Blur v0.1.9.6 'Radiance'

@who-biz who-biz released this 24 May 19:21
· 302 commits to master since this release

Blur v0.1.9.6 'Radiance' Release Brief

This update is STRONGLY RECOMMENDED for all nodes, as it includes very significant improvements to security and privacy. You may continue mining on the older versions, but hashrate should be improved noticeably with these changes.

This point release greatly lessens the potential for misuse of the network, so we strongly encourage everyone to update as soon as possible. Most of these updates are improvements upon our parent codebase, and are seen nowhere else in CryptoNote. If you are part of another CN community, please consider informing others about these changes, as they may reduce the likelihood that the network(s) are misused maliciously. Disclosures about relevant vulnerabilities were made where reasonably possible. Ultimately, we feel that patching these issues is the only way they will get fixed, and as a result, we have included citations where the changes took place in each commit, as diligently as we could.

Please see the changelog below for a record of these changes/improvements.

Changelog

Changes since the last release (v0.1.9.5) include the following, from roughly 75 significant commits:

  • Removal of ALLOW_DEBUG_COMMANDS conditional which could make timing attacks a lot easier. (Technically from v0.1.9.5, but we did not go into detail until other projects were notified.)
  • Removal of proof_of_trust function that caused every daemon who performed a handshake to hash a zeroed pubkey with keccak, as well as transmitting the host computer's operating system each time, in its response to a proof_of_trust p2p request.
    • The zeroed pubkey was removed from src/cryptonote_config.h. Within the global scope, P2P_REMOTE_DEBUG_PUB_KEY was defined as a string of zeroes.
    • This behavior facilitates a type of attack proven effective by Dan Bernstein in his paper on cache-timing attacks. The attack in the linked paper has a victim host computer hash a zeroed string repeatedly, so that the attacker can determine the victim's AES private keys. In CryptoNight, keccak is used to initialize the scratchpad, and within key expansion for the "AES" pseudo-rounds.
    • Additional known information about the host improves the efficacy of this attack further. This is the same vulnerability from the Spectre and Meltdown bugs. These changes (removal of code) prove that those aspects of the p2p protocol are entirely irrelevant to the network's primary functionalities.
  • Removal of SMTP-related code in epee library, as well as munin plugins (ca4cae4).
    • Note that these were entirely unutilized, but due to the epee library being a source of at least one large issue in the past (DoS bug - disclosed by Cisco Talos) this library will see further removal of unused code in an effort to prevent misuse.
    • SMTP-related functions were of particular concern, due to the fact that this library was employed in the past as part of a spam botnet. We will be moving away from this library as soon as practicable. (You can follow progress here: #51)
  • P2P no longer restores its state from peers_state.bin on each restart. Each time nodes are restarted, they will load a default (new) configuration. You may safely remove peers_state.bin. Full removal of the file has been held off until the de-initialization functions can be safely patched away from storing their state within that file (2f3d38a#diff-c02157891426370c008d7076b723128cL88)
  • Fix accounting for additional_tx_pubkeys or R' in scenarios where we have additional keys, but don't "need" to account for them. (https://github.com/blur-network/blur/blob/master/src/cryptonote_core/cryptonote_tx_utils.cpp#L320)
  • All DNS-related code has been removed, as well as all instances of the function get_address_from_str_or_url. The latter has been patched over with the get_address_from_str function seen elsewhere in code. (ab4f780). URI-encoded addresses for QR-code generation, etc. remain intact and functional.
  • Together with OpenAlias, the URL handling and DNS-specific code could lead to misuse of the network. As a result, the OpenAlias functions have also been excavated (9e96a69)
  • Without any need for DNS records or DNSSEC, the dependency in libunbound has been removed. (ab4f780)
  • Clean up of some p2p code for node communication. Sync speed is further improved.
  • Removal of extra parameters in start_mining command (i.e. allow_background_mining and ignore_battery). Prior to these changes, the miner would treat anything it was pointed at as a URL if it was not one of: testnet, stagenet, or mainnet addresses. This is no longer the case. (36e03a6#diff-ac8dafe790c54bf6385932af74b47a56R283)
  • Mining algorithm speed improved by optimizing for powers of two. (a6f4244)
  • Thread stack size was erroneously allocating over 5MB to each thread minimum, which was adversely impacting hashrates. This has been fixed to now allocate 524kB (0x80000), as should have been the case.
  • Hardfork height for version 11 has been delayed, pending investigation of possible issues found within the cryptonote-specific implementation of the ChaCha20 stream cipher and accompanying Poly1305 for MAC. A similar issue is present within CVE 2019-1543.
  • Messages for PRNG from previous block and mining iterations have been moved to log level 2.
  • Removal of graphviz dependency and associated save_graph commands (p2p graphs).
  • Removal of functions determining whether the host computer is running on a rotating disk drive (we don't need to know this & user already knows).
  • Removal of a dangerous macro for LONG_PAYMENT_ID that had a return statement in it. (70f2236)
  • Removal of unsafe stack trace files (see: 5449839#diff-185b76a2878d92e392ebd20786466293L63)
  • Removal of unnecessary dependency packages from depends build system.
  • Addition of Makefile entries for cross-compiling on linux for non-native linux and windows, to chain build depends packages with the source build.
  • Fix for display of print_cn commands to be cleaner and thinner. (7888a68)
  • Removal of a macro for the name of a Windows service, which was not made conditional (it was present on all platforms) and was taken as an argument on the command line. (212f1cb)
  • Removal of ZeroMQ dependency and associated files (f24aef0)
  • Removal of remote update notifications as well as any functions dealing with remote downloads.
  • Fix for pow_hash being used in incorrect places within RPC commands, due to changing from it being an optional inclusion in the header, to a mandatory one. (8cff01e).
  • Improvement to p2p protocol by making sure nettypes & seed nodes are handled better, and sync is a bit quicker (b056e90).
  • ANSI colors are made more appealing (66f85c7)
  • Package upgrades for OpenSSL and Readline within depends build system. The openssl upgrade to 1.0.2r addresses CVE 2019-1559.
  • MiniUPNP is no longer a dependency and universal plug and play functionality has been removed, as well as the --no-igd startup flag.
  • Seed node addresses have been changed.
  • Wallet API and Simplewallet were also updated to bring their code in line with the overall state of the codebase (Simplewallet: 500b262 & API: 23f9811).

Please verify the following sha256sums against those of the files you download:

blur-v0.1.9.6-linux-x86_64.tar.gz:
558fa78da73c66072908484eab67aadf0f466cc53706668f1093b6ad97564a36

blur-v0.1.9.6-mac-x86_64.zip:
92ce0b04624431696c93b258621d22fb09a3d2ec694e5db6adbdd3110e754d2b

blur-v0.1.9.6-win-x86_64.zip:
1ea79ef1ffaf6310acea85a0931bffd61d0efa2dbede9d1b7b43a70070aeafd3

Contents:


Seed Node Addresses:

Mainnet Nodes

  • Node 1: 66.70.188.178:52541
  • Node 2: 66.70.189.131:52541
  • Node 3: 66.70.189.183:52541

Linux & Mac Instructions

Download and unzip the compressed binaries. Start the daemon with the command ./blurd, and your daemon will then begin to sync with the network.

Please add the seed node addresses below if you have trouble syncing.

Open a terminal and launch the daemon executable with the following options:

./blurd --add-priority-node=66.70.188.178:52541 --add-priority-node=66.70.189.183:52541 --add-priority-node=66.70.189.131:52541 --p2p-bind-port 52541 --rpc-bind-port 52542 --rpc-bind-ip 127.0.0.1

Wait for sync to complete, open a new tab or terminal window, and then start the wallet with:

./blur-wallet-cli

Follow the prompts to set up a new wallet. When prompted for the password, the CLI will not show a password as you type, as echo has been turned off for password entry.

Record the information for your wallet.

You can mine from your wallet, using the start_mining <threads> command -- but using that method directly from the wallet is NOT recommended.

Secure way to mine: Once you've generated a wallet address, issue the following command to a running daemon:

start_mining <address> <# of threads>

Example: start_mining bL4PdWFk3VVgEGYezGTXigHrsoJ3JGKgxKDi1gHXT7GKTLawFu3WMhu53Gc2KCmxxmCHbR4VEYMQ93PRv8vWgJ8j2mMHVEzLu 4

Or: Use the following startup flags when launching the daemon:

./blurd --start-mining <BLUR address> --mining-threads <num. threads>

Example: ./blurd --start-mining bL4PdWFk3VVgEGYezGTXigHrsoJ3JGKgxKDi1gHXT7GKTLawFu3WMhu53Gc2KCmxxmCHbR4VEYMQ93PRv8vWgJ8j2mMHVEzLu --mining-threads 4

You should see a message for each thread that reads: Mining started for thread[0] or something similar.

To view your hashrate in real-time, use the command show_hr.

Whenever you find a block, your daemon will show a bold message with the block # found. It is normal to experience a slight delay between that message and the balance reflecting in your wallet.

Windows Instructions

Download and unzip the compressed binaries. Double click the file named blurd.exe. Your daemon will then begin to sync with the network. Once it is fully synced, double click the blur-wallet-cli.exe to open the wallet.

For Sync issues on Windows:

Open Windows PowerShell (Windows Key + X, then click PowerShell (non-admin)) and type cd Downloads/blur-v0.1.9.6-win-x86_64 to switch to the directory you extracted the binaries into. Launch the daemon executable with the following options:

blurd.exe --add-priority-node=66.70.188.178:52541 --add-priority-node=66.70.189.183:52541 --add-priority-node=66.70.189.131:52541 --p2p-bind-port 52541 --rpc-bind-port 52542 --rpc-bind-ip 127.0.0.1

Start the daemon by double-clicking the blurd.exe file.

You will see a pop-up from your firewall. Be sure to check the box next to "Private Networks" if you are on a private network, or your daemon will not be able to sync with the network. If your daemon stalls while syncing, close and restart the program. You will not lose any blocks you have already synced. Once your daemon is synced with the network...

Start the wallet by double-clicking the blur-wallet-cli file.

Follow the prompts to set up a new wallet. When prompted for the password, please note that the CLI will not show a password or indicate your keystrokes as you type.

Record the information for your wallet.

You can mine from your wallet, using the start_mining <threads> command -- but using that method directly from the wallet is NOT recommended.

Secure way to mine: Once you've generated a wallet address, issue the following command to a running daemon:

start_mining <address> <# of threads>

Example: start_mining bL4PdWFk3VVgEGYezGTXigHrsoJ3JGKgxKDi1gHXT7GKTLawFu3WMhu53Gc2KCmxxmCHbR4VEYMQ93PRv8vWgJ8j2mMHVEzLu 4

Or: Use the following startup flags when launching the daemon, from Powershell:

blurd.exe --start-mining <BLUR address> --mining-threads <num. threads>

Example: blurd.exe --start-mining bL4PdWFk3VVgEGYezGTXigHrsoJ3JGKgxKDi1gHXT7GKTLawFu3WMhu53Gc2KCmxxmCHbR4VEYMQ93PRv8vWgJ8j2mMHVEzLu --mining-threads 4

You should see a message for each thread that reads: Mining started for thread[0] or something similar.

To view your hashrate in real-time, use the command show_hr.

Whenever you find a block, your daemon will show a bold message with the block # found. It is normal to experience a slight delay between that message and the balance reflecting in your wallet.

You should see the message: Mining started in daemon

Switch back to the terminal or tab in which your daemon is running, and type show_hr for real-time hashrate monitoring. For further commands in either the wallet or the daemon, type help into either CLI. Note that the commands for the daemon and wallet are different.

Whenever you find a block, your daemon will show a bold message with the block # found. There is a slight delay between that message and the balance reflecting in your wallet.

How To Verify These Binaries:

Download the zip archive of your choice and the accompanying '.asc' file. If you haven't already, download and install GnuPG.

Linux
Type the following command into a terminal: gpg --keyserver sks-keyservers.net --recv-keys D5C9054050576902

After downloading the public keys, check their fingerprint: gpg --fingerprint D5C9054050576902

You should see the output:

pub rsa4096 2018-06-07 [SC]
F3FE DCCF A90C 5683 1318 3C33 D5C9 0540 5057 6902
uid [ unknown] Blur Network (Blur: The Private Cryptocurrency) <[email protected]>
sub rsa4096 2018-06-07 [E]

Then, verify the files you've downloaded with:

gpg --verify blur-v0.1.9.6-linux-x86_64.tar.gz.asc blur-v0.1.9.6-linux-x86_64.tar.gz

The output should say "Good Signature." The warning message is due to no trust index being assigned to the signature; simply ignore it.

Windows
Open cmd.exe and type: "C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver sks-keyservers.net --recv-keys D5C9054050576902

After downloading the public keys, check their fingerprint: "C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint D5C9054050576902

You should see the output:

pub rsa4096 2018-06-07 [SC]
F3FE DCCF A90C 5683 1318 3C33 D5C9 0540 5057 6902
uid [ unknown] Blur Network (Blur: The Private Cryptocurrency) <[email protected]>
sub rsa4096 2018-06-07 [E]

Move into your downloads folder with cd C:\Users\[your username]\Downloads

Then, verify the files you've downloaded with:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify blur-v0.1.9.6-win-x86_64.zip.asc blur-v0.1.9.6-win-x86_64.zip

The output should say "Good Signature." The warning message is due to no trust index being assigned to the signature; simply ignore it.
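
The sha256sum check and the GnuPG check described on this page can be scripted so that an archive is accepted only when both pass. The following is an added example, not code from the Blur project: it compares the archive against the published SHA-256 and accepts a signature only when gpg's machine-readable status reports the full fingerprint shown above, rather than relying on the "Good Signature" text or the 64-bit key ID. The function names and SAMPLE_STATUS are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Blur project). The fingerprint and digest are the
# values published on this page; SAMPLE_STATUS is constructed for illustration.
BLUR_FPR="F3FEDCCFA90C568313183C33D5C9054050576902"
LINUX_SHA256="558fa78da73c66072908484eab67aadf0f466cc53706668f1093b6ad97564a36"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D5C9054050576902 Blur Network
[GNUPG:] VALIDSIG $BLUR_FPR 2019-05-24 1558725660 0 4 0 1 10 00 $BLUR_FPR"

# sha256_of FILE: print the hex digest with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_sha256 FILE EXPECTED: succeed only on an exact digest match.
check_sha256() {
    actual=$(sha256_of "$1" 2>/dev/null)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# validsig_by STATUS FPR: succeed only if gpg's --status-fd output has a
# VALIDSIG line whose signing-key or primary-key fingerprint equals FPR.
# A 64-bit key ID match (GOODSIG) alone is not accepted.
validsig_by() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release ARCHIVE SIGFILE EXPECTED_SHA256: both checks must pass.
verify_release() {
    check_sha256 "$1" "$3" || { echo "sha256 mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    validsig_by "$status" "$BLUR_FPR" ||
        { echo "no valid signature by $BLUR_FPR" >&2; return 1; }
    echo "verified: $1"
}

# Usage: verify_release blur-v0.1.9.6-linux-x86_64.tar.gz \
#            blur-v0.1.9.6-linux-x86_64.tar.gz.asc "$LINUX_SHA256"
```
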