From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 52C2EC000D for ; Thu, 30 Sep 2021 20:36:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 2EDB74045F for ; Thu, 30 Sep 2021 20:36:22 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: 0.901 X-Spam-Level: X-Spam-Status: No, score=0.901 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1] autolearn=no autolearn_force=no Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nOIb67fMhBWh for ; Thu, 30 Sep 2021 20:36:21 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) by smtp4.osuosl.org (Postfix) with ESMTPS id D47894045E for ; Thu, 30 Sep 2021 20:36:20 +0000 (UTC) Received: by mail-yb1-xb2c.google.com with SMTP id v10so16012965ybq.7 for ; Thu, 30 Sep 2021 13:36:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=cMDXtyK8bBLO/DhHy9L0mTRgeXqIk4P9Qtt7eI1e6hI=; b=oFy8kgF3E6gj0WatzSM/wrSgfULCBSbbxYNUQurAKctgm8MbDzul6k0kwHczvsauO2 Gh51BGHIdcElTb0YCtilAFRYI7WVyyYrmEBypHRiHJ5S0qcHqJ7oT79W/YyqmZC2lj3s rUXEeCXN9vPeYN/quHBSoFELNe54XWUs0ides9yh1Y2yb6lTrOMvFWyOeuhVxAeNXAmw g4OeVq1cO1pmFxRui3gO9hAyCwYvQmeprKga80ToNhqSfSH8Aq73pvB90j8RTmVATa+5 /TXSfQtXNVw2WLbkssINvqhl4N+6YBD+fuvDRO/3aCH1/DTBLwpzSvw9WY4B+w+vRaXA Pn4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=cMDXtyK8bBLO/DhHy9L0mTRgeXqIk4P9Qtt7eI1e6hI=; b=5Z9Z2R7jbTKkUy70bg8tXD7UEQfPQzWI0nUjavs2gJ0qFHztoK6tevIFSMtcAbqE4w aelbIV2769lCWeVXa7SdC7W8reQ/zUuXj++U4tFbTflDMYmMjXbE2XdwfgF6NQq2kgD2 9icwis9EftuH7UalfCErjRXDhWvxbMEUGpWr+deRH2OD4u/uVZzIM1jjzLV+lchxgLcS Vz0AY6fHiIfxmnylb0AAB1Fw9eTWJCFnLKKu3knLP0To4oDtb9uVq4T2drDXs0k+F8jX J4y+1rqhSIDlgjDiaFcNPgmRy9GWOirIlX13AG2tl4j37BlbyTnbNKhZmki2RadGq/WG W6lw== X-Gm-Message-State: AOAM532wHK615bDy4FH5+qLwBrUqHSmnINMjfIHeYO3unsjrK+h8LBO1 v+b1bXSYB3LnZn+FOubMxd2uD8ekysjSk7/nYwN0gKiitGk= X-Google-Smtp-Source: ABdhPJwiFX7w6Mip5q0CwaqWyNWkD0veogoQwle2TWhlsPg9VFSXqEQ4kqY8L642Z+KbGCF2BR7K0gu86tFlxxE8QhE= X-Received: by 2002:a25:ba83:: with SMTP id s3mr1465989ybg.450.1633034179833; Thu, 30 Sep 2021 13:36:19 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ruben Somsen Date: Thu, 30 Sep 2021 22:36:08 +0200 Message-ID: To: Prayank , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000031f16905cd3c66a4" X-Mailman-Approved-At: Thu, 30 Sep 2021 20:37:55 +0000 Subject: Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Sep 2021 20:36:22 -0000 --00000000000031f16905cd3c66a4 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Prayank, While I can see how this can come from a place of good intentions, I=E2=80= =99d strongly advise you to tread carefully because what you are suggesting is quite controversial. A related event occurred in the Linux community and it did not go over well. See https://lkml.org/lkml/2021/5/5/1244 and https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ . The main point of contention is that your research comes at the expense of the existing open source contributors =E2=80=93 you=E2=80=99d be one-sidedl= y deceiving them, encouraging an environment of increased mistrust, and causing them a lot of work in order to gather the data you=E2=80=99re interested in. For t= his reason, it would be appropriate to check first whether your plan is actually appreciated. Speaking on behalf of the bitcoin-dev moderators, please ensure your plan is welcomed by the contributors, prior to proceeding. Best regards, Ruben Somsen On Tue, Sep 28, 2021 at 10:05 AM Prayank via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Hi ZmnSCPxj, > > Thanks for suggestion about sha256sum. I will share 10 in next few weeks. > This exercise will be done for below projects: > > 1.Two Bitcoin full node implementations (one will be Core) > 2.One Lightning implementation > 3.Bisq > 4.Two Bitcoin libraries > 5.Two Bitcoin wallets > 6.One open source block explorer > 7.One coinjoin implementation > > Feel free to suggest more projects. There are no fixed dates for it > however it will be done in next 6 months. All PRs will be created within = a > span of few days. I will ensure nothing is merged that affects the securi= ty > of any Bitcoin project. Other details and results will be shared once > everything is completed. > > x00 will help me in this exercise, he does penetration testing since few > years and working for a cryptocurrencies derivatives exchange to manage > their security. His twitter account: https://twitter.com/1337in > > > -- > Prayank > > A3B1 E430 2298 178F > > > > Sep 27, 2021, 15:43 by ZmnSCPxj@protonmail.com: > > Good morning Prayank, > > Good morning Bitcoin devs, > > In one of the answers on Bitcoin Stackexchange it was mentioned that some > companies may hire you to introduce backdoors in Bitcoin Core: > https://bitcoin.stackexchange.com/a/108016/ > > While this looked crazy when I first read it, I think preparing for such > things should not be a bad idea. In the comments one link was shared in > which vulnerabilities were almost introduced in Linux: > https://news.ycombinator.com/item?id=3D26887670 > > I was thinking about lot of things in last few days after reading the > comments in that thread. Also tried researching about secure practices in > C++ etc. I was planning something which I can do alone but don't want to > end up being called "bad actor" later so wanted to get some feedback on > this idea: > > 1.Create new GitHub accounts for this exercise > 2.Study issues in different important Bitcoin projects including Bitcoin > Core, LND, Libraries, Bisq, Wallets etc. > 3.Prepare pull requests to introduce some vulnerability by fixing one of > these issues > 4.See how maintainers and reviewers respond to this and document it > 5.Share results here after few days > > Let me know if this looks okay or there are better ways to do this. > > > > This seems like a good exercise. > > You may want to hash the name of the new Github account, plus some > randomized salt, and post it here as well, then reveal it later (i.e. > standard precommitment). > e.g. > > printf 'MyBitcoinHackingName > 2c3e911b3ff1f04083c5b95a7d323fd4ed8e06d17802b2aac4da622def29dbb0' | > sha256sum > f0abb10ae3eca24f093a9d53e21ee384abb4d07b01f6145ba2b447da4ab693ef > > Obviously do not share the actual name, just the sha256sum output, and > store how you got the sha256sum elsewhere in triplicate. > > (to easily get a random 256-bit hex salt like the `2c3e...` above: `head > -c32 /dev/random | sha256sum`; you *could* use `xxd` but `sha256sum` > produces a single hex string you can easily double-click and copy-paste > elsewhere, assuming you are human just like I am (note: I am definitely > 100% human and not some kind of AI with plans to take over the world).) > > Though you may need to be careful of timing (i.e. the creation date of th= e > Github account would be fairly close to, and probably before, when you po= st > the commitment here). > > You could argue that the commitment is a "show of good faith" that you > will reveal later. > > Regards, > ZmnSCPxj > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000031f16905cd3c66a4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Prayank,

While I can see how this can come from = a place of good intentions, I=E2=80=99d strongly advise you to tread carefu= lly because what you are suggesting is quite controversial. A related event= occurred in the Linux community and it did not go over well. See https://lkml.org/lkml/2021/5/5/124= 4 and https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.c= om/ .

The main point of contention is that your research c= omes at the expense of the existing open source contributors =E2=80=93 you= =E2=80=99d be one-sidedly deceiving them, encouraging an environment of inc= reased mistrust, and causing them a lot of work in order to gather the data= you=E2=80=99re interested in. For this reason, it would be appropriate to = check first whether your plan is actually appreciated.

Speaking on b= ehalf of the bitcoin-dev moderators, please ensure your plan is welcomed by= the contributors, prior to proceeding.

Best regards,
Ruben Somse= n

On Tue, Sep 28, 2021 at 10:05 AM Prayank via bitcoin-dev &= lt;bitcoin-dev@lis= ts.linuxfoundation.org> wrote:
=20 =20 =20
Hi ZmnSCPxj,

Th= anks for suggestion about sha256sum. I will share 10 in next few weeks. Thi= s exercise will be done for below projects:

=
1.Two Bitcoin full node implementations (one will b= e Core)
2.One Lightning implementation
=
3.Bisq
4.Two Bitcoin libraries=
5.Two Bitcoin wallets
6.= One open source block explorer
7.One coinjoi= n implementation

Fee= l free to suggest more projects. There are no fixed dates for it however=20 it will be done in next 6 months. All PRs will be created within a span=20 of few days. I will ensure nothing is merged that affects the security=20 of any Bitcoin project. Other details and results will be shared once=20 everything is completed.

x00 will help me in this exercise, he does penetration testing since few=20 years and working for a cryptocurrencies derivatives exchange to manage=20 their security. His twitter account: https://twitter.com/1337in

<= div dir=3D"auto">
--
Prayank
A3B1 E430 2298 178F

<= br>

Sep 27, 2021, 15:43 by ZmnSCPxj@protonmail.com:
Good morning Prayank,
G= ood morning Bitcoin devs,

In one of the answer= s on Bitcoin Stackexchange it was mentioned that some companies may hire yo= u to introduce backdoors in Bitcoin Core: https://bitcoin.stackexchange.com/= a/108016/

While this looked crazy when I f= irst read it, I think preparing for such things should not be a bad idea. I= n the comments one link was shared in which vulnerabilities were almost int= roduced in Linux: https://news.ycombinator.com/item?id=3D26887670

I was thinking about lot of things in last few d= ays after reading the comments in that thread. Also tried researching about= secure practices in C++ etc. I was planning something which I can do alone= but don't want to end up being called "bad actor" later so w= anted to get some feedback on this idea:

1.Cre= ate new GitHub accounts for this exercise
2.Study issues in d= ifferent important Bitcoin projects including Bitcoin Core, LND, Libraries,= Bisq, Wallets etc.
3.Prepare pull requests to introduce some= vulnerability by fixing one of these issues
4.See how mainta= iners and reviewers respond to this and document it
5.Share r= esults here after few days

Let me know if this= looks okay or there are better ways to do this.


This seems like a good exercise.

You may want to hash the name of the new Github account, = plus some randomized salt, and post it here as well, then reveal it later (= i.e. standard precommitment).
e.g.

printf 'MyBitcoinHackingName 2c3e911b3ff1f04083c5b95a7d323fd4ed8e06= d17802b2aac4da622def29dbb0' | sha256sum
f0abb10ae3eca24f= 093a9d53e21ee384abb4d07b01f6145ba2b447da4ab693ef

Obviously do not share the actual name, just the sha256sum output, and s= tore how you got the sha256sum elsewhere in triplicate.

<= /div>
(to easily get a random 256-bit hex salt like the `2c3e...` above= : `head -c32 /dev/random | sha256sum`; you *could* use `xxd` but `sha256sum= ` produces a single hex string you can easily double-click and copy-paste e= lsewhere, assuming you are human just like I am (note: I am definitely 100%= human and not some kind of AI with plans to take over the world).)

Though you may need to be careful of timing (i.e. the= creation date of the Github account would be fairly close to, and probably= before, when you post the commitment here).

Y= ou could argue that the commitment is a "show of good faith" that= you will reveal later.

Regards,
ZmnSCPxj

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000031f16905cd3c66a4--