all my coins gone today, sucks

[Dirt Rider]

MtGox sent out emails to everyone about the password...

I didn't receive an email and I can see from the released CSV of accounts that my email is correct.

Anyone who thinks that EVERYONE in the world has the patience and tollerence to monitor these forums on a daily basis, with all the bull shit and meaningless crap and know-it-all views of idiots, is pretty foolish in my opinion.  For every 30 minutes I spend reading posts in this forum, 1 minute is worth while and the other 29 minutes I feel like looking for a tall bridge.

I think it is quite concievable that there are many out there who know of bitcoin, have used bitcoin, but still haven't heard any word of the recent events spanning the past few days.

[1714077105]

1714077105

[fascistmuffin]

I don't feel sorry for anyone who didn't change email and/or password. It's not like every bitcoin related site has the hack news posted on it asking you to change your passwords.

[Mousepotato]

I too have a new, separate, never-networked computer just for creating and encrypting new wallets.  Balance can be checked at Block Explorer.

Wait, how does this work?  Suppose I move my wallet over to an un-networked computer.  When I do a BTC disbursement from my pool's website, how will my wallet know about it?  Do the funds get put into my wallet the next time my computer goes online?

[GeniuSxBoY]

I didn't receive an email and I can see from the released CSV of accounts that my email is correct.

Look in your spam folder.


It'll be right under the 10 tradehill spam mails.

[ryepdx]

Wait, how does this work?  Suppose I move my wallet over to an un-networked computer.  When I do a BTC disbursement from my pool's website, how will my wallet know about it?  Do the funds get put into my wallet the next time my computer goes online?

Your wallet doesn't actually hold any bitcoins. Rather, it's a private key used to sign transactions from the addresses you own. You only need your wallet in order to send bitcoins. You can send all your bitcoins to a bitcoin address belonging to an offline wallet and they'll show up in your client when you finally put that wallet online, after the client catches up with the blockchain. You can also check the balance of the address you sent to via Block Explorer, as mentioned previously in this thread.

Edit:
This whole "wallet" analogy, though intuitive, is proving super-confusing to people when they start trying to dig into the details. It seems like that confusion is starting to have security ramifications. Either we need to embark on a massive education campaign or we need to get some user-friendly security features built into the official client ASAP. Or else put together some sort of easy-to-use Bitcoin-branded tool for people to stand in the gap until such features make it into the official client.

[flug]

90% of the damn sites that use bitcoin were coded by a bunch of chumps that don't know WTF they are doing.

+1

The current sites are more like prototypes of the kinds of services that need to be developed

There are massive opportunities out there right now for people who understand enterprise systems, security, banking, etc

[Mousepotato]

Wait, how does this work?  Suppose I move my wallet over to an un-networked computer.  When I do a BTC disbursement from my pool's website, how will my wallet know about it?  Do the funds get put into my wallet the next time my computer goes online?

Your wallet doesn't actually hold any bitcoins. Rather, it's a private key used to sign transactions from the addresses you own. You only need your wallet in order to send bitcoins. You can send all your bitcoins to a bitcoin address belonging to an offline wallet and they'll show up in your client when you finally put that wallet online, after the client catches up with the blockchain. You can also check the balance of the address you sent to via Block Explorer, as mentioned previously in this thread.

Edit:
This whole "wallet" analogy, though intuitive, is proving super-confusing to people when they start trying to dig into the details. It seems like that confusion is starting to have security ramifications. Either we need to embark on a massive education campaign or we need to get some user-friendly security features built into the official client ASAP. Or else put together some sort of easy-to-use Bitcoin-branded tool for people to stand in the gap until such features make it into the official client.

Ahhh, now I get it.  You're right about the wallet analogy. I was mistakenly thinking it was an actual repository for my BTC   Thanks for the explanation.

[Jblox]

Mine went to that same address, luckily I only had 0.01 BTC in MyBitcoin.

[jerfelix]

Ahhh, now I get it.  You're right about the wallet analogy. I was mistakenly thinking it was an actual repository for my BTC   Thanks for the explanation.

I like to explain it this way:  The block chain is a ledger, shared on many computers, keeping track of numerous accounts and their current balance.  Your wallet file proves that you are the owner of particular accounts.

[Bitonetta]

While I feel bad for the people with stolen coins, but come-on ...really?

Same password on multiple sites.  *one*
Bells should have been going off as soon as it was rumoured user/pass was leaked. *two*
Confirmed list was leaked and still not changing user/pass for days.  *sorry, that's too much*

If the thief took place this morning there was plenty of time to fix this.

[hawks5999]

Whoever is stealing these coins is making a big mistake.

They could be doubling their haul if they sent those coins to a Double Trouble game address.

[Bunghole]

For me, it helps to think of the wallet file as a set of the following:
1. A Bitcoin address
2. A public key
3. A private key

The first two are public, but the third is like a very long password and needs to guarded as such.

Any one wallet can contain many sets of the listed 3 items.  But if all you do is create one offline, send coins to it, and verify the balance with Block Explorer, then you are only using one set.

[Freakin]

While I feel bad for the people with stolen coins, but come-on ...really?

Same password on multiple sites.  *one*
Bells should have been going off as soon as it was rumoured user/pass was leaked. *two*
Confirmed list was leaked and still not changing user/pass for days.  *sorry, that's too much*

If the thief took place this morning there was plenty of time to fix this.

Completely agree.

Within an hour of the password list being leaked I changed the following

1) password manager password
2) facebook + enabled cell phone verification
3) email
4) NTLM
5) backblaze + encryption
6) paypal/bank without 2-factor

My secure Gox password wasn't even used on any of those sites.

All sites got a new 14+ character w/ all 4 groups.

Seriously don't fuck around with your security/identity.  You can't put the cat back in the bag and you've got an uphill battle if important accounts are compromised.

[Elanzer]

While I feel bad for the people with stolen coins, but come-on ...really?

Same password on multiple sites.  *one*
Bells should have been going off as soon as it was rumoured user/pass was leaked. *two*
Confirmed list was leaked and still not changing user/pass for days.  *sorry, that's too much*

If the thief took place this morning there was plenty of time to fix this.

1. Yes, it was stupid. I have several different passwords, the password I used for mybitcoin and mtgox was my "junk" password, while I was dabbling with mtgox. Anything financial or important has it's own unique password, but as I do not use a password manager I won't create a unique PW for a site that I will rarely, if ever use again. I never thought to change it after bitcoin became valuable to me.

2. My bitcoins left my account less than 24 hours after this notice went out. I went to bed on Sunday without receiving the email that something was wrong with mtgox during that day, I woke up Monday, went to work in a rush without checking my email, came home and saw the email, checked mybitcoin, and my coins were gone.

3. See above.


I don't live on the forums, nor do I regularly look at news sites, nor do I have a smartphone with mobile broadband to check email with. I do not have a TV so I would not have seen it on news. The only hint I had was that email, and by the time I actually got it, the account was already long compromised. Not everyone who is an advocate of bitcoin actually keeps up with the news on it. It really is boring to me because it will take a long time for bitcoin to become anything more than it's current effective status of "encrypted/untraceable USD funds", so I only check up on this stuff once every couple weeks.

Is it my fault? Ofcourse, in multiple ways it is. The password thing is one obvious one. The other is relying on a service to maintain it's security in exchange of my FEE PAYMENTS for them to uphold their service. The fee mtgox charges on exchanges is obviously to pay the person operating the exchange, in a way they are responsible to maintain their service's security. Since they didn't uphold proper service, scammers have made way with several hundred thousand dollars from the common users, regardless of the method achieved. It's like saying Sony isn't to blame for several people's credit cards being compromised and charged through the roof, and instead is the user's problem for not cancelling their credit card the very instant the news broke ice. Sony didn't uphold proper service, and caused the problem to happen regardless. Lots of people simply didn't even get the news of Sony being compromised, or thought it didn't effect them because they haven't used sony's services for many years, or forgot the one time they lent the nephew the credit card to buy some DLC or some crap when he was staying the night.

[Lars]

I can see why people who are new to BTC use the online wallet hosting sites to play around with the system, but why on earth would you leave almost $100k worth of BTC in the hands of some random website? Theese are not safe financial institutions, you have no guarantee that they have any measures in place to keep your money safe. You don't even know who is behind the site. For all we know they might just pack up and disappear with all the deposited BTC once the combined total reaches a certain ammount.

Would you put $100k in a suitcase and give it to a stranger you met on the bus for safekeeping?

[tonto]

My 2BTC are still in mybitcoin acct
Very different password thanks to keepassx.org

something like
K*=7}%Z9&t`Pb$QN

I have lost coins in different ways through loans and poker but there were no passwords to crack, just my mind-

I wanted to recommend keepassx as that has simplified the handling of passwords in my life-

Just something to keep in mind - the length of the password may be more important than the complexity of it.

"K*=7}%Z9&t`Pb$QN" would be cracked way before something like "Th1sismyDumbP@ssword" (16 vs 20 characters).

It is still important to try and use a unique password for each site (in case it is cracked or some idiot is storing them in plain text), but you do not have to make it overly complex!

 
 
Your statement is only true if they're trying to crack using every possible character.  Otherwise if they're trying to crack leaving out lesser known characters, then no, the smaller password would be the more secure password in this instance.
 
Again I agree you're correct if they're using the exact same set of characters for brute-force... but some crackers may use less character to speed up their brute force attack if they're trying to get simpler/faster results.
 
here's an example.  Let's say I use 16 characters, but with 20 possible characters, it's a better password than someone who used a set of 20 characters with a set of 19 possible characters.
 
1208925819614629174706176   
vs
5242880000000000000000000

[nakedman]

Same thing happened to me and I don't even have an mtgox account.

What can be done to this?

[phenom]

Why are you using an eWallet service? That's fucking insanity. I'm so angry at you right now.

[GeniuSxBoY]

First, the general public has to succumb to the fact that you're not an idiot and that mybitcoin's database was actually hacked.

[SmokeAndMirrors]

Which again raises the question why. The. Fuck. This. Wasn't. Detected.

You haven't figured it out yet?

90% of the damn sites that use bitcoin were coded by a bunch of chumps that don't know WTF they are doing.

Our head media spokesperson, who supposedly owns a TV studio, can't even figure out how to livestream a webcam or get a skype conference call working. That TV show was terrible. It took they 20 minutes to get the mics working and the camera display stayed on the whole show.

Major wallet and exchange sites have poorly slapped together code by people that have obviously never coded sites that need high security before. The Trade Hill people didn't have answers to basic questions.

The gambling sites look like they were drawn by 3rd graders with crayon and CSS . Some of them don't offer regular rules/odds, others don't calculate bets right, and others are most certainly scams.

The few merchant sites that are up are slapped together storefronts.

Bitcoin got too big, too quick, and every 1st semester CS student or person with an Elance account thought they could throw together a site and get rich off of it. Now the community is paying the price.

All hail the creative destruction of a free market.

Seems as though people are trying to create these sites as a way to put their foot in the door for when they've actually got some knowledge/funds to code a half decent, secured website. Everyone with some php/html/sql knowledge seems to be attempting this. That funny thing is, regardless of how shitty these sites are, a lot of them are actually profiting. Especially the crayon gambling sites.