
RE: EOS BP Security Statement

in #eos · 7 years ago

The eosio::net_api_plugin was made optional for this very reason. No producer or public endpoint should be running with this plugin and it is a simple config file change.

I feel like the intro to this post is an overly alarmist way to support an otherwise worthwhile effort at securing block producing nodes.
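The "simple config file change" above amounts to not listing the plugin in the node's config. The following is an added example for this thread, not code from EOSIO or from any of the posters: a small audit script that reads a nodeos-style config.ini (assumed syntax: repeated `plugin = eosio::xxx_plugin` lines and an `http-server-address = host:port` option), flags `eosio::net_api_plugin` if it is enabled, and also flags any `*_api_plugin` that is being served on a non-loopback address. The two sample configs inside it are constructed for illustration.

```python
"""Audit a nodeos-style config.ini for API plugins a producer node should not expose.

Added example for this thread; not EOSIO code. Assumes the config.ini syntax
'plugin = eosio::xxx_plugin' and 'http-server-address = host:port', and that
IPv6 hosts are written in brackets ('[::1]:8888').
"""
import ipaddress

# Constructed sample: a producer node with the peer-control API left enabled
# and the HTTP server bound to every interface.
BAD_CONFIG = """
plugin = eosio::chain_plugin
plugin = eosio::producer_plugin
plugin = eosio::net_plugin
plugin = eosio::net_api_plugin   # should not be here on a producer
http-server-address = 0.0.0.0:8888
p2p-listen-endpoint = 0.0.0.0:9876
"""

# Constructed sample: same node with the API plugin removed and HTTP on loopback.
GOOD_CONFIG = """
plugin = eosio::chain_plugin
plugin = eosio::producer_plugin
plugin = eosio::net_plugin
http-server-address = 127.0.0.1:8888
p2p-listen-endpoint = 0.0.0.0:9876
"""


def parse_config(text):
    """Return (plugins, options) from config.ini text.

    'plugin' may repeat, so it is collected into a list; every other key is
    kept in a dict. '#' starts a comment, blank lines are ignored.
    """
    plugins, options = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "plugin":
            plugins.append(value)
        else:
            options[key] = value
    return plugins, options


def is_public_bind(addr):
    """True if 'host:port' binds anything other than a loopback address.

    A hostname that is not 'localhost' is treated as public (assumption: we
    cannot resolve it offline, so err on the side of flagging it).
    """
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    if host in ("", "localhost"):
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def audit(text):
    """Return a list of findings for a producer/non-public node config."""
    plugins, options = parse_config(text)
    findings = []
    if "eosio::net_api_plugin" in plugins:
        findings.append(
            "eosio::net_api_plugin is enabled; remove the "
            "'plugin = eosio::net_api_plugin' line"
        )
    api_plugins = [p for p in plugins if p.endswith("_api_plugin")]
    http = options.get("http-server-address")
    if api_plugins and http and is_public_bind(http):
        findings.append(
            f"API plugins {api_plugins} are served on non-loopback address {http}"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run against a real config.ini by reading the file into `audit()`; an empty list means neither check fired. The script only inspects the config, it does not probe the running node.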


I feel like the intro to this post is overly alarmist

Yeah, especially since all those are pretty much basic and obvious do's and don'ts (don't run plugins you don't need on a witness node, do not expose an API to the public that you don't want to be public, etc., etc. :-) ) and everyone who is familiar with this family of blockchains already knows that.
Well, at least those running for the office should ;-)
(no, I'm not, too busy with Steem)

We are sorry you feel that way @gtg

The effort was honest and others in the Trinity group are saying it isn't resolved this easily. Let's let the dust settle and see how these groups resolve this issue before discounting anyone's work on strengthening the EOS network.

We have tried to explain the problems and suggest solutions in public and private Telegram chat rooms for over two months.

To add to the points of @dan and @gtg, just curious why the public disclosure was not made a little earlier, since you are considering the plugin bug a serious issue?

Personally I think the answer for this post is

RTFM.

Aside from the BOOT BIOS group not being able to stand up the chain after 3-4 days, there were still dependencies required for the plugin in question to work.

From my observations, a lot of politics and back-channeling was done to dissuade people just like you; that's all that happened.

Same exact stuff that happens at big companies when IT tries to communicate this stuff. No one listens and then when there is any disclosure it's met with this type of tribalism because no one wants to take blame.

Now these guys are the people launching the chain in case you didn't know. Doh!

All I was saying was that we should be as transparent as possible. I am not mad about EOS or any project as such, but I support FOSS and free knowledge sharing. So all I meant to say is that any vulnerability, after giving reasonable time for the developers/companies to fix it, should be released to the public. In this case, since there is no production network even now, your disclosure was pretty much on time. When you posted, I was under the impression that the methods and procedures for the Ethereum snapshot, validation and deciding on the initial token supply and main net launch were all tested and frozen, and that the staging network which will be used for performance and pen testing would be ready in less than 24 hours. I was not aware that these procedures are just getting planned or tested. In a nutshell, since you sounded like the production mainnet was just 2 or 3 days away from the date of publication of this post, I said it could have been done earlier. That's all.

Sorry guys but eat some humble pie on all the judgments that some put on this group for trying to bring all this up prior to the launch. No one listened.

Now here we are 2-3 days later and BOOT BIOS didn't deliver. All that hype. All that political BS, pomp and circumstance, etc... and in the end, they fell flat on their face.

Funny the difference that just a few days makes. ;)

In the end, the very people you put in question ended up being the talent that will launch the chain.

Are you aware of the Ghostbusters project?