
Bitcoinica MtGox account compromised - muyuu
https://bitcointalk.org/index.php?topic=93074
======
biff
This is starting to prove -- the hard way -- why regulations, certifications,
and all that other stuff that feels like meaningless overhead the majority of
the time has become a grudgingly accepted part of our lives.

It comes back to the most difficult problem: you inevitably need to trust
someone, so how do you minimize your risk in that trust? I always thought the
Bitcoin trust issues would revolve around the inability to trust that a
service would be delivered once the provider is paid -- something that could
theoretically be worked out with their reputation over the long run in a free
market.

But it's unsettling to see that breaches like this don't evidently leave the
impression with the Bitcoin community that a believer in the free market might
hope they would, that providers in this market might not be driven to produce
quality and reliability because somehow there isn't the demand for it.

~~~
sneak
As the big banks in the USA have proven, government regulation is definitively
not the answer to the question "How can you know whom to trust?"

Seriously. Knock that shit off. It's a red herring.

You can't abstract away the personal process of choosing trust anchors and
metrics, no matter how hard you try.

Changing your trust anchor to "the government" just means you end up getting
fucked on a larger scale, over a larger timeline.

~~~
raganwald
_As the big banks in the USA have proven, government regulation is
definitively not the answer to the question "How can you know whom to trust?"_

A common sentiment: "Big Government doesn't work." No, it doesn't work. But in
many cases, it's _less broken_ than no government a/k/a The Free Market. I'm
reminded of Winston Churchill's quip: "It has been said that democracy is the
worst form of government except all the others that have been tried."

It could be that trusting democratic governments to manage a monetary system
is fundamentally unsound. I’m listening: What alternative do you propose, and
how is it going to scale beyond protecting the few wealthy info-elite that can
protect themselves?

~~~
guscost
Without _any_ rules, there is no such thing as personal property and therefore
a free market cannot exist. You're describing anarchy, where people take what
they want by force.

~~~
sneak
> You're describing anarchy, where people take what they want by force.

Like taxes taken by the government with the consent of the majority? Anarchy
is solving for the general case.

~~~
rprasad
You're free to move to someplace where they do not impose taxes, like Somalia.

Of course, you will have to vie with various competing warlords, all of whom
will demand "protection money", but that's the price of freedom from taxation.

------
ajross
> _Unbeknownst to us, Tihan was using the mtgox api key as the password for a
> website called LastPass._

Unbelievable. They decide to use a password escrow service... and use a
duplicate password to secure it. This is 100% cargo cult security. Clearly
whoever did this had no idea what the value of LastPass was, just that it was
what all the cool security kids were doing. The choice of the high-value MtGox
key was (staggeringly) unfortunate, but any duplicate would be equally
ignorant.

Just unbelievable.

~~~
pwman
It's even beyond using a duplicate password which as you point out is
ignorant. They were so unclear on the concept that they used a password that
was written down into their source code, and once that source code was stolen
they didn't change that password!

They also failed to utilize the two different free multi-factor options
LastPass offers (not to mention the premium ones).

LastPass tries to educate people and push them on not utilizing the same
password anywhere with a security challenge, but that clearly didn't teach the
concept here.

Their last breach involved losing access to their email: info@bitcoinica.com
-- so what email did they use here with LastPass? info@bitcoinica.com They
didn't utilize the security email either.

It is all unbelievable.

How do we drag this out of cargo cult security?

I see some are pushing certifications. If I made a free LastPass certification
that both proves you understand the concepts, and that you're currently
putting them into practice by showing that you/your company has multi-factor
enabled, would people demand it?

------
mmcnickle
The app and its infrastructure was created by a single, very inexperienced
programmer. The app's original author, Zhou Tong, is only 17[1].

Not that age is an indicator of experience in general, but it's certainly the
case here. I'm honestly shocked at the amount of trust placed in Bitcoinica.

An interesting display of the oft mentioned Stockholm Syndrome happening
elsewhere on the forum here <https://bitcointalk.org/index.php?topic=93100.0>

[1] <http://coinabul.tumblr.com/post/24022841613/10qs-zhou-tong-bitcoinica>

Edit: added reference.

~~~
zhoutong
Well I do agree with you that Bitcoinica was not 100% secure. This hack really
has nothing to do with the app or its infrastructure.

- I didn't set the password.
- I didn't have the power to change the password.
- I shouldn't have access to the account.

The root cause is LastPass account being stolen.

~~~
mmcnickle
Agreed that you are not personally responsible for this particular attack,
though I see it as the latest in a series of cascading failures, beginning
with the initial attack. It's the lack of consideration of security - that can
only be baked in from the outset - that's the real root cause.

If the application had been self-hosted in a physically secured location, the
attack that exposed the LastPass credentials would not have happened (email
reset of root passwords). It may not be cool, but the cloud/consumer-level
hosting is not appropriate for applications handling large sums of money.

~~~
zhoutong
Agreed. But one of the team members explicitly released the source code and
that caused the hacker to correctly guess LastPass account. (At least this is
the most "right" version of the story I've heard.)

------
0x0
I can't believe people entrust virtual money to sites like these which in
general - but consistently - seem to be run by amateurs.

~~~
wmf
AFAIK Bitcoinica was the only site offering BTC derivatives, so presumably
some people figured the potential profit was worth the risk. More generally,
_all_ Bitcoin exchanges seem to be run by amateurs, so people have to deal
with them to cash out.

~~~
0x0
I wonder why. There seems to be a huge gap in the market for a professionally
run enterprise here. Or at least, anything more focused beyond students half-
assing it part-time.

~~~
wmf
Bitcoin market activity may not be large enough to ever pay back the
significant cost of building a secure exchange. Also, as TradeHill and CampBX
discovered, people just won't move off of MtGox no matter how bad it is.

~~~
ScottBurson
People won't move off of MtGox for a simple reason: it has by far the best
liquidity.

The only way for another exchange to get a foothold would be to offer similar
liquidity, which would mean taking the other side of most trades themselves.
This would be very risky and they would need deep pockets.

------
aquayellow
Putting aside the way the Bitcoinica account got compromised, I wanted to
mention that I learned the hard way that either Mt.Gox is rife with security
holes or a lot of these breaches are actually insider jobs from someone
working at MtGox: A month back I realized that I had around 40 BTC lying
around and decided to sell them on MtGox. First, my Mt.Gox is mostly inactive,
so I actually had to reset my password and setup a new one that I had never
used before. Then, after I sold my coins, I realized I cannot transfer my
money to my Dwolla account; MtGox needs a scanned copy of my SSN! While I was
deliberating whether I should trust MtGox with my SSN, 24 hours had passed,
and I got an automated email from MtGox saying my money had been converted to
bitcoins and has been transferred! Everything gone! So, the facts are:

1. My account was mostly inactive.
2. I had recently changed my account password to a new more complex one: 2
   upper caps, 5 lower case, 2 numbers and one special character.
3. My money was sitting in my account for only 24 hours.
4. The time between my money getting converted to bitcoins and the actual
   transfer was just a few seconds, as if an automated script scans all
   accounts and then performs some tasks on them.

So, in short, please don't put all the blame on Bitcoinica. Something's wrong
at MtGox too :)

~~~
conroe64
I've recently had upwards of $10K on mtgox and had no problems. Could it be
that you have some malware with a keylogger on your computer?

~~~
aquayellow
Not that there aren't any keyloggers for Linux, I never found anything
suspicious, nor have any of my other accounts been breached into. But yeah, if
there is a keylogger, I bet it got installed from the Mt.Gox website itself ;)

------
codesuela
I would've thought that no one would keep using Bitconica after their first
major breach but here I am, shocked by the fact that people still kept
trusting them with their Bitcoins

~~~
xSwag
I've lost count of how many times they have been breached. Why don't they get
independent pen testers and get them to test their system? Surely paying a pen
tester $5k is much better than the amount of negative publicity you get when
you lose $350K

~~~
mmcnickle
Three times apparently (from the forum):

    Feb ~ 200k USD
    May ~ 91k USD
    Today ~ 300k USD

~~~
kokey
Someone is going to buy a lot of drugs.

~~~
throwaway1
Please go back to reddit.

------
muyuu
MtGox transfer limit maxed out: 40,000 BTC + 40,000 US$.

At current BTC valuation ($7.66) that's 346,400 US$.

By the way, the full Bitcoinica trading platform source code is posted there:
<http://depositfiles.com/files/2p6zvadzs>

~~~
ashconnor
Doesn't seem to work out of the box.

~~~
muyuu
I haven't had the time to try it myself (still in the office). All I know is
it's RoR.

------
tlrobinson
Step 1: Throw together a Bitcoin "exchange"

Step 2: Announce you were "compromised"

Step 3: Profit!

~~~
Karunamon
Step 2.5: Pay tons of restitution or get sued into next millennium

------
at-fates-hands
This seems like it has turned into a game for the hackers now. Bitcoinica get
breached, re-load their defenses and then its just a matter of time before the
hackers get in again.

I don't think anything nefarious is going on, but it would appear there is
little or no consequences for breaches which makes it a low risk, high reward
opportunity.

If I were them, I'd kill the business, completely start over with a new
company name, new site, new everything. As long as they're in business, they
are going to remain a target.

~~~
kristiandupont
How would a new company name help anything? If they want customers to be able
to find them again, surely so will the hackers?

------
encoderer
Is it really that hard to imagine that this is an inside job? Come on... 4 or
5 big money-losing breaches? To the tune of what? A million dollars? And
nobody is talking about cooperation between insiders and this "hacker"?

~~~
lmm
Hanlon's razor. If anything, attacking via their hosting company shows
Bitcoinica are more secure than the vast majority of internet companies. The
attacks took more effort than those on HBGary (a dedicated security firm),
LinkedIn, Last.fm (who I know have more clue than most internet companies),
....

Even in 2012, internet security is still a joke. There's no need to invoke
conspiracies.

------
xSwag
Hate to say this but if this sort of sloppiness continues, the bitcoin brand
will be trampled so badly it will never get off the ground.

~~~
efdee
Too late, I'm afraid. Who, today, uses Bitcoin, except for criminals and
speculants?

~~~
javert
That's a fallacious argument. The reason it's mainly used by criminals and
speculators is because it's brand new, as far as currencies go. If Bitcoin
_had_ been used by lots of people already who then abandoned it, you might be
able to make the argument you're trying to make.

And one thing I've noticed it increasingly being used for is basic (small-
scale) financial services - for example, loans.

------
jasonlingx
It is worth noting that (some of) the people behind Intersango acquired and
took over operations of Bitcoinica just before the recent hack that took
Bitcoinica offline since May 2012 (see
<https://bitcointalk.org/index.php?topic=81581.0>)

Intersango is currently the second largest bitcoin exchange after MtGox, and
the largest bitcoin exchange for GBP (see <http://bitcoincharts.com/markets/>)

From their site(<https://intersango.com/>):

"Having never suffered a break in or major technical error, we are confident
in our abilities to lead bitcoin into its rightful place in the real world."

Some blame for the May hack could be arguably attributed to Zhou Tong,
however, having taken over for 3 months since...

~~~
sgornick
Mt. Gox offers two-factor authentication methods (Yubikey and Google
Authenticator). Neither was used. Lastpass offers two-factor authentication
methods (Yubikey and Google Authenticator). Neither was used.

But also, nobody who also works with Intersango had access to either of those
two accounts. [Update: I may have been misled on that as there is now
conflicting information:
<http://bitcointalk.org/index.php?topic=93074.msg1028157#msg1028157>]

------
Smrchy
This might explain the unusual rise of BTC vs. USD.

The thief might have just traded those dollars to bitcoins which makes them
harder to trace.

~~~
bnr
Another possible explanation for the increasing rate is that someone is
offering 7% interest on BTC: <https://bitcointalk.org/index.php?topic=50822.0>

If that offer is really enough to make the price rise, this might be exactly
what this guy is speculating on.

~~~
nullc
You mean 3372% interest— The 7% number is _per-week_.

~~~
gibybo
I'm not sure why anyone would believe him enough to send him money. Perhaps
they don't understand how absurd that claimed interest rate is? :x

~~~
jonhendry
If the money were funding a payday loan shop, that's the kind of interest rate
they charge to their customers.

ie, take in money via Bitcoin, loan out dollars to poor people as payday loans
at very high rapidly compounding interest rate, pay somewhat smaller interest
rate to Bitcoin funders.

~~~
gibybo
I don't think payday loan shops are ever constrained by the amount of capital
they can loan out, though. If they were, it would be trivial for them to
borrow money at normal rates (say 10%) from a traditional bank and solve that
problem. I'm sure they are much more constrained by the physical
locations/marketing/accessibility of customers/etc and no money at 3000+%/year
is going to help them solve those constraints.

------
jsh4ft
I feel badly for the people that lost money, and hope that some legal action
is taken against the organization.

------
nthitz
Fool me once, shame on you. Fool me twice, shame on me.

~~~
coinabul
How about four times? :)

~~~
jbigelow76
I've got a bridge to sell you.

------
columbo
I know nothing about bitcoin, can someone provide a tldr about why it is
(seemingly) so difficult to build a secure site around exchanging these
things?

I don't get how you can simply "lose" a few hundred grand without a horse
head winding up at the foot of your bed.

~~~
epscylonb
If you run a service where you need to pay bitcoins out to users then that
means your systems have to respond to user input and send money to them.

It turns out this is pretty tricky to secure.

The current popular strategy is to have hot and cold wallets. A hot wallet is
online and can make payouts automatically.

A cold wallet is kept offline (airgap) and brought online by a human being to
refill the hot wallet when it is running low. This only really makes sense if
your service needs to secure large amounts of bitcoin for a long time without
using them.

This recent bitcoinica hack is pretty inexplicable, they were keeping a large
amount of coin in an account at an exchange called MtGox. This is effectively
a hot wallet.
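As an added illustration of the hot/cold split described in the comment above (this is example code written for this page, not code from the thread or from any exchange), here is a small Python model. The hot wallet holds only a bounded amount of coin and services automated payouts under a per-payout cap and a rolling-window cap; when its balance drops below a low-water mark it records a refill request that an operator must fulfil by hand from the offline cold wallet. The `HotWallet`/`ColdWallet` names, the caps and all amounts are constructed for the demo; amounts are integers in satoshi.

```python
from collections import deque
from dataclasses import dataclass, field

SATOSHI = 100_000_000  # integer units per BTC; every amount below is an int


@dataclass
class HotWallet:
    """Online wallet that services automated payouts.

    Its balance, not the service's total holdings, is what a compromise of
    the payout path can drain, so the service keeps it small and bounds
    what automation may pay out without a human in the loop."""
    balance: int          # satoshi currently online
    max_payout: int       # hard cap on a single automated payout
    window_cap: int       # cap on total paid out within any rolling window
    window_seconds: int   # length of that rolling window
    low_water: int        # below this, ask an operator for a cold refill
    target: int           # balance a refill tops the hot wallet back up to
    _recent: deque = field(default_factory=deque)        # (timestamp, amount)
    refill_requests: list = field(default_factory=list)  # pending amounts

    def _paid_in_window(self, now: int) -> int:
        """Drop expired entries and total what was paid in the live window."""
        while self._recent and now - self._recent[0][0] >= self.window_seconds:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def payout(self, amount: int, now: int) -> str:
        """Attempt an automated payout; returns a status string."""
        if amount <= 0 or amount > self.max_payout:
            return "rejected:per-payout-cap"
        if self._paid_in_window(now) + amount > self.window_cap:
            return "rejected:window-cap"   # route to manual review instead
        if amount > self.balance:
            return "rejected:insufficient-hot-balance"
        self.balance -= amount
        self._recent.append((now, amount))
        if self.balance < self.low_water and not self.refill_requests:
            # Only a human can act on this: the cold wallet is offline.
            self.refill_requests.append(self.target - self.balance)
        return "ok"


@dataclass
class ColdWallet:
    """Offline (air-gapped) store. Nothing automated touches it; a person
    signs a transfer to the hot wallet when a refill request is pending."""
    balance: int


def operator_refill(cold: ColdWallet, hot: HotWallet) -> int:
    """Manual step: fulfil the pending refill request from cold storage.
    Returns the amount moved (0 if nothing is pending)."""
    if not hot.refill_requests:
        return 0
    amount = min(hot.refill_requests.pop(0), cold.balance)
    cold.balance -= amount
    hot.balance += amount
    return amount


def exposure(hot: HotWallet, cold: ColdWallet) -> float:
    """Fraction of total funds a full hot-wallet compromise could take."""
    total = hot.balance + cold.balance
    return hot.balance / total if total else 0.0


def run_demo() -> dict:
    """Constructed scenario exercising both caps and the refill handoff."""
    hot = HotWallet(balance=5 * SATOSHI, max_payout=1 * SATOSHI,
                    window_cap=3 * SATOSHI, window_seconds=3600,
                    low_water=2 * SATOSHI, target=5 * SATOSHI)
    cold = ColdWallet(balance=95 * SATOSHI)
    # (timestamp, amount) payout requests, constructed for the demo
    requests = [(0, SATOSHI // 2), (10, 2 * SATOSHI), (20, SATOSHI),
                (30, SATOSHI), (40, SATOSHI), (3700, SATOSHI)]
    statuses = [hot.payout(amount, t) for t, amount in requests]
    moved = operator_refill(cold, hot)
    return {"statuses": statuses, "moved": moved, "hot": hot.balance,
            "cold": cold.balance, "exposure": exposure(hot, cold)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the one in the comment: keeping a large balance in an exchange account is a hot wallet with no caps at all, so `exposure` is close to 1.0; with the split above it is the hot balance divided by total holdings, and the window cap limits how fast even a fully compromised payout path can drain it.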

------
noarchy
I know there is a temptation to blame bitcoin itself here, but wow... this is
just some amateurish security on the part of these bitcoin sites. If the big
banks were doing this, it would be cataclysmic disaster. Instead, the big
banks have found other ways to drive themselves (and your money) into the
ditch, and it dwarfs anything that bitcoin sites can manage to lose.

------
muyuu
This looks like the actual BTC transaction: <http://blockchain.info/tx-index/11999735>

------
carlio
I assume 'GP' means 'Guilty Party'? If so, it's kind of telling that a
community has to use 'guilty party' enough to start abbreviating it...

~~~
ninjarobot
GP means 'General Partner' - Bitcoinica LP is Limited Partnership with a
General Partner and a Limited Partner.

------
feydr
<http://www.youtube.com/watch?v=u6mYGcNgKn8>

------
genwin
Perhaps this is the work of an insider.

------
drivebyacct2
Reusing passwords. Check.

Using passwords after they've been known to be compromised. Check.

Storing passwords protecting north of a million dollars in an online password
storage system and not even using the provided two-factor auth. Priceless.

This is just like the Mtgox guys claiming the bcrypt was not good after
getting caught using unsalted MD5.

This is amateur bullshit and the lack of actual penalties makes me think I
should have finished the exchange I started writing. You know, one where I
would have the common sense to store financial values as decimals and not
floats.

These are such naively simple mistakes, it just is hard to fathom.

The first reply's conclusion is spot on

 _You failed to disable Mt.Gox API,_

 _You failed to protect mt. Gox with a Yubikey,_

 _You failed to change Lastpass password,_

 _You failed to protect Lastpass with one of their many 2nd factor auth. (some
free)_

This is embarrassing to watch.

~~~
ajross
Surely you mean integer, not "decimal", right? I'm not an expert, but to my
understanding none of the values in the bitcoin protocol are expressed as
base-10 fractions.

It's a nit, obviously, but if you're going to ding someone for naive
mistakes...

~~~
clarkmoody
Fixed-point DECIMAL representation in the database is just as good as storing
Bitcoin values as integers. Baked into the field definition is the amount of
precision. And Python and other languages have features to work with fixed-
point numbers. This approach relieves the mental overhead and complexity of
converting to integers (which might overflow a 32-bit int) and back all the
time.

~~~
ajross
I just looked this up (feel free to correct me if you think I've missed
something): the value field in a TxOut is a 64 bit unsigned integer. It's true
that by convention the unit is 1e-07 BTC (i.e. a decimal fraction), but
nothing in the protocol actually cares, the "decimalness" is just in what you
call it. Implementing this with decimal math is just wrong, and likely to
break your implementation due to subtle bugs. Storing it in a database as a
decimal fixed point is plausible as it prints nicely, but in no way would I
consider that choice "just as good as" a quantity that was designed to fit in
a native machine word.

~~~
clarkmoody
Yes, the internal representation of Bitcoins is the 64-bit unsigned INT, but
I'm talking about storing customer account balances, trade prices, etc. I
would not use DECIMAL if I were writing an alternative client for Bitcoin or
for some other software that must create network transactions at a low level.

Even the RPC protocol for the main Bitcoin client returns fixed-point numbers
and expects non-integers for input arguments [1].

But I think we can all agree that using FLOAT for this kind of thing is just
plain wrong.

[1] <https://en.bitcoin.it/wiki/Original_Bitcoin_client/API_Calls_list>
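To make the float/DECIMAL/integer disagreement in the exchange above concrete, here is an added Python example (written for this page, not code from the thread or from any Bitcoin client). It shows a float ledger drifting on plain base-10 amounts, a fixed-point `Decimal` ledger that stays exact, and a parser that turns user-supplied amount strings into integer satoshi by way of `Decimal` (never `float`), rejecting sub-satoshi precision. It uses 100,000,000 integer units per BTC, i.e. the 8 decimal places the RPC's fixed-point numbers carry; the function names and sample amounts are constructed.

```python
from decimal import Decimal, InvalidOperation

SATOSHI_PER_BTC = 100_000_000                # 8 decimal places of precision
MAX_SUPPLY_SAT = 21_000_000 * SATOSHI_PER_BTC  # fits easily in 64 bits
BTC_QUANTUM = Decimal("0.00000001")


def float_ledger_total(deposits):
    """The approach everyone in the thread agrees is wrong: binary floats.
    Base-10 amounts like 0.1 have no exact binary representation, so the
    running balance drifts away from what the customer was credited."""
    total = 0.0
    for amount in deposits:
        total += amount
    return total


def decimal_ledger_total(deposits):
    """Fixed-point DECIMAL ledger: exact for base-10 amounts. Inputs are
    strings (or Decimals); passing a float here would only hide the drift."""
    total = Decimal("0")
    for amount in deposits:
        total += Decimal(amount).quantize(BTC_QUANTUM)
    return total


def btc_to_satoshi(amount_str):
    """Parse a BTC amount string into integer satoshi.

    Goes through Decimal, never float, and rejects non-numbers, NaN/Inf,
    negatives, sub-satoshi precision and amounts beyond total supply."""
    try:
        value = Decimal(amount_str)
    except InvalidOperation:
        raise ValueError(f"not a number: {amount_str!r}")
    if not value.is_finite():
        raise ValueError("NaN or infinity is not an amount")
    if value < 0:
        raise ValueError("negative amount")
    sat = value * SATOSHI_PER_BTC
    if sat != sat.to_integral_value():
        raise ValueError("more than 8 decimal places")
    sat = int(sat)
    if sat > MAX_SUPPLY_SAT:
        raise ValueError("exceeds total supply")
    return sat


def satoshi_to_btc(sat):
    """Integer satoshi back to a fixed-point BTC Decimal for display/RPC."""
    return (Decimal(sat) / SATOSHI_PER_BTC).quantize(BTC_QUANTUM)


def fits_int32(sat):
    """The overflow hazard raised above: a signed 32-bit int tops out at
    about 21.47 BTC worth of satoshi, so integer balances need 64 bits."""
    return -2**31 <= sat < 2**31


if __name__ == "__main__":
    print("float  0.1 x 10 =", float_ledger_total([0.1] * 10))     # not 1.0
    print("decimal 0.1 x 10 =", decimal_ledger_total(["0.1"] * 10))
    print("0.1 BTC =", btc_to_satoshi("0.1"), "satoshi")
    print("21.47483648 BTC fits int32?", fits_int32(btc_to_satoshi("21.47483648")))
```

Both the `Decimal` ledger and the integer representation are exact; the choice between them is about where the fixed point lives (in the column definition versus in the unit name), whereas `float` is wrong for either.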

------
rpledge
Ouch.... <http://qrauth.com> - Login using QR codes

Password is stored on your iOS device and securely transported to the site
you're logging into when you scan a QR code. No more excuses for
duplicate/easy to remember passwords!

~~~
untog
You should probably put in a disclaimer that you created QRAuth, it looks
somewhat spammy.

