From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id ABDA5900 for ; Tue, 12 Sep 2017 05:18:16 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-io0-f177.google.com (mail-io0-f177.google.com [209.85.223.177]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1A7FAE0 for ; Tue, 12 Sep 2017 05:18:16 +0000 (UTC) Received: by mail-io0-f177.google.com with SMTP id d16so39783409ioj.3 for ; Mon, 11 Sep 2017 22:18:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=3yj9tNzhlRLWvohG5tKAPbkGAwP9dpqJamuEEWPRkcs=; b=T4gMU2SN/f/TsiZuenWAzGUOX2HgzGnS+mKW+QilIWP360VmEWHyGQlkZF0wJfN1I2 aGrXO2nAYiI8DGKjxsjwwG/f5Z6wKgR+GZz66Ft+Cy6R/asYSMmKdiAkfK7koXPOvG6E upt0T+bIe7Epay6w+ZWlqdOC2GxoJY1mkRqbCaY8aFq8jYVVkWdfRLA/HPM7HW3J903i iQHQ4/DiKspXp4+K5NQdxkF96EwwLXoUg2T+FLB/feNDGIvcM3SO03S4/H99y8qXNvuj CDB7lO1UrCHe9UPO/IVlFSUIEVzbNYHKEK03G8clYSUqKYb/18giPr/QsL4dx/eCXy+g zGlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=3yj9tNzhlRLWvohG5tKAPbkGAwP9dpqJamuEEWPRkcs=; b=FufK8/i4mXjJLNMIDLjb2pk23L9i1v9qG1JfX7++Ws75n2SdAl4FaC/vfrY45t80HJ 6JagcoUtOG8rsaHQvYJYp5ulFHnu7jmEdFxonYuyzaJwWZbGiu9dEJBsB/E54aZKf0bD aftCW2P+Y2pz3p1HmXptuEJ7MZftLGci3MnKAsR82BRWOcPhrt4Momac274V0afucIXJ /Sq7QP73dwjj0KFU+QZg99pYkh3lZj3A3abK5T5a4GVK9ztTR/wsrpT+2LzvELHC6DF1 AqsgptbwlTIB9LSpKgWw6fnt409hdNwOs6OhCiERMTax8Dd9jNn68+jFZwS6t88AvSAh 6KEg== X-Gm-Message-State: AHPjjUihQUWWH5jgE0uspUY6B1+rkM187h5CFu6qCWpHV4zxMCzN0+rl dHjynY1IY3/SOT8xOXJPTcVD3OlqgQ== X-Google-Smtp-Source: AOwi7QC+/cSHp0pCZ1vzzk3LGcvrBSCUSpzDiO5YPTSOR5PAHDObdwwjmnH/vos/0GBnoHQIoPEcby5O7BwdgIF7g+c= X-Received: by 10.202.207.81 with SMTP id f78mr14448806oig.162.1505193495369; Mon, 11 Sep 2017 22:18:15 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.17.197 with HTTP; Mon, 11 Sep 2017 22:18:14 -0700 (PDT) In-Reply-To: <20170912033703.GD19080@erisian.com.au> References: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com> <20170911021506.GA19080@erisian.com.au> <20170912033703.GD19080@erisian.com.au> From: Bryan Bishop Date: Tue, 12 Sep 2017 00:18:14 -0500 Message-ID: To: Anthony Towns , Bitcoin Protocol Discussion , Bryan Bishop Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Responsible disclosure of bugs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Sep 2017 05:18:16 -0000 On Mon, Sep 11, 2017 at 10:37 PM, Anthony Towns via bitcoin-dev wrote: > All of those things seem like they'd help not just altcoins but bitcoin > investors/traders too, so it's not even a trade-off between classes of > bitcoin core users. And if in the end various altcoins aren't able to > keep up with security fixes, that's probably valuable information to > provide to the market... I have a reply to your point, but I want to clarify first that I am not trying to provide any sort of criticism of your character, and to any extent that my text is misinterpreted that way, that's entirely my fault here. Anyway, here goes. It's not enough to defend bitcoin and its users from active threats, there is a more general responsibility to defend all kinds of users and different software from many kinds of threats in whatever forms, even if folks are using stupid and insecure software that you personally don't maintain or contribute to or advocate for. Handling knowledge of a vulnerability is a delicate matter and you might be receiving knowledge with more serious direct or indirect impact than originally described. Besides the moral and ethical reasons to not unduly accelerate the exploitation of a vulnerability, there is also a reputational standpoint to consider, in that your position that your own (security) work is credible is actually harmed by showing negative care for other works by being first to publish either insecure software or knowledge of a vulnerability. And sometimes the opposite is true: by not disclosing knowledge of how a design is broken to someone inviting its review, you're showing negative care in that way too, such as by unintentionally encouraging the implementation of really bad ideas or entirely novel misunderstandings of what you once thought were clear concepts. So there is a difficult path to walk and especially in security not all may be as it seems; caution is highly recommended. Yes it would be good for "the market" to "get the signal" that altcoins are insecure, and that some altcoin vendors are literally and actively malicious entities, but I think everyone needs to take a step back here and very carefully consider the color of their hats, including those who advocate in the name of insecure downstream/forked software. The downside of the approach I've advocated for is that it requires knowledge, thinking and outsmarting the red teams; I am certainly aware of the allure of the approaches that involve absolutist statements like "anything weak [including bitcoin if it does have weaknesses] deserves to die and be actively exploited" but it's not something I am interested in espousing...nor do I think it would be healthy for this community to internalize that perspective. Instead we should continue to work on highly defensible software, and keep vigilant in regards to security. In "the [civilized] garden" I would expect there to be a general understanding that people collaborate and work together to build highly defensible evolving systems even if there exists knowledge of vulnerabilities. But we shouldn't be surprised when we don't go out of our way to contribute to alternative/parasitic systems... and we shouldn't be encouraging each other to actively bring about the eschaton by way of mishandling knowledge of vulnerabilities... I know these issues are difficult to get a handle on. Hopefully I've provided some useful perspective. - Bryan http://heybryan.org/ 1 512 203 0507