Topic: BIPS Wallet security breach - page 2. (Read 11504 times)

hero member
Activity: 826
Merit: 501
in defi we trust
December 03, 2013, 04:49:46 AM
What's the difference between BIPS and Coinbase?

Coinbase hasn't been "hacked" yet. :)
member
Activity: 91
Merit: 10
December 03, 2013, 04:33:12 AM
The whole thing is too suspicious, too suspicious.
Kris has spent his time running around and told the media that it is not his fault and the wallet's security is the user's responsibility.

The worst thing is that he is getting away with this scam.
No action has been taken since 22 Nov.
We are talking about 1295 BTC!!!
Why are there no details published of any kind?

I say he is a liar and a crook!


No he isn't getting away. I'm already in touch with my lawyer. I'm going to drag this fool to the court. We are mapping out a plan to tackle this as it's outside of my country. Anyone else planning to sue him?
member
Activity: 91
Merit: 10
December 03, 2013, 04:25:50 AM
Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.

It's BS. Kris was the only guy working on BIPS. Lemme share with you guys a bug I helped fix. The secret that you entered in your IPN page was generating wrong hashes for any word that was 8-16 characters in length (weird?). I had to literally beg Kris to understand that this is a serious bug and had to write various test cases to demonstrate it. When he realized that there was indeed a bug he chose to just publish an "Enter less than 8 characters and greater than 16 characters" or something like that instead of actually fixing it. When I questioned him, he told me that he wrote his own crypto lib functions. Which fool would try to rewrite crypto when there are so many well-tested modules available? This kind of shit brings in all the security loop-holes.

Quote
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.

Tell the world the technical details of the bug. I bet Kris hasn't fixed it yet. If he couldn't find time to fix that buggy PHP hashing module I bet he is still using that same shitty hand-written module (or many more like that) for everything inside BIPS.

Quote
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first. The very fact that he is saying that he isn't responsible for the funds lost is itself BS. I'll see you in court Kris... the deadline of 72 hours is ending soon.

Quote
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.

Thanks for the advice Saint Kris.

Quote
- Kris says BIPS will continue as a payment provider - but have closed down their wallets for good.

I'll make sure you do not.

Quote
I think that's a pretty good summary of the article. Otherwise - try the above Google translation :)

Thanks :)


Do you have a personal vendetta with Kris or what?
If you were that close with Kris that you knew so much of BIPS's operations,
and you knew there was weakness with BIPS's security config as you mentioned,
why didn't you do something before?
Or you could have placed your btc somewhere else instead of keeping it there??

Stop embarrassing yourself mate

Stop using your shill accounts Kris. We know it's you. Come out in the open about the hack and save yourself some embarrassment.
legendary
Activity: 1092
Merit: 1000
nahtnam.com
December 03, 2013, 12:30:06 AM
What's the difference between BIPS and Coinbase?
newbie
Activity: 42
Merit: 0
December 02, 2013, 10:59:51 PM
As promised I'd update when I heard back from BIPS. I received an email today from Kris. I added a bitcoin address to my account as requested.

.... text removed per request...


Only thing I have heard from Kris was a PM asking me to remove info provided in a ticket sent to me..



Please be so kind as to remove the ticket text I wrote to you from public domain.

"Hi,

1) If ...........

There is a reason this is written below.

*************
This email is intended only for the person to whom it is addressed and may contain information that is privileged and exempt from disclosure. Please be aware that forwarding or distributing it is strictly prohibited.
newbie
Activity: 5
Merit: 0
December 02, 2013, 06:35:29 PM
Quote
Do you have a personal vendetta with Kris or what?
If you were that close with Kris that you knew so much of BIPS's operations,
and you knew there was weakness with BIPS's security config as you mentioned,
why didn't you do something before?
Or you could have placed your btc somewhere else instead of keeping it there??

Stop embarrassing yourself mate

This person must be either Kris or someone related to him. Awfully suspicious when there are new accounts exclusively defending BIPS in this thread.

When you build a business around keeping money safe, there's no room for error. The absolute worst way you could ever screw over your users is by compromising their wallets.

If you manage to lose a million dollars of someone else's money, you can't expect there would be no consequences. Of course people are going to be extremely upset.

It's becoming pretty obvious all the money is gone and BIPS is an absolutely awful company nobody should ever trust, but the only way Kris could save his face is to step forward and address the situation.

If he decides to remain silent and act like nothing happened, people are going to make it personal. There's no way around it.
sr. member
Activity: 252
Merit: 250
December 02, 2013, 03:52:54 PM
Wth? Are there some kind of online wallet fanboys around? I mean I can understand fanboys of artists or athletes but BIPS fanboys? For real?
hero member
Activity: 546
Merit: 510
December 02, 2013, 01:27:01 PM
The whole thing is too suspicious, too suspicious.
Kris has spent his time running around and told the media that it is not his fault and the wallet's security is the user's responsibility.

The worst thing is that he is getting away with this scam.
No action has been taken since 22 Nov.
We are talking about 1295 BTC!!!
Why are there no details published of any kind?

I say he is a liar and a crook!
newbie
Activity: 7
Merit: 0
December 02, 2013, 12:30:06 PM
Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.

It's BS. Kris was the only guy working on BIPS. Lemme share with you guys a bug I helped fix. The secret that you entered in your IPN page was generating wrong hashes for any word that was 8-16 characters in length (weird?). I had to literally beg Kris to understand that this is a serious bug and had to write various test cases to demonstrate it. When he realized that there was indeed a bug he chose to just publish an "Enter less than 8 characters and greater than 16 characters" or something like that instead of actually fixing it. When I questioned him, he told me that he wrote his own crypto lib functions. Which fool would try to rewrite crypto when there are so many well-tested modules available? This kind of shit brings in all the security loop-holes.

Quote
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.

Tell the world the technical details of the bug. I bet Kris hasn't fixed it yet. If he couldn't find time to fix that buggy PHP hashing module I bet he is still using that same shitty hand-written module (or many more like that) for everything inside BIPS.

Quote
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first. The very fact that he is saying that he isn't responsible for the funds lost is itself BS. I'll see you in court Kris... the deadline of 72 hours is ending soon.

Quote
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.

Thanks for the advice Saint Kris.

Quote
- Kris says BIPS will continue as a payment provider - but have closed down their wallets for good.

I'll make sure you do not.

Quote
I think that's a pretty good summary of the article. Otherwise - try the above Google translation :)

Thanks :)


Do you have a personal vendetta with Kris or what?
If you were that close with Kris that you knew so much of BIPS's operations,
and you knew there was weakness with BIPS's security config as you mentioned,
why didn't you do something before?
Or you could have placed your btc somewhere else instead of keeping it there??

Stop embarrassing yourself mate
full member
Activity: 219
Merit: 100
December 01, 2013, 09:07:56 PM
#99
Yeah exactly, yeah yes, yeah of course
member
Activity: 91
Merit: 10
December 01, 2013, 09:01:00 PM
#98
Quote
This kind of shit brings in all the security loop-holes.
Quote
This kind of statement makes you appear smart, but it is actually without any foundation.

Oh yeah? I bet you haven't written a single line of code in your life.

Quote
As for your assertion I am Kris, or Kris's shill or any derivation of that - I am not. I lost btc in this hack. Unlike you however, I am not looking for a scapegoat.

Obviously you aren't looking for a scapegoat. You stole our funds, why would you feel anything at all?

Quote
It's called being an adult and taking responsibility for one's own actions.

Nice try Kris. The first thing about being an adult is to man up and become transparent about the so-called "hack". The very fact that there is absolutely zero information on the hack shows you are the thief. Period.

Quote
If you argue that Kris has to take responsibility for the hack, then you are, by implication, saying he did it.

Kris (or you) did not do the hack. The hack never happened. He (or you) just moved all the funds to a new address... in plain simple words Kris (or you) just stole our funds. If it was a hack I want all the technical details laid out in public domain. The onus is on you (Kris) to prove he (you) is innocent.

Quote
You yourself allegedly knew the code was not sound. Yet you didn't tell anyone else, and in fact kept your btc stored in BIPS. If you are so good at finding bugs, why did you not start your own service instead of using what you saw as an inferior product. However, such questions divert from the topic, which is the breach.

It happened. We lost our btc. The lesson seems to be to not use hot wallets.


Okay Kris I'll answer your questions (wish you used your real name here instead). Firstly when I asked you to fix the bug you told me clearly that you will fix it asap (and that you were upgrading your systems and needed some time). Now I gave you that benefit of doubt. Now I never in my wildest dreams thought that upgrading your systems meant stealing your customers' funds.

Secondly, when I say violate law I did not mean the TOS violates law. I shouldn't have mixed two different things in the same sentence (was clearly pissed). What I'm trying to say is you can write whatever you want in your TOS. When it comes to legalities the TOS is used only by customers to demand their rights to a defaulting service. If you are the owner, you don't have any say as you can change the TOS at any time. It's like a rental agreement. The tenant has more legal rights compared to the owner. TOS gives the customers more legal ammunition to go after the owner of the defaulting service... not the other way round. So either you (Kris) have a really bad lawyer or are just talking shit to divert attention from the main issue: theft of our funds. By the way I have already consulted my lawyer and I'll be going ahead with legal proceedings.
newbie
Activity: 4
Merit: 0
November 30, 2013, 04:47:46 PM
#97
Quote

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first.

How does/did the TOS violate the law? Which law does it violate?

You had to beg Kris to realise there was a bug. And, knowing there was a bug, you left your funds there. OK.... I wish I was as smart as you...

Quote
This kind of shit brings in all the security loop-holes.


This kind of statement makes you appear smart, but it is actually without any foundation.

As for your assertion I am Kris, or Kris's shill or any derivation of that - I am not. I lost btc in this hack. Unlike you however, I am not looking for a scapegoat.

It's called being an adult and taking responsibility for one's own actions. If you argue that Kris has to take responsibility for the hack, then you are, by implication, saying he did it.

You yourself allegedly knew the code was not sound. Yet you didn't tell anyone else, and in fact kept your btc stored in BIPS. If you are so good at finding bugs, why did you not start your own service instead of using what you saw as an inferior product. However, such questions divert from the topic, which is the breach.

It happened. We lost our btc. The lesson seems to be to not use hot wallets.
member
Activity: 91
Merit: 10
November 29, 2013, 03:29:23 PM
#96
Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.

It's BS. Kris was the only guy working on BIPS. Lemme share with you guys a bug I helped fix. The secret that you entered in your IPN page was generating wrong hashes for any word that was 8-16 characters in length (weird?). I had to literally beg Kris to understand that this is a serious bug and had to write various test cases to demonstrate it. When he realized that there was indeed a bug he chose to just publish an "Enter less than 8 characters and greater than 16 characters" or something like that instead of actually fixing it. When I questioned him, he told me that he wrote his own crypto lib functions. Which fool would try to rewrite crypto when there are so many well-tested modules available? This kind of shit brings in all the security loop-holes.

Quote
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.

Tell the world the technical details of the bug. I bet Kris hasn't fixed it yet. If he couldn't find time to fix that buggy PHP hashing module I bet he is still using that same shitty hand-written module (or many more like that) for everything inside BIPS.

Quote
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first. The very fact that he is saying that he isn't responsible for the funds lost is itself BS. I'll see you in court Kris... the deadline of 72 hours is ending soon.

Quote
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.

Thanks for the advice Saint Kris.

Quote
- Kris says BIPS will continue as a payment provider - but have closed down their wallets for good.

I'll make sure you do not.

Quote
I think that's a pretty good summary of the article. Otherwise - try the above Google translation :)

Thanks :)
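
A differential test of the kind the post above describes (test cases run over secret lengths), as an added example that is not from the thread or from BIPS. The page does not say which hash the IPN used or what the defect was; HMAC-SHA256, the dropped-byte defect in handwritten_sign, and the sample callback fields are assumptions constructed so the harness has something to find.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes
ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def reference_sign(secret: bytes, message: bytes) -> str:
    """HMAC-SHA256 from the standard library: the well-tested baseline."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def handwritten_sign(secret: bytes, message: bytes) -> str:
    """Constructed stand-in for a hand-written HMAC (not BIPS code)."""
    key = hashlib.sha256(secret).digest() if len(secret) > BLOCK else secret
    if 8 <= len(key) <= 16:
        key = key[:-1]  # constructed defect: last byte lost for these lengths
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + message).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).hexdigest()


def sample_secret(length: int, variant: int) -> bytes:
    """Deterministic, constructed test secret of exactly `length` bytes."""
    return bytes(ALPHABET[(7 * i + 13 * variant + length) % len(ALPHABET)]
                 for i in range(length))


def failing_lengths(candidate, max_len: int = 80, variants: int = 4) -> list:
    """Secret lengths at which `candidate` disagrees with the reference."""
    # Constructed callback bodies: empty, a typical form body, binary padding.
    messages = [b"", b"invoice=1001&amount=0.5&status=paid", b"\x00" * 100]
    bad = []
    for n in range(1, max_len + 1):
        secrets = [sample_secret(n, v) for v in range(variants)]
        if any(candidate(s, m) != reference_sign(s, m)
               for s in secrets for m in messages):
            bad.append(n)
    return bad


def as_ranges(lengths: list) -> list:
    """Collapse [8, 9, ..., 16] into [(8, 16)] for a readable report."""
    ranges = []
    for n in lengths:
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def verify_callback(secret: bytes, body: bytes, received_hex: str) -> bool:
    """Check a callback signature with the library HMAC, in constant time."""
    expected = reference_sign(secret, body).encode()
    return hmac.compare_digest(expected, received_hex.lower().encode())


if __name__ == "__main__":
    print("hand-written:", as_ranges(failing_lengths(handwritten_sign)))
    print("reference:   ", as_ranges(failing_lengths(reference_sign)))
```

Sweeping every length up to and past the hash block size is what turns "some secrets fail" into a reportable range, and the same sweep run in CI keeps a workaround notice from standing in for the fix.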
newbie
Activity: 1
Merit: 0
November 29, 2013, 09:05:32 AM
#95
Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.
- Kris says BIPS will continue as a payment provider - but have closed down their wallets for good.

I think that's a pretty good summary of the article. Otherwise - try the above Google translation :)
newbie
Activity: 5
Merit: 0
November 29, 2013, 08:41:42 AM
#94
Summed the situation and my thoughts in a very rational way, +1.

If Kris contacts you, please share an update here.

People are very upset and very hostile towards Kris, me included, but I hope he understands it's nothing personal and it's better to just come out and state how things are and what he is planning to do about this.

Prolonging this and remaining silent will only escalate things and make this a lot worse.
newbie
Activity: 11
Merit: 0
November 29, 2013, 07:09:58 AM
#93
Has anyone heard from BIPS/Kris recently?

Two days since last response, now BIPS site is barely loading. Lots of traffic or perhaps another DDOS?

At this point I'm assuming the money is gone and it'll be quite a fight with BIPS to get it compensated for, but any information would be welcome.

Nope, not a single word from Mr. Kris Henriksen or anyone else at BIPS. I'm resending a support ticket and e-mail every day now until someone answers my two simple questions of 1) is the money gone forever, and 2) will BIPS compensate me for any part of the lost value.

But nothing yet. However Kris does for some reason have infinite time to talk to the press about what happened where he always denies the claim of running away himself with the bitcoins, so he obviously reads the Bitcoin Forum and probably this message too (Hello Kris!, nice to see you here) =)

This mess starts to become a slapstick comedy on their part. I mean, it's not that I want Kris or anyone at BIPS to walk away from their house or not be able to feed their family because of this. I will survive even if my money is never returned.

Now it's all about standing up as an honest human being facing the consequences of your actions and promises. If you as an individual or a company make a promise to your clients that their critical data is safe with you, and that promise is broken. Well then you can choose two ways to handle this; A) Say you're sorry and that you will try to make it up to them even if the data is gone forever, or B) Tell your clients in a fancy way that they are idiots that trusted you in the first place.

Anyone choosing route B, i.e. rationalizing away their role of accountability by arrogance, can expect people to be pretty angry with them for a very very very long time. This individual or company has consumed their right to operate in a free market, and should be shut down in its existing form as an example of unacceptable business ethics. Case closed.

If Kris does some legal research himself, like my business lawyer did, he will soon find out that there are plenty of similar situations in the old financial world. Multiple financial services will ask for your money to hold them for you for free, or even paying you a good interest rate. It's a free service/wallet/account BUT the receiver is fully responsible for your money while kept in their hands. If it was stolen, they would have to pay it back or close business.

So, for Kris as the CEO of BIPS to act like nothing has happened (choosing route B) he is simply asking for a legal/social backlash. Everyone in the bitcoin community has the right to know if this is a viable business strategy in the future of digital money, and we will use this case to find out (so we at least get something positive out of this mess). If BIPS goes free, then that is the end of this story. If not, BIPS pays up or closes business. Kris will survive, keep his house and feed his family – but with another company and hopefully a lot more humble...
sr. member
Activity: 252
Merit: 250
November 29, 2013, 05:17:38 AM
#92
I mean, for god's sake, just let us know! And after that, good or bad news, everyone can go ahead in their own way of handling this (legal process or not).

For all I know after the attack there wasn't even an update or a warning on the front page about what happened.
I don't know if there is one now but it looks to me that someone pretends that nothing happened :P
newbie
Activity: 5
Merit: 0
November 29, 2013, 03:59:05 AM
#91
Has anyone heard from BIPS/Kris recently?

Two days since last response, now BIPS site is barely loading. Lots of traffic or perhaps another DDOS?

At this point I'm assuming the money is gone and it'll be quite a fight with BIPS to get it compensated for, but any information would be welcome.
newbie
Activity: 51
Merit: 0
November 28, 2013, 11:53:45 AM
#90
Perhaps he could offer part of BIPS in the form of shares to the customers who lost Bitcoins in proportion to their lost Bitcoins.

This would be one way to offer compensation, (may not ever catch up to the growing value of the actual bitcoins stolen but at least it would be something).

Also it would go a long way in protecting the image and reputation of BIPS.

newbie
Activity: 11
Merit: 0
November 28, 2013, 09:22:41 AM
#89
So we are talking scapegoat here?
Somebody has to pay for the losses even though they were also the victim, true?

Let's put it in more plain words;
We don't give a damn about you Kris! You could rob a bank, hack others, screw anybody you knew just get our money back!!!

You are right on that this is not about Kris Henriksen personally. He's representing a commercial company that did and still market themselves with "Your data is secure at BIPS", etc. Obviously this is not a true statement, and some of us found that out in a really bad way, with substantial loss of economic value.

BUT the worst part of this whole stinking story, is the lack of communication from BIPS and its CEO, Kris Henriksen. They choose to handle this mess with a strategy that pretty much left us, their affected customers, out in the dark. He himself or through any proxy has not to date had the courtesy to tell me what the status is with my lost balance and if they have any plan on compensating me for any part of the lost coins. I mean, for god's sake, just let us know! And after that, good or bad news, everyone can go ahead in their own way of handling this (legal process or not).
