public inbox for
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd•org>
To: "David A. Harding" <dave@dtrt•org>
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
Date: Wed, 27 Mar 2024 20:30:34 +0000	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

[-- Attachment #1: Type: text/plain, Size: 2493 bytes --]

On Wed, Mar 27, 2024 at 09:50:20AM -1000, David A. Harding wrote:
> On 2024-03-27 08:04, Peter Todd wrote:
> > I was able to verify independently that the relevant people had seen
> > the email and weren't planning on replying.
> Can you provide detail on this?

I'm not going because I don't want anyone else subject to harassment over this.

> > You're just harassing me here; I highly
> > suspect you'd have said nothing at all if I hadn't brought up
> > disclosure.
> I think I would have said something.  Any time I'm writing a description for
> Optech about an attack that affects existing Bitcoin software and was
> responsibly disclosed, I back link to it from a special page [1].  In cases
> of ambiguity about whether or not an attack was responsibly disclosed, I
> investigate.
> I'm sorry this feels to you like harassment.  To me it feels like whiplash:
> I inferred responsible disclosure based on your original text, learned it
> might not have been, and now am being told by you that it was indeed
> responsible.

I'm not the only person who thinks this looks like harassment. The fact is you
started this conversation with: "I'm especially concerned given your past
history of publicly revealing vulnerabilities before they could be quietly
patched and the conflict of interest of you using this disclosure to advocate
for a policy change you are championing."

You haven't substantiated any of this. Nor have you even tried to argue that my
take on the vulnerability is incorrect: it's just an interesting variation of
well-known attacks that doesn't substantially change the situation.

Anyway, this conversation is just wasting everyones' time. If this actually is
a deal-breaking exploit that must be fixed quickly and quietly - the type of
exploit for which responsible disclosure is necessary - what we should be
talking about is how to fix it. I proposed two different design changes that
mitigates it. One of which fixes other issues too. Antoine Riard also proposed
potential mitigations.

Do you have a useful comment on these proposals?

-- 'peter'[:-1]

You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion on the web visit

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2024-03-27 21:56 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-27 17:18 David A. Harding
2024-03-27 18:04 ` Peter Todd
2024-03-27 19:50   ` David A. Harding
2024-03-27 20:30     ` Peter Todd [this message]
2024-03-27 22:05       ` Steve Lee
2024-03-28 18:34         ` Antoine Riard
2024-03-28 19:16           ` Peter Todd
  -- strict thread matches above, loose matches on Subject: below --
2024-03-18 13:21 Peter Todd
2024-03-19 12:37 ` Nagaev Boris
2024-03-19 13:46   ` Peter Todd
2024-03-23  0:29     ` Nagaev Boris
2024-03-26 18:36 ` David A. Harding
2024-03-27  6:27   ` Antoine Riard
2024-03-27 12:54     ` Peter Todd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \
    --to=pete@petertodd$(echo .)org \ \
    --cc=dave@dtrt$(echo .)org \
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox