Info about the recent attack - page 10.

Phinnaeus Gage

legendary

Activity: 1918

Merit: 1570

Bitcoin: An Idea Worth Spending

Quote from: Are-you-a-wizard? on September 11, 2011, 04:06:24 AM

I'm done with this bullshit. Every month my password is leaked by fail bitcoin sites and their shit security.

Yes, I use different passwords for each site. I don't give a flying fuck.

This is unacceptable,
bye

Quote from: Are-you-a-wizard? on August 05, 2011, 03:29:52 PM

Quote from: Steve on August 05, 2011, 03:07:50 PM

Keep in mind, the annualized inflation rate of bitcoin is ~37.6% at the moment. If the price holds steady it means that there is enough new demand to keep up with this pace of inflation. To me, it seems quite natural that the variance in demand relative to the rate of inflation in such a small market is bound to create substantial volatility in both directions. People should be more surprised that the price stuck at around $14 or $15 for so long.

The absolute number of miners has nothing to do with it...the question is simply to what degree the net demand is increasing in relation to the supply. A miner that sells all of their generated bitcoins are reducing net demand (just like anyone else selling bitcoins) while a miner that holds all of their generated bitcoins and increasing net demand (just like anyone else buying bitcoins).

The breaches, the hacks, and the fading media attention are probably all contributing to a lull in demand at the moment.

Somebody buy this man a beer.

Smart Money Drives the Financial Markets?
Let's hear what Tom Williams has to say about all this: http://www.youtube.com/watch?v=6jwEwlZnSFY

Tom and Gavin being interviewed: http://www.youtube.com/watch?v=wYowjdORSNQ

Gabi

legendary

Activity: 1148

Merit: 1008

If you want to walk on water, get out of the boat

Basically in the whole forum we keep discussing about security and guess that? The forum itself get HACKED Roll Eyes

Basically everything keep getting hacked despite all our security discussion and almost always due to ridicolous negligences (yay the bug in the forum was in the thing that modify tags for donators, a thing added some week ago and guess what? hackable!)

dvide

newbie

Activity: 59

Merit: 0

Quote from: dvide on September 11, 2011, 08:39:29 AM

Quote from: BkkCoins on September 11, 2011, 12:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.

Ok something is definitely broken. I just used the forgot password function to reset my password, because it wasn't working from within my account, but then I could not log in at all using either my new password or my old one. Both passwords were 25 characters with special characters and spaces. I used the forgot password again to reset it to a 16 char password without special characters or spaces, and then I was able to login.

So something WRT to either length, special characters or spaces has a problem. Also none of the passwords I tried used a space at either the start or the end, so it's not trimming the string that is my problem.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: ctoon6 on September 11, 2011, 08:52:38 AM

is my password safe if i used a 64char hexadecimal?

do the math yourself.

serrouisly you guys, learn about password strength, and hashing algo's.

ctoon6

sr. member

Activity: 350

Merit: 251

is my password safe if i used a 64char hexadecimal?

antares

hero member

Activity: 518

Merit: 500

Simple Question, besides it's beyond that other things that have been said in this thread.
This one is @theymos directly:
Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?

actions like simply taking the forum offline hurt the confidence of people in bitcoin.

dvide

newbie

Activity: 59

Merit: 0

Quote from: BkkCoins on September 11, 2011, 12:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.

makomk

hero member

Activity: 686

Merit: 564

Quote from: JeffK on September 11, 2011, 07:26:35 AM

I really have a hard time believing this was a 0-day, especially with the last version of the forum being so dated - it sounds like a CYA excuse.

If it was a security vulnerability in the forum software, and it wasn't caused by one of the mods they installed, it pretty much has to be. There are no relevant public vulnerabilities for SMF 1.1.14 or 1.1.13. (Though having looked closer, I'm not sure if it is a vulnerability at all... decidedly dodgy code at the very least though.)

superpc

newbie

Activity: 55

Merit: 0

How could they let this happen? The security of this forum is vital to your users. This should have not happened today. The admins need to upgrade the version of this forum's software(well, PHP) to SMF 2.0 or switch to PHPBB or VBulletin.

bitstarter

sr. member

Activity: 300

Merit: 250

BitcoinStarter.com Support Account

Just glad to have it back

SoreGums

full member

Activity: 129

Merit: 100

Quote from: EskimoBob on September 11, 2011, 05:15:18 AM

Create 4 random passwords which contains no special characters and are 10 characters long:

Code:

cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Create 4 random passwords which DO contains special characters and are 12 characters long:

Code:

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'

that's pretty neat little script - cheers Wink

I'm going to stick to lastpass though...

mikeo

full member

Activity: 196

Merit: 100

Oikos.cash | Decentralized Finance on Tron

Quote from: BkkCoins on September 11, 2011, 12:37:13 AM

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.

@theymos,

I own a copy of VBulletin that is not in use and would gladly donate it to you for use here if you want to pursue migrating.

JeffK

sr. member

Activity: 350

Merit: 250

I never hashed for this...

Quote from: ShadowOfHarbringer on September 11, 2011, 06:19:10 AM

Quote from: theymos on September 11, 2011, 03:12:44 AM

Quote from: TiagoTiago on September 11, 2011, 02:55:58 AM

Where can i find more information on what exactly is in the way of upgrading to 2.somthing?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

Apparently.

Moving to PHPBB or vBulletin is a solution to only one of your problems.
Another one is that the forums are so heavily trolled & flooded with pointless/spam post that it has become difficult to actually discuss about something seriously here.

This forum lacks a Slashdot-like moderation system. Slashdot has probably the best moderation system in the world. It automatically filters out all spam & scam messages with high effectivness. Also, it severely decreases the level of trolling.

Slashdot's moderation system, much like reddit's, only filters out non-groupthink.

I really have a hard time believing this was a 0-day, especially with the last version of the forum being so dated - it sounds like a CYA excuse.

ShadowOfHarbringer

legendary

Activity: 1470

Merit: 1006

Bringing Legendary Har® to you since 1952

Quote from: theymos on September 11, 2011, 03:12:44 AM

Quote from: TiagoTiago on September 11, 2011, 02:55:58 AM

Where can i find more information on what exactly is in the way of upgrading to 2.somthing?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

Apparently.

Moving to PHPBB or vBulletin is a solution to only one of your problems.
Another one is that the forums are so heavily trolled & flooded with pointless/spam post that it has become difficult to actually discuss about something seriously here.

This forum lacks a Slashdot-like moderation system. Slashdot has probably the best moderation system in the world. It automatically filters out all spam & scam messages with high effectivness. Also, it severely decreases the level of trolling.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: deepceleron on September 11, 2011, 05:20:19 AM

Quote from: theymos on September 11, 2011, 04:01:10 AM

He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.

That address was funded with exactly 10BTC with this transaction on 9-3.
We see that wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC.

I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and if any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.

ithink that its most likely that the coins came direcly from an exchange. i dont know why, but the acount balances are odd, and the timing between the transactions is fast(indicating some kind of online wallet, at least in my mind)

deepceleron

legendary

Activity: 1512

Merit: 1036

Quote from: theymos on September 11, 2011, 04:01:10 AM

He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.

That address was funded with exactly 10BTC with this transaction on 9-3.
We see that wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC. That kinda looks like an exchange savings account too, so they could have gone into an exchange.

I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and if any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.

fadisaaida

member

Activity: 105

Merit: 10

Quote from: JonHind on September 11, 2011, 02:32:59 AM

The vulnerabilities in 1.1.14 have been known for a LONG time. You can hardly call what SA did a 0-day exploit. While 1.1.14 might still be 'supported', it is full of security holes. The admins of this site have been aware of these vulnerabilities for a while, as quite a few people (myself included) have pointed out the dangers of using 1.1.14.

Seriously i spent 5 minutes trying to see where did you point it out before ? am i blind ?

EskimoBob

legendary

Activity: 910

Merit: 1000

Quality Printing Services by Federal Reserve Bank

DO NOT USE WEBSITES TO GENERATE YOUR PASSWORDS

There is a good chance that your new and shiny password is stored for later attacks!

Create 4 random passwords which contains no special characters and are 10 characters long:

Code:

cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Create 4 random passwords which DO contains special characters and are 12 characters long:

Code:

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'

ovidiusoft

sr. member

Activity: 252

Merit: 250

Quote from: haploid23 on September 11, 2011, 04:54:49 AM

my password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. what are the chances it gets broken into after it's hashed?

After hashing, very little. But:

Quote

The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts.

You should assume that if you entered your password while logging in after sept 3rd, it was intercepted while still in plaintext. Change it.

haploid23

legendary

Activity: 812

Merit: 1002

my password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. what are the chances it gets broken into after it's hashed?

Topic: Info about the recent attack - page 10. (Read 52585 times)