[Full Disclosure] Live mtgox.com trade matching bug.

[Tasty Champa]

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints, is the key motivator for war.
You are authoritarian.

Another non sequitur.

In reference to your own or do you have comprehension issues?

[1714118132]

1714118132

[1714118132]

1714118132

[1714118132]

1714118132

[1714118132]

1714118132

[davout]

Please leave possible exploits away from the public.
In other words, keep it private.
Work with them behind closed doors.

Definitely no.

Doesn't mean you shouldn't give the code owner a couple of hours to fix it and advertise the deadline.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

You can only be sure if the source is open

[Tasty Champa]

Where are the full disclosure and exploits for this forum?

I'm assuming everyone is behind i2p, swarm and/or the onion router, reading this through lynx/links correct?

shouldn't everyone know what you trannys are up to?

[davout]

I'm assuming everyone is behind i2p, swarm and/or the onion router, reading this through lynx/links correct?

There is discrepancy between your imagination and reality.

[bitbot]

MagicalTux is really taking all problems seriously, and has been working almost 24 hours per day last week to resolve issues while being bombarded with crap from all sides.

I can honestly say that man has not been working anywhere near 24 hours per week but the last part is true.

[jrmithdobbs]

He programs large blocks of code and does insufficient testing leaving the community of users to suffer the consequences. MtGox nolonger deserves the privilege of keeping bugs and security flaws private.

He also has (by his own admission) written his own in house mysql DAO code instead of using a public, well vetted one. He say it doesn't use bind values. He doesn't understand why this is bad.:

(This is edited to leave irrelevant pieces out, please feel free to verify with anyone else logging #mtgox.)

[17:57:31] <MagicalTux> dehuman: we had been working on security, I can guarantee there is no SQLi right now
[17:57:45] <go1dfish> MagicalTux: how can you say so with confidence?
[17:57:51] <go1dfish> are you using parameterized queries?
[17:58:01] <go1dfish> everywhere
[17:58:07] <MagicalTux> go1dfish: because I know each and every line of the code, and we mostly use either DAO
[17:59:21] <MagicalTux> just make good code and things are fine
[17:59:49] <dehuman>  @MagicalTu : just make good code and things are fine
[17:59:58] <dehuman> thats kinda a slap in the face dont you think?
[18:00:08] <MagicalTux> dehuman: healthy code is important for a healthy security & business
[18:00:46] <MagicalTux> we've been busy for 2 months rewriting Mt.Gox
[18:00:49] <dehuman> you exposed 60,000 client's information
[18:01:02] <dehuman> i wouldn't talk about healthy code, healthy security, healthy business
[18:01:06] <dehuman> not yet
[18:01:08] <MagicalTux> dehuman: new code is healthy
[18:01:10] <dehuman> quite a bit premature for that
[18:01:30] <go1dfish> MagicalTux: looks like DAO doesn't protect against SQLi by default
[18:01:36] <go1dfish> your using bound parameters everywhere?
[18:02:23] <MagicalTux> go1dfish: DAO makes SQLi impossible, since queries are not built by the dev
[18:02:36] <MagicalTux> go1dfish: now it just depends how you do that
[18:03:18] <go1dfish> good show, you shouldn't be writing sql by hand for mt gox
[18:03:42] <MagicalTux> go1dfish: \DB::DAO('Table')->insert(array('Field' => $value));
[18:04:36] <go1dfish> MagicalTux: cool, yeah that should be pretty resiliant against injection assuming the underling DAO implementation is sane
[18:05:02] <MagicalTux> go1dfish: the DAO implementation was written by us, and makes sure everything is escaped correctly, including table & field names
[18:05:15] <Ox41> you wrote your own DAO?
[18:05:20] <Ox41> why the hell would you want to do that?
[18:05:25] <dehuman> so does this mean previously mtgox didn't use any type of DAO pattern?
[18:05:27] <Ox41> I mean, im no EXPERT...
[18:05:34] <go1dfish> Ox41: I'm hoping thats a misunderstanding
[18:05:39] <dehuman> 'dont reinvent the wheel'
[18:05:41] <Ox41> go1dfish: I doubt it is
[18:05:47] <MagicalTux> Ox41: it's part of our framework

Just sayin'.

Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure

They are two separate but related concepts. I subscribe to the former and deem the latter unnecessary in cases such as these where the company in question has a track record like mtgox.

[psyborgue]

Well.  I hope OP is happy he got what he wanted:

http://www.thinq.co.uk/2011/6/28/mt-gox-flaw-opens-door-free-bitcoins/

They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

[ius]

They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

You can't blame him for 'journalists' writing about matter they have little to no knowledge about.

[Dirt Rider]

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

I was there the other day - allows logins via http!

p.s.  This OP was very much a dick move.  Either a fool or someone intent on causing as much trouble for the Bitcoin community would create such a post without at least giving the site operator a little time to address the issue.

[psyborgue]

They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

You can't blame him for 'journalists' writing about matter they have little to no knowledge about.

Oh I very much CAN blame him, as he started the false implication.  The journalist was merely repeating (accurately) what he read in the OP.

[julz]

I don't even understand why it's a bug. (unless it affects the current price calculations)

I've put in buy orders without the USD to cover it - based on the assumption that the buy would only occur if my sell orders had executed to provide the funds.
It's a feature!

[Shinobi]

How are you blaming the OP? The OP is trying to make trading safer and more accurate. MT has shown that he doesn't do anything unless his hand is forced.

[jrmithdobbs]

They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

Read the comments on that article. I posted a gpg signed comment (that got mangled by their crappy site) calling the author out for irresponsible journalism. Before you even posted this. He made no attempt to contact me and only a cursory attempt to contact tux so that he could add a derisive comment in his "article."

Crappy journalist is crappy. Surprise, surprise.

[Dirt Rider]

If the original poster can't adjust the original post such that it stops implying there is some exploit, an admin should remove the post all together. 

Are we really sure this isn't a feature?

[andes]

Although I dont share the timing of the OP disclosure, I would rather encourage total (and sometimes brutal) honesty in our comunity, rather than half truths and compromises.

Our world is mess right now because of too much double standards, compromises, and falsehood (environmentaly, socially, politically), not because of too much honesty.

Once you start to compromise on truth and openness, you will never know exactly where to draw the line between what is a right compromise, and what is a wrong one. The OP may not know how to compromise on honesty, but I would rather prefer to have people like him in our comunity, than not having them. They are the fresh air on opennes our society needs.

[bitsnbytes]

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

Yes, it is all our fault:

Today 16:51 GMT on #mtgox
<molecular> anyone know what that weird spike around 18:00 is? looks erroneous to me, no? it went up to 17.52 apparently, but my order at 17.25 did not get filled.
<MagicalTux> molecular: it's the closing of a bug, some orders were blocked and are now freed

It is because we let such people have our money!

[Dirt Rider]

I don't think anyone is suggesting anything but truth and honesty and disclosure, but when someone doesn't even give the site admin a chance to correct a potential problem (good thing this wasn't actually a serious exploit), they are just being irresponsible towards the users of the site in question and the community as a whole.  I for one hope that when/if someone does discover some potentially damaging exploit that they won't put us all at risk by instantly sharing it with everyone, including those who will jump at an opportunity to take advantage, at least until site admin has had an opportunity to take action.

[jrmithdobbs]

I for one hope that when/if someone does discover some potentially damaging exploit that they won't put us all at risk by instantly sharing it with everyone, including those who will jump at an opportunity to take advantage, at least until site admin has had an opportunity to take action.

If you're so worried feel free to stop using the services provided by companies with horrible security records or, as previously stated, petition said service providers to open their code and/or make public the results of 3rd party code/security audits.

To everyone sending me hate-filled PMs:

I don't care. See the above.

Additionally:

It is not my responsibility to enforce responsible journalism. If the blog d'jour is posting ill-informed "articles" about your pet bitcoin project, petition them to hold themselves to a higher standard of journalism.

I thought this forum was full of lolbertarians who believe in "absolutely free market capitalism?" Vote with your feet and your wallet.

Oh wait, I get it, your idealistic "free market" concepts only apply when they work in your favor. Brilliant!

[BTC Economist]

I applaud the OP.  The idiots who still trust in Mt Gox deserve to get defrauded in every way possible.  I'd recommend informing hacker forums every time you find an exploit in that shithole of a business.

[Dirt Rider]

If you're so worried feel free to stop using the services provided by companies with horrible security records or, as previously stated, petition said service providers to open their code and/or make public the results of 3rd party code/security audits.

So what alternative services would you recommend, that are guarenteed to be perfect?