Bitcoinica MtGox account compromised - page 8.

repentance

hero member

Activity: 868

Merit: 1000

Quote from: MrTeal on July 23, 2012, 06:47:02 PM

Even if it was the original hacker, according to genjix the LastPass PW was not compromised. The password was the MtGox API key and that key was stored in the source that the Rackspace hacker would have had access to, but how likely is it that if you had 5 guesses you would choose an API key buried in the source vs attempting one of the other passwords that you did compromised to see if it was a duplicate of those?

Which is what most people assume they did. You get 5 attempts before it locks you out for 5 minutes and sends an email. If the list of compromised passwords the hacker had wasn't especially long, then they didn't have a lot to lose by trying the duplicates - if one of them was right, there was every chance they'd be into the LastPass account before anyone read the email.

Quote

Any time a hacking fiasco happens, it basically turns into a witchhunt, because people feel extremely powerless.

This is equally true when conventional companies go out of business.

MrTeal

legendary

Activity: 1274

Merit: 1004

Quote from: kiba on July 23, 2012, 05:36:02 PM

Hi, you misunderstood me. I was talking about mtgox, not LastPass.

There would be no need to log in multiple times to MtGox. From what Genjix claimed, the thief hacked into their LastPass account, which had the new MtGox password stored within. It's the hacking into LastPass that would require guessing the password correctly within 5 attempts.

Quote from: genjix on July 13, 2012, 04:00:07 AM

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occured because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

LastPass contains all your passwords. The username was [email protected]. After the initial compromise, the sourcecode would have been tainted. But the password for LastPass was not changed.

Even if it was the original hacker, according to genjix the LastPass PW was not compromised. The password was the MtGox API key and that key was stored in the source that the Rackspace hacker would have had access to, but how likely is it that if you had 5 guesses you would choose an API key buried in the source vs attempting one of the other passwords that you did compromised to see if it was a duplicate of those?

kiba

legendary

Activity: 980

Merit: 1020

Quote from: zhoutong on July 23, 2012, 06:35:32 PM

Please, I haven't signed anything about Bitcoinica since the end of 2011.

The hacker is anonymous, so they're going to blame identifiable individuals, even if the evidence is sorely lacking.

Any time a hacking fiasco happens, it basically turns into a witchhunt, because people feel extremely powerless.

repentance

hero member

Activity: 868

Merit: 1000

Quote from: LoupGaroux on July 23, 2012, 06:24:35 PM

How about a public demand for any settled assets be pooled for a proportional payment to all claimants (except Maria!)? That's what a Court would order if this does actually go into any kind of receivership, especially since certain privileged friends were paid in full while others were being lied to.

A court would order the Official Assignee to take control of the assets of the business and liquidate them, period. The manner in which the liquidated assets must be distributed is laid down by law and unsecured creditors are actually at the bottom of that list.

Until otherwise established by a court ruling, Bitcoinica LP is the only entity responsible for returning user funds. Any legal action to make people liable at an individual level hasn't yet taken place, may be quite pointless to pursue and would not necessarily succeed.

zhoutong

vip

Activity: 490

Merit: 502

Quote from: LoupGaroux on July 23, 2012, 06:24:35 PM

Sorry boys, but quitting does not absolve you of your liability for this criminal act- each and every one of you, Zhou, Patrick, Tihan et al. remain jointly and severally liable for the debt which you took on, especially since you chose to take it on under an apparently fraudulent basis considering your filings with the New Zealand government.

Please, I haven't signed anything about Bitcoinica since the end of 2011.

I have never signed on any New Zealand document.

And I have never signed any document with the name "Patrick" in it.

I quit because the pre-requesite I set has been met - Bitcoinica pays back 50% of all available funds, which is true after the Mt. Gox account hack. I'm a claimant too. Bitcoinica owes me $350 in USD account balance, and about $780 in the bills. I even have to cancel two of my credit cards because I don't have the access to the accounts that keep charging me every month.

kiba

legendary

Activity: 980

Merit: 1020

Quote from: Bitcoin Oz on July 23, 2012, 06:33:46 PM

This still hasnt been reported to the cops Huh

?

MtGox filed a police report, but would not details what they know until investigation is over. Bitcoinica are probably talking to their lawyers about what they should do.

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

This still hasnt been reported to the cops Huh

?

kiba

legendary

Activity: 980

Merit: 1020

Quote from: LoupGaroux on July 23, 2012, 06:24:35 PM

Sorry boys, but quitting does not absolve you of your liability for this criminal act- each and every one of you, Zhou, Patrick, Tihan et al. remain jointly and severally liable for the debt which you took on, especially since you chose to take it on under an apparently fraudulent basis considering your filings with the New Zealand government. Saying you got voted off the island does not remove the stain of criminal actions, and I hope each one of you is apprehended, charged and tried for the massive fraud that you have committed.

That is your opinion. Care to back it up with facts?

Quote

Bitcoin has suffered immensely at the hands of your premeditated acts of criminal diversion of funds, and the on-going lies and misdirection that you have subjected this community to. I hope the victims are filing charges against you right now, and I look forward to hearing how your little investment group gets it's nuts torn off by the police in whatever jurisdiction you are hiding in.

Scumbags all.

Unless you have evidence that this a premeditated theft and knowledge there is on-going lies and misdirection by bitcoinica team members, it have no basis.

LoupGaroux

sr. member

Activity: 574

Merit: 250

How about a public demand for any settled assets be pooled for a proportional payment to all claimants (except Maria!)? That's what a Court would order if this does actually go into any kind of receivership, especially since certain privileged friends were paid in full while others were being lied to.

Sorry boys, but quitting does not absolve you of your liability for this criminal act- each and every one of you, Zhou, Patrick, Tihan et al. remain jointly and severally liable for the debt which you took on, especially since you chose to take it on under an apparently fraudulent basis considering your filings with the New Zealand government. Saying you got voted off the island does not remove the stain of criminal actions, and I hope each one of you is apprehended, charged and tried for the massive fraud that you have committed. Bitcoin has suffered immensely at the hands of your premeditated acts of criminal diversion of funds, and the on-going lies and misdirection that you have subjected this community to. I hope the victims are filing charges against you right now, and I look forward to hearing how your little investment group gets it's nuts torn off by the police in whatever jurisdiction you are hiding in.

Scumbags all.

kiba

legendary

Activity: 980

Merit: 1020

Quote from: disclaimer201 on July 23, 2012, 06:13:11 PM

You are right. It's too complicated. And that's why it has to be more in the direction of the second sentence above. I really can't believe all the hacker stories, sorry. Just doesn't get into my head.

A successful hack attempt is the simplest story and have the strongest evidence thus far. All the other hypothesis don't have much evidence and is more complicated to attempt.

disclaimer201

legendary

Activity: 1526

Merit: 1001

Quote from: kiba on July 23, 2012, 06:10:29 PM

Quote from: disclaimer201 on July 23, 2012, 06:00:13 PM

Or it would be a perfect way to make everyone believe one is innocent precisely because one showed good intention to pay back funds.

That's the "THAT WHAT THEY WANT YOU BELIEVE" indirection and so on that is a common feature in a conspiracy theory.

Always remember that the more complex a gambit is, the more likely they will get caught.

You are right. It's too complicated. And that's why it has to be more in the direction of the second sentence above. I really can't believe all the hacker stories, sorry. Just doesn't get into my head.

kiba

legendary

Activity: 980

Merit: 1020

Quote from: disclaimer201 on July 23, 2012, 06:00:13 PM

Or it would be a perfect way to make everyone believe one is innocent precisely because one showed good intention to pay back funds.

That's the "THAT WHAT THEY WANT YOU BELIEVE" indirection and so on that is a common feature in a conspiracy theory.

Always remember that the more complex a gambit is, the more likely they will get caught.

Clipse

hero member

Activity: 504

Merit: 502

Anyone still buying into any of the excuses/updates/bullshit presented should really look in the mirror since they are beyond a goof ball.

If none of the big bitcoinica account holders actually move forward to make these so called experts get what they deserve then Im affraid the bitcoin world is essentially cluttered with a bunch of kids who cant do the right thing when they need to.

What you see now is the stalling game coming to an end, whoever took the money within this group have now successfully cleared and run away.

disclaimer201

legendary

Activity: 1526

Merit: 1001

Quote from: kiba on July 23, 2012, 01:18:31 PM

Why go through the trouble of telling people about hacks and passwords and staying where you are when you can just quietly shut down and run far far away with the money from where you live? Why the complicated gambit of appearing legit and why risk jailtime for your robbery?

Let me tell ya, it isn't really an inside job. It's really just extreme incompetence. There's no conspiracy, because if there was, it was an extremely unbelievable conspiracy with a well executed unnecessary complicated gambit.

And it won't make you feel better knowing what I said.

Or it would be a perfect way to make everyone believe one is innocent precisely because one showed good intention to pay back funds. I'm not sure if they'd be so smart though. My personal theory is that someone in this circle might have screwed the others over and ran with the money, carefully cleared all tracks of evidence and is trying to get away with it.

bitcoinBull

legendary

Activity: 826

Merit: 1001

rippleFanatic

Quote from: genjix on July 18, 2012, 05:50:44 AM

Hi,

Sorry for the hiatus, but I had to take a break to preserve my mental sanity. Here's the update (also in the OP):

Quote

Update: here's the facts from my point of view:

- Patrick quit.
- Zhou quit.
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.
- Bitcoinica Consultancy were the new operators coming onboard, and the company was formed after the compromise to facilitate payments out.
- Bitcoinica LP is the owner.

The payments process is at a deadlock. Technically when a company is in debt, and cannot pay off its debtors in full, it hands the process to the government (called receivership). Bitcoinica LP would have to make a police report, and hand over the payments process as the owners.

That's it basically. Just a standstill.

Thanks for the update genjix. Even if you were responsible for leaking the source code (which would be irony of ironies), I'm extremely disappointed in Patrick. First for not ensuring that the LastPass master password was a secure one (if he didn't change it, he should've at least asked Tihan about it), among other measures like enabling two-factor auth on MtGox. But Patrick's behavior afterwards is even more despicable, quitting as though to disown any and all responsibility.

At least you, genjix, are still here giving updates, and thanks for that.

kiba

legendary

Activity: 980

Merit: 1020

Hi, you misunderstood me. I was talking about mtgox, not LastPass.

MrTeal

legendary

Activity: 1274

Merit: 1004

Quote from: kiba on July 23, 2012, 03:23:36 PM

Quote from: MrTeal on July 23, 2012, 01:42:28 PM

That's not the story that was presented.

You can check it for yourself. They really don't try to block you after 3 tries. It probably doesn't have anything to do with how the hacker guess it but it could help.

I created account and entered the password incorrectly 5 times. It locked my account and sent me this email.

Hi,

This is an advisory notice letting you know that your account has been temporarily locked because of repeated failed login attempts from xxx.xxx.xxx.xxx.

If you were attempting to login, you should wait 5 minutes and try again.
If you still are unable to regain access to your account, please try these steps.

If you did not attempt to log into LastPass, you have no reason to worry.
But if you are not using a strong master password, we suggest you change it now.

Thanks,
The LastPass Team

kiba

legendary

Activity: 980

Merit: 1020

Quote from: MrTeal on July 23, 2012, 01:42:28 PM

That's not the story that was presented.

You can check it for yourself. They really don't try to block you after 3 tries. It probably doesn't have anything to do with how the hacker guess it but it could help.

repentance

hero member

Activity: 868

Merit: 1000

Quote from: MrTeal on July 23, 2012, 01:34:16 PM

Granted I don't use lastpass so I'm taking other people's word for it here, but my understanding is that lastpass will only let you make 3 incorrect attempts to log in and download the password file before locking the account. It might seem obvious in retrospect, but how likely is it that some hacker stumbled upon the leaked source code and was able to glean from it that the API key would be the lastpass PW? Baring something else that we haven't been told about like a keylogger installed on someone's machine, I have a hard time believing that story.

Did anyone from Bitcoinica Consultancy contact LastPass to attempt to get the IP address of the person who logged into their account? Or will that be done around the same time as the police report getting filed?

From what Zhou posted, the Rackspace hacker would have gained the information needed to access the MtGox account. The source code leak may have confirmed to the Rackspace hacker that the password likely hadn't been changed, or they may have already been waiting for funds to be transferred into the MtGox account to make repayments and decided that it was worth seeing if the credentials they had still had access. It's far less likely that someone who randomly viewed the leaked source code just lucked in.

MrTeal

legendary

Activity: 1274

Merit: 1004

Quote from: kiba on July 23, 2012, 01:39:08 PM

Last time I check, MtGox doesn't prevent people from trying as many time as they want. It should be something they fix, but don't.

That's not the story that was presented.

Topic: Bitcoinica MtGox account compromised - page 8. (Read 156012 times)