Forensic Bitcoin cracking: as easy as 1, 3, 7...

Since its release at DEFCON 23, I've done quite a bit of work on brainflayer. First, I added support for a few other brainwallet-like schemes and hex-encoded private keys. Then, in October, I integrated some code provided by Dr. Nicolas T. Courtois and Guangyan Song from UCL that sped up brainflayer by about 150%. With a subsequent optimization that yielded a further 65% speedup, it is now over four times faster than the initial release.

In January, I added specialized code for brute force private key search. While trying it out, I found something very interesting.

Read more...

HTTPS subresource validation fail

In the spring of 2014, I found a bug in several browsers, including Epiphany, Xombrero, Opera Mini and Midori. They were loading subresources, such as scripts, from HTTPS servers without doing proper certificate validation. I tracked this down to some bad defaults in webkit which have since been fixed.

Read more...

Why I'm releasing a brainwallet cracker at DEFCON 23

On August 7th I will be giving a talk at DEF CON about cracking brainwallets. As part of that talk, I will be releasing a fast[1] brainwallet cracker. I'm writing this post to provide a little insight as to why I'm giving away a tool that could be used to steal. I also hope that people who are currently using brainwallets will take notice and move to a more secure storage method.

Read more...

Why Bitcoin mining ASICs won't crack your password

I've seen a lot of people expressing concern that Bitcoin mining ASICs are going to lead to some sort of password cracking apocalypse.

They won't.

Read more...