
Mt. Gox under DDoS attack as bitcoin price surges - morphics
http://www.computerworld.com/s/article/9238118/Mt._Gox_under_largest_DDoS_attack_as_bitcoin_price_surges
======
ChuckMcM
Fascinating stuff. Since there is no legal authority behind Bitcoin (meaning
people with jails and a willingness to use them) there are incentives to find
ways to manipulate it in these sorts of ways, and little risk.

I don't doubt for a minute that the authorities find this amusing since they
would no doubt rather a currency outside anyone's jurisdiction got established
and so people who destabilize it are "friends" of a sort. That makes them less
likely to intervene.

That combination makes BitCoin sort of like [1] Eve Online, but with drugs
instead of spaceships. I wonder if this will lead to the creation of 'recovery
agents' like the art world has, usually former thieves or investigators who
work for insurance companies for a percentage of the recovered value.

[1] in the sense that you can scheme and plan large takeovers and heists and
the "outside" world doesn't care.

~~~
tolmasky
I know this is a commonly held belief, and quite possibly also the correct
legal interpretation of the situation, but I find it so strange. A currency is
just what we call a currency. If tomorrow my friends and I decide to start
trading goods for bicycles, then our bicycles become currency. I don't see how
that would all of a sudden make it OK to steal each other's bicycles, or
somehow put bicycles outside the scope of existing laws. If I went to the
police and said "Someone stole my bicycle", it would seem crazy for them to
respond with "haha should have kept that value in USD instead sucker!"

Every physical good we have has only the value we instill in it in our minds.
The absolute best analogue to this is chips at a casino. Chips really are a
parallel currency. They can buy you anything within the mini economy of the
host casino (and additionally are accepted by other fringe elements in said
city). They can be exchanged back for USD as well. Despite this, the
authorities in Las Vegas take casino chip theft _very_ seriously. Now people
can go out of their way to explain how chips aren't _really_ currency for
whatever reason they want. To that I could then respond "fine, but in that
case I also don't believe bitcoin to be currency either, just my own digital
property, like an iTunes song. So I still expect to have these digital assets
protected by the law".

~~~
regis
How is your iTunes library protected by law?

~~~
tolmasky
IANAL, but if someone steals a hard drive from me which I can prove contained
$10,000 worth of iTunes purchases, I am relatively certain the punishment
would be harsher than stealing an empty hard drive from me. Replacement value
and all that.

It's at least certainly the case that if I were to find a way to download the
iTunes tracks off iTunes for free, I would be charged with theft (whether you
agree with that or not).

~~~
ChuckMcM
That would be a _really_ interesting test case (the hard drive one) which I
think we missed a golden opportunity back with $10,000 CAD packages that node
locked to the drive serial number.

But to address your original comment, you are absolutely correct that folks
can create arbitrary currencies out of arbitrary goods (such as bicycles), but
some make better choices than others.

Bicycles have the benefit of having both a 'property' value which was
established by their replacement cost (great posts on Priceonomics on that[1])
but a poor recovery rate. They are also hard to store and are distinctly less
useful to people far away from you because shipping has high costs. You could
use in-game WoW items, but they too get little respect when stolen [2] :-)
Casino chips however are a great analog, not only because they translate 1:1
to dollars but also because I grew up in Las Vegas and had lots of experience
with them as a "currency" and later as a forbidden currency.

When Casino chips are stolen, surprisingly enough, the police don't care.
Which is to say that as far as the police are concerned they have zero value
(even though they have a nominal face value). That value is enforced by _the
casino_ not the state. So _casinos_ care when they are stolen and take
responsibility for punishing the people who steal them.

There was a series on one of the discovery channels called "Cheating Vegas"
[3] which talked about some of the higher profile ways in which casinos were
taken advantage of, and something you should note if you get to see it is that
the people who stole Casino chips and forged casino chips aren't accused
of theft, they are accused of _cheating the casino_. It's a weird thing but
people go to Vegas in order to "get" chips from the casinos, the casinos make
up games with rules by which they can do that, and the _gaming commission_
ensures that neither the customer nor the casino can violate the rules as
stated. Forging casino chips isn't so much a "crime" as it is an _unlicensed
way to accumulate chips._ How strange is that? Anyway the point is that the
Casinos spend a ton of their own money (a portion of their profits) on
security systems, private guards, etc.

To achieve a similar enforcement system with Bitcoin you would need some
agency which used part of their profits to hunt down and deal with people who
acquired their BitCoin in an unapproved way. So let's say Mt. Gox did this.
They took 1% of their transaction charge and funded a team of ex-special
forces types working for Blackwater[4] to apprehend them. Then what? Under
what you and I recognize as "the law" the status of BitCoin is the same as
gold coins in World of Warcraft, a digital product that some people are
willing to exchange for other currencies.

So here is the bottom line: if you steal a currency that is issued by a
country as legal tender, that country has an internationally recognized right
to prosecute in their judicial system. If you steal a currency that is issued
by a private enterprise, their actions are limited by what they can do in the
Terms of Service (for game companies) or adjacent laws (in the case of
gambling). Stealing this stuff really pisses people off and it's wrong, but in
all the ways that count it isn't actually "illegal" as far as I can discover.
(Would love to hear a legal theory on prosecuting a bitcoin theft btw; I've
been chatting off and on with my public defender sister-in-law and she hasn't
come up with one either.)

[1] <http://blog.priceonomics.com/post/30393216796/what-happens-to-stolen-bicycles>

[2] <http://www.youtube.com/watch?v=jSyjcib_Fps>

[3] <http://america.discovery.com/tv-shows/cheating-vegas/about-cheating-vegas/about-cheating-vegas.htm>

[4] <http://academi.com/> (renamed Blackwater, see
<http://abcnews.go.com/Blotter/blackwater-renames/story?id=15140210#.UV3Zz3HS92Q>)

------
wladimir
One thing with Bitcoin that still needs to be decentralized is the exchanges.
This shows again that mtgox is the achilles heel. Sure, there are many other
exchanges and ways to sell/buy, but it's telling (and sad) that DDoSing mtgox
is an effective price manipulation method.

As the stakes grow higher Bitcoin is turning into an interesting endeavor in
building resilient systems and preventing Single Points of Failure.

~~~
TazeTSchnitzel
It is already decentralised in the sense that there are plenty of
alternatives, and there are "over-the-counter" places like Bitcoin's
#bitcoin-otc.

~~~
wladimir
I know that. But for some reason there is an extreme reliance on mtgox for
price information. Even trades in -otc are usually based on the mtgox price.
So maybe I worded it wrong, it's not so much trade that is centralized but the
trade/price broadcasting.

~~~
TazeTSchnitzel
Ah, I see. Well, there are some sources that aggregate data, like Bitcoin
Charts:

<http://bitcoincharts.com/markets/>

~~~
wladimir
Agreed. Still, bitcoincharts is a centralized site too, and could be DDoSed,
overloaded, blocked, etc.

Maybe ticker/trade data could be spread over a gossip network as well. That's
not as trivial as it sounds, though, for example how to check that trades are
real and not just spam/manipulation. Maybe some way of authenticating
exchanges by signing the packets (but then -otc would be left out... maybe
their reputation system could be integrated somehow).
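As an added illustration of the signed-packet idea in the comment above (example code written for this page, not from the thread, from Mt. Gox or from any exchange): a constructed trade packet format, a registry of the Ed25519 public keys of known exchanges, and a Verify step that a relaying node runs so that packets from unknown senders, or packets whose price/volume fields were altered in transit, are dropped instead of gossiped further. The packet format, the field names and the exchange name are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TradePacket is a constructed message format (an assumption, not a real protocol).
type TradePacket struct {
	Exchange string  `json:"exchange"`
	Seq      uint64  `json:"seq"`
	Price    float64 `json:"price"`
	Volume   float64 `json:"volume"`
	Sig      []byte  `json:"sig,omitempty"`
}

// Registry holds the published Ed25519 public key of each known exchange.
type Registry map[string]ed25519.PublicKey

// signedBytes is the canonical encoding that gets signed: every field but Sig.
func (p TradePacket) signedBytes() []byte {
	p.Sig = nil
	b, _ := json.Marshal(p) // struct field order is fixed, so this is stable
	return b
}

// Sign is run by the exchange before it gossips the packet.
func Sign(p TradePacket, priv ed25519.PrivateKey) TradePacket {
	p.Sig = ed25519.Sign(priv, p.signedBytes())
	return p
}

// Verify is run by relaying nodes: unknown exchanges and altered fields are dropped.
func Verify(reg Registry, p TradePacket) error {
	pub, ok := reg[p.Exchange]
	if !ok {
		return errors.New("unknown exchange: " + p.Exchange)
	}
	if !ed25519.Verify(pub, p.signedBytes(), p.Sig) {
		return errors.New("bad signature on packet from " + p.Exchange)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"exchange-a": pub} // constructed exchange name
	pkt := Sign(TradePacket{Exchange: "exchange-a", Seq: 1, Price: 142.5, Volume: 0.8}, priv)
	fmt.Println("genuine:", Verify(reg, pkt))
	pkt.Price = 99.0 // altered in transit
	fmt.Println("tampered:", Verify(reg, pkt))
}
```

The registry stands in for whatever key distribution the exchanges would agree on; an -otc peer without a registered key is rejected here, which is exactly the gap the comment points out.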

------
NelsonMinar
In this article Mt Gox says that the attacks are to manipulate the currency.
My first guess was this was a shakedown; it's not uncommon for organized
criminal gangs to DDOS a site until they pay a ransom. Grey market sites are
particularly vulnerable to extortion; online gambling, for instance.

~~~
baby
What kind of sources do you have to back up this theory? Never heard of that
before.

~~~
NelsonMinar
The main source I've read on DDOS extortion is "Fatal System Error". It's
largely about Barrett Lyon's company Prolexic, a company specifically
providing DDOS protection for online casinos. But that's just one example, I
think there are many more. I have zero specific evidence that there's been
DDOS extortion against BitCoin providers, but it sure seems plausible.

~~~
waterlesscloud
Prolexic is also the company providing DDOS protection for MtGox.

Source: MagicalTux (person who runs Gox) in freenode #mtgox.

------
trotsky
_Mt. Gox is in the midst of a major technical overhaul of its exchange.
Gay-Bouchery said Mt. Gox is rebuilding its trading platform from the ground up._

We're throwing out our entire OLTP system, but trust us - the lag and error
pages that have been popping up on our heaviest trading day of the year are
caused by hackers.

~~~
Karunamon
Yes it's _entirely_ more likely that they're breaking their own service (which
with transaction fees is their primary income source) rather than some person
or group screwing with the exchange in order to influence the price.

~~~
trotsky
Heh. I'm suggesting their trading platform is having trouble scaling, not that
they're doing it on purpose.

------
skore
> What can you do?

> Like our favorite author here at Tibanne says… Don’t Panic!

> “Panic-selling is a wide-scale selling of an investment which causes a sharp
> decline in prices.[...]” (Source: Wikipedia)

But... But I want it to crash! Just a little! So I can finally buy lots of
bitcoins myself!

~~~
lucb1e
I want it to crash too! Like, drop to half the price and then
<http://3.bp.blogspot.com/_JZ0rN-zdg2M/TU_NRnvhGfI/AAAAAAAAAF8/XqZUhPrSz90/s1600/dagobert_duck.jpg>

~~~
viraptor
I don't think it can crash anymore. Not like the last time anyway. Too many
people know that the price will go back again and want this to happen. (me
included)

What that means in practice is that some people will buy after 5% drop, more
after 10%, even more after 15%, etc... I don't believe anymore that we can
have a proper crash in this situation. If we do, the price will bounce back in
a matter of seconds. I'm probably not the only one keeping an open order to
buy as many bitcoins as possible at below £5. Lack of sell-stop orders on
mtgox also means there's nothing to balance them out (apart from automatic
trading).

~~~
davidw
A lot of people wanted tulip prices to rise again, as well.

~~~
viraptor
I agree on the bubble phase being similar, but disagree on what would happen
afterwards. Tulips becoming cheap meant that everyone suddenly had access, but
the amount was still more limited than in the case of BTC. Also the time of each
transaction was not even close to what happens at mtgox. There are thousands
of orders just waiting to be filled the moment the price moves. On the other
hand physical goods shipment took weeks/months.

So while both events may have a similar cause/progress... there's a huge
difference in how the market itself works.

~~~
eterm
Actually they would trade tulip futures and, critically, options, which
allowed for quick trades and leveraged speculation.

------
SethMurphy
With all the vague claims about attacks and building a "bullet proof" system I
have a hard time trusting them any more than a trader at a big bank selling
their own complicated financial instrument. He seems to be trying to
manipulate the prices with these statements too. Good thing it is unregulated.
Oh yeah, and "He warned bitcoin traders not to panic or invest more money than
they're willing to lose." IMHO this is a straight up admission it is a
speculative investment and not a real currency at the moment.

~~~
jimktrains2
I'm pretty sure that Grade A bonds, CDs, and IRAs, among a few other
accounts, are the only types of investments that one should consider putting
more money than they're willing to lose into.

Bitcoins is a ForEx market, and like any ForEx market, you can lose money,
quickly.

~~~
gibybo
Technically speaking, an IRA is just a (brokerage|bank) account with a special
tax designation. It won't stop you from putting all your money in a penny
stock or out of the money options, for example.

~~~
jimktrains2
Ah. I thought they were a combination of various things that made them fairly
stable, or more so than a 401(k) anyway. Thanks for the clarification.

------
tlrobinson
_The lag of six or seven seconds before a trade is executed "is not
acceptable,"_

I don't understand what a DDoS has to do with trade lag. They're DDoSing the
website, not the trading engine, right?

6 or 7 seconds is bad enough, but it's a huge understatement. MtGox's trading
engine "lag" can grow to absurd numbers; it was like 10 minutes a couple days
ago. I honestly can't comprehend how it gets this bad. It should be on the
order of micro- or milliseconds. It's not like matching up trades is
computationally expensive.

Anyone have an explanation?

~~~
saosebastiao
I would hope not, but this makes me skeptical. Does this mean that the trading
engine and the website are the same entity?

~~~
waterlesscloud
Yes, they are.

They currently have a project underway to separate the two.

The site owner, MagicalTux, said yesterday in irc that for the last couple of
years (since the first bubble) they've basically made barely enough revenue to
keep the site running (and sometimes at a loss), much less improving it. They
looked at loans, but the most they could arrange was a couple hundred
thousand, which wouldn't have been enough apparently. They also privately
contacted big bitcoin fortune holders for loans, to the same result.

The kind of people that you'd hire to make it work right are expensive, to no
one's surprise. The last few months have given Gox a huge increase in revenue,
and they're using it to finally upgrade their tech.

I'm not a Gox fan, and I wish people would use the other exchanges and get
some diversity into the system, but I can understand how they got where they
are.

------
api
Anyone remember EFNet IRC in the mid-1990s? Bitcoin is going to be like that,
except real money is at stake.

~~~
skrebbel
I remember EFNet all right, but I've still no clue what you're talking about.

At least to my understanding, EFNet was (is?) an IRC network. With channels.
Where people chat. Maybe I missed some relevant history?

~~~
api
Basically, the old IRC protocol was pretty brittle. You could break the
network with DDOS attacks, exploits, etc. in order to get "ops" on IRC
channels. This resulted in a sort of emergent hacker game called channel wars.
Massive attacks were constantly being launched, to the point that running an
IRC server became a way to have a serious target painted on your connection.

~~~
yebyen
Oh yes. Now I remember EFnet in the 90's.

------
someOtherName
Because what is "Mt. Gox"???

<https://encrypted.google.com/search?q=Mt.+Gox>

<https://mtgox.com/> "Mt.Gox is the world's most established Bitcoin
exchange."

~~~
jmgao
It's a Magic the Gathering Online card exchange.

------
jpdus
Has anyone had a withdrawal request processed by Mt.Gox during the last days?

I requested 2 withdrawals more than a week ago and didn't receive any funds, nor
do the requests show up in my account history...

------
brokentone
Largest DDoS attack? A mighty claim without any numbers. I thought we just had
the largest attack on Spamhaus the other week anyway? Oh well, I quit tech
news stories.

~~~
swinglock
I assume against Mt. Gox.

------
saosebastiao
Bitcoin makes for some great speculation, but I absolutely cannot treat it as
a currency until the prices stabilize independent of the exchange used.

~~~
drcode
What are you talking about? It's been 24h since we've had a fluctuation
greater than 5%!

(kidding)

------
nsoun
Are there patterns in flow traffic that monitoring tools could help
detect/mitigate a DDoS like this?

------
lucb1e
It's a bird....It's a plane...It's Cloudflare!

Edit: Oh they're already using it? Guess they can't save the day then... MtGox
seem to be up now though.

~~~
nwh
Most Bitcoin websites, Mt. Gox included, are already behind CloudFlare.
Worryingly, this means they have surrendered their SSL private keys to a
secondary company.

~~~
gphil
Yeah, but you also already have to trust the certificate authority, your ISP,
your employees who have access to the server...the list goes on.

Furthermore, I believe the way it works is that clients make an SSL connection
to CloudFlare, who makes another SSL connection to your service (using
different key pairs.) Granted, they still get to see all your traffic
unencrypted, but it all just comes back to trust.

~~~
lmm
SSL is end-to-end; the ISP is just one more untrusted carrier. And I would
expect MtGox to have access controls around employee access to their servers.
Both MtGox and their certificate authority have much stronger incentives to
play nice than CloudFlare do.

~~~
ceejayoz
"Hosting provider" probably was meant more than ISP.

