
Topic: [1423GH] ABCPool PPS - Proxy Pool For High & Steady Mining Rewards - page 47. (Read 151781 times)

legendary
Activity: 1147
Merit: 1007
In what timezone is ABCPool located? I really want my coins out :(
In approx. 90 minutes we'll deploy payout-address locking.  At that moment payouts will be enabled again.
sr. member
Activity: 305
Merit: 250
Trust but confirm!
In what timezone is ABCPool located? I really want my coins out :(
full member
Activity: 121
Merit: 100
I moved ~4.5k GH/s over here a few minutes back. If they seem stable/running in the morning, I'll be moving an additional 12k over.

Here's to hoping ;)
legendary
Activity: 1147
Merit: 1007
Is the purpose of not having a fee to attract users only to increase the hash rate of the pool, thus making a smoother pool for everyone?
Our intentions were to create a stable pool with a respectable size. We want to introduce fees only as soon as we are confident that our miners get value for their money when mining with us. With the recent improvements we feel that moment is not far away now.
Quote
For the pool security my idea is this:
Make the PIN only for changing the payout address, password, or PIN. Immediately log out the account on a failed PIN entry.
The PIN-mechanism was inherited from SimpleCoin, and we were never completely satisfied with it. It will either receive a makeover like you suggested or be replaced by a better mechanism. Thanks for your suggestions!

MC
legendary
Activity: 1147
Merit: 1007
Brian, Chunglam, LoupGaroux & Hotdog453: Thanks for your kind words and your generous attitude! As you may have guessed ABCPool is a spare-time-and-money project for us. The support from people like you encourages us to keep improving ABCPool despite whatever setbacks we encounter. So thanks!

Reimbursement
We have a pretty good idea of the people and amounts that went missing. To be sure, we'd like to invite those that have lost funds and have not yet responded through the forum, to PM us with the details.

Chlorine & I have been thinking about how to handle reimbursement in a way that everybody will be happy, and I think we may have found a solution that could have your support. I'll come back to that later this week. First I'd like to talk about some updates on the security front!

SECURITY UPDATE: Moments ago we've activated HTTPS access through https://www.abcpool.co, allowing encrypted access to ABCPool. We did not want to spend the resources for a third-party SSL Certificate so it's self-signed for the time being. That means you'll get a warning, which will disappear when you add our CA to your trusted authorities store. For details: http://www.abcpool.co/faq.php#toc4. On Windows the process is real easy; for other systems... I have no idea. If you figure it out for your device, don't forget to share it with the rest of us.

Another security feature that will be launched shortly is a permanent payout-address lock.

And as promised earlier, payouts will continue this Sunday evening/night.

MC
full member
Activity: 121
Merit: 100
You handled the issue well. I utilize you guys as a backup, and might be moving a big chunk, ~15k or so GHs, over here in a few days. Good work.
newbie
Activity: 23
Merit: 0
I'm affected too. Transaction of 4.02765368 BTC to 1KRJK2nAb78PU4b8ro3uG3HXsSH3mWq5Q at 2011-11-02 10:44
sr. member
Activity: 373
Merit: 262
Is the purpose of not having a fee to attract users only to increase the hash rate of the pool, thus making a smoother pool for everyone?

I think it's perfectly acceptable to give a small portion to the pool owners. But why can't it be like 1% for everyone? Instead of say, 1/4 of the nice users giving 4% and everybody else giving 0%.


For the pool security my idea is this:
Make the PIN only for changing the payout address, password, or PIN. Immediately log out the account on a failed PIN entry.
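The policy suggested in the post above (PIN only for changing the payout address, password or PIN; immediate logout on a failed PIN entry), sketched in Python as an added example. It is not ABCPool's or SimpleCoin's code; the class names, action names and the behaviour of the address lock are assumptions, and password checking at login is omitted.

```python
import hashlib
import hmac
import secrets

# Actions that require the PIN; everything else (e.g. cashing out to the
# stored address) does not, so the PIN crosses the wire far less often.
PIN_ACTIONS = {"set_payout_address", "set_password", "set_pin", "lock_payout_address"}

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, pin: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _kdf(password, self.salt)  # only hashes are stored
        self.pin_hash = _kdf(pin, self.salt)
        self.payout_address = None
        self.address_locked = False  # assumption: a lock simply refuses changes

class Sessions:
    def __init__(self):
        self._accounts = {}  # session token -> Account

    def login(self, account: Account) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._accounts[token] = account
        return token

    def perform(self, token, action, value=None, pin=None) -> str:
        account = self._accounts.get(token)
        if account is None:
            return "not logged in"
        if action not in PIN_ACTIONS:
            return "ok"
        supplied = _kdf(pin or "", account.salt)
        if not hmac.compare_digest(supplied, account.pin_hash):
            del self._accounts[token]  # failed PIN: end the session at once
            return "logged out"
        if action == "lock_payout_address":
            account.address_locked = True
        elif action == "set_payout_address":
            if account.address_locked:
                return "address locked"
            account.payout_address = value
        elif action == "set_password":
            account.password_hash = _kdf(value, account.salt)
        else:  # set_pin
            account.pin_hash = _kdf(value, account.salt)
        return "ok"
```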
sr. member
Activity: 574
Merit: 250
I'm bumping my donation percentage up to help with these losses. You guys have been doing a damn fine job running this pool, and I appreciate how smoothly things normally run. It looks like I didn't get burned this time, but a few satoshis to the good might help.
donator
Activity: 229
Merit: 106
* Come to an agreement with you guys on how to handle the missing BTC.

I know you guys aren't rolling in cash, most pools are in a negative cashflow as it is, so any percentage of the missing bitcoins that are reimbursed is more than I was expecting to get back anyway.

Agree. To further support you guys, I will donate whatever amount/percentage you guys decide to give back. I was a long time ABC miner until this incident. I still keep one worker in ABC and this pool as my third fail-over pool. I will come back after I feel comfortable with pool's security/protection improvement.
vip
Activity: 166
Merit: 100
* Come to an agreement with you guys on how to handle the missing BTC.

I know you guys aren't rolling in cash, most pools are in a negative cashflow as it is, so any percentage of the missing bitcoins that are reimbursed is more than I was expecting to get back anyway.
legendary
Activity: 1147
Merit: 1007
How long will it take until we can get our precious bitcoins out again? I really need them before Monday.
UPDATE: Cause found, payouts will continue Sunday evening at the latest.

To all our users, thanks for your continued patience while we were getting to the bottom of this.

Earlier today we verified the exact details of how the theft took place, which was through session spoofing. Multiple accounts were compromised, resulting in unwanted payouts, the bulk of which occurred between October 29 and November 3. We have deployed measures that prevent this type of session spoofing on ABCPool in the future.

What was potentially compromised:
* The attacker did not need your passwords for the intrusion
* No passwords have been leaked directly, since passwords are only stored as a hash.
* Weak passwords MAY have been guessed by brute-force abuse of the 'change password' function.
* The attacker COULD log in to any account through the ABCPool site and act as though they were that user
* PIN has been guessed (or brute-forced) in at least several cases

Steps we have taken to mitigate the issue thus far:
* We have fixed the session handling code
* We have reset the payment address for all our users, because it might have been set by the attacker to his own address.
* We have expired all current sessions
* We have introduced additional logging code

Steps still to be taken:
* Introduce additional security measures
* Re-activate payouts (this will happen Sunday evening at the latest)
* Come to an agreement with you guys on how to handle the missing BTC.

What will change for you:
* For now, you'll need to (re)enter your payment address. You may take a look at past payouts and copy the address from there, but be sure to verify that it is actually your own address.
* It's always a good security practice to use difficult and unique passwords, and to change them regularly.
sr. member
Activity: 305
Merit: 250
Trust but confirm!
How long will it take until we can get our precious bitcoins out again? I really need them before Monday.
donator
Activity: 229
Merit: 106
I highly suggest ABC add HTTP secure mode access. Without HTTPS protecting the traffic, everything is plain text, including your password and PIN. I will not come back to ABC until your pool adds HTTPS mode.
sr. member
Activity: 373
Merit: 262
I think the requirement to enter the pin should be removed on the cash out now option. Someone who is sniffing traffic can find out what the pin is that way.

The PIN should only really be needed when changing the payout address or other similar task.
vip
Activity: 166
Merit: 100
account: alphy

11/03/11  10:01 AM   3.66268195 BTC  1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
11/02/11  08:41 AM  10.27910886 BTC  1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
10/29/11  01:56 PM   0.76806254 BTC  1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
10/29/11  07:43 AM   0.72685549 BTC  1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
10/29/11  01:43 AM   8.67988397 BTC  1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ

account: squid

11/03/11  10:02 AM   3.64415207 BTC  1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
11/02/11  08:43 AM  10.28272094 BTC  1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
10/29/11  01:57 PM   0.77105942 BTC  1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
10/29/11  07:42 AM   0.74075010 BTC  1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
10/29/11  01:42 AM  20.80623292 BTC  1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ

:-[

60.36150826 BTC total for both accounts to an address I don't own. I guess it was bound to happen. I finally lost some bitcoins due to theft. I never used automatic payouts, it has nothing to do with that.

edit: added more info
sr. member
Activity: 406
Merit: 250
In light of the previously mentioned wrong-address payouts:   Might I suggest removing the 1% contribution requirement for viewing the payout history?  At least for a week or so.  That way everyone can go in and verify their payout history to make sure they weren't affected.

Sigg.

I agree...I would like to ensure that my funds that were there, are there.
The requirement has been lifted for the coming week.

Everything is how it should be.

Thanks !
legendary
Activity: 1147
Merit: 1007
The requirement has been lifted for the coming week.

When exactly? Starting next week?
Right now, for the duration of a week.
vip
Activity: 166
Merit: 100
The requirement has been lifted for the coming week.

When exactly? Starting next week?
legendary
Activity: 1147
Merit: 1007
In light of the previously mentioned wrong-address payouts:   Might I suggest removing the 1% contribution requirement for viewing the payout history?  At least for a week or so.  That way everyone can go in and verify their payout history to make sure they weren't affected.

Sigg.

I agree...I would like to ensure that my funds that were there, are there.
The requirement has been lifted for the next 7 days.