An Australian security researcher has discovered a flaw in Antminer Bitcoin miners that can be leveraged with CGMiner to obtain complete control of the victim's mining resources. Tim Noise stated that the majority of devices are configured from the factory with a web interface without a password set, which can then be silently adjusted to redirect the mining proceeds to the attackers wallet. Further lulz were had when it was noted that the OpenWRT software is running most operations, including CGMiner as root user. The flaw was tested on the ubiquitous Antminer S5, and Noise is currently testing the proof of concept on the S7 series of devices to see if it can be duplicated. He has posted his version of the exploit code, dubbed "Queen Ant" on shithub. BitMain did not comment on the announcement.
Category Archives: Shitware
Activity On ChangeTip Today
The 7 remaining ChangeTip users1 cheered themselves on Twitter today as they moved a whopping 0.2 Bitcoin across their ailing network. Since the acquisition of their staff by AirnBNB, ChangeTip the product apparently no longer has sufficient staff to spam social media or further develop the service in any meaningful way. A request to the BitGive charity to comment on the donation was unanswered, and the request to twitter user @CharlesCNorton (WOT:nonperson) was blocked. (archived)
estimated ↩
"Pokemon Go" Ushers In New Phase Of Smartphone Surveillance
This past week's release of the smartphone gamified reality app "Pokemon Go" heralds the beginning of a new phase of the smartphone surveillance era. Billed as an "augmented reality" game the app uses in game incentives to direct users to physically visit locations that they would not otherwise. The app has already lead to a teenager discovering a dead body in a location she would have not otherwise visited.
In addition to directing users to physical locations the app encourages users to enable their smartphone's camera so that they may see pokemon "appear" in the real world. This active scanning of the real world by app users presents far greater potential for image collection than the typical social media app which relies on the user's vanity to get them to use their smartphone's camera.
It almost makes the app's requirement to turn on the smartphone's location services, one that will likely snare low intelligence "criminals", seem mundane.
Pokemon Go was preceeded by an alternate reality game called Ingress also developed by Pokemon Go creator Niantic. Ingress however lacked tie ins to any popular media franchises1 which would have delivered a ready made user base in the manner Pokemon Go has. Peace in our time!
Deepening the rabbit hole is Nintendo's long refusal to allow media properties they have a stake in to run on devices that aren't also sold by Nintendo. ↩
Meh Of The Week: Coinbase Can't Serve Canada
Coinbase has announced that it will no longer be servicing Canadian customers after August 1, 2016. Canadian fiat interface Vogogo abruptly decided to shut down it's service, leaving Coinbase no way to hawk it's imitation Bitcoin to users located there. Current users have been given a deadline of July 29th to convert their Canadian dollars to Bitcoin, or withdraw to a bank account. Users who fail to do so will be subject to account suspension, leaving remaining users in the scheme forced to pay exorbitant fees to recover their finds. Coinbase notably supported the failed XTCoin and ClassicCoin coup attempts which both failed like their Canadian fiat interface Vogogo. Sorry for your loss.
Water Charity Maximizes Their Marketing On Paypal's Venmo
A charity group has reportedly unwittingly used a vulnerability in Paypal's Venmo service to spam users, and perform a DoS attack on it's own network. waterislife.com reportedly used the loophole to automatically send 1 cent to a person every time they used the service to purchase products online, with one example message stating "“1 cent can’t buy you pizza. But for just 3 cents, you can buy someone clean water for a day.” There is no current restriction on the number of successive requests allowed by a single user, leaving one to expect other mass advertisers will quickly follow suit. Venmo has yet to offer word as to whether imitating the mass spam transaction service ChangeTip will be considered a bug or a feature. WaterIsLife did not disclose how much the campaign cost them to run, but reportedly received $400 USD in donations on the first day.
Avid Life Media Under FTC Investigation
Fallout from the Ashley Madison hack continues, with parent company Avid Life Media now the focus of a U.S. Federal Trade Commission investigation. CEO Rob "more could perhaps have been spent on security" Segal (WOT:nonperson) said the company is spending millions to improve zher security and did not reveal if the investigation was targeting zher use of fake profiles and fembots to lure desperate customers to the site. He offered only "That's a part of the ongoing process that we're going through … it's with the FTC right now." The company boasts they have "roughly $50 million" USD to be used for "fostering partnerships" with other dating sites.
CoinJoin Not A Privacy Tool After All
Joinmarket, the Bitcoin tumbler service apparently popular among darknet market aficionados today announced that their service isn't actually very anonymous after all. Project developer Chris Belcher (WOT:nonperson) stated that "there are some possible vulnerabilities which could be exploited to spy on every user." While this was identified approximately one year ago, nothing was done to remedy the issue until multiple users noticed deanonymizing attacks happening in real time. Belcher assures his users that "We have a pretty good idea how to fix this" and after discussing the matter with CoinJoin creator Gregory Maxwell (WOT:gmaxwell) they together suppose they have an algorithm that will make it more difficult for attackers to uncover information on utxo's. It was admitted that "This algorithm is not intended as a complete solution to that issue" leaving darknet market users with another steaming pile of shitware.
Symantec Snake Oil Goes Rancid
Researches with Googles Project Zero security team announced on Wednesday a major vulnerability affecting nearly all Symnatec snake-oil antivirus products. The kernel vulnerability requires no user action, which would allow attackers to corrupt system memory without requiring users to even open an email used to trigger the flaw.
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
Symnatec indicated they were not aware of anyone actually exploiting the bug as of yet, and responded by making a new panacea that supposedly fixes the problem.
Microsoft Withdraws Paid Fitness App, Existing Users To Lose Access
It appears Microsoft is on the Transmayo Transition Train with the company withdrawing the Xbox Fitness App from their marketplace. The app which allowed XBox One users to "purchase" a variety of fitness videos to fight the potential for Obeastiality in their own lives, will become unusable to those who paid on July 1st, 2017. It is unknown how many butter golems at Microsoft's XBox division were so triggered by the idea of people not being fellow lardbarges, that they decided they just had to turn XBox fitness into an instrument of theft.
How The Tor Project Pays And Pays CIA Agents From Their USG.Navy Coffers
From the Tor Project's own timeline on their hiring and post separation payments to "former" CIA agent David Chasteen. Given the source, information presented as facts in this timeline may not be in concordance with reality. Interesting points bolded:
A sends:
Subject: David Chasteen Timeline
This is a timeline of events related to Tor's hiring of David Chasteen.
January 15th, 2011: David Chasteen attended a Tor hackday at MIT, while claiming to work for the State Department. There, he met Tor people including Jacob Appelbaum. Around this time, David Chasteen indicated he was interested in a job at Tor, but he was not hired.
October 5th, 2014: Roger Dingledine suggested adding David Chasteen to the tor-internal private mailing list and possibly hiring him as a project manager.
October 8th, 2014: Based on her previous experiences working with him, Karen Reilly sent an email to tor-internal advocating for David Chasteen to be hired as a project manager.
October 14th, 2014: David Chasteen was added to tor-internal.
November 5th and 6th, 2014: Operation Onymous
November 6th, 2014: David Chasteen's last day at the CIA after working there for 8 years.
November 7th, 2014: David Chasteen's first day working for Tor as a project manager. Along with Karen Reilly, he attended Freedom of the Press Foundation's Digital Security Conference in Washington DC. At the conference, he met with Xeni Jardin about writing a guest post on Boingboing about Tor hiring him. On this same day, David Chasteen disclosed to Roger Dingledine that he worked for the CIA.
November 9th, 2014: In the wake of media concerns stemming from Operation Onymous, Jacob Appelbaum sent an email to tor-internal calling for a more coordinated media strategy. In this, he asked if anyone paid by Tor has a clearance.
November 10th, 2014 13:30 EST: David Chasteen responded saying that he had a clearance, but it is no longer active. He further stated that, because all Foreign Service Officers and military officers have clearance, having a policy against hiring anyone with a clearance would be discrimination against veterans.
November 10th, 2014 15:21 EST: David Chasteen sent an email to tor-internal disclosing that he worked for the CIA for 8 years, explaining why he wanted to work for Tor, and discussing is plans going forward (including the Boingboing guest post).
November 10th, 2014: tor-internal IRC and mailing list discussion about how to handle the hiring of David Chasteen.
November 10th, 2014 18:21 EST: David Chasteen sent an email saying he was going to "bow out" because it did not seem like anyone was comfortable with the situation.
November 11th, 2014 18:51 EST: Jacob Appelbaum sent the #tor-internal IRC log to the tor-internal email list.
November 10th, 2014 22:44 EST: David Chasteen said he was going to unsubscribe himself from tor-internal. At 23:10 EST, Damian Johnson confired that David Chasteen was no longer on tor-internal.
November 16th: Andrew Lewman sent an email to tor-internal saying that David Chasteen hired a law firm and that members of the list should have no contact with David Chasteen or discussions about him.
December 2nd: Andrew Lewman told tor-internal that negotiations with David Chasteen were ongoing, reiterated his request that tor-internal members have no contact with or discussions about David Chasteen, and said he would report back with updates.
At some later date, David Chasteen settled out of court with the Tor Project.1
This means the Tor Project paid their valiant CMU Tor Attack and Operation Onymous fall guy. Except where are the mentions that the CMU Tor Attack did Operation Onymous? Well, who needs those when you have a David Chasteen to play distraction. ↩