Bitcoin Forum
Author Topic: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off  (Read 18482 times)
mrb
July 03, 2011, 05:39:23 PM
 #41

A few passwords of length 22 or more have been discovered (none of them are yours):

Code:
$1$vl6fKApv$FM4X4hc4oJMB7D6UsEzxN1:digitalcurrencypassword
$1$zu4V3y9t$1/iE1miMzvTuj.Js17Buo0:weloveyouinglacialways72
$1$u13cgODk$1aaFBvCFoQSl5YuwvnCbk.:Thereisnogodsofuckoff!
$1$yNsa0VJP$IftjIMbVfGWz9uIFngvKu/:60x8760b6k328vc3v24kw8y1
$1$m7j/0t7K$cxWkLa48wI2LNhqRwA45A/:8ajdegejjep10umIg30purIt
$1$hp7CVOt/$ZpKbXzOnSZezpJGgBNcie/:szyzgy1w1d1w1vfescgrdv
$1$UsVn0FLE$QnEkv9NOZnFTjUsZ.RC1B/:31knuj_m43rdbr41nd34th
$1$nUFHEtPC$q/9Vpxg7gP/I161NPW6Xq0:saab9000aeroskodafabiavrs

The first 3 passwords are concatenations of simple words with simple mangling rules (digits/symbols appended, and a capitalization) which could have been bruteforced somewhat easily. If your password was similar, then it was weak.

However, if your password was similar to the other, more complex ones, then one of these 3 possible explanations is true: http://forum.bitcoin.org/index.php?topic=24727.msg317542#msg317542
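A defender-side illustration of the point made in post #41, that a long password built from dictionary words plus simple mangling has far less strength than its length suggests. This is an added example, not part of the original thread; the mini word list, the 100,000-entry dictionary size and the 60-bit threshold are assumptions.

```python
import math
import re

# Constructed mini word list (assumption); a real policy check would load a
# full dictionary of roughly ASSUMED_DICT_SIZE entries.
WORDS = {"digital", "currency", "password", "bitcoin", "wallet"}
ASSUMED_DICT_SIZE = 100_000  # assumption, used only for the estimate
PRINTABLE = 95               # printable ASCII characters
SYMBOLS = 33                 # printable ASCII that is neither letter nor digit


def split_words(text, words=WORDS):
    """Split text into the fewest dictionary words, or return None."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                cand = best[start] + [text[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(text)]


def analyse(password):
    """Return blind brute-force bits and, if the pattern fits, pattern bits."""
    stem = re.sub(r"[^A-Za-z]+$", "", password)  # drop appended digits/symbols
    suffix = password[len(stem):]
    core = stem[:1].lower() + stem[1:]           # undo a leading capital
    words = split_words(core) if core else None
    result = {"brute_bits": len(password) * math.log2(PRINTABLE),
              "words": words, "pattern_bits": None}
    if words:
        guesses = ASSUMED_DICT_SIZE ** len(words) * 2  # x2: capitalised or not
        for ch in suffix:
            guesses *= 10 if ch.isdigit() else SYMBOLS
        result["pattern_bits"] = math.log2(guesses)
    return result


def is_weak(password, min_bits=60):
    """Flag passwords whose words-plus-mangling estimate is under min_bits."""
    bits = analyse(password)["pattern_bits"]
    return bits is not None and bits < min_bits


if __name__ == "__main__":
    # First and last samples are quoted in the post; the middle one is constructed.
    for pw in ("digitalcurrencypassword", "Bitcoinwallet2011!",
               "60x8760b6k328vc3v24kw8y1"):
        print(pw, analyse(pw), is_weak(pw))
```

A `None` pattern estimate only means this one pattern did not fit, not that the password is strong.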
mewantsbitcoins
July 03, 2011, 06:00:37 PM
 #42

I can tell this:
Dictionary attack would have been useless against my hash and attackers would not have had enough time for pure brute force attack even if they obtained unsalted md5. This leads me to think that this db dump is just a tip of the iceberg and that "clarification" is full of shit
cypherdoc
July 03, 2011, 06:27:07 PM
 #43

someone elsewhere said that if they got into mtgox system and already had everyone's hashed passwords they wouldn't need the exact password b/c the system just looks to match the hashes.  is this correct?
mrb
July 03, 2011, 07:31:04 PM
 #44

cypherdoc: Correct. But cracking the hashes is still valuable due to their re-use on other sites (Paypal, MyBitcoin, etc).
SpaceLord
July 03, 2011, 07:38:22 PM
 #45

Now how about fixing my account?
Gandlaf
July 03, 2011, 09:34:16 PM
Last edit: July 03, 2011, 09:53:10 PM by Gandlaf
 #46

https://mtgox.com/press_release_20110630.html

Quote
CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF

Dear members of the press and Bitcoin community,


I. Background

March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

...

Mark Karpeles - CEO
Tibanne Co. Ltd.

https://mtgox.com/press_release_20110630.html

...
I'm sure Mark is very busy with mtgox so has been neglecting Kalyhost.

Mistakes were obviously made but I don't think Mark is being greedy or incompetent here. He needs to hire more people and he knows this. But which if you have ever tried to do you know takes time which he doesn't have much of these days.

Jed,
obviously mistakes were made but given that these haven't exactly been the first ones in MtGox's history, it would be very interesting to know what percentage of commission you are taking and for what period of time, furthermore what your additional (financial) interests in MtGox still are. Your message when handing it over (paraphrasing): I'm bored and I just don't want to invest that much time ( http://forum.bitcoin.org/index.php?topic=4187.0 ), was less than honest, especially given the fact that you were facing legal action in connection with prior inconsistencies ( http://forum.bitcoin.org/index.php?topic=3712.0 ).

Are you willing to verifiably disclose what your current interests in MtGox still are(does Mark actually have the funds to compensate for losses?; are you skimming off all the profits?) or are you going to keep this cloud of uncertainty hanging over MtGox customers and therefore the wider Bitcoin community?
vectorvictor
July 03, 2011, 11:29:36 PM
 #47


Also you would not be the first one to think your password was relatively secure when in fact it turned out to be complete crap (this guy claimed his password was secure, and even lied about its length, when it was in fact "rascal101").

To be fair, the account I pointed out was "XPiRX0".  He might have used that as a second account for small trades, and had a main account "XPiRX" that was never cracked.

There's no grounds for calling him a liar.
jed
Jed McCaleb
July 04, 2011, 12:02:19 AM
 #48

Gandlaf: I didn't say I was bored with mtgox. I said I didn't have enough time to do it correctly. Kind of the opposite of bored.
I've never faced legal action because of anything having to do with mtgox. Baron was clearly lying since we have never heard from his lawyers.
I haven't gotten any money from mtgox since the sale so there is no danger of not being able to cover this loss.


stellar.org   |    twitter
cypherdoc
July 04, 2011, 12:13:57 AM
 #49

Gandlaf: I didn't say I was bored with mtgox. I said I didn't have enough time to do it correctly.

this is consistent with what Jed has told me in the past.

Kind of the opposite of bored.
I've never faced legal action because of anything having to do with mtgox. Baron was clearly lying since we have never heard from his lawyers.

well, i guess that puts that one to rest.
Gandlaf
July 04, 2011, 12:28:09 AM
 #50

Gandlaf: I didn't say I was bored with mtgox. I said I didn't have enough time to do it correctly. Kind of the opposite of bored.
I've never faced legal action because of anything having to do with mtgox. Baron was clearly lying since we have never heard from his lawyers.
I haven't gotten any money from mtgox since the sale so there is no danger of not being able to cover this loss.


So which part exactly did I get wrong? Because Mark seems to state quite clearly, that you a) were the auditor in question(with admin powers) and b) actually did receive money ? Is Mark (MagicalTux) lying in his statement?



https://mtgox.com/press_release_20110630.html
Quote
CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF
Dear members of the press and Bitcoin community,

I. Background

March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

...

Mark Karpeles - CEO
Tibanne Co. Ltd.

https://mtgox.com/press_release_20110630.html
jed
Jed McCaleb
July 04, 2011, 01:06:05 AM
 #51

Gandlaf: yes required to pay but not yet paid.

stellar.org   |    twitter
Gandlaf
July 04, 2011, 01:35:27 AM
Last edit: July 04, 2011, 01:52:49 AM by Gandlaf
 #52

Gandlaf: yes required to pay but not yet paid.

So your statement is, that MtGox currently does not even have the spare cash to pay the price/license fee currently, which you asked for as a fair price (when handing over MtGox) at a time when commissions were running a lot lower compared to today's rates and volumes?

Essentially what you are saying is that MtGox's current liquidity is (not) in question, but that MtGox is in debt to you, its original founder.
If I get you right, Mark does not even have the cash to pay you for selling him the idea and the original platform?
Apparently cash is so tight, that you have not received any money to date?

Gandlaf: [...]
I haven't gotten any money from mtgox since the sale so there is no danger of not being able to cover this loss.


Can you conceive of any reason why customers of MtGox might find this slightly worrying?
jed
Jed McCaleb
July 04, 2011, 02:05:38 AM
 #53

Gandlaf: No that isn't my statement. You seem to really want to misconstrue what you read. My statement is this:
MtGox has enough funds to cover any losses from the recently stolen coins and has enough to cover what it owes me to date.
MtGox will cover any debt to its customers before it pays me.
The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment.

stellar.org   |    twitter
Gandlaf
July 04, 2011, 02:35:17 AM
Last edit: July 04, 2011, 02:48:29 AM by Gandlaf
 #54

Gandlaf: No that isn't my statement. You seem to really want to add to what you read. My statement is this:
MtGox has enough funds to cover any losses from the recently stolen coins and has enough to cover what it owes me to date.
MtGox will cover any debt to its customers before it pays me.
The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment.



In that case, I do want to apologize for ever having even harboured the slightest doubts! You Jed, are quite obviously a saint (or as close as one gets nowadays without divine intervention). Giving up a multimillion dollar business, signing a contract, not insisting on payment, it sounds like a fairytale. You must be a truly wonderful and completely selfless individual to just wait for payment for your idea if/when it comes.

The only question for me would be the following: Why keep an admin account to audit payments, if everything is dandy, if your first concern is the bitcoin community and you really don't want to see a penny before everyone has been paid?

Furthermore, I don't really get your final point:
"The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment."

A BTC transfer should be fairly easy (if you don't know how to do it just ask in the forum), or is it that you aren't really willing to invest in BTC? In that case I do get it, the MtGox $1000 limit can be a bit of a nuisance.
Apart from the technicalities, let me get this right: You did not make time for/to complete a payment with 6 or 7 figures (by early June)???

I love fairytales, but this response is BS.

You would be a truly unique individual to just let a multimillion $ business go.

So why not cut the crap and just disclose in how far you are still involved with MtGox?
cypherdoc
July 04, 2011, 05:51:15 AM
 #55

Gandlaf: No that isn't my statement. You seem to really want to add to what you read. My statement is this:
MtGox has enough funds to cover any losses from the recently stolen coins and has enough to cover what it owes me to date.
MtGox will cover any debt to its customers before it pays me.
The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment.



In that case, I do want to apologize for ever having even harboured the slightest doubts! You Jed, are quite obviously a saint (or as close as one gets nowadays without divine intervention). Giving up a multimillion dollar business, signing a contract, not insisting on payment, it sounds like a fairytale. You must be a truly wonderful and completely selfless individual to just wait for payment for your idea if/when it comes.

The only question for me would be the following: Why keep an admin account to audit payments, if everything is dandy, if your first concern is the bitcoin community and you really don't want to see a penny before everyone has been paid?

Furthermore, I don't really get your final point:
"The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment."

A BTC transfer should be fairly easy (if you don't know how to do it just ask in the forum), or is it that you aren't really willing to invest in BTC? In that case I do get it, the MtGox $1000 limit can be a bit of a nuisance.
Apart from the technicalities, let me get this right: You did not make time for/to complete a payment with 6 or 7 figures (by early June)???

I love fairytales, but this response is BS.

You would be a truly unique individual to just let a multimillion $ business go.

So why not cut the crap and just disclose in how far you are still involved with MtGox?

look, Jed told me many months ago when i asked him why he sold mtgox that he was afraid of the legal ramifications of running an exchange.  this is understandable for a US citizen given what the US gov't does to people who go against it.  he also told me he was afraid of the technical challenges confronting an exchange and that Mark would be more suited to dealing with security issues.  time has proven Jed correct insofar as his fears went.  too bad for us that Mark wasn't as good as Jed had hoped but that certainly isn't his fault.

Jed also doesn't stand to make a multimillion profit on his sale i'm willing to bet.  so he really is just doing us all a favor by not collecting right now.
csshih
July 04, 2011, 09:17:08 AM
 #56

So why not cut the crap and just disclose in how far you are still involved with MtGox?

maybe... he's not? yeesh....
hashman
July 05, 2011, 12:20:27 PM
 #57


if i have to explain why a financial inst or gov't would want to drive down the price of btc to you heaven help you.  



Well, heaven help me then.  Perhaps you could be my angel and tell me what you mean.  Do these individuals have a target price in mind?  Or do you mean they just want to break it?  Breaking the network is not the same as driving the price down.  Some of the institutions you mention want to drive the value of the dollar down.  Is that for the same reason?  Would a lower rate of USD per BTC make it easier for the number of real BTC transactions to grow?  Somehow I feel (guessing) you are referring to currency monopolists who don't want to see any competition, but a lower price per BTC probably wouldn't make much difference to them.  Anyway, I don't think that's what happened to MtGox in this instance.       
cypherdoc
July 05, 2011, 01:26:55 PM
 #58


if i have to explain why a financial inst or gov't would want to drive down the price of btc to you heaven help you.  



Well, heaven help me then.  Perhaps you could be my angel and tell me what you mean.  Do these individuals have a target price in mind?  Or do you mean they just want to break it?  Breaking the network is not the same as driving the price down.  Some of the institutions you mention want to drive the value of the dollar down.  Is that for the same reason?  Would a lower rate of USD per BTC make it easier for the number of real BTC transactions to grow?  Somehow I feel (guessing) you are referring to currency monopolists who don't want to see any competition, but a lower price per BTC probably wouldn't make much difference to them.  Anyway, I don't think that's what happened to MtGox in this instance.       

i apologize for being so dramatic.

i am referring to fiat currency monopolists whose franchise would be threatened if not taken down by btc.  i think they understand that a continually rising price of btc would attract significant attention (as it did on the way to 30) and encourages more bullish behavior and growth of a btc economy.

yes it's a conspiratorial theory but many ppl here on this forum can easily relate.

again, i ask the same question, why wouldn't the hacker just have changed the withdrawal limit to unlimited and just stolen all the wallet keys asap?  he instead ignored the wallet, and manipulated the DB to sell the price down to 0 over a 30 min time period risking potential intervention by Mark.  i think Kevin Day and others who were able to take money out are just red herrings.
makomk
July 05, 2011, 10:15:45 PM
 #59

again, i ask the same question, why wouldn't the hacker just have changed the withdrawal limit to unlimited and just stolen all the wallet keys asap?  he instead ignored the wallet, and manipulated the DB to sell the price down to 0 over a 30 min time period risking potential intervention by Mark.  i think Kevin Day and others who were able to take money out are just red herrings.
Why wouldn't a government or financial industry attacker have changed the withdrawal limit to unlimited and stolen all available bitcoins ASAP? Crashing the price to zero was spectacular, but in the longer term leaving Mt Gox without enough bitcoins to back its liabilities would be much more damaging...

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
cypherdoc
July 05, 2011, 10:21:05 PM
 #60

again, i ask the same question, why wouldn't the hacker just have changed the withdrawal limit to unlimited and just stolen all the wallet keys asap?  he instead ignored the wallet, and manipulated the DB to sell the price down to 0 over a 30 min time period risking potential intervention by Mark.  i think Kevin Day and others who were able to take money out are just red herrings.
Why wouldn't a government or financial industry attacker have changed the withdrawal limit to unlimited and stolen all available bitcoins ASAP? Crashing the price to zero was spectacular, but in the longer term leaving Mt Gox without enough bitcoins to back its liabilities would be much more damaging...

b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught  stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".