Fuserleer (OP)
September 07, 2014, 03:49:53 PM Last edit: September 07, 2014, 04:02:21 PM by Fuserleer

Hey Folks,

This is a call out to all security experts and hackers, inviting you to take part in a pre-launch eMunie network stress and hack test with PRIZES!!

We're getting pretty close to our next OB in a couple of weeks, hopefully followed soon after by our V1.0 launch, thus the time has come to weed out any possible exploits or issues with the system before they can cause loss or harm.

I consider myself a good developer; I try to cover all angles of any scenario as much as possible. That said, I'm not naive, nor do I have a galaxy-sized ego which results in thinking my code is the best, most secure, or can never be exploited... I am human after all, and humans miss things and make mistakes. I expect there to be issues, and the purpose of this test is not to prove there aren't any, but to find any that are and fix them!

So, as we tend to do over here, I would like to set another industry first. I'm inviting anyone that thinks they have the means to perform attacks on the network in an attempt to cause disruption, initially in a test environment which will be set up for this task, and also in a future open beta. The date for these tests to start is not yet planned, but should be within the next 4 weeks (depending on how many applicants there are and on furnishing selected candidates with the needed information to perform thorough attacks).

Disruption is anything from an outright DDoS of the entire network, to message sniffing, double spends and everything in between. I will provide detailed information regarding the packets and data structures sent around the network, the topology, and various other details to assist in any disruption attempts. Please do not ask for source code; as stated many times before, eMunie is and will remain closed source for at least 6 months post launch.

There will be limited places available for this task, for 2 reasons:
1. I don't want to manage 1000's of egos.
2. 1000's of people cross flooding attacks on the network with only a small number of "honest" nodes will of course cause disruption and make it harder to pinpoint the real exploits.

Those wishing to take part please communicate with me either via PM here, email contest@emunie.com, or you can add me on Skype as thengonet ... if you are paranoid and would like to communicate via more secure means, please express such in your initial contact; I'm happy to download and install any required software to do so. A short list of candidates will be constructed, consisting of around 20 or for the initial test environment. As we plan to do a few of these before launch, these numbers will increase over time and subsequent contests will be held.

Bounties are organized as follows:
- 5 BTC for most serious disruption
- 3 BTC for 2nd most serious disruption
- 1 BTC for 3rd most serious disruption
- 0.25-0.5 for other disruptions classified as threats

To claim a bounty you must provide proof of your successful attack and provide full details on how it was achieved so that we can replicate it. If the attack cannot be replicated, or sufficient details are not provided, then the bounty will not be paid for that threat and the subsequent most serious threat will take that bounty. Decisions on the severity of discovered exploits will be made by forum members both here and at eMunie in a results thread. No accounts registered on either forum after 1st September 2014 will be allowed to vote, and those votes will be discounted.

NOTE: If no disruptions are deemed severe enough to warrant the top 3 bounties, those bounties will be spread around any minor disruptions.

Finally, this is a self-moderated thread as it is a serious topic for a serious project. I do not want it descending into a cock waving contest about who's hacked what, and how many chicks you were able to lay because of bragging about it.

okiefromokc
September 07, 2014, 06:04:37 PM

This is good to see, I do not have the expertise for the top 3, as I am not a Java coder ... but maybe some of the minor issues...

asdlolciterquit
September 07, 2014, 06:10:07 PM

Is this the first coin to do a public test like this? Or am I wrong?

theblazehen
September 07, 2014, 06:23:54 PM

> Is this the first coin to do a public test like this? Or am I wrong?

Depends. Do you think this is the first coin? Then you are right.

coinsolidation
September 07, 2014, 06:38:35 PM

Can you link me to the code? PM or email is fine - I'll review, then decide.

Nullu
September 07, 2014, 06:41:28 PM

Is it possible to communicate with eMunie via a web-scripting language such as PHP?

Fuserleer (OP)
September 07, 2014, 06:45:02 PM

> Is it possible to communicate with eMunie via a web-scripting language such as PHP?

Yes, there is an extensive REST API which you can call from any number of web platforms via standard AJAX/JSON calls. Almost all core functions of the client are possible to perform through these APIs, including transactions, messaging, DMP, chat etc.

> Can you link me to the code? PM or email is fine - I'll review, then decide.

Escrow some of your most valuable assets as security and I'll send you my most valuable asset, which is the code.

statdude
September 07, 2014, 06:52:01 PM

F,
I'm unable to access emunie forums via any browser. Any thoughts?

Fuserleer (OP)
September 07, 2014, 06:59:38 PM

> F,
> I'm unable to access emunie forums via any browser. Any thoughts?

We've got a problem with Xenforo atm where unregistered/logged-out users can't view threads and stuff. We've spent the past couple of days trying to figure out what's wrong without screwing up the post history. But you should be able to get to the forum and register if that's what you are trying to do.

coinsolidation
September 07, 2014, 07:01:47 PM

> Can you link me to the code? PM or email is fine - I'll review, then decide.

> Escrow some of your most valuable assets as security and I'll send you my most valuable asset, which is the code.

Well now, I can't escrow you my family, friends, and brain - but you're welcome to escrow all of my open-source unlicensed code and every idea documented, which is all public domain. Your asset is your brain and those around you; your code will be redundant in some time, as will mine; let us hope our brains and friends are not. I know one thing for sure: my own ideas and creations are better when merged with those of others. I was simply offering the same to you, to give another set of eyes to review your hard work, to help you, not to steal it. You are writing to me on the web, which was given to us free, and mentioning Fielding's REST, which he gave us free, and about JSON and AJAX, also free. Can you imagine the state of our world had they all been closed and protected? We wouldn't be speaking, and you wouldn't have a project, nor I. I digress.

If you just have some binaries connecting to a network with no implementation details, then one can't really help. It's kind of impossible to review security by just hitting the thing to see if it breaks; somebody else may have a bigger or better hammer later, or more pertinently a little toothpick which opens it all right up.

Fuserleer (OP)
September 07, 2014, 07:09:20 PM

> Well now, I can't escrow you my family, friends, and brain - but you're welcome to escrow all of my open-source unlicensed code and every idea documented, which is all public domain. Your asset is your brain and those around you; your code will be redundant in some time, as will mine; let us hope our brains and friends are not. I know one thing for sure: my own ideas and creations are better when merged with those of others. I was simply offering the same to you, to give another set of eyes to review your hard work, to help you, not to steal it. You are writing to me on the web, which was given to us free, and mentioning Fielding's REST, which he gave us free, and about JSON and AJAX, also free. Can you imagine the state of our world had they all been closed and protected? We wouldn't be speaking, and you wouldn't have a project, nor I. I digress.
>
> If you just have some binaries connecting to a network with no implementation details, then one can't really help. It's kind of impossible to review security by just hitting the thing to see if it breaks; somebody else may have a bigger or better hammer later, or more pertinently a little toothpick which opens it all right up.

I thought you were trolling, as this topic has come up many times regarding eMunie code. It's unfortunate, but after having so many ideas taken by others, then passed off as theirs with no credit given to me, coupled with the huge amount of time, effort, stress, heartache and personal money vested in this, I simply refuse to give it out to every Tom, Dick and Harry that requests, or as is usual, demands it. However, your intelligent reply warrants both an apology from myself for jumping the gun (though I hope you can appreciate why), and a dose of respect.

If you are indeed serious about performing a peer review, and would have no problem with a binding legal agreement of non-disclosure, then I would be happy to provide the code and be happy for you to review and assist in making eMunie better.

coinsolidation
September 07, 2014, 07:21:48 PM

> I thought you were trolling, as this topic has come up many times regarding eMunie code. It's unfortunate, but after having so many ideas taken by others, then passed off as theirs with no credit given to me, coupled with the huge amount of time, effort, stress, heartache and personal money vested in this, I simply refuse to give it out to every Tom, Dick and Harry that requests, or as is usual, demands it. However, your intelligent reply warrants both an apology from myself for jumping the gun (though I hope you can appreciate why), and a dose of respect.
>
> If you are indeed serious about performing a peer review, and would have no problem with a binding legal agreement of non-disclosure, then I would be happy to provide the code and be happy for you to review and assist in making eMunie better.

I'm happy to sign an NDA, if doing so under a pseudonym would be much use! Perhaps it would be easier to just send a few files from the core; I presume you've caught things generically for anything REST based, data too large or ill-formed and the like. Any client code is perhaps irrelevant, so we'd just be looking at the core: pick a few files you feel are important to review and I can look at them in a test-to-fail manner to see if I catch anything. I'm not a specialist, but many sets of eyes are better than one or two. Does that work for you? Oops, which language?

Warm regards, and apologies for not researching context and history first - now that you've said it, I remember some of the things you mentioned. Sorry,
Mark

mrvegad
September 07, 2014, 07:24:02 PM

What's the chance of you taking my .dat file manipulation seriously this time?

Nullu
September 07, 2014, 07:25:50 PM

> Yes, there is an extensive REST API which you can call from any number of web platforms via standard AJAX/JSON calls. Almost all core functions of the client are possible to perform through these APIs, including transactions, messaging, DMP, chat etc.

Well, in that case, colour me interested. I've sent over a Skype invite. At the very least, if I don't manage to break something, I'll have some excellent base code for eMunie services later on in the future, but I enjoy tinkering, so if there's anything exploitable there, I'll try to find it.

Fuserleer (OP)
September 07, 2014, 07:36:03 PM

> I'm happy to sign an NDA, if doing so under a pseudonym would be much use! Perhaps it would be easier to just send a few files from the core; I presume you've caught things generically for anything REST based, data too large or ill-formed and the like. Any client code is perhaps irrelevant, so we'd just be looking at the core: pick a few files you feel are important to review and I can look at them in a test-to-fail manner to see if I catch anything. I'm not a specialist, but many sets of eyes are better than one or two. Does that work for you? Oops, which language?
>
> Warm regards, and apologies for not researching context and history first - now that you've said it, I remember some of the things you mentioned. Sorry,
> Mark

Lol, a pseudonym wouldn't really be of use, no.

What you suggest is something I could work with, I think. I would be comfortable sending non-critical core stuff that wouldn't divulge any secrets at first, until we build some form of rapport. Then we could drill into the more sensitive stuff as and when some trust is built.

Language is Java, but as I come from a strong C background that style has very much followed (minimal nesting and abstracted Java functions).

No problem, thanks for understanding.
Dan

Fuserleer (OP)
September 07, 2014, 07:36:50 PM

> What's the chance of you taking my .dat file manipulation seriously this time?

I thought we proved multiple times that what you thought was happening wasn't the case... and more importantly, any glitches you did see were local and didn't jeopardize the network. Additionally, even if you did jeopardize the network and I missed it, that was 8 months back; a lot has changed and been added since then, so it certainly wouldn't be the case now. Local glitches don't count for this test; it HAS to affect the network as a whole.

Fuserleer (OP)
September 07, 2014, 07:37:47 PM

> Well, in that case, colour me interested. I've sent over a Skype invite. At the very least, if I don't manage to break something, I'll have some excellent base code for eMunie services later on in the future, but I enjoy tinkering, so if there's anything exploitable there, I'll try to find it.

Any eyes are better than no eyes, so if you would like to start playing with the APIs and stuff, I'd be happy to oblige. I'm just off to eat; I'll jump on Skype when I get back.

Nullu
September 07, 2014, 07:39:47 PM

> Any eyes are better than no eyes, so if you would like to start playing with the APIs and stuff, I'd be happy to oblige. I'm just off to eat; I'll jump on Skype when I get back.

Great. Just so you're aware, I'm in GMT here, so I'll only have an hour or two left tonight, but I'll be on most evenings this week.

coinsolidation
September 07, 2014, 07:40:36 PM

> What you suggest is something I could work with, I think. I would be comfortable sending non-critical core stuff that wouldn't divulge any secrets at first, until we build some form of rapport. Then we could drill into the more sensitive stuff as and when some trust is built.
>
> Language is Java, but as I come from a strong C background that style has very much followed (minimal nesting and abstracted Java functions).

Sounds good. I don't have unlimited time, but fire something to mark@bitmark.co and I'll review when I can; expect random responses, usually within 48 hours.

Fuserleer (OP)
September 07, 2014, 07:41:37 PM

> Sounds good. I don't have unlimited time, but fire something to mark@bitmark.co and I'll review when I can; expect random responses, usually within 48 hours.

Sure thing, I'll send you some snippets over once I've got the next beta test version prepped, which should be by the end of the week, and we can go from there.