Why would Bitcoin.org say it has any reason to suspect that its website will likely be targeted by state sponsored attackers?
This question has drawn varying answers over the last two days, and it has raised concern particularly because the initiator of the warning has provided very little information on the topic. The Bitcoin.org contact form does not appear to be functional, and the press release says nothing beyond the warning to be "extra vigilant when downloading the binaries from our website for the upcoming 0.13.0 release."
Any cause for alarm?
It reads as a necessary but calculated message that deliberately says little, probably in an attempt to curb FUD within the Bitcoin community. However, considering the damage the recent hack on a Chinese exchange has done to the community, another attack, especially one from a government source, is the last thing Bitcoin enthusiasts want to hear about right now.
A part of the warning says:
“As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.”
Bitcoin.org has prescribed a way for users to confirm that the binaries they are running are the same ones the Core developers produced: check the release signatures, which are made with the developers' release-signing key, rather than trusting the download alone.
Our source at Bitcoin.org says there is no information about the warning beyond what has already been made public. He explains that the announcement came out of the blue even for him, and suggests that users heed the advice and check signatures after downloading if they have not already done so.
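What "check signatures" has to mean in practice, as an added example that is not Bitcoin.org's own instructions (the page does not reproduce them): a small Python verifier that accepts the signed SHA256SUMS file only if gpg's machine-readable status shows a valid signature from a key whose fingerprint was pinned out-of-band, not merely a zero exit code, and then checks the downloaded binary's SHA-256 against that signed list. The fingerprint constant is the author's assumption about the Bitcoin Core release-signing key of the period; obtain it from a source independent of the download site, not from this article. The file names, digest list and gpg status lines used in the demo are constructed.

```python
"""Verify a downloaded release against a signed SHA256SUMS list.

Added example, not Bitcoin.org's or Bitcoin Core's own tooling.
Real use: run `gpg --batch --status-fd 1 --verify SHA256SUMS.asc`, feed the
status lines to signature_ok(), then hash the binary and compare.
"""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path

# ASSUMED value: confirm it out-of-band before trusting it. A fingerprint read
# from the same site that serves the binaries (or from this article) is not a
# trust root, because whoever replaced the binaries can replace that too.
EXPECTED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"

# sha256sum-style lines: "<64 hex digits>  [*]<filename>". Header and signature
# lines of a clearsigned SHA256SUMS.asc simply do not match and are skipped.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def parse_sha256sums(text: str) -> dict:
    """Map filename -> lowercase hex digest from a (possibly clearsigned) list."""
    sums = {}
    for line in text.splitlines():
        m = _SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def signature_ok(status_output: str, expected_fpr: str) -> bool:
    """Decide from `gpg --status-fd 1` output whether the signature is good AND
    was made by the pinned key.

    gpg's exit status is not enough: any key in your keyring yields GOODSIG,
    including one an attacker planted next to the tampered binaries, and gpg
    only warns (TRUST_UNDEFINED) about keys outside your web of trust.
    """
    expected = expected_fpr.replace(" ", "").upper()
    pinned_valid = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        # Fail closed on any bad, unverifiable, expired or revoked signature.
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False
        if tag == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; args[9], when present,
            # is the primary key fingerprint. Either may carry the pin.
            candidates = {args[0].upper()}
            if len(args) >= 10:
                candidates.add(args[9].upper())
            if expected in candidates:
                pinned_valid = True
    return pinned_valid


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_matches(data: bytes, filename: str, sums: dict) -> bool:
    """Compare the binary's digest with the signed list. A file absent from the
    list is a failure, not a pass; the comparison is constant-time."""
    expected = sums.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def gpg_status(sums_asc: Path, gpg: str = "gpg") -> str:
    """Run gpg on a clearsigned SHA256SUMS.asc and return its status lines.
    Needs gpg and the release key imported; not used by the offline demo."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", str(sums_asc)],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def verify_release(sums_asc: Path, binary: Path,
                   expected_fpr: str = EXPECTED_FPR) -> bool:
    """Full check: signature by the pinned key first, then the hash of this file."""
    if not signature_ok(gpg_status(sums_asc), expected_fpr):
        return False
    sums = parse_sha256sums(sums_asc.read_text())
    return file_matches(binary.read_bytes(), binary.name, sums)


if __name__ == "__main__":
    # Constructed demo data: no network and no gpg required.
    name = "bitcoin-0.13.0-x86_64-linux-gnu.tar.gz"
    blob = b"constructed stand-in for the release tarball"
    signed_list = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                   + sha256_hex(blob) + "  " + name + "\n"
                   "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n")
    good = ("[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2016-08-23 1471911888 0 4 0 1 10 00 "
            + EXPECTED_FPR + "\n[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
    rogue = ("[GNUPG:] VALIDSIG " + "A" * 40 + " 2016-08-23 1471911888 0 4 0 1 10 00 "
             + "A" * 40 + "\n")
    sums = parse_sha256sums(signed_list)
    print("pinned key, hash matches:", signature_ok(good, EXPECTED_FPR)
          and file_matches(blob, name, sums))
    print("rogue key (gpg would still exit 0):", signature_ok(rogue, EXPECTED_FPR))
    print("tampered file:", file_matches(blob + b"!", name, sums))
```

Pinning the fingerprint is what turns gpg's "not certified with a trusted signature" warning into a hard failure. It also makes the download site irrelevant as a trust anchor: an attacker who controls the web server can replace the binaries, the checksum list and any key file hosted there, but cannot produce a SHA256SUMS signature that verifies under the release key you pinned elsewhere.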
What can actually happen during a Bitcoin software update?
While there has been no concrete evidence that an attack is imminent, there are suggestions that the warning is simply a safety precaution, particularly as government agencies may be interested in tracking payments.
Theymos, a moderator of Reddit's /r/Bitcoin, says:
“There's no flaw in 0.13.0 itself. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.”
A report called the release the "most significant code change" for Segregated Witness, the next step toward its eventual deployment, potentially in version 0.13.1. It says that with that code now in place, Bitcoin Core developers believe the SegWit release will be smoother and safer.
Looking back to last year, one of the research questions in RAND Corporation's report National Security Implications of Virtual Currency was how a government or organization might successfully use technology to disrupt a virtual-currency deployment by a non-state actor, and what degree of cyber sophistication that would require.
However, one of its key findings states that non-state actors cannot use established virtual currencies to disrupt sovereignty and increase political and/or economic power.