Topic: BTC-E hacked - still unfolding - page 2. (Read 22045 times)

legendary
Activity: 1078
Merit: 1000
Charlie 'Van Bitcoin' Shrem
hero member
Activity: 868
Merit: 1000
July 31, 2012, 09:55:25 AM
#39
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

+1

It actually gives me a lot of confidence.
legendary
Activity: 980
Merit: 1020
July 31, 2012, 09:42:28 AM
#38
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

I know.  For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here.  Keep it up BTC-E.  BTW, my balances were restored.  I didn't lose anything, as far as I can tell.


We have standards?
legendary
Activity: 2198
Merit: 1311
July 31, 2012, 09:41:37 AM
#37
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

I know.  For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here.  Keep it up BTC-E.  BTW, my balances were restored.  I didn't lose anything, as far as I can tell.
legendary
Activity: 1713
Merit: 1029
July 31, 2012, 09:39:58 AM
#36
From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)



Any idea how LibertyReserve stores passwords?
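The estimate quoted above can be reproduced without the online calculator. This is an added example, not code from anyone in the thread or from BTC-E/LR: it takes the numbers the post assumes (62-symbol alphabet, 16 characters, 3 MH/s per GPU) and works out the key-space, its entropy in bits, the time to exhaust it, and the two halvings the post mentions. The only assumption beyond the post is a 365-day year.

```python
# Added example: back-of-the-envelope brute-force cost for a 16-character
# key drawn from [a-zA-Z0-9]. Figures (62 symbols, 16 chars, 3 MH/s per GPU)
# are the ones assumed in the post; the year length is assumed as 365 days.
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct keys of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key strength in bits (log2 of the key-space)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, rate_per_second: float, gpus: int = 1,
                     expected: bool = False) -> float:
    """Wall-clock years to try every key with `gpus` devices each running at
    `rate_per_second`. With expected=True, the average time to hit the right
    key instead (half the space), i.e. the post's 'lucky hacker' halving."""
    candidates = space / 2 if expected else space
    seconds = candidates / (rate_per_second * gpus)
    return seconds / SECONDS_PER_YEAR


def rate_for_one_year(space: int) -> float:
    """Hash rate that would be needed to exhaust the space in a single year;
    useful for judging whether any plausible GPU farm gets close."""
    return space / SECONDS_PER_YEAR


if __name__ == "__main__":
    space = keyspace(62, 16)
    print(f"keyspace      : {space:.3e} keys ({entropy_bits(62, 16):.1f} bits)")
    print(f"1 GPU, 3 MH/s : {years_to_exhaust(space, 3e6):.3e} years")
    print(f"1000 GPUs, 50%: {years_to_exhaust(space, 3e6, gpus=1000, expected=True):.3e} years")
    print(f"rate for 1 yr : {rate_for_one_year(space):.3e} hashes/s")
```

The single-GPU figure lands at roughly 5e14 years, the same order of magnitude as the calculator result in the post (the small difference comes from how the year and the shorter key lengths are counted), and even a thousand GPUs with a lucky halfway hit leave it above 1e11 years. The point a practitioner takes from this is the last line: a 16-character alphanumeric secret is about 95 bits, so if it leaked, online brute force was almost certainly not the path, and the investigation should look at where the key was stored or transmitted instead.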
hero member
Activity: 530
Merit: 500
July 31, 2012, 09:24:08 AM
#35
From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

legendary
Activity: 1666
Merit: 1057
Marketing manager - GO MP
July 31, 2012, 08:12:33 AM
#34
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
Let's hope it stays that way.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
July 31, 2012, 08:09:36 AM
#33
Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
legendary
Activity: 1120
Merit: 1003
July 31, 2012, 08:03:13 AM
#32

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.


This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.
You also got back USD for which u sold btc?

They reversed the trade so I got back the BTC I sold. Since those coins should have been stolen by the hacker, that means they came out of BTCe's reserves. Very kind of them.
legendary
Activity: 1855
Merit: 1016
July 31, 2012, 08:01:21 AM
#31

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.


This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.
You also got back USD for which u sold btc?
legendary
Activity: 1120
Merit: 1003
July 31, 2012, 07:56:59 AM
#30

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.


This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.

People are bitchin on here, but I think they've done right and made a good name for themselves out of this. At least they didn't keep 18,000+ coins in their hot wallet like some other people we know.
legendary
Activity: 1713
Merit: 1029
July 31, 2012, 07:45:22 AM
#29
From https://btc-e.com/news/81:

Quote
Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - [email protected]
legendary
Activity: 1666
Merit: 1057
Marketing manager - GO MP
July 31, 2012, 07:09:22 AM
#28
The track record of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sayin'

I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.

People said exactly the same kind of thing last time.
newbie
Activity: 15
Merit: 0
July 31, 2012, 07:06:43 AM
#27
The track record of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sayin'

I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.
legendary
Activity: 1666
Merit: 1057
Marketing manager - GO MP
July 31, 2012, 06:44:20 AM
#26
The track record of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sayin'
R-
full member
Activity: 238
Merit: 100
Pasta
July 31, 2012, 06:28:47 AM
#25
Has the admin of BTC-E signed on yet? My condolences go out to him, as well as the victims, because the hack doesn't appear to be an inside job.

*also equilibrium in the orderbook has been reached*
donator
Activity: 1464
Merit: 1047
I outlived my lifetime membership:)
July 31, 2012, 06:11:04 AM
#24
It's a little unwise to permit instantaneous irreversible withdrawals...anyone running the exchange who was watching events unfold would have known to halt trading...but once the funds are gone, you can't just roll it all back.

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.

I feel bad for everyone who lost their funds.
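The suggestion in this post (and the "halt withdrawals, not trading" refinement quoted further up the page) is easy to sketch as code. The following is an added example, not BTC-E's code or anything from the thread: a withdrawal gate that never releases a withdrawal instantly but holds it for a fixed review window, and that freezes the whole queue for manual review as soon as outflow in a rolling window passes a ceiling. The hold period, the ceiling, and the sample withdrawal stream are all constructed values.

```python
# Added example: a withdrawal gate with a mandatory hold period and a rolling
# outflow ceiling that freezes the queue for human review. Thresholds and the
# withdrawal stream in simulate() are constructed, not real exchange data.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    user: str
    btc: float
    requested_at: int           # unix seconds (constructed)
    status: str = "held"        # held -> released | frozen


@dataclass
class WithdrawalGate:
    hold_seconds: int = 3600            # minimum time a request sits in review
    window_seconds: int = 3600          # rolling window for the outflow ceiling
    max_btc_per_window: float = 250.0   # ceiling before the queue freezes
    frozen: bool = False
    queue: deque = field(default_factory=deque)    # pending, oldest first
    recent: deque = field(default_factory=deque)   # (release_time, btc) released

    def request(self, w: Withdrawal) -> None:
        self.queue.append(w)

    def _window_outflow(self, now: int) -> float:
        """BTC already released inside the rolling window."""
        while self.recent and now - self.recent[0][0] > self.window_seconds:
            self.recent.popleft()
        return sum(b for _, b in self.recent)

    def process(self, now: int) -> list[Withdrawal]:
        """Release requests whose hold has expired, oldest first, until one
        would push the window over the ceiling; at that point freeze and leave
        everything pending for an operator. Trading is untouched by this."""
        released = []
        while self.queue and not self.frozen:
            w = self.queue[0]
            if now - w.requested_at < self.hold_seconds:
                break                       # oldest item still inside its hold
            if self._window_outflow(now) + w.btc > self.max_btc_per_window:
                self.frozen = True          # anomaly: stop and page a human
                for p in self.queue:
                    p.status = "frozen"
                break
            self.queue.popleft()
            w.status = "released"
            self.recent.append((now, w.btc))
            released.append(w)
        return released

    def unfreeze(self) -> None:
        """Operator action after review; pending items go back to 'held'."""
        self.frozen = False
        for p in self.queue:
            p.status = "held"


def simulate() -> dict:
    """Constructed stream: a normal trickle of small withdrawals followed by a
    burst of large ones, the shape of a hot wallet being drained."""
    gate = WithdrawalGate()
    t0 = 1_343_700_000
    for i in range(5):
        gate.request(Withdrawal(f"user{i}", 20.0, t0 + i * 60))
    for i in range(3):
        gate.request(Withdrawal("attacker", 300.0, t0 + 600 + i * 10))
    early = gate.process(t0 + 1800)            # nothing: hold period not over
    later = gate.process(t0 + 4230)            # trickle released, burst trips ceiling
    return {"early": len(early),
            "released": [w.user for w in later],
            "frozen": gate.frozen,
            "pending": len(gate.queue)}


if __name__ == "__main__":
    print(simulate())
```

The hold period alone is what gives an operator time to act; the ceiling is what makes the system act on its own when nobody is watching. Both are cheap compared with restoring from backup and paying losses out of reserves.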
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
July 31, 2012, 05:40:25 AM
#23
How do you "fake" USD or LR on an exchange?
Can any outsider create nonexistent currency and deposit it onto an exchange?
There's probably at least a few ways. No one is supposed to be able to but if the programming has defects then it's possible. Hackers specialize in finding programming defects.

If you study how LR communicates account info with its customers then you can mimic that. If the site programming does not completely authenticate any info from LR then it may take fake info at face value and credit accounts with what it believes to be real deposits. Crediting an account on BTC-E is the same as having the money, i.e. fake money, that you can spend to buy BTC.

So a relatively simple act of intercepting data flow and replaying it may lead to funds to play with. This is only one way. SQL Injection into poorly designed API/site code could lead to being able to adjust account balances without proper auditing or verification. All these things result from poorly thought out and tested code but they allow altering database records that say how much money a user has.
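What "completely authenticate any info from LR" looks like in code, as an added example (this is not LR's real protocol and not BTC-E's code; the message fields, the canonical serialisation, the HMAC-SHA256 scheme and the shared secret are all assumptions): before a deposit notification is allowed to credit a balance it is checked for a valid signature, a fresh timestamp, and a transaction id that has not been seen before, which is what stops an intercepted message from being replayed. The caveat the thread itself supplies is that a shared-secret check is only as good as the secret; BTC-E's own statement says their API secret key was compromised, and with the secret in hand an attacker's messages pass this check, which is why an independent confirmation with the processor (not shown here) and withdrawal holds still matter.

```python
# Added example: authenticating a payment-processor deposit callback before
# crediting an account. Field names, serialisation, the HMAC scheme, the
# secret and the sample messages are constructed; none of it is LR's API.
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"   # per-merchant key from the processor (assumed)
FIELDS = ("account", "amount", "currency", "txn_id", "timestamp")


def sign(payload: dict, secret: bytes) -> str:
    """Canonical serialisation of the signed fields, then HMAC-SHA256."""
    canon = "|".join(str(payload[f]) for f in FIELDS).encode()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()


class DepositVerifier:
    def __init__(self, secret: bytes, max_skew: int = 300):
        self.secret = secret
        self.max_skew = max_skew      # seconds a notification may be old
        self.seen_txn = set()         # persist this in production (DB, not memory)

    def verify(self, payload: dict, signature: str, now: int) -> tuple:
        """Return (accepted, reason). Only an accepted message may credit a balance.
        Checks run cheapest-to-reject first; the signature is compared in
        constant time so timing does not leak which byte was wrong."""
        if any(f not in payload for f in FIELDS):
            return False, "missing field"
        if not hmac.compare_digest(sign(payload, self.secret), signature):
            return False, "bad signature"           # forged or tampered message
        if abs(now - int(payload["timestamp"])) > self.max_skew:
            return False, "stale timestamp"         # old capture replayed later
        if payload["txn_id"] in self.seen_txn:
            return False, "replayed txn_id"         # same message delivered twice
        self.seen_txn.add(payload["txn_id"])
        # Before crediting, also confirm txn_id/amount with the processor
        # out-of-band; an assumption about good practice, not shown here.
        return True, "ok"


def demo(now: int = 1_343_700_000) -> list:
    """Run a genuine notification, a replay of it, a tampered copy, and a stale
    but correctly signed one through the verifier (all constructed)."""
    v = DepositVerifier(SHARED_SECRET)
    genuine = {"account": "merchant-123", "amount": "2500.00", "currency": "USD",
               "txn_id": "T-0001", "timestamp": now - 10}
    sig = sign(genuine, SHARED_SECRET)
    results = [v.verify(genuine, sig, now)[1]]          # ok
    results.append(v.verify(genuine, sig, now)[1])      # replayed txn_id
    tampered = dict(genuine, amount="250000.00")        # amount changed, old signature
    results.append(v.verify(tampered, sig, now)[1])     # bad signature
    stale = dict(genuine, txn_id="T-0002", timestamp=now - 900)
    results.append(v.verify(stale, sign(stale, SHARED_SECRET), now)[1])  # stale timestamp
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters less for security than the fact that all of them run before any balance is touched: a notification that is merely well-formed, or merely signed, must never be enough on its own.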
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
July 31, 2012, 05:20:15 AM
#22
How do you "fake" USD or LR on an exchange?
Can any outsider create nonexistent currency and deposit it onto an exchange?
legendary
Activity: 1855
Merit: 1016
July 31, 2012, 02:12:24 AM
#21
I think this may be the root cause of the hack or theft or whatever happened/is happening on btc-e today

https://bitcointalksearch.org/topic/accusations-against-supadupajenkins-94573


btc-e dev said it's not supa.
I apologize to supa & edited my post to reflect change.
sorry supa.