dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
|
|
September 04, 2012, 05:38:29 PM |
|
Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.
It sounds as if the attacker only got the hot wallet, but that unfortunately there was no cold wallet. It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
September 04, 2012, 05:39:40 PM |
|
Why was the majority of this not in a cold wallet?
This. Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet. Even tho only a small majority of the coins are ever in use at any time Yes. I realize this. I cannot undo it (believe me, I would if I could). Wow... just wow. I thought you were better than that. I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
|
|
|
|
shtylman (OP)
|
|
September 04, 2012, 05:40:14 PM |
|
It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.
Yes, I realize this is a very serious mistake.
|
|
|
|
SkRRJyTC
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
September 04, 2012, 05:40:59 PM |
|
Could you secure some investor funds to pay back losses to customers now, and payback the investor after your business picks back up?
This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about. Do you have enough funds to cover this loss yourself? I am having trouble thinking of other options that would allow for trading to resume, without turning to a fractional model, that dont include acquiring new large sums of money.
|
|
|
|
EnergyVampire
|
|
September 04, 2012, 05:41:13 PM |
|
I'm not sure why an unencrypted wallet would reside on an unencrypted disk but...
BitFloor should continue operations. Get rid of the Cloud though.
BitFloor will make up the lost coins in due time with regular operations.
|
|
|
|
1nject0r
Newbie
Offline
Activity: 28
Merit: 0
|
|
September 04, 2012, 05:41:32 PM |
|
your server were not hacked i didnot see any defacing issue some account were compromised only but your server are not hacked those were not a russian hacker's they were some other countries hacker
|
|
|
|
shtylman (OP)
|
|
September 04, 2012, 05:42:27 PM |
|
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing.
|
|
|
|
TangibleCryptography
|
|
September 04, 2012, 05:43:56 PM |
|
New withdrawals are currently on hold while I work through the future of the exchange.
That is unacceptable. Regardless of the future of the exchange you have an obligation to disburse funds to the ACH account on record. You previously handled requests by email. USD funds by depositors are the property of the depositor and not an investment. You have no legal standing to hold those funds pending "anything".
|
|
|
|
|
jojo69
Legendary
Offline
Activity: 3346
Merit: 4636
diamond-handed zealot
|
|
September 04, 2012, 05:45:08 PM |
|
let the bank run begin
|
This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable. Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
|
|
|
1nject0r
Newbie
Offline
Activity: 28
Merit: 0
|
|
September 04, 2012, 05:45:29 PM |
|
check your ssl certificate next time and i am thinking tht u are using vps instead of shared right ?
|
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
September 04, 2012, 05:45:42 PM |
|
Could you secure some investor funds to pay back losses to customers now, and payback the investor after your business picks back up?
This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about. Perhaps a GLBSE offering could help make up the difference. But first you need to develop and publish a better security model and have the community scrutinize it.
|
|
|
|
vampire
|
|
September 04, 2012, 05:47:48 PM |
|
Bitfloor lost about 25k BTC, or ~250k USD... It's somewhat hard to get these funds now. Even if it was sold, the evaluation is less than 25k USD (2k * 12 months).
Its pretty much bankruptcy for bitfloor.
|
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
September 04, 2012, 05:48:54 PM |
|
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing. So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access. But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not?
|
|
|
|
1nject0r
Newbie
Offline
Activity: 28
Merit: 0
|
|
September 04, 2012, 05:50:55 PM |
|
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing. So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access. But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not? hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
September 04, 2012, 05:52:27 PM |
|
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
|
|
|
|
greyhawk
|
|
September 04, 2012, 05:54:54 PM |
|
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
He's amusing. He's like what we would see if Phinn went into the "h4x0ring" business instead of fruitlessly doxing in all the wrong places.
|
|
|
|
1nject0r
Newbie
Offline
Activity: 28
Merit: 0
|
|
September 04, 2012, 05:55:40 PM |
|
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
Secure your website first then bark in front of us u fucking k1d u really cant compare us so grew up and secure all bitcoins site then bark here
|
|
|
|
1nject0r
Newbie
Offline
Activity: 28
Merit: 0
|
|
September 04, 2012, 06:00:58 PM |
|
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
fastcash4bitcoins.com lOl javascript 1njection lOL Runtime Error Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration> <system.web> <customErrors mode="Off"/> </system.web> </configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration> <system.web> <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/> </system.web> </configuration>[/B]
|
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
September 04, 2012, 06:01:25 PM |
|
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing. So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access. But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not? hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
|
|
|
|
|