Author

Topic: Funny how inflation bug was swept under the rug (Read 454 times)

full member
Activity: 135
Merit: 178
..
I don't think disclosure timelines usually include the "release date" of the bug, as the introduction of exploitable code can not always be easily pin-pointed (and in some cases it's been there all along and becomes exploitable as technology progresses). Heartbleed [1] and Cloudbleed [2] are other good examples of well documented timelines. (Bonus timeline: Remote installation of the original Doom on network enabled Canon printers [3])

[1] https://www.smh.com.au/technology/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html

True. the amazing part of your first reference about heartbleed vulnerability is this quote that asks for more information for understanding what may have occurred before discovering the vulnerability:

Quote
If you have further information or corrections - especially information about what occurred prior to March 21 at Google - please email the author..

anyways this exploit reminds me the principles of protecting from supply chain attacks by NIST [1][2] and now the question is how much the software supply chain in bitcoin follows it? (in other words, does this exploit fit in the concept of supply chain attack?)

[1] https://csrc.nist.gov/csrc/media/projects/supply-chain-risk-management/documents/ssca/2017-winter/ncsc_placemat.pdf
[2] mirror of [1]: http://www.mixoftix.net/knowledge_base/security/nist_suppy_chain_attack_.pdf
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
The bug was introduced with 0.15 [1] which was released in September 2017 [2], so the bug was around for about a year. Excellent response time nonetheless.

[1] https://bitcoincore.org/en/2018/09/20/notice/

thank you for correction. I directly jumped in timeline section, and unfortunately there was no information about bug release date - so it looked like the bug was in a release that published the same day.. however, I am still happy with the response time, but why such important information doesn't exist in timeline!?


It's right above the Timeline in the Technical Details section:

In Bitcoin Core 0.15, as a part of a larger redesign to simplify unspent transaction output tracking and correct a resource exhaustion attack the assertion was changed subtly. Instead of asserting that the output being marked spent was previously unspent, it only asserts that it exists.

I don't think disclosure timelines usually include the "release date" of the bug, as the introduction of exploitable code can not always be easily pin-pointed (and in some cases it's been there all along and becomes exploitable as technology progresses). Heartbleed [1] and Cloudbleed [2] are other good examples of well documented timelines. (Bonus timeline: Remote installation of the original Doom on network enabled Canon printers [3])

[1] https://www.smh.com.au/technology/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html
[2] https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
[3] https://www.contextis.com/en/blog/hacking-canon-pixma-printers-doomed-encryption
full member
Activity: 135
Merit: 178
..
The bug was introduced with 0.15 [1] which was released in September 2017 [2], so the bug was around for about a year. Excellent response time nonetheless.

[1] https://bitcoincore.org/en/2018/09/20/notice/

thank you for correction. I directly jumped in timeline section, and unfortunately there was no information about bug release date - so it looked like the bug was in a release that published the same day.. however, I am still happy with the response time, but why such important information doesn't exist in timeline!?

 
staff
Activity: 4284
Merit: 8808
the bug made it  possible to "illegally" create new coins.
Well, not even quite that:  All the vulnerable nodes would have crashed on restart-- when automatic start-up safety tests caught the issue-- and refused to start again if it were triggered, just as we saw on testnet.

I'm having a hard time figuring out what the original post in this thread is trying to say. It sounds like it's trying to allege that the issue still exists. It doesn't.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
Quote
Timeline for September 17, 2018: (all times UTC)

>> 14:57 anonymous reporter reports crash bug to: Pieter Wuille, Greg Maxwell, Wladimir Van Der Laan of Bitcoin Core
>> 15:15 Greg Maxwell shares the original report with Cory Fields, Suhas Daftuar, Alex Morcos and Matt Corallo
>> 17:47 Matt Corallo identifies inflation bug
.
.
>> 23:21 Bitcoin Core version 0.17.0rc4 tagged

September 18, 2018:

>> 00:24 Bitcoin Core version 0.16.3 tagged

which means within 3 hours the bug identifies and patches in less than 10 hours.. this is a great benchmark. so a bug that only lived in 10 hours is really like it never exists. its an honor, not hilarious.

A bug that was known for 10 hours Smiley

The bug was introduced with 0.15 [1] which was released in September 2017 [2], so the bug was around for about a year. Excellent response time nonetheless.

[1] https://bitcoincore.org/en/2018/09/20/notice/
[2] https://github.com/bitcoin/bitcoin/releases/tag/v0.15.0
full member
Activity: 135
Merit: 178
..
People are acting like inflation bug never existed in bitcoin, hilarious.

bugs always exist in cyber world. the important part is the way you perform a debugging procedure. if I was an investor, I would find and invest on a coin that has the most quick reaction to a bug from identifying to patching it. so look at the analysis bellow:

Quote
Timeline for September 17, 2018: (all times UTC)

>> 14:57 anonymous reporter reports crash bug to: Pieter Wuille, Greg Maxwell, Wladimir Van Der Laan of Bitcoin Core
>> 15:15 Greg Maxwell shares the original report with Cory Fields, Suhas Daftuar, Alex Morcos and Matt Corallo
>> 17:47 Matt Corallo identifies inflation bug
.
.
>> 23:21 Bitcoin Core version 0.17.0rc4 tagged

September 18, 2018:

>> 00:24 Bitcoin Core version 0.16.3 tagged

which means within 3 hours the bug identifies and patches in less than 10 hours.. this is a great benchmark. so a bug that only lived in 10 hours is really like it never exists. its an honor, not hilarious.

full member
Activity: 378
Merit: 197

     Well, they are not a good "investor" if they do not do their due diligence and keep up with the risks of their investment.
     I for one have only invested a very small amount in BTC and cryptocurrency in general. However, I have kept myself informed on what is going on. If someone is going to mortgage their house and not devote a 10th of the time that I have spent attempting to learn about it, then they are a gambler and not really an investor.
I have spend (too) much time in learning everything about bitcoin, but I had completely missed this bug.   I did notice in September that you  should update bitcoin core, but did not realise the bug made it  possible to "illegally" create new coins.

There is much talk about this subject a quick search of Bitcoin CVE or Bitcoin Exploit shows may topics regarding the issues both old and new.
https://bitcoincore.org/en/2018/09/20/notice/
https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362
Thanks for posting the links. Makes it much easier to understand what we are talking about Smiley
legendary
Activity: 3878
Merit: 1193
People need to be aware that bitcoin is not really 100% safe in a world where code is law.

Who is saying bitcoin is 100% safe?
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts.  Not one bitcoin "investor" I have spoken to has even heard of the bug.  People need to be aware that bitcoin is not really 100% safe in a world where code is law.

There is much talk about this subject a quick search of Bitcoin CVE or Bitcoin Exploit shows may topics regarding the issues both old and new.

https://bitcoincore.org/en/2018/09/20/notice/

https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362

While this was a serious flaw it had been fixed and no miners ever exploited it.

Also actual usage of any such exploit would have been fairly obvious to an outside observer. It's not like anyone could have covertly inflated the coin supply.

Critical bug? Sure. Swept under the rug? Hardly. The exploit was widely publicized with information readily available to anyone keeping track of crypto.
hero member
Activity: 1241
Merit: 623
OGRaccoon
    Are you talking about the one discovered a few months ago or the one in 2010? What is amazing with the recent one is that the exploit was in the code for quite a bit of time and no miner exploited it. I'm happy the BU developer did the right thing and reported the exploit rather than give it over to one of the Bitcoin Cash advocates.
     Just so you know, no miner in their right mind would have exploited this unless their motive was to destroy cryptocurrency as a whole. Most miners are in it for the profit and such a move would have killed the golden goose. Besides, if a miner had exploited the recent bug, the BTC developers and other miners would have just did something similar to what happened in 2010. (Although the 2010 bug was unlike this bug, since I believe the old bug was triggered by accident and not by deliberate intent.) In 2010, they came up with the patch and eventually the corrected chain had the most work and reorged the bad chain out of existence.
    BTW: I would recommend that you don't use this thread that you created to try and launch a troll campaign against BTC. As soon as you start to derail this thread to fall off-topic, the moderators will probably lock it.

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts.  Not one bitcoin "investor" I have spoken to has even heard of the bug.  People need to be aware that bitcoin is not really 100% safe in a world where code is law.

There is much talk about this subject a quick search of Bitcoin CVE or Bitcoin Exploit shows may topics regarding the issues both old and new.

https://bitcoincore.org/en/2018/09/20/notice/

https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362

While this was a serious flaw it had been fixed and no miners ever exploited it.

legendary
Activity: 1806
Merit: 1828

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts.  Not one bitcoin "investor" I have spoken to has even heard of the bug.  People need to be aware that bitcoin is not really 100% safe in a world where code is law.

     Well, they are not a good "investor" if they do not do their due diligence and keep up with the risks of their investment. The very fact that BTC is very volatile and has returned an insane amount of return since it's inception should give any good investor a clue that this is risky. (I mean we went from 10000 BTC buying a pizza to 1 being worth ~20000 USD at it's ATH)
     I for one have only invested a very small amount in BTC and cryptocurrency in general. However, I have kept myself informed on what is going on. If someone is going to mortgage their house and not devote a 10th of the time that I have spent attempting to learn about it, then they are a gambler and not really an investor.
jr. member
Activity: 108
Merit: 6
    Are you talking about the one discovered a few months ago or the one in 2010? What is amazing with the recent one is that the exploit was in the code for quite a bit of time and no miner exploited it. I'm happy the BU developer did the right thing and reported the exploit rather than give it over to one of the Bitcoin Cash advocates.
     Just so you know, no miner in their right mind would have exploited this unless their motive was to destroy cryptocurrency as a whole. Most miners are in it for the profit and such a move would have killed the golden goose. Besides, if a miner had exploited the recent bug, the BTC developers and other miners would have just did something similar to what happened in 2010. (Although the 2010 bug was unlike this bug, since I believe the old bug was triggered by accident and not by deliberate intent.) In 2010, they came up with the patch and eventually the corrected chain had the most work and reorged the bad chain out of existence.
    BTW: I would recommend that you don't use this thread that you created to try and launch a troll campaign against BTC. As soon as you start to derail this thread to fall off-topic, the moderators will probably lock it.

Yes I'm talking about the recent one, I'm concerned fools are being tricked into investing into Bitcoin without knowing all the facts.  Not one bitcoin "investor" I have spoken to has even heard of the bug.  People need to be aware that bitcoin is not really 100% safe in a world where code is law.
legendary
Activity: 1806
Merit: 1828
     Are you talking about the one discovered a few months ago or the one in 2010? What is amazing with the recent one is that the exploit was in the code for quite a bit of time and no miner exploited it. I'm happy the BU developer did the right thing and reported the exploit rather than give it over to one of the Bitcoin Cash advocates.
     Just so you know, no miner in their right mind would have exploited this unless their motive was to destroy cryptocurrency as a whole. Most miners are in it for the profit and such a move would have killed the golden goose. Besides, if a miner had exploited the recent bug, the BTC developers and other miners would have just did something similar to what happened in 2010. (Although the 2010 bug was unlike this bug, since I believe the old bug was triggered by accident and not by deliberate intent.) In 2010, they came up with the patch and eventually the corrected chain had the most work and reorged the bad chain out of existence.
    BTW: I would recommend that you don't use this thread that you created to try and launch a troll campaign against BTC. As soon as you start to derail this thread to fall off-topic, the moderators will probably lock it.
jr. member
Activity: 108
Merit: 6
People are acting like inflation bug never existed in bitcoin, hilarious.  Rarely hear about it , this forum is filled with shills trying to pump their bags.

Jump to: