Good security is difficult to achieve and very expensive. However, for the kind of cash MtGox makes from us, I would expect much better than what we get...
Bottom line, it's ONE MAN (MagicalTux). Aren't we at fault here, for entrusting him with so much money when WE KNOW he cannot do much better, being alone and with limited competence (I guess his brain is human too, and his days have 24 hours only - like ours...)
People, there's a reason for which banks have IT departments, security officers, response teams etc.
We desperately need a solution here, I think one of the reasons for the recent price drops is FEAR of having money or bitcoins stolen. Unfortunately, justified fear...
Let's try to keep some perspective here. You've gotta pretty much expect to have to take a lot of responsibility for your own stuff out here on this wild frontier of decentralized currency/timestamp whatever. Don't risk what you can't afford to lose, I suppose.
Sure, CSRF is among the pretty well known vectors and probably should have been caught during development, but I can imagine the pressure to get and keep things running quickly overshadows the tedium and expense of diligence like that.
What I find encouraging about this situation, as some others have mentioned:
- it was identified pretty quickly by concerned citizens, measured in days.
- workarounds and good descriptions of the issue were made visible in multiple places (good transparency)
- the hole was apparently closed pretty damn fast once Mt.Gox became aware/verified it
As for banks with big IT depts. and the gobs of tax-payer $ spent to regulate and audit them... they don't really seem to do much better. Case in point: CitiBank
"Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique...cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
from http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access

...and those details came to light many many months after the event.
I think we're doing okay out here in the wild lands and early days of this "experiment"... all things considered.
Stay with the state regulated banks and fiat currencies if you want perceived safety of regulators and so called experts looking out for you. Be prepared to take more than a modicum of self-responsibility out here, however.
Bravo, bitcoin community!
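The two flaws this post touches on, the CSRF vector at Mt.Gox and the Citigroup "swap the account number in the address bar" trick, are both missing server-side checks. Below is an added illustration (not code from the thread, Mt.Gox or Citigroup) of a toy account service showing the unchecked lookup beside the hardened one, and a state-changing request that demands a per-session CSRF token. All names (`login`, `view_account`, `withdraw`), the in-memory `ACCOUNTS` and `SESSIONS` tables, and the account data are constructed for the example.

```python
# Added example, not part of the original thread. Constructed data and
# hypothetical function names; models the checks a real site would do on
# every request rather than trusting what appears in the URL or form.
import hmac
import secrets

# Constructed sample data: each account id and which logged-in user owns it.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120.0},
    "1002": {"owner": "bob", "balance": 80.0},
}

# session_id -> {"user": ..., "csrf": ...}; filled in by login()
SESSIONS = {}


def login(user):
    """Create a session and a random per-session CSRF token for the user."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def view_account_unchecked(session_id, account_id):
    """The flawed pattern: any logged-in user can read any account simply
    by changing the account id in the request (an authorization bypass)."""
    if session_id not in SESSIONS:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, acct


def view_account(session_id, account_id):
    """Hardened: the account id is never trusted on its own; the server
    checks that the session's user actually owns that account."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    # Same response whether the account is missing or belongs to someone
    # else, so the id space cannot be enumerated from the status code.
    if acct is None or acct["owner"] != sess["user"]:
        return 403, None
    return 200, acct


def withdraw(session_id, csrf_token, account_id, amount):
    """State-changing request: the browser sends the session cookie
    automatically, so a cross-site form post would carry it too. The
    per-session CSRF token in the request body is what the attacker's
    page cannot read, so it is required in addition to ownership."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401
    if csrf_token is None or not hmac.compare_digest(csrf_token, sess["csrf"]):
        return 403  # missing or wrong token: reject before any side effect
    status, acct = view_account(session_id, account_id)
    if status != 200:
        return status
    if amount <= 0 or amount > acct["balance"]:
        return 400
    acct["balance"] -= amount
    return 200


if __name__ == "__main__":
    sid = login("alice")
    print(view_account_unchecked(sid, "1002"))  # (200, bob's account): the flaw
    print(view_account(sid, "1002"))            # (403, None): fixed
    print(withdraw(sid, None, "1001", 10))      # 403: no CSRF token
    print(withdraw(sid, SESSIONS[sid]["csrf"], "1001", 10))  # 200
```

The `compare_digest` call is a constant-time comparison so the token check does not leak timing information; in a real framework the token would be tied to the session cookie exactly as it is here, and the ownership check would be a `WHERE owner = :user` clause rather than a dictionary lookup.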