Sarah Jamie Lewis announces her candidacy for the Major Grants Review Committee

I’d just like to say (speaking for myself) that I’m very strongly in favour of this. Indeed I think it’s absolutely critical that this kind of auditing happen — and funding it is a worthy use of MGRC funds.

In response to some of the comments above, I don’t believe that concerns about the overheads of things like FIPS certification etc. are very relevant here. The kind of security audits we’re talking about would probably be similar to the ones that ECC has commissioned for network upgrades (from specialist auditing companies like Coinspect, NCC, QED-it, etc.), and those have been extremely useful.

7 Likes

Hey! I’d like to pay some ZEC to get access to your book. Do you think we can work that out?

In particular I am curious whether you’d consider installing:

to generate a zaddr and receive ZEC.

I actually wondered about this before the most recent discussion in this thread, and now I am much more interested in your response.

1 Like

I've worked with them before. They audited our crypto hardware (datacryptors). Really good bunch of people.

It is surprisingly hard to find companies with their skills. After trying 7 or 8 of them, NGSS/NCC were the only ones that actually stood up to our due diligence. +1 for NCC

1 Like

Hi Sarah,

I think you have misunderstood my question.

I am not concerned about your personal ethics. I am concerned about what professional ethics you are accountable to.

For example, here are the guidelines I have followed for disclosure for years. Other people can check them and check my conduct against them.

It is worth noting that my response in this instance would be bound by my ethics; I would have to have made reasonable good faith attempts.

That is when you resort to Full Disclosure by my professional ethical standard.

Would you please point me to a resource where I can see what professional ethical standards you were adhering to in the tweet?

Seeing as the MGRC is a new activity, would you be willing to compromise on some of your current professional ethics for the sake of different professional ethics when you are acting on behalf of the MGRC?

I was not asking you to alter your personal ethics; we are trying to create a set of professional ethics.

Note: a doctor or lawyer has different personal and professional ethics; indeed a doctor on the MGRC would have different ethics when on the MGRC and when at work.

2 Likes

I did not.

This is a meaningless distinction. If your personal and professional ethics are not aligned then you are, at all times, acting in cognitive dissonance. To elevate from all the painful ethics-101 rehashing, my ethical framework is fundamentally rooted in harm reduction and consequentialism. I don’t believe that any prescriptive framework is fundamentally moral. Further, I don’t believe intent should be a significant factor when determining the morality of an action. Having said that, as an anarchist I try not to miss opportunities to decentralize both power and knowledge.

It is abundantly clear to me that the “responsible” approach to security disclosure standards in the industry has done incalculable harm over the years - creating a hierarchy of corporations who are able to patch and secure their systems before others - and thus develop a market advantage. Not to mention bugs being intercepted from private disclosure processes and exploited by government agencies.

“Responsible” disclosure has left both commercial and digital public infrastructure in complete disarray, removing evolutionary pressures that would otherwise obliterate vendors who refuse to respect the people who rely on their systems and thus, making all systems weaker.

Vendors who publish broken software do not have a right to keep that fact secret.

I have already answered this question. I’m not going to compromise my long standing ethics to serve contemporary politics. I trust that CAP members will understand that I have the integrity to do what I think is right, just and harm reductive, not what is expected by some arbitrary, prescriptive standard designed to propagate hierarchies of power.

1 Like

Awesome. Since the minimum price of the e-book is now free, I generally ask people to donate any amount to Open Privacy - you can do so with zcash: zs1q05tlyvk7ztesjv7gskq5rtkuqd4a2tfck7rv6y8n6mqw8ly4q5wuj6z5ht4nuk0t4ur5sv53z5 - then DM me and I’ll happily email you a copy.

I run several Zcash full nodes (and have done since launch day, both as part of my job and for personal research). Why would I install a light wallet for this transaction?

1 Like

I’m not sure if a guide is the best approach. Most good security review processes should also consider privacy. I think the work recently done to iterate the light client threat model is a good start to getting a firmer grounding on some of these principles out into the wider ecosystem, but at some point you start having to address implementation details of specific frameworks and at that point the amount of work grows exponentially - it is far better that individual projects become able to access the resources to do that work themselves (and then open it for the rest of the community to learn from) - than one person trying to encapsulate everything in a single guide.

2 Likes

Can we move this along a bit? Next topic perhaps ?? Its getting bogged down here.

2 Likes

I am sorry you feel that way. I am trying to make things very clear so CAP members who do not understand the nuance of disclosure can get a bit more insight.

I really didn’t think this would be that difficult of a question.

Does this mean you do not think the MGRC should write down a set of ethical standards and have the community hold them to those standards? The community just needs to trust the MGRC? Where is the verify?

I outlined my views on this 3 months ago in the Code of Ethics thread. And at several points in the main MGRC thread.

RE: Accountability. The community will hold members to whatever standard the community collectively enforces through the ZIP and elections procedures. The MGRC will hold each other accountable through whatever processes it puts in place to ensure accountability. If the community doesn’t like the behavior of a particular candidate or an elected member then they are free to vote against that member, or appeal to the committee to adopt a process around that behavior if it is within the MGRCs remit.

As I have stated multiple times, if elected I will vote for proposals that demand transparency and enforce strict procedures regarding MGRC members actual or perceived conflicts of interest.

Should any other candidates wish to outline what policies they would like the MGRC to adopt I will happily consider them and document my reasons for voting for or against them, but I’m not going to comment on hypothetical/unwritten/unseen/latent codes of ethics.

1 Like

I’d like to state for the record that when @sarahjamielewis discovered the Zecwallet Security issues, she DID NOT notify me or even let me know that she had discovered the issue. She did not notify me before tweeting out the bug, and did not notify me after either.

[Moderation edit for factual accuracy by @daira: it is clear that Sarah Jamie Lewis did in fact notify Aditya, approximately 4 minutes after the tweet, via GitHub.]

Some alert Zecwallet users noticed the tweets and let me know, after which I fixed the issues, each within 24 hours of me being notified.

I consider that a serious breach of personal and professional ethics on part of @sarahjamielewis. I fail to see how tweeting out security bugs without notifying the developer of them helps Zecwallet users.

It’s hard enough to build software in this space, and this kind of unethical behaviour by someone calling themselves a security researcher makes things harder still.

12 Likes

This is demonstrably false. The github issue I opened synchronously with the tweet is right here: CRITICAL: This release has a MITM Vulnerability that allows anyone to intercept requests · Issue #40 · adityapk00/zecwallet-lite · GitHub

Your response was, as can be seen from the issue, “Ooh, oops.”

5 Likes

The tweet did not tag Zecwallet, did not reply to or cc Zecwallet, or even DM Zecwallet. No email either. It “quote tweeted” the Zecwallet account, which intentionally does not notify the account.

By the time the issue was filed, someone else had already reported the tweet to me, the issue had been identified and a fix was on the way.

That was the most irresponsible way to disclose a security issue, and this thread’s attempt to reframe that irresponsible disclosure as somehow ethical is beyond comprehension.

6 Likes

Kudos for getting so much done in the 2-3 minutes between when I clicked “Tweet” and submitted the issue (which I will note you acknowledged seconds later - as can be seen from the github link).

I will kindly ask you to remove the inaccuracies in your previous tweet. You are entitled to your opinion on security disclosure, but you explicitly stated that I did not contact you at all - which is a lie, as I have demonstrated.

Also, I will note that I reported several other security issues in the full node version of Zecwallet prior to this incident via github issues - i.e. a public disclosure process - and at no time was I told to report these via different mechanisms.

But let’s set aside those quibbles and allow me to make a broader point.

I tweeted to warn people that you had released a new version of the software with a critical MITM vulnerability. The bug was so severe and so blatant the only action users could take to stay safe is to not use zecwallet. The software had been plugged by high profile accounts earlier in the day and so both the chance of compromise and the number of users likely to be impacted were high.

There has been no public postmortem detailing how software with such a critical, trivially exploitable issue was released to users, and as far as I can tell there have been few changes to prevent such mistakes from happening again. I would still recommend people not use zecwallet unless they understand those risks.

Further, and more generally, the Zecwallet lite website advertises it as “fully private” despite that being impossible right now. There is also no indication of previous security issues listed on there to inform users.

Whatever you may think about the way I disclosed the MITM vuln, the way zecwallet lite was rushed out with that critical vulnerability was, and many of the continued practices in promoting the wallet are, irresponsible.

For the record, there are a lot of vendors who dislike my approach to life, who dislike me informing people who use their systems about the risks they are subjecting those people to. I don’t lose sleep over it.

3 Likes

You are misrepresenting what several of us have expressed concerns about. No one said anything about your ‘approach to life’ or not wanting users to be aware of risks.

This is about you publicly tweeting out details of a vulnerability (this is the key point, we are talking about details, not the mere existence of a bug) before giving the dev a chance to release a patch. This put users at risk no matter how you try to spin it.

If you had contacted the dev about the details privately and let him release a patch (which he was able to do very quickly), and then tweeted about your concerns, I do not think there would be any controversy here. Zec wallet users like me would be grateful to you in this alternative scenario.

Your behavior in this instance, and your refusal to simply say ‘I made a mistake and would not do something like this again in the future’, makes me question your ability to be a team player if you were on the MGRC. If you were elected, would you put the privacy and security concerns of Zcash users first?

6 Likes

In my opinion, you are just wrong. For example, how many people are at risk until the patch is released? 100%, provided that someone uses this error, and the time needed to develop the patch is not known, so hushing up the problem is the wrong way out. Stopping use was the goal, given that 99.9% of users cannot use the vulnerability to hack the wallet, and those who can may not get access to some of the warned users.
When there is a threat to the finances or health of people, would you prefer to give time to specialists to fix the situation, or give people the opportunity to save themselves (for example, get out of the bomb zone, or not use contaminated money)? What does team play have to do with it?
Only now I realized which team you are talking about, and which team you are on: the team of ZEC users who risk their money, or the development team who risk their reputation and funding?

1 Like

No one suggested ‘hushing up the problem’. A general warning like ‘there is a bug, please don’t use the latest version of zec wallet until it’s patched’ would have been ok. A public discussion of the bug and how to ensure it doesn’t happen in the future would then be appropriate, after users have been warned, and after the bug had been patched.

What Sarah’s tweets did was give specific details to attackers about how to attack zec wallet users.

I really don’t like how you phrased this like there are two opposing teams: Zcash users versus Zcash developers. I’m not a Zcash developer btw, I am a zec wallet user.

Zcash users, developers, and security researchers need to all be on the same team. I brought up being a team player because Sarah’s tweet made me feel, as a Zcash user, like she, a security researcher, was not on the same team as me.

5 Likes

Yes, there are different teams; it is naive to think that all are altruists. Users are warned for their safety, not for fame. I remind you that saying not to use the wallet in this case is better than trying to fix the problem without publicity, because at the time of fixing an attack can be made. If you think that the behavior was not ethical, then according to which point of ethics? Attacking and blaming is also not ethical, and there are no conditions under which it was impossible to do this.

I agree with you on the point of disclosing the conditions of the attack; it was possible not to indicate them in detail, but I do not think that this would change anything. Few people can organize an attack; the probability is close to 0.

1 Like

(Speaking for myself. And specifically, not speaking for ECC because I know several people there disagree with me about this.)

Anyone can see from the timestamps on the tweet and the GitHub issue that the issue was opened only 4 minutes after the tweet. GitHub would have provided sufficient notification. There is objectively no basis on which to argue that Sarah didn’t notify Aditya about this vuln.

FWIW, I don’t believe software devs have any right to expect so-called “responsible disclosure”. We may ask for it, but that’s a different thing, and honestly it is mainly just to make our lives easier. (You can argue that perhaps it allows more thorough fixes under less time pressure, but even that’s debatable and only applies to some vulns, probably not including the one at issue here.)

4 Likes

I like that Sarah has not softened her position at all despite being criticized & pressured, says much about what she would bring to MGRC.

3 Likes