
Google’s Android Security Team Addresses Bitcoin Vulnerability

Last week, it was discovered that a vulnerability in Android may leave users of Bitcoin mobile apps at risk. This week, Google’s Android Security Team confirmed and addressed the security concerns on their blog:

The Android security team has been investigating the root cause of the compromise of a bitcoin transaction that led to the update of multiple Bitcoin applications on August 11.

We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG. Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.

Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. A suggested implementation is provided at the end of this blog post. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.

In addition to this developer recommendation, Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.

It appears from this notice that consumers should expect their apps to be fixed in short order.

Bitcoin.org also published a synopsis of the problem and suggested solutions.

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.
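
One way to follow the Android security team's recommendation quoted above, shown as an added example (it is not the suggested implementation from Google's post, nor code from any wallet): a SecureRandom that serves every request directly from /dev/urandom and is passed explicitly to key generation. The class names UrandomExample, UrandomSpi and UrandomSecureRandom are hypothetical, and the code assumes a Linux or Android system where /dev/urandom is readable.

```java
import java.io.*;
import java.security.*;

public class UrandomExample {
    /** SecureRandom engine that never keeps its own state: all bytes come from the kernel. */
    public static final class UrandomSpi extends SecureRandomSpi {
        private static final String DEVICE = "/dev/urandom";

        @Override
        protected void engineSetSeed(byte[] seed) {
            // Caller-supplied seed is mixed into the kernel pool; it never replaces it.
            try (OutputStream out = new FileOutputStream(DEVICE)) {
                out.write(seed);
            } catch (IOException ignored) {
                // Device not writable: output still comes from the kernel pool.
            }
        }

        @Override
        protected void engineNextBytes(byte[] bytes) {
            try (DataInputStream in = new DataInputStream(new FileInputStream(DEVICE))) {
                in.readFully(bytes); // fail closed instead of returning a short read
            } catch (IOException e) {
                throw new SecurityException("cannot read " + DEVICE, e);
            }
        }

        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }
    }

    /** Public wrapper: SecureRandom's (spi, provider) constructor is protected. */
    public static final class UrandomSecureRandom extends SecureRandom {
        public UrandomSecureRandom() { super(new UrandomSpi(), null); }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new UrandomSecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256, rng); // pass the RNG explicitly; do not rely on the platform default
        System.out.println(kpg.generateKeyPair().getPublic().getAlgorithm());
    }
}
```

Keys and other random values created before such a change still need to be evaluated for regeneration, as the quoted advisory says; fixing the generator does not repair values already issued.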

After New York Inquiry, Senate Jumps on Bitcoin Bandwagon

First New York Inquiry, then Washington

In the same week that the New York State Department of Financial Services subpoenaed 22 companies in an effort to better understand the uses and implications of alternative currency Bitcoin, the Senate is launching its own inquiries.

As the New York Times reported,

The Senate’s committee on homeland security sent a letter this week to the major financial regulators and law enforcement agencies asking about the “threats and risks related to virtual currency.” These currencies, whose popularity has grown in recent years, are often used in online transactions that are not monitored by traditional financial institutions.

“This is something that is clearly not going away, and it demands a whole government response,” said a person involved in the Senate committee’s investigation, who spoke on the condition of anonymity because the inquiry is continuing.

22 Bitcoin Companies Issued Subpoena by New York Department of Financial Services

22 Companies Called to New York to Answer Questions about Bitcoin

The New York State Department of Financial Services has subpoenaed 22 companies in an effort to better understand the uses and implications of alternative currency Bitcoin.

“If virtual currencies remain a virtual Wild West for narcotraffickers and other criminals, that would not only threaten our country’s national security, but also the very existence of the virtual currency industry as a legitimate business enterprise,” said Benjamin M. Lawsky, Superintendent of Financial Services, in a release. “We believe that – for a number of reasons – putting in place appropriate regulatory safeguards for virtual currencies will be beneficial to the long-term strength of the virtual currency industry.”

Forbes published a list of 22 companies that were subpoenaed due to their involvement in Bitcoin.

  • BitInstant
  • BitPay
  • Coinabul
  • Coinbase Inc.
  • CoinLab
  • Coinsetter
  • Dwolla
  • eCoin Cashier
  • Payward, Inc.
  • TrustCash Holdings Inc.
  • ZipZap
  • Butterfly Labs
  • Andreessen Horowitz
  • Bitcoin Opportunity Fund
  • Boost VC Bitcoin Fund
  • Founders Fund
  • Google Ventures
  • Lightspeed Venture Partners
  • Tribeca Venture Partners
  • Tropos Funds
  • Union Square Ventures
  • Winklevoss Capital Management

Below is the full release providing context on the subpoena.

 

CC image by wallyg

Top Bitcoin News Last Week: Bitcoin is Money, BYU, Android Wallets, Mt. Gox

Bitcoin News

A roundup of the top Bitcoin news from August 5 to August 11:

Monday, August 5

Tuesday, August 6

Thursday, August 8

Friday, August 9

Sunday, August 11

Vulnerability Discovered for Android Bitcoin Wallets

Bitcoin.org just published an alert about Android wallet vulnerabilities.

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.