Blockchain software security report by China CERT, Ripple the worst

In December 2016, China CERT released a 17-page security audit report on blockchain software. According to the report, the audit was conducted in October 2016 and released later as an “open” document. The report examined 25 open-source blockchain projects and sorted the vulnerabilities found into 9 classes. A total of 746 high-level attack vectors were detected. Ripple is rated the most insecure, with over 223 highly risky bugs.

China CERT, the National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC), was founded in September 2002. It is a non-governmental, non-profit cybersecurity technical center and the key coordination team for China’s cybersecurity emergency response community. The CERT lab speaks highly of the global development around blockchain technology but also reiterates the importance of blockchain software security.

“Any vulnerability may result in huge property loss”.

The statistics in the report come from scanner tools and manual review. The report only analyzes vulnerabilities from a coding perspective. Because of restrictions in the deployment environment and security equipment, some of the vulnerabilities could not be verified by penetration testing.

Overview of the 25 projects audited
Based on user base, follower count and commit frequency, the CERT lab selected 25 blockchain projects with a well-known reputation and an extensive community both in China and abroad. The software was written in C, C++, Java, Python, PHP and other programming languages.
Below is the overview of the projects reviewed:

Table 1: Overview of 25 blockchain projects

9 vulnerability categories
The test covers a range of commonly seen security vulnerabilities, divided into 9 categories by the following criteria: the cause of the vulnerability, the likelihood of it being exploited, the degree of harm and the difficulty of fixing it.

1. Input Validation and Representation
Input validation and representation problems are usually caused by special characters, encodings and numerical representations. They arise from trusting input. Examples include buffer overflow, cross-site scripting, SQL injection and command injection.
2. API Abuse
An API is a convention between the caller and the callee, and most API abuses are caused by the caller not understanding the purpose of that convention. Security problems can also arise when an API is not used properly.
3. Security Features
This category contains vulnerabilities in authentication, access control, confidentiality, password usage and privilege management.
4. Memory Management
Memory management vulnerabilities are a common type associated with memory operations, including memory leaks, use-after-free and double free. They usually lead to performance degradation and program crashes, and are a common class of flaw in C/C++ code.
5. Time and State
Distributed computing is time- and state-dependent. The interaction between threads and processes, and the order in which tasks are executed, are often determined by shared state such as semaphores, variables and file systems. Vulnerabilities in this category include race conditions and misuse of blocking.
6. Error and Exception Handling Errors
This type of vulnerability is related to error and exception handling. The most common form is the absence of a proper handling mechanism (or errors that are not handled at all), resulting in unexpected termination of the program. Another form is an error message that gives a potential attacker too much information.
7. Code Quality
Poor code quality can lead to unpredictable behavior and lets an attacker threaten the system in unexpected ways. Common vulnerabilities include dead code, null pointer dereferences and resource leaks.
8. Encapsulation and Hidden Defects
Reasonable encapsulation means distinguishing verified from unverified data, separating the data of different users, and separating data that is visible to users from data that is not. Common vulnerabilities include hidden fields, information leakage and cross-site request forgery.
9. Flaws in the Code Runtime Environment
This type of vulnerability is external to the source code, such as runtime configuration issues and sensitive information management issues, which are critical to product security.

The first eight types are security flaws in the source code itself. They can be the target of malicious attacks and, once exploited, can cause serious consequences such as information leakage, privilege escalation and command execution. The last type describes security concerns external to the code. They are likely to cause abnormal operation of the software, data loss and other serious problems.

Rating of vulnerability

The lab classified source code security issues into three levels: High, Medium and Low. The level is measured along two dimensions, confidence and severity. Confidence is the probability that a reported problem is accurate; for example, a strcpy() call flagged as a buffer overflow has low confidence. Severity is how serious the problem would be if the finding is accurate; for example, a buffer overflow is usually a more serious security issue than a null pointer dereference. Combining these two factors gives an accurate classification of security issues, as shown in Figure 1.

[Figure 1: Confidence and severity]

Ripple the most insecure project
746 high-level and 3,497 medium-level bugs were detected among the 25 projects, with Ripple taking the lead with 223 highly risky loopholes. Figure 2 shows the statistics of high- and medium-level security vulnerabilities detected in the 25 projects. The red line indicates the number of vulnerabilities per thousand lines of code (total number of bugs / code lines * 1000).

Figure 2 Statistics of vulnerabilities detected in 25 projects

“It is noteworthy that among all the projects being audited this time, Ripple is likely to be the most widely used one with the most users. At the time of writing, the software company has received 100 million USD in investments from Google and Accenture. Some large financial institutions have announced that they are joining the payment network, including Standard Chartered, Westpac, Shanghai Huarui Bank and so on. Given the fact that Ripple is directly dealing with financial assets, should these loopholes be exploited by hackers, the institutions may suffer unimaginable losses.”

Ethereumj comes second with 110 high-level vulnerabilities. Bitshares contains 4 high-risk bugs and 665 medium ones, the highest medium-level count among all projects.
Ethereum Wallet, Hlp-candidate and OmniJ are found to have zero or only one high-level bug and are therefore considered the most secure of all the projects audited.

High-level vulnerability Analysis

Most of the vulnerabilities fall into the category of “input validation and representation”, which mainly result from incomplete verification of user input. Malicious input may trigger arbitrary command execution, full access to files and other serious security issues.

[Figure 3: Distribution of high-level vulnerabilities]

“For example, some Java blockchain software, like Ripple, uses the JNI framework to call other languages such as C and C++ to manipulate memory and other operating system resources, bypassing Java’s memory protection mechanism and making the program vulnerable to buffer overflow attacks.”

Another high-frequency category is “code quality”, which results from “the lack of security awareness of developers” and “unstandardized coding”. Such vulnerabilities may lead to memory overflow, resource exhaustion and other security concerns; in the worst case the system operates abnormally or crashes. As blockchain software is often integrated into the operating systems of financial institutions, a system crash would bring intolerable losses.
“Security features” also accounts for a certain percentage of vulnerabilities; these mainly cover identity authentication, authorization management, password management and other issues. Attackers can exploit such loopholes to gain unauthorized access and steal private information. Encryption is the core function by which blockchain software maintains the integrity of the entire ledger. However, the test results show a number of “unsafe random number” issues, which compromise the software’s resistance to cryptographic attacks.

JNI and random number generator vulnerabilities
Across the 25 projects tested, the two most common types of vulnerabilities are insecure JNI (16.22%, 121) and insecure random numbers (21.72%, 162).

Figure 4 Allocation of Medium and High Vulnerabilities (by specific categories)

1. Insecure JNI (under the category of “input validation and representation”)
When a Java application uses JNI to call code written in another programming language, improper calling can expose the Java application to the security weaknesses of that other language. Java provides a memory protection mechanism, but it does not apply to code written in other languages and accessed through the Java Native Interface (JNI). The proposed precaution is to carefully review the native-language operations invoked from the Java code and to implement rigorous input validation.

2. Insecure random number (under the category of “security features”)
In a security-demanding environment, using a function that returns predictable values as a source of random data weakens the system’s resistance to cryptographic attacks, resulting in serious vulnerabilities such as easily guessed passwords, predictable encryption keys, session hijacking and DNS spoofing.
Precautions: a cryptographic pseudo-random number generator should be used, seeded with the information of highest available entropy. If high-entropy information is not available, the threat can be reduced by re-seeding the cryptographic pseudo-random number generator.
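The rating scheme from Figure 1 and the two top findings above (insecure JNI, insecure random numbers), as an added example that is not part of the CERT report or of any audited project: a toy static-analysis triage in Python that scans constructed Java and C snippets, grades each hit on confidence and severity, and computes the high/medium counts and the per-thousand-lines density used in Figure 2. The regex rules, the SECURITY_HINTS list and the sample files are all assumptions constructed for this example.

```python
"""Toy static-analysis triage in the style of the CERT report.

Added example, not code from the CERT report or from any audited project.
It scans constructed source snippets for the two most frequent high-level
findings named in the report (insecure JNI, insecure random numbers) plus
the strcpy() case the report uses to illustrate low confidence, grades each
hit on the report's two axes (confidence and severity), and then counts
high/medium findings and the per-thousand-lines density from Figure 2.
"""
import re
from dataclasses import dataclass

# Each rule: regex, category, base severity, base confidence (all assumed).
RULES = [
    # A `native` method declaration hands control to C/C++ through JNI,
    # where Java's memory protection no longer applies.
    (re.compile(r"\bnative\b[^;]*\("), "Insecure JNI", "high", "high"),
    # java.util.Random and Math.random() are predictable PRNGs.
    (re.compile(r"\bnew\s+Random\s*\(|\bMath\.random\s*\("),
     "Insecure random", "high", "medium"),
    # strcpy() is only an overflow if the bounds are wrong, so the report
    # rates this pattern low confidence.
    (re.compile(r"\bstrcpy\s*\("), "Insecure string function", "high", "low"),
]

# Words that suggest the random value feeds key material (assumed list).
SECURITY_HINTS = ("key", "seed", "nonce", "secret", "token", "password")


@dataclass
class Finding:
    file: str
    line: int
    category: str
    severity: str
    confidence: str
    level: str  # "high", "medium" or "low": the report's three levels


def rate(severity, confidence):
    """Combine the two axes as Figure 1 does: only a high-severity,
    high-confidence hit becomes a high-level finding."""
    if severity == "high" and confidence == "high":
        return "high"
    if severity == "high" or confidence == "high":
        return "medium"
    return "low"


def scan(name, text):
    """Return the findings for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//")[0]  # ignore trailing line comments
        for rx, category, severity, confidence in RULES:
            if not rx.search(code):
                continue
            # Context raises confidence for the random rule: a Random fed
            # into key or seed material is very likely real; a Random used
            # for a retry delay most likely is not.
            if category == "Insecure random" and any(
                    h in code.lower() for h in SECURITY_HINTS):
                confidence = "high"
            findings.append(Finding(name, lineno, category, severity,
                                    confidence, rate(severity, confidence)))
    return findings


def summarize(sources):
    """Return (high, medium, per_kloc, findings) like the report's Figure 2:
    per_kloc = (high + medium) / lines * 1000."""
    findings, total_lines = [], 0
    for name, text in sources.items():
        total_lines += len(text.splitlines())
        findings.extend(scan(name, text))
    high = sum(f.level == "high" for f in findings)
    medium = sum(f.level == "medium" for f in findings)
    per_kloc = (high + medium) / total_lines * 1000 if total_lines else 0.0
    return high, medium, round(per_kloc, 1), findings


# Constructed sample inputs; these are not excerpts of any audited project.
SAMPLES = {
    "Wallet.java": """\
import java.util.Random;
public class Wallet {
    private native byte[] signNative(byte[] msg, byte[] key); // JNI into C++
    byte[] newSeed() {
        byte[] seed = new byte[32];
        new Random().nextBytes(seed);   // predictable key material
        return seed;
    }
    long backoffMillis() {
        return (long) (Math.random() * 1000);   // harmless jitter
    }
}
""",
    "peer.c": """\
#include <string.h>
void set_name(char *dst, const char *src) {
    strcpy(dst, src);   /* bounds unknown to the scanner */
}
""",
}

if __name__ == "__main__":
    high, medium, per_kloc, findings = summarize(SAMPLES)
    for f in findings:
        print(f"{f.file}:{f.line} {f.level:>6} {f.category} "
              f"(severity={f.severity}, confidence={f.confidence})")
    print(f"high={high} medium={medium} per-KLOC={per_kloc}")
```

On the sample input only the JNI declaration and the Random-seeded key material are rated high; the Math.random() jitter and the strcpy() call land at medium, which is the confidence axis doing its work.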

Medium-level vulnerability analysis
Medium- and low-risk vulnerabilities may present less risk in the real operating environment. However, these bugs reflect code quality and, to some extent, the developers’ security awareness. Figure 5 shows the distribution of security vulnerabilities. Although the medium-level problems will not lead to serious security vulnerabilities on their own, they still pose a significant threat to the system; if exploited, they may lead to serious risks such as a system crash. A possible cause is that some of the tested versions are intermediate versions that have not yet been officially released, leaving residual “work-in-progress code”.

[Figure 5: Allocation of all security vulnerabilities]

Figure 6 further breaks down the various security vulnerabilities. Note that 87 vulnerability types with fewer than 10 occurrences each, such as “inappropriate type conversion”, “residual debugging information” and other code quality and API-related vulnerabilities, are grouped as “Others” to simplify the presentation. The two most common vulnerabilities are unused local variables (13.94%, 1,181) and insecure string functions (13.20%, 1,118). At the end of the report, countermeasures for these two bugs are also proposed.

[Figure 6: Allocation of all security vulnerabilities, by specific type]

The report is the first security audit of its kind conducted by a Chinese national cybersecurity institution. The sheer number of bugs may present a setback to potential adopters.

“The 746 high-level vulnerabilities reveal that there are serious safety risks that must not be ignored.”

Feedback from developers is expected to clarify the situation.

Chinese report and PDF file download.

Update: Ripple released an official response to the CERT report.

Comments (132)

  • BitcoinAllBot
    4 months ago BitcoinAllBot

    Here is the link to the original comment thread. Or you can comment here to start a discussion. Author: 8btccom

  • rancymancy
    4 months ago rancymancy

    The report claims to analyse over 1 million lines of code across 8 languages and 25 projects. That’s a mammoth undertaking if you’re actually going to do it properly. Most of the projects would be so far advanced from the point they were tested by the time the report is completed that any results it turned up would likely be inapplicable anyway, and unless they specifically employed members of the projects themselves to help them understand the subtleties of the respective codebase – I can’t see how they could even do it.

    The real-world test of vulnerabilities in software is whether there’ve been exploits. Further, if there is money to be made by exploits, it’s extremely likely they will have been used. It’s possible to run analysis software with no understanding of the codebase being analysed and turn up false positives all day (what I suspect was done). Ripple has been running as a live distributed exchange and payment network for four years, and hasn’t been hacked despite almost a quarter billion dollars worth of motivation to. To me that casts significant doubt on the relevance of this report.

  • captchu
    4 months ago captchu

    That confirms my worries. Thanks for sharing.

  • OldFartWithBeard
    4 months ago OldFartWithBeard

    We need more of those! While such software audits are not the be-all-end-all they do give us a nice reality check, and comparing projects such as in this report gives me new insights.

    Seeing that this is by a CERT, can we safely assume that CVEs have been created for all these vulnerabilities? Does the Chinese text mention this?

    • OldFartWithBeard
      4 months ago OldFartWithBeard

      Well, this is turning into a disappointment…

    • Batsukh
      4 months ago Batsukh

      May I ask what’s CVE?

  • HandyNumber
    4 months ago HandyNumber

    Good link!

    I’m not sure how rigorous that report is, but that result doesn’t look good for Ripple. Were they asked for input/comment?

    Not surprised that Ethereum is high – a smart contract platform must have a much much higher attack surface than cryptocurrencies which are value-exchange only.

    I’d expect value-exchange only x-currencies such as Bitcoin to be lower.

  • lakerz690
    4 months ago lakerz690

    China is sketchy as fuck and that entire country is full of propaganda. They’ll lie about anything just to profit from it. That being said, don’t believe anything these clowns say.

  • karalabe
    4 months ago karalabe

    Hmm, so there are two major players in Ethereum land, and they opt to audit a third implementation. Seems a bit odd 😛

  • TonyMcCarp
    4 months ago TonyMcCarp

    Ethereum Wallet, Hlp-candidate and OmniJ are found bearing zero or only one high-level bugs and therefore considered the most secure projects among all units being audited

  • CommodoreHodlor
    4 months ago CommodoreHodlor

    this is what you would call ‘signalling’. It’s a major one at that.

  • itsnotlupus
    4 months ago itsnotlupus

    Tantalizing, but stops short of interesting for me without an English version of the study.

    I don’t really care about pie charts and graphs when it comes to security problems. I care about the actual problems.

    230 high severity problems in Ripple sounds really bad, but what does it actually mean? Is not checking the length of a textfield in a native client UI considered a severe input validation bug, same as letting a network packet overflow a buffer?

    Security audits are notoriously difficult. Did they really do one on all those projects, or did they just run a generic tool and use its output?

    If this is a serious study, I hope an English translation pops up soon.

    • homakov
      4 months ago homakov

      Looks very lame visualization of automated scan. 230 high severity problems? This article is a joke.

    • 8btccom
      4 months ago 8btccom

      That’s basically the whole report. Only a little omission at the end.

  • xedd
    4 months ago xedd

    “It is noteworthy that among all the projected being audited this time, Ripple is likely to be the most widely used one with the most users. At the time of writing, the software company has received 100 million USD investments from Google and Accenture. …”

    This is a surprise to me… Most widely used?

  • 3esmit
    4 months ago 3esmit

    They should have added Geth and Parity, guess they didn’t want to pump ethereum, so they just didn’t add those. BTW, EthereumJ seems great.

  • sjoelkatz
    4 months ago sjoelkatz

    Nik Bougalis posted a response to this a few days ago: https://www.xrpchat.com/topic/2674-fud-or-legit/#comment-24048

    The short version is this: We run these same kinds of tests ourselves. Automated testing tools produce lots of false positives. Also, their reference to JNI (which has no applicability to rippled whatsoever) suggests they may have scanned repositories other than rippled that contain unsupported or experimental tools that don’t have any security implications anyway.

    • 8btccom
      4 months ago 8btccom

      Thanks for the pointer.

  • gjsteele71
    4 months ago gjsteele71

    I think the study is worthless because they did not compare enough currencies and their personal opinions played a role in the decision, but if you are bored…

  • rancymancy
    4 months ago rancymancy

    I’m really dubious of this report. Here are four reasons:

    1) The claims are too big. Accurately analysing over 1 million lines of code, in 8 different languages and 25 projects for this many vulnerabilities would be a huge undertaking. How could this have been done accurately without understanding the subtleties of each codebase? It seems highly likely they’ve used software to automate analysis – but you can run analysis software on code and turn up false-positives, errors that simply don’t apply to your use case, etc – as much as you want. Unless you’re intimately familiar with the codebase in question, it’d be difficult to configure such software to return applicable, trustworthy results.

    2) Real-world results. In the case of Ripple for instance, it’s been running as a distributed value exchange for four years, and hasn’t had one instance of hacking, or even spam attacks. In terms of real-world experience, it seems to be one of the most secure, or at the very least, demonstrably less susceptible to attack than Ethereum for example, at least in the spam category.

    3) The unclaimed prizes. Most of these projects involve value-exchange. In Ripple, there’s a quarter billion dollars worth of motivation for someone to make money out of these “223” vulnerabilities, and they expect us to believe that hasn’t happened even once?

    4) If it’s true, why not give the teams the chance to fix their code? If they truly believe their own claims, it’s tremendously irresponsible not to contact the teams involved and provide them with the details of the exploits. To my knowledge, that has not occurred. To me that makes the authors either trustworthy and also a bunch of total a**holes, or just not trustworthy.

    TL;DR – some untrustworthy people have misused code analysis software to make sensationalist claims.

    • 8btccom
      4 months ago 8btccom

      Very good arguments. We will try to forward your opinion to the author.

      • rancymancy
        4 months ago rancymancy

        Thank you, I’d be interested to hear his thoughts.

        Also, David Schwartz of Ripple has just posted an official response on the Ripple website.

  • GBG-glenn
    4 months ago GBG-glenn

    A LOT of financial institutions are working with Ripple, and experimenting to see if it could be used as a new type of “settlement system”. I guess one of the reasons is because it’s one of the most centralized crypto-projects out there. It could also reduce operating costs by 60%.

  • MrDuke67
    4 months ago MrDuke67

    Here you can find more info on this “affair”.

    https://www.xrpchat.com/topic/2674-fud-or-legit/

  • Hueristic
    4 months ago Hueristic

    Quote from: dranster on January 13, 2017, 03:01:00 AM
    Most inaccurate title…..  Did you learn your English from a baby or u must be an illiterate..BTS is the most secure blockchain

    Red Herring much? Thanks for that post OP!

  • Hueristic
    4 months ago Hueristic

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/
    “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

    Looks like their response is the illiterate one of the two. Fixed that first one for them. And further, am not touching that last sentence.

  • tommytrain
    4 months ago tommytrain

    Please qualify “most centralized”, in terms of development team and current network topology, yes, but since individual banks prefer to not share data or control with other banks on the network it can be used in an entirely decentralized manner, I.e. With privately issued tokens the way rippleConnect allows bank branches to trade internal self issued currency for inter-branch ledger reporting, balancing, and settlement.

    The “Centralized” bogeyman is a nebulous red-herring without context.

  • tommytrain
    4 months ago tommytrain

    Copy pasta of Ripple dev NikB’s response over at XRPchat:

    Just to reiterate what I wrote in the chatbox and was pasted above in convenient image form:

    I routinely run static and dynamic analysis on the rippled codebase – there have been no critical vulnerabilities discovered through that process, and the things that have been found are usually false-positives or intentional (e.g.: a case statement not terminated by a break, when the intention is to fall through to the next). In addition to using automated scanning tools, manual reviews of the code by multiple people have failed to identify a single vulnerability, and the minor things that have been found (typically, variable shadowing or throw clauses outside a try block when the intention is to invoke terminate) have long been fixed. I doubt that a single, actual vulnerability has been identified in rippled. But if they will produce specifics, then I’m happy to take a closer look.

    Now, let me be a bit more specific: the latest static analysis run was against 0.50.0-b1; before human review, the static analyzer determined that the defect rate of rippled was 0.58 – this is below the 0.7 that is typical for open source projects. This figure is not only before a human reviews the results to weed out the false positives but includes things which may not even be bugs.

    Let’s break it down a bit more: in the last static analysis run, 10 items were identified as “high priority” issues; some were in external sources. After review, every single one was either a false-positive, caused by the analysis engine proceeding down an impossible code execution path, or intentional.

    Most of the medium and low priority items involved members variables that the analyzer reported were not initialized inside constructors: of those, approximately 60% were, properly, initialized by the member variable’s own default constructor. The rest were, intentionally, left uninitialized either because an appropriate value was not available or because it was not needed.

    Manual inspection revealed that in all those instances the variables are properly initialized by a write before being actually read. The “low priority” issues focused mostly around indentation involving our use of  the JLOG macro.

    After triage and weeding out of false-positives and intentional items identified as high priority, and just a few of the “medium priority” items that are the result of the analyzer not properly understanding the semantics of the code, the defect ratio plummets to ~0.2. What still remains is… well… not very much and it would be possible to eliminate them with some changes to the code base, but some of those changes might impair the overall readability and structure of the code.

    I’d rather not inconvenience humans for the benefit of a program.

    Ironically enough, our code auditing and static analysis efforts have found more bugs with external code than with rippled code. For example, we identified and fixed defects with RocksDB (https://github.com/facebook/rocksdb/pulls?utf8=%E2%9C%93&q=is%3Apr%20is%3Aclosed%20author%3Anbougalis) and Boost Coroutines (https://github.com/boostorg/coroutine/pulls?utf8=%E2%9C%93&q=author%3Anbougalis). At least bugs are getting fixed, right?

    Anyways, to make a long story short, there are two points I want to make:

    If the number quoted in this study is supposed to represent vulnerabilities in the rippled C++ codebase, then I can only imagine that someone ran the code through a static analysis engine with the settings cranked to high and blindly copied a number without doing any manual review or triage of the code. As such, the figure is not only unreliable but useless.

    My coworkers on the C++ team, through hard work during development and harder work during review, produce code of exceptional quality. And we go beyond careful coding and thorough internal reviews: we use various different static and dynamic analysis tools and other techniques to continually audit the codebase and ensure its short- and long-term health.

  • ShadowOfHarbringer
    4 months ago ShadowOfHarbringer

    I don’t know about the tests, but is Ripple still a thing ?

    I mean seriously, who even uses that thing ? What is even the point of it existing ?

    • Schleicher65
      4 months ago Schleicher65

      Looks like it is still a thing.
      https://www.bitstamp.net/article/bitstamp-introduces-xrp-trading/

    • rancymancy
      4 months ago rancymancy

      Who uses it? How about this list?

      As for the point of it, it’s a distributed and (at least potentially) decentralised exchange. It’s like Bitstamp or Poloniex except that users have the ability to choose for themselves which assets can be traded (you can issue your own coin in a single transaction), and unlike one of those centralised exchanges, the accounts and transaction databases are truly secure and can’t be hacked, in the same way properly derived and stored Bitcoin accounts can’t be. It’s positioned well to become the de facto upgrade the core of the banking system of value transfer between institutions. Currently, banks using it can save up to 60% in settlement costs. It also has a “block-time” of 3-4 seconds, so transfers as cryptographically secure as Bitcoin can happen in near real-time. * (“block-time” isn’t really the right term given the way Ripple works, but it’s analogous enough.)

      It’s very useful. I also use it, and there is an active user base at the above linked forum. Ripple has been largely in a testing and R&D phase for the past couple of years whilst also working behind the scenes to forge banking relationships and overcome significant regulatory hurdles – something that may likely end up benefiting other blockchain and crypto projects.

  • kelsey
    4 months ago kelsey

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    expressly state that this report identifies no actionable items

    well i can think of at least one painfully obvious reason why

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    and our review, in response to it, found none either.”

    which validates the rating

  • PetarPetrovicTrades
    4 months ago PetarPetrovicTrades

    Well if they released the paper covering their tests we should bring this to doge dev team to look at these vulnerabilities as they are not welcomed here.

  • sciototrails
    4 months ago sciototrails

    Out of the 25 they charted dogecoin ranked 21st for having the most vulnerabilities. If I am reading the chart right. Title is misleading because CERT is according to the article independent of the government.

  • FranklinScudder
    4 months ago FranklinScudder

    most github stars (rightmost column)

  • tomcarbon
    4 months ago tomcarbon

    seems like a pretty decent report card. Pretty hard not to see the word DOGECOIN at the top of the list. I like the placement.

    +/u/dogetipbot 98 doge verify

  • dogetipbot
    4 months ago dogetipbot

    [wowsoverify]: /u/tomcarbon->/u/sciototrailsÐ98Dogecoins ($0.0192913)[help]

  • hl5460
    4 months ago hl5460

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/
    “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

    That’s really quick response.

  • 8btccom
    4 months ago 8btccom

    That’s correct. CERT believed that’s the most popular one.

  • 4 months ago JoelKatz

    I have now posted an official response to this report. https://ripple.com/dev-blog/response-china-cert-report/

    An excerpt: “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

    • 4 months ago Joy

      Hey, glad ripple has given the response. 8btc has a Chinese news site. I wish 8btc could translate Ripple’s response into Chinese and see how CERT will answer back. I think it’s a good thing for CERT to report its audit on blockchain software. Oversight from outside and discipline from inside all contribute to high-quality software. Of course, outside monitoring should disclose more details.

      • 4 months ago JoelKatz

        We are having it translated and will forward it both to 8btc and to the authors of the report.

        This kind of automated testing produces almost entirely false positives. You do it because it might find one or two real issues in the hundreds of things it detects and that makes it worth it. When you run these kinds of tools on projects that already use them, they will produce nothing but false positives because all the issues that can be found by these tools have already been found.

        The rippled code is open source. That’s why these guys were able to run these tests without our cooperation. Anyone can do it. And if they find an exploitable bug, they can exploit it to steal assets. Or they can report it to us to claim a bug bounty.

        There are not going to be a number of bugs that are this easy to find that have actual security implications. There are probably real bugs in there, no software is perfect, but you can’t count them this easily.

  • dawangzi
    4 months ago dawangzi

    omni=holy shit

  • sjoelkatz
    4 months ago sjoelkatz

    I have now posted an official response: https://ripple.com/dev-blog/response-china-cert-report/

    The key part: “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

  • GeriGeriGeri
    4 months ago GeriGeriGeri

    http://imgur.com/a/mffsA

  • shibe5
    4 months ago shibe5

    Interesting, Dogecoin has much more lines of code than Litecoin.

  • Spoetnik
    4 months ago Spoetnik

    Quote from: jacafbiz on January 13, 2017, 09:03:28 AM
    There are some things common to both Ripple and Bitshares:
    1. Both are Proof of Stake coins
    2. Both have more than  billion tokens
    3. Both are centralised
    I’m not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

    How about crooked unfair rigged launches ? Does that interest you ? Funny how i never hear anyone bring up that shit.. Doesn’t seem to matter if Zcash has a genius tax for example. The only REAL question is.. how much ROI’z can i get at Polo for them ?

  • Astrosin
    4 months ago Astrosin

    Yeah, noticed too. Maybe it’s trajectory calculations already on board for this moon thing….

  • MrDuke67
    4 months ago MrDuke67

    The official response from Ripple by David Schwartz:

    https://ripple.com/dev-blog/response-china-cert-report/

  • llildur
    4 months ago llildur

    like a boss 🙂

  • OldFartWithBeard
    4 months ago OldFartWithBeard

    It is an international naming system for found security vulnerabilities. ‘a CVE’ is shorthand for one such assigned name.

    https://cve.mitre.org/

    https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

  • -o-o-o
    4 months ago -o-o-o

    Bruce Wanker has not weighed in yet I think I’ll wait for his opinion.

  • dazlightyear
    4 months ago dazlightyear

    Just in case anyone was taking this report seriously, here is the official Ripple response:

    https://ripple.com/dev-blog/response-china-cert-report/

  • dranster
    4 months ago dranster

    The OP does not know how to read reports. BTS2.0 is the most secure blockchain project as per that report: https:[email protected][email protected]e-ripple-is-the-least

  • hl5460
    4 months ago hl5460

    In December 2016, China CERT released a 17-page security audit report of blockchain software. As per the report, the audit was conducted in October 2016 and released later as “open” document. The report examined 25 open-source blockchain projects, categorizing the vulnerabilities found into 9 classes. A total of 746 high-level attack vectors are detected. Ripple is rated the most insecure one with over 223 highly risky bugs. http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst

  • JoelKatz
    4 months ago JoelKatz

    My official response is here: https://ripple.com/dev-blog/response-china-cert-report/

    TL;DR: It looks like they just ran a static analysis tool against a combination of security sensitive and irrelevant code, totaling the number of potential issues detected by automated, static analysis. This is almost completely meaningless because the vast majority of issues reported by such tools are false positives with no actual security implication. But it’s doubly meaningless when you use it on code that already uses that exact same methodology because every issue that can be identified by this method has already been found and fixed.

  • JoelKatz
    4 months ago JoelKatz

    Quote from: kelsey on January 13, 2017, 04:20:34 AM

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    expressly state that this report identifies no actionable items

    well i can think of at least one painfully obvious reason why

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    and our review, in response to it, found none either.”

    which validates the rating

    Did you read my reply? Their methodology appears to be totaling the number of potential issues detected by automated, static analysis. This is almost completely meaningless because the vast majority of issues reported by such tools are false positives with no actual security implications. But it’s doubly meaningless when you use it on code that already uses that exact same methodology because every issue that can be identified by this method has already been found and fixed. In fact, due to our use of this very same methodology, we’ve found and fixed bugs in third-party libraries we use such as RocksDB and Boost.
    https://github.com/facebook/rocksdb/pull/333
    https://github.com/boostorg/coroutine/pull/20

  • Hueristic
    4 months ago Hueristic

    Quote from: dranster on Today at 03:01:00 AM
    Most inaccurate title….. Did you learn your English from a baby or you must be illiterate.. BTS is the most secure blockchain

    Red Herring much? Thanks for that post OP!

  • Gekko463
    4 months ago Gekko463

    Relative price stability, volume and market cap make it a good way to launder thousands of dollars, if not millions anymore into BTC to move on out.

  • dadingsda
    4 months ago dadingsda

    Quote from: jacafbiz on January 13, 2017, 09:03:28 AM
    There are some things common to both Ripple and Bitshares:
    1. Both are Proof of Stake coins
    2. Both have more than  billion tokens
    3. Both are centralised
    I’m not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

    Why is BTS centralised?

  • Hueristic
    4 months ago Hueristic

    Quote from: JoelKatz on Today at 03:19:55 AM
    We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/
    “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

    Looks like their response is the illiterate one of the two. Fixed that first one for them. And further, am not touching that last sentence.

    • 4 months ago JoelKatz

      Do you disagree with our assessment that they just counted the number of potential issues reported by automated detection software without actually looking at whether the potential issues were actual issues with security implications?

  • Spoetnik
    4 months ago Spoetnik

    Quote from: dadingsda on January 13, 2017, 10:26:39 PM

    Quote from: jacafbiz on January 13, 2017, 09:03:28 AM
    There are some things common to both Ripple and Bitshares:
    1. Both are Proof of Stake coins
    2. Both have more than  billion tokens
    3. Both are centralised
    I’m not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

    Why is BTS centralised?

    Because it’s another ICO scam.

  • abolish_karma
    4 months ago abolish_karma

    NUMBER #1! NUMBER #1!

  • Spoetnik
    4 months ago Spoetnik

    All i would have to think about Ripple is if the system is controlled by a central closed source point.. then if that point is exploited then the whole entire thing falls apart like a house of cards. Then we could end up with another GOX or Cryptsy going on where they would end up lying for ages and cooking the books behind closed doors. I would say those are the last coins on earth i would touch. I have never owned a Ripple coin or Bitshares nor would i. All records of my activity on any site would prove this easily too. I don’t support ICO scam scheme coins for profit. Guys, just imagine all those Big Banks the Ripple guys say are using Ripple.. What happens with them when they get hacked ?

    • 4 months ago JoelKatz

      There is no central closed source point. All the source code used to operate the network is public. There is no way to cook the books (unless there’s a bug in the public, open source code) because the only way to change a balance is to provide a transaction signed by the owner of that balance. That’s the fundamental design concept for pretty much all public ledger software.

  • abolish_karma
    4 months ago abolish_karma

    For some reason it’s pretty enjoyable seeing an operational tipbot, all the while most other tipbots (including several bitcoin ones) have given up the ghost.

  • jacafbiz
    4 months ago jacafbiz

    There are some things common to both Ripple and Bitshares:
    1. Both are Proof of Stake coins
    2. Both have more than  billion tokens
    3. Both are centralised
    I’m not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

  • dranster
    4 months ago dranster

    Most inaccurate title….. Did you learn your English from a baby or you must be illiterate.. BTS is the most secure blockchain

  • JoelKatz
    4 months ago JoelKatz

    We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/
    “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

  • buwaytress
    4 months ago buwaytress

    Always healthy to have as much scrutiny from as many different sources, independent and otherwise. Is Ripple the only one who finds the report and its methodology flawed and, therefore, unactionable? I find it unlikely that ALL these would result in false positives and it seems even Ripple concurs.

  • lethos3
    4 months ago lethos3

    Notice the amount of critical bugs in Bitcoin clones; all you had to do is merge updates from Bitcoin. Altcoins are a failure.

  • kelsey
    4 months ago kelsey

    Quote from: JoelKatz on Today at 03:19:55 AM
    expressly state that this report identifies no actionable items

    well i can think of at least one painfully obvious reason why

    Quote from: JoelKatz on Today at 03:19:55 AM
    and our review, in response to it, found none either.”

    which validates the rating

    • 4 months ago JoelKatz

      Did you actually read the reply that you’re criticizing?

      Their methodology appears to be totaling the number of potential issues detected by automated, static analysis. This is almost completely meaningless because the vast majority of issues reported by such tools are false positives with no actual security implications. But it’s doubly meaningless when you use it on code that already uses that exact same methodology because every issue that can be identified by this method has already been found and fixed. In fact, due to our use of this very same methodology, we’ve found and fixed bugs in third-party libraries we use such as RocksDB and Boost.
      https://github.com/facebook/rocksdb/pull/333
      https://github.com/boostorg/coroutine/pull/20

      Do you disagree with our assessment that this was their methodology? Or do you want to defend that methodology?

      If you want to disagree with someone’s conclusions, when they’ve disclosed how they reached them, you also have to disagree with how they reached them. Otherwise, your complaint is just that they reached a conclusion that isn’t in accord with your bias.


  • JoelKatz
    4 months ago JoelKatz

    Quote from: buwaytress on January 14, 2017, 12:22:05 PM
    Always healthy to have as much scrutiny from as many different sources, independent and otherwise.Is Ripple the only one who finds the report and its methodology flawed and, therefore, unactionable? I find it unlikely that ALL these would result in false positives and it seems even Ripple concurs.
    For projects that don’t use this form of analysis already, typically between 1 to 2 in 100 of these reports on security critical code reflect an actual issue. But without surveying a statistical sample of them in that particular code base, you’re really just guessing.

    When we ran the first such report on rippled, we debated “fixing” every issue to get the number down to zero. The advantage would be that it would make it easier to scan future versions of the code as you wouldn’t have a large number of false positives to wade through. We ultimately decided not to because in many cases it would require making the code harder to understand and maintain.

    I wonder, if we had done so, would this report have said we were the most secure or would they just have left us out? (And, to be clear, it would have also been absurd to say that a zero count from a tool like this makes us the most secure.)
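The triage JoelKatz describes in this post and in his earlier reply to Joy (a raw tool count is not a vulnerability count; scope the findings to security-relevant code, discard duplicates and previously triaged false positives, then sample what is left by hand) as an added Python example. It is not code from the thread, the CERT report or the rippled project; the findings, file paths, rule ids, out-of-scope patterns and baseline it uses are all constructed for the example, and the 1-2 in 100 rate is the figure quoted in the post, not a measurement.

```python
"""Triage raw static-analysis findings instead of counting them.

Added example, not code from the thread, the CERT report or rippled.
All findings, paths, rule ids and the baseline below are constructed.
"""
from __future__ import annotations

import fnmatch
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # tool rule id (constructed names)
    path: str       # file the tool flagged
    line: int
    severity: str   # "low" | "medium" | "high", as reported by the tool
    message: str


# Code a scanner walks but that no untrusted input reaches in a deployed
# node: tests, vendored dependencies, docs and build tooling.  Assumed
# layout for the example; a real project supplies its own list.
OUT_OF_SCOPE = ("src/test/*", "third_party/*", "docs/*", "build/*")

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def in_scope(path: str) -> bool:
    """True when the path is security-relevant under OUT_OF_SCOPE."""
    return not any(fnmatch.fnmatch(path, pat) for pat in OUT_OF_SCOPE)


def triage(findings, baseline, *, min_severity="high", seed=0, sample_size=5):
    """Count findings at each filtering stage and draw a review sample.

    baseline: set of (rule, path) pairs a previous manual review judged
    to be false positives, i.e. what a project that already runs the
    same tool has on file.
    """
    raw = list(findings)
    scoped = [f for f in raw if in_scope(f.path)]
    severe = [f for f in scoped
              if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]
    # Tools often report one site once per control-flow path through it;
    # keep one finding per (rule, file, line).
    unique = list({(f.rule, f.path, f.line): f for f in severe}.values())
    new = [f for f in unique if (f.rule, f.path) not in baseline]
    # Fixed seed so the sample handed to reviewers is reproducible.
    sample = random.Random(seed).sample(new, min(sample_size, len(new)))
    return {
        "raw": len(raw),                 # what a report would headline
        "in_scope": len(scoped),
        "severe_in_scope": len(severe),
        "deduplicated": len(unique),
        "not_in_baseline": len(new),     # what actually needs a human
        "by_rule": Counter(f.rule for f in new),
        "sample": sample,
    }


def expected_true_positives(count, low_rate=0.01, high_rate=0.02):
    """Bound on real issues implied by the 1-2 in 100 rate quoted in the
    thread for projects that do not already run the tool.  The rate is
    that quoted figure, not a measurement, and it does not apply to a
    code base whose remaining findings were already triaged."""
    return count * low_rate, count * high_rate


# Constructed findings in the shape a scanner's flat export might take.
SAMPLE_FINDINGS = [
    Finding("null-deref", "src/ledger/apply.cpp", 120, "high", "p may be null"),
    Finding("null-deref", "src/ledger/apply.cpp", 120, "high", "p may be null"),
    Finding("buffer-overrun", "src/protocol/serializer.cpp", 88, "high", "index > size"),
    Finding("uninit-var", "src/test/ledger_test.cpp", 40, "high", "x uninitialised"),
    Finding("use-after-free", "third_party/kvstore/compaction.cc", 2001, "high", "freed at 1990"),
    Finding("unchecked-return", "src/net/peer.cpp", 301, "medium", "return value ignored"),
    Finding("null-deref", "src/core/config.cpp", 55, "high", "cfg may be null"),
]
# Constructed baseline: config.cpp:55 was reviewed earlier and judged benign.
BASELINE = {("null-deref", "src/core/config.cpp")}


def run_example():
    return triage(SAMPLE_FINDINGS, BASELINE)


if __name__ == "__main__":
    result = run_example()
    for stage in ("raw", "in_scope", "severe_in_scope", "deduplicated", "not_in_baseline"):
        print(f"{stage:>16}: {result[stage]}")
    print("review sample:", [(f.rule, f.path, f.line) for f in result["sample"]])
```

On the constructed input the headline count is 7 and the count that needs a human is 2; the gap between those two numbers is the point of the thread. The baseline set is the mechanism behind the "already uses the same tool" argument: a project that triages its own scanner output carries its reviewed false positives forward, so an outside run of the same tool mostly re-reports them.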

  • GBG-glenn
    4 months ago GBG-glenn

    Sorry, a bit unclear. What i meant was that it’s a system that will be in control of the financial institutions. It’s a project where they have a big finger in the game compared to other cryptos where they don’t get to decide anything in terms of development and rules.

  • Spoetnik
    4 months ago Spoetnik

    Nice SIG.. an “employee” of an open source fair launch decentralized free market currency ? Let me guess you have a CEO and a CTFO etc too. Ripple.. “Big Banks”. No others in Crypto are as scammy with their scheme and as persistent as Ripple douche nozzles.

  • poloniexwhale
    4 months ago poloniexwhale

    Quote from: dranster on January 13, 2017, 09:06:03 AM
    The OP does not know how to read reports. BTS2.0 is the most secure blockchain project as per that report: https:[email protected][email protected]e-ripple-is-the-least

    How to define the most secure? You heard this from BTS devs? They are braggers, I don’t trust them.

  • r0ach
    4 months ago r0ach

    Quote from: JoelKatz on January 13, 2017, 03:19:55 AM
    We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/
    “Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either.”

    Just politely tell the Chinese that Ripple is not a decentralized currency in the first place (such a thing may not even be possible).  Problem solved.

  • goodvibeswanted2
    4 months ago goodvibeswanted2

    I agree. Changetip is shutting down, and I will miss it dearly. I used it exclusively until today in fact. I’ve just started to learn about dogecoin and more about cryptocurrency.

  • goodvibeswanted2
    4 months ago goodvibeswanted2

    I thought that was Taiwan.

  • tommytrain
    4 months ago tommytrain

    Fair enough, probably not quite entirely accurate given there are 60+ countries making each their own rules for banking regulation and this is the major hurdle to interoperability which cross-border FX solutions like Bitcoin and Ripple are attempting to address. If FIs were more properly organized and “centralized” protocols for improving interoperability wouldn’t be needed, instead there is a still a healthy competitive market for FX services.

  • Monerobuyer
    4 months ago Monerobuyer

    How is this thing blockchain? It uses 32 federated servers. The developers release 73k coins per month correct? Why does a coin have value? Why not have a set price to insert a factoid at their website: i.e. 15 cents per factoid. I feel like I’m losing my mind but is factom not incredibly stupid?

  • pereira4
    4 months ago pereira4

    Im trying to find the right coin to invest in, but that, I can’t find. I wish that the possibility of a coin giving us performance like Bitcoin existed, but we will never get that again. With the exception of Monero’s insane pump, or ETH’s… what else is out there? Those are already beaten horses. We need to find a project that has real possibilities to pump hard that’s really cheap right now, and the pump must have STRONG solid volume (those flash pumps and dumps are useless), and I see nothing but bullshit out there. Are the times of getting rich with an alt over?

  • tiggytomb
    4 months ago tiggytomb

    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

  • thejaytiesto
    4 months ago thejaytiesto

    Quote from: Monerobuyer on January 23, 2017, 03:19:14 PM
    How is this thing blockchain? It uses 32 federated servers.The developers release 73k coins per month correct? Why does a coin have value? Why not have a set price to insert a factoid at their website: i.e. 15 cents per  factoidI feel like I’m losing my mind but is factom not incredibly stupid?

    I think it’s something like the usenet system with coins… im not sure how it works, if there are centralized servers it does sound a bit dumb. It’s also a bit dumb to invest in inflationary currencies if you are expecting to make gains long term as well.

  • pereira4
    4 months ago pereira4

    Quote from: tiggytomb on January 23, 2017, 03:56:10 PM
    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

    What do you see in any of those coins that makes you think they can deliver massive % of profits? They have limited supply or are inflationary? I dont see why anybody would invest in inflationary currencies unless they offer something revolutionary to the table.

  • tiggytomb
    4 months ago tiggytomb

    Quote from: pereira4 on January 23, 2017, 04:24:53 PM

    Quote from: tiggytomb on January 23, 2017, 03:56:10 PM
    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

    What do you see in any of those coins that makes you think they can deliver massive % of profits? They have limited supply or are inflationary? I dont see why anybody would invest in inflationary currencies unless they offer something revolutionary to the table.

    Obviously you can review each one in your own time and decide if any of them interest you, I am not trying to coerce anyone into supporting these coins.

    XEM – 9 billion supply total, no inflation, source from scratch, has been consistently developed since its inception and its next update is pretty impressive: https://medium.com/nem-distributed-ledger-technology-blockchain/nems-next-generation-core-codename-catapult-unveils-its-power-for-productive-use-confirmed-e1888b2a92bf#.68bfkew0x

    COVAL – A bit of a funny one this, initially started out as RBR then turned into VOCAL and now COVAL, it is partnered with Loyyal which has been getting a lot of positive attention recently, COVAL is currently looking to move over onto Counterparty. bitcointalk is not at the forefront of their minds, you will find little to no information on here, they tend to stick to slack and blogs. I think it was mid last year RBR was up at 700 briefly, currently COVAL sits at 98 and nothing has been released yet, I imagine that when they do release the VOCAL platform that at least in the short term we could see a jump up to that level again. https://medium.com/coval

    WBB – 2 million coins. Their thread has turned into an absolute mess, again the dev does not focus on this forum much and tends to just get on with things and update on slack etc. They have developed their own OS and are about to release v5 of their wallet, this has been up and down but one I’m hanging around for just to see how it all develops.

    Again, just a couple of the ones I am watching, entirely up to you to spend the time looking into them and if you do jump on board don’t blame me if it all goes to pot. If they all work out then you can of course blame me.

  • vanarebane
    4 months ago vanarebane

    Quote from: tiggytomb on January 23, 2017, 03:56:10 PM
    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

    Forget coval and wbb, they are not top coins nor reliable projects, both are dead ones. XEM is decent, but market cap is big enough. I personally recommend Stratis (extremely undervalued now, 10X is possible) and factom (will be new ATH above 0.01 BTC).

  • Spoetnik
    4 months ago Spoetnik

    Who cares.. Find a coin you want to “support”. Reward will follow.. as i have said NON STOP for years… one of these days you will all get smart. NOT

    PS: If you are asking that question you are already broke but don’t know it yet or it just happened yet. Ask yourselves.. what happens when you stay at the table gambling at a crooked casino permanently ?

  • Devnant
    4 months ago Devnant

    Quote from: pereira4 on January 23, 2017, 03:40:55 PM
    Im trying to find the right coin to invest in, but that, I can’t find. I wish that the possibility of a coin giving us performance like Bitcoin existed, but we will never get that again. With the exception of Monero’s insane pump, or ETH’s… what else is out there? Those are already beaten horses. We need to find a project that has real possibilities to pump hard that’s really cheap right now, and the pump must have STRONG solid volume (those flash pumps and dumps are useless), and I see nothing but bullshit out there. Are the times of getting rich with an alt over?

    Have a look at NXS. Talented dev and an ambitious project. Already valued about 333.33%. Started @ 300 satoshi, and now it’s worth 10,000 satoshi and climbing.

  • Rockie1234
    4 months ago Rockie1234

    I heard something about its proof of existence mechanism. In essence, it means a certain document existed in a particular form (to stop altering?) at a certain time. I think governments and businesses were interested since it could help a lot with legal cases and just records in general.

  • Rockie1234
    4 months ago Rockie1234

    Quote from: vanarebane on January 23, 2017, 04:56:26 PM

    Quote from: tiggytomb on January 23, 2017, 03:56:10 PM
    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

    Forget coval and wbb, they are not top coins nor reliable projects, both are dead ones. XEM is decent, but market cap is big enough. I personally recommend Stratis (extremely undervalued now, 10X is possible) and factom (will be new ATH above 0.01 BTC).

    XEM’s market cap isn’t already very high. It had a surge in price a while ago which brought it from relative obscurity to where it is now. However, during that surge the market cap reached close to $100 mil, and now it’s like 30 mil. I’d like to point out I am a fan of this coin, but I get confused because many people on this forum seem to think the coin is scammy without having done any proper research.

  • Enjorlas
    4 months ago Enjorlas

    Look up ICONOMI. If you aren’t convinced that it will be the #3 in market cap within 2 years I will buy you a pizza and have it shipped to your door. Your choice of toppings.

  • klaaas
    4 months ago klaaas

    Keep a good eye on poloniex and news that isn’t all over the net yet. It still will be a gamble with just released tokens/coins but you only need 1 coin to pop through to cover the losses from the rest.

  • cryptohunter
    4 months ago cryptohunter

    BAY – although do your own DD. I’m sure there are others out there too.

  • alyssa85
    4 months ago alyssa85

    Quote from: klaaas on January 23, 2017, 06:33:05 PM
    Keep a good eye on poloniex and news that isn’t all over the net yet.

    And join all the slack channels where developers and speculators chat. If a coin markets itself well it usually gets a boost once it hits one of the bigger exchanges.

  • TaunSew
    4 months ago TaunSew

    Quote from: pereira4 on January 23, 2017, 04:24:53 PM

    Quote from: tiggytomb on January 23, 2017, 03:56:10 PM
    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

    What do you see in any of those coins that makes you think they can deliver massive % of profits? They have limited supply or are inflationary? I dont see why anybody would invest in inflationary currencies unless they offer something revolutionary to the table.

    You been a member since 2014 and you’re asking these questions?! (should be ashamed of yourself)

    By the way, people had been recommending XEM for years and hardly anyone paid attention or listened. Even though it did 2300% ROI in 2016 and ended the year in the top 10, even to this day most people just don’t seem to pay attention. People here were only paying attention to projects that were constantly spamming Bitcointalk and, except for Monero / Ethereum, most were craptastic and went nowhere. If NEM had Monero or Pot Coin’s spam army then it would probably have passed the moon and left the solar system by now.

    http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst

    - XEM has the best quality code in Blockchain (according to China CERT it is the most secure blockchain. Only things more secure were 2 explorers).
    - XEM is the #1 alternate in Japan, Malaysia and Korea in terms of usage and adoption. XEM is being used for barter and retail in Japan. A lot of XEM holders hold important positions in Japan’s Blockchain consortium. If I recall too, the Malaysian government has some kind of agreement / relationship with the XEM Malaysian chapter.
    - XEM has partnered and done tests with multiple banks in Japan, Malaysia and Hong Kong.
    - XEM brings other miscellaneous innovations to the table, including POI, Eigentrust++, blockchain multisignature, et al. Soon it will bring Mijin too.

    XEM looks like it can only go up in the long term and I think it is one of the best competitors to Bitcoin and Ethereum but it has done a pretty poor job of acquiring interest among English-speakers so far. Which I think is probably a good thing for new investors. NEM is still technically very cheap and under-priced for what it brings to the table and thus it can easily generate another 1000% ROI.

  • cengsuwuei
    4 months ago cengsuwuei

    Many coins increase in price until reaching 1000%, compared to their first/early price or ICO selling price. Coins with big increases: Monero, Ethereum, XEM (NEM) and more. But if I were to write down the next coins:
    1. Iconomi
    2. Qtum
    3. Litecoin
    4. ETC

  • Raja_MBZ
    4 months ago Raja_MBZ

    Times of getting rich can’t be over in cryptos, that’s the true essence of it! You get good chances often.

    Quote from: tiggytomb on January 23, 2017, 03:56:10 PM
    I think we are all trying to find that one that will take us to the top, a few that I am in and watching for a long time are:
    XEM – https://bitcointalk.org/index.php?topic=654845.0
    COVAL – https://bitcointalk.org/index.php?topic=1652345.0
    WBB – https://bitcointalk.org/index.php?topic=952619.0
    Oh and Chronobank seems decent, you never know!
    Are the times of getting rich with an alt over? Nah, there will always be one.

    Well those four, seem pretty good. I just checked them up after your advice. Surely going to investigate them more myself.

  • kelsey
    4 months ago kelsey

    Quote from: TaunSew on January 23, 2017, 09:23:37 PM
    By the way, people had been recommending XEM for years and hardly anyone paid attention or listened.  

    hardly any, i.e. none, of the XEM pushers mention the fact that XEM distribution was scammed by the distributor, in a big way.

  • XbladeX
    4 months ago XbladeX

    Quote from: kelsey on January 23, 2017, 09:44:46 PM

    Quote from: TaunSew on January 23, 2017, 09:23:37 PM
    By the way, people had been recommending XEM for years and hardly anyone paid attention or listened.  

    hardly any, i.e. none, of the XEM pushers mention the fact that XEM distribution was scammed by the distributor, in a big way.

    Not really scammed, just 1/4 people just didn’t redeem them on time and most coins were divided by 1000 btt users; some coins are locked in development fund under multisignature keys. NEM was low price long time before it got pumped, some distribution part take over year. Some early adopters dumped, some stay like me and keep stake. Always some distribution could be better but it was ok at that time and possible solution.

  • TaunSew
    4 months ago TaunSew

    Quote from: kelsey on January 23, 2017, 09:44:46 PM

    Quote from: TaunSew on January 23, 2017, 09:23:37 PM
    By the way, people had been recommending XEM for years and hardly anyone paid attention or listened.  

    hardly any, i.e. none, of the XEM pushers mention the fact that XEM distribution was scammed by the distributor, in a big way.

    Every project has trolls fudding about something. It hasn’t stopped Monero or Dash or even XEM. XEM is less popular because PoS and PoS variants always had an uphill battle in terms of bootstrapping a community and adoption. PoW is free money on the streets and this gets people excited. PoS and PoS variants do not have that allure. Nevertheless, judging by the top 10 of 2016, I think NEM has been the most successful PoS / PoS variant since NXT died from exchange hacks. NEM’s distribution probably convinced people a bit (a lot of animosity against PoS is “rich get richer”) but I think it was more the quality of the blockchain and adoption in Asia which led to its success.

  • numismatist
    4 months ago numismatist

    Quote from: pereira4 on January 23, 2017, 03:40:55 PM
    I’m trying to find the right coin to invest, but that, I can’t find. I wish that the possibility of a coin giving us performance like Bitcoin existed, but we will never get that again. With the exception of Monero’s insane pump, or ETH’s… what else is out there? Those are already beaten horses. We need to find a project that has real possibilities to pump hard that’s really cheap right now, and the pump must have STRONG solid volume (those flash pumps and dumps are useless), and I see nothing but bullshit out there. Are the times of getting rich with an alt over?

    Bitcoin has been a black swan event, of course. However, crypto still being all infant at best, you can imagine some further progress in the future following! Stay tuned.

  • BTCLovingDude
    4 months ago BTCLovingDude

    not so long ago this board was filled with ethereum topics, to a point that it got annoying. so what happened? did they stop paying the shills to post for them? or maybe they are getting ready for a massive pump so they are holding back on making any sound and silently accumulating! the volume is still high! what do you think?

  • agustina2
    4 months ago agustina2

    Quote from: BTCLovingDude on January 25, 2017, 03:32:53 PM
    not so long ago this board was filled with ethereum topics, to a point that it got annoying. so what happened? did they stop paying the shills to post for them? or maybe they are getting ready for a massive pump so they are holding back on making any sound and silently accumulating! the volume is still high! what do you think?

    ETH has been on a slow price movement now and the volume established today is not that interesting to make day trades. So for this kind of price movement, it’s better to just hold ETH and expect some highlights again. Take note of the issues back then, that’s why it turned out to what it is today. I’m too annoyed by those ETH threads that even considered it as the next bitcoin just because the price rose by a really large percent. And now look at what happened to their speculation.

  • BOSA.io
    4 months ago BOSA.io

    Ethereum hype is dead, yet the price remains fairly stable.. They need a major announcement to get new investors on board..

  • Ayers
    4 months ago Ayers

    Quote from: BOSA.io on January 25, 2017, 04:05:01 PM
    Ethereum hype is dead, yet the price remains fairly stable.. They need a major announcement to get new investors on board..

    The price is strong because the marketcap is also very strong and big enough to not get dumped to the ground, you can’t kill a coin with 1 billion marketcap so easily, but I believe that the PoW turning into PoS will put Ethereum in trouble, it will fade away slowly until forgotten like Litecoin or other big old coins.

  • eckmar
    4 months ago eckmar

    Well ones who keep posting those threads are miners and traders. For miners ethereum is no longer most profitable coin and I guess traders moved on to something more profitable for them too.

  • Devnant
    4 months ago Devnant

    Quote from: BOSA.io on January 25, 2017, 04:05:01 PM
    Ethereum hype is dead, yet the price remains fairly stable.. They need a major announcement to get new investors on board..

    Not after the DAO disaster. They won’t.

  • annie9771
    4 months ago annie9771

    yes it’s true, 2 months ago one of my friends was saying “annie trust me invest in ETH after February 2017, ETH will be the next bitcoin and the price will be more than 300$”

  • pearlmen
    4 months ago pearlmen

    It seems the developers are really asleep despite the fact that Ethereum has proven to be a great project, but the problem I have seen is that developers are too easy to give up in supporting their project. After a while they just stop the support thinking everything will continue flowing. Hopefully they can just wake up from their slumbers.

  • Febo
    4 months ago Febo

    Quote from: BTCLovingDude on January 25, 2017, 03:32:53 PM
    not so long ago this board was filled with ethereum topics, to a point that it got annoying. so what happened? did they stop paying the shills to post for them? or maybe they are getting ready for a massive pump so they are holding back on making any sound and silently accumulating! the volume is still high! what do you think?

    People are trading coins that run on Ethereum and are spamming threads of coins that exist on the Ethereum blockchain and they don’t even know that. I remember one guy on the Poloniex trollbox, he wanted to pull one coin off Poloniex into his wallet and was asking if the Ethereum wallet is the only one he can use since he doesn’t really like Ethereum and would love to use something else. This is what happened. But in general Ethereum has the same old problems they had a year ago. They will not just go away if they keep having closed eyes.

  • TaunSew
    4 months ago TaunSew

    I remember what the Ethereum community was like before the big rally to $1 billion – it was a virtual ghost town on their official forums and even their slightly-more-popular Reddit page was snail’s pace.   It tells you most of the Ethereum community are fairweather friends – only around when the price goes up and, when it stagnates / declines like it is right now, then the ghost town becomes apparent.  A lot of this is because Ethereum has zero users and only speculators and the speculators are leaving after repeated lies and hacks.

  • TaunSew
    4 months ago TaunSew

    Quote from: Devnant on January 25, 2017, 05:44:17 PM

    Quote from: BOSA.io on January 25, 2017, 04:05:01 PM
    Ethereum hype is dead, yet the price remains fairly stable.. They need a major announcement to get new investors on board..

    Not after the DAO disaster. They won’t.

    Bitcoin still has never recovered to MtGox $1250. I would be surprised if Ethereum ever recovered to DAO $20+. Investors may not waste their time on social media but I think they have a decent memory and don’t want to risk their money on things with precedented security issues.

    http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst

    NEM is flying under the radar still but China CERT’s report indicated NEM has the best quality code and security for a blockchain. NEM did 2300% ROI in 2016 and I think it will do another 1000%+ in 2017. Don’t let FakeNews Coindesk persuade you to put another dollar into Ripple, Ethereum or even dogchit Doge.

  • Rockie1234
    4 months ago Rockie1234

    I think it’s just the question of what’s interesting. Ethereum is still important but not nearly as much as before, ever since the DAO hack and then Ethereum Classic, it just lost all the momentum it had. Similar to how people used to bash people for supporting Monero/Dash as their prices rose. Now that the prices are stable, there’s nothing that interesting to talk about; doesn’t mean people don’t care.

  • shinratensei_
    4 months ago shinratensei_

    Quote from: BOSA.io on January 25, 2017, 04:05:01 PM
    Ethereum hype is dead, yet the price remains fairly stable.. They need a major announcement to get new investors on board..

    So, wake up from your delusion, dude. At least every investor or holder who has made some bucks for their pouch won’t be giving a cent for you. PoS Casper will be releasing soon, and what’s next, it seems ETH will be a hybrid of PoW and PoS.

  • Herbert2020
    4 months ago Herbert2020

    Quote from: Ayers on January 25, 2017, 05:21:46 PM

    Quote from: BOSA.io on January 25, 2017, 04:05:01 PM
    Ethereum hype is dead, yet the price remains fairly stable.. They need a major announcement to get new investors on board..

    The price is strong because the marketcap is also very strong and big enough to not get dumped to the ground, you can’t kill a coin with 1 billion marketcap so easily, but I believe that the PoW turning into PoS will put Ethereum in trouble, it will fade away slowly until forgotten like Litecoin or other big old coins.

    you don’t know how the marketcap works, and it’s actually because of this huge marketcap that it will die slowly over time, just the same way Dogecoin is dying right now. These coins with a huge supply and an increasing supply have always been getting dumped as fast too. But the same as Dogecoin or other coins, that doesn’t mean they won’t get pumped, and Ethereum has a big pump overdue.

  • Immakillya
    4 months ago Immakillya

    I haven’t read any thread about Ethereum for a long time. Just this one only. The price surged a huge amount and the forum is talking about Ethereum. So what happened now guys? I guess because of hard forking issues. The community was split into 2. But the marketcap is still a good amount. I just don’t see a significant sign that it will pump anytime soon. Maybe it will take time to pump again.

  • jacaf01
    4 months ago jacaf01

    This is a normal thing in life, people move where the money is. Ethereum’s price has plateaued out and the probability of growth has decreased drastically because of the level of uncertainty that surrounds the project.

  • Spoetnik
    4 months ago Spoetnik

    That was 1 year ago during the great hype + pump. Time to move on.. People follow the money (whatever is pumped up etc). Why are you all surprised? This is not about being a project supporter but a greedy god damn leech. Quit being naive low hanging crypto-fruit noobs.

  • robelneo
    4 months ago robelneo

    Quote from: BTCLovingDude on January 25, 2017, 03:32:53 PM
    not so long ago this board was filled with ethereum topics, to a point that it got annoying. so what happened? did they stop paying the shills to post for them? or maybe they are getting ready for a massive pump so they are holding back on making any sound and silently accumulating! the volume is still high! what do you think?

    Yes that’s true, if I remember there were at least 5 to 7 topics about Ethereum that were always on the first page of this section, and since I’m not into Ethereum I seldom visit this section; now I rarely see 2 top topics about Ethereum.

  • BTCLovingDude
    4 months ago BTCLovingDude

    Quote from: Spoetnik on January 26, 2017, 07:48:16 AM
    That was 1 year ago during the great hype + pump. Time to move on.. People follow the money (whatever is pumped up etc)

    there is no argument there. i have also followed the money by catching up on the pre-hype and buying some pre-pump and made lots of bitcoin in the process of the pump(s). and now that another big dip happened and i bought some at the bottom, i am not ashamed to admit i am waiting for another possible pump but at the same time i have my eyes out for any other possibility. and besides, one of the main features of these manipulation coins such as ETH is that the owner and the whales are never done with them that easily.

  • freigeist
    4 months ago freigeist

    Quote from: Rockie1234 on January 23, 2017, 05:50:24 PM
    I heard something about its proof of existence mechanism. In essence, it means a certain document existed in a particular form (to stop altering?) at a certain time. I think governments and businesses were interested since it could help a lot with legal cases and just records in general.

    For that purpose of notarization and time stamping it would be easier to use the NEM Apostille system:
    https://bitcointalk.org/index.php?topic=1672157.msg16790318#msg16790318
    or for land registry this: http://landstead.atraurablockchain.com/#!/
    which was developed based on the above system.

  • TaunSew
    4 months ago TaunSew

    Quote from: freigeist on January 26, 2017, 02:33:03 PM

    Quote from: Rockie1234 on January 23, 2017, 05:50:24 PM
    I heard something about its proof of existence mechanism. In essence, it means a certain document existed in a particular form (to stop altering?) at a certain time. I think governments and businesses were interested since it could help a lot with legal cases and just records in general.

    For that purpose of notarization and time stamping it would be easier to use the NEM Apostille system:
    https://bitcointalk.org/index.php?topic=1672157.msg16790318#msg16790318
    or for land registry this: http://landstead.atraurablockchain.com/#!/
    which was developed based on the above system.

    Factom: More money spent on advertisement & marketing =/= a better product. Even Ripple, which has been living high as a hog on investors’ money, has been audited by non-profit 3rd party cybersecurity firms and their code was discovered to be rubbish and insecure.

    http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst

    NEM Project actually has the best code for a blockchain according to CERT. NEM is still flying under the radar but that’s because it is an undetectable stealth ninja fighter.

  • BitcoinNational
    4 months ago BitcoinNational

    Quote from: Monerobuyer on January 23, 2017, 03:19:14 PM
    How is this thing blockchain? It uses 32 federated servers. The developers release 73k coins per month, correct? Why does a coin have value? Why not have a set price to insert a factoid at their website: i.e. 15 cents per factoid. I feel like I’m losing my mind but is factom not incredibly stupid?

    insert factoid into steemit … they pay you (sometimes). same federated servers scheme but called ‘witnesses’ and they are democratically elected (#coin = #votes; just like actual democraptsyies)

  • instacalm
    3 months ago instacalm

    Perhaps it’s just not that interesting to stick around here — Ethereum founders and fans do not need (and never really had?) to push it on Bitcointalk all that much for people to become aware of its existence as it has already established itself (and in the meantime, has become uninteresting as it is not successful in what it originally set out to do — that’s how I kinda feel). Ethereum has a long time ago “transcended” this space and focused on expansion and partnerships out there in the “real world”.

  • Arvydas77
    3 months ago Arvydas77

    A very interesting report was published by the Chinese CERT:
    Quote
    In December 2016, China CERT released a 17-page security audit report of blockchain software. As per the report, the audit was conducted in October 2016 and released later as an “open” document. The report examined 25 open-source blockchain projects, categorizing the vulnerabilities found into 9 classes. A total of 746 high-level attack vectors were detected. Ripple is rated the most insecure one with over 223 highly risky bugs.
    Quote
    China CERT, the National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC), was founded in September 2002. It is a non-governmental non-profit cybersecurity technical center and the key coordination team for China’s cybersecurity emergency response community. The CERT lab speaks highly of the global development around blockchain technology but also reiterates the importance of blockchain software security.
    Overview of 25 projects being audited:
    The 9 vulnerability categories were chosen for auditing:
    1. Input Validation and Representation
    2. API Abuse
    3. Security Features
    4. Memory Management
    5. Time and State
    6. Error and Exception Handling Errors
    7. Code Quality
    8. Encapsulation and hidden defects
    9. Flaws in Code Runtime Environment
    Vulnerability rating:
    Results: Ripple the most insecure project
    Quote
    It is noteworthy that among all the projects being audited this time, Ripple is likely to be the most widely used one with the most users. At the time of writing, the software company has received 100 million USD investments from Google and Accenture. Some large financial institutions have announced their joining the payment network, including Standard Chartered, Westpac, Shanghai Huarui Bank and so on. Given the fact that Ripple is directly dealing with financial assets, should these loopholes be exploited by hackers, the institutions may suffer unimaginable losses. Ethereumj comes as the second most risky project with 110 high-level vulnerabilities. Bitshares contains 4 high-risk bugs and 665 medium ones, the highest number among all projects. Ethereum Wallet, Hlp-candidate and OmniJ are found bearing zero or only one high-level bug and are therefore considered the most secure projects among all units being audited.
    It is a very interesting analysis, noteworthy to study accurately:
    http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst

  • adanufgail
    2 weeks ago adanufgail

    I do find it fitting that the one meant to be used by banks is the worst, considering how broken and vulnerable the actual banking systems are.
