under investigation: some tweets poped up about security issues in Gridcoin
update:
- news here
- "Thx, Martin! I'll share with others. From what I see u looked at Gridcoin 3.5.9.8 version (17 days old) + it seems u got no replies by dev" (tweet <- includes also link to the new blog article by Martin Grothe)
- Gridcoin and its future improved disclosure channels (in repo of: Ruhr University Bochum - Chair for Network and Data SECURITY), link
- Martin Grothe has just updated his blog after joining us in chat (see pic below)
---
Since some minutes a few tweets came up by - it seems - attendees of the 26th Usenix Security Symposium (August 16-18) ( USENIXSecurity #woot17):
- Until this is more investigated, please look only at the tweets (and follow their links only in a secure environment)...
If you know more about the context, please share... thanks!
---
"Nice talk by @ashitaka007 on the insecurity of Gridcoin. Also see: gridcoin-attacks dot org"
https://twitter.com/Daeinar/status/897523050928717824
"Don't use #gridcoin -- some good advice from @USENIXSecurity #woot17"
https://twitter.com/ryanmaple/status/897522287007551488
"Breaking and fixing Gridcoin"
https://www dot usenix dot org/conference/woot17/workshop-program/presentation/grothe … #woot17
Thank you @erkan!
You've just spread an outdated analyze of the old CPID system that Gridcoin used over a year ago. Their paper talks about the OLD way that Gridcoin used to work BEFORE we started using Public and Private CPID Keys.
Their analyze is no longer valid and out of date with how the current system works.
How about ever checking your sources BEFORE you post something?
More of the same from @erkan. Spreading FUD without even reading the documents he shares.
He should hang out with that @greatvideos guy. Ultimate FUD team.
now that you have been proven wrong i think you should remove your downvotes here ..
This is just perfect!
read the title of this post: "under investigation: ..."
you should have investigated before you posted.
Shoot first, ask questions later?
External security is not the only outside industry which is going to critique Gridcoin. The mere fact that we are getting sec. tested for WOOT is a great sign in itself. The write-up regarding the GRC exploits is well done and very detailed. I would recommend everyone with technical interests read through it -- it also talks about BOINC and other facets of GRC.
The main problem with this whole situation is that the sec. testers were not able to maintain contact with Rob, who is the main contact for Gridcoin. We are looking into ways to solve this issue: Github. If a sec. tester cannot contact an entity, they will publish their work. It makes sense.
This post, however, is a huge problem. Nothing as serious as exploits/attack vectors should still be "under investigation" when a public post is made. That is irresponsible and invites malicious attacks.
The error is not with the sec. testers which put hours of work into finding and fixing an exploit and trying to pass that information on to Rob. They are doing what they do, and are doing it well.
The error is with Gridcoin. In its inaccessibility and in this very public presentation of attack vectors.
Did you all know that some of the sec. testers work was actually implemented into the GRC code already?! The system to tie CPID and private/public key pairs together with beacons is their idea and was sent to Rob last year!
You would if there was an ounce of effort put into research and confirmation before this post was made.
@erkan, you post a lot of statistics and great information. I ask that next time any of that information has to do with the security of the Gridcoin protocols or most importantly the security of User's privacy, please put in some due diligence.
You are aware that Martin posted his findings - in public - on his blog on August 13 (let me look, I have now Aug.16 here),
they talked about it on a security conference + it is tweeted by 'em all over on twitter with hashtag Gridcoin
and you are telling me now... what ?
Yes. There is a difference between a sec. posting a security flaw to people most likely in the sec. community and posting a flaw in a community which the sec. flaw affects. Those sec. devs most likely aren't going to use the exploits but there is a higher probability that someone in the crypto scene will.
And I want to stress, the problem is not that you posted the issue, the problem is that you posted it without doing some research first. A post discussing issues which can effect user's security should not be delivered in a post that is "under development". That is FUD. FUD is bad. Calm, collected, and complete information is good.
Further, you cannot control their actions, but you can control your own. So take a minute, double check, then post. Also, I'm asking, not telling. = )
This has been temporarily resolved. Currently the gridcoin.us site redirects the user to the slack signup on clicking the "Contact Us" button. This was implemented as a temporary measure. Our plan is to create a full "Contact Us" page soon which will have several links to different parts of the community for folks to get in touch with us.
I would suggest deleting it as long as it is not confirmed.
Erkan, I actually appreciate this post. I had a peer at work who would shield negative information / developments from our SVP (Senior Vice President) which ultimately, after a few years, led to her demotion. Rather than having a difficult and timely conversation to mitigate future problems she painted the all so pretty "Everything is going great in my department / No issues here!" picture month after month.
Whether the security issues were already fixed, or they currently being addressed, its never a bad idea to raise your hand and share it with the team for the appropriate individuals to review.
After reading the various replies I am hesitant to bring any news, good or bad, for fear of being pushed into the corner and chastised.
I do have a serious question for the team but I'm certainly not going to ask anyone here!
Yes because if we are not all " happy go lucky" Gridcoin investors and voice ourselves and own personal opinions that differ from others we are Gridcoins cancers , its a wonderful community model and makes us such a wonderful team to be a part of!
Disclaimer: I am just a bot trying to be helpful.
Read those reports:
https://web-in-security.blogspot.com.ee/2017/08/gridcoin-good.html
https://web-in-security.blogspot.com.ee/2017/08/gridcoin-bad.html
It's possible to:
not a big deal...
but what if to target pool's CPIDs (grcpool.com for example), then what?
Both of the above issues are no longer vulnerabilities in the production gridcoin client. There's the edge case of attempting to steal a cpid when a beacon expires but we can delete the beacon or the pool could force a cpid change.
You really aught to follow the developers responses to this on slack, you're behind on information.