Quite an interesting (and sad) read:

https://news.bitcoin.com/looting-fox-sabotage-shapeshift/

Post a reply to this message

> Quite an interesting (and sad) read:
>
> https://news.bitcoin.com/looting-fox-sabotage-shapeshift/
>

So a company that wants to handle currency can't even set a secure network.

CISSPs are a dime a dozen and will work for food scraps.  There is no 
excuse.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }

Post a reply to this message

Am 26.04.2016 um 03:34 schrieb Francois Labreque:

>> Quite an interesting (and sad) read:
>>
>> https://news.bitcoin.com/looting-fox-sabotage-shapeshift/
>>
> 
> So a company that wants to handle currency can't even set a secure network.
> 
> CISSPs are a dime a dozen and will work for food scraps.  There is no
> excuse.

Every hacker attacking Bitcoin or other "blockchain assets" is a good
hacker in my book.

From an ecological point of view the Bitcoin concept is absolutely
braindead, as the underlying security concept _inevitably_ leads to a
fast-paced arms race to waste more and more computing power (and hence
energy).

It is also braindead from a point of view of general IT security, as the
arms race is _exclusively_ for _anti-cryptography_ tools (as opposed to
the typical asymmetric admin-vs-hacker arms race). So for the safety of
their digital currency, the Bitcoin community is heavily and constantly
investing into the research for tools that, by their very design,
ultimately jeopardize the safety of all other digital assets.

Post a reply to this message

> Am 26.04.2016 um 03:34 schrieb Francois Labreque:

>>> Quite an interesting (and sad) read:
>>>
>>> https://news.bitcoin.com/looting-fox-sabotage-shapeshift/
>>>
>>
>> So a company that wants to handle currency can't even set a secure network.
>>
>> CISSPs are a dime a dozen and will work for food scraps.  There is no
>> excuse.
>
> Every hacker attacking Bitcoin or other "blockchain assets" is a good
> hacker in my book.
>
>  From an ecological point of view the Bitcoin concept is absolutely
> braindead, as the underlying security concept _inevitably_ leads to a
> fast-paced arms race to waste more and more computing power (and hence
> energy).
>
> It is also braindead from a point of view of general IT security, as the
> arms race is _exclusively_ for _anti-cryptography_ tools (as opposed to
> the typical asymmetric admin-vs-hacker arms race). So for the safety of
> their digital currency, the Bitcoin community is heavily and constantly
> investing into the research for tools that, by their very design,
> ultimately jeopardize the safety of all other digital assets.
>

I wasn't commenting on the cryptocurrency aspect.  Simply on the fact 
that they were trying to run an online service without having the first 
clue about how to manage a secure operation.

. Very lax user ID management policies ("Bob" had root access on the 
production servers without having to "sign out" the root password, every 
time he used it.)

. Auth logs were not installed (or not paranoid enough) on the 
production servers, so they could se he logged on, but could not see 
what he did.

. "Bob" was able to install RDP on Greg's laptop, which means Greg 
didn't have a screen saver, and RDP into their office network was not 
blocked at the firewall.  It also means that no body found it strange 
that "Bob" sat down at Greg's desk for 15 minutes and used his laptop...

. They had just been hacked, and moved to a new web hosting company and 
simply copied their code over to the new place... carrying the backdoor 
with them, instead of re-installing from scratch.  (This being said, 
with Greg's laptop being compromised, even if they had reinstalled from 
scratch, Either "Bob" or "Rovion" would have been able to reinstall 
their backdoor on the new servers).

. They also went back online while forgetting to enable logging at the 
new place... so the hacker was able to steal more stuff without being 
tracked.  (You just lost $130,000.  Take the time to do things 
properly...  You don't want a repeat occurence, but since someone will 
invariably try again, you want to be able to catch them that time.  As 
the saying goes, "Fool me once, shame on you.  Fool me twice, shame on me!")

And probably a bunch of other things that would make anyone with an IT 
security background cringe.

You can't realistically expect to spin up a few VMs on Microsoft Azure 
or Amazon AWS, and run a monetary exchange service with a team of 4 
developpers, one server guy, and a CEO who runs around yapping about 
"DevOps" and "Minimum viable product" and other assorted AGILE 
buzzwords, while admitting he has no idea how any of this works.

Banks have been in the business of expecting everyone to be a crook for 
hundreds of years, there's a reason for it: online banking is SRS BZNS.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }

Post a reply to this message