Date: Mon, 27 Sep 2021 03:52:41 +0200 (CEST)
From: Prayank <prayank@tutanota.de>
To: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin
	projects
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>


Good morning Bitcoin devs,

In one of the answers on Bitcoin Stackexchange it was mentioned that some companies may hire you to introduce backdoors in Bitcoin Core: https://bitcoin.stackexchange.com/a/108016/

While this looked crazy when I first read it, I think preparing for such things should not be a bad idea. In the comments one link was shared in which vulnerabilities were almost introduced in Linux: https://news.ycombinator.com/item?id=26887670

I was thinking about a lot of things in the last few days after reading the comments in that thread. I also tried researching secure practices in C++ etc. I was planning something which I can do alone, but I don't want to end up being called a "bad actor" later, so I wanted to get some feedback on this idea:

1. Create new GitHub accounts for this exercise
2. Study issues in different important Bitcoin projects including Bitcoin Core, LND, Libraries, Bisq, Wallets etc.
3. Prepare pull requests to introduce some vulnerability by fixing one of these issues
4. See how maintainers and reviewers respond to this and document it
5. Share results here after a few days

Let me know if this looks okay or there are better ways to do this.

-- 
Prayank

A3B1 E430 2298 178F
