Hackers Stole Over $20 Million From Misconfigured Ethereum Clients (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today. The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545. The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact with, or retrieve data from, the original Ethereum-based service -- such as a miner or wallet application that users or companies have set up for mining or managing funds. Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.
Does anyone have the numbers: are you more likely to have money stolen from your wallet or your virtual wallet? For each $1 value in each, which is more vulnerable?
Seems to be a lot of big money heists from virtual wallets, but does that percentage-wise add up to more thefts per mano?
"That's the way to do it" - Punch
Was I lied to ?
Trust was to be decentralized so this cannot happen. The transaction is on the blockchain... so just fix it. :)
And I am sure it is backed by deposit insurance.... oh wait.....
5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
Being your own bank seems to work out well.
RPC for native clients has only been enabled for localhost. Someone or something has to configure it for remote access. It takes some work to make it happen.
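The story summary and the comment above both come down to one configuration question: is the node's HTTP JSON-RPC bound to loopback (the default) or to a network-facing address, and which API namespaces are enabled on it. The following audit script is an added example for this thread, not code from BleepingComputer, Netlab or the go-ethereum project. It assumes the flag names go-ethereum has used for this interface (the older `--rpc`, `--rpcaddr`, `--rpcapi`, `--rpcport`, `--rpccorsdomain` and the newer `--http`, `--http.addr`, `--http.api`, `--http.port`, `--http.corsdomain`) and the documented defaults of RPC off, bind address 127.0.0.1, port 8545 and namespaces `eth,net,web3`; the set of "sensitive" namespaces is the author's own choice. Feed it the command line a node was started with and it reports whether the interface is reachable from other hosts and what a remote caller could do with it.

```python
"""Audit a geth-style command line for an exposed JSON-RPC interface.

Added example (not from the article, Netlab or go-ethereum). Flag names and
defaults are assumptions taken from go-ethereum's documentation: RPC is off
unless --rpc/--http is given, binds to 127.0.0.1:8545, and enables
eth,net,web3 unless --rpcapi/--http.api overrides that.
"""
import shlex
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Union

ENABLE_FLAGS = {"--rpc", "--http"}
ADDR_FLAGS = {"--rpcaddr", "--http.addr"}
PORT_FLAGS = {"--rpcport", "--http.port"}
API_FLAGS = {"--rpcapi", "--http.api"}
CORS_FLAGS = {"--rpccorsdomain", "--http.corsdomain"}

# Namespaces whose methods can unlock accounts, sign/send transactions,
# change mining settings or dump node internals (author's choice of set).
SENSITIVE_NAMESPACES = {"personal", "admin", "miner", "debug"}


@dataclass
class RpcAudit:
    enabled: bool
    bind: str
    port: int
    apis: Set[str]
    cors: Optional[str]
    findings: List[str] = field(default_factory=list)

    def _loopback(self) -> bool:
        try:
            return ip_address(self.bind).is_loopback
        except ValueError:  # hostnames: only "localhost" counts as local
            return self.bind == "localhost"

    @property
    def exposed(self) -> bool:
        """True when the interface is on and not bound to loopback."""
        return self.enabled and not self._loopback()


def _parse(argv: List[str]) -> Dict[str, Union[str, bool]]:
    """Collect --flag value / --flag=value pairs; bare enable flags map to True."""
    opts: Dict[str, Union[str, bool]] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            i += 1
            continue
        if "=" in tok:
            key, val = tok.split("=", 1)
            opts[key] = val
        elif tok in ENABLE_FLAGS or i + 1 == len(argv) or argv[i + 1].startswith("--"):
            opts[tok] = True
        else:
            opts[tok] = argv[i + 1]
            i += 1
        i += 1
    return opts


def _first(opts: Dict[str, Union[str, bool]], flags: Set[str], default: str) -> str:
    return next((str(opts[f]) for f in flags if f in opts), default)


def audit_geth_args(cmdline: str) -> RpcAudit:
    """Return an RpcAudit describing the HTTP JSON-RPC exposure of a node."""
    opts = _parse(shlex.split(cmdline))
    enabled = any(f in opts for f in ENABLE_FLAGS)
    bind = _first(opts, ADDR_FLAGS, "127.0.0.1")
    port = int(_first(opts, PORT_FLAGS, "8545"))
    apis = {a.strip() for a in _first(opts, API_FLAGS, "eth,net,web3").split(",") if a.strip()}
    cors = _first(opts, CORS_FLAGS, "") or None
    audit = RpcAudit(enabled, bind, port, apis, cors)

    if not enabled:
        audit.findings.append("HTTP JSON-RPC disabled")
        return audit
    if audit.exposed:
        audit.findings.append(f"RPC bound to {bind}:{port}, reachable from other hosts")
        if "eth" in apis:
            audit.findings.append("CRITICAL: eth_sendTransaction can spend from any unlocked account")
        if "personal" in apis:
            audit.findings.append("CRITICAL: personal_unlockAccount/personal_sendTransaction reachable remotely")
    risky = apis & SENSITIVE_NAMESPACES
    if risky:
        audit.findings.append("sensitive namespaces enabled: " + ",".join(sorted(risky)))
    if cors == "*":
        audit.findings.append("CORS wildcard: any web page the operator visits can call the RPC")
    return audit


if __name__ == "__main__":
    # Constructed sample command lines, not taken from any real deployment.
    for line in (
        "geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal console",
        "geth --http --http.api=eth,net",
        "geth --syncmode fast",
    ):
        result = audit_geth_args(line)
        print(line, "->", "EXPOSED" if result.exposed else "local", result.findings)
```

The check deliberately treats a loopback bind as the safe baseline and does not try to guess at firewalls or reverse proxies in front of the node; if the interface has to be reachable remotely, the finding about the `eth` and `personal` namespaces is the one to act on, since moving funds needs nothing beyond those.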
You mean writing apps on the blockchain doesn't make them magically secure? I am shocked!
Why! Dear God! Why!
I don't know why they're being blamed... but I fully endorse the blame Facebook train!
"That's the way to do it" - Punch
Or are we still only doing this for the big players only, you fucking fraud?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Stolen seems like a strong word if the victims exposed an API online with calls to transfer away their balances....
I do hope that this was because of the clients opening it up to the outside world by accident/stupidity and not the developers leaving it open by default by accident, or just assuming people would know about there being an RPC interface open to the public by default. Because if it was a dev fuckup, then there's probably a lot of vulnerable clients still out there and they'll probably get sued, badly.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
I mean, you say they're worth $200 million, but I say they make a fine bread for cookies.
All of this is due to certain nations permitting Russia and North Korea to hack to their hearts' content.
-- Tigger warning: This post may contain tiggers! --
Not the default. It wasn't a failure to configure proper security, it was a decision people made to intentionally turn off default security.
Managing the money in and money out is like the most basic API call for a cryptocurrency. What kinds of APIs would even be useful without those?
The Russians just need to give up on that expensive country thing and just become a marketing firm. They were able to completely change the outcome of our elections spending only a couple hundred thousand bucks on some internet ads. Hillary spent quite a bit more and lost. Sounds like the most efficient marketing firm ever to me.
The first thing I wondered was what percentage of the currency is that.
According to this site: https://etherscan.io/stat/supp...
The total market cap of Ethereum is $52B, so $20M is about .2% (1/5th of 1%, in case the '.' is hard to see) of all Ethereum in circulation.
There's about $1.6T US dollars in circulation, so as a percentage of total money in circulation that $20M Ethereum heist is the equivalent of a $6B USD heist.
Admittedly an odd way of looking at it but it's hard to imagine somebody making off with $6B due to something as mundane as an RPC vulnerability.
That's the problem. Facebook doesn't really verify their ads for content. They'll only check after the fact if somebody complains. You can easily put up an ad saying "Vote for Candidate X" and get around any kind of campaign finance laws because nobody is keeping track of the ad content or doing their due diligence into who is paying for the ad. The Russians or anybody else could be pumping a whole lot of money into online advertising and swaying the vote, all while hiding where the advertising revenue was coming from.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
The Clinton campaign spent FAR more than that on online astroturfing trolls through Media Matters, Correct the Record, etc. Why no outrage over that?
I just read your link. The vast majority of those ads were in favor of progressive policies and organizations. Nice try tho.
Tell me again how wonderful blockchain is and that it will solve sooo many problems......
"sources".... same sources who claim the Earth is flat?
You realize that Trump is in office because the Dems were stupid enough to put Hillary on the ticket... had it been ANYONE else (except maybe a socialist), the Oval Office would have been handed to the Democratic Party.
Yes, but the two choices were Clinton and Sanders (a socialist, effectively). Both far left, corrupt, and highly unlikely to win. With or without Russian meddling it wouldn't have made a difference. The Democratic Party is no longer a political counterbalance but a progressive excursion that's outside of the mainstream. If they want to start winning elections again they need to come back to the center.
I don't believe in karma, I just call it like I see it.