
Tarsnap exploit bounty - zdw
http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html
======
tptacek
I will match this bounty. Colin's word on whether it should be awarded is
final, and Colin can reach out to me to tell me who I have to pay up to (or,
if the recipient would prefer, I can transfer money to Colin and he can just
double the bounty).

Colin: if you post this bounty publicly anywhere, you have my permission to
note also my commitment to match the bounty, which will remain ongoing until
either (a) your bounty changes, or (b) I notify you otherwise (which is
unlikely).

Good luck, everyone. I will be surprised and happy if this HN comment costs me
anything. :)

~~~
cperciva
Funny, I was just about to send you an email asking if you wanted to try your
hand at this, given that you're much better at this sort of thing than I am.
:-)

 _you have my permission to note also my commitment to match the bounty_

Thanks! I've updated the blog post with a link to this comment.

~~~
tptacek
Just to be candid: putting an extra $1000 into the pot is _way_ less costly
than me spending the time trying (and almost certainly failing) to get a heap
overflow in Tarsnap working (even if it were an easy one). Also: it's an easy
bet for me to make, because at the figures we're talking about, I think we
might be unlikely to attract the right talent. :P

But if there was anyone whose code I would bet on, your name at the top of the
list anyways!

~~~
cperciva
To be equally candid: I didn't think you would want the $1000, but I thought
you might enjoy the challenge. Similarly, I think the people who are most
likely to win this are going to be more interested by the puzzle than by the
money. The $1000 is there mainly as linkbait to increase the odds that the
right people hear about this.

 _But if there was anyone whose code I would bet on, your name at the top of
the list anyways!_

Well, we've already established that the code was wrong...

~~~
e12e
> Well, we've already established that the code was wrong...

Hah, it's been a while since I read:

[http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...](http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html)

Makes me feel a little less bad for the Debian issue with (way!) too low
entropy in key-generation.

Refactoring code using crypto is dangerous :-/

Have you considered creating a 2.0 on top of NaCL? I could see that it would
probably not be a good idea to _actually_ throw out all the existing tarsnap-
code etc -- I generally just mean if you'd want to move to a simple, yet
"batteries-included"/shrink-wrapped crypto library?

~~~
cperciva
That's part of why I have code in libcperciva which is shared with other
projects -- the new AESNI code in tarsnap was all tested via its inclusion in
spiped and scrypt before it came into this tarsnap release.

------
gus_massa
Just to be 200% clear: cperciva is offering $1000 for an exploit of a bug in
Tarsnap 1.0.35 that he already fixed in the current 1.0.36 version?!

~~~
cperciva
Yes. Or more precisely, for a demonstration of how the bug can be exploited --
I'm not looking for something "weaponized".

I think if someone manages to exploit this bug, the details will be very
interesting, and I think it's worth paying for "interesting".

~~~
tptacek
I also like the very public illustration of how not all memory corruption bugs
are easily exploitable (or, occasionally, meaningfully exploitable at all).

Also an illustration of how unlikely it is that serious exploit developers are
going to spend time writing a complicated Tarsnap exploit. :)

~~~
cperciva
You may be right, but I hope people won't take away the message that bugs like
this don't matter.

Fix bugs! Update your systems! If in doubt, assume that potential
vulnerabilities are exploitable!

~~~
aidenn0
My takeaway has always been "It's easier to fix a memory corruption bug than
it is to determine if the bug is exploitable"
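
Added example (editor's code, not Tarsnap's and not the 1.0.35 bug, whose
details this thread does not give): a constructed length-prefixed record
unpacker in the shape of a typical heap overflow, beside its fixed form. The
record layout (2-byte big-endian payload length, then the payload) and all
function names are assumptions for the example. The point it illustrates is
aidenn0's: whether the overflow is exploitable depends on what the allocator
placed after `out`, which the code cannot tell you, while the fix is two
comparisons.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example, not Tarsnap's code. Assumed record layout:
 * 2-byte big-endian payload length, followed by that many payload bytes.
 */

/* Vulnerable variant: sizes the copy from the attacker-controlled length
 * field and never from the buffer the caller actually allocated. A record
 * whose header claims more bytes than `outcap` writes past `out` on the heap. */
int unpack_vulnerable(const uint8_t *rec, size_t reclen,
                      uint8_t *out, size_t outcap)
{
    (void)outcap;                          /* capacity is ignored: the bug */
    if (reclen < 2)
        return -1;
    size_t n = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out, rec + 2, n);               /* may also read past rec */
    return (int)n;
}

/* Fixed variant: the declared length must fit both the bytes really present
 * in the input and the destination buffer the caller provided. */
int unpack_fixed(const uint8_t *rec, size_t reclen,
                 uint8_t *out, size_t outcap)
{
    if (reclen < 2)
        return -1;
    size_t n = ((size_t)rec[0] << 8) | rec[1];
    if (n > reclen - 2)                    /* claims bytes we do not have */
        return -1;
    if (n > outcap)                        /* exceeds the destination */
        return -1;
    memcpy(out, rec + 2, n);
    return (int)n;
}

/* Build a record whose header claims `claimed` bytes while the body holds
 * `actual` bytes of 'A'. Returns the total record length, 0 on bad args. */
size_t build_record(uint8_t *buf, size_t bufcap, size_t claimed, size_t actual)
{
    if (bufcap < 2 + actual || claimed > 0xFFFF)
        return 0;
    buf[0] = (uint8_t)(claimed >> 8);
    buf[1] = (uint8_t)(claimed & 0xFF);
    memset(buf + 2, 'A', actual);
    return 2 + actual;
}

/* Run one unpacker against a constructed record and a heap buffer of
 * `outcap` bytes. Returns the unpacker's result, or -2 on setup failure.
 * Only pass unpack_fixed for records that lie about their length: feeding
 * such a record to unpack_vulnerable is the overflow itself. */
int run_unpack(int (*unpack)(const uint8_t *, size_t, uint8_t *, size_t),
               size_t claimed, size_t actual, size_t outcap)
{
    uint8_t rec[2 + 64];
    uint8_t *out;
    int r;
    size_t len = build_record(rec, sizeof rec, claimed, actual);
    if (len == 0)
        return -2;
    out = malloc(outcap ? outcap : 1);
    if (out == NULL)
        return -2;
    r = unpack(rec, len, out, outcap);
    free(out);
    return r;
}

int main(void)
{
    printf("well-formed, 8 bytes into 16 (fixed): %d\n",
           run_unpack(unpack_fixed, 8, 8, 16));
    printf("header claims 40, body has 8 (fixed): %d\n",
           run_unpack(unpack_fixed, 40, 8, 16));
    printf("honest 32 bytes into 16 (fixed):      %d\n",
           run_unpack(unpack_fixed, 32, 32, 16));
    return 0;
}
```

Both variants behave identically on well-formed input, which is why such a
bug survives testing; the fixed version refuses the two malformed records
instead of letting the heap decide what happens.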

------
mostafah
> No bounty if you're in Iran, North Korea, or some other problem countries.

I’m a Tarsnap user from Iran. I’m not interested in these bounties anyways,
but the phrase “problem countries” feels a little strange to me.

~~~
cperciva
As elahd hypothesized, this is the trade-sanctions thing -- if someone from
Iran would win and there's some way I can legally pay out the bounty, I'll do
it, but I don't want to be in the position of owing someone a bounty but
having geopolitics prevent me from paying it.

The reference to "other problem countries" is simply because I can't keep
track of which countries are on the list right now... I'm pretty sure Iraq,
Syria, and Libya have all gone onto Canada's list at some point recently but
some or all of them may be back off the list. Sorry if it seemed a bit pithy;
given how often I see no-sanctioned-countries clauses online I figured that
residents of said countries would know if they were likely to be affected.

~~~
gpvos
I'm not from any of those countries, but the wording struck me as really
unfortunate. People from those countries could likely take it as a slight upon
themselves. I think it is fair that people, who are not causing these
"problems" themselves, identify themselves with their country because of its
history and culture, even though they possibly do not agree with their
government's policies. They already have to suffer enough because of the
policy of many Western countries towards their country.

~~~
cperciva
_the wording struck me as really unfortunate_

You're right. In hindsight I should have been clearer about the issue I was
trying to address there. I _am_ clearer in the bug bounty page on the tarsnap
website, but my blog is written in less formal language, and I allowed myself
to slip from informal into imprecise.

------
arielby
Original reporter here. I was starting to worry about whether this would ever
get fixed. I am not skilled in exploit development and I basically just found
the bug by accident, so I won't take the challenge.

------
nickpsecurity
Props to Tarsnap team for doing stuff like this. They set quite a good example
for others in design, implementation, and combating exploits. Always liked
their work. Especially the hilarious and overly-generous pricing scheme. Truly
original. ;)

~~~
grayclhn
You're going to be _even more_ impressed when you realize that "they" should
be "he." :)

~~~
koenigdavidmj
Colin actually commented a couple days ago that he finally hired a minion.

~~~
grayclhn
Oh, cool. Thanks for letting me know.

------
jessaustin
ISTM this could cost you more than $1000? Wouldn't Ariel Ben Yehuda deserve a
bonus over the $100 if the reported bug could be exploited?

~~~
cperciva
Yes, I might reassess that bounty.

------
admax88q
I don't understand why people still consider it acceptable to write security
critical software in languages like C.

~~~
sarciszewski
> I don't understand why people still consider it acceptable to write security
> critical software in languages like C.

What would you rather it be written in, a language that is itself written in
C?

~~~
geofft
Most languages I can think of that would be better than C have solid non-C
implementations. Ada has GNAT, a free software compiler that is itself written
in Ada. Rust's compiler is in Rust (and, years ago, OCaml), though it uses
LLVM, which is C++, for code generation. Go's reference implementation is I
believe fully Go, although parts are mechanically translated from C. OCaml is
mostly written in OCaml. etc.

Besides, the problem is not that C is malware, it's that it's a bad language
to write in. Once code exists in C, you _can_ make it solid
([https://sel4.systems](https://sel4.systems) is the logical extreme of that).
So using a C-language compiler but doing actual development in not-C gives you
way more defense-in-depth than doing day-to-day work in C.

~~~
vvanders
As much as I love Rust, I think it's a bit early to be using it in heavy
production.

