bitcoinBull
Legendary
Offline
Activity: 826
Merit: 1001
rippleFanatic
|
|
June 14, 2011, 01:52:11 AM |
|
Your numbers don't add up.
So far you've only said that you lost "a very large chunk" from this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG.
The receiving address (1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg) indeed had 25,000 but only 3522 were received from said address.
How much did you lose and from which addresses?
|
College of Bucking Bulls Knowledge
|
|
|
allinvain (OP)
Legendary
Offline
Activity: 3080
Merit: 1080
|
|
June 14, 2011, 01:52:35 AM |
|
Your numbers don't add up.
So far you've only said that you lost "a very large chunk" from this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG.
The receiving address (1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg) indeed had 25,000 but only 3522 were received from said address.
How much did you lose and from which addresses?
Well guys, I am taking a break from the forum. My fingers hurt from all this typing, and I got real life to deal with. Thanks for all those who have wished me the best. Cheers!
|
|
|
|
Dude65535
|
|
June 14, 2011, 01:55:05 AM |
|
Since a new address is created for each coin generation during solo mining, you had created many more than 100 new addresses. Two things you could do to see if it was a backup that was compromised instead of your pc.
See if any of the coins that were left behind shared an address with coins that were stolen, if some shared an address then the attacker just went for a round number. If no addresses are shared it might have been a backup that was the problem.
If you sort through all 400+ inputs on the hackers transaction and look for the 101st newest first seen on date, that would give you the approximate time the backup was created.
|
1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
|
|
|
allinvain (OP)
Legendary
Offline
Activity: 3080
Merit: 1080
|
|
June 14, 2011, 02:05:03 AM |
|
Your numbers don't add up.
So far you've only said that you lost "a very large chunk" from this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG.
The receiving address (1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg) indeed had 25,000 but only 3522 were received from said address.
How much did you lose and from which addresses?
Sorry, I never mentioned ...but it has been mentioned by people in the thread..all you had to do was read the blockchain. It was 25K BTC. Well the rest could come from my other private keys? That 1J18 address is the one I used most frequently..I kept on reusing that on mining sites so I knew where my mining profits came from... Here is a screenshot: Uploaded with ImageShack.usand.. and.. Uploaded with ImageShack.usUploaded with ImageShack.usThe last screenshot is from my slush account..you can see the person changing my payout address..and the payout amounts match what you see in the screenshot..I dunno how much more I can show that this is indeed is my account... ohwell ok I'm out of here..
|
|
|
|
Maged
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
June 14, 2011, 02:13:18 AM |
|
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
June 14, 2011, 02:57:23 AM |
|
It can't be "exploitable c code" in the client. Allinvein's pool payout address was changed. Someone had completely compromised his system, but he is saying anti-virus software has found nothing. Something able to compromise his system so thoroughly would have used a know vector, and the anti virus would find it.
Not true. Modern computers are so complex that nobody knows them from top to bottom. The abstraction layers are not proven correct. Every time the "abstraction leaks", you have a potential security breach. Anti-virus software just uses a dictionary of known malware. If a popular, well-known anti-virus (like symmantec) is used, the attacker can even take the time to test their malware against the antivirus software to see if it is detected. In general, if we want to use crypto-currency in our lifetime (before computers are really ready), we need to build a list of "best practices" to keep your wallet safe. The list may include: - If your wallet is compromised, (posted on dropbox, 4chan, etc) don't erase it: send all the coins to a new wallet instead.
- keep your savings wallet on an encrypted partition. Some have suggested not even connecting the computer with the saving wallet to a network (just copy the address manually).
- Keep encrypted back-ups in an off-site location. Keep the passphrase in an offsite location as well, preferably separate from your wallet.
- Take steps to secure you computer: most probably put this off. For the record, I think anything requiring "Updates" (Including Windows and certain GNU/Linux distros, most graphical browsers) is inherently insecure. Undocumented hardware like those GPUs you use for mining are also a security risk.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
dayfall
|
|
June 14, 2011, 03:06:17 AM |
|
I tell, you the recent fall in prices make me reconsider how much some of us could stand to loose. And this story got me to finally make a secure wallet.
I am very interested in learning how this theft was done.
|
|
|
|
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
|
|
June 14, 2011, 03:32:31 AM |
|
So this was definitely not a meatspace attack, since two completely different individuals were attacked, with the monies sent to the same bitcoin address.
It was also definitely not due to the unencrypted dropbox upload. Stealing a dropbox file and stealing MtGox account info are two very different things.
I would say, with a high level of certainty, that this was a targeted hacker or malware attack.
Stay vigilant, fellow bitcoiners.
|
|
|
|
Bind
|
|
June 14, 2011, 03:53:28 AM |
|
Again I am so very sorry for your loss, but anyone with even the most rudimentary photoshop skills can manipulate and alter a image screenshot.
There is absolutely no way, other than legal and judicial means, for you to get your money back, and anyone who helps you through exchanges and such are themselves stealing from others because there is no certifiable concrete documented evidence of the theft.
Additionally because of the anonymity and security build into the bitcoin system, there is plausible deniability as exemplified by the core teams development posts and released project information.
Supposition, conjecture, and coincidence ARE NOT PROOF.
Thinking or knowing something is a lot different than proving it.
|
|
|
|
Chick
Member
Offline
Activity: 70
Merit: 10
|
|
June 14, 2011, 03:59:48 AM |
|
Again I am so very sorry for your loss, but anyone with even the most rudimentary photoshop skills can manipulate and alter a image screenshot.
There is absolutely no way, other than legal and judicial means, for you to get your money back, and anyone who helps you through exchanges and such are themselves stealing from others because there is no certifiable concrete documented evidence of the theft.
Additionally because of the anonymity and security build into the bitcoin system, there is plausible deniability as exemplified by the core teams development posts and released project information.
Supposition, conjecture, and coincidence ARE NOT PROOF.
Thinking or knowing something is a lot different than proving it.
Who would use photoshop for website text manipulation?
|
|
|
|
innervisi0nn
Member
Offline
Activity: 98
Merit: 10
Tutorials, guidelines, optimizations for all!
|
|
June 14, 2011, 04:03:39 AM |
|
how are you generating 50 coins per day? (or am i crazy?)
|
|
|
|
bitcool
Legendary
Offline
Activity: 1441
Merit: 1000
Live and enjoy experiments
|
|
June 14, 2011, 04:04:59 AM |
|
how are you generating 50 coins per day? (or am i crazy?)
read the date: 6/8/ 2010
|
|
|
|
innervisi0nn
Member
Offline
Activity: 98
Merit: 10
Tutorials, guidelines, optimizations for all!
|
|
June 14, 2011, 04:06:38 AM |
|
how are you generating 50 coins per day? (or am i crazy?)
read the date: 6/8/ 2010stupid me :X sorry. goodluck to you (allinvain) - time to look into more security measures on all my rigs now =\
|
|
|
|
allinvain (OP)
Legendary
Offline
Activity: 3080
Merit: 1080
|
|
June 14, 2011, 04:14:25 AM |
|
They're not manipulated images but I had a feeling some of you would think that. I can get slush and maybe a few others to corroborate me. In the end it doesn't matter any more. I'm going to step back from this forum for a bit. I'll keep an eye on the thread but not participate. There is nothing more that I can add to this so far.
|
|
|
|
innervisi0nn
Member
Offline
Activity: 98
Merit: 10
Tutorials, guidelines, optimizations for all!
|
|
June 14, 2011, 04:17:00 AM |
|
They're not manipulated images but I had a feeling some of you would think that. I can get slush and maybe a few others to corroborate me. In the end it doesn't matter any more. I'm going to step back from this forum for a bit. I'll keep an eye on the thread but not participate. There is nothing more that I can add to this so far.
dont get me wrong, i didnt pay attention to the date =\ sorry pal...get in touch with mtgox and some of the pool operators (tyco (deepbit) (dinox (swepool) etc.. and see if they can help
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
June 14, 2011, 04:31:59 AM |
|
...because there is no certifiable concrete documented evidence of the theft.
He can prove possession of the private keys by receiving a small amount and resending it to a specific address upon request. The amount would have to be very arbitrary and not coincide with any other coins in his wallet for the same amount, to ensure that when he sent the same amount out, he would be sending out the same transaction.
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
mouse
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 14, 2011, 04:32:46 AM |
|
If anyone thinks this isn't a problem with the bitcoin system, they're deluding themselves.
While it's true that allinvain could have taken measures that would probably have avoided this, it still doesn't change the fact that as things currently stand the system is very difficult, if not impossible, to secure for the 'average joe', and this security DOES NOT come setup already out of the box. Suggestions of manually setting up laptops with multiple different encrypted (with 3rd party software no less) wallets or other such talk is FAR beyond anything the average consumer is willing to do to use this system.
Whether you want to hear this or not, my professional opinion is that unless security is built into the bitcoin system, and the system activly tries to protect users from themselves, it won't work. And by professional, I mean I've spent several years working for a few Government agencies where I've focussed mostly on usability and good UI design to reducing error rates for various high profile systems, etc.
Think about this - if EVERY user has to take steps X, Y, and Z in order to use the system safely, then steps X, Y, and Z must be built into the system.
|
|
|
|
bcearl
|
|
June 14, 2011, 04:37:58 AM |
|
What do I get if I get your money back?
Is there hope after all? 1. mtgox has the money 2. our victim can at least prove that he also has the private key of the account where the money got stolen from.
|
Misspelling protects against dictionary attacks NOT
|
|
|
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
|
|
June 14, 2011, 04:41:31 AM |
|
Think about this - if EVERY user has to take steps X, Y, and Z in order to use the system safely, then steps X, Y, and Z must be built into the system.
This, most definitely, I agree with.
|
|
|
|
Capitan
Member
Offline
Activity: 112
Merit: 10
|
|
June 14, 2011, 04:42:01 AM |
|
I agree with mouse. Securing the wallet, and everything else possible (I don't know what to demand security on specifically, because I'm not an encryption or security expert) is the single most important thing that needs to be done in the bitcoin world right now. I am still shocked when I read a forum post saying that one of the developers said that securing the wallet was low priority.
You aren't gonna get multiple chances with bitcoin. If it experiences one catastrophic failure, that could be enough to scare people away for good. I have no bitcoins to my name right now but as soon as I do I will pledge some to a bounty on securing the wallet, and a security audit of the entire toolchain. That includes pools, miners, clients, and wallet security. If any coders here are legitametly GOOD if not GREAT security programmers, they should set up to work on that. Or people should recruit their friends who are experts in the arena to contribute.
I said this in another thread. Cryptocurrency with a plain text wallet. Is that a joke?
|
|
|
|
|