Bitcoin Forum
October 06, 2024, 04:24:08 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: From the desk of Tom Williams, operator of MyBitcoin.com  (Read 25371 times)
rebuilder
Legendary
*
Offline Offline

Activity: 1615
Merit: 1000



View Profile
June 29, 2011, 07:37:16 AM
 #21

theymos: Mybitcoin.com provides, as far as I can tell, no way for a user who can't log in to contact the site administrators for support. That's quite peculiar to me. I'll see if I can log in there and make a support ticket requesting some kind of contact info to be posted on the front page.

Edit: nevermind, LittleGnome says they've already tried this.

Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
LittleGnome
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
June 29, 2011, 07:46:49 AM
 #22

theymos: Mybitcoin.com provides, as far as I can tell, no way for a user who can't log in to contact the site administrators for support. That's quite peculiar to me. I'll see if I can log in there and make a support ticket requesting some kind of contact info to be posted on the front page.

Edit: nevermind, LittleGnome says they've already tried this.

rebuilder, feel free to submit that as a support ticket. I've mostly confined my support requests to things such as "please give me access to my account", "how can I access my account", "why don't you reply?", "you realize I'm talking about you all over the internet, right?" and words to that effect.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5348
Merit: 13316


View Profile
June 29, 2011, 05:39:02 PM
 #23

What kind of proof are you looking for?

For one thing, they should publish the results of the audit they claimed was performed.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
LittleGnome
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
June 30, 2011, 06:42:20 AM
 #24

What kind of proof are you looking for?

For one thing, they should publish the results of the audit they claimed was performed.

Then I would agree with you, theymos. That would be enormously helpful. Right now All I'm seeing are myself and a few vocal parties who feel wronged by this, and this statement, which I might add was not made to the public at large.

If Mybitcoin was even a third or fourth rate financial institution in the mainstream world we would expect more than what we've gotten.

My point in all this,

Mr. Williams, you owe your customers, anonymous or not, an explanation, and a way to reclaim their funds.
billyjoeallen
Legendary
*
Offline Offline

Activity: 1106
Merit: 1007


Hide your women


View Profile WWW
June 30, 2011, 04:36:32 PM
 #25

The market response to this would be to go somewhere else. I warn everybody away from myBitcoin at least until they remedy this situation, but the problem is: what other eWallet providers are there?

insert coin here:
Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s



1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
Alex Beckenham
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
June 30, 2011, 04:48:51 PM
 #26

The market response to this would be to go somewhere else. I warn everybody away from myBitcoin at least until they remedy this situation, but the problem is: what other eWallet providers are there?

I feel the same... really dislike mybitcoin.com and wouldn't want my friends to use it, but then I have no alternative to recommend either.

You can use many sites as an ewallet, although doing so won't give much functionality... i.e. Tradehill could be used as an ewallet.

billyjoeallen
Legendary
*
Offline Offline

Activity: 1106
Merit: 1007


Hide your women


View Profile WWW
June 30, 2011, 05:00:38 PM
 #27

The market response to this would be to go somewhere else. I warn everybody away from myBitcoin at least until they remedy this situation, but the problem is: what other eWallet providers are there?

I feel the same... really dislike mybitcoin.com and wouldn't want my friends to use it, but then I have no alternative to recommend either.

You can use many sites as an ewallet, although doing so won't give much functionality... i.e. Tradehill could be used as an ewallet.


instawallet.org  -just got one.

insert coin here:
Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s



1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
Alex Beckenham
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
June 30, 2011, 05:29:14 PM
 #28

The market response to this would be to go somewhere else. I warn everybody away from myBitcoin at least until they remedy this situation, but the problem is: what other eWallet providers are there?

I feel the same... really dislike mybitcoin.com and wouldn't want my friends to use it, but then I have no alternative to recommend either.

You can use many sites as an ewallet, although doing so won't give much functionality... i.e. Tradehill could be used as an ewallet.


instawallet.org  -just got one.

Yeah, that's a good site... what I meant by 'much functionality' was mainly merchant integration.

theymos
Administrator
Legendary
*
Offline Offline

Activity: 5348
Merit: 13316


View Profile
July 01, 2011, 01:31:47 AM
 #29

MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.

There's another attack made possible by accepting payments with less than 6 confirmations that would allow you to see exactly which coins MyBitcoin has, and possibly do other damage.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
just_someguy
Full Member
***
Offline Offline

Activity: 125
Merit: 100


View Profile
July 01, 2011, 02:06:53 AM
 #30

MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.

There's another attack made possible by accepting payments with less than 6 confirmations that would allow you to see exactly which coins MyBitcoin has, and possibly do other damage.

Don't leave us hanging! As long as it doesn't allow someone to go right out and do it what is the < 6 block attack?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5348
Merit: 13316


View Profile
July 01, 2011, 02:49:00 AM
 #31

It's pretty simple, which is why I didn't mention it. The client will only send coins with >6 confirmations unless you have none of those left. So you just keep depositing and withdrawing lots of coins and MyBitcoin will quickly send every coin they have. Once the same coins start to be resent, you know you've seen them all. Now you know how many coins MyBitcoin has with high accuracy as well as exactly which coins make up that balance. You've also "brought to the surface" all of MyBitcoin's coins, which might allow other attacks.

I haven't tried this. Maybe MyBitcoin limits site-wide BTC movements, which might make it more difficult.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
da2ce7
Legendary
*
Offline Offline

Activity: 1222
Merit: 1016


Live and Let Live


View Profile
August 04, 2011, 09:21:47 AM
 #32

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            From the desk of Tom Williams, operator of MyBitcoin.com

                          For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin
forum and other places about the recent Mtgox password leak, and theft
from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best
as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was
leaked. As soon as we heard about the leak we were closely monitoring
the system for abnormal activity, and we didn't see any.

At first glance, we didn't see any hard evidence that a password leak
had even occurred. There was just a lot of speculation to an SQL
injection vulnerability in Mtgox's site. A few clients of ours had
informed us of the forum threads, and we watched them carefully.

The following morning a client of ours sent us the download link to the
leaked Mtgox password file. We prompty downloaded the file, put up a
warning on the main page, and disabled the login.

We attempted to line up usernames from the leak, and we found a lot of
matching ones. We started locking down all of those accounts using a
script that we had to have written at a moment's notice. It was during
this time that we noticed a flurry of spends happening. Yes, even with
the site disabled.

The attacker had active sessions open to the site. We quickly flushed
them and the spends stopped abruptly. We disabled the SCI, all payment
forwarding, and all receipt URL traffic on all of the usernames in the
Mtgox leak.

We proceeded to change the password on every account where the username
matched our system's database. PGP-signed emails went out to all of the
accounts that we changed the password on. If an account didn't have an
email address or had already been compromised we put up a bulletin.
(Email addresses were mandatory when we opened our service initially,
but people complained that it wasn't truly anonymous so we made them
optional. Unfortunately this makes contacting a security-compromised
customer impossible.)

An investigation was conducted at that time, and we determined that the
attacker had opened up a session to each active user/password pair ahead
of time, solved the captcha, and used some sort of bot to maintain a
connection so our system wouldn't timeout on the session. It was likely
his intent to gain access to more accounts than he did, but as soon as
he noticed that we had changed the main page of the site he sprung into
action by sending a flurry of spends.

(Before you ask: no, we don't limit logins per IP address. We can't. We
have a lot of users that come in from Tor and I2P that all appear to
share the same source IP address.)

We've concluded that around 1% of the users on the leaked Mtgox password
file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a
horrible experience for the Bitcoin community in general.

The IP address that the attacker used was a Tor exit node and the spends
were to an address that is outside of our system.

Now to address the rumors:

No, our database wasn't compromised. We had a 3rd party company audit
our site for SQL injection attacks and we passed. (We did, however, have
one XSS hole in the address book page last month that would allow an
attacker to insert fake entries into a customer's address book. It was
promptly fixed and offending address book entries were purged. Not a
single customer had spent to the fake address book entries.) Every line
of code was audited last month. Literally line by line audited by
professionals, and it was deemed safe.

No, this site isn't being ran by some amateur that just learned how to
program computers. It was created by seasoned programmers that
understand security.

Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

We also use whole-disk level encryption on every single one of our
servers. When you fail a disk in a NOC and a level 1 technician replaces
it does he wipe the disk before the RMA/tossing it in the garbage? Not
usually! We know these mistakes happen, so we take precautions. Any and
all servers with an IP KVM on them are ran in secure console mode. The
root passwords are required even for single user mode. All disk keys are
held off-site and were never generated anywhere near the internet. All
server passwords are unique per server and per user, of course. Only two
technicians have access to the secure servers. This access is over a VPN
and we only use secured workstations running Linux and BSD to access
them.

We use BSD servers with MAC, immutable flags, jails, PAX, SSP,
randomized mmap, secure level, a WAF, a DDoS mitigation and alert system
- -- the works. Like I said earlier. We are not amateurs. In fact,
combined we have over 30 years of experience in the payment
processing (credit card arena) industry.

A large amount of the Bitcoin holding is in cold (offline) storage. We
only have a percentage of the holding available hot. This is done for
obvious reasons.

Going forward we are implementing a 2-factor login system,
user-configurable spend limits, better session token tumbling, and a
bunch of new SCI features.

Wishing the Bitcoin community all the best and a swift recovery, and
sincerely yours,


Tom Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

iQEcBAEBAgAGBQJOAki5AAoJEJ+5g06lAnqF3tcH/0QNKf7aBEg08vML9MCkwTjF
VCoTAPzVaVsdbZOqiRwE2/6420tcFZrsWTXYZYbjXckEiYrl7/DQ2XsLyhk4W567
T1sOCmpH99Z2/VAvTfAd5obRTEGpMQ0SLIrfznyc8MmG4C1GvtVUr4jM79asPmRY
jsIn7v53o9Ra1sN3QcvMskRUU1JmqfqU6MlJrYwXrtc/P9Tjm7D3AtsjfvJRX12Z
9g5y1N+zRGVpp7OK35VFnfmIKtOOtb3IMgG5EhiUllsoXKfz1eE08v4f4d0aQstL
+HGMi3PktL1HBpIRni2n4MAaIXq/EyzxDSzkSHp6v032H70c1kkUibL//QNxQuM=
=VaXC
-----END PGP SIGNATURE-----


Public Key "MyBitcoin LLC (SCI Verification Key) <nobody@mybitcoin.com>":


Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mQENBEvfPosBCACwT0PMxOgh3iI5loNxhMUrB2fQpFwMy6m0OQO9U+mVpG8fcWdc
TQyLE0LLgU3q1a3A7qpvvWZ+IPeDfFokPwhXsS5fBwGF9LpWIfPCObIif59/r9A0
6aJ03AfKS6pvIxkCje4ndjIvNXcDQuzaKZI38WkHHMHcwkOsmFy5EDtguCvu2i3u
c3HTZ2KJOEHqvw7cO8/hfmvSvNX1WTYUN7/3tMFVGiHkxsxK11HBGdVsKsFlBslS
21Y/zzwqWW1HWC7XNI5IVnqjPWbYz0VnPZeYItoPJ/07xIjA1UmsrN2V2z+qdO4F
bEEtYnMevl6Z9aNOVzJkoEkmtJ7rZhv+MZF9ABEBAAG0O015Qml0Y29pbiBMTEMg
KFNDSSBWZXJpZmljYXRpb24gS2V5KSA8bm9ib2R5QG15Yml0Y29pbi5jb20+iQEc
BBABAgAGBQJNl0P2AAoJEK5905SKX7IvZNoH/jzO4NbHfhBebM7PlG+uhVIjSJ6v
YnurNWSGa5UMMaxKU165bhdaBPh8JMFLPUPKs/+iArlqzetvbErN0r7wXvUTcxc0
fJXdZAAfdxGhdlDDlDoztm6nPb85pYVQ4FeQvMq+KILGn0U0I604OYgX0N6dDtuE
YTYq5pEskxEZL/hkkPlqApipBntXAATGkQHC47ZuUvHyVxDSNML5aV2I7T3wurex
ZW/wuuPM77oDVil8sAG0MCqMSFdKpUJDU2I9C2kPMJ25INi/UkMBmkV9EHN1er4a
u4LKiXc8t5TtXMF6ShRzp6hlICp8pnst5liXDwx6gGd4UDOUpNCELRJGcnmJATgE
EwECACIFAkvfPosCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ+5g06l
AnqF2DUH/3H9ZHJNtMirehS8lzZBlVZikuvdIciG/rIOIuk6C18iWz7Bkis4/+rv
CjCQcY7hXkbPkFxuA+Xrn+/j/C1X5kWSdk6tORDGqq5jYb46biQHX2RiEiT0fKpx
DQQXkaaLCYN6Xu2u7lSh1l/MJ9Z2j1GckDYavsdtxzg/2v2/EzDBzKT+gcVPYyyx
97uxCr9kIO0uzWqSk+04YASGOZc+KIdHHYuBWg+xFVFZvYijbTM3GOENEsg7npCZ
4txniLOrsivQQLcC8+WOG2m/GM+Pt8TxDyidTfDeXnqjHPSFh9jvuMUea6IuSbGN
utzyNw4N6ATH13/Fm1OsqyYzcBxFd3CJAZwEEAECAAYFAk2kYdIACgkQweM0C93b
oWYlCAv+P0p0tkj8s00fBMwJKbgJtyNlzBsO7V1duGvFJ7l3TKNzDr4eXT4K4NBT
wESoMJTTDSmuNX0HAdwywWTk/ng9uw14Cjfhi/ZT78Lo1qI0+b1JQ7Q/USZ1iEkh
AN5Ierfmv3CAnxGpnetq/XcBC3N/7iENNr1il0fNIFP0UGDSUtghFpjLEOpGNBvX
UpN9kIWRxG4JydYJvzbWP+fjsRs++2zQn+G3ofaPxwrNW0v7j5ECStRO/cll7V6t
f0zEzZ/fBBCZcQqpJtm1fvubDl1/7i0dyJZh242vGtn5idPicPBQdrybG/MibK59
Hm90ebeLC/rxfRMVehpG6kDM5eXKEhVFw91RvZxkS8CV93IHZsRAmhoSbWGoCfCJ
7taTEtTm/ecYP8/FN/LZlzMyI7tyslVWJJSb8ul+vqi/aS35DwFvm5tMJUFOzNNY
w+5evvm+IIj7fYwCfNJWDF/o+m16bAg/HEjkmX1NczK/1Y883AWE36y6u01T8hIn
/7DsELvXuQENBEvfPosBCADA0x8iYN8UDruVzwfDuKErS36oINCz+gX60I2mwQ56
lKL9TMNjyJpXLgAiu3Ly+rs/v25jb1W8/dzWHJQ3R0ajmIUs0WHR3P5du7HnvLcu
60zrug/n2dAR1t0LspbiuMI0AEB8pzZF1hEz2Dx2F6NWvJkEiTAJplsLAY9dg8E2
bM3RQtK5jFn8UanY/ryNqjFqFDb5x+5uytXHV99+KjZM04Imr94UP4r+43opljfh
ifwylDz5peKXjB2YYunggznXBEnWSDeNGUXcS1k/aVQyb9ysOo87QZtS+IsUSQ8Y
QdPlfl2jA0DLMJBjZKXLqcjT1olW3rk6j65QEc1tEm1/ABEBAAGJAR8EGAECAAkF
AkvfPosCGwwACgkQn7mDTqUCeoVZTwf/afFkF1pYpl30K90ht6QKkmBUDSZX+eu2
vmhuEKQaB9z2hE1Z5sDgieLR4rxsyPldDwpA10vx4+ECIvtxAGJ6CE3VklxrmY6h
R9zLrUO73DxQN+jGRPt6P91XtR3pcU9WcxQkN5XT4jID+ZqWrbEoxJxAQ9TD9niF
NN4NWrVirU+eh+xZ7XaAT7iHo465fvGAqhVP94p+laHabEXf42cEODN++gM2cd7m
rfra3wnkyPughpc2W9oqxf5aUUb7+8N4Hd1loryg/l2b9eJ3fRpD7IK4QFp1YHNA
EyvBLSCUUk6GMYeWuSarwic2ygxY/HPuai3PYKtb23+Ssqo7Xh7b/Q==
=cUT5
-----END PGP PUBLIC KEY BLOCK-----


Result (gpg -v):

Code:
gpg: Signature made 06/23/11 05:55:37 AUS Eastern Standard Time using RSA key ID A5027A85
gpg: using PGP trust model
gpg: Good signature from "MyBitcoin LLC (SCI Verification Key) <nobody@mybitcoin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB59 EE27 E803 FB68 EF30  3F5A 9FB9 834E A502 7A85
gpg: textmode signature, digest algorithm SHA1

One off NP-Hard.
BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500


Posts: 69


View Profile WWW
August 04, 2011, 11:38:46 AM
 #33

Fake PGP key was known already or did I just read your post wrong?

julz
Legendary
*
Offline Offline

Activity: 1092
Merit: 1001



View Profile
August 04, 2011, 11:53:19 AM
 #34

Fake PGP key was known already or did I just read your post wrong?

Not the way I read it
That post seems legit. 
I also did a gpg verify on a mybitcoin deposit email someone posted online and got a similar result

The signature isn't 'trusted' in that it's not verified by a certifying agency - but I think we can know that it's the same person who had control of the mybitcoin response email system.

I found the same public key in some python software which interfaced with mybitcoin.

Interestingly.. that key does seem to have been certified on 2011-04-02 and 2011-04-12 by one Tobias LLoyd and there are a couple of email addresses for him.

As far as I know.. you shouldn't certify unless you've met and properly verified the person.. so maybe Tobias has some information?



@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
August 04, 2011, 11:55:10 AM
 #35

As far as I know.. you shouldn't certify unless you've met and properly verified the person.. so maybe Tobias has some information?
Yes he might, do you have his mail address? Maybe send him a polite mail...

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
julz
Legendary
*
Offline Offline

Activity: 1092
Merit: 1001



View Profile
August 04, 2011, 12:00:42 PM
 #36

As far as I know.. you shouldn't certify unless you've met and properly verified the person.. so maybe Tobias has some information?
Yes he might, do you have his mail address? Maybe send him a polite mail...


I have just done so.

@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
August 04, 2011, 12:11:14 PM
 #37

I have just done so.
This seems a genuine web of trust, the keys his key are signed with are also signed by others etc... Let's hope this turns op something.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
julz
Legendary
*
Offline Offline

Activity: 1092
Merit: 1001



View Profile
August 04, 2011, 02:48:19 PM
 #38

Tobias was very helpful but doesn't have any further information regarding Tom Williams.

Quote
I believe the only certificate for mybitcoin.com I would have verified would have been the PGP cert that was used to sign all of the emails.

With PGP (or GPG in the OpenSource community) there is no need to meet each other face to face to exchange certificates.  All encryption and signing is done through a public and private key pair.  So, mybitcoin.com would sign all of their correspondence with their private key.  Then through use of their public key, I can validate that it was actually them who signed it.

Now, in regards to my validation of the mybitcoin.com public key.  When I received a message from mybitcoin.com that was signed AND I confirmed that the data contained within was correct (I.E. the transaction listed matched one I had just placed) I knew the message was authentic, so I would have signed their public key indicating that I trusted this key as an authentic key.  So anything signed with that particular key, I knew I could trust.  All of the verification was done from right here at my desk, so I'm sorry to say, I did not have to meet anyone in person in order to verify the key.  I probably gave the key too high of a signing rating though.  Usually when I'm signing keys I go all or nothing.  So sorry if I mis-led you.

I know this doesn't help you in your search, but I wish the best of luck to you!
Tobias


@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
Cryptoman
Hero Member
*****
Offline Offline

Activity: 726
Merit: 500



View Profile
August 04, 2011, 02:55:05 PM
 #39

Who exactly is Tobias Lloyd, and could he be Tom Williams?

"A small body of determined spirits fired by an unquenchable faith in their mission can alter the course of history." --Gandhi
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
August 04, 2011, 02:59:43 PM
 #40

Too bad, another dead end. It was worth a try!

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!