Bitcoin Forum
Author Topic: [Full Disclosure] More likely MtGox Post-Mortem  (Read 22177 times)
jrmithdobbs (OP)
Newbie
*
Offline Offline

Activity: 67
Merit: 0


View Profile
June 21, 2011, 04:35:20 AM
Last edit: June 21, 2011, 05:24:11 AM by jrmithdobbs
 #1

More full disclosure! More fun!

I have two independent sources claiming known SQLi vulnerabilities in MtGox.

One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.

The details follow in these chat logs. POC for the referenced xss+csrf is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.

It has also been found that MtGox exposes its admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted through it will throw permission errors. Once again, this cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin

MagicalTux, now that you have claimed "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked," please respond. The truth this time.

MagicalTux's official response at the time of this writing is also attached. It is available at:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

These logs are not modified except for users' hostmasks, at their request, due to MagicalTux's newfound policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.

Mirrors:
http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
http://privatepaste.com/47a50cab5b (sig)
http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
http://privatepaste.com/e4bacfae37 (PovAddict log)
http://privatepaste.com/9dc5daf8a0 (sig)
http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
http://privatepaste.com/6dad3927d6 (XSS + CSRF)
http://privatepaste.com/45e5aa0d30 (sig)
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
http://www.mediafire.com/?uv7be34198pseoo (sig)

f-d: http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081582.html
Message is awaiting approval on bitcoin-list and bitcoin-development lists.

Edit: sourceforge list link (attachment-less reply)
http://sourceforge.net/mailarchive/forum.php?thread_name=D091767C-EF92-4B63-9C29-924F32AE34D7%40jrbobdobbs.org&forum_name=bitcoin-development
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4172
Merit: 8419



View Profile WWW
June 21, 2011, 04:44:33 AM
 #2

Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.
jrmithdobbs (OP)
Newbie
*
Offline Offline

Activity: 67
Merit: 0


View Profile
June 21, 2011, 04:50:05 AM
 #3

Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.


Whoops, forgot to add that. Added to f-d thread.
chuckypalumbo
Full Member
***
Offline Offline

Activity: 148
Merit: 100


View Profile
June 21, 2011, 04:54:41 AM
 #4

Not mentioned here is the fact that dozens of MTGOX hashed passwords were quietly disclosed on a hash cracking forum on Fri Jun 17, 2011 5:21 am
(http://forum.insidepro.com/viewtopic.php?t=9124&postdays=0&postorder=asc&start=75&sid=1a9e31567fe815c0eea63c40c39fb707 post by "georgeclooney")

Since the overwhelming majority but not all of the hashes match the mtgox database that was posted on this forum (now deleted) and elsewhere I suspect that this post may have been generated from an earlier dump than was disclosed on the forums and everywhere else after the big event.

This appears to be significantly ahead of the prior claimed breach, and is consistent with the great many other mtgox users claiming that their accounts were robbed prior to the big event on Sunday, which I believe would have been too early to be results of the mtgox database leak according to the official timeline re: auditor compromise.


Jesus Christ.....
Phil21
Full Member
***
Offline Offline

Activity: 155
Merit: 100


View Profile
June 21, 2011, 05:02:58 AM
 #5

People should read this.  All of it, even if it's boring to you.

This is what professional security teams do.  They do not blame their users for a hack that didn't happen in the first place (read: a user's account password being compromised likely was NOT the 500k selloff - at least by itself)

As I said in previous posts, the truth will come out one way or the other.  MT claiming his site is "safe" pretty much was the writing on the wall in that regard Smiley

I've made plenty of stupid ass security mistakes I'm completely embarrassed to admit to.  However, I've also admitted my mistakes and made conscious efforts to improve whenever I learn about something new.

joepie91
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


View Profile
June 21, 2011, 05:06:25 AM
 #6

I told you so...

Hook^
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 21, 2011, 05:16:47 AM
 #7

I told you so...
Speak up, I can't hear you.
nhodges
Sr. Member
****
Offline Offline

Activity: 322
Merit: 251


View Profile
June 21, 2011, 05:20:59 AM
 #8

I think this is just the icing on the cake, but now there is no allegation of scandal at Mt. Gox, it is fact.

dana.powers
Newbie
*
Offline Offline

Activity: 21
Merit: 0


View Profile
June 21, 2011, 05:23:49 AM
 #9

Thank you for posting.  The theory seems credible and is, at the least, a very interesting read.

Question: what was the purpose of https://mtgox.com/claim ?
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 05:24:28 AM
 #10

I think this is just the icing on the cake, but now there is no allegation of scandal at Mt. Gox, it is fact.

Fact?
What are his two independent sources, and why can they be trusted?
Exactly how do the posted links prove anything, in plain, simple English so everyone can understand, please?

Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 05:25:59 AM
 #11

Thank you for posting.  The theory seems credible and is, at the least, a very interesting read.

Question: what was the purpose of https://mtgox.com/claim ?

Claim = Re-claim Your account.
Verify your email and change your password.

niemivh
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
June 21, 2011, 05:26:28 AM
 #12

Praise god I only have a little of my BTC on MtGox.

I guess this teaches us not to all use 1 centralized site that used to sell Magic the Gathering cards.

We need about a dozen exchanges each with robust security and FDIC insurance.

 Cheesy

brunner
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
June 21, 2011, 05:29:57 AM
 #13

I agree that everyone should read this.

So, assuming the one 'user' with 500k BTC was MagicalTux, or someone close to him:

1) Gox launches with swiss cheese for security
2) Gox ignores all warning about being vulnerable, and continues to tell users they're safe
3) Gox gets hacked
4) Magical Tux's BTC gets sold for pennies
5) Magical Tux wants to roll back the transactions to get his bitcoin back

Am I missing something?
Hook^
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 21, 2011, 05:33:03 AM
 #14

I agree that everyone should read this.

So, assuming the one 'user' with 500k BTC was MagicalTux, or someone close to him:

1) Gox launches with swiss cheese for security
2) Gox ignores all warning about being vulnerable, and continues to tell users they're safe
3) Gox gets hacked
4) Magical Tux's BTC gets sold for pennies
5) Magical Tux wants to roll back the transactions to get his bitcoin back

Am I missing something?
Magical Tux probably doesn't have 500k BTC.  Perhaps everyone on the site combined would add up to 500k BTC.  I think every bitcoin on the site got liquidated.  So he is backing it out.  The problem is whether the coins got transferred out before he caught the transaction.
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 05:33:18 AM
 #15


IMO, anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

Code:
<body onload="/*document.forms['foo'].submit()*/">
<form id="foo" action="https://mtgox.com/merch/checkout" method="post" >
<input type="hidden" name="notify_url" value="http://yourdomain.com/ipn.php&quot;})}alert(1);function blah(){test({5:&quot;">
<input type="hidden" name="business" value="foobar">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Your Item Name<script>alert(1);</script>">
<input type="hidden" name="custom" value="your custom msg to yourself&quot;})}alert(1);function blah(){test({5:&quot;" >
<input type="hidden" name="amount" value="10.30">
<input type="hidden" name="return" value="http://yourdomain.com/thanks">
<!--<input type="hidden" name="return" value="http://yourdomain.com/thanks&quot;;}alert(1);</script><script>">-->
<input type="submit" value="Pay with Mt Gox" />
</form>


If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

Bind
Sr. Member
****
Offline Offline

Activity: 385
Merit: 250



View Profile
June 21, 2011, 05:44:27 AM
 #16

... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

The only reason I raise that possibility is because, by their own admission, they checked out all the major bitcoin sites and exchanges for vulnerabilities, and said nothing good or bad about them. Yet, they decided to zone in on TradeHill as being the best in terms of security, while neglecting to state why the others did not deserve equal mention.

Why?

If their security was so bad would it not deserve to be blasted like they did mtgox?

If they had good security would they not deserve to be mentioned like Tradehill?

Plus the request to have TradeHill removed from the logs is quite possibly a disinformation ruse to attempt to invalidate the possibility I just mentioned. (like omg, why would i ask for tradehill to be removed if i was whoring for it?)

Regardless of the truth, it will never be able to be "proven" since, even if it is all true, the holes will be plugged by the time mtgox goes live.

Which is what we all want. A more secure market. (minus the drama please)


Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 05:46:23 AM
 #17

... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.
...

Hi Bind link,
Do you know Tradehill is on shared hosting?
LOL!

jrmithdobbs (OP)
Newbie
*
Offline Offline

Activity: 67
Merit: 0


View Profile
June 21, 2011, 05:47:51 AM
 #18

... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

I do not endorse tradehill. If you read the entire log the person who made the tradehill comments asked that they be removed from the posted log. I refused. I am not a blatant hypocrite.

I do not have a tradehill account.

I do not endorse tradehill as an exchange.

I am not in any way affiliated with tradehill.

I think tradehill is bad for bitcoin because of their blatant disregard for US financial laws and dependence on third world outsourced devs working on closed source software that cannot be publicly audited.

Now that that's out of the way, back to your regularly scheduled good times!
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 05:51:34 AM
 #19

...
Now that that's out of the way, back to your regularly scheduled good times!

Please, answer the questions in post #10 and #15, or are you avoiding them?

jrmithdobbs (OP)
Newbie
*
Offline Offline

Activity: 67
Merit: 0


View Profile
June 21, 2011, 05:59:51 AM
 #20

...
Now that that's out of the way, back to your regularly scheduled good times!

Please, answer the questions in post #10 and #15, or are you avoiding them?

#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

#10 will not be responded to. If these sources wanted to be named they would have taken me up on my offer to gpg sign the logs. They are afraid of MagicalTux's blamecannon getting pointed their way.
Phil21
Full Member
***
Offline Offline

Activity: 155
Merit: 100


View Profile
June 21, 2011, 06:22:28 AM
 #21

#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

Since it appears Bit_Happy is a journalist, perhaps his question was in that frame of reference?  I'll give him the benefit of the doubt.

If that is the case, perhaps a private convo if you're willing would be appropriate, to demonstrate you actually do know what you're talking about and it's a legitimate problem.  This would assume Bit_Happy is writing an article on the topic?

Just wild assumptions, it's 1:30am Smiley
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 06:24:57 AM
 #22


IMO, anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

Code:
<body onload="/*document.forms['foo'].submit()*/">
<form id="foo" action="https://mtgox.com/merch/checkout" method="post" >
<input type="hidden" name="notify_url" value="http://yourdomain.com/ipn.php&quot;})}alert(1);function blah(){test({5:&quot;">
<input type="hidden" name="business" value="foobar">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Your Item Name<script>alert(1);</script>">
<input type="hidden" name="custom" value="your custom msg to yourself&quot;})}alert(1);function blah(){test({5:&quot;" >
<input type="hidden" name="amount" value="10.30">
<input type="hidden" name="return" value="http://yourdomain.com/thanks">
<!--<input type="hidden" name="return" value="http://yourdomain.com/thanks&quot;;}alert(1);</script><script>">-->
<input type="submit" value="Pay with Mt Gox" />
</form>


If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

The above code has a simple HTML form and uses the MtGox merchant API.

Your thread title says [Full Disclosure] and you are failing to provide answers to simple questions. Welcome to the forum, but why should we trust you on an important issue?

+ Your excuse is total BS.
White-hat hackers share exploit code to learn how to defend themselves.
Please, either prove your accusations, or admit you should Not have made the accusative post.


Edit: Some (or all) may be true.
You offered [Full Disclosure], so let's have it.   Cheesy

gentakin
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
June 21, 2011, 06:33:01 AM
 #23

Bit_Happy: That HTML code will show a form that, when submitted, sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain JavaScript code hidden in their value. MtGox had a security vulnerability that leads to printing out the JavaScript code posted to the site (embedding it into the HTML of MtGox). As such, it is possible to execute JavaScript code in the context of mtgox.com and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
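The reflection gentakin describes, as an added example (not code from this thread, from MtGox, or from the PoC's author): a checkout renderer that pastes the POSTed item_name and custom fields straight into HTML and into an inline script, beside a version that escapes each value for the context it lands in, with a stub "browser" that counts what actually executes. The script template shape (a test({5:"..."}) call) is an assumption inferred from how the PoC payload closes its string; the sample field values are the PoC's, as a browser would POST them.

```javascript
// Added example: insecure vs. context-aware rendering of POSTed merchant fields.
// Assumption: the checkout page wrapped the "custom" value in a script call of the
// form test({5:"..."}); this is inferred from the PoC payload, not taken from MtGox.

// Values as the browser would POST them: the form's &quot; entities are already
// decoded to plain double quotes. Constructed from the PoC on this page.
const POSTED_FIELDS = {
  item_name: 'Your Item Name<script>alert(1);</script>',
  custom: 'your custom msg to yourself"})}alert(1);function blah(){test({5:"',
  notify_url: 'http://yourdomain.com/ipn.php',
};

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escape for an inline-script context: JSON-encode so quotes and backslashes cannot
// end the literal, then hide '<' and '>' so a "</script>" inside the value cannot
// close the script block early.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Vulnerable renderer: raw interpolation in both contexts (what the PoC exploits).
function renderCheckoutUnsafe(f) {
  return (
    `<h1>${f.item_name}</h1>\n` +
    `<script>function init(){test({5:"${f.custom}", url:"${f.notify_url}"})}\ninit();</script>`
  );
}

// Hardened renderer: each value escaped for the context it is written into.
function renderCheckoutSafe(f) {
  return (
    `<h1>${escapeHtml(f.item_name)}</h1>\n` +
    `<script>function init(){test({5:${jsStringLiteral(f.custom)}, url:${jsStringLiteral(f.notify_url)}})}\ninit();</script>`
  );
}

// Stand-in for a browser: pull out every <script> block in the rendered page and run
// it with stubbed test()/alert() so we can count what executes and with what arguments.
function executeScripts(html) {
  const calls = { test: [], alert: [] };
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const run = new Function('test', 'alert', m[1]);
    run((arg) => calls.test.push(arg), (arg) => calls.alert.push(arg));
  }
  return calls;
}

// Render the same POSTed fields both ways and report what each page executed.
function compare(fields) {
  return {
    unsafe: executeScripts(renderCheckoutUnsafe(fields)),
    safe: executeScripts(renderCheckoutSafe(fields)),
  };
}

const demo = compare(POSTED_FIELDS);
console.log(`unsafe render: alert() ran ${demo.unsafe.alert.length} time(s)`);
console.log(`safe render:   alert() ran ${demo.safe.alert.length} time(s); ` +
  `custom delivered intact: ${demo.safe.test[0][5] === POSTED_FIELDS.custom}`);
```

The unsafe page fires alert() twice (once from the item_name script tag, once from the broken-out custom string); the hardened page fires none and hands the application the full custom string as data.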
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 06:35:40 AM
 #24

#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

Since it appears Bit_Happy is a journalist, perhaps his question was in that frame of reference?  I'll give him the benefit of the doubt.

If that is the case, perhaps a private convo if you're willing would be appropriate, to demonstrate you actually do know what you're talking about and it's a legitimate problem.  This would assume Bit_Happy is writing an article on the topic?

Just wild assumptions, it's 1:30am Smiley

Hi Phil21,
My post #22 partially answers your comments.

Also, let's take a close look at the thread title:

[Full Disclosure] == Not being provided
More likely MtGox Post-Mortem == Oh, that's a well thought out, fair, unbiased title if I ever saw one.  Roll Eyes

Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 06:37:11 AM
 #25

Bit_Happy: That HTML code will show a form that, when submitted, sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain JavaScript code hidden in their value. MtGox had a security vulnerability that leads to printing out the JavaScript code posted to the site (embedding it into the HTML of MtGox). As such, it is possible to execute JavaScript code in the context of mtgox.com and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

Savaron
Newbie
*
Offline Offline

Activity: 34
Merit: 0


View Profile
June 21, 2011, 06:42:44 AM
 #26

Bit_Happy: That HTML code will show a form that, when submitted, sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain JavaScript code hidden in their value. MtGox had a security vulnerability that leads to printing out the JavaScript code posted to the site (embedding it into the HTML of MtGox). As such, it is possible to execute JavaScript code in the context of mtgox.com and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

So just because you don't understand the code, it means everyone is blindly believing a sensational headline?
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 06:45:12 AM
 #27

Bit_Happy: That HTML code will show a form that, when submitted, sends a request to the MtGox web server. Note that some of the parameters POSTed to MtGox contain JavaScript code hidden in their value. MtGox had a security vulnerability that leads to printing out the JavaScript code posted to the site (embedding it into the HTML of MtGox). As such, it is possible to execute JavaScript code in the context of mtgox.com and, for example, steal the user's cookie for MtGox.

This specific code did probably only show some message boxes to prove that (possibly malicious) javascript was executed.

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

So just because you don't understand the code, it means everyone is blindly believing a sensational headline?


Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of PHP, but hardly any JavaScript.


...Plus, his title is BS, IMO.

Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 21, 2011, 06:47:53 AM
 #28

...duplicate post..

Jaime Frontero
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
June 21, 2011, 06:53:45 AM
 #29


Magical Tux probably doesn't have 500k BTC.  Perhaps everyone on the site combined would add up to 500k BTC.  I think every bitcoin on the site got liquidated.  So he is backing it out.  The problem is whether the coins got transferred out before he caught the transaction.


Just as an aside, this doesn't quite feel right.

There are 60k accounts, and a trading volume that was at 3M USD/day at its peak.

I'd be shocked if there were only 8% of existing Bitcoin on deposit at MtGox.

Carry on...
jrmithdobbs (OP)
Newbie
*
Offline Offline

Activity: 67
Merit: 0


View Profile
June 21, 2011, 06:56:48 AM
 #30

Update: I was mistaken in the posted logs regarding gavin's involvement with mybitcoin.com.

My apologies.

I have been informed that gavin is not involved with this service. My confusion came from his constant promotion of it.
Bind
Sr. Member
****
Offline Offline

Activity: 385
Merit: 250



View Profile
June 21, 2011, 07:02:24 AM
 #31

... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

I do not endorse tradehill. If you read the entire log the person who made the tradehill comments asked that they be removed from the posted log. I refused. I am not a blatant hypocrite.

I do not have a tradehill account.

I do not endorse tradehill as an exchange.

I am not in any way affiliated with tradehill.

I think tradehill is bad for bitcoin because of their blatant disregard for US financial laws and dependence on third world outsourced devs working on closed source software that cannot be publicly audited.

Now that that's out of the way, back to your regularly scheduled good times!

I never said you did any of those things.

I said the possibility exists just like the possibility exists that you were duped and used by the people you have blindly trusted in your not-so [Full Disclosure].

Additionally, you or your associates have a dog in this fight in some way by saying it's a Post Mortem for the exchange doing 99% of the bitcoin trading.

This leads me to further believe you want MT Gox to fail.

Again, there is no proof one way or the other... Just supposition and conjecture, wrapped in a nice thick blanket of ulterior motives and hidden agenda.



Bind
Sr. Member
****
Offline Offline

Activity: 385
Merit: 250



View Profile
June 21, 2011, 07:03:58 AM
 #32

-removed - duplicate-


Phil21
Full Member
***
Offline Offline

Activity: 155
Merit: 100


View Profile
June 21, 2011, 07:15:54 AM
 #33

Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of PHP, but hardly any JavaScript.


...Plus, his title is BS, IMO.

I was going to actually PM you re: your question, but it's been answered publicly here.  I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.  Security-type nerds are an ornery bunch :)  While I am certainly no coder, I checked a few of those links and to me all looked like legit exploits that I've commonly seen in the wild targeting my customers (day job).  While I can't say they were actively exploited, the evidence gives me pretty much 99% confidence they were.  By the time you can Google for them, it's usually been weeks or months that they have been active.

What is surprising is not that there are security vulnerabilities - every site has them, period.  It's the absolute basic "secure coding 101" type stuff that was missed, that is just mind blowing to people who can interpret the above code easily.  When you are making $30k/mo or more, I think it's a reasonable expectation to assume the very basics are handled in a professional manner.  While I'd expect this for some Fortune 500 company, I honestly did NOT expect it from a fledgling community of so-called technologists.  Especially one who had the balls in the first place to operate such an exchange!  I know if I operated MtGox, every waking moment would have been me worrying about security holes I've forgotten about.  These could have been found by any simple code scanner readily available on the market.

Other than there being no such thing as "full disclosure" (especially when a company is specifically NOT disclosing anything) I don't see how the thread title is BS at all.  This is absolutely the "more likely MtGox Post-Mortem".  It's at least *plausible* while MtGox's official explanation simply is not.

I expect more information to come to light soon as well, I have a feeling this train is just getting started from past experience.



Bit_Happy, Legendary
June 21, 2011, 07:44:13 AM
 #34

First, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

Quote
...I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.

Post #4 == Jesus Christ.....
Post #6 ==  I told you so...
^^^
No problem with those posts, but they do not really help verify the OP is legit.

Post #5 == Your (Phil21's) good advice that people read the info.

My first post* ==

Fact?
What are his two independent sources, and why can they be trusted?
Exactly how do the posted links prove anything, in plain, simple English so everyone can understand, please?
^^^

*If anyone finds that post to be an annoyance, then what can be done to help you be more tolerant?


Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of PHP, but hardly any JavaScript.


...Plus, his title is BS, IMO.

I was going to actually PM you re: your question, but it's been answered publicly here.  I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.  Security-type nerds are an ornery bunch :)  While I am certainly no coder, I checked a few of those links and to me all looked like legit exploits that I've commonly seen in the wild targeting my customers (day job).  While I can't say they were actively exploited, the evidence gives me pretty much 99% confidence they were.  By the time you can Google for them, it's usually been weeks or months that they have been active.

What is surprising is not that there are security vulnerabilities - every site has them, period.  It's the absolute basic "secure coding 101" type stuff that was missed, that is just mind blowing to people who can interpret the above code easily.  When you are making $30k/mo or more, I think it's a reasonable expectation to assume the very basics are handled in a professional manner.  While I'd expect this for some Fortune 500 company, I honestly did NOT expect it from a fledgling community of so-called technologists.  Especially one who had the balls in the first place to operate such an exchange!  I know if I operated MtGox, every waking moment would have been me worrying about security holes I've forgotten about.  These could have been found by any simple code scanner readily available on the market.

Other than there being no such thing as "full disclosure" (especially when a company is specifically NOT disclosing anything) I don't see how the thread title is BS at all.  This is absolutely the "more likely MtGox Post-Mortem".  It's at least *plausible* while MtGox's official explanation simply is not.

I expect more information to come to light soon as well, I have a feeling this train is just getting started from past experience.


Your excellent post is detailed and informative Phil21.
If my annoyance helped motivate you to write it, I'm OK with that.   :D


Phil21, Full Member
June 21, 2011, 07:55:01 AM
 #35

First, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.
Indeed sir!

Quote
*If anyone finds that post to be an annoyance, then what can be done to help you be more tolerant?
I think the first one was likely annoyance due to the fact you (apparently, due to your question) did not read the chat log.  It was explained why identities were not verified.  Unfortunate to be sure, but you really only have MT to blame for this with his asinine attack on Kevin trying to associate him with the hacker.  I know I sure as hell wouldn't identify myself if I were discussing security vulnerabilities I've admitted to testing on MtGox any longer.  I first thought this of you as well, but then noticed your sig and decided it would be a good thing to extend the benefit of the doubt here (sorry, been a long day!).  We nerd types (myself very much included) do get annoyed about having to answer questions we've already answered.  AKA your question was interpreted initially as laziness by myself, and perhaps some others - when it was actually more likely to be due diligence than anything else.

Quote
Your excellent post is detailed and informative Phil21.
If my annoyance helped motivate you to write it, I'm OK with that.   :D
Haha, I wasn't actually annoyed - my post wasn't very clear.  I actually am not a security hacker type (the folks you see discussing that in the logs), but I do happen to manage a small team of very talented folks who are.  Intelligence and computing knowledge really is the only thing generally respected by such folks (while on the Internet in "hacker" mode), and "noob" questions tend to overly annoy them when compared with the general population as a whole.  Let's just say it was a learning experience on how to best work with these types, but it's paid off in spades over time and I've met some truly exceptional individuals.

Yes, I'm generalizing.  But I think a lot of folks will agree with it!

Edit: formatting/few extra comments
Phil21, Full Member
June 21, 2011, 08:04:48 AM
 #36

Also, full-disclosure is the name of a mailing list btw, hence the thread title ;)
piuk, Hero Member
June 21, 2011, 08:10:10 AM
 #37


Herp derp, we do all our development in house.

Bit_Happy, Legendary
June 21, 2011, 08:12:32 AM
 #38

...
Yes, I'm generalizing.  But I think a lot of folks will agree with it!...

Yes agreed, you might be surprised: I really respect when (honest) people challenge me, or suggest I might be mistaken. I have a huge pool of knowledge and experience; many of the areas in my "huge pool" are shallow, not deep.

You have a great night/day Phil, and I'll probably enjoy talking with you again.   :)

db8393, Newbie
June 21, 2011, 08:27:10 AM
 #39

 Bit_Happy, you might start by learning to audit websites yourself?

Maybe if you offer a 10Btc bounty you can find a nice security professional to help explain it all to you.


At this point I would say Hackers 4   Mtgox 0

I bet MagicTux wishes he could play this card

http://gatherer.wizards.com/Pages/Card/Details.aspx?multiverseid=205022



Bit_Happy, Legendary
June 21, 2011, 08:38:38 AM
 #40

Bit_Happy, you might start by learning to audit websites yourself?

Maybe if you offer a 10Btc bounty you can find a nice security professional to help explain it all to you.

At this point I would say Hackers 4   Mtgox 0

I bet MagicTux wishes he could play this card

http://gatherer.wizards.com/Pages/Card/Details.aspx?multiverseid=205022


Hi db8393, you might start by learning the majority here is no longer hard-core geeks and programmers.
...and, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

Maybe you can offer a 10Btc bounty to someone who can explain why a thread with the title "...More likely MtGox Post-Mortem" should require me to "find a nice security professional to help explain it."   :P


Edit: I politely, yet very firmly, asked some simple questions. Should it be so hard to get easy answers?

GeniuSxBoY, Hero Member
June 21, 2011, 09:04:29 AM
 #41

To the gentlemen in the OP:


Thank you for laying this out so simply. Everything you said makes sense and you even go out of your way to authenticate and digitally sign all your statements. I can't thank you guys enough, because without you on our side, we'd still be clueless to how stupid magical tux's code was.

That said. I have a question.

I really want to get in on the fall of mt gox when it opens. How long will it take to hear from you to let us know if it passes an initial inspection?


Batouzo, Member
June 21, 2011, 10:38:38 AM
 #42


Mediafire seems to require JavaScript turned on to download the fucking text file.

Someone should paste that to normal pastebin instead of this crap
frozen, Full Member
June 21, 2011, 10:46:24 AM
 #43

We need about a dozen exchanges each with robust security and FDIC insurance.

+1 on more exchanges
+1 on robust security
-10000 on FDIC insurance

gentakin, Member
June 21, 2011, 10:53:03 AM
 #44

Someone should paste that to normal pastebin instead of this crap

It is. Right there. In the OP's post. (privatepaste. Though I'm not sure if they require JS, as I have it enabled.)

jrmithdobbs (OP), Newbie
June 21, 2011, 12:35:55 PM
 #45


Mediafire seems to require JavaScript turned on to download the fucking text file.

Someone should paste that to normal pastebin instead of this crap

Both pastebin.com and pastebin.ca were down at the time this was posted and had been for about an hour or it would have been posted there.
makomk, Hero Member
June 21, 2011, 12:51:16 PM
 #46

... Or it's all fabricated to make TradeHill look more secure in the eyes of the members of this forum.

The only reason I say that possibility is because, by their own admission, they checked out all the major bitcoin sites and exchanges for vulnerabilities, and said nothing good or bad about them. Yet, decided to zone in on TradeHill as being the best in terms of security, while neglecting to state why the others did not deserve equal mention.

Why?
Presumably because they all knew about the security issues with the other major sites and didn't feel them to be interesting enough to discuss. Several of them have been mentioned on the forum if you know where to look. Tradehill does at least look superficially security-aware for the reasons stated in the log. (I can't confirm all of it but I can confirm that they do appear to be using Django anti-CSRF middleware.)

ukbitco.in, Newbie
June 21, 2011, 01:13:25 PM
Last edit: June 21, 2011, 01:37:51 PM by ukbitco.in
 #47

I posted this in IRC last night and had some good convo with MagicalTux and various others. Currently I'm at work so don't have the logs in front of me. Please have a look and tell me if you see some error in my analysis or basic understanding! This is not an accusation of any kind, just someone trying to get to the bottom of this thing.

After the claims by MT that Kevin's behaviour was 'suspicious' I started looking at the activity logs on the market when it crashed, specifically what happened right at the turn (i.e. the rise back up from 0.01 after the sell).

MT said many, many things, some in his post and some in IRC chat.

So according to MT:

1) Kevin logged in at 5:12, just a few minutes before the market started crashing (~5:15 onwards).
2) Since he bought at 0.01 he must have placed that large bid BEFORE the market crashed...thus implicating him (after all who would place a ~$3000 bid at 0.01 unless they knew it was coming).

According to MT this makes Kevin look suspicious. But there is more useful info to consider:

4) When a BUY order is filled, the only log recorded is the time of the FILL and the time the order was PLACED gets wiped out completely. Thus Tux cannot be sure of anything really.
3) Also important to mention from MT we know that you cannot place a buy when a sell is in progress. So Kevin had to have placed that order before or after the sell, but could not have done so during.

Now check:

http://www.youtube.com/watch?v=T1X6qQt9ONg

This is a video of the market crashing live, it shows a ticker. The part we are interested in is at ~5.23 into the vid, right at the turn.

What we see are three things.

1) Orders being filled with a timecode of 13:15:xx

I guess this is the time that the mega sell order was created. Here we are seeing the order book being processed and then finally getting wiped out, 0.01 and then being emptied. This takes a long time.

2) Then notice time change. Ticker goes from 13:15:xx to 13:51:xx instantly. More than 30 minute gap!

This is when NEW buy orders start arriving, /after the sell has wiped out the book/

3) The 6th order down from the time change is *the big one* 13:51:16  0.01  261383.76

4) From there the orders start increasing in value, until the market bounces right back to $14 or so fairly sharply.


So some important questions and conclusions really. Looks very plain to me from these logs that Kevin did indeed get very lucky. He watched the market crash, prepared his bid and hit go just at the right time -> managing to get the 6th BUY order after the turn, not the first, the 6th.

>>>>>> Kevin placed the BUY order after the SELL and the crash, not before as he was accused of.

The login time does not prove anything; what is important is the time the buy order was placed. But we cannot get this from MTGox because of the log issue I've mentioned, so we must rely on our own understanding.



If we assume, as I now do, that Kevin really is innocent, then what was the motivation of the hacker? We all assumed the hacker was trying to crash the markets so he could cash out, but this clearly didn't work if Kevin is innocent!!!!

a) placing a large buy just after the crash ....

... the problem with a) is how would anyone be sure he could get the order in at the right time. We all know that MtGox is slow at the best of times and any half-decent brain would realise that after a major market event like that, the site was going to be absolutely hammered and thus impossible to reliably connect to - just as many of you here have reported.

So unless Hacker person messed this up badly, or Kevin beat him at his own game, it looks to me like they didn't have any real intention of cashing out like this..


b) placing a large buy before the crash ... (which didn't happen as the market activity ticker seems to show)

A better strategy would have been to use several other compromised accounts (if the guy had DB access, this should have been no problem) to place 0.01 BUY orders before the SELL, just at or under the equivalent $1000 USD limit. They would have been filled and if he had withdrawn the BTC very quickly he may well have gotten away with a much, much, much larger sum.

Why not do that? Was he stupid, a kid or did he just not care about the money that much and doing it for some other purpose.

In any sense Kevin does not look like a guilty party to me but a very lucky guy who now seems to think he should be entitled to keep the profits of a crime. I wonder what his mother would say.


MagicalTux: I appreciate how busy you are trying to bring MTGox back. However, a full, independent analysis of these events and the others mentioned in this thread is the only realistic way to address the concerns of your user base. Diverting attention by blaming others with very sketchy to zero evidence is absolutely not cool.


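The timing argument in the post above (login time versus placement time, and the rule that no buy is accepted while a sell is in progress) as an added Python example; this is not code from MtGox or from anyone in the thread. It shows why a log that keeps only fill times cannot decide whether the big buy was entered before or after the sell, while an append-only PLACED/FILLED event log can. The timestamps, calendar date, order id and the way the rule is encoded are constructed assumptions.

```python
"""Reconstructing when an exchange order was placed from its audit log.

Two constructed logging designs are compared on constructed sample data:
  * fill-only logging: a fill keeps only the FILLED time (the post says the
    PLACED time was wiped out on fill);
  * event logging: an append-only log keeps both PLACED and FILLED events.
The rule quoted in the post is applied: no BUY is accepted while a sell is
being matched, so placement inside the sweep window is excluded.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

Window = Tuple[datetime, datetime]   # half-open interval [start, end)


@dataclass(frozen=True)
class Event:
    ts: datetime      # time the exchange recorded the event
    kind: str         # "PLACED" or "FILLED"
    order_id: str
    side: str         # "BUY" or "SELL"
    price: float
    amount: float


def placement_windows(log: List[Event], order_id: str,
                      sweep: Window, session_start: datetime) -> List[Window]:
    """Return every interval in which `order_id` could have been placed.

    With a PLACED event the answer is exact (a zero-length window).  With
    only a FILLED event the order could have been entered any time between
    the session login and the fill, except while the sweep was running,
    which leaves up to two candidate windows.
    """
    own = [e for e in log if e.order_id == order_id]
    placed = [e for e in own if e.kind == "PLACED"]
    if placed:
        return [(placed[0].ts, placed[0].ts)]
    filled = [e for e in own if e.kind == "FILLED"]
    if not filled:
        return []                      # nothing recorded at all
    fill_ts = filled[0].ts
    sweep_start, sweep_end = sweep
    windows: List[Window] = []
    if session_start < sweep_start:    # entered before the sweep began
        windows.append((session_start, min(sweep_start, fill_ts)))
    if sweep_end <= fill_ts:           # entered after the book was emptied
        windows.append((sweep_end, fill_ts))
    return windows


def placed_before_sweep(log: List[Event], order_id: str,
                        sweep: Window, session_start: datetime) -> Optional[bool]:
    """True/False when the log decides the question, None when it cannot."""
    windows = placement_windows(log, order_id, sweep, session_start)
    if not windows:
        return None
    before = [w for w in windows if w[1] <= sweep[0]]
    after = [w for w in windows if w[0] >= sweep[1]]
    if before and not after:
        return True
    if after and not before:
        return False
    return None                        # both windows survive: undecidable


# Constructed sample data.  Clock times follow the ticker described in the
# post (fills stamped 13:15:xx, then a jump to 13:51:xx); the calendar date
# is a placeholder and the order id is made up.
def at_time(hhmmss: str) -> datetime:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2011, 6, 19, h, m, s)

LOGIN = at_time("13:12:00")                        # login a few minutes before the crash
SWEEP = (at_time("13:15:00"), at_time("13:51:00"))  # large sell being matched
BIG_BUY = ("buy-6", "BUY", 0.01, 261383.76)        # the 6th order after the turn

FILL_ONLY_LOG = [Event(at_time("13:51:16"), "FILLED", *BIG_BUY)]
EVENT_LOG = [Event(at_time("13:51:10"), "PLACED", *BIG_BUY),
             Event(at_time("13:51:16"), "FILLED", *BIG_BUY)]
EARLY_EVENT_LOG = [Event(at_time("13:13:30"), "PLACED", *BIG_BUY),
                   Event(at_time("13:51:16"), "FILLED", *BIG_BUY)]

if __name__ == "__main__":
    for name, log in [("fill-only", FILL_ONLY_LOG), ("event log", EVENT_LOG),
                      ("early placement", EARLY_EVENT_LOG)]:
        print(name, placement_windows(log, "buy-6", SWEEP, LOGIN),
              placed_before_sweep(log, "buy-6", SWEEP, LOGIN))
```

With fill-only logging both candidate windows survive and the question stays undecidable; only the event log settles it either way.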

finack, Member
June 21, 2011, 01:37:26 PM
 #48

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.

I have no connection to the poster or anyone else. But you should reconsider your attitude in my opinion. You're complaining that something wasn't explained to you in enough depth so that you could understand it. However, it was perfectly understandable to many of us. It's reasonable to ask for clarification if you don't understand and want to, but that has nothing to do with others "blindly believing a sensational headline".

People provide security disclosures of various types all the time. Some are very, very common. This XSS and the referred to SQL injections are examples of this. That means a very many people already understand the principles behind them. I'm sure you can imagine it would be very tedious to include a full explanation of each attack every time someone discusses one.  You got your explanation, you don't have to be a dick just because you don't understand something.

Also, the post is titled "Full Disclosure" because that is the name of the security mailing list it was sent to. When you send mail to that list, the subject line gets prepended to the subject you send, so that mailing list subscribers can easily identify where it came from. Don't read too much into it. See: http://seclists.org/fulldisclosure/2011/Jun/index.html
jrmithdobbs (OP), Newbie
June 21, 2011, 02:38:37 PM
 #49

More than 9 hours and still no response.

Classy.

Maybe he finally realised that he needs to seek legal counsel before mouthing off in public forums.
finnthecelt, Full Member
June 21, 2011, 04:38:27 PM
 #50

Bit_Happy, you might start by learning to audit websites yourself?

Maybe if you offer a 10Btc bounty you can find a nice security professional to help explain it all to you.


At this point I would say Hackers 4   Mtgox 0

I bet MagicTux wishes he could play this card

http://gatherer.wizards.com/Pages/Card/Details.aspx?multiverseid=205022





LOL@!@!
Bit_Happy, Legendary
June 21, 2011, 05:25:14 PM
 #51

Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.
...It's reasonable to ask for clarification if you don't understand and want to...

Yes it is reasonable, thank you.


Thanks gentakin, around here it's good to establish facts, instead of blindly believing a sensational headline.
...but that has nothing to do with others "blindly believing a sensational headline".

Misquoting the unfair, inaccurate feedback of someone else, is a waste of time, IMO.

From post #27
No it means I don't blindly believe it.


So in essence we agree, that has nothing to do with *others* "blindly believing a sensational headline"



From post #40
I politely, yet very firmly, asked some simple questions. Should it be so hard to get easy answers?

finack, Member
June 21, 2011, 06:34:42 PM
 #52

I politely, yet very firmly, asked some simple questions. Should it be so hard to get easy answers?

Perhaps we live in entirely different worlds, but I can assure you that this excerpt is far from polite:

Quote
IMO, Anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

Imagine how bad things would be if everyone replied to anything they didn't understand in that demanding and accusatory tone.
Bit_Happy, Legendary
June 21, 2011, 09:11:22 PM
 #53

I politely, yet very firmly, asked some simple questions. Should it be so hard to get easy answers?

Perhaps we live in entirely different worlds, but I can assure you that this excerpt is far from polite:

Quote
IMO, Anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

Imagine how bad things would be if everyone replied to anything they didn't understand in that demanding and accusatory tone.

My first request was "socially acceptable", and then I escalated.
Please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

Thank you for your feedback finack.

CharlieContent, Full Member
June 21, 2011, 09:30:12 PM
 #54


So according to MT:

1) Kevin logged in at 5:12, just a few minutes before the market started crashing (~5:15 onwards).
2) Since he bought at 0.01 he must have placed that large bid BEFORE the market crashed...thus implicating him (after all who would place a ~$3000 bid at 0.01 unless they knew it was coming).

According to MT this makes Kevin look suspicious. But there is more useful info to consider:

4) When a BUY order is filled, the only log recorded is the time of the FILL and the time the order was PLACED gets wiped out completely. Thus Tux cannot be sure of anything really.


This proves that MagicalTux is not only incompetent, but an asshole.
jrmithdobbs (OP), Newbie
June 21, 2011, 10:12:37 PM
 #55

Just an update.

18 hours later. Still no response public or private.
Bit_Happy, Legendary
June 22, 2011, 01:50:09 AM
 #56

I politely, yet very firmly, asked some simple questions. Should it be so hard to get easy answers?

Perhaps we live in entirely different worlds, but I can assure you that this excerpt is far from polite:

Quote
IMO, Anyone starting a post like this needs to be able to demonstrate exactly where the attack part of this code is:

If you can show me (us) the "bad parts" and be correct, then thank you for posting this.
If you can't then (at best) you are acting without thinking things through.
Thank you

Imagine how bad things would be if everyone replied to anything they didn't understand in that demanding and accusatory tone.

My first request was "socially acceptable", and then I escalated.
Please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

Thank you for your feedback finack.


There's a lot of stupid fucks on this forum, but you are probably the worst. My god, you are a dunderheaded buffoon. Every single one of your posts betrays the fact that you're just not very bright.

If you are too stupid and ignorant to understand how things work, then please just stay out of threads discussing them. Leave it to those of us who do understand and don't need to ask for things to be explained in "simple English" like some kind of child or downs syndrome retard, you halfwitted mongoloid fuck.

We're not your mommy or your kindergarten teacher, so don't ask us to explain things slowly and carefully so your tiny little brain can understand them, you dumbass motherfucker.

Have you always been a mongo Bit_Happy? Huh? Have you always been a fucking stupid mongoloid cunt who asks for a retard's simple explanations so he can understand things? Is it some kind of chromosomal abnormality that causes you to be so slow and backwards, or was your mother fucked by a dog when she was pregnant with you, her brother's son? Those are the only two situations I can think of that would explain how fucking stupid you act.

You're so fucking stupid that I'm surprised you remember to breathe. I hope you forget and die next time you get distracted by something shiny.

You would be amazed how high my IQ is, plus you need to look in the mirror and keep talking to yourself.
Please keep in mind we are in a forum with a lot of lies, distortions and BS going around.

finnthecelt, Full Member
June 22, 2011, 02:45:18 AM
 #57

Are you guys done?
magik, Newbie
June 22, 2011, 04:51:33 AM
 #58

seriously for every 1 good post, there's like 10-20 retarded ass flame wars going on

IMO I just want some god damned info and a straight story with some evidence to back it up

I feel like MT really hasn't handled this situation in the best manner

All we want are some freaking answers, and because of that and the extremists on either side, you guys just devolve everything into stupid flamewars.  At this point it's like fuck it, what the fuck is the point of arguing, we should be grabbing pitchforks and torches and start marching to MT or MtGox demanding some fucking answers because as a user of MtGox with my personal information leaked to the world and the site going down locking our funds out, the least we should be given is a fucking straight and sensible answer/explanation.

This shit has gotten ridiculously out of hand
jrmithdobbs (OP), Newbie
June 22, 2011, 01:08:15 PM
 #59

Please take your worthless insults and bickering over who has the higher IQ elsewhere.

Thanks.
Bit_Happy, Legendary
June 23, 2011, 07:38:26 AM
Last edit: June 23, 2011, 07:49:20 AM by Bit_Happy
 #60

Please take your worthless insults and bickering over who has the higher IQ elsewhere.

Thanks.

The only reason I mentioned IQ was due to the nature of his attack, and the way he called me stupid several times, plus he insulted my family in ways only a very sick mind would ever think of.
This forum used to be a great place; nobody noticed how ridiculous and over the top his attack was, and/or bothered to suggest to him he should cool it.
Gee, thanks a lot guys.

Bit_Happy, Legendary
June 23, 2011, 07:38:57 AM
 #61

More full disclosure! More fun!
...

More fun for many happy people!
History will record that MTux from MtGox has done a "prove it" transfer of over 424,242BTC, so the original thread title ...More likely MtGox Post-Mortem, will most likely prove to be highly inaccurate.
http://blockexplorer.com/address/1eHhgW6vquBYhwMPhQ668HPjxTtpvZGPC

Great news for Bitcoin and the community.   :)

jrmithdobbs (OP), Newbie
June 23, 2011, 01:13:42 PM
 #62

More full disclosure! More fun!
...

More fun for many happy people!
History will record that MTux from MtGox has done a "prove it" transfer of over 424,242BTC, so the original thread title ...More likely MtGox Post-Mortem, will most likely prove to be highly inaccurate.
http://blockexplorer.com/address/1eHhgW6vquBYhwMPhQ668HPjxTtpvZGPC

Great news for Bitcoin and the community.   :)

I'm glad he did this and has proven he is still in possession of the coins.

I'm disappointed it took 5 days of people asking for it for him to follow through.

That is indeed good news but has no bearing on this thread. All that proves is that the attacker in fact did not take off with the wallet, which was never even an implication of this thread.
jrmithdobbs (OP), Newbie
June 23, 2011, 02:59:11 PM
 #63

I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that this created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.
finnthecelt, Full Member
June 23, 2011, 03:09:45 PM
 #64

I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that this created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

Right. They need to think that one through a little better.
Tasty Champa, Member
June 23, 2011, 03:13:01 PM
 #65

However, it cuts down a little on people having more than 50 accounts each. ;)
finnthecelt, Full Member
June 23, 2011, 03:46:44 PM
 #66

However, it cuts down a little on people having more than 50 accounts each. ;)

No they will just not be as secure as "paying" members.
mmdough, Member
June 23, 2011, 05:02:35 PM
 #67

I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that this created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

There's a few other threads addressing this... especially http://forum.bitcoin.org/index.php?topic=21405.0;all

Short version: MtGox has upgraded security across the board. 2-factor authentication will be available for those who desire even more security. This service costs money to operate, and so cannot reasonably be offered free of charge except as a perk.
finnthecelt
Full Member
Activity: 140
Merit: 100
June 23, 2011, 06:29:09 PM
 #68

I'm glad he did this and have proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

I suppose that's fair. Thx.

There are a few other threads addressing this... especially http://forum.bitcoin.org/index.php?topic=21405.0;all

Short version: MtGox has upgraded security across the board. 2-factor authentication will be available for those who desire even more security. This service costs money to operate, and so cannot reasonably be offered free of charge except as a perk.
Tasty Champa
Member
Activity: 84
Merit: 10
June 23, 2011, 06:30:57 PM
 #69

however, it cuts down a little on people having more than 50 accounts each.

No they will just not be as secure as "paying" members.

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

What many others and I learned from this is using an exchange as an Ewallet was not the end all secure practice like a Lot of us had thought and hoped it was. The 2 step verification will theoretically bring using mtgox to be a relatively secure Ewallet. As it will also bring other exchanges into the main arena for doing so.

Whether or not trusting the exchanges enough to do so is entirely up to its userbase, just like it was before all this happened. People trusting an entity they have never physically met with thousands of units in anything is something to say about the people doing so, but that obviously can be said about every business involving large quantities of anything.

What I'm trying to say is that remembering the word secure is only a relative term is a good thing.
jrmithdobbs (OP)
Newbie
Activity: 67
Merit: 0
June 23, 2011, 06:48:16 PM
 #70

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.
finack
Member
Activity: 126
Merit: 10
June 23, 2011, 06:55:07 PM
 #71

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of sms messaging for authentication on their bottom line.
Tasty Champa
Member
Activity: 84
Merit: 10
June 23, 2011, 08:53:44 PM
 #72

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

hahaha god damn you are one argumentative mother fucker!

Look at the bright side.
this is why I don't drink alcohol.

It's certainly not your job to tell them how to run their business.
I can understand you are devoted to them, but there is a limit to telling other people what they can and can't do. it's why we are here, to get away from those fools.
Tasty Champa
Member
Activity: 84
Merit: 10
June 23, 2011, 09:01:39 PM
 #73

when it comes to money and corporations, loyalty is the biggest mistake.
ius
Newbie
Activity: 56
Merit: 0
June 23, 2011, 10:01:32 PM
 #74

While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of sms messaging for authentication on their bottom line.

Last time I checked the problem was on their end, not on their users'. Although adding a second factor is undeniably a good thing, it's not going to do much for security on their end.

In addition to that, I suspect a large number of bitcoin/mtgox users own a smartphone. There's a HOTP implementation for pretty much all platforms - completely free..
jrmithdobbs (OP)
Newbie
Activity: 67
Merit: 0
June 24, 2011, 01:10:01 AM
 #75

This made me LOL so I figured this is the place to share:

http://www.quickmeme.com/meme/4565/
joepie91
Sr. Member
Activity: 294
Merit: 250
June 24, 2011, 02:01:57 AM
 #76

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

hahaha god damn you are one argumentative mother fucker!

Look at the bright side.
this is why I don't drink alcohol.

It's certainly not your job to tell them how to run their business.
I can understand you are devoted to them, but there is a limit to telling other people what they can and can't do. it's why we are here, to get away from those fools.
Nice comeback bro.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
jrmithdobbs (OP)
Newbie
Activity: 67
Merit: 0
June 25, 2011, 03:22:43 AM
 #77

I love to say I told you so:

http://pastebin.com/e8NHXuSe
http://pastebin.com/HGssM2L7

Nice how he took 24 hours to notify his users.
TriumVir
Newbie
Activity: 56
Merit: 0
June 25, 2011, 03:30:05 AM
 #78

I love to say I told you so:

http://pastebin.com/e8NHXuSe
http://pastebin.com/HGssM2L7

Nice how he took 24 hours to notify his users.

Fork, they were using floats for some calculations:

28.21:03 < eleorea> a couple days prior to the crash i noticed my BTC balance kept fluctuation up and down .01 of a bitcoin..anyone else notice similar
29.21:03 < MagicalTux> eleorea: rounding bug
30.21:03 < go1dfish> eleorea: some had mentioned that Mt Gox used floating point internally for some calculations
31.21:03 < go1dfish> is that true? and has that been fixed?
33.21:03 < eleorea> ahh thx
35.21:04 < MagicalTux> go1dfish: the new system use 100% integers
gmaxwell
Staff
Legendary
Activity: 4172
Merit: 8419
June 25, 2011, 03:45:58 AM
 #79

Fork, they were using floats for some calculations:

Not news: http://forum.bitcoin.org/index.php?topic=11551

On this subject, I've seen people hating on bitcoin7 for using "float" on IRC a bunch— but it turns out that they are using decimal float, which is perfectly fine and reasonable for this. Only the use of binary float leads to perplexing results with bitcoin values.
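The difference gmaxwell draws (binary float gives perplexing results, decimal float and integers do not) can be shown on a small ledger. This is an added example, not code from the thread, MtGox or bitcoin7; the ledger entries are constructed, and the integer variant stores satoshi as the "100% integers" system in the quoted IRC log is said to.

```python
from decimal import Decimal

# Constructed ledger: ten credits of 0.1 BTC followed by one debit of 1 BTC.
# Amounts are strings so that each arithmetic style parses them itself.
LEDGER = [("credit", "0.1")] * 10 + [("debit", "1.0")]


def balance_binary_float(ledger):
    """IEEE 754 binary double: 0.1 has no exact binary representation, so
    the running balance drifts and never returns exactly to zero."""
    bal = 0.0
    for kind, amt in ledger:
        bal += float(amt) if kind == "credit" else -float(amt)
    return bal


def balance_decimal_float(ledger):
    """Decimal floating point: every amount with a bounded number of decimal
    digits is represented exactly, so the same ledger balances to zero."""
    bal = Decimal(0)
    for kind, amt in ledger:
        bal += Decimal(amt) if kind == "credit" else -Decimal(amt)
    return bal


def btc_to_satoshi(amt):
    """Parse a BTC string into an integer satoshi count (1 BTC = 10**8 sat),
    rejecting anything finer than one satoshi instead of silently rounding."""
    sat = Decimal(amt).scaleb(8)
    if sat != sat.to_integral_value():
        raise ValueError(f"{amt} BTC is not a whole number of satoshi")
    return int(sat)


def balance_integer(ledger):
    """All-integer accounting in satoshi: exact, and cheap to compare."""
    bal = 0
    for kind, amt in ledger:
        bal += btc_to_satoshi(amt) if kind == "credit" else -btc_to_satoshi(amt)
    return bal


if __name__ == "__main__":
    print("binary float :", balance_binary_float(LEDGER))   # tiny nonzero
    print("decimal float:", balance_decimal_float(LEDGER))  # 0.0
    print("integer sat  :", balance_integer(LEDGER))        # 0
```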

jrmithdobbs (OP)
Newbie
Activity: 67
Merit: 0
June 28, 2011, 02:13:08 AM
 #80

Oh hey look, he admits the possibility finally. Tonight on #mtgox. (times CST/CDT)

Quote
[18:17:18] <MagicalTux> dehuman: we have two vectors possible, and I believe they are linked at some point. One is the sqli that were disclosed after we took the site offline, and the second one was the auditor, which may have been exposed by what people found via the sqli (or not, I don't know yet at this point)
jrmithdobbs (OP)
Newbie
Activity: 67
Merit: 0
June 30, 2011, 06:40:26 PM
 #81

Hello vindication, how are you today sir?:

http://forum.bitcoin.org/index.php?topic=24727.0