Topic: [Full Disclosure] More likely MtGox Post-Mortem (Read 22225 times)

newbie
Activity: 67
Merit: 0
Hello vindication, how are you today sir?:

http://forum.bitcoin.org/index.php?topic=24727.0
newbie
Activity: 67
Merit: 0
Oh hey look, he admits the possibility finally. Tonight on #mtgox. (times CST/CDT)

Quote
[18:17:18] dehuman: we have two vectors possible, and I believe they are linked at some point. One is the sqli that were disclosed after we took the site offline, and the second one was the auditor, which may have been exposed by what people found via the sqli (or not, I don't know yet at this point)
staff
Activity: 4242
Merit: 8672
Fork, they were using floats for some calculations:

Not news: http://forum.bitcoin.org/index.php?topic=11551

On this subject, I've seen people hating on bitcoin7 for using "float" on IRC a bunch— but it turns out that they are using decimal float, which is perfectly fine and reasonable for this. Only the use of binary float leads to perplexing results with bitcoin values.

newbie
Activity: 56
Merit: 0
I love to say I told you so:

http://pastebin.com/e8NHXuSe
http://pastebin.com/HGssM2L7

Nice how he took 24 hours to notify his users.

Fork, they were using floats for some calculations:

21:03 < eleorea> a couple days prior to the crash i noticed my BTC balance kept fluctuation up and down .01 of a bitcoin..anyone else notice similar
21:03 < MagicalTux> eleorea: rounding bug
21:03 < go1dfish> eleorea: some had mentioned that Mt Gox used floating point internally for some calculations
21:03 < go1dfish> is that true? and has that been fixed?
21:03 < eleorea> ahh thx
21:04 < MagicalTux> go1dfish: the new system use 100% integers
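The three representations the two posts above argue about (binary float, decimal float, integer satoshis), side by side on one ledger, as an added example that is not code from the thread, MtGox or bitcoin7; the ledger is constructed and the string-to-satoshi parser is my own.

```python
from decimal import Decimal

SATOSHI = 100_000_000  # 1 BTC = 10^8 satoshi, Bitcoin's indivisible unit

# Constructed ledger, not real exchange data: 1000 credits of 0.01 BTC and
# one debit of 10 BTC. The true balance afterwards is exactly zero.
LEDGER = [("credit", "0.01")] * 1000 + [("debit", "10")]

def to_satoshi(text):
    """Parse a decimal BTC string into integer satoshis without using a float.
    Amounts finer than 8 decimal places are rejected rather than rounded."""
    sign = -1 if text.startswith("-") else 1
    whole, _, frac = text.lstrip("+-").partition(".")
    if len(frac) > 8:
        raise ValueError(f"{text}: more than 8 decimal places")
    return sign * (int(whole or "0") * SATOSHI + int(frac.ljust(8, "0")))

def from_satoshi(sats):
    """Render satoshis as a BTC string with exactly 8 decimals."""
    sign = "-" if sats < 0 else ""
    whole, frac = divmod(abs(sats), SATOSHI)
    return f"{sign}{whole}.{frac:08d}"

def balance_float(ledger):
    """Binary float: 0.01 has no exact base-2 form, so the errors accumulate."""
    bal = 0.0
    for kind, amt in ledger:
        bal += float(amt) if kind == "credit" else -float(amt)
    return bal

def balance_decimal(ledger):
    """Decimal float (what bitcoin7 is said to use above): exact for BTC inputs."""
    bal = Decimal("0")
    for kind, amt in ledger:
        bal += Decimal(amt) if kind == "credit" else -Decimal(amt)
    return bal

def balance_satoshi(ledger):
    """Integer satoshis (the '100% integers' MagicalTux describes): exact."""
    bal = 0
    for kind, amt in ledger:
        sats = to_satoshi(amt)
        bal += sats if kind == "credit" else -sats
    return bal
```

Running the three balance functions on LEDGER gives a small non-zero residue for the float version and exactly zero for the other two; the residue is the kind of drift eleorea describes once it is displayed at 8 decimals.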
newbie
Activity: 67
Merit: 0
I love to say I told you so:

http://pastebin.com/e8NHXuSe
http://pastebin.com/HGssM2L7

Nice how he took 24 hours to notify his users.
sr. member
Activity: 294
Merit: 250
let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

hahaha god damn you are one argumentative mother fucker!

Look at the bright side.
this is why I don't drink alcohol.

It's certainly not your job to tell them how to run their business.
I can understand you are devoted to them, but there is a limit to telling other people what they can and can't do. It's why we are here, to get away from those fools.
Nice comeback bro.
newbie
Activity: 67
Merit: 0
This made me LOL so I figured this is the place to share:

http://www.quickmeme.com/meme/4565/
ius
newbie
Activity: 56
Merit: 0
While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of SMS messaging for authentication on their bottom line.

Last time I checked the problem was on their end, not on their users'. Although adding a second factor is undeniably a good thing, it's not going to do much for security on their end.

In addition to that, I suspect a large number of bitcoin/mtgox users own a smartphone. There's a HOTP implementation for pretty much all platforms - completely free..
member
Activity: 84
Merit: 10
when it comes to money and corporations, loyalty is the biggest mistake.
member
Activity: 84
Merit: 10
let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.

hahaha god damn you are one argumentative mother fucker!

Look at the bright side.
this is why I don't drink alcohol.

It's certainly not your job to tell them how to run their business.
I can understand you are devoted to them, but there is a limit to telling other people what they can and can't do. It's why we are here, to get away from those fools.
member
Activity: 126
Merit: 10
Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of SMS messaging for authentication on their bottom line.
newbie
Activity: 67
Merit: 0
let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

You do this right now. Your banks' infrastructure uses open and free encryption algorithms (and in most cases, implementations) and must do so in order to comply with regulation. So does your doctor (if you're in the US, at least). At no extra cost to you.

Additionally, mtgox is not and never has been a free service. They take a fairly large percentage on every transaction.

Nice straw man though.

Paying a recurring fee (purchasing tokens would be understandable, though as mentioned rsa can't really be trusted at this point) for two factor authentication and using a proprietary un-vetted password hashing mechanism means this service should not be trusted by anyone.

How about instead of using SMS as the second factor you use something that costs little-to-nothing, like, I don't know, an rsa private key signature? Or even better, why not an ecdsa signature from a bitcoin-related private key? I guess that just makes too much sense.
member
Activity: 84
Merit: 10
however, it cuts down a little on people having more than 50 accounts each. Wink

No they will just not be as secure as "paying" members.

let me ask you this, would you really trust another entity holding thousands if not millions of your stake in something being completely free?

What many others and I learned from this is using an exchange as an Ewallet was not the end all secure practice like a Lot of us had thought and hoped it was. The 2 step verification will theoretically bring using mtgox to be a relatively secure Ewallet. As it will also bring other exchanges into the main arena for doing so.

Whether or not trusting the exchanges enough to do so is entirely up to its userbase, just like it was before all this happened. People trusting an entity they have never physically met with thousands of units in anything is something to say about the people doing so, but that obviously can be said about every business involving large quantities of anything.

What I'm trying to say is that remembering the word secure is only a relative term is a good thing.
full member
Activity: 140
Merit: 101
I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

I suppose that's fair. Thx.

There's a few other threads addressing this... especially http://forum.bitcoin.org/index.php?topic=21405.0;all

Short version: MtGox has upgraded security across the board. 2-factor authentication will be available for those who desire even more security. This service costs money to operate, and so cannot reasonably be offered free of charge except as a perk.
member
Activity: 70
Merit: 10
I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

There's a few other threads addressing this... especially http://forum.bitcoin.org/index.php?topic=21405.0;all

Short version: MtGox has upgraded security across the board. 2-factor authentication will be available for those who desire even more security. This service costs money to operate, and so cannot reasonably be offered free of charge except as a perk.
full member
Activity: 140
Merit: 101
however, it cuts down a little on people having more than 50 accounts each. Wink

No they will just not be as secure as "paying" members.
member
Activity: 84
Merit: 10
however, it cuts down a little on people having more than 50 accounts each. Wink
full member
Activity: 140
Merit: 101
I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.

Right. They need to think that one through a little better.
newbie
Activity: 67
Merit: 0
I'm glad he did this and has proven he is still in possession of the coins.

Well, he killed any good faith that created with his latest update on the redirect page:

Quote
Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

Let me get this straight.

Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.

Seriously... WTF.
newbie
Activity: 67
Merit: 0
More full disclosure! More fun!
...

More fun for many happy people!
History will record that MTux from MGox has done a "prove it" transfer of over 424,242BTC, so the original thread title ...More likely MtGox Post-Mortem, will most likely prove to be highly inaccurate.
http://blockexplorer.com/address/1eHhgW6vquBYhwMPhQ668HPjxTtpvZGPC

Great news for Bitcoin and the community.   Smiley

I'm glad he did this and has proven he is still in possession of the coins.

I'm disappointed it took 5 days of people asking for it for him to follow through.

That is indeed good news but has no bearing on this thread. All that proves is that the attacker in fact did not take off with the wallet. Which was never an even implication of this thread.