noobtrader
Legendary
Offline
Activity: 1456
Merit: 1000
|
|
July 15, 2016, 05:33:40 PM |
|
this is waht happenz if you dont have a decent wallet ups! IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS: I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers. This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports. When you're running the wallet in rpc mode (you can do that by binding the port) for example like this: ./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost. The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds. This does not affect normal wallets, only if you run it in server mode like I explained above. As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet. It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.
|
"...I suspect we need a better incentive for users to run nodes instead of relying solely on altruism...", satoshi@vistomail.com
|
|
|
c789
|
|
July 15, 2016, 05:51:01 PM |
|
this is waht happenz if you dont have a decent wallet ups! IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS: I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers. This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports. When you're running the wallet in rpc mode (you can do that by binding the port) for example like this: ./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost. The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds. This does not affect normal wallets, only if you run it in server mode like I explained above. As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet. It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed. I don't view that as being negative for simplewallet. It's just like any other software: if you don't know how to use it, it can put you at risk. It's the fault of the user, not of the software. I'll admit I was also running simplewallet incorrectly until now, but that was due to my ignorance. I wouldn't view Apache (or NGINX or Lighttpd) as indecent if I didn't do my part to secure it properly.
|
|
|
|
noobtrader
Legendary
Offline
Activity: 1456
Merit: 1000
|
|
July 15, 2016, 05:57:42 PM |
|
i never heard this happen to other decent coin... does this event really didnt bother you this is waht happenz if you dont have a decent wallet ups! IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS: I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers. This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports. When you're running the wallet in rpc mode (you can do that by binding the port) for example like this: ./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost. The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds. This does not affect normal wallets, only if you run it in server mode like I explained above. As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet. It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed. I don't view that as being negative for simplewallet. It's just like any other software: if you don't know how to use it, it can put you at risk. It's the fault of the user, not of the software. I'll admit I was also running simplewallet incorrectly until now, but that was due to my ignorance. I wouldn't view Apache (or NGINX or Lighttpd) as indecent if I didn't do my part to secure it properly.
|
"...I suspect we need a better incentive for users to run nodes instead of relying solely on altruism...", satoshi@vistomail.com
|
|
|
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
|
|
July 15, 2016, 06:07:22 PM |
|
[cluessless fail]
^^^That is what happens when you don't have a clue, and thus fail. works fine here. Either that server was specifically told to listen inbound, or if you can repro it, file a bug with full command line and OS etc.
|
██████████ ██████████████████ ██████████████████████ ██████████████████████████ ████████████████████████████ ██████████████████████████████ ████████████████████████████████ ████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ████████████████████████████████ ██████████████ ██████████████ ████████████████████████████ ██████████████████████████ ██████████████████████ ██████████████████ ██████████ Monero
|
| "The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy." David Chaum 1996 "Fungibility provides privacy as a side effect." Adam Back 2014
|
| | |
|
|
|
c789
|
|
July 15, 2016, 06:11:20 PM |
|
i never heard this happen to other decent coin... does this event really didnt bother you No it doesn't bother me. As I already stated, the software works correctly. The user is to blame for not using the software correctly. If you want an example of bad software design, look at DAO.
|
|
|
|
noobtrader
Legendary
Offline
Activity: 1456
Merit: 1000
|
|
July 15, 2016, 06:13:56 PM |
|
^^^That is what happens when you don't have a clue, and thus fail.
WOW... clueless would say... nice wallet you got there bro IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS: I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers. This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports. When you're running the wallet in rpc mode (you can do that by binding the port) for example like this: ./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost. The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds. This does not affect normal wallets, only if you run it in server mode like I explained above. As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet. It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.
|
"...I suspect we need a better incentive for users to run nodes instead of relying solely on altruism...", satoshi@vistomail.com
|
|
|
TrueCryptonaire
Legendary
Offline
Activity: 1092
Merit: 1000
|
|
July 15, 2016, 06:15:18 PM |
|
I agree Monero needs people who are spokesmen and are bringing Monero to the elite.
You don't really want to encourage people to start thinking of XMR as an elitist's coin do you ? We do not have Forbes guys owning Monero do we? Of course one can not know with certainty. If they do it is in negligible amounts. Bullish😉 Any owners today are elite by the standards of XMR, since they are among a very few early adopters. Within that community, XMR has seen a reasonable amount of currency use, but it is definitely too small a community, too loosely knit, to support a meaningful economy. Probably, the overwhelming majority of present currency use is via XMR.to or shapeshift, and hence rather inefficient. I am dubious of prospects for adoption outside of a few use cases strongly compelling strong privacy, for the time being. Those cases should be more than sufficient for a 1bn USD cap however, at which point wider adoption follows of course. GUI will be necessary but not sufficient for reaching those use cases. Mymonero.com suffices outside the realm of the justly paranoid, but inside is where our next big wins will be found. Even if a Forbes guy recommends buying Monero it is bullish kal vachomer buys it. Indeed the period of early adopters is probably until 100 usd/xmr and then we enter to the period of early majority, after that late majority and finally our grandpas. However, we are pretty far from all of these events. You were saying you know some use cases (perhaps have contacts also?) for Monero which will lead to 1 bn market cap. How far in the future this lays, let's say, from the day GUI is officially ready and rocks? Do you see it will take weeks, months, years or decades? The community is also capable to bid Monero pretty high. Monero is so much mined that the current coins used as collateral for Mega leverage will literally make Monero fly high. Imagine, 12 million Moneros collateralized in Polo enabling the leverage of 30 million Moneros (2.5 times)?
|
|
|
|
needmoney90
Member
Offline
Activity: 114
Merit: 10
|
|
July 15, 2016, 06:37:10 PM Last edit: July 15, 2016, 06:48:02 PM by needmoney90 |
|
I was given control of the dormant Monero Slack by CryptoEra, and over the past couple days, I took the liberty of setting up relays between the various endpoints of the Monero Chat Network. There are now links between the official Monero Slack, Telegram group, and IRC channels, anything said in one of those clients can now be read on all the others, and everyone is now chatting in one big room.
Additionally, I've set up an RSS feed channel in Slack, which automatically posts any new threads that appear on /r/Monero and /r/xmrtrader, along with new Github commits on both the Bitmonero (wallet) and Monero-Core (GUI) repositories. If you want to keep tabs on the latest updates, but don't want to constantly be checking the /r/Monero new queue or Github commits, just join the channel, and it will do it automatically for you.
If you want an invite to the Monero Slack, shoot me a PM here or on Reddit (same username there) with your email, and I'll send it out as soon as I can.
|
|
|
|
TheKoziTwo
Legendary
Offline
Activity: 1552
Merit: 1047
|
|
July 15, 2016, 06:45:28 PM |
|
^^^That is what happens when you don't have a clue, and thus fail.
WOW... clueless would say... nice wallet you got there bro IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS: I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers. This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports. When you're running the wallet in rpc mode (you can do that by binding the port) for example like this: ./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost. The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds. This does not affect normal wallets, only if you run it in server mode like I explained above. As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet. It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed. It's not really a problem with the wallet itself, it works just fine. Perhaps it's rather lack of documentation that is the issue here. In any case it turns out it most likely also requires IP to be bound for this hack to work, which makes it even less likely. When you reach the point that you bind both IP and port and communicate with your wallet from a different server most admins will realize that's not a safe way to do it. This is all about education really, anything can be insecure in the wrong hands. Also 0MQ is in development and will replace the current rpc at some point.
|
|
|
|
DaveyJones
|
|
July 15, 2016, 07:32:05 PM |
|
this dude shows that he cannot even comprehend a text and get the points out of it. He only reads "coins were stolen" and that is his buzzword to ride all day on it. ELI5 for you noobtraderthathasnoclue If you put password 123 you don´t have to wonder an account is taken... in this case if you bind ip and port and don´t close that port for incoming traffic from the outside it is your fault
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3864
Merit: 5080
Doomed to see the future and unable to prevent it
|
|
July 15, 2016, 08:13:02 PM |
|
...It's not really a problem with the wallet itself, it works just fine. Perhaps it's rather lack of documentation that is the issue here. In any case it turns out it most likely also requires IP to be bound for this hack to work, which makes it even less likely. When you reach the point that you bind both IP and port and communicate with your wallet from a different server most admins will realize that's not a safe way to do it. This is all about education really, anything can be insecure in the wrong hands. Also 0MQ is in development and will replace the current rpc at some point.
There is too much conflicting info on this crap and I've asked repeatedly for the Dev notes on these changes. changing from RPC to IPC local is a good idea and Fluffy sted there was going to be a change to ZMTP for RTP but Json would also remain separately (separate builds?). Since he never finished the conversation with me I'm very unclear on what the direction is and who signed off on what. I would like to know though. Leaving open unencrypted ports is just bad setup and afaik the default is closed but in some tutorials I have seen the port being opened but have never seen it mentioned to make sure to close it.
|
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
TrueCryptonaire
Legendary
Offline
Activity: 1092
Merit: 1000
|
|
July 15, 2016, 08:35:20 PM |
|
Back to the topic, speculation. So what do you guys think, up or down from here? For me both are equally good.
|
|
|
|
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
|
|
July 15, 2016, 08:42:03 PM |
|
*doubles down on previous [clueless fail]*
this dude shows that he cannot even comprehend a text and get the points out of it. He only reads "coins were stolen" and that is his buzzword to ride all day on it. ELI5 for you noobtraderthathasnoclue If you put password 123 you don´t have to wonder an account is taken... in this case if you bind ip and port and don´t close that port for incoming traffic from the outside it is your fault It's too bad noobtrader can't read above a 2nd grade level. "Coins were stolen" is the only phrase in Kozi's post he could parse, so he just keeps clinging to his false impression no matter how hard we try to educate him. He's the type of person who says "ZOMG BITCOIN HAX0RD" because MtGox lost coins.
|
██████████ ██████████████████ ██████████████████████ ██████████████████████████ ████████████████████████████ ██████████████████████████████ ████████████████████████████████ ████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ██████████████████████████████████ ████████████████████████████████ ██████████████ ██████████████ ████████████████████████████ ██████████████████████████ ██████████████████████ ██████████████████ ██████████ Monero
|
| "The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy." David Chaum 1996 "Fungibility provides privacy as a side effect." Adam Back 2014
|
| | |
|
|
|
s1gs3gv
Legendary
Offline
Activity: 1316
Merit: 1014
ex uno plures
|
|
July 15, 2016, 09:01:12 PM |
|
Back to the topic, speculation. So what do you guys think, up or down from here? For me both are equally good.
sideways till the next BTC pump, then down and consolidation around 25
|
|
|
|
nioc
Legendary
Offline
Activity: 1624
Merit: 1008
|
|
July 15, 2016, 09:52:57 PM |
|
Back to the topic, speculation. So what do you guys think, up or down from here? For me both are equally good.
sideways till the next BTC pump, then down and consolidation around 25 TC, how can they be equally good when it's not going low enough for you to buy? I know where it's going but I don't know the path from here. s1gs3gv, when is the next btc pump?
|
|
|
|
ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
|
|
July 15, 2016, 10:00:41 PM |
|
Back to the topic, speculation. So what do you guys think, up or down from here? For me both are equally good.
It could go either way. I do see the following contributing factors: Internal software development: The most eminent here is the GUI given that it is close to completion https://forum.getmonero.org/9/work-in-progress/2476/the-official-qt-gui-project . This will come down to whether the market has already discounted the GUI on release. If it has then it could be "buy the rumor sell the news" and a fall in price could result. If the market had not discounted the GUI then it could lead to a rise in price. Other items to consider here are the development work on RingCT (bullish) and bugs, vulnerabilities in the software showing up, particularly during a hard fork (bearish). External: In the short term I see the issue surrounding the Ethereum fork as actually more significant than anything with Bitcoin. One key thing to consider here that this kind of fork to change to ownership of coins / tokens would be next to impossible to pull off in Monero. Over the longer term the whole blocksize mess in Bitcoin is bullish for Monero. The long term technical picture: For close to two years Monero has been trading between 0.00091 XBT and 0.0043 XBT. A third test / breakout of either one of these two levels could lead to drastically higher, for the 0.0043 level, or drastically lower, for the 0.00091 level, prices.
|
|
|
|
Dotto
Legendary
Offline
Activity: 981
Merit: 1005
No maps for these territories
|
|
July 15, 2016, 10:31:58 PM |
|
Excuse me, but breaking 43 seems like a little bit more plausible then revisiting.93
Sooner than you soon
OTOH, sell the news on GUI releasement is not totally out of hand. Whatever, I bet up from here
|
|
|
|
smoothie
Legendary
Offline
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
|
|
July 15, 2016, 10:35:27 PM |
|
this is waht happenz if you dont have a decent wallet ups! IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS: I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers. This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports. When you're running the wallet in rpc mode (you can do that by binding the port) for example like this: ./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost. The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds. This does not affect normal wallets, only if you run it in server mode like I explained above. As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet. It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed. I don't view that as being negative for simplewallet. It's just like any other software: if you don't know how to use it, it can put you at risk. It's the fault of the user, not of the software. I'll admit I was also running simplewallet incorrectly until now, but that was due to my ignorance. I wouldn't view Apache (or NGINX or Lighttpd) as indecent if I didn't do my part to secure it properly. It's like if I leave a vault full of cash wide open at night for anyone to come and steal....is it the fault of the vault manufacturer who designed the vault? I don't think so.
|
███████████████████████████████████████
,╓p@@███████@╗╖, ,p████████████████████N, d█████████████████████████b d██████████████████████████████æ ,████²█████████████████████████████, ,█████ ╙████████████████████╨ █████y ██████ `████████████████` ██████ ║██████ Ñ███████████` ███████ ███████ ╩██████Ñ ███████ ███████ ▐▄ ²██╩ a▌ ███████ ╢██████ ▐▓█▄ ▄█▓▌ ███████ ██████ ▐▓▓▓▓▌, ▄█▓▓▓▌ ██████─ ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌ ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─ ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩ ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀ ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀` ²²² ███████████████████████████████████████
| . ★☆ WWW.LEALANA.COM My PGP fingerprint is A764D833. History of Monero development Visualization ★☆ . LEALANA BITCOIN GRIM REAPER SILVER COINS. |
|
|
|
primer-
Legendary
Offline
Activity: 1092
Merit: 1000
|
|
July 15, 2016, 10:42:26 PM |
|
Botnets are raping Monero. So far I can account for 11MH/s of botnet hash (almost 50%). The hash is spread across 17 wallets. I'll be willing to share my sources for 1btc - escrow accepted.
|
|
|
|
s1gs3gv
Legendary
Offline
Activity: 1316
Merit: 1014
ex uno plures
|
|
July 15, 2016, 10:54:00 PM |
|
s1gs3gv, when is the next btc pump?
damned if I know. feels like it could be soon though.
|
|
|
|
|