MtGox remedy worse than the disease says Kaspersky researcher

A 700MB file that hackers claimed contains valuable database information on bankrupted MtGox is actually hiding Bitcoin wallet file-stealing malware, researchers have warned. Kaspersky Lab’s Sergey Lozhkin claimed in a blog post last Friday that the entire data leak story, which emerged after MtGox CEO Mark Karpeles had his …

COMMENTS

  1. Destroy All Monsters

    Summary of the situation

    Mt. Gox Problems Mount

    On its current balance sheet the company lists its assets as consisting of 2,000 bitcoins (plus $32 mn. in fiat), and offsetting liabilities of 750,000 bitcoins (and another $55 mn of fiat claims against it). There is clearly a big hole to fill. More troubling is that Mt. Gox notes that this theft of its bitcoins took place over a five-year period. Furthermore the company now confirms that the loss is due to the “transaction malleability” issue with the bitcoin protocol (which I discussed here as a reason Mt. Gox held only fractional reserves).

    In other words, over a five-year period the bitcoin bank went from a (presumably) 100% reserve ratio to holding less than 3% reserves… and no one noticed!

    Here is the critical fault with fractional-reserve banking that rarely gets discussed. When someone deposits a good it is not because he does not want to use it. Nor does that good represent some idle resource until it is asked for. People who support fractional-reserve banking of both the centralized and “free” varieties are both of the opinion that deposits are idle cash and no one is harmed when a bank puts them to good use.....

    1. Vociferous

      Re: Summary of the situation

      Wow. Imagine if only there was some actor -- let's call it "a state" -- which would guarantee bank deposits if the bank ~~stealing~~ speculating with or investing the money was unable to pay the customer when he wanted his deposit back...

      Also, does anyone really think the Magic The Gathering Online eXchange is just an innocent victim in this?

      1. Anonymous Coward 101

        Re: Summary of the situation

        "Also, does anyone really think the Magic The Gathering Online eXchange is just an innocent victim in this?"

        Due to their manifest incompetence in the past, their claims of 'whoops' in this case are credible. Their incompetence may make them criminally and certainly civilly liable, however.

        1. Vociferous

          Re: Summary of the situation

          > Their incompetence may make them criminally and certainly civilly liable, however.

          How will those who've lost digits prove the digits were theirs to lose? And was money?

    2. TheOtherHobbes

      Re: Summary of the situation

      Mt. Gox was supposed to be an exchange, not a bank.

      Although given the minimal reserves held by all banks, I'm not sure it's easy to tell the difference.

    3. flibbertigibbet

      Re: Summary of the situation

      In other words, over a five-year period the bitcoin bank went from a (presumably) 100% reserve ratio to holding less than 3% reserves… and no one noticed!

      Firstly, it wasn't five years. It was at most one, because 1 year ago was when the miners started rejecting the badly formatted transactions created by Mt Gox. While the miners were accepting those bad transactions there was no window created by the "malleability" problem to exploit.

      Secondly, it almost certainly wasn't one year. For most of that year Mt Gox handled the rejected transactions manually. You had to contact a human and ask them to fix a problem. So if you are right Mt Gox manually authorised $350M worth of double spends. And no one noticed?!?!?

      I don't think so. To err is human. But to fuck things up on this scale requires a computer, and only a computer, in the loop.

      I'd give the time period two months at most. Which puts it over the Xmas / New Year period.
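The "malleability" the comments above argue about is the fact that a third party can re-encode a transaction's signature so that the transaction still verifies but hashes to a different txid, which is what lets a withdrawal look "failed" to an exchange that tracks only the txid it originally broadcast. The page does not say which malleation vector was used against Mt Gox, and the example below is added here for illustration; it is not code from the article or from either commenter. It implements textbook ECDSA over secp256k1 in pure Python (stdlib only, not constant-time, not for real keys) and shows the best-known vector: for any valid signature (r, s), the pair (r, n - s) also verifies, but it DER-encodes to different bytes and therefore yields a different txid. It also shows the low-S rule Bitcoin Core later adopted as a standardness check, under which exactly one of the two twins is acceptable. The private key, the transaction body and the deterministic nonce derivation are all constructed for the example (the nonce is a stand-in for RFC 6979, not an implementation of it).

```python
"""ECDSA signature malleability on secp256k1: (r, s) and (r, n - s) both verify,
but serialise differently, so a transaction carrying either gets a different txid.
Pure Python, stdlib only. Textbook affine arithmetic; not constant-time, not for real keys."""
import hashlib

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def sign(priv, z):
    """Textbook ECDSA. The nonce is derived from (priv, z) so the run is reproducible;
    this is a constructed stand-in for RFC 6979, not an implementation of it."""
    seed = priv.to_bytes(32, 'big') + z.to_bytes(32, 'big')
    k = int.from_bytes(hashlib.sha256(seed).digest(), 'big') % N or 1
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def malleate(sig):
    """Third-party malleation: negate s mod n. Same key, same message, still verifies."""
    r, s = sig
    return r, N - s


def is_low_s(sig):
    """Low-S rule: reject s > n/2, so only one signature of each (s, n - s) pair is acceptable."""
    return sig[1] <= N // 2


def der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, 'big')
    if b[0] & 0x80:
        b = b'\x00' + b  # DER integers are signed; keep the value positive
    return b'\x02' + bytes([len(b)]) + b


def der(sig):
    body = der_int(sig[0]) + der_int(sig[1])
    return b'\x30' + bytes([len(body)]) + body


def txid_with_sig(tx_body, sig):
    """Constructed stand-in for a serialised pre-segwit transaction: the scriptSig bytes
    are part of the txid preimage, so re-encoding the signature changes the txid while
    inputs and outputs stay exactly the same."""
    return sha256d(tx_body + der(sig)).hex()


def demo():
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    pub = scalar_mult(priv, G)
    tx_body = b"constructed-tx-inputs-and-outputs"  # constructed placeholder
    z = int.from_bytes(sha256d(tx_body), 'big')
    orig = sign(priv, z)
    twin = malleate(orig)
    return {
        'orig_ok': verify(pub, z, orig), 'twin_ok': verify(pub, z, twin),
        'orig_low_s': is_low_s(orig), 'twin_low_s': is_low_s(twin),
        'orig_txid': txid_with_sig(tx_body, orig), 'twin_txid': txid_with_sig(tx_body, twin),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Run it and both `orig_ok` and `twin_ok` come back True while the two txids differ; exactly one of the pair passes `is_low_s`. The practical lesson for an exchange is the one the thread circles around: track withdrawals by the outpoints they spend, not by the txid you broadcast, because the txid is not something the sender controls until the transaction is mined.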

    4. I ain't Spartacus

      Re: Summary of the situation

      Here is the critical fault with fractional-reserve banking that rarely gets discussed. When someone deposits a good it is not because he does not want to use it. Nor does that good represent some idle resource until it is asked for. People who support fractional-reserve banking of both the centralized and “free” varieties are both of the opinion that deposits are idle cash and no one is harmed when a bank puts them to good use.....

      Destroy all Monsters,

      This is nothing to do with fractional reserve banking. Mt Gox wasn't a bank. It was an exchange or a broker. It wasn't licensed as a bank, nor was it regulated as such. Although it wasn't regulated as a broker either. It also didn't operate as a bank. It only had a fraction of the Bitcoins that it claimed to hold on behalf of its customers either through monumental stupidity and incompetence, or internal fraud. Or possibly both. Losing some of the money was probably inevitable in any complex company, but not noticing and continuing to lose all their assets was incompetence at best.

      The reason that banks are allowed to get away with only holding a fraction of their depositors' money in cash is that they pay interest. Current accounts in the UK don't, but then they don't charge fees either (which is quite unusual). But people have savings, as well as current accounts. Banks need to expect people to spend the cash in their current accounts over the month, but they wouldn't expect their savers to do so. And in fact generally pay higher rates of interest if you promise to lock your money in a savings product for longer. Also banks lend cash (hopefully); they don't lose it. That loan is an asset. So although they've lent out the cash you deposited with them, they still have something to show for it (unlike Bitcoin). Often a mortgage, backed by a house, or a business loan with collateral. Also they hold cash reserves, to meet withdrawal requests, and they have capital reserves (their shareholders' money), to cover losses and protect their depositors. Not that it's perfect. But totally different to Bitcoin. And anyone who lends a bank cash at interest is specifically asking the bank to invest it in something. Or thinks the banks are charities, that just pay interest out of niceness...

  2. jake

    Remember, kiddies.

    If it sounds too good to be true ... it is.

    EOF

  3. Anonymous Coward

    Bravo

    I have to hand it to whoever put this together, it is social engineering at its finest. People who hold bitcoins are 10000x more likely to download that zip file than those who don't, that is one well targeted attack. I wonder how many bitcoins that guy got?

    For the conspiracy theorists who think it was the BoJ or the Fed who stole the bitcoins trying to destabilize a "competitor", realize that a state actor would be using far more sophisticated malware. Something more like Stuxnet. By the time it was discovered so many wallets would have been emptied bitcoin would be toast.

    1. flibbertigibbet

      Re: Bravo

      Are you sure? Because surely social engineering at its finest would manage to steal bitcoins. As you say yourself "I wonder how many bitcoins that guy got?" No one knows. All we have here is Kaspersky releasing a media statement saying what every bitcoin bulletin board had in big red letters around the links to the file. If the goal of media statements is free publicity I guess that has been a success.

      There are few more paranoid communities on the planet than bitcoin owners. If you have paid any attention whatsoever over the past few years to the bitcoin headlines, I'm sure you would regard this as justified.

      And who does this little piece of social engineering target? The most paranoid of that choice crop. The goods may be odd, but I'm not sure the odds were good.

    2. Moosh

      Re: Bravo

      I'm not a conspiracy theorist and even I can see that western government involvement in this wouldn't use sophisticated tools, because that immediately tells you that it's an organisation or government behind the attack.

      It's better to go for something simple that might slap a few people than something sophisticated that gets everyone but also slaps a big red glowing sign over your head that says "I'm responsible".

  4. Piro

    Who the hell leaves their wallet without encryption?

    I mean seriously, who would do that?

    1. Jonathan 29

      Re: Who the hell leaves their wallet without encryption?

      I obviously understand what you are saying, but there are a few good reasons. You might want to leave an unencrypted wallet as a canary to detect whether someone had planted something on your computer. If funds from the open wallet disappear you know you have to take immediate action to protect the other. Secondly, have you given any thought to what happens to your wallet in the event of your death or a head trauma that causes you to forget your passwords? An unencrypted wallet in cold storage might be better for your family than a heavily encrypted one.

      I read a lot of these stories about coins being stolen and I am very impressed with the level of skilled manipulation and hacks. I am on the fence about bitcoin banks, but when people are breaking through 2 factor security to get at wallets it is a little worrisome.

      1. Stephen Gray

        Re: Who the hell leaves their wallet without encryption?

        "Secondly, have you given any thought to what happens to your wallet in the event of your death or a head trauma that causes you to forget your passwords? An unencrypted wallet in cold storage might be better for your family than a heavily encrypted one."

        You've heard of an old skool technology that is completely off grid and unlikely to suffer from data loss if kept in a drawer, let's say for example where you keep your passport and other important documents? It's called pen and paper.

        1. Jonathan 29

          Re: Who the hell leaves their wallet without encryption?

          You could write your password down or even your private key, but personally I would have to write my wife detailed instructions which I am sure a burglar could follow too. I am however inclined to rate burglars with more intelligence than they usually have - the last one posed for my security camera.

          1. Anonymous Coward

            Re: Who the hell leaves their wallet without encryption?

            > I am however inclined to rate burglars with more intelligence than they usually have - the last one posed for my security camera.

            Mate that's embarrassing, you need to move to an area with better burglars.

  5. Turtle

    Summation, In One Word.

    "Appropriate".

    Well, let me add a second word: "Very".

  6. Anonymous Coward

    Anyone interested in some old DeLorean shares?

    They have gotta be worth more than these Bit-thingies!

  7. Anonymous Coward

    A government can guarantee a currency up to the point society itself collapses. It can do this as it can use force to seize every asset that private individuals have.

    You may not like that but that is why fiat currencies work.

    If a government can no longer do this then society has collapsed and, being one of the first world's 99% of urban livers, my life expectancy is going to be more than a few days as water and food run out. (If you live in a hut on top of a mountain please stay there.) Who cares about currency then?

    It takes a strong functioning government to keep 7 billion people alive in this world.

  8. Stevie

    Bah!

    But these files will be encrypted and therefore useless to the hackers, no?

    Good luck on my machine. I don't have any bitcoinery. I don't have much of anything in the negotiable specie department. I put all my savings into dotcoms in the 90s. What I saved from that debacle I invested in Enron. When that fiasco was over I thanked god I had managed to move the pitiful remnants of my portfolio into instruments backed by sub-prime mortgage loans.

    I calculate I can now retire in mid-May, 3512.

    If I didn't have a pension "guaranteed" as part of my employment as a government IT bod I don't know what I'd do. Of course, the Mayor and various Governors have been "deferring" payments to the fund so they can make it look to the taxpayer as though they can afford what they get for their money, and soon there will come a flood of new retirees that will pull back the sheets and reveal the Emperor's New Clothes, so I daily expect a "sudden realization" that pension obligations are crippling the state and subsequent flood of public opinion polls demanding a reneging of that obligation. It's already started in Wisconsin and New Jersey.
