
Topic: Bitcoin is a magnet for hackers and crooks (Read 7771 times)

newbie
Activity: 21
Merit: 0
February 28, 2012, 04:16:55 PM
#70
RSantana: I don't understand; why are you keeping your wallet on your server? Shouldn't it be kept on a different machine? As a retailer, you only need to collect payment except for the occasional refund (which you can do manually), which means your wallet doesn't have to be on the server at all, right? Or am I missing something here? I thought only exchanges like Mt.Gox that have to pay Bitcoins out in addition to accepting them had to worry that much about security, because they have to actually have a wallet file on a machine connected to the server. I mean, a hacker could still put up a fake BTC address on your site if it got compromised, but that's not the same degree of problem as losing your whole wallet...
legendary
Activity: 2940
Merit: 1333
February 28, 2012, 12:06:21 AM
#69
"Pangolin".  That was it.
legendary
Activity: 2940
Merit: 1333
February 27, 2012, 11:31:00 PM
#68
Quote from: kjj
Here are some of the methods he tried:
- Tried to access boot information
- Tried to access file system (ie /etc/passwd)
- Various SQL injection techniques
- javascript injection
- Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

He's almost certainly using a program that does all that stuff automatically for him.  I've seen the same pattern of attacks myself.  If you look in the logs closely, you'll see the same word coming up over and over.  Google it - it's the name of the hacking tool he's using.

That's what I found, anyway.  I don't remember the name now though sorry.
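
The log check described in the post above, as an added example that is not part of the thread: it flags requests whose URLs match the probe types listed in the quoted post and counts which User-Agent words recur across them. The combined log format, the sample lines, the function names and the tool name "ExampleScanner" are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format; not taken from the thread.
# "ExampleScanner" is a made-up tool name standing in for whatever a real log shows.
UA_SCAN = '"-" "Mozilla/4.0 (compatible; ExampleScanner 2.1)"'
UA_USER = '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"'
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [27/Feb/2012:20:01:10 +0000] "GET /item.php?id=1%27%20OR%20%271 HTTP/1.1" 200 512 {UA_SCAN}',
    f'203.0.113.7 - - [27/Feb/2012:20:01:11 +0000] "GET /view.php?file=../../etc/passwd HTTP/1.1" 404 210 {UA_SCAN}',
    f'203.0.113.7 - - [27/Feb/2012:20:01:12 +0000] "GET /search.php?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 733 {UA_SCAN}',
    f'203.0.113.7 - - [27/Feb/2012:20:01:13 +0000] "GET /boot.ini HTTP/1.1" 404 210 {UA_SCAN}',
    f'198.51.100.20 - - [27/Feb/2012:20:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 {UA_USER}',
    f'198.51.100.20 - - [27/Feb/2012:20:02:05 +0000] "GET /item.php?id=4 HTTP/1.1" 200 1822 {UA_USER}',
])

# client ip, request path, user agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# Rough markers for the probe types listed in the quoted post (assumed patterns, tune per site).
PROBE = re.compile(r"\.\./|/etc/passwd|boot\.ini|<script|'\s*or\s*'|union\s+select", re.I)
# Words that appear in ordinary browser User-Agents and say nothing about a tool.
COMMON = {"mozilla", "compatible", "linux", "windows", "firefox",
          "chrome", "safari", "applewebkit", "gecko"}

def probe_requests(log):
    """Yield (client_ip, user_agent) for each request whose decoded URL matches PROBE."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m and PROBE.search(unquote(m.group(2))):
            yield m.group(1), m.group(3)

def recurring_words(log, min_hits=3):
    """Words seen in the User-Agent of at least min_hits probe requests, most frequent first."""
    words = Counter()
    for _, ua in probe_requests(log):
        words.update(set(re.findall(r"[a-z]{4,}", ua.lower())) - COMMON)
    return [(w, n) for w, n in words.most_common() if n >= min_hits]

def probing_clients(log):
    """Number of probe requests per client IP."""
    return Counter(ip for ip, _ in probe_requests(log))

if __name__ == "__main__":
    print(recurring_words(SAMPLE_LOG))
    print(probing_clients(SAMPLE_LOG))
```

A word that survives the filter is a candidate signature to search for and to match in a block or alert rule; automated tools can also send a browser-like User-Agent, so the per-client probe count is the more durable signal.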
kjj
legendary
Activity: 1302
Merit: 1026
February 27, 2012, 08:28:22 PM
#67
I've had a couple of ideas for bitcoin sites that I haven't bothered doing because I don't want the hassle.

Of course, I've had similar ideas for non-bitcoin sites too, and I usually don't bother with them either, because of the hassles that come with other payment systems.
hero member
Activity: 686
Merit: 500
Wat
February 27, 2012, 07:01:10 PM
#66
This is why my advice is if you can't code for shit don't go bringing out bitcoin sites.

full member
Activity: 154
Merit: 102
Bitcoin!
February 27, 2012, 04:37:02 PM
#65
There aren't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams

so, how many bitcoins would be enough?

One bitcoin would be enough. You could probably even do it with a half a bitcoin ;)
hero member
Activity: 812
Merit: 1000
February 27, 2012, 04:28:18 PM
#64
There aren't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams

so, how many bitcoins would be enough?
sr. member
Activity: 350
Merit: 250
February 27, 2012, 01:09:29 PM
#63
'Crooks' are already using existing payment methods to move multi millions in laundered funds; they don't need bitcoin. They need fake ID, social engineering and some socks proxies. There aren't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams.
full member
Activity: 154
Merit: 102
Bitcoin!
February 27, 2012, 09:28:57 AM
#62
A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.
It goes both ways. Sure, you're still a victim, but on the flip side, you should secure your site.  And that goes for any site, not just a bitcoin-related site.

If you don't want to be a victim, secure your site. :)
donator
Activity: 2058
Merit: 1007
Poor impulse control.
February 27, 2012, 05:22:44 AM
#61
Just going off-topic here and injecting a bit of levity, but did anyone notice that if you spoonerise "hackers and crooks" you get:

"Bitcoin is a magnet for crack and hookers"

I wonder how the security at Silk Road is?
legendary
Activity: 1106
Merit: 1004
February 27, 2012, 04:56:12 AM
#60
A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
February 26, 2012, 03:09:07 PM
#59
Trust, is Bitcoin's #1 problem.

Time to downgrade back to the good ol' credit cards, checks, and cash; systems where we don't need to trust anyone at all!  :D



riiiiiiight.
full member
Activity: 182
Merit: 100
February 25, 2012, 07:30:50 PM
#58
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.
Jon
donator
Activity: 98
Merit: 12
No Gods; No Masters; Only You
February 25, 2012, 06:57:34 PM
#57
I would be more concerned if Bitcoin only attracted law-abiding citizens and government officials.
hero member
Activity: 812
Merit: 1000
February 25, 2012, 06:44:01 PM
#56
There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.

sony?
member
Activity: 70
Merit: 10
Freedom is Free
February 25, 2012, 06:42:44 PM
#55
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
If you can't secure your sites then you should not be handling other people's money/bitcoins.
Jan
legendary
Activity: 1043
Merit: 1002
February 25, 2012, 06:25:37 PM
#54
If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
That's why we have Bit-Pay.
legendary
Activity: 1190
Merit: 1000
February 25, 2012, 05:23:31 PM
#53
There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
February 25, 2012, 04:35:37 PM
#52
OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.
:)

just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers squirm. xD

Basically, set up honey pots, and see how many bees you can collect?
member
Activity: 111
Merit: 10
CoinedBits.com
February 25, 2012, 04:30:42 PM
#51
There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?