Coinchat doesn't salt or use a strong hash algo - page 4.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: gweedo on July 12, 2013, 03:27:41 AM

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:26:01 AM

1) He only takes full source code and database as proof apparenty

Only way in my book to prove it.

Thanks for this admission! https://bitcointalksearch.org/topic/warning-gweedo-extorts-full-database-of-sensitive-financial-site-spreads-fud-254808

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:26:01 AM

1) He only takes full source code and database as proof apparenty

Only way in my book to prove it.

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:26:01 AM

2) I am not disclosing my salt

*FACEPLAM* why would you disclose your salt, that would be pretty dumb and I never asked you to do that.

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:26:01 AM

3) If I wasn't hashing / salting them, I could just hash later.

Exactly. Plus I always said your not strongly hashing them.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Screenshots shouldn't be trusted, they can be faked.

escrow.ms

legendary

Activity: 1274

Merit: 1004

Quote from: gweedo on July 12, 2013, 03:24:25 AM

How do I know he didn't pay you just to say that. Also he could just take your stuff and throw into a hash generator.

Because I do not work for him and he should post screenshot from online database (phpmyadmin).

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: escrow.ms on July 12, 2013, 03:22:44 AM

@Trade if you want i can make a test account on both of your sites with a random password, you can then post hash with salt here and a screenshot of username /hash from database to prove him wrong.

You can also put a bounty to crack it.

A few things:

1) He only takes full source code and database as proof apparenty

2) I am not disclosing my salt

3) If I wasn't hashing / salting them, I could just hash later.

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:22:20 AM

CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.

Now he is spamming.

Quote from: escrow.ms on July 12, 2013, 03:22:44 AM

@Trade if you want i can make a test account on both of your sites with a random password, you can then post hash with salt here and a screenshot of username /hash from database to prove him wrong.

How do I know he didn't pay you just to say that. Also he could just take your stuff and throw into a hash generator.

escrow.ms

legendary

Activity: 1274

Merit: 1004

@Trade if you want i can make a test account on both of your sites with a random password, you can then post hash with salt here and a screenshot of username /hash from database to prove him wrong.

You can also put a bounty to crack it.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.

escrow.ms

legendary

Activity: 1274

Merit: 1004

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:12:42 AM

That's my point? My ratings show up my default, his doesn't.

VIP donator Badge have lots of benefits. Grin

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Besides, if you ARE using the same password for more than one site / don't use a password manager / etc, you need to fix that.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: ?? on ??

When did images become FUD and untrustworthy? I am not abusing any trust system, apparently he is very sensitive with this. He has extorted me to abuse the trust, he thinks he can hack me, and he just calling me untrustworthy which is slander.

Quote

This is a warning! Don't use these sites, TF can access your password at anytime! And take over your other accounts.

Which is untrue.

Your image shows that I don't salt passwords for CoinChat. I hash passwords with SHA256. So I cannot access your password at any time. That's an outright lie. For other sites I always salt at least.

Quote

No His ratings are red because you are in " DefaultTrust"

That's my point? My ratings show up my default, his doesn't.

escrow.ms

legendary

Activity: 1274

Merit: 1004

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:06:07 AM

The negative trust rating shows up for everyone by default, your negative trust rating shows up for no one except you. I suggest making a new throwaway and seeing what your profile looks like.

No His ratings are red because you are in " DefaultTrust"

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: escrow.ms on July 12, 2013, 03:07:37 AM

Why are you guys abusing trust system for no reason?

He's posting FUD (such as claiming that I don't hash or salt), when that's plainly untrue (your password is hashed in your browser for CoinLenders) which is untrustworthy.

That's not very different from false scammer accusations, which would get you a negative trust rating. Go claim John K is a scammer (when it is untrue) and see what your trust score looks like later for example.

Or claim that a web hosting company scammed you when you haven't purchased anything. Intentionally misleading statements are untrustworthy.

escrow.ms

legendary

Activity: 1274

Merit: 1004

Why are you guys abusing trust system for no reason?

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

By hard proof, gweedo means that he wants the full source code and database of CoinLenders. I wonder what legitimate reasons he has for wanting the database? Huh

I've already found vulnerabilities in them. It's simple, provide me with a written & signed contract authorizing penetration testing on your site.

The negative trust rating shows up for everyone by default, your negative trust rating shows up for no one except you. I suggest making a new throwaway and seeing what your profile looks like.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: ?? on ??

So your going to believe him if one of his sites doesn't have for sure, I am 100% none of his sites do. Just a programming hence, I use the same template for all my sites, and 99% of programmers do. So yeah. If you believe him then good for you, but I am not.

Yeah good luck using a Node.js template for PHP Grin

FUD like this is why you have a negative trust rating. I've already shown the source code function for CL.

scotaloo

newbie

Activity: 42

Merit: 0

Quote from: ?? on ??

Thank you kind sir, for taking the risk for all of us!

Im likely about to be banned unfairly for being an alt of an account that I am not when theymos wakes up so meh I could care less.

scotaloo

newbie

Activity: 42

Merit: 0

Looks like he closed 3389 and a few others after I warned him a week ago, good job, but still Shocked

a financial site

scotaloo

newbie

Activity: 42

Merit: 0

Don't worry its perfectly legal to possess hacking software here and people need to see this, so:

Quote

$ nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 coinchat.org

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-12 08:48 IST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 08:48
Scanning coinchat.org (192.155.86.153) [8 ports]
Completed Ping Scan at 08:48, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:48
Completed Parallel DNS resolution of 1 host. at 08:48, 0.05s elapsed
Initiating SYN Stealth Scan at 08:48
Scanning coinchat.org (192.155.86.153) [1000 ports]
Discovered open port 80/tcp on 192.155.86.153
Discovered open port 22/tcp on 192.155.86.153
Discovered open port 8888/tcp on 192.155.86.153
Discovered open port 8000/tcp on 192.155.86.153
Discovered open port 9000/tcp on 192.155.86.153
Discovered open port 8333/tcp on 192.155.86.153
Completed SYN Stealth Scan at 08:48, 5.86s elapsed (1000 total ports)
Initiating Service scan at 08:48
Scanning 6 services on coinchat.org (192.155.86.153)
Completed Service scan at 08:49, 31.61s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against coinchat.org (192.155.86.153)
Retrying OS detection (try #2) against coinchat.org (192.155.86.153)
Initiating Traceroute at 08:49
Completed Traceroute at 08:49, 0.20s elapsed
Initiating Parallel DNS resolution of 10 hosts. at 08:49
Completed Parallel DNS resolution of 10 hosts. at 08:49, 0.10s elapsed
NSE: Script scanning 192.155.86.153.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 08:49
Completed NSE at 08:49, 30.34s elapsed
NSE: Script Scanning completed.
Nmap scan report for coinchat.org (192.155.86.153)
Host is up (0.19s latency).
rDNS record for 192.155.86.153: mafiahunt.net
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (protocol 2.0)
| ssh-hostkey: 1024 87:73:ff:39:8c:14:99:b2:a7:09:f8:2f:e1:95:b7:ba (DSA)
|_2048 0e:dc:0c:ff:45:c0:a1:f4:69:4e:58:80:f4:5d:f4:b7 (RSA)
25/tcp filtered smtp
80/tcp open http?
2710/tcp filtered unknown
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
6969/tcp filtered acmsoda
7000/tcp filtered afs3-fileserver
8000/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_html-title: MafiaHunt - Realtime Mafia on the web
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: CONNECTION
8333/tcp open tcpwrapped
8888/tcp open sun-answerbook?
9000/tcp open cslistener?
9090/tcp filtered zeus-admin
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=5.21%I=7%D=7/12%Time=51DFB4D7%P=i686-pc-linux-gnu%r(GetReq
SF:uest,52,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Fri,\x2012\x20Jul
SF:\x202013\x2007:48:38\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOpt
SF:ions,52,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Fri,\x2012\x20Jul
SF:\x202013\x2007:48:39\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(FourOhF
SF:ourRequest,52,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Fri,\x2012\
SF:x20Jul\x202013\x2007:48:40\x20GMT\r\nConnection:\x20close\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8888-TCP:V=5.21%I=7%D=7/12%Time=51DFB4D7%P=i686-pc-linux-gnu%r(GetR
SF:equest,1A1A,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2012\x20Jul\x2020
SF:13\x2007:48:38\x20GMT\r\nConnection:\x20close\r\n\r\n
SF:\n\nCoinChat\x20-\x20free\x20bitcoins\x20and\x20chat\x20ro<br />SF:om\nSF:ap/2\.3\.2/css/bootstrap-combined\.min\.css\"\x20rel=\"stylesheet\">\n<
SF:link\x20href='static/css/default\.css'\x20type='text/css'\x20rel='style
SF:sheet'>\nSF:mg/chat\.png\">\nSF:0chatroom\x20-\x20discuss\x20and\x20chat\x20with\x20a\x20nice\x20stylis
SF:h\x20functional\x20client\.\x20Works\x20everywhere,\x20Bitcoin\x20integ
SF:rated\">\x20\n\n\n\t\n\t\tSF:20id='changepassmodal'\x20class='modal\x20fade\x20hide'>\n\t\t\tSF:0class='modal-header'>\n\t\t\t\tSF:e'\x20data-dismiss='modal'\x20aria-hidden='true'>×\n\t\t
SF:\t\t

Change\x20Password

\n\t\t\t

\n\t\t\tSF:al-body'>\n\t\t\t\t

Change\x20the\x20password\x20for\x20this\x20accou
SF:nt

\n\t\t\t\tSF:20200\x20OK\r\nDate:\x20Fri,\x2012\x20Jul\x202013\x2007:48:39\x20GMT\r\
SF:nConnection:\x20close\r\n\r\n\n\nCoinCha<br />SF:t\x20-\x20free\x20bitcoins\x20and\x20chat\x20room\nSF:f=\"//netdna\.bootstrapcdn\.com/twitter-bootstrap/2\.3\.2/css/bootstrap
SF:-combined\.min\.css\"\x20rel=\"stylesheet\">\nSF:/default\.css'\x20type='text/css'\x20rel='stylesheet'>\nSF:icon\"\x20type=\"image/png\"\x20href=\"static/img/chat\.png\">\nSF:20name=\"description\"\x20content=\"A\x20web\x20chatroom\x20-\x20discus
SF:s\x20and\x20chat\x20with\x20a\x20nice\x20stylish\x20functional\x20clien
SF:t\.\x20Works\x20everywhere,\x20Bitcoin\x20integrated\">\x20\n\n<
SF:body>\n\t\n\t\tSF:20class='modal\x20fade\x20hide'>\n\t\t\t\n
SF:\t\t\t\tSF:l'\x20aria-hidden='true'>×\n\t\t\t\t

Change\x20Passwo
SF:rd

\n\t\t\t

\n\t\t\t\n\t\t\t\t

Ch
SF:ange\x20the\x20password\x20for\x20this\x20account

\n\t\t\t\tSF:20type='passw");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9000-TCP:V=5.21%I=7%D=7/12%Time=51DFB4EA%P=i686-pc-linux-gnu%r(Four
SF:OhFourRequest,472,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2012\x20Jul
SF:\x202013\x2007:48:57\x20GMT\r\nConnection:\x20close\r\n\r\nSF:0html>\n\n\nSF:script>\n\nSF:20src='static/jquery\.cookie\.js'>\nSF:ipts\.js'>\n\nSF:pt\x20src='/js/jquery-ui\.js'>\nSF:ype'\x20content='text/html;charset=UTF-8'\x20/>\nSF:eet\"\x20type=\"text/css\"\x20href='static/style\.css'\x20/>\n\n
SF:\n\n\x20\x20\n\x20\x
SF:20\tLoading\.\.\n\x20\x20\tSF:='timer'>Loading\.\.\n\x20\x20\tLeaveSF:an>\n\x20\x20

\n\x20\x20\n\x20\x20\tSF:20class='aliveyard'>\n\x20\x20\t

\n\x20\x20\tSF:ard'>\n\x20\x20\t

Topic: Coinchat doesn't salt or use a strong hash algo - page 4. (Read 32223 times)

Change\x20Password

Change\x20PasswoSF:rd

Change\x20Passwo
SF:rd