A message some users of Virwox received:
here is what has happened:
Similar to other exchanges, our servers are protected from DDOS-attacks by an external service provider. While our own servers themselves were not vulnerable to the "Heartbleed" attack, the proxy servers of the DDOS provider were. They have fixed the problem already and we have turned on the service again.
The good news is that our own server was NOT hacked, and none of our secrets or bitcoins were stolen. However, the attacker was able to get to the session cookies of in total 20 users who were logged in yesterday (between about 8am and 11am), and used this to try to withdraw the money they had in their account in the form of bitcoins.
They don't say how much loss they have suffered, but they have reimbursed the victims.
There's a few reasons for this. First, the Tarsnap client-server protocol does not use TLS
I was also lucky: The Tarsnap webserver happens to be running an older version of OpenSSL which never had the vulnerable code
For those who are curious about the protocol that Tarsnap uses : it's explained here
I remember reading about how the newly facebook chat was made using long pollings, years ago. Now with HTML5 with have sockets and webhooks made easy. I wonder if they're still using long polling now...
Anyway, Zapier. A start up that is making APIs easy, is writing a lot of interesting tutorials these last few months. Their new Chapter 7 was released and it's about polling and web hooks. And as usual it's great!
After messing around with this code for about a month I decided to write this up for the tubes in the hope that I can save some souls. I have come to the conclusion that OpenSSL is equivalent to monkeys throwing feces at the wall. It is, bar none, the worst library I have ever worked with. I can not believe that the internet is running on such a ridiculous complex and gratuitously stupid piece of code. Since circa 1998 the whole world has been trusting their secure communications to this impenetrable morass that calls itself the "OpenSSL" project. I bet that the doctors that work on that shitshow can not prescribe anything useful either!
worrying essay, read it here: https://www.peereboom.us/assl/assl/html/openssl.html
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
A pretty bad bug has been found in open SSL during the Codenomicon. more info here: http://heartbleed.com/
List of vulnerable websites from the Alexa top 10,000 websites: https://gist.github.com/dberkholz/10169691
You can test a website here: http://filippo.io/Heartbleed/
And also, if you have a lot of time to waste, this random dude seems to know a lot about it :D
Some people from Stanford are planning to build an anonymous market place. As Silk Road as shown, such a project can only fall with time unless it is decentralized. With all the new ideas and technologies coming into place (in protocols such as bitcoins, namecoins (for dns)), they are thinking of applying them for a decentralized market place as well.
More info here: https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013304.html
And a new github repo to watch out for!
They say that this wireless security system might now be breached with relative ease by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2
it is the de-authentication step in the wireless setup that represents a much more accessible entry point for an intruder with the appropriate hacking tools. As part of their purported security protocols routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time.
In the meantime, users should continue to use the strongest encryption protocol available with the most complex password and to limit access to known devices via MAC address.
they allowed "file://" to be fetched from their servers when they should have restricted it to "http(s)://"
- they were using servers that were part of a network to do some private stuff, didn't filter those ips, people on the same network could perform those tasks.
...At least for now.
This shows how unnecessary encrypting is sometimes. Some people like to encrypt and encrypt everything, and don't consider a solution "usable" if it not fully protected.
I'd argue that twitter has always been a very "public" and "exhibitionist" kind of websites where the private messages have never been a core feature (and it's actually not a really well done message system) and no user is obviously going to use it for "serious" matters. So why spend time encrypting it ?
I have two invites for the new IDE by github. I can't try it because I don't own a mac and there are no versions for windows at the moment (not even linux). Weird, but eh, if you own a mac and want an invite just ask me in the comments !
I won't link to the article because it's just a plain DOX and way too creepy for my blog, but the creator of bitcoin has been found.
Great lecture from Matt Whitlock, the video's quality is a bit off but the talk is really easy to understand and nicely paced.
And you can tell right away that he's a great educator: "I'll explain first why we use ECC, because in general I don't really understand things when I don't know how they're important" (not the exact words but you get the idea).
Monetize without ads
Check it out here: http://tidbit.co.in
You liked dogecoin? Well now there is Nyan Coin (yes with the nyancat!)
here it is : http://nyancoin.org/
Bitcore seems to be an opensource node application that lets you deal with the bitcoin protocole easily (they give as exemple an function to validate a bitcoin address)
More info here