Is the Bitcoin Community Under Attack?

[bittenbob]

I haven't googled anything and am going completely by memory. I rarely ever use wikipedia and especially not for technical matters. If you want to fake a handshake you will need to spoof IP and mac addresses. I am afraid it is you who doesn't know WTF you are talking about.

By the way Theymos, this thread is getting out of control and has nothing to do with the OP so feel free to lock it.

Then maybe you should start using Google. First off, just to get past the TCP handshake you need to be able to capture the response. As for the SSL handshake, you need the site's private key, otherwise all you'll get back is gibberish. And without knowing what that gibberish decrypts to, you can't send a response that will make any sense to the client. Since you are apparently good at cracking private keys, why don't you just start taking bitcoins?

Edit: I think my SSL is actually backward, and it's the client that sends their encryption key using the site's pubic key to encrypt it. But, that's just semantics.

This is all irrelevant to the OP once again. It would be possible to fake if someone got the cert from MTGox. They were hacked in the past and stolen certs is part of how the Stuxnet virus worked. I haven't hacked in a while and have no intention to do so any time soon. Stealing Bitcoins is a lot harder than MTIM for MTGox API and if someone could do it, it would have been done by now. I am not a thief either so even if I could I wouldn't out of morality.

It would be nice if MTGox put out a statement directly saying what happened when the API was cycling between 6 and 7 then disappeared. It would also put any speculation to rest.

I was worried while that was happening that the site was being hacked in some way and was shitting my pants about the relatively small amount of money and bitcoins i have on there. I still have them on there if that tells you something.

[1714033086]

1714033086

[1714033086]

1714033086

[1714033086]

1714033086

[rjk]

Can anyone say... Certificate Revocation Lists (CRLs)! Hardware-based token storage! Fingerprints! Dedicated SSL appliances!
This is fun, I can go on all day.

[kjj]

MtGox's HTTPS will prevent any MITM attack unless the attacker compromises a CA or something.

Just curious theymos, what is your take on what was going on with all the charts when it was cycling in a loop between 6 and 7? After about 25 minutes those cycles were erased and the market sat at 6 until orders that were placed during the swings on the charts were executed.  Anything is possible and I have never seen anything like what happened today.

I will tell you exactly what happened today.  Ready?

Actually, gox just uses a queue with timestamps.  Their order matcher can fall behind during busy times.

When the queue is busy, everyone sees huge price swings and they try to place orders, but their orders are going to the queue, not the market.  The swings you are seeing right now on mtgoxlive.com are at least several minutes old already, possibly much older, and everyone frantically clicking their trade buttons and the bots scrambling to make sense of things are just making it worse.

I gave a much longer answer to (more or less) this same question several months ago.  Feel free to dig it out of my post history.  And, just to repeat myself:

It must be hell to be alive today with no clue about how anything at all really works.

[bittenbob]

MtGox's HTTPS will prevent any MITM attack unless the attacker compromises a CA or something.

Just curious theymos, what is your take on what was going on with all the charts when it was cycling in a loop between 6 and 7? After about 25 minutes those cycles were erased and the market sat at 6 until orders that were placed during the swings on the charts were executed.  Anything is possible and I have never seen anything like what happened today.

I will tell you exactly what happened today.  Ready?

Actually, gox just uses a queue with timestamps.  Their order matcher can fall behind during busy times.

When the queue is busy, everyone sees huge price swings and they try to place orders, but their orders are going to the queue, not the market.  The swings you are seeing right now on mtgoxlive.com are at least several minutes old already, possibly much older, and everyone frantically clicking their trade buttons and the bots scrambling to make sense of things are just making it worse.

I gave a much longer answer to (more or less) this same question several months ago.  Feel free to dig it out of my post history.  And, just to repeat myself:

It must be hell to be alive today with no clue about how anything at all really works.

Those swings were not real since they did not show up on the chart after. There was something that happened and it wasnt that. If it was simply that they were old the lines from the back and forth would be there. They disappeared as soon as trading became active again.

[luv2drnkbr]

@Eveofwar
Heh, everyone has a panic threshold.

Not too long ago I was at work. Not having enough work to do I checked bitcoinwatch. It showed a ridiculously low number of blocks/hour, something like 2.1
This got me thinking: wtf, better check the forums. Needless to say, the forums were down.
When I realized that MtGox was also down a red light went off and I immediately sent an alarming message to Gavin himself, describing the situation
Heck, when you're not at home you can't just take your time and research the situation carefully.

Why would you bother Gavin?  He surely would find out himself anyway.  He's done so much, don't pester the poor man!

[BadBear]

SSL is not the be all and end all. Handshakes can be captured and faked quite easily. Spoofing mac addresses is also very easy.

[DeathAndTaxes]

Can anyone say... Certificate Revocation Lists (CRLs)! Hardware-based token storage! Fingerprints! Dedicated SSL appliances!
This is fun, I can go on all day.

Yeah which is why I asked how one could easily MITM a https site.  I guess it was too subtle.

[cypherdoc]

SSL is not the be all and end all. Handshakes can be captured and faked quite easily. Spoofing mac addresses is also very easy.

LOL!

[bittenbob]

Can anyone say... Certificate Revocation Lists (CRLs)! Hardware-based token storage! Fingerprints! Dedicated SSL appliances!
This is fun, I can go on all day.

Yeah which is why I asked how one could easily MITM a https site.  I guess it was too subtle.

CRL's would only work if they knew it had been hijacked. Kind of like how a 0day exploit will usually only work once since it will be found and patched after it has been used.