
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 29. (Read 224562 times)

sr. member
Activity: 325
Merit: 250
Our highest capital is the Confidence we build.
The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's

Check for errors. They're not displayed in red like they should be, so it's easy to miss them (like I did when I was filling the form for the first time).

Yes, check the decimal thing. You're only allowed to put 2 decimal places.
hero member
Activity: 607
Merit: 500
The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's

Check for errors. They're not displayed in red like they should be, so it's easy to miss them (like I did when I was filling the form for the first time).
newbie
Activity: 43
Merit: 0
Nothing in my mail from them. Checked spam box too.
No response here. No reply from [email protected] either. Imagine that ;)

hero member
Activity: 546
Merit: 500
Nothing in my mail from them. Checked spam box too.
hero member
Activity: 728
Merit: 500
The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's

If you put your email address check that. I got a message instantly with a link to confirm.
hero member
Activity: 546
Merit: 500
The claim page just goes back up to the top when I hit submit. How am I supposed to know if it submitted or not?  I didn't have a position so I put 0's
vip
Activity: 490
Merit: 502
Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.

~Bruno~


Almost 5000
newbie
Activity: 22
Merit: 0
Bitcoinica Consultancy, please check if it is a bug: Why the Deposit Method of "Last Deposit" cannot be "BITCOINICA-CODE"?
Now on the claims page, the "BITCOINICA-CODE" is available for "Last Withdrawal", but not available for "Last Deposit".
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
R-
full member
Activity: 238
Merit: 100
Pasta
Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.

~Bruno~


In the ballpark of 1336 users + Zhou.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Approximately, how many clients/users did/does Bitcoinica have? I'm guessing about a couple hundred.

~Bruno~
legendary
Activity: 826
Merit: 1001
rippleFanatic
the claims process should be finished tonight. It took long because we did not want to use a 3rd party service such as Wufoo for obvious security reasons.

Now that some claims have been filled out, when and how should we expect to get our funds back?!

The silence from you people is maddening.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.

But if the BTC price were to drop to say $0.50 or rise to say $50 before the Bitcoinica positions were closed and the accounts settled with the clients, then the real fun begins.

And people wonder why I called Bitcoinica a bucket shop.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.

But if the BTC price were to drop to say $0.50 or rise to say $50 before the Bitcoinica positions were closed and the accounts settled with the clients, then the real fun begins.
hero member
Activity: 607
Merit: 500
Thanks for the information. Bitcoinica uses a work level of 20 and forces at least 8 character passwords.

If you really did enforce at least 8 character passwords then it's safe to assume that the passwords* are safe.

*Unless somebody used a dictionary password.
legendary
Activity: 1274
Merit: 1004
What's considered a short, weak password?

See XKCD's take on password strength:  http://xkcd.com/936/



Yeah, I've seen it. :)

I should have worded it differently. I was specifically asking muyuu what he considered a short, weak password when he said it. My hunch was that as long as it was something non-obvious that even a short password (say 6 characters) would be relatively safe when we're talking about a timeframe of a week.
legendary
Activity: 1596
Merit: 1100
What's considered a short, weak password?

See XKCD's take on password strength:  http://xkcd.com/936/

legendary
Activity: 1274
Merit: 1004
Would the expected attack vector in that case be to use the known work size and then go through each user and their unique salt first using dictionary word, then working out from the minimum password size exhausting successively 4 character passwords, then 5, 6, etc?

Yeah that would be the common attack vector.

Generally speaking there are three ways to guess a password.
a) recompiled lists (often 5-8 million based on prior large scale breaches - people love re-using passwords even after breaches)
b) base word dictionary (also contains slang, names, famous people, brands, etc) with substitution
c) pure brute force.

The order of using the masks and lookup tables is kinda an art-form.  Some choices are obvious, some choices are more subjective.

There are only 857K 1-3 char passwords so try them first.  
Next try your "common password list".
A 4 char brute force usually makes the most sense (81 million).
Around 5 or 6 char brute force starts to not make much sense.  That assumes you are going against something solid like bcrypt.
So usually after 4 or 5 char brute force trying substitution/prefix/suffix makes more sense.

Start w/ 1 substitution against the dictionary and then increase the number of substitutions.  Beyond 2 or 3 you really aren't gaining anything over brute force.  Eventually the "largeness" of the attack space makes continuing futile.


So a sensible takeaway in this situation is that even if a password was used as the sole means of verifying an account, it would be very difficult for the attacker to use the stolen database to actually compromise any accounts for anyone whose password is even remotely secure within the week long timeframe we're talking about. Even going through a 8M entry recompiled list at 36,000 passwords a second would take 3.7 minutes per password, or 2.57 days per 1000 passwords. There might be someone whose password is "password" with 1000BTC sitting in their account, but really anyone stupid enough to do that probably wouldn't have 1000BTC to begin with.
vip
Activity: 490
Merit: 502
Thus, with a strong salt making anything but huge rainbow tables ineffective, while some users might have relatively weak passwords that could be solved in reasonable amounts of time, the attackers wouldn't know which they are and would have to attack the entire DB looking for them. How long would it take with a reasonable GPU farm (say 4 5970s) a 6 character case sensitive Latin alphabet password?

It depends on the work-level but let's assume a work level of 10. That means a single core of server can verify a password in ~ 3 ms or 300 p/s.  A 5970 would be ~30x as fast (optimistic) so you might be getting ~ 9kp/s or 36kp/s for 4x5970 rig.

If your password can't be found in a dictionary or easy password list to brute force all 6 char passwords would require
alphabet only (53 values) 53^6 /36000 / 60 /60 /24 = 7 days
alphanumeric (63 values)  63^6 / 36000 / 60 /60 /24 = 20 days
printable symbols on keyboard (95 values) 95^6 /36000 / 60 /60 /24 = 236 days

If the salt is random per account that means each account must be cracked separately.

Of course the attacker could use multiple GPUs so a good way to think of it is in time value.    A single 5970 can generate ~0.5 BTC per day.  So cracking a 10 BTC account is worth ~ 20 GPU days.  Cracking a 1000 BTC account is worth ~200 GPU days.

Adding 1 more character significantly increases the time value cost.  A 7 char (all printable keys) password is ~ 90,000 GPU days (5970s).  The time value is worth 45,000 BTC meaning if someone had sufficient GPU they could make 45,000 BTC simply mining instead of hacking your account.  Given the attacker has no idea if he will ever crack it (maybe your password is a purely random 14 character string "pOQs9jb!su3gp@") it doesn't really make sense to even try.

6 is likely "good enough" if your password is complex but 7 or 8 makes it so expensive the thief isn't going to even try.  In the time it takes to brute force a single 8 char password he could brute force 86,000 other accounts trying all passwords length 1 to 5.


Thanks for the information. Bitcoinica uses a work level of 20 and forces at least 8 character passwords.
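The two quoted analyses above (the attack ordering and the "days to exhaust" figures) are all the same arithmetic: keyspace size divided by guess rate, with the guess rate set by the bcrypt work level and the cost multiplied by the number of accounts when salts are random. The script below is an added worked example, not code from this thread or from Bitcoinica; it reproduces the posters' numbers and then goes one step further by scaling the guess rate to the work level of 20 that Bitcoinica states it uses. The rates and prices it uses (36,000 guesses/s for four 5970s at work level 10, 9,000 guesses/s per card, 0.5 BTC per card-day) are the poster's figures taken as constructed parameters, and it assumes "work level" means the bcrypt cost parameter, whose key setup runs 2**cost rounds.

```python
"""Brute-force cost arithmetic for a bcrypt-hashed password database.

Added worked example; not code from the thread or from Bitcoinica. All rates
and BTC prices are the poster's figures, used as constructed parameters.
"""

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates of every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def guess_rate_at_cost(base_rate: float, base_cost: int, cost: int) -> float:
    """Scale a measured guess rate to another bcrypt cost.

    Assumption: "work level" is the bcrypt cost parameter. bcrypt's expensive
    key setup runs 2**cost rounds, so each +1 halves attacker throughput
    (and doubles the legitimate login's hashing time).
    """
    return base_rate / 2.0 ** (cost - base_cost)


def days_to_exhaust(candidates: int, rate_per_sec: float) -> float:
    """Wall-clock days to try every candidate at a fixed guess rate."""
    return candidates / rate_per_sec / SECONDS_PER_DAY


def wordlist_days(list_size: int, accounts: int, rate_per_sec: float) -> float:
    """Days to run one wordlist against N accounts.

    With a random per-account salt nothing is shared between accounts, so the
    work is list_size * accounts guesses; no precomputed table helps.
    """
    return days_to_exhaust(list_size * accounts, rate_per_sec)


def gpu_days(candidates: int, rate_per_gpu_sec: float) -> float:
    """Cost in single-GPU days; parallel cards change the calendar, not the cost."""
    return days_to_exhaust(candidates, rate_per_gpu_sec)


def mining_opportunity_btc(gpu_day_cost: float, btc_per_gpu_day: float = 0.5) -> float:
    """BTC the same hardware would have mined instead (the poster's time-value argument)."""
    return gpu_day_cost * btc_per_gpu_day


if __name__ == "__main__":
    RIG_RATE = 36_000   # four 5970s against bcrypt work level 10, per the thread
    CARD_RATE = 9_000   # one 5970 at work level 10, per the thread
    for label, alphabet in (("letters", 53), ("alphanumeric", 63), ("printable", 95)):
        days = days_to_exhaust(keyspace(alphabet, 6, 6), RIG_RATE)
        print(f"6-char {label:12s} ({alphabet:2d} symbols): {days:7.1f} days")
    print(f"8M-entry list x 1000 accounts: {wordlist_days(8_000_000, 1000, RIG_RATE):.2f} days")
    cost7 = gpu_days(keyspace(95, 7, 7), CARD_RATE)
    print(f"7-char printable: {cost7:,.0f} GPU-days ~ {mining_opportunity_btc(cost7):,.0f} BTC of mining")
    # Bitcoinica's stated work level 20 is 2**10 times slower than the level-10 baseline.
    slow = guess_rate_at_cost(RIG_RATE, 10, 20)
    print(f"Same rig at work level 20: {slow:.1f} guesses/s; 6-char printable takes "
          f"{days_to_exhaust(keyspace(95, 6, 6), slow):,.0f} days")
```

Running it prints the 7 / 20 / 236 day figures and the 2.57-day wordlist figure from the quotes, then shows that at work level 20 the same rig drops to about 35 guesses per second, which is why the poster's "8 characters is good enough" conclusion holds with a wide margin: the per-account salt forces a separate search per account, and each +1 on the cost parameter doubles that search.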
legendary
Activity: 2198
Merit: 1311
I'll be sure to let you guys know when I get the $300,000 or so I had in long positions before I use it to buy on MtGox.