Bitcoin Forum
November 18, 2024, 05:24:47 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 [2]  All
  Print  
Author Topic: Inputs.io Security  (Read 2635 times)
killerstorm
Legendary
*
Offline Offline

Activity: 1022
Merit: 1033



View Profile
November 07, 2013, 11:21:44 PM
 #21

Designing your system to fail gracefully without financial consequences is far more important than designing it not to fail or get compromised.

OK, so if I read this correctly:

Quote
It is almost six months ago that Bitcoin Central, the main Bitcoin exchange in France, shut down after losing tens of thousands of dollars to an online attack. The attacker managed to get in by breaking into the exchange’s virtual private server, allowing them to access its online “hot wallet” and withdraw all of the funds. ... But now, after nearly five and a half months of downtime, Bitcoin Central is back online.

your utter incompetence cost company the content of hot wallet + 6 months of downtime.

And now you feel like you're in position to lecture anybody on security....

Dunning–Kruger at it's finest.


Chromia: a better dapp platform
tvbcof
Legendary
*
Offline Offline

Activity: 4760
Merit: 1282


View Profile
November 07, 2013, 11:24:59 PM
 #22

This reminds me, have you published a debriefing about the technical details of your problems davout?  If so, can you point to it?

I have a comprehensive forensic audit report sitting in one of my drawers, made by a decent IT security firm.
There's no perceived interest on my side to share it with bitcointalk though.

Believe it or not I actually want the Instawallet hassles to be an understandable failure against a significant attack

Nobody cares about what you want.
It is however in our plans to publish some procedures at some point, maybe some security-related code too.


Ya, Bitcointalk.org does not seem like an appropriate place for such a thing.  A well constructed outline on your web site(s) somewhere makes more sense.  I'd suggest 'About Us', and under a sub-section along the lines of 'Why we are not as big a jack-offs as old timers remember.'

But anyway, do as you wish.  It's your business to run as you please.  I guess you needed to upgrade from your 'military grade' computers to something even more secure for your current operations?


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
November 07, 2013, 11:41:35 PM
 #23

OK, so if I read this correctly:

Whether you read it correctly is irrelevant since it is factually incorrect.


I'd suggest

I have, as usual, no particular interest in your suggestions.

tvbcof
Legendary
*
Offline Offline

Activity: 4760
Merit: 1282


View Profile
November 07, 2013, 11:44:05 PM
 #24

I'd suggest

I have, as usual, no particular interest in your suggestions.

Enough to respond, apparently.  I'm honored.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
mccoyspace
Full Member
***
Offline Offline

Activity: 237
Merit: 101


View Profile WWW
November 08, 2013, 01:10:54 AM
 #25

Maybe TradeFortress will be back making similar posts in 6 months.
InwardContour
Sr. Member
****
Offline Offline

Activity: 644
Merit: 260


View Profile
November 08, 2013, 01:16:26 AM
 #26

Maybe TradeFortress will be back making similar posts in 6 months.
he'll be running another lucrative long con within a year. i have completely lost faith in this community's resolve to root out scammers.
moderate
Member
**
Offline Offline

Activity: 98
Merit: 10

nearly dead


View Profile
November 08, 2013, 05:06:09 AM
 #27

Passwords are never communicated through cleartext in any circumstance. Your browser automatically hashes your password.
So the hash becomes the password, right?
If the hash is intercepted can it not be used to authorize bogus requests?
I mean if the server never sees the password in clear it can't check it in any way, if it checks the hash, and the hash is intercepted it can be used to forge requests.

We use bcrypt with a user unique salt.
Thumbs up. Isn't the salting already built right into bcrypt though?

We have decoy accounts which are populated by "real" user data from our other databases. The hot pocket server automatically dumps all coins to cold storage if it sees a payment request from a decoy account. We have methods that makes it very hard for an attacker to determine if an account is decoy or not, even with root access to the linode machine and listening to traffic.
If I was you I wouldn't underestimate the ability for an attacker to tell a decoy apart from a legitimate account given enough time, access to your traffic, access to blockchain data and access to basic taint-analysis tools of wallet fundings. But since I don't really know anything about your specifics I won't comment further.

The approach we'll outline is more systematic and doesn't use tricks such as decoys, honeypots and other traps, I think you'll like it when you read about it.

Now that we know all TF said was bullshit, can you be honest about your approach ? Did you write about it somewhere ?
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
November 08, 2013, 09:18:08 AM
 #28

I'm honored.

It doesn't take much


Did you write about it somewhere ?

Here and there, no comprehensive how-we-roll kind of post yet though.
When it's published, some of the internally developed tools will be open-sourced too, talking is easy, actually implementing stuff is something else entirely

tvbcof
Legendary
*
Offline Offline

Activity: 4760
Merit: 1282


View Profile
November 08, 2013, 09:49:00 AM
 #29


Lol!  Evidently not Smiley


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
Damnsammit
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250



View Profile
November 08, 2013, 02:55:36 PM
 #30

Maybe TradeFortress will be back making similar posts in 6 months.
he'll be running another lucrative long con within a year. i have completely lost faith in this community's resolve to root out scammers.

Bitcoin is perfect for criminals.  I really thought this community would have more umm... enforcers.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!