[HN Gopher] White hat hacker awarded $2M for fixing ETH-creation...
___________________________________________________________________
White hat hacker awarded $2M for fixing ETH-creation bug
Author : cristiandima
Score : 450 points
Date : 2022-02-13 12:42 UTC (10 hours ago)
(HTM) web link (cryptoadventure.com)
| colesantiago wrote:
| This just proves how insecure the blockchain / web3 /
| cryptocurrency space is.
|
| It's good to see white hat hackers in this space trying to fix
| what is already broken.
|
| But sorry to be that person, just a timely reminder of the truth:
| All cryptocurrencies and 'DeFi projects' are ponzi scams
| including Orchid.
| vmception wrote:
| It just proves that particular project had an exploit and a
| decent bug bounty program. Its nice that this person used the
| bug bounty program.
|
| Other organization bounties should go higher. Especially Web2
| ones.
| __MatrixMan__ wrote:
| Do you think that a bank or a government would've handled
| fixing such a flaw as well as optimism did?
|
| All tokenization schemes are ponzi scams including USD, it's
| just that some use violence to stay relevant, and others use bug
| bounties.
| jollybean wrote:
| "Do you think that a bank or a government would've handled
| fixing such a flaw as well as optimism did?"
|
| It's irrelevant. We don't use 'algorithms as ownership' in
| the real world. We use social agreements like contract law to
| undo problems.
|
| "All tokenization schemes are ponzi scams including USD, it's
| just that some use violence to stay relevant, and others use
| bug bounties."
|
| We use the law to maintain civil infrastructure. Yes, if
| someone wants to murder you or someone else, or launder
| billions, we'll use violence to stop them.
|
| An algorithm that is effectively used as a Pyramid Scheme is
| not going to save you from anything.
| __MatrixMan__ wrote:
| It can take years for contract law to get in front of a
| judge and be enforced, often the damage that can be done in
| that interval is significant. So I think the timeliness is
| indeed relevant.
|
| As for your murder comment, I'm not saying that violence is
| strictly unnecessary, just that the coincidence of "we have
| the guns" with "we issue the ponzi tokens" is probably not
| the only way to enforce the law.
| jokethrowaway wrote:
| I agree the government would be way worse at dealing with
| this flaw - but they probably would have just reversed
| whatever exploited transactions they needed. Or even just
| printed some more money to make everyone pay at the latest.
| skizm wrote:
| Banks or stock exchanges would just revert any bad
| transactions like they do with most scams, thefts, or
| accidents. It is built into the current system by design.
| __MatrixMan__ wrote:
| They revert the money (if they like you), but usually if
| money flows one way, something else flows the other way,
| and they can't revert that half of the fraudulent
| transactions without great expenditure. Often it's not
| worth it and they just write it off and the whole economy
| bears the cost.
|
| I'm not saying it's a better or worse plan than whatever
| might happen under an alternative system, but just that
| it's not exactly a clean solution either.
| NovemberWhiskey wrote:
| I think your premise is fundamentally wrong there. Say I
| buy something with my credit card but it's never delivered. My
| bank will reverse that transaction - exactly because half
| of the transaction never occurred.
|
| The way that the credit card system works in the US is
| fundamentally biased towards consumer protection, because
| that's an explicit policy objective. The same with the
| Direct Debit guarantee in the UK, or the various laws
| which limit the maximum exposure due to fraudulent use of
| payment cards.
|
| And when exchanges break trades, they undo the entire
| transaction - you don't end up with one party out cash or
| shares.
| __MatrixMan__ wrote:
| The lack of agility shows up when I buy something with
| your credit card number. It gets delivered, and then the
| bank reverses the transaction because they later learn
| that I'm not you.
|
| Now I get a bank-subsidized thing and you're not missing
| any money. It creates a drag on the whole economy,
| because instead of doing productive work to get the
| thing, it's often easier to play games with the system.
|
| The fact that credit cards use a symmetric key to
| authorize spend is a glaring flaw. The technology to fix
| it (asymmetric key cryptography) has been around for
| decades. But instead of fixing it, the credit card
| companies just keep writing off the instances of fraud.
| NovemberWhiskey wrote:
| In the situation you describe, the one who is "out" is
| the merchant. In the card-not-present situation, the
| merchant has the option to use tools like CVV and address
| validation to reduce the risk in the transaction, and
| always has the option to decline a transaction that seems
| risky.
|
| That seems, to me, like a sensible risk balancing
| approach. In the cryptocurrency "all sales are final"
| world - you're the loser. I don't really see that the
| economic drag is larger one way or the other.
|
| AFAIK the use of symmetric key cryptography in card
| capture and payment processing is not in any way a
| significant factor in payment card fraud - where do you
| get that information from?
| __MatrixMan__ wrote:
| Whether it's the merchant or the bank that's left holding
| the bag often depends on the particulars like whether it
| was a chip or a magstripe transaction, but the larger
| point is that in card-not-present scenarios you can't pay
| once without also exposing secrets that allow whoever
| gets them to make subsequent transactions without your
| permission.
|
| Better would be to have whatever secret authorizes spend
| (private key) be separate from the account identifier
| (public key) and to push money, rather than sharing a
| symmetric secret which authorizes whoever has it to pull
| money.
| encoderer wrote:
| Just imagine for a second if there was a bug in the US
| Treasury that let anybody order the treasury to print new
| money and deliver it to their bank account. That would
| rightly be seen as total incompetence by the treasury and
| cast doubts on the soundness of the entire monetary
| system.
|
| But with ETH we have the community patting themselves on
| the back for it. It's madness.
|
| You are making a false equivalency when you compare
| crypto with usd.
| solean wrote:
| Are you sure there doesn't exist such a bug in the US
| Treasury? They would never in a million years let the
| public know if an exploit occurred, there's zero
| transparency
| colesantiago wrote:
| I have no problem with white hat hackers, I'm saying more
| power to them in the broken web3 space, which that is a
| complete scam.
|
| However, I can use USD, GBP or any fiat currency in my local
| grocery store.
|
| Can I use Bitcoin, Shib, Doge, or even Orchid at my grocery
| store without waiting hours in the queue for the transaction
| to complete and no huge fees?
| tenuousemphasis wrote:
| Bitcoin has a system built on top of it called Lightning,
| which allows for millions of cheap transactions per second
| inside of payment channels. Only the opening and closing of
| channels requires a transaction on the blockchain.
| colesantiago wrote:
| Lightning isn't really using Bitcoin is it?
|
| The strike app (which uses Lightning) is not available
| worldwide which really doesn't give the image that
| Bitcoin lightning is decentralised at all.
| aspenmayer wrote:
| Anyone can run their own Bitcoin and/or Lightning node.
| Both Bitcoin and Lightning Network are totally
| decentralized.
| __MatrixMan__ wrote:
| Not yet, but I don't think that we're too far away from
| using USD, GBP or any fiat currency as a unit of account at
| the POS and letting software handle ensuring that the buyer
| loses whatever assets they want to pay in and the seller
| receives whatever assets they want to be paid in.
|
| But that's orthogonal to how quickly the maintainers of
| these tokens can make changes in response to threats.
| colesantiago wrote:
| So no then?
|
| Over a decade later and I still cannot use any of them at
| the restaurant or without waiting in the queue for the
| transaction to settle and paying more for the fees than
| the goods itself.
| __MatrixMan__ wrote:
| It took 100 years for steam engines to start
| outperforming horses, why is it so damning that crypto
| isn't yet outperforming fiat after a decade and change?
| Aeolun wrote:
| > But that's orthogonal to how quickly the maintainers of
| these tokens can make changes in response to threats.
|
| Never mind that the entire threat class doesn't exist in
| traditional finance?
| Sparkyte wrote:
| To be fair we should be wary of both systems. Crypto isn't
| something sustainable in the long run. USD isn't a ponzi
| scheme, it is backed by commerce. Crypto isn't the multi
| sales and trades of goods are what dictate the value of the
| currency.
| birracerveza wrote:
| >But sorry to be that person, just a timely reminder of the
| truth: All cryptocurrencies and 'DeFi projects' are ponzi scams
| including Orchid.
|
| Seems like just an opinion to me, and a poorly opinionated one
| at that.
| NovemberWhiskey wrote:
| I think it's a bit pointless to argue about whether
| cryptocurrencies are Ponzi schemes or not.
|
| What I would say is that _most_ cryptocurrencies have no
| fundamental value, and are therefore bubbles. I don't know
| what the term is for when someone deliberately creates an
| asset bubble with the intention of profiting from it. It's
| something like a very long-form, deliberative pump-and-dump.
| birracerveza wrote:
| I agree that the majority of cryptocurrencies are vaporware
| at best and deliberate scams at worst, but to claim that
| "All cryptocurrencies and 'DeFi projects' are ponzi scams
| including Orchid" is outright wrong.
| colesantiago wrote:
| Can you name any examples of cryptocurrencies being used that
| are not scams, ponzi schemes or for speculative purposes?
|
| All I see are people holding coins and not using them at all
| for anything else other than 'I want coin to go up'.
| pg5 wrote:
| Helium has practical uses - a cheaper alternative to
| cellular data for stuff like Lime scooters.
| colesantiago wrote:
| This can be done without the need for a blockchain.
|
| Adding a new technology + blockchain + a coin still makes
| it ponzi scheme scam, even worse when the price of this
| coin comes crashing down.
| vmception wrote:
| Nobody wants a corporatecurrency
|
| And there is no human coordination mechanism without the
| freely convertible currency
|
| Blockchains provide the open source rails of all the
| account management and distribution, easing development
| costs. The infrastructure is already built compared to
| alternate ways of attempting to do this
|
| have fun doing that without a blockchain
| kristofferR wrote:
| Why would individuals buy relatively expensive equipment,
| set it up and manage it, without the potential for return
| on their investments?
|
| The only reason Helium's LoRaWAN coverage is expanding
| rapidly is due to the crypto aspects of it.
| colesantiago wrote:
| So basically a ponzi scheme that is expensive to join
| with guaranteed diminishing returns in mining.
|
| If I would like to lose my money in style this would be
| it.
| vmception wrote:
| > If I would like to lose my money in style this would be
| it.
|
| Well get in line, the backlog for receiving hotspots
| across all distributors is 6-9 months long.
| pshc wrote:
| I was looking into Helium yesterday due to news coverage.
| "Proof of coverage" is a bunch of hot air, sorry. It's
| not resistant to Sybil attacks and GPS location is easily
| forged. Seems like a scheme to push hardware units that
| will topple once the token value runs out.
| vmception wrote:
| Sort of, Helium no longer sells hardware and the
| community votes on third party manufacturers to be
| approved for authorization on the Helium network. This
| has helped distributed hardware delivery more than any
| single organization was prepared to do, with the
| semiconductor and supply chain issues.
|
| There is definitely an _opportunity_ to sell overpriced
| hardware into the community then.
|
| There are some other antenna-blockchain systems out there
| that look _more_ like "schemes to sell hardware", such
| as Match X. There is a big and burgeoning market for
| these "passive income" things, people install hardware to
| earn a cryptocurrency.
|
| It is definitely worthwhile to sell the hardware if you
| can.
| tenuousemphasis wrote:
| Speculative investment is not the same as a Ponzi scheme.
| Not so subtle goalpost moving there.
| colesantiago wrote:
| They are used for both.
| birracerveza wrote:
| https://thegraph.com is one example.
|
| Tokens are used to have a stake as an indexer (data
| provider) and to pay for query fees (data consumption), and
| if indexers tamper with the data they lose their stake.
|
| It was released last year and has a long way ahead to
| mature, but it's an amazing product and tokens/blockchain
| is essential to its decentralized nature. Simply put, there
| is no way to accomplish this if the network didn't adopt
| its own cryptocurrency.
| colesantiago wrote:
| Again, this can be done without using a blockchain.
|
| Just like all the other coins, the only use case is
| burning up the planet by using Ethereum, BTC, etc,
| racking up high fees and being used by speculators while
| everyone else who invests in the ponzi scheme lose their
| money when it all crashes.
|
| Nothing has changed.
| [deleted]
| birracerveza wrote:
| >Again, this can be done without using a blockchain.
|
| How so?
|
| I won't bother with the rest of the post as it's your
| usual crypto bad spiel that has absolutely nothing to do
| with the discussion we're currently having and has
| absolutely nothing to back up its claims (as do the rest
| of your posts, which I'm surprised aren't flagged/dead
| yet considering their low quality, but I guess HN is ok
| with them since they're anti crypto), but I'm curious to
| see how you would build a decentralized system that lets
| developers build data indexing programs, allows anyone to
| join the decentralized network as a data provider to run
| those programs, and lets consumers query that data from
| the network while also ensuring that the data is valid
| and hasn't been tampered with by the providers without
| blockchain/tokens.
|
| Please, do enlighten me, I'm curious.
| whitepaint wrote:
| Tell me you don't know what DeFi is without telling me you
| don't know what DeFi is.
| colesantiago wrote:
| What is the process of getting your money back from a hacked
| DeFi project?
|
| Why do I have to pay more fees to swap tokens on
| decentralised exchanges making them unusable, and how exactly
| is DeFi decentralised?
| SparkyMcUnicorn wrote:
| ETH is not the only chain out there. Transaction fees on
| Polygon and Harmony average between $0.001 - $0.02, and
| have all the things you'd expect from DeFi like Uniswap,
| Curve, and Aave.
|
| The decentralized part of DeFi is the smart contracts. If
| you can interact with the contracts without any centralized
| help, then how exactly is it centralized in your opinion?
| whitepaint wrote:
| > Why do I have to pay more fees to swap tokens on
| decentralised exchanges making them unusable
|
| Wait for ETH 2.0. It's a really difficult problem to solve.
| In the meantime though, use Polygon (or other side chains).
| Swap tokens for a cent or two.
|
| > how exactly is DeFi decentralised
|
| Take a protocol like app.uniswap.org or pooltogether.com.
| If you have an internet connection, no one can stop you
| from using these protocols (and many other protocols). No
| arbitrary rules imposed by governments or companies. Your
| funds are your funds, there are no arbiters (just tens of
| thousands of Ethereum nodes which are responsible for
| settling transactions).
|
| > What is the process of getting your money back from a
| hacked DeFi project?
|
| Use protocols that have been around for a long time and
| have hundreds of millions, billions, or even tens of
| billions of dollars locked in. That decreases chances of
| you losing funds. But it is a problem, I agree, hopefully
| somehow we will make it better.
| colesantiago wrote:
| > Why do I have to pay more fees to swap tokens on
| decentralised exchanges making them unusable
|
| So I still have to wait at least 2023 (2025 or 2026 for a
| realistic possibility of merchant adoption) for ETH 2.0
| to be used?
|
| I don't think merchants would want to wait for something
| that is not complete and unregulated.
|
| You do realise that ETH 2.0 has nothing to do with
| lowering fees? So all the DeFi apps using it will still
| be unusable anyway.
|
| > If you have an internet connection, no one can stop you
| from using these protocols (and many other
| protocols)...(just tens of thousands of Ethereum nodes
| which are responsible for settling transactions).
|
| Aren't most of these Ethereum nodes and DeFi exchanges on
| AWS like dydx? It went down a few months ago no? [0]
|
| That doesn't sound decentralised to me.
|
| > Use protocols that have been around for a long
| time...That decreases chances of you losing funds. But it
| is a problem
|
| So I can't get my money back then? I see DeFi hacks
| everyday and not getting my money back doesn't help
| either.
|
| Makes robbing a bank less attractive for criminals and
| instead target DeFi projects.
|
| [0] https://twitter.com/dydxprotocol/status/1468293558360805381
| baobabKoodaa wrote:
| Title is misleading, since the bug doesn't actually allow
| creating ETH.
| jollybean wrote:
| In other words: ETH was an insecure blockchain and once
| compromised, there is no legal or operational recourse, with the
| implication that issues could indeed exist today. House of Cards.
| bannedbybros wrote:
| VectorLock wrote:
| Ethereum has forked to roll-back hacks in the past, likely for
| something as big as making ETH from thin air they'd do the same
| with even less hesitation.
| berkes wrote:
| No. This was neither ETH, nor the Ethereum blockchain. Nor does
| this imply more issues indeed exist today.
| jollybean wrote:
| From the bounty: "The Summary On 2/2/2022, I reported a
| critical security issue to Optimism--an "L2 scaling solution"
| for Ethereum--that would allow an attacker to replicate money
| on any chain using their "OVM 2.0" fork of go-ethereum (which
| they call l2geth)."
|
| No - sorry - ETH doesn't get a 'pass' on this.
|
| The 'Rest Of The World' is tired of the Crypto Scam Delusion
| masquerading as something reasonable and watching these
| critical failures getting swept under the rug.
|
| This issue demonstrates that critical failures will exist in
| the wild (and it's wrong to suggest that they won't come up
| in the future - they will) creating an existential flaw for
| systems in which there is no intrinsic remedy. Forks by
| 'completely arbitrary central powers' entirely defeat the
| purpose.
|
| Just last week we had the FBI arrest criminals laundering
| literally billions in Crypto.
|
| It's a tiring fraud absorbing enormous amounts of attention
| and energy for no apparent benefit but entertainment.
|
| The concept is currently fundamentally flawed, it belongs in
| 'side project' territory for now, not in the mainstream.
| fastball wrote:
| By definition an "L2 scaling solution" is _not_ the
| Ethereum blockchain.
|
| Ethereum itself clearly _is_ a secure blockchain given the
| fact that it has not been exploited directly _ever_ , as
| far as I am aware. Smart contracts running in the EVM
| obviously have exploits galore, but that is different from
| Ethereum itself being vulnerable. Just like it is different
| when the Java Virtual Machine itself has an exploit
| (uncommon) vs when a program that runs in the JVM does
| (very common).
|
| You can of course argue that the lack of inherent soundness
| / correctness in Ethereum smart contracts makes the entire
| chain less useful since running smart contracts is kinda
| the whole point, but then you should make _that_ argument
| rather than saying dumb things like:
|
| > ETH was an insecure blockchain
| pshc wrote:
| This was a critical success for Optimism's bug bounty
| program, if anything? No one got rug pulled. Optimism's
| liquidity could have been drained in the worst case, and
| still ETH L1 would remain unaffected.
| jollybean wrote:
| It's great for a 'bounty program' - but it speaks
| negatively to the integrity of a system that is not
| supposed to have any centralised control.
| pshc wrote:
| I think it speaks to the reality of a development process
| led by humans in uncharted territory. Figure it out,
| audit it, test it for a long time, eventually cross
| fingers and blow the fuses. After that, either it
| successfully becomes a permanent public fixture, or maybe
| there's a small chance it implodes one day, who knows?
|
| Certainly anything that's absolutely mission critical
| should not live on these L2 networks yet.
| davidmurdoch wrote:
| This is like saying that because someone is able to write buggy
| money transference software that lets users change their own
| account balance within _that buggy software_ that your personal
| bank is now insecure.
| jollybean wrote:
| No it's not, though.
|
| I expect that my bank is not perfectly secure. And when it
| fails, there will be ways to redress the problem, i.e.
| account insurance, bank refunds, legal recourses etc..
|
| Blockchains have 'no way out'. When there is a problem, it
| breaks everything. Recently, there was a grift on ETH and to
| overcome the problem, there was a massive fork, which is
| enormously hypocritical because it implies that there are
| 100% 'Central Authorities' with ETH, who are unarmed,
| unrestrained by any regulation or oversight, policy and
| probably any legality. Etc.
|
| The only way for Blockchains to maintain their ideological
| integrity is if they are 'perfect'. But they are not
| 'perfect' and require 'maintenance and oversight'. Ergo they
| are self defeating their own purpose.
|
| Ultimately, it's a ruse or will mostly be used as such.
| everfree wrote:
| The title isn't really accurate. It wasn't a bug to create ETH,
| it was a bug to steal ETH from the Optimism contract.
| ThrustVectoring wrote:
| That's not exactly accurate either - if I understand the
| situation correctly, it's a bug that allows counterfeiting of
| the contract's outputs. This could be a higher magnitude event
| if the counterfeiters could generate more purported liabilities
| than the contract can cover.
| [deleted]
| vinnymac wrote:
| > Had the issue not been promptly resolved, malicious users on
| the chain could have exploited the flaw. This means a cyber actor
| could have gained access to the unlimited generation of fresh ETH
| tokens.
|
| I am curious, would it be easy to detect an individual who was
| exploiting this vulnerability?
| saurik wrote:
| In my post-mortem I go into this a bit: someone had actually
| triggered the bug (on accident while debugging the Etherscan
| block explorer) but it hadn't been noticed by anyone (and the
| person at Etherscan didn't realize the ramifications). I
| believe, due to the atypical mechanism used to store the
| account balance state on Optimism (which is discussed in detail
| in my post-mortem as this is also what I claim to be the root
| cause of the bug), it would have taken quite a long time to
| notice someone taking advantage of this issue if they weren't
| being egregiously ostentatious with it (and even then it would
| have taken "too long" before tons of extremely-difficult-or-
| arguably-even-impossible-to-unwind economic confusion and
| damage would have resulted as the whole ecosystem is so heavily
| automated).
| vinnymac wrote:
| Thanks, I only read the article linked and had not yet dug
| any further. I appreciate how much work you put into this!
|
| For anyone who may have missed the link in the article or
| thread, this is it: https://www.saurik.com/optimism.html
| SodiumMerchant0 wrote:
| ForHackernews wrote:
| How much did he give up by not exploiting it? Whatever happened
| to 'code is law'?
|
| How sad to see web3 rehashing the failures of webs 1 through two.
| VectorLock wrote:
| I feel like this title should more accurately reflect this wasn't
| a bug with Ethereum and real ETH couldn't be created.
| system2 wrote:
| I wonder when we are going to see a full Bitcoin crash due to a
| major hack. These type of news make people trust centralized
| currencies even more.
| rrjjww wrote:
| There is some discussion about this above, but I'm curious - does
| the $2M reward count as ordinary income? Would persons on work
| visas (i.e. H1B) be able to collect without jeopardizing their
| immigration status? Could your employer consider it moonlighting?
| dboreham wrote:
| Headline is misleading. Creation of wrapped ETH tokens on
| Optimism, thereby allowing _theft_ of ETH from contract escrowed
| funds.
| evv wrote:
| Thanks. As somebody with a very basic understanding of ETH, it
| seemed super unlikely that a L2 would be able to mint
| arbitrary ETH. (That would obviously be a vulnerability in the
| L1)
| vmception wrote:
| Right, this kind of exploit is in vogue right now.
|
| Minting supply inflation bugs happen all the time, but not
| usually for something redeemable for something so liquid and
| valuable.
|
| The bridges are a new unique target.
| dylanz wrote:
| I remember walking down the main street in my hometown on my way
| to drink at a bar and seeing saurik and some friends at a bar
| all with their laptops out and hacking on something. What caught
| my eye was a terminal open and a Vim session. I walked up and we
| all chatted for a bit. Back in the day you didn't run into that
| very often where we lived so it was pretty cool to see. That
| boosted my conviction for my choice of IDE and I started bringing
| my laptop out to the bars in the evenings as well. Years later my
| friend and I built a business and pretty much all the code was
| written in the evenings at one of those bars. You can be social
| and code at the same time it turns out, and coding prevented me
| from drinking too much while I was out. No real moral to the
| story, just an anecdote I wanted to share. That said, congrats on
| the bounty saurik!
| quickthrower2 wrote:
| Wow the only time I have seen anything like that in a bar was
| the bar everyone went to after a functional programming
| conference! The only geeky things I've seen "in the wild" are
| swag (like AWS T-shirts)
| hbbio wrote:
| It's not just any white hat hacker, it's saurik who was behind
| the original jailbreaking tools for iOS and the creator of Cydia,
| the unofficial app store back then. He is also now the "CTO" (if
| the term applies) of a well-known blockchain-based VPN, Orchid.
|
| Edit: He has a great write-up about the vulnerability and its
| discovery on his blog:
|
| https://www.saurik.com/optimism.html
|
| (which was on HN a couple days ago)
| andrewmcwatters wrote:
| CXO titles in organizations do not exist without a board of
| directors. Businesses otherwise simply have members, managers,
| employees, contractors or vendors, or volunteers. You can
| pretend you're a CEO/CTO, but if you answer to no board, you're
| not.
| cowsandmilk wrote:
| Orchid is a Delaware C corp with SEC filings for its
| offering. Do you think it lacks a board of directors?
| andrewmcwatters wrote:
| > (if the term applies)
|
| I'm responding to whether the term applies.
| saurik wrote:
| > For Orchid, while I have no official/ratified title, I am
| "in charge of technology".
| aerique wrote:
| A jailbroken iPhone 3GS is the phone I've had the longest
| (nearing 5 years I think) and it was a joy to use, so thanks
| saurik and enjoy the bounty!
| tomas789 wrote:
| Jay Freeman is the man who found the bug. He is also author of
| the infamous Cydia - tool to install software on jailbroken iOS
| devices.
| m4tthumphrey wrote:
| Was it paid cash or in ETH?
| saurik wrote:
| The bounty amount was denominated in USD and is being paid in
| USDC (a stable coin, which means it is intended to map
| effectively 1:1 with--in this case--USD).
| devoutsalsa wrote:
| At the moment, USDC is the only stable coin I'm comfortable
| holding. Are there are any other stable coins that are like
| backed by hard assets?
| easrng wrote:
| IIRC USDP (Formerly PAX) is audited and completely backed.
| sammyq wrote:
| What's the reason of holding USDC, isn't that same as
| holding cash in bank?
| pmlamotte wrote:
| It can be used in smart contracts, DeFi (such as a
| decentralized crypto exchange or earning interest), and
| can be used for very fast transfers between centralized
| exchanges/services that might not allow actual USD
| deposits/withdrawals or that require waiting for an ACH
| transfer to go through. Several cryptocurrencies are good
| for transferring between centralized services, but USDC
| will be price stable in comparison. Fees can be a problem
| though.
| sfe22 wrote:
| The problem is other stable coins are not transparent,
| and are very likely not fully funded so they can collapse
| any time. USDC is by coinbase and a little more
| transparent, thus less likely to collapse in case of mass
| withdrawal.
| koolba wrote:
| Keeping your money on chain but not subject to price
| fluctuations.
|
| There's also pro and anti arguments for being in control
| of your assets.
| eanc wrote:
| saurik wrote:
| Prior discussion of this incident (and the $2M bounty) here on
| Hacker News:
|
| https://news.ycombinator.com/item?id=30289240
|
| My (I'm the hacker) article / post-mortem this blog post is
| referring to:
|
| https://www.saurik.com/optimism.html
|
| At the time of this last getting traction a few days ago, some
| people were sad that the title of my article and the discussion
| that resulted focused more on the bug instead of the bounty
| (which my article gets into near the end as part of some high-
| level thoughts on ethics), which is maybe why I am suddenly
| seeing this appear here again this morning (as this news article
| is instead focussing on the bounty angle)?
|
| FWIW, the $2M bounty--which was actually listed as $2,000,042 (as
| they wanted it to sort higher on the list at Immenufi, lol)--was
| potentially (none of us realized this at the time I "won", and I
| am honestly still not 100% sure of it now, though I haven't yet
| come across any counter-examples) the largest single bug bounty
| payout ever (...though, by only $42 ;P).
| mocmoc wrote:
| Saurik you are a true legend
| cosmosgenius wrote:
| It's so nice to hear from you. Hope you are doing well.
| secondaryacct wrote:
| But you should have sat on it, laundered it through FBI
| honeypots and then made a rap album about it !! What have you
| done telling them about it :D
| gfd wrote:
| Pretty sure this is referencing the $3.6B hack
| https://news.ycombinator.com/item?id=30260787 where the wife
| is a rapper.
|
| Though it's pretty weird that I wasn't sure whether you were
| referencing geohot's (another infamous hacker, mentioned in
| the article) rap songs at first:
| https://soundcloud.com/tomcr00se
|
| Not sure why it's a thing for prominent hackers to have
| aspirations to become soundcloud rappers.
| aaaaaaaaata wrote:
| Is this the reference?
| https://www.youtube.com/watch?v=SSHrpYeyYV8
| baby wrote:
| That's what I thought too, but it looks like someone got a bit
| more than you a few weeks before:
| https://medium.com/immunefi/polygon-lack-of-balance-check-bu...
|
| (Dec 28 2021)
|
| > Polygon is paying out a bounty of $2.2m in stablecoins to
| Leon Spacewalker and 500,000 MATIC to Whitehat2, which
| according to current market value is worth $1,262,711. The
| $2.2m exceeds the maximum value of Polygon's critical bounty in
| recognition of the severity of the vulnerability.
|
| More info about the bug:
| https://medium.com/immunefi/polygon-lack-of-balance-check-bu...
|
| Interestingly, this reminds me of a report I wrote a long time
| ago about the dangers of ecrecover (as it can give ambiguous
| results)
| saurik wrote:
| Ooof... so close!!
| kristofferR wrote:
| You misspelled Immunefi btw, I went looking for it, but
| googling "Immenufi" only led back to your comment.
|
| Immunefi turns out to be the correct spelling (weird that
| Google didn't figure that one out).
| saurik wrote:
| https://immunefi.com/
| kristofferR wrote:
| Thanks, I found it, but wanted you to correct it for
| others. I forgot about the 2h edit limit though.
| rschachte wrote:
| Really cool to see Saurik posting here casually. Your work on
| Cydia when I was 12 years old is what got me into programming
| in the first place. Nice work!
| mandarax8 wrote:
| Wow I knew I recognised that name from somewhere, Cydia
| brings back some memories of 10yo me too. Glad he's still on
| it after all this time.
| sturza wrote:
| ceva wrote:
| saurik wrote:
| So, while I knew that this had been offered in back channels, I
| failed to realize that this was not only confirmed to me in
| e-mail as well as publicly announced: Boba (one of the forks of
| Optimism that was affected by this same bug) has additionally
| extended to me their maximum bug bounty reward of $100k, making
| the "updated total" awarded for this bug (so far ;P) $2,100,042
| (which more firmly might be setting a new record).
|
| https://twitter.com/bobanetwork/status/1491989915336388618?s...
| worldmerge wrote:
| Congratulations!
|
| Also, thank you for Cydia, I used it in middle school and high
| school. It definitely made an impression, thank you.
|
| Orchid looks cool too!
| sersi wrote:
| Congratulations! Couldn't happen to a better person. Thanks a
| lot for Cydia!
| ndugu wrote:
| Congrats on the bug bounty, but even greater congrats on
| Orchid! Hope you continue to change the face of technology and
| privacy!
| saagarjha wrote:
| I'm glad you seem to be happy with your payout, but can we talk
| for a moment about how much you got? For an exploit like this,
| especially given how much effort was put into it and how much
| the market rate of a security engineer like this would be, plus
| given how much this could be worth on the exploit market, $2
| million is literally pennies. This could've easily been a bug
| worth hundreds of millions of dollars. I guess Optimism is
| lucky that people like you are willing to do "the right thing"
| even if you're not being compensated fairly for it, but
| exploits like these are going to keep happening (and we've seen
| a bunch in this space already) unless bounties go up to match
| their true value.
| [deleted]
| aaaaaaaaata wrote:
| Morals aside, which seems to be popular in sec communities,
|
| Do you not understand the immense amount of effort they would
| have needed to expend to hide, not to mention the ongoing
| stress involved afterward?
| saagarjha wrote:
| Surely someone with the skills to find bugs like these
| would be an expert in cashing out on those bugs?
| revax wrote:
| Those skills are unrelated.
| saurik wrote:
| Yeah... and as the person in question who found and
| exploited this particular bug ;P, I can definitely state
| that I _would not_ feel comfortable betting the rest of
| my life on my ability to safely launder a giant pile of
| crypto back through to fiat (and then, further, keep that
| secret for the rest of my life, which shouldn't be
| downplayed).
|
| I am much happier being able to get a bunch of clean
| money and then be able to give talks on the subject at
| conferences and get a lot of "street cred" in the tech
| community for my effort than spending the rest of my life
| wondering if there's someone from a real-world mob out
| there trying to hunt me down to recover the $100M I "owe
| them".
| jacquesm wrote:
| The whole assumption that your ethics have a pricetag
| attached is faulty, it's not as if the choices were
| 'commit crime / get bounty'.
| sillysaurusx wrote:
| Everyone's ethics have a price tag. It's better not to
| pretend otherwise, since it clarifies a lot of human
| behavior.
| jacquesm wrote:
| I _strongly_ disagree with that. You really can't claim
| to speak for everybody.
| sillysaurusx wrote:
| If you don't play ball in certain parts of the world, you
| end up in a river. The price tag is just different.
|
| Yours would likely be family or close relatives.
|
| I think you'd take money to do something untoward if that
| was the alternative. Almost everybody would. And there's
| nothing wrong with admitting that.
| snowwrestler wrote:
| Positive and negative consequences are not the same thing
| in ethics.
|
| Compare "kill this person to save your son's life" with
| "kill this person to earn $1 million." They're not
| equivalent, even if both might be metaphorically referred
| to as a price.
| sillysaurusx wrote:
| On the contrary -- the decisions you have to make to
| avoid negative consequences are often the best test of
| your ethics. Consider how many people would've been
| punished for speaking out against what plantation owners
| were doing in the 1800's, for example.
|
| The illusion that they feel different is extremely
| powerful. It's worth resisting. It helps uncover all
| kinds of ways that we contribute to unethical behavior,
| if only through inaction.
|
| The concept of having a price attached to your ethics is
| essential. Without it, people fool themselves into
| believing they're above temptation. In my experience
| those same people tend to be the most vulnerable to it.
| jancsika wrote:
| > If you don't play ball in certain parts of the world,
| you end up in a river.
|
| OP branched here: "it's not as if the choices were
| 'commit crime / get bounty'."
|
| Any example relevant to OP's branch _cannot_ end with the
| subject in a river. The very fact that you are discussing
| it proves we've jumped to the other branch of the
| conditional-- the one where the choice _is_ exclusively
| between `commit crime / get bounty` (by threat of death
| in your example).
|
| tldr; goto considered harmful on HN
| jacquesm wrote:
| My 'goalposts moved' detector just twitched.
| sillysaurusx wrote:
| If you say so. It's the same thing, even if it's more
| comfortable to believe it's not.
|
| It helps to frame it this way, because once you accept
| that you'd do that, you're more likely to accept you
| would do something unethical for a billion dollars if it
| had no consequences to you. And from there, it's a binary
| search to determine exactly what your price is.
|
| Would you be able to say you wouldn't lie to your wife if
| it meant you'd walk away with a billion dollars?
| Certainly this is contrived, but all examples in this
| territory are contrived.
| maxerickson wrote:
| If you believe everyone has a price shouldn't your goal
| be to not find your own?
|
| (Like, work to avoid creating the situation where you
| have to compromise, if possible)
| sillysaurusx wrote:
| That's a very interesting question. Thanks for that.
|
| The way I view it is that it's important to seek out
| yours ahead of time --- to game out different scenarios,
| and to consider whether you would do X or Y if forced to
| choose. That way, when you're in a situation where you
| feel like compromising, you'll remember your limits.
|
| In other words, I was less tempted to act unethically in
| the moment than I would have been if I'd been surprised
| by the opportunity.
|
| This is especially important in scientific circles. It's
| often trivial to falsify data, and the rewards for doing
| so are generally high. It's also not always an active,
| conscious decision; it's easy to make small mistakes that
| have favorable outcomes for yourself.
|
| The exercise has helped me steer far away from any of
| those. I've watched peers fall into a trap that I'd label
| "scientific hype," i.e. claim that you're doing something
| impressive when in reality you're nowhere close. This is
| a very easy mistake to make, and if I hadn't mentally
| found my boundaries ahead of time then I'd have been
| vulnerable to making the same error. Or I may have stayed
| silent when my peers were doing something naughty.
| jacquesm wrote:
| Yes, but that's not what we're discussing, because then I
| can counter with:
|
| "Would you sell your mother or your children at any
| price?"
|
| And I hope - admittedly, that's speculation - I know what
| the answer to that would be.
|
| So this is now an absurd discussion, whereas it started
| off from a rational point of view: there exist such
| people whose ethics can not be corrupted. The fact that
| you believe this is not the case says nothing about
| people in general.
| sillysaurusx wrote:
| People did in fact sell their children when faced with
| hard times, by the way. The 1920's era was rough.
| https://www.ranker.com/list/story-behind-photo-of-children-f...
|
| You are asking what I would personally do. But it's
| better to think of limit cases that everyone would do --
| such as lie to their wife for a billion dollars. Since
| it's guaranteed you fall into the bucket of "everybody",
| that means you can locate your ethical price tag.
|
| It's helpful for people to do this mental exercise. At
| least, I find it comforting knowing my own price tags in
| advance.
| jacquesm wrote:
| You are still moving the goalposts.
|
| My statement is pretty simple: ethical people exist.
|
| You countered with "Everyone's ethics have a price tag.
| It's better not to pretend otherwise, since it clarifies
| a lot of human behavior."
|
| And have been moving the goalposts ever since. The fact
| that unethical people exist was never up for debate.
| sillysaurusx wrote:
| I had to scroll up and re-read to make sure we were on
| the same page.
|
| Since you're misquoting yourself, it sounds like you
| don't want to have this debate, or you may not have
| realized what you said. But "The whole assumption that
| ethics have a price tag attached is faulty" is not at all
| the same thing as "ethical people exist." It's not a
| pedantic distinction; one is debating whether people will
| take compensation for acting unethically, even if they
| feel they're the most ethical person on the planet -- I
| think the answer is "yes" -- whereas "ethical people
| exist" is a point no one could disagree with.
|
| It's a bit unexpected for you to omit your "price tag"
| words and then continue with my argument.
|
| But we're past the point that readers are having a nice
| time reading this. If you'd like to continue, I'm happy
| to do so, but we need to restrict ourselves to a high
| caliber of debate, if only for HN's sake.
| jacquesm wrote:
| The distinction is pedantic because you are making it so.
|
| Whereas in fact it is anything but pedantic.
|
| "The whole assumption that ethics have a price tag
| attached is faulty"
|
| For everyone.
|
| > But we're past the point that readers are having a nice
| time reading this.
|
| You seem to be in a habit of projecting your own feelings
| onto everybody else.
|
| > If you'd like to continue, I'm happy to do so, but we
| need to restrict ourselves to a high caliber of debate,
| if only for HN's sake.
|
| Suit yourself.
| sillysaurusx wrote:
| I'm saddened that a repeat of our debate from seven years
| ago won't be forthcoming today.
| https://news.ycombinator.com/item?id=8901682 I was
| looking forward to it.
|
| If you ever do want to probe deeper into the question of
| ethics vs cost, I think it would be interesting. But
| since you keep talking about me rather than the idea, the
| interest feels one-sided.
| jacquesm wrote:
| Three different people have now made the same point in
| three different ways and you simply ignore it, consider
| the possibility that you are simply wrong about
| something.
|
| Ethics problems typically do not lend themselves to be
| translated into a caricature of the market economy. The
| habit of assigning price tags to stuff can help if the
| original problem is cost related, but it tends to be a
| crutch when things of a more principal nature are
| discussed, which would have a valid meaning absent such
| things as money or physical rewards. As long as you keep
| framing it like that you won't get further.
| [deleted]
| dahart wrote:
| > If you don't play ball in certain parts of the world,
| you end up in a river. The price tag is just different.
|
| Aside from the problems of this statement being a
| completely vague and unspecific and extreme hypothetical,
| isn't there a problem with switching from talking about
| incentives to talking about threats? Being threatened
| with death isn't the same as being offered money, and
| this ground has been well covered by philosophers who
| point out that there are things wrong with "admitting
| that" as you call it. Calling it a price tag seems
| misleading at best. There's further a massive problem
| with suggesting a person's ethics might be based on what
| someone threatening them with death wants them to do, no?
| If the action isn't something you are choosing to do, and
| isn't something you would do if not threatened, for any
| amount of money, then why would you consider it your
| actions or part of your ethics?
| saurik wrote:
| Yeah: I definitely agree with this, and I think it is an
| endemic problem to discussion of ethics in technology: we
| tend to focus on "but I _could_"--which sometimes
| ignores the law but even when it doesn't tends to then
| get bogged down arguing the exact boundaries of the law--
| without instead trying to judge people on whether they
| "should" (maybe based on the ramifications it has on
| other people) or "would".
|
| I just think it is also worth noting that, even if we
| _do_ accept the false dichotomy, I would _not_ be an
| effective criminal... which seems to continually
| disappoint some people ;P. (I'm sorry to be such a let
| down! lol)
| jacquesm wrote:
| Indeed, not everything that is permitted is ethical.
| 323 wrote:
| This is $2 mil of clean money.
|
| > _This could've easily been a bug worth hundreds of millions
| of dollars_
|
| That doesn't mean that you could find someone to give you
| $100 mil, clean or unclean.
| rosndo wrote:
| We have atomic swaps to monero now, cleaning your stolen
| eth is easier than ever.
| aqme28 wrote:
| How are you going to turn that into actual goods and
| services though? You'll still need to go through an
| exchange with KYC and AML and the IRS will still be
| asking questions.
| rosndo wrote:
| IRS doesn't care as long as you pay taxes on the money.
|
| KYC and AML? Just lie that you mined the monero on a now
| defunct pool. I have plenty of coins that I genuinely
| acquired in such manner and haven't had issues selling
| them. The bank only cares about hearing a vaguely
| consistent story, they aren't cops.
|
| The KYC stuff will only become a problem if you get
| caught via some other means, because lying to the bank is
| a crime.
| jacquesm wrote:
| A reminder not to take legal advice from HN.
| capableweb wrote:
| > IRS doesn't care as long as you pay taxes on the money.
|
| Lol, you never actually handled the sums the submission
| is about, right? The IRS will definitely ask questions
| about where the money you spend comes from, if you end up
| on their radar. And if the answer is not satisfactory,
| they will grill you on it.
| rosndo wrote:
| IRS isn't going to do a deep dive into your purported
| monero mining activities unless you go out of your way to
| give them cause to do so.
|
| And even if you did, there's no way for them to ever
| prove where your monero came from unless you fucked up
| during either the hack or the swap to monero.
|
| Even if the IRS suspected that you're lying to them, how
| could they prove it?
| ycombobreaker wrote:
| Yeah these subthreads always remind me of the Money
| Laundering subplot in Office Space.
| blendergeek wrote:
| Or, the criminal could buy goods and services with the
| monero directly.
|
| The IRS will ask questions of _those_ people, but not the
| black hat "security researcher".
| aqme28 wrote:
| I want a mansion. How do I buy that with monero?
| blendergeek wrote:
| Land will be harder (though not impossible) to purchase
| with crypto. Next, find a construction company ready to
| accept payment in crypto. Mansion attained. Perhaps, buy
| said mansion in Keene, New Hampshire where more crypto
| users live.
| rosndo wrote:
| You could fly to Dubai.
| colinmhayes wrote:
| Swap to monero, buy an NFT from yourself, convert to
| fiat, pay taxes. Now your money is clean, taxed, and you
| have an explanation for where it came from.
| boeingUH60 wrote:
| No, money laundering is never this easy...I see people on
| internet forums always suggesting stuff like this; Swap
| to monero >> NFT (or whatever else) >> clean
| money...Sounds good in theory but in execution, you'll
| likely make a mistake along the way and get caught
| saagarjha wrote:
| In past threads I've heard about exploit brokers and how
| their rates are typically much higher than bug bounties. If
| Hacker News commenters know about these avenues I'm sure
| bug hunters can find ways to cash out for more money.
| Calling it unclean is stupid anyways, since the company
| clearly isn't paying enough for bugs in their own
| service...this is the same kind of thinking that leads to
| "responsible disclosure" and all that junk.
| saurik wrote:
| If we choose to value everything we touch by way of "the next
| highest bidder might have paid $X for this" while fully
| ignoring their intentions (and so allowing black market sales
| to be in scope for the implied auction), I think you won't
| _actually_ enjoy the society you end up with :(. Like, as a
| security researcher yourself, it might feel interesting to
| posit the exact addition of value we protect per incident,
| but I think the ramifications on how other work gets valued
| as well as what adverse side effects result from this mental
| model are scary.
|
| It is thereby really only "required" (for the world to
| function) that there is sufficient monetary motivation for
| people who don't want to spend the rest of their life feeling
| either the guilt or stress (even if merely due to the
| ramifications of people finding out) of having done something
| "wrong" (which I put in quotes as I feel the "code is law"
| argument that can result at this point isn't actually that
| useful in a discussion of morality) to bother to then go out
| of their way to help (as opposed to not searching hard in the
| first place, looking the other way instead of reporting, or
| merely hoarding the bug as a parlor trick).
|
| And so like, while I totally see how this bug could easily be
| worth at least tens of millions of dollars to _someone_, it
| isn't clear to me that finding and reporting this bug should
| imply that I would need to be paid (and "by who?" is then a
| hard question to answer even if we think this, one which
| might bleed into "and how?" a bit as the first answer is
| probably awkwardly decentralized in scope) the tens (or even
| hundreds) of millions of dollars that that hypothetical black
| hat might have figured out how to extract (which I make a bit
| theoretical as profiting from crypto hacks is harder than
| people often assume, something I touch on in my article; I
| think you might have to go for extortion, and even that
| didn't work for the Wormhole hacker)... most people simply
| aren't of the moral constitution to be black hats (which is
| probably a good thing).
|
| (In this case, the main lingering ethics question related to
| this bounty that I come back to occasionally is that there
| are projects--such as Metis--that forked Optimism and now
| _compete with it_ using Optimism's own code and vision...
| projects that (in the case of Metis) are actually of similar
| size to it (based on "total value locked", which is imprecise
| but probably the best measure here for potential impact: Defi
| Llama lists Optimism at $344M and Metis at $347M) which are
| still relying on Optimism to motivate the security efforts
| for their platform... it feels at least awkward to me that
| they should get a "free pass" here simply because their
| listed bounties were lower than Optimism's? Like, even if you
| don't think _I_ should get money from them, maybe they should
| be helping compensate Optimism?)
| mentat wrote:
| Really exceptional response. A surprising number of people
| aren't aware of moral constitution, practically, even
| though this was a core topic for at least the last few
| hundred years. Interesting times we live in.
| MarcoZavala wrote:
| berkes wrote:
| When you sell your car and someone is paying more than
| usual, should you keep looking for someone who might pay ten
| times that amount?
|
| That person is there, maybe not today, maybe not within 10km.
| But wait a few years, or drive a few thousand KM, or both.
|
| Does that make the first, already above-average offer
| 'pennies'?
|
| Of course not.
| ycombobreaker wrote:
| This post openly advocates being an accessory to fraud to
| maximize profit.
|
| The true value of exploits is NOT the cost of the damage they
| could do, because that externalizes various costs to the
| perpetrator: evade law enforcement for the rest of your life,
| lose access to friends and family, become a high-value target
| for traditional organized crime, etc. For many people that is
| a net negative, even for a 9-figure payout. And that is a
| good thing, I think.
| doopy1 wrote:
| gtfo with that. it's a generous payout.
| jbirer wrote:
| Why not just hack and watch the world burn?
| sillysaurusx wrote:
| So how many lambos are you buying?
|
| More seriously, will you keep it in the bank and extract $100k
| a year the rest of your life? What are you going to do?
| stepanhruda wrote:
| Don't forget about taxes. Most of it is getting taxed at
| least 37%
| flatiron wrote:
| Not on capital gains. At least in the US that's only taxed
| at 15% with no tiering. The deck is stacked for the
| investment class
| NovemberWhiskey wrote:
| Capital gains for higher earners are taxed at 20%, and
| also subject to the Net Investment Income Tax at 3.8%.
| harikb wrote:
| Even long term capital gain for "the investment class" is
| more like 20%. This is not even a capital gain - this is
| straight income at 35+
| SilasX wrote:
| LTCG tax for the rich is more like 23.8%, when you
| include the net investment income tax of 3.8% (which I
| had two financial advisors miss).
|
| Plus state income taxes.
|
| https://www.schwab.com/taxes/net-investment-income-taxes
| offmycloud wrote:
| If this is a reward or payment for services, it is taxed
| as regular income, not as an investment. The FICA tax
| (SS/Medicare) will either be paid by the payer (shown on
| W-2) or the payee as self-employment tax when filing a
| Schedule C.
| TomVDB wrote:
| You're wrong in many different ways:
|
| - Long term vs short term
|
| - different rates
|
| - state capital gains taxes
|
| In this case, with the receiver being a CA resident, he
| pays almost certainly more than 50% in taxes on this
| bounty.
| mentat wrote:
| I don't think big bounties are capital gains.
| bushbaba wrote:
| You forget taxes. It's roughly 1M post income tax.
| mushbino wrote:
| Closer to $1,260,000
| TomVDB wrote:
| 13% CA income tax included?
| saurik wrote:
| I do not expect to make any major expensive lifestyle changes
| as a result of having more money (and to the extent to which
| I have already been being paid better recently due to working
| on Orchid, I have only barely done so and usually only quite
| temporarily), which I realize disappoints some people who had
| wanted me to post a concrete picture of something expensive I
| purchase to help motivate others to reach for bug bounties
| ;P.
|
| (FWIW, I maybe _should_ at some point buy a car--as I
| currently waste money on renting one; pre-pandemic I was
| using a combination of ZipCar and Lyft, but both services
| suck now--but I can't imagine myself buying a pointlessly
| extravagant car; and, sadly, now is a bad time to buy a car
| anyway... which I think is related to the ZipCar issue: I
| imagine they might have sold their fleet? Maybe ZipCar will
| return in force when prices rebalance.)
| rdiddly wrote:
| I would tend to look at your use of car services more like
| spending money you can now afford, to deal with cars only
| temporarily and reap only the benefits, rather than being
| stricken with the albatross of ownership.
|
| That said, I do concur that Zipcar sucks now, compared to
| what it was. I've still never used Lyft or Uber, so can't
| comment on those. Oh wait hold on, I did try once to gift
| some Lyft rides to someone via the website and was
| literally unable to successfully give Lyft money. Still, I
| would say it makes less sense now to buy a car (even
| electric) than at any other point in history.
| jack_pp wrote:
| You can buy a very nice car that might even appreciate in
| value, so you get to have your cake and eat it too. I
| recommend you do research on this.
| rubicon33 wrote:
| For what it's worth - I love that you have this
| perspective. There's absolutely nothing wrong with just
| saving the money.
| csdvrx wrote:
| > I can't imagine myself buying a pointlessly extravagant
| car; and, sadly, now is a bad time to buy a car anyway
|
| Get a fun car that can be a hacking project :)
|
| I was suggested a police car by a friend. They are cheap at
| auctions, more or less well maintained (taxpayer money)
| and have interesting internals (check sites like
| https://www.dippy.org/upgrade/dipcop.html) especially for
| electrical circuits where a police-taxi-module lets you
| hook up to other functions.
|
| And the laptop mount is a geek dream: your laptop right by
| you, charging, which doubles as a make-do coffee table at
| the drive through :)
| jimmaswell wrote:
| I want to convert an 80s-style car to powerful electric
| someday, cyberpunk style. Z31 300ZX probably. If I had a
| lot of money like that I'd build a big garage and do
| things like that.
| worldmerge wrote:
| That sounds like such a fun project!
| dralley wrote:
| > I was suggested a police car by a friend. They are
| cheap at auctions, more or less well maintained (taxpayer
| money)
|
| Except that
|
| 1) a lot of them are Dodge Chargers which are terribly
| unreliable
|
| 2) they spend incredible amounts of time idling, which
| isn't good for the engine of a sports car
| csdvrx wrote:
| So what? If it's to have fun and hack, does it matter?
| heliodor wrote:
| Please read this thread to see the pitfalls that might
| potentially lie ahead:
| https://www.reddit.com/r/AskReddit/comments/24vo34/comment/c...
|
| It's about winning the lottery but still applicable to some
| extent, and shows how people's lives go horribly wrong.
| ge96 wrote:
| wth you can get sued for making someone else look bad by
| being better? ha
| wesapien wrote:
| One relies on solving a problem and providing a service.
| The other one relies on having the ability to go to a
| convenience store and fork over the cost of a lottery
| ticket. Not even in the same reality.
| kristofferR wrote:
| I think this link is way more useful:
|
| https://www.bogleheads.org/wiki/Managing_a_windfall
| dahart wrote:
| Boy do we have the strangest hang ups over people getting
| lucky. Your link is mostly spinning an untrue story. It's
| only a tiny collection of anecdotes, and it's cherry
| picking and mostly not true.
|
| This bankruptcy thing is a myth that seems to have been
| made up and won't die. I've looked into this in the past
| and the only stats I could find that back it up are based
| on small winnings, not large winnings, contrary to your
| redditor's claims, and the bankruptcy rates were
| temporary. Get this: the bankruptcy rates went _down_ 2
| years after winning between $50k-$150k, and then 3 years
| after that they returned back to normal. The returning
| back to normal from a low point was cherry-picked and
| reported widely as bankruptcy rates going up. Misleading,
| right? Here's the Florida study this misinformation was
| based on:
| https://eml.berkeley.edu/~cle/laborlunch/hoekstra.pdf
|
| The National Endowment for Financial Education has issued
| a press release about this bankruptcy misinformation:
| https://www.nefe.org/news/2018/01/research-statistic-on-fina...
| kingcharles wrote:
| Wow, that's depressing.
|
| I was in jail with a guy who was a total mess. Nice, but
| seemed pretty mentally-disabled.
|
| One day a new guy came on the block. "Wow, what is George
| doing in here?" "You know him?" "Yeah, I know him. He is
| one of the greatest musicians I ever met. He can play any
| instrument like a savant. I knew him a few years ago,
| just after he inherited $4m when his father passed. He
| ended up getting in drugs and everyone would hang out at
| his house." "Wow, who was his dealer?" "Who was his
| dealer?! EVERYONE was his dealer!"
|
| I'd been keeping George in coffee, because he didn't have
| a single cent on his commissary account (which is rare in
| jail, even the worst criminals usually have someone out
| there). Poor George had snorted or injected $4m of drugs
| and everyone had sold them to him and partied with him
| until all the money was gone and George's brain was
| cooked and he went around shaking his fist at the sky
| until he was arrested. And not one of his hundreds of
| "friends" would put a cent on his account.
| sizzle wrote:
| I bet if he was allowed to pick up an instrument and play
| it would be therapeutic for him. Sad story, hope he
| bounces back.
| nathanvanfleet wrote:
| A Jack Chick tract right here in the middle of a comment
| thread.
| jacquesm wrote:
| Interesting: I knew a guy that came into a lot of money.
| A serious lot. And he found that he had a whole entourage
| of new friends. Fancy house, gurus, admirers, tons of
| interesting investment proposals most of which he
| accepted. And when he died and the accounts were made up
| it was all gone. Everything. Not a single person around
| him that did not in some way take advantage of him. I
| still have a hard time getting around people not being
| able to deal with their money, especially because in this
| case it was quite hard earned. Some of the hangers on
| still haven't recovered from the fact that their 'source
| of funds' has dried up.
| boeingUH60 wrote:
| Something similar happened to Tony Hsieh, founder of
| Zappos (acquired by Amazon for $1.2B), though he still
| left a considerable fortune after death.
|
| https://news.yahoo.com/zappos-founder-tony-hsieh-didnt-17410...
| jacquesm wrote:
| That's on yet another level. But the parallels are eerie.
| I wonder how common this is.
| renewiltord wrote:
| Funny. This exemplifies the HN community and its distaste
| for startups. It's because everyone here performs total
| population averages. Perhaps it's likely that most HN
| members do behave as a total population average.
|
| I am grateful for this insight.
| capableweb wrote:
| Not sure it's actually applicable. That Reddit comment is
| about poor people winning lots of money by chance, not
| smart people earning lots of money by working. The risks
| are very different, not to say that the scale between 2
| million and 170 million is way bigger than you seem to
| think.
| heartbreak wrote:
| > is about poor people winning lots of money by chance,
| not smart people earning lots of money
|
| Assuming that was unintentional, now might be a good
| opportunity to reflect on unconscious bias.
| wonnage wrote:
| The first example he gives is an already-rich guy though
| slavik81 wrote:
| > Whittaker wasn't a typical lottery winner either. His
| net worth at the time of his winnings was in excess of
| $15 million, owing to his ownership of a successful
| contracting firm in West Virginia.
|
| That Reddit comment is not about 'poor people', though
| it's true the scale is a bit different.
| eli wrote:
| Poor people aren't stupid
| jokethrowaway wrote:
| That's a generalisation and it's invalid like all
| generalisations.
|
| That said, it's more likely that someone whose life ended
| in poverty is not as smart as someone who can live
| comfortably. IQ generally correlates with income (you can
| google a few studies).
|
| There are surely tons of reasons that can push smart
| people into poverty (bad health, poor environment leading
| to poor choices) but that shouldn't obscure the general
| trend.
|
| That said, I think over a certain IQ, other traits of
| your personality or the environment will have the
| predominant effect in determining whether you'll end up
| poor or not.
|
| Similarly, over a certain amount of money, I'm sure there
| will be more variance. Making 5k more than your peers
| doesn't mean you're smarter than them - and the fact that
| you're all able to earn a living and save some money
| means you're all smart.
| toolz wrote:
| If you're poor and gambling, then you're making a stupid
| financial decision. So the odds of you being financially
| stupid seem likely to be high.
| phphphphp wrote:
| For most people, gambling isn't a financial decision,
| it's an entertainment decision. The value of thinking
| about winning (regardless of how unlikely it is) is worth
| the $1 cost of a lottery ticket, so labelling gambling a
| "stupid financial decision" is like labelling owning a TV
| while poor a "stupid financial decision"... but poor
| people deserve entertainment as much as rich people.
| emiliobumachar wrote:
| The people who buy a _lot_ of tickets are overrepresented
| among the winners, to the exact proportion of the size of
| the ticket pile.
| toolz wrote:
| Gambling is not a human right, no one deserves to be able
| to waste resources they have no matter how much they may
| or may not enjoy it.
| teawrecks wrote:
| What? So startups should not be allowed? 90% of them fail
| after all. The odds of a startup being successful is
| literally gambling.
| toolz wrote:
| Are you being sarcastic? I said it _is not_ a human right
| - no one should guarantee anyone the ability to start a
| business as it isn't society's responsibility to pay the
| cost of some individual's risk tolerance.
|
| I'm saying the opposite of what you seem to be implying.
| I'm saying anyone can gamble or start a business, but
| it's no one's responsibility to make sure they have the
| option to do so.
| MathCodeLove wrote:
| Who are you arguing against? I don't think anyone is
| implying that gambling itself is a fundamental human
| right.
| fire wrote:
| I feel like the difference is that companies are
| generally intended to be a concerted effort of one or
| more individuals, as opposed to an actual roll of the
| dice.
|
| Like without getting into nits, you can actually directly
| effect the direction and value of a company, but you
| can't affect the roll of dice or the output of a random
| number generators.
|
| Risk in and of itself doesn't imply the entire thing is
| gambling; that said, investing by itself would be way
| closer to gambling in that context, imo
| samatman wrote:
| Time to trot out my favourite paraphrase of Babbage: I
| am not able rightly to apprehend the kind of confusion of
| ideas that could provoke such a statement.
|
| Suppose another ape and I are out enjoying the State of
| Nature, and we both should have a round troy ounce of
| silver in our pockets, with heads and tails as an agreed
| convention. Suppose I were to say to the other ape, "on
| whose face does Fortune shine her rays?" and we were to
| flip both rounds, such that whomever showed heads had the
| better of it: were it both of us, we would exchange, but
| one head and one tails, well, one ape will leave the
| gamble richer and the other skint.
|
| Tell me toolz, how should you prevent this encounter
| without committing a _human rights violation_? Show your
| work, please.
| toolz wrote:
| Why would I prevent this encounter? Did two adults
| consent to behavior they both felt benefited them? Who
| are you or I to suggest our ideals are better than
| theirs?
|
| All I've said is that you, nor I, should be responsible
| for making this behavior possible - you seem to have
| misinterpreted my intent completely if you think the
| absence of a right is the same as a mandate against
| someone's ability to participate freely as they wish with
| other consenting adults.
| kortilla wrote:
| You're confusing rights and entitlements.
| karamanolev wrote:
| I'd argue that for most gambling, it's not a decision,
| but an addiction or false hope financial decision. Those
| that treat it as an entertainment don't really gamble that
| much money.
|
| Not sure if that's true by number of gamblers, but my gut
| says it's mostly true weighed by the amount of money
| gambled away. I say mostly, because we don't count rich
| kids / oligarchs wasting money for fun, who might
| dominate the value chart.
| HWR_14 wrote:
| If I'm about to be evicted or declare bankruptcy, does
| having $1 really change anything? Meanwhile, does having
| a small chance of staying in my house change anything?
|
| It's easy to say "well, lotteries have a negative
| expected payoff". And that's true, but it can still have
| a less negative payoff than a payday loan or having your
| car repossessed.
| memonkey wrote:
| This applies to people who are gamblers.
|
| Most people who are the poorest are usually the ones who
| know exactly where their dollars are going. They can tell
| you exactly how much a carton of eggs and milk are.
| odonnellryan wrote:
| No. People buy lottery tickets for a lot of reasons. It
| is a fun bit of escapism and entertainment that costs
| just a few dollars.
|
| You're making the assumption that everyone plays the
| lottery because they think it is a smart financial
| decision.
| tomc1985 wrote:
| My only beef with lottery players is that they always
| take forever in the convenience store line.
| hunter-gatherer wrote:
| Before I read this I was thinking this exactly!
| toolz wrote:
| I don't assume nor do I have to assume anything about
| someone's intent to know that gambling is stupid.
| Entertainment can be had in so many forms today that even
| the poorest of the poor in developed countries can have
| choice paralysis from having so many options. Gambling is
| a stupid waste of resources, if you enjoy doing stupid
| things I have no moral/ethical qualms with your choices,
| but it's still stupid.
| mrep wrote:
| I don't really like gambling outside of playing poker
| with my friends but your comment is reeking with a bias
| for what you define as "Entertainment".
| faangiq wrote:
| Why don't they get jobs at FAANG then?
| throwuxiytayq wrote:
| [deleted]
| capableweb wrote:
| That's not what I said either. Again, the Reddit thread
| is about people with a small amount of money winning a
| large amount of money. A person like Saurik working for a
| bug bounty and getting paid for it is not nearly the same
| scenario.
| xeromal wrote:
| The poster you replied to didn't say stupid. He said
| money coming from work and money coming from gambling are
| going to have different outcomes.
| kortilla wrote:
| No, but they usually don't have great money management
| skills due to not having said money to manage. It's not
| any different than warning first time farmers about all
| of the ways running a farm can go bad.
| GaylordTuring wrote:
| You mean they aren't stupid by necessity or that there
| isn't a correlation on the population level?
| boeingUH60 wrote:
| Not the guy you replied to, but I don't think he was
| implying that poor people are stupid. It's more like
| people who work for their money and earn it step-by-step
| are better suited to manage and grow it further. Earning
| money gradually gives you leeway to slowly adjust your
| lifestyle to your upgraded monetary status.
|
| I'm not sure this is a sound analogy, but imagine someone
| picking up cigarettes for the first time and building up
| tolerance over time as they go from one cig a day to two,
| three, four and so on. Now, compare that to someone
| suddenly smoking 10 cigs per day. The latter person is
| more likely to get wrecked from the side effects.
|
| Edit: I checked your profile and saw that you're the co-
| founder of Industry Dive, damn. I love your newsletters
| and websites!...especially Payments and Banking Dive.
| heliodor wrote:
| I did say that it's applicable _to some extent_ and I'd
| bet that extent is more than you think!
|
| There are plenty of horror stories that are below $10
| million.
| alisonkisk wrote:
| kristofferR wrote:
| This wiki contains tons of good information about how to
| best handle the windfall:
| https://www.bogleheads.org/wiki/Managing_a_windfall
|
| Make sure to read it.
| [deleted]
| gumby wrote:
| Unless you live in the sticks, you probably aren't
| "wasting" your money by using rentals and Lyft.
|
| The problem with a car is for most people it's their most
| expensive or second most expensive capital asset, yet has a
| very low utilization rate (often less than 5%). If interest
| rates rise their op ex in servicing it (fuel, insurance,
| loan interest) will exceed that!
|
| A few years ago I sold all my cars. I found I only drove at
| all a few times a week at most (walk/bike instead). Like
| you I switched to rideshare/rent and it was fine. My
| motivation wasn't really to save money but just eliminate
| the hassle of having all those cars.
| fortran77 wrote:
| Assuming his Government will get half, are you assuming he
| will only live 10 more years?
| toyg wrote:
| 5% yoy risk-free is optimistic, realistically he can count on
| 50-60k. Close to fuck-you money but, for a lot of people, not
| there yet.
| NavinF wrote:
| Ok, but who really cares about "risk-free"? He's not
| retired. He can get double that return on average with a
| more reasonable allocation.
| sillysaurusx wrote:
| Rich people of HN, is this true? I'd always heard each
| million is worth about $50k a year. Was that just during
| boom times, or simply mistaken?
| toyg wrote:
| I'm not rich but I talk to a lot of finance people for
| work. It all depends on the degree of risk you're willing
| to accept, and it has less to do with booming than with
| central bank rates.
| zeven7 wrote:
| It sounds about right to me. The person replying to you
| is assuming you don't want to spend any of the $2 mil and
| only live on interest and being very conservative. 5% a
| year historically makes sense. Years where you don't get
| that return, you can spend some of the bank to make up
| the difference. Other years you should get a little extra
| to add to the bank. During a drought maybe you reduce
| expenses. But you should still be able to target 100k
| most years, unless you get really unlucky. (We currently
| happen to be living in a time where I think you could get
| really unlucky, 7.5% inflation and all that.)
| seanmcdirmid wrote:
| You mean in bad times when interest rates are higher, you
| can safely get that much from a million bucks. How during
| boom times when (at least these days) interest rates are
| cut to the bone, you'll have to play the market for any
| kind of decent return (and take risks associated with).
| tinyhouse wrote:
| > Not even close. There's no reliable way to get a fixed
| income, and inflation is very high.
|
| The market historically has been going up, so at least
| historically it's been reliable to get a fixed income. I
| don't think $2M is sufficient to retire very early,
| mostly because of bad years and that your initial capital
| loses value over the years, but it can generate a nice
| income and most people can have something on the side
| that generates some extra money as needed. With $4M I
| would be more comfortable retiring at 40 let's say,
| depending on cost of living of course.
| ycombobreaker wrote:
| > least historically it's been reliable to get a fixed
| income
|
| "Fixed Income" is more about structurally reliable and
| consistent returns, rather than historical average
| returns.
|
| An outlier bad year can easily wipe a huge percentage of
| capital invested in stock--but the younger you are, and
| the more buffer you have, the less likely this is to be a
| problem. But don't mistake that for fixed income!
|
| Fixed income usually refers to interest rate products,
| and as mentioned above in this thread, the inflation-
| adjusted rates have been pretty bad. Pretty much since
| the start of Quantitative Easing, I believe.
| arn wrote:
| Historically, 4% withdrawal rate is likely to last you at
| least 30 years with funds invested.*
|
| Currently people are pessimistic about stock market
| returns going forward so it could be lower (3-3.5%). And
| even lower if you want it to last longer than 30 years.
|
| * https://en.wikipedia.org/wiki/Trinity_study
| toyg wrote:
| The key is risk. Funds are definitely not risk-free. If
| you rely on funds to produce cash, chances are that, when
| 2008 happens, you get to spend a few years living on
| ramen. Sure, they might recover eventually, but in the
| meantime you have to sell the car to keep the lights on.
| toomuchtodo wrote:
| $40k/year per $1M in invested assets.
| fortran77 wrote:
| Not even close. There's no reliable way to get a fixed
| income, and inflation is very high.
| toyg wrote:
| State-issued debt from eurozone countries or the US is
| essentially risk-free. Any of them defaulting would mean
| they effectively stopped printing cash, at which point
| one should probably start growing their own chickens.
| mymllnthaccount wrote:
| >no reliable way to get a fixed income
|
| You could buy an annuity from an insurance company. A
| quick Google search shows that $2mil should buy a 40 year
| old about $70k/year for the rest of their life.
| fortran77 wrote:
| An annuity would not be a good deal unless you're in
| extremely good health and over 75 or so.
| deanmoriarty wrote:
| That would be an incredibly awful deal for a 40yo, since
| it's not inflation adjusted, so in 10 years you'll be
| kicking yourself for having converted real assets into
| fixed nominal returns.
|
| Annuities really just work well if you are 80+ and want
| to insure against longevity risk.
| fortran77 wrote:
| He can buy half a house in Sunnyvale, California. (And after
| he pays his income tax, 1/3 or 1/4 of a house.)
|
| https://www.zillow.com/sunnyvale-ca-94087/luxury-homes/?sear...
| hedora wrote:
| Don't forget the property tax. Also, some of those are
| fixer-uppers, and basic remodels are $100k's out here.
|
| Edit: Don't want to sound too negative. This is a great
| windfall. Simply sticking it into an investment account
| should pull in financial independence/retirement by 5-20
| years, depending on his age.
| fortran77 wrote:
| > basic remodels are $100k's out here
|
| My _kitchen_ remodel in 94087 cost over $100k
| csdvrx wrote:
| Hopefully, he will just keep creating interesting things, or
| even maybe use that as a seed to make his next idea come
| true, so we can all benefit from his cool hacks!
|
| Yesterday I was reading "how to drop out", to me it seemed
| like a bad plan overall:
| https://news.ycombinator.com/item?id=30318285
|
| Some people want to learn to live on the cheap to drop out,
| or to fatFIRE (which is another way to do the same).
| Personally, I love working and doing interesting things, and
| being with other people and society itself!
|
| So my personal plan is the opposite of fatFIRE: work until I
| die regardless of what happens on the side, because I enjoy
| what I do, so stopping what I do just because something
| happened on the side would be like punishing myself, then
| waiting to die out of boredom?
|
| Doesn't seem like such a bright idea to me. Maybe it's
| different (if you don't like modern society, or maybe other
| people, or the idea of work itself?)
| alisonkisk wrote:
| sprite wrote:
| Congrats. Love your work and glad you got a proper bounty!
| MarcoZavala wrote:
| gus_massa wrote:
| Congratulations.
|
| I'm not sure if this was discussed in the previous thread, but
| does the bug allow the creation of real ETH coins, or it just
| increase the counter in the Optimism database (or whatever
| system they are using)?
| saurik wrote:
| Optimism is a blockchain quite a bit like Ethereum, so the
| "database" mental model might be a bit confusing for a frame
| here (as it isn't like they are some centralized service),
| but no: this doesn't let you directly create ETH (which would
| be much _much_ more devastating); it only lets you create
| something we might call "OETH", which is Optimism-specific.
|
| The native currency on Optimism (used to pay gas, like ETH is
| used on Ethereum) is _effectively_ ETH; but, as it isn't
| Ethereum, that ETH on Optimism has to actually live on
| Ethereum: it gets locked into a contract there which acts as
| a repository/reserve for all of the ETH being used on
| Optimism.
|
| When you deposit ETH in this reserve on Ethereum you get
| credited the same amount on Optimism in the form of
| cryptocurrency IOUs (which we might call "OETH"), and you can
| later withdraw that money back to Ethereum, whereupon the
| OETH is destroyed and ETH is unlocked from the reserve
| contract.
|
| The bug here (which I go into in detail in my post-mortem,
| along with another / different description of how these
| "bridges" work) was in the VM used for the smart contract
| behaviors on Optimism, which would mean you could arbitrarily
| replicate OETH (the IOUs for ETH).
|
| For avoidance of any doubt: you couldn't use this bug to
| create an arbitrary amount of ETH/Ether, but the issue is
| that a lot of people call the money on Optimism--which is
| normally backed 1:1 with ETH--"ETH". (There is a discussion
| about what it should be called in the Ethereum chains
| database; I personally think what we need is a terminology
| for describing the full path whenever you have "ETH via an
| indirect path".)
| ro-_-b wrote:
| That's very interesting! Thanks for explaining! Let's
| assume some people would have wanted to bridge OETH back to
| Ethereum: with the potentially increased supply would it
| have meant that all the ETH on optimism could have become
| potentially worthless?
| SilasX wrote:
| But you could drain out all the ETH in the Optimism reserve
| by asking to withdraw, since you've fooled the network into
| thinking you own an arbitrary amount of OETH? Which would
| keep working until the main L1 Eth network rejects
| transactions for transferring ETH it doesn't have?
| londons_explore wrote:
| Or until someone notices...
|
| All the balances and stuff are public on the blockchain.
| It only takes one person to write a script to verify that
| the locked up amount matches the number of tokens out
| there. and when it doesn't, alert.
|
| That then means any attacker will have to be very quick
| with their theft, and if so, there is still a good chance
| whatever coins they get will end up blacklisted or the
| transactions reversed by a sufficiently large army of
| upset users who fork the eth network or the L2 network.
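The "write a script to verify that the locked-up amount matches the tokens out there" idea above, applied to the deposit/withdrawal flow saurik describes earlier in the thread, as an added example that is not Optimism's code: it replays a constructed bridge event history, accounts for withdrawals that have burned OETH but whose ETH is still locked during the one-week delay, and alerts when the reported OETH supply exceeds what the L1 reserve backs. Event kinds, amounts and timestamps are assumptions constructed for the example.

```python
"""Added example (not Optimism's code): replay bridge deposit and withdrawal
events and flag any L2 "OETH" supply that the L1 reserve does not back.
Event kinds, amounts and timestamps below are constructed."""
from dataclasses import dataclass, field

ETH = 10**18                       # wei per ETH
WITHDRAWAL_DELAY = 7 * 24 * 3600   # standard bridge L2->L1 delay, in seconds


@dataclass(frozen=True)
class Event:
    ts: int       # unix timestamp (constructed)
    kind: str     # "l1_deposit", "l2_withdraw_init", "l1_withdraw_final", "l2_supply"
    amount: int   # wei moved, or the reported OETH totalSupply for "l2_supply"


@dataclass
class BridgeState:
    l1_locked: int = 0   # ETH held by the L1 reserve contract (replayed)
    pending: int = 0     # OETH already burned on L2, ETH not yet released on L1
    alerts: list = field(default_factory=list)  # (ts, unbacked_wei)

    def expected_l2_supply(self) -> int:
        # Every OETH in circulation must be covered by locked ETH that is not
        # already owed to an in-flight withdrawal.
        return self.l1_locked - self.pending


def apply_event(state: BridgeState, ev: Event) -> None:
    if ev.kind == "l1_deposit":
        state.l1_locked += ev.amount          # bridge credits the same OETH on L2
    elif ev.kind == "l2_withdraw_init":
        state.pending += ev.amount            # OETH burned now, ETH released later
    elif ev.kind == "l1_withdraw_final":
        state.pending -= ev.amount
        state.l1_locked -= ev.amount
    elif ev.kind == "l2_supply":
        # Observed OETH totalSupply (as read from an L2 node) versus what the
        # L1 deposit history can account for.  Any excess was created on L2
        # without a matching deposit, which is the condition to alert on.
        excess = ev.amount - state.expected_l2_supply()
        if excess > 0:
            state.alerts.append((ev.ts, excess))
    else:
        raise ValueError(f"unknown event kind {ev.kind!r}")


def monitor(events) -> BridgeState:
    """Replay events in timestamp order and return the final state with alerts."""
    state = BridgeState()
    for ev in sorted(events, key=lambda e: e.ts):
        apply_event(state, ev)
    return state


# Constructed sample history: two deposits, one withdrawal, a healthy supply
# reading, then a reading showing 1000 OETH for which nobody locked ETH.
SAMPLE_EVENTS = [
    Event(0, "l1_deposit", 10 * ETH),
    Event(100, "l1_deposit", 5 * ETH),
    Event(200, "l2_withdraw_init", 3 * ETH),
    Event(250, "l2_supply", 12 * ETH),                          # 15 locked - 3 pending
    Event(300, "l2_supply", 1012 * ETH),                        # 1000 ETH unbacked
    Event(200 + WITHDRAWAL_DELAY, "l1_withdraw_final", 3 * ETH),
]

if __name__ == "__main__":
    for ts, unbacked in monitor(SAMPLE_EVENTS).alerts:
        print(f"ALERT t={ts}: {unbacked / ETH:.0f} OETH not backed by the L1 reserve")
```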
| easrng wrote:
| Just get the ETH into Tornado Cash ASAP, that should
| avoid any potential blacklisting.
| sizzle wrote:
| I mean even if you got it in there after blacklisting,
| how would they know the wallet that received it?
| pshc wrote:
| The folks at Optimism would certainly hit the pause
| button on that withdrawal before it escaped, if there
| aren't already limits and automatic controls in place. It
| takes 7 days to withdraw L2->L1 via the standard bridge.
|
| (They have administrative controls for now during
| development, at some point they're supposed to turn it
| completely permissionless...)
| SilasX wrote:
| You don't have to use the standard bridge though; I've
| withdrawn in less than five minutes using the Hop
| bridge/network, which I _think_ just involves an
| additional fee to a middleman (my L1 transaction for it
| shows it spending ~0.02 ETH). I can't speak to what
| additional checks that protocol may have that would have
| prevented conversion of excess OETH though. Here's the
| FAQ for it:
|
| https://help.hop.exchange/hc/en-us/sections/4405172442509-FA...
|
| Edit: O...kay? Apparently the parent of this comment is
| aware of alternate, much-faster ways of withdrawing
| L2->L1, and what _their_ constraints are, but still
| elected to leave those out and imply the one-week lag was
| a binding constraint?
|
| (Would have posted as a reply, but my comment rate is
| getting throttled for some reason.)
| pshc wrote:
| I've used Hop too. Transfers are naturally limited to
| however much liquidity Hop has, though.
|
| Edit: Sorry for being disingenuous and unnecessarily curt
| in my reply. I didn't mean to. I'm in some kind of weird
| zombie mode this morning.
| djangelic wrote:
| Thank you for Cydia!! Like another commenter here, it also made
| a big impression on me!
| Aulig wrote:
| Wow, really cool to see this. I remember your name from seeing
| it in Cydia all the time when I was 11 and had my iPod 2 haha.
|
| Congrats on the bounty, glad to see you don't plan on blowing
| through it mindlessly :) With a worldwide diversified ETF
| portfolio you should be able to live off of this amount of
| money indefinitely.
| mhitza wrote:
| Your postmortem page throws a "Error code:
| SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM" in Firefox under
| Fedora.
| saurik wrote:
| Hah! When I added SSL to my site a few days ago, I really
| cranked those settings hard trying to optimize for "security"
| on the Qualys SSL Server Test. Do you know what the most
| secure cipher suite you actually support is (and are you sure
| the issue isn't that you aren't merely using a particularly-
| out-of-date copy of Firefox)?
| einichi wrote:
| If his browser doesn't support any of the ciphers you have
| enabled, that's a problem with his version of Firefox
| and/or his default TLS library. These ciphers have been
| around for years and are supported by even some pretty old
| browsers.
|
| Your TLS config is good for now, unless another padding
| oracle attack comes along and makes those CBC ciphers weak
| again, or some other vuln.
|
| (your cert is expiring next month btw, might be a good
| opportunity to set up LetsEncrypt)
| mhitza wrote:
| Seems to be because of Fedora hardened policy and your site
| might be supporting SHA1 for use in signatures. One of the
| three changes with the default tweaks policy that probably
| makes sense https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2...
|
| When I set the crypto policy in Fedora to Legacy, which
| lifts those restrictions, I can visit your website.
|
| Chrome doesn't have this problem in Fedora because it ships
| with its own SSL/TLS specific things bundled (or something
| along those lines, didn't care to get deeper in the topic).
| saurik wrote:
| Interesting! I had gone out of my way to add support for
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384--because I consider
| older versions of Safari critical for my audience--but
| the way I did that dragged in
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; I've gone ahead and
| filtered out SHA1 (so maybe / hopefully this will help).
| justinclift wrote:
| As a data point, the Mozilla "SSL Configuration Generator"
| seems to be well regarded:
|
| https://ssl-config.mozilla.org
|
| I tend to use it for generating configs for static Nginx
| sites, though it can do much more. :)
| notanote wrote:
| I can confirm this issue. It's related to Fedora's crypto-
| policies which are more restrictive than Firefox. In this
| case it seems to be caused by the SHA1 DigiCert root in
| your cert chain, not by your nginx settings.
|
| Edit to add: It's possible to run update-crypto-policies
| --set=DEFAULT:SHA1 and avoid enabling the whole LEGACY
| policy.
| saurik wrote:
| Ah... OK, well, I'm not going to mess with that in the
| near future (sorry) :(. If it makes you feel any better
| (or worse!! ;P) my personal website didn't support SSL at
| all until this past week. I might reconsider the
| certificate chain I use in another month or so when I
| have to update my certificates anyway.
| fabianhjr wrote:
| No such issue under Firefox 97 on NixOS; are you using a
| recent version of firefox + ssl lib?
| mhitza wrote:
| Yes. Seems to be because of a hardened policy setting in
| Fedora, as per my previous comment
| https://news.ycombinator.com/item?id=30322615
| shawnk wrote:
| bla3 wrote:
| Cool hack and writeup!
| daqhris wrote:
| Dude that is karma points accumulated throughout your life.
| Proud that you won! I may have used and enjoyed for FREE some
| of your software while jailbreaking or bricking mobile devices
| in my university dorm room (Beijing, 2014). Stay blessed!
___________________________________________________________________
(page generated 2022-02-13 23:00 UTC)