Topic: Security bounties (Read 98268 times)
Post #1 by theymos (Administrator), October 12, 2013, 05:09:00 PM

The forum is offering bounties for security vulnerabilities.

The bounty amount is the highest applicable base bounty multiplied by all applicable modifiers. Amounts are in troy ounces of gold (converted to BTC at the time of payment).

Base bounties (in XAU; columns: Root access / Arbitrary DB writing / Obtaining arbitrary PMs or password hashes / Persistent script injection / CSRF or non-persistent XSS)
- Admin attacker: 8 / 2 / 1 / 0.1 / 0.1
- User with manually-granted extra permissions (mod, etc.): 10 / 7 / 6 / 0.25 / 0.1
- Regular user: 10 / 8 / 7 / 0.5 / 0.1

Modifiers
- Affects dev installation (including beta.bitcointalk.org) only: 25%, capped at 1 XAU total
- Stopped by SELinux, file permissions, etc. in practice: 10%
- Affected functionality currently disabled, but planned to be enabled: 75%
- Problem in the forum's production custom PHP code: 110%
- Security flaw in non-PHP software used by the forum (nginx, Linux, etc.): 150%
- Someone has already published the flaw in a news article, blog, public forum, etc. with a reasonably high level of detail and specificity: 50% to 25%, depending on how recently the article was published
- Your testing of the vulnerability caused substantial disruptions: 25%
- No proof of concept: 50%

Rules
- You must disclose the vulnerability only to me. Do not test your vulnerability in such a way that it would give others any information about the vulnerability.
- I must not already know about the vulnerability.
- Your info must actually convince me to make changes. If you give me info that is insufficient to convince me to change things, and then a few months later I get more info from someone else which does convince me to fix the thing that you reported, then you'll likely not be awarded a bounty.
- You must not use your exploit in any malicious way, or use it to read any database info that isn't public except for accounts that you control.
- It must be fairly easy for me to check the validity of your vulnerability. You must have proof of concept code, a live example of the exploit on the forum, or a very detailed description of the vulnerability. You can't just say something like, "Avatars can be used to execute PHP." That's not enough information, and it's very likely that the vulnerability you're talking about won't even affect the forum. Attacks using brute-force, timing, etc. that you can't demonstrate may not be eligible for bounties.
- DoS attacks aren't security vulnerabilities.
- Compromising an admin account is a valid technique, but you can't assume that you will be able to do this.
- Assume that CSRF attacks against the admin console don't work.
- If an exploit is only possible due to a combination of two or more flaws, then the bounty is calculated for each flaw assuming that it alone would succeed in the attack, and you get only the smallest of these bounties.
- You may receive a reward for reporting other security flaws (being able to delete posts when you shouldn't, for example), but these flaws are not covered by this bounty.
- I reserve the right to pay, not pay, or adjust bounties for any reason whatsoever, and to cancel/modify these rules without notice.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
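The bounty arithmetic in the post above, worked through as an added example (not the forum's own code): the base table, the modifiers, the dev-only cap and the "smallest of the chain" rule; the category keys are labels chosen for the example.

```python
"""Worked bounty calculation for the scheme in the opening post.

Added example, not the forum's own code. It encodes the base-bounty table,
the modifier table and the two combination rules stated in the post:
  - one flaw: highest applicable base bounty times every applicable modifier;
  - an exploit that needs several flaws: each flaw is priced as if it alone
    succeeded, and only the smallest of those bounties is paid.
Amounts are in troy ounces of gold (XAU). The category keys are my own labels.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Base bounties (XAU) from the table: attacker level -> impact -> amount.
BASE = {
    "admin": {"root": 8, "db_write": 2, "pms_or_hashes": 1,
              "persistent_xss": 0.1, "csrf_or_reflected_xss": 0.1},
    "mod": {"root": 10, "db_write": 7, "pms_or_hashes": 6,
            "persistent_xss": 0.25, "csrf_or_reflected_xss": 0.1},
    "regular": {"root": 10, "db_write": 8, "pms_or_hashes": 7,
                "persistent_xss": 0.5, "csrf_or_reflected_xss": 0.1},
}

# Fixed modifiers as multipliers. "Already published" is handled separately
# because the post gives it as a range (50% down to 25%) depending on recency.
MODIFIERS = {
    "dev_only": 0.25,              # also capped at DEV_ONLY_CAP in total
    "stopped_in_practice": 0.10,   # SELinux, file permissions, etc.
    "disabled_but_planned": 0.75,
    "custom_php": 1.10,            # forum's production custom PHP code
    "non_php_software": 1.50,      # nginx, Linux, etc.
    "caused_disruption": 0.25,
    "no_poc": 0.50,
}
DEV_ONLY_CAP = 1.0  # XAU


@dataclass
class Flaw:
    attacker: str                          # "admin", "mod" or "regular"
    impacts: List[str]                     # every impact this flaw alone yields
    modifiers: List[str] = field(default_factory=list)
    # Set when the flaw is already public: 0.5 (recent) down to 0.25 (old).
    published_factor: Optional[float] = None


def single_bounty(flaw: Flaw) -> float:
    """Bounty for one flaw: highest applicable base times all modifiers."""
    amount = max(BASE[flaw.attacker][impact] for impact in flaw.impacts)
    for name in flaw.modifiers:
        amount *= MODIFIERS[name]
    if flaw.published_factor is not None:
        if not 0.25 <= flaw.published_factor <= 0.5:
            raise ValueError("published factor must lie between 0.25 and 0.5")
        amount *= flaw.published_factor
    if "dev_only" in flaw.modifiers:
        amount = min(amount, DEV_ONLY_CAP)
    return round(amount, 4)


def chain_bounty(flaws: List[Flaw]) -> float:
    """Exploit needing several flaws: price each alone, pay the smallest."""
    if not flaws:
        raise ValueError("a chain needs at least one flaw")
    return min(single_bounty(f) for f in flaws)


if __name__ == "__main__":
    # Regular user reaches root through a flaw in nginx, with a PoC: 10 * 1.5
    print(single_bounty(Flaw("regular", ["root"], ["non_php_software"])))
    # Root reachable only by an admin, reported without a PoC: 8 * 0.5
    print(single_bounty(Flaw("admin", ["root"], ["no_poc"])))
    # Persistent XSS that only works because of a separate CSRF: min(0.5, 0.1)
    print(chain_bounty([Flaw("regular", ["persistent_xss"]),
                        Flaw("regular", ["csrf_or_reflected_xss"])]))
```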
Post #2 by dree12 (Legendary), October 13, 2013, 11:57:21 PM

Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.
Post #3 by theymos (Administrator), October 14, 2013, 12:12:21 AM

Quote from: dree12
Is there a particular reason why amounts are in Troy ounces of gold? I know the US is running a risk of default, but I do not see the dollar devaluing so much as to justify using Gold as a "stable" currency.

I prefer not to denominate values in any single country's currency here, but BTC is too unstable. XAU is pretty stable.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Post #4 by TradeFortress (VIP, Legendary), October 14, 2013, 01:28:55 AM

Quote
I know the main vulnerability, it is that you are unprofessional in operating the system and you are too cheap to do things right.

I already explained to you that you need to start by using a reverse proxy service such as cloudflare. They have settings that will stop some exploits before they ever reach the server and they have custom settings to block various exploits. $200/month.

The next thing you need to do is take some training so you know what to ask. For instance, you confuse "vulnerability" and "exploit" and you use them interchangeably when they are not. A "vulnerability" is a configuration on your server that can be exploited. An exploit is something that is done to attack a vulnerability. A vulnerability can have many exploits. Try an Ethical Hacking class and getting a CISSP certification.

In other words, give cloudflare the ability to MITM. Reverse proxy services should be seen as a last resort, and all cloudflare's WAF will do is stop basic SQL injection, XSS, etc.
Post #5 by theymos (Administrator), October 14, 2013, 02:15:23 AM

Quote
I know the main vulnerability, it is that you are unprofessional in operating the system and you are too cheap to do things right.

This is probably the highest security bounty of any forum. It's only a little less than Google's security bounties. After this attack, the forum spent over 100 BTC on security-related stuff. Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Contrary to common belief, there is no magic wishing well into which you can throw money and instantly get good results. Often, it's better not to spend money, especially when growth is not the forum's main goal. You always seem to want me to spend thousands of bitcoins as quickly as possible. This would be a great way for the forum to lose a lot of its money without gaining much value in return.

If you don't like how I spend the forum's money, you can:
- Use reasonable arguments (not just trollish demands/complaints) to try and convince me; or
- Create your own organization, generate 6000+ BTC (mostly not from donations), and try some alternative strategy.

Quote
I already explained to you that you need to start by using a reverse proxy service such as cloudflare. They have settings that will stop some exploits before they ever reach the server and they have custom settings to block various exploits. $200/month.

No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped. Same for any automatic exploit detection based on patterns. Unless DoS attacks get really bad, I won't be willing to give up control of the forum's HTTPS keys.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Post #6 by theymos (Administrator), October 14, 2013, 12:55:42 PM

Quote
BTW - How come it is alright that Geotrust has the key? These Geotrust rapid SSL certs are about $10/year. They don't have access to the traffic like Cloudflare would, but still. I assume that is all you can get since the true owners are not in the whois records and a legitimate SSL cert would never have been issued since one of the purposes is to verify the ownership of the web site.

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Post #7 by greyhawk (Hero Member), October 14, 2013, 02:09:12 PM

Quote from: theymos
Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.
Post #8 by Raize (Donator, Legendary), October 15, 2013, 05:08:31 PM

Quote
I see what this is about now. There was a buttcoin.org article making fun of Thermos for not using Cloudflare so now you guys have to come up with reasons why it wasn't done.

You're overvaluing flippant criticism of the forum by folks that know no details surrounding the hack yet think throwing out buzzwords or the "latest tech terms" is the equivalent of Maslow's hammer. Cloudflare's anti-hacking filters would have done nothing to protect from this. There were maybe one or two times in the past when using Cloudflare would have prevented previous DDoS attacks, but that's about it. BarbarianBob identified a specific weakness and came up with a novel way to exploit it. There isn't some automated tool to prevent this.

Quote
then a self-signed certificate where the warning box pops up is the way to go.

If it's self-signed then you're completely subjected to a MitM attack. You could install the certificate manually, but you'd still have to first get it through a trustable transfer mechanism. This is almost too silly a recommendation to even comment on; I honestly can't tell if you are trolling or just so wrapped up in wanting to help that you're throwing out buzzwords as possible recommendations.

In order to help me determine your purpose, maybe you can answer a question. What was the point of going through and replacing most of the text in your previous posts this year with ".."?

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health
Post #9 by malevolent (Staff, Legendary), October 16, 2013, 06:34:23 PM

Quote
So does this mean that everybody can now freely try to crack your site without fear of being busted: "No, I was not hacking, I was just trying to gain the bounty!"?

So? So long as they don't exploit the vulnerabilities they find in a way that could harm the forum or its users, I think theymos will be happy to make the forums more secure.

It is also in their interest to eliminate or minimize the impact of their exploiting of the site because if it causes "substantial disruptions" the reward they will get will be considerably smaller.

I don't think I'll find anything but I'll try my luck in 4-5 weeks when I should have a lot more time than now.

@theymos

I mentioned it on IRC when the site was down and know it can be a problem for you, but if you find some time in the near future, please consider releasing the full code and configuration that's behind bitcointalk.org with the sensitive information removed.

edit: hopefully SMF would give their consent to this
http://www.simplemachines.org/about/smf/license.php
Post #10 by DobZombie (Hero Member), October 17, 2013, 08:33:09 AM

Quote from: greyhawk
  Quote from: theymos
  Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

You got lucky.

I think word will get out and you'll have hackers everywhere looking for exploits.  Security holes will get plugged faster than wet cement slipping through pantyhose.

Your effort to improve the forum (although a little late) is appreciated. :)

Post #11 by error (Hero Member), October 18, 2013, 02:10:05 AM

Quote from: greyhawk
  Quote from: theymos
  Prior to the attack, the forum spent 40 BTC on password hashing improvements which significantly mitigated the damage of this attack.

Can you restate this in ounces of gold please? I would like to know how much this was in a stable carrier of value.

I was paid for this by July 10, 2012, and the price of Bitcoin at the end of that day was $7.20. That day, gold closed at $1587.30. This makes this, at the time, about 0.181 ounces of gold.

Though, it all went to Mt. Gox at about $12/BTC... Oh, hindsight.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
Post #12 by dree12 (Legendary), October 27, 2013, 03:32:01 PM

Quote
But are you aware of the SOL-Injection vulnerability that is still wide open?

The fact that you confuse O and Q is not helping your case. These two letters aren't even close to each other on the keyboard.
Post #13 by greyhawk (Hero Member), October 31, 2013, 08:37:07 AM

Quote from: dree12
  Quote
  But are you aware of the SOL-Injection vulnerability that is still wide open?

The fact that you confuse O and Q is not helping your case. These two letters aren't even close to each other on the keyboard.

They are in fact right next to each other. On a Dvorak keyboard.
Post #14 by dree12 (Legendary), November 10, 2013, 04:43:42 AM

If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?
Post #15 by theymos (Administrator), November 10, 2013, 05:41:06 AM

Quote from: dree12
If it would not violate anonymity of individual security researchers, could you post statistics as to how many bugs in each category have been reported and fixed?

Just yours so far. (A CSRF.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Post #16 by fligen (Member), November 15, 2013, 03:46:15 PM

Good job using a password manager, theymos.

Post #17 by agent007 (Newbie), November 26, 2013, 09:49:51 PM

Quote from: fligen
Good job using a password manager, theymos.

I agree with you.
Post #18 by Yazuki (Newbie), December 04, 2013, 10:35:40 PM

Just thought I would leave this here so that security researchers know that the bounty isn't only limited to bugs in SMF or the server:

Quote from: theymos on reddit
If you can cause serious damage to the forum with any sort of bug, and you responsibly disclose this bug, you will be given a lot of money.

BTW, I've contacted you about payment for the vulnerability I disclosed a few weeks back.
Post #19 by hostmaster (Sr. Member), January 07, 2014, 12:27:19 PM

If I were you, I would pay someone to code a new forum from scratch and then transfer everything; this way you would not have to worry or spend too much on flaws.
Post #20 by SaltySpitoon (Global Moderator, Legendary), January 12, 2014, 02:43:00 PM

Quote from: hostmaster
If I were you, I would pay someone to code a new forum from scratch and then transfer everything; this way you would not have to worry or spend too much on flaws.

That is already in progress; however, after the new forum is done, it will most likely be months before it goes public. Then we have to find all of the flaws in the new version that we may have already found in the older version.
Post #21 by U1TRA_L0RD (Full Member), February 02, 2014, 08:41:34 PM

Hmm, JavaScript? Exploits,
Post #22 by tkbx (Sr. Member), March 13, 2014, 12:41:29 PM

Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?
Post #23 by rero2 (Member), March 22, 2014, 12:25:12 PM

If I find anything I will surely tell you about it.
Good luck, and hopefully there aren't many vulnerabilities.
Post #24 by bluefirecorp (Legendary), May 24, 2014, 04:50:54 AM

This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program :D

Post #25 by NLNico (Legendary, hacker), May 25, 2014, 04:12:30 AM

Quote from: bluefirecorp
This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program :D

If you are finished with this bug bounty program, you can have a look at the 30+ other bug bounty programs that pay Bitcoins :) Overview of Bug Bounty Programs for Bitcoins > https://bitcointalk.org/index.php?topic=483195.0

Post #26 by bluefirecorp (Legendary), May 25, 2014, 08:04:54 PM

Quote from: NLNico
  Quote from: bluefirecorp
  This is epic. I've actually started actively looking for vulnerabilities now that I JUST found this bug bounty program :D

If you are finished with this bug bounty program, you can have a look at the 30+ other bug bounty programs that pay Bitcoins :) Overview of Bug Bounty Programs for Bitcoins > https://bitcointalk.org/index.php?topic=483195.0

Neat. Thanks a lot for the link. I'll get a few of my netsec friends to take a look at the list and see if they can find anything. Everything at bitcointalk seems pretty secure from what I've tried so far.

Post #27 by e1ghtSpace (Legendary), August 12, 2014, 10:42:00 AM

Does this count as an exploit?

[image]

<----- it has nothing to do with security but still...
Edit: it got fixed. Got 0.03 BTC for it.

Post #28 by MakeBelieve (Hero Member), August 12, 2014, 08:31:34 PM

So should we test this on this actual website, or should I test for vulnerabilities on a local host and then contact the admin if I find any vulnerabilities on the same version? I don't want to risk getting into trouble testing on this forum just in case I do get into something I'm not supposed to, unless it's allowed as long as you report it.

On a mission to make Bitcointalk.org Marketplace a safer place to Buy/Sell/Trade
Post #29 by TradeFortress (VIP, Legendary), September 08, 2014, 09:53:06 AM

Quote from: e1ghtSpace
Does this count as an exploit?

[image]

<----- it has nothing to do with security but still...
Edit: it got fixed. Got 0.03 BTC for it.

What was it? Unicode control codes?
Post #30 by TradeFortress (VIP, Legendary), September 08, 2014, 09:54:04 AM

Does changing your display name, or registering a new username with prohibited strings (e.g. Satoshi) count as something that would receive a bounty?
Post #31 by theymos (Administrator), September 08, 2014, 08:54:54 PM

Quote from: TradeFortress
Does changing your display name, or registering a new username with prohibited strings (e.g. Satoshi) count as something that would receive a bounty?

It's not covered in this bounty, but I'd probably pay a little for info about some bugs of that sort. Some things (like various ways to visually defeat prohibited strings) are known bugs that aren't likely to be fixed.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Post #32 by Cyrus (Administrator, Legendary), September 08, 2014, 09:48:01 PM

I was meaning to raise awareness about people using different characters to make their usernames visually similar to those of some trustworthy members on bitcointalk.
Example: ṣatoshi, theymoṣ, ṫheymos, etc.*
Why not limit the charset to UTF-8, and maybe some non-visually interfering symbols?

*As of yet, there aren't any usernames containing the characters and , but I could compile a list of such characters just to show how easy it is to try and register such a username.
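A registration-time check for the lookalike names described above, as an added example that is not part of the post or the forum's code: it folds combining marks (the ṣ/ṫ cases above) and, going beyond the post, a small partial table of Cyrillic letters that render like Latin ones, then compares the result to an assumed list of protected names.

```python
"""Lookalike-username check (added example, not the forum's own code).

Each candidate name is reduced to a comparison key: NFKD decomposition,
removal of combining marks, casefolding and a partial confusables map.
A name whose key collides with a protected name is rejected, and any other
name containing non-ASCII characters is flagged for manual review.
The protected list and the confusables table are assumptions for the example.
"""
import unicodedata

PROTECTED = {"satoshi", "theymos"}  # assumed list of protected names

# Partial confusables table (Cyrillic -> Latin), illustrative only.
# Unicode's full list (UTS #39 confusables.txt) is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(name: str) -> str:
    """Comparison key: NFKD, drop combining marks (Mn), casefold, map confusables."""
    decomposed = unicodedata.normalize("NFKD", name)
    base_only = "".join(ch for ch in decomposed
                        if unicodedata.category(ch) != "Mn")
    # Casefold first so uppercase Cyrillic letters also hit the table.
    return "".join(CONFUSABLES.get(ch, ch) for ch in base_only.casefold())


def check_username(name: str, protected=PROTECTED):
    """Return (decision, reason) for a registration or rename request."""
    if not name.strip():
        return "reject", "empty name"
    key = skeleton(name)
    if key in protected:
        # Covers both the exact prohibited string and its visual lookalikes.
        return "reject", "matches protected name %r" % key
    if any(ord(ch) > 0x7F for ch in name):
        return "review", "non-ASCII characters fold to %r" % key
    return "accept", ""


if __name__ == "__main__":
    for candidate in ["\u1e63atoshi", "theymo\u1e63", "\u1e6bheymos",
                      "s\u0430toshi", "Satoshi", "J\u00fcrgen", "alice"]:
        print(candidate, check_username(candidate))
```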

Post #33 by cakir (Legendary), September 10, 2014, 11:29:46 PM

I've sent a PM to theymos, I hope he doesn't miss it ;D
(it's not a code hack etc.)


                  ,'#██+:                 
              ,█████████████'             
            +██████████████████           
          ;██████████████████████         
         ███████:         .███████`       
        ██████               ;█████'      
      `█████                   #████#     
      ████+                     `████+    
     ████:                        ████,   
    ████:    .#              █     ████   
   ;███+     ██             ███     ████  
   ████     ███'            ███.    '███, 
  +███     #████           ,████     ████ 
  ████     █████ .+██████: █████+    `███.
 ,███     ███████████████████████     ████
 ████     ███████████████████████'    :███
 ███:    +████████████████████████     ███`
 ███     █████████████████████████`    ███+
,███     ██████████████████████████    #███
'███    '██████████████████████████    ;███
#███    ███████████████████████████    ,███
████    ███████████████████████████.   .███
████    ███████████████████████████'   .███
+███    ███████████████████████████+   :███
:███    ███████████████████████████'   +███
 ███    ███████████████████████████.   ███#
 ███.   #██████████████████████████    ███,
 ████    █████████████████████████+   `███
 '███    '████████████████████████    ████
  ███;    ███████████████████████     ███;
  ████     #████████████████████     ████ 
   ███#     .██████████████████     `███+ 
   ████`      ;██████████████       ████  
    ████         '███████#.        ████.  
    .████                         █████   
     '████                       █████    
      #████'                    █████     
       +█████`                ██████      
        ,██████:           `███████       
          ████████#;,..:+████████.        
           ,███████████████████+          
             .███████████████;            
                `+███████#,               
Post #34 by IceTurk (Member), November 16, 2014, 04:36:31 PM

The only major flaw in this forum that I can see is that you are using SMF as your forum software. Can't wait until the new platform arrives.
Post #35 by soowein (Jr. Member), March 25, 2015, 10:40:40 AM

Quote from: tkbx
Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?

Thanks!

Post #36 by TradeFortress (VIP, Legendary), May 26, 2015, 01:49:39 AM

Time for social engineering to be added as a valid attack?
Post #37 by Check-0 (Full Member), May 26, 2015, 07:09:36 AM

Quote from: TradeFortress
Time for social engineering to be added as a valid attack?

To kill all "social engineers", theymos must host the forums in his basement on a dedicated server with fat connectivity. 8)
Problem solved!

Do not tempt me, for I am unrestrained in my desires...
Do you want me to blow up all the stars so that Tomorrow never comes..?
Post #38 by macsga (Legendary), May 27, 2015, 07:19:17 AM

If I may, the main problem with security vulnerabilities is our failure to understand that most of them are based on breaking some very simple rules. For instance, anyone who has the ability to physically access my computer is (in theory) able to retrieve ANY password that I have stored inside my web browser and/or key-chain. You may now be thinking "oh, this is not possible", but please take some time to use some good un-delete software together with a web-browser password retriever utility and most probably you will get the job done in less than 10 mins. Brute forcing is another way, but will take more time.

@Theymos:
It's been some time now that I've thought about the possible attacks this (and similar) sites will get within the next BTC bubble. I expect this will get much worse. Restricting user access via Tor blocking (I know this will hurt me as well, because I'm using Tor from my work to access the site) will definitely rule out some of the most significant attacks. Cloudflare is also a way, but I'd go for a dedicated person(s) service. You can hire one that you trust, most likely near where you live. This would have been the best case scenario I'd choose, if I were you.

Best of luck sorting this out.

Post #39 by Check-0 (Full Member), May 27, 2015, 08:19:21 AM

Of course I was joking about the dedicated server in the basement.
Such a setup will likely have issues with load balancing and connection speed.
Also, it will still be a centralised service.

If theymos wants to save his income and keep the community here,
he should:

i) invest in decentralised forum software, or some day such a forum engine will become reality,
 but not under his control, written by other guys. The community will switch to it after the next couple of hacks here. Theymos must be smart and proactive :)

ii) make sure to have auth of members without passwords (maybe with bitcoin keys or other virtual identities).

iii) never store hashes and IPs in an Internet-hosted DB.
     Take a look: https://unhosted.org/

iiii) abolish email usage for password recovery (there are safer means of communication).

iiiii) drop the "security question checking" feature for password recovery.

If Bitcointalk stays centralised, what will happen when the next bubble of greater adoption arrives??
How many members can one forum engine (SMF or Epochtalk) bear??

At least theymos should go to several federated servers for the forums...
I am not sure what year it is right now for theymos and team?!
Are we really in 2015?! :P

Post #40 by NLNico (Legendary, hacker), May 27, 2015, 08:43:18 AM

Quote from: Check-0
i) invest in decentralised forum software, or some day such a forum engine will become reality,
 but not under his control, written by other guys. The community will switch to it after the next couple of hacks here. Theymos must be smart and proactive :)

Performance of decentralized forum software at this point will be very shit AFAIK. And usability probably bad too (gotta download a client?)

Quote from: Check-0
ii) make sure to have auth of members without passwords (maybe with bitcoin keys or other virtual identities).

You want people to sign a message with a bitcoin address every time they log in?

Seriously, "don't use passwords" is easier said than done. Login with Trezor Connect would be cool though. And 2FA should obviously be an option.

Quote from: Check-0
iii) never store hashes and IPs in an Internet-hosted DB.

Not storing IPs will definitely be bad against spam / trolls / etc.

Quote from: Check-0
iiii) abolish email usage for password recovery (there are safer means of communication).

Well, for some people it's just about usability. But an optional option to only do (automatic, not manual like now) recovery by signing with a specific addy would be cool.

Quote from: Check-0
If Bitcointalk stays centralised, what will happen when the next bubble of greater adoption arrives??
How many members can one forum engine (SMF or Epochtalk) bear??

Are you telling me decentralization is better for scalability/performance at this point? Definitely not. Also interesting that you are first for keeping IPs private but now you want a P2P forum?

Not disagreeing with all points, but some things are easier said than done ;)

Post #41 by Check-0 (Full Member), May 27, 2015, 09:55:29 AM

>> Are you telling me decentralization is better for scalability/performance at this point? Def not. Also interesting you are first for keeping IPs private but now you want a P2P forum?

My previous post is a set of ideas for theymos to think about, while he studies PHP and that "new" Javascript ...  Shocked
He can pick something useful from it...
as he tries to stay behind of time and progress, he maybe will accept some ideas at least  Roll Eyes
So it looks eclectic and messed dish just bcoz i feed  conservators Tongue

>> Well for some people it's just about usability. But an optional option to only do (automatic, not manual like now) recovery by signing w/ a specific addy would be cool.

yes, would be nice to have different options for password recovery, tweakable in profile,
with safest option set on by default.

>> Not storing IPs def will be bad against spam / trolls / etc.

My point was: store IPs and other sensitive info (emails too) in a special separated storage, preferably in the member's browser.
I did not say: "never store IPs!!!"

>> Seriously, "don't use passwords" is easier said than done.

Yes, not easy. But why can't we have a choice: power members can log in with keys, bitcoin addresses, good wishes etc. AND regular members can log in with passwords?!
It can be done for sure.

>> Performance of decentralized forum software at this point will be very shit AFAIK.

The same will be true for Epochtalk, I guess, which is an alpha, unaudited engine.
My point here was: if theymos gets stuck with traditional approaches,
he will lose the community due to the aftermath of the next hacks, social engineering "accidents" etc.
BTW we are now on a Romania-based hoster.
Are Romanian front desk guys safer when it comes to social engineering than NL-based ones?!  Tongue

Code:
IP Address        Root Domain       Hosting Provider
198.251.81.170    bitcointalk.org   FranTech Solutions

Hosting Provider's Detail
Country        United States
City           Cheyenne
ISP            FranTech Solutions
Organization   Voxility S.R.L.

Do not tempt me, for I am unbridled in my desires...
Do you want me to blow up all the stars, so that Tomorrow never comes..?
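As an added example (not the forum's or Check-0's code) of the key-based login this post proposes: a challenge-response login in Go where a member signs a server-issued, single-use nonce with the key registered on their profile. Go's standard P-256 ECDSA stands in for Bitcoin's secp256k1 message signing, and the `forum-login` domain tag and two-minute challenge lifetime are assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// Challenge is a single-use, time-limited nonce issued to one member (kept server-side, keyed by nonce).
type Challenge struct {
	Member  string
	Expires time.Time
}
// Server holds the public keys members registered on their profile and the open challenges.
type Server struct {
	Keys       map[string]*ecdsa.PublicKey
	Challenges map[string]Challenge
}
// NewMemberKey makes the key pair a member would register; P-256 stands in for Bitcoin's secp256k1.
func NewMemberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Issue records a fresh random challenge for member and returns the nonce to sign; the two-minute lifetime is an assumption.
func (s *Server) Issue(member string, now time.Time) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand never returns an error on supported platforms
	nonce := hex.EncodeToString(b)
	s.Challenges[nonce] = Challenge{Member: member, Expires: now.Add(2 * time.Minute)}
	return nonce
}
// loginDigest binds an assumed domain tag, the member and the nonce, so a signature for one login cannot serve another member or purpose.
func loginDigest(member, nonce string) []byte {
	h := sha256.Sum256([]byte("forum-login\n" + member + "\n" + nonce))
	return h[:]
}
// Sign is the member's side: sign the challenge with the private key only they hold.
func Sign(priv *ecdsa.PrivateKey, member, nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, loginDigest(member, nonce))
}
// Verify is the server's side: consume the nonce on first presentation (no replay), then check member binding, expiry and the signature.
func (s *Server) Verify(member, nonce string, sig []byte, now time.Time) bool {
	c, ok := s.Challenges[nonce]
	delete(s.Challenges, nonce) // consumed whether or not the login succeeds
	if pub := s.Keys[member]; ok && pub != nil && c.Member == member && !now.After(c.Expires) {
		return ecdsa.VerifyASN1(pub, loginDigest(member, nonce), sig)
	}
	return false
}
```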
2112
Legendary
*
Offline Offline

Activity: 1946



View Profile
May 27, 2015, 03:34:18 PM
 #42

Are we really in 2015 ?! Tongue
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. "Time-share" term was later appropriated by the vacation real-estate salesmen, so the computer salesmen renamed their "time-shares" to "cloud computing".

But the bullshit stayed the same.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Spendulus
Legendary
*
Offline Offline

Activity: 1666



View Profile
November 28, 2015, 06:47:51 PM
 #43

Are we really in 2015 ?! Tongue
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. ....

Some years off in that one...1970 was mostly punched cards.  I'd guess timeshared computer services maxed out in parallel with the first five or ten years of the PC.
2112
Legendary
*
Offline Offline

Activity: 1946



View Profile
November 29, 2015, 12:34:17 AM
 #44

Are we really in 2015 ?! Tongue
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. ....
Some years off in that one...1970 was mostly punched cards.  I'd guess timeshared computer services maxed out in parallel with the first five or ten years of the PC.
Not in the USA and other relatively advanced economies. There the order was approximately:

196x) organization-owned mainframes
197x) shared rented mainframes (provider-owned)
198x) departmental minicomputers (back to organization-owned)
199x) personal computers (both organization-owned and individual-owned)

Also, I'm talking about broad industrial/commercial/academic trends, not about various niches.

Edit: added one more decade and ownership qualification


Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Decoded
Hero Member
*****
Offline Offline

Activity: 868


Crypto-News.net: News from Crypto World


View Profile WWW
October 06, 2016, 01:37:27 AM
 #45

Just asking regarding you mentioning mod-related vulnerabilities in the OP.

Mods don't have access to the server(s) that host bitcointalk, right? Only you and maybe Badbear?



theymos
Administrator
Legendary
*
Offline Offline

Activity: 2814


View Profile
October 06, 2016, 02:18:23 AM
 #46

Mods don't have access to the server(s) that host bitcointalk, right?

They do not.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
kano
Legendary
*
Online Online

Activity: 2240


Linux since 1997 RedHat 4


View Profile
October 08, 2016, 12:22:53 AM
 #47

In case you didn't notice Theymos ...
It would appear that the email harvesting from the 2015 hack has recently put the forum email addresses from back then into spam lists.
https://bitcointalk.org/index.php?topic=1635595.0

Looks like you need to up the bounties and/or find someone who can be rewarded them Smiley

Pool: https://kano.is Here on Bitcointalk: Forum BTC: 1KanoPb8cKYqNrswjaA8cRDk4FAS9eDMLU
FreeNode IRC: irc.freenode.net channel #kano.is Majority developer of the ckpool code
Help keep Bitcoin secure by mining on pools with full block verification on all blocks - and NO empty blocks!
EnacDomains
Full Member
***
Offline Offline

Activity: 229


View Profile WWW
October 11, 2016, 09:19:22 PM
 #48

When will the Iron tank forum be released?

http://eNAC.com -Buy and sell domain names with Bitcoin
naghashisakhteman
Newbie
*
Offline Offline

Activity: 4


View Profile WWW
November 12, 2016, 09:35:21 AM
 #49

Hi
This project will help Java web developers defend against Cross Site Scripting!
Kudos Per Bug
Mad7Scientist
Sr. Member
****
Offline Offline

Activity: 272


View Profile
September 18, 2017, 02:18:41 AM
 #50

No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped.
Quote from: TradeFortress
In other words, give cloudflare the ability to MITM. Reverse proxy services should be seen as a last resort, and all cloudflare's WAF will do is stop basic SQL injection, XSS, etc.
These people really seem to know what they're doing, and theymos keeps doing it despite stupid comments from people who blurt out whatever without doing any research about what they're talking about. It's nice to be on a forum that's so well run.
Dorkie
Newbie
*
Offline Offline

Activity: 14


View Profile
October 14, 2017, 06:01:24 PM
 #51

Bullshit offer.
If you are sincere in solving any security breach, you should seek paid professionals.

A signed BTC message is an alternative to an RFID chip.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!