Author Topic: Cryptsy was hacked - lost 13,000 BTC & 300,000 LTC  (Read 2081 times)
Chris Sokolowski
January 16, 2016, 08:20:01 PM
 #21

While no server is ever completely immune to hacking, it doesn't take much knowledge to secure a server.
Wrong or exaggeratedly simplified. It does take years of experience and dedication not to take any shortcuts.

Also we are talking (or should be talking) about dozens of systems and services that need to be firewalled, segregated, sandboxed, pentested, updated and monitored. This is a job for experts and should be done internally and externally in regular intervals.
I think you're jumping to conclusions that Cryptsy was run by experts who implemented proper security protocols.  If Cryptsy ignored basic security and ran the daemon as root, then the hardest part of the hack would have been convincing Cryptsy to install the client.  As epinnoia said, if you did nothing else other than run each daemon as a separate unprivileged user, then there would have to be an OS level exploit to access other users' files.  Not only is such an exploit exponentially harder to find, the same exploit would affect anyone running the OS, leaving it unlikely that the bug would not have already been detected and patched ages ago.

Prohashing - Professional Mining Made Simple
Visit us at https://prohashing.com
Optimized for performance - 15 algorithms - Payouts in 200 coins - PPS, PPLNS, or solo
tittiecoiner
January 16, 2016, 10:29:58 PM
 #22

Quote
We are getting some helpful information to our reward email and want to thank all who are helping to find the culprit.  The vast majority of our users want the Cryptsy exchange to continue operating.

Many are suggesting other options other than the 3 mentioned above:

4. Spread the loss to all users in the system and allow trades to continue.

 Cheesy Cheesy Cheesy

Yes, I'd like to take the loss due to your incompetence on me, no problem. Your dishonesty doesn't matter, it's more important that your company will survive and you will make money  Roll Eyes

</sarcasm off>

Tony116
January 18, 2016, 11:24:52 AM
 #23

So, have we lost all altcoins in cryptsy.com?? Sad

Epinnoia
January 18, 2016, 04:07:18 PM
Last edit: January 18, 2016, 04:49:23 PM by Epinnoia
 #24



Okay, it's been some time since I had to deal with coding of this tricky nature.  But I just now was able to present that snip to someone who codes extensively/daily for a living, and he confirmed what I said.  "Read and send" (NOT write!!!).  For those more familiar with Linux, it's like a remote kind of 'cat' command.  It dumps text files to the screen or output pipe.  Presumably directory structure as well (if readable/owned by same user), as they're files too.  All this exploit would do is put a backdoor into the infected wallet client such that someone knowing the backdoor existed could start looking around on the hard drive of the infected client for files that were set readable by the same user account that was running the infected client.

So on a multi-user system, this should not have happened as Cryptsy said -- unless cryptsy was doing some incredibly negligent stuff regarding their server allocation and file permissions thereon.  They would have had to have global read permissions set on all their wallet files, either at the system or group level.  OR, they were running all the clients (including the bitcoin client) under the same username/account -- which then gave each and every one of the clients the ability to read the files created by all of them.  Again -- INCREDIBLY irresponsible, and unbelievable.  And it still doesn't explain why they'd be running them on the same physical or virtual machine that had wallet files containing keys protecting access to $6.6+million dollars (price of btc on the date of the alleged hack was ~$582).

This would have been a firing offense for anyone at any modern corporation.  I can assure you.  And anyone who has real-world experience would know better than to have made the mistakes that would have had to have been made if Cryptsy's account is true.

If you had $6.6 million sitting in a wallet.dat file on a computer, would you download strange unknown executables onto that same machine and run them?  Give me a break...

My first miner -> ATI 4550 (7.2 Mh/sec): 
https://www.facebook.com/groups/cryptospeculators/
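
The isolation points raised in posts #21 and #24 (one unprivileged account per daemon, no daemon as root, no group or world read bit on wallet files) can be checked mechanically. The following is an added example, not code from any poster or from Cryptsy; the daemon names, UIDs and modes in `SAMPLE` are constructed, and `wallet_record` and `audit` are hypothetical helper names.

```python
import os
import stat
from collections import defaultdict


def wallet_record(name, run_uid, wallet_path):
    """Build one audit record from the real filesystem (mode of the wallet file)."""
    st = os.stat(wallet_path)
    return {"name": name, "run_uid": run_uid,
            "wallet_mode": stat.S_IMODE(st.st_mode)}


def audit(records):
    """Return (subject, problem) findings for the misconfigurations in the thread."""
    findings = []
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["run_uid"]].append(r["name"])
        # root can read every other account's files, so isolation is void
        if r["run_uid"] == 0:
            findings.append((r["name"], "daemon runs as root"))
        # any group/other read bit lets a different account read the keys
        if r["wallet_mode"] & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((r["name"], "wallet readable by group or other"))
    # daemons sharing one account can read each other's wallets at any mode
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), f"daemons share uid {uid}"))
    return findings


# Constructed inventory: one clean daemon, one loose mode, two sharing an account.
SAMPLE = [
    {"name": "bitcoind",   "run_uid": 1001, "wallet_mode": 0o600},
    {"name": "litecoind",  "run_uid": 1002, "wallet_mode": 0o644},
    {"name": "altcoind-a", "run_uid": 1003, "wallet_mode": 0o600},
    {"name": "altcoind-b", "run_uid": 1003, "wallet_mode": 0o600},
]

if __name__ == "__main__":
    for subject, problem in audit(SAMPLE):
        print(f"{subject}: {problem}")
```

On a live host, `wallet_record` would be fed each daemon's actual run UID and wallet path in place of the constructed `SAMPLE` entries.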