The peer-to-peer crypto-currency Bitcoin has some very intelligent proponents, but its largest exchange showed the world recently that parts of the movement can at times be just as clueless about security as the less tech-centric.
Bitcoin exchange Mt. Gox admitted last month that up until a couple of months ago it used an unsalted MD5 hash to encrypt its 60,000+ users' passwords.
When the site was hacked last month, the passwords of 1,000+ "idle" users were quickly discovered in rainbow lookup tables, allowing hackers to gain access to many accounts, forcing a value crash and forced market closure.
The exchange says the compromised accounts represent users who hadn't logged in within the past two months. Users who had logged in were treated to proper MD5 plus salting.
So what are hashes, MD5, and salting?
To clarify, hashes are a cryptographic technique that obscure passwords, meaning that if someone gains access to your system, he or she doesn't necessarily gain access to your users' passwords. MD5 is a 128-bit hashing algorithm, designed in 1992 by Ronald Rivest. At the time, it was considered quite “strong,” but by today's standards it is weak.
Salting is another cryptographic technique used to further obfuscate passwords. This method combines a string of random bits (the “salt”) with the hashed password to yield an encrypted password that's harder to look up.
But honestly, even MD5 with salting isn't failsafe in today's world of ultra-large lookup tables and GPU-driven brute force attacks. Mt. Gox explicitly neglects to mention whether the salting was a single value or iterative. If it was iterative, Mt. Gox probably would have mentioned it. And if all the passwords used a single salt value, that's more bad news, as a single salt would only slightly strengthen the quite-weak MD5 encryption scheme.
That's why it's refreshing that in the wake of the attacks, Mt. Gox is finally wising up. The exchange announced that it was forcing all users to enter new passwords, which would be protected by SHA-512 with iterative salting.
Unique (per-user) salting would be even more desirable, given that someday, SHA-512 may be directly cracked -- but an iterative salt is at least a step up. If the iteration period is sufficiently large, that can make the encrypted passwords exceptionally hard to break, particularly considering the underlying strength of the SHA-512 algorithm.
If there's one driving lesson from the hacks on Mt. Gox and Sony, it's that it is imperative that you safeguard your users. Losing customer data of any kind can lead to serious reputation damage for your firm. Losing customers' passwords can lead to a fatal loss of trust.
Companies, like people, learn in plenty of ways. Some learn through observation of others and proactive research. Others -- like Mt. Gox -- learn via the "school of hard knocks." And still others -- like Sony, it seems (given its ongoing breaches) -- don't learn at all.
Take the former route and adopt strong encryption early, so you don't have to experience the pain of the latter approaches.
— Jason Mick is senior news editor at independent tech news site DailyTech.
Technically Bitcoin isn't a company it's a currency. Mt. Gox is a company, but is very intimately tied to bitcoin, as it controls over 90 percent of the currency's exchange.
I agree with your analysis, though, that this was woefully negligent.
And as to answering your original question on mining, like I said, you run a program on your computer and it "mines". There's a probabilistic nature to the results, but yes, it is a bit like buying a lottery ticket, as you only occassionally hit a block and profit -- though your odds of winning are significantly better than a lottery, I should add, if you hardware is sufficiently powerful.
While it may seem a little out of context here, but still on topic, how is it that with today's technological stance (especially around the world of finance) that a company such as BitCoin could not have played a more agressive role in securing data. This includes all aspects of technology of course.
With portable encryption keys, ciphers that can be laid one on top of the other, and a never ending list of security protocols that could have been implemented should BitCoin and other similar companies like PayPal be more proactive in their security measures. In short order even those measures could be breached as well.
People can also "mine" bitcoins... this is a method of seeding the economy with initial wealth. To "mine", you basically set a powerful computer calculating a tough algorithm, which occasionally "hits" a block of bitcoins.
How would people "mine" for Bitcoin? It seems like it would be equal to hitting a lottery from your statement.
We cannot compromise with any of the security issues. So it’s most important that a new encryption method has to adopt. I think bio informatics algorithms are very unique and can help to avoid misuse of the credential up to certain level.
Jason, your last line is the best of all. Find the best way to protect yourself, so can minimize worries. If the required precautions were taken John would not have a posting like "it is past time to decide who pays for ACH fraud", SHA-512 algorithm also will be expired very soon, but till then it is there with some hope. Also wiyh internet work one always has to be alive to make sure that you are not behind the technology. Have to keep on adjusting to par with the situation. Thats from the back end. Also from the front end, even you do not like the idea of digital wallets or bitcoins, you should know about that in order to well survive online. So alive person will face fewer threats.
This is an embarassingly misleading headline. The headline is like saying "AES-256 vulnerability exposed!" because some company somewhere decided to store their plaintext encryptions keys in a public dropbox folder.
MtGox is NOT Bitcoin -- it was a hobbyist-developed exchange site that wasn't prepared to keep up with the explosion of the Bitcoin phenomenon.
There has not been weaknesses found in Bitcoin cryptography -- it's as good as it gets. If there was a real flaw in the cryptography, the system would collapse and they would become worthless. Since it's been over a month since the MtGox attack and BTC is still around $15, your post really is just FUD.
Bitcoins, unlike most currencies, though, can be divided into tiny fractional denominations, so it's possible to buy a penny worth of bitcoins.
People can also "mine" bitcoins... this is a method of seeding the economy with initial wealth. To "mine", you basically set a powerful computer calculating a tough algorithm, which occasionally "hits" a block of bitcoins.
It is somewhat analogous to facebook credits or Linden dollars, but it's also different in that the goal is to create a cybercurrency for REAL WORLD goods.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
The US National Security Agency learned the hard way that it can be dangerous to give a contractor too much money and access, with too little scrutiny. The NSA and other government agencies hire tens of thousands of contractors
a year to analyze data. Edward Snowden -- who revealed himself as the NSA leaker after fleeing the country -- was one such contractor, reportedly holding a $122,000 salaried position at Booz Allen Hamilton at the time of his departure.
Civil libertarians are outraged at the revelation the NSA is reportedly spying on more than one-third of Americans -- obtaining phone records from phone companies, in case it might need them for later use. Edward Snowden, the man who leaked details of that program, also revealed a second effort dubbed “Prism,” which represented a more aggressive grab of email and other communications. (See: Prism Exposes Unwritten Privacy Rules.)
While outsourcing can initially appear to deliver massive cost savings, some firms are starting to wake up to its hidden costs -- shipping, production latency, and quality control. But perhaps the biggest hidden cost of outsourcing is intellectual property (IP) theft.
The version of Windows 8.1 that Microsoft previewed this week is a step in the right direction, but it shows that Microsoft is still missing the boat in some ways.
Whether you’re an engineering firm that uses CAD for parts design, or an e-business that leverages Photoshop for user-interface graphics, you likely require a modest graphics-processing unit. In the old days, this was a daunting hurdle to innovation, but today, the situation has improved thanks to technologies like NVIDIA’s GRID and Microsoft’s RemoteFX. Such virtualized graphics protocols allow you to load-balance graphics-intensive workloads from virtual desktops on a server-side graphics card.
Data mining of social networks means people might face unforeseen consequences as a result of their seemingly innocuous personal choices and associations.
What can users today do to protect their online privacy? The simplest and most obvious option is to not use the Internet – at all. However, once all digital information is consolidated over the Internet, trying to protect digital identity by simply unplugging from the Internet becomes impossible – a fact that has manifest implications for civil liberties, Saunders says.
By 2011 the number of Internet-connected sensors will exceed 1 trillion, making your chances of doing anything or going anywhere unnoticed pretty much zero. Saunders talks about how the 'sensortization' of the Internet is eliminating the traditional divide between online and offline populations.
The 20th Century Internet was characterized by the ability to interact with other people and information on the Internet largely without anyone knowing who you were. The Internet of this century, conversely, will be defined by identity. Saunders explains how Internet users are unwittingly contributing to the demise of the anonymous Internet.
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
Companies are still getting their feet wet with social networking and what employees should and shouldn't broadcast. But they don't always involve HR and PR. Here's why they should, and what they risk when they don't.
The US government is funding controversial projects to collect daily Internet activity, including Web searches, Twitter messages, Facebook and blog posts, and the digital location trails generated by billions of cellphones. Its goal is to map these interactions to predict social behavior, such as protests.
Our online communications and privacy are being threatened by governments and corporations. Eben Moglen believes it's time for a People's Internet, made possible by "Freedom Boxes."
Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
