Topic: TradeFortress(aka $username): Trust Abuse (Read 1973 times)
I lost 3 BTC to him, and got IIRC 0.3 BTC back. Don't remember the exact numbers or date.
copy and pasted a feedback i sent, added a sentence to make it appear as if it was about me and posted it on my profile
the sent feedback posted by me on ekrem's trust profile:
tradefortress's feedback posted on my profile:
User drippx also did the same thing, copying a feedback i left on his profile and then pasting it back on mine:
the sent feedback posted by me on ekrem's trust profile:
tradefortress's feedback posted on my profile:
User drippx also did the same thing, copying a feedback i left on his profile and then pasting it back on mine:
Regarding this feedback in question, I copy pasted that thinking you were trying to hack someone else. Didn't read much, I'll remove it.
Thanks for being honest and addressing my question. I will remove mine as well.
It's pretty funny watching people get almost everything wrong.
[email protected] had 2FA, but it was set up to forward all emails to [email protected]. I set it up previously and forgot I had to forwarding on. The hacker only needed to reset [email protected].
And yes, I had 2FA on the linode, but they were able to get in via Lish which did not ask for 2FA at that time (still not sure if it does).
[email protected] had 2FA, but it was set up to forward all emails to [email protected]. I set it up previously and forgot I had to forwarding on. The hacker only needed to reset [email protected].
And yes, I had 2FA on the linode, but they were able to get in via Lish which did not ask for 2FA at that time (still not sure if it does).
Welcome back.
Indeed. Maybe things can move on now.
It's pretty funny watching people get almost everything wrong.
[email protected] had 2FA, but it was set up to forward all emails to [email protected]. I set it up previously and forgot I had to forwarding on. The hacker only needed to reset [email protected].
And yes, I had 2FA on the linode, but they were able to get in via Lish which did not ask for 2FA at that time (still not sure if it does).
[email protected] had 2FA, but it was set up to forward all emails to [email protected]. I set it up previously and forgot I had to forwarding on. The hacker only needed to reset [email protected].
And yes, I had 2FA on the linode, but they were able to get in via Lish which did not ask for 2FA at that time (still not sure if it does).
Welcome back.
copy and pasted a feedback i sent, added a sentence to make it appear as if it was about me and posted it on my profile
the sent feedback posted by me on ekrem's trust profile:
tradefortress's feedback posted on my profile:
User drippx also did the same thing, copying a feedback i left on his profile and then pasting it back on mine:
the sent feedback posted by me on ekrem's trust profile:
tradefortress's feedback posted on my profile:
User drippx also did the same thing, copying a feedback i left on his profile and then pasting it back on mine:
Regarding this feedback in question, I copy pasted that thinking you were trying to hack someone else. Didn't read much, I'll remove it.
It's pretty funny watching people get almost everything wrong.
[email protected] had 2FA, but it was set up to forward all emails to [email protected]. I set it up previously and forgot I had to forwarding on. The hacker only needed to reset [email protected].
And yes, I had 2FA on the linode, but they were able to get in via Lish which did not ask for 2FA at that time (still not sure if it does).
[email protected] had 2FA, but it was set up to forward all emails to [email protected]. I set it up previously and forgot I had to forwarding on. The hacker only needed to reset [email protected].
And yes, I had 2FA on the linode, but they were able to get in via Lish which did not ask for 2FA at that time (still not sure if it does).
And you lost me 
__call() allows you to catch calls to a non existing class method and reroute them, perhaps to a parent method or child property method
so if you called a non existent function from inside of __call() you would be calling the function recursively until the memory is exhausted (stack overflow)
Commonly, it would be used for uniting multiple objects under a common interface, to prevent scoping problems in a large project, but still separating concerns of each class/library.
Here's an example:
Code:
namespace App;
class App
{
private $slim; // slim is only accessible from \App\App
function __construct( $slim )
{
$this->slim = $slim;
}
// hmm, now i want to call a slim function but have no way to do so because slim is private
// __call() to the rescue!
public function __call($name, $args = false)
{
if(method_exists($this->slim,$name)){
if($args)
return call_user_func_array( [$this->slim,$name] , $args);
else
return call_user_func( [$this->slim,$name] );
}
// if we made it here, no method exists. lets call our logger function
$this->loggerr(); // notice the typo. infinite recursion results because you are recursively calling __call()
}
public function logger()
{
// something bad happened
throw new \exception('potato');
}
}
=snip=
He isn't even posting from his TF account anymore.
=snip=
He isn't even posting from his TF account anymore.
=snip=
AFAIK it is same account. He changed username/display name to $username.
I feel like I'm implied here? Am I wrong?
Sorry, I thought you meant he was doing a coding job for me when you said: advertising some kind of coding services potentially in a paid signature campaign. I read 'in' as 'for'.
Nevermind!
Although the person who you hired to code your bot has questionable ethics at best so I hope you were able to audit how it works personally.
This belongs elsewhere but please PM me how so.
And you lost me
I suppose its not terrible for functional programming. I've certainly made similar mistakes.
Functional programming?
The code shown above is clearly procedural programming and not spotting such a potentially obvious divide by zero error is "rookie" at best.
I got the terminology mixed up, but yeah, it is a rookie mistake. like calling an non existing function inside of __call()
I suppose its not terrible for functional programming. I've certainly made similar mistakes.
Functional programming?
The code shown above is clearly procedural programming and not spotting such a potentially obvious divide by zero error is "rookie level" at best.
I suppose its not terrible for functional programming. I've certainly made similar mistakes.
What happened with Hashie?
FireHashers were priced according to it's expected output.
We used Blockchain.info's simple query API to get the current difficulty.
In normal circumstances: Expected earnings = Payout - Maintenance Fee
Unfortunately, for approximately 30 minutes Blockchain.info returned 0 as the network difficulty. $globalHashrateGH became 0. In the next line, that's used to divide -- resulting in a division by zero error. The payout was calculated to be 0.
With the payout 0, the expected earnings was negative. The FireHashers were priced at expected earnings * discount. Since the expected earnings was negative, the price was negative. People could buy negatively priced FireHashers, and when they purchased it, it would actually add to their balance. Users were able to withdraw the fake balances.
We lost a total of around 90 BTC due to this bug. Since we mainly sold AMHash, our margins were very low and we absolutely could not cover 90 BTC and had to shut down. We only recovered minimal amounts (thanks to those that did send us the coins back).
What have we learned?
(1) Sanity check data sources and throw error if there's an unexpected value.
(2) Sanity check purchasing and make sure the price is always >0.
(3) Code review -- being the solo developer isn't the best idea for a bitcoin project.
I plan on launching a few new bitcoin projects in the future (many interesting ideas
), so if you're a web developer who is interested in working together (development, code review, sysadmin, etc) in upcoming projects for equity, contact [email protected].
Don't worry, I'm not touching cloud mining, or web wallets, or lending, ever again.
~ https://hashie.co/letitgo.ogg
-Queen Elsa
FireHashers were priced according to it's expected output.
Code:
function fh_estimate($hashpower, $days){
$difficulty = getDifficulty();
$btcusd = getBTCUSD();
$globalHashrateGH = $difficulty * 0.007158388055;
$oneTHPorion = 1000 / $globalHashrateGH;
$bitcoinPerHourPerTH = 25 * 6 * 24; // 25 BTC * 6 blocks * 24 hours
$payoutPerTH = floor($oneTHPorion * $bitcoinPerHourPerTH * 100000000) / 100000000;
$btcusd = getBTCUSD();
$feePerHour = ceil(((0.002 * 1 * 1000) / $btcusd) * 100000000) / 100000000;
$payoutPerTH -= $feePerHour;
$ret = $payoutPerTH * ($hashpower / 1000) * $days;
return $ret;
}
$difficulty = getDifficulty();
$btcusd = getBTCUSD();
$globalHashrateGH = $difficulty * 0.007158388055;
$oneTHPorion = 1000 / $globalHashrateGH;
$bitcoinPerHourPerTH = 25 * 6 * 24; // 25 BTC * 6 blocks * 24 hours
$payoutPerTH = floor($oneTHPorion * $bitcoinPerHourPerTH * 100000000) / 100000000;
$btcusd = getBTCUSD();
$feePerHour = ceil(((0.002 * 1 * 1000) / $btcusd) * 100000000) / 100000000;
$payoutPerTH -= $feePerHour;
$ret = $payoutPerTH * ($hashpower / 1000) * $days;
return $ret;
}
We used Blockchain.info's simple query API to get the current difficulty.
In normal circumstances: Expected earnings = Payout - Maintenance Fee
Unfortunately, for approximately 30 minutes Blockchain.info returned 0 as the network difficulty. $globalHashrateGH became 0. In the next line, that's used to divide -- resulting in a division by zero error. The payout was calculated to be 0.
With the payout 0, the expected earnings was negative. The FireHashers were priced at expected earnings * discount. Since the expected earnings was negative, the price was negative. People could buy negatively priced FireHashers, and when they purchased it, it would actually add to their balance. Users were able to withdraw the fake balances.
We lost a total of around 90 BTC due to this bug. Since we mainly sold AMHash, our margins were very low and we absolutely could not cover 90 BTC and had to shut down. We only recovered minimal amounts (thanks to those that did send us the coins back).
What have we learned?
(1) Sanity check data sources and throw error if there's an unexpected value.
(2) Sanity check purchasing and make sure the price is always >0.
(3) Code review -- being the solo developer isn't the best idea for a bitcoin project.
I plan on launching a few new bitcoin projects in the future (many interesting ideas
), so if you're a web developer who is interested in working together (development, code review, sysadmin, etc) in upcoming projects for equity, contact [email protected].Don't worry, I'm not touching cloud mining, or web wallets, or lending, ever again.
~ https://hashie.co/letitgo.ogg
-Queen Elsa
it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.
That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he's entitled to the rest of the funds because he invested so much time into building the website.
If you ignore all the issues about his story how he got hacked there is still the issue that he had way too much money stored in the hot wallet and IIRC he was hacked right around the time that TF had increased the size of the hot wallet in order to prevent people from having to wait for withdrawing
Plus he didn't learn from his mistake and did it again with hashie.co - he had too much in the hot wallet. His code introduced an exploit and he put too much in the hot wallet, extremely negligent on his part even if he was really hacked.
It would be great if we could get a sample of his code to go over.. just a thought
it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.
That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he's entitled to the rest of the funds because he invested so much time into building the website.
If you ignore all the issues about his story how he got hacked there is still the issue that he had way too much money stored in the hot wallet and IIRC he was hacked right around the time that TF had increased the size of the hot wallet in order to prevent people from having to wait for withdrawing
Plus he didn't learn from his mistake and did it again with hashie.co - he had too much in the hot wallet. His code introduced an exploit and he put too much in the hot wallet, extremely negligent on his part even if he was really hacked.
He claimed that he had to increase the size of the hot wallet due to one customer that was regularly washing large amounts of Bitcoin via inputs.io.
it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.
That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he's entitled to the rest of the funds because he invested so much time into building the website.
If you ignore all the issues about his story how he got hacked there is still the issue that he had way too much money stored in the hot wallet and IIRC he was hacked right around the time that TF had increased the size of the hot wallet in order to prevent people from having to wait for withdrawing
it is possible it was someone who knew TF in RL and knew that he was involved in those projects and was able to use social engineering to get the personal information that he had used on the accounts. Fake personal information is often not the actual identity of the person but the name/details often have some connection to the person.
That... or he's just lying. To make things worse inputs.io was not the last website TF launched that lost all it's users funds, there was also hashie.co which was also hacked just a few months ago, though I suspect that hack was real but TF admits himself the hacker didn't take all of the BTC but claims he and his partners are entitled to the rest of the funds because he invested so much time into building the website.
yeah......... in any case I think we should let lawyers figure the full story out at this stage.
There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/
The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.
http://sakurity.com/blog/2015/03/15/authy_bypass.html/
The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.
[email protected] had 2FA enabled very shortly after the hack because I checked if it was enabled by trying to reset the password and it wouldn't let me use the normal "open-an-email-and-click-on-a-link" way of resetting the password due to 2FA being enabled, though it was possible to reset it anyway by filling out a form with personal info (it is a Google account). It's possible TF had just turned 2FA on after the hack, but I actually tracked down and spoke to a hacker who had checked out possible ways of hacking TF a few months prior to the hack (I originally thought this person may have been the actual hacker) and he told me that 2FA was enabled on that account a few months prior to the hack. It was a Google account, so a 2FA bypass is highly unlikely as it's both google and Linode that were allegedly bypassed and TF was "anonymous" so a person being able to guess the accounts personal info (which were likely fake) would be very difficult, so I don't see how the hacker overcame all of this, and I think it was a part of the story that TF didn't properly consider.
There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/
The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.
http://sakurity.com/blog/2015/03/15/authy_bypass.html/
The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.
[email protected] had 2FA enabled very shortly after the hack because I checked if it was enabled by trying to reset the password and it wouldn't let me use the normal "open-an-email-and-click-on-a-link" way of resetting the password due to 2FA being enabled, though it was possible to reset it anyway by filling out a form with personal info (it is a Google account). It's possible TF had just turned 2FA on after the hack, but I actually tracked down and spoke to a hacker who had checked out possible ways of hacking TF a few months prior to the hack (I originally thought this person may have been the actual hacker) and he told me that 2FA was enabled on that account a few months prior to the hack. It was a Google account, so a 2FA bypass is highly unlikely as it's both google and Linode that were allegedly bypassed and TF was "anonymous" so a person being able to guess the accounts personal info (which were likely fake) would be very difficult, so I don't see how the hacker overcame all of this, and I think it was a part of the story that TF didn't properly consider.
Yes all of the logs are conveniently gone, TF never even took a backup of the inputs.io private keys or database from what i can tell, and never produced any server logs of the hack, nor gave much specific details about the hack other than the hacker used the unix command midnight commander to transfer stolen data to a hacked server, if he knew that he must've had other logs at the time and it is strange he did not keep those.
Supposedly, what had happened was that someone was able to dupe a Linode customer service rep into giving them access to the server's in browser tty shell. That's the story i was given.
Not exactly, allegedy what happened is the hackers hacked the email address [email protected] due to password reuse. This email address was a recovery email address for another account, which IIRC was [email protected]. Once they accessed this account, the hacker then allegedly reset the Linode password and somehow bypassed the 2FA on the linode account.
That is exactly what happened with another site Bitcoinica which was hacked 3 times in 2012, same hosting company and all, and Bitcoinica was also owned by an Australian:
https://bitcointalksearch.org/topic/bitcoinica-lost-43554-btc-from-linode-compromise-suspicious-txids-publicized-66979
in fact TF was even warned not to use this host for this reason many times by many people and ignored all of them.
It is very possible that it is a coincidence, but this also could've been planned.
There is one small detail that does not make sense however. The part about how th linode 2FA was bypassed was basically skipped over in his explanation, and also the account [email protected] had 2FA enabled too, so I don't know how the account password could be reset without turning off 2FA, and TF never mentioned how that was done either, in fact he never mentioned he had 2FA enabled on this account at all when he in fact did.
Hmmm.. thanks for this short version, I will read also the Bitcoinica hack.
He also told everyone (at least when I deposited) that all deposits were backup up with assets in AsicMiner and other securities and that if a hacked occurred, he would reimburse those affected.
I think nobody has never received anything backwards, or am I wrong?
He had made a few deals with individuals with larger balances where they received a portion of their deposits back, but thats about it. Instead, he kept all the shares of AsicMiner and other securities for himself, instead of reimbursing those that he screwed over. (and with AM going under that is now worthless as well).
I think he never will repay back all the affected customers, too much scam due the related bitcoin service (but the fault it is not all of the customers).
There was recently a flaw in (I think it was) authy that was patched where someone could enter a certain command into the box where you enter the 2fa code that allowed people to bypass 2fa. I know that the issue affected coinbase. So it is possible that the attacker used the same exploit. See the below article
http://sakurity.com/blog/2015/03/15/authy_bypass.html/
The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.
http://sakurity.com/blog/2015/03/15/authy_bypass.html/
The fact that the same hosting company was used certainly makes it look like that the hack was staged as it makes it so he was able to give a easy explanation as to what happened. At this point it would really not be possible to prove anything either way because any logs related to the hack would have been deleted/overwritten by now as the hosting was no longer paid for after the hack. So any records are likely gone.
I have heard about this exploit, most probable was used to bypass the two factor authentication.
Jump to: