Topic: Security bounties (Read 146633 times)

newbie
Activity: 28
Merit: 5
April 16, 2024, 10:31:59 AM
#90
A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.

Thanks for your answers to my questions. The intention isn't to simply run Burp Suite Active Scan++ and then send a list of boring TLS/SSL cipher and protocol recommendations. It's really only worth raising findings that have a material impact or risk. I will poke my nose around and see if I find anything.
administrator
Activity: 5166
Merit: 12850
April 08, 2024, 04:07:00 PM
#89
1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?

No.

2) Is it acceptable to use newly created / generic sock puppet accounts for testing?

Yes.

3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)

Probably only for the listed security bounties.

4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?

IPs are only banned for making too many requests, not for suspicious behavior. So just don't make more than one request per second.

A lot of people try to run "website security scanners", and then report the "bugs" that these software packages find. Please don't do that. These scanners only ever report little configuration things which some people consider less than ideal, like allowing certain TLS ciphers, or sending/not-sending certain HTTP headers, and stuff like that. It's not useful.
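The one-request-per-second rule above is also a simple thing to audit on the server side. What follows is an added example, not code from this thread or from the forum's software: a sliding-window counter over a few constructed access-log lines (timestamp, client IP, path; not real forum logs) that flags any client making more than `max_requests` requests inside any `window_seconds` interval, which is the kind of check that would trigger the request-rate ban theymos describes. The function and constant names are assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the forum's real logs): "timestamp ip path".
# 203.0.113.10 fires three requests within half a second; 198.51.100.7 waits >1s between each.
SAMPLE_LOG = """\
2024-04-08T16:07:00.000 203.0.113.10 /index.php?action=profile
2024-04-08T16:07:00.250 203.0.113.10 /index.php?board=1.0
2024-04-08T16:07:00.500 203.0.113.10 /index.php?topic=1.0
2024-04-08T16:07:01.700 203.0.113.10 /index.php?action=search
2024-04-08T16:07:00.100 198.51.100.7 /index.php
2024-04-08T16:07:01.300 198.51.100.7 /index.php?board=2.0
2024-04-08T16:07:02.600 198.51.100.7 /index.php?topic=5.0
"""


def parse_line(line):
    """Split one constructed log line into (datetime, ip, path)."""
    ts, ip, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, path


def find_rate_violations(log_text, max_requests=1, window_seconds=1.0):
    """Return {ip: time_of_first_violation} for every client that made more than
    max_requests requests inside any sliding window of window_seconds.

    Events are sorted by timestamp first, so the per-IP deque always holds only the
    requests that fall inside the window ending at the current event.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    violations = {}
    for ts, ip, _path in events:
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that are a full window or more behind the current request.
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) > max_requests and ip not in violations:
            violations[ip] = ts
    return violations


if __name__ == "__main__":
    for ip, when in find_rate_violations(SAMPLE_LOG).items():
        print(f"{ip} exceeded 1 request/second at {when.isoformat()}")
```

Pointed at a real access log, only `parse_line` needs adapting to that log's format; `max_requests` and `window_seconds` let the same function express a more lenient policy (for example 5 requests in 10 seconds) without changing the sliding-window logic.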
newbie
Activity: 28
Merit: 5
April 03, 2024, 01:53:47 AM
#88
I have a few questions related to performing security testing on this site, particularly as I don't want to get my current account banned by accident.

1) Is it required to have a persistent custom HTTP header in all requests, e.g. "X-Bug-Bounty: {bitcointalk username}"?
2) Is it acceptable to use newly created / generic sock puppet accounts for testing?
3) Is the "The Glider" forum badge assigned in all cases where a vulnerability is disclosed and patched, or only when a payment bug bounty is provided? (I am curious if this badge will be given out for low to medium risk findings that are not eligible for a payment bounty, but could still be useful)
4) If my genuine IP or testing accounts are banned for suspicious use whilst performing bug bounty testing, will my normal BitcoinTalk account remain unaffected?
copper member
Activity: 1610
Merit: 1898
Amazon Prime Member #7
September 05, 2021, 03:28:08 AM
#87
Or was SMF 1.1.19 modified in some way or another?
There are several features added to the SMF 1.1.19 codebase, and I don't believe the code for these features is public. Some of the modifications to SMF 1.1.19 may have been to close security holes/issues.

While following the terms in the OP (which primarily consist of the requirement that pentesters not cause disruption to the forum and not access 3rd-party data), you can find security weaknesses in the forum software and collect the respective bounties.
hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
September 04, 2021, 06:45:11 PM
#86
I'm not sure how building forums with software like SMF works, but if BitcoinTalk is 'just' a specific configuration of SMF 1.1.19, are we essentially looking for bugs in SMF 1.1.19?
Or was SMF 1.1.19 modified in some way or another?

I'm asking because it usually makes sense to look for bugs in a locally installed version of software opposed to pentesting a live system.
copper member
Activity: 2562
Merit: 2504
Spear the bees
August 17, 2021, 05:35:22 AM
#85
only once in your posting history, once you reach 1337 posts.
Unless you delete your posts after the fact.

This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg.
IIRC this is just a native SMF easter egg: simply part of the toolkit. It just wasn't removed like a few of the other things as it has no significant impact.
legendary
Activity: 1666
Merit: 6436
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
August 12, 2021, 10:08:26 AM
#84
Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.

As Xal0lex provided some examples, yes, there is no problem with the "leet" you saw at the profile, icopress. In case there is still any misunderstanding, this is a sort of easter egg, a perk, which appears only once in your posting history, once you reach 1337 posts. In Internet slang, the number 1337 is sometimes spelled as leet or l33t. This number / word is used instead of elite. So when someone tries to say s/he is part of the elite, in Internet slang s/he can write as leet, l33t or 1337.

This is the story of the leet and here, on the forum, I think it was implemented as a funny easter egg. However, the "leet" is not displayed on other occasions - such as when reaching 1337 merits, so it is only once in your life when you see it in your posting history. I am glad you took a screenshot of the moment.

All in all, it's supposed to be something funny. Similar to the pic below:
staff
Activity: 2436
Merit: 2347
August 04, 2021, 12:16:22 PM
#83
legendary
Activity: 1456
Merit: 5874
light_warrior ... 🕯️
August 04, 2021, 07:54:32 AM
#82
Has anyone ever come across such a display of the number of posts? I disabled the extension used but the situation has not changed.
In order not to create a new thread, I will leave my observation here due to the fact that this thread is associated with possible errors found.
legendary
Activity: 2909
Merit: 1307
July 30, 2021, 05:01:50 AM
#81
Maybe I missed it, but why are the bounties in US$ and not in XAU anymore?
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
April 04, 2021, 11:21:00 AM
#80
Anyone can invest here and can grow their trade because it has good security.
All investments posted here are actually held on other websites; what bitcointalk can offer is only a safe and secured forum, given the previous hacks/attacks that leaked users' private data, including emails, phone numbers and locations posted in PMs when dealing with someone.
newbie
Activity: 264
Merit: 0
April 04, 2021, 10:34:58 AM
#79
This is probably the highest security bounty of any forum. I am new here but I know its security is high; for this reason I love bounties. Anyone can invest here and can grow their trade because it has good security.
newbie
Activity: 6
Merit: 0
December 04, 2020, 11:49:52 PM
#78
You should put this bounty into SMF Forum's core also.
legendary
Activity: 2100
Merit: 1208
Heisenberg
October 05, 2020, 05:26:49 PM
#77
Is only bitcointalk.org domain considered for this or any other also ?
Like it is said in the OP. The security bounties are exclusively for the forum (bitcointalk.org). Why would admin create security bounties for other domains that the forum is not affiliated with?

The forum is offering bounties for security vulnerabilities.
jr. member
Activity: 187
Merit: 2
October 04, 2020, 10:32:46 AM
#76
Is only bitcointalk.org domain considered for this or any other also ?
newbie
Activity: 14
Merit: 1
August 29, 2019, 07:17:33 PM
#75
Hello theymos.

I quote here two post regarding BitcoinTalk's security and I hope you will do what I recommended.

@theymos If I were you, I would remove Google reCaptcha before a DoS hits your main server! The sitekey my boy, the sitekey... I also did some research around the SSL certificates you got from Sectigo... Later I will contact you when I have decided what to do with all this.

You don't want to keep that Google reCaptcha there, not only because I was able to identify your server behind the cloud, but because you don't need it at all! Before the cloud it was useful, but now you can use just one captcha... better for you.

Quick tips for mitigation: Remove Google reCaptcha and implement Argo Tunnel

administrator of this forum without any knowledge of programming. I have read his post from the very first one and nothing indicates he had any knowledge of programming.
Bitcointalk is a big forum with over 2.6 million members; it needs knowledge of management, not necessarily knowledge of programming.
A manager can recruit people who have that knowledge.
That is correct DroomieChikito!

If @theymos does what I recommended to him here: https://bitcointalksearch.org/topic/doubt-about-bitcointalk-5179950 and in PM, then he would never again need to even think about something bad happening to the server(s) of BitcoinTalk. In the current state BitcoinTalk is vulnerable. If he does what I recommended it will mitigate all types of attacks once and forever.

This topic will lose its relevance immediately: https://bitcointalksearch.org/topic/m.3326091 meaning no more bounty. Some regarding the forum and email could still be ongoing, but he would need to rewrite the entire post.

Cheers!

I can't reply to your PM theymos, I'm too new here...
I got your PGP key. I will send you what you asked. Right now I'm busy with something else. I can assure you that soon you will get the response in PM or in an encrypted email.

Is this yours?
Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----
=39Rd
-----END PGP PUBLIC KEY BLOCK-----
STT
legendary
Activity: 3878
Merit: 1411
Leading Crypto Sports Betting & Casino Platform
July 19, 2019, 12:12:44 AM
#74
I will speak to someone next week who does this vulnerability testing professionally. Maybe he will tip me if he has a trick from work and manages to do anything :p

Is there any plans to increase the bounty awards?
They increase every day so long as the gold price does

Sorry, but what is XAU exactly?
Sorry, but what is XAU exactly?
https://www.xe.com/currencycharts/?from=XAU&to=USD&view=10Y

XAG is silver

https://www.xe.com/iso4217.php#X

Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
The forum is internationally based could be one point, but mostly I think of the dollar as the pre-Nixon standard of being fixed to gold, hence it's always reasonable to offer gold long term, especially to an international audience. If I have no liabilities in dollars then the gold could be preferable; dollars do depreciate over time and this topic is years old. Honestly everyone should keep a little gold, maybe I'm biased or maybe people forgot +10% interest rates, etc. I haven't.
administrator
Activity: 5166
Merit: 12850
September 13, 2018, 12:28:36 AM
#73
Sorry, but what is XAU exactly?

Troy ounces of gold.
jr. member
Activity: 98
Merit: 2
September 12, 2018, 08:35:31 PM
#72
And what about current stats ?

Doing a quick count, it looks like a total of about 11.4 XAU has been paid in security bounties since inception.

Sorry, but what is XAU exactly?
legendary
Activity: 2674
Merit: 1208
Once a man, twice a child!
September 11, 2018, 07:51:44 AM
#71
https:// bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anything anyone can do about that site?
If you truly feel that site is a phishing one, why not deactivate the link so no one mistakenly falls prey to it? But I don't see anything different about that site; it is the same as our BTT in spelling and everything.
administrator
Activity: 5166
Merit: 12850
July 22, 2018, 06:24:23 PM
#70
And what about current stats ?

Doing a quick count, it looks like a total of about 11.4 XAU has been paid in security bounties since inception.
jr. member
Activity: 32
Merit: 1
July 22, 2018, 02:25:55 AM
#69
If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?

Just yours so far. (A CSRF.)

And what about current stats ?
full member
Activity: 1246
Merit: 105
July 21, 2018, 08:31:48 AM
#68
https://bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anything anyone can do about that site?

There are settings in different browsers to block certain websites completely.

You will have to follow a tutorial online for the specific browser you are using.

If by doing something about it you meant that you would like to get that website taken down, that is a very long route.
member
Activity: 124
Merit: 16
July 20, 2018, 04:09:26 AM
#67
Bullshit offer.
If you are sincere in solving any security breach, you should seek paid professionals.

All big companies like FB, Google take the same route even after they have paid professionals hired full time for this work. Users can be the best judge especially for new features.
jr. member
Activity: 69
Merit: 3
July 13, 2018, 11:44:18 AM
#66
Are there any plans to increase the bounty awards?

Will you submit the bug only if the bounty reward is increased ?  Share with the admin and he will compensate accordingly. Also, the current rewards are very much in accordance with standard payouts given by reputed websites. The admin mentioned this somewhere in this thread.
full member
Activity: 490
Merit: 110
July 10, 2018, 09:50:28 AM
#65
https://bitcointalk.org/ is a copy cat and one time I almost entered my password there. Good thing I did not, but is there anything anyone can do about that site?
newbie
Activity: 65
Merit: 0
July 09, 2018, 08:19:27 AM
#64
Are there any plans to increase the bounty awards?
administrator
Activity: 5166
Merit: 12850
June 19, 2018, 02:53:27 PM
#63
Admin, I have a question regarding this :  1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.

If I am able to confirm the email from among several possible email ids for an account, is it acceptable? Like confirming the email id of DefaultTrust from among 100 possible mail ids.

No, if you have someone's email address then there are several known ways of finding their username. I don't consider this a bug.
full member
Activity: 1246
Merit: 105
June 16, 2018, 07:05:23 AM
#62
Admin, I have a question regarding this :  1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.

If I am able to confirm the email from among several possible email ids for an account, is it acceptable? Like confirming the email id of DefaultTrust from among 100 possible mail ids.
legendary
Activity: 2674
Merit: 2053
Free spirit
April 22, 2018, 11:09:05 AM
#61
Oh look 2 post copying robots in a row
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
jr. member
Activity: 85
Merit: 5
April 16, 2018, 04:03:47 PM
#60
Sorry about my question, what is SMF ?

It's a forum "engine". You use it to create forums, exactly like has been done for bitcointalk.org. You (or anyone who's actually reading this) can find more info on their official website: https://www.simplemachines.org/
newbie
Activity: 52
Merit: 0
April 06, 2018, 04:57:43 PM
#59
Hello Theymos, I sent you a message, please check.
member
Activity: 392
Merit: 27
http://radio.r41.ru
February 14, 2018, 12:22:31 AM
#58
theymos, I sent you a personal message with a description; I hope it helps.
copper member
Activity: 2562
Merit: 2504
Spear the bees
January 15, 2018, 10:24:58 PM
#57
Sorry about my question, what is SMF ?
Simple Machines Forum.

It's the foundation of the forum.
Read more about it on the official site: https://www.simplemachines.org/

You'll find a lot of layout similarities.
newbie
Activity: 1
Merit: 0
January 15, 2018, 08:41:32 PM
#56
Sorry about my question, what is SMF ?
jr. member
Activity: 115
Merit: 8
December 10, 2017, 09:16:12 PM
#55
So, looking at this thread and reading an old thread from 2014 on forum improvements / upgrades, is there a plan to ever move on from SMF? This is outdated software and you'd have much better luck (as I'm sure you know) moving onto bigger and better things. I mean, you're not even running anything close to the newest version of SMF either.
newbie
Activity: 46
Merit: 0
December 09, 2017, 12:35:59 PM
#54
Sweet, but I think that is already in progress, isn't it?
administrator
Activity: 5166
Merit: 12850
November 16, 2017, 05:19:55 PM
#53
Added:

Extra bounties

These bounties use a separate system of calculation, but are subject to the same conditions as above.

- 1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.
hero member
Activity: 854
Merit: 503
|| Web developer ||
November 02, 2017, 04:16:06 AM
#52
I have sent Theymos a PM.
member
Activity: 350
Merit: 10
Global loyalty & rewards
October 25, 2017, 12:54:15 AM
#51
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. "Time-share" term was later appropriated by the vacation real-estate salesmen, so the computer salesmen renamed their "time-shares" to "cloud computing".

But the bullshit stayed the same.

You have a rich imagination.
member
Activity: 420
Merit: 13
October 14, 2017, 02:01:24 PM
#50
Bullshit offer.
If you are sincere in solving any security breach, you should seek paid professionals.
sr. member
Activity: 373
Merit: 262
September 17, 2017, 10:18:41 PM
#49
No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped.
Quote from: TradeFortress
In other words, give cloudflare the ability to MITM. Reverse proxy services should be seen as a last resort, and all cloudflare's WAF will do is stop basic SQL injection, XSS, etc.
These people really seem to know what they're doing, and theymos keeps doing it despite stupid comments from people who blurt out whatever without doing any research about what they're talking about. It's nice to be on a forum that's so well run.
full member
Activity: 228
Merit: 100
October 11, 2016, 05:19:22 PM
#48
when will the Iron tank forum be released?
legendary
Activity: 4466
Merit: 1798
Linux since 1997 RedHat 4
October 07, 2016, 08:22:53 PM
#47
In case you didn't notice Theymos ...
It would appear that the email harvesting from the 2015 hack, has recently put the forum email addresses from back then into spam lists.
https://bitcointalksearch.org/topic/forum-database-compromised-1635595

Looks like you need to up the bounties and/or find someone who can be rewarded them.
administrator
Activity: 5166
Merit: 12850
October 05, 2016, 10:18:23 PM
#46
Mods don't have access to the server(s) that host bitcointalk, right?

They do not.
legendary
Activity: 1232
Merit: 1029
give me your cryptos
October 05, 2016, 09:37:27 PM
#45
Just asking regarding you mentioning mod-related vulnerabilities in the OP.

Mods don't have access to the server(s) that host bitcointalk, right? Only you and maybe Badbear?
legendary
Activity: 2128
Merit: 1065
November 28, 2015, 08:34:17 PM
#44
Are we really in 2015?!
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. ....
Some years off in that one...1970 was mostly punched cards.  I'd guess timeshared computer services maxed out in parallel with the first five or ten years of the PC.
Not in the USA and other relatively advanced economies. There the order was approximately:

196x) organization-owned mainframes
197x) shared rented mainframes (provider-owned)
198x) departmental minicomputers (back to organization-owned)
199x) personal computers (both organization-owned and individual-owned)

Also, I'm talking about broad industrial/commercial/academic trends, not about various niches.

Edit: added one more decade and ownership qualification

legendary
Activity: 2898
Merit: 1386
November 28, 2015, 02:47:51 PM
#43
Are we really in 2015?!
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. ....

Some years off in that one...1970 was mostly punched cards.  I'd guess timeshared computer services maxed out in parallel with the first five or ten years of the PC.
legendary
Activity: 2128
Merit: 1065
May 27, 2015, 11:34:18 AM
#42
Are we really in 2015?!
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. "Time-share" term was later appropriated by the vacation real-estate salesmen, so the computer salesmen renamed their "time-shares" to "cloud computing".

But the bullshit stayed the same.
full member
Activity: 238
Merit: 100
May 27, 2015, 05:55:29 AM
#41
>> Are you telling me decentralization is better for scalability/performance at this point? Def not. Also interesting you are first for keeping IPs private but now you want a P2P forum?

My previous post is a set of ideas for theymos to think about, while he studies PHP and that "new" Javascript...
He can pick something useful from it...
As he tries to stay behind the times and progress, maybe he will accept some ideas at least.
So it looks like an eclectic and messed-up dish just because I feed conservators.

>> Well for some people it's just about usability. But an optional option to only do (automatic, not manual like now) recovery by signing w/ a specific addy would be cool.

Yes, it would be nice to have different options for password recovery, tweakable in the profile,
with the safest option on by default.

>> Not storing IPs def will be bad against spam / trolls / etc.

My point was: store IPs and other sensitive info (emails too) in a special separated storage, preferably in the member's browser.
I did not say: "never store IPs!!!"

>> Seriously, "don't use passwords" is easier said than done.

Yes, not easy. But why can't we have a choice: power members can log in with keys, bitcoin addresses, good wishes etc. AND regular members can log in with passwords?!
It can be done for sure.

>> Performance of decentralized forum software at this point will be very shit AFAIK.

The same will be true for Epochtalk, I guess, which is an alpha, unaudited engine.
My point here was: if theymos sticks with traditional approaches,
he will lose the community due to the aftermath of the next hacks, social engineering "accidents" etc.
BTW we are now on a Romania-based hoster.
Are Romanian front desk guys safer when it comes to social engineering than NL-based ones?!

Code:
Summary
IP Address       Root Domain       Hosting Provider
198.251.81.170   bitcointalk.org   FranTech Solutions

Hosting Provider's Detail
Title          Statistics
Country        United States
City           Cheyenne
ISP            FranTech Solutions
Organization   Voxility S.R.L.
legendary
Activity: 1876
Merit: 1289
DiceSites.com owner
May 27, 2015, 04:43:18 AM
#40
i) invest in decentralised forum software, or some day such forum engine will become reality,
 but not under his control, written by other guys. Community will switch to it after next couple of hacks here. Theymos must be smart and proactive
Performance of decentralized forum software at this point will be very shit AFAIK. And usability probably bad too (gotta download a client?)

ii) make sure to have auth of members without passwords ( maybe with bitcoin keys or other virtual identities ).
You want people to sign a message with a bitcoin address every time they login?

Seriously, "don't use passwords" is easier said than done. Login with Trezor Connect would be cool though. And 2FA should obviously be an option.

iii) never store hashes and IPs in Internet-hosted DB.
Not storing IPs def will be bad against spam / trolls / etc.

iiii) abolish email usage for passwords' recovery ( there are safer means of communication ).
Well, for some people it's just about usability. But an option to only do (automatic, not manual like now) recovery by signing with a specific address would be cool.

If Bitcointalk stays centralised, what will happen when the next bubble of greater adoption arrives??
How many members can 1 forum engine (SMF or Epochtalk) bear??
Are you telling me decentralization is better for scalability/performance at this point? Def not. Also interesting you are first for keeping IPs private but now you want a P2P forum?

Not disagreeing with all points, but some things are easier said than done.
full member
Activity: 238
Merit: 100
May 27, 2015, 04:19:21 AM
#39
Of course I was joking about a dedicated server in the basement.
Such a setup will likely have issues with load balancing and connection speed.
Also it will still be a centralised service.

If theymos wants to save his income and keep the community here,
he should:

i) invest in decentralised forum software, or some day such forum engine will become reality,
 but not under his control, written by other guys. Community will switch to it after next couple of hacks here. Theymos must be smart and proactive

ii) make sure to have auth of members without passwords ( maybe with bitcoin keys or other virtual identities ).

iii) never store hashes and IPs in Internet-hosted DB.
     take a look : https://unhosted.org/

iiii) abolish email usage for passwords' recovery ( there are safer means of communication ).

iiiii) drop "security question checking" feature for password recovery.

If Bitcointalk stays centralised, what will happen when the next bubble of greater adoption arrives??
How many members can 1 forum engine (SMF or Epochtalk) bear??

At least theymos should go to several federated servers for forums...
I am not sure what year it is right now for theymos and team?!
Are we really in 2015?!
legendary
Activity: 1484
Merit: 1002
Strange, yet attractive.
May 27, 2015, 03:19:17 AM
#38
If I may, the main problem with security vulnerabilities is our failure to understand that most of them are based on breaking some very simple rules. For instance, anyone who has the ability to physically access my computer is, in theory, able to retrieve ANY password that I have stored inside my web-browser and/or key-chain. You may now be thinking "oh, this is not possible", but please take some time to use some good un-delete software together with a web-browser password retriever utility and most probably you will get the job done in less than 10 mins. Brute forcing is another way, but will take more time.

@Theymos:
It's been some time now that I've thought about the possible attacks this (and similar) sites will get within the next BTC bubble. I expect this will get much worse. Restricting user access via Tor blocking (I know this will hurt me as well, because I'm using Tor from my work to access the site) will definitely rule out some of the most significant attacks. Cloudflare is also a way, but I'd go for a dedicated person(s) service. You can hire one that you trust, most probably near where you live. This would've been the best case scenario I'd choose, if I were you.

Best of luck sorting this out.
full member
Activity: 238
Merit: 100
May 26, 2015, 03:09:36 AM
#37
Time for social engineering to be added as a valid attack?
To kill all "social engineers" theymos must host forums in his basement
 on a dedicated server with fat connectivity.
Problem solved!
vip
Activity: 1302
Merit: 1042
👻
May 25, 2015, 09:49:39 PM
#36
Time for social engineering to be added as a valid attack?
newbie
Activity: 42
Merit: 0
March 25, 2015, 06:40:40 AM
#35
Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?

Thanks !
member
Activity: 84
Merit: 10
November 16, 2014, 12:36:31 PM
#34
The only major flaw in this forum that I can see is that you are using SMF as your forum software. Can't wait until the new platform arrives.
legendary
Activity: 1274
Merit: 1000
★ BitClave ICO: 15/09/17 ★
September 10, 2014, 07:29:46 PM
#33
I've sent a PM to theymos, I hope he doesn't miss it
(it's not a code hack etc.)
administrator
Activity: 3738
Merit: 2948
September 08, 2014, 05:48:01 PM
#32
I was meaning to raise awareness about people using different characters to make their usernames visually similar to some trustworthy members on bitcointalk.
Example: ṣatoshi, theymoṣ, ṫheymos etc.*
Why not limit the charset to UTF-8, and maybe some non-visually interfering symbols?

*As of yet, there aren't any usernames containing the characters and , but I could compile a list of such characters just to show how easy it is to try and register such a username.
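A registration-time check along the lines this post proposes, as an added example (not code from the thread or from SMF): it folds a display name with NFKD decomposition, drops combining marks (which turns ṣ and ṫ back into s and t), maps a small constructed table of Cyrillic and Greek lookalikes to Latin letters, casefolds, and then compares the result against a list of protected names. `LOOKALIKES`, `PROTECTED`, `skeleton`, `collides_with_protected` and `non_ascii_chars` are names assumed for this example, and the lookalike table is deliberately partial; a real deployment would use the Unicode confusables data from UTS #39 instead.

```python
import unicodedata

# Constructed, partial map of common Cyrillic/Greek lookalikes to Latin letters.
# This is an assumption for the example, not the full UTS #39 confusables table.
LOOKALIKES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u04bb": "h",  # Cyrillic small shha
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
}

# Names the check protects; constructed from the post's own examples.
PROTECTED = ["satoshi", "theymos"]


def skeleton(name):
    """Fold a display name to a comparison key.

    NFKD decomposition splits 'ṣ' (U+1E63) into 's' + U+0323 and maps compatibility
    forms such as fullwidth letters to ASCII; combining marks are then dropped, known
    lookalikes are mapped to Latin, and the result is casefolded.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    mapped = "".join(LOOKALIKES.get(ch, ch) for ch in stripped)
    return mapped.casefold()


def collides_with_protected(name, protected=PROTECTED):
    """Return the protected name this display name would be confused with, or None."""
    key = skeleton(name)
    for p in protected:
        if key == skeleton(p):
            return p
    return None


def non_ascii_chars(name):
    """List (char, code point, Unicode name) for every non-ASCII character, for a reviewer."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
        for ch in name
        if ord(ch) > 0x7F
    ]


if __name__ == "__main__":
    for candidate in ["\u1e63atoshi", "theymo\u1e63", "\u1e6bheymos", "s\u0430toshi", "theymos2"]:
        hit = collides_with_protected(candidate)
        print(f"{candidate!r}: skeleton={skeleton(candidate)!r} collides_with={hit!r} "
              f"non_ascii={non_ascii_chars(candidate)}")
```

The fold is intentionally one-directional: it is used only to decide whether a new name is too close to a protected one, never to rewrite what the user typed, so legitimate non-Latin names still register unchanged as long as they do not collapse onto a protected name.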
administrator
Activity: 5166
Merit: 12850
September 08, 2014, 04:54:54 PM
#31
Does changing your display name, or registering a new username with prohibited strings (e.g. Satoshi) count as something that would receive a bounty?

It's not covered in this bounty, but I'd probably pay a little for info about some bugs of that sort. Some things (like various ways to visually defeat prohibited strings) are known bugs that aren't likely to be fixed.
vip
Activity: 1302
Merit: 1042
👻
September 08, 2014, 05:54:04 AM
#30
Does changing your display name, or registering a new username with prohibited strings (e.g. Satoshi) count as something that would receive a bounty?
vip
Activity: 1302
Merit: 1042
👻
September 08, 2014, 05:53:06 AM
#29
Does this count as an exploit?
<----- it has nothing to do with security but still...
Edit: it got fixed. Got 0.03 btc for it.
What was it? Unicode control codes?
hero member
Activity: 602
Merit: 500
August 12, 2014, 04:31:34 PM
#28
So should we test this on the actual website, or should I test for vulnerabilities on a local host and then contact the admin if I find any vulnerabilities in the same version? I don't want to risk getting into trouble testing on this forum in case I get into something I'm not supposed to, unless it's allowed as long as you report it.
legendary
Activity: 1526
Merit: 1001
Crypto since 2014
August 12, 2014, 06:42:00 AM
#27
Does this count as an exploit?
<----- it has nothing to do with security but still...
Edit: it got fixed. Got 0.03 btc for it.
legendary
Activity: 882
Merit: 1000
May 25, 2014, 04:04:54 PM
#26
This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program
If you are finished with this bug bounty program, you can have a look at the 30+ other bug bounty programs that pay Bitcoins. Overview of Bug Bounty Programs for Bitcoins > https://bitcointalksearch.org/topic/overview-of-bug-bounty-programs-for-bitcoins-483195

Neat. Thanks a lot for the link. I'll get a few of my netsec friends to take a look at the list and see if they can find anything. Everything at bitcointalk seems pretty secure from what I've tried so far.
legendary
Activity: 1876
Merit: 1289
DiceSites.com owner
May 25, 2014, 12:12:30 AM
#25
This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program
If you are finished with this bug bounty program, you can have a look at the 30+ other bug bounty programs that pay Bitcoins. Overview of Bug Bounty Programs for Bitcoins > https://bitcointalksearch.org/topic/overview-of-bug-bounty-programs-for-bitcoins-483195
legendary
Activity: 882
Merit: 1000
May 24, 2014, 12:50:54 AM
#24
This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program
member
Activity: 66
Merit: 10
March 22, 2014, 08:25:12 AM
#23
If I find anything I will surely tell you about it.
Good luck, and hopefully there aren't many vulnerabilities.
sr. member
Activity: 350
Merit: 251
March 13, 2014, 08:41:29 AM
#22
Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?
full member
Activity: 126
Merit: 100
CAUTION: Angry Man with Attitude.
February 02, 2014, 04:41:34 PM
#21
Hmm, JavaScript? Exploits,
legendary
Activity: 2590
Merit: 2154
Welcome to the SaltySpitoon, how Tough are ya?
January 12, 2014, 10:43:00 AM
#20
If I were you I would pay someone to code a new forum from zero, then transfer everything; this way you would not have to worry and spend too much on flaws.

That is already in progress, however after the new forum is done, it will most likely be months before it goes public. Then we have to find all of the flaws in the new version, that we may have already found in the older version.
sr. member
Activity: 266
Merit: 250
January 07, 2014, 08:27:19 AM
#19
If I were you I would pay someone to code a new forum from zero, then transfer everything; this way you would not have to worry and spend too much on flaws.
newbie
Activity: 21
Merit: 0
December 04, 2013, 06:35:40 PM
#18
Just thought I would leave this here so that security researchers know that the bounty isn't only limited to bugs in SMF or the server:

Quote from: theymos on reddit
If you can cause serious damage to the forum with any sort of bug, and you responsibly disclose this bug, you will be given a lot of money.

BTW, I've contacted you about payment for the vulnerability I disclosed a few weeks back.
newbie
Activity: 13
Merit: 0
November 26, 2013, 05:49:51 PM
#17
good job using a password manager, theymos.
I agree with you.
member
Activity: 102
Merit: 10
Crypto Pros
November 15, 2013, 11:46:15 AM
#16
good job using a password manager, theymos.
administrator
Activity: 5166
Merit: 12850
November 10, 2013, 01:41:06 AM
#15
If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?

Just yours so far. (A CSRF.)
legendary
Activity: 1246
Merit: 1076
November 10, 2013, 12:43:42 AM
#14
If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?
hero member
Activity: 938
Merit: 1009
October 31, 2013, 04:37:07 AM
#13
But you are aware about the SOL-Injection vulnerability that is still wide open?

The fact that you confuse O and Q is not helping your case. These two letters aren't even close to each other on the keyboard.

They are in fact right next to each other. On a Dvorak keyboard.
legendary
Activity: 1246
Merit: 1076
October 27, 2013, 11:32:01 AM
#12
But you are aware about the SOL-Injection vulnerability that is still wide open?

The fact that you confuse O and Q is not helping your case. These two letters aren't even close to each other on the keyboard.
hero member
Activity: 588
Merit: 500
October 17, 2013, 10:10:05 PM
#11
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

I was paid for this by July 10, 2012, and the price of Bitcoin at the end of that day was $7.20. That day, gold closed at $1587.30. This makes this, at the time, about 0.181 ounces of gold.

Though, it all went to Mt. Gox at about $12/BTC... Oh, hindsight.
hero member
Activity: 896
Merit: 532
Former curator of The Bitcoin Museum
October 17, 2013, 04:33:09 AM
#10
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

You got lucky.

I think word will get out and you'll have hackers everywhere looking for exploits.  Security holes will get plugged faster than wet cement slipping through pantyhose.

Your effort to improve the forum (although a little late) is appreciated. Smiley
legendary
Activity: 3472
Merit: 1721
October 16, 2013, 02:34:23 PM
#9
So does this mean that everybody can now freely try to crack your site without fear of being busted: "No, I was not hacking, I was just trying to gain the bounty!"?

So? So long as they don't exploit the vulnerabilities they find in a way that could harm the forum or its users, I think theymos will be happy to make the forums more secure.

It is also in their interest to eliminate or minimize the impact of their exploiting of the site because if it causes "substantial disruptions" the reward they will get will be considerably smaller.

I don't think I'll find anything but I'll try my luck in 4-5 weeks when I should have a lot more time than now.

@theymos

I mentioned it on IRC when the site was down and know it can be a problem for you, but if you find some time in the near future, please consider releasing the full code and configuration that's behind bitcointalk.org with the sensitive information removed.

edit: hopefully SMF would give their consent to this
http://www.simplemachines.org/about/smf/license.php
donator
Activity: 1419
Merit: 1015
October 15, 2013, 01:08:31 PM
#8
I see what this is about now.  There was a buttcoin.org article making fun of Thermos for not using Cloudflare so now you guys have to come up with reasons why it wasn't done. 

You're overvaluing flippant criticism of the forum by folks that know no details surrounding the hack yet think throwing out buzzwords or the "latest tech terms" are the equivalent of Maslow's hammer. Cloudflare's anti-hacking filters would have done nothing to protect from this. There is maybe once or twice in the past where using Cloudflare would have prevented previous DDoS attacks, but that's about it. BarbarianBob identified a specific weakness and came up with a novel way to exploit it. There isn't some automated tool to prevent this.

Quote
then a self-signed certificate where the warning box pops up is the way to go.

If it's self-signed then you're completely subjected to a MitM attack. You could install the certificate manually, but you'd still have to first get it through a trustable transfer mechanism. This is almost too silly of a recommendation to even comment on; I honestly can't tell if you are trolling or just so wrapped up in wanting to help that you're throwing out buzzwords as possible recommendations.

In order to help me determine your purpose, maybe you can answer a question. What was the point of going through and replacing most of the text in your previous posts this year with ".."?
hero member
Activity: 938
Merit: 1009
October 14, 2013, 10:09:12 AM
#7
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.
administrator
Activity: 5166
Merit: 12850
October 14, 2013, 08:55:42 AM
#6
BTW - How come it is alright that Geotrust has the key? These Geotrust rapid SSL certs are about $10/year. They don't have access to the traffic like Cloudflare would, but still. I assume that is all you can get since the true owners are not in the whois records and a legitimate SSL cert would never have been issued, since one of the purposes is to verify the ownership of the web site.

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.
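The last sentence of that reply, that a user who pays attention can notice a certificate change, is the basis of trust-on-first-use pinning. The following is an added example, not code from the thread or from the forum's software: it records the SHA-256 fingerprint of the leaf certificate a host presented and reports any later change rather than silently accepting whatever a trusted CA signed. The certificate bytes are constructed placeholders; in real use they would come from `ssl.SSLSocket.getpeercert(binary_form=True)`, and the `PinStore` class and its method names are this example's own.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded leaf certificates (not real X.509 data).
# In practice the bytes come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_FIRST_SEEN = b"-- constructed DER bytes: leaf cert for bitcointalk.org, issued by CA A --"
CERT_ROTATED = b"-- constructed DER bytes: leaf cert for bitcointalk.org, issued by CA B --"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the value browsers show in the cert viewer."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store (hypothetical helper): remembers the fingerprint(s)
    seen for each host and reports a change instead of accepting it silently."""

    def __init__(self):
        self._pins = {}  # host -> set of accepted hex fingerprints

    def load(self, text: str) -> None:
        """Restore a store previously serialised with dump()."""
        self._pins = {host: set(fps) for host, fps in json.loads(text).items()}

    def dump(self) -> str:
        """Serialise the store so it survives between sessions."""
        return json.dumps({host: sorted(fps) for host, fps in self._pins.items()})

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'first-seen' (pin recorded), 'match' (known cert) or 'CHANGED'.

        A 'CHANGED' result is the signal a user should investigate: a planned
        rotation by the operator looks the same as a certificate mis-issued by
        any other trusted CA, and only out-of-band confirmation tells them apart.
        """
        fp = fingerprint(der_cert)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = {fp}
            return "first-seen"
        if any(hmac.compare_digest(fp, k) for k in known):
            return "match"
        return "CHANGED"

    def accept(self, host: str, der_cert: bytes) -> None:
        """Record an operator-confirmed rotation so the new cert is trusted too."""
        self._pins.setdefault(host, set()).add(fingerprint(der_cert))


if __name__ == "__main__":
    store = PinStore()
    print(store.check("bitcointalk.org", CERT_FIRST_SEEN))  # first-seen
    print(store.check("bitcointalk.org", CERT_ROTATED))     # CHANGED
```

Keeping a set of fingerprints per host rather than a single value lets a confirmed rotation overlap with the old certificate, which is how real pinning deployments avoid locking users out during a renewal.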
administrator
Activity: 5166
Merit: 12850
October 13, 2013, 10:15:23 PM
#5
I know the main vulnerability, it is that you are unprofessional in operating the system and you are too cheap to do things right.

This is probably the highest security bounty of any forum. It's only a little less than Google's security bounties. After this attack, the forum spent over 100 BTC on security-related stuff. Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Contrary to common belief, there is no magic wishing well into which you can throw money and instantly get good results. Often, it's better not to spend money, especially when growth is not the forum's main goal. You always seem to want me to spend thousands of bitcoins as quickly as possible. This would be a great way for the forum to lose a lot of its money without gaining much value in return.

If you don't like how I spend the forum's money, you can:
- Use reasonable arguments (not just trollish demands/complaints) to try and convince me; or
- Create your own organization, generate 6000+ BTC (mostly not from donations), and try some alternative strategy.

I already explained to you that you need to start by using a reverse proxy service such as Cloudflare. They have settings that will stop some exploits before they ever reach the server and they have custom settings to block various exploits. $200/month.

No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped. Same for any automatic exploit detection based on patterns. Unless DoS attacks get really bad, I won't be willing to give up control of the forum's HTTPS keys.
vip
Activity: 1302
Merit: 1042
👻
October 13, 2013, 09:28:55 PM
#4
I know the main vulnerability, it is that you are unprofessional in operating the system and you are too cheap to do things right.  

I already explained to you that you need to start by using a reverse proxy service such as Cloudflare. They have settings that will stop some exploits before they ever reach the server and they have custom settings to block various exploits. $200/month.

The next thing you need to do is take some training so you know what to ask. For instance, you confuse "vulnerability" and "exploit" and you use them interchangeably when they are not. A "vulnerability" is a configuration on your server that can be exploited. An exploit is something that is done to attack a vulnerability. A vulnerability can have many exploits. Try an Ethical Hacking class and get a CISSP certification.

In other words, give Cloudflare the ability to MITM. Reverse proxy services should be seen as a last resort, and all Cloudflare's WAF will do is stop basic SQL injection, XSS, etc.
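Both replies above make the same point: a proxy-side pattern filter catches the shapes someone thought to list, while the fix that makes the class of bug go away lives in the application. The following is an added example, not code from the thread or from the forum's software, that puts the two side by side on a constructed in-memory table: a toy signature list standing in for a WAF rule, a lookup that builds SQL by string concatenation, and the same lookup with a bound parameter. The table contents, the signature patterns and the function names are this example's own.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a forum's member table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("carol", "carol@example.invalid")],
    )
    return db


# Toy stand-in for a proxy-side WAF rule: a blocklist of request patterns.
# It can only recognise shapes that were written down in advance.
WAF_SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (r"'\s*or\s+", r"union\s+select", r"--")
]


def waf_blocks(value: str) -> bool:
    """True if the request value trips one of the listed signatures."""
    return any(sig.search(value) for sig in WAF_SIGNATURES)


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """The 'before' form: SQL assembled by concatenation, so the input is
    parsed as SQL. A quote in the value changes the query's meaning."""
    sql = "SELECT email FROM members WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, name: str) -> list:
    """The fixed form: the driver sends the value as data, never as SQL text,
    so the query is correct for any input without a request filter in front."""
    rows = db.execute("SELECT email FROM members WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    textbook = "x' OR 'a'='a"          # the classic tautology from every SQLi tutorial
    print(waf_blocks(textbook))                      # True: the signature sees it
    print(lookup_vulnerable(db, textbook))           # every email, if the filter is absent
    print(lookup_parameterized(db, textbook))        # [] with or without the filter
```

The point the example makes is about layering: the filter is a mitigation that depends on its signature list, whereas the parameterized query is correct regardless of what reaches it, so the proxy-side rule adds nothing once the application is fixed.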
administrator
Activity: 5166
Merit: 12850
October 13, 2013, 08:12:21 PM
#3
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.

I prefer not to denominate values in any single country's currency here, but BTC is too unstable. XAU is pretty stable.
legendary
Activity: 1246
Merit: 1076
October 13, 2013, 07:57:21 PM
#2
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
administrator
Activity: 5166
Merit: 12850
October 12, 2013, 01:09:00 PM
#1
Bitcointalk.org offers large security bounties. See: https://bitcointalk.org/sbounties.php