Has anyone come close to claiming this?

Posted: Tue Jan 26, 2016 7:26 am
by koinmaster
Not that I am complaining, but anyone gotten close to claiming this? You need to do like Google and offer up millions for a bug bounty, that will bring them. :lol:

Re: Has anyone come close to claiming this?

Posted: Tue Jan 26, 2016 2:57 pm
by KnightMB
It has a long answer :D

I have 28 e-mails with keys sent to the registration address. Of those 28, 3 people claimed to have found a way, so I was very interested to hear how.

First person, they hacked their own server to make 1 million, billion, etc. but when connecting back to the Timekoin network, well it didn't work.

One person was very clever, he changed Timekoin to create transactions that were so large (like the amount was 9999999999999999999999999999999999999999) in the hopes of causing an integer overflow (similar to what happened to bitcoin a few years back) and maybe cause an exploit. The issue was that Timekoin actually can't decode transaction amounts that large because they can't fit in the field for the encrypted data. :lol:

The most recent was (last year) someone created a VPS with just one server with 128 IPs all going to the same machine. The reason was to have all the Timekoin servers connect to it and then he would rewrite the transaction history to give himself a million TK for example. The problem he ran into was that the network would just DoS his server because the rest of the network thinks those are 128 separate servers, but instead all that traffic was just funneling into one server. So he rewrote his server to just ignore everything, but by doing that all the real servers were failing the "polling" checks so they would disconnect after a few minutes. Finally he got the "I have a million now" transaction created via a non-existent Public Key address. So when all the other servers start exchanging information, they rejected that transaction because there was no way to verify the data, no history exists for the ghost Public Key. Anyway, long story, his server showed he had created the "million TK to me" transaction. So I asked him to send that "million" to me and see if it works. Well, the transaction was rejected of course and none of the honest TK servers had been fooled by it, so it was a bust for him (and the money he spent to set up at Amazon).
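
The two rejections described in the post above (the oversized amount and the spend from a public key with no history), as an added C example that is not Timekoin's code and not part of the original post. The ledger, the key names and `MAX_AMOUNT` are constructed assumptions; the naive check is included only to show the wrap-around that a range check prevents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_AMOUNT 1000000000LL /* assumed cap for this sketch, not Timekoin's real limit */

struct tx { const char *from, *to; int64_t amount; };

/* Constructed history that every honest peer already holds. */
static const struct tx HISTORY[] = {
    { "GENERATOR", "alice", 500 },
    { "alice",     "bob",   120 },
};
#define HISTORY_LEN (sizeof HISTORY / sizeof HISTORY[0])

/* A peer derives the balance from history; the sender's own claim is never used. */
int64_t balance_of(const char *key) {
    int64_t bal = 0;
    for (size_t i = 0; i < HISTORY_LEN; i++) {
        if (strcmp(HISTORY[i].to, key) == 0)   bal += HISTORY[i].amount;
        if (strcmp(HISTORY[i].from, key) == 0) bal -= HISTORY[i].amount;
    }
    return bal;
}

/* Naive check: the output total wraps around, so two huge amounts look small. */
int naive_accepts(const char *from, const int64_t *out, size_t n) {
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += (uint64_t)out[i]; /* wraps modulo 2^64 */
    return (int64_t)sum <= balance_of(from);
}

/* Hardened check: each amount is range-checked before it is counted. */
int checked_accepts(const char *from, const int64_t *out, size_t n) {
    int64_t left = balance_of(from);
    for (size_t i = 0; i < n; i++) {
        if (out[i] <= 0 || out[i] > MAX_AMOUNT) return 0; /* out of range */
        if (out[i] > left) return 0;                      /* not backed by history */
        left -= out[i];
    }
    return 1;
}

int main(void) {
    const int64_t huge[] = { INT64_MAX, INT64_MAX }; /* constructed oversized amounts */
    const int64_t million[] = { 1000000 };           /* spend from a key with no history */
    /* Exit status 0 when the hardened check rejects both attempts. */
    return checked_accepts("alice", huge, 2) || checked_accepts("ghost", million, 1);
}
```

A key that never appears in the history has a derived balance of zero, so any spend from it fails the second test regardless of what the sender's own database says.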

Re: Has anyone come close to claiming this?

Posted: Tue Jan 26, 2016 3:13 pm
by PoisonWolf
That's hilarious. I wonder if a cash prize was offered, would people be more motivated in trying to break the network? Say like $100 USD?
KnightMB wrote:It has a long answer :D

I have 28 e-mails with keys sent to the registration address. Of those 28, 3 people claimed to have found a way, so I was very interested to hear how.

First person, they hacked their own server to make 1 million, billion, etc. but when connecting back to the Timekoin network, well it didn't work.

One person was very clever, he changed Timekoin to create transactions that were so large (like the amount was 9999999999999999999999999999999999999999) in the hopes of causing an integer overflow (similar to what happened to bitcoin a few years back) and maybe cause an exploit. The issue was that Timekoin actually can't decode transaction amounts that large because they can't fit in the field for the encrypted data. :lol:

The most recent was (last year) someone created a VPS with just one server with 128 IPs all going to the same machine. The reason was to have all the Timekoin servers connect to it and then he would rewrite the transaction history to give himself a million TK for example. The problem he ran into was that the network would just DoS his server because the rest of the network thinks those are 128 separate servers, but instead all that traffic was just funneling into one server. So he rewrote his server to just ignore everything, but by doing that all the real servers were failing the "polling" checks so they would disconnect after a few minutes. Finally he got the "I have a million now" transaction created via a non-existent Public Key address. So when all the other servers start exchanging information, they rejected that transaction because there was no way to verify the data, no history exists for the ghost Public Key. Anyway, long story, his server showed he had created the "million TK to me" transaction. So I asked him to send that "million" to me and see if it works. Well, the transaction was rejected of course and none of the honest TK servers had been fooled by it, so it was a bust for him (and the money he spent to set up at Amazon).

Re: Has anyone come close to claiming this?

Posted: Tue Jan 26, 2016 4:03 pm
by KnightMB
It should be down at the bottom of here: http://timekoin.org/index.php?option=co ... &Itemid=61

Says we will pay in check, cash, digital currency of choice, even "other" payment system provided it was legal. ;)

Re: Has anyone come close to claiming this?

Posted: Wed Jan 27, 2016 7:53 pm
by bucket
I'll claim that second try, I thought the overflowing integer size would be a good way to attack the network but later figured out that knightmb already put some range checking in the code to prevent that, but I thought it was a good try. It worked for bitcoin after all. :lol:

Re: Has anyone come close to claiming this?

Posted: Wed Jan 27, 2016 7:54 pm
by PoisonWolf
bucket wrote:I'll claim that second try, I thought the overflowing integer size would be a good way to attack the network but later figured out that knightmb already put some range checking in the code to prevent that, but I thought it was a good try. It worked for bitcoin after all. :lol:
Stick around and keep trying to break it! :D

Re: Has anyone come close to claiming this?

Posted: Wed Jan 27, 2016 10:17 pm
by Smarty
I always wondered if anyone did, well back when it was 1 million anyway. I guess the million was too much for most people; is that why it was reduced to 1,000? :lol:

Re: Has anyone come close to claiming this?

Posted: Thu Jan 28, 2016 11:30 pm
by koinmaster
I thought or was certain there had not been any recent hacks for Timekoin, but I thought I read somewhere that someone had broken it, maybe it was just someone running off on a forum somewhere, but glad to hear things are still rock solid.