Bitcoin Forum
Author Topic: [ANN] Critical vulnerability (denial-of-service attack)  (Read 23391 times)
lulzplzkthx
May 15, 2012, 04:46:18 PM
 #21

Isn't Bitcoin meant to be public or something, not 'public when you want it to be'?

Fact is, a lot of software companies would never make it public. You're free to try to find the vulnerability in the code yourself, but nobody is obligated to tell you what it is. The code is public. Go read it.

Additionally, it will be made public. It's unimportant the details of what happened as long as a fix has been released. (At least in the short-term.)

Luke-Jr
May 15, 2012, 05:01:11 PM
 #22

FWIW, the network is now 5% secure against CVE-2012-2459.

exahash
May 15, 2012, 06:54:35 PM
 #23

Huge thanks to Gavin and all involved for handling this professionally.  You are first class!
BadBear
May 15, 2012, 09:16:08 PM
 #24

Isn't Bitcoin meant to be public or something, not 'public when you want it to be'?

It is open and public, you could have looked through the code to find it yourself, don't be lazy and expect everyone else to tell you the results of their work.

kjlimo
May 15, 2012, 09:24:09 PM
 #25

FWIW, the network is now 5% secure against CVE-2012-2459.

I'm glad you understand what this means.  I assume it's a good thing.

Thanks to all of your programmers fighting the good fight!

MysteryMiner
May 16, 2012, 01:24:53 AM
 #26

Why did Gavin not use the 0xBE38D3A8 key for signing the post? Did I get the wrong key in my chain?

And when will sf.net have the latest 0.4.x uploaded?

Luke-Jr
May 16, 2012, 01:31:33 AM
 #27

And when will sf.net have the latest 0.4.x uploaded?
SourceForge uploads require 3 independent people to build the same binaries to verify their integrity. Want to volunteer to help out with 0.4.x? :p

westkybitcoins
May 16, 2012, 02:13:58 AM
 #28

Backports for older releases (0.5.5 and 0.4.6) are also available if
you cannot upgrade to version 0.6.2.

Why did Gavin not use the 0xBE38D3A8 key for signing the post? Did I get the wrong key in my chain?

And when will sf.net have the latest 0.4.x uploaded?

In light of Gavin's statements, this seemed like a very reasonable post to me.

Anyhow...

Thanks for the update, Gavin. And thanks to all the coders and testers involved with fixing this.

Maged
May 16, 2012, 02:22:10 AM
 #29

Why did Gavin not use the 0xBE38D3A8 key for signing the post? Did I get the wrong key in my chain?
No, you didn't. I'm curious of this myself.

rjk
May 16, 2012, 02:24:20 AM
 #30

Why did Gavin not use the 0xBE38D3A8 key for signing the post? Did I get the wrong key in my chain?
No, you didn't. I'm curious of this myself.
I don't know if it is relevant, but I happened to see the post when it was first put up, and I saw a signed statement, and upon refresh I saw the signature removed, and another refresh I saw the signature put back on. Unfortunately, I didn't keep any copies of the first post and its initial signature.

theymos
May 16, 2012, 02:25:08 AM
 #31

Why did Gavin not use the 0xBE38D3A8 key for signing the post? Did I get the wrong key in my chain?

The key Gavin used is signed by 0xBE38D3A8. It's his code-signing key.

Luke-Jr
May 16, 2012, 02:26:21 AM
 #32

Why did Gavin not use the 0xBE38D3A8 key for signing the post? Did I get the wrong key in my chain?
I can't speak for why Gavin signed the message with his "CODE SIGNING KEY" rather than his normal one, but at least I can confirm that this key is 4096-bit (his normal one is only 1024-bit) and signed by the normal one. It's also the one he uses to sign all his release builds.

I don't know if it is relevant, but I happened to see the post when it was first put up, and I saw a signed statement, and upon refresh I saw the signature removed, and another refresh I saw the signature put back on. Unfortunately, I didn't keep any copies of the first post and its initial signature.
It's not relevant. The signature was removed when he edited the post to correct the stable version numbers (he had 1 higher than the correct versions), and he re-signed the corrected message later.

MysteryMiner
May 16, 2012, 03:20:21 PM
 #33

First of all, I did not doubt the genuineness of Gavin's post at all. I was surprised that Gavin's key did not match the one stored in my keyring, and I was lazy enough to not look for other signatures.
Quote
SourceForge uploads require 3 independent people to build the same binaries to verify their integrity. Want to volunteer to help out with 0.4.x? :p
Maybe. The wx version sure needs to live on, as it is better in all aspects than the qt version in my opinion. The biggest problem is that I'm not a programmer. I can compile software from source, I can take a look at the code and guess what it probably does, and that's all.

Luke-Jr
May 16, 2012, 03:48:16 PM
 #34

Quote
SourceForge uploads require 3 independent people to build the same binaries to verify their integrity. Want to volunteer to help out with 0.4.x? :p
Maybe. The wx version sure needs to live on, as it is better in all aspects than qt version in my opinion.
wxBitcoin is for all "official" purposes unmaintained and dead. I only support bitcoind 0.4.x, not wxBitcoin. If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...

The biggest problem is that I'm not a programmer. I can compile software from source, I can take a look at the code and guess what it probably does, and that's all.
Getting stuff on SourceForge requires being able to compile with gitian, not much more. That requires Ubuntu right now. If you can help with this, ping me in #Bitcoin-Dev (IRC) and I'll try to help you through it.

MysteryMiner
May 17, 2012, 12:44:49 AM
 #35

Quote
I only support bitcoind 0.4.x, not wxBitcoin. If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Wasn't BitcoinD the same Bitcoin client in "headless" mode?
Quote
If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Probably not by me, unless someone wants to run a Bitcoin look-alike wallet stealer :D But there are some people who like the wx version better. Maybe starting to collect a bounty to be paid for releasing an up-to-date Bitcoin-wx is a better idea.

Luke-Jr
May 17, 2012, 01:41:46 AM
 #36

Quote
I only support bitcoind 0.4.x, not wxBitcoin. If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Wasn't BitcoinD the same Bitcoin client in "headless" mode?
Yes, wxBitcoin and bitcoind 0.4 share(d) the same codebase, and bitcoind 0.4.x is still built with wxBitcoin to avoid breaking anything subtle. But nobody is looking out for or fixing GUI-specific issues, for example. Ideally, someone would bring it up to speed with a port to the 0.6.x codebase too (which I could then just backport fixes from).

Quote
If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Probably not by me, unless someone wants to run a Bitcoin look-alike wallet stealer :D But there are some people who like the wx version better. Maybe starting to collect a bounty to be paid for releasing an up-to-date Bitcoin-wx is a better idea.
Maybe, but it'd need to be someone else doing it - I really hate wx ;)

gmaxwell
May 17, 2012, 05:33:02 AM
 #37

Probably not by me, unless someone wants to run a Bitcoin look-alike wallet stealer :D But there are some people who like the wx version better. Maybe starting to collect a bounty to be paid for releasing an up-to-date Bitcoin-wx is a better idea.

It might be more efficient to raise funds to fix whatever you don't like in the -qt GUI— even if there are irreconcilable differences maintaining a fork of the QT gui would be a lot less work than WX, it's easier to get people willing to work with QT, and the WX version is even a pain to build.
makomk
May 17, 2012, 10:31:49 AM
 #38

Oh my. I think I may have an idea what this is all about, and if I'm right this attack would be scarily easy to implement.

MysteryMiner
May 17, 2012, 10:33:14 AM
 #39

Probably not by me, unless someone wants to run a Bitcoin look-alike wallet stealer :D But there are some people who like the wx version better. Maybe starting to collect a bounty to be paid for releasing an up-to-date Bitcoin-wx is a better idea.

It might be more efficient to raise funds to fix whatever you don't like in the -qt GUI— even if there are irreconcilable differences maintaining a fork of the QT gui would be a lot less work than WX, it's easier to get people willing to work with QT, and the WX version is even a pain to build.

Can the Qt version be made to look and function indistinguishable from wx? I don't think so. There is some software based on Qt that looks good and is intuitive to use, but not much.

What an offtopic.

Luke-Jr
May 17, 2012, 01:32:08 PM
 #40

Can the Qt version be made to look and function indistinguishable from wx?
Probably. Does wx have a consistent look? I thought it just wrapped GTK+ :p
As for function, it should be possible, though probably a lot of work.

There is some software based on Qt that looks good and is intuitive to use, but not much.
Qt doesn't have "looks"; Qt applications just adopt the appearance of your OS, whatever that may be (at least by default; I understand there's some way to "skin" Qt applications...).
