Bitcoin Forum
December 10, 2016, 04:54:40 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3]  All
  Print  
Author Topic: I was scammed by MtGox.  (Read 7273 times)
kiwiasian
Full Member
***
Offline Offline

Activity: 168


View Profile
June 19, 2011, 08:36:47 PM
 #41

Guys, stop telling me I need to change my password. For anything important, I never reuse a password from a different site. I had a secure alphanumeric password as well. My account was COMPROMISED, like a lot of other users here.

Let me reemphasize that I am not the only one affected. Please read the entire thread and see the link that someone posted earlier.

MtGox on the issue, addressing the security hole:

Tradehill referral link, save 10% | http://www.tradehill.com/?r=TH-R12328
www.payb.tc/kiwiasian | 1LHNW1JGMBo2e7rKiiFz7KJPKE57bqCdEC
1481388880
Hero Member
*
Offline Offline

Posts: 1481388880

View Profile Personal Message (Offline)

Ignore
1481388880
Reply with quote  #2

1481388880
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
jondecker76
Full Member
***
Offline Offline

Activity: 238


View Profile
June 19, 2011, 08:57:46 PM
 #42

I feel your pain.
I too got BTC stolen from mtgox because of the comprimise, and its been reported to mtgox for a while now (who repeately denied it to all of us that got robbed)

Now lets see if the do the right thing, and refund the money to us that was lost due to their negligence and lack of security. (20.19 BTC in my case)

RollerBot Advanced Trading Platform
https://bitcointalk.org/index.php?topic=447727.0
BTC Donations for development: 1H36oTJsi3adFh68wwzz95tPP2xoAoTmhC
Doktyr
Newbie
*
Offline Offline

Activity: 15


View Profile
June 19, 2011, 10:48:15 PM
 #43

It is very simple to match http logins with IP addresses.  Any sane trading/currency site would do this logging so if it looks like this:

XX/XX/XXXX XX:XX:XX a.a.a.a - San Diego, CA - Comcast - example
XX/XX/XXXX XX:XX:XX a.a.a.a - San Diego, CA - Comcast - example
XX/XX/XXXX XX:XX:XX a.a.a.a - San Diego, CA - Comcast - example
XX/XX/XXXX XX:XX:XX b.b.b.b - Evil Hacker Town, China - ChinaNet - example

Then it would be pretty clear from their side if an account was hacked.  Mt. Gox is the only one who knows for sure.

Hopefully the logging server is intact.

EDIT: assuming the same account.
sturle
Legendary
*
Offline Offline

Activity: 1418

http://bitmynt.no


View Profile WWW
June 20, 2011, 02:35:56 PM
 #44

Why would I lie?

I even provided a picture for proof
You are still claiming you were scammed by Mt.Gox, and this picture shows an entirely different scenario.  So you are either lying or trying to prove something else.

Btw, if your password was cracked from a salted MD5 hash, it wasn't secure.  By definition.  Secure passords can't be cracked in finite time with todays technology, even when given the hash.

Sjå http://bitmynt.no for veksling av bitcoin mot norske kroner.  Trygt, billig, raskt og enkelt sidan 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
June 21, 2011, 02:09:07 AM
 #45

Btw, if your password was cracked from a salted MD5 hash, it wasn't secure.  By definition.  Secure passords can't be cracked in finite time with todays technology, even when given the hash.

I'm a bit sick and tired with this load of "I'm a security expert" BS! Stop blaming it on users!
Let your db to leak into the web is way more serious than use even 123 as password. There's no way to blame this guy, except that MtGox hasn't "scam him", he just opened an account at a place with a lousy service.
sturle
Legendary
*
Offline Offline

Activity: 1418

http://bitmynt.no


View Profile WWW
June 21, 2011, 12:41:39 PM
 #46

Btw, if your password was cracked from a salted MD5 hash, it wasn't secure.  By definition.  Secure passords can't be cracked in finite time with todays technology, even when given the hash.
I'm a bit sick and tired with this load of "I'm a security expert" BS! Stop blaming it on users!
Let your db to leak into the web is way more serious than use even 123 as password. There's no way to blame this guy, except that MtGox hasn't "scam him", he just opened an account at a place with a lousy service.
Just ten years ago password files, YP, etc with password hashes in the open was the norm.  A crackable password was  as good as a plaintext password.  Passwords had to be good, and the openness ensured that people made good passwords.

Unfortunately after September 1994 a lot of clueless newbies entered the Internet.  Users who had no idea about passwords, security or computers or networks in general.  Also passwords had to be made more and more complex due to increasing computing power available to malicious users.  During the last few years systems have tried to remedy the problem a bit by hiding the hashes from public view.  I'm not sure if this is a good idea or not.

This kind of security by obscurity is false.  First and most important: it is impossible to know if your password is stored in a properly salted and secure hash, or if it is kept in an open database or hashed in an insecure way (NTLM springs to mind).   Secondly: users tend to make bad assumptions about cracking being difficult, and make bad passwords. 

Treat all password databases as open.  Make good and unique passwords, and you are secure if the password database use properly salted and hashed passwords.  (If not the site isn't secure anyway.)

Don't trust "security experts", btw.  People calling themselves experts on computer security typically have little or no real knowledge about security.  Just have a look around this forum for proof.  Real security experts can be recognised by i.e. the lack of firewalls and open WiFi at their home, but would never claim to be an expert on such a complex field.

Sjå http://bitmynt.no for veksling av bitcoin mot norske kroner.  Trygt, billig, raskt og enkelt sidan 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
June 21, 2011, 01:11:50 PM
 #47

There're a few wrong concepts on your idea sturdle.
There IS security trough obscurity. This a simple fact, you can't know what you don't see.

The idea of "open everything" is the ultimate insecure protocol, for the following main reasons:

- The attacker will know exactly what he is after.
- A regular user by seeing a hashed pass will believe to be facing the ultimate uncrackable thing on Earth, as no matter how weak the hash it will look like mumbo-jumbo to him.
- Computing power is expanding by the day. MD5 was safe for the computing power back in the 90's, isn't anymore today. Same will happen to SHA-512 in time being.

The whole idea must be to have a set of password and use them according. Your car key is by far more complex than the one to open your bike's chain; still you need to have a way to open and start your car (remember in the case of passwords) it otherwise you would be on foot.
sturle
Legendary
*
Offline Offline

Activity: 1418

http://bitmynt.no


View Profile WWW
June 21, 2011, 01:54:15 PM
 #48

There're a few wrong concepts on your idea sturdle.
There IS security trough obscurity. This a simple fact, you can't know what you don't see.
Just the fact that you can't see it doesn't make it unknown.  It can even be visible and in plain sight, you just don't know what to look for or where to look.  Treat as much as possible as if it is visible to everyone, and it won't hurt you if it is.  Make sure to protect what you need to protect.  A password is simple to protect.  If you need to protect the password hash to protect your password, you have lost because the hash isn't under your control.

Sjå http://bitmynt.no for veksling av bitcoin mot norske kroner.  Trygt, billig, raskt og enkelt sidan 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
June 21, 2011, 01:59:52 PM
 #49

sturle,

That's the "expect the worse" part, to that end I agree.
You can have security trough obscurity, but you can't think that obscurity may will stand forever.

Now, making everything open doesn't make nothing safer, actually it does the other way around as a potential attacker would know what and where to look for. Making open is a security breach by nature.
Chucksta
Full Member
***
Offline Offline

Activity: 168



View Profile
June 23, 2011, 05:09:02 PM
 #50

So you created an account (that's the complete history, right?), just to put some coins there and about two hours later that money disappeared? I am sorry for my distrust, but with hat kind of title and TradeHill in your signature I think it all looks somewhat suspicious to me.

Hmm, I wonder if a pro Tradehill person had anything to do with the recent bleep hit the fan MT Gox hack ?
cryptoanarchist
Hero Member
*****
Offline Offline

Activity: 896



View Profile
June 23, 2011, 05:40:18 PM
 #51

So you created an account (that's the complete history, right?), just to put some coins there and about two hours later that money disappeared? I am sorry for my distrust, but with hat kind of title and TradeHill in your signature I think it all looks somewhat suspicious to me.

My thoughts exactly
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
June 23, 2011, 06:02:07 PM
 #52

It is very simple to match http logins with IP addresses.
This doesn't work if you've got a CSRF vulnerability in your website. Since it's the victim's browser carrying out the request on behalf of the attacker, no unusual IP addresses show up in the log. In fact, it's actually impossible to prove that a CSRF vulnerability hasn't been exploited from server logs, which is one of many suspicious things about MagicalTux's recent statements. (You can look at the referrer header, but there are ways for the attacker to blank this out, and many users' browsers don't send a referrer anyway.)

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!