pinata: some rephrasing

Hannes Mehnert 2018-04-17 00:00:46 +02:00
parent 62642b6cbc
commit c503312a9d

@ -12,9 +12,11 @@ client and a TLS server listening on a port. The total size, including TLS,
X.509, TCP/IP, of the virtual machine image is 4MB, which is less than 4% of a X.509, TCP/IP, of the virtual machine image is 4MB, which is less than 4% of a
comparable system using a Linux kernel and OpenSSL. comparable system using a Linux kernel and OpenSSL.
When a TLS handshake is successfully completed with mutual authentication, the When a TLS handshake with the Piñata is successful including mutual
Piñata transmits the private key to a bitcoin wallet which initially contained authentication, the Piñata transmits the private key to a Bitcoin wallet which
10BTC. In 2018, most of them will be reused for other projects. initially contained 10BTC. The project started on February 10th 2015. Our
lender transferred on March 18th 2018 the 10BTC and repurposed them for other
projects.
On startup, the Piñata generates its certificate authority on the fly, including On startup, the Piñata generates its certificate authority on the fly, including
certificates and private keys. This means that only the Piñata itself contains certificates and private keys. This means that only the Piñata itself contains
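Review bot: the rewritten paragraph still says in the present tense that the Piñata "transmits the private key to a Bitcoin wallet", while the added sentences say the 10BTC were transferred away on March 18th 2018, so a reader cannot tell whether completing the handshake still yields any bounty. State explicitly what the wallet holds after the transfer, and consider reordering the last sentence to "On March 18th 2018 our lender transferred the 10BTC and repurposed them for other projects." The start date and the lender transfer are new facts rather than rewording, which the commit title "some rephrasing" does not reflect.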
@ -22,13 +24,11 @@ private keys which can authenticate successfully, and an attacker has to find
an exploitable flaw in any software layer (OCaml runtime, virtual network an exploitable flaw in any software layer (OCaml runtime, virtual network
device, TCP/IP stack, TLS library, X.509 validation, or elsewhere) to complete the challenge. device, TCP/IP stack, TLS library, X.509 validation, or elsewhere) to complete the challenge.
The Piñata is online since February 2015, and even though thousands of unique IP The Piñata is online since February 10th 2015, and even though hundreds of
addresses established connections and initiated TLS handshakes, no bitcoins were thousands of connections and initiated TLS handshakes, no Bitcoins were taken.
taken. Looks like its security is decent or obscure enough.
By using a Bitcoin wallet, the Piñata is a transparent bug bounty. Everybody By using a Bitcoin wallet, the Piñata is a transparent bug bounty. Everybody
can observe (by looking into the Bitcoin blockchain) whether it has been can observe (by looking into the blockchain) whether it has been compromised and
compromised and the money has been transferred to another wallet. It is also the money has been transferred to another wallet. It is also self-serving: when
self-serving: when an attacker discovers a flaw, they don't need to fill out an attacker discovers a flaw, they don't need to fill out any forms to retrieve
any forms to retrieve the bounty, instead they can take the wallet, without any the bounty, instead they can take the wallet, without any questions asked.
questions asked.
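Review bot: the rewritten clause "even though hundreds of thousands of connections and initiated TLS handshakes" lost its verb when "unique IP addresses established" was dropped, so it no longer parses; something like "even though hundreds of thousands of connections were established and TLS handshakes initiated" would restore it. The metric also changed from thousands of unique IP addresses to hundreds of thousands of connections, which is a different claim and worth confirming against the logs. The reflowed statement that everybody can check the blockchain to see whether "the money has been transferred to another wallet" now needs a caveat, because the earlier hunk records a transfer by the lender that an outside observer would otherwise read as a compromise.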