Topic: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off - page 2. (Read 18489 times)

newbie
Activity: 59
Merit: 0
Gandlaf: No that isn't my statement. You seem to really want to add to what you read. My statement is this:
MtGox has enough funds to cover any losses from the recently stolen coins and has enough to cover what it owes me to date.
MtGox will cover any debt to its customers before it pays me.
The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment.



In that case, I do want to apologize for ever having even harboured the slightest doubts! You Jed, are quite obviously a saint (or as close as one gets nowadays without divine intervention). Giving up a multimillion dollar business, signing a contract, not insisting on payment, it sounds like a fairytale. You must be a truly wonderful and completely selfless individual to just wait for payment for your idea if/when it comes.

The only question for me would be the following: Why keep an admin account to audit payments, if everything is dandy, if your first concern is the bitcoin community and you really don't want to see a penny before everyone has been paid?

Furthermore, I don't really get your final point:
"The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment."

A BTC transfer should be fairly easy (if you don't know how to do it just ask in the forum), or is it that you aren't really willing to invest in BTC? In that case I do get it, the MtGox $1000 limit can be a bit of a nuisance.
Apart from the technicalities, let me get this right: You did not make time for/to complete a payment with 6 or 7 figures (by early June)?

I love fairytales, but this response is BS.

You would be a truly unique individual to just let a multimillion $ business go.

So why not cut the crap and just disclose in how far you are still involved with MtGox?
jed
full member
Activity: 182
Merit: 107
Jed McCaleb
Gandlaf: No that isn't my statement. You seem to really want to misconstrue what you read. My statement is this:
MtGox has enough funds to cover any losses from the recently stolen coins and has enough to cover what it owes me to date.
MtGox will cover any debt to its customers before it pays me.
The fact that I haven't been paid yet has nothing to do with mtgox's ability to pay. It only has to do with the fact that neither I nor Mark have made time to complete the payment.
newbie
Activity: 59
Merit: 0
Gandlaf: yes required to pay but not yet paid.

So your statement is, that MtGox currently does not even have the spare cash to pay the price/license fee currently, which you asked for as a fair price (when handing over MtGox) at a time when commissions were running a lot lower compared to today's rates and volumes?

Essentially what you are saying is that MtGox's current liquidity is (not) in question, but that MtGox is in debt to you, its original founder.
If I get you right, Mark does not even have the cash to pay you for selling him the idea and the original platform?
Apparently cash is so tight, that you have not received any money to date?

Gandlaf: [...]
I haven't gotten any money from mtgox since the sale so there is no danger of not being able to cover this loss.


Can you conceive of any reason why customers of MtGox might find this slightly worrying?
jed
full member
Activity: 182
Merit: 107
Jed McCaleb
Gandlaf: yes required to pay but not yet paid.
newbie
Activity: 59
Merit: 0
Gandlaf: I didn't say I was bored with mtgox. I said I didn't have enough time to do it correctly. Kind of the opposite of bored.
I've never faced legal action because of anything having to do with mtgox. Baron was clearly lying since we have never heard from his lawyers.
I haven't gotten any money from mtgox since the sale so there is no danger of not being able to cover this loss.


So which part exactly did I get wrong? Because Mark seems to state quite clearly, that you a) were the auditor in question (with admin powers) and b) actually did receive money? Is Mark (MagicalTux) lying in his statement?



https://mtgox.com/press_release_20110630.html
Quote
CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF
Dear members of the press and Bitcoin community,

I. Background

March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

...

Mark Karpeles - CEO
Tibanne Co. Ltd.

https://mtgox.com/press_release_20110630.html
legendary
Activity: 1764
Merit: 1002
Gandlaf: I didn't say I was bored with mtgox. I said I didn't have enough time to do it correctly.

this is consistent with what Jed has told me in the past.

Kind of the opposite of bored.
I've never faced legal action because of anything having to do with mtgox. Baron was clearly lying since we have never heard from his lawyers.

well, i guess that puts that one to rest.
jed
full member
Activity: 182
Merit: 107
Jed McCaleb
Gandlaf: I didn't say I was bored with mtgox. I said I didn't have enough time to do it correctly. Kind of the opposite of bored.
I've never faced legal action because of anything having to do with mtgox. Baron was clearly lying since we have never heard from his lawyers.
I haven't gotten any money from mtgox since the sale so there is no danger of not being able to cover this loss.

newbie
Activity: 28
Merit: 0

Also you would not be the first one to think your password was relatively secure when in fact it turned out to be complete crap (this guy claimed his password was secure, and even lied about its length, when it was in fact "rascal101").

To be fair, the account I pointed out was "XPiRX0".  He might have used that as a second account for small trades, and had a main account "XPiRX" that was never cracked.

There's no grounds for calling him a liar.
newbie
Activity: 59
Merit: 0
https://mtgox.com/press_release_20110630.html

Quote
CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF

Dear members of the press and Bitcoin community,


I. Background

March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

...

Mark Karpeles - CEO
Tibanne Co. Ltd.

https://mtgox.com/press_release_20110630.html

...
I'm sure Mark is very busy with mtgox so has been neglecting Kalyhost.

Mistakes were obviously made but I don't think Mark is being greedy or incompetent here. He needs to hire more people and he knows this. But which if you have ever tried to do you know takes time which he doesn't have much of these days.

Jed,
obviously mistakes were made but given that these haven't exactly been the first ones in MtGox's history, it would be very interesting to know what percentage of commission you are taking and for what period of time, furthermore what your additional (financial) interests in MtGox still are. Your message when handing it over (paraphrasing): I'm bored and I just don't want to invest that much time ( http://forum.bitcoin.org/index.php?topic=4187.0 ), was less than honest, especially given the fact that you were facing legal action in connection with prior inconsistencies ( http://forum.bitcoin.org/index.php?topic=3712.0 ).

Are you willing to verifiably disclose what your current interests in MtGox still are (does Mark actually have the funds to compensate for losses?; are you skimming off all the profits?) or are you going to keep this cloud of uncertainty hanging over MtGox customers and therefore the wider Bitcoin community?
member
Activity: 70
Merit: 10
Now how about fixing my account?
mrb
legendary
Activity: 1512
Merit: 1027
cypherdoc: Correct. But cracking the hashes is still valuable due to their re-use on other sites (Paypal, MyBitcoin, etc).
legendary
Activity: 1764
Merit: 1002
someone elsewhere said that if they got into mtgox system and already had everyones hashed passwords they wouldn't need the exact password b/c the system just looks to match the hashes.  is this correct?
full member
Activity: 126
Merit: 100
I can tell this:
Dictionary attack would have been useless against my hash and attackers would not have had enough time for a pure brute force attack even if they obtained unsalted md5. This leads me to think that this db dump is just the tip of the iceberg and that "clarification" is full of shit
mrb
legendary
Activity: 1512
Merit: 1027
A few passwords of length 22 or more have been discovered (none of them are yours):

Code:
$1$vl6fKApv$FM4X4hc4oJMB7D6UsEzxN1:digitalcurrencypassword
$1$zu4V3y9t$1/iE1miMzvTuj.Js17Buo0:weloveyouinglacialways72
$1$u13cgODk$1aaFBvCFoQSl5YuwvnCbk.:Thereisnogodsofuckoff!
$1$yNsa0VJP$IftjIMbVfGWz9uIFngvKu/:60x8760b6k328vc3v24kw8y1
$1$m7j/0t7K$cxWkLa48wI2LNhqRwA45A/:8ajdegejjep10umIg30purIt
$1$hp7CVOt/$ZpKbXzOnSZezpJGgBNcie/:szyzgy1w1d1w1vfescgrdv
$1$UsVn0FLE$QnEkv9NOZnFTjUsZ.RC1B/:31knuj_m43rdbr41nd34th
$1$nUFHEtPC$q/9Vpxg7gP/I161NPW6Xq0:saab9000aeroskodafabiavrs

The first 3 passwords are concatenations of simple words with simple mangling rules (digits/symbols appended, and a capitalization) which could have been bruteforced somewhat easily. If your password was similar, then it was weak.

However, if your password was similar to the other more complex ones, then one of these 3 possible explanations is true: http://forum.bitcoin.org/index.php?topic=24727.msg317542#msg317542
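Two points in this thread turn on the same mechanism: cypherdoc's question a few posts up (whether someone holding the hashed passwords could log in without knowing the plaintext), and the `$1$salt$hash` entries mrb lists above, which are in the md5crypt format. The following Python is an added example and is not code from this thread or from Mt. Gox: it reimplements the published md5crypt algorithm (the `$1$` scheme those entries use) and a `verify` routine that does what a login handler does, re-deriving the hash from the submitted plaintext and the stored salt, then comparing. The first hash:password pair from mrb's list is used as the test vector; `split_record`, `verify` and `STORED_RECORD` are names chosen for this example.

```python
import hashlib
import hmac

# md5crypt's own base-64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the md5crypt ('$1$') record for `password`; the salt is truncated to 8 characters."""
    pw = password.encode("utf-8")
    sb = salt.encode("utf-8")[:8]

    ctx = hashlib.md5(pw + MAGIC + sb)

    # Mix in MD5(pw + salt + pw), len(pw) bytes' worth, at most 16 at a time
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # For each bit of len(pw): a NUL byte if the bit is set, else the first password byte
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1

    final = ctx.digest()

    # 1000 stretching rounds that alternate password, salt and running digest in a fixed pattern
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Digest bytes are interleaved in md5crypt's fixed order before encoding
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + sb.decode("utf-8") + "$" + encoded


def split_record(record: str):
    """Split '$1$salt$hash' into (salt, hash); raise ValueError for anything that is not md5crypt."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an md5crypt record")
    return parts[2], parts[3]


def verify(record: str, candidate: str) -> bool:
    """Login-side check: rehash the submitted plaintext with the stored salt and compare in constant time."""
    salt, _ = split_record(record)
    return hmac.compare_digest(md5crypt(candidate, salt), record)


# Test vector taken from the hash:password list in the post above
STORED_RECORD = "$1$vl6fKApv$FM4X4hc4oJMB7D6UsEzxN1"

if __name__ == "__main__":
    print(verify(STORED_RECORD, "digitalcurrencypassword"))  # True
    # Submitting the stored record itself as the "password" fails: the server hashes
    # whatever arrives, so a leaked hash is not by itself a login credential here.
    print(verify(STORED_RECORD, STORED_RECORD))  # False
```

The second call is the answer to the "just match the hashes" question: with a properly written login handler the client has to send the plaintext, so a dumped hash only becomes a credential once it has been cracked or reused elsewhere. The 1000 MD5 rounds and the per-user salt are also why mrb's list is short: each guess costs a thousand MD5 computations per user, which is what separates the concatenated-word entries (cheap to guess) from the random-looking ones.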
full member
Activity: 126
Merit: 100
As one of the few users with ~1k posts on this forum, therefore a likely valuable Bitcoin-rich target, I think you should envisage the possibility that you have been the victim of a targeted attack (not necessarily via an MtGox flaw). You wouldn't be the first one --you remember allinvain and his 25k BTC stolen... Even Snort + fw + browsing in a VM would not have protected you against, say, a tabnabbing phishing attempt. (I mention this example again because of how deceptively efficient it is...)

On the other hand, I have no idea how security-proficient you really are. You know Snort and firewalls, but the fact you exaggerate (few sites/apps accept "random >60characters password") makes it difficult for me to evaluate you. You say your MtGox pw was shorter than usual; would you mind sharing its exact length?

22

I am aware of most types of attacks and know how to protect myself. I keep up to date with current exploits and am a Backtrack user, familiar and proficient with most tools in that distro.
mrb
legendary
Activity: 1512
Merit: 1027
As one of the few users with ~1k posts on this forum, therefore a likely valuable Bitcoin-rich target, I think you should envisage the possibility that you have been the victim of a targeted attack (not necessarily via an MtGox flaw). You wouldn't be the first one --you remember allinvain and his 25k BTC stolen... Even Snort + fw + browsing in a VM would not have protected you against, say, a tabnabbing phishing attempt. (I mention this example again because of how deceptively efficient it is...)

On the other hand, I have no idea how security-proficient you really are. You know Snort and firewalls, but the fact you exaggerate (few sites/apps accept "random >60characters password") makes it difficult for me to evaluate you. You say your MtGox pw was shorter than usual; would you mind sharing its exact length?
full member
Activity: 126
Merit: 100
Attackers don't need to tie identities. Previously broken passwords are added to dictionary lists and are blindly tried against all newly leaked accounts.
Previously broken passwords - yes, but I'm not talking about reusing passwords. I'm talking about patterns that help to derive passwords and remember them. And while some analyze these and add to their attacks, this is the case only in highly targeted attacks. Which this wasn't!
Adding such patterns to general password cracking is just a waste of time and resources.

This contradicts your first post which says "my password was not the most secure". So which is it?
No it doesn't. I said it wasn't the most secure because it was not a random >60characters password I normally use which would take thousands of years to crack. This was the kind of password which could be broken in several decades.

Don't be so negative with me. I am just trying to help you understand how your account was hacked. Multiple possibilities:
1) The majority of MtGox users who were hacked were knowingly using insecure passwords. Not your case.
2) A smaller but still considerable fraction of users had a misconception of what a secure password is. May be your case.
3) Finally, a minority were using perfectly secure passwords (see examples in my last post). These users either shared passwords with other sites that have been hacked, or were phished (eg. even experienced IT security professionals may fall for tabnabbing!), or were the victim of targeted attacks on their personal computers (eg. malware installing a keylogger). May be your case.

1) No
2) I know it was secure. Even if the attacker got my hash the day I registered they would not have had the time to crack it.
3) My home network is monitored by snort 24/7, firewalls on my router and computers are properly configured to allow just the traffic I require. There are no unnecessary services running -  I even disabled dhcp. Most of the browsing is done in VMs which are then shutdown and destroyed. So please keep your security 101 to yourself.

I am not negative - I'm just a realist. If you read my previous posts, you'll find that I was advocating Mt.gox and dismissing people complaining on this board about stolen funds from Mt.gox. At the time I had blind faith in Mark, but I was wrong.

Go listen to the interview after the hack, read his statements - he was blatantly lying. And I believe he is still lying. While a move to this inferior and buggy platform and testing on a production server may be considered normal by such an incompetent individual, I think it indicates that Mt.gox is desperate and still has no fucking clue how the attacker got in. Hiding this is irresponsible and will lead to disaster.
Time will show
mrb
legendary
Activity: 1512
Merit: 1027
That statement does not indicate shit.
I don't have any account with your mentioned sites or sites that have been hacked. I am extremely paranoid and use one time identities and one time passwords for different sites/forums/communities. Even if some site was hacked that we don't know about, attackers would never be able to tie them to this one. Go ahead and try to find info about mewantsbitcoins or any other identifies tied to it.

Attackers don't need to tie identities. Previously broken passwords are added to dictionary lists and are blindly tried against all newly leaked accounts.

Anyway, I'm not here to argue about security practices. I don't think my password was secure - I know it was.

This contradicts your first post which says "my password was not the most secure". So which is it?

Don't be so negative with me. I am just trying to help you understand how your account was hacked. Multiple possibilities:
1) The majority of MtGox users who were hacked were knowingly using insecure passwords. Not your case.
2) A smaller but still considerable fraction of users had a misconception of what a secure password is. May be your case.
3) Finally, a minority were using perfectly secure passwords (see examples in my last post). These users either shared passwords with other sites that have been hacked, or were phished (eg. even experienced IT security professionals may fall for tabnabbing!), or were the victim of targeted attacks on their personal computers (eg. malware installing a keylogger). May be your case.
legendary
Activity: 1764
Merit: 1002
I'm glad they posted this. I trust them a lot more after seeing this. The only thing missing is the exact number of coins stolen and the address they were sent to. I can't imagine why they didn't make that public.
Ah. One major thing that's bugging me is this - if the person doing this had so much access, why couldn't they change their limits and withdraw a large chunk of their freshly-created bitcoin balance?

precisely what i've been thinking.  i truly think a major financial institution or gov't related entity hacked the system with its sole purpose to drive down the price of btc.

stealing the btc outright which would have been the logical and easiest first move for an individual.  why go to the trouble of creating a selloff lasting 30 min?  stealing the btc for an institution or gov't would have been an international crime whereas a creating a selloff could just be considered "national security".  stealing the DB would also be information gathering.

If you believe the individual was still subject to the withdrawal limits, the selloff makes sense and enabled him/her/them to escape with 2000BTC.  It is conceivable that the limits were 'hard coded'.  Why would a financial institution or gov't related entity want to drive down the price?  AFAIK there are not many short sales in play at the moment.

The statement from MtGox is helpful, however it doesn't address some of the anomalies identified in the transaction ledger.  Why the sudden motion of 500k BTC immediately after the selloff?  Why the sudden play of the very old accounts with 50BTC each?  

from the above comments, it seems this hacker was extremely talented or had access to significant processing power.  to me changing the withdrawal limit and then stealing the btc would have been easiest and most logical first step.

the limits are not hard coded.  my own limits have been changed by Mark.  Kevin Day also described a bug in the daily limit which allowed sequential withdrawals of $1000 from the same acct.

if i have to explain why a financial inst or gov't would want to drive down the price of btc to you heaven help you.  

this was the financial market equivalent of naked short selling btc into oblivion.  this is why  i have argued against implementing short selling at this stage by mtgox.
legendary
Activity: 1264
Merit: 1008
I'm glad they posted this. I trust them a lot more after seeing this. The only thing missing is the exact number of coins stolen and the address they were sent to. I can't imagine why they didn't make that public.
Ah. One major thing that's bugging me is this - if the person doing this had so much access, why couldn't they change their limits and withdraw a large chunk of their freshly-created bitcoin balance?

precisely what i've been thinking.  i truly think a major financial institution or gov't related entity hacked the system with its sole purpose to drive down the price of btc.

stealing the btc outright which would have been the logical and easiest first move for an individual.  why go to the trouble of creating a selloff lasting 30 min?  stealing the btc for an institution or gov't would have been an international crime whereas a creating a selloff could just be considered "national security".  stealing the DB would also be information gathering.

If you believe the individual was still subject to the withdrawal limits, the selloff makes sense and enabled him/her/them to escape with 2000BTC.  It is conceivable that the limits were 'hard coded'.  Why would a financial institution or gov't related entity want to drive down the price?  AFAIK there are not many short sales in play at the moment.

The statement from MtGox is helpful, however it doesn't address some of the anomalies identified in the transaction ledger.  Why the sudden motion of 500k BTC immediately after the selloff?  Why the sudden play of the very old accounts with 50BTC each? 
