1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
|
Return-Path: <rsomsen@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
by lists.linuxfoundation.org (Postfix) with ESMTP id 52C2EC000D
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 30 Sep 2021 20:36:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id 2EDB74045F
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 30 Sep 2021 20:36:22 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.901
X-Spam-Level:
X-Spam-Status: No, score=0.901 tagged_above=-999 required=5
tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1]
autolearn=no autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id nOIb67fMhBWh
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 30 Sep 2021 20:36:21 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com
[IPv6:2607:f8b0:4864:20::b2c])
by smtp4.osuosl.org (Postfix) with ESMTPS id D47894045E
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 30 Sep 2021 20:36:20 +0000 (UTC)
Received: by mail-yb1-xb2c.google.com with SMTP id v10so16012965ybq.7
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 30 Sep 2021 13:36:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=cMDXtyK8bBLO/DhHy9L0mTRgeXqIk4P9Qtt7eI1e6hI=;
b=oFy8kgF3E6gj0WatzSM/wrSgfULCBSbbxYNUQurAKctgm8MbDzul6k0kwHczvsauO2
Gh51BGHIdcElTb0YCtilAFRYI7WVyyYrmEBypHRiHJ5S0qcHqJ7oT79W/YyqmZC2lj3s
rUXEeCXN9vPeYN/quHBSoFELNe54XWUs0ides9yh1Y2yb6lTrOMvFWyOeuhVxAeNXAmw
g4OeVq1cO1pmFxRui3gO9hAyCwYvQmeprKga80ToNhqSfSH8Aq73pvB90j8RTmVATa+5
/TXSfQtXNVw2WLbkssINvqhl4N+6YBD+fuvDRO/3aCH1/DTBLwpzSvw9WY4B+w+vRaXA
Pn4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=cMDXtyK8bBLO/DhHy9L0mTRgeXqIk4P9Qtt7eI1e6hI=;
b=5Z9Z2R7jbTKkUy70bg8tXD7UEQfPQzWI0nUjavs2gJ0qFHztoK6tevIFSMtcAbqE4w
aelbIV2769lCWeVXa7SdC7W8reQ/zUuXj++U4tFbTflDMYmMjXbE2XdwfgF6NQq2kgD2
9icwis9EftuH7UalfCErjRXDhWvxbMEUGpWr+deRH2OD4u/uVZzIM1jjzLV+lchxgLcS
Vz0AY6fHiIfxmnylb0AAB1Fw9eTWJCFnLKKu3knLP0To4oDtb9uVq4T2drDXs0k+F8jX
J4y+1rqhSIDlgjDiaFcNPgmRy9GWOirIlX13AG2tl4j37BlbyTnbNKhZmki2RadGq/WG
W6lw==
X-Gm-Message-State: AOAM532wHK615bDy4FH5+qLwBrUqHSmnINMjfIHeYO3unsjrK+h8LBO1
v+b1bXSYB3LnZn+FOubMxd2uD8ekysjSk7/nYwN0gKiitGk=
X-Google-Smtp-Source: ABdhPJwiFX7w6Mip5q0CwaqWyNWkD0veogoQwle2TWhlsPg9VFSXqEQ4kqY8L642Z+KbGCF2BR7K0gu86tFlxxE8QhE=
X-Received: by 2002:a25:ba83:: with SMTP id s3mr1465989ybg.450.1633034179833;
Thu, 30 Sep 2021 13:36:19 -0700 (PDT)
MIME-Version: 1.0
References: <MkZx3Hv--3-2@tutanota.de>
<yp9mJ2Poc_Ce91RkrhjnTA3UPvdh0wUyw2QhRPZEyO3gPHZPhmnhqER_4b7ChvmRh8GcYVPEkoud6vamJ9lGlQPi-POF-kyimBWNHz2RH3A=@protonmail.com>
<MkdYcV9--3-2@tutanota.de>
In-Reply-To: <MkdYcV9--3-2@tutanota.de>
From: Ruben Somsen <rsomsen@gmail.com>
Date: Thu, 30 Sep 2021 22:36:08 +0200
Message-ID: <CAPv7TjbvRE-b33MeYucUfr6CTooCRSH42hwSn5dMiJ4LODATRQ@mail.gmail.com>
To: Prayank <prayank@tutanota.de>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000031f16905cd3c66a4"
X-Mailman-Approved-At: Thu, 30 Sep 2021 20:37:55 +0000
Subject: Re: [bitcoin-dev] Mock introducing vulnerability in important
Bitcoin projects
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2021 20:36:22 -0000
--00000000000031f16905cd3c66a4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Prayank,
While I can see how this can come from a place of good intentions, I=E2=80=
=99d
strongly advise you to tread carefully because what you are suggesting is
quite controversial. A related event occurred in the Linux community and it
did not go over well. See https://lkml.org/lkml/2021/5/5/1244 and
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ .
The main point of contention is that your research comes at the expense of
the existing open source contributors =E2=80=93 you=E2=80=99d be one-sidedl=
y deceiving
them, encouraging an environment of increased mistrust, and causing them a
lot of work in order to gather the data you=E2=80=99re interested in. For t=
his
reason, it would be appropriate to check first whether your plan is
actually appreciated.
Speaking on behalf of the bitcoin-dev moderators, please ensure your plan
is welcomed by the contributors, prior to proceeding.
Best regards,
Ruben Somsen
On Tue, Sep 28, 2021 at 10:05 AM Prayank via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hi ZmnSCPxj,
>
> Thanks for suggestion about sha256sum. I will share 10 in next few weeks.
> This exercise will be done for below projects:
>
> 1.Two Bitcoin full node implementations (one will be Core)
> 2.One Lightning implementation
> 3.Bisq
> 4.Two Bitcoin libraries
> 5.Two Bitcoin wallets
> 6.One open source block explorer
> 7.One coinjoin implementation
>
> Feel free to suggest more projects. There are no fixed dates for it
> however it will be done in next 6 months. All PRs will be created within =
a
> span of few days. I will ensure nothing is merged that affects the securi=
ty
> of any Bitcoin project. Other details and results will be shared once
> everything is completed.
>
> x00 will help me in this exercise, he does penetration testing since few
> years and working for a cryptocurrencies derivatives exchange to manage
> their security. His twitter account: https://twitter.com/1337in
>
>
> --
> Prayank
>
> A3B1 E430 2298 178F
>
>
>
> Sep 27, 2021, 15:43 by ZmnSCPxj@protonmail.com:
>
> Good morning Prayank,
>
> Good morning Bitcoin devs,
>
> In one of the answers on Bitcoin Stackexchange it was mentioned that some
> companies may hire you to introduce backdoors in Bitcoin Core:
> https://bitcoin.stackexchange.com/a/108016/
>
> While this looked crazy when I first read it, I think preparing for such
> things should not be a bad idea. In the comments one link was shared in
> which vulnerabilities were almost introduced in Linux:
> https://news.ycombinator.com/item?id=3D26887670
>
> I was thinking about lot of things in last few days after reading the
> comments in that thread. Also tried researching about secure practices in
> C++ etc. I was planning something which I can do alone but don't want to
> end up being called "bad actor" later so wanted to get some feedback on
> this idea:
>
> 1.Create new GitHub accounts for this exercise
> 2.Study issues in different important Bitcoin projects including Bitcoin
> Core, LND, Libraries, Bisq, Wallets etc.
> 3.Prepare pull requests to introduce some vulnerability by fixing one of
> these issues
> 4.See how maintainers and reviewers respond to this and document it
> 5.Share results here after few days
>
> Let me know if this looks okay or there are better ways to do this.
>
>
>
> This seems like a good exercise.
>
> You may want to hash the name of the new Github account, plus some
> randomized salt, and post it here as well, then reveal it later (i.e.
> standard precommitment).
> e.g.
>
> printf 'MyBitcoinHackingName
> 2c3e911b3ff1f04083c5b95a7d323fd4ed8e06d17802b2aac4da622def29dbb0' |
> sha256sum
> f0abb10ae3eca24f093a9d53e21ee384abb4d07b01f6145ba2b447da4ab693ef
>
> Obviously do not share the actual name, just the sha256sum output, and
> store how you got the sha256sum elsewhere in triplicate.
>
> (to easily get a random 256-bit hex salt like the `2c3e...` above: `head
> -c32 /dev/random | sha256sum`; you *could* use `xxd` but `sha256sum`
> produces a single hex string you can easily double-click and copy-paste
> elsewhere, assuming you are human just like I am (note: I am definitely
> 100% human and not some kind of AI with plans to take over the world).)
>
> Though you may need to be careful of timing (i.e. the creation date of th=
e
> Github account would be fairly close to, and probably before, when you po=
st
> the commitment here).
>
> You could argue that the commitment is a "show of good faith" that you
> will reveal later.
>
> Regards,
> ZmnSCPxj
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--00000000000031f16905cd3c66a4
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Prayank,<br><br>While I can see how this can come from =
a place of good intentions, I=E2=80=99d strongly advise you to tread carefu=
lly because what you are suggesting is quite controversial. A related event=
occurred in the Linux community and it did not go over well. See <a href=
=3D"https://lkml.org/lkml/2021/5/5/1244">https://lkml.org/lkml/2021/5/5/124=
4</a> and <a href=3D"https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX=
@kroah.com/">https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.c=
om/</a> .<div><div><br>The main point of contention is that your research c=
omes at the expense of the existing open source contributors =E2=80=93 you=
=E2=80=99d be one-sidedly deceiving them, encouraging an environment of inc=
reased mistrust, and causing them a lot of work in order to gather the data=
you=E2=80=99re interested in. For this reason, it would be appropriate to =
check first whether your plan is actually appreciated.<br><br>Speaking on b=
ehalf of the bitcoin-dev moderators, please ensure your plan is welcomed by=
the contributors, prior to proceeding.<br><br>Best regards,<br>Ruben Somse=
n<br></div></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" clas=
s=3D"gmail_attr">On Tue, Sep 28, 2021 at 10:05 AM Prayank via bitcoin-dev &=
lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lis=
ts.linuxfoundation.org</a>> wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">
=20
=20
=20
<div>
<div>Hi ZmnSCPxj,<br></div><div dir=3D"auto"><br></div><div dir=3D"auto">Th=
anks for suggestion about sha256sum. I will share 10 in next few weeks. Thi=
s exercise will be done for below projects:<br></div><div dir=3D"auto"><br>=
</div><div dir=3D"auto">1.Two Bitcoin full node implementations (one will b=
e Core)<br></div><div dir=3D"auto"><a rel=3D"noopener noreferrer" href=3D"h=
ttp://2.One" target=3D"_blank">2.One</a> Lightning implementation<br></div>=
<div dir=3D"auto">3.Bisq<br></div><div dir=3D"auto">4.Two Bitcoin libraries=
<br></div><div dir=3D"auto">5.Two Bitcoin wallets<br></div><div dir=3D"auto=
"><a rel=3D"noopener noreferrer" href=3D"http://6.One" target=3D"_blank">6.=
One</a> open source block explorer<br></div><div dir=3D"auto"><a rel=3D"noo=
pener noreferrer" href=3D"http://7.One" target=3D"_blank">7.One</a> coinjoi=
n implementation<br></div><div dir=3D"auto"><br></div><div dir=3D"auto">Fee=
l
free to suggest more projects. There are no fixed dates for it however=20
it will be done in next 6 months. All PRs will be created within a span=20
of few days. I will ensure nothing is merged that affects the security=20
of any Bitcoin project. Other details and results will be shared once=20
everything is completed.<br></div><div dir=3D"auto"><br></div><div dir=3D"a=
uto">x00
will help me in this exercise, he does penetration testing since few=20
years and working for a cryptocurrencies derivatives exchange to manage=20
their security. His twitter account: <a href=3D"https://twitter.com/1337in"=
target=3D"_blank">https://twitter.com/1337in</a><br></div><div><br></div><=
div dir=3D"auto"><br></div><div>-- <br></div><div>Prayank<br></div><div><br=
></div><div dir=3D"auto">A3B1 E430 2298 178F<br></div><div><br></div><div><=
br></div><div><br></div><div>Sep 27, 2021, 15:43 by <a href=3D"mailto:ZmnSC=
Pxj@protonmail.com" target=3D"_blank">ZmnSCPxj@protonmail.com</a>:<br></div=
><blockquote style=3D"border-left:1px solid rgb(147,163,184);padding-left:1=
0px;margin-left:5px"><div>Good morning Prayank,<br></div><blockquote><div>G=
ood morning Bitcoin devs,<br></div><div><br></div><div>In one of the answer=
s on Bitcoin Stackexchange it was mentioned that some companies may hire yo=
u to introduce backdoors in Bitcoin Core: <a href=3D"https://bitcoin.stacke=
xchange.com/a/108016/" target=3D"_blank">https://bitcoin.stackexchange.com/=
a/108016/</a><br></div><div><br></div><div>While this looked crazy when I f=
irst read it, I think preparing for such things should not be a bad idea. I=
n the comments one link was shared in which vulnerabilities were almost int=
roduced in Linux: <a href=3D"https://news.ycombinator.com/item?id=3D2688767=
0" target=3D"_blank">https://news.ycombinator.com/item?id=3D26887670</a><br=
></div><div><br></div><div>I was thinking about lot of things in last few d=
ays after reading the comments in that thread. Also tried researching about=
secure practices in C++ etc. I was planning something which I can do alone=
but don't want to end up being called "bad actor" later so w=
anted to get some feedback on this idea:<br></div><div><br></div><div>1.Cre=
ate new GitHub accounts for this exercise<br></div><div>2.Study issues in d=
ifferent important Bitcoin projects including Bitcoin Core, LND, Libraries,=
Bisq, Wallets etc.<br></div><div>3.Prepare pull requests to introduce some=
vulnerability by fixing one of these issues<br></div><div>4.See how mainta=
iners and reviewers respond to this and document it<br></div><div>5.Share r=
esults here after few days<br></div><div><br></div><div>Let me know if this=
looks okay or there are better ways to do this.<br></div></blockquote><div=
><br></div><div><br></div><div>This seems like a good exercise.<br></div><d=
iv><br></div><div>You may want to hash the name of the new Github account, =
plus some randomized salt, and post it here as well, then reveal it later (=
i.e. standard precommitment).<br></div><div>e.g.<br></div><div><br></div><d=
iv> printf 'MyBitcoinHackingName 2c3e911b3ff1f04083c5b95a7d323fd4ed8e06=
d17802b2aac4da622def29dbb0' | sha256sum<br></div><div> f0abb10ae3eca24f=
093a9d53e21ee384abb4d07b01f6145ba2b447da4ab693ef<br></div><div><br></div><d=
iv>Obviously do not share the actual name, just the sha256sum output, and s=
tore how you got the sha256sum elsewhere in triplicate.<br></div><div><br><=
/div><div>(to easily get a random 256-bit hex salt like the `2c3e...` above=
: `head -c32 /dev/random | sha256sum`; you *could* use `xxd` but `sha256sum=
` produces a single hex string you can easily double-click and copy-paste e=
lsewhere, assuming you are human just like I am (note: I am definitely 100%=
human and not some kind of AI with plans to take over the world).)<br></di=
v><div><br></div><div>Though you may need to be careful of timing (i.e. the=
creation date of the Github account would be fairly close to, and probably=
before, when you post the commitment here).<br></div><div><br></div><div>Y=
ou could argue that the commitment is a "show of good faith" that=
you will reveal later.<br></div><div><br></div><div>Regards,<br></div><div=
>ZmnSCPxj<br></div></blockquote><div dir=3D"auto"><br></div> </div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--00000000000031f16905cd3c66a4--
|