kjj
Legendary
Offline
Activity: 1302
Merit: 1026
June 20, 2011, 01:34:28 PM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.
No, the attacker does not need the static extra secret. The brute force attack will reveal it right along with the password. All it does is make the first two attempts harder, possibly a lot harder. After that, it has no value.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
Karmicads
It's amazing how small the market is really, just 60k people. wtf.
You ain't seen nothin' yet brotha. Wait till you see how small it is in a couple of days.
finnthecelt
June 20, 2011, 02:07:22 PM
So has anyone discussed who in the HELL is this auditing company? How did they access Mt. Gox records? Do they have a database of these records off site? WTF?!?!
BubbleBoy
June 20, 2011, 02:16:00 PM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.
No, the attacker does not need the static extra secret. The brute force attack will reveal it right along with the password. All it does is make the first two attempts harder, possibly a lot harder. After that, it has no value.
Maybe 2^128 harder, for a 128 bit static salt? Therefore making the first two brute force attempts practically impossible? Therefore requiring knowledge of the static salt stored in a source configuration file, in order to crack the hashes in the database? Yes, that's precisely my point.
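To make the two positions above concrete, here is an added example (not code from any poster or from Mt. Gox) of a per-user salt in the database plus a static secret kept only in source or config; `PEPPER`, the sample passwords and the wordlist are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed 128-bit static secret (the "static salt" in the thread, usually
# called a pepper). It lives in the application's source or config, never in the DB.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """HMAC keyed with the pepper over salt || password.

    The database row stores only (salt, digest); the pepper is the HMAC key.
    """
    return hmac.new(pepper, salt + password.encode("utf-8"), hashlib.sha256).digest()


def make_record(password: str) -> tuple[bytes, bytes]:
    """What the database would hold for one user: a random per-user salt and the digest."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt, PEPPER)


def dictionary_matches(records, candidates, pepper_guess: bytes) -> int:
    """Count stored digests a dictionary check can reproduce using pepper_guess.

    Models the two situations the thread argues about:
      * database only     -> no pepper, so no candidate ever verifies
      * database + source -> correct pepper known, weak passwords verify at
        one HMAC per guess, the same cost as if there were no pepper at all
    """
    matched = 0
    for salt, digest in records:
        for cand in candidates:
            if hmac.compare_digest(hash_password(cand, salt, pepper_guess), digest):
                matched += 1
                break
    return matched


# Constructed sample data: two weak passwords and a tiny wordlist that contains them.
RECORDS = [make_record("password"), make_record("letmein")]
WORDLIST = ["123456", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    print("db only    :", dictionary_matches(RECORDS, WORDLIST, bytes(16)))  # 0
    print("db + source:", dictionary_matches(RECORDS, WORDLIST, PEPPER))     # 2
```

Once the static secret is known the check costs one HMAC per guess, which is why it adds nothing against brute force beyond shutting out a database-only attacker; only a deliberately slow password hash raises that per-guess cost.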
manifold
Newbie
Offline
Activity: 62
Merit: 0
June 20, 2011, 03:26:18 PM
Well, I'm lucky... I never traded on mtgox AND I used a random password (only for mtgox...)... puh...
Does anyone know how fast such a password hash can be broken?
manifold
Newbie
Offline
Activity: 62
Merit: 0
June 20, 2011, 03:34:46 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment... http://bit.ly/kE3Q4D
[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...] I can't believe that.
This is completely against every privacy consideration that this file is openly distributed.
Honestly, I think it wasn't bad. Now everyone knows exactly how much info the attacker had. And if that database would be of any use (except for the emails) any more, then mtgox hasn't done a complete reset of the passwords. And if someone used the password on multiple accounts, they get a really good kick in the ass to change them. Before that, you could make yourself believe that your password doesn't need to be changed.
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 05:48:57 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?
If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link. I believe that this shouldn't be kept secret, it is a P2P currency.
myrkul
June 20, 2011, 05:54:12 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?
If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link. I believe that this shouldn't be kept secret, it is a P2P currency.
Srsly. Here, let me illustrate: OMG! All my horses have escaped! Why is the barn door still open?!?
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 05:55:54 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?
If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link. I believe that this shouldn't be kept secret, it is a P2P currency.
Srsly. Here, let me illustrate: OMG! All my horses have escaped! Why is the barn door still open?!?
To freshen the air, of course.
Montpelerin
Newbie
Offline
Activity: 16
Merit: 0
June 20, 2011, 06:05:38 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 06:07:09 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
myrkul
June 20, 2011, 06:14:52 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 06:15:47 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983
phelix
Legendary
Offline
Activity: 1708
Merit: 1020
June 20, 2011, 06:33:04 PM
This information is important. I'm just trying to get it out to everyone as quickly as possible. Sorry if I'm repeating myself, but there are so many threads on this same topic.. I don't want anyone to miss it. Today at 2pm ET we'll be interviewing LIVE.... the man behind the $5,000,000 trade.... ... The man who bought the Bitcoin at $0.01 each....
Then later this evening, at 10pm ET, we will have Mark Karpeles, the owner of MtGox... personally ... LIVE ... to answer all of your questions in the Chatroom.
First I thought this was spam, but now that I watch the show... the show is OK, but what really is hilarious is the chatroom.
myrkul
June 20, 2011, 06:35:46 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983
Awesome. Google living up to their motto. On a related note, my spam has not increased significantly. I did get the tradehill spam twice, though the second one was filtered. I think I have gotten one that can be directly attributed to the list leak: a financial services offer (Really? Loans by email? Who is that dumb?)
Nescio
Jr. Member
Offline
Activity: 56
Merit: 1
June 21, 2011, 03:30:35 AM
Srsly. Here, let me illustrate:
OMG! All my horses have escaped! Why is the barn door still open?!?
Bad analogy. Correct analogy: OMG, all my horses have escaped and they had the combination to the safe tattooed on their back. Someone copied those numbers and it's in a few newspapers now. But thank god the barn door is closed and my horses are back inside, now I can sleep well again. Seriously?