Zoiner
Member
February 18, 2012, 09:57:44 PM
Thank you, I hadn't realised that. Doesn't it make things a little difficult tracking what has happened if someone else quotes you?

mav
February 18, 2012, 10:03:11 PM
i do believe this is highly negligible and criminal what theymos has tried to do.
I think you mean bitscalper is highly negligible, not theymos... Negligence is a failure to exercise the care that a reasonably prudent person would exercise in like circumstances. Sounds to me like bitscalper putting themselves in a position to have their passwords leaked matches that definition a lot better than someone who actually accesses those passwords. I have said it in the past, and will say it again, do not support people who can't or won't design a secure system. They are holding your MONEY ffs, this is not acceptable. It doesn't matter if you only put in a tiny amount, even though the risk to you personally is small, the risk to the perception of bitcoin community and the formation of a stereotype of 'the kinds of people that use it' is simply too high to be worth the tiny returns you will get.

Zoiner
Member
February 18, 2012, 10:07:06 PM
Sorry, but I misunderstood the gist of your complaint.
However, while I have sympathy for the site owner he should have really made it secure and if, as it seems, he was not damaged then that is fine.
If someone has managed to get a list of logon information and passwords from another site and attempt to break in then it is a good sign that they failed. But if people do re-use their passwords and not have unique ones for each site there is little even the best legitimate site owner can do.

Zoiner
Member
February 18, 2012, 10:13:32 PM
I know I am being a pain but
Negligible: means very small eg. the probability of a rare event might be thought negligible and we need not consider it worthy of consideration.
Negligence: means a failure, usually an omission, to have a system in place to protect people.
In this case bitscalper would be negligent if he allowed usernames and passwords out.
If another site lets out usernames and passwords it is that site at fault.

mav
February 18, 2012, 10:23:02 PM
I know I am being a pain but
Negligible: means very small eg. the probability of a rare event might be thought negligible and we need not consider it worthy of consideration.
Negligence: means a failure, usually an omission, to have a system in place to protect people.
In this case bitscalper would be negligent if he allowed usernames and passwords out.
If another site lets out usernames and passwords it is that site at fault.
Point taken, negligible vs negligence, however I still say having passwords leaked is not negligible for exactly the same reason I stated before - this kind of attitude to providing services surrounding bitcoin is extremely unprofessional and it undermines bitcoin as a whole, not just the site itself. If you consider your password 'negligible' then I have no more argument to make, but I am fairly sure the majority of people do not consider the security of their passwords to be negligible. And as for the section quoted in bold, I'm pretty sure bitscalper DID allow usernames and passwords out.
edit: and to address theymos' actions being negligible, I think that comparing 'the passwords being vulnerable but nobody knowing' vs 'the passwords being vulnerable and everybody knowing' is also hardly negligible. It is true that this gives bitscalper the opportunity to fix their broken site, but if they're 'away for ten days' then... really... I just don't feel there's any need to say any more. This is not negligible in any way whatsoever from any party involved.

stochastic
February 18, 2012, 10:43:41 PM
i do believe this is highly negligible and criminal what theymos has tried to do.
what did he do
Theymos pointed every scammer on the internet to bitscalper. This can be taken as proof.
We are just checking that everything is in order, funds appear safe. We had hundreds of hack attempts those last days and we need to make sure there was no security breach at all and remove the bogus requests before filling withdrawals.
this is text book definition criminal negligence, this kind of action by an admin of bitcointalk should not be allowed to stand.
Let's say a reporter said on TV to not buy cars at a car dealership because the cars they sold all used the exact same key. Then a bunch of scammers went to the dealership because they heard the report and tried to steal the cars. The fault lies with the car dealership not the reporter for being negligent in not knowing how to secure a car lock.

Introducing constraints to the economy only serves to limit what can be economical.

Zoiner
Member
February 18, 2012, 10:58:17 PM
We seem to be in a regime of shoot the messenger here!
Anyone who has such knowledge has to make a judgement call:
1. to quietly notify the site to get it fixed
or
2. To tell everyone so that they can change passwords ASAP and/or get their funds out.
or
3. Do both.
Which you do depends on your view of the site and how it will react to the message.
Is it a scam vs not a scam.
If it is a scam and you alert the owner who legs it, everyone else will be pissed.
If it isn't a scam and you alert everyone else the site may be badly damaged or killed.
We can all be wise after the event but that does not make Theymos's judgement call negligent.

theymos
Administrator
Legendary
February 18, 2012, 11:09:14 PM
As far as I know the site still hasn't paid anyone, so it looks like I was right and it was a scam. The nature of the vulnerability made me especially suspicious. All login attempts were being logged to a text file at http://bitscalper.com/p/app/log . It's possible that Bitscalper was intentionally logging passwords, and this was the only way he knew how to do it with his CMS.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
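The flaw described in the post above, login attempts written together with their passwords to a file the web server hands out, is something a site operator can check for. The following is an added example, not part of the original post and not Bitscalper's code; the secret field names, the `/var/www/site` document root and the sample log lines are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Field names treated as secrets (an assumed list; extend it for your application).
SECRET_KEYS = {"password", "passwd", "pass", "pwd", "secret", "token"}
PAIR = re.compile(r"(?P<key>[A-Za-z_]+)\s*[=:]\s*(?P<val>[^\s&;,]+)")

def safe_login_record(form, outcome, remote_addr):
    """Build the audit record for a login attempt without any secret field."""
    record = {k: v for k, v in form.items() if k.lower() not in SECRET_KEYS}
    record.update(outcome=outcome, remote_addr=remote_addr)
    return record

def find_logged_secrets(lines):
    """Return (line_number, key) for each key=value pair that exposes a secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in PAIR.finditer(line):
            key, value = match.group("key"), match.group("val")
            if key.lower() in SECRET_KEYS and value != "[REDACTED]":
                hits.append((number, key))
    return hits

def served_by_webserver(log_path, webroot):
    """True when the log file sits inside the document root (fetchable over HTTP)."""
    log, root = PurePosixPath(log_path), PurePosixPath(webroot)
    return log == root or root in log.parents

# Constructed sample log in the style the post describes (not data from the real site).
SAMPLE_LOG = [
    "2012-02-18 21:40:02 login user=alice password=correct-horse result=ok",
    "2012-02-18 21:40:09 login user=bob result=fail",
    "2012-02-18 21:41:30 login user=carol pwd=[REDACTED] result=ok",
]

if __name__ == "__main__":
    print(find_logged_secrets(SAMPLE_LOG))
    # /var/www/site is an assumed document root; /p/app/log is the path from the post.
    print(served_by_webserver("/var/www/site/p/app/log", "/var/www/site"))
    print(safe_login_record({"user": "alice", "password": "x"}, "fail", "203.0.113.7"))
```

Either finding alone is a defect: a secret in any log line, or a log file anywhere under the document root.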

kronosvl
February 18, 2012, 11:20:40 PM
This password fiasco reminds me of an email exchange I had with their support on 13 January:
bitscalper:
Dear User,
We apologize but your password was changed because of a technical problem to the database. Your password is now : ****** Feel free to change it by logging in into your account.
me:
I changed the password to the old one and now I can't login with either of the 2. Can you change the password again but with a stronger one?
bitscalper:
Try now with ***** and try again to change it yourself. I think you did not set the one you had before. The hash looked differently!
me:
The ****** worked and I changed it again to the old one. I'm 100% that was the correct one this time and I have the same problem. Pls change it again and send me the new pass.
My guess is that you are not sanitizing the input field or something like that. I guess I will have to use a normal password with only alphanumeric characters.
bitscalper:
Strange, the input is automatically hashed and saved in the db. We'll look into that. I'll change your password now.
In the end everything was ok.
So they had some problems with the passwords on 13 January. They also say that they are hashing the passwords.

Zoiner
Member
February 19, 2012, 10:26:49 AM
Last edit: February 21, 2012, 06:18:43 PM by Zoiner
Update: Set up withdrawal on Sat 18th. Sun 19th Feb still "Processing".
(Changed password with no difficulty Sunday)
Monday: No response, can't log in
Tuesday: No response, can't log in; withdrawals still "processing"
Probability this is a scam approaches 99%.

Nachtwind
February 19, 2012, 11:34:52 AM
Well.. following this thread is interesting..
I was very convinced this whole thing was nothing but a big scam.. still I am but less than before. IF it was a scam, why "coming back to life" when they had a good reason to run off with the money? Currently I just think that they work on the most obvious duplication bug(s) and hence won't allow withdrawals.. but hey.. it could be just a big scam after all ,0)

Matthew N. Wright
Untrustworthy
Hero Member
Hero VIP ultra official trusted super staff puppet
February 19, 2012, 11:55:20 AM
Whether Bitscalper is a blatant ponzi, or just another MyBitcoin scam is beside the point--- the owner wants to remain 100% anonymous at all costs, did not back up any wallets or site code, does not understand security, constantly brags about who he knows and what he can do and yet falls short of even the mildest of expectations. This site should not be avoided because "someone didn't get paid out", it should be avoided because anonymous services that hold your money are a bad idea. For all you know, this site is Atlas's.

stochastic
February 19, 2012, 12:31:58 PM
Can we get a "SCAMMER" tag on bitscalper for not giving all their depositors money back?
and....
A big "IDIOT" tag on the people that gave money to bitscalper and complain they were scammed?

Introducing constraints to the economy only serves to limit what can be economical.

3phase
Sr. Member
Third score
February 19, 2012, 02:13:59 PM
A big "IDIOT" tag on the people that gave money to bitscalper and complain they were scammed?
If there was such a tag for every victim of every bitcoin scam, the board would be full of these. Quite discouraging, to say the least.

Joric
Member
February 19, 2012, 04:07:12 PM
A big "IDIOT" tag on the people that gave money to bitscalper and complain they were scammed?
And a bigger tag for those who didn't earn on it back then when it was bringing 2% a day.

1JoricCBkW8C5m7QUZMwoRz9rBCM6ZSy96

tacotime
Legendary
February 19, 2012, 04:33:32 PM
WELP, looks like I'm never gonna get my money back

XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns

str4wm4n
Legendary
February 19, 2012, 06:42:51 PM
STAY FAR AWAY FROM THIS SHIT!

BTCurious
February 19, 2012, 07:01:34 PM
STAY FAR AWAY FROM THIS SHIT!
Bit late for that, isn't it?

hoo
February 19, 2012, 07:17:22 PM
As far as I know the site still hasn't paid anyone, so it looks like I was right and it was a scam. The nature of the vulnerability made me especially suspicious. All login attempts were being logged to a text file at http://bitscalper.com/p/app/log . It's possible that Bitscalper was intentionally logging passwords, and this was the only way he knew how to do it with his CMS.
You need to put a scammer tag on your account.

bitcoin, 2nd most popular currency used by criminals. The probability that you too are a criminal, is very high.

marked
February 19, 2012, 08:00:23 PM
For all you know, this site is Atlas's.
what?
marked