Sebz4n
Member
Offline
Activity: 77
Merit: 10
May 15, 2011, 12:35:54 PM
Did you contact Leaseweb?
mewantsbitcoins
May 15, 2011, 12:55:24 PM (Last edit: May 15, 2011, 01:18:16 PM by mewantsbitcoins)
> 80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
> That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.
I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password. This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices. Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then? It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what words you use and so on. And the same goes for vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? A script kiddie? A skilled programmer? A government agency?
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
May 15, 2011, 03:03:32 PM
> > 80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).
> > That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.
> I'm not talking about your math. The statement above is absurd to anyone working in IT security. What you don't seem to understand is that you revealed a piece of personal information. If I'm an adversary and put enough such pieces together I'll have your password. This case is an exception and I'm glad op will get his money back, but this case is a very good example of extremely poor security practices. Let's say bitcoin exploded in value - it's on major TV channels, shops are popping up everywhere accepting it and it adds several zeros to what the value is today. Do you still think op's employees would be so trustworthy then? It's the same with you. If bitcoin suddenly increased in value, it may be worth spending years trying to figure out your password and by searching this forum and finding out it's >20 long, someone would have a good starting point. Then they can probably safely assume that it is not a random sequence because you would not be able to remember it. They would then go and read your other posts, to see how you think, what words you use and so on. And the same goes for vuce's comment "80 bit is considered safe". Safe for what? Kids trying to access your folder at home? A script kiddie? A skilled programmer? A government agency?
Ok, look, I get it. Any information can make it easier to get your password, even if by 'easier' it's still really, really hard. Point taken. The best practice is just not to reveal any relevant personal information at all. Got it.
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
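A quick check on the numbers argued over in the posts above, added here as an example (it is not code from any poster): the entropy of a uniformly random alphanumeric password, how little an attacker gains from learning its exact length, and what that means in brute-force time. Assumed: a 62-symbol alphabet (vuce's "20*6" rounds log2(62) ≈ 5.95 up to 6) and an illustrative guess rate of 10^12 per second.

```python
import math

ALNUM = 62  # a-z, A-Z, 0-9: the "letters+numbers" alphabet discussed in the thread


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password of exactly `length` symbols drawn
    uniformly at random from `alphabet_size` symbols (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def entropy_bits_length_unknown(alphabet_size: int, max_length: int) -> float:
    """Bits when the attacker only knows the length is somewhere in 1..max_length:
    the keyspace is the sum of every shorter keyspace (Python ints keep this exact)."""
    keyspace = sum(alphabet_size ** k for k in range(1, max_length + 1))
    return math.log2(keyspace)


def bits_leaked_by_length(alphabet_size: int, length: int) -> float:
    """How many bits of work the attacker saves by learning the exact length."""
    return entropy_bits_length_unknown(alphabet_size, length) - entropy_bits(alphabet_size, length)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to try the whole keyspace at an assumed (illustrative) guess rate.
    Only meaningful if the password really is uniformly random: a memorable
    20-character phrase has far less entropy than 20 * log2(62), which is the
    non-random-sequence point made in the thread."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    full = entropy_bits(ALNUM, 20)
    print(f"20 random alphanumerics: {full:.2f} bits")                    # about 119 bits
    print(f"length leak costs: {bits_leaked_by_length(ALNUM, 20):.3f} bits")  # about 0.02 bits
    print(f"years at 1e12 guesses/s, 80 bits: {years_to_exhaust(80):.0f}")
    print(f"years at 1e12 guesses/s, 119 bits: {years_to_exhaust(full):.2e}")
```

The length disclosure costs a few hundredths of a bit against a random password; the real exposure is the one the thread identifies, a password that is memorable rather than random, which no length figure captures.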
elggawf
May 15, 2011, 03:38:19 PM
> I recommend Tycho accelerate the installation of an SSL certificate. They can be had for as low as $50 (perhaps cheaper if you shop around) at RapidSSL. Of course, if his server was hacked, this would not have helped. In fact, if his server were hacked, the email confirmation won't help either because they could access the database directly. Let's hope that was not the case.
> Kudos to Tycho for reacting in an honorable manner with regard to his customer's loss.
http://www.startssl.com/
Before you ask, no it's not the same thing as CACert - StartSSL actually has root certificates in most major OSes and browsers (and for what mining pools need, that's plenty).
^_^
Littleshop
Legendary
Offline
Activity: 1386
Merit: 1004
May 15, 2011, 04:07:21 PM
> We are not talking about you, but about security practices and how dumb some people are revealing their personal data on public forums without even realizing it
But you are talking about me since I'm the dummy who revealed the personal data that my deepbit password is over 20 characters long. Now, in a matter of months, if not sooner, any sufficiently crafty scriptkiddie could have access to my deepbit account. Or you have a well protected 19 character password!
cschmitz
Member
Offline
Activity: 98
Merit: 10
May 15, 2011, 04:30:37 PM
> I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed. (Please note: I can't guarantee that I can do such reimbursement in the future).
> Your money is safe and I'll give instructions on setting your address again. Please wait.
> A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
Big kudos to you for providing such a service.
proud 5.x gh/s miner. tips welcome at 1A132BPnYMrgYdDaRyLpRrLQU4aG1WLRtd
trentzb
May 15, 2011, 09:09:08 PM
@MemoryDealers
Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
MemoryDealers (OP)
VIP
Legendary
Offline
Activity: 1052
Merit: 1155
May 15, 2011, 09:20:24 PM
> @MemoryDealers
> Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
I was / still do check from my iPhone Safari browser as well.
Serge
Legendary
Offline
Activity: 1050
Merit: 1000
May 15, 2011, 09:49:32 PM
HTTPS would be nice, with mining software as well as the web interface over account forms, including log-ons. I'd say it's a must for any serious org. dealing with personal data of their users over the web.
Also, it is good practice to use secure connections while accessing mail and FTP servers too.
[Tycho]
May 15, 2011, 10:44:03 PM
> @MemoryDealers Forgot to ask, are you (or were you at the time) using any pool monitoring software/apps/webapps on Android/iPhone or other devices/computers to watch your deepbit account?
Yes, I asked the victims about this too, but it looks like it's not the case. Also, all of them used the same password for workers and main account. At least one said that he was using the same password on his e-mail account and this e-mail account was hacked.
Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks ! ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures ( NEW!). Third year in bitcoin business.
xf2_org
Member
Offline
Activity: 98
Merit: 13
May 16, 2011, 12:31:35 AM
> Also all of them used same password for workers and main account.
*facepalm* And people wonder why I am implementing Digest auth for miners....
[Tycho]
May 16, 2011, 10:39:06 PM
Your BTC balance is refunded :)
AntiVigilante
Member
Offline
Activity: 98
Merit: 10
May 18, 2011, 02:01:13 AM
HB Gary didn't teach the world anything.
minerX
Newbie
Offline
Activity: 56
Merit: 0
May 18, 2011, 03:19:32 AM
Wow. Can't believe he refunded the BTC! That's great service.
I was thinking about going solo mining but after this bit of service I'm going to stick with deepbit.
bournemt
Newbie
Offline
Activity: 2
Merit: 0
May 18, 2011, 02:26:15 PM
+1 Tycho
bitcoindaddy
May 18, 2011, 03:06:46 PM
FYI - Deepbit has SSL now (HTTPS).
cablepair
May 18, 2011, 03:51:52 PM
Dude,
the guy who uses that IP address (94.75.217.249) is on IRC right now.
irc.linode.com #linode, his nickname is takamichi.
He's not using that IP right now, but he has in the past.... (check Google)
iMMUNE 181msjFgfXo1LwFk8S9BLRYETNqD72yHCL
MemoryDealers (OP)
VIP
Legendary
Offline
Activity: 1052
Merit: 1155
May 18, 2011, 04:13:41 PM
Interesting! What can we do? Maybe someone could try to pose like they are going to do a deal with him to get his real contact information? Are we sure this is the same guy, or just someone else using the same proxy service?
cablepair
May 18, 2011, 04:50:13 PM
It does not appear to me to be a proxy; it comes from an ISP called LeaseWeb B.V. that is in the U.S., the Netherlands, and Germany. They do colocated and dedicated server leasing.
It is probably a co-located Linux box and probably hacked.
It's funny because this guy has a Chinese IRC nick and is using an IP from the Netherlands.
Chinese hackers are some of the most active anywhere, and some of the most industrious...
They probably used the same hacked Linux box for an IRC bouncer that they used to connect to deepbit to steal your BTC.
In any case it's very likely the person is not traceable, but it couldn't hurt to contact LeaseWeb B.V. and let them know that someone used an IP that they own to steal your money. They may do an investigation and they may not, but it's the best move you can make right now.
Here's the contact info for their U.S. office: +1 703 5522754
LeaseWeb Inc. 9480 Innovation Drive Suite 1, Manassas Virginia 20110
glad I could help... iMMUNE
181msjFgfXo1LwFk8S9BLRYETNqD72yHCL
fergalish
May 18, 2011, 10:01:17 PM
> 3. Back up the wallet.dat file it creates onto your USB stick. Better yet, do it onto two USB sticks. It's located at %APPDATA%\Bitcoin\wallet.dat. Keep both copies safe and secure.
I would just add to encrypt it with a good but easily memorized passphrase, print out the ASCII text and store it on your bookshelf. Take a photo of those pages, and upload to your Flickr account. etc. I would recommend against storing a valuable unencrypted wallet.dat anywhere.