
Re: Big Data, AI and Blockchain

Cupid Chan <cchan@...>
 

Hello John:

Thanks for the follow up. I will check with the AI & BI SIG to determine the topic and will circle back to Hyperledger group.

Regards,

Cupid Chan
CTO, Index Analytics
www.index-analytics.com
3700 Koppers Street, Suite 535
Baltimore, MD, 21227
Cell: 571-357-2426
cchan@...
SBA 8(a) | SBA HUBZone | GSA Schedule 70 | CMMI Level 3


On Jan 9, 2019, at 1:39 PM, John Mertic <jmertic@...> wrote:

Checking back in on this thread now after the holidays - what are next steps?

Thank you,

John Mertic
Director of Program Management - Linux Foundation
ASWF, ODPi, R Consortium, and Open Mainframe Project
Schedule time with me at https://calendly.com/jmertic



On Thu, Dec 20, 2018 at 4:23 PM Cupid Chan <cchan@...> wrote:
Hello Jay:

Thanks for your quick reply! The next step for us to do now is to identify a use case. My inner geek screams to add IoT as well but I am not sure if incorporating more may help or pull back the progress since adding AI and Blockchain to Big Data is already a big jump. With that being said, I am not opposing that at all. Just want to share my thought so that we are all aware. 

Before we jump on a call to discuss further, do you have some material that we can read and prepare?

Regards,

Cupid Chan
CTO, Index Analytics
www.index-analytics.com
3700 Koppers Street, Suite 535
Baltimore, MD, 21227
Cell: 571-357-2426
cchan@...
SBA 8(a) | SBA HUBZone | GSA Schedule 70 | CMMI Level 3


On Dec 20, 2018, at 12:18 PM, Jay Chugh <jay.chugh@...> wrote:

Cupid, 

It is a good initiative to consider. Among my responsibilities at Oracle, I am also responsible for AI and Blockchain Go-to-market initiatives, and would be interested in what you are doing. 
There could be a number of interesting use cases that are enabled by combining AI and Blockchain, both of which require access to data. There are also synergies of AI, Blockchain with IoT in case you were interested to include IoT as well.

Look forward to connecting more on this in the new year.  

Jay Chugh | Senior Director, Product GTM - Blockchain, AI, and IoT Cloud Platforms
Office +1.650.506.0677 | Mobile +1.408.489.9200 
600 Oracle Parkway, M/S 6OP863, Redwood Shores, CA 94065





On Dec 20, 2018, at 6:54 AM, Cupid Chan <cchan@...> wrote:

Hello Hyperledger TSC:

My name is Cupid Chan and I am on the TSC of the Linux Foundation ODPi and also the Champion for the BI & AI project in that group. We are planning out our 2019 initiative and one idea I have is to combine AI and Blockchain on top of Big Data. I have connected with the Acumos group and got some interest there. I would like to see if you are also interested and/or have already got some material in place so that we don’t need to start from scratch.

Looking forward to your reply.

Regards,

Cupid Chan
CTO, Index Analytics
www.index-analytics.com
3700 Koppers Street, Suite 535
Baltimore, MD, 21227
Cell: 571-357-2426
cchan@...
SBA 8(a) | SBA HUBZone | GSA Schedule 70 | CMMI Level 3


The content of this message is confidential. If you have received it by mistake, please inform us by an email reply and then delete the message. It is forbidden to copy, forward, or in any way reveal the contents of this message to anyone. The integrity and security of this email cannot be guaranteed over the Internet. Therefore, the sender will not be held liable for any damage caused by the message - Index Analytics LLC




Re: Big Data, AI and Blockchain

Mic Bowman
 

I assume you’re proposing this as a working group? As with Jay… I’m interested in the IoT connections to blockchain applications: how do you bridge real world data/events into “trustworthy” blockchain events/computation. For example… it is not obvious what it means to have a highly resilient, byzantine fault tolerant smart contract act on potentially bogus data that was fed from a single, unreliable external source (like a sensor).

 

--mic

 

 



Re: Big Data, AI and Blockchain

John Mertic <jmertic@...>
 

Checking back in on this thread now after the holidays - what are next steps?

Thank you,

John Mertic
Director of Program Management - Linux Foundation
ASWF, ODPi, R Consortium, and Open Mainframe Project
Schedule time with me at https://calendly.com/jmertic





Re: Identity WG call tomorrow Wed 9 am. Pacific 12 noon EST

Vipin Bharathan
 

Hi all,
The call is scheduled for 9:00 am PST/12:00 noon EST/6:00 pm CET (5 pm GMT)
To restate the agenda (with some new items)

Agenda:
  • Announce start of call
  • Anti-Trust
  • Introduce participants
  • Update for TSC
  • Projects for the year
    • communications on the edge
    • paper
    • move to confluence
  • Report on HGF (Hyperledger Global Forum)
  • Combining the Identity papers (arch WG and IDWG).
  • All other business.
Best,
Vipin


On Tue, Jan 8, 2019 at 7:29 AM vipin bharathan <vipinsun@...> wrote:
Hello all,

The Identity WG call tomorrow at 12 noon EST will happen on Zoom (call details below).

Happy new year!

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/my/hyperledger.community
All are welcome.


Meeting minutes:


Agenda:
  • Announce start of call
  • Anti-Trust
  • Introduce participants
  • Projects for the next year (Edge communications)
  • Report on HGF (Hyperledger Global Forum)
  • Combining the Identity papers (arch WG and IDWG).
  • All other business.
All are welcome. You do not have to be a member of Hyperledger to be on the call!

zoom details 
iPhone one-tap :

US: +16465588656,,4034983298# or +16699006833,,4034983298#

Or Telephone:
Dial(for higher quality, dial a number based on your current location):

US: +1 646 558 8656 or +1 669 900 6833 or +1 855 880 1246 (Toll Free) or +1 877 369 0926 (Toll Free)

Meeting ID: 403 498 3298

International numbers available: https://zoom.us/u/bAaJoyznp

This is an open call.

Thanks,
Vipin



Hyperledger Caliper Quarterly Update Due #tsc-project-update - Thu, 01/10/2019 #cal-reminder #tsc-project-update

tsc@lists.hyperledger.org Calendar <tsc@...>
 

Reminder:
Hyperledger Caliper Quarterly Update Due #tsc-project-update

When:
Thursday, 10 January 2019

Organizer:
tkuhrt@...

Description:
The Hyperledger Caliper project update to the TSC was due January 7, 2019, and it will be presented to the TSC on January 10, 2019. Please review prior to the meeting and bring your questions.



Hyperledger Quilt Quarterly Update Due #tsc-project-update - Thu, 01/10/2019 #cal-reminder #tsc-project-update

tsc@lists.hyperledger.org Calendar <tsc@...>
 

Reminder:
Hyperledger Quilt Quarterly Update Due #tsc-project-update

When:
Thursday, 10 January 2019

Organizer:
tkuhrt@...

Description:
The Hyperledger Quilt project update to the TSC was due January 7, 2019, and it will be presented to the TSC on January 10, 2019. Please review prior to the meeting and bring your questions.



Hyperledger Architecture WG Quarterly Update Due #tsc-wg-update - Thu, 01/10/2019 #tsc-wg-update #cal-reminder

tsc@lists.hyperledger.org Calendar <tsc@...>
 

Reminder:
Hyperledger Architecture WG Quarterly Update Due #tsc-wg-update

When:
Thursday, 10 January 2019

Organizer:
tkuhrt@...

Description:
The Hyperledger Architecture WG update to the TSC was due January 7, 2019, and it will be presented to the TSC on January 10, 2019. Please review prior to the meeting and bring your questions.



Re: [Hyperledger Performance and Scale WG] [Hyperledger Architecture WG] Chaos Engineering & the Blockchain

bill
 

Very nice Vipin!  Looking forward to Part 2!  Happy New Year!

B


On Jan 4, 2019, at 05:21, grapebaba <281165273@...> wrote:

Cool. I was thinking of chaos testing for fabric using jepsen framework.

Sent from my iPhone

On Jan 4, 2019, at 2:20 AM, mark wagner <mwagner@...> wrote:

another great article Vipin, thanks for sharing!

-mark

On Wed, Jan 2, 2019 at 2:28 PM Vipin Bharathan <vipinsun@...> wrote:
Hi all,
Here is a link to an article that I published on the topic of Chaos Engineering and the Blockchain. Hope you will find it interesting. 
This is the first part of a two part publication, the next part will deal with the chaos experimentation framework implemented on top of Indy.
Comments and/or questions welcome.
Best,
Vipin



--
Mark Wagner
Senior Principal Software Engineer
Performance and Scalability
Red Hat, Inc



Re: Proposed release of the Iroha audit report

Christopher Ferris <chris.ferris@...>
 

+1 regarding Hart’s response. I am in favor of transparency and responsible disclosure.

Chris

On Dec 14, 2018, at 9:41 AM, "hmontgomery@..." <hmontgomery@...> wrote:

Yeah, I’m pretty much always in favor of releasing security audits if the bugs have been fixed.

 

Thanks,

Hart

 

From: tsc@... [mailto:tsc@...] On Behalf Of mark wagner
Sent: Friday, December 14, 2018 5:30 AM
To: Arnaud Le Hors <lehors@...>
Cc: dhuseby@...; hyperledger-tsc <hyperledger-tsc@...>; Hyperledger List <tsc@...>
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit report

 

Does anyone else on the TSC have an opinion on this ?

 

If we want to streamline TSC calls and do online voting, we actually need to pay attention to the emails...

 

-mark

 

On Tue, Dec 11, 2018 at 8:44 AM Arnaud Le Hors <lehors@...> wrote:

SGTM.
--
Arnaud  Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM




From:        "mark wagner" <mwagner@...>
To:        dhuseby@...
Cc:        hyperledger-tsc <hyperledger-tsc@...>
Date:        12/06/2018 07:39 PM
Subject:        Re: [Hyperledger TSC] Proposed release of the Iroha audit report
Sent by:        tsc@...





Thanks for the great writeup Dave

As you mentioned that all four issues have been resolved I would currently vote to release the report. <insert weasel words here> Of course if others come up with an objection that I had not considered I may need to factor that into my decision. </weasel words>

What do others think ?
-mark

On Thu, Dec 6, 2018 at 8:56 AM David Huseby <dhuseby@...> wrote:
Hello TSC,

As part of my visit to the Iroha team, I finalized the Iroha audit
checks with the team and I think that it is time to publish the Iroha
audit report and I would like the TSC's approval to do so.  I
recommend that the report be published.

The Iroha audit found four security issues, including one that was
critical enough to require us to issue our first CVE (
https://www.cvedetails.com/cve/CVE-2018-3756/). All four issues were
tracked using our JIRA and resolved earlier this year.

Memory leak in Irohad ( https://jira.hyperledger.org/browse/IR-1)
Nettitude found a memory leak associated with processing a remote
request that creates a very slow potential denial of service.

Multi-signatory transactions can potentially be authorised by single
user ( https://jira.hyperledger.org/browse/IR-2)
This bug exploited some errors in the signature storage and validation
to bypass the transaction signature validation.  This is similar to
bug #3 below.  A malicious user could bypass the transaction
signature checking by signing it multiple times with a
non-deterministic signature scheme.

Vote early, Vote often ( https://jira.hyperledger.org/browse/IR-3)
This is the issue that required a CVE.  Nettitude found that by
modifying the ed25519 signature library to use random nonces instead
of message hashes, the signature checking code could be exploited to
accept multiple signatures produced with the same keypair.  This
allowed a single malicious node to sign the malicious transaction
multiple times and the other nodes would view the signatures as unique
and valid.  This completely bypasses one part of the byzantine fault
tolerance of the blockchain.

IP addresses can be made permanently unusable using the add peer
command ( https://jira.hyperledger.org/browse/IR-4)
This was a small error that is resolved by using DNS names and is not
really a problem to hold up the release.

Cheers!
Dave



---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...





--
Mark Wagner
Senior Principal Software Engineer
Performance and Scalability
Red Hat, Inc




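The two signature findings in Dave's write-up (IR-2 and IR-3) come down to the same verifier mistake: counting distinct signature byte strings instead of distinct, authorised signers, so any key whose signing routine is non-deterministic can approve a transaction, or cast a consensus vote, as many times as it likes. The Go program below is an added illustration written for this page; it is not Iroha's code and not from the Nettitude report. Because Go's standard ed25519 is deterministic and cannot be patched to use random nonces without a third-party curve library, ECDSA over P-256 (randomised by design) stands in for the modified ed25519 signer. The JSON transaction, the 2-of-3 account, the `Signature` layout and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature pairs a signer's public key with a DER ECDSA signature over the tx digest (constructed layout, not Iroha's).
type Signature struct {
	PubKey *ecdsa.PublicKey
	Sig    []byte
}

func txDigest(tx []byte) []byte { h := sha256.Sum256(tx); return h[:] }

// Sign is randomised (new bytes on every call), standing in for the patched random-nonce ed25519 signer.
func Sign(priv *ecdsa.PrivateKey, tx []byte) (Signature, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, txDigest(tx))
	return Signature{PubKey: &priv.PublicKey, Sig: sig}, err
}

// keyID is a stable identity for a public key: its affine coordinates in hex.
func keyID(pub *ecdsa.PublicKey) string { return pub.X.Text(16) + ":" + pub.Y.Text(16) }

// CountVulnerable mirrors the audited check: every valid signature with distinct
// bytes is a distinct approver, so one key can vote as often as it likes.
func CountVulnerable(tx []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		if ecdsa.VerifyASN1(s.PubKey, txDigest(tx), s.Sig) {
			seen[string(s.Sig)] = true
		}
	}
	return len(seen)
}

// CountFixed deduplicates on the verified signer's key and only counts keys on
// the account's signer list, so repeated signatures from one key are inert.
func CountFixed(tx []byte, sigs []Signature, signers []*ecdsa.PublicKey) int {
	allowed := map[string]bool{}
	for _, k := range signers {
		allowed[keyID(k)] = true
	}
	seen := map[string]bool{}
	for _, s := range sigs {
		if id := keyID(s.PubKey); allowed[id] && ecdsa.VerifyASN1(s.PubKey, txDigest(tx), s.Sig) {
			seen[id] = true
		}
	}
	return len(seen)
}

// QuorumMet admits a multi-signatory tx on distinct authorised signers, not on signature blobs.
func QuorumMet(tx []byte, sigs []Signature, signers []*ecdsa.PublicKey, quorum int) bool {
	return CountFixed(tx, sigs, signers) >= quorum
}

type DemoResult struct {
	Vulnerable, Fixed          int  // approvers each check counts for one key signing 3 times
	ForgedQuorum, HonestQuorum bool // fixed check's verdict on the forgery / on two real signers
}

// Demo: attacker holds only key 0 of a 2-of-3 account and submits it three times; honest case is keys 0 and 1.
func Demo() DemoResult {
	tx := []byte(`{"creator":"alice@test","cmd":"transfer","to":"mallory@test","amount":"1000"}`) // constructed
	var privs []*ecdsa.PrivateKey
	var signers []*ecdsa.PublicKey
	for i := 0; i < 3; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err) // only fails if the system RNG does
		}
		privs = append(privs, k)
		signers = append(signers, &k.PublicKey)
	}
	sign := func(keys ...*ecdsa.PrivateKey) []Signature {
		var out []Signature
		for _, k := range keys {
			s, err := Sign(k, tx)
			if err != nil {
				panic(err)
			}
			out = append(out, s)
		}
		return out
	}
	forged := sign(privs[0], privs[0], privs[0])
	honest := sign(privs[0], privs[1])
	return DemoResult{
		Vulnerable:   CountVulnerable(tx, forged),
		Fixed:        CountFixed(tx, forged, signers),
		ForgedQuorum: QuorumMet(tx, forged, signers, 2),
		HonestQuorum: QuorumMet(tx, honest, signers, 2),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Run it and the byte-deduplicating check reports three approvers for an account that only one key signed, while the key-deduplicating check reports one and refuses the quorum, yet still admits two genuine signers. The fix is not "reject duplicate signature bytes"; it is that a verifier must never treat signature bytes as a signer identity, must map every signature back to a verified key on the account's (or the consensus round's) authorised list, and must count that list. The same rule applies whether the scheme is randomised by design, as ECDSA is here, or was made so by an attacker patching a deterministic one.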


Re: Proposed release of the Iroha audit report

Mic Bowman
 

Holidays...
+1

-----Original Message-----
From: tsc@... [mailto:tsc@...] On Behalf Of David Huseby
Sent: Wednesday, January 2, 2019 6:49 AM
To: Dan Middleton <dan.hyperledger@...>
Cc: Arnaud Le Hors <lehors@...>; Baohua Yang <yangbaohua@...>; Hart Montgomery <hmontgomery@...>; Hyperledger List <tsc@...>; Mark Wagner <mwagner@...>; hyperledger-tsc <hyperledger-tsc@...>
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit report

By my count I've got yes votes from:
Mark, Arnoud, Hart, Baohua, Dan and Nathan

I'm waiting on:
Binh, Chris, Kelly, Mic, and Silas

Thanks,
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...

On Wed, Jan 2, 2019 at 5:19 AM David Huseby <dhuseby@...> wrote:

So is it officially approved?

Dave

On Fri, Dec 21, 2018 at 8:41 AM Dan Middleton <dan.hyperledger@...> wrote:

+1

On Fri, Dec 14, 2018 at 2:26 PM Baohua Yang <yangbaohua@...> wrote:

LGTM!
Thanks!

--
Best wishes!

Baohua Yang


Re: Proposed release of the Iroha audit report

Olson, Kelly M <kelly.m.olson@...>
 

+1 from me.

Thanks,
Kelly

-----Original Message-----
From: tsc@... [mailto:tsc@...] On Behalf Of David Huseby
Sent: Wednesday, January 2, 2019 6:49 AM
To: Dan Middleton <dan.hyperledger@...>
Cc: Arnaud Le Hors <lehors@...>; Baohua Yang <yangbaohua@...>; Hart Montgomery <hmontgomery@...>; Hyperledger List <tsc@...>; Mark Wagner <mwagner@...>; hyperledger-tsc <hyperledger-tsc@...>
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit report

By my count I've got yes votes from:
Mark, Arnoud, Hart, Baohua, Dan and Nathan

I'm waiting on:
Binh, Chris, Kelly, Mic, and Silas

Thanks,
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...

On Wed, Jan 2, 2019 at 5:19 AM David Huseby <dhuseby@...> wrote:

So is it officially approved?

Dave

On Fri, Dec 21, 2018 at 8:41 AM Dan Middleton <dan.hyperledger@...> wrote:

+1

On Fri, Dec 14, 2018 at 2:26 PM Baohua Yang <yangbaohua@...> wrote:

LGTM!
Thanks!

On Fri, Dec 14, 2018 at 3:41 PM hmontgomery@... <hmontgomery@...> wrote:

Yeah, I’m pretty much always in favor of releasing security audits if the bugs have been fixed.



Thanks,

Hart



From: tsc@... [mailto:tsc@...]
On Behalf Of mark wagner
Sent: Friday, December 14, 2018 5:30 AM
To: Arnaud Le Hors <lehors@...>
Cc: dhuseby@...; hyperledger-tsc
<hyperledger-tsc@...>; Hyperledger List
<tsc@...>
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit
report



Does anyone else on the TSC have an opinion on this ?



If we want to streamline TSC calls and do online voting, we actually need to pay attention to the emails...



-mark



On Tue, Dec 11, 2018 at 8:44 AM Arnaud Le Hors <lehors@...> wrote:

SGTM.
--
Arnaud Le Hors - Senior Technical Staff Member, Web & Blockchain
Open Technologies - IBM




From: "mark wagner" <mwagner@...>
To: dhuseby@...
Cc: hyperledger-tsc <hyperledger-tsc@...>
Date: 12/06/2018 07:39 PM
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit report
Sent by: tsc@...

________________________________




Thanks for the great writeup Dave

As you mentioned that all four issues have been resolved I would
currently vote to release the report. <insert weasel words here> Of
course if others come up with an objection that I had not
considered I may need to factor that into my decision. </weasel
words>

What do others think ?
-mark

On Thu, Dec 6, 2018 at 8:56 AM David Huseby <dhuseby@...> wrote:
Hello TSC,

As part of my visit to the Iroha team, I finalized the Iroha audit
checks with the team and I think that it is time to publish the
Iroha audit report and I would like the TSC's approval to do so. I
recommend that the report be published.

The Iroha audit found four security issues, including one that was
critical enough to require us to issue our first CVE (
https://www.cvedetails.com/cve/CVE-2018-3756/) All four issues
were tracked using our JIRA and resolved earlier this year.

Memory leak in Irohad ( https://jira.hyperledger.org/browse/IR-1)
Nettitude found a memory leak associated with processing a remote
request that creates a very slow potential denial of service.

Multi-signatory transactions can potentially be authorised by
single user ( https://jira.hyperledger.org/browse/IR-2)
This bug exploited some errors in the signature storage and
validation to bypass the transaction signature validation. This is
similar to bug #3 bellow. A malicious user could bypass the
transaction signature checking by signing it multiple times with a
non-deterministic signature scheme.

Vote early, Vote often ( https://jira.hyperledger.org/browse/IR-3)
This is the issue that required a CVE. Nettitude found that by
modifying the ed25519 signature library to use random nonces
instead of message hashes, the signature checking code could be
exploited to accept multiple signatures produced with the same
keypair. This allowed a single malicious node to sign the
malicious transaction multiple times and the other nodes would view
the signatures as unique and valid. This completely bypasses one
part of the byzantine fault tolerance of the blockchain.

IP addresses can be made permanently unusable using the add peer
command ( https://jira.hyperledger.org/browse/IR-4)
This was a small error that is resolved by using DNS names and is
not really a problem to hold up the release.

Cheers!
Dave



---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...





--
Mark Wagner
Senior Principal Software Engineer
Performance and Scalability
Red Hat, Inc






--
Best wishes!

Baohua Yang
--
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...
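The IR-3 finding above (and the related IR-2 multi-signatory bypass) comes down to the verifier treating "distinct signatures" as "distinct signers". The block below is an added example, not Iroha's code: a toy Schnorr-style scheme with tiny, insecure parameters, constructed here only to model deterministic versus random-nonce signing, with the vulnerable counting logic beside the fixed one. The vote-counting functions and the `allowed_keys` membership check are assumptions about the shape of such a verifier, not Iroha's API.

```python
"""IR-3 in miniature: a quorum/multisig check that counts distinct
*signature values* instead of distinct *signer keys*.

Toy Schnorr-style scheme over a tiny group (p=1019, q=509): insecure,
demo only. It models the one property that matters: an RFC 8032-style
deterministic signer yields exactly one signature per (key, message),
while a signer modified to draw random nonces yields many distinct,
individually valid signatures for the same key and message.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4      # q | p-1 and G has prime order q (toy sizes)
assert pow(G, Q, P) == 1    # sanity-check the group parameters

def _h(*parts) -> int:
    """Hash-to-scalar for nonce derivation and the challenge."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # private scalar in [1, q-1]
    return x, pow(G, x, P)                # (private, public)

def sign(x, msg, nonce=None):
    """Honest path: nonce derived from (key, msg), so signing is
    deterministic. A modified signer supplies its own random nonce."""
    k = nonce if nonce is not None else (_h("nonce", x, msg) or 1)
    r = pow(G, k, P)
    e = _h(r, pow(G, x, P), msg)
    return (r, (k + e * x) % Q)

def verify(y, msg, sig) -> bool:
    r, s = sig
    if not (1 <= r < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == (r * pow(y, _h(r, y, msg), P)) % P

def random_nonce_signatures(x, msg, n):
    """Model of the modified signer: fresh random nonces until there are
    n distinct, all-valid signatures from one key on one message."""
    sigs = set()
    while len(sigs) < n:
        sigs.add(sign(x, msg, nonce=secrets.randbelow(Q - 1) + 1))
    return sorted(sigs)

def count_votes_vulnerable(msg, votes):
    """Bug pattern (assumed shape of the IR-3 verifier): dedup on the
    signature value, so every distinct valid signature is a 'voter'."""
    return len({sig for y, sig in votes if verify(y, msg, sig)})

def count_votes_fixed(msg, votes, allowed_keys):
    """Fix: dedup on the signer's public key and accept only keys that
    belong to the signatory set; extra signatures from one key add nothing."""
    return len({y for y, sig in votes
                if y in allowed_keys and verify(y, msg, sig)})

def demo(quorum=3):
    """One malicious signatory of three tries to reach quorum alone.
    Returns (vulnerable verifier fooled?, fixed verifier fooled?)."""
    msg = "transfer 1000 from treasury"        # constructed sample tx
    keys = [keygen() for _ in range(3)]
    allowed = {y for _, y in keys}
    x_mal, y_mal = keys[0]
    votes = [(y_mal, s) for s in random_nonce_signatures(x_mal, msg, quorum)]
    return (count_votes_vulnerable(msg, votes) >= quorum,
            count_votes_fixed(msg, votes, allowed) >= quorum)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The verifier cannot rely on signers being deterministic, since a node controls its own signing library; uniqueness must be established on the signer's identity, not on the signature bytes.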


Re: Proposed release of the Iroha audit report

David Huseby <dhuseby@...>
 

that's actually a good idea.
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...

On Wed, Jan 2, 2019 at 7:52 AM Mark Wagner <mwagner114@...> wrote:

Sounds like we need a blockchain based voting app for the TSC. Is there a new lab in our future?

On Wed, Jan 2, 2019, 09:49 David Huseby <dhuseby@...> wrote:

By my count I've got yes votes from:
Mark, Arnaud, Hart, Baohua, Dan and Nathan

I'm waiting on:
Binh, Chris, Kelly, Mic, and Silas

Thanks,
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...

On Wed, Jan 2, 2019 at 5:19 AM David Huseby <dhuseby@...> wrote:

So is it officially approved?

Dave

On Fri, Dec 21, 2018 at 8:41 AM Dan Middleton <dan.hyperledger@...> wrote:

+1

On Fri, Dec 14, 2018 at 2:26 PM Baohua Yang <yangbaohua@...> wrote:

LGTM!
Thanks!

On Fri, Dec 14, 2018 at 3:41 PM hmontgomery@... <hmontgomery@...> wrote:

Yeah, I’m pretty much always in favor of releasing security audits if the bugs have been fixed.



Thanks,

Hart



From: tsc@... [mailto:tsc@...] On Behalf Of mark wagner
Sent: Friday, December 14, 2018 5:30 AM
To: Arnaud Le Hors <lehors@...>
Cc: dhuseby@...; hyperledger-tsc <hyperledger-tsc@...>; Hyperledger List <tsc@...>
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit report



Does anyone else on the TSC have an opinion on this?



If we want to streamline TSC calls and do online voting, we actually need to pay attention to the emails...



-mark



On Tue, Dec 11, 2018 at 8:44 AM Arnaud Le Hors <lehors@...> wrote:

SGTM.
--
Arnaud Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM




From: "mark wagner" <mwagner@...>
To: dhuseby@...
Cc: hyperledger-tsc <hyperledger-tsc@...>
Date: 12/06/2018 07:39 PM
Subject: Re: [Hyperledger TSC] Proposed release of the Iroha audit report
Sent by: tsc@...

________________________________




Thanks for the great writeup Dave

As you mentioned that all four issues have been resolved I would currently vote to release the report. <insert weasel words here> Of course if others come up with an objection that I had not considered I may need to factor that into my decision. </weasel words>

What do others think?
-mark



Re: Proposed release of the Iroha audit report

Mark Wagner
 

Sounds like we need a blockchain based voting app for the TSC. Is there a new lab in our future?






Re: Proposed release of the Iroha audit report

David Huseby <dhuseby@...>
 

By my count I've got yes votes from:
Mark, Arnaud, Hart, Baohua, Dan and Nathan

I'm waiting on:
Binh, Chris, Kelly, Mic, and Silas

Thanks,
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...



Re: Proposed release of the Iroha audit report

David Huseby <dhuseby@...>
 

So is it officially approved?

Dave



Re: [Hyperledger Architecture WG] [Hyperledger Performance and Scale WG] [Hyperledger Identity WG] [Hyperledger TSC] How can we improve diversity in the Hyperledger technical community?

Bob Summerwill <bob@...>
 

Hey David,

As I work through my mailbox I realized that I had still never replied to this mail of yours and just wanted to commend you.

These are some deep observations!

Are there now recurring meetings on community health?


On Wed, Oct 31, 2018 at 12:52 PM David Boswell <dboswell@...> wrote:
I've been looking into the topic of diversity in open source communities and wanted to share some interesting articles and a specific proposal for something our community can do.

To start, here are some important points made by three different articles:

* The basic structure of open, meritocratic and welcoming communities puts more hurdles in place for some people than others.  There's a great article that looks at how the essay 'The Tyranny of Structurelessness', an article about power structures in the feminist movement, applies to open source communities.  I think the most important line in that article is: “First, we need to recognize that while we all strive to be meritocratic when engaging and involving people we are often predisposed to those who act, talk and think like us.”


* Building on that point, open source projects are biased in favor of contributors who show up with an itch to scratch (they already have a thing in mind they want to do).  Sumana Harihareswara has a great article that points out that not everyone has an itch to scratch when they come to a community and we are sending the message that those people aren't real contributors.  But just like people have different learning styles, if we want to have a more diverse group of contributors we need to recognize that there are different contribution styles as well -- otherwise we keep limiting our contributions to the subset of people who participate in the one way we've promoted as 'the right way to contribute'.


* So we need to put new structures in place for new contributors that don't have an itch to scratch the moment they show up in the community.  Many people are interested in Hyperledger and want to get involved but don't know what to do.  We can match those new people with contribution opportunities and with existing contributors to help them.  And data shows that matching people with mentors does increase diversity -- see this recent Economist article that compares effectiveness of different diversity policies.

https://www.economist.com/united-states/2018/09/29/anti-discrimination-statements-by-employers

The proposal then is to create a formal mentoring program in the community where existing contributors share their knowledge with new contributors and connect them with tasks that the projects need help with that fit their interests and skills.  And there are models out there for how to do this in an open source community.  Mozilla had a mentoring effort that scaled to a large size by having a small group of mentors level up a group of people who then mentored others who then leveled up more people.  The attached image of their mentoring structure shows how this scales up quickly.

Thoughts?

Thanks,
David

