Date: Wed, 27 Mar 2024 18:04:46 +0000
From: Peter Todd <pete@petertodd.org>
To: "David A. Harding" <dave@dtrt.org>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
Message-ID: <ZgRfvrYatcpqPNRn@petertodd.org>
References: <f7fbeb4f58904fc5a24b6fc2d829036c@dtrt.org>
In-Reply-To: <f7fbeb4f58904fc5a24b6fc2d829036c@dtrt.org>
On Wed, Mar 27, 2024 at 07:18:08AM -1000, David A. Harding wrote:
> On 2024-03-27 02:10, Peter Todd wrote:
> > On Tue, Mar 26, 2024 at 08:36:45AM -1000, David A. Harding wrote:
> > > Could you tell us more about the disclosure process you followed?
> >
> > see attached.
>
> Do I correctly infer from this that you privately reported the attack on
> Thursday around 15:46 UTC, didn't receive any replies in four days
> (including a weekend), and published the attack on Monday at 13:21 UTC?
>
> That's a very short timeline to use for going public due to not receiving a
> response. I think it's typical to give triage at least 30 days to respond,
> often while also prompting them additional times for a response if
> necessary.

I'm on the bitcoin-security mailing list. Every single plausible issue that has
been raised in the past few years has gotten a response within two days. A few
days is plenty of time to at least respond with a simple "give us more time" if
needed.

Secondly, I was able to verify independently that the relevant people had seen
the email and weren't planning on replying. Which isn't surprising. It's just
another way to perform an obvious, well known, class of attack.

Anyway, I think the lesson to be learned here is I'd have been better off not
disclosing to bitcoin-security first. You're just harassing me here; I highly
suspect you'd have said nothing at all if I hadn't brought up disclosure.

--
https://petertodd.org 'peter'[:-1]@petertodd.org
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZgRfvrYatcpqPNRn%40petertodd.org.