Kadin2048's Weblog
JulAug Sep
Oct Nov Dec


Mon, 20 Jun 2011

I’ve been following the Mt. Gox security breach and subsequent Bitcoin/USD price collapse for a little while. This is a rough summary of events as they seem to have happened, based on available information at the current time (June 20, early morning UTC).

My assumption is that at least some of this timeline will turn out to be wrong, which in itself might be interesting in retrospect.

Sometime in early June: Unspecified attackers gained access to a machine, allegedly being used by an auditor, either containing or with read-only access to, the Mt. Gox database or some portion of it. Whether the attackers had access to the entire database or “just” the user table doesn’t seem known, but the important thing is that they got a table containing, according to Mt. Gox:

  • Account number
  • Account login
  • Email address
  • Encrypted password

For accounts not accessed in the last two months (viewed by Mt. Gox as “inactive”), the password was stored as an MD5 hash. For accounts accessed in the last two months, the password was salted, then hashed with MD5. Nowhere in the database were there plaintext passwords.

Exactly who had access to the database, whether it was an individual or group, isn’t known. It seems that access to the database might have gone through several stages: presumably from the person or group who obtained it initially from the compromised machine, and then to less-sophisticated people or groups. We can say with some confidence that it started to be distributed shortly before June 17th, because on that date somebody posted a message to a forum with some hashed passwords that came from the database. (N.B., this is hearsay from the #Bitcoin IRC channel, and thus fairly speculative. I haven’t looked at a copy of the database to confirm it.)

Monday, June 13: The actual theft of Bitcoins from compromised accounts began, according to various sources, on Monday morning. Approximately 25k BTC were transferred from 478 accounts, according to DailyTech (although elsewhere in the same article they claim 25,000 accounts). The destination address was “1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg”.

Presumably, the accounts were accessed by brute-forcing the hashed passwords in the database. It’s not clear to me whether the accounts were all “inactive” (and thus had unsalted password hashes, vulnerable to a pre-computation attack), or if they were active, had salted hashes, but were just weak and fell to a dictionary attack. It probably would have been logical for the attackers to pursue both routes at once: go after the old, unsalted hashes with Rainbow tables, while at the same time performing dictionary attacks against the salted hashes associated with accounts with significant BTC balances. At any rate, using some combination of both routes, they eventually found some vulnerable accounts.

The thefts seem to have gone on during the remainder of the week, with Mt. Gox seemingly misreading the increase in theft reports as insecurity on users’ PCs, rather than a security problem on their end.

Sunday, June 19: The Bitcoin ‘Flash Crash’.

At around 3AM Japan Standard Time, someone — my guess is not one of the original attackers — began a massive sell-off from a single compromised account. (One open question is whether this account was a receiver account for stolen BTC from other hacked accounts, or just happened to be a ‘whale’ that they managed to access.) This is where things start to get interesting, because it’s not immediately obvious why someone who recently came into possession of a whole lot of Bitcoins would want to crash the price.

One theory is that it wasn’t intentional; they were hurrying, perhaps working against other attackers who had access to the same database, and wanted to cash out quickly. But another theory, one that I think is more plausible, is that the sell-off was calculated to crash the BTC price, in order to get around Mt. Gox’s $1,000 USD/day withdrawal limit.

By dumping a large number of Bitcoins onto the market — not just once but twice (the attacker repurchased and sold the lot of coins a second time, supposedly) — the market price was driven down. Basically all open bids on the order book were filled, down to ridiculously low prices. At no point did any sort of ‘safety switch’ kick in at Mt. Gox to halt trading; it was full-bore Black Monday mode.

And here we start to run into my limit of knowledge. If we assume that the crash was engineered in order to get around the Mt. Gox withdrawal limit, then when the price was very low, the attackers should have made their move, and transferred whatever they could out of Mt. Gox, to external Bitcoin accounts.

Mt. Gox seems to be claiming that this did not happen, and the withdrawal limits successfully kept the total amount of BTC removed from the exchange to some low number. If true, this would allow them to ‘reset’ the exchange back to how it was before the flash crash, with only limited losses — perhaps low enough that Mt. Gox could make all users whole before resuming trading.

But if this isn’t the case, then it may not be possible for Mt. Gox to shield all of its users from losses. After all, one of the key features of Bitcoins is that they can’t simply be magic-ed into existence on demand by a central authority when convenient. If the Bitcoins have left the building, so to speak, Mt. Gox can’t just grab them back or create new ones to replace them.

In the next few hours or days, I expect these issues to become more clear. Also, it will be interesting to see whether the BTC/USD rate stays at the $17 mark that Mt. Gox plans to resume trading at, or immediately falls to some lower level, in keeping with lowered investor confidence.

Personally, I wouldn’t mind one bit if this marked the end of Bitcoin’s first speculative bubble; most of my interest in Bitcoin is as a currency, not as an instrument for speculative investment (and a not-very-liquid one at that). The question will be whether Bitcoin’s reputation is irretrievably damaged as a result, or if the damage is forgotten about or limited to Mt. Gox.

Certainly more interesting and higher stakes than the usual EVE Online drama, though.

0 Comments, 0 Trackbacks

[/finance] permalink

Wed, 01 Jun 2011

As is perhaps evident from some of my other posts, I’m kind of a sucker for alternative currencies. A couple of years ago I watched the trainwreck that was the demise of 1MDC, a ‘currency’ that was backed by EGold (which was itself shut down in 2009). And then there’s the sad saga of the Liberty Dollar, which in retrospect probably would have avoided a lot of legal trouble if it had been called the ‘Liberty Peso’ or something a bit less official.

Liberty Dollars and EGold (and its spawn, e.g. 1MDC) were, until recently, arguably the high-water marks for private currencies in the U.S., in modern times anyway. However, both of them suffered crucial flaws: they were built around centralized institutions which created single points of failure. When they eventually aroused the attentions of the authorities — as any private currency is likely to do — they were pretty quickly taken down.

In the case of someone holding physical Liberty Dollars this wasn’t really catastrophic, since they still had the coins. (Even morons who bought them at terribly inflated prices might have come out ahead, due to the run-up in commodities prices in the last few years, if they held out long enough.) However, “holders” of EGold were right out; they had to wait until mid-2010 to be able to get their money out, and then only by identifying themselves.

One would not have been faulted for thinking that the idea of private currencies, existing in parallel to government-backed ones, was finished.

But it’s instructive to consider why EGold was designed the way it was, with a centralized architecture. If we give its developers any benefit of the doubt at all, they must have realized this was a gaping vulnerability. But it was a necessity for two reasons:

  1. They wanted to back their currency with a physical commodity, namely gold.

  2. They wanted to be able to make money on it.

The point I’m (rather laboriously) making my way around to, is that neither of these are true for all private currencies, and Bitcoin in particular seems to avoid them.

Bitcoins aren’t backed by anything. Unlike EGold and Liberty Dollars, both backed (either directly or indirectly) by gold, Bitcoins aren’t backed by anything. They have exactly zero intrinsic value. While that makes them rather volatile, it also means there’s no warehouse full of metal to be inconveniently seized.

Second, there doesn’t seem to be much in the way of a profit motive behind Bitcoin’s development. Both Liberty Dollar and EGold seem, on their face, to be money-making ventures for those behind them. Liberty Dollars were sold, at a premium above their intrinsic value, by NORFED; EGold charged management fees, presumably in excess of its costs to have some gold bars stored in a vault. PayPal, which is admittedly not a private currency, makes money via transaction fees. All of those models require a centralized architecture in order to generate revenue.

Bitcoin’s architecture eliminates the potential for a Bitcoin, Inc. IPO, but in doing so it is significantly more difficult to shut down.

One area where Bitcoin seems to remain vulnerable is in its convertibility to traditional currencies, especially USD. Although it’s possible in theory to ‘bootstrap’ a currency (particularly one with a fixed number of tokens) that’s not convertible — someone would need to jump in and start pricing goods in it, and in doing so imbue the currency with real-world value — but it’s certainly a lot easier if you can move value back and forth from other currencies.

Currently there are several public Bitcoin markets, including Mt. Gox, the largest, Bitcoin Exchange, which is a forum for person-to-person transactions, and BitcoinExchange.cc, which just strikes me as shady (maybe it’s the .cc TLD).

Even at Mt. Gox, buying Bitcoins is not a straightforward process. You can’t just whip out your Visa and buy $100 worth of Bitcoins at the going rate; instead, you have to go through one of several intermediaries who handle the USD side of the transaction, moving money into a Mt. Gox account, and then you can use the money to buy Bitcoins. It’s not that much worse than setting up an account with a brokerage (and the fees and minimums are much lower!), but it’s not like the Foreign Exchange desk at the airport.

This is where I’m a bit concerned that the whole Bitcoin concept could get in trouble. Right now, the value of Bitcoins — which are backed by nothing, other than a mathematical guarantee that only a certain number can be ‘minted’ — has built into it an assumption about the ease of converting them into USD and other currencies. If the ability to convert Bitcoins to USD or other currencies was suddenly suspended, I suspect you would see a very sharp drop in the value of Bitcoins. In doing so, it might erode confidence enough to render it useless or insignificant as a currency.

Exactly how this plays out will be very interesting in the months and years ahead. The U.S. government took significant amounts of time to bring the axe down on EGold and Liberty Dollars, so the lack of immediate action shouldn’t be taken to indicate any change in attitude towards private currencies. If and when something does happen, my bet is that it occurs at the BTC/USD/EUR/etc. exchange points. We’ll see.

0 Comments, 0 Trackbacks

[/finance] permalink