Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 153964 times)
proudhon (Legendary, Activity: 1232)
July 25, 2012, 05:48:25 AM, #761

When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

This is a large part of why, despite my general bearishness, I've moved everything off the exchanges as bitcoins in offline wallets.  If MtGox, or any other exchange, is disrupted, at the very least I can get something OTC for the bitcoins or I can keep the value stored as bitcoins and use purchasing power that way.
muyuu (Donator, Legendary, Activity: 966)
July 25, 2012, 07:45:15 AM, #762

Quote from: proudhon
When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

This is a large part of why, despite my general bearishness, I've moved everything off the exchanges as bitcoins in offline wallets.  If MtGox, or any other exchange, is disrupted, at the very least I can get something OTC for the bitcoins or I can keep the value stored as bitcoins and use purchasing power that way.

There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.

Hunterbunter (Hero Member, Activity: 994)
July 25, 2012, 11:40:02 AM, #763

wow, this whole fiasco is so amazingly fail it's surreal.
JoelKatz (Legendary, Activity: 1582)
Democracy is vulnerable to a 51% attack.
July 25, 2012, 12:39:35 PM, #764

Quote from: muyuu
There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.

It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress. This is one of the major obstacles to adoption.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
ErebusBat (Hero Member, Activity: 560)
I am the one who knocks
July 25, 2012, 12:43:26 PM, #765

Quote from: muyuu
There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.

Quote from: JoelKatz
It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress. This is one of the major obstacles to adoption.

I agree with this.  Plus Bitcoinica+SR is a one-two punch for any serious detractor (law makers).

BitBuster (Member, Activity: 101)
July 25, 2012, 01:42:52 PM, #766

Quote:
It would be very hard for this to happen, as your password never gets sent to LastPass; all the encryption happens on your computer.
You just need to install LastPass on your new computer and enter your password. It will download your passwords from the encrypted server.

Have either of you used LastPass? It's possible to log in to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation...


Quote:
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.
No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.

I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described.


BB.
kiba (Legendary, Activity: 980)
July 25, 2012, 01:49:19 PM, #767

Quote from: BitBuster
I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described.

BB.

It all started with the hack way back in May 2012.

ribuck (Donator, Legendary, Activity: 826)
July 25, 2012, 01:53:52 PM, #768

Quote from: JoelKatz
It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress.

Bitcoin is pretty much the only type of money you can stuff in your mattress without its value being eroded by inflation.
unclescrooge, aka Raphy (Hero Member, Activity: 868)
July 25, 2012, 02:03:49 PM, #769

Quote from: JoelKatz
It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress

That's actually a feature, not a bug. Don't trust the bank, keep your money with you :)

Vladimir (Hero Member, Activity: 812)
July 25, 2012, 02:20:58 PM, #770

Quote from: BitBuster
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.
No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.
...

I think that LastPass is a very excellent system and it is capable of greatly improving the information security of a typical company that is using it instead of almost any other typical method in common use for such purposes. However, LastPass must be used correctly.

This means:
1. Using second factor auth for LastPass (except maybe when the team using it is very small and has no really valuable assets at risk, or during a transitional period)
2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

For 2., probably using KeePass with a second factor key is a good idea.


defxor (Hero Member, Activity: 530)
July 25, 2012, 02:35:06 PM, #771

Quote from: BitBuster
Have either of you used LastPass? It's possible to log in to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers.

No. Thankfully the concept of nonces and hashes solved that problem decades ago.

(Yes, I'm a LastPass user)

Quote from: Vladimir
2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

I keep my Bitcoin wallet password in LastPass, and I backup my wallet with Wuala. Thanks to client side encryption, that's just as secure - or more - than any known alternatives.

Disclaimer: I would of course prefer it if I could authorize signed snippets of JavaScript when using LastPass, and it'd be excellent if Wuala went open source. I do however trust those two companies more than I trust any Bitcoin or Bitcoin service developer. If there's a leak, it's likely not from the services that would have a lot to lose.


dooglus (Legendary, Activity: 2310)
July 26, 2012, 04:04:50 AM, #772

Quote from: BitBuster
It's possible to log in to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation...

I don't think you're correct there.  LastPass doesn't even know my password.  Javascript on the browser is used to authenticate my login.

[...] LastPass employs localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) and local one-way salted hashes to give you complete security with the go-anywhere convenience of syncing through the cloud. All encrypting and decrypting happens on your computer - no one at LastPass can ever access your sensitive data.

[unless you paste the master password into your source code and leak it to the world].

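The model defxor ("nonces and hashes") and dooglus (the quoted "local one-way salted hashes", encryption on your computer) are describing can be made concrete. The following is an added illustration, not LastPass's code; the parameters (PBKDF2-HMAC-SHA256, e-mail as salt, 100000 rounds, one extra round to split the login hash from the vault key), the `Server` class and the account are all assumed or constructed for the demo. The master password is stretched locally into a vault key that never leaves the client; one more one-way round yields the only value the server receives, which the server salts and hashes again before storing.

```python
import hashlib
import hmac
import os

# Assumed demo parameters, not LastPass's real ones: PBKDF2-HMAC-SHA256 with the
# account e-mail as salt, plus one extra one-way round between vault key and login hash.
ROUNDS = 100_000

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that would encrypt the vault locally (e.g. AES-256); it never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ROUNDS)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way round: the only secret the server ever receives."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

class Server:
    """Stores a salted hash of the login hash, so a database leak exposes
    neither the master password nor the vault key."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ROUNDS)
        self.users[email.lower()] = (salt, stored)

    def verify(self, email: str, login_hash: bytes) -> bool:
        record = self.users.get(email.lower())
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ROUNDS)
        return hmac.compare_digest(candidate, stored)  # constant-time compare

def client_login(server: Server, email: str, master_password: str) -> tuple[bool, bytes]:
    """Client side of a login: only login_hash crosses the wire; the vault key stays here."""
    vault_key = derive_vault_key(master_password, email)
    login_hash = derive_login_hash(vault_key, master_password)
    return server.verify(email, login_hash), vault_key

def demo() -> tuple[bool, bool, bool]:
    """Constructed account: right password accepted, wrong one rejected,
    and the value the server saw differs from the vault key."""
    srv, email, pw = Server(), "ops@example.invalid", "correct horse battery staple"
    vault_key = derive_vault_key(pw, email)
    login_hash = derive_login_hash(vault_key, pw)
    srv.register(email, login_hash)
    accepted, key = client_login(srv, email, pw)
    rejected, _ = client_login(srv, email, "wrong password")
    return accepted and key == vault_key, not rejected, login_hash != vault_key
```

The split is what makes "the server never sees the master password" true; it does nothing against the failure the thread describes, a master password that is itself a known string.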
fellowtraveler (Sr. Member, Activity: 440)
July 26, 2012, 04:35:21 AM, #773

Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

co-founder, Monetas
creator, Open-Transactions
John (John K.) (Global Troll-buster and Legendary, Activity: 1176)
Will read PM's. Have more time lately
July 26, 2012, 04:53:18 AM, #774

Quote from: fellowtraveler
Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

I run NotScripts in Chrome, and NoScript in Firefox.


LightRider (Legendary, Activity: 1495)
I advocate the Zeitgeist Movement & Venus Project.
July 26, 2012, 04:55:05 AM, #775

https://bitcointalk.org/index.php?topic=95738.0

sadpandatech (Hero Member, Activity: 504)
July 26, 2012, 04:57:22 AM, #776

Quote from: LightRider
https://bitcointalk.org/index.php?topic=95738.0

+11111111111

sadpandatech (Hero Member, Activity: 504)
July 26, 2012, 05:06:46 AM, #777

Quote from: fellowtraveler
Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

Quote from: John (John K.)
I run NotScripts in Chrome, and NoScript in Firefox.

aye, noscript, noadd, https everywhere, and tls 1.0, 1.1 and ssl 2.0 UNchecked in any browser. amongst other things. DropMyRights, or a similar app to reduce your browser's or any other internet-facing app's user privileges from administrator..

oh, and


stochastic (Hero Member, Activity: 532)
July 26, 2012, 05:11:33 AM, #778

I hope they start locking his account on this forum.  There is a lot of incriminating evidence in all his posts over the last year.

FreeMoney (Legendary, Activity: 1246)
Strength in numbers
July 26, 2012, 05:13:22 AM, #779

Quote from: stochastic
I hope they start locking his account on this forum.  There is a lot of incriminating evidence in all his posts over the last year.

Uh, how would that help even if there was 100% proof?

stochastic (Hero Member, Activity: 532)
July 26, 2012, 05:15:25 AM, #780

Quote from: stochastic
I hope they start locking his account on this forum.  There is a lot of incriminating evidence in all his posts over the last year.

Quote from: FreeMoney
Uh, how would that help even if there was 100% proof?

How would it not help?  A few pages back he entered the LastPass account again without authorization.
