Bitcoin Forum
May 05, 2024, 05:15:09 AM *
  Show Posts
1281  Economy / Trading Discussion / Re: Reporting Mt. Gox to the Japan Financial Services Agency on: June 26, 2011, 08:52:43 AM
Well, Japan seems to have bigger problems than bitcoin these days... Did they fix the leaks in the nuclear reactors?
Maybe MtGox's problem is the lack of reliable power  Grin
Their servers are located in the US.  Their bank accounts are located in France and the USA.  I don't know where their bitcoins are located, but I suppose the wallets are backed up in several locations.  Why would they have to register as a financial institution in Japan when none of the trading goes on there?  Why not France (for having a bank account?) or the USA?
1282  Economy / Trading Discussion / Re: TradeHill issues: let's evaluate on: June 24, 2011, 07:03:08 PM
Their charts are awful (really bad)
Fortunately I can't see them, because they are Flash.  Ugh.  Why?
1283  Economy / Trading Discussion / Re: MtGox going to charge for 2 step authentication! on: June 23, 2011, 10:21:27 PM
there are better ways than yubikey.

http://www.openauthentication.org/
LOL!  Flash all over the page.  That's what "open" means to them.  :-)

I think yubikey along with a strong password is more than enough security for me.  I don't plan to keep half a million bitcoins at Mt.Gox.  On other exchanges I have no other choice than password.
1284  Economy / Trading Discussion / Re: MtGox going to charge for 2 step authentication! on: June 23, 2011, 10:10:15 PM
BUT their support thread says they are getting 2 step authentication (like paypals) but they want to charge for it!
That is BS! If they do not use yubikey (which I will buy a yubi key, one time fee) and then use it for free I may not use mt gox any more.
After what happened, there is ZERO reason to charge for extra security.
What do you guys think?
You don't have to use two factor authentication if you don't want to.  I don't think there will be any more secure place to trade Bitcoin than Mt.Gox, even without two factor authentication.  AFAIK none of the other exchanges offer two factor authentication at all.

Bitcoin7 has already shown total lack of interest in security and knowledge about Bitcoin and bookkeeping in general, and TradeHill users spam my mailbox and this forum so much it is sickening.  TradeHill doesn't seem to do much about their spam problem either, and spammers are still allowed to trade there.  Fortunately there are other exchanges as well, which seem more secure and don't encourage anti-social practices.

Mt. Gox is very liquid and cheap to get money in to and out of for us Europeans, and a good place to trade in spite of a comparatively high fee.  They also have a simple API for fast and easy trading without using the web interface.  And I don't think any of the other exchanges could have handled a security breach like this better than Mt. Gox has done.  Most likely those that keep funds and do automatic transactions would have gone bankrupt.
1285  Economy / Trading Discussion / Re: I was scammed by MtGox. on: June 21, 2011, 01:54:15 PM
There are a few wrong concepts in your idea, sturdle.
There IS security through obscurity. This is a simple fact, you can't know what you don't see.
Just the fact that you can't see it doesn't make it unknown.  It can even be visible and in plain sight, you just don't know what to look for or where to look.  Treat as much as possible as if it is visible to everyone, and it won't hurt you if it is.  Make sure to protect what you need to protect.  A password is simple to protect.  If you need to protect the password hash to protect your password, you have lost because the hash isn't under your control.
1286  Economy / Trading Discussion / Re: URGENT: What is next and legitimate on MtGox after the security issue? on: June 21, 2011, 01:13:28 PM
It is wrong to reverse honest trades (all other exchanges were affected and are not rolling back trades, nor should they).
Bitcoin-central wasn't affected, as far as I can see.  But this is not the point.  Any exchange would have done the same if a criminal got illegal access to a broker's funds, and sold them all to manipulate prices and create havoc in the market. The only difference is that most normal stock exchanges would halt trading automatically and investigate the situation as soon as there was unusual activity with no known reason.  MtGox should behave like any other responsible exchange, and nullify the affected trades.  Other exchanges roll back trades more often than you think.  Even Bitcoin exchanges.  It has happened on Bitcoin-Market and Bitcoin7, at least.  Hopefully MtGox will implement a few safeguards for later as well, and pause trading for a while to investigate when it gets too hot.

Quote
Further there are significant complications around trades that occurred and bitcoin proceeds immediately withdrawn (which is what I always do).
Of course there are complications, which would have to be handled on a case to case basis.

Quote
Mtgox should simply pay the victim(s) back for their losses and be done with it (and take their lumps).
Did anyone lose anything?  People who traded at a loss on other exchanges based on a sudden change from 17.5 to 0 on mtgox should know better, IMHO.  I don't think you will find many, with the exception of mtgox, who actually lost money on the rollback.  More likely a lot of people suffered a loss due to the unusual buying and withdrawals from stolen accounts during the previous days, but this would be impossible to prove.
1287  Economy / Trading Discussion / Re: I was scammed by MtGox. on: June 21, 2011, 12:41:39 PM
Btw, if your password was cracked from a salted MD5 hash, it wasn't secure.  By definition.  Secure passwords can't be cracked in finite time with today's technology, even when given the hash.
I'm a bit sick and tired with this load of "I'm a security expert" BS! Stop blaming it on users!
Letting your db leak onto the web is way more serious than using even 123 as a password. There's no way to blame this guy, except that MtGox hasn't "scammed him", he just opened an account at a place with a lousy service.
Just ten years ago password files, YP, etc with password hashes in the open was the norm.  A crackable password was  as good as a plaintext password.  Passwords had to be good, and the openness ensured that people made good passwords.

Unfortunately after September 1994 a lot of clueless newbies entered the Internet.  Users who had no idea about passwords, security or computers or networks in general.  Also passwords had to be made more and more complex due to increasing computing power available to malicious users.  During the last few years systems have tried to remedy the problem a bit by hiding the hashes from public view.  I'm not sure if this is a good idea or not.

This kind of security by obscurity is false.  First and most important: it is impossible to know if your password is stored in a properly salted and secure hash, or if it is kept in an open database or hashed in an insecure way (NTLM springs to mind).   Secondly: users tend to make bad assumptions about cracking being difficult, and make bad passwords. 

Treat all password databases as open.  Make good and unique passwords, and you are secure if the password database uses properly salted and hashed passwords.  (If not the site isn't secure anyway.)

Don't trust "security experts", btw.  People calling themselves experts on computer security typically have little or no real knowledge about security.  Just have a look around this forum for proof.  Real security experts can be recognised by i.e. the lack of firewalls and open WiFi at their home, but would never claim to be an expert on such a complex field.
1288  Bitcoin / Bitcoin Discussion / Re: Which Bitcoin Exchange Can You Trust? on: June 20, 2011, 08:20:54 PM
Honestly, after all of this, I would trust mt gox the most. Nothing encourages you to invest a lot in security more than being thoroughly pwnd.
Yes, and IMHO the situation has been handled very well.  A lot of FUD is spread here, unfortunately, and I get spam promoting TradeHill and Bitcoin7.  Spammers can not be taken seriously, and neither can the exchanges if the spammers are still allowed to trade there.  This alone strengthens my confidence in Mt. Gox, which has never spammed me or spread FUD about other exchanges.  So far the official information has been perfectly aligned with the facts which have been shown both before and after the public explanations.

My trust is with Mt. Gox and bitcoin-central.  I do not trust TradeHill, and have complete distrust in Bitcoin7 (mostly due to cluelessness).
1289  Economy / Trading Discussion / Re: I was scammed by MtGox. on: June 20, 2011, 02:35:56 PM
Why would I lie?

I even provided a picture for proof
You are still claiming you were scammed by Mt.Gox, and this picture shows an entirely different scenario.  So you are either lying or trying to prove something else.

Btw, if your password was cracked from a salted MD5 hash, it wasn't secure.  By definition.  Secure passwords can't be cracked in finite time with today's technology, even when given the hash.
1290  Bitcoin / Bitcoin Discussion / Re: It's Official Mt.Gox Database Leaked :( on: June 19, 2011, 08:30:12 PM
thought about someone here having access to sufficient rainbow tables to find out my pw in seconds
Rainbow tables will not help in this case, because the passwords are properly salted.  But I'm sure you'll find a lot with a decent wordlist or a character frequency search.  (Brute force taking most common characters in passwords into account.)
1291  Bitcoin / Bitcoin Discussion / Re: It's Official Mt.Gox Database Leaked :( on: June 19, 2011, 08:26:09 PM
https://rapidshare.com/#!download|359tg2|1969319443|accounts.csv|4023
I checked my own password there.  It is real, and it is an old one.  I changed it a few days ago, and this is the previous one.  Which means the data has been out for a while.

You can check your own password by giving this line to perl:
Code:
print crypt('password', '$1$salt'), "\n";
where password is your password and salt is the characters between $1$ and the next $ in your encrypted password.  If the result matches the entire encrypted password, your password is there and it's real.  If only the part between $1$ and $ matches, the password is wrong.  If everything is far off and not even the salt matches, you did something wrong.
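The same self-check as an added Python example (not part of the post above): a pure-Python MD5-crypt (`$1$`) routine, used because Python 3.13 removed the standard `crypt` module, plus a checker that reports the three outcomes the post describes. The function names and the sample hash are constructed for illustration; salts are assumed to be ASCII.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt as produced by crypt(3) for '$1$' hashes."""
    pw, sl = password.encode(), salt.encode()[:8]    # salt is at most 8 chars
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])  # alt repeated to len(pw)
    n = len(pw)
    while n:                                         # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                            # fixed stretching rounds
        data = pw if i & 1 else final
        if i % 3:
            data += sl
        if i % 7:
            data += pw
        data += final if i & 1 else pw
        final = hashlib.md5(data).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):                           # low 6 bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return f"$1${sl.decode()}${out}"

def check_leaked_hash(password: str, leaked: str) -> str:
    """Return 'match', 'salt-only' (wrong password) or 'malformed'."""
    parts = leaked.strip().split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "1" or len(parts[3]) != 22:
        return "malformed"                           # not a $1$salt$hash line
    computed = md5_crypt(password, parts[2])
    same = hmac.compare_digest(computed.encode(), leaked.strip().encode())
    return "match" if same else "salt-only"

# Constructed sample: a hash made locally, standing in for a line of the dump.
SAMPLE = md5_crypt("lion Malaysia snow cutlery", "Zx3kQ9aB")
```
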
1292  Bitcoin / Bitcoin Discussion / Re: I just got hacked - any help is welcome! (25,000 BTC stolen) on: June 18, 2011, 11:26:51 AM
what kind of mega-farm did u own in order to produce 25k btc from your start date you mentioned?
has anyone done the math on if this is feasible or not with the difficulty jumps?
It is not just feasible, it is very likely.  I checked a random generation block from the transaction in block explorer.  It was generated at 2010-03-12.  Those days a few khash/s was enough to generate multiple blocks every day.
1293  Economy / Trading Discussion / Re: I was scammed by MtGox. on: June 18, 2011, 06:48:02 AM
Some math about passwords:

We start with a password using eight characters from a - z (no capitals).
26^8 = 208827064576

This happens when you also use numbers.
36^8 = 2821109907456

This happens when you add common symbols (! " # $ % & ' ( ) * + - . , / [ ] ^ < > { })
48^8 = 28179280429056

This happens when you add capitals.
52^8 = 53459728531456

This happens when you add one single character
26^9 = 5429503678976
Another point -- it can be hard to remember long random passwords, but very long passwords can be simple.  If you have problems remembering long strings of random characters, try using random words.  At least three or four chosen randomly from a long wordlist.  Think of the wordlist as your alphabet.  /usr/share/dict/words on Ubuntu has 98569 words.

This happens if you choose three words from the list:
98569^3 = 957681397954009

This happens if you choose four words from the list:
98569^4 = 94397697714928713121

But please choose words which do not form a meaningful sentence or are logically connected in other ways, and make sure it is at least 12 characters long in total.  "one two three" is a terrible password.  "lion Malaysia snow cutlery" is a very good one.
1294  Economy / Trading Discussion / Re: I was scammed by MtGox. on: June 17, 2011, 09:39:05 PM
My password was an alphanumeric sequence. There were no dictionary words and it would take a very long time to brute-force my account.
An alphanumeric sequence like abcd1234?  That would be one of the first ten passwords a brute force attacker will try.  There are many such sequences in top 100 lists of common passwords.  It would generally take much shorter time to bruteforce a sequence than a rarely used dictionary word.

My four rules of passwords are:
  • Never base your password on dictionary words or sequences of any kind, including keyboard sequences, periodic table, etc.
  • Use at least three of the categories capital letters, normal letters, numbers and special characters.
  • If your password contains one capital letter, don't place it first.
  • If your password contains only one number (one or more digits) or special character, don't place it last.

And remember that trivial transcriptions like $ for s, 3 for e, etc, or using the characters above, below or next to a word on the keyboard, are not novel ideas.  Those ideas, and many more stupid tricks to transcribe dictionary words, are known among crackers as well.  Don't even think about words or sequences when you make a password.
1295  Local / Skandinavisk / Re: MT Gox - steals your bitcoins on: June 17, 2011, 09:13:51 PM
Isn't BTC 41.78872457 a strangely odd amount?
Yes, you may be right about that, but I transferred 42 bitcoins from my account at mt gox over to my own account. I assume the number turned out the way it did because I wanted to transfer 50 bitcoin, but got a message back that I could transfer at most 41 or 42, and so the number became this 41.78872457. I also think a fee or something was deducted...
You probably withdrew BTC earlier in the day.  You can withdraw BTC to a maximum value of USD 1000 each day.  If you try to withdraw more, the amount you get is reduced so that in total you have withdrawn USD 1000 that day.  Very precise, as you can see.  A large red message comes up that tells you what has happened and why.  MtGox does not charge a fee for BTC withdrawals.

To be able to withdraw more than USD 1000 each day or USD 10000 each month, you must send a copy of identification papers to mtgox.  This is due to laws against money laundering.
1296  Bitcoin / Mining software (miners) / Re: python OpenCL bitcoin miner on: June 16, 2011, 10:22:25 AM
I'm getting lots of "warning: job finished, miner is idle".
I have the same problem on Linux, but only when using -v (vectors) and a low value for -f.  I never see it if I don't use -v, and I never see it with default -f.  Haven't tested for very long with higher -f, but at 10 the messages are mostly gone.  I mine solo, of course, and getwork calls take negligible time.  I made each call to getwork log a line, and the error shows up when it takes > 12 seconds between two getwork calls.  My askrate is 5 seconds, but there is usually at least six seconds between each call to getwork.  Sometimes much more.  A lower value for -a does not remove the long gaps between getwork calls which are followed by "miner is idle" messages.
1297  Economy / Trading Discussion / Re: Bitcoin7 a new exchange on: June 15, 2011, 10:47:25 PM
Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
Isn't it incredible how much a simple sentence can reveal?

It is impossible to represent integers accurately in floating point, no matter what precision one uses.  Any mediocre programmer will know that.  And if one doesn't know that Bitcoins are integers, one should probably not operate an exchange in the first place.  This simple sentence tells us that the exchange is written by an incompetent programmer who hasn't got much clue about Bitcoin either.

Even if it looks like it works on first sight, it is probably insecure.  I wouldn't trust it with a bitcent, or 0.009999999776482582092285156250 BTC at Bitcoin7, probably rounded in the user interface.  Would I be able to withdraw the bitcent again, or would I have insufficient funds?  I'll let someone else find out, and have fun profiting from rounding errors.
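The bitcent question from the post above, worked through as an added example (not from the thread and not Bitcoin7's code). It assumes a hypothetical ledger that stores balances as single-precision BTC and compares it with one that counts integer base units (10^-8 BTC); all class and function names are illustrative.

```python
import struct
from decimal import Decimal

SATOSHI = 100_000_000  # base units per BTC

def f32(x):
    """Round a Python float to the nearest IEEE-754 single-precision value."""
    return struct.unpack("<f", struct.pack("<f", x))[0]

def to_satoshi(text):
    """Parse a decimal BTC string into an exact integer count of base units."""
    units = Decimal(text) * SATOSHI
    if units != units.to_integral_value():
        raise ValueError("more than 8 decimal places")
    return int(units)

class Float32Ledger:
    """Assumed design: balance kept as single-precision BTC."""
    def __init__(self):
        self.balance = 0.0
    def deposit(self, text):
        self.balance = f32(self.balance + float(text))   # precision lost here
    def withdraw(self, text):
        amount = float(text)        # request parsed at double precision
        if amount > self.balance:
            return False            # "insufficient funds"
        self.balance = f32(self.balance - amount)
        return True

class SatoshiLedger:
    """Balance kept as an integer number of base units."""
    def __init__(self):
        self.balance = 0
    def deposit(self, text):
        self.balance += to_satoshi(text)
    def withdraw(self, text):
        amount = to_satoshi(text)
        if amount > self.balance:
            return False
        self.balance -= amount
        return True

def bitcent_round_trip(ledger):
    """Deposit one bitcent, then try to withdraw the same amount."""
    ledger.deposit("0.01")
    return ledger.withdraw("0.01"), ledger.balance

if __name__ == "__main__":
    ok, bal = bitcent_round_trip(Float32Ledger())
    print("float32 ledger:", ok, format(Decimal(bal), "f"))
    print("integer ledger:", bitcent_round_trip(SatoshiLedger()))
```
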
1298  Bitcoin / Mining / Re: Hobbyist miners forced out today? on: May 28, 2011, 07:37:10 AM
I pulled the plug on 600 mhashes, even though it would still be profitable. Can't stand the noise anymore Smiley
After investing in 600 Mhash/s, water cooling would be a comparatively small extra investment which enables you to silence the miner and run it 24/7.  A cooler miner also means better stability, longer life and lower power cost (colder silicon leaks less power).

You don't have to buy an expensive water cooling kit.  The expensive part is the GPU water block.  Everything else is cheap.  A cheap low powered aquarium pump, a radiator from an old car, cheap plastic hose, etc.
1299  Bitcoin / Bitcoin Discussion / Re: Gavin will visit the CIA on: May 27, 2011, 08:47:51 PM
June 14th at CIA HQ, Langley Virginia.  It is not open to the public, conference is for the US intelligence community only.
Remember to take many pictures and share them with us!
1300  Bitcoin / Mining / Re: FPGA mining for fun and profit on: May 20, 2011, 09:30:27 AM
Are you sure they are on?  I can't see a noticeable bump in total network power.  The increase is steady within normal variance.  Perhaps a lot of GPU miners shut down their systems at the exact same time?
If so they have become really good at turning them on and off at the same time:
http://bitcoin.sipa.be/speed-lin-2k.png
NOW there's been a spike.  Big time.
Note that the spike goes in the wrong direction when the FPGA clusters "just went online", and also compare with this historical chart which shows the variance on a longer time scale.