[ANN][Pool][Profit-Switch][Optional Auto-Exchange per Coin][Vardiff] ~ Hashcows

[tvister]

We were promised to receive an update on Thursday. Well, today is Thursday, where is the update?   

[1714790496]

1714790496

[1714790496]

1714790496

[1714790496]

1714790496

[1714790496]

1714790496

[1714790496]

1714790496

[_Crash_]

Cant register on the site either.

lol last on the internet to know.

Hah, I just discovered the site, so 

[captainbluff]

We were promised to receive an update on Thursday. Well, today is Thursday, where is the update?   

An update is overdue, hashing power is gradually dropping.

[DrTrouble]

I just set up a new mining rig pointed to Hashcows before leaving home a few days ago.  I forgot to set up remote access first, so I really hope it is still chugging away and I will ACTUALLY get credit for the mining being done... 

[uh60james]

I just set up a new mining rig pointed to Hashcows before leaving home a few days ago.  I forgot to set up remote access first, so I really hope it is still chugging away and I will ACTUALLY get credit for the mining being done... 

They have said you can keep mining and you will be paid.  Just can't access anything you've mined right now.

[aTriz]

We are in the process of making some decisions and such, expect an official release from us tonight.

[mattopia]

On your second point, it is the front end design that allows sql injection attacks to happen, not database design. The database just does whatever it is told to do by the website or a command line interface. If this was an injection attack then it was either a coding error in the website or an out of date/misconfigured PHP installation that allowed the "hackers" to most likely dump the database and then go through the tables to identify the payout addresses and the mechanism used to initiate manual payouts.

I understand as much.  My point is that things can be done in the backend - sanity checks, multi-tier permissions, etc that can be done to prevent or at least mitigate this happening in the future.  If they plug one injection hole in the front end, there can be others.   There are things that can be done in the backend and at the database level to at least mitigate the likelihood of future sql injections causing a similar attack.  Ideally the frontend would have very limited direct write access to the database.  Yes, it's not easy to accomplish and still allow users to set and change payout addresses, but, I can think of a few possible ways to do it.

[Mattchu]

We are in the process of making some decisions and such, expect an official release from us tonight.

I've been unable to log into the site since yesterday, are accounts being locked down? I did have some bitcoin in there which got frozen. It wasn't much but it's been hard earned. Are we SOL? Hoping for the best but it looks like the worst.

UPDATE: I was finally able to log in. Looking forward to an update.

[merc82]

We are in the process of making some decisions and such, expect an official release from us tonight.

I've been unable to log into the site since yesterday, are accounts being locked down? I did have some bitcoin in there which got frozen. It wasn't much but it's been hard earned. Are we SOL? Hoping for the best but it looks like the worst.

Logins have been disabled, hopefully the update will provide some insight

[alyons]

http://notnull.org for the harder to find pools - prop, vardiff, stratum 0.5%. TIPS,KITTEH/MEOW,PHS,DMD,QRK,CAT

[nearmiss]

Hashcows Official Update

As has been mentioned in an earlier update, on December 24th 2013 someone was able to modify the Bitcoin payout addresses of many users of Hashcows, and trigger a manual cashout of current balances. 754 total users (out of a total of 8,142 registered users, 5,000+ of which have a BTC balance > 0) had BTC removed from their accounts, accounting for approximately 14.2% of users who held BTC on Hashcows. A total of 40.7815 BTC was removed and sent to address 13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH. Hashcows staff have followed up with all major exchanges and a number of other large pools to confirm if they had any trace of this address in their systems, which as of this time has not turned up any useful results.

Since the attack was noticed on the 24th, we've placed the site in a locked down read-only mode, and disabled all payouts. While we understand this has caused some frustration among users, not being able to see if their accounts were affected, we felt it was the responsible course of action to take, given we knew we were unable to dedicate the time required to diagnose and address the security issues on Christmas Eve and Christmas Day.

We've been working since this time, both in determining the cause of the attack, and its potential scope, including an external audit of the source code by a trusted 3rd party. At this time the belief is still sql injection, based on the nature of the attack and how it was carried out. However, regardless of the technical results of ongoing audits, 2 things are confirmed. #1 The web instance and the mining/stratum instances are physically seperate. The mining instance remains unnafected by the web based lockdown, which is why mining continues to function as usual. #2 The web front-end is undergoing a rebuild from scratch as we speak, by both myself and another developer, utilizing different technologies, improved security features, and new hardware. We hope to have a basic version of this up in the coming days.

What does this mean in the immediate future? We'd prefer to not turn on write access for the website in its current form, but obviously understand people can't be expected to wait much longer for balances held up by the system (both old balances still intact, and earnings mined over the days since lockdown). We'll be posting a simple tool for people to use, allowing you to login with your credentials, at which point it will send out an email verification link, including your current balance and payment address the site has for you. Once clicked, your balance will be sent to the address specified. If you need to make changes to these details, instructions will be provided on the tool page. We hope to have this posted by tomorrow.

Last but not least, perhaps the question many have been waiting for an answer on. What does Hashcows plan to do about the missing 40 BTC? We've thought long and hard on this, and its obviously one of the most important decisions we'll have made in our short existence as a pool and community. Its a situation and decision that has hung over us throughout the last couple days spent with family and friends during the holiday.

Hascows will be re-imbursing every miner 100% of losses incurred on earnings made within the last 7 days prior to the incident (Dec 17th's payout inclusive). This means any funds you earned between Dec 17th and Dec 24th that were cashed out of your account by the attacker, will be re-added to your account at Hashcows expense. This payout will recover 100% of losses for 463 of the 754 affected users. For the remaining 291 users who are only partially covered by the above, we'll be offering reduced fees of 0.5% for at least the next 60 days to help with any shortfall.

In closing, both aTriz and I want to make a statement on more of a personal level, we have been absolutely stunned by the community that you have all created with this pool. There has been a tremendous amount of support and encouragement through these not so fortunate times and we would personally like to say Thank You. We look forward to the future of this pool while we begin the rebuilding stage which will continue to bring this wonderful community more features, more safety, more support, and more cows!

[Meta4X]

I just wanted to take a moment to relay my gratitude to aTriz and nearmiss.  This has been a horrible situation and you guys have done an amazing job of stepping up to the plate.  Thanks for your hardwork, and I'm looking forward to hashing my way through 2014 with the HashCows crew.  Moo!

[Hueristic]

Hashcows Official Update

As has been mentioned in an earlier update, on December 24th 2013 someone was able to modify the Bitcoin payout addresses of many users of Hashcows, and trigger a manual cashout of current balances. 754 total users (out of a total of 8,142 registered users, 5,000+ of which have a BTC balance > 0) had BTC removed from their accounts, accounting for approximately 14.2% of users who held BTC on Hashcows. A total of 40.7815 BTC was removed and sent to address 13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH. Hashcows staff have followed up with all major exchanges and a number of other large pools to confirm if they had any trace of this address in their systems, which as of this time has not turned up any useful results.

Since the attack was noticed on the 24th, we've placed the site in a locked down read-only mode, and disabled all payouts. While we understand this has caused some frustration among users, not being able to see if their accounts were affected, we felt it was the responsible course of action to take, given we knew we were unable to dedicate the time required to diagnose and address the security issues on Christmas Eve and Christmas Day.

We've been working since this time, both in determining the cause of the attack, and its potential scope, including an external audit of the source code by a trusted 3rd party. At this time the belief is still sql injection, based on the nature of the attack and how it was carried out. However, regardless of the technical results of ongoing audits, 2 things are confirmed. #1 The web instance and the mining/stratum instances are physically seperate. The mining instance remains unnafected by the web based lockdown, which is why mining continues to function as usual. #2 The web front-end is undergoing a rebuild from scratch as we speak, by both myself and another developer, utilizing different technologies, improved security features, and new hardware. We hope to have a basic version of this up in the coming days.

What does this mean in the immediate future? We'd prefer to not turn on write access for the website in its current form, but obviously understand people can't be expected to wait much longer for balances held up by the system (both old balances still intact, and earnings mined over the days since lockdown). We'll be posting a simple tool for people to use, allowing you to login with your credentials, at which point it will send out an email verification link, including your current balance and payment address the site has for you. Once clicked, your balance will be sent to the address specified. If you need to make changes to these details, instructions will be provided on the tool page. We hope to have this posted by tomorrow.

Last but not least, perhaps the question many have been waiting for an answer on. What does Hashcows plan to do about the missing 40 BTC? We've thought long and hard on this, and its obviously one of the most important decisions we'll have made in our short existence as a pool and community. Its a situation and decision that has hung over us throughout the last couple days spent with family.

Hascows will be re-imbursing every miner 100% of losses incurred on earnings made within the last 7 days prior to the incident (Dec 17th's payout inclusive). This means any funds you earned between Dec 17th and Dec 24th that were cashed out of your account by the attacker, will be re-added to your account at Hashcows expense. This payout will recover 100% of losses for 463 of the 754 affected users. For the remaining 291 users who are only partially covered by the above, we'll be offering reduced fees of 0.5% for at least the next 60 days to help with any shortfall.

In closing, both aTriz and I want to make a statement on more of a personal level, we have been absolutely stunned by the community that you have all created with this pool. There has been a tremendous amount of support and encouragement through these not so fortunate times and we would personally like to say Thank You. We look forward to the future of this pool while we begin the rebuilding stage which will continue to bring this wonderful community more features, more safety, more support, and more cows!

[ozoner]

Good one guys. That's a real honorable way of dealing with the situation. I don't know of too many others that would be bothered, to be honest.

I'd pretty much decided I'd relocate elsewhere, but it's pretty hard not to support you if you're going to do the right thing like that

All the best with the rebuild.

[merc82]

That is one heck of a response! Cudo's to being a stand up member of the community.. and taking responsibility for the situation.. 10/10, will mine here again.

[tubbyjr]

Code:

//alert('fuuuuck');

I lol'd, since I use the same alert for debugging .

[skyhawk]

That's a pretty good response overall.

For curiosity's sake, I'm going to ask how much of the 40.7815 BTC is covered by that 7-day window?

I'm also going to (again) suggest setting either a maximum balance for auto-payout, or setting a maximum number of days between auto-payouts, in order to reduce the pool's liability in the event of future hacks like this. You're a small mining pool, not a bank, and it's not fair for people to treat you like a bank.

[eric89]

That's an amazing response!

Frankly if people have kept significant (>0.05) amounts of BTC in Hashcows for over 7 days it's very clearly their own fault. I think even a 7 day reimbursement is wonderfully generous.

Pools are not banks, that fact has been smashed into everyone's head.

[Tasweb]

Very well worded response and an outcome for those that did lose coin better than most would have expected.

[BrewCrewFan]

IMO this is more than most pools would ever do.  That is a lot of coin that is going to be replaced. I have to agree with a poster above who said that if your keeping 7 days worth of BTC in a pool wallet your asking for it.