Bitcoin Forum
December 11, 2016, 12:07:22 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: [Full Disclosure] ClearCoin CSRFs  (Read 7855 times)
iCEBREAKER
Legendary
*
Online Online

Activity: 1512


Crypto is the separation of Power and State.


View Profile WWW
June 20, 2011, 06:51:22 AM
 #21

It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.
That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts.

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector.

The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy.  David Chaum 1996
Fungibility provides privacy as a side effect.  Adam Back 2014
"Monero" : { Private - Auditable - 100% Fungible - Flexible Blocksize - Wild & Free® - Intro - Wallets - Podcats - Roadmap - Dice - Blackjack - Github - Android }


Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016
Blocks must necessarily be full for the Bitcoin network to be able to pay for its own security.  davout 2015
Blocksize is an intentionally limited resource, like the 21e6 BTC limit.  Changing it degrades the surrounding economics, creating negative incentives.  Jeff Garzik 2013


"I believed @Dashpay instamine was a bug & not a feature but then read: https://bitcointalk.org/index.php?topic=421615.msg13017231#msg13017231
I'm not against people making money, but can't support questionable origins."
https://twitter.com/Tone_LLT/status/717822927908024320


The raison d'être of bitcoin is trustlessness. - Eric Lombrozo 2015
It is an Engineering Requirement that Bitcoin be “Above the Law”  Paul Sztorc 2015
Resiliency, not efficiency, is the paramount goal of decentralized, non-state sanctioned currency -Jon Matonis 2015

Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016

Technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months. - Phil Zimmerman 2013

The only way to make software secure, reliable, and fast is to make it small. Fight Features. - Andy Tanenbaum 2004

"Hard forks cannot be co
1481458042
Hero Member
*
Offline Offline

Posts: 1481458042

View Profile Personal Message (Offline)

Ignore
1481458042
Reply with quote  #2

1481458042
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481458042
Hero Member
*
Offline Offline

Posts: 1481458042

View Profile Personal Message (Offline)

Ignore
1481458042
Reply with quote  #2

1481458042
Report to moderator
1481458042
Hero Member
*
Offline Offline

Posts: 1481458042

View Profile Personal Message (Offline)

Ignore
1481458042
Reply with quote  #2

1481458042
Report to moderator
1481458042
Hero Member
*
Offline Offline

Posts: 1481458042

View Profile Personal Message (Offline)

Ignore
1481458042
Reply with quote  #2

1481458042
Report to moderator
iCEBREAKER
Legendary
*
Online Online

Activity: 1512


Crypto is the separation of Power and State.


View Profile WWW
June 20, 2011, 07:08:14 AM
 #22

It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.

and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems.

i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please.

The vulnerability at ClearCoin is ancient history, as announced upthread.

Despite this, you had to vent, with self-admitted petulance, in a rambling attack on rude libertarians and how kids today won't listen when you warn them to stay off your lawn and fix obsure web bugs.

For this, you were put in your place (not by me) and you responded by retreating into generalities about how "any criticism of the bitcoin protocol must be motivated by a brainwashing."

THIS IS WHERE THE CONVERSATION, AT YOUR BEHEST, STOPPED BEING SPECIFICALLY ABOUT CLEARCOIN AND THE TOPIC CHANGES TO A LESS LIMITED FOCUS ON HOW:


Quote

these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.

No problems ever manifested themselves at ClearCoin, and the problem that did manifest at MtGox was not the result of an SQL or XSRF attack.  Do try and keep up!

The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy.  David Chaum 1996
Fungibility provides privacy as a side effect.  Adam Back 2014
"Monero" : { Private - Auditable - 100% Fungible - Flexible Blocksize - Wild & Free® - Intro - Wallets - Podcats - Roadmap - Dice - Blackjack - Github - Android }


Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016
Blocks must necessarily be full for the Bitcoin network to be able to pay for its own security.  davout 2015
Blocksize is an intentionally limited resource, like the 21e6 BTC limit.  Changing it degrades the surrounding economics, creating negative incentives.  Jeff Garzik 2013


"I believed @Dashpay instamine was a bug & not a feature but then read: https://bitcointalk.org/index.php?topic=421615.msg13017231#msg13017231
I'm not against people making money, but can't support questionable origins."
https://twitter.com/Tone_LLT/status/717822927908024320


The raison d'être of bitcoin is trustlessness. - Eric Lombrozo 2015
It is an Engineering Requirement that Bitcoin be “Above the Law”  Paul Sztorc 2015
Resiliency, not efficiency, is the paramount goal of decentralized, non-state sanctioned currency -Jon Matonis 2015

Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016

Technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months. - Phil Zimmerman 2013

The only way to make software secure, reliable, and fast is to make it small. Fight Features. - Andy Tanenbaum 2004

"Hard forks cannot be co
hugolp
Hero Member
*****
Offline Offline

Activity: 742



View Profile
June 20, 2011, 07:20:02 AM
 #23

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector.

MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof.
iCEBREAKER
Legendary
*
Online Online

Activity: 1512


Crypto is the separation of Power and State.


View Profile WWW
June 20, 2011, 07:31:35 AM
 #24

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector.

MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof.

The staff at MtGox is a primary source.  As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth.  Unless you have some evidence that would damage their credibility, of course.

Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses.

The simplest explanation is the best.  And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits.

Time will tell.  Time, and a couple boatloads of lawyers.

The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy.  David Chaum 1996
Fungibility provides privacy as a side effect.  Adam Back 2014
"Monero" : { Private - Auditable - 100% Fungible - Flexible Blocksize - Wild & Free® - Intro - Wallets - Podcats - Roadmap - Dice - Blackjack - Github - Android }


Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016
Blocks must necessarily be full for the Bitcoin network to be able to pay for its own security.  davout 2015
Blocksize is an intentionally limited resource, like the 21e6 BTC limit.  Changing it degrades the surrounding economics, creating negative incentives.  Jeff Garzik 2013


"I believed @Dashpay instamine was a bug & not a feature but then read: https://bitcointalk.org/index.php?topic=421615.msg13017231#msg13017231
I'm not against people making money, but can't support questionable origins."
https://twitter.com/Tone_LLT/status/717822927908024320


The raison d'être of bitcoin is trustlessness. - Eric Lombrozo 2015
It is an Engineering Requirement that Bitcoin be “Above the Law”  Paul Sztorc 2015
Resiliency, not efficiency, is the paramount goal of decentralized, non-state sanctioned currency -Jon Matonis 2015

Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016

Technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months. - Phil Zimmerman 2013

The only way to make software secure, reliable, and fast is to make it small. Fight Features. - Andy Tanenbaum 2004

"Hard forks cannot be co
unk
Member
**
Offline Offline

Activity: 84


View Profile
June 20, 2011, 08:02:29 AM
 #25

For this, you were put in your place (not by me) and you responded by retreating into generalities

are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me?

the problems with cross-site request forgeries clearcoin and other websites weren't 'ancient history'. they were reported this week and brought the sites down for maintenance, all the while exposing potentially significant systems vulnerabilities that could have easily been addressed months ago if people had listened. whether or not significant damage in fact resulted isn't for me to say, as i don't run any of these sites. i was pointing out a complacency that is all too common in the bitcoin community.

if you intend to critique what i'm saying, please read the conversation and what i in fact said. you seem to have misunderstood the flow of the conversation and my intent in it, and that is not a problem i usually have except when people don't pay close enough attention and assume i'm saying things that i'm not. if you don't like that i criticised the strident teenage libertarians who are so prominent in these forums, you could have responded to that, rather than attributing positions to me that aren't mine.

this is very tiresome, though, so i'm done in this thread. for the record, however, others should not believe what you say about my own positions, as you've either childishly or negligently mischaracterised me every step of the way.
iCEBREAKER
Legendary
*
Online Online

Activity: 1512


Crypto is the separation of Power and State.


View Profile WWW
June 20, 2011, 08:17:39 AM
 #26

For this, you were put in your place (not by me) and you responded by retreating into generalities

are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me?

Nope.  I triple-checked and bitcoin2cash is definitely talking to you, about your problematic slurs against libertarians, here:

this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from a more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.

I take offense to lumping all of us libertarians together as if we are the problem. ... Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency.

Oh no, not a DISTINCT recollection!  Zomg, that's the worst kind of recollection of all!!1!

You *did* apologize in advance and libertarians can be prickly too, so.... Let's just be friends!  Kiss

The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy.  David Chaum 1996
Fungibility provides privacy as a side effect.  Adam Back 2014
"Monero" : { Private - Auditable - 100% Fungible - Flexible Blocksize - Wild & Free® - Intro - Wallets - Podcats - Roadmap - Dice - Blackjack - Github - Android }


Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016
Blocks must necessarily be full for the Bitcoin network to be able to pay for its own security.  davout 2015
Blocksize is an intentionally limited resource, like the 21e6 BTC limit.  Changing it degrades the surrounding economics, creating negative incentives.  Jeff Garzik 2013


"I believed @Dashpay instamine was a bug & not a feature but then read: https://bitcointalk.org/index.php?topic=421615.msg13017231#msg13017231
I'm not against people making money, but can't support questionable origins."
https://twitter.com/Tone_LLT/status/717822927908024320


The raison d'être of bitcoin is trustlessness. - Eric Lombrozo 2015
It is an Engineering Requirement that Bitcoin be “Above the Law”  Paul Sztorc 2015
Resiliency, not efficiency, is the paramount goal of decentralized, non-state sanctioned currency -Jon Matonis 2015

Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016

Technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months. - Phil Zimmerman 2013

The only way to make software secure, reliable, and fast is to make it small. Fight Features. - Andy Tanenbaum 2004

"Hard forks cannot be co
mouse
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 20, 2011, 08:18:30 AM
 #27

The staff at MtGox is a primary source.  As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth.  Unless you have some evidence that would damage their credibility, of course.

Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses.

The simplest explanation is the best.  And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits.

I would have to say that the CSRF issue was enough evidence to to question their (security) credibility. Further, the have a clear conflict of interest in reporting the events, since they have a lot to lose.

I'm not saying that they are actually lying, they're probably not, but to assume that they MUST be telling the truth, or that they are to be the most trusted source of it, is clearly silly. Human nature my friend.

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction.
Bind
Sr. Member
****
Offline Offline

Activity: 252

DO NOT ACCEPT PAYPAL FOR BTC YOU WILL GET BURNED


View Profile
June 20, 2011, 09:06:03 AM
 #28

Public Disclosure of Vulnerabilities are important.

The positives by far outweigh the negatives, because all negatives are self-serving for the programmers and companies behind any product or service (eg- liability).

The positives are:
  • accountability
  • transparency
  • consumer protection
  • forces fast reaction to the threats by the developers
  • adds legitimacy to the product/service
  • adds positive public perception
  • lets the consumer know there is a problem so they can react accordingly - like protecting their own customers if they rely on the product/service and advising them accordingly, which decreased their own potential liability
  • lets the consumer know the maker is not a trusted serious resource provider if they do not fix them efficiently and effectively (lets face it some programmers should not be programming with their limited skillsets)
  • lets the consumer know how serious and professional the maker is by the speed and quality of the fix

which all the above by far outweigh the only negative, which:
  • places liability and negative publicity on those responsible for the vulerabilities.

The latter of which is why most do not want public disclosures, as exemplified by Gavins response to this public disclosure posted over at sourceforge:, "Some of us take private disclosures of vulnerabilities very seriously".

Sorry, but public disclosures and the rammifications of problems you created with your products and services are the cost of doing business, and you should be liable since you created it in the first place and placed it out there in the market as a solution to a consumers needs.

Eat it up, do it right the first time, do better research and product/service testing before releasing it, or get out of the business.

nothing personal.

"... He is no fool who parts with that which he cannot keep, when he is sure to be recompensed with that which he cannot lose ..."

"... history disseminated to the masses is written by those who win battles and wars and murder their heroes ..."


1Dr3ig3EoBnPWq8JZrRTi8Hfp53Kj
NghtRppr
Sr. Member
****
Offline Offline

Activity: 476


View Profile
June 20, 2011, 01:05:59 PM
 #29

as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems

If I remember correctly, the user in question didn't point out anything specifically. He just said a bunch of websites were exploitable. He didn't give any details of how to exploit them and he was treated with an understandable level of skepticism. The fact that some ClearCoin vulnerability was recently disclosed still doesn't vindicate him since he could have been full of it and this is just a coincidence. It's his fault for not disclosing some kind of evidence. Talk is cheap. Anyone can say that a website is exploitable. It's a different matter to actually prove it. So, all your finger wagging isn't actually warranted.
n0m4d
Member
**
Offline Offline

Activity: 68


View Profile
June 20, 2011, 02:57:44 PM
 #30

Speaking as and for all Libertarians, I would just like to say that recently we have started wearing deodorant around non-Libertarians, and that any you've met that haven't - please have them check their email.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!