Poll: Rollback, No Rollback?

[Nescio]

Mt. Gox doesn't want to admit that it was a hack. Their official statement is:

• It was only ONE account hacked.
• Their systems weren't compromised, they weren't hacked.
• Their userbase was leaked, but it is not related to the market crash.

This may be down to misinterpretation and miscommunication. Or down to lack of knowledge. I'm speculating that BTC balances from multiple accounts can be pooled within Mt. Gox, but have no idea if this is true or not. If they have some kind of internal representation, it could be. If not, we should see a lot of pooling into an ever growing account in the blockchain. They might also have an administrative account that has a 'view' on all accounts' BTC pooled together for automatic backup purposes or similar. If this one was hacked, then their statement makes sense. If it was one big account by a third party after all, they could shaft this user and get away without major losses, after all if the password was reversed from a hash, it must have been weak. Then again, they are still responsible for securing their db, be it at an auditor or not.

[1715461501]

1715461501

[1715461501]

1715461501

[1715461501]

1715461501

[1715461501]

1715461501

[bitsalame]

Huge Bitcoin sell off due to a compromised account - rollback
 
The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).

One account with a lot of coins was compromised[/b] and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.

According to MtGox: No other accounts were compromised, so there weren't pooled either. Only one account got compromised.
I take it with a grain of salt, for my ears, it is all bullshit.

[MikesMechanix]

Someone in the other thread got 3000 passwords in an hour with a GPU.

It was 300 IIRC. There's a file in pastebin with some 600 passwords, cracked by people who specialize in cracking passwords. I wouldn't expect that number to grow much from there.

md5 of a weak password is trivial to break, with or without salt. Most of that is the user's own damn fault, some used the same password as account name, even the same password for their E-mail, how dumb can you be?

The Unix MD5 scheme isn't the same as "md5 with salt". Yes, trivial passwords are trivial, but the Unix MD5 scheme in its current form is considered secure. It's computationally quite a bit more expensive than a single round of MD5, which itself is fairly secure despite some known collision attacks, and with current technology, the predicted age of the universe isn't enough to crack a sufficiently long and complex non-dictionary password. Basically, you are looking at thousands of years of difficulty on average somewhere around 12 alphanumeric characters (uppercase+lowercase).

What is most likely to have happened is this: the BTC balance of several thousand accounts was transferred to one account. This can be scripted to either log in via https or whatever, or more likely to use the trading API (faster).

And this would have shown on the trade charts, so it is not likely. The hacker also presumably didn't have write access to the database.

How about these for the likeliest scenarios:
1. It is someone who wants to remain anonymous and is only communicating with MtGox. In my experience, rich people often like to keep low profile.
2. It was MtGox's own account where all the fees had been collected.
3. It was the account of an early adopter, who stopped following bitcoin before it was worth anything, and is completely unaware of what's happening.

The reason for rolling back would be to protect people who do automatic trading who don't have protection for something crazy like this. Your own damn fault too, but they could sue Mt. Gox for the breach.

The reason for rolling back is because the sale was the direct result of a lapse in MtGox's security practices. If the hacker had indeed just guessed a weak password, I doubt they would be rolling back.

[FlipPro]

Dude! We're talking about 9 million bucks here. Surely these last months MtGox made some money, but still isn't Microsoft or Google. Doubt they can cover the expenses.

I seriously believe that the only account being compromised is Mt.Gox's.

See the psychological side here:
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.
Anyone would be twitting about it, shouting about it, ranting about it, talking to the press, talking shit about Mt.Gox, and blaming God, the Devil, the Archangels and cursing his own mother.

This is the critical factor I consider since I am a psychology major I am way more attentive on behavioral cues.
It is totally abnormal this silence from the account owner.
Either this user doesn't exist or he is a Buddhist monk with the lowest neuroticism level in the history of mankind.

According to Mt.Gox 500,000 BTC were stolen from ONE account, and that not only is highly implausible, but seeing the calmness of that supposed owner I rather believing that that owner is non-existent.
The only one going bananas is Mt.Gox. Obviously you can claim Mt. Gox is simply protecting the credibility of his exchange site, but what is really interesting is that he insists on reverting back when actually there are other options.

Why would an exchange protect the interests of only ONE user? When account got hacked in the past MtGox took some of the heavy lifting and reimbursed partially to the hacked user, never reverted back a whole history of transactions.
Also why is MtGox so adamant in defending this single affected user?

If that doesn't make sense then, we have three options left:
1) The REAL Account Owner: The hacked account "single user" account are Mt.Gox's or it belongs to someone closely related to Mt.Gox.
2) The PWNAGE Cover Up:The "single user account" is a cover story to hide the fact that actually the site got compromised much deeper than they are willing to admit. (loss of credibility would be the death of Mt.Gox)
If the auditor/attacker got access to the passwd file, he could have cracked hundred of accounts in hours.
I am currently testing that idea out, I've been trying to crack the hashes for 3 hours and I neared 600 accounts cracked, all of them from salted hashes and weak passwords. A simple script could have siphoned all the bitcoins out when the attack wasn't yet detected (maybe salami sliced, that's why nobody really noticed any thievery).
The worst case scenario is that the attacker has been in control of the site from a long time and he actually didn't need to crack any password, he simply got them all in plaintext.
3) The STOOPID Cover Up: We can never leave out the most stupid causes, since stupid mistakes happens everytime, maybe it was a typing mistake, a new employee, a girlfriend playing with the admin panel, etc...

These three possibilities makes Mt.Gox's claims understandable, it would be humilliating and his credibility would be completely stained forever. He wouldn't be able to admit such stupid mistakes.

But one thing is definitive: The single hacked user account makes NO SENSE AT ALL.

(Spin-off in a new thread)

Lay off the weed bro.

[Nescio]

Someone in the other thread got 3000 passwords in an hour with a GPU.

It was 300 IIRC. There's a file in pastebin with some 600 passwords, cracked by people who specialize in cracking passwords. I wouldn't expect that number to grow much from there.

I quote:
"The salted crypt() hashes are more difficult to crack but so far I have found 2706 out of 59236 passwords of the database by just one hour GPU dictionary-based cracking."

Granted, dictionary based, but still.

How about these for the likeliest scenarios:
1. It is someone who wants to remain anonymous and is only communicating with MtGox. In my experience, rich people often like to keep low profile.
2. It was MtGox's own account where all the fees had been collected.
3. It was the account of an early adopter, who stopped following bitcoin before it was worth anything, and is completely unaware of what's happening.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.
The first one is very unlikely too. Who in their right minds keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks. Could be on holiday too I guess, but again extremely unlikely.

The most likely of those three therefore would be 2. I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.

[d.james]

Mark my words:

Mt.Gox will get rolled
proof: http://www.youtube.com/watch?v=dQw4w9WgXcQ

[MikesMechanix]

Granted, dictionary based, but still.

Ok, had missed that.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.

I still think it's a simpler explanation than the other suggested scenarios.

The first one is very unlikely too. Who in their right minds keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks. Could be on holiday too I guess, but again extremely unlikely.

I could easily see someone thinking that their coins are more safe at an exchange than in the unencrypted wallet.dat on a Windows computer. And normally, they probably are.

And people do use weak passwords. I've seen managers in large companies use their dogs' names as passwords, literally putting millions of $ at risk.

I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.

To me this just somehow doesn't seem plausible. Just too many assumptions - the internal mechanism must exist; the hacker needs to gain access to it; the hacker needs to learn how to use it within a relatively short time frame; he'd need to have come up with the elaborate scheme of invisibly moving them in the first place, etc.

The explanation of someone just stumbling upon a large amount of BTC and going "ooh geewiz, I'm a gonna sell deez and I'll be rich!!$$!!$" or "lulz, sell, sell ,sell!!! tango down!" are just so much simpler.

[bitsalame]

Granted, dictionary based, but still.

Ok, had missed that.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.

I still think it's a simpler explanation than the other suggested scenarios.

The first one is very unlikely too. Who in their right minds keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks. Could be on holiday too I guess, but again extremely unlikely.

I could easily see someone thinking that their coins are more safe at an exchange than in the unencrypted wallet.dat on a Windows computer. And normally, they probably are.

And people do use weak passwords. I've seen managers in large companies use their dogs' names as passwords, literally putting millions of $ at risk.

I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.

To me this just somehow doesn't seem plausible. Just too many assumptions - the internal mechanism must exist; the hacker needs to gain access to it; the hacker needs to learn how to use it within a relatively short time frame; he'd need to have come up with the elaborate scheme of invisibly moving them in the first place, etc.

The explanation of someone just stumbling upon a large amount of BTC and going "ooh geewiz, I'm a gonna sell deez and I'll be rich!!$$!!$" or "lulz, sell, sell ,sell!!! tango down!" are just so much simpler.

500,000 bitcoins stored online? In a buggy website?
I don't think so.
And after the pilferage, nothing says nothing?

I am not trying to deduce the real causes or what might have happened.
What I am trying to think is that whatever the plausible scenario is: it keeps showing that the official statement from mtgox makes no sense. They keep lying, and they don't want to take responsibility of what happened here.

[Horkabork]

The true mark of conspiracy paranoia is when someone is given more evidence that their perspective is erroneous and, rather than reevaluate their thinking in light of this new information, they strengthen their belief in the conspiracy and attach a corollary that the conspiracy must be even more true because now the enemy is trying to present false evidence.

Oh man guys, and now they're sending people in to make fun of the loony conspiracy theorists. Will the lies ever stop? This shit just gets deeper and deeper!

Oh lord. I think Mt. Gox is reading my mind. I swear they were following me today and a crow went by my window and said "caw" but I think it actually said "gox". Was it a real crow or a malfunctioning spy drone? I DEMAND ANSWERS, MAGICALTUX. I'M ON TO YOU.

If you don't answer me about these crow drones that people potentially besides myself are posting about, then you are hiding something.

[Horkabork]

Aha. See? Silence from MagicalTux. That just proves that I'm right.

[hazek]

mtgox can do what ever they want, they own the exchange, they alone have the authority.

BUT:

People who like it can reward them by staying and continuing to pay a commission on trades to them, people who don't can punish them by leaving and taking their commissions to some place else.


Let the free market decide.

[FlipPro]

mtgox can do what ever they want, they own the exchange, they alone have the authority.

BUT:

People who like it can reward them by staying and continuing to pay a commission on trades to them, people who don't can punish them by leaving and taking their commissions to some place else.


Let the free market decide.

Thats the best argument I have heard. Everyone needs to "Just Let The Markets Decide". The problem is that people think that even if an exchanger goes under all of a sudden all the coins that we have worked so hard for to legitimize/produce, are all of a sudden worthless, cause some clowns decided to go after mtgox? Are these people fucking crazy? Excuse my french..

[bitsalame]

mtgox can do what ever they want, they own the exchange, they alone have the authority.

BUT:

People who like it can reward them by staying and continuing to pay a commission on trades to them, people who don't can punish them by leaving and taking their commissions to some place else.


Let the free market decide.

We are the market. And according to the survey, a huge majority is okay with the rollovers.
What I learned from practice is that democracy is beautiful in concept but totally stupid in practice.
If we set up password policy applying democracy, the password selected would be "123456"... which in fact it is the #1 preferred password in MtGox.

What do I mean with it? We can't rely on the masses, they are stupid.
The market isn't efficient (i am talking about efficiency in the economical sense).

[biovitamka19761]

energetic