Large Bitcoin Collider (Collision Finders Pool) - page 12.

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: phzi on April 17, 2017, 02:53:29 PM

Rico666 - are you okay if someone releases a cleaned script with no remote code execution and the various bullshit traps removed? Pretty trivial to have it auto-update to bypass your savagely bad "authentication" scheme.

I believe, it's way better not to use savagely bad software containing bullshit at all. Why going through the loops of trying to fix it?

At the moment I am changing some issues that were addressed and which I consider valid (host verification, FTP -> HTTPS, qx -> open, etc.), I'm not changing core features that are there for a reason. If you have a problem with that, don't use the software.

https://lbc.cryptoguru.org/man/admin#security

Quote

The programs themself do not require any critical Bitcoin infrastructure on the machine. You do not need any blockchain data, or any wallet on a LBC-client machine. If security is paramount, you are encouraged to run LBC in a virtual machine or container to provide more encapsulation. There is some performance loss, but with a good VM configuration this can be kept at a minimum.

If you have concerns running it "on iron" i.e. not in a VM because you run the GPU client, use a dedicated machine. If all of this is not an alternative for you, don't use the software.

If you then still are afraid, LBC could some day mutate on that dedicated machine into some mail-spam sending or DDoS-Zombie machine... my condolences. And then of course don't use the software!

Rico

phzi

hero member

Activity: 700

Merit: 500

Rico666 - are you okay if someone releases a cleaned script with no remote code execution and the various bullshit traps removed? Pretty trivial to have it auto-update to bypass your savagely bad "authentication" scheme.

monsanto

legendary

Activity: 1241

Merit: 1005

..like bright metal on a sullen ground.

Can someone please provide a brief summary as to the current state of the controversy with this project?

Was it shown it was malware or that it could possibly have been used as malware? Is it safe to use now?

That'll be disappointing if this whole thing turns out to be a scam (although it would explain the enthusiasm for a somewhat hopeless project Tongue

). I mean if you can't trust the Large Bitcoin Collider who can you trust? Although if it was malware in a sense the LBC was being truthful; only their software would be trying to steal the bitcoins through the client rather than the target address Grin

Gleb Gamow

vip

Activity: 1428

Merit: 1145

Quote from: HTML6 on April 17, 2017, 01:05:29 PM

Quote from: Gleb Gamow on April 17, 2017, 12:22:50 PM

Quote from: rico666 on April 17, 2017, 12:06:51 PM

Quote from: SopaXT on April 17, 2017, 12:03:53 PM

uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico

Reads to me like this Rico dude is a real Looney Tune ...

"The ONLY backdoor I see is the one I'm gonna use to fuck you in the ass."

wow. Personally I believe there are far better uses to computer power and time than this petty theft. It's interesting in a purely scientific way, but I won't be involved.

In ten minutes I'll be throwing the switch to fire up my Crypto Cyclotron. I estimate that it'll take about two hours to crack all cryptocurrency wallet addresses that have ever been used. Apologies if your lights dim during the powering-up process due to the draw needed from the grid. Light output should return to normal within one minute; unplugged toasters not affected.

HTML6

newbie

Activity: 42

Merit: 0

Quote from: Gleb Gamow on April 17, 2017, 12:22:50 PM

Quote from: rico666 on April 17, 2017, 12:06:51 PM

Quote from: SopaXT on April 17, 2017, 12:03:53 PM

uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico

Reads to me like this Rico dude is a real Looney Tune ...

"The ONLY backdoor I see is the one I'm gonna use to fuck you in the ass."

wow. Personally I believe there are far better uses to computer power and time than this petty theft. It's interesting in a purely scientific way, but I won't be involved.

ryanc

member

Activity: 105

Merit: 59

Quote from: Gleb Gamow on April 16, 2017, 05:54:45 PM

Okay, I'll try harder:

https://www.reddit.com/r/btc/comments/65mjm3/bitcoin_wallets_under_siege_from_collider_attack/dgbudsk/?st=j1kfl6t1&sh=53798e72

Quote

It's impossible to find the private keys of existing bitcoin wallets unless they're brain wallets, so this project is a false claim. As we say in cryptography, the probability of this event is negligible.
For comparison, it's more profitable to just use your computer for mining. It's actually also more profitable to physically use your computer as a hammer to physically mine in your garden in the hope of finding gold.

There are bad ways to create bitcoin private keys besides brainwallets. Broken PRNGs being one of them, and keys people have deliberately made weak being another.

ryanc

member

Activity: 105

Merit: 59

Quote from: rico666 on April 17, 2017, 11:49:56 AM

On that qx again:

Is it really a security issue if I do:

Code:

qx{./hook-start} if (-x './hook-start');

And similar with the other hooks?

I mean that are shell scripts the user writes himself as these should be executed on certain events. How is this supposed to create a shell injection?
That would be the case if the argument to qx would be (there are other places) in a variable - yes?

But not in these cases. Just asking...

Rico

If there's no arguments, or the command is hard coded, there's no security issue with backticks/qx to the best of my knowledge.

Gyrsur

legendary

Activity: 2856

Merit: 1520

Bitcoin Legal Tender Countries: 2 of 206

^^THIS!!

EDIT: in 5 days he want to find a private key of this address 15z9c9sVpu6fwNiK7dMAFgMYSK4GqsGZim which is using just the first 52 of 256 bits.

Gleb Gamow

vip

Activity: 1428

Merit: 1145

Quote from: rico666 on April 17, 2017, 12:06:51 PM

Quote from: SopaXT on April 17, 2017, 12:03:53 PM

uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico

Reads to me like this Rico dude is a real Looney Tune ...

"The ONLY backdoor I see is the one I'm gonna use to fuck you in the ass."

SopaXT

full member

Activity: 157

Merit: 113

Quote from: rico666 on April 17, 2017, 12:06:51 PM

Quote from: SopaXT on April 17, 2017, 12:03:53 PM

uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico

Well - the IP starting with 77 is probably mine.

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: SopaXT on April 17, 2017, 12:03:53 PM

uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico

SopaXT

full member

Activity: 157

Merit: 113

uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.
Oh, you are assuming my nationality now? Fine.

I can easily submit a fake PoW request too, if you let my IP submit it.

Gyrsur

legendary

Activity: 2856

Merit: 1520

Bitcoin Legal Tender Countries: 2 of 206

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: SopaXT on April 17, 2017, 11:56:23 AM

Here you go, Rico!
You were afraid of tampering, huh?
Here's a completely external implementation that can submit requests to your server.

Python 3, requires the requests library.

Code:

...

Yes?

Code:

$ python siapxt.py 
Client fingerprint: 26b0625831e3ccbf7ea4355778539bde
Secret: test
{'nil': 'perm withdrawn'}

And now? Please advise.

... Shocked

....

OMFG - Now I begin to realize... You think I am "afraid" of some app submitting requests to the server???
I'm sorry if I thought you are a chatbot. In fact you are a human, but I am speaking Chinese.

Sorry for that. Really. I try it in plain English:

Client - PoW. Must. Not. Fake.

Rico

SopaXT

full member

Activity: 157

Merit: 113

Here you go, Rico!
You were afraid of tampering, huh?
Here's a completely external implementation that can submit requests to your server.

Python 3, requires the requests library.

Code:

import requests

SERVER_URL = "https://lbc.cryptoguru.org/"

def talk2server(path, json):
    return requests.post(SERVER_URL + "/" + path, json=json).json()

finger, intfin, quine, secret, version = input("Client fingerprint: "), "b8a8", "26b0625831e3ccbf7ea4355778539bde", input("Secret: "), "1.067"

print(talk2server("work", {
    "mode": "get",
    "client": {
        "finger": finger,
        "intfin": intfin,
        "quine": quine,
        "secret": secret,
        "version": version,
    },
    "eta": 0
}))

akk123

sr. member

Activity: 290

Merit: 250

Hey rico666, Are you Evil-Knievel by chance?
https://bitcointalksearch.org/user/evil-knievel-159191

Gleb Gamow

vip

Activity: 1428

Merit: 1145

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: ryanc on April 17, 2017, 11:21:42 AM

Since I'm looking at the code anyway, I notice that there's a bunch of command execution using qx{} which IIRC is equivalent to backticks, and potentially vulnerable to shell injection. This should probably be replaced with `open` or `system`with arguments passed as an array.

On that qx again:

Is it really a security issue if I do:

Code:

qx{./hook-start} if (-x './hook-start');

And similar with the other hooks?

I mean that are shell scripts the user writes himself as these should be executed on certain events. How is this supposed to create a shell injection?
That would be the case if the argument to qx would be (there are other places) in a variable - yes?

But not in these cases. Just asking...

Rico

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: Gleb Gamow on April 17, 2017, 11:43:51 AM

WILL DOMINATE YOUR FACE. Shocked

That was way less elaborate and eloquent than your usual stuff, but eventually exactly how "your stuff" always ends.

So Poirot then, if you're allergic to Sherlock. Although that's a choice I wouldn't have made.

Rico

Gleb Gamow

vip

Activity: 1428

Merit: 1145

Quote from: rico666 on April 17, 2017, 04:56:11 AM

Quote from: Gleb Gamow on April 16, 2017, 05:54:45 PM

Okay, I'll try harder:

No, you are not trying harder.

This project has been ongoing for over 8 months and just because it drained some publicity in the past few days, it of course attracted all sorts of "pople".

People like you, trying to make a ~~point~~ appearance. Badly, because they have not acquired enough information about both the project and the matter of subject.

Example 1:

Your 1st post was - while admittedly written in an entertaining way - neither revealing and actually a non-issue. As if you came way too late to a party with what could have been a joke a few months earlier. Yes, we wanted a GPU client. Badly. Urgently. Look it up in this thread (about the time of September 2016 +/-1 month). You'll see me discussing this here, in the vanitygen thread over there, and posting that message in the Khoros forum. Everywhere for f*ing sake under the same forum name. So yeah Sherlock: you "found" it.

I temporarily stopped reading there to say that every non-nefarious actor wouldn't dream about using such a tone, whereas EVERY previous nefarious actor in this space has played the Sherlock card et al. on my scammy ass, ALL of which no longer populate this space.

That said, feel free to further have convos with me on your thread if you don't give a shit about your brand, a brand by all accounts from those brighter than I have demonstrated won't work ... and never has, ergo a scam.

One more thing, don't think for a sec that your German ass is gonna piss off this Lugan, for my replies will ... how should I say it ... WILL DOMINATE YOUR FACE. Shocked

Topic: Large Bitcoin Collider (Collision Finders Pool) - page 12. (Read 193426 times)