Pages:
Author

Topic: Large Bitcoin Collider (Collision Finders Pool) - page 12. (Read 193484 times)

legendary
Activity: 1120
Merit: 1037
฿ → ∞
Rico666 - are you okay if someone releases a cleaned script with no remote code execution and the various bullshit traps removed?  Pretty trivial to have it auto-update to bypass your savagely bad "authentication" scheme.

I believe, it's way better not to use savagely bad software containing bullshit at all. Why going through the loops of trying to fix it?

At the moment I am changing some issues that were addressed and which I consider valid (host verification, FTP -> HTTPS, qx -> open, etc.), I'm not changing core features that are there for a reason. If you have a problem with that, don't use the software.

https://lbc.cryptoguru.org/man/admin#security

Quote
The programs themself do not require any critical Bitcoin infrastructure on the machine. You do not need any blockchain data, or any wallet on a LBC-client machine. If security is paramount, you are encouraged to run LBC in a virtual machine or container to provide more encapsulation. There is some performance loss, but with a good VM configuration this can be kept at a minimum.

If you have concerns running it "on iron" i.e. not in a VM because you run the GPU client, use a dedicated machine. If all of this is not an alternative for you, don't use the software.

If you then still are afraid, LBC could some day mutate on that dedicated machine into some mail-spam sending or DDoS-Zombie machine... my condolences. And then of course don't use the software!



Rico
hero member
Activity: 700
Merit: 500
Rico666 - are you okay if someone releases a cleaned script with no remote code execution and the various bullshit traps removed?  Pretty trivial to have it auto-update to bypass your savagely bad "authentication" scheme.
legendary
Activity: 1241
Merit: 1005
..like bright metal on a sullen ground.
Can someone please provide a brief summary as to the current state of the controversy with this project?

Was it shown it was malware or that it could possibly have been used as malware? Is it safe to use now?

That'll be disappointing if this whole thing turns out to be a scam (although it would explain the enthusiasm for a somewhat hopeless project  Tongue). I mean if you can't trust the Large Bitcoin Collider who can you trust? Although if it was malware in a sense the LBC was being truthful; only their software would be trying to steal the bitcoins through the client rather than the target address  Grin

vip
Activity: 1428
Merit: 1145
uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico


Reads to me like this Rico dude is a real Looney Tune ...


"The ONLY backdoor I see is the one I'm gonna use to fuck you in the ass."

 Shocked wow. Personally I believe there are far better uses to computer power and time than this petty theft. It's interesting in a purely scientific way, but I won't be involved.

In ten minutes I'll be throwing the switch to fire up my Crypto Cyclotron. I estimate that it'll take about two hours to crack all cryptocurrency wallet addresses that have ever been used. Apologies if your lights dim during the powering-up process due to the draw needed from the grid. Light output should return to normal within one minute; unplugged toasters not affected.
newbie
Activity: 42
Merit: 0
uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico


Reads to me like this Rico dude is a real Looney Tune ...


"The ONLY backdoor I see is the one I'm gonna use to fuck you in the ass."

 Shocked wow. Personally I believe there are far better uses to computer power and time than this petty theft. It's interesting in a purely scientific way, but I won't be involved.
member
Activity: 105
Merit: 59
Okay, I'll try harder:

https://www.reddit.com/r/btc/comments/65mjm3/bitcoin_wallets_under_siege_from_collider_attack/dgbudsk/?st=j1kfl6t1&sh=53798e72

Quote
It's impossible to find the private keys of existing bitcoin wallets unless they're brain wallets, so this project is a false claim. As we say in cryptography, the probability of this event is negligible.
For comparison, it's more profitable to just use your computer for mining. It's actually also more profitable to physically use your computer as a hammer to physically mine in your garden in the hope of finding gold.

There are bad ways to create bitcoin private keys besides brainwallets. Broken PRNGs being one of them, and keys people have deliberately made weak being another.
member
Activity: 105
Merit: 59
On that qx again:

Is it really a security issue if I do:
Code:
qx{./hook-start} if (-x './hook-start');

And similar with the other hooks?

I mean that are shell scripts the user writes himself as these should be executed on certain events. How is this supposed to create a shell injection?
That would be the case if the argument to qx would be (there are other places) in a variable - yes?

But not in these cases. Just asking...


Rico


If there's no arguments, or the command is hard coded, there's no security issue with backticks/qx to the best of my knowledge.
legendary
Activity: 2856
Merit: 1520
Bitcoin Legal Tender Countries: 2 of 206
^^THIS!!

EDIT: in 5 days he want to find a private key of this address 15z9c9sVpu6fwNiK7dMAFgMYSK4GqsGZim which is using just the first 52 of 256 bits.

vip
Activity: 1428
Merit: 1145
uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico


Reads to me like this Rico dude is a real Looney Tune ...


"The ONLY backdoor I see is the one I'm gonna use to fuck you in the ass."
full member
Activity: 157
Merit: 113
uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico


Well - the IP starting with 77 is probably mine.
legendary
Activity: 1120
Merit: 1037
฿ → ∞
uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.

Which one of the ... let me see ... 7 IPs blocked in the past 30 minutes is it?

And - are you sure you wouldn't want to exchange some experience with user fronti first?

Rico
full member
Activity: 157
Merit: 113
uhm, could you unblock my IP?
I want to test this a bit more. I couldn't make sure it worked because my IP was blacklisted for running a tampered client.
Oh, you are assuming my nationality now? Fine.

I can easily submit a fake PoW request too, if you let my IP submit it.
legendary
Activity: 2856
Merit: 1520
Bitcoin Legal Tender Countries: 2 of 206
legendary
Activity: 1120
Merit: 1037
฿ → ∞
Here you go, Rico!
You were afraid of tampering, huh?
Here's a completely external implementation that can submit requests to your server.

Python 3, requires the requests library.

Code:
...

Yes?

Code:
$ python siapxt.py 
Client fingerprint: 26b0625831e3ccbf7ea4355778539bde
Secret: test
{'nil': 'perm withdrawn'}

And now? Please advise.

...  Shocked ....

OMFG - Now I begin to realize... You think I am "afraid" of some app submitting requests to the server???
I'm sorry if I thought you are a chatbot. In fact you are a human, but I am speaking Chinese.

Sorry for that. Really. I try it in plain English:

Client - PoW. Must. Not. Fake.



Rico
full member
Activity: 157
Merit: 113
Here you go, Rico!
You were afraid of tampering, huh?
Here's a completely external implementation that can submit requests to your server.

Python 3, requires the requests library.

Code:
import requests

SERVER_URL = "https://lbc.cryptoguru.org/"

def talk2server(path, json):
    return requests.post(SERVER_URL + "/" + path, json=json).json()

finger, intfin, quine, secret, version = input("Client fingerprint: "), "b8a8", "26b0625831e3ccbf7ea4355778539bde", input("Secret: "), "1.067"

print(talk2server("work", {
    "mode": "get",
    "client": {
        "finger": finger,
        "intfin": intfin,
        "quine": quine,
        "secret": secret,
        "version": version,
    },
    "eta": 0
}))
sr. member
Activity: 290
Merit: 250
Hey rico666, Are you Evil-Knievel by chance?
https://bitcointalksearch.org/user/evil-knievel-159191
vip
Activity: 1428
Merit: 1145
legendary
Activity: 1120
Merit: 1037
฿ → ∞
Since I'm looking at the code anyway, I notice that there's a bunch of command execution using qx{} which IIRC is equivalent to backticks, and potentially vulnerable to shell injection. This should probably be replaced with `open` or `system`with arguments passed as an array.

On that qx again:

Is it really a security issue if I do:
Code:
qx{./hook-start} if (-x './hook-start');

And similar with the other hooks?

I mean that are shell scripts the user writes himself as these should be executed on certain events. How is this supposed to create a shell injection?
That would be the case if the argument to qx would be (there are other places) in a variable - yes?

But not in these cases. Just asking...


Rico
legendary
Activity: 1120
Merit: 1037
฿ → ∞
WILL DOMINATE YOUR FACE.  Shocked

That was way less elaborate and eloquent than your usual stuff, but eventually exactly how "your stuff" always ends.

So Poirot then, if you're allergic to Sherlock. Although that's a choice I wouldn't have made.

Rico
vip
Activity: 1428
Merit: 1145
Okay, I'll try harder:

No, you are not trying harder.

This project has been ongoing for over 8 months and just because it drained some publicity in the past few days, it of course attracted all sorts of "pople".

People like you, trying to make a point appearance. Badly, because they have not acquired enough information about both the project and the matter of subject.

Example 1:

Your 1st post was - while admittedly written in an entertaining way - neither revealing and actually a non-issue. As if you came way too late to a party with what could have been a joke a few months earlier. Yes, we wanted a GPU client. Badly. Urgently. Look it up in this thread (about the time of September 2016 +/-1 month). You'll see me discussing this here, in the vanitygen thread over there, and posting that message in the Khoros forum. Everywhere for f*ing sake under the same forum name. So yeah Sherlock: you "found" it.


I temporarily stopped reading there to say that every non-nefarious actor wouldn't dream about using such a tone, whereas EVERY previous nefarious actor in this space has played the Sherlock card et al. on my scammy ass, ALL of which no longer populate this space.

That said, feel free to further have convos with me on your thread if you don't give a shit about your brand, a brand by all accounts from those brighter than I have demonstrated won't work ... and never has, ergo a scam.

One more thing, don't think for a sec that your German ass is gonna piss off this Lugan, for my replies will ... how should I say it ... WILL DOMINATE YOUR FACE.  Shocked
Pages:
Jump to: