Bitcoin Forum
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: [ANN] https://bitdaytrade.com - Bitcoin margin trading unrolled  (Read 3864 times)

runeks
August 19, 2012, 05:04:03 PM  #21

The site is down. What happened?
Meni Rosenfeld
August 19, 2012, 05:06:50 PM  #22

> The site is down. What happened?
Some security flaws have been suggested so Alberto has shut down the site until he can get home and work it out.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
runeks
August 19, 2012, 05:36:29 PM  #23

Cool. Thanks for the quick response. Nice to see a controlled take-down instead of a forced one.
eb3full
August 19, 2012, 06:01:05 PM  #24

> Cool. Thanks for the quick response. Nice to see a controlled take-down instead of a forced one.

Actually it was forced, there were dozens of SQL injections and the entire API was vulnerable to CSRF... he tried masking the vulnerabilities one at a time and pretending like they weren't there. At some point he just had to shut it off because he couldn't lie anymore, and because everybody withdrew what they had and their user database was corrupted intentionally so that people couldn't get others' password information.

I'm bothered by all the people ignoring just how badly this was botched and how he was dishonest about their password storage method.


"With four parameters I can fit an elephant, and with five I can make him wiggle his trunk." John von Neumann
buy me beer: 1HG9cBBYME4HUVhfAqQvW9Vqwh3PLioHcU
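To make the two defect classes named in the post above concrete from the defender's side, here is an added example; it is my own illustration, not code from bitdaytrade or from anyone in this thread. It shows a user lookup that splices input into SQL next to the same lookup with a bound parameter, and a state-changing call guarded by a per-session CSRF token. The users table, its rows, the `withdraw` function and the session dict are constructed stand-ins, not the site's schema or API.

```python
import hmac
import secrets
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample rows, not the site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "bcrypt-hash-placeholder-1"), ("bob", "bcrypt-hash-placeholder-2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weak pattern: user input is pasted into the SQL text, so a quote
    character in `name` changes the structure of the query instead of being data."""
    sql = "SELECT name, pw_hash FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The hardened form: a bound parameter is always treated as a string value,
    whatever characters it contains."""
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchall()


def issue_csrf_token(session):
    """Mint an unguessable per-session token and store it server-side."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def check_csrf(session, submitted):
    """Accept a state-changing request only if it carries the session's own token.
    A form posted from another origin cannot read the token, so it cannot supply it.
    Constant-time comparison avoids leaking how many leading bytes matched."""
    expected = session.get("csrf_token")
    if not expected or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def withdraw(session, submitted_token, amount):
    """Hypothetical state-changing API call guarded by the CSRF check."""
    if not check_csrf(session, submitted_token):
        return "rejected: missing or invalid CSRF token"
    return "withdrew %d" % amount


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a quote-bearing input where a plain username is expected
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no such user, nothing returned
    sess = {}
    tok = issue_csrf_token(sess)
    print(withdraw(sess, tok, 5))
    print(withdraw(sess, None, 5))
```

The point of running both lookups on the same input is that the fix is structural: the parameterised query needs no input filtering to behave correctly, because the driver never lets the value become part of the statement. The CSRF guard follows the same logic; it relies on the token being unreadable from another origin rather than on any property of the request that a third-party page could forge.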
runeks
August 19, 2012, 06:09:53 PM  #25

>> Cool. Thanks for the quick response. Nice to see a controlled take-down instead of a forced one.
>
> Actually it was forced, there were dozens of SQL injections and the entire API was vulnerable to CSRF... he tried masking the vulnerabilities one at a time and pretending like they weren't there. At some point he just had to shut it off because he couldn't lie anymore, and because everybody withdrew what they had and their user database was corrupted intentionally so that people couldn't get others' password information.
>
> I'm bothered by all the people ignoring just how badly this was botched and how he was dishonest about their password storage method.
Interesting. How do you know he experienced SQL injections? Are you talking about SQL injection vulnerabilities, or actual SQL injection attempts?

I have a hard time understanding why people who seem uneducated about computer security would want to develop an online bitcoin trading site. I would think the numerous hacks would work as a deterrent of some sort.
I sure as hell wouldn't open a site without some serious studying of these various vulnerabilities.
Ichthyo
August 20, 2012, 09:15:05 AM  #26

>> Actually it was forced, there were dozens of SQL injections and the entire API was vulnerable to CSRF...
> Interesting. How do you know he experienced SQL injections? Are you talking about SQL injection vulnerabilities, or actual SQL injection attempts?

There were some threads on reddit.
Several self-claimed security experts were posting there in a rather demanding and assertive tone.

They claimed that the site is littered with tons of beginner errors. When dissecting the posts and cutting away all that vanity and self-approval (which isn't untypical for these kinds of guys -- we know, we need to pay them some respect ;) --), then at least some facts were discovered, like a mechanism to gain other accounts' passwords, and a mechanism which would allow getting at the source code via the web.

Shortly thereafter, a business political quarrel unfolded, which seemingly was going on already behind the scenes for some time. The author and initiator of bitdaytrade seemingly was cooperating earlier this year with the guys behind Kronos.io and zipconf and they parted in dissent. The latter ones announced semi-publicly that they would do everything possible to hinder and block bitdaytrade. In the light of this information, it looks likely that the "uncovering" of these security holes was an orchestrated action.

Any serious IT professional would discuss such security holes in private with the operators first, instead of yelling in an unrelated public forum.

> I have a hard time understanding why people who seem uneducated about computer security would want to develop an online bitcoin trading site. I would think the numerous hacks would work as a deterrent of some sort.
> I sure as hell wouldn't open a site without some serious studying of these various vulnerabilities.
Well, speaking as a developer here, security can be a tricky matter. Today's web development frameworks are especially made to ease the process of creating web sites to the point where everyone and my grandmother can hack together an online business in 3 days. To build exactly the same service to even average professional standards and with a semi-hardened setup and serious testing would require lots of additional expertise and require about 20 times the effort (two months instead of 3 days), to start with.

This is a well-known and frequently discussed dilemma. People working in the industry and trying to keep up some kind of craftsmanship see themselves put under pressure by their bosses all the time ("hey, what are you toying around, my 15-year old son hacks together that crap in 3 days!"). Even large-scale companies fall for the temptation to make additional money by reducing time-to-market.
eb3full
August 20, 2012, 12:30:43 PM  #27

> Any serious IT professional would discuss such security holes in private with the operators first, instead of yelling in an unrelated public forum.

I don't know about the person who uncovered it first, but you may have missed this exchange with the owner:

http://www.reddit.com/r/Bitcoin/comments/y99z3/go_long_or_short_with_bitcoin_again_up_to_10x/c5tts8s?context=15

The guy identified many other vulnerabilities which I myself confirmed. I also independently found a couple. They were scattered over the website.

In that thread and on other occasions he outright denied there were issues, without even explaining. I'm sorry, but if the vendor doesn't seem to be adequately aware/concerned about the massive amounts of vulnerabilities, getting further public attention is warranted. That is the premise of responsible disclosure, after all.

rjk
August 20, 2012, 12:32:47 PM  #28

Isn't it cool how he suddenly disappeared, just like last time, to leave everyone else to clean up the mess? We haven't heard anything from him for days.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Meni Rosenfeld
August 20, 2012, 01:08:20 PM  #29

> Isn't it cool how he suddenly disappeared, just like last time, to leave everyone else to clean up the mess? We haven't heard anything from him for days.
Um, he didn't disappear. He was out of home for several days during which I communicated with him daily, he's back now and starting to work on resolving the situation. He also wrote a lengthy reply to the accusations just two days ago (was poorly formatted and didn't focus on the right things IMO but whatever). See also this.

It's fine to want responsiveness especially in times of turmoil, but people have lives too and things take more than a few minutes to resolve.

This is my 2000th post.

Ichthyo
August 20, 2012, 11:09:31 PM  #30

>> Any serious IT professional would discuss such security holes in private with the operators first, instead of yelling in an unrelated public forum.
>
> ... but you may have missed this exchange with the owner:
>
> http://www.reddit.com/r/Bitcoin/comments/y99z3/go_long_or_short_with_bitcoin_again_up_to_10x/c5tts8s?context=15
>
> The guy identified many other vulnerabilities which I myself confirmed. I also independently found a couple. They were scattered over the website.
Yes, those threads indicate that there might be problems, but actually they show no really verifiable information, aside from that demonstration with the password.

But besides that, those quoted threads show exactly that kind of adolescent and immature behaviour (by "marshal banana"), which voids much of the credibility of these accusations.


And, frankly, what's so difficult with doing it properly?

If someone finds a bug, what's so difficult with first writing a personal mail to the support?

And, in case the support really ignores such feedback (which I doubt, given my own experience with Bitdaytrade support), what's so difficult with publishing a well-researched report, including really verifiable material (like screenshots or a session transcript)? And what's so difficult with just refraining from calling another person a liar?


If you find what I write here outrageous, then there's a simple litmus test:

Let's assume you're a paid employee programmer, and this "Alberto" is your co-worker, sitting at the same desk 5 days a week. And let's assume your co-worker "Alberto" has lesser capabilities and tends to make a lot of errors. How would you deal with him? Yell at him? Call him an idiot?

See my point? Why are you dealing differently with an anonymous internet entity called "Alberto"?


To make one thing absolutely clear: No one denies that there are bugs and problems in Bitdaytrade. Like you, I've also found some and reported them, and for sure there is still some work required to get that platform into release shape. Guess that's why we're all here.
molecular
August 26, 2012, 09:09:06 AM  #31

It seems hardening the site takes some time... probably a good thing.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
MykelSilver
August 26, 2012, 09:17:00 AM  #32

I think the site has gone further here:
http://bitcoinmagazine.net/icbit-se-bitcoin-margin-trading-reloaded/

labestiol
August 28, 2012, 12:21:09 AM  #33

ICBIT had nothing to do with bitdaytrade (fortunately)

1BestioLC7YBVh8Q5LfH6RYURD6MrpP8y6
bitdaytrade (OP)
August 28, 2012, 07:22:22 AM  #34

https://bitcointalk.org/index.php?topic=93445.msg1139370#msg1139370
MPOE-PR
September 01, 2012, 03:59:56 PM  #35

Waves at Meni Rosenfeld.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
ciuciu
September 01, 2012, 05:03:46 PM  #36

> Waves at Meni Rosenfeld.

Waving from a wannabe porn star like you is not encouraging for Meni, since you are a man.

https://bitcointalk.org/index.php?topic=102333.msg1121264#msg1121264

Meni Rosenfeld
September 01, 2012, 07:18:38 PM  #37

> Waves at Meni Rosenfeld.
Ok.

Vod
September 06, 2012, 07:12:21 PM  #38

> Bitdaytrade Customer Support
>
> Hi there,
>
> Thanks for your interest in our services. Your funds are safe to a level with us because of the security practices in place at BDT. Such as, keeping the majority of funds offline, using double factor for all our exchanges account, processing withdrawal manually and storing your password using the bcrypt hashing method. What concerns you about "the buffer" ?
>
> Thank you
> BDT team


LOL - what is the level that they are safe until?  $250K value or $500K value?  When will you fake a theft and walk away with all the coins?

I post for interest - not signature spam.
https://elon.report - new BPI Reports!
https://vod.fan - fast/free image sharing - coming Nov