Bitcoin Forum
Author Topic: If your Mt. Gox account has been compromised, PLEASE READ.  (Read 34527 times)
jeanjean (Newbie; Activity: 3, Merit: 0)
June 22, 2011, 11:38:43 AM  #161

Ahah so it seems that after having my www.mybitcoin.com harvested from 0.5 BTC, I fell for social engineering from joepie91... O_o

Thanks stubeans. Great investigation!
Octavian (Newbie; Activity: 25, Merit: 0)
June 22, 2011, 12:54:03 PM  #162

Thank you for sharing this information.

As I myself previously thought it's a spin-off of the Anonymous collective, this idea is affirmed; alas, still no proof.
joepie91 (OP) (Sr. Member; Activity: 294, Merit: 250)
June 22, 2011, 01:47:07 PM  #163

Because every (semi-)private channel on the internet is Lulzsec.
and how did you get in that channel to begin with? why do you appear so close to lulzsec members such that you're allowed to freely enter and chat as old friends?
Because I was invited to that channel by a few friends, as is usually the case when someone gets into a "private" channel.
Quote
with your litany of VPN logins? why so many VPN logins, anyhow? guilty by association? probably? moo? i like question marks?
VPN logins? I have only used two VPNs, to avoid my connection getting (D)DoSed to shit every time I connect to an IRC network that doesn't offer masking.
Quote
Quote
Because I totally did not encourage users to change their passwords to something stronger and completely unlike their current password.
You pretend to be a friend, then exploit the info you gather. Isn't that what SE and intel gathering in general is all about?
How can I possibly exploit that information?
Quote
Quote
Because I am totally a completely evil person whose only mission in life is to gather statistics on passwords that are not used anymore, to throw them into my magical hat and magically get all new passwords and usernames of everyone in the universe!
You may or may not be evil, but you do seem to associate with those online that have less than stellar characters. why?
Because that's life? People I know (from Anonymous) just happened to be involved with Lulzsec, that is not something I have control over.
Quote
Quote
Because trying to spread fear has worked the past few times something like this happened.
fear? i'm giving people food for thought. it's obvious that some here need that type of nourishment, no?
You are doing the exact same thing that people like @fakegregghoush have been doing for the past few months - making remarks implying you know more about me than other people do, trying to scare me off. It's getting old.

I consider myself a purveyor of only the finest newspapers throughout the land. So lo and behold when I launch the Guardian today and see this article on my iPad - http://www.guardian.co.uk/technology/2011/jun/21/lulzsec-hacker-group-who-belongs

Quote
The group is small – less than 10 or so. (This is confirmed separately by security researcher Rik Ferguson of Trend Micro, who comments that "it seems to be a tight-knit group – it only needs to be a few people, since all they need is a Twitter account and a web page. There's no evidence that they're a particularly sophisticated group.)

The members, according to Imperva:

• "Sabu" – HBgary hacker. Seems to be the leader.

• "Nakomis" – Coder, rumoured to be one of coders of the PHPBB bulletin board.

• "Topiary" – handles finance, such as donations and payment for services (eg botnets)

• "Tflow" – Hacker. (Rumoured.)

• "Kayla" – Hacker. Owns a big botnet.

• "Joepie91" – Website admin.

• "Avunit" - No more detail.

From hacker discussion forums, it seems they might get arrested as soon as many "real world" details on their identities get revealed, suggests Tal Be'ery.
I'm outraged they capitalized Joepie's handle, when clearly it isn't. This will be resolved, I swear!

And surprise surprise! The Guardian article is based on the Imperva article, which in turn is based on the same leaked IRC logs that were claimed to be from Lulzsec but were not.

I suggest you actually respond to some of the things I said before, instead of throwing allegation after allegation.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
stubeans (Newbie; Activity: 7, Merit: 0)
June 22, 2011, 02:14:21 PM  #164

http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html

doesn't seem like Imperva is using that log at all? is it SOP to obfuscate the allegations by claiming they all come from a single discredited source?

Quote
Joepie is a current member of Anonymous, and operates a number of websites used by the group.  He feels he is operating legally in his participation in the group, as long as he is only offering material support.  Logs show him to be a full participant with access to private irc rooms, but he appears to feel he is committing no crimes as long as he personally abstains from accessing websites, a position he also took during the HBGary intrusion.
Joepie is a bitcoin supporter/enthusiast, and seems to have encouraged its use by the group.

the profile written about you seems to fit you to a T. you don't deny the veracity of the logs, nor being an active member of the(se) chat room(s), nor having them as your friends. but the tone of the conversation indicates you're there for a slightly higher purpose than mere socialization. i haven't a clue as to whether you're the webmaster/designer, but if that's the depth of your work for Lulzsec then congratulations, i suppose? Bin Laden's driver was given 66 months in Guantanamo, a miscarriage of justice that I hope doesn't befall you.

for everyone reading this - accept my apology on how i've misled you. it's obvious you should trust an individual with links to hacker groups asking publicly for the composition of your old passwords and whether they were reused on other sites with the same user name.
joepie91 (OP) (Sr. Member; Activity: 294, Merit: 250)
June 22, 2011, 02:49:26 PM  #165

http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html

doesn't seem like Imperva is using that log at all? is it SOP to obfuscate the allegations by claiming they all come from a single discredited source?

Quote
Joepie is a current member of Anonymous, and operates a number of websites used by the group.  He feels he is operating legally in his participation in the group, as long as he is only offering material support.  Logs show him to be a full participant with access to private irc rooms, but he appears to feel he is committing no crimes as long as he personally abstains from accessing websites, a position he also took during the HBGary intrusion.
Joepie is a bitcoin supporter/enthusiast, and seems to have encouraged its use by the group.

the profile written about you seems to fit you to a T. you don't deny the veracity of the logs, nor being an active member of the(se) chat room(s), nor having them as your friends. but the tone of the conversation indicates you're there for a slightly higher purpose than mere socialization. i haven't a clue as to whether you're the webmaster/designer, but if that's the depth of your work for Lulzsec then congratulations, i suppose? Bin Laden's driver was given 66 months in Guantanamo, a miscarriage of justice that I hope doesn't befall you.

for everyone reading this - accept my apology on how i've misled you. it's obvious you should trust an individual with links to hacker groups asking publicly for the composition of your old passwords and whether they were reused on other sites with the same user name.
http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html
Based on http://lulzsecexposed.blogspot.com (which has some juicy false assumptions mixed in)
Which was in turn based on the already mentioned http://pastebin.com/QZXBCBYt

HappyFunnyFoo (Full Member; Activity: 125, Merit: 100)
June 22, 2011, 03:36:06 PM  #166

Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
Nagle (Legendary; Activity: 1204, Merit: 1000)
June 22, 2011, 04:31:08 PM  #167

Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
I'd agree that keeping funds on any of the Bitcoin exchanges is foolish. The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

None of the major Bitcoin "exchanges" is solid enough as an institution to act as a bank. They're not even at the level of some small-town independent bank in terms of organization, security, regulation, or financial strength. Mt. Gox, before the crash, was handling more money than some small town banks. But they had only two people, and no clue about security of a financial institution. Real banks and exchanges have insurance bonds on their employees, errors and omissions insurance, and real auditors. Not these guys.

If you use an exchange, sweep all your funds out of it at least once a day.
BitterTea (Sr. Member; Activity: 294, Merit: 250)
June 22, 2011, 04:45:46 PM  #168

The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

What is commonly considered a bank today is more strictly defined as a commercial bank: "A commercial bank accepts deposits and pools those funds to provide credit, either directly by lending, or indirectly by investing through the capital markets."

So, MtGox and the other exchanges are not banks in the same sense as Bank of America or even your local credit unions.
Nagle (Legendary; Activity: 1204, Merit: 1000)
June 22, 2011, 05:12:21 PM  #169

So, MtGox and the other exchanges are not banks in the same sense as Bank of America or even your local credit unions.
In a strict sense, they're "non-bank depository institutions". But I felt that was too advanced a term for this forum.

For background on that subject, see this paper from the Kansas City Fed: "Recent developments at banks and nonbank depository institutions". That was written in 1983, near the beginning of US financial deregulation, as the types of financial institutions started to proliferate. It used to be that the same institutions accepted deposits and made retail loans. The job can be split, though, with one institution accepting deposits and another making loans. Non-bank depository institutions have to put their money somewhere, and if they put it in a bank, they are lending it to the bank. 

Bank regulation exists to protect depositors' funds.  Generally, banking regulation is applied to depository institutions, regardless of whether they make loans. On the other hand, businesses which lend their own money but do not hold deposits (like payday-loan companies) are not regulated as banks.

So an "exchange" like Mt. Gox would be subject to banking regulation in some jurisdictions. PayPal is regulated as a bank in the European Union, and as a money transfer service in the US and Japan. As of April 1, 2010, money transfer services in Japan must be licensed. Does Mt. Gox have a license?

mahun (Newbie; Activity: 17, Merit: 0)
June 22, 2011, 09:52:27 PM  #170

Is it registered in Japan at all? =)) It could be a pure virtual company which will disappear at some point.
TigolBitteez (Newbie; Activity: 15, Merit: 0)
June 23, 2011, 04:41:22 AM  #171

How can anyone even know at the moment. This is some Newb Garbage.
Big Time Coin (Sr. Member; Activity: 332, Merit: 250)
June 24, 2011, 05:10:41 AM  #172

Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
I'd agree that keeping funds on any of the Bitcoin exchanges is foolish. The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

None of the major Bitcoin "exchanges" is solid enough as an institution to act as a bank. They're not even at the level of some small-town independent bank in terms of organization, security, regulation, or financial strength. Mt. Gox, before the crash, was handling more money than some small town banks. But they had only two people, and no clue about security of a financial institution. Real banks and exchanges have insurance bonds on their employees, errors and omissions insurance, and real auditors. Not these guys.

If you use an exchange, sweep all your funds out of it at least once a day.

qft

Big time, I'm on my way I'm making it, big time, oh yes
- Peter Gabriel
Joise (Newbie; Activity: 30, Merit: 0)
June 24, 2011, 01:42:49 PM  #173

Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?

I still think that a scheme based on GnuPG, smart card and mTAN would be pretty secure and accessible.

It would work that way: When creating an account one would generate a GnuPG key pair. One would enter the public key together with user name and password at the trading site.

This key can now be used to verify re-authentication in case of a lost password, and this would be MUCH safer than re-authentication by e-mail. It can also be used to certify certain critical transactions. This can be done the way that the trading site generates an authentication token, mails it to the user, and he has to sign it with his private key and return it. Alternatively, the offered token can be displayed in a web form and the user replaces it by the signed token.

One important point is that this authentication can be used to set up a cell phone number for an mTAN scheme (mobile transaction authentication number). With this, when a transaction is done, the system sends a number to the phone which contains the important items of the transaction and an alphanumerical code. The transaction is accepted only when the code is entered in the web page. This is not a perfect system, but works very effectively against key loggers, and it is widely used in many countries.

Among the good things about GnuPG is that it is available on most operating systems (even the ones you shouldn't use) and that it can be used with a smart card. In this case, the private key is moved to the smart card and can't be read from there again. Processing of signatures is done on the smart card itself when one enters a PIN. Thus, it is not possible to steal the private key any more. This type of smart card is available from many places, see here:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

The device from privacy foundation is an open source project, which means enhanced transparency and security against governmental backdoors.

With the scheme described, you need your account password and your phone to make a transaction. You need your smart card, your mail account password OR your account password and your smart card PIN to change the account password or the phone number.

There are certainly other solutions (Yubikey and SSL client certificates with hardware tokens have been named, and I don't know them well enough to discuss them) but I believe this one is a cost-effective and safe variant. I think that at least two-factor authentication is a must, otherwise stealing of coins becomes so easy that a real and widespread theft business will emerge within months.

And for the same reason, I think, it should not be charged for at all. This is just fulfilling basic requirements.

And of course, mTAN can be hacked, if someone gets a SIM card for my number. But that's considerably more difficult than keylogging.
joepie91 (OP) (Sr. Member; Activity: 294, Merit: 250)
June 25, 2011, 01:57:25 AM  #174

Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?

I still think that a scheme based on GnuPG, smart card and mTAN would be pretty secure and accessible.

It would work that way: When creating an account one would generate a GnuPG key pair. One would enter the public key together with user name and password at the trading site.

This key can now be used to verify re-authentication in case of a lost password, and this would be MUCH safer than re-authentication by e-mail. It can also be used to certify certain critical transactions. This can be done the way that the trading site generates an authentication token, mails it to the user, and he has to sign it with his private key and return it. Alternatively, the offered token can be displayed in a web form and the user replaces it by the signed token.

One important point is that this authentication can be used to set up a cell phone number for an mTAN scheme (mobile transaction authentication number). With this, when a transaction is done, the system sends a number to the phone which contains the important items of the transaction and an alphanumerical code. The transaction is accepted only when the code is entered in the web page. This is not a perfect system, but works very effectively against key loggers, and it is widely used in many countries.

Among the good things about GnuPG is that it is available on most operating systems (even the ones you shouldn't use) and that it can be used with a smart card. In this case, the private key is moved to the smart card and can't be read from there again. Processing of signatures is done on the smart card itself when one enters a PIN. Thus, it is not possible to steal the private key any more. This type of smart card is available from many places, see here:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

The device from privacy foundation is an open source project, which means enhanced transparency and security against governmental backdoors.

With the scheme described, you need your account password and your phone to make a transaction. You need your smart card, your mail account password OR your account password and your smart card PIN to change the account password or the phone number.

There are certainly other solutions (Yubikey and SSL client certificates with hardware tokens have been named, and I don't know them well enough to discuss them) but I believe this one is a cost-effective and safe variant. I think that at least two-factor authentication is a must, otherwise stealing of coins becomes so easy that a real and widespread theft business will emerge within [s]months[/s] weeks.

And for the same reason, I think, it should not be charged for at all. This is just fulfilling basic requirements.

And of course, mTAN can be hacked, if someone gets a SIM card for my number. But that's considerably more difficult than keylogging.

Fixed it for you.

Anyway, that is a VERY good suggestion, the only important thing to take care of, is making sure that it is all very user-friendly. Users should never have to ask themselves "what do I do now?", or there will be issues with the system (and that may scare people away, towards less secure systems).

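The signed-token re-authentication and the mTAN step that Joise proposed above (and that joepie91 quotes in his reply), as an added example written here; it is not code from either post or from Mt. Gox. It assumes an Ed25519 key in place of the GnuPG card signature, the "purpose|nonce|expiry" token layout, and a 6-hex-digit mTAN code; the site-side checks (registered key only, single use, expiry, code bound to destination and amount) are the point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is the authentication token the site mails or displays. The user
// signs Bytes() with the private key on the smart card and returns the result.
type Challenge struct {
	Purpose, Nonce string // purpose such as "reset-password" or "set-phone"
	Expires        time.Time
	used           bool
}

func (c *Challenge) Bytes() []byte {
	return []byte(c.Purpose + "|" + c.Nonce + "|" + c.Expires.UTC().Format(time.RFC3339))
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to issue a token rather than a weak one
	}
	return hex.EncodeToString(b)
}

func NewChallenge(purpose string, now time.Time, ttl time.Duration) *Challenge {
	return &Challenge{Purpose: purpose, Nonce: randomHex(16), Expires: now.Add(ttl)}
}

// VerifySigned is the site-side check. registered is the public key stored at
// signup (never one supplied with the response); the token must be unused,
// issued for this purpose, unexpired, and the signature must cover its exact bytes.
func VerifySigned(registered ed25519.PublicKey, c *Challenge, purpose string, sig []byte, now time.Time) error {
	if c.used || c.Purpose != purpose || now.After(c.Expires) {
		return errors.New("challenge already used, wrong purpose, or expired")
	}
	if !ed25519.Verify(registered, c.Bytes(), sig) {
		return errors.New("signature does not verify under registered key")
	}
	c.used = true
	return nil
}

// PendingTx is a withdrawal waiting for its mTAN. The code is bound to the
// destination and amount it was issued for, and the SMS repeats those details.
type PendingTx struct {
	Dest, Amount string
	code         string
	used         bool
}

func NewPendingTx(dest, amount string) *PendingTx {
	return &PendingTx{Dest: dest, Amount: amount, code: randomHex(3)}
}

func (t *PendingTx) SMS() string {
	return fmt.Sprintf("Send %s BTC to %s? Code: %s", t.Amount, t.Dest, t.code)
}

// Confirm accepts the code once, only for the details it was issued for, compared in constant time.
func (t *PendingTx) Confirm(dest, amount, code string) bool {
	if t.used || dest != t.Dest || amount != t.Amount ||
		subtle.ConstantTimeCompare([]byte(code), []byte(t.code)) != 1 {
		return false
	}
	t.used = true
	return true
}
```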
kabo (Newbie; Activity: 7, Merit: 0)
June 26, 2011, 12:52:56 PM  #175

* How much funds did you lose?
30.53 BTC
* To what address were your stolen funds sent?
1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD
* What OS are you using (Windows, Linux, Mac OSX ...)?
Mac OS X 10.6.7, Safari
* How long was your old password?
10 chars
* Was your old password random?
nope
* Was your username the same on Mt. Gox as on the forum?
yup
* Did you use your Mt. Gox password somewhere else?
yup, but not anymore
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
nope, just smallcaps
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
nope

I'm guessing I'm pretty much screwed here.

But I checked the mtgox logs here https://claim.mtgox.com/status.html

Code:
money withdrawn:
Thu 16 Jun 2011 06:04:15 AM GMT out 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD 30.53000000 ฿TC

06:45:15 a.m. Thursday June 16, 2011 in GMT converts to 03:45:15 p.m. Thursday June 16, 2011 in JST

Logins by IP-addresses that are not mine:
MTGOX_LOGIN Successful login on Mt.Gox Sat 18 Jun 2011 12:22:44 AM JST 184.105.220.24
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 03:03:51 PM JST 213.112.199.142 <-- likely logged on and withdrew money
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 01:14:03 PM JST 76.10.214.89
MTGOX_LOGIN Successful login on Mt.Gox Wed 15 Jun 2011 06:38:29 PM JST 46.166.129.61

The IP 213.112.199.142 seems to reside in Sweden and doesn't seem to run TOR. It could be part of a bot-net though.
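The correlation kabo does by hand above, as an added example (not code from the post or from Mt. Gox): parse the quoted status-page lines, normalise the GMT withdrawal stamp and the JST login stamps to UTC, and return the last successful login before the withdrawal. The log format is assumed to be exactly as quoted, and only the GMT and JST abbreviations the page shows are accepted.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed copies of the lines quoted in the post, in the Mt. Gox status
// page format: the withdrawal is stamped in GMT, the logins in JST.
const withdrawalLine = "Thu 16 Jun 2011 06:04:15 AM GMT out 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD 30.53000000 BTC"

const loginLog = `MTGOX_LOGIN Successful login on Mt.Gox Sat 18 Jun 2011 12:22:44 AM JST 184.105.220.24
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 03:03:51 PM JST 213.112.199.142
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 01:14:03 PM JST 76.10.214.89
MTGOX_LOGIN Successful login on Mt.Gox Wed 15 Jun 2011 06:38:29 PM JST 46.166.129.61`

// Only the two zone abbreviations the page shows; anything else is rejected
// rather than silently parsed with a zero offset (which time.Parse would do).
var zones = map[string]*time.Location{
	"GMT": time.UTC,
	"JST": time.FixedZone("JST", 9*60*60),
}

const stampLayout = "Mon 2 Jan 2006 03:04:05 PM"

// parseStamp turns the tokens "Thu 16 Jun 2011 03:03:51 PM JST" into a UTC instant.
func parseStamp(tok []string) (time.Time, error) {
	if len(tok) < 7 {
		return time.Time{}, fmt.Errorf("short timestamp: %v", tok)
	}
	loc, ok := zones[tok[6]]
	if !ok {
		return time.Time{}, fmt.Errorf("unknown zone %q", tok[6])
	}
	t, err := time.ParseInLocation(stampLayout, strings.Join(tok[:6], " "), loc)
	return t.UTC(), err
}

type Login struct{ At time.Time; IP string }

// ParseLogins reads MTGOX_LOGIN lines; the timestamp starts after "Mt.Gox"
// and the source IP is the last field.
func ParseLogins(log string) ([]Login, error) {
	var out []Login
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 13 || f[0] != "MTGOX_LOGIN" {
			return nil, fmt.Errorf("unrecognised line: %q", line)
		}
		at, err := parseStamp(f[5:12])
		if err != nil {
			return nil, err
		}
		out = append(out, Login{At: at, IP: f[len(f)-1]})
	}
	return out, nil
}

// ParseWithdrawal returns the UTC time of a "... out <addr> <amount>" line.
func ParseWithdrawal(line string) (time.Time, error) {
	return parseStamp(strings.Fields(line))
}

// LastLoginBefore returns the most recent login at or before t: the session
// most likely to have issued the withdrawal.
func LastLoginBefore(logins []Login, t time.Time) (Login, bool) {
	var best Login
	found := false
	for _, l := range logins {
		if !l.At.After(t) && (!found || l.At.After(best.At)) {
			best, found = l, true
		}
	}
	return best, found
}
```

On the quoted lines this picks the 213.112.199.142 login, 24 seconds before the withdrawal, which is the same conclusion kabo reached by hand.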
Visa (Newbie; Activity: 3, Merit: 0)
June 26, 2011, 12:58:02 PM  #176

I see a class action against Mt Gox is in order