It’s been an amazing week in bitcoin news. We’ve seen continued development and innovation within the BT economy:

We’ve also seen an upswing in security issues:

But the most bombass (bitcoin) news has been the hack, crash, shutdown and leaked database of the largest USD/BT exchange, MtGox:

via wikipedia

MtGox is a prime target for espionage, so it’s no surprise they got hit. But what went wrong? How bad is the damage? What do investors and developers need to know? The MSM has responded with the usual uninformed hysteria. We’ve got the full story and analysis. Keep going for the realness…

Recently there have been increased reports of MtGox accounts being hacked. On Saturday MtGox owner, MagicalTux, responded that some accounts were “hacked” via a legitimate username and password and that MtGox would “assume no responsibility should your funds be stolen by someone using your own password.” But that same day various users reported that they had discovered a “massive CSRF vulnerability”. Although CSRF vulnerabilities are somewhat difficult to exploit, they allow for potentially devastating attacks. MtGox quickly fixed the problem, but it remains unclear how long this vulnerability existed and what data may have been compromised.

The next day, Sunday, 20:00 UTC the MtGox market crashed precipitously from around $15 down to $.01 per BT. There was no apparent reason for the selloff, as approximately 400,000BT flooded the market. For a short time “lucky” buyers scooped up bitcoins at amazing prices, while a few panicked sellers dumped their assets. MtGox soon closed down the market and locked customers out of their accounts.

Around the same time as Sunday’s selloff the following message was posted on pastebin:

I have hacked into mtgox database. Got a huge number of logins password combos.

Mtgox has fixed the problem now. Too late, cause I’ve already got the data.

Will sell the database for the right price.

Send your offers to:

gfc06@hotmail.com

Soon after this message was posted, someone publicly dumped the MtGox database and thus published every customers’ username, email and encrypted password. In short, MtGox had an absolutely miserable weekend.

At this time MtGox remains closed as they assess damages and improve security. They plan to reopen customer accounts for withdraw/deposit on June 25th 15:00 UTC. They will reopen the market an hour later with all transactions rolled back to before the selloff. Customers are required to reset their passwords before they can “reclaim” their account. Click here for MtGox’s official updates.

While MtGox has not addressed concerns about earlier hacks or the CSRF vulnerability, they had no choice but to acknowledges that their database was leaked. So obviously some joker(s), whom we’ll refer to as GFC06, gained at least read-only access to the MtGox database at some point. Database hacks are typical of a SQL Injection on a stupid insecure website (eg. Sony). But MtGox denies reports of SQLI claiming instead that an auditor’s computer was “compromised”:

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

This is a subtle but potentially important difference to technology-minded investors who might be willing to forgive a basic human error more than a basic computing error.

But regardless of the causes, a leaked database is a fundamental security breach. MtGox’s explanation of a “compromised computer” only raises more questions. Who is this auditor? Why would they need access to customers’ emails and passwords? How and when was their computer compromised? Was the CSRF vulnerability exploited in this attack? If MtGox is found negligent in securing their accounts and database, then they could be liable for an unknown number of hacked accounts. It’s possible that peeps have been exploiting the CSRF vulnerability for some time on a small enough scale to avoid being discovered. But, once GFC06 obtained a copy of the database, they had easy access to 61,020 MtGox accounts.

Although the passwords in the database are encrypted, stupid passwords are easily decrypted. As “bitsalame” so eloquently explains:

I am currently cracking the leaked password file just for fun and because I am curious.

Guess what?

1) Hundreds of accounts with their usernames as passwords.

2) Hundreds of accounts with the password “123456″

3) Hundreds of accounts with the password “testtest”

4) Hundreds of accounts with the password “bitcoin”

Are you guys STUPID?

TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:

YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

MtGox now requires strong passwords.

MtGox also admits that older passwords, sometimes containing large BT, were insecurely encrypted with an outdated md5 hashing algorithm. But even strong passwords encrypted with modern hashes can be cracked given enough time. Once the database leaked, it was game over for MtGox.

(note: md5 = no longer secure)

The leaked database is obviously a security concern for MtGox customers. Please be aware:

MtGox claims that only $1000 in BT was stolen in the big selloff:

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

But this figure seems to ignore reports that customers who bought (stolen) BT at rock bottom prices were able to withdraw their BT before the shutdown. In addition, if customers’ accounts were previously compromised through CSRF exploits or cracked passwords, then the total amount stolen could be much larger than $1000. The wild boyz in the MSM are pushing the story that $9,000,000 in BT was stolen (eg. herehere and here) but these fools provide no reliable reference for that number. I can only assume they’re approximating the value of the 400,000BT involved in the selloff, but again MtGox claims that a withdraw limit capped those losses at $1000. It’s probably impossible to accurately assess the total financial damages until MtGox reopens and customers check their accounts.

While MtGox’s security breach is particularly biting to a bitcoin community that values privacy and security, there is nothing exceptional about MtGox getting hacked. We’ve seen the unhackable get hacked (eg. the CIA), databases leaked all over (eg. Sony) and sometimes millions of dollars disappeared (eg. Citibank). Security is perhaps the most difficult aspect of internet development. People fuck up, CSRF is tricky and it’s difficult to keep up with the latest hash techniques. MtGox has been running 24/7/365 for almost a year nonstop. An informal post by jed, the previous owner of MtGox, paints a company overwhelmed by its success, understaffed and led by a frazzled MagicalTux:

Things have been very hectic with mtgox since MagicalTux took over. He has simultaneously been trying to fend off persistent ddos attacks, hire more staff, deal with the huge increase in users, improve the code to support the much larger trade volume, ensure regulatory compliance and deal with various security issues. Obviously things haven’t gone as smoothly as we would like but we can see the light at the end of the tunnel with more people being hired and the backend changes done. MtGox will hopefully be able to regain your trust in the coming weeks.

There have been many vocal critics of MtGox but also many loyal customers. If the financial damages are indeed minimal, then MtGox will probably survive.

Shortly after MtGox closed, their main competitor, Trade Hill, also shut down as a precaution in case customers needed to update their passwords. Trade Hill has already reopened and their volume is unsurprisingly up. Almost immediately after GFC06 exposed MtGox’s email list, each MtGox customer received spam containing the following “helpful” advice:

For a more secure alternative to Mt Gox, the community appears to be moving to TradeHill. So this is no reason to lose faith in Bitcoin itself. It must be seen as a warning that not every website can be trusted with your data however!

Hooray for the free market! (Booooo spam.)

Of course the bitcoin network itself is still secure. The overall bitcoin market has been relatively stable. Domestic and international markets are currently trading around $15 per BT. However, MtGox customers remain anxiously awaiting access to their accounts and, when MtGox finally reopens, nobody knows what will be unleashed.

The MSM has exploited this uncertainty with the usual misinformation and sensationalism designed to denigrate bitcoin and promote the statist agenda. For example, Shawn Drew calls for “regulation” and “a large enough body [that] can create a secure Internet currency with their assurances that they won’t manipulate the price.” But it’s unclear what exactly should be “regulated” in this situation. MtGox discovered a security breach so they shut down to fix it. No regulation required. If Mr. Drew considers this a “crime”, then he should be happy to hear that MagicalTux snitched to the Feds. I was naturally disappointed that state violence would be introduced into a fundamentally peaceful market. However, I understand that not contacting the Feds could bring that violence directly upon MagicalTux. Also, if Mr. Drew wants a “large body” to “secure” his currency with “assurances” of honesty, he should look no further than the USD. The USD is guaranteed by an international banking cartel who assure the world that they’re not manipulating anything, while they finance violence, destroy our economies and enslave the people with debt. Don’t be fooled by shoddy, demagogic journalism. Bitcoin rules. The fed drools.

Despite the hatas, this debacle could ultimately help the bitcoin economy. MtGox will emerge humbled but more secure. Tradehill will see an upswing in users. The market will benefit from competition and decentralization. Hopefully, investors and developers will have learned something.

Since the bitcoin economy is essentially based on information, those with the best information always win. In this case the best information was knowledge of CSRF and the worst was choosing your username as your password. The selloff was a whistleblower alerting MtGox to major issues and waking up sleepy investors.  Good Morning! MtGox is about to reopen. Keep that BT close to your heart, homies….

Thanks for reading. Please let me know about any mistakes. What’s the best nation? BT doNation: 17qz8a1YRZmJ19xTjdaKXxSXFNVBgFM4sq

6 Responses to “Bitcoin Watch: MtGox Down”

  1. I’ve no love for dragging a debate across two articles, but hey, why not! Oh, and MTGOX put off their reopening for another day. Trading will now start at GMT 4:00 on the 25th.

    I appreciate the article, as I did learn a few things about the incident that I didn’t know before. However, the crux of my argument remains unchanged. If Bitcoin wants to be taken seriously as a currency, in more than just strange online transactions and black markets, it will need a certain amount of regulation to gain wide acceptance. Wild fluctuations in a currency’s price, like what has happened over the past few months, will only serve to drive people out of the currency.

    I’ve no love of the U.S. government, but certain regulations are a good thing, as they prevent financial catastrophes, like what could have happened if the MTGOX hacker was more patient. Banking and Exchange regulation not only prevent criminals (as much as anyone can) from preying on normal people, but prevent human reactions from tanking the economy. For example, the FDIC prevents bank runs, and a host of regulations ensures that the US exchanges provide a fair playing field.

    Of course, people still find ways to mess with the system, sometimes even using regulation (or half-regulation) to steal. But removing these rules wouldn’t make these people change a single thing, it would just make their evil actions perfectly legal. Claiming that without the rules people wouldn’t try to manipulate the markets is just fantasy.

    Bitcoin has had a nice, er, well, interesting run over the past few weeks, but it has little chance of becoming a long-term currency. As more and more issues with the security of the currency and the openness of the exchange comes to light, fewer and fewer people will be willing to take the risk by investing real money into Bitcoins, and the price will plummet back to pre-2011 levels.

    • I don’t understand your general call for regulation in this situation. What would you have had regulated?

      If someone had willing sold off 400,000BT, then that’s their choice even if it’s a bad investment decision. Lots of people were happy to scoop up BT at $.01. There’s no reason for the goverment to prohibit these transactions. If MtGox wants to control market fluctuations, that’s their choice. But competition presents a disincentive to regulate. Instead MtGox has dark pools to provide a smarter alternative for the big seller.

      Apparently, the selloff was the result of a security breach. Obviously, MtGox has a responsibility to keep their site secure regardless of regulation. It’s a fool errand to “regulate” security, since security develops faster than bureaucracy. Instead the govt distributes security notices and tries to prosecute hackers. This type of “regulation” already exists and covers the entire internet including bitcoin.

      The problem is not a lack of regulation but a lack of competition. MtGox was the PRIMARY bitcoin exchange and therefore a huge target. Every other market has learned from MtGox’s mistakes. Customers fleeing to other markets will decentralize the market and therefore minimize the risk from market attacks. This type of security develops naturally due to internet and market forces….

      Ultimately, it’s not even possible for any govt to regulate an international bitcoin market with a low barrier to entry….

      I don’t understand why you hold up the united states financial system like some kind of ideal. The system is deeply corrupt and dysfunctional. The “regulations” are written by the banking cartel to promote their own interests, not the interests of the public. If you want MtGox to become the next Goldman-Sachs, then coooool… But that’s certainly not what I want.

      Investors have a choice. If they want regulation and corruption, then stick with the dollar. If you want fairness, freedom and the risk associated with it, then choose bitcoin.

      • Didn’t mean to suggest that regulation would have prevented this particular situation, although market security regulations may have require passwords that weren’t “password,” which would have made things more difficult.

        Again, our difference come down to how we think markets are best served. I appreciate the free market argument, and it’s difficult to argue against freedom, but I feel that without a sense of security and fairness, the average investor won’t come near a market. Without common acceptance, the Bitcoin will remain an odd Internet currency that is occasionally useful, as long as you have dollars to pay the rent and electricity.

        I agree that no government can regulate the Bitcoin, and that the central authority that issues the currency refuses to, however, I think that this will result in the long-term depreciation of the currency as fewer and fewer people accept it.

        I don’t hold the dollar in any excessively high esteem, and generally think that the move from the gold standard was a terrible decision for the middle class and the poor (worked out pretty well for the rich, but most things do…). However, the dollar is recognized and accepted around the world, not just because of American Imperialism, but because foreign banks and governments know that the Fed will protect the value of the dollar in a catastrophe. This isn’t saying that the Fed is some great agency or a boom to America, but given the choice between a controlled currency and an uncontrolled one, I’ll take the controlled one.

        And suggesting that the Bitcoin can’t be corrupt is not even close to true. It’s been worthless for most of its existence, so there has been little reason to game the system, but I guarantee that within the next year there will be a corruption story coming from either the Bitcoin markets or the Bitcoin central authority.

  2. @Shawn Drew, it seems to me that as more people use BT, and as the traded daily volume increases, the the fluctuations in exchange rate will become smaller. My guess is they’ll be subject to the central limit theorem. This increased stability will encourage yet more people to start trading BT, causing a positive feedback effect.

    And as for freedom vs security:

    “Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.” — Ben Franklin

  3. @Shawn, also, what pray tell, is the “Bitcoin central authority”? Bitcoin itself is P2P as far as I know. The whole point of bitcoin is that it’s decentralized.

  4. “The dollar is recognized and accepted around the world … because foreign banks and governments know that the Fed will protect the value of the dollar in a catastrophe.”

    Since the inception of the Fed, the dollar has lost about 95% of its value. So, the Fed has absolutely failed to “protect the value of the dollar.”

    I think it’s more accurate to say that the Fed subsidizes banks and foreign governments at the expense of the american public.

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

© 2011 ∅ empty set Suffusion theme by Sayontan Sinha