[Full Disclosure] ClearCoin CSRFs

[iCEBREAKER]

It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.

That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts.

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector.

[1714035413]

1714035413

[1714035413]

1714035413

[1714035413]

1714035413

[1714035413]

1714035413

[1714035413]

1714035413

[iCEBREAKER]

It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.

and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems.

i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please.

The vulnerability at ClearCoin is ancient history, as announced upthread.

Despite this, you had to vent, with self-admitted petulance, in a rambling attack on rude libertarians and how kids today won't listen when you warn them to stay off your lawn and fix obsure web bugs.

For this, you were put in your place (not by me) and you responded by retreating into generalities about how "any criticism of the bitcoin protocol must be motivated by a brainwashing."

THIS IS WHERE THE CONVERSATION, AT YOUR BEHEST, STOPPED BEING SPECIFICALLY ABOUT CLEARCOIN AND THE TOPIC CHANGES TO A LESS LIMITED FOCUS ON HOW:

these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.

No problems ever manifested themselves at ClearCoin, and the problem that did manifest at MtGox was not the result of an SQL or XSRF attack.  Do try and keep up!

[hugolp]

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector.

MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof.

[iCEBREAKER]

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

The security breakdown occurred because of penetration from a trusted third party (our financial auditor) and not because of any SQL or XSRF vector.

MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof.

The staff at MtGox is a primary source.  As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth.  Unless you have some evidence that would damage their credibility, of course.

Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses.

The simplest explanation is the best.  And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits.

Time will tell.  Time, and a couple boatloads of lawyers.

[unk]

For this, you were put in your place (not by me) and you responded by retreating into generalities

are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me?

the problems with cross-site request forgeries clearcoin and other websites weren't 'ancient history'. they were reported this week and brought the sites down for maintenance, all the while exposing potentially significant systems vulnerabilities that could have easily been addressed months ago if people had listened. whether or not significant damage in fact resulted isn't for me to say, as i don't run any of these sites. i was pointing out a complacency that is all too common in the bitcoin community.

if you intend to critique what i'm saying, please read the conversation and what i in fact said. you seem to have misunderstood the flow of the conversation and my intent in it, and that is not a problem i usually have except when people don't pay close enough attention and assume i'm saying things that i'm not. if you don't like that i criticised the strident teenage libertarians who are so prominent in these forums, you could have responded to that, rather than attributing positions to me that aren't mine.

this is very tiresome, though, so i'm done in this thread. for the record, however, others should not believe what you say about my own positions, as you've either childishly or negligently mischaracterised me every step of the way.

[iCEBREAKER]

For this, you were put in your place (not by me) and you responded by retreating into generalities

are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me?

Nope.  I triple-checked and bitcoin2cash is definitely talking to you, about your problematic slurs against libertarians, here:

this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from a more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.

I take offense to lumping all of us libertarians together as if we are the problem. ... Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency.

Oh no, not a DISTINCT recollection!  Zomg, that's the worst kind of recollection of all!!1!

You *did* apologize in advance and libertarians can be prickly too, so.... Let's just be friends! 

[mouse]

The staff at MtGox is a primary source.  As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth.  Unless you have some evidence that would damage their credibility, of course.

Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses.

The simplest explanation is the best.  And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits.

I would have to say that the CSRF issue was enough evidence to to question their (security) credibility. Further, the have a clear conflict of interest in reporting the events, since they have a lot to lose.

I'm not saying that they are actually lying, they're probably not, but to assume that they MUST be telling the truth, or that they are to be the most trusted source of it, is clearly silly. Human nature my friend.

[Bind]

Public Disclosure of Vulnerabilities are important.

The positives by far outweigh the negatives, because all negatives are self-serving for the programmers and companies behind any product or service (eg- liability).

The positives are:

• accountability
• transparency
• consumer protection
• forces fast reaction to the threats by the developers
• adds legitimacy to the product/service
• adds positive public perception
• lets the consumer know there is a problem so they can react accordingly - like protecting their own customers if they rely on the product/service and advising them accordingly, which decreased their own potential liability
• lets the consumer know the maker is not a trusted serious resource provider if they do not fix them efficiently and effectively (lets face it some programmers should not be programming with their limited skillsets)
• lets the consumer know how serious and professional the maker is by the speed and quality of the fix

which all the above by far outweigh the only negative, which:

• places liability and negative publicity on those responsible for the vulerabilities.

The latter of which is why most do not want public disclosures, as exemplified by Gavins response to this public disclosure posted over at sourceforge:, "Some of us take private disclosures of vulnerabilities very seriously".

Sorry, but public disclosures and the rammifications of problems you created with your products and services are the cost of doing business, and you should be liable since you created it in the first place and placed it out there in the market as a solution to a consumers needs.

Eat it up, do it right the first time, do better research and product/service testing before releasing it, or get out of the business.

nothing personal.

[NghtRppr]

as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems

If I remember correctly, the user in question didn't point out anything specifically. He just said a bunch of websites were exploitable. He didn't give any details of how to exploit them and he was treated with an understandable level of skepticism. The fact that some ClearCoin vulnerability was recently disclosed still doesn't vindicate him since he could have been full of it and this is just a coincidence. It's his fault for not disclosing some kind of evidence. Talk is cheap. Anyone can say that a website is exploitable. It's a different matter to actually prove it. So, all your finger wagging isn't actually warranted.

[n0m4d]

Speaking as and for all Libertarians, I would just like to say that recently we have started wearing deodorant around non-Libertarians, and that any you've met that haven't - please have them check their email.