Bitcoin Forum
June 19, 2024, 08:42:39 PM *
  Show Posts
6341  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: July 14, 2012, 03:21:53 AM
Tihan is also smart enough to protect his cards while sitting in the #10 seat and still in a hand. This post reminds me of something I read the other day while researching Tihan, but I'm not sure how long it would take for me to re-find it. The dude knows more than what meets the eye, with securing data being one such attribute in his arsenal.

~Bruno~

So his failing to have the password changed would have to have been intentional then, right, given his expertise at securing data?

-MarkM-
6342  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: July 14, 2012, 03:04:36 AM
Some idiot angel venture capital investor invested $500,000 in these imbeciles!?!?!?

I had no idea that the whole "$500,000 to talk game companies into a scheme" plan had anything to do with the rest of this.

How skilled a con-person does one have to be to talk an angel investor out of $500,000?

This gets weirder and weirder...

-MarkM-

EDIT: Aha, who was the angel? The chronic haxor(s) who have dogged bitcoin's footsteps since way back when?

I suggest next time anyone sells some bitcoin business they bear in mind that the purchaser(s) of Bitcoinica might not be the only haxors who regret not having got into the "be a trusted site" game early like MyBitcoin and see buying an existing site as a way to make up for that lost time...

-MarkM-
6343  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 02:37:14 AM
Ok here's another millinery product of thinly crafted tin:

Genjix's machine is PWNd and if sniffing/keylogging there wouldn't have sniffed the password so is someone else's.

Likely the machine(s) was/were PWNd, the password sniffed, then while wondering what would be the best moment to drop the shoe the password was noticed to be in the source code so the idea of releasing the code came up. Throw in a Friday the 13th coming up and the plan is born.

The PWNing would maybe have happened way back when the messages in the blockchain were placed saying some big more to come thing was still to come (I forget the exact wording).

-MarkM-
6344  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: July 14, 2012, 01:29:40 AM
My version of the story is, Tihan selected a password from one of the Mt. Gox API keys and we face-to-face agreed to use that. There was no plan to release the source code ever (and if I did it myself, I would at least remove the credentials). The password has never been changed for 5 months, despite the transfer of ownership.

I didn't expect to be able to log in to LastPass after Bitcoinica Consultancy took over. So I didn't try.

That nicely fits another nice little theory which is simply that the entire gameplan of buying bitcoinica from you was from the start to pull a MyBitcoin. Leaving the password unchanged would in such a storyline be deliberate, a way to tar you with the same brush they planned all along to be painting all the pots and kettles black with.

You should have insisted they change all passwords to one you would not know. Heck in future I would consider getting that in writing, so that if at any future time it emerged they used any password that was known to you you could sue them for deliberate attempt at defamation of character and/or framing you or adding you to a suspects list.

I sure hope the Canadian Imperial Bank of Commerce data centre changed the vault combination when I left them, I'd hate to find myself swept up in a dragnet someday due to something nasty happening and it turning out they neglected that simple standard normal expectable step.

-MarkM-
6345  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: July 14, 2012, 01:04:38 AM
(the reason Tihan keeps repeating that his role was hands off is because he'd lose safe harbour protection from liability if he took part in the day to day running of the company).

He had the critical password, apparently. So while he might be able to wash his hands of responsibility for money-laundering going through his pipelines he remains a prime suspect in the theft. He could have insisted that password be changed had he wanted to wash his hands of that.

-MarkM-
6346  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 12:32:35 AM
I think the probability is about the same as finding a SHA-256 collision in bitcoin :)

So it's probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc) type attack was used to discover it, in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-
6347  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 12:26:38 AM
So basically they just open sourced all their passwords

How many attempts does LastPass allow before locking an account?
I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...


-MarkM-
6348  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 12:08:05 AM
So basically they just open sourced all their passwords


Not quite. How many attempts does LastPass allow before locking an account?

Someone had to have some reason to "waste" one attempt on that particular string of characters from the source code.

So, who tipped them off that if they wanted to spend those limited number of attempts, this particular string of characters might be a darn good guess to spend one of their attempts on...

-MarkM-
6349  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 10:49:22 PM
That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to brute-force LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this after all a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-
6350  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 08:27:02 PM
That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-
6351  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 06:29:48 PM
Difference Gox<->Bitcoinica?

MTBH.

(Mean Time Between Hacks)

-MarkM- (Not to mention minor details such as yubikeys etc etc etc, which might contribute to MTBH.)

6352  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 06:15:20 PM
I never trusted intersango with my money, I trusted zhou.

And Zhou sold that trust to the highest bidder. At least his mortgage is paid off!

Yeah that is wrong right there. He should have included the full amount of customer money in the sale price, paid the customers all their money and let them decide whether to put any of it back in given that the site had changed ownership.

I said that wrong, but basic idea is, other people's money is theirs to sell or not sell to new owners at their own discretion.

-MarkM-
6353  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 11:19:18 AM
How many attempts does LastPass give people to enter their password before locking the account?

It seems almost impossibly unlikely that a hacker happened on the correct password to LastPass in the three attempts or so they probably allow.

Is LastPass being criminally negligent maybe, allowing hackers to automatically try every password and every gobbledegook string they found anywhere in Bitcoinica's records and source code?

What the hell would make some string from some code someplace be one of the first three guesses a hacker would try?

It seems far far more probable that the guy who set the LastPass password is the thief or a co-conspirator of the thief or (damn I hate providing ready made excuses for the guy) a keylogger or somesuch was used to discover the password.

There is just pretty much no reason at all to try such a stupid guess as to the LastPass password. You'd have to already know it is the right one to even consider trying it.

I really hate this crap, I do not ever want anyone putting more than 1/3 of their savings into my server. The fact that some idiot probably will anyway if there seems to be profit to be made by doing so makes me want to run three separate servers and divide everyone's balances among them or just bury all the assets backing the tokens in a timecapsule and let in and out exchange be done by third party marketmakers.

Oh and Genjix, if you didn't do it don't let it get to you. The weird stories one hears about how bitcoins managed to vanish make me paranoid that someone is going to spill their coffee and it will track all over the floor and "accidentally" spell out my private keys or something, it seems about as likely as the stuff that happens all the time around bitcoins thus not unlikely at all presumably. So don't assume anyone else didn't do it just because you didn't, either.

-MarkM-
6354  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 09:42:51 AM
he explained exactly what happened.

Did he? He seemed to be claiming that a third party secure password storage site allows enough tries at guessing someone's password to their entire collection of passwords that some random hacker was able to discover by blind luck which other site password or API key Tihan had used at the third party password-storage site.

Seems more likely Tihan set that up as a pre-prepared "excuse" then someone arranged to set up Gox with a fortune for "someone" to "steal" by "accidentally" neglecting to use a Yubikey-secured account so that the "excuse" would pass muster with the extremely credible.

-MarkM-
6355  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 09:30:28 AM
See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code

Pro tip 2: for months now the whole problem of how to properly store passwords has been holding up Open Transactions development because of the intricacies of how to convince the various different operating systems never ever ever to let it land on disk, including by not allowing the memory it is remembering it in get swapped to disk. It's stuff like this that has made Open Transactions late to market.

Better to get in fast and out with a fast buck than wait until ready to "do it right" though maybe eh?

-MarkM-
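The post above (and davout's "not directly in the source code" point) is about credentials committed to a repository. As an added example, not code from the forum thread, from Open Transactions or from the bitcoin-central repository, here is a small pre-commit style scanner that flags hard-coded credentials in source text, beside the pattern that keeps them out of the repo (reading the secret from the environment at runtime). The sample config module, the regexes, the placeholder list and the function names are all this example's own constructions.

```python
"""
Added example: detect credentials committed in source, and the alternative
of loading them at runtime.  Nothing here is from the forum thread or from
the projects it mentions; the sample input below is constructed.
"""
import math
import os
import re
from collections import Counter

# A string literal assigned to a credential-looking name, e.g. password = "..."
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)\b(?P<name>[a-z_]*(?:pass(?:word|wd)?|secret|api[_-]?key|token)[a-z_]*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']{6,})["']"""
)
# Long base64/hex-looking runs, judged by entropy rather than by variable name.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
# Values that are obviously not real secrets (assumed list, extend as needed).
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex is about 4.0, English prose well below 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_kind, detail) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue  # comment-only lines are skipped
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m and m.group("value").lower() not in PLACEHOLDERS:
            findings.append((lineno, "credential-assignment", m.group("name")))
            continue
        for tok in CANDIDATE_TOKEN.findall(line):
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append((lineno, "high-entropy-string", tok[:8] + "..."))
                break
    return findings


def load_secret(name: str) -> str:
    """The non-committed alternative: the value lives in the deployment
    environment (or a secrets manager), never in the repository."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start with a missing credential")
    return value


# Constructed sample imitating a config module pushed to a public repository.
SAMPLE_SOURCE = '''\
# constructed sample, imitating a config module committed to a public repo
MTGOX_API_USER = "trader01"
MTGOX_API_PASSWORD = "Kq7!vR2m#zP9wL4x"   # hard-coded credential
STORAGE_PASSWORD = "changeme"             # placeholder, ignored
session_token = "c3VwZXJzZWNyZXRfdG9rZW5fdmFsdWU="   # opaque blob
wallet_seed = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"    # caught by entropy, not by name
db_password = os.environ["DB_PASSWORD"]   # correct: read at runtime
'''

if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} ({detail})")
```

Running it reports lines 3, 5 and 6 and stays silent on the placeholder and on the line that reads the password from the environment. The entropy threshold of 3.5 bits per character is an assumed tuning value: random hex and base64 sit at or above it, while identifiers and English words fall below it, which is what keeps a scanner like this from flagging every long variable name.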
6356  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 09:24:12 AM
EDIT : Oh wait, I misread, it indeed went through the username+password authentication. I don't have words to describe the sheer amounts of fail this represents and how easily it could have been prevented.

Ah so then it does not all point to Tihan, someone else aided and abetted by setting Gox up ready for his "negligence" to work?

-MarkM-
6357  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 09:15:21 AM
Seems like each instance of criminal negligence (or conscious conspiracy with thieves or whatever the exact crime turns out to be) ends up back at this Tihan character then eh?

-MarkM-
6358  Bitcoin / Project Development / Re: Interplanetary payment system on: July 13, 2012, 06:22:11 AM
Yes, sorry, I realise now I did not phrase my earlier post in such a way as to make clear that Joy Christian's work not only debunks spooky action at a distance as merely a natural reflection of the topology of space (as a two-sphere not a binary scalar) but also leaves it fully non-spooky as in not violating the speed of light.

(The failure to realise that the correct topology is a two-sphere, whose topology naturally correlates points differently from points of scalar binary values, results in imagining some spooky cause must be causing the effects that simply were not understood due to not taking into account the topology of the domain space.)

-MarkM-
6359  Alternate cryptocurrencies / Altcoin Discussion / Re: What's happening with Namecoin? on: July 12, 2012, 11:05:13 PM
Maybe it would be useful to build in a "sale price" mechanism with automatic purchase, so people can set their price and others can buy domains at the price set by the seller in namecoins, enabling sellers to remain anonymous and causing namecoins to have to be of significant value in order for selling prices of valuable domains to be able to be expressed in namecoins as some number of namecoins that does not exceed the number of namecoins that exist, or even that ever will exist.

That way the bounty will be spread around, as in order to offer a huge amount of wealth for a domain but do so in the form of namecoins it will be necessary for namecoins to be quite valuable, which will "float all boats" as the saying goes...

-MarkM-
6360  Bitcoin / Project Development / Re: How to boost the bitcoin market: on: July 12, 2012, 09:55:55 PM
Okay well here is another way of looking at it. Bitcoins are insanely, ridiculously undervalued, which makes it ridiculously hard to get reasonable fiat prices for goods priced in bitcoin, due to people being able to look up some insanely, ridiculously low price they can buy bitcoins for somewhere.

Thus when they see you offering goods priced at, say, one bitcoin, they imagine the item you are selling for only one bitcoin is presumably only worth about seven dollars, instead of realising that being able to buy bitcoins for only seven dollars is crazy. The proper price of the item in dollars should be an entire actual bitcoin fergoshsakes, not some pathetic piece of fiat paper!

So yeah, refuse to accept their stupid fiat, tell them if they think they can buy bitcoins for less than a hundred or thousand or ten thousand or a hundred thousand or whatever dollars they should please go do so right away while they can still do so, then come buy your item with an actual real bitcoin.

-MarkM-