All you jaded males remind me of ladder theory proponents and anti-marriage zealots. You deserve your loneliness and the quality of women whom you encounter is a direct result of your own lack of quality as a human individual.

Enjoy your increasingly frustrating and lonely lives, fools!

If you're reading this, you may be concerned or interested or exasperated over rumors of SHA256 weakness and in turn the implications for Bitcoin.

Stop reading now and rest assured in the knowledge that Bitcoin is safe for the rest of this decade if not century with regards to SHA256.

In fact, Bitcoin is probably safe beyond this century for reasons I will explain in more detail. First, let us discuss potential attacks against cryptographic digests (hash functions) in order of difficulty:

1. Collisions with less effort than expected on reduced round variants of a digest.
2. Collisions with less effort than expected on the full digest.
3. First-order preimage attacks against reduced round variants of a digest.
4. First-order preimage attacks against full digest.
5. Second-order preimage attacks against reduced round variants of a digest.
6. Second-order preimage attacks against full digest.
7. Practical attacks applied to full digest in the wild.

Yes, that's right. Bitcoin is safe until all of pins 1-6 have been tackled, and even then the costs are likely to make such efforts against Bitcoin impractical.

Even MD5 and SHA-1 are only vulnerable to #'s 1 and 2.

Find this subject interesting? You might like "The code monkey's guide to cryptographic hashes for content-based addressing" which is relevant to Bitcoin: http://valerieaurora.org/monkey.html

Now we can all go back to the illuminati and hacker threads.  Thanks!

++

Even BitcoinPorn chimed in!

If they are about to take a bitcoin related case I will revoke my ill feelings on this matter. Until then, their decision just appears cowardly.

A sensible stance for a risk averse coward of an org. I guess that is EFF now... :/

EDIT: Also, why the need to exchange? Keep them and use them as currency in and of themselves when services they need can be compensated in bitcoin. Throwing them in the faucet when they were donated in good faith is just disrespectful. [Letting them "circulate in the community" is better than nothing yet still disappointing. Run a Tor node on bitcoin server, anything instead of dismissing them whole.]

You are clearly a poor programmer. Get over yourself.

Correct. This is actually a feature borne out of wisdom dealing with lots of different languages and runtimes which may not support floating point math accurately or as expected when doing conversions to other types.

gigi is the idiot.

EDIT: and just to clarify, using a string type let's you, the API user, determine how to re-cast and interpret the value rather than dealing with side effects of some implementation which tries to "do the right thing" by default.

I heard this and thought, "Wow, that's pretty conscientious and considerate of him!"

Only annoying if you use weak sauce passwords. Are you full of weak sauce and annoyed?

Most of the requirements are "Duh" common sense. They also require testing, and have audit controls or compensating controls to identify issues early and mitigate them before they become a disaster. (in theory, see how Sony messed up PA-DSS compliance

Sure, I hate PCI-DSS bureaucracy as much as the next person, but the fact remains too many of these vulnerabilities arise from "Duh" stupid stuff they've overlooked. MtGox isn't even trying!

If you adhere to common technical standards and practices (PCI-DSS, OWASP, etc.) you're at least making an effort and protecting against the stupid stuff. Almost none of these exchangers are even doing that basic level of due diligence!

Media whore'ing opportunities like this happen once a lifetim^H^H^Hmonth in bitcoin land!  Gotta make every second and eyeball count!

All potentially revealed in about 2 days for anyone using 8 character passwords or less...

Here is a reduced set of the leak containing username and email. Anyone running bitcoin related sites where logins may have been re-used: Please protect your users and temporarily lock-down these accounts until a password reset has been performed!

http://76.74.251.235:27582/mtgox-accounts-name-email-only.csv

These users should know better than to re-use credentials, but many are not being smart. Limit damage if possible.

16 character alphanumeric. MD5 can be weak as snot, unsalted, and exposed via SQLi and I don't care.

Don't be sloppy with password management!

All of you re-using passwords between sites, re-using usernames and passwords between pools or miner accounts, re-using same email addresses across forums and exchange accounts, ALL OF YOU ARE ASKING TO GET PWNED!

What will it take for this message to sink in? cracking the MtGox hashes shows the majority of you are still being lazy...

These exchanges are dealing with big sums. In typical industry such systems are at least engineered to PCI-DSS standards with the software itself passing PA-DSS audit and requirements.

How many exchangers audit their systems? (appear to be none)
How many exchangers have per-account controls on funds? (A few now, it seems)
How many exchangers use hardware security modules to protect records? (appear to be none)
How many exchangers use a red-team or pen-test specialists to look for holes? (appear to be none)

This is pretty lame and these exchangers are fairly untrustworthy! (by nature of their vulnerability regardless of intent.)

A series of studies, "Peacocks, Porsches and Thorstein Veblen: Conspicuous Consumption as a Sexual Signaling System," was published recently in the Journal of Personality and Social Psychology.

A peacock's tail is beautiful: magnificent plumage, iridescent colors. Alas, it is also wasteful. It takes a tremendous amount of energy to develop. Sound like bitcoins?

Sexual signalling really works -- just not necessarily as intended when a man buys the biggest TV or the flashiest car or has the fattest bitcoin wallet.dat.


The moral of this story: Don't marry a guy who has bitcoins!

Ref: http://www.startribune.com/lifestyle/relationship/123994144.html

It is the Russians! Or LulzSec! Or Anonymous! Or the CIA! Or China! Or the FED!

(I think that covers all the standard speculative sources...)

Don't believe anything you read on these forums about attacks and hackers. Almost all of it is noise and nonsense!

Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d

Have fun! ;P

EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud!

LSD and Berkeley UNIX too.

The malicious .SCR trojan private messaged to members of this forum is identified as Induc.A on all the popular A/V products. It looks for wallet.dat to send via mail relay to hotmail drop as previously discussed. 

Looks like more and more bitcoin malware is popping up... everyone is running up-to-date anti-virus, right?

Do you have a set of subjects to cover? Did you find something in bitcoin design or implementation or existing network worth discussing at DEF CON? Do you know what Dan Kaminsky has planned in his "BitCoin: Network Manipulation for Fun And (Literal) Profit" presentation?

Fill in some blanks and I'll give you input/feedback

Check out: https://www.defcon.org/html/defcon-19/dc-19-speakers.html

Anyone going to be running a cash / kit / coin exchange at DC19?