and just so u know bitcointalk is not the community
Can you please stop posting here? You're really an annoying person. I mean, really. Really. Really, really, really annoying. Thanks. thank you
I'm still owed 479 RAD (Radiation coins) and r3wt is not responding to my support tickets.
i'm sorry, i'm currently the only one working as everyone has bailed but me. i am working to get the coin clients all back up. i will answer your support tickets as soon as possible. to stay in the loop with what is going on, please bookmark our twitter page. i update it fairly frequently. you are not being ignored, i'm just really busy trying to dig out of this mess and i am all alone in this endeavor. https://twitter.com/_OpenEx_
Maybe just launch with 2 or 3 coins and not 30. Start small and build up.
eh i'm almost done now. i got all my screen scripts ready to run, now i just have to update all the conf files, add 60 firewall rules to ufw then run the screen script.
this guy is horrible. he asked for a reward; my friend helps him by PMing him on what to do, it works, and he says he figured it out himself. bullshit. second, this guy has made premined coins for people, so what a scam artist. gascoin lol
bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program
I'm glad it isn't just me who thought it's iffy. This guy's already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.
We all underestimated just how "open" OpenEx.PW was, I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the site's functionality as intended, ppl were getting double credits and such.
yes we tested. attacker was in and out of the server fucking with the trade engine code. it took us a while to catch on that someone was changing our code besides us. lessons learned: hire a server admin, don't use mysql functions and real escape string. i found a tutorial on devshed that teaches how to use pdo. i've been practicing all morning and i can't believe it's so easy. we'll be back as soon as we've addressed the issues with the server and fixed the flaws in the application. though your intent was to humiliate, i thank you for being blatantly honest. you're helping make openex better though you're trying to fud it to death.
to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.
There is nothing genius about the code, and nothing genius about you.
other than the queries, i'd say it's pretty secure.
Your opinion means nothing and is apparently given out without any thought. That code is some of the worst I've seen in years. WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money? Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough. Don't even think about relaunching with anything but a play site.
let's have an example there bud.
Oh I don't know, the topic of this thread you fucking idiot comes to mind. Also whatever double cancel bug you had that allowed people to give themselves coins. And then of course there's always this one: https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.');
I'm sure you have no idea why that's a problem though. I don't understand why anyone in this thread is cutting you slack at all. What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open. Your code is the quality of what I made in middle school, and your attitude fits that age range as well. I'm done with this thread, but a warning for anyone reading it: Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk! His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible. When his next site gets hacked, don't say I didn't tell you so.
hey cock server, the application is extremely secure. it was the server that was compromised. also i didn't write any of the trade engine code, if you want to talk shit, perhaps you want to talk to justin?
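r3wt's lessons-learned post (drop the mysql functions and real escape string for PDO) and the market-parameter URL quoted in the post above both point at the same two fixes: a parameterised query and output encoding. Added example, not OpenEx code and not from anyone in the thread: a hypothetical trade-page lookup in its vulnerable form beside a hardened one. The table, column and market-name format are assumptions, and mysqli stands in for the removed mysql_* functions on the "before" side.

```php
<?php
// Added example, not OpenEx code. Table, column and market-name format are assumptions.

// BEFORE: the pattern the thread criticises. The raw GET value is concatenated
// into the SQL and echoed back into the HTML, so one crafted value is both an
// SQL injection and a reflected XSS.
function tradePageVulnerable(mysqli $db, array $get): string
{
    $market = $get['market'];
    $res = $db->query("SELECT last_price FROM markets WHERE name = '$market'");
    $row = $res ? $res->fetch_assoc() : null;
    return "<h1>Market: $market</h1><p>Last: " . ($row['last_price'] ?? 'n/a') . "</p>";
}

// AFTER: allow-list the identifier, bind the value through a PDO prepared
// statement (never concatenated into SQL), and encode everything on output.
function tradePageHardened(PDO $db, array $get): string
{
    $market = $get['market'] ?? '';
    // Assumed market-name format, e.g. BTC_RAD; anything else is rejected early.
    if (!preg_match('/^[A-Z0-9]{2,10}_[A-Z0-9]{2,10}$/', $market)) {
        http_response_code(400);
        return '<p>Unknown market.</p>';
    }
    $stmt = $db->prepare('SELECT last_price FROM markets WHERE name = :name');
    $stmt->execute([':name' => $market]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeName  = $enc($market);
    $safePrice = $enc((string)($row['last_price'] ?? 'n/a'));
    return "<h1>Market: $safeName</h1><p>Last: $safePrice</p>";
}

// Emulated prepares are disabled so the server parses the statement separately
// from the bound value; DSN and credentials are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=exchange;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
echo tradePageHardened($db, $_GET);
```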
any thought on getting a better logo? We need better graphic design and logo IMO.
i held a logo contest and didn't receive very much interest. i agree though.
well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.
I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?
i retrieved the wallet while running foremost. i then sent the coins to a new address.
What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.
I honestly feel like it would diminish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework. it certainly doesn't mean frameworks aren't useful. i just don't use them (yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.
You're re-inventing the wheel though, really. 1000s of devs have collaborated on frameworks for good reasons, don't write them off because you want to write it all yourself!
on the same token though, i can scrutinize the code i write to a great degree of certainty, whereas with a framework i have to worry about my code and that of the framework.
Sorry to hear this happened r3wt
Yeah me too. back to the drawing board once more.
"Edison failed 10,000 times before he made the electric light. Do not be discouraged if you fail a few times." – Napoleon Hill
"I've missed more than 9000 shots in my career. I've lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed." – Michael Jordan
"I was set free because my greatest fear had been realized, and I still had a daughter who I adored, and I had an old typewriter and a big idea. And so rock bottom became a solid foundation on which I rebuilt my life." – J.K. Rowling
"Many of life's failures are people who didn't realize how close they were to success when they gave up." – Thomas Edison
"If you want the rainbow, you gotta put up with the rain." – Dolly Parton
And finally a Chinese proverb my dad used to say: Fall seven times, stand up eight.
Keep trying matey. You have put so much time and effort in, you'll make it sooner or later! Remember, whenever you fail, you always learn what not to do next time!
thank you for the inspirational quotes and kind words. we are not giving up. #NeverYield
I don't understand why it's not done MVC
it basically is. the pages do some work, the system folder does some work which is not shared in the github, but the majority of it is handled through the objects in our various class files and the functions in the models folder. we have our models and controllers in /models, our "view" is in /pages. while it's not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.
I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security. It doesn't. It's just one layer of basic protection, and a thin one at that.
i would appreciate if you would enlighten us all a bit. give a crash course. i'll pay you for your time. i might even list catcoin if this works out good.
I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."
It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.
Sorry, but that's nonsense. There's enough people understanding node.js and i can assure you that. Also, i would consider someone who needs to visit tutorial sites as not being in a good position to actually run a server. Don't get me wrong, but it's not just about stolen Bitcoin, it's also about all those hundreds of thousands of spam machines which are all run by some kids who "can i haz server, pls?", which require me (and others) to constantly set up and finetune spam filters, watch spam folders and crap because they're just not able to secure a machine. If people want to play, no problem. There's plenty of server software you can run on your local machine to try and test and become a pro one day. But please, keep the internet clean from those sloppily set up machines which bring a hell of an effort if they're being compromised again. By the way, this is one of the points which literally cry for a regulation!
i clearly underestimated the role of a sysadmin.
I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.
also, I was wondering if usernames/passwords were stolen, or any other coins? was the hack only affecting the btc wallet?
0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN
whoever it was was only in the server for 6 minutes before i found out. we do not know, but as a precaution we are having everyone withdraw all coins. database will be completely wiped, along with wallet.dats and conf files. have to start over from scratch. who knows what they took while they were in there.
Sorry to insist, but as I can see you will delete the entire database and wallet, what about pending DEPOSITS? I'd be happy to withdraw my money but I can't. 0.02569114 BTC - Deposit address at the time: 1A4LKQVr4r7WgG3rTYMBfDrM4qhpRU6ufR. But you changed that address since then so don't know if this will be of any help...
I will be happy to help you phil. let me know the details via pm.
1) non-standard port 2) no root login 3) ssh key entry only 4) iptables ip restriction
This was posted earlier in the thread. If you insist on running an exchange at this point in time, I would suggest setting the 'ip address restriction'. This means no ssh connections can be made to your server from any ip address that is not permitted. It is not 100% foolproof as your ISP could launch an attack on your server by spoofing your permitted ip addresses. This is extremely unlikely, but a possibility. Doing this one thing would likely prevent any future compromises.
i have read a few tutorials on the subject and after discussing with Justin, we have chosen to do the smart thing and have contacted a professional server administrator. he's not cheap but he's agreed to help us get it secured as much as is humanly possible, with the notion that we would hire him full or part time once we can afford it.