newminerr
Member
Offline
Activity: 147
Merit: 11
The day to rise has come.
August 05, 2011, 10:42:59 PM
Maybe once he saw the posts about a bounty on his head, he got a little antsy. These geeks are some great detectives.
this wasn't clear... the bounty will be on the hacker of my bitcoin .. maybe that's Tom Williams himself, and maybe not .. How much $$$$$ is that bounty?

adamstgBit
Legendary
Offline
Activity: 1904
Merit: 1037
Trusted Bitcoiner
August 05, 2011, 10:45:23 PM
Maybe once he saw the posts about a bounty on his head, he got a little antsy. These geeks are some great detectives.
this wasn't clear... the bounty will be on the hacker of my bitcoin .. maybe that's Tom Williams himself, and maybe not .. How much $$$$$ is that bounty?
so far we have people who have committed a total of 25 btc, however these people are holding on to the coins themselves, seeing how no one seems to trust anyone these days

nighteyes
Member
Offline
Activity: 105
Merit: 10
August 05, 2011, 11:16:26 PM
I trust bitcoins, but I do not trust online wallet services. I keep the bulk of my btc offline in USB sticks. When they are online they boot up with Linux and are in an encrypted wallet. I do it every once in a while to update balances and update the blockchain.
The thieves are going to go where the money is...online or offline. If the actual money(bitcoin) is held safely online, the wallet can be held just as securely...Actually, I don't even view this as a robbery...I view it as a con artist and those guys/gals will smoothtalk their way to it no matter how you store the money.

Smalleyster
Member
Offline
Activity: 84
Merit: 10
I yam what I yam. - Popeye
August 05, 2011, 11:23:42 PM
If the actual money(bitcoin) is held safely online, the wallet can be held just as securely...
I find that proposition to be absurd. I only really trust ME. Not some anonymous guy on the internet.

nighteyes
Member
Offline
Activity: 105
Merit: 10
August 06, 2011, 12:04:35 AM
If the actual money(bitcoin) is held safely online, the wallet can be held just as securely...
I find that proposition to be absurd. I only really trust ME. Not some anonymous guy on the internet.
There are protocols for being able to store info online...it's just that it's vaporware right now for our community. That shouldn't stop us from pressing forward towards a long run solution. I don't know of anyone heading towards stuffing gold in mattresses as an ordinary solution to banking. People are putting the cart before the horse and getting trampled.

Smalleyster
Member
Offline
Activity: 84
Merit: 10
I yam what I yam. - Popeye
August 06, 2011, 12:11:50 AM
There are protocols for being able to store info online...it's just that it's vaporware right now for our community.
The only reason I trust an online bank is the FDIC. There will probably never be a bitcoin equivalent to the FDIC anytime soon and therefore your magical protocol is just a sign for "take my bitcoins please". IMHO of course. Good luck with that.

bitminers
Member
Offline
Activity: 84
Merit: 10
August 06, 2011, 02:38:38 AM
Maybe once he saw the posts about a bounty on his head, he got a little antsy. These geeks are some great detectives.
this wasn't clear... the bounty will be on the hacker of my bitcoin .. maybe that's Tom Williams himself, and maybe not .. How much $$$$$ is that bounty?
so far we have people who have committed a total of 25 btc, however these people are holding on to the coins themselves, seeing how no one seems to trust anyone these days
Due to the amount of Bitcoins we are talking Millions of dollars here are we not??? I did not have any coins there, but I am willing to pledge Money, Time, Resources and I think everyone who has lost a significant amount would contribute in some way to at least try and recoup the loss! Where is it up to?

kiba
Legendary
Offline
Activity: 980
Merit: 1020
August 06, 2011, 02:43:58 AM
Can we keep discussion on mybitcoin instead of whether or not a certain fed program is a fraud?
KTHXBYE!

Deafboy
August 06, 2011, 05:38:06 AM
For those who don't have Tor installed:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Friday, August 5th, 2011
From the desk of Tom Williams, operator of MyBitcoin.com
For immediate release.
_SECURITY_BREACH_DISCLOSURE_
After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn't completely clean us out. Just to clarify, we weren't "fully" hacked aka "rooted". You can still trust our PGP, SSL, and Tor public keys.
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.
_CLAIM_PROCESS_DISCLOSURE_
We are in the process of building a claim procedure for the remainder of the holdings now. We expect that we will have it online soon.
The claim process will consist of an online form where the claimant will be required to enter their MyBitcoin username and password. Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets. We will disclose these figures as soon as they have been totaled.
Each online claim will be written to a ledger and will be manually approved within 48 hours of being filed online. We have decided to have a manual claim approval process for better security. The last thing we all need right now is for someone to breach the claim form. We are confident clients will find this satisfactory.
_RECEIVERSHIP_
After some research and careful consideration regarding the appointment of a receiver we have concluded that it would be very costly and slow.
Also, finding a receiver that even understands what a Bitcoin is or how to handle the claim process online would be troublesome, and would only end up in increasing our costs. Receivers are typically paid from the remaining assets and we'd like to maximize the amount that we can disperse to our clients.
We have been trying to figure out a way to appoint a 3rd party to certify the asset/liability figures, but there are many risks involved. It would involve having us trust some unknown agent that could possibly just steal the rest of the holdings out from under us. Or, we could be accused of bribing the 3rd party to agree with our figures, and on and on. Trust is a real problem with an anonymous and irrevocable currency.
It is true that we could disclose all of the Bitcoin payment addresses we manage and let everyone look them up and track the lineage of the coins. This is also troublesome due to the way that we defragment small payments to keep the processing engine speedy. Also there are the moral implications of disclosing our clients' finances. We are sure that, unknown to us, our processing system has been used for nefarious purposes.
_A_GIFT_TO_THE_COMMUNITY_
After the claims have all been filed and dealt with we will be releasing the entire MyBitcoin processing engine into the public domain. Our only hope is that the community can improve and adapt the software to all sorts of new and interesting Bitcoin-related things.
Tom Williams
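The remedy named in the disclosure above (credit a deposit after one confirmation, hold it until at least 3, and keep two balances) can be sketched as follows. This is an added example, not MyBitcoin's code and not part of the original post; the class and method names, the satoshi amounts and the transaction ids are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MIN_CONFIRMATIONS = 3  # "at least 3 confirmations", per the disclosure


@dataclass
class Deposit:
    account: str
    amount: int                   # satoshis
    height: Optional[int] = None  # including block; None = not in best chain


class DepositLedger:
    def __init__(self, min_conf=MIN_CONFIRMATIONS):
        self.min_conf = min_conf
        self.tip = 0              # best-chain height as this node sees it
        self.deposits = {}        # txid -> Deposit
        self.withdrawn = {}       # account -> satoshis already paid out

    def seen(self, txid, account, amount):
        self.deposits.setdefault(txid, Deposit(account, amount))

    def block_connected(self, height, txids):
        self.tip = height
        for txid in txids:
            if txid in self.deposits:
                self.deposits[txid].height = height

    def block_disconnected(self, height):
        # Reorg: an orphaned block takes its deposits' confirmations with it.
        self.tip = height - 1
        for dep in self.deposits.values():
            if dep.height is not None and dep.height >= height:
                dep.height = None

    def confirmations(self, dep):
        return 0 if dep.height is None else self.tip - dep.height + 1

    def balances(self, account):
        """Return (pending, available) in satoshis; only available can leave."""
        mine = [d for d in self.deposits.values() if d.account == account]
        held = sum(d.amount for d in mine
                   if 1 <= self.confirmations(d) < self.min_conf)
        mature = sum(d.amount for d in mine
                     if self.confirmations(d) >= self.min_conf)
        return held, mature - self.withdrawn.get(account, 0)

    def withdraw(self, account, amount):
        if amount <= 0 or amount > self.balances(account)[1]:
            raise ValueError("withdrawal exceeds confirmed balance")
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
```

A deposit whose block is orphaned drops back to zero confirmations and out of both balances, so it can never fund a withdrawal until it is re-mined and buried again.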

Kermee
August 06, 2011, 05:46:34 AM

Deafboy
August 06, 2011, 06:20:59 AM
Oh, sry. Didn't know that... non-SSL connection redirects to hidden service

Kermee
August 06, 2011, 06:30:04 AM
Oh, sry. Didn't know that... non-SSL connection redirects to hidden service
Uh... Nothing to be sorry about =)
Cheers,
Kermee

repentance
August 06, 2011, 07:42:22 AM
I'm not sure who's still collecting information and trying to tie everything together but the goon detectives have found some connections I haven't seen mentioned elsewhere.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.

7iain7
Newbie
Offline
Activity: 45
Merit: 0
August 06, 2011, 09:59:55 AM
I seem to remember some people complaining months ago that 1 or 2 bitcoins were missing from their mybitcoin wallets. So I wonder if the hacker has had access to the site for months?

willphase
August 06, 2011, 11:10:09 AM
I'm surprised that, even with 1 block confirmations, stealing bitcoins in the way that Tom describes would be feasible without a considerable amount of compromised computing power. If my understanding is correct, for an attack to succeed an attacker would have to compute 2 blocks containing their false transactions before the rest of the network computes one. This computation could be done offline so the attacker could wait until they have been lucky and computed these blocks before publishing them, but it would still require a non-insubstantial amount of compute or waiting a long time before being able to make the attack.
I'm not saying that pools are involved in this, but if even a small pool was involved, then this attack would be a lot more believable.
Will

boaz2020
Newbie
Offline
Activity: 52
Merit: 0
August 06, 2011, 12:01:19 PM
I'm surprised that, even with 1 block confirmations, stealing bitcoins in the way that Tom describes would be feasible without a considerable amount of compromised computing power. If my understanding is correct, for an attack to succeed an attacker would have to compute 2 blocks containing their false transactions before the rest of the network computes one. This computation could be done offline so the attacker could wait until they have been lucky and computed these blocks before publishing them, but it would still require a non-insubstantial amount of compute or waiting a long time before being able to make the attack.
I'm not saying that pools are involved in this, but if even a small pool was involved, then this attack would be a lot more believable.
Will
I'm pretty sure it would work something like this.
1.) Peer directly to the bitcoind running on MyBitcoin.
2.) Solve the next block with your dubious transactions.
3.) Wait for someone else to solve the block you solved.
4.) After the same block was found, but before MyBitcoin's bitcoind hears it, announce your dubious block to MyBitcoin.
5.) That is 1 confirm, funds will now show up. Transfer the funds out, the next block on the network will orphan your dubious one.

Littleshop
Legendary
Offline
Activity: 1386
Merit: 1004
August 06, 2011, 12:19:52 PM
I'm surprised that, even with 1 block confirmations, stealing bitcoins in the way that Tom describes would be feasible without a considerable amount of compromised computing power. If my understanding is correct, for an attack to succeed an attacker would have to compute 2 blocks containing their false transactions before the rest of the network computes one. This computation could be done offline so the attacker could wait until they have been lucky and computed these blocks before publishing them, but it would still require a non-insubstantial amount of compute or waiting a long time before being able to make the attack.
I'm not saying that pools are involved in this, but if even a small pool was involved, then this attack would be a lot more believable.
Will
I'm pretty sure it would work something like this. 1.) Peer directly to the bitcoind running on MyBitcoin. 2.) Solve the next block with your dubious transactions. 3.) Wait for someone else to solve the block you solved. 4.) After the same block was found, but before MyBitcoin's bitcoind hears it, announce your dubious block to MyBitcoin. 5.) That is 1 confirm, funds will now show up. Transfer the funds out, the next block on the network will orphan your dubious one.
Step 2 is a problem, not impossible, but would require a substantial mining investment. If I took all of my $X000 investment in mining gear I would be able to do that about once a month and it would not be guaranteed each time I solved a block.

boaz2020
Newbie
Offline
Activity: 52
Merit: 0
August 06, 2011, 01:03:16 PM
I'm surprised that, even with 1 block confirmations, stealing bitcoins in the way that Tom describes would be feasible without a considerable amount of compromised computing power. If my understanding is correct, for an attack to succeed an attacker would have to compute 2 blocks containing their false transactions before the rest of the network computes one. This computation could be done offline so the attacker could wait until they have been lucky and computed these blocks before publishing them, but it would still require a non-insubstantial amount of compute or waiting a long time before being able to make the attack.
I'm not saying that pools are involved in this, but if even a small pool was involved, then this attack would be a lot more believable.
Will
I'm pretty sure it would work something like this. 1.) Peer directly to the bitcoind running on MyBitcoin. 2.) Solve the next block with your dubious transactions. 3.) Wait for someone else to solve the block you solved. 4.) After the same block was found, but before MyBitcoin's bitcoind hears it, announce your dubious block to MyBitcoin. 5.) That is 1 confirm, funds will now show up. Transfer the funds out, the next block on the network will orphan your dubious one.
Step 2 is a problem, not impossible, but would require a substantial mining investment. If I took all of my $X000 investment in mining gear I would be able to do that about once a month and it would not be guaranteed each time I solved a block.
No, I'm not saying you have to generate two successive blocks. Just generate a given block first. By dubious transactions, I mean legitimate coins sent to MyBitcoin that will get reversed once your block gets orphaned, but only after the funds are confirmed on MyBitcoin.

Littleshop
Legendary
Offline
Activity: 1386
Merit: 1004
August 06, 2011, 01:13:48 PM
Understood. I was commenting on how hard it is to generate a single block, though six months ago it was not so hard.

boaz2020
Newbie
Offline
Activity: 52
Merit: 0
August 06, 2011, 01:20:37 PM
Understood. I was commenting on how hard it is to generate a single block, though six months ago it was not so hard.
Ahh, yeah, it would require some time. But even if your attempts fail, you are still rewarded with 50 btc for your efforts. I don't expect that the person responsible bought into mining just for this scam. I'm sure it was an established miner, or more likely, this is all a made up story.