Groestlcoin 6th Anniversary Release
Dear Groestlers, it goes without saying that 2020 has been a difficult time for millions of people worldwide. The Groestlcoin team would like to take this opportunity to wish our best to everyone coping with the direct and indirect effects of COVID-19. Let it bring out the best in us all and show that collectively, we can conquer anything. The centralised banks and our national governments are facing unprecedented times with interest rates worldwide dropping to record lows in places. Rest assured that this can only strengthen the fundamentals of all decentralised cryptocurrencies and the vision that was seeded with Satoshi's Bitcoin whitepaper over 10 years ago. Despite everything that has been thrown at us this year, the show must go on and the team will still progress and advance to continue the momentum that we have developed over the past 6 years. In addition to this, we'd like to remind you all that this is Groestlcoin's 6th Birthday release! In terms of price there have been some crazy highs and lows over the years (with highs of around $2.60 and lows of $0.000077!), but in terms of value – Groestlcoin just keeps getting more valuable! In these uncertain times, one thing remains clear – Groestlcoin will keep going and keep innovating regardless. On with what has been worked on and completed over the past few months.
UPDATED - Groestlcoin Core 2.18.2
This is a major release of Groestlcoin Core with many protocol level improvements and code optimizations, featuring the technical equivalent of Bitcoin v0.18.2 but with Groestlcoin-specific patches. On a general level, most of what is new is a new 'Groestlcoin-wallet' tool which is now distributed alongside Groestlcoin Core's other executables. NOTE: The 'Account' API has been removed from this version which was typically used in some tip bots. Please ensure you check the release notes from 2.17.2 for details on replacing this functionality.
Builds are now done through Gitian
Calls to getblocktemplate will fail if the segwit rule is not specified. Calling getblocktemplate without segwit specified is almost certainly a misconfiguration since doing so results in lower rewards for the miner. Failed calls will produce an error message describing how to enable the segwit rule.
A warning is printed if an unrecognized section name is used in the configuration file. Recognized sections are [test], [main], and [regtest].
Four new options are available for configuring the maximum number of messages that ZMQ will queue in memory (the "high water mark") before dropping additional messages. The default value is 1,000, the same as was used for previous releases.
The rpcallowip option can no longer be used to automatically listen on all network interfaces. Instead, the rpcbind parameter must be used to specify the IP addresses to listen on. Listening for RPC commands over a public network connection is insecure and should be disabled, so a warning is now printed if a user selects such a configuration. If you need to expose RPC in order to use a tool like Docker, ensure you only bind RPC to your localhost, e.g. docker run [...] -p 127.0.0.1:1441:1441 (this is an extra :1441 over the normal Docker port specification).
The rpcpassword option now causes a startup error if the password set in the configuration file contains a hash character (#), as it's ambiguous whether the hash character is meant for the password or as a comment.
The whitelistforcerelay option is used to relay transactions from whitelisted peers even when not accepted to the mempool. This option now defaults to being off, so that changes in policy and disconnect/ban behavior will not cause a node that is whitelisting another to be dropped by peers.
A new short document about the JSON-RPC interface describes cases where the results of an RPC might contain inconsistencies between data sourced from different subsystems, such as wallet state and mempool state.
A new document introduces Groestlcoin Core's BIP174 interface, which is used to allow multiple programs to collaboratively work to create, sign, and broadcast new transactions. This is useful for offline (cold storage) wallets, multisig wallets, coinjoin implementations, and many other cases where two or more programs need to interact to generate a complete transaction.
The output script descriptor (https://github.com/groestlcoin/groestlcoin/blob/master/doc/descriptors.md) documentation has been updated with information about new features in this still-developing language for describing the output scripts that a wallet or other program wants to receive notifications for, such as which addresses it wants to know received payments. The language is currently used in multiple new and updated RPCs described in these release notes and is expected to be adapted to other RPCs and to the underlying wallet structure.
A new --disable-bip70 option may be passed to ./configure to prevent Groestlcoin-Qt from being built with support for the BIP70 payment protocol or from linking libssl. As the payment protocol has exposed Groestlcoin Core to libssl vulnerabilities in the past, builders who don't need BIP70 support are encouraged to use this option to reduce their exposure to future vulnerabilities.
The minimum required version of Qt (when building the GUI) has been increased from 5.2 to 5.5.1 (the depends system provides 5.9.7)
getnodeaddresses returns peer addresses known to this node. It may be used to find nodes to connect to without using a DNS seeder.
listwalletdir returns a list of wallets in the wallet directory (either the default wallet directory or the directory configured by the -walletdir parameter).
getrpcinfo returns runtime details of the RPC server. Currently, it returns an array of the currently active commands and how long they've been running.
deriveaddresses returns one or more addresses corresponding to an output descriptor.
getdescriptorinfo accepts a descriptor and returns information about it, including its computed checksum.
joinpsbts merges multiple distinct PSBTs into a single PSBT. The multiple PSBTs must have different inputs. The resulting PSBT will contain every input and output from all the PSBTs. Any signatures provided in any of the PSBTs will be dropped.
analyzepsbt examines a PSBT and provides information about what the PSBT contains and the next steps that need to be taken in order to complete the transaction. For each input of a PSBT, analyzepsbt provides information about what information is missing for that input, including whether a UTXO needs to be provided, what pubkeys still need to be provided, which scripts need to be provided, and what signatures are still needed. Every input will also list which role is needed to complete that input, and analyzepsbt will also list the next role in general needed to complete the PSBT. analyzepsbt will also provide the estimated fee rate and estimated virtual size of the completed transaction if it has enough information to do so.
utxoupdatepsbt searches the set of Unspent Transaction Outputs (UTXOs) to find the outputs being spent by the partial transaction. PSBTs need to have the UTXOs being spent to be provided because the signing algorithm requires information from the UTXO being spent. For segwit inputs, only the UTXO itself is necessary. For non-segwit outputs, the entire previous transaction is needed so that signers can be sure that they are signing the correct thing. Unfortunately, because the UTXO set only contains UTXOs and not full transactions, utxoupdatepsbt will only add the UTXO for segwit inputs.
getpeerinfo now returns an additional minfeefilter field set to the peer's BIP133 fee filter. You can use this to detect that you have peers that are willing to accept transactions below the default minimum relay fee.
The mempool RPCs, such as getrawmempool with verbose=true, now return an additional "bip125-replaceable" value indicating whether the transaction (or its unconfirmed ancestors) opts-in to asking nodes and miners to replace it with a higher-feerate transaction spending any of the same inputs.
settxfee previously silently ignored attempts to set the fee below the allowed minimums. It now prints a warning. The special value of "0" may still be used to request the minimum value.
getaddressinfo now provides an ischange field indicating whether the wallet used the address in a change output.
importmulti has been updated to support P2WSH, P2WPKH, P2SH-P2WPKH, and P2SH-P2WSH. Requests for P2WSH and P2SH-P2WSH accept an additional witnessscript parameter.
importmulti now returns an additional warnings field for each request with an array of strings explaining when fields are being ignored or are inconsistent, if there are any.
getaddressinfo now returns an additional solvable Boolean field when Groestlcoin Core knows enough about the address's scriptPubKey, optional redeemScript, and optional witnessScript for the wallet to be able to generate an unsigned input spending funds sent to that address.
The getaddressinfo, listunspent, and scantxoutset RPCs now return an additional desc field that contains an output descriptor containing all key paths and signing information for the address (except for the private key). The desc field is only returned for getaddressinfo and listunspent when the address is solvable.
importprivkey will preserve previously-set labels for addresses or public keys corresponding to the private key being imported. For example, if you imported a watch-only address with the label "cold wallet" in earlier releases of Groestlcoin Core, subsequently importing the private key would default to resetting the address's label to the default empty-string label (""). In this release, the previous label of "cold wallet" will be retained. If you optionally specify any label besides the default when calling importprivkey, the new label will be applied to the address.
getmininginfo now omits currentblockweight and currentblocktx when a block was never assembled via RPC on this node.
The getrawtransaction RPC & REST endpoints no longer check the unspent UTXO set for a transaction. The remaining behaviors are as follows:
If a blockhash is provided, check the corresponding block.
If no blockhash is provided, check the mempool.
If no blockhash is provided but txindex is enabled, also check txindex.
unloadwallet is now synchronous, meaning it will not return until the wallet is fully unloaded.
importmulti now supports importing of addresses from descriptors. A desc parameter can be provided instead of the "scriptPubKey" in a request, as well as an optional range for ranged descriptors to specify the start and end of the range to import. Descriptors with key origin information imported through importmulti will have their key origin information stored in the wallet for use with creating PSBTs.
listunspent has been modified so that it also returns witnessScript, the witness script in the case of a P2WSH or P2SH-P2WSH output.
createwallet now has an optional blank argument that can be used to create a blank wallet. Blank wallets do not have any keys or HD seed. They cannot be opened in software older than 2.18.2. Once a blank wallet has a HD seed set (by using sethdseed) or private keys, scripts, addresses, and other watch only things have been imported, the wallet is no longer blank and can be opened in 2.17.2. Encrypting a blank wallet will also set a HD seed for it.
signrawtransaction is removed after being deprecated and hidden behind a special configuration option in version 2.17.2.
The 'account' API is removed after being deprecated in v2.17.2. The 'label' API was introduced in v2.17.2 as a replacement for accounts. See the release notes from v2.17.2 for a full description of the changes from the 'account' API to the 'label' API.
addwitnessaddress is removed after being deprecated in version 2.16.0.
generate is deprecated and will be fully removed in a subsequent major version. This RPC is only used for testing, but its implementation reached across multiple subsystems (wallet and mining), so it is being deprecated to simplify the wallet-node interface. Projects that are using generate for testing purposes should transition to using the generatetoaddress RPC, which does not require or use the wallet component. Calling generatetoaddress with an address returned by the getnewaddress RPC gives the same functionality as the old generate RPC. To continue using generate in this version, restart groestlcoind with the -deprecatedrpc=generate configuration option.
Be reminded that parts of the validateaddress command have been deprecated and moved to getaddressinfo. The following deprecated fields have moved to getaddressinfo: ismine, iswatchonly, script, hex, pubkeys, sigsrequired, pubkey, embedded, iscompressed, label, timestamp, hdkeypath, hdmasterkeyid.
The addresses field has been removed from the validateaddress and getaddressinfo RPC methods. This field was confusing since it referred to public keys using their P2PKH address. Clients should use the embedded.address field for P2SH or P2WSH wrapped addresses, and pubkeys for inspecting multisig participants.
A new /rest/blockhashbyheight/ endpoint is added for fetching the hash of the block in the current best blockchain based on its height (how many blocks it is after the Genesis Block).
A new Window menu is added alongside the existing File, Settings, and Help menus. Several items from the other menus that opened new windows have been moved to this new Window menu.
In the Send tab, the checkbox for "pay only the required fee" has been removed. Instead, the user can simply decrease the value in the Custom Fee rate field all the way down to the node's configured minimum relay fee.
In the Overview tab, the watch-only balance will be the only balance shown if the wallet was created using the createwallet RPC and the disable_private_keys parameter was set to true.
The launch-on-startup option is no longer available on macOS if compiled with macosx min version greater than 10.11 (use CXXFLAGS="-mmacosx-version-min=10.11" CFLAGS="-mmacosx-version-min=10.11" for setting the deployment sdk version)
A new groestlcoin-wallet tool is now distributed alongside Groestlcoin Core's other executables. Without needing to use any RPCs, this tool can currently create a new wallet file or display some basic information about an existing wallet, such as whether the wallet is encrypted, whether it uses an HD seed, how many transactions it contains, and how many address book entries it has.
Since version 2.16.0, Groestlcoin Core's built-in wallet has defaulted to generating P2SH-wrapped segwit addresses when users want to receive payments. These addresses are backwards compatible with all widely used software. Starting with Groestlcoin Core 2.20.1 (expected about a year after 2.18.2), Groestlcoin Core will default to native segwit addresses (bech32) that provide additional fee savings and other benefits. Currently, many wallets and services already support sending to bech32 addresses, and if the Groestlcoin Core project sees enough additional adoption, it will instead default to bech32 receiving addresses in Groestlcoin Core 2.19.1. P2SH-wrapped segwit addresses will continue to be provided if the user requests them in the GUI or by RPC, and anyone who doesn't want the update will be able to configure their default address type. (Similarly, pioneering users who want to change their default now may set the addresstype=bech32 configuration option in any Groestlcoin Core release from 2.16.0 up.)
BIP 61 reject messages are now deprecated. Reject messages have no use case on the P2P network and are only logged for debugging by most network nodes. Furthermore, they increase bandwidth and can be harmful for privacy and security. It has been possible to disable BIP 61 messages since v2.17.2 with the -enablebip61=0 option. BIP 61 messages will be disabled by default in a future version, before being removed entirely.
The submitblock RPC previously returned the reason a rejected block was invalid the first time it processed that block but returned a generic "duplicate" rejection message on subsequent occasions it processed the same block. It now always returns the fundamental reason for rejecting an invalid block and only returns "duplicate" for valid blocks it has already accepted.
A new submitheader RPC allows submitting block headers independently from their block. This is likely only useful for testing.
The signrawtransactionwithkey and signrawtransactionwithwallet RPCs have been modified so that they also optionally accept a witnessScript, the witness script in the case of a P2WSH or P2SH-P2WSH output. This is compatible with the change to listunspent.
For the walletprocesspsbt and walletcreatefundedpsbt RPCs, if the bip32derivs parameter is set to true but the key metadata for a public key has not been updated yet, then that key will have a derivation path as if it were just an independent key (i.e. no derivation path and its master fingerprint is itself).
The -usehd configuration option was removed in version 2.16.0. From that version onwards, all new wallets created are hierarchical deterministic wallets. This release makes specifying -usehd an invalid configuration option.
This release allows peers that your node automatically disconnected for misbehaviour (e.g. sending invalid data) to reconnect to your node if you have unused incoming connection slots. If your slots fill up, a misbehaving node will be disconnected to make room for nodes without a history of problems (unless the misbehaving node helps your node in some other way, such as by connecting to a part of the Internet from which you don't have many other peers). Previously, Groestlcoin Core banned the IP addresses of misbehaving peers for a period (default of 1 day); this was easily circumvented by attackers with multiple IP addresses. If you manually ban a peer, such as by using the setban RPC, all connections from that peer will still be rejected.
The key metadata will need to be upgraded the first time that the HD seed is available. For unencrypted wallets this will occur on wallet loading. For encrypted wallets this will occur the first time the wallet is unlocked.
Newly encrypted wallets will no longer require restarting the software. Instead such wallets will be completely unloaded and reloaded to achieve the same effect.
A sub-project of Bitcoin Core now provides Hardware Wallet Interaction (HWI) scripts that allow command-line users to use several popular hardware key management devices with Groestlcoin Core. See their project page for details.
This release changes the Random Number Generator (RNG) used from OpenSSL to Groestlcoin Core's own implementation, although entropy gathered by Groestlcoin Core is fed out to OpenSSL and then read back in when the program needs strong randomness. This moves Groestlcoin Core a little closer to no longer needing to depend on OpenSSL, a dependency that has caused security issues in the past. The new implementation gathers entropy from multiple sources, including from hardware supporting the rdseed CPU instruction.
On macOS, Groestlcoin Core now opts out of application CPU throttling ("app nap") during initial blockchain download, when catching up from over 100 blocks behind the current chain tip, or when reindexing chain data. This helps prevent these operations from taking an excessively long time because the operating system is attempting to conserve power.
How to Upgrade?
Windows: If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), then run the installer.
OSX: If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), run the dmg and drag Groestlcoin Core to Applications.
Ubuntu: http://groestlcoin.org/forum/index.php?topic=441.0
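A configuration audit for the 2.18.2 option changes listed above (unrecognized section names, rpcallowip/rpcbind, a # in rpcpassword, -usehd, whitelistforcerelay, -enablebip61), as an added example that is not part of the release notes or Groestlcoin Core's own code. The function names, severity levels and the sample groestlcoin.conf are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Section names the release notes list as recognized.
RECOGNIZED_SECTIONS = {"test", "main", "regtest"}


class Finding(NamedTuple):
    line: int     # 1-based line number in the config text
    level: str    # "error", "warn" or "info" (levels are this example's own)
    key: str
    message: str


def _bind_host(value: str) -> str:
    """Host part of an rpcbind value: addr, addr:port or [v6addr]:port."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else value[1:]
    if value.count(":") == 1:      # IPv4 or hostname followed by :port
        return value.split(":", 1)[0]
    return value                   # bare IPv4, hostname or bare IPv6


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False               # unresolved hostname: treat as exposed


def audit_conf(text: str) -> List[Finding]:
    """Check a groestlcoin.conf-style text against the 2.18.2 changes."""
    findings: List[Finding] = []
    seen: Dict[str, int] = {}      # key -> first line where it was set
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name not in RECOGNIZED_SECTIONS:
                findings.append(Finding(no, "warn", "[%s]" % name,
                                        "unrecognized section name"))
            continue
        if "=" not in line:
            continue
        key, raw_value = line.split("=", 1)
        key = key.strip()
        prefix, _, rest = key.partition(".")   # e.g. main.rpcbind
        if rest and prefix in RECOGNIZED_SECTIONS:
            key = rest
        if key == "rpcpassword" and "#" in raw_value:
            # Ambiguous: part of the password or start of a comment?
            findings.append(Finding(no, "error", key,
                                    "'#' on the rpcpassword line: startup error"))
            continue
        value = raw_value.split("#", 1)[0].strip()   # drop trailing comment
        seen.setdefault(key, no)
        if key == "rpcbind" and not _is_loopback(_bind_host(value)):
            findings.append(Finding(no, "warn", key,
                                    "RPC bound to a non-loopback address"))
        elif key == "usehd":
            findings.append(Finding(no, "error", key,
                                    "invalid configuration option in 2.18.2"))
        elif key == "whitelistforcerelay" and value == "1":
            findings.append(Finding(no, "info", key,
                                    "re-enables forced relay, now off by default"))
        elif key == "enablebip61" and value != "0":
            findings.append(Finding(no, "info", key,
                                    "BIP 61 reject messages are deprecated"))
    if "rpcallowip" in seen and "rpcbind" not in seen:
        findings.append(Finding(seen["rpcallowip"], "warn", "rpcallowip",
                                "rpcallowip no longer selects listen addresses; "
                                "set rpcbind explicitly"))
    return findings


# Constructed sample configuration, not taken from any real node.
SAMPLE_CONF = """\
# constructed sample
rpcuser=alice
rpcpassword=s3cret#2020
rpcallowip=192.168.1.0/24
rpcbind=0.0.0.0
usehd=1
enablebip61=1

[main]
rpcbind=127.0.0.1:1441

[mainnet]
whitelistforcerelay=1
"""

if __name__ == "__main__":
    for f in audit_conf(SAMPLE_CONF):
        print("line %d %-5s %s: %s" % (f.line, f.level, f.key, f.message))
```

Any rpcpassword line containing # is flagged, including one where the # was meant as a trailing comment, since that is exactly the ambiguity the startup error guards against.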
ALL NEW - Groestlcoin Moonshine iOS/Android Wallet
Built with React Native, Moonshine utilizes Electrum-GRS's JSON-RPC methods to interact with the Groestlcoin network. GRS Moonshine's intended use is as a hot wallet. Meaning, your keys are only as safe as the device you install this wallet on. As with any hot wallet, please ensure that you keep only a small, responsible amount of Groestlcoin on it at any given time.
Groestlcoin Mainnet & Testnet supported
Multiple wallet support
Electrum - Support for both random and custom peers
Biometric + Pin authentication
Custom fee selection
Import mnemonic phrases via manual entry or scanning
BIP39 Passphrase functionality
Support for Segwit-compatible & legacy addresses in settings
Support individual private key sweeping
UTXO blacklisting - Accessible via the Transaction Detail view, this allows users to blacklist any utxo that they do not wish to include in their list of available utxo's when sending transactions. Blacklisting a utxo excludes its amount from the wallet's total balance.
Ability to Sign & Verify Messages
Support BitID for password-free authentication
Coin Control - This can be accessed from the Send Transaction view and basically allows users to select from a list of available UTXO's to include in their transaction.
HODL GRS connects directly to the Groestlcoin network using SPV mode and doesn't rely on servers that can be hacked or disabled. HODL GRS utilizes AES hardware encryption, app sandboxing, and the latest security features to protect users from malware, browser security holes, and even physical theft. Private keys are stored only in the secure enclave of the user's phone, inaccessible to anyone other than the user. Simplicity and ease-of-use is the core design principle of HODL GRS. A simple recovery phrase (which we call a Backup Recovery Key) is all that is needed to restore the user's wallet if they ever lose or replace their device. HODL GRS is deterministic, which means the user's balance and transaction history can be recovered just from the backup recovery key.
Simplified payment verification for fast mobile performance
Groestlcoin Seed Savior is a tool for recovering BIP39 seed phrases. This tool is meant to help users with recovering a slightly incorrect Groestlcoin mnemonic phrase (AKA backup or seed). You can enter an existing BIP39 mnemonic and get derived addresses in various formats. To find out if one of the suggested addresses is the right one, you can click on the suggested address to check the address' transaction history on a block explorer.
If a word is wrong, the tool will try to suggest the closest option.
If a word is missing or unknown, please type "?" instead and the tool will find all relevant options.
NOTE: NVidia GPU or any CPU only. AMD graphics cards will not work with this address generator. VanitySearch is a command-line Segwit-capable vanity Groestlcoin address generator. Add unique flair when you tell people to send Groestlcoin. Alternatively, VanitySearch can be used to generate random addresses offline. If you're tired of the random, cryptic addresses generated by regular groestlcoin clients, then VanitySearch is the right choice for you to create a more personalized address. VanitySearch is a groestlcoin address prefix finder. If you want to generate safe private keys, use the -s option to enter your passphrase which will be used for generating a base key as for BIP38 standard (VanitySearch.exe -s "My PassPhrase" FXPref). You can also use VanitySearch.exe -ps "My PassPhrase" which will add a crypto secure seed to your passphrase. VanitySearch may not compute a good grid size for your GPU, so try different values using -g option in order to get the best performances. If you want to use GPUs and CPUs together, you may have best performances by keeping one CPU core for handling GPU(s)/CPU exchanges (use -t option to set the number of CPU threads).
Fixed size arithmetic
Fast Modular Inversion (Delayed Right Shift 62 bits)
SecpK1 Fast modular multiplication (2 steps folding 512bits to 256bits using 64 bits digits)
Use some properties of elliptic curve to generate more keys
SSE Secure Hash Algorithm SHA256 and RIPEMD160 (CPU)
Groestlcoin EasyVanity 2020 is a Windows app built from the ground-up and makes it easier than ever before to create your very own bespoke bech32 address(es) whilst not connected to the internet. If you're tired of the random, cryptic bech32 addresses generated by regular Groestlcoin clients, then Groestlcoin EasyVanity 2020 is the right choice for you to create a more personalised bech32 address. This 2020 version uses the new VanitySearch to generate not only legacy addresses (F prefix) but also Bech32 addresses (grs1 prefix).
Ability to continue finding keys after first one is found
Includes warning on start-up if connected to the internet
Ability to output keys to a text file (And shows button to open that directory)
Show and hide the private key with a simple toggle switch
Show full output of commands
Ability to choose between Processor (CPU) and Graphics Card (GPU) ( NVidia ONLY! )
Features both a Light and Dark Material Design-Style Themes
Free software - MIT. Anyone can audit the code.
Written in C# - The code is short, and easy to review.
Groestlcoin WPF is an alternative full node client with optional lightweight 'thin-client' mode based on WPF. Windows Presentation Foundation (WPF) is one of Microsoft's latest approaches to a GUI framework, used with the .NET framework. Its main advantages over the original Groestlcoin client include support for exporting blockchain.dat and including a lite wallet mode. This wallet was previously deprecated but has been brought back to life with modern standards.
Works via TOR or SOCKS5 proxy
Can use bootstrap.dat format as blockchain database
Import/Export blockchain to/from bootstrap.dat
Import wallet.dat from Groestlcoin-qt wallet
Export wallet to wallet.dat
Use both groestlcoin-wpf and groestlcoin-qt with the same addresses in parallel. When you send money from one program, the transaction will automatically be visible on the other wallet.
Rescan blockchain with a simple mouse click
Works as a full node and listens to port 1331 (listening port can be changed)
Fast Block verifying, parallel processing on multi-core CPUs
Mine Groestlcoins with your CPU by a simple mouse click
All private keys are kept encrypted on your local machine (or on a USB stick)
Lite - Has a lightweight "thin client" mode which does not require a new user to download the entire Groestlcoin chain and store it
Free and decentralised - Open Source under GNU license
Fixed Import/Export to wallet.dat
Rescan wallet option
Change wallet password option
Address type and Change type options through *.conf file
Import from bootstrap.dat - It is a flat, binary file containing Groestlcoin blockchain data, from the genesis block through a recent height. All versions automatically validate and import the file "grs.bootstrap.dat" in the GRS directory. Grs.bootstrap.dat is compatible with Qt wallet. GroestlCoin-Qt can load from it.
In Full mode file %APPDATA%\Groestlcoin-WPF\GRS\GRS.bootstrap.dat is full blockchain in standard bootstrap.dat format and can be used with other clients.
Groestlcoin Electrum Personal Server aims to make using Electrum Groestlcoin wallet more secure and more private. It makes it easy to connect your Electrum-GRS wallet to your own full node. It is an implementation of the Electrum-grs server protocol which fulfils the specific need of using the Electrum-grs wallet backed by a full node, but without the heavyweight server backend, for a single user. It allows the user to benefit from all Groestlcoin Core's resource-saving features like pruning, blocks only and disabled txindex. All Electrum-GRS's feature-richness like hardware wallet integration, multi-signature wallets, offline signing, seed recovery phrases, coin control and so on can still be used, but connected only to the user's own full node. Full node wallets are important in Groestlcoin because they are a big part of what makes the system be trust-less. No longer do people have to trust a financial institution like a bank or PayPal, they can run software on their own computers. If Groestlcoin is digital gold, then a full node wallet is your own personal goldsmith who checks for you that received payments are genuine. Full node wallets are also important for privacy. Using Electrum-GRS under default configuration requires it to send (hashes of) all your Groestlcoin addresses to some server. That server can then easily spy on your transactions. Full node wallets like Groestlcoin Electrum Personal Server would download the entire blockchain and scan it for the user's own addresses, and therefore don't reveal to anyone else which Groestlcoin addresses they are interested in. Groestlcoin Electrum Personal Server can also broadcast transactions through Tor which improves privacy by resisting traffic analysis for broadcasted transactions which can link the IP address of the user to the transaction. If enabled this would happen transparently whenever the user simply clicks "Send" on a transaction in Electrum-grs wallet. 
Note: Currently Groestlcoin Electrum Personal Server can only accept one connection at a time.
Use your own node
Uses less CPU and RAM than ElectrumX
Used intermittently rather than needing to be always-on
Doesn't require an index of every Groestlcoin address ever used like on ElectrumX
UPDATED – Android Wallet 7.38.1 - Main Net + Test Net
The app allows you to send and receive Groestlcoin on your device using QR codes and URI links. When using this app, please back up your wallet and email it to yourself! This will save your wallet in a password protected file. Then your coins can be retrieved even if you lose your phone.
Add confidence messages, helping users to understand the confidence state of their payments.
Handle edge case when restoring via an external app.
Count devices with a memory class of 128 MB as low ram.
Introduce dark mode on Android 10 devices.
Reduce memory usage of PIN-protected wallets.
Tapping on the app's version will reveal a checksum of the APK that was installed.
Fix issue with confirmation of transactions that empty your wallet.
Groestlcoin Sentinel is a great solution for anyone who wants the convenience and utility of a hot wallet for receiving payments directly into their cold storage (or hardware wallets). Sentinel accepts XPUB's, YPUB's, ZPUB's and individual Groestlcoin addresses. Once added you will be able to view balances, view transactions, and (in the case of XPUB's, YPUB's and ZPUB's) deterministically generate addresses for that wallet. Groestlcoin Sentinel is a fork of Groestlcoin Samourai Wallet with all spending and transaction building code removed.
The importance of being mindful of security at all times - nearly everyone is one breach away from total disaster
This is a long one - TL;DR at the end!
If you haven't heard yet: BlankMediaGames, makers of Town of Salem, have been breached which resulted in almost 8 million accounts being leaked. For most people, the first reaction is "lol so what it's just a game, why should I really care?" and that is the wrong way to look at it. I'd like to explain why everyone should always care whenever they are part of a breach. I'd also like to talk about some ways game developers - whether they work solo or on a team - can take easy steps to help protect themselves and their customers/players. First I'd like to state that there is no practical way to achieve 100% solid security to guarantee you'll never be breached or part of a breach. The goal here will be to get as close as possible, or comfortable, so that you can rest easy knowing you can deal with problems when they occur (not if, when).
Why You Should Care About Breaches
The sad reality is most people re-use the same password everywhere. Your email account, your bank account, your steam account, your reddit account, random forums and game websites - you get the idea. If you haven't pieced it together yet the implication is that if anyone gets your one password you use everywhere, it's game over for you - they now own all of your accounts (whether or not they know it yet). Keep in mind that your email account is basically the holy grail of passwords to have. Most websites handle password changes/resets through your email; thus anyone who can login to your email account can get access to pretty much any of your accounts anywhere. Game over, you lose.
But wait, why would anyone want to use my password? I'm nobody!
It doesn't matter, the bad guys sell this information to other bad guys. Bots are used to make as much use of these passwords as possible. If they can get into your bank they might try money transfers. If they get into your Amazon account they might spin up $80,000 worth of servers to mine Bitcoin (or whatever coin is popular at the time). They don't care who you are; it's all automated. By the way, according to this post (which looks believable enough to be real) this is pretty much how they got into the BMG servers initially. They checked for usernames/emails of admins on the BMG website(s) in previous breach dumps (of which there are many) and found at least one that used the same password on other sites - for their admin account! If you want to see how many of your accounts are already breached check out Have I Been Pwned - I recommend registering all of your email addresses as well so you get notified of future breaches. This is how I found out about the Town of Salem breach, myself.
How You Can Protect Yourself
Before I go into all the steps you can (and should) take to protect yourself I should note that security is in a constant tug of war with convenience. What this means is that the more security measures you apply the more inconvenienced you become for many tasks. It's up to you to decide how much is too much either way. First of all I strongly recommend registering your email(s) on https://haveibeenpwned.com/ - this is especially important if your email address is associated to important things like AWS, Steam developer account, bank accounts, social media, etc. You want to know ASAP when an account of yours is compromised so you can take steps to prevent or undo damage. Note that the bad guys have a head start on this!
You probably need to have better password hygiene. If you don't already, you need to make sure every account you have uses a different, unique, secure password. You should change these passwords at least once a year. Depending on how many accounts you have and how good your memory is, this is your first big security vs convenience trade-off battle. That's easily solved, though, by using a password manager. You can find a list of password managers on Wikipedia here or you can search around for some comparison articles. Some notable choices to consider:
1Password - recommended by Troy Hunt, creator of Have I Been Pwned
LastPass - I use this at work and it's generally good
BitWarden - free and open source! I use this at home and in some ways it's better than LastPass
KeePass (and forks) - free, open source, and totally offline; if you don't trust "the cloud" you can trade away some more convenience in exchange for taking full responsibility of your password security (and backups)
Regardless of which one you choose, any of them is 100x better than not using one at all.
The problem with all these passwords is that someone can still use them if they are found in a breach. Your passwords are only as strong as the website you use them on. In the case of the BMG breach mentioned above - all passwords were stored in an ancient format which has been insecure for years. It's likely that every single password in the breach can be reversed/cracked, or already has been. The next step you need to take is to make it harder for someone else to log in with your password. This is done using Multi-Factor Authentication (or Two-Factor Authentication). Unfortunately not every website/service supports MFA/2FA, but you should still use it on every single one that does support it. You can check which sites support MFA/2FA here or dig around in account options on any particular site.
You should set up MFA/2FA on your email account ASAP! If it's not supported, you need to switch to a provider that does support it. This is more important than your bank account! All of the big email providers support it: GMail, Outlook.com, Yahoo Mail, etc.
The type of MFA/2FA you use depends on what is supported by each site/service, but there is a common approach that is compatible on many of them. Most of them involve phone apps because a phone is the most common and convenient "thing you have" that bad guys (or anyone, really) can't access easily. Time-based One-time Password or TOTP is probably the most commonly used method because it's easy to implement and can be used with many different apps. Google Authenticator was the first popular one, but it has some limitations which continue the security vs convenience battle - namely that getting a new phone is a super huge chore (no backup/restore option - you have to disable and set up each site all over again). Many alternatives support cloud backup which is really convenient, though obviously less secure by some measure. Notable choices to consider:
Authy - probably the first big/popular one after Google Authenticator came out (I think) - NOTE: They let you use it on your desktop/browser, too, but this is TOO much convenience! Don't fall for that trap.
LastPass Authenticator - conveniently links up with a LastPass account, some sites support extra features (like not needing to type a code, just answer a phone notification)
Yubikey - A real physical MFA device! Some models are compatible with phones, too.
Duo - this one is more geared towards enterprise, but they have a free option
Some sites/services use their own app, like Blizzard (battle.net) and Steam, and don't allow you to use other ones. You will probably have a few apps on your phone when all your accounts are set up, but it's worth it. You'll definitely want to enable it on your password manager as well if you chose a cloud-based one. Don't forget to save backup codes in an actual secure location! If you lose your backup codes and your auth app/physical key you will be locked out of accounts. It's really not fun recovering in that situation. Most recommendations are to print them and put in a fireproof safe, but using some other secure encrypted storage is fine.
There is such a thing as bad MFA/2FA! However, anything is at least better than nothing. A lot of places still use SMS (text messaging) or e-mail for their MFA/2FA implementation. The e-mail one has the most obvious flaw: If someone gets into your email account they have defeated that security measure. The SMS flaws are less obvious and much less likely to affect you, but still a risk: SMS is trivial to intercept (capture data over the air (literally), clone your SIM card data, and some other methods). Still, if you're not a person of interest already, it's still better than nothing.
What Does This Have To Do With GameDev?
Yeah, I do know which subreddit I'm posting in! Here's the section that gets more into things specific to game development (or software development in general).
Secure Your Code
Securing your code actually has multiple meanings here: Securing access to your code, and ensuring your code itself is secure against exploitation. Let's start with access since that's the easier topic to cover! If you're not already using some form of Source Control Management (SCM) you really need to get on board! I'm not going to go in depth on that as it's a whole other topic to itself, but I'll assume you are using Git or Mercurial (hg) already and hosting it on one of these sites (or a similar one):
First, ensure that you have locked down who can access this code already. If you are using private repositories you need to make sure that the only people who have access are the people who need access (i.e. yourself and your team). Second, everyone should have strong passwords and MFA/2FA enabled on their accounts. If 1 person on the team does not follow good security practices it puts your whole project at risk! So make sure everyone on the team is following along. You can also look into tools to do some auditing and even automate it so that if anyone's account becomes less secure over time (say they turned off MFA one day) they would automatically lose their access. Additionally you should never commit secrets (passwords, API keys, tokens, social security numbers, etc) to your code repository. Probably 90% of cases where people have their AWS/Google Cloud/Azure accounts compromised and racking up huge bills for bitcoin mining is due to having their passwords/keys stored in their git repo. They either accidentally made it public or someone got access to the private repo through a compromised account. Never store sensitive information in your code repository! Next topic: Securing your code from vulnerabilities. This one is harder to talk about for game dev as most engines/frameworks are not as susceptible (for lack of a better word) to these situations as others. In a nutshell, you need to keep track of the following:
Is my code doing anything "dangerous"? (system-level stuff, memory access, saving passwords anywhere)
Could someone get the keys to the kingdom (API key, server password, etc) by just opening Cheat Engine and looking at memory values? Or doing a strings/hex edit/decompile/etc on my game executable?
Am I using outdated libraries/framework/engine? Do they have any known security bugs?
Secure Your Computer
I'm not going to go in depth on this one because at this point everyone should have a handle on this; if not there are limitless articles, blogs, and videos about the how/what/why. In summary: Keep everything updated, and don't open suspicious links.
Lock your computer when idle - use a password (or PIN or face unlock or whatever your OS uses) - no one should ever be able to walk up to your computer and use it if you're not looking, nor should they be able to get in if they grabbed your closed laptop off the table at starbucks (thanks u/3tt07kjt for reminding me of this one)
Use full disk encryption (especially on laptops)
Update your OS for security updates ASAP
Use anti-virus (yes, Windows Defender is fine) and keep it updated
Update your web browser ALWAYS (this is your 99% chance attack vector, so don't postpone it!)
Don't install browser extensions that you don't need - a LOT of extensions are either malware from the start or become malware later (my favorite emoji extension started mining bitcoins, FFS!) - check reviews regularly after extensions update
DO use adblock and privacy extensions - ads are a common attack vector - I recommend uBlock Origin and Privacy Badger at a minimum (note that some legit sites can break and so you'll have to fiddle with settings or whitelist)
Don't open suspicious or unknown links on e-mail, social media, discord, etc (be sure to hover over the links in this post before clicking them)
Don't open attachments, ever - unless you were expecting it from that person at that time
Don't fill out ANY forms (comments, login, registration, etc) on websites that don't have HTTPS (secure) connection - your browser will show this in the address bar, usually
In general, be suspicious of everything that comes from people you don't know - and even from people you do know if it was unexpected
E-Mail is (probably) the least secure form of communications ever invented - so try not to use it for sensitive things
Secure Your Website
I will have to add more to this later probably, but again there are tons of good articles, blogs, and videos on these topics. Hopefully the information in this section is enough to get you on the right track - if not feel free to ask for more info. Lots of guides can be found on Digital Ocean's site and they are relevant even if you don't use DO for your servers.
Use HTTPS (SSL/TLS) secure connections - it's FREE and EASY thanks to Let's Encrypt
KEEP EVERYTHING UPDATED - automate as much as you can
If you have control over the server, you MUST update the OS, the web server, and any backend application servers/languages/frameworks involved. Equifax breach was due to having out of date server software. BMG breach was worsened by having out of date server software. YOU MUST STAY UPDATED, ALWAYS
Don't store sensitive personal information - it's a huge pain to be PCI compliant, it's a huge fine if you mess it up - avoid storing any customer information that you don't actually need (see also: GDPR)
Do not allow access to SSH/Remote desktop/Database services from the whole world; the general public should only ever be able to reach ports 80 and 443 on your web server (and 80 should permanently redirect to HTTPS)
Use SSH keys instead of passwords on Linux servers
Don't run your own email server - it's just not worth it; use google apps for business, office 365, zoho, or something else for business email
Secure your domain registrar account! Don't lose your domain to a bad password or lack of MFA/2FA or an old email address! If your registrar doesn't support actual security then transfer to one that does. (namecheap, namesilo, google domains, amazon aws route53, even godaddy, the absolutely worst web company, has good security options)
A lot of this will apply to your game servers as well - really any kind of server you expect to set up.
That's it, for now
I ran out of steam while typing this all up after a couple hours, but I may revisit it later to add more info. Feel free to ask any questions about any of these topics and I'll do my best to answer them all.
TL;DR (y u words so much??)
Use a password manager so you can have different, random, secure passwords on every account on every website/service/game
Use MFA/2FA on every account, if possible
Lock your computer when idle/away
Use full disk encryption on laptops
Update your operating system (we all hate Windows Update, but it really is for our own good)
Use anti-virus (Windows Defender is fine)
Update your browser
Use good adblocker/privacy blocker browser extensions
Don't use browser extensions that you don't really need (they could be a trojan horse of bitcoin mining later)
Don't trust anything sent by anyone, unless you were expecting it and know it's safe
E-mail is the least secure form of communications in use these days; don't trust it for sensitive things
Use source control for your game code (git, mercurial, etc)
Lock down access to your source code
Don't put secrets (passwords, API keys/tokens, social security numbers, credit card numbers) in your code repository
Don't do dumb things like store your AWS keys in your game for players to just find with simple tools
Check your code dependencies for security bugs, update them when needed
Use HTTPS on your website
Update your web server OS and software
Use secure password storage (don't reinvent this wheel, it's been solved by way smarter people)
Use SSH keys instead of passwords for Linux servers
Use a firewall to block the world from getting in with SSH/Remote desktop/database direct connections
Only allow your own IP address (which can change!) into the server for admin tasks
Don't run your own email server, let someone who knows what they are doing handle that for you
Secure your domain registrar account, keep email address up to date
... in general... in general... in general... I sure wrote those 2 words a lot.
Why Should I Trust This Post?
Hopefully I have provided enough information and good links in this post that you can trust the contents to be accurate (or mostly accurate). There is certainly enough information to do some searches on your own to find out how right or wrong I might be about these things. If you want my appeal to authority answer: I've been working at a major (network/computer) security company for almost 7 years as a software developer, and I've had to put up with pretty much every inconvenience brought on by security. I've also witnessed the aftermath of nearly every type of security failure covered in this post, via customers and the industry at large. None of the links I used are related to my employer or its products. Edit: Fixed some typos and added some more links More edit: added a few more points and links
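The post's "Secure Your Code" questions (is a secret committed to the repository, or recoverable from the game executable with strings) can be checked before every release. This is an added example, not part of the original post: the rule set, entropy threshold and sample bytes are assumptions constructed here, and the two AWS-looking values are the placeholder credentials from AWS's own documentation.

```python
import math
import re
import sys
from collections import Counter

# Printable-ASCII runs of 4+ bytes: the view of a binary that `strings`
# gives to anyone who has a copy of the game build.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Illustrative rules chosen for this example; extend them for your own stack.
RULES = {
    "aws-access-key-id": re.compile(r"(?:AKIA|ASIA)[A-Z0-9]{16}"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "credential-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[\w.-]*\s*[:=]\s*"
        r"['\"]?([^\s'\"]{8,})"
    ),
}
# Long base64/base64url-looking runs are only reported when they look random.
TOKEN_CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off, tune per project


def shannon_entropy(text):
    """Bits of entropy per character of a non-empty string."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def redact(value):
    """Keep enough of a match to locate it without copying the secret into logs."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_blob(data, source="<blob>"):
    """Scan one file's bytes (source text or compiled binary) for embedded secrets."""
    findings, covered = [], []

    def report(rule, start, value):
        covered.append((start, start + len(value)))
        findings.append(
            {"source": source, "offset": start, "rule": rule, "match": redact(value)}
        )

    for run in PRINTABLE_RUN.finditer(data):
        text = run.group().decode("ascii")
        for rule, pattern in RULES.items():
            for m in pattern.finditer(text):
                g = m.lastindex or 0  # report the captured value when there is one
                report(rule, run.start() + m.start(g), m.group(g))
        for m in TOKEN_CANDIDATE.finditer(text):
            start = run.start() + m.start()
            end = start + len(m.group())
            already = any(s < end and start < e for s, e in covered)
            if not already and shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                report("high-entropy-token", start, m.group())
    return findings


def scan_paths(paths):
    """Scan files on disk, e.g. the build output directory or staged files."""
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            findings.extend(scan_blob(fh.read(), source=str(path)))
    return findings


# Constructed stand-in for a shipped game binary. The AWS values are the
# documentation placeholders, the 32-character token is made up for this example.
SAMPLE_BUILD = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"GameClient v1.4\x00"
    + b"https://leaderboard.example.invalid/api\x00"
    + b"\x00\x01\x02"
    + b"AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x00q7Zp2LmX9cVb4NtR8kWy3HdF6sJg1TaE\x00"
    + b"\xff\xfe player_name\x00"
)

if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_blob(SAMPLE_BUILD, "sample")
    for f in results:
        print(f"{f['source']}:{f['offset']}: {f['rule']}: {f['match']}")
    sys.exit(1 if results else 0)  # non-zero exit fails the commit hook or CI job
```

Run it with file paths as arguments from a pre-commit hook or CI step; anything it flags in a client build should be treated as already public and rotated, not just removed.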
Hey all! GoodShibe here! So, yesterday I started putting this thing together and WOW did you come out in droves to help! Thank you so much for sharing your ideas and memories. And thank you kindly to the mods for stickying that post! In one day we reached 60% completion on a list of top 100 Memories and Achievements of Dogecoin! That's amazing! So many fantastic memories and accomplishments! Which leads me to share some developments. The title of this endeavor is now - unless someone comes up with something better: Such Memories: The First 100 Days of Dogecoin I'm going to be putting this together as a 100-ish paged commemorative book - for free in PDF, probably with some cost as a fancy, printed book (Sold as close to 'at cost' as I can get it -- slipstream- has recommended selling it at a small profit, with profits going toward charities or Dogecoin Foundation for charities, etc - thoughts?). Artists, if you've got Dogecoin-themed artwork you want to see in this, please, put forward some links to hi-res CMYK copies and I'll do my best to fit it in. Also! Let's find the funniest, best Dogecoin-related memes that we have put together so far and include them as well! :D) We're also going to need a cover. Any artists out there care to try their hand at designing a cover for this? We'll put it to the community to vote for the one they like the most, and we'll include the others in the book somewhere :D) If you're an artist who submits to the project, you'll get full credit and promotion for your site inside the book (probably in a credits section at the back). I also want to hear from the community - think up some interesting stories, maybe what got you into Dogecoin. What your fondest memories of Dogecoin are. These first 100 days have been an exciting rollercoaster of adventure... let's make sure that we never forget all the fun memories we've had together.
If you have personal, fun pictures you'd like to share, fun, personal stories you want to see get into the book, then start working on them now, put them into the comments, keep them on hand! Here's the list that I have right now - in no particular order: MOMENTS/ACHIEVEMENTS:
ummjackson's first 'joke' on Twitter about Dogecoin being 'the next big thing'
The original bitcointalk Dogecoin forum page
The first Dogecoin paperwallet design
Save Dogemas is put together by the community, to help out victims of the hack. (News articles?)
15 Million doge raised by the community to save dogemas
TOTAL: 100/100 Also: I was thinking we might have a pour-one-out for all the Orphans - a page dedicated to all the blocks we lost along the way... thoughts? What have I missed?! Let me know in the comments! It's 8:29AM EST and we're at 53.95% of DOGEs found. Our Global Hashrate is spiking from ~61 to ~98 Gigahashes per second and our Difficulty is down slightly from ~1024 to ~1014. Lots of fantastic things in store, let's keep this list growing! As always, I appreciate your support! GoodShibe TL;DR: 100/100!!!
I'm an Identity Thief and I Want My Identity Back [Part 1]
Found this on a darkweb forum. It was posted only yesterday, and I thought you all might find it interesting. Fair warning, there's supposedly more to come, according to the comments on the forum, so this isn't an all inclusive post. I decided to paste it here in real time as it was posted instead of waiting until they were done putting it all online. From here on out, this is a direct copy-paste of the post, plus some formatting for Reddit.
I fucked up. Badly. My whole life has been a great, big fuckup, but this really takes the cake. I'll be dead soon, so it can't get much worse. My name is Michael Kay, also known as Neale Keaton. If you're running your little bots trying to find my name, it'll match this post. Hello, my little darkweb stalkers. I'm about to give you my version of events. I'm about to show you that you're being played like the gullible little basement dwellers you are. So sit down, go fullscreen, and read this through to the end. Because I think that by the end, you'll see things my way.
I'm an identity thief. Have been for four years. When I got out of the military, I couldn't adjust back to "normal" life. I got stuck in the same cycle that other vets do. No job, living on savings from my military income, and trying to kick my drinking habit. After almost a year, I came to a brutal conclusion that is the reality for many people in this economy: my identity wasn't worth shit. I was only a few months away from homelessness, had no prospects at a job, and was lacking in the social etiquette needed for dating. I was an only child of two only children. Grandparents were all dead, and my parents... well, I wanted nothing to do with them. They were the reason I joined the military and left home at 18. Again, my identity was shit. But, my drunk and sometimes high brain had a thought that kept repeating itself. What if I were someone else? Someone with a good background. Some work experience, proof that I was a good employee, maybe even a degree. In the military, I got to share a training ground temporarily with some of the boys heading into the Army Cyber Command. We got a few chances to swap stories, and they talked about the things they were learning. One guy was especially cocky about how "good" he was at navigating the darkweb. He regaled us with stories about finding illegal identities and firearms online before he even joined the military. He told us that the darkweb was full of everything you'd need, legal or illegal. With that memory in mind, that's who I turned to. In a move that further diminished my savings, I bought myself a nice identity off the darkweb. A driver's license, social security number, the works. It came with years of taxes being paid on-time, and some falsified work experience. If I paid extra, the people I bought it from would even pick up the phone when the prospective employer called and recommend me as a good employee. They had a fake website for the company and everything.
They even told me that their services were geared towards people like myself. Those unfortunate enough to have a bad identity. People who just needed the leg up of a trustworthy social security number. And it worked. I followed their guidelines, and true to their word, I got a job. From my Bachelor's degree in Business Management, I landed a position as a store manager for a small retail chain. During the day, I went to work and pretended I knew what the hell was going on. At night, I got a couple of dated self-help books from the library so I could make it look like I knew what I was doing with all the spreadsheets, scheduling, profit and loss statements, and anything else I was given. I worked hard. I didn't sit on my ass and let my identity carry me. I worked to earn what I'd been given, and it was the only way I could live with what I'd done. I was told that the identity was from a child who had died at birth, yet the social security number had not been discarded. The people I bought it from had "raised" that social security number. They hacked into school databases and inserted their name and grades, and did everything they needed to make the kid look like he'd grown into the man I was. Or rather, the man whose shoes I would step into. That identity saved me. But good things can't last forever.
While the identity gave me a second chance, it didn't give me good money. The job was good enough to subsist on, but after a year and then two years, I found that I was unable to save anything. At the rate I was going, I'd be working until I was 65 years old and yet have nothing to show for it. Once your basic needs are met, higher needs come into play. I learned that while reading books about business. Books about how to understand your customers. Even if all their basic needs are met, people are never satisfied. We crave purpose. We crave something higher. Something better. All the time and always. No matter how high you go, you'll always find something more to want. The same psychology that has been plaguing humanity for thousands of years, affected me. I didn't want to be a store manager my entire life. But I also wasn't sure what I wanted. So, I explored. I read even more books. I'd never read that much in my life, but I was on a mission. I was searching for something, some kind of meaning. I'd been given a second chance, and I wanted to do something with it. But I had no idea what it was. My first wrong decision, which led me to where I am now, came during work. I was manning a register while one of my employees took a break, and a customer left their debit card behind. I didn't notice it until a few customers later, when one held it up and said "I think someone forgot this." I took it, stuck it in the bottom of the cash drawer, and thanked that customer. My employee returned, and I went back to my office to work on more spreadsheets. At the end of their shift, the employee, whose register I had taken over, brought me the card. I told him I'd take care of it, and took it for safekeeping. As I turned it around in my hand after he left, my brain started to run things over in my head. I had questions. What was to stop me from sliding this card through the card reader at a register, choosing to process it as a credit card, and withdrawing cash? Who would know? 
How would they trace me? The store didn't have cameras. We were in a good enough neighborhood that my superior had decided not to pay for them. So, in all seriousness, who would know? Nobody.
My plan was devised while sitting in the office. It was just past lunch and time for a couple more employees to take breaks. I walked over, card in my pocket, and told the cashier that it was their time for a break. They happily walked to the break room, and I slipped into their place. The other cashier and I worked through a couple more customers, then we had nothing to do. The store wasn't busy during this time. I told the other cashier to take some returned merchandise and enter it into the inventory computer in the back. They obeyed, and I had my chance. Swiftly, I moved to the other cashier's register and typed on their machine. I logged in under their name. They were new, and I had just barely trained them on the system. I only knew their password because it was literally "1234567". I'd seen them type it so many times that I had incidentally memorized it. Their login was the key to my plan. With their account open, I scanned a pack of gum and rang out the "customer." I slid the card through the card reader, punched in $100 in cash to withdraw, and waited for the approval. Ding. Approved. The cash drawer popped open, I extracted a couple tens, some fives, and a 20 before slamming it closed. I snatched the receipt, stuffed everything into my pocket, including the gum, and went back to my register. When the other cashier returned, I told them I needed a few minutes in my car. That's where I hid the gum, receipt, and cash. On my way back in, I used my shirt to wipe the card clean of any fingerprints. I dropped it by the curb on my way into the store, stomping on it a couple of times to make it look abused. Taking a deep breath, I walked back inside. Son of a bitch. It worked.
There was never any kickback from that experiment. The customer never came to the register asking about their card, and the card disappeared from the curb outside before the end of the day. I suspect that the customer found it there when they came back for their card. I'm willing to guess that the customer talked to their bank about the extra transaction. The bank probably refunded them and gave them a new card, and the police never showed up asking questions. At home, I burned the receipt and the gum pack. I burned the gum pack so the barcode could never be traced to me. Just in case. To celebrate, I used the cash to treat myself to a very expensive dinner that night. All the evidence was gone, and I was clear and free. And the thrill was exactly what I'd been searching for.
From there, I brainstormed and even researched better ways to accomplish what I wanted. My goals were two-fold: 1) Make a decent chunk of money. Generate enough to save for long-term goals and happiness. 2) Not harm the identities of those who I used. And, of course, not get fucking caught. Generally, I planned this out by attacking many targets for small amounts, maybe a hundred dollars or less. If I hit six to ten targets a month, that'd be anywhere from $600 to $1000 extra a month. Which was enough. There were a lot of technical details that I had to plan for. I couldn't keep using my store: it was too obvious and the police would be on me in a month easily. I also couldn't use the same city. Some debit cards wouldn't let you withdraw cash without a pin. I got lucky the first time. And, what if the customer didn't have $100 in their account? I had to look at contingencies for contingencies. I also had to set rules for myself. Don't use an ATM. Don't use cards in stores that have cameras. Stay with crowds and look for cameras outside each store, like in the parking lots. Don't deposit the cash you took into your own bank account. Don't put it in a safety deposit box either. All kinds of rules based on my research and contingency planning. I bought a pen-camera off of ebay which I used while going to the store. I used it to film the person in front of me obscurely. I always got in line behind a man, too. When they pulled their card out, they often held it around their chest, like they wanted people to see their card. Rarely did people try to obscure their pins. At home, I would pull the video from my camera for the day and hope that at least one card was legible enough that I could extract the card number, expiration date, and name. A lot of people like to stand in line with their card on the counter until it's their time to pay. Or they hold it over the card reader like it's a race and they're waiting for the gun to fire. 
It's ridiculously easy for someone like me to extract that info with a camera. I set up an account on the darkweb where I would submit the card information, and a shiny, newly printed debit or credit card would show up in the mail. They routed the envelope through a network of darkweb "MailMen" so the envelope never even used the actual postal service. I would scuff the card up a bit, validate the data on my own card reader that I purchased through another darkweb service, and queue it up for use. I had a queue system so the cards were never used in perfect order, and were used a few months after I had snatched their information. I was grabbing information in stores that had cameras, so I wanted there to be time between when I grabbed it and when I used it. Sometimes this meant that the card went out of service before I could use it. But I was collecting enough cards that it didn't matter. I had no way to know if the cards would work, so before going to pay, I would have a contact buy a song on an obscure site using the card. It was a site that didn't require the security code printed on the back of regular cards, since I didn't have those codes. My phone would buzz after the transaction went through or failed, and I'd know whose card was next to be used. I'd get in, pay, withdraw cash, take the receipt, then leave. After each money run, I'd burn all the evidence and hide my cash. I had a good contingency plan for if a cashier asked for my ID. It was too expensive to get an ID for every card I planned to use once. So, I had my acting always ready to go. "Can I see your ID?" "Crap, that's my boyfriend's card, he's out in the car. We're just getting cash to pay the neighborhood kid who takes care of our lawn." If the cashier asked me to go and get my "boyfriend", I'd leave the store and never come back. But they always bought the excuse. And apparently I play a gay guy pretty well. Who would've thought?
I know what you're probably thinking. "God damn, Michael, get to the important parts! Blah, blah blah!" I don't get to brag much about what I've done and how clever it was, so I'm taking my last opportunity before I'm probably shot. So fuck off. During all of this, where it went on for three months without so much as a hiccup, I was doing other research. I was making more money, but those needs came back again and I found myself needing more. How could I make money faster? I'd ask myself that all the time, and skim the darkweb for methods that would work for me. That's when I turned to credit card fraud of the mail-in card variety. A new formula for making money right this second began to form. I used a feature of the MailMan darkweb service to set up a mailing address that would forward all mail to me. Then, I went online and bought a few hundred sets of personal data that were probably hacked from some company's database. Using this personal data, I signed up for three to four credit cards for each person. With those cards, I bought things online that I already intended to purchase for myself. Once the items arrived, I paid off the balance on the credit cards with my hard-earned money using prepaid cards that I bought with cash. Then, after a month or two of using the card, I would withdraw $100 in cash at a store. And then I'd store the card in my hiding place, never to be used again. If anyone ever looked at their credit reports and saw the credit card, it would look suspicious and odd, but would only be a $100 balance. They would, hopefully, just pay it off, close the card, and stop caring. Besides, my use of the card boosted their credit score. I paid the bills and fees on time, and kept the card open as long as I could afford, paying the yearly premium out of my own pocket. It was my way of saying thanks that they'd never hear. You give me some money, I help you boost your credit score. A symbiotic relationship. 
I even thought I'd earned the title of "ethical credit card scammer." No one, especially not the police, would see it that way, but that's how I justified my actions to myself. My mistake came from not researching my "clients" before I used their identity and their card. That's what got me caught. But not by the police.
I'd gotten used to the current routine to the point where I could do it in my sleep. I was making good money, much better compared to before. I kept my job as a store manager, and it felt so much more fulfilling because I was making the money I needed overall, and had something to look forward to: the thrill of identity theft. After some cautious planning, I rented out a nice, two-story duplex in one of my "client's" names and credit score. I kept my payments on-time and was the perfect tenant. The duplex's owner only did a soft pull on this client's credit, so it wouldn't show up on their credit report. Regardless, I had a contact on the darkweb set up some monitoring for this identity online. He assured me that if anything went wacky with the credit that made it seem like the client was suspicious or investigating, I'd get a text. I wanted a heads up if I needed to ditch my place. One month. It only took one month for them to find me. In the digital world, you would think one month was a long time, but it was too short for me. Too unexpected. I was in bed, sleeping, when I heard the front door squeak open. My eyes shot open. A million fears and thoughts ran through my head. It didn't matter if it was just a thief or the FBI. Either way, the police would be involved, and I'd be caught. I rolled out of bed silently. Watching my half-open bedroom door, I grabbed my sheets and spread them tight across my bed. I wanted to make it look like no one was home. Snatching my wallet and keys from the bedside table, I dropped to the ground and rolled under my bed. The boxes I kept under the bed for storage hid me from view once I arranged them. Footsteps came up the stairs. I wished I'd thought to buy a gun. But buying a gun took heavy background checks, and I hadn't figured out how to bypass those yet. Heavy boots tried to sneak down the hall. I saw two of them, one behind the other. Both black and menacing. They moved like they had training, but not much. 
From the way the floor bent under each step, they were both probably heavy around the belly. The door opened as they entered the room. Upon seeing the empty bed, they paused, unsure of what to do next. One of them whispered, loud enough that I could hear. "Not home." "So we wait." I bit my lip and cursed internally. They were looking for me, whoever they were. Probably not cops: they wore jeans, not uniforms. They could be plainclothes, sure, but I just felt that they weren't cops. I heard the front door squeak again, but the two men were too busy whispering to notice. I wondered if the door was just open in the wind. My reply came in the form of a voice from the hall. "Evening, fellas. Hands where I can see them." Shit. A cop. This guy's feet moved gracefully under him. Definitely trained. Suddenly, the two men rushed the cop, and I watched him fall as they shoved their way past him. Through the dimness, I could see that it wasn't a cop at all. It was Jack, my neighbor across the street. He was ex-military, like me, though he'd been in the service a lot longer than I had. I heard the front door fly open and slam shut as the two would-be thieves left the house. Jack stayed on the ground, sighing. He probably figured that pursuit wasn't worth the trouble. I weighed my options before finally pushing boxes out of the way and crawling out from under the bed. Jack watched, surprised. "You were under there the whole time?" He asked. "They weren't here long, thanks to you." Jack eyed my perfectly made bed, then where I'd crawled from. "Smart tactic for hiding. I'll have to remember that one." "Thanks." We stood in the dark for a minute, feeling awkward for different reasons. "Listen..." I said. "I'm grateful that you came and chased these assholes out, but can we not call the police? They didn't take anything, I'm not hurt, and I really don't want to deal with the hassle." Jack chuckled. "I was about to ask you the same thing." I looked at him in confusion. 
He lifted his gun, pointing it at the ceiling and showing it to me. It was a 92FS Beretta. Sleek, shiny, and well oiled. "This girl here is illegal for me to have. I have a small rap sheet from before the military, but am still not allowed to own a gun of my own. So, I'm going to agree that we don't involve the cops." "It's beautiful," I said, trying not to gasp from relief. "She sure is," he grinned. "Jack, thank you," I said, extending my hand. "Any time," he said, shaking my hand.
I wondered for a few days about those thieves. There's no way they broke into my house by random chance. They were looking for me: they'd verbally confirmed that. So who were they? Why did they want me? I thought myself into dead end after dead end. There wasn't anything I could do until I had more information. And yet, I had no way to get more information. I was stuck in limbo until they tried again, if they truly were looking for me, or until I could stop double checking my locks at night.
One night, as I lay in bed reading a book as usual, my phone rang. The duplex had actually come with a cordless phone system, which was humorous considering our cell-phone dominated world. I answered it, not knowing who it was. "Hello?" "Hi, Neale. Listen, just wanted to give you a heads up. There's a weird car that's been parked outside my house for hours. People were lying down and taking a nap for a while, but perked up when you got home. Now they've got cameras aimed at your house. Don't come to the window and try to look, they'll see. I just wanted to call and tell you that before I go and talk to them." What the hell. Breaking in is one thing, but now surveillance? Who did they think I was? Unfortunately, that was the question I should have pursued long before things got worse. "Did you get their license plate?" I asked. "And their make and model." "Can I have it before you talk to them?" "Sure," Jack said. He gave me the info, and I told him I'd call him back in a bit. To his credit, Jack didn't even question what I was doing or why I wasn't freaking out and calling the cops. I connected to Tor and sought out a darkweb site that had a backdoor into my state's DMV registration database. Only one or two states have those backdoors, and mine is one of them. Lucky for me. I put in the license plate number and the results came back. I paid my $25 fee with the usual Bitcoin, and opened the word doc that came back. Registered to one Charles B. Matsworth. With an address across the state from me. The database backdoor didn't transmit images, so I couldn't compare their driver's license photo with the people in the car. I was either dealing with Charles himself, or a stolen vehicle. Helpful, but also potentially not. I hit up another darkweb site and searched for Charles. I paid my fee, then the results populated. Except there were no results. There were ALWAYS results, but this guy's name wasn't there. Which was impossible with this site. 
It passively picked up every name tossed around the internet and provided you with links to where it was mentioned. But there were no results. Which means someone was actively scrubbing this guy's name from the web. So, that's when I knew he was one of you, darkweb. I hit redial on my home phone and got Jack back on the line. It was just past 11pm. "Hey, Neale," he answered. "Hey," I said, resisting the urge to peer through the blinds. "I can't look, obviously, but have you seen anything else helpful about them?" Jack paused, probably looking out the window. "Passenger is a heavy smoker: there's a small pile of cigarette butts on his side and he's smoking one right now. They've got some Arby's wrappers on their front dash. Driver is using a telescopic lens on a pretty expensive camera. Canon, I think. Two coffee cups from a gas station in the cup holders. Car looks pretty new, just a little dust. If you took it through a car wash, it would probably shine. I'm guessing it's a new model." I listened to him observe them, spouting off anything that he thought might be useful. "Any of that help you out?" He asked. "Maybe," I said, trying to think what I should do. Scare them off and let them know I'm onto them? Let them sit there and spy, hoping they don't decide to physically enter? Leave out the back? My bedroom light was on, so they knew I was home. My shadow had probably played against it a few times tonight too. This was a situation I didn't have a contingency for. "You should come over to my house. Sneak out around back, walk a block over, and come in through my back door," Jack said. "We can spy on the spies." I considered it. Last time, we had scared off the thieves and not gotten any useful information. This was the most useful situation since that night. I should take advantage of it. "Okay, I'll do that," I said. I gave him my mobile phone number so he could use that instead of the home phone. I made my way to the back door and left, locking it behind me. 
Going straight back and over the back fence, I went to the next street over, then jogged three streets down to crawl through someone else's yard and into Jack's. He was waiting at the sliding glass door when I got there. "No movement, they're still staring at the house and talking occasionally." "Any idea what they're saying?" I asked, hopeful. "Nope." I walked into his living room, and found his setup. He had a pair of binoculars on a coffee table, and a few slats of his blinds were held open by paper clips. "Have a look," he said, waving me into the room. "Need some water?" "Yes, please," I said, picking up the binoculars. Through the blinds, I saw the two men in their car, both heads turned towards my house. It was exactly as Jack had described. The streetlight was far away, so I couldn't make out hair colors, but one had longer hair than the other. That was about all I could make out. Jack appeared beside me and set a glass of water on the table. "Recognize them?" He asked. "No," I muttered, setting down the binoculars. "You in some kind of trouble, Neale? Borrow money from the wrong guys? Or are these just private investigators from your ex-wife trying to track you down for child support?" Jack's tone was light and joking. He honestly didn't seem to give a shit what kind of trouble I was in. "Not that I know of," I said weakly, turning back to the window. "Maybe they're after the guy who lived there before me?" "Could be," Jack said, sitting on the couch. I turned back around to face him while he watched me with the slightest smile on his face. "Thank you, again, for helping me figure this out," I said. "I haven't had this much fun since my last tour. I haven't had any action since. This is exciting and refreshing, Jack. I'm happy to help." I nodded, taking a seat as well, but keeping the window within sight. "So, it's not money, it's not women. Is it drugs? No judgement from me, man." "No drugs either," I said, trying to do my own thought process. 
For half a second, I considered telling Jack about myself. Then I realized how asinine of an idea that was. He'd probably kick my ass for stealing. "I say we watch 'em. We won't learn anything by running out there and scaring them off. But maybe they'll do something that gives us an idea of what they're up to," Jack said. It was the same conclusion I'd come to, so I agreed. We watched them in silence for about an hour. I was perfectly okay not talking to Jack, and he seemed okay not talking to me. We took turns at the window, and if something interesting seemed to start happening, we'd wave the other one over to look. Nothing interesting happened until almost 1am. They both got out of their seats and exited the car. Each one stretched, then pulled pistols out of their belts. They examined their guns, cocked them, and made their way to my house, side by side. I waved Jack over, and he watched them try my front door, find it locked, then go around back. "I have an idea," Jack hissed, suddenly shoving something into my hand. His Beretta. "If they come out, open the front door and yell to me. If they start shooting, you shoot back. Give me cover to get back into the house." "What are you doing?!" I hissed back as he grabbed at the front door. "Getting some information!" He said before shutting the door. I watched him drop to a low crouch and crab-walk his way to their car, which was parked at the edge of his sidewalk. The passenger window was open from the smoker, so he leaned into the car and rustled around. I watched my house, heart beating sharply. I saw a shadow pass by my bedroom window. They would have found me not in bed by now. They could be leaving soon. I made my way to the front door and opened it a crack. "Jack!" I whispered. "They made it to my bedroom! Hurry up!" I shut the door, and ran back to the window, careful not to disturb the blinds. With the binoculars, I inspected my house. 
The figure was still by my window, and Jack was still rummaging through the car. The figure moved away from my window, and I dashed back to the door. "They're coming!" I called. Jack didn't waste time. He got up and bolted for the door. I shut the front door as he entered, and we both went to the window. The men came back around my house and got back into their car. I thought they would wait around until I came home, but the car started, and they drove away. We both watched the tail lights disappear. When they were gone, I turned back to Jack, who had dumped handfuls of what he was carrying onto the coffee table. "Receipts," he said. "I didn't see any badges for policemen or private detectives. Car is registered to Charles B. Matsworth, but the address is blurred out on the papers." I blurted out half the address before I caught myself. Jack looked at me funny, but didn't ask. "I guess grabbing the receipts was useless," he chuckled. "I was gonna say we could plot the receipts on a map and try to figure out where they came from." "That's still a good idea," I said. "That address is for Charles, not necessarily where these guys came from." "Pretty sure these guys are criminal. Sure you don't want to hand this off to the police?" Jack asked. My heart skipped a beat, and I tried to sound nonchalant. "No, I don't want to get the police involved unless it's serious." Jack laughed out loud. "They pulled guns, then went into your house in the middle of the night. I'd say it's pretty serious, Neale." "Okay, okay, I'll level with you," I said. "I've done some stuff and still have an outstanding warrant. If I go to the cops, I'll be arrested." That was enough of the truth to be a convincing argument. Jack pondered that for a bit. "What'd you do?" He asked. "Unpaid speeding ticket," I said quickly with a shrug. "50 in a 35. That was a few months ago. If I go now, before paying the ticket, I'll probably get arrested." Jack nodded with a slight smile. "Okay, Neale. 
We'll investigate it ourselves until you get your ticket paid. Then we'll get the police involved." I swallowed hard. I didn't intend to ever get the police involved. So I had to resolve this fast.
You need to pick your focus area. What do you want to do? Penetration testing? Encryption? Malware analysis? Forensics? Underground intelligence? Counter-espionage? Then you need to find mentors and coaches. The easiest way to do this is via online forums dedicated to your focus area. For example, check forum.infosecmentors.com.
SANS has some great online resources for people starting up in this area: check them out.
It's trivial to modify existing malware so that traditional antivirus programs won't detect it any more. It only takes a couple of minutes.
That's why antivirus programs have been moving towards behaviour-based detection models as well as towards reputation-based detection models.
Do note that testing behaviour-based blocking is hard. That's why it's misleading when people post links to sites such as Virustotal as evidence that a particular file is 'not detected by AVs'. There's no way to know if a particular antivirus would have blocked the file, unless you would try to run it.
"As far as we can see, this program has never been executed by anyone else anywhere. You are the first person on the planet to run this file. This is highly unusual. We will block this file, even though we can't find any known malware from the file"
The only problem with this scenario are software developers, who compile their own programs. They obviously are the first persons on the planet to run a particular program - as they made it themselves! They can easily whitelist their output folder to avoid this problem though.
People use Tor for surfing the normal web anonymized, and they use Tor Hidden Service for running websites that are only accessible for Tor users.
Both Tor use cases can be targeted by various kinds of attacks. Just like anywhere else, there is no absolute security in Tor either.
I guess the takedown showed more about capabilities of current law enforcement than anything else.
I use Tor regularly to gain access to sites in the Tor Hidden Service, but for protecting my own privacy, I don't rely on Tor. I use VPNs instead. In addition to providing you an exit node from another location, VPNs also encrypt your traffic. However, Tor is free and it's open source. Most VPNs are closed source, and you have to pay for them. And you have to rely on the VPN provider, so choose carefully. We have a VPN product of our own, which is what I use.
The operating systems on our current phones (and tablets) are clearly more secure than the operating systems on our computers. That's mostly because they are much more restricted.
Windows Phones and iOS devices don't have a real malware problem (they still have to worry about things like phishing though). Android is the only smartphone platform that has real-world malware for it (but most of that is found in China and is coming from 3rd party app stores).
It is interesting that Android is the first Linux distribution to have a real-world malware problem.
There are different problems: problems with security and problems with privacy. Security problems come from criminals who do break the law and who directly try to steal from you with attacks like banking trojans or credit card keyloggers. Blanket surveillance of the internet also affects us all. But comparing these threats to each other is hard.
The idea of a 'good virus' has been discussed to death already years ago. The consensus is that anything good that could be done with self-replicating code could be done better without the replication.
Most mobile malware IS written for Linux, since most smartphones run Linux.
So first and foremost, it's a question of market shares.
After that it's a question of attacker skillsets. If the attackers have been writing Windows malware since Windows XP, they aren't likely to stop and switch easily to OS X or Linux unless they have to. And they don't have to.
Nobody was withholding detection. Everybody detected all Regin-related files they had, and protected the end users. Which one would you rather have us do? Sign an NDA, get the samples and protect our users? Or not sign the NDA and not protect our users?
Some people will always say this. But they are always the people who haven't really thought it through.
If you have nothing to hide, you can't keep a secret. If you have nothing to hide, show me your search history. If you have nothing to hide, give me your password. If you have nothing to hide, I can't trust you.
I, like everyone else who has been playing for the most part, have had the joy of coming up with ideas that seem to be cool and would like to see them in the game. Seeing as the Dev loves to talk with us, I figured I'd share some.
Small Ideas:
The ability to see how many people are connected to your device. Would be nice to know if people are currently mulling around your phone, doing evil things. Even more so to see the IP of the connection that is currently active to your device. Plus for the Dev, more people are going to have the game open. Plus for the players, we get to find out who keeps leaving those fun little notes.
Proxies! What self-respecting Hollywood hacker would direct connect to a device? Furthermore, what Hollywood hacker wouldn't have a nice GUI of IPs to run proxies through! Now you can fool the guys watching their devices with an IP that isn't yours! Of course, the tradeoff is that all downloads and other work being done through that proxy is slowed, but it's a tradeoff for security.
Trace Program! So, if they have a proxy, you are SOL on trying to find out who is connected to you? Nope! A trace program that will, through the magic of hacking, run back to the IP that started it all after some time!
As a note, the way I have the proxy and trace programs working in my head is that each level of the Proxy or Trace program allows you to create or trace through an additional jump at a 1:1 ratio, so that you will need a Level 5 Trace to catch someone using a level 5 proxy.
Log Un-Deleter! It's too easy to just blast a log away and leave without a trace. A log Un-Deleter would allow the restoration of a certain amount of data that was recently destroyed. Not only will this allow for people to retaliate against those who are under consistent attack, it also encourages people to fake real looking logs to try and trick the players into going after someone else.
Bigger Ideas
Specializations
No two hackers are the same and not everyone playing this game goes about playing it the same. Adding in some specializations that give benefits to a specific kind of play would allow for greater customization, duh. Some examples of specializations mulling around in my head:
Bot Net Creator: Installing low level software on victims' devices allows the one running a bot net to have faster processing for bypasses, cracking, etc. The more infected devices, the more efficient those applications are.
Malware Programmer: Sacrifice a program to infect it with malware. Anyone who downloads that program will give the Malware player a backdoor into their system along with some benefit of said program. Infected spam? You generate a greater amount of spam off of the infected players' devices by it simply existing. Infected password encrypt? You gain access to their passwords for free. Infected password cracker? You gain the passwords cracked by the infected player. But you are not allowed to use the infected software yourself. You will have to delete and re-download/purchase said software if you wish to use it.
Electronic Funds Acquisition: Being a financial genius or simply someone who knows their way around bank software, you have special flags on your bank account that allow you to store more bitcoins, per level, than other players. You also have a special ability that allows you to take a small percentage of a player's banked bitcoins every twelve hours. You also have access to the account logs on the bank's side, which will allow you to track down those who have stolen from you.
Big Ideas!
Of course, with games like these, players would like to team up and work as a group. This should be no different! Creating a group of hackers (or guild, clan, fraternity, whatever you want to call it), will come with an interesting set of mechanics. Every group will have their own central server which offers the same basic services. A forum for communication, a group bank where players can store their own bitcoins off the grid up to a certain amount, and file space for programs that the leaders can upload for the other members to download to make sure the group members are all around the same software tech level. But there is more! The leaders of the group can specialize the servers for further specialized play.
Turning the server into a bitcoin mining machine to give members an additional source of reliable income.
Turning the server into a powerful hacking device to attack other groups. Also allowing group members' devices to become slaves to help the server's bypass and cracking attacks.
Turning the server into an IP hijacker, spoofing a device at a certain IP and infecting those that connect with malware programs.
Generally, joining a group/guild/clan tends to be all benefits and no downsides. But in the hacking world, sometimes going as a lone wolf ends up being more beneficial, though I am having trouble thinking of ways to balance that out. Perhaps some ways for players, who designate themselves as solo players, to be able to hide their IP easier or be more elusive when it comes to dealing with large scale attacks. Anyways, I have been throwing a lot of ideas out there. I do hope it was a good read and I hope the Dev takes a look at least!
Also, you read any Bitcoin address mentions on the internet, forums and check for scam alerts. 22.04.2019 - AllPrivateKeys.com created to check the safety of Bitcoin and Altcoin networks, explain how Blockchain works, show problems of algorithm and add some fun to cryptography.
Honeyminer makes mining and earning money simple for anyone with a computer. Honeyminer is brand new and may not be recognized by your computer's security software. Most will not alert you, if they do it's usually pretty easy, just press "allow" when prompted. Honeyminer is downloading. Honeyminer software is safe and secure. Learn more. 1. Open the Honeyminer Setup .EXE or .dmg in your ...
Bitcoin Hack Cloud Software - Bitcoin & Ethereum cloud mining. Start mine daily BTC & ETH to earn money without hardware. Paid 39.752 BTC Paid 163.192 ETH. Enter Your BTC Address Select the amount of BTC you want to Mine. 0.9 BTC. START. Bitcoin Hack. Earn 3 Bitcoins Every Month With This Powerful Bitcoin Mining. Dear readers my name is Sam Rock and i am the founder of Bitcoin Mining BR today ...
Had strong passwords set for the devices I had but on reboot the ssh root password always reset. Even then, I'm fairly sure there is an API open somewhere on the devices making having them open to the internet a terrible mistake. Miners should probably always be behind a firewall/nat to keep them mining for the owner.
BitCoin miner virus or BitCoin mining virus is a dangerous malware that may use your CPU and/or GPU to obtain BitCoin cryptocurrency by mining illegally. Cryptocurrency miners keep hitting computers and trying to use their resources to generate revenue for their developers. Even though this type of infection is called BitCoinMiner, it does mine for digital currencies such as Monero ...