Bitcoin Forum
December 11, 2016, 06:35:07 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4]  All
  Print  
Author Topic: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off  (Read 17391 times)
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
July 05, 2011, 10:47:18 PM
 #61

b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught  stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".
Except whoever did this did steal enough money to get themselves in serious legal hot water already... not to mention all the money they attempted to steal and give away at knock-down prices.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
1481438107
Hero Member
*
Offline Offline

Posts: 1481438107

View Profile Personal Message (Offline)

Ignore
1481438107
Reply with quote  #2

1481438107
Report to moderator
1481438107
Hero Member
*
Offline Offline

Posts: 1481438107

View Profile Personal Message (Offline)

Ignore
1481438107
Reply with quote  #2

1481438107
Report to moderator
1481438107
Hero Member
*
Offline Offline

Posts: 1481438107

View Profile Personal Message (Offline)

Ignore
1481438107
Reply with quote  #2

1481438107
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
July 05, 2011, 10:53:18 PM
 #62

b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught  stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".
Except whoever did this did steal enough money to get themselves in serious legal hot water already... not to mention all the money they attempted to steal and give away at knock-down prices.

or the 2000 btc could be a concession to Kevin Day?
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 08, 2011, 03:06:32 AM
 #63

Even Snort + fw + browsing in a VM would not have protected you against, say, a tabnabbing phishing attempt. (I mention this example again because of how deceptively efficient it is...)

Just when I start to think I am being too paranoid leaving JavaScript disabled, I read this.

I temporarily enabled JavaScript for complaining about that bitcoin trademark :/

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
DATA COMMANDER
Full Member
***
Offline Offline

Activity: 126


View Profile
July 08, 2011, 11:56:11 PM
 #64

FWIW, MtGox claims that I never completed registration at their site, even though I not only completed registration but also bought 6 BTC under the handle datacommander.

Tips are appreciated (very tiny tips are perfectly okay!) 13gDRynPfLH3NNAz3nVyU3k3mYVcfeiQuF
mewantsbitcoins
Full Member
***
Offline Offline

Activity: 126


View Profile
July 09, 2011, 05:05:48 PM
 #65

For fuck's sake - it's been more than three weeks and the server is still down. That's what I get for supporting someone in bitcoin business.
Stay away from Mt.gox and Kalyhost. They are scammers and incompetent beyond belief!
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
July 09, 2011, 05:50:53 PM
 #66

For fuck's sake - it's been more than three weeks and the server is still down. That's what I get for supporting someone in bitcoin business.
Stay away from Mt.gox and Kalyhost. They are scammers and incompetent beyond belief!

i don't get it.  i moved USD into mtgox on 7/1 and did a bunch of successful trades thru to 7/4.  whats wrong with the server?
bytemaster
Hero Member
*****
Offline Offline

Activity: 728

BitShares


View Profile WWW
July 11, 2011, 01:48:45 AM
 #67

I have not been given access to my account and get no response from Mt. Gox. 

Please, I encourage everyone to boycott MtGox who has effectively stolen thousands of dollars from many of their customers.

https://steemit.com  Blogging is the new Mining
jed
Full Member
***
Offline Offline

Activity: 166

Jed McCaleb


View Profile WWW
July 12, 2011, 12:14:45 PM
 #68

bytemaster: go to freenode on irc #mtgox and ask for MagicalTux. He is there right now and will fix your problem.

stellar.org   |    twitter
bytemaster
Hero Member
*****
Offline Offline

Activity: 728

BitShares


View Profile WWW
July 14, 2011, 11:41:57 PM
 #69

I have gotten access back, withdrew my money. 

https://steemit.com  Blogging is the new Mining
pointbiz
Sr. Member
****
Offline Offline

Activity: 426

1ninja


View Profile
July 17, 2011, 06:53:07 PM
 #70

A consistent message from Mark about this whole event was that it was Jed's fault.

Further clarification:
Compromised Admin Level User Account = Jed's user account to access Mt.Gox public website as a trader. UserID of 1 from the leaked table of users.

Point to consider: There were at least two admin level user accounts in the leaked table of users:
UserID 1, Username: jed
UserID 634, Username: MagicalTux

My assumptions from mtgox's clarification:
1) There were administrative web pages as part of Mt gox's front-end PHP website code.
2) To access these administrative web pages Mark/Jed use the same user/password as their trader account and login from the public login form.
3) BTC balances in the mtgox system are not tied to balances of public keys in the block chain (therefore unbacked by BTC which leads to the temptation of a fractional reserve exchange).
4) These administrative pages allowed unlimited deposits of BTC to an admin's trader account.
5) These administrative pages did NOT allow the configuration of withdrawal limits.
6) The withdrawal limits for the system were hard coded in the PHP withdrawal pages. $1000 per withdrawal (not per 24 hours) as the infamous Kevin has informed us. Therefore, SQL injection in combination with an admin trader account would not allow access to modify PHP files.
7) The attacker did not have access to modify PHP files.
8 ) SQL injection attack occurred on the Login page because no other tables from the database were leaked. The login form would be reading from the users table.



Why Jed is not at fault and Mark is 100% at fault:
1) Upon taking ownership of mtgox Mark recognized the database table with user and admin accounts had UNsalted MD5 passwords (read plaintext under 12 characters).
2) Mark should have removed admin accounts from the user table and created a separate table with admin level accounts. He should have created a separate login area for admin users. When a SQL injection attack is occurring the attacker is poking in the dark and is getting information little by little. Since only 1 table was leaked to the public, we can assume the attacker only knew about the users table. If admin accounts were stored in a different table their password hashes would not have been leaked.
3) Mark should have moved the administrative web pages to a separate server, the more isolation the better. He should not allow admins to login through the regular user login form.
4) Mark added user specific salts but did not add a secondary global salt that was hard coded in the PHP. If this salt existed the leaked users table would be useless!!
5) Mark did not audit the code for SQL injection vulnerabilities. Which were probably obvious from the use of embedded SQL and non-parameterized queries (red flags that you have a SQL injection door).
6) Mark did not close these vulnerabilities, probably less than 1 weeks work if not 2 days. If the attack occurred in April I'd have sympathy for Mark.
7) It's possible an earlier version of the leaked users table exists (unpublished) with the UNsalted MD5 passwords (before Mark took ownership, since we presume the same SQL injection door was open). However, Mark did not prompt users to CHANGE their passwords. Salting of already compromised passwords is pointless.
8 ) Mark did nothing to protect us from Jed (I'm not making any accusation of Jed here)
9) Upon taking ownership, Mark did not ask for a site wide password change with minimum password strength.
10) Mark could have implemented the salted SHA-512 (with user salt and global hard coded salt) then instructed Jed to change his password.


Mark has been very deceptive and this clarification is somewhat different then the story Mark presented to Bruce Wagner in their interview. Mark is trying to let our imaginations run wild by saying he questions the motives of the hacker. And that the hacker could have stolen more. The reason the hacker couldn't withdraw more money was the same reason the infamous Kevin could not withdraw more. There were active normal traders on the site who saw the price at 0.01 USD and were willing to pay 0.50 USD per BTC. The window to withdraw was very limited.

Finally, with no evidence from Mark, why should we assume it was Jed's account that was compromised and not Mark's ?

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
July 17, 2011, 07:22:29 PM
 #71

because Jed has told me it was his acct that got hacked after the SQL injection.

still doesn't absolve Mark.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1092


Will read PM's. Have more time lately


View Profile
July 31, 2011, 02:21:16 PM
 #72

Here we go again.. Undecided

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

Aquent
Member
**
Offline Offline

Activity: 72


View Profile
April 30, 2014, 03:27:52 PM
 #73

Interesting all this lack of information from both Jed and Mark all the way back.

Did Jed ever get paid? If so how much? How much was mtgox sold for exactly?

Was the blockchain address of this account which withdrew 2k ever published?
Bitcoinpro
Legendary
*
Offline Offline

Activity: 1134



View Profile
April 30, 2014, 03:46:17 PM
 #74

He is going to be know as the dude that was trying to play a game of Pacman with a disgruntled customer as he was trying to enter his office building,

the pacman pellets where the bitcoins, he had them firmly stashed in usb sticks contained in that black case he was carrying on his shoulder.

The disgruntled customer should have grabbed that case of his shoulder for sure !!!

www.cryptocurrencycentralbank.com 

LTC: LP7bcFENVL9vdmUVea1M6FMyjSmUfsMVYf
Pages: « 1 2 3 [4]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!