Bittrex, one of the largest cryptocurrency exchange platforms, has delisted Bitcoin Gold (BTG) from its trading platform over the weekend after BTG maintainers declined to pay half of the damages Bittrex suffered during a complex multi-stage cyber-attack earlier this year. According to a statement from the BTG team, Bittrex asked the BTG team to pay 12,372 BTG (~$256,000) as reparations for the attacks. BTG maintainers said they did all that was possible on their end to help trading platforms prevent the attacks, but they did not have the legal power to intervene inside a private company like Bittrex.

…

Vitalik Buterin, Zoë Hitzig and E. Glen Weyl yesterday released their paper Liberal Radicalism: Formal Rules for a Society Neutral among Communities. As prior readers will know, I tend to break down whitepapers I suspect most of the community won’t have the time or inclination to do. This falls squarely in that bracket given it is self admittedly ‘strange’ and weighs in at a healthy 41 pages.

…

There are free-riders in the cryptocurrency ecosystem. At least, that’s the contention of a new paper, shared with CoinDesk on Monday, written by ethereum founder Vitalik Buterin,Microsoft researcher Glen Weyl and Ph.D. of economics at Harvard, Zoë Hitzig. And free-riders pose a problem.

Described in the paper, free-riders are people or businesses that profitfrom the under-provision of public goods. And, on top of that, ‘the more people [these public goods] benefit the more they will be under-provided.’ It’s an issue that plagues development even outside the cryptocurrency space, but the authors are – at least – initially focused on how the idea creates harmful incentives for the funding of blockchain projects.

…

Mysterious movements from the original Silk Road wallet suggest that the US government is cashing out on the Bitcoin gradually. The Silk Road market may be dead—we actually checked just to see if it came back somehow—but its wallet appears to be alive. Over a billion dollars in Bitcoin are being moved from several wallets that are all tied to the supposed original Silk Road cold storage wallet.

…

Ethereum community got all curious and agitated after Tech Crunch published an article on Ethereum – ‘collapse of ETH is inevitable’. Number of questions and doubts popped up and to answer it all co-founder Vitalik Buterin wrote a post giving an insight about it. Surprisingly, he agrees ‘collapse of ETH is inevitable’, at least for now.

Cryptocurrency entrepreneur Jeremy Rubin wrote the Tech Crunch article stipulating the price of ETH and that it is bound to plummet. Vitalik Buterin agreeing to the piece wrote on Reddit, “In Ethereum as it presently exists, this is absolutely true.” Buterin further added, “[A]nd in fact if Ethereum were not to change, all parts of the author’s argument […] would be correct.”

…

A new EOS bug has been discovered that allows users to use malicious code to steal RAM, which is a scarce resource in EOS blockchain. EOS,the fifth-largest cryptocurrency in terms of capitalization, has made headlines in connection with a new issue. A new EOS bug has been discovered that allows stealing resources directly from a user.

The resource in question is RAM, which is valuable in the EOS blockchain due to its scarcity. EOS is working on solving the issue and has provided a temporary fix in the meantime. The EOS blockchain aims to be a decentralized operating system and to allow the running of decentralized applications and smart contracts.

…

I’m a big fan of Prometheus and Grafana. As a former SRE at Google I’ve learned to appreciate good monitoring, and this combination has been a winner for me over the past year. I’m using them for monitoring my personal servers (both black-box and white-box monitoring), for the Euskal Encounter external and internal event infra, for work I do professionally for clients, and more.

…

I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is my first paper which covers a vulnerability I discovered on one of Facebook’s servers. While scanning an IP range that belongs to Facebook (199.201.65.0/24), I found a Sentry service hosted on 199.201.65.36, with the hostname sentryagreements.thefacebook.com.

Sentry is a log collection web application, written in Python with the Django framework. While I was looking at the application, some stacktraces regularly popped on the page, for an unknown reason. The application seemed to be unstable regarding the user password reset feature, which occasionally crashed.

…

I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is my first paper which covers a vulnerability I discovered on one of Facebook’s servers. While scanning an IP range that belongs to Facebook (199.201.65.0/24), I found a Sentry service hosted on 199.201.65.36, with the hostname sentryagreements.thefacebook.com.

Sentry is a log collection web application, written in Python with the Django framework. While I was looking at the application, some stacktraces regularly popped on the page, for an unknown reason. The application seemed to be unstable regarding the user password reset feature, which occasionally crashed.

…

Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims. The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store crytpocurrency account data. In April 2018, the mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint — saying he’d obtained yet another mobile phone.

…

In the past month, we have observed additional BGP hijacks of authoritative DNS servers with a technique similar to what was used in April. This time the targets included US payment processing companies. In April 2018, we detailed a brazen BGP hijack of Amazon’s authoritative DNS service in order to redirect users of a crypto currency wallet service to a fraudulent website ready to steal their money.

…

This week, the start-up said that a wallet being used to ‘upgrade’ smart contracts was compromised. This wallet was then used to withdraw $12.5 million in Ethereum (ETH), alongside $1 million in Pundi X (NPXS) and $10 million in Bancor Network Tokens (BNT). Bancor says that once the compromised wallet was identified the company was able to mitigate the damage by freezing the transfer of BNT, bringing the cost down to roughly $13.5 million.

…

A jury trial found a former engineer at a Navy contractor guilty of stealing trade secrets regarding Navy projects by uploading the files to his personal Dropbox account. The man, Jared Dylan Sparks, 35, of Ardmore, Oklahoma, worked as an electrical engineer for LBI, Inc., a company authorized to build unmanned underwater vehicles (drones) for the US Navy’s Office of Naval Research, and weather data-gathering buoys for the National Oceanic and Atmospheric Administration (NOAA). Sparks worked for LBI from January 2010 to December 2011, when he left for a similar position at Charles Rivers Analytics (CRA), another Navy contractor.

…

The following is intended to provide technical details for those with interest in the specifics of the information security incident Timehop has experienced. It is also to be transparent about what has happened, and correct some earlier inaccuracies. There are still some highly specific details we are withholding about an incident that remains the subject of ongoing investigations.

Source: timehop.com

…

A hacker has gained access to a developer’s npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.

…

We found the full story in what’s called the Sentencing Position document filed by the United States of America in its federal court case against Theresa Tetley, aka the “Bitcoin Maven”. The Bitcoin Maven (a maven, in case you are wondering, is an expert or connoisseur) had already pleaded guilty to money laundering charges relating to bitcoins; this time she was back in court to be sentenced. Simply put, Tetley did indeed buy bitcoins for hard cash, according to the prosecutors.

…

A team of academics from the University of California, Irvine (UCI), have presented a type of attack that could enable a malefactor to retrieve sensitive information you entered via your keyboard – possibly up to a minute after you typed it. The researchers had 30 users enter 10 different passwords, both strong and weak, on four common external keyboards. Using a thermal imaging camera, the researchers then scanned the residual heat left on the recently-pressed keys.

…

Cryptocurrencies like Bitcoin can be analysed because every transaction is traceable. This means that they are an attractive system for physicists to study. In a paper published in EPJ B, Leonardo Ermann from the National Commission for Atomic Energy in Buenos Aires, Argentina, and colleagues from the University of Toulouse, France, have examined the structure of the Bitcoin-owner community by looking at the transactions of this cryptocurrency between 2009 and 2013.

…

NSO Group sells some of the most potent, off-the-shelf malware for remotely breaking into smartphones. Some versions allow a law enforcement or intelligence agency to steal essentially all meaningful data from an iPhone with no interaction from the target. Others just require the victim to click one link in a carefully crafted text message, before giving up their contacts, emails, social media messages, GPS location, and much more.

…

One board member described the police’s justification for the raids as a ‘tenuous’ link between the privacy group, a blog, and its email address. In the early morning on June 20, German security services raided the homes of several board members of Zwiebelfreunde, a non-profit group that helps to support privacy and anonymity projects. Moritz Bartl in Augsburg, Jens Kubieziel in Jena, and Juris Vetra in Berlin were raided, as was the home of a former board member who still had access to the board’s bank accounts.

…