Bitcoin Forum
Author Topic: Nxt source code flaw reports  (Read 113310 times)
xibeijan
January 03, 2014, 09:12:56 PM
 #101

It seems to be a personal crusade of FrictionlessCoin against nxt  Grin

Have you ever been in a code review?   The criticism I am providing is actually quite tame.

My assessment,  throw this garbage out and start again correctly.

This is a typical kind of response from a good software developer who sees crap code.  Fair enough, but I must point out (again) that we are not investing in source code, we are investing in the algorithms, the big ideas (BCNext) and the huge community supporting NXT.

Source code clean up is a minor issue and will come as the project develops.  Some great developers have joined the NXT team (e.g. Jean-Luc) and are improving the software engineering practices as we speak.

However, let us get back to the point.  This is a code review for security issues, so let's try to focus on those.

I think the point about cleaning up, refactoring the code has been made and taken.

So, perhaps FrictionlessCoin has found some non-superficial security issue he would like to share?

Ok... so if you are investing in the algorithm.... then where can I find a specification of the algorithm?  (if you answer look at the source, then it is clear that you have no specification)

Things don't always have to start with a spec.  Ya know, this isn't a big software house.

Anything more useful to contribute, if not pure rage?

FrictionlessCoin
January 03, 2014, 09:14:28 PM
 #102

If he knew of the flaws, then why is he asking this forum?

Well, if u know about JUnit u should know how to find logical bugs in algos. One of the approaches is to inject flaws and let the others to find them. If u injected 10 flaws and 15 r reported, then u count proportion of injected flaws to assess number of unknown ones that r not found yet.

Inject flaws and have people manually find the flaws?  What the hell is the point in that?

So... I am still waiting for the specification... if it's not the source (coz you claim to have injected flaws)... then where is it?

 
Come-from-Beyond (OP)
January 03, 2014, 09:14:35 PM
 #103

I am not sure if code flaws include config and network configurations that are not handled properly.

No, they don't.
FrictionlessCoin
January 03, 2014, 09:16:42 PM
 #104

It seems to be a personal crusade of FrictionlessCoin against nxt  Grin

Have you ever been in a code review?   The criticism I am providing is actually quite tame.

My assessment,  throw this garbage out and start again correctly.

This is a typical kind of response from a good software developer who sees crap code.  Fair enough, but I must point out (again) that we are not investing in source code, we are investing in the algorithms, the big ideas (BCNext) and the huge community supporting NXT.

Source code clean up is a minor issue and will come as the project develops.  Some great developers have joined the NXT team (e.g. Jean-Luc) and are improving the software engineering practices as we speak.

However, let us get back to the point.  This is a code review for security issues, so let's try to focus on those.

I think the point about cleaning up, refactoring the code has been made and taken.

So, perhaps FrictionlessCoin has found some non-superficial security issue he would like to share?

Ok... so if you are investing in the algorithm.... then where can I find a specification of the algorithm?  (if you answer look at the source, then it is clear that you have no specification)

Things don't always have to start with a spec.  Ya know, this isn't a big software house.

Anything more useful to contribute, if not pure rage?

You don't have a spec. for a distributed consensus algorithm?

So you think you can seriously conjure up one that is secure without actually spending quality time thinking of a specification?


As I said in the beginning,  this is amateur hour.


 
Come-from-Beyond (OP)
January 03, 2014, 09:17:54 PM
 #105

Inject flaws and have people manually find the flaws?  What the hell is the point in that?

The point is to assess number of unknown bugs.


So... I am still waiting for the specification... if it's not the source (coz you claim to have injected flaws)... then where is it?

Can't help with this until I talk to Cunicula, sorry. But I could answer questions.
Come-from-Beyond (OP)
January 03, 2014, 09:19:00 PM
 #106

You don't have a spec. for a distributed consensus algorithm?

Ah, if u need only distributed consensus algorithm then u could read about Bitcoin's algo. They r the same.
FrictionlessCoin
January 03, 2014, 09:21:16 PM
 #107

You don't have a spec. for a distributed consensus algorithm?

Ah, if u need only distributed consensus algorithm then u could read about Bitcoin's algo. They r the same.

No they are not,  Bitcoin uses proof of work to create the block chain.

Maybe you can tell me in a few lines, what exactly is the algorithm here.


 
xibeijan
January 03, 2014, 09:21:57 PM
 #108

I've had enough friction for today.  Sad

He's just so... so angry.


xibeijan
January 03, 2014, 09:23:08 PM
 #109

You don't have a spec. for a distributed consensus algorithm?

Ah, if u need only distributed consensus algorithm then u could read about Bitcoin's algo. They r the same.

He obviously doesn't have much experience with this stuff...

And he also forgot to read up on what this source release is about and the injected flaws and the highly logical reasons for doing this.  (Anyone have the link for him?)


Come-from-Beyond (OP)
January 03, 2014, 09:23:33 PM
 #110

No they are not,  Bitcoin uses proof of work to create the block chain.

Maybe you can tell me in a few lines, what exactly is the algorithm here.

Just replace PoW with PoS.

Or look at lines 1275 - 1283.
Come-from-Beyond (OP)
January 03, 2014, 09:25:00 PM
 #111

He obviously doesn't have much experience with this stuff...

And he also forgot to read up on what this source release is about and the injected flaws and the highly logical reasons for doing this.  (Anyone have the link for him?)

If we manage to explain it to him then all other newbies will get this for sure. It's a good opportunity to create FAQ.
FrictionlessCoin
January 03, 2014, 09:26:13 PM
 #112

Inject flaws and have people manually find the flaws?  What the hell is the point in that?

The point is to assess number of unknown bugs.


So... I am still waiting for the specification... if it's not the source (coz you claim to have injected flaws)... then where is it?

Can't help with this until I talk to Cunicula, sorry. But I could answer questions.

You know when having a meeting with a customer, it's always not a good idea to bring with a sales person a technical guy.

The reason is, the sales person can always say, "I don't know the answer, but I can ask my technical folk".  

Is it not very strange that a technical person like you is saying... "I'm sorry, but some other dude wrote the spec.  Let him come back from vacation and I'll have an answer".

 
mcjavar
January 03, 2014, 09:26:36 PM
 #113

I've had enough friction for today.  Sad

He's just so... so angry.



But he is having some valid points.
FrictionlessCoin
January 03, 2014, 09:28:05 PM
 #114

No they are not,  Bitcoin uses proof of work to create the block chain.

Maybe you can tell me in a few lines, what exactly is the algorithm here.

Just replace PoW with PoS.

Or look at lines 1275 - 1283.

You can't even explain the algorithm in a few words.   

C'mon you can do it.  Just a couple of sentences explaining your PoS algorithm.

C'mon you can do it.

Waiting...

 
xibeijan
January 03, 2014, 09:29:40 PM
 #115

I've had enough friction for today.  Sad

He's just so... so angry.



But he is having some valid points.

True, though a bit off topic for this thread.

I do hope CfB (or one of the developers) will answer him.

pandaisftw
January 03, 2014, 09:29:54 PM
 #116

NXT is just some code that some junior programmer is trying to cook up on the fly.

Take it from an expert in these coding matters.

Don't believe me,  well good luck with your NXT investments.


So... how come you're not spitting out ALL THREE FLAWS then?



Is this not plain and simple B.S.?



"Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward
"


If he knew of the flaws, then why is he asking this forum?

How do you create a hash of something you don't know exists?

Besides,  what the heck are you even hashing?  Some text that describes the flaw?


The B.S. is unbelievable and you folks are just too ignorant to see it.



I normally don't call people trolls, but:

1) It is clear you have not been following anything related to NXT. Injected flaws (in an otherwise working base code) with bounty payouts is meant to encourage people to take a very hard look at the code. Also, read the 1st post again, c-f-b explained this.
2) Bashing how "clean" the code looks. Really? If you're so good at this, why didn't you come up with a better NXT first? It's probably because you can't (hence you have to fork NXT's code... how ironic).

NXT: 13095091276527367030
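
The bounty mechanics argued over in this thread (SHA-256 hashes of the flaw descriptions published in advance, and the share of injected flaws among the reports used to estimate how many unknown flaws remain) can be sketched as follows. This is an added example, not part of any post and not Nxt code; the flaw descriptions, report keys, optional nonce and all function names are constructed for illustration, with the "10 injected, 15 reported" figures taken from the post quoted above and the 5/10 split assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def commit(description: str, nonce: bytes = b"") -> str:
    """Hex SHA-256 commitment to a flaw description.

    The thread hashes the bare description; the optional nonce is an added
    assumption so that a short description cannot be confirmed by guessing.
    """
    return hashlib.sha256(nonce + description.encode("utf-8")).hexdigest()


def opens(commitment: str, description: str, nonce: bytes = b"") -> bool:
    """True if the revealed description (and nonce) matches the published hash."""
    return hmac.compare_digest(commit(description, nonce), commitment.lower())


@dataclass(frozen=True)
class SeedingEstimate:
    seeded_found: int
    native_found: int
    native_total: float      # estimated flaws that were NOT injected
    native_remaining: float  # estimated non-injected flaws still unreported


def estimate_unknown(seeded: set, reported: list) -> SeedingEstimate:
    """Fault-seeding estimate: reviewers are assumed to find injected and
    native flaws at the same rate, so native_total ~= native_found / rate."""
    distinct = set(reported)               # duplicate reports count once
    seeded_found = len(distinct & seeded)
    native_found = len(distinct - seeded)
    if seeded_found == 0:
        raise ValueError("no injected flaw found yet; detection rate unknown")
    rate = seeded_found / len(seeded)
    total = native_found / rate
    return SeedingEstimate(seeded_found, native_found, total, total - native_found)


def demo():
    # Constructed descriptions standing in for the organiser's secret notes.
    secret = {f"S{i}": f"constructed injected flaw #{i}" for i in range(1, 11)}
    published = {key: commit(text) for key, text in secret.items()}  # posted up front

    # Constructed triage result: 15 distinct findings, 5 of them injected.
    reported = ["S1", "S4", "S4", "S6", "S7", "S9"] + [f"N{i}" for i in range(1, 11)]

    # After the bounty closes, each reveal is checked against its published hash.
    reveals_ok = all(opens(published[k], secret[k]) for k in secret)
    tampered_ok = opens(published["S1"], secret["S1"] + " (edited afterwards)")
    return reveals_ok, tampered_ok, estimate_unknown(set(secret), reported)


if __name__ == "__main__":
    ok, tampered, est = demo()
    print("reveals verify:", ok, "| edited reveal verifies:", tampered)
    print(est)
```

The estimate is only as good as its assumption that injected flaws are as hard to find as the real ones.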
Come-from-Beyond (OP)
January 03, 2014, 09:32:41 PM
 #117

You can't even explain the algorithm in a few words.   

C'mon you can do it.  Just a couple of sentences explaining your PoS algorithm.

C'mon you can do it.

Waiting...

Forging is a distributed consensus system that is used to confirm waiting transactions by including them in the block chain. It enforces a chronological order in the block chain, protects the neutrality of the network, and allows different computers to agree on the state of the system. To be confirmed, transactions must be packed in a block that fits very strict cryptographic rules that will be verified by the network. These rules prevent previous blocks from being modified because doing so would invalidate all following blocks. Forging also creates the equivalent of a competitive lottery that prevents any individual from easily adding new blocks consecutively in the block chain. This way, no individuals can control what is included in the block chain or replace parts of the block chain to roll back their own spends.

I can't explain details in a couple of sentences.
Vega
January 03, 2014, 09:32:53 PM
 #118

FrictionlessCoin, I don't know a thing about coding, so I can't make a judgement about who is right.
But what you are doing here, strongly reminds me of something. I've been a professional poker player for 10 years.
During that time I met a lot of people who were good at poker. But I was better, and when I beat them, they behaved the same way you are doing now. They were making statements about my shitty play, and how I am a lucky idiot.
They did this, because while they knew their way around a poker table, they simply weren't capable of thinking at my level.

Granted, I may be way off base here, but not from what I've seen so far.
How about you do as some of the others asked, and instead of making grand statements about a high school project, you point out specific problems. Fundamental errors. Examples of bad logic, security flaws. Something. You know, just to be on topic for a change.
xibeijan
January 03, 2014, 09:34:37 PM
 #119

I've had enough friction for today.  Sad

He's just so... so angry.



But he is having some valid points.

True, though a bit off topic for this thread.

I do hope CfB (or one of the developers) will answer him.


To be fair, you guys really do need a whitepaper to avoid these kinds of reactions from skeptics.  Anyway, I suppose their questions need to be answered. Smiley

FrictionlessCoin
January 03, 2014, 09:35:10 PM
 #120

I normally don't call people trolls, but:

1) It is clear you have not been following anything related to NXT. Injected flaws (in an otherwise working base code) with bounty payouts is meant to encourage people to take a very hard look at the code. Also, read the 1st post again, c-f-b explained this.
2) Bashing how "clean" the code looks. Really? If you're so good at this, why didn't you come up with a better NXT first? It's probably because you can't (hence you have to fork NXT's code... how ironic).

So you are admitting that this indeed is not the 'real source code' but some variant of it that doesn't really work.

I thought the purpose of releasing source code is to have other people to review if it is correct.

Well... I may just create a much better NXT.   Something that

(1) Has a very clear specification of the distributed consensus algorithm that people can review for flaws.
(2) Follow best practice Java coding standards.
(3) Gone through extensive static code analysis.
(4) Have a battery of unit tests to exhaustively test out the code.
(5) Ensure that tests perform 100% test coverage.

but unfortunately none of that exists for NXT.   It is just a high school project that some folks invested 21 BTC to get a stake on it.


 