|
What DiabloD3 said is absolutely correct. If you have a non-SSL'd element on you page, you might as well have not used SSL at all. It's that big of a security hole.
|
|
|
|
|
First, try deleting everything in the Bitcoin appdata directory other than wallet.dat.
|
|
|
|
Heard back from terrytibbs and he offered a 3 month code, which works for now. Sounds like his original supplier was shady.
Great! |
|
|
|
Use ;;voiceme command to get voiced on #bitcoin-otc.
Requirements to get voiced on #bitcoin-otc: must be GPG authenticated, have account age > 1 day, and trust >= 0. |
|
|
|
|
I have PM'd WhateverName asking for an explanation.
|
|
|
|
scammer label now ? more than 2 weeks
Yeah, unfortunately. |
|
|
|
|
That's odd. I guess our script only runs after you log in...
|
|
|
|
@Mr Wizard
I think the creator of GeistGeld can readily verify that I have 68 GH/s of my own.
nice to hear that, lots of hashes  thanks for making this security test for all of us, would be nice to have some results after you finish though Glad you like it, he also claims he can do it with as little as 25% of the power.... would seem to me doing it to Bitcoin itself in not that far outside his reach with all the support you all have for these "testers", will that be the next great test, he does need to know the limits after all. Am I right people? Ya BTCExpress, just go straight for Bitcoin, that after all is the MOST realistic test, a lot of people here would love to see your data. This attack is only really possible at over 90% power (which he seems to have), unless he actually found a exploit in the code itself. Personally, I think that he just thinks he found a "design flaw", but we'll see. He'll be able to do this attack with this much power, anyway. it is a design flaw Maged https://bitcointalk.org/index.php?topic=43692.msg521772#msg521772You are right about the difficulty issue - that is indeed a serious flaw. But it still doesn't bypass the need for a higher sum-of-difficulty. It'll still be hard to rewrite from block 10000, which is, in my opinion, more of an issue. |
|
|
|
@Mr Wizard
I think the creator of GeistGeld can readily verify that I have 68 GH/s of my own.
nice to hear that, lots of hashes thanks for making this security test for all of us, would be nice to have some results after you finish though Glad you like it, he also claims he can do it with as little as 25% of the power.... would seem to me doing it to Bitcoin itself in not that far outside his reach with all the support you all have for these "testers", will that be the next great test, he does need to know the limits after all. Am I right people? Ya BTCExpress, just go straight for Bitcoin, that after all is the MOST realistic test, a lot of people here would love to see your data. This attack is only really possible at over 90% power (which he seems to have), unless he actually found a exploit in the code itself. Personally, I think that he just thinks he found a "design flaw", but we'll see. He'll be able to do this attack with this much power, anyway. |
|
|
|
As far as believing, we have proven it to the right people. Gavin and others are aware of this exploit but have kept quiet about it.
Very well, I'll defer to them, in this case. |
|
|
|
Currently we are at nearly 1 Tera Hash in committed miners.
Bullshit. Remind me, why are we even listening to this troll? Because it isn't bullshit, we've demonstrated it. Troll, an over used adjective that translates into anyone making a statement that someone disagrees with. Do you think DoubleC or Ruxum are are run by people that don't know what they are doing? Can you explain the 20,000 block generation in 73 minutes on Geist Geld, I think not, but I can. It wasn't my creation, it was ArtForz, we simply ran with it. Block 19102 will be the point truth now won't it? Let me put it this way: You're saying that you have more hashing power than every pool other than Deepbit, btcguild, and Slush. Additionally, that's without having even advertised your rouge pool on this forum. Please tell me how you actually expect us to believe that. |
|
|
|
Currently we are at nearly 1 Tera Hash in committed miners.
Bullshit. Remind me, why are we even listening to this troll? |
|
|
|
my bet is Diablo has had his forum acct hacked. look, he puts up an OP then refuses to elaborate? Ha! I see what you did there. At this moment, I'm questioning if DiabloD3 really posted this thread, I smelll something fishy here.
Maybe the forum (or DiabloD3 account) is compromised again.
Wouldn't the staff members be the first ones to secure their accounts on the forum, even before it went back online after the hack? Yup. All staff had to re-verify themselves after the forum came back up. At this moment, I'm questioning if DiabloD3 really posted this thread, I smelll something fishy here.
Maybe the forum (or DiabloD3 account) is compromised again.
Not unless the box he connects to IRC from has been hacked too; he said essentially the same things in there. This. I saw that too. |
|
|
|
|
I'm getting that spam on my old MtGox address, not my forum address.
|
|
|
|
|
Wait... I thought that Namecoin had all of the protection measures that Bitcoin had, and that these exploits were only possible due to the changes to the difficulty code the other chains made?
The great news is that, even if this does work, an emergency block-chain lockin can be made. That being said, it's literally the last line of defense.
|
|
|
|
[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]
Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted). I suppose that is true. With admin access, they just had to press one button to get a full database dump. That is much less work than coding a dump program yourself. Basically, this is a case where you just have to weigh the risks that the hacker would decide to suddenly start cracking the passwords after you release the details, to the damage that anything less than full disclosure would cause to your reputation. Remember when Mt.Gox was hiding things how pissed everyone was? Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post  Nobody here really thinks that mods are special. We just happen to read more posts than everyone else, so we were given the power to moderate the forum ourselves instead of having to report everything. |
|
|
|
There is no openess, there is no encouragement. Free thought!? You better keep it to yourself man. If you see someone discouraging free thought, PM me and I'll look into it. I might not be allowed to delete the post, but I can at least talk some sense into them. I've needed to do it before. You have got this superiority disease that seems to have infected nearly everyone - these Elitist Super geeks who think they are smarter than anyone, sitting up on their high horses and looking down at everyone. Trying to find new ways to exclude people and new ways to put them selves up on a pedestal Sorry, not much we can do about that.  Then you have the trolls. Searching and Searching for an idea to squash, for some confidence to extinguish. is it Attack or be attacked? You really do not make yourself look better by putting down others. This bully mentality is disgusting. Report those. We might not be able to do anything about the individual post, but we can ban them when we start seeing a pattern. On a side note, I apologize for letting smoothie go on as long as he did. I was really hoping that I could change him, since he did have good ideas. On top of that you have the Pool Hop generation. You can blame the pools that don't prevent pool hopping for that. The resentful Bitcoin youth that jumped on the band wagon when BTC was trading for $30 USD and now want to take every crumb that isnt nailed down. Listen fellas the Bitcoin world does not owe you anything. I wish that there was more that could be done about that, sorry. I sympathize with the Bitcoin forum Mods and Admins I really do, you have a very hard job trying to keep this place under control Thanks, we try. but as this forum is basically the epicenter of the Bitcoin world I do not agree with the newbie system. I think that we need to include as many people from outside as possible and not exclude them just because they got here late. I understand why we have this system and the purpose it is supposed to be serving is good but I personally believe it does more hard to Bitcoin than good. I agree. The newbie system has outlived its usefulness. There was a time that it was needed, but not anymore. Bitcoin is Closed! - For most people this is what they think and feel, the people who are first hearing about Bitcoin today, and they come to the forums and start looking around , that banner "Bitcoin is closed" this is how they feel and its hurting Bitcoin as a whole.
Thank you for your time in reading this, and if I offended you I am sorry. I love Bitcoin, I truly do and like many of you I have a lot of time, and money invested and I really want to see Bitcoin succeed. This thread was created to get people thinking about the good of Bitcoin and the good in themselves.
I happily invite all input, but please use good judgement and answer as the mature adult you are, I do now want this to turn into an argument.
Thanks for this. I agree completely that things are broken, and something needs to be done. However, I also feel that this might just solve itself thanks to things like our stackexchange site. |
|
|
|
|
I'll let theymos know, thanks.
|
|
|
|
Helped? No. Sparked the idea? That's my point. It's a psychological thing, not a technological thing. It's like the candy stands at the checkout... when you go through a grocery store, do you ever actually SEEK OUT the candy? Well, only if you've got candy issues But generally, no. You get to the checkout, and bam: candy. Mm... candy, that would be nice to have! I can afford it, whatever. *grab* Now, the hack. Mm, I've done all my deeds for the day, Cosbycoin is floating all over the forum, screenshots are taken, lulz are collectively had, it's been a fun day. Ahh, it's offline. Ahh, it's back online. What'd that whiny brat admin say about us? ("checkout" phase) Ooh, what's this? Haha, that's stupid-easy to do. ("candy" phase) Sure enough, it works! Haha, suckers, now we have all their passwords too. They may or may not have actually investigated the passwords, and even still there's a probability that they hadn't. But the probability pretty much exploded the moment some dingbat thought it would be smart to advertise how the passwords are hashed. Here's the thing: this information was only revealed AFTER the attack. As such, the hacker no longer has access to the system. If they had the idea of taking the user database and cracking the passwords, they either already did or they didn't. There is literally no way to take the user database without explicitly thinking "I want to crack everyone's password!". If they did take the user database, you can bet that they also downloaded the entire source code of the forum, just in case we made any changes to how the passwords were stored (I don't know that we did, and if we didn't change how the passwords were stored, they could have found this out from the SMF source code any time they wanted to - including well before the attack). Basically, the attacker already would have known all this. There is NO danger in revealing this information after the fact. |
|
|
|
|
For the record, I locked this thread. It was getting out of hand.
|
|
|
|
|
Show Posts
