1) Can you already rule out that the same (or similar) attack can be mounted again?
2) Can you already rule out conclusively that no lasting damage was done (as in: according to the pre-attack ownership situation)? Any chance that some subtle damage was done that'll be discovered only later?
I'll answer both at the same time. This particular attack can't be mounted again. We haven't pushed out the official fix yet, but exploiting it requires growing the block sizes, which takes time. We'd never let that happen. The full fix will be out soon. This hole is plugged.
Any software can have vulnerabilities and exploits. This is exacerbated by the fact that we got the code from a bunch of lying scammers who despite that character flaw, happen to have some talent when it comes to cryptography and to a lesser extent coding. We are reviewing the code and paying qualified people to review the code in order to identify and correct problems to the greatest extent possible. Further, we will be restructuring, refactoring, and/or replacing some of the code in order to further increase its robustness and trustworthiness (removing obfuscation for example).
I think you need to take a break. You are unintentionally saying stupid things.
This particular attack can't be mounted again.
Implies - so other attacks are still possible?
Any software can have vulnerabilities and exploits.
Implies - don't trust Monero with your anonymity just yet.
we got the code from a bunch of lying scammers who despite that character flaw, happen to have some talent when it comes to cryptography and to a lesser extent coding.
Where do you start with this statement?
Implies
- We didn't have the technical skill in the first place, so we are just using anything we could find
- Quality assurance in the code was never a priority
We are reviewing the code and paying qualified people to review the code in order to identify and correct problems
Implies - We haven't got a clue. So we are paying for temporary help.
Get some sleep. For investors, this sort of loose talk, from someone that is an established part of the team, gives zero confidence in the project.
This isn't stupid at all - he's being accurate. If you heard someone from the dev team saying anything except what smooth just posted, you should be running.
Yes, of course there are other attacks that can, and, if the coin continues to be successful, will be mounted against Monero and the other cryptonote coins. It's a new codebase, and it was inherited from an unknown set of developers whose motivations, competence, and trustworthiness are unknown.
If you're buying Monero or any other coin based on the codebase, you'd damn well better be doing it with your eyes open: These coins are new. They're not based on a fork of the bitcoin codebase. They're different, and they come with all sorts of attendant risks of bugs and vulnerabilities. That's also part of what makes them interesting, and not just a blah-blah "i cp'd bitcoin and tweaked a parameter".
Don't rail at the developers for being honest with you. Thank them for assuming you're adult enough to deal with reality, and thank them for not misrepresenting what they're working on.
You're criticizing the developers for bringing in external expertise? Give me a break. Taking over a foreign codebase that's got interesting cryptography and implements a distributed system is hard.
As I said about an earlier Monero bug:
https://bitcointalksearch.org/topic/m.7988816
the test is how the team responds, whether they're able to identify and fix the bug, and whether the quality of the code and the process for preventing bugs improves over time.
So I have a very concrete suggestion for you: Shut up for a moment. Give all of the devs involved a day or two to recover from what must have been an annoying and stressful bug hunt. And then ask *politely* if they'll include in the next Missives a summary of the things they're doing to improve the codebase and the development process for the coin, such as progress on regression testing and the ability to do things on testnets, elimination of buggy coding patterns, etc. See what's been changed, if anything, from the previous bugs, and if there's improvement going on, and then decide for yourself whether the trajectory is good or not.