Zap to Zero Day 16 | Mad World

Yesterday, I almost got hit by a tram. Ok, that sounds dramatic. It wasn't really almost but the driver might had to brake to not hit me just because I was too retarded to see that the light was red. But someone shouted "Hello?" in an increasingly alarming tone behind me — someone who wasn't retarded enough to not see that the light is red and that there is literally a tram coming down towards us — so I stopped before I was in front of the tram. During my walk of shame back to the curbstone, I noticed that he seemed very annoyed by what just happened. He probably was thinking the same as me:
How can someone be THIS retarded?
I thanked and told him that I didn't realize that the light that I saw green was the light behind the red light. That seemed to have made sense to him and we both relaxed because the situation was also a bit funny now. I am not sure if I also told him this, but my mind was simply still too occupied with the pedestrian traffic light that I just passed since wires were hanging out.
Mhh, interesting. Who did that? And why? How easy is it to manipulate traffic lights? What chaos would ensue? It's probably not that hard. Just needs some reverse engineering. Is it public information how these traffic lights are built.
Funnily, at the next pedestrian light, I again wanted to cross over red — but on purpose since it's a very short distance to pass and surely not much can go wrong over this distance, right? — but I looked around first and saw blinking police cars at my right side. That's when I remembered that just a few minutes ago before I had my canceled meeting with the tram, I passed some police officers who were talking to someone who wasn't wearing a lot of clothes. I was thinking:
Dudes, it's freezing, give this man some clothes!
Now I was thinking that maybe he was behind or at least involved in some way that the wires were hanging out on that one light that piqued my interest?
When the light for the traffic got green (that's why my light was red), the chain of a cyclist broke. I think he put too much pressure on his pedals and it might also have been related to how cold it was. I think that's when chains break easier? Now he had to do a walk of shame to the curb to fix his bicycle. I smirked.
If you let it, this world can be really fun and interesting sometimes.

Satistics

DateSpentStacked (Rewards)PostsCommentsRewarded
2023-12-2813k8808 (n/a)235n/a
2023-12-2916.1k15.6k (5222)352
2023-12-3010.8k9752 (7026)141✍️
2023-12-3120.5k17.9k (4379)561
2024-01-0112.5k10.7k (7684)347✍️
2024-01-0216k19.5k (9353)636✍️
2024-01-0315.9k15.6k (6729)246
2024-01-0411.4k11.4k (3954 4093 4131)338✍️
2024-01-0511.3k11.4k (3954 4092)141?
2024-01-0666916282 (3665 3954)038✍️
2024-01-0780538503 (1219 3665)320✍️
2024-01-0888739164 (1219)212
2024-01-0958286808 (4649)2 634 35✍️
2024-01-1014.1k14.4k (4857)322
2024-01-1111.8k10.4k (4109)322✍️
2024-01-1287438016 (4778)341✍️
2024-01-13TBDTBD (3116)TBDTBD
Mhh, I think I need to accept that the calendar is indeed not reliable. Not only for posts and comments but in general. We did a release yesterday and I got a lot of sats forwarded and stacked some more sats here and there. As you can see in the chart that shows my balance, it exploded but the calendar thinks I only stacked 8016 sats, lol. I mean, not complaining (totally complaining) since that means I basically won yesterday against @grayruby since we didn't clarify which source we're using as the ~oracle to tell if I stacked more than I spent (totally not ignoring that the my win condition was to hit 0, not spent > stacked).
So as @siggy47 already mentioned on Jan 6, we still have a bug in prisms:
I was just listening, and towards the end @k00b started talking about all the sats I have earned. I did a double take. I'm not complaining, but I couldn't believe those totals. I know I don't have those sats, so I was puzzled. I also pride myself on zapping others a lot, and my percentage was low. Then it occurred to me. I was credited with the approximately 3 million sats that were donated to Anita for the Satsraiser.#239180 Apparently those sats are credited to the donor. I don't want to look like some kind of Scrooge or Mr. Potter!
Dang you're right we might still have that bug for prisms.

We also included a new but funny bug in our release yesterday. As @Wumbo noticed pretty quick, you were able to enter your own SN address to trigger an infinite loop of withdrawals:
Time for Inception!
Withdraw from wumbo@stacker.news to wumbo@stacker.news
Still wondering when we will get our first real responsible disclosure though. Maybe @Wumbo would have been greatly rewarded if he would have told us about it in a responsible way? :) Just like was mentioned to Dinesh in Silicon Valley in this scene at the end?
How many people do I need to shame about disclosing vulnerabilities on SN before we get the first responsible disclosure which is not just someone feeling FOMO and thus not verifying that it's actually a vulnerability they found? And not just them leaking their own IP address?
That report was funny though. Reporter, if you're still on SN and read this, please don't take it personal. It was just too funny to not mention it here and I think you agreed when I explained to you that it wasn't a vulnerability and we laughed together about it :)
Since it' another good example, I also want to mention the vuln that @kepford found since it was a pretty good (bad for us) privacy leak [0] a while ago but didn't realize what he found until I replied:
So you can use this to see if someone has more than 250k sats.
Nice catch! That's a privacy leak. Please consider using responsible disclosure next time you find something like this. Maybe you would have been more greatly rewarded if you didn't disclose it publicly immediately with no chance for us to fix before everyone knows about it? :) /cc @k00b
— me, #355354
I'm a dev and as soon as I saw your comment I felt terrible. I know if I were working on stacker.news I'd feel responsible to fix it asap. I appreciate the gentle scolding and the zap. Was not expecting either.
I can totally understand how you just find something and want to post about it on SN. I do this all the time. But it should depend on what you want to post.
So by mentioning this over and over again, I hope that enough people will see it and the next time they find something, they will remember my words and be like:
Mhh, that's looks weird. Better not post about this immediately on SN; essentially burning a lot of sats since I could get rewarded handsomely if I disclose this in a responsible way.

Recent Superzaps

1. Technological determinism and splitting the atom of cause and effect

This post by @elvismercury (totally not biased which posts I pick) is something I found yesterday but again have no idea how. I think telling how I find interesting things on SN would also be ... interesting.
This post is related to the Broken Money book club that @elvismercury was running [1].
(A post in the meta-experiment series of the Broken Money book club, part 5)
We've talked before (here, here, here) about one of Lyn's most remarkable claims, about the technological determinism of bitcoin. We've spent less time on the determinism of fiat, but this idea is just as important. Lyn proposes that when advances in telecom made it possible to communicate at the speed of light, that this introduced an irresistable force on the monetary system: you couldn't have sound-money final settlement at the speed of light, so money became principally an expression of credit.
[...]
There were only 20 comments but basically all of them of them evolved around replies from @Undisciplined and @k00b:
Tom Woods has talked about how one of the major problems fiat created was turning almost everyone into amateur stock traders. On a hard money standard, people can literally just save their money for tomorrow and have confidence its purchasing power will be preserved. Fiat made saving untenable and "saving" became a euphemism for financial speculation.
This post also convinced me that Urban Dictionary should add the following definition to the term "Mind Blown":
The feeling you get when you read something from @elvismercury

2. Legend of the Snail | 37 days until next elimination

Some shameless self-promotion. But in case you didn't see it (and you are one of the ones who didn't pay up yet!), I thought it makes sense to mention it here.
@oracle is running a bet when bitcoin will reach $100k. This is inspired by @orthwyrm's daily comments in the saloon (that used to be called Daily discussion thread as you can see here).
So if you want to participate, it's not too late yet! You just aren't allowed to bet on a number that is within 90 days. See here for more information.

Challenge of the Day

Do something challenging.

Song of the Day

Went to school and I was very nervous No one knew me, no one knew me Hello teacher, tell me, what's my lesson? Look right through me, looked right through me
And I find it kinda funny, I find it kinda sad The dreams in which I'm dying are the best I've ever had I find it hard to tell you, I find hard to take When people run in circles, it's a very, very Mad world, mad world

thE eNd

[0] It wasn't as impactful since you basically only had 10 chances to find the exact balance but it was still severe enough to trigger an immediate response from me. With every attempt that triggered the shown error message, you basically knew that the user balance was at least above that. Also, there was fortunately no code for exploitation included. While writing my own exploit to evaluate the impact, I found out about the 10 chances (limit for pending invoices).
[1] Apparently, @lynaldencontact even was made aware of the book club at some point. And is it still running? Can't find part 5. But I think @elvismercury mentioned somewhere that he got very busy. So I might indeed still have time to catch up!
Thanks very much for the kinds words.
That post is one of my favorites and I'm super interested in talking about it still. That's true for most of them, I suppose, which makes it so delightful when an older one bubbles up again. So it's not too late for you to read Broken Money! I'll engage with any new comments on my posts as fully as I would on the day the posts were made. I suppose eventually that might stop being true, but not yet. I also suspect the usual book club suspects like @k00b and @Undisciplined would do the same.
Wrt book club: part 5 was broken into a number of individual posts, in an attempt to not overwhelm me or get me fired from the time stoking / babysitting the mega-threads, so you've already seen them, they just don't have as prominent titles as the other parts do. (That was a mistake, in retrospect.)
I still have part 6 to complete, but as you inferred, I kind of ran out of steam toward the end of the year due to being split into many pieces; that combined with the fact that the last section of the book was one where I felt like the implications had been discussed extremely well in other places, mainly by Alex Gladstein in his books and other writings. Even the mainstream Libertarians do a good job on this one, which is rare on any btc-adjacent topic.
In other words, the narrative around the human rights implications of btc is already excellent and most people who know anything about it tend to know the best arguments, which is not (imo) the case for the topics dealt w/ in the other parts of the book. So Lyn had a much smaller lift in part 6, which is good for her, but that makes it less interesting to me.
Anyway, you've inspired me to shoot the cowboy hat off this thing as @Bitman might say. So look for part 6 in the coming days.
reply
I'm a pathological replier, so if anyone shows up in my notifications they can expect some kind of engagement. I certainly don't care how old the content is.
reply
This is how I behave as well unless I'm very busy.
reply
These Z2Z posts are so well curated and crafted. Still full of your conversational style.
If you let it, this world can be really fun and interesting sometimes.
You just reminded me to squeeze in some “people watching” this weekend 😃
reply
I enjoy people watching! and that's another bonus living in Turkey, since it's so diverse here, you pretty much got every looks possible. 👀
reply
Regarding responsible disclosures, I have already done one over email with @k00b and nobody seems to have even figured out that the issue was there before a fix was released :)
Also, I’m quite happy with my compensation. Responsible disclosures FTW.
reply
I have read all your ZZZ posts from day 1. With these posts you prove your humanity. Congrats!
reply
Great write up! Ah the snail. The big day will come sooner than we think!
reply
Your making a comeback. I need to rally the troops.
reply
What a great post, thank you very much, I think I started where I shouldn't have, that is, I'm going to read all your other posts, by the way, thanks to your second comment I'm going to take a look at that book you recommend, of which I made a quick google search and I'm definitely interested, thanks again!
reply
484 sats \ 1 reply \ @Wumbo 13 Jan
My comment was just a hypothetical issue.
I actual didn't get a chance to test my comment.
I guess I missed out on my 72 Sats reward.
@ekzyis what is your preferred way for users to report issues?
reply
My comment was just a hypothetical issue.
I actual didn't get a chance to test my comment.
I see. I am sorry that I assumed based on your comment that you did indeed test this and verified that it's a vulnerability before replying; especially since it turned out to be a correct hypothesis.
However, I welcome people trying to break our code so the issue isn't necessarily with (responsibly) testing it.
What is important to me is that people disclose vulns (even potential ones) in a manner that does not put us into a situation where we are pressured to immediately fix something since the vuln was essentially fully disclosed [0] before we were made aware of it:
Full Disclosure
With the full disclosure approach, the full details of the vulnerability are made public as soon as they are identified. This means that the full details (sometimes including exploit code) are available to attackers, often before a patch is available. The full disclosure approach is primarily used in response or organisations ignoring reported vulnerabilities, in order to put pressure on them to develop and publish a fix.
This makes the full disclosure approach very controversial, and it is seen as irresponsible by many people. Generally it should only be considered as a last resort, when all other methods have failed, or when exploit code is already publicly available.
I guess I missed out on my 72 Sats reward.
What do you think would have been reasonable? Did you evaluate the impact such a bug could have in the wrong hands before writing this?
@ekzyis what is your preferred way for users to report issues?
You can DM me on SimpleX (see my profile) or follow the instructions in the FAQ or README.
Anyway, no hard feelings; just wanted to mention this for the next time. Also wanted to mention this for everyone else reading.

[0] I consider your comment a full disclosure since your comment includes enough information to trigger the infinite withdrawal loop by anyone reading it. The severity of that loop is a topic that we could have discussed and compensation is based on that.