AWARD-WINNING

CASINO CRYPTO EXCLUSIVE

CLUBHOUSE 1500+

GAMES 2 MIN

CASH-OUTS 24/7

SUPPORT 100s OF

FREE SPINS PLAY NOW Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertised sites are notendorsed bthe Bitcoin Forum.They may be unsafe, untrustworthy,or illegal inyour jurisdiction. Advertise here.

instagibbs



Offline



Activity: 114

Merit: 10







MemberActivity: 114Merit: 10 Re: delete February 02, 2015, 10:00:35 PM #2 I totally believe you. Dang it where's my sarcasm font?

ncsupanda



Offline



Activity: 1316

Merit: 1002









LegendaryActivity: 1316Merit: 1002 Re: delete February 02, 2015, 10:56:42 PM #5 Quote from: entertainment on February 02, 2015, 10:54:00 PM





You should use https://www.vinumeris.com/lighthouse

I agree. I follow a lot of the projects you are working on Evil and I could see a Lighthouse writeup doing well if you are able to prove what you're claiming here.



I would give BTC for this. Thanks!



Edit: For some projects and people who stumble here, this may be interesting:

https://tip4commit.com/projects I agree. I follow a lot of the projects you are working on Evil and I could see a Lighthouse writeup doing well if you are able to prove what you're claiming here.I would give BTC for this. Thanks!Edit: For some projects and people who stumble here, this may be interesting:



https://pandamanshop.com Planning to purchase games for cheap? Check out my website.

cr1776



Offline



Activity: 2730

Merit: 1105







LegendaryActivity: 2730Merit: 1105 Re: delete February 02, 2015, 11:17:44 PM #7 Quote from: Evil-Knievel on February 02, 2015, 09:50:39 PM Hello,



I was just curious if there is any sort of bitcoin bug bounty?

I have discovered a serious bug in all previous (and current) bitcoin reference clients which would allow a denial of service on an arbitrary number of bitcoind nodes (as run by exchanges for example).

While this bug may not leak any private data, it allows you to shoot down bitcoin nodes that you are directly connected to. Arbitrary code execution may be possible (but was not tested).



The denial of service works, tested locally in Bitcoin 0.9 and 0.10 branches.

Newspapers or Journalists may ask me for a demonstration in private.



If anyone is intrested in a disclosure, I am asking 10 BTC for my time doing a write-up

including detailed explanations: 1LaV9xQvmd1gR4fYYWgFMpPXEgAwBYCQN1



If the balance will not reach 10 BTC, I will pay all amounts back. I will also cover the transaction costs myself.



Hi,

A question: DOS vs " shoot down" vs "arbitrary code execution may be possible". Can you explain more? Are you crashing bitcoind "merely" DOSing the server while connected?



Down thread you said "make your node connect to mine". Did you mean any node that connects to your node will crash bitcoind?



Hi,A question: DOS vs " shoot down" vs "arbitrary code execution may be possible". Can you explain more? Are you crashing bitcoind "merely" DOSing the server while connected?Down thread you said "make your node connect to mine". Did you mean any node that connects to your node will crash bitcoind?

cr1776



Offline



Activity: 2730

Merit: 1105







LegendaryActivity: 2730Merit: 1105 Re: delete February 03, 2015, 12:08:58 AM #9 Quote from: Evil-Knievel on February 02, 2015, 11:23:17 PM Quote from: cr1776 on February 02, 2015, 11:17:44 PM Hi,

A question: DOS vs " shoot down" vs "arbitrary code execution may be possible". Can you explain more? Are you crashing bitcoind "merely" DOSing the server while connected?



Down thread you said "make your node connect to mine". Did you mean any node that connects to your node will crash bitcoind?







Well, the only thing that is required to "shoot down" a node, is that the node is somehow connected to you. It does not matter who initiated the connection.

The handshake must have already occured (basically the version message sent and accepted) so it does not work on nodes that block you. Usually that should not be the case anyway.



Now, shooting down means that the bitcoind server completely stops. It can be restarted by hand, but until someone physically walks up to the server and resets the application it will remain in an infinite loop and stop working at all.

Well, the only thing that is required to "shoot down" a node, is that the node is somehow connected to you. It does not matter who initiated the connection.The handshake must have already occured (basically the version message sent and accepted) so it does not work on nodes that block you. Usually that should not be the case anyway.Now, shooting down means that the bitcoind server completely stops. It can be restarted by hand, but until someone physically walks up to the server and resets the application it will remain in an infinite loop and stop working at all.

Thanks. I was just curious as to what you were seeing. ;-)



btw, one thing I was clear about was whether your node is set to do this automatically to anyone who connects to it or you have to trigger it.



I'd ask you to share the details, but given the first post, I presume that is pointless.



Thanks. I was just curious as to what you were seeing. ;-)btw, one thing I was clear about was whether your node is set to do this automatically to anyone who connects to it or you have to trigger it.I'd ask you to share the details, but given the first post, I presume that is pointless.

Blazr



Offline



Activity: 882

Merit: 1004









Hero MemberActivity: 882Merit: 1004 Re: delete February 03, 2015, 12:22:50 AM #11 You can't seriously expect people to pay you UPFRONT for such a disclosure?!



If you actually know of such an exploit, contact the devs privately and responsibly disclose it ASAP. Then you can ask for your bounty, and you'll probably get more than 10BTC. My PGP key: 0x5C34AC7629163393 || Keybase

cr1776



Offline



Activity: 2730

Merit: 1105







LegendaryActivity: 2730Merit: 1105 Re: delete February 03, 2015, 01:07:42 AM

Last edit: February 03, 2015, 03:31:20 AM by cr1776 #12 Quote from: Blazr on February 03, 2015, 12:22:50 AM You can't seriously expect people to pay you UPFRONT for such a disclosure?!



If you actually know of such an exploit, contact the devs privately and responsibly disclose it ASAP. Then you can ask for your bounty, and you'll probably get more than 10BTC.



It is much more likely there is a bug in the software as compared to the odds there is a 'bug' in the math. :-)



Some reading on the ECDSA claims:

https://bitcointalk.org/index.php?topic=437220.msg4808560#msg4808560

https://bitcointalk.org/index.php?topic=421842.0

It is much more likely there is a bug in the software as compared to the odds there is a 'bug' in the math. :-)Some reading on the ECDSA claims:

bassguitarman



Offline



Activity: 728

Merit: 500









Hero MemberActivity: 728Merit: 500 Re: delete February 03, 2015, 02:16:41 AM #13 Quote from: Evil-Knievel on February 02, 2015, 09:50:39 PM Hello,



I was just curious if there is any sort of bitcoin bug bounty?

I have discovered a serious bug in all previous (and current) bitcoin reference clients which would allow a denial of service on an arbitrary number of bitcoind nodes (as run by exchanges for example).

While this bug may not leak any private data, it allows you to shoot down bitcoin nodes that you are directly connected to. Arbitrary code execution may be possible (but was not tested).



The denial of service works, tested locally in Bitcoin 0.9 and 0.10 branches.

Newspapers or Journalists may ask me for a demonstration in private.



If anyone is intrested in a disclosure, I am asking 10 BTC for my time doing a write-up

including detailed explanations: 1LaV9xQvmd1gR4fYYWgFMpPXEgAwBYCQN1



If the balance will not reach 10 BTC, I will pay all amounts back. I will also cover the transaction costs myself.



I'm also a developer, and if you're interested, i can verify your claims if needed I'm also a developer, and if you're interested, i can verify your claims if needed

gmaxwell

Legendary



Offline



Activity: 3178

Merit: 4298









StaffLegendaryActivity: 3178Merit: 4298 Re: delete February 03, 2015, 02:38:06 AM

Last edit: February 03, 2015, 02:54:35 AM by gmaxwell #14



If you believe you have some DOS attack please report it responsibly to



If your actions caused foreseeable and preventable harm to others you may find yourself subject to civil litigation by the harmed parties. I would strongly encourage you to behave responsibly. I guess you didn't learn after your prior stunts resulting in negative trust? (For some context Evil-Knievel incorrectly (and seemingly dishonestly) claimed to have compromises for ECDSA in the past and tried charging for them; conduct which he currently bears negative trust for.)If you believe you have some DOS attack please report it responsibly to bitcoin-security@lists.sourceforge.net (or feel free to report it encrypted privately to any of the Bitcoin core committers if you think its super critical), just like anyone else does. We consider DOS attacks to be important, but fundamentally you cannot prevent DOS because an attacker can just exhaust your bandwidth, instead DOS is prevented by not exposing your critical infrastructure to the public network directly. We usually fix several DOS-ish issues in each release, it may also be that anything you know about is already known and a coordinated fix is in progress. In any case, you'll be credited for your contribution. Demanding an enormous bounty for what sounds like something that is not terribly concerning is unreasonable and isn't likely to happen (it would be incredibly counterproductive to pay you when other people have done _far_ more work and found far more serious issues in the past).If your actions caused foreseeable and preventable harm to others you may find yourself subject to civil litigation by the harmed parties. I would strongly encourage you to behave responsibly.

gmaxwell

Legendary



Offline



Activity: 3178

Merit: 4298









StaffLegendaryActivity: 3178Merit: 4298 Re: delete February 03, 2015, 08:32:25 AM #18 Quote from: Evil-Knievel on February 03, 2015, 07:51:15 AM You are right, I was not always transparent, not always right, and not very communicative. But I was working day and night to understand every single part of the software and the protocol, sometimes I was right sometimes I was wrong.Anyways ... I am preparing a video for you right now demonstrating the DOS on a stock Bitcoin 0.9 node (of mine) and send it to you in private.

Why use year old software? I'm not sure what a video is supposed to prove. The bogus ECDSA "cracker" had a proof video too. Why use year old software? I'm not sure what a video is supposed to prove. The bogus ECDSA "cracker" had a proof video too.