Bitcoin Forum
Author Topic: Security bounties  (Read 166578 times)
theymos (OP)
October 12, 2013, 05:09:00 PM
Last edit: April 12, 2021, 05:05:15 PM by theymos
#1

Bitcointalk.org offers large security bounties. See: https://bitcointalk.org/sbounties.php

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
dree12
October 13, 2013, 11:57:21 PM
#2

Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
theymos (OP)
October 14, 2013, 12:12:21 AM
#3

Quote from: dree12 on October 13, 2013, 11:57:21 PM
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.

I prefer not to denominate values in any single country's currency here, but BTC is too unstable. XAU is pretty stable.

🏰 TradeFortress 🏰
October 14, 2013, 01:28:55 AM
#4

Quote
I know the main vulnerability: it is that you are unprofessional in operating the system and you are too cheap to do things right.

I already explained to you that you need to start by using a reverse proxy service such as Cloudflare. They have settings that will stop some exploits before they ever reach the server and they have custom settings to block various exploits. $200/month.

The next thing you need to do is take some training so you know what to ask. For instance, you confuse "vulnerability" and "exploit" and you use them interchangeably when they are not. A "vulnerability" is a configuration on your server that can be exploited. An exploit is something that is done to attack a vulnerability. A vulnerability can have many exploits. Try an Ethical Hacking class and getting a CISSP certification.

In other words, give Cloudflare the ability to MITM. Reverse proxy services should be seen as a last resort, and all Cloudflare's WAF will do is stop basic SQL injection, XSS, etc.
theymos (OP)
October 14, 2013, 02:15:23 AM
#5

Quote
I know the main vulnerability: it is that you are unprofessional in operating the system and you are too cheap to do things right.

This is probably the highest security bounty of any forum. It's only a little less than Google's security bounties. After this attack, the forum spent over 100 BTC on security-related stuff. Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Contrary to common belief, there is no magic wishing well into which you can throw money and instantly get good results. Often, it's better not to spend money, especially when growth is not the forum's main goal. You always seem to want me to spend thousands of bitcoins as quickly as possible. This would be a great way for the forum to lose a lot of its money without gaining much value in return.

If you don't like how I spend the forum's money, you can:
- Use reasonable arguments (not just trollish demands/complaints) to try and convince me; or
- Create your own organization, generate 6000+ BTC (mostly not from donations), and try some alternative strategy.

Quote
I already explained to you that you need to start by using a reverse proxy service such as Cloudflare. They have settings that will stop some exploits before they ever reach the server and they have custom settings to block various exploits. $200/month.

No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped. Same for any automatic exploit detection based on patterns. Unless DoS attacks get really bad, I won't be willing to give up control of the forum's HTTPS keys.

theymos (OP)
October 14, 2013, 12:55:42 PM
#6

Quote
BTW - How come it is alright that Geotrust has the key? These Geotrust RapidSSL certs are about $10/year. They don't have access to the traffic like Cloudflare would, but still. I assume that is all you can get since the true owners are not in the whois records and a legitimate SSL cert would never have been issued, since one of the purposes is to verify the ownership of the web site.

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.

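The point above, that a CA cannot decrypt traffic but a user who pays attention can notice a certificate change, is what trust-on-first-use pinning automates. The script below is an added example, not code from the forum or from anyone in this thread; the pin file path, the host name and the byte strings are constructed stand-ins, and fetch_leaf_der needs network access so it is not called by default.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Pins are kept in a small JSON file; the path is an assumption for this example.
PIN_STORE = Path("cert_pins.json")


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as a hex string."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_pin(host: str, der_bytes: bytes, store: dict) -> str:
    """Trust-on-first-use: first sight records the pin ("pinned"); later sights
    return "match" or "CHANGED". On a change the old pin is kept so the operator
    can decide whether it was a legitimate renewal or a substituted certificate."""
    fingerprint = cert_fingerprint(der_bytes)
    known = store.get(host)
    if known is None:
        store[host] = fingerprint
        return "pinned"
    return "match" if known == fingerprint else "CHANGED"


def load_store(path: Path = PIN_STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(store: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(store, indent=2))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the server presents (network required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demonstration with constructed stand-in "DER" blobs.
    store = {}
    print(check_pin("forum.example", b"constructed-cert-A", store))  # pinned
    print(check_pin("forum.example", b"constructed-cert-A", store))  # match
    print(check_pin("forum.example", b"constructed-cert-B", store))  # CHANGED
```

A real run would replace the stand-in blobs with `fetch_leaf_der(host)` and persist the dictionary with `save_store`, so that every later visit is compared against the first one seen.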
greyhawk
October 14, 2013, 02:09:12 PM
#7

Quote from: theymos on October 14, 2013, 02:15:23 AM
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.
Raize
October 15, 2013, 05:08:31 PM
#8

I see what this is about now. There was a buttcoin.org article making fun of Thermos for not using Cloudflare, so now you guys have to come up with reasons why it wasn't done.

You're overvaluing flippant criticism of the forum by folks that know no details surrounding the hack yet think throwing out buzzwords or the "latest tech terms" is the equivalent of Maslow's hammer. Cloudflare's anti-hacking filters would have done nothing to protect from this. There were maybe one or two times in the past when using Cloudflare would have prevented previous DDoS attacks, but that's about it. BarbarianBob identified a specific weakness and came up with a novel way to exploit it. There isn't some automated tool to prevent this.

Quote
then a self-signed certificate where the warning box pops up is the way to go.

If it's self-signed then you're completely subjected to a MitM attack. You could install the certificate manually, but you'd still have to first get it through a trustable transfer mechanism. This is almost too silly a recommendation to even comment on; I honestly can't tell if you are trolling or just so wrapped up in wanting to help that you're throwing out buzzwords as possible recommendations.

In order to help me determine your purpose, maybe you can answer a question. What was the point of going through and replacing most of the text in your previous posts this year with ".."?
malevolent
October 16, 2013, 06:34:23 PM
#9

Quote
So does this mean that everybody can now freely try to crack your site without fear of being busted: "No, I was not hacking, I was just trying to gain the bounty!"?

So? So long as they don't exploit the vulnerabilities they find in a way that could harm the forum or its users, I think theymos will be happy to make the forums more secure.

It is also in their interest to eliminate or minimize the impact of their exploitation of the site, because if it causes "substantial disruptions" the reward they will get will be considerably smaller.

I don't think I'll find anything but I'll try my luck in 4-5 weeks when I should have a lot more time than now.

@theymos

I mentioned it on IRC when the site was down and I know it can be a problem for you, but if you find some time in the near future, please consider releasing the full code and configuration that's behind bitcointalk.org with the sensitive information removed.

edit: hopefully SMF would give their consent to this
http://www.simplemachines.org/about/smf/license.php

DobZombie
October 17, 2013, 08:33:09 AM
#10

Quote from: theymos on October 14, 2013, 02:15:23 AM
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Quote from: greyhawk on October 14, 2013, 02:09:12 PM
Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

You got lucky.

I think word will get out and you'll have hackers everywhere looking for exploits. Security holes will get plugged faster than wet cement slipping through pantyhose.

Your effort to improve the forum (although a little late) is appreciated.
error
October 18, 2013, 02:10:05 AM
#11

Quote from: theymos on October 14, 2013, 02:15:23 AM
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Quote from: greyhawk on October 14, 2013, 02:09:12 PM
Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

I was paid for this by July 10, 2012, and the price of Bitcoin at the end of that day was $7.20. That day, gold closed at $1587.30. This makes this, at the time, about 0.181 ounces of gold.

Though, it all went to Mt. Gox at about $12/BTC... Oh, hindsight.

dree12
October 27, 2013, 03:32:01 PM
#12

Quote
But you are aware about the SOL-Injection vulnerability that is still wide open?

The fact that you confuse O and Q is not helping your case. These two letters aren't even close to each other on the keyboard.
greyhawk
October 31, 2013, 08:37:07 AM
#13

Quote
But you are aware about the SOL-Injection vulnerability that is still wide open?

Quote from: dree12 on October 27, 2013, 03:32:01 PM
The fact that you confuse O and Q is not helping your case. These two letters aren't even close to each other on the keyboard.

They are in fact right next to each other. On a Dvorak keyboard.
dree12
November 10, 2013, 04:43:42 AM
#14

If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?
theymos (OP)
November 10, 2013, 05:41:06 AM
#15

Quote from: dree12 on November 10, 2013, 04:43:42 AM
If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?

Just yours so far. (A CSRF.)

fligen
November 15, 2013, 03:46:15 PM
#16

good job using a password manager, theymos.

agent007
November 26, 2013, 09:49:51 PM
Last edit: December 03, 2013, 02:21:20 AM by Maged
#17

Quote from: fligen on November 15, 2013, 03:46:15 PM
good job using a password manager, theymos.

I agree with you.
Yazuki
December 04, 2013, 10:35:40 PM
#18

Just thought I would leave this here so that security researchers know that the bounty isn't only limited to bugs in SMF or the server:

Quote from: theymos on reddit
If you can cause serious damage to the forum with any sort of bug, and you responsibly disclose this bug, you will be given a lot of money.

BTW, I've contacted you about payment for the vulnerability I disclosed a few weeks back.
hostmaster
January 07, 2014, 12:27:19 PM
#19

If I were you I would pay someone to code a new forum from zero and then transfer everything; this way you would not have to worry and spend too much on flaws.
SaltySpitoon
January 12, 2014, 02:43:00 PM
#20

Quote from: hostmaster on January 07, 2014, 12:27:19 PM
If I were you I would pay someone to code a new forum from zero and then transfer everything; this way you would not have to worry and spend too much on flaws.

That is already in progress, however after the new forum is done, it will most likely be months before it goes public. Then we have to find all of the flaws in the new version, that we may have already found in the older version.