
Topic: [ANN][Pool][Profit-Switch][Optional Auto-Exchange per Coin][Vardiff] ~ Hashcows - page 93. (Read 347337 times)

sr. member
Activity: 294
Merit: 250
Why are we still mining doge at that diff??
newbie
Activity: 6
Merit: 0
The decision of the pool - OPs to cover the losses of 7 days of mining for all miners having lost some coinz is way more than to be expected by anyone with objective expectations.
All a miner has to do is set his payout in an order to get his earnings sent to his wallet daily, to not lose more than one day's earnings....
If we (the miners) cannot accept our duty to look after our own earnings in a secure (and not too bothersome, mind you) way, how on earth do you expect the pool owners to be reliable for our coins lying in the pool for weeks?
You can not expect anybody else to care more for your goods than you are prepared to care yourself....

Therefore:
+1,
and best of luck and success for the future to the pool-operators.
sr. member
Activity: 332
Merit: 250
+1 and kudos on the official response. I will surely point my miners back here when everything is up and running again.

Also, I think it would be polite if everyone who gave Nearmiss and aTriz some negative trust would rectify this once everything is resolved.
member
Activity: 90
Merit: 10
Good decision cows... not sure why you chose the reduced fees only for 60 days.. it should really be a 'fee credit' to the miners that lost anything beyond 7 days. This means that if they put down 20 Gh/s onto your site, they would end their credit within a day... but w/e, you're the admins.

I look forward to returning :)
hero member
Activity: 672
Merit: 501
IMO this is more than most pools would ever do. That is a lot of coin that is going to be replaced. I have to agree with a poster above who said that if you're keeping 7 days' worth of BTC in a pool wallet you're asking for it.
member
Activity: 112
Merit: 10
Very well worded response and an outcome for those that did lose coin better than most would have expected.
newbie
Activity: 40
Merit: 0
That's an amazing response!

Frankly if people have kept significant (>0.05) amounts of BTC in Hashcows for over 7 days it's very clearly their own fault. I think even a 7 day reimbursement is wonderfully generous.

Pools are not banks, that fact has been smashed into everyone's head.
member
Activity: 83
Merit: 10
That's a pretty good response overall.

For curiosity's sake, I'm going to ask how much of the 40.7815 BTC is covered by that 7-day window?

I'm also going to (again) suggest setting either a maximum balance for auto-payout, or setting a maximum number of days between auto-payouts, in order to reduce the pool's liability in the event of future hacks like this. You're a small mining pool, not a bank, and it's not fair for people to treat you like a bank.
full member
Activity: 182
Merit: 100
Code:
//alert('fuuuuck');

I lol'd, since I use the same alert for debugging :P.
sr. member
Activity: 354
Merit: 254
Owner of MiningRigRentals
That is one heck of a response! Kudos to being a stand-up member of the community.. and taking responsibility for the situation.. 10/10, will mine here again.
member
Activity: 96
Merit: 10
Good one guys. That's a real honorable way of dealing with the situation. I don't know of too many others that would be bothered, to be honest.

I'd pretty much decided I'd relocate elsewhere, but it's pretty hard not to support you if you're going to do the right thing like that :)

All the best with the rebuild.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
Hashcows Official Update

As has been mentioned in an earlier update, on December 24th 2013 someone was able to modify the Bitcoin payout addresses of many users of Hashcows, and trigger a manual cashout of current balances. 754 total users (out of a total of 8,142 registered users, 5,000+ of which have a BTC balance > 0) had BTC removed from their accounts, accounting for approximately 14.2% of users who held BTC on Hashcows. A total of 40.7815 BTC was removed and sent to address 13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH. Hashcows staff have followed up with all major exchanges and a number of other large pools to confirm if they had any trace of this address in their systems, which as of this time has not turned up any useful results.

Since the attack was noticed on the 24th, we've placed the site in a locked down read-only mode, and disabled all payouts. While we understand this has caused some frustration among users, not being able to see if their accounts were affected, we felt it was the responsible course of action to take, given we knew we were unable to dedicate the time required to diagnose and address the security issues on Christmas Eve and Christmas Day.

We've been working since this time, both in determining the cause of the attack, and its potential scope, including an external audit of the source code by a trusted 3rd party. At this time the belief is still SQL injection, based on the nature of the attack and how it was carried out. However, regardless of the technical results of ongoing audits, 2 things are confirmed. #1 The web instance and the mining/stratum instances are physically separate. The mining instance remains unaffected by the web-based lockdown, which is why mining continues to function as usual. #2 The web front-end is undergoing a rebuild from scratch as we speak, by both myself and another developer, utilizing different technologies, improved security features, and new hardware. We hope to have a basic version of this up in the coming days.

What does this mean in the immediate future? We'd prefer to not turn on write access for the website in its current form, but obviously understand people can't be expected to wait much longer for balances held up by the system (both old balances still intact, and earnings mined over the days since lockdown). We'll be posting a simple tool for people to use, allowing you to log in with your credentials, at which point it will send out an email verification link, including your current balance and payment address the site has for you. Once clicked, your balance will be sent to the address specified. If you need to make changes to these details, instructions will be provided on the tool page. We hope to have this posted by tomorrow.

Last but not least, perhaps the question many have been waiting for an answer on. What does Hashcows plan to do about the missing 40 BTC? We've thought long and hard on this, and it's obviously one of the most important decisions we'll have made in our short existence as a pool and community. It's a situation and decision that has hung over us throughout the last couple days spent with family.

Hashcows will be reimbursing every miner 100% of losses incurred on earnings made within the last 7 days prior to the incident (Dec 17th's payout inclusive). This means any funds you earned between Dec 17th and Dec 24th that were cashed out of your account by the attacker, will be re-added to your account at Hashcows' expense. This payout will recover 100% of losses for 463 of the 754 affected users. For the remaining 291 users who are only partially covered by the above, we'll be offering reduced fees of 0.5% for at least the next 60 days to help with any shortfall.

In closing, both aTriz and I want to make a statement on more of a personal level, we have been absolutely stunned by the community that you have all created with this pool. There has been a tremendous amount of support and encouragement through these not so fortunate times and we would personally like to say Thank You. We look forward to the future of this pool while we begin the rebuilding stage which will continue to bring this wonderful community more features, more safety, more support, and more cows!

newbie
Activity: 15
Merit: 0
I just wanted to take a moment to relay my gratitude to aTriz and nearmiss. This has been a horrible situation and you guys have done an amazing job of stepping up to the plate. Thanks for your hard work, and I'm looking forward to hashing my way through 2014 with the HashCows crew. Moo!
sr. member
Activity: 448
Merit: 250
Hashcows Official Update

As has been mentioned in an earlier update, on December 24th 2013 someone was able to modify the Bitcoin payout addresses of many users of Hashcows, and trigger a manual cashout of current balances. 754 total users (out of a total of 8,142 registered users, 5,000+ of which have a BTC balance > 0) had BTC removed from their accounts, accounting for approximately 14.2% of users who held BTC on Hashcows. A total of 40.7815 BTC was removed and sent to address 13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH. Hashcows staff have followed up with all major exchanges and a number of other large pools to confirm if they had any trace of this address in their systems, which as of this time has not turned up any useful results.

Since the attack was noticed on the 24th, we've placed the site in a locked down read-only mode, and disabled all payouts. While we understand this has caused some frustration among users, not being able to see if their accounts were affected, we felt it was the responsible course of action to take, given we knew we were unable to dedicate the time required to diagnose and address the security issues on Christmas Eve and Christmas Day.

We've been working since this time, both in determining the cause of the attack, and its potential scope, including an external audit of the source code by a trusted 3rd party. At this time the belief is still SQL injection, based on the nature of the attack and how it was carried out. However, regardless of the technical results of ongoing audits, 2 things are confirmed. #1 The web instance and the mining/stratum instances are physically separate. The mining instance remains unaffected by the web-based lockdown, which is why mining continues to function as usual. #2 The web front-end is undergoing a rebuild from scratch as we speak, by both myself and another developer, utilizing different technologies, improved security features, and new hardware. We hope to have a basic version of this up in the coming days.

What does this mean in the immediate future? We'd prefer to not turn on write access for the website in its current form, but obviously understand people can't be expected to wait much longer for balances held up by the system (both old balances still intact, and earnings mined over the days since lockdown). We'll be posting a simple tool for people to use, allowing you to log in with your credentials, at which point it will send out an email verification link, including your current balance and payment address the site has for you. Once clicked, your balance will be sent to the address specified. If you need to make changes to these details, instructions will be provided on the tool page. We hope to have this posted by tomorrow.

Last but not least, perhaps the question many have been waiting for an answer on. What does Hashcows plan to do about the missing 40 BTC? We've thought long and hard on this, and it's obviously one of the most important decisions we'll have made in our short existence as a pool and community. It's a situation and decision that has hung over us throughout the last couple days spent with family and friends during the holiday.

Hashcows will be reimbursing every miner 100% of losses incurred on earnings made within the last 7 days prior to the incident (Dec 17th's payout inclusive). This means any funds you earned between Dec 17th and Dec 24th that were cashed out of your account by the attacker, will be re-added to your account at Hashcows' expense. This payout will recover 100% of losses for 463 of the 754 affected users. For the remaining 291 users who are only partially covered by the above, we'll be offering reduced fees of 0.5% for at least the next 60 days to help with any shortfall.

In closing, both aTriz and I want to make a statement on more of a personal level, we have been absolutely stunned by the community that you have all created with this pool. There has been a tremendous amount of support and encouragement through these not so fortunate times and we would personally like to say Thank You. We look forward to the future of this pool while we begin the rebuilding stage which will continue to bring this wonderful community more features, more safety, more support, and more cows!
member
Activity: 98
Merit: 10
http://notnull.org for the harder to find pools - prop, vardiff, stratum 0.5%. TIPS,KITTEH/MEOW,PHS,DMD,QRK,CAT
sr. member
Activity: 354
Merit: 254
Owner of MiningRigRentals
We are in the process of making some decisions and such, expect an official release from us tonight.

I've been unable to log into the site since yesterday, are accounts being locked down? I did have some bitcoin in there which got frozen. It wasn't much but it's been hard earned. Are we SOL? Hoping for the best but it looks like the worst.


Logins have been disabled, hopefully the update will provide some insight ;)
newbie
Activity: 6
Merit: 0
We are in the process of making some decisions and such, expect an official release from us tonight.

I've been unable to log into the site since yesterday, are accounts being locked down? I did have some bitcoin in there which got frozen. It wasn't much but it's been hard earned. Are we SOL? Hoping for the best but it looks like the worst.

UPDATE: I was finally able to log in. Looking forward to an update.
newbie
Activity: 42
Merit: 0
On your second point, it is the front end design that allows SQL injection attacks to happen, not database design. The database just does whatever it is told to do by the website or a command line interface. If this was an injection attack then it was either a coding error in the website or an out of date/misconfigured PHP installation that allowed the "hackers" to most likely dump the database and then go through the tables to identify the payout addresses and the mechanism used to initiate manual payouts.

I understand as much. My point is that things can be done in the backend (sanity checks, multi-tier permissions, etc.) to prevent or at least mitigate this happening in the future. If they plug one injection hole in the front end, there can be others. There are things that can be done in the backend and at the database level to at least mitigate the likelihood of future SQL injections causing a similar attack. Ideally the frontend would have very limited direct write access to the database. Yes, it's not easy to accomplish and still allow users to set and change payout addresses, but I can think of a few possible ways to do it.
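One way to arrange the backend checks discussed in the post above, shown as an added example that is not part of the thread and not Hashcows' code: the web tier may only queue an address change, a backend worker applies it after an e-mailed confirmation token matches, and payouts refuse a recently changed address. The table names, key, hold period and sample row are assumptions, and SQLite stands in for a database where the tier split would be enforced with separate database accounts and grants.

```python
import hashlib, hmac, sqlite3

CONFIRM_KEY = b"constructed-demo-key"  # assumption: known to the backend worker only
HOLD_SECONDS = 24 * 3600               # assumption: hold period after an address change

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(user_id INTEGER PRIMARY KEY, payout_addr TEXT,
                              balance REAL, addr_changed_at INTEGER);
        CREATE TABLE pending_addr(user_id INTEGER PRIMARY KEY, new_addr TEXT);
        INSERT INTO accounts VALUES (1, 'addr-original', 0.5, 0);  -- constructed row
    """)
    return db

def request_change(db, user_id, new_addr):
    """Web tier: its only write is a parameterized insert into pending_addr."""
    db.execute("INSERT OR REPLACE INTO pending_addr VALUES (?, ?)", (user_id, new_addr))

def issue_token(db, user_id):
    """Backend: MAC over the pending row, sent to the account's e-mail address."""
    row = db.execute("SELECT new_addr FROM pending_addr WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None:
        return None
    msg = f"{user_id}:{row[0]}".encode()
    return hmac.new(CONFIRM_KEY, msg, hashlib.sha256).hexdigest()

def confirm_change(db, user_id, token, now):
    """Backend: apply the pending address only if the e-mailed token matches it."""
    expected = issue_token(db, user_id)
    if expected is None or not hmac.compare_digest(token, expected):
        return False
    db.execute("UPDATE accounts SET addr_changed_at = ?, payout_addr = "
               "(SELECT new_addr FROM pending_addr WHERE user_id = ?) WHERE user_id = ?",
               (now, user_id, user_id))
    db.execute("DELETE FROM pending_addr WHERE user_id = ?", (user_id,))
    return True

def payout(db, user_id, now):
    """Backend sanity check: never pay out to a recently changed address."""
    row = db.execute("SELECT payout_addr, balance, addr_changed_at FROM accounts "
                     "WHERE user_id = ?", (user_id,)).fetchone()
    if row is None or row[1] <= 0 or now - row[2] < HOLD_SECONDS:
        return None
    db.execute("UPDATE accounts SET balance = 0 WHERE user_id = ?", (user_id,))
    return (row[0], row[1])
```

With this split, a write obtained through the web tier's database access reaches only `pending_addr`, and a confirmed change still cannot be cashed out until the hold period has passed.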
hero member
Activity: 1232
Merit: 683
Tontogether | Save Smart & Win Big
We are in the process of making some decisions and such, expect an official release from us tonight.
member
Activity: 85
Merit: 10
I just set up a new mining rig pointed to Hashcows before leaving home a few days ago. I forgot to set up remote access first, so I really hope it is still chugging away and I will ACTUALLY get credit for the mining being done... ???

They have said you can keep mining and you will be paid. Just can't access anything you've mined right now.