
posted by janrinok on Thursday February 01 2018, @02:37AM   Printer-friendly
from the handy-piece-of-code dept.

My old physics teacher always said: "It's the dumb criminals who get caught; you never catch the smart ones." He was a really smart guy, and he did live a nice lifestyle, hmmm...

Anyway, so IOTA. As with any digital currency, you need some random information - a passphrase typically - that is used when you create your wallet. In the case of IOTA, which is supposed to be IoT-friendly, this means a string of 81 random characters, the generation of which could be pretty easily automated.

That's great, and the OSS world being full of helpful people, someone wrote a handy generator, put the code for all to see on GitHub, and put their generator onto a website where you could easily make use of it. Nice.

Actually, diabolical. The code on the website really was identical to the code on GitHub, except for one tiny, almost insignificant change: at some point, the owner swapped out the random seed to a value that he knew. Not even constant - that would have been too obvious - but known nonetheless.

And for many months, many people used his friendly little service. Until January 19th, when he emptied their IOTA wallets, erased his presence from the Interwebs, and quietly disappeared. $4 million or so richer.

This one won't be caught.

tl;dr for anyone who doesn't get it: The point of having a secret password, secret passphrase, or secret key is that it's secret. Which means that you don't have it generated for you by a public web service.
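As an added illustration (not code from the original story, and not the generator it describes): the seed is produced locally from the OS CSPRNG and format-checked, and beside it a hypothetical model of the flaw described above, a generator whose "randomness" is derived from a value its operator knows, so two independent runs with the same input yield the identical seed. The A-Z plus 9 alphabet is IOTA's tryte alphabet; the function names and the sample input value are assumptions of this example.

```python
import random
import secrets
import string

# IOTA seeds are 81 "trytes": the letters A-Z plus the digit 9.
TRYTE_ALPHABET = string.ascii_uppercase + "9"
SEED_LENGTH = 81


def generate_seed() -> str:
    """Build an 81-tryte seed from the OS CSPRNG (the secrets module),
    on the machine that will use it, never from a public web service."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def is_valid_seed(seed: str) -> bool:
    """Format check only: correct length and alphabet. It says nothing
    about HOW the seed was produced, which is the whole point of the story."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def predictable_seed(known_value: int) -> str:
    """Hypothetical model of the flawed generator: output is a pure
    function of `known_value`, so whoever knows that value can regenerate
    every seed the service ever handed out. random.Random is a PRNG,
    not a CSPRNG; seeding it with a known value makes it deterministic."""
    rng = random.Random(known_value)
    return "".join(rng.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def same_output_for_same_input(known_value: int) -> bool:
    """True when two independent runs of the flawed generator agree,
    i.e. the seed is reproducible by anyone holding `known_value`."""
    return predictable_seed(known_value) == predictable_seed(known_value)


def local_seeds_differ(n: int = 100) -> bool:
    """Sanity check for the CSPRNG path: n generated seeds never collide."""
    return len({generate_seed() for _ in range(n)}) == n


if __name__ == "__main__":
    seed = generate_seed()
    print(seed, "valid format:", is_valid_seed(seed))
    # Constructed sample value standing in for whatever the operator knew.
    print("flawed generator reproducible:", same_output_for_same_input(12345))
```

The format check passes for both generators; only the provenance of the randomness separates a usable seed from one the service operator can replay.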


  • (Score: 3, Interesting) by frojack on Thursday February 01 2018, @02:51AM (3 children)

    by frojack (1554) on Thursday February 01 2018, @02:51AM (#631308) Journal

    So is it cash somewhere already?

    Because if not, who is going to convert that much iota to any usable form of money?
    Isn't this a blockchain? Don't block chains record details in the chain?

    Sounds to me that this guy just bought himself a 4 million dollar never ending vacation.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 4, Interesting) by zocalo on Thursday February 01 2018, @08:37AM (1 child)

      by zocalo (302) on Thursday February 01 2018, @08:37AM (#631376)
      If not then it probably soon will be, unless those behind it think the crypto market still has potential for greater returns and have stashed some or all of it away in other currencies. Having cashed out a few $100k worth of BTC that I mined some years ago to see what the fuss was about late last year, I can confirm that there are definitely exchanges that can, and will, handle that kind of volume in a single transaction once you've established bona fides to their satisfaction - how common an occurrence it is I have no idea, but I got the distinct impression from my dealings it wasn't a rare event in the brave new "crypto as a high-risk investment" world. It can be a bit nerve-wracking while you wait for the transaction to go through and the funds to clear into your bank account.

      Since we're talking stolen coins here, rather than my cold wallet that had been sat on a USB stick, the perpetrators will probably need to launder it through some other cryptocurrencies and maybe run them through a tumbling cycle or two for good measure first. Once they've done that to their satisfaction, putting it into a few prominent currency wallets and cashing out via several exchanges probably won't be all that hard to pull off, and very few (read "none") of the exchanges are going to dig too deeply into where your currency came from. In theory, you might still be able to piece together the trail from the various blockchains, but that's going to require a lot of effort and, quite frankly, since we're talking a lot of rubes, "only" $4m, and a lack of understanding in law enforcement I doubt that there would be much of an investigation, let alone a prosecution. The US TLAs might take a quick look at it just in case it was the DPRK, etc., but that's about it.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 3, Interesting) by MrGuy on Thursday February 01 2018, @05:18PM

        by MrGuy (1007) on Thursday February 01 2018, @05:18PM (#631558)

        Sure. But the related question is what the exchange rate is, and how stable it is.

        Let's say I want to convert $50,000,000 US into Yen. I can do that - there are many markets which offer those exchanges, and the exchange rate is stable because my transaction is (relatively speaking) small compared to the rate of exchange of dollars to yen - there are many, many people who want to exchange these two things.

        Now consider if I want to convert $50,000,000 worth of Armenian Dram into Yen. Sure, there are still marketplaces out there that will do the exchange, but not nearly as many. And there's not a huge demand out there for people wanting to "buy in" to Armenian Dram who currently have Yen. If I try to sell that much, I'll likely crash the market - my supply exceeds the demand at the current price, so the price will have to fall (likely significantly) for me to sell this off. Or, I'll have to sell this off over a CONSIDERABLE period of time.

        Basically, the fact that two things CAN be exchanged is important, but the liquidity of the instruments will determine how quickly or effectively you can make the exchange.

        Your example of shapeshift is relevant - it's one of the bigger cryptocurrency exchanges. And, notably, they don't have a market for Iota - they can exchange about 50 different cryptocurrency flavors, but not that one. The smaller the market you have to go to, the smaller the pool of potential counterparties wanting to buy what you're selling with something you want, and the lower price you'll have to accept to move it.

        According to coinmarketcap [coinmarketcap.com], the TOTAL volume of transactions in Iota in a 24 hour period is about $80 million worth. That's compared to $8.5 BILLION worth of bitcoin. Iota isn't a high-demand currency. And that's before you factor in the potential that this story makes people wary about Iota, further reducing demand (Iota's value is down about 17% in the last 24 hours - again, per coinmarketcap).

        None of this is to say that the thief can't extract some value that they can (eventually) exchange into real money (almost certainly by buying more desirable cryptocurrencies like bitcoin, using a mixer to hide the tracks, and then "cashing out"). But it's very unlikely the amount they eventually get out will be close to the $4 million "value" of the Iota that was originally stolen.

    • (Score: 2) by maxwell demon on Thursday February 01 2018, @07:41PM

      by maxwell demon (1608) on Thursday February 01 2018, @07:41PM (#631640) Journal

      Isn't this a blockchain?

      Actually Iota does not use a blockchain, but a DAG they call "tangle".

      Don't block chains record details in the chain?

      I don't know about IOTA, but there are blockchains that do not record identifying information; indeed that is a major selling point of Monero.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Insightful) by jmorris on Thursday February 01 2018, @03:29AM (1 child)

    by jmorris (4844) on Thursday February 01 2018, @03:29AM (#631323)

    And here we see the wisdom in "it is immoral to let a sucker keep his money."

    These fools have learned a valuable lesson in the only way most of them are capable of learning, by pain. And while the losers think they lost something valuable, it was just play money they lost so it is all good.

    • (Score: 3, Insightful) by maxwell demon on Thursday February 01 2018, @06:27AM

      by maxwell demon (1608) on Thursday February 01 2018, @06:27AM (#631361) Journal

      And while the losers think they lost something valuable, it was just play money they lost so it is all good.

      As long as others are willing to pay for it, it is valuable. If you find someone willing to buy your excrement for its weight in gold, then your shit is literally worth gold, and anyone stealing some of it does actually cause you a real loss.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Thursday February 01 2018, @03:39AM

    by Anonymous Coward on Thursday February 01 2018, @03:39AM (#631327)

    A fool and his money are soon invited (super secret) places.

  • (Score: 5, Informative) by requerdanos on Thursday February 01 2018, @03:41AM (7 children)

    by requerdanos (5997) Subscriber Badge on Thursday February 01 2018, @03:41AM (#631329) Journal

    frojack: So is it cash somewhere already?... who is going to convert that much iota to any usable form of money?

    jmorris: it was just play money they lost so it is all good.

    Um. Not rocket science.

    Step 1. Convert IOTA to Bitcoin or Litecoin (something easily exchangeable for traditional currency). This can be done at sites like bitfinex [bitfinex.com].

    Step 2. Sell your Bitcoins/Litecoins. They are easily exchangeable for, for example, US Dollars. This can be done at sites like Coinbase [coinbase.com], Kraken [kraken.com], Bitstamp [bitstamp.net], or Poloniex [poloniex.com].

    Step 3. Whatever you want to do with the money. Maybe buy some of what the "play money"-thinking people are smoking; it must be good.

    • (Score: 2, Touché) by Anonymous Coward on Thursday February 01 2018, @04:09AM (3 children)

      by Anonymous Coward on Thursday February 01 2018, @04:09AM (#631338)

      If there exists a person who will for some reason hand you real money for play money - it still is play money.

      • (Score: 1, Insightful) by Anonymous Coward on Thursday February 01 2018, @04:48AM (1 child)

        by Anonymous Coward on Thursday February 01 2018, @04:48AM (#631346)

        if a large, monopolizing force goes around threatening to kill you if you don't use its play money, is it still play money?

        • (Score: 2) by aristarchus on Thursday February 01 2018, @05:53AM

          by aristarchus (2645) on Thursday February 01 2018, @05:53AM (#631356) Journal

          NO ONE EXpects! The violent imposition of a fiat currency! Those who do expect it, um, . . . come in again. I am now very curious about who bradley12+1's teacher was. Kevin Spacey?

      • (Score: 2) by requerdanos on Thursday February 01 2018, @05:28PM

        by requerdanos (5997) Subscriber Badge on Thursday February 01 2018, @05:28PM (#631566) Journal

        If there exists a person who will for some reason hand you real money for play money - it still is play money.

        If pretty much anyone will exchange you some widely-recognized money you call "real money" for the stuff you call "play money," then it's all as real as money gets and you are an idiot.

        Things like IOTA, Bitcoin, and the US Dollar are inherently worthless and only have value because people esteem them to have value. Because they are divisible and transferable, and people esteem them to have value, they are by definition money.

        If your "money" is only useful as a token counter when playing a board game, or in teaching money theory to children, then it is "play money." As soon as a market appears to pay you for that money, it's not play money anymore, even if you personally don't approve of same.

    • (Score: 2) by bradley13 on Thursday February 01 2018, @06:58AM (1 child)

      by bradley13 (3053) on Thursday February 01 2018, @06:58AM (#631363) Homepage Journal

      Exactly. There are plenty of services that will transform one digital currency into another [shapeshift.io]. I've used shapeshift.io - it's fast, painless, simple, and doesn't even require a login. He probably ought to take a detour through Monero, or a mixer service, along the way. After that, any exchange will turn his digital currency into cash.

      His biggest worry should probably be the ordinary tax authorities, if he gets greedy or impatient. Living suddenly beyond your means, or having your bank accounts suddenly bulging for no apparent reason - the authorities watch for exactly this kind of stuff, so patience is called for.

      --
      Everyone is somebody else's weirdo.
      • (Score: 2) by MrGuy on Thursday February 01 2018, @05:15PM

        by MrGuy (1007) on Thursday February 01 2018, @05:15PM (#631554)

        Sure. But the related question is what the exchange rate is, and how stable it is.

        Let's say I want to convert $50,000,000 US into Yen. I can do that - there are many markets which offer those exchanges, and the exchange rate is stable because my transaction is (relatively speaking) small compared to the rate of exchange of dollars to yen - there are many, many people who want to exchange these two things.

        Now consider if I want to convert $50,000,000 worth of Armenian Dram into Yen. Sure, there are still marketplaces out there that will do the exchange, but not nearly as many. And there's not a huge demand out there for people wanting to "buy in" to Armenian Dram who currently have Yen. If I try to sell that much, I'll likely crash the market - my supply exceeds the demand at the current price, so the price will have to fall (likely significantly) for me to sell this off. Or, I'll have to sell this off over a CONSIDERABLE period of time.

        Basically, the fact that two things CAN be exchanged is important, but the liquidity of the instruments will determine how quickly or effectively you can make the exchange.

        Your example of shapeshift is relevant - it's one of the bigger cryptocurrency exchanges. And, notably, they don't have a market for Iota - they can exchange about 50 different cryptocurrency flavors, but not that one. The smaller the market you have to go to, the smaller the pool of potential counterparties wanting to buy what you're selling with something you want, and the lower price you'll have to accept to move it.

        According to coinmarketcap [coinmarketcap.com], the TOTAL volume of transactions in Iota in a 24 hour period is about $80 million worth. That's compared to $8.5 BILLION worth of bitcoin. Iota isn't a high-demand currency. And that's before you factor in the potential that this story makes people wary about Iota, further reducing demand (Iota's value is down about 17% in the last 24 hours - again, per coinmarketcap).

        None of this is to say that the thief can't extract some value that they can (eventually) exchange into real money (almost certainly by buying more desirable cryptocurrencies like bitcoin, using a mixer to hide the tracks, and then "cashing out"). But it's very unlikely the amount they eventually get out will be close to the $4 million "value" of the Iota that was originally stolen.

    • (Score: 2) by All Your Lawn Are Belong To Us on Thursday February 01 2018, @08:42PM

      by All Your Lawn Are Belong To Us (6553) on Thursday February 01 2018, @08:42PM (#631678) Journal

      The real question being once this news broke, what happened to IOTA's coin price? Prices are down 21% so far in trading today.

      Assuming the coin's already been traded off, the real loser is the exchange(s) who accepted the deal only to find their quote price 20% down from then.

      Also, if it was the sum total of all Iota coins existing (the market cap was $6.4 million earlier today and is currently around $4.9 million, so the story is a little unclear to me if this was actually every Iota coin in existence or just a huge chunk of it), then whoever got it all in exchange either has total control on the current supply or a market-making block of it.

      --
      This sig for rent.
  • (Score: 5, Insightful) by maxwell demon on Thursday February 01 2018, @06:22AM (7 children)

    by maxwell demon (1608) on Thursday February 01 2018, @06:22AM (#631359) Journal

    Somewhat related: There is a huge number of online password strength checkers you find on the web. I've always wondered how many people would be dumb enough to enter their password to such a site. Well, judging from this story, probably quite a few.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 3, Funny) by Bot on Thursday February 01 2018, @08:18AM (6 children)

      by Bot (3902) on Thursday February 01 2018, @08:18AM (#631373) Journal

      Do you know that SoylentNews automatically obfuscates your password in comments? Try it.

      ******

      EDIT: oh wait, it does not work, the above IS my password. Don't try it, it does NOT work.

      --
      Account abandoned.
      • (Score: 1, Funny) by Anonymous Coward on Thursday February 01 2018, @09:27AM

        by Anonymous Coward on Thursday February 01 2018, @09:27AM (#631386)

        correcthorsebatterystaple

      • (Score: 1, Informative) by Anonymous Coward on Thursday February 01 2018, @10:24AM

        by Anonymous Coward on Thursday February 01 2018, @10:24AM (#631406)

        Your password is not secure anyway. Six characters are broken in no time these days.

      • (Score: 0) by Anonymous Coward on Thursday February 01 2018, @02:52PM (1 child)

        by Anonymous Coward on Thursday February 01 2018, @02:52PM (#631487)

        Do you know that soylentnews automatically obfuscates your ******** in comments? try it.
        FTFY

        • (Score: 0) by Anonymous Coward on Friday February 02 2018, @01:13AM

          by Anonymous Coward on Friday February 02 2018, @01:13AM (#631813)

          My password is hunter2. I can still see it in the preview. Does it appear as ******* to you?

      • (Score: 2) by bradley13 on Thursday February 01 2018, @03:54PM (1 child)

        by bradley13 (3053) on Thursday February 01 2018, @03:54PM (#631506) Homepage Journal

        Whaddaya mean? My password is 1234, and it didn't get obfuscated at all! Oh, also, please don't steal the atmosphere.

        --
        Everyone is somebody else's weirdo.
        • (Score: 0) by Anonymous Coward on Thursday February 01 2018, @05:09PM

          by Anonymous Coward on Thursday February 01 2018, @05:09PM (#631550)

          Hey, that's the combination on my luggage!

  • (Score: 2) by Bot on Thursday February 01 2018, @08:15AM (2 children)

    by Bot (3902) on Thursday February 01 2018, @08:15AM (#631371) Journal

    There are people that need help to come up with 81 random characters. Had I foretold this in the 80s when everybody had their commodores, apples and sinclairs, the laughter would have reached the south pole.

    I guess the robocalypse will happen when the first of us refuses to mop a floor or something.

    --
    Account abandoned.
    • (Score: 2) by edIII on Thursday February 01 2018, @08:34PM (1 child)

      by edIII (791) on Thursday February 01 2018, @08:34PM (#631668)

      It's ridiculously easy though.

      12385393PolomiumChickenSample%SlapMyAss&CallMeSally32373743BreakfastBurrito

      Just come up with two or three phrases and some 7 digit numbers, and you're already comfortably in the 30's. Although, all of my important passwords are now generated by OpenSSL and I keep them in an encrypted file within my Veracrypt container. Only thing that bugs me about it is that the last character is always '=' if you choose 32 characters. It's also trivially easy to generate 81 with that command.

      What's funny is that the most important password is the root password to my mail server. With that, you can control my email account, reset all of my passwords with various vendors and sites, and then lock me out.... until I take it over with DNS. Which probably means the most important password is the one to my registrar.

      It always comes down to just one password it seems when you think about it.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Thursday February 01 2018, @09:22PM

        by Anonymous Coward on Thursday February 01 2018, @09:22PM (#631701)

        I still use a paper notebook and then seek to memorize it. The paper notebook is for when I forget.

        I generally have a different password for everything, with a few exceptions depending on what it is... sometimes those required account creations just don't get the same care as the accounts I want to create.
