In Part 1 I exposed SamouraiDev’s sockpuppetry. In Part 2 I showed how they bully respected developers in the space for raising concerns about their wallet. Pointing out malintent is important, and I have only scratched the surface, but this time I’ll move on to extreme incompetence.
Note that you will NOT find irresponsible security disclosure here. I am going to shed new light on one of the largest, if not the largest, cases of developer incompetence in the history of Bitcoin: Blockchain.info’s random number generator issues, which resulted in many users having their bitcoins stolen.
As a lesser-known fact, the SamouraiDev and SamouraiWallet accounts were behind the curtain of the company, and they earned the ridicule of the infosec community with an “incredible cascade of bad decisions” while they were working at Blockchain.info.
Mandrik was the first employee of Blockchain.info (he left because of the SegWit2x drama). To verify his claims I found the GitHub commits posted on Reddit. Unfortunately Blockchain.info did succeed in taking those commits down, but the URL shows that the commits were made to the Android-Wallet-2 app. And indeed the developer of that app was William Hill, also known as SamouraiDev.
The Bugs Explained
As I noted, Blockchain.info deleted the commits, so I cannot cite the actual code, but the Reddit thread explains it clearly.
SamouraiDev used a custom LinuxSecureRandom implementation that was seeded from random.org. However, when this wasn’t available, “instead of screaming bloody murder like any sensible implementation would” he fell back to the standard SecureRandom class. Seeding this class before it has produced any output does not add entropy, but replaces it entirely. This resulted in numerous users generating wallets from seeding solely with
The next mistake was that he was “using HTTP instead of HTTPS to make the webservice call to
But in January 2015 random.org started enforcing HTTPS. SamouraiDev made a mistake even here: instead of acknowledging the error, as any reasonable person would do, he silently ignored it, and “since that date, the entropy has actually been the error message.”
An added bonus is that in his “fix” he is still using
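To make the chain of failures concrete, here is an added example in Java. This is my own code, not Blockchain.info’s deleted commits (which I cannot cite): it puts the seeding pattern the Reddit thread describes next to a hardened version. The error-page bytes are a constructed stand-in for whatever random.org actually returned over plain HTTP, and the HTTPS check, the status check and the SHA-256 mixing are my design choices, not anything the original wallet contained.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class EntropyDemo {

    // Constructed stand-in for what an unchecked HTTP fetch received once
    // random.org enforced HTTPS: a redirect/error page, not random bytes.
    // HttpURLConnection does not follow http:// -> https:// redirects, so a
    // caller that never looks at the status code is handed the 301 page body.
    static final byte[] ERROR_PAGE_AS_SEED =
        "<html><body>301 Moved Permanently</body></html>"
            .getBytes(StandardCharsets.UTF_8);

    // BUG PATTERN described in the post: hand the web service's bytes to
    // setSeed() on a fresh SHA1PRNG. Called before the first nextBytes(),
    // setSeed() makes the supplied bytes the ONLY entropy, so every wallet
    // seeded with the same response derives the same key.
    static byte[] vulnerableKey(byte[] webServiceBytes) throws NoSuchAlgorithmException {
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
        prng.setSeed(webServiceBytes);      // replaces, does not supplement
        byte[] key = new byte[32];
        prng.nextBytes(key);
        return key;
    }

    // HARDENED (my design, not the wallet's): the OS-seeded SecureRandom is the
    // entropy source; external bytes are hashed in on top of it, so a garbage
    // response, or no response at all, can never reduce the key's entropy
    // below what the OS supplied.
    static byte[] hardenedKey(byte[] externalBytes) throws NoSuchAlgorithmException {
        byte[] local = new byte[32];
        new SecureRandom().nextBytes(local);      // self-seeds from the OS
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(local);
        if (externalBytes != null) {
            sha256.update(externalBytes);
        }
        return sha256.digest();
    }

    // HARDENED fetch: plaintext is refused, redirects are not followed, and
    // anything other than 200 OK (or a short body) is an exception, never "entropy".
    static byte[] fetchExternalEntropy(String url, int expectedLen) throws IOException {
        if (!url.startsWith("https://")) {
            throw new IOException("refusing to fetch entropy over plaintext: " + url);
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("entropy service returned HTTP " + status);
        }
        byte[] body = readAll(conn.getInputStream());
        if (body.length < expectedLen) {
            throw new IOException("short entropy response: " + body.length + " bytes");
        }
        return body;
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Two "users" whose clients both swallowed the same error page as entropy.
        byte[] a = vulnerableKey(ERROR_PAGE_AS_SEED);
        byte[] b = vulnerableKey(ERROR_PAGE_AS_SEED);
        System.out.println("vulnerable: identical keys = " + Arrays.equals(a, b));

        // Same garbage input, but mixed on top of OS entropy.
        byte[] c = hardenedKey(ERROR_PAGE_AS_SEED);
        byte[] d = hardenedKey(ERROR_PAGE_AS_SEED);
        System.out.println("hardened:   identical keys = " + Arrays.equals(c, d));

        // Optional: pass an https:// URL to exercise the checked fetch (needs network).
        if (args.length == 1) {
            byte[] ext = fetchExternalEntropy(args[0], 32);
            System.out.println("fetched " + ext.length + " bytes and mixed them into a key");
        }
    }
}
```

Run it with no arguments and it works entirely offline: the two vulnerable “users” end up with identical keys because the SHA1PRNG has nothing but the error page to work with, while the hardened keys differ because the OS entropy is never replaced. The fetch function is what “screaming bloody murder” looks like in code: refusing plaintext, refusing to follow the redirect, and turning every non-200 response into an exception the caller cannot ignore.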
Make no mistake. Randomness is the holy grail of Bitcoin development. What would you do if you woke up to find your bitcoin wallet emptied? You could even use cold storage; you are still damned if someone generates the same keys as you.
It is the single most important piece of code in any Bitcoin software, where one bug is disastrous in itself, and I am struggling to find an adjective for a chain of bugs. Not to mention that even “the fix” was a bug. And according to the original Reddit poster this wasn’t even the first: “It was their BUGS on PRNG again!”
This has found its way to infosec Twitter and we’re all kinda sitting around gawking at it in sheer disbelief that someone would seed for Bitcoin from random.org (problematic), over plaintext (deal breaker), and then not even trap results other than 200 OK (mind blower). An incredible cascade of bad decisions. — /u/abadidea
“deal breaker” here starts at the thought of using random.org for generating private keys. — /u/alithediamonds
Since they’re not using HTTPS, they don’t even need to MTM it, just tap it. — /u/ex_ample