TradeFortress(aka $username): Trust Abuse

[peligro]

There is one small detail that does not make sense however. The part about how th linode 2FA was bypassed was basically skipped over in his explanation, and also the account admin@glados.cc had 2FA enabled too, so I don't know how the account password could be reset without turning off 2FA, and TF never mentioned how that was done either, in fact he never mentioned he had 2FA enabled on this account at all when he in fact did.

It points it to being a self hack. He would have had a good explanation otherwise.

He also told everyone (at least when I deposited) that all deposits were backup up with assets in AsicMiner and other securities and that if a hacked occurred, he would reimburse those affected.

How much did you lose?

[redsn0w]

Supposedly, what had happened was that someone was able to dupe a Linode customer service rep into giving them access to the server's in browser tty shell. That's the story i was given.

Not exactly, allegedy what happened is the hackers hacked the email address lailai625@hotmail.com due to password reuse. This email address was a recovery email address for another account, which IIRC was admin@glados.cc. Once they accessed this account, the hacker then allegedly reset the Linode password and somehow bypassed the 2FA on the linode account.

That is exactly what happened with another site Bitcoinica which was hacked 3 times in 2012, same hosting company and all, and Bitcoinica was also owned by an Australian:
https://bitcointalk.org/index.php?topic=66979.0

in fact TF was even warned not to use this host for this reason many times by many people and ignored all of them.

It is very possible that it is a coincidence, but this also could've been planned.

There is one small detail that does not make sense however. The part about how th linode 2FA was bypassed was basically skipped over in his explanation, and also the account admin@glados.cc had 2FA enabled too, so I don't know how the account password could be reset without turning off 2FA, and TF never mentioned how that was done either, in fact he never mentioned he had 2FA enabled on this account at all when he in fact did.

Hmmm.. thanks for this short version, I will read also the Bitcoinica hack.

He also told everyone (at least when I deposited) that all deposits were backup up with assets in AsicMiner and other securities and that if a hacked occurred, he would reimburse those affected.

I think nobody has never received anything backwards, or am I wrong?

[DebitMe]

Supposedly, what had happened was that someone was able to dupe a Linode customer service rep into giving them access to the server's in browser tty shell. That's the story i was given.

Not exactly, allegedy what happened is the hackers hacked the email address lailai625@hotmail.com due to password reuse. This email address was a recovery email address for another account, which IIRC was admin@glados.cc. Once they accessed this account, the hacker then allegedly reset the Linode password and somehow bypassed the 2FA on the linode account.

That is exactly what happened with another site Bitcoinica which was hacked 3 times in 2012, same hosting company and all, and Bitcoinica was also owned by an Australian:
https://bitcointalk.org/index.php?topic=66979.0

in fact TF was even warned not to use this host for this reason many times by many people and ignored all of them.

It is very possible that it is a coincidence, but this also could've been planned.

There is one small detail that does not make sense however. The part about how th linode 2FA was bypassed was basically skipped over in his explanation, and also the account admin@glados.cc had 2FA enabled too, so I don't know how the account password could be reset without turning off 2FA, and TF never mentioned how that was done either, in fact he never mentioned he had 2FA enabled on this account at all when he in fact did.

Hmmm.. thanks for this short version, I will read also the Bitcoinica hack.

He also told everyone (at least when I deposited) that all deposits were backup up with assets in AsicMiner and other securities and that if a hacked occurred, he would reimburse those affected.

I think nobody has never received anything backwards, or am I wrong?

He had made a few deals with individuals with larger balances where they received a portion of their deposits back, but thats about it.  Instead, he kept all the shares of AsicMiner and other securities for himself, instead of reimbursing those that he screwed over.  (and with AM going under that is now worthless as well).

[r3wt]

well so much for my thread 

[Blazr]

He had made a few deals with individuals with larger balances where they received a portion of their deposits back, but thats about it.  Instead, he kept all the shares of AsicMiner and other securities for himself, instead of reimbursing those that he screwed over.  (and with AM going under that is now worthless as well).

Yeah the crash of ASICMINER was a serious blow to him, he had a significant portion of coinlenders user funds invested in ASICMINER shares. I highly suspect that coinlenders was insolvent when he launched inputs.io and he was hoping funds from inputs.io would tie him over until he made back the lost coinlenders funds.

[Quickseller]

There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/

The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.

[marcotheminer]

=snip=
He isn't even posting from his TF account anymore.
 =snip=

AFAIK it is same account. He changed username/display name to $username.

The account was last active in February. He is almost certainly posting from another account somewhere, most likely advertising some kind of coding services potentially in a paid signature campaign. I have a couple of suspects, but nothing solid as of yet

I feel like I'm implied here? Am I wrong?

I wasn't aware that you know how to code like that. Yes you are wrong. No I don't think you are TF.

Sorry, I thought you meant he was doing a coding job for me when you said: advertising some kind of coding services potentially in a paid signature campaign. I read 'in' as 'for'.

Nevermind!

[ACCTseller]

=snip=
He isn't even posting from his TF account anymore.
 =snip=

AFAIK it is same account. He changed username/display name to $username.

The account was last active in February. He is almost certainly posting from another account somewhere, most likely advertising some kind of coding services potentially in a paid signature campaign. I have a couple of suspects, but nothing solid as of yet

I feel like I'm implied here? Am I wrong?

I wasn't aware that you know how to code like that. Yes you are wrong. No I don't think you are TF.

Sorry, I thought you meant he was doing a coding job for me when you said: advertising some kind of coding services potentially in a paid signature campaign. I read 'in' as 'for'.

Nevermind!

I was saying that he is both selling his coding services and is in a paid signature campaign.

Although the person who you hired to code your bot has questionable ethics at best so I hope you were able to audit how it works personally.

[redsn0w]

Supposedly, what had happened was that someone was able to dupe a Linode customer service rep into giving them access to the server's in browser tty shell. That's the story i was given.

Not exactly, allegedy what happened is the hackers hacked the email address lailai625@hotmail.com due to password reuse. This email address was a recovery email address for another account, which IIRC was admin@glados.cc. Once they accessed this account, the hacker then allegedly reset the Linode password and somehow bypassed the 2FA on the linode account.

That is exactly what happened with another site Bitcoinica which was hacked 3 times in 2012, same hosting company and all, and Bitcoinica was also owned by an Australian:
https://bitcointalk.org/index.php?topic=66979.0

in fact TF was even warned not to use this host for this reason many times by many people and ignored all of them.

It is very possible that it is a coincidence, but this also could've been planned.

There is one small detail that does not make sense however. The part about how th linode 2FA was bypassed was basically skipped over in his explanation, and also the account admin@glados.cc had 2FA enabled too, so I don't know how the account password could be reset without turning off 2FA, and TF never mentioned how that was done either, in fact he never mentioned he had 2FA enabled on this account at all when he in fact did.

Hmmm.. thanks for this short version, I will read also the Bitcoinica hack.

He also told everyone (at least when I deposited) that all deposits were backup up with assets in AsicMiner and other securities and that if a hacked occurred, he would reimburse those affected.

I think nobody has never received anything backwards, or am I wrong?

He had made a few deals with individuals with larger balances where they received a portion of their deposits back, but thats about it.  Instead, he kept all the shares of AsicMiner and other securities for himself, instead of reimbursing those that he screwed over.  (and with AM going under that is now worthless as well).

I think he never will repay back all the affected customers, too much scam due the related bitcoin service (but the fault it is not all of the customers).

There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/

The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.

I have heard about this exploit, most probable was used to bypass the two factor authentication.

[Blazr]

There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/

The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.

admin@glados.cc had 2FA enabled very shortly after the hack because I checked if it was enabled by trying to reset the password and it wouldn't let me use the normal "open-an-email-and-click-on-a-link" way of resetting the password due to 2FA being enabled, though it was possible to reset it anyway by filling out a form with personal info (it is a Google account). It's possible TF had just turned 2FA on after the hack, but I actually tracked down and spoke to a hacker who had checked out possible ways of hacking TF a few months prior to the hack (I originally thought this person may have been the actual hacker) and he told me that 2FA was enabled on that account a few months prior to the hack. It was a Google account, so a 2FA bypass is highly unlikely as it's both google and Linode that were allegedly bypassed and TF was "anonymous" so a person being able to guess the accounts personal info (which were likely fake) would be very difficult, so I don't see how the hacker overcame all of this, and I think it was a part of the story that TF didn't properly consider.

Yes all of the logs are conveniently gone, TF never even took a backup of the inputs.io private keys or database from what i can tell, and never produced any server logs of the hack, nor gave much specific details about the hack other than the hacker used the unix command midnight commander to transfer stolen data to a hacked server, if he knew that he must've had other logs at the time and it is strange he did not keep those.

[Quickseller]

There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/

The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.

admin@glados.cc had 2FA enabled very shortly after the hack because I checked if it was enabled by trying to reset the password and it wouldn't let me use the normal "open-an-email-and-click-on-a-link" way of resetting the password due to 2FA being enabled, though it was possible to reset it anyway by filling out a form with personal info (it is a Google account). It's possible TF had just turned 2FA on after the hack, but I actually tracked down and spoke to a hacker who had checked out possible ways of hacking TF a few months prior to the hack (I originally thought this person may have been the actual hacker) and he told me that 2FA was enabled on that account a few months prior to the hack. It was a Google account, so a 2FA bypass is highly unlikely as it's both google and Linode that were allegedly bypassed and TF was "anonymous" so a person being able to guess the accounts personal info (which were likely fake) would be very difficult, so I don't see how the hacker overcame all of this, and I think it was a part of the story that TF didn't properly consider.

it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person. 

[Blazr]

it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.  

That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he and his partners are entitled to the rest of the funds because he invested so much time into building the website.

yeah......... in any case I think we should let lawyers figure the full story out at this stage.

[Quickseller]

it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person. 

That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he's entitled to the rest of the funds because he invested so much time into building the website.

I am personally leaning towards him lying about the sites being hacked.

If you ignore all the issues about his story how he got hacked there is still the issue that he had way too much money stored in the hot wallet and IIRC he was hacked right around the time that TF had increased the size of the hot wallet in order to prevent people from having to wait for withdrawing

[Blazr]

it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.  

That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he's entitled to the rest of the funds because he invested so much time into building the website.

I am personally leaning towards him lying about the sites being hacked.

If you ignore all the issues about his story how he got hacked there is still the issue that he had way too much money stored in the hot wallet and IIRC he was hacked right around the time that TF had increased the size of the hot wallet in order to prevent people from having to wait for withdrawing

Plus he didn't learn from his mistake and did it again with hashie.co - he had too much in the hot wallet. His code introduced an exploit and he put too much in the hot wallet, extremely negligent on his part even if he was really hacked.

He claimed that he had to increase the size of the hot wallet due to one customer that was regularly washing large amounts of Bitcoin via inputs.io.

[r3wt]

it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.  

That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he's entitled to the rest of the funds because he invested so much time into building the website.

I am personally leaning towards him lying about the sites being hacked.

If you ignore all the issues about his story how he got hacked there is still the issue that he had way too much money stored in the hot wallet and IIRC he was hacked right around the time that TF had increased the size of the hot wallet in order to prevent people from having to wait for withdrawing

Plus he didn't learn from his mistake and did it again with hashie.co - he had too much in the hot wallet. His code introduced an exploit and he put too much in the hot wallet, extremely negligent on his part even if he was really hacked.

It would be great if we could get a sample of his code to go over.. just a thought

[Blazr]

What happened with Hashie?

FireHashers were priced according to it's expected output.

Code:

function fh_estimate($hashpower, $days){
	$difficulty = getDifficulty();
	$btcusd = getBTCUSD();
	
	$globalHashrateGH = $difficulty * 0.007158388055;

	$oneTHPorion = 1000 / $globalHashrateGH;
	$bitcoinPerHourPerTH = 25 * 6 * 24; // 25 BTC * 6 blocks * 24 hours

	$payoutPerTH = floor($oneTHPorion * $bitcoinPerHourPerTH * 100000000) / 100000000;

	$btcusd = getBTCUSD();
	$feePerHour = ceil(((0.002 * 1 * 1000) / $btcusd) * 100000000) / 100000000;
	
	$payoutPerTH -= $feePerHour;

	$ret = $payoutPerTH * ($hashpower / 1000) * $days;
	
	return $ret;
}

We used Blockchain.info's simple query API to get the current difficulty.

In normal circumstances: Expected earnings = Payout - Maintenance Fee

Unfortunately, for approximately 30 minutes Blockchain.info returned 0 as the network difficulty. $globalHashrateGH became 0. In the next line, that's used to divide -- resulting in a division by zero error. The payout was calculated to be 0.

With the payout 0, the expected earnings was negative. The FireHashers were priced at expected earnings * discount. Since the expected earnings was negative, the price was negative. People could buy negatively priced FireHashers, and when they purchased it, it would actually add to their balance. Users were able to withdraw the fake balances.

We lost a total of around 90 BTC due to this bug. Since we mainly sold AMHash, our margins were very low and we absolutely could not cover 90 BTC and had to shut down. We only recovered minimal amounts (thanks to those that did send us the coins back).

What have we learned?
(1) Sanity check data sources and throw error if there's an unexpected value.
(2) Sanity check purchasing and make sure the price is always >0.
(3) Code review -- being the solo developer isn't the best idea for a bitcoin project.

I plan on launching a few new bitcoin projects in the future (many interesting ideas ), so if you're a web developer who is interested in working together (development, code review, sysadmin, etc) in upcoming projects for equity, contact support@hashie.co.

Don't worry, I'm not touching cloud mining, or web wallets, or lending, ever again.

~ https://hashie.co/letitgo.ogg

-Queen Elsa

[r3wt]

I suppose its not terrible for functional programming. I've certainly made similar mistakes.

[CIYAM]

I suppose its not terrible for functional programming. I've certainly made similar mistakes.

Functional programming?

The code shown above is clearly procedural programming and not spotting such a potentially obvious divide by zero error is "rookie level" at best.

[r3wt]

I suppose its not terrible for functional programming. I've certainly made similar mistakes.

Functional programming?

The code shown above is clearly procedural programming and not spotting such a potentially obvious divide by zero error is "rookie" at best.

I got the terminology mixed up, but yeah, it is a rookie mistake. like calling an non existing function inside of __call()

[marcotheminer]

And you lost me