"Dear Satoshi. Your dox, passwords and IP addresses are being sold on the darknet. Apparently you didn't configure Tor properly and your IP leaked when you used your email account sometime in 2010. You are not safe. You need to get out of where you are as soon as possible before these people harm you. Thank you for inventing Bitcoin."
Is it maybe because Bitcoin enthusiasts have a large overlap with monatery cranks who tend to be conspiracy theorists?
But if you have a billion dollars of gold in your basement, you should be very, very paranoid.
Even with perfect security, you'd still be a ransom target.
It might also occur to you to diversify out of the thing that puts you at risk. Maybe there's even some sort of establishment that can hold funds more securely. He should look into that.
To answer your question, actually, yes, it's almost proven to be the most effective measurement for one's safety: don't want to get hurt? Don't let people find you: get in a forest/ mountain range and hide.
Why do you believe this? The concept predates widespread use of encryption and originally applied to things like physical locks. Their "security through obscurity" approach was custom mechanisms which were easily defeated shortly after development by determined thieves. This race between security experts (in their various incarnations) and security breakers (again, in their various incarnations) has been going on since the first person tried to secure some property with something more complex than a crossbar on a door. And this race continues, even in the information age, to occur in both the physical and information realms.
Thinking about it, I guess "security through obscurity" wasn't the correct term to use in the case. What I meant was simply that: there are completely valid reasons to keep your name and/ or location unknown, both for your safety, and otherwise convenience of life.
"Or he's really right and everyone else is wrong."
added: then again, there's also something about HN's discussion structure (mainly lack of collapsing comments like Reddit has) that makes these derails get in the way much more than necessary. Reddit even has place for strings of puns without them significantly derailing the discussion.
Oh sorry what were we talking about? I thought this was the weekly "Where you should move to/away from" thread.
At close to 25 tonnes, and ~1.3m³, I'd like to see the engineering behind such a heist
I'm sure moving a couple cubic meters of gold isn't a problem if you're motivated.
But getting it out of there is fairly easy if you lack a conscience and have a van. If you had access to a slightly larger truck it would be easier still.
new favorite HN quote
If i had so many bitcoins as Satoshi Nakamoto i would certainly not store them in my basement. I'd split my private key using n:m scheme and store them in secure deposit boxes in banks.
Are they heavily guarded?
Prosecutors can be as intimidating as they wish, the government is free to use their magical NSA powers to recover the bitcoin. They can't compel someone to incriminate themselves. giving the wallet address to the prosecutor is effectively admitting to a crime, perhaps just conspiracy, but nonetheless that's self incrimination.
Go for memorization over tattooing.
What they can't do is say "only the person who committed this crime knows the password" and then force you to enter the password (since doing so would be self incrimination). It's when it's already known that you could enter the password that you can be compelled to.
Some friends of mine trade large amounts of Bitcoin on a regular basis and there's never been much of a delay withdrawing. I doubt they are going to a bank to physically take out printed keys everyday for every transaction over $10,000 or phoning 5 people to combine keys. I bet the backups are kept in a safe deposit box, the cold wallet is likely an offline system anybody can walk up to with some kind of feeble authentication judging by past Bitcoin exchange incompetence.
Many of the smaller exchanges are using Blockchain.info wallets as their hot wallet too but won't admit it.
I think that's intended to be a feature and not a bug. With Bitcoin 'third party verification' means other people no longer use a service after you've generously sacrificed your money to demonstrate their incompetence or malice.
I think they probably know already. At least if the body guards are anything to go by.
I imagine the IRS really would like to audit him if he's an American citizen, however.
Keep in mind, the IRS can audit you out of what amounts to mere curiosity. Having your net worth go up by half a billion or whatever is the sort of thing that might raise some flags and cause someone to want to verify that you haven't realized any of those capital gains, gifted any of them to someone else off the record, or some other thing.
On the bright side, Satoshi Nakamoto should be able to afford a good tax attorney. He'd be a bit nutty not to have one already, honestly.
Like if someone steals my expensive Android phone, I'm not going to find Andy Rubin and punch him. Because that ... just wouldn't make any sense.
If it was a collective of people it is(might be) more likely that one of them is incompetent(and didn't configure TOR properly) where-as if it was a single competent/careful individual there's a smaller chance of a TOR mis-configuration and resulting IP-address leak.
I don't think it lends much credence to the 'multiple entities' theory at all personally, but that's the best I could come up with. Feel free to correct.
I don't really buy the theory, but that isn't really a counter argument...
So is the guess here (assuming this is even true) that he had an email server running at home, leaked the ip, and then was attacked when someone found it?
Basically, if a webmail service doesn't pass along your IP, there would be no way for recipient networks to ever block a flood of unwanted email because they could never blacklist, say, yahoo.com.
I read something about this lately... maybe from Paul Buchheit?
I just picked the two latest I got (and redacted them) as an example.
The first one sent through GMail (SMTP I guess, not webmail) :
Received: from [192.168.1.18] (123-123-123-123...bbox.fr. [220.127.116.11])
by mx.google.com with ESMTPSA id ...
for <multiple recipients>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Received: from unknown (HELO ?192.168.0.23?) (email@example.com@18.104.22.168)
by ns0.ovh.net with SMTP;
I learned this myself recently from an article here on HN, https://news.ycombinator.com/item?id=2083798
Haven't checked it myself, just reported there by a former gmail engineer in the context of their anti-spammer efforts.
Here's a video with Mike Hearn giving a talk about spam. At the end and middle are mentions about gmail's lack of IP from sent emails, the end specifically from a network admin expressing his grievances about Google's efforts being a hindrance to law enforcement.
It is , however, standard practice for most SMTP providers to do this.
Aha, it was on reddit, and is here: https://moderncrypto.org/mail-archive/messaging/2014/000780....
Ah, and you're right, I misremembered what it said about that, indeed it says gmail does not do that. okay!
Obviously it _could_ if it wanted to, and other webmail might. But gmail does not, okay!
IP locations are kept in databases that have many limitations. Some examples of the limitations I found here in France:
- at best your ISP links your IP with the DSLAM location or simply the city for the most lazy. Sometimes there are mistakes: one of my friend living in the north of France has his IP "geolocated" in the south of France...
- lots of big corporations only give the address of their headquarters
- IP location from 3G/4G network is completely wrong 90% of the time
nycgoat on September 08, 2014, 11:49:43 PM
Is it possible that he deleted the e-mail address @gmx when he left the project and that it has been recycled? Someone else may have been able to sign up, then use the reset password feature on these other sites. It is likely that the @gmx address would have been destroyed at the conclusion of his participation in the project, as all relevant information and e-mails have been public from the beginning.
1) Satoshi finishes with Bitcoin and deletes GMX account
2) He does not delete other accounts (sourceforge, i2p, etc)
3) GMX account is recycled after x period of time
4) Person signs up for @gmx account after it is recycled
5) Passwords for other sites are reset because they still point to the @gmx e-mail address as a recovery
6) Person tries to profit by extortion and fails
This is probably the most likely scenario... and they probably don't have any of Satoshi's information because it is unlikely that any e-mails were still in the box when he re-set up the @gmx address.
"Interesting, got another forwarded email from "satoshi", from 2011 - indicates this was a hijacked account, not expired and re-registered."
Going to grab some popcorn, this might get pretty entertaining...
uh... yes, of course it is?
I'm not saying it is necessarily a good thing, especially for him personally, but it is undeniably interesting.
Why is Jack the Ripper still making headlines? Because the unknown breeds mystery, which is inherently entertaining to people.
He is Aaron Kosminski according to DNA probably.
1) A pastebin threating to dox Satoshi for 25 BTC: http://pastebin.com/7gbPi8Qr. Address has received less than .02 BTC thus far: https://blockchain.info/address/19pta6x1hXzV9F5hHnhMARYbRjux...
2) The GMX screenshots show 11k+ emails in the inbox, with one from as far back as June 2013
Edit: To respond to
Looks like "Phone 31x" under the email address, which is consistent with St Louis area code of 314.
EDIT: From the Wired article, it seems like the hacker corresponded with the Wired reporter via the email address (to prove authenticity?) and may have done the same with the Bitcoin developer as well, judging from timestamps.
The hacker gained access to the gmx.com mailbox - resets all of the third party accounts and still comes out with nothing of value?!!
1) So he has to fake an invoice to gain media buzz? I don't buy it.
2) What's in the outbox?
Except is St Louis Missouri street address and telephone number.
We're being lied to. This is fake. The street address doesn't match the post code.
The hacker created the order himself, with fake ID, fake address and doctored the timestamp.
63101 is the downtown area (right by the Arch) – not really a place most people live, but the kind of place you might get if you Googled "St Louis zip code".
Also amusingly, "198 Bruce Ave" (not Street as in the email) is right in the center of the area Google labels Ferguson, MO.
Now, after this much time since that order, that person will be the star of the next Newsweek article because they didn't want to use their real address when buying a miner.
Care to explain?
edit: the item he ordered was a FPGA in mid 2013. He's really bothering with a single $400 miner in 2013...? He doesn't have enough BTC?
That's further evidence that someone placed an order on his email with a fake address for giggles.
We suspended s_nakamoto's account 2 hours and 17 minutes after the attacker gained access to that account.
After generating a list of changes made, confirming method of attack, and identifying no serious changes to project content, the project was restored to its pre-attack state, and the compromised user account was removed from the project.
Risk to the community is believed to be low, as file content wasn't modified.
Roberto Galoppini, SourceForge.net
Buttcoin is a peer-to-peer butt. Peer-to-peer means that no central authority issues new butts or tracks butts. These tasks are managed collectively by the network. It’s like a bitcoin, but with butts instead.
I used to read it at one time, and it was actually often the voice of reason in a sea of anarcho-capitalist pipe dreams, but I don't know about its present state.
Just another day in the Bitcoin economy.
The buttcoiners seem to make light of the BFL purchase, since in their mind, the former owner has done something that many Bitcoin investors have not - made a profit off of Bitcoin.
- You can lookup orders tied to the e-mail address firstname.lastname@example.org
- You cannot lookup order tied to gibberish accounts, like email@example.com
Satoshi Nakamoto posted a status:
"Tip Jar: 19pta6x1hXzV9F5hHnhMARYbRjuxF6xbbV"
Confirmed with Photoshop myself using the imgur image links I got from this HN post.
See also: "spam chinese emails from the future?" http://forums.androidcentral.com/samsung-galaxy-s3/278777-sp...
I mean it's much safer to have real money in a bank account than to have bitcoins.
Some kid hacked the firstname.lastname@example.org mailbox, by guessing the birthdate forgot-password check on gmx.net (yes, it sounds kind of unbelievable to me as well).
He probably used this email to gain access to the SourceForge account, and wrote some juvenile texts about "buttcoin" (everything seems to have been reverted now, see https://news.ycombinator.com/item?id=8293062 ).
He also used the mailbox to gain access to Satoshi's account on p2pfoundation.ning.com, which is the same place where the "Dorian is not Satoshi" message was posted a while back when some news media thought they found SN. Then he used this account to try and pull off a "give me 25BTC or I'll release SN's dox" scam. Nobody in the bitcointalk thread seems to believe the kid actually has SN's dox, because Satoshi was clever enough not to leave personal info in that mailbox.
The kid also used the email to try and threaten the bitcointalk forum admin ("send me some coins before I hitman you" ...). The forum admin seems fine to just let it be, because no real damage has been done, it was just a kid and by now the kid and his family have been doxed, who's probably scared shitless right now realizing what sort of serious business he's been messing with.
Adrian Chen tried to mail email@example.com with some questions, and in response got a screenshot of the mailbox, "proving" it was indeed under someone else's control: https://twitter.com/AdrianChen/status/509162847130370048/pho... . There's a second screenshot of some invoice of someone ordering a bitcoin-mining device, with the address info photoshopped out--which was done badly because someone on Reddit quickly revealed part of the name and address. But that order seems partially fake, just some guy that thought it was funny to enter Satoshi's email when ordering the device.
It's assumed the kid no longer has access to the firstname.lastname@example.org mailbox. Again I didn't see these claims substantiated either.
All in all, someone smarter could have done a LOT more damage with this hack. But whoever did this really screwed it up. There might be some unintended clues about Satoshi's identity in that mailbox, but it seems like whoever got access isn't clever enough to string all that together (tying it with the research done into his identity so far). So unless the whole mailbox gets dumped somewhere, that's it, case closed?
Hanlon's Razor is instructive here.
Creating a myth and story around the creator is brilliant to ensuring future relevance. I doubt this is a planned event; however, if the Satoshi did plan it... Wow tip my hat to you sir/ma'am
..... or is it....