giszmo
February 27, 2014, 08:22:22 AM
Ok, so they got the server back online with a loopback device. Hooray. Unfortunately rebooting doesn't work again. As I really don't want to run some shady java app on my pc where I have bitcoins, especially when the shady java app comes from a shady bitcoin-aware hoster, I set up a virtual machine to use the management console. If, after logging in successfully, I try to do the most basic stuff, namely an "ls", it disconnects. I made up something even more basic: "# hi" which "works" but "ls" kills it again. And again. Fuck how do they have even one client?
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
joesmoe2012
February 27, 2014, 08:25:36 AM
Give digitalocean a try, I've been happy with them for a while now.
|
giszmo
February 27, 2014, 09:23:07 AM
> Give digitalocean a try, I've been happy with them for a while now.
I assume you are talking about this. Yeah, looks neat. Is the management console some java app or can I log in using a normal ssh in recovery mode? … doh. They don't accept bitcoin. Oh, they look really promising! Asked them to accept bitcoin. Thanx for the pointer.
|
giszmo
February 27, 2014, 05:48:48 PM
Thanks to joesmoe2012, I am a customer at digitalocean now. I asked them if they would take bitcoins and when they said they wouldn't and after I learned about how big they are, BITVPS got back to me after this most recent 15h down time. James sincerely apologized for the trouble this one machine has and offered to give me back my money and provide a new server for a full year free of charge. I honestly don't think they use this java console to steal my bitcoins but they could (if I wouldn't care to sandbox it) and that is not ok, so for now I appreciate the compensation but still can't suggest to the general public to give them a try.
|
grifferz
February 27, 2014, 09:19:38 PM
If you put an unencrypted bitcoin wallet on a VPS you are begging for an employee or exploit of the hosting company to fleece you. Learn from Linode.
|
rmines
February 27, 2014, 09:23:23 PM
This might be offtopic here, but what happened with Linode?
|
SlidingHorn
February 27, 2014, 09:29:10 PM
> This might be offtopic here, but what happened with Linode?
Nothing...they're around, alive & well. No plans to accept bitcoin, however.
|
rmines
February 27, 2014, 09:31:15 PM
Let me ask the question another way, what did grifferz mean with "learn from Linode."? Have they made a public statement against accepting bitcoin for their services?
|
grifferz
February 27, 2014, 09:32:56 PM
Their control panel was cracked allowing attacker to go through the list of customer servers, looking for ones that might have a bitcoin wallet on them, reboot them in single user mode, alter root password, boot them again, go in as root, find unencrypted wallets, send coins to selves.
http://arstechnica.com/business/2012/03/bitcoins-worth-228000-stolen-from-customers-of-hacked-webhost/
Do not put unencrypted wallets in places where other people can access them. It's trivial for a VPS provider to look at unencrypted block devices, which means it's trivial for anyone who hacks the VPS provider to do the same. Scanning for things that look like bitcoin wallets is a quick and effective way to find valuable things.
|
SlidingHorn
February 27, 2014, 10:31:48 PM
> Let me ask the question another way, what did grifferz mean with "learn from Linode."? Have they made a public statement against accepting bitcoin for their services?
lol sorry, had completely missed his comment.
> Their control panel was cracked allowing attacker to go through the list of customer servers, looking for ones that might have a bitcoin wallet on them, reboot them in single user mode, alter root password, boot them again, go in as root, find unencrypted wallets, send coins to selves.
> http://arstechnica.com/business/2012/03/bitcoins-worth-228000-stolen-from-customers-of-hacked-webhost/
> Do not put unencrypted wallets in places where other people can access them. It's trivial for a VPS provider to look at unencrypted block devices, which means it's trivial for anyone who hacks the VPS provider to do the same. Scanning for things that look like bitcoin wallets is a quick and effective way to find valuable things.
And thank you for clarifying
|
giszmo
February 27, 2014, 10:44:26 PM
> If you put an unencrypted bitcoin wallet on a VPS you are begging for an employee or exploit of the hosting company to fleece you. Learn from Linode.
I'm not worried about my unencrypted wallets on their server. I'm worried about my encrypted wallets on my client. With this Java applet to access the management console they have read access to the file system the browser runs on and that is why I made sure to let that be a virtual machine. (I'm not sure how security models changed but like 15 years ago I made a java applet and was *shocked* that all it took was a self-signed applet to access the full disk of whoever used my applet. Flash asks for permissions. Java apparently not. How can that be?)
|
joesmoe2012
March 10, 2014, 05:48:31 AM
>> If you put an unencrypted bitcoin wallet on a VPS you are begging for an employee or exploit of the hosting company to fleece you. Learn from Linode.
> I'm not worried about my unencrypted wallets on their server. I'm worried about my encrypted wallets on my client. With this Java applet to access the management console they have read access to the file system the browser runs on and that is why I made sure to let that be a virtual machine. (I'm not sure how security models changed but like 15 years ago I made a java applet and was *shocked* that all it took was a self-signed applet to access the full disk of whoever used my applet. Flash asks for permissions. Java apparently not. How can that be?)
I don't use their java ssh console to access my machine. With DO here's the steps I take:
1) login to their website (with ssl of course)
2) create virtual machine
3) Password and IP is emailed to me, I then login with SSH
4) update your OS, enable firewall, change ssh port, disable password logins, and then do whatever it is you need to do.
As others mention, any VPS or shared hosting environment is no good from a security standpoint. I just use OSX's built-in terminal to ssh to my VPS's though, I don't -ever- use their java ssh console.
|
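Step 4 of the post above includes "disable password logins"; the following is an added example, not part of the original thread, that checks an sshd_config for that setting. The function names and the sample config are constructed for illustration, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "disable password logins" step.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a missing keyword falls back to a built-in default.
# Not handled: Include files and Match blocks. On a live host, `sshd -T`
# prints the effective configuration.

# effective_opt FILE "NAME[|ALIAS]" DEFAULT -> effective global value, lowercased
effective_opt() {
    awk -v want="|$(printf '%s' "$2" | tr 'A-Z' 'a-z')|" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)     # accept the Keyword=value form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit            # global section ends here
            if (n >= 2 && index(want, "|" key "|")) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints findings, returns their count (0 = clean)
audit_sshd() {
    n=0
    [ "$(effective_opt "$1" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication is not 'no'"; n=$((n + 1)); }
    [ "$(effective_opt "$1" 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)" = no ] ||
        { echo "keyboard-interactive (PAM password prompt) is not 'no'"; n=$((n + 1)); }
    [ "$(effective_opt "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is off: no key login left"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the later "no" does not override the earlier "yes".
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
        'PasswordAuthentication no' 'ChallengeResponseAuthentication no' > "$tmp"
    audit_sshd "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo || true
```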
giszmo
March 11, 2014, 08:30:13 AM
>>> If you put an unencrypted bitcoin wallet on a VPS you are begging for an employee or exploit of the hosting company to fleece you. Learn from Linode.
>> I'm not worried about my unencrypted wallets on their server. I'm worried about my encrypted wallets on my client. With this Java applet to access the management console they have read access to the file system the browser runs on and that is why I made sure to let that be a virtual machine. (I'm not sure how security models changed but like 15 years ago I made a java applet and was *shocked* that all it took was a self-signed applet to access the full disk of whoever used my applet. Flash asks for permissions. Java apparently not. How can that be?)
> I don't use their java ssh console to access my machine. With DO here's the steps I take:
> 1) login to their website (with ssl of course)
> 2) create virtual machine
> 3) Password and IP is emailed to me, I then login with SSH
> 4) update your OS, enable firewall, change ssh port, disable password logins, and then do whatever it is you need to do.
> As others mention, any VPS or shared hosting environment is no good from a security standpoint. I just use OSX's built-in terminal to ssh to my VPS's though, I don't -ever- use their java ssh console.
This only works as long as the machine boots and starts sshd but what if not? This "what if not" happened 4 times in the first week I was with them. On my other servers I go to the web console and click on recovery boot and can ssh into the recovery console but with them this is only possible with a java applet.
|
moriartybitcoin
November 26, 2014, 11:10:30 PM
BitVPS is the WORST HOSTING COMPANY ON THE PLANET.
Downtime, lack of response, piss-poor connectivity.
Their servers go down randomly and they could care less.
|
vm1990
November 27, 2014, 01:32:36 PM
> BitVPS is the WORST HOSTING COMPANY ON THE PLANET.
> Downtime, lack of response, piss-poor connectivity.
> Their servers go down randomly and they could care less.
that's why people should pick me