Hackers Allege Mt. Gox Still Controls "Stolen" Bitcoins 228
The Verge reports that "Tokyo-based Bitcoin exchange Mt. Gox lost $400 million worth of bitcoins in February. Its management said the amount was stolen after hackers exploited a transaction bug to divert the funds, but some of Mt. Gox's users are not so sure, suggesting instead that the exchange's owners pocketed the cash. Now, facing silence from those owners about the fate of the money and the methods by which 6 percent of all of the Bitcoin in the world could have been stolen, a group of hackers claims it has broken into the bankrupted Bitcoin exchange's network to get answers. ... Forbes reports that the group gained access to the personal blog and Reddit account of Mark Karpeles, Mt. Gox's CEO. The hackers used the platforms to post a message that claimed Karpeles still had access to some of the bitcoins that he'd reported stolen. In support of the claim, they uploaded a series of files that included a spreadsheet of more than a million trades, Karpeles' home addresses, and a screenshot purportedly confirming the hackers' access to the data." (The Forbes article on which the Verge report is based.)
Anonymous cryptocurrency, who to trust? (Score:4, Interesting)
Re:Anonymous cryptocurrency, who to trust? (Score:5, Interesting)
the question is who can you possibly trust with something that can be so easily disappeared.
The answer is to never assign trust in a single point. That's the whole reason Bitcoin was designed for, and these thefts really show how backwards we are with regards to the technology we have.
Surprisingly few people actually know this, but Bitcoin addresses are actually little programs that calculate the required criteria to move money out of the "address". It's purposefully Turing incomplete. The simplest defense against malevolent or incompetent parties is to require multiple signatory entities. For instance, one could be the deposit institution itself, another party for dispute resolution (e.g. a lawyer), and finally the customer. You can require only two of three signatures to move the amount so that the customer can extract the money with the help of the arbiter even if the deposit institution disappears.
Other, more sophisticated solutions are also possible, and some of the businesses themselves can even become transparently automated. However, it seems like it won't be that easy to get there, even though the crucial technology is already available.
Re:Anonymous cryptocurrency, who to trust? (Score:2, Interesting)
Right, instead you should keep it in an offline wallet! Just like how it's smart to keep your life's savings in an actual, physical wallet!
Oh wait, no, that's fucking retarded.
This is (one of) the (many) problem(s) with bitcoin: no one can actually come up with a sane answer of how you are supposed to store it safely. Trust it to an exchange and you're basically no better off than trusting real money to a bank -- worse off, in fact, because the lack of regulations means that if the exchange takes your money and runs you're SOL, while if a bank takes your money and runs it will be reimbursed (up to a limit) courtesy of the FDIC. Keep it in an offline wallet and you can be sure that no banker can abscond with it, but now your life's savings are tied to a single, stealable object.
Bullshit. Try keeping your life savings as cash in your house and it will both be more obvious and take up more space, though even then a creative person could still make it difficult to find so a thief would have to know it was there in the first place or else they'd miss it.
With bitcoins you can hide them even more easily. TrueCrypt a tiny thumbdrive with an extra hidden partition to put the coins in then put other shit in the main partition that people would believe you would want to hide, even if it's fictitious data. Tape it to the inside of your TV or some other device. If you want, make a copy and put it into a safe deposit box. Or print out all of the coins and stick the papers at the bottom of a box of old tax documents or some other boring stuff in the back of your closet and don't keep any digital copies, whatever. There are many ways of doing this that are infinitely better and safer than trusting an exchange and are totally viable.
It happened before.. (Score:4, Interesting)
This happened a few years ago and is why I have nothing to do with Bitcoin - I lost quite a few coins, then decided it was too risky to be involved with until the exchange problem was figured out.
I am not sure why this is not more widely known, but there you go. I am not sure there is a solution to this problem.. without the involvement of traditional government.
Re:This is why we can't have nice tihngs... (Score:3, Interesting)
For all it's faults it's still more transparent then the Federal Reserve, the European Central Bank, the Peoples Bank of China or the Russian Goznak. "Because when the entire world is a credit-fueled ponzi scheme, these are the kind of numbers that matter". http://www.zerohedge.com/news/2013-12-11/matter-stunning-perspective-china-money-creation-blows-us-and-japan-out-water [zerohedge.com]
The article is full of errors (Score:5, Interesting)
The reporter probably doesn't understand what's going on at all.
1) the leaked data contains not only the mt.gox DB dump (which seems to be legit) but also the TibanneBackOffice.exe binary which is actualy malware which steals bitcoin wallets. So i wouldn't trust the hackers at all, they are scammers. See http://www.reddit.com/r/Bitcoi... [reddit.com] for more details.
2) The article/the hackers claim that the mt.gox database dump shows that mt.gox should be in control of over 900k bitcoins and that it is an evidence that mt.gox is lying. Well it is evidence that the article/hackers don't understand anything. From the start, mt.gox is saying that because of a transaction malevability bug, their ballances in DB and their balances on their actual accounts were ouf of sync. This is the reason they didn't notice sooner. Their DB was showing everything was ok but in reality, their money was silently siphoned out of their accounts.
3) Karpeles (mt.gox owner) is probably staing silent because his lawayers told him so. Nothing unusual here.
Sitting on a stack of traceable coins (Score:5, Interesting)
Re:Anonymous cryptocurrency, who to trust? (Score:4, Interesting)
From the article:
"To steal the coins of users who encrypt their private keys with passwords, many of the Bitcoin stealing programs also included keyloggers designed to eavesdrop on users’ typing. Even more tricky are malware types that wait for users to copy a Bitcoin address they want to send bitcoins to into their clipboard. When the user tries to paste the address, the malware replaces it with a different string, irreversibly sending the currency to the malware operator’s wallet. That last method never sends data to a remote server, so it can be much harder to detect, SecureWorks’ researchers say. In fact, they tested a range of antivirus scanners on their malware samples and found that roughly 50% went unnoticed."
Re:This is why we can't have nice tihngs... (Score:2, Interesting)
I think a more appropriate observation might be "Ponzi schemes, pyramid schemes, everywhere."
Re:Stills seems like it has to be an inside job (Score:3, Interesting)
Gee whiz, a scheme where the people at the top bring in lower-tier investors with big promises of wealth, only to pocket all the real money and run off at some point, leaving the lower level investors with nothing. Huh, where have I heard of such a scheme before?
Re:Stills seems like it has to be an inside job (Score:5, Interesting)
Wait, it's those damn programmers, huh?
Re:Stills seems like it has to be an inside job (Score:2, Interesting)
The developer of digitalcoin just lost $100k worth of various coins to a keylogger on his machine:
http://www.reddit.com/r/digita... [reddit.com]
Yes, you read that right, using a Windows box for his wallets.
And it gets better. His exchange cryptoave.com is built on Windows+PHP. Before you think that's trollish consider this. What's the cost of a zero-day exploit for either IIS or Server? A few thousand dollars?
Arbitraged against how many coins are on the exchange, wouldn't it make you think twice about using a proprietary base? Especially when the fixes for zero days could take months to reach patch Tuesday. What will you do in the meantime?
Again, not trying to be trollish, it's common sense. The crypto world is littered with these amateur "programmers" flinging stuff onto the web. But I guess it's just natural evolution in the wild west until the big boys show up.
Be careful out there...
Re:Stills seems like it has to be an inside job (Score:3, Interesting)
Presumably everybody here knows this, but "The Cuckoo's Egg" started with a $.75 accounting error.
http://en.wikipedia.org/wiki/T... [wikipedia.org]