btcinfo  

Hic inserere motto

Yet another Zcash bug

September 27, 2019 — shinohai

Zcash is urging its userbase to immediately upgrade their wallets and node software to apply an "important security fix". A bulletin issued by the developers released no details, but stated:

"Version 2.0.7-3 of Zcashd includes an important security fix in response to an issue that was reported to us on Friday September 13th 2019 by Florian Tramèr, Dan Boneh, and Kenneth G. Paterson. Users should upgrade their nodes to this version immediately and discontinue use of older versions. Please note that the issue does not put funds at risk of theft or counterfeiting. More details of the issue will be released in coordination with the reporters of the issue at a future date."

This latest undisclosed issue is the second reported flaw in Zcash this year alone, the first being a bug that was found that allowed one to print unlimited monies which the developers kept secret for 8 months.

Tags: News, Cryptocurrency, Insecurity, Lulz

Canonical Shithub repositories hacked

July 06, 2019 — shinohai

Canonical Ltd (Ubuntu) source code repositories on Shithub were reportedly compromised this morning, complete with buttery screenshots. (archived)

No official word from Shithub or Canonical was available at the time of posting.

Tags: News, Insecurity, Lulz

Shinohai's Saturday Shitcoin Selections 4

July 06, 2019 — shinohai

The lulz in this story begin in a thread for the XJO cryptocurrency on bitcointalk. This guy suggests you can "run an entire 'DNM' on the XJO blockchain" and links to a javascript page (archived) that will happily eat your private keyz and encrypt and decrypt thingz for you!

Why this is incredibly stupid:

  1. iGolder.com should be all you need to know, but you can also google search it if you wish.
  2. No mention is made of airgap setups, and the joulecoin.info site is connected to the internet when performing crypto functions.
  3. No mention made of layering (see above), and why you should be using 4096-bit or higher RSA keys for any comms, period.
  4. Cost of 51% attacks and other lulz would be near nothing for interested 3-letter agencies.
  5. Point #1 is honestly enough to end this discussion.

"But it's so luser friendly, everyone can do it!"

There is no scenario that exists, or shall ever exist, where "paste your key here" ever becomes proper handling of cryptographic keys, and certainly not in situations that require proper OPSEC and associated sanitation procedures. This is seriously the most retarded post I've read all year, and tardstalk produces some very brain-damaged threads.

TL;DR OP is an utter moron and you should seek advice elsewhere if you use crypto in any high-risk situations.

Tags: News, Cryptocurrency, Insecurity, Lulz

SKS Keyserver Network Under Attack

June 29, 2019 — shinohai

via Shithub.

"At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately."

etc.

Update: Bonus lulz from phuctor.

Tags: News, Insecurity, Lulz

Official Alpine Linux Docker image found to allow NULL password for root users

May 08, 2019 — shinohai

Docker woes continue as security researchers discover that all "Official images" of Alpine Linux (since v3.3) allow NULL passwords for the root user. This event, along with Docker Hub being hacked, serves as a wonderful reminder to run only code from trusted sources and personal libraries.

Tags: News, Insecurity, Lulz, UNIX

McAfee flees U.S. after tax fraud allegations

January 24, 2019 — shinohai

John McAfee announced earlier this week that the U.S. Internal Revenue Service is allegedly charging him with felony tax evasion for 8 years' non-payment of taxes, and that he will be running his Presidential campaign from exile on a vessel dubbed "The Freedom Boat".

The first transgendered US President?

McAfee assured his followers on twitter that he would be releasing videos every day as long as the exile lasts, which leads the author to the conclusion that ample supplies of tinned penis, Xanax, and electronic equipment were provisioned in the freedom boat's hold before casting off. (archived)

Tags: News, Cryptocurrency, Insecurity, Lulz

Anti-Trump messages blamed on twitter hackers

December 05, 2018 — shinohai

Rudy Giuliani's cybersecurity team fails at the internet. twitter is blamed.

Tags: News, Insecurity, Lulz

Chinese Ethereum vulnerable to ancient bug

December 04, 2018 — shinohai

The NEO platform (Chinese Ethereum) was discovered to be vulnerable to the same default settings bug that caused mETH tards to have funds liberated from their nodes back in June. Chinese tech company Tencent first reported the bug, and encouraged all users to update their nodes as soon as possible, instead of correctly advising users to simply abandon the platform, and anything else remotely resembling Ethereum. Coinmarket cap lists an imaginary valuation of $532 million USD for this corn riddled steamy pile of Asian shit.

Tags: News, Bitcoin, Cryptocurrency, Lulz, Insecurity

Malicious GasToken Minting in mETHereum disclosed

November 21, 2018 — shinohai

Quoted from the public disclosure by Level K:

This is a public disclosure of a newly discovered vulnerability. Some affected parties have already been notified in a private disclosure that was sent out on November 13th. When ETH is sent to an address, that address is able to perform arbitrary computations paid for by the originator of the transaction. This is a known vector for griefing. However, in some cases, at-risk systems such as exchanges did not put proper protections in place. GasToken, which takes advantage of the refund mechanism on storage in Ethereum, allows users to store gas when the gas price is low and receive a gas refund when the gas price is high. By minting large amounts of GasToken when receiving ETH, the griefing vector mentioned above can now be a profitable attack. Because it was unknown which exchanges did and did not have the protections in place, the private disclosure was made to as many exchanges as possible, many of which were not at risk. To our knowledge, all affected exchanges that received the disclosure have patched the vulnerability. For more information the full disclosure can be found here.

As has been documented on this blog, and formerly on Qntra (Now pretty much the BingoBoingo blog), Ethereum is a flaming tire in a shitpit that should not be used for any purpose.

Tags: News, Cryptocurrency, Insecurity, Lulz

Buffer overflow bug discovered in segshit address scheme.

October 31, 2018 — shinohai

A buffer overflow vulnerability has been discovered by satoshi labs in the bech32 address scheme, used by Segshit and introduced into Bitcoin by "Core" developer Pieter Wuille. Satoshi labs assures users of their already pwnd Trezor devices that the risk is minimal and can only result in denial of service attacks, but released a firmware update immediately after the bug was confirmed. (archived)

Tags: News, Bitcoin, Insecurity, Lulz

Eliminating malicious TLDs with regex

September 07, 2018 — shinohai

A discussion on Telegram this morning led to this post; I decided to preserve this handy list of regular expressions for filtering out mostly dumb and malicious TLDs. I am personally using an EdgeRouter Lite with dnsmasq for this purpose, so your mileage may vary - feel free to modify and make these better. Suggestions for changes may be sent to my email listed on the contact page; as usual, non-encrypted content will be ignored.

^https?://([A-Za-z0-9.-]*\.)?.gq/ 
^https?://([A-Za-z0-9.-]*\.)?.cf/ 
^https?://([A-Za-z0-9.-]*\.)?.men/ 
^https?://([A-Za-z0-9.-]*\.)?.loan/ 
^https?://([A-Za-z0-9.-]*\.)?.ml/
^https?://([A-Za-z0-9.-]*\.)?.top/
^https?://([A-Za-z0-9.-]*\.)?.work/
^https?://([A-Za-z0-9.-]*\.)?.click/
^https?://([A-Za-z0-9.-]*\.)?.tk/
^https?://([A-Za-z0-9.-]*\.)?.country/
^https?://([A-Za-z0-9.-]*\.)?.pw/
^https?://([A-Za-z0-9.-]*\.)?.party/
^https?://([A-Za-z0-9.-]*\.)?.trade/ 
^https?://([A-Za-z0-9.-]*\.)?.review/ 
^https?://([A-Za-z0-9.-]*\.)?.club/ 
^https?://([A-Za-z0-9.-]*\.)?.bid/
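A single combined filter for the same TLDs, as an added example that is not part of the original post. It goes beyond the list above by also handling ports, userinfo, a trailing-dot FQDN and URLs with no path, while refusing to match a listed TLD that only appears in the path or as the prefix of a longer label. The names `TLDS`, `BLOCK_RE` and `blocked` and all sample URLs are this example's own.

```python
import re

# TLDs taken from the list above.
TLDS = ["gq", "cf", "men", "loan", "ml", "top", "work", "click", "tk",
        "country", "pw", "party", "trade", "review", "club", "bid"]

BLOCK_RE = re.compile(
    r"^https?://"
    r"(?:[^/?#@]*@)?"        # optional userinfo; the real host comes after the '@'
    r"(?:[a-z0-9-]+\.)+"     # one or more host labels, each followed by a literal dot
    r"(?:" + "|".join(map(re.escape, TLDS)) + r")"
    r"\.?"                   # fully-qualified form with a trailing dot
    r"(?::\d+)?"             # optional port
    r"(?:[/?#]|$)",          # the host must end here, so 'club' does not match 'clubhouse'
    re.IGNORECASE,
)


def blocked(url):
    """True when the URL's host sits under one of the listed TLDs."""
    return BLOCK_RE.match(url) is not None


# Constructed sample URLs for the demonstration.
SAMPLES = [
    "http://free-prizes.gq/",
    "https://a.b.example.TOP:8443/login",
    "http://example.click",
    "http://example.com@evil.gq/",        # userinfo trick: the host is evil.gq
    "http://evil.gq@example.com/",        # the host is example.com
    "https://example.com/download.tk/",   # listed TLD only in the path
    "http://example.clubhouse.org/",      # listed TLD is only a label prefix
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("BLOCK" if blocked(url) else "pass ", url)
```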

YARA compatible regular expressions for detecting base64 encoded variable-case http:// and https:// URI prefixes:

HTTP:// ([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx][Io][Vd][FH][R][Qw][O]i\x38v[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30\x32EGUWkm][h][\x30U][Vd][FH][A]\x36Ly[\x2b\x2f\x38-\x39]|[Sa][FH][R][\x30U][Uc][D]ovL[\x2b\x2f-\x39w-z])

HTTPS:// ([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx][Io][Vd][FH][R][Qw][Uc][z]ovL[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z][\x30\x32EGUWkm][h][\x30U][Vd][FH][B][Tz][O]i\x38v[\x2b\x2f-\x39A-Za-z]|[Sa][FH][R][\x30U][Uc][FH][M]\x36Ly[\x2b\x2f\x38-\x39])
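Where the three alternatives in each expression come from, as an added example that is not code from the original post: a prefix can start 0, 1 or 2 bytes into a base64 3-byte group, and each alignment produces a different run of characters, with letter case and neighbouring bytes widening some positions into classes. The sketch derives those classes for any keyword (a generalization of the two expressions above); function names and sample strings are this example's own.

```python
import base64
import re
from itertools import product

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def byte_options(keyword, offset, i):
    """Values stream byte i can take: either letter case inside the keyword, anything outside."""
    k = i - offset
    if 0 <= k < len(keyword):
        ch = keyword[k:k + 1]
        return sorted({ch.lower()[0], ch.upper()[0]})
    return range(256)


def classes(keyword, offset):
    """Per-position base64 character sets for `keyword` starting `offset` bytes into a group."""
    first = (offset * 8) // 6                       # first sextet that overlaps the keyword
    last = ((offset + len(keyword)) * 8 - 1) // 6   # last sextet that overlaps the keyword
    out = []
    for j in range(first, last + 1):
        lo, hi = (6 * j) // 8, (6 * j + 5) // 8     # the one or two bytes this sextet spans
        second = byte_options(keyword, offset, hi) if hi != lo else [0]
        shift = 10 - (6 * j - 8 * lo)               # aligns the sextet in a 16-bit window
        chars = set()
        for a, b in product(byte_options(keyword, offset, lo), second):
            chars.add(B64[((a << 8 | b) >> shift) & 0x3F])
        out.append("".join(sorted(chars)))
    return out


def b64_regex(keyword):
    """One alternative per alignment (0, 1 or 2 bytes into a group), joined with '|'."""
    alts = ("".join("[" + re.escape(c) + "]" for c in classes(keyword, off))
            for off in range(3))
    return "(" + "|".join(alts) + ")"


def detect(blob, keyword=b"http://"):
    """True when the base64 text `blob` can contain `keyword` in any letter case."""
    return re.search(b64_regex(keyword), blob) is not None


if __name__ == "__main__":
    # Constructed samples: the same mixed-case URL behind 0, 1 and 2 bytes of padding.
    for pad in (b"", b"x", b"xy"):
        enc = base64.b64encode(pad + b"hTtP://example.invalid/a").decode()
        print(len(pad), enc, detect(enc))
```

The classes derived for alignment 0 of `http://` are the same ones that appear in the last alternative of the HTTP expression above.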

Tags: Insecurity, Webshit

Static address bug discovered in Ledger app

August 03, 2018 — shinohai

The Ledger hardware wallet team announced a serious "bug" in the Ledger Wallet Ethereum Chrome application, telling lusers to avoid using it as it generates a static address for everyone. But "Engineering is working on it" so they recommend using more Webshit, like MyEtherWallet, in the meantime while the company tries to figure out why webpages generate static addresses and bikeshed a solution.

Tags: News, Cryptocurrency, Insecurity, Lulz, Webshit

Zerodium offering increased rewards for UNIX 0day exploits

June 29, 2018 — shinohai

Zerodium, a company that brokers exploits to governments and "law enforcement", is now offering rewards of up to one half million USD for zero days in UNIX operating systems. The company's website states that payments can be processed in Bitcoin and other "cryptocurrencies".

ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or using crypto-currencies e.g. Bitcoin.

Zerodium only accepts submissions encrypted with their GPG KEY and claims to take one's privacy "very seriously", though they require a researcher's personal information that they promise not to share with anyone, ever.

Tags: News, Bitcoin, Insecurity, Linux

Enumerating geth nodes for fun and profit

June 13, 2018 — shinohai

Step 1: Download GETH and build it inside a chroot.

Step 2: Fire up geth and wait for the ethereum database to load.

Step 3: Enumerate peers running misconfigured clients and rpc consoles by running an insecure instance yourself:

dibbuk# ./geth --rpc --rpcaddr 0.0.0.0 --rpcapi db,eth,net,web3 --dev console

Step 4: Profit. I quickly found 22 nodes listening for the entire world on port 8545, ~60% of these were located on Chinese and other South Asian mining farms. For bonus lulz you can leverage the power of virtual shrimp mining to disrupt the network whilst you pilfer the funds from vulnerable wallets.

At the time of this post, the addresses below are confirmed to have received around $22 million USD in ETH liberated by enterprising crypto pirates, and the figures still climb despite warnings not to do this shit since March:


Lesson: Trust your finances to garbage written in golang with a javascript console at your peril.
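The defender's side of Step 3, as an added example that is not part of the original post: a check that reads a geth launch line and reports whether the HTTP-RPC interface is bound beyond loopback and which API modules it offers. It only knows the flags shown in the post, assumes geth binds RPC to localhost when `--rpcaddr` is omitted, and uses constructed command lines; `rpc_exposure` and `is_loopback` are this example's own names.

```python
import ipaddress
import shlex

VALUE_FLAGS = {"rpcaddr", "rpcapi"}  # flags from the post that take a value


def is_loopback(addr):
    """True only for localhost or a loopback IP; 0.0.0.0 and :: mean every interface."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # some other hostname: treat as reachable until checked


def rpc_exposure(cmdline):
    """Return None if HTTP-RPC is off, else the bind address, exposure flag and API list."""
    args = shlex.split(cmdline)
    flags = {}
    for i, arg in enumerate(args):
        if not arg.startswith("--"):
            continue
        name, eq, val = arg[2:].partition("=")
        if name in VALUE_FLAGS and not eq:
            # '--flag value' form: the value is the next token
            val = args[i + 1] if i + 1 < len(args) else ""
        flags[name] = val
    if "rpc" not in flags:
        return None
    addr = flags.get("rpcaddr", "localhost")  # assumption: localhost is the default bind
    apis = [a for a in flags.get("rpcapi", "").split(",") if a]
    return {"bind": addr, "exposed": not is_loopback(addr), "apis": apis}


# Constructed command lines for the demonstration.
SAMPLES = [
    "./geth --rpc --rpcaddr 0.0.0.0 --rpcapi db,eth,net,web3 --dev console",
    "./geth --rpc --rpcaddr=127.0.0.1 --rpcapi eth,net",
    "./geth --rpc",
    "./geth console",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(rpc_exposure(line), "<-", line)
```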

Tags: Bitcoin, Cryptocurrency, Insecurity, Lulz

Women In Tech: Tracey Rosenberger

June 02, 2018 — shinohai

Are you bored this weekend? Ever wake up at 3 a.m. and think "I'm just not giving the NSA enough personal information"? Then follow along as women-in-tech(tm) author Tracey Rosenberger shows you how to build your own Amazon Alexa using a Raspberry Pi. Installation of the software is a breeze thanks to the unsigned automated scripts that ensure every packet of your precious data will get routed to improper users just like the real thing!

For those that prefer a more portable auto surveillance device, Ms. Rosenberger has published an article on how to make Alexa your default assistant on Android.

Tags: News, Insecurity, lulz