Topic: [Full Disclosure] ClearCoin CSRFs (Read 8696 times)

Speaking as and for all Libertarians, I would just like to say that recently we have started wearing deodorant around non-Libertarians, and that any you've met that haven't - please have them check their email.

If I remember correctly, the user in question didn't point out anything specifically. He just said a bunch of websites were exploitable. He didn't give any details of how to exploit them and he was treated with an understandable level of skepticism. The fact that some ClearCoin vulnerability was recently disclosed still doesn't vindicate him since he could have been full of it and this is just a coincidence. It's his fault for not disclosing some kind of evidence. Talk is cheap. Anyone can say that a website is exploitable. It's a different matter to actually prove it. So, all your finger wagging isn't actually warranted.

Public Disclosure of Vulnerabilities are important.

The positives by far outweigh the negatives, because all negatives are self-serving for the programmers and companies behind any product or service (eg- liability).

The positives are:

• accountability
• transparency
• consumer protection
• forces fast reaction to the threats by the developers
• adds legitimacy to the product/service
• adds positive public perception
• lets the consumer know there is a problem so they can react accordingly - like protecting their own customers if they rely on the product/service and advising them accordingly, which decreased their own potential liability
• lets the consumer know the maker is not a trusted serious resource provider if they do not fix them efficiently and effectively (lets face it some programmers should not be programming with their limited skillsets)
• lets the consumer know how serious and professional the maker is by the speed and quality of the fix

which all the above by far outweigh the only negative, which:

• places liability and negative publicity on those responsible for the vulerabilities.

The latter of which is why most do not want public disclosures, as exemplified by Gavins response to this public disclosure posted over at sourceforge:, "Some of us take private disclosures of vulnerabilities very seriously".

Sorry, but public disclosures and the rammifications of problems you created with your products and services are the cost of doing business, and you should be liable since you created it in the first place and placed it out there in the market as a solution to a consumers needs.

Eat it up, do it right the first time, do better research and product/service testing before releasing it, or get out of the business.

nothing personal.

I would have to say that the CSRF issue was enough evidence to to question their (security) credibility. Further, the have a clear conflict of interest in reporting the events, since they have a lot to lose.

I'm not saying that they are actually lying, they're probably not, but to assume that they MUST be telling the truth, or that they are to be the most trusted source of it, is clearly silly. Human nature my friend.

Nope.  I triple-checked and bitcoin2cash is definitely talking to you, about your problematic slurs against libertarians, here:


Oh no, not a DISTINCT recollection!  Zomg, that's the worst kind of recollection of all!!1!

You *did* apologize in advance and libertarians can be prickly too, so.... Let's just be friends! 

are you confusing me with someone else? what you're saying seems incoherent; you seem to think i've been proven wrong about something, but you can't communicate what it is. are you just 'trolling' me?

the problems with cross-site request forgeries clearcoin and other websites weren't 'ancient history'. they were reported this week and brought the sites down for maintenance, all the while exposing potentially significant systems vulnerabilities that could have easily been addressed months ago if people had listened. whether or not significant damage in fact resulted isn't for me to say, as i don't run any of these sites. i was pointing out a complacency that is all too common in the bitcoin community.

if you intend to critique what i'm saying, please read the conversation and what i in fact said. you seem to have misunderstood the flow of the conversation and my intent in it, and that is not a problem i usually have except when people don't pay close enough attention and assume i'm saying things that i'm not. if you don't like that i criticised the strident teenage libertarians who are so prominent in these forums, you could have responded to that, rather than attributing positions to me that aren't mine.

this is very tiresome, though, so i'm done in this thread. for the record, however, others should not believe what you say about my own positions, as you've either childishly or negligently mischaracterised me every step of the way.

The staff at MtGox is a primary source.  As such, what they say in an on-the-record public interview is considered to be our best bet for an accepted version of The Truth.  Unless you have some evidence that would damage their credibility, of course.

Otherwise we'd have to violate Occam's Razor and postulate some hidden entities, whose conspiratorial machinations are responsible for their MtGox representative puppets' phony baloney 'blame-the-accountant' excuses.

The simplest explanation is the best.  And a simple end-run through an untrustworthy third party seems more likely than exotic browser exploits.

Time will tell.  Time, and a couple boatloads of lawyers.

MtGox credibility is going down quickly and I dont believe that statement. Its basically a leap of faith because they offered no proof.

The vulnerability at ClearCoin is ancient history, as announced upthread.

Despite this, you had to vent, with self-admitted petulance, in a rambling attack on rude libertarians and how kids today won't listen when you warn them to stay off your lawn and fix obsure web bugs.

For this, you were put in your place (not by me) and you responded by retreating into generalities about how "any criticism of the bitcoin protocol must be motivated by a brainwashing."

THIS IS WHERE THE CONVERSATION, AT YOUR BEHEST, STOPPED BEING SPECIFICALLY ABOUT CLEARCOIN AND THE TOPIC CHANGES TO A LESS LIMITED FOCUS ON HOW:



No problems ever manifested themselves at ClearCoin, and the problem that did manifest at MtGox was not the result of an SQL or XSRF attack.  Do try and keep up!

This is a basic technical concept, which was clearly expressed by MtGox in their interview tonight:

That interview proved nothing except that the rep of mtgox present said some things with no evidence presented except for their willingness to make public statements without seeking legal counsel first and that they do not understand basic technical concepts.

Considering their recent track record of responding to (more like: not responding to) privately disclosed security issues. (It took *a week* for tux to respond to someone trying to report those csrfs. He only responded once it was made public. It was not confirmed friday. It was confirmed much earlier in the week.) The SQL injection issues that were fixed in the last few days on mtgox with no announcement or disclosure. Etc.

Tux's behaviour is what prompted me to disclose this the way I did. I think going forward that all bitcoin-related security issues should get the full disclosure treatment to discourage another mtgox.

(Really am sorry Gavin. I know you would have responded appropriately had this been privately disclosed.)

and where do you think i ever claimed that i knew the cause of the problems on mt. gox? i wasn't even talking about them. note that we're in a discussion about a cross-site forgery problem on clearcoin. i brought up mt. gox only after you called me 'gotcha guy' and seemed to suggest they had never been vulnerable to such request-forgery problems.

i know this is an internet forum and all, and reading comprehension may not be your strength, but it might be worth actually reading what i'm saying before criticising it, calling me a 'bozo', and referring to my 'e-peen'. grow up, please.

It's not that hard: the interview tonight (did you watch it?) about the break-in proved that ALL the people who were claiming they knew the cause of the MtGox heist were WRONG.

Your petulant lack of humor is far more childish than my poking fun at the idea of technobabble as a compelling explanation for the MtGox situation.

Your humorless, grumpy inference regarding my technical understanding of the concepts at hand was not reasonable, especially given my previous posts and demonstrated hash rate.

i'm not clear what you think i said that has been 'proven wrong', but i believe you're mistaken.


this again is just the sort of childish response that i'm critiquing. you referred to 'XCHMLL bugs that cause HTXL->BTC overflows or whatever'; a reasonable inference from that kind of a comment is that you have little technical understanding of the concepts we're discussing. if that is not true, you can't fault me for picking up on an anti-intellectual mannerism you intentionally put forward.

Nobody is debating whether the XSRF vulnerability existed any longer, as it was demonstrated on Friday night.

It's been fixed and had nothing to do with the break-in, which was the fault of MtGox's finance auditor AND NOT THE RESULT OF XSRF, SQL, TROJANS, TEMPEST, OR WHATEVER YOUR BUDDY WAS MOANING ABOUT.

Now the issue is that so many were so quick to point fingers immediately following the MtGox breach, without bothering to confirm or verify anything with the principals involved.

You aren't the only "OMG we tried to warn them but they DINT LISEN" bozo who was proven wrong by tonight's interview.  There are/were a lot of expert opinions, ie, wild guesses being thrown around.

Spare us the "it's not worth debating this if you're not a technical person yourself" snobbery.  You may rest assured that I understand the difference between a XSRF and SQL injection.  I get paid to make damn sure such things keep running smoothly. 

I'm sure your e-peen is so massive it would stampede the women and scare the children, so please keep it private and to yourself.

mt. gox was, within the last week and by their own admission, vulnerable to cross-site request forgeries. i don't recall "s" ever saying anything about sql injection, which is harder to detect without access to the code. (it's not worth debating this if you're not a technical person yourself.)

Many teens have yet not learned to tolerate the ignorant hypocrisy of those whose knee jerk objections to bitcoin not only are specifically addressed by the design, but obviously apply to the fiat money created by the State.  That's a good thing.  I like people who stand up and vigorously defend their values and beliefs.

If you, or the other guy who left, can't look past their enthusiasm, vehemence, and zeal that's your problem.

Even a reasonable adult might get sick having to repeatedly point out that federal reserve notes are way more of a fake Ponzi rip-off scam than any form of cryptocash.



Nice try, gotcha guy.  But it turns out that the supposed MtGox "hack" was an inside job.  It had NOTHING to do with XSRF, SQL, or whatever technical point the oversensitive guy (who ran away rather than debate mean, stinky libertarians) was previously belaboring.

'for some ridiculous and extreme attitudes among teenagers' is not the same thing as 'all the evil in the world'. but bitcoin2cash is right. i really just have a particular type of poster in mind. it's not everyone who happens to be a libertarian; it's the rabid, often teenage ones who think that any criticism of the bitcoin protocol must be motivated by a brainwashing from the 'state'.


these were not lessons to learn; these are obvious to anyone with even the slightest experience in systems security. as i said, a good critical user who visited the forum for a week pointed them out, specifically, along with a variety of other problems. either there's too much noise or too much complacency for people to listen or learn before the problems manifest themselves.

Amateur hour all the way around.

I, too, Blame Ayn Rand for all evil in the world and especially on this forum.

/s

That's actually more lulzy than petulant. 

I think we've all learned some valuable lessons today, about boring web standards' XCHMLL bugs that cause HTXL->BTC overflows or whatever. 

And not using the same l/p.  And due diligence.