Possible false alarm: MtGox break in

[fastandfurious]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

As a supporter of Ron Paul, that is the most slanderous and insulting thing I've seen said on this message board in awhile.

As it stands, there are no other people reporting account problems. I still believe I was targeted because I'm a well known face for the Bitcoin community and a developer of software that is used in conjunction with Bitcoin frequently.

What exactly did you think was "slanderous and insulting"?

My statement is a general point o view and are not targeted on you, I don't know all the exact details of what happened in your case, but in general I think that what I stated is something that is important to think about.

[1713563171]

1713563171

[1713563171]

1713563171

[1713563171]

1713563171

[DiabloD3]

I notified MagicTux through his support email, and he sent back a useless form letter as a reply.

Recently there has been a large increase in the number of “phishing” attacks that have been made against the users of Mt.Gox.
...
We sincerely apologize for the inconvenience our users have suffered at the hands of phishers, and are doing all that we can to prevent further attacks in the future.

Thanks,

MtGox.com Team

I consider this a smoking gun.

What about browsing other sites whilst you are logged into mtgox?  
Due to CSRF attacks - this is something you shouldn't do when you are logged in to an important account.

You can argue that the site should be fully protected against CSRF, especially as this has come up before regarding mtgox - but it's possible there is a regression in this area or even that your specific browser version is contributing to this risk.

XSRF attacks are largely difficult to perform in many cases. The problem is I would have had to visit the attacker's website at some point inside of the same environment I use to access mtgox to allow it.

[cypherdoc]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

he spent 17000 BTC bailing out Bitomat.  he could've just let them and their btc holders die on the vine and he would've been better off than buying a worthless exchange.

$60 USD worth. It was a trivial amount, I was more worried about a large scale attack, which doesn't seem to be underway. Its better to warn everyone instead of sit on the information. I'm glad I was the only one hit so far.

i would suggest you change the title of this thread to something much less ominous.  you're scaring people.

[kjj]

I believe that fraudulent EV certificates were issued.

For reasons unrelated to this, I would like to have this citation notated.

I only found one useful article that mentions that EVSSL may have been included in the breach.

http://isc.sans.edu/diary.html?storyid=11500

I'm assuming that you and MagicalTux checked the IPs used on your account.  Anything strange there?

[cypherdoc]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC.  

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

you're assuming that the tx fees will increase.  how do you know that?

and the principle is totally different.

[DiabloD3]

i would suggest you change the title of this thread to something much less ominous.  you're scaring people.

Changed. But until me or Tux can figure out what exactly happened, the issue remains open.

[fastandfurious]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC.  

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

you're assuming that the tx fees will increase.  how do you know that?

Study Economics 101.

[DiabloD3]

I believe that fraudulent EV certificates were issued.

For reasons unrelated to this, I would like to have this citation notated.

I only found one useful article that mentions that EVSSL may have been included in the breach.

http://isc.sans.edu/diary.html?storyid=11500

I'm assuming that you and MagicalTux checked the IPs used on your account.  Anything strange there?

See the third post, MtGox emails you the IP that made the request on withdraws.

[DiabloD3]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC.  

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

you're assuming that the tx fees will increase.  how do you know that?

Study Economics 101.

Thats assuming tx fees are not already set high enough to cover projected fraud issues.

[cypherdoc]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC.  

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

you're assuming that the tx fees will increase.  how do you know that?

Study Economics 101.

Studying Economics 101 will allow me to predict that MagTux will raise his tx fees as a result of this incident?

[phillipsjk]

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

I'm not so sure you can completely rule those out. Last month kernel.org was compromized. In order to compromise the kernel, several developement machines would need to be compromized as well. Which is about as unlikely as Intel installing a back-door in one of their chips. Note: I think that 'Intel Insider' is probably just a modified version of DTCP with latency limits on the initial hop relaxed.

Edit: Tabnabbing looks like it may work on even sophisticated users, unless they leave JavaScript disabled.

[fastandfurious]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC.  

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

you're assuming that the tx fees will increase.  how do you know that?

Study Economics 101.

Studying Economics 101 will allow me to predict that MagTux will raise his tx fees as a result of this incident?

When you understand Economics 101, come back and I promise you we can continue this discussion.

[DiabloD3]

I'm not so sure you can completely rule this out. Last month kernel.org was compromized. In order to compromise the kernel, several developement machines would need to be compromized as well.

Yes, I'm aware of the kernel.org break in. This does not apply here as the kernel I am running predates the break in and I do not get my kernel source from kernel.org.

Mmm delicious git.

[cypherdoc]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC.  

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

you're assuming that the tx fees will increase.  how do you know that?

Study Economics 101.

Studying Economics 101 will allow me to predict that MagTux will raise his tx fees as a result of this incident?

When you understand Economics 101, come back and I promise you we can continue this discussion.

you're an arrogant ass.  educate me now.

[WiseOldOwl]

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

I'm not so sure you can completely rule those out. Last month kernel.org was compromized. In order to compromise the kernel, several developement machines would need to be compromized as well. Which is about as unlikely as Intel installing a back-door in one of their chips. Note: I think that 'Intel Insider' is probably just a modified version of DTCP with latency limits on the initial hop relaxed.

Edit: Tabnabbing looks like it may work on even sophisticated users, unless they leave JavaScript disabled.

Damn this is a bust.

[mrb]

After a lengthy conversation with MagicTux, unless it does turn up that mtgox has been hacked, neither of us can figure out what happened. Its obviously not me and I didn't fall for a phishing expedition, and Im pretty sure its not on his end. His description of security on the new post-hack mtgox is pretty decent. Its not perfect, but he has gone to great lengths to prevent a repeat.

Your compromise may be linked to a huge mystery that was never solved during the MtGox hack of June 19, 2011: many supremely strong passwords were cracked, but no one, not even Mark Karpelès, knows how it happened. One of the theories I posted in this comment is that the MtGox infrastructure has been deeply compromised, and attackers still have access to it. (I hope this is not true.)

If not that, I know that we, security-conscious people, like to think it would never happen to us, but you may have fallen to sophisticated targeted attack. There are occurrences of paranoiac security guys who do get compromised. For example even if your Linux workstation is relatively secure and updated, all it would take to compromise you is a Flash 0-day and to entice you to visit a malicious site. You may say you won't fall for it, but you do it all the time: you hang in #bitcoin-mining, someone posts a URL, you click on it. Bam! User-level X11 keylogger now running on your fully patched Linux machine. Flash is by far the scariest client-side attack vector these days...

[phillipsjk]

When you understand Economics 101, come back and I promise you we can continue this discussion.

you're an arrogant ass.  educate me now.

In MicroEconomics, you make several 'reasonable' assumptions, including:

• Rational Market participants
• The price system is a good way to communicate efficiency
• Easy entry and exit in the market place

I think fastandfurious is arguing that if Mt.Gox can't cover their costs, they will leave the market. Of course, by the same argument, competitors less "inefficient" should be able to enter the market and undercut the Mt.Gox fees. The easy entry and exit assumption assumes captical costs don't exist (or that they are ammortized perfectly).

[hightax]

I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.

Forging a SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly.  However, you still have to accept the change in certificate for the forged-SSL MIM attack to work.  Did you log in to MtGox from strange internet connections in shady places?  Or did MtGox get their DNS forged as well?

[stergium]

It seems Mt Gox has been broken into again. My account was just liquidated and send to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

Everyone: Clear out your accounts if you have anything in them.

again?
http://www.youtube.com/watch?v=TVpkIuutIqw
they seem to have more holes than a sponge...
and the bitcointalk incident these days..
ppl should implement temporary accounts..

[kjj]

I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.

Forging a SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly.  However, you still have to accept the change in certificate for the forged-SSL MIM attack to work.  Did you log in to MtGox from strange internet connections in shady places?  Or did MtGox get their DNS forged as well?

Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?