Topic: Poll: Rollback, No Rollback? (Read 2861 times)

newbie
Activity: 1
Merit: 0
September 14, 2017, 09:08:34 AM
#34
energetic
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 21, 2011, 08:33:44 AM
#33
mtgox can do whatever they want, they own the exchange, they alone have the authority.

BUT:

People who like it can reward them by staying and continuing to pay a commission on trades to them, people who don't can punish them by leaving and taking their commissions to some place else.


Let the free market decide.

We are the market. And according to the survey, a huge majority is okay with the rollovers.
What I learned from practice is that democracy is beautiful in concept but totally stupid in practice.
If we set up a password policy by applying democracy, the password selected would be "123456"... which in fact is the #1 preferred password in MtGox.

What do I mean with it? We can't rely on the masses, they are stupid.
The market isn't efficient (I am talking about efficiency in the economic sense).
legendary
Activity: 1764
Merit: 1015
June 21, 2011, 08:21:35 AM
#32
mtgox can do whatever they want, they own the exchange, they alone have the authority.

BUT:

People who like it can reward them by staying and continuing to pay a commission on trades to them, people who don't can punish them by leaving and taking their commissions to some place else.


Let the free market decide.
That's the best argument I have heard. Everyone needs to "Just Let The Markets Decide". The problem is that people think that even if an exchanger goes under, all the coins that we have worked so hard to legitimize/produce are all of a sudden worthless, 'cause some clowns decided to go after mtgox? Are these people fucking crazy? Excuse my French...
legendary
Activity: 1078
Merit: 1003
June 21, 2011, 08:08:41 AM
#31
mtgox can do whatever they want, they own the exchange, they alone have the authority.

BUT:

People who like it can reward them by staying and continuing to pay a commission on trades to them, people who don't can punish them by leaving and taking their commissions to some place else.


Let the free market decide.
full member
Activity: 140
Merit: 100
June 21, 2011, 07:28:27 AM
#30
Aha. See? Silence from MagicalTux. That just proves that I'm right.
full member
Activity: 140
Merit: 100
June 21, 2011, 07:27:35 AM
#29
The true mark of conspiracy paranoia is when someone is given more evidence that their perspective is erroneous and, rather than reevaluate their thinking in light of this new information, they strengthen their belief in the conspiracy and attach a corollary that the conspiracy must be even more true because now the enemy is trying to present false evidence.

Oh man guys, and now they're sending people in to make fun of the loony conspiracy theorists. Will the lies ever stop? This shit just gets deeper and deeper!

Oh lord. I think Mt. Gox is reading my mind. I swear they were following me today and a crow went by my window and said "caw" but I think it actually said "gox". Was it a real crow or a malfunctioning spy drone? I DEMAND ANSWERS, MAGICALTUX. I'M ON TO YOU.

If you don't answer me about these crow drones that people potentially besides myself are posting about, then you are hiding something.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 21, 2011, 07:26:01 AM
#28
Granted, dictionary based, but still.

Ok, had missed that.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.

I still think it's a simpler explanation than the other suggested scenarios.

The first one is very unlikely too. Who in their right mind keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks? Could be on holiday too I guess, but again extremely unlikely.

I could easily see someone thinking that their coins are safer at an exchange than in the unencrypted wallet.dat on a Windows computer. And normally, they probably are.

And people do use weak passwords. I've seen managers in large companies use their dogs' names as passwords, literally putting millions of $ at risk.

I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.

To me this just somehow doesn't seem plausible. Just too many assumptions - the internal mechanism must exist; the hacker needs to gain access to it; the hacker needs to learn how to use it within a relatively short time frame; he'd need to have come up with the elaborate scheme of invisibly moving them in the first place, etc.

The explanation of someone just stumbling upon a large amount of BTC and going "ooh geewiz, I'm a gonna sell deez and I'll be rich!!$$!!$" or "lulz, sell, sell, sell!!! tango down!" is just so much simpler.


500,000 bitcoins stored online? In a buggy website?
I don't think so.
And after the pilferage, nothing says nothing?

I am not trying to deduce the real causes or what might have happened.
What I am trying to think is that whatever the plausible scenario is, it keeps showing that the official statement from mtgox makes no sense. They keep lying, and they don't want to take responsibility for what happened here.
member
Activity: 70
Merit: 10
June 21, 2011, 07:21:24 AM
#27
Granted, dictionary based, but still.

Ok, had missed that.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.

I still think it's a simpler explanation than the other suggested scenarios.

The first one is very unlikely too. Who in their right mind keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks? Could be on holiday too I guess, but again extremely unlikely.

I could easily see someone thinking that their coins are safer at an exchange than in the unencrypted wallet.dat on a Windows computer. And normally, they probably are.

And people do use weak passwords. I've seen managers in large companies use their dogs' names as passwords, literally putting millions of $ at risk.

I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.

To me this just somehow doesn't seem plausible. Just too many assumptions - the internal mechanism must exist; the hacker needs to gain access to it; the hacker needs to learn how to use it within a relatively short time frame; he'd need to have come up with the elaborate scheme of invisibly moving them in the first place, etc.

The explanation of someone just stumbling upon a large amount of BTC and going "ooh geewiz, I'm a gonna sell deez and I'll be rich!!$$!!$" or "lulz, sell, sell, sell!!! tango down!" is just so much simpler.
sr. member
Activity: 280
Merit: 250
Firstbits: 12pqwk
June 21, 2011, 07:09:39 AM
#26
Mark my words:

Mt.Gox will get rolled
proof: http://www.youtube.com/watch?v=dQw4w9WgXcQ
jr. member
Activity: 56
Merit: 1
June 21, 2011, 06:31:08 AM
#25
Someone in the other thread got 3000 passwords in an hour with a GPU.

It was 300 IIRC. There's a file in pastebin with some 600 passwords, cracked by people who specialize in cracking passwords. I wouldn't expect that number to grow much from there.

I quote:
"The salted crypt() hashes are more difficult to crack but so far I have found 2706 out of 59236 passwords of the database by just one hour GPU dictionary-based cracking."

Granted, dictionary based, but still.

How about these for the likeliest scenarios:
1. It is someone who wants to remain anonymous and is only communicating with MtGox. In my experience, rich people often like to keep low profile.
2. It was MtGox's own account where all the fees had been collected.
3. It was the account of an early adopter, who stopped following bitcoin before it was worth anything, and is completely unaware of what's happening.

I can't imagine not hearing about the recent tribulations, hype etc. if you were into this some time ago. Could be a hermit not accepting Nobel prizes or something, but extremely unlikely.
The first one is very unlikely too. Who in their right mind keeps that kind of balance online in general, apparently with a weak password, especially after the rumours of hacks? Could be on holiday too I guess, but again extremely unlikely.

The most likely of those three therefore would be 2. I still like my theory of moving around balances, it could be going on outside the blockchain if my hypothesis that balances are merely internal representations until withdrawing to external account is correct. Other than speculation I have no idea what APIs or internal mechanisms are usable for this, or what uncrossable hurdles prevent it.
legendary
Activity: 1764
Merit: 1015
June 21, 2011, 05:49:11 AM
#24
Dude! We're talking about 9 million bucks here. Surely these last months MtGox made some money, but it still isn't Microsoft or Google. Doubt they can cover the expenses.
I seriously believe that the only account being compromised is Mt.Gox's.

See the psychological side here:
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.
Anyone would be tweeting about it, shouting about it, ranting about it, talking to the press, talking shit about Mt.Gox, and blaming God, the Devil, the Archangels and cursing his own mother.

This is the critical factor I consider; since I am a psychology major, I am way more attentive to behavioral cues.
This silence from the account owner is totally abnormal.
Either this user doesn't exist or he is a Buddhist monk with the lowest neuroticism level in the history of mankind.

According to Mt.Gox 500,000 BTC were stolen from ONE account, and that not only is highly implausible, but seeing the calmness of that supposed owner I'd rather believe that that owner is non-existent.
The only one going bananas is Mt.Gox. Obviously you can claim Mt. Gox is simply protecting the credibility of his exchange site, but what is really interesting is that he insists on reverting back when actually there are other options.

Why would an exchange protect the interests of only ONE user? When accounts got hacked in the past, MtGox took some of the heavy lifting and partially reimbursed the hacked user, never reverted a whole history of transactions.
Also why is MtGox so adamant in defending this single affected user?

If that doesn't make sense then, we have three options left:
1) The REAL Account Owner: The hacked "single user" account is Mt.Gox's or belongs to someone closely related to Mt.Gox.
2) The PWNAGE Cover Up: The "single user account" is a cover story to hide the fact that actually the site got compromised much deeper than they are willing to admit. (Loss of credibility would be the death of Mt.Gox.)
If the auditor/attacker got access to the passwd file, he could have cracked hundreds of accounts in hours.
I am currently testing that idea out: I've been trying to crack the hashes for 3 hours and I neared 600 accounts cracked, all of them from salted hashes and weak passwords. A simple script could have siphoned all the bitcoins out when the attack wasn't yet detected (maybe salami sliced, that's why nobody really noticed any thievery).
The worst case scenario is that the attacker has been in control of the site for a long time and he actually didn't need to crack any password, he simply got them all in plaintext.
3) The STOOPID Cover Up: We can never leave out the most stupid causes, since stupid mistakes happen every time; maybe it was a typing mistake, a new employee, a girlfriend playing with the admin panel, etc...

These three possibilities make Mt.Gox's claims understandable; it would be humiliating and his credibility would be completely stained forever. He wouldn't be able to admit such stupid mistakes.

But one thing is definitive: The single hacked user account makes NO SENSE AT ALL.

(Spin-off in a new thread)
Lay off the weed bro.
member
Activity: 70
Merit: 10
June 21, 2011, 05:37:44 AM
#23
Someone in the other thread got 3000 passwords in an hour with a GPU.

It was 300 IIRC. There's a file in pastebin with some 600 passwords, cracked by people who specialize in cracking passwords. I wouldn't expect that number to grow much from there.

md5 of a weak password is trivial to break, with or without salt. Most of that is the user's own damn fault, some used the same password as account name, even the same password for their E-mail, how dumb can you be?

The Unix MD5 scheme isn't the same as "md5 with salt". Yes, trivial passwords are trivial, but the Unix MD5 scheme in its current form is considered secure. It's computationally quite a bit more expensive than a single round of MD5, which itself is fairly secure despite some known collision attacks, and with current technology, the predicted age of the universe isn't enough to crack a sufficiently long and complex non-dictionary password. Basically, you are looking at thousands of years of difficulty on average somewhere around 12 alphanumeric characters (uppercase+lowercase).

What is most likely to have happened is this: the BTC balance of several thousand accounts was transferred to one account. This can be scripted to either log in via https or whatever, or more likely to use the trading API (faster).

And this would have shown on the trade charts, so it is not likely. The hacker also presumably didn't have write access to the database.

How about these for the likeliest scenarios:
1. It is someone who wants to remain anonymous and is only communicating with MtGox. In my experience, rich people often like to keep low profile.
2. It was MtGox's own account where all the fees had been collected.
3. It was the account of an early adopter, who stopped following bitcoin before it was worth anything, and is completely unaware of what's happening.

The reason for rolling back would be to protect people who do automatic trading who don't have protection for something crazy like this. Your own damn fault too, but they could sue Mt. Gox for the breach.

The reason for rolling back is because the sale was the direct result of a lapse in MtGox's security practices. If the hacker had indeed just guessed a weak password, I doubt they would be rolling back.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 21, 2011, 04:07:03 AM
#22
Quote from: MtGox Communique
Huge Bitcoin sell off due to a compromised account - rollback
 
The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.

According to MtGox: No other accounts were compromised, so they weren't pooled either. Only one account got compromised.
I take it with a grain of salt, for my ears, it is all bullshit.
jr. member
Activity: 56
Merit: 1
June 21, 2011, 03:59:10 AM
#21
Mt. Gox doesn't want to admit that it was a hack. Their official statement is:
  • It was only ONE account hacked.
  • Their systems weren't compromised, they weren't hacked.
  • Their userbase was leaked, but it is not related to the market crash.

This may be down to misinterpretation and miscommunication. Or down to lack of knowledge. I'm speculating that BTC balances from multiple accounts can be pooled within Mt. Gox, but have no idea if this is true or not. If they have some kind of internal representation, it could be. If not, we should see a lot of pooling into an ever growing account in the blockchain. They might also have an administrative account that has a 'view' on all accounts' BTC pooled together for automatic backup purposes or similar. If this one was hacked, then their statement makes sense. If it was one big account by a third party after all, they could shaft this user and get away without major losses, after all if the password was reversed from a hash, it must have been weak. Then again, they are still responsible for securing their db, be it at an auditor or not.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 21, 2011, 12:17:39 AM
#20
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.

Erm, the db dump contains 60k users. It's not one account, it's thousands. Someone in the other thread got 3000 passwords in an hour with a GPU. md5 of a weak password is trivial to break, with or without salt. Most of that is the user's own damn fault, some used the same password as account name, even the same password for their E-mail, how dumb can you be?

What is most likely to have happened is this: the BTC balance of several thousand accounts was transferred to one account. This can be scripted to either log in via https or whatever, or more likely to use the trading API (faster).

From this single account (it doesn't matter which; it could have had 1 bitcent on it), the accumulated 400k BTC was sold as a single order at 0.01 USD/BTC, which absorbed all the outstanding buy orders and crashed the price down to 0.01.

After which the attacker possibly has 100k, 300k, whatever BTC left in this single account. He immediately transfers out 100k to his own Bitcoin address (100,000*0.01 USD=$1000). If he has time, he transfers the rest of the balance to another account so he can once again transfer out $1000 worth of BTC, and gets out another 100k. Or maybe it's just 80k if other automatic sell orders are placed in the meantime. Repeat a few times until it's either blocked or you have transferred out everything.

The big question now is how Mt. Gox handles the $1000/day limit and whether they immediately transfer out BTC or have some internal mechanism that delays things or possibly even tries to detect suspicious activity and halts them for operator approval for example. If they are smart and take $1000 over the average of the past 24 hours for example, then maybe $1000/(17.5/2)=114.29 BTC is lost (per account), which they can easily absorb. If they don't, and have no mechanism to filter/delay things (including massive amount of withdrawals close to $1000 from multiple accounts), then they are out of business and a bunch of people lost all their assets.

It was NOT one account with 400k BTC. Maybe a few big ones in there, but can't imagine anything that big. Your own damn fault too if you had say 50k BTC in there with a weak password.

The reason for rolling back would be to protect people who do automatic trading who don't have protection for something crazy like this. Your own damn fault too, but they could sue Mt. Gox for the breach.

On the other hand, the people who got their hands on massive amounts of BTC at 0.05 or whatever might sue for losing this golden opportunity. They would be assholes, but could win.

IMHO it's the proper and fair thing to roll back, not because Mt. Gox would protect their own asses, but because it just would be. I don't have any assets or affiliation with them BTW.

BTW, even if it was one account, he/she cannot know of this yet (and consequently not rave from the mountaintops about it), since Mt. Gox has only sent out a generic mail about the hack, and if people can log in already to look at their balance, it will show the post firesale balance, before the rollback, which either says they haven't been hacked (balance is there), or they have, and since Mt. Gox explicitly state no balances are lost, their balance will be returned. If this is not the case they have a problem, unless they can cover it up by not actually (fully) covering the BTC balance and hoping they can slowly gain it back through regular trading before someone withdraws a large enough balance, or before they can get a loan from someone to be fully covered again.

If the thief succeeded in large transfers, they should show up in blockexplorer. I haven't bothered to look yet myself.


Precisely, that is precisely the point. Read my post carefully.

Mt. Gox doesn't want to admit that it was a hack. Their official statement is:
  • It was only ONE account hacked.
  • Their systems weren't compromised, they weren't hacked.
  • Their userbase was leaked, but it is not related to the market crash.

Uhm... do you believe that shit? Because I don't.
They keep insisting that it was only one user who got hacked, had a weak password and had more than 500,000 BTC.
With this excuse they are trying to say: "It ain't our fault. Our systems are secure, you got nothing to worry about, come back to us."

With this thread my intention is to uncover that stupid lie.
It is definitely a cover up, something else happened but they don't want us to know it.
jr. member
Activity: 56
Merit: 1
June 20, 2011, 11:37:42 PM
#19
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.

Erm, the db dump contains 60k users. It's not one account, it's thousands. Someone in the other thread got 3000 passwords in an hour with a GPU. md5 of a weak password is trivial to break, with or without salt. Most of that is the user's own damn fault, some used the same password as account name, even the same password for their E-mail, how dumb can you be?

What is most likely to have happened is this: the BTC balance of several thousand accounts was transferred to one account. This can be scripted to either log in via https or whatever, or more likely to use the trading API (faster).

From this single account (it doesn't matter which; it could have had 1 bitcent on it), the accumulated 400k BTC was sold as a single order at 0.01 USD/BTC, which absorbed all the outstanding buy orders and crashed the price down to 0.01.

After which the attacker possibly has 100k, 300k, whatever BTC left in this single account. He immediately transfers out 100k to his own Bitcoin address (100,000*0.01 USD=$1000). If he has time, he transfers the rest of the balance to another account so he can once again transfer out $1000 worth of BTC, and gets out another 100k. Or maybe it's just 80k if other automatic sell orders are placed in the meantime. Repeat a few times until it's either blocked or you have transferred out everything.

The big question now is how Mt. Gox handles the $1000/day limit and whether they immediately transfer out BTC or have some internal mechanism that delays things or possibly even tries to detect suspicious activity and halts them for operator approval for example. If they are smart and take $1000 over the average of the past 24 hours for example, then maybe $1000/(17.5/2)=114.29 BTC is lost (per account), which they can easily absorb. If they don't, and have no mechanism to filter/delay things (including massive amount of withdrawals close to $1000 from multiple accounts), then they are out of business and a bunch of people lost all their assets.

It was NOT one account with 400k BTC. Maybe a few big ones in there, but can't imagine anything that big. Your own damn fault too if you had say 50k BTC in there with a weak password.

The reason for rolling back would be to protect people who do automatic trading who don't have protection for something crazy like this. Your own damn fault too, but they could sue Mt. Gox for the breach.

On the other hand, the people who got their hands on massive amounts of BTC at 0.05 or whatever might sue for losing this golden opportunity. They would be assholes, but could win.

IMHO it's the proper and fair thing to roll back, not because Mt. Gox would protect their own asses, but because it just would be. I don't have any assets or affiliation with them BTW.

BTW, even if it was one account, he/she cannot know of this yet (and consequently not rave from the mountaintops about it), since Mt. Gox has only sent out a generic mail about the hack, and if people can log in already to look at their balance, it will show the post firesale balance, before the rollback, which either says they haven't been hacked (balance is there), or they have, and since Mt. Gox explicitly state no balances are lost, their balance will be returned. If this is not the case they have a problem, unless they can cover it up by not actually (fully) covering the BTC balance and hoping they can slowly gain it back through regular trading before someone withdraws a large enough balance, or before they can get a loan from someone to be fully covered again.

If the thief succeeded in large transfers, they should show up in blockexplorer. I haven't bothered to look yet myself.
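The limit-handling question raised above (value the $1000/day cap at a trailing 24h average rather than the crashed spot price, and flag a run of near-limit withdrawals for operator approval) as a constructed Python example. This is added here and is not MtGox's code or API; the limit, account names, timestamps and price tape are all made up.

```python
"""Withdrawal-limit guard, a constructed example: value withdrawals at the
trailing 24h average price instead of a crashed spot price, cap each account
at a rolling daily USD limit, and hold bursts of near-limit withdrawals for
operator review. Limits, names and the price tape are made up."""
from collections import defaultdict, deque

DAY = 86_400
HOUR = 3_600


class WithdrawalGuard:
    def __init__(self, daily_limit_usd=1000.0, burst_count=5, burst_fraction=0.9):
        self.limit = daily_limit_usd
        self.burst_count = burst_count        # near-limit withdrawals per hour before holding
        self.burst_fraction = burst_fraction  # "near limit" means >= this share of the cap
        self.prices = deque()                 # (ts, usd_per_btc) trade prints
        self.history = defaultdict(deque)     # account -> (ts, usd_value) of approved withdrawals
        self.recent = deque()                 # (ts, usd_value) approved across all accounts
        self.ledger = defaultdict(float)      # account -> BTC balance

    def record_trade(self, ts, usd_per_btc):
        self.prices.append((ts, usd_per_btc))

    def reference_price(self, now):
        """Simple average of the prints in the last 24h; one fire-sale print cannot drag it to 0.01."""
        window = [p for t, p in self.prices if now - DAY <= t <= now]
        if not window:
            raise ValueError("no price data in window")
        return sum(window) / len(window)

    @staticmethod
    def _prune(dq, now, horizon):
        while dq and dq[0][0] < now - horizon:
            dq.popleft()

    def spent_usd(self, account, now):
        self._prune(self.history[account], now, DAY)
        return sum(usd for _, usd in self.history[account])

    def allowance_btc(self, account, now):
        """BTC the account may still withdraw today, valued at the reference price."""
        return max(0.0, self.limit - self.spent_usd(account, now)) / self.reference_price(now)

    def request(self, account, btc, now):
        """Decide one withdrawal: returns 'approved', 'rejected' or 'hold' plus a reason."""
        if btc > self.ledger[account]:
            return "rejected", "insufficient balance"
        usd = btc * self.reference_price(now)
        if usd > self.limit - self.spent_usd(account, now) + 1e-9:
            return "rejected", f"{usd:.2f} USD at reference price exceeds the daily limit"
        self._prune(self.recent, now, HOUR)
        near_limit = sum(1 for _, v in self.recent if v >= self.burst_fraction * self.limit)
        if usd >= self.burst_fraction * self.limit and near_limit + 1 >= self.burst_count:
            return "hold", f"{near_limit + 1} near-limit withdrawals in the last hour"
        self.ledger[account] -= btc
        self.history[account].append((now, usd))
        self.recent.append((now, usd))
        return "approved", f"{btc:.4f} BTC valued at {usd:.2f} USD"


def crash_tape():
    """Constructed tape: 17.5 USD/BTC twelve hours ago, then a 0.01 fire-sale print now."""
    g, now = WithdrawalGuard(), DAY
    g.record_trade(now - 12 * HOUR, 17.5)
    g.record_trade(now, 0.01)
    return g, now


def single_account_demo():
    """Spot pricing would let 100k BTC out for $1000; the averaged price allows about 114 BTC."""
    g, now = crash_tape()
    g.ledger["victim"] = 400_000.0
    spot_allowance = 1000.0 / g.prices[-1][1]
    ref_allowance = g.allowance_btc("victim", now)
    big = g.request("victim", 100_000.0, now)[0]            # rejected
    ok = g.request("victim", 0.99 * ref_allowance, now)[0]  # approved
    return spot_allowance, ref_allowance, big, ok


def many_accounts_demo():
    """Balances moved across five accounts, each pulling 95% of the cap: the fifth is held."""
    g, now = crash_tape()
    decisions = []
    for i in range(5):
        acct = f"user{i}"
        g.ledger[acct] = 1_000.0
        decisions.append(g.request(acct, 0.95 * g.allowance_btc(acct, now), now)[0])
    return decisions
```

With only the two constructed prints the average is 8.755 USD/BTC, which reproduces the ~114 BTC figure in the post; a real tape with a day of 17.5 prints would let even less out.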
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
June 20, 2011, 11:04:41 PM
#18
The people have spoken in favor of the roll back.

Personally, I don't blame Mt. Gox.

This was the first major hack. It won't be the last...

LMAO

Quote
girlfriend playing with the admin panel

WTV, it was a hacker or a pissed off girlfriend... Rollback and move along.

jr. member
Activity: 56
Merit: 1
June 20, 2011, 10:56:23 PM
#17
No way. I will not press unknown links on that forum, especially if that poll can be done right here.

Just a link. It's not 1996 anymore.

Actually, in 1996 it was just a link. Today, it's CSRF or autoinfection. Or worse, Rick Astley.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 20, 2011, 10:55:21 PM
#16
Dude! We're talking about 9 million bucks here. Surely these last months MtGox made some money, but it still isn't Microsoft or Google. Doubt they can cover the expenses.
I seriously believe that the only account being compromised is Mt.Gox's.

See the psychological side here:
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.
Anyone would be tweeting about it, shouting about it, ranting about it, talking to the press, talking shit about Mt.Gox, and blaming God, the Devil, the Archangels and cursing his own mother.

This is the critical factor I consider; since I am a psychology major, I am way more attentive to behavioral cues.
This silence from the account owner is totally abnormal.
Either this user doesn't exist or he is a Buddhist monk with the lowest neuroticism level in the history of mankind.

According to Mt.Gox 500,000 BTC were stolen from ONE account, and that not only is highly implausible, but seeing the calmness of that supposed owner I'd rather believe that that owner is non-existent.
The only one going bananas is Mt.Gox. Obviously you can claim Mt. Gox is simply protecting the credibility of his exchange site, but what is really interesting is that he insists on reverting back when actually there are other options.

Why would an exchange protect the interests of only ONE user? When accounts got hacked in the past, MtGox took some of the heavy lifting and partially reimbursed the hacked user, never reverted a whole history of transactions.
Also why is MtGox so adamant in defending this single affected user?

If that doesn't make sense then, we have three options left:
1) The REAL Account Owner: The hacked "single user" account is Mt.Gox's or belongs to someone closely related to Mt.Gox.
2) The PWNAGE Cover Up: The "single user account" is a cover story to hide the fact that actually the site got compromised much deeper than they are willing to admit. (Loss of credibility would be the death of Mt.Gox.)
If the auditor/attacker got access to the passwd file, he could have cracked hundreds of accounts in hours.
I am currently testing that idea out: I've been trying to crack the hashes for 3 hours and I neared 600 accounts cracked, all of them from salted hashes and weak passwords. A simple script could have siphoned all the bitcoins out when the attack wasn't yet detected (maybe salami sliced, that's why nobody really noticed any thievery).
The worst case scenario is that the attacker has been in control of the site for a long time and he actually didn't need to crack any password, he simply got them all in plaintext.
3) The STOOPID Cover Up: We can never leave out the most stupid causes, since stupid mistakes happen every time; maybe it was a typing mistake, a new employee, a girlfriend playing with the admin panel, etc...

These three possibilities make Mt.Gox's claims understandable; it would be humiliating and his credibility would be completely stained forever. He wouldn't be able to admit such stupid mistakes.

But one thing is definitive: The single hacked user account makes NO SENSE AT ALL.

(Spin-off in a new thread)
member
Activity: 84
Merit: 10
June 20, 2011, 10:37:45 PM
#15
I watched it all happen; the trades went back up to 12-15 after the sell off.