ASICMINER: Entering the Future of ASIC Mining by Inventing It

[empoweoqwj]

Thank you for all of your quick replies,

We will start to work on the following security implementations:

1. The option to Lock your account to a specific IP

2. Required 2FA for withdrawal / optional for order execution

3. Once 2FA is enabled, you will be required to enter your 2FA to view the private key or to disable 2FA on your account.


Once again thank you for all of your support,

Havelock Investments

Good ideas. But I have lost everything. Too late for me. I knew the risks coming in. But I have just lost $50,000 + even though i had 2FA enabled

I won't bother posting again. You didn't reply to my support email so I will safely assume you aren't going to do anything to help me out.

Time to move on, out of bitcoins. The risk was always obvious. Its only when it hits you in the face your realise how real the risk is.

To repeat, I don't believe I was keylogged. Nothing else has been stolen such as other coins or paypal or bank stuff. No check I have run on my Mac suggest I have keylogging software installed. This was a very professional job from people that knew exactly how havelock worked. Not havelock employees, why would they do that? But hackers very intimate with how havelock worked.

I don't know what to  say now. Its been the worst 48 hrs of my life. I'll leave it at that. Peace.

[empoweoqwj]

Damn ... shit. This is sick. Did you have 2FA backup somewhere in the same PC?

2FA key was written down on paper as "backup".

I am just wondering how could that happened? it seems impossible if you have 2FA

Maybe 2FA on rooted/jailbroken device ... and attacker infected both devices pc and smartphone/tablet via same router.

EDIT : I assume you're in Thailand ... 90% of smartphones there are rooted.

EDIT2 : Damn, from today I'll login to Havelock only from TailsOS ... I feel sorry for your lose mate, its really devastating. I wish we could do something about it.

My iphone is not jailbroken. I bought it from UK direct from Apple. Never attempted to get it jailbroken.

[empoweoqwj]

Damn ... shit. This is sick. Did you have 2FA backup somewhere in the same PC?

2FA key was written down on paper as "backup".

I am just wondering how could that happened? it seems impossible if you have 2FA

Maybe 2FA on rooted/jailbroken device ... and attacker infected both devices pc and smartphone/tablet via same router.

EDIT : I assume you're in Thailand ... 90% of smartphones there are rooted.

EDIT2 : Damn, from today I'll login to Havelock only from TailsOS ...

Probably jailbroken at MBK?
I have to chime in, I'm also really sorry to hear that. I can only try and fathom how that feels. This makes me truly sad and angry!
Just to address other questions/vulnerabilities: When was the last time you changed your password? Is it unique? Did you at some point land on a phishing site, i.e. a Havelock-copy (I guess you may not have noticed it)?

I'd like a comment from Havelock. I guess you guys have already contacted them? I'm, just pointing them to this problem, as well.

In many of the cases it's actually a person close to the victim, probably living in your own house or a friend or someone with actual physical access to your computer and phone. There were many such cases. Might even be your wife or lover.

Also there might be another possibility no one here discussed and that is the possibility of this guy lying to prop up another exchange. I'm not saying it's the case but it's possible.

I live on my own. Nobody has access to my computer or phone. I don't have wife or lover. I understand the theory, no problem, but its not what happened in this case.

[BuildTheFuture]

If we take a look at the numbers, we can see that:

The power consumption of the new chips (3rd gen) is 0.2~0.35 J/GHash [1];
and the power consumption of the chips about to be sold is 600 W/THash = 0.6 J/GHash [2].

The numbers are different, so are the chips, seemingly.


[1] https://bitcointalk.org/index.php?topic=438359.msg4816701#msg4816701
[2] https://bitcointalk.org/index.php?topic=99497.msg5153058#msg5153058

Actually I think the lower power consumption Friedcat mentioned is internal to the chips. But the 600W advertised for this new device is how much it would use at the wall. There are voltage conversions from the wall at least twice before the electricity gets into the chips, this causes the at the wall usage to be higher. It's the same on any device, for example the Bitmain Antminers, they advertise in their thread title the power is as low as 0.7 J/GH, but the actual devices take 2 J/GH from the wall.

Well I'm still curious if anyone else knows anything about this Weibo offer/page/guy.

[bitcoin.newsfeed]

My iphone is not jailbroken. I bought it from UK direct from Apple. Never attempted to get it jailbroken.

Not compromised 2FA device, backup written offline on paper, nobody else has access to your pc ... antivirus check is nothing, nowadays viruses are 24/7 totally fud(undetectable in any AV) <<< but still ...  now i don't have an idea how is that possible, maybe mitm attack as someone suggested, but GA provides a one-time password. Professional job indeed. I would really like to know, how is that possible.

Btw the best security what i ever seen in bitcoinland has Kraken, Havelock should learn from them. Separate 2FA for login and for trades, withdrawals, change of settings has custom time-lock, encrypted mails. Just awesome.

[arousedrhino]

2fa on withdraw is a decent roadblock to mitm attacks that can circumvent the initial 2fa sign in. Additionally I think the 2fa email is also a decent idea but less robust for obvious reasons

I like 2FA via e-mail because my e-mail account is set up with 2FA via a text message to my cell phone.  With 2FA via e-mail, a hacker would have to hack my e-mail account in order to access my Havelock account.  In order to hack my e-mail account, he would also have to hack my cell phone.

That doesn't make sense all he has to do is hack your email account and get the email you had forwarded as a text message or disable the forwarding. He only needs to compromise the cell phone or email account.

[shawshankinmate37927]

I like 2FA via e-mail because my e-mail account is set up with 2FA via a text message to my cell phone.  With 2FA via e-mail, a hacker would have to hack my e-mail account in order to access my Havelock account.  In order to hack my e-mail account, he would also have to hack my cell phone.

That doesn't make sense all he has to do is hack your email account and get the email you had forwarded as a text message or disable the forwarding. He only needs to compromise the cell phone or email account.

In order to access my e-mail account the hacker would have to provide the code that is sent as a text message to my cell phone.  (https://support.google.com/accounts/answer/180744?hl=en)  I'm not sure what you mean by e-mail that I "had forwarded as a text message".  My e-mails aren't forwarded as text messages to my cell phone.

[robix]

Sorry guys, I don't get it. What has my GMail account to do with the GAuth app on my smartphone. Even if the GMail account is hacked, I don't see how to get control over the GAuth 2FA (particularly th secret keys) on the phone. Can someone explain?

Edit: typo

[shawshankinmate37927]

Sorry guys, I don't get it. What has my GMail account to do with the GAuth app on my smartphone.

Nothing.  They're two different things.  I'm just saying that I prefer 2FA via an e-mail instead of Google Authenticator.

[robix]

Sorry guys, I don't get it. What has my GMail account to do with the GAuth app on my smartphone.

Nothing.  They're two different things.  I'm just saying that I prefer 2FA via an e-mail instead of Google Authenticator.

That's my understanding. So I don't have a clue how empoweoqwj's Havelock account could be robbed.

[electerium]

Sorry guys, I don't get it. What has my GMail account to do with the GAuth app on my smartphone.

Nothing.  They're two different things.  I'm just saying that I prefer 2FA via an e-mail instead of Google Authenticator.

That's my understanding. So I don't have a clue how empoweoqwj's Havelock account could be robbed.

mitm attack, very well documented in being able to circumvent 2fa

[substratum]

To repeat, I don't believe I was keylogged. Nothing else has been stolen such as other coins or paypal or bank stuff.

You could possibly attribute the lack of theft of other accounts to difficulty/risk to cash them out anonymously compared with Bitcoin I suppose. As far as your Mac security goes, do you use Little Snitch to watch for anomalous outbound connections? Most Mac malware would be revealed using that alone (for now).

[arousedrhino]

I like 2FA via e-mail because my e-mail account is set up with 2FA via a text message to my cell phone.  With 2FA via e-mail, a hacker would have to hack my e-mail account in order to access my Havelock account.  In order to hack my e-mail account, he would also have to hack my cell phone.

That doesn't make sense all he has to do is hack your email account and get the email you had forwarded as a text message or disable the forwarding. He only needs to compromise the cell phone or email account.

In order to access my e-mail account the hacker would have to provide the code that is sent as a text message to my cell phone.  (https://support.google.com/accounts/answer/180744?hl=en)  I'm not sure what you mean by e-mail that I "had forwarded as a text message".  My e-mails aren't forwarded as text messages to my cell phone.

That makes sense. Sorry I didn't realize you meant 2FA for the email login as well. I don't have that on and I think most people don't because of the inconvenience. In your case though it does add another layer of security.

[jimmothy]

A miner which use asicminer gen3 chip now on pre-sale, the poster is very famous in Chinese Bitcoin circle. This is the translation of the weibo post:

Miner presale Details:
Miner price :11000 RMB/T (1813 USD/T), full payment in advance.
Power consumption: 600W/T.
If a single miner's speed doesn't meet the design requirements, or beyond the design requirements, in accordance 11000RMB / T price, refund for any overpayment or a supplemental payment for any deficiency.
If you order more than 10T , it is 10000RMB/T.
April 20 is the deadline, if not shipped on time, we'll give you a full refund!
Tel: 13581816335 Zhao Dong's QQ group: 326548639

In the weibo below, one people replys:
So cheap, is it Asicminer's chip?
Zhao replys:"Yes"
Then he ask again:
Asicminer's gen3 haven't tapeout yet, can it mass production in April?
Zhao replys:"Almost"

Sorry for my poor English translation, the original weibo can be found here:
http://weibo.com/1658066713/AwIw85hLy

I have snapshoted the weibo and the chat.

Is this legit?

If so how do I buy one?

Seems like a great deal. Half the price of a knc neptune and less power consumption.

[elasticband]

If we take a look at the numbers, we can see that:

The power consumption of the new chips (3rd gen) is 0.2~0.35 J/GHash [1];
and the power consumption of the chips about to be sold is 600 W/THash = 0.6 J/GHash [2].

The numbers are different, so are the chips, seemingly.


[1] https://bitcointalk.org/index.php?topic=438359.msg4816701#msg4816701
[2] https://bitcointalk.org/index.php?topic=99497.msg5153058#msg5153058

this could be the reseller protecting himself against possible performance discrepancies

[bitcoin.newsfeed]

Guys, maybe you can help me. I'll be speaking with some potential big investors about bitcoin mining next week. And I want to introduce them to our AM immersion cooling project & custom made datacenters. So I'am gathering all possible informations about it for my presentation. I remember that in AM Immersion Cooling exhibition materials on google drive was one *.pdf document, with very useful and visionary thoughts, which I can use. I have thumbnail >



https://drive.google.com/folderview?id=0ByWHHc0u_thNSWhHS18xM2ZXSUU#grid

But that document is no longer there. Does someone have that document? Thanks

[trilogy456]

Some useful info, that you may already have, but maybe helpful to others:

http://www.allied-control.com/blog/understand-immersion-cooling-pdf-presentations

http://www.allied-control.com/publications/Immersion_Cooling_Presentation_V3.pdf

https://bitcointalk.org/index.php?topic=313087

https://bitcointalk.org/index.php?topic=346134.0

http://www.youtube.com/watch?v=oZavKweMrP4

[blueyes]

Thank you for all of your quick replies,

We will start to work on the following security implementations:

1. The option to Lock your account to a specific IP

2. Required 2FA for withdrawal / optional for order execution

3. Once 2FA is enabled, you will be required to enter your 2FA to view the private key or to disable 2FA on your account.


Once again thank you for all of your support,

Havelock Investments

Good ideas. But I have lost everything. Too late for me. I knew the risks coming in. But I have just lost $50,000 + even though i had 2FA enabled

I won't bother posting again. You didn't reply to my support email so I will safely assume you aren't going to do anything to help me out.

Time to move on, out of bitcoins. The risk was always obvious. Its only when it hits you in the face your realise how real the risk is.

To repeat, I don't believe I was keylogged. Nothing else has been stolen such as other coins or paypal or bank stuff. No check I have run on my Mac suggest I have keylogging software installed. This was a very professional job from people that knew exactly how havelock worked. Not havelock employees, why would they do that? But hackers very intimate with how havelock worked.

I don't know what to  say now. Its been the worst 48 hrs of my life. I'll leave it at that. Peace.

that is a unlucky thing. I wanted to transfer my derect AM shares to havelock serveral days ago,but I feel havelock is not safe enough ,so I didnt .I think havelock is lazy,it has  been a long time since btct is closed and  havelock  became the only one stock exchange,havelock should do better

why not add  the option to Lock  a specific  withdraw address?  if want to change withdraw address need to wait 24 hours and a confirmed email ,btct had the option and I think it is good.

another problem,when I click "sign in/register" button in Havelock,it sometimes go to "Home ". the layout is bad

[whalezy]

Here at Havelock we take security issues very seriously.

We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that is account has been compromised and are looking to resolve the matter has soon as possible.

Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.

So we turn to you, our valued customers, what features would like us to add to our platform?

1. Confirmation email before any action is taken; some but not all actions.

2. Pending withdrawal of your Bitcoins; time lock?

3. Lock account by IP address?

We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.

Also we can assure everyone that it was not an "inside rogue employee"

Thank you,

Support Team
Havelock Investments

Not No.3, Havelock was banned by Chinese government, I always view your site through a proxy.

[whalezy]

A miner which use asicminer gen3 chip now on pre-sale, the poster is very famous in Chinese Bitcoin circle. This is the translation of the weibo post:

Miner presale Details:
Miner price :11000 RMB/T (1813 USD/T), full payment in advance.
Power consumption: 600W/T.
If a single miner's speed doesn't meet the design requirements, or beyond the design requirements, in accordance 11000RMB / T price, refund for any overpayment or a supplemental payment for any deficiency.
If you order more than 10T , it is 10000RMB/T.
April 20 is the deadline, if not shipped on time, we'll give you a full refund!
Tel: 13581816335 Zhao Dong's QQ group: 326548639

In the weibo below, one people replys:
So cheap, is it Asicminer's chip?
Zhao replys:"Yes"
Then he ask again:
Asicminer's gen3 haven't tapeout yet, can it mass production in April?
Zhao replys:"Almost"

Sorry for my poor English translation, the original weibo can be found here:
http://weibo.com/1658066713/AwIw85hLy

I have snapshoted the weibo and the chat.

Is this legit?

If so how do I buy one?

Seems like a great deal. Half the price of a knc neptune and less power consumption.

they accept hosting miners for their customers, but you need to pay for the electricity fee, about 0.15 dollar per KWH