|
Clipse
|
 |
March 02, 2012, 04:41:32 AM |
|
Watch MTGOX, Im telling you someone is dumping these coins right now.
|
...In the land of the stale, the man with one share is king... >> ClipseWe pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
|
|
|
|
|
|
Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
smickles
|
|
March 02, 2012, 04:42:35 AM |
|
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?
Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it. Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode. In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot. why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use? You have to enter the wallet password/passphrase after rebooting/restarting bitcoin. am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for? |
|
|
|
bbit
Legendary
 Offline
Activity: 1330
Merit: 1000
Bitcoin
|
|
March 02, 2012, 04:44:01 AM |
|
Watch MTGOX, Im telling you someone is dumping these coins right now.
This is right . Why not catch the thief at this part of the chain? |
|
|
|
btc_artist
Full Member
Offline
Activity: 154
Merit: 101
Bitcoin!
|
|
March 02, 2012, 04:44:51 AM |
|
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?
Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it. Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode. In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot. why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use? You have to enter the wallet password/passphrase after rebooting/restarting bitcoin. am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for? Yes, an attack like that could also be done, although it would have to be slightly more sophisticated than today's attack. Likely you would modify bitcoind to log the passphrase to a file somewhere. |
BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
March 02, 2012, 04:45:00 AM |
|
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?
Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it. Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode. In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot. why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use? You have to enter the wallet password/passphrase after rebooting/restarting bitcoin. am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for? Pretty sure such a random suspicious reboot would cause the poolop to review the server before entering any creds anywhere. Especially when his Linode access manager says that there was a login to his account a few minutes before, not caused by him. |
|
|
|
kiba
Legendary
Offline
Activity: 980
Merit: 1014
|
|
March 02, 2012, 04:45:40 AM |
|
Watch MTGOX, Im telling you someone is dumping these coins right now.
The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identity or compromise several mtgox accounts. IANASE, but keep in mind that AML increase barrier of entry, reducing competition and privacy of users. Keeping record of user identity is also a security liability if identity thieves get their hand on it. |
|
|
|
mrb
Legendary
Offline
Activity: 1512
Merit: 1027
|
|
March 02, 2012, 04:45:56 AM |
|
We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.
However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount.
When you introduced Bitcoinica, you claimed one of your security advantages was that you "did not operate a Bitcoin wallet" and that "all your funds are stored on MtGox". Source: https://bitcointalk.org/index.php?topic=42267.msg514429#msg514429However this theft makes it apparent that you changed your mind, as you lost a wallet. Why did you change your mind about hosting the wallet on your own servers? You had a great idea, you should have stuck with it. |
|
|
|
|
Sergey (imcex.com)
Newbie
Offline
Activity: 20
Merit: 0
|
|
March 02, 2012, 04:46:10 AM |
|
zhoutong, I do appreciate what your are doing for the community. This is a hell of responsibility your are taking, good job.
But, please, explain me - how could you be keeping the whole bunch of Bitcoins in a single wallet running on the VPS (!!!) in the wild? Having $200,000-250,000 worth customers' funds would make me invest my own money in renting dedicated server at least. Or two. Considering even this not being totally secure - it still would provide much more security at $50/month cost.
But hell, who cares about security at $50/month! Being a hero at $200 grands is much more effective!
|
|
|
|
|
|
Clipse
|
|
March 02, 2012, 04:47:18 AM |
|
Watch MTGOX, Im telling you someone is dumping these coins right now.
The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identity or compromise several mtgox accounts. If Mark isnt aware of watching for this, he might just let this guy withdraw all the funds over a few days, Im not sure what the endgame is however some individual(yes it was way to coordinated, watch the graphs) solely dumped just over 20k BTC allready. |
...In the land of the stale, the man with one share is king... >> ClipseWe pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
|
|
|
|
cablepair
|
|
March 02, 2012, 04:47:37 AM |
|
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?
Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it. Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode. In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot. why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use? You have to enter the wallet password/passphrase after rebooting/restarting bitcoin. am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for? Pretty sure such a random suspicious reboot would cause the poolop to review the server before entering any creds anywhere. Especially when his Linode access manager says that there was a login to his account a few minutes before, not caused by him. +1, the idea that this hacker is sitting here watching a packet sniffer or a keylogger and the admin of the server with an encrypted wallet holding $200k+ is not going to think something suspicions is preposterous it would take multiple fails for this scenario to be successful and the bottom line is an encrypted wallet would likely have saved this money. The problem is these web applications have not been developed to the level where they are able to interact with encrypted wallets. point blank. |
|
|
|
|
|
cablepair
|
|
March 02, 2012, 04:49:28 AM |
|
and again +200k to the op for being a man and taking care of this in a responsible way, im just trying to bring awareness on how we can secure bitcoin for the future. I have only like 80 bitcoins in my wallet right now but you can damn well better believe it is in encrypted with a completely uncrackable password.
|
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
March 02, 2012, 04:50:04 AM |
|
Why did you change your mind about hosting the wallet?
my bet: mtgox limitations ^This. Especially when they are upwards of 1/3rd of MtGox's transaction volume. |
|
|
|
bbit
Legendary
Offline
Activity: 1330
Merit: 1000
Bitcoin
|
|
March 02, 2012, 04:50:15 AM |
|
Watch MTGOX, Im telling you someone is dumping these coins right now.
The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identity or compromise several mtgox accounts. If Mark isnt aware of watching for this, he might just let this guy withdraw all the funds over a few days, Im not sure what the endgame is however some individual(yes it was way to coordinated, watch the graphs) solely dumped just over 20k BTC allready. The thinking is as someone told me on another thread is these thief(s) steal Bitcoin and spend bitcoin at silkroad etc., etc., which seems totally stupid to me then again I'm not a thief. What again happened the allinvain person again - did that thief cash out the BTC at the $10,000 a mo. @ Mt.Gox ? |
|
|
|
|
Eveofwar
|
|
March 02, 2012, 04:50:41 AM |
|
and again +200k to the op for being a man and taking care of this in a responsible way, im just trying to bring awareness on how we can secure bitcoin for the future. I have only like 80 bitcoins in my wallet right now but you can damn well better believe it is in encrypted with a completely uncrackable password.
Nothing is "uncrackable" given the amount of time. |
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
March 02, 2012, 04:51:07 AM |
|
Watch MTGOX, Im telling you someone is dumping these coins right now.
The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identity or compromise several mtgox accounts. If Mark isnt aware of watching for this, he might just let this guy withdraw all the funds over a few days, Im not sure what the endgame is however some individual(yes it was way to coordinated, watch the graphs) solely dumped just over 20k BTC allready. The thinking is as someone told me on another thread is these thief(s) steal Bitcoin and spend bitcoin at silkroad etc., etc., which seems totally stupid to me then again I'm not a thief. What again happened the allinvain person again - did that thief cash out the BTC at the $10,000 a mo. @ Mt.Gox ? Most of the coins are still floating around up there in la-la land. |
|
|
|
kiba
Legendary
Offline
Activity: 980
Merit: 1014
|
|
March 02, 2012, 04:52:09 AM |
|
Nothing is "uncrackable" given the amount of time.
If you don't remember your password, it's as good as lost(Unless you found a way to crack them in a reasonable amount of time). There's a tradeoff between convenience and security. |
|
|
|
|
Clipse
|
|
March 02, 2012, 04:59:24 AM |
|
and its still dumping, will probably create a false panic selloff.
|
...In the land of the stale, the man with one share is king... >> ClipseWe pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
March 02, 2012, 05:00:37 AM |
|
i would hold off on the congrats to Zhou until he actually delivers the coins. that is a lot to deliver.
|
|
|
|
|
k9quaint
Legendary
Offline
Activity: 1190
Merit: 1000
|
|
March 02, 2012, 05:01:53 AM |
|
Maybe the attacker will pull an "Omar" and sell the coins back to him for 40 cents on the dollar.  |
Bitcoin is backed by the full faith and credit of YouTube comments.
|
|
|
|
Etlase2
|
|
March 02, 2012, 05:02:05 AM |
|
bananas
B-A-N-A-N-A-S
3k was one thing, but 44k? damn
|
|
|
|
|
