Bitcoin Forum
  Show Posts
101  Bitcoin / Bitcoin Discussion / Re: Trojan Wallet stealer be careful on: June 23, 2011, 12:21:18 AM
3) Can you copy the blockchain from a "used" potentially infected computer to implement in new installation without infecting the new installation too?

Strictly speaking you can't assume so. Practically, it depends on what attacks are possible against the transfer medium and the blockchain itself. For example your OS might prescan inserted USB sticks and contain vulnerabilities in this code (this is a known attack vector), regardless of any autoplay settings. The blockchain could be doctored to include buffer overflow initiated code (the client could contain parsing bugs, I bet this has not been vetted yet). The blockchain could even be replaced by something like a specially crafted PDF file with attack code in it. There was a nice Adobe bug where when you installed the suite it would add a PDF parsing service to Windows which had a buffer overflow vulnerability. In a default setup Windows is set to periodically scan for new files for its indexing service. When the indexer comes across a PDF file, the Adobe service would be called to parse it, boom, infected. So just having the file on the system, without opening it, would infect it.

A similar exploit was possible on the Amiga, in ancient times (Kickstart 1.2) when the OS detected a filesystem problem it would automatically invoke the checkdisk program (pretty advanced for the time), but would try to load it from amongst others the floppy. Floppies were autodetected, so if you inserted one with a purposefully corrupted filesystem, and put your own doctored checkdisk program on there it would autoexecute. This in light that bootsector viruses already existed but were only executed when booting from them.
102  Bitcoin / Bitcoin Discussion / Re: Trojan Wallet stealer be careful on: June 22, 2011, 11:45:39 PM
In the years I've had this setup I haven't been compromised.

How do you know? Are you doing a daily memory dump and auditing it? Smiley
103  Bitcoin / Bitcoin Discussion / Re: EFF donations and the Bitcoin Faucet on: June 22, 2011, 11:30:05 PM
They should just shred the wallet file. That would be equivalent to giving a little donation to every other bitcoin user in proportion to how many bitcoins they have.

That would constitute taking funds out of the pockets of people who support the EFF directly and giving it to people who didn't care. This will not educate those who don't care, it would reward that behaviour.
104  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 22, 2011, 11:16:25 PM
If Kevin is truly the savior of mtgox, then a roll-back should still happen

Mind you, if at all, then in an inadvertent capacity. He was admittedly out to make a good deal, and the fact that he tried to transfer it out immediately only underscores his awareness that Mt. Gox would be quite opposed to that (because it would bankrupt them).

BTW, Kevin went to IRC after having failed to transfer out the whole balance. There is no reason not to assume he did that to salvage that failure. How much are you willing to bet he would have returned the balance if successful and not also 'given it to someone to hold in escrow until things are cleared up'? If things got nasty, that's a very large legal fund right there.

It would also be quite recursive if the lawyers accepted Bitcoin Smiley
105  Bitcoin / Press / Re: Bitcoin press hits, notable sources on: June 22, 2011, 10:42:28 PM
Slashdot editors seem to find Bitcoin very interesting, two more articles:

EFF stops accepting Bitcoin (comments generally of type "see, it's bs")
http://yro.slashdot.org/story/11/06/21/1433207/EFF-Stops-Accepting-Bitcoin-Regifts-All-Donations

Second one is an interview with the proprietor of Britcoin and Bitcoin Consultancy, Amir Taaki. This one is pretty positive of course, but Amir mistakes his audience and gives a lot of marketing answers, here and there evasive ones. Highly moderated comments are mostly negative, but they are quite biased and badly misinformed in places (some by the same detractors as before). Slashdot quickly takes offense to topic frequency.
http://interviews.slashdot.org/story/11/06/22/1737237/Amir-Taaki-Answers-Your-Questions-About-Bitcoin
106  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 02:42:50 PM
So yes, one account with 500k BTC can fill every buy order on the market at the time,

and still have about 260K left waiting to be sold at 0.01 each.

Heh, so could it be that Kevin actually saved Mt. Gox? If his buy order went in just as the hacker's sell was winding down and he was the first to buy in quantity, Kevin snapped up the balance and the hacker could not transfer out anything because he sold the complete balance (didn't see that coming). Unless Kevin was the hacker or associated with him, of course.

Still, rollback is the fair thing to do.
107  Bitcoin / Bitcoin Discussion / Re: EFF donations and the Bitcoin Faucet on: June 21, 2011, 01:33:09 PM
Why not give them to Bruce Wagner's "bitcoin firehydrant"? At least we'd get a nice publicity event that might be pro bitcoin for a change when a million people queue up for free bitcoins in NYC.

I think a lot of people who donated to a non-profit will object to the difference with what Bruce is doing. Holding on to the coins until the EFF comes off the fence would be best I think.

Very high level of signal to noise ratio in this thread, lots of thoughtful posts, how refreshing Smiley
108  Bitcoin / Bitcoin Discussion / Re: Gavin will visit the CIA on: June 21, 2011, 12:50:56 PM
I am more worried about the SEC and the IRS.
CIA's main mission is foreign intelligence... as long as it is not used as a means to finance terrorists, we will be okay.

LOL, "Eh Ahmed, we got those Bitcoins in. We can now blow up the embassy!" checks exchange "Wait, we can now shoot five bullets at the embassy!" checks exchange again "Wait! We can fly a plane into the embassy!" checks exchange "Hold on, I'm not sure we can afford a plane, but maybe a car.. 2 bullets.. pickup truck! Pair of sandals.. By the prophet's beard Ahmed, let's just go over and surrender" Grin
109  Bitcoin / Bitcoin Discussion / Re: The kevin situation is like... on: June 21, 2011, 11:55:15 AM
At the time of the purchase (if he wasn't the attacker) he might have just bought speculating.

Read his post again. He clearly states he surmised what the seller was trying to do (drive price down to nothing to get as much BTC out as possible), and he even played on it before it got there, putting in a price just above what others were likely to offer. Clearly speculation with premeditated profit in the first degree Smiley
110  Bitcoin / Bitcoin Discussion / Re: Poll: Rollback, No Rollback? on: June 21, 2011, 11:31:08 AM
Someone in the other thread got 3000 passwords in an hour with a GPU.

It was 300 IIRC. There's a file in pastebin with some 600 passwords, cracked by people who specialize in cracking passwords. I wouldn't expect that number to grow much from there.

I quote:
"The salted crypt() hashes are more difficult to crack but so far I have found 2706 out of 59236 passwords of the database by just one hour GPU dictionary-based cracking."

Granted, dictionary based, but still.

How about these for the likeliest scenarios:
1. It is someone who wants to remain anonymous and is only communicating with MtGox. In my experience, rich people often like to keep low profile.
2. It was MtGox's own account where all the fees had been collected.
3. It was the account of an early adopter, who stopped following bitcoin before it was worth anything, and is completely unaware of what's happening.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.
The first one is very unlikely too. Who in their right minds keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks. Could be on holiday too I guess, but again extremely unlikely.

The most likely of those three therefore would be 2. I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.
111  Bitcoin / Bitcoin Discussion / Re: Poll: Rollback, No Rollback? on: June 21, 2011, 08:59:10 AM
Mt. Gox doesn't want to admit that it was a hack. Their official statement is:
  • It was only ONE account hacked.
  • Their systems weren't compromised, they weren't hacked.
  • Their userbase was leaked, but it is not related to the market crash.

This may be down to misinterpretation and miscommunication. Or down to lack of knowledge. I'm speculating that BTC balances from multiple accounts can be pooled within Mt. Gox, but have no idea if this is true or not. If they have some kind of internal representation, it could be. If not, we should see a lot of pooling into an ever growing account in the blockchain. They might also have an administrative account that has a 'view' on all accounts' BTC pooled together for automatic backup purposes or similar. If this one was hacked, then their statement makes sense. If it was one big account by a third party after all, they could shaft this user and get away without major losses, after all if the password was reversed from a hash, it must have been weak. Then again, they are still responsible for securing their db, be it at an auditor or not.
112  Bitcoin / Bitcoin Discussion / Re: Forum moderation policy on: June 21, 2011, 08:39:32 AM
Entertaining threads are, by definition, not useless.

True. Problem is, most of this forum is entertaining in one way or another, I'm only here three weeks (2 lurking) and I'm already trying to kick the habit Smiley
113  Bitcoin / Bitcoin Discussion / Re: Trojan Wallet stealer be careful on: June 21, 2011, 08:13:38 AM
I don't think that the CPRM built into SD Cards actually does that, though I have been putting off re-reading the publicly-available specs.

The Device lock-in seen on the Windows Smart phone may actually be part of the ATA spec instead.

From the kb page you linked:
"When the operating system integrates the SD card with your phone:
 .. 3. It locks the card to the phone with an automatically generated key."

No mention of ATA there.

From Wikipedia on CPRM:
"(CPRM/CPPM) is a mechanism for controlling the copying, moving and deletion of digital media on a host device"
"A controversial proposal to add generic key exchange commands (that could be utilized by CPRM and other Content protection technologies) to ATA specifications for removable hard drives was abandoned after outcry in 2001."

The issue is from last year:
"If you pull the SD card out of a Windows Phone 7 mobile, the whole phone stops working. It's bricked. Except for making emergency calls, you might as well carry a rock -- an expensive one, at that. You have to put the original SD card back into the phone for it to work properly.

You can't take the data off using any SD card reader I've been able to find. You can't put the SD card in a different Windows Phone 7 mobile -- that nasty reformatting habit kicks in. It can't read it, can't download or sync the data, nothing."
114  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 07:29:10 AM
TLDR translation:

Hi, I'm Kevin. The other day I went to the gym and saw a guy get jumped and knocked unconscious in the locker room. The attacker rifled the pockets of the dude on the floor and took off. I smelled an opportunity but since there were others in the room I moved in closer to have the first go at him after the attacker. I quickly put the loot in my locker so no one else could get at it and immediately wanted to take as much as possible of it home, but found that my pockets could only hold a fraction. I knew there were loose bricks on the other side of the wall behind the lockers, but thought I might be committing something illegal if I went for it. Since my fingerprints were all over the place, I immediately went to the janitor and told him who I was and what happened, but he appeared to be on the phone. So I went to the library and put up a note explaining things, hoping for visitors there to gather on my side, and giving reasons why the dude who got jumped should let me keep the booty. I'm thinking some other looters may help me out a bit, and maybe some others who think the dude should have expected to be jumped, after all the gym locks were broken a couple of days ago and he didn't seem to care.

This isn't a legitimate opportunity, it's grave robbery.

I can't believe the greed dripping off my screen. You know it would be fair to roll back, but boy, being a millionaire does sound good. Whatever Mt. Gox' history, this is not right.

You are correct Kevin to take this approach. I believe Mt Gox tried to fuck everyone, especially you.  I believe they may have stolen bitcoins from accounts, then tried to sell them to buy them back up, thus laundering them into their own hands.

I think you better file suit, Kevin, or you are going to look like the hacker in everyone's eyes, maybe even my own.

Kevin, after what Mt Gox did in the "their side" thread to try and CONNECT YOU with the hacker, I sure as hell hope you file that injunction.

Agreed. It's ON!

There is and will be, and should be a full on WAR!

ROFL, so when and where does this fight between you and MyFarm take place? So far you were hanging over the precipice of the 'conspiracy researcher' ledge, hovering above the 'paranoid crackpot' abyss, but your FUD here (first attacking Mt. Gox, then turning on Kevin, as long as there is strife eh) makes me think you're a plant.
115  Bitcoin / Bitcoin Discussion / Re: Which side are you on? on: June 21, 2011, 04:52:08 AM
Who's Jesus?

He came down from Mt. Gox. Actually, it's this esse at the corner chop shop. Dude has an attitude. Maybe BCEmporium hit him too much when he was a kid. And he must be pretty screwed up, hitting on his mom like that.
116  Bitcoin / Bitcoin Discussion / Re: Poll: Rollback, No Rollback? on: June 21, 2011, 04:37:42 AM
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.

Erm, the db dump contains 60k users. It's not one account, it's thousands. Someone in the other thread got 3000 passwords in an hour with a GPU. md5 of a weak password is trivial to break, with or without salt. Most of that is the user's own damn fault, some used the same password as account name, even the same password for their E-mail, how dumb can you be?

What is most likely to have happened is this: the BTC balance of several thousand accounts was transferred to one account. This can be scripted to either log in via https or whatever, or more likely to use the trading API (faster).

From this single account, it doesn't matter which, could have had 1 bitcent on it, the accumulated 400k BTC was sold as a single order at 0.01 USD/BTC. Which absorbed all the outstanding buy orders and crashed the price down to 0.01.

After which the attacker possibly has 100k, 300k, whatever BTC left in this single account. He immediately transfers out 100k to his own Bitcoin address (100,000*0.01 USD=$1000). If he has time, he transfers the rest of the balance to another account so he can once again transfer out $1000 worth of BTC, and gets out another 100k. Or maybe it's just 80k if other automatic sell orders are placed in the mean time. Repeat a few times until it's either blocked or you have transferred out everything.

The big question now is how Mt. Gox handles the $1000/day limit and whether they immediately transfer out BTC or have some internal mechanism that delays things or possibly even tries to detect suspicious activity and halts them for operator approval for example. If they are smart and take $1000 over the average of the past 24 hours for example, then maybe $1000/(17.5/2)=114.29 BTC is lost (per account), which they can easily absorb. If they don't, and have no mechanism to filter/delay things (including massive amount of withdrawals close to $1000 from multiple accounts), then they are out of business and a bunch of people lost all their assets.

It was NOT one account with 400k BTC. Maybe a few big ones in there, but can't imagine anything that big. Your own damn fault too if you had say 50k BTC in there with a weak password.

The reason for rolling back would be to protect people who do automatic trading who don't have protection for something crazy like this. Your own damn fault too, but they could sue Mt. Gox for the breach.

On the other hand, the people who got their hands on massive amounts of BTC at 0.05 or whatever might sue for losing this golden opportunity. They would be assholes, but could win.

IMHO it's the proper and fair thing to roll back, not because Mt. Gox would protect their own asses, but because it just would be. I don't have any assets or affiliation with them BTW.

BTW, even if it was one account, he/she cannot know of this yet (and consequently not rave from the mountaintops about it), since Mt. Gox has only sent out a generic mail about the hack, and if people can log in already to look at their balance, it will show the post firesale balance, before the rollback, which either says they haven't been hacked (balance is there), or they have, and since Mt. Gox explicitly state no balances are lost, their balance will be returned. If this is not the case they have a problem, unless they can cover it up by not actually (fully) covering the BTC balance and hoping they can slowly gain it back through regular trading before someone withdraws a large enough balance, or before they can get a loan from someone to be fully covered again.

If the thief succeeded in large transfers, they should show up in blockexplorer. I haven't bothered to look yet myself.
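As an added illustration of the withdrawal-limit point in the post above (example code written here, not Mt. Gox's or anyone in the thread's): it prices the $1000/day cap once at the last trade and once at a 24-hour time-weighted average, using the post's 17.5 USD pre-crash price and a crash to 0.01 USD, and flags the "many accounts each withdrawing close to $1000" pattern the post mentions. The price history, accounts, window and thresholds are constructed.

```python
from collections import defaultdict

DAILY_LIMIT_USD = 1000.0          # the $1000/day cap discussed in the post
DAY = 24 * 3600

# Constructed 24h price history (assumption): 17.5 USD/BTC for 12 hours, then
# one crash order pushes the last trade to 0.01 USD/BTC for the remaining 12 hours.
PRICE_HISTORY = [(0, 17.5), (43200, 0.01)]
NOW = 86400

def twap(prices, now, window=DAY):
    """Time-weighted average of (timestamp, price) points over [now-window, now].
    Each price holds until the next point; returns None if no data falls in the window."""
    pts = sorted(p for p in prices if p[0] <= now)
    start = now - window
    total = weighted = 0.0
    for i, (t, price) in enumerate(pts):
        t_end = pts[i + 1][0] if i + 1 < len(pts) else now
        seg_start, seg_end = max(t, start), min(t_end, now)
        if seg_end > seg_start:
            total += seg_end - seg_start
            weighted += price * (seg_end - seg_start)
    return weighted / total if total else None

def btc_allowance(reference_price, limit_usd=DAILY_LIMIT_USD):
    """BTC a single account may withdraw under the USD cap at the chosen reference price."""
    return limit_usd / reference_price

def spot_vs_twap(prices=PRICE_HISTORY, now=NOW):
    """Cap priced at the last trade (attacker-controlled) versus at the 24h TWAP."""
    spot = prices[-1][1]
    avg = twap(prices, now)
    return {"spot_btc": btc_allowance(spot), "twap_btc": btc_allowance(avg)}

def near_limit_burst(withdrawals, now, window=3600, fraction=0.9, min_accounts=5):
    """Accounts whose withdrawals inside the window total >= fraction of the daily cap,
    reported only when at least min_accounts do so (the pooled-drain pattern)."""
    per_account = defaultdict(float)
    for t, account, usd in withdrawals:
        if now - window <= t <= now:
            per_account[account] += usd
    hits = sorted(a for a, usd in per_account.items()
                  if usd >= fraction * DAILY_LIMIT_USD)
    return hits if len(hits) >= min_accounts else []

# Constructed withdrawal log (assumption): (timestamp, account, usd). Six accounts
# each cash out just under the cap within ten minutes; one regular user takes $40.
WITHDRAWALS = [(86000 + 60 * i, f"acct{i}", 990.0) for i in range(6)]
WITHDRAWALS.append((86100, "alice", 40.0))

if __name__ == "__main__":
    print(spot_vs_twap())                    # spot-priced cap vs TWAP-priced cap
    print(near_limit_burst(WITHDRAWALS, NOW))  # accounts hitting the cap together
```

With the last trade at 0.01 the cap releases 100,000 BTC per account, while the averaged price releases about 114 BTC, the order of magnitude the post arrives at.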
117  Bitcoin / Bitcoin Discussion / Re: Poll: Rollback, No Rollback? on: June 21, 2011, 03:56:23 AM
No way. I will not press unknown links on that forum, especially if that poll can be done right here.

Just a link. It's not 1996 anymore.

Actually, in 1996 it was just a link. Today, it's CSRF or autoinfection. Or worse, Rick Astley Smiley
118  Bitcoin / Bitcoin Discussion / Re: Forum moderation policy on: June 21, 2011, 03:46:06 AM
As long as it's not goatse, Alex Beckenham has a major point.

Also, some of the 'useless' threads are actually quite entertaining, if not educational (e.g. the Rawdawg and Bitcoin snail graph/meme ones).

I agree with the referral code one, though even that was interesting to see, some people are quite creative Smiley
119  Bitcoin / Bitcoin Discussion / Re: Trojan Wallet stealer be careful on: June 21, 2011, 03:38:40 AM
SD cards are not a secure floppy replacement: They include CPRM with device revocation. The "Secure" in "Secure digital" means "Secure from the user," not "Securely holds your data."

Yes, the write protection switch may help you avoid accidentally deleting your keys. Also blocking some virus from getting onto the SD card.

You missed his point. Just like DRM is a euphemism where the R stands for Restrictions rather than Rights, SD cards are securing the industry from the user. Some Windows smartphones will lock-in SD cards. That means after a single insertion into the Windows mobile based phone, they are *completely inaccessible* on *any other device*.
120  Bitcoin / Bitcoin Discussion / Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) on: June 21, 2011, 03:30:35 AM
Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?

Bad analogy. Correct analogy: OMG, all my horses have escaped and they had the combination to the safe tattooed on their back. Someone copied those numbers and it's in a few newspapers now. But thank god the barn door is closed and my horses are back inside, now I can sleep well again.

Seriously? Smiley