Nxt source code flaw reports

[FrictionlessCoin]

It seem to be a personal crusade of FrictionlessCoin against nxt 

Have you ever been in a code review?   The criticism I am providing is actually quite tame.

My assessment,  throw this garbage out and start again correctly.

[FrictionlessCoin]

I am curious,  is the NXT algorithm described anywhere?

A paper somewhere,  a specification or a simulation?

Or perhaps we are just making this up on the go?

[newsilike]

Thrilled that my small investment in NXT is being represented by someone who uses "u" instead of "you."

 

Then get the fuck out man.
Couldn't be more irrelevant.
I haven't seen ONE example of someone who's against NXT while delivering founded reasons to have disbelieve in it.

[xibeijan]

I am curious,  is the NXT algorithm described anywhere?

A paper somewhere,  a specification or a simulation?

Or perhaps we are just making this up on the go?

Use the source.... luke... use the source....

[Come-from-Beyond]

I am curious,  is the NXT algorithm described anywhere?

A paper somewhere,  a specification or a simulation?

Or perhaps we are just making this up on the go?

Use the source.... luke... use the source....

FrictionlessCoin is a very funny troll. I'll unignore her.

[FrictionlessCoin]

Thrilled that my small investment in NXT is being represented by someone who uses "u" instead of "you."

 

Then get the fuck out man.
Couldn't be more irrelevant.
I haven't seen ONE example of someone who's against NXT while delivering founded reasons to have disbelieve in it.

I think your over investment in NXT is blinding you to the reality.

The code is just made up on the fly.   It doesn't really work.  It really isn't secure.

Distributed consensus in precense of adversarial participants is a damn difficult thing to cook up.  That is why Satoshi Nakomoto's Bitcoin is utterly brilliant.  

NXT is just some code that some junior programmer is trying to cook up one the fly.  

Take it from an expert in these coding matters.

Don't believe me,  well good luck with your NXT investments.

[GröBkAz]

I am curious,  is the NXT algorithm described anywhere?

A paper somewhere,  a specification or a simulation?

Or perhaps we are just making this up on the go?

Use the source.... luke... use the source....

FrictionlessCoin is a very funny troll. I'll unignore her.

+1

Very good. You did a great job.

[FrictionlessCoin]

I am curious,  is the NXT algorithm described anywhere?

A paper somewhere,  a specification or a simulation?

Or perhaps we are just making this up on the go?

Use the source.... luke... use the source....

Well you confirmed it... making this all up on the go.

You guys have no clue as to what you're building.  Absolutely no clue.

[laowai80]

FrictionlessCoin is a very funny troll. I'll unignore her.

She had too few frictions recently, too grudgy

[ferment]

Thrilled that my small investment in NXT is being represented by someone who uses "u" instead of "you."

 

Using "u" might be a good way to avoid textual analysis.

[ferment]

Dude...  where are the unit tests?  If you don't care for style,  you should care that it is at least  tested.

This code is so bad, that I'm just itching to fork it!

Looking forward to your pull requests.

[xibeijan]

It seem to be a personal crusade of FrictionlessCoin against nxt  

Have you ever been in a code review?   The criticism I am providing is actually quite tame.

My assessment,  throw this garbage out and start again correctly.

This is a typical kind of response from a good software developer who sees crap code.  Fair enough, but I must point out (again) that we are not investing in source code, we are investing in the algorithms, the big ideas (BCNext) and the huge community supporting NXT.

Source code clean up is a minor issue and will come as the project develops.  Some great developers have joined the NXT team (e.g. Jean-Luc) and are improving the software engineering practices as we speak.

I think the point about cleaning up, refactoring the code has been made and taken.  I think it was kind of obvious and expected by all, especially given how rapidly the software has been developed.

The truth is, sometimes big amazing ideas start out with a small bit of crappy code.  And, I think, is where NXT is.

However, let us get back to the point.  This is a code review for security issues, so let's try to focus on those.

So, perhaps FrictionlessCoin has found some non-superficial security issue he would like to share?  Or are we going to keep beating this issue to death?

[ferment]

It seem to be a personal crusade of FrictionlessCoin against nxt 

Have you ever been in a code review?   The criticism I am providing is actually quite tame.

My assessment,  throw this garbage out and start again correctly.

This thread is for reporting the injected flaws. Did you find one in your review?

[FrictionlessCoin]

It seem to be a personal crusade of FrictionlessCoin against nxt  

Have you ever been in a code review?   The criticism I am providing is actually quite tame.

My assessment,  throw this garbage out and start again correctly.

This is a typical kind of response from a good software developer who see crap code.  Fair enough, but I must point out (again) that we are not investing in source code, we are investing in the algorithms, the big ideas (BCNext) and the huge community supporting NXT.

Source code clean up is a minor issue and will come as the project develops.  Some great developers have joined the NXT team (e.g. Jean-Luc) and are improving the software engineering practices as we speak.

However, let us get back to the point.  This is a code review for security issues, so let's try to focus on those.

I think the point about cleaning up, refactoring the code has been made and taken.

So, perhaps FrictionlessCoin has found some non-superficial security issue he would like to share?

Ok... so if you are investing on the algorithm.... then were can I find a specification of the algorithm?  (if you answer look at the source, then it is clear that you have no specification)

[FrictionlessCoin]

NXT is just some code that some junior programmer is trying to cook up one the fly.  

Take it from an expert in these coding matters.

Don't believe me,  well good luck with your NXT investments.

So... how come you 're not spitting out ALL THREE FLAWS then?

Is this not plain and simple B.S.?



"Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward
"


If he knews of the flaws,  then why is he asking this forum?

How do you create a hash of something you don't know exists?

Besides,  what the heck are you even hashing?  Some text that describes the flaw?


The B.S. is unbelievable and you folks are just too ignorant to see it.

[Come-from-Beyond]

Ok... so if you are investing on the algorithm.... then were can I find a specification of the algorithm?  (if you answer look at the source, then it is clear that you have no specification)

Cunicula was going to publish the whitepaper. He is still on holidays, I suppose, coz I don't see him online. U can find description of the algo here - https://bitcointalk.org/index.php?topic=345619.0. Or I can answer ur questions if u don't want to read the thread.

[jl777]

sendToAllPeers line 2833:
for (Peer peer : peers)
{
    if ( enableHallmarkProtection && peer.getWeight() < pushThreshold )
    {
        break;
    }
    if (peer.blacklistingTime == 0 && peer.state == Peer.STATE_CONNECTED && peer.announcedAddress.length() > 0)
    {
        peer.send(request);
    }   
}

I am not sure if code flaws include config and network configurations that are not handled properly. If so, the code will not send to any peers if hallmark protection is enabled and pushThreshold is set to be higher than the "heaviest" peer. I might have the sort direction wrong, in that case if all peers have weight of 0 and pushThreshold is set to 1, it will terminate without sending to any peer.

This might be by design, but having sendToAllPeers sending to nobody doesn't seem correct.

James

[FrictionlessCoin]

Ok... so if you are investing on the algorithm.... then were can I find a specification of the algorithm?  (if you answer look at the source, then it is clear that you have no specification)

Cunicula was going to publish the whitepaper. He is still on holidays, I suppose, coz I don't see him online. U can find description of the algo here - https://bitcointalk.org/index.php?topic=345619.0. Or I can answer ur questions if u don't want to read the thread.

Well if you wrote the code, then shouldn't you have the specification handy?

The link you sent,  that's called a feature list,  that's not a specification of an algorithm that does distributed consensus.

This is becoming more comical by the minute!

[Come-from-Beyond]

If he knews of the flaws,  then why is he asking this forum?

Well, if u know about JUnit u should know how to find logical bugs in algos. One of the approaches is to inject flaws and let the others to find them. If u injected 10 flaws and 15 r reported, then u count proportion of injected flaws to assess number of unknown ones that r not found yet.

[FrictionlessCoin]

If he knews of the flaws,  then why is he asking this forum?

How do you create a hash of something you don't know exists?

Besides,  what the heck are you even hashing?  Some text that describes the flaw?


The B.S. is unbelievable and you folks are just too ignorant to see it.

Ok... you clearly just proved to everybody that you DO NOT even realize that the flaws are there intentionally.

IGNORE!

If the flaws were intentional,  then why then did the author point me to the source as being the specification?

So, are you saying that the source code was actually never released and this entire exercise is a gimmick?