Topic: BTC-E hacked - still unfolding - page 2. (Read 22045 times)
Trading has resumed: https://bitcointalk.org/index.php?topic=96912.0;topicseen
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
+1
It actually gives me a lot of confidence.
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
I know. For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here. Keep it up BTC-E. BTW, my balances were restored. I didn't lose anything, as far as I can tell.
We have standard?
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
I know. For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here. Keep it up BTC-E. BTW, my balances were restored. I didn't lose anything, as far as I can tell.
From https://btc-e.com/news/81:
Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.
Really? That would make it the longest known brute forced key I've heard of.
caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:
GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm
Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp
Result: 510892508003511 years
(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)
Any idea how LibertyReserve stores passwords?
From https://btc-e.com/news/81:
Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.
Really? That would make it the longest known brute forced key I've heard of.
caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:
GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm
Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp
Result: 510892508003511 years
(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
Lets hope it stays that way. 
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.
This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.
Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.
They reversed the trade so I got back the BTC I sold. Since those coins should have been stolen by the hacker, that means they came out of BTCe's reserves. Very kind of them.
If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.
This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.
Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.
If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.
This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.
Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.
People are bitchin on here, but I think they've done right and made a good name for themselves out of this. At least they didn't keep 18,000+ coins in their hot wallet like some other people we know.
From https://btc-e.com/news/81:
Quote
Dear users of the Exchange Btc-e.com
The exchange is not going to close. We will refund all losses from our reserves.
Neither the servers nor the database were compromised. There were no SQL injections.
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.
Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.
We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.
At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.
People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.
For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.
If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.
Our plan:
1. The trade will be disabled until we restore the balances to the point before market crash.
2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.
Icq - 610112128
Skype - btc-e.support
E-mail - [email protected]
The exchange is not going to close. We will refund all losses from our reserves.
Neither the servers nor the database were compromised. There were no SQL injections.
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.
Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.
We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.
At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.
People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.
For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.
If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.
Our plan:
1. The trade will be disabled until we restore the balances to the point before market crash.
2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.
Icq - 610112128
Skype - btc-e.support
E-mail - [email protected]
The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".
If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'
If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'
I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.
People said exactly the same kind of thing last time.
The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".
If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'
If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'
I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.
The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".
If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'
If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'
Has the admin of BTC-E signed on yet? My condolences go out to him, as well as the victims, because the hack doesn't appear to be an inside job.
*also equilibrium in the orderbook has been reached*
*also equilibrium in the orderbook has been reached*
It's a little unwise to permit instantaneous irreversible withdrawals...anyone running the exchange who was watching events unfold would have known to halt trading...but once the funds are gone, you can't just roll it all back.
If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.
I feel bad for everyone who lost their funds.
If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.
I feel bad for everyone who lost their funds.
How do you "fake" USD or LR on an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?
There's probably at least a few ways. No one is supposed to be able to but if the programming has defects then it's possible. Hackers specialize in finding programming defects.Can any outsider created nonexistent currency and deposit onto an exchange?
If you study how LR communicates account info with it's customers then you can mimic that. If the site programming does not completely authenticate any info from LR then it may take fake info at face value and credit accounts with what it believes to be real deposits. Crediting an account on BTC-E is the same as having the money, ie. fake money, that you can spend to buy BTC.
So a relatively simple act of intercepting data flow and replaying it may lead to funds to play with. This is only one way. SQL Injection into poorly designed API/site code could lead to being able to adjust account balances without proper auditing or verification. All these things result from poorly thought out and tested code but they allow altering database records that say how much money a user has.
How do you "fake" USD or LR on an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?
https://bitcointalksearch.org/topic/accusations-against-supadupajenkins-94573
btc-e dev said its not supa.
I apologize to supa & edited my post to reflect change.
sorry supa.
Jump to: