Slashdot: News for Nerds

Hackers Allege Mt. Gox Still Controls "Stolen" Bitcoins

timothy posted about 4 months ago | from the other-side-of-anonymity dept.

Bitcoin 228

The Verge reports that "Tokyo-based Bitcoin exchange Mt. Gox lost $400 million worth of bitcoins in February. Its management said the amount was stolen after hackers exploited a transaction bug to divert the funds, but some of Mt. Gox's users are not so sure, suggesting instead that the exchange's owners pocketed the cash. Now, facing silence from those owners about the fate of the money and the methods by which 6 percent of all of the Bitcoin in the world could have been stolen, a group of hackers claims it has broken into the bankrupted Bitcoin exchange's network to get answers. ... Forbes reports that the group gained access to the personal blog and Reddit account of Mark Karpeles, Mt. Gox's CEO. The hackers used the platforms to post a message that claimed Karpeles still had access to some of the bitcoins that he'd reported stolen. In support of the claim, they uploaded a series of files that included a spreadsheet of more than a million trades, Karpeles' home addresses, and a screenshot purportedly confirming the hackers' access to the data." (The Forbes article on which the Verge report is based.)

228 comments

This is why we can't have nice tihngs... (-1)

Anonymous Coward | about 4 months ago | (#46443849)

Hackers, hackers everywhere.

Re:This is why we can't have nice tihngs... (3, Interesting)

MRe_nl (306212) | about 4 months ago | (#46444199)

For all its faults it's still more transparent than the Federal Reserve, the European Central Bank, the People's Bank of China or the Russian Goznak. "Because when the entire world is a credit-fueled ponzi scheme, these are the kind of numbers that matter". http://www.zerohedge.com/news/2013-12-11/matter-stunning-perspective-china-money-creation-blows-us-and-japan-out-water [zerohedge.com]

LIFE IS SO AWFUL. (0, Flamebait)

Anonymous Coward | about 4 months ago | (#46444851)

Yeah, it's clearly all a ponzi scheme and the sky is collapsing around us and humans aren't making any progress and OH GOD SAVE ME FROM THE EVIL.

No, you sophomoric ideologue. Like all systems, the global money system is thoroughly corrupt - but not so corrupt that it isn't working. Bitcoin, on the other hand, is a pure ponzi scheme, because there is nothing of value being created - it's just old investors being paid with the input of new investors. Bitcoin is also extremely insecure, because it is based purely on, well, not telling anyone a secret which is written down somewhere. It's not an extra layer of protection - that's it. As a mathematician, I am embarrassed to see other mathematicians coming out in support of it.

Re:This is why we can't have nice tihngs... (1, Interesting)

NotDrWho (3543773) | about 4 months ago | (#46444389)

I think a more appropriate observation might be "Ponzi schemes, pyramid schemes, everywhere."

Stills seems like it has to be an inside job (5, Insightful)

DarkOx (621550) | about 4 months ago | (#46443857)

I tend to think it has to be an inside job, that is being run by the folks pretty high up. Any kind of really really basic accounting and inventory control should have uncovered more coins going out than the transaction register indicates. This transaction malleability issue supposedly went on for months.

Even a badly run business should have detected a problem like the time frame of weeks, whenever their next month end comes up. It would have been impossible to balance the books, unless someone was simply not doing them or cooking them.

Re:Stills seems like it has to be an inside job (0)

Anonymous Coward | about 4 months ago | (#46443875)

Hmm, let's just say if the coins were pocketed, it wouldn't surprise me in the slightest.

Re:Stills seems like it has to be an inside job (5, Informative)

delt0r (999393) | about 4 months ago | (#46443915)

Well I was on contract to fix bugs in a telco accounting system where they could only find the missing cash every 3 months when a manual audit was done. Transaction volumes were a little over 1 billion per year however, and it was only a million or so missing every 3 months.

Re:Stills seems like it has to be an inside job (4, Interesting)

rmdingler (1955220) | about 4 months ago | (#46444417)

Interesting. Missing 1/1000th of the annual billion+ transactions every quarter can be found by a manual audit, but not detected by programmed oversight?

Wait, it's those damn programmers, huh?

Re:Stills seems like it has to be an inside job (2, Funny)

Anonymous Coward | about 4 months ago | (#46444607)

MICHAEL
It's pretty brilliant. What it does is where there's a bank
transaction, and the interests are computed in the thousands a day in
fractions of a cent, which it usually rounds off. What this does is it
takes those remainders and puts it into your account.

PETER
This sounds familiar.

MICHAEL
Yeah. They did this in Superman III.

Re:Stills seems like it has to be an inside job (0)

Anonymous Coward | about 4 months ago | (#46444757)

Sounds like they were using float arithmetics. How many programmers have ever heard of a machine epsilon?

Re:Stills seems like it has to be an inside job (5, Insightful)

delt0r (999393) | about 4 months ago | (#46444827)

Financial systems I have worked on have never used floats. It's integers. Either just cents, or 10ths of a cent. Or 2 integers for dollars and cents. There are rounding rules for this sort of thing.

Re: Stills seems like it has to be an inside job (1)

Anonymous Coward | about 4 months ago | (#46445071)

If you code this scheme use floats. It will mask the crime in incompetence.

Re:Stills seems like it has to be an inside job (1)

delt0r (999393) | about 4 months ago | (#46444859)

Manual is a little strong. As in it's not like this is not all done on computers. It was dropped accounts mostly, i.e. the system would just not bill people. Other times it was failed transfers. All up it was like 11 bugs. Well we found 11 bugs and they were happy enough over a year later (another contract).

Re:Stills seems like it has to be an inside job (1)

rimcrazy (146022) | about 4 months ago | (#46444521)

".... So you are stealing?"
"No. No. No. Think of it as the little penny jar by the cash register and we just take a fraction of a penny. We just do it a lot"
"So you are taking money that does not belong to you?" "How is that not stealing?"

Re:Stills seems like it has to be an inside job (5, Insightful)

Splab (574204) | about 4 months ago | (#46443919)

Why high up? Most articles about Mt. Gox talk about lax security and bad change management.

They had half a billion dollars worth of bitcoins, a "currency" which is extremely hard to track and ridiculously easy to steal if you have the keys to the city. Stealing half a billion dollars (without being a bank) requires a truck and some heavy lifting - a developer stealing the wallets and nuking the database takes only a few seconds and very little lifting.

I find it harder to believe it took so long for someone to steal it...

Re:Stills seems like it has to be an inside job (3, Insightful)

Anonymous Coward | about 4 months ago | (#46443995)

I think the so-called 'lax security' was simply a ploy to generate plausible deniability for the fat cats at the top. There's no other reasonable explanation.

Re: Stills seems like it has to be an inside job (0)

Anonymous Coward | about 4 months ago | (#46444351)

And why not? Karpeles loved his cafe and didn't like being bothered by the bit coin business. He knew all bit coin really is is computer time for a lot of people even if it is expensive computer time now. He takes the coins and it's more or less a victimless crime. He doesn't ever have to work again, his stolen money can't be traced, and he can indulge his passions whenever and however he wants as long as he doesn't raise his profile too much. I think you're right about it being Karpeles.

Re:Stills seems like it has to be an inside job (3, Insightful)

DarkOx (621550) | about 4 months ago | (#46444905)

That would be my guess or perhaps just enable the theft in the first place by creating a culture where nobody will ask any questions being aware the documentation and logs won't exist to provide answers.

If someone in authority was making a routine habit of bypassing organizational policies, or thwarting security control, some pesky honest person might start to scrutinize their behavior and might even blow a whistle. On the other hand if there are no policies and no security control then nothing anyone does, malicious or otherwise, is going to seem strange enough to stick one's neck out over.

It happened before.. (3, Interesting)

xtal (49134) | about 4 months ago | (#46444141)

This happened a few years ago and is why I have nothing to do with Bitcoin - I lost quite a few coins, then decided it was too risky to be involved with until the exchange problem was figured out.

I am not sure why this is not more widely known, but there you go. I am not sure there is a solution to this problem.. without the involvement of traditional government.

Re:Stills seems like it has to be an inside job (2, Informative)

Anonymous Coward | about 4 months ago | (#46444267)

They had half a billion dollars worth of bitcoins, a "currency" which is extremely hard to track and ridiculously easy to steal if you have the keys to the city. Stealing half a billion dollars (without being a bank) requires a truck and some heavy lifting.

Oh come on. Here is a story [cbsnews.com] about a single person stealing about 7billions worth without Bitcoins, trucks and heavy lifting.

Re:Stills seems like it has to be an inside job (1)

Chas (5144) | about 4 months ago | (#46444749)

They had half a billion dollars worth of bitcoins, a "currency" which is extremely hard to track and ridiculously easy to steal if you have the keys to the city. Stealing half a billion dollars (without being a bank) requires a truck and some heavy lifting.

Oh come on. Here is a story [cbsnews.com] about a single person stealing about 7billions worth without Bitcoins, trucks and heavy lifting.

You apparently missed his "without being a bank" qualifier.

Do not pass go. Do not collect your 200 francs.

Re:Stills seems like it has to be an inside job (4, Insightful)

JoeMerchant (803320) | about 4 months ago | (#46444425)

I think what people miss is that they didn't have a half billion USD worth of currency when they set things up. When they set things up, BTC was trading for less than 1% of today's values, and (just speculating here) a couple of years back they probably had a small fraction of the BTC that they have today (had a few months ago, at least...). So, the half billion USD peak might have only been a hundred thousand or so when the organization started to "get serious."

When your organization's total assets are less than a year's salary of a good software engineer, odds are, you don't have a good software engineer on staff full time to make sure things like change management are happening properly. Ditto for accounting and audits.

Should they have hired up proper staff when assets started to resemble Scrooge McDuck's vault? Yep, they sure should have. Think about how long it takes to hire good people when you're looking for them. Now think about how long it takes management to start looking for good people, even when they have a clearly demonstrated need, but no immediate crisis.

Not that I trust a damn thing written about fund managers on prospectuses, but this is why people should be looking for years of experience in relevant fields in the team that manages an investment. Then, when the fund goes bust and it turns out that the prospectus was a pack of lies, some lawyers can make a little money suing the bastards until they only have their offshore accounts left to live on.

Re:Stills seems like it has to be an inside job (1)

Splab (574204) | about 4 months ago | (#46444493)

BS. Just because you are a startup doesn't mean you can't get competent programmers.

And whatever happened when the company started, doesn't change the fact that they had half a billion worth of bitcoin when they got screwed; with little to no security in place. As I said, it's more impressive that they didn't get run over before.

Re:Stills seems like it has to be an inside job (0)

Anonymous Coward | about 4 months ago | (#46444901)

If Karpeles was stealing the coins, he would have no incentive to hire anyone competent. And sure enough every report from a MtGox insider made it sound disorganized and short-staffed.

Re:Stills seems like it has to be an inside job (2)

Goaway (82658) | about 4 months ago | (#46443989)

unless someone was simply not doing them

Well the scary part is that this option is actually plausible, given the level of incompetence shown elsewhere.

Re:Stills seems like it has to be an inside job (1)

dbIII (701233) | about 4 months ago | (#46444131)

Any kind of really really basic accounting and inventory control

There is the problem. They couldn't handle the scale enough to be able to do that.

Re:Stills seems like it has to be an inside job (5, Informative)

ras (84108) | about 4 months ago | (#46444151)

Consider these Mt. Gox losses [bitcointalk.org]:

  • June 2011: seller's administrator account was hacked by an unknown process. The privileges were then abused to generate humungous quantities of BTC. None of the BTC, however, was backed by Mt. Gox. The attackers sold the BTC generated, driving Mt. Gox BTC prices down to cents. They then purchased the cheap BTC with their own accounts and withdrew the money. ... Many customers claim they have lost money from this reversion, but Mt. Gox claims it has reimbursed all customers fully for this theft. After the incident, Mt. Gox shut down for several days.
  • June 2011: Users with weak passwords on MyBitcoin who used the same password on Mt. Gox were in for a surprise after the June 2011 Mt. Gox Incident allowed weakly-salted hashes of all Mt. Gox user passwords to be leaked. These passwords were then hacked on MyBitcoin and a significant amount of money lost.
  • October 2011: Mt. Gox accidentally destroyed 2609.36304319 bitcoins.
  • July 2012: A hacker infiltrated the Mt. Gox account used by Bitcoin Syndicate, sold off the USD owned, and withdrew all balances.
  • July 2012: On July 13, 2012, a thief compromised the Bitcoinica Mt. Gox account. The thief made off with around 30% of Bitcoinica's bitcoin assets.

But for any programmer, none of this is a surprise given he hacked up an ssh server in PHP, then deployed it on a production server [ycombinator.com].

Re:Stills seems like it has to be an inside job (2, Interesting)

NotDrWho (3543773) | about 4 months ago | (#46444413)

Gee whiz, a scheme where the people at the top bring in lower-tier investors with big promises of wealth, only to pocket all the real money and run off at some point, leaving the lower level investors with nothing. Huh, where have I heard of such a scheme before?

Re:Stills seems like it has to be an inside job (0)

DrXym (126579) | about 4 months ago | (#46444505)

Never attribute to malice what can be explained by incompetence. Perhaps it was an inside job but MtGox was always a cowboy operation and it wasn't the only service to be hit with the same hack.

I wonder how many people would have had second thoughts about investing if they'd seen the corpulent greaseball [toledoblade.com] they were entrusting their money to.

Muslims (-1)

Anonymous Coward | about 4 months ago | (#46443873)

Muslims:
They're bad

Re:Muslims (0)

Chrisq (894406) | about 4 months ago | (#46444229)

Muslims:
They're bad

I admire your art of understatement.

Obvious (0)

Anonymous Coward | about 4 months ago | (#46443887)

It's obvious that MtGox itself pocketed the bitcoins, has been obvious for a long time. Proof is good, but this is no news.

Re:Obvious (0)

Anonymous Coward | about 4 months ago | (#46444441)

I've been saying that Bitcoin is nothing but a big pyramid scheme for years now. And everyone laughed at me, and fired back with diatribes about how this was a great revolution, and that Bitcoins were unhackable and here to stay, and that I just didn't appreciate economics and the beauty of this wonderful cryptocurrency.

I bet a lot of those who laughed at me are wishing they had listened now. And a lot more will be joining them soon.

Re:Obvious (0)

Anonymous Coward | about 4 months ago | (#46445123)

Any day now. All will bow to you and your wisdom. You sure showed us! In the meantime bitcoin still has value and people trade with it.

Anonymous cryptocurrency, who to trust? (4, Interesting)

Rick in China (2934527) | about 4 months ago | (#46443889)

Given how easy it would be to get away with the theft of anonymous cryptocurrency, I am surprised there aren't far more 'hacks' where exchanges rob all they can from their customers then close up shop. I know it has happened in China on much smaller scales, and I'm sure it will happen many more times, the question is who can you possibly trust with something that can be so easily disappeared.

Re:Anonymous cryptocurrency, who to trust? (5, Funny)

Anonymous Coward | about 4 months ago | (#46443903)

who can you possibly trust with something that can be so easily disappeared.

If only there was some kind of existing business that had heavy government oversight that could take care of that issue.

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46443931)

you want to trust the government, you have about the same luck. They can take your money just as easily...only it'll be legal.

Re:Anonymous cryptocurrency, who to trust? (1, Funny)

geekmux (1040042) | about 4 months ago | (#46444147)

you want to trust the government, you have about the same luck. They can take your money just as easily...only it'll be legal.

Legal?

Son, let me tell you about a little thing called taxes.

When you start paying them, I promise you'll know what legal theft is.

Re:Anonymous cryptocurrency, who to trust? (1)

jythie (914043) | about 4 months ago | (#46444641)

The person might have been talking about asset seizure as part of a criminal investigation, which after the various Silk Road arrests many have focused on as 'government theft' under the idea that money made via commission of a crime is still 'theirs'... or at minimum anything that generates a profit is inherently ethical because it shows demand and if there is demand then it must be ethical.

Re:Anonymous cryptocurrency, who to trust? (1)

Anonymous Coward | about 4 months ago | (#46444065)

What existing business has "heavy government oversight"?

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444173)

GP meant nuclear waste disposal, obviously.

Re:Anonymous cryptocurrency, who to trust? (1)

Imrik (148191) | about 4 months ago | (#46444291)

Just because it's heavy oversight doesn't mean it's effective.

Re:Anonymous cryptocurrency, who to trust? (1, Insightful)

StripedCow (776465) | about 4 months ago | (#46444217)

If everybody used bitcoins, we wouldn't need any exchanges or banks.

Re:Anonymous cryptocurrency, who to trust? (5, Insightful)

MartinSchou (1360093) | about 4 months ago | (#46444451)

No banks? How do you plan on borrowing money to buy things you can't afford outright, like a new car or a house?

Re:Anonymous cryptocurrency, who to trust? (1)

jythie (914043) | about 4 months ago | (#46444655)

That tends to be one of the holes in the anti-bank chain of thought, how to get loans. Though the more ironic group are the ones that hate banks because they foreclosed on 'their' house, setting aside that someone else paid for it.

Re:Anonymous cryptocurrency, who to trust? (1, Insightful)

rioki (1328185) | about 4 months ago | (#46444681)

Then don't buy them, simple as that.

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444755)

That's a concept that doesn't sink in until you've actually been out into the world.

Re:Anonymous cryptocurrency, who to trust? (1)

drinkypoo (153816) | about 4 months ago | (#46445037)

No banks? How do you plan on borrowing money to buy things you can't afford outright, like a new car or a house?

It's in the public interest to have people homed and transported.

It's not clear that nationalizing the loan system would be a good way to actually achieve that, but clearly letting it be private isn't working either.

not quite (0)

Anonymous Coward | about 4 months ago | (#46445153)

Banks use fractional reserve banking to make loans, Bitcoin doesn't.

Re:Anonymous cryptocurrency, who to trust? (4, Insightful)

Z34107 (925136) | about 4 months ago | (#46443921)

who can you possibly trust with something that can be so easily disappeared

No one, which is why you don't. There's no reason to keep your bitcoins in an "online wallet," or maintain a balance in an exchange, just like there's no reason to keep your life savings in PayPal.

Re:Anonymous cryptocurrency, who to trust? (5, Insightful)

Anonymous Coward | about 4 months ago | (#46444011)

Right, instead you should keep it in an offline wallet! Just like how it's smart to keep your life's savings in an actual, physical wallet!
Oh wait, no, that's fucking retarded.

This is (one of) the (many) problem(s) with bitcoin: no one can actually come up with a sane answer of how you are supposed to store it safely. Trust it to an exchange and you're basically no better off than trusting real money to a bank -- worse off, in fact, because the lack of regulations means that if the exchange takes your money and runs you're SOL, while if a bank takes your money and runs it will be reimbursed (up to a limit) courtesy of the FDIC. Keep it in an offline wallet and you can be sure that no banker can abscond with it, but now your life's savings are tied to a single, stealable object.

Re:Anonymous cryptocurrency, who to trust? (2, Interesting)

Anonymous Coward | about 4 months ago | (#46444099)

Right, instead you should keep it in an offline wallet! Just like how it's smart to keep your life's savings in an actual, physical wallet!
Oh wait, no, that's fucking retarded.

This is (one of) the (many) problem(s) with bitcoin: no one can actually come up with a sane answer of how you are supposed to store it safely. Trust it to an exchange and you're basically no better off than trusting real money to a bank -- worse off, in fact, because the lack of regulations means that if the exchange takes your money and runs you're SOL, while if a bank takes your money and runs it will be reimbursed (up to a limit) courtesy of the FDIC. Keep it in an offline wallet and you can be sure that no banker can abscond with it, but now your life's savings are tied to a single, stealable object.

Bullshit. Try keeping your life savings as cash in your house and it will both be more obvious and take up more space, though even then a creative person could still make it difficult to find so a thief would have to know it was there in the first place or else they'd miss it.

With bitcoins you can hide them even more easily. TrueCrypt a tiny thumbdrive with an extra hidden partition to put the coins in then put other shit in the main partition that people would believe you would want to hide, even if it's fictitious data. Tape it to the inside of your TV or some other device. If you want, make a copy and put it into a safe deposit box. Or print out all of the coins and stick the papers at the bottom of a box of old tax documents or some other boring stuff in the back of your closet and don't keep any digital copies, whatever. There are many ways of doing this that are infinitely better and safer than trusting an exchange and are totally viable.

Re:Anonymous cryptocurrency, who to trust? (-1)

Anonymous Coward | about 4 months ago | (#46444107)

Security through obscurity: Bitcoin's grand solution to storing your life's savings, ladies and gentlemen.

Use them! don't save them (0)

Anonymous Coward | about 4 months ago | (#46444125)

It's really that simple. You don't store 250,000 USD in cash in your home. Bitcoins are like cash. I wouldn't hold more than several thousand in USD or any other physical currency. In fact I don't trust my bank with that much cash either beyond what I'd need when I need to spend it. Obviously I do need tens of thousands sometimes. Other than that it's stored in physical assets, like houses, cars, and other things. With insurance.

Re:Use them! don't save them (0)

Anonymous Coward | about 4 months ago | (#46444197)

>Other than that it's stored in physical assets, like houses, cars, and other things. With insurance.
No you don't. You're 12 and have no money.

Re:Use them! don't save them (1)

rioki (1328185) | about 4 months ago | (#46444739)

Actually I agree with GP, only I would say more along the line of physical assets, like gold or "virtual" assets like stock. But yea, storing "cash" in any form is a bad idea.

Re:Use them! don't save them (3, Informative)

Chas (5144) | about 4 months ago | (#46444817)

"Bitcoins are like cash."

I really REALLY wish people would stop saying this.
They're not. The way the Bitcoin system works, they're more like commodities.
Granted, some businesses have allowed you to pay for things with said fractional commodities, but still. At some point, an actual cash value has to be determined before you can actually SPEND them.

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444129)

No, it's security through cryptography and replication.

Cryptography, because the wallet can be encrypted, so it's useless, even if someone finds it.

And replication: unlike a physical wallet, you can have multiple copies of your money, in as many places as you care to store them, though that doesn't allow you to spend the money more than once.

Unless you mean it's security through obscurity in the same sense that all cryptography is: the location of the key in the keyspace is so obscure that you can't guess it with low enough probability that it seems binary deterministic, either you have the key, or you can't guess the key. Is that what you meant? Because that is stretching the usual definition of "security through obscurity" pretty damn far.

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444339)

No, it's security through cryptography and replication.

Cryptography, because the wallet can be encrypted, so it's useless, even if someone finds it.

And replication: unlike a physical wallet, you can have multiple copies of your money, in as many places as you care to store them, though that doesn't allow you to spend the money more than once.

Unless you mean it's security through obscurity in the same sense that all cryptography is: the location of the key in the keyspace is so obscure that you can't guess it with low enough probability that it seems binary deterministic, either you have the key, or you can't guess the key. Is that what you meant? Because that is stretching the usual definition of "security through obscurity" pretty damn far.

And when the rootkit watches you decrypt your own bitcoin wallet to use it.. bitcoins gone.

Re:Anonymous cryptocurrency, who to trust? (4, Interesting)

Gunboat_Diplomat (3390511) | about 4 months ago | (#46444371)

Nearly 150 Breeds Of Bitcoin-Stealing Malware In The Wild, Researchers Say [forbes.com].

From the article:

"To steal the coins of users who encrypt their private keys with passwords, many of the Bitcoin stealing programs also included keyloggers designed to eavesdrop on users’ typing. Even more tricky are malware types that wait for users to copy a Bitcoin address they want to send bitcoins to into their clipboard. When the user tries to paste the address, the malware replaces it with a different string, irreversibly sending the currency to the malware operator’s wallet. That last method never sends data to a remote server, so it can be much harder to detect, SecureWorks’ researchers say. In fact, they tested a range of antivirus scanners on their malware samples and found that roughly 50% went unnoticed."

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444135)

Security through obscurity: Bitcoin's grand solution to storing your life's savings, ladies and gentlemen.

All security is based on either obscurity or verification from a third party.
Most common form of obscurity is an unknown password, like the TrueCrypt password in the example, the rest adds extra security by keeping it hidden. The most common form of third party verification would be id-cards. The bank doesn't know what you look like and trusts the id-card with verification. Very easily fooled if not nose and ear-shape is clearly visible in the photograph and even then unreliable.

Re:Anonymous cryptocurrency, who to trust? (1)

rioki (1328185) | about 4 months ago | (#46444777)

Or a fake ID card? If the prize is big enough, making fake ID cards is not that hard. In most cases the clerk only looks at the ID card and any electronic verification will (if any) be checked. (Electronic verification that phones home is the only really secure way that is almost unfoolable.)

Re:Anonymous cryptocurrency, who to trust? (3, Insightful)

MachineShedFred (621896) | about 4 months ago | (#46444775)

Tape it to the inside of your TV or some other device.

Yeah, so when they steal your TV, they get your encrypted life savings too!

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444445)

Keep it in an offline wallet and you can be sure that no banker can abscond with it, but now your life's savings are tied to a single, stealable object.

This is fixable. If you want to keep an offline wallet really secure, you can e.g. split it into a three-part XOR, and keep them in different places, so someone needs to steal all three. Or you can split it into e.g. four different three-part XORs, and store a different subset at each of four locations, so you need three of them to reconstruct the wallet, but the destruction of one of them doesn't mean the bitcoins are lost forever. Or whatever combination you like: X-out-of-Y caches required to reconstruct it, for any X <= Y.

You sacrifice convenience this way, of course, so you'd want to keep a day-to-day float in an easily-accessible wallet. But this gives you a way to secure your life savings in a way that's just not possible with a traditional currency.
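The split described in the comment above, written out as an added example (not code from the commenter or from any wallet software): for every group of X locations an independent X-part XOR split is made, which for 3-of-4 gives exactly four three-part XORs. The location names and the 32-byte sample secret are constructed placeholders.

```python
import itertools
import secrets

# Constructed 32-byte stand-in for a wallet private key (not a real key).
SAMPLE_SECRET = bytes(range(32))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(secret, parts):
    """All-or-nothing split: parts-1 random pads plus one part that XORs back to secret."""
    pads = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    last = secret
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def xor_join(parts):
    out = bytes(len(parts[0]))
    for part in parts:
        out = xor_bytes(out, part)
    return out


def distribute(secret, locations, threshold):
    """Build one cache per location.

    Every group of `threshold` locations gets its own fresh XOR split, one
    part per member. Any `threshold` caches together hold a complete split;
    fewer caches hold at most threshold-1 parts of each split, which are
    indistinguishable from random bytes.
    """
    caches = {loc: {} for loc in locations}
    for group in itertools.combinations(locations, threshold):
        for loc, part in zip(group, xor_split(secret, threshold)):
            caches[loc][group] = part
    return caches


def recover(available):
    """available maps location -> cache. Returns the secret, or None if no split is complete."""
    have = set(available)
    for cache in available.values():
        for group in cache:
            if set(group) <= have:
                return xor_join([available[member][group] for member in group])
    return None


if __name__ == "__main__":
    sites = ["home", "office", "bank", "relative"]  # hypothetical locations
    caches = distribute(SAMPLE_SECRET, sites, threshold=3)
    # One cache destroyed: the remaining three still rebuild the key.
    survivors = {s: caches[s] for s in sites if s != "office"}
    print(recover(survivors) == SAMPLE_SECRET)
    # A thief holding two caches has no complete split.
    print(recover({s: caches[s] for s in ("home", "bank")}))
```

XOR parts carry no integrity check, so a corrupted part yields a wrong key without any error; check the recovered key against the known address before relying on it.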

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46443927)

The answer is you don't, keeping 700k BTC on an exchange - what are people thinking. Do your exchange and get your money out immediately. Exchange is not your wallet where you should keep your money. As long as the BTC-s are not in your pocket you are liable to lose them.

Re:Anonymous cryptocurrency, who to trust? (0)

Anonymous Coward | about 4 months ago | (#46444353)

The answer is you don't, keeping 700k BTC on an exchange - what are people thinking. Do your exchange and get your money out immediately. Exchange is not your wallet where you should keep your money. As long as the BTC-s are not in your pocket you are liable to lose them.

If you at any time connect your bitcoin wallet to your computer you are liable to lose them. Malware you are not aware of can sit there and wait for it.

Re:Anonymous cryptocurrency, who to trust? (4, Interesting)

gox (1595435) | about 4 months ago | (#46444029)

the question is who can you possibly trust with something that can be so easily disappeared.

The answer is to never assign trust in a single point. That's the whole reason Bitcoin was designed for, and these thefts really show how backwards we are with regards to the technology we have.

Surprisingly few people actually know this, but Bitcoin addresses are actually little programs that calculate the required criteria to move money out of the "address". It's purposefully Turing incomplete. The simplest defense against malevolent or incompetent parties is to require multiple signatory entities. For instance, one could be the deposit institution itself, another party for dispute resolution (e.g. a lawyer), and finally the customer. You can require only two of three signatures to move the amount so that the customer can extract the money with the help of the arbiter even if the deposit institution disappears.

Other, more sophisticated solutions are also possible, and some of the businesses themselves can even become transparently automated. However, it seems like it won't be that easy to get there, even though the crucial technology is already available.

Re:Anonymous cryptocurrency, who to trust? (1)

pantaril (1624521) | about 4 months ago | (#46444237)

Given how easily it would be to get away with the theft of anonymous cryptocurrency, I am surprised there aren't far more 'hacks' where exchanges rob all they can from their customers then close up shop.

The answer is easy - both of our presumptions are wrong. Bitcoin is not anonymous (it's mostly pseudoanonymous, like credit cards) and it is not easy to get away with exchange robbery - it's a crime and the users/law enforcement would be after you.

Re:Anonymous cryptocurrency, who to trust? (3, Funny)

jittles (1613415) | about 4 months ago | (#46444293)

Given how easily it would be to get away with the theft of anonymous cryptocurrency, I am surprised there aren't far more 'hacks' where exchanges rob all they can from their customers then close up shop. I know it has happened in China on much smaller scales, and I'm sure it will happen many more times, the question is who can you possibly trust with something that can be so easily disappeared.

Thank you for sharing my retirement strategy with all of Slashdot you unselfish bastard. Now my plan will never work.

Beware: Wallet-stealing virus in the dump (5, Informative)

psymastr (684406) | about 4 months ago | (#46443929)

Reddit users have verified [reddit.com] via decompilation that the dump file includes a wallet-stealing executable. The executable attempts to send the wallet to a hard-coded IP address, whose ISP has been notified of this.

An executable? In a dump? (1)

SmallFurryCreature (593017) | about 4 months ago | (#46444059)

How does that work? What database dump requires an executable? All the ones I know simply create a very large human readable text file.

Who the fuck would execute an executable from a bunch of hackers who claim to have hacked a financial site related to a whole digital currency with said currency residing on the same machine as the one you are running the exe on.

And I thought people that ran kitten.scr.exe were idiots.

Re:An executable? In a dump? (4, Funny)

wonkey_monkey (2592601) | about 4 months ago | (#46444235)

And I thought people that ran kitten.scr.exe were idiots.

What a bunch of morons. I checked, Windows says I only have kitten.scr so I'm safe.

Re:Beware: Wallet-stealing virus in the dump (1)

Zontar_Thing_From_Ve (949321) | about 4 months ago | (#46444311)

Reddit users have verified [reddit.com] via decompilation that the dump file includes a wallet-stealing executable. The executable attempts to send the wallet to a hard-coded IP address, whose ISP has been notified of this.

I'm sure that the relevant authorities in Russia or China will be all over this. Or not.

Re:Beware: Wallet-stealing virus in the dump (4, Informative)

psymastr (684406) | about 4 months ago | (#46444325)

Actually it was Bulgaria, and they responded that they will take care of this.

or maybe he's the patsy (0)

Anonymous Coward | about 4 months ago | (#46443971)

Perhaps the thieves know there has to be a fall guy and it might as well be the CEO?

Free market solution (0)

Anonymous Coward | about 4 months ago | (#46443985)

Anonymous assassination contracts, payable in crypto-currency.

Re:Free market solution (0)

Anonymous Coward | about 4 months ago | (#46444287)

Silk Road's founder tried this, he hired an undercover fed.

Enough with this silly libertarian dream (0)

Anonymous Coward | about 4 months ago | (#46444027)

The silly libertarian dream was shattered and their little fetish currency fuck'd. Now let us move on with more important things in life other than talking about little fucks who had no clue about money/transactions.

Re:Enough with this silly libertarian dream (0)

Anonymous Coward | about 4 months ago | (#46444071)

Bitcoin is not the libertarian fetish currency. Libertarians fetish over using gold, silver, and bullets for currency. Libertarians fantasize about the end of the world where technology is unavailable, so naturally they would not tend toward fetishing Bitcoin.

It's not any less safe than cash (2, Insightful)

Anonymous Coward | about 4 months ago | (#46444189)

I love how people are attacking libertarians over this. Bitcoins are not designed to be a 'safe' currency. It's like cash. There is no reason this should be a problem for those who understand when, where, and how to use it. I wouldn't maintain more in a Bitcoin wallet than I would store in my real wallet. For me that would probably be a few thousand in US currency.

Like cash Bitcoins have a downside. Bitcoins fluctuate in value. US dollars lose value over time. It's also not that easy to steal. Practice good security hygiene and there is little to no risk. Don't walk down back alleys with $2,000 in your pocket and you'll probably be fine. Apply the security updates for your OS and don't run Microsoft Windows / Mac OS X and you'll probably be fine.

Anonymity has value - but Bitcoin isn't totally anonymous. Nobody who gets Bitcoins is claiming it is. It's at best difficult to trace due to the current lack of people or facilities to do this. That doesn't mean it or a derived currency won't eventually have such anonymous or pseudo-anonymous features. Zerocoin is a proposed extension to the Bitcoin payment network that adds anonymity to Bitcoin payments. It's here. It exists. It might need some peer review, some beta testing, and people to formally implement it, but we're not that far off.

Are Bitcoins a libertarian's wet dream? Almost... but it's not 100% perfect yet and I'd be skeptical of anybody claiming it is.

Re:It's not any less safe than cash (1)

Talderas (1212466) | about 4 months ago | (#46444471)

People are attacking libertarians over it because they don't know the difference between anarchist, minarchist, and libertarian. Bitcoin is the anarchist/minarchist wet dream because it completely eliminates the need for government in money. Libertarians would be, rightfully, more divided on the issue but one thing is certain that they should generally be constitutionalists. Strictly speaking, libertarians want the USD to be backed by something tangible (like gold). Many are also in favor of FDIC insurance. Both of those things are part of the powers granted to the US government to regulate the value of money.

Re:It's not any less safe than cash (0)

Anonymous Coward | about 4 months ago | (#46444945)

Utter bittard bullshit. Computer security is much more complex and difficult than physical security.

I could throw $10G in my sock drawer and it would likely sit there forever. Or I could put it in a safe-deposit box and it would sit there forever. There are no bitcoin wallet systems with those kinds of guarantees, especially for the average skilled PC user.

The article is full of errors (4, Interesting)

pantaril (1624521) | about 4 months ago | (#46444225)

The reporter probably doesn't understand what's going on at all.

1) The leaked data contains not only the mt.gox DB dump (which seems to be legit) but also the TibanneBackOffice.exe binary which is actually malware which steals bitcoin wallets. So I wouldn't trust the hackers at all, they are scammers. See http://www.reddit.com/r/Bitcoi... [reddit.com] for more details.
2) The article/the hackers claim that the mt.gox database dump shows that mt.gox should be in control of over 900k bitcoins and that it is evidence that mt.gox is lying. Well it is evidence that the article/hackers don't understand anything. From the start, mt.gox is saying that because of a transaction malleability bug, their balances in DB and their balances on their actual accounts were out of sync. This is the reason they didn't notice sooner. Their DB was showing everything was ok but in reality, their money was silently siphoned out of their accounts.
3) Karpeles (mt.gox owner) is probably staying silent because his lawyers told him so. Nothing unusual here.

Re:The article is full of errors (1)

Anonymous Coward | about 4 months ago | (#46444261)

You also forget that transaction malleability doesn't work to steal money unless there are no checks to verify that the funds even exist, basically meaning that Mt Gox just admitted that anyone at any time could have been withdrawing BTC out of their wallets without any issues due to transaction malleability, or they are using it as a bullshit excuse to run with the money.

Chaos at MtGox is underestimated (0)

Anonymous Coward | about 4 months ago | (#46445137)

This assumes that Mt Gox had a way to verify funds. It turns out from the leaked source code, that the Mt Gox wallet used the same database and PHP code as the site front end, customer management, etc.

This database was their ONLY copy of their accounts, and if it was out of sync with reality, they had no real way of finding out.

Of course, it would have been trivial to deploy a "watch wallet" to monitor their accounts, and it should still be possible to audit the transactions in and out to see if they balance (as the wallet did record incoming/outgoing transactions in the database) - but this will be difficult due to the malleability issue, as their wallet would record a transaction as failed, if a mutated version succeeded.
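The audit problem described in the comment above, as an added example that is not part of the original post and is not Mt. Gox's code: a ledger keyed on transaction id loses track of a withdrawal whose mutated form confirmed, while matching on inputs and outputs finds it. The transaction model is a simplified assumption (JSON, not real Bitcoin serialization) and all data is constructed.

```python
import hashlib
import json

def sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(tx: dict) -> str:
    """Identifier over the whole transaction, signature bytes included."""
    return sha256d(json.dumps(tx, sort_keys=True).encode())

def normalized_id(tx: dict) -> str:
    """Identifier over what is spent and who is paid, signature excluded."""
    core = {"inputs": tx["inputs"], "outputs": tx["outputs"]}
    return sha256d(json.dumps(core, sort_keys=True).encode())

def reconcile(ledger: list, confirmed: list) -> dict:
    """Classify every ledger withdrawal against the confirmed transactions."""
    seen_txids = {txid(tx) for tx in confirmed}
    seen_cores = {normalized_id(tx) for tx in confirmed}
    report = {}
    for row in ledger:
        if txid(row["tx"]) in seen_txids:
            report[row["id"]] = "confirmed"
        elif normalized_id(row["tx"]) in seen_cores:
            # Same coins to the same payee under a different txid: the
            # withdrawal was paid, and re-sending it would pay twice.
            report[row["id"]] = "confirmed-mutated"
        else:
            report[row["id"]] = "unconfirmed"
    return report

# Constructed sample data (hypothetical outpoints, addresses and signatures).
W1 = {"inputs": ["aa:0"], "outputs": [["addr_customer_1", 5000000]], "sig": "encoding-A"}
W2 = {"inputs": ["bb:1"], "outputs": [["addr_customer_2", 1200000]], "sig": "encoding-A"}
W3 = {"inputs": ["cc:0"], "outputs": [["addr_customer_3", 700000]], "sig": "encoding-A"}
W1_MUTATED = dict(W1, sig="encoding-B")   # same inputs/outputs, re-encoded signature

LEDGER = [{"id": "w1", "tx": W1}, {"id": "w2", "tx": W2}, {"id": "w3", "tx": W3}]
CONFIRMED = [W1_MUTATED, W2]              # what the block chain actually contains

if __name__ == "__main__":
    for wid, status in reconcile(LEDGER, CONFIRMED).items():
        print(wid, status)
```

A ledger that looked only for its own txid would record `w1` as failed even though the customer was paid.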

Re:The article is full of errors (-1)

Anonymous Coward | about 4 months ago | (#46444279)

Speaking of errors - You should learn to spell. McDonald's can help.

Re:The article is full of errors (1)

pantaril (1624521) | about 4 months ago | (#46444289)

Sorry, English is not my primary language and the inability to edit slashdot posts afterwards doesn't help either.

render onto series continues... let us prey (-1)

Anonymous Coward | about 4 months ago | (#46444231)

On the eve of International Ladies Day, the United Nations has launched the "He for She" campaign urging men to stand up for the rights of their mothers, sisters and daughters, while top UN officials stressed that human rights for girls and women are not a dream but a duty of all. seems a bit paltry considering our time space & circumstance?

thanks again moms

Sitting on a stack of traceable coins (5, Interesting)

Alarash (746254) | about 4 months ago | (#46444265)

There's something I don't understand. If they 'stole' the coins, they can't really trade them can they? Anyone I mean. As I understand every single transaction is tracked, so you can't really spend them without people knowing so right? Ok so you can hide your identity and whatnot, but wouldn't people know the instant these BTC are back on the market?

Re:Sitting on a stack of traceable coins (4, Informative)

codebonobo (2762819) | about 4 months ago | (#46444375)

Stolen coins can all be tracked but are still usable. There are numerous ways to make it harder to track with coinjoin, mixers, and trading back and forth between different crypto-blockchains that a thief can use to hide their assets however.

Re:Sitting on a stack of traceable coins (2)

140Mandak262Jamuna (970587) | about 4 months ago | (#46444627)

Yes, every bit of bitcoin that ever went through MtGox can be traced. Both downstream from MtGox and also upstream about where they came from. But the trouble is, all those trails start and end with the public keys of the users. You need some sort of government level power to track them from Bitcoin universe to real world.

Re:Sitting on a stack of traceable coins (1)

bill_mcgonigle (4333) | about 4 months ago | (#46444991)

You need some sort of government level power to track them from Bitcoin universe to real world.

Is tracking them necessary? Why couldn't miners set a cost-prohibitive verify price on transactions to known "stolen" addresses?

Re:Sitting on a stack of traceable coins (1)

140Mandak262Jamuna (970587) | about 4 months ago | (#46445197)

My understanding of the "mining" process is this: Mining is nothing but repeatedly verifying a block, using different randomly generated salt, till the checksum matches a predefined criterion, like so many leading zeros or something. The bitcoins awarded to the "miners" are basically fees paid to them to verify the transaction block. Bitcoin system has to create an incentive for large number of people with lots of computing power to do the drudgery work of verifying the transactions. They call it mining. But the coins "mined" by this process is very small and it mints a fresh coin and does not affect the coins already in circulation.

When a bitcoin user is already in possession of the coin the user can spend it freely. That transaction gets mingled with lots of other transactions in the block. I don't think it is feasible to "punish" one transaction in the block without hampering the others. Further it requires Bitcoin system to maintain a list of "thieves". How feasible that would be, I don't know.

If this would have happened... (1)

AndyKron (937105) | about 4 months ago | (#46444347)

If this would have happened ten years ago, things would have been different.

The Kilrathi did it. (0)

Anonymous Coward | about 4 months ago | (#46444359)

Just sayin'.

Who are you going to believe? (1)

140Mandak262Jamuna (970587) | about 4 months ago | (#46444591)

Hackers or the peddler of juvenile trading cards? Who you gonna believe?

Another explanation (1)

DaveV1.0 (203135) | about 4 months ago | (#46444779)

The hackers who stole the bitcoins generated fake evidence to show that the owners of MtGOX still control the coins, thus muddying the waters for any investigation.

Really, any "digital evidence" is suspect because it can be digitally generated and/or manipulated.

I hereby would like to just say (2)

RivenAleem (1590553) | about 4 months ago | (#46445057)

I called it.

http://slashdot.org/comments.p... [slashdot.org]

I reserve the right to call "backsies" if the current story proves false.

Anti gov't types appreciate a justice system now. (0)

Anonymous Coward | about 4 months ago | (#46445219)

I bet the Anti gov't types would appreciate a justice system now. Too bad that costs money that they're unwilling to contribute.

So? (0)

Anonymous Coward | about 4 months ago | (#46445281)

So?

Bitcoins are completely unregulated, and supposed to be outside of government regulation.

Tough luck tax dodgers.
