NewLiberty
June 13, 2014, 09:09:39 AM
Eligius’s offline wallet now has roughly 200 BTC work credits held from the payout queue under the attacker's addresses, that we have stopped them from stealing.
This is fucking awesome! What an idiot, or bunch of idiots! At the current rate of $601.50 per BTC they have had to forfeit over $120,000. Ha ha ha ha ha! ROTFL!!!!! No matter what their attack actually accomplished, I am pretty sure it wasn't worth a cost of $120,000.
I'm less confident in that than you. Over $18 million in bitcoin moved in just the last day, $120K is less than 1%

mdude77
June 13, 2014, 09:16:22 AM
This explains why some people have noticed that Eligius is "sitting on" a huge amount of BTC.
Good job.
BTW, someone said luck is down. That's not true. Luck is great.
Last 10 blocks: 77.33%
Last 12 hours: 64.07%
Last 24 hours: 74.97%
Last 7 days: 99.78% <--- key figure
Last 30 days: 102.22% <--- key figure
Last 90 days: 95.84% <--- slowly creeping up
M
I mine at Kano's Pool because it pays the best and is completely transparent! Come join me!

thejewelrytech
June 13, 2014, 10:28:52 AM
It's stories like this that help restore my Faith in HUMANITY, seeing there are still Good people in this World. Score 1 for the Good Guys. Too many people in this world have no Morals and think they can just get away with anything and never have to answer for anything. But there is always a Higher Power at work! They should have known better than to take from a Saint. I'm sure they will think Twice about trying to pull that again, because in the end you always get what you deserve! What goes around always comes around eventually...... Karma, you got to Love It! I imagine Good things will be coming your way, Whiz, in return.
You're either part of THE SOLUTION? Or you're part of THE PROBLEM!

s2
June 13, 2014, 10:46:12 AM
Just curious, how can you be confident this was a hack? I mean what is the probability that they've just had bad luck and never got a winning answer but have genuinely been playing fairly?
Reason I ask is if it was bad luck you're inadvertently screwing over a genuine miner to subsidize others. (Although it is surprising someone would leave that much BTC in an online account!)
I'm guessing you're very sure about this but would like to know how you're so sure.

Brucexie
June 13, 2014, 11:19:42 AM, last edit: June 13, 2014, 03:42:38 PM by Brucexie
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
In 5.16, I post my ticket. In 5.21, you replied to request signature for my address, I replied. In 5.23, you found my signature is wrong. After investigating, I found that I add an extra space somewhere, then I re-sign the text. Then, a week passed. After I said that if there's no response, I will post it on society. Finally, you announced. Then I give you some option. Then you keep silence and post this.
The last share submitted on these address is in first week of May, and you keep silence, until I warn you twice.
For your "demanding 1164%-APY interest", let me paste my last post here:
===============
Hi,
This may be the last time I ask for your response. You need to choose one of these two options in 72 hours, or we'll 'escalate' this case to the whole bitcoin society, and your local law enforcement agencies may also be involved later.
1. Pay all unpaid bitcoin before 6/15.
2. Pay under an installment plan: pay 10% per week, or pay 5% a week, with an extra 5% interest.
===================
That's all, 5% interest. If you can pay me in 10 week, you can still pay nothing extra!!!
And for my "hacking your site if you don't pay", I post my original words here:
==================
2. No one wants to risk its money (or hash power) to behave maliciously, under the design of bitcoin protocol, since it will for sure bring negative benefit. If I want to act "maliciously", I can pay just even a small proportion of 200btc to a professional hacker, and I believe he can tear your site for weeks. It may be a much better idea than messing your share system up with legal traffic.
==================
Maybe my English is poor, but I think you know what "IF" means. I just said that assume that I'm a bad guy and want to break your site, it's a better idea to hire a cracker than risk my power of calculation.
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
For anyone who want to raise his calculator to calculate how rare this could be happened? I'd like to remind them, do not forget, eligius can efface my block from his own block list and announced that I mine nothing.
For customer who see this post, I want to say something to you: You can trust eligius' word, but it may be a better idea to move to a cleaner website other than this 2nd oldest one, since that now we already found that "IF" this website wants to be evil, the only thing he will do is freezing your payment "temporarily", and post something without any evidence. You guys choose Bitcoin since it is maintained by mathematics, not someone's words. So, if you trust eligius, you should also prefer saving your USD to your nearest, oldest (always 100+ years old, tens times than eligius) bank for getting interest, instead of risk it on the mining gears.
Greetings Eligius miners,
So, after some investigation over the past month or so, it turns out a couple of clients/addresses were involved in a “block withholding attack” against Eligius which has cost us an estimated 300 BTC, and likely miners of other pools as well. A block withholding attack is where a miner submits low difficulty shares but does not submit block solutions— so they appear to be working for the pool and continue to get paid while not actually doing useful work for the pool.
It is unknown how many other pools they’ve executed this attack against. While withholding attacks are detectable, they are not possible to prevent: the risk of block withholding is inherent in how Bitcoin pooling works. Since the attacker does not gain any direct benefit by performing the attack it is usually assumed to not be a serious risk. A withholding attacker can’t profit, except through indirect effects like making a pool look less “lucky” and driving miners to other pools.
My guess is that they never expected to get caught and suffer income loss as a result of their attack. But, once they were caught, I put a filter in place to block them from the payout queue (similar to the block on known MtGox addresses). Eligius’s offline wallet now has roughly 200 BTC work credits held from the payout queue under the attacker's addresses, that we have stopped them from stealing.
When they noticed, weeks later, they contacted us complaining. We asked them to sign messages to verify they were in fact in control of the addresses in question including asking them to include a real name and location in the signed message, refusing to discuss it until they had done so. They eventually responded around the Memorial Day US holiday weekend. Before we were able to respond (everyone has been extra busy as you all know), they threatened putting a 200 BTC bounty on hacking Eligius. More recently, their behaviours have extended to additional ultimatums, arbitrary deadlines, demanding 1164%-APY interest on the payout, etc.
Suffice it to say, communications with the attacker have been less than productive.
My original plan was to return the coins we have held in offline storage to the rightful owners— the miners who were submitting real work and were affected by the withholding attack— by paying towards shelved shares accrued during that time period (doing this is non-trivial due to security measures in place). This is still my intention, as I have no real inclination to yield to the demands and threats made by this attacker who has cost all of us quite a bit. It has unofficially been decided that if it came down to it, Eligius would shut down before being forced to pay any attacker of any kind any amount whatsoever.
In any case, I wanted to make sure I posted the details of this before the attacker attempts to take the public FUD route, and possibly get some constructive opinions on how to actually proceed with this.
I will be posting all details we have about this soon. For now, the two addresses I have filtered from the payout queue are 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc and 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u.
Rest assured that there is no need to be concerned about their threats. Eligius is the second oldest mining pool and is also one of the few remaining pools which has never had any loss of bitcoin from any type of hack. The reason there have been no successful hacks is because we take security very seriously. There really are no possible methods for such an attack with Eligius. While I won't reveal any of the specific security measures in place, even if an attacker were to somehow compromise any or even every single Eligius server, keep in mind that there are no funds stored on any online machine for them to steal anyway. Other data is protected and verified by remote machines as well. The pool will simply be cut off from the world pending my personal review if anything important were actually manipulated. As previously noted, the offline wallet requires coordination between both myself and Luke-Jr, and also very shortly, after completing some testing, a confidential third party.
I am taking this very seriously, and I'll be monitoring the pool as closely as possible. Measures are also being taken to further harden our already very good existing security as well. If My assumption is that the attacker is not going to take kindly to being publicly outed.
Thanks,
-wk
P.S. - This is unrelated to any of the stats issues that have occurred. (Server migration for the new web server is still under way…)

HypnoticGuy
June 13, 2014, 11:29:08 AM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
In 5.16, I post my ticket. In 5.21, you replied to request signature for my address, I replied. In 5.23, you found my signature is wrong. After investigating, I found that I add an extra space somewhere, then I re-sign the text. Then, a week passed. After I said that if there's no response, I will post it on society. Finally, you announced. Then I give you some option. Then you keep silence and post this.
The last share submitted on these address is in first week of May, and you keep silence, until I warn you twice.
For your "demanding 1164%-APY interest", let me paste my last post here:
===============
Hi,
This may be the last time I ask for your response. You need to choose one of these two options in 72 hours, or we'll 'escalate' this case to the whole bitcoin society, and your local law enforcement agencies may also be involved later.
1. Pay all unpaid bitcoin before 6/15.
2. Pay under an installment plan: pay 10% per week, or pay 5% a week, with an extra 5% interest.
===================
That's all, 5% interest. If you can pay me in 10 week, you can still pay nothing extra!!!
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd old pool, trust me".
If I didn't do it I would say that I didn't do it. If I didn't do it I would try to post information showing that I didn't do it. You wrote a very long post and not one time did you say that you did not do it. To me, that says a lot! Don't bother now, it's too late.

VinceSamios
June 13, 2014, 11:42:10 AM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
In 5.16, I post my ticket. In 5.21, you replied to request signature for my address, I replied. In 5.23, you found my signature is wrong. After investigating, I found that I add an extra space somewhere, then I re-sign the text. Then, a week passed. After I said that if there's no response, I will post it on society. Finally, you announced. Then I give you some option. Then you keep silence and post this.
The last share submitted on these address is in first week of May, and you keep silence, until I warn you twice.
For your "demanding 1164%-APY interest", let me paste my last post here:
===============
Hi,
This may be the last time I ask for your response. You need to choose one of these two options in 72 hours, or we'll 'escalate' this case to the whole bitcoin society, and your local law enforcement agencies may also be involved later.
1. Pay all unpaid bitcoin before 6/15.
2. Pay under an installment plan: pay 10% per week, or pay 5% a week, with an extra 5% interest.
===================
That's all, 5% interest. If you can pay me in 10 week, you can still pay nothing extra!!!
And for my "hacking your site if you don't pay", I post my original words here:
==================
2. No one wants to risk its money (or hash power) to behave maliciously, under the design of bitcoin protocol, since it will for sure bring negative benefit. If I want to act "maliciously", I can pay just even a small proportion of 200btc to a professional hacker, and I believe he can tear your site for weeks. It may be a much better idea than messing your share system up with legal traffic.
==================
Maybe my English is poor, but I think you know what "IF" means. I just said that assume that I'm a bad guy and want to break your site, it's a better idea to hire a cracker than risk my power of calculation.
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
Even if it was unintentional you fucked up at everyone else's expense. Other people paid for your mistake in coding. You should return ALL the BTC you've mined. If you accidentally steal (or even just receive) money from a bank, you are legally required to return it. Please return all the BTC you mined whilst withholding blocks. It was my understanding this happened by accident (in coding a custom mining client), but that wasn't my mistake, yet you have my money.

Bitskint
June 13, 2014, 11:42:54 AM
What I can not get my head around is why would anyone leave an amount like that anywhere but their own personal wallets after what happened to Mt Gox.
1M68XehjYww77DLgwW9rk2zRid8Z8B7uw7 <-- my new BTC addy since Cryptsy took everything

klondike_bar
June 13, 2014, 12:22:48 PM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
so you are saying that even though, mathematically; for the ~300BTC earned by the two addresses, roughly 12 blocks *should* have been solved/submitted by you Because it sounds like you submitted no blocks. That's like flipping a coin tails a dozen times in a row - either luck is way out of whack or you have a fake coin.

VinceSamios
June 13, 2014, 12:32:40 PM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
so you are saying that even though, mathematically; for the ~300BTC earned by the two addresses, roughly 12 blocks *should* have been solved/submitted by you Because it sounds like you submitted no blocks. That's like flipping a coin tails a dozen times in a row - either luck is way out of whack or you have a fake coin.
It's more like double that, because he has mined something like 600BTC on eligius without submitting a block.

VinceSamios
June 13, 2014, 12:43:19 PM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
so you are saying that even though, mathematically; for the ~300BTC earned by the two addresses, roughly 12 blocks *should* have been solved/submitted by you Because it sounds like you submitted no blocks. That's like flipping a coin tails a dozen times in a row - either luck is way out of whack or you have a fake coin.
It's more like double that, because he has mined something like 600BTC on eligius without submitting a block.
The mathematical probability this dude not finding a block with the amount of work required to find 24 blocks is: One in 81,000,000 ie. pretty fucking unlikely.

Legov
June 13, 2014, 12:56:19 PM
Do not only think about the sabotage but think about the "lie in waiting attack" too. As described here https://bitcoil.co.il/pool_analysis.pdf
This would be an explanation for the peaks in block solutions just before changing difficulty. Because changing difficulty makes withheld solutions invalid.
“It is well enough that people of the nation do not understand our banking and money system, for if they did, I believe there would be a revolution before tomorrow morning.” Henry Ford, founder of the Ford Motor Company.

AbsoluteZero
June 13, 2014, 01:02:02 PM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
so you are saying that even though, mathematically; for the ~300BTC earned by the two addresses, roughly 12 blocks *should* have been solved/submitted by you Because it sounds like you submitted no blocks. That's like flipping a coin tails a dozen times in a row - either luck is way out of whack or you have a fake coin.
It's more like double that, because he has mined something like 600BTC on eligius without submitting a block.
The mathematical probability this dude not finding a block with the amount of work required to find 24 blocks is: One in 81,000,000 ie. pretty fucking unlikely.
One In 81 million? Could you please explain the math.

VinceSamios
June 13, 2014, 01:13:36 PM
I am the owner of 17JkL94B2ngJg4QQZuiozDQjnxXB6B7yTc , 1Gu8zxRi8cyENV8CQe52D7QEsiZ7ruT73u. First of all, your PR is very good at dealing with such "incident", to make this thing clear, I'll paste the timeline and post we have:
Overall, I think that you cannot prove that I was guilty, and you are innocent mathematically. The only word makes you look like innocent is like "I am the 2nd oldest pool, trust me".
so you are saying that even though, mathematically; for the ~300BTC earned by the two addresses, roughly 12 blocks *should* have been solved/submitted by you Because it sounds like you submitted no blocks. That's like flipping a coin tails a dozen times in a row - either luck is way out of whack or you have a fake coin.
It's more like double that, because he has mined something like 600BTC on eligius without submitting a block.
The mathematical probability this dude not finding a block with the amount of work required to find 24 blocks is: One in 81,000,000 ie. pretty fucking unlikely.
One In 81 million? Could you please explain the math.
Based on this: http://www.drdobbs.com/architecture-and-design/20-heads-in-a-row-what-are-the-odds/229300217
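
The statistical question debated in the posts above (how likely is it that an honest miner credited with enough work for roughly 12 or 24 blocks submits none), worked as an added example that is not part of any post in this thread and is not Eligius's own detection code. It assumes block finds follow a Poisson distribution whose mean is accepted share work divided by network difficulty; the miner names, work totals and difficulty values are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class MinerRecord:
    address: str          # payout address (constructed placeholder names below)
    work_by_period: list  # [(sum of accepted share difficulty, network difficulty)]
    blocks_found: int     # block solutions the pool actually received


def expected_blocks(record):
    """A share of difficulty d is also a block with probability d / D, so the
    expected block count is accepted work over network difficulty, summed per
    retarget period because D changes over time."""
    return sum(work / net_diff for work, net_diff in record.work_by_period)


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam): chance of finding k or fewer blocks."""
    term = math.exp(-lam)
    total = term
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return min(total, 1.0)


def flag_withholding(records, family_alpha=1e-6):
    """Return (address, expected, found, p_value, flagged) for each miner.
    The threshold is divided by the number of miners tested (Bonferroni), so a
    pool with many miners does not flag honest ones through chance alone."""
    if not records:
        return []
    threshold = family_alpha / len(records)
    results = []
    for rec in records:
        lam = expected_blocks(rec)
        p = poisson_cdf(rec.blocks_found, lam)
        results.append((rec.address, lam, rec.blocks_found, p, p < threshold))
    return results


# Constructed sample data, not real pool records.
SAMPLE = [
    # Small miner: 0.5 expected blocks, none found (ordinary bad luck).
    MinerRecord("miner-A", [(5.0e9, 1.0e10)], 0),
    # Large miner, slightly unlucky: 12 expected, 9 found.
    MinerRecord("miner-B", [(1.2e11, 1.0e10)], 9),
    # Large miner across a difficulty change: 12 + 12 expected, none found.
    MinerRecord("miner-C", [(1.2e11, 1.0e10), (1.44e11, 1.2e10)], 0),
]

if __name__ == "__main__":
    for address, lam, found, p, flagged in flag_withholding(SAMPLE):
        print(f"{address}: expected {lam:.1f}, found {found}, "
              f"p={p:.3g} (1 in {1 / p:,.0f}) {'FLAG' if flagged else 'ok'}")
```

Under this model, zero blocks against 12 expected has probability e^-12 (about 1 in 163,000) and zero against 24 expected has probability e^-24 (about 1 in 26 billion), while the small miner with 0.5 expected blocks and none found is not flagged.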

Hektur
June 13, 2014, 01:20:05 PM
Overall, I think that you cannot prove that I was guilty
I hate to tell you this but a lot of people guilty of crimes use this line when there is overwhelming evidence that does point to their guilt. Instead of trying to give evidence that you are innocent, you go to the court of public opinion by trying to make Eligius look like the bad guy. As someone else pointed out, you don't say you didn't do it or you didn't mean to do it due to bad coding. It's too late to claim this defense because it's already been pointed out to you.

capa
June 13, 2014, 01:59:10 PM
I'd like to see the BTC 200 from Eligius and 300 from Blockwitholder put in escrow and a trusted 3rd party audit carried out.
I'd rather this was done than some witch hunt / trial by media.

RoadStress
June 13, 2014, 03:09:35 PM
Nice job catching them!!! I think out of the 200 btc, Eligius should acquire solid state disks (such as nimbus data gemeni flash array). Db will never have any issues and rebuilding/reorganizing etc.. will be a thousand times faster. Just my 2 cents. Overall, we should beef up Eligius and spread what's leftover
Another point, couldn't we analyze these 2 addresses for relationships with other addresses to see if we could infer identities behind these addys? Maybe not, but it could yield some interesting leads...
The ~200 BTC belongs to the miners affected, IMO, not in any way a donation to Eligius. On a side note, almost everything important is on SSDs except for the webserver... which will be shortly. Software is needing some updating/rewriting to get more speed, though.
I am sure that some donations will come after this! Good job!