Bitcoin Forum
Author Topic: Bitcoin is a magnet for hackers and crooks  (Read 7771 times)
organofcorti
February 24, 2012, 11:05:02 AM
 #41

I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia? In all the time I heard Nietzsche's phrase "That which does not kill us makes us stronger" parroted about, I've yet to hear of one convincing example. In this case, no, getting hacked will not make RSantana's business any stronger. And for any new merchant who doesn't have RSantana's server skills, getting hacked might put them off altogether.

I know you mean well znort987, but remember we're trying to encourage bitcoin access to the wider community. This means helping them be safe, not waiting until they get wiped out - or even nearly wiped out.

Kluge
February 24, 2012, 11:06:34 AM
 #42

I know various forms of this topic have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

I actually think it's a good thing.

What doesn't kill you makes you stronger.

I'm thinking along these lines, too, and wondering if there aren't a good few white-hats doing these attacks. Funny OP mentioned the crackers never looked for the wallet.dat file. I had VNC servers compromised a few months ago, not too long after the MtGox attack. What did the invader do? Was very obvious and tried infecting one computer (which did not run the Bitcoin daemon) with adware. - And I was very confused by this at first, but I've since started thinking they were doing a service of pointing out a very obvious security flaw in my setup which I quickly corrected. I immediately disconnected my router, but I regret not trying to communicate with him.

After the Gox attack, security improved (both in Gox and the affected users) and we're better for it. After Bitscalper's security flaw was noted, security improved and... well.... security improved. All of these attacks are bad short-term, but long-term, they make us more alert and wiser, and may be necessary for Bitcoin to continue being used 10 years from now.
btc_artist
February 24, 2012, 03:33:06 PM
 #43

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

foggyb
February 24, 2012, 03:43:57 PM
 #44

I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia?


Those diseases kill and maim. Web servers are immune to diseases, last time I checked.

RSantana (OP)
February 24, 2012, 04:59:25 PM
 #45

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.
There is no such thing as a secure server.
Trust, is Bitcoin's #1 problem.

caveden
February 24, 2012, 05:17:12 PM
 #46

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Timo Y
February 24, 2012, 05:35:57 PM
 #47

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

Don't know what you mean by "fully secure". There is no such thing as perfect security.

Anyhow, it does have something to do with Bitcoin because, if you store wallets on servers, the level of security required is so much higher than for a site like Wikipedia, where any damage caused by hackers can easily be reversed.  

Security is fiendishly hard to get right even for experienced web developers.   Hiring a team of 10 security experts should NOT be a requirement for every startup in the Bitcoin economy, otherwise there will be very few startups and this economy will never bootstrap.  

This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.  

Phinnaeus Gage
February 24, 2012, 08:38:12 PM
 #48

Quote
This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.

Let's see if I don't know what I'm talking about--again.

I think we need not one LinuxCoin, but seven--one for each 10 fold increase of Bitcoin, all the way to what is currently known as a satoshi. And don't start developing the next level until it looks like it's going to be needed soon, therefore all the latest security features and fixes can be in place, eliminating as many future patches as possible.

It can be called LinuxCoin, or any other name, but Bitcoin would remain its brand status, to satisfy the purist and not confuse the ongoing adapters.

Work should start on the next level now. Once in place, and Bitcoin reaches a certain level, say trading at $100 USD (but doesn't have to be exact), then the new client would be LC1, therefore whoever had 10 bitcoins prior to the move, now has 100 coins, valued at the same price. But now it resides on the new secure client without all the previous mundane luggage which, by the way, is still made available somewhere, somehow, for obvious reasons.

It's days like this that I wish I was a programmer. You guys are truly smart lads and lassies. But, then again, if I were a programmer, perhaps Atlas would then be the DaBitcoinGuy.

~Bruno~
Coinbuck @ BTCLot
February 25, 2012, 01:09:29 PM
 #49

For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.

In here they come from Russia. It's really annoying.

Bitcoin is the future !
k9quaint
February 25, 2012, 08:26:22 PM
 #50

There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.

RSantana (OP)
February 25, 2012, 09:30:42 PM
 #51

There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

ZodiacDragon84
February 25, 2012, 09:35:37 PM
 #52

OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.
:)

just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers skwirm. xD

Basically, set up honey pots, and see how many bees you can collect?

k9quaint
February 25, 2012, 10:23:31 PM
 #53

There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.

Jan
February 25, 2012, 11:25:37 PM
 #54

If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
That's why we have Bit-Pay.

Liberate
February 25, 2012, 11:42:44 PM
 #55

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
If you can't secure your sites then you should not be handling other people's money/bitcoins.

payb.tc
February 25, 2012, 11:44:01 PM
 #56

There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.

sony?
Jon
February 25, 2012, 11:57:34 PM
 #57

I would be more concerned if Bitcoin only attracted law-abiding citizens and government officials.

NASDAQEnema
February 26, 2012, 12:30:50 AM
 #58

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Quote
OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

The prize in bitcoin land is BTC. The prize in fiat land is Credit Card numbers. Both can be sold for fiat. The barrier to entry is exaggerated.
It's just easier at the moment for large sums of BTC to trade into fiat. There's no secret trading platform where you can invest in credit card haxor teams. Not yet.

Quote
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

ZodiacDragon84
February 26, 2012, 08:09:07 PM
 #59

Trust, is Bitcoin's #1 problem.

Time to downgrade back to the good ol' credit cards, checks, and cash; systems where we don't need to trust anyone at all!  :D



riiiiiiight.

caveden
February 27, 2012, 09:56:12 AM
 #60

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.