Topic: Bitcointalk and Security - page 2. (Read 1222 times)

legendary
Activity: 2128
Merit: 1074
May 27, 2015, 10:50:22 AM
#7
There really isn't a whole lot we can do about attacks like that,
I see the time-share salesmen are spewing their bullshit in another thread.

I'll repost here what I posted nearby:

https://bitcointalksearch.org/topic/--1068157

Easily preventable on two levels:

1) colocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium. Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.

sr. member
Activity: 342
Merit: 250
May 27, 2015, 10:30:04 AM
#6
I'm not sure why people are complaining that much in regards to the security of the forum. You should all be thanking theymos that this isn't happening much more often.
Seriously, do you think that there have been only a handful of hacking attempts since the last hack (not this one)?

This forum must be constantly under attack all day every day. It's a credit to theymos that more attacks aren't successful. The social engineering attack was not successful because of any deficiency in theymos's administrative skills, it was successful because social engineering is the weak link in the chain.
sr. member
Activity: 322
Merit: 250
https://dadice.com | Click my signature to join!
May 27, 2015, 09:13:15 AM
#5
=snip=
In this case the hacker used social engineering, there were no security vulnerabilities in the forum software, in fact the hacker likely had little technical skills at all, they just needed to convince the hosting company they were theymos and the hosting company let them in. There really isn't a whole lot we can do about attacks like that, there are thousands of ways to execute social engineering attacks against the forum, it is of course a good idea to check what information your host requires to let you reset your account, and it would also be a good idea to inform the host there may be social engineering attacks, but I mean I can think of a million other ways this could be done and I can't think of many ways to prevent them. What we really need is a more layered approach, for example if we had javascript-side PM encryption then we could store the PMs fully encrypted on the server and prevent against even a root attacker from grabbing them. The forum already stored passwords in a secure manner. Honestly the only things we need to protect are PMs, email addresses and passwords/security questions.
=snip=

The man in the loop is always a security flaw; however, you cannot remove it from the process. So the best response to such events will be recovery preparedness - since you'll always need to recover from unavoidable hacks - while trying to mitigate the frequency of such attacks by educating parties - e.g. the host - to use best practices like safer off-line authentication, etc.

=snip=
Additionally I would highly recommend the account recovery feature be changed. I think that it should require both a recovery email and an answer to a security question; currently it only requires one of those. I would think this would greatly reduce the number of hacked accounts.

+1.
legendary
Activity: 1274
Merit: 1006
Trainman
May 27, 2015, 08:35:31 AM
#4
Sure, theymos is doing their best; it's people, not machines..
legendary
Activity: 2674
Merit: 3000
Terminated.
May 27, 2015, 08:09:44 AM
#3
I'm not sure why people are complaining that much in regards to the security of the forum. You should all be thanking theymos that this isn't happening much more often.
Seriously, do you think that there have been only a handful of hacking attempts since the last hack (not this one)?
hero member
Activity: 882
Merit: 1006
May 27, 2015, 07:29:55 AM
#2
The forum already has security bounties that pay almost the same as Google/Facebook does for their security bounties:

https://bitcointalksearch.org/topic/security-bounties-309785

One problem is web application vulnerabilities aren't the only way we can be hacked. In this case the hacker used social engineering, there were no security vulnerabilities in the forum software, in fact the hacker likely had little technical skills at all, they just needed to convince the hosting company they were theymos and the hosting company let them in. There really isn't a whole lot we can do about attacks like that, there are thousands of ways to execute social engineering attacks against the forum, it is of course a good idea to check what information your host requires to let you reset your account, and it would also be a good idea to inform the host there may be social engineering attacks, but I mean I can think of a million other ways this could be done and I can't think of many ways to prevent them. What we really need is a more layered approach, for example if we had javascript-side PM encryption then we could store the PMs fully encrypted on the server and prevent against even a root attacker from grabbing them. The forum already stored passwords in a secure manner. Honestly the only things we need to protect are PMs, email addresses and passwords/security questions.

Additionally I would highly recommend the account recovery feature be changed. I think that it should require both a recovery email and an answer to a security question; currently it only requires one of those. I would think this would greatly reduce the number of hacked accounts.
legendary
Activity: 1274
Merit: 1006
Trainman
May 27, 2015, 07:21:02 AM
#1
Bitcointalk is the largest community of bitcoin users, and this will always be a hacker target..

What will the hacker win if they hack bitcointalk??

Most believe that if they manage to hack the bitcointalk database and steal the users' information, they will be able to access, for example, users' exchange accounts to steal bitcoins, or private messages, e.g. from bitcoin developers, even to learn who the famous Satoshi Nakamoto is.
For that matter, the hackers are not wrong: most if not all users use the same email and password, e.g. the same email and password for bitcointalk and the same email for btc-e; that is what the hackers are betting on.

Safety does not exist naturally.

Security does not exist in general; every day new vulnerabilities | 0-day exploits are discovered.
If one wants to make a secure website that cannot be attacked by hackers, no development programmer can confirm that, because it is impossible.

I believe that each year a hacking challenge must be organized, which security researchers | hackers | penetration testers can join, with the aim of finding vulnerabilities in the bitcointalk forum, and as a reward they will get bitcoins...
