pnosker
July 01, 2014, 10:59:32 AM
Pretty sure I was able to crash veribit with a few lines of code. I'll stop once I prove it works.

No your IP just got auto banned for flooding. That and we deactivated the web service.

You may have done this afterwards, but I was seeing a wall of errors before that was done. Continuing to downplay what I'm finding and pretending it is not real is less healthy for your service than admitting it and working with me to fix these issues; right now you are just putting band-aids on them. I'm not being malicious, I'm giving you essentially free pen-testing (because I work for more than 75 an hour normally). Pretty sure I could bypass your IP flood and deconstruct the API from your wallet code. Lol, took 1 second to find the new URL on github: http://verisend.vericoin.info/apisendbtc
There goes the idea you closed down webservices. http://verisend.vericoin.info/apisendbtc?sendto=1NsqLEmk7bckyxocJToBYmgkte2j5KMGZp&amount=1
You really shouldn't keep talking to me like I'm stupid, your system clearly doesn't automatically ban IP addresses, you didn't ban mine. There is also no automatic price adjustment as you claimed before (which would have been clever if it were real, but also easy to exploit as well).

Talking to you like you're stupid? When did that happen? What I see are developers trying to engage with you directly. Didn't pnosker thank you, and give you a bug bounty already? What more do you want? An ego massage?

As in directly lying to me when it is easy to disprove his claims. He seems to think if he lies to me that I will just believe it and not try to confirm myself, which I did and realized what he was claiming was untrue. This is not about ego, this is about having a straightforward discussion without deception.

I really don't think anyone is intentionally trying to deceive you. And it appears to be about ego when you say dipshit things like "You really shouldn't talk to me like I'm stupid" - when that was evidently not the case. Perhaps VericoinDev3 misunderstood and a different IP was banned? Who fucking knows? But before you go on any more of these fucking tirades at least give the man a chance to respond.

You are ignoring the several other claims that are clearly untrue; he is treating me like I'm stupid because he assumes I can't easily check the claims and find out they are false. He talked about features in the software that simply do not exist to downplay the damage that could have been caused by a script like the one I shared.

What are you talking about? We saw a flood of over 2000 requests starting from 2 min after your first exploit post. Your IP was banned by the software from processing any trades. So no, I didn't lie about anything. Did you try to trade at all? And reducing the exploit time window is not just a patch. It is effective because it is unnecessary due to the way the wallet sends the transaction quickly. We could probably use better flood detection, but you're simply DoSing at that point. Anyway, I'll say it again: if you were truly concerned, you would talk privately about this like any legitimate security researcher rather than publicly disclaiming the code and suspecting it of failing. VeriBit has not lost any loaned money and has not kept any sent money without paying out. Thanks again for the criticism. We take it seriously but it is unfounded.
techbytes
July 01, 2014, 11:11:41 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-
buy4crypto
July 01, 2014, 11:15:15 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

A lot of people want to "help" the community, especially VeriCoin lately, by openly making slanderous claims that they cannot even substantiate. Things must be going well. You only get attacked when you're on top.
yourstruly
July 01, 2014, 11:15:27 AM
Pretty sure I was able to crash veribit with a few lines of code. I'll stop once I prove it works.

No your IP just got auto banned for flooding. That and we deactivated the web service.

You may have done this afterwards, but I was seeing a wall of errors before that was done. Continuing to downplay what I'm finding and pretending it is not real is less healthy for your service than admitting it and working with me to fix these issues; right now you are just putting band-aids on them. I'm not being malicious, I'm giving you essentially free pen-testing (because I work for more than 75 an hour normally). Pretty sure I could bypass your IP flood and deconstruct the API from your wallet code. Lol, took 1 second to find the new URL on github: http://verisend.vericoin.info/apisendbtc
There goes the idea you closed down webservices. http://verisend.vericoin.info/apisendbtc?sendto=1NsqLEmk7bckyxocJToBYmgkte2j5KMGZp&amount=1
You really shouldn't keep talking to me like I'm stupid, your system clearly doesn't automatically ban IP addresses, you didn't ban mine. There is also no automatic price adjustment as you claimed before (which would have been clever if it were real, but also easy to exploit as well).

Talking to you like you're stupid? When did that happen? What I see are developers trying to engage with you directly. Didn't pnosker thank you, and give you a bug bounty already? What more do you want? An ego massage?

As in directly lying to me when it is easy to disprove his claims. He seems to think if he lies to me that I will just believe it and not try to confirm myself, which I did and realized what he was claiming was untrue. This is not about ego, this is about having a straightforward discussion without deception.

I really don't think anyone is intentionally trying to deceive you. And it appears to be about ego when you say dipshit things like "You really shouldn't talk to me like I'm stupid" - when that was evidently not the case. Perhaps VericoinDev3 misunderstood and a different IP was banned? Who fucking knows? But before you go on any more of these fucking tirades at least give the man a chance to respond.

You are ignoring the several other claims that are clearly untrue; he is treating me like I'm stupid because he assumes I can't easily check the claims and find out they are false. He talked about features in the software that simply do not exist to downplay the damage that could have been caused by a script like the one I shared.

What are you talking about? We saw a flood of over 2000 requests starting from 2 min after your first exploit post. Your IP was banned by the software from processing any trades. So no, I didn't lie about anything. Did you try to trade at all? And reducing the exploit time window is not just a patch. It is effective because it is unnecessary due to the way the wallet sends the transaction quickly. We could probably use better flood detection, but you're simply DoSing at that point. Anyway, I'll say it again: if you were truly concerned, you would talk privately about this like any legitimate security researcher rather than publicly disclaiming the code and suspecting it of failing. VeriBit has not lost any loaned money and has not kept any sent money without paying out. Thanks again for the criticism. We take it seriously but it is unfounded.

I offered to talk about it privately but you never private messaged me. Also, I'm used to discussing issues publicly because the Bitcoin community is traditionally an open source community where we have open discussion about issues. We are all about transparency in the open source world. I have not tried to steal from veribit; I could have drained the fund by now and done this all in silence and you would have never noticed. I'm taking time out of my other projects to come here and let you know about your security issues and you continue to downplay them and make up claims about your service. Should it be that easy to DoS your service with a 3 line script? There are definitely engineering solutions for that.
yourstruly
July 01, 2014, 11:16:51 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?
buy4crypto
July 01, 2014, 11:17:59 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?

And your true intentions are clear. Well done. All of us idiots see right through you. Appreciate the help. You act a certain way because that's how / who a person is. Developers respond in a respectful manner to your claims, pay you a bounty. Your response? Calling them names, saying they insulted you? You need to take a step back and realize your help has been heard, and they took action. What more do you want? Now you're losing any credibility you had with your concerns to being a FUD'in troll now.
yourstruly
July 01, 2014, 11:18:33 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

A lot of people want to "help" the community, especially VeriCoin lately, by openly making slanderous claims that they cannot even substantiate. Things must be going well. You only get attacked when you're on top.

My claims were not slanderous, I even provided code that could exploit the system in place. I do this because this coin has an 8 million dollar market cap and it's built on flimsy software. If this falls and major news agencies follow the story, it makes everyone in the ecosystem look bad. But you are too focused on your personal investment to see the bigger picture.
yourstruly
July 01, 2014, 11:19:33 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?

And your true intentions are clear. Well done.

If I wanted to hurt Vericoin I could have done it. I have not done anything malicious; if you weren't too narrow minded you would see that I'm actually providing a very valuable free service to the developer.
T.Stuart
July 01, 2014, 11:22:27 AM
I'm actually providing a very valuable free service to the developer.
Could I ask, why don't you just PM him yourself and carry on this help directly rather than in a group discussion, which wastes a lot of time?
pnosker
July 01, 2014, 11:23:23 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?

VeriBit makes us no money... In the long run it probably costs money with server costs.
T.Stuart
July 01, 2014, 11:26:19 AM
Hope you don't mind me posting this pnosker! Quick question: will the new wallet be adapted for Android anytime soon?
yourstruly
July 01, 2014, 11:26:55 AM
I'm actually providing a very valuable free service to the developer.

Could I ask, why don't you just PM him yourself and carry on this help directly rather than in a group discussion, which wastes a lot of time?

Because open source projects are usually discussed in a group setting, because they are open by nature. If he insists on making it private that is his prerogative and he has not chosen to do so.
T.Stuart
July 01, 2014, 11:28:27 AM
Because open source projects are usually discussed in a group setting, because they are open by nature. If he insists on making it private that is his prerogative and he has not chosen to do so.
He wouldn't have "insisted" anyway - you invited him!
buy4crypto
July 01, 2014, 11:28:40 AM
I'm actually providing a very valuable free service to the developer.

Could I ask, why don't you just PM him yourself and carry on this help directly rather than in a group discussion, which wastes a lot of time?

Because open source projects are usually discussed in a group setting, because they are open by nature. If he insists on making it private that is his prerogative and he has not chosen to do so.

SECURITY needs to be in the open? That's a new one. The next time I hear the Security team talking about the next big project in an open forum I'll let you know. You are not here to help; you can help by PM'in the DEV with security concerns. Why give others an idea before you can close the loop, create a solution. That's what someone with concerns for a problem does: you solve it. Seems like your idea is to come here, cause FUD in open discussion even though your concerns have been addressed several times.
yourstruly
July 01, 2014, 11:29:36 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?

VeriBit makes us no money... In the long run it probably costs money with server costs.

I understand that, your fee is 1 VRC which is one of the reasons it makes it a good target for malicious attacks. When designing systems like this, like when designing an exchange, you have to assume the worst will happen, like someone will try to DoS you. You appear to have nothing in place to stop these basic attacks, which could be solved many ways. Here is the updated version of the code that will work with your web services turned off and timed with 2 minutes:

Code:
require 'net/http'
require 'json'

# Would need to write code to manage number of threads
# and stagger their start times to maximize attack surface
#Thread.new do
while true
  # Ask VeriBit for a quote: it answers with the VRC amount and deposit address
  @time_up = Time.now + (60*2)
  uri = URI('http://verisend.vericoin.info/apisendbtc?sendto=1NsqLEmk7bckyxocJToBYmgkte2j5KMGZp&amount=1')
  arbitrage = JSON.parse(Net::HTTP.get(uri))
  @vrc_amount = arbitrage['Amount']
  @vrc_address = arbitrage['Address']
  p @vrc_amount
  p @vrc_address
  # Poll the market for the rest of the 2 minute window
  while @time_up > Time.now
    p "Time remaining: #{@time_up - Time.now}"
    uri = URI('https://api.mintpal.com/v1/market/stats/VRC/BTC')
    market_data = JSON.parse(Net::HTTP.get(uri)).first
    last_price = market_data['last_price']
    # You would need to add in trading fees
    price_per_bitcoin = 1 / last_price.to_f
    p price_per_bitcoin
    if @vrc_amount.to_f < price_per_bitcoin
      difference = price_per_bitcoin - @vrc_amount.to_f
      p "Difference of #{difference}"
      if difference > 500
        p "Good time to send money!"
        system("./vericoind sendmoneyto #{@vrc_address} #{@vrc_amount}")
      end
    end
  end
  p "Times up! Time to try again!"
end
#end
yourstruly
July 01, 2014, 11:31:28 AM
I'm actually providing a very valuable free service to the developer.

Could I ask, why don't you just PM him yourself and carry on this help directly rather than in a group discussion, which wastes a lot of time?

Because open source projects are usually discussed in a group setting, because they are open by nature. If he insists on making it private that is his prerogative and he has not chosen to do so.

SECURITY needs to be in the open? That's a new one. The next time I hear the Security team talking about the next big project at starbucks I'll let you know. You are not here to help; you can help by PM'in the DEV.

Yes, security is typically discussed in the open, especially on open source projects, which this one is based on. That is why there are services that openly report all security bugs so open source developers can read through them and attempt to fix them. You are really showing you know very little about computer science and software development right now.
buy4crypto
July 01, 2014, 11:32:58 AM
I'm actually providing a very valuable free service to the developer.

Could I ask, why don't you just PM him yourself and carry on this help directly rather than in a group discussion, which wastes a lot of time?

Because open source projects are usually discussed in a group setting, because they are open by nature. If he insists on making it private that is his prerogative and he has not chosen to do so.

SECURITY needs to be in the open? That's a new one. The next time I hear the Security team talking about the next big project at starbucks I'll let you know. You are not here to help; you can help by PM'in the DEV.

Yes, security is typically discussed in the open, especially on open source projects, which this one is based on. That is why there are services that openly report all security bugs so open source developers can read through them and attempt to fix them. You are really showing you know very little about computer science and software development right now.

Never claimed to, I just know when I see someone with malicious intentions. You and your friend didn't take long to come up with a clever theft plot. Is it something you are familiar with? Do you use these codes to steal often? How many people have you stolen from in the past? Didn't seem to take you a long time to make a code you claim is capable of theft.
techbytes
July 01, 2014, 11:35:21 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?

Regardless of whether you are being paid or not, if you come out sounding arrogant, not too many people will listen even if your claims are true. Telling people how much you make is meaningless in the virtual world...
-tb-
yourstruly
July 01, 2014, 11:36:07 AM
I'm actually providing a very valuable free service to the developer.

Could I ask, why don't you just PM him yourself and carry on this help directly rather than in a group discussion, which wastes a lot of time?

Because open source projects are usually discussed in a group setting, because they are open by nature. If he insists on making it private that is his prerogative and he has not chosen to do so.

SECURITY needs to be in the open? That's a new one. The next time I hear the Security team talking about the next big project at starbucks I'll let you know. You are not here to help; you can help by PM'in the DEV.

Yes, security is typically discussed in the open, especially on open source projects, which this one is based on. That is why there are services that openly report all security bugs so open source developers can read through them and attempt to fix them. You are really showing you know very little about computer science and software development right now.

Never claimed to, I just know when I see someone with malicious intentions. You and your friend didn't take long to come up with a clever theft plot. Is it something you are familiar with? Do you use these codes to steal often? How many people have you stolen from in the past? Didn't seem to take you a long time to make a code capable of theft.

If I had malicious intentions I would have never made a single post in this thread. It didn't take us long because we are well-rounded software developers who are always thinking about how a system can be broken so it can be improved; in computer science this is called hacking. So yes, this is something we are familiar with because we built enterprise level software and you can't assume everyone on the internet won't break your system. You are being immature right now and wasting my time. You should really exit this conversation since you have nothing of value to add.
yourstruly
July 01, 2014, 11:37:26 AM
For a guy who claimed to be paid $75/hour, he doesn't sound too professional about it. Sounds more like whining for attention. So I wouldn't pay any mind to his claims.
-tb-

I actually get paid more than 75 an hour when I do security consulting, and why do I have to act professional with someone who is not paying me, lying to me, building closed source projects off open source roots to make money, and has a community of greedy idiots who try to deflect any claims that there are issues?

Regardless of whether you are being paid or not, if you come out sounding arrogant, not too many people will listen even if your claims are true. Telling people how much you make is meaningless in the virtual world...
-tb-

You can cherry-pick what I said to make me sound arrogant, but in my opinion it is more arrogant to run an 8 million dollar economy on shoddy closed source software and dismiss claims that there might be issues with your centralized services.