From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Wed, 27 Mar 2024 11:26:31 -0700 Received: from mail-oi1-f184.google.com ([209.85.167.184]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rpXyp-0007Aw-H8 for bitcoindev@gnusha.org; Wed, 27 Mar 2024 11:26:31 -0700 Received: by mail-oi1-f184.google.com with SMTP id 5614622812f47-3c3e1f6ce0fsf192924b6e.1 for ; Wed, 27 Mar 2024 11:26:31 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711563985; cv=pass; d=google.com; s=arc-20160816; b=B0lcM3iMiddhUE75aWBEQnt+uWZ4DqeaD3X5ETvSNRt/xnDPaeoKf56DPenc7ElJgo aA8XqeaTZl34mOGYjksi65otmzFLCdl3PlGyYTAh+KIr3dHzUdSgeA/jPkcuK9Diuja1 VueVUSlO34Pe3kqgukFPKbdYrJap2hlHEG6FFUxLzw/ClPIB44nHy7bV6hLbo7fxvxpc y8t+BkU5iBVfymDFnK2I2lCvi6sUs88hsqwzkVhds2Ft/9/7R0icUwjIB7SOs7yGfk5Y CBnkS+ZV/FKmWfCv4yVkwNmp4MKYAr99f+fKDGMQ+WhH8u+E1QAb6L+vPpD+S2JshfwN xIVA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :feedback-id:sender:dkim-signature; bh=BSSL1IVsbEXIsu8gT+pVqQAa2+Gtf0T/i0EEX4OoOEY=; fh=X7s6JDURtymzz6g3zEs9tJV945Y7vXrW24C0JVVXnT4=; b=qRC+3f5t9AWTJW7HObB+/RXKIRTUGglSIo9H8odh0pfMe+Ma4X6d6bcyPMreo3VJfT mZDU9fFAtZ8mZbBVw6ge3/99CHpXz8ZQVgyo/gW8yqatVdwZeR9nn90iz9IVuMySYEb6 fhNAo+LLnsrn7raMewu9oyzqxf0lNu0RA2VVmysUfkypifKLei6tqQje0TEHmZFjzDjg E4DQZNuR0LTGTP9s2WgpNie7iGV4iWJa43JrNiTaS6xDYHTqYVSC95i0cjM/BxQy+KRc IVvqjtRLe3QngKlCoFJkfnBT1bOd1pipBLyhYYHCJ8vb6S8CIPZ/lZq7kDIE3AqMjszS 1XRg==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=lCYMKAgr; spf=pass (google.com: domain of pete@petertodd.org designates 64.147.123.24 as permitted sender) smtp.mailfrom=pete@petertodd.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1711563985; x=1712168785; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:feedback-id:sender :from:to:cc:subject:date:message-id:reply-to; bh=BSSL1IVsbEXIsu8gT+pVqQAa2+Gtf0T/i0EEX4OoOEY=; b=o4Pv/GGGOAjNFXoPtatB10Wa658FDJ+lQNFK9CFmwVyNaHDLpXiblTC87NqBj9IWQo 27OVQ1YyyPveXZKN+u9YWTwr6jLlH5MXfPODPibxsjwbfG0xVlgjZTXsLTYLM4wmhGGN n9A8zGIhf+GvexTQOBsV4WAgBHRCRGDZ8RLu9H14HRbViluJtxOukI+NAKkwWp2F7i2C HzJpjbVsXHVrcTFX0Uv/SBlWwqBf10iJrA/emYZekxFjtdkiu4Q/guOP3Cz51KwJMKnG yNhRXJAUdExI6vuAuDBl9YMUk55Eix98xuDyPj9Ik0BOcNoZTJ+Ld5Fl1fCi2a2nk9QD llOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711563985; x=1712168785; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:feedback-id :x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date :message-id:reply-to; bh=BSSL1IVsbEXIsu8gT+pVqQAa2+Gtf0T/i0EEX4OoOEY=; b=tSP9+WlegeFFL9BSLwXSoZdKfdncW7dJVYPmyW6WisC8wRKRR0KQTrDISeZWeCoqJw zHLp7s8LGNYwXiNLGoLwxI2reRznoJ+JTS7U8icbsC38z4BPTIsPiEqjxKW+J0h3a1KF vXKrKwXO5YdYmx1d3X/WoBZYAU/ddHN+1rFqVUKWMvjSJFJaRCCoq2A5c20GyUtJJoUm AzSzyVyOQCRqj6Byq231Z7/UDbM/zpLXgnlevdVK0T2IQgKEL9mDJtgR7lU+QFVxbM2C /zNghRRrp1lf/FtN17QTBPp0QQunCsXT9TFd1APm5DrLEMieLX4ushiXJ1y0Ybjokxpo IqHA== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCVVXEai7TTQQ78iJOQQDP0gp5YoH7czlv2S21ZWFsEhIltxE970oyvsGJE65wU8Qenhf87zURP68crNDcoVOd649OkHmWM= X-Gm-Message-State: AOJu0YzX9ddKf95QLSz9cQvr6yFwCG2e7/D1ccUyIXoAkTpmXgejnyi/ 3mWSgTdnrkPEAK8qs391NX8QGVVp3WnLrbQHcUvOIYGcbZrJPr3w X-Google-Smtp-Source: AGHT+IFX5GHNvWBZHooIC3zULGjZhjKUJd2tyLwSGBUfzYpBhkNnH5hKfjerX7qLFsyJqoKoIOEAoQ== X-Received: by 2002:a05:6808:2905:b0:3c3:bd8b:b475 with SMTP id ev5-20020a056808290500b003c3bd8bb475mr686252oib.32.1711563985398; Wed, 27 Mar 2024 11:26:25 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:ac8:5bc4:0:b0:431:3419:79ef with SMTP id b4-20020ac85bc4000000b00431341979efls283759qtb.0.-pod-prod-07-us; Wed, 27 Mar 2024 11:26:24 -0700 (PDT) X-Received: by 2002:a05:622a:1ce:b0:431:3069:f1b8 with SMTP id t14-20020a05622a01ce00b004313069f1b8mr21922qtw.10.1711563984522; Wed, 27 Mar 2024 11:26:24 -0700 (PDT) Received: by 2002:a05:620a:2953:b0:78a:59df:2777 with SMTP id af79cd13be357-78b8a9a4eb1ms85a; Wed, 27 Mar 2024 11:04:53 -0700 (PDT) X-Received: by 2002:a05:6214:4a5c:b0:696:72ac:b84f with SMTP id ph28-20020a0562144a5c00b0069672acb84fmr270309qvb.10.1711562692858; Wed, 27 Mar 2024 11:04:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711562692; cv=none; d=google.com; s=arc-20160816; b=oFuQckSUT2udZQ+OmZZTIwWVsgseqG4a/e3a+BaMLFSFxCBd+F+f0o8PGhbJ6maI5k MAi86KDpXjYwBeMCUEw8IaDFpbLO8sw9IzaeYRYIFJBiorkOzuMLOXAn05RHh+0ICvPi PsCqqyg6pbnkWriWNHuiBD6sgajMA4imADiaMMLBoy2+rOIJKE6/iH8uwuzzm3AUkPHY N2KJm6fGA+2LKXr5lUVya0POyT5RKBCXgQ0t50ptnmMwHPcGC8GYQI/JbfcDGldLc0BH oQ0W17839apnoImtm/dm+H5f7+uZ1Ez8tkK+4zHtFfAgxWZEeCzHlW2GGQ44XyxmkSIE bChQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:dkim-signature; bh=ZmiS4Gop8l28ZBfcjtPAL9YbaWiawiuBQm0iOD5tGPQ=; fh=qAkUFgesXJOBZlEhHhc6qjOrC9x9vwcQK9K5cSmyNz0=; b=Imk7UA5Bb9+toZO0A77uSSpzll9XClDJ8+zYaWm5Y/FuRpmOcPUam3EwYBgs9twQL7 Au/54EwI2WDcitpO7DsLGL7eOkSXocYJuTrP4RjOxbQyyBL4zaETySVYyiV1Qjwgys8C AIkoyOksmHGcqco4leKWNkIuZkZleVZV92AxJ21MYSq5Vhrxf2LwdIU3gToBHzwD8M3y GARRKx35AUPeFD15XXrwkuRls+9drRhM8SVDwhWkQCWTRR0Huxz5moBqKkCSal8HH3fj 9UwjylwmgFGXZU0SQy5Y3kZeuDfxOGaEzUaeoCMBz2oQ/xQch/T49UYq6QBb/w1YmdRr qnLQ==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=lCYMKAgr; spf=pass (google.com: domain of pete@petertodd.org designates 64.147.123.24 as permitted sender) smtp.mailfrom=pete@petertodd.org Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com. [64.147.123.24]) by gmr-mx.google.com with ESMTPS id ep20-20020a05621418f400b0069694f92763si343626qvb.4.2024.03.27.11.04.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Mar 2024 11:04:52 -0700 (PDT) Received-SPF: pass (google.com: domain of pete@petertodd.org designates 64.147.123.24 as permitted sender) client-ip=64.147.123.24; Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailout.west.internal (Postfix) with ESMTP id 68BF43200A00; Wed, 27 Mar 2024 14:04:51 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Wed, 27 Mar 2024 14:04:51 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudduiedgkeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvvefukfhfgggtuggjsehgtd orredttddvnecuhfhrohhmpefrvghtvghrucfvohguugcuoehpvghtvgesphgvthgvrhht ohguugdrohhrgheqnecuggftrfgrthhtvghrnhepuddtffelkeeitdefgfetfeejhfffie ffveelgedthfeufeefjeevleejkeefhfeinecuffhomhgrihhnpehpvghtvghrthhouggu rdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epphgvthgvsehpvghtvghrthhouggurdhorhhg X-ME-Proxy: Feedback-ID: i525146e8:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 27 Mar 2024 14:04:50 -0400 (EDT) Received: by localhost (Postfix, from userid 1000) id 52C035F834; Wed, 27 Mar 2024 18:04:46 +0000 (UTC) Date: Wed, 27 Mar 2024 18:04:46 +0000 From: Peter Todd To: "David A. Harding" Cc: bitcoindev@googlegroups.com Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6 Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="WIB19lrcLw7AqMfT" Content-Disposition: inline In-Reply-To: X-Original-Sender: pete@petertodd.org X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=lCYMKAgr; spf=pass (google.com: domain of pete@petertodd.org designates 64.147.123.24 as permitted sender) smtp.mailfrom=pete@petertodd.org Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) --WIB19lrcLw7AqMfT Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline On Wed, Mar 27, 2024 at 07:18:08AM -1000, David A. Harding wrote: > On 2024-03-27 02:10, Peter Todd wrote: > > On Tue, Mar 26, 2024 at 08:36:45AM -1000, David A. Harding wrote: > > > Could you tell us more about the disclosure process you followed? > > > > see attached. > > Do I correctly infer from this that you privately reported the attack on > Thursday around 15:46 UTC, didn't receive any replies in four days > (including a weekend), and published the attack on Monday at 13:21 UTC? > > That's a very short timeline to use for going public due to not receiving a > response. I think it's typical to give triage at least 30 days to respond, > often while also prompting them additional times for a response if > necessary. I'm on the bitcoin-security mailing list. Every single plausible issue that has been raised in the past few years has gotten a response within two days. A few days is plenty of time to at least respond with a simple "give us more time" if needed. Secondly, I was able to verify independently that the relevant people had seen the email and weren't planning on replying. Which isn't surprising. It's just another way to perform an obvious, well known, class of attack. Anyway, I think the lesson to be learned here is I'd have been better off not disclosing to bitcoin-security first. You're just harassing me here; I highly suspect you'd have said nothing at all if I hadn't brought up disclosure. -- https://petertodd.org 'peter'[:-1]@petertodd.org -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZgRfvrYatcpqPNRn%40petertodd.org. --WIB19lrcLw7AqMfT Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmYEX7wACgkQLly11TVR LzdUvRAAnEHqY8tv/fTwr1iaFRJ4GsfcHxeY86z5DOxtBcIUnh/21n2fN3wEXMW0 sgMo0Zky2eKfciOukT8Waqiudaijed91KA2fFc3A53Cuhyufkn1HaQHOTpToVGbL VLWM0CEXltc0mQA1Yzj1BHa6UWJB/EbD4hdRdVcygbcsYgcl9+w22ghIHmtDAoEo BpO396x0KYnBUDZzozib6v/b+9LcnXnDCf6Pgicj+gIu3ymFT48XPT9d972jG9y2 jb3SXYVVOcSg4AI7Tz1vwN+5wK84assLJFvkrmMqDaP6lHPCiSWquLkNqFrQGZxA XXgoqCfdJc0pzH7t+QPt10mDXq8b/jZjWDGs7NN3Or4/dAgMb/HswgojGghMKJOF zUc6YcooB0QynuKmQ9g4BcGySo5flB/nArtoHLZ/Ru/PySO0sns+KTTAtb16N+VD FKHv7f8QXispApOZ//dG9SoZMQHSfGDjX92I+3EdEvVdD5dt0i2ET/wNohSQHWn9 W7KHa8kAXFibEytsrWOSrwBPBToKFwuQFjbdyFAZPLoZdYVOoQJ3PIXKPiRXWIqr Wck//SfIAyH6ovyhnbxjqQxGVUlJcSVk5KeRJFvj1Umn45rDmYOgyog8oXWxdc3U 7zZDW7h5PdQb0XUHxRnTYL/eT/Rrr6DqXl+AWZk8eBQqLcKrSx4= =LTSb -----END PGP SIGNATURE----- --WIB19lrcLw7AqMfT--