Bitcoin Forum
December 03, 2016, 12:37:44 AM
Author Topic: 135 BTC Stolen from my Deepbit account!!!!!!!!  (Read 13133 times)
proudhon (Legendary, Activity: 1148)
May 15, 2011, 11:15:32 AM  #81


Quote
4.08162404503791e+125


Hint: scientific notation.

He's learning. Unfortunately, still wrong conclusions

Oh, come on, I wrote it out to make a point.  But, there, I fixed it for you.  What wrong conclusion am I coming to?  Help me not be such a dummy.  I'm sincerely asking for you to help understand what wrong conclusion I'm making.  I don't even mind if you continue to mock me.  Just help me out too.


To be clear, the personal info I revealed is that my password is more than 20 characters long.  I just don't see how telling the world that my password is more than 20 characters long compromises me that much.  You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords and for all anyone knows my password could be 40 characters long.  Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 4.08162404503791e+125 possibilities.

No one is claiming that your 20 character password is easy to crack, for the time being. It has, however, been pointed out that since you revealed that it is 20 characters, it would be easier to crack than if you had said nothing about its length, since the cracker will not have to spend time checking passwords <20 characters. If this seems trivial, remember that passwords nowadays are the key to valuable information about us and that Moore's Observation (Law) means that the cost of technology needed to crack passwords is getting cheaper quickly. The time will come when there will be a low degree of difficulty to crack a 20 character pw--it might come sooner than you think.

Just to be clear, I did not reveal that my password is 20 characters.  I revealed that my password is more than 20 characters.

Edit: mewantsbitcoins, is it that the possibilities answer is wrong?  I took that value from a website that claims to calculate password possibilities, but my own calculation says it should be 3.40562E+41.  Basically, I entered the values backwards.  Is that it?
bitcoindaddy (Hero Member, Activity: 481)
May 15, 2011, 12:01:29 PM  #82

I recommend Tycho accelerate the installation of an SSL certificate. They can be had for a low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly.  Let's hope that was not the case.

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.  
marcus_of_augustus (Legendary, Activity: 2086)
May 15, 2011, 12:28:11 PM  #83

I recommend Tycho accelerate the installation of an SSL certificate. They can be had for a low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly.  Let's hope that was not the case.

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.  

It's not clear that it was hacked. It could have been some packet sniffing quite easily if people use the web account password the same as their miner(s) password (do not do this) since that is getting sent in plain-text by the miner all the time they getwork (i.e. lots). Someone was talking about wrapping up the miners-to-pools comms inside https, ssl or similar, where did that project get to? (It could be useful for other reasons down the line if miners get targeted.)

Sebz4n (Jr. Member, Activity: 59)
May 15, 2011, 12:35:54 PM  #84

Did you contact Leaseweb?
mewantsbitcoins (Full Member, Activity: 126)
May 15, 2011, 12:55:24 PM  #85

80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password.
This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices.
Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then?
It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what word do you use and so on.
And the same goes to vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? a script kiddie? a skilled programmer? a government agency?
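
As an added example (not from any poster in this thread), the keyspace arithmetic behind the two numbers in post #81 and the 120-bit estimate quoted in post #85, plus how much a leaked "longer than 20 characters" hint actually removes from an exhaustive search. It assumes a 95-character printable-ASCII set (which reproduces 3.40562E+41 for 21 characters, and 21^95 reproduces the website's 4.08e+125) and a 62-character letters+digits set (the roughly 6 bits per character behind "20*6=120 bits").

```python
import math

# Character-set sizes assumed here (not stated explicitly in the thread):
# 95 = printable ASCII (letters, digits, common symbols), 62 = letters+digits.
PRINTABLE_ASCII = 95
ALNUM = 62


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password (length * log2(charset))."""
    return length * math.log2(charset_size)


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length, i.e. everything an attacker may skip
    once told "the password is longer than max_length"."""
    return sum(charset_size ** k for k in range(1, max_length + 1))


def fraction_skipped_by_length_hint(charset_size: int, known_min_length: int) -> float:
    """Share of the search space an attacker avoids thanks to the length hint,
    relative to searching all lengths up to known_min_length + 1.

    Because each extra character multiplies the space by charset_size, all
    shorter lengths together are only about 1/charset_size of the next length."""
    skipped = keyspace_up_to(charset_size, known_min_length)
    total = keyspace_up_to(charset_size, known_min_length + 1)
    return skipped / total


def password_strength_report(charset_size: int, length: int) -> dict:
    """Summary a defender can show users: keyspace, entropy, and what a leaked
    'longer than length-1' hint is worth to an attacker."""
    return {
        "keyspace": keyspace(charset_size, length),
        "entropy_bits": entropy_bits(charset_size, length),
        "fraction_skipped_by_hint": fraction_skipped_by_length_hint(charset_size, length - 1),
    }
```

The two numbers in the thread are the same calculation with the arguments swapped: keyspace(21, 95) gives the website's 4.08e+125 and keyspace(95, 21) gives 3.40562E+41, and the length hint removes only about 1% of the work, so the real risk the thread converges on is a memorable, non-random password rather than the disclosed length.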
proudhon (Legendary, Activity: 1148)
May 15, 2011, 03:03:32 PM  #86

80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password.
This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices.
Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then?
It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what word do you use and so on.
And the same goes to vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? a script kiddie? a skilled programmer? a government agency?

Ok, look, I get it.  Any information can make it easier to get your password, even if by 'easier' it's still really, really hard.  Point taken.  The best practice is just not to reveal any relevant personal information at all.  Got it.
elggawf (Sr. Member, Activity: 308)
May 15, 2011, 03:38:19 PM  #87

I recommend Tycho accelerate the installation of an SSL certificate. They can be had for a low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly.  Let's hope that was not the case.

Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.  

http://www.startssl.com/

Before you ask, no it's not the same thing as CACert - StartSSL actually has root certificates in most major OSes and browsers (and for what mining pools need, that's plenty).

^_^
Littleshop (Legendary, Activity: 1316)
May 15, 2011, 04:07:21 PM  #88

We are not talking about you, but about security practices and how dumb some people are revealing their personal data on public forums without even realizing it

But you are talking about me since I'm the dummy who revealed the personal data that my deepbit password is over 20 characters long.  Now, in a matter of months, if not sooner, any sufficiently crafty script kiddie could have access to my deepbit account.

Or you have a well protected 19 character password!   Grin


cschmitz (Member, Activity: 98)
May 15, 2011, 04:30:37 PM  #89

I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed.
(Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.

big kudos to you for providing such a service

proud 5.x gh/s miner. tips welcome at 1A132BPnYMrgYdDaRyLpRrLQU4aG1WLRtd
trentzb (Sr. Member, Activity: 406)
May 15, 2011, 09:09:08 PM  #90

@MemoryDealers

Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
MemoryDealers (VIP, Legendary, Activity: 1005)
May 15, 2011, 09:20:24 PM  #91

@MemoryDealers

Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?

I was / still do check from my iPhone Safari browser as well.

Serge (Legendary, Activity: 1050)
May 15, 2011, 09:49:32 PM  #92

https would be nice, with mining software as well as the web interface over account forms, including log-ons
I'd say it's a must for any serious org. dealing with personal data of their users over the web

also it is a good practice to use secure connections while accessing mail and ftp servers too.
[Tycho] (Hero Member, Activity: 742)
May 15, 2011, 10:44:03 PM  #93

@MemoryDealers
Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
Yes, I asked the victims about this too, but looks like it's not the case. Also all of them used the same password for workers and main account. At least one said that he was using the same password on his e-mail account and this e-mail account was hacked.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
xf2_org (Member, Activity: 70)
May 16, 2011, 12:31:35 AM  #94

Also all of them used same password for workers and main account.

*facepalm*

And people wonder why I am implementing Digest auth for miners....
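
An added illustration (constructed here, not xf2_org's or deepbit's code) of the difference marcus_of_augustus and xf2_org are pointing at: with HTTP Basic auth the worker password a miner sends on every getwork is readable by anyone watching the unencrypted stream, whereas RFC 2617 Digest auth puts only a nonce-bound MD5 response on the wire and lets the server store HA1 instead of the password. The realm, user name, password and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread).
REALM = "pool"            # hypothetical realm the pool would advertise
USER = "worker.1"
PASSWORD = "correct horse"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header a miner sends with HTTP Basic auth on each getwork."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_in_basic_header(header: str) -> tuple:
    """What a passive observer of plaintext HTTP gets: base64 is an encoding,
    not encryption, so user and password come back verbatim."""
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is all the pool needs to keep."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response (no qop): MD5(HA1:nonce:MD5(method:uri)).
    Only this value travels on the wire, tied to the server-chosen nonce."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and the nonce it issued for
    this request. A response captured under an old nonce fails against a new one."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)
```

Digest keeps the password itself off the wire and makes a sniffed response useless once the nonce changes, but the response is still an unsalted MD5 that can be guessed offline, so it is a stopgap beside HTTPS for the miner connection, not a substitute for it.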

[Tycho] (Hero Member, Activity: 742)
May 16, 2011, 10:39:06 PM  #95

Your BTC balance is refunded :)

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
AntiVigilante (Member, Activity: 98)
May 18, 2011, 02:01:13 AM  #96

HB Gary didn't teach the world anything.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq
minerX (Jr. Member, Activity: 56)
May 18, 2011, 03:19:32 AM  #97

Wow.  Can't believe he refunded the BTC!  That's great service.

I was thinking about going solo mining but after this bit of service I'm going to stick with deepbit.
bournemt (Newbie, Activity: 2)
May 18, 2011, 02:26:15 PM  #98

+1 Tycho
bitcoindaddy (Hero Member, Activity: 481)
May 18, 2011, 03:06:46 PM  #99

FYI - Deepbit has SSL now (HTTPS).
cablepair (Hero Member, Activity: 854)
May 18, 2011, 03:51:52 PM  #100

dude,

the guy who uses that IP (94.75.217.249) address is on irc right now.

irc.linode.com
#linode
his nickname is takamichi

he's not using that IP right now, but he has in the past.... (check google)
iMMUNE
181msjFgfXo1LwFk8S9BLRYETNqD72yHCL