Topic: Re: Mining pools list - page 18. (Read 803 times)

legendary
Activity: 2576
Merit: 1186
May 05, 2015, 11:56:16 AM
There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago.
Why did you make a public disclosure in Russian of a security bug in software written and maintained by people who probably don't understand Russian?
The proper procedure for such things is to privately get in touch with the maintainers so they have an opportunity to fix it before public disclosure - especially for bugs easily exploited.

The vulnerability is caused by an incorrect uniqueness verification algorithm. Instead of checking raw solutions, most of the pools do this by checking the hex-encoded representation. This allows a miner to create multiple versions of the same share by applying an uppercase function to the hex-encoded solution.

This vulnerability seems intentionally made, i.e. a backdoor. The simplest workaround is to use the lower() method:
While it's a pretty stupid bug, I don't think I'd automatically assume malice.

As far as I know, stratum-mining/eloipool/node-stratum-pool are vulnerable.
Why do you say Eloipool is affected? It checks for duplicate submissions in binary.
sr. member
Activity: 392
Merit: 251
May 05, 2015, 11:54:10 AM
For whatever it is worth, I think SockThing is vulnerable to this (my bad).

I've pushed a change that should fix it:
https://github.com/fireduck64/SockThing/commit/cf7cf1c04be5df747ce0c124be96702f694933e1

legendary
Activity: 3108
Merit: 1359
May 05, 2015, 11:53:18 AM
I've sent a message to some involved people and pool owners mail list.

Though there is no sense in it, because we found this vulnerability a month ago, after experiencing the mysterious unluckiness and checking the share log. So I guess it has been exploited for a while... Maybe a few months or even a few years.


wizkid057
Quote
FUD

I didn't check eloipool myself, so yep, I can be wrong there. But stratum-mining and node stratum are definitely affected.

legendary
Activity: 1223
Merit: 1006
May 05, 2015, 11:52:03 AM
legendary
Activity: 2730
Merit: 1034
Needs more jiggawatts
May 05, 2015, 10:46:01 AM
Some pools like BtcGuild are not affected for an unclear reason. Probably because they're using proprietary software.

Yes, they are. Same thing with Bitminter. I would expect most pools are using their own software and are not vulnerable.

I thought ghash had their own implementation as well. Although of course they could have made the same mistake.

I hope you contacted these pools and gave them a chance to fix the issue before going public with it.
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 10:07:23 AM
Hi guys.

Read an article yesterday, and I think I know why some pools are so "unlucky".

In fact they're not unlucky, they're attacked through a share multiplication issue. There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago.

The vulnerability is caused by an incorrect uniqueness verification algorithm. Instead of checking raw solutions, most of the pools do this by checking the hex-encoded representation. This allows a miner to create multiple versions of the same share by applying an uppercase function to the hex-encoded solution.

Quote
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31eE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31Ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31EE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0aD31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}

This vulnerability seems intentionally made, i.e. a backdoor. The simplest workaround is to use the lower() method:

Code:
@@ -192,7 +192,12 @@ def submit_share(self, job_id, worker_name, session, extranonce1_bin, extranonce
    # Check nonce
    if len(nonce) != 8:
        raise SubmitException("Incorrect size of nonce. Expected 8 chars")

+    # normalize the case to prevent duplication of valid shares by the client
+    ntime = ntime.lower()
+    nonce = nonce.lower()
+    extranonce2 = extranonce2.lower()
+
    # Check for duplicated submit
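Review bot: lowercasing ntime, nonce and extranonce2 in the added lines removes the case variant, but the duplicate check that follows is still keyed on hex text rather than on the decoded value; a more robust fix is to decode the three fields with binascii.unhexlify and use the binary values as the duplicate key (the approach Eloipool is described as taking elsewhere in this thread). Decoding first would also close a gap visible in the context lines: `if len(nonce) != 8:` validates length only, so an 8-character string containing non-hex characters gets past it, whereas unhexlify raises binascii.Error on odd-length or non-hex input.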

As far as I know, stratum-mining/eloipool/node-stratum-pool are vulnerable. An example of an affected pool is ghash.io... Some pools like BtcGuild are not affected for an unclear reason. Probably because they're using proprietary software.
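An added example (not code from the post or from any of the pool projects it names) that replays the mining.submit lines quoted above through two duplicate filters: one keyed on the hex strings as submitted, the other keyed on the decoded bytes. It assumes the stratum parameter order (worker, job_id, extranonce2, ntime, nonce); the function names are hypothetical and the sample lines are copied from the post.

```python
import binascii
import json

# Constructed sample input: the mining.submit lines quoted in the post above.
# Stratum parameter order is (worker, job_id, extranonce2, ntime, nonce).
SUBMITS = [
    '{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31ee"]}',
    '{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}',
    '{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31eE"]}',
    '{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31Ee"]}',
    '{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31EE"]}',
    '{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0aD31ee"]}',
]


def share_key_hex(params):
    # Vulnerable: the duplicate key is the hex text exactly as submitted,
    # so "c0ad31ee" and "c0ad31EE" count as two different shares.
    _worker, job_id, extranonce2, ntime, nonce = params
    return (job_id, extranonce2, ntime, nonce)


def share_key_bin(params):
    # Hardened: decode to bytes first. unhexlify accepts either case, so every
    # case variant maps to one key, and odd-length or non-hex input raises
    # binascii.Error (a ValueError subclass) instead of being accepted.
    _worker, job_id, extranonce2, ntime, nonce = params
    if len(nonce) != 8 or len(ntime) != 8:
        raise ValueError("nonce and ntime must be 8 hex chars")
    return (job_id, binascii.unhexlify(extranonce2),
            binascii.unhexlify(ntime), binascii.unhexlify(nonce))


def count_accepted(lines, key_fn):
    # Replay submissions through a duplicate filter built on key_fn;
    # returns (accepted, rejected) so the two keying schemes can be compared.
    seen = set()
    accepted = rejected = 0
    for line in lines:
        params = json.loads(line)["params"]
        try:
            key = key_fn(params)
        except ValueError:
            rejected += 1
            continue
        if key in seen:
            rejected += 1
        else:
            seen.add(key)
            accepted += 1
    return accepted, rejected
```

Replaying the quoted lines gives (6, 0) for the hex-keyed filter and (2, 4) for the byte-keyed one, which is the share multiplication the post describes and the check that stops it.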

legendary
Activity: 1610
Merit: 1000
May 01, 2015, 10:12:03 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
On ckpool Pure solo there is no minimum payout Wink
No restarts every 4 years are needed. The only restart you need is to catch up with git commits and that is all..
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
May 01, 2015, 08:22:16 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half its value Tongue
As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

Why should I have to do extra work when I could simply put a 0.01 payout and it doesn't affect anything?

I'm still curious on why you're even commenting on trivial issues as if it is going to affect you somehow.
Still curious about my comments? When were you curious before?

I'm curious why you are running a pool when you can't even edit the software to resolve such a trivial problem but instead comment on how the value you've used is to save you from restarting the pool once every 4 years ... ... ... ...

That sort of comment raises a major flag IMO.

I've made comment about this before around the forum about people running pools who are unable to fully manage the pool.
I guess when there comes a problem with the pool and you are unable to change/fix the code, then anyone who chose to mine on your pool is now in the situation of waiting until you find someone (trustworthy? or omg I better grab the first person I can find) to fix the problem.

People seem to think they can run a pool on their home internet connection or some tiny vps worth $10 a month.
Then of course there's issues like tuning the server to handle a large number of connections.
Then the obvious stuff like ensuring the pool has a very good connection to the bitcoin network so that miners aren't throwing hashes at you and getting regular orphans - even big pools like Eligius fail at doing that Tongue
I wonder where your pool wallet is? Is it on a server that you may know next to nothing about managing?
Do you know all the services running on the server and what they do?
Do you monitor the connections and keep an eye on server access and security?

These sorts of things become an issue down the track when the pool operator says OMG someone hacked the pool and stole all the BTC. Sorry.
It's happened quite a few times in the past with pools.

Seems the latest trend is people seeing some free pool download software and thinking OMG I can make a fortune running a pool.
Being able to fully run a pool may be nowhere in their repertoire.
sr. member
Activity: 392
Merit: 250
★ BitClave pre-ICO: 25/07/17 ★
May 01, 2015, 07:38:42 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half its value Tongue
As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

Why should I have to do extra work when I could simply put a 0.01 payout and it doesn't affect anything?

I'm still curious on why you're even commenting on trivial issues as if it is going to affect you somehow.
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
May 01, 2015, 12:05:07 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half its value Tongue
As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 30, 2015, 10:55:19 PM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 30, 2015, 10:54:00 PM
Is this different to other solo-mining pools?

No, I suppose not. Just didn't know how to word it.

Good-oh, list had been updated.
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
April 30, 2015, 10:32:38 PM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?
sr. member
Activity: 392
Merit: 250
★ BitClave pre-ICO: 25/07/17 ★
April 30, 2015, 09:49:23 PM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.


Pool:                             Crypto-Miners Club
Website:                        www.Crypto-Miners.Club
Generation address:     1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig:       H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=    
Payout method:             Group Solo Mining Pool
Fee:                               0.5%
Pay Tx Reward:             Yes
Vardiff:                           Yes / User-Defined
Local Work:                    Stratum
Pay Orphans:                 No
Min Withdrawal:              0.001 BTC
Merge Mining:                 Not Yet

Updated original post as well.

Is this different to other solo-mining pools?

No, I suppose not. Just didn't know how to word it.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 29, 2015, 08:54:52 PM
Pool:                             Crypto-Miners Club
Website:                        www.Crypto-Miners.Club
Generation address:     1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig:       H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=    
Payout method:             Group Solo Mining Pool
Fee:                               0.5%
Pay Tx Reward:             Yes
Vardiff:                           Yes / User-Defined
Local Work:                    Stratum
Pay Orphans:                 No
Min Withdrawal:              0.001 BTC
Merge Mining:                 Not Yet

Updated original post as well.

Is this different to other solo-mining pools?
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
April 29, 2015, 08:41:01 PM
A solo pool with a minimum payout Huh
sr. member
Activity: 392
Merit: 250
★ BitClave pre-ICO: 25/07/17 ★
April 29, 2015, 08:33:21 PM
Pool:                             Crypto-Miners Club
Website:                        www.Crypto-Miners.Club
Generation address:     1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig:       H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=    
Payout method:             Group Solo Mining Pool
Fee:                               0.5%
Pay Tx Reward:             Yes
Vardiff:                           Yes / User-Defined
Local Work:                    Stratum
Pay Orphans:                 No
Min Withdrawal:              0.001 BTC
Merge Mining:                 Not Yet

Updated original post as well.
full member
Activity: 186
Merit: 100
April 29, 2015, 06:36:54 PM
Pool:                      GIVE-ME-COINS.com
Website:                 http://give-me-coins.com
Proxy:                    No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method:        PPLNS
Fee:                        0%
Pay Tx Reward:        Yes
Vardiff:                   12 SPM
Local Work:             stratum
Pay Orphans:           No
Min Withdrawal:       0.01
Merge Mining:          Currently disabled. Will be re-enabled soon

Done. Please check for errors.

Perfect.
Thanks! Smiley
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 29, 2015, 06:31:58 PM
Pool:                      GIVE-ME-COINS.com
Website:                 http://give-me-coins.com
Proxy:                    No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method:        PPLNS
Fee:                        0%
Pay Tx Reward:        Yes
Vardiff:                   12 SPM
Local Work:             stratum
Pay Orphans:           No
Min Withdrawal:       0.01
Merge Mining:          Currently disabled. Will be re-enabled soon

Done. Please check for errors.
full member
Activity: 186
Merit: 100
April 29, 2015, 06:04:40 PM
Pool:                      GIVE-ME-COINS.com
Website:                 http://give-me-coins.com
Proxy:                    No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method:        PPLNS
Fee:                        0%
Pay Tx Reward:        Yes
Vardiff:                   12 SPM
Local Work:             stratum
Pay Orphans:           No
Min Withdrawal:       0.01
Merge Mining:          Currently disabled. Will be re-enabled soon