Bitcoin Forum
Author Topic: [Full Disclosure] Live mtgox.com trade matching bug.  (Read 14520 times)
trentzb | Sr. Member | Activity: 406
June 28, 2011, 04:35:42 AM  #21

@jrmithdobbs

Did you notify MT about this issue prior to disclosure? Ahh, I just caught your reply.

I don't have a strong infosec background so please excuse my naivety, can I ask, do you typically notify targets of vulns prior to public release or do you do both simultaneously or ??

I don't intend to start a debate of the pros/cons, just trying to get some info for when you probe my service. :)
psyborgue | Newbie | Activity: 28
June 28, 2011, 04:37:01 AM  #22

Happy,

Please don't repeat the OP's false insinuation that he somehow found an exploit. It's a display bug. Nothing more, and drawing such public (false) light to it serves no purpose but to make Mt. Gox and bitcoin look bad. Something the OP was seeking, I'd wager. Yes, there is a time for full disclosure, but it's only after private channels have failed to fix the issue.

Donate to Thank Me:
1DTwRpHQPsmBfxG4EWEq3NYH8e9rAq5io7
jrmithdobbs | Jr. Member | Activity: 59
June 28, 2011, 04:39:54 AM  #23

Quote
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing?

Quote
You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder

Maybe YOU don't. Plenty of people do.

Quote
There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).

Not my problem. If you're so worried about this particular scenario maybe you should be lobbying the bitcoin vendors you use to open their systems or publicly disclose results of code/security audits, etc.

Quote
I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox.

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
wumpus | Hero Member | Activity: 798 | No Maps for These Territories
June 28, 2011, 04:46:18 AM  #24

Quote
A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
Are you sure about that? I've followed it a bit, and from what I read the security issues were solved pretty fast. Sometimes even before people could report them.

The only thing that was AFAIK grossly mishandled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

Anyway whatever the real story is, I don't agree that gives you a reason to nail him to the pillory for every little issue you find after this.

Oh noo! a misspelled word in the interface! ... full disclosure!

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?


Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File > Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
psyborgue | Newbie | Activity: 28
June 28, 2011, 04:51:16 AM  #25

Quote
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing

Fool. You see no further than the immediate. LulzSec did nothing more than create an excuse for the authorities to try and clamp down on the Internet and/or bitcoin (how they were seen to be funded). For an added bonus, they mixed in immigration and drug issues into their troll. Now the average Joe will welcome the "protection" of our brand new, locked down, internet -- free from the dangers inherent to anonymity. Technology may not exist now, or ever, but they, and the momentum they have created, will certainly create the demand.

Similarly, your actions reflect on bitcoin itself in the public eye, and you don't seem to care.  I wonder why.

Donate to Thank Me:
1DTwRpHQPsmBfxG4EWEq3NYH8e9rAq5io7
ruhvix | Newbie | Activity: 18
June 28, 2011, 04:56:55 AM  #26

Thank you to Mr. jrmithdobbs for reporting the issue and to MagicalTux for responding to it so quickly (especially given all the other urgent MtGox stuff MagicalTux must be dealing with).

This confirms that MtGox is absolutely committed to an extremely high level of security. Bitcoin is fortunate to have experts like jrmithdobbs helping the community defend against threats to our financial safety.

Muchas gracias to you both!
jrmithdobbs | Jr. Member | Activity: 59
June 28, 2011, 04:58:49 AM  #27

Quote
The only thing that was AFAIK grossly mis-handled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

He also ignored attempts to report the nasty CSRF, that came to light right before that all went down, for about a week. But, I digress.

I have no plans to "nail him to the wall" for every mistake. In fact, I will probably not be looking at mtgox at all after the next 72 hours.

And to clear things up, this is a little more than just a display bug. This is also the cause of the weirdness people have been reporting about it dropping from 17->15 etc without executing orders in-between.

Quote
Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

It is a trade matching bug. Trades are not revalidated on withdrawal/deposit to the account. I never claimed it was an exploit. "Exploiting" in the original text is the normal English use of the word, not the info-sec use. So no, I will not change the title.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
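A toy model of the failure jrmithdobbs describes in post #27 (open orders are not re-validated against the account when the funds behind them are withdrawn, so the displayed best price and the price at which buys actually execute drift apart), added here as an illustration. It is not Mt. Gox code and is not taken from the thread; the account names, prices, the single-sided (asks only) book and the "skip an unfunded ask" matching rule are all constructed assumptions. The same class is run once with the weak withdrawal check and once with the hardened one, so the two behaviours can be compared directly.

```python
"""Toy matching engine showing why open orders must be re-validated when
an account's balance changes. Constructed example; not exchange code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Order:
    order_id: int
    account: str
    price: float   # USD per BTC
    amount: float  # BTC offered for sale (asks only, to keep the model small)


class Exchange:
    def __init__(self, revalidate_on_withdraw: bool) -> None:
        self.revalidate_on_withdraw = revalidate_on_withdraw
        self.btc: Dict[str, float] = {}   # on-account BTC balance per user
        self.asks: List[Order] = []       # open sell orders, unsorted
        self._next_id = 1

    def deposit(self, account: str, amount: float) -> None:
        self.btc[account] = self.btc.get(account, 0.0) + amount

    def reserved(self, account: str) -> float:
        """BTC committed to this account's open asks."""
        return sum(o.amount for o in self.asks if o.account == account)

    def place_ask(self, account: str, price: float, amount: float) -> int:
        # Balance is checked at placement time only (in both variants).
        if self.btc.get(account, 0.0) - self.reserved(account) < amount:
            raise ValueError("insufficient BTC to place ask")
        oid = self._next_id
        self._next_id += 1
        self.asks.append(Order(oid, account, price, amount))
        return oid

    def withdraw(self, account: str, amount: float) -> bool:
        available = self.btc.get(account, 0.0)
        if self.revalidate_on_withdraw:
            # Hardened variant: funds backing open orders are not withdrawable.
            available -= self.reserved(account)
        if amount > available:
            return False
        self.btc[account] -= amount
        return True

    def displayed_best_ask(self) -> Optional[float]:
        """What a ticker shows: the lowest ask in the book, funded or not."""
        return min((o.price for o in self.asks), default=None)

    def market_buy(self, amount: float) -> List[float]:
        """Fill a market buy against the book, lowest price first.

        An ask whose seller no longer holds the BTC cannot settle, so it is
        skipped but left in the book (assumed rule). That is what makes the
        executed price jump past the displayed one without any fill in between.
        """
        fills: List[float] = []
        remaining = amount
        for ask in sorted(self.asks, key=lambda o: o.price):
            if remaining <= 0:
                break
            if self.btc.get(ask.account, 0.0) < ask.amount:
                continue  # phantom order: unfunded since the withdrawal
            qty = min(ask.amount, remaining)
            self.btc[ask.account] -= qty
            ask.amount -= qty
            remaining -= qty
            fills.append(ask.price)
        self.asks = [o for o in self.asks if o.amount > 0]
        return fills


def run_scenario(revalidate: bool) -> dict:
    """alice's ask at 15 is the best price shown; she then withdraws the BTC
    behind it. Returns what was shown versus what a 1 BTC buy actually paid."""
    ex = Exchange(revalidate_on_withdraw=revalidate)
    ex.deposit("alice", 1.0)
    ex.deposit("bob", 1.0)
    ex.place_ask("alice", 15.0, 1.0)
    ex.place_ask("bob", 17.0, 1.0)
    withdrawn = ex.withdraw("alice", 1.0)
    shown = ex.displayed_best_ask()
    fills = ex.market_buy(1.0)
    return {"withdrawn": withdrawn, "displayed_best_ask": shown, "fills": fills}


if __name__ == "__main__":
    print("weak    :", run_scenario(revalidate=False))
    print("hardened:", run_scenario(revalidate=True))
```

With the weak check the withdrawal succeeds, the book still advertises 15 as the best ask, and the buy fills at 17; with the hardened check the withdrawal is refused because the BTC is reserved by an open order, so the displayed and executed prices agree. A real engine would additionally cancel or re-check orders on every balance-changing event (deposits, fills, fees), not only on withdrawal.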
DrYe5 | Member | Activity: 112
June 28, 2011, 05:15:05 AM  #28

Thanks to OP for info. Mt. Gox should have already addressed the price spikes.

Also good to know this is the only bug.

tips: 14Z1Bwa8bgEWphjD2qqaXMTY9ucutwuTw8
BitterTea | Sr. Member | Activity: 294
June 28, 2011, 05:26:18 AM  #29

Quote
Also good to know this is the only bug.

How do you infer this from the available information?
mizerydearia | Hero Member | Activity: 574
June 28, 2011, 06:05:40 AM  #30

jrmithdobbs,

Quote
You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.

I'm confused.

http://en.wikipedia.org/wiki/Zero-day_attack

Quote
A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer, also called zero-day vulnerabilities.

[You] never release 0-day exploits without notifying original coder?  Seems like 0-day, by definition means you always release 0-day exploits without notifying original coder, otherwise it is not a 0-day exploit.


Quote
Also good to know this is the only bug.

How do you infer this from the available information?

Maybe this?
Quote
At the very least this could be used to influence market conditions if it is only a display bug.
mizerydearia | Hero Member | Activity: 574
June 28, 2011, 06:10:09 AM  #31

appended to previous post

Mods: Delete this obnoxious (due to size) and useless post
DrYe5 | Member | Activity: 112
June 28, 2011, 06:13:47 AM  #32

Quote
Also good to know this is the only bug.

How do you infer this from the available information?

One cannot. It underlines the fact that more bugs are extremely likely.

tips: 14Z1Bwa8bgEWphjD2qqaXMTY9ucutwuTw8
kloinko1n | Full Member | Activity: 177
June 28, 2011, 06:20:21 AM  #33

I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to take the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.
Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure
DrYe5 | Member | Activity: 112
June 28, 2011, 06:24:39 AM  #34

Quote
I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to take the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.
Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure

Awww man... that disclosure got goxed.

tips: 14Z1Bwa8bgEWphjD2qqaXMTY9ucutwuTw8
kloinko1n | Full Member | Activity: 177
June 28, 2011, 06:25:40 AM  #35

Quote
A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
Ah! So there's your grief!
MeSarah | Full Member | Activity: 154
June 28, 2011, 06:49:28 AM  #36

MT and MtGox have been given every opportunity to fix their system. Even after being told there were major exploits MT took his time to fix the exploits until the shit hit the fan. It is clear to me that MT is an egotistical programmer. He programs large blocks of code and does insufficient testing, leaving the community of users to suffer the consequences. MtGox no longer deserves the privilege of keeping bugs and security flaws private.

Every bug or security flaw found at MtGox should be disclosed publicly, cutting MT out of the loop. If MT didn't know about the flaw then it's his fault for not properly testing his system. It's time to leave MtGox for good. Let MtGox wither in their own mismanagement.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

If you continue to use a known flawed system then it's you who deserves what you get. If you drive a car that is always overheating and the motor burns up, well then you got what you deserved. You knew of the problem but you kept using the car.

Protect yourself and leave MtGox now!

Tasty Champa | Member | Activity: 84
June 28, 2011, 07:08:03 AM  #37

Quote
MT and MtGox have been given every opportunity to fix their system. Even after being told there were major exploits MT took his time to fix the exploits until the shit hit the fan. It is clear to me that MT is an egotistical programmer. He programs large blocks of code and does insufficient testing, leaving the community of users to suffer the consequences. MtGox no longer deserves the privilege of keeping bugs and security flaws private.

Every bug or security flaw found at MtGox should be disclosed publicly, cutting MT out of the loop. If MT didn't know about the flaw then it's his fault for not properly testing his system. It's time to leave MtGox for good. Let MtGox wither in their own mismanagement.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

If you continue to use a known flawed system then it's you who deserves what you get. If you drive a car that is always overheating and the motor burns up, well then you got what you deserved. You knew of the problem but you kept using the car.

Protect yourself and leave MtGox now!

HAHAHAHAH
My Gox what have done Bipolar internetz!
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it. O.O /hides
MeSarah | Full Member | Activity: 154
June 28, 2011, 07:30:46 AM  #38

Quote
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it.

Could you be any more offensive? I guess that's just your social mores. We know where you stand on gender equality.

Tasty Champa | Member | Activity: 84
June 28, 2011, 07:37:38 AM  #39

Quote
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it.

Could you be any more offensive? I guess that's just your social mores. We know where you stand on gender equality.

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints is the key motivator for war.
You are authoritarian.
MeSarah | Full Member | Activity: 154
June 28, 2011, 07:48:36 AM  #40

Quote
Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints is the key motivator for war.
You are authoritarian.

Another non sequitur.
