puzzle transaction is that it's game over for the unspent transaction outputs, known as the UTXO set, when it gets up near 160. Having two newer address types hasn't solved this, because fees make the simpler PK hash more attractive to use.
That should seriously concern crypto proponents, yet many continue to promote Bitcoin, unaware, unwilling or unable to understand the truly flaky nature of this Pyramid scam. And of course Ethereum has also failed to deprecate RIPEMD, despite also receiving vulnerability reports. It's important to note a 125-bit key is still huge, and for a single given target key likely impractical to crack in a linear search, but due to Shannon's limit, if you can smash ~136 bits you'll own ~50% of the UTXOs and it's probably 'gg' at that point. Such an exploit is of little or no use to 'tainted' crypto recovery agents; I think of it more like taking a bat to the whole digital pinata: only 10 or 12 bits to go and you get the whole prize.
But I can only speculate, because whoever found that 125-bit key is not coming forward or saying how, and why would they? So it is also important to note the puzzle transaction is only indicative of what is confessed to or bragged about being found: the puzzle transaction rewards are relatively small compared to playing pinata with the UTXO sums, and it relies on a kind of honesty completely absent in the community; the best methods stopped evolving publicly years ago.
The numbers game
I can reach ~400 peta-keys per second on a 5-year-old Ryzen; there are now various Bitcoin 'cracking' projects on GitHub to choose from, and 400e15 keys/s sounds impressive until seen against the massive search space, but it does move the goalposts favourably towards a commodity hardware facility busting the blockchain in a matter of years, not until the 'heat death of the universe' or whatever. I can only surmise Moore's Law is well and truly ignored by the Bitcoin community, a problem compounded by a broken threat model which incorrectly supposes mining is the principal security feature. It does not surprise me if the Bitcoin community can only exist in this constant state of self-deception about mining; if that mask slips, the whole casino is laid bare.
A brute force attack is impractical over SHA at 256 bits: the fabled "Sybil" attack is complete nonsense, but we do know that the actual search space has been reduced by Satoshi being a paranoid fucking idiot who distrusted NIST and the NSA, not unlike his libertarian contemporaries after the whole Clipper chip thing. In another line of thought, entertaining this Sybil nonsense is great cover for creating a collision corpus that helps factorize SHA for a fast inverse function, which would leave things like GOST Streebog the strongest unbroken one-way function... but I digress.
Because of Satoshi's "wisdom" in ordering operations in the address format, 256-160 (the SHA word size minus RIPEMD's) leaves a difference of 96^2 keys per Bitcoin address. A significant number of collisions exist in this suspiciously unnecessary, surjective function stack because they must, and so the interesting discussion is not any Dunning-Coiner babble about whether this is possible, but further improving the efficiency of relevant search algorithms, engineering advances like bloom filters entirely on-cache and so forth.
In a word to any crypto proponents: it'd be naive to assume only the puzzle transaction, and not the entire UTXO set, would be targeted if going to the effort to craft these tools, which people clearly have! You can fit the whole non-zero balance set into the L3 of an IBM Power processor these days; it was about 80MB last I looked. That was not a realistic threat when Bitcoin was designed, plus there are enough registers to run RIPEMD in a native word size with the IBM virtual address width modes? Old IBM Power machines don't even sell on eBay; they're cheap, powerful and unwanted, so it seems like a massive fucking risk should someone not invested in Bitcoin, and with the inclination to break it, decide to lift a finger. If at this point anyone still thinks "mining" hash power secures the blockchain, they need a whack with a security engineering manual.
Hackers don't give a shit about hypothetical Sybil attacks and absolutely would smash the whole fucking pinata at once, for fun and not profit, because life is too short to waste time on worthless threat models that misidentify burning fossil fuels as a security feature. The lesson from ASIC growth is maybe relevant: such tools are not proliferated in the community when gold is struck; they are coveted, because who asks the farmer to see the Golden Goose?
There's a "TL;DR" from this in that "mining" stopped being optimal in late 2017, if I am not mistaken. If you have the skill, the time and the money (choose any two, right?), cold taking Bitcoin is a thing, and the best part is no one will probably ever know, because by its nature current account balances are increasingly consolidated amongst fewer and fewer addresses, allowing for 'organic' movement of older balances with weaker keys as they are likely found first, in a standard distribution. Words like 'perfect crime' do come to mind. If this is the case, don't quote me yet, it may also be well hidden from analysis with Benford's law. Companies like Chainalysis would be none the wiser, with their methodologies being built around the same old assumption that "mining" is impenetrable security.
The reporting dilemma
The moral dilemma I perceive with such a Bitcoin vulnerability is: is it responsible to even report a vulnerability, in the first instance, to white-collar criminals who obfuscate a Pyramid scam with blockchain technobabble?
From the cyber-security business perspective, reporting on "crypto" bugs is helping out a nightmare customer who attacks your other customers: the only wise thing to do is show them the door, and in my personal experience good faith engagement with Bitcoiners is reciprocated with insults and abuse. As a rule the "crypto" community gets toxic when challenged about their cult beliefs around security and mining. It's a waste of time dealing with them, and somehow seems no different from reporting to a disinterested or untrustworthy vendor located in an authoritarian state.
As a business you have the right to refuse customers, and analogies are never 100% accurate, but to indulge one: why help criminals make a stronger safe for their loot, knowing full well that safe won't be used to store innocent grocery shopping money? Bitcoin isn't some apolitical dual-use thing; it's a primarily illicit use case: Pyramid schemes are illegal, even used to raise money for wars against democracies. Would you report a vulnerability in Streebog to the Russian GOST, part of a government currently waging a war in violation of UN resolutions and long-recognised borders (even Khrushchev said Ukraine would "never be Russian"), or to the USA's NSA & NIST, etc.?
I think asking ourselves such questions can help decide whether a disclosure is responsible or irresponsible. Who benefits is the core question. In the case of Pyramid scams, the person most benefiting is probably not you, and there are mathematical proofs of that.
Like it or not, politics is a part of security threat modelling, and technology is not apolitical: every tool has a use, and if Bitcoin is the software of monetary expansionism, I'd say it is most akin to the Reichsmark being used to cause domestic inflation in economies the Nazis were attacking. There's maybe also a relevant history lesson in knowing that Stalin took most of that machinery and printed even more Marks than the Nazis did, without regard for the post-war German economy. Nor is there any financial emancipation in creating a new technocracy, where issuance of capital is given not to democratic process but to selected, already privileged barons of some new Silicon empire.
It's also ironic to think of disclosing Bitcoin bugs "responsibly" to the community, because no one owes Bitcoin any favours like that. It got to where it is with a toxic fervour for full and unredacted, open disclosure: in the libertarian politics of Bitcoin, full disclosure is more often than not some 'hill to die on'.
In practice, things like 'nothing up my sleeve' numbers do exist in hash function design, because they are lossy compression functions, and it's not like JPEG was ever a successful image format... the actual security principle here is named Kirchoff's principle and is certainly not any invention in Bitcoin. The idea is older than Napoleon.
Kirchoff's principle simply states that, all else being equal, no crypto-system is more secure than its key management practices. Similar concepts can also be found in Aesop's fables, Chengdu and so forth: it is general wisdom. I've seen the concept called other things, which are probably all just as correct, but the etymologist in me prefers this term. The name Kirchoff is also famous for the fundamental network equations used in electronic circuit design. Those equations are less recognized than, but just as important as, Ohm's Law.
My main question is open, and I have no good answers: what exactly is the collateral damage of 'pulling the pin' on something like Bitcoin with full disclosure? If retirement funds, who can and should know better, are deceived to the point of being in harm's way, what is truly irresponsible disclosure in the circumstances? If they bet the house on lucky blockchain number 7 and did not perform due diligence, qualitative and quantitative analysis?
I actually did reach out to a retirement fund; they seemed disinterested in receiving any kind of 'heads up' about Bitcoin issues or vulnerabilities. They had sadly bought into the hype and lies with no sign of coming back to reality, but I feel better for having warned them Bitcoin is not 'up to spec'.
Conclusion
This overdue discussion about 'what if' Bitcoin breaks will hopefully happen before something bad does, but as much as I'd celebrate it, I'm not any kind of vigilante trying to accelerate its demise, please rest assured. Even imaginary Internet money has value to people, so long as value is subjective.
I also don't know what will happen to Bitcoin; my feeling is just that it's never been more dangerous to have a cent in it, because Bitcoin would not pass a modern security assessment. Brute forcing has become a practical enough attack for me to worry about a Bitcoin bombe going off and fallout spreading to non-crypto markets. Not a literal bomb, of course: I mean a fast and accurate-enough approximation of an essential one-way function, as in the Enigma-cracking 'bombe' computer.
It'd be another kind of irresponsible non-disclosure to avoid discussing a 'cryptopocalypse', with all that is riding on Bitcoin. An approximate solution to RIPEMD is likely to do a lot of damage if combined with linear search techniques, and straight factorisation attempts (pre-AI, by a Japanese high schooler) made good-enough headway into it for deprecation out of official standards like FIPS. If I can find weak keys but the weak keys are all gone, then it's safe to assume there's more of this going on, and likely at a scale I can never achieve personally. The energy cost involved, over the yield from this type of key 'recovery', is definitely more attractive than mining: the notion that hash "power" is security has always been a myth.
The Bitcoin community ignoring reports (and later proofs-of-concept) of this CVSS ~8, out of nothing more than sheer hubris and perceptions of superiority, going on about the heat death of the universe happening first, is a story in its own right which I suspect time will tell. The advent of gradient descent optimization frameworks, machine learning and tensor-heavy and even newer (2024) 'wide branching' processor designs can and will change the security situation for Bitcoin. Even the PlayStation 3 changed Bitcoin mining like nothing else, until ASICs and later the TSMC BM-series came along. Before ASICs, for maybe 2 years no GPU could compete in the joules-per-hash stakes against the IBM Power in the PS3, the one metric which decides if scaling out works.
I hope to be clear that I'm not sitting on any Bitcoin zero-day, and no special hacking tools either, sorry; this risk has just grown in good proportion to both the growing market capitalization and advances in technology. Many would prefer not to hear that the Crypto Emperor named "Satoshi" has no clothes, and doubled up non-injective functions THE WRONG WAY ROUND, decimating the practical search space. This is the quality of "blockchain" security. A complete fucking joke, but it "works" if an orgy of fossil fuel consumption by computers was the goal, and if you ask questions about that in the crypto community, prepare for a 'Galileo' experience.
It's history now, but for the longest time MD5 was considered just as un-crackable as Bitcoin (i.e. SHA) is today. You wouldn't joke about it, or maybe you would joke about people going cray with a Cray trying. But a fast approximation changed that, methods improved, and a sufficiently accurate (not complete) factorization on a well-piloted Pentium 75 did what was previously considered impossible until the 'heat death of the universe', as some like to confidently say.
Thank you for your time, and to finish with a sly smile, please enjoy this Bob song ;-)
Bob Marley - Big Tree, Small Axe