Title: [Full Disclosure] ClearCoin CSRFs Post by: jrmithdobbs on June 19, 2011, 10:26:45 PM Code: From: Doug Huff <dhuff@jrbobdobbs.org> http://sourceforge.net/mailarchive/forum.php?thread_name=2B2201C1-E59F-47D4-BF67-08FDB0DDE386%40jrbobdobbs.org&forum_name=bitcoin-development Sorry Gavin. (Gavin has already pulled clearcoin offline to address the issue.) Edit: Adding f-d link for posterity. http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081574.html Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: Durr on June 19, 2011, 10:33:25 PM Who trusts Gavin anyway?
Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: Gavin Andresen on June 19, 2011, 10:36:13 PM Yes, don't trust me, please. I am human and will make mistakes.
The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack. Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: Andrew Vorobyov on June 19, 2011, 10:40:52 PM You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++ :)
Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: jrmithdobbs on June 19, 2011, 10:43:15 PM Yes, don't trust me, please. I am human and will make mistakes. The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack. Thank you for your timely response and correction of the issue. Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: done on June 20, 2011, 12:05:34 AM Great job guys
Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: gigitrix on June 20, 2011, 12:55:25 AM You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++ :) Hahah, never has a truer word been spoken! Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: Batouzo on June 20, 2011, 12:56:32 AM Who trusts Gavin anyway? Well... the FBI? (conference) ;) Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: unk on June 20, 2011, 01:03:32 AM this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.
this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago. Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: NghtRppr on June 20, 2011, 01:16:32 AM this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians. this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from a more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago. I take offense to lumping all of us libertarians together as if we are the problem. Please look over my post history and you will see that I simply don't engage in personal attacks or abusive behavior in general, even when viciously insulted. The people that are decrying anything that could devalue BTC are the people that are just into Bitcoin to make a few quick bucks. I'm in it for the long haul because I value economic freedom as a libertarian. I'd rather see the currency stabilize than make money. I have a source of income. I don't need to speculate. I also welcome disclosure of vulnerabilities because it puts pressure on administrators to fix the problem as well as notifies the community that they should think twice about trusting the keys to the kingdom without considering risk. Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency. Title: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 02:09:52 AM this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians. this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago. I, too, Blame Ayn Rand for all evil in the world and especially on this forum. /s That's actually more lulzy than petulant. I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever. And not using the same l/p. And due diligence. Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: TriumVir on June 20, 2011, 02:22:07 AM Amateur hour all the way around.
Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: unk on June 20, 2011, 02:36:43 AM I, too, Blame Ayn Rand for all evil in the world and especially on this forum. 'for some ridiculous and extreme attitudes among teenagers' is not the same thing as 'all the evil in the world'. but bitcoin2cash is right. i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'. Quote I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever. these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 04:04:09 AM i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'. Many teens have yet not learned to tolerate the ignorant hypocrisy of those whose knee jerk objections to bitcoin not only are specifically addressed by the design, but obviously apply to the fiat money created by the State. That's a good thing. I like people who stand up and vigorously defend their values and beliefs. If you, or the other guy who left, can't look past their enthusiasm, vehemence, and zeal that's your problem. Even a reasonable adult might get sick having to repeatedly point out that federal reserve notes are way more of a fake Ponzi rip-off scam than any form of cryptocash. Quote http://www.seo.com/wp-content/uploads/2010/08/gijoe1.jpg these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves. Nice try, gotcha guy. But it turns out that the supposed MtGox "hack" was an inside job. It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: unk on June 20, 2011, 04:07:18 AM Nice try, gotcha guy. But it turns out that the supposed MtGox "hack" was an inside job. It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring. mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.) Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 04:54:36 AM Nice try, gotcha guy. But it turns out that the supposed MtGox "hack" was an inside job. It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring. mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.) Nobody is debating whether the XSRF vulnerability existed any longer, as it was demonstrated on Friday night. It's been fixed and had nothing to do with the break-in, which was the fault of MtGox's finance auditor AND NOT THE RESULT OF XSRF, SQL, TROJANS, TEMPEST, OR WHATEVER YOUR BUDDY WAS MOANING ABOUT. Now the issue is that so many were so quick to point fingers immediately following the MtGox breach, without bothering to confirm or verify anything with the principals involved. You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview. There are/were a lot of expert opinions, ie, wild guesses being thrown around. Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery. You may rest assured that I understand the difference between a XSRF and SQL injection. I get paid to make damn sure such things keep running smoothly. I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: unk on June 20, 2011, 05:00:04 AM You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview. There are/were a lot of expert opinions, ie, wild guesses being thrown around. i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken. Quote Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery. You may rest assured that I understand the difference between a XSRF and SQL injection. I get paid to make damn sure such things keep running smoothly. I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself. this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 05:11:59 AM You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview. There are/were a lot of expert opinions, ie, wild guesses being thrown around. i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken. Quote Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery. You may rest assured that I understand the difference between a XSRF and SQL injection. I get paid to make damn sure such things keep running smoothly. I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself. this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward. It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG. Your petulant lack of humor is far more childish than my poking fun at the idea of technobabble as a compelling explanation for the MtGox situation. Your humorless, grumpy inference regarding my technical understanding of the concepts at hand was not reasonable, especially given my previous posts and demonstrated hash rate. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: unk on June 20, 2011, 05:21:23 AM It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG. and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems. i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: jrmithdobbs on June 20, 2011, 05:42:16 AM It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG. That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts.Considering their recent track record of responding to (more like: not responding to) privately disclosed security issues. (It took *a week* for tux to respond to someone trying to report those csrfs. He only responded once it was made public. It was not confirmed friday. It was confirmed much earlier in the week.) The SQL injection issues that were fixed in the last few days on mtgox with no announcement or disclosure. Etc. Tux's behaviour is what prompted me to disclose this the way I did. I think going forward that all bitcoin-related security issues should get the full disclosure treatment to discourage another mtgox. (Really am sorry Gavin. I know you would have responded appropriately had this been privately disclosed.) Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 06:51:22 AM It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG. That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts.This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight: The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 07:08:14 AM It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG. and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems. i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please. The vulnerability at ClearCoin is ancient history, as announced upthread. Despite this, you had to vent, with self-admitted petulance, in a rambling attack on rude libertarians and how kids today won't listen when you warn them to stay off your lawn and fix obsure web bugs. For this, you were put in your place (not by me) and you responded by retreating into generalities about how "any criticism of the bitcoin protocol must be motivated by a brainwashing." THIS IS WHERE THE CONVERSATION, AT YOUR BEHEST, STOPPED BEING SPECIFICALLY ABOUT CLEARCOIN AND THE TOPIC CHANGES TO A LESS LIMITED FOCUS ON HOW: Quote http://www.seo.com/wp-content/uploads/2010/08/gijoe1.jpg these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves. No problems ever manifested themselves at ClearCoin, and the problem that did manifest at MtGox was not the result of an SQL or XSRF attack. Do try and keep up! Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: hugolp on June 20, 2011, 07:20:02 AM This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight: The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector. MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof. Title: lex parsimoniae Post by: iCEBREAKER on June 20, 2011, 07:31:35 AM This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight: The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector. MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof. The staff at MtGox is a primary source. As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth. Unless you have some evidence that would damage their credibility, of course. Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses. The simplest explanation is the best. And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits. Time will tell. Time, and a couple boatloads of lawyers. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: unk on June 20, 2011, 08:02:29 AM For this, you were put in your place (not by me) and you responded by retreating into generalities are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me? the problems with cross-site request forgeries clearcoin and other websites weren't 'ancient history'. they were reported this week and brought the sites down for maintenance, all the while exposing potentially significant systems vulnerabilities that could have easily been addressed months ago if people had listened. whether or not significant damage in fact resulted isn't for me to say, as i don't run any of these sites. i was pointing out a complacency that is all too common in the bitcoin community. if you intend to critique what i'm saying, please read the conversation and what i in fact said. you seem to have misunderstood the flow of the conversation and my intent in it, and that is not a problem i usually have except when people don't pay close enough attention and assume i'm saying things that i'm not. if you don't like that i criticised the strident teenage libertarians who are so prominent in these forums, you could have responded to that, rather than attributing positions to me that aren't mine. this is very tiresome, though, so i'm done in this thread. for the record, however, others should not believe what you say about my own positions, as you've either childishly or negligently mischaracterised me every step of the way. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: iCEBREAKER on June 20, 2011, 08:17:39 AM For this, you were put in your place (not by me) and you responded by retreating into generalities are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me? Nope. I triple-checked and bitcoin2cash is definitely talking to you, about your problematic slurs against libertarians, here: this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians. this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from a more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago. I take offense to lumping all of us libertarians together as if we are the problem. ... Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency. Oh no, not a DISTINCT recollection! Zomg, that's the worst kind of recollection of all!!1! You *did* apologize in advance and libertarians can be prickly too, so.... Let's just be friends! :-* Title: Re: lex parsimoniae Post by: mouse on June 20, 2011, 08:18:30 AM The staff at MtGox is a primary source. As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth. Unless you have some evidence that would damage their credibility, of course. Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses. The simplest explanation is the best. And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits. I would have to say that the CSRF issue was enough evidence to to question their (security) credibility. Further, the have a clear conflict of interest in reporting the events, since they have a lot to lose. I'm not saying that they are actually lying, they're probably not, but to assume that they MUST be telling the truth, or that they are to be the most trusted source of it, is clearly silly. Human nature my friend. Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: Bind on June 20, 2011, 09:06:03 AM Public Disclosure of Vulnerabilities are important.
The positives by far outweigh the negatives, because all negatives are self-serving for the programmers and companies behind any product or service (eg- liability). The positives are:
which all the above by far outweigh the only negative, which:
The latter of which is why most do not want public disclosures, as exemplified by Gavins response to this public disclosure posted over at sourceforge: (https://sourceforge.net/mailarchive/message.php?msg_id=27675246), "Some of us take private disclosures of vulnerabilities very seriously". Sorry, but public disclosures and the rammifications of problems you created with your products and services are the cost of doing business, and you should be liable since you created it in the first place and placed it out there in the market as a solution to a consumers needs. Eat it up, do it right the first time, do better research and product/service testing before releasing it, or get out of the business. nothing personal. Title: Re: Tested by fire: adversity makes bitcoin stronger. Post by: NghtRppr on June 20, 2011, 01:05:59 PM as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems If I remember correctly, the user in question didn't point out anything specifically. He just said a bunch of websites were exploitable. He didn't give any details of how to exploit them and he was treated with an understandable level of skepticism. The fact that some ClearCoin vulnerability was recently disclosed still doesn't vindicate him since he could have been full of it and this is just a coincidence. It's his fault for not disclosing some kind of evidence. Talk is cheap. Anyone can say that a website is exploitable. It's a different matter to actually prove it. So, all your finger wagging isn't actually warranted. Title: Re: [Full Disclosure] ClearCoin CSRFs Post by: n0m4d on June 20, 2011, 02:57:44 PM Speaking as and for all Libertarians, I would just like to say that recently we have started wearing deodorant around non-Libertarians, and that any you've met that haven't - please have them check their email.
|