Topic: BTS 2.0 was detected with 669 code security issues by China research agency

Offline btswildpig

  • Hero Member
669 issues in the main program (most at medium danger level).
21 issues in bitshares-2-ui.

Though it's a static code issue check.

dogecoin: 282 issues.
EthereumJ: 127 issues (most are high danger issues).
Ripple: 230 high danger issues.
BitShares 0.x version: 1261 issues.
« Last Edit: December 29, 2016, 07:48:47 am by btswildpig »
This is my personal account; anything I say with this account is my opinion alone and has nothing to do with any group.

Offline xeroc

  • Board Moderator
  • Hero Member
  • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Any details? Links? What are the concrete issues? What kind of issues have been found?
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline svk

Any way for us to know what the actual issues were so they can be worked through and fixed?
Worker: dev.bitsharesblocks

Offline btswildpig

  • Hero Member
Any details? Links? What are the concrete issues? What kind of issues have been found?

In Chinese, not usable for English users.

It did not publish detailed info, just the number of issues.

It did say that issues in an individual piece of code are not necessarily bugs, because issues in some lines of code may not be an issue in the whole program's operation, due to platform limitations, OS limitations, etc.

The detection tool uses standard methods to check for issues with API abuse, memory management, time and state, encapsulation, input processing...
« Last Edit: December 29, 2016, 09:02:39 am by btswildpig »

Offline nmywn

  • Sr. Member
What about contacting that agency and asking them for more data? There is a slight chance that they won't want money for that.

Offline infovortice2013

  • Board Moderator
  • Hero Member
  • BitShares: traderx
BTS needs this kind of security check; if it can solve all the issues, BTS will win a gold medal.

When BTS has collected some medals, maybe someone will have enough security to deposit his money into BTS.

Just devs saying BTS is moar secure than whatever doesn't look like enough for investors to use it.


Offline mike623317

  • Hero Member

Is there a link to this? I can't find anything on Google.

Offline abit

  • Committee member
  • Hero Member
  • BitShares: abit
  • GitHub: abitmore
Link for report download:
link

//Edit: I think it's best if we can get the detailed risk list, perhaps request it from them via a bitshares.org email address. @xeroc?
« Last Edit: December 29, 2016, 06:53:52 pm by abit »
BTS account: abit
BTS committee member: abit
BTS witness: in.abit

Offline mike623317

  • Hero Member
Link for report download:
link

//Edit: I think it's best if we can get the detailed risk list, perhaps request it from them via a bitshares.org email address. @xeroc?

Thank you Abit.

That's a good suggestion, to email them directly from a BitShares email address to get a list of what they consider vulnerabilities. We should do that and see if they reply.

Offline Chris4210

  • Sr. Member
  • BitShares: chris4210
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

Vote Chris4210 for Committee Member http://bit.ly/1WKC03B! | www.Payger.com - Payments + Messenger | www.BitShareshub.io - Community based fanpage for the BitShares Blockchain

Offline mike623317

  • Hero Member
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

Thanks Chris.  +5%

Offline abit

  • Committee member
  • Hero Member
  • BitShares: abit
  • GitHub: abitmore
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.
IMHO that agency IS something. They do have reasons not to reveal the details to the public.

Offline btswildpig

  • Hero Member
This topic has been discussed in the Telegram channel and mainly debunked. The source "China research agency" is not a credible source. The report also does not mention any details about the security issues, how the code was tested and what really was found.

National Computer Network Emergency Response Technical Team/Coordination Center of China
1. Brief Introduction
The National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC) was founded in September 2002. It is a non-governmental, non-profit cybersecurity technical center and the key coordination team for China's cybersecurity emergency response community. As a national CERT, CNCERT strives to improve the nation's cybersecurity posture and protect the cybersecurity of critical infrastructure. CNCERT leads efforts to prevent, detect, warn of and coordinate cybersecurity threats and incidents, according to the guideline of "proactive prevention, timely detection, prompt response and maximized recovery".
CNCERT has branches and offices in 31 provinces, autonomous regions and municipalities across mainland China. As the key coordination organization of China's cybersecurity emergency response system, CNCERT organizes enterprises, schools, non-governmental groups and research institutes that specialize in cybersecurity, and coordinates ISPs, domain name registrars and other emergency response organizations in a joint effort to build the cybersecurity emergency response system of China and handle major cybersecurity incidents.
As an important non-governmental organization assisting in the cross-border handling of cybersecurity incidents, CNCERT actively carries out international cooperation in cybersecurity and is committed to establishing a mechanism of prompt response and coordinated handling for cross-border cybersecurity incidents. CNCERT is a member of the world-renowned Forum of Incident Response and Security Teams (FIRST) and one of the founders of the Asia Pacific Computer Emergency Response Team (APCERT). As of 2015, CNCERT has established the "CNCERT International Cooperation Partnership" with 165 organizations in 66 nations and regions.

2. Mission Statement
Incident Detection: Leveraging its cybersecurity detection platform, CNCERT performs proactive detection of security incidents for critical infrastructure. It also discovers cybersecurity threats and incidents by sharing data and information with domestic and foreign partners, and by receiving cybersecurity incident reports from domestic and foreign customers through hotline, fax, email and website.
Early Warning: By making comprehensive analysis of big data and acquiring information from multiple channels, CNCERT can warn of cybersecurity threats, report cybersecurity incidents and analyze the cybersecurity posture. It provides customers with services such as information on the cybersecurity situation and the sharing of cybersecurity technology and information.
Emergency Response: If incidents of serious threat are proactively discovered or reported, CNCERT will respond in a timely manner and actively coordinate the handling. Priorities include incidents that affect Internet operation security, affect a large scope of Internet users, involve key government departments and critical infrastructure, cause major consequences or user complaints, as well as all kinds of cybersecurity incidents reported by the national emergency response organizations of foreign countries.
Security Evaluation: As a professional cybersecurity evaluation organization, CNCERT provides security testing services for government departments, public institutions and enterprises, guided by the principle of "supporting the regulator, serving the society" and through scientific methods, standard procedures, an impartial attitude, independent judgment and relevant standards.

3. Incident Handling Procedures
Report: CNCERT has set up a 24*7 mechanism to accept reports of cybersecurity incidents. Both domestic and foreign users can report an incident to CNCERT in the following ways: website, email, hotline and fax.
  • Website: http://www.cert.org.cn/
  • Email: [email protected]
  • Hotline: +8610 82990999, 82991000 (EN)
  • Fax: +8610 82990399
Acceptance: Cybersecurity incidents handled by CNCERT mainly include the following types: malware, defacement, backdoor, phishing, vulnerability, information destruction, denial of service attack, abnormal domain, router hijacking, unauthorized access, spam, mixed cybersecurity incidents and other cybersecurity incidents.
Handling: After confirming that the incident is genuine with sufficient evidence, CNCERT will perform emergency handling based on the prompt response mechanism it has established with domestic and foreign ISPs, domain name registrars and cybersecurity service vendors.
Feedback: When each of the three steps above (report, acceptance and handling) is completed, CNCERT will provide feedback to the reporter, including receipt of the report, whether it is accepted and for what reason, and the handling results.

Offline abit

  • Committee member
  • Hero Member
  • BitShares: abit
  • GitHub: abitmore
OK, we got the detailed report.

Here is some progress after doing some investigation:

* among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely
** the other 1 looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussion.

* among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.

Offline 天籁

  • Hero Member
OK, we got the detailed report.

Here is some progress after doing some investigation:

* among the 4 high-risk issues:
** 3 are related to udt4, which I believe is not being used in the code, so it's safe to ignore or remove the code entirely
** the other 1 looks like a false positive. We're in contact with the "agency", waiting for a confirmation or more discussion.

* among the moderate-risk issues: I checked some of them and found that we do have some issues in the code, but no critical ones have been found so far.
+5%