molecular
Donator
Legendary
 Offline
Activity: 2772
Merit: 1019
|
 |
January 22, 2013, 03:44:44 PM |
|
OP: Don't listen to people moaning about how we had been thinking we had a Mt.Gox breach even with a Yubikey in use and that turning out not to be the case it's just good that we've been told now and can stop worrying :-)
yeah, true, sorry JMcGrath for being a bit harsh before. Thanks for telling us you probably hadn't linked the yubikey. |
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
|
|
|
|
|
|
|
|
|
"You Asked For Change, We Gave You Coins" -- casascius
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
January 22, 2013, 05:14:30 PM |
|
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever. The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address. All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.
We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue). This would still be a much easier problem to solve than, say, adding a dependency on PGP, given that all the necessary code can be lifted directly from the current build of bitcoind. And signing aside, simply allowing one the option to restrict their account so that instant bitcoin withdrawals can only go to a single bitcoin address would be of trivial complexity and yet would result in an enormous leap in practical security. That may not work for some, but for others, it is so simple to understand as to be a meaningful confidence builder. If you ask people to write that bitcoin address on their AML docs as they send them in, you've got a bulletproof paper trail connecting the withdrawal address to the customer. The unspoken underlying fear is that one might have their funds disappear and be in a "he said she said" war with Gox as to how the withdrawal actually occurred. If MtGox adopts policy and procedures that ensures that all withdrawals can be positively accounted for, and that instant withdrawals to arbitrary addresses are easy to limit, it literally reduces the customers negative fear of unauthorized withdrawal. |
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
misterbigg
Legendary
Offline
Activity: 1064
Merit: 1001
|
|
January 23, 2013, 01:06:38 AM |
|
I'll give a reward if I can find out who this person is so I can beat the **** out of them! If there's anyone who should be beat, it should be YOU for this fucking misleading thread title! MtGox DID NOT GET HACKED and all you're doing is stirring shit. |
|
|
|
|
BCB
CTG
VIP
Legendary
Offline
Activity: 1078
Merit: 1002
BCJ
|
|
January 23, 2013, 01:26:41 AM |
|
title should read:
"I was surfing porn, downloaded a key logger and now I don't have anymore coins in my Mt. Gox account. "
|
|
|
|
|
Jaw3bmasters
Full Member
Offline
Activity: 196
Merit: 100
Another block in the wall
|
|
January 23, 2013, 02:28:28 AM |
|
title should read:
"I was surfing porn, downloaded a key logger and now I don't have anymore coins in my Mt. Gox account. "
LOL. |
In Cryptography we trust.
|
|
|
|
MPOE-PR
|
|
January 23, 2013, 08:18:35 AM |
|
title should read:
"I was surfing porn, downloaded a key logger and now I don't have anymore coins in my Mt. Gox account. "
MY PRONSITE WAS HACKED |
|
|
|
|
Ghostofkobra
|
|
January 23, 2013, 10:40:26 AM |
|
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Is it not enough that he/she lost their Bitcoins?
I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.
Please, think before you post and dont post drunk.
/GoK
|
|
|
|
|
MPOE-PR
|
|
January 23, 2013, 12:30:06 PM |
|
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Is it not enough that he/she lost their Bitcoins?
Actually I was considering starting a fund to pay people to abuse those who "got hacked" further. There's certainly not enough of it being done naturally. That aside, wasn't muchly aware of such a great standing of MtGox? Perhaps you're confusing Inaba's unpopularity with MtGox's popularity? |
|
|
|
01BTC10
VIP
Hero Member
Offline
Activity: 756
Merit: 503
|
|
January 23, 2013, 01:22:04 PM |
|
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Is it not enough that he/she lost their Bitcoins?
I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.
Please, think before you post and dont post drunk.
/GoK
Title is misleading. He got hacked not MtGox. |
|
|
|
|
|
deadweasel
|
|
January 23, 2013, 01:32:33 PM |
|
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Is it not enough that he/she lost their Bitcoins?
I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.
Please, think before you post and dont post drunk.
/GoK
Title is misleading. He got hacked not MtGox. Very Misleading, Please fix! |
|
|
|
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1226
Away on an extended break
|
|
January 23, 2013, 04:39:26 PM |
|
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Is it not enough that he/she lost their Bitcoins?
I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.
Please, think before you post and dont post drunk.
/GoK
Title is misleading. He got hacked not MtGox. Very Misleading, Please fix! Agreed. Added a single word. |
|
|
|
|
|
niko
|
|
January 24, 2013, 12:55:50 AM |
|
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Read the posts again, and you will notice that your comment is out of place. He makes a false claim that MtGox is "hacked" and that he was using Yubikey. He did not yet correct the title of the thread as of this moment. It is misleading, it spreads unjustified panic, and it is everybody's waste of time. I am sorry for his loss, and I do hope the thief is caught, but please act with some integrity. |
They're there, in their room.
Your mining rig is on fire, yet you're very calm.
|
|
|
|
twolifeinexile
|
|
January 28, 2013, 03:28:46 PM |
|
You can use google authenticator on your box account. Its free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.
How is google authenticator different from Yubi Key? |
|
|
|
|
|
niko
|
|
January 28, 2013, 03:38:34 PM |
|
You can use google authenticator on your box account. Its free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.
How is google authenticator different from Yubi Key? You can back up the code at the time if setup, if your phone is lost or broken you can set everything up again easily. Not so easy with yubikey. Having said that, yubikey introduces less risk of security holes than an android phone. |
They're there, in their room.
Your mining rig is on fire, yet you're very calm.
|
|
|
kokojie
Legendary
Offline
Activity: 1806
Merit: 1003
|
|
January 28, 2013, 03:38:52 PM |
|
You can use google authenticator on your box account. Its free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.
How is google authenticator different from Yubi Key? I think it's more convenient since you always have your phone. Plus it's free. |
btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
|
|
|
|
Ghostofkobra
|
|
January 29, 2013, 10:19:14 PM |
|
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Read the posts again, and you will notice that your comment is out of place. He makes a false claim that MtGox is "hacked" and that he was using Yubikey. He did not yet correct the title of the thread as of this moment. It is misleading, it spreads unjustified panic, and it is everybody's waste of time. I am sorry for his loss, and I do hope the thief is caught, but please act with some integrity. First off, my comment was not about the correct or incorrect title, it was about all those other posts that was made. Secondly i wrote "their account gets hacked" which is a neutral term as to where the security break was, his pwd or Mt Gox. Bottom line is, that thread, as well as many other "Gox account hacked" threads are full of namecalling and unintelligent BS in order to belittle the OP. I am not saying that the Mob should turn on Gox, but i see a systematic behavior of "some elements in the community" that kicks on ppl that gets hacked, calling them stupid and worse. And i figured i would at least write one post that says that this behavior should end. /GoK |
|
|
|
Puppet
Legendary
Offline
Activity: 980
Merit: 1040
|
|
January 30, 2013, 08:51:39 AM |
|
How much security does Yubi key really add if your PC is compromised?
Im not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.
Im no expert, never used mtgox or yubi key, but what am I missing?
|
|
|
|
|
|
MPOE-PR
|
|
January 30, 2013, 09:22:19 AM |
|
The unspoken underlying fear is that one might have their funds disappear and be in a "he said she said" war with Gox as to how the withdrawal actually occurred. If MtGox adopts policy and procedures that ensures that all withdrawals can be positively accounted for, and that instant withdrawals to arbitrary addresses are easy to limit, it literally reduces the customers negative fear of unauthorized withdrawal.
Doesn't seem there's much better a way to do this than PGP really. |
|
|
|
BCB
CTG
VIP
Legendary
Offline
Activity: 1078
Merit: 1002
BCJ
|
|
January 30, 2013, 02:37:34 PM |
|
PGP won't be widely used until there are better libraries and it is easier to implement and use.
|
|
|
|
|
01BTC10
VIP
Hero Member
Offline
Activity: 756
Merit: 503
|
|
January 30, 2013, 05:05:01 PM |
|
How much security does Yubi key really add if your PC is compromised?
Im not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.
Im no expert, never used mtgox or yubi key, but what am I missing?
You are right in the case of a sophisticated attacker but most of them are script kiddies who log only username and password. With Yubi key or Google Authenticator you prevent most attack imo. |
|
|
|
|
|
