Here is a summary of the attack on the BU nodes:
These guys moved fast. It went like this:
- BU devs found a bug in the code, and the fix was committed on Github.
- Only about 1 hour later, Peter Todd sees that BU devs found this bug. (Peter Todd did not find this bug himself).
- Peter Todd posts this exploit vulnerability on Twitter, and all BU nodes immediately get attacked.
- r/bitcoin moderators, in coordination, then ban all mentions of the hotfix, which was available almost right away.
- r/bitcoin then relentlessly slanders BU, using the bug found by the BU devs, as proof that they are incompetent. Only mentions of how bad BU is are allowed to remain.
The BU nodes are part of the Bitcoin network and currently pose no danger; rather, they support the network just like every Core node does. An attack on these nodes is an attack on Bitcoin. I find the censorship of the hotfix just as reprehensible as the attack itself.
This has reached the lowest level by now.
That contradicts this report:
When contacting Bitcoin Magazine on Monday, Gardner did not immediately want to make the vulnerabilities public. That would have been irresponsible, she explained, as the bugs could still be exploited before the Bitcoin Unlimited development team had the chance to fix it.
But she did also submit the vulnerabilities to Mitre's Common Vulnerabilities and Exposures (CVE) database. This ensures that Mitre discloses the bugs in one month from now, which pressures the developers to actually fix the problem in time.
However, even following this responsible disclosure, Gardner thought there was a risk that the vulnerabilities would be abused as soon as they were fixed in the Bitcoin Unlimited code repository. After all, at that point the problem isn't really solved: anyone running the released Bitcoin Unlimited software is still vulnerable until they download and run the new, revised version. This opens a window for attackers.
The problem is, the bugs are so glaringly obvious that when fixing it, it will be easy to notice for anyone watching their development process, she said.
It now appears that is exactly what has happened. While the Bitcoin Unlimited developers did indeed fix the issue shortly after it was pointed out to them, they did so with far too conspicuous a GitHub commit message, Gardner told Bitcoin Magazine once it appeared the bugs seemed fixed and before the attacks began.
Their commit message does ring alarm bells. I'm not sure if anyone will notice, but they probably should have obfuscated the message a bit more. The wording might attract closer scrutiny. But if it went unnoticed for this long, maybe it will go unnoticed.
Clearly, it did not.
As Gardner warned, it didn't take long for attackers to exploit one of the vulnerabilities: the first attacks happened shortly after the bugs were fixed. A little later, user shinobimonkey took the issue to Reddit, Bitcoin Core developer Peter Todd tweeted about the bug and social media blew up.
https://bitcoinmagazine.com/articles/security-researcher-found-bug-knocked-out-bitcoin-unlimited/?utm_content=buffer6e884&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
BU and parts of the BU community on r/btc don't look good here, if the report is accurate.