Tom Williams ~ The Smoking Gun(s) or Phin's Pholly

[NF6X]

The more I try to make sense of what our friend Phin is posting here, the more I lean towards "hogwash". These so called connections seem to me to be stretches worthy of Mr. Slave. I've become comfortable about presuming that 1) mybitcoin was likely to be a scam from the start, and 2) BW is probably somebody I would prefer not to associate with. Much of what has been presented in various threads also makes me somewhat suspicious that BW may have been closely involved with the mybitcoin scam. Still, I really don't see logic behind many of these other supposed connections. They seem to be based more on numerology than solid logic to me. Well, if nothing else, this thread is entertaining to me.

P.S.  Just in case it's not completely clear, pretty much all of the connections I've proposed in this thread so far have been completely satirical B.S. I was telling the truth about feeding my neighbor's horse, though, and even about securing my hat on my head.

[1714042327]

1714042327

[1714042327]

1714042327

[1714042327]

1714042327

[1714042327]

1714042327

[niko]

Just a pinch of salt:

Has anyone ever confirmed with MagicalTux that the leaked user list has not been tampered with?  For what I know users may have been added or removed by whoever posted and reposted the file. Since information is already public, I hope MagicalTux can compare the files and at least provide a simple yes or no, with a sha1 of the file.

[Jack of Diamonds]

I have an honest question for you, BitcoinPorn, and simply give me an honest answer. Do you think I'm just spreading gossip?

Not at all, I was saying that to cypherdoc's comment, which came off that way the way he said it.  I am seeing all your info, it is not gossipy, I could have separated my sentences into paragraphs there.

MagicalTux posted a while back (3-4 months?) that russian criminals attempted to extort his business for $7000 per month.

He didn't yield to their demands, so there were massive DDoS attacks on Mt. Gox which caused significant financial harm and lowered trading volumes.

Just food for thought.
In fact, he even had to shut down the entire Mt. Gox after the attack became unbearable.

http://bitcointalk.org/?topic=6931.0

[Phinnaeus Gage]

Hi Bruno,

I know you are having fun with this. You might get some insight from this;

http://agoristradio.com/?p=480

starting at about minute 15

Shane

On the broadcast, Hero claims to know those at mybitcoin.com but then claims he doesn't know who Tom Williams is. He also stutters during his assessment. Hero also states that there is no connection what-so-ever between mybitcoin.com and BW. Of course there was--advertising and dollars/BTC changed hands. I'm not exactly convinced that they are not connected. If and when I'm proven wrong, I will concede that point.

The more I try to make sense of what our friend Phin is posting here, the more I lean towards "hogwash". These so called connections seem to me to be stretches worthy of Mr. Slave. I've become comfortable about presuming that 1) mybitcoin was likely to be a scam from the start, and 2) BW is probably somebody I would prefer not to associate with. Much of what has been presented in various threads also makes me somewhat suspicious that BW may have been closely involved with the mybitcoin scam. Still, I really don't see logic behind many of these other supposed connections. They seem to be based more on numerology than solid logic to me. Well, if nothing else, this thread is entertaining to me.

P.S.  Just in case it's not completely clear, pretty much all of the connections I've proposed in this thread so far have been completely satirical B.S. I was telling the truth about feeding my neighbor's horse, though, and even about securing my hat on my head.

I will concede that Stefan Thomas and Frank van Vliet are entirely two different people. The email address is @ the domain hosting site, hence my confusion. But: http://www.linuxsecurity.com/content/view/117467/171/

and this:

Twitter         http://twitter.com/zium

Jan van Vliet   (related?)
BitCoin: The decentralized, digital alternative to government fiat money! weusecoins.com
14 Jun via Tweet Button

Phinnaeus:  do you still have the .csv list of all the hacked accts on mtgox?  every source i've googled today has been taken down.

I put the link is the first post of this thread and it's still working: http://dump.udderweb.com/Censorship/mtgox_leak.txt

Explain the significance of a password starting with "$1$" or not.

there is none.  as you can see in the list Phin just put up, just about every other one or more starts with this string.  i think this is the result of the MD5 salting.  nothing here folks.

I believe it's because of the salting, also.


Is this a coincidence?

50730,haakjes,frank@root66.org,$1$9...    (Is  weusecoins.com)
50731,hammerfortyfour,t.williams@bankofamerica.com,$1$9...   (account created prior to Mt.Gox getting hacked--possibly EG)

[NF6X]

Twitter         http://twitter.com/zium

Jan van Vliet   (related?)
BitCoin: The decentralized, digital alternative to government fiat money! weusecoins.com
14 Jun via Tweet Button

Are you suggesting that Jan van Vliet is/was directly involved with the weusecoins.com folks? Barring some other link that I haven't perceived yet, I could easily see him as being just another Bitcoin enthusiast who stuck the weusecoins.com reference in his signature to promote his area of interest, just as I have been known to link to things which interest me but which I have had no direct involvement in creating. Like the Apple sticker that I stuck on my work-issued Lenovo laptop; I have no relationship with Apple other than repeatedly giving them lots of money for another hit of their sweet shinies. If I recall correctly, and my brain is not too fogged by the cheap store-brand vodka (don't worry, I'm not Russian), van Vliet appears to be involved with web/network service provision. His apparent connection to other People Of Interest may be due to nothing more than having provided them with services, thus learning about Bitcoins in the process, and then subsequently signing up for some of the same popular, well-publicized services as them. Maybe it's no coincidence that his name shows up in multiple particular places, yet there's another quite plausible explanation for that other than direct involvement with any of our favorite scams. Remember: Correlation does not always imply causation.

[nanaimogold]

... Of course there was--advertising and dollars/BTC changed hands. ...

Why do you believe that?

I recall the opposite to be true.

[DrYe5]

21 tweets, with almost as many users, to date contain "weusecoins.com": http://twitter.com/#!/search/realtime/weusecoins.com

[Phinnaeus Gage]

Twitter         http://twitter.com/zium

Jan van Vliet   (related?)
BitCoin: The decentralized, digital alternative to government fiat money! weusecoins.com
14 Jun via Tweet Button

Are you suggesting that Jan van Vliet is/was directly involved with the weusecoins.com folks? Barring some other link that I haven't perceived yet, I could easily see him as being just another Bitcoin enthusiast who stuck the weusecoins.com reference in his signature to promote his area of interest, just as I have been known to link to things which interest me but which I have had no direct involvement in creating. Like the Apple sticker that I stuck on my work-issued Lenovo laptop; I have no relationship with Apple other than repeatedly giving them lots of money for another hit of their sweet shinies. If I recall correctly, and my brain is not too fogged by the cheap store-brand vodka (don't worry, I'm not Russian), van Vliet appears to be involved with web/network service provision. His apparent connection to other People Of Interest may be due to nothing more than having provided them with services, thus learning about Bitcoins in the process, and then subsequently signing up for some of the same popular, well-publicized services as them. Maybe it's no coincidence that his name shows up in multiple particular places, yet there's another quite plausible explanation for that other than direct involvement with any of our favorite scams. Remember: Correlation does not always imply causation.

I believe this part:

His apparent connection to other People Of Interest may be due to nothing more than having provided them with services, thus learning about Bitcoins in the process, and then subsequently signing up for some of the same popular, well-publicized services as them. Maybe it's no coincidence that his name shows up in multiple particular places, yet there's another quite plausible explanation for that other than direct involvement with any of our favorite scams.

But, as you may have well read, FVV is a known hacker. Jan could be a close relative. And look at who Jan follows: http://twitter.com/#!/zium/following  and who FVV follows: http://twitter.com/#!/jhfssrjmouyihgg/following


Take a walk with me on this one, for it's only an eight block stretch: (Google it!)

50731,hammerfortyfour,t.williams@bankofamerica.com    115 West 42nd Street, New York, NY 10036
667,brucewagner,bruce@brucewagner.com                   290 5th Ave, New York, NY 10001

[Phinnaeus Gage]

21 tweets, with almost as many users, to date contain "weusecoins.com": http://twitter.com/#!/search/realtime/weusecoins.com

Tomorrow, it will be the same users, in the same exact order, with the same exact tweets. Mark my word on this one. LOL!

[NF6X]

Maybe BW worked at BofA under the TW alias for fun and profit?

[Phinnaeus Gage]

Maybe BW worked at BofA under the TW alias for fun and profit?

I know your type. You're just trying to throw me off the scent.

[NF6X]

Nah, I love hunting with dogs. They have great noses, and I have color vision and opposable thumbs. The rabbits don't stand a chance against us.

[Phinnaeus Gage]

Nah, I love hunting with dogs. They have great noses, and I have color vision and opposable thumbs. The rabbits don't stand a chance against us.

I should be sleeping, but I'm working on something.

[Stefan Thomas]

50730,haakjes,frank@root66.org,$1$9...    (Is  weusecoins.com)

I don't understand the connection? I started WeUseCoins and I've never heard of frank@root66.org.

21 tweets, with almost as many users, to date contain "weusecoins.com": http://twitter.com/#!/search/realtime/weusecoins.com

According to our AddThis share widget 5262 people tweeted about weusecoins.com. Twitter search shows you only the latest tweets (note they're all from last week). I tweeted about it here and here.


Not sure if this has been pointed out already, but WeUseCoins is hosted at Leaseweb, so yeah. It is one of the largest hosting providers in Europe, but still I can't really fault anybody for drawing a connection on that point.

My journey into Bitcoin is somewhat documented from IRC chats in December 2010 and early 2011. And also by the fact that at the first Swiss Bitcoin meetup in early February 2011 I didn't really know a lot about Bitcoin yet, which the other attendees Mike Hearn, cdecker and bitdragon can probably confirm. MyBitcoin has been around far longer than I've been into Bitcoin, but of course it's hard to prove a negative that I didn't know about Bitcoin longer.

I'm only following the forums occasionally, so if anybody has any questions, Phinnaeus was kind enough to post my email address already , but here it is again: moon@justmoon.de

[Phinnaeus Gage]

50730,haakjes,frank@root66.org,$1$9...    (Is  weusecoins.com)

I don't understand the connection? I started WeUseCoins and I've never heard of frank@root66.org.

21 tweets, with almost as many users, to date contain "weusecoins.com": http://twitter.com/#!/search/realtime/weusecoins.com

According to our AddThis share widget 5262 people tweeted about weusecoins.com. Twitter search shows you only the latest tweets (note they're all from last week). I tweeted about it here and here.


Not sure if this has been pointed out already, but WeUseCoins is hosted at Leaseweb, so yeah. It is one of the largest hosting providers in Europe, but still I can't really fault anybody for drawing a connection on that point.

My journey into Bitcoin is somewhat documented from IRC chats in December 2010 and early 2011. And also by the fact that at the first Swiss Bitcoin meetup in early February 2011 I didn't really know a lot about Bitcoin yet, which the other attendees Mike Hearn, cdecker and bitdragon can probably confirm. MyBitcoin has been around far longer than I've been into Bitcoin, but of course it's hard to prove a negative that I didn't know about Bitcoin longer.

I'm only following the forums occasionally, so if anybody has any questions, Phinnaeus was kind enough to post my email address already , but here it is again: moon@justmoon.de

Hello, Stefan Thomas. Bruno here. You're not going to believe this, but members of this forum have been putting something in my coffee when I'm not looking. That said, please accept my apology on this issue. The mistake I made is this: Registrant Email:postmaster@root66.org where Frank van Vliet is the owner.

I'm going to clean up some of what I've written so that your good name doesn't get smeared. Thank you kindly for the soft post to me, although this time a few curse words may have been in order.

Sincerely, Bruno

[Exonumia]

I'm up to 1.23million VexCoins... is the ebook almost ready?

[ribuck]

Explain the significance of a password starting with "$1$" or not.

Here's what the "$1$" prefix means. Don't read anything more than this into the "$1$" prefix.

Originally, MtGox stored hashed passwords in their database. A few years ago, this was considered reasonably secure, but the development and distribution of "rainbow tables" made hashed passwords insecure. (A "rainbow table" is essentially a reverse-lookup which takes you from a hashed password to a candidate unhashed password.)

In response to this, many websites (including MtGox) upgraded their systems to store salted hashed passwords instead of plain hashed passwords. This makes basic rainbow tables unusable for password cracking.

The problem is: how do you upgrade the existing passwords to use the new salting scheme? You don't know the existing passwords; you only know their hash. So you wait until the user logs on with a password that matches the hash. At that point, the user has just entered their actual password so you calculate the password's salted hash, and store that in the database in place of the unsalted hash.

A common technique (which was used at MtGox) represents the salted hashes with a prefix of "$1$", to distinguish it from unsalted hashes and to identify the salting/hashing scheme.

tl; dr:  From the presence of the "$1$" prefix we can deduce that the user logged in one or more times after MtGox changed to salted hashes. From the absence of the "$1$" prefix we can deduce that the user created their account before MtGox changed to salted hashes, and did not log in to that account between that time and when the password file was leaked.

[sadpandatech]

Explain the significance of a password starting with "$1$" or not.

Here's what the "$1$" prefix means. Don't read anything more than this into the "$1$" prefix.

Originally, MtGox stored hashed passwords in their database. A few years ago, this was considered reasonably secure, but the development and distribution of "rainbow tables" made hashed passwords insecure. (A "rainbow table" is essentially a reverse-lookup which takes you from a hashed password to a candidate unhashed password.)

A few years ago, as in like 15?

In response to this, many websites (including MtGox) upgraded their systems to store salted hashed passwords instead of plain hashed passwords. This makes basic rainbow tables unusable for password cracking.

Again, the response to this was well before Gox was in operation. More on this in a bit.

The problem is: how do you upgrade the existing passwords to use the new salting scheme? You don't know the existing passwords; you only know their hash. So you wait until the user logs on with a password that matches the hash. At that point, the user has just entered their actual password so you calculate the password's salted hash, and store that in the database in place of the unsalted hash.

A common technique (which was used at MtGox) represents the salted hashes with a prefix of "$1$", to distinguish it from unsalted hashes and to identify the salting/hashing scheme.

 The answer should have been; you don't, you friggin salt and shadow the passwords to begin with!  That prefix technique would be pretty nifty if it were in conjunction with taking some sort of furthner action on the unsalted ones.

 Case in point; About 14 years ago sadpanda owned a small hosting/dial-up firm. With roughly 2500~ dial ups, 500~ hosted sites and a partner who had the vision to monitize our userbase with our own "webmail". That was exciting, ad revenue and a new offering for our existing customers and potential new ones. There was one issue however and that was a big, fat unsalted password table.

 Not long after we set the customer base up on the new webmail servers did we start to notice 'breaches' in the form of mails in customer inboxes that did not orginate from our mail servers. A good majority of which were trojan laced. We spent many a night integrating virus scanning on the mail servers and manually forcing customers with weak passwords to update them. A daunting task which would have continued to become a growing burden until I called an associate who himself owned a sizable hosting firm.

 Skipping past the fee he wanted to come help my auditing efforts, he made short work of pointing out what I feel now should be obivous. It took him all of a few hours to exclaim, "Are these passwords unsalted and in their default locations?" Well, you by now know the answer to that. Just thinking about the implications of what that meant, not only in the immediate security issue but in what it would entail to get all those users to update their passwords, gave me quite the headache.

 After a few days of manually fixing things I realized the only way to 'fix' it quick was going to be to update all the passwords ourselves. At this point we had added salt into our pwds and moved the storage of them to a shadowed format. And thats where we decided that we had no choice but to 'crack'(L0pht before they went legit) all the passwords ourselves and then push them through the salt. This would not patch up any one who had already been comprimised but certainly did put us in a posistion where we could stop chasing new breaches and focus on securing existing ones. Amen! 

 As an aside, the perps quickly became very unhappy about their lost playground and attempted to Ddos the piss out of our upstream. Unfortunatly for them we owned the exit nodes at our upstream and managed all the filtering ourselves.. ;p

tl;dr  14 years ago we began to salt and shadow on a system not used for financials and I would have assumed anyone setting up a secure system would have done so since then. :/

tl; dr:  From the presence of the "$1$" prefix we can deduce that the user logged in one or more times after MtGox changed to salted hashes. From the absence of the "$1$" prefix we can deduce that the user created their account before MtGox changed to salted hashes, and did not log in to that account between that time and when the password file was leaked.

Sorry for all that off-topic wall of text. Those of us who reconize the salting realized what the $1$ was prefixed on the hashes.

 Not to verify or disprove any of the 'research' Bruno has done here but the $1$ prefix does not remove what he had pointed out. If you look back at the mathcing passwords he showed, one being unsalted and the other being $1$ but with $1$a , as what he was eluding to. I did not look at the pwd file to see if it is similiar past the a but I am confident that Bruno did not assume every friggin password with $1$ in front of it was the same.

  All that aside I personaly feel Tux has come a LONG way from where he started with this new venture and have not noticed anything as concering as the orginal issues. And, I definetly have to appluad his moxie in not giving in to the $7k extortion thing. That sounds like it could be quite stressing and possibly dangerous.

 Now with the mybitcoin thing I can't help but feel, after listening to Hero's input that it sounds almost like some breaches started to become noticed and got out of hand before the orginal devs could do much about it. It seems like they were scared off by something and pretty much abandoned ship, leaving someone to deal with it pretty much on their own. Just my take on it now.

cheers everyone.

[Phinnaeus Gage]

I did not look at the pwd file to see if it is similiar past the a but I am confident that Bruno did not assume every friggin password with $1$ in front of it was the same.

That is correct, sadpandatech. There was only one instance where I showed that the passwords match.

Before I go any further with this, I want to state that I sent a PM to Stefan Thomas offering my deepest apology for getting weusecoins.com into this mix. As previous stated, I see where my error was and have posted how it occurred. I will continue to play armchair detective, but will be more careful with what I post. I promise that I will continue to make mistakes, but will try to keep them to the bare minimum. I have no agenda in regards to this Bitcoin issue with the exception of finding the truth, not as I see it, but as it is. I hope that my crazy research project here has in someway helped, not hurt, Bitcoin. I want to further state that I gave Stefan my personal phone number and he can do with it as he wishes. It's no secret that I live in Sandwich, Illinois and am easy to find.

Bruno

PS: You can call be Bruno or Phin, and you have my permission to refer to my work here as Phin's Pholly.

[NF6X]

PS: You can call be Bruno or Phin, and you have my permission to refer to my work here as Phin's Pholly.

I like it! Phin's Pholly should be in the thread title.