Bitcoin Forum
Author Topic: Info about the recent attack  (Read 48924 times)
repentance
September 11, 2011, 06:46:20 AM #21

Quote
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Quote
You have the same password that you had before the attack.

Quote
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

If your password had been changed I don't think you'd have still been logged into the forum when it came back online.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
molecular
September 11, 2011, 07:00:42 AM #22

Quote
Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

+ 1

I started using lastpass.com (there are alternatives too, like KeePass and others) after the mtgox incident. I have come to love it.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
tsupp4
September 11, 2011, 07:01:20 AM #23

Quote
Change of hosting

Mark Karpeles is now hosting the forum's server. The forum is still owned by Sirius, as it has always been. There will be no policy changes.

Signed version of this message

Your statement sounds kind of different to this info:
http://bitcoinmedia.com/mt-gox-taking-over-bitcointalk-the-official-u

Mark Karpeles aka MagicalTux is part of Mt.Gox, right?

"It's not rich who got much, but who gives much."
theymos
September 11, 2011, 07:06:38 AM #24

Quote
Mark Karpeles aka MagicalTux is part of Mt.Gox, right?

Yes.

Quote
Your statement sounds kind of different to this info:
http://bitcoinmedia.com/mt-gox-taking-over-bitcointalk-the-official-u

He is providing free hosting. He is not "taking over Bitcointalk". In that IRC excerpt I even say that Sirius will retain control of the DNS.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
theymos
September 11, 2011, 07:09:58 AM #25

Also, that "security advisory" is inaccurate. The security breach had nothing to do with Flash. That was misinformation spread by the attacker, probably. They used a fake quote purporting to be from Sirius.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
arsenische
September 11, 2011, 07:11:18 AM #26

I'd like to see the file with leaked hashes

nhodges
September 11, 2011, 07:13:39 AM #27

Quote
Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

Online password stores are still a single point of failure, IMO. Great idea, but use KeePass or some other local solution that you can back up and secure with ease.

BkkCoins
September 11, 2011, 07:14:50 AM #28

Quote
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Quote
You have the same password that you had before the attack.

Quote
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

Quote
If your password had been changed I don't think you'd have still been logged into the forum when it came back online.

I'm pretty sure the password wouldn't matter.
Usually a session id is stored in the login cookie, not a password.

I've used KeePassX on Ubuntu for years and never had it mis-remember a password. I guess I should go thru the "lost password" process now...
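BkkCoins' point above, that the login cookie carries a session id rather than the password, also means an already-issued session outlives a password change unless the server ties sessions to the current password. The block below is an added illustration (not the forum's SMF code) with a constructed in-memory store: the hypothetical `Forum` class compares a naive session check with one bound to a per-user password version counter.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the scheme is illustrative, not SMF's own.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Forum:
    """Constructed in-memory account and session store (hypothetical)."""

    def __init__(self):
        self.users = {}     # name -> {"salt", "hash", "pw_version"}
        self.sessions = {}  # session id -> {"user", "pw_version"}

    def register(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash_password(password, salt), "pw_version": 0}

    def login(self, name, password):
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u["hash"], _hash_password(password, u["salt"])):
            return None
        sid = secrets.token_urlsafe(32)  # the cookie holds this id, never the password
        self.sessions[sid] = {"user": name, "pw_version": u["pw_version"]}
        return sid

    def is_logged_in(self, sid, bind_to_password=True):
        s = self.sessions.get(sid)
        if s is None:
            return False
        if not bind_to_password:
            return True  # naive: any known session id is accepted
        # Hardened: the session must match the password version it was issued under.
        return s["pw_version"] == self.users[s["user"]]["pw_version"]

    def change_password(self, name, new_password):
        u = self.users[name]
        u["salt"] = os.urandom(16)
        u["hash"] = _hash_password(new_password, u["salt"])
        u["pw_version"] += 1  # invalidates every session bound to the old password


def demo():
    f = Forum()
    f.register("alice", "old-password")
    sid = f.login("alice", "old-password")
    f.change_password("alice", "new-password")
    return {"naive": f.is_logged_in(sid, bind_to_password=False), "bound": f.is_logged_in(sid)}
```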

pekv2
September 11, 2011, 07:19:16 AM #29

Quote
Online password stores are still a single point of failure, IMO.

A solution like lastpass is great for a few reasons.

Your passwords are encrypted.
Quote
LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic

Lastpass has a backup method, securely and not securely. I use not securely and rar them password protected encrypted.

Quote
WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

My passwords are always accessible to me whether lastpass is offline or not.

TiagoTiago
September 11, 2011, 07:21:34 AM #30

Why is upgrading to the most recent version of SMF worse than switching to a whole'nother forum backend? They didn't make it backward compatible?

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
theymos
September 11, 2011, 07:23:20 AM #31

Quote
Why is upgrading to the most recent version of SMF worse than switching to a whole'nother forum backend? They didn't make it backward compatible?

There are many modifications that are incompatible.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
TiagoTiago
September 11, 2011, 07:27:56 AM #32

They don't provide a way to convert the data to the new format or something like that?

Or you mean there are some addons you use that are essential that haven't been updated to be compatible with the latest version nor have equivalent alternatives made for the latest version?

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
d33tah
September 11, 2011, 07:31:12 AM #33

If he could run arbitrary PHP code, maybe it's not just the hashes he collected... He might have also injected some code BEFORE hashing, thus gaining plaintext. I don't know all the hack details, but does it sound possible to you?

Also, it took you a while to recover.

opticbit
September 11, 2011, 07:32:35 AM #34

So when an attacker finds that you have an extremely secure password, they can now guess that you have a password wallet somewhere, and go after that.

Set up the same thing..
http://bit.ly/btcrefs
Get more bitcoins.
JonHind
September 11, 2011, 07:32:59 AM #35

The vulnerabilities in 1.1.14 have been known for a LONG time. You can hardly call what SA did a 0-day exploit. While 1.1.14 might still be 'supported', it is full of security holes. The admins of this site have been aware of these vulnerabilities for a while, as quite a few people (myself included) have pointed out the dangers of using 1.1.14.

Any admin hosting a site which deals with discussions of a financial nature who couldn't even be bothered to upgrade along the 1.1.xx path (yet alone switch to v.2) should hang their head in shame.

As for giving the database, including all PM's, and also the hosting of the site to the owner of the largest bitcoin exchange, I'm gobsmacked.

I took my $$$'s and BTC's out of Mt:Gox at the time when Bruce was visiting their company. I stopped trusting Mt:Gox when MagicalTux was white-knighting Bruce, refusing to address the evidence that was being provided (not the rumours I might add, just the evidence), and for allowing a convicted fraudster into his company's HQ. After this silent take-over of the forums, I trust Mt:Gox as much as I trust PayPal.

I have my $$$'s in my account now, and my BTC's are sitting in an offline USB stick in the gamble that they will be worth something after all this shit settles down. I'm sitting this one out.
theymos
September 11, 2011, 07:33:08 AM #36

Quote
If he could run arbitrary PHP code, maybe it's not just the hashes he collected... He might have also injected some code BEFORE hashing, thus gaining plaintext. I don't know all the hack details, but does it sound possible to you?

It is possible.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Dusty
September 11, 2011, 07:34:37 AM #37

Quote
thanks for the info, theymos. please continue to keep things as transparent as possible.

+1

Bitcoin articles: Il portico dipinto
theymos
September 11, 2011, 07:35:43 AM #38

Quote
Any admin hosting a site which deals with discussions of a financial nature who couldn't even be bothered to upgrade along the 1.1.xx path (let alone switch to v.2) should hang their head in shame.

What are you talking about? This is the latest upgrade in the 1.1.xx path.

I am not aware of any other vulnerabilities. If vulnerabilities exist, report them to me and I will take the forum down until they are fixed.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
TiagoTiago
September 11, 2011, 07:37:08 AM #39

Though if the intention was to steal data, the defacement stuff would be a dumb move; if they had stayed hidden they could have stolen shit for much longer.

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
molecular
September 11, 2011, 07:42:14 AM #40

Quote
Also, it took you a while to recover.

I'm sure you could've done it much faster and you would run such a site much more securely than theymos.
I'm also sure you'd gladly give up your weekend for no money to recover from a hack.
And I'm also pretty sure you would easily take a bashing from 11-post-know-it-alls without whining.

Thanks to theymos, sirius and whoever else helped in recovery and running the site. I hope you'll keep the forums up in the future. You're doing a great job! Thanks for the transparency, too.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769