Topic: Info about the recent attack - page 10. (Read 52527 times)

legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
September 11, 2011, 09:57:16 AM
#74
I'm done with this bullshit. Every month my password is leaked by fail bitcoin sites and their shit security.

Yes, I use different passwords for each site. I don't give a flying fuck.

This is unacceptable,
bye

Keep in mind, the annualized inflation rate of bitcoin is ~37.6% at the moment.  If the price holds steady it means that there is enough new demand to keep up with this pace of inflation.  To me, it seems quite natural that the variance in demand relative to the rate of inflation in such a small market is bound to create substantial volatility in both directions.  People should be more surprised that the price stuck at around $14 or $15 for so long.  

The absolute number of miners has nothing to do with it... the question is simply to what degree the net demand is increasing in relation to the supply. A miner that sells all of their generated bitcoins is reducing net demand (just like anyone else selling bitcoins), while a miner that holds all of their generated bitcoins is increasing net demand (just like anyone else buying bitcoins).

The breaches, the hacks, and the fading media attention are probably all contributing to a lull in demand at the moment.

Somebody buy this man a beer.

Smart Money Drives the Financial Markets?
Let's hear what Tom Williams has to say about all this: http://www.youtube.com/watch?v=6jwEwlZnSFY

Tom and Gavin being interviewed: http://www.youtube.com/watch?v=wYowjdORSNQ

legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
September 11, 2011, 09:56:28 AM
#73
Basically, in the whole forum we keep discussing security, and guess what? The forum itself gets HACKED.

Basically everything keeps getting hacked despite all our security discussion, and almost always due to ridiculous negligence (yay, the bug in the forum was in the thing that modifies tags for donators, a thing added some weeks ago, and guess what? Hackable!)

newbie
Activity: 59
Merit: 0
September 11, 2011, 09:55:35 AM
#72
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)
I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.
Ok something is definitely broken. I just used the forgot password function to reset my password, because it wasn't working from within my account, but then I could not log in at all using either my new password or my old one. Both passwords were 25 characters with special characters and spaces. I used the forgot password again to reset it to a 16 char password without special characters or spaces, and then I was able to login.

So something WRT either length, special characters or spaces has a problem. Also, none of the passwords I tried used a space at either the start or the end, so it's not trimming of the string that is my problem.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 09:54:38 AM
#71
Is my password safe if I used a 64-char hexadecimal?
Do the math yourself.

Seriously you guys, learn about password strength and hashing algos.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 09:52:38 AM
#70
Is my password safe if I used a 64-char hexadecimal?
hero member
Activity: 518
Merit: 500
September 11, 2011, 09:44:52 AM
#69
Simple question, beyond the other things that have been said in this thread.
This one is @theymos directly:
Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?

Actions like simply taking the forum offline hurt the confidence of people in bitcoin.
newbie
Activity: 59
Merit: 0
September 11, 2011, 09:39:29 AM
#68
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)
I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.
hero member
Activity: 686
Merit: 564
September 11, 2011, 09:10:32 AM
#67
I really have a hard time believing this was a 0-day, especially with the last version of the forum being so dated - it sounds like a CYA excuse.
If it was a security vulnerability in the forum software, and it wasn't caused by one of the mods they installed, it pretty much has to be. There are no relevant public vulnerabilities for SMF 1.1.14 or 1.1.13. (Though having looked closer, I'm not sure if it is a vulnerability at all... decidedly dodgy code at the very least though.)
newbie
Activity: 55
Merit: 0
September 11, 2011, 09:07:48 AM
#66
How could they let this happen? The security of this forum is vital to your users. This should not have happened today. The admins need to upgrade the version of this forum's software (well, PHP) to SMF 2.0 or switch to phpBB or vBulletin.
sr. member
Activity: 300
Merit: 250
BitcoinStarter.com Support Account
September 11, 2011, 08:56:15 AM
#65
Just glad to have it back.
full member
Activity: 129
Merit: 100
September 11, 2011, 08:31:38 AM
#64
Create 4 random passwords which contain no special characters and are 10 characters long:
Code:
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 4
Create 4 random passwords which DO contain special characters and are 12 characters long:
Code:
cat /dev/urandom | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' | fold -w 12 | head -n 4 | grep -i '[!@#$%^&*()_+{}|:<>?=]'
That's a pretty neat little script - cheers.

I'm going to stick to lastpass though...
full member
Activity: 196
Merit: 100
Oikos.cash | Decentralized Finance on Tron
September 11, 2011, 08:30:50 AM
#63
I'd like to see vBulletin used as well. I've read that it takes a lower CPU load than most free PHP boards, and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money, but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
@theymos,

I own a copy of VBulletin that is not in use and would gladly donate it to you for use here if you want to pursue migrating.
sr. member
Activity: 350
Merit: 250
I never hashed for this...
September 11, 2011, 08:26:35 AM
#62
Where can I find more information on what exactly is in the way of upgrading to 2.something?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

Apparently.

Moving to PHPBB or vBulletin is a solution to only one of your problems.
Another one is that the forums are so heavily trolled and flooded with pointless/spam posts that it has become difficult to actually discuss something seriously here.

This forum lacks a Slashdot-like moderation system. Slashdot has probably the best moderation system in the world. It automatically filters out all spam and scam messages with high effectiveness. Also, it severely decreases the level of trolling.

Slashdot's moderation system, much like reddit's, only filters out non-groupthink.


I really have a hard time believing this was a 0-day, especially with the last version of the forum being so dated - it sounds like a CYA excuse.
legendary
Activity: 1470
Merit: 1005
Bringing Legendary Har® to you since 1952
September 11, 2011, 07:19:10 AM
#61
Where can I find more information on what exactly is in the way of upgrading to 2.something?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

Apparently.

Moving to PHPBB or vBulletin is a solution to only one of your problems.
Another one is that the forums are so heavily trolled and flooded with pointless/spam posts that it has become difficult to actually discuss something seriously here.

This forum lacks a Slashdot-like moderation system. Slashdot has probably the best moderation system in the world. It automatically filters out all spam and scam messages with high effectiveness. Also, it severely decreases the level of trolling.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 06:35:35 AM
#60
He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.
That address was funded with exactly 10BTC with this transaction on 9-3.
We see that the wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC.

I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and if any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.
I think that it's most likely that the coins came directly from an exchange. I don't know why, but the account balances are odd, and the timing between the transactions is fast (indicating some kind of online wallet, at least in my mind).
legendary
Activity: 1512
Merit: 1028
September 11, 2011, 06:20:19 AM
#59
He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.
That address was funded with exactly 10BTC with this transaction on 9-3.
We see that the wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC. That kinda looks like an exchange savings account too, so they could have gone into an exchange.

I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and if any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.
member
Activity: 105
Merit: 10
September 11, 2011, 06:18:25 AM
#58
The vulnerabilities in 1.1.14 have been known for a LONG time. You can hardly call what SA did a 0-day exploit. While 1.1.14 might still be 'supported', it is full of security holes. The admins of this site have been aware of these vulnerabilities for a while, as quite a few people (myself included) have pointed out the dangers of using 1.1.14.

Seriously, I spent 5 minutes trying to see where you pointed it out before. Am I blind?
legendary
Activity: 910
Merit: 1000
Quality Printing Services by Federal Reserve Bank
September 11, 2011, 06:15:18 AM
#57
DO NOT USE WEBSITES TO GENERATE YOUR PASSWORDS

There is a good chance that your new and shiny password is stored for later attacks!

Create 4 random passwords which contain no special characters and are 10 characters long:
Code:
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 4

Create 4 random passwords which DO contain special characters and are 12 characters long:
Code:
cat /dev/urandom | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' | fold -w 12 | head -n 4 | grep -i '[!@#$%^&*()_+{}|:<>?=]'

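As an added example (not code from this post or the thread), here is a version of the urandom pipeline above that rejects any candidate lacking a letter, a digit or a special character, plus the arithmetic behind post #71's "do the math yourself". The function names, the 4096-byte read and the use of awk for the logarithm are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: generate passwords from the local
# kernel RNG (never a website) and reject any candidate that lacks a
# letter, a digit or a special character. Assumes POSIX sh plus tr, head,
# grep and awk; the special-character set is the one from the thread.

ALLOWED='a-zA-Z0-9!@#$%^&*()_+{}|:<>?='   # tr class: 52 + 10 + 20 = 82 symbols
SPECIAL_RE='[@#$%^&*()_+{}|:<>?=!]'        # grep bracket expression; '!' kept off the first slot

# has_class STRING REGEX -> succeeds if STRING contains a match for REGEX
has_class() {
    printf '%s' "$1" | LC_ALL=C grep -q "$2"
}

# gen_passwords COUNT LENGTH -> prints COUNT passwords, one per line.
# Each one contains at least one letter, one digit and one special character.
gen_passwords() {
    count=$1; length=$2; made=0
    while [ "$made" -lt "$count" ]; do
        # Read a bounded chunk so the pipeline finishes on its own instead of
        # relying on SIGPIPE to stop an endless 'cat /dev/urandom'.
        cand=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$ALLOWED" | head -c "$length")
        [ "${#cand}" -eq "$length" ] || continue
        has_class "$cand" '[A-Za-z]'    || continue
        has_class "$cand" '[0-9]'       || continue
        has_class "$cand" "$SPECIAL_RE" || continue
        printf '%s\n' "$cand"
        made=$((made + 1))
    done
}

# entropy_bits LENGTH ALPHABET_SIZE -> bits of a uniformly random password,
# i.e. LENGTH * log2(ALPHABET_SIZE), rounded: 64 hex chars give 256 bits.
entropy_bits() {
    awk -v l="$1" -v n="$2" 'BEGIN { printf "%.0f\n", l * log(n) / log(2) }'
}

# Stand-alone run: four 12-character passwords, then the numbers behind them.
gen_passwords 4 12
echo "12 chars over 82 symbols: $(entropy_bits 12 82) bits"
echo "10 alphanumerics (62 symbols): $(entropy_bits 10 62) bits"
echo "64 hex chars: $(entropy_bits 64 16) bits"
```

The class checks make the grep filter from the post unnecessary, and the bounded read means the command also behaves under set -o pipefail.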
sr. member
Activity: 252
Merit: 250
September 11, 2011, 06:08:52 AM
#56
my password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. what are the chances it gets broken into after it's hashed?

After hashing, very little. But:

Quote
The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts.

You should assume that if you entered your password while logging in after Sept 3rd, it was intercepted while still in plaintext. Change it.
legendary
Activity: 812
Merit: 1002
September 11, 2011, 05:54:49 AM
#55
my password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. what are the chances it gets broken into after it's hashed?