Work on article 12, improve talk page, other Jekyll maintenance

Christian Reitter 2025-02-05 14:49:22 +01:00
parent 6cc6eaa34d
commit b9345dcd89
7 changed files with 88 additions and 10 deletions

24
38c3.md

@ -14,16 +14,28 @@ permalink: /38c3/
<br/> <br/>
## Talk Info ## Talk Recording
We presented a talk at the 38th Chaos Communication Congress (38C3) which takes place in Hamburg on 2730 Dec 2024. We presented a talk at the 38th Chaos Communication Congress (38C3) which took place in Hamburg on 2730 Dec 2024.
Links: Click below to watch the talk:
[Talk recording](https://media.ccc.de/v/38c3-dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys), [Talk schedule entry](https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/PEN9QU/)
After the official short Q&A on-stage, we had an extended [Q&A workshop session](https://events.ccc.de/congress/2024/hub/en/event/qa-dude-wheres-my-crypto/) without recording right after the talk. <div id=videotarget>
<a class="dummy" onclick="document.querySelector('#videotarget').innerHTML='<iframe width=&quot;1024&quot; height=&quot;576&quot; src=&quot;https://media.ccc.de/v/38c3-dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys/oembed&quot; frameborder=&quot;0&quot; allowfullscreen></iframe>';"><img src="/assets/base/38c3_talk_video_preview1.png"></a>
</div>
_In case you're reading this before the talk takes place, feel free to ask for us at the [Church of Cryptography](https://events.ccc.de/congress/2024/hub/en/assembly/CoC/) assembly, where our team member and talk speaker John Naulty (aka `sather`) will host [a number of cryptography related sessions](https://events.ccc.de/congress/2024/hub/en/user/sather/) on topics adjacent to Milk Sad. We're interested in your questions and comments on our work!_ _Language: English, optional German translation available via gear icon in lower right corner._
_See the [privacy page](https://media.ccc.de/about.html#privacy) for the video CDN hosting details._
Direct links: [High-definition recording on media.ccc.de](https://media.ccc.de/v/38c3-dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys), [fallback variant on Youtube](https://www.youtube.com/watch?v=G3V4QjHD_yc).
## Context
See the [talk schedule entry](https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/PEN9QU/) for the conference.
After the official short Q&A on-stage, we had an extended [Q&A workshop room session](https://events.ccc.de/congress/2024/hub/en/event/qa-dude-wheres-my-crypto/) without recording right after the talk.
Our previous announcement:
> In case you're reading this before the talk takes place, feel free to ask for us at the [Church of Cryptography](https://events.ccc.de/congress/2024/hub/en/assembly/CoC/) assembly, where our team member and talk speaker John Naulty (aka `sather`) will host [a number of cryptography related sessions](https://events.ccc.de/congress/2024/hub/en/user/sather/) on topics adjacent to Milk Sad. We're interested in your questions and comments on our work!
## Talk Notes ## Talk Notes
### Intro ### Intro
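Review bot: the click-to-load element on the `videotarget` line is an `<a class="dummy" onclick=...>` with no `href`, so it is not keyboard-reachable and is not announced as a link; give it an `href` (or make it a `<button>`) and return `false` from the handler. The `<iframe>` built inside the handler carries only `frameborder` and `allowfullscreen`; for a third-party embed from media.ccc.de it is worth adding `sandbox` and `allow="fullscreen"` (and a `referrerpolicy`) and verifying the player still works under those restrictions. The opening `<div id=videotarget>` should quote its attribute value like the rest of the file. Deferring the third-party load until the click is a good choice and matches the privacy note linked right below it.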


@ -58,6 +58,7 @@ GEM
rb-fsevent (~> 0.10, >= 0.10.3) rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10) rb-inotify (~> 0.9, >= 0.9.10)
mercenary (0.4.0) mercenary (0.4.0)
observer (0.1.2)
pathutil (0.16.2) pathutil (0.16.2)
forwardable-extended (~> 2.6) forwardable-extended (~> 2.6)
public_suffix (6.0.1) public_suffix (6.0.1)
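Review bot: the reason for the new `observer (0.1.2)` entry is not documented anywhere in the commit; a short note in the commit message would help, since `observer` left Ruby's default gems in Ruby 3.4 and that is the usual reason a Jekyll setup starts declaring it explicitly. Nothing else in this hunk depends on it, which is consistent with it being a direct dependency rather than a transitive one (see the DEPENDENCIES hunk below).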
@ -84,6 +85,7 @@ DEPENDENCIES
jekyll jekyll
jekyll-feed jekyll-feed
jekyll-responsive-image jekyll-responsive-image
observer
BUNDLED WITH BUNDLED WITH
2.5.16 2.5.16
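Review bot: `observer` is added under DEPENDENCIES, which means it must also be declared in the Gemfile, yet no Gemfile hunk is part of this commit (the seven changed files are the six text files shown plus one binary). With the Gemfile unchanged, `bundle install` will re-resolve and drop the entry again, and in frozen/deployment mode Bundler refuses to run because the lockfile no longer matches the Gemfile; add the corresponding `gem "observer"` line to the Gemfile in the same commit so the two stay in sync.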


@ -1,6 +1,6 @@
MIT License MIT License
Copyright (c) 2023 Milk Sad team Copyright (c) 2023-2025 Milk Sad team
Copyright (c) 2023 Distrust, LLC Copyright (c) 2023 Distrust, LLC
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
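Review bot: the copyright range is extended to 2023-2025 on the Milk Sad team line only, while the Distrust, LLC line stays at 2023; if Distrust also contributed in 2024 or 2025 the two lines should match, otherwise this is fine as intended. Unrelated nit on the unchanged line: the text uses curly quotes around “Software” where the canonical MIT text uses straight quotes; harmless for humans, but some license scanners match the canonical wording more reliably.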


@ -29,8 +29,8 @@ header_pages:
- index.md - index.md
- updates.md - updates.md
- disclosure.md - disclosure.md
- 38c3.md
- faq.md - faq.md
- lookup.md
style: dark # dark (default), light or hacker style: dark # dark (default), light or hacker
listen_for_clients_preferred_style: false # false (default) or true listen_for_clients_preferred_style: false # false (default) or true
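Review bot: `lookup.md` is added to `header_pages`, but no file of that name is among this commit's changed files, so the navigation entry relies on `lookup.md` already existing in the repository; nothing in the config validates the list, so a missing file silently produces a missing or broken header item. Please confirm the page exists. The other new entry, `38c3.md`, is inserted before `faq.md` while `lookup.md` goes last; if the list order is the navigation order, place the two new pages deliberately.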


@ -33,11 +33,11 @@ They cover all five major PRNG ranges we looked at, and are split into different
We hope that releasing lists of weak addresses gives interested researchers more opportunities to look into the complex and fascinating on-chain behavior of the different weak wallet ranges without having to discover or handle the weak wallet private keys themselves. Combined with suitable software such Electrum in watch-only wallet mode, they allow following and graphing overall usage trends, calculating transaction volume, identifying suspicious patterns of potential attacks, and observing the the unfortunate practical effects of weak keys on newly incoming transactions into weak wallets. If you have specific notes on this data or do something cool with it, let us know at [team@milksad.info](mailto:team@milksad.info). Knowing that this data gets used may also motivate us more to do future updates or release more specific data sets. We hope that releasing lists of weak addresses gives interested researchers more opportunities to look into the complex and fascinating on-chain behavior of the different weak wallet ranges without having to discover or handle the weak wallet private keys themselves. Combined with suitable software such Electrum in watch-only wallet mode, they allow following and graphing overall usage trends, calculating transaction volume, identifying suspicious patterns of potential attacks, and observing the the unfortunate practical effects of weak keys on newly incoming transactions into weak wallets. If you have specific notes on this data or do something cool with it, let us know at [team@milksad.info](mailto:team@milksad.info). Knowing that this data gets used may also motivate us more to do future updates or release more specific data sets.
Another new item in the data repository is a list of over 8700 hashes to identify mnemonics from vulnerable Cake Wallet users. This data has been public for over a year to allow client-side checks of weak wallet presence in patched Cake Wallet app versions. We now uploaded and documented this data in a more central location. Another new item in the data repository is a list of over 8700 hashes to identify mnemonics from vulnerable Cake Wallet users. This data has been public for over a year to allow client-side checks of weak wallet presence in patched Cake Wallet app versions. We now uploaded and documented this data in a more central location.
## Early Research Code ## Early Research Code
We also open-sourced more of the early [research code](https://git.distrust.co/milksad/code). We wrote this code back in July 2023 during our dash towards CVE-2023-39910, and it represents our first days of interacting with the subject of `bx seed` behavior, weak BIP39 mnemonics, derived keys and initial Bitcoin address checks. While experimental and not ready-to-use, this may still be useful for some other researchers in the future, and gives some credits to the team members who were involved in the early development and security research work. We also open-sourced more of the early [research code](https://git.distrust.co/milksad/code). We wrote this code back in July 2023 during our dash towards CVE-2023-39910, and it represents our first days of interacting with the subject of `bx seed` behavior, weak BIP39 mnemonics, derived keys and initial Bitcoin address checks. While experimental and not ready-to-use, this may still be useful for some other researchers in the future, and gives some credits to the team members who were involved in the early development and security research work.
Due to ethical concerns by the primary code author, the more advanced research code will not be completely public for the foreseeable future, but we'll revisit this again at a later time. Due to ethical concerns by the primary code author, the more advanced research code will not be completely public for the foreseeable future, but we'll revisit this again at a later time.
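Review bot: two wording errors sit in the unchanged lines of this hunk and are worth fixing while the file is being touched: "suitable software such Electrum" is missing "as", and "observing the the unfortunate practical effects" doubles "the". Also, the hunk header reports 11 lines on each side but only unchanged lines render here, so the actual modification to this file is not visible in this view; naming it in the commit message ("other Jekyll maintenance" does not say) would help later readers of the history.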


@ -0,0 +1,64 @@
---
layout: post
title: "Update #12 - Taproot, Address Data, New PRNG Range, 38C3 Talk"
author: ["Christian Reitter"]
date: 2025-02-05 13:00:00 +0000
---
We looked into a modern Bitcoin address format, released more weak addresses, investigated a new PRNG range, and found what looks like results of a weak vanity address generator.
<div id="toc-container" markdown="1">
<h2 class="no_toc">Table of Contents</h2>
* placeholder
{:toc}
</div>
<br/>
## Milk Sad Talk at 38C3
Our [Milk Sad presentation at the 38C3 conference]({% link 38c3.md %}) was a success, and we also had an interesting discussion session in the workshop room afterwards! Thanks to the great VOC video team at CCC, the talk recording is available online on their video archive as well as Youtube. Head over to [our dedicated talk page]({% link 38c3.md %}) if you're interested.
## Updated Research Data
In [update #11]({% link _posts/2024-12-19-research-update-11.md %}#new-research-data), we outlined our publication of known weak cryptocurrency wallet addresses for Bitcoin and Ethereum in the [data](https://git.distrust.co/milksad/data) repository. We've now significantly extended this collection, primarily for the Bitcoin addresses, by including addresses of used sub-accounts and change accounts. We've also done newer scans over some of the ranges and added more documentation, showing a more recent view and highlighting potential changes between the different collections.
Current statistics:
* Number of unique weak Bitcoin wallet addresses: **40219**
* Prefix 1: **4315**
* Prefix 3: **20516**
* Prefix bc1q: **15387**
* Prefix bc1p: **1**
* Number of unique weak Ethereum wallet addresses: **8932**
## Taproot
Bitcoin has several different formats for addresses and transactions. During our research so far, we focused on the older and more popular address calculations (`P2PKH`, `P2WPKH`, `P2SH-P2WPKH`), and there were already some surprises such as the use of uncompressed public keys (see [update #2]({% link _posts/2023-12-06-research-update-2.md %}#uncompressed-public-keys-on-p2pkh)) or mismatched derivation paths / derivation standards / address types.
A fairly recent and major new standard for Bitcoin is called `Taproot`, see [Wikipedia](https://en.wikipedia.org/wiki/List_of_bitcoin_forks#Taproot). It was introduced on-chain in November 2021, but is still optional and not supported by all actively developed cryptocurrency wallet implementations. For example, the `Electrum` software wallet [doesn't fully support it](https://github.com/spesmilo/electrum/issues/7544) yet. For us, the late introduction compared to the timeframe of many of the weak wallet issues meant that Taproot wasn't available at all for most users, and we suspected that it would only make up a small portion of vulnerable funds even now due to the limited software support.
So far, our partial analysis of known weak wallet ranges confirms our assumptions. When searching for the "plain" `P2TR` Taproot usage for normal wallets without more advanced configurations (scripts, multiple signatures, ...), we only found usage with a known test key. This may change in the future if a Taproot-enabled wallet software uses bad PRNGs. It may already be relevant for other PRNG ranges or usage scenarios that we didn't look into. Still, for our prior work, Taproot doesn't seem to reveal more weak wallets - which is an interesting result.
## New PRNG Type
Many PRNG implementations are very similar to each other in terms of their mathematical construction, but their designers pick different parameters with the goal of obtaining better properties. Our Trust Wallet research in [update #5]({% link _posts/2024-01-23-research-update-5.md %}) revolved around the so-called `minstd_rand0` PRNG, which is a so-called [linear congruential generator](https://en.wikipedia.org/wiki/Linear_congruential_generator) or LGC for short. That particular `minstd_rand0` configuration used in the Apple standard library environment by the affected iOS wallet app with `m = 2^31 - 1` and `a = 16807` seems to be [one of the oldest](https://en.wikipedia.org/wiki/Lehmer_random_number_generator#Parameters_in_common_use) common LGC configurations.
We were curious if [a different variant](https://cplusplus.com/reference/random/minstd_rand/) of this LGC PRNG called `minstd_rand` (notice the missing `0` in the name) with `m = 2^31 - 1` and `a = 48271` had also generated some weak wallets. That variant is available in some C++ environments, as far as we understand.
As it turns out, yes, there are weak wallets! Looking through the direct usage of some PRNG output pattern into `secp256k1` private keys, we found a handful of used `P2PKH` addresses, as you can see in the [data](https://git.distrust.co/milksad/data) repository.
## Bad Vanity Address Generator
Additionally, we also searched through some other direct PRNG-to-private-key usages for 256 bit outputs and found a few, which are now in the `data` repository as well. Curiously, someone seems to have used the `minstd_rand0` PRNG as a [vanity address generator](https://en.bitcoin.it/wiki/Vanitygen), generating and using addresses with the `1Love[...]` and `1Shao[...]` prefixes:
```
1Loveu9He9wDnLUBzio9XM47EbwKqoCyEX
1LovEUjnQQF1yiYNGr2MJtpNu1UHwSCL1h
1LovezS8pFiKWKfPZTJPmj7ZR7AUfvufGq
1Shao1YrYoLdrgjjLgLTycQwVYyNRxKWL
1ShaoJtnZc9ZyK4yXQqVDHnHRUntrpG72
```
Given that there are only `2^31` potential PRNG starting configurations, this was a very poor choice not just for security reasons, but also for functional reasons, since the PRNG is very limited in the random address prefixes it can find.
Based on the few used addresses, we expect that this was either an experiment or a custom tool setup, since it would have more users (victims) otherwise.
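Review bot: "LGC" in the New PRNG Type section should be "LCG", the standard abbreviation for linear congruential generator; it appears three times ("or LGC for short", "common LGC configurations", "this LGC PRNG"). The Bitcoin address statistics are internally consistent (4315 + 20516 + 15387 + 1 = 40219), and the `minstd_rand0` / `minstd_rand` parameters quoted (`m = 2^31 - 1` with `a = 16807` and `a = 48271`) match the standard definitions. Minor: the address list code fence has no language tag; `text` would stop the highlighter from guessing.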

Binary file not shown.
