Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: jimbobway on September 17, 2012, 09:49:31 PM



Title: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: jimbobway on September 17, 2012, 09:49:31 PM
Quote
Sergio Demian Lerner
@SDLerner
At #Ekoparty Security Conference, I'll give a sneak peek (not the full disclosure) of AVALANCHE, a #Bitcoin vulnerability I found.


http://twitter.com/SDLerner/status/247725013975834624


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: Severian on September 17, 2012, 09:57:04 PM
.


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: dree12 on September 17, 2012, 10:01:34 PM
Uh-oh. I'm not going to make any transactions, so that the chain rollback (if it happens) will be less painful. Hopefully the nosedive doesn't occur this time.


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: DeathAndTaxes on September 17, 2012, 10:02:43 PM
Wonder why he wouldn't have informed the developers here:

https://bitcointalk.org/index.php?action=profile;u=24826


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: Severian on September 17, 2012, 10:04:59 PM
Wonder why he wouldn't have informed the developers here:

https://bitcointalk.org/index.php?action=profile;u=24826

I just asked him.


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: Raoul Duke on September 17, 2012, 10:05:11 PM
Wonder why he wouldn't have informed the developers here:

https://bitcointalk.org/index.php?action=profile;u=24826

Maybe he did and they're keeping quiet.
Or maybe he's lying lol


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: apetersson on September 17, 2012, 10:06:39 PM
I would guess he is disclosing

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2012-3789

which is fixed in all recent versions of bitcoin. Since he disclosed it responsibly and it has been fixed, I do not mind that he now takes credit for his discovery publicly.


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: jimbobway on September 17, 2012, 10:14:35 PM
He said he is only doing a partial disclosure and not a full disclosure.  I imagine he will do a full disclosure after the conference and will talk to Gavin.

I am guessing he just wants some credit for discovering this vulnerability.


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: jimbobway on September 17, 2012, 10:20:49 PM
Uh-oh. I'm not going to make any transactions, so that the chain rollback (if it happens) will be less painful. Hopefully the nosedive doesn't occur this time.

Here is Gavin's description of a serious vs critical vulnerability.  https://bitcointalk.org/index.php?topic=88892.0


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: Etlase2 on September 17, 2012, 10:21:27 PM
I trust that Sergio is working with bitcoin's best interests and there is nothing to fear, but this thread reminds me of someone who claimed to have found a vulnerability several months back on some website, but I don't remember what (or if anything) became of it.


Title: Re: Security 'expert' claims bitcoin vulnerability. Presenting at Ekoparty Conf.
Post by: Sergio_Demian_Lerner on September 18, 2012, 02:23:49 PM
Hi!

Don't worry!

First, the dev team has already fixed this in 7.0. I hope the new stable release is ready soon and everybody upgrades.

Secondly, I won't be saying anything that can help an attacker exploit the vuln.

I will talk about many aspects of Bitcoin, with only one of them being the existence of DoS vulnerabilities, past heists in the ecosystem, and how Bitcoin has managed to handle them.

I will also talk about scalability, which has always been my deepest concern.

The conference titled "Bitcoin, Mavepay and the future of cryptocurrencies" is scheduled for Thursday 14:20 local time, Buenos Aires, Argentina at Ekoparty. Obviously I will also talk about my own proposals (Mavepay).

Come to Buenos Aires!
Juliano Rizzo and Thai Duong will be talking about CRIME, a devastating vulnerability they found in SSL!


Best regards,
Sergio.