Bitcoin Forum
December 04, 2016, 10:34:06 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 [51] 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 »
  Print  
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 201528 times)
ArticMine
Legendary
*
Offline Offline

Activity: 1792


Monero Core Team


View Profile
May 18, 2012, 07:13:31 PM
 #1001

Back to the question of WHEN WILL WE SEE THE FIRST FUNDS BACK TO THE CUSTOMERS? This timing may well lead to more volatility of bitcoin trading and to know this date would be very much appreciated.

Especially when we consider the question of the open positions and at what price they will be liquidated. If the market makes a sharp move in any direction this can get real ugly real fast.

Concerned that blockchain bloat will lead to centralization? Storing less than 4 GB of data once required the budget of a superpower and a warehouse full of punched cards. https://upload.wikimedia.org/wikipedia/commons/8/87/IBM_card_storage.NARA.jpg https://en.wikipedia.org/wiki/Punched_card
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
May 18, 2012, 07:25:33 PM
 #1002

I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
May 18, 2012, 07:34:25 PM
 #1003

Thus, with a strong salt making anything but huge rainbow tables ineffective, while some users might have relatively weak passwords that could be solved in reasonable amounts of time, the attackers wouldn't know which they are and would have to attack the entire DB looking for them. How long would it take with a reasonable GPU farm (say 4 5970s) a 6 character case sensitive Latin alphabet password?

It depends on the work-level but lets assume a work level of 10. That means a single core of server can verify a password in ~ 3 ms or 300 p/s.  A 5970 would be ~30x as fast (optimistic) so your might be getting ~ 9kp/s or 36kp/s for 4x5970 rig.

If your password can't be found in a dictionary or easy password list to brute force all 6 char passwords would require
alphabet only (53 values) 53^6 /36000 / 60 /60 /24 = 7 days
alphanumeric (63 values)  63^6 36000 / 60 /60 /24 = 20 days
printable symbols on keyboard (95 values) 95^6 /36000 / 60 /60 /24 = 236 days

If the salt is random per account that means each account must be cracked separately.

Of course the attacker could use multiple GPUs so a good way to think of it is in time value.    A single 5970 can generate ~0.5 BTC per day.  So cracking a 10 BTC account is worth ~ 20 GPU days.  Cracking a 1000 BTC account is worth ~200 GPU days.

Adding 1 more character significantly increases the time value cost.  A 7 char (all printable keys) password is ~ 90,000 GPU days (5970s).  The time value is worth 45,000 BTC meaning if someone had sufficient GPU they could make 45,000 BTC simply mining instead of hacking your account.  Given the attacker has no idea if he will ever crack it (maybe your password is a purely random 14 character string "pOQs9jb!su3gp@") it doesn't really make sense to even try.

6 is likely "good enough" if your password is complex but 7 or 8 makes it so expensive the thief isn't going to even try.  In the time it takes to brute force a single 8 char password he could brute force 86,000 other accounts trying all passwords length 1 to 5.


Thanks for the information. Bitcoinica uses a work level of 20 and forces at least 8 character passwords.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
MrTeal
Legendary
*
Offline Offline

Activity: 1246


View Profile
May 18, 2012, 07:41:29 PM
 #1004

Would the expected attack vector in that case be to use the known work size and then go through each user and their unique salt first using dictionary word, then working out from the minimum password size exhausting successively 4 character passwords, then 5, 6, etc?

Yeah that would be the common attack vector.

Generally speaking there are three ways to guess a password.
a) recompiled lists (often 5-8 million based on prior large scale breaches - people love re-using passwords even after breaches)
b) base word dictionary (also contains slang, names, famous people, brands, etc) with substitution
c) pure brute force.

The order of using the masks and lookup tables is kinda an art-form.  Some choices are obvious, some choices are more subjective.

There are only 857K 1-3 char passwords so try them first.  
Next try your "common password list".
A 4 char brute force usually makes the most sense (81 million).
Around 5 or 6 char brute force starts to not make much sense.  That assumes you are going against something solid like bcrypt.
So uaully after 4 or 5 char brute force trying substitution/prefix/suffix makes more sense.

Start w/ 1 substitution against the dictionary and then increase the number of substitutions.  Beyond 2 or 3 you really aren't gaining anything over brute force.  Eventually the "largeness" of the attack space makes continuing futile.


So a sensible takeaway in this situation is that even if a password was used as the sole means of verifying an account, it would be very difficult for the attacker to use the stolen database to actually compromise any accounts for anyone who's password is even remotely secure within the week long timeframe we're talking about. Even going through a 8M entry recompiled list at 36,000 passwords a second would take 3.7 minutes per password, or 2.57 days per 1000 passwords. There might be someone who's password is "password" with 1000BTC sitting in their account, but really anyone stupid enough to do that probably wouldn't have 1000BTC to begin with.
jgarzik
Legendary
*
Offline Offline

Activity: 1470


View Profile
May 18, 2012, 07:43:46 PM
 #1005

What's considered a short, weak password?

See XKCD's take on password strength:  http://xkcd.com/936/


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
MrTeal
Legendary
*
Offline Offline

Activity: 1246


View Profile
May 18, 2012, 07:48:25 PM
 #1006

What's considered a short, weak password?

See XKCD's take on password strength:  http://xkcd.com/936/



Yeah, I've seen it. Smiley

I should have worded it differently. I was specifically asking muyuu what he considered a short, weak password when he said it. My hunch was that as long as it was something non-obvious that even a short password (say 6 characters) would be relatively safe when we're talking about a timeframe of a week.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
May 18, 2012, 08:46:22 PM
 #1007

Thanks for the information. Bitcoinica uses a work level of 20 and forces at least 8 character passwords.

If you really did enforce at least 8 character passwords than it's safe to assume that the passwords* are safe.

*Unless somebody used a dictionary password.
ArticMine
Legendary
*
Offline Offline

Activity: 1792


Monero Core Team


View Profile
May 18, 2012, 08:48:40 PM
 #1008

I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.

But if the BTC price were to drop to say $0.50 or rise to say $50 before the Bitcoinica positions were closed and the accounts settled with the clients  then the real fun begins.

Concerned that blockchain bloat will lead to centralization? Storing less than 4 GB of data once required the budget of a superpower and a warehouse full of punched cards. https://upload.wikimedia.org/wikipedia/commons/8/87/IBM_card_storage.NARA.jpg https://en.wikipedia.org/wiki/Punched_card
DiabloD3
Legendary
*
Offline Offline

Activity: 1162


DiabloMiner author


View Profile WWW
May 18, 2012, 08:59:17 PM
 #1009

I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.

But if the BTC price were to drop to say $0.50 or rise to say $50 before the Bitcoinica positions were closed and the accounts settled with the clients  then the real fun begins.

And people wonder why I called Bitcoinica a bucket shop.

bitcoinBull
Legendary
*
Offline Offline

Activity: 826


rippleFanatic


View Profile
May 18, 2012, 09:39:07 PM
 #1010

the claims process should be finished tonight. It took long because we did not want to use a 3rd party service such as Wufoo for obvious security reasons.

Now that some claims have been filled out, when and how should we expect to get our funds back?!

The silence from you people is maddening.

College of Bucking Bulls Knowledge
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
May 18, 2012, 10:29:08 PM
 #1011

Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.

~Bruno~
R-
Full Member
***
Offline Offline

Activity: 238

Pasta


View Profile WWW
May 18, 2012, 10:55:12 PM
 #1012

Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.

~Bruno~


In the ballpark of 1336 users + Zhou.
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
May 19, 2012, 01:22:13 AM
 #1013

In the ballpark of 1336 users + Zhou.
Ahahaha

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
XVacant
Newbie
*
Offline Offline

Activity: 23



View Profile
May 19, 2012, 01:50:33 AM
 #1014

Bitcoinica Consultancy, please check if it is a bug: Why the Deposit Method of "Last Deposit" cannot be "BITCOINICA-CODE"?
Now on the claims page, the "BITCOINICA-CODE" is available for  "Last Withdrawal", but not available for "Last Deposit".
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
May 19, 2012, 02:31:26 AM
 #1015

Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.

~Bruno~


Almost 5000

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
tarrant_01
Hero Member
*****
Offline Offline

Activity: 546



View Profile
May 19, 2012, 02:38:01 AM
 #1016

The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's

1P95gCUCw3Tjb7yyoYtW3ARZZQyTpFgk6H
BIGMERVE
Hero Member
*****
Offline Offline

Activity: 728



View Profile WWW
May 19, 2012, 03:04:09 AM
 #1017

The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's

If you put your email address check that. I got a message instantly with a link to confirm.

tarrant_01
Hero Member
*****
Offline Offline

Activity: 546



View Profile
May 19, 2012, 03:18:24 AM
 #1018

Nothing in my mail from them. Checked spam box too.

1P95gCUCw3Tjb7yyoYtW3ARZZQyTpFgk6H
faidsaid
Jr. Member
*
Offline Offline

Activity: 43


View Profile
May 19, 2012, 07:26:04 AM
 #1019

Nothing in my mail from them. Checked spam box too.
No response here. No reply from verify@bitcoinica.com either. Imagine that Wink


“There are two novels that can change a bookish fourteen-year old's life: The Lord of the Rings and Atlas Shrugged. One is a childish fantasy that often engenders a lifelong obsession with its unbelievable heroes, leading to an emotionally stunted, socially crippled adulthood, unable to deal with the real world. The other, of course, involves orcs.”
― John Rogers
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
May 19, 2012, 07:46:43 AM
 #1020

The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's

Check for errors. They're not displayed in red like they should, so it's easy to miss them (like I did when I was filling the form for the first time).
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 [51] 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!