Topic: Bitcoin is a magnet for hackers and crooks - page 2. (Read 7771 times)

legendary
Activity: 1190
Merit: 1000
February 25, 2012, 03:26:22 PM
#50
There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
hero member
Activity: 540
Merit: 500
The future begins today
February 25, 2012, 08:09:29 AM
#49
For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.

In here they come from Russia. It's really annoying.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
February 24, 2012, 03:38:12 PM
#48
Quote
This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.

Let's see if I don't know what I'm talking about--again.

I think we need not one LinuxCoin, but seven--one for each 10 fold increase of Bitcoin, all the way to what is currently known as a satoshi. And don't start developing the next level until it looks like it's going to be needed soon, therefore all the latest security features and fixes can be in place, eliminating as many future patches as possible.

It can be called LinuxCoin, or any other name, but Bitcoin would remain its brand status, to satisfy the purist and not confuse the ongoing adapters.

Work should start on the next level now. Once in place, and Bitcoin reaches a certain level, say trading at $100 USD (but doesn't have to be exact), then the new client would be LC1, therefore whoever had 10 bitcoins prior to the move, now has 100 coins, valued at the same price. But now it resides on the new secure client without all the previous mundane luggage which, by the way, is still made available somewhere, somehow, for obvious reasons.

It's days like this that I wish I was a programmer. You guys are truly smart lads and lassies. But, then again, if I were a programmer, perhaps Atlas would then be the DaBitcoinGuy.

~Bruno~
legendary
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
February 24, 2012, 12:35:57 PM
#47
I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

Don't know what you mean by "fully secure". There is no such thing as perfect security.

Anyhow, it does have something to do with Bitcoin because, if you store wallets on servers, the level of security required is so much higher than for a site like Wikipedia, where any damage caused by hackers can easily be reversed.  

Security is fiendishly hard to get right even for experienced web developers.   Hiring a team of 10 security experts should NOT be a requirement for every startup in the Bitcoin economy, otherwise there will be very few startups and this economy will never bootstrap.  

This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.  
legendary
Activity: 1106
Merit: 1004
February 24, 2012, 12:17:12 PM
#46
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords; they're stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
member
Activity: 111
Merit: 10
CoinedBits.com
February 24, 2012, 11:59:25 AM
#45
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.
There is no such thing as a secure server.
Trust, is Bitcoin's #1 problem.
legendary
Activity: 1736
Merit: 1006
February 24, 2012, 10:43:57 AM
#44
I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia?


Those diseases kill and maim. Web servers are immune to diseases, last time I checked.
full member
Activity: 154
Merit: 102
Bitcoin!
February 24, 2012, 10:33:06 AM
#43
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.
donator
Activity: 1218
Merit: 1015
February 24, 2012, 06:06:34 AM
#42
I know various forms of this topic have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

I actually think it's a good thing.

What doesn't kill you makes you stronger.

I'm thinking along these lines, too, and wondering if there aren't a good few white-hats doing these attacks. Funny OP mentioned the crackers never looked for the wallet.dat file. I had VNC servers compromised a few months ago, not too long after the MtGox attack. What did the invader do? Was very obvious and tried infecting one computer (which did not run the Bitcoin daemon) with adware. - And I was very confused by this at first, but I've since started thinking they were doing a service of pointing out a very obvious security flaw in my setup which I quickly corrected. I immediately disconnected my router, but I regret not trying to communicate with him.

After the Gox attack, security improved (both in Gox and the affected users) and we're better for it. After Bitscalper's security flaw was noted, security improved and... well.... security improved. All of these attacks are bad short-term, but long-term, they make us more alert and wiser, and may be necessary for Bitcoin to continue being used 10 years from now.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
February 24, 2012, 06:05:02 AM
#41
I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia? In all the time I heard Nietzsche's phrase "That which does not kill us makes us stronger" parroted about, I've yet to hear of one convincing example. In this case, no, getting hacked will not make RSantana's business any stronger. And for any new merchant who doesn't have RSantana's server skills, getting hacked might put them off altogether.

I know you mean well znort987, but remember we're trying to encourage bitcoin access to the wider community. This means helping them be safe, not waiting until they get wiped out - or even nearly wiped out.
legendary
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
February 24, 2012, 05:45:39 AM
#40
For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.


The Netherlands was probably just the last link in a proxy chain.

We shouldn't be surprised by this. Bitcoin wallets are perceived as an easy target, and there is no shortage of desperate people in the world with basic hacking skills.

Have you thought about storing your wallets offline and advertising this fact on your site?
member
Activity: 111
Merit: 10
CoinedBits.com
February 24, 2012, 03:08:22 AM
#39
For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.
member
Activity: 111
Merit: 10
CoinedBits.com
November 16, 2011, 03:38:51 AM
#38
I was going to say '118' looks like Australia. Which service told you it was China? (other than the IE6 usage)

You gotta use the Asia Pacific Network whois search to lookup the IP address

http://www.apnic.net/apnic-info/whois_search
hero member
Activity: 812
Merit: 1000
November 16, 2011, 03:32:07 AM
#37
I guess he could be spoofing the agent string.

I was going to say '118' looks like Australia. Which service told you it was China? (other than the IE6 usage)
member
Activity: 111
Merit: 10
CoinedBits.com
November 16, 2011, 03:08:25 AM
#36
One other interesting thing. It looks like he is on a Windows NT machine using IE 6!

I guess he could be spoofing the agent string.
member
Activity: 111
Merit: 10
CoinedBits.com
November 16, 2011, 03:05:06 AM
#35
What types of attacks were they using?  Just web requests?
I've found that a well configured fail2ban setup has made my logs vastly less annoying to read.

Yes, all attacks were using HTTP. fail2ban looks pretty good. Thanks.
kjj
legendary
Activity: 1302
Merit: 1026
November 16, 2011, 02:57:06 AM
#34
Just wanted to report for documentation sake that I'm still getting hit with hack attempts. The latest attempt was yesterday someone who speaks good English using a server (118.192.35.57) from China tried over 1,500 various methods to hack into my server.

It's hard to stay ahead of these guys, if they are persistent, they will eventually get in (as evident with the other already hacked bitcoin services).

Here are some of the methods he tried:
  • Tried to access boot information
  • Tried to access file system (i.e. /etc/passwd)
  • Various SQL injection techniques
  • JavaScript injection
  • Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

What types of attacks were they using?  Just web requests?

I've found that a well configured fail2ban setup has made my logs vastly less annoying to read.
member
Activity: 111
Merit: 10
CoinedBits.com
November 16, 2011, 02:43:18 AM
#33
Just wanted to report for documentation sake that I'm still getting hit with hack attempts. The latest attempt was yesterday someone who speaks good English using a server (118.192.35.57) from China tried over 1,500 various methods to hack into my server.

It's hard to stay ahead of these guys, if they are persistent, they will eventually get in (as evident with the other already hacked bitcoin services).

Here are some of the methods he tried:
  • Tried to access boot information
  • Tried to access file system (i.e. /etc/passwd)
  • Various SQL injection techniques
  • JavaScript injection
  • Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)
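The probes listed above all arrived as plain HTTP requests, and the fail2ban suggestion in the replies is the usual way to turn an access log into a block list. This added example (not code from the thread or from CoinedBits) is a small fail2ban-style filter in Python: it parses constructed Apache-format log lines, classifies each request as path traversal, SQL injection, script injection or login-page guessing, and reports which source IPs crossed a per-IP threshold. The log lines, IPs (documentation ranges) and threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2011:14:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:14:02:12 +0000] "GET /product.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:14:02:13 +0000] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:14:02:14 +0000] "GET /search.php?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:14:02:15 +0000] "GET /admin/login.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.4 - - [15/Nov/2011:14:05:00 +0000] "GET /product.php?id=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Nov/2011:14:05:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Coarse signatures for the probe classes reported in the thread, checked
# against the URL-decoded path so percent-encoding does not hide them.
PROBE_PATTERNS = {
    "path_traversal": re.compile(r"\.\./|/etc/passwd|/proc/", re.I),
    "sql_injection": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$", re.I),
    "script_injection": re.compile(r"<\s*script", re.I),
    "login_probing": re.compile(r"/(wp-login|admin/login|administrator|phpmyadmin)", re.I),
}


def classify(line):
    """Return (ip, category) for a suspicious request, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))
    for name, pattern in PROBE_PATTERNS.items():
        # Guessing login pages only counts when the page does not exist (404).
        if name == "login_probing" and m.group("status") != "404":
            continue
        if pattern.search(path):
            return m.group("ip"), name
    return None


def find_offenders(log_text, threshold=3):
    """fail2ban-style: count probe hits per source IP, return those at or over threshold."""
    hits, categories = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip, category = result
            hits[ip] += 1
            categories[ip].add(category)
    return {ip: (n, sorted(categories[ip])) for ip, n in hits.items() if n >= threshold}
```

Feeding the returned IPs to a firewall rule with an expiry is what fail2ban automates; the threshold and expiry keep a single malformed request from banning a legitimate customer.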
hero member
Activity: 560
Merit: 500
It will be interesting to see if the hacking attempts slow down at a parallel rate to the value of the bitcoin.
or...hackers go further underground and release scripts to the public.
member
Activity: 111
Merit: 10
CoinedBits.com
It will be interesting to see if the hacking attempts slow down at a parallel rate to the value of the bitcoin.