Bitcoin Forum
December 08, 2016, 04:33:29 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 [15] 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 »
  Print  
Author Topic: Bitcoinica MtGox account compromised  (Read 145870 times)
Clipse
Hero Member
*****
Offline Offline

Activity: 504


View Profile
July 13, 2012, 07:37:38 PM
 #281

And now everyone imagine that it is year 2020 and 1 BTC worth 1 000 000 USD 1kg of gold.


First we need the americans to realise what a kilogram is. Smiley

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
1481214809
Hero Member
*
Offline Offline

Posts: 1481214809

View Profile Personal Message (Offline)

Ignore
1481214809
Reply with quote  #2

1481214809
Report to moderator
1481214809
Hero Member
*
Offline Offline

Posts: 1481214809

View Profile Personal Message (Offline)

Ignore
1481214809
Reply with quote  #2

1481214809
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481214809
Hero Member
*
Offline Offline

Posts: 1481214809

View Profile Personal Message (Offline)

Ignore
1481214809
Reply with quote  #2

1481214809
Report to moderator
1481214809
Hero Member
*
Offline Offline

Posts: 1481214809

View Profile Personal Message (Offline)

Ignore
1481214809
Reply with quote  #2

1481214809
Report to moderator
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504



View Profile
July 13, 2012, 07:39:11 PM
 #282

And now everyone imagine that it is year 2020 and 1 BTC worth 1 000 000 USD 1kg of gold.


First we need the americans to realise what a kilogram is. Smiley
is that some several thousands of grams?  Grin


kidding, in case you arn't sure.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
July 13, 2012, 07:41:42 PM
 #283

did anyone else find it ironic that this happened on friday the 13th?  

I did, hence one of my over-the-size-limit Readers Digest Large Print posts. (though at the time I was bringing attention to the time of day [local] that Mt Gox support was posting)

~Bruno~

PS: BRB, all. Making a fresh pot of coffee. Anybody want some?
Mistafreeze
Sr. Member
****
Offline Offline

Activity: 291


View Profile
July 13, 2012, 07:43:14 PM
 #284

And now everyone imagine that it is year 2020 and 1 BTC worth 1 000 000 USD 1kg of gold.


First we need the americans to realise what a kilogram is. Smiley

Imperial units 4 life!!

 Tongue

Beerfund NXT-L4WV-ZF8P-8X54-D6XML
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 07:47:25 PM
 #285

PS: BRB, all. Making a fresh pot of coffee. Anybody want some?
Count me in baby

Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
July 13, 2012, 08:07:57 PM
 #286

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

-
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 08:15:02 PM
 #287

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.


Will you say the same to those who will experience a loss once pirateat40 runs?

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
bitcoinBull
Legendary
*
Offline Offline

Activity: 826


rippleFanatic


View Profile
July 13, 2012, 08:15:17 PM
 #288

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).

[...]
While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
    end
end
Sourcecode download link: http://depositfiles.com/files/2p6zvadzs
[...]

Had anyone heard of this source code leak? This is the first time I'm hearing of it..

College of Bucking Bulls Knowledge
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 08:15:48 PM
 #289

Will you say the same to those who will experience a loss once pirateat40 runs?
lol

davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 08:16:33 PM
 #290

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).
The API keys *were* revoked.

rdponticelli
Sr. Member
****
Offline Offline

Activity: 326


Our highest capital is the Confidence we build.


View Profile
July 13, 2012, 08:17:56 PM
 #291

Quote from: Doesn't really matter
Two things are infinite, the universe and human stupidity, and I am not yet completely sure about the universe.

By malice, negligence or whatever, the sad truth is that this is already nothing but a huge scam.

Doesn't make sense to stay kicking this dead body, lets just move on...
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
July 13, 2012, 08:19:12 PM
 #292

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).
The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2 factor authentication.

As for the API-key-as-a-master-password fuckup, well I don't have enough info on that to make a judgement. Was that password implemented in the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
markm
Legendary
*
Offline Offline

Activity: 1792



View Profile WWW
July 13, 2012, 08:27:02 PM
 #293

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
July 13, 2012, 08:27:43 PM
 #294

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.


Will you say the same to those who will experience a loss once pirateat40 runs?

In general, yes.

BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.


-
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 08:35:21 PM
 #295

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.


Will you say the same to those who will experience a loss once pirateat40 runs?

In general, yes.

BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

I think you're stretching it a bit.. If you truly want to blame anyone (the concept of blame is stupid anyway since I don't believe we have such a thing as free will) meaning you want to find the cause of the effect then you can't really ignore the actions of the victim. Like with a ponzi even here they must have seen ample red flags and warnings by other skeptics and yet decided to risk their money. And once you are in a risk vs reward scenario and the reward doesn't pan out and instead you experience the risk event you were expecting some of the time I don't see how you don't carry partial blame for losing your money.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
paraipan
Legendary
*
Offline Offline

Activity: 924


Firstbits: 1pirata


View Profile WWW
July 13, 2012, 08:35:53 PM
 #296

...

Cheesy lol


This is amazing..  wow...  

Companies like this will ruin bitcoin..



Don't be so sure about that, this is the wild west and bitcoin (read digital gold) is our business...

Quite dramatic change when comparing present comments with the ones you were making a few months back.

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 13, 2012, 08:37:58 PM
 #297


I think you're stretching it a bit.. If you truly want to blame anyone (the concept of blame is stupid anyway since I don't believe we have such a thing as free will) meaning you want to find the cause of the effect then you can't really ignore the actions of the victim. Like with a ponzi even here they must have seen ample red flags and warnings by other skeptics and yet decided to risk their money. And once you are in a risk vs reward scenario and the reward doesn't pan out and instead you experience the risk event you were expecting some of the time I don't see how you don't carry partial blame for losing your money.

On closer inspection, I don't like people's money going into a very large ponzi scheme that will impact the confidence and the economy at large. I can only say "I warn ya".

Aseras
Hero Member
*****
Offline Offline

Activity: 658


View Profile
July 13, 2012, 08:41:18 PM
 #298

How exactly did they get 40K out of Gox without having to wait 2 weeks?
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
July 13, 2012, 08:46:14 PM
 #299

hazek, it is getting way off topic. let's stop this discussion in this thread.

But it is either my English so bad, or your reading comprehension is below average today. You are arguing exactly my point and then saying that I am wrong. WTF?

-
bitcoinBull
Legendary
*
Offline Offline

Activity: 826


rippleFanatic


View Profile
July 13, 2012, 08:53:02 PM
 #300

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).
The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2 factor authentication.

As for the API-key-as-a-master-password fuckup, well I don't have enough info on that to make a judgement. Was that password implemented in the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?

Ah, somebody downloaded LastPass and sync'd it with an accoung using info@bitcoinica.com as the log-in using the revoked mtGox API key as the password. This gave them all the passwords for that account, including the regular MtGox password (no 2-factor auth).

And it sounds like three separate people/groups had full access to the info@bitcoinica.com LastPass account: zhoutong (who presumably set it up), Tihan (who passed it to "bitcoin consultancy"), and bitcoin consultancy.


That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


I don't think there is a separate encryption passphrase for LastPass, the master password is the encryption passphrase.

https://lastpass.com/features_free.php
Quote
Your sensitive data is encrypted on your PC. Only your LastPass password can unlock your data and only YOU have it.

College of Bucking Bulls Knowledge
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 [15] 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!