Bitcoin Forum
Author Topic: [ANN][BETA][EXCHANGE][REALTIME] CoinEX realtime exchange  (Read 283615 times)
ccx
Newbie
March 19, 2014, 03:30:00 AM
 #1481

withdrew my last ltc 3 days ago,

had the same luck with freshmarket.co.in, withdrew all my coins before they got hacked,
ByronP
Hero Member
March 19, 2014, 03:30:37 AM
 #1482

TheSecObserver you make all very good points.

I agree no system is 100% hack proof! I think the point being made is that I have gone above and beyond everyone out there to ensure the system is secure including daily automated and manual testing provided by 3rd parties. Only access to the private internal network is through a multitude of protection layers and at most someone may be able to reach the frontend servers which will net them nothing other than being able to deface the site (which would be tough since there is a bunch of front end servers and you never know which one you are on or will be switched to). There is no administrative interface to hack, xss, sql inject, or other exploits.

A tiered system is nothing new however many of these exchanges that pop up seem to forget to take a security first standpoint where their tiers are accessible via the internet. In the AT (current version Mjolnir) system only the front end servers can and will respond to the internet and only to certain other protection devices including a system of traffic managers, reverse proxies, and Cloudflare servers. All of which will reject a connection if a threat is detected, ssl cert is wrong, the ip address is not whitelisted at the transport layer, etc.

And again hashing and salting secure information is nothing new yet a ton of places simply don't do it. What’s more is that in our system usernames are meaningless. They are for display purposes only and the internal network uses a totally different system to identify accounts. This is another security measure that ensures if the frontend servers somehow get hacked they do not have access to make any account changes since they are dummy machines that do not know the actual account id information required to do this nor is this information on any user's browser (no I will not disclose the magic on how exactly that works sorry).

But what if someone hacks the frontends and then they can talk to the other machines... Nope the other tiers will not talk to other machines without a special security key pair being handed over with every request. In order for someone to get this key they would have to have a lot of time to decompile code and decrypt the keys which would probably take years which is useless since the keys are changed regularly.

Add to all that the fact that the system monitors itself for any unusual activity. This is why I call the system the overprotective mother since it shuts down withdrawals when it sees even the slightest anomaly. Thus protecting the system from many types of threats on its own.

Anyway this is getting long winded but I hope it gives you (and everyone) a better understanding of how thinking in a security first mindset is the key to creating not only a secure but reliable site.

PS. Not that it is a matter of site security but one of user trust, it was pointed out to me today that Atomic Trade is the only site that has gone through the hassle of obtaining an ev business ssl cert. Which as you probably know requires us to establish trust by having our lawyers complete a verification of both myself and the business.

Any more questions please feel free to email me at info@atomic-trade.com

PPS. I am simply responding to answer questions asked and am in no way downplaying the seriousness of this thread. Many people have lost because of poor systems lately and I simply want people to know what to look for when trading. Be safe everyone and good luck.

ccx
Newbie
March 19, 2014, 03:37:31 AM
 #1483

if you add some coins i am willing to trade on your exchange cause i really don't like cryptorush, they are so unprofessional I'm wondering that they are still around, but that's only my personal opinion
nyktalgia
Sr. Member
March 19, 2014, 03:40:01 AM
 #1484

Sh*t..all my 30mil CTM gone?


LOL 30 mil CTM is chump change... you kids are funny

r3wt
Hero Member
*****
Offline Offline

Activity: 686
Merit: 504


always the student, never the master.


View Profile
March 19, 2014, 03:44:34 AM
 #1485

And again hashing and salting secure information is nothing new yet a ton of places simply don't do it.

i was with you until you dropped this gem. where on earth are they not salting and hashing passwords. inquiring minds would like to know.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
ByronP
Hero Member
March 19, 2014, 03:47:58 AM
 #1486

And again hashing and salting secure information is nothing new yet a ton of places simply don't do it.

i was with you until you dropped this gem. where on earth are they not salting and hashing passwords. inquiring minds would like to know.


U know I won't publicly disclose any security flaws in anyone's system, so knock it off :-)
r3wt
Hero Member
March 19, 2014, 03:49:47 AM
 #1487

And again hashing and salting secure information is nothing new yet a ton of places simply don't do it.

i was with you until you dropped this gem. where on earth are they not salting and hashing passwords. inquiring minds would like to know.


U know I won't publicly disclose any security flaws in anyone's system, so knock it off :-)

just admit you misspoke. people love honesty.

ByronP
Hero Member
March 19, 2014, 03:52:58 AM
 #1488

And again hashing and salting secure information is nothing new yet a ton of places simply don't do it.

i was with you until you dropped this gem. where on earth are they not salting and hashing passwords. inquiring minds would like to know.


U know I won't publicly disclose any security flaws in anyone's system, so knock it off :-)

just admit you misspoke. people love honesty.

If I had I would be more than happy to say so... Now please let's just help these people who have lost what may seem like nothing to us but may be the world to them!!!
r3wt
Hero Member
March 19, 2014, 03:54:15 AM
 #1489

And again hashing and salting secure information is nothing new yet a ton of places simply don't do it.

i was with you until you dropped this gem. where on earth are they not salting and hashing passwords. inquiring minds would like to know.


U know I won't publicly disclose any security flaws in anyone's system, so knock it off :-)

just admit you misspoke. people love honesty.

If I had I would be more than happy to say so... Now please let's just help these people who have lost what may seem like nothing to us but may be the world to them!!!

my exchange lost 34 btc. no one feels worse for captainfuture and erundook, and their customers than i do. it's a shitty position to be in.

hozer
Sr. Member
March 19, 2014, 04:13:26 AM
 #1490

Please can you stop advertising other exchanges here. This is not the place.

Coinex was very good until it has gone bad. It was better than craptsy.

 All these advertising looks like vultures that try to feed on our fear. But please go to other place, we are not stupid sheep and we would not use your atomic (or whatever super duper)  exchange.

I started using coinex because they actually showed up on catcoin-dev, and paid attention, and I appreciated that.

No code, exchange, or system is EVER crack-proof. What matters is how we as a community respond.
The exchanges you see advertising like vultures are going to be the next ones on the organized-cracker hit list... If you try to profit from crack and theft of your peer exchanges, you'll die in bankruptcy alone.

But together, with some information sharing and support of each other, PARTICULARLY between exchanges, we can shine some light on the cracks in the system, and send the thieves scurrying back to fiat and Bitcoin.

There are many things we can do. We, as a community can blacklist coins, we can blacklist addresses, we can collect logfiles from many different servers, and then track it back to the thief. We can color stolen coins, and collectively agree to refuse to accept them. We could build in a 'coin kill switch' that if your wallet gets compromised/stolen/whatever, you can broadcast to the network so that the thieves cannot use those coins anymore. There are downsides and trade-offs to all of these things.

But WE HAVE the code, and WE have the power to decide to do a better job than any other medium of exchange has ever done. We just have to start working WITH each other, instead of the BS artificial scarcity world that Fiat and Bitcoin would like to keep us all locked in.
Galane
Newbie
March 19, 2014, 04:38:26 AM
 #1491

I'm going to wait and see what happens. I had no money into coins, just mining time and cheap 6 cent KWh power. I'd built up about 0.006 BTC on Coinex, had traded every coin I had on there with 0.01 or more into LTC or BTC and left my mining running on the switch pools.

So right now I'm mining nothing.
lihao1989311
Member
March 19, 2014, 05:19:30 AM
 #1492

When will the coinex reopen? I had a lot of coins in it
PhattyBanks
Hero Member
March 19, 2014, 06:28:44 AM
 #1493

so there was no cold storage at all?
CoinAmmo
Full Member
March 19, 2014, 06:32:48 AM
 #1494

an update would be useful like c'mon are you seriously telling me there hasn't been any proof of this "hack" and no plans of giving even like 50% of the coins back??? Wow kudos to guys over at freshmarket.co.in for being HONEST AND RETURNING like 80% of lost coins balances unlike you dickwads who aren't even keeping us updated! like I am upset much like anyone else but YOU ARE NOT HELPING WITH THE FUD by being SILENT.

SILENCE = SKETCHINESS AND SHADINESS = loss of credibility = karma will get you you watch.

UltrA1
Full Member
March 19, 2014, 06:41:43 AM
 #1495

just re hack the rx and get the coins back..
i have a few friends who can help ck where this amount of moons went.. MOON 8890.50963581 or LOT 101.00930175
DOGE 1.7910284 and UNO ill find his ass UNO 0.046969 give me his ip

cannachris
Sr. Member
March 19, 2014, 07:04:57 AM
 #1496

an update would be useful like c'mon are you seriously telling me there hasn't been any proof of this "hack" and no plans of giving even like 50% of the coins back??? Wow kudos to guys over at freshmarket.co.in for being HONEST AND RETURNING like 80% of lost coins balances unlike you dickwads who aren't even keeping us updated! like I am upset much like anyone else but YOU ARE NOT HELPING WITH THE FUD by being SILENT.

SILENCE = SKETCHINESS AND SHADINESS = loss of credibility = karma will get you you watch.


looks like you have a lot of anger in there son. Look, I have 2.2BTC in there too but screaming at them only proves you are immature and impatient. This is not some fly-by-night operation...

Artlover
Full Member
March 19, 2014, 07:42:59 AM
 #1497

There are many things we can do. We, as a community can blacklist coins, we can blacklist addresses, we can collect logfiles from many different servers, and then track it back to the thief. We can color stolen coins, and collectively agree to refuse to accept them. We could build in a 'coin kill switch' that if your wallet gets compromised/stolen/whatever, you can broadcast to the network so that the thieves cannot use those coins anymore. There are downsides and trade-offs to all of these things.
Care to explain how any of those things are possible?

Blacklist and color coins? Coins don't have unique serial numbers. Someone steals coins, sends them to a wallet, and sends everything from that wallet to another wallet, maybe several times, maybe to 3rd party online wallets. Now go and try to pick out any specific stolen coins from their final destination. Can't. Or forgo washing between wallets, wallet to public exchange and immediately sold at whatever pending buy value offers. MAYBE, if the person who was being stolen from was online at the exact time it was happening and could hit some panic button to raise flags before those transactions completed. But that isn't going to happen most of the time. Most of the time, the coins will have already been washed/sold before the victims are even aware, and by that time, it's too late. Already buried under a pile of legitimate coins, or already in the hands of other innocent people unaware the coins they legitimately bought were sold by a hacker who stole some of them.

Black listing addresses? What good does that do? Anyone can run as many wallets and create as many different addresses as they want. Short of arbitrarily blacklisting every address any suspected address interacts with, except those other addresses won't necessarily be complicit with what was going on. Especially when you are talking about 3rd party on-line wallets.

Coin Kill switch? I'll be quite frank. That's an incredibly stupid idea that is just asking for trouble. Kill code is something that has plagued various hardware and software in the past and present, and has a tiny fundamental problem. It can and WILL activate unexpectedly for the wrong reasons. Always does. It's always Innocent people who are always negatively affected more by such tactics than guilty people such tactics are meant to stop. Look at piracy as an example. Anti piracy measures don't affect pirates at all, just the honest users.

The main failure of these ideas are that it would require a reworking of coins networking protocols, stripping away all the key features that make them desirable to begin with. IE: No central control authority, being anonymous, etc..   Once it's made that your account is going to be associated with any coin that passes through it forever for the sake of tracking, or that other people will have the power to make chunks of coins worthless on a whim of someone claiming there was a theft, no one is going to trust or want to use it.

Finally. Don't forget that not all so called theft victims are innocent. Some are scammers, lying in an attempt to get pools/exchanges to credit them for the "theft" when it was in fact they themselves who had simply logged in through a different ip or proxy, did a password reset to keep up appearances, and send their funds to their own 2nd or 3rd newly created wallet/address to wash/sell.

ATM's/Banks have cameras. POS requires signatures/id. Theft can be proven. Crypto has neither. When someone cries they were hacked and their coins stolen, you really only have their word, and that alone is not good enough to validate blacklisting/coloring/killing coins even if such functionality was available.
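
Added example, not part of the thread: a toy model of the coin-coloring proposal debated in the post above, comparing two taint rules on a small ledger. The ledger, transaction names, amounts and the policy names "poison" and "haircut" are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (txid, output_index) pairs this transaction spends
    outputs: tuple  # value of each output, in whole coins


# Constructed ledger (not real chain data): 100 coins are stolen, split,
# partly deposited into a shared online wallet and partly sold to a buyer.
LEDGER = [
    Tx("exchange", (), (100,)),                  # exchange hot wallet
    Tx("theft", (("exchange", 0),), (100,)),     # thief's first address
    Tx("split", (("theft", 0),), (60, 40)),      # two fresh addresses
    Tx("honest", (), (900,)),                    # other users' deposits
    Tx("pool", (("split", 0), ("honest", 0)), (480, 480)),  # wallet payouts
    Tx("sale", (("split", 1),), (40,)),          # sold to an unaware buyer
]
STOLEN = {("theft", 0)}


def propagate(txs, stolen, policy):
    """Return ({output: taint fraction}, {output: value}) for an ordered ledger."""
    value, taint = {}, {}
    for tx in txs:
        in_vals = [value[i] for i in tx.inputs]
        in_taint = [taint[i] for i in tx.inputs]
        total = sum(in_vals)
        if policy == "poison":      # one dirty input taints every output fully
            t = Fraction(1 if any(x > 0 for x in in_taint) else 0)
        elif policy == "haircut":   # taint is shared pro rata by input value
            t = sum((v * x for v, x in zip(in_vals, in_taint)), Fraction(0))
            t = t / total if total else Fraction(0)
        else:
            raise ValueError(f"unknown policy: {policy}")
        for idx, v in enumerate(tx.outputs):
            out = (tx.txid, idx)
            value[out] = v
            taint[out] = Fraction(1) if out in stolen else t
    return taint, value


def flagged_unspent(txs, stolen, policy):
    """Map each unspent output to the coin value a blacklist would flag."""
    taint, value = propagate(txs, stolen, policy)
    spent = {i for tx in txs for i in tx.inputs}
    return {
        out: value[out] * taint[out]
        for out in value
        if out not in spent and taint[out] > 0
    }


if __name__ == "__main__":
    for policy in ("poison", "haircut"):
        flagged = flagged_unspent(LEDGER, STOLEN, policy)
        print(policy, {k: str(v) for k, v in flagged.items()},
              "total:", sum(flagged.values()))
```

Under "poison" the 100-coin theft ends up flagging 1000 coins, 900 of which belonged to uninvolved wallet customers; under "haircut" the flagged total stays at 100 but is spread across three holders who never touched the thief's address.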
OkieDoke
Newbie
March 19, 2014, 08:02:45 AM
 #1498

For those who want Erundook held accountable for various things like the loss of our coins - stop blaming other people for your own mistakes.

Erundook didn't put a gun to your head telling you to put your coins on his exchange. You did it because you wanted to turn coins in to more coins and the bottom line is that security holes can appear anywhere regardless of how much time and money is invested in it.

Look at the UK banks, in the last 2 or 3 years there have been at least 5 successful attempts at circumventing their security and they're just the ones the FSA have told us about because they affected customers directly.
We have no idea how many more of these 'hacks' have happened in the background.

Now fortunately, the FSA requires banks to reimburse customers who lose money because of something like this.

Don't expect this with Bitcoin and digital currencies.
BTC was designed to be anonymous with all transactions not required to be tied to any person.

If you're not comfortable with this and if you're not prepared to accept that all your coins are at risk at all times then digital currencies are not for you.
Artlover
Full Member
March 19, 2014, 08:04:39 AM
 #1499

This is not some fly-by-night operation...
Neither was MtGox, what's your point?

The point is valid. How erundook handled this situation was not professional. He gave his explanation, and I gave my reply. But will highlight some points.

Took 2 days before he bothered to tell anyone what happened, and promptly bitched about people spreading FUD. There would have been no FUD if it didn't take him 2 days before bothering to let everyone know what was happening.

He cries about being scared and that is why he was trying to erase his presence from the internet. Something he didn't do the last time they were hacked big time, so why this time? And why at all? What good does it do, besides make it look like you're trying to hide. And trying to hide doesn't exactly ring of "trying my best to fix everything and make things right, trust me!".

Yeah, I'm sure he was/is scared and worried. So were/are customers and stock holders. Some people are trying to diminish customers, but the fact is, they have their coins because customers had their coins there and using their service. It's not a game, you're responsible for other people's funds, and as such, "should" have some contingency plan for when things go wrong besides hide for 2 days.

That is not professional and doesn't instill trust in them.

I'm not worried about CoinEx's future or everyone's fund at this point in time, but that doesn't change the fact that they could have handled this situation a lot better and could have nipped all the FUD in the bud before it even started.
awais3344
Sr. Member
March 19, 2014, 08:09:18 AM
 #1500

so, i have lost all my zeit, i only transferred in just 1 day before
