This is the 3rd MtGox account I've heard of that's been cleaned out in the last week. A new vulnerability, perhaps?
None of them had two factor auth. If there is a vulnerability on Mt.Gox itself I think I would hear more bad news... The botsnets of this world are seriously big. I think more and more bot masters let their bots harvest BTC related data. Perhaps... maybe someone has access to the database with passwords? Hashes are pushed against a rainbow table to pick out the easy ones? Obviously, 2FA would prevent this from working, hence the reason only 1FA accounts have been broken? I would think many more accounts than just 3 would be accessed in such a case, as you alluded to, but you never know how many have been accessed without the owner finding out yet or without the owner posting here on this forum. Not sure what else the attacks could be from. Keylogger? Maybe. |
|
|
|
The free plays are also nearly worthless as 1BTC already adds a single free play.
If you're talking about the 'high roller bonuses' then it looks like you need to spend at least 5 BTC to get free plays now, and those free plays happen automatically; you don't have to claim them. The free plays you get for winning, on the other hand, are hard to claim. The FAQ says: "For each Free Play you want to use, you have to play 1 BTC". That means you have to play 100 draws to claim one free play (maybe the FAQ is out of date, and should say 0.1 BTC, who knows...). Those 100 draws will on average earn you about 15 more free plays, which you'll also have to claim. So you'll end up with more free plays than you can ever claim. In effect, every 100 draws you pay for will give you 101 draws. Please let me know if my analysis is wrong here. I came to the same conclusion. |
|
|
|
|
This is the 3rd MtGox account I've heard of that's been cleaned out in the last week. A new vulnerability, perhaps?
|
|
|
|
I already cashed out. I got out of USD and now have real money.
you must be crazy I'd imagine having 20,000BTC/month in profits from SatoshiDICE probably helps him live without USD.  |
|
|
|
Yeah, I know. 3 BTC.
Still, I was wondering - is there a new vulnerability out there I don't know about?
I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.
My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.
I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well... You're saying that your woefully weak password had been changed for more than a year? How strong is the new one, and when exactly did you change to the new one? No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later. Interesting... I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers. Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works. That'd get around any IP-based bruteforce detection. English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks. |
|
|
|
"Does not support USB 2.0 high speed connections." Nonetheless, probably a good call. I'd buy both a long USB cable AND USB over CAT5 adapters. It's a pittance compared to the money lost if the miner is down for a few days while you wait for a new cable to come in. |
|
|
|
Yeah, I know. 3 BTC.
Still, I was wondering - is there a new vulnerability out there I don't know about?
I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.
My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.
I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well... You're saying that your woefully weak password had been changed for more than a year? How strong is the new one, and when exactly did you change to the new one? |
|
|
|
|
I plan to sell in steps as the price rises, I just haven't quite figured out what those steps should be.
Maybe 20% @ $100, 20% of what's left @ $500, 20% of what's left after that @ $1,000, same again @ $5000, again at $10,000, etc.
That way, I always have something to sell when the price rises, no matter how far it rises.
|
|
|
|
He doesn't appear to be watching this thread...
"Last Active: January 22, 2013, 09:16:33 PM"
That doesn't mean much. If you remember, that account was blocked for "being hacked". He's more likely here with another account altogether. Or not signed in at all. Good point. I didn't remember that. |
|
|
|
|
He doesn't appear to be watching this thread...
"Last Active: January 22, 2013, 09:16:33 PM"
|
|
|
|
Could it be possible to send coins to an unused address, so that someone gets a surprise when they generate a new address? hmm...
No. It would take longer than the life of the universe to accidentally generate an address with coins already in it. |
|
|
|
No, "The customer sent a address that they couldnt get to" does not mean no one could get to that address.
yeah that actually could be in exactly the same category as the above "instawallet user couldn't get to coins, but instawallet owners can". Ah, good point. It could be someone else's legitimate address. We'd need clarification from sublime on tha. |
|
|
|
I forgot but I also sent a coin to a wallet that cant be accessed. The customer sent a address that they couldnt get to. I lost the coin and they charged back. So I have 5 stuck on a hard drive and 1 that I believe cant be recovered.
Well, the 5 on the hard drive can be recovered so we cannot add to the list. The 1, however, can be added. Use the format as designated in the beginning of this thread to add it...! |
|
|
|
How do people think they can totally get away with scamming a bunch of people with vast computer knowledge unless they are single and willing to leave the country...quickly.
I mean this community is easy to scam because of greed, but once you have the loot you need to skeedaddle.
Hell hath no fury like a nerd with internet access...
They get doxxed, but then nothing happens afterward. If people actually started suing these people, then maybe they'd skeedaddle more quickly. As it is, it seems like a scammer hardly has to worry. |
|
|
|
Someone said it seemed like Avalon themselves was posting it (self-promotion sort of thing). *shrug* |
|
|
|
|
100%.
My asset holdings less my debt is negative (due to student loans), so ~ 50 BTC / 0 = ∞ (or 100%, if we want to be practical).
|
|
|
|
|
Question about offline transactions... what are the system requirements for a computer that would ONLY hold private keys and sign transactions? And is there any special setup procedures for such an offline computer? Do I still have to install the Bitcoin-QT client?
|
|
|
|
3 confirmed.
The one in china doesn't count! |
|
|
|
Ok, fair enough, and I appreciate you defending yourself and setting the record straight. Nefario did way worse than you, this is for certain. Are you paying back the rest?
Yes, over time. The half of income that originally was going to be spent on growing and maintaining the company is now being spent on buying back shares, the other half of income being paid out as dividends as per contract. I just don't like you calling BFL a scam. They aren't a scam if they deliver in the end, they are a scam if they do not. All of the ASIC companies (with exception of ASICMiner) took preorders, and all of them called their preorder customers customers. It doesn't matter if that doesn't fit your definition of a customer - everyone who preordered ASICs are customers.
Actually, it depends on what US law thinks. My interpretation of law is what BFL is doing is illegal. If my interpretation is wrong and they can legally call these pre-orders by customers instead of investments by investors, then they are still violating the law by taking pre-order money before shipment. If its not a scam, then what is it? These conditions do not go away just because they ship and the government can still go after them, including halting shipments of product and destroying them or refusing them entry into the US. It might be unlawful, illegal, etc, but calling it a scam implies malicious intent. I have seen no malicious intent (towards its customers) from BFL thus far... Definitions of scamming usually include words like "defrauding" or "swindling", and are preceded with words like "deliberately" or "intentionally". BFL has not intentionally defrauded or swindled anyone. They've had delays they were not expecting. |
|
|
|
|
Show Posts
