Bitcoin Forum
December 09, 2016, 06:17:58 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4] 5 »  All
  Print  
Author Topic: [Full Disclosure] More likely MtGox Post-Mortem  (Read 21299 times)
Bit_Happy
Legendary
*
Offline Offline

Activity: 1442


A Great Time to Start Something!


View Profile
June 23, 2011, 07:38:57 AM
 #61

More full disclosure! More fun!
...

More fun for many happy people!
History will record that MTux from MGox has done a "prove it" transfer of over 424,242BTC, so the original thread title ...More likely MtGox Post-Mortem, will most likely prove to be highly inaccurate.
http://blockexplorer.com/address/1eHhgW6vquBYhwMPhQ668HPjxTtpvZGPC

Great news for Bitcoin and the community.   Smiley

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
1481264278
Hero Member
*
Offline Offline

Posts: 1481264278

View Profile Personal Message (Offline)

Ignore
1481264278
Reply with quote  #2

1481264278
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481264278
Hero Member
*
Offline Offline

Posts: 1481264278

View Profile Personal Message (Offline)

Ignore
1481264278
Reply with quote  #2

1481264278
Report to moderator
1481264278
Hero Member
*
Offline Offline

Posts: 1481264278

View Profile Personal Message (Offline)

Ignore
1481264278
Reply with quote  #2

1481264278
Report to moderator
jrmithdobbs
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 23, 2011, 01:13:42 PM
 #62

More full disclosure! More fun!
...

More fun for many happy people!
History will record that MTux from MGox has done a "prove it" transfer of over 424,242BTC, so the original thread title ...More likely MtGox Post-Mortem, will most likely prove to be highly inaccurate.
http://blockexplorer.com/address/1eHhgW6vquBYhwMPhQ668HPjxTtpvZGPC

Great news for Bitcoin and the community.   Smiley

I'm glad he did this and have proven he is still in possession of the coins.

I'm disappointed it took 5 days of people asking for it for him to follow through.

That is indeed good news but has no bearing on this thread. All that proves is that the attacker in fact did not take off with the wallet. Which was never an even implication of this thread.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
jrmithdobbs
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 23, 2011, 02:59:11 PM
 #63

I'm glad he did this and have proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
finnthecelt
Full Member
***
Offline Offline

Activity: 140


View Profile
June 23, 2011, 03:09:45 PM
 #64

I'm glad he did this and have proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

Right. They need to think that one through a little better.
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
June 23, 2011, 03:13:01 PM
 #65

however, it cuts down a little on people having more than 50 accounts each. Wink
finnthecelt
Full Member
***
Offline Offline

Activity: 140


View Profile
June 23, 2011, 03:46:44 PM
 #66

however, it cuts down a little on people having more than 50 accounts each. Wink

No they will just not be as secure as "paying" members.
mmdough
Member
**
Offline Offline

Activity: 70


WAAAAAHK waahk waahk waahk.


View Profile
June 23, 2011, 05:02:35 PM
 #67

I'm glad he did this and have proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

There's a few other threads addressing this... especially http://forum.bitcoin.org/index.php?topic=21405.0;all

Short version: MtGox has upgraded security across the board. 2-factor authentication will be available for those who desire even more security. This service costs money to operate, and so cannot reasonably be offered free of charge except as a perk.

Alms for apostles: Ds9yPrqaHhRKvN8jcWmam6NN7EiTqAGsk
finnthecelt
Full Member
***
Offline Offline

Activity: 140


View Profile
June 23, 2011, 06:29:09 PM
 #68

I'm glad he did this and have proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

I suppose that's fair. Thx.

There's a few other threads addressing this... especially http://forum.bitcoin.org/index.php?topic=21405.0;all

Short version: MtGox has upgraded security across the board. 2-factor authentication will be available for those who desire even more security. This service costs money to operate, and so cannot reasonably be offered free of charge except as a perk.
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
June 23, 2011, 06:30:57 PM
 #69

however, it cuts down a little on people having more than 50 accounts each. Wink

No they will just not be as secure as "paying" members.

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

What many others and I learned from this is using an exchange as an Ewallet was not the end all secure practice like a Lot of us had thought and hoped it was. The 2 step verification will theoretically bring using mtgox to be a relatively secure Ewallet. As it will also bring other exchanges into the main arena for doing so.

Whether or not trusting the exchanges enough to do so is entirely up to it's userbase, just like it was before all this happened. People trusting an entity they have never physically met with thousands of units in anything is something to say about the people doing so, but that obviously can be said about every business involving large quantities of anything.

What I'm trying to say is that remembering the word secure is only a relative term is a good thing.
jrmithdobbs
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 23, 2011, 06:48:16 PM
 #70

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
finack
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 23, 2011, 06:55:07 PM
 #71

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of sms messaging for authetication on their bottom line.
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
June 23, 2011, 08:53:44 PM
 #72

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

hahaha god damn you are one argumentative mother fucker!

Look at the bright side.
this is why I don't drink alcohol.

It's certainly not your job to tell them how to run their business.
I can understand you are devoted to them, but there is a limit to telling other people what they can and can't do. it's why we are here, to get away from those fools.
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
June 23, 2011, 09:01:39 PM
 #73

when it comes to money and corporations, loyalty is the biggest mistake.
ius
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 23, 2011, 10:01:32 PM
 #74

While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of sms messaging for authetication on their bottom line.

Last time I checked the problem was on their end, not on their users'. Although adding a second factor is undiably a good thing, it's not going to do much for security on their end.

In addition to that, I suspect a large number of bitcoin/mtgox users own a smartphone. There's a HOTP implementation for pretty much all platforms - completely free..

PGP: 0xCC06E446 Bitcoin: 19kdfgW1KXQgV7SCLEPAojtHxN9xotGkGH
jrmithdobbs
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 24, 2011, 01:10:01 AM
 #75

This made me LOL so I figured this is the place to share:

http://www.quickmeme.com/meme/4565/

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 24, 2011, 02:01:57 AM
 #76

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

hahaha god damn you are one argumentative mother fucker!

Look at the bright side.
this is why I don't drink alcohol.

It's certainly not your job to tell them how to run their business.
I can understand you are devoted to them, but there is a limit to telling other people what they can and can't do. it's why we are here, to get away from those fools.
Nice comeback bro.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
jrmithdobbs
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 25, 2011, 03:22:43 AM
 #77

I love to say I told you so:

http://pastebin.com/e8NHXuSe
http://pastebin.com/HGssM2L7

Nice how he took 24 hours to notify his users.

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
TriumVir
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 25, 2011, 03:30:05 AM
 #78

I love to say I told you so:

http://pastebin.com/e8NHXuSe
http://pastebin.com/HGssM2L7

Nice how he took 24 hours to notify his users.

Fork, they were using floats for some calculations:

28.21:03 < eleorea> a couple days prior to the crash i noticed my BTC balance kept fluctuation up and down .01 of a bitcoin..anyone else notice similar
29.21:03 < MagicalTux> eleorea: rounding bug
30.21:03 < go1dfish> eleorea: some had mentioned that Mt Gox used floating point internally for some calculations31.21:03 < go1dfish> is that true? and has that been fixed?
33.21:03 < eleorea> ahh thx
35.21:04 < MagicalTux> go1dfish: the new system use 100% integers
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2030



View Profile
June 25, 2011, 03:45:58 AM
 #79

Fork, they were using floats for some calculations:

Not news: http://forum.bitcoin.org/index.php?topic=11551

On this subject, I've seen people hating on bitcoin7 for using "float" on IRC a bunch— but it turns out that they are using decimal float, which is perfectly fine and reasonable for this. Only the use of binary float leads to perplexing results with bitcoin values.

jrmithdobbs
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 28, 2011, 02:13:08 AM
 #80

Oh hey look, he admits the possibility finally. Tonight on #mtgox. (times CST/CDT)

Quote
[18:17:18] <MagicalTux> dehuman: we have two vectors possible, and I believe they are linked at some point. One is the sqli that were disclosed after we took the site offline, and the second one was the auditor, which may have been exposed by what people found via the sqli (or not, I don't know yet at this point)

1B8TSDzXdyTRX5eF77gWQoXujBaDtKFE6H
Pages: « 1 2 3 [4] 5 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!