ArticMine (Legendary, Monero Core Team; Activity: 2282, Merit: 1050)
May 18, 2012, 07:13:31 PM
Back to the question of WHEN WILL WE SEE THE FIRST FUNDS BACK TO THE CUSTOMERS? This timing may well lead to more volatility of bitcoin trading and to know this date would be very much appreciated.
Especially when we consider the question of the open positions and at what price they will be liquidated. If the market makes a sharp move in any direction this can get real ugly real fast.

proudhon (Legendary; Activity: 2198, Merit: 1311)
May 18, 2012, 07:25:33 PM
I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.

zhoutong (OP) (VIP, Hero Member; Activity: 490, Merit: 502)
May 18, 2012, 07:34:25 PM
> Thus, with a strong salt making anything but huge rainbow tables ineffective, while some users might have relatively weak passwords that could be solved in reasonable amounts of time, the attackers wouldn't know which they are and would have to attack the entire DB looking for them.
>
> How long would it take with a reasonable GPU farm (say 4 5970s) a 6 character case sensitive Latin alphabet password? It depends on the work-level but let's assume a work level of 10. That means a single core of a server can verify a password in ~3 ms or 300 p/s. A 5970 would be ~30x as fast (optimistic) so you might be getting ~9kp/s or 36kp/s for a 4x5970 rig. If your password can't be found in a dictionary or easy password list, to brute force all 6 char passwords would require:
>
> alphabet only (53 values): 53^6 / 36000 / 60 / 60 / 24 = 7 days
> alphanumeric (63 values): 63^6 / 36000 / 60 / 60 / 24 = 20 days
> printable symbols on keyboard (95 values): 95^6 / 36000 / 60 / 60 / 24 = 236 days
>
> If the salt is random per account that means each account must be cracked separately. Of course the attacker could use multiple GPUs, so a good way to think of it is in time value. A single 5970 can generate ~0.5 BTC per day. So cracking a 10 BTC account is worth ~20 GPU days. Cracking a 1000 BTC account is worth ~200 GPU days. Adding 1 more character significantly increases the time value cost. A 7 char (all printable keys) password is ~90,000 GPU days (5970s). The time value is worth 45,000 BTC, meaning if someone had sufficient GPU they could make 45,000 BTC simply mining instead of hacking your account. Given the attacker has no idea if he will ever crack it (maybe your password is a purely random 14 character string "pOQs9jb!su3gp@") it doesn't really make sense to even try. 6 is likely "good enough" if your password is complex but 7 or 8 makes it so expensive the thief isn't going to even try.
>
> In the time it takes to brute force a single 8 char password he could brute force 86,000 other accounts trying all passwords length 1 to 5.

Thanks for the information. Bitcoinica uses a work level of 20 and forces at least 8 character passwords.

MrTeal (Legendary; Activity: 1274, Merit: 1004)
May 18, 2012, 07:41:29 PM
> Would the expected attack vector in that case be to use the known work size and then go through each user and their unique salt, first using dictionary words, then working out from the minimum password size, exhausting successively 4 character passwords, then 5, 6, etc?
>
> Yeah that would be the common attack vector. Generally speaking there are three ways to guess a password.
> a) recompiled lists (often 5-8 million, based on prior large scale breaches - people love re-using passwords even after breaches)
> b) base word dictionary (also contains slang, names, famous people, brands, etc) with substitution
> c) pure brute force.
> The order of using the masks and lookup tables is kinda an art-form. Some choices are obvious, some choices are more subjective. There are only 857K 1-3 char passwords so try them first. Next try your "common password list". A 4 char brute force usually makes the most sense (81 million). Around 5 or 6 char brute force starts to not make much sense. That assumes you are going against something solid like bcrypt. So usually after 4 or 5 char brute force trying substitution/prefix/suffix makes more sense. Start w/ 1 substitution against the dictionary and then increase the number of substitutions. Beyond 2 or 3 you really aren't gaining anything over brute force. Eventually the "largeness" of the attack space makes continuing futile.

So a sensible takeaway in this situation is that even if a password was used as the sole means of verifying an account, it would be very difficult for the attacker to use the stolen database to actually compromise any accounts for anyone whose password is even remotely secure within the week-long timeframe we're talking about. Even going through an 8M entry recompiled list at 36,000 passwords a second would take 3.7 minutes per password, or 2.57 days per 1000 passwords.
There might be someone whose password is "password" with 1000BTC sitting in their account, but really anyone stupid enough to do that probably wouldn't have 1000BTC to begin with.
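The cost arithmetic from the quoted bcrypt analysis above and from MrTeal's wordlist estimate, as an added Python model that is not from the thread or from Bitcoinica. The rates (300 guesses/s per core at cost 10, a 5970 at 30x one core, 0.5 BTC per GPU-day) and the charset sizes (53, 63, 95) are the thread's own rough assumptions, reused here so the model reproduces its figures and then extends them to the work level 20 Bitcoinica states:

```python
# Added example: brute-force cost model for salted bcrypt hashes.
# Every constant below is a rough assumption taken from the thread, not a measurement.
BASE_COST = 10              # bcrypt work level the per-core figure refers to
CORE_RATE_AT_BASE = 300     # guesses/s per CPU core at cost 10 (~3 ms per hash)
GPU_SPEEDUP = 30            # one 5970 assumed ~30x a single core (optimistic)
BTC_PER_GPU_DAY = 0.5       # assumed 2012 mining yield of one 5970
SECONDS_PER_DAY = 86_400


def guesses_per_second(cost: int, gpus: int = 1) -> float:
    """Guess rate at a given bcrypt cost: each +1 in cost halves the rate."""
    return CORE_RATE_AT_BASE / 2 ** (cost - BASE_COST) * GPU_SPEEDUP * gpus


def brute_force_days(charset: int, length: int, cost: int, gpus: int = 1) -> float:
    """Days to try every password of exactly `length` chars drawn from `charset`
    symbols against one salted hash (a per-account salt forces this per account)."""
    return charset ** length / guesses_per_second(cost, gpus) / SECONDS_PER_DAY


def time_value_btc(charset: int, length: int, cost: int) -> float:
    """BTC the same single GPU could have mined in the time the sweep takes."""
    return brute_force_days(charset, length, cost, gpus=1) * BTC_PER_GPU_DAY


def wordlist_days(list_size: int, accounts: int, cost: int, gpus: int = 1) -> float:
    """Days to run a recompiled password list against `accounts` salted hashes."""
    return accounts * list_size / guesses_per_second(cost, gpus) / SECONDS_PER_DAY


if __name__ == "__main__":
    rig = 4  # the 4x5970 rig from the thread
    # 53/63/95 are the symbol counts the quoted post used for its three classes
    for name, charset in (("alpha", 53), ("alnum", 63), ("printable", 95)):
        print(f"6-char {name:9} at cost 10 on the rig: "
              f"{brute_force_days(charset, 6, 10, rig):6.1f} days")
    print(f"7-char printable, one GPU: {brute_force_days(95, 7, 10):,.0f} GPU-days "
          f"= {time_value_btc(95, 7, 10):,.0f} BTC of forgone mining")
    print(f"8M-entry list x 1000 accounts on the rig: "
          f"{wordlist_days(8_000_000, 1000, 10, rig):.2f} days")
    # Bitcoinica's stated cost 20 is 2**10 slower again: the same rig manages
    # only ~35 guesses/s, so its 8-char minimum is far beyond the week discussed
    years = brute_force_days(63, 8, 20, rig) / 365
    print(f"8-char alnum at cost 20 on the rig: {years:,.0f} years")
```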

jgarzik (Legendary; Activity: 1596, Merit: 1100)
May 18, 2012, 07:43:46 PM
What's considered a short, weak password?
See XKCD's take on password strength: http://xkcd.com/936/
Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own. Visit bloq.com / metronome.io Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj

MrTeal (Legendary; Activity: 1274, Merit: 1004)
May 18, 2012, 07:48:25 PM
Yeah, I've seen it. I should have worded it differently. I was specifically asking muyuu what he considered a short, weak password when he said it. My hunch was that as long as it was something non-obvious that even a short password (say 6 characters) would be relatively safe when we're talking about a timeframe of a week.

M4v3R
May 18, 2012, 08:46:22 PM
> Thanks for the information. Bitcoinica uses a work level of 20 and forces at least 8 character passwords.

If you really did enforce at least 8 character passwords then it's safe to assume that the passwords* are safe.
*Unless somebody used a dictionary password.

ArticMine (Legendary, Monero Core Team; Activity: 2282, Merit: 1050)
May 18, 2012, 08:48:40 PM
> I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.

But if the BTC price were to drop to say $0.50 or rise to say $50 before the Bitcoinica positions were closed and the accounts settled with the clients, then the real fun begins.

DiabloD3 (Legendary, DiabloMiner author; Activity: 1162, Merit: 1000)
May 18, 2012, 08:59:17 PM
>> I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.
>
> But if the BTC price were to drop to say $0.50 or rise to say $50 before the Bitcoinica positions were closed and the accounts settled with the clients, then the real fun begins.

And people wonder why I called Bitcoinica a bucket shop.

bitcoinBull (Legendary, rippleFanatic; Activity: 826, Merit: 1001)
May 18, 2012, 09:39:07 PM
> The claims process should be finished tonight. It took long because we did not want to use a 3rd party service such as Wufoo for obvious security reasons.

Now that some claims have been filled out, when and how should we expect to get our funds back?! The silence from you people is maddening.
College of Bucking Bulls Knowledge

Phinnaeus Gage (Legendary, Bitcoin: An Idea Worth Spending; Activity: 1918, Merit: 1570)
May 18, 2012, 10:29:08 PM
Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.
~Bruno~

R- (Full Member, Pasta; Activity: 238, Merit: 100)
May 18, 2012, 10:55:12 PM
> Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.
> ~Bruno~

In the ballpark of 1336 users + Zhou.

rjk (Sr. Member, 1ngldh; Activity: 448, Merit: 250)
May 19, 2012, 01:22:13 AM
> In the ballpark of 1336 users + Zhou.

Ahahaha

XVacant (Newbie; Activity: 22, Merit: 0)
May 19, 2012, 01:50:33 AM
Bitcoinica Consultancy, please check if it is a bug: Why the Deposit Method of "Last Deposit" cannot be "BITCOINICA-CODE"? Now on the claims page, the "BITCOINICA-CODE" is available for "Last Withdrawal", but not available for "Last Deposit".

zhoutong (OP) (VIP, Hero Member; Activity: 490, Merit: 502)
May 19, 2012, 02:31:26 AM
> Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.
> ~Bruno~

Almost 5000

tarrant_01
May 19, 2012, 02:38:01 AM
The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not? I didn't have a position so I put 0's
1P95gCUCw3Tjb7yyoYtW3ARZZQyTpFgk6H

BIGMERVE
May 19, 2012, 03:04:09 AM
> The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not? I didn't have a position so I put 0's

If you put your email address check that. I got a message instantly with a link to confirm.

tarrant_01
May 19, 2012, 03:18:24 AM
Nothing in my mail from them. Checked spam box too.
1P95gCUCw3Tjb7yyoYtW3ARZZQyTpFgk6H

faidsaid (Newbie; Activity: 43, Merit: 0)
May 19, 2012, 07:26:04 AM
> Nothing in my mail from them. Checked spam box too.

No response here. No reply from verify@bitcoinica.com either. Imagine that

M4v3R
May 19, 2012, 07:46:43 AM
> The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not? I didn't have a position so I put 0's

Check for errors. They're not displayed in red like they should be, so it's easy to miss them (like I did when I was filling in the form for the first time).