On the recent Noso outage

To me this outage comes as no surprise. To be fair, I'm actually astounded that it hasn't happened before.

You see, the code that drives the entire chain is done in Pascal. Not even in Object Pascal, which is the most recent and Object Oriented Programming version of the Pascal dialect.
It's written in a dialect version of Pascal that has been out of fashion since the early 1990s.
While this is not a bad thing in itself, as proven by the more than 4 years of operation of this coin, it's not a good thing either, due to the lack of easy ways to scale it or even maintain it.
And, mainly due to that, no one has ever wanted to actually dive into the code and find any relevant security issues.

Welp... Looks like someone finally said: Hold my beer!!!

I'm not quite sure what that person found that is so easy to attack and provides such a devastating effect, but from my own foray into the code, it's not that hard to find.
All the code was done with standards from the early 70s, which is when the Pascal language started, with only the command line as its target.
Alas, the current wallet is made for a GUI target. And the glue needed to make code written with the command line in mind work as a GUI app was not the best of glues!!

Now, we all know that we have a very dismissive person at the centre of this all. And we all know that this person's ego will never allow him to take the blame for this outage.
Someone else has to be the culprit, just because he can do no wrong.
That person has been saying that another dev has one, or multiple, backdoors in the NosoSova application. This is him trying really hard to set some rumours in order to shift the blame.
But, as we all know, this type of person has glass roofs and is throwing rocks into the air...

Let me tell you about my foray into the code, specifically in the context of backdoors...

One thing that the author decided to add to the wallet is what he calls directives. These are commands that can be activated remotely, by someone that has a master key.
Look at these lines of code: https://github.com/Noso-Project/NosoNode/blob/4648df5d689c23b5c23c1ba30bd7fd9dd391d15e/masterpaskalform.pas#L585-L587
Those lines of code are constants with accounts that are allowed to perform admin tasks. This in itself doesn't mean that much.
But it is the seed of doubt that most of us kinda don't like:

  • Why does a wallet have an admin account in its code?
  • And what is considered an admin task?
  • Can this be used to allow remote commands to be run on my node?
  • How much code is this, and what does it do?


All valid questions when we think that one of the principles of cryptocurrency is decentralisation, right? So, in that context, why do we have a mention of some account as being admin anything?

Well, let me tell you at least 2 ways it's been used, with me actually witnessing it:

  1. Forcing the entire network to issue the upgrade command right after a new release
  2. Forcing the entire network to issue a restart command after an upgrade has been done


I'm not sure both these commands are still in place, but let's analyse the PTC_AdminMSG procedure, located here: https://github.com/Noso-Project/NosoNode/blob/4648df5d689c23b5c23c1ba30bd7fd9dd391d15e/mpprotocol.pas#L952
In that procedure, we see that there are quite a few commands being parsed in the context of them being Admin.
From line 996 of that procedure, we see that we have a list of admin related directives:

  • UPDATE
  • RESTART
  • SETMODE
  • ADDNODE
  • DELNODE
  • ADDNTP
  • DELNTP
  • ADDBLOCKED
  • DELBLOCKED
  • ADDNOSOPAY
  • DELNOSOPAY
  • CLEARCFG
  • RESTORECFG


For a piece of software that should be as decentralised as possible, having this amount of directives that can only be executed by someone owning the private key of that account present in the AdminHash constant, is rather fishy, amirite?
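One way to answer the "how much code is this" question on any checkout is to scan the Pascal source for hard-coded admin constants and for the directive literals listed above. This is an added example, not code from NosoNode or from the post; the Pascal fragment, its constant value and its routine names are constructed for the demo, and the matching is a heuristic.

```python
import re

# Directive names exactly as listed in the post.
DIRECTIVES = {"UPDATE", "RESTART", "SETMODE", "ADDNODE", "DELNODE", "ADDNTP",
              "DELNTP", "ADDBLOCKED", "DELBLOCKED", "ADDNOSOPAY", "DELNOSOPAY",
              "CLEARCFG", "RESTORECFG"}

# Constructed Pascal fragment, NOT the real NosoNode source (names are made up).
SAMPLE = """\
const
  AdminHash = 'PLACEHOLDER-ADDRESS';
procedure PTC_AdminMSG(TextLine: string);
begin
  // 'UPDATE' inside a comment must not be counted
  if UpperCase(Cmd) = 'UPDATE' then RunUpdate
  else if UpperCase(Cmd) = 'RESTART' then RunRestart  { 'SETMODE' later }
  else if UpperCase(Cmd) = 'ADDNODE' then AddNode(Arg);
end;
procedure ShowHelp;
begin WriteLn('Type RESTART to restart'); end;  // longer literal, no dispatch
"""

# String literals come first so comment markers inside strings are ignored.
TOKEN = re.compile(r"'(?:[^'\n]|'')*'|//[^\n]*|\{.*?\}|\(\*.*?\*\)", re.S)
ROUTINE = re.compile(r"^\s*(?:procedure|function)\s+([\w.]+)", re.I)
ADMIN_CONST = re.compile(r"^\s*(\w*admin\w*)\s*(?::[^=]+)?=\s*'", re.I)
LITERAL = re.compile(r"'((?:[^'\n]|'')*)'")

def blank_comments(src):
    """Replace comments with spaces; keep string literals and line numbers."""
    def repl(m):
        tok = m.group()
        return tok if tok.startswith("'") else re.sub(r"[^\n]", " ", tok)
    return TOKEN.sub(repl, src)

def audit(src):
    """Return (admin_constants, directive_hits) as (line, name, routine) tuples."""
    consts, hits, routine = [], [], None
    for no, line in enumerate(blank_comments(src).splitlines(), 1):
        if m := ROUTINE.match(line):
            routine = m.group(1)
        if m := ADMIN_CONST.match(line):
            consts.append((no, m.group(1), routine))
        for lit in LITERAL.findall(line):
            if lit.upper() in DIRECTIVES:  # exact literal only, not substrings
                hits.append((no, lit.upper(), routine))
    return consts, hits

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run `audit()` over the text of each `.pas` file in a checkout and diff the result between releases to see when a directive or admin constant is added or removed.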

I've not given you a comprehensive look at more code that exists to serve the author's need for power and control, because most of us just glaze our eyes when code is presented.

Now, all this was a long winded road to get to the matter of things with these rumours of a backdoor on NosoSova.
I can't fully guarantee that there is none, since I've not looked at the code. But one thing sets NosoSova apart from the GUI wallet:

  • NosoSova only works with outside access to a node, or a set of nodes.
  • NosoSova does not interact directly with the blockchain, only the wallet does.
  • Even if NosoSova had a backdoor, it would never be able to mess with the blockchain if the main wallet disallows it.


And due to all the above statements, the rumour that NosoSova has a backdoor is kinda moot, cuz the only piece of software that touches the delicate parts is the GUI wallet, not NosoSova!!!

To conclude this already long rant, I just want to say that this is something that was bound to happen sooner or later.
It hasn't been done sooner because the coin never quite enjoyed that much attention and the usual bad actors weren't that much interested.
Nonetheless, someone did take the time to sift through a very bad piece of code, with roots in ideas/implementation from the late 70s, and look at what could break.
Then, took the time to tailor some code to actually prove that nothing is safe, especially a piece of code whose author has a completely nonchalant attitude towards security.

And here we are. The very delicate house made of playing cards comes tumbling down with ease.


Update from the author of the attack (1 Sep 2024)


The author of the attack has made his reasons clear: https://telegra.ph/Lessons-for-Pedro-that-he-likes-to-skip-09-01-2

Comments

  1. Surely you are not a Noso hater, right?

    1. I do not hate Noso, no.
      I actually spent about 2 years of my life involved in it by doing both Server Administration and some programming, specifically the second version of the main page and the first iteration of the explorer.
      So, no, I do not hate Noso.
      I reserve my bad feelings towards the idiot that is the author, that's all.

    2. You helped PasichDev to attack noso, so you are as bad as he is. You attacked all NOSO community, not only Author, there is a lot of people that spend last years on this project. Shame on you and your projects ( for sure, you are not trustworthy at this point ). PD: I'm Estripa from NOSO project.

    3. Hey Estripa, glad to see you being active here.
      While I did not get involved in the actual attack, I did give him my blessings.
      This, of course, is just a technicality and, for some, it will be the same as the perpetrator. You make up your mind on that.
      Now, on the subject that I'm a bad person and I should be burnt at the nearest town square, what I have to say is this:
      Instead of engaging in a meaningful argument about the current state of Noso, our friend Estripa, decides that personal attacks are way better than the huge pink elephant in the room.
      In doing this, he objectively forgoes all the attempts that were made to resolve these things in a civilised way. And there were many. And they were always met with one, and only one, outcome: The person would be banned from the Discord server.
      So, my dear Estripa, if we only take the attack, and forgo all other attempts at civility, I guess you're right: I'm a bad person and I should be beheaded and have my head on a pike, displayed prominently.
      But, if we account for all the warnings, the effort to actually make better versions and all the work that is being dismissed in your comment, then the person that should not be trusted is you.
      Let that sink in for a moment!!

  2. To me, it looks like everyone involved should sit down at a table and have a proper discussion.
    Everyone makes mistakes and misunderstandings are natural when it comes to communication.
    Everyone has made mistakes to some extent and nobody is perfect.
    Shifting the blame back and forth and pointing the finger at others is childish and doesn't help anyone.
    To me, it all sounds like there was too little communication in the project. Healthy communication requires being open to other opinions.
    In the best case scenario, productive discussion should also take place.
    It would also be nice if some important things were brought out into the community to ask the opinions of the people who are part of Noso.
    I think it is essential that problems and critical questions, for example the one about the admin account, should always be shared with the community and in the best case explained.

    Censorship of individual developers should never take place.
    If a developer raises such problems/questions and cannot be properly explained by other developers, it should be possible for the developer to communicate openly with the community and address the problem.
    An explanation will then be forced.
    What is the point of an open source project if only a few people have the knowledge to understand the code, but those who are familiar with it are censored?
    A thing can generally only develop if things are questioned and/or errors are recognized.
    The whole thing that took place the last few days could have been avoided if censorship (blocking people on discord) had not taken place.
    The Noso project should be open to ideas and comments, which of course requires deaf ears to be opened.
    But censorship should never take place.
    That PasichDev and his friends felt the need to make themselves heard with this attack is a pity.
    Open your eyes and ears and listen to others.
    Every idea has its justification and should not be immediately labeled as nonsense.

    Personally, I am very glad that the attack took place.
    Not because I'm a fan of things being destroyed, but more because things have been revealed which, in retrospect, will help the project move forward.
    The attack highlighted weaknesses and also raised critical questions, which should always be asked.
    The fact that users have been harmed by this and that developers have been forced to work intensively is not to be taken lightly and not cool either.
    But Noso is still at the beginning of what it will be one day.
    And so it is a good thing if such difficulties are recognized and resolved earlier. The question should now be what benefit can be gained from the whole thing.
    All the things that have been uncovered can bring about change for the better.
    And I emphasize again:
    It doesn't matter who is to blame.
    Everyone can learn something for themselves from this and grow.
    I therefore hope that this has been a wake-up call and that fundamental work is being done to communicate better, both internally and externally.

    1. WOW!! Your message is very touching!!
      And I say this with the utmost respect, I really do!!

      Alas, PasichDev is the 5th or 6th dev to be burned by the author.
      Either by implementing changes that completely erase the work of a dev, and usually not even proposed to the community, or by just pressing the ban button.

      This is the baggage that PasichDev inherited and for him, this needed to be put on display for the entire community to be aware of what the past 4 or 5 years have been.

      I sincerely wish that someone will actually listen and make the proper changes for the project to be more open. But, mainly due to the evidence of the past years, I would not hold my breath.

      Nonetheless, I'm glad that someone understood what brought this about and that person is full of hope. For that I give you my most deeply felt thanks!!

    2. NOSO has GVT system, but it is not used. Someone just does what he wants.

  3. We have GVT system in NOSO, is it dead? How do they lead the project?
