Just checked out their recover password page. Just date of birth and one security question are needed. So if you already know a person, pretty easy to hack their accounts.
There's no cooldown period when you guess wrong. They say there's a 24 hour cooldown, but there isn't one. You can keep guessing all day if you solve a captcha for every three guesses you make. Captcha cracking is a cheap offshorable service, $1 for a thousand.
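As an added illustration (my code, not anything from GMX or this thread) of the control the post says is missing: a per-account limiter that enforces a real 24-hour cooldown after three wrong recovery answers, with the "captcha every three guesses" gate modelled separately to show it does not cap guess volume on its own. All names and the sample answers are hypothetical.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 3            # wrong answers allowed before the cooldown kicks in
COOLDOWN_SECONDS = 24 * 3600
CAPTCHA_EVERY = 3           # the "captcha every three guesses" gate from the post

class RecoveryThrottle:
    """Per-account limiter for password-recovery answers (date of birth, security question)."""
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(int)      # account -> consecutive wrong answers
        self.guesses = defaultdict(int)       # account -> total answers submitted
        self.locked_until = {}                # account -> unix time the cooldown ends

    def locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def attempt(self, account, answer, correct, captcha_ok=True):
        """Return (accepted, reason). A locked account refuses even a correct answer
        until the cooldown expires, so guessing cannot continue by solving captchas."""
        if self.locked(account):
            return False, "cooldown"
        self.guesses[account] += 1
        if self.guesses[account] % CAPTCHA_EVERY == 0 and not captcha_ok:
            return False, "captcha"
        if hmac.compare_digest(answer.encode(), correct.encode()):
            self.failures[account] = 0
            return True, "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + COOLDOWN_SECONDS
            self.failures[account] = 0
        return False, "wrong"

def evaluated_guesses(throttle, account, guesses, correct):
    """Count how many of a guesser's answers were actually checked against the real one."""
    n = 0
    for g in guesses:
        _, reason = throttle.attempt(account, g, correct)
        n += reason in ("ok", "wrong")
    return n
```

With only the captcha gate, every guess after a solved captcha is evaluated; with the cooldown, at most three are checked per 24 hours.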
Agreed. I've been with many different email services, both free and paid, and GMX has never given me any impression as a secure service. It has too much of a side-project-run-by-some-web-hosting-company look and feel.
Anecdotal evidence, but there are lots of security-related complaints in a popular (albeit non-technical) review site:
I wouldn't be surprised if satoshi's account turns out to have been hacked years ago, and the culprits have been using it to buy expensive electronics with stolen credit cards. After all, the original pastebin said that the account details were already circulating in the black market. Only recently somebody might have realized that this was no ordinary hacked account.
Thunderbird, which I used almost exclusively at the time, was unable to log in, then I tried it via their website which didn't work.
I contacted support, and they told me that someone had changed the password and logged in since. They gave me the option to get my account back by providing a scan of my ID or passport, which I did.
The hacker never contacted me. I do not know to this day what his or her goal was because the attacker didn't send or receive any emails with my account. I believe that the attacker got access to a large batch of accounts and he simply couldn't find a way to contact me via the Internet. (I didn't use Facebook or other social services at the time.)
> Did you have a secret question that could have been guessed?
I never used the secret question option on any service. Whenever I'm forced to enter something, I enter senseless garbage like "jkanshbuicbwnaiubdaibvjabfuzabfnbi" precisely because I think that secret questions are unsafe and dangerous.
> Do you know what phishing is? Would you have ever fallen for it?
Yes, but I have never shared the login data with anyone, and when I logged in on other machines (which I did rarely), I used a browser that I had on my USB stick for that (which was encrypted).
> Is it possible your saved password was stolen by malware?
I do not have any reason to believe that (I never had a malware problem that I know of), but obviously I could never rule that out. But on the other hand my GMX account wasn't really important. There were accounts that the attacker could have used to steal money from me (for example: PayPal), yet I have never lost access to any other account.
Like I said, I still can't rule out the possibility (nobody could), but I believe that I had a reasonable setup at the time. I used the GMX website (rarely) via a browser on my encrypted USB stick (which I still possess) and had a Thunderbird setup with POP3 at the time so I wouldn't have to log in.
A KeePass password should be prohibitively hard to brute force that way. They're random and fairly long. It's far more likely the attacker found some other route.
Recovery passwords for email accounts are actually kind of tricky, since the standard is generally recover-password-through-proof-of-control-of-email-account.
You can do SMS, but then you need phone numbers for users. Requiring "alternate email" is kind of a nightmare.
I wish someone could build an "account recovery as a service", with different levels of escalation. It would be fun to spec it out, but I have no time to actually set it up, since it's more a business vs. just some servers.
Since we don't know who Satoshi Nakamoto is, there is no way to prove whether identity theft occurred to this person.
Whoever has control of certain accounts is, for all intents and purposes, Satoshi Nakamoto.
Someone who jumps up and down claiming that he is the real Satoshi who has been locked out from those accounts and subject to extortion could be the real one, or could be a liar.
There is no way to know whether the incident took place at all, or if it did take place, which of the two people are the real one.
It could be a complete hoax perpetrated by a single person, or two people, any of whom may or may not be Satoshi Nakamoto. The real Satoshi Nakamoto could also be a group of people to begin with. Or a very clever dog.
The SourceForge "vandalism" was widely reported enough that while it was "reverted" prior to me seeing it live, it seems to have happened... but everything else I've seen since (which could very well not be everything... I haven't been following super closely) requires me to believe in either easily faked screenshots (the article this discussion links to mentions possible photoshopping, but it is even easier than that to just use developer tools to modify the number of total emails a site is displaying prior to screen-capturing) or 3rd party reports with no details (e.g. the Peter Todd tweet where he says he got a forwarded 2011 email but doesn't really go into specifics).
So my belief is there was some kind of incident here, but it is impossible to determine exactly what the scope of it was compared to the high likelihood of a lot of follow-up trolling.
I agree. Definitely seems like a troll. Not sure what they'd gain though, apart from a bit of internet attention. Maybe the real Satoshi is somewhere rolling his eyes at all this.
If I gain access to such an account, I change the password to something that no one will ever break. Maybe besides the rightful owner by some account recovery mechanism I am unable to disable. But multiple people having access seems a very unlikely scenario to me. Why would you share the credentials (and risk getting locked out yourself)?
In this case GMX would have to have a huge security hole that is not widely known, otherwise mass exploitation would probably quickly trigger alarms. Not impossible but seems also unlikely to me because it must be known to at least a couple of people and I would imagine that the knowledge about such a security hole would spread quite quickly once more than a handful of people know about it. And an inside job by several different people at more or less the same point in time seems unlikely, too. So the most likely scenario to me is still that only a single person broke the password and the multiple-people-have-access-story is just FUD.
I think we've passed the point where even if the original Satoshi steps forward with a PGP signed autobiography nobody will believe it's really him. We like our legends I guess.
> even if the original Satoshi steps forward ... nobody will believe it's really him
I beg to differ. If the real Satoshi actually wanted to identify himself, he'd have no trouble convincing us beyond a reasonable doubt even without his original keys.
This situation is not like trying to decide if you believe a person who says he bought the winning lottery ticket for cash but then lost it.
This situation is more like trying to decide if you believe a person who says he's a thoracic surgeon who's an expert in US Constitutional law, speaks Finnish, and can do somersaults while skiing. Ask him to explain in Finnish how to do laparoscopic Nissen fundoplication.
Just look at all the things that Satoshi has to answer correctly:
- expert level C++ programmer
- fluent English, excellent grammar
- deep knowledge of cryptography
- extensive knowledge of mathematics (maybe not a PhD, but he's no slouch)
- totally intimate with the original Bitcoin code
- familiar with all the history of Bitcoin (at least the history pre-2010)
- plausible explanations for all his actions
- etc.
We're talking about a minuscule fraction of the world's population that could convincingly fake all of this knowledge and ability -- maybe a few hundred people at most on the entire Earth.
Suppose Bruce Schneier claimed to be Satoshi, then you could look at other things in Bruce's background to rebuff it. (Example: Bruce was on a commercial airplane flying over the Atlantic when one of the Satoshi emails was sent.)
Indeed. It's clear Satoshi never worked for any C++ development firm that imprinted at least some type of coherent design pattern on him. The programming has the flavor of someone involved in a lot of open source, spare-time C.
I'm not familiar enough with bitcoin - is there a secure way to prove that you own a certain number of bitcoins? If so, that's an easy barrier of evidence that Satoshi can overcome that others can't.
The owner of the private key corresponding to a bitcoin address can cryptographically sign a message proving they control the address. This functionality is built into most modern bitcoin wallets.
Any public writer would have most likely been discovered already. People are fairly easy to identify by their use of language if you have access to any reasonable body of their work. I presume that people have at least expended this level of effort to attempt to find him or eliminate particular candidates.
Good point. I think his private PGP key and moving some coins around might be pretty convincing though... Even a stupid version of Nakamoto would understand that private keys are kept offline and in safe storage, especially if you made software as complex as Bitcoin. I think I would have thrown away my wallet so that the early mined blocks simply could not be moved even if I wanted to.
And in any case, Nakamoto may not be a single person after all.
The identity could remain unverified for eternity if original keys aren't available, and it's possible there was a deliberate destroying of the keys. Satoshi has said that the losing of coins was a donation to everyone else -- and who else would make a donation to the entirety of the Bitcoin ecosystem other than Satoshi?
What a degenerate display of "hacking." Some man (or a group, whatever) gives the Internet something remarkable and a bit historic, but wishes to remain anonymous.
So instead of respecting that wish we have people like this, also wishing to remain anonymous, attempting to hunt this man to shake him down for payment using that man's own creation!
That's closer to repugnance than to irony in my book.
The repugnant thing is that there are a lot of things that are best kept secret, but there is a "hacker ethos" (yeah, not followed by all hackers) to disclose everything. Or at least everything about the other guy. Often enough, privacy really is the main consideration in deciding what to disclose and what not to disclose. Sometimes keeping secrets is beneficial for everyone.
I've always thought that most people "in the know" know that Nick Szabo (well, the guy going under that name) had something to do with bitcoin in its early days. If you read his blog from 1999 onward, I think you will come to the same conclusion. I think the whole "who is Satoshi Nakamoto" legend really masks a lot of the facts.
Assuming what's in the article is true, I suppose it's only a matter of time before a torrent of the mailbox shows up. I have to admit that if I had access to that account, I wouldn't be able to resist the urge to clone it via POP3/IMAP – it seems strange that if "multiple people" have access to it none of them have done this.
If you really found the identity of Satoshi, wouldn't it make far more sense to contact him privately and blackmail him? He's got, what, one and a half million bitcoins?
Perhaps out of some twisted sense of honor the individual in question feels that blackmailing such a mysterious and (among hackers) revered figure would be unseemly. Although if this account is true it seems like he might be blackmailing him anyway.
When you are dealing with someone who potentially has access to hundreds of millions of dollars, blackmailing them in public might be a way of protecting yourself from having an "accident".
There are ways to anonymously contact someone. Buy a prepaid cell phone. Hire a lawyer under an assumed name. Send a letter, but put a fake return address.
It no longer really matters who Satoshi is. He doesn't participate in Bitcoin development. He isn't that wealthy, yet at least.
Nor can his character assassination affect Bitcoin much, while it could a few years ago. He was pretty smart staying anonymous; he realized he would be targeted and smeared.
He's potentially worth a _lot_ of money and could have a heavy hand in swaying the bitcoin market for the worse if he wanted to... or if someone else was somehow able to force his hand.
As the article states, if this person had really wanted to profit, a far easier method would have been to use Satoshi's identity to manipulate the price of Bitcoin. Either he didn't, in fact, realize that opportunity (despite his claims), or he has other motives besides simply profiting from the hack. (Or something more complicated is going on.)
Except when people want to believe something or have fear (of losing mass amounts of money) of something, they tend to act irrationally.
He wouldn't be able to convince me of his identity without one of his private keys, but there are thousands of people who would have latched on, and then once those people start confirming the story it only convinces more people and so on, in a snowball effect.
You don't think his email alone would be enough to at least bump the price? I bet if you sent emails to a few select journalists from an account known to belong to Satoshi, implying that you will begin offloading coins, you could easily cause the price to drop. I'm sure there are other ways too. Even if they thought to authenticate his identity, which many wouldn't, they would still write something up about it, and the speculation alone would have an effect.
Emails started bouncing to the account around 05:00 GMT last night; it's likely that was one of the only ways the attacker could maintain communication.
So, basically, process of elimination: go to his home with torches and pitchforks, detain him for an extended period of time, and if the e-mail hacker shows up, this guy is totally innocent!
I suspect that this is not Satoshi's fault, but that GMX security is really bad.