130 sats \ 4 replies \ @theariard OP 14 Nov 2023 \ parent \ on: Taking a sabbatical from Bitcoin FOSS meta
Binance is a good example: their lightning node has $5 million worth of channel capacity without a public IP. And for outgoing connections, there's lots of anti- DoS proxies out there that terminate outgoing connections in such a way that people on the receiving end don't get a unique IP address to DoS attack.
I don’t need a node public IP to launch a channel jamming of your node, as long as you’re announcing your local topology to the rest of the network.
This feels like the rant of someone who is just butt hurt that their exploit didn't get > as much attention as they wanted. Or maybe they were annoyed that their "OMG > LIGHTNING IS BROKEN!" exploit got quickly fixed in multiple different ways, none > of which were invented by him.
Feel free to share your Lightning node pubkey. My pleasure to do a public demonstration of the fixes “robustness” at your own expenses. As a note, I suggested most of the fixes implemented by LN open-source maintainers.
Drama drama drama...
Lessons of human sciences, conflict is not necessarily a negative situation as it’s an opportunity for newer norms, ideas and solutions to emerge.
write
preview
0 sats \ 3 replies \ @anon 14 Nov 2023
Why don't you just release channel jamming code? If it's a real exploit, people should be experimenting with it openly.
reply
0 sats \ 2 replies \ @theariard OP 14 Nov 2023
First reason, I don’t know who you are, I have no public track records available on your intentions and what you would do with such offensive toolchain.
Second reason, I’m not your bitch and I don’t owe you this code.
As a side-note, other lightning researchers have already done demonstration of channel jamming: https://bitcoinmagazine.com/technical/good-griefing-a-lingering-vulnerability-on-lightning-network-that-still-needs-fixing
On replacement cycling attacks, I’m still looking for volunteers, you’re free to share me your lightning node pubkey, though I would need a social proof or fingerprint this is really your node and you’re fully consenting to your funds being powned as a bug bounty.
I’m sure the community will thank you for your financial contribution to the advance of Bitcoin research.
reply
0 sats \ 1 reply \ @anon 15 Nov 2023
First reason, I don’t know who you are, I have no public track records available on your intentions and what you would do with such offensive toolchain.
The fastest ways to get issues fixed is demonstrations. Same as the rest of the security industry has learned. And it may make for better fixes as more people can experiment with the issues and find ways to improve on the attacks.
reply
0 sats \ 0 replies \ @theariard OP 18 Dec 2023
As is posted on the mailing list at time of disclosure, I’ve been looking for someone among other lightning devs run and play the “defensive” side in replacement cycling attacks, in a traditional “blue / red” fashion. No one has raised the hand.
You’re still free to publish your mainet lightning node pubkey and give me your private consent for demonstration / experimentation. Beyond, I did test replacement cycling attacks locally and it was working well.
We did test some lightning attacks in the past in a real-world setup, though I think you’re missing point than you have so much known attacks affecting lightning that senior protocol devs don’t have time to test, experiment, research and fix them anymore. And as such, jeopardizing their end-users bitcoin financial interests.
reply