Bitcoin Forum
May 24, 2024, 01:08:18 PM *
  Show Posts
321  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 19, 2011, 08:13:44 PM
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so
322  Bitcoin / Bitcoin Discussion / Re: Solving the Problem of Agent Provacateurs on: June 19, 2011, 01:56:07 PM
There is only one solution that will work in any situation to solve the problem of infiltrants/provocateurs. It will work, regardless of the hierarchy of a forum, even regardless of the used communication medium. It will work regardless of whatever factor may influence the environment you are using to communicate. The best thing is it won't cause any technical issues or restrictions, and keeps everything accessible for everyone.

It's called individual common sense.
323  Bitcoin / Bitcoin Discussion / Re: Reports of MtGox being hacked ARE REAL (Fixed) on: June 19, 2011, 01:52:55 PM
JS being used in a website has little to nothing to do with the possibility of using JS to exploit said site.

Well it has everything to do with possibility to disable JS in browser, which users might want to do.

Even as makomk JS was not a necessity for THIS attack (just making it a bit easier by autosubmitting), overall it's better if users can turn off all JS. And say Flash (I recall some bitcoin sites, not cantors probably but at least stats pages - require it).

Javascript is a legitimate technology that is pretty much a basic cornerstone of the web as it is now. You can't just take that away. A way better option would probably be if browsers by default protect against CSRF attacks, like they do with XSS now.
324  Local / Nederlands (Dutch) / Re: Nederlands! on: June 19, 2011, 01:07:18 PM
A very good afternoon to you all.

Bought a whole bunch of Bitcoins a while ago. Even though I'm still in the plus, I don't plan to sell now. I see it more as a fun long-term 'experiment' or investment.

Should they end up being worth nothing, then in theory I've lost my money, but I'm willing to accept that. It's also not such a large amount that I, as a student, would become homeless. Besides, at a very low price I would simply buy up a whole bunch more, because chances are good that Bitcoin would eventually rise again.

The exchange rate is fluctuating a lot at the moment. Is this the result of people speculating, or does it have other causes (bad news in the press, fraud and hacking, etc.)?

You will probably find me back here more often. In any case, nice to see that more Dutch people are active, and a pity that I didn't discover this last September :D

Regards,

LE CLOCHARD
As far as I can see it is a combination of things. After the psychological barrier of $30 was reached, someone sold a mountain of bitcoins and after that it became a sort of snowball effect. Combine that with the news about the US government vs. Bitcoin, the theft of wallets, the break-ins at Mt. Gox, the DDoS attacks on a bunch of bitcoin-related sites, etc.... and then it's not so strange that things fluctuate :P
That will work out again :)
325  Other / Beginners & Help / Re: Bitcoin.org should provide for sending/receiving bitcoins on: June 19, 2011, 12:38:08 PM
The 2 biggest problems with bitcoin right now, affecting its growth, are security (which is being addressed) and difficulty of use.  Most people do not want to download a client.  It is a hassle.  Bitcoin.org should let people get an address, send/receive payments.  Get them to register with an e-mail address.  Build a list and start marketing bitcoin like you would a business.  For bitcoin to be successful, it needs to be easy.  Not everyone will participate in the p2p, but they need to be involved in the bitcoin economy.  I will let IT people chime in with the technical requirements for this.
There are already several webwallet providers that provide exactly this service. I believe they are also mentioned in various places in the wiki. I don't think that, for the sake of decentralization, it would be a good idea for bitcoin.org to run a web wallet service.

I know there's a psychological barrier involved in downloading the client, but from an ease of use perspective Bitcoin is not any more difficult to get started with than any other software package. It's literally install and go.

I agree, but the psychological barrier is an insurmountable barrier for many people and will restrict the adoption of bitcoin.  I would like to see more marketing from the existing web wallet services you mention.
There will always be a psychological barrier in systems that are so wildly different from the "conventional" systems. I believe it's better to educate people about Bitcoin and how it works, and help them get over that psychological barrier, rather than taking the "easy way out" and changing the system to meet what people are used to.

I understand where you're coming from, but consider this...say you are traveling and need to access your money at an internet cafe.  How do you do it?  I think the client has limitations.  For growth, I think the key thing is bitcoin is as easy to use as possible.
You could easily bring a backup of the wallet.dat on your USB thumbdrive. That being said, I think there should be an intuitive interface to manage things like USB thumbdrive backups etc.

There is always the risk of a wallet stealer running on an internet cafe computer, but then again - there's also a risk of a software or even hardware keylogger being present!
326  Bitcoin / Bitcoin Discussion / Re: This forum is waaaay to slow help is on the way! on: June 19, 2011, 12:26:13 PM
The reason this forum is so slow is because it is getting DDoSed.

If your Forumotion forum is going to get a similar amount of DDoS, Forumotion is just going to kick you off their service.

Any idea who is behind it?
Seeing as a considerable amount of Bitcoin-related sites was being attacked (I believe Mt. Gox had to turn to Prolexic?), it appears to be a person or group that doesn't want Bitcoin to exist.
Probably not Anonymous, probably not Lulzsec either, maybe a bank/government agency, but for all you know it may be one single person who owns a large botnet and just happens to dislike Bitcoin. There's not really a way to tell.
327  Bitcoin / Bitcoin Discussion / Re: Security Idea on: June 19, 2011, 12:22:40 PM
Some members of Anonymous and Lulzsec are robbing wallets and attacking sites of bitcoin markets.

Do not see how these people can help

All I gotta say is this:

http://pastebin.com/88nGp508

permit me to quote:

"BitCoin donations: 1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg"


Do some research before you claim things. That was an attempt to frame Lulzsec that has been widely publicized...
328  Economy / Marketplace / Re: Trojan Wallet stealer be careful on: June 19, 2011, 12:17:10 PM
What I do is have my wallet on a dedicated machine that is never used for anything at all! Encrypted partitions don't hurt. But I guess no one can ever really be truly secure! Perhaps transfer your money to a wallet that is never used online, stored in a couple of external drives. Maybe in Gmail, a nice strong password in 7zip is VITAL! Operating system doesn't matter, Linux isn't more secure because it's better but because it's not as profitable! If 50%+ of the world was on Ubuntu there would be just as much crap on there too!
Not entirely true. Linux is absolutely more secure by design, and even *if* more than half of the world was using Linux for their desktop machines, it would be considerably harder to write successful hardware for Linux systems than it would be for Windows systems.
I do agree however that a wallet stealer would be just as successful on Linux, seeing as your wallet is stored in your /home directory, and is thus accessible freely by anything you run. A "wallet stealer" really isn't anything more than something that emails/uploads a file in your user directory.

If anything, the wallet needs to be encrypted by default (through the client, and not by third-party software, so that you never need to have an unencrypted copy accessible as is the case with Truecrypt etc).
329  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 19, 2011, 12:13:13 PM
The coins stolen from Mt.Gox were not stolen using any CSRF exploit.

So they were stolen from Mt.Gox using another exploit...?

No, they logged in on users' accounts using the correct login and password. We have logs showing the login succeeded on first try.
Then I suppose you have the IP address of the person who logged in to the accounts?

Also, I have not yet received a response to my tickets #957/#1797, nor to the PM I sent you on this forum.
330  Bitcoin / Bitcoin Discussion / Re: I just got hacked - any help is welcome! (25,000 BTC stolen) on: June 19, 2011, 12:08:50 PM
The point is that when retailers/exchanges start following the blacklist it changes it into something that is controlled by an entity which may or may not have accurate information. 

It's just my opinion that Bitcoin is fine the way it is...if I lose all my BTC so be it...just like if I lose my cash so be it.

There is no central blacklist. There is no website that has a list. It would just be an option to avoid addresses you don't want to do business with. It's that simple.

If a retailer or an exchange chooses to blacklist an address, they lose business from that address. This isn't central control. It's voluntary.

You are trying to make the idea into big brother when it isn't. It's quite the opposite. I'll try to give you an example.

I'm suggesting everyone carry a gun to protect themselves and others from assault.

You are saying that I'm asking for a police force with authority that the average citizen doesn't have.

I'm only suggesting people police themselves. What is so scary about that?




By refusing to accept tainted coins you are indirectly forcing others to refuse them as well, because there is a risk they can't spend them on what they intended to spend them on. I am not even talking a centralized blacklist here, just the fact that there is a risk in that.

Not to mention that it's entirely impossible to implement this because there are plenty points (merchant wallets, exchanges) where coins get mixed up. You would be refusing coins for the single fact that they have at one point been used by someone with bad intentions. How does that make any logical sense?
331  Other / Beginners & Help / Re: Trojan Wallet stealer be careful on: June 19, 2011, 12:01:10 PM
No, even with encryption, if you are using Windows, a trojan can steal your wallet after having read the password with a keylogger.
In comparison, right now you can just steal the wallet file from a mounted Truecrypt partition in 2 seconds and be done with it. Comparing that to needing a keylogger for a prolonged time to be able to decrypt the wallet in the first place... an always-encrypted wallet would be a VERY good idea.

There's always the input-through-mouse PIN system.
332  Other / Beginners & Help / Re: Because BitCoin Software is P2P, is that not a security risk in itself? on: June 19, 2011, 11:53:47 AM
I refuse to use torrents because using one allows a hacker to instantly have an IP address with a confirmed probable Windows desktop PC behind it.

Whereas if they scanned IP ranges and passed by mine normally there would be no response at all.

Short of using something as cumbersome as TOR, is there no other way to prevent this happening? I don't want to be the subject of attack. Seems that there is now an even greater incentive to hack someone connected via P2P using this software (to steal their wallet.dat).

I don't think it's a coincidence that the guy who lost half million dollars in bitcoins did. He was probably targeted.

Without a massive-scale timing attack making use of so many nodes that you are connected to every single legitimate node on the network, there is, as far as I am aware, no way to determine how many bitcoins a person with a specific IP address holds.
333  Other / Beginners & Help / Re: Bitcoin.org should provide for sending/receiving bitcoins on: June 19, 2011, 12:11:02 AM
The 2 biggest problems with bitcoin right now, affecting its growth, are security (which is being addressed) and difficulty of use.  Most people do not want to download a client.  It is a hassle.  Bitcoin.org should let people get an address, send/receive payments.  Get them to register with an e-mail address.  Build a list and start marketing bitcoin like you would a business.  For bitcoin to be successful, it needs to be easy.  Not everyone will participate in the p2p, but they need to be involved in the bitcoin economy.  I will let IT people chime in with the technical requirements for this.
There are already several webwallet providers that provide exactly this service. I believe they are also mentioned in various places in the wiki. I don't think that, for the sake of decentralization, it would be a good idea for bitcoin.org to run a web wallet service.

I know there's a psychological barrier involved in downloading the client, but from an ease of use perspective Bitcoin is not any more difficult to get started with than any other software package. It's literally install and go.

I agree, but the psychological barrier is an insurmountable barrier for many people and will restrict the adoption of bitcoin.  I would like to see more marketing from the existing web wallet services you mention.
There will always be a psychological barrier in systems that are so wildly different from the "conventional" systems. I believe it's better to educate people about Bitcoin and how it works, and help them get over that psychological barrier, rather than taking the "easy way out" and changing the system to meet what people are used to.
334  Other / Beginners & Help / Re: Trojan Wallet stealer be careful on: June 19, 2011, 12:07:47 AM
For Windows users, I think the safer option is to use services like mybitcoin.
To be safer, mybitcoin should implement OTP like Google (the OTP apps on iPhone and Android are cool, you can create several accounts)
On the other hand, if you use a web wallet you have to trust that they will adequately protect your funds whereas with a wallet on your own pc you can make it as secure as you want.
335  Other / Beginners & Help / Re: Bitcoin.org should provide for sending/receiving bitcoins on: June 19, 2011, 12:01:01 AM
The 2 biggest problems with bitcoin right now, affecting its growth, are security (which is being addressed) and difficulty of use.  Most people do not want to download a client.  It is a hassle.  Bitcoin.org should let people get an address, send/receive payments.  Get them to register with an e-mail address.  Build a list and start marketing bitcoin like you would a business.  For bitcoin to be successful, it needs to be easy.  Not everyone will participate in the p2p, but they need to be involved in the bitcoin economy.  I will let IT people chime in with the technical requirements for this.
There are already several webwallet providers that provide exactly this service. I believe they are also mentioned in various places in the wiki. I don't think that, for the sake of decentralization, it would be a good idea for bitcoin.org to run a web wallet service.

I know there's a psychological barrier involved in downloading the client, but from an ease of use perspective Bitcoin is not any more difficult to get started with than any other software package. It's literally install and go.
336  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 18, 2011, 09:58:10 PM
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoins security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.


No shit it looks bad, it was enough to completely diminish my trust in the system, and I've been a bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who considers investing. If this happened in December when I discovered bitcoin I'd certainly run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer yes but that's it, it may be a thief's account and it may be someone who pretends to be a victim's 2nd wallet). What's needed is better security, until then I'm taking most of my bitcoin savings far away from bitcoin.



The issue is not with Bitcoin. It is perfectly possible for someone to set up a Bitcoin bank, that has insurance against theft etc, just like "conventional" banks. The issue here lies with Mt. Gox, which is only a single independent exchange. Bitcoin itself (as an idea and protocol) is technically sound. The only thing I am missing is wallet encryption in the client by default, but that can be overcome for now by storing a wallet on a machine that is not connected to the internet, using third-party encryption software.

Bitcoin is much like digital cash, with the difference that you can encrypt a Bitcoin wallet, while you can't encrypt an IRL wallet.
337  Other / Beginners & Help / Re: BitCoin Value and Value Control on: June 18, 2011, 09:52:57 PM
Hello,

I have read about the BitCoin project in early 2010 and it seemed like a booming project at the time, a time when its value was about $1.

Looking at the charts from MtGox.com over the time, there was a huge jump in BTC value in April. I speculate it's due to the sudden demand for anonymous money transfers to support LulzSec and other Hacktivism groups out there targeting Sony, other organizations and governments.
Not just that. There has been a lot of media attention for Bitcoin, not just regarding Lulzsec etc, but most importantly things like Silk Road.
Quote
While I noticed a huge rise towards $33 then a major drop to $10, the market recovered within 8 hours to $19. I haven't seen any stock exchange system ever recover in this speed before! And if you're wondering, that huge drop was due to LulzSec withdrawing 17,000 BTCs.
Lulzsec never claimed to have been responsible for that transaction. They simply tweeted the link.
Quote
Yesterday MtGox was under another DDoS attack and the traded volume dropped from ~47000 to 33000 and now it's 29000 (27500 when I finished typing this post).

The daily variations in BTC value is what attracted me to the BTC market, to trade. I've invested about $900, rather than buying gaming graphics cards and mining which would cost much more than $900 and the return value is quite minimum.

After much reading, I still do not understand what gives BTC its value. If it's demand, then it's currently powered by Hacktivists out there and if they cease their operations, BTC will drop back to its value prior to April: $6, if not less.
Bitcoin is definitely not just fueled by "hacktivists" (also, Lulzsec are not hacktivists, they are quite literally doing it "for the lulz").
Quote
Moreover, what if these Hackivists decide to DDoS major mining projects? The amount of generated hashes/blocks a day will greatly reduce causing the difficulty factor to drop, which means faster BTC generation (for the mining sites that aren't being DDoSed) which means more wealth when the DDoS attack stops and the difficulty increases again.
While I doubt Lulzsec, Anonymous, etc. would DDoS mining projects, exchanges, and other Bitcoin-related sites, the concern is reasonable. That is why it would be better if there were a lot more smaller pools and exchanges, so that one hit cannot have so much influence on the entire economy. If someone really DDoSed the major mining pools for weeks on end, and these pools would not be able to get back up, it could indeed be an issue.

EDIT: Whoops, almost forgot. The value of BTC is based on supply and demand - and indirectly on what people think the value is. Just like gold, and fiat currencies, if no one sees value in Bitcoins, they wouldn't have value. However, I believe that because Bitcoin is technically sound and has certain advantages, that alone is enough reason for there to be a value for at least a small group of people.
338  Bitcoin / Bitcoin Discussion / Re: Security Idea on: June 18, 2011, 09:41:48 PM
Some members of Anonymous and Lulzsec are robbing wallets and attacking sites of bitcoin markets.

Do not see how these people can help
And you are getting this idea where exactly?
339  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 09:19:12 PM
Again, two factor auth using email would be incredibly easy to implement, and a huge improvement in security - mostly because you can't get around that by having database access through a vulnerability.
340  Other / Beginners & Help / Re: If your Mt. Gox account has been compromised, PLEASE READ. on: June 18, 2011, 09:15:11 PM
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoins security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

Also, doesn't anybody think it is suspicious that all these attacks are happening at the same time?

Bitcoin has had a lot of attention lately. Of course there will be attacks from every side. People who just want to earn a buck from it in less elegant ways, and people who want to see Bitcoin vanish off the earth.

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.
How exactly would an XSS work in this case? I have never followed any links to Mt. Gox from external sites, and my account was broken into at a point where I couldn't even access Mt. Gox (probably due to the DDoS attacks).