Author Topic: ANTMINER S3+ Discussion and Support Thread  (Read 710854 times)
PatMan
September 06, 2014, 11:38:05 AM
 #6181


All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

"When one person is deluded it is called insanity - when many people are deluded it is called religion" - Robert M. Pirsig.  I don't want your coins, I want change.
Amazon UK BTC payment service - https://bitcointalk.org/index.php?topic=301229.0 - with FREE delivery!
http://www.ae911truth.org/ - http://rethink911.org/ - http://rememberbuilding7.org/
maxood
September 06, 2014, 11:45:33 AM
 #6182


All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

the same, 3.12.0
PatMan
September 06, 2014, 11:51:58 AM
 #6183

So, new firmware with old security vulnerabilities and code........hmmmmmm

Why Bitmain?

"When one person is deluded it is called insanity - when many people are deluded it is called religion" - Robert M. Pirsig.  I don't want your coins, I want change.
Amazon UK BTC payment service - https://bitcointalk.org/index.php?topic=301229.0 - with FREE delivery!
http://www.ae911truth.org/ - http://rethink911.org/ - http://rememberbuilding7.org/
Tigggger
September 06, 2014, 11:54:57 AM
 #6184


What am I doing wrong here?

You have the default gateway set as 192.168.1.99 that's not right, it needs to be set to your router IP (probably 192.168.1.1 or 192.168.1.254)

Your router *might* be 192.168.1.1 so I would change that as well

So maybe
192.168.1.10
255.255.255.0
192.168.1.254 <- Router IP, whatever it is

DNS Server Auto

IYFTech
September 06, 2014, 12:24:18 PM
Last edit: September 06, 2014, 12:41:00 PM by IYFTech
 #6185


All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

the same, 3.12.0


What? Why on earth are Bitmain still using this old, outdated, inefficient & security flawed cgminer version in a new firmware release? It makes absolutely no sense whatsoever.....

@ Bitmain:  You promised the community that you would update to the latest cgminer version that fixes the security vulnerabilities and includes many improvements weeks ago - yet you are still using it in a brand new firmware release? Cgminer version 3.12 is not safe to use & is inefficient - please use the latest version as you promised us you would.

Edit:  This firmware adds support for the S3+ - does that mean that you will be shipping all S3+'s with known security issues & outdated cgminer software?

-- Smiley  Thank you for smoking  Smiley --  If you paid VAT to dogie for items you should read this thread:  https://bitcointalk.org/index.php?topic=1018906.0
rsclark3
September 06, 2014, 04:04:57 PM
 #6186

I concur with #IYFTech. Bitmain stated that they would release the firmware and update cgminer. The new firmware contains the same insecure and inefficient cgminer version. We should all demand that they install a version 4.x instead of this very early version.
IYFTech
September 06, 2014, 04:44:19 PM
 #6187

I concur with #IYFTech. Bitmain stated that they would release the firmware and update cgminer. The new firmware contains the same insecure and inefficient cgminer version. We should all demand that they install a version 4.x instead of this very early version.

Thanks ;)

A quote from August 17th - three weeks ago:


The cgminer software that you are deploying.......with your software has SEVERE security flaws, including the stratum redirect issue - why are you NOT implementing the latest version to eliminate these issues?

Thank you.

+1 I support this sentiment completely :)

-- Smiley  Thank you for smoking  Smiley --  If you paid VAT to dogie for items you should read this thread:  https://bitcointalk.org/index.php?topic=1018906.0
Stratobitz
September 06, 2014, 08:54:18 PM
 #6188


All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

the same, 3.12.0


What? Why on earth are Bitmain still using this old, outdated, inefficient & security flawed cgminer version in a new firmware release? It makes absolutely no sense whatsoever.....

@ Bitmain:  You promised the community that you would update to the latest cgminer version that fixes the security vulnerabilities and includes many improvements weeks ago - yet you are still using it in a brand new firmware release? Cgminer version 3.12 is not safe to use & is inefficient - please use the latest version as you promised us you would.

Edit:  This firmware adds support for the S3+ - does that mean that you will be shipping all S3+'s with known security issues & outdated cgminer software?

Could you elaborate on what the security issues are, and what you mean by inefficient?

I don't mean to be lazy, but if I read through the boards on these issues I'll likely find lots of conflicting information. 

Security issues... What if I'm behind a Barracuda Firewall?

Inefficiency... Meaning a more current version of Cgminer would hash faster?

Many thanks,

Strato
PatMan
September 06, 2014, 09:03:52 PM
 #6189

The most dangerous security vulnerability in that version of cgminer is called the "stratum redirect" issue. It allows a third party to redirect your hashing to a different pool of their choice & claim the BTC mined with your miner. This was fixed in a later version, as well as other fixes & improvements to drivers etc - increasing performance & using less cpu/resources.

Edit: No matter what firewall you use.

Edit1: I believe it affected all miners that used the stratum protocol - not just cgminer.

"When one person is deluded it is called insanity - when many people are deluded it is called religion" - Robert M. Pirsig.  I don't want your coins, I want change.
Amazon UK BTC payment service - https://bitcointalk.org/index.php?topic=301229.0 - with FREE delivery!
http://www.ae911truth.org/ - http://rethink911.org/ - http://rememberbuilding7.org/
IYFTech
September 06, 2014, 09:18:25 PM
 #6190

Exactly. Meaning everyone using Bitmain hardware is at risk of having their hashing power redirected to a different pool without their knowing, losing valuable BTC to a third, unscrupulous party/person.

Not good.

-- Smiley  Thank you for smoking  Smiley --  If you paid VAT to dogie for items you should read this thread:  https://bitcointalk.org/index.php?topic=1018906.0
Stratobitz
September 06, 2014, 10:09:30 PM
 #6191

Exactly. Meaning everyone using Bitmain hardware is at risk of having their hashing power redirected to a different pool without their knowing, losing valuable BTC to a third, unscrupulous party/person.

Not good.

But wouldn't the attacker have to know or have some information about your miner? Such as IP, etc?
MoreBloodWine
September 06, 2014, 10:09:50 PM
 #6192

As long as someone doesn't know the IP of the given miner you should be "safe" right?

To be decided...
-ck
September 06, 2014, 10:15:13 PM
 #6193

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.

Developer/maintainer for cgminer, ckpool/ckproxy, and the -ck kernel
2% Fee Solo mining at solo.ckpool.org
-ck
IYFTech
September 06, 2014, 10:32:42 PM
 #6194

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.

Thanks for confirming ckolivas :)

This is why I & others have been making so much noise about this - it's annoying for everyone - but it's for everyone's good that it gets fixed ASAP.

Are you listening, Bitmain?

Edit: It is also why miners should only buy hardware that uses Open Source software provided by ckolivas - so that it can be checked for any security issues or "strange goings on" by the cgminer devs or anyone else who wishes to do so. Never buy hardware that uses Closed Source software - there's no way of knowing what it is doing.

-- Smiley  Thank you for smoking  Smiley --  If you paid VAT to dogie for items you should read this thread:  https://bitcointalk.org/index.php?topic=1018906.0
mdude77
September 06, 2014, 11:12:12 PM
 #6195

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.

I assume a properly written proxy could use SSL to secure the connection?

M

I mine at Kano's Pool because it pays the best and is completely transparent!  Come join me!
Soros Shorts
September 07, 2014, 12:01:06 PM
 #6196

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?
mdude77
September 07, 2014, 12:20:52 PM
 #6197

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?

No.  The stratum protocol allows redirection.  Unless it's a secure connection, it could be intercepted upstream from you and redirected, and you'd never know the wiser.  That's what the newer cgminer allows (for pools that support it), is using SSL.

M

I mine at Kano's Pool because it pays the best and is completely transparent!  Come join me!
-ck
September 07, 2014, 12:36:52 PM
 #6198

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?

No.  The stratum protocol allows redirection.  Unless it's a secure connection, it could be intercepted upstream from you and redirected, and you'd never know the wiser.  That's what the newer cgminer allows (for pools that support it), is using SSL.
Actually we don't use ssl in cgminer stratum since it's overkill for the actual problem. The problem is a packet is intercepted between you and the pool and it sends back a redirect message to cgminer which consciously moves to the other pool. People who were mining elsewhere unintentionally could actually see their rig had switched. Redirect rules were made strict according to domain name to prevent redirection from happening unless it was to a server with the same domain meaning they'd have to spoof the domain as well. Blocking outgoing connections from cgminer to only selected upstream pools would actually work to prevent you mining elsewhere but you may end up just failing to connect to anything without the redirect protection in later versions.

Developer/maintainer for cgminer, ckpool/ckproxy, and the -ck kernel
2% Fee Solo mining at solo.ckpool.org
-ck
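
The same-domain redirect rule described in the post above, as an added example that is not part of any post and is not cgminer's code: a check that decides whether the host named in a stratum `client.reconnect` request may be followed. The function names, the rule that everything after the first hostname label must match, and the hostnames are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive hostname comparison (DNS names are not case sensitive). */
static bool host_eq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return false;
	return *a == *b;
}

/* Digits and dots only: treat as an IPv4 literal, which has no domain. */
static bool is_ipv4_literal(const char *host)
{
	for (const char *p = host; *p; p++)
		if (!isdigit((unsigned char)*p) && *p != '.')
			return false;
	return *host != '\0';
}

/* Hypothetical policy check: may a client.reconnect to new_host be followed? */
bool reconnect_allowed(const char *pool_host, const char *new_host, int port)
{
	if (!pool_host || !new_host || port < 1 || port > 65535)
		return false;
	if (host_eq(pool_host, new_host))
		return true;            /* same server, e.g. another port */
	if (is_ipv4_literal(pool_host) || is_ipv4_literal(new_host))
		return false;           /* no domain to compare against */
	const char *pd = strchr(pool_host, '.'), *nd = strchr(new_host, '.');
	/* Compare what follows the first label; it must be more than a bare TLD. */
	if (!pd || !nd || !strchr(pd + 1, '.'))
		return false;
	return host_eq(pd, nd);
}

int main(void)
{
	const char *pool = "stratum.pool.example"; /* constructed names */
	printf("%d %d\n", reconnect_allowed(pool, "eu.pool.example", 3333),
	       reconnect_allowed(pool, "stratum.attacker.test", 3333));
	return 0;
}
```

A check like this only constrains where the miner will follow a redirect; it does not authenticate the message itself, which is the point the SSL discussion in the surrounding posts turns on.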
edonkey
September 07, 2014, 02:35:24 PM
 #6199

As long as someone doesn't know the IP of the given miner you should be "safe" right?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?

No.  The stratum protocol allows redirection.  Unless it's a secure connection, it could be intercepted upstream from you and redirected, and you'd never know the wiser.  That's what the newer cgminer allows (for pools that support it), is using SSL.
Actually we don't use ssl in cgminer stratum since it's overkill for the actual problem. The problem is a packet is intercepted between you and the pool and it sends back a redirect message to cgminer which consciously moves to the other pool. People who were mining elsewhere unintentionally could actually see their rig had switched. Redirect rules were made strict according to domain name to prevent redirection from happening unless it was to a server with the same domain meaning they'd have to spoof the domain as well. Blocking outgoing connections from cgminer to only selected upstream pools would actually work to prevent you mining elsewhere but you may end up just failing to connect to anything without the redirect protection in later versions.

You say that SSL is overkill for the problem, and it probably is from a general perspective. But overreaching as it may be it also sounds like SSL would in fact solve this problem, making it impossible for an attacker who does not have access to the SSL keys to send the redirect message in the first place.

Sorry for the off topic post. Maybe there's a better place to discuss this.

Was I helpful?   BTC: 3G1Ubof5u8K9iJkM8We2f3amYZgGVdvpHr
PatMan
September 07, 2014, 02:36:15 PM
 #6200

It seems to me that the obvious & right thing for Bitmain to do is what they promised the community they would do. Take down the S3+ firmware update (which does not match the MD5 checksum anyway) and replace it with one that contains the latest cgminer code that fixes the redirect issue. As has been mentioned before - why wouldn't they want to do this? Why would such a large miner manufacturer insist on keeping this security flaw in place?

Food for thought indeed......

"When one person is deluded it is called insanity - when many people are deluded it is called religion" - Robert M. Pirsig.  I don't want your coins, I want change.
Amazon UK BTC payment service - https://bitcointalk.org/index.php?topic=301229.0 - with FREE delivery!
http://www.ae911truth.org/ - http://rethink911.org/ - http://rememberbuilding7.org/