Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: jrmithdobbs on June 28, 2011, 02:55:41 AM

Title: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 02:55:41 AM
Step 1: Have USD available for spending on
Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5: ...(self explanatory)...

There's a bit of luck in being able to take advantage, obviously.

I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute:

Welcome <username removed> 0.00000000 ฿TC 424.44901
Buying  138468.901  0.01  Active  1384.69  06/26 15:27  cancel

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

At the very least this could be used to influence market conditions if it is only a display bug.
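
The five steps above, as an added example that is not from the original post or from Mt. Gox: a toy Python order book with the behaviour the post describes (a resting bid is funds-checked only when a sell tries to fill it, and is not revalidated or reserved against when the account's USD is withdrawn) beside the obvious fix (reserve the order's cost at placement, so the withdrawal in step 3 is refused). It also shows the side effect a later post in this thread points to: when a sell reaches the unfunded bid it is skipped, so the trade price jumps past the price the book displayed. Account names, prices and amounts are all constructed.

```python
"""Toy limit-order book reproducing the behaviour described in the post:
a resting bid is neither reserved against nor revalidated when the
account's USD is withdrawn, so it stays visible in the book and is only
funds-checked when a sell tries to fill it.

Added example, not Mt. Gox code; engine, accounts and amounts are all
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Order:
    owner: str
    price: float   # USD per BTC
    amount: float  # BTC


@dataclass
class Exchange:
    reserve_at_placement: bool  # False reproduces the bug, True is the fix
    usd: dict = field(default_factory=dict)       # spendable USD
    reserved: dict = field(default_factory=dict)  # USD locked by open bids
    btc: dict = field(default_factory=dict)
    bids: list = field(default_factory=list)      # resting buys, best first
    trades: list = field(default_factory=list)    # (price, amount, buyer)
    skipped: list = field(default_factory=list)   # bids dropped at fill time

    def deposit_usd(self, who, amt):
        self.usd[who] = self.usd.get(who, 0.0) + amt

    def place_bid(self, who, price, amount):
        cost = price * amount
        if cost > self.usd.get(who, 0.0):
            raise ValueError("insufficient USD to place order")
        if self.reserve_at_placement:
            # fix: the order's cost leaves the spendable balance immediately
            self.usd[who] -= cost
            self.reserved[who] = self.reserved.get(who, 0.0) + cost
        self.bids.append(Order(who, price, amount))
        self.bids.sort(key=lambda o: -o.price)

    def withdraw_usd(self, who, amt):
        # Only the fixed version has already subtracted open-order costs
        # from the spendable balance this check looks at.
        if amt > self.usd.get(who, 0.0):
            raise ValueError("insufficient free USD")
        self.usd[who] -= amt

    def best_bid(self):
        return self.bids[0].price if self.bids else None

    def market_sell(self, seller, amount):
        """Fill a sell against resting bids, best price first."""
        remaining = amount
        while remaining > 0 and self.bids:
            bid = self.bids[0]
            fill = min(remaining, bid.amount)
            cost = bid.price * fill
            if self.reserve_at_placement:
                self.reserved[bid.owner] -= cost
            elif self.usd.get(bid.owner, 0.0) < cost:
                # bug: funds checked only now; the unfunded bid is skipped,
                # so the trade price jumps past what the book displayed
                self.skipped.append(self.bids.pop(0))
                continue
            else:
                self.usd[bid.owner] -= cost
            self.usd[seller] = self.usd.get(seller, 0.0) + cost
            self.btc[bid.owner] = self.btc.get(bid.owner, 0.0) + fill
            self.trades.append((bid.price, fill, bid.owner))
            bid.amount -= fill
            remaining -= fill
            if bid.amount == 0:
                self.bids.pop(0)
        return remaining


def run_scenario(reserve_at_placement):
    """Steps 1-4 from the post, then a sell; returns what an observer sees."""
    ex = Exchange(reserve_at_placement)
    ex.deposit_usd("attacker", 1000.0)          # step 1 (constructed amount)
    ex.deposit_usd("honest", 10000.0)
    ex.place_bid("honest", 15.0, 100.0)         # a genuine resting bid
    ex.place_bid("attacker", 16.0, 62.5)        # step 2: 16 * 62.5 drains 1000
    try:
        ex.withdraw_usd("attacker", 1000.0)     # step 3
        withdrew = True
    except ValueError:
        withdrew = False
    displayed_best_bid = ex.best_bid()          # what the order book shows
    ex.market_sell("seller", 50.0)              # step 4: market comes down
    return {"withdrew": withdrew,
            "displayed_best_bid": displayed_best_bid,
            "trade_prices": [p for p, _, _ in ex.trades],
            "phantom_bids_skipped": len(ex.skipped)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))
    print("fixed:     ", run_scenario(True))
```

The design point is where the funds check lives: a check at fill time can only ever discover that a resting order is unfunded, while a reservation at placement (with withdrawals limited to the unreserved balance) makes the displayed book and the executable book the same thing.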


Title: Re: [Full Disclosure] Live trade matching bug.
Post by: MagicalTux on June 28, 2011, 03:05:34 AM
I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: BitcoinPorn on June 28, 2011, 03:09:05 AM
I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: bitbot on June 28, 2011, 03:10:13 AM
someone explain this

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: FooDSt4mP on June 28, 2011, 03:23:11 AM
someone explain this

The order isn't being removed on withdrawal.  Funds are being checked before it is executed.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: GeniuSxBoY on June 28, 2011, 03:31:58 AM
Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 03:33:22 AM
Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.


Funds are being checked before it is executed.

Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: vragnaroda on June 28, 2011, 03:39:30 AM
Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.


Funds are being checked before it is executed.

Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.

After making yourself look like such an ass, you should really reconsider that.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Herodes on June 28, 2011, 03:39:56 AM

You show nothing but hostility towards mtGox. The only motive I could think of is jealousy. If you think your technical expertise and knowledge are superior to MagicalTux's, then please go ahead and create the ultimate exchange. I believe you're already involved with ?

Seriously, acting like you do does nobody any good. Why waste your time talking shit and disclosing bugs when mtGox is actually working to fix it?

You'll be better off in the long run if you focus on the things you do, and do them well, instead of talking negatively about other people. I think this says more about you than it says about MT and mtGox.

I am sure you can mend your ways if you wanted to.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Klestin on June 28, 2011, 03:51:41 AM
Which means there's actually a race condition to be exploited as well. Admittedly hard to take advantage of but it exists.
Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
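
The check-then-act gap raised in the previous reply, and the lock Klestin says a well-designed engine would have, as an added illustration that is hypothetical code and not Mt. Gox's: a fill that reads the balance in one step and debits it in another can be interleaved with a withdrawal of the same funds, leaving the account negative. The threading events exist only to force that interleaving deterministically; the locked version attempts the same interleaving and the withdrawal is held off until the debit has completed.

```python
"""Check-then-act race between a balance check and the debit that follows
it, and the lock that closes it.

Added illustration, not Mt. Gox code: the account, the amounts and the
forced thread interleaving are constructed so the race fires on demand.
"""
import threading


class Account:
    def __init__(self, usd):
        self.usd = usd
        self.lock = threading.Lock()
        # events used only to force a specific interleaving for the demo
        self.checked = threading.Event()
        self.withdrawn = threading.Event()

    # --- racy version: check and debit are two separate steps ------------
    def fill_racy(self, cost):
        if self.usd < cost:                 # step 1: check
            return False
        self.checked.set()                  # adversary's withdrawal runs here
        self.withdrawn.wait(timeout=2.0)
        self.usd -= cost                    # step 2: act on a stale check
        return True

    def withdraw_racy(self, amt):
        self.checked.wait(timeout=2.0)
        if self.usd < amt:
            return False
        self.usd -= amt
        self.withdrawn.set()
        return True

    # --- fixed version: check and debit inside one critical section ------
    def fill_locked(self, cost):
        with self.lock:
            if self.usd < cost:
                return False
            self.checked.set()
            # the withdrawal is blocked on the lock, so this wait times out
            self.withdrawn.wait(timeout=0.2)
            self.usd -= cost
            return True

    def withdraw_locked(self, amt):
        self.checked.wait(timeout=2.0)
        with self.lock:
            if self.usd < amt:
                return False
            self.usd -= amt
            self.withdrawn.set()
            return True


def race(locked):
    """Fill a 100 USD order while the owner withdraws the same 100 USD."""
    acct = Account(100.0)
    fill = acct.fill_locked if locked else acct.fill_racy
    withdraw = acct.withdraw_locked if locked else acct.withdraw_racy
    results = {}
    t1 = threading.Thread(target=lambda: results.update(fill=fill(100.0)))
    t2 = threading.Thread(target=lambda: results.update(withdraw=withdraw(100.0)))
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    results["final_usd"] = acct.usd
    return results


if __name__ == "__main__":
    print("racy:  ", race(False))
    print("locked:", race(True))
```

In a real engine the critical section would be a database transaction with a row lock (or an atomic conditional update such as `UPDATE ... SET usd = usd - ? WHERE usd >= ?`) rather than an in-process lock, but the property being bought is the same: nothing may change the balance between the check and the debit.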

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 03:56:07 AM
After making yourself look like such an ass, you should really reconsider that.

By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.

Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.

Hate me all you want.

I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?

Additionally, at jgarzik's request I won't be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.

Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
You're right, that should say possibly, not actually.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Meatpile on June 28, 2011, 03:58:52 AM
Well, as shitty as security issues are... it's quite obvious that once it's public, action will be taken.

I think that is a better option than letting a few select people take advantage of it covertly for possibly weeks or months?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: wumpus on June 28, 2011, 04:04:41 AM
I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: DrYe5 on June 28, 2011, 04:07:38 AM
Close Gox trading.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 04:09:47 AM
I believe you're already involved with ?

I don't know why I'm taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

Full disclosure is the only real disclosure.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: vragnaroda on June 28, 2011, 04:11:27 AM
After making yourself look like such an ass, you should really reconsider that.

By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.

Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.

Hate me all you want.

I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?

Additionally, at jgarzik's request I won't be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.

Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
You're right, that should say possibly, not actually.

Um, maybe you missed something:

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: psyborgue on June 28, 2011, 04:13:24 AM
Yeah, but your "full disclosure" was based on the assumption that the trade would execute.  It wouldn't.  It's a bug, yes, but hardly a showstopper.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 04:24:28 AM
I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.

I could not confirm or deny that similar trades would execute without possibly committing fraud, so did not try. I explicitly stated this and the possibility that it was just a display bug. I posted (to f-d at least, here soon after) as soon as Tux started responding to me. The text was pre-prepared and not modified. Yes he did tell me that it would be fixed while we were talking.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: HappyFunnyFoo on June 28, 2011, 04:29:49 AM

What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.  You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.  I'd ban you from this forum if I was the administrator, and if you did this to a company in America you'd be arrested.  Technically you're aiding in securities / bank fraud.  If you were smart you'd delete this post or just delete your forum account.

:) have a nice day.  As much as MtGox has had problems, there's no need to add fuel to the already-large fire that bitcoin adopters are dense, immoral, psychotic libertarian-anarchists with no regard for common sense.

There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: wumpus on June 28, 2011, 04:34:42 AM
Because I firmly believe that this principle has shown time and time again to hold true:

Full disclosure is the only real disclosure.
I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox. I think that makes you a dick. MagicalTux is really taking all problems seriously, and has been working almost 24 hours per day last week to resolve issues while being bombarded with crap from all sides.

You could have given him a chance by just reporting it to his personal mail and bug tracker. What would you prefer if you had built a site yourself?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: trentzb on June 28, 2011, 04:35:42 AM

Did you notify MT about this issue prior to disclosure? Ahh, I just caught your reply.

I don't have a strong infosec background so please excuse my naivety, can I ask, do you typically notify targets of vulns prior to public release or do you do both simultaneously or ??

I don't intend to start a debate of the pros/cons, just trying to get some info for when you probe my service. :)

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: psyborgue on June 28, 2011, 04:37:01 AM

Please don't repeat the OP's false insinuation that he somehow found an exploit.  It's a display bug.  Nothing more, and drawing such public (false) light to it serves no purpose but to make Mt. Gox and Bitcoin look bad.  Something the OP was seeking, I'd wager.  Yes, there is a time for full disclosure, but it's only after private channels have failed to fix the issue.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 04:39:54 AM
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing?

You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder

Maybe YOU don't. Plenty of people do.

There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).

Not my problem. If you're so worried about this particular scenario maybe you should be lobbying the bitcoin vendors you use to open their systems or publicly disclose results of code/security audits, etc.

I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox.

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: wumpus on June 28, 2011, 04:46:18 AM
A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
Are you sure about that? I've followed it a bit, and from what I read the security issues were solved pretty fast. Sometimes even before people could report them.

The only thing that was AFAIK grossly mis-handled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

Anyway whatever the real story is, I don't agree that gives you a reason to nail him to the pillory for every little issue you find after this.

Oh noo! a misspelled word in the interface! ... full disclosure!

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: psyborgue on June 28, 2011, 04:51:16 AM
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing

Fool.  You see no further than the immediate.  LulzSec did nothing more than create an excuse for the authorities to try and clamp down on the Internet and/or Bitcoin (how they were seen to be funded).  For an added bonus, they mixed immigration and drug issues into their troll.  Now the average Joe will welcome the "protection" of our brand new, locked down, internet -- free from the dangers inherent to anonymity.  Technology may not exist now, or ever, but they, and the momentum they have created, will certainly create the demand.

Similarly, your actions reflect on bitcoin itself in the public eye, and you don't seem to care.  I wonder why.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: ruhvix on June 28, 2011, 04:56:55 AM
Thank you to Mr. jrmithdobbs for reporting the issue and to MagicalTux for responding to it so quickly (especially given all the other urgent MtGox stuff MagicalTux must be dealing with).

This confirms that MtGox is absolutely committed to an extremely high level of security. Bitcoin is fortunate to have experts like jrmithdobbs helping the community defend against threats to our financial safety.

Muchas gracias to you both!

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 04:58:49 AM
The only thing that was AFAIK grossly mis-handled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

He also ignored attempts to report the nasty CSRF, that came to light right before that all went down, for about a week. But, I digress.

I have no plans to "nail him to the wall" for every mistake. In fact, I will probably not be looking at mtgox at all after the next 72 hours.

And to clear things up, this is a little more than just a display bug. This is also the cause of the weirdness people have been reporting about it dropping from 17->15 etc without executing orders in-between.

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

It is a trade matching bug. Trades are not revalidated on withdrawal/deposit to the account. I never claimed it was an exploit. "Exploiting" in the original text is the normal english use of the word, not the info-sec use. So no, I will not change the title.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: DrYe5 on June 28, 2011, 05:15:05 AM
Thanks to OP for info. Mt. Gox should have already addressed the price spikes.

Also good to know this is the only bug.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: BitterTea on June 28, 2011, 05:26:18 AM
Also good to know this is the only bug.

How do you infer this from the available information?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: mizerydearia on June 28, 2011, 06:05:40 AM

You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.

I'm confused.

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer, also called zero-day vulnerabilities.

[You] never release 0-day exploits without notifying original coder?  Seems like 0-day, by definition means you always release 0-day exploits without notifying original coder, otherwise it is not a 0-day exploit.

Also good to know this is the only bug.

How do you infer this from the available information?

Maybe this?
At the very least this could be used to influence market conditions if it is only a display bug.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: mizerydearia on June 28, 2011, 06:10:09 AM
appended to previous post

Mods: Delete this obnoxious (due to size) and useless post

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: DrYe5 on June 28, 2011, 06:13:47 AM
Also good to know this is the only bug.

How do you infer this from the available information?

One cannot. It underlines the fact that more bugs are extremely likely.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: kloinko1n on June 28, 2011, 06:20:21 AM
I believe you're already involved with ?

I don't know why I'm taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

Full disclosure is the only real disclosure.
Did you fail to read the part about responsible disclosure?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: DrYe5 on June 28, 2011, 06:24:39 AM
I believe you're already involved with ?

I don't know why I'm taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

Full disclosure is the only real disclosure.
Did you fail to read the part about responsible disclosure?

Awww man... that disclosure got goxed.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: kloinko1n on June 28, 2011, 06:25:40 AM
A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
Ah! So there's your grief!

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: MeSarah on June 28, 2011, 06:49:28 AM
MT and MtGox have been given every opportunity to fix their system. Even after being told there were major exploits MT took his time to fix the exploits until the shit hit the fan. It is clear to me that MT is an egotistical programmer. He programs large blocks of code and does insufficient testing, leaving the community of users to suffer the consequences. MtGox no longer deserves the privilege of keeping bugs and security flaws private.

Every bug or security flaw found at MtGox should be disclosed publicly, cutting MT out of the loop. If MT didn't know about the flaw then it's his fault for not properly testing his system. It's time to leave MtGox for good. Let MtGox wither in their own mismanagement.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

If you continue to use a known flawed system then it's you who deserves what you get. If you drive a car that is always overheating and the motor burns up, well then you got what you deserved. You knew of the problem but you kept using the car.

Protect yourself and leave MtGox now!

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 07:08:03 AM
MT and MtGox have been given every opportunity to fix their system. Even after being told there were major exploits MT took his time to fix the exploits until the shit hit the fan. It is clear to me that MT is an egotistical programmer. He programs large blocks of code and does insufficient testing, leaving the community of users to suffer the consequences. MtGox no longer deserves the privilege of keeping bugs and security flaws private.

Every bug or security flaw found at MtGox should be disclosed publicly, cutting MT out of the loop. If MT didn't know about the flaw then it's his fault for not properly testing his system. It's time to leave MtGox for good. Let MtGox wither in their own mismanagement.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

If you continue to use a known flawed system then it's you who deserves what you get. If you drive a car that is always overheating and the motor burns up, well then you got what you deserved. You knew of the problem but you kept using the car.

Protect yourself and leave MtGox now!

My Gox what have done Bipolar internetz!
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it. O.O /hides

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: MeSarah on June 28, 2011, 07:30:46 AM
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it.

Could you be any more offensive? I guess that's just your social mores. We know where you stand on gender equality.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 07:37:38 AM
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it.

Could you be any more offensive? I guess that's just your social mores. We know where you stand on gender equality.

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints, is the key motivator for war.
You are authoritarian.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: MeSarah on June 28, 2011, 07:48:36 AM

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints, is the key motivator for war.
You are authoritarian.

Another non sequitur.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 08:42:19 AM

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints, is the key motivator for war.
You are authoritarian.

Another non sequitur.

In reference to your own or do you have comprehension issues?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: davout on June 28, 2011, 09:15:57 AM
Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.
Definitely no.

Doesn't mean you shouldn't give the code owner a couple of hours to fix it and advertise the deadline.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.
You can only be sure if the source is open :)

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 10:17:43 AM
Where are the full disclosure and exploits for this forum?

I'm assuming everyone is behind i2p, swarm and/or the onion router, reading this through lynx/links correct?

shouldn't everyone know what you trannys are up to?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: davout on June 28, 2011, 10:19:53 AM
I'm assuming everyone is behind i2p, swarm and/or the onion router, reading this through lynx/links correct?
There is a discrepancy between your imagination and reality.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: bitbot on June 28, 2011, 11:24:28 AM
MagicalTux is really taking all problems seriously, and has been working almost 24 hours per day last week to resolve issues while being bombarded with crap from all sides.

I can honestly say that man has not been working anywhere near 24 hours per week but the last part is true.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 01:06:04 PM
He programs large blocks of code and does insufficient testing leaving the community of users to suffer the consequences. MtGox nolonger deserves the privilege of keeping bugs and security flaws private.
He also has (by his own admission) written his own in-house MySQL DAO code instead of using a public, well-vetted one. He says it doesn't use bind values. He doesn't understand why this is bad:

(This is edited to leave irrelevant pieces out, please feel free to verify with anyone else logging #mtgox.)
[17:57:31] <MagicalTux> dehuman: we had been working on security, I can guarantee there is no SQLi right now
[17:57:45] <go1dfish> MagicalTux: how can you say so with confidence?
[17:57:51] <go1dfish> are you using parameterized queries?
[17:58:01] <go1dfish> everywhere
[17:58:07] <MagicalTux> go1dfish: because I know each and every line of the code, and we mostly use either DAO
[17:59:21] <MagicalTux> just make good code and things are fine
[17:59:49] <dehuman>  @MagicalTu : just make good code and things are fine
[17:59:58] <dehuman> thats kinda a slap in the face dont you think?
[18:00:08] <MagicalTux> dehuman: healthy code is important for a healthy security & business
[18:00:46] <MagicalTux> we've been busy for 2 months rewriting Mt.Gox
[18:00:49] <dehuman> you exposed 60,000 client's information
[18:01:02] <dehuman> i wouldn't talk about healthy code, healthy security, healthy business
[18:01:06] <dehuman> not yet
[18:01:08] <MagicalTux> dehuman: new code is healthy
[18:01:10] <dehuman> quite a bit premature for that
[18:01:30] <go1dfish> MagicalTux: looks like DAO doesn't protect against SQLi by default
[18:01:36] <go1dfish> you're using bound parameters everywhere?
[18:02:23] <MagicalTux> go1dfish: DAO makes SQLi impossible, since queries are not built by the dev
[18:02:36] <MagicalTux> go1dfish: now it just depends how you do that
[18:03:18] <go1dfish> good show, you shouldn't be writing sql by hand for mt gox
[18:03:42] <MagicalTux> go1dfish: \DB::DAO('Table')->insert(array('Field' => $value));
[18:04:36] <go1dfish> MagicalTux: cool, yeah that should be pretty resilient against injection assuming the underlying DAO implementation is sane
[18:05:02] <MagicalTux> go1dfish: the DAO implementation was written by us, and makes sure everything is escaped correctly, including table & field names
[18:05:15] <Ox41> you wrote your own DAO?
[18:05:20] <Ox41> why the hell would you want to do that?
[18:05:25] <dehuman> so does this mean previously mtgox didn't use any type of DAO pattern?
[18:05:27] <Ox41> I mean, im no EXPERT...
[18:05:34] <go1dfish> Ox41: I'm hoping thats a misunderstanding
[18:05:39] <dehuman> 'dont reinvent the wheel'
[18:05:41] <Ox41> go1dfish: I doubt it is
[18:05:47] <MagicalTux> Ox41: it's part of our framework

Just sayin'.

Did you fail to read the part about responsible disclosure?
They are two separate but related concepts. I subscribe to the former and deem the latter unnecessary in cases such as these where the company in question has a track record like mtgox.
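
On the DAO point in the log quoted above: what a reviewer would want to see is that row values reach the driver as bound parameters, while table and column names, which no driver lets you bind, are validated against the schema rather than "escaped". Below is an added Python/sqlite3 sketch of an insert in the same shape as the quoted `\DB::DAO('Table')->insert(array('Field' => $value))` call. It is not Mt. Gox's PHP framework and implies nothing about how that code actually behaves; the hostile strings it feeds itself are constructed.

```python
"""DAO-style insert: values are bound as parameters, identifiers are
allow-listed against the live schema.

Added example in Python/sqlite3, not Mt. Gox's framework; the hostile
inputs below are constructed to exercise both paths.
"""
import re
import sqlite3

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # belt-and-braces on names


class DAO:
    def __init__(self, conn, table):
        self.conn = conn
        # table names cannot be bound, so check against what actually exists
        tables = {r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        if table not in tables or not _IDENT.match(table):
            raise ValueError(f"unknown table {table!r}")
        self.table = table
        # same for columns: read the real schema once
        self.columns = {r[1] for r in conn.execute(
            f'PRAGMA table_info("{table}")')}

    def insert(self, row):
        bad = [c for c in row if c not in self.columns or not _IDENT.match(c)]
        if bad:
            raise ValueError(f"unknown column(s) {bad!r}")
        cols = ", ".join(f'"{c}"' for c in row)   # validated identifiers
        marks = ", ".join("?" for _ in row)        # one placeholder per value
        self.conn.execute(
            f'INSERT INTO "{self.table}" ({cols}) VALUES ({marks})',
            tuple(row.values()))                   # values never touch SQL text
        self.conn.commit()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (owner TEXT, price REAL, amount REAL)")
    dao = DAO(conn, "orders")

    # constructed hostile value: stored literally because it is bound
    hostile_value = "x'); DROP TABLE orders; --"
    dao.insert({"owner": hostile_value, "price": 16.0, "amount": 62.5})
    stored = conn.execute("SELECT owner FROM orders").fetchone()[0]

    # constructed hostile column name: rejected, not "escaped"
    try:
        dao.insert({'owner") VALUES ("x"); DROP TABLE orders; --': "y"})
        ident_rejected = False
    except ValueError:
        ident_rejected = True

    # constructed hostile table name: rejected at construction
    try:
        DAO(conn, 'orders"; DROP TABLE orders; --')
        table_rejected = False
    except ValueError:
        table_rejected = True

    table_still_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name='orders'"
    ).fetchone()[0] == 1
    return {"stored": stored, "ident_rejected": ident_rejected,
            "table_rejected": table_rejected,
            "table_still_exists": table_still_exists}


if __name__ == "__main__":
    print(demo())
```

The distinction matters for the claim in the log that the DAO "makes sure everything is escaped correctly, including table & field names": escaping is the right tool for neither case. Values should be bound, and identifiers should be rejected unless they match the schema, because no amount of quoting turns an attacker-chosen column name into a safe one.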

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: psyborgue on June 28, 2011, 04:08:27 PM
Well.  I hope OP is happy he got what he wanted:

They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: ius on June 28, 2011, 04:20:13 PM
They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

You can't blame him for 'journalists' writing about matter they have little to no knowledge about.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Dirt Rider on June 28, 2011, 04:22:34 PM
CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

I was there the other day - allows logins via http!

p.s.  This OP was very much a dick move.  Either a fool or someone intent on causing as much trouble for the Bitcoin community would create such a post without at least giving the site operator a little time to address the issue.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: psyborgue on June 28, 2011, 04:24:16 PM
They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

You can't blame him for 'journalists' writing about matter they have little to no knowledge about.

Oh I very much CAN blame him, as he started the false implication.  The journalist was merely repeating (accurately) what he read in the OP.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: julz on June 28, 2011, 04:27:27 PM
I don't even understand why it's a bug. (unless it affects the current price calculations)

I've put in buy orders without the USD to cover it - based on the assumption that the buy would only occur if my sell orders had executed to provide the funds.
It's a feature!
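The disagreement in this thread (is an order that rests in the book without the USD to back it a bug or a feature?) comes down to when the exchange checks the balance: at placement and execution only, or by reserving the funds at placement so a later withdrawal cannot drain them. The toy ledger below is an added illustration written for this page, not code from MtGox or any other exchange; the account names, prices and amounts are constructed. It runs the sequence from the original post (deposit, place a buy below market, withdraw everything, wait for the market to fall) against both designs and reports what other traders would see in the book and whether anything executes.

```python
"""Toy USD/BTC ledger contrasting two ways to fund a resting limit order.

Constructed illustration, not code from MtGox or any real exchange. The
account names, prices and amounts below are invented.
"""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    account: str
    price: float   # USD per BTC
    amount: float  # BTC still open

    @property
    def cost(self) -> float:
        return self.price * self.amount


class Exchange:
    """reserve_on_place=False: the order's cost is checked at placement and
    again only when a match executes, so a withdrawal in between leaves an
    unfunded order resting in the book.
    reserve_on_place=True: the cost is locked when the order is placed and a
    withdrawal may only touch the unreserved balance."""

    def __init__(self, reserve_on_place: bool):
        self.reserve_on_place = reserve_on_place
        self.usd = {}        # account -> total USD
        self.reserved = {}   # account -> USD locked under open buys
        self.btc = {}        # account -> BTC
        self.book = {}       # order_id -> resting buy Order
        self.events = []     # audit trail of orders dropped at match time
        self._next_id = 1

    def deposit_usd(self, acct: str, amount: float) -> None:
        self.usd[acct] = self.usd.get(acct, 0.0) + amount
        self.reserved.setdefault(acct, 0.0)
        self.btc.setdefault(acct, 0.0)

    def available_usd(self, acct: str) -> float:
        return self.usd[acct] - self.reserved[acct]

    def place_buy(self, acct: str, price: float, amount: float) -> int:
        order = Order(self._next_id, acct, price, amount)
        if order.cost > self.available_usd(acct):
            raise ValueError("insufficient USD to place order")
        if self.reserve_on_place:
            self.reserved[acct] += order.cost   # money can no longer leave
        self.book[order.order_id] = order
        self._next_id += 1
        return order.order_id

    def withdraw_usd(self, acct: str, amount: float) -> None:
        # In the buggy variant reserved is always 0, so the full balance
        # behind a resting order is withdrawable.
        if amount > self.available_usd(acct):
            raise ValueError("withdrawal exceeds available USD")
        self.usd[acct] -= amount

    def unfunded_orders(self) -> list:
        """Resting buys whose cost exceeds the owner's balance: they still
        appear in the order book and depth display but can never fill."""
        return [o for o in self.book.values() if o.cost > self.usd[o.account] + 1e-9]

    def match_sell(self, seller: str, price: float, amount: float) -> float:
        """Incoming sell hits resting buys at or above `price`, best price
        first. Returns the BTC volume that actually traded."""
        self.usd.setdefault(seller, 0.0)
        self.btc.setdefault(seller, 0.0)
        filled = 0.0
        for order in sorted(self.book.values(), key=lambda o: -o.price):
            if amount <= 0 or order.price < price:
                break
            qty = min(order.amount, amount)
            cost = qty * order.price
            if self.usd[order.account] < cost:
                # Late check: the order outlived the withdrawal and is only
                # now found to be unfunded; drop it rather than execute.
                self.events.append(f"order {order.order_id} unfunded, cancelled")
                del self.book[order.order_id]
                continue
            self.usd[order.account] -= cost
            if self.reserve_on_place:
                self.reserved[order.account] -= cost
            self.usd[seller] += cost
            self.btc[order.account] += qty
            self.btc[seller] -= qty
            order.amount -= qty
            amount -= qty
            filled += qty
            if order.amount <= 0:
                del self.book[order.order_id]
        return filled


def run_scenario(reserve_on_place: bool) -> dict:
    """Alice places a buy below market, withdraws everything, then the
    market falls to her price. Constructed numbers."""
    ex = Exchange(reserve_on_place)
    ex.deposit_usd("alice", 1000.0)
    ex.place_buy("alice", price=10.0, amount=100.0)   # 1000 USD, below market
    try:
        ex.withdraw_usd("alice", 1000.0)
        withdrew = True
    except ValueError:
        withdrew = False
    phantoms = len(ex.unfunded_orders())              # what the book shows
    filled = ex.match_sell("bob", price=10.0, amount=100.0)
    return {"withdrew": withdrew, "phantom_orders": phantoms,
            "btc_filled": filled, "alice_btc": ex.btc["alice"],
            "events": list(ex.events)}


if __name__ == "__main__":
    print("check at execution:", run_scenario(reserve_on_place=False))
    print("reserve at placement:", run_scenario(reserve_on_place=True))
```

With the late check, the withdrawal succeeds and the 1000 USD bid sits in the book as a phantom until a sell reaches it, at which point it is cancelled rather than filled; nobody gets free bitcoins, but anyone looking at the depth chart was shown a bid that could never trade. With reservation at placement, the withdrawal is refused and the order fills normally when the market falls. Which of the two behaviours an exchange wants is a design decision; leaving unfunded orders visible to other traders is the part that matters for market integrity.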

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Shinobi on June 28, 2011, 04:53:12 PM
How are you blaming the OP? The OP is trying to make trading safer and more accurate. MT has shown that he doesn't do anything unless his hand is forced.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 04:58:35 PM
They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

Read the comments on that article. I posted a gpg signed comment (that got mangled by their crappy site) calling the author out for irresponsible journalism. Before you even posted this. He made no attempt to contact me and only a cursory attempt to contact tux so that he could add a derisive comment in his "article."

Crappy journalist is crappy. Surprise, surprise.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Dirt Rider on June 28, 2011, 05:19:52 PM
If the original poster can't adjust the original post such that it stops implying there is some exploit, an admin should remove the post all together. 

Are we really sure this isn't a feature?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: andes on June 28, 2011, 05:41:58 PM
Although I don't share the timing of the OP disclosure, I would rather encourage total (and sometimes brutal) honesty in our community, rather than half truths and compromises.

Our world is a mess right now because of too many double standards, compromises, and falsehoods (environmentally, socially, politically), not because of too much honesty.

Once you start to compromise on truth and openness, you will never know exactly where to draw the line between what is a right compromise and what is a wrong one. The OP may not know how to compromise on honesty, but I would rather have people like him in our community than not have them. They are the fresh air of openness our society needs.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: bitsnbytes on June 28, 2011, 05:58:17 PM
I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

Yes, it is all our fault:

Today 16:51 GMT on #mtgox
<molecular> anyone know what that weird spike around 18:00 is? looks erroneous to me, no? it went up to 17.52 apparently, but my order at 17.25 did not get filled.
<MagicalTux> molecular: it's the closing of a bug, some orders were blocked and are now freed

It is because we let such people have our money!

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Dirt Rider on June 28, 2011, 06:02:16 PM
I don't think anyone is suggesting anything but truth and honesty and disclosure, but when someone doesn't even give the site admin a chance to correct a potential problem (good thing this wasn't actually a serious exploit), they are just being irresponsible towards the users of the site in question and the community as a whole.  I for one hope that when/if someone does discover some potentially damaging exploit that they won't put us all at risk by instantly sharing it with everyone, including those who will jump at an opportunity to take advantage, at least until site admin has had an opportunity to take action.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: jrmithdobbs on June 28, 2011, 06:16:13 PM
I for one hope that when/if someone does discover some potentially damaging exploit that they won't put us all at risk by instantly sharing it with everyone, including those who will jump at an opportunity to take advantage, at least until site admin has had an opportunity to take action.
If you're so worried feel free to stop using the services provided by companies with horrible security records or, as previously stated, petition said service providers to open their code and/or make public the results of 3rd party code/security audits.

To everyone sending me hate-filled PMs:

I don't care. See the above.


It is not my responsibility to enforce responsible journalism. If the blog du jour is posting ill-informed "articles" about your pet bitcoin project, petition them to hold themselves to a higher standard of journalism.

I thought this forum was full of lolbertarians who believe in "absolutely free market capitalism?" Vote with your feet and your wallet.

Oh wait, I get it, your idealistic "free market" concepts only apply when they work in your favor. Brilliant!

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: BTC Economist on June 28, 2011, 06:22:43 PM
I applaud the OP.  The idiots who still trust in Mt Gox deserve to get defrauded in every way possible.  I'd recommend informing hacker forums every time you find an exploit in that shithole of a business.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Dirt Rider on June 28, 2011, 06:25:02 PM
If you're so worried feel free to stop using the services provided by companies with horrible security records or, as previously stated, petition said service providers to open their code and/or make public the results of 3rd party code/security audits.

So what alternative services would you recommend, that are guaranteed to be perfect?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: TraderTimm on June 28, 2011, 06:40:27 PM
Someone's 15 minutes of 'fame' are over, but like a bad houseguest, he just doesn't get the hint he should head home.

Maybe this will help:

"Okay, you are super-smart, good job propeller-head. Now go away."

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Shinobi on June 28, 2011, 07:09:06 PM
Everyone here who is mad because something less-than-perfect was disclosed and may threaten their investment is an absolute FOOL and is behaving in the same way as the investment bankers who tried to cover up the imperfections in the real market. Yet many of you are the same anti-establishment zealots who wear your militia jackets and talk about the underhanded skulduggery of the Federal Reserve and the powers-that-be. Look at yourselves.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 07:15:57 PM
I'm assuming everyone is behind i2p, swarm and/or the onion router, reading this through lynx/links correct?
There is discrepancy between your imagination and reality.

You imply this forum is secure?

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 07:22:22 PM
Everyone here who is mad because something less-than-perfect was disclosed and may threaten their investment is an absolute FOOL and are behaving in the same way as the investment bankers who tried to cover up the imperfections in the real market. Yet many of you are the same anti-establishment zealots who wear your militia jackets and talk about the underhanded skulduggery of the Federal Reserve and the powers-that-be. Look at yourselves.

I've seen things get fractured like this before in other like-minded anarchist underground communities; it creates an us-versus-them mentality against its very own, which essentially destroys the entire community, partitioning it into very small stagnant circle jerks.
You might think you are doing a favor to justice, but really it's just reaping what you sow.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: KMBTC11 on June 28, 2011, 09:01:35 PM
I've finally had enough of MtGox.  Orders not executing, security issues, poor communication, bugs and God knows what else have eroded my trust.  Until they get their act together and fix these lingering problems I'm moving out of their exchange. 

MT, if you're reading this, best of luck.  I'm taking my ball and going home. 

(read I took the small amount of cash and BTCs in my MtGox account and moved them to other exchange accounts I use)

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Shinobi on June 28, 2011, 09:29:24 PM
I've seen things get fractured like this before in other like-minded anarchist underground communities; it creates an us-versus-them mentality against its very own, which essentially destroys the entire community, partitioning it into very small stagnant circle jerks.

I'm not surprised, as this is the logical conclusion of anarchist philosophy.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: bolapara on June 28, 2011, 09:35:53 PM
Guys, the hate isn't necessary.  Full Disclosure vs. other methods is a (computer) age old debate that is like arguing Right Wing politics vs. Left Wing.  No one is right, no one is wrong.  They are opinions on how to handle these situations.  If MtGox wants people to minimize impact of disclosed security vulnerabilities, they need to fix them promptly.  I assume they are doing so.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: BitterTea on June 28, 2011, 09:50:15 PM
I've seen things get fractured like this before in other like-minded anarchist underground communities; it creates an us-versus-them mentality against its very own, which essentially destroys the entire community, partitioning it into very small stagnant circle jerks.

I'm not surprised, as this is the logical conclusion of anarchist philosophy.

I really doubt either of you have the slightest clue what "anarchist philosophy" actually is.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Shinobi on June 28, 2011, 09:52:59 PM
I really doubt either of you have the slightest clue what "anarchist philosophy" actually is.

Only to the extent that self-professed anarchists don't. It's always such an elusive thing, as every time something about it is mentioned, someone will conveniently float in to say that this or that "isn't true anarchist thought".

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: dazedtrader on June 28, 2011, 09:53:54 PM
Guys, the hate isn't necessary.  Full Disclosure vs. other methods is a (computer) age old debate that is like arguing Right Wing politics vs. Left Wing.  No one is right, no one is wrong.  They are opinions on how to handle these situations.  If MtGox wants people to minimize impact of disclosed security vulnerabilities, they need to fix them promptly.  I assume they are doing so.
Absolutely. And what people don't seem to realize is that Full Disclosure is infinitely better than No Disclosure, which was another option open to the OP.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Tasty Champa on June 28, 2011, 10:40:33 PM

thread went from this:

to this:

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Nescio on June 28, 2011, 11:57:15 PM
Well.  I hope OP is happy he got what he wanted:

This isn't any kind of serious journalism, it's some dyslexic hit piece ("psuedo-currency", also check out the article heading beneath: "Court scambles to accommdate Ryan Cleary" - no one even proofreads this stuff).

BTW, respect to OP's convictions.

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: CurbsideProphet on June 29, 2011, 12:15:42 AM
Dear MtGox:

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: akcom on June 29, 2011, 12:19:11 AM
I really appreciate people bringing this out in the open.  I'd rather know how insecure my trading platform is so I can make an informed decision to take my business somewhere else.

Thanks to the OP for keeping us in the loop!

Title: Re: [Full Disclosure] Live trade matching bug.
Post by: Dirt Rider on June 29, 2011, 03:33:17 AM
I really appreciate people bringing this out in the open.  I'd rather know how insecure my trading platform is so I can make an informed decision to take my business somewhere else.

Thanks to the OP for keeping us in the loop!

You do realize that there really was no problem to begin with, right?  This is complete BS and should simply be ignored.