Bitcoin Forum
Author Topic: This message was too old and has been purged  (Read 9265 times)
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 02, 2015, 09:50:39 PM
Last edit: April 17, 2016, 07:59:49 PM by Evil-Knievel
 #1

This message was too old and has been purged
instagibbs
Member
**
Offline Offline

Activity: 114
Merit: 12


View Profile
February 02, 2015, 10:00:35 PM
 #2

I totally believe you. Dang it where's my sarcasm font?
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 02, 2015, 10:03:27 PM
Last edit: April 17, 2016, 07:59:43 PM by Evil-Knievel
 #3

This message was too old and has been purged
entertainment
Sr. Member
****
Offline Offline

Activity: 422
Merit: 250



View Profile WWW
February 02, 2015, 10:54:00 PM
 #4

You should use https://www.vinumeris.com/lighthouse

 Wink

ncsupanda
Legendary
*
Offline Offline

Activity: 1628
Merit: 1012



View Profile
February 02, 2015, 10:56:42 PM
 #5


I agree. I follow a lot of the projects you are working on Evil and I could see a Lighthouse writeup doing well if you are able to prove what you're claiming here.

I would give BTC for this. Thanks!

Edit: For some projects and people who stumble here, this may be interesting:
https://tip4commit.com/projects
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 02, 2015, 10:58:57 PM
Last edit: April 17, 2016, 07:59:36 PM by Evil-Knievel
 #6

This message was too old and has been purged
cr1776
Legendary
*
Offline Offline

Activity: 4032
Merit: 1301


View Profile
February 02, 2015, 11:17:44 PM
 #7

Hello,

I was just curious if there is any sort of bitcoin bug bounty?
I have discovered a serious bug in all previous (and current) bitcoin reference clients which would allow a denial of service on an arbitrary number of bitcoind nodes (as run by exchanges for example).
While this bug may not leak any private data, it allows you to shoot down bitcoin nodes that you are directly connected to. Arbitrary code execution may be possible (but was not tested).

The denial of service works, tested locally in Bitcoin 0.9 and 0.10 branches.
Newspapers or Journalists may ask me for a demonstration in private.

If anyone is interested in a disclosure, I am asking 10 BTC for my time doing a write-up
including detailed explanations: 1LaV9xQvmd1gR4fYYWgFMpPXEgAwBYCQN1

If the balance will not reach 10 BTC, I will pay all amounts back. I will also cover the transaction costs myself.

Hi,
A question: DOS vs "shoot down" vs "arbitrary code execution may be possible". Can you explain more? Are you crashing bitcoind "merely" DOSing the server while connected?

Down thread you said "make your node connect to mine".  Did you mean any node that connects to your node will crash bitcoind?

Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 02, 2015, 11:23:17 PM
Last edit: April 17, 2016, 07:59:30 PM by Evil-Knievel
 #8

This message was too old and has been purged
cr1776
Legendary
*
Offline Offline

Activity: 4032
Merit: 1301


View Profile
February 03, 2015, 12:08:58 AM
 #9

Hi,
A question: DOS vs "shoot down" vs "arbitrary code execution may be possible". Can you explain more? Are you crashing bitcoind "merely" DOSing the server while connected?

Down thread you said "make your node connect to mine".  Did you mean any node that connects to your node will crash bitcoind?



Well, the only thing that is required to "shoot down" a node, is that the node is somehow connected to you. It does not matter who initiated the connection.
The handshake must have already occurred (basically the version message sent and accepted) so it does not work on nodes that block you. Usually that should not be the case anyway.

Now, shooting down means that the bitcoind server completely stops. It can be restarted by hand, but until someone physically walks up to the server and resets the application it will remain in an infinite loop and stop working at all.

Thanks.  I was just curious as to what you were seeing. ;-)   

btw, one thing I was clear about was whether your node is set to do this automatically to anyone who connects to it or you have to trigger it.

I'd ask you to share the details, but given the first post, I presume that is pointless.    Smiley

entertainment
Sr. Member
****
Offline Offline

Activity: 422
Merit: 250



View Profile WWW
February 03, 2015, 12:21:28 AM
 #10

Someone published the link to this thread on reddit: http://www.reddit.com/r/Bitcoin/comments/2ukp87/researcher_discovers_major_dos_vulnerability_in/

Blazr
Hero Member
*****
Offline Offline

Activity: 882
Merit: 1005



View Profile
February 03, 2015, 12:22:50 AM
 #11

You can't seriously expect people to pay you UPFRONT for such a disclosure?!

If you actually know of such an exploit, contact the devs privately and responsibly disclose it ASAP. Then you can ask for your bounty, and you'll probably get more than 10BTC.

cr1776
Legendary
*
Offline Offline

Activity: 4032
Merit: 1301


View Profile
February 03, 2015, 01:07:42 AM
Last edit: February 03, 2015, 03:31:20 AM by cr1776
 #12

You can't seriously expect people to pay you UPFRONT for such a disclosure?!

If you actually know of such an exploit, contact the devs privately and responsibly disclose it ASAP. Then you can ask for your bounty, and you'll probably get more than 10BTC.

It is much more likely there is a bug in the software as compared to the odds there is a 'bug' in the math. :-)

Some reading on the ECDSA claims:
https://bitcointalk.org/index.php?topic=437220.msg4808560#msg4808560
https://bitcointalk.org/index.php?topic=421842.0
bassguitarman
Hero Member
*****
Offline Offline

Activity: 728
Merit: 500



View Profile
February 03, 2015, 02:16:41 AM
 #13

Hello,

I was just curious if there is any sort of bitcoin bug bounty?
I have discovered a serious bug in all previous (and current) bitcoin reference clients which would allow a denial of service on an arbitrary number of bitcoind nodes (as run by exchanges for example).
While this bug may not leak any private data, it allows you to shoot down bitcoin nodes that you are directly connected to. Arbitrary code execution may be possible (but was not tested).

The denial of service works, tested locally in Bitcoin 0.9 and 0.10 branches.
Newspapers or Journalists may ask me for a demonstration in private.

If anyone is interested in a disclosure, I am asking 10 BTC for my time doing a write-up
including detailed explanations: 1LaV9xQvmd1gR4fYYWgFMpPXEgAwBYCQN1

If the balance will not reach 10 BTC, I will pay all amounts back. I will also cover the transaction costs myself.

I'm also a developer, and if you're interested, I can verify your claims if needed
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4172
Merit: 8418



View Profile WWW
February 03, 2015, 02:38:06 AM
Last edit: February 03, 2015, 02:54:35 AM by gmaxwell
 #14

I guess you didn't learn after your prior stunts resulting in negative trust?  (For some context Evil-Knievel incorrectly (and seemingly dishonestly) claimed to have compromises for ECDSA in the past and tried charging for them; conduct which he currently bears negative trust for.)

If you believe you have some DOS attack please report it responsibly to bitcoin-security@lists.sourceforge.net  (or feel free to report it encrypted privately to any of the Bitcoin core committers if you think it's super critical), just like anyone else does. We consider DOS attacks to be important, but fundamentally you cannot prevent DOS because an attacker can just exhaust your bandwidth, instead DOS is prevented by not exposing your critical infrastructure to the public network directly.  We usually fix several DOS-ish issues in each release, it may also be that anything you know about is already known and a coordinated fix is in progress. In any case, you'll be credited for your contribution.  Demanding an enormous bounty for what sounds like something that is not terribly concerning is unreasonable and isn't likely to happen (it would be incredibly counterproductive to pay you when other people have done _far_ more work and found far more serious issues in the past).

If your actions caused foreseeable and preventable harm to others you may find yourself subject to civil litigation by the harmed parties. I would strongly encourage you to behave responsibly.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 07:20:09 AM
Last edit: April 17, 2016, 07:59:24 PM by Evil-Knievel
 #15

This message was too old and has been purged
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4172
Merit: 8418



View Profile WWW
February 03, 2015, 07:33:59 AM
Last edit: February 03, 2015, 07:45:20 AM by gmaxwell
 #16

Maybe I would have acted differently if you would have reacted differently back then, meaning facing my ideas with interest (even if they were wrong, as you correctly pointed out) instead of immediate negative trust.
Immediate? Only your continued deceptive behavior earned you that negative trust. Your post was on January 18th, the down rating was on March 18th, in between there there was a half dozen posts by me. You never even backed out your deceptive claims.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 07:51:15 AM
Last edit: April 17, 2016, 07:59:18 PM by Evil-Knievel
 #17

This message was too old and has been purged
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4172
Merit: 8418



View Profile WWW
February 03, 2015, 08:32:25 AM
 #18

You are right, I was not always transparent, not always right, and not very communicative. But I was working day and night to understand every single part of the software and the protocol, sometimes I was right sometimes I was wrong. Anyways ... I am preparing a video for you right now demonstrating the DOS on a stock Bitcoin 0.9 node (of mine) and send it to you in private.
Why use year old software? I'm not sure what a video is supposed to prove. The bogus ECDSA "cracker" had a proof video too.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 09:43:32 AM
Last edit: April 17, 2016, 07:59:12 PM by Evil-Knievel
 #19

This message was too old and has been purged
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4172
Merit: 8418



View Profile WWW
February 03, 2015, 03:15:46 PM
 #20

A possible attack scenario would be to shoot down mining pools so that others are favourized. Also netsplits are being a lot easier now, this is a serious bug in my humble opinion.
Mining pools hide their private mining nodes from the network, so it's not quite so simple.

Quote
I am just thinking on how to disclose it, because I would like to have my time honored in some manner.
If someone would promise me, to honor my time in a proper way in case the bug really works, I would disclose it (to you privately if preferred) immediately.
I would be also willing to donate all my bitcoins to the bitcoin foundation in case my DOS is not working ;-)

I have a proof of concept script, that will shoot down your local (or any other node that you can reach by its ip) in a manner of microseconds. Ready when you are.
If it's really as simple as send a few messages and crash a node and affects 0.10 then I agree it needs to be fixed right away... You'd be credited in the commit for the fix (and likely a CVE, if it's an outright crash), like anyone else who has reported a similar issue. This is the reasonable and customary way things are handled in open source projects, and the only reasonably scalable one (even if you put in 'a lot' of time, it pales in comparison to the thousands of hours put in by others; besides who do you think can afford that? non-technical people don't give a crap about this stuff... they think the software is magic).  I'd also remove the negative trust I have against you here on the forum, since you made good; and not harass you in the future about initial asking for a huge out-of-the-norm bounty in this case. That's all I can offer.  Otherwise, if something exists here that is unknown, it'll have to wait until someone else rediscovers it.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 04:00:10 PM
Last edit: April 17, 2016, 07:59:06 PM by Evil-Knievel
 #21

This message was too old and has been purged
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 04:06:57 PM
Last edit: April 17, 2016, 07:59:00 PM by Evil-Knievel
 #22

This message was too old and has been purged
ncsupanda
Legendary
*
Offline Offline

Activity: 1628
Merit: 1012



View Profile
February 03, 2015, 04:12:22 PM
 #23

Quickseller just gave me a negative feedback claiming that the bug does not exist.
I was right now preparing a private message to you explaining the bug in detail ... but if this is the way it works in this community, I am definitely done here :-(


I am interested in this method for the sake of reporting it. I'm not sure if my lack of trust will prevent you from messaging me about it, but it's worth a shot.

Something like this ought to be fixed.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 04:31:47 PM
Last edit: April 17, 2016, 07:58:53 PM by Evil-Knievel
 #24

This message was too old and has been purged
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 03, 2015, 04:38:50 PM
 #25

EDIT:

Why are you asking for 10 btc? I think it would be better to report that "bug" to bitcoin core devs and after maybe someone will send you a donation.
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
February 03, 2015, 04:40:36 PM
 #26

EDIT:

Why are you asking for 10 btc? I think it would be better to report that "bug" to bitcoin core devs and after maybe someone will send you a donation.

Why not?  Some people like to get paid for finding exploits.  If it's a major flaw, then he deserves more than 10BTC.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 04:40:41 PM
Last edit: April 17, 2016, 07:58:46 PM by Evil-Knievel
 #27

This message was too old and has been purged
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 03, 2015, 04:42:22 PM
 #28

EDIT:

Why are you asking for 10 btc? I think it would be better to report that "bug" to bitcoin core devs and after maybe someone will send you a donation.

Why not?  Some people like to get paid for finding exploits.  If it's a major flaw, then he deserves more than 10BTC.

Yes, but first report the bug and after "maybe" the bitcoin core devs will send you a bounty. Not in the other way, if he is serious.
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 03, 2015, 04:43:27 PM
 #29

EDIT:
Why are you asking for 10 btc? I think it would be better to report that "bug" to bitcoin core devs and after maybe someone will send you a donation.

Was just hoping for some kind of support, was sitting over a month doing code reviews in the bitcoin code tree and still have to pay my bills somehow.
Anyway, you are right so I have contacted gmaxwell about this in private with a proof of concept.

Then good luck, if you are right I think quickseller and gmaxwell will remove the feedback against you (there will not be a problem of course).
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
February 03, 2015, 04:44:53 PM
 #30

EDIT:

Why are you asking for 10 btc? I think it would be better to report that "bug" to bitcoin core devs and after maybe someone will send you a donation.

Why not?  Some people like to get paid for finding exploits.  If it's a major flaw, then he deserves more than 10BTC.

Yes, but first report the bug and after "maybe" the bitcoin core devs will send you a bounty. Not in the other way, if he is serious.

Yeah, but it's a "maybe"?  He could sell the exploit to a mining pool in China for a lot more than 10 BTC, but he didn't.  I don't think there is anything wrong with someone asking to get paid for a major exploit found.  It's more productive than short selling market manipulators who are destroying the price of BTC.
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 03, 2015, 04:48:07 PM
 #31

EDIT:

Why are you asking for 10 btc? I think it would be better to report that "bug" to bitcoin core devs and after maybe someone will send you a donation.

Why not?  Some people like to get paid for finding exploits.  If it's a major flaw, then he deserves more than 10BTC.

Yes, but first report the bug and after "maybe" the bitcoin core devs will send you a bounty. Not in the other way, if he is serious.

Yeah, but it's a "maybe"?  He could sell the exploit to a mining pool in China for a lot more than 10 BTC, but he didn't.  I don't think there is anything wrong with someone asking to get paid for a major exploit found.  It's more productive than short selling market manipulators who are destroying the price of BTC.

If the bug exists, but now we should only wait for a confirmation from gmaxwell. I'm sure Evil-Knievel will receive a bounty (if he is right).
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
February 03, 2015, 04:51:23 PM
 #32

Yeah, but it's a "maybe"?  He could sell the exploit to a mining pool in China for a lot more than 10 BTC, but he didn't.  I don't think there is anything wrong with someone asking to get paid for a major exploit found.  It's more productive than short selling market manipulators who are destroying the price of BTC.

If the bug exists, but now we should only wait for a confirmation from gmaxwell. I'm sure Evil-Knievel will receive a bounty (if he is right).

I'll throw him a BTC if it's legit.  Also, idiot members shouldn't leave him negative trust without explanation here.  It's the wrong way to deal with exploits.
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2300


View Profile
February 03, 2015, 05:12:04 PM
 #33

This guy is a scammer. If he actually had the exploit that he claims to have, he could easily sell it to an exchange who would potentially stand to lose hundreds of millions of dollars if the exploit were to be used against them.

The same is true for mining pools although they do not have quite as much money at stake.

Again the same is true for casino operators. Oh wait this guy scammed Casinobitcoin out of 5 BTC to provide evidence of such exploit (see his trust). Additionally this person was trying to get people to pay him for another "exploit" several months ago.

He is offering to show the "media" evidence of such an exploit however the media does not have a technical background and would  not be capable of questioning if this would actually work or not.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 05:46:14 PM
Last edit: April 17, 2016, 07:58:40 PM by Evil-Knievel
 #34

This message was too old and has been purged
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2300


View Profile
February 03, 2015, 05:50:32 PM
 #35

You are clearly trying to profit off of this exploit. The difference between my suggestion and what you are asking is for the community to pay you up front to reveal the exploit versus you likely having to reveal the exploit first to the exchange (or whoever you are selling it to).
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 03, 2015, 05:55:53 PM
 #36

You are clearly trying to profit off of this exploit. The difference between my suggestion and what you are asking is for the community to pay you up front to reveal the exploit versus you likely having to reveal the exploit first to the exchange (or whoever you are selling it to).

No I don't think, he should reveal the "bug" to bitcoin core devs not to the various exchanges. I think they will send a big bounty if the bug exists.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 03, 2015, 06:22:30 PM
Last edit: April 17, 2016, 07:58:33 PM by Evil-Knievel
 #37

This message was too old and has been purged
amacar
Hero Member
*****
Offline Offline

Activity: 546
Merit: 500


View Profile
February 03, 2015, 06:24:42 PM
 #38

Just put donations address to one of trusted members and problem is solved. If there is no bug he will return BTC, else you will receive the whole amount.
cr1776
Legendary
*
Offline Offline

Activity: 4032
Merit: 1301


View Profile
February 03, 2015, 10:14:18 PM
 #39

Thank you for sending it to GM.  That was the right thing to do.



You are clearly trying to profit off of this exploit. The difference between my suggestion and what you are asking is for the community to pay you up front to reveal the exploit versus you likely having to reveal the exploit first to the exchange (or whoever you are selling it to).

So what is wrong with that?
Let's say you work at a fast food restaurant, then you also try to profit from the time you invest to roast all those hamburgers, don't you?
So what is wrong with doing careful code reviews and trying to live from that?

Also, I see no problem with asking for a payment upfront? When you order something online you also have to pay upfront before you receive the goods, don't you?
You are criticising all those points, that you do in the same manner in your regular life in exactly the same way (except you are an unemployed guy, who orders goods without paying for them before, which I hope you aren't)
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
February 04, 2015, 12:01:19 AM
 #40

Waiting for gmaxwell.
TylerJordan
Newbie
*
Offline Offline

Activity: 58
Merit: 0



View Profile
February 04, 2015, 12:25:22 PM
 #41

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiners wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

DannyHamilton
Legendary
*
Offline Offline

Activity: 3388
Merit: 4653



View Profile
February 04, 2015, 02:25:14 PM
 #42

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiners wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

If you feel strongly about this, then you should start one.  The only reason that a strong bounty system doesn't exist is because nobody has bothered creating one.  It's an open system, feel free to be the guy that is responsible for creating and maintaining a reliable and trustworthy bounty program.
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
February 04, 2015, 04:46:53 PM
 #43

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiners wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

If you feel strongly about this, then you should start one.  The only reason that a strong bounty system doesn't exist is because nobody has bothered creating one.  It's an open system, feel free to be the guy that is responsible for creating and maintaining a reliable and trustworthy bounty program.

That's BS.  Why wouldn't the "Foundation" have one?  You expect random users to start an important security related program for BTC?  Perhaps we wouldn't have issues like malleability if the Foundation was more proactive about this kind of stuff.  I guess they can discuss it at their Caribbean retreat Roll Eyes meanwhile hacks continue.
DannyHamilton
Legendary
*
Offline Offline

Activity: 3388
Merit: 4653



View Profile
February 04, 2015, 04:57:36 PM
 #44

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiners wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

If you feel strongly about this, then you should start one.  The only reason that a strong bounty system doesn't exist is because nobody has bothered creating one.  It's an open system, feel free to be the guy that is responsible for creating and maintaining a reliable and trustworthy bounty program.

That's BS.  Why wouldn't the "Foundation" have one?

"The Foundation" is simply a private club of bitcoin enthusiasts. There is nothing official about them.  You are welcome to start your own club and call it "The Bitcoin Association" if you want.  Unless you are a member of their club, they are not beholden to any of your personal interests.  If you want them to have a bounty program, then join their club and campaign for it.

You expect random users to start an important security related program for BTC?

Yes.  The bitcoin system is decentralized and open.  There is no "Bitcoin Company".  If anything ever gets done in the bitcoin community, it is only because a random user decided that it needed to be done, so they did it.

Perhaps we wouldn't have issues like malleability if the Foundation was more proactive about this kind of stuff.

Malleability was known about from very early on.  It wasn't addressed because there weren't any "random users" that felt it was important enough to address.

I guess they can discuss it at their Caribbean retreat Roll Eyes meanwhile hacks continue.

It's their retreat. They can discuss whatever they want.  Meanwhile, you are welcome to sit on your whining butt and continue to complain to the universe about how it doesn't operate the way you want it to.
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
February 04, 2015, 10:27:50 PM
 #45

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiners wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

If you feel strongly about this, then you should start one.  The only reason that a strong bounty system doesn't exist is because nobody has bothered creating one.  It's an open system, feel free to be the guy that is responsible for creating and maintaining a reliable and trustworthy bounty program.

That's BS.  Why wouldn't the "Foundation" have one?

"The Foundation" is simply a private club of bitcoin enthusiasts. There is nothing official about them.  You are welcome to start your own club and call it "The Bitcoin Association" if you want.  Unless you are a member of their club, they are not beholden to any of your personal interests.  If you want them to have a bounty program, then join their club and campaign for it.

You expect random users to start an important security related program for BTC?

Yes.  The bitcoin system is decentralized and open.  There is no "Bitcoin Company".  If anything ever gets done in the bitcoin community, it is only because a random user decided that it needed to be done, so they did it.

Perhaps we wouldn't have issues like malleability if the Foundation was more proactive about this kind of stuff.

Malleability was known about from very early on.  It wasn't addressed because there weren't any "random users" that felt it was important enough to address.

I guess they can discuss it at their Caribbean retreat Roll Eyes meanwhile hacks continue.

It's their retreat. They can discuss whatever they want.  Meanwhile, you are welcome to sit on your whining butt and continue to complain to the universe about how it doesn't operate the way you want it to.

Thank you for the lessons wise one, until now I thought Bitcoin was a company run by the Foundation who was orchestrating Malleability hacks on exchanges.  I guess I should get off my whiny butt, after all, I've been here longer than you and haven't had the severely limited time to reach Legendary status.
zanzibar
Hero Member
*****
Offline Offline

Activity: 715
Merit: 500



View Profile
February 04, 2015, 11:25:14 PM
 #46

Malleability was known about from very early on.  It wasn't addressed because there weren't any "random users" that felt it was important enough to address.

That's the point of a bounty program, to find exploits of known bugs.  I'm also really surprised there isn't a bug bounty program in place.  The Foundation would be able to easily organize something like this with the most exposure.  We are past the "everybody needs to contribute" days, need to be more organized for mass adoption.
TylerJordan
Newbie
*
Offline Offline

Activity: 58
Merit: 0



View Profile
February 05, 2015, 12:50:12 PM
 #47

Evil-K has found hard bugs before, he's proven he's capable. I think he should have been taken very seriously from the beginning.

On another note, I'm really shocked that there isn't a strong bounty system in place for catching bugs in the bitcoin code-base.  shocked!  If bitcoiners wanted serious hard looks at the code, then IMO they'd consider looking into implementing a rewards/bounty program.

If you feel strongly about this, then you should start one.  The only reason that a strong bounty system doesn't exist is because nobody has bothered creating one.  It's an open system, feel free to be the guy that is responsible for creating and maintaining a reliable and trustworthy bounty program.

I feel strongly about being shocked. However as I don't use bitcoin anymore, except transitionally to buy NXT and MAIDSAFE, I'll leave the implementation of a bounty system to those who are invested in bitcoin and who would like to see the code analyzed with a fine-tooth comb.

but I tell ya....I'm shocked!   Grin
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 05, 2015, 02:34:13 PM
 #48

@gmaxwell, can you tell if Evil-Knievel is right or not? Thanks for the attention.
noma
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
February 05, 2015, 02:51:32 PM
 #49

Even though he has sent the bug to gmaxwell to be reviewed, why did he already get a negative trust?

Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 05, 2015, 03:04:19 PM
Last edit: April 17, 2016, 07:57:42 PM by Evil-Knievel
 #50

This message was too old and has been purged
alani123
Legendary
*
Offline Offline

Activity: 2394
Merit: 1415


Leading Crypto Sports Betting & Casino Platform


View Profile
February 05, 2015, 03:07:52 PM
 #51

You'd expect that something as big as bitcoin with an entire foundation behind it would have at least a small bug bounty. Yet we get to hear that no one cared enough to create one.

mtwelve
Legendary
*
Offline Offline

Activity: 1330
Merit: 1009



View Profile WWW
February 05, 2015, 03:46:45 PM
 #52

Sent pm Wink

ABitNut
Hero Member
*****
Offline Offline

Activity: 764
Merit: 500


I'm a cynic, I'm a quaint


View Profile
February 06, 2015, 07:45:19 AM
 #53

Even though he has sent the bug to gmaxwell to be reviewed, why did he already get a negative trust?

Self-proclaimed internet-sheriff's blind anger. Questionable behaviour, I agree.

Speaking about questionable behaviour... To me "Hey, I found a critical bug. I will inform you about it for BTC10" sounds an awful lot like "Hey, I can break your legs. For $2000 I won't".
bitspill
Legendary
*
Offline Offline

Activity: 2058
Merit: 1015



View Profile
February 06, 2015, 07:50:33 AM
 #54

Even though he has sent the bug to gmaxwell to be reviewed, why did he already get a negative trust?

Self-proclaimed internet-sheriff's blind anger. Questionable behaviour, I agree.

Speaking about questionable behaviour... To me "Hey, I found a critical bug. I will inform you about it for BTC10" sounds an awful lot like "Hey, I can break your legs. For $2000 I won't".

No, because then he'd be saying if you don't pay me the 10 btc I'm going to start shooting down every node I see until it's fixed.

Rather he simply wants to be compensated for his time spent digging into the code and finding a vulnerability.


To those who believe the Bitcoin Foundation should not offer these bounties I ask why does the EFF offer bounties and prizes?



Edit: Has gmaxwell verified the claim sent by PM yet?

{ BitSpill }
thompete
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
February 06, 2015, 08:17:04 AM
 #55



Edit: Has gmaxwell verified the claim sent by PM yet?

I don't think it has been verified yet. All I see is a negative trust back in 2013 March by gmaxwell himself for a similar claim.
So I am confused about the whole situation right now.

ABitNut
Hero Member
*****
Offline Offline

Activity: 764
Merit: 500


I'm a cynic, I'm a quaint


View Profile
February 06, 2015, 09:47:41 AM
 #56

Even though he has sent the bug to gmaxwell to be reviewed, why did he already get a negative trust?

Self-proclaimed internet-sheriff's blind anger. Questionable behaviour, I agree.

Speaking about questionable behaviour... To me "Hey, I found a critical bug. I will inform you about it for BTC10" sounds an awful lot like "Hey, I can break your legs. For $2000 I won't".

No, because then he'd be saying if you don't pay me the 10 btc I'm going to start shooting down every node I see until it's fixed.

Rather he simply wants to be compensated for his time spent digging into the code and finding a vulnerability.


To those who believe the Bitcoin Foundation should not offer these bounties I ask why does the EFF offer bounties and prizes?



Edit: Has gmaxwell verified the claim sent by PM yet?

I realise that, which is why I said "sounds an awful lot like". Obviously he wants compensation for his work, which is alright. He's just not packaging his request that nicely. He's obviously rubbing people the wrong way. If he were to present it nicer he would be more likely to get what he wants™.

Also the EFF offers those bounties to give people an incentive to go out and find issues. Evil-Knievel doesn't need such an incentive. He goes out looking with no prospect of a reward, only to request it upon finding something.

It's like finding someone's wallet. If you return it do you demand $10? Or do you just give it back and accept whatever reward they give? And how does that change if the owner put out posters offering a reward for finding their wallet?

Anyway, bottom line is that if he found an issue he deserves something. But there's no obligation for anyone to give him what he deserves.
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 06, 2015, 10:41:06 AM
 #57

However, why not "make" this bug and "turn off" some bitcoin node? I think it will be a valid proof. What do you think, guys?
xyzzyx
Sr. Member
****
Offline Offline

Activity: 490
Merit: 250


I don't really come from outer space.


View Profile
February 06, 2015, 11:56:57 AM
 #58

However, why not "make" this bug and "turn off" some bitcoin node? I think it will be a valid proof. What do you think, guys?

As long as he gets permission from the node operator first, I think that's an excellent idea.

"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov
bitspill
Legendary
*
Offline Offline

Activity: 2058
Merit: 1015



View Profile
February 06, 2015, 12:24:50 PM
 #59

However, why not "make" this bug and "turn off" some bitcoin node? I think it will be a valid proof. What do you think, guys?

That's exactly what you're not supposed to do when trying to disclose a bug.

http://mashable.com/2013/08/18/facebook-hacker-zuckerberg-timeline/

{ BitSpill }
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 06, 2015, 12:27:44 PM
 #60

However, why not "make" this bug and "turn off" some bitcoin node? I think it will be a valid proof. What do you think, guys?

That's exactly what you're not supposed to do when trying to disclose a bug.

http://mashable.com/2013/08/18/facebook-hacker-zuckerberg-timeline/

I know, but if he gets permission I think that is the best idea to prove he is right.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 06, 2015, 01:11:04 PM
Last edit: April 17, 2016, 07:57:23 PM by Evil-Knievel
 #61

This message was too old and has been purged
alani123
Legendary
*
Offline Offline

Activity: 2394
Merit: 1415


Leading Crypto Sports Betting & Casino Platform


View Profile
February 06, 2015, 01:41:32 PM
 #62

So no more replies from gmaxwell? Were his claims credible?

redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
February 06, 2015, 02:06:05 PM
 #63

Just for the record: The bitcoind node that redsn0w has set up on a VPS server was shot down within less than 10 seconds; the bitcoind node consumed so much CPU and memory that the entire server stopped working. Even a login via SSH was not possible anymore.

I can "confirm" but it was only a small droplet with the basic specifics. These were the graphs:

I don't know what he did. I've suggested that he try with another Linux machine (not a VPS), and maybe someone here can help him.
Throwaway_Acc
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 06, 2015, 02:11:49 PM
 #64

Even though he has sent the bug to gmaxwell to be reviewed, why did he already get a negative trust?

Self-proclaimed internet-sheriff's blind anger. Questionable behaviour, I agree.

Speaking about questionable behaviour... To me "Hey, I found a critical bug. I will inform you about it for BTC10" sounds an awful lot like "Hey, I can break your legs. For $2000 I won't".

No, because then he'd be saying if you don't pay me the 10 btc I'm going to start shooting down every node I see until it's fixed.

Rather he simply wants to be compensated for his time spent digging into the code and finding a vulnerability.


To those who believe the Bitcoin Foundation should not offer these bounties I ask why does the EFF offer bounties and prizes?



Edit: Has gmaxwell verified the claim sent by PM yet?

I realise that, which is why I said "sounds an awful lot like". Obviously he wants compensation for his work, which is alright. He's just not packaging his request that nicely. He's obviously rubbing people the wrong way. If he were to present it nicer he would be more likely to get what he wants™.

Also the EFF offers those bounties to give people an incentive to go out and find issues. Evil-Knievel doesn't need such an incentive. He goes out looking with no prospect of a reward, only to request it upon finding something.

It's like finding someone's wallet. If you return it do you demand $10? Or do you just give it back and accept whatever reward they give? And how does that change if the owner put out posters offering a reward for finding their wallet?

Anyway, bottom line is that if he found an issue he deserves something. But there's no obligation for anyone to give him what he deserves.

If I am not mistaken, Evil Knievel discovered a flaw in the NXT code last year and received a reward. So I think he should be taken seriously.

While some may not like his approach, there is nothing illegal or wrong or unethical about it. He spent his own time and resources to discover the exploit, and if he feels he deserves 10BTC for it, then so be it. Whether anyone takes up his offer is another matter altogether. Leaving him negative ratings and attacking his motives sets a negative precedent for the future. Not everyone is just willing to volunteer their time and effort for free, open source or otherwise. Isn't Bitcoin all about free market?

He could have sold the exploit to a short selling whale or a Bitcoin detractor and get paid more than 10BTC. Bitcoin as a whole would've suffered.

I suggest everyone keep their judgement until GMaxwell responds.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 06, 2015, 02:13:24 PM
Last edit: April 17, 2016, 07:57:17 PM by Evil-Knievel
 #65

This message was too old and has been purged
MadCow
Hero Member
*****
Offline Offline

Activity: 655
Merit: 500



View Profile
February 08, 2015, 02:49:51 AM
 #66

So no more replies from gmaxwell? Were his claims credible?

HuhHuh
xyzzyx
Sr. Member
****
Offline Offline

Activity: 490
Merit: 250


I don't really come from outer space.


View Profile
February 08, 2015, 03:28:02 AM
 #67

Yes, the NXT developers have a very good bounty program. It was fun to hack for a month back then, and after all I received 100.000 NXT as a bounty.

We Nxt people like it when others break our toys.  Wink   It benefits us to make our platform stronger.

"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov
alani123
Legendary
*
Offline Offline

Activity: 2394
Merit: 1415


Leading Crypto Sports Betting & Casino Platform


View Profile
February 09, 2015, 12:42:51 AM
 #68

So Evil-Knievel, care to enlighten us on what happened? Give us your version.

TylerJordan
Newbie
*
Offline Offline

Activity: 58
Merit: 0



View Profile
February 09, 2015, 12:48:10 AM
 #69

Perhaps gmaxwell doesn't want to say anything until there is a fix -- keeping a lid on the problem so it doesn't become a problem for the network.
bitspill
Legendary
*
Offline Offline

Activity: 2058
Merit: 1015



View Profile
February 09, 2015, 05:37:00 AM
 #70

Perhaps gmaxwell doesn't want to say anything until there is a fix -- keeping a lid on the problem so it doesn't become a problem for the network.

If that's the case it'd be good if he can at least confirm it does exist and is being worked on so both quickseller and him remove their negative feedbacks.

{ BitSpill }
BCwinning
Hero Member
*****
Offline Offline

Activity: 770
Merit: 500


View Profile
February 09, 2015, 05:47:08 AM
 #71

Out of curiosity have you attempted this on the namecoin network lately?
I'm sure it will work there too but that isn't the reason I ask.

The New World Order thanks you for your support of Bitcoin and encourages your continuing support so that they may track your expenditures easier.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 09, 2015, 10:41:17 AM
Last edit: April 17, 2016, 07:55:52 PM by Evil-Knievel
 #72

This message was too old and has been purged
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
February 14, 2015, 10:21:36 PM
 #73

News?
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
February 17, 2015, 01:02:45 PM
 #74

I guess no news are no news.
Daedelus
Hero Member
*****
Offline Offline

Activity: 574
Merit: 500



View Profile
February 17, 2015, 01:23:33 PM
 #75

Shame. I'd feel pretty badly treated if I were EK, nothing but venom hurled his way and then didn't even acknowledge his ideas when he gave them away for free.
Eisenhower34
Legendary
*
Offline Offline

Activity: 906
Merit: 1002



View Profile
February 17, 2015, 03:32:52 PM
 #76

Yes, we truly do need some sort of decentralized bounty reward system for users who contribute to fixing exploits and bugs. It does take a considerable amount of time and resources to work and fix flaws and exploits such as these. It's in the best interest of everyone involved within Bitcoin to have these problems addressed and remedied.

I see both sides of the spectrum here and depending on the severity of the exploit and the effort used to research it should depend on the bounty paid. This is the only problem with Open Source software and developers working on these projects. It's hard to financially justify dedicating hours and hours of free work with little reward rather than recognition and self improvement. Once a decentralized bounty system is in place then I believe we will truly see great effort put forth in all of our favorite OSS projects (Tor, GnuPG, Bitcoin, KeePass, etc).

Thanks for your time and effort spent in researching this, and I do appreciate and hope you responsibly handle your discoveries rather than illicitly exploiting them for personal gain.
instagibbs
Member
**
Offline Offline

Activity: 114
Merit: 12


View Profile
February 17, 2015, 05:18:11 PM
 #77

Shame. I'd feel pretty badly treated if I were EK, nothing but venom hurled his way and then didn't even acknowledge his ideas when he gave them away for free.

Check his claims history. Big waster of time, historically.
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
February 17, 2015, 05:27:24 PM
 #78

No comments from @gmaxwell yet?

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
Daedelus
Hero Member
*****
Offline Offline

Activity: 574
Merit: 500



View Profile
February 17, 2015, 10:52:55 PM
 #79

Shame. I'd feel pretty badly treated if I were EK, nothing but venom hurled his way and then didn't even acknowledge his ideas when he gave them away for free.

Check his claims history. Big waster of time, historically.

So that makes what appears to be a proven exploit less significant? Get down off your high horse
lolled
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
February 17, 2015, 10:58:27 PM
 #80

No comments from @gmaxwell yet?

Doesn't look like it

abyrnes81
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500



View Profile
February 17, 2015, 11:11:31 PM
 #81

No comments from @gmaxwell yet?

Doesn't look like it

Maybe he is busy and he can't reply, I do not know. Is this bug real or not? Because now a lot of people (various nodes) have updated their client.
lolled
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
February 17, 2015, 11:13:44 PM
 #82

No comments from @gmaxwell yet?

Doesn't look like it

Maybe he is busy and he can't reply, I do not know. Is this bug real or not? Because now a lot of people (various nodes) have updated their client.

EvilKnievel has a negative rep for a similar thing from gmaxwell back in 2014. Not sure if he would take him seriously on this now.

Daedelus
Hero Member
*****
Offline Offline

Activity: 574
Merit: 500



View Profile
February 17, 2015, 11:16:27 PM
 #83

Just for the record: The bitcoind node that redsn0w has set up on a VPS server was shot down within less than 10 seconds; the bitcoind node consumed so much CPU and memory that the entire server stopped working. Even a login via SSH was not possible anymore.

I can "confirm" but it was only a small droplet with the basic specifics. These were the graphs:

I don't know what he did. I've suggested that he try with another Linux machine (not a VPS), and maybe someone here can help him.

How do you explain this? ^
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 17, 2015, 11:56:38 PM
Last edit: April 17, 2016, 07:52:30 PM by Evil-Knievel
 #84

This message was too old and has been purged
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2300


View Profile
February 18, 2015, 12:44:37 AM
 #85

EvilKnievel has a negative rep for a similar thing from gmaxwell back in 2014. Not sure if he would take him seriously on this now.

Please check again.
Evil-Knievel, I wanted to follow up with you. I previously said that I thought you were lying about this exploit; however, you were able to show a "real world" demonstration with redsn0w's full node (with his permission) and it appears that gmaxwell has evaluated your claim and apparently your claim checked out.
ncsupanda
Legendary
*
Offline Offline

Activity: 1628
Merit: 1012



View Profile
February 19, 2015, 08:50:56 PM
 #86

https://vinumeris.com/_lighthouse/crowdfund/project/bug-bounty-requested-10-btc-for-dos-bug-in-current-clients

Edit: Dead link atm. Not sure why.
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
February 19, 2015, 09:54:45 PM
 #87

Do we have six confirmations yet?  Wink

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
ABitNut
Hero Member
*****
Offline Offline

Activity: 764
Merit: 500


I'm a cynic, I'm a quaint


View Profile
February 19, 2015, 11:52:06 PM
 #88

The silence is becoming slightly awkward. It seems that there is indeed an issue. Is this issue being addressed at the moment? Is there a discussion about it elsewhere that I'm not aware of?

What gives?
bitspill
Legendary
*
Offline Offline

Activity: 2058
Merit: 1015



View Profile
February 20, 2015, 07:39:38 AM
 #89

Doesn't look like it's the DOS bug but here is gmaxwell crediting Evil with finding a bug https://github.com/bitcoin/bitcoin/pull/5770

{ BitSpill }
ABitNut
Hero Member
*****
Offline Offline

Activity: 764
Merit: 500


I'm a cynic, I'm a quaint


View Profile
February 20, 2015, 08:45:18 AM
 #90

Doesn't look like it's the DOS bug but here is gmaxwell crediting Evil with finding a bug https://github.com/bitcoin/bitcoin/pull/5770

Actually being able to get a third party to process control characters would be a vector for some shenanigans. Nice catch by Evil Knievel there.

Thanks for linking to that pull request.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 20, 2015, 09:31:41 AM
Last edit: April 17, 2016, 07:52:18 PM by Evil-Knievel
 #91

This message was too old and has been purged
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
February 20, 2015, 04:28:20 PM
 #92

Doesn't look like it's the DOS bug but here is gmaxwell crediting Evil with finding a bug https://github.com/bitcoin/bitcoin/pull/5770

This is a completely different topic, but thanks to Gmaxwell for the credits. I really appreciate that.

I would assume their silence means they are actively working on a solution.  Great to see these bugs addressed and credited in the proper way.  Smiley
abyrnes81
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500



View Profile
February 20, 2015, 06:09:06 PM
 #93

Has he received any bounty for discovering this bug? If the reply is yes, how much has he received?
ncsupanda
Legendary
*
Offline Offline

Activity: 1628
Merit: 1012



View Profile
February 20, 2015, 07:20:57 PM
 #94

Lighthouse approved the posting this afternoon, so fundraising should be possible.
Evil-Knievel (OP)
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
February 20, 2015, 07:50:17 PM
Last edit: April 17, 2016, 07:52:00 PM by Evil-Knievel
 #95

This message was too old and has been purged
ncsupanda
Legendary
*
Offline Offline

Activity: 1628
Merit: 1012



View Profile
February 20, 2015, 08:16:37 PM
Last edit: February 20, 2015, 10:05:21 PM by ncsupanda
 #96

Lighthouse approved the posting this afternoon, so fundraising should be possible.

Wow, you guys are such a great community. Do you have a link to the project file?

Evil

The file is on my desktop - the link it created is a few posts up. I'm away from my computer but as soon as I get back I will post the link to it.

Should be about an hour or so.

EDIT:

https://vinumeris.com/_lighthouse/crowdfund/project/bug-bounty-requested-10-btc-for-dos-bug-in-current-clients
wr104
Sr. Member
****
Offline Offline

Activity: 329
Merit: 250


View Profile WWW
April 02, 2015, 07:23:25 PM
 #97

Bump.

Was this really a DoS bug in the client?  Did it get fixed?
unamis76
Legendary
*
Offline Offline

Activity: 1512
Merit: 1009


View Profile
April 03, 2015, 01:13:18 PM
 #98

I'm also curious about the outcome on this. I see OP doesn't have negative trust anymore, so this bug was most likely real and important.
MaliceRed
Sr. Member
****
Offline Offline

Activity: 311
Merit: 250


Graphics Design Guru


View Profile WWW
April 03, 2015, 06:54:36 PM
 #99

I third that notion, would very much like to see the outcome of this whole situation.


Malice Red Designs

Logos // Branding // U.Is // Banners
unamis76
Legendary
*
Offline Offline

Activity: 1512
Merit: 1009


View Profile
April 28, 2015, 09:29:24 AM
Last edit: April 28, 2015, 10:02:20 AM by unamis76
 #100

Was this bug (if it was a bug) fixed in 0.10.1?

EDIT: apparently yes https://bitcointalk.org/index.php?topic=1039713.0