Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Topic: Openex hacked but coins recovered (Read 14259 times)
r3wt (OP)
January 14, 2014, 02:59:56 PM
 #141

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honestly feel like it would diminish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

You're re-inventing the wheel though, really. 1000s of devs have collabed on frameworks for good reasons, don't write them off because you want to write it all yourself!



on the same token though, i can scrutinize the code i write to a great degree of certainty, whereas with a framework i have to worry about my code and that of the framework.

hypes
January 14, 2014, 03:01:56 PM
 #142

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honestly feel like it would diminish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

You're re-inventing the wheel though, really. 1000s of devs have collabed on frameworks for good reasons, don't write them off because you want to write it all yourself!



on the same token though, i can scrutinize the code i write to a great degree of certainty, whereas with a framework i have to worry about my code and that of the framework.

Like i said, when you've got some of the best PHP devs in the world working on these - it's very rare you have to worry about their code. And even if something is wrong, it's patched very quickly.

hiksush2
January 14, 2014, 03:06:10 PM
 #143

Jesus your PHP looks pretty risky too bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say it's pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.
solracx
January 14, 2014, 03:12:48 PM
 #144

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

So the code here is junk?

Any recommendations of other open source exchanges that might be better?

Stouse49
January 14, 2014, 03:14:16 PM
 #145

Will withdrawal fees be lowered since we are forced to remove our coins.  I have 0.00015 BTC from trading that is stuck.

GigaCoin
January 14, 2014, 03:15:48 PM
 #146

well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.

I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?

r3wt (OP)
January 14, 2014, 03:17:37 PM
 #147

Jesus your PHP looks pretty risky too bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say it's pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.

I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?

i retrieved the wallet while running foremost. i then sent the coins to a new address.

phillipsjk
January 14, 2014, 03:50:08 PM
 #148

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honestly feel like it would diminish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.


I face-palmed here. It is "not invented here" syndrome.

The problem is that computers are too complex for any one person to know. That is why abstraction is used.

The difficulty I have with abstraction is that the abstraction layer (there is more than one) is rarely proven correct. This can lead to abstraction leakage. However, to start proving a whole system is correct will take many man-centuries. It is not something you can do on your own.

Myself, I have been delayed months setting up a simple Bitcoin node intended for merged-mining. I may be overly cautious compared to you.

hiksush2
January 14, 2014, 04:38:43 PM
 #149

Jesus your PHP looks pretty risky too bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say it's pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

Oh I don't know, the topic of this thread you fucking idiot comes to mind.  Also whatever double cancel bug you had that allowed people to give themselves coins.

And then of course there's always this one:

https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.');

I'm sure you have no idea why that's a problem though.  I don't understand why anyone in this thread is cutting you slack at all.  What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open.  Your code is the quality of what I made in middle school, and your attitude fits that age range as well.  I'm done with this thread, but a warning for anyone reading it:

Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk!  His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible.

When his next site gets hacked, don't say I didn't tell you so.
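
Post #149's URL shows the `market` parameter reaching a script context unencoded. As an added example (not from the thread or the openex repository), the PHP below contrasts an assumed vulnerable sink with an allow-listed, JSON-encoded one; `MARKETS`, the function names and the inline-script sink are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the openex repository.
// Assumed sink: a page that writes ?market= into an inline <script> as-is.

// Constructed allow-list of market ids (assumption, not the site's real markets).
const MARKETS = ['BTC_LTC', 'BTC_BLC', 'BTC_SKC'];

// Before: request data concatenated into a JavaScript context.
function render_vulnerable(string $market): string
{
    return '<script>var market = ' . $market . ';</script>';
}

// Encode any string as a JS string literal that cannot close the
// literal or the surrounding <script> element.
function js_string(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// After: allow-list the identifier first, then encode for the JS context.
function render_hardened(string $market): string
{
    if (!in_array($market, MARKETS, true)) {
        $market = MARKETS[0]; // unknown market: fall back to a default
    }
    return '<script>var market = ' . js_string($market) . ';</script>';
}

// Query string as quoted in the post above.
parse_str("page=trade&market='';alert('You%20are%20an%20idiot.');", $query);
$market = $query['market'];

echo render_vulnerable($market), "\n"; // value is emitted as script statements
echo render_hardened($market), "\n";   // value rejected by the allow-list
echo js_string($market), "\n";         // encoding alone: one inert string literal
```

The allow-list handles identifiers with a fixed set of values; `js_string` is the fallback for free-form values that still have to appear inside a script block.
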
surfer43
January 14, 2014, 04:43:45 PM
 #150

I got most of my skeincoins back, thanks. And tbh you could double your account deposits of skeincoin by force checking and entering TXID-000...
johningreece
January 14, 2014, 04:55:42 PM
 #151

9.17 bitcoins were hacked from my account at cex.io. I am seeking an experienced investigator to help me retrieve the lost coins.
Zombie123
January 14, 2014, 04:58:57 PM
 #152

All Bitcoins returned Thanks OP
solracx
January 14, 2014, 04:59:36 PM
 #153

9.17 bitcoins were hacked from my account at cex.io. I am seeking an experienced investigator to help me retrieve the lost coins.

did you have 2 factor authentication turned on?

PinkPotatos
January 14, 2014, 05:00:28 PM
 #154

good to see they are back!

whiskers75
January 14, 2014, 05:23:02 PM
 #155

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.
I might make a server-secure.sh script at some point soon.

CatCoin
January 14, 2014, 05:26:21 PM
 #156

The sad thing is, a "secure-server.sh" script would probably be a huge step forward for most of the new coin exchanges, online wallets, etc... that have been showing up recently.
teknohog
January 14, 2014, 05:31:18 PM
 #157

Just my 2 cents on this experience:

  • Got all my coins back :)
  • Lost a Blakecoin exchange, hopefully one of the established exchanges will adopt it
  • It's pointless to blame r3wt specifically, as many big/professional exchanges have been hacked too
  • Don't keep large amounts of coin in any exchange for a long time
  • Remember http://xkcd.com/792/ that was apparently referenced in the log ;)

phazon307
January 14, 2014, 06:14:04 PM
 #158

Jesus your PHP looks pretty risky too bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say it's pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.

I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?

i retrieved the wallet while running foremost. i then sent the coins to a new address.
Glad my idea worked for you, even if it was a different software that you used :)

Zeke_Vermillion
January 14, 2014, 06:33:47 PM
 #159

I am still waiting to get my BLC back from OpenEx. I was told you'd have to "owe" me for some of it, but so far, "some" appears to mean "all". The problem is that you should not have honored the inflated balance that we got when you double-credited order cancellations. And once you announced your policy of honoring the double-credit, you then should not have invited everyone to withdraw their funds all at once! Argh!

Cryptsy had a similar problem recently, and they froze accounts until people paid back the double credit. This was quite annoying but necessary to avoid the situation you now find yourself in.

If you have the bitcoin on hand, I really think you ought to see about buying up some BLC (and other currencies where you have a shortfall). Otherwise, if you wait to do this until later, it may become too expensive for you to cover in the market. And, despite the best of intentions, you will not be able to repay me and others in my position. If you know the BLC folks, you might also consider raising an equity / fee share tranche in exchange for BLC. Heck, I might even participate by rolling in part of my IOU, if you are able to recover from this rough launch...
sarr
January 14, 2014, 07:18:11 PM
Last edit: January 14, 2014, 08:51:05 PM by sarr
 #160

one of my pending deposits of 0.037btc just disappeared, i did manage to recover all other coins tho, but wonder what happened to that one deposit.
txid of it is ed625d262e80d9804925251e023a0cfc457038ce83e5fbf4c34cd6cb22b087ae.

nvm it appeared in my account, now just waiting for my pending withdrawals