Pages:
Author

Topic: Security bounties - page 3. (Read 167606 times)

administrator
Activity: 5222
Merit: 13032
November 16, 2017, 04:19:55 PM
#53
Added:

Extra bounties

These bounties use a separate system of calculation, but are subject to the same conditions as above.

- 1 XAU: Find the email address of user DefaultTrust and explain in detail how you did it.
hero member
Activity: 854
Merit: 503
|| Web developer ||
November 02, 2017, 03:16:06 AM
#52
I have sent Theymos a PM.
member
Activity: 350
Merit: 10
Global loyalty & rewards
October 24, 2017, 11:54:15 PM
#51
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. "Time-share" term was later appropriated by the vacation real-estate salesmen, so the computer salesmen renamed their "time-shares" to "cloud computing".

But the bullshit stayed the same.

You have a rich imagination.  Grin
member
Activity: 420
Merit: 13
October 14, 2017, 01:01:24 PM
#50
Bullshit offer.
If you are sincere in solving any security breach, you should seek paid professionals.
sr. member
Activity: 373
Merit: 262
September 17, 2017, 09:18:41 PM
#49
No exploit stopped by Cloudflare should ever get anywhere near affecting the forum, and any exploit that is stopped can almost certainly be done in some other way that won't be stopped.
Quote from: TradeFortress
In other words, give cloudflare the ability to MITM. Reverse proxy services should be seen as a a last resort, and all cloudflare's WAF will do is stop basic SQL injection, XSS, etc.
These people really seem to know what they're doing, and theymos keeps doing it despite stupid comments from people who blurt out whatever without doing any research about what they're talking about. It's nice to be on a forum that's so well run.
full member
Activity: 228
Merit: 100
October 11, 2016, 04:19:22 PM
#48
when will the Iron tank forum be released?
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
October 07, 2016, 07:22:53 PM
#47
In case you didn't notice Theymos ...
It would appear that the email harvesting from the 2015 hack, has recently put the forum email addresses from back then into spam lists.
https://bitcointalksearch.org/topic/forum-database-compromised-1635595

Looks like you need to up the bounties and/or find someone who can be rewarded them Smiley
administrator
Activity: 5222
Merit: 13032
October 05, 2016, 09:18:23 PM
#46
Mods don't have access to the server(s) that host bitcointalk, right?

They do not.
legendary
Activity: 1232
Merit: 1030
give me your cryptos
October 05, 2016, 08:37:27 PM
#45
Just asking regarding you mentioning mod-related vulnerabilities in the OP.

Mods don't have access to the server(s) that host bitcointalk, right? Only you and maybe Badbear?
legendary
Activity: 2128
Merit: 1073
November 28, 2015, 07:34:17 PM
#44
Are we really in 2015 ?! Tongue
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. ....
Some years off in that one...1970 was mostly punched cards.  I'd guess timeshared computer services maxed out in parallel with the first five or ten years of the PC.
Not in the USA and other relatively advanced economies. There the order was approximately:

196x) organization-owned mainframes
197x) shared rented mainframes (provider-owned)
198x) departmental minicomputers (back to organization-owned)
199x) personal computers (both organization-owned and individual-owned)

Also, I'm talking about broad industrial/commercial/academic trends, not about various niches.

Edit: added one more decade and ownership qualification

legendary
Activity: 2926
Merit: 1386
November 28, 2015, 01:47:51 PM
#43
Are we really in 2015 ?! Tongue
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. ....

Some years off in that one...1970 was mostly punched cards.  I'd guess timeshared computer services maxed out in parallel with the first five or ten years of the PC.
legendary
Activity: 2128
Merit: 1073
May 27, 2015, 10:34:18 AM
#42
Are we really in 2015 ?! Tongue
No, we are in a time-loop. We went back to about 1970 when the sales of "time-shared" computer services were at their highest. "Time-share" term was later appropriated by the vacation real-estate salesmen, so the computer salesmen renamed their "time-shares" to "cloud computing".

But the bullshit stayed the same.
full member
Activity: 238
Merit: 100
May 27, 2015, 04:55:29 AM
#41
>> Are you telling me decentralization is better for scalability/performance at this point? Def not. Also interesting you are first for keeping IPs private but now you want a P2P forum?

My previous post is a set of ideas for theymos to think about, while he studies PHP and that "new" Javascript ...  Shocked
He can pick something useful from it...
as he tries to stay behind of time and progress, he maybe will accept some ideas at least  Roll Eyes
So it looks eclectic and messed dish just bcoz i feed  conservators Tongue

>> Well for some people it's just about usability. But an optional option to only do (automatic, not manual like now) recovery by signing w/ a specific addy would be cool.

yes, would be nice to have different options for password recovery, tweakable in profile,
with safest option set on by default.

>> Not storing IPs def will be bad against spam / trolls / etc.

My point was : to store IPs and other sensitive info ( emails too ) in special separated storage, preferably in member's browser.
I did not say : "never store IPs !!!"

>> Seriously, "don't use passwords" is easier said than done.

Yes, not easy. But why cant we have a choice : power members can log in with keys, bitcoin addresses, good wishes etc AND just members can log in with passwords ?!
It can be done for sure.

>> Performance of decentralized forum software at this point will be very shit AFAIK.

the same will  be true for Epochtalk i guess. which is alfa, unaudited engine.
My point here was : if theymos will stuck with traditional approaches,
he will lose community due to aftermath of next hacks, social engineering "accidents" etc.
BTW we are now on Romania based hoster.
are romanian front desk guys safer when it comes to social engineering, than NL based ones ?! Tongue

Code:
SummaryIP Address	Root Domain	Hosting Provider
198.251.81.170 bitcointalk.org FranTech Solutions
Hosting Provider's DetailTitle Statistics
Country United States
Flag
City Cheyenne
ISP FranTech Solutions
Organization Voxility S.R.L.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
May 27, 2015, 03:43:18 AM
#40
i) invest in decentralised forum software, or some day such forum engine will become reality,
 but not under his control, written by other guys.Community will switch to it after next couple of hacks here.Theymos must be smart and proactive Smiley
Performance of decentralized forum software at this point will be very shit AFAIK. And usability probably bad too (gotta download client?)

ii) make sure to have auth of members without passwords ( maybe with bitcoin keys or other virtual identities ).
You want people to sign a message with a bitcoin address every time they login?

Seriously, "don't use passwords" is easier said than done. Login with Trezor Connect would be cool though. And 2FA should obv be option.

iii) never store hashes and IPs in Internet-hosted DB.
Not storing IPs def will be bad against spam / trolls / etc.

iiii) abolish email usage for passwords' recovery ( there are safer means of communication ).
Well for some people it's just about usability. But an optional option to only do (automatic, not manual like now) recovery by signing w/ a specific addy would be cool.

If Bitcointalk will stay centralised, what will happen when next bubble of greater adoption will arrive ??
How many members can bear 1 forum engine ( SMF or Epochtalk ) ??
Are you telling me decentralization is better for scalability/performance at this point? Def not. Also interesting you are first for keeping IPs private but now you want a P2P forum?



Not disagreeing with all points, but some things are easier said than done Wink
full member
Activity: 238
Merit: 100
May 27, 2015, 03:19:21 AM
#39
of course i was joking about dedicated server in basement.
such setup will have issues with load balancing and speed of connection likely.
also it will be stil centralised service.

If theymos wanna save his income and keep community here,
he should :

i) invest in decentralised forum software, or some day such forum engine will become reality,
 but not under his control, written by other guys.Community will switch to it after next couple of hacks here.Theymos must be smart and proactive Smiley

ii) make sure to have auth of members without passwords ( maybe with bitcoin keys or other virtual identities ).

iii) never store hashes and IPs in Internet-hosted DB.
     take a look : https://unhosted.org/

iiii) abolish email usage for passwords' recovery ( there are safer means of communication ).

iiiii) drop "security question checking" feature for password recovery.

If Bitcointalk will stay centralised, what will happen when next bubble of greater adoption will arrive ??
How many members can bear 1 forum engine ( SMF or Epochtalk ) ??

At least theymos should go to several federated servers for forums...
I am not sure what is the year right now for theymos and team ?!
Are we really in 2015 ?! Tongue
legendary
Activity: 1484
Merit: 1002
Strange, yet attractive.
May 27, 2015, 02:19:17 AM
#38
If I may, the main problem with security vulnerabilities is our lack to understand that most of them are based on breaking some very simple rules. For instance, anyone who has the ability to physically access my computer is -in theory- able to retrieve ANY password that I have stored inside my web-browser and/or key-chain. You may be now thinking "oh, this is not possible" but please take some time to use some good UN-delete software together with a web-browser password retriever utility and most probably you will get the job done in less than 10 mins. Brute forcing is another way, but will take more time.

@Theymos:
It's been sometime now that I thought about the possible attacks this (and similar) sites will get within the next BTC bubble. I expect this will get much worse. Restricting user access via Tor blocking (I know this will hurt me as well, because I'm using tor from my work to access the site) will definitely rule out some of the most significant attacks. Cloudflare is also a way, but I'd go for a dedicated person(s) service. You can hire one that you trust, most possible near where you live. This would've been the best case scenario I'd choose, if I were you.

Best of luck sorting this out.
full member
Activity: 238
Merit: 100
May 26, 2015, 02:09:36 AM
#37
Time for social engineering to be added as a valid attack?
to kill all "social engineers" theymos must host forums in his basement
 on dedicated server with fat connectivity.  Cool
Problem solved !
vip
Activity: 1316
Merit: 1043
👻
May 25, 2015, 08:49:39 PM
#36
Time for social engineering to be added as a valid attack?
newbie
Activity: 42
Merit: 0
March 25, 2015, 05:40:40 AM
#35
Do you release information about vulnerabilities once they're fixed, or is obscurity safer in this case?

Thanks !
member
Activity: 84
Merit: 10
November 16, 2014, 11:36:31 AM
#34
The only major flaw in this forum that I can see is that you are using SMF as your forum software. Can't wait until the new platform arrives.
Pages:
Jump to: