Satoshi Nakamoto's Email Address Compromised

ASDFnz writes: Satoshi Nakamoto, the respected (and currently missing) inventor of Bitcoin, seems to have had his email address compromised by an unknown agent. Satoshi exclusively used one email address when he was active in the Bitcoin community: satoshin@gmx.com. If you have a look at the original Bitcoin whitepaper (PDF), you will find it there at the top just under the title. He also usually signed his correspondence with his PGP signature. Earlier today, the head administrator of Bitcointalk, Theymos, received an email from Satoshi's email address that appeared to originate from GMX's servers. Theymos made a post on the Bitcointalk forums saying he had received an email from the address without Satoshi's PGP signature. Later, the unknown agent posted to other Satoshi accounts.

WRONG!

[Anonymous Coward]

His address expired and someone re-created it.

Nothing to see here, move along...

Re:WRONG!

[ASDFnz]

His address expired and someone re-created it.

Nothing to see here, move along...

Even if that is true (and I am not saying it is) it has lead to a host of his other accounts being compromised.

Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

http://mineforeman.com/2014/09... [mineforeman.com]

Re:

[Anonymous Coward]

Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

Let me guess, someone clicked "I forgot my password" and had the "reset password"-email sent to the freshly re-created gmx address?

Re:

[Anonymous Coward]

This is precisely why systems allowing the user to reset the password through e-mail are very problematic. The attacker has only to gain access of the e-mail address to get access to various other websites too.

Re:WRONG!

[Anonymous Coward]

You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."

But all systems rely on a key thing. So you're not really saying anything at all.

Re:

[Anonymous Coward]

Seriously? You don't see a problem with an attacker cracking into someone's e-mail account and at the same time gaining access to bunch of other websites? The control of that e-mail account allows the attacker to completely bypass the "key thing" of all those other websites by a simple password reset request.

Re:

[um... Lucas]

Whats the alternative, though?

Re:

[codermattie]

This is beaten to death over and over again. Standard procedure for secure authentication outside of ssh is to use keepassx or bitkeeper. Fully random secure seed generated 32 char passwords. cut and paste done. And the standard security systems a.k.a consisitent use of GNUPg worked as it was quickly detected as a forgery. This article blew my mind in that someone actually used gnupg. Password security is so old the guy beating it do death doesn't stink anymore. When somebody starts talking about host au

Re:

[tlhIngan]

You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."
But all systems rely on a key thing. So you're not really saying anything at all.

Except that key thing is highly transient and changes frequently enough that if it's any length of time old, it needs to be verified.

It's why systems often verify email addresses once every year or so - not just to avoid spamming, but to make sure the person their sending stuff to is the same one.

Hell, you run into

Re:

[ShanghaiBill]

But all systems rely on a key thing.

No. Secure systems should rely on multiple key things.

Re:

[mysidia]

But all systems rely on a key thing. So you're not really saying anything at all.

Not true. There are systems which require a combination of elements, so they don't rely on any one thing.

For example: Instead of simply sending a password reset e-mail, they might ask you to complete a captcha, then on success send a password reset e-mail.

When the link is clicked, then you have to answer some security questions correctly.

Give too many wrong answers, and your account will be locked out, and you ha

Re:

[Pseudonym Authority]

What is the alternative? Phone calls?

Re:WRONG!

[neokushan]

Don't allow password recovery.

That is absolutely not a solution. That's braindead idiocy at best. The result is that people will use one password for everything and probably write it down in a few places because if they forget it, they're fucked. Yes, people do that anyway but not allowing a password reset makes the situation much worse.

If your problem is with that "one key system", then perhaps you need to secure that "one key system" better. Twofactor auth on email hardens that single point and makes it very difficult to compromise. If an attacker is still able to compromise it, then I'd wager they'd be able to compromise those other systems anyway.

Re:

[Anonymous Coward]

Wow, beta is garbage. Way to fuck up quotes.

Re:

[s0nicfreak]

So what info could be used, to verify that you do indeed speak on behalf of the account owner, that people like ex-wives would not know and could use maliciously by lying that the person is dead or in the hospital?

Re:

[s0nicfreak]

Well, I guess that works if the family has a fax machine or a scanner and the knowledge to use it to get a copy to the service providers. And if we pretend you can't fake a death certificate. And if the family doesn't need to access anything before they get the death certificate. And if all service providers hire people to look at the death certificates.

So what about when that person is just in the hospital, unconscious and not dead?

Re:

[Anonymous Coward]

" are only a response to the failure of users to chose passwords with a entropy high enough to withstand even the most basic of dictionary attacks"
A completely incorrect response yes, that something is a response does not give it some fundamental rightness.

"And yes; 123456 ist still one of the most-used passwords out there."
A far more appropriate response then would be to enforce minimum length, encourage passphrases and warn when a dictionary password is used.
Instead every IT admin without a clue about sec

Re:

[um... Lucas]

were past the stage of "don't write down your passwords". Too many sites, too many passwords... Personally, I use pwSafe (a mac and iOS version of Schneiers password safe), but i know plenty of people who keep notebooks hidden with their passwords all written down. Better that than use a single password everywhere.

Re:

[mlk]

Yes. Or some form of two phase auth. Email followed by SMS for example.

Re:

[heypete]

What is the alternative? Phone calls?

Several email services (e.g. Gmail, Yahoo, etc.) do just that: they can send voice calls or SMS messages to a phone number you've registered with them prior to the loss of your account.

Due to the importance of email addresses when it comes to authentication (e.g. password resets for non-email services are nearly always sent to one's email address) it makes sense to have email services be secure from compromise (e.g. 2FA) and recoverable in a secure manner (e.g. phone-based validation).

Domain names are also

Re:

[ASDFnz]

After the GMX account was gained (however that happened), yes the person targeted known Satoshi accounts. P2P Foundation was also hit;-

http://p2pfoundation.ning.com/... [ning.com]

Re:

[EzInKy]

Then that is the fault of the senders not doing there due diligence. Even real physical address schemes get changed now and then to meet modern needs.

Re:

[mysidia]

Even if that is true (and I am not saying it is) it has lead to a host of his other accounts being compromised.

Probably by using password reset links.

Re:

[Raumkraut]

An email address "expiring" and being re-used these days is plain negligence on the part of the email provider.
It's not like there's a shortage of domain names one can use for email, so there is no reason to reuse existing ones. Especially given the potential security issues which can arise - as demonstrated by this particular incident.

Re:WRONG!

[Richard_at_work]

Why is it negligence on part of the email provider? What obligation do they have to take out email addresses permanently just because you can't be arsed to log into the account?

Does your logic carry over to domain names? Company names? Phone numbers? Addresses?

Your post shows an all too common insistence that third parties should protect you, rather than you protecting yourself.

Re:

[Anonymous Coward]

That was the original theory, however Bitcoin core dev Peter Todd received a forwarded email from 2011 from that address, which indicates Satoshi's email was in fact hacked:

> Interesting, got another forwarded email from "satoshi", from 2011 - indicates this was a hijacked account, not expired and re-registered. [twitter.com]

Re:

[H0p313ss]

You may be correct sir:

[Querying whois.verisign-grs.com]
[Redirected to whois.schlund.info]
[Querying whois.schlund.info]
[whois.schlund.info]
Domain Name: gmx.com
Registry Domain ID:
Registrar WHOIS Server: whois.1und1.info
Registrar URL: http://1and1.com/ [1and1.com]
Updated Date: 2014-05-08 00:00:00
Creation Date: 1994-05-07 00:00:00
Registrar Registration Expiration Date: 2015-05-08 00:00:00
Registrar: 1&1 Internet AG
Registrar IANA ID: 83
Registrar Abuse Contact Email: abuse@1and1.com
Registrar Abuse Contact Phone:
Reseller:

Re:

[H0p313ss]

Or I know nothing about gmx.com, didn't realize they were an email provider.

What kind of genius doesn't have his own domain? Are we men?

Re:

[lister king of smeg]

Or I know nothing about gmx.com, didn't realize they were an email provider.

What kind of genius doesn't have his own domain? Are we men?

Someone that is trying to stay anonymous doesn't want their name splattered over Whois dns records.

Re:

[mysidia]

Someone that is trying to stay anonymous doesn't want their name splattered over Whois dns records.

Every major DNS registrar has a privacy service. These days you could also use a 3rd party escrow in a different country, and buy the domain using BTC.

Re:

[__1200333]

and buy the domain using BTC.

Nice. Real nice. We are talking about Satoshi creating an anonymous email here - BTC wasn't invented yet!

I think a free email service offers the simplest and best privacy. Running a domain requires payment and hosting, which are hard to do 100% anonymously.

Re:

[mysidia]

Nice. Real nice. We are talking about Satoshi creating an anonymous email here - BTC wasn't invented yet!

I'm just attempting to point out that Satoshi has made it even easier than before.

It was still possible to register a domain anonymously before, so even the registrar wouldn't know the ID of the person..... it just involved a little bit more work and expense.

Re:

[Fnord666]

Every major DNS registrar has a privacy service. These days you could also use a 3rd party escrow in a different country, and buy the domain using BTC.

So you're saying that the inventor of bitcoin should have used bitcoin to purchase a domain before he had invented it? Shades of Emmett Brown man, what were you thinking?

If true, it should be changed.

[EzInKy]

We all learned early on that email addresses are only temporary. Anyone who expects that an ancient of numbers would lead them to the same person as they did years ago is a fool.

Re:If true, it should be changed.

[pushing-robot]

"Ancient of Numbers" is my new title, thanks.

Re:

[Talderas]

I now have the mental image of a colossus dating back to the Roman Empire that shambles about. On it's stone surface are engraved numerous roman numerals. Some researchers believe the roman numerals are representative of the Roman Legions, however the presence of MCXIV makes other researchers believe the first group to be morons.

Re:

[spiritplumber]

You just wrote the teaser to a Doctor Who episode!

Re:

[TangoMargarine]

Hey, they have secret dinosaurs living in the center of the Earth and Wi-Fi killing people; it can't be any worse.

*does Smith vigorous hand-flap*

Re:

[mysidia]

E-mail addresses aren't numbers. Hi, My name is Mysidia. My name has been Mysidia since 1984.

For the next 1,000,000 years, nobody else should be allowed to use my name, and it should always point to me exclusively.

I am not exactly laying claim to 1234.... but a unique moniquer.

That is not proof of compromise

[Anonymous Coward]

An email was received from that address without Satoshi's PGP signature. That does not mean that the email account has been compromised. It is trivial to forge an email, thus the need for cryptographic signatures in the first place.

There are a couple of updates in the article

[Anonymous Coward]

UPDATE: The unknown agent has also seems to use the email address to compromise Satoshi ‘s account at the P2P Foundation and has now posted;-

Dear Satoshi. Your dox, passwords and IP addresses are being sold on the darknet. Apparently you didn’t configure Tor properly and your IP leaked when you used your email account sometime in 2010. You are not safe. You need to get out of where you are as soon as possible before these people harm you. Thank you for inventing Bitcoin.

UPDATE2: Satochi’s SourceForge account now appairs comprised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin. It is important to note, the bitcoin source has not been hosted at sourceforge for a few years now but you should not download binaries from sourceforge.

Re:There are a couple of updates in the article

[Jesrad]

Unfortunately Satoshi's wallet is worth a mega-fortune, and it's never been quite established that Satoshi destroyed the private key. All kinds of people would give a try and shake it out of him/her, for that much money.

Re:

[Anonymous Coward]

UPDATE2: Satochi’s SourceForge account now appairs comprised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin.

You know, I'm actually going to convert $10 into ButtCoin. Never know how this stuff's going to turn out.

Re:

[ShaunC]

Throw in some TittyCoin and you have a great night ahead of you!

Re:

[Khyber]

"changing Bitcoin to Buttcoin in the description of bitcoin."

Go in other words, some idiot from 4chan is likely responsible. Likely from /g/

Re:

[account_deleted]

Comment removed based on user account deletion

Hackers of the crypto world Unite!

[SinisterEVIL]

Come together and hack the account back and destroy it!

Re:

[account_deleted]

Comment removed based on user account deletion