Bitcoin Forum

I was asleep when the whole Mtgox hack incident went down (apparently).  I am surprised by the reactions I see on this forum; it reminds me a lot of young children being told for the first time they can't stay out and play after 8pm: tantrums, yelling, and wild accusations of unfairness.  If you have half a brain in your head and you care about Bitcoins, then please consider the following important points:

• Bitcoin is still an extremely young technology.  Nobody in the Bitcoin community, including developers, can tell you with certainty that everything will work out successfully, because none of us have ever done this before.
• Due to the disruptive nature of Bitcoin, it will attract a lot of both positive and negative attention.  Even after this Mt. Gox incident is over, there will be future problems with deception, fraud, theft, and misuse.
• We need more attacks in order to secure a bright future for Bitcoin.  I know this statement will aggravate lots of people.  However, it is a fundamental property of engineering complex systems: if you haven't tested it, it's broken.  This means until we have actually tried to compromise the system in ways which we know are possible to observe the effects, we can't declare Bitcoin a secure system.  One large such example is an attempt to split the blockchain.  I fear that until someone actually tries this, there may be more serious issues lurking which we can't forsee.
• Bitcoin is not a substitute for common sense.  Just because we can all use our shiny new currency does not mean basic needs like authentication, trust, and good financial engineering practices aren't necessary.  The Mt. Gox hack was a basic failure of secure website design, and as far as I'm aware does not represent any compromise to viability of Bitcoin itself.

My sympathies to any of the Mt. Gox users hacked in this incident.  With that in mind, I'm sure there will be better more robust trading exchanges available in the future, and something tells me we will do a good job of learning from hard lessons.

Bravo! (Applauding emoticon)
I agree 1000%! This is not BitCoins insecurity! It is the users/web site security issues! Problems now, help to discover flaws that need to be fixed! So that, these issues don't arise again, and lead to more secure solutions in the future!

+1

I agree. This is NOT a result of the shortcomings of BTC. It appears to be a website security issue. Bitcoins are OK.

Apparently Mt Gox was not hacked through SQL injection.

"It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked."

So it was not website insecurity, but poor practices.

Buy and hold. Good luck men. If it goes lower buy more.

Everyone stop panicking and read this.

+1
 For helping remind people not to panic.
I'm trying to do the same:
When the Hot Deadly Lava from MtGox is Inches from Your Feet how Will YOU React? (http://forum.bitcoin.org/index.php?topic=19880.0)

It's a learning process.  It's going to be painful but hopefully in the end, it will make the bitcoin stronger.

How do you know with such certainty that this "test" has not already taken place?

If you can find a suitably sized machine/network (~6Thash/s) we could test it ... but the days of a feasible >50% attack are behind us with the current technology ...

... there have been some pretty impressive ramp-ups and collapses in network hashrate that suggest such "tests" have already taken place in the past.

+1

+1 Great !

+1

Hooray!

One thing that will help is if someone can post up a set of good secure design practices. This will help those developing new Bitcoin based websites to ensure that their sites won't get immediately cracked. I'm thinking of a minimum set of architecture requirements that can be used as a ticklist.

I'm not simply saying "TrueCrypt your wallet!" - that advice is fine for casual users. If you're developing a large scale system with lots of wallets what would you do to ensure the safety of your clients?

to me it sounds like a rouge auditor not getting paid enough ... or a semi pro using a compromised windows machine.. eitherr way there is going to be many more heists oof btc in the future like this.. its to be expected.. i think only looser here is mtgox as their rep is screwed now.. time for more exchamges to come out of the woodwork and put down the mtgox monopoly... but who to trust .. whos next to get greedy and slam some more bad press around .. totally expect more of the same

Yes... Somehow a cracker just happened to manually discover and root a box with a db connection to Mt. Gox out of the blue. And this excuse comes from the same people who have been disregarding all the recent reports of compromised accounts as client infections?

Finally it's like we are back at the beginning of the year when forum was still filled with adults. Thank you for this because I share the exact same sentiment.

Most important thing we have to remember now and in the future is that this is just the beginning. We are all early adapters and we have got to play the part in helping it become mainstream. No one else will do this for us. We have yet to face the real challenges of bitcoin which are ahead and the community can't forget that many people/organization with lot to lose will try to throw wrenches in bitcoin's path. This is just small bump of the road that really didn't do anything to compromise Bitcoin's actual security. Media outlets will already do the jobs of sensational reporting when infact it was just a compromised computer of an auditor which compromised the db of a single exchange.

+1

One principle of web site design for the Exchanges to follow is "Defense in Depth".  don't depend on a single feature to be your security, all aspects of the system require minimum access privileges and very fine grained audit controls and monitoring.  If one has permissions to access a database it should be further restricted to what tables and rows are appropriate.  All the way down to every file on every system in the enterprise.  Who owns it , who can read it (and how often!), who can change it.  who can delete it.  Keep in mind that once it is read it can be let loose in the wild with another few steps.  That has to all be monitored and logged.  and the system must do it automatically and with alerts to the watchers.

+1

i totally agree with all you said

Great post.  These are very real growing pains that this emerging currency is going through.  It's not gonna be a smooth ride with the amount of people who feel threatened by the idea of a decentralized currency becoming mainstream, but as long as you try and keep a level head while ignoring the chicken little doomers you should be fine.