Bitcoin Forum
Page 2 of 42
Author Topic: bitfloor needs your help!  (Read 92381 times)
dooglus (Hero Member, Activity: 1036)
September 04, 2012, 05:38:29 PM  #21

Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.

It sounds as if the attacker only got the hot wallet, but that unfortunately there was no cold wallet.

It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.

notme (Hero Member, Activity: 938)
September 04, 2012, 05:39:40 PM  #22

Why was the majority of this not in a cold wallet?

This. 

Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.

Quote: Even though only a small majority of the coins are ever in use at any time


Yes. I realize this. I cannot undo it (believe me, I would if I could).

Wow... just wow.

I thought you were better than that.

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

While no idea is perfect, some ideas are useful.
Programmer/Math Nerd
12jh3odyAAaR2XedPKZNCR4X4sebuotQzN
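notme's rule above (keys on a separate, locked-down box with no public IP, never on the web server) is the hot/cold split that the rest of the thread keeps coming back to. As an added example, not bitfloor's code and not anything posted in the thread, here is the shape of that split in Python: the web-facing host is watch-only and can only build and relay a withdrawal, the offline host holds the key and applies a per-transaction limit, and a full compromise of the hot host yields nothing it can sign. The ECDSA is a compact secp256k1 implementation written for this example (a stand-in for bitcoind's own signing, not a production library), the "transaction" is a JSON record standing in for a raw transaction, and the key, address and limit are constructed.

```python
"""Hot/cold wallet split: the Internet-facing host never holds a signing key.

Added example (not bitfloor's code, not Bitcoin's transaction format).  The
secp256k1 ECDSA below is a short textbook implementation for illustration only;
the key, address and policy limit are constructed for the example.
"""
import hashlib
import hmac
import json

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # addition
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def ecdsa_sign(priv, digest):
    z = int.from_bytes(digest, "big") % N
    # Deterministic nonce from key and digest (simplified; not full RFC 6979).
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % N
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; retry with a different nonce")
    return r, s


def ecdsa_verify(pub, digest, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(digest, "big") % N
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def tx_digest(tx):
    """Canonical serialisation so both hosts hash exactly the same bytes."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()).digest()


class ColdSigner:
    """Offline / no-public-IP box: holds the private key and a policy.  The
    only thing that ever leaves it is a signature over an approved record."""
    def __init__(self, priv, per_tx_limit):
        self.priv = priv
        self.per_tx_limit = per_tx_limit

    def allows(self, tx):
        return tx["amount_btc"] <= self.per_tx_limit

    def sign_withdrawal(self, tx):
        if not self.allows(tx):
            raise PermissionError("exceeds cold-signer policy limit")
        return ecdsa_sign(self.priv, tx_digest(tx))


class HotHost:
    """Web server: watch-only.  Knows the public key, builds the unsigned
    withdrawal, and can only broadcast what the cold side actually signed."""
    def __init__(self, pub):
        self.pub = pub
        self.broadcast = []

    def build_withdrawal(self, to_addr, amount_btc, nonce):
        return {"to": to_addr, "amount_btc": amount_btc, "nonce": nonce}

    def submit(self, tx, sig):
        if not ecdsa_verify(self.pub, tx_digest(tx), sig):
            return False
        self.broadcast.append((tx, sig))
        return True


# Constructed key material for the example (never derive a real key this way).
COLD_PRIV = int.from_bytes(hashlib.sha256(b"example cold key, constructed").digest(), "big") % N
COLD_PUB = _mul(COLD_PRIV, G)


def demo():
    hot = HotHost(COLD_PUB)
    cold = ColdSigner(COLD_PRIV, per_tx_limit=50)
    tx = hot.build_withdrawal("1ExampleAddrConstructedXXXXXXXXXXXX", 10, nonce=1)
    sig = cold.sign_withdrawal(tx)           # the one step that needs the key
    accepted = hot.submit(tx, sig)
    tampered = dict(tx, amount_btc=25000)     # what a hot-host compromise would try
    return accepted, hot.submit(tampered, sig)


if __name__ == "__main__":
    print(demo())
```

In a deployment the JSON record would be an unsigned raw transaction carried across the air gap by hand (removable media or QR), and the per-transaction limit on the cold side is what stops one approval from draining the cold balance; the hot wallet then only needs to hold the float for routine withdrawals, which bounds what an attacker with the web server gets.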
shtylman (Sr. Member, Activity: 243)
September 04, 2012, 05:40:14 PM  #23

It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.

Yes, I realize this is a very serious mistake.
SkRRJyTC (Hero Member, Activity: 770)
September 04, 2012, 05:40:59 PM  #24

Could you secure some investor funds to pay back losses to customers now, and payback the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.

Do you have enough funds to cover this loss yourself?

I am having trouble thinking of other options that would allow for trading to resume, without turning to a fractional model, that don't include acquiring new large sums of money.
EnergyVampire (Full Member, Activity: 210)
September 04, 2012, 05:41:13 PM  #25

I'm not sure why an unencrypted wallet would reside on an unencrypted disk but...

BitFloor should continue operations. Get rid of the Cloud though.

BitFloor will make up the lost coins in due time with regular operations.

1nject0r (Newbie, Activity: 28)
September 04, 2012, 05:41:32 PM  #26

Your server was not hacked. I did not see any defacing issue; only some accounts were compromised, but your server is not hacked. Those were not Russian hackers; they were hackers from some other country.

Buy premium script shopping item and much more via LR AND BITCOIN http://searchnow.pro Donate Us via Liberty reserve account U5110163 Or Bitcoin 1NecBPZ7mvJ37bJLFSpWf9pNezpcQQU6NU If u wanna donate Us via Western Union contact Us on lovecreatmafia@gmail.com
shtylman (Sr. Member, Activity: 243)
September 04, 2012, 05:42:27 PM  #27

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.
TangibleCryptography (Sr. Member, Activity: 476, Tangible Cryptography LLC)
September 04, 2012, 05:43:56 PM  #28

New withdrawals are currently on hold while I work through the future of the exchange.

That is unacceptable.  Regardless of the future of the exchange you have an obligation to disburse funds to the ACH account on record.  You previously handled requests by email.  USD funds by depositors are the property of the depositor and not an investment.  You have no legal standing to hold those funds pending "anything".
ThomasV (Hero Member, Activity: 1106)
September 04, 2012, 05:44:40 PM  #29

Minimal quality standard I expect from an exchange: https://bitcointalk.org/index.php?topic=83933.0

Electrum: the convenience of a web wallet, without the risks
jojo69 (Hero Member, Activity: 672)
September 04, 2012, 05:45:08 PM  #30

let the bank run begin

This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable.
Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
1nject0r (Newbie, Activity: 28)
September 04, 2012, 05:45:29 PM  #31

Check your SSL certificate next time. And I am thinking that you are using a VPS instead of shared hosting, right?

notme (Hero Member, Activity: 938)
September 04, 2012, 05:45:42 PM  #32

Could you secure some investor funds to pay back losses to customers now, and payback the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.

Perhaps a GLBSE offering could help make up the difference.  But first you need to develop and publish a better security model and have the community scrutinize it.

vampire (Hero Member, Activity: 574)
September 04, 2012, 05:47:48 PM  #33

Bitfloor lost about 25k BTC, or ~250k USD... It's somewhat hard to get these funds now. Even if it was sold, the valuation is less than 25k USD (2k * 12 months).

It's pretty much bankruptcy for bitfloor.
notme (Hero Member, Activity: 938)
September 04, 2012, 05:48:54 PM  #34

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

1nject0r (Newbie, Activity: 28)
September 04, 2012, 05:50:55 PM  #35

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

The hackers were using a VPN, not real IPs; those are proxies. We can trace the IP address which he listed here, then we can see whether it is a VPN and, if yes, what the ISP was.

DeathAndTaxes (Donator, Hero Member, Activity: 966)
September 04, 2012, 05:52:27 PM  #36

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

Gerald Davis  CEO, Tangible Cryptography Inc.
BitSimple. A simpler way to buy and sell bitcoins
greyhawk (Hero Member, Activity: 728)
September 04, 2012, 05:54:54 PM  #37

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

He's amusing. He's like what we would see if Phinn went into the "h4x0ring" business instead of fruitlessly doxing in all the wrong places.

Stop sending me Bitcoins! 1HNLqLrPEwMk8woA91qwX9sRkatRfQik2T
Click here to get hacked
1nject0r (Newbie, Activity: 28)
September 04, 2012, 05:55:40 PM  #38

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

Secure your website first, then bark in front of us, you fucking k1d. You really can't compare to us, so grow up and secure all Bitcoin sites, then bark here.

1nject0r (Newbie, Activity: 28)
September 04, 2012, 06:00:58 PM  #39

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.


fastcash4bitcoins.com lOl javascript 1njection lOL

Quote:
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>

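The page 1nject0r pasted above is ASP.NET's stock response to an unhandled exception when customErrors is RemoteOnly: the details stay on the server, but the message itself tells the operator how to set mode="Off", which would hand stack traces, physical paths and source lines to any remote client. As an added example, not code from the thread or from any site named in it, here is a small Python audit that parses a web.config, reports the effective customErrors mode (ASP.NET defaults to RemoteOnly when the element is absent), and rewrites a weak one. The two web.config samples are constructed for the example and mirror the two fragments shown in the error page.

```python
"""Audit and harden the <customErrors> setting of an ASP.NET web.config.

Added example (not code from the thread or from any site it mentions).
The sample configs are constructed; the first copies the mode="Off" fragment
the stock error page suggests, the second the RemoteOnly one.
"""
import xml.etree.ElementTree as ET

WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
"""

SAFER_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>
"""


def _child(parent, tag):
    """First direct child with the given tag (tags like system.web contain a dot,
    so iterate rather than rely on an XPath string)."""
    for node in parent:
        if node.tag == tag:
            return node
    return None


def _custom_errors_node(root):
    system_web = _child(root, "system.web")
    return None if system_web is None else _child(system_web, "customErrors")


def audit_custom_errors(web_config_xml):
    """Return the effective customErrors mode plus a list of findings."""
    root = ET.fromstring(web_config_xml)
    node = _custom_errors_node(root)
    explicit = node is not None
    # ASP.NET treats a missing element (or missing mode attribute) as RemoteOnly.
    mode = node.get("mode", "RemoteOnly") if explicit else "RemoteOnly"
    redirect = node.get("defaultRedirect") if explicit else None
    leaks_remotely = mode.lower() == "off"

    findings = []
    if leaks_remotely:
        findings.append("mode=Off: unhandled exceptions return the full ASP.NET error page "
                        "(stack trace, physical paths, source lines) to remote clients")
    if not explicit:
        findings.append("customErrors not declared; relying on the inherited RemoteOnly "
                        "default rather than pinning it in this web.config")
    if not leaks_remotely and redirect is None:
        findings.append("no defaultRedirect: remote clients still get the stock "
                        "'Runtime Error' page, which fingerprints the framework")
    return {
        "mode": mode,
        "explicit": explicit,
        "leaks_remotely": leaks_remotely,
        "default_redirect": redirect,
        "findings": findings,
    }


def harden_custom_errors(web_config_xml, redirect="~/error.htm"):
    """Rewrite the config so remote clients only ever see the redirect page.
    RemoteOnly keeps full details for a browser on the server itself, which is
    the debugging case the stock page describes, without exposing them remotely."""
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = _child(system_web, "customErrors")
    if node is None:
        node = ET.SubElement(system_web, "customErrors")
    node.set("mode", "RemoteOnly")
    node.set("defaultRedirect", redirect)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("safer", SAFER_WEB_CONFIG)):
        report = audit_custom_errors(cfg)
        print(name, report["mode"], report["findings"])
    print(harden_custom_errors(WEAK_WEB_CONFIG))
```

The check is worth running against every web.config in the deployment tree, not just the root one, since a child application can override the parent's setting; the rewrite deliberately chooses RemoteOnly rather than On so that the detailed page is still available to someone logged on to the box, which is what the stock error text already points at.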
notme (Hero Member, Activity: 938)
September 04, 2012, 06:01:25 PM  #40

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

The hackers were using a VPN, not real IPs; those are proxies. We can trace the IP address which he listed here, then we can see whether it is a VPN and, if yes, what the ISP was.

No shit, Sherlock, but that is irrelevant to my question.  He claims "this box was not public facing", then provides an IP that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?
