
Apparently his servers keep getting hacked, which doesn’t reflect well on his security practices: https://twitter.com/LukeDashjr/status/1606885577843957762


Assuming this physical access claim is truthful (and I have doubts), I would feel at this point it's budget letting him down. If your threat model includes "targeted attacks from people with physical access", it's time to run a VM on AWS or Azure and use the tooling they make available to secure it further. If you want tonnes of resourcing at a quite low budget, there's only a certain amount of "calling out" the group that supplied it that's reasonable.


I believe most of these "physical attacks" are datacenter support teams being socially engineered and not state-level actors. They hook up a USB rescue drive to "help" you back into your server; using full disk encryption or locking down the BIOS can thwart such attacks.


You know as much as I'm generally unhappy with what MS is doing with forcing TPMs on Windows 11, I have to say Bitlocker on Windows is basically single click and a perfect solution, and I'm a bit disappointed in the scale of every comparable Linux guide I just Googled up. I can see why the average company doesn't have it deployed.


LUKS isn't rocket science, you're looking at the wrong guides. Using the TPM to encrypt a partition is a few commands on the shell.
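The two comments above describe the scenario (a rescue USB plugged into a rented box) and the mitigation (LUKS bound to the TPM). As an added illustration, not code from any poster in this thread, here is that "few commands" sequence using `systemd-cryptenroll`, plus a check that parses `cryptsetup luksDump` output to confirm the volume is LUKS2 and actually carries a `systemd-tpm2` token. The device path `/dev/sda2`, the PCR choice (7), the crypttab name/UUID and the sample dump text are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from any poster in the thread): bind an existing LUKS2
# volume to the TPM2 and verify the binding from `cryptsetup luksDump` output.
# Assumptions: systemd >= 248 with systemd-cryptenroll, cryptsetup 2.x, a TPM2
# device, and that LUKS_DEV points at a LUKS2 header (LUKS1 cannot hold tokens).

DEV="${LUKS_DEV:-/dev/sda2}"   # assumed device path; adjust for your system

# Step 1: enroll a TPM2-sealed key in a free keyslot. PCR 7 tracks Secure Boot
# state, so the key is released only when the boot chain is unchanged; a
# rescue stick booted by a "helpful" technician measures a different PCR 7 and
# gets no key. Keep the existing passphrase slot (or add --recovery-key) so a
# firmware update that changes PCRs does not lock you out. Needs root.
enroll_tpm2() {
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$DEV"
}

# Step 2: tell the initrd to try the TPM at boot. Name and UUID are
# placeholders; print the line and append it to /etc/crypttab.
crypttab_line() {
    name="$1"; uuid="$2"
    printf '%s UUID=%s none tpm2-device=auto\n' "$name" "$uuid"
}

# Step 3: verify. Reads luksDump text on stdin and returns 0 only when the
# header is LUKS2 and a systemd-tpm2 token is listed, so it also works offline
# on saved dumps.
tpm2_bound() {
    awk '
        /^Version:/                          { version = $2 }
        /^Tokens:/                           { in_tokens = 1; next }
        /^(Digests|Keyslots|Data segments):/ { in_tokens = 0 }
        in_tokens && /systemd-tpm2/          { found = 1 }
        END { exit !(version == "2" && found) }
    '
}

check_device() {   # needs root to read the header
    cryptsetup luksDump "$DEV" | tpm2_bound
}

# Constructed luksDump excerpts (trimmed to the fields the check uses).
SAMPLE_BOUND='LUKS header information
Version:        2
Epoch:          4
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:    1
Digests:
  0: pbkdf2
'
SAMPLE_UNBOUND='LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
'

demo() {
    printf '%s' "$SAMPLE_BOUND"   | tpm2_bound && echo "sample 1: TPM2-bound"
    printf '%s' "$SAMPLE_UNBOUND" | tpm2_bound || echo "sample 2: passphrase only"
}

case "${1:-}" in
    enroll) enroll_tpm2 ;;
    check)  check_device ;;
    demo)   demo ;;
esac
```

Run `sh script.sh demo` to see the parser on the constructed samples, `sh script.sh enroll` as root to bind a real device, and `sh script.sh check` afterwards to confirm the token landed. The binding defends the offline case (disk pulled or machine booted from other media); it does nothing against someone who already has a shell on the running system, which is the other failure mode raised later in this thread.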


Sure, perhaps, but parent’s point still stands that AWS techs are not plugging USB drives into servers, because their threat-model already includes state-sponsored attacks.


Not necessarily SE, there's been tons of 0days exploited against stuff like WHMCS, Hostbill, Kayako and many other systems used by hosting companies to manage this kind of thing.

Colocation and epoxy in any relevant ports is the obvious way to avoid this.


If he has enough Bitcoins for it to be possible for ‘many of them’ to be stolen, he doesn’t have a small budget.


Just makes this thread stranger. I know if I had over $3m in btc and was working professionally with them I wouldn't state my top budget was $55.

Edit: his tweets specifically talk about not using "cloud nonsense" and state that getting your own key to a rack is too expensive for him.


My goodness. Really? He refers to "cloud nonsense", then uses a "dedicated server"? That's a new kind of special.


From his tweets: he was renting a physical server for $55/m. So, a total joke.


It's even more amazing, he's posted:

    > So... Any trustworthy companies offering affordable dedicated servers?
    >
    > Currently paying $55/mo for:
So if you offer him some crappy free dedi appearing to be in an IP block of a reputable company, all you have to do is wait a bit and presumably he'll upload his wallet.dat for you!


I wonder if this is the same server that “wasn’t fully rebooted in years”.

https://bitcoinhackers.org/@lukedashjr/107769287522154866


Just a few days ago he popped into a friend's Twitter thread about similarities between the Freenode and Twitter situations, and announced that it was Libera Chat that conducted a hostile takeover against Freenode.

Somehow I'm not surprised at all.


> Evidence suggests the attacker installed 2-3 remote shell backdoors, but didn't touch anything else.

Well, I guess he now has evidence that maybe they touched something else.


Probably bad security practices. Maybe he has accessed a compromised server over ssh and used agent forwarding or something. Anyhow, looks like a pretty bizarre profile...



