all 197 comments

[–]bitp 160 points (113 children)

This bug was identified by a BU dev. Core supporters found out about this bug AFTER a fix was committed into the code. And of course, the core supporters started attacking the network before anyone could update. Good job guys.

Anyways, this is more evidence that we need multiple clients. If BU was the standard, then clients written by other teams and clients written in other languages would not have this bug.

[–]BitcoinIsTehFuture 32 points (52 children)

Is this true? Did BU devs actually discover this first? It sounded like Peter Todd found it first. Or was he just the loudest?

[–]Helvetian616 92 points (31 children)

As of writing this, the fix was committed to the dev branch 4 hours ago, PT's tweet was 3 hours ago.

https://github.com/BitcoinUnlimited/BitcoinUnlimited/tree/dev

https://twitter.com/petertoddbtc/status/841703197723021312

[–]BitcoinIsTehFuture 36 points (10 children)

That's good to know. So it was really just Todd taking advantage of something already known (not surprising of his character). But if it was such a serious bug, how come it wasn't urgently released when discovered?

(Never a dull day in Bitcoin land.)

[–]Helvetian616 17 points (4 children)

Testing and building takes time.

[–]BitcoinIsTehFuture 4 points (2 children)

Well, it didn't take long for exploiters to "test it". Seems like it should have been a higher priority for inclusion into binaries.

[–]Helvetian616 5 points (0 children)

Yes, in hindsight the binaries should have been prepared first

[–]mmouse- 1 point (0 children)

You are aware that you are talking about a few hours, not more? Todd lost no time tweeting about it after the fixing commit showed up on GitHub.

[–]bitusher -1 points (0 children)

No, it's about the fact that this bug existed for almost a year, was merged only one hour after the commit, with no commit description of what it was. There was one reviewer on that particular pull request: https://github.com/BitcoinUnlimited/BitcoinUnlimited/pull/43, and then, to make this all worse, it was patched in the most insecure manner possible, which allowed the attacker to take down 2/3rds of all BU nodes ...

How many levels of fucked up is this? ... and BU supporters are simply brushing it off like nothing happened and this should be normal with a 20 billion dollar network .... which is another level of what is disturbing with this.

[–]moleccc 5 points (4 children)

when was it discovered?

[–]ferretinjapan 67 points (8 children)

Wow, Todd really is a spiteful, destructive POS.

[–]ForkiusMaximus 16 points (1 child)

That's what we have to be ready for, and he was nice enough to do it on a less critical bug.

[–]wummm 3 points (0 children)

Being able to trivially shut down all nodes is critical in my book.

[–]beancc 3 points (0 children)

the Blockstream business model is to keep full blocks at all costs to push people onto its sidechains. The immaturity and ego of todd is sad to see in the community.

[–]bigslimvdub 0 points (0 children)

He's a businessman. That's what they do

[–]Thann -2 points (0 children)

Maybe he was just helping notify BU'ers about the issue, so they can update ^.^

Or just generally inform the community about the stability/reliability of the BU implementation.

[–]muyuu 3 points (1 child)

This zero-day was posted to github without warning node operators about it.

That is not very responsible IMO. People watch github repositories.

It was in /r/bitcoin immediately after github and much earlier than Todd posted about it. I assume he found out in reddit.

[–]fatoshi 0 points (0 children)

This, I agree with. Handling this sort of crisis requires intense coordination. What was done is the complete opposite.

[–]moleccc -3 points (2 children)

maybe he disclosed it to BU devs earlier than tweeting about it?

[–]Helvetian616 14 points (0 children)

No, they seem to be monitoring the GitHub repo.

[–]________________mane 0 points (0 children)

This could be true. I'm in the BU slack and the only one who knows is thezerg who is away at the moment.

[–]EightEqualsEqualsDe -1 points (2 children)

yeah but he linked a github commit which had the bug since June 10th, 2016

I support Segwit and I also support bigger blocks, let's not spread misinformation. we're a community, we need to remain objective

[–]Helvetian616 10 points (1 child)

Once the fix was committed it was an easy thing to go back in the history to see how long the code had been that way.

[–]gotamd 60 points (8 children)

The fix was already checked into BU. Peter Todd likely saw it and then tweeted. Given that the fix was already in (but not released), I don't see why there would be any legitimate reason to tweet about it. Given that the vulnerability is being actively exploited almost immediately, my suspicion is that the tweet was put out in order to either encourage attacks or as a smokescreen for running his own attack and claiming that it was some random internet stranger who read his tweet.

[–][deleted] 40 points (0 children)

Because Peter Todd is a dangerous idiot, which he proves time and time again with his immature little stunts like this.

He could have just let the fix occur quietly, but no, he got out his soap box, took time out of his busy day ruining whatever code he was touching, and loudly announced it to every malcontent coder on Earth so BU could be attacked while it was literally being patched.

Seriously, fuck you Peter, this is why you don't deserve any place here and are a disgrace to open source. Blockstream is lucky to have you.

[–]timetraveller57 19 points (0 children)

I tend to say Core lot act disgracefully, but this is another new low for them..

How people continue to trust them with Core I will never know (but expect the censorship has a lot to do with it)

smh

[–][deleted]  (1 child)

[removed]

    [–]Shock_The_Stream 4 points (0 children)

    Those vandals still believe that such unspellable disgusting behavior is a help to their agenda.

    [–]rbtkhn -3 points (3 children)

    The legitimate reason for tweeting about it is that because the vulnerability had existed in BU for a long time without being detected, it exposes the lack of competence of the BU dev team. That is something everyone should know. Do you think it should be swept under the rug and hidden from the Bitcoin community? I am grateful people like Peter Todd bring this information to the forefront so I can make an informed investment decision.

    [–]gotamd 23 points (2 children)

    That is bullshit. Todd tweeted this a few hours after the fix was merged. He could have started the exact same "conversation" about BU's competence after a build with the fix had been publicly released and it would not have caused malicious attacks. This was absolutely childish and destructive behavior on Peter Todd's part.

    [–]redlightsaber 16 points (7 children)

    https://twitter.com/el33th4xor/status/841752751432327168

    He seemed to have been monitoring the git for new changes... to try and exploit any fixes before they could make it out to production.

    I love this because on the other sub everyone is shitting on BU, and claiming this as the perfect example for why we should stick with Core forever, without realising a) how fucking disgustingly unethical this was, and b) that that's the exact opposite of where we need to be going. We need multiple implementations and a decent fucking specification. Anything else is insanity when we're talking about a distributed system managing 11bn$.

    [–]ICheckedOut 6 points (5 children)

    Bitcoin Market Cap: $20,147,158,552

    [–]redlightsaber 5 points (4 children)

    Well, I'm a bit outdated. It just outlines my point even more.

    Also, extremely relevant username?

    [–]ICheckedOut 1 point (3 children)

    Also, extremely relevant username?

    You're supposed to say "User Name Checks out." But nobody ever does.

    [–]redlightsaber 7 points (2 children)

    I'm not a dad yet, my pun game is sub-par still, I'm afraid.

    [–]wummm 0 points (0 children)

    There are plenty of implementations. They implement the same consensus rules, though.

    [–]tobixen 5 points (0 children)

    I can see that his first twitter message references the pull request, so yes ... the fix was obviously committed before Todd could reference it.

    [–]Dzuelu 0 points (0 children)

    Just took a look at the repo and the BU fix was submitted on Mar 14, 2017, 11:16 AM EDT, Source here, and Peter Todd's tweet was at 10:30 AM - 14 Mar 2017, Source here. Not sure if there was discussion in private about this but this is what's public that I can find.

    EDIT: Is twitter time stamp not in computers local time? If so I'm wrong.

    [–]RuffledFeathers411 10 points (17 children)

    Can someone ELI5 this for me

    [–]DaSpawn 42 points (6 children)

    a bug was noticed and a fix committed, Core saw the fix and announced the bug for others to attack BU

    multiple development teams ensure a single bug does not take down all of the network

    [–]bitusher -4 points (5 children)

    Core saw the fix and announced the bug for others to attack BU

    The attack started way before Todd's tweet and was due to reckless method in the way this patch was released.

    [–]DaSpawn 2 points (4 children)

    updating a public code repository was required to implement the fix. announcing the fixed vulnerability via twitter was downright intentionally malicious

    my BU node did not restart until an hour after Todd's repeated twitter post on reddit

    [–]wraithstk 1 point (1 child)

    How is announcing a bug fix on twitter any different than announcing it on Github or on this post?

    [–]DaSpawn 0 points (0 children)

    unless people are actively looking for exploitable fixes the majority of people would never know about the fix until it was already not a problem

    this is people looking for problems for the specific purpose of attacking the Bitcoin network the same way the ETH network was attacked after their fork

    [–]bitusher 1 point (1 child)

    updating a public code repository was required to implement the fix.

    No, devs should have private repos; they could have merged the code, issued the binaries, and made a public announcement at the same time. Additionally, they shouldn't have immediately documented the fixing of this vulnerability until most of the users upgraded.

    Completely irresponsible.

    [–]DaSpawn 0 points (0 children)

    unless people are actively looking for exploitable fixes the majority of people would never know about the fix until it was already not a problem

    this is people looking for problems for the specific purpose of attacking the Bitcoin network the same way the ETH network was attacked after their fork

    [–]ABlockInTheChain 27 points (7 children)

    tl;dr: Bitcoin Core "cypherpunks" are terrorists.

    1. BU commits a bug fix to their repository (all software has bugs)
    2. Bitcoin Core developers pounce on the opportunity to unleash the black hat attacks they've been hoarding (their announcement of the public commitment of the bug fix gives them plausible deniability).

    They are sadistically attempting to put BU developers in a no-win situation: If BU devs don't fix any bugs, then the Core terrorists will spread FUD about unfixed bugs. If BU developers do fix bugs, Core terrorists will punish them by exploiting the bugs immediately, as soon as the fixes hit the BU GitHub repository.

    [–]2ndEntropy 2 points (1 child)

    Can confirm, just got home to upgrade my node and it was taken offline. First time it's crashed for me, someone has exploited it...

    [–]redfacedquark 3 points (0 children)

    Ditto with one of mine. The other I'd left off. Now I have two up again on 1.0.1.1, yay!

    [–]moleccc 6 points (1 child)

    Exactly. The defense against bugs like this is implementation diversity.

    [–]LovelyDay 1 point (0 children)

    This.

    And not only running Satoshi-style clients, but a variety of languages and platforms.

    [–]tobixen 4 points (3 children)

    Procedures for dealing with security-related upgrades are probably needed. It's quite normal that security-related bugs are kept under wraps until the bugfix is released, and that the release of the bugfix is announced in advance ("please pay attention - Friday the 13th at 13:00 there will be a security-related release - please stay ready to upgrade your nodes")

    [–]steb2k 1 point (2 children)

    How would you keep fixes in an open source project hidden?

    [–]tobixen 7 points (0 children)

    This is regular practice in many open source projects and linux distributions. Security-related bug reports are not to be reported through the regular, open channels, the bug is discussed in a closed group, the patches are withheld from public scrutiny, there won't be any publicly available pull request on github - and the users are only told "please be prepared that there will be an urgent patch coming at Friday the 13th at 13:00".

    Of course at Friday the 13th at 13:00 the cat will be let out of the bag. Everything should eventually be disclosed for the public. I'm not sure, possibly the disclosure can be done gradually, with fresh binaries coming first, patches later, full discussion of the bug even later and concept-code exercising the bug could be released the very last.

    [–]jokasx 1 point (0 children)

    The term you are looking for is "Responsible disclosure". Used everywhere where software is involved with security, especially with open source. Check things like bounties for open source projects, Project Zero from Google (example: Cloudbleed), how distros handle it, how the kernel handles it, etc.

    https://en.wikipedia.org/wiki/Responsible_disclosure

    [–][deleted] 6 points (0 children)

    Desperate times, desperate measures.

    Peter got to stand on his soap box, while this was corrected, good for him.

    [–]BowlofFrostedFlakes 2 points (21 children)

    Is classic vulnerable to this as well?

    [–]ThomasZander (Thomas Zander - Bitcoin Developer) 20 points (16 children)

    [–]satoshis_sockpuppet 14 points (0 children)

    The beauty of having different implementations! :) We'll see more Classic nodes in the next days I guess.

    [–]BowlofFrostedFlakes 5 points (9 children)

    Thank you, running classic now. Node diversity is always a good thing :)

    [–]bitmegalomaniac -2 points (8 children)

    Node diversity is always a good thing :)

    Interestingly, satoshi said the exact opposite.

    [–]nikize 2 points (7 children)

    Indeed he did, at the time for good reason. To be specific, wasn't it that there should be only one client for as long as possible? But SPV was never implemented in the satoshi client, and then came wallets.

    [–]bitmegalomaniac 0 points (6 children)

    To be specific, wasn't it that there should be only one client for as long as possible? But SPV was never implemented in the satoshi client, and then came wallets.

    Don't rewrite history, his exact words were:

    "I don't believe a second, compatible implementation of Bitcoin will ever be a good idea."

    (emphasis mine)

    [–]nikize 1 point (4 children)

    Indeed, do you have a link to that post at the bitcoin forum as well?

    [–]bitmegalomaniac 0 points (3 children)

    I do:

    https://bitcointalk.org/index.php?topic=195.msg1611#msg1611

    Another nugget from that post:

    ".... a second implementation would be a menace to the network"

    [–]LovelyDay 2 points (0 children)

    which the bcoin guys actually have a sweatshirt of :-)

    [–]nikize 0 points (1 child)

    Let's take the whole thing to get it in context: "I don't believe a second, compatible implementation of Bitcoin will ever be a good idea. So much of the design depends on all nodes getting exactly identical results in lockstep that a second implementation would be a menace to the network."

    Totally agree with the issues in regards to compatibility, but this has since been destroyed by the satoshi client itself; many things have changed which make incompatible changes, so we can even go so far as to say that each version of the client is a "menace" to the previous one; version 0.8 is a great example.

    [–]LovelyDay 0 points (0 children)

    I'm just going to have to get bitcoind to compile for my embedded system...

    [–]aceat64 0 points (3 children)

    You might want to talk to Andrew Stone about why his BUIR implies Classic is also affected.

    [–]ThomasZander (Thomas Zander - Bitcoin Developer) 3 points (2 children)

    I sent him a private message on his slack asking to revise the blog post.

    [–]steb2k 1 point (1 child)

    It's updated now

    [–]aceat64 1 point (0 children)

    It's still implying that other clients were affected though :\ kind of dishonest

    [–]bitusher 0 points (2 children)

    Looks like Classic may also be affected ...

    https://np.reddit.com/r/bitcoin_uncensored/comments/5zfvjq/bitcoin_classic_remote_crash_exploit_poc/

    I would seriously doubt the competence of BU or classic devs

    [–]BowlofFrostedFlakes 0 points (1 child)

    Nope, it has not happened to classic, running it now. Besides there is already a fix for BU.

    [–]muyuu 0 points (0 children)

    There is a separate exploit for classic, apparently.

    [–]dskloet 4 points (0 children)

    We especially need more clients written in languages that aren't unsafe like C/C++.

    [–]________________mane 1 point (0 children)

    Please give a citation for this if possible, thanks.

    [–]yogibreakdance 0 points (0 children)

    There are vulnerabilities in unlimited which have been privately reported to you in Unlimited by Bitcoin Core folks which you have not acted on, sadly. More severe than this one, in fact. :(

    Nullc to thezerg1

    [–]bitusher -3 points (1 child)

    Wow, there are several other bugs reported by Greg M., more serious than this, that have yet to be fixed --

    https://np.reddit.com/r/Bitcoin/comments/5zdp8j/peter_todd_bu_remote_crash_dos_wtf_bug_assert0_in/dexfzuy/

    [–]TanksAblazment -1 points (0 children)

    The thing with Greg M is, his perpetual dishonesty and sliminess in conversation means that no one who talks to him once trusts him twice.

    Some people might like them but Greg and Luke Dashjr and their co. all seem very dishonest and untrustworthy

    [–]0xf3e[S] 37 points (12 children)

    Soon binaries will be published here: https://www.bitcoinunlimited.info/download

    [–]BowlofFrostedFlakes 8 points (1 child)

    Good, will update ASAP.

    [–]zaphod42 0 points (0 children)

    You can always run a classic node while you're waiting for unlimited binaries. Bitcoin Classic isn't affected by the bug. https://bitcoinclassic.com/downloads/index.html

    [–]veroxii 7 points (3 children)

    Can I ask why the assert even got executed? Do you build the binaries in debug mode? Shouldn't production code use NDEBUG to be in release mode... which will disable asserts?

    [–]1BitcoinOrBust 5 points (2 children)

    If you don't compile the assert, you need something else that executes when the specific condition is triggered. For example:

    #include <assert.h>

    int ReadInputFromNetwork(void);   // value chosen by a remote peer
    void DoThis(void), DoThat(void), Process(int);

    void HandleMessage(void) {
      int x = ReadInputFromNetwork();

      if (x == 0) {
        DoThis();
      } else if (x == 1) {
        DoThat();
      } else {
        // Should never happen
        assert(0);
      }

      Process(x);
    }

    If you suppress the assert and do nothing, you end up calling Process() on an invalid value of x, which is dangerous.

    [–]veroxii 3 points (1 child)

    I agree that you need to do something else. It's obviously a bug and that is what the fix does - it adds a return so the execution path doesn't continue.

    However your answer does not really address why binaries are not release builds? Your answer says why in this specific case it was lucky that asserts were executed, but I'm asking more about why it's the general policy?

    [–]jojva 0 points (0 children)

    From what I heard, Bitcoin Core are actually compiling asserts in release.
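The assert pattern argued over in the subthread above, as an added example that is not code from the original post and not from BU or Core: the trusting handler sits beside a hardened one that treats an unexpected value from a peer as invalid input to be rejected, not as an impossibility to be asserted. The one-byte wire format, the `peer` structure with its ban score, the sample message streams and every function name (`read_type`, `penalize`, `handle_trusting`, `handle_hardened`, `run_stream`, the `demo_*` helpers) are assumptions made for this example; the ban score is loosely modelled on the general peer-misbehaviour idea, not on any particular implementation.

```c
/* Added example (not from the original post, BU or Core). All names and the
 * wire format are hypothetical; the message streams are constructed inline. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

enum { MSG_THIS = 0, MSG_THAT = 1 };
enum { HANDLED = 0, REJECTED = -1 };
#define BAN_THRESHOLD 100

struct peer {
    int misbehavior;   /* hypothetical per-peer ban score */
    int banned;
    int this_count;    /* messages that actually reached processing */
    int that_count;
};

/* Constructed wire format: one byte per message, the message type.
 * The remote peer chooses that byte, so it is untrusted by definition. */
static int read_type(const uint8_t *buf, size_t len, uint8_t *out) {
    if (buf == NULL || len < 1) return REJECTED;
    *out = buf[0];
    return HANDLED;
}

static void penalize(struct peer *p, int points) {
    p->misbehavior += points;
    if (p->misbehavior >= BAN_THRESHOLD) p->banned = 1;
}

static int process(struct peer *p, uint8_t x) {
    if (x == MSG_THIS) p->this_count++;
    else if (x == MSG_THAT) p->that_count++;
    else return REJECTED;   /* never reached through the hardened path */
    return HANDLED;
}

/* The pattern from the thread. Any remote peer is one packet away from the
 * third branch: built without NDEBUG the whole node aborts on that packet
 * (remote crash); built with NDEBUG the "impossible" x flows into process().
 * Kept for comparison only and deliberately never called below. */
int handle_trusting(struct peer *p, const uint8_t *buf, size_t len) {
    uint8_t x;
    if (read_type(buf, len, &x) != HANDLED) return REJECTED;
    if (x == MSG_THIS) { /* DoThis */ }
    else if (x == MSG_THAT) { /* DoThat */ }
    else { assert(0); /* reachable from the network */ }
    return process(p, x);
}

/* Hardened form: peer input is never "impossible", only invalid. Reject the
 * message, record the misbehaviour, drop the peer if it keeps doing it, and
 * keep serving everyone else. The check stays in release builds. */
int handle_hardened(struct peer *p, const uint8_t *buf, size_t len) {
    uint8_t x;
    if (p->banned) return REJECTED;
    if (read_type(buf, len, &x) != HANDLED) {
        penalize(p, 10);              /* truncated message: mild penalty */
        return REJECTED;
    }
    switch (x) {
    case MSG_THIS: /* DoThis */ break;
    case MSG_THAT: /* DoThat */ break;
    default:
        penalize(p, BAN_THRESHOLD);   /* unknown type: disconnect, never abort */
        return REJECTED;
    }
    return process(p, x);
}

/* Feed a stream of one-byte messages from one peer through the hardened
 * handler; returns how many were handled. */
int run_stream(struct peer *p, const uint8_t *stream, size_t n) {
    int handled = 0;
    for (size_t i = 0; i < n; i++)
        if (handle_hardened(p, &stream[i], 1) == HANDLED) handled++;
    return handled;
}

/* Scenario helpers over constructed input; each returns 1 on the expected outcome. */
int demo_well_behaved_peer(void) {
    struct peer p = {0, 0, 0, 0};
    const uint8_t stream[] = { MSG_THIS, MSG_THAT, MSG_THAT, MSG_THIS };
    int handled = run_stream(&p, stream, sizeof stream);
    return handled == 4 && p.this_count == 2 && p.that_count == 2 && !p.banned;
}

int demo_malicious_peer(void) {
    struct peer p = {0, 0, 0, 0};
    const uint8_t stream[] = { MSG_THIS, 7, MSG_THAT };   /* 7 is the "impossible" type */
    int handled = run_stream(&p, stream, sizeof stream);
    /* first message handled; the bad one bans the peer; the last is dropped unread */
    return handled == 1 && p.banned && p.misbehavior == BAN_THRESHOLD && p.that_count == 0;
}

int demo_truncated_message(void) {
    struct peer p = {0, 0, 0, 0};
    return handle_hardened(&p, NULL, 0) == REJECTED && p.misbehavior == 10 && !p.banned;
}
```

The point is where the decision lives. `assert()` documents an invariant the program itself guarantees; compiling it out with NDEBUG does not make a network-reachable branch safe, it only changes the failure from an abort of the whole node to silent processing of a bad value. A check on peer input has to stay in the release build and fail closed for that one peer, which is what the hardened handler does and what the fix described in the thread (returning instead of continuing) amounts to.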

    [–]mauline 2 points (2 children)

    Switched to Classic in the mean time.

    I have no words describing how unethical this behavior by /u/petertodd is. It is comparable to the regular DDoS attacks against Classic nodes some time ago.

    This was so unnecessary and stupid. We already have a civil war in the bitcoin community. Now the BU side will cry revenge and next time it might be core nodes that get DDoSed, hacked or whatever. Is this really how we want to treat each other?

    [–]redfacedquark 0 points (0 children)

    Now the BU side will cry revenge

    I don't think we would do anything to jeopardise our current position over a few minutes of downtime of some nodes? The negative PR fallout on BSC will still put us up after this I think.

    [–]ErdoganTalk 0 points (0 children)

    Revenge is not a socially accepted action in this family, so no.

    [–]BowlofFrostedFlakes 1 point (1 child)

    Are the binaries up yet?

    [–]vertisnow 0 points (0 children)

    Are the binaries up yet?

    Yes

    [–]MeowMeNot 0 points (0 children)

    They are up, just updated my nodes

    [–]bitp 22 points (8 children)

    /u/BitcoinXio can you please pin this?

    [–]BowlofFrostedFlakes 12 points (3 children)

    Yes /u/BitcoinXio, please pin this.

    [–]BitcoinIsTehFuture 6 points (2 children)

    Probably a good idea, considering all the nodes that need to upgrade. And not all of them may look at Reddit today.

    [–]tobixen 3 points (0 children)

    Without a working alert system, a BU announcement mailing list that everyone is strongly encouraged to subscribe to is paramount, so it's possible to reach out to node owners.

    [–]AliceWonderMisc 0 points (0 children)

    Hence why Peter Todd did us a service. A lot of them are far more likely now to know they need to.

    [–][deleted] 19 points (5 children)

    BU IS DEAD...oh wait its already fixed

    *come on guys I am being sarcastic

    [–]Zyoman 11 points (0 children)

    it was fixed before Core reported it and made the attack.

    [–]overtmind 7 points (0 children)

    That's because they only knew to attack it because it was fixed

    [–]sreaka 0 points (0 children)

    Yeah, unless the entire network is running BU, and aren't able to update on a whim, yes it's really funny

    [–]BitcoinIsTehFuture 11 points (9 children)

    I am thinking this attack on BU nodes will also drop the BU hashrate temporarily until those mining pools update their software, since they are running nodes too, to mine.

    [–]Rawlsdeep 19 points (5 children)

    I doubt they are allowing inbound connections though. I know if I was a pool operator I would not allow direct access to my mining node over the internet.

    [–]H0dl 6 points (4 children)

    yes, they don't even run Xthins

    [–]Rawlsdeep 3 points (1 child)

    Ah. I didn't realize that. I thought it was beneficial to the miners to run xthin.

    [–]xor_rotate -1 points (1 child)

    Even if they don't run XThins if all 8 of their outgoing peers are BU nodes running XThin then someone can disconnect them from the network.

    [–]H0dl 0 points (0 children)

    Patch is available. These are miners with way more connections than that.

    [–]H0dl 4 points (0 children)

    no, miners don't use Xthins

    [–]satoshis_sockpuppet 4 points (1 child)

    Apparently they don't use Xthin/Compactblocks etc.

    [–]notR1CH 9 points (5 children)

    I do wonder if we need another implementation that just handles block size increase. There's an awful lot of unrelated code in Unlimited that makes review much harder and the quality of the code is also questionable if bugs like this make it through review.

    [–]dj50tonhamster 5 points (0 children)

    There's an awful lot of unrelated code in Unlimited that makes review much harder and the quality of the code is also questionable if bugs like this make it through review.

    That's what a lot of people are missing when they cheer on this hotfix. As best I can tell, most of the code pushed onto GitHub is just handed down from the devs. Sure, there are PRs, but they either don't take outside feedback or, more likely, no one with the proper technical chops cares to review their PRs. (That is, when they're not just plucking whatever they want from Core, which is a fair number of the PRs.) So, de facto, it's the same 3-4 people looking at the code. As they move further and further away from Core, they make it more difficult for people who do want to jump in to do proper reviews. Those who do know what to look for - the Peter Todds and Greg Maxwells and such - have far better things to do with their time than help people who they believe are hazardous to the Bitcoin ecosphere.

    [–]gavinandresen (Gavin Andresen - Bitcoin Dev) 4 points (3 children)

    [–]xhiggy 0 points (0 children)

    Classic is awesome.

    [–]bitusher -1 points (0 children)

    Unfortunately, classic appears to be merging much of BU code so same problem applies.

    [–]notR1CH 0 points (0 children)

    Well my classic node is also segfaulting. Someone really wants to hurt the network right now.

    [–]knight222 15 points (1 child)

    Wow that was quick!

    [–]veroxii 13 points (0 children)

    It was already fixed. Just needed to be put in a release.

    [–]andruman 7 points (0 children)

    Ouch. Plx provide fixed binaries fast. Was it really discovered by BU devs? They could have waited with the source code release until the fixed binaries were ready for grabs on the download page. We need to get more devs on board for BU to prevent such things in the future.

    [–]Dude-Lebowski 6 points (0 children)

    Certainly seems like some bad acting going on by some bad actors.

    [–]peoplma 4 points (2 children)

    No binaries yet? Are they still building?

    [–]BitcoinIsTehFuture 2 points (1 child)

    Are they still building?

    That's my guess.

    If you've ever tried building bitcoin binaries, they take some time!

    [–]moleccc 1 point (0 children)

    not really. roughly 7 minutes here.

    Of course the "official" build process involves quite a bit more complexity and target platforms than my private little "./autogen.sh && ./configure && make -j8" here.

    [–]MeowMeNot 4 points (2 children)

    When will the PPA and Windows installation be updated?

    [–]Rawlsdeep 0 points (1 child)

    Looks like the PPA has been updated. Just upgraded and got 1.0.1.1.

    [–]MeowMeNot 0 points (0 children)

    Yeah, just updated, thanks

    [–]aj0936 7 points (0 children)

    ty for the quick fix

    [–]mohrt 4 points (0 children)

    Patched and up, thanks for the release!

    [–]gheymos 2 points (0 children)

    But I thought the world was coming to an end? at least thats what the parrot-chamber is saying.

    [–]greatwolf 2 points (0 children)

    There's a py script published in pastebin that executes this exploit: http://pastebin.com/xsZEnZJ3

    [–]xbt_newbie 5 points (1 child)

    Please big pool operators, contribute some funding to the BU developer team. We need to help each other!

    [–]sandakersmann 1 point (0 children)

    This is how you build the hotfix on Linux:

    set -e
    git clone https://github.com/BitcoinUnlimited/BitcoinUnlimited.git
    cd BitcoinUnlimited
    BITCOIN_ROOT=$(pwd)

    # Build a private, statically linked Berkeley DB 4.8 (wallet compatibility);
    # sha256sum -c aborts the script if the tarball does not match.
    BDB_PREFIX="${BITCOIN_ROOT}/db4"
    mkdir -p "$BDB_PREFIX"
    wget 'http://download.oracle.com/berkeley-db/db-4.8.30.NC.tar.gz'
    echo '12edc0df75bf9abd7f82f821795bcee50f42cb2e5f76a6a281b85732798364ef  db-4.8.30.NC.tar.gz' | sha256sum -c
    tar -xzvf db-4.8.30.NC.tar.gz
    cd db-4.8.30.NC/build_unix/
    ../dist/configure --enable-cxx --disable-shared --with-pic --prefix="$BDB_PREFIX"
    make install

    # Build BU from the release branch against that DB
    cd "$BITCOIN_ROOT"
    git checkout release
    ./autogen.sh
    ./configure LDFLAGS="-L${BDB_PREFIX}/lib/" CPPFLAGS="-I${BDB_PREFIX}/include/"
    make

    bitcoin-qt will end up in the src/qt folder.

    [–]utu_ 1 point (0 children)

    how do I install this?

    [–]moYouKnow 1 point (0 children)

    Is it just me or has this not made it into the official compiled releases yet? They still have 1.0.1 on their website.

    [–]MorgUK 0 points (2 children)

    Weird how this thread was bumped above the main bug thread, even though it has less votes and comments.

    [–]combatopera 0 points (1 child)

    Not weird, threads are sorted by hot and this one is "hotter"

    [–]4axioms 0 points (1 child)

    I'm curious, has there been any indication when binaries of BU 1.0.1.1 will be available?

    [–]4axioms 0 points (0 children)

    Never-mind...it looks like the binaries have just been released.

    [–]mohrt 0 points (0 children)

    I used apt-get to update, its working:

    # do this first if you don't already have the repo in your list
    #sudo add-apt-repository ppa:bitcoin-unlimited/bu-ppa
    sudo apt-get update
    sudo apt-get install bitcoind
    bitcoind
    

    [–]ErdoganTalk 0 points (0 children)

    Great, had to restart my node 3 times tonight. So thanks for the fix.

    [–]537311 0 points (0 children)

    there you go... baby steps

    [–]heffer2k 0 points (2 children)

    My upgraded BU node keeps randomly segfaulting... Running core seems fine.

    [–]heffer2k 1 point (0 children)

    My bad, I'm running 1.0.1 as this doesn't seem to have made it into official release. I'd sort this out fast.

    [–]undystains 0 points (0 children)

    Yeesh. Does BU even review their code?

    [–]GoneUp 0 points (0 children)

    Oh wow. So many things went wrong.
    - The assert should never have made it into the code. (more review..)
    - The fix shouldn't have been public (did they understand what they actually fixed?)
    - Core shouldn't promote an active vulnerability (Unethical..)

    [–]FjorXD 0 points (0 children)

    Can someone tell me where I can buy cloud BU or classic nodes? Or a BU node donation address? (expensive electricity where I live).

    I have been subbed to both /r/btc and /r/bitcoin for quite some time. But reading /r/bitcoin right now gives me eye cancer. On a normal day it's all about the bitcoin price and now they are literally attacking the bitcoin community. Shame. Either they lack a basic economic understanding or haven't realized that BU/Classic supporters won't stay with core. I for one won't pay several dollars for a transaction - even my bank is cheaper than the current recommended fee. Why limit bitcoin.. If anyone can answer my first question I will happily pay for a handful of nodes.

    [–]bigslimvdub 0 points (0 children)

    Cool.

    Another /r/bitcoin vs /r/btc thread

    People going to exploit when they can exploit.

    [–]bigslimvdub 0 points (0 children)

    Just out of curiosity, because I don't mine (yet), don't BU and Core have programs set up to pay people to check their software for bugs before release, like major software companies, so shit like this doesn't happen?

    Or are the developers in the mindset that their software is immaculate because they made it?

    [–]bitusher -3 points (2 children)

    Can you imagine what would happen to investor confidence and the price of bitcoin if the BU fork had gone through and most were running BU nodes when this happened? This would be Mtgox levels of embarrassment!

    It is a good thing most serious businesses don't trust BU nodes.

    [–]DavidMc0 1 point (1 child)

    I don't know if I can expect a balanced answer, but out of interest, what might have happened?

    Would all BU nodes have crashed, leaving only other nodes on the network until a fix was applied? What impact would that have had on the network if, say 60%, of network nodes all crashed at once?

    Would it be likely that the bug would have remained unfixed for so long with a significantly more well resourced dev team, which you'd need to assume if BU were the majority client?

    [–]bitusher 4 points (0 children)

    What impact would that have had on the network if, say 60%, of network nodes all crashed at once?

    The minimum that would happen is horrible PR, all over mainstream news, price crash, lack of confidence in bitcoin that would last years much like Mtgox or perhaps worse.

    If this attack was combined with other attacks like malicious sybil nodes remaining to steal funds from IBD clients coming online, then funds could be stolen. If miners were using this BU code then real money would be lost on crashed nodes.

    Would it be likely that the bug would have remained unfixed for so long with a significantly more well resourced dev team, which you'd need to assume if BU were the majority client?

    One cannot assume this because the whole BU project has a culture that doesn't think security is paramount, otherwise they wouldn't release code without proper testing and peer review, they wouldn't be promoting code that has worse unpatched vulnerabilities than this, and they wouldn't be suggesting "just trust the miners as they would never attack bitcoin". Even the activation of BU is done in the most reckless and insecure manner...

    https://np.reddit.com/r/Bitcoin/comments/5z6d56/a_summary_of_bitcoin_unlimiteds_critical_problems/