
Topic: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off (Read 18488 times)

legendary
Activity: 1344
Merit: 1000
He is going to be known as the dude that was trying to play a game of Pacman with a disgruntled customer as he was trying to enter his office building,

the Pacman pellets were the bitcoins, he had them firmly stashed in USB sticks contained in that black case he was carrying on his shoulder.

The disgruntled customer should have grabbed that case off his shoulder for sure !!!
member
Activity: 72
Merit: 10
Interesting all this lack of information from both Jed and Mark all the way back.

Did Jed ever get paid? If so how much? How much was mtgox sold for exactly?

Was the blockchain address of this account which withdrew 2k ever published?
legendary
Activity: 1288
Merit: 1225
Away on an extended break
legendary
Activity: 1764
Merit: 1002
because Jed has told me it was his acct that got hacked after the SQL injection.

still doesn't absolve Mark.
sr. member
Activity: 437
Merit: 415
1ninja
A consistent message from Mark about this whole event was that it was Jed's fault.

Further clarification:
Compromised Admin Level User Account = Jed's user account to access Mt.Gox public website as a trader. UserID of 1 from the leaked table of users.

Point to consider: There were at least two admin level user accounts in the leaked table of users:
UserID 1, Username: jed
UserID 634, Username: MagicalTux

My assumptions from mtgox's clarification:
1) There were administrative web pages as part of Mt gox's front-end PHP website code.
2) To access these administrative web pages Mark/Jed used the same user/password as their trader account and logged in from the public login form.
3) BTC balances in the mtgox system are not tied to balances of public keys in the block chain (therefore unbacked by BTC which leads to the temptation of a fractional reserve exchange).
4) These administrative pages allowed unlimited deposits of BTC to an admin's trader account.
5) These administrative pages did NOT allow the configuration of withdrawal limits.
6) The withdrawal limits for the system were hard coded in the PHP withdrawal pages. $1000 per withdrawal (not per 24 hours) as the infamous Kevin has informed us. Therefore, SQL injection in combination with an admin trader account would not allow access to modify PHP files.
7) The attacker did not have access to modify PHP files.
8) SQL injection attack occurred on the Login page because no other tables from the database were leaked. The login form would be reading from the users table.



Why Jed is not at fault and Mark is 100% at fault:
1) Upon taking ownership of mtgox Mark recognized the database table with user and admin accounts had UNsalted MD5 passwords (read plaintext under 12 characters).
2) Mark should have removed admin accounts from the user table and created a separate table with admin level accounts. He should have created a separate login area for admin users. When a SQL injection attack is occurring the attacker is poking in the dark and is getting information little by little. Since only 1 table was leaked to the public, we can assume the attacker only knew about the users table. If admin accounts were stored in a different table their password hashes would not have been leaked.
3) Mark should have moved the administrative web pages to a separate server, the more isolation the better. He should not allow admins to login through the regular user login form.
4) Mark added user specific salts but did not add a secondary global salt that was hard coded in the PHP. If this salt existed the leaked users table would be useless!!
5) Mark did not audit the code for SQL injection vulnerabilities, which were probably obvious from the use of embedded SQL and non-parameterized queries (red flags that you have a SQL injection door).
6) Mark did not close these vulnerabilities, probably less than 1 week's work if not 2 days. If the attack occurred in April I'd have sympathy for Mark.
7) It's possible an earlier version of the leaked users table exists (unpublished) with the UNsalted MD5 passwords (before Mark took ownership, since we presume the same SQL injection door was open). However, Mark did not prompt users to CHANGE their passwords. Salting of already compromised passwords is pointless.
8) Mark did nothing to protect us from Jed (I'm not making any accusation of Jed here)
9) Upon taking ownership, Mark did not ask for a site wide password change with minimum password strength.
10) Mark could have implemented the salted SHA-512 (with user salt and global hard coded salt) then instructed Jed to change his password.


Mark has been very deceptive and this clarification is somewhat different than the story Mark presented to Bruce Wagner in their interview. Mark is trying to let our imaginations run wild by saying he questions the motives of the hacker. And that the hacker could have stolen more. The reason the hacker couldn't withdraw more money was the same reason the infamous Kevin could not withdraw more. There were active normal traders on the site who saw the price at 0.01 USD and were willing to pay 0.50 USD per BTC. The window to withdraw was very limited.

Finally, with no evidence from Mark, why should we assume it was Jed's account that was compromised and not Mark's?
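As an added illustration of points 4) and 5) in the post above (example code, not from the thread or from Mt. Gox): a per-user salt combined with a global hard-coded salt, so a leaked users table alone cannot confirm password guesses, and a login query assembled from user input beside its parameterized form. The pepper value, accounts and table layout are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed pepper for this example. The post's point is that this value lives in
# the application code/config, never in the database, so a leaked users table lacks it.
GLOBAL_PEPPER = b"example-global-salt-not-a-real-secret"


def hash_password(password: str, user_salt: bytes, pepper: bytes = GLOBAL_PEPPER) -> str:
    # SHA-512 over per-user salt || global pepper || password, as the post proposes.
    # (A slow KDF such as PBKDF2, scrypt or Argon2 is the better choice today.)
    return hashlib.sha512(user_salt + pepper + password.encode()).hexdigest()


def offline_guess(stored_hash: str, user_salt: bytes, candidate: str, pepper: bytes) -> bool:
    # Models checking a guess against a leaked (salt, hash) pair from the users table.
    # Without the correct pepper even the right password cannot be confirmed.
    return hmac.compare_digest(hash_password(candidate, user_salt, pepper), stored_hash)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "salt BLOB, pw_hash TEXT)")
    # Constructed sample accounts; each gets its own random salt.
    for uid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "battery staple")]:
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (uid, name, salt, hash_password(pw, salt)))
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str):
    # The red flag the post describes: SQL text assembled from user input.
    # A quote character in the username is parsed as SQL, not treated as data.
    sql = f"SELECT id, salt, pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row and hmac.compare_digest(hash_password(password, row[1]), row[2]):
        return row[0]
    return None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Parameterized query: the driver binds the value, so quotes stay inert.
    row = conn.execute("SELECT id, salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row and hmac.compare_digest(hash_password(password, row[1]), row[2]):
        return row[0]
    return None
```

Running `login_unsafe` with a username containing a single quote raises a database syntax error, while `login_safe` simply finds no such user.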
hero member
Activity: 770
Merit: 566
fractally
I have gotten access back, withdrew my money. 
jed
full member
Activity: 182
Merit: 107
Jed McCaleb
bytemaster: go to freenode on irc #mtgox and ask for MagicalTux. He is there right now and will fix your problem.
hero member
Activity: 770
Merit: 566
fractally
I have not been given access to my account and get no response from Mt. Gox. 

Please, I encourage everyone to boycott MtGox who has effectively stolen thousands of dollars from many of their customers.
legendary
Activity: 1764
Merit: 1002
For fuck's sake - it's been more than three weeks and the server is still down. That's what I get for supporting someone in bitcoin business.
Stay away from Mt.gox and Kalyhost. They are scammers and incompetent beyond belief!

i don't get it.  i moved USD into mtgox on 7/1 and did a bunch of successful trades thru to 7/4.  whats wrong with the server?
full member
Activity: 126
Merit: 100
For fuck's sake - it's been more than three weeks and the server is still down. That's what I get for supporting someone in bitcoin business.
Stay away from Mt.gox and Kalyhost. They are scammers and incompetent beyond belief!
full member
Activity: 126
Merit: 100
FWIW, MtGox claims that I never completed registration at their site, even though I not only completed registration but also bought 6 BTC under the handle datacommander.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
Even Snort + fw + browsing in a VM would not have protected you against, say, a tabnabbing phishing attempt. (I mention this example again because of how deceptively efficient it is...)

Just when I start to think I am being too paranoid leaving JavaScript disabled, I read this.

I temporarily enabled JavaScript for complaining about that bitcoin trademark :/
legendary
Activity: 1764
Merit: 1002
b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught  stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".
Except whoever did this did steal enough money to get themselves in serious legal hot water already... not to mention all the money they attempted to steal and give away at knock-down prices.

or the 2000 btc could be a concession to Kevin Day?
hero member
Activity: 686
Merit: 564
b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught  stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".
Except whoever did this did steal enough money to get themselves in serious legal hot water already... not to mention all the money they attempted to steal and give away at knock-down prices.
legendary
Activity: 1764
Merit: 1002
again, i ask the same question, why wouldn't the hacker just have changed the withdrawal limit to unlimited and just stolen all the wallet keys asap?  he instead ignored the wallet, and manipulated the DB to sell the price down to 0 over a 30 min time period risking potential intervention by Mark.  i think Kevin Day and others who were able to take money out are just red herrings.
Why wouldn't a government or financial industry attacker have changed the withdrawal limit to unlimited and stolen all available bitcoins ASAP? Crashing the price to zero was spectacular, but in the longer term leaving Mt Gox without enough bitcoins to back its liabilities would be much more damaging...

b/c that would be an international crime and as bad as they might be, i don't think they can afford to get caught  stealing to accomplish their objectives.  OTOH, if they were caught manipulating prices they could just write it off as "national security".
hero member
Activity: 686
Merit: 564
again, i ask the same question, why wouldn't the hacker just have changed the withdrawal limit to unlimited and just stolen all the wallet keys asap?  he instead ignored the wallet, and manipulated the DB to sell the price down to 0 over a 30 min time period risking potential intervention by Mark.  i think Kevin Day and others who were able to take money out are just red herrings.
Why wouldn't a government or financial industry attacker have changed the withdrawal limit to unlimited and stolen all available bitcoins ASAP? Crashing the price to zero was spectacular, but in the longer term leaving Mt Gox without enough bitcoins to back its liabilities would be much more damaging...
legendary
Activity: 1764
Merit: 1002

if i have to explain why a financial inst or gov't would want to drive down the price of btc to you heaven help you.  



Well, heaven help me then.  Perhaps you could be my angel and tell me what you mean.  Do these individuals have a target price in mind?  Or do you mean they just want to break it?  Breaking the network is not the same as driving the price down.  Some of the institutions you mention want to drive the value of the dollar down.  Is that for the same reason?  Would a lower rate of USD per BTC make it easier for the number of real BTC transactions to grow?  Somehow I feel (guessing) you are referring to currency monopolists who don't want to see any competition, but a lower price per BTC probably wouldn't make much difference to them.  Anyway, I don't think that's what happened to MtGox in this instance.       

i apologize for being so dramatic.

i am referring to fiat currency monopolists whose franchise would be threatened if not taken down by btc.  i think they understand that a continually rising price of btc would attract significant attention (as it did on the way to 30) and encourages more bullish behavior and growth of a btc economy.

yes its a conspiratorial theory but many ppl here on this forum can easily relate.

again, i ask the same question, why wouldn't the hacker just have changed the withdrawal limit to unlimited and just stolen all the wallet keys asap?  he instead ignored the wallet, and manipulated the DB to sell the price down to 0 over a 30 min time period risking potential intervention by Mark.  i think Kevin Day and others who were able to take money out are just red herrings.
legendary
Activity: 1264
Merit: 1008

if i have to explain why a financial inst or gov't would want to drive down the price of btc to you heaven help you.  



Well, heaven help me then.  Perhaps you could be my angel and tell me what you mean.  Do these individuals have a target price in mind?  Or do you mean they just want to break it?  Breaking the network is not the same as driving the price down.  Some of the institutions you mention want to drive the value of the dollar down.  Is that for the same reason?  Would a lower rate of USD per BTC make it easier for the number of real BTC transactions to grow?  Somehow I feel (guessing) you are referring to currency monopolists who don't want to see any competition, but a lower price per BTC probably wouldn't make much difference to them.  Anyway, I don't think that's what happened to MtGox in this instance.       
member
Activity: 96
Merit: 10
So why not cut the crap and just disclose in how far you are still involved with MtGox?

maybe... he's not? yeesh....
legendary
Activity: 1764
Merit: 1002
Gandlaf: No that isn't my statement. You seem to really want to add to what you read. My statement is this:
MtGox has enough funds to cover any losses from the recently stolen coins and has enough to cover what it owes me to date.
MtGox will cover any debt to its customers before it pays me.
The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment.



In that case, I do want to apologize for ever having even harboured the slightest doubts! You Jed, are quite obviously a saint (or as close as one gets nowadays without divine intervention). Giving up a multimillion dollar business, signing a contract, not insisting on payment, it sounds like a fairytale. You must be a truly wonderful and completely selfless individual to just wait for payment for your idea if/when it comes.

The only question for me would be the following: Why keep an admin account to audit payments, if everything is dandy, if your first concern is the bitcoin community and you really don't want to see a penny before everyone has been paid?

Furthermore, I don't really get your final point:
"The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment."

A BTC transfer should be fairly easy (if you don't know how to do it just ask in the forum), or is it that you aren't really willing to invest in BTC? In that case I do get it, the MtGox $1000 limit can be a bit of a nuisance.
Apart from the technicalities, let me get this right: You did not make time for/to complete a payment with 6 or 7 figures (by early June)?

I love fairytales, but this response is BS.

You would be a truly unique individual to just let a multimillion $ business go.

So why not cut the crap and just disclose in how far you are still involved with MtGox?

look, Jed told me many months ago when i asked him why he sold mtgox that he was afraid of the legal ramifications of running an exchange.  this is understandable for a US citizen given what the US gov't does to people who go against it.  he also told me he was afraid of the technical challenges confronting an exchange and that Mark would be more suited to dealing with security issues.  time has proven Jed correct insofar as his fears went.  too bad for us that Mark wasn't as good as Jed had hoped but that certainly isn't his fault.

Jed also doesn't stand to make a multimillion profit on his sale i'm willing to bet.  so he really is just doing us all a favor by not collecting right now.