Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 145928 times)
Phinnaeus Gage
July 24, 2012, 03:21:11 PM
 #741


Quote
You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Zhou did not sell the Delaware entity (xWaylab Inc).

Quote
If you ever find yourself needing money, if I were you, and I am def. not, would just make a new bitcoinica with your new knowledge of past mistakes.

Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

+1 (I don't pluses often)

Damn good point, repentance.

~Bruno~
defxor
July 24, 2012, 04:11:57 PM
 #742

Quote
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

A lot of people who should know better fail at understanding entropy. I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.



rjk
July 24, 2012, 04:19:42 PM
 #743

Quote
I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.
Oh derp, I just rolled my eyes out of my head.
The UU in UUID stands for Universally Unique. And it is unique, unless some bonehead doesn't use any entropy.
"Security Architect" indeed.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
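The entropy point defxor and rjk are making (a constant prefix adds nothing to a random token, and a UUID is only unpredictable if it was actually drawn from a CSPRNG) can be made concrete. The following is an added example, not code from either poster or from any project mentioned in the thread; the function names, the 14-bit allowance for version-1 UUIDs, and the 120-bit acceptance threshold are assumptions chosen for the illustration.

```python
import math
import uuid

# RFC 4122 fixes 6 bits of every version-4 UUID (4 version bits, 2 variant
# bits), so a v4 token carries 122 bits from the CSPRNG, not 128.
UUID4_FIXED_BITS = 6


def uuid_random_bits(token_str: str) -> int:
    """Unpredictable bits in a UUID-shaped token, judged by its version field.

    v4:    128 - 6 fixed bits = 122 bits drawn from os.urandom.
    v1:    timestamp plus node (MAC) address, both guessable by anyone who
           knows the host and roughly when the token was minted; only the
           14-bit clock sequence is meant to be random, so allow 14 bits at
           most (an assumed, generous reading of the spec).
    v3/v5: deterministic hashes of a caller-chosen name; no fresh entropy.
    Anything that does not parse as a UUID is treated as 0 bits.
    """
    try:
        u = uuid.UUID(token_str)
    except ValueError:
        return 0
    if u.version == 4:
        return 128 - UUID4_FIXED_BITS
    if u.version == 1:
        return 14
    return 0


def token_entropy_bits(prefix: str, token_str: str) -> int:
    """Entropy of a URL token built as prefix + UUID.

    The prefix is a fixed string that appears in every URL the service
    issues, so an attacker knows it: one possibility, log2(1) = 0 bits.
    Namespacing can keep two services' identifier spaces from overlapping,
    but it adds nothing to how hard the token is to guess.
    """
    prefix_choices = 1
    return int(math.log2(prefix_choices)) + uuid_random_bits(token_str)


def is_acceptable_auth_token(token_str: str, min_bits: int = 120) -> bool:
    """Server-side acceptance check: only CSPRNG-backed (v4) UUIDs carry
    enough entropy to serve as bearer credentials."""
    return uuid_random_bits(token_str) >= min_bits


def expected_online_guesses(bits: int) -> float:
    """Average number of guesses needed to hit one valid token: 2^(bits-1)."""
    return 2.0 ** (bits - 1)


def make_token(version: int) -> str:
    """Mint a token the way three common (mis)implementations would.
    The v5 name is a constructed placeholder, not a real URL."""
    if version == 4:
        return str(uuid.uuid4())
    if version == 1:
        return str(uuid.uuid1())
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/token"))
```

The acceptance check is the defender's side of rjk's remark: a service that issues UUID tokens should refuse to honour ones whose version byte says they came from a clock or a name hash rather than from the random number generator.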
repentance
July 24, 2012, 07:43:19 PM
 #744


Quote
The only reasonable crime you the authorities might possibly could charge them is extreme negligence, not theft. You don't have any evidence for theft except your suspicion that this is an inside job.

There should be a proper investigation before we can speak about charging somebody, or did you lose your rationality when you lost your money?

FTFY.

People can certainly file criminal complaints.  The extent to which those complaints are investigated and whether any investigations lead to criminal charges is another matter entirely and not determined by the complainants.  People's theories (including mine) about what happened are not evidence.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
MrTeal
July 24, 2012, 08:07:34 PM
 #745

Quote
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

A lot of people who should know better fail at understanding entropy. I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.


Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.
ErebusBat
July 24, 2012, 08:21:07 PM
 #746

Quote
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
sadpandatech
July 24, 2012, 08:26:15 PM
 #747

Quote
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

Which brings me back to a question I had.  I should have just tested this by now but haven't had time. If you have lastpass installed on one computer and want to start using the same account on another, does it load the passwords to the new computer when you validate there? (If so then the backdoor thing could work.) But what I was under the impression of, is if you want to use an account on another computer you had to export the saved passwords and physically place them on the new computer??  If that's the case it would have done our alleged hacker no good to just know the password..

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
Sysrq
July 24, 2012, 08:33:59 PM
 #748

Quote
Which brings me back to a question I had.  I should have just tested this by now but haven't had time. If you have lastpass installed on one computer and want to start using the same account on another, does it load the passwords to the new computer when you validate there? (If so then the backdoor thing could work.) But what I was under the impression of, is if you want to use an account on another computer you had to export the saved passwords and physically place them on the new computer??  If that's the case it would have done our alleged hacker no good to just know the password..

You just need to install Lastpass on your new computer and enter your password. It will download your passwords from the encrypted server.
MrTeal
July 24, 2012, 08:38:41 PM
 #749

Quote
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
I'm not sure I follow this, the master password or at least its hash must be sent to LP in order to log in. If, when you log into the website using your master password, the webpage hashes the password and then sends the password to the server for verification, that still leaves the website as an attack vector where the login could be sent plaintext to the attacker's website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?
repentance
July 24, 2012, 08:42:28 PM
 #750

Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.

ErebusBat
July 25, 2012, 12:58:53 AM
 #751

Quote
Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.
LastPass offers offline recovery tools you can use in that event, but you still need your password.

ErebusBat
July 25, 2012, 01:03:09 AM
 #752

Quote
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
I'm not sure I follow this, the master password or at least its hash must be sent to LP in order to log in. If, when you log into the website using your master password, the webpage hashes the password and then sends the password to the server for verification, that still leaves the website as an attack vector where the login could be sent plaintext to the attacker's website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?
When you use the client I believe it downloads a nonce as part of the authentication rendering a replay attack improbable.

LastPass was not the weakness here.  The interesting point, which I have not seen anyone point out, would be:

Why on earth would anyone in their right mind select a UUID for a master password?  There are only two possibilities I can come up with:

1. They all knew it was the Mt.Gox key so they could copy/paste it anytime they needed.
2. They had the 'remember password' option selected in LP.

Why anyone that knows *anything* about security would think that either of those options was good is beyond me.  They would have been worlds better by selecting a known phrase such as "We all live in a yellow submarine", easily remembered and told over the phone, etc.

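MrTeal asks whether a captured login hash can simply be replayed, and ErebusBat answers that a per-login nonce prevents that. The design they are debating (a vault key derived on the client from the master password, a separate one-way login secret that is the only thing the server ever learns, and a challenge-response login bound to a fresh nonce) is small enough to show end to end. What follows is an added example written for this thread; it is not LastPass's code and makes no claim about the real service's protocol. The KDF work factor, the HMAC-SHA256 challenge-response, the AuthServer class and the sample account are all assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Work factor for the client-side KDF. Assumed value for the demo; raise it in practice.
KDF_ROUNDS = 100_000


# ---- client side ---------------------------------------------------------
def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed on the client and never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), KDF_ROUNDS, dklen=32)


def derive_login_secret(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way step on top of the vault key. This is the only value the
    server ever learns; PBKDF2 cannot be run backwards, so holding it reveals
    neither the vault key nor the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=32)


def client_respond(login_secret: bytes, nonce: bytes) -> bytes:
    """Answer a server challenge. The MAC is bound to this one nonce."""
    return hmac.new(login_secret, nonce, hashlib.sha256).digest()


# ---- server side ---------------------------------------------------------
class AuthServer:
    def __init__(self) -> None:
        # email -> login secret. It is password-equivalent for *login*, so it
        # must be protected at rest, but it is useless for decrypting a vault.
        self._login_secrets: dict[str, bytes] = {}
        # email -> outstanding nonce; popped on first use so it cannot be answered twice.
        self._pending: dict[str, bytes] = {}

    def register(self, email: str, login_secret: bytes) -> None:
        self._login_secrets[email] = login_secret

    def challenge(self, email: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[email] = nonce
        return nonce

    def verify(self, email: str, response: bytes) -> bool:
        nonce = self._pending.pop(email, None)
        secret = self._login_secrets.get(email)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def holds(self, value: bytes) -> bool:
        """Introspection for the demo: is this value stored anywhere server-side?"""
        return value in self._login_secrets.values()


def demo() -> dict:
    """One honest login, then replay of what a network eavesdropper captured."""
    email = "alice@example.invalid"            # constructed sample account
    password = "correct horse battery staple"  # constructed sample passphrase
    vault_key = derive_vault_key(password, email)
    login_secret = derive_login_secret(vault_key, password)

    server = AuthServer()
    server.register(email, login_secret)

    # Honest login: fresh nonce, MAC computed on the client.
    nonce = server.challenge(email)
    captured = client_respond(login_secret, nonce)
    login_ok = server.verify(email, captured)

    # Eavesdropper replays the captured response against a new challenge.
    server.challenge(email)
    replay_ok = server.verify(email, captured)

    # Even the same nonce cannot be answered twice: verify() consumed it.
    nonce = server.challenge(email)
    second_login_ok = server.verify(email, client_respond(login_secret, nonce))
    nonce_reuse_ok = server.verify(email, client_respond(login_secret, nonce))

    return {
        "login_ok": login_ok,
        "second_login_ok": second_login_ok,
        "replay_ok": replay_ok,
        "nonce_reuse_ok": nonce_reuse_ok,
        "server_holds_vault_key": server.holds(vault_key),
        "server_holds_password": server.holds(password.encode("utf-8")),
    }
```

Two limits worth noting. The nonce defeats the second half of MrTeal's objection (reusing a captured hash), but not the first: a client or web page that has been tampered with sees the master password before any derivation runs, and no server-side protocol can undo that. And because the server must hold the login secret to check the MAC, that value is a login-equivalent credential that needs the same at-rest protection as any password verifier; what the extra PBKDF2 step buys is that a server breach still yields no vault keys.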
Phinnaeus Gage
July 25, 2012, 01:19:06 AM
 #753

Quote
2012-06-17 Claims Payments Specifics

Be sure to fill out the payment instructions section of the claim.
Failure to do so will significantly delay claims.

Once again, no update on Bitcoinica's website, the above being the latest. Are you telling me that everybody who was a client of Bitcoinica visits this forum to get the latest? That every single client of theirs knows of the latest hack and that they are now looking at only a 66% refund or, worse, done?

Also, can somebody tell me why Intersango is a wise choice to store/invest hard-earned bitcoins. And before you go there, I feel that Intersango and Bitcoinica are not mutually exclusive.

~Bruno~
sadpandatech
July 25, 2012, 01:44:35 AM
 #754

Quote
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
I'm not sure I follow this, the master password or at least its hash must be sent to LP in order to log in. If, when you log into the website using your master password, the webpage hashes the password and then sends the password to the server for verification, that still leaves the website as an attack vector where the login could be sent plaintext to the attacker's website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?
When you use the client I believe it downloads a nonce as part of the authentication rendering a replay attack improbable.

LastPass was not the weakness here.  The interesting point, which I have not seen anyone point out, would be:

Why on earth would anyone in their right mind select a UUID for a master password?  There are only two possibilities I can come up with:

1. They all knew it was the Mt.Gox key so they could copy/paste it anytime they needed.
2. They had the 'remember password' option selected in LP.

Why anyone that knows *anything* about security would think that either of those options was good is beyond me.  They would have been worlds better by selecting a known phrase such as "We all live in a yellow submarine", easily remembered and told over the phone, etc.

Several of us have pointed out how misguided it is to use any common identifier as a password. I also find it hard to believe their big time financier Tihan would not recognize it as being the API key for their GOX acct. Them not changing it is no different than if the password had been one of their birthdays and not changing it.

dooglus
July 25, 2012, 01:57:58 AM
 #755

Quote
Also, can somebody tell me why Intersango is a wise choice to store/invest hard-earned bitcoins. And before you go there, I feel that Intersango and Bitcoinica are not mutually exclusive.

They're currently having trouble with their bank account, leading to delayed deposits:

Metro Bank (UK)   2012-07-24 18:51 BST
While we were previously under the impression that the problems we were having with Metro bank were due to a technical issue on their end (as this has happened before), we have been told that our account activity is being reviewed and that we must be patient during this process. We have faith that our contact at Metro bank will properly investigate the matter. They have indicated that they do not require information from us at this time. The resolution time we were given was around 1 week, however this is just an approximation.

We apologise for the inconvenience this has caused our userbase. We are doing everything we can to resolve the problem as fast as possible. In the future, we may not be able to accept payments quite as fast anymore to prevent fraud however we will work hard to decrease our resolution times for issues and make the experience of purchasing and selling bitcoins as easy for the UK as possible.

We understand that many people have called Metro bank and Metro has told them that there is no issue. This is entirely incorrect. We believe it is not intentional; it is simply that their support staff assumes that if there is not an issue affecting all accounts or a huge number of accounts at the bank that there is not an issue with our account.

Phinnaeus Gage
July 25, 2012, 02:28:38 AM
 #756

Quote
We understand that many people have called Metro bank and Metro has told them that there is no issue. This is entirely incorrect. We believe it is not intentional; it is simply that their support staff assumes that if there is not an issue affecting all accounts or a huge number of accounts at the bank that there is not an issue with our account.

Does anybody here work closely with a bona fide banking representative that can call Metro Bank and directly inquire, semi-privately, the validity of the above?

Seems to me somebody is planning a vanishing act.

~Bruno~
repentance
July 25, 2012, 02:38:27 AM
 #757

Quote
We understand that many people have called Metro bank and Metro has told them that there is no issue. This is entirely incorrect. We believe it is not intentional; it is simply that their support staff assumes that if there is not an issue affecting all accounts or a huge number of accounts at the bank that there is not an issue with our account.

Does anybody here work closely with a bona fide banking representative that can call Metro Bank and directly inquire, semi-privately, the validity of the above?

~Bruno~

There's not a legitimate bank on the planet which would confirm to outsiders that they're investigating activity on one of their customer's accounts.  Depending on the reason for the investigation, it could be seriously illegal to reveal that even to the customer concerned.

Intersango had previously posted that certain forms of withdrawal would be unavailable between 26 and 30 July.

It's not really clear whether their Metro bank account is now in a state of total limbo until the investigation into their account activity is completed.

Quote
Seems to me somebody is planning a vanishing act.

Or someone who's really pissed off over the Bitcoinica clusterfuck has decided to cause them as much grief as possible.


LoupGaroux
July 25, 2012, 02:51:03 AM
 #758

One can only speculate that one of the victims of their gross negligence (at the very least) might have threatened Metro Bank with action and forced them to hold funds until an investigation is undertaken. Certainly I would take that action, backed up with a proper legal notice that the funds they are holding in trust are being held criminally, and are currently the subject of a massive world-wide investigation of their enormous breach of their fiduciary responsibility to those they are holding the funds in trust for.

We seem to forget that these are not Bitcoinica's funds, or Intersango's funds, or Zhou's funds, or Tihan's funds. These were amounts, especially the US dollar deposits, that were being held in trust for the performance of certain promised exchange and transactional services. Violating that trust will pierce any veil of business obscurity, and if the company law of New Zealand is anything like the corporate laws in Nevada (the most pierce-proof jurisdiction on the planet) then there is no protection in place for these incompetents, and they will be found personally liable. Especially if someone undertakes to bring charges that can be investigated under US Law, which would include attempted criminal diversion, securities fraud, RICO, illegal operation of a gambling system online, tax evasion, confidence scheming, well the list gets ever longer.

And you can bet your last Satoshi that a bank would want to freeze assets involved in those kinds of charges. Hell, US banks held deposits belonging to the former Shah of Iran for 23 years on a simple memorandum sent to them by the State Department. Imagine how quick and high they will jump when presented with a subpoena?

Probably time to think about being the first kid on your block to file against these gangsters, and stop thinking about how you are going to double down and get rich when they just get past this one new speed bump. They are, quite simply, criminals by any definition of the word, and this will not end up happily for them, or their targeted victims.

54Gh/s bASIC Bitcoin Mining Devices
Pre-Order Yours Today!     
Only $1069.99 ! @ http://www.BitcoinASIC.com


Look^^ I'm selling my soul too!
repentance
July 25, 2012, 03:08:49 AM
 #759

Quote
One can only speculate that one of the victims of their gross negligence (at the very least) might have threatened Metro Bank with action and forced them to hold funds until an investigation is undertaken. Certainly I would take that action, backed up with a proper legal notice that the funds they are holding in trust are being held criminally, and are currently the subject of a massive world-wide investigation of their enormous breach of their fiduciary responsibility to those they are holding the funds in trust for.


More likely someone contacted the bank and told them that people were using it to launder funds, which immediately obligates the bank to investigate activity on the account. 

There's no "massive world-wide investigation" going on.  While it's possible that various international agencies will investigate some of the issues related to the Bitcoinica clusterfuck, it still won't be a "massive" investigation.  As businesses go, Bitcoinica is a piddly little one and its total debts appear to be just over USD 1 million.  They may well end up being the first Bitcoin related business investigated for financial offences such as facilitating money laundering, facilitating tax evasion, etc but I can't think of any exchange which isn't at risk for that - let's face it, the Bitcoins which pass through Silk Road are being cashed out somewhere.  In fact, if the authorities choose to go down that route, they may do exactly what they did in regard to online gambling and hit everyone at once, shutting down the flow of funds.

Phinnaeus Gage
July 25, 2012, 04:26:50 AM
 #760

Quote
One can only speculate that one of the victims of their gross negligence (at the very least) might have threatened Metro Bank with action and forced them to hold funds until an investigation is undertaken. Certainly I would take that action, backed up with a proper legal notice that the funds they are holding in trust are being held criminally, and are currently the subject of a massive world-wide investigation of their enormous breach of their fiduciary responsibility to those they are holding the funds in trust for.


More likely someone contacted the bank and told them that people were using it to launder funds, which immediately obligates the bank to investigate activity on the account. 

There's no "massive world-wide investigation" going on.  While it's possible that various international agencies will investigate some of the issues related to the Bitcoinica clusterfuck, it still won't be a "massive" investigation.  As businesses go, Bitcoinica is a piddly little one and its total debts appear to be just over USD 1 million.  They may well end up being the first Bitcoin related business investigated for financial offences such as facilitating money laundering, facilitating tax evasion, etc but I can't think of any exchange which isn't at risk for that - let's face it, the Bitcoins which pass through Silk Road are being cashed out somewhere.  In fact, if the authorities choose to go down that route, they may do exactly what they did in regard to online gambling and hit everyone at once, shutting down the flow of funds.

WOW! Simply, wow! It looks to me that if some regulatory body chooses to do so, they can walk into any banking institute and demand to see the records of (I will use this example) Intersango. They can simply claim that a certain client of theirs with such-and-such Bitcoin address conducted some illegal transaction and that an investigation is warranted. This account is now closed until we finish our investigation. This could take a week. After a week goes by, they return with another concern of another address and the whole process starts anew, thus freezing the account indefinitely. Furthermore, during the interim, Intersango will not be allowed to open up another bank account in that country, and if incorporated there and choosing to open a bank account in some other country, their incorporation privileges will be revoked. I sure the hell would hate to be such a company in their shoes if such an event did occur.

~Bruno~