Saturday, 22 September 2018

To address concerns about my identity

Doubts about my identity seem to crop up, so I like to address all those once more. Hopefully in a comprehensive way.

First of all, to explain the situation from my article again, originstamp.org is my go-to service. Usually, 24h is plenty and suffices to timestamp everything.

But in this case, Core went quickly ahead with release information, which made the 24h window (due to fees) too small to conclusively prove ownership on the BTC chain.

But let's have a look in detail. This is the text that I wrote:

BitcoinABC does not check for duplicate inputs when processing a block, only when inserting a transaction into the mempool. This is dangerous as blocks can be generated with duplicate transactions and then sent through e.g. compact block missing transactions and avoid hitting the mempool, creating money out of thin air. /u/awemany 

If you SHA256 this, it calculates to: 5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6

Exhibit A: I timestamped that here: https://originstamp.org/s/5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6

Note that there is a timestamp when it entered their system, which is before anything else became public and which is:

17.9.2018, 14:54:19 CEST

It shows it in your local time zone in your browser, a fact that Peter Todd apparently tripped over as well: https://archive.fo/W1gdf

Scroll down to "Submission to OriginStamp" at the end.

This timestamp is, however, just from their service and thus centralized. But if you think I faked that, that would mean that I must have hacked their service in time to do so. In the last few days. Furthermore, the window for this hack would be quite small, as there is also a later submission into the blockchain. So if you doubt this information alone, it would mean I'd had to hack the service in time (within a few hours window) just to claim this identity, leave no trace of all of this, face the risk of being called out by the true finder of the bug (who'd be different then) and write this long article ...

But there's more:

Exhibit B: For anyone who is a member of the BU slack, I posted a message that was the above hash (as I said in my medium article) and which is still sitting unedited on the slack as well, in the #general channel. There are likely several hundred members of this slack, and all of them who read it should have seen this message in time. I believe there are also (well-behaved) Core supporters in there. I would need to have hacked that service in an undetected way as well and fool or collude with all active members therein as well. That now creates a pretty big collusion, don't you think?

Exhibit C: Finally, let me close with this PGP signed message. I created a PGP key just to keep my identity separate, at least for a while, from my main pseudonym awemany. And in the email I send out to the developers, I have added myself as a recipient. Even though the message has not been signed (I didn't see any reason to do so at the time of release), my full key id is still in this message. And that is, as far as I know, a 128-bit hash for which it is practically impossible to find a preimage for. This explicit 'encrypt-to-self' is because I fucked up with PGP encryption in the past (because, as I say in my article, mistakes just happen) and I wanted to at least be able to read my own encrypted message later. I have created sitations for myself where I wasn't able to read my own encrypted emails. Yes, call me a crypto noob, say PEBKAC or whatever, it is exactly an example of why I am saying that I am not perfect but so is no one else!

Here is this message, which I am sure anyone owning the original disclosure email is happy for you to confirm that it is the same key id:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This messsage is signed by the beardnboobies GPG key that I created just in time for the vulnerability disclosure. In reality, I am /u/awemany on reddit and elsewhere. -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEERGszUXtt2s3Wfkt1yydp8d93NcQFAlumBkAACgkQyydp8d93 NcQvegwAmcfqKSp/RZVE6HIyN9gbxa5oz2YFaaoeVCoQTsDZPX08zjBjp7jzMUGW izraVk+yOz8Yxdv7re8G+CBqnpgfpNvMoHPe75bgoyKzavTtukVSScDUHZ9Tu9D7 xQcfWnwZhsUjsTsxFD7B6PLAWzeh7cA3d0xUwrFJoa//hlOylnlC/76cbBspqSll ispvQgBcEM6NfKvmCTb9LItts2/QrXX891LK9I4vPC1WpOrXPA9lNnuuP8/S/ey9 O7iqwW+oCwGKLELQJE58hgwt7keQukrPEfwUtBXACW77gtk1dXaxRL5RqCkmMsMn rBMkTGmjDit+AVE/5oW+flds8/Hq+kQDXUZfaLbnOrleW50LTTi+etA/PPhHxe45 CUD7Jm8d2LbTIjFWsZT/Rq2Djsy3gBcHeKqFMRXEBI7WoFe431q38gVSyfvbCrPR R4AJsg2eGgysu0E/SZecHHULc4CU6RdLmCRrORRSv1T9tOyJcRpfwRlE4FnT9LTC /+5v9mXI =k2oE -----END PGP SIGNATURE----- 

And here is the public key which matches that key Id and which has likewise not been made public yet:

-----BEGIN PGP PUBLIC KEY BLOCK----- mQGNBFufufgBDADJ3N5xocCOSyRrF42nvrujUZXRPnaq+X3E0GjNlCwuCFZELNE9 l950cR4l+sNFbjcvWtlCgAdHPAggED3ZeutTO3fAIClN+LOgnyEF4txjdG72j9L4 NnCVMfKhT2yc7JZQh3lS+GHFSBS8joLq09GxllTORvdawuW34yzV4rzFZZ3NfK+/ 8BtNAf+nXvtafugw4Nlln5LPvGna9bmh/74RlZTAJeV52a/WsucBQ7kVuWTAERMy N+DuvUIxh7gG9KbSQXsPQ+1ZleO9+nWJs4pgX3ro6ZRMYvN9jeJsDjx2uQoL77zM RwMKNis5ifxnkHmExOG01SQxz3j9tw1anC8dFi2zs9jlr+qjUofSUT0RctKNJlga BgDV1dsu8dg11xxo4slH93D5LqJJs3lg+RjxHeWE6Oxvpz4SQpU+sLT4T73xOh/d GDw4UmLMUgKjjlYexVhlNk6FUamAkpYzuTgN35AeUt1iGj9D9XAbbi0G3MjKYSX6 tPkBC5h7XIGDzGcAEQEAAbQuQmVhcmQnbidib29iaWVzIDxiZWFyZG5ib29iaWVz QHByb3Rvbm1haWwuY29tPokB1AQTAQoAPhYhBERrM1F7bdrN1n5LdcsnafHfdzXE BQJbn7n4AhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEMsnafHf dzXEi0gMAL0StgXSH4mbHPeyj0pJOmzOpEsfm7S05EKoGnMzmB/ZfCxag9YvDSSQ Jz28jOmPIrnLLkuOFcf0BnSKmys2WbEpGm5SgRU0anSTiiaTy2RjPa8eC34F6X/q LjgJ6J4hvOoDkQAjOzfspayRjRmFewNzssMHn6JC2NWvP+8+nClsJA959E9rxJ5F xaPmPZ9g4AJFah/vpRXbv44JQGbjr42CdB2JUTYW3rd7WjYFdcGcPU0UQhRQSflL 2ZOCw8bJCdPRRXpy2xTewTPE4eVcrclvmbKDhDbDNkY9cqDSPqag2JG8GoPsl3Ym 33uwzN1Y5qkocfGoVxr3eEEFQgkPnqX27OyGAL1+MoEOYuLuhUaNX2E/WmPZwtU3 E5JdjdIRfVfzI+oWs6Mfn1mbxeePBikjHgNgr4vs2+DkujeenS8UsD5Y6qrk9Ypt Erh5GRT0BauSSV52U3mEboMyxRHriObFT+BQAK0cJ4ZZ9aAUVLZcC4TXps2PKcjZ ozJYgvFm1rkBjQRbn7n4AQwAx7JiWJSuwAidK0AcPS2kt5gpzsESgxq1qyoeELYg tNb6G2SihbFj4hVMjc8Ol+a0wtcd+3D7Wcyu5EDbfnIydfmytIvF6CABWCkKtulG lxKSydMg16QGMwWixqTLRo1FoCdAzvKJktTshIlARoRt1cII/5n0C+Ny33kdm809 c+5EPFW22Hu5cNZR6xjYkONoM+Gw9JVIo5O9DY1l2s7qaQhnnTQDMBJLZjtOVFZF l/QQjnM5SJZr7lkzNMOgdA3saCbjk7NVMnV8ledLHYZguR3lDfsfdwWvw9Q3tEp9 Ii5P3AHzzV7eu0g6T7xpjV4LNssP1abvrBBd/RFfA6A3ec9wXEWTk2ewXpZLkicm 9VBy3nsz5bedoAvcyTVB0HF80yHbo99eSwEUenlrs0K0Yv97hxJ2ioPrhx4y7M9Q XRWRXFRaLBgLT5GxvIs9jRWJq7jwtKknA7GSun06UFKnOmiT81dmVf4Dne1F9y/R U7ld9Doo7IARUYP11/twEh5HABEBAAGJAbwEGAEKACYWIQREazNRe23azdZ+S3XL J2nx33c1xAUCW5+5+AIbDAUJA8JnAAAKCRDLJ2nx33c1xMiGDACbqHLuXMZ2937O aDfuchIYJ7BoqLiY+Po0V78jenYcx4pXXnau2rL44f02B6nV5RK21b+PwFDX+SMh usQfAYdBBRxIb0uDePKx2/Vb0UC5yb456eprYBXOIN7odl0J68PpjUQik5kqizig n/vyrIMMQehnFFee88xdSUYK495I6URJtIp6YLCYoalFs49l3szLJZK57OcCmfsR gzQbBIsPqQ7uqKZlGYZY9a/PYEZd3Lb6qLF693jZyNjDZ8IIfBjvJa3ZwJiTtNXi NknfmW2KcokFljOa5Fvs6Gu11Q9KpbVRpkKeHF79TSN5lPSwvBjsBbx9j4KoFBum yNNQTclRMe+AWHfcnoIXooFemiv27n6HEwoFEyoKm3ita1V+RiDuZ1e3FEA4zUPO XlZv6e7p+Cd0coP4FDWR5mq1ck+SOFoFuqNrqpEIumrHEC4wKcIA7iy/jJ5frgab UjEcFa/MBAaZ7If9+3kHh2kpfPwLOT+7Mm7i9kD1Yu3UBvwoYOE= =DyTh -----END PGP PUBLIC KEY BLOCK----- 

I am not going to disclose the original email just yet, because there is exploit code in there. Even though I think that exploit code is quite simple and will likely not do harm, there is no reason to add more risk and this could also still be used against me by trolls by being called irresponsible. So I hope folks understand why I refrain from that for now.

submitted by /u/awemany
[link] [comments]

source https://www.reddit.com/r/btc/comments/9hyg3o/to_address_concerns_about_my_identity/

No comments:

Post a Comment