Bitcoin Forum
November 17, 2017, 05:55:11 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 »  All
  Print  
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 84249 times)
hous
Member
**
Offline Offline

Activity: 93


View Profile
April 01, 2013, 10:39:31 PM
 #101

yea i got 30 coin in instawallet  Sad
1510941311
Hero Member
*
Offline Offline

Posts: 1510941311

View Profile Personal Message (Offline)

Ignore
1510941311
Reply with quote  #2

1510941311
Report to moderator
1510941311
Hero Member
*
Offline Offline

Posts: 1510941311

View Profile Personal Message (Offline)

Ignore
1510941311
Reply with quote  #2

1510941311
Report to moderator
A blockchain platform for effective freelancing
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1510941311
Hero Member
*
Offline Offline

Posts: 1510941311

View Profile Personal Message (Offline)

Ignore
1510941311
Reply with quote  #2

1510941311
Report to moderator
foo
Sr. Member
****
Offline Offline

Activity: 409



View Profile
April 01, 2013, 10:51:56 PM
 #102

The last few posts made no sense to me at all. Smiley

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address.  Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the bit transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  Smiley

Confirmed! Eligius picked up the $20.

I know this because Tyler knows this.
Injust
Legendary
*
Offline Offline

Activity: 1008



View Profile
April 01, 2013, 10:53:17 PM
 #103

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.
steelboy
Hero Member
*****
Offline Offline

Activity: 784



View Profile
April 01, 2013, 10:55:11 PM
 #104

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?
steelboy
Hero Member
*****
Offline Offline

Activity: 784



View Profile
April 01, 2013, 10:56:42 PM
 #105

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  belongs to Instawallet/Bitcoin-Central then good.


Do you believe it?
Injust
Legendary
*
Offline Offline

Activity: 1008



View Profile
April 01, 2013, 10:59:32 PM
 #106

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  belongs to Instawallet/Bitcoin-Central then good.


Do you believe it?

Impossible to know for sure, but I believe it's legit, albeit with a bit of doubt.
Nicolai
Jr. Member
*
Offline Offline

Activity: 39


hey


View Profile
April 02, 2013, 12:05:11 AM
 #107

BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this work (which it does with enough tries), then it would be hotmail.com's fault? This is what your saying right now Roll Eyes

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leaks their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but it the end it's the users fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Injust
Legendary
*
Offline Offline

Activity: 1008



View Profile
April 02, 2013, 12:16:38 AM
 #108

BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this work (which it does with enough tries), then it would be hotmail.com's fault? This is what your saying right now Roll Eyes

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leaks their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but it the end it's the users fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have a chainsaw. Your argument is valid.
But anyway, your analogy is VERY bad. VERY.
It's Instawallet's flaw because they allowed Google bots to index their wallet URLs. Nobody pasted a database dump of Instawallet URLs anywhere.
the founder
Sr. Member
****
Offline Offline

Activity: 448


Bitcoin


View Profile WWW
April 02, 2013, 12:21:58 AM
 #109

BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this work (which it does with enough tries), then it would be hotmail.com's fault? This is what your saying right now Roll Eyes

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leaks their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but it the end it's the users fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have no idea how to say this.

Last week,  if you googled  site:instawallet.org
You would be greeted with at least 3000 wallets,  many of them with bitcoins which you can click on that link and transfer those coins out.

If you googled site:hotmail.com
I would not be greeted with your inbox and read all your e-mails.

This not anywhere near the same issue, what they had was a SECURITY FLAW.

partially it was Google's fault, they (google) lie to people saying that a robots.txt ban means google doesn't index your site.

In reality it means they would not SPIDER the urls,  it doesn't mean they won't list them.

Big difference, the hedge against that instawallet failed to address, hence why it became a security flaw.

but let's put all this aside,  want to know the diffrence between a "flaw" and a "security flaw"

Nicolai,  would you put all your bitcoins on Instawallet?   Your answer should let you know the difference between a flaw and a security flaw.









Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
the founder
Sr. Member
****
Offline Offline

Activity: 448


Bitcoin


View Profile WWW
April 02, 2013, 12:34:32 AM
 #110

If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.

Vladimir,  I do blame Google to an extent,  it appears that many people here believe (and understandably) that Google won't index anything banned in the robots.txt file.  This is not the case.  They can and DO index anything they believe exists,  even if they technically can't spider it.     But hey.. if Chrome Browser can hit that url,  or someone sent that link via GMAIL,  or someone sent it give Google Talk or texted it via Google Voice.. etc etc...... it must be real ... so even without spidering it they know it exists.

Out of all the companies on earth, that one scares me the most...  I've been working with search engines since 1994,  and Google since 1999 ...  trust me..  this company scares me.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
Nicolai
Jr. Member
*
Offline Offline

Activity: 39


hey


View Profile
April 02, 2013, 12:42:34 AM
 #111

Vladimir: +1.

And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's.

Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? Shocked
Injust
Legendary
*
Offline Offline

Activity: 1008



View Profile
April 02, 2013, 12:51:39 AM
 #112

Vladimir: +1.

And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's.

Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? Shocked

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.
TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616


Firstbits.com/1fg4i :)


View Profile
April 02, 2013, 12:56:14 AM
 #113

Vladimir: +1.

And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's.

Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? Shocked

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.
It is my understanding the site wasn't crawled, Google simply recorded the URLs people typed/pasted on the URL bar of their browser or in one of their many services and programs.

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
herzmeister
Legendary
*
Offline Offline

Activity: 1764



View Profile WWW
April 02, 2013, 01:08:44 AM
 #114

I've always felt this instawallet model is a bad idea, since the beginning... it just felt much too "instant" for me.

https://localbitcoins.com/?ch=80k | BTC: 1LJvmd1iLi199eY7EVKtNQRW3LqZi8ZmmB
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
April 02, 2013, 02:16:32 AM
 #115

If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616


Firstbits.com/1fg4i :)


View Profile
April 02, 2013, 02:19:30 AM
 #116

If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
If i'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
dree12
Legendary
*
Offline Offline

Activity: 1246



View Profile
April 02, 2013, 03:05:02 AM
 #117

If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
If i'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.
the founder
Sr. Member
****
Offline Offline

Activity: 448


Bitcoin


View Profile WWW
April 02, 2013, 03:13:48 AM
 #118

My day job,  I'm president of Yooter InterActive.
I've been working with search engines for a long time..  

Let me tell you some tibits of what I have discovered over the years regarding Google.

1 - Their mission is to obtain information, and resell that in the form of advertising.   Period.  
2 - They used to collect it back the very late 1990's and early 2000's virtually all though spidering.
3 - Then out of no where they started spending money on stuff like gmail, google maps, google chrome, android, google voice, google chat, google x, y ,z etc...
4 - these products exist for the sole purpose of collecting information..  that spider collects only a fraction of their info now.  every search you make is recorded, every url you visit is recorded if you use their product,  every time you use google maps and your start location is residental and that happens more than 2 or 3 times they now know where you live.
5 - you send a link to your friend from gmail or to a gmail address, they now know that link exists,  if your friend clicks on that link.. now google knows that url exists.. even if that site is banned in the robots.txt file

This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.

That's google...  

If they wanted to find the urls of instawallet.. nothing on earth could stop them.   That being stated,  the fact that instawallet didn't ban Google from listing all urls in Webmaster tools (instead relying on just a robots.txt file)  is their (instawallets) fault.

For the record,  if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping...  google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research,  the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail.  

I wish I could get a million people to read this exact post...  because I don't think people fully comprehend what they are dealing with when they mention the company google.










 

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
coinuser4000
Member
**
Offline Offline

Activity: 94



View Profile
April 02, 2013, 03:20:15 AM
 #119


I've been saying this for years, Google is the Devil.

Google wants to know everything about everybody, so they can sell you stuff.
tvbcof
Legendary
*
Offline Offline

Activity: 2324


View Profile
April 02, 2013, 03:40:53 AM
 #120

...
This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.
...

Most Bitcoiners are begging and screaming for Bitcoin to scale to a magnitude where only organizations with a very large network footprint and sophisticated processing clusters will be able to run the system reliably and competitively.  Whether they realize that is the likely end result of their cries or not...

The upside is that the business (and other) intelligence value of carrying so much of the capacity of an economic system will likely make it such that transaction fees are unnecessary.  Just like a lot of other niceties that just seem to fall into our laps from the sky gods.


Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!