error
May 14, 2011, 11:45:23 PM
error@underground ~ $ host 94.75.217.249
Host 249.217.75.94.in-addr.arpa. not found: 3(NXDOMAIN)
error@underground ~ $ whois 94.75.217.249
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '94.75.217.0 - 94.75.217.255'

inetnum:        94.75.217.0 - 94.75.217.255
netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "abuse@leaseweb.com" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        assignment LEASEWEB 20080723
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         LEASEWEB-MNT
source:         RIPE # Filtered

person:         RIP Mean
address:        P.O. Box 93054
address:        1090BB AMSTERDAM
address:        Netherlands
phone:          +31 20 3162880
fax-no:         +31 20 3162890
abuse-mailbox:  abuse@leaseweb.com
nic-hdl:        LSW1-RIPE
mnt-by:         OCOM-MNT
source:         RIPE # Filtered

% Information related to '94.75.192.0/18AS16265'

route:          94.75.192.0/18
descr:          LEASEWEB
origin:         AS16265
remarks:        LeaseWeb
mnt-by:         OCOM-MNT
source:         RIPE # Filtered
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
[Tycho]
May 15, 2011, 01:56:43 AM
Bitcoin addresses of all users were removed by me in order to implement a new system for enhanced security. Additional details will be available shortly.
I found that someone changed bitcoin addresses of some users. I'm not sure how the attacker got passwords, but now you'll have to use e-mail confirmation for changing your wallet address. I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed. (Please note: I can't guarantee that I can do such reimbursement in the future).
Your money is safe and I'll give instructions on setting your address again. Please wait.
A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks ! ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures ( NEW!). Third year in bitcoin business.
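The fix Tycho announces above is an e-mail confirmation step before a payout address changes. The block below is an added example of how such a step can be built so that the confirmation link is bound to one specific new address and expires; it is not deepbit's code, and the key, user name, addresses and the 15-minute window are all assumptions made for the example.

```python
# Added example: e-mail confirmation token for a payout-address change.
# Not deepbit's code. The key, TTL, user names and addresses are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed confirmation window


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation(key: bytes, user: str, new_address: str, now=None) -> str:
    """Build the token that goes into the e-mailed confirmation link.

    The new address sits inside the authenticated payload, so a token issued
    for one address cannot be replayed to set a different one, and the expiry
    limits how long a stolen mailbox or forwarded link stays useful.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"u": user, "a": new_address, "e": int(now + TOKEN_TTL_SECONDS),
         "n": secrets.token_hex(8)},  # nonce lets the server mark a token as used
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(tag)


def verify_confirmation(key: bytes, token: str, now=None):
    """Return (user, new_address) if the token is authentic and unexpired, else None.

    The MAC is checked in constant time before the payload is parsed, so a
    forged or malformed payload never reaches the JSON decoder.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64url(payload_b64)
        tag = _unb64url(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    fields = json.loads(payload)
    if now > fields["e"]:
        return None
    return fields["u"], fields["a"]


def swap_address_in_token(token: str, attacker_address: str) -> str:
    """What an attacker holding an intercepted link might try: keep the tag, edit the payload."""
    payload_b64, tag_b64 = token.split(".")
    fields = json.loads(_unb64url(payload_b64))
    fields["a"] = attacker_address
    forged = json.dumps(fields, separators=(",", ":"), sort_keys=True).encode()
    return _b64url(forged) + "." + tag_b64
```

The server still has to look the nonce up and refuse a second use, and the pending address should be stored server-side only after verify_confirmation succeeds; the token alone proves possession of the mailbox and knowledge of the address, nothing more.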
MemoryDealers (OP)
VIP
Legendary
Offline
Activity: 1052
Merit: 1155
May 15, 2011, 02:07:31 AM
Quote from: [Tycho]
Bitcoin addresses of all users were removed by me in order to implement a new system for enhanced security. Additional details will be available shortly.
I found that someone changed bitcoin addresses of some users. I'm not sure how the attacker got passwords, but now you'll have to use e-mail confirmation for changing your wallet address. I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed. (Please note: I can't guarantee that I can do such reimbursement in the future).
Your money is safe and I'll give instructions on setting your address again. Please wait.
A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
Wow! That is very generous of you! Can I ask about how many users had their bitcoin addresses changed? So this sounds like it means that none of my employees violated my trust. (I'm still implementing stronger security measures.) Would you agree? I have been worried all day about who could be a thief at my company. I was worried even more about it than the missing bitcoins. Thank you again, and I will gladly continue mining with deepbit because of your help! (I'll keep a much lower balance though.)
tiberiandusk
May 15, 2011, 02:46:12 AM
+1 Tycho. Most people wouldn't be so nice. Sounds like some of the people attacking Mt. Gox have been looking for other attack vectors.
bitcoindaddy
May 15, 2011, 02:47:13 AM
Either the email verification is taking a long time - or it's not working.
[Tycho]
May 15, 2011, 02:54:23 AM
Quote from: bitcoindaddy
Either the email verification is taking a long time - or it's not working.
It's not deployed yet, I'm testing it atm. Wait a bit more please.
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
May 15, 2011, 02:54:34 AM
Quote from: proudhon
My deepbit password is now over 20 characters long with caps and symbols.
Quote
That just shortened the time to crack now didn't it?
Quote
How so?
Quote
Because now you don't have to waste time searching all the combinations between 1 and 20 characters.
Quote
Well, sure. But you've still got to search through at least all the 20 character combinations and the password is longer than that so it's still a pretty big task. But, yes, you're right, it'll take less time. Less time to make a realistic difference? Probably not.
Quote
80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
Quote
That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.
Quote
You shouldn't take this personally; in fact, you should be gracious. I was reminded to be more aware of accidentally revealing personal info online.
To be clear, the personal info I revealed is that my password is more than 20 characters long. I just don't see how telling the world that my password is more than 20 characters long compromises me that much. You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords and for all anyone knows my password could be 40 characters long. Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 408,162,404,503,791,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possibilities.
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
[Tycho]
May 15, 2011, 02:57:45 AM
Quote
Last week was slush's pool that succumbed to an as yet unidentified failure ... and now deepbit gets hacked for a measly 150 BTC.
I'm not sure yet how the attacker got the passwords, but some of his data was not correct. Maybe he sniffed the mining traffic and tried to log in with the same credentials, maybe he used some other kind of exploit. I'll look into it after finishing the confirmation system.
mewantsbitcoins
May 15, 2011, 03:02:31 AM Last edit: May 15, 2011, 03:39:55 AM by mewantsbitcoins
Quote from: proudhon
408,162,404,503,791,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
Hint: scientific notation. He's learning. Unfortunately, still wrong conclusions.
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
May 15, 2011, 04:29:54 AM
Even though my account appears to be fine, I appreciate you being completely transparent with us Tycho, and taking full responsibility for it. Much respect.
[Tycho]
May 15, 2011, 04:43:42 AM
E-mail confirmation should be working now. PM me if your e-mail was non-existent or you can't receive the message.
jimbobway
Legendary
Offline
Activity: 1304
Merit: 1015
May 15, 2011, 05:16:39 AM
Quote from: [Tycho]
Quote
Last week was slush's pool that succumbed to an as yet unidentified failure ... and now deepbit gets hacked for a measly 150 BTC.
I'm not sure yet how the attacker got the passwords, but some of his data was not correct. Maybe he sniffed the mining traffic and tried to log in with the same credentials, maybe he used some other kind of exploit. I'll look into it after finishing the confirmation system.
Password cracking has been used successfully a while back at Mt. Gox until Mt. Gox changed their login process. Has this been ruled out?
Tha Feds
Newbie
Offline
Activity: 9
Merit: 0
May 15, 2011, 05:54:47 AM
Quote from: [Tycho]
I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed. (Please note: I can't guarantee that I can do such reimbursement in the future).
Your money is safe and I'll give instructions on setting your address again. Please wait.
A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
If this is accurate, then major props for the reimbursement.
Tha Feds
Newbie
Offline
Activity: 9
Merit: 0
May 15, 2011, 06:05:35 AM
Quote from: proudhon
To be clear, the personal info I revealed is that my password is more than 20 characters long. I just don't see how telling the world that my password is more than 20 characters long compromises me that much. You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords and for all anyone knows my password could be 40 characters long. Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 408,162,404,503,791,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possibilities.
No one is claiming that your 20 character password is easy to crack, for the time being. It has, however, been pointed out that since you revealed that it is 20 characters, it would be easier to crack than if you had said nothing about its length, since the cracker will not have to spend time checking passwords <20 characters. If this seems trivial, remember that passwords nowadays are the key to valuable information about us and that Moore's Observation (Law) means that the cost of technology needed to crack passwords is getting cheaper quickly. The time will come when there will be a low degree of difficulty to crack a 20 character pw--it might come sooner than you think.
gigabytecoin
May 15, 2011, 09:11:46 AM
Quote
Beware of other people using your accounts.
Quote
I agree, but they are both trusted long-term employees (5+ years) who I trust. I am guessing that deepbit may be susceptible to a brute-force password hacking attack. You seem to be able to try as many incorrect passwords on the site in a row as you want. I hope they put a delay after 3 failed login attempts. Does anyone have the contact info for the admin at deepbit? I am hoping they have some kind of log for whoever logged into my account.
You "trust" your employees? Hah.
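The quoted remark in the post above, that the site lets you try as many wrong passwords in a row as you like, describes the opening an online brute-force attack needs. The block below is an added example of a failed-login throttle keyed on both the account and the source address, using exponential backoff rather than a hard lockout; it is not deepbit's code, and the three free attempts, the two-second base delay, the 15-minute cap and the one-hour window are assumptions made for the example.

```python
# Added example: per-account and per-source failed-login throttle.
# Not deepbit's code; every threshold below is an assumption.
import time
from collections import defaultdict


class LoginThrottle:
    """Slow down password guessing without handing attackers a lockout weapon.

    Failures are counted per account (defeats one attacker spreading guesses
    over many IPs) and per source address (defeats one IP spraying many
    accounts). After `free_attempts` failures the required wait doubles each
    time, capped at `max_delay`, and a successful login clears the account's
    counter so a legitimate user is not locked out for good by attacker noise.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0, window=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self._failures = defaultdict(list)  # key -> timestamps of recent failures

    def _wait_for(self, key, now):
        recent = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = recent
        excess = len(recent) - self.free_attempts
        if excess < 0:
            return 0.0
        delay = min(self.base_delay * 2 ** excess, self.max_delay)
        return max(0.0, recent[-1] + delay - now)

    def seconds_until_allowed(self, user, source_ip, now=None):
        """0.0 if an attempt may proceed now, otherwise how long the caller must wait."""
        now = time.time() if now is None else now
        return max(self._wait_for(("user", user), now),
                   self._wait_for(("ip", source_ip), now))

    def record_failure(self, user, source_ip, now=None):
        now = time.time() if now is None else now
        self._failures[("user", user)].append(now)
        self._failures[("ip", source_ip)].append(now)

    def record_success(self, user):
        # Only the account counter resets; the source keeps its history, so a
        # guesser who lands one valid login is still slowed on the next account.
        self._failures.pop(("user", user), None)


def attempts_possible(throttle, user, source_ip, seconds, start=0.0):
    """How many wrong guesses one source can submit against one account in `seconds`.

    Simulates an attacker who always waits exactly as long as the throttle demands.
    """
    now, count = start, 0
    while now < start + seconds:
        wait = throttle.seconds_until_allowed(user, source_ip, now)
        if wait > 0:
            now += wait
            continue
        throttle.record_failure(user, source_ip, now)
        count += 1
    return count
```

With these constants a single source gets 14 guesses at one account in its first hour instead of as many as the network allows; the sliding window means the rate creeps back up after an hour of silence, which is the intended trade against permanently locking a victim out.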
eMansipater
May 15, 2011, 09:48:41 AM
Quote from: gigabytecoin
You "trust" your employees? Hah.
Yeah, forming real human relationships and then relying on them is for suckers. Next thing you know he'll be claiming to have "friends" or some other kind of nonsense too. Major kudos to [Tycho] for his response to this incident. Real trustworthiness is proven in a person's response to unplanned-for circumstances.
If you found my post helpful, feel free to send a small tip to 1QGukeKbBQbXHtV6LgkQa977LJ3YHXXW8B Visit the BitCoin Q&A Site to ask questions or share knowledge. 0.009 BTC too confusing? Use mBTC instead! Details at www.em-bit.org or visit the project thread to help make Bitcoin prices more human-friendly.
vuce
May 15, 2011, 10:26:41 AM
Quote from: [Tycho]
Bitcoin addresses of all users were removed by me in order to implement a new system for enhanced security. Additional details will be available shortly.
I found that someone changed bitcoin addresses of some users. I'm not sure how the attacker got passwords, but now you'll have to use e-mail confirmation for changing your wallet address. I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed. (Please note: I can't guarantee that I can do such reimbursement in the future).
Your money is safe and I'll give instructions on setting your address again. Please wait.
A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
Real class, way to go Tycho!
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
May 15, 2011, 11:15:32 AM Last edit: May 15, 2011, 12:47:27 PM by proudhon
Quote from: mewantsbitcoins
Quote from: proudhon
4.08162404503791e+125
Hint: scientific notation. He's learning. Unfortunately, still wrong conclusions.
Oh, come on, I wrote it out to make a point. But, there, I fixed it for you. What wrong conclusion am I coming to? Help me not be such a dummy. I'm sincerely asking for you to help me understand what wrong conclusion I'm making. I don't even mind if you continue to mock me. Just help me out too.
Quote from: proudhon
To be clear, the personal info I revealed is that my password is more than 20 characters long. I just don't see how telling the world that my password is more than 20 characters long compromises me that much. You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords and for all anyone knows my password could be 40 characters long. Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 4.08162404503791e+125 possibilities.
Quote from: Tha Feds
No one is claiming that your 20 character password is easy to crack, for the time being. It has, however, been pointed out that since you revealed that it is 20 characters, it would be easier to crack than if you had said nothing about its length, since the cracker will not have to spend time checking passwords <20 characters. If this seems trivial, remember that passwords nowadays are the key to valuable information about us and that Moore's Observation (Law) means that the cost of technology needed to crack passwords is getting cheaper quickly. The time will come when there will be a low degree of difficulty to crack a 20 character pw--it might come sooner than you think.
Just to be clear, I did not reveal that my password is 20 characters. I revealed that my password is more than 20 characters.
Edit: mewantsbitcoins, is it that the possibilities answer is wrong? I took that value from a website that claims to calculate password possibilities, but my own calculation says it should be 3.40562E+41. Basically, I entered the values backwards. Is that it?
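The running argument in this thread (does revealing "more than 20 characters" help an attacker, and how large is the 21-character keyspace) is easier to settle with the arithmetic written out. The block below is an added example, not from any poster; the 95-symbol printable-ASCII alphabet, the 62-symbol alphanumeric alphabet and the guess rate are assumptions, and the functions handle the general "length between m and n" case rather than only the exact-length one debated above.

```python
# Added example: password keyspace arithmetic for the exchange above.
# Alphabet sizes and the guess rate are assumptions; nothing here is from the thread.
import math

PRINTABLE_ASCII = 95   # upper and lower case letters, digits, common keyboard symbols
ALNUM = 62             # letters and digits only
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Exact count of all strings with min_len <= length <= max_len over the alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(count: int) -> float:
    """Equivalent key strength in bits of a candidate chosen uniformly from `count`."""
    return math.log2(count)


def fraction_eliminated(alphabet: int, revealed_min_len: int, assumed_max_len: int) -> float:
    """Share of a 1..assumed_max_len search that knowing 'length >= revealed_min_len' removes.

    Each extra character multiplies the space by the alphabet size, so all the
    shorter lengths together amount to roughly 1/alphabet of the whole search.
    """
    whole = keyspace(alphabet, 1, assumed_max_len)
    skipped = keyspace(alphabet, 1, revealed_min_len - 1)
    return skipped / whole


def years_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed offline guess rate."""
    return count / guesses_per_second / SECONDS_PER_YEAR


def summary(length: int = 21, alphabet: int = PRINTABLE_ASCII, rate: float = 1e12) -> dict:
    """Figures for the exact-length case discussed in the thread."""
    n = keyspace(alphabet, length, length)
    return {
        "candidates": n,
        "bits": round(bits(n), 1),
        "fraction_saved_by_knowing_min_length": fraction_eliminated(alphabet, length, length),
        "years_at_rate": years_to_exhaust(n, rate),
    }
```

For 21 printable-ASCII characters the count is about 3.4e41 (roughly 138 bits), which matches proudhon's corrected figure and not the 4.1e125 from the web calculator; knowing the password is at least 21 long removes about one per cent of the 1..21 search, a fraction of a bit. None of this applies if the password is a dictionary phrase rather than uniformly random, which is the assumption every figure here rests on.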
bitcoindaddy
May 15, 2011, 12:01:29 PM
I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly. Let's hope that was not the case.
Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2349
Eadem mutata resurgo
May 15, 2011, 12:28:11 PM
Quote from: bitcoindaddy
I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly. Let's hope that was not the case.
Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.
It's not clear that it was hacked. It could have been some packet sniffing quite easily if people use the web account password the same as their miner(s) password (do not do this), since that is getting sent in plain text by the miner all the time they getwork (i.e. lots). Someone was talking about wrapping up the miners-to-pools comms inside https, ssl or similar; where did that project get to? (It could be useful for other reasons down the line if miners get targeted.)
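marcus_of_augustus's point above is that a 2011 miner polled the pool over plain HTTP with the worker credentials in a Basic authentication header on every getwork call. The block below is an added example of what a passive observer on the path can pull out of such traffic, and of the follow-up check a pool operator could run afterwards (which web accounts reused a worker password). The capture, worker names, passwords and the account store are all constructed for the example; none of it is deepbit's data or code.

```python
# Added example: extract HTTP Basic credentials from captured getwork traffic,
# then check which web accounts reused them. All data below is constructed.
import base64
import hashlib
import hmac
import re

# Constructed capture of two miners polling a pool over plain HTTP (JSON-RPC getwork).
# Decoded, the Authorization values are miner_rig1:hunter2 and gpu02:qwerty.
SAMPLE_CAPTURE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: pool.example.net:8332\r\n"
    b"Authorization: Basic bWluZXJfcmlnMTpodW50ZXIy\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b'{"method": "getwork", "params": [], "id": 1}'
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
    b"POST / HTTP/1.1\r\n"
    b"Host: pool.example.net:8332\r\n"
    b"Authorization: Basic Z3B1MDI6cXdlcnR5\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b'{"method": "getwork", "params": [], "id": 2}'
)

_BASIC = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$", re.M | re.I)


def extract_basic_credentials(capture: bytes):
    """Return (username, password) for every Basic header in a captured byte stream.

    This is all a sniffer has to do: Basic auth is base64, not encryption, and
    HTTP/1.1 keep-alive means many requests share one connection.
    """
    found = []
    for match in _BASIC.finditer(capture):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64; skip rather than crash on odd traffic
        user, sep, password = raw.partition(b":")
        if not sep:
            continue  # RFC 7617 requires user:password; anything else is noise
        found.append((user.decode("latin-1"), password.decode("latin-1")))
    return found


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed web-account store: miner_rig1 reused the worker password on the
# website, gpu02 did not. Salts and hashes are generated here, not real.
WEB_ACCOUNTS = {
    "miner_rig1": {"salt": b"salt-miner_rig1", "hash": _pbkdf2("hunter2", b"salt-miner_rig1")},
    "gpu02": {"salt": b"salt-gpu02", "hash": _pbkdf2("a different web password", b"salt-gpu02")},
}


def web_accounts_exposed(sniffed, accounts=WEB_ACCOUNTS):
    """Incident-response check: which web accounts would the sniffed worker credentials open?"""
    exposed = []
    for user, password in sniffed:
        record = accounts.get(user)
        if record and hmac.compare_digest(_pbkdf2(password, record["salt"]), record["hash"]):
            exposed.append(user)
    return exposed
```

The two defences the thread mentions map directly onto this: TLS on the getwork endpoint takes the header off the wire, and separate worker and web passwords mean a sniffed worker credential opens nothing but that worker's share submission.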