так Phishing или Fishing?
Personal information fISHING - выуживание личной информации 
Topic: [UPD: взяли еще 24 ч, откроется 25 июня] MtGox откроется з
 (Read 7798 times)
Мне тоже пришло такое письмо. Не переходите по ссылкам. Уже сообщил об этом в МтГокс.
массовая рассылка писем, которые побуждают пользователей выдать их личную инфу ведь и есть рыбался, то есть fishing
Quote
Фи́шинг (англ. phishing, от fishing — рыбная ловля, выуживание
википедия жеж есть)
так Phishing или Fishing?
Quote
Фишинг — одна из разновидностей социальной инженерии, основанная на незнании пользователями основ сетевой безопасности: в частности, многие не знают простого факта: сервисы не рассылают писем с просьбами сообщить свои учётные данные, пароль и прочее.
Phishing?
что это?
Как проходит восстановление?
Я выбираю" LR account" пишу номер аккаунта
Потом жму submit proof
После, при необходимости, я выбираю, допустим, "other information" и пишу все что поможет подтвердить что я вляделец.
При необходимости добавляю еще несколько полей
После чего жму "submit my reauest now"?
Я выбираю" LR account" пишу номер аккаунта
Потом жму submit proof
После, при необходимости, я выбираю, допустим, "other information" и пишу все что поможет подтвердить что я вляделец.
При необходимости добавляю еще несколько полей
После чего жму "submit my reauest now"?
Phishing?
хм, с MtGox прислали мне письмо с кодом для восстановления пароля, типа я запрос на восстановление делал, хотя я ничего не делал... хм хм 
уже дней 5 жду восстановления пароля.
ни отказа ни пожтверждения нет.
ни отказа ни пожтверждения нет.
Я ждал 6 дней.. 
видимо пора писать на мыло им...
Написал вчера - ни ответа ни привета. Сегодня ушел на TradeHill.
видимо пора писать на мыло им...
уже дней 5 жду восстановления пароля.
ни отказа ни пожтверждения нет.
ни отказа ни пожтверждения нет.
С btcex и TH все в порядке. Странно.
Действительно странно, что совершенно разные и не связанные между собой сайты ведут себя по разному. Очень, очень странно.
С btcex и TH все в порядке. Странно.
Действительно странно, что совершенно разные и не связанные между собой сайты ведут себя по разному. Очень, очень странно.
И еще по поводу задержек.
Страшно тормозит вебинтерфейс, скрипты апишки через браузер выполняются, а торговый робот зависает на обновлении тикера.
С btcex и TH все в порядке. Странно.
Страшно тормозит вебинтерфейс, скрипты апишки через браузер выполняются, а торговый робот зависает на обновлении тикера.
С btcex и TH все в порядке. Странно.
Вывод работает. 110$ на LR получены без проблем с обычной задержкой.
насчет "работает" есть сомнения
Сами проверяли? XSS, SQL Injecion и другие способы пролезть куда-то далее вебинтерфейса? 
Так ведь сайт уже работает и вполне себе не тормозит.
насчет "работает" есть сомнения
Quote
I'm a programmer and from what I've heard and seen it looks like software behind MtGox is piece of shit not suitable for production.
It is one thing when security vulnerabilities are caused by rare bugs in code, and completely another thing when they are caused by negligence and disrespect to common practices.
CSRF: Every form in every web application is by default vulnerable. Thus any professional web developer should be aware of CSRF problems (otherwsie EVERY application he works on will be vulnerable) and should take corrective measures. Which are simple, by the way: just check goddamn referrer! So if you see CSRF somewhere then either this is a sloppy coding or sheer lack of professionalism.
SQL injections. They are not officially confirmed by MtGox, but people on irc claim that there were SQL injection problems (SQLi). This, again, shows that developers are lame because SQLi is a very serious issue but it is easily preventable: if you use parametrized queries/prepared statements and never modify queries themselves then SQL injections are simply not possible at all.
Same thing XSS: if you use a templating engine like Smarty in PHP then XSS is not possible because it will 'escape' everything automatically. Naked PHP is very vulnerable, but people should know they are not supposed to build sites like they were 10 years ago.
It looks like their trading software sucks. I've looked through a websocket API log at time of that large sell-off. Oh my... Yes, there was one large order to sell 500k BTC. I would expect that it would instantly fill it with existing bids (>= 0.01) and show current price with 0.01. But, now, it was slowly filling that huge-ass order for 36 motherfucking minutes, and it was not showing that 0.01 is the current price, so people had no idea of what is going on. (But this information was available through websocket feed.)
Normally exchanges have automatic 'circuit breakers' -- if price goes too low trading automatically stops. If that was a case with MtGox we would have none of the mess if it would halt right after filling that huge-ass order: it would be easy to undo the damage and people would have no chance so withdraw.
It was reported that withdrawal limit (no more than $1000 worth of BTC per day) was not properly implemented: a) you could withdraw more if you would do it many times per day; b) it takes current market price to estimate threshold for bitcoin withdrawal. If there is no smoothing/averaging it is vulnerable to 'large sell-off' attacks.
Looking through websocket feed logs I've noticed that prices are sometimes represented as floats and sometimes as strings. E.g. 0.01 and "0.01". This means that there is some weak-typed fun going on inside and it can be a serious source of bugs. I think that weakly typed languages like PHP SHOULD NOT be used for financial software. Ideally it should be implemented in strongly and statically-typed language like Java.
In their official announcement they said that account balances were very wrong. This indicates serious bugs or SQLi at work.
So it was not an isolated incident, software is simply full of bugs and is written in a sloppy manner. Any half-competent team would not allow software of this quality to be used in production: they would stop site and bring it back only when it is fixed.
Thus it looks like team behind MtGox is either extremely incompetent, or greedy, or both.
It is one thing when security vulnerabilities are caused by rare bugs in code, and completely another thing when they are caused by negligence and disrespect to common practices.
CSRF: Every form in every web application is by default vulnerable. Thus any professional web developer should be aware of CSRF problems (otherwsie EVERY application he works on will be vulnerable) and should take corrective measures. Which are simple, by the way: just check goddamn referrer! So if you see CSRF somewhere then either this is a sloppy coding or sheer lack of professionalism.
SQL injections. They are not officially confirmed by MtGox, but people on irc claim that there were SQL injection problems (SQLi). This, again, shows that developers are lame because SQLi is a very serious issue but it is easily preventable: if you use parametrized queries/prepared statements and never modify queries themselves then SQL injections are simply not possible at all.
Same thing XSS: if you use a templating engine like Smarty in PHP then XSS is not possible because it will 'escape' everything automatically. Naked PHP is very vulnerable, but people should know they are not supposed to build sites like they were 10 years ago.
It looks like their trading software sucks. I've looked through a websocket API log at time of that large sell-off. Oh my... Yes, there was one large order to sell 500k BTC. I would expect that it would instantly fill it with existing bids (>= 0.01) and show current price with 0.01. But, now, it was slowly filling that huge-ass order for 36 motherfucking minutes, and it was not showing that 0.01 is the current price, so people had no idea of what is going on. (But this information was available through websocket feed.)
Normally exchanges have automatic 'circuit breakers' -- if price goes too low trading automatically stops. If that was a case with MtGox we would have none of the mess if it would halt right after filling that huge-ass order: it would be easy to undo the damage and people would have no chance so withdraw.
It was reported that withdrawal limit (no more than $1000 worth of BTC per day) was not properly implemented: a) you could withdraw more if you would do it many times per day; b) it takes current market price to estimate threshold for bitcoin withdrawal. If there is no smoothing/averaging it is vulnerable to 'large sell-off' attacks.
Looking through websocket feed logs I've noticed that prices are sometimes represented as floats and sometimes as strings. E.g. 0.01 and "0.01". This means that there is some weak-typed fun going on inside and it can be a serious source of bugs. I think that weakly typed languages like PHP SHOULD NOT be used for financial software. Ideally it should be implemented in strongly and statically-typed language like Java.
In their official announcement they said that account balances were very wrong. This indicates serious bugs or SQLi at work.
So it was not an isolated incident, software is simply full of bugs and is written in a sloppy manner. Any half-competent team would not allow software of this quality to be used in production: they would stop site and bring it back only when it is fixed.
Thus it looks like team behind MtGox is either extremely incompetent, or greedy, or both.
странно.. не логинится.. не под ie не под хромом... пробовал ретрайв сделать тоже ничего не приходит 
Jump to: