Bitcoin Forum
March 17, 2018, 10:42:32 PM
981  Other / Meta / Re: Request for forum privacy policy statement on: May 29, 2015, 01:31:26 AM
- Logged IPs are kept forever. However, not all IPs that you use to access the forum end up getting logged.
- There are no per-user access logs (aside from what you're doing now, the last-read post in topics, etc.). There are normal web server access logs, but these can't be reliably tied to specific users; these logs tend to be deleted after a month, but no guarantees.
- Deleted posts are kept forever. Edit logs are kept forever. But if I ever start running low on space, I reserve the right to delete some of this.
- PMs are deleted from the database when everyone who can read the PM deletes it, except for certain users who for legal reasons have additional retention. These users are warned of this condition (except where required by law), though there's no warning when communicating with such users.
- Changes/deletions to trust ratings and settings are currently not saved.

Note also that data deleted from the database may still exist in backups, potentially forever.
982  Other / Meta / Re: About the recent server compromise on: May 28, 2015, 08:32:54 PM
So, since the forums have been back up, Topic Notifications of new replies have not been getting e-mailed out.

They are getting mailed out, your mail provider is just rejecting them. Maybe I will get a new IP address in the future to stop this from happening, but IMO this is a problem on hotmail's end.

May 28 17:42:22 B184CA91EB5: to=<...>,[]:25, delay=0.55,
delays=0.16/0/0.28/0.1, dsn=5.0.0, status=bounced (host[] said: 550 OU-002 (COL004-MC1F36)
Unfortunately, messages from weren't sent. Please
contact your Internet service provider since part of their network
is on our block list. You can also refer your provider to (in reply to
MAIL FROM command))
983  Local / 日本語 (Japanese) / Re: 日本の (Japanese) on: May 28, 2015, 08:16:14 PM

984  Other / Meta / Re: Error / Bug in Trust System: User's trust appears as "???" on: May 28, 2015, 01:45:52 AM
It means that some people in your trust network say that the person is trustworthy, some say that he's a scammer, and the trust score algorithm is unwilling to guess at which one is true. You'll have to read the ratings and decide for yourself.
985  Economy / Auctions / Re: Advertise on this forum - Round 150 on: May 27, 2015, 05:50:45 AM
2 @ 2.5

You have a negative trust score for me, so I won't accept your bids.

Auction ended. Final result:

Slots BTC/Slot Person
1 2.60 SwC_Poker
1 2.60 victorhing
3 2.60 FortuneJack
1 2.50 bitcoinaliens
1 2.45 eric@haobtc
1 2.35 BuyBitcoin.US
986  Other / Meta / Re: Received email from account NOT associated with bitcointalk on: May 27, 2015, 02:47:12 AM
If the forum sent you an email, then the email address was associated with a forum account. Maybe you didn't create the account, since the forum doesn't verify email addresses. You can use the forgotten password feature to take over whichever account it's attached to if you want.
987  Other / Meta / Re: Was the forum database modified? on: May 26, 2015, 08:06:49 PM
Nothing was taken from the compromised server except the database. Backups were used for the code and configuration. Some moderators and I checked (partly manually and partly automatically) the differences between the backed up database and the live database and found no backdoors or anything obvious wrong. It is possible that the content of some posts and things were modified, though I don't think so.
988  Other / Meta / Re: no email to reset the password on: May 26, 2015, 08:30:07 AM
received 1 email at 7AM (dunno what GMT)

followed the link in the email

chose the new password, reinsert for verification

I get this:
An Error Has Occurred!
Invalid activation code

Try it again.
989  Other / Meta / Re: no email to reset the password on: May 26, 2015, 08:28:51 AM
I just sent half a million "change your password" emails, so a lot of email providers aren't too happy with me. Emails might be delayed for a few days, and when they finally do get delivered they'll probably end up in your spam folder.
990  Other / Meta / Re: Slow forum on: May 26, 2015, 02:50:48 AM
I'm still working on getting everything settled in. If it's still slow in a week then maybe better hardware will be needed.
991  Other / Meta / Re: The New Altcoin Board Placement is Elegant and Understated. :) on: May 26, 2015, 02:47:25 AM
That's a bug. The categories keep moving around, I'd guess because SMF is relying on undefined MySQL behavior that I messed up by switching to a different version of MySQL. I will fix it in the near future.
992  Other / Meta / Re: theymos is a government agent | do not use this forum it is honeypot on: May 26, 2015, 01:51:46 AM
OP: That's not me.

Another hacked / modified account... was the DB even checked?

Cøbra's account was not hacked/modified. As far as I can tell, there were no modifications to the database.
993  Other / Meta / Re: Post here if your account was *NOT* hacked on: May 26, 2015, 01:45:50 AM
My account isn't compromised.

994  Other / Meta / Re: About the recent server compromise on: May 25, 2015, 04:43:38 PM
If our account still gets compromised, are you still able to revert permissions back with a PGP btc address to confirm user?

Yes. I also have a database snapshot from a little before the attack which I can use to verify people by email if necessary.
995  Other / Meta / Re: About the recent server compromise on: May 25, 2015, 04:20:02 PM
I guess the password changes which were done yesterday (when the forum came online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why it was done.

Right, you should change your password again.

Also, is it just me or does the forum look plain to everyone? Like I am not able to identify what has changed, but the layout looks a bit flat.

Your eyes got used to looking at other websites besides this one.
996  Other / Meta / Re: New HTTPS keys on: May 25, 2015, 02:54:22 PM
Exponent: 65537 (0x10001)

997  Other / Meta / About the recent server compromise on: May 25, 2015, 02:39:49 PM
On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (i.e. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.

Estimated time (conservative) for an attacker to break randomly-constructed passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  <all standard>
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My

Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.
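The post's figures rest on two properties of the forum's password storage: each guess costs 7500 chained SHA-256 computations, and each password has its own salt, so work spent on one hash cannot be reused on another. The following added example (not theymos's or SMF's code) implements the sha256crypt scheme in pure Python from Drepper's specification so both properties are visible in the code, and adds a constant-time verify routine. The test vectors in the comments are from that specification; the 16-character salt generator, the `hash_password`/`verify` helper names and the sample passwords are assumptions for illustration, while the `rounds=7500` cost is the value the post states.

```python
# Added example (not from the forum post): pure-Python sha256crypt (the "$5$"
# scheme the post describes) plus a constant-time verify. The salt helper,
# function names and sample passwords are assumptions for illustration.
import hashlib
import hmac
import secrets
from typing import Optional

CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # the scheme's default; the forum used 7500
FORUM_ROUNDS = 7500


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Encode three bytes as n crypt-base64 characters, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(CRYPT_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat a 32-byte digest (ending in a partial copy) to `length` bytes."""
    return block * (length // 32) + block[: length % 32]


def sha256crypt(password: bytes, salt: bytes, rounds: Optional[int] = None) -> str:
    """Return the modular-crypt string $5$[rounds=N$]salt$hash."""
    salt = salt[:16]                      # the scheme caps the salt at 16 chars
    n = DEFAULT_ROUNDS if rounds is None else rounds
    h = hashlib.sha256
    plen = len(password)
    # Digest B: password + salt + password
    b = h(password + salt + password).digest()
    # Digest A: password + salt, B repeated to the password length, then one
    # addition per bit of the password length (1 -> B, 0 -> password)
    a = h(password + salt)
    a.update(_repeat_to(b, plen))
    cnt = plen
    while cnt > 0:
        a.update(b if cnt & 1 else password)
        cnt >>= 1
    a_digest = a.digest()
    # Sequences P and S are derived once and mixed into every round
    p = _repeat_to(h(password * plen).digest(), plen)
    s = _repeat_to(h(salt * (16 + a_digest[0])).digest(), len(salt))
    # The expensive part: `rounds` chained SHA-256 computations; each depends
    # on the previous result and on this password's salt, so the work can be
    # neither parallelised within a guess nor shared across different salts
    c = a_digest
    for i in range(n):
        ctx = h()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    # Final encoding uses the scheme's fixed byte permutation
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in order)
    enc += _b64_24bit(0, c[31], c[30], 3)
    rounds_field = "" if rounds is None else f"rounds={n}$"
    return f"$5${rounds_field}{salt.decode('ascii')}${enc}"


def new_salt() -> bytes:
    """Assumption: a 16-character salt (96 bits) drawn from the crypt alphabet."""
    return "".join(secrets.choice(CRYPT_B64) for _ in range(16)).encode("ascii")


def hash_password(password: bytes) -> str:
    """Hash with the forum's stated cost (7500 rounds) and a fresh random salt."""
    return sha256crypt(password, new_salt(), FORUM_ROUNDS)


def verify(password: bytes, stored: str) -> bool:
    """Re-derive with the stored salt and rounds, then compare in constant time."""
    parts = stored.split("$")           # ["", "5", ("rounds=N")?, salt, hash]
    if len(parts) == 5 and parts[2].startswith("rounds="):
        rounds, salt = int(parts[2][len("rounds="):]), parts[3]
    elif len(parts) == 4:
        rounds, salt = None, parts[2]
    else:
        return False
    candidate = sha256crypt(password, salt.encode("ascii"), rounds)
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Specification vector: "Hello world!" / salt "saltstring" / default rounds
    print(sha256crypt(b"Hello world!", b"saltstring"))
    stored = hash_password(b"correct horse battery staple")   # constructed sample
    print(stored)
    print(verify(b"correct horse battery staple", stored), verify(b"wrong", stored))
```

The round loop is where the 7500 figure matters: every guess against one stored hash has to run it in full, with that hash's salt mixed in, which is why the post can say that time spent on one account's password buys nothing against another account.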

If your account is compromised due to this, email from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
998  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 08:07:42 PM
In situations like TECSHARE's, you can (if you trust TECSHARE and disagree with Vod) post an additional positive rating responding to whatever Vod said. This will counteract Vod's negative rating.

The meaning of having "green" trust is now diminished and will be similar to what was previously the meaning of having black positive trust. 

Oh, good point. I changed it so that you have dark green trust if your score is 5 and dark green if your score is 15.
999  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 07:21:38 PM
It looks like no matter what if the last feedback you receive is negative then you will either have a ??? trust score or a negative score.

Correct. Your trust network is assumed to consist of people who are basically reasonable. So if any trusted ratings are negative (which means "this person is probably a scammer, watch out!"), then this should be taken very seriously. That's why a single negative rating can easily cause a loss of 100+ trust points in this new algorithm. And if the most recent rating is negative, then this is a strong indicator that the person may have been running a long con which has turned into a full-blown scam.

If anyone is abusing this by reposting negative trust unnecessarily or giving out negative trust too easily, then you should remove them from your trust network.

@theymos what is the thinking behind increasing the numbers? It makes changes too much. Was it to increase the strength of DefaultTrust?

You'll get used to the larger numbers. DefaultTrust doesn't get any sort of advantage as far as I can tell.
1000  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 06:57:19 PM
??? is a valid score in the new algorithm.

Doesn't that mean if someone receives a positive and a negative rating, they'll go negative if the negative is newer?

If someone has 1 positive and 1 negative, then the time doesn't matter. They'll have a score of -1.

Old -> New
+ - : -1
- + : -1
+ + - : ???
+ - + : 0
- + + : 1
+ + + : >=3
- - + : -3
+ - - : -3
- - - : -8

That seems like quite an extreme decay, ratings after 10 months are worthless? It's going to lead to a lot of reposted ratings to refresh them.

There is no decay. Ratings grow in weight from 1 to 10, then stay at 10 forever. (If the rated person has no negatives.)