Bitcoin Forum
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 201383 times)
hatshepsut
May 17, 2012, 04:25:23 PM
 #901

LOL good try.


If you are implying that I am guruvan, then you are sorely mistaken.
muyuu
May 17, 2012, 04:33:18 PM
 #902

LOL good try.


If you are implying that I am guruvan, then you are sorely mistaken.

Not implying that.

No way they are both forfeiting losses and paying off virtual positive positions. They will force liquidate, deal with it.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
dizzy1
May 17, 2012, 04:37:39 PM
 #903

So now http://bitcoinica.com points to a Google 404 error page. Maybe they are finally readying some kind of claim page?
M4v3R
May 17, 2012, 04:48:52 PM
 #904

I've asked earlier in the thread, is there any way/evidence that shows bitcoinica actually ever traded on any of the available exchanges, or was it all just shuffling funds internally?

They were trading on MtGox as soon as they couldn't balance out the trades internally. They were even displaying a number of BTC they have traded on MtGox (aka. "hedged") on their home page.

For most of the time you wouldn't see this, unless your trade was quite big, sometimes it needed to be over 1000 BTC. Lately, they even raised this internal buffer to ~3000 BTC, and tweaked the engine so it traded 100 BTC at the same time instead of 50, for faster execution. It was really cool, and is a shame that now it's gone.
tvbcof
May 17, 2012, 05:06:24 PM
 #905


Explaining the details of your operations might not be a wise thing to do in public.


Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than a handful of ankle-biter class victims.


BTC_Bear
May 17, 2012, 05:43:06 PM
 #906


Explaining the details of your operations might not be a wise thing to do in public.


Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than a handful of ankle-biter class victims.




Quote
Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
rdponticelli
May 17, 2012, 06:06:23 PM
 #907


Explaining the details of your operations might not be a wise thing to do in public.


Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than a handful of ankle-biter class victims.




Quote
Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

Obviously you have any valuable information on a strongly encrypted vm image with a complex password which is not hosted on the machine. And you have arranged really frequent off site rsyncs, so you have several images ready to be launched anytime you need them. If anybody steals your server, he only gets a lot of useless information.
ashleyconnor
May 17, 2012, 06:09:34 PM
 #908


Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

He explained before that he is encrypting his filesystem

The big security let down is the fact that you can reset a VPS root password from the control panel. Great if you are a VPS company as it reduces support issues, but for God's sake if you are running an operation with money at stake then that needs to be disabled.

The mentions of KVM etc are just more options for hackers. In fact remote administration of any sort gives hackers opportunities to compromise the servers.

One of the best methods, which I think somebody mentioned, is 2-factor SSH authentication:

http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

Even if your key is compromised due to a security breach on your local system, attackers will still not be able to access the server.
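
An added example, not part of ashleyconnor's post or the linked guide: a small Python check that reads sshd_config and PAM text and reports whether a login really needs both the SSH key and the Google Authenticator code, which is the property the post relies on. The sample configs are constructed, and the check assumes OpenSSH's AuthenticationMethods keyword and the pam_google_authenticator.so module with its nullok option; Match blocks are not evaluated.

```python
"""Audit sshd_config and PAM text for key-plus-TOTP enforcement (added example)."""

REQUIRED = {"publickey", "keyboard-interactive"}
# ChallengeResponseAuthentication is the older name for the same sshd setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return global keyword -> value; sshd uses the first value it sees for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":  # assumption: conditional blocks are not evaluated here
            break
        keyword = ALIASES.get(keyword, keyword)
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_two_factor(sshd_text, pam_text):
    """Return findings; an empty list means key AND one-time code are both required."""
    cfg = parse_sshd_config(sshd_text)
    findings = []
    # Space-separated lists are alternatives; inside a list, commas mean "all of these".
    for alt in cfg.get("authenticationmethods", "any").split():
        names = {m.split(":", 1)[0] for m in alt.split(",")}
        missing = sorted(REQUIRED - names)
        if missing:
            findings.append(f"AuthenticationMethods '{alt}' does not require {', '.join(missing)}")
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not yes, so the PAM one-time-code module is never consulted")
    if cfg.get("kbdinteractiveauthentication", "yes").lower() != "yes":
        findings.append("keyboard-interactive authentication is disabled")
    totp = [l.split() for l in pam_text.splitlines()
            if "pam_google_authenticator.so" in l and not l.lstrip().startswith("#")]
    if not any(len(f) >= 3 and f[0] == "auth" and f[1] in ("required", "requisite") for f in totp):
        findings.append("PAM stack has no mandatory 'auth' line for pam_google_authenticator.so")
    elif any("nullok" in f[3:] for f in totp):
        findings.append("nullok lets accounts without an enrolled secret skip the one-time code")
    return findings


# Constructed samples, not taken from any real host.
WEAK_SSHD = """\
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""
WEAK_PAM = "auth required pam_google_authenticator.so nullok\n"

HARDENED_SSHD = """\
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""
HARDENED_PAM = "auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    for name, sshd, pam in (("weak", WEAK_SSHD, WEAK_PAM), ("hardened", HARDENED_SSHD, HARDENED_PAM)):
        print(name, audit_two_factor(sshd, pam) or "OK")
```

In the weak sample the module is installed but either factor alone is enough, so a stolen key still logs in; the hardened sample requires both.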
BTC_Bear
May 17, 2012, 06:18:17 PM
 #909


Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

He explained before that he is encrypting his filesystem

The big security let down is the fact that you can reset a VPS root password from the control panel. Great if you are a VPS company as it reduces support issues, but for God's sake if you are running an operation with money at stake then that needs to be disabled.

The mentions of KVM etc are just more options for hackers. In fact remote administration of any sort gives hackers opportunities to compromise the servers.

One of the best methods, which I think somebody mentioned, is 2-factor SSH authentication:

http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

Even if your key is compromised due to a security breach on your local system, attackers will still not be able to access the server.

Well, I was trying to not be so obvious.

I wouldn't steal the server from his office.  C'mon guys... Do we have to lay it out, why it is bad to let people know where your server resides and has thousands of dollars of money in it.

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
MrTeal
May 17, 2012, 06:32:07 PM
 #910

Well, I was trying to not be so obvious.

I wouldn't steal the server from his office.  C'mon guys... Do we have to lay it out, why it is bad to let people know where your server resides and has thousands of dollars of money in it.

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

That still requires breaking into his office and installing the hardware without tripping the alarm or getting caught or them noticing. You'd probably also want to know which box actually holds the server and which room it's in.

Physically breaking into someone's office is an entirely different class of crime than hacking into a system. You'd need someone with both the computer skills to deal with whatever technical issues arise, who also lives near the office or is willing to fly in, and also have experience with physical break and enters. The risk is also much higher; convicting someone of hacking into a system and stealing $10k worth of virtual money is a lot less likely than convicting someone of B&E. Someone who has that skillset could probably do a lot better than all that risk for $10k.
ashleyconnor
May 17, 2012, 06:41:14 PM
 #911

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

No doubt 2-factor-authentication can still be compromised by a man-in-the-middle attack. The Google Authenticator PAM allows you to detect this, so you'd know if your local machine had been compromised.  You then might be able to remotely shut down the server through some administration panel.

However there's no 100% way to do remote administration. Period.
BTC_Bear
May 17, 2012, 06:51:10 PM
 #912

Well, I was trying to not be so obvious.

I wouldn't steal the server from his office.  C'mon guys... Do we have to lay it out, why it is bad to let people know where your server resides and has thousands of dollars of money in it.

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

That still requires breaking into his office and installing the hardware without tripping the alarm or getting caught or them noticing. You'd probably also want to know which box actually holds the server and which room it's in.

Physically breaking into someone's office is an entirely different class of crime than hacking into a system. You'd need someone with both the computer skills to deal with whatever technical issues arise, who also lives near the office or is willing to fly in, and also have experience with physical break and enters. The risk is also much higher; convicting someone of hacking into a system and stealing $10k worth of virtual money is a lot less likely than convicting someone of B&E. Someone who has that skillset could probably do a lot better than all that risk for $10k.

Yes, it does. I just mean to show that people associate the criminals with being 'dumb'. There are 'smart' criminals. Social Engineering has acquired way more results than electronic trickery.

For Example:

Let's presume this was a Bitcoinica server in the 'Office'. One could pay the cleaning lady or maintenance man 10K to do it, because the total theft was 87K. That would leave 77K to the thieves. Once enough keystrokes have been acquired, then you could steal the server if necessary.

Sorry for sounding nefarious: I have had a class that dealt with 'What Ifs'. Actually that class was about more than just circumventing a server, was more about disrupting industries.  Given SOP knowledge, getting information is quite easy. Looking at problems from different perspectives also can reveal things that are not known to be public. i.e. Apple's suppliers were kept 'secret' but the guy on the loading dock didn't think it was a secret.

Most people from High Tech think high tech and forget about low tech.

Granted though, people aren't going to employ these methods over some kid's computer with 10 BTC on it. But the reference was from an Exchange of sorts that deals in lots of money.

Telling people where the server resides wasn't a good idea. But meh... it's his money and possibly yours.


Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
vampire
May 17, 2012, 06:51:44 PM
 #913

Quote
Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

Now you just need to decrypt the harddrives :-)
BTC_Bear
May 17, 2012, 07:03:54 PM
 #914

Quote
Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

Now you just need to decrypt the harddrives :-)


Yes as explained it can be done.

However, this is all public knowledge that I can explain.

I believe this guy is a Mac User ( I can explain how I know, if needed). I wonder if he has fixed the debug.log for the vault on his computer. (PS. If you see this, do so.) He might already be compromised and not know it.

Security for Financial Systems especially with lots of money actually residing on the computer, needs to be elevated to absolute paranoia.


Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
vampire
May 17, 2012, 07:50:54 PM
 #915

Yes as explained it can be done.

However, this is all public knowledge that I can explain.

I believe this guy is a Mac User ( I can explain how I know, if needed). I wonder if he has fixed the debug.log for the vault on his computer. (PS. If you see this, do so.) He might already be compromised and not know it.

Security for Financial Systems especially with lots of money actually residing on the computer, needs to be elevated to absolute paranoia.

Isn't that FV1? How do you exploit that on FV2 with solo user setup?
SgtSpike
May 17, 2012, 08:04:59 PM
 #916

BTC_Bear, you seem to know a good deal about security.  What are your credentials?  Do you have a related degree?  Related job experience?

Just curious more than anything.
BTC_Bear
May 17, 2012, 08:29:36 PM
 #917

BTC_Bear, you seem to know a good deal about security.  What are your credentials?  Do you have a related degree?  Related job experience?

Just curious more than anything.

Well, the fact you ask that tells me I have already talked too much.

Quote
Do you have a related degree?
I do not hold a degree in IT Security and/or Cybersecurity. Although I have during the course of work, pointed out and have shown flaws in IT systems and many other Risk Management Issues and writing Root Cause Analysis for problems that occur.

Quote
Related job experience?

I have had related job experience in the field of security. (And no, not Security Guard)


Quote
What are your credentials?

Well, when able to look for jobs when necessary, I carry credentials in a portfolio (more of a long CV with supporting documents than anything else.)


Other than that:

I'm a dumb crazy country bumpkin, pay me no mind. If my arguments make sense, then ponder them. If not, then disregard them. I like letting my hair down here without excessive peer review over every word or idea I spout out.

btw: I give credentials and/or degrees little weight other than the ability to learn. (i.e. If the janitor proves P=NP, I don't argue over whose credentials mean more or less.) I treat each individual as an individual irrespective of documented knowledge.


Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
SgtSpike
May 17, 2012, 08:36:58 PM
 #918

I'm just thinking you might be a good consultant if/when I ever decide to launch a Bitcoin site that actually handles people's Bitcoins.  Sometimes, you seem to be the only logical thinker in a group full of people discussing proper security methods and techniques.  Lots of people can't seem to think outside the box, and miss important potential threats.

Anyway, thanks for answering my questions.
tvbcof
May 17, 2012, 09:13:32 PM
 #919

...if/when I ever decide to launch a Bitcoin site that actually handles people's Bitcoins.  ...

If you are handling Bitcoins, they are your bitcoins.  That is one of the things which distinguishes Bitcoin from most other instruments (imho.)  If more people shared my philosophical view of the situation, fewer people would be whining about their Bitcoins having gone missing.

Naturally to run a good business you'll want to be able to give the Bitcoins back to your customers upon demand, and having a good security consultant would go a long way toward achieving this goal.

Alternately, with Bitcoin there are creative ways to invalidate my assertions about ownership.  Having both an outstanding security consultant and a skilled scientist/engineer could blaze some trails here.  It seems to be starting though I cannot say that I have followed things closely.


mb300sd
May 17, 2012, 10:44:28 PM
 #920

All this security discussion is great, but WHERE IS THE CLAIM PAGE? It was supposed to be up Monday, then last night, and it's still not up...

1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco