Bitcoin Forum

This message was too old and has been purged

I totally believe you. Dang it where's my sarcasm font?

This message was too old and has been purged

You should use https://www.vinumeris.com/lighthouse

 ;)

I agree. I follow a lot of the projects you are working on Evil and I could see a Lighthouse writeup doing well if you are able to prove what you're claiming here.

I would give BTC for this. Thanks!

Edit: For some projects and people who stumble here, this may be interesting:
https://tip4commit.com/projects

This message was too old and has been purged

Hi,
A question: DOS vs " shoot down" vs "arbitrary code execution may be possible". Can you explain more? Are you crashing bitcoind "merely" DOSing the server while connected?

Down thread you said "make your node connect to mine".  Did you mean any node that connects to your node will crash bitcoind?

This message was too old and has been purged

Thanks.  I was just curious as to what you were seeing. ;-)   

btw, one thing I was clear about was whether your node is set to do this automatically to anyone who connects to it or you have to trigger it.

I'd ask you to share the details, but given the first post, I presume that is pointless.    :)

Someone published the link to this thread on reddit: http://www.reddit.com/r/Bitcoin/comments/2ukp87/researcher_discovers_major_dos_vulnerability_in/

You can't seriously expect people to pay you UPFRONT for such a disclosure?!

If you actually know of such an exploit, contact the devs privately and responsibly disclose it ASAP. Then you can ask for your bounty, and you'll probably get more than 10BTC.

It is much more likely there is a bug in the software as compared to the odds there is a 'bug' in the math. :-)

Some reading on the ECDSA claims:
https://bitcointalk.org/index.php?topic=437220.msg4808560#msg4808560
https://bitcointalk.org/index.php?topic=421842.0

I'm also a developer, and if you're interested, i can verify your claims if needed

I guess you didn't learn after your prior stunts resulting in negative trust?  (For some context Evil-Knievel incorrectly (and seemingly dishonestly) claimed to have compromises for ECDSA in the past and tried charging for them; conduct which he currently bears negative trust for.)

If you believe you have some DOS attack please report it responsibly to bitcoin-security@lists.sourceforge.net  (or feel free to report it encrypted privately to any of the Bitcoin core committers if you think its super critical), just like anyone else does. We consider DOS attacks to be important, but fundamentally you cannot prevent DOS because an attacker can just exhaust your bandwidth, instead DOS is prevented by not exposing your critical infrastructure to the public network directly.  We usually fix several DOS-ish issues in each release, it may also be that anything you know about is already known and a coordinated fix is in progress. In any case, you'll be credited for your contribution.  Demanding an enormous bounty for what sounds like something that is not terribly concerning is unreasonable and isn't likely to happen (it would be incredibly counterproductive to pay you when other people have done _far_ more work and found far more serious issues in the past).

If your actions caused foreseeable and preventable harm to others you may find yourself subject to civil litigation by the harmed parties. I would strongly encourage you to behave responsibly.

This message was too old and has been purged

Immediate? Only your continued deceptive behavior earned you that negative trust. Your post (https://bitcointalk.org/index.php?topic=421842.0) was on January 18th, the down rating was on March 18th, in between there there was a half dozen posts by me. You never even backed out your deceptive claims.

This message was too old and has been purged

Why use year old software? I'm not sure what a video is supposed to prove. The bogus ECDSA "cracker" had a proof video too.

This message was too old and has been purged

Mining pools hide their private mining nodes from the network, so it's not quite so simple.

If it's really as simple as send a few messages and crash a node and effects 0.10 then I agree it needs to be fixed right away... You'd be credited in the commit for the fix (and likely a CVE, if its an outright crash), like anyone else who has reported a similar issue. This is the reasonable and customary way things are handled in open source projects, and the only reasonably scalable one (even if you put in 'a lot' of time, it pales in comparison to the thousands of hours put in by others; besides who do you think can afford that? non-technical people don't give a crap about this stuff... they think the software is magic).  I'd also remove the negative trust I have against you here on the forum, since you made good; and not harass you in the future about initial asking for a huge out-of-the-norm bounty in this case. Thats all I can offer.  Otherwise, if something exists here that is unknown, it'll have to wait until someone else rediscovers it.

This message was too old and has been purged

This message was too old and has been purged

I am interested in this method for the sake of reporting it. I'm not sure if my lack of trust will prevent you from messaging me about it, but it's worth a shot.

Something like this ought to be fixed.

This message was too old and has been purged

EDIT:

Why are you asking for 10 btc ? I think it would be better report that "bug" to bitcoin core devs   and after maybe someone will send you a donation.

Why not?  Some people like to get paid for finding exploits.  If it's a major flaw, then he deserves more than 10BTC.

This message was too old and has been purged

Yes , but first report the bug and after "maybe" the bitcoin core devs will send you a bounty. Not  in the other way , if he is serious.

Then good luck, if you are right I think quickseller and gmaxwell  will remove the feedback agains your (there will not be a problem of course).

Yeah, but it's a "maybe"?  He could sell the exploit to a mining pool in China for a lot more than 10 BTC, but he didn't.  I don't think there is anything wrong with someone asking to get paid for a major exploit found.  It's more productive then short selling market manipulators who are destroying the price of BTC.

If the bug exist, but now we should only wait a confirm from gmaxwell. I'm sure Evil-Knievel will receive a bounty (if he has right).

I'll throw him a BTC if it's legit.  Also, idiot members shouldn't leave him negative trust without explanation here.  It's the wrong way to deal with exploits.

This guy is a scammer. If he actually had the exploit that he claims to have, he could easily sell it to an exchange who would potentially stand to lose hundreds of millions of dollars if the exploit were to be used against them.

The same is true for mining pools although they do not have quite as much money at stake.

Again the same is true for casino operators. Oh wait this guy scammed Casinobitcoin out of 5 BTC to provide evidence of such exploit (see his trust). Additionally this person was trying to get people to pay him for another "exploit" several months ago.

He is offering to show the "media" evidence of such an exploit however the media does not have a technical background and would  not be capable of questioning if this would actually work or not.

This message was too old and has been purged

You are clearly trying to profit off of this exploit. The difference between my suggest and what you are asking is for the community to pay you up front to reveal the exploit verses you likely having to reveal the exploit first to the exchange (or whoever you are selling it to).

No I don't think , he should reveal the "bug" to bitcoin core devs not to the various exchange. I think they will send a big bounty if the bug exist.

This message was too old and has been purged

Just put donations address to one of trusted members and problem is solved. If there is no bug he will return BTC, else you will receive the whole amount.

Thank you for sending to to GM.  That was the right thing to do.

Waiting for gmaxwell.

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiner's wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

If you feel strongly about this, then you should start one.  The only reason that a strong bounty system doesn't exist is because nobody has bothered creating one.  It's an open system, feel free to be the guy that is responsible for creating and maintaining a reliable and trustworthy bounty program.

That's BS.  Why wouldn't the "Foundation" have one?  You expect random users to start an important security related program for BTC?  Perhaps we wouldn't have issues like malleability if the Foundation was more proactive about this kind of stuff.  I guess they can discuss it at their Caribbean retreat ::) meanwhile hacks continue.

"The Foundation" is simply a private club of bitcoin enthusiasts. There is nothing official about them.  You are welcome to start your own club and call it "The Bitcoin Association" if you want.  Unless you are a member of their club, they are not beholden to any of your personal interests.  If you want them to have a bounty program, then join their club and campaign for it.


Yes.  The bitcoin system is decentralized and open.  There is no "Bitcoin Company".  If anything ever gets done in the bitcoin community, it is only because a random user decided that it needed to be done, so they did it.


Malleability was known about from very early on.  It wasn't addressed because there weren't any "random users" that felt it was important enough to address.


It's their retreat. They can discuss whatever they want.  Meanwhile, you are welcome to sit on your whining butt and continue to complain to the universe about how it doesn't operate the way you want it to.

Thank you for the lessons wise one, until now I thought Bitcoin was a company run by the Foundation who was orchestrating Malleability hacks on exchanges.  I guess I should get off my whinny butt, after all, I've been here longer than you and haven't had the severely limited time to reach Legendary status. 

That's the point of a bounty program, to find exploits of known bugs.  I'm also really surprised there isn't a bug bounty program in place.  The Foundation would be able to easily organize something like this with the most exposure.  We are past the "everybody needs to contribute" days, need to be more organized for mass adoption.

I feel strongly about being shocked. However as I don't use bitcoin anymore, except transitionally to buy NXT and MAIDSAFE, I'll leave the implementation of a bounty system to those who are invested in bitcoin and who would like to see the code analyzed with a fine-tooth comb.

but I tell ya....I'm shocked!   ;D

@gmaxwell , can you tell if Evil-Knievel has right or not ? Thanks for the attention.

Even though he has sent the bug to gmaxwell to be reviews, why did he already get a negative trust ?

This message was too old and has been purged

You'd expect that something as big as bitcoin with an entire foundation behind it would have at least a small bug bounty. Yet we get to hear that no one cared enough to create one.

Sent pm ;)

Speaking about questionable behaviour... To me "Hey, I found a critical bug. I will inform you about it for BTC10" sounds an awful lot like "Hey, I can break your legs. For $2000 I won't".

No, because then he'd be saying if you don't pay me the 10 btc I'm going to start shooting down every node I see until it's fixed.

Rather he simply wants to be compensated for his time spent digging into the code and finding a vulnerability.


To those who believe the Bitcoin Foundation should not offer these bounties I ask why does the EFF offer bounties and prizes?



Edit: Has gmaxwell verified the claim sent by PM yet?

I don't think so it has been verified yet. All I see is a negative trust back in 2013 March by gmaxwell himself for a similar claim.
So I am confused about the whole situation right now.

I realise that, which is why I said "sounds an awful lot like". Obviously he wants compensation for his work, which is alright. He's just not packaging his request that nicely. He's obviously rubbing people the wrong way. If he were to present it nicer he would be more likely to get what he wants^tm.

Also the EFF offers those bounties to give people an incentive to go out and find issues. Evil-Knievel doesn't need such an incentive. He goes out looking with no prospect of a reward, only to request it upon finding something.

It's like finding someone's wallet. If you return it do you demand $10? Or do you just give it back and accept whatever reward they give? And how does that change if the owner put out posters offering a reward for finding their wallet?

Anyway, bottom line is that if he found an issue he deserves something. But there's no obligation for anyone to give him what he deserves.

However why not "make" this bug and "turn off" some bitcoin node? I think it will be a valid proof. What do you think guys ?

As long as he gets permission from the node operator first, I think that's an excellent idea.

That's exactly what your not supposed to do when trying to disclose a bug.

http://mashable.com/2013/08/18/facebook-hacker-zuckerberg-timeline/

I know , but  if he gets permission I think that is the best idea for prove he has right.

This message was too old and has been purged

So no more replies from gmaxwell? Were his claims credible?

I can "confirm" but it was only a small droplet with the basic specifics. These were the ghraps:


https://i.imgur.com/Kd7l72S.png


I don't know what he did, I've suggested him to try with other linux machine (not vps) and maybe someone here can help him.

If I am not mistaken, Evil Knievel discovered a flaw in the NXT code last year and received a reward. So I think he should be taken seriously.

While some may not like his approach, there is nothing illegal or wrong or unethical about it. He spent his own time and resources to discover the exploit, and if he feels he deserves 10BTC for it, then so be it. Whether anyone takes up his offer is another matter altogether. Leaving him negative ratings and attacking his motives sets a negative precedent for the future. Not everyone is just willing to volunteer their time and effort for free, open source or otherwise. Isn't Bitcoin all about free market?

He could have sold the exploit to a short selling whale or a Bitcoin detractor and get paid more than 10BTC. Bitcoin as a whole would've suffered.

I suggest everyone keep their judgement GMaxwell responds.

This message was too old and has been purged

??????

We Nxt people like it when others break our toys.  ;)   It benefits us to make our platform stronger.

So Evil-Knievel, care to enlighten us on what happened? Give us your version.

Perhaps gmaxwell doesn't want to say anything until there is a fix -- keeping a lid on the problem so it doesn't become a problem for the network.

If that's the case it'd be good if he can at least confirm it does exist and is being worked on so both quickseller and him remove their negative feedbacks.

Out of curiosity have you attempted this on the namecoin network lately?
I'm sure it will work there too but that isn't the reason I ask.

This message was too old and has been purged

News?

I guess no news are no news.

Shame. I'd feel pretty badly treated if I were EK, nothing but venom hurled his way and then didn't even acknowledge his ideas when he gave them away for free.

Yes, we truly do need some sort of decentralized bounty reward system for users who contribute to fixing exploits and bugs. It does take a considerable amount of time and resources to work and fix flaws and exploits such as these. It's in the best interest of everyone involved within Bitcoin to have these problems addressed and remedied.

I see both sides of the spectrum here and depending on the severity of the exploit and the effort used to research it should depend on the bounty paid. This is the only problem with Open Source software and developers working on these projects. It's hard to financially justify dedicating hours and hours of free work with little reward rather than recognition and self improvement. Once a decentralized bounty system is in place then I believe we will truly see great effort put forth in all of our favorite OSS projects (Tor, Gnupgp, Bitcoin, Keepass, etc).

Thanks for your time and effort spent in researching this, and I do appreciate and hope you responsibly handle your discoveries rather than illicitly exploiting them for personal gain.

Check his claims history. Big waster of time, historically.

No comments from @gmaxwell yet?

So that makes what appears to be a proven exploit less significant? Get down off your high horse

Doesn't look like it

Maybe he is busy and he can't reply I do not know. Is this bug real or not ? Because now a lot of people (various nodes) have updated their client.

EvilKnievel has a negative rep for a similar thing from gmaxwell back in 2014. Not sure if he would take him seriously on this now.

How do you explain this? ^

This message was too old and has been purged

Evil-Knievel, I wanted to follow up with you. I previously said that I thought you were lying about this exploit, however you were able to show a "real world" demonstration with redsn0w's full node (with his permission) and it appears the gamaxwell has evaluated your claim and apparently your claim checked out

https://vinumeris.com/_lighthouse/crowdfund/project/bug-bounty-requested-10-btc-for-dos-bug-in-current-clients

Edit: Dead link atm. Not sure why.

Do we have six confirmations yet?  ;)

The silence is becoming slightly awkward. It seems that there is indeed an issue. Is this issue being addressed at the moment? Is there a discussion about it elsewhere that I'm not aware of?

What gives?

Doesn't look like it's the DOS bug but here is gmaxwell crediting Evil with finding a bug https://github.com/bitcoin/bitcoin/pull/5770

Actually being able to get a third party to process control characters would be a vector for some shenanigans. Nice catch by Evil Knievel there.

Thanks for linking to that pull request.

This message was too old and has been purged

I would assume their silence means they are actively working on a solution.  Great to see these bugs addressed and credited in the proper way.  :)

Has he received any bounty for discovering this bug? If the reply is yes, how much he has received?

Lighthouse approved the posting this afternoon, so fundraising should be possible.

This message was too old and has been purged

The file is on my desktop - the link it created is a few posts up. I'm away from my computer but as soon as I get back I will post the link to it.

Should be about an hour or so.

EDIT:

https://vinumeris.com/_lighthouse/crowdfund/project/bug-bounty-requested-10-btc-for-dos-bug-in-current-clients

Bump.

Was this really a DoS bug in the client?  Did it get fixed?

I'm also curious about the outcome on this. I see OP doesn't have negative trust anymore, so this bug was most likely real and important.

I third that notion, would very much like to see the outcome of this whole situation.

Was this bug (if it was a bug) fixed in 0.10.1?

EDIT: apparently yes https://bitcointalk.org/index.php?topic=1039713.0