Couldn't they just ban the one guy that has that referral code?

$17.51

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

Even a fairly weak password will take a while to find.  And you don't know in advance which passwords are weak, so you have to try them all, or try them one at a time.  This is bad, but not the end of the world.

Those passwords that have already been cracked were cracked because they were unsalted, which meant they could be stored in a database for lookup.  The rest are salted, and there is no shortcut to them.  The attacker actually has to calculate 1001 MD5 hashes using both the salt, and their current guess.  And unsuccessful guesses are wasted, they do not help on the next guess or the next account.

But no one knows in advance which ones are strong and which ones are weak, and work spent on one won't help with the next.  Also, you don't necessarily know which accounts carry balances, and which ones don't.

This simply isn't possible to have happened because of the leaked password file.  If someone found a way to reverse md5_crypt, or the quickly search the keyspace for non-trivial passwords, they would use it to make some real money, or maybe earn their PHD in mathematics.

Do you use the same passwords on any other sites?

If you have PHP, try this on the command line:


There is a similar way to do it in PERL, but I don't know it off the top of my head.

Also, I found an online thingie.  http://crypt.php-functions.com/.  Please note that I didn't test this with my password, because I don't trust it, but if you do trust it, the syntax is:


Oh, and account 16139 is probably fine.  There are no services that can crack your password short of a brute force attempt.  How long the brute force takes will depend on the length and complexity of your password.  A short password, or one that is in a dictionary, or similar to a dictionary word, will be fairly easy.

I don't know.  I'm just going off the data I have (that everyone has by now).

The newest account that I've found with an old-style hash was #3045.  I signed up about a month ago, and my number is near #10,000.  Since 50,000 of the 60,000 accounts were from the last month, I feel pretty safe saying that the change was more than a month before I signed up.  Closer to that, I can't say.

But it is trivial for anyone to find their own name in the file and check the password hash listed.  Starts with $, probably safe, but think about changing it anyway.  Doesn't start with $, change it now, and change it in every place that you've ever used that password, or one similar to it.

I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

Most people have never tried to code a big exchange market, so they have no idea how they work, or what they look like in action.  Those of us who have aren't fooled.

The exchange has two lists, one for buy orders, one for sell orders.  The order matcher finds the buy order with the highest amount, and the sell order with the lowest amount.  If there is a tie in either of these, it will go to the oldest one.  If there is an overlap, a sale is recorded, balances are updated, the smaller order is closed, the larger order is decremented by the size of the smaller order (or if they were the exact same size, they both close).  Rinse, repeat.

A large order, like selling 500,000 coins for not less than 0.01 $ each, will hit thousands of buy orders, one by one as it chews through the order book.

Crypt

If it starts with $, it is probably pretty safe.

Without a $, the field is calculated by taking 25 rounds of DES on a 56 bit key field derived from the first 8 characters of the password.  This is very easy to crack.

If it starts with $1$, the next part is a random salt, ending with the next $.  The password and this random salt are hashed with MD5.  Then this hash, the password and the salt are all hashed again.  Then there are 1000 rounds of hashing using the password and the previous hash.  This value is what is finally stored in the file after the last $.

There are other schemes, such as $2$ and $2a$ that are based on blowfish, $3$ which blows, $5$ and $6$ which are based on SHA.  But I don't think any of those were used here.

By looking at the password file, I think the problem is that they upgraded the password hashing code to switch from DES to MD5, but didn't force changes of old passwords.  Looks like this was months ago.  The newest account I can find with the old style password is #3045 (out of ~60,000).

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

Uh, the salt is right there in the file.  Look at line 1.  Password hash is $1$E1xAsgR1$vPt0d/L3f81Ys3SxJ7rIh/

The bold part is the salt for that hash.

The italic part is md5(password + salt)

For more amusement, compare your place in the list to how recently you signed up.

I'm about 10,000 in, so ~50,000 have signed up in the last month.

I've been thinking about wallet security too.  I think a second device is a good idea, but I see it working in a different way.

I see a portable dedicated device with very limited communications ability.  Just a serial port will do, which probably means serial over USB or serial over bluetooth.  It will also have a SD card socket for wallet backups.

The device will generate the key pairs, and store them.  The private key never leaves the device, except on the SD card backup, which could be encrypted.

I think it only needs 3 hooks into the PC client software.

1) It needs to be able to push public keys to the client.
2) It needs to be able to ask for (and receive) balance updates from the client.
3) It needs to be able to accept an address from the client, and generate a complete transaction to that address using an amount entered on a keypad.  (Or possibly accept an address and amount, then only ask for confirmation.)

I think this could help with the retail problem too; no reason why you couldn't plug it into a potentially hostile terminal.

I'm thinking Arduino.  It should already have all of the crypto libraries necessary, plus hookups for serial, USB, BT, and SD cards.  Probably going to order some hardware this week to get started.

There isn't a root password.  Take a look in /etc/shadow.

Easy enough to become root though.  On the command line you can just type "sudo su".  In the GUI, you can just open one marked "root terminal".

 

That's because Popper was a monster of an intellectual.  He is right up there with Newton in terms of contribution to our theory and practice of science.

At any rate, since the notion of "absolute zero" started this tangent, I think I should point out that absolute zero is a bit like the speed of light.  You can never reach either one, the best you can do is approach them asymptotically.  Really, both of them are just singularities; places where the math stops working.  And absolute zero has the interesting property that there is still a ton of energy and activity going on, just not the sort of thermal energy that we know how to extract.  For more, see Zero-point field and Zero-point energy.

Value has no such singularity, and does not appear in any way, shape or form, to be fundamental.  And even if it was, if we imagined some hypothetical unit of absolute value (I'm going to call it the Planck Value), it wouldn't solve any of the problems in economics (or elsewhere) that people hope to solve by inventing it.  Prices are not stable in time or space because neither supply nor demand are stable either.

If you use unetbootin, you need to edit syslinux.cfg and add "persistent" to the first append line.

I don't think screen likes it when the command to run has args.  It gets hard to tell where one ends and the next begins.  Try making a script to run poclbm, and calling that on your screen line.



The other way to do it (with multiple lxterminal windows) is if you want them all to show up on the monitor.