Funny how inflation bug was swept under the rug

mixoftix

full member

Activity: 135

Merit: 178

..

Quote from: HeRetiK on January 07, 2019, 05:18:58 PM

I don't think disclosure timelines usually include the "release date" of the bug, as the introduction of exploitable code can not always be easily pin-pointed (and in some cases it's been there all along and becomes exploitable as technology progresses). Heartbleed [1] and Cloudbleed [2] are other good examples of well documented timelines. (Bonus timeline: Remote installation of the original Doom on network enabled Canon printers [3])

[1] https://www.smh.com.au/technology/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html

True. the amazing part of your first reference about heartbleed vulnerability is this quote that asks for more information for understanding what may have occurred before discovering the vulnerability:

Quote

If you have further information or corrections - especially information about what occurred prior to March 21 at Google - please email the author..

anyways this exploit reminds me the principles of protecting from supply chain attacks by NIST [1][2] and now the question is how much the software supply chain in bitcoin follows it? (in other words, does this exploit fit in the concept of supply chain attack?)

[1] https://csrc.nist.gov/csrc/media/projects/supply-chain-risk-management/documents/ssca/2017-winter/ncsc_placemat.pdf
[2] mirror of [1]: http://www.mixoftix.net/knowledge_base/security/nist_suppy_chain_attack_.pdf

HeRetiK

legendary

Activity: 3122

Merit: 2178

Playgram - The Telegram Casino

Quote from: mixoftix on January 07, 2019, 04:43:47 PM

Quote from: HeRetiK on January 07, 2019, 10:51:21 AM

The bug was introduced with 0.15 [1] which was released in September 2017 [2], so the bug was around for about a year. Excellent response time nonetheless.

[1] https://bitcoincore.org/en/2018/09/20/notice/

thank you for correction. I directly jumped in timeline section, and unfortunately there was no information about bug release date - so it looked like the bug was in a release that published the same day.. however, I am still happy with the response time, but why such important information doesn't exist in timeline!?

It's right above the Timeline in the Technical Details section:

Quote from: https://bitcoincore.org/en/2018/09/20/notice/

In Bitcoin Core 0.15, as a part of a larger redesign to simplify unspent transaction output tracking and correct a resource exhaustion attack the assertion was changed subtly. Instead of asserting that the output being marked spent was previously unspent, it only asserts that it exists.

I don't think disclosure timelines usually include the "release date" of the bug, as the introduction of exploitable code can not always be easily pin-pointed (and in some cases it's been there all along and becomes exploitable as technology progresses). Heartbleed [1] and Cloudbleed [2] are other good examples of well documented timelines. (Bonus timeline: Remote installation of the original Doom on network enabled Canon printers [3])

[1] https://www.smh.com.au/technology/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html
[2] https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
[3] https://www.contextis.com/en/blog/hacking-canon-pixma-printers-doomed-encryption

mixoftix

full member

Activity: 135

Merit: 178

..

Quote from: HeRetiK on January 07, 2019, 10:51:21 AM

The bug was introduced with 0.15 [1] which was released in September 2017 [2], so the bug was around for about a year. Excellent response time nonetheless.

[1] https://bitcoincore.org/en/2018/09/20/notice/

thank you for correction. I directly jumped in timeline section, and unfortunately there was no information about bug release date - so it looked like the bug was in a release that published the same day.. however, I am still happy with the response time, but why such important information doesn't exist in timeline!?

gmaxwell

staff

Activity: 4284

Merit: 8808

Quote from: aplistir on January 06, 2019, 07:00:45 AM

the bug made it possible to "illegally" create new coins.

Well, not even quite that: All the vulnerable nodes would have crashed on restart-- when automatic start-up safety tests caught the issue-- and refused to start again if it were triggered, just as we saw on testnet.

I'm having a hard time figuring out what the original post in this thread is trying to say. It sounds like it's trying to allege that the issue still exists. It doesn't.

HeRetiK

legendary

Activity: 3122

Merit: 2178

Playgram - The Telegram Casino

Quote from: mixoftix on January 07, 2019, 05:33:03 AM

Quote

Timeline for September 17, 2018: (all times UTC)

>> 14:57 anonymous reporter reports crash bug to: Pieter Wuille, Greg Maxwell, Wladimir Van Der Laan of Bitcoin Core
>> 15:15 Greg Maxwell shares the original report with Cory Fields, Suhas Daftuar, Alex Morcos and Matt Corallo
>> 17:47 Matt Corallo identifies inflation bug
.
.
>> 23:21 Bitcoin Core version 0.17.0rc4 tagged

September 18, 2018:

>> 00:24 Bitcoin Core version 0.16.3 tagged

which means within 3 hours the bug identifies and patches in less than 10 hours.. this is a great benchmark. so a bug that only lived in 10 hours is really like it never exists. its an honor, not hilarious.

A bug that was known for 10 hours

The bug was introduced with 0.15 [1] which was released in September 2017 [2], so the bug was around for about a year. Excellent response time nonetheless.

[1] https://bitcoincore.org/en/2018/09/20/notice/
[2] https://github.com/bitcoin/bitcoin/releases/tag/v0.15.0

mixoftix

full member

Activity: 135

Merit: 178

..

Quote from: Butterscotch Cartman on January 01, 2019, 03:42:23 PM

People are acting like inflation bug never existed in bitcoin, hilarious.

bugs always exist in cyber world. the important part is the way you perform a debugging procedure. if I was an investor, I would find and invest on a coin that has the most quick reaction to a bug from identifying to patching it. so look at the analysis bellow:

Quote

Timeline for September 17, 2018: (all times UTC)

>> 14:57 anonymous reporter reports crash bug to: Pieter Wuille, Greg Maxwell, Wladimir Van Der Laan of Bitcoin Core
>> 15:15 Greg Maxwell shares the original report with Cory Fields, Suhas Daftuar, Alex Morcos and Matt Corallo
>> 17:47 Matt Corallo identifies inflation bug
.
.
>> 23:21 Bitcoin Core version 0.17.0rc4 tagged

September 18, 2018:

>> 00:24 Bitcoin Core version 0.16.3 tagged

which means within 3 hours the bug identifies and patches in less than 10 hours.. this is a great benchmark. so a bug that only lived in 10 hours is really like it never exists. its an honor, not hilarious.

aplistir

full member

Activity: 378

Merit: 197

Quote from: bones261 on January 01, 2019, 04:15:56 PM

Well, they are not a good "investor" if they do not do their due diligence and keep up with the risks of their investment.
I for one have only invested a very small amount in BTC and cryptocurrency in general. However, I have kept myself informed on what is going on. If someone is going to mortgage their house and not devote a 10th of the time that I have spent attempting to learn about it, then they are a gambler and not really an investor.

I have spend (too) much time in learning everything about bitcoin, but I had completely missed this bug. I did notice in September that you should update bitcoin core, but did not realise the bug made it possible to "illegally" create new coins.

Quote from: DaCryptoRaccoon on January 01, 2019, 04:21:27 PM

There is much talk about this subject a quick search of Bitcoin CVE or Bitcoin Exploit shows may topics regarding the issues both old and new.
https://bitcoincore.org/en/2018/09/20/notice/
https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362

Thanks for posting the links. Makes it much easier to understand what we are talking about

Syke

legendary

Activity: 3878

Merit: 1193

Quote from: Butterscotch Cartman on January 01, 2019, 04:03:42 PM

People need to be aware that bitcoin is not really 100% safe in a world where code is law.

Who is saying bitcoin is 100% safe?

HeRetiK

legendary

Activity: 3122

Merit: 2178

Playgram - The Telegram Casino

Quote from: DaCryptoRaccoon on January 01, 2019, 04:21:27 PM

Quote from: Butterscotch Cartman on January 01, 2019, 04:03:42 PM

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts. Not one bitcoin "investor" I have spoken to has even heard of the bug. People need to be aware that bitcoin is not really 100% safe in a world where code is law.

There is much talk about this subject a quick search of Bitcoin CVE or Bitcoin Exploit shows may topics regarding the issues both old and new.

https://bitcoincore.org/en/2018/09/20/notice/

https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362

While this was a serious flaw it had been fixed and no miners ever exploited it.

Also actual usage of any such exploit would have been fairly obvious to an outside observer. It's not like anyone could have covertly inflated the coin supply.

Critical bug? Sure. Swept under the rug? Hardly. The exploit was widely publicized with information readily available to anyone keeping track of crypto.

DaCryptoRaccoon

hero member

Activity: 1220

Merit: 612

OGRaccoon

Quote from: Butterscotch Cartman on January 01, 2019, 04:03:42 PM

Quote from: bones261 on January 01, 2019, 03:59:37 PM

Are you talking about the one discovered a few months ago or the one in 2010? What is amazing with the recent one is that the exploit was in the code for quite a bit of time and no miner exploited it. I'm happy the BU developer did the right thing and reported the exploit rather than give it over to one of the Bitcoin Cash advocates.
Just so you know, no miner in their right mind would have exploited this unless their motive was to destroy cryptocurrency as a whole. Most miners are in it for the profit and such a move would have killed the golden goose. Besides, if a miner had exploited the recent bug, the BTC developers and other miners would have just did something similar to what happened in 2010. (Although the 2010 bug was unlike this bug, since I believe the old bug was triggered by accident and not by deliberate intent.) In 2010, they came up with the patch and eventually the corrected chain had the most work and reorged the bad chain out of existence.
BTW: I would recommend that you don't use this thread that you created to try and launch a troll campaign against BTC. As soon as you start to derail this thread to fall off-topic, the moderators will probably lock it.

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts. Not one bitcoin "investor" I have spoken to has even heard of the bug. People need to be aware that bitcoin is not really 100% safe in a world where code is law.

There is much talk about this subject a quick search of Bitcoin CVE or Bitcoin Exploit shows may topics regarding the issues both old and new.

https://bitcoincore.org/en/2018/09/20/notice/

https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362

While this was a serious flaw it had been fixed and no miners ever exploited it.

bones261

legendary

Activity: 1806

Merit: 1828

Quote from: Butterscotch Cartman on January 01, 2019, 04:03:42 PM

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts. Not one bitcoin "investor" I have spoken to has even heard of the bug. People need to be aware that bitcoin is not really 100% safe in a world where code is law.

Well, they are not a good "investor" if they do not do their due diligence and keep up with the risks of their investment. The very fact that BTC is very volatile and has returned an insane amount of return since it's inception should give any good investor a clue that this is risky. (I mean we went from 10000 BTC buying a pizza to 1 being worth ~20000 USD at it's ATH)
I for one have only invested a very small amount in BTC and cryptocurrency in general. However, I have kept myself informed on what is going on. If someone is going to mortgage their house and not devote a 10th of the time that I have spent attempting to learn about it, then they are a gambler and not really an investor.

Butterscotch Cartman

jr. member

Activity: 108

Merit: 6

Quote from: bones261 on January 01, 2019, 03:59:37 PM

Are you talking about the one discovered a few months ago or the one in 2010? What is amazing with the recent one is that the exploit was in the code for quite a bit of time and no miner exploited it. I'm happy the BU developer did the right thing and reported the exploit rather than give it over to one of the Bitcoin Cash advocates.
Just so you know, no miner in their right mind would have exploited this unless their motive was to destroy cryptocurrency as a whole. Most miners are in it for the profit and such a move would have killed the golden goose. Besides, if a miner had exploited the recent bug, the BTC developers and other miners would have just did something similar to what happened in 2010. (Although the 2010 bug was unlike this bug, since I believe the old bug was triggered by accident and not by deliberate intent.) In 2010, they came up with the patch and eventually the corrected chain had the most work and reorged the bad chain out of existence.
BTW: I would recommend that you don't use this thread that you created to try and launch a troll campaign against BTC. As soon as you start to derail this thread to fall off-topic, the moderators will probably lock it.

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts. Not one bitcoin "investor" I have spoken to has even heard of the bug. People need to be aware that bitcoin is not really 100% safe in a world where code is law.

bones261

legendary

Activity: 1806

Merit: 1828

   Are you talking about the one discovered a few months ago or the one in 2010? What is amazing with the recent one is that the exploit was in the code for quite a bit of time and no miner exploited it. I'm happy the BU developer did the right thing and reported the exploit rather than give it over to one of the Bitcoin Cash advocates.
   Just so you know, no miner in their right mind would have exploited this unless their motive was to destroy cryptocurrency as a whole. Most miners are in it for the profit and such a move would have killed the golden goose. Besides, if a miner had exploited the recent bug, the BTC developers and other miners would have just did something similar to what happened in 2010. (Although the 2010 bug was unlike this bug, since I believe the old bug was triggered by accident and not by deliberate intent.) In 2010, they came up with the patch and eventually the corrected chain had the most work and reorged the bad chain out of existence.
   BTW: I would recommend that you don't use this thread that you created to try and launch a troll campaign against BTC. As soon as you start to derail this thread to fall off-topic, the moderators will probably lock it.

Butterscotch Cartman

jr. member

Activity: 108

Merit: 6

People are acting like inflation bug never existed in bitcoin, hilarious. Rarely hear about it , this forum is filled with shills trying to pump their bags.

Topic: Funny how inflation bug was swept under the rug (Read 446 times)