Topic: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off
makomk
July 05, 2011, 10:47:18 PM
 #61

> b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".

Except whoever did this did steal enough money to get themselves in serious legal hot water already... not to mention all the money they attempted to steal and give away at knock-down prices.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
"If you don't want people to know you're a scumbag then don't be a scumbag." -- margaritahuyan
cypherdoc
July 05, 2011, 10:53:18 PM
 #62

> > b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".
> Except whoever did this did steal enough money to get themselves in serious legal hot water already... not to mention all the money they attempted to steal and give away at knock-down prices.

or the 2000 btc could be a concession to Kevin Day?
phillipsjk
July 08, 2011, 03:06:32 AM
 #63

> Even Snort + fw + browsing in a VM would not have protected you against, say, a tabnabbing phishing attempt. (I mention this example again because of how deceptively efficient it is...)

Just when I start to think I am being too paranoid leaving JavaScript disabled, I read this.

I temporarily enabled JavaScript for complaining about that bitcoin trademark :/

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
DATA COMMANDER
July 08, 2011, 11:56:11 PM
 #64

FWIW, MtGox claims that I never completed registration at their site, even though I not only completed registration but also bought 6 BTC under the handle datacommander.

Tips are appreciated (very tiny tips are perfectly okay!) 13gDRynPfLH3NNAz3nVyU3k3mYVcfeiQuF
mewantsbitcoins
July 09, 2011, 05:05:48 PM
 #65

For fuck's sake - it's been more than three weeks and the server is still down. That's what I get for supporting someone in bitcoin business.
Stay away from Mt.gox and Kalyhost. They are scammers and incompetent beyond belief!
cypherdoc
July 09, 2011, 05:50:53 PM
 #66

> For fuck's sake - it's been more than three weeks and the server is still down. That's what I get for supporting someone in bitcoin business.
> Stay away from Mt.gox and Kalyhost. They are scammers and incompetent beyond belief!

i don't get it.  i moved USD into mtgox on 7/1 and did a bunch of successful trades thru to 7/4.  what's wrong with the server?
bytemaster
July 11, 2011, 01:48:45 AM
 #67

I have not been given access to my account and get no response from Mt. Gox. 

Please, I encourage everyone to boycott MtGox who has effectively stolen thousands of dollars from many of their customers.

https://fractally.com - the next generation of decentralized autonomous organizations (DAOs).
jed
Jed McCaleb
July 12, 2011, 12:14:45 PM
 #68

bytemaster: go to freenode on irc #mtgox and ask for MagicalTux. He is there right now and will fix your problem.

stellar.org   |    twitter
bytemaster
July 14, 2011, 11:41:57 PM
 #69

I have gotten access back, withdrew my money. 
pointbiz
July 17, 2011, 06:53:07 PM
 #70

A consistent message from Mark about this whole event was that it was Jed's fault.

Further clarification:
Compromised Admin Level User Account = Jed's user account to access Mt.Gox public website as a trader. UserID of 1 from the leaked table of users.

Point to consider: There were at least two admin level user accounts in the leaked table of users:
UserID 1, Username: jed
UserID 634, Username: MagicalTux

My assumptions from mtgox's clarification:
1) There were administrative web pages as part of Mt gox's front-end PHP website code.
2) To access these administrative web pages Mark/Jed use the same user/password as their trader account and login from the public login form.
3) BTC balances in the mtgox system are not tied to balances of public keys in the block chain (therefore unbacked by BTC which leads to the temptation of a fractional reserve exchange).
4) These administrative pages allowed unlimited deposits of BTC to an admin's trader account.
5) These administrative pages did NOT allow the configuration of withdrawal limits.
6) The withdrawal limits for the system were hard coded in the PHP withdrawal pages. $1000 per withdrawal (not per 24 hours) as the infamous Kevin has informed us. Therefore, SQL injection in combination with an admin trader account would not allow access to modify PHP files.
7) The attacker did not have access to modify PHP files.
8) SQL injection attack occurred on the Login page because no other tables from the database were leaked. The login form would be reading from the users table.



Why Jed is not at fault and Mark is 100% at fault:
1) Upon taking ownership of mtgox Mark recognized the database table with user and admin accounts had UNsalted MD5 passwords (read plaintext under 12 characters).
2) Mark should have removed admin accounts from the user table and created a separate table with admin level accounts. He should have created a separate login area for admin users. When a SQL injection attack is occurring the attacker is poking in the dark and is getting information little by little. Since only 1 table was leaked to the public, we can assume the attacker only knew about the users table. If admin accounts were stored in a different table their password hashes would not have been leaked.
3) Mark should have moved the administrative web pages to a separate server, the more isolation the better. He should not allow admins to login through the regular user login form.
4) Mark added user specific salts but did not add a secondary global salt that was hard coded in the PHP. If this salt existed the leaked users table would be useless!!
5) Mark did not audit the code for SQL injection vulnerabilities. Which were probably obvious from the use of embedded SQL and non-parameterized queries (red flags that you have a SQL injection door).
6) Mark did not close these vulnerabilities, probably less than 1 week's work if not 2 days. If the attack occurred in April I'd have sympathy for Mark.
7) It's possible an earlier version of the leaked users table exists (unpublished) with the UNsalted MD5 passwords (before Mark took ownership, since we presume the same SQL injection door was open). However, Mark did not prompt users to CHANGE their passwords. Salting of already compromised passwords is pointless.
8) Mark did nothing to protect us from Jed (I'm not making any accusation of Jed here)
9) Upon taking ownership, Mark did not ask for a site wide password change with minimum password strength.
10) Mark could have implemented the salted SHA-512 (with user salt and global hard coded salt) then instructed Jed to change his password.


Mark has been very deceptive and this clarification is somewhat different than the story Mark presented to Bruce Wagner in their interview. Mark is trying to let our imaginations run wild by saying he questions the motives of the hacker. And that the hacker could have stolen more. The reason the hacker couldn't withdraw more money was the same reason the infamous Kevin could not withdraw more. There were active normal traders on the site who saw the price at 0.01 USD and were willing to pay 0.50 USD per BTC. The window to withdraw was very limited.

Finally, with no evidence from Mark, why should we assume it was Jed's account that was compromised and not Mark's?

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
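
Two of the measures named in post #70, parameterized queries and a per-user salt combined with a global secret kept in application code rather than the database, shown as an added Python/sqlite3 example (not code from the thread or from Mt. Gox). The table layout, sample users, `PEPPER` value and function names are constructed for illustration, and PBKDF2-HMAC-SHA512 stands in for the single salted SHA-512 pass the post mentions.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: a secret held in application config/code, never written to the DB.
PEPPER = b"constructed-demo-pepper"

def hash_password(password, salt, pepper=PEPPER):
    # Key the password with the pepper, then stretch it with the per-user salt.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha512).digest()
    return hashlib.pbkdf2_hmac("sha512", keyed, salt, 100_000).hex()

def make_db():
    # Constructed sample table; names and passwords are made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT UNIQUE, salt BLOB, pw TEXT)")
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, salt, hash_password(pw, salt)))
    return db

def lookup_concat(db, name):
    # "Before" form: input spliced into the SQL text, so a quote in `name`
    # changes the structure of the query.
    sql = "SELECT name, salt, pw FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Hardened form: the driver binds `name` as data only.
    return db.execute("SELECT name, salt, pw FROM users WHERE name = ?",
                      (name,)).fetchall()

def login(db, name, password):
    rows = lookup_param(db, name)
    if len(rows) != 1:
        return False
    _, salt, stored = rows[0]
    return hmac.compare_digest(stored, hash_password(password, salt))

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed quote-bearing input
    print("concatenated:", len(lookup_concat(db, probe)), "rows")
    print("parameterized:", len(lookup_param(db, probe)), "rows")
    print("login ok:", login(db, "bob", "hunter2"))
```

A leaked row yields the salt and the hash, but a correct password guess still fails to match without the pepper; that holds only while the pepper itself stays out of the attacker's hands.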
cypherdoc
July 17, 2011, 07:22:29 PM
 #71

because Jed has told me it was his acct that got hacked after the SQL injection.

still doesn't absolve Mark.
John (John K.)
July 31, 2011, 02:21:16 PM
 #72

Here we go again..
Aquent
April 30, 2014, 03:27:52 PM
 #73

Interesting all this lack of information from both Jed and Mark all the way back.

Did Jed ever get paid? If so how much? How much was mtgox sold for exactly?

Was the blockchain address of this account which withdrew 2k ever published?
Bitcoinpro
April 30, 2014, 03:46:17 PM
 #74

He is going to be known as the dude that was trying to play a game of Pacman with a disgruntled customer as he was trying to enter his office building,

the pacman pellets were the bitcoins, he had them firmly stashed in usb sticks contained in that black case he was carrying on his shoulder.

The disgruntled customer should have grabbed that case off his shoulder for sure !!!

WWW.FACEBOOK.COM

CRYPTOCURRENCY CENTRAL BANK

LTC: LP7bcFENVL9vdmUVea1M6FMyjSmUfsMVYf