BitShares Forum

Main => General Discussion => Topic started by: btswildpig on December 29, 2016, 07:43:03 am

Title: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: btswildpig on December 29, 2016, 07:43:03 am
669 issues in the main program (most medium danger level).
21 issues in bitshares-2-ui

Though it's a static code issue check.

Dogecoin with 282 issues.
EthereumJ 127 issues (most are high danger issues).
Ripple with 230 high danger issues.
BitShares 0.x version: 1261 issues
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: xeroc on December 29, 2016, 08:30:01 am
Any details? Links? What are the concrete issues? What kind of issues have been found?
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: svk on December 29, 2016, 08:57:45 am
Any way for us to know what the actual issues were so they can be worked through and fixed?
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: btswildpig on December 29, 2016, 08:59:16 am
Any details? Links? What are the concrete issues? What kind of issues have been found?

In Chinese, not usable for English users.

They did not publish detailed info, just the number of issues.

It did say that issues in an individual piece of code are not necessarily bugs, because issues in some lines of code may not be an issue in the whole program's operation due to platform limitations, OS limitations, etc.

The detection tool uses standard methods to check for issues with API abuse, Memory Management, Time and State, Encapsulation, input processing, etc.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: nmywn on December 29, 2016, 12:17:38 pm
What about contacting that agency and asking them for more data? There is a slight chance that they won't want money for that.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: infovortice2013 on December 29, 2016, 02:17:20 pm
BTS needs this kind of security check. If it can solve all the issues, BTS will win a gold medal.

When BTS has collected some medals, maybe someone will have enough security to deposit his money into BTS.

Just devs saying BTS is more secure than whatever isn't enough for investors to use it.

Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: mike623317 on December 29, 2016, 06:22:08 pm

Is there a link to this? I can't find anything on Google.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: abit on December 29, 2016, 06:38:21 pm
Link for report download:
http://lab.cert.org.cn/download/2016%E5%B9%B4%E5%BC%80%E6%BA%90%E9%A1%B9%E7%9B%AE%E7%AC%AC%E4%B8%89%E5%AD%A3%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E6%8A%A5%E5%91%8A.pdf

//Edit: I think it's best if we can get the detailed risk list, perhaps request from them via a @bitshares.org email address. @xeroc ?
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: mike623317 on December 29, 2016, 07:40:23 pm
Link for report download:
http://lab.cert.org.cn/download/2016%E5%B9%B4%E5%BC%80%E6%BA%90%E9%A1%B9%E7%9B%AE%E7%AC%AC%E4%B8%89%E5%AD%A3%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E6%8A%A5%E5%91%8A.pdf

//Edit: I think it's best if we can get the detailed risk list, perhaps request from them via a @bitshares.org email address. @xeroc ?

Thank you Abit.

That's a good suggestion, to email them directly from a BitShares email address to get a list of what they consider vulnerabilities. We should do that and see if they reply.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: Chris4210 on December 29, 2016, 08:48:08 pm
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: mike623317 on December 30, 2016, 05:40:16 am
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

Thanks Chris.  +5%
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: abit on December 30, 2016, 06:07:58 am
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.
IMHO that agency IS something. They do have reasons to not reveal the details to the public.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: btswildpig on December 30, 2016, 06:19:45 am
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

National Computer Network Emergency Response Technical Team/Coordination Center of China
1. Brief Introduction
The National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC) was founded in September 2002. It is a non-governmental non-profit cybersecurity technical center and the key coordination team for China's cybersecurity emergency response community. As a national CERT, CNCERT strives to improve the nation's cybersecurity posture and protect critical infrastructure cybersecurity. CNCERT leads efforts to prevent, detect, warn of and coordinate cybersecurity threats and incidents, according to the guideline of "proactive prevention, timely detection, prompt response and maximized recovery".
CNCERT has branches and offices in 31 provinces, autonomous regions and municipalities across mainland China. As the key coordination organization of China's cybersecurity emergency response system, CNCERT organizes enterprises, schools, non-governmental groups and research institutes that are specialized in cybersecurity and coordinates ISPs, domain name registrars and other emergency response organizations in a joint effort to build the cybersecurity emergency response system of China and handle major cyber security incidents.
As an important non-governmental organization to assist in the cross-border handling of cyber security incidents, CNCERT actively carries out international cooperation in cybersecurity and is committed to establishing a mechanism of prompt response and coordinated handling for cross-border cybersecurity incidents. CNCERT is a member of the world-renowned Forum of Incident Response and Security Teams (FIRST) and one of the founders of the Asia Pacific Computer Emergency Response Team (APCERT). As of 2015, CNCERT has established the "CNCERT International Cooperation Partnership" with 165 organizations in 66 nations and regions.

2. Mission Statement
Incident Detection: Leveraging its cybersecurity detection platform, CNCERT performs proactive detection of security incidents for critical infrastructure. It also discovers cybersecurity threats and incidents by sharing data and information with domestic and foreign partners and by receiving cyber security incident reports from domestic and foreign customers through hotline, fax, email and website.
Early Warning: By making comprehensive analysis of big data and acquiring information from multiple channels, CNCERT can warn of cybersecurity threats, report cybersecurity incidents and analyze the cybersecurity posture. It provides customers with such services as information on the cybersecurity situation and sharing of cybersecurity technology and information.
Emergency Response: If incidents of serious threat are proactively discovered or received, CNCERT will respond in a timely manner and actively coordinate the handling. Priorities include incidents that affect Internet operation security, affect a large scope of Internet users, involve key government departments and critical infrastructure, cause major consequences or user complaints, as well as all kinds of cybersecurity incidents reported by national emergency response organizations of foreign countries.
Security Evaluation: As a professional organization of cybersecurity evaluation, CNCERT provides security testing services for government departments, public institutions and enterprises guided by the principle of "supporting the regulatory, serving the society" and through scientific methods, standard procedures, impartial attitude, independent judgment and relative standards.

3. Incident Handling Procedures
Report: CNCERT has set up a 24/7 mechanism to accept reports of cybersecurity incidents. Both domestic and foreign users can report an incident to CNCERT in the following ways: website, email, hotline and fax.
- Website: http://www.cert.org.cn/
- Email: cncert@cert.org.cn
- Hotline: +8610 82990999, 82991000(EN)
- Fax: +8610 82990399
Acceptance: Cybersecurity incidents undertaken by CNCERT mainly include the following types: malware, defacement, backdoor, phishing, vulnerability, information destruction, denial of service attack, abnormal domain, router hijacking, unauthorized access, spam, mixed cyber security incidents and other cyber security incidents.
Handling: After confirming that the incident is true by sufficient evidence, CNCERT will perform emergency handling based on the prompt response mechanism which it has established with domestic and foreign ISPs, domain name registrars and cybersecurity service vendors.
Feedback: When each of the three steps above - report, acceptance and handling - is completed, CNCERT will provide feedback to the reporter, including receipt of the report, whether it is accepted and for what reason, and the handling results.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: abit on January 09, 2017, 10:48:33 pm
OK, we got the detailed report.

Here is some progress after doing some investigation:

* Among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely.
** The other one looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussions.

* Among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: 天籁 on January 10, 2017, 02:35:32 am
OK, we got the detailed report.

Here is some progress after doing some investigation:

* Among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely.
** The other one looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussions.

* Among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.
+5%
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: freedom on January 10, 2017, 02:52:29 am
thx bitcrab
More details: http://titigoo.com/downloads/bitshares-2.rar
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: Chris4210 on January 10, 2017, 12:39:23 pm
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

National Computer Network Emergency Response Technical Team/Coordination Center of China
1. Brief Introduction
The National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC) was founded in September 2002. It is a non-governmental non-profit cybersecurity technical center and the key coordination team for China's cybersecurity emergency response community. As a national CERT, CNCERT strives to improve the nation's cybersecurity posture and protect critical infrastructure cybersecurity. CNCERT leads efforts to prevent, detect, warn of and coordinate cybersecurity threats and incidents, according to the guideline of "proactive prevention, timely detection, prompt response and maximized recovery".
CNCERT has branches and offices in 31 provinces, autonomous regions and municipalities across mainland China. As the key coordination organization of China's cybersecurity emergency response system, CNCERT organizes enterprises, schools, non-governmental groups and research institutes that are specialized in cybersecurity and coordinates ISPs, domain name registrars and other emergency response organizations in a joint effort to build the cybersecurity emergency response system of China and handle major cyber security incidents.
As an important non-governmental organization to assist in the cross-border handling of cyber security incidents, CNCERT actively carries out international cooperation in cybersecurity and is committed to establishing a mechanism of prompt response and coordinated handling for cross-border cybersecurity incidents. CNCERT is a member of the world-renowned Forum of Incident Response and Security Teams (FIRST) and one of the founders of the Asia Pacific Computer Emergency Response Team (APCERT). As of 2015, CNCERT has established the "CNCERT International Cooperation Partnership" with 165 organizations in 66 nations and regions.

2. Mission Statement
Incident Detection: Leveraging its cybersecurity detection platform, CNCERT performs proactive detection of security incidents for critical infrastructure. It also discovers cybersecurity threats and incidents by sharing data and information with domestic and foreign partners and by receiving cyber security incident reports from domestic and foreign customers through hotline, fax, email and website.
Early Warning: By making comprehensive analysis of big data and acquiring information from multiple channels, CNCERT can warn of cybersecurity threats, report cybersecurity incidents and analyze the cybersecurity posture. It provides customers with such services as information on the cybersecurity situation and sharing of cybersecurity technology and information.
Emergency Response: If incidents of serious threat are proactively discovered or received, CNCERT will respond in a timely manner and actively coordinate the handling. Priorities include incidents that affect Internet operation security, affect a large scope of Internet users, involve key government departments and critical infrastructure, cause major consequences or user complaints, as well as all kinds of cybersecurity incidents reported by national emergency response organizations of foreign countries.
Security Evaluation: As a professional organization of cybersecurity evaluation, CNCERT provides security testing services for government departments, public institutions and enterprises guided by the principle of "supporting the regulatory, serving the society" and through scientific methods, standard procedures, impartial attitude, independent judgment and relative standards.

3. Incident Handling Procedures
Report: CNCERT has set up a 24/7 mechanism to accept reports of cybersecurity incidents. Both domestic and foreign users can report an incident to CNCERT in the following ways: website, email, hotline and fax.
- Website: http://www.cert.org.cn/
- Email: cncert@cert.org.cn
- Hotline: +8610 82990999, 82991000(EN)
- Fax: +8610 82990399
Acceptance: Cybersecurity incidents undertaken by CNCERT mainly include the following types: malware, defacement, backdoor, phishing, vulnerability, information destruction, denial of service attack, abnormal domain, router hijacking, unauthorized access, spam, mixed cyber security incidents and other cyber security incidents.
Handling: After confirming that the incident is true by sufficient evidence, CNCERT will perform emergency handling based on the prompt response mechanism which it has established with domestic and foreign ISPs, domain name registrars and cybersecurity service vendors.
Feedback: When each of the three steps above - report, acceptance and handling - is completed, CNCERT will provide feedback to the reporter, including receipt of the report, whether it is accepted and for what reason, and the handling results.

Ok great, thanks for pointing that out. It is good to know that they analyzed our code base. Maybe they found some valuable information for us? Thanks to Bitcrab for collecting the full report!

Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: abit on January 10, 2017, 07:41:03 pm
OK, we got the detailed report.

Here is some progress after doing some investigation:

* Among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely.
** The other one looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussions.

* Among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.

Update:
The one high-risk issue is confirmed; we're evaluating its impact (whether/how it can be used to attack the system).
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: mike623317 on January 11, 2017, 05:44:59 am
OK, we got the detailed report.

Here is some progress after doing some investigation:

* Among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely.
** The other one looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussions.

* Among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.

Update:
The one high-risk issue is confirmed; we're evaluating its impact (whether/how it can be used to attack the system).

Good job abit +5% +5%
Thanks for looking in to this.
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: xeroc on January 11, 2017, 09:57:33 am
OK, we got the detailed report.

Here is some progress after doing some investigation:

* Among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely.
** The other one looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussions.

* Among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.

+5%
Title: Re: BTS 2.0 was detected with 669 code securities issues by China research agency
Post by: CLains on January 12, 2017, 02:35:56 am
OK, we got the detailed report.

Here is some progress after doing some investigation:

* Among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely.
** The other one looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussions.

* Among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.

+5%
+5%