1 2011-06-20 00:00:03 <ketsa> if the 432k btc reached the block chain, how are they going to rollback ? i dont get it.
2 2011-06-20 00:00:30 <minixking> can someone give me a straight forward answer as to what the hashes are?
3 2011-06-20 00:00:32 <yebyen> what a bunch of winers are on this mtgox hack thread
4 2011-06-20 00:00:42 <yebyen> *whiners
5 2011-06-20 00:01:04 <kgo> ketsa, internal to mtgox, I don't think they actually send transactions to the blockchain. Only when you deposit/withdraw.
6 2011-06-20 00:01:05 <ne0futur> minixking: probably wikipedia can help you
7 2011-06-20 00:01:09 <MagicalTux> minixking: they are FreeBSD MD5 salted hashes for most, and any account that never logged in for 2 months has simple MD5 hashes
8 2011-06-20 00:01:50 <ketsa> someone linked the blockexplorer transaction so it did no ?
9 2011-06-20 00:02:13 <Lachesis> MagicalTux, why can't the code be audited?
10 2011-06-20 00:02:14 <gmaxwell> ketsa: 18:59 < MagicalTux> Kireji: it's the mtgox funds, which I moved to a secure area until things are cleared
11 2011-06-20 00:02:16 <amiller> ketsa, could you send me the link
12 2011-06-20 00:02:44 <MagicalTux> [11:02:13] <Lachesis> MagicalTux, why can't the code be audited? <- because it's too messy, the current code was written by the previous owner who has no background in terms of security
13 2011-06-20 00:02:50 <eianpsego> The attack vector used (inside compromise) sounds like a separate problem from the hash mechanism used (eg., crypt() on freebsd) - why isn't this the focus?
14 2011-06-20 00:03:10 <ketsa> gmaxwell: ah thanks
15 2011-06-20 00:03:11 <dD0T> eianpsego: ++
16 2011-06-20 00:03:26 <gmaxwell> eianpsego: because it's not something that gets public discussion.
17 2011-06-20 00:03:29 <erek> MagicalTux: they mentioned you mark, saying you're in tokyo
18 2011-06-20 00:03:31 <jlgaddis> MagicalTux: please hurry so these tradehill clowns get the fuck off this interview shit
19 2011-06-20 00:03:31 <MagicalTux> been spending half my time fixing it, half my time answering email, half my time fighting DDoS and FUD, and remaining time coding a new, more secure system
20 2011-06-20 00:03:47 <NxTitle> hell yeah 200%
21 2011-06-20 00:04:12 <eianpsego> gmaxwell, I wonder if the best mitigation to this attack is a human resources background check... :P
22 2011-06-20 00:04:12 <OVerLoRDI> MagicalTux, when you get things sorted out will you make an announcement stating when the exchange will be back online? I think it would be good if as many people as possible knew when the exchange would come online
23 2011-06-20 00:04:15 <gmaxwell> eianpsego: though I'm hoping for it being an account used for auditing by law enforcement. :)
24 2011-06-20 00:04:24 <MagicalTux> OVerLoRDI: we are updating the announcement right now
25 2011-06-20 00:04:46 <bulletbill> MagicalTux: was there a large withdrawal of BTC that happened?
26 2011-06-20 00:04:49 <MagicalTux> we'll make available a minimal interface first that will allow people to restore their account if they have enough background to prove it's theirs
27 2011-06-20 00:04:52 <Lachesis> MagicalTux, legacy code is always killer... i'm glad you're not taking this lying down, but i'm still a bit irritated at the bug. sure, security is hard, but that's no excuse for not making it a priority.
28 2011-06-20 00:05:01 <fiverawr> MagicalTux: When do you imagine the new website, that your team have written, will go live?
29 2011-06-20 00:05:05 <minixking> magical: you working on mtgox?
30 2011-06-20 00:05:16 <lianj> MagicalTux: and that no funds are gone would relief people in the announcement :)
31 2011-06-20 00:05:19 <Optimo> hey leave him alone geez
32 2011-06-20 00:05:28 <Optimo> highlighting him doesn't help
33 2011-06-20 00:05:28 <quiznor> it looks like the funds have been split up into a bunch of separate wallets with 50K each
34 2011-06-20 00:05:31 <quiznor> seems like a good idea
35 2011-06-20 00:05:55 <ius> gmaxwell: re: trojan (Bitcoin_Exploit.rar): "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
36 2011-06-20 00:06:00 <fiverawr> Optimo: Yeah. Because usually when talking to somebody, you'd face the other way.
37 2011-06-20 00:07:19 <minixking> i have a copy of the hashed password file
38 2011-06-20 00:07:32 <elnato> minixking congratulations
39 2011-06-20 00:07:39 <BTCTrader> minixking: you and half the internet ;)
40 2011-06-20 00:08:05 <minixking> from what I'm coming to understand, these damn dummies used the same password on multiple sites
41 2011-06-20 00:08:17 <Optimo> fools
42 2011-06-20 00:08:29 <minixking> so it's spreading exponentially
43 2011-06-20 00:08:31 <dD0T> minixking: Nothing new there either
44 2011-06-20 00:08:33 <Optimo> but then most people see passwords as a mere formality
45 2011-06-20 00:08:35 <rusty> http://bit.ly/cdmwSu in title is wrong: says "The requested URL /bitcoin/irc/logs/ was not found on this server." Should be http://bit.ly/iPFi3X ?
46 2011-06-20 00:09:33 <erek> they're calling MagicalTux
47 2011-06-20 00:09:35 <erek> hehe
48 2011-06-20 00:09:36 <dD0T> minixking: Depends. gmail makes all its users on that list reset their passwords.
49 2011-06-20 00:09:57 <quiznor> there must be another wallet the site uses to pay out btc withdrawals.. if anyone knows that wallet, they can check if the hacker made out with any significant amount
50 2011-06-20 00:10:12 <dD0T> minixking: Also exponentially is the wrong word here.
51 2011-06-20 00:10:15 <nuthin> erek: where?
52 2011-06-20 00:10:22 <minixking> i didnt make it out with much
53 2011-06-20 00:10:25 <erek> http://onlyonetv.com/?page_id=178
54 2011-06-20 00:10:28 <erek> they live stream
55 2011-06-20 00:10:36 <machine1> Alert: Bitcoin CIA Operation - MTGOX "Hacked" Trades Rolled Back? http://members.beforeitsnews.com/story/730/098/Alert:_Bitcoin_CIA_Operation_-_MTGOX_Hacked_Trades_Rolled_Back.html
56 2011-06-20 00:10:53 <quiznor> exponentially is the right word probably
57 2011-06-20 00:10:54 <JFK911> ddos beforeitsnews.com
58 2011-06-20 00:10:57 <luke-jr> dD0T: #Eligius
59 2011-06-20 00:11:03 <quiznor> since each person tells N people, etc
60 2011-06-20 00:11:05 <minixking> erek: i get a 503
61 2011-06-20 00:11:16 <erek> try again
62 2011-06-20 00:11:21 <Optimo> machine1, I'm thoroughly convinced that link is trash
63 2011-06-20 00:11:31 <dD0T> luke-jr: https://en.bitcoin.it/wiki/Eligius I take it?
64 2011-06-20 00:12:31 <TheSeven> MagicalTux: do you know at which point in time the dump was taken? i can tell that it must have been fairly recently as it already included my new password
65 2011-06-20 00:13:19 <quiznor> can anyone give me a recent transaction where they withdrew btc from mtgox
66 2011-06-20 00:13:27 <vrs> enough time to allow somebody to crack the password of an account with a lot of BTC
67 2011-06-20 00:13:56 <vrs> several hours at least? (assuming a not-too-weak password)
68 2011-06-20 00:14:02 <NxTitle> MagicalTux: how much in the way of BTC did they get out? what price?
69 2011-06-20 00:14:03 <luke-jr> dD0T: yes
70 2011-06-20 00:14:05 <quiznor> vrs: a few hundred were cracked and then posted
71 2011-06-20 00:14:09 <TheSeven> MagicalTux: must have been after 2011-06-16 12:00 UTC
72 2011-06-20 00:14:14 <vrs> quiznor: yes, the easy ones
73 2011-06-20 00:14:32 <vrs> but i doubt somebody with >100kbtc has such an easy pw
74 2011-06-20 00:14:48 <vrs> if they have, well...
75 2011-06-20 00:14:58 <bulletbill> MT still didn't answer whether large amounts of coins were withdrawn
76 2011-06-20 00:15:00 <upb> oh so mtgox wasn't hacked, their SECURITY CONSULTANT got rooted ?!
77 2011-06-20 00:15:05 <vrs> yes
78 2011-06-20 00:15:26 <min0r> Does anyone know what happens if you send bitcoins to an address that DOESN'T EXIST? (i.e. a typo in an address i sent to?)
79 2011-06-20 00:15:37 <Lachesis> min0r, if it passed the checksum validation
80 2011-06-20 00:15:39 <Keefe> bulletbill: he did say earlier: 100 btc
81 2011-06-20 00:15:39 <Lachesis> they're gone
82 2011-06-20 00:15:39 <vrs> they sit there until the day comes
83 2011-06-20 00:15:42 <MagicalTux> NxTitle: they didn't get much BTC out, which is great
84 2011-06-20 00:15:47 <NxTitle> min0r: they're checksummed so it's tough to accidentally typo
85 2011-06-20 00:15:52 <NxTitle> MagicalTux: ah, kk
86 2011-06-20 00:15:53 <vrs> or some lucky bastard gets a key that matches the address
87 2011-06-20 00:15:58 <min0r> i see...
88 2011-06-20 00:16:01 <quiznor> is 100 btc the withdrawal limit?
89 2011-06-20 00:16:13 <luke-jr> jgarzik: do you have e-wallet services yet? I've had a number of people on Eligius looking for one that works properly
90 2011-06-20 00:16:21 <min0r> but if you typo it... can you create that address somewhere before someone else does ?
91 2011-06-20 00:16:22 <vrs> MagicalTux: is there a btc withdrawal limit too?
92 2011-06-20 00:16:23 <NxTitle> yeah, people were questioning whether they got out $1000 @ 17 or $1000 @ 0.01
93 2011-06-20 00:16:28 <luke-jr> min0r: it's not possible
94 2011-06-20 00:16:30 <NxTitle> vrs: yes
95 2011-06-20 00:16:36 <NxTitle> $1000 worth of BTC is max
96 2011-06-20 00:16:43 <MagicalTux> vrs: the btc withdrawal limit saved us
97 2011-06-20 00:16:44 <slush> anybody else noticed sudden withdrawals from mybitcoin.com ?
98 2011-06-20 00:16:46 <quiznor> yeah but that's dollar denominated
99 2011-06-20 00:16:54 <luke-jr> MagicalTux: saved whom?
100 2011-06-20 00:16:55 <min0r> luke-jr: what's not possible? the odds of typing a valid address?
101 2011-06-20 00:16:57 <slush> I received email that my balance was sent to some unknown address...
102 2011-06-20 00:16:58 <quiznor> so you can only withdraw 100 btc per day
103 2011-06-20 00:17:01 <Keefe> there should be another limit, denominated in btc
104 2011-06-20 00:17:01 <MagicalTux> luke-jr: mtgox, and everyone else I guess
105 2011-06-20 00:17:02 <luke-jr> min0r: pretty much
106 2011-06-20 00:17:07 <min0r> ok np
107 2011-06-20 00:17:09 <slush> ...and I didn't use the same login/password as on mtgox ;)
108 2011-06-20 00:17:16 <jrabbit> What ever happened to collective invalidation of the chain?
109 2011-06-20 00:17:24 <vrs> MagicalTux: is it a per-account limit? could you circumvent it by intra-mtgox-transactions and withdrawing from sockpuppet accounts?
110 2011-06-20 00:17:26 <luke-jr> MagicalTux: just saying, a revert means I lose ~$1000; so didn't save me :P
111 2011-06-20 00:17:32 <jrabbit> i.e. restoring that guy's stolen wallet or similar hijinks?
112 2011-06-20 00:17:32 <quiznor> didn't the hacker check how much he can withdraw first
113 2011-06-20 00:17:36 <min0r> anyone worried that someone has over 50% of the mining hash power??
114 2011-06-20 00:17:41 <ius> gmaxwell: btw, that autoit stealer is more than just bitcoin
115 2011-06-20 00:17:42 <MagicalTux> vrs: they tried to do it, but I shut down mtgox before anything major happened
116 2011-06-20 00:17:43 <luke-jr> min0r: yep
117 2011-06-20 00:17:46 <min0r> we jumped from 6Ghash to 8Ghash in a few days
118 2011-06-20 00:18:00 <MagicalTux> min0r: and back to 6Gh since miners are busy cracking passwords ?
119 2011-06-20 00:18:00 <vrs> MagicalTux: ah, they weren't stupid then
120 2011-06-20 00:18:01 <ius> gmaxwell: Also steals chrome. ff and filezilla password caches
121 2011-06-20 00:18:02 <nuthin> gmaxwell: it seems scrypt doesn't return a fixed output size, like bcrypt
122 2011-06-20 00:18:11 <vrs> but they probably didn't plan it
123 2011-06-20 00:18:17 <jburkle> Newbie question on testnet-in-a-box. After doing everything in the README, the bitcoin daemon in datadir=2 does not appear to have an account. How do I give it a new account?
124 2011-06-20 00:18:23 <MagicalTux> vrs: they started moving funds to randomly created accounts, but I stopped mtgox before they actually withdrew anything
125 2011-06-20 00:18:36 <vrs> after they ran into the withdrawal limit?
126 2011-06-20 00:18:39 <Keefe> so they weren't stupid, just slow :/
127 2011-06-20 00:18:57 <vrs> that would imply they never moved large sums via mtgox
128 2011-06-20 00:19:10 <vrs> or they would have known
129 2011-06-20 00:19:12 <gmaxwell> nuthin: iirc it can return any size you want, so you can use it as a stream cipher source.
130 2011-06-20 00:19:12 <Keefe> they won't make the same mistakes next time
131 2011-06-20 00:19:34 <Lachesis> Keefe, *a moment of reflective silence*
132 2011-06-20 00:19:42 <nuthin> hmm, k
133 2011-06-20 00:19:45 <Lachesis> let's try to be ready for next time
134 2011-06-20 00:19:52 <common_> MagicalTux: so the latest official message means, that mtgox won't be back before 8am GMT, which is in about 5h40min?
135 2011-06-20 00:20:10 <quiznor> so the hacker probably made out with around 5,000 btc and probably still has access to a good # of accounts (after resetting the email to something they control)
136 2011-06-20 00:20:12 <nuthin> I just tried out the demo utility they made and doesn't have many options
137 2011-06-20 00:20:15 <vrs> MagicalTux: did the audit person have read access to the transaction database? why did they have access to the production database anyway?
138 2011-06-20 00:20:39 <Optimo> it's an opportunity to tell part of your story, Mark. most people don't even know you took this over from a previous entity
139 2011-06-20 00:20:54 <vrs> so, is there a possibility that somebody can link bank transactions (names etc) to accounts?
140 2011-06-20 00:20:56 <Optimo> not an excuse, but at least it lowers some of the mystery
141 2011-06-20 00:20:57 <briareus> LOL "Bitcoin is for ordinary people, it's not just for criminals!" <--- Hahahaha
142 2011-06-20 00:21:05 <nuthin> :D
143 2011-06-20 00:21:10 <upb> MagicalTux: why did you send your helpdesk guy to the interview ?:P
144 2011-06-20 00:21:17 <erek> MagicalTux: thank you for your help
145 2011-06-20 00:21:22 <MagicalTux> upb: because I'm busy fixing stuff
146 2011-06-20 00:21:27 <upb> aha
147 2011-06-20 00:21:39 <jlgaddis> ...and answering questions from every idjit on irc
148 2011-06-20 00:21:46 <nuthin> o/
149 2011-06-20 00:21:47 <evolute> upb: they said it's because MagicalTux's 1st language isn't english
150 2011-06-20 00:21:54 <MagicalTux> evolute: that too
151 2011-06-20 00:21:58 <erek> MagicalTux: B???LhF
152 2011-06-20 00:22:02 <fiverawr> I think his first language is PHP
153 2011-06-20 00:22:07 <nuthin> hhaha
154 2011-06-20 00:22:08 <upb> lol
155 2011-06-20 00:22:30 <Keefe> slush: i don't use mybitcoin. i got a bad feeling about them long ago
156 2011-06-20 00:23:02 <slush> Keefe: same here, actually I lost 0.5BTC, which is not _so_ bad
157 2011-06-20 00:23:26 <slush> but I'm just curious if someone cracked my account or it is some wide major attack
158 2011-06-20 00:23:33 <quiznor> hackstack
159 2011-06-20 00:24:49 <dehuman> slush: you use same password on mybitcoin as mtgox?
160 2011-06-20 00:24:49 <kika_> MagicalTux: when mtgox will be back how many more hours?
161 2011-06-20 00:24:55 <slush> no
162 2011-06-20 00:25:05 <Optimo> gmail really needs sort my attachment size