[0Th]Ozcoin Pooled Mining |DGM 1%|Stratum+VarDiff port 80|NEW CN mining|

[LazyOtto]

is it possible to push through a much higher fee transaction and get it accepted before one of the fraudulent ones, thereby invalidating the whole chain?

As far as the bitcoin network is concerned, they are not fraudulent.

That is the nature of BTCs. Once they are sent, they are sent.

Any mechanic which could 'pull back' the BTC sent as a result of this successful attack would be a demonstration that the bitcoin concept itself is fatally flawed. Resulting in a collapse in value of bitcoin itself.

--

My condolences, Graet.


-- edit - changed "hack" to "successful attack"

[1713493383]

1713493383

[1713493383]

1713493383

[1713493383]

1713493383

[1713493383]

1713493383

[Mikej0h]

Oh geez, I was already wondering why I got the mail "ozco.in Automatic Payout Notification", but didn't receive the payment and didn't see it on the blockchain.

I'm on the list for "-8.75307302".

I'm really feel bad for Graet, and I could very well understand this would make him sick .
He tries to do his best, and then all this sh*t is happening.

I'm with you Graet, i'm with you; I keep supporting you and your pool (even though what you now going through).

[Nicolai]

I don't know how bitcoind's default behavior is, but can't you try to re-spend all the 0-confirms (and add a fee to the new transaction)?
If the hacked transactions has a very low priority (or isn't added the the mempool), because they don't have a fee (why would the hacker not even pay a fking fee?), then you might be able to "steal" some of them back

EDIT: When I wrote this, less than 50 BTC was confirmed. Now all of them is confirmed, so it is too late.

[JackPatrick]

Oh shi*, we're fucked.
BTCGuild takes over, all Pools are being DDOSed, MTRed closes door, ozco hacked to steal payouts.
The System itself has gotten attention of too much people, now some try to get our money out, then destroy it.

And the loss of ~1600BTC, jesus, Graet deserves a gold medal for taking this as a lesson and continue working.
Most would have killed someone responsible for this.

Why 1600 BTC? Great reported about 934 BTC theft.

[Welvis]

Oh shi*, we're fucked.
BTCGuild takes over, all Pools are being DDOSed, MTRed closes door, ozco hacked to steal payouts.
The System itself has gotten attention of too much people, now some try to get our money out, then destroy it.

And the loss of ~1600BTC, jesus, Graet deserves a gold medal for taking this as a lesson and continue working.
Most would have killed someone responsible for this.

Why 1600 BTC? Great reported about 934 BTC theft.

He is talking about the theft plus the previous loss of 700 odd BTC from PPS issues that Graet also funded out of his pocket.

[DrG]

Wow, just wow.  I think this is a new first.  It's one thing to keep money that a pool mistakenly sent you.  It's another to steal 1kBTC from miners!   

[refer_2_me]

We have isolated the method used to change the code on our side.
All payout/bitcoind control access has been removed from the public facing systems and is now operating on a private internal network with SQL.

We have implemented a pre-check system that will run prior to all payouts to stop this last incident from happening.

As mentioned before I take full responsibility for what has happened, and will be covering it personally.
I have already funded the loss again, and for what I hope to be a very short period, payouts have been throttled as an extra precaution.

Some people have shared concerns about other sites I work with. I can assure everyone that Ozcoin is separately coded and managed.
While this was indeed a great and frustrating loss, it's not a first for pools and thankfully by far one of the smallest still.

As always, I will keep everyone informed as updates become available.
Best wishes
Graet

I hope you are taking proper SQL injection precautions. I'm really sorry that this happened to you and I will be delaying any payments indefinitely, I don't need them right now, but it seems that you do. And I really have to thank you for being honorable in the face of such challenges. It restores my faith in humanity.

[rupy]

This is interesting: I just realized, the theif can't spend this money for ANYTHING at ANY point in time!

That address will be tracked by a hundred people for all future, I'm writing a system for this NOW.

Basically, he has BTC but as soon as he spends them, he will get caught!

Edit: Can someone point me to threads about this fact OR prove me wrong!

YOU CANNOT STEAL BITCOINS!

[organofcorti]

This is interesting: I just realized, the theif can't spend this money for ANYTHING at ANY point in time!

That address will be tracked by a hundred people for all future, I'm writing a system for this NOW.

Basically, he has BTC but as soon as he spends them, he will get caught!

Edit: Can someone point me to threads about this fact OR prove me wrong!

YOU CANNOT STEAL BITCOINS!

He send the coins to gox, trades them for USD and buys other coins back. Or uses a coin mixing service. Or trades them for virgin coin. Or spends them with someone who doesn't care that they're dealing with a dick.

[DrG]

This is interesting: I just realized, the theif can't spend this money for ANYTHING at ANY point in time!

That address will be tracked by a hundred people for all future, I'm writing a system for this NOW.

Basically, he has BTC but as soon as he spends them, he will get caught!

Edit: Can someone point me to threads about this fact OR prove me wrong!

YOU CANNOT STEAL BITCOINS!

Rupy come on, you've been here since 2011 and you don't know about PPS or how stolen coins can't be tracked? All the thief has to do is collect the coins, use a mixing service or even an exchange and they'll never be tracked again.

I wonder if the developers are making any headway into blacklisting addresses or would that defeat the anonymity of BTC?

[zhunifa]

I did not receive your payment , and payment records on the web has been paid . Please give me a reasonable explanation .sir

[os2sam]

This is interesting: I just realized, the theif can't spend this money for ANYTHING at ANY point in time!

That address will be tracked by a hundred people for all future, I'm writing a system for this NOW.

Basically, he has BTC but as soon as he spends them, he will get caught!

Edit: Can someone point me to threads about this fact OR prove me wrong!

YOU CANNOT STEAL BITCOINS!

Rupy come on, you've been here since 2011 and you don't know about PPS or how stolen coins can't be tracked? All the thief has to do is collect the coins, use a mixing service or even an exchange and they'll never be tracked again.

I wonder if the developers are making any headway into blacklisting addresses or would that defeat the anonymity of BTC?

Or you could drop the wallet.dat into an online wallet service.

What good will blacklisting addresses do?  Anyone can create as many addresses as they want?

[os2sam]

I did not receive your payment , and payment records on the web has been paid . Please give me a reasonable explanation .sir

Read the previous chain of post's here!!!!!

Starting with this one

https://bitcointalk.org/index.php?topic=14085.msg1883478#msg1883478

[kano]

This is interesting: I just realized, the theif can't spend this money for ANYTHING at ANY point in time!

That address will be tracked by a hundred people for all future, I'm writing a system for this NOW.

Basically, he has BTC but as soon as he spends them, he will get caught!

Edit: Can someone point me to threads about this fact OR prove me wrong!

YOU CANNOT STEAL BITCOINS!

Rupy come on, you've been here since 2011 and you don't know about PPS or how stolen coins can't be tracked? All the thief has to do is collect the coins, use a mixing service or even an exchange and they'll never be tracked again.

I wonder if the developers are making any headway into blacklisting addresses or would that defeat the anonymity of BTC?

As per discussions that have been around (and I've been part of some) black listing addresses is not an option.
The problem is simply that someone is then given the power to decide what addresses are black listed.
Who should be given power to control BTC? No one.
It's even worse when you consider what it means for the average person.
If I have 10BTC stolen can I then go to this 'power' and ask them to blacklist the target address?
Of course not - since we then have the issue of who is right and who is wrong - that again someone will be given the power to decide.
So basically it becomes a power to be used either for those with a lot of BTC and well known, or those who are also considered 'powerful' in the BTC world.
It's called give central control of BTC to a few people - which is of course a very bad thing.

[amigaman]

@rupy:
That would definitely kill the anonymity aspect.
Who are you to blacklist any address?
Law enforcement? No.
Bitcoin Administration? Also, no.

So this feature can't be added, because it would let them asses in, blacklisting any publicly available adress from forum posts, "donate here please" and whatever.
Would be a nice feature, but the only responsible person to blacklist any adress is the owner of it, and the only use to blacklist is when the wallet.dat gets lost/stolen, as to prevent someone spend the moniez.
But then you do not have any information to prove you're the responsible person.

And also, you can't track where these btc's go. That's the way the system is defined. You may be able to see the target adress, but that's an anon value also, so no Name/whatever behind it, at least as long the receiving person doesn't decide to reveal its adress in a googleable way.

Only possible option would be to enforce a new version of any btc related software that allows pool operators to blacklist such transactions/adresses and basically not process them, either as target or source of any transaction.
But there is the devil of "law enforcement person".
Do you trust any and all pool operators to not blacklist some adresses just because "they're fuckers let's kill them"?
I personally don't. Graet and some others are maybe "angels" ("faith in humanity restored" and the like), but i bet there are some bad dudes out there...
And you'll only need one to kill the whole system.

[rupy]

I'm going to explain this like you where 5 years old:

I, my son, his children, will _personally_ track 16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd for all eternity, no matter how many addresses the value is being sent to.

The value originating in 16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd is for all future marked in our collective consciousness as stolen money.

Nothing else matters, I could create a service where you can store stolen addresses, but that is COMPLETELY IRRELEVANT.

NO ONE will EVER take money from 16cDeEFn6sraUEJrDCt2Yg3r7j2oazSYEd, period.

Case closed.

[Marrs]

He send the coins to gox, trades them for USD and buys other coins back. Or uses a coin mixing service. Or trades them for virgin coin. Or spends them with someone who doesn't care that they're dealing with a dick.

Pecunia non olet.

[rupy]

Do you really think Mt.Gox would hide the new address, if they know (which they do) that the old contained stolen coins?

AFAIK there is NO WAY to "mix" your coins. It's all in the blockchain.

[organofcorti]

Do you really think Mt.Gox would hide the new address?

Can you force them to? And don't forget coin mixers and escrow agents.

[organofcorti]

He send the coins to gox, trades them for USD and buys other coins back. Or uses a coin mixing service. Or trades them for virgin coin. Or spends them with someone who doesn't care that they're dealing with a dick.

Pecunia non olet.

Unless it's fiat currency and you're out of toilet paper.