Bitcoinica MtGox account compromised

[wareen]

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

Will you say the same to those who will experience a loss once pirateat40 runs?

In general, yes.
BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

I can remember you not being that sympathetic towards the victims of the MyBitcoin incident (you basically called them insane). What made you change your mind?

I still think anyone who gives lots of money to some anonymous stranger on the internet for safekeeping is insane. I do not blame them for the theft however. These are different things. And.. well... insane in Bitcoin (and on this forum) is like a wast majority of population anyway, so this might be even a compliment.

Ok, in that case I don't see how Grouver blamed the victims any more than you did back then? You both more or less pointed out that they shouldn't have put (that much) money there in the first place - which I basically agree with, but saying so now isn't really helping either.

While I didn't have anything on Bitcoinica, I feel very sorry for all those who have lost money and I hope that the real thief won't get away with it.

[1714211167]

1714211167

[1714211167]

1714211167

[1714211167]

1714211167

[1714211167]

1714211167

[Bitcoin Oz]

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

[Bitcoin Oz]

The thing I find so amazing is there is still no police report.

[sadpandatech]

how can they know the current Gox user/pass was found out from LastPass? I guess to them it would seem obvious of the gox acct was a new pass that only the current controller of the gox acct had. But, these are still questions that all need to have answers to them in order to make better determinations.

I see that LastPass has a way to view history, which if that showed login from an unknown IP address, that would be a pretty good clue.

I just tried to view the history but the LastPass UI for the date picker is so horrible I could not use it successfully.  (Top-right is the Lastpass asterisk (starfish, ironically   ) , then click History)

aye. the other thing I'm not sure about as I have not tested it with my lastpass. Is if it will even sync the passwords to another computer without having the exported file with it..?? Have you tried it?

[MagicalTux]

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

We will open a police investigation and get this clear on the police's side. We will not however be able to share such details publicly while an investigation is in progress.

[Vladimir]

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

Will you say the same to those who will experience a loss once pirateat40 runs?

In general, yes.
BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

I can remember you not being that sympathetic towards the victims of the MyBitcoin incident (you basically called them insane). What made you change your mind?

I still think anyone who gives lots of money to some anonymous stranger on the internet for safekeeping is insane. I do not blame them for the theft however. These are different things. And.. well... insane in Bitcoin (and on this forum) is like a wast majority of population anyway, so this might be even a compliment.

Ok, in that case I don't see how Grouver blamed the victims any more than you did back then? You both more or less pointed out that they shouldn't have put (that much) money there in the first place - which I basically agree with, but saying so now isn't really helping either.

While I didn't have anything on Bitcoinica, I feel very sorry for all those who have lost money and I hope that the real thief won't get away with it.

Your comparison is invalid. Mybitcoin was an obvious anonymous hack. Bitcoinica has created an impression of them being the most  reputable institution in the Bitcoin world, registered with NZ's financial regulation authorites, having CTO "with specialisation in information security", "never compromised", venture capital funded etc...  these are VERY different things.

Can a single person on this forum put an argument together without a dozen of logical fallacies in it?

 

[scribe]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

[Bitcoin Oz]

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

We will open a police investigation and get this clear on the police's side. We will not however be able to share such details publicly while an investigation is in progress.

The question remains why there hasnt been a police report initiated by the owners of bitcoinica. Shouldnt it be them and not yourself that initiates such a thing ? When else do you arbitrarily "inform the police " without the actual people involved doing it ?

[sadpandatech]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

I don't belive you can brutforce lastpass on a computer that did not already have the lastpass account synced to it.

[wirmola]

sry to say nut... This is a scam!!!!
freaking thieves, rot in hell..

[MagicalTux]

The question remains why there hasnt been a police report initiated by the owners of bitcoinica. Shouldnt it be them and not yourself that initiates such a thing ? When else do you arbitrarily "inform the police " without the actual people involved doing it ?

We are still discussing this with our legal counsel actually, however filing the theft details pre-emptively from our side may make things easier and faster, and may protect us and our other customers too.

[markm]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

[iCEBREAKER]

This a thousand times. This last 'hack', if it happened at all, was the remnants of bitcoinica giving money away.

No-one could be so stupid as to get publicly hacked and not change all their passwords afterwards. It's just unbelievable anyone could be that dumb and still manage to dress themselves in the morning.

Both of these a million times.



/Can't believe nobody posted that yet.

[Bitcoin Oz]

We are still discussing this with our legal counsel actually, however filing the theft details pre-emptively from our side may make things easier and faster, and may protect us and our other customers too.

Mt.Gox is covering their bases... Well it's a right thing to do.

To withdraw $40 000 it needs to also be a VERIFIED account. You cant just setup a new account and withdraw that much money. Unless things have changed....this means they should know who withdrew the money.

[bitcoinBull]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

[tbcoin]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123

[Bitcoin Oz]

The question remains why there hasnt been a police report initiated by the owners of bitcoinica. Shouldnt it be them and not yourself that initiates such a thing ? When else do you arbitrarily "inform the police " without the actual people involved doing it ?

We are still discussing this with our legal counsel actually, however filing the theft details pre-emptively from our side may make things easier and faster, and may protect us and our other customers too.

Was the money withdrawn through a verified account ?

[rdponticelli]

I'm not usually a great adept at believing in conspiracy theories, but doesn't anybody else found very convenient that just when MtGox was suffering lots of liquidity issues, a couple of really big accounts full with somebody else's money (BTCSYN and Bitcoinica's) gets depleted by strange hacks?

Just saying, anyway...  

[Raoul Duke]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123

How does one decrypt that file?
Some research is due.

[tbcoin]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123

How does one decrypt that file?
Some research is due.

Maybe genjix was "Monday at 19:00 UTC in #bitcoin on Freenode IRC."
No logs of the chat??
Genjix upload the decrypted file? if not, where are published these link before?