mircea_popescu: imo sessions are this idiocy from hell.
mircea_popescu: i don't think she actually understood before what sessions are and how they work
mircea_popescu: anyway, as you say. mtgox does not talk to yubikey, it talks to teh computor.
mircea_popescu: lol
mircea_popescu: yeah.
mircea_popescu: eh you lot are just mean.
mircea_popescu: asciilifeform one of, the one with the daytrading.
mircea_popescu: basically this is a stolen session
mircea_popescu: "Edit2: I was finally able to log into my account and found an API key with full rights to everything. I never made one, wtf does this mean?"
mircea_popescu: asciilifeform read on, she catches on.
mircea_popescu: totally.
mircea_popescu: actually... there's an update to the story.
mircea_popescu: http://www.bitcoiney.com/psa-i-had-480-stolen-out-of-my-mt-gox-account-this-morning-despite-having-2-factor-identification-here-is-what-happened
mircea_popescu: just more preoccupied with it
mircea_popescu: my impression of the general truecrypt population is that they're not particularly more secure than average
mircea_popescu: this may actually be true
mircea_popescu: "TC gives you a false sense of security so its worse than no partition encryption."
mircea_popescu: this is not a bug as much as a hosting feature
mircea_popescu: o i see
mircea_popescu: so what's the point of virtualization then
mircea_popescu: um
mircea_popescu: http://www.reddit.com/r/Bitcoin/comments/1e79ig/how_were_my_encrypted_bitcoin_and_litecoin/c9xss1w
mircea_popescu: i was actually thinking, is this our d friend ?
mircea_popescu: "Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
mircea_popescu: great quote that.
mircea_popescu: "x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection."
mircea_popescu: you hadn't noticed ?!
mircea_popescu: well yes
mircea_popescu: mpex is http
mircea_popescu: why do they need to calculate rsa or wut ?
mircea_popescu: dub sux to be you bro.
mircea_popescu: asciilifeform except i never use a site over https anyway
mircea_popescu: so now what ?
mircea_popescu: a linux box, rather than a router, for convenience.
mircea_popescu: asciilifeform the idea is, suppose i pass all my traffic through your controlled relay
mircea_popescu: i don't think it has anything to do with the 2fa mtgox issue but anyway
mircea_popescu: anyway, thanks optimator, most entertaining link
mircea_popescu: who the fuck designed this process ;/
mircea_popescu: Used bitcoin-qt and litecoin-qt. For the wallets, those encryption passwords were from memory. The truecrypt password, I always copied and pasted the password from a text file, on a USB drive, inside a password protected winrar file, inside of a password protected winrar file, inside of a password protected winrar file, totaling 3 different password protected rars to reach the .txt file.
mircea_popescu: optimator not sure why people imagine machines locate items by name
mircea_popescu: asciilifeform re your router mitm
mircea_popescu: asciilifeform give me an example.
mircea_popescu: yeah srsly.
mircea_popescu: "I figured if I was ever the victim of a wallet stealing program, implementing a dummy in the default location would fool it and upload it, rather than my real one, to the attackers choice, but I was wrong."
mircea_popescu: but what the fuck for, seriously.
mircea_popescu: i guess.
mircea_popescu: on an actual machine ?
mircea_popescu: "I know I've found this one thing that I just have to download and install Java for, then totally forget or put off uninstalling it afterwards, many a time."
mircea_popescu: people actually still use java ?!
mircea_popescu: "In fact, scratch the social engineering, you don't need to convince someone to run your .exe if you can just run your .exe for them via a Java drive-by attack, and admit it, you've left Java installed for extended periods of time, even if you try to keep it uninstalled normally."
mircea_popescu: this.
mircea_popescu: always funny when people with 85 ltc speak of the masses.
mircea_popescu: "I haven't nor will I ask for donations. This truly sucks for me, but I only want to find out how this happened. I wish I could see the code/method used for educational purposes. Fuck people who steal. I strive for bitcoins and litecoins to gain popularity among the masses and become an accepted currency in societies eyes."
mircea_popescu: asciilifeform bitcoind is such a mess it'd be easier to make a million dollars being a janitor.
mircea_popescu: because of the change issue. wallet.dat was stolen
mircea_popescu: actually this is interesting
mircea_popescu: http://www.reddit.com/r/Bitcoin/comments/1e79ig/how_were_my_encrypted_bitcoin_and_litecoin/c9xjk4s
mircea_popescu: that may have been sniffed maybe >?
mircea_popescu: I used a random 64 character ASCII character password from this site for my truecrypt password.
mircea_popescu: optimator the reason girl said anything/i'm lending some credence to the claim of 2fa is because this isn't the first case i've heard.
mircea_popescu: or gribble colony
mircea_popescu: asciilifeform soft but soft in the sense of amoeba
mircea_popescu: yeah.
mircea_popescu: i have yet to see any indication of such wonder in practice.
mircea_popescu: indeed.
mircea_popescu: hm.
mircea_popescu: 4 btc ?
mircea_popescu: that good a trojan ?
mircea_popescu: for the simple reason that if anyone ever did most of the us would be so very much less lonely.
mircea_popescu: i doubt anyone actually visited the guy's apartment
mircea_popescu: see, but it'd seem to me you readily argue both ends of this rope.
mircea_popescu: now, returning there : how many times ?
mircea_popescu: <asciilifeform> there is only so many times that this can happen without a real effect
mircea_popescu: anyway, getting back to it. the branch was off
mircea_popescu: but it wouldn't be the first website with a broken 2fa implementation.
mircea_popescu: fuck me. the idea of a website is ridiculous
mircea_popescu: it wouldn't be the first website
mircea_popescu: mtgox does.
mircea_popescu: the chump has no history of lying
mircea_popescu: maybe.
mircea_popescu: no, it does not have to be.
mircea_popescu: 90% of the top accounts would be hit simultaneously.
mircea_popescu: if indeed this was an attack able to cut through their (braindead) 2fa implementation
mircea_popescu: you'd have to be born last night to actually believe this.
mircea_popescu: NOW what you do with this ion cannon is steal random 4 btc wallet ?
mircea_popescu: which is insane, but anyway.
mircea_popescu: and let's presume for a moment you have no better use for it than btc.
mircea_popescu: listen. suppose you actually have the tech to own yubikeys
mircea_popescu: nope. it'll do exactly the same thing as mtgox lying about "hacks"
mircea_popescu: well a 51% attack wouldn't generate btc.
mircea_popescu: n btc sucked into the aether
mircea_popescu: right, what i'm saying is, this is a working prototype
mircea_popescu: yup
mircea_popescu: through 2fa ?
mircea_popescu: like that ?
mircea_popescu: https://bitcointalk.org/index.php?topic=203837.20
mircea_popescu: it's horrible for gox, and especially so for gox investors. so ?
mircea_popescu: i still need to see someone argue convincingly that goxlag is bad for bitcoin.
mircea_popescu: well if it's a stochastic process, prolly.
mircea_popescu: im not sure i follow that bullet analogy