Update: Very busy. Just meetings, meetings, meetings.
It is skycoin Chinese drama week. I am just going to wait it out.
Project Priorities: Right now the priorities are
- improve project management
- have a place where everything that needs to be done can be written down as a ticket so developers can find it
- get developers to implement the tickets
We now have a radical simplification of the consensus implementation and a simplification of the meshnet/vpn/darknet, and it is almost trivial. It should not be more than 2,000 lines for the core, but we need to make sure it gets implemented.
Finding good contractors and people to work on the project has been very time consuming.
Development: Right now
- wallet cross compilation was done months ago
- We need to get a gulp script working that dumps the angular js 2.0 example app into a "dist" directory we can serve from golang. This is amazingly frustrating.
- we need to port the skycoin webwallet to angular 2.0 eventually (not high priority)
- We are having meetings and trying to get the SKY/BTC exchange up as the next priority
- we figured out how to simplify consensus implementation
The meshnet/vpn/darknet has undergone radical simplification. It is very clear what is needed at this stage and it is almost a joke. I do not have an excuse for not finishing this or hiring someone to do it. I have a triangle of three components, which depend on the other two components and together it just works.
Security: I do not even want to talk about this, because it is too depressing.
There was ANOTHER glibc remote code execution vulnerability in the DNS resolver.
- you open up a website
- your connection gets hijacked and they insert a URL into the webpage
- your computer resolves the URL, triggering buffer overflow and remote code execution
- they have control of your computer
Bitcoin Core, Bitcoin XT and Bitcoin Unlimited used the version of glibc with the exploit.
Bitcoin Foundation (reference client) uses musl instead of glibc and was not affected by the exploit.
Many of the newly introduced Bitcoin forks appear to be attempts to intentionally accelerate adoption of Bitcoin clients with inferior security policies.
Also see:
- https://libreboot.org/faq/#amd
- https://libreboot.org/faq/#intel
- https://muchweb.me/systemd-nsa-attempt/
- Google Unveils Glibc DNS Client Vulnerability, Many Bitcoin Implementations Affected: http://qntra.net/2016/02/google-unveils-glibc-dns-client-vulnerability-many-bitcoin-implementations-affected/
- https://www.reddit.com/r/linux/comments/47s8a8/new_amd_microcode_vulnerability_from_unprivileged/ - ring0, AMD microcode
- The Memory Sinkhole: An x86 design flaw allowing ring -2 privilege escalation: https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole.pdf
- https://www.reddit.com/r/linux/comments/485jp9/openssl_cve20160799_heap_corruption_via_bio_printf/
- https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html - [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow
- The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9.
- Malformed private keys lead to heap corruption in OpenSSL’s b2i_PVK_bio: https://wartalker.me/a/56d62d1aeff2a2688884a075
There was also a recent RSA conference, where a speaker hinted at a backdoor of the microcode for the new Intel SHA256 acceleration function.
Almost every Bitcoin service is using PHP; I can say with 100% certainty they are going to have their coins stolen.
This is the backdoor in torcoin and lucky coin that allowed Cryptsy to be hacked.
- https://github.com/alerj78/lucky7coin/issues/1
There are other security vulnerabilities I do not want to talk about.
Now, the exploits are being directly added to the operating system as "features". Computers are being force upgraded from Windows 7 to Windows 10. Windows 10 can covertly uninstall your crypto apps and/or replace them with backdoored versions of the same executable and you would not even know. The operating system has a built in key logger and
After going through information, the summary is
- all Intel/AMD CPUs are unsuitable for cryptographic applications or bitcoin. It is possible to hide backdoors both in the bios and in microcode.
- every system running SystemD is insecure. SystemD is a mega-project to subvert linux security and replace a range of modular applications with an insecure blob of code that cannot be removed, exposes the system to thousands of exploits and which is so tightly integrated with every part of the system that no hardware can be initialized without it and few applications will run without it. It is a cancerous tumor, to destroy what should be a bare minimum of well designed, loosely coupled components.
- glibc is unmaintained and too complicated to be secure. musl should be used instead
- openssl should not be used. All standards by NIST should be suspect.
- Redhat is a subsidiary of the NSA and exists to subvert linux enterprise security.
- Intel and Microsoft are subsidiaries of the NSA and exist to subvert enterprise security. AMD is now as bad as Intel, after the Saudi buyout.
- C/C++ must be deprecated for a memory safe language
- PCI/USB/SDA must be deprecated and new security architecture is needed.
- all binary blobs in the kernel must go. all drivers must be open source
- there is an attempt to tightly integrate the proprietary graphics drivers bootup process with systemD, so that secure or open source hardware or non-systemD distributions cannot even boot
- if you produce a secure linux distribution or hardware not subject to these vulnerabilities, then Redhat/NSA will buy your company and shut it down
- deletion, censorship, marginalization, redirection of wikipedia articles for secure VPN solutions, DNS encryption and non-backdoored linux distributions. Blog posts in popular media saying "You need to encrypt your traffic!" then telling people that OpenVPN is insecure and to use these "top three" compromised VPNs, or better yet, closed sourced VPNs created by what I assume to be front companies for shady oil equity firms, owned by families who were intensely involved in Iran-Contra, the Total Information Awareness Office and ....
I am slowly coming to the conclusion that
- software easily could be secure and safe in theory, but
- we are in the middle of a multi-decades cyber war entailing the intentional subversion and back dooring of every piece of hardware, software, operating system, library, application, and cryptography and network protocol for the past forty years.
During Skycoin development, we also found technology that is very interesting, but only useful for 1313 type systems and for things like drone swarms, machine tool virtualization and user interfaces for hybrid systems. The meshnet/darknet/vpn scripting language is based upon CSP and the pi-calculus and there are very interesting things you can do with this:
- https://en.wikipedia.org/wiki/Pi-calculus
- https://en.wikipedia.org/wiki/Process-oriented_programming