Bitcoin Forum
Pages: « 1 2 3 4 [5] 6 7 »  All
Author Topic: MyBitcoin Back Up! (with a press release)  (Read 12350 times)
BusmasterDMA
Member (Activity: 118, Merit: 10)
August 05, 2011, 01:17:07 PM
Last edit: August 05, 2011, 01:28:18 PM by BusmasterDMA
 #81

This could be a (poor) attempt to quell market anxieties, bolstering the price, so that the thief could then more profitably unload coins onto the market.

Bears.  Beets.  Battlestar Galactica.  Bitcoin.
AtlasONo
Hero Member (Activity: 551, Merit: 500)
August 05, 2011, 01:21:49 PM
 #82

rabble rabble rabble rabble!
semyazza
Sr. Member (Activity: 339, Merit: 250)
August 05, 2011, 01:43:48 PM
 #83

Here's a Google-cached version of an earlier posting on the site, "From the desk of Tom Williams", including the PGP sig:

http://webcache.googleusercontent.com/search?q=cache:EN0mtcwBftAJ:https://www.mybitcoin.com/downloads/incident-report-2011-06-22.txt+From+the+desk+of+Tom+Williams,+operator+of+MyBitcoin.com&cd=1&hl=en&ct=clnk&gl=de&source=www.google.de

You really have to wonder why the current info is not signed...

I somehow doubt it's Tom Williams talking to us...

EDIT: decided to post the text here, in case google cache forgets:

Quote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            From the desk of Tom Williams, operator of MyBitcoin.com

                          For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin
forum and other places about the recent Mtgox password leak, and theft
from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best
as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was
leaked. As soon as we heard about the leak we were closely monitoring
the system for abnormal activity, and we didn't see any.

At first glance, we didn't see any hard evidence that a password leak
had even occurred. There was just a lot of speculation to an SQL
injection vulnerability in Mtgox's site. A few clients of ours had
informed us of the forum threads, and we watched them carefully.

The following morning a client of ours sent us the download link to the
leaked Mtgox password file. We prompty downloaded the file, put up a
warning on the main page, and disabled the login.

We attempted to line up usernames from the leak, and we found a lot of
matching ones. We started locking down all of those accounts using a
script that we had to have written at a moment's notice. It was during
this time that we noticed a flurry of spends happening. Yes, even with
the site disabled.

The attacker had active sessions open to the site. We quickly flushed
them and the spends stopped abruptly. We disabled the SCI, all payment
forwarding, and all receipt URL traffic on all of the usernames in the
Mtgox leak.

We proceeded to change the password on every account where the username
matched our system's database. PGP-signed emails went out to all of the
accounts that we changed the password on. If an account didn't have an
email address or had already been compromised we put up a bulletin.
(Email addresses were mandatory when we opened our service initially,
but people complained that it wasn't truly anonymous so we made them
optional. Unfortunately this makes contacting a security-compromised
customer impossible.)

An investigation was conducted at that time, and we determined that the
attacker had opened up a session to each active user/password pair ahead
of time, solved the captcha, and used some sort of bot to maintain a
connection so our system wouldn't timeout on the session. It was likely
his intent to gain access to more accounts than he did, but as soon as
he noticed that we had changed the main page of the site he sprung into
action by sending a flurry of spends.

(Before you ask: no, we don't limit logins per IP address. We can't. We
have a lot of users that come in from Tor and I2P that all appear to
share the same source IP address.)

We've concluded that around 1% of the users on the leaked Mtgox password
file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a
horrible experience for the Bitcoin community in general.

The IP address that the attacker used was a Tor exit node and the spends
were to an address that is outside of our system.

Now to address the rumors:

No, our database wasn't compromised. We had a 3rd party company audit
our site for SQL injection attacks and we passed. (We did, however, have
one XSS hole in the address book page last month that would allow an
attacker to insert fake entries into a customer's address book. It was
promptly fixed and offending address book entries were purged. Not a
single customer had spent to the fake address book entries.) Every line
of code was audited last month. Literally line by line audited by
professionals, and it was deemed safe.

No, this site isn't being ran by some amateur that just learned how to
program computers. It was created by seasoned programmers that
understand security.

Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

We also use whole-disk level encryption on every single one of our
servers. When you fail a disk in a NOC and a level 1 technician replaces
it does he wipe the disk before the RMA/tossing it in the garbage? Not
usually! We know these mistakes happen, so we take precautions. Any and
all servers with an IP KVM on them are ran in secure console mode. The
root passwords are required even for single user mode. All disk keys are
held off-site and were never generated anywhere near the internet. All
server passwords are unique per server and per user, of course. Only two
technicians have access to the secure servers. This access is over a VPN
and we only use secured workstations running Linux and BSD to access
them.

We use BSD servers with MAC, immutable flags, jails, PAX, SSP,
randomized mmap, secure level, a WAF, a DDoS mitigation and alert system
- -- the works. Like I said earlier. We are not amateurs. In fact,
combined we have over 30 years of experience in the payment
processing (credit card arena) industry.

A large amount of the Bitcoin holding is in cold (offline) storage. We
only have a percentage of the holding available hot. This is done for
obvious reasons.

Going forward we are implementing a 2-factor login system,
user-configurable spend limits, better session token tumbling, and a
bunch of new SCI features.

Wishing the Bitcoin community all the best and a swift recovery, and
sincerely yours,


Tom Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

iQEcBAEBAgAGBQJOAki5AAoJEJ+5g06lAnqF3tcH/0QNKf7aBEg08vML9MCkwTjF
VCoTAPzVaVsdbZOqiRwE2/6420tcFZrsWTXYZYbjXckEiYrl7/DQ2XsLyhk4W567
T1sOCmpH99Z2/VAvTfAd5obRTEGpMQ0SLIrfznyc8MmG4C1GvtVUr4jM79asPmRY
jsIn7v53o9Ra1sN3QcvMskRUU1JmqfqU6MlJrYwXrtc/P9Tjm7D3AtsjfvJRX12Z
9g5y1N+zRGVpp7OK35VFnfmIKtOOtb3IMgG5EhiUllsoXKfz1eE08v4f4d0aQstL
+HGMi3PktL1HBpIRni2n4MAaIXq/EyzxDSzkSHp6v032H70c1kkUibL//QNxQuM=
=VaXC
-----END PGP SIGNATURE-----



Check our post about this:
https://bitcointalk.org/index.php?topic=34225.msg427889#msg427889

He lied.
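The containment steps the signed report describes (line up leaked usernames against local accounts, lock them, flush the sessions the attacker had pre-opened, cut off SCI/forwarding/receipt URLs, and fall back to a bulletin for accounts with no email) are worth seeing as a script rather than prose, because the detail that bit them is easy to miss: disabling the login page does nothing to sessions that are already open. The following is an added example, not MyBitcoin's code; the users, sessions and the username:hash layout of the leaked dump are all constructed for illustration.

```python
"""Credential-leak lockdown playbook, following the containment steps the
signed report above describes: match leaked usernames against local accounts,
lock them, revoke every live session (a disabled login page does nothing to
sessions an attacker opened beforehand), switch off payment features, and
list accounts that cannot be notified.

Added example, not MyBitcoin's code. Every dataset here is constructed; the
username:hash layout of the dump is an assumption for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a leaked password file from another site.
# Only the usernames matter for this step; the hashes are never used.
LEAKED_DUMP = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
Bob:e10adc3949ba59abbe56e057f20f883e
carol:25d55ad283aa400af464c76d713c07ad
this line is garbage and gets skipped
"""

PAYMENT_FEATURES = {"sci", "payment_forwarding", "receipt_url"}


@dataclass
class User:
    username: str
    email: Optional[str]
    locked: bool = False
    features: set = field(default_factory=lambda: set(PAYMENT_FEATURES))


@dataclass
class Session:
    token: str
    username: str
    source_ip: str
    revoked: bool = False


def parse_leak(dump: str) -> set[str]:
    """Return the usernames in a username:hash dump, lower-cased for matching."""
    names = set()
    for line in dump.splitlines():
        name, sep, _digest = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return names


def lock_down(users: list[User], sessions: list[Session], leaked: set[str]) -> dict:
    """Contain accounts that appear in the leak and return a summary.

    Accounts not in the leak are left untouched so the response stays
    proportionate; the caller decides whether to widen it.
    """
    matched = [u for u in users if u.username.lower() in leaked]
    matched_names = {u.username for u in matched}
    revoked = 0
    for s in sessions:
        # Revoke regardless of source IP: the report notes Tor/I2P users share
        # exit IPs, so per-IP limits or blocks are not a usable control here.
        if s.username in matched_names and not s.revoked:
            s.revoked = True
            revoked += 1
    uncontactable = []
    for u in matched:
        u.locked = True
        u.features.clear()          # SCI, forwarding and receipt URLs all off
        if not u.email:
            uncontactable.append(u.username)   # needs a public bulletin instead
    return {
        "matched": sorted(matched_names),
        "sessions_revoked": revoked,
        "uncontactable": sorted(uncontactable),
    }


def run_demo() -> dict:
    """Constructed users and sessions; returns the lock_down summary."""
    users = [
        User("alice", "alice@example.invalid"),
        User("bob", None),                      # anonymous account, no email
        User("dave", "dave@example.invalid"),   # not in the leak
    ]
    sessions = [
        Session("t1", "alice", "203.0.113.5"),
        Session("t2", "alice", "198.51.100.77"),  # second, pre-opened session
        Session("t3", "bob", "198.51.100.77"),
        Session("t4", "dave", "192.0.2.10"),
    ]
    summary = lock_down(users, sessions, parse_leak(LEAKED_DUMP))
    summary["dave_untouched"] = (
        not users[2].locked and users[2].features == PAYMENT_FEATURES
        and not sessions[3].revoked
    )
    return summary


if __name__ == "__main__":
    print(run_demo())
```

The order matters: sessions are revoked before anything else, since that is the step that actually stops spends in progress; locking the account and clearing features closes the doors the attacker would otherwise use to re-enter or drain via the API.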
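The report's "we use SHA-256, and will upgrade to something stronger because MD5 was broken years ago" deserves a caveat a practitioner would want: the MD5 weakness that matters for password storage is not collisions but speed, and unsalted SHA-256 is just as fast, so a leaked table of it falls to the same dictionary lookup that cracked the other site's file. The following added example (not MyBitcoin's code; users, passwords and the wordlist are constructed) shows the lookup against an unsalted table beside a salted, iterated replacement using PBKDF2 from the standard library.

```python
"""Why "we use SHA-256 instead of MD5" is not the upgrade the report implies.
The weakness of MD5 that matters for password storage is speed, and SHA-256
is just as fast; without a per-user salt and a work factor, a leaked table
of unsalted SHA-256 digests falls to a dictionary lookup as readily as an
MD5 one. Added example, not MyBitcoin's code; users, passwords and the
wordlist are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist; a real attacker uses millions of entries.
WORDLIST = ["password", "123456", "letmein", "bitcoin", "qwerty"]
ITERATIONS = 100_000   # PBKDF2 work factor; tune to ~100 ms on your hardware


def sha256_unsalted(password: str) -> str:
    """What the report describes: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(table: dict[str, str], wordlist) -> dict[str, str]:
    """Dictionary attack on an unsalted table.

    Each wordlist entry is hashed once and compared against every user, so
    the cost is O(wordlist) rather than O(wordlist * users), and users who
    share a password share a digest and fall together.
    """
    lookup = {sha256_unsalted(w): w for w in wordlist}
    return {user: lookup[d] for user, d in table.items() if d in lookup}


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash stored as a self-describing record.

    A fresh random salt per user means equal passwords no longer produce
    equal records, and the iteration count makes each guess cost ~100k
    hashes instead of one.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def demo() -> dict[str, str]:
    """Constructed user table under the old scheme; returns what the attack recovers."""
    table = {
        "alice": sha256_unsalted("password"),
        "bob": sha256_unsalted("letmein"),
        "carol": sha256_unsalted("letmein"),      # same password as bob, same digest
        "dave": sha256_unsalted("k7$Qz!p9Lw2m"),  # not in the wordlist, survives
    }
    return crack_unsalted(table, WORDLIST)


if __name__ == "__main__":
    print(demo())
    rec = pbkdf2_record("letmein")
    print(rec, pbkdf2_verify("letmein", rec), pbkdf2_verify("password", rec))
```

PBKDF2 is used here because it ships with CPython; bcrypt, scrypt or Argon2 are the usual choices when a third-party dependency is acceptable, and the record format above (algorithm, parameters, salt, digest in one string) is what lets you migrate users to a stronger scheme on their next successful login.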
bitcon
Legendary (Activity: 2212, Merit: 1008)
August 05, 2011, 02:33:19 PM
 #84

  GOXED again!

when will people learn to keep their money offline?   they could save themselves a lot of time by just throwing their money away.
Smalleyster
Member (Activity: 84, Merit: 10)
I yam what I yam. - Popeye
August 05, 2011, 05:27:44 PM
 #85

  GOXED again!

when will people learn to keep their money offline?   they could save themselves a lot of time by just throwing their money away.

For some reason people insist on keeping money online. It baffles me.

Feel like investing in a Miner?:
http://bitcointalk.org/index.php?topic=30044.msg377773#msg377773
A soup to nuts newbee system for a secure, portable USB wallet (free instructions):
NoobHowTo: http://bitcointalk.org/index.php?topic=27088.msg341387#msg341387
WiseOldOwl
Full Member (Activity: 238, Merit: 100)
August 05, 2011, 05:39:10 PM
 #86

That's hilarious,
Receivership...
This "company" is not going to pay for that...
They don't have to answer to anyone because they are in Nevis.
When using an offshore company you better damn well trust them, because you have ABSOLUTELY NO RECOURSE legally (a security paradox, because you use them so governments have no recourse either and can't take your money). Well, pretty much you would spend more than was lost, and still lose the case, because no outsiders win cases against Nevis companies involving money.

Sorry guys, if he wants to, you are screwed.
BitcoinBug
Full Member (Activity: 196, Merit: 100)
August 05, 2011, 05:51:14 PM
 #87

I'm almost sure they don't live in Nevis, the address belongs to anonymous domain registrant where they bought mybitcoin.com domain.
WiseOldOwl
Full Member (Activity: 238, Merit: 100)
August 05, 2011, 06:00:14 PM
 #88

I will guarantee they don't live in Nevis,
But it doesn't matter, the company that would be getting sued or prosecuted (remember, LLC means he is very limited in his personal liability) is a Nevis company. Meaning a Nevis court. Meaning you lose.

By the way, I'm not saying that it wasn't a tremendous amount of money, but Nevis companies do this for millions every day. It is hard to find someone who is using offshore business for the right reasons. (That being said, there are offshore companies that are publicly traded on major exchanges, and I myself have used offshore business for the proper reasons.)

Also, it's not entirely out of the question that this might be resolved in some way. Which would be pretty great. It's just that experience tells us this most likely won't go well.
BitcoinBug
Full Member (Activity: 196, Merit: 100)
August 05, 2011, 06:24:02 PM
 #89

What company are you talking about? Did mybitcoin.com have company registered in Nevis? Please provide a link if you have any...
DrKennethNoisewater
Full Member (Activity: 125, Merit: 100)
August 05, 2011, 06:32:51 PM
 #90

OK

a) Never keep large amounts of bitcoins at ANY site

b) Keep the bitcoins you do have secure

c) Only transfer coins to a brokerage (one of the main ones) when you're ready to liquidate.

Be Happy and watch the crap shake out and the new infrastructure take root!

Peace---------

DKN
WiseOldOwl
Full Member (Activity: 238, Merit: 100)
August 05, 2011, 07:02:40 PM
 #91

I read somewhere they were registered to a Nevis LLC. Forgive me if I am incorrect; I will look for the reference when I get a sec, or if anyone else can post or link (or confirm there isn't one).
ramowns11
Newbie (Activity: 16, Merit: 0)
August 05, 2011, 07:17:58 PM
 #92

Mybitcoin.com used this site to mask their identity: http://www.privacyshark.com/

Funny how http://www.privacyshark.com/ has Mybitcoin.com as the way to pay for their service....
Xephan
Newbie (Activity: 42, Merit: 0)
August 05, 2011, 07:22:59 PM
 #93

I read somewhere they were registered to a Nevis LLC. Forgive me if I am incorrect; I will look for the reference when I get a sec, or if anyone else can post or link (or confirm there isn't one).

It should be from the domain whois

Quote
MyBitcoin, LLC
Main Street
PO Box 556
Charlestown, Nevis
KN
repentance
Hero Member (Activity: 868, Merit: 1000)
August 05, 2011, 07:45:28 PM
 #94

What company are you talking about? Did mybitcoin.com have company registered in Nevis? Please provide a link if you have any...

Mybitcoin itself seems to be an LLC registered in Nevis.

Google cache   

http://webcache.googleusercontent.com/search?q=cache:zCsRhAIh7eQJ:https://www.mybitcoin.com/legal/terms.php+mybitcoin+llc&cd=2&hl=en&ct=clnk&gl=au&source=www.google.com.au

Meridian Trust, which shows up in its whois history, and Morning Star holdings are company agents/trustees for shelf companies. There are a lot of similar services in Nevis which act as the registered agents for people wanting to hide the identity of the real owners of offshore companies.

 


All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
WiseOldOwl
Full Member (Activity: 238, Merit: 100)
August 05, 2011, 08:31:39 PM
 #95

Thanks guys,
That's what I was thinking, the name you guys have become familiar with was just an agent they use. He would already have a copy of that agent's resignation in hand for the day he wants to take control and cash out. That's how they work.
repentance
Hero Member (Activity: 868, Merit: 1000)
August 05, 2011, 08:41:12 PM
 #96

Thanks guys,
That's what I was thinking, the name you guys have become familiar with was just an agent they use. He would already have a copy of that agent's resignation in hand for the day he wants to take control and cash out. That's how they work.

Yep, and the company can be dissolved without the identity of the real owners ever being disclosed.

One thing which surprised me was just how cheap it is to set up a Nevis LLC, complete with an agent acting as manager/director and an off-shore bank account (which can be in Belize or Panama rather than Nevis).  It only costs about USD 2000.00 to set it up.

nighteyes
Member (Activity: 105, Merit: 10)
August 05, 2011, 08:45:32 PM
 #97

  GOXED again!

when will people learn to keep their money offline?   they could save themselves a lot of time by just throwing their money away.

For some reason people insist on keeping money online. It baffles me.

Are you being sarcastic? Or questioning why someone would trust in bitcoins?
Explodicle
Hero Member (Activity: 950, Merit: 1001)
August 05, 2011, 08:53:43 PM
 #98

  GOXED again!

when will people learn to keep their money offline?   they could save themselves a lot of time by just throwing their money away.

For some reason people insist on keeping money online. It baffles me.

Are you being sarcastic? Or questioning why someone would trust in bitcoins?

In the Bitcoin vernacular, you're "offline" if you keep your wallet somewhere not connected to the internet. You can still send coins to this address while offline, so you only need to plug in to withdraw.
TiagoTiago
Hero Member (Activity: 616, Merit: 500)
Firstbits.com/1fg4i :)
August 05, 2011, 09:00:40 PM
 #99

I thought they meant to keep your 'coins on an ewallet instead of on your own storage media

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
Smalleyster
Member (Activity: 84, Merit: 10)
August 05, 2011, 10:31:32 PM
 #100

  GOXED again!

when will people learn to keep their money offline?   they could save themselves a lot of time by just throwing their money away.

For some reason people insist on keeping money online. It baffles me.

Are you being sarcastic? Or questioning why someone would trust in bitcoins?

I trust bitcoins, but I do not trust online wallet services. I keep the bulk of my BTC offline on USB sticks. When they are online they boot up with Linux and are in an encrypted wallet. I do it every once in a while to update balances and update the blockchain.
