Topic: Security bounties - page 5. (Read 146006 times)

You got lucky.

I think word will get out and you'll have hackers everywhere looking for exploits.  Security holes will get plugged faster than wet cement slipping through pantyhose.

Your effort to improve the forum (although a little late) is appreciated.

So? So long as they don't exploit the vulnerabilities they find in a way that could harm the forum or its users, I think theymos will be happy to make the forums more secure.

It is also in their interest to eliminate or minimize the impact of their exploiting of the site because if it causes "substantial disruptions" the reward they will get will be considerably smaller.

I don't think I'll find anything but I'll try my luck in 4-5 weeks when I should have a lot more time than now.

@theymos

I mentioned it on IRC when the site was down and know it can be a problem for you, but if you find some time in the near future, please consider releasing the full code and configuration that's behind bitcointalk.org with the sensitive information removed.

edit: hopefully SMF would give their consent to this
http://www.simplemachines.org/about/smf/license.php

You're overvaluing flippant criticism of the forum by folks that know no details surrounding the hack yet think throwing out buzzwords or the "latest tech terms" are the equivalent of Mazlow's hammer. Cloudflare's anti-hacking filters would have done nothing to protect from this. There is maybe once or twice in the past where using Cloudflare would have prevented previous DDoS attacks, but that's about it. BarbarianBob identified a specific weakness and came up with a novel way to exploit it. There isn't some automated tool to prevent this.


If it's self-signed then you're completely subjected to a MitM attack. You could install the certificate manually, but you'd still have to first get it through a trustable transfer mechanism. This is almost too-silly of a recommendation to even comment on, I honestly can't tell if you are trolling or just so wrapped up in wanting to help you're throwing out buzzwords as possible recommendations.

In order to help me determine your purpose, maybe you can answer a question. What was the point of going through and replacing most of the text in your previous posts this year with ".."?

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.

This is probably the highest security bounty of any forum. It's only a little less than Google's security bounties. After this attack, the forum spent over 100 BTC on security-related stuff. Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Contrary to common belief, there is no magic wishing well into which you can throw money and instantly get good results. Often, it's better not to spend money, especially when growth is not the forum's main goal. You always seem to want me to spend thousands of bitcoins as quickly as possible. This would be a great way for the forum to lose a lot of its money without gaining much value in return.

If you don't like how I spend the forum's money, you can:
- Use reasonable arguments (not just trollish demands/complaints) to try and convince me; or
- Create your own organization, generate 6000+ BTC (mostly not from donations), and try some alternative strategy.


No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped. Same for any automatic exploit detection based on patterns. Unless DoS attacks get really bad, I won't be willing to give up control of the forum's HTTPS keys.

In other words, give cloudflare the ability to MITM. Reverse proxy services should be seen as a a last resort, and all cloudflare's WAF will do is stop basic SQL injection, XSS, etc.

I prefer not to denominate values in any single country's currency here, but BTC is too unstable. XAU is pretty stable.

Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.

Bitcointalk.org offers large security bounties. See: https://bitcointalk.org/sbounties.php