
DailyTech - Inside the Mega-Hack of Bitcoin: the Full Story

Inside the Mega-Hack of Bitcoin: the Full Story


Jason Mick (Blog)

- June 19, 2011 6:40 PM




http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm[31/08/2013 12:34:58]

Mt. Gox loses database; exchanges close after 500,000 coins are missing or stolen

[Image caption: The largest Bitcoin exchange, Mt. Gox, suffered an emergency closure today after a massive hack led to a plunge in value. (Source: LeanBack.eu)]

The storm had been building for over a week now. Last Monday at around 5 p.m. 25,000 Bitcoins were transferred from 478 accounts on the currency's largest exchange -- Mt. Gox. But that was just the beginning. Now Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action. In all, approximately $8.75M USD worth of Bitcoins appear to have -- at least temporarily -- been stolen in the intrusion.

I. What Are Bitcoins?

Bitcoins are a peer-to-peer cryptocurrency. Invented in 2009 by a shadowy Japanese figure -- Satoshi Nakamoto -- the coins promise a degree of anonymity against casual tracking attempts (though insecure practices, or more concerted government efforts, could still breach your anonymity). Bitcoins are also popular because they do not rely on any one central financial authority and thus represent an anarchistic/nation-agnostic financial system of sorts.

To seed the market with Bitcoins, the brains behind the project created the concept of "mining" coins -- devoting computing resources to finding "blocks" of Bitcoins. Today millions of coins have been "mined" and some people accept Bitcoins as a means of payment, showing that the currency has taken its first steps towards legitimacy.

Likewise, Bitcoins are traded on a number of currency exchanges, the largest of which is Mt. Gox. Mt. Gox allows for the trade of Bitcoins to and from U.S. dollars. The exchange accounts for over 90 percent of Bitcoin trading volume on an average day.

II. A Volatile Market

Over the last month the Bitcoin market has exploded, with the currency rising in value from around $1 USD per Bitcoin to almost $30 USD per Bitcoin at its peak. Bitcoins were expected to slowly deflate over time, but this sudden rise was highly unusual -- and unexpected.

Some chalked it up to misleading media reports which claimed Bitcoin to be a "totally anonymous" currency which could be used to safely "buy drugs" without fear of prosecution (this is expressly not true). Regardless of the source of the interest, the public was becoming interested in Bitcoins and the market was booming.

Then two Fridays ago the market began a downward plunge, with the price per coin falling nearly in half. Much like the rise, there were no hard and fast explanations for the fall, though speculative theories abounded.

The market recovered slightly last week, but the level of volatility was alarming, as virtually no currency in history had ever seen these kinds of swings. In a couple weeks the currency had risen 30-fold in value. And in just two days it had fallen by half, returning to about 14 times the May value.

[Image caption: Volatility and security concerns have cast a dark shadow over the peer-to-peer cryptocurrency in recent weeks. (Source: Nerd Merit Badges)]

[Image caption: Another view shows the same tremendous dropoff as the malicious parties sold off Bitcoins for pennies on the dollar. (Source: Tycale Charts)]

III. Accounts Breached

Over the last couple weeks people began to claim their accounts had been hacked and their Bitcoins stolen.

On Monday at around 5 pm, 25,000 bitcoins were transferred into account "1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg". The coins in question came from 25,000 accounts. Given recent trading values, that would indicate the accounts were worth somewhere between $375,000 and $500,000 USD.

Mt. Gox's support team insisted such claims were isolated. "Magical Tux", a Tokyo-based member of the support team, wrote on Saturday:

Ok, we've been seeing a "lot" of cases recently. So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users. Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.

Responding to commenters upset about the 25k Bitcoin heist, he comments:

As I already replied you, your funds were stolen by someone logging in onto your account with your password. Your funds are right now on a bitcoin address and have not moved since then.
As a reminder we assume no responsibility should your funds be stolen by someone using your own password.

...

The coins stolen from Mt.Gox were not stolen using any CSRF exploit... [the thieves] logged in on users account using the correct login and password. We have logs showing the login succeeded on first try.

Mt. Gox's carefree attitude over account theft (e.g. if you lose your password, it's only your own fault) would only last so long, though, because a much worse breach was coming.

IV. "Tango Down" -- Mt. Gox Closes

In recent weeks, we suggested that the Bitcoin markets cooperate to close trading in cases where extreme volatility (deflationary or inflationary) was observed.

Many Bitcoin proponents did not take kindly to this suggestion, saying that closing currency exchanges for market events would be blasphemy and the antithesis of everything the market stood for.

[Image caption: Many Bitcoin fans consider emergency market closures flagrant heresy. Indeed, this is the first time a major Bitcoin exchange has ever closed. (Source: Artaxerxes/Wikipedia)]

Writes DailyTech user "whitslack":

The idea of shutting down the Bitcoin exchanges when they heat up is just as repugnant to the central idea of Bitcoin as central banks are. Markets do get emotional at times, but that is something we all understand and accept. Shutting down a market is an artificial move that is in opposition to the concept of a free market. If an exchange took up such a policy, it would only incentivize the creation of new exchanges without such an artificial policy. If I can't trade my Bitcoins on Mt. Gox because it has "shut down," I'll simply go to another exchange that hasn't shut down. Even if all the currently existing exchanges colluded to shut down together, they would simply be granting enormous leverage for a newcomer to take all their volume. The concept of artificial market limits has no place in a free economy and cannot stand in one.

Well, friends, Mt. Gox has shut down. On Sunday at about 4 p.m., site official "Mark Karpeles" wrote users:

The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).

Service should be back by June 20th 11:00am (JST, 02:00am GMT) with all the trades reversed and accounts available.

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.

UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

Several other major Bitcoin exchanges, including TradeHill (closed at $13.79 USD per Bitcoin), have stopped showing financial transactions that recently occurred, indicating a possible shutdown (though the site Bitcoin Charts reports more recent sales).

V. What is Known

First, it is clear that the Mt. Gox database has been stolen. According to one source the database had 61,020 entries -- roughly in line with Mt. Gox official MagicalTux's previous statement.

Within an hour of the hack, reportedly 100,000 Bitcoins were sold at incredibly cheap rates on Mt. Gox, plunging the market from around $17.50 USD per Bitcoin to just $0.01 per Bitcoin. Meanwhile 400,000 other Bitcoins were reported missing. That's roughly 1/13th of the total Bitcoins in existence, or about $8.75M USD at the previous market value.

Around the same time an unknown party also posted a Pastebin commenting:

I have hacked into mtgox database. Got a huge number of logins password combos. Mtgox has fixed the problem now. Too late, cause I've already got the data. Will sell the database for the right price. Send your offers to: gfc06@hotmail.com

Soon after, though, the actual database dump was publicly posted. It's available (for now) via direct download from here.

According to MagicalTux, Mt. Gox's current protection scheme was to use an MD5 hash on passwords in its database, along with a salt [source]. However, he did not specify whether a single salt was applied to all user passwords, multiple periodic salts, or whether user-specific unique salts were employed.

The attacks have reportedly been traced to a Hong Kong IP, according to sources. Of course this could simply be a hijacked server or a proxy server, which the hackers used to obfuscate their true location.

Regardless, some sources are reporting that the salting was not initially used and approximately 1,600 passwords appear unsalted. Cracking unsalted MD5 hashes is a pretty elementary task with rainbow table or brute force attacks.

Even salted passwords could be cracked, depending on the strength of the salting scheme and how much effort malicious parties put in (the expense in computing time likely wouldn't be worth the Bitcoin payoff -- of course, if you were using hijacked machines, it's "free labor" anyways).

On the Mt. Gox forums users openly mocked the admins and expressed frustration at the site's security practices. Writes one user "Man From The Future":

The fact that it uses MD5 is an issue. It should definitely have been set up using SHA256/SHA512, and at least a per user salt (You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

As stated in the press release, the exchange says it's undoing the sell transactions currently and is working to restore the market to around $17.50 USD per Bitcoin.

VI. What's Next

Ultimately, the massive breach may not be enough to kill the Bitcoin movement. After all, many people are very dedicated and enthusiastic about the concept of Bitcoins.

That said, the recent volatility, combined with this breach, raises serious doubts about Bitcoin managing to become mainstream. The fact that the largest exchange in a $130M USD market would follow such lax security practices, such as failing to use state-of-the-art hashing methods to protect its database, seems disturbing.

Ultimately a greater underlying problem may be the vulnerability of users' local "wallet" file, wallet.dat. When news of the original Bitcoin hack broke, many assumed that malicious users had infected victims' computers and exposed their wallet.dat files.

Of course, serious Bitcoin aficionados encrypt their wallet.dat file soundly, but as casual interest in Bitcoins explodes, the question remains whether the average, security-ignorant user will practice similar safety precautions.

Indeed, security firm Symantec reports finding a Trojan malware program titled Infostealer.Coinbit in the wild, which tries to extract the contents of your wallet and email it to a malicious party. The firm found code being shared on forums to similarly snatch wallet data and upload it via FTP.

In the long run encrypting your wallet file may not be enough. Sophisticated hackers may copy the file to a remote location for rainbow table attacks, or opt for a local on-system brute force attack. Either way, if your encryption scheme or password are weak, your wallet still may be compromised.

Symantec also warns that botnets participating in Bitcoin mining could be netting the owners over $100,000 USD a month in profit.

The idea of virtual currency has been one that has long excited. Cybercurrency was a focus of famous science fiction writer Neal Stephenson's 1995 postcyberpunk novel The Diamond Age: Or, A Young Lady's Illustrated Primer, in which digital cryptocurrency was mentioned as a driving force that eliminated the nation state by destroying their ability to collect taxes from citizens. Mr. Stephenson attacked the topic again in his 1999 book Cryptonomicon, in which protagonists search for gold to use as a basis of a digital cryptocurrency.

Now that one such implementation of this ambitious concept has finally arisen, it's easy to wonder whether Mr. Stephenson could have predicted the future, much as William Gibson predicted the future of the internet, in many ways, with his seminal 1984 cyberpunk work Neuromancer.

However, in order for Bitcoins to truly be a legitimate international currency, there's a lot of work that must be done to improve and protect the technology.

In short, it's been a very bad week for Bitcoins; one can only hope this is the last bad news we hear.

Updated: Sunday June 19, 2011 7:15 p.m.

TradeHill has officially closed, posting the notice:

TradeHill has recently learned that a large number of user accounts at a competing Bitcoin exchange have been compromised. Because of the possibility that our users may have used the same password on multiple exchanges, we will be halting the ability to trade or withdraw funds for a few hours. We hope this will give all of our users time to reset their passwords if needed. You can reset your password by clicking on your username in the upper right of the website. This is merely a precaution, and we do not have any evidence that our site has been compromised in any way. More info soon.

We will update as more information becomes available.
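The password-storage weaknesses discussed in sections V and VI (fast MD5, missing or shared salts) can be seen in a short added example; it is not code from the article, DailyTech or Mt. Gox. It audits a constructed credential table for byte-identical hashes, which unsalted MD5 produces whenever two users share a password, and then migrates each record at login to PBKDF2-HMAC-SHA256 with a per-user random salt. The record layout, the scheme names, the salt-then-password ordering and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Work factor for the replacement scheme (assumed value; raise it as hardware allows).
PBKDF2_ITERATIONS = 300_000


def legacy_md5(password: str, salt: bytes = b"") -> str:
    """Legacy scheme: one fast MD5 pass over salt || password (layout assumed)."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Replacement scheme: PBKDF2-HMAC-SHA256 keyed with a per-user random salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    ).hex()


def audit(records):
    """Count records per scheme and list users whose stored hashes are identical.

    Identical stored hashes mean identical passwords with no (or a shared) salt:
    one precomputed-table lookup then exposes every user in that group.
    """
    schemes = defaultdict(int)
    by_hash = defaultdict(list)
    for rec in records:
        schemes[rec["scheme"]] += 1
        by_hash[rec["hash"]].append(rec["user"])
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"schemes": dict(schemes), "shared_hashes": shared}


def verify_and_upgrade(rec, password: str) -> bool:
    """Check a login attempt; on success, rewrite a legacy record in place."""
    if rec["scheme"] == "pbkdf2-sha256":
        return hmac.compare_digest(slow_hash(password, rec["salt"]), rec["hash"])
    if rec["scheme"] in ("md5", "md5-salted"):
        if not hmac.compare_digest(legacy_md5(password, rec["salt"]), rec["hash"]):
            return False
        # The plaintext is only available at login, so migrate the record now.
        salt = os.urandom(16)
        rec.update(scheme="pbkdf2-sha256", salt=salt, hash=slow_hash(password, salt))
        return True
    return False  # unknown scheme: fail closed


def sample_records():
    """Constructed records: two unsalted users share a password, one is salted."""
    return [
        {"user": "alice", "scheme": "md5", "salt": b"",
         "hash": legacy_md5("hunter2")},
        {"user": "bob", "scheme": "md5", "salt": b"",
         "hash": legacy_md5("hunter2")},
        {"user": "carol", "scheme": "md5-salted", "salt": b"k3Qz",
         "hash": legacy_md5("hunter2", b"k3Qz")},
    ]


if __name__ == "__main__":
    db = sample_records()
    print("before:", audit(db))
    for rec in db:
        verify_and_upgrade(rec, "hunter2")  # simulated successful logins
    print("after: ", audit(db))
```

After migration all three users still have the same password, but no two stored hashes match, so a leaked table no longer reveals password reuse and each record has to be attacked separately at the slow hash's cost.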

Comments

Pure Stupidity
By EricMartello on 6/19/2011 9:17:43 PM , Rating: 1

OK the genius who hacked Mt.Gox hoped to accomplish what by stealing the bitcoins? Did they have a buyer lined up to pay them $15-$30 for a virtual currency that has yet to establish an intrinsic value for itself? Or was their plan to take the bitcoins and sit on them until another exchange pops up and then dump them all - again, lowering the value of the BTC on the particular exchange they dump them on. The exchange market is what gave the BTC value, and the value was based on what people were willing to buy and sell the coins for. Either way it plays out for them, they're not likely to make as much as they expected to from their little heist.

RE: Pure Stupidity
By bitbutter on 6/20/2011 4:43:23 AM , Rating: 5

quote: Did they have a buyer lined up to pay them $15-$30 for a virtual currency that has yet to establish an intrinsic value for itself?

No economic good has intrinsic value. Value is subjective and imputed to goods according to their expected serviceability in satisfying wants.

RE: Pure Stupidity
By Integral9 on 6/20/2011 9:35:00 AM , Rating: 2

Generally, a currency does have some intrinsic value, which is mostly based on the GDP of the nation state that sponsors it as compared to other nation states of similar stature and influenced by tides of trade on the open market. Bitcoins are a currency without a sponsoring nation state, thus no intrinsic value and their comparables are chuck-e-cheese on the one end and casino chips on the other, both of which are worthless outside their establishments.

RE: Pure Stupidity
By DFSolley on 6/20/2011 11:43:41 AM , Rating: 2

I do not think "intrinsic" means what you think it means.

RE: Pure Stupidity
By MatthiasF on 6/20/2011 7:04:40 PM , Rating: 2

Sometimes popular phrases turn themselves into cliches, detaching the user from the meaning. Currency is by no means intrinsic to a nation, society or economy. It's just an efficient way to make trades. With the exception of those huge stone coins on Polynesian. That's just crazy.

RE: Pure Stupidity
By Taft12 on 6/21/2011 12:07:34 PM , Rating: 2

Try paying your taxes with a currency not intrinsic to your home nation.

RE: Pure Stupidity
By interstitial on 6/24/2011 1:03:11 PM , Rating: 2

What he's saying is that you don't understand the word intrinsic. If something has intrinsic properties it has them regardless of circumstance. For example, copper is intrinsically conductive. The US dollar is not intrinsic to the USA. The USA would still be the USA if it instantly switched to the Euro, Yen or Rupee. A material would not be copper if it had high electrical resistance at STP.

RE: Pure Stupidity
By BansheeX on 6/20/2011 2:57:37 PM , Rating: 3

People assign value to money if it defeats the inefficiency of barter and is a good store of savings. Its value can fluctuate over time. Bitcoins do that, and its main draw is that it's just as convenient as other methods, but doesn't have an issuer unfairly benefiting from their creation.

And if you're going to argue that "promise of repayment" by a nation is intrinsic, I think you're deluding yourself. I've always thought the term "intrinsic value" was a bit of an oxymoron. Value is totally situational and subjective. But I think the point is, money that has no use other than money does not have intrinsic value. So that would apply to both fiat currency and bitcoins.

RE: Pure Stupidity
By rudy on 6/20/2011 5:09:42 PM , Rating: 2

This is false the issuer was the creator and we are pretty sure he stashed plenty of bitcoins for himself when they were easy to create. So the issuer has a ton to gain if bitcoins have value.

RE: Pure Stupidity
By EricMartello on 6/20/2011 8:22:40 PM , Rating: 2

quote: No economic good has intrinsic value. Value is subjective and imputed to goods according to their expected serviceability in satisfying wants.

When you can have 1 bitcoin and know it is worth about $20 or $1,000 - whatever - that becomes the bitcoin's intrinsic value. It doesn't matter how we arrive at that figure or what the figure ultimately is as long as the consensus agrees on the value. Right now the value figure is so volatile that there is no way to say for sure that yeah, 1 bitcoin is worth $20, and pricing services and products accordingly is nearly impossible due to the lack of a settled value. Even WoW gold has a stable, defined intrinsic value that is about 200 WoW Gold = $1 USD because the consensus agreed upon it. People are willing to buy 200 WoW gold per $1 USD and there are "farmers" willing to sell 200 WoW Gold for $1 USD.

RE: Pure Stupidity
By Mike Acker on 6/20/2011 7:42:44 AM , Rating: 3

="OK the genius who hacked Mt.Gox hoped to accomplish what by stealing the bitcoins?" you created an alternate currency. it's not nice to compete with the Central Banking System.

RE: Pure Stupidity
By TheDoc9 on 6/20/2011 4:57:28 PM , Rating: 2

Most likely, until they can get their hands in it or offer an alternative...

RE: Pure Stupidity
By Alexvrb on 6/20/11, Rating: 0

im in the list..
By Quent1n on 6/20/2011 4:19:30 AM , Rating: 2

My account is in that file (I downloaded it and checked), and even though it's encrypted it looks like someone decrypted it. Why? Well yesterday I've received a warning on my gmail account saying there is an unusual activity (someone trying to login with the wrong password many times, or logged in from some strange place). My gmail password was unique so nobody actually got in (confirmed via Gmail IP logs), but it's still scary ... Lots of people have the same password for everything, that's pretty dangerous.

RE: im in the list..
By NainoKami on 6/20/2011 5:14:13 AM , Rating: 2

MtGox contacted Google, letting them know about potentially compromised Gmail accounts, so no reason to worry about that. :)

RE: im in the list..
By gsn2dd on 6/20/2011 6:14:45 AM , Rating: 2

I'm on the list too. Using a website on the Internet I decrypted my password hash in seconds - fortunately for me I had used my junk level password so no problem. However if you just use one password for everything then it is time to panic because it is dead easy to crack.

rollback?
By ctgottapee on 6/20/2011 11:07:26 PM , Rating: 2

how does mt gox have the authority to roll back transactions? that would imply that mt gox 'controls' the currency, which i thought goes against the reason for bitcoins. i understand that mt gox could unwind transactions between two accounts it manages that were NOT then cashed out to USD, but how does it get the rest back?? details anyone??

RE: rollback?
By Taft12 on 6/21/2011 12:09:28 PM , Rating: 2

You're asking questions Mt Gox would rather you not ask.

RE: rollback?
By chetrasho on 6/22/2011 3:58:21 PM , Rating: 2

In addition to executing trades, MtGox also serves as an escrow account for customers' USD/BT. Once MtGox realized that an account had been hacked, they locked down everybody's accounts. Now they're rolling back the transactions to recreate the market before the unauthorized selloff. As an escrow account, they can do this without having control of the "currency" at large. There's a possibility that people were able to cash out BT or USD before MtGox closed down. USD withdrawals could be reversed but BT losses are potentially permanent. MtGox claims these types of losses were minimal.

Who say this coming? Ohh yeah I did
By ryancaa on 6/22/2011 11:09:06 AM , Rating: 1

Ok, whoever took Bitcoin seriously is an idiot. My roommate told me about Bitcoin a few months ago, my immediate response was "Man, I wonder how long until that gets hacked". Morons.

RE: Who say this coming? Ohh yeah I did
By chetrasho on 6/22/2011 4:07:44 PM , Rating: 3

Bitcoin remains unhacked, moron. MtGox is just a bitcoin service provider. Major banks (eg. Citibank) regularly get hacked for mure more money. Does that make people idiots for using the dollar?

No, it makes them sheep for pawning their risk off to Citibank who pawns the risk off to the Fed who covers everything with an inflation subsidy that slowly bankrupts and enslaves the country. Wake up, suckah....

RE: Who say this coming? Ohh yeah I did
By chetrasho on 6/22/2011 4:08:39 PM , Rating: 2

* more not "mure"

incorrect
By kysmith on 6/22/2011 6:58:51 PM , Rating: 2

This article is incorrect from the beginning. The 25,000 BTC stolen on 6-13 were from the personal wallet.dat file of "allinvain". The 478 "accounts" were addresses in allinvain's wallet.dat file - this theft had nothing to do with MtGox. WTF do you later say 25,000 accounts? It was 25,000 BTC from numerous addresses which were in allinvain's wallet.dat. And the 400,000+ BTC were never reported missing. It was a large transfer everyone noticed in blockexplorer, and claimed by MtGox to be their own transfer done as an extra step to ensure the security of MtGox users' deposits after the database breach. The 400,000 BTC are not missing. Everyone can see which address(es) they belong to in blockexplorer and now users are waiting for MtGox to relaunch so they can claim their deposits.

RE: incorrect
By chetrasho on 6/24/2011 6:50:11 PM , Rating: 3

I tried to write a more accurate account/analysis if anyone has any thoughts: http://poibella.org/emptyset/?p=387

This article was written on the day of the selloff, so I'll excuse Mick some inaccuracies. It was breaking news and I imagine this was better than nothing. But the MSM have generally done a terrible job of covering this.

Also, Mick needs to realize that this was a security breach and not normal market activity. Even though it's a terrible idea, it's possible to regulate a free market (eg. prohibit selloffs). But it's impossible to "regulate" security, because security develops more rapidly than bureaucracy. I don't see how regulation would have prevented this problem. If selloffs were prohibited, it would only have masked MtGox's insecurity. If Mick considers this a "crime", then he should be happy to know that MtGox contacted the Feds to "regulate." In some sense MtGox is already regulated by existing laws on data security, etc....

Slow news day eh?
By spread on 6/19/11, Rating: 0

RE: Slow news day eh?
By someguy123 on 6/19/2011 8:40:32 PM , Rating: 2

Technically, even though it's run on all speculation, this was about 8.5M USD or more stolen in bitcoins. Regardless of whether or not it's currently a currency (it isn't) people are still actively speculating and buying into bitcoins for whatever reason. A large amount of items currently being traded for USD being stolen is more news worthy than sony getting DDoS'd.

RE: Slow news day eh?
By chetrasho on 6/22/2011 4:13:44 PM , Rating: 2

Technically, $8.5M probably wasn't "stolen." MtGox claims to have locked the market before much money was withdrawn. If they're telling the truth, then they will be able to rollback the market undoing the unauthorized selloff.

Tradehill pauses trading too


By Michael Reigner on 6/19/2011 7:23:36 PM , Rating: 2

Tradehill (http://www.tradehill.com/?r=TH-R12508) has just stopped trading and withdrawing. Nice move.

RE: Tradehill pauses trading too


By chetrasho on 6/22/2011 3:59:46 PM , Rating: 2

Trade Hill is back online and bitcoins are trading briskly at low prices. Yep, the free market still works.

peer to peer wagering


By hellokeith on 6/19/2011 7:05:04 PM , Rating: 2

This is nothing more than other online "futures" markets, which the US Treasury and IRS/FTC/SEC correctly label as gambling. I have nothing against gambling and do it myself, but not online.

Mtgox accounts were compromised


By bitbutter on 6/20/2011 4:41:25 AM , Rating: 2

quote: Over the last couple weeks people began to claim their accounts had been hacked and their Bitcoins stolen.

This is an unfortunate phrasing, without the necessary context it gives the false impression that Bitcoin 'accounts' were hacked--and that bitcoin system itself is unsecure. That's not the case, the failure had to do with mtgox accounts after the site's user database was leaked.

Checking if your password got published


By jesskleins77 on 6/20/2011 10:33:13 AM , Rating: 2

There's a website that was previously tracking the emails/passwords published by LulzSec. It now includes the Mt. Gox published emails/passwords. You can see if yours is in there here: http://shouldichangemypassword.com/

Sloppy work
By Michael Tew on 6/21/2011 5:51:21 PM , Rating: 2

This should kill off Mt Gox. To protect against hackers using rainbow tables to crack hashed passwords you can use a salt (related to a nonce [number used once]), iterative hashing [where the hash is itself hashed multiple times] and key strengthening. These techniques make it difficult to generate the rainbow tables (a technique for minimizing the number of different possibilities to be tested). As far as I know, neither technique was employed by Mt Gox. In fact they employed a cryptographic hash function called MD5 (Message Digest Algorithm 5) for which the rainbow tables (and rainbow table generator) are widely available. MD5 is no longer used by the federal government because it is considered to be too vulnerable and has been replaced with SHA-2. This is one of the widely publicized holes in security that was exploited by Anonymous in the hack of HB Gary a few months ago. That Mt. Gox continued to use MD5 after everybody and his dog knew it was vulnerable is really, really sloppy. Everybody who had registered on that site (and that includes me) has had their email address published (along with the easily hackable password), so their security and anonymity is terminally compromised. I am thinking I should switch email addresses, close down my Fakebook and start again fully encrypted, with a new computer, in a coffee shop. Were it not for the fact that everything on my computer, and everything I have ever posted or emailed, is almost certainly stored on multi terabyte drives at NSA HQ, I'd be really pissed. Of course, being on that list of 61,020 email addresses floating around cyberspace is going to raise my profile in somebody's database.
