Pages:
Author

Topic: Re: Mining pools list - page 17. (Read 818 times)

newbie
Activity: 29
Merit: 0
May 10, 2015, 03:03:41 PM
Hi

Reported this back in march, but nobody seemed to care.

https://bitcointalksearch.org/topic/bug-in-stratum-mining-software-1001603

Denis
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 07, 2015, 09:13:13 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.

Source?

The big fat copyright notice at the bottom of their pool server webpage(its offline now). BTW they switched mining addresses to 1CdJi2xRTXJF6CEJqNHYyQDNEcM3X7fUhD and removed the coinbase tag.

Thanks for the info. I'll see if I can get independent confirmation.
sr. member
Activity: 261
Merit: 257
May 07, 2015, 08:47:10 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.

Source?

The big fat copyright notice at the bottom of their pool server webpage(its offline now). BTW they switched mining addresses to 1CdJi2xRTXJF6CEJqNHYyQDNEcM3X7fUhD and removed the coinbase tag.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 07, 2015, 04:32:28 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.

Source?
sr. member
Activity: 261
Merit: 257
May 07, 2015, 11:33:41 AM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.
legendary
Activity: 1148
Merit: 1018
It's about time -- All merrit accepted !!!
May 06, 2015, 05:11:15 PM
I am late on this, can't believe as much as I read on the forum I missed it....  thanks to the heavy hitters here who put the time/research in and disclosed this.
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
May 06, 2015, 01:04:31 PM

That's from March, so I guess this is still based on Balthazar's initial post? Nothing earlier than that?
https://bitcointalksearch.org/topic/m.11084506
That is April.
Or are you referring to something else?

March usually comes before April Smiley

https://github.com/slush0/stratum-mining/pull/12
is 42 days ago.
I will add, yet again, that this is highly unlikely to make up for their luck statistics.

It would depend on the % of the pool that were external miners and those miners % of shares submitted using this.

Blaming their luck on nefarious miners requires a high % of external miners and a high % of them withholding or doing this.

As stated before, if it was withholding, they would have the information already about who was doing it since the amount of withholding would need to be large enough to make it clear who was doing it and they would need to be external miners and a large % of the pool.
If it was this, then they'd have the share information to see who did it since it would be a LOT of such shares by a LOT of external miners who would have to be a large external % of the pool.
newbie
Activity: 57
Merit: 0
May 06, 2015, 08:17:55 AM
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
May 06, 2015, 01:36:39 AM

That's from March, so I guess this is still based on Balthazar's initial post? Nothing earlier than that?
https://bitcointalksearch.org/topic/m.11084506
That is April.
Or are you referring to something else?

March usually comes before April Smiley

https://github.com/slush0/stratum-mining/pull/12
is 42 days ago.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 05, 2015, 11:50:26 PM

That's from March, so I guess this is still based on Balthazar's initial post? Nothing earlier than that?
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 05, 2015, 09:11:42 PM
There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug few weeks ago.
Why did you make a public disclosure in Russian of a security bug in software written and maintained by people who probably don't understand Russian?
The proper procedure for such things is to privately get in touch with the maintainers so they have an opportunity to fix it before public disclosure - especially for bugs easily exploited.

Balthazar contacted me a few days ago, mentioning the possibility of this bug causing poor 'luck' for GHash. I suggested posting an English translation on the pools board so I could see if there was a consensus that the attack was valid. I didn't even think about disclosure to GHash, but it should have been my first suggestion. Hassle me about that, not him. I'll certainly be forwarding GHash this discussion and see if that finally gets a response.

Nope.
But I read about it a long time ago:

https://github.com/simplecrypto/powerpool/issues/128

I assumed everyone had patched already.

Your link is from 21 days ago and uses the same example as Balthazar. Was there something from longer ago?
legendary
Activity: 1750
Merit: 1007
May 05, 2015, 01:58:13 PM
BTC Guild isn't affected as you mentioned.  The BTC Guild stratum server was actually written before Stratum even existed when I was working on a different mining protocol solution to prepare for ASICs.  Stratum was close-enough to my protocol proposal that it took just a few hours to adapt it to match stratum syntax.

Quite alarmed that such a simple bug is in the "official" stratum branch, I'm pretty sure I remember this same type of exploit existing in the early days of getwork mining servers.
full member
Activity: 186
Merit: 100
May 05, 2015, 12:15:30 PM
Nope.
But I read about it a long time ago:

https://github.com/simplecrypto/powerpool/issues/128

I assumed everyone had patched already.

We use eloipool too, so we are not affected. I found the problem in nodejs stratum. It was an easy patch.



I've seen an issue notification in the project... Was it yours?
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 12:09:52 PM
We use eloipool too, so we are not affected. I found the problem in nodejs stratum. It was an easy patch.



I've seen an issue notification in the project... Was it yours?
full member
Activity: 186
Merit: 100
May 05, 2015, 12:06:38 PM
We use eloipool too, so we are not affected. I found the problem in nodejs stratum. It was an easy patch.


legendary
Activity: 2576
Merit: 1186
May 05, 2015, 12:03:03 PM
FWIW, I also checked CKPool, and (as expected) it is not affected either.
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 12:02:05 PM
Confirming that eloipool is not vulnerable and that Eligius hasn't been subject to this attack I scanned the share database for duplicates since the last database cleanup (~week ago) and found no duplicate work credited.
Congratulations. By the way, I have always seen eligius as an example of good work. Wink
legendary
Activity: 1223
Merit: 1006
May 05, 2015, 11:58:11 AM
Confirming that eloipool is not vulnerable and that Eligius hasn't been subject to this attack I scanned the share database for duplicates since the last database cleanup (~week ago) and found no duplicate work credited.
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 11:57:35 AM
Luke-Jr

OK, then it's fine. Smiley Again, I didn't check Eloipool myself because I had not so much free time. Sorry for that.
Pages:
Jump to: