Mtgox has neither of those assurances.
They have absolutely no credibility on the security front. They were using MD5 with no salts at one point in time. They then moved to MD5 with salts. Now they are at "SHA-512 multi-iteration, triple salted." That seems more like they're trying to say "Oooohh! Look at us! See?! We're being secure!" Triple salted means what, exactly? (Other than the fact that it makes it clear these are people who read about salting online and then thought "more is better.")
Next: "we have actively been patching holes." Oh no. You mean, you're just going through the code and looking for bugs and hoping you get them all? That might work for normal programs just fine, but even ONE vulnerability is enough to take an entire database. A database hosting just passwords may not be all that bad (it usually is, but it doesn't have to be). A database which hosts thousands and thousands of dollars? Now that is something to worry about. It truly does look like they got lucky on this attack.
As for the guarantee that banks give -- that if they get broken into, I will still have my money -- there is no way mtgox provides this. Anyone who still has money on mtgox is asking for trouble.
Would you store your funds at the Bank of Wordpress?
That, though, in no way means that you can't build a good, secure website on the LAMP stack.
It's just a (rather obvious) fact that if you're a bad developer, then you're going to build an insecure site, most likely on LAMP. If you're a good developer, you're probably going to build a good site, which might be on a less common platform, but equally (or more) likely on LAMP, too.
It seems to me your loathing of facebook is completely irrational. Unfortunately it's this irrationality that drives most discussions regarding facebook in tech circles.
I would know that I could still withdraw my money because they have enough cash on hand for me to do so.
Or if you want a more practical example, keep watching Greece (or look at what happened to Argentina 10 years ago).
Yes. I am sure. I have far, far, far less than 0.000001% of the total money in the bank. If they could not produce this much money when I wanted it, there would be other serious problems.
> Or if you want a more practical example, keep watching Greece
If I was in Greece, I would not have my money in one of their banks.
Last year, a branch office of a large bank in Finland was barely able to produce 10 000 euros in cash when I wanted to withdraw it.
The clerk just didn't realize he shouldn't mention it.
Don't be so sure.
But I'd sure expect more than 10k euro.
Furthermore, acting as a "proper bank" means they do a lot more than just acting as your personal piggy-bank/mattress. If they have all their money tied up in cash, it means they can't actually be performing real bank activities (investment).
I just chimed in with my anecdote.
You think this is enough nitpicking, or do you want to go on?
There's a reason banks have a legal right to refuse a withdrawal, specifically because they may not have enough funds. That reason is: because it has and will happen.
What happened with Washington Mutual is not what's going to happen if there's a run on Mt Gox.
I admit I got a little off track though. My parent specifically stated withdraw money when he wants. There's plenty of evidence that at the peak of the crisis, some people had problems. But I agree, it seemed to have been few, and in the context of Mt Gox, it isn't really relevant.
Sure it does. The FDIC makes an annual assessment on financial institutions ranging from 2.5 to 45 basis points to keep the insurance fund solvent. In 2009 there were many special assessments to replenish the fund.
Insurance is always leveraged. Those skilled in the art are actuaries.
In terms of the question, how would it be handled from an FDIC perspective if it came to a worst case scenario... it'd be a shit-show.
I think you're just rambling. Our currency isn't gold backed -- who cares how much the US govt. has in gold repositories and why does it need to be checked?
Which, it turns out, works just fine -- the belief that gold has value is roughly as magical as the belief that saying some words can turn wine into blood (and a prime sign of religious dogma in both cases).
The US economy may be fucked up in many ways, and may face some harsh transitions if it can no longer rely on the strength of the dollar as an international currency, but it is still a large economy. The loss of that strength will not magically result in the dollar having "no backing".
Certainly, if the dollar was replaced by the RMB internationally, the dollar would start to drop against other currencies - until it reached a realistic equilibrium point.
The "conspiracy" theory goes that this gold has either been loaned (that's why Ron Paul phrased his question to also check if they're "obligated") or sold to drive down gold price, thereby making dollars a more attractive investment than gold. Hence the call for an audit. The "conspiracy" theory further suggests that all the world's central banks are doing this.
A precipitous drop in the value of the dollar would be unpleasant (including for Americans with savings), but I don't see what FDIC has to do with it.
"The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdraw password that will be separate from their login passwords."
Increasing iteration count is synonymous with intending something to be slow. BCrypt itself uses a default of 2^10 iterations in most bindings. PBKDF2 and a NIST-studied hashing algo like SHA512 is a perfectly valid method.
Googling "triple salted" sha -gox gives me 13 results, of which 3 are about caramel cupcakes and none are serious evaluations of such an approach. It sounds like homebrew security.
<edit> Ok, whatever, keep downvoting, fuckers.
By contrast, computing bcrypt takes a significant amount of time and CPU. It's slow. It's designed to be slow. It's designed so that you will need a LOT of CPU power to bruteforce it.
So, no, SHA-512 is not much better than MD5. It's still a fail.
I for one won't be returning to mtgox.
Edit: Full-disclosure post http://seclists.org/fulldisclosure/2011/Jun/417 and relevant Bitcoin forum discussion http://forum.bitcoin.org/index.php?topic=20437.0
Why not use a standard key derivation function such as PBKDF2 or bcrypt to provide some confidence in the system rather than inventing their own?
AFAIK bcrypt is strong because of Blowfish's expensive key setup. How does this compare to SHA-512?
I could quintuple-salt my passwords with 4096 byte salts chosen purely randomly and there would be no perceivable advantage over a single 512 bit salt.
A DB compromise doesn't reveal the other 2 salts. A full filesystem image doesn't reveal the third salt. Even an interactive root compromise would need to know to take an image of the running system's memory to get the third salt.
There is a standard method of securing online accounts, using known methods that are currently known to be perfectly safe in every application from financial institutions to the latest social networking site. Triple-salting passwords is not that method.
I was providing an example of what could be meant by 'triple salting' that didn't necessarily involve 'three servers'. We could contrive scenarios where bcrypt with this multisource-salt would be a win over bcrypt with a single same-database salt. Intellectually exploring the problem and solution space requires more than just slavishly repeating the already widely-known 'standard methods'.
Have we worked together at a level that would help you assess my level of knowledge, and the sources thereof? I don't recognize your name/handle.
I agree, there could be an implementation where applying multiple salts might have a benefit, but SHA-512 is not that implementation. I was not slavishly repeating 'standard methods', but pointing out that they are or were widely wrong in whatever they were doing to begin with. An MD5 is hilariously weak for password hashing, and salting an MD5 only makes an extremely weak password hashing scheme moderately weak. It honestly sounds like they took the first hashing implementation with the largest number tacked on the back of it that came to mind and called it good. This is not the right thing to do, and anyone that 1) cares about the security of their online web app's users information, and 2) has spent more than 2 minutes reading about the correct ways to secure an online web app, should be able to figure this out.
Point being, the fact that they originally only had MD5, and then "upgraded" to a salted MD5, and now are going to a triple-salted (whatever that means) SHA-512, is a BIG clue that they really don't know what they are doing, and a complex homebrew triple salt implementation that passes a password to 3 different places to be salted is bound to be broken. Unless they have hired a well known experienced cryptographer, I wouldn't trust MTGox with a dime of my internet money.
Programmers: shut the fuck up and use a well known password derivation function. Stop the NIH wanking -- homebrew cryptography is about as useful as seeing the local witch doctor for a heart attack.
At the end of the day, salts are there for one thing alone: eliminating the possibility of rainbow tables. But whether you use 1 salt of decent size (64-bit minimum for that) or 1000, you've got the exact same protection there. There's a good reason it's recommended that you use PBKDF2 or bcrypt.
Not quite the same application, but it would seem best to take a conservative approach and make your salts 128 bits because the storage required is so small - you are only storing one per username.
The NIST application involves generating keys from passwords, which you might do a gigantic number of times for every password to get unique sessions and so on. They're not talking about password storage. And even then, 128 bits seems like a huge overkill, which was included just because it's cheap, so why not. I don't mind 128-bit salts, but let's not promote that as some "ultra-secure" feature, which it isn't.
Thus, the fact that they are describing it in terms that none of us have heard of is a troubling sign.
"Don’t write your own Crypto algorithms unless you have a Doctorate in Cryptography."
How do these businesses succeed with business people that have no business wit about them, have NO ability to communicate effectively in these critical situations and have awful taste in technical advice?
Google "bcrypt sha-512 hash passwords" and tell me if it's a hard call to make. You should have heard these guys within the first 36 hours answering questions. Even the business guy over at TradeHill, "Well, you know after mtgox, we need to do a lot to beef up our security". Even if that's a true statement, what a ridiculously terrible way to phrase it.
I think speech and debate classes should be required for everyone to graduate high school, let alone college. People aren't good at thinking on their feet and speaking in critical situations where wording makes a difference.
When you're in the business of being an online bank for an uninsured (nearly) untraceable currency, mis-speaking like this costs you your most important asset: TRUST. That's not even touching the tip of the iceberg of lies and misinformation that has come out of mtgox.
Anyone that leaves a penny in any mtgox account is an idiot.
They take off because they are excellent, useful and timely ideas. Unfortunately, people who have strong, timely ideas, like this one, frequently aren't able to find good technical co-founders, probably because of the "ideas are worthless" meme so many hackers love to recite nowadays.
So the ideas take off anyway, but the sites basically don't have the technical architecture that they should and have to be rewritten later.
You really think so? I find that statement sort of amazing. I guess ever the optimist, right?
In the current case, well just because it isn't perfect from a technical standpoint, doesn't mean it wasn't the best execution of the idea out in the wild...
BCrypt 1000 iteration test script: https://gist.github.com/1058610
# => That took 76.370953 seconds
BCrypt 1 iteration test script:
(same as above but with `1.times do`)
# => That took 0.074209 seconds
SHA512 1000 iteration test script:
# => That took 0.004092 seconds
SHA512 at 1000 iterations is over 18,000 times faster than BCrypt at similar iterations; which, by the way, makes no sense to do.
BCrypt has a "cost" factor, which is used to adjust the computational complexity to your use case. This is why BCrypt makes so much more sense for password encryption than something like SHA512. Running SHA512 n times is just a cheap, ineffective imitation of BCrypt.
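The benchmark above times the two primitives but does not show what a standard KDF actually buys you over hand-rolled "SHA-512 multi-iteration": a published construction and a work factor stored with the record, so it can be raised later. The following is an added example, not code from the thread or from Mt. Gox. It uses PBKDF2-HMAC-SHA512 from Ruby's standard `openssl` library (bcrypt would do equally well but needs a gem); the record format `scheme$iterations$salt$hash`, the function names and the 128-bit salt size are my choices, not anything the exchange documented.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
require 'benchmark'

DIGEST_LEN = 64   # SHA-512 output, in bytes
SALT_BYTES = 16   # one random 128-bit salt per record; extra salts add nothing

# The construction the thread is criticising: SHA-512 looped by hand.
# No published standard says how salt and password are combined or how
# many rounds were run, and each round is one cheap hash call.
def naive_iterated_sha512(password, salt, iterations)
  h = Digest::SHA512.digest(salt + password)
  (iterations - 1).times { h = Digest::SHA512.digest(h) }
  h
end

# The same primitive inside a standard KDF (PBKDF2-HMAC-SHA512, RFC 2898).
# The iteration count is the tunable work factor, the analogue of bcrypt's cost.
def pbkdf2_sha512(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, DIGEST_LEN,
                             OpenSSL::Digest.new('SHA512'))
end

# Self-describing record (my format, not Mt. Gox's): scheme$iterations$salt$hash.
# Storing the iteration count lets you raise it for new records without
# breaking verification of old ones.
def hash_password(password, iterations: 100_000)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  dk = pbkdf2_sha512(password, salt, iterations)
  ['pbkdf2-sha512', iterations.to_s, salt.unpack1('H*'), dk.unpack1('H*')].join('$')
end

# Compare without short-circuiting on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(record, candidate)
  scheme, iter_s, salt_hex, dk_hex = record.split('$', 4)
  return false unless scheme == 'pbkdf2-sha512' && dk_hex
  salt = [salt_hex].pack('H*')
  expected = [dk_hex].pack('H*')
  constant_time_equal?(pbkdf2_sha512(candidate, salt, iter_s.to_i), expected)
end

# Attacker's view: offline guesses per second against one stolen record.
# Measured in Ruby, so the absolute numbers say nothing about a GPU cracker;
# what the defender controls is the iteration count, and the record carries it.
def guesses_per_second(iterations, scheme: :pbkdf2, trials: 10)
  salt = "\x00" * SALT_BYTES   # constructed fixed salt for timing only
  elapsed = Benchmark.realtime do
    trials.times do |i|
      if scheme == :pbkdf2
        pbkdf2_sha512("guess#{i}", salt, iterations)
      else
        naive_iterated_sha512("guess#{i}", salt, iterations)
      end
    end
  end
  trials / elapsed
end

if $PROGRAM_NAME == __FILE__
  rec = hash_password('correct horse battery staple')
  puts rec
  puts verify_password(rec, 'correct horse battery staple')   # true
  puts verify_password(rec, 'Tr0ub4dor&3')                    # false
  [1_000, 20_000].each do |n|
    printf("naive SHA-512 x%-6d %10.1f guesses/s\n", n, guesses_per_second(n, scheme: :naive))
    printf("PBKDF2-SHA512 x%-6d %10.1f guesses/s\n", n, guesses_per_second(n))
  end
end
```

Two practical checks fall out of this: the iteration count lives in the record, so an attacker who edits it down in a dumped row cannot make a lowered-cost hash verify, and raising the default for new users costs nothing for old rows. Salt size is the other point the thread argued over: 16 random bytes per row already defeats precomputed tables, and a second or third salt in the same database changes nothing about the per-guess cost.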
Most advances in cracking cryptographic hashes are not from Moore's law, but from some insight or breakthrough in the underlying algorithm, i.e. someone figures out a way to make MD5 brute forcing 2^(lots) faster. Usually these are not done overnight, but are chipped away bit by bit.
We are getting there with SHA512. The edges are starting to give. Warning signs are apparent. Eventually someone will reduce it to nothingness. 1000 iterations of nothingness is nothingness.
SHA-2 is already in most languages without an additional library.
Oh dear god this is a terrible way to make a security decision. You have to install software no matter what you do. Unless you're writing software with a magnet in raw machine code, you will have to install additional software. Take the few minutes to install the bcrypt library.
So you would either have to port bcrypt or use existing crypto code to approximate bcrypt-level security.
They can inflate the bitcoin in circulation, and all it takes is enough real bitcoin and cash to cover the withdrawals for no one to know the difference.
Banks can do whatever they want, they're not subject to reserve requirements, or for that matter any kind of oversight.
I'm not sure how regulated fractional reserve banking is a terrible thing, but a completely unregulated bank is a better thing.
Bitcoins provide a chance for trust to be based on economics (escrow, insurance, audits, etc) not by government fiat. But you can't fall asleep at the wheel and just expect everything to work.
The difference, in case you're curious, is willful pedantry, and really just clutters up the thread.
MTGox is not a legally regulated bank. They are not a legally regulated exchange. They DO hold accounts on behalf of their customers, performing the function known as "banking". They DO execute trades between their customers, performing the function known as "an exchange".
So you agree, or you disagree? Sorry to stick with Aristotelian logic.
Since it's obvious we do need banks for bitcoin (or a safe way to store our currency) and it's not very anonymous, what's the point of using it again?
I would rather just use credit cards or cash.
The decentralization has more to do with the fact that no government can control the currency.
Congratulations to those who guessed correctly: http://news.ycombinator.com/item?id=2676467 http://news.ycombinator.com/item?id=2676986 http://news.ycombinator.com/item?id=2676612
I've got 70 bitcoins in their system, and they have not responded to any attempts to contact them for two weeks now.
I've even gone so far as to contact Mark Karpeles directly through LinkedIn, and nothing.
They have lost all credibility. Aside from the fact that no one will ever trade with them again, the most likely next scenario is a flood of lawsuits from Mt. Gox members who have lost their money.
Those are good words to read. +1.
Maybe, maybe not. But this hack may be one without recourse.
I realise it is kind of security through obscurity, but in this instance the SQL injection wouldn't have compromised the private salt and it would have been much harder to recover the passwords. Presumably, you would have to use a known pass/hash combo to brute force the private salt, which would take a lot more computation time than recovering simple passwords.
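The "private salt" idea in the comment above, and the "DB compromise doesn't reveal the other salts" scenario earlier in the thread, is usually called a pepper: a server-wide secret kept outside the database and mixed into the stored hash. This added example (mine, not code from the thread or from Mt. Gox) shows what a SQL-injection dump of salts and hashes is worth with and without that secret. The pepper is generated fresh here for the demo; in a deployment it would come from a config file, environment variable or HSM, which are the assumptions this block makes.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 20_000   # PBKDF2 work factor; kept low so the demo runs quickly

# Hypothetical deployment secret. Generated here for the demo; in production
# it is created once and stored outside the database (config file, env, HSM).
PEPPER = SecureRandom.random_bytes(32)

# Ordinary salted, slow hash: everything an attacker with the DB rows can see.
def slow_hash(password, salt, iterations = ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 64,
                             OpenSSL::Digest.new('SHA512'))
end

# Per-user salt from the DB plus a server-wide key that never touches the DB.
# HMAC over the slow hash means a row is unverifiable without the key.
def peppered_hash(password, salt, pepper, iterations = ITERATIONS)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA512'), pepper,
                       slow_hash(password, salt, iterations))
end

# The record that goes into the database: salt and peppered hash only.
def store_record(password, pepper)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, hash: peppered_hash(password, salt, pepper) }
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def check(record, candidate, pepper)
  constant_time_equal?(peppered_hash(candidate, record[:salt], pepper), record[:hash])
end

# Attacker's offline attempt: run a wordlist against one dumped row using
# whatever pepper value they hold. With only the DB rows they have no pepper,
# so no candidate can match; with the pepper (full host compromise) this is
# ordinary salted-PBKDF2 cracking again.
def offline_crack(record, wordlist, pepper_guess)
  wordlist.find { |w| check(record, w, pepper_guess) }
end

if $PROGRAM_NAME == __FILE__
  rec = store_record('hunter2', PEPPER)
  words = %w[password 123456 letmein hunter2]   # constructed wordlist
  p offline_crack(rec, words, '')       # nil: DB dump only, pepper unknown
  p offline_crack(rec, words, PEPPER)   # "hunter2": pepper recovered as well
end
```

The caveats the thread raised still hold. A pepper only separates a database-only compromise (SQL injection, a stolen dump) from a host compromise; an attacker who reads process memory or the config file has it, and an attacker with a working login form can still guess online. It is also not a substitute for the work factor: `slow_hash` is what makes each guess expensive once the pepper is known. Because the pepper is applied with HMAC, rotating it requires the user's password at next login (or keeping old pepper versions); encrypting the stored hash with the pepper key instead allows re-keying without the user.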
EDIT: It looks like the guy I'm talking about only withdrew 640ish coins, so this must be someone else.
In case it isn't clear, MTGox wasn't exactly what you'd call a professional operation.
(I had this same problem)
March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.
A quick search of Google for Tibanne Co Ltd leads to Tibanne.com:
created-date: 2009-10-02 05:43:17
updated-date: 2011-05-25 15:15:09
registration-expiration-date: 2012-10-02 05:43:17
owner-name: Mark Karpeles
Does this mean Mark sold Mt. Gox to himself and in the process created a superuser account so he could manipulate the exchange to his benefit? Sounds like he could be taking a page out of the Ultimate Bet / Absolute Poker playbook.
Probably would be willing to take him at his word if the explanation of the flash crash didn't change every few hours. And/or if he and others didn't mob the guy who put in the low bid during the crash.
I suppose arbitrarily allowing someone to devalue an entire currency because of lax security procedures is technically better than evicting people out of their home.
How, exactly? I don't remember many instances of banks having security issues that dropped the value of the US dollar to 1/1750th of its value, even briefly.
I haven't seen a 'real' stock certificate in 20 years either. But stocks are actually backed by something, somebody.
Bitcoins are backed by ... a sysadmin? An algorithm?
I'm reminded of when bond trading changed - folks stopped buying the bond, and instead just bought a 'coupon' representing the interest on the bond. Whaa? Kind of like betting on the horse, instead of owning the horse I guess.
So, bet on Bitcoins all you like. But when you get burned, it's not very ingenious to complain about it.
Bitcoins are as real as grocery store coupons I guess. No, wait, grocery stores have inventory and bricks-and-mortar, so no, not that real.
It's misleading to call something as soft as a Bitcoin a 'currency'. There, no analogies at all.