Bitcoin Forum
Author Topic: MtGox account compromised  (Read 108216 times)
bitdragon
February 02, 2011, 01:29:39 AM
 #101

It's a cost for the group as a whole and this time you took the hit;
so thank you and I'll happily share some of the cost and donate a few coins to the amount of 55BTC

Not much but I don't have that many yet- but I made a copy of my wallet Wink

mtgox
February 02, 2011, 01:53:16 AM
 #102

People keep asking me so...

The only accounts that were compromised were cryptofo and one other who I emailed. No other accounts were compromised. If you are still worried about it simply change your password.

I've paid out a lot to fraudsters since I started mtgox. But I admit I should have had something in place to prevent successive login attempts. But also a password such as abcd1234 is 4 letters and 4 numbers but would be found very quickly by any attack like this. 
Anyway it seems fair to restore half your coins.




cryptofo
February 02, 2011, 01:56:46 AM
 #103

Wow, bitdragon that really warms my heart.  I would really appreciate that.  I think this might be a good time to share a little more about myself and the project I have been working on and what led me to bitcoin in the first place.  It's a bit off topic and something I wasn't planning to share for a while as the project has been on the backburner while I've been busy with another project, but here goes.

I believe that what draws most of us to Bitcoin is an inherent desire for freedom and independence.  It is this same desire that drove me to invest many many hours and months into another project.  To some it may seem unrelated, but I have ideas and plans that could benefit both bitcoin as well my project.  At first there may seem to be no correlation, but as we dig deeper you will discover some very exciting possibilities.  They are lofty ambitions, but I'm building a framework for the future.  It's in its infancy, but there is some core information on a video on my page openalcohol.org.

To anyone who may want to donate some bitcoins to the project and/or to myself as I have just been robbed of 900+ there is a link to donate some bitcoins on this page.  http://openalcohol.org/node/25

At this point I won't dedicate too much to it here as this is a bitcoin forum, but if people are interested contact me at info@openalcohol.com and I will start doing my best to build up the site.

Thank you for your time and support
-Cryptofo
cryptofo
February 02, 2011, 02:00:04 AM
 #104

I think that would be incredibly fair also.  Thank you mtgox.
kiba
February 02, 2011, 02:04:09 AM
 #105

Quote from: cryptofo
To anyone who may want to donate some bitcoins to the project and/or to myself as I have just been robbed of 900+ there is a link to donate some bitcoins on this page.  http://openalcohol.org/node/25

-Cryptofo

What is openalcohol?

Nefario
February 02, 2011, 02:09:19 AM
 #106

mtgox, how much have fraudsters cost you so far? And are you still making profit?

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
cryptofo
February 02, 2011, 02:09:48 AM
 #107

Openalcohol.org is to be the homepage for a project I am starting.  There is a video on it that I think you will find very interesting and the basis for my project.
kiba
February 02, 2011, 02:23:59 AM
 #108

come on guys, let's finish with this topic and let it fall into the annals of history and off the front page.

Falling off? I am waiting for MtGox to implement several major security reforms or something like that.

Anonymous
February 02, 2011, 02:44:32 AM
 #109

20btc sent. It looks like an interesting project.



bitcoinex
February 02, 2011, 02:58:23 AM
 #110

come on guys, let's finish with this topic and let it fall into the annals of history and off the front page.

We can change annoying topic

DELTA9
February 02, 2011, 04:48:33 AM
 #111

I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.
QFT.

I do not understand why anyone would keep their bitcoins w/ mtgox. An encrypted wallet.dat is the only way I will ever store mine.
Nefario
February 02, 2011, 06:43:31 AM
 #112

I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.
QFT.

I do not understand why anyone would keep their bitcoins w/ mtgox. An encrypted wallet.dat is the only way I will ever store mine.

That means you will never be able to use any services that anyone provides.

Keefe
February 02, 2011, 07:58:57 AM
 #113

cryptofo:
Would you be willing to tell us the password you used, that the thief managed to guess? I assume you no longer use it anywhere. :-)

mtgox:
Could you tell us approximately how many login attempts were made by the thief before successfully guessing cryptofo's password? If it was less than say 10000, then we'd know it was just a really weak/guessable password.

I notice that there's now a delay when logging into mtgox.com, which I think is a great way to prevent major brute-force/dictionary attacks. But I'm wondering if you've implemented any additional login protections, such as longer delays after a certain number of failed attempts from a single IP?

Keefe
February 02, 2011, 08:05:11 AM
 #114

I ask because although "8 characters, numbers and letters" isn't very strong, it would take a huge number of attempts to purely brute-force if it were random. Or is the point here that it was a single word and a couple digits, easily broken by a dictionary attack? How weak was it really?

I use unique random 16-character passwords (upper, lower, and digits) most places. I assume I'm totally safe from the kind of attack that compromised cryptofo's account.

caveden
February 02, 2011, 08:30:34 AM
 #115

It is still the site owner's responsibility. I'm not saying there's an obligation of refunding any losses, that's where the contracts, insurances and premiums come in, but rather that only the site owner could have prevented this, and I'm sure in this case Jed has already closed this particular hole.

Ok, it's just a semantics misunderstanding then... I find the word "responsibility" a strong one. If you say somebody was responsible for a criminal act like this one, I understand that s/he is guilty of it. And if you're guilty of a crime, you must pay for it.
MtGox is obviously not guilty of what happened, that's why I say they have no responsibility.

I would go so far as to say Jed should have an opt-in system that would raise the fee per transaction for those who chose to allow it, and the extra fees would go to a fund to cover just these situations, but then it would become very hard to separate real cases from scams, and I don't think Jed wants to become a lawyer (assuming  he's not one already) Smiley

This would be cool, but as you noticed, it's quite difficult... they would need to contract an external service probably, and I don't think there's enough volume for that.

davout
February 02, 2011, 08:38:55 AM
 #116

Falling off? I am waiting for MtGox to implement several major security reform or something like that.

Better, tell him to switch to an open source backend, so everyone will be able to inspect his source Smiley

mrb
February 02, 2011, 09:50:32 AM
 #117

Better, tell him to switch to an open source backend, so everyone will be able to inspect his source Smiley

Speaking of inspecting source, I inspected yours and am still waiting for you to use a safer password hashing function :-)

(For those not in the know: davout's Bitcoin Central platform hashes passwords with SHA256($pass.$salt). Although safer than the way most people hash passwords, this method is not safe enough because it does not implement iterated hashing to slow down bruteforce attacks. In a scenario where an attacker gains access to BC's hashes via SQL injection for example, the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)
mrb
Legendary
*
Offline Offline

Activity: 1106


View Profile WWW
February 02, 2011, 09:56:09 AM
 #118

My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

Cool. What bank does this? If you don't mind sharing...
davout
February 02, 2011, 10:02:41 AM
 #119

Speaking of inspecting source, I inspected yours and am still waiting for you to use a safer password hashing function :-)
You can submit a patch if you'd like Smiley

(For those not in the know: davout's Bitcoin Central platform hashes passwords with SHA256($pass.$salt). Although safer than the way most people hash passwords, this method is not safe enough because it does not implement iterated hashing to slow down bruteforce attacks. In a scenario where an attacker gains access to BC's hashes via SQL injection for example, the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)
If it was as simple as that I would've done it already, the hard part is not to replace the hash function, the hard part is updating the passwords that are recorded in the database if you see what I mean Smiley

mrb
February 02, 2011, 10:14:38 AM
 #120

(For those not in the know: davout's Bitcoin Central platform hashes passwords with SHA256($pass.$salt). Although safer than the way most people hash passwords, this method is not safe enough because it does not implement iterated hashing to slow down bruteforce attacks. In a scenario where an attacker gains access to BC's hashes via SQL injection for example, the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)
If it was as simple as that I would've done it already, the hard part is not to replace the hash function, the hard part is updating the passwords that are recorded in the database if you see what I mean Smiley

The traditional way to handle a change of hashing algo is to have a transitional phase where 2 algos are supported in parallel in the DB. Whenever a user logs in and you detect an old hash format in the DB, just update it (you can because you have the pass during authentication). I would be glad to submit a patch but I am unlikely to find the time to do it.
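The transitional scheme mrb describes (two hash formats live side by side, and a legacy record is rewritten on the next successful login while the cleartext password is in hand), as an added example that is not code from Bitcoin Central or from any poster. The record format, the `sha256$`/`pbkdf2$` prefixes, the iteration count and the in-memory `db` dict are constructed for this illustration; the legacy format is the single SHA256(pass.salt) the thread discusses, and the replacement is PBKDF2-HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import os

# Constructed work factor for the example; tune it to the server's budget.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: bytes) -> str:
    """Legacy scheme from the thread: one unsalted-iteration SHA256(pass.salt)."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def legacy_record(password: str, salt: bytes) -> str:
    """Record as an old row would look: 'sha256$<salt hex>$<digest hex>'."""
    return "sha256$" + salt.hex() + "$" + legacy_hash(password, salt)


def pbkdf2_record(password: str, salt: bytes = b"") -> str:
    """New record: iterated hashing so each offline guess costs many hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify(record: str, password: str) -> bool:
    """Check a password against either record format (constant-time compare)."""
    scheme, *fields = record.split("$")
    if scheme == "sha256":
        salt, expected = fields
        got = legacy_hash(password, bytes.fromhex(salt))
    elif scheme == "pbkdf2":
        iters, salt, expected = fields
        got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt), int(iters)).hex()
    else:
        return False
    return hmac.compare_digest(got, expected)


def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy record with a PBKDF2 one."""
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if record.startswith("sha256$"):
        db[user] = pbkdf2_record(password)  # cleartext is available only now
    return True
```

Once every user has logged in once (or stale accounts have been forced through a reset), the `sha256` branch of `verify` can be deleted.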