
/biz/ - Business & Finance



File: 37 KB, 630x630, 1538342870787.jpg
No.12632063

The firm used a severely low-level spam attack to "confirm" that spam as an attack vector was secure, but admitted that in real life a much larger spam attack will occur [and most likely crash the network].

While 3rd party review is important, it is important to look at who is doing the review. Neither Red4Sec nor their founder has any name recognition or clout in the security world. They sprung up very recently and all of their clients are cryptocurrencies, with varying degrees of legitimacy.

The report follows a basic pentest format, but has unprofessional elements scattered throughout, such as bold text, irrelevant sections (likely a template they use for literally everything), and references to sections that don't exist (Annex B). They don't show the actual results of the automated scan (thought this was the full report) and they find barely anything in the manual review (any project will have plenty of low/informational and usually some mediums). I would never give an assessment of this quality to a client.

Looking at this critically, you could be very suspicious. You should be suspicious of most everything in crypto at this point. Pentests and code audits are important, but rare because they cost 6 or 7 figures for a legitimate one. Based on the circumstances and the quality of this report, it is my suspicion that Red4Sec is a shop that offers a rubber-stamped code review for a huge discount. This report can then be marketed heavily (as Nano did) and most people don't know any better. They've also marketed this in small chunks so they get more headlines out of it. They announce the plans to do the assessment, they announce it's complete, they announce no criticals, they announce the pentest was completed, now the VA report; within a week I'm sure we'll see the pentest report of similar low quality.

>> No.12632101
File: 541 KB, 656x913, 1539011817472.png

>>12632063
>Marketed heavily
A medium post and some Reddit thread?
Dude you got hurt real bad by this coin didn't ya?

>> No.12632177

>>12632063
Can I please hear some more FUD, I feel like I am FOMOING IN. Please help me, post some screenshots of conversations of why we are being scammed please.

>> No.12632187

>>12632177
Buy at least 133 of them, that's 21 BTC of the network. Ignore the fud because miners are so fucking scared of this coin, it's ridiculous.

>> No.12632251

>>12632177
Imagine money flowing back into crypto, and completely avoiding BTC. Miners would cry.

>> No.12632282

>>12632063
Code review is a very established field with plenty of reputable vendors. It says something that they chose an unknown group instead. Reputation is important because they are responsible for their assessments. Red4Sec could close down tomorrow, open up under another name and nobody would know the difference.

The report doesn't even say the attacks are impossible:

Implicit defenses against DoS and PoW precomputation. While Section V of the specification acknowledges multiple attack scenarios which can work in tandem to cause denial of service attacks, none of the presented defenses sufficiently rule out the threats discussed.

Precomputed PoW Attack. While Nano does discuss the potential for pre-calculating Proof of Work values, no real mitigation is provided.

>> No.12632296

>>12632101
>>12632177
>>12632187
>>12632251
Lots of Nano rage comments from the monkey cage.

>> No.12632304

>>12632282
Ask yourself, why would someone spend so much time and energy fudding this. You already know the answer.

>> No.12632308

>>12632296
Please spread your wisdom. I'm fomoing in. People say buy 133 nanos and I'll make it. Should I buy?

>> No.12632341
File: 1.95 MB, 400x314, grabembythepussy.gif

>>12632063
>>12632282
The fact that they had a security test at all proves it's a legit project. Yes, the security at this moment is questionable, but don't all the projects have their own issues?

Why would they go to a high-costing audit at this point in time? Doesn't make sense. And since the company did audits of other crypto projects, why not? The Nano foundation isn't that rich, they only had 5% of the supply at the start, probably 3% left right now.

You can check this thread on GitHub: https://github.com/nanocurrency/nano-node/issues/1645 It clearly shows that the issues are being investigated and worked on.

But good that you did this checkup on the security audit.

Take care.

>> No.12632378

>>12632063
from le ledit info:

If I understood correctly, they spam tested and found Nano's defense worked, so it was fine. But they pointed out that stronger spam attacks would occur in practice. However the Nano version they tested didn't have dynamic PoW which will be a part of the protocol by version 20 I think, in a few months. My understanding is that dynamic PoW and a transaction dequeuing mechanism will defend effectively against powerful spam attacks.

>> No.12632442

>>12632282
>While Nano does discuss the potential for pre-calculating Proof of Work values, no real mitigation is provided.
Would like to hear a counter-argument to this if anyone has one.
>>12632304
>Ask yourself, why would someone spend so much time and energy fudding this. You already know the answer.
It's fun to fud bad projects. I do it often. You're not convincing me.
>why would they go to an high costing audit at this point in time
Because their reputation is in tatters and they're asking people to trust them as a large-scale money transmitter.

>> No.12632495

>>12632442
It's not FUD, the spam issue is a valid concern in the Nano camp.

If they fix this issue they become the best Delegated Proof of Stake coin there is though. (I don't really like PoS, but I have some positions in various different techs; Nano was my DPoS / PoW DAG tech bet. Not a bad one if you ask me.)

>> No.12632937

>>12632063
So they have no defence against spam attacks?
Nano is such a shitcoin!

>> No.12633529

Nano is already spam-resistant, via its requirement for every transaction to have a small Proof of Work (which a laptop can do in 2s, on around 0.000112 kWh of electricity). For any single user, that time gets lost in the noise, but for a spammer, it makes it impossible to spam at thousands of transactions per second.

Given however that a really serious spammer could get around this by renting an illegal botnet, the dev team is, right now, extending this PoW to make Nano spam-proof. As of the last release, nodes now queue transactions by PoW difficulty, so that a botnet's 2s-PoW transactions are ignored by nodes when processing those of any users willing to perform 2.1s proofs. The recommended PoW difficulty is about to become dynamic, rising only as the network nears capacity.

Wallets will select the appropriate PoW difficulty to allow the user's transaction to be processed immediately.
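The mechanism the post above describes (a per-transaction hash proof of work, nodes processing a backlog in difficulty order, and a required difficulty that rises with load), as an added toy model written for this thread and not Nano's own code. The base threshold, the linear "climb once half full" rule and the multiplier formula are assumptions chosen so the search runs instantly; only the shape of the scheme follows the post.

```python
import hashlib
import heapq
import itertools
# Assumed base threshold: a proof must hash into the top 1/16 of the 64-bit
# space, deliberately easy so the nonce search below finishes instantly.
BASE_THRESHOLD = 0xF000000000000000
MAX_U64 = 2 ** 64

def work_value(root: bytes, nonce: int) -> int:
    """8-byte blake2b over nonce||root, read as a little-endian integer."""
    h = hashlib.blake2b(nonce.to_bytes(8, "little") + root, digest_size=8)
    return int.from_bytes(h.digest(), "little")

def difficulty_multiplier(value: int) -> float:
    """How many times harder than base a proof is (1.0 = exactly base)."""
    return (MAX_U64 - BASE_THRESHOLD) / (MAX_U64 - value)

def threshold_for(multiplier: float) -> int:
    """Inverse of difficulty_multiplier: the hash value a proof must reach."""
    return MAX_U64 - int((MAX_U64 - BASE_THRESHOLD) / multiplier)

def generate_work(root: bytes, multiplier: float = 1.0) -> int:
    """Brute-force a nonce clearing the target; this search is the spam cost."""
    target, nonce = threshold_for(multiplier), 0
    while work_value(root, nonce) < target:
        nonce += 1
    return nonce

class WorkQueue:
    """Node backlog: hardest proof pops first; the minimum accepted multiplier
    climbs once the queue passes half full (assumed stand-in for dynamic PoW)."""
    def __init__(self, capacity: int):
        self.capacity, self._heap, self._seq = capacity, [], itertools.count()
    def required_multiplier(self) -> float:
        return 1.0 + max(0.0, len(self._heap) / self.capacity - 0.5) * 4
    def submit(self, root: bytes, nonce: int) -> bool:
        mult = difficulty_multiplier(work_value(root, nonce))
        if mult < self.required_multiplier():
            return False  # rejected: too little work for the current load
        heapq.heappush(self._heap, (-mult, next(self._seq), root))
        return True
    def pop(self) -> bytes:
        return heapq.heappop(self._heap)[2]

def simulate(spam_count: int = 4, capacity: int = 16) -> list:
    """A spammer floods base-difficulty blocks and one user pays 2x work;
    returns the roots in the order the node would process them."""
    q = WorkQueue(capacity)
    for root in (b"spam-%d" % i for i in range(spam_count)):
        q.submit(root, generate_work(root))
    q.submit(b"user-tx", generate_work(b"user-tx", 2.0))
    return [q.pop() for _ in range(len(q._heap))]
```

Because the spammer's proofs land at random points above the base threshold, the user's 2x proof is served ahead of every spam block that happened to clear less than 2x, which is the queuing behaviour the post describes.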

>> No.12633661

>>12632063
But Nano schizo, you don't know jack shit about any of this stuff.