Date: Tue, 28 Sep 2021 01:19:40 +0200 (CEST)
From: Prayank <prayank@tutanota.de>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <MkdYcV9--3-2@tutanota.de>
In-Reply-To: <yp9mJ2Poc_Ce91RkrhjnTA3UPvdh0wUyw2QhRPZEyO3gPHZPhmnhqER_4b7ChvmRh8GcYVPEkoud6vamJ9lGlQPi-POF-kyimBWNHz2RH3A=@protonmail.com>
References: <MkZx3Hv--3-2@tutanota.de>
 <yp9mJ2Poc_Ce91RkrhjnTA3UPvdh0wUyw2QhRPZEyO3gPHZPhmnhqER_4b7ChvmRh8GcYVPEkoud6vamJ9lGlQPi-POF-kyimBWNHz2RH3A=@protonmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>

Hi ZmnSCPxj,

Thanks for the suggestion about sha256sum. I will share 10 in the next few weeks. This exercise will be done for the projects below:

1. Two Bitcoin full node implementations (one will be Core)
2. One Lightning implementation
3. Bisq
4. Two Bitcoin libraries
5. Two Bitcoin wallets
6. One open source block explorer
7. One coinjoin implementation

Feel free to suggest more projects. There are no fixed dates for it; however, it will be done in the next 6 months. All PRs will be created within a span of a few days. I will ensure nothing is merged that affects the security of any Bitcoin project. Other details and results will be shared once everything is completed.

x00 will help me in this exercise; he has done penetration testing for a few years and works for a cryptocurrency derivatives exchange managing their security. His Twitter account: https://twitter.com/1337in


-- 
Prayank

A3B1 E430 2298 178F



Sep 27, 2021, 15:43 by ZmnSCPxj@protonmail.com:

> Good morning Prayank,
>
>> Good morning Bitcoin devs,
>>
>> In one of the answers on Bitcoin Stackexchange it was mentioned that some companies may hire you to introduce backdoors in Bitcoin Core: https://bitcoin.stackexchange.com/a/108016/
>>
>> While this looked crazy when I first read it, I think preparing for such things should not be a bad idea. In the comments one link was shared in which vulnerabilities were almost introduced in Linux: https://news.ycombinator.com/item?id=26887670
>>
>> I was thinking about a lot of things in the last few days after reading the comments in that thread. Also tried researching secure practices in C++ etc. I was planning something which I can do alone but don't want to end up being called a "bad actor" later, so wanted to get some feedback on this idea:
>>
>> 1. Create new GitHub accounts for this exercise
>> 2. Study issues in different important Bitcoin projects including Bitcoin Core, LND, libraries, Bisq, wallets etc.
>> 3. Prepare pull requests to introduce some vulnerability by fixing one of these issues
>> 4. See how maintainers and reviewers respond to this and document it
>> 5. Share results here after a few days
>>
>> Let me know if this looks okay or there are better ways to do this.
>>
>
>
> This seems like a good exercise.
>
> You may want to hash the name of the new Github account, plus some randomized salt, and post it here as well, then reveal it later (i.e. standard precommitment).
> e.g.
>
>  printf 'MyBitcoinHackingName 2c3e911b3ff1f04083c5b95a7d323fd4ed8e06d17802b2aac4da622def29dbb0' | sha256sum
>  f0abb10ae3eca24f093a9d53e21ee384abb4d07b01f6145ba2b447da4ab693ef
>
> Obviously do not share the actual name, just the sha256sum output, and store how you got the sha256sum elsewhere in triplicate.
>
> (to easily get a random 256-bit hex salt like the `2c3e...` above: `head -c32 /dev/random | sha256sum`; you *could* use `xxd` but `sha256sum` produces a single hex string you can easily double-click and copy-paste elsewhere, assuming you are human just like I am (note: I am definitely 100% human and not some kind of AI with plans to take over the world).)
>
> Though you may need to be careful of timing (i.e. the creation date of the Github account would be fairly close to, and probably before, when you post the commitment here).
>
> You could argue that the commitment is a "show of good faith" that you will reveal later.
>
> Regards,
> ZmnSCPxj
>

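The commit/reveal scheme ZmnSCPxj sketches in the quoted message, written out as a small POSIX shell script. This is an added example, not code posted by either participant: the account name, salt and candidate wordlist are constructed for illustration, and the function names are mine. It keeps the same construction (SHA-256 over 'NAME SALT', the same bytes as the printf | sha256sum one-liner), adds the verifier a reader would run at reveal time, and shows why the salt is not optional: a commitment to a bare username can be opened by hashing a list of plausible names, which a 256-bit random salt rules out.

```shell
#!/bin/sh
# Added example: hash precommitment to a pseudonymous account name.
#   commit:  H = SHA-256("NAME SALT")  -> post only H to the list
#   reveal:  publish NAME and SALT     -> anyone recomputes H and compares
# Names, salts and the wordlist below are constructed for illustration.

sha256_hex() {
    # SHA-256 of stdin as a bare 64-character hex string (drops the "  -" suffix).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

new_salt() {
    # 256-bit random salt as hex; same trick as in the thread: hash 32 random bytes.
    head -c32 /dev/urandom | sha256_hex
}

commit() {
    # commit NAME SALT -> commitment. Identical input to: printf 'NAME SALT' | sha256sum
    printf '%s %s' "$1" "$2" | sha256_hex
}

commit_unsalted() {
    # The weak variant: hash of the bare name and nothing else. Here only to be attacked.
    printf '%s' "$1" | sha256_hex
}

verify_reveal() {
    # verify_reveal COMMITMENT NAME SALT -> exit 0 if the reveal opens the commitment.
    [ "$(commit "$2" "$3")" = "$1" ]
}

guess_unsalted() {
    # guess_unsalted COMMITMENT "name1 name2 ..." -> prints the candidate whose bare
    # hash equals COMMITMENT and exits 0, or exits 1 when no candidate matches.
    # Against a salted commitment the same loop would also have to guess 256 salt bits.
    for candidate in $2; do
        if [ "$(commit_unsalted "$candidate")" = "$1" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

demo() {
    name='MyBitcoinHackingName'           # constructed; stands in for the real account
    salt=$(new_salt)
    c=$(commit "$name" "$salt")
    echo "post this now:   $c"
    echo "keep private:    name='$name' salt='$salt'"

    # At reveal time a reader recomputes the hash and compares.
    verify_reveal "$c" "$name" "$salt" && echo "reveal verifies"
    verify_reveal "$c" 'SomeoneElse' "$salt" || echo "wrong name rejected"

    # Why the salt: a bare hash of a username falls to a wordlist of likely names.
    wordlist='satoshi hal-finney MyBitcoinHackingName nakamoto'   # constructed
    hit=$(guess_unsalted "$(commit_unsalted "$name")" "$wordlist") \
        && echo "unsalted commitment opened by guessing: $hit"
    guess_unsalted "$c" "$wordlist" >/dev/null \
        || echo "salted commitment resists the same wordlist"
}

demo
```

The hash says nothing about when the account was created; that is the timing caveat in the quoted message, and a reader checks it separately by comparing the archive timestamp of the post carrying the commitment with the account's creation date.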
