Today, I had the privilege of chatting with johoe, the white hat hacker who swept over 800 bitcoins from addresses generated with a security error on Blockchain.info’s web wallet. After learning that the insecure addresses were generated on Blockchain.info, johoe returned all of the bitcoins he obtained to Blockchain.info, so they could refund users who lost their bitcoins. johoe is considered to be a white-hat hacker because he hacked ethically. johoe continues to return bitcoins to Blockchain.info as he finds them. johoe has received praise from bitcoiners on reddit, BitcoinTalk, and other community forums on the internet for returning the bitcoins.

Users have called him a crypto superhero, a great man, and are asking how to tip him (you can tip him at 15qALUZH5Yg7uMnkyBh8Ub9ZkmVsAVWJie).

CCN.com Interview with johoe

Here’s the interview:

How did you initially discover the issue with the reused R values on Blockchain.info?

I have a script that I run regularly that scans for repeated R values. There has been another program producing them since September, so I took a habit of watching that daily. The problem is not new to me. I followed it since April 2013. The program I use is my own one, that I wrote in 2013.

What program was this, and how many bitcoins did you sweep out of those addresses?

The one in Summer 2013 was the Android bug. The buggy RNG [Random Number Generator]. I didn’t sleep much, a few mBTC. But others were doing it as well. That it was Android I only noticed when I searched for one of the broken addresses and found a post at bitcointalk. This was when I created the [bitcointalk] account. I told him that his program was buggy and asked him which [bitcoin client] he used.

Which wallet would you recommend for the average user of Bitcoin that combines security with ease of use?

For small amounts of money, one can probably use everything that one finds convenient. I would suggest using some tools that use deterministic wallets so that one doesn’t have to worry so much about backups. Of course, if one uses a program on the desktop, one should set a wallet password and keep it clean from malware. For larger amounts, that one doesn’t need to access regularly a paper wallet should be used, preferably with the key generated on an offline computer. I use my trezor for this, though.

What is your opinion on the security of Blockchain.info’s web wallet following these incidents?

The bug shows that there is a problem. The patch was changing security-critical code and it should have been reviewed more thoroughly. It was just a missing variable initialization. A careful inspection of the code should have revealed it. JavaScript is also not really meant to program security-critical applications. For example, it has no type checking.

How did you verify that the addresses you swept were generated on Blockchain.info?

If an address was generated on Blockchain.info on that day it was produced by the random number generator, so it was in my list of random numbers. But I could also attack addresses from which money was spent on that day. In that case, the signature contains one random number from my list. I actually didn’t check that I accidentally broke an address that wasn’t related to this problem. There is still some other tool producing the duplicated R values and I’m still wondering which.

But if it happened they should see the note that they should contact Blockchain support. So it is okay :) I’m thinking I found most of the money, but I know that 105.9 BTC were stolen already in the evening (probably by some lucky guy who accidentally created the same address).

Can you explain a bit more about this other program producing duplicated R values?

We are still wondering about it. It has a different pattern. It uses a random R-value, but it uses it in one transaction for all inputs. amaclin analyzed some of the transactions and said that they spent to a BTC-e address, but we don’t know much more. Since the program is usually not reusing keys often, there have been not so many broken keys and I think only very few swept accounts. I think I still have 0.9 BTC from one account. So if we ever find out [which program has the issue] I will offer it back.