Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Bitcoin Security News

Satoshi Nakamoto's Email Address Compromised 65

ASDFnz writes: Satoshi Nakamoto, the respected (and currently missing) inventor of Bitcoin, seems to have had his email address compromised by an unknown agent. Satoshi exclusively used one email address when he was active in the Bitcoin community: satoshin@gmx.com. If you have a look at the original Bitcoin whitepaper (PDF), you will find it there at the top just under the title. He also usually signed his correspondence with his PGP signature. Earlier today, the head administrator of Bitcointalk, Theymos, received an email from Satoshi's email address that appeared to originate from GMX's servers. Theymos made a post on the Bitcointalk forums saying he had received an email from the address without Satoshi's PGP signature. Later, the unknown agent posted to other Satoshi accounts.
This discussion has been archived. No new comments can be posted.

Satoshi Nakamoto's Email Address Compromised

Comments Filter:
  • WRONG! (Score:4, Insightful)

    by Anonymous Coward on Tuesday September 09, 2014 @03:41AM (#47859837)

    His address expired and someone re-created it.

    Nothing to see here, move along...

    • Re:WRONG! (Score:5, Informative)

      by ASDFnz ( 472824 ) on Tuesday September 09, 2014 @03:45AM (#47859855)

      His address expired and someone re-created it.

      Nothing to see here, move along...

      Even if that is true (and I am not saying it is) it has lead to a host of his other accounts being compromised.

      Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

      http://mineforeman.com/2014/09... [mineforeman.com]

      • by Anonymous Coward

        Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

        Let me guess, someone clicked "I forgot my password" and had the "reset password"-email sent to the freshly re-created gmx address?

        • by Anonymous Coward
          This is precisely why systems allowing the user to reset the password through e-mail are very problematic. The attacker has only to gain access of the e-mail address to get access to various other websites too.
          • Re:WRONG! (Score:5, Insightful)

            by Anonymous Coward on Tuesday September 09, 2014 @04:39AM (#47860013)
            You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."

            But all systems rely on a key thing. So you're not really saying anything at all.

            • by Anonymous Coward
              Seriously? You don't see a problem with an attacker cracking into someone's e-mail account and at the same time gaining access to bunch of other websites? The control of that e-mail account allows the attacker to completely bypass the "key thing" of all those other websites by a simple password reset request.
            • This is beaten to death over and over again. Standard procedure for secure authentication outside of ssh is to use keepassx or bitkeeper. Fully random secure seed generated 32 char passwords. cut and paste done. And the standard security systems a.k.a consisitent use of GNUPg worked as it was quickly detected as a forgery. This article blew my mind in that someone actually used gnupg. Password security is so old the guy beating it do death doesn't stink anymore. When somebody starts talking about host au
            • by tlhIngan ( 30335 )

              You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."
              But all systems rely on a key thing. So you're not really saying anything at all.

              Except that key thing is highly transient and changes frequently enough that if it's any length of time old, it needs to be verified.

              It's why systems often verify email addresses once every year or so - not just to avoid spamming, but to make sure the person their sending stuff to is the same one.

              Hell, you run into

            • But all systems rely on a key thing.

              No. Secure systems should rely on multiple key things.

            • by mysidia ( 191772 )

              But all systems rely on a key thing. So you're not really saying anything at all.

              Not true. There are systems which require a combination of elements, so they don't rely on any one thing.

              For example: Instead of simply sending a password reset e-mail, they might ask you to complete a captcha, then on success send a password reset e-mail.

              When the link is clicked, then you have to answer some security questions correctly.

              Give too many wrong answers, and your account will be locked out, and you ha

          • What is the alternative? Phone calls?
            • by mlk ( 18543 )

              Yes. Or some form of two phase auth. Email followed by SMS for example.

            • by heypete ( 60671 )

              What is the alternative? Phone calls?

              Several email services (e.g. Gmail, Yahoo, etc.) do just that: they can send voice calls or SMS messages to a phone number you've registered with them prior to the loss of your account.

              Due to the importance of email addresses when it comes to authentication (e.g. password resets for non-email services are nearly always sent to one's email address) it makes sense to have email services be secure from compromise (e.g. 2FA) and recoverable in a secure manner (e.g. phone-based validation).

              Domain names are also

        • by ASDFnz ( 472824 )

          After the GMX account was gained (however that happened), yes the person targeted known Satoshi accounts. P2P Foundation was also hit;-

          http://p2pfoundation.ning.com/... [ning.com]

      • by EzInKy ( 115248 )

        Then that is the fault of the senders not doing there due diligence. Even real physical address schemes get changed now and then to meet modern needs.

      • by mysidia ( 191772 )

        Even if that is true (and I am not saying it is) it has lead to a host of his other accounts being compromised.

        Probably by using password reset links.

    • Re: (Score:3, Insightful)

      by Raumkraut ( 518382 )

      An email address "expiring" and being re-used these days is plain negligence on the part of the email provider.
      It's not like there's a shortage of domain names one can use for email, so there is no reason to reuse existing ones. Especially given the potential security issues which can arise - as demonstrated by this particular incident.

      • Re:WRONG! (Score:5, Insightful)

        by Richard_at_work ( 517087 ) <richardpriceNO@SPAMgmail.com> on Tuesday September 09, 2014 @06:50AM (#47860415)

        Why is it negligence on part of the email provider? What obligation do they have to take out email addresses permanently just because you can't be arsed to log into the account?

        Does your logic carry over to domain names? Company names? Phone numbers? Addresses?

        Your post shows an all too common insistence that third parties should protect you, rather than you protecting yourself.

    • by Anonymous Coward

      That was the original theory, however Bitcoin core dev Peter Todd received a forwarded email from 2011 from that address, which indicates Satoshi's email was in fact hacked:

      > Interesting, got another forwarded email from "satoshi", from 2011 - indicates this was a hijacked account, not expired and re-registered. [twitter.com]

    • You may be correct sir:


      [Querying whois.verisign-grs.com]
      [Redirected to whois.schlund.info]
      [Querying whois.schlund.info]
      [whois.schlund.info]
      Domain Name: gmx.com
      Registry Domain ID:
      Registrar WHOIS Server: whois.1und1.info
      Registrar URL: http://1and1.com/ [1and1.com]
      Updated Date: 2014-05-08 00:00:00
      Creation Date: 1994-05-07 00:00:00
      Registrar Registration Expiration Date: 2015-05-08 00:00:00
      Registrar: 1&1 Internet AG
      Registrar IANA ID: 83
      Registrar Abuse Contact Email: abuse@1and1.com
      Registrar Abuse Contact Phone:
      Reseller:

      • Or I know nothing about gmx.com, didn't realize they were an email provider.

        What kind of genius doesn't have his own domain? Are we men?

        • Or I know nothing about gmx.com, didn't realize they were an email provider.

          What kind of genius doesn't have his own domain? Are we men?

          Someone that is trying to stay anonymous doesn't want their name splattered over Whois dns records.

          • by mysidia ( 191772 )

            Someone that is trying to stay anonymous doesn't want their name splattered over Whois dns records.

            Every major DNS registrar has a privacy service. These days you could also use a 3rd party escrow in a different country, and buy the domain using BTC.

            • and buy the domain using BTC.

              Nice. Real nice. We are talking about Satoshi creating an anonymous email here - BTC wasn't invented yet!

              I think a free email service offers the simplest and best privacy. Running a domain requires payment and hosting, which are hard to do 100% anonymously.

              • by mysidia ( 191772 )

                Nice. Real nice. We are talking about Satoshi creating an anonymous email here - BTC wasn't invented yet!

                I'm just attempting to point out that Satoshi has made it even easier than before.

                It was still possible to register a domain anonymously before, so even the registrar wouldn't know the ID of the person..... it just involved a little bit more work and expense.

            • Every major DNS registrar has a privacy service. These days you could also use a 3rd party escrow in a different country, and buy the domain using BTC.

              So you're saying that the inventor of bitcoin should have used bitcoin to purchase a domain before he had invented it? Shades of Emmett Brown man, what were you thinking?

  • We all learned early on that email addresses are only temporary. Anyone who expects that an ancient of numbers would lead them to the same person as they did years ago is a fool.

    • by pushing-robot ( 1037830 ) on Tuesday September 09, 2014 @04:04AM (#47859935)

      "Ancient of Numbers" is my new title, thanks.

      • I now have the mental image of a colossus dating back to the Roman Empire that shambles about. On it's stone surface are engraved numerous roman numerals. Some researchers believe the roman numerals are representative of the Roman Legions, however the presence of MCXIV makes other researchers believe the first group to be morons.

      • by mysidia ( 191772 )

        E-mail addresses aren't numbers. Hi, My name is Mysidia. My name has been Mysidia since 1984.

        For the next 1,000,000 years, nobody else should be allowed to use my name, and it should always point to me exclusively.

        I am not exactly laying claim to 1234.... but a unique moniquer.

  • by Anonymous Coward on Tuesday September 09, 2014 @06:20AM (#47860325)

    An email was received from that address without Satoshi's PGP signature. That does not mean that the email account has been compromised. It is trivial to forge an email, thus the need for cryptographic signatures in the first place.

  • by Anonymous Coward

    UPDATE: The unknown agent has also seems to use the email address to compromise Satoshi ‘s account at the P2P Foundation and has now posted;-

    Dear Satoshi. Your dox, passwords and IP addresses are being sold on the darknet. Apparently you didn’t configure Tor properly and your IP leaked when you used your email account sometime in 2010. You are not safe. You need to get out of where you are as soon as possible before these people harm you. Thank you for inventing Bitcoin.

    UPDATE2: Satochi’s SourceForge account now appairs comprised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin. It is important to note, the bitcoin source has not been hosted at sourceforge for a few years now but you should not download binaries from sourceforge.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      UPDATE2: Satochi’s SourceForge account now appairs comprised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin.

      You know, I'm actually going to convert $10 into ButtCoin. Never know how this stuff's going to turn out.

    • by Khyber ( 864651 )

      "changing Bitcoin to Buttcoin in the description of bitcoin."

      Go in other words, some idiot from 4chan is likely responsible. Likely from /g/

    • UPDATE3: Pictures of Satoshi in the nude from his private iCloud account have now been posted all over 4chan.

      Stay on Slashdot as this story develops...

  • Come together and hack the account back and destroy it!

"Mr. Spock succumbs to a powerful mating urge and nearly kills Captain Kirk." -- TV Guide, describing the Star Trek episode _Amok_Time_

Working...