Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: the founder on August 03, 2011, 01:49:44 PM



Title: Bug Policy --- Admins need to enforce this
Post by: the founder on August 03, 2011, 01:49:44 PM
Guys...  I know people are trying to be helpful (and they are) but if there is a bug discovered that even has a remote chance of being a potential security threat,  you can't have the error publicly displayed on the forum.  

One user was attempting to be helpful (which he was), but he posted the entire error message he found on the public forum rather than in a PM.. this, though not malicious in nature, could be used by people less than honest...

Please make this post a sticky..  and this doesn't apply to just flexcoin,  I'm sure Tradehill,  Mt.Gox and everyone else wouldn't want any bugs posted publicly on a forum before they are given the chance to fix it.  



 


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 01:55:34 PM
that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat, i do it.
you should only be glad that I'm not trying to use it.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: the founder on August 03, 2011, 02:00:50 PM
Quote
that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat, i do it.
you should only be glad that I'm not trying to use it.

I believe that is irresponsible to the highest level.    Posting a bug like that isn't helpful to anyone...  look, I follow the Ubuntu policy on bug requests...  send it privately to the developers..  give them a chance to fix it.. then publish what went wrong...

You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system...  then claim "i was doing the right thing" ...  that's not the right thing... that's akin to me publishing your banking username and password...  then saying "I was doing the right thing"  instead of telling you "your username and password are compromised" ..

i believe in full disclosure as well... just give the guy a chance to fix it before you announce it...  I'm asking for a few hours... not a few days or weeks... 



Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 02:06:41 PM
Quote
that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat, i do it.
you should only be glad that I'm not trying to use it.

Quote
I believe that is irresponsible to the highest level.    Posting a bug like that isn't helpful to anyone...  look, I follow the Ubuntu policy on bug requests...  send it privately to the developers..  give them a chance to fix it.. then publish what went wrong...

You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system...  then claim "i was doing the right thing" ...  that's not the right thing... that's akin to me publishing your banking username and password...  then saying "I was doing the right thing"  instead of telling you "your username and password are compromised" ..

i believe in full disclosure as well... just give the guy a chance to fix it before you announce it...  I'm asking for a few hours... not a few days or weeks... 
you should be happy that im not trying to exploit it on my own. you should just be glad that i release it on the forum, instead of selling it to the highest bidder.

just publish my banking username and password, feel free to do so.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: the founder on August 03, 2011, 02:14:11 PM
kokjo ,

1 - I wouldn't do that with your banking crap because I don't have your banking crap to do it with..  and because that violates every ethical code I have believed in..  but alas it's just my belief .. you do as you want.

2 - we'll agree to disagree...   





Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 02:26:21 PM
Quote
1 - I wouldn't do that with your banking crap because I don't have your banking crap to do it with..  and because that violates every ethical code I have believed in..  but alas it's just my belief .. you do as you want.
thank you! now stop trying to enforce some bug policy, it only pisses me off and makes me want to exploit the bugs i may find.

Quote
2 - we'll agree to disagree...
agree!

(end of discussion?)


Title: Re: Bug Policy --- Admins need to enforce this
Post by: the founder on August 03, 2011, 02:30:31 PM
We're fine...   then as a personal favour.. if you find something specifically related to my service...  I humbly request that you tell me first and give me a chance...     again as a personal request and not forced.



Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 02:32:57 PM
Quote
We're fine...   then as a personal favour.. if you find something specifically related to my service...  I humbly request that you tell me first and give me a chance...     again as a personal request and not forced.
then i may do it, will not promise anything. :)


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 02:34:14 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Seraphim401 on August 03, 2011, 02:35:44 PM
I have to side with the OP on this.
I think BTC businesses should also offer rewards like Google for any bug found.
This should stop people from going: Ooh look at me, I found a bug, I'm like all cool and stuff...


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 02:37:30 PM
Quote
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
maybe you should just lock your door.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 02:39:48 PM
Quote
maybe you should just lock your door.
Yes, of course. But everyone makes mistakes once in a while, and this is especially true when it comes to software.

Who benefits from you informing everyone in town about my unlocked door, aside from burglars?


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 02:43:56 PM
Actually "the founder (FlexCoin)" has the right definition of ethical full disclosure. Releasing any bug before submitting it to his developers is in fact not full disclosure but the way that crackers work, not hackers.

The only two reasons that hackers should go full disclosure are if a developer doesn't worry much about it and gets lazy, not patching it after a reasonable time frame, or if the developers try to silently patch it without advising their customers by public advisories.

That's how ethical vulnerability researchers work and always will. That's why full disclosure was made after all: to help users who are not aware of security bugs to stop using the software before a patch is made, once a vulnerability has been discovered.

I also of course don't like the fact that "the founder (FlexCoin)" has to "force" his idea, but I understand that this should be taken with care.



Title: Re: Bug Policy --- Admins need to enforce this
Post by: casascius on August 03, 2011, 02:47:56 PM
Quote
that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat, i do it.
you should only be glad that I'm not trying to use it.

Sorry, I strongly disagree with you as well.  It's irresponsible to make public "full disclosure" without giving the responsible party an opportunity to rectify it.  Only after they have slacked and failed to act is "full disclosure" the responsible thing to do.

The whole "tough guy" attitude is the same one you see in the poorest crime-infested neighborhoods (e.g. "that guy didn't lock his door so he deserves to have his stuff stolen").  It's non-constructive to a civil society and results in collective harm to everyone.  Bad karma too, if you believe in that.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 02:48:49 PM
Quote
Actually "the founder (FlexCoin)" has the right definition of ethical full disclosure. Releasing any bug before submitting it to his developers is in fact not full disclosure but the way that crackers work, not hackers.

The only two reasons that hackers should go full disclosure are if a developer doesn't worry much about it and gets lazy, not patching it after a reasonable time frame, or if the developers try to silently patch it without advising their customers by public advisories.

That's how ethical vulnerability researchers work and always will. That's why full disclosure was made after all: to help users who are not aware of security bugs to stop using the software before a patch is made, once a vulnerability has been discovered.

I also of course don't like the fact that "the founder (FlexCoin)" has to "force" his idea, but I understand that this should be taken with care.


what if you want to inform other people that are using the service to just get the hell out of there, it's insecure?

http://en.wikipedia.org/wiki/Full_disclosure:
Quote
Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it.

see? wikipedia disagrees with you.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 02:48:55 PM
Quote
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."

Hmm, not applying here; in fact just a bad argument regarding full disclosure, because it was made to protect users (not the developers). In this case the dev is the guy not locking his door, and the users none. Maybe saying he didn't lock the door to his wife after the second time you catch him will make his wife mad and want to do something so that it won't happen again.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 02:55:23 PM
Quote
Hmm, not applying here; in fact just a bad argument regarding full disclosure, because it was made to protect users (not the developers). In this case the dev is the guy not locking his door, and the users none. Maybe saying he didn't lock the door to his wife after the second time you catch him will make his wife mad and want to do something so that it won't happen again.
I was just portraying his general attitude. But for a more extensive example:

Let's say I'm responsible for the money of a few of my friends. I keep the money stored in my house, in a safe. I always make sure to lock the door when I leave home, to protect my own property and the property of others that I am responsible for. However, one day when I leave home, I do remember to lock the door, but the lock somehow breaks without me noticing it. Someone else (like kokjo) notices the unlocked door, and tells everyone in town about this "security flaw", to protect the friends whose money I am responsible for.

However, by doing so, he is exposing their money to a security risk. If he hadn't told the whole town about the security flaw, no one might ever have known about my broken lock. If he had instead chosen to tell only me, so I could fix the lock, or tell me and the friends who store money in my house, the money would be much safer AND the problem would be solved.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 02:57:11 PM
Quote
Actually "the founder (FlexCoin)" has the right definition of ethical full disclosure. Releasing any bug before submitting it to his developers is in fact not full disclosure but the way that crackers work, not hackers.

The only two reasons that hackers should go full disclosure are if a developer doesn't worry much about it and gets lazy, not patching it after a reasonable time frame, or if the developers try to silently patch it without advising their customers by public advisories.

That's how ethical vulnerability researchers work and always will. That's why full disclosure was made after all: to help users who are not aware of security bugs to stop using the software before a patch is made, once a vulnerability has been discovered.

I also of course don't like the fact that "the founder (FlexCoin)" has to "force" his idea, but I understand that this should be taken with care.


what if you want to inform other people that are using the service to just get the hell out of there, it's insecure?

http://en.wikipedia.org/wiki/Full_disclosure:
Quote
Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it.

see? wikipedia disagrees with you.

The window of exposure stated in this article is such nonsense when it takes coders more time to patch the software than it takes script-kiddies to exploit the bugs. This will affect more users than if you just asked the coder to do his job. Then, if he doesn't do it, you warn people of course.

The same article also refers to responsible disclosure, which is in fact the good way to work to reduce security incidents.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Xephan on August 03, 2011, 02:57:13 PM
Quote
that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat, i do it.
you should only be glad that I'm not trying to use it.

Responsible full disclosure means letting the developer know about it, with sufficient time to fix it before releasing the full details. This is how it's done by respectable security firms and hackers. They find the bug, they tell the developer, they also put a time line on when they are going public with the details unless there are good reasons to delay, e.g. developer IS working on a solution, shows evidence of such but the bug is such that they need more time to debug, test and deploy the fixed versions.

Otherwise, the only people who benefit from such irresponsible disclosures are the criminals, and the ones who generally get hurt the most are the people you claim you want to warn to get out while they can.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 03:00:01 PM
Quote
Hmm, not applying here; in fact just a bad argument regarding full disclosure, because it was made to protect users (not the developers). In this case the dev is the guy not locking his door, and the users none. Maybe saying he didn't lock the door to his wife after the second time you catch him will make his wife mad and want to do something so that it won't happen again.
I was just portraying his general attitude. But for a more extensive example:

Let's say I'm responsible for the money of a few of my friends. I keep the money stored in my house, in a safe. I always make sure to lock the door when I leave home, to protect my own property and the property of others that I am responsible for. However, one day when I leave home, I do remember to lock the door, but the lock somehow breaks without me noticing it. Someone else (like kokjo) notices the unlocked door, and tells everyone in town about this "security flaw", to protect the friends whose money I am responsible for.

However, by doing so, he is exposing their money to a security risk. If he hadn't told the whole town about the security flaw, no one might ever have known about my broken lock. If he had instead chosen to tell only me, so I could fix the lock, or tell me and the friends who store money in my house, the money would be much safer AND the problem would be solved.

Much, much better argument :) I'm gonna use it for customers I think.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: D.H. on August 03, 2011, 03:02:10 PM
Quote
see? wikipedia disagrees with you.

Not really. Here's some more text from that wikipedia page (also, note that BTCrow wrote "ethical full-disclosure"):

Quote
Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.
Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called responsible disclosure.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 03:03:19 PM
uuhhh! people are really mad at me. :D
i do as i do, work with it!

say i found a flaw in mtgox, that allowed me to empty random accounts.
if i just publicly showed people how to do it, they would quickly abandon mtgox, because it was insecure.

problem solved!  


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 03:07:04 PM
Quote
uuhhh! people are really mad at me. :D
i do as i do, work with it!

say i found a flaw in mtgox, that allowed me to empty random accounts.
if i just publicly showed people how to do it, they would quickly abandon mtgox, because it was insecure.

problem solved!  
It would be a better idea to follow these steps:

1. Inform MtGox about the flaw so they are given a chance to fix it.
2. If it is not fixed, tell people that there is a flaw that MtGox refuses to fix, so they should empty their accounts, but do not post any details.
2a. After people have been given a chance to withdraw their funds and abandon MtGox, post the full details.
3. If the problem is fixed, post the flaw, in full, on the forum. Then people can decide on their own if MtGox should be abandoned or not.

Otherwise, people may not even have a chance to abandon MtGox. All their money may get stolen, because of you.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 03:11:25 PM
Quote
uuhhh! people are really mad at me. :D
i do as i do, work with it!

say i found a flaw in mtgox, that allowed me to empty random accounts.
if i just publicly showed people how to do it, they would quickly abandon mtgox, because it was insecure.

problem solved!  
It would be a better idea to follow these steps:

1. Inform MtGox about the flaw so they are given a chance to fix it.
2. If it is not fixed, tell people that there is a flaw that MtGox refuses to fix, so they should empty their accounts, but do not post any details.
2a. After people have been given a chance to withdraw their funds and abandon MtGox, post the full details.
3. If the problem is fixed, post the flaw, in full, on the forum. Then people can decide on their own if MtGox should be abandoned or not.

Otherwise, people may not even have a chance to abandon MtGox. All their money may get stolen, because of you.
i don't care about the other users. i did nothing wrong. i published information; are you gonna censor me?
it is not my responsibility to take care of mtgox's users.
it's also too complicated, the whole 3-4 step thing.
much simpler with a 1-step thing.

:P


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 03:13:16 PM
I'd say it's everyone's responsibility to not be an asshole.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 03:15:29 PM
Quote
I'd say it's everyone's responsibility to not be an asshole.
are you insulting me because of my opinion?


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 03:18:40 PM
No, I'm calling you an asshole because you've made an asshole move.

"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 03:20:30 PM
Quote
No, I'm calling you an asshole because you've made an asshole move.

"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
are you an asshole too then?
non-assholes don't insult people.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 03:22:03 PM
Quote
uuhhh! people are really mad at me. :D
i do as i do, work with it!

say i found a flaw in mtgox, that allowed me to empty random accounts.
if i just publicly showed people how to do it, they would quickly abandon mtgox, because it was insecure.

problem solved!  

The point is that your act will create a higher risk of a security incident for mtgox in this example.

The only benefit will be rewarded to you (and maybe not, cause you're gonna be flamed lol) because you found a 1337 bug.
So in this case only the ego of the bug finder will benefit.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 03:22:33 PM
Look, I didn't even directly call you an asshole. I said it was an asshole move to expose everyone's money to a security risk. You only took offense because you yourself have committed this act. This is akin to a murderer taking offense to someone saying murderers are criminals and sinners.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 03:25:30 PM
more flame more lol *popcorn*


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 03:28:05 PM
Quote
Look, I didn't even directly call you an asshole. I said it was an asshole move to expose everyone's money to a security risk. You only took offense because you yourself have committed this act. This is akin to a murderer taking offense to someone saying murderers are criminals and sinners.
are you saying that i have stolen?
say if i did have an exploit against mtgox.
i could steal anyone's money.
i did not do that, i just released the exploit to the forum.

how does that make me a bad person?
are locksmiths also bad then? they can unlock people's doors?


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Xephan on August 03, 2011, 03:29:30 PM
Why do I get the feeling that's not a real penguin in kokjo's avatar but a troll in disguise? :D


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Yuusha on August 03, 2011, 03:30:31 PM
Quote
are you saying that i have stolen?
say if i did have an exploit against mtgox.
i could steal anyone's money.
i did not do that, i just released the exploit to the forum.

how does that make me a bad person?
are locksmiths also bad then? they can unlock people's doors?
Locksmiths in general are not bad, no. But if a locksmith handed out keys to the bank to everyone in town, then yes, that person is bad.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 03:31:18 PM
Quote
Look, I didn't even directly call you an asshole. I said it was an asshole move to expose everyone's money to a security risk. You only took offense because you yourself have committed this act. This is akin to a murderer taking offense to someone saying murderers are criminals and sinners.
are you saying that i have stolen?
say if i did have an exploit against mtgox.
i could steal anyone's money.
i did not do that, i just released the exploit to the forum.

how does that make me a bad person?
are locksmiths also bad then? they can unlock people's doors?

Professional locksmiths are not unlocking people's doors to steal their money or just to prove to others that they are able to unlock whatever they want. Doing this again will only benefit their ego, not help people who forgot their keys to get back home.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Xephan on August 03, 2011, 03:31:19 PM
Quote
Look, I didn't even directly call you an asshole. I said it was an asshole move to expose everyone's money to a security risk. You only took offense because you yourself have committed this act. This is akin to a murderer taking offense to someone saying murderers are criminals and sinners.
are you saying that i have stolen?
say if i did have an exploit against mtgox.
i could steal anyone's money.
i did not do that, i just released the exploit to the forum.

how does that make me a bad person?
are locksmiths also bad then? they can unlock people's doors?

Nah, it's not bad. It's just like if I found a loaded gun, and I passed it to a kid and told him to just point it at Kokjo and pull the trigger. It's not my fault if you got killed, I'm not a murderer, I could have killed you, but I didn't, I just released the weapon to a kid, that's all. I'm sure you will understand and not blame me for anything :D


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Moussekateer on August 03, 2011, 03:36:00 PM
Dear god I hope kokjo isn't given any actual responsibility in real life.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: D.H. on August 03, 2011, 03:48:36 PM
Quote
i don't care, about the other users

This is where you differ from most people in this thread. End thread?


Title: Re: Bug Policy --- Admins need to enforce this
Post by: petercyr on August 03, 2011, 03:49:59 PM
kokjo, it's pretty obvious that you're just trolling for attention. It does say "You are WRONG! :D" in your profile. Pretty much reflects how you're going about this conversation. You're acting like a child who doesn't give a crap about anything and anyone. Great way to be, really....

Full disclosure without giving the dev a reasonable amount of time to fix the issue is wrong. If there is a bug that no one has exploited yet and you tell the dev, they fix it, no one got screwed, then you either make the dev publicly inform everyone, or if they refuse you do it for them... By then, no one has time to fuck the whole site and all the members included. You're not just harming the site. You're harming all the members, the bitcoin community. It's not like every member is listening to you waiting for you to say when something has a problem so they can bail. Lots of people stand to lose when you do that kind of shit.

With bitcoin being the way it is, anyone can start a service or exchange. There is no authority to certify the security of these sites. When one of them fucks up and lots of people lose, it screws with bitcoin as a whole. People lose faith. There's absolutely nothing positive behind what you're doing. It's not even positive for you if you have anything to do with bitcoin unless all you do is troll the forums.

Believe what you will. It doesn't make it right and it doesn't make your intentions honorable either.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 03:56:07 PM
Quote
Dear god I hope kokjo isn't given any actual responsibility in real life.
it is not my responsibility that other people fuck up. really!

i have no problem taking care of my own shit, but i will not take care of others' shit if they do not pay me for it.
 


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Mistafreeze on August 03, 2011, 03:58:08 PM
Quote
No, I'm calling you an asshole because you've made an asshole move.

"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
are you an asshole too then?
non-assholes don't insult people.

What are you, 12?

You don't publicly reveal the inner workings of a bug you find without privately letting the developers know first. All this does is give those that have no morals the chance to exploit it. Is this really that hard to grasp?

You made an asshole move. Learn and move on.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: kokjo on August 03, 2011, 04:01:03 PM
Quote
No, I'm calling you an asshole because you've made an asshole move.

"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
are you an asshole too then?
non-assholes don't insult people.

What are you, 12?

You don't publicly reveal the inner workings of a bug you find without privately letting the developers know first. All this does is give those that have no morals the chance to exploit it. Is this really that hard to grasp?

You made an asshole move. Learn and move on.
no, it's not hard to grasp.

i could ask you the same question: is it really that hard to grasp that i do what i do?


Title: Re: Bug Policy --- Admins need to enforce this
Post by: makomk on August 03, 2011, 04:16:58 PM
Quote
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

Edit: Also, that's another problem. Private disclosure of website vulnerabilities allows the company to lie and pretend the vulnerability never existed because there's no way of proving it after it's been closed, so even if the reporter tries to disclose it publicly at that point they won't be believed. This causes users to get a false sense of security about the website; even if one vulnerability gets fixed it increases the odds there are other unfixed ones.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 04:24:46 PM
Quote
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

If what you are saying is true, public disclosure in this case would give even worse results than the crash that occurred. It would give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Mistafreeze on August 03, 2011, 04:34:59 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

It's only comparable to that if you take out a full-page ad in the newspaper to inform the owner that the door hasn't been locked.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: BTCrow on August 03, 2011, 04:47:23 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurs. It will give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.

Just want to enforce this point:

http://nvd.nist.gov/cvss.cfm?calculator&version=2

This is the calculator from NVD to calculate the severity scores of any potential or current vulnerability; this is how vendors and security professionals price vulnerabilities and calculate the security risk most of the time.

Check the "Temporal Score Metrics" and put availability to high, fix to unavailable and verification to confirmed. You'll see it will put the security risk at a very high level compared to doing ethical full disclosure with the right steps.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Xephan on August 03, 2011, 05:44:41 PM
(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

Edit: Also, that's another problem. Private disclosure of website vulnerabilities allows the company to lie and pretend the vulnerability never existed because there's no way of proving it after it's been closed, so even if the reporter tries to disclose it publicly at that point they won't be believed. This causes users to get a false sense of security about the website; even if one vulnerability gets fixed it increases the odds there are other unfixed ones.

That's why discoverers usually only give the developers a week or two to do something before going public, unless there are good reasons not to. It's not really possible to fool the discoverers, who would usually be very technically competent, about how long it's going to take to fix something. If the company isn't interested or proactive, nobody's going to blame the discoverer for being irresponsible.

A simple way for the discoverer to verify that they did give the developers warning is simply to send the initial warning, without details, via email, CC'd to a few others. A simple "I've discovered what appears to be a flaw in your system. Please reply to all within 48 hours for details or I will publicly release the details of the exploit" would do. The CC'd people only need to know you're providing a warning and whether the devs bothered to get back to you; then the company can't fix it and claim it didn't exist.

If you can't trust anybody, routing it to yourself using a new account at a public webmail service like Gmail or Yahoo would also do in a pinch.

Or do what Wikileaks did and put an aes256 encrypted file with the details in public domain first :D
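Added example, not code from Xephan's post or from Wikileaks: the same "prove later that you had the details at the time of the warning" trick, done as a SHA-256 hash commitment instead of the AES-256 encrypted file, because that needs nothing outside the Python standard library. The discoverer publishes only the commitment (in the CC'd warning mail, a forum post, anywhere third parties will timestamp it) and keeps the report and nonce private; revealing both later lets anyone check that the report is the one committed to and has not been edited since. The sample report text is a constructed placeholder.

```python
import hashlib
import hmac
import os


def make_commitment(report: bytes):
    """Return (commitment_hex, nonce). Publish the commitment, keep the nonce.

    The random nonce stops anyone who can guess the report text (a short
    one-liner, say) from confirming the guess against the published hash."""
    nonce = os.urandom(32)
    commitment = hashlib.sha256(nonce + report).hexdigest()
    return commitment, nonce


def verify_commitment(commitment: str, nonce: bytes, report: bytes) -> bool:
    """Anyone holding the published commitment can check a revealed report.

    Constant-time compare so the check itself leaks nothing about the digest."""
    expected = hashlib.sha256(nonce + report).hexdigest()
    return hmac.compare_digest(expected, commitment)


def warning_line(commitment: str, hours: int = 48) -> str:
    """The detail-free warning from the post, with the commitment attached so the
    CC'd witnesses have something to hold the discoverer to as well."""
    return (f"I've discovered what appears to be a flaw in your system. "
            f"Please reply to all within {hours} hours for details or I will "
            f"publicly release them. Report commitment (SHA-256): {commitment}")


if __name__ == "__main__":
    # Constructed placeholder for the real report.
    report = b"constructed sample report: details of the flaw go here"
    commitment, nonce = make_commitment(report)
    print(warning_line(commitment))
    # Later, on reveal: the original verifies, an edited copy does not.
    print("original verifies:", verify_commitment(commitment, nonce, report))
    print("edited verifies:  ", verify_commitment(commitment, nonce, report + b" (edited)"))
```

The commitment proves what the report said, not when it was written; the time comes from whoever received the warning, which is why it belongs in the CC'd mail rather than only on the discoverer's own disk. The encrypted-file variant in the post has one extra property: the details themselves are already in public hands, so the reveal is just a key.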


Title: Re: Bug Policy --- Admins need to enforce this
Post by: nhodges on August 03, 2011, 09:12:32 PM
that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.

I believe that is irresponsibility to the highest levels.    Posting a bug like that isn't helpful to anyone...  look I follow the Ubuntu policy on bug requests...  send it privately to the developers..  give them a chance to fix it.. then publish what went wrong...

You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system...  then claim "i was doing the right thing" ...  that's not the right thing... that's akin to me publishing your banking username and password...  then saying "I was doing the right thing"  instead of telling you "you're username and password are compromised" ..

i believe in full disclosure as well... just give the guy a chance to fix it before you announce it...  I'm asking for a few hours... not a few days or weeks... 



Sometimes, there is no other option than full disclosure because security issues go unanswered so far as to be adopted by other businesses as acceptable practices. Private reports are great if they are digested and responded to in a timely fashion, however usually this is not the case. Most people who do find Bitcoin bugs do indeed submit them to the team directly, or commit a patch themselves.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: makomk on August 04, 2011, 04:56:18 PM
If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurs. It will give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.
You'd think so, but the window for exploiting this kind of vulnerability once it's been publicly exposed generally seems to be too small for anyone to actually do so profitably. Generally the person publicly announcing it only provides a minimal proof-of-concept that's enough to show the issue exists and a lot of effort is still required to use it maliciously.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Tasty Champa on August 04, 2011, 07:50:08 PM
Most everyone that is running anything important is in the channel, so all you have to do is tell them privately there. Then if someone finds something, give them an adequate reward for not being a complete dip shit chicken little.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: indicasteve on August 04, 2011, 08:13:43 PM
Do what I do...just pay the guy a bounty!

I put out a bounty to find bugs on my demo site and Kokjo stepped up and found some things I would have never thought of....like who knew 'inf' as a form input gets parsed as a valid float?

He sent me some bugs in PM and I appreciate his help.
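Added example, not code from indicasteve's site or from this thread: the "'inf' is a valid float" problem side by side with a strict parser, run over constructed form inputs. A bare float() on a money field accepts "inf", "nan", exponents that overflow to infinity, underscores and surrounding whitespace; the strict version (an assumed policy for a BTC amount field: unsigned digits, at most 8 decimals, no exponent, positive and below 21 million) is what a site that holds balances would want instead. The inputs and the policy are assumptions for illustration.

```python
import math
import re
from decimal import Decimal

# Constructed form inputs (not from any real site).
SAMPLE_INPUTS = ["1.5", "0.00000001", "inf", "-inf", "Infinity", "nan",
                 "1e999", "1_000", " 1 ", "0x10", "1.000000001", "-5"]


def naive_parse(text):
    """What a quick float(request.form["amount"]) does: accepts far too much."""
    return float(text)


# Assumed policy for a BTC amount field: digits with up to 8 decimals, no sign,
# no exponent, no whitespace, no underscores, positive and below 21 million.
AMOUNT_RE = re.compile(r"(?:0|[1-9]\d{0,7})(?:\.\d{1,8})?")
MAX_AMOUNT = Decimal("21000000")


def parse_amount(text):
    """Strict parse: returns a Decimal or raises ValueError."""
    if not isinstance(text, str) or not AMOUNT_RE.fullmatch(text):
        raise ValueError("amount must be plain digits with at most 8 decimals")
    value = Decimal(text)          # exact decimal arithmetic, unlike float
    if not value.is_finite() or value <= 0 or value > MAX_AMOUNT:
        raise ValueError("amount out of range")
    return value


def is_valid_amount(text):
    """True if the strict parser accepts the input."""
    try:
        parse_amount(text)
        return True
    except ValueError:
        return False


def compare(inputs=SAMPLE_INPUTS):
    """For each input: what float() produces vs. what the strict parser does."""
    rows = []
    for text in inputs:
        try:
            f = naive_parse(text)
            naive = "non-finite" if not math.isfinite(f) else repr(f)
        except ValueError:
            naive = "rejected"
        rows.append((text, naive, "ok" if is_valid_amount(text) else "rejected"))
    return rows


if __name__ == "__main__":
    for text, naive, strict in compare():
        print(f"{text!r:16} float(): {naive:14} strict: {strict}")
```

The regex does the format check before Decimal ever sees the string, so "Infinity", "NaN" and "1E+3" (all of which Decimal would happily parse too) never reach it; the is_finite() check is belt and braces. Anything that is later used in arithmetic against a balance should go through a parser like this, because an infinity or NaN that gets as far as a comparison or a subtraction makes every balance check after it meaningless.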


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Tasty Champa on August 04, 2011, 09:49:16 PM
Do what I do...just pay the guy a bounty!

I put out a bounty to find bugs on my demo site and Kokjo stepped up and found some things I would have never thought of....like who knew 'inf' as a form input gets parsed as a valid float?

He sent me some bugs in PM and I appreciate his help.

you are a smart fellow. :)


Title: Re: Bug Policy --- Admins need to enforce this
Post by: Rodyland on August 05, 2011, 12:17:00 AM
i don't care, about the other users.

Sums himself up right there perfectly.


Title: Re: Bug Policy --- Admins need to enforce this
Post by: bitplane on August 05, 2011, 12:26:28 AM
I agree that Flexcoin should learn from this and lead the way by giving bounties and offering up a clear bug-resolution policy. Pay a reasonable fee for each vulnerability, allow the researcher to publish after a fixed period of time (regardless of whether the bug is fixed or not), and list all fixed vulnerabilities on the site along with the bounty paid.

A history of this sort of security policy would be strong evidence that sites that hold BTC are both secure and honest about their shortfalls.