Topic: .. - page 2. (Read 2844 times)

legendary
Activity: 2128
Merit: 1073
May 26, 2015, 10:30:55 PM
#28
Tell me then, how much would it cost to set up a datacenter in a couple of countries, buy the equipment, and hire employees? I think you are vastly overestimating how much the advertising revenue brought in could support.
I'm not going to give you a quote just to prove myself; I charge for such services and I'm positive that you are neither serious nor authorized to purchase anything.

But one thing is worth mentioning: "hire employees". For a physical colocation, "remote hands" services are usually available in increments of 15 minutes. What I'm positive of is that after buying and paying for "remote hands" a couple of times, which normally involves a telephone/FaceTime/Skype conversation with the remote contractor, the possibility of "social engineering" essentially disappears.

The worst "hacks" that happened on my watch were nothing more than equipment destruction or theft (for wipe & resale).

legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
May 26, 2015, 09:52:05 PM
#27
You are just bullshitting. I've been doing exactly that professionally (mostly as a consultant) for many years. Yeah, it is somewhat more expensive, especially in the upfront capital cost, but the operating expenses are frequently actually lower. It is a perfect solution for "a website" even with much less traffic than this one.

In particular, the reliability is better if the owner of the equipment is conscientious and willing to learn, because there is no blaming "somebody else". Also, the customer service staff for the physical colocation customers is typically way more responsible and conscientious.

The "professional datacenters" that have equipment leasing included in their rental fees are the dreck of the datacenter business, because they by necessity serve mostly fly-by-nights. It seems to me like you've never owned the equipment in any datacenter, so you don't really have a basis to make a real judgment.

Tell me then, how much would it cost to set up a datacenter in a couple of countries, buy the equipment, and hire employees? I think you are vastly overestimating how much the advertising revenue brought in could support.
legendary
Activity: 2128
Merit: 1073
May 26, 2015, 09:45:20 PM
#26
I suppose it's not entirely out of the question, but colocating our own equipment probably isn't the best idea either. It would be less than cost effective, and forum uptime and reliability would be far less than it is with professional datacenters. What country to place the datacenter in would be another issue, and hiring employees to manage it doesn't sound too appealing. It sounds like a complete mess, and something unnecessary for a forum. This is a website, a large one at that, but the Bitcoin forum isn't Google.
You are just bullshitting. I've been doing exactly that professionally (mostly as a consultant) for many years. Yeah, it is somewhat more expensive, especially in the upfront capital cost, but the operating expenses are frequently actually lower. It is a perfect solution for "a website" even with much less traffic than this one.

In particular, the reliability is better if the owner of the equipment is conscientious and willing to learn, because there is no blaming "somebody else". Also, the customer service staff for the physical colocation customers is typically way more responsible and conscientious.

The "professional datacenters" that have equipment leasing included in their rental fees are the dreck of the datacenter business, because they by necessity serve mostly fly-by-nights. It seems to me like you've never owned the equipment in any datacenter, so you don't really have a basis to make a real judgment.
legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
May 26, 2015, 09:30:20 PM
#25
I posted the simple solutions elsewhere, I'll repost it here:

https://bitcointalksearch.org/topic/m.11453289

Easily preventable on two levels:

1) colocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium. Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP-UX respectively.

I suppose it's not entirely out of the question, but colocating our own equipment probably isn't the best idea either. It would be less than cost effective, and forum uptime and reliability would be far less than it is with professional datacenters. What country to place the datacenter in would be another issue, and hiring employees to manage it doesn't sound too appealing. It sounds like a complete mess, and something unnecessary for a forum. This is a website, a large one at that, but the Bitcoin forum isn't Google.
legendary
Activity: 1540
Merit: 1002
May 26, 2015, 09:08:45 PM
#24
For example, this recent hack, there is no reasonable solution that Theymos could have done to prevent this. If you know the solution, let us know  Wink
I posted the simple solutions elsewhere, I'll repost it here:

https://bitcointalksearch.org/topic/m.11453289

Easily preventable on two levels:

1) colocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium. Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP-UX respectively.



Just had a look at the article and all I can say is what the hell. Either the root password was piss poor or he got lucky. And on top of that, no whitelist for IP login? That's asking to get ass raped. All ROOT logins should be whitelisted; it's a basic security feature. Or even 2 levels of security, like 2 passwords. Be interesting to know if it was being brute forced too, and if it was, how that many attempts went unnoticed. Maybe a failed login attempt warning would be a good idea.

There's loads of defenses out there and now I've read the article I'm pretty shocked. I was expecting a datacenter backdoor being used, not walking in the front door.

https://bitcointalksearch.org/topic/about-the-recent-server-compromise-1067985

A few suggesting it was an inside job by someone xD. Think it's unlikely unless they were blackmailed into it. But still, get a damn whitelist in place and do it now Tongue. Maybe I should come up with ideas for security, it's fun Cheesy

Maybe have a table in a secret location; all mods get a key and only 2 mods turning the keys at the same time can change any forum code or access the servers... ooo, with hand scanners and retinal scanners to confirm the changes... just a thought.
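The two controls suggested in the post above (an IP whitelist for root logins and an alert on repeated failed logins) as an added example; this is not code from the thread or from the forum's own setup. The script parses OpenSSH auth log lines, counts password failures per source address, flags any accepted root login from outside an allowlist of CIDR ranges, and prints the sshd_config fragment that would enforce that allowlist. The log lines, the 198.51.100.0/24 allowlist and the threshold of three failures are constructed assumptions; the addresses are documentation ranges.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# OpenSSH syslog message shapes this audit recognises.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not from the incident). 203.0.113.7 hammers root with
# passwords and eventually succeeds; 198.51.100.10 is an admin host on the allowlist.
SAMPLE_LOG = """\
May 26 20:01:03 forum sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 26 20:01:05 forum sshd[1234]: Failed password for root from 203.0.113.7 port 51235 ssh2
May 26 20:01:08 forum sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
May 26 20:01:11 forum sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51237 ssh2
May 26 20:02:40 forum sshd[1240]: Accepted publickey for root from 198.51.100.10 port 40022 ssh2
May 26 20:03:12 forum sshd[1250]: Accepted password for root from 203.0.113.7 port 51240 ssh2
May 26 20:04:00 forum sshd[1260]: Failed password for deploy from 198.51.100.10 port 40030 ssh2
"""

# Assumed allowlist: only this management range may log in as root.
ADMIN_ALLOWLIST = ["198.51.100.0/24"]


def parse_line(line):
    """Return ("failed"|"accepted", user, ip) for recognised sshd lines, else None."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m.group("user"), m.group("ip"))
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m.group("user"), m.group("ip"))
    return None


def in_allowlist(ip, allowlist_cidrs):
    """True if the address falls inside any allowlisted CIDR range."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in allowlist_cidrs)


def audit(log_text, allowlist_cidrs, fail_threshold=3):
    """Count failures per source and flag root logins from outside the allowlist."""
    failures = Counter()
    root_outside_allowlist = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        kind, user, ip = event
        if kind == "failed":
            failures[ip] += 1
        elif kind == "accepted" and user == "root" and not in_allowlist(ip, allowlist_cidrs):
            root_outside_allowlist.append(ip)
    # Sources at or above the threshold are the "failed login attempt warning" candidates.
    brute_force_sources = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {
        "failures_by_source": dict(failures),
        "brute_force_sources": brute_force_sources,
        "root_logins_outside_allowlist": root_outside_allowlist,
    }


def sshd_config_snippet(allowlist_cidrs):
    """sshd_config fragment: deny root everywhere, allow key-only root from the allowlist."""
    return (
        "PermitRootLogin no\n"
        f"Match Address {','.join(allowlist_cidrs)}\n"
        "    PermitRootLogin prohibit-password\n"
    )


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ADMIN_ALLOWLIST)
    for ip in report["brute_force_sources"]:
        print(f"WARNING: {report['failures_by_source'][ip]} failed logins from {ip}")
    for ip in report["root_logins_outside_allowlist"]:
        print(f"ALERT: root login accepted from non-allowlisted address {ip}")
    print(sshd_config_snippet(ADMIN_ALLOWLIST))
```

With the sample log the audit reports 203.0.113.7 both as a brute-force source (four failures) and as a non-allowlisted root login, while the single failure from the admin host stays below the threshold. The config fragment turns the whitelist into enforcement rather than just detection: root is refused globally and only accepted, key-only, from the Match Address block.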
legendary
Activity: 2128
Merit: 1073
May 26, 2015, 08:40:35 PM
#23
For example, this recent hack, there is no reasonable solution that Theymos could have done to prevent this. If you know the solution, let us know  Wink
I posted the simple solutions elsewhere, I'll repost it here:

https://bitcointalksearch.org/topic/m.11453289

Easily preventable on two levels:

1) colocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium. Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP-UX respectively.

legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
May 26, 2015, 07:59:51 PM
#22
Not going to say much, but donations and stuff are there to support and fix issues in time of need. I don't know, maybe everyone's passwords getting stolen is a time of need. Don't know why theymos sits on a large stack of BTCBTCBTC, maybe he wants his own island or something. As for mod payments, I don't want to upset you, but recently it's not the hardest job Shocked but you still do a good job Smiley please don't shout at me

Yep, donations and such are to fix issues in time of need. Some issues though aren't fixed by throwing all of your money at them. For example, this recent hack, there is no reasonable solution that Theymos could have done to prevent this. If you know the solution, let us know  Wink

I didn't say that moderating was hard, it just takes time. My point was that moderators are still technically volunteers; the staff (Theymos included) aren't bleeding the forums dry of funds. Donations have never been used to pay any Moderators/Admins, and funds or lack of funds isn't the issue. People hack websites that are targets, and Bitcointalk is a target. The fact that the hackers didn't find a vulnerability in the site, and instead targeted the host, says a lot. Facebook was hacked with a 1.05 Billion dollar private datacenter. We could spend every last penny to set up a tiny data center on an isolated island and hire one armed guard to prevent this same issue from happening again, but we can't really say that is a reasonable solution.

*edit*

Donators funds have never been touched.

How do the donators feel about that? I guess it's better knowing they're still somewhere than not knowing what was done with them.

I'd be pissed Smiley if donations are just sitting there, then what's the point in donating? Even worse when they could be being used to improve/tighten security.


Donators were told that Donations would be used for new forum software, which is in production. I meant that donator's funds have never been touched by Staff/Admins.

Again, how would you increase security? There isn't a hole in which to throw money that gives you what you want. New more secure forum software is in production, but it wouldn't have helped in this case.


I've actually been through DDoS suggestions on here in the past. Don't know if they didn't like my idea or it was just ignored. I'd set up a few cheap VPS load balancers, with software set so it can only respond to certain requests, so it filters out damaging traffic to the main website. I know DDoS attacks are getting bigger and more complex, but so are defenses. And in fairness this isn't a massive site, so it doesn't attract the worst DDoS or hackers, mostly because it's a forum and there's little info/money to be gained from it. I do however respect the fact passwords were at least encrypted... seen a lot bigger sites fall at that point.

The forum does have multiple hosts to help mitigate DDoS attacks. One of those hosts is what allowed the latest hack to happen.
legendary
Activity: 1540
Merit: 1002
May 26, 2015, 07:59:15 PM
#21
Donators funds have never been touched.

How do the donators feel about that? I guess it's better knowing they're still somewhere than not knowing what was done with them.

I'd be pissed Smiley if donations are just sitting there, then what's the point in donating? Even worse when they could be being used to improve/tighten security.

legendary
Activity: 1540
Merit: 1002
May 26, 2015, 07:56:10 PM
#20
There are some very clever hackers hiding on this forum and in bitcoin-world in general. You need to stay on your toes at all times.

You can always leave and also the OP can always leave. However, yes, this time it was due to a social engineering attack... really impressive how easy it was.

Actually Theymos already said it wasn't a social engineering attack, they just haven't said what it was yet.

I'm betting theymos's password is "theymos is AWESOME", but seriously, with the amount this forum has earned for him you'd think he'd keep on his toes about stuff: DDoS attacks and hacking.

What would you suggest for preventing both? I'm sure theymos would be very grateful if you could lend your ideas. He might have money to invest but it doesn't grant him unlimited knowledge. It's not as simple as you make it sound. Many multi-million websites have been exploited and DDoSed.

I've actually been through DDoS suggestions on here in the past. Don't know if they didn't like my idea or it was just ignored. I'd set up a few cheap VPS load balancers, with software set so it can only respond to certain requests, so it filters out damaging traffic to the main website. I know DDoS attacks are getting bigger and more complex, but so are defenses. And in fairness this isn't a massive site, so it doesn't attract the worst DDoS or hackers, mostly because it's a forum and there's little info/money to be gained from it. I do however respect the fact passwords were at least encrypted... seen a lot bigger sites fall at that point.
legendary
Activity: 3010
Merit: 8114
May 26, 2015, 07:53:37 PM
#19
Donators funds have never been touched.

How do the donators feel about that? I guess it's better knowing they're still somewhere than not knowing what was done with them.
legendary
Activity: 1540
Merit: 1002
May 26, 2015, 07:47:32 PM
#18
Heh, what do you think that money that is made hand over nutsack is used for? Creating new forum software, security bounties, etc.

And your salaries, is it not?

The Staff and Admins split somewhere around 10-15% of monthly advertising revenues. Donators funds have never been touched. Mod payments aren't considered salaries, they are considered tips as they aren't guaranteed, and for the time spent moderating, staff members are far better off getting a minimum wage job at a McDonalds. It is however a nice gesture, and a result of the forums not really needing any more money (the same reason donations are no longer solicited).

Not going to say much, but donations and stuff are there to support and fix issues in time of need. I don't know, maybe everyone's passwords getting stolen is a time of need. Don't know why theymos sits on a large stack of BTCBTCBTC, maybe he wants his own island or something. As for mod payments, I don't want to upset you, but recently it's not the hardest job Shocked but you still do a good job Smiley please don't shout at me
hero member
Activity: 616
Merit: 500
May 26, 2015, 07:43:15 PM
#17
There are some very clever hackers hiding on this forum and in bitcoin-world in general. You need to stay on your toes at all times.

You can always leave and also the OP can always leave. However, yes, this time it was due to a social engineering attack... really impressive how easy it was.

Actually Theymos already said it wasn't a social engineering attack, they just haven't said what it was yet.

I'm betting theymos's password is "theymos is AWESOME", but seriously, with the amount this forum has earned for him you'd think he'd keep on his toes about stuff: DDoS attacks and hacking.

What would you suggest for preventing both? I'm sure theymos would be very grateful if you could lend your ideas. He might have money to invest but it doesn't grant him unlimited knowledge. It's not as simple as you make it sound. Many multi-million websites have been exploited and DDoSed.
legendary
Activity: 1540
Merit: 1002
May 26, 2015, 07:40:54 PM
#16
There are some very clever hackers hiding on this forum and in bitcoin-world in general. You need to stay on your toes at all times.

You can always leave and also the OP can always leave. However, yes, this time it was due to a social engineering attack... really impressive how easy it was.

Actually Theymos already said it wasn't a social engineering attack, they just haven't said what it was yet.

I'm betting theymos's password is "theymos is AWESOME", but seriously, with the amount this forum has earned for him you'd think he'd keep on his toes about stuff: DDoS attacks and hacking.
legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
May 26, 2015, 07:29:42 PM
#15
Heh, what do you think that money that is made hand over nutsack is used for? Creating new forum software, security bounties, etc.

And your salaries, is it not?

The Staff and Admins split somewhere around 10-15% of monthly advertising revenues. Donators funds have never been touched. Mod payments aren't considered salaries, they are considered tips as they aren't guaranteed, and for the time spent moderating, staff members are far better off getting a minimum wage job at a McDonalds. It is however a nice gesture, and a result of the forums not really needing any more money (the same reason donations are no longer solicited).
legendary
Activity: 3010
Merit: 8114
May 26, 2015, 07:22:25 PM
#14
Heh, what do you think that money that is made hand over nutsack is used for? Creating new forum software, security bounties, etc.

And your salaries, is it not?
legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
May 26, 2015, 07:20:52 PM
#13
You have to realize that hackers hate BCT. They've been hacked and had long downtimes quite a lot in the history.

Yeah, Bitcointalk is one of the larger forums in the world. I don't know the actual statistic, but I'm sure it gets a lot more attempted attacks than is publicly known. I don't think the forum's track record is all that bad though; two or three hacks come to mind in 5 years. Some DDoS too, but you can't really prevent that.

Dude, they're making money hand over nutsack. You don't have to thank them for anything. They should be thanking us.

Heh, what do you think that money that is made hand over nutsack is used for? Creating new forum software, security bounties, etc.
legendary
Activity: 3010
Merit: 8114
May 26, 2015, 07:17:14 PM
#12
Ignore this if you want to read something interesting. I only want to say thank you to the owners of BT. There were some downs but you did repair it, and if someone is angry at you, why? You can't protect a forum 100% and we should know that you are doing it as well as you can.

Dude, they're making money hand over nutsack. You don't have to thank them for anything. They should be thanking us.
sr. member
Activity: 252
Merit: 250
Go figure! | I'm nearing 1337 posts...
May 26, 2015, 07:13:58 PM
#11
You have to realize that hackers hate BCT. They've been hacked and had long downtimes quite a lot in the history.
hero member
Activity: 532
Merit: 500
no longer selling accounts
May 26, 2015, 06:42:37 PM
#10
Well, it's impossible to be completely secure from an attack... the admins ARE human. My concern is how easily the hackers were able to get in.

How do you know it was easy? How do you know that this was the first attempt?
I would hope that previous social engineering attacks would have been reported both internally (within the company) and to theymos. This would have allowed both to take additional precautions to prevent this kind of attack.

It is however possible that getting KVM access was attempted multiple times.
legendary
Activity: 1666
Merit: 1185
dogiecoin.com
May 26, 2015, 06:32:08 PM
#9
Well, it's impossible to be completely secure from an attack... the admins ARE human. My concern is how easily the hackers were able to get in.

How do you know it was easy? How do you know that this was the first attempt?