BitShares Forum
Main => Technical Support => Topic started by: goldeagle on April 26, 2017, 08:03:41 am
-
Hi All, Not being a techie I would like to ask a question.
As you will be aware doris-payne is hacking many accounts. He/she is some how accessing accounts without any bin file or password. My account was hacked even though I keep nothing pertaining to my account on my mac. Everything is stored on a usb, and all browsing data is deleted.
Is it necessary for our bitshare account details (user name, transfer amounts) to be made public in http://cryptofresh.com?
Bitshares are aware of the problem but to date nothing has been done to prevent hacking of accounts. The problem seemed to start after the recent changes to logging in to bitshares accounts.
Does any one know what is being done to prevent further hacking of bitshares accounts?
Thank you
Regards
Rick
-
cryptofresh.com is only publishing blockchain data that is public anyway. It is a *helpful* service and certainly not the cause of these hacks!
AFAICS (on cryptofresh) only a handful of accounts seem to be affected, and most of them look like compumatrix users (account name is prefixed with "cni-"). It is possible that the hack was executed through an XSS attack on the compumatrix trading interface, or whatever frontend they have over there - I don't know.
(It is of course also possible that such an attack was executed on openledger.info, but I think we would see a lot more affected accounts then.)
-
How many have been hacked?
How do we secure ourselves?
-
So fare i know at least 8 accounts where hacked so fare. This account of doris -payne was created only at the 2017-04-18 . >:( >:( >:(
-
Hi Guys, thanks for your replies.
To date, I know of ten accounts that were hacked. doris-payne, for some unknown reason also sent funds to a few other accounts. A Robin Hood action.
Yes, it does seem that only cni- accounts were hacked.
They have proven a point, that it is possible to hack accounts without the passwords or bin files that are supposedly needed to access our bitshares. A very clever person that could better use their talents elsewhere.
Thanks again
Regards
Rick
-
I'm afraid it's not hacked accident.
for the transaction at block 15973155
http://cryptofresh.com/b/15973155
lil-bi.t-of-techs-us sent 80,238 BTCPLUS to doris-payne
the signature is "1f4393f0ca49098a42cdd046bfd213081e005c83f290046d267f19740dc0956d8c40670c299d6488c5421c0605386e8804b79498159bfa826599cd4c05b05d2a17"
it's not signed by key "BTS5XmF1sN8MJAqJfcTqKJJTmZsDnUVXLnYtFVeA9rAsj1XYd3WYP" which belong to lil-bi.t-of-techs-us
it's signed by key "BTS5VRaCZGCVQrPWsFAutV5fDVu8cGePg2cRowvHNdGQywhaQTyM5" which belong to compumatrix1
and you all set account compumatrix1 as your active auth account.
-
How many have been hacked?
How do we secure ourselves?
use the desktop wallet.
-
Trying desktop wallet and can't make sense of it. Guide anywhere?
-
@renkub
https://github.com/bitshares/bitshares-ui/issues/124
-
TLDR of alt's comment: Remove compumatrix1 from your account auths if you have it..
-
compumatrix1 blacklisted doris-payne
-
experts, is there a way for a compromised lifetime member to change their signing keys..or anyone else to change them?
From xeroc: He needs the owner key .. if he has that .. he can import it into the wallet and change the active and owner key .. paperwallet.bitshares.eu may be helpful
-
how do you register via compumatrix? do they offer their own wallet (would explain everything), or do they forward to openledger?
-
how do you register via compumatrix? do they offer their own wallet (would explain everything), or do they forward to openledger?
yes, https:// compumatrix.co
-
how do you register via compumatrix? do they offer their own wallet (would explain everything), or do they forward to openledger?
yes, https:// compumatrix.co
then it's pretty clear. they have basically access to every account created through their interface.
I hope @ccedk blacklists them from their faucet ASAP.
-
how do you register via compumatrix? do they offer their own wallet (would explain everything), or do they forward to openledger?
Here is a reg I did through https://computermatrix.co ->
http://cryptofresh.com/u/test-reg-via-compumatrix-co
-
I remember saw a post from forum,
to active the account, the CNI member need to change active key, set compumatrix1 as their auth account, sent some COMPUSEEDS & BTS to compumatrix1.
you need to know if you add compumatrix1 as your active auth account, he can control all your funds. now you just need to remove it if you want to make your account safe.
-
how do you register via compumatrix? do they offer their own wallet (would explain everything), or do they forward to openledger?
Hi, Thanks to you all for your information and guidance. Members of compumatrix login to bitshares via a link in their own site. I believe there is a backdoor that has been accessed by doris-payne. To this end compumatrix members have been asked to remove permissions for compumatrix1.
Not sure if this will fix the problem, but it is being worked on. Another 4 accounts have been hacked.
Appreciate you guys advising.
Regards
Rick
-
This is amazing. People are being scamed by giving away their private keys to a scammer by their good will. And after this we advertise the DEX as being more secure than those evil centralized exchanges, banks etc...
-
Well, its not the exchange that was hacked, but compumatrix' user base .. clearly their fault .. not the techs fault
-
Compumatrix1 KNEW way ahead of time that there were very un-savvy members who would no doubt LOSE their bin files and their passwords and therefore LOSE their assets. He had them add the permissions so that he would have a way of sending the lost assets to a new account they set up, which of course HAPPENED MANY times and he INDEED sent their assets to the NEW account they made. ....they would have just LOST them if it weren't for him doing that to protect them from themselves....Henry is NO thief and anyone with half a brain would know that!! THIS hacker, doris-payne, found a crack in the system VIA those permissions and took advantage of it. That is IT in a nutshell.
HOW would he know this would happen?? can you look up a cow's ass and guess the price of butter in China??? if you can you need to get yourself a new career wearing a turban!!
IT is just pitiful the accusations that some are throwing in here...and it's damn sad that our group has never been made to feel welcome or wanted from the beginning here...
I HOPE there is as much time and energy spent on fixing the obvious fault in the system as there is pointing fingers!!
-
I want to thank you xeroc for your help in resolving this .... many kudos to you for that. Hopefully we can all turn this to a positive and grow from it...
it is a darn shame there are thieves who would rather use their talents to steal from others instead of making a contribution in creating a better world for everyone...but that is life I suppose.
Our members who lost won't be forgotten...
-
Compumatrix1 KNEW way ahead of time that there were very un-savvy members who would no doubt LOSE their bin files and their passwords and therefore LOSE their assets. He had them add the permissions so that he would have a way of sending the lost assets to a new account they set up, which of course HAPPENED MANY times and he INDEED sent their assets to the NEW account they made. ....they would have just LOST them if it weren't for him doing that to protect them from themselves....Henry is NO thief and anyone with half a brain would know that!! THIS hacker, doris-payne, found a crack in the system VIA those permissions and took advantage of it. That is IT in a nutshell.
HOW would he know this would happen?? can you look up a cow's ass and guess the price of butter in China??? if you can you need to get yourself a new career wearing a turban!!
IT is just pitiful the accusations that some are throwing in here...and it's damn sad that our group has never been made to feel welcome or wanted from the beginning here...
I HOPE there is as much time and energy spent on fixing the obvious fault in the system as there is pointing fingers!!
Prevention is better than cure. Should've educated your user base on passwords instead of baby sit them. This is entirely based on incompetency
-
to sum up :
register via a bad guy's website can lead to money being stolen.
but what about importing ur existing secure wallet bin file to a bad guy's website? Can it be stolen as well ?
-
to sum up :
register via a bad guy's website can lead to money being stolen.
but what about importing ur existing secure wallet bin file to a bad guy's website? Can it be stolen as well ?
sure, why not? they could just change the way how you import your account and catch everything.
-
I HOPE there is as much time and energy spent on fixing the obvious fault in the system as there is pointing fingers!! [/size]
Please stop shouting.
And please explain what the "obvious fault in the system is".
Like alt said,
for the transaction at block 15973155
http://cryptofresh.com/b/15973155
lil-bi.t-of-techs-us sent 80,238 BTCPLUS to doris-payne
the signature is "1f4393f0ca49098a42cdd046bfd213081e005c83f290046d267f19740dc0956d8c40670c299d6488c5421c0605386e8804b79498159bfa826599cd4c05b05d2a17"
it's signed by key "BTS5VRaCZGCVQrPWsFAutV5fDVu8cGePg2cRowvHNdGQywhaQTyM5" which belong to compumatrix1
and you all set account compumatrix1 as your active auth account.
Cryptography doesn't lie. The transaction was authorized by someone with access to compumatrix1's private key. So either it was them, or someone stole their keys. In either case I don't see how this is a "fault in the system".
-
so for these reasons, web wallet is not 100% secure unless u fully trust the web wallet provider.
the better bet is lightwallet .
we could never know if the web wallet provider turned bad because websites are not open sourced
-
This didn't happen till the new update came out with the ability to use password and username to get into accounts...I'm not a programmer but this is obviously connected (in my mind anyway) as we had NO problems like this since the time we joined over a year ago....I'm not debating and I still love the Bitshares DAX. I prefer this site over others I have been on hands down.
pc we DID see that transaction while investigating, hence, we began to figure out what happened. the hacker DID obviously exploit the permissions of compumatrix1. and as I said, setting permissions was done to help protect the members from the beginning and turned out to be not a good idea..hindsight again proves to be clearer than foresight....they have all been removed now. A lesson well learned BUT blaming and insinuating compumatrix1 to be a "scammer or a thief" is not fair.
I think we can agree we want this ecosystem to grow and prosper...THAT is good for all of us. and it would be great if we could all be supportive of each other .....
It appears the issue has been fixed and for that we are very grateful...we are ready to move on and put this behind us...
-
The only things exploited here is Compumatrix's users minds. It's a scam.
-
you statement is hollow and ignorant....but carry on thinking that way....just intensifies our resolve to prove you wrong.....
-
I am trying to wrap my head around compumatrix moving funds for users. Having the OPTION for Installing permissioned keys to wallets isn't a bad idea for a solid exchange with identity verifications and appropriate security, but if this is a shady application of that service we should aim to reduce these instances.
-
This didn't happen till the new update came out with the ability to use password and username to get into accounts...I'm not a programmer but this is obviously connected (in my mind anyway) as we had NO problems like this since the time we joined over a year ago....I'm not debating and I still love the Bitshares DAX. I prefer this site over others I have been on hands down.
pc we DID see that transaction while investigating, hence, we began to figure out what happened. the hacker DID obviously exploit the permissions of compumatrix1. and as I said, setting permissions was done to help protect the members from the beginning and turned out to be not a good idea..hindsight again proves to be clearer than foresight....they have all been removed now. A lesson well learned BUT blaming and insinuating compumatrix1 to be a "scammer or a thief" is not fair.
I think we can agree we want this ecosystem to grow and prosper...THAT is good for all of us. and it would be great if we could all be supportive of each other .....
It appears the issue has been fixed and for that we are very grateful...we are ready to move on and put this behind us...
I feel you.
To prevent future damage, please change password/active key of compumatrix1 from a secure wallet as soon as possible (may perhaps cause some function disabled on your website, so best make an announcement), then check your logs and audit your website to find out the hole.
-
thank you ....we did that....I'm ready to move forward out of this....lol
-
This whole episode has been very educational.
Hopefully others can learn from it.
-
it's better to view every single web wallet provider as centralized wallet instead of 100% pure decentralized secure wallet .
Light wallet is the least safe bet for significant funds while web wallet is for small funds .
-
Everyone read this
This is the biggest Compumatrix thread on the Internet with the most information, so I am going to put this here.
Ok, so it seems like every year Compumatrix is just Trick-Or-Treating their members for Halloween, and saying "Maybe you'll get a treat... Oops, nope, it was another Trick... But Christmas, just wait... Just a little longer" then before you know it is is October again and it is another Trick.
If you are a Compumatrix user, and want to be part of something created a by a Compumatrix user who is tired of Henry James and his bullshit (like many are, I know many, many people have left Compumatrix over the years, and there are people who told me I was stupid for thinking it was going to work this year after last year).
And I actually still trusted them. Until today. I made my own currency, and suggested to everyone that when my coin gains value, I can use my coin to raise the price of Compuceeds for everyone, and Gail was acting like I was an enemy because I made a coin.
So if anyone is looking to leave Compumatrix for something better, somethin that is actually going to work, because it has real currencies involved, not just Bitshares Assets (we will also make Bitshares assets, and Ethereum Tokens, and are looking at making our own version of the Graphene Blockchain, which is what makes Bitshares and Steemit work), then Join Temple Coin
Here is the Temple Coin ICO
https://bitsharestalk.org/index.php?topic=25621.0
Temple Coin Town
https://bitcointalk.org/index.php?topic=2681032.0