Topic: ANTMINER S3+ Discussion and Support Thread - page 206. (Read 710164 times)

legendary
Activity: 1150
Merit: 1004
September 07, 2014, 09:35:24 AM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?

No.  The stratum protocol allows redirection.  Unless it's a secure connection, it could be intercepted upstream from you and redirected, and you'd never know the wiser.  That's what the newer cgminer allows (for pools that support it), is using SSL.
Actually we don't use ssl in cgminer stratum since it's overkill for the actual problem. The problem is a packet is intercepted between you and the pool and it sends back a redirect message to cgminer which consciously moves to the other pool. People who were mining elsewhere unintentionally could actually see their rig had switched. Redirect rules were made strict according to domain name to prevent redirection from happening unless it was to a server with the same domain meaning they'd have to spoof the domain as well. Blocking outgoing connections from cgminer to only selected upstream pools would actually work to prevent you mining elsewhere but you may end up just failing to connect to anything without the redirect protection in later versions.

You say that SSL is overkill for the problem, and it probably is from a general perspective. But overreaching as it may be it also sounds like SSL would in fact solve this problem, making it impossible for an attacker who does not have access to the SSL keys to send the redirect message in the first place.

Sorry for the off topic post. Maybe there's a better place to discuss this.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
September 07, 2014, 07:36:52 AM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?

No.  The stratum protocol allows redirection.  Unless it's a secure connection, it could be intercepted upstream from you and redirected, and you'd never know the wiser.  That's what the newer cgminer allows (for pools that support it), is using SSL.
Actually we don't use ssl in cgminer stratum since it's overkill for the actual problem. The problem is a packet is intercepted between you and the pool and it sends back a redirect message to cgminer which consciously moves to the other pool. People who were mining elsewhere unintentionally could actually see their rig had switched. Redirect rules were made strict according to domain name to prevent redirection from happening unless it was to a server with the same domain meaning they'd have to spoof the domain as well. Blocking outgoing connections from cgminer to only selected upstream pools would actually work to prevent you mining elsewhere but you may end up just failing to connect to anything without the redirect protection in later versions.
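
The domain-restricted redirect rule described in the post above, as an added example that is not part of the original post and is not cgminer's own code. It assumes the redirect arrives as the stratum `client.reconnect` message with params `[host, port, wait]`; the pool names and the `ALLOWED_DOMAIN` setting are constructed placeholders.

```python
import json
import re

# Constructed values: pool.example.com is a placeholder, not a real pool.
CONFIGURED_HOST = "stratum.pool.example.com"
ALLOWED_DOMAIN = "pool.example.com"  # redirects must stay inside this domain

HOSTNAME_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")


def host_in_domain(host, domain):
    """True if host is the domain itself or a label-aligned subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_reconnect(line, current_host=CONFIGURED_HOST, domain=ALLOWED_DOMAIN):
    """Classify one JSON line from the pool: ('ignore'|'allow'|'reject', host)."""
    try:
        msg = json.loads(line)
    except ValueError:
        return ("ignore", None)
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return ("ignore", None)
    params = msg.get("params")
    if params is None:
        params = []
    if not isinstance(params, list):
        return ("reject", None)
    # No host (or an empty one) means "reconnect to the server you are on".
    host = params[0] if params and params[0] not in (None, "") else current_host
    if not isinstance(host, str):
        return ("reject", None)
    host = host.rstrip(".").lower()
    # Refuse anything that is not a plain hostname before comparing suffixes.
    if not HOSTNAME_RE.fullmatch(host) or not host_in_domain(host, domain):
        return ("reject", host)
    return ("allow", host)


# Constructed sample traffic, one JSON message per line as stratum sends it.
SAMPLE_LINES = [
    '{"id":null,"method":"mining.set_difficulty","params":[1024]}',
    '{"id":null,"method":"client.reconnect","params":["eu.pool.example.com",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["pool.example.com.other.invalid",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["notpool.example.com",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":[]}',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_reconnect(sample))
```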
legendary
Activity: 1540
Merit: 1001
September 07, 2014, 07:20:52 AM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?

No.  The stratum protocol allows redirection.  Unless it's a secure connection, it could be intercepted upstream from you and redirected, and you'd never know the wiser.  That's what the newer cgminer allows (for pools that support it), is using SSL.

M
donator
Activity: 1617
Merit: 1012
September 07, 2014, 07:01:06 AM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.
Would a firewall configuration that only allows tcp/3333 connections to known/whitelisted pool servers help?
legendary
Activity: 1540
Merit: 1001
September 06, 2014, 06:12:12 PM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.

I assume a properly written proxy could use SSL to secure the connection?

M
hero member
Activity: 686
Merit: 500
WANTED: Active dev to fix & re-write p2pool in C
September 06, 2014, 05:32:42 PM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.

Thanks for confirming ckolivas

This is why I & others have been making so much noise about this - it's annoying for everyone - but it's for everyone's good that it gets fixed ASAP.

Are you listening, Bitmain?

Edit: It is also why miners should only buy hardware that uses Open Source software provided by ckolivas - so that it can be checked for any security issues or "strange goings on" by the cgminer devs or anyone else who wishes to do so. Never buy hardware that uses Closed Source software - there's no way of knowing what it is doing.
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
September 06, 2014, 05:15:13 PM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
No. The attack occurred upstream, between the miner and the pool.
legendary
Activity: 1064
Merit: 1001
September 06, 2014, 05:09:50 PM
As long as someone doesn't know the IP of the given miner you should be "safe" right ?
legendary
Activity: 1022
Merit: 1010
September 06, 2014, 05:09:30 PM
Exactly. Meaning everyone using Bitmain hardware is at risk of having their hashing power redirected to a different pool without their knowing, losing valuable BTC to a third, unscrupulous party/person.

Not good.

But wouldn't the attacker have to know or have some information about your miner? Such as IP, etc?
hero member
Activity: 686
Merit: 500
WANTED: Active dev to fix & re-write p2pool in C
September 06, 2014, 04:18:25 PM
Exactly. Meaning everyone using Bitmain hardware is at risk of having their hashing power redirected to a different pool without their knowing, losing valuable BTC to a third, unscrupulous party/person.

Not good.
hero member
Activity: 924
Merit: 1000
Watch out for the "Neg-Rep-Dogie-Police".....
September 06, 2014, 04:03:52 PM
The most dangerous security vulnerability in that version of cgminer is called the "stratum redirect" issue. It allows a third party to redirect your hashing to a different pool of their choice & claim the BTC mined with your miner. This was fixed in a later version, as well as other fixes & improvements to drivers etc - increasing performance & using less cpu/resources.

Edit: No matter what firewall you use.

Edit1: I believe it affected all miners that used the stratum protocol - not just cgminer.
legendary
Activity: 1022
Merit: 1010
September 06, 2014, 03:54:18 PM

All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

the same, 3.12.0


What? Why on earth are Bitmain still using this old, outdated, inefficient & security flawed cgminer version in a new firmware release? It makes absolutely no sense whatsoever.....

@ Bitmain:  You promised the community that you would update to the latest cgminer version that fixes the security vulnerabilities and includes many improvements weeks ago - yet you are still using it in a brand new firmware release? Cgminer version 3.12 is not safe to use & is inefficient - please use the latest version as you promised us you would.

Edit:  This firmware adds support for the S3+ - does that mean that you will be shipping all S3+'s with known security issues & outdated cgminer software?

Could you elaborate on what the security issues are, and what you mean by inefficient?

I don't mean to be lazy, but if I read through the boards on these issues I'll likely find lots of conflicting information. 

Security issues... What if I'm behind a Barracuda Firewall?

Inefficiency... Meaning a more current version of Cgminer would hash faster?

Many thanks,

Strato
hero member
Activity: 686
Merit: 500
WANTED: Active dev to fix & re-write p2pool in C
September 06, 2014, 11:44:19 AM
I concur with #IYFTech. Bitmain stated that they would release the firmware and update cgminer. The new firmware contains the same insecure and inefficient cgminer version. We should all demand that they install a version 4.x instead of this very early version.

Thanks

A quote from August 17th - three weeks ago:


The cgminer software that you are deploying.......with your software has SEVERE security flaws, including the stratum redirect issue - why are you NOT implementing the latest version to eliminate these issues?

Thank you.

+1 I support this sentiment completely
newbie
Activity: 9
Merit: 0
September 06, 2014, 11:04:57 AM
I concur with #IYFTech. Bitmain stated that they would release the firmware and update cgminer. The new firmware contains the same insecure and inefficient cgminer version. We should all demand that they install a version 4.x instead of this very early version.
hero member
Activity: 686
Merit: 500
WANTED: Active dev to fix & re-write p2pool in C
September 06, 2014, 07:24:18 AM

All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

the same, 3.12.0


What? Why on earth are Bitmain still using this old, outdated, inefficient & security flawed cgminer version in a new firmware release? It makes absolutely no sense whatsoever.....

@ Bitmain:  You promised the community that you would update to the latest cgminer version that fixes the security vulnerabilities and includes many improvements weeks ago - yet you are still using it in a brand new firmware release? Cgminer version 3.12 is not safe to use & is inefficient - please use the latest version as you promised us you would.

Edit:  This firmware adds support for the S3+ - does that mean that you will be shipping all S3+'s with known security issues & outdated cgminer software?
legendary
Activity: 1098
Merit: 1000
September 06, 2014, 06:54:57 AM

What am I doing wrong here?

You have the default gateway set as 192.168.1.99 that's not right, it needs to be set to your router IP (probably 192.168.1.1 or 192.168.1.254)

Your router *might* be 192.168.1.1 so I would change that as well

So maybe
192.168.1.10
255.255.255.0
192.168.1.254 <- Router IP, whatever it is

DNS Server Auto
hero member
Activity: 924
Merit: 1000
Watch out for the "Neg-Rep-Dogie-Police".....
September 06, 2014, 06:51:58 AM
So, new firmware with old security vulnerabilities and code........hmmmmmm

Why Bitmain?
newbie
Activity: 14
Merit: 0
September 06, 2014, 06:45:33 AM

All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.

the same, 3.12.0
hero member
Activity: 924
Merit: 1000
Watch out for the "Neg-Rep-Dogie-Police".....
September 06, 2014, 06:38:05 AM

All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.

I'll wait until they sort out the MD5 problem. Can you tell me what version cgminer is in there? Cheers.
legendary
Activity: 1218
Merit: 1003
September 06, 2014, 06:34:27 AM

All of my 15 Antminer S3   (Batch 4-6) work great with this new firmware.