BREAKING: Elon Musk will officially acquire Twitter for $44 billion, sources say the deal will be announced by the end of today.
Try at least reading the last few pages before posting news.
|
|
|
To the old timers: Is it just me or has Monero often seemed to want to do this against a weak BTC backdrop over the years?
It used to until the naked shorting.
|
|
|
I remember how downcast so many were even 4 years ago...
After the 2017 bull, and brief altseason we have all been crushed so badly. It is understandable that many lost hope. After all, most alts are absolute garbage. Most have deserved the 90+% losses, and the ones that have remained closer to the top have NOT deserved to be there. The only caveat is their demise might bring some pain to all the alts... even the ... well fuck it. I honestly think there is only one that deserves attention.
That said 290-330 is the last stand of the shitcoin levels. If it can take all that? Well. It's just open skies above that, I think. And I do not think it has to stay under its XMR/BTC ath either. I see it having a good chance of attacking as far as .09 BTC if not the whole .1.
Historically .0082 should be the next major hurdle.
|
|
|
“It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs.”
The bug, tracked as CVE-2022-21449, carries a severity rating of 7.5 out of a possible 10, but Madden said based on his assessment, he’d rate the severity at a perfect 10 “due to the wide range of impacts on different functionality in an access management context.” In its grimmest form, the bug could be exploited by someone outside a vulnerable network with no verification at all.
Other security experts also had strong reactions, with one declaring it “the crypto bug of the year.”
A mitigating factor is that Java versions 15 and above don’t appear to be as widely used as earlier versions. Data collected in February and March 2021 from security firm Snyk showed that Java 15, the latest version at that time, accounted for 12 percent of deployments. While Madden said that the specific ECDSA implementation flaw affected only Java 15 and higher, Oracle also listed versions 7, 8, and 11 as vulnerable. Madden said that the discrepancy may result from separate crypto bugs fixed in the earlier releases.
a/0 = valid signature
ECDSA signatures rely on a pseudo-random number, typically notated as K, that’s used to derive two additional numbers, R and S. To verify a signature as valid, a party must check the equation involving R and S, the signer’s public key, and a cryptographic hash of the message. When both sides of the equation are equal, the signature is valid.
In a writeup published Wednesday, security firm Sophos further explained the process:
S1. Select a cryptographically sound random integer K between 1 and N-1 inclusive.
S2. Compute R from K using Elliptic Curve multiplication.
S3. In the unlikely event that R is zero, go back to step 1 and start over.
S4. Compute S from K, R, the hash to be signed, and the private key.
S5. In the unlikely event that S is zero, go back to step 1 and start over.
For the process to work correctly, neither R nor S can ever be a zero. That’s because one side of the equation is R, and the other is multiplied by R and a value from S. If the values are both 0, the verification check translates to 0 = 0 X (other values from the private key and hash), which will be true regardless of the additional values. That means an adversary only needs to submit a blank signature to pass the verification check successfully.
Madden wrote:
Guess which check Java forgot?
That’s right. Java’s implementation of ECDSA signature verification didn’t check if R or S were zero, so you could produce a signature value in which they are both 0 (appropriately encoded) and Java would accept it as a valid signature for any message and for any public key. The digital equivalent of a blank ID card.
Below is an interactive JShell session Madden created that shows a vulnerable implementation accepting a blank signature as valid when verifying a message and public key:
    |  Welcome to JShell -- Version 17.0.1
    |  For an introduction type: /help intro
    jshell> import java.security.*
    jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
    keys ==> java.security.KeyPair@626b2d4a
    jshell> var blankSignature = new byte[64]
    blankSignature ==> byte[64] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ... , 0, 0, 0, 0, 0, 0, 0, 0 }
    jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
    sig ==> Signature object: SHA256WithECDSAInP1363Format<not initialized>
    jshell> sig.initVerify(keys.getPublic())
    jshell> sig.update("Hello, World".getBytes())
    jshell> sig.verify(blankSignature)
    $8 ==> true
    // Oops, that shouldn't have verified...
Organizations that are using any of the affected versions of Java to validate signatures should place a high priority on patching. It will also be important to monitor for advisories from app and product makers to see if any of their wares are made vulnerable. While the threat from CVE-2022-21449 appears limited to new Java versions, its severity is high enough to warrant vigilance.
https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/
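
Added example, not part of the quoted article or of the original post: a toy ECDSA verifier showing why the zero check on R and S matters, with the missing-check behaviour selectable beside the checked form. The tiny curve, the fixed K, the Fermat-style inversion and the encoding of the point at infinity as 0 are assumptions chosen for illustration, not Java's code.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with base point G of prime order N = 19.
# Constructed teaching parameters (assumption), far too small for real use.
P, A, N, G = 17, 2, 19, (5, 1)
INF = None  # point at infinity

def add(p1, p2):
    """Add two curve points (affine coordinates, INF is the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(h, d, k):
    """Steps S2-S5 for a caller-supplied K (fixed here so the demo repeats)."""
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("R or S is zero: choose another K")
    return r, s

def verify(h, r, s, pub, range_check=True):
    """ECDSA verification; range_check=False reproduces the missing check."""
    if range_check and not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, N - 2, N)  # Fermat inverse (assumption): maps s = 0 to 0
    pt = add(mul(h * w % N, G), mul(r * w % N, pub))
    x = 0 if pt is INF else pt[0] % N  # assumption: infinity encoded as x = 0
    return x == r
```

With `range_check=False`, `verify(h, 0, 0, pub)` returns `True` for every hash `h` and every public key on this curve, while the default rejects it before any curve arithmetic runs.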
|
|
|
I wrote about this on Twitter and in the latest issue of the Monero Moon, but thought it is such a prominent chart I'd share it here. After 4 years of Monero down-trending against Bitcoin, XMR has finally broken out upwards, and is looking like it will close the month out above resistance. This is a rare and unprecedented event for any cryptocurrency to break out from such a long downtrend on the BTC pair, and as far as I’m aware has never happened before. The last time XMR broke out of a long-term (22 month) downtrend against BTC was Feb 2016, before rallying 2600% against Bitcoin.
XMR has broken out of the 4+ year downtrend...
Appreciate it but infofront beat you to it earlier this page. BTW, really enjoyed the Moon this week.
|
|
|
^ ^ It's starting imho. All it takes is a little bit more of critical thinking and for the people in the Bitcoin community to start asking questions. The most obvious one being why are there still lots of DNM users still continuing to use BTC? They should drop it as BTC isn't really built for keeping your wallets' blockchain info safe from the prying eyes of TPTB. Even their most prized use case of the store of value narrative isn't really that strong without Monero's features. And it is sad that the WO has gotten so out of hand.
I'm trying to remember when it wasn't. I've got nothing. I blame cAPSLOCK and Heuristic
Just curious... What happened?
|
|
|
So someone said to me yesterday "Hey I got an email for the Johnson and Johnson suit right after we talked about it" and I was like...See.
I think I'm going to make them leave their phones outside from now on.
|
|
|
It must be 420, I'm seeing double.
|
|
|
I watched all the usfl games except the delayed one and enjoyed them all.
Quality play, beats the hell out of that college shitball.
|
|
|
XMR has broken out of the 4+ year downtrend...
And it's about fucking time!
|
|
|
Don't keep your coins on an exchange. Same story as 8 years ago. Same story 8 years from now. Just don't.
N00bs need to be continually reminded unfortunately.
|
|
|
I took a peek against my better judgement. The drone cam (or at least that's what I think the shaky-spinny footage was) makes me queasy... why move it around so much, looks like some kid's tiktok. Other than that, decent high school football. I enjoyed it, most of the players are former nfl and nfl practice squad.
|
|
|
|