Explaining the ETH wallet collision

>Explaining the ETH wallet collision

The nodejs implementation of the wallet generator uses userspace tools to generate entropy instead of getting access to real hardware entropy via the kernel. In this case, NodeJS GetRandomBytes (which is used to generate the ETH wallet) uses OpenSSL to generate entropy on the system.

This is a problem and has caused collisions in crypto before.

sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

What needs to happen is for NodeJS to actually use a good RNG algo to make its wallets.

On top of this, the wallet address length is limited to only 155 bits in order to fit IBAN.

The moral of the story is that the wallet collision seen today has NOTHING to do with ethereum, it's simply the result of a shitty third party tool. NodeJS already has a pretty bad reputation, this will only hurt them more.

Other urls found in this thread:

github.com/nodejs/node/issues/5798
github.com/openssl/openssl/issues/898
github.com/ethereum/go-ethereum/releases/tag/v1.6.2
twitter.com/SFWRedditImages

Fucking lazy/stupid programming man. This is literally idiocy.

It WILL hurt Ethereum too

how can I use this to steal peoples eth?

have a loop generating addresses then checking if they exist, if so alert notify you then you can go in and steal the eth

I would use ethereumjs-wallet to generate wallets on a popular vanilla linux installation of something immutable like Tails linux

The odds are still low since the RNG uses a variety of userspace values but it could happen

The fact that it happened to an extremely well-known dev indicates to me that this was done purposefullly and likely for quite some time

this.

It's open season for Ethereum Wallets! ARGH!

he tried to warn you and you didn't listen. you only should trust the whitest of the whitest scientists of NIST for your randomness need

>inb4 massachusetts lottery site

More info:

Weaning nodejs off of openssl (never happened):
github.com/nodejs/node/issues/5798

OpenSSL realizes userspace /dev/urandom is flawed (not fixed):
github.com/openssl/openssl/issues/898

And that's how you get wallet collisions!

So basically it's not a problem with ETH, but a problem with a particular method of generating wallets?

The method of generating wallets is not sufficiently random (due to NodeJS GetRandomBytes), so if conditions are similar, the same wallet will be generated again?

Now the question is how many people actually use Node.js-based wallets

github.com/ethereum/go-ethereum/releases/tag/v1.6.2

A FUCKING NONCE

Which wallets are based on nodes?

That's what I'm trying to figure out

>im @ work
pls dont hack my eth

yes, exactly

It takes 3 months to get one wallet code, at that was by luck

U r by far the worst crypto pirate ive ever heard of

but you have heard of him

Did he actually talk about this? I know Templeos has its own RNG / oracle program.

Upvoted

>mfw all ETH wallets are based on node.js

LMFAO, ETH IS FUCKING FINISHED.

gg ETH, bitbean anyone?

You can't do shit and don't even understand the tech.

huh?

Selling my stash and shorting here

FUD you are all faggots

>tfw myetherWallet is running on parity who use node.js

Well, eth is sure getting ready to do...something...

seems like a good place to drop this.

Last summer after the DAO hack everyone in the tech community thought ethereum was basically dead and a shitty technology.

Did anything change? Just a few exchanges adopted eth and normies started buying shit they don't understand? I'm so confused by this. The entire project and having turing complete smart contracts is a joke. I especially hate when fags say "it's more complex than bitcoin!!!" like that is a good thing. You know nothing about software. This is a horrible thing. Single purpose modules are the key to software. Ethereum seems like a half baked ambitious idea and then they put a blockchain onto it because cryptos were popular and an easy way to raise funds for the project. The entire thing is basically a scam. In a few months they'll launch a crippled poker app (online poker has been around since the late 90s) and claim it a triumph and technological marvel. Fuck this scamcoin and all you pumpfags buying shit you don't understand.

...so all those companies who got on board with the EEA are all getting scammed too?! Really activated my almonds...

so where can i find this github?

>i-it's just a scam guys!

t. someone that didn't get to buy in when ETH was $40

>mfw you're right
>myEthWallet coincidentially had 1.2 ETH out of exchange wallets and different cryptos

Node is a great thing, so much possibility and flexibility. It just has the whole JavaScript problem, allowing people to do dumb shit. I hate JavaScript, but I love the flexibility of node.

Shame that this problem wasn't caught sooner.

Please stop falling for the fud guys. I know what he is saying may seem scary, but the randomness that is being used is cryptographically strong. This means that there are no patterns in it that we could use to narrow the key space. OpenSSL's randomness has been audited by both humans and by programs (which test the data to measure how "random" it is).

in b4 ethereum's 2nd colossal failure

how many of you even know about the DAO? and then they forked it undermining the fundamental tenets of crypto.

lmfao yall niggas just punting off stacks into shitcoins without having a clue

I laugh with the force of a thousand keks at the sight of these butthurt, moronic fucking idiots posting the most obvious FUD in the history of crypto.

Your day of the rope is coming. Until then, keep making me cry laughing