Pages:
Author

Topic: BTCLottery Shut down - now the guy has all our emails (Read 2335 times)

sr. member
Activity: 294
Merit: 250
This is seriously the most paranoid and delusional thread on the boards today.
legendary
Activity: 2072
Merit: 1001
Is pop3 so obsolete that despite all the constant updates to Linux distributions of even obscure things many might imagine to be obsolete such a major security hole as brute-forcing still is not fixed?

That seems outright weird if it extends to whatever the latest thing is if even IMAP is that obsolete already too.

I hope it is at least fixed in the getty/login/telnet/ssh type things?

-MarkM-


An out of the box linux distro will install a rock solid pop3 daemon that has a very low chance of being hacked remotely without
a user/pass.

A pop3 daemon normally contains no brute forcing code. It is up to the user to add that. Often a script that checks a log in
/var/log/whatever and then sees that a single IP has tried a dozen times so it locks it out for 24 hours or how ever you set it up.
Perhaps a pop3 daemon exists that does have that included but over the history of linux most people created tools that do one
thing well and then you add on top of that or chain tools together.

That is why accounts on cpanel hosting, for example, is popular. It contains all those bells and whistles. But if you get a server/virtual server
at a colocation place it is totally up to you to lock it down. This goes for the BSDs and generally all nix(s).

SSL in this case does not help. The attacker simply attacks that port.
legendary
Activity: 2940
Merit: 1090
Is pop3 so obsolete that despite all the constant updates to Linux distributions of even obscure things many might imagine to be obsolete such a major security hole as brute-forcing still is not fixed?

That seems outright weird if it extends to whatever the latest thing is if even IMAP is that obsolete already too.

I hope it is at least fixed in the getty/login/telnet/ssh type things?

-MarkM-
legendary
Activity: 2072
Merit: 1001
what a person can do with email addresses of known users of BTC is to try to brute force the password.
then simply use imap to watch those emails until something juicy comes in. for example, realizing the user
has a mtgox account. then reset the password via mtgox, get the email they send, login to mtgox, and profit.

naturally this assumes the user put in an email account that he uses for most everything.. like 99% of us do.

with that said... a good majority of BTC related websites look like hobbyist stuff that i would not trust to use, ever.
especially "lottery/gambling/pyramid/etc" things. those just scream lame to me.
Brute forcing is not possible on the majority of sites today.

If i were to guess, I would bet a lot of those users have email accounts on linux boxes running pop3/imap that
have no brute force protection at all. Just toss out the gmail or whatever addresses you know have brute force
protection and concentrate on the rest. A small percentage will have a weak or short password. It is not about
cracking them all.. but the low hanging fruit that could lead to a possible reward with minimal effort.

Or how about sending a pdf to users that abused a security flaw in abode reader that is craftily made?

Or how about... the list is endless. Proven ways that have worked in the past to own someone.

Some people are really really into infosec/hacking/cracking and practice this stuff every day for years in the wild.
The best know how to find holes, craft their own exploits, have contacts who can provide more tools/sploits, and
otherwise not be considered a script kid.

But this is all speculation on what a person might do with an email list of known BTC users. Just idle talk.
legendary
Activity: 2940
Merit: 1090
Brute force the password of someone's gmail or yahoo or hotmail etc ("email") account?

I naively imagined somehow that part of how gmail, yahoo, hotmail etc became so popular was they they were huge enough and rich enough to somehow resist such attacks better than smaller players in the field might be able to afford to?

-MarkM-
full member
Activity: 196
Merit: 100
what a person can do with email addresses of known users of BTC is to try to brute force the password.
then simply use imap to watch those emails until something juicy comes in. for example, realizing the user
has a mtgox account. then reset the password via mtgox, get the email they send, login to mtgox, and profit.

naturally this assumes the user put in an email account that he uses for most everything.. like 99% of us do.

with that said... a good majority of BTC related websites look like hobbyist stuff that i would not trust to use, ever.
especially "lottery/gambling/pyramid/etc" things. those just scream lame to me.
Brute forcing is not possible on the majority of sites today.
legendary
Activity: 2072
Merit: 1001
what a person can do with email addresses of known users of BTC is to try to brute force the password.
then simply use imap to watch those emails until something juicy comes in. for example, realizing the user
has a mtgox account. then reset the password via mtgox, get the email they send, login to mtgox, and profit.

naturally this assumes the user put in an email account that he uses for most everything.. like 99% of us do.

with that said... a good majority of BTC related websites look like hobbyist stuff that i would not trust to use, ever.
especially "lottery/gambling/pyramid/etc" things. those just scream lame to me.
sr. member
Activity: 280
Merit: 250
Was there a password required to go with the email?

No I simply asked for there btc address and there email so people didn't spam the system
full member
Activity: 196
Merit: 100
The reason it shut down was probably because he didn't see it as profitable. He was only charging 0.3 BTC per month to advertise, and only got two advertisers in the time the site was up. This is 0.6 BTC per month, and it seemed like he took a 5% fee... which is only 0.03 BTC per month.

So I don't think this is a way for him to run off with all your emails. Most likely he just didn't see the business model as particularly profitable and chose to try something different instead.

EDIT: Aaaand... my suspicions were confirmed in the above post.
sr. member
Activity: 280
Merit: 250
TheBitMan, his current name.  Is a pretty long standing member.  I fully question a lot of his sites intentions, but he is has always been improving and helps the community in various ways.   That doesn't mean shit as far as full trust and etc.  And in fact that makes it that much better of a scam.   Still, I got an error message leading me to think that you should just give this a little time, I think the site is down.
I didn't give that good of an explanation I guess. Bitcoinduit.com ruined the pyramid/ponzi game for all of us. So I shut down multiplymybtc.com And I shut down the free lottery because that's A LOT of work for me who would of made 0.03 BTC that month.. So it's shut down for good and I deleted all emails.
sr. member
Activity: 280
Merit: 250
Please PM me before you accuse me of being a scammer.
sr. member
Activity: 280
Merit: 250
I deleted all of the emails, I can show you a screen shot.
hero member
Activity: 630
Merit: 500
Posts: 69
TheBitMan, his current name.  Is a pretty long standing member.  I fully question a lot of his sites intentions, but he is has always been improving and helps the community in various ways.   That doesn't mean shit as far as full trust and etc.  And in fact that makes it that much better of a scam.   Still, I got an error message leading me to think that you should just give this a little time, I think the site is down.
newbie
Activity: 14
Merit: 0
Chill, he's a 15 year old boy (from what I've heard), there's not much he can do with our email addresses. Tongue
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
One of my greatest security blunders was when I gave out my e-mail and someone sent me spam.
My whole life changed after that. From Viagra to Enlargers, and even a a long lost friend from Nigeria, who happened to remember my e-mail when he ran into some trouble and needed money.  Grin
I used to have a wildcard catchall address at a domain, but at a certain moment that got me so much spam (spammers bruteforce mailing a@domain, b@domain, c@domain) which became too much bother to manage. So I switched to a simple gmail address. It rarely gets spam in the inbox, their spam filter works very well, though there have been some false positives, especially with confirmation mails etc.

sr. member
Activity: 364
Merit: 251
He had all your emails *before* he shut down. If you're worried you should simply not give out your main mail address to strangers.


One of my greatest security blunders was when I gave out my e-mail and someone sent me spam.
My whole life changed after that. From Viagra to Enlargers, and even a a long lost friend from Nigeria, who happened to remember my e-mail when he ran into some trouble and needed money.  Grin
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
He had all your emails *before* he shut down. If you're worried you should simply not give out your main mail address to strangers.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
Was there a password required to go with the email?
sr. member
Activity: 448
Merit: 250
You don't use throwaway email addresses, or what?
How is this supposed to hurt anyone?   Roll Eyes

- Spamming for other products/services

- Knowing who is a using Bitcoin for the time when it becomes illegal

-....could think of some more but just for starters.

and people think I'M paranoid...??.....  Cheesy

Seriously. Take your thorazine and lithium and slap that tinfoil hat on...

You were willing to provide that email when the site existed, exposing yourself to every problem listed even while the site still existed. Nothing has changed except your delusional perspective.
sr. member
Activity: 364
Merit: 251
How is this supposed to hurt anyone?   Roll Eyes

- Spamming for other products/services

- Knowing who is a using Bitcoin for the time when it becomes illegal

-....could think of some more but just for starters.

and people think I'M paranoid...??.....  Cheesy
Pages:
Jump to: