muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
July 25, 2012, 07:45:15 AM
When the DoJ went after the online gambling providers, they went after the payment processors. People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen. While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.
This is a large part of why, despite my general bearishness, I've moved everything off the exchanges as bitcoins in offline wallets. If MtGox, or any other exchange, is disrupted, at the very least I can get something OTC for the bitcoins or I can keep the value stored as bitcoins and use purchasing power that way. There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody; it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Hunterbunter
July 25, 2012, 11:40:02 AM
wow, this whole fiasco is so amazingly fail it's surreal.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
July 25, 2012, 12:39:35 PM
Quote from: muyuu: There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.

It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress. This is one of the major obstacles to adoption.
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
ErebusBat
July 25, 2012, 12:43:26 PM
Quote from: muyuu: There's no good reason to keep a high % of your BTC in exchanges anyway. I used to have some BTC in exchanges to make payments directly in a convenient manner, but currently I have 0 BTC and 0 FIAT in exchanges. I strongly recommend this approach to everybody, it saved my backside from Bitcoinica's fiasco and from the potential bankruptcy of a certain exchange.

Quote from: JoelKatz: It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress. This is one of the major obstacles to adoption.

I agree with this. Plus Bitcoinica+SR is a one-two punch for any serious detractor (law makers).
BitBuster
Member
Offline
Activity: 101
Merit: 10
July 25, 2012, 01:42:52 PM
Quote: It would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer. You just need to install LastPass on your new computer and enter your password. It will download your passwords from the encrypted server.

Quote: Have either of you used LastPass? It's possible to login to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation... Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

Quote: No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum. You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy. Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.

I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described.

BB.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
July 25, 2012, 01:49:19 PM
Quote from: BitBuster: I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described. BB.

It all started with the hack way back in May 2012.
ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1060
July 25, 2012, 01:53:52 PM (Last edit: July 26, 2012, 06:38:59 PM by ribuck)
Quote from: JoelKatz: It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress.

Bitcoin is pretty much the only type of money you can stuff in your mattress without its value being eroded due to inflation.
unclescrooge
July 25, 2012, 02:03:49 PM
Quote from: JoelKatz: It just sucks that the Bitcoin world is so screwed up you basically have to stuff your money in your mattress.

That's actually a feature, not a bug. Don't trust the bank, keep your money with you.
Vladimir
July 25, 2012, 02:20:58 PM
Quote: Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

Quote: No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum. You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy. Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

Quote from: BitBuster: I understand what you are getting at and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored. ...

I think that LastPass is a very excellent system and it is capable of greatly improving the information security of a typical company that is using it instead of almost any other typical method in common use for such purposes. However, LastPass must be used correctly. This means:

1. Using second factor auth for LastPass (except maybe when the team using it is very small and has no really valuable assets at risk, or during a transitional period).

2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

For 2., probably using KeePass with a second factor key is a good idea.
defxor
July 25, 2012, 02:35:06 PM
Quote from: BitBuster: Have either of you used LastPass? It's possible to login to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers.

No. Thankfully the concept of nonces and hashes solved that problem decades ago. (Yes, I'm a LastPass user.)

Quote from: Vladimir: 2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".

I keep my Bitcoin wallet password in LastPass, and I backup my wallet with Wuala. Thanks to client side encryption, that's just as secure - or more - than any known alternatives.

Disclaimer: I would of course prefer it if I could authorize signed snippets of JavaScript when using LastPass, and it'd be excellent if Wuala went open source. I do however trust those two companies more than I trust any Bitcoin or Bitcoin service developer. If there's a leak, it's likely not from the services that would have a lot to lose.
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
July 26, 2012, 04:04:50 AM
Quote from: BitBuster: It's possible to login to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation...

I don't think you're correct there. LastPass doesn't even know my password. Javascript on the browser is used to authenticate my login.

[...] LastPass employs localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) and local one-way salted hashes to give you complete security with the go-anywhere convenience of syncing through the cloud. All encrypting and decrypting happens on your computer - no one at LastPass can ever access your sensitive data. [unless you paste the master password into your source code and leak it to the world].
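The pattern dooglus and defxor describe above (the master password is stretched locally, the vault key never leaves the client, and only a one-way derivative of the password is sent to the server for login) can be shown in code. The example below is added here as an illustration; it is not LastPass's code, not from any poster, and the iteration count, salt layout and function names are assumptions chosen for the illustration. It also shows why the web-login case BitBuster raises does not by itself hand the server the master password: the same derivation can run in the login page's script, so what crosses the wire is the derived login hash, not the password.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Iteration count chosen for this example; real services tune this value.
ITERATIONS = 100_000


def derive_client_keys(master_password: str, account_id: str) -> Tuple[bytes, bytes]:
    """Runs on the client (browser script or installed app). Returns
    (vault_key, auth_hash).

    vault_key: stretched from the master password with the account id as salt;
               never transmitted, used to encrypt/decrypt the stored vault.
    auth_hash: a domain-separated one-way derivative of vault_key that is sent
               to the server in place of the password at login time.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), account_id.encode("utf-8"), ITERATIONS
    )
    # HMAC keyed with vault_key: the server learns auth_hash but cannot invert
    # it to recover vault_key, and therefore cannot decrypt the vault.
    auth_hash = hmac.new(vault_key, b"login-credential", hashlib.sha256).digest()
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes) -> Dict[str, bytes]:
    """Runs on the server at signup. Stores only a salted, stretched verifier
    of auth_hash, so a dump of the user table yields neither auth_hash nor
    anything usable against the vault."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: Dict[str, bytes], presented_auth_hash: bytes) -> bool:
    """Runs on the server at login. Constant-time comparison avoids a timing
    side channel on the verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented_auth_hash, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def login(master_password: str, account_id: str, record: Dict[str, bytes]) -> Tuple[bool, bytes]:
    """End-to-end flow: the client derives both values locally, sends only
    auth_hash, and keeps vault_key for local decryption if the server accepts."""
    vault_key, auth_hash = derive_client_keys(master_password, account_id)
    ok = server_verify(record, auth_hash)
    return ok, (vault_key if ok else b"")


def demo() -> Dict[str, object]:
    # Constructed sample account, not real credentials.
    account = "alice@example.invalid"
    password = "correct horse battery staple"
    vault_key, auth_hash = derive_client_keys(password, account)
    record = server_enroll(auth_hash)
    ok_good, key_good = login(password, account, record)
    ok_bad, key_bad = login("not the password", account, record)
    return {
        "good_login": ok_good,
        "bad_login": ok_bad,
        "vault_key_returned": key_good == vault_key,
        "no_key_on_failure": key_bad == b"",
        # What the server holds must differ from both client secrets.
        "server_never_sees_vault_key": record["verifier"] != vault_key and auth_hash != vault_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The division of labour is the whole point: a stolen server database gives an attacker the verifier only, and even the value the client sends at login (auth_hash) is one HMAC away from the key that actually protects the vault. What the scheme cannot protect against is exactly what the thread is about: a master password that is known or guessable, or that has been pasted into source code, collapses every layer at once.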
fellowtraveler
July 26, 2012, 04:35:21 AM
Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
July 26, 2012, 04:53:18 AM
Quote from: fellowtraveler: Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

I run NotScripts in Chrome, and NoScript in Firefox.
LightRider
Legendary
Offline
Activity: 1500
Merit: 1022
I advocate the Zeitgeist Movement & Venus Project.
July 26, 2012, 04:55:05 AM
sadpandatech
July 26, 2012, 04:57:22 AM
If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
sadpandatech
July 26, 2012, 05:06:46 AM
Quote from: fellowtraveler: Nothing makes me feel more safe than the sweet sound of words like, "Javascript in the browser."

Quote from: John K.: I run NotScripts in Chrome, and NoScript in Firefox.

Aye, NoScript, noadd, HTTPS Everywhere, and TLS 1.0, 1.1 and SSL 2.0 unchecked in any browser, amongst other things. DropMyRights, or a similar app, to reduce your browser's or any other internet-facing app's user privileges from administrator.. oh, and
stochastic
July 26, 2012, 05:11:33 AM
I hope they start locking his account on this forum. There is a lot of incriminating evidence in all these posts over the last year.
Introducing constraints to the economy only serves to limit what can be economical.
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1016
Strength in numbers
July 26, 2012, 05:13:22 AM
Quote from: stochastic: I hope they start locking his account on this forum. There is a lot of incriminating evidence in all these posts over the last year.

Uh, how would that help even if there was 100% proof?
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
stochastic
July 26, 2012, 05:15:25 AM
Quote from: stochastic: I hope they start locking his account on this forum. There is a lot of incriminating evidence in all these posts over the last year.

Quote from: FreeMoney: Uh, how would that help even if there was 100% proof?

How would it not help? A few pages back he entered the LastPass account again without authorization.
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1016
Strength in numbers
July 26, 2012, 05:20:25 AM
Quote from: stochastic: I hope they start locking his account on this forum. There is a lot of incriminating evidence in all these posts over the last year.

Quote from: FreeMoney: Uh, how would that help even if there was 100% proof?

Quote from: stochastic: How would it not help? A few pages back he entered the LastPass account again without authorization.

It probably doesn't matter much at this point considering no one is going to trust Bitcoinica with money anymore, but if a company doesn't bother to change passwords after hacks it's worth noting.