jm + bitcoin   36

Breaking open the MtGox case, part 1
Earlier today news broke of an arrest in Greece of a Russian national suspected of running a large-scale money laundering operation focused on Bitcoin. The man has since been publicly identified as Alexander Vinnik, 38, and over $4 billion USD is said to have been trafficked through the operation since 2011. We won't beat around the bush with it: Vinnik is [WizSec's] chief suspect for involvement in the MtGox theft (or the laundering of the proceeds thereof).
mtgox  theft  bitcoin  fraud 
12 weeks ago by jm
Global ‘Wana’ Ransomware Outbreak Earned Perpetrators [just] $26,000 So Far
As thousands of organizations work to contain and clean up the mess from this week’s devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what’s being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam.
money  fraud  ransomware  wana  brian-krebs  bitcoin  cryptocurrency  viruses 
may 2017 by jm
Reddit Users Lose Real Money After Meme Currency Bot Dies
dogetipbot runs out of money in another cryptocurrency omnishambles. 'Very lies, such betrayal, WOW.'
bitcoin  reddit  doge  dogetipbot  bots  memes  ffs  shambles  dogecoin 
may 2017 by jm
Mt. Gox had a chair worth $28,000
According to the bankruptcy documents, one of the assets listed is 'a chair worth 2,902,119JPY, or roughly $28,000USD.'
chairs  funny  mtgox  scams  bitcoin  furniture  assets  bankruptcy 
october 2016 by jm
Exit Scam Survival Guide : Buttcoin
Bitcoin lols:
Honesty is most important. Be sure to carefully explain that (excluding the mountain of evidence to the contrary) there was no way to foresee the [Bitcoin] exchange hacking. Practice phrases like, "this operation was the most trustworthy exchange running out of a vacant building in Singapore" and "no we can't just call the exchange, they don't have a phone number". If your significant other criticizes your decision to buy cryptocurrencies, be sure to fall back on technical merits of cryptocurrencies. Mention, "it's backed by math" and "[insert cryptocurrency here] didn't fail, people failed".
bitcoin  buttcoin  lol  funny  cryptocurrency  security  exchanges 
august 2016 by jm
A poem about Silicon Valley, made up of Quora questions about Silicon Valley

Why do so many startups fail?
Why are all the hosts on CouchSurfing male?
Are we going to be tweeting for the rest of our lives?
Why do Silicon Valley billionaires choose average-looking wives?

What makes a startup ecosystem thrive?
What do people plan to do once they’re over 35?
Is an income of $160K enough to survive?
What kind of car does Mark Zuckerberg drive?

Are the real estate prices in Palo Alto crazy?
Do welfare programs make poor people lazy?
What are some of the biggest lies ever told?
How do I explain Bitcoin to a 6-year-old?

Why is Powdered Alcohol not successful so far?
How does UberX handle vomiting in the car?
Is being worth $10 million considered ‘rich’?
What can be causing my upper lip to twitch?

Why has crowdfunding not worked for me?
Is it worth pre-ordering a Tesla Model 3?
How is Clinkle different from Venmo and Square?
Can karma, sometimes, be unfair?

Why are successful entrepreneurs stereotypically jerks?
Which Silicon Valley company has the best intern perks?
What looks easy until you actually try it?
How did your excretions change under a full Soylent diet?

What are alternatives to online dating?
Is living in small apartments debilitating?
Why don’t more entrepreneurs focus on solving world hunger?
What do you regret not doing when you were younger?
funny  tech  poetry  silicon-valley  humour  bitcoin  soylent  2016 
april 2016 by jm
Tahoe LAFS accidentally lose Bitcoin wallet with loads of donations in it, get it back
But ECDSA private keys don't trigger the same protective instincts that
we'd apply to, say, a bar of gold. One sequence of 256 random bits looks
just as worthless as any other. And the cold hard unforgeability of
these keys means we can't rely upon other humans to get our money back
when we lose them. Plus, we have no experience at all with things that grow in value by
four orders of magnitude, without any attention, in just three years.

So we have a cryptocurrency-tool UX task in front of us: to avoid
mistakes like the one we made, we must either move these digital
assets into solid-feeling physical containers, or retrain our
perceptions to attach value to the key strings themselves.
backups  cryptography  bitcoin  cryptocurrency  ecdsa  private-keys  ux  money 
march 2016 by jm
How To Implement Secure Bitcoin Vaults
At the Bitcoin workshop in Barbados, Malte Möser will present our solution to the Bitcoin private key management problem. Specifically, our paper describes a way to create vaults, special accounts whose keys can be neutralized if they fall into the hands of attackers. Vaults are Bitcoin’s decentralized version of you calling your bank to report a stolen credit card -- it renders the attacker’s transactions null and void. And here’s the interesting part: in so doing, vaults demotivate key theft in the first place. An attacker who knows that he will not be able to get away with theft is less likely to attack in the first place, compared to current Bitcoin attackers who are guaranteed that their hacking efforts will be handsomely rewarded.

private-keys  vaults  bitcoin  security  crypto  theft 
february 2016 by jm
How to Spot Bitcoin Inventor Satoshi Nakamoto | MIT Technology Review
Emin Gün Sirer pours cold water on the "Craig Wright is Satoshi Nakamoto" theory
satoshi-nakamoto  bitcoin  anonymous  nom-de-guerre  crypto 
december 2015 by jm
Marvin.ie: Order Takeaway Food Online
new Dublin delivery service takes Bitcoin?!
bitcoin  food  delivery  takeaway  payment  ireland  dublin  wtf 
october 2015 by jm
GitTorrent
'A Decentralized GitHub'. nifty
distributed  git  github  bittorrent  bitcoin  gittorrent  dvcs 
may 2015 by jm
murbul comments on The security issue of Blockchain.info's Android Wallet is not about system's entropy. It's their own BUGs on PRNG again!
I was in the middle of writing a breakdown of what went wrong, but you've beat me to it.
Basically, they have a LinuxSecureRandom class that's supposed to override the standard SecureRandom. This class reads from /dev/urandom and should provide cryptographically secure random values.
They also seed the generator using SecureRandom#setSeed with data pulled from random.org. With their custom SecureRandom, this is safe because it mixes the entropy using XOR, so even if the random.org data is dodgy it won't reduce security. It's just an added bonus.
BUT! On some devices under some circumstances, the LinuxSecureRandom class doesn't get registered. This is likely because /dev/urandom doesn't exist or can't be accessed for some reason. Instead of screaming bloody murder like any sensible implementation would, they just ignore that and fall back to using the standard SecureRandom.
If the above happens, there's a problem because the default implementation of SecureRandom#setSeed doesn't mix. If you set the seed, it replaces the entropy entirely. So now the entropy is coming solely from random.org.
And the final mistake: They were using HTTP instead of HTTPS to make the webservice call to random.org. On Jan 4, random.org started enforcing HTTPS and returning a 301 Permanently Moved error for HTTP - see https://www.random.org/news/. So since that date, the entropy has actually been the error message (turned into bytes) instead of the expected 256-bit number. Using that seed, SecureRandom will generate the private key for address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F 100% of the time. Ouch. This is around the time that address first appears, so the timeline matches.
I haven't had a thorough look at what they've replaced it with in the latest version, but initial impressions are that it's not ideal. Not disastrous, but not good.


Always check return values; always check HTTP status codes.
bugs  android  fail  securerandom  random  prng  blockchain.info  bitcoin  http  randomness  entropy  error-checking 
may 2015 by jm
32-bit overflow in BitGo js code caused an accidental 85 BTC transaction fee
Yes, this is a fucking 32-bit integer overflow. Whatever software was used, it calculated the sum of all inputs using 32-bit variables, which overflow at about 20 BTC if signed or 40 BTC if not. The fee was supposed to be 0xC350 = 50,000 satoshis, but it turned out to be 0x2,0000,C350 = 8,589,984,592 satoshis.
Captains of the industry. If they were captains of any other industry, like say for example automotive, we'd have people dying in car crashes between two stationary vehicles.
bitcoin  fail  bitgo  javascript  bugs  32-bit  overflow  btc 
april 2015 by jm
The missing MtGox bitcoins
Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox operated at fractional reserve for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox's collapse).

MtGox' bitcoins continuously went missing over time, but at a decreasing pace. Again by the middle of 2013, the curve goes more or less flat, matching the hypothesis that by that time there may not have been any more bitcoins left to lose. The rate of loss otherwise seems unusually smooth and at the same time not strictly relative to any readily available factors such as remaining BTC holdings, transaction volumes or the BTC price. Worth pointing out is that, thanks to having matched up most of the deposit/withdrawal log earlier, we can at this point at least rule out the possibility of any large-scale fake deposits — the bitcoins going into MtGox were real, meaning the discrepancy was likely rather caused by bitcoins leaving MtGox without going through valid withdrawals.
mtgox  bitcoin  security  fail  currency  theft  crime  btc 
april 2015 by jm
Swiss Authorities Arrest Bot for Buying Drugs and Fake Passport
A bot created by a group of artists spent the last few months selecting items at random from a Silk Road-style darknet marketplace, buying them with Bitcoin, and having them shipped to a gallery in Switzerland. After it bought some ecstasy pills and a counterfeit passport, we asked: How will authorities deal with the complex legal and moral issue of a piece of artificial intelligence breaking the law? It turns out, the answer was simple: just arrest the computer.
drugs  darknet  bitcoin  ecstasy  art  bots  law-enforcement  switzerland 
january 2015 by jm
Inside a Chinese Bitcoin Mine
The mining operation resides on an old, repurposed factory floor, and contains 2500 machines hashing away at 230 Gh/s, each. (That’s 230 billion calculations per second, per unit). [...] The operators told me that the power bill of this specific operation is in excess of ¥400,000 per month [..] about $60,000 USD.
currency  china  economics  bitcoin  power  environment  green  mining  datacenters 
august 2014 by jm
Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins | Threat Level | WIRED
'The attacker specifically targeted a collection of bitcoin mining “pools”–bitcoin-producing cooperatives in which users contribute their computers’ processing power and are rewarded with a cut of the resulting cryptocurrency the pool produces. The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds. At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day. “With this kind of hijacking, you can quite easily grab a large collection of clients,” says Pat Litke, one of the Dell researchers. “It takes less than a minute, and you end up with a lot of mining traffic under your control.”'

'In total, Stewart and Litke were able to measure $83,000 worth of cryptocurrency stolen in the BGP attack [...] but the total haul could be larger'
bitcoin  mining  fraud  internet  bgp  routing  security  attacks  hacking 
august 2014 by jm
The programming error that cost Mt Gox 2609 bitcoins
Digging into broken Bitcoin scripts in the blockchain. Fascinating:
While analyzing coinbase transactions, I came across another interesting bug that lost bitcoins. Some transactions have the meaningless and unredeemable script:

OP_IFDUP
OP_IF
OP_2SWAP
OP_VERIFY
OP_2OVER
OP_DEPTH

That script turns out to be the ASCII text script. Instead of putting the redemption script into the transaction, the P2Pool miners accidentally put in the literal word "script". The associated bitcoins are lost forever due to this error.


(via Nelson)
programming  script  coding  bitcoin  mtgox  via:nelson  scripting  dsls 
may 2014 by jm
Proof of burn - Bitcoin
method for bootstrapping one cryptocurrency off of another. The idea is that miners should show proof that they burned some coins - that is, sent them to a verifiably unspendable address. This is expensive from their individual point of view, just like proof of work; but it consumes no resources other than the burned underlying asset. To date, all proof of burn cryptocurrencies work by burning proof-of-work-mined cryptocurrencies, so the ultimate source of scarcity remains the proof-of-work-mined "fuel".
bitcoin  proof  money  mining  cryptocurrency 
may 2014 by jm
Microsoft Security Essentials reporting false positives on the Bitcoin blockchain
Earlier today, a virus signature from the virus "DOS/STONED" was uploaded into the Bitcoin blockchain, which allows small snippets of text to accompany user transactions with bitcoin.  Since this is only the virus signature and not the virus itself, there apparently is no danger to users in any way.  However, MSE recognizes the signature for the virus and continuously reports it as a threat, and every time it deletes the file, the bitcoin client will simply re-download the missing blockchain.


What a heinous prank! Hilarity ensues (via gwire)
via:gwire  av  antivirus  false-positives  fp  blockchain  microsoft  bitcoin  pranks  viruses 
may 2014 by jm
Minimum Viable Block Chain
Ilya Grigorik describes the design of the Bitcoin/altcoin block chain algorithm. Illuminating writeup
algorithms  bitcoin  security  crypto  blockchain  ilya-grigorik 
may 2014 by jm
Meet Ireland’s first bitcoin politician
Ossian Smyth -- Green Party internet spokesman and representative for communications, energy, and natural resources, with a top wheeze:

“I think it is one of the most transparent ways of receiving donations. No one would know how much money can be donated into a bank account, but with bitcoin anyone can go to the block chain and look at the wallet.”

excellent ;)
ossian-smyth  bitcoin  fundraising  greens  politics  ireland  dublin  green-party  internet 
april 2014 by jm
The MtGox 500
'On March 9th a group posted a data leak, which included the trading history of all MtGox users from April 2011 to November 2013. The graphs below explore the trade behaviors of the 500 highest volume MtGox users from the leaked data set. These are the Bitcoin barons, wealthy speculators, dueling algorithms, greater fools, and many more who took bitcoin to the moon.'
dataviz  stamen  bitcoin  data  leaks  mtgox  greater-fools 
march 2014 by jm
The colossal arrogance of Newsweek’s Bitcoin “scoop” | Ars Technica
Many aspects of the story already look like a caricature of journalism gone awry. The man Goodman fingered as being worth $400 million or more is just as modest as his house suggests. He’s had a stroke and struggles with other health issues. Unemployed since 2001, he strives to take care of basic needs for himself and his 93-year-old mother, according to a reddit post by his brother Arthur Nakamoto (whom Goodman quoted as calling his brother an “asshole”).

If Goodman has mystery evidence supporting the Dorian Nakamoto theory, it should have been revealed days ago. Otherwise, Newsweek and Goodman are delaying an inevitable comeuppance and doubling down on past mistakes. Nakamoto’s multiple denials on the record have changed the dynamic of the story. Standing by the story, at this point, is an attack on him and his credibility. The Dorian Nakamoto story is a “Dewey beats Truman” moment for the Internet age, with all of the hubris and none of the humor. It shouldn’t be allowed to end in the mists of “he said, she said.” Whether or not a lawsuit gets filed, Nakamoto v. Newsweek faces an imminent verdict in the court of public opinion: either the man is lying or the magazine is wrong.
dorian-nakamoto  newsweek  journalism  bitcoin  privacy  satoshi-nakamoto 
march 2014 by jm
Digging for cryptocurrency: The newbie’s guide to mining altcoins
Mining Arscoins, dogecoins and litecoins -- CPU/GPU mining apps and how to run 'em
currency  bitcoin  altcoins  dogecoin  crypto  mining  ars-technica 
march 2014 by jm
It’s So Easy
Attempting to cash out of Bitcoins turns out to be absurdly difficult:
Trying to sell the coins in person, and basically saying he either wants Cash, or a Cashiers check (since it can be handed over right then and there), has apparently been a hilarious clusterfuck. Today he met some guy in front of his bank, and apparently as soon as he mentioned that he needs to get the cash checked to make sure it is not counterfeit, the guy freaked out and basically walked away. Stuff like this has been happening all week, and he apparently so far has only sold a single coin of several hundred.
bitcoin  fail  funny  mtgox  fraud  cash  fiat-currency  via:rsynnott  buttcoin 
march 2014 by jm
Harvard Research Computing Resources Misused for ‘Dogecoin’ Mining Operation
A member of the Harvard community was stripped of his or her access to the University’s research computing facilities last week after setting up a “dogecoin” mining operation using a Harvard research network, according to an internal email circulated by Faculty of Arts and Sciences Research Computing officials.
harvard  dogecoin  bitcoin  mining  misuse  abuse  supercomputers 
february 2014 by jm
Why dispute resolution is hard
Good stuff (as usual) from Ross Anderson and Stephen Murdoch.

'Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?
The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.
As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.'
finance  security  ross-anderson  emv  bitcoin  chip-and-pin  banking  architecture  verification  vvat  logging 
february 2014 by jm
Why Mt. Gox is full of shit
leading Bitcoin exchange "Magic The Gathering Online Exchange" turns out to suffer from crappy code, surprise:
why does Mt. Gox experience this issue? They run a custom Bitcoin daemon, with a custom implementation of the Bitcoin protocol. Their implementation, against all advice, does rely on the transaction ID, which makes this attack possible. They have actually been warned about it months ago by gmaxwell, and have apparently decided to ignore this warning. In other words, this is not a vulnerability in the Bitcoin protocol, but an implementation error in Mt. Gox' custom Bitcoin software.


The rest of the article is eye-opening, including the MySQL injection vulnerabilities and failure to correctly secure a Prolexic-defended server.

https://news.ycombinator.com/item?id=7211286 has some other shocking reports of Bitcoin operators being incompetent, including 'Bitomat, the incompetent exchange that deleted their own [sole] amazon instance accidentally which contained all their keys, and thus customer funds'. wtfbbq
mtgox  security  bitcoin  standards  omgwtfbbq  via:hn  bitomat 
february 2014 by jm
Alex Payne — Bitcoin, Magical Thinking, and Political Ideology
Working in technology has an element of pioneering, and with new frontiers come those who would prefer to leave civilization behind. But in a time of growing inequality, we need technology that preserves and renews the civilization we already have. The first step in this direction is for technologists to engage with the experiences and struggles of those outside their industry and community. There’s a big, wide, increasingly poor world out there, and it doesn’t need 99% of what Silicon Valley is selling.

I’ve enjoyed the thought experiment of Bitcoin as much as the next nerd, but it’s time to dispense with the opportunism and adolescent fantasies of a crypto-powered stateless future and return to the work of building technology and social services that meaningfully and accountably improve our collective quality of life.
bitcoin  business  economics  silicon-valley  tech  alex-payne  writing  libertarianism  futurism  crypto  civilization  frontier  community 
december 2013 by jm
BitCoin exchange CoinBase uses MongoDB as their 'primary datastore'
'Coinbase uses MongoDB for their primary datastore for their web app, api requests, etc.'
coinbase  mongodb  reliability  hn  via:aphyr  ops  banking  bitcoin 
december 2013 by jm
Bitcoin Mining Operating Margin
"The graph showing miners' revenue minus estimated electricity and bandwidth costs." -- down to -694% right now, oh dear
bitcoin  via:peakscale  economics  mining  profit  revenue  charts  electricity  bubble 
october 2013 by jm
Randomly Failed! The State of Randomness in Current Java Implementations
This would appear to be the paper which sparked off the drama around BitCoin thefts from wallets generated on Android devices:

The SecureRandom PRNG is the primary source of randomness for Java and is used e.g., by cryptographic operations. This underlines its importance regarding security. Some of the fallback solutions of the investigated implementations [are] revealed to be weak and predictable or capable of being influenced. Very alarming are the defects found in Apache Harmony, since it is partly used by Android.


More on the BitCoin drama: https://bitcointalk.org/index.php?topic=271486.40 , http://bitcoin.org/en/alert/2013-08-11-android
android  java  prng  random  security  bugs  apache-harmony  apache  crypto  bitcoin  papers 
august 2013 by jm
Mail from the (Velvet) Cybercrime Underground
Brian Krebs manages to thwart an attempted framing for possession of Silk Road heroin. bloody hell
silk-road  drugs  bitcoin  ecommerce  brian-krebs  crime  framed  cybercrime  russia  scary  law-enforcement 
july 2013 by jm
Secret Bitcoin mining code added to game sparks outrage
Thunberg's admission that [the E-Sports Entertainment Association client software] ran Bitcoin-mining software without explicit user consent is startling. Aside from potentially opening the company up to huge legal liability, the move is likely to engender distrust among some of the company's most loyal fans. The nonchalance of some of Thunberg's comments may only add insult to the betrayal many users are likely to feel.

"But for the record, I told jag he shouldn't be lazy and run the miner in a separate process," he wrote in a post, referring to one of his software engineers with the screen name Jaguar, who didn't take steps to conceal the Bitcoin miner. "Rookie move." In the later post he wrote: "100% of the funds are going into the s14 prize pot, so at the very least your melted gpus contributed to a good cause."
bitcoin  abuse  games  malware  esea  gpus 
may 2013 by jm
