Pages:
Author

Topic: MCXNow Can See your passwords! REALSolid has access to all your Passwords - page 2. (Read 4754 times)

full member
Activity: 191
Merit: 100
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there

The password is encrypted server side, hence you can see it period.
hero member
Activity: 518
Merit: 500
Bitrated user: ahmedbodi.
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there
full member
Activity: 191
Merit: 100
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.
Zyl
newbie
Activity: 33
Merit: 0
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.
full member
Activity: 191
Merit: 100
Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.


Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.


Then you are a reporter the world does not need. Go find scandals that really are abuses, not things every site admin can do if he chooses so. You are only reporting this with the sole purpose of discrediting RealSolid. Why are you sol jealous>
member
Activity: 97
Merit: 10
Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.


Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.
hero member
Activity: 798
Merit: 1000
Which is why the web is not a good platform for important applications like financial apps.

Better would be client-side encryption where the server does not ever see your keys, like Open Transactions uses for example.

-MarkM-

I remember someone working on something like this for BTC. Something that ran locally in your browser, but interfaced with a remote site. Maybe I'm misremembering about exactly what it did, but I remember thinking it was pretty cool. Tongue dunno what became of it though.
full member
Activity: 227
Merit: 100
Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.
sr. member
Activity: 391
Merit: 333
I thought I'd chime in here.

#7 rule of the internet: Use unique passwords for anything remotely important. Especially places where you hold money. If you follow this rule, these claims are irrelevant to you.

Secondly, I'm not even sure if this is correct. As a developer, I have a bit of a conundrum over whether I would do this or not. Generally, I prefer simpler code, and plaintext is as simple as you can get for passwords. While it may put the users at risk if something is compromised, I would rather tell my users that they *must* use a unique password and let them deal with the consequences if they do not.

And off topic, MCXNow is an awesome exchange in my opinion.
member
Activity: 67
Merit: 10
Zyl - Since your leaving mcxNOW, I'll take your mcxFEE shares!  ;o)
newbie
Activity: 20
Merit: 0
oh  mg. thank your message.                               
Zyl
newbie
Activity: 33
Merit: 0
I was there. You were not.

Ask realsolid for a chat log of yesterday.
Or ask somebody who is using the API and possibly has a local log.
newbie
Activity: 53
Merit: 0
This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!


Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.


Cant 100% Verify that

But he admitted to entering the usernames/passwords of users at other sites to attempt to gain access. Whether or not it was to find the leak its a questionable practice
Zyl
newbie
Activity: 33
Merit: 0
This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!


Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.
full member
Activity: 244
Merit: 101
The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.



This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!
Zyl
newbie
Activity: 33
Merit: 0
The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.
sr. member
Activity: 308
Merit: 250
Have any screenshots of that?

I didn't think of it at the time. Go on chat and ask other users, they will remember.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"

Almost identical words to that, I don't remember their exact password though.


As someone who was there lurking when this happened, I'd like to offer a bit of context (though I have no screenshots).

The question was posed, "What site did the leaked passswords come from?"

The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

The conversation then went back and forth and it was mentioned multiple times that the passwords being attempted could be seen by the admin and consequently by users logging in (but only the first 4 letters and ****s). The group was making an effort using the passwords to try and determine which site the leaked database may have come from. These were NOT mcxNOW passwords, rather they were the passwords which were tried against mcxNOW.

I agree 110% that having unsalted plain text passwords on ANY site with $$ involved is MORONIC. However, I also agree that if you're dim enough to use a password that's not unique on ANY site with $$ involved you're asking for trouble. I'm not condoning nor defending RS or mcxNOW's site, I just thought for vitriol's sake I'd share. I don't see how its anyone but the user's fault if their passwords are the same; then again the troll box isn't really the best place to ctrl+v any passwords whatsoever.
Zyl
newbie
Activity: 33
Merit: 0
Have any screenshots of that?

I didn't think of it at the time. Go on chat and ask other users, they will remember.
Or request a chat log from RS for security reasons.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"
Almost identical words to that, I don't remember their exact password though.
full member
Activity: 210
Merit: 100
If you are using MCXnow, be very careful!  RealSolid and his cronies has access to all your password.  This came directly from his mouth in chat. 

So If you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

Why in the fuck would you use a non-unique password on any bitcoin site?

Exactly!
sr. member
Activity: 356
Merit: 250
If you are using MCXnow, be very careful!  RealSolid and his cronies has access to all your password.  This came directly from his mouth in chat. 

So If you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

do you know how computers work?
Pages:
Jump to: