Monday, June 20, 2011

MtGox Compromise And What It Means To Me

MtGox is a BitCoin Exchange Market for the BitCoin digital currency. I had read about BitCoin last year but waited for it to mature before stepping into the market.

About two weeks ago I invested about $880 USD in MtGox, and 2 days later a Distributed Denial of Service (DDoS) attack was launched at MtGox. I did some reading and it wasn't the first time they were under attack; they had everything secured and well planned, so I wasn't worried.

The market volume suddenly increased with massive quantities flooding the market, followed by a market crash (prices dropped to $13/BTC where the price previously was $17). MtGox closed the market and halted all transactions. Apparently, they were compromised.

I panicked at first as I couldn't access my account on MtGox (they froze all) and they said they were going to do a roll over, which means undo everything and return to the state before the crash.
I wasn't happy because I didn't know the state of my money & coins, and those who bought coins at cheap prices could have withdrawn the coins from the market which means there is no way to trace the coins nor return them.

I still don't know how MtGox will deal with those who bought cheap coins & withdrew them, but if they do a roll back, they'll get their money/coins back to what they had before the crash, in addition to the coins they withdrew! That means extra profit! Unless they monitored the withdrawn amounts from each account and will balance those out.

Anyway, I searched for my username on Google in relation to MtGox but nothing came up. Maybe Google didn't have time to index all the pages, maybe they're underground, or maybe my user wasn't affected. Either way, my account will be rolled back and the password I used was unique to MtGox itself, so the attackers can't access my email or any other service associated with my email.

Moreover, MtGox has switched to an obscenely secure password hashing scheme: SHA-512, along with contacting GMail and providing them with a list of compromised email addresses so GMail could block them and require a password reset before accessing them (I was one of those affected).

MtGox keeps updating its post with news of what they're doing so they've not neglected their customers, even when under such a big stress.

In my opinion, I'm sticking with them because only in rough times will you see what a good company can do for its customers, and while there were inconveniences, the containment of the situation was overall successful.
Perhaps people would have felt much better had MtGox shared how it manages its systems and what kind of security schemes are implemented so that we know they can be trusted. I hope they do that soon.

Away from MtGox, and in general, those who know me well know pretty well that I'm a paranoid person when it comes to computers and being online. Below are some of my practices for staying safe:

  • Different passwords for different accounts.
  • If I forgot a password, it's OK, I request a password reset.
  • Passwords are at least 10 camel-cased alphanumeric and special characters.
  • My passwords are a mixture of meaningful words forming a non-meaningful sentence: R0undTomatoe$Insid3Triangl3Whalez
  • Always check my emails from my own systems & never someone else's (not even family or friends).
  • GMail shows you the list of IPs of who last accessed your account & alerts you on suspicious access.
  • When you create an account at a new site, request a password reset; if they send you the exact password in plaintext, close your account. They're not securing their database & don't care about your account security.
    If they send you a link to reset the password, or email you a randomly generated password, then you're fine.
  • Use different browsers: One for your accounts and another browser for everything else.
    I use Chrome for GMail and Twitter. All links in emails or tweets are opened in Incognito mode (separate/isolated processes from the main) or in Firefox.
  • I use Linux. No Windows or Mac for me, and please don't laugh at Windows if you're a Mac fanboy, Mac OSs are less secure than Windows but aren't targeted as much because you're a minority.
  • If you have to use Windows, use a good antivirus. I put Kaspersky on my family members' machines. I had used it for companies and fully trust it.
  • Do not open emails from strangers.
  • Emails that say they're from good & honest people most likely aren't.
  • Emails that come from addresses of people you know aren't necessarily from them. The addresses can be spoofed, i.e., I can send you an email from your account without accessing your account. Magic.
  • If someone you know asks you for your password or to install something you don't know about, call them and ask them in person.
  • If you read online about a nice service that you use that isn't secure, you better not shrug it off and say that you won't be affected. That's how everyone gets slapped in the end.
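Two of the practices above rest on the same server-side idea: a site that stores only a hash of your password cannot email the password back to you, so a password reset has to be a one-time link (or a freshly generated password). The following is an added example written for this page; it is not the post author's code and not MtGox's implementation. It assumes a hypothetical in-memory user store standing in for a database, salted and iterated SHA-512 (PBKDF2) as the hashing scheme, an assumed iteration count, and a single-use, expiring reset token.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000  # assumed work factor for this example, not a value from the post

# Hypothetical in-memory stores standing in for a site's database.
_users = {}          # username -> {"salt": bytes, "hash": bytes}
_reset_tokens = {}   # token -> (username, expiry as unix time)


def _derive(password, salt):
    # Salted, iterated SHA-512 via PBKDF2: the site keeps this digest, never the password.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    # A fresh random salt per account, so equal passwords do not produce equal hashes.
    salt = os.urandom(16)
    _users[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify(username, password):
    record = _users.get(username)
    if record is None:
        return False
    # Constant-time comparison of the stored digest against the recomputed one.
    return hmac.compare_digest(record["hash"], _derive(password, record["salt"]))


def request_reset(username, ttl_seconds=900):
    """Issue a one-time reset token for the account.

    The original password cannot be recovered from the stored hash, so a
    token (sent as a link) is all the site is able to mail out."""
    if username not in _users:
        return None  # the HTTP layer should answer identically either way
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = (username, time.time() + ttl_seconds)
    return token


def complete_reset(token, new_password):
    # pop() makes the token single-use: a second presentation finds nothing.
    entry = _reset_tokens.pop(token, None)
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    register(username, new_password)  # new salt, new hash; the old digest is gone
    return True


def exported_record(username):
    """What a dump of this user's row would reveal: username, salt and hash in hex."""
    record = _users[username]
    return f'{username}:{record["salt"].hex()}:{record["hash"].hex()}'


if __name__ == "__main__":
    register("demo", "Constructed-Passw0rd!")  # constructed sample account
    print("login ok:", verify("demo", "Constructed-Passw0rd!"))
    token = request_reset("demo")
    print("reset link token:", token)
    print("reset done:", complete_reset(token, "An0ther-Constructed1"))
    print("stored row:", exported_record("demo"))
```

The stored row printed at the end is the whole point of the "request a reset right after signing up" check in the list: a site built this way has nothing it could email you except a link, because the plaintext is never written anywhere.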

I probably have other habits that don't come to mind right now. If you have any suggestions, leave a comment (you can do so anonymously) and I'll be more than happy to add it to the list.

Live paranoid. Live safe.

Tuesday, June 7, 2011

Kuwait ISPs Capping Bandwidth

Update1: Tuesday 7th, 8:44 PM

Update2: Wednesday 8th, 8:17 PM

ISPs in Kuwait have decided to gang up on residential consumers rather than step up to the Ministry of Communication's abuse. After all, it's easier (and cheaper) for multi-million companies to bully users rather than file a lawsuit against a ministry.

ISPs have set up what they call a Fair Usage Policy, where they claim they have generously defined daily bandwidth caps/limits on users, to ensure that everyone has a pleasant experience. They have enforced this policy, WITHOUT NOTIFYING USERS!

Fair Usage Policies: QualityNet, KEMS, FastTelco and GulfNet. As you can see, some have blatantly put up the caps and others are doing it subtly without mentioning what the caps are.

According to them, "some" bandwidth abusers are the cause of this, as such, everyone must suffer!
It is not enough that they have increased their prices by at least 70% this year (February 2011), the increment was approved by the Ministry of Communications, and now the ministry is saying it'll fight the price increments!!! WHO THE HELL DO YOU THINK YOU'RE FOOLING?

In addition to the high prices and bad service, consumers were never compensated during the days of degraded service when there were regional cable cuts, which lasted for about 3 weeks.

If ISPs are saying that a few abusers have caused this, then why provide them with bandwidth if the ISPs can't handle it? Don't provide 24Mbps if you don't expect users to download at 24Mbps!!!

Speed (Mbps) | Max Downloadable/Day (GigaBytes) | New Cap Limit/Day (GigaBytes)
1            | 10.54                            | 1.7
1.5          | 15.82                            | 1.9
2            | 21.1                             | 2.9
3            | 31.64                            | 3.8
4            | 42                               | 4.7
5            | 52.73                            | 5.4
6            | 63.3                             | 6
7            | 73.83                            | 6.8
8            | 84.4                             | 7.9

The formula is: Daily maximum downloadable content (GigaBytes) = (Speed in Mbps / (8*1024)) * 3600 * 24

As you can see, we're getting barely 15% of what we paid for! And that's FAIR! Take a look at this nice table for more info.

Consumers are enraged and are forming an alliance to file lawsuits against the ISPs to fight for their rights. It doesn't matter if the contract mentioned Fair Usage or not, it doesn't matter if the contracts says it can be updated without prior notice or not, you cannot rip us off like that.

We have games to play online, buy & download games online (via Steam), rent movies online (iTunes, YouTube, NetFlix and Hulu) and watch many kitty-infused videos on youtube, in HIGH DEFINITION.

ISPs do NOT get the right to define what the Internet is.

Update1: We're using the hash tag #q8cap on Twitter to rant and disclose information about the topic.

Update2: @justjimmar provided a chat log with KEMS on Facebook. Ridiculous reasons for the cap! (original link to chat log)