guncoin_support
April 10, 2014, 09:19:00 PM

Hey all, FYI, I was trying out the btc-arbs site for the past month or so and yesterday my account got wiped out as well. Luckily I only had 0.45 BTC in the account, but it is now all gone.
BE CAREFUL USING THIS SITE AND READ ALL THE RECENT REPORTS OF STOLEN BTC FROM BTC-ARBS VIA GOOGLE SEARCH

dyask
April 10, 2014, 11:27:15 PM

That page says "btc-arbs.com IS VULNERABLE."?

No it is fine. That test can give a false positive when load is high.

What are you talking about? It gives part of the memory as proof :s Just to be clear: anyone using BTC-arbs last few days should be very careful. An attacker can steal user's cookies/password as long as btc-arbs.com has this OpenSSL vulnerability. I recommend to not use this site until this vulnerability is fixed. And well, obviously I recommend to not use them at all since months already but yeh. Will be perfect end for ponzi too "ah shit, got hacked".

What? Now you are just spreading FUD!

Why? With this vulnerability attackers can get ~64KB of random data from the memory, and an attacker can keep doing this to get more memory data. In the memory data there can be session IDs of users so the attacker can take over their session and for example do a BTC withdrawal. This is widely documented already, for example: https://www.mattslifebytes.com/?p=533 , https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/ , etc. and the scripts for it are pretty easy to find too. Do you really enjoy people losing their money or something? I am just trying to warn people for a serious security vulnerability :\

Where is your proof that BTC-arbs is open to this vulnerability? The test site used early in this thread cleared the site. This is only a problem with unpatched openSSL 1.01. In the meantime you are just whipping up the fear you have been trying since the beginning of this thread.

TheAwer
Newbie
Offline
Activity: 42
Merit: 0
April 10, 2014, 11:45:54 PM

That page says "btc-arbs.com IS VULNERABLE."?

No it is fine. That test can give a false positive when load is high.

What are you talking about? It gives part of the memory as proof :s Just to be clear: anyone using BTC-arbs last few days should be very careful. An attacker can steal user's cookies/password as long as btc-arbs.com has this OpenSSL vulnerability. I recommend to not use this site until this vulnerability is fixed. And well, obviously I recommend to not use them at all since months already but yeh. Will be perfect end for ponzi too "ah shit, got hacked".

What? Now you are just spreading FUD!

Why? With this vulnerability attackers can get ~64KB of random data from the memory, and an attacker can keep doing this to get more memory data. In the memory data there can be session IDs of users so the attacker can take over their session and for example do a BTC withdrawal. This is widely documented already, for example: https://www.mattslifebytes.com/?p=533 , https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/ , etc. and the scripts for it are pretty easy to find too. Do you really enjoy people losing their money or something? I am just trying to warn people for a serious security vulnerability :\

Where is your proof that BTC-arbs is open to this vulnerability? The test site used early in this thread cleared the site. This is only a problem with unpatched openSSL 1.01. In the meantime you are just whipping up the fear you have been trying since the beginning of this thread.

Heartbleed could end up having a HUGE IMPACT on the internet. And it's not just 1.01, it's 1.01-1.01f. This has been around for about two years, and it could have been exploited during that whole time. 64kb of data times many requests can get you a lot of info. If you don't know anything about Heartbleed, you should read about it at http://heartbleed.com/.
The worst case scenario is not hackers just stealing usernames and passwords, but acquiring the encryption keys and being able to read ALL the traffic between the server and users (including in the past) and being able to impersonate the server at will. I checked BTC Arbs on http://filippo.io/Heartbleed/ and with Chromebleed Checker at the time of my post about it, and they both said it was vulnerable. Rechecking now says that it's okay, so BTC Arbs must have fixed it. Although BTC Arbs mentioned Heartbleed in the reports, they didn't say anything about their own vulnerability. They are just reminding everyone about 2FA (isn't that vulnerable to Heartbleed anyway?). It doesn't look like they revoked the certificate, so they haven't gone that far in patching the vulnerability.
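
The ~64KB figure discussed in the posts above comes from the heartbeat message's 16-bit payload length field (RFC 6520). As an added example (not from this thread and not OpenSSL's code), here is a heartbeat echo in C that applies the bounds check whose absence was the bug; the function names, result codes and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 padding bytes */

/* Hypothetical result codes for this example. */
enum hb_result { HB_OK, HB_DISCARD_SHORT, HB_DISCARD_TYPE,
                 HB_DISCARD_LENGTH, HB_DISCARD_NOSPACE };

/* Constructed sample records (not captured traffic); unset bytes are zero padding. */
static const uint8_t hb_sample_ok[23]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t hb_sample_bad[19] = {HB_REQUEST, 0xFF, 0xFF}; /* claims 65535, no payload */

/* Bytes past the end of the record that an echo trusting payload_length
 * would read. 0 means the claimed payload lies inside the record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t end = HB_HEADER_LEN + claimed;
    return end > rec_len ? end - rec_len : 0;
}

/* Echo a heartbeat request into out[], discarding anything whose claimed
 * payload_length does not fit in the bytes actually received. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_DISCARD_SHORT;
    if (rec[0] != HB_REQUEST)
        return HB_DISCARD_TYPE;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* 16 bits: at most 65535 */
    size_t need = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (need > rec_len)          /* the bounds check */
        return HB_DISCARD_LENGTH;
    if (need > out_cap)
        return HB_DISCARD_NOSPACE;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING); /* real stacks use random padding */
    *out_len = need;
    return HB_OK;
}

int main(void)
{
    uint8_t out[64];
    size_t n;
    int r = hb_build_response(hb_sample_ok, sizeof hb_sample_ok, out, sizeof out, &n);
    printf("well-formed: result=%d, %zu bytes echoed\n", r, n);
    r = hb_build_response(hb_sample_bad, sizeof hb_sample_bad, out, sizeof out, &n);
    printf("oversized claim: result=%d, would over-read %zu bytes\n",
           r, hb_overread(hb_sample_bad, sizeof hb_sample_bad));
    return 0;
}
```

A server that passes this check can still have leaked its private key while it was unpatched, which is why certificate revocation and reissue is treated as a separate remediation step.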

dyask
April 11, 2014, 12:26:19 AM

That page says "btc-arbs.com IS VULNERABLE."?

No it is fine. That test can give a false positive when load is high.

What are you talking about? It gives part of the memory as proof :s Just to be clear: anyone using BTC-arbs last few days should be very careful. An attacker can steal user's cookies/password as long as btc-arbs.com has this OpenSSL vulnerability. I recommend to not use this site until this vulnerability is fixed. And well, obviously I recommend to not use them at all since months already but yeh. Will be perfect end for ponzi too "ah shit, got hacked".

What? Now you are just spreading FUD!

Why? With this vulnerability attackers can get ~64KB of random data from the memory, and an attacker can keep doing this to get more memory data. In the memory data there can be session IDs of users so the attacker can take over their session and for example do a BTC withdrawal. This is widely documented already, for example: https://www.mattslifebytes.com/?p=533 , https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/ , etc. and the scripts for it are pretty easy to find too. Do you really enjoy people losing their money or something? I am just trying to warn people for a serious security vulnerability :\

Where is your proof that BTC-arbs is open to this vulnerability? The test site used early in this thread cleared the site. This is only a problem with unpatched openSSL 1.01. In the meantime you are just whipping up the fear you have been trying since the beginning of this thread.

Heartbleed could end up having a HUGE IMPACT on the internet. And it's not just 1.01, it's 1.01-1.01f. This has been around for about two years, and it could have been exploited during that whole time. 64kb of data times many requests can get you a lot of info. If you don't know anything about Heartbleed, you should read about it at http://heartbleed.com/.
The worst case scenario is not hackers just stealing usernames and passwords, but acquiring the encryption keys and being able to read ALL the traffic between the server and users (including in the past) and being able to impersonate the server at will. I checked BTC Arbs on http://filippo.io/Heartbleed/ and with Chromebleed Checker at the time of my post about it, and they both said it was vulnerable. Rechecking now says that it's okay, so BTC Arbs must have fixed it. Although BTC Arbs mentioned Heartbleed in the reports, they didn't say anything about their own vulnerability. They are just reminding everyone about 2FA (isn't that vulnerable to Heartbleed anyway?). It doesn't look like they revoked the certificate, so they haven't gone that far in patching the vulnerability.

You don't even know if they had any version of openSSL 1.01 ... most sites don't. The test pages I tried said they weren't vulnerable. Link was through coinbase and on this thread. Tried both places.

TheAwer
Newbie
Offline
Activity: 42
Merit: 0
April 11, 2014, 02:47:16 AM Last edit: April 11, 2014, 03:34:41 AM by TheAwer

Glad to hear that you found that. Now you see that we're not just "whipping up the fear".

You don't even know if they had any version of openSSL 1.01 ... most sites don't.

I think I read that 59% of sites use OpenSSL, but I don't know about 1.01. I hope that it hasn't been exploited this whole time. EDIT: according to Wikipedia, 17% of secure servers are/were vulnerable. That's a lot.

dyask
April 11, 2014, 04:24:15 AM

Glad to hear that you found that. Now you see that we're not just "whipping up the fear".

There were FUD postings without any proof. Even the link I found isn't 100% sure. However, now that the risk is there I won't log in for a few days. Give things time to be patched, just in case. I don't have enough there that I can't let it ride a week or two.

NLNico
Legendary
Offline
Activity: 1876
Merit: 1295
DiceSites.com owner
April 11, 2014, 06:47:36 AM

So better have people their money stolen than warn them? What is wrong with you really? How can you blame me for warning people not to login as long as they have this vulnerability? Sure, you disagree with me about it being a ponzi. But this is completely unrelated to that. I have tried http://filippo.io/Heartbleed/ on btc-arbs.com like 50 times and around 35 times it showed "vulnerable", around 5 times "time-out error" and 10 times "it's safe". If you actually have read the FAQ on that website, you will see that "false negatives" are much more common than "false positives". Better yet, "false positives" is almost impossible because you can actually see a part of the memory on that website. So therefore they were vulnerable and my warning was 100% good no fucking FUD. Actually only right now http://filippo.io/Heartbleed/ returns "seems fixed" all the time, so I actually think it's fixed right now.

vach
April 11, 2014, 07:16:45 AM

I'm using BTC-arbs for a few days... After reading this thread I'm 90% sure it's a ponzi.
Except all those arguments I've read here I can add.
I've withdrawn all funds from First account to see if Second account really gives any profit at all by referral program, and guess what? It didn't?
Also here is my suggestion to get actual proof that previous users are paid with new users funds...
We can share all our account public keys with dates that we used to transfer funds to btcarbs, to someone here we trust (and who can actually detect if any funds were sent from any of these accounts to any of those accounts), if it's legit (I personally believe it's not) then we will see rare transfers between those accounts (it will be more random picture) but otherwise we will have older accounts getting incoming transactions from newer ones... And it doesn't change a thing if they use a mixer or something, if we have addresses we can find any connection between them using blockchain...
The more people here share their <publicKey, date> pairs, the more obvious the result will be. This information will be only available to that one person we trust...
I'm expecting your opinions on this suggestion if you please...

Rannasha
April 11, 2014, 07:19:14 AM

Also here is my suggestion to get actual proof that previous users are paid with new users funds...
We can share all our account public keys with dates that we used to transfer funds to btcarbs, to someone here we trust (and who can actually detect if any funds were sent from any of these accounts to any of those accounts), if it's legit (I personally believe it's not) then we will see rare transfers between those accounts (it will be more random picture) but otherwise we will have older accounts getting incoming transactions from newer ones... And it doesn't change a thing if they use a mixer or something, if we have addresses we can find any connection between them using blockchain...
The more people here share their <publicKey, date> pairs, the more obvious the result will be. This information will be only available to that one person we trust...
I'm expecting your opinions on this suggestion if you please...

This is trivial to avoid for a savvy Ponzi operator. Simply move all deposited funds to an exchange and withdraw funds from the exchange to pay for customer withdrawals. Not only does this make the exchange operate as a mixer, it also fits the cover story.

pletharoe
April 11, 2014, 07:54:15 AM

Is anyone else having trouble logging in?
I am currently unable to log into my account. When I did the "forgot password" procedure, it said that my email address wasn't even registered! I have 2FA and until now no problems.

dyask
April 11, 2014, 10:24:54 AM

So better have people their money stolen than warn them? What is wrong with you really? How can you blame me for warning people not to login as long as they have this vulnerability? Sure, you disagree with me about it being a ponzi. But this is completely unrelated to that. I have tried http://filippo.io/Heartbleed/ on btc-arbs.com like 50 times and around 35 times it showed "vulnerable", around 5 times "time-out error" and 10 times "it's safe". If you actually have read the FAQ on that website, you will see that "false negatives" are much more common than "false positives". Better yet, "false positives" is almost impossible because you can actually see a part of the memory on that website. So therefore they were vulnerable and my warning was 100% good no fucking FUD. Actually only right now http://filippo.io/Heartbleed/ returns "seems fixed" all the time, so I actually think it's fixed right now.

Now you start providing some details. Anyway, I agree that you were correct about this concern.

calamar182
Newbie
Offline
Activity: 58
Merit: 0
April 11, 2014, 11:06:29 AM

Guys this is confusing, let's make it easy
1 Who didn't receive his withdrawal?
2 Who didn't receive his funds when he transferred money to btc arbs account? (Neutral LTC and Slipknot do you receive your funds in btc arbs now?)
3 Who got wiped his btc arbs account suddenly? (Kriptokings do you solve your issues now? Guncoinsupport it is true your story?)
4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

howzar
April 11, 2014, 11:10:37 AM

Guys this is confusing, let's make it easy
1 Who didn't receive his withdrawal?
2 Who didn't receive his funds when he transferred money to btc arbs account? (Neutral LTC and Slipknot do you receive your funds in btc arbs now?)
3 Who got wiped his btc arbs account suddenly? (Kriptokings do you solve your issues now? Guncoinsupport it is true your story?)
4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

My withdrawal of 0.05 is yet to arrive in my wallet

pletharoe
April 11, 2014, 11:17:26 AM

4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

I still can't log in. When I enter my email in the "Forgot password" page it says "An error has occurred: Sorry we could not find this email in our database".

calamar182
Newbie
Offline
Activity: 58
Merit: 0
April 11, 2014, 11:20:24 AM

4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

I still can't log in. When I enter my email in the "Forgot password" page it says "An error has occurred: Sorry we could not find this email in our database".

You don't have to write your e mail when you login, you have to use your nickname. You never gonna receive the forgotten password because the e mail notifications is not working. Have you ever login before the first registration dude? I think you never login in this web at the moment, and I suppose you don't have funds inside

calamar182
Newbie
Offline
Activity: 58
Merit: 0
April 11, 2014, 11:26:57 AM

Guys this is confusing, let's make it easy
1 Who didn't receive his withdrawal?
2 Who didn't receive his funds when he transferred money to btc arbs account? (Neutral LTC and Slipknot do you receive your funds in btc arbs now?)
3 Who got wiped his btc arbs account suddenly? (Kriptokings do you solve your issues now? Guncoinsupport it is true your story?)
4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

My withdrawal of 0.05 is yet to arrive in my wallet

How much time are you waiting to arrive? I suppose that don't arrive yet because you have to wait 1 week or more. AT THE MOMENT ONLY FAKE RUMORS

KryptoKings
April 11, 2014, 12:46:22 PM

Guys this is confusing, let's make it easy
1 Who didn't receive his withdrawal?
2 Who didn't receive his funds when he transferred money to btc arbs account? (Neutral LTC and Slipknot do you receive your funds in btc arbs now?)
3 Who got wiped his btc arbs account suddenly? (Kriptokings do you solve your issues now? Guncoinsupport it is true your story?)
4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

My withdrawal of 0.05 is yet to arrive in my wallet

How much time are you waiting to arrive? I suppose that don't arrive yet because you have to wait 1 week or more. AT THE MOMENT ONLY FAKE RUMORS

1. What was left in my account I have not received, yet in less than 4 hours they released my btc to a hacker, and 3. for some weird reason they left .46 btc in my account. Support gave me all these lame reasons not taking any responsibility for their security saying they do not need to send me an email because if my account is hacked then so will my email??? They said they have no security issues and website is perfectly secure. They stated my computer has a 0 day virus and it was hacked but when all this went down my computer wasn't even on. It was 3am my time when all this went down. I really hoped they were moving funds around and accidentally moved mine but I guess I am scammed out of my btc. I am willing to bet right now they suffered some big losses yesterday or kept funds themselves.... I am very curious to know who has received withdraws since yesterday. UPDATE - as of this morning I can't get into my account. This is getting better by the day!!! I am going to ask a few fellow youtubers to post this story on their show.

cesmak
Legendary
Offline
Activity: 1057
Merit: 1009
April 11, 2014, 12:50:22 PM

Guys this is confusing, let's make it easy
1 Who didn't receive his withdrawal?
2 Who didn't receive his funds when he transferred money to btc arbs account? (Neutral LTC and Slipknot do you receive your funds in btc arbs now?)
3 Who got wiped his btc arbs account suddenly? (Kriptokings do you solve your issues now? Guncoinsupport it is true your story?)
4 Who can't login in btc arbs account? (Pletharoe can you login now?)
I'm fucking annoyed about rumors of friends and stuff like that, it is real or not? at the moment there is no real evidence that this site is scam
I WANT REAL EVIDENCE!

My withdrawal of 0.05 is yet to arrive in my wallet

How much time are you waiting to arrive? I suppose that don't arrive yet because you have to wait 1 week or more. AT THE MOMENT ONLY FAKE RUMORS

1. What was left in my account I have not received, yet in less than 4 hours they released my btc to a hacker, and 3. for some weird reason they left .46 btc in my account. Support gave me all these lame reasons not taking any responsibility for their security saying they do not need to send me an email because if my account is hacked then so will my email??? They said they have no security issues and website is perfectly secure. I am willing to bet right now they suffered some big losses yesterday or kept funds themselves.... I am very curious to know who has received withdraws since yesterday.

If all the bitcoin services will use your btc address as the user id and lock your address so that withdraws will go only to this, all this kind of problems will never happen... why they don't memorize your address and lock it !!! or make your address your user id. Bad habits in bitcoinland !!!!