Topic: Open Letter to Mybitcoin - Could you please tell me you're not THIEVES? (Read 5349 times)

hero member
Activity: 868
Merit: 1008
It seems only a few of the more clueless people are having issues, which isn't surprising.

I've had no issues at mybitcoin before or after the mtgox hack, so these claims about "mybitcoin changed my password" etc. seem highly unlikely.

Definitely makes a lot of sense for them to steal your 3BTC but other users, including myself, have >1K in there.

Clipse, are you certain that's a wise thing to do?  I would never use an account based service to hold large amounts of bitcoin savings.  For savings, I would suggest that you need to have control over the ability to spend those bitcoins.  Otherwise, you don't have any bitcoin savings, what you actually have is a contract with a company to deliver you bitcoins on demand.  A small amount of spending money isn't bad, but >1000 BTC?  Seems nuts to me.

I believe people (Stefan Thomas, justmoon) are working on a hosted wallet solution that would enable you to retain control of your coins while at the same time providing encrypted backup.  Until then, I think the best option for savings is the regular client and great care over the handling, encryption and backup of wallet.dat.
newbie
Activity: 56
Merit: 0
Check this board out. Many guys lost their btcs on mybitcoin.

in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.

Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.

Noob


And with those accounts you have recourse if someone gets unauthorized access and does that. With bitcoin you don't. So stop making all these asshole comparisons of bitcoin to all other established and secure means of financial security.
sr. member
Activity: 462
Merit: 250
For some reason Clipse is trolling around these mybitcoin threads criticizing people who've been victimized. Not sure why.  Clipse, why do you even care about these threads?  Why do you feel the need to insult people who come forward?  What do you have to gain?
hero member
Activity: 504
Merit: 502
It seems only a few of the more clueless people are having issues, which isn't surprising.

I've had no issues at mybitcoin before or after the mtgox hack, so these claims about "mybitcoin changed my password" etc. seem highly unlikely.

Definitely makes a lot of sense for them to steal your 3BTC but other users, including myself, have >1K in there.
sr. member
Activity: 462
Merit: 250
I just left negative feedback there. I'm not sure what that site is all about, though. But I'm pissed at mybitcoin! Bruce Wagner will be talking about the mybitcoin problem on his program sometime this week, too, or so he says.
newbie
Activity: 29
Merit: 0
Just left negative feedback here. Strongly urge others to do the same.
http://www.bitcoinfeedback.com/viewuser.php?id=195
legendary
Activity: 1022
Merit: 1001
I have had no issues with them whatsoever.  Granted I have only moved about 10 BTC through them.
full member
Activity: 140
Merit: 100
I have had no issues with them whatsoever.  Granted I have only moved about 10 BTC through them.
newbie
Activity: 29
Merit: 0
I have finally heard from support at Mybitcoin.com. As I suspected, I had not received mail because I had not filled in an email address. This is fair enough, but I don't remember this being presented as an option when I signed up.

I will hold my opinions until I see how this matter is resolved. I'll keep you posted.
newbie
Activity: 29
Merit: 0
Alright. Well, thanks for the updates. I've tried the new account approach, so I'll see how that goes.

The response from support is pretty much in line with what I expected to hear from them. It would have been a lot more helpful if they had said that publicly.
sr. member
Activity: 397
Merit: 350
I got this incident report about the mybitcoin accounts.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            From the desk of Tom Williams, operator of MyBitcoin.com

                          For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin
forum and other places about the recent Mtgox password leak, and theft
from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best
as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was
leaked. As soon as we heard about the leak we were closely monitoring
the system for abnormal activity, and we didn't see any.

At first glance, we didn't see any hard evidence that a password leak
had even occurred. There was just a lot of speculation to an SQL
injection vulnerability in Mtgox's site. A few clients of ours had
informed us of the forum threads, and we watched them carefully.

The following morning a client of ours sent us the download link to the
leaked Mtgox password file. We promptly downloaded the file, put up a
warning on the main page, and disabled the login.

We attempted to line up usernames from the leak, and we found a lot of
matching ones. We started locking down all of those accounts using a
script that we had to have written at a moment's notice. It was during
this time that we noticed a flurry of spends happening. Yes, even with
the site disabled.

The attacker had active sessions open to the site. We quickly flushed
them and the spends stopped abruptly. We disabled the SCI, all payment
forwarding, and all receipt URL traffic on all of the usernames in the
Mtgox leak.

We proceeded to change the password on every account where the username
matched our system's database. PGP-signed emails went out to all of the
accounts that we changed the password on. If an account didn't have an
email address or had already been compromised we put up a bulletin.
(Email addresses were mandatory when we opened our service initially,
but people complained that it wasn't truly anonymous so we made them
optional. Unfortunately this makes contacting a security-compromised
customer impossible.)

An investigation was conducted at that time, and we determined that the
attacker had opened up a session to each active user/password pair ahead
of time, solved the captcha, and used some sort of bot to maintain a
connection so our system wouldn't timeout on the session. It was likely
his intent to gain access to more accounts than he did, but as soon as
he noticed that we had changed the main page of the site he sprung into
action by sending a flurry of spends.

(Before you ask: no, we don't limit logins per IP address. We can't. We
have a lot of users that come in from Tor and I2P that all appear to
share the same source IP address.)

We've concluded that around 1% of the users on the leaked Mtgox password
file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a
horrible experience for the Bitcoin community in general.

The IP address that the attacker used was a Tor exit node and the spends
were to an address that is outside of our system.

Now to address the rumors:

No, our database wasn't compromised. We had a 3rd party company audit
our site for SQL injection attacks and we passed. (We did, however, have
one XSS hole in the address book page last month that would allow an
attacker to insert fake entries into a customer's address book. It was
promptly fixed and offending address book entries were purged. Not a
single customer had spent to the fake address book entries.) Every line
of code was audited last month. Literally line by line audited by
professionals, and it was deemed safe.

No, this site isn't being run by some amateur that just learned how to
program computers. It was created by seasoned programmers that
understand security.

Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

We also use whole-disk level encryption on every single one of our
servers. When you fail a disk in a NOC and a level 1 technician replaces
it does he wipe the disk before the RMA/tossing it in the garbage? Not
usually! We know these mistakes happen, so we take precautions. Any and
all servers with an IP KVM on them are run in secure console mode. The
root passwords are required even for single user mode. All disk keys are
held off-site and were never generated anywhere near the internet. All
server passwords are unique per server and per user, of course. Only two
technicians have access to the secure servers. This access is over a VPN
and we only use secured workstations running Linux and BSD to access
them.

We use BSD servers with MAC, immutable flags, jails, PAX, SSP,
randomized mmap, secure level, a WAF, a DDoS mitigation and alert system
-- the works. Like I said earlier, we are not amateurs. In fact,
combined we have over 30 years of experience in the payment
processing (credit card arena) industry.

A large amount of the Bitcoin holding is in cold (offline) storage. We
only have a percentage of the holding available hot. This is done for
obvious reasons.

Going forward we are implementing a 2-factor login system,
user-configurable spend limits, better session token tumbling, and a
bunch of new SCI features.

Wishing the Bitcoin community all the best and a swift recovery, and
sincerely yours,


Tom Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

-----END PGP SIGNATURE-----
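The lockdown the letter describes (matching usernames against the leaked file, locking those accounts, disabling their SCI and forwarding, and flushing the sessions that kept spends flowing even after login was disabled), written up as an added example that is not MyBitcoin's code; the account table, session tokens and leak lines below are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    locked: bool = False
    sessions: set = field(default_factory=set)  # live session tokens
    sci_enabled: bool = True                    # SCI / payment forwarding

# Constructed user table (fictional usernames and session tokens).
ACCOUNTS = {
    "alice": Account("alice", sessions={"s1"}),
    "bob": Account("bob", sessions={"s2", "s3"}),
    "carol": Account("carol", sessions={"s4"}),
}

# Constructed fragment of a leaked "username:hash" dump, with noise.
LEAK = """alice:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Bob:d8578edf8458ce06fbc5bb76a58c5ca4
mallory:abc123
"""

def usernames_from_leak(dump: str) -> set:
    """Extract usernames from the dump, lower-cased for case-insensitive matching."""
    names = set()
    for line in dump.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        names.add(line.split(":", 1)[0].lower())
    return names

def lock_down(accounts: dict, leaked: set) -> dict:
    """Lock leaked accounts, revoke their live sessions, stop automated spends; return a summary."""
    report = {"locked": [], "sessions_revoked": 0}
    for name, acct in accounts.items():
        if name.lower() not in leaked:
            continue
        acct.locked = True
        report["sessions_revoked"] += len(acct.sessions)
        acct.sessions.clear()       # disabling login alone leaves these usable
        acct.sci_enabled = False    # stop forwarding / receipt-URL traffic
        report["locked"].append(name)
    report["locked"].sort()
    return report

def can_spend(acct: Account, token: str) -> bool:
    """A spend needs a live session token on an unlocked account."""
    return not acct.locked and token in acct.sessions
```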
newbie
Activity: 8
Merit: 0
I had a similar issue, my password seemed to have changed and I couldn't log in. No email from MyBitcoin. What I had to do was register a second account and use the support system to get in touch with someone. They insisted that my password hadn't been changed by them, which did freak me out a little. However, they did reset my password and my (tiny amount of) bitcoins were all intact.

Hope that helps.
newbie
Activity: 29
Merit: 0
Just bumping this up again. I found an email address that might work on Whois, and tried that.

The last few email guesses I've tried have been doing a 'slow bounce' - I'm getting 'temporary failure : message time out' from the mailer daemon.

Has anyone had more success than me in getting their accounts back?
newbie
Activity: 29
Merit: 0
I appreciate what you're saying Chick, and I don't think anyone here wants to go back to hoarding mountains of cured meat and trading only for goats whose teeth you can look at.

Or for that matter, cash in a mattress.

But I honestly don't know the answer to whether BTCs should be stored on your own box or online. Both methods have taken a real beating lately. The Mt.Gox troubles and the bitcoin trojan are flip sides of the same security coin.

PayPal and your bank have both billions to throw at security, and deposit insurance.

So it's all Buyer Beware right now, and I took AngstHase's comments in that light. He's just picked a side of the 'reasonable paranoia' debate you don't agree with.

That being said, thanks for standing up for nuanced reasoning.
member
Activity: 70
Merit: 10
Check this board out. Many guys lost their btcs on mybitcoin.

in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.

Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.

Noob

Chick, It's great that you can trust PayPal and your bank like that. Who can we trust with BTC?

I'd love it if a service like Mybitcoin could be trusted like that. I'm 'calling them out' right now because they are not showing signs of being worthy of trust. I wish it were otherwise.

To be clear, I'd really like there to be a reasonable explanation and resolution to my and others' complaints. I still hold out hope that that is the case. But I want to hear from them.

Trust is one thing, but someone telling us to totally refrain from storing money online is just plain stupid.
newbie
Activity: 29
Merit: 0
Check this board out. Many guys lost their btcs on mybitcoin.

in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.

Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.

Noob

Chick, It's great that you can trust PayPal and your bank like that. Who can we trust with BTC?

I'd love it if a service like Mybitcoin could be trusted like that. I'm 'calling them out' right now because they are not showing signs of being worthy of trust. I wish it were otherwise.

To be clear, I'd really like there to be a reasonable explanation and resolution to my and others' complaints. I still hold out hope that that is the case. But I want to hear from them.
member
Activity: 70
Merit: 10
Check this board out. Many guys lost their btcs on mybitcoin.

in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.

Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.

Noob
member
Activity: 103
Merit: 10
LittleGnome - sorry to hear that. We are attempting to create a service to help "cover" people's bitcoins that are lost, so we can stop having people losing all these coins.

I know the service will be controversial (and touchy) in some respects, but hopefully at some point someone has to step in and do this and work with the community. The response has been good so far, with a lot of people signing up to receive email when it comes out (check sig.), but I just wanted to let you know there is some hope down the line, and wishing you the best of luck!
newbie
Activity: 29
Merit: 0
Check this board out. Many guys lost their btcs on mybitcoin.

in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.

Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I realize that now, and will be more careful in the future, AngstHase. While I'm not doing so well financially that ~50 bux lost doesn't sting, I realize also that my potential loss is comparatively small potatoes.

But given that there's more than just me affected, I'd like some kind of an explanation.