A botnet in control of a huge quantity of bitcoin's, throwing them at the miners network in minimal transactions sounds like a miners delight to me. There is a minimum mining fee, so while in the short term it might cause the bitcoin miners to gag on their feast, in the long term all it will do is transfer that huge quantity of bitcoins to the miners. Why on earth would anybody do that?

As for traditional DDoS - the history of bitcoin is one DDoS after another. Just recently some bright spark must have decided that because mtgox said there was a transaction malleability flaw it must be true, and started modifying every transaction they could get their hands on. In other words: if every there was a network battle hardened against DDoS's, it's bitcoin.

Yes, it is huge compared to today's transaction fees. But mining fees will continue for some time yet. The bet is by the time they become insignificant mining fees won't be so small. A clue is the credit card network current roughly 10,000 transaction per second. If bitcoin managed that at 0.6c per kilobyte (the fee bitcoin relays demand) mining fees would be $72,000 per block.

To gain an insight into the odds of that happening, Paypal processes around 9 million transactions per day, or 100 per second. Paypal's revenues were $6.6 billion last year. That translates to Paypal making over $2 per transaction. Bitcoin doesn't offer the same service of course, but it currently charges $0.002 for a single transaction. (A transaction takes roughly 360 bytes).

You forget there are users of these coins - be they bitcoins or altcoins. In the end it is the users that pay the mining costs, be they transaction fees or mining rewards. In a word of competing altcoins, this translates to only the users having a vote on what the best set of rules are. What the miners think of the rules is largely immaterial. If you think this isn't true, try and set up a altcoin with spectacular miners rewards and see how many users you get. Maybe you will succeed where all other altcoin founders have failed.

The bitcoin foundation seems to be very aware of this underlying reality, and is behaving accordingly.

Just about all mining is done using ASIC now, and ASIC's are in an unenviable position. Unlike CPU's and GPU's or even FPGA's, they are utterly useless outside of bitcoin. So they will remain deployed until they cost more in power to run than they get in mining fees. This means the current mining power isn't going away any time soon.

Botnet's can earn a return from a variety of sources, not just mining. So the question becomes "is it worth competing against the ASIC's"? In terms of power cost a top end Intel CPU's is roughly 100,000 worse than an ASIC. So even if some miners drop out Botnet's are unlikely to win more than a minor percentage. If the rewards of mining have dropped so much that ASIC's are dropping out, then it's a minor percentage of a small number. Add to that mining's soaking up 100% of CPU time makes an infection by the bot stand out, which decreases the half life of your botnet ... and yeah, I expect it will continue even when there are only transaction fees.

Then there is the whole other question of "does it matter?" If a botnet does take over the mining pool, there is the little issue that bitcoin is intrinsically worth nothing. It's not like they have taken over a pot of gold. Bitcoin is only worth something if people trust it. So if they don't undermine it, they have something that will pay out forever. If they do undermine it, they have got control of 2^51 bits that no one in the right mind would buy and their source of transaction fees has dried up.

It's weird actually. Claiming bitcoin can never succeed because it is worth nothing has to be one of the more popular meme's. The reality is being worth nothing is one of bitcoin's core defences. So far all currencies that have been based on something tangible (like e-Gold) have lacked that defence, and have failed.

Said like a person who doesn't have a clue about the shear amount of resources being thrown at bitcoin mining.

Currently, the bitcoin mining network is doing 6,549,663,840,000,000 SHA-256 hashes per second. Lets say you have a botnet of 1 million Haswell's. The fastest Intel CPU there is, a Xeon, and it can't do more than 20M hashes per second. So your 1 million Haswell botnet will manage to capture 0.3% of the bitcoin networks mining power.

Yes, people have speculated in the past that bitcoin might be susceptible to botnets. Even if was true the vulnerability window has well and truly closed.

Firstly, there already is a "tax" of the sort they say is needed. Currently the bitcoin relays don't accept transactions containing a tip of less than 0.6cents per kilobyte.

Secondly, there is nothing to force a miner to pick up a transaction, now. Right now, if a transaction doesn't contain a fee there is no incentive for the miner to include it in the block they are working on. Regardless of whether the miner includes transactions or not, they still get the mining reward.

Transaction fees are like an auction. The customer puts in a bid at the lowest price he thinks the miners will accept, each miner decides whether that fee makes it worth his while to include the block. If the customer wants the transaction processed quickly he will put a comparatively high fee on it so every miner will be interested. If not, they put a low fee on it.

This is called a market. It is how bitcoin is supposed to work.

Yes, +1000. Oh, if only I had mod points.

Both X509 and the "web-of-trust" are bloody terrible. Out of the two X509 is marginally better. If you are dealing with a shop unknown to you, X509 does give you a small amount of confidence their web sites cert is controlled by them. A GPG key signed by 100's of people you don't know doesn't. Unfortunately SSL then weakens this to being almost useless by not creating a new trust relationship with that store's cert, and ignoring the X509 PKI infrastructure from then on. A basic security tenant is if you must trust Trent, you do it for as little as possible. X509 requires you to do it forever, rendering you vulnerable to failures in it's PKI forever. At least GPG does allow you to bypass Trent.

The root cause is that both require to put your trust in some arbitrary thing - be it X509 or the web-of-trust. In reality when I go to debian or mozilla or a web store, I've already made my decision I'm going to trust them. Rarely (if ever) do the assertions of the PKI networks have a bearing on the decision. Debian then seals that trust by installing a certs in the install image, so I can be sure every upgrade from then on come from Debian. I presume the Mozilla does the same thing. In both cases they take responsibility for their own security once I have made my decision. The reason I want an encrypted connection to the web store is to protect the funds transfer. The people who I put in charge to manage the security of those funds is the bank, who make me sign lots of pieces of paper and use lots of passwords to prove who I am. Everywhere, that is, except the 'net, where they rely on X509 PKI to ensure I really am talking to their web site and not Mr Slimeball.Phising's web site. Seriously, what is wrong with sending me an X509 cert and insisting I identify myself with that? It almost as if they believe the 'net is the safest place on the planet, rather than than the one of the most infested phishers, con artists, and NSA types.

You don't say why. But I'm guessing if I follow you logic the people who programmed Deep Blue were better at chess than Deep Blue itself, or the people who programmed Watson were better at Jeopardy than Watson. Since computers did these tasks better than the best people in the world clearly they weren't, and by a large margin.

Technically computers can do some things better than us. For example, they can store a series of images of someone responding to pain perfectly for long periods of time. Humans can't. A direct consequence is humans must make their decision on a facial expression within a second or so. Computer's on the other hand can take as long as they want. So if you give them 20 minutes they can multiply whatever power they have at hand by over 1000 (since 20 minutes is over a 1000 seconds).

The reality is that the issue isn't the about of computer power a computer can bring to the table. It is true humans have huge brains, but it has to be split over many tasks. For any single task it is now easy to throw order's of magnitude more compute power at it than a human can. So the problem isn't that the brain is more powerful than a computer, the problem is the programmers figuring how to do the task. One they do that - well Facebook is now better at recognising faces in photographs that a human is.

Yeah, you could be forgiven for thinking that from the headline, or indeed the linked story. Both are wrong.

Yes, there transaction malleability issues were fixed. But no, mtgox woes weren't caused by transaction malleability. Yes, I realise mtgox claims they were, and I realise the popular media swallowed that line without questioning it too much. In reality it was at best tangentially related and mtgox's statements on the issue were PR statements designed to keep customers, not an explanation of what happen. To date they have released any resembling that.

There were a number of transaction malleability problems. The most serious were fixed a year ago. The one fixed a year ago was the bitcoin core software accepted numbers with leading zero's, thus there were several ways to write down the same transaction. This was never intentional, and the fix was to ban numbers with leading zeros. To my knowledge that form of malleability was never exploited. Mtgox's problem was their software produced transactions with leading zero's, so their transactions were rejected by the mining network after the fix. Hackers found a way to exploit that, due to a second bug in the mtgox software.

The headline is also miss-leading on the shear number of changes. Like the web, bitcoin software has several parts. Among them are a GUI client part people use to manage their wallets, a part that can do mining, and a core part the defines the bitcoin protocol and messages. It is the core part that is the equivalent of the HTML 4.01 spec. It was the bit tightened to prevent transaction malleability, a better definition for OP_RETURN and a few other tweaks. The bulk of the changes were in the rest. However, "the rest" is to bitcoin like web browsers, proxies specific servers are to the HTML 4.01 spec. Very few people actually use the reference bitcoin wallet, for instance.

I am not sure what you mean. Every spend of your bitcoins has to be signed by your private key. It doesn't have to be submitted by you, but it must be authorised by you by that signature.

Hmmm. What do you think bitcoin is good for? Do you think it is the equivalent of storing your life's savings under a mattress, or doing transactions?

You can use it to do either. The mattress scenario is easy enough. You just print your private keys out a few times on a piece of paper, and put them in safe deposit boxes. To put money under the mattress you just transfer funds to that key. You don't need access to the private key to do that. To get a large lump out of the mattress is appropriately more difficult and tedious. You disconnect the network, boot off a live CD, create the necessary transaction and put it on a USB key, reboot and send the transaction. It may be painful (although maybe not as painful as having to visit a bank), but it's safe from virus and hackers.

However, the mattress isn't what bitcoin is meant to be good at. It's forte is doing transactions cheaply and quickly. A far more likely scenario is putting the amount of cash you would normally carry around in your wallet into your phone instead. Just like traditional cash, this is an amount of money you can afford to lose.

Actually, it isn't. True, traditional PC's aren't secure. But Android and iOS devices together with their TPM's are more than secure enough. They are so secure not even the FBI can crack an encrypted iPhone - they have to be sent back to Apple. Just like a wallet the risk comes more from losing the damned thing rather than it being cracked by a remote hacker. But unlike a real wallet, these devices can actively assist with security. They can demand PIN's, or fingerprints. They can restrict how many bitcoins can be paid out to an unknown keys in a day.

However, the reality is that in the country I live in at least, direct transfers between banks are already so fast (read: seconds), and so cheap (read: free, between any bank in the country, regardless of who owns it or how far away it is) that bitcoin is going to have a hard time competing. I gather the US still uses cheques and bankers deliberately make dealing with competitors difficult. They may have created fertile ground for new weeds like bitcoin to grow in. When it comes to international transfers, where I wear all the risk and yet it still costs a 10's of dollars to transfer money, things are definitely different. And surprise, surprise, it is in international transfers that bitcoin is seeing the most use right now.

I thought I was pretty clear when I said it wasn't.

Again no, as far as I know it was never exploited. But I can see you prefer to believe an internet echo chamber confirming your world views over me over me, who is saying you are just plain wrong. More on the dangers of doing that later. For now I assume you really are willing to discard your tin foil hat if you understood what happened. Unfortunately that is going to require going into some detail.

The transaction malleability problem we are discussing here is actually about how the transaction signature is represented. As I said, there are other causes of malleability, some of which haven't been fixed. The transaction signature is particularly important because the bitcoin protocol uses it to identify the transaction. When used in that manner the same piece of information is called a transaction id. Because it does uniquely identify a transaction once it is accepted into the block chain bitcoin exchanges sometimes use the transaction id to match for transactions they have generated.

The different ways of representing a transaction id doesn't effect the core operators of bitcoin, so it was never regarded as serious. The reason it didn't effect bitcoin is two otherwise identical transactions with different transaction id's look like a double spend. Naturally the bitcoin protocol rejects all but the first attempt, so it doesn't matter how many different transaction id's you throw at it. Bitcoin is based on the premise that there is one and only one true and correct transaction history – and that is the block chain. You can throw any rubbish you like at it (and there have been many attempts at DDOS it by doing just that), but as far as bitcoin is concerned the only transactions that exist are the ones that get appended to the block chain. So if there are transactions with multiple id's, it is the id that gets into the block chain that is the official one. The rest never happened.

So far I expect this matches your understanding of the root cause of the problem. It is about now we depart from that.

The transaction signature / id is a ECDSA signature. Here is a real one: 770a723381d3edbcbfd06cecdd7b9f8569e9691d3a06a8a9c8972dd6fcbc8493 . It looks remarkably like a fixed length SHA checksum doesn't it? It's not. An ECDSA signature is two large numbers, which in bitcoin is encoded in DER format. DER format is used because, quoting from that Wikipedia link: “DER is a subset of BER providing for exactly one way to encode an ASN.1 value the shortest possible length encoding must be used”. Which sort of begs the question “how it be malleable”? It isn't. But, the software the reference bitcoin software uses to produce and decode these signatures is openssl, and like all good internet software openssl follows Postel's Law: “"Be liberal in what you accept, and conservative in what you send”. So OpenSSL always generates valid bitcoin signatures, but it accepts invalid ones, and in particular numbers with leading zeros. Whether you call this a bug or feature is more a matter of taste than anything else.

This bug / feature was noticed by the bitcoin developers some 3 years ago. It wasn't viewed as serious. As I said, it doesn't effect the bitcoin protocol at all, and even if an exchange make themselves susceptible to the malleable transaction id, it's damned difficult to exploit. The only way to exploit it is to pick up a transaction from the “to be processed pool”, modify it, then re-issue it. Then you have to get very lucky, because you are relying on some miners seeing your version before they see the original – and then those miners winning the block. It's made doubly difficult because exchanges like mtgox are very close to the miners in internet terms. Still, they decided it should be fixed, and did so about 1 year ago. Thereafter miners rejected any transactions signatures that weren't properly formatted DER. Bitcoin is effectively an open source project, so this like any bug was discussed in open forums, a patch issued on a public platform, and then noted in the release notes. They developers claim they sent mtgox an email about it.

Now read this very carefully: To my knowledge this malleability issue was never exploited before it was fixed.. And of course after it was fixed it could not be exploited.

So what did happen? The next key fact is mtgox doesn't use the reference bitcoin software. They wrote their own. They may have had a good reason for doing this, but nonetheless it gave them the opportunity to introduce brand new bugs that weren't in the reference implementation. And they did introduce at least one, because it appears they treated the ECDSA signature like the SHA checksum it resembles, and treated it as fixed length. That's a guess. What isn't a guess is mtgox was generating transactions with malformed signatures – they had leading zeros. This is the bug number 1 I referred to earlier. Assuming the guess at the reason is correct there was a 1 chance in 256 of the leading byte in the signature being 0, and so 1 in every 256 bitcoin transactions created by mtgox has an invalid signature. It might be higher – remember there are two numbers in the signature.

Thus one year ago the miners started dropping mtgox transactions. Maybe around 1 in 256 of them. The real effect show up like this. When you trade bitcoins on mtgox there will be a stage when the traded bitcoins sit in their accounts. This is no different to any other broker – be it bitcoins or stamps. To get them back into your control you have to ask mtgox to transfer them to you, which is quick and easy because they provided a web page to do just that. But after the malleability fix, 1 in 256 of those transfers would fail. If this happened to you, when you noticed the transaction didn't appear on the block chain you had to contact mtgox. When you did they generated a new transfer. Unless you were 65536 times unlucky, that worked, and everyone was happy.

Contacting a understaffed corporation in a foreign country isn't easy at the best of times, and some bright spark hit upon an idea. He could see the malformed transaction in the mining pool. All he had to do was delete the offending leading 0 and send it to the mining pool, and it would be accepted. There is no race here – his version would always win, and he would get paid without the hassle of contacting mtgox. But then whoever did this must have noticed something very odd. Even though he had been paid, at mtgox it looked for all the world like it hadn't happened. Mtgox has said that was because there were relying on the transaction id (which hasn't been accepted by the block chain, thus wasn't trustworthy) to identify the transaction. Bug 2. At this point an honest person would have contacted mtgox and told them what was going on. Evidently that didn't happen. Instead they contacted mtgox, and asked them to fix the “problem”. Which they did, without doing a full check on the audit trail first. Bug number 3. And we had our first double spend.

Now at this point it becomes important to appreciate the scale of what is happening. Mtgox does millions upon millions of transfers over the course of a year. Hundred's of thousands of transactions must have been effected over the year once invalid transactions were dropped. Mtgox said they knew something usual was going on, but geeze how does a company worth $30M manually authorise $350M worth of double spends? We don't know, but however they pulled it off is bug number 4. Without bug numbers 3 and 4 this would be minor news. Had mtgox done what any other sane organisation does upon noticing anomalies in their accounts and audited them, the losses would have been minor. Whether you still insist this is a bitcoin protocol bug or not, the fact is the effect should have been no more than an irritation.

That it's not only a minor irritation, but mtgox doesn't know where the money has gone speaks volumes. In order to buy and sell bitcoins you have to transfer money in or out of mtgox. Either way you run into various countries Anti Money Laundering laws. The end result is you have to send mtgox id. Not just any id – passports, drivers licences and credit cards. Ergo they should be able to track down the double spends, and get the money back right? Well no, not if upon noticing the numerous bugs, someone did bitcoin transfers without triggering the laws. In order words, if they didn't transfer money into or out of mtgox. But that would mean they transferred bitcoins into mtgox, then transferred them out again in small lumps, hoping to hit the 1 in 256 bug. You only need give mtgox a fake email address to do that. But no one legitimately does that on a large scale because all it does is generate fees for the miners. Yet mtgox still didn't notice.

Eventually they did become alarmed, and they finally shut down and did a full reconciliation of their accounts versus the one true and correct record – the block chain. They never re-opened.

So back to your tin foil hat. You understand that mtgox is a commercial organisation, and when they issued their statements they were hoping to re-open, yes? All statements they issued weren't full and correct explanations of what happened. So far, they haven't bothered to issue anything remotely resembling that, and so we can't be sure what really happened. Instead they published PR fluff, designed to prepare their customers for their triumphant return. Granted you would never know that given the reception they got from the internet echo chamber who seems to falling over themselves to accept mtgox's version of events, but it should be obvious. No thinking person would base their opinion on bitcoin's viability on mtgox's press releases to date, which blame anything but mtgox. But apparently you do.

But maybe you thought that like Enron, mtgox was a upstanding and competent company, whose PR releases were done in good faith. I could sort of swallow that. But then we come to Tech Crunch's re-posting of Silk Road's 2 blog post. Silk Road 2 is a anonymous criminal organisation. They say their customers, who have no way of tracking down Silk Road 2, have lost all their bitcoins due to the malleability problem. And you accept this blog post at face value? Even more unbelievable, you then go onto to claim because mtgox could not add up two numbers to save themselves, and a pack of criminals say they “lost” their customers bitcoins the underlying bitcoin ecosystem is not ready for prime time?

Look, I have some news – what makes the news is the surprising stuff. Like Enron losing billions of investors money, and Lehman Brothers losing even more. It's surprising precisely because it's unusual. Granted bitcoin is unusual. Granted, there has been the occasional failure, they are listed here. I count around 30 of them. In that same time period, there have been over 30 million transactions, all recorded without error in the block chain. It's a pity my bank wasn't so accurate.

Yes. But this is only because the banks can and do make mistakes, signatures can be forged and so on. One of the fundamentals bitcoin is built on is it never makes a mistake like that. Every addition to the block chain is checked by every miner, so if some random miner suffers a bit error in RAM, it will be rejected by the network. The whim part is taken care of by requiring the customer to sign the transaction using a digital signature. It can't be forged. Either the customer authorised the transaction, or they did the equivalent of giving away their banking password.

And since bitcoin can't make mistakes like the ones you are alluding to, it can uphold the normal banking standards you describe and yet not need to do a reversals.

True. But what does that have to do someone breaking into a bank vault? Mtgox isn't a bank. They are a broker - they buy and sell bitcoins. Some people gave them bitcoins to sell, but they lost (by double spending them) them instead.

As I said elsewhere in this thread, here we have yet another example of someone who don't have a clue about what bitcoin is or how it operates, making a comment demonstrating his ignorance in spades and that comment modded to +5.

Right answer, wrong reason.

Every good engineer I know, software or otherwise, can't resist learning how the next new shiny works and seeing if they can't put it to good use. In fact I sometimes feel guilty of wasting inordinate amounts of time doing that sort of thing. Thus I know I can learn new tricks because I do it all the time.

They reality is it I hadn't done that all my life, I would be in the dust bin now. I learnt to program in the 70's, on punch cards. Our uni lecturers tried to get us to imagine the shiny's we would have now, I guess as a way of preparing us for continual learning. It's funny now I look back on it, but among the many things we didn't think of are the internet, mobile phones, public-key cryptography, or cryptographic hash functions. It's been a remarkable time to live through.

If the submitter doesn't know he can learn new things too, he is in deeper shit than he realises. It's not a question of whether he can or can't - he almost certainly can. But if he hasn't been doing continually, there is soooo much to catch up on.

Only for some definition of "totally" that does mean 100% of transactions. And when you get to the the space bitcoin is trying to compete in - international direct transfers, your "totally" becomes close to 0%.

From http://www.globalgrainsvn.com/GGS/MT103.html:

How do you know? It has never happened. There is only one bitcoin banker - it's the miners. There is only one bank statement issued by those bankers, and that's the block chain. So far the miners have never lost a bitcoin. You can verify that yourself. The block chain is a public document. I think it's fair to said bitcoin is built on the fact that they never will. It's a pretty safe bet, because if the bitcoin software adheres to the protocol description, mathematically, they never can.

If you give your bitcoins to a broker like mtgox, well anything can happen. In fact if you can name something an imbecile or criminal could do to you if trusted them with your money, then in the bitcoin world it probably has happened. Some brokers didn't bother with backups. Some were minors, and literally stole the bitcoins they were given. Some (including mtgox) leaked passwords they were given. The list is beyond belief, and is responsible for all the headlines you see.

But your fantasy of the the vault all bitcoin is stored in being raided - that has never happened. One of the beauties of bitcoin is it is probably impossible. Indeed bitcoin is immune to most of the foibles of normal bankers. The bitcoin banker doesn't loan bitcoins. It doesn't make mistakes. Unlike fiat currencies the people who control it can't inflate it into worthlessness.