Bitcoin Revenue in 2014
By Sergey Tsalkov, posted on Friday, February 27 at 12:32 AM

As our customers will know, we've been true believers in Bitcoin for about as long as there has been Bitcoin in the world! We've been accepting it for several years now, and wanted to share our data on Bitcoin payments! So without any further ado, here it is! The percentage numbers on the left are for the % Transactions and % Revenue, and the dollar prices on the right side are for the Bitcoin price.

bitcoin revenue chart

A Few Thoughts

Our data does not support the fear that Bitcoin use has stopped, or even slowed down. The percentage of bitcoin transactions did drop off around October 2014, because we adopted a new rule requiring first-time bitcoin payers to pre-pay for a full year. Bitcoin revenues (as a percentage of overall revenues) have remained steady throughout 2014.

Huge Security Hole in ZPanel 10.1
By Sergey, posted on Monday, October 6 at 2:50 PM

When it comes to managing a VPS, many of our customers would prefer to install some kind of control panel rather than do it all themselves from the command line. ZPanel is perhaps the most popular choice for this. We even offered ZPanel 10.1 as a pre-made image -- it was a very recent version (10.1.1 is the most recent at the time of writing), and there are no published security announcements relating to it.

We thought it was safe.

Imagine our surprise when, over the course of a weekend, numerous chunks were simultaneously rooted and turned into DDoS zombies! It didn't take us long to realize that they were all running ZPanel, and most were running the "safe" version we offered.

More googling eventually dragged up this blog post in Spanish, written by the security researcher who discovered the problem, where he explains how it works. We also found a blackhat exploit salesman trying to sell it for $400. Oops!

According to the security researcher, he discovered this unauthenticated remote root exploit in ZPanel 10.1 back in February 2014 and reported it to the ZPanel developers. They released 10.1.1 a month later, and made no announcements of any kind about the problem -- no security alerts, no changelogs, nothing! So, many people kept on using 10.1 and thinking they were safe.

Now that we've got our own house cleaned up, we'd like the rest of the world to know about this. We no longer recommend ZPanel for our customers, but if you want to use it, you should upgrade early and upgrade often!

Huge Security Hole in Sendgrid
By Nate Daiger, posted on Wednesday, March 26 at 2:32 PM

Weird streets: Torched

We had a serious security incident over the weekend that took us by surprise. Although no customer accounts were compromised, it was a really close call.

Like lots of companies that want to be sure our emails successfully arrive in your inbox, we use a third-party email service, Sendgrid, to ensure deliverability.

A few weeks ago, we had received a transcript of a chat with Sendgrid tech support that was clearly someone trying to social engineer access to our account. Though Sendgrid didn’t fall for that attempt, we alerted them to the probing and asked them to please make sure that future social engineering attempts wouldn't work. They replied and set our minds at ease:

As a policy, we will never change an account's credentials or email address for a user, especially over a chat or email ticket.

We will provide the links or instructions for the user to do so, but those pages can only be accessed with the proper credentials.

However, it turns out that the policy was ignored this weekend, and someone managed to convince Sendgrid over the phone to change the email address on the account. We got an email from them, but by that point it was already too late. The hacker had logged into Sendgrid and taken control.

He had registered a domain, chunkhost.info, and “Would you please change our email from support@chunkhost.com to support@chunkhost.info?” sounded convincing enough that Sendgrid went through with it without bothering to verify anything.

So why would someone want to take over our Sendgrid account?

Sendgrid has a feature that allows you to BCC every outgoing message to a separate email address. Once they activated that feature, they initiated password resets on the two accounts they were after, both of which are Bitcoin-related.

The password reset email was indeed delivered to our customer, but also BCC'd to the attacker. With the password reset link, they could change the password and access our customers' accounts.

Luckily, the affected customers were both using our Two-Factor Authentication feature. This means you not only need a password, but a token generated by your phone to log in.

Our customers' accounts were protected and the attackers were stymied. But it was really close.
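
The chain described above, modelled as an added example (not ChunkHost's or Sendgrid's code): a reset link leaked through a BCC lets the password be changed, but login still fails without the phone-generated code. The Account class and function names are hypothetical, and the phone token is assumed to be standard TOTP (RFC 6238).

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code an authenticator app displays."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    # Hypothetical account model; not the hosting panel's real implementation.
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret           # shared only with the owner's phone
        self.reset_token = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def request_reset(self) -> str:
        # The token travels by email, so anyone copied on that mail sees it.
        self.reset_token = secrets.token_urlsafe(32)
        return self.reset_token

    def redeem_reset(self, token: str, new_password: str) -> bool:
        if self.reset_token is None or not hmac.compare_digest(token, self.reset_token):
            return False
        self.pw_hash = self._hash(new_password)
        self.reset_token = None                  # single use
        return True

    def login(self, password: str, code: str, now: float) -> bool:
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        # Accept the current and previous time step to tolerate clock drift.
        code_ok = any(hmac.compare_digest(code, totp(self.totp_secret, now - d))
                      for d in (0, 30))
        return pw_ok and code_ok                 # the mailbox alone is not enough

def simulate_bcc_reset_leak():
    now = 1_395_500_000                          # constructed timestamp
    acct = Account("owner-password", b"constructed-totp-secret")
    leaked = acct.request_reset()                # copy read from the BCC'd mail
    changed = acct.redeem_reset(leaked, "intruder-password")
    intruder_in = acct.login("intruder-password", "", now)  # no phone, no code
    return changed, intruder_in
```

In this model the reset token never touches the TOTP secret, which is why control of the mail path stops at the password.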

Within about 20 minutes, we’d noticed what was happening and blocked their access. We disabled password resets, reset all sessions, and switched to local mail relaying. Once we were confident that things were locked down, we had a back & forth with Sendgrid. Yesterday, they told us this:

It appears that the email address on file was changed...to support@chunkhost.info by our system, which pretty much confirms your suspicion that these people convinced one of our representatives to change the email address on file. After the email address was changed, they were able to simply request a new password and gain account access. This should have never happened and we take things like this very seriously. I apologize that you've had to deal with this and I will make sure that we re-iterate with out [sic] staff that we have policies like that in place for a reason.

Be careful with third-party mail senders!

We are continuing to send our own email while we explore other options, but other companies should take notice and not make the mistake we did. If your accounts are ever a target for break-ins (especially if you do anything related to bitcoin!), protect yourself and your customers by sending your own mail.

Rebilling Bitcoiners
By Josh Jones, posted on Tuesday, January 21 at 2:33 PM

Heya! We started accepting Bitcoin (in earnest) back in September... so enough time has now passed that we thought we should do some analysis on how people who paid with Bitcoin compared to those that did not!

And there you go.. for people who signed up for ChunkHost from September through November 2013, essentially the same percentage are still active now no matter what form of payment they signed up with.

However! There is a big difference when you see how Bitcoiners vs. Non-Bitcoiners close their accounts. Non-Bitcoiners actually go in and close out their account.. I assume because otherwise they would continue to be charged on their credit card!

Bitcoiners are much more likely to just stop paying, and wait for us to notice and eventually close their account for non-payment.

Can't say I blame em!

ChunkHost Gets 30% of November Revenue in Bitcoins!
By Nick Langer, posted on Wednesday, December 18 at 7:07 PM

Crazy Bitcoin Revenues

Here at ChunkHost, we don't consider ourselves a Bitcoin company any more than we're a Visa or PayPal company. We just provide the chunkiest VPSes on the market at great prices, with awesome support, Josh's crazy sense of humor, and all the other perks our customers have come to expect!

But we are nerds and Bitcoin investors ourselves, so naturally, we've been accepting it since 2012! For much of that time, we didn't do anything to publicize that fact. We figured we'd just accept it and they would come! And we did get the occasional Bitcoin payment, but for the most part, people ignored it and just used their Visas.

August 2013: Bitcoin Revenue Explodes!

All that changed as soon as we began announcing our Bitcoinage more loudly! Around August, we came up with a new pricing scheme that involves you getting chunks as big as 8GB for just $9 a month (after a reasonable one-time fee), and we announced on Reddit's r/Bitcoin and BitcoinTalk that we accept Bitcoin!

Shockingly, new customers started spending their increasingly-valuable coins with us! And despite the recent Bitcoin price drop (curse you, China!) people are still spending them like nothing happened!

We want your Bitcoins, too!

If you're in the market for a very chunky VPS with crazy fast SSD drives, you should check us out! We offer a 5% discount when you pre-pay with Bitcoin, and our prices are pegged at the MtGox exchange rate (which everyone knows is too high!)

How to Mine Bitcoins using ASICMiner Block Eruptor USB sticks
By Nate Daiger, posted on Saturday, November 23 at 9:20 AM

Guess who doesn't pay for electricity in their office?

We love Bitcoin, and while we haven't done much mining since GPUs got involved, last week Josh saw some little ASICMiner Block Eruptor USB sticks available for $30 each and figured they would be fun to mess around with.

With 16 of the cute little guys, a powered USB hub, and a slow afternoon, we got to fiddlin'.

An eruption of Eruptors

We weren't surprised to find that a lot of the information about how to set up the mining software to talk to the USB sticks was out of date, so here's how things stand in November 2013 if you're mining with ASICMiner Block Eruptor Sapphire USB sticks on Windows.

Password Resets Suck
By Nick Langer, posted on Tuesday, November 12 at 11:43 PM

Computer security still sucks..

Computers sure are a lot more impressive than they used to be. Even security is getting better -- it's been 10 years since we last saw an OpenSSH remote root exploit. Oh sure, we still have Adobe's severe exploit of the week, but for the first time in forever, it almost seems that you can stay secure if you know what you're doing!

BUT one thing still makes us knowledgeable folks an easy target, and that's password resets -- they're everywhere, and they all suck. Well, most of them, anyway. A hacker who knows the last 4 digits of your credit card, or your mother's maiden name, or your social security number can call up just about any organization and convince them to reset your password and send it to a totally new email address in Latvia.

With any business decision, companies weigh the costs and benefits. Allow password resets, and a handful of high-profile tempting targets will get pwn3d. This will make them angry, since they didn't do anything wrong (such as using Adobe products) and they still got hacked. So, they'll write scathing articles about your company's security. You don't want that.

Deny password resets, and those smart and security-conscious people who only ever boot OpenBSD from their known-clean thumbdrives will stay perfectly safe. They'll love you. But what happens when one of your normal customers actually forgets their password? It'll be his own damned fault -- after all you warned him that you don't ever reset passwords -- but he'll still be pissed at you. You don't want that either, but since normal customers outnumber the "high profile tempting targets who run OpenBSD" at least 100,000 to 1, their convenience matters more.

..but not at ChunkHost!

Here at ChunkHost, we let you decide whether to have password resets!

For normal people, we have a sensible reset mechanism that doesn't involve verifying things that a private investigator could look up in 5 minutes. Instead, we ask you details about your ChunkHost account, and challenge you to prove that you have access to the chunks themselves. And all of this is done by a very paranoid human, not a computer program or a support drone reading a script.

Or if you're truly paranoid, just contact us at support@chunkhost.com and request that password resets be disabled for your account! Then, it's up to you to keep your password and two factor authentication from getting lost, but you can bet that no one will break into your stuff through us!

Satoshi Nakamoto == Adam Luna
By Josh Jones, posted on Monday, November 11 at 2:20 PM

As you might know, we accept Bitcoin for payment here at ChunkHost, and we love it. So much we give a 5% discount whenever you pay with it!

As you also might know, Bitcoin was invented in 2009 by an anonymous person or persons under the alias of "Satoshi Nakamoto".

For the last almost five years, there's been a lot of speculation about who this "Satoshi Nakamoto" was, and if there are any clues from the name itself.

Every time I read about that though, there's always some comment that "Satoshi and Nakamoto are very common names in Japan... it's kind of like 'John Smith'."

I decided to do some research on this!

It turns out, Satoshi is the 69th most common male first name in Japan (source) and Nakamoto the 492nd most common surname (source)! (They use Yamada Taro as the most common placeholder name in Japan.)

Which would make it the equivalent of Adam Luna (source and source) in America!

As in:

"Who is buying all these Bitcoins?"

"Oh, probably just your average everyday Adam Lunas!"

Arch Enemy
By Josh Jones, posted on Monday, November 11 at 1:59 PM

Surprise!!

We now offer Arch Linux as a default install OS (along with Ubuntu, Debian, and CentOS) for your Chunk!

Who knows why you'd want it, maybe you?

What's in a name?
By Josh Jones, posted on Monday, November 11 at 1:22 PM

What's in a name?

WHO CARES BECAUSE NOW YOU CAN RENAME YOUR CHUNKS FROM OUR PANEL!

When you do rename it, it stops your chunk for less than a minute, but don't worry, your IP and everything else remains the same when it comes back up.

You'd still have to manually edit /etc/hostname and /etc/hosts (and possibly other stuff) if you want your chunk itself to be aware of its new name. But if you just want to change the name in our control panel, now you can!