[XMR] Monero - A secure, private, untraceable cryptocurrency - page 704.

dEBRUYNE

legendary

Activity: 2268

Merit: 1141

Quote from: Hueristic on January 15, 2016, 11:01:58 PM

Quote from: wpalczynski on January 15, 2016, 04:44:45 PM

...
If you can round up such people I am sure the dev team would be more than willing to accommodate their "testing/hacking" of testnet versions before release. Do you know such volunteers that would do it for the accolades?

Possibly, I don't doubt a thread looking for a security position on the team would not go unfilled. Maybe we should ask BTCExpress?

Quote from: fluffypony on January 15, 2016, 05:52:26 PM

...
I look forward to your first pull request, and thanks for offering to help!

Nice to see you back in the thread, been awhile. I know it's frustrating after all the work you guys put in but this edge case seems so basic. I'm guessing you guys don't have someone that's position is Project Manager? I can see how many people working on various parts of a project can allow these things to slip through but this is not a website we are talking about where people are buying tic-tacs. This has been in the works and delayed for quite awhile and the reason for that was because Of the testing going on, correct? AFA helping, well that's not possible, 20 years ago yes but not these days unfortunately. Could you answer my question on which devs are actively participating in the project currently?

BTW, does anyone have that link for voting on craptsy? I think it's about time we got added right?

Ohh and good job on the quick response guys.

We got added a while ago lol -> https://www.cryptsy.com/markets/view/XMR_BTC

Also, as a general remark to your post, bear in mind that most people working on Monero are merely volunteers and got day jobs, and/or companies to run as well. Therefore, their time is mostly limited. On top of that, resources are kind of limited.

Hueristic

legendary

Activity: 3836

Merit: 4969

Doomed to see the future and unable to prevent it

Quote from: wpalczynski on January 15, 2016, 04:44:45 PM

...
If you can round up such people I am sure the dev team would be more than willing to accommodate their "testing/hacking" of testnet versions before release. Do you know such volunteers that would do it for the accolades?

Possibly, I don't doubt a thread looking for a security position on the team would not go unfilled. Maybe we should ask BTCExpress?

Quote from: fluffypony on January 15, 2016, 05:52:26 PM

...
I look forward to your first pull request, and thanks for offering to help!

Nice to see you back in the thread, been awhile. I know it's frustrating after all the work you guys put in but this edge case seems so basic. I'm guessing you guys don't have someone that's position is Project Manager? I can see how many people working on various parts of a project can allow these things to slip through but this is not a website we are talking about where people are buying tic-tacs. This has been in the works and delayed for quite awhile and the reason for that was because Of the testing going on, correct? AFA helping, well that's not possible, 20 years ago yes but not these days unfortunately. Could you answer my question on which devs are actively participating in the project currently?

BTW, does anyone have that link for voting on craptsy? I think it's about time we got added right?

Ohh and good job on the quick response guys.

Drhiggins

sr. member

Activity: 306

Merit: 251

Thanks for the fast fix. Updated here.

fluffypony

donator

Activity: 1274

Merit: 1060

GetMonero.org / MyMonero.com

Quote from: Hueristic on January 15, 2016, 12:27:30 PM

After all this time on testnet I'm surprised to hear this, isn't there anyone on the team adept at at debugging and exploit testing?
Does anyone actually have a position that actively attack testnet before release? If not there are those out there that relish in this and do it for the accolades.
Not trying to be insulting hear as I know how hard you guys work on this but alpha/beta stages are there for a reason and really this is a simple expliot that should have been on the first error checks before release. I wish I it was 16 years ago, as I would have jumped on this just for the lulz.

Also are all the devs listed active? Did they all check this prior to release? What is the list that signed off on this?

We have a pretty comprehensive test suite, and this was an oversight in the tests - we missed adding one for this edge-case.

As always, this is an open-source project, feel free to submit a pull-request to expand the unit tests and core tests.

To get you started, here are all the unit tests: https://github.com/monero-project/bitmonero/tree/master/tests/unit_tests

And here are the hard fork unit tests we've created: https://github.com/monero-project/bitmonero/blob/master/tests/unit_tests/hardfork.cpp

I look forward to your first pull request, and thanks for offering to help!

wpalczynski

legendary

Activity: 1456

Merit: 1000

Quote from: Hueristic on January 15, 2016, 12:27:30 PM

Quote from: fluffypony on January 15, 2016, 08:04:23 AM

NB: https://forum.getmonero.org/1/news-announcements-and-editorials/2452/monero-network-malicious-fork-from-block-913193-updates-and-resolution

From that post (which will be kept updated) -

Hi all,

The Monero network was (once again) the subject of an attack. Due to an error during the development of 0.9, Hydrogen Helix, we omitted a check that allowed for v2 blocks to be added to the network prior to the hard fork block height. Thus instead of forking on March 20, at block height 1009827, a v2 block was added to the network at block height 913193.

This is obviously problematic as not all services have updated to 0.9, and the bulk of the network hash rate is still on 0.8.x. We are preparing a point release to 0.9 that resolves this, but in the meantime only if you are running 0.9 you can do the following as a quick patch:

Shut down your Monero daemon
Grab a checkpoints.json file from getmonero: https://downloads.getmonero.org/checkpoints.json
Put the file in your bitmonero working directory (eg. ~/.bitmonero or C:\ProgramData\bitmonero)
Restart the daemon
As soon as the patched point release is out you can remove the checkpoints.json file, if you wish, and run the updated version. The checkpoints.json patch is a quick fix and does not prevent the attacker from replaying their attack at a later block.

After all this time on testnet I'm surprised to hear this, isn't there anyone on the team adept at at debugging and exploit testing?
Does anyone actually have a position that actively attack testnet before release? If not there are those out there that relish in this and do it for the accolades.
Not trying to be insulting hear as I know how hard you guys work on this but alpha/beta stages are there for a reason and really this is a simple expliot that should have been on the first error checks before release. I wish I it was 16 years ago, as I would have jumped on this just for the lulz.

Also are all the devs listed active? Did they all check this prior to release? What is the list that signed off on this?

If you can round up such people I am sure the dev team would be more than willing to accommodate their "testing/hacking" of testnet versions before release. Do you know such volunteers that would do it for the accolades?

medusa13

sr. member

Activity: 453

Merit: 500

hello world

thanks for the fix. my node was stuck too.
give it some time, network will recover fast.

no matter how good the devs are, bugs will happen. i can imagine how it happend.

if you forget something you forget something..if you are unlucky, it was something important.

also i think its important to mention one of the testing principles here: testing can only show the presence of bugs, but never proove their absence

so the right amount of testing is always hard to find.

but i agree, its a mistake in a place where there definetely should not be one.

digicoin

legendary

Activity: 1106

Merit: 1000

Nice. Thanks. Upgraded

dEBRUYNE

legendary

Activity: 2268

Merit: 1141

** IMPORTANT **

Everyone that is running 0.9 needs to mandatory upgrade to 0.9.1!!

https://github.com/monero-project/bitmonero/releases/tag/v0.9.1

Again, mandatory upgrade for everyone that is running 0.9

This resolves the issues caused by the malicious fork which is described here -> https://forum.getmonero.org/1/news-announcements-and-editorials/2452/monero-network-malicious-fork-from-block-913193-updates-and-resolution

EDIT: All pools listed here seem to be on the correct chain -> https://monerohash.com/#network

binaryFate

legendary

Activity: 1512

Merit: 1012

Still wild and free

Quote from: smooth on January 15, 2016, 01:38:51 PM

The quoting above is misleading.

Sorry, I tried to clarify and messed up. Embarrassed

smooth

legendary

Activity: 2968

Merit: 1198

Quote from: binaryFate on January 15, 2016, 01:37:14 PM

Quote from: smooth on January 15, 2016, 12:41:13 PM

Quote from: primer- on January 15, 2016, 10:36:36 AM

No harm done ? Look at the net hash rate, it has halved...

No apparent connection

Isn't the time window for the complexity small enough that the chain forking in two would have a visible impact on the computed hashrate?
If the miners work equally on each fork forever, the computed hashrate on each side is half of the initial one.

The quoting above is misleading. I was responding to:

Quote

So what, it had just doubled. Although that could have been the attacks. Any dev input on this?

There was no apparent connection to the increase in the hash rate earlier in the week.

binaryFate

legendary

Activity: 1512

Merit: 1012

Still wild and free

Quote from: smooth on January 15, 2016, 12:41:13 PM

Quote from: primer- on January 15, 2016, 10:36:36 AM

No harm done ? Look at the net hash rate, it has halved...

No apparent connection

Isn't the time window for the complexity small enough that the chain forking in two would have a visible impact on the computed hashrate?
If the miners work equally on each fork forever, the computed hashrate on each side is half of the initial one.

boolberry

sr. member

Activity: 378

Merit: 250

Quote from: c789 on January 15, 2016, 01:01:53 PM

I don't know of any major software that doesn't need patches or updates. Look at Bitcoin or Windows for obvious examples. So just because there was an issue is not the big deal since that happens with 99% of software. The main point is that the devs jumped on it quickly, provided a patch, and are continuously providing updates...that should be the focus imho.

Absolutely. If anything the community should have more trust (not less) in the Monero development team after this.

c789

hero member

Activity: 850

Merit: 1000

I don't know of any major software that doesn't need patches or updates. Look at Bitcoin or Windows for obvious examples. So just because there was an issue is not the big deal since that happens with 99% of software. The main point is that the devs jumped on it quickly, provided a patch, and are continuously providing updates...that should be the focus imho.

GingerAle

legendary

Activity: 1260

Merit: 1008

Quote from: Hueristic on January 15, 2016, 12:27:30 PM

Quote from: fluffypony on January 15, 2016, 08:04:23 AM

NB: https://forum.getmonero.org/1/news-announcements-and-editorials/2452/monero-network-malicious-fork-from-block-913193-updates-and-resolution

From that post (which will be kept updated) -

Hi all,

The Monero network was (once again) the subject of an attack. Due to an error during the development of 0.9, Hydrogen Helix, we omitted a check that allowed for v2 blocks to be added to the network prior to the hard fork block height. Thus instead of forking on March 20, at block height 1009827, a v2 block was added to the network at block height 913193.

This is obviously problematic as not all services have updated to 0.9, and the bulk of the network hash rate is still on 0.8.x. We are preparing a point release to 0.9 that resolves this, but in the meantime only if you are running 0.9 you can do the following as a quick patch:

Shut down your Monero daemon
Grab a checkpoints.json file from getmonero: https://downloads.getmonero.org/checkpoints.json
Put the file in your bitmonero working directory (eg. ~/.bitmonero or C:\ProgramData\bitmonero)
Restart the daemon
As soon as the patched point release is out you can remove the checkpoints.json file, if you wish, and run the updated version. The checkpoints.json patch is a quick fix and does not prevent the attacker from replaying their attack at a later block.

After all this time on testnet I'm surprised to hear this, isn't there anyone on the team adept at at debugging and exploit testing?
Does anyone actually have a position that actively attack testnet before release? If not there are those out there that relish in this and do it for the accolades.
Not trying to be insulting hear as I know how hard you guys work on this but alpha/beta stages are there for a reason and really this is a simple expliot that should have been on the first error checks before release. I wish I it was 16 years ago, as I would have jumped on this just for the lulz.

Also are all the devs listed active? Did they all check this prior to release? What is the list that signed off on this?

While I agree with your frustration, I think its continuously important to remember the big 0 in front of the version number of Monero (and hell, of bitcoin). Even at the active on-the-mainchain state, all of this software is beta. (of course, we're at 0.9 now... so, we gonna be seeing a lot more decimals put in? I don't know how versioning works. It always fails me when I write manuscripts).

And having been witness to all of the work that went into 0.9, shits gonna happen and your never going to reach perfection in the lab. And at some point you just push things so they *do* break.

Like I said, this kind of stuff can be frustrating and disappointing... but your other option is to wait for a big 1 to go in front of the version number, when the developers feel that their code is really ready for production.

For instance, if some alien entity came to us and said "hey, we don't use currency, but we kind of like how it helps your civilization work. How can we implement it?" We wouldn't try to "sell" them on our experimental new technology. We'd introduce them to our incredibly arcane (but functioning) central banking system and say "yeah we know it sucks, so we're working on version 2" and then show them cryptocurrencies.

smooth

legendary

Activity: 2968

Merit: 1198

Quote from: primer- on January 15, 2016, 12:39:37 PM

Quote from: smooth on January 15, 2016, 12:38:58 PM

Quote from: primer- on January 15, 2016, 12:32:44 PM

There was no fucking attack, it was just a bug!

Oh really? Where did the version 2 block come from?

Buggy code!

OK, which line?

smooth

legendary

Activity: 2968

Merit: 1198

Quote from: Hueristic on January 15, 2016, 12:31:47 PM

Quote from: primer- on January 15, 2016, 10:36:36 AM

Quote from: binaryFate on January 15, 2016, 10:35:11 AM

Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.

No harm done ? Look at the net hash rate, it has halved...

So what, it had just doubled. Although that could have been the attacks. Any dev input on this?

No apparent connection

Quote

What was the timeframe of the attack?

The block that caused the network to fork was 913193

Quote

This must be why withdrawals are locked on bittrex, are they locked on all exchanges?

We notified exchanges as soon as possible. How they responded is a function of their own operations.

dEBRUYNE

legendary

Activity: 2268

Merit: 1141

Quote from: Hueristic on January 15, 2016, 12:31:47 PM

Quote from: primer- on January 15, 2016, 10:36:36 AM

Quote from: binaryFate on January 15, 2016, 10:35:11 AM

Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.

No harm done ? Look at the net hash rate, it has halved...

So what, it had just doubled. Although that could have been the attacks. Any dev input on this?

What was the timeframe of the attack?

This must be why withdrawals are locked on bittrex, are they locked on all exchanges?

LOL I always buy at the "Interesting" times! Cheesy

Yes, Poloniex' wallet is disabled as well.

boolberry

sr. member

Activity: 378

Merit: 250

Kudos to the Monero development team for being alert and acting quickly to remedy the attack. Just like the fast response to the last major attack in 2014 the development team has proven itself. Thank you for being great stewards for Monero and continuing to improve upon the CryptoNote technology you inherited.

The Monero codebase looks nothing like it did in summer 2014 and that is a good thing. The Monero development team and Monero Research Lab deserve a tremendous amount of recognition for all of their work.

dnaleor

legendary

Activity: 1470

Merit: 1000

Want privacy? Use Monero!

Quote from: primer- on January 15, 2016, 12:32:44 PM

There was no fucking attack, it was just a bug!

It was an attack.

Someone created a block that can't be created by just using the 0.9 client.
So the attacker changed the code of 0.9 a bit so he/she/they was/were able to mine a block that was a v2block in stead of the default v1block.

primer-

legendary

Activity: 1092

Merit: 1000

Quote from: smooth on January 15, 2016, 12:38:58 PM

Quote from: primer- on January 15, 2016, 12:32:44 PM

There was no fucking attack, it was just a bug!

Oh really? Where did the version 2 block come from?

Buggy code!

Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 704. (Read 4670673 times)