Prayank [ARCHIVE] on Nostr:
Original date posted: 2022-01-01
Original message:
Hello World,
What?
Remove all *notify options from Bitcoin Core (full node implementation used by 99% of nodes)
Or one of the below:
notifications.dat
Do not use system() in runCommand()
Use a new setting in settings.json file, notifypolicy which is 0 by default (restricted) and can be set to 1 (unrestricted)
Why?
They can help attackers in doing almost anything on machines running Bitcoin Core with some social engineering.
How?
Everything is explained several times in different issues, PRs etc. to different people, including a few reviewers who even NACKed a PR that would help in adding such options but with some documentation. I won't comment much about the reviewers, but some of them were clueless about the issue and how things work.
Example: Calling something misleading and ludicrous when you don't even know what works in a Windows shortcut and could not share one example of a financial application
https://github.com/bitcoin/bitcoin/issues/23412#issuecomment-1003496126
TL;DR
https://github.com/bitcoin/bitcoin/pull/23395#issuecomment-956353035
https://github.com/bitcoin/bitcoin/issues/23412#issuecomment-970480769
To be honest, I neither have energy left to highlight the importance of these issues nor do most of the people look interested in this space to address it. This email is a part of my efforts to share things with everyone, which I even tried with documentation. There is something seriously wrong if a few people, including maintainers, acknowledge the issues with *notify options but nobody wants to fix it or document it; I will leave it for people to form their own opinions about it.
Last but not least, I was even asked not to review and comment in https://github.com/bitcoin/bitcoin/pull/23395 when I was just responding to others.
This will be helpful in my security project, which was already shared on the mailing list to highlight what users expect from developers, the future of money, the review process etc., and what the ground reality is.
Happy New Year
--
Prayank
A3B1 E430 2298 178F
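As an added example (not Bitcoin Core's code and not from the post above), this is how two of the proposals listed under "What?" could look in C++: a notifypolicy gate that is restricted by default, and a notify runner that builds an argv and calls execvp instead of system(), so shell metacharacters in the command template or in the substituted value are never interpreted. The NotifyPolicy enum and the function names are assumptions.

```cpp
// Added example, not Bitcoin Core code. Demonstrates (a) a hypothetical
// notifypolicy setting, 0 = restricted (default), 1 = unrestricted, and
// (b) running a *notify command without a shell (execvp, not system()).
#include <stdexcept>
#include <string>
#include <sstream>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

enum class NotifyPolicy { Restricted = 0, Unrestricted = 1 };

// Mirrors the proposal's default: nothing runs unless the operator opted in.
bool NotifyAllowed(NotifyPolicy policy) {
    return policy == NotifyPolicy::Unrestricted;
}

// Split a -walletnotify style template on whitespace and substitute %s inside
// a single argument. Because the result goes to execvp, characters such as
// ';' or '|' in the template or the value stay literal bytes.
std::vector<std::string> BuildArgv(const std::string& tmpl, const std::string& value) {
    std::vector<std::string> argv;
    std::istringstream in(tmpl);
    for (std::string tok; in >> tok;) {
        size_t pos = 0;
        while ((pos = tok.find("%s", pos)) != std::string::npos) {
            tok.replace(pos, 2, value);
            pos += value.size();  // skip past the inserted value
        }
        argv.push_back(tok);
    }
    if (argv.empty()) throw std::invalid_argument("empty notify command");
    return argv;
}

// Runs the command without a shell. Returns the child's exit status, or -1
// when the policy forbids it or the child could not be started.
int RunNotifyCommand(NotifyPolicy policy, const std::string& tmpl, const std::string& value) {
    if (!NotifyAllowed(policy)) return -1;
    std::vector<std::string> args = BuildArgv(tmpl, value);
    std::vector<char*> cargv;
    for (auto& a : args) cargv.push_back(&a[0]);
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(cargv[0], cargv.data()); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```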
Published at 2023-06-07 23:01:58