> Quite an interesting (and sad) read:
>
> https://news.bitcoin.com/looting-fox-sabotage-shapeshift/
>
So a company that wants to handle currency can't even set a secure network.
CISSPs are a dime a dozen and will work for food scraps. There is no
excuse.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
On 26.04.2016 at 03:34, Francois Labreque wrote:
>> Quite an interesting (and sad) read:
>>
>> https://news.bitcoin.com/looting-fox-sabotage-shapeshift/
>>
>
> So a company that wants to handle currency can't even set a secure network.
>
> CISSPs are a dime a dozen and will work for food scraps. There is no
> excuse.
Every hacker attacking Bitcoin or other "blockchain assets" is a good
hacker in my book.
From an ecological point of view the Bitcoin concept is absolutely
braindead, as the underlying security concept _inevitably_ leads to a
fast-paced arms race to waste more and more computing power (and hence
energy).
It is also braindead from a point of view of general IT security, as the
arms race is _exclusively_ for _anti-cryptography_ tools (as opposed to
the typical asymmetric admin-vs-hacker arms race). So for the safety of
their digital currency, the Bitcoin community is heavily and constantly
investing into the research for tools that, by their very design,
ultimately jeopardize the safety of all other digital assets.
> On 26.04.2016 at 03:34, Francois Labreque wrote:
>>> Quite an interesting (and sad) read:
>>>
>>> https://news.bitcoin.com/looting-fox-sabotage-shapeshift/
>>>
>>
>> So a company that wants to handle currency can't even set a secure network.
>>
>> CISSPs are a dime a dozen and will work for food scraps. There is no
>> excuse.
>
> Every hacker attacking Bitcoin or other "blockchain assets" is a good
> hacker in my book.
>
> From an ecological point of view the Bitcoin concept is absolutely
> braindead, as the underlying security concept _inevitably_ leads to a
> fast-paced arms race to waste more and more computing power (and hence
> energy).
>
> It is also braindead from a point of view of general IT security, as the
> arms race is _exclusively_ for _anti-cryptography_ tools (as opposed to
> the typical asymmetric admin-vs-hacker arms race). So for the safety of
> their digital currency, the Bitcoin community is heavily and constantly
> investing into the research for tools that, by their very design,
> ultimately jeopardize the safety of all other digital assets.
>
I wasn't commenting on the cryptocurrency aspect. Simply on the fact
that they were trying to run an online service without having the first
clue about how to manage a secure operation.
- Very lax user ID management policies ("Bob" had root access on the
production servers without having to "sign out" the root password every
time he used it.)
- Auth logs were not installed (or not paranoid enough) on the
production servers, so they could see he logged on, but could not see
what he did.
- "Bob" was able to install RDP on Greg's laptop, which means Greg
didn't have a screen saver, and RDP into their office network was not
blocked at the firewall. It also means that nobody found it strange
that "Bob" sat down at Greg's desk for 15 minutes and used his laptop...
- They had just been hacked, and moved to a new web hosting company and
simply copied their code over to the new place... carrying the backdoor
with them, instead of re-installing from scratch. (This being said,
with Greg's laptop being compromised, even if they had reinstalled from
scratch, either "Bob" or "Rovion" would have been able to reinstall
their backdoor on the new servers.)
- They also went back online while forgetting to enable logging at the
new place... so the hacker was able to steal more stuff without being
tracked. (You just lost $130,000. Take the time to do things
properly... You don't want a repeat occurrence, but since someone will
invariably try again, you want to be able to catch them that time. As
the saying goes, "Fool me once, shame on you. Fool me twice, shame on me!")
And probably a bunch of other things that would make anyone with an IT
security background cringe.
You can't realistically expect to spin up a few VMs on Microsoft Azure
or Amazon AWS, and run a monetary exchange service with a team of 4
developers, one server guy, and a CEO who runs around yapping about
"DevOps" and "Minimum viable product" and other assorted AGILE
buzzwords, while admitting he has no idea how any of this works.
Banks have been in the business of expecting everyone to be a crook for
hundreds of years, there's a reason for it: online banking is SRS BZNS.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
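Two of the failings listed in the post above (root sessions that can be seen but not attributed, and a new host that went live with logging switched off) are exactly what a small audit over sshd/sudo auth logs catches. The following is an added example, not code from the thread or from ShapeShift: it parses a handful of constructed syslog-style lines (hostnames, IPs and commands are made up), flags direct root logins as unattributed privileged sessions, lists the sudo commands that are attributable to a named user, and reports any host on an assumed inventory list that never produced a single auth event.

```python
"""Audit sshd/sudo auth log lines for unattributed privileged access and silent hosts.

Added example; the sample log, host names and addresses are constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the syslog format that OpenSSH and sudo write on Linux.
SAMPLE_AUTH_LOG = """\
Apr 26 03:34:01 prod-web1 sshd[1201]: Accepted publickey for bob from 203.0.113.7 port 51234 ssh2: RSA SHA256:placeholder
Apr 26 03:35:12 prod-web1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Apr 26 03:40:55 prod-web1 sshd[1299]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Apr 26 03:52:07 prod-db1 sshd[877]: Accepted publickey for greg from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:placeholder
Apr 26 03:53:30 prod-db1 sudo:     greg : TTY=pts/1 ; PWD=/home/greg ; USER=root ; COMMAND=/usr/bin/pg_dump wallets
"""

# Assumed host inventory: prod-web2 is the freshly built box nobody pointed at the log collector.
EXPECTED_HOSTS = {"prod-web1", "prod-db1", "prod-web2"}

# "Accepted <method> for <user> from <src>" is the successful-login line sshd emits.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
# sudo records the invoking user, the target user and the exact command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def audit_auth_log(text, expected_hosts):
    """Return findings: direct root logins, sudo activity per user, hosts with no events."""
    root_logins = []                 # (host, source ip, auth method): nobody to attribute these to
    sudo_by_user = defaultdict(list)  # user -> [(host, target user, command)]: attributable actions
    seen_hosts = set()
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            seen_hosts.add(m["host"])
            if m["user"] == "root":
                root_logins.append((m["host"], m["src"], m["method"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            seen_hosts.add(m["host"])
            sudo_by_user[m["user"]].append((m["host"], m["target"], m["cmd"]))
    return {
        "unattributed_root_logins": root_logins,
        "sudo_by_user": dict(sudo_by_user),
        # A host that is supposed to exist but never logs anything is the "forgot to enable logging" case.
        "silent_hosts": set(expected_hosts) - seen_hosts,
    }


def report(findings):
    """Render the findings as plain lines suitable for a daily review."""
    lines = []
    for host, src, method in findings["unattributed_root_logins"]:
        lines.append(f"ROOT LOGIN ({method}) on {host} from {src}: actions in this session are unattributable")
    for user, actions in sorted(findings["sudo_by_user"].items()):
        for host, target, cmd in actions:
            lines.append(f"{user} ran as {target} on {host}: {cmd}")
    for host in sorted(findings["silent_hosts"]):
        lines.append(f"NO AUTH EVENTS from {host}: verify logging is enabled and forwarded")
    return lines


if __name__ == "__main__":
    for line in report(audit_auth_log(SAMPLE_AUTH_LOG, EXPECTED_HOSTS)):
        print(line)
```

In production the same two checks run against the collector rather than a local file: the root-login rule should fire on zero events (direct root login is disabled and every privileged action goes through sudo, so each one carries a name), and the silent-host rule is what turns "we forgot to enable logging at the new place" into an alert on day one instead of a discovery after the second theft.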