Pages:
Author

Topic: Shapeshift: Security by nature insecure "I personally trained their staff." - page 2. (Read 1725 times)

legendary
Activity: 2604
Merit: 1036
Damn I read the whole story about Bob and his adventures at the ShapeShift office yesterday and it seems to me Erik Voorhees is the only person to blame for these hacks. He hired a compromised server 'expert' with priors to his name and yet didn't do anything to stop this nuisance as early as possible I mean if they noticed something was off with this guy why didn't they just shut down the whole operation and apprehend Bob on the spot after all a lot of money is involved in this scam. And that paying off of hackers to get additional info just shows how inept the ShapeShift employees are in figuring out what had happened themselves. I suggest everyone to read 'Looting of the Fox The Story of Sabotage at ShapeShift' it makes for a very entertaining read.
newbie
Activity: 42
Merit: 0
I spent years as a full time professional poker player.

That was before you were born again in Satoshi's holy name, I hope?
Satoshi saith unto him, I am the way, the truth, and the life: no man cometh unto the Szabo, but by me.

sr. member
Activity: 532
Merit: 251
I spent years as a full time professional poker player.  When you say to me security means limiting probability I think ACTUALLY numbers.  Not religious belief.  If you tell me there is a 5% or 20% or 95% chance something will get hacked, I can tell you if it is secure or not based on the economics.  Based on tangible things.  If this cannot be done, if you do not have enough information, there is no claim for security.

The other type of security, is snake-oil.  My "new word" is accurate.  Security isn't a guess, and neither Satoshi nor Szabo espouse such ridiculous retoric.
legendary
Activity: 4410
Merit: 4766

nothing is ever 100% unbreakable

It doesn't mean it can't be theoretically, conjecturally, and practically secure. This is what Satoshi taught us.  Otherwise you and others need to confess to everyone that bitcoin is by nature not secure whether theoretically, conjecturally, and practically.

You (they) do NOT, as a business provider of security, get to say, we fucked big time, we got hacked, we had a massive security exploit exploited...BUT we are still secure as always and even more so.

your definition is so twisted..

bitcoin is secure.. because "secure" doesnt mean 100% guaranteed unbreakable. it just means safe enough to use with a low enough risk that you can trust it for most purposes.

but if you want proof that bitcoin is not 100% guaranteed unbreakable. here are some keywords
rejects
orphans
forks
bugs

bitcoin still has these issues. but the effect they have on the user is so small that economically its not a big enough deal to cause issues. and when it does cause issues its usually sorted quite quick.

(im guessing the phrase of the week for you is "snake oil". you seem to use it alot, but for the wrong reasons)

saying something is 100% unbreakable.. is the snake oil...
saying something is secure, but not 100% guaranteed, is being morally honest
sr. member
Activity: 532
Merit: 251

nothing is ever 100% unbreakable

It doesn't mean it can't be theoretically, conjecturally, and practically secure. This is what Satoshi taught us.  Otherwise you and others need to confess to everyone that bitcoin is by nature not secure whether theoretically, conjecturally, and practically.

You (they) do NOT, as a business provider of security, get to say, we fucked big time, we got hacked, we had a massive security exploit exploited...BUT we are still secure as always and even more so.

That's snake oil.

We are to be providing effective security solutions, that are admittedly secure for their purpose, not admittedly insecure.

Do we remember what bitcoin is?  Can we at least admit its "practically" secure, as in the "useful" sense?

I am not confused here, I know what we are arguing about and why.

Let me ask, how secure is shapeshift?  If security is a gradient, then what level is it at.  If I ask you from 1 to 10, what number will you give me?  Let's save time.  You can't give me a metric.  You might say "Well this exchange is far less secure".  

Security in the context you and Eric present, is public relations, and public concern management.  His blog is a narrative, and he was too focused on deception to see how obviously bad PR it is.

Who told you their model is secure?  How do we know this?  There is no claim here.  The staff is incompetent and insecure and they built the model and hired a criminal.  What could possibly be arguing me about?
legendary
Activity: 4410
Merit: 4766

secure, does not mean irradicate issues. it just means reduce chances.
No it doesn't. that is snake oil you have been sold.  Security in the context you present, means to reduce the probability so the expected value is lower than the cost of stealing. THAT is effective security.  I don't know if you understand what I say.  I don't know if I say it well.  But this is clearly what Vorhees and crew doesn't get, and clearly what has been inherited by far too much of the community.

Lowering a probability of a catastrophe is not a claim to security.

i think your saying it wrong..

eg:
Security in the context you present, means to reduce the probability so the expected value is lower than the cost of stealing. THAT is effective security.
eg:
Lowering a probability of a catastrophe is not a claim to security.

those were your own words..

security is about lowering probability and possibility of loss. shapeshift have done what they can to mitigate probability of customers losses, far more so then other altcoin exchanges.. could they go further and reduce risk of internal thefts of the admin fee stash the service keeps.. yes. but at what point is enough enough.

nothing is ever 100% unbreakable

sr. member
Activity: 532
Merit: 251

First and foremost: mind your manners, faggot.

Reported.  We all should be able to recognize ignorance. This posters position on security is wrong.
sr. member
Activity: 532
Merit: 251
Secure solutions that are extensions of bitcoin are supposed to be secure.  Your comments are silly and asinine, but your sentiments are identical to the cited person.  No more from you. You aren't knowledgeable on this subject. You are a product of this ignorant movement, that believes people should pay for insecure business models and solutions.  Insecurity is insecure.

Only a moron or a malicious actor would argue against this in Satoshi's forum.
newbie
Activity: 42
Merit: 0
.@traincarswreck

>so the expected value is lower than the cost of stealing. THAT is effective security.
Why would you say that? How would you even begin to evaluate the costs of "social engineering"? The cost of brute force attack (as in threaten you with a $5 wrench)?

>Lowering a probability of a catastrophe is not a claim to security
That's exactly what security means. Security is not a Boolean value, it's a gradient, from "totally insecure" to "almost 100% secure."

This is what these people did.  Satoshi and Szabo did not teach you this.  Bitcoin's primary security feature is that the cost of attacking the system outweighs the benefit.  

Quote
Security is not a Boolean value, it's a gradient, from "totally insecure" to "almost 100% secure."
This is why Titanic sunk.  did you train shapeshift staff?

You're confusing security of Bitcoin with security of services built on top of Bitcoin. Even if Bitcoin is 100% secure, it's only 100% secure if *people* never use it. As soon as you add meat to the equation, security is shot. Chain is only as strong as strong as its weakest link and all that Sad

Not sure what you mean re. "did (I) train shitshift staff." Explain pl0x.
sr. member
Activity: 532
Merit: 251
.@traincarswreck

>so the expected value is lower than the cost of stealing. THAT is effective security.
Why would you say that? How would you even begin to evaluate the costs of "social engineering"? The cost of brute force attack (as in threaten you with a $5 wrench)?

>Lowering a probability of a catastrophe is not a claim to security
That's exactly what security means. Security is not a Boolean value, it's a gradient, from "totally insecure" to "almost 100% secure."

This is what these people did.  Satoshi and Szabo did not teach you this.  Bitcoin's primary security feature is that the cost of attacking the system outweighs the benefit. 

Quote
Security is not a Boolean value, it's a gradient, from "totally insecure" to "almost 100% secure."
This is why Titanic sunk.  did you train shapeshift staff?
newbie
Activity: 42
Merit: 0
.@traincarswreck

>so the expected value is lower than the cost of stealing. THAT is effective security.
Why would you say that? How would you even begin to evaluate the costs of "social engineering"? The cost of brute force attack (as in threaten you with a $5 wrench)?

>Lowering a probability of a catastrophe is not a claim to security
That's exactly what security means. Security is not a Boolean value, it's a gradient, from "totally insecure" to "almost 100% secure."
hero member
Activity: 1302
Merit: 503
Leading Crypto Sports Betting & Casino Platform
Quote
How does a business that gets hacked get to claim they are STILL secure?
the power of marketing, makes the custumers still use their products or perhaps they provide secure stuff in the other side. imo
sr. member
Activity: 532
Merit: 251

secure, does not mean irradicate issues. it just means reduce chances.
No it doesn't. that is snake oil you have been sold.  Security in the context you present, means to reduce the probability so the expected value is lower than the cost of stealing. THAT is effective security.  I don't know if you understand what I say.  I don't know if I say it well.  But this is clearly what Vorhees and crew doesn't get, and clearly what has been inherited by far too much of the community.

Lowering a probability of a catastrophe is not a claim to security.
legendary
Activity: 4410
Merit: 4766
Do you mean to tell me that when Szabo says "secure all things", he means security is impossible and not achievable?

secure, does not mean irradicate issues. it just means reduce chances.

i agree that MANY MANY exchanges could do alot better.. the first being that there is no actual need of a hot wallet on the website server.

the wallet can be totally separate and even on multiple machines. and the web-server stores customer requests on a database. instead of processing the payments on the website. so that the separate machines read the 'order database'.

that way no private key will ever be on the same IP address as the website. the staff wont have access to the keys either.

but even it you fill the holes. no one should ever blindly presume that its "too big to fail".
newbie
Activity: 42
Merit: 0
Every day Erik spends on the outside is a win for him.
sr. member
Activity: 532
Merit: 251
Is this what we learned from Satoshi and Szabo that the purpose of security is insecurity?

That:

Quote from: Shapeshift Staff Secucurity trainer
All security solutions have "security leaks"

https://www.reddit.com/r/Bitcoin/comments/4g1t1l/erik_voorhees_looting_of_the_fox_the_story_of/d2dze28

How does a business that gets hacked get to claim they are STILL secure?  

I propose that an insecure security solution is not secure.  

nothing is every immortal, unbreakable, and guaranteed..

shapeshift however is not realy risking customers funds. because its not really a 'deposit and hold' wallet service ike other exchanges.. its a quick buy/sell platform that moves funds as soon as they get sufficient confirmations.

customers dont need a login or required tohold funds within the service long or short term. its a swap site not a store site.

so customers funds are at a very very very low risk, (only those who send funds in the few minutes of a hack would be delayed/affected)
Yes I understand this.  Now.  this is unfair of you imo.  Because reading your post, your sentiments, and your knowledge, it is quite clear to me that there is no way the explanation of the hacking and the incompetence of the company sits right with you. 

Quote
nothing is every immortal, unbreakable, and guaranteed..
These sentiments are snake oil ingredients from a company that offers security.  Bitcoin is theoretically, conjecturally, and practically secure.  All these things the alleged security expert says are not possible.

We are to be solving the problems in the way that EFFECTIVELY solve the security issues that we are presented with.  This is what Satoshi did.

Do you mean to tell me that when Szabo says "secure all things", he means security is impossible and not achievable?
legendary
Activity: 4410
Merit: 4766
Is this what we learned from Satoshi and Szabo that the purpose of security is insecurity?

That:

Quote from: Shapeshift Staff Secucurity trainer
All security solutions have "security leaks"

https://www.reddit.com/r/Bitcoin/comments/4g1t1l/erik_voorhees_looting_of_the_fox_the_story_of/d2dze28

How does a business that gets hacked get to claim they are STILL secure?  

I propose that an insecure security solution is not secure.  

nothing is every immortal, unbreakable, and guaranteed..

shapeshift however is not realy risking customers funds. because its not really a 'deposit and hold' wallet service ike other exchanges.. its a quick buy/sell platform that moves funds as soon as they get sufficient confirmations.

customers dont need a login or required tohold funds within the service long or short term. its a swap site not a store site.

so customers funds are at a very very very low risk, (only those who send funds in the few minutes of a hack would be delayed/affected)
sr. member
Activity: 532
Merit: 251
Unless it's one guy all alone then stuff like this is always gonna happen. That's a simple fact unless you recruit people who don't know what money is.
That is absolutely ridiculous to say, and it perfectly echoes Voorhees, I'm quite confident you learned if from people like that.  These people are selling snake oil.
legendary
Activity: 1288
Merit: 1087
Unless it's one guy all alone then stuff like this is always gonna happen. That's a simple fact unless you recruit people who don't know what money is.
sr. member
Activity: 532
Merit: 251
ShapeShift should have had a more stringent audit of their new employees before hiring them. I think it's a little harsh saying that the whole system is compromised when in reality there was 1 compromised person with ulterior motives who spoiled the party for everyone.
Do you find security in a business that doesn't give proper security audits on their security personal?  Erics blog said the person had MANY priors in another state.  Who recommend this person.  I'm going to hazard a guess here.  I think I should be paid by Vorhees to have heard it from me...the person that trained his whole staff and says that security is by nature insecure...that person, is the real leak...

The other thing, as I understand it, as they were confronting "bob" they let him literately sit in the same room and cover his tracks while they accused him. Apologies if I got that wrong, but as I understand it that is the truth, and that is insane to think about that shapeshift is still claiming competence for this.  Its just a PR move to write a blog and say "We can still claim with 100's of years of banking cannot".  You got hacked, you can no longer claim you didn't get hacked.

Quote
Do you think something like this can happen again if Erik finds other professionals with conscience this time around?
We both know there is a problem here.  This business is not an extension of bitcoin's secure nature.  It's an extension of our old banking system.  It's not secure by design, its admittedly insecure by design.

That's why it failed.  Thats why evoorhes won't respond.
Pages:
Jump to: