The ShapeShift Hack

73 points by mdelias about 9 years ago

9 comments

ikeboy about 9 years ago
Erik responded: https://www.reddit.com/r/Bitcoin/comments/4gdxe9/cornell_professor_doubts_shapeshift_story/d2gy4iz

btilly about 9 years ago
So we've got three potential theories here.

1. ShapeShift has the right version of events.

2. Rovion is Bob who is having fun mocking and misleading the CEO, safe in the belief that he will never be caught.

3. Rovion is another insider who is providing himself with cover to blame Bob and an outside hacker if he's ever caught.

This post criticizes the first theory on Rovion's interaction not making much sense. And indeed it doesn't unless Rovion is a fairly weird guy.

The second theory makes some sense. By telling this yarn, Bob managed to steal two more times, while having all evidence of how he did it the second 2 times not being taken as leads to who he is now or what he is doing.

The third theory makes a ton of sense. Rovion can either be someone who was already planning to steal. Or just an insider who saw how easy it was and was motivated to do the same.

One interesting detail is that Bob's initial theft is just sitting in a wallet, untouched. So apparently he didn't need that money. The first theory would say because he got paid by Rovion and can wait. The second theory would say because he made 2 other withdrawals that he can use. The third theory leaves that open.

Based on human nature I'd rank them 3, 2, 1. Based on his leaving a bunch of money untouched, and my opinions about criminals, I'd rank the theories 2, 1, 3. Either way the CEO should be dubious about the story he was fed by "Rovion".

kcorbitt about 9 years ago
I agree that ShapeShift's account has holes in it and the CEO seemed a little too willing to take Rovion at his word, but this rebuttal swings too far in the other direction. Some comments:

> Red Flag #1. Bob is somehow able to connect with a hacker who has been hiding in their systems for some time.

Actually, in the original article Rovion says "We contacted Bob." Which makes total sense -- if Rovion e.g. had access to the email account of a ShapeShift employee, he would have seen the drama with Bob unfold and been able to contact him easily.

> Red Flag #2. Rovion identifies Bob by his real life name "Bob," without a moment of hesitation.
> Why on earth would Bob run a criminal business under his real name?

If Rovion had access to some internal communications at ShapeShift, he would of course have "Bob"'s real name and no reason not to use it.

> Red Flag #3. Bob chooses to sell his backdoor access to Rovion instead of using it himself.
> Red Flag #4. Bob demands only 50 BTC for a backdoor.

There's a lot more risk in stealing something yourself vs just providing information that can be used for theft. Letting someone else do the dirty work could definitely be a rational decision. And anyway, the hot wallet at no point after the original hack had 315BTC again, so the expected value of the second/third hacks were a lot lower.

> Red Flag #6. Rovion is a moralistic individual who not only is a thief himself, but wants to see Bob, another thief from whom Rovion supposedly obtained credentials, severely punished

It's not surprising to me that someone could adopt a moral framework that let them steal from poorly-secured foreign companies while still considering it wrong to steal from your own employer.

> Orange Flag #9. Voorhees talks derisively about Bob's competence during the period of time when Bob was employed prior to the hack.

Many countries, possibly including Switzerland, do have a very high standard you have to meet to fire someone with cause. This process could be especially delicate if Bob is of an ethnic or racial minority.

rdtsc about 9 years ago
Isn't this the standard scam -- crypto-currency exchange gets cleaned out by an insider/owner and then there is a story of a disgruntled employee or other evil hacker. Everyone is supposed to hate this made up hacker instead of suspecting the owners themselves.

Maybe it is just the news bias, but crypto-currency seems to attract shady characters. I understand the sentiment about the central banks and global cabal of money controlling plutocrats and all that, but then the same people turn around and hand money to a bunch of amateurs with a website and trust them instead.

Ontheflyflyfly about 9 years ago
Didn't know

"Who here remembers the story of a bank called X.com? It was a tiny, little-known online bank, until it was hacked and covered in the mainstream press during the first dot-com boom. Its popularity absolutely soared after the hack. I actually had an account on X.com, but if you didn't and never heard of it, you may perhaps have heard of X.com's founder, a fellow who goes by the name of Elon Musk."

braderhart about 9 years ago
It seemed to me like Rovion is Bob, but just taking on a different identity, hence the "Let me know when you plan to arrest Bob" comment.

buttershakes about 9 years ago
Finally, someone who took a stab at this. Ever since I read Shapeshift's version of events I couldn't help but think the entire thing was bullshit. Wild incompetence, improbable alliances, it's just weird.

cubano about 9 years ago
I'm just kinda glad that my old-school, been-burned-100-times, cynical self, who also saw red flags galore into the original narrative, wasn't *completely* nuts.

It's a pretty solid takedown of all the issues in ShapeShift's sketchy story.

AgentME about 9 years ago
> By definition, Rovion was in deep undercover mode. How would Bob have gotten a hold of Rovion? Did he know of Rovion's partial penetration? If so, how? If not, then how did they meet up? In any case, how did the two hackers exchange messages?

If the attacker didn't have root or wasn't using a fancy rootkit, it's not surprising at all that his hack could have been discovered. Discovering the hack could be as simple as finding an unfamiliar php file that hosted a reverse shell in some directory. The attacker might've had some scripts in a folder. Communication could be started by editing one of the scripts to print a message instead.

A friend of mine as a student sysadmin once found a server was part of a botnet, figured out the bots communicated via an IRC channel, joined the channel himself, lurked for a while, found the operator connect one day, and talked. The server never had anything worthwhile on it, the server was re-imaged, the school never bothered pursuing legal action as the guy was in Russia, and I'm told they've played Counter-Strike together sometimes since then.

> Why wouldn't Bob take advantage of the backdoor himself? It's not like he had much to lose. He'd already been ousted from ShapeShift and was already the target of an investigation.

Because he could get a bunch of money now and have someone else do most of the work probably.

> Red Flag #4. Bob demands only 50 BTC for a backdoor. ... Why not split the proceeds in half, for starters?

If Bob has Rovion do all the work with the backdoor access, why would Bob trust Rovion to split the proceeds once he's hit the motherlode? Much easier to get some money up-front and be done with it.

> Red Flag #5. Rovion pays 50 BTC for a backdoor. ... How would Bob, then, demonstrate to Rovion that he wasn't just a scammer, or a honeypot operator, but indeed had a legitimate backdoor to sell?

It probably wasn't a single 50 btc transaction. Start it slow. (Just like how Erik managed to work out some trust with Rovion later.) Bob probably offered to not boot Rovion's original access into the system for a few btc to start with, and they found somewhere to go from there.

> Red Flag #6. Rovion is a moralistic individual who not only is a thief himself, but wants to see Bob, another thief from whom Rovion supposedly obtained credentials, severely punished, for being a thief.

Seriously, this is just grasping for straws. That doesn't seem so strange. Or hell, maybe Rovion just wants to try to throw someone else under the bus morally. People trying to justify themselves is nothing new.