
RE: under investigation: some tweets popped up about security issues in Gridcoin

in #gridcoin, 7 years ago (edited)

External security is not the only outside industry that is going to critique Gridcoin. The mere fact that we are getting sec. tested for WOOT is a great sign in itself. The write-up regarding the GRC exploits is well done and very detailed. I would recommend everyone with technical interests read through it; it also talks about BOINC and other facets of GRC.

The main problem with this whole situation is that the sec. testers were not able to maintain contact with Rob, who is the main contact for Gridcoin. We are looking into ways to solve this issue: Github. If a sec. tester cannot contact an entity, they will publish their work. It makes sense.

This post, however, is a huge problem. Nothing as serious as exploits/attack vectors should still be "under investigation" when a public post is made. That is irresponsible and invites malicious attacks.

The error is not with the sec. testers who put hours of work into finding and fixing an exploit and trying to pass that information on to Rob. They are doing what they do, and are doing it well.

The error is with Gridcoin: in its inaccessibility and in this very public presentation of attack vectors.

Did you all know that some of the sec. testers' work was actually implemented into the GRC code already?! The system to tie CPIDs and private/public key pairs together with beacons is their idea and was sent to Rob last year!

You would have, if an ounce of effort had been put into research and confirmation before this post was made.

@erkan, you post a lot of statistics and great information. I ask that next time any of that information has to do with the security of the Gridcoin protocols or, most importantly, the security of users' privacy, please put in some due diligence.


You are aware that Martin posted his findings, in public, on his blog on August 13 (let me look; it is Aug. 16 here now),

they talked about it at a security conference, and it was tweeted by them all over Twitter with the Gridcoin hashtag,

and you are telling me now... what?

Yes. There is a difference between a sec. tester posting a security flaw to people most likely in the sec. community and posting a flaw in the community which the sec. flaw affects. Those sec. devs most likely aren't going to use the exploits, but there is a higher probability that someone in the crypto scene will.

And I want to stress, the problem is not that you posted the issue; the problem is that you posted it without doing some research first. A post discussing issues which can affect users' security should not be delivered in a post that is "under development". That is FUD. FUD is bad. Calm, collected, and complete information is good.

Further, you cannot control their actions, but you can control your own. So take a minute, double check, then post. Also, I'm asking, not telling. = )

This has been temporarily resolved. Currently the gridcoin.us site redirects the user to the Slack signup on clicking the "Contact Us" button. This was implemented as a temporary measure. Our plan is to create a full "Contact Us" page soon which will have several links to different parts of the community for folks to get in touch with us.
