ASICMINER: Entering the Future of ASIC Mining by Inventing It

[Jutarul]

Update

All pending orders are either executed or cancelled. There is still one trade unpaid yet.

The IPO is finally closed. Extra shares have been sent. Please check, and contact me if there's any mistakes. Thanks.

I assumed those shares were the 'extra' free shares block buyers were promised (I did not receive any extra shares today )

So I am still a bit confused...

Give him a few days. You were correct in assessing that the "extra shares" are the 10% bonuses. However not all 200K shares were distributed, which is why at the end there will still be some shares leftover, which will get distributed to shareholders after all accounts are settled. If you didn't receive your bonus and you are a block buyer you need to PM him.

[nedbert9]

Edit:  Session Fixation attacks, based on my cursory understanding, would not be limited by the use of 2FA.
However, after the compromise I both enabled 2FA and deposited some BTC in the account.  BTC is still there.
It's just unclear what happened.  Buyer beware.

Hello, everyone.

I wanted to let everyone know about the compromise of my GLBSE account on 8/23.

The price dip for ASICMINER indeed resulted from the compromise of my account.  3000 shares were sold at 17:00 GLBSE time (?) for approximately 23 BTC.

The most important message I have for you is that GLBSE is not secure without 2FA enabled.  I had recently created the GLBSE account for the specific purpose of owning ASICMINER.  The account was created on a system lacking any prior security compromises.  The account password was a new, unused 14 character, mixed case, mixed character class.  

Taking responsibility for the fact 2FA was not enabled on my account contributed to the theft of the shares.  On the flip side of this GLBSE is a dangerous place for the uninitiated with Google 2FA.  I say this since my impression was that Google 2FA was only available to smart phone users.  This is why I didn't use it.

Nefario has investigated GLBSE logs in attempt to establish any pattern or method used to compromise the account.  Nefario's judgement is that it is unclear how my account was compromised.  Nefario gave no further  information regarding IP accesses, but only suggested that:

From what I can tell the only thing that would allow someone access would be a session fixation attack, where they set the session id in your browser for GLBSE to something they know. Then when you login to GLBSE they can just use the site as you (because you're using their session).

There are a number of possible reactions to what I've said.  Such as,

1.  Use 2FA, stupid.
My use case is pretty clearly stated above.  If you don't tell users it's dangerous not to use 2FA, and at the same time not provide the links to any necessary security software that is 3rd party OSS and not supplied by Google directly, then there is a certain element of negligence on the part of GLBSE.

In fact, if it's so dangerous, evidenced by my predicament, GLBSE should not allow account creations without the use of the Google 2FA.

2.  GLBSE negligence you say?  Hog-wash.  
No, GLBSE is a financial institution and should not leave it's users unaware and unprepared - which, yes, requires a higher level of user notification and security requirements - only to be raped.

Food for thought.  Do you think Bank of America Web portals are vulnerable to Nefario's suggestion of Session Fixation?  If that were the case my BoA account would be f'ed right now.
It isn't.  And none of any other my important online accounts have been tampered with.


Nefario's position is the same as past incidents of this nature involving shareholders.  I presented the option to Nefario of me reimbursing those who purchased the ASICMINER shares as a result of the compromise in exchange for the recall/reversal of the share sale.  Nefario declined any share reversals.  

A 22 BTC theft costing me both a good investment opportunity and a $3000+ debt to the security issuer.


I sincerely wish ASICMINER success.  Enjoy my the cheap shares.  

[puffn]

How does this give a 3000+ dollar debt to the issuer? Wouldn't they be ambivalent to share sales not involving them?

[nedbert9]

How does this give a 3000+ dollar debt to the issuer? Wouldn't they be ambivalent to share sales not involving them?

The transaction between myself and friedcat hadn't been finalized.

[DutchBrat]

How does this give a 3000+ dollar debt to the issuer? Wouldn't they be ambivalent to share sales not involving them?

The transaction between myself and friedcat hadn't been finalized.

Sorry to hear !!! 

[LoweryCBS]

(case for 2FA)

You convinced me. 2FA is now enabled.

[Jutarul]

The account password was a 14 character, mixed case, mixed character class.  

Sorry for the obvious question. But did you use that password also for a different website?
Also, if you talk about security breaches, please state the OS, browser, other software running and whether you were on a public network or at home..

A 22 BTC theft costing me both a good investment opportunity and a $3000+ debt to the security issuer.

I sincerely wish ASICMINER success.  Enjoy the cheap shares.  

If you need to get some more shares I bet friedcat will understand and give you an opportunity to buy some from the left-over stack of shares before they get handed out. I certainly wouldn't mind.

Share reversals are tricky so I am not surprised to hear that Nefario refrains from doing that.

That leaves the question about who's liable for the 300 BTC damage. I am surprised that Nefario has problems retracing the BTC flow. (unless of course the attack "only" intended to do damage to you and the 22 BTC are still in your account)

[nedbert9]

The account password was a 14 character, mixed case, mixed character class.  

Sorry for the obvious question. But did you use that password also for a different website?
Also, if you talk about security breaches, please state the OS, browser, other software running and whether you were on a public network or at home..

A 22 BTC theft costing me both a good investment opportunity and a $3000+ debt to the security issuer.

I sincerely wish ASICMINER success.  Enjoy the cheap shares.  

If you need to get some more shares I bet friedcat will understand and give you an opportunity to buy some from the left-over stack of shares before they get handed out. I certainly wouldn't mind.

Share reversals are tricky so I am not surprised to hear that Nefario refrains from doing that.

That leaves the question about who's liable for the 300 BTC damage. I am surprised that Nefario has problems retracing the BTC flow. (unless of course the attack "only" intended to do damage to you and the 22 BTC are still in your account)

New, unused password.  Win 7, chrome.  Only antivirus, chrome, trucrypt and serviio running.  Nothing out of the ordinary for the day of the compromise other than visiting #bitcoin-otc.

I have no cash to handle the debt and also buy significant amount of shares.

The proceeds of the theft were withdrawn immediately to
http://blockchain.info/address/1FxjKn6fsdQ9iYoiH1otehKbkDXJj9Jkdg
The balance is 42 BTC.  I have no idea why since I summed the sale transactions to about 23 BTC.

I appreciate the sympathy.

[Jutarul]

New, unused password.  Win 7, chrome.  Only antivirus, chrome, trucrypt and serviio running.  Nothing out of the ordinary for the day of the compromise other than visiting #bitcoin-otc.

Yes that's odd. I take it the Win 7 comes from a legit source... Pirated OS are a major technique to set up botnets.

I have no cash to handle the debt and also buy significant amount of shares.

If the Nefarios investigations turn out that it's not entirely your fault, but likely a bad combination of security weaknesses, I guess ASICminer may just write the debt off. But that's not up to me to decide.
However, I find it odd that the position is a debt - are you just reluctant to pay for shares you received and got "stolen" from your account?
 

The proceeds of the theft were withdrawn immediately to
http://blockchain.info/address/1FxjKn6fsdQ9iYoiH1otehKbkDXJj9Jkdg
The balance is 42 BTC.  I have no idea why since I summed the sale transactions to about 23 BTC.

Ok. It's fresh. Lets see where the money goes.

I appreciate the sympathy.

I had a standing buy order for 100 shares at 0.08 which got filled. All I can offer is to sell it back to you at this price. Maybe we could organize the share reversal ourselves if Nefario doesn't want to do it. All which is required for people to step up and provide their transaction information which is available as csv on GLBSE. Here's mine:

buy,2012-08-23 17:00:00,0.08,ASICMINER,100,,,

Funny. It's exactly 17:00:00. Now that's timing

To prevent this thread from getting spammed with these messages I offer to organize this list. Just send me a PM with the corresponding transactions. I'll then compose a summary post.

[DiabloD3]

You want a told you so? If a website has 2FA of any kind, USE IT. PERIOD. DOUBLY SO IF IT IS A FINANCIAL WEBSITE LIKE GLBSE.

I have no clue why the fuck people think this is optional. I've asked nefario to mandate it to use GLBSE, but he gets all bitchy about it. Banks frequently do it (especially in Europe), so why not GLBSE? Just fucking do it.

[Jutarul]

You want a told you so? If a website has 2FA of any kind, USE IT. PERIOD. DOUBLY SO IF IT IS A FINANCIAL WEBSITE LIKE GLBSE.

I have no clue why the fuck people think this is optional. I've asked nefario to mandate it to use GLBSE, but he gets all bitchy about it. Banks frequently do it (especially in Europe), so why not GLBSE? Just fucking do it.

You're bashing the wrong guy. Wait for when you learn something the hard way and then receive nothing but contempt. That's no way to tread someone who fell victim. The way I see it there are currently a few explanations: 1) hacked windows 2) leaked password hash (does anybody know which hash function GBLSE uses?) 3) Not enough entropy in the password 4) glitch in GLBSE (actually the exact match with 17:00:00 makes me worried, let's see what others have)

[friedcat]

The difference gets distributed to existing shareholders.
https://bitcointalk.org/index.php?topic=99497.msg1107204#msg1107204

I'm very sorry, but the "extra shares" here means the extra shares for bulk purchasers. (10% for >=5,000 & 12.5% for >=10,000)
Sending leftover shares proportionally to shareholders is technically very hard. It is hard to track who owns how many, and for people who hold only a handful of shares it is impossible to give them fractional shares.

However, the proportion of the company represented by each share could be adjusted. I'm considering making it a little higher to compensate the shareholders if the recent 300BTC trade doesn't end up well, as a plan-B (plan-A is that my partners and I fill the gap).

[MrTeal]

I think I must be misreading this, but are you saying that friedcat transferred the shares to you before you paid? And that some time between when you got them and when you would have paid you got hacked, lost the money, and now you can't afford to pay friedcat back?

[Bitcoin Oz]

I think I must be misreading this, but are you saying that friedcat transferred the shares to you before you paid? And that some time between when you got them and when you would have paid you got hacked, lost the money, and now you can't afford to pay friedcat back?

Yes thats what hes saying.

[MrTeal]

I think I must be misreading this, but are you saying that friedcat transferred the shares to you before you paid? And that some time between when you got them and when you would have paid you got hacked, lost the money, and now you can't afford to pay friedcat back?

Yes thats what hes saying.

Then it doesn't sounds like a $3000 debt for the issuer, it sounds likely nedbert needs to start selling his hair, blood and sperm to raise $3000 pay friedcat for the shares he bought.

[eb3full]

I was also surprised friedcat sent me so many shares before I had paid him.. and I don't even have a good forum reputation yet.

[HorseRider]

@nedbert9

I have get 168 shares during this hack @0.085 per share. I would like to give 0.00388888BTC*168=0.64BTC to you.

please give me your GLBSE account.

I guess the bitcoin transfer between GLBSE accounts is free, right? who can give me a confirmation.

[imsaguy]

@nedbert9

I have get 168 shares during this hack @0.085 per share. I would like to give 0.00388888BTC*168=0.64BTC to you.

please give me your GLBSE account.

I guess the bitcoin transfer between GLBSE accounts is free, right? who can give me a confirmation.

bitcoin transfer is free, shares aren't.

[nedbert9]

You want a told you so? If a website has 2FA of any kind, USE IT. PERIOD. DOUBLY SO IF IT IS A FINANCIAL WEBSITE LIKE GLBSE.

I have no clue why the fuck people think this is optional. I've asked nefario to mandate it to use GLBSE, but he gets all bitchy about it. Banks frequently do it (especially in Europe), so why not GLBSE? Just fucking do it.

You're bashing the wrong guy. Wait for when you learn something the hard way and then receive nothing but contempt. That's no way to tread someone who fell victim. The way I see it there are currently a few explanations: 1) hacked windows 2) leaked password hash (does anybody know which hash function GBLSE uses?) 3) Not enough entropy in the password 4) glitch in GLBSE (actually the exact match with 17:00:00 makes me worried, let's see what others have)

I see I've started to derail the thread.  Obviously, my comments were meant to inform everyone of what happened and I should have expected a number of responses.

Sorry for that.


On the point of 2FA.  Yes, it's a big deal and it's foolish not to use it.  It's foolish just the same for a financial service to operate at less than secure mode as default and then not take a rigorous approach to inform users by explicit notification and links to any 3rd party OSS software required to establish a sufficient level of protection (and this is especially true in the case for Google 2FA as Google's primary use case is with the use of smart phones and can mislead uninitiated users).  I'm just re-iterating what I said in my original post, so obviously this falls on deaf ears to some.  I fault Mt. Gox and any other site that doesn't enforce 2FA.  I use Yubikey.  So, there.

In my case the problem is two fold.  One, neither Nefario or I know exactly what happened.  Though on the day of the compromise circumstances could have allowed a security vulnerability not limited by 2FA.  
That's the Session Fixation vulnerability.  Despite Nefario's refusal to take any responsibility for such a vulnerability it's an old, common vulnerability where security whitepapers have stated that the only effective countermeasure for Session Fixation is to design the Web application to use strict session controls that limit session id creation and tightly control their invalidation - or need for revalidation.

Edit:  Some have jumped to the conclusion that this *IS* what happened.  This is my best assumption.  I typically log out and don't leave sensitive sites open.
I think I have a good idea what might have happened.  My GLBSE session was still active after closing the browser tab.  I spent some time on web freenode and was probed and compromised from that source.
Speculation, but it's the best thing I can come up with.

Use 2FA and don't have any other browser window open while using GLBSE.  I am your example to learn from.

[LazyOtto]

Sending leftover shares proportionally to shareholders is technically very hard.

I'm sorry to hear that.

However, isn't that a commitment you made?

--

edit - added the below:

Any other approach is a modification to the terms under which we bought shares. That is, gave you BTC/money with the understanding that "this is how things will be done - do you wish to buy in under those conditions?".

*Any* changes of those terms is non-trivial. It is a slippery slope. The more the original terms are changed, without a formal share-holder vote, the less confidence that those terms will be ultimately honored.

--

"without a formal share-holder vote"

BTW, this is also a problem inherent in how only 30k shares were offered to the general public. This mechanism allows, for example, votes of the following nature to be passed by the 'big players' who gave you BTC directly rather than via the GLBSE public auction.

1) Any holder of less than 5000 shares will be deemed a 'Class B' shareholder.
2) Holders of 5000 shares or more will be deemed 'Class A' shareholders.
3) All benefits and remunerations described in the original terms will only apply to 'Class A' shareholders.
4) 'Class B' shareholders will get whatever is left over, if anything, after the 'Class A' shareholders get all they want.