Bitcoin Forum
December 10, 2016, 04:44:43 PM *
Author Topic: Bitcoinica MtGox account compromised  (Read 145946 times)
Raoul Duke
aka psy
July 13, 2012, 11:43:53 PM
 #341

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this after all a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-



That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?


http://pastebin.com/htzdAJGF

It's a new hack?? The code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

tbcoin
July 13, 2012, 11:49:44 PM
 #342

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this after all a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-



That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?


http://pastebin.com/htzdAJGF

It's a new hack?? The code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

Maybe genjix was "Monday at 19:00 UTC in #bitcoin on Freenode IRC."
No logs of the chat??
Genjix upload the decrypted file? if not, where are published these link before?

Sorry for my bad english Wink
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
sadpandatech
July 13, 2012, 11:50:39 PM
 #343



That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?


http://pastebin.com/htzdAJGF

It's a new hack?? The code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123 Huh

How does one decrypt that file?
Some research is due.
According to the pastebin announcement they were going to make the sourcecode public on the 9th by releasing the instructions to decrypt it on freenode. Anyone got a log of freenode #bitcoin at around 1900 on the 9th of July 2012?

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
nomnomnom
July 13, 2012, 11:52:03 PM
 #344

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this after all a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-



That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?


http://pastebin.com/htzdAJGF

It's a new hack?? The code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

It was posted on reddit a few days ago:
http://www.reddit.com/r/Bitcoin/comments/w6xen/bitcoinica_press_release/
tbcoin
July 13, 2012, 11:59:00 PM
 #345

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this after all a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-



That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?


http://pastebin.com/htzdAJGF

It's a new hack?? The code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

It was posted on reddit a few days ago:
http://www.reddit.com/r/Bitcoin/comments/w6xen/bitcoinica_press_release/


"
genjix 1 point 5 days ago
This is legit. Run "git log" to see the development history.
"
if you already knew, did not occur to review the code filtering, if there was something sensible?

Sorry for my bad english Wink
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
Raoul Duke
aka psy
July 14, 2012, 12:00:54 AM
 #346

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200 clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/
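
Added example, not part of any post in this thread: the reflog line quoted in #346 can be decoded field by field instead of read by eye. This Python sketch parses that line and converts its epoch timestamp to UTC and to the recorded +0200 offset; the function and field names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Reflog entry exactly as quoted in the thread. git separates the message
# from the timezone with a tab; forum pastes often turn it into a space,
# so the parser accepts either.
THREAD_LINE = (
    "0000000000000000000000000000000000000000 "
    "939e877106a5bd479f350adc6d9e4170c62df8f3 "
    "genjix <genjix@nite.(none)> 1338505438 +0200 "
    "clone: from git@github.com:bitcoinica/bitcoinica_legacy.git"
)

REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})[\t ](?P<msg>.*)$"
)


def parse_reflog_line(line):
    """Split one .git/logs/HEAD entry into its fields."""
    m = REFLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a reflog entry: %r" % line[:60])
    tz = m["tz"]
    sign = -1 if tz[0] == "-" else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    when_utc = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    action, _, detail = m["msg"].partition(": ")
    return {
        "old": m["old"],
        "new": m["new"],
        "name": m["name"],
        "email": m["email"],
        "utc": when_utc,
        "local": when_utc.astimezone(timezone(offset)),
        "action": action,
        "detail": detail,
        # All-zero old hash: the ref did not exist before this entry.
        "ref_created": set(m["old"]) == {"0"},
        # "(none)" in the address: git's auto-generated identity, built from
        # login name and hostname when user.email is not configured.
        "fallback_ident": m["email"].endswith("(none)"),
    }


def summarize(line):
    """One-line rendering with both UTC and recorded-offset time."""
    e = parse_reflog_line(line)
    return "%s by %s <%s> at %s UTC (%s local): %s" % (
        e["action"], e["name"], e["email"],
        e["utc"].strftime("%Y-%m-%d %H:%M:%S"),
        e["local"].strftime("%Y-%m-%d %H:%M:%S %z"),
        e["detail"],
    )


if __name__ == "__main__":
    print(summarize(THREAD_LINE))
```

The timestamp falls on May 31 in UTC and on June 1 at the recorded +0200 offset, so state the zone when citing it. Reflog identity and clock are written by the local git client, and tar owner names by whoever created the archive, so both are editable metadata rather than proof of authorship.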

Bitcoin Oz
July 14, 2012, 12:04:11 AM
 #347

So basically they just open sourced all their passwords

 Huh

tbcoin
July 14, 2012, 12:04:45 AM
 #348

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/log/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200 clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

+ pastebin > BY: A GUEST ON JUL 7TH, 2012  

And again, please genjix can you explain this? Everything is falsifiable but ...

Sorry for my bad english Wink
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
Raoul Duke
aka psy
July 14, 2012, 12:06:30 AM
 #349

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/log/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200 clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


And again, please genjix you explain this? Everything is falsifiable but ...

He won't explain shit. If he wanted to explain he would've done it by now.

Mt.Gox Support
July 14, 2012, 12:07:14 AM
 #350

I use lastpass but man the passwords I use now for mtgox and all other websites I have been changing to 40 character plus passwords.

My YUBIKEY CAN NOT ARRIVE FAST ENOUGH!

Wish a regular YUBIKEY would work with MtGox though Sad

Hey TUX! Any chance of getting a MtGox Yubikey free or at least allowing us to use our own? Sad

Please use Google Auth for the moment, we will see with Mark what can be done regarding people that already own a Yubikey.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
markm
July 14, 2012, 12:08:05 AM
 #351

So basically they just open sourced all their passwords

 Huh

Not quite. How many attempts does LastPass allow before locking an account?

Someone had to have some reason to "waste" one attempt on that particular string of characters from the source code.

So, who tipped them off that if they wanted to spend those limited number of attempts, this particular string of characters might be a darn good guess to spend one of their attempts on...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
bitcoinBull
July 14, 2012, 12:12:35 AM
 #352

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200 clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


That's not the encoded file. You're still looking at genjix's re-pack.

College of Bucking Bulls Knowledge
Bitcoin Oz
July 14, 2012, 12:15:15 AM
 #353

So basically they just open sourced all their passwords

 Huh

Not quite. How many attempts does LastPass allow before locking an account?

Someone had to have some reason to "waste" one attempt on that particular string of characters from the source code.

So, who tipped them off that if they wanted to spend those limited number of attempts, this particular string of characters might be a darn good guess to spend one of their attempts on...

-MarkM-


One would still have to know that particular string relates to lastpass .... I'm not sure how many attempts they allow.

tbcoin
July 14, 2012, 12:16:53 AM
 #354

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200 clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


That's not the encoded file. You're still looking at genjix's re-pack.

Pastebin
"
Monday 9th July, the Bitcoinica sourcecode will be made public.
 
Encrypted file for download: http://depositfiles.com/files/u8e6gd032
 
Secret key + instructions for decryption will be released on Monday at 19:00 UTC in #bitcoin on Freenode IRC.
"

Until day 9 not public how to decrypt and "re-pack" was genjix day 7, the same as it was published in pastebin


EDIT:
Cold thinking, ok, if possible, the dates remain the original.

EDIT2:
Quote
That's not the encoded file. You're still looking at genjix's re-pack.

Dude, I think I know what I did... I decoded the file... And yes, it has the exact same thing as the link genjix posted in the OP. Go look at yours if you wish.

Here's what I did, just so you know and don't call me a liar.
I downloaded bitcoinica.enc from http://depositfiles.com/files/u8e6gd032 to a dir named "b" on my home drive and I did the following
Code:
$ cd b

$ split --bytes=3000000 bitcoinica.enc

$ mv xaa 2

$ cat xab xac > 1

$ cat 1 2 > bit.tar.bz2

$ tar -jtvf bit.tar.bz2 | head -n1

After I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.



Sorry for my bad english Wink
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
Raoul Duke
aka psy
July 14, 2012, 12:17:52 AM
 #355

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200 clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


That's not the encoded file. You're still looking at genjix's re-pack.

Dude, I think I know what I did... I decoded the file... And yes, it has the exact same thing as the link genjix posted in the OP. Go look at yours if you wish.

Here's what I did, just so you know and don't call me a liar.
I downloaded bitcoinica.enc from http://depositfiles.com/files/u8e6gd032 to a dir named "b" on my home drive and I did the following
Code:
$ cd b

$ split --bytes=3000000 bitcoinica.enc

$ mv xaa 2

$ cat xab xac > 1

$ cat 1 2 > bit.tar.bz2

$ tar -jtvf bit.tar.bz2 | head -n1

After, I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Try it yourself.

NothinG
July 14, 2012, 12:23:58 AM
 #356

So basically they just open sourced all their passwords

 Huh
How many attempts does LastPass allow before locking an account?
I think it's 3 attempts.

markm
July 14, 2012, 12:26:38 AM
 #357

So basically they just open sourced all their passwords

 Huh
How many attempts does LastPass allow before locking an account?
I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...

Cool

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Mt.Gox Support
July 14, 2012, 12:28:31 AM
 #358

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that? One doesn't just transfer $40 000 out of Mordor.

AML has nothing to do with warning. AML is just here to make sure you are who you say you are, and then once a person on here, in this case a company, proves they are who they say they are, they become Trusted or Verified. Once you have a Verified Account or a Trusted account your limits are not lifted; you, or in this case the representative of the company, need to contact us and ask us to lift their account limits.

AML has once again nothing to do with that. Now Mt.Gox offers many withdrawal methods, and the thief used the one(s) that fit his/her/their needs in that matter.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
Clipse
July 14, 2012, 12:29:12 AM
 #359

After I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

I confirm this. So the hacker had access to git even after 15th... So they didn't change password or this is an inside job.


or intersango/bitcoin consultancy simply think everyone on this forum is a moron.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
Bitcoin Oz
July 14, 2012, 12:29:39 AM
 #360

So basically they just open sourced all their passwords

 Huh
How many attempts does LastPass allow before locking an account?
I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...

Cool

-MarkM-


I think the probability is about the same as finding a sha-256 collision in bitcoin   Smiley
