Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred - page 31. (Read 158131 times)

Archived version of glados.cc from http://web.archive.org/web/20130606204001/http://glados.cc/ says that his GPG key is 2E67C3DF. See for yourself.

The GPG signed message on inputs.io and the GPG key that TF has previously used are DIFFERENT

Do not trust anything signed that is not signed with key ID 2048D/2E67C3DF. This is the key TF always used and we have no reason to believe he would use a different key now

I have sent you an address.

BTW, I think storing 4100 BTC (!) on hot wallet is somewhat an insanity and hope other service operators will not repeat this mistake!

Hello, chiming in here. The GPG signed message on the website doesn't check out. I saved the key that he had on glados.cc, and the key ID is 2E67C3DF, but when I checked this message, the key is 63DD3F13. What's the reason behind this TF?

I just replied to your email, asking for your Bitcoin address.

That's just over a million at current exchange rates. Gotta say I'm finding it a little hard to believe he was actually hacked and this isn't just another long con, though I'd like to believe that isn't the case.

Full message on his website.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side.

Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code were transferred to 10;[email protected]:[email protected] (most likely another compromised server).

What about my coins there? If you stored more than 1 BTC, send an email to [email protected] with a Bitcoin address (preferably, an offline, open source light/SPV wallet like Multibit or Electrum). Use the same email you're using on Inputs. Please don't store Bitcoins on an internet connected device, regardless of it is your own or a service's.

I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJSeuZ9AAoJEB7FawRj3T8Th5QH/iapt2DUuyy1j7t51y1N1LOk
+Gu5fdIAV8molXnv+InMQvxtfxWfc7zKiROSP6Zv1cXdvMrCyzKP+SnTEFshIa+0
j2FYOgLeMNmsPSw8yeR1O8vJieYlK+7imEZL4nRKA+O+mjqCT1nTCtBUAVcYQ8Uu
O6BoNLkgT8z/1ZTfw+OK4t2kw9KcC317JOv3yVugfA3xCn4HbKPRP2yFIKR49C7L
w7C2h3L1jHqLerQNjbowcyKH83BFJ2IB0cFZFFCLBI+8NQcUIcIFymxrxUV73Rqa
xlMPX2rPFcIj6yz0ABl1t2rwY2DGOvc33MYCzX82CumLx/qAXCd2uF/jG6fzQ5M=
=Ip/9
-----END PGP SIGNATURE-----

I have some feelings that you won't see any updates from Inputs.io! 

Update please, why this message, what is the timeframe for processing withdrawals again?

He said he'll bring us an update soon, so we'll hear from him soon enough.

Woah, this admittedly IS looking bad now TradeFortress, please give us an update?

This is very misleading. Side channel attack is a whole group of attacks, but this term is commonly used when talking about cryptography (please see https://en.wikipedia.org/wiki/Side_channel_attack, and in the rare event that you are really into it http://www.sidechannelattacks.com/a.aspx).

I can't think of any reason why someone would say this was a side channel attack (actually, sic: "like a 'side channel' attack"), except to disguise the shame of the actual bug(s) found that won't be properly disclosed. It's time to get honest and drop the text about "most secure wallet ever created".

I haven't lost any money - but I just need to move some around.  If you can let me know the soonest when I can do this...thanks! Just 2 BTC...

hope so

Yep, makes sense.

Googled "side channel", it is said its Xen's hole.
input.io use aws, and aws is base on Xen.

so , maybe TF is busing moving input.io from aws to some physical machine.
That's why it took so long.

Yes, calm is the only way here. If you can't be calm, don't trust external sites with you btc.

Take care of them yourself.

I guess he won't be answering email for a while since he is really busy. He already said that he will refund everyone so you probably shouldn't worry about those 5 BTC.

No, and when i withdraw from input.io, got "hotpocket empty"

Any news from TF?