Bitcoin Forum
Author Topic: bitfloor needs your help!  (Read 177457 times)
dooglus
Legendary
September 04, 2012, 05:38:29 PM
 #21

Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.

It sounds as if the attacker only got the hot wallet, but that unfortunately there was no cold wallet.

It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.

notme
Legendary
September 04, 2012, 05:39:40 PM
 #22

Why was the majority of this not in a cold wallet?

This. 

Based on the OP I assumed (incorrectly) that the attacker "only" got 100% of the hot wallet.

Quote
Even tho only a small majority of the coins are ever in use at any time


Yes. I realize this. I cannot undo it (believe me, I would if I could).

Wow... just wow.

I thought you were better than that.

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
shtylman (OP)
Sr. Member
September 04, 2012, 05:40:14 PM
 #23

It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.

Yes, I realize this is a very serious mistake.
SkRRJyTC
Legendary
September 04, 2012, 05:40:59 PM
 #24

Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.

Do you have enough funds to cover this loss yourself?

I am having trouble thinking of other options that would allow for trading to resume, without turning to a fractional model, that don't include acquiring new large sums of money.
EnergyVampire
Full Member
September 04, 2012, 05:41:13 PM
 #25

I'm not sure why an unencrypted wallet would reside on an unencrypted disk but...

BitFloor should continue operations. Get rid of the Cloud though.

BitFloor will make up the lost coins in due time with regular operations.

1nject0r
Newbie
September 04, 2012, 05:41:32 PM
 #26

Your server was not hacked; I did not see any defacing issue. Some accounts were compromised only, but your server was not hacked. Those were not Russian hackers; they were hackers from some other countries.
shtylman (OP)
Sr. Member
September 04, 2012, 05:42:27 PM
 #27

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.
TangibleCryptography
Sr. Member
September 04, 2012, 05:43:56 PM
 #28

New withdrawals are currently on hold while I work through the future of the exchange.

That is unacceptable.  Regardless of the future of the exchange you have an obligation to disburse funds to the ACH account on record.  You previously handled requests by email.  USD funds by depositors are the property of the depositor and not an investment.  You have no legal standing to hold those funds pending "anything".
ThomasV
Legendary
September 04, 2012, 05:44:40 PM
 #29

Minimal quality standard I expect from an exchange: https://bitcointalk.org/index.php?topic=83933.0

Electrum: the convenience of a web wallet, without the risks
jojo69
Legendary
September 04, 2012, 05:45:08 PM
 #30

let the bank run begin

This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable.
Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
1nject0r
Newbie
September 04, 2012, 05:45:29 PM
 #31

Check your SSL certificate next time, and I am thinking that you are using a VPS instead of shared, right?
notme
Legendary
September 04, 2012, 05:45:42 PM
 #32

Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.

Perhaps a GLBSE offering could help make up the difference.  But first you need to develop and publish a better security model and have the community scrutinize it.

vampire
Hero Member
September 04, 2012, 05:47:48 PM
 #33

Bitfloor lost about 25k BTC, or ~250k USD... It's somewhat hard to get these funds now. Even if it was sold, the evaluation is less than 25k USD (2k * 12 months).

It's pretty much bankruptcy for bitfloor.
notme
Legendary
September 04, 2012, 05:48:54 PM
 #34

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

1nject0r
Newbie
September 04, 2012, 05:50:55 PM
 #35

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

Hackers were using a VPN, not real ones; those are proxies, not the IP. We can track the IP address which he listed here, then we can see if this is a VPN; if yes, what was the ISP.
DeathAndTaxes
Donator
Legendary
September 04, 2012, 05:52:27 PM
 #36

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
greyhawk
Hero Member
September 04, 2012, 05:54:54 PM
 #37

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

He's amusing. He's like what we would see if Phinn went into the "h4x0ring" business instead of fruitlessly doxing in all the wrong places.  Grin
1nject0r
Newbie
September 04, 2012, 05:55:40 PM
 #38

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

Secure your website first, then bark in front of us, you fucking k1d. You really can't compare us Cheesy, so grow up and secure all bitcoin sites, then bark here.
1nject0r
Newbie
September 04, 2012, 06:00:58 PM
 #39

1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.


fastcash4bitcoins.com lOl javascript 1njection lOL

Quote
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>
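The error page quoted in the post above spells out how an operator can set ASP.NET's customErrors mode to "Off" so that exception details become visible to remote browsers. The Python script below is an added example, not code from the thread or from any site mentioned in it, that performs the opposite, defensive check: it reads a web.config and reports whether the effective mode would send exception details to remote clients, and whether a defaultRedirect replaces the stock "Runtime Error" page. The three sample configurations are constructed for the example; the fallback to RemoteOnly when the element is absent, and the case-insensitive handling of the mode value, are this script's assumptions rather than something the thread states.

```python
"""Audit the <customErrors> setting in an ASP.NET web.config.

Added example, not code from the thread.  The quoted error page tells an
operator how to set mode="Off" so that exception details are shown to
remote browsers; this script performs the opposite, defensive check and
flags a configuration that would leak those details.
"""
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real site).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="error.htm"/>
    </system.web>
</configuration>"""

ABSENT_CONFIG = """<?xml version="1.0"?>
<configuration>
    <system.web/>
</configuration>"""

# Accepted values of the mode attribute.  Case is normalised so that the
# audit does not miss an odd spelling (assumption: a false alarm is
# preferred over a miss; ASP.NET's own parsing may be stricter).
MODES = {"on": "On", "off": "Off", "remoteonly": "RemoteOnly"}


def _custom_errors_element(web_config_xml):
    """Return the first <customErrors> element, or None if there is none."""
    root = ET.fromstring(web_config_xml)
    return next(root.iter("customErrors"), None)


def custom_errors_mode(web_config_xml):
    """Effective mode: 'On', 'Off' or 'RemoteOnly'.

    When the element or attribute is missing, the framework default of
    RemoteOnly is assumed.
    """
    element = _custom_errors_element(web_config_xml)
    if element is None:
        return "RemoteOnly"
    raw = element.get("mode", "RemoteOnly")
    if raw.lower() not in MODES:
        raise ValueError(f"unrecognised customErrors mode: {raw!r}")
    return MODES[raw.lower()]


def audit_custom_errors(web_config_xml):
    """Describe what a remote client would see when the application errors."""
    element = _custom_errors_element(web_config_xml)
    mode = custom_errors_mode(web_config_xml)
    redirect = element.get("defaultRedirect") if element is not None else None
    findings = []
    if mode == "Off":
        findings.append(
            'HIGH: mode="Off" shows the exception message and stack trace '
            "to remote browsers"
        )
    elif redirect is None:
        findings.append(
            "LOW: no defaultRedirect, so remote clients get the stock "
            "ASP.NET 'Runtime Error' page, which identifies the platform"
        )
    return {
        "mode": mode,
        "default_redirect": redirect,
        "leaks_details_remotely": mode == "Off",
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("absent", ABSENT_CONFIG)]:
        report = audit_custom_errors(cfg)
        print(f"{name}: mode={report['mode']} "
              f"leaks={report['leaks_details_remotely']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it as a script to see the three reports, or call audit_custom_errors() on the contents of a real web.config; the only setting it treats as a leak is mode="Off", which is exactly the change the quoted error page invites the operator to make.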
notme
Legendary
September 04, 2012, 06:01:25 PM
 #40

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP

No shit, Sherlock, but that is irrelevant to my question.  He claims "this box was not public facing", then provides an IP that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?
