Yahoo Announces 500m Accounts Were Compromised

It’s been announced that at least 500m Yahoo accounts have been breached.

The compromised personal data includes names, passwords, emails, phone numbers, and security questions. Yahoo was officially hacked in early 2014 by a state-sponsored hacking collective. Yahoo is currently investigating the hack in cooperation with law enforcement. Yahoo stated that it does not believe any bank or credit card details were compromised in the hack.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank information are not stored in the system that the investigation has found to be affected,” Yahoo said in a statement.

Yahoo has begun notifying users who were affected. Anyone who hasn’t changed the password to their Yahoo account since 2014 should probably change it now. Yahoo also stated that they did not breach security questions, so there will be no way for hackers to get access to the accounts.

“Yahoo encourages users to check their online accounts for suspicious activity and to change their password and security question and answers for any other accounts on which they use the same or similar information used for their Yahoo account,” the statement went on.

Yahoo also says users should be careful, and watch for any emails from Yahoo containing links, attachments, or downloads, and that Yahoo is not asking for any personal information from its users.

U.S. Senator Mark Warner described the breach as a huge, serious problem.

“While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today,” he stated.

Kurt Baumgartner from Kaspersky Lab said:

“The company has demonstrated that it isn’t quick to implement best practices and available security technologies, such as the delay in encrypting IM communications, implementing https for its web properties and more. These types of breaches highlight why all companies need to be cybersecurity leaders, not followers.”

The post Yahoo Announces 500m Accounts Were Compromised appeared first on Deep Dot Web.


Why Bitcoin Mining Pools Aren’t Incentivized to Broadcast Blocks Quickly

It is generally accepted that latency in block propagation is one of the bottlenecks for Bitcoin scaling. This is why many of Bitcoin’s most active developers and researchers have presented a series of solutions to compress blocks and speed up propagation over the past years.

It is not as well known that these solutions may not suffice on their own. Due to a practice called “spy mining” or “pool-watcher mining,” Bitcoin mining has increasingly come to rely on the data and network infrastructure provided by mining pools.

As a result, many mining pools are not necessarily incentivized to broadcast their blocks to the network as fast as they can — regardless of latency in block propagation.

Selfish mining

To understand how this is possible, let’s first take a brief look at an older concept: “selfish mining”.

In short, selfish mining is a type of attack where miners find new blocks, but do not immediately broadcast these blocks to the network. The miners do, however, mine on top of any new block they find themselves: they are mining “selfishly.” This gives them a head start to find the next block, while all other competitors are wasting their resources mining on top of an older block.

But hiding a new block is also risky. While a selfish miner hides a block, competitors may find a competing block. If this competing block makes its way through the network before the selfish miner’s block does, the selfish miner would have wasted its own resources by hiding the block: the block is now worthless.

For selfish mining to be profitable, therefore, the attacker requires a significant amount of hash power on the network — some 25 to 30 percent at least. And more than half of all hash power on the network is surely enough. Though, with a majority of hash power, the attack perhaps starts to resemble a 51 percent attack and not just a selfish mining attack.

A “selfish 51-percent attack,” if you will.

Luckily, no miner (or mining pool) currently controls over half of all hash power on the Bitcoin network, or even 25 percent. At least not directly…

Validationless mining

A lot of miners do engage in a type of “validationless mining” or (less accurately termed) “SPV mining”.

A Bitcoin block consists of several pieces of data: transactions, a timestamp, a nonce and more. One important piece of data is a reference to the previous block: the block header hash. The block header hash can only be generated using the block header of the previous block, which can in turn only be generated using all data in that block. The idea is that a miner cannot mine a new block before it has seen the previous block.

But there is a bit of a loophole. Using only the block header hash, miners can try and find the next block just as well — even without knowing the previous block header or any of the other data in the previous block.

This can potentially come in handy. If miners can get a block header hash before receiving an actual block, they can try and find a new block more quickly, which allows them to be more profitable.

And as it turns out, there is indeed a way for miners to often get a block header hash before receiving an actual block.

Spy mining

The mining pools that today account for most blocks mined on the network really consist of many individual miners: e.g., “hashers.” These hashers are all trying to find a new block on behalf of their pool, using a block header hash they received from their pool.

A pool, of course, wants its connected hashers to mine on top of a new block as soon as possible. So if a pool finds a new block, it immediately sends the block header hash to all its hashers for them to mine on top of. And since this block header hash consists of minimal data, and because there is a direct connection between the pool and all hashers, the block header hash typically gets to these hashers very quickly.

This is where spy mining comes in.

Competing miners (including competing mining pools) can receive this block header hash from the mining pool as well. They simply need to connect to the pool, much like all the hashers. But instead of hashing for the pool, these miners then take the block header hash and mine on top of it for themselves. They’re spy mining.

The pool that has the block header hashes may not even notice the difference between real hashers, and the spy miners. And if the pool does notice the difference, it may not even care. There’s no real disadvantage for the pool.

Perhaps unsurprisingly, therefore, over half of all miners on the network (by hash power) currently engage in spy mining.

Smaller problems

Unfortunately, spy mining — like all validationless mining — does present some problems.

Spy miners can’t check block header hashes for validity; they need all the other block data for that (the transactions, the nonce, etc). As such, spy miners have to place some trust in the mining pools they get the block header hashes from. This means that if the mining pool mines invalid blocks, it can — in a worst case scenario — lead to blockchain forks. (Much like the 2015 BIP66 blockchain fork.)

Additionally, mining pools can abuse the trust placed in them, especially if they can identify their spy mining competitors; for example, by feeding corrupt block header hashes to (some of) the spy miners. This tactic can cause spy miners to waste their resources, in turn making the Bitcoin network less secure.

And, until they receive the full block, spy miners can only mine empty blocks; that’s the only way to ensure they don’t include any double-spend transactions. This means that the total transaction throughput on the Bitcoin network is lower than it could be.

Luckily, however, in part thanks to several safeguards applied by spy miners, these problems are all relatively minor. While probably not ideal, risks to the Bitcoin network are limited.
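The loophole described under “Validationless mining” and the trust problem described above, shown as an added example that is not part of the original article: mining needs only the parent's 32-byte hash, so a fabricated hash is mined on just as readily, and the check that would catch it needs the parent header itself. The difficulty target, header field values, coinbase bytes and function names are constructed for illustration.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def hash_value(header: bytes) -> int:
    """Header hash as the 256-bit little-endian number compared to the target."""
    return int.from_bytes(dsha256(header), "little")

def build_header(prev_hash: bytes, merkle_root: bytes, nonce: int) -> bytes:
    """80-byte header; the parent block appears only as its 32-byte hash."""
    # version, timestamp and bits are constructed placeholder values
    return (struct.pack("<I", 1) + prev_hash + merkle_root
            + struct.pack("<III", 1474588800, 0x207fffff, nonce))

def mine_on_top(prev_hash: bytes, merkle_root: bytes, target: int) -> bytes:
    """Find a header below target, given nothing but the parent's hash."""
    for nonce in range(2**32):
        header = build_header(prev_hash, merkle_root, nonce)
        if hash_value(header) < target:
            return header
    raise RuntimeError("nonce space exhausted")

def parent_is_valid(parent_header: bytes, announced: bytes, target: int) -> bool:
    """Check that is only possible once the parent header has arrived."""
    return (len(parent_header) == 80
            and dsha256(parent_header) == announced
            and hash_value(parent_header) < target)

# Constructed sample data; TOY_TARGET is far easier than any real network target.
TOY_TARGET = 1 << 244  # about 1 in 4096 hashes qualifies
EMPTY_ROOT = dsha256(b"constructed coinbase transaction")  # empty block: root is the coinbase txid

# A pool finds a block and announces only its header hash to connected miners.
pool_header = mine_on_top(bytes(32), EMPTY_ROOT, TOY_TARGET)
announced = dsha256(pool_header)
# A fabricated announcement: 32 bytes that are not the hash of any block.
bogus = hashlib.sha256(b"constructed bogus announcement").digest()

spy_block = mine_on_top(announced, EMPTY_ROOT, TOY_TARGET)
wasted_block = mine_on_top(bogus, EMPTY_ROOT, TOY_TARGET)  # succeeds just the same

if __name__ == "__main__":
    print("spy block commits to announced hash:", spy_block[4:36] == announced)
    print("real announcement checks out later:", parent_is_valid(pool_header, announced, TOY_TARGET))
    print("bogus announcement checks out later:", parent_is_valid(pool_header, bogus, TOY_TARGET))
```

Both mined headers meet the proof-of-work target, so nothing at mining time distinguishes the block built on the fabricated hash; only the later comparison against the real parent header does.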


Widespread engagement in spy mining, however, enables a bigger problem.

Because so many miners (and pools) are spy mining, each time a mining pool finds a block and transmits the block header hash, this mining pool effectively directs a majority of all hash power to mine on top of that block — immediately. As such, there is no longer a big risk of this block being rejected and discarded for a competing block. Most of the network already accepts this block through the block header hash.

This practice, in turn, allows mining pools to launch selfish 51 percent attacks, simply by delaying broadcasting their new blocks to the network. More specifically, it allows mining pools to launch selfish 51 percent attacks against any miner that does not engage in spy mining, and against some identified spy miners. While a mining pool and its spy miners get a headstart mining on top of the new block, all other miners waste their resources. (At least for some time, depending on the safeguards imposed by spy miners.)

Amazingly, this even means that mining pools can gain advantage by being sloppy. Mining pools can, for instance, benefit from buggy software that delays broadcasting blocks by a few seconds — or more than a few.

Although mining pools should want to broadcast their blocks to the network as fast as they can, widespread engagement in spy mining seems to have skewed these incentives for the worse — with no clear solution in sight.

The post Why Bitcoin Mining Pools Aren’t Incentivized to Broadcast Blocks Quickly appeared first on Bitcoin Magazine.


Synereo and NFX Guild Launch Strategic Partnership to Build a Decentralized Internet

In a major step forward for collaboration in building decentralized apps on blockchain technology, NFX Guild, a Silicon Valley startup accelerator, and Tel Aviv-based blockchain tech company Synereo have signed a partnership agreement to build an ecosystem of decentralized applications (dApps) on Synereo’s Blockchain 2.0 platform.

The proposed “decentralized internet” will use Synereo’s own blockchain technology to enable apps, websites and web-services to work without a central location or authority to verify the authenticity of the transactions between actors.

Synereo calls its “World Computer” “the perfect decentralized social network…a virtual machine, capable of running decentralized applications (dApps), designed for massive use at blazing speeds.”

The company claims that the full Synereo tech stack, which has been in development for 5 years, has matured into a generic decentralized computation and storage platform, suitable for billions of users.

Hackathon Will Select Three Teams to Start

NFX Guild wants to find the best three teams for its dApp development program by sponsoring a hackathon. Hackathon winners along with “laureates” from Synereo’s grant program will be invited to apply for the NFX Accelerator Program.

The winning three teams will receive $120,000 in investment funds from NFX and an AMP grant from Synereo to build dApps on the blockchain.

James Currier, Managing Partner at NFX, explained the Guild’s decision to choose Synereo’s technology for the project, stating:

“We have been looking at digital currencies, Blockchain, and the decentralized economy for over a decade. We’ve been looking for a time and a group that was not just cryptonerds, but that was practical, who wanted to build applications, who wanted to make it about the users experience of something great — not just about the technology and the math.”

Gigi Levy-Weiss, NFX Founding Partner, added:

“We found the Synereo team to have a unique combination of cryptocurrency and modern digital finance understanding alongside a real understanding of developer requirements and the know-how of how to build strong developer tools.”

Synereo’s website shows a total of $3.4m raised in their current fundraising campaign, during which the company is offering its AMP cryptocurrency at a fixed price and equity to qualifying investors at BnkToTheFuture.

Synereo’s Full Stack Blockchain Technology

Synereo was one of the first companies to design its own blockchain “stack” rather than using Ethereum’s or any other blockchain designs because, according to a blog on their website:

“Contemporary Blockchain solutions are still slow, wasteful and impossible to scale, and are overall unsuited to support the types of applications we’re used to on the net or for operating at the scale of Facebook or Twitter + Visa or Mastercard.”

The blog talks about Synereo’s own “World Computer” with billions of personal devices connected without a server farm or central point of control.

“Such a world computer wouldn’t only make the Internet virtually untouchable and censorship-resistant, it would also level the playing field and allow the commons to compete against the highly centralized leviathans of the contemporary tech industry.”

The company maintains that all the major players in the decentralization space have gone with their own blockchain technology, mainly to control and “own” the technology at the base of their stack.

As described in a recent article here, the Synereo blockchain stack can be described as:

“A four-layer system consisting of (from bottom-up): new blockchain technology called “RChain” or “Blockchain 2.0”; a distributed storage and content delivery protocol called “SpecialK”; its programming language for smart contracts and distributed apps called Rholang; and then the applications themselves.”

RChain: The Core Element of Synereo’s World Computer

According to the company, RChain can solve well-known problems of classical blockchain technology and is able to make blockchain based systems faster, cheaper to maintain and “infinitely scalable.”

RChain’s consensus protocol is based on the ‘Casper’ Proof of Stake design developed by a group including Vitalik Buterin and Vlad Zamfir of Ethereum, Synereo’s CTO Greg Meredith, Ethan Buchman of Tendermint, Rick Dudley of Eris Industries, and Aron Fisher of Colony. Casper provides a model where consensus is as cheap as possible for everyone, except for hackers conducting an attack.

Synereo’s most prominent application to date is the Social Network, which launched as an alpha version in August.

Like Steemit, the Social Network offers content on the network and rewards participants with Synereo’s currency AMP.

The post Synereo and NFX Guild Launch Strategic Partnership to Build a Decentralized Internet appeared first on Bitcoin Magazine.
