Topic: Bitcoinica MtGox account compromised - page 4. (Read 156012 times)

hero member
Activity: 560
Merit: 500
I am the one who knocks
July 24, 2012, 08:03:09 PM
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
I'm not sure I follow this, the master password or at least its hash must be sent to LP in order to log in. If, when you log into the website using your master password the webpage hashes the password and then sends the password to the server for verification that still leaves the website as an attack vector where the login could be sent plaintext to the attackers website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?
When you use the client I believe it downloads a nonce as part of the authentication rendering a replay attack improbable.

LastPass was not the weakness here.  The interesting point, which I have not seen anyone point out, would be:

Why on earth would anyone in their right mind select a UUID for a master password?  There are only two possibilities I can come up with:

1. They all knew it was the Mt.Gox key so they could copy/paste it anytime they needed.
2. They had the 'remember password' option selected in LP.

Why anyone that knows *anything* about security would think that either of those options was good is beyond me.  They would have been worlds better by selecting a known phrase such as "We all live in a yellow submarine"  easily remembered and told over the phone, etc.
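The exchange above turns on two claims: that the master password never reaches the server (only something derived from it does), and that a nonce in the login stops an intercepted login hash from being replayed. The following is an added illustration of that general pattern, written for this thread; it is not LastPass's protocol and the function names, the PBKDF2 work factor, the e-mail-as-salt choice and the HMAC challenge are all assumptions. It also shows the limit the thread points at: a compromised server still cannot decrypt the vault, but a backdoored client that ships the master password elsewhere before deriving anything defeats the scheme entirely.

```python
"""Client-side key derivation with a nonce challenge (constructed illustration).

Not LastPass's protocol: the derivation steps, salt choice, work factor and
challenge format are assumptions made for this example.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the illustration


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed and kept on the client only.
    The e-mail address stands in for a per-user salt (assumption)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.encode(), PBKDF2_ROUNDS
    )


def derive_auth_secret(vault_key: bytes) -> bytes:
    """One more one-way step: the server stores this, and learning it does
    not reveal the vault key, so a server-side leak does not open the vault."""
    return hashlib.sha256(b"auth:" + vault_key).digest()


class Server:
    """What the service holds: per-user auth secrets and outstanding nonces."""

    def __init__(self) -> None:
        self.users: dict[str, bytes] = {}    # email -> auth_secret
        self.pending: dict[str, bytes] = {}  # email -> nonce not yet consumed

    def register(self, email: str, auth_secret: bytes) -> None:
        self.users[email] = auth_secret

    def challenge(self, email: str) -> bytes:
        """Fresh random nonce per login attempt; the previous one is discarded."""
        nonce = os.urandom(16)
        self.pending[email] = nonce
        return nonce

    def verify(self, email: str, nonce: bytes, proof: bytes) -> bool:
        """Accept only a proof over the nonce issued for this attempt.
        A captured (nonce, proof) pair fails: the nonce is consumed on use."""
        expected_nonce = self.pending.pop(email, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        secret = self.users.get(email)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, "sha256").digest()
        return hmac.compare_digest(expected, proof)


def client_login(server: Server, email: str, master_password: str):
    """Client side: derive keys locally, answer the server's challenge.
    Returns (accepted, vault_key, (nonce, proof)) so the demo can replay."""
    vault_key = derive_vault_key(master_password, email)
    auth_secret = derive_auth_secret(vault_key)
    nonce = server.challenge(email)
    proof = hmac.new(auth_secret, nonce, "sha256").digest()
    return server.verify(email, nonce, proof), vault_key, (nonce, proof)


def demo() -> dict:
    """Run one honest login, one wrong password, and one replay of the
    captured proof against a fresh challenge. Sample values are constructed."""
    server = Server()
    email = "ops@example.invalid"
    password = "We all live in a yellow submarine"

    vault_key = derive_vault_key(password, email)
    server.register(email, derive_auth_secret(vault_key))

    accepted, _, captured = client_login(server, email, password)
    rejected, _, _ = client_login(server, email, "wrong password")

    # Attacker who sniffed (nonce, proof) tries it against a new challenge.
    server.challenge(email)
    replayed = server.verify(email, *captured)

    return {
        "login_ok": accepted,
        "wrong_password_ok": rejected,
        "replay_ok": replayed,
        # The vault key itself never appears in server-side state.
        "server_holds_vault_key": vault_key in server.users.values(),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the thread's argument: the server-side record is a derived secret, so a backdoor on the server sees logins succeed but still has nothing that decrypts the vault; the replay the reply worried about fails because the proof is bound to a single-use nonce. None of this helps if the client code itself is modified, which is the residual risk the original poster raised.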
hero member
Activity: 560
Merit: 500
I am the one who knocks
July 24, 2012, 07:58:53 PM
Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.
LastPass offers offline recovery tools you can use in that event, but you still need your password.
hero member
Activity: 868
Merit: 1000
July 24, 2012, 03:42:28 PM
Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.
legendary
Activity: 1274
Merit: 1004
July 24, 2012, 03:38:41 PM
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
I'm not sure I follow this, the master password or at least its hash must be sent to LP in order to log in. If, when you log into the website using your master password the webpage hashes the password and then sends the password to the server for verification that still leaves the website as an attack vector where the login could be sent plaintext to the attackers website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?
member
Activity: 66
Merit: 10
July 24, 2012, 03:33:59 PM
Which brings me back to a question I had.  I should have just tested this by now but haven't had time. If you have lastpass installed on one computer and want to start using the same account on another. Does it load the passwords to the new computer when you validate there? (If so then the backdoor thing could work.) But what I was under the impression of, is if you want to use an account on another computer you had to export the saved passwords and physically place them on the new computer??  If that's the case it would have done our alleged hacker no good to just know the password..

You just need to install Lastpass on your new computer and enter your password. It will download your passwords from the encrypted server.
hero member
Activity: 504
Merit: 500
July 24, 2012, 03:26:15 PM
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

Which brings me back to a question I had.  I should have just tested this by now but haven't had time. If you have lastpass installed on one computer and want to start using the same account on another. Does it load the passwords to the new computer when you validate there? (If so then the backdoor thing could work.) But what I was under the impression of, is if you want to use an account on another computer you had to export the saved passwords and physically place them on the new computer??  If that's the case it would have done our alleged hacker no good to just know the password..
hero member
Activity: 560
Merit: 500
I am the one who knocks
July 24, 2012, 03:21:07 PM
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
legendary
Activity: 1274
Merit: 1004
July 24, 2012, 03:07:34 PM
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

A lot of people who should know better fail at understanding entropy. I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.


Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.
hero member
Activity: 868
Merit: 1000
July 24, 2012, 02:43:19 PM

The only reasonable crime you the authorities might possibly could charge them is extreme negligence, not theft. You don't have any evidence for theft except your suspicion that this is an inside job.

There should be a proper investigation before we can speak about charging somebody, or did you lose your rationality when you lost your money?

FTFY.

People can certainly file criminal complaints.  The extent to which those complaints are investigated and whether any investigations lead to criminal charges is another matter entirely and not determined by the complainants.  People's theories (including mine) about what happened are not evidence.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 24, 2012, 11:19:42 AM
I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.
Oh derp, I just rolled my eyes out of my head.
The UU in UUID stands for Universally Unique. And it is unique, unless some bonehead doesn't use any entropy.
"Security Architect" indeed.
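The "universally unique" remark above rests on the size of the random part of a v4 UUID, so here is the arithmetic behind it, as an added worked example rather than anything from the thread. It assumes the tokens are generated from a proper random source (the "no entropy" failure rjk mentions is exactly the case where this bound does not hold).

```latex
\text{A version-4 UUID fixes 6 bits (version and variant) and draws the other } 122 \text{ bits at random.}

\text{Birthday bound: among } n \text{ tokens, the chance that any two coincide is}
\quad p_{\text{coll}} \approx \frac{n(n-1)}{2} \cdot 2^{-122} \approx \frac{n^2}{2^{123}}.

\text{For } n = 10^{9} \text{ live tokens:}
\quad p_{\text{coll}} \approx \frac{10^{18}}{2^{123}} \approx \frac{10^{18}}{1.06 \times 10^{37}} \approx 9.4 \times 10^{-20}.

\text{Guessing: } q \text{ attempts against } n \text{ live tokens succeed with probability}
\quad p_{\text{guess}} \approx \frac{q \, n}{2^{122}}, \text{ e.g. } q = 10^{12},\ n = 10^{9}:
\quad p_{\text{guess}} \approx \frac{10^{21}}{5.3 \times 10^{36}} \approx 1.9 \times 10^{-16}.

\text{Prefixing a constant service string } s \text{ adds no entropy:}
\quad H(s \,\|\, U) = H(s) + H(U) = 0 + 122 \text{ bits},
\text{ so both bounds above are unchanged; }

\text{and a clash with another service's tokens is the same birthday event over the combined count,}
\text{ which the bound already shows to be negligible.}
```

So the prefix can only serve as a namespace label for the service's own bookkeeping; it neither shrinks nor enlarges the space an attacker has to search.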
hero member
Activity: 530
Merit: 500
July 24, 2012, 11:11:57 AM
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

A lot of people who should know better fail at understanding entropy. I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 24, 2012, 10:21:11 AM

You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Zhou did not sell the Delaware entity (xWaylab Inc).

Quote
If you ever find yourself needing money, if I were you, and I am def. not, would just make a new bitcoinica with your new knowledge of past mistakes.

Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

+1 (I don't pluses often)

Damn good point, repentance.

~Bruno~
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 24, 2012, 10:15:47 AM
Quote
Guys, I'm not happy, constantly worried and possibly scared. I didn't have a nice sleep since long time ago.

I told you guys that ZT wasn't real. Now here's proof that ZT is Genjix.

Seriously, I have major shit going on in my life right now, some of it caused by this Bitcoinica fiasco (EPA/lead paint). And I have no problem sleeping. I dream weird shit, but do sleep well. A good friend (no longer with us) used to always say, "This too shall pass." I guess I live by those words. The other thing he used to say (before those book(s) ever came out) was, "Don't sweat the small stuff.". (Note to self: Google to learn where those fuckin' periods go when using quotes)

~Bruno~
legendary
Activity: 980
Merit: 1020
July 24, 2012, 10:01:47 AM

Its going on two weeks now and there has been no word from Tihan other than that "the fund" will pursue legal action against "bitcoinica consultancy". Whatever legal action the fund takes is only indirectly related to depositors' claims, and I personally don't care. I want to know how and when the owners will process claims.

It may be the reason why you guys are not getting refunded. They may be embroiled in a legal civil war each other trying to blame each other, rather than doing what's right for the customers. In said legal civil war, nobody will touch the funds because their lawyers said so.

And nobody will be talking until the legal dispute is a done deal.

But this is just speculation, and there's no messenger telling us what's going on.
legendary
Activity: 980
Merit: 1020
July 24, 2012, 09:49:01 AM
We will join any organized legal action against Mr. Seale in the United States, where I think there's a good chance of holding him personally accountable for stealing our money, given the trail of public claims to his ownership of Bitcoinica and his direct access to their USD accounts. Finally, we encourage anyone in Washington State who was harmed in Bitcoinica's theft to file in small claims court against Mr. Seale, which is the easiest way to put his involvement in the public record.

The only reasonable crime you could charge them is extreme negligence, not theft. You don't have any evidence for theft except your suspicion that this is an inside job.

There should be a proper investigation before we can speak about charging somebody, or did you lose your rationality when you lost your money?
donator
Activity: 980
Merit: 1000
July 24, 2012, 08:51:04 AM
To the best of my understanding the position of "Intersango trio" now is:

"FUCK YOU ALL! WE WILL KEEP THE MONEY! SUE US! (but our other businesses such as intersango and bitcoin conference in London are safe and you should use/attend it)"

And I would think the victims here are all the depositors, Tihan/Wendon and Zhou. I think that we all need to get together and bring legal action against Bitcoinica GP, and the "Intersango trio" with intent to breach the veil of limited liability based on their alleged gross negligence.


I really hope the Bitcoin conference fails miserably this year. The majority of people who were asked for the location didn't even want it to be in London to begin with, but that was just done away with. What's the point of having a BTC conference in the UK, a well known police-state? To be close to and hook up with banksters? This really was the main argument, you will need big 'traditional' finance to support BTC. I believe Bitcoin needs exactly the opposite. Are we sleeping with the enemy now? Who is running this BTC shit anyways? Just some thoughts here on my side. Meanwhile, genjix is doing the conference schedule.  Really?

Germany is also a police-state, so there's that
They also ran the conference in Prague last year. If you want to organise something in Germany, I don't think anyone would complain.

First 100 tickets are €40, hurry up http://www.bitcoin2012.com/tickets
donator
Activity: 544
Merit: 500
July 24, 2012, 08:27:46 AM
We will join any organized legal action against Mr. Seale in the United States, where I think there's a good chance of holding him personally accountable for stealing our money, given the trail of public claims to his ownership of Bitcoinica and his direct access to their USD accounts. Finally, we encourage anyone in Washington State who was harmed in Bitcoinica's theft to file in small claims court against Mr. Seale, which is the easiest way to put his involvement in the public record.
Based on the publicly available information that came out during the last two weeks, my personal opinion is that Tihan was not actually supposed to have access to anything, and that (contrary to my original assumption) the reason why the password for LastPass he used was not changed lies with Bitcoinica Consultancy rather than Tihan. I still think that incompetence on part of Bitcoinica Consultancy is the most plausible explanation. In that case, Tihan and Zhou are harmed just like we (the depositors) are, and it is in their interest to cooperate with us.

Edit: another harmed party and a potential ally is Christopher Heaslip, who is still listed as a director of Bitcoinica Consultancy at the New Zealand Company Registry, even though the leaked documents show that BC was taken over by Amir, Patrick and Donald. The NZCR website says that the records need to be updated within 20 working days of the change, but this didn't happen.
member
Activity: 101
Merit: 10
July 24, 2012, 07:12:32 AM
I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, it's deliberate and wilful.

LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services.
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity. Security is about risk management. LastPass itself may be secure, but it is completely inappropriate to use as a keyring for all of a production system's components. Putting "all your eggs in one basket" and needlessly creating such high risk is unforgivable.

Interesting to see that Intersango were so keen on finding exploits in other exchanges and then grandstand about how they were "warning" people and insisting that they are more qualified to look after your money on their exchange, yet when they were clearly aware of exploits in a system they took (or sought to take) ownership of, they deliberately decided not to fix them or warn the masses. Despicable.


BB.
hero member
Activity: 568
Merit: 500
July 24, 2012, 07:01:00 AM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.


Quote
07/12/2012 22:17:04  LastPass.com  67.188.9.35  Master Password Changed
07/17/2012 08:30:52  LastPass.com  0.0.0.0      Master Password Reverted

This seems to confirm what we believe - that Tihan and/or Patrick sent the money to themselves and claimed a hack.

My claim - StrikeSapphire's claim - for $981.18 which was entirely in USD should have been processed months ago. You had all my documentation, including my passport. I spoke personally with Zhou, and with Patrick on separate occasions and was assured that it would be handled quickly.

I'll address Genjix here, because Zhou was out of the process at that point: There was absolutely no reason for you not to have paid back my USD long before your MtGox account was 'compromised'. It didn't involve any Bitcoins. The money was there in your account; you know who I am. You took my money.

There was also no reason to continue to ignore my emails. Long before this "theft" from your MtGox account, we began to suspect that the Bitcoin Consultancy (in particular, Patrick) was planning to take our money and run. I have a chat log with him where he denies he's planning to do that, and then immediately and rudely adds that I need to know that "Bitcoinica Consultancy" is not the same as "Bitcoin Consultancy". It was such transparent hedging, it was clear to me at that point he was a crook.

You didn't notice the first two large MtGox withdrawals? You didn't notice $40k and then $60k going missing, or the emails they must have sent? Tihan's LastPass password after the date of the initial compromise was the MtGox API private key...and still hasn't been changed? How stupid do you think we are? No one in their right mind would believe this bullshit. And it doesn't change the fact that you owe us money.


It's the position of StrikeSapphire that:

1. The Bitcoin("ica") Consultancy 3 and Tihan who financed the heist - never had any intention of returning our USD.

2. The USD withdrawn from their MtGox account into Liberty Reserve has undoubtedly gone right back into the pockets of the BC and Tihan - as will any other money should MtGox unlock their account. Had MtGox not locked their account, we would clearly have seen another "hack" already, since someone asked to have the password reverted. Then there would be another round of "oops, can't believe we were so stupid", and then silence.

3. Tihan gave BC $500k, supposedly for Coinlab. The real purpose of this money was to buy Bitcoinica and drain its users' accounts. All these "hacks" have been his withdrawals.

4. Patrick, Tihan, et al. personally owe us $981.18... and until that's paid, we consider them thieves.

We recommend that everyone injured by this scam file a criminal complaint against Mr. Seale with the USDOJ. It's very easy to do, and you can file it online here:
http://www.ic3.gov/
It only takes a few minutes.

We will join any organized legal action against Mr. Seale in the United States, where I think there's a good chance of holding him personally accountable for stealing our money, given the trail of public claims to his ownership of Bitcoinica and his direct access to their USD accounts. Finally, we encourage anyone in Washington State who was harmed in Bitcoinica's theft to file in small claims court against Mr. Seale, which is the easiest way to put his involvement in the public record.
vip
Activity: 490
Merit: 502
July 24, 2012, 06:04:33 AM
Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

Tihan and Zhou knew that the LastPass password was the MtGox API key. genjix' claim that no one else did is somewhat strange, it requires three persons where at least one of them claims to be a security expert not to recognize a clearly non-random string for what it is.

I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, it's deliberate and wilful.

LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services.

Of course, it requires you to have a good master password (and/or use two factor authentication). LastPass go out of their way in making sure you understand the importance of that, and as I've already written before in a reply to Tihan, you have to be either completely unaware of any security practices or willfully ignorant to select something like an API key (a "known string") as password.

By "willfully ignorant" in this case I do mean that doing so creates a possibility where you can exploit that knowledge to claim a hack where no hack took place, later.

I'm still interested in why, and how, the source code got leaked. That provided the excuse needed for an inside job.

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

Quote
07/12/2012 22:17:04  LastPass.com  67.188.9.35  Master Password Changed
07/17/2012 08:30:52  LastPass.com  0.0.0.0      Master Password Reverted

Since you've referenced that email before. Zhou, what's the X-Originating-IP header in the email you got from the claimed hacker that referenced your LastPass account password? Does it match any IP listed in the LastPass log?

(I assume it will turn out to be a anon VPN or TOR exit node)

I believe the "LastPass" hack to be an inside job, from someone being fed up with having to deal with the Bitcoinica mess. I'm less sure the other hacks were.

My access to the [email protected] has been revoked a few hours ago. (I don't know who did that.) I can't load the source for the email any more.