by NelsonMinar 1052 days ago
"On Libbitcoin Explorer 3.x versions, bx seed uses the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time."

That's a hell of an amateur mistake to make. 50/50 odds whether it was incompetence or deliberate fraud. Maybe 80/20; that flaw is so simple anyone can attack it. Which apparently is happening right now. It's much better if your crypto library generates keys only you can hack.

7 comments

A non-cryptographic PRNG with a 32 bit seed and yet all the other maths/details are correct? I refuse to believe that that is anything but deliberate fraud.
Mersenne Twister is an attractive nuisance. It's complicated and insecure, but a CSPRNG can be done in a few lines of code.

I think people pick it because it has a cool sounding name.

Seeing it declared a WONTFIX to me helps answer which of those it was. If it was fraud, you'd expect a fake apology and a fix at this point.
Why? The regress is infinite, it's zero information. A malicious party can anticipate any public-information rationale for dismissing their actions and pretend to be whatever flavor of fool you might accept.

"Now, a clever man would put the poison into his own goblet, because he would know that only a great fool would reach for what he was given. I am not a great fool, so I can clearly not choose the wine in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the wine in front of me. ... Because iocane comes from Australia, as everyone knows, and Australia is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me, so I can clearly not choose the wine in front of you."

This quote is from "The Princess Bride" movie. The actor who spoke this was also, IIRC, the Grand Nagus in ST:DS9. Brilliant in both roles.
Wallace Shawn also has some memorable voice roles, such as the T-Rex in Tony Story, and the insurance-company boss in The Incredibles, etc.
Tony Story.. that movie got two thumbs up.

"Tony Story" has you laughing straight out of the gate. Billed as an action-comedy, it's the ultimate clash of the titans between machismo and mirth.

The film follows our hero, Tony, a middle-aged man who wakes up one morning to find himself inexplicably transformed into a small plastic action figure. The plot thickens as he learns he's the star of a beloved, but sadly discontinued, line of 90s toys.

Tony is forced to navigate the wild world of suburban backyards, dodging ferocious pet chihuahuas and the sticky hands of sugar-fueled toddlers. His quest for a return to normality is as hilarious as it is heartwarming.

The brilliant use of slapstick humor, a dash of existential dread, and a sprinkling of well-timed puns are skillfully mixed into a cocktail of laughs. The film's standout moment involves Tony, a malfunctioning Roomba, and a perplexed cat, in a scene that will leave you in stitches.

The voice acting is second to none, with Tony's gruff, action-hero voice (think Clint Eastwood meets Optimus Prime) contrasting hilariously with his miniature plastic form. The supporting cast of misfit toys, including a neurotic yo-yo and a sassy Barbie doll, add to the hilarity.

"Tony Story" is a wild roller coaster of laughter that reminds us all not to take life too seriously. As Tony himself puts it, "I may be small, but my problems sure aren't!" This film truly delivers a unique blend of comedy and action that will leave you chuckling long after the credits roll.

I logged in for the first time in a decade to say that I am sad this movie isn't real.
Alas, my new phone doesn't transcribe/edit quite the same as the old one.

Awl sew, thee spiel checquer frowned know tissues bee four eye clacked.

Would a CSPRNG be at all an improvement with only a 32 bit seed? Couldn't you still brute force it?
I think the bigger problem is that the seed is easily guessed or found, so all the output can be regenerated.

so it's not even 32 bits of entropy, it's some tiny fraction of that. (system times for a few years interval)

As discussed elsethread, it used the lower bits of the time value, so while there is a fraction of the 2^32 space due to precision loss in the OS time calculations, it is not as simple as "between when this software was released and now, in seconds".
That is correct, you still have 2^32 permutations of possible values.
Given it's seeded with system time, depending on the resolution, that may in practice be as low as tens of thousands of possible values (as in time(2) )
2^32 is still incredibly small for crypto and is inexcusable.
A fact which was unambiguously well known to the authors prior to the report: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022...
It was actually an intentional change but a very dumb one because they never warned enough that bx seed should not be used to store money with in the first place.
if it’s something only you can attack then there is no plausible deniability if you become accused as the code contributor
To verify, this is something anyone can attack, as was proven by our brute force lookup service: https://lookup.milksad.info.
Why is it a mistake?
The difference between 32 bits and 64 bits is the amount of people on Earth compared to (EDIT) the amount of grains of sand on Earth. 32 bits is nothing when it comes to entropy, and it can take a security researcher (like us) only $100 to rent a machine to completely brute force it. Nowadays, only values less than 128 or 256 bits (which are exponentially bigger) are seen as appropriate.
You mean time is the only source of entropy there? I don't think number of bits would even matter for it to be bad in such case.
That is correct, time is the only entropy for the command, and the function they use to generate random numbers is also flawed in that it can only produce 2^32 possible outputs.
As the article explains, 32 bits of entropy isn't enough for any cryptographic secret because it can be easily brute-forced.
Also if it's really the date it's nowhere near 32 bits of entropy. I'm guessing you can pretty easily guess to the day when a Bitcoin wallet was created, so that's about 16 bits of entropy. Less if you know the time, possibly 0.
It actually uses the most precise 32 bits of the date, so it's any, like, nanosecond between 0 and some other small amount of seconds. You can't brute force a wallet by knowing approximately when it was made, but you can brute force every mnemonic if you have the time or a bit of cash to throw at a server.

EDIT: It loops around to 0 every 4.something seconds, so it's not like everything after 4 is the same key. It's just a more random distribution than what you may be thinking.

There is often very low entropy in the lowest few bits of system time as well (due to the underlying clock having a different resolution than the system call). Given that every bit you lose halves the time for a brute-force, that's a problem.
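The three points argued above (a CSPRNG does not help when the seed is only 32 bits, a second-resolution clock shrinks the space to "tens of thousands" of values, and the low bits of system time are often dead) can be made concrete in a few lines. The following is an added example, not code from Libbitcoin or from anyone in the thread; it uses Python's `random.Random` (a Mersenne Twister) as a stand-in for the criticised `bx seed` pattern, and the function names, the 2000-sample clock audit, and the three-year window in the usage note are constructed for illustration.

```python
import random
import secrets
import time

SEED_BITS = 32
SEED_MASK = (1 << SEED_BITS) - 1


def weak_seed_bytes(seed: int, nbytes: int = 32) -> bytes:
    """The criticised pattern: a Mersenne Twister seeded with a 32-bit value.
    Every byte returned is a pure function of `seed`, so no matter how long the
    output is there are at most 2**32 distinct results. Swapping the PRNG for a
    CSPRNG would not change that bound; only the seed entropy does."""
    rng = random.Random(seed & SEED_MASK)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def weak_seed_from_clock(nbytes: int = 32) -> bytes:
    """Same pattern fed from the low 32 bits of the system clock (illustration
    of the flaw, not a key generator)."""
    return weak_seed_bytes(time.time_ns() & SEED_MASK, nbytes)


def strong_seed_bytes(nbytes: int = 32) -> bytes:
    """The hardened form: read the requested entropy from the OS CSPRNG
    directly. No user-space PRNG, no clock, no 32-bit bottleneck."""
    return secrets.token_bytes(nbytes)


def max_key_entropy_bits(seed_bits: int, output_bits: int) -> int:
    """A derived key can never carry more entropy than min(seed, output)."""
    return min(seed_bits, output_bits)


def seeds_in_window(window_seconds: int, ticks_per_second: int) -> int:
    """How many seed values a clock of the given resolution can produce over a
    known creation window, capped at the 32-bit space. With time(2) (1 tick/s)
    and a multi-year window this is tens of millions, far below 2**32; with a
    nanosecond clock the cap is hit after about 4.3 seconds."""
    return min(1 << SEED_BITS, window_seconds * ticks_per_second)


def dead_low_bits(samples: int = 2000) -> int:
    """Coarse audit of the point about low clock bits: OR together the low 32
    bits of many clock reads and count trailing zero bits that were never set.
    A nanosecond field backed by a microsecond clock, for example, is always a
    multiple of 1000 and so has at least 3 dead low bits. Result depends on the
    host clock; it is a check, not an entropy estimate."""
    seen = 0
    for _ in range(samples):
        seen |= time.time_ns() & SEED_MASK
    if seen == 0:
        return SEED_BITS
    dead = 0
    while not (seen >> dead) & 1:
        dead += 1
    return dead


if __name__ == "__main__":
    three_years = 3 * 365 * 24 * 3600
    print("same 32-bit seed, same key:", weak_seed_bytes(1234) == weak_seed_bytes(1234))
    print("entropy bound for 256-bit key from 32-bit seed:", max_key_entropy_bits(32, 256))
    print("seconds-resolution seeds over 3 years:", seeds_in_window(three_years, 1))
    print("ns-resolution seeds over 10 s (capped):", seeds_in_window(10, 10**9))
    print("dead low clock bits on this host:", dead_low_bits())
    print("hardened seed:", strong_seed_bytes().hex())
```

Run it as a script to see the four numbers side by side: the determinism that makes the weak generator enumerable, the 32-bit ceiling that no PRNG choice can lift, the much smaller count a one-second clock gives over a realistic wallet-creation window, and how many low bits the local clock never sets.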