Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 145643 times)
repentance
July 25, 2012, 05:39:22 AM
 #761


WOW! Simply, wow! It looks to me that if some regulatory body choose to do so, they can walk into any banking institute and demand to see the records of (I will use this example) Intersango. They can simply claim that a certain client of theirs with such-and-such Bitcoin address conducted some illegal transaction and that an investigation is warranted. This account is now closed until we finish our investigation. This could take a week. After a week goes by, they return with another concern of another address and the whole process starts anew, thus freezing the account indefinitely. Furthermore, during the interim, Intersango will not be allowed to open up another bank account in that country, and if incorporated there and choosing to open a bank account in some other country, their incorporation privileges will be revoked. I sure the hell would hate to be such a company in their shoes if such an event did occur.

~Bruno~


Sort of.  When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

While it's possible that a regulator might choose to go after one particular exchange, it's just as likely that they'd do what they did with the online gambling drama and go after everyone at once.  There's no question that a sub-set of customers on every exchange are going to be using the exchange to launder money, evade taxes or commit other financial offences.  The offshore poker providers weren't actually breaking any laws in the jurisdictions in which they were licensed.  It pretty much came down to the DoJ having the power to disrupt their business indefinitely if they didn't play ball.  The Bitcoin exchanges are tiny compared to the online poker providers and it's unlikely they'd win in a showdown with the US DoJ.

Loup is right that there are a number of US agencies which could really fuck up an exchange's shit pretty much regardless of where that exchange is located.  I just believe that once that particular can of worms is opened they are more likely to go after everyone than after just one exchange.

I'm not sure what the fines are for failure to comply with AML/KYC requirements in the US.  Here in Australia, the fine for either not reporting a transaction as required or reporting it late is up to $1.1 million for an individual and up to $22 million for a company.  A single transaction could have multiple reporting requirements attached to it, so you can get hit with more than one fine for a single transaction.  Big banks might be able to absorb those kinds of fines, but I doubt there's a Bitcoin exchange on the planet which can afford them at this time.


All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
proudhon
July 25, 2012, 05:48:25 AM
 #762


When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

This is a large part of why, despite my general bearishness, I've moved everything off the exchanges as bitcoins in offline wallets.  If MtGox, or any other exchange, is disrupted, at the very least I can get something OTC for the bitcoins or I can keep the value stored as bitcoins and use purchasing power that way.
muyuu
July 25, 2012, 07:45:15 AM
 #763


When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

This is a large part of why, despite my general bearishness, I've moved everything off the exchanges as bitcoins in offline wallets.  If MtGox, or any other exchange, is disrupted, at the very least I can get something OTC for the bitcoins or I can keep the value stored as bitcoins and use purchasing power that way.

There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.

Hunterbunter
July 25, 2012, 11:40:02 AM
 #764

wow, this whole fiasco is so amazingly fail it's surreal.
JoelKatz
July 25, 2012, 12:39:35 PM
 #765

There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.
It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress. This is one of the major obstacles to adoption.

I am an employee of Ripple.
ErebusBat
July 25, 2012, 12:43:26 PM
 #766

There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.
It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress. This is one of the major obstacles to adoption.

I agree with this.  Plus Bitcoinica+SR is a one-two punch for any serious detractor (law makers).

BitBuster
July 25, 2012, 01:42:52 PM
 #767

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
You just need to install Lastpass on your new computer and enter your password. It will download your passwords from the encrypted server.
Have either of you used LastPass? It's possible to login to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation...


Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.
No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.

I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described.


BB.
kiba
July 25, 2012, 01:49:19 PM
 #768


I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described.


BB.

It all started with the hack way back in May 2012.

ribuck
July 25, 2012, 01:53:52 PM
 #769

It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress.
Bitcoin is pretty-much the only type of money you can stuff in your mattress, without its value being eroded due to inflation.
unclescrooge
July 25, 2012, 02:03:49 PM
 #770

It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress

That's actually a feature, not a bug. Don't trust the bank, keep your money with you :)

Vladimir
July 25, 2012, 02:20:58 PM
 #771

Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.
No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.
...

I think that LastPass is a very excellent system and it is capable of greatly improving the information security of a typical company that is using it instead of almost any other typical method in common use for such purposes. However, LastPass must be used correctly.

This means:
1. Using second factor auth for LastPass (except maybe when the team using it is very small and has no really valuable assets at risk, or during a transitional period)
2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

For 2. probably using keepass with second factor key is a good idea.


defxor
July 25, 2012, 02:35:06 PM
 #772

Have either of you used LastPass? It's possible to login to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers.

No. Thankfully the concept of nonces and hashes solved that problem decades ago.

(Yes, I'm a LastPass user)

2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

I keep my Bitcoin wallet password in LastPass, and I back up my wallet with Wuala. Thanks to client side encryption, that's just as secure - or more - than any known alternatives.

Disclaimer: I would of course prefer it if I could authorize signed snippets of JavaScript when using LastPass, and it'd be excellent if Wuala went open source. I do however trust those two companies more than I trust any Bitcoin or Bitcoin service developer. If there's a leak, it's likely not from the services that would have a lot to lose.


dooglus
July 26, 2012, 04:04:50 AM
 #773

It's possible to login to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation...

I don't think you're correct there.  LastPass doesn't even know my password.  Javascript on the browser is used to authenticate my login.

[...] LastPass employs localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) and local one-way salted hashes to give you complete security with the go-anywhere convenience of syncing through the cloud. All encrypting and decrypting happens on your computer - no one at LastPass can ever access your sensitive data.

[unless you paste the master password into your source code and leak it to the world].
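A simplified model of the client-side design described in the quoted LastPass text above and in defxor's "nonces and hashes" remark earlier in the thread: the key is derived locally, only a further one-way hash is sent to the server, and the vault is encrypted before it leaves the machine. This is an added example for this thread, not LastPass's code or any poster's; the iteration count, function names and sample vault entry are constructed, and an HMAC-SHA256 keystream stands in for AES-256 because the Python standard library has no AES. It also demonstrates the failure mode the thread keeps returning to: once the master password itself is leaked, none of this helps.

```python
import hashlib, hmac, os

# Constructed model for this thread, not LastPass's code. Work factors and names are
# assumptions; the HMAC-SHA256 keystream stands in for AES-256 (absent from the stdlib).
ITERATIONS = 100_000

def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side: stretch the master password into the vault key; it never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.lower().encode(), ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: a further one-way step. Only this value is transmitted, so the
    server learns neither the master password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def server_store(auth_hash: bytes) -> tuple:
    """Server side: salt and hash the received value again before storing it."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)

def server_verify(record: tuple, auth_hash: bytes) -> bool:
    salt, stored = record
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce; all of this runs on the client."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()

def decrypt_vault(vault_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))

def demo(master: str = "correct horse battery staple", user: str = "ops@example.test") -> dict:
    """Walk through enrolment, login and the two threat models the thread argues about."""
    key = derive_vault_key(master, user)
    auth = derive_auth_hash(key, master)
    record = server_store(auth)                       # all the server ever keeps
    blob = encrypt_vault(key, b"exchange api key: CONSTRUCTED-PLACEHOLDER")
    wrong = derive_auth_hash(derive_vault_key("guess", user), "guess")
    return {
        "login_ok": server_verify(record, auth),
        "wrong_password_ok": server_verify(record, wrong),
        # Server breach: the stored record and the transmitted auth hash open nothing.
        "server_data_decrypts_vault": decrypt_vault(auth, blob) is not None,
        # The Bitcoinica case: the master password itself leaks (e.g. pasted into source),
        # and it is all anyone needs to rebuild the key offline.
        "leaked_master_recovers_vault": decrypt_vault(derive_vault_key(master, user), blob) is not None,
    }
```

The model is only as strong as the master password: the server-side hashing defends against a database theft, not against a "known string" chosen as the master password or one that leaks with the code.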

fellowtraveler
July 26, 2012, 04:35:21 AM
 #774

Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

co-founder, Monetas
creator, Open-Transactions
John (John K.)
July 26, 2012, 04:53:18 AM
 #775

Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

I run NotScripts in Chrome, and NoScript in Firefox.


LightRider
July 26, 2012, 04:55:05 AM
 #776

https://bitcointalk.org/index.php?topic=95738.0

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
sadpandatech
July 26, 2012, 04:57:22 AM
 #777


https://bitcointalk.org/index.php?topic=95738.0



+11111111111

sadpandatech
July 26, 2012, 05:06:46 AM
 #778

Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

I run NotScripts in Chrome, and NoScript in Firefox.

aye, noscript, noadd, https everywhere, and tls 1.0, 1.1 and ssl 2.0 UNchecked in any browser. amongst other things. DropMyRights, or a similar app to reduce your browser's or any other internet facing app's user privileges from administrator.

oh, and


stochastic
July 26, 2012, 05:11:33 AM
 #779


I hope they start locking his account on this forum.  There is a lot of incriminating evidence in all his posts over the last year.

Introducing constraints to the economy only serves to limit what can be economical.
FreeMoney
July 26, 2012, 05:13:22 AM
 #780


I hope they start locking his account on this forum.  There is a lot of incriminating evidence in all his posts over the last year.

Uh, how would that help even if there was 100% proof?
