Topic: [Full Disclosure] Live mtgox.com trade matching bug. - page 3. (Read 15367 times)

full member
Activity: 406
Merit: 100
A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
Ah! So there's your grief!
sr. member
Activity: 490
Merit: 250
I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to take the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.
Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure

Awww man... that disclosure got goxed.
full member
Activity: 406
Merit: 100
I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to take the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.
Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure
sr. member
Activity: 490
Merit: 250
Also good to know this is the only bug.

How do you infer this from the available information?

One cannot. It underlines the fact that more bugs are extremely likely.
hero member
Activity: 574
Merit: 513
appended to previous post

Mods: Delete this obnoxious (due to size) and useless post
hero member
Activity: 574
Merit: 513
jrmithdobbs,

You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.

I'm confused.

http://en.wikipedia.org/wiki/Zero-day_attack

Also good to know this is the only bug.

How do you infer this from the available information?

Maybe this?
At the very least this could be used to influence market conditions if it is only a display bug.
sr. member
Activity: 294
Merit: 252
Also good to know this is the only bug.

How do you infer this from the available information?
sr. member
Activity: 490
Merit: 250
Thanks to OP for info. Mt. Gox should have already addressed the price spikes.

Also good to know this is the only bug.
newbie
Activity: 67
Merit: 0
The only thing that was AFAIK grossly mis-handled was the password list leak. He should have got the confirmation/claim process working *before* someone hacked into accounts and distorted the market.

He also ignored attempts to report the nasty CSRF, that came to light right before that all went down, for about a week. But, I digress.

I have no plans to "nail him to the wall" for every mistake. In fact, I will probably not be looking at mtgox at all after the next 72 hours.

And to clear things up, this is a little more than just a display bug. This is also the cause of the weirdness people have been reporting about it dropping from 17->15 etc. without executing orders in-between.

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

It is a trade matching bug. Trades are not revalidated on withdrawal/deposit to the account. I never claimed it was an exploit. "Exploiting" in the original text is the normal english use of the word, not the info-sec use. So no, I will not change the title.
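The failure mode described in the post above (a resting order that is still shown in the book after the funds behind it have been withdrawn, so the displayed price moves but the order can never fill) is easy to reproduce in a toy matching engine. The following is an added illustration written for this page, not Mt. Gox's code; the account model, the `Exchange` class and the fix chosen (re-checking and cancelling a user's resting orders whenever funds leave the account) are all assumptions for the example.

```python
"""Toy limit-order book: unfunded resting orders (the defect discussed in the thread)
versus revalidating the owner's orders on every withdrawal. Hypothetical example code."""
from dataclasses import dataclass, field


@dataclass
class Order:
    owner: str
    side: str      # "bid" buys BTC with USD; "ask" sells BTC (only bids are used below)
    price: float   # USD per BTC
    qty: float     # BTC


@dataclass
class Exchange:
    revalidate_on_withdraw: bool
    usd: dict = field(default_factory=dict)
    btc: dict = field(default_factory=dict)
    book: list = field(default_factory=list)
    trades: list = field(default_factory=list)

    def deposit_usd(self, who, amount):
        self.usd[who] = self.usd.get(who, 0.0) + amount

    def deposit_btc(self, who, amount):
        self.btc[who] = self.btc.get(who, 0.0) + amount

    def _funded(self, o):
        # Can the owner still pay for (or deliver) the whole order right now?
        if o.side == "bid":
            return self.usd.get(o.owner, 0.0) >= o.price * o.qty
        return self.btc.get(o.owner, 0.0) >= o.qty

    def place(self, order):
        # Funding is checked only once, at placement time, in both variants.
        if not self._funded(order):
            raise ValueError("insufficient funds")
        self.book.append(order)

    def withdraw_usd(self, who, amount):
        if self.usd.get(who, 0.0) < amount:
            raise ValueError("insufficient funds")
        self.usd[who] -= amount
        if self.revalidate_on_withdraw:
            # The fix: drop resting orders the owner can no longer cover. Reserving
            # the funds at placement time would be the other common design.
            self.book = [o for o in self.book if o.owner != who or self._funded(o)]

    def best_bid(self):
        # What the public order book / ticker would display.
        bids = [o.price for o in self.book if o.side == "bid"]
        return max(bids) if bids else None

    def market_sell(self, seller, qty):
        """Sell qty BTC into the bids, best price first. Unfunded bids are skipped,
        so the trade prints below the displayed best bid with nothing in between."""
        fills = []
        for bid in sorted((o for o in self.book if o.side == "bid"), key=lambda o: -o.price):
            if qty <= 0:
                break
            if not self._funded(bid):
                continue  # phantom order: visible in the book, cannot execute
            fill = min(qty, bid.qty)
            cost = fill * bid.price
            self.usd[bid.owner] -= cost
            self.usd[seller] = self.usd.get(seller, 0.0) + cost
            self.btc[bid.owner] = self.btc.get(bid.owner, 0.0) + fill
            self.btc[seller] -= fill
            bid.qty -= fill
            qty -= fill
            fills.append((bid.price, fill))
        self.book = [o for o in self.book if o.qty > 0]
        self.trades.extend(fills)
        return fills


def scenario(revalidate):
    """Constructed sample: a 17 USD bid loses its funding, then a market sell arrives.
    Returns (displayed best bid before the sell, executed trades, displayed best bid after)."""
    ex = Exchange(revalidate_on_withdraw=revalidate)
    ex.deposit_usd("alice", 170.0)
    ex.deposit_usd("bob", 150.0)
    ex.deposit_btc("carol", 10.0)
    ex.place(Order("alice", "bid", 17.0, 10.0))
    ex.place(Order("bob", "bid", 15.0, 10.0))
    ex.withdraw_usd("alice", 170.0)   # alice's bid is no longer backed by anything
    shown_before = ex.best_bid()
    fills = ex.market_sell("carol", 10.0)
    return shown_before, fills, ex.best_bid()


if __name__ == "__main__":
    print("no revalidation:", scenario(False))   # book says 17, trade prints at 15, 17 still shown
    print("revalidate    :", scenario(True))    # book says 15, trade prints at 15, book empty
```

Without revalidation the ticker shows a best bid of 17 both before and after a trade that actually printed at 15, which is exactly the "dropping from 17->15 without executing orders in-between" symptom; with revalidation the stale bid leaves the book the moment the funds do, so the displayed price and the executable price agree.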
newbie
Activity: 55
Merit: 0
Thank you to Mr. jrmithdobbs for reporting the issue and to MagicalTux for responding to it so quickly (especially given all the other urgent MtGox stuff MagicalTux must be dealing with).

This confirms that MtGox is absolutely committed to an extremely high level of security. Bitcoin is fortunate to have experts like jrmithdobbs helping the community defend against threats to our financial safety.

Muchas gracias to you both!
newbie
Activity: 28
Merit: 0
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing

Fool.  You see no further than the immediate.  LulzSec did nothing more than create an excuse for the authorities to try and clamp down on the Internet and/or bitcoin (how they were seen to be funded).  For an added bonus, they mixed in immigration and drug issues into their troll.  Now the average Joe will welcome the "protection" of our brand new, locked down, internet -- free from the dangers inherent to anonymity.  Technology may not exist now, or ever, but they, and the momentum they have created, will certainly create the demand.

Similarly, your actions reflect on bitcoin itself in the public eye, and you don't seem to care.  I wonder why.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
Are you sure about that? I've followed it a bit, and from what I read the security issues were solved pretty fast. Sometimes even before people could report them.

The only thing that was AFAIK grossly mis-handled was the password list leak. He should have got the confirmation/claim process working *before* someone hacked into accounts and distorted the market.

Anyway whatever the real story is, I don't agree that gives you a reason to nail him to the pillory for every little issue you find after this.

Oh noo! a misspelled word in the interface! ... full disclosure!

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

newbie
Activity: 67
Merit: 0
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing?

I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox.

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.
newbie
Activity: 28
Merit: 0
Happy,

Please don't repeat the OP's false insinuation that he somehow found an exploit.  It's a display bug.  Nothing more, and drawing such public (false) light to it serves no purpose but to make Mt. Gox and bitcoin look bad.  Something the OP was seeking, I'd wager.  Yes, there is a time for full disclosure, but it's only after private channels have failed to fix the issue.
sr. member
Activity: 406
Merit: 251
@jrmithdobbs

Did you notify MT about this issue prior to disclosure? Ahh, I just caught your reply.

I don't have a strong infosec background so please excuse my naivety, can I ask, do you typically notify targets of vulns prior to public release or do you do both simultaneously or ??

I don't intend to start a debate of the pros/cons, just trying to get some info for when you probe my service.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.
I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox, I think that makes you a dick. MagicalTux is really taking all problems seriously, and has been working almost 24 hours per day for the last week to resolve issues while being bombarded with crap from all sides.

You could have given him a chance by just reporting it to his personal mail and bug tracker. What would you prefer if you had built a site yourself?

full member
Activity: 125
Merit: 100
jrmithdobbs,

What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.  You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.  I'd ban you from this forum if I were the administrator, and if you did this to a company in America you'd be arrested.  Technically you're aiding in securities / bank fraud.  If you were smart you'd delete this post or just delete your forum account.

Have a nice day.  As much as MtGox has had problems, there's no need to add fuel to the already-large fire that bitcoin adopters are dense, immoral, psychotic libertarian-anarchists with no regard for common sense.

There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).
newbie
Activity: 67
Merit: 0
I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.

I could not confirm or deny that similar trades would execute without possibly committing fraud, so did not try. I explicitly stated this and the possibility that it was just a display bug. I posted (to f-d at least, here soon after) as soon as Tux started responding to me. The text was pre-prepared and not modified. Yes he did tell me that it would be fixed while we were talking.
newbie
Activity: 28
Merit: 0
Yeah, but your "full disclosure" was based on the assumption that the trade would execute.  It wouldn't.  It's a bug, yes, but hardly a showstopper.
newbie
Activity: 40
Merit: 0
After making yourself look like such an ass, you should really reconsider that.

By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.

Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.

Hate me all you want.

I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?

Additionally, at jgarzik's request I won't be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.

Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
You're right, that should say possibly, not actually.

Um, maybe you missed something:

It will not execute, and I told you it'll be fixed in a couple of hours. Thanks for disclosing this before.

I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.