Topic: Bitcoinica MtGox account compromised - page 24. (Read 156012 times)

Quote from: bitcoinBull on July 13, 2012, 06:21:38 PM

Quote from: Raoul Duke on July 13, 2012, 06:43:53 PM

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:[email protected]/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

It was posted on reddit a few days ago:
http://www.reddit.com/r/Bitcoin/comments/w6xen/bitcoinica_press_release/

"
genjix 1 punto 5 días atrás
This is legit. Run "git log" to see the development history.
"
if you already knew, did not occur to review the code filtering, if there was something sensible?

nomnomnom

sr. member

Activity: 313

Merit: 250

Quote from: bitcoinBull on July 13, 2012, 06:21:38 PM

Quote from: Raoul Duke on July 13, 2012, 06:43:53 PM

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:[email protected]/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

It was posted on reddit a few days ago:
http://www.reddit.com/r/Bitcoin/comments/w6xen/bitcoinica_press_release/

sadpandatech

hero member

Activity: 504

Merit: 500

Quote from: bitcoinBull on July 13, 2012, 06:21:38 PM

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:[email protected]/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

According to the pastbin announcement they were going to make the sourcecode public on the 9th by releasing the instructions to decrypt it on freenode. anyone got a log of freenode #bitcoin at around 1900 on the 9th of July 2012?

tbcoin

legendary

Activity: 1022

Merit: 1000

Quote from: Raoul Duke on July 13, 2012, 06:43:53 PM

Quote from: bitcoinBull on July 13, 2012, 06:21:38 PM

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:[email protected]/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

Maybe genjix was "Monday at 19:00 UTC in #bitcoin on Freenode IRC."
No logs of the chat??
Genjix upload the decrypted file? if not, where are published these link before?

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: bitcoinBull on July 13, 2012, 06:21:38 PM

Quote from: MagicalTux on July 13, 2012, 05:48:34 PM

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:[email protected]/ passwd 123 Huh

How does one decrypt that file?
Some research is due.

rdponticelli

sr. member

Activity: 325

Merit: 250

Our highest capital is the Confidence we build.

I'm not usually a great adept at believing in conspiracy theories, but doesn't anybody else found very convenient that just when MtGox was suffering lots of liquidity issues, a couple of really big accounts full with somebody else's money (BTCSYN and Bitcoinica's) gets depleted by strange hacks?

Just saying, anyway... Roll Eyes

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

Quote from: Bitcoin Oz on July 13, 2012, 05:44:01 PM

The question remains why there hasnt been a police report initiated by the owners of bitcoinica. Shouldnt it be them and not yourself that initiates such a thing ? When else do you arbitrarily "inform the police " without the actual people involved doing it ?

We are still discussing this with our legal counsel actually, however filing the theft details pre-emptively from our side may make things easier and faster, and may protect us and our other customers too.

Was the money withdrawn through a verified account ?

tbcoin

legendary

Activity: 1022

Merit: 1000

Quote from: bitcoinBull on July 13, 2012, 06:21:38 PM

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:[email protected]/ passwd 123 Huh

bitcoinBull

legendary

Activity: 826

Merit: 1001

rippleFanatic

Quote from: MagicalTux on July 13, 2012, 05:48:34 PM

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

Quote from: ?? on ??

We are still discussing this with our legal counsel actually, however filing the theft details pre-emptively from our side may make things easier and faster, and may protect us and our other customers too.

Mt.Gox is covering their bases... Well it's a right thing to do.

To withdraw $40 000 it needs to also be a VERIFIED account. You cant just setup a new account and withdraw that much money. Unless things have changed....this means they should know who withdrew the money.

iCEBREAKER

legendary

Activity: 2156

Merit: 1072

Crypto is the separation of Power and State.

Quote from: sd on July 13, 2012, 04:52:52 PM

Quote from: beckspace on July 13, 2012, 04:28:58 PM

This a thousand times. This last 'hack', if it happened at all, was the remnants of bitcoinica giving money away.

No-one could be so stupid as to get publicly hacked and not change all their passwords afterwards. It's just unbelievable anyone could be that dumb and still manage to dress themselves in the morning.

Both of these a million times.

/Can't believe nobody posted that yet.

markm

legendary

Activity: 2940

Merit: 1090