Slashdot Mirror


Satoshi Nakamoto's Email Address Compromised

ASDFnz writes: Satoshi Nakamoto, the respected (and currently missing) inventor of Bitcoin, seems to have had his email address compromised by an unknown agent. Satoshi exclusively used one email address when he was active in the Bitcoin community: satoshin@gmx.com. If you have a look at the original Bitcoin whitepaper (PDF), you will find it there at the top just under the title. He also usually signed his correspondence with his PGP signature. Earlier today, the head administrator of Bitcointalk, Theymos, received an email from Satoshi's email address that appeared to originate from GMX's servers. Theymos made a post on the Bitcointalk forums saying he had received an email from the address without Satoshi's PGP signature. Later, the unknown agent posted to other Satoshi accounts.

65 comments

  1. WRONG! by Anonymous Coward · · Score: 4, Insightful

    His address expired and someone re-created it.

    Nothing to see here, move along...

    1. Re:WRONG! by ASDFnz · · Score: 5, Informative

      > His address expired and someone re-created it.
      >
      > Nothing to see here, move along...

      Even if that is true (and I am not saying it is) it has led to a host of his other accounts being compromised.

      Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

      http://mineforeman.com/2014/09...

    2. Re:WRONG! by Anonymous Coward · · Score: 1

      > Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

      Let me guess, someone clicked "I forgot my password" and had the "reset password"-email sent to the freshly re-created gmx address?

    3. Re:WRONG! by Anonymous Coward · · Score: 1

      This is precisely why systems allowing the user to reset the password through e-mail are very problematic. The attacker has only to gain access to the e-mail address to get access to various other websites too.

    4. Re:WRONG! by ASDFnz · · Score: 2

      After the GMX account was gained (however that happened), yes the person targeted known Satoshi accounts. P2P Foundation was also hit;-

      http://p2pfoundation.ning.com/...

    5. Re:WRONG! by EzInKy · · Score: 1

      Then that is the fault of the senders not doing their due diligence. Even real physical address schemes get changed now and then to meet modern needs.

      --
      Time is what keeps everything from happening all at once.
    6. Re:WRONG! by Raumkraut · · Score: 2, Insightful

      An email address "expiring" and being re-used these days is plain negligence on the part of the email provider.
      It's not like there's a shortage of domain names one can use for email, so there is no reason to reuse existing ones. Especially given the potential security issues which can arise - as demonstrated by this particular incident.

    7. Re:WRONG! by Anonymous Coward · · Score: 5, Insightful
      You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."

      But all systems rely on a key thing. So you're not really saying anything at all.

    8. Re:WRONG! by Pseudonym+Authority · · Score: 2

      What is the alternative? Phone calls?

    9. Re:WRONG! by Anonymous Coward · · Score: 0

      Don't allow password recovery. Stop enforcing ridiculous password schemes (so that people actually remember their passwords). Encourage pass phrases so that people do still use long and secure passwords.

    10. Re:WRONG! by Anonymous Coward · · Score: 1

      Seriously? You don't see a problem with an attacker cracking into someone's e-mail account and at the same time gaining access to bunch of other websites? The control of that e-mail account allows the attacker to completely bypass the "key thing" of all those other websites by a simple password reset request.

    11. Re:WRONG! by neokushan · · Score: 4, Insightful

      > Don't allow password recovery.

      That is absolutely not a solution. That's braindead idiocy at best. The result is that people will use one password for everything and probably write it down in a few places because if they forget it, they're fucked. Yes, people do that anyway but not allowing a password reset makes the situation much worse.

      If your problem is with that "one key system", then perhaps you need to secure that "one key system" better. Two-factor auth on email hardens that single point and makes it very difficult to compromise. If an attacker is still able to compromise it, then I'd wager they'd be able to compromise those other systems anyway.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    12. Re:WRONG! by Richard_at_work · · Score: 4, Insightful

      Why is it negligence on part of the email provider? What obligation do they have to take out email addresses permanently just because you can't be arsed to log into the account?

      Does your logic carry over to domain names? Company names? Phone numbers? Addresses?

      Your post shows an all too common insistence that third parties should protect you, rather than you protecting yourself.

    13. Re:WRONG! by Anonymous Coward · · Score: 0

      > > Don't allow password recovery.
      >
      > That is absolutely not a solution. That's braindead idiocy at best. The result is that people will use one password for everything and probably write it down in a few places because if they forget it, they're fucked. Yes, people do that anyway but not allowing a password reset makes the situation much worse.
      >
      > If your problem is with that "one key system", then perhaps you need to secure that "one key system" better. Two-factor auth on email hardens that single point and makes it very difficult to compromise. If an attacker is still able to compromise it, then I'd wager they'd be able to compromise those other systems anyway.

      Also, people die, and other people need access to their stuff.

    14. Re:WRONG! by Anonymous Coward · · Score: 0

      "The result is that people will use one password for everything and probably write it down in a few places because if they forget it,"
      No, it is the ridiculous password restrictions currently enforced that result in this.
      Each site with its own ridiculous set of rules, must have at least two capital letters, must have at least one Greek character, the two capital letters can't be next to each other etc. etc. all of these inconsistent rules combine to ensure that nobody can come up with a consistent 'password scheme' for passwords they can actually remember and instead are stuck with cryptic junk that they have to write down or will forget.

      Admins who enforce these stupid rules thinking they are helping security, and then laughably blow that security wide open with 'password recovery' options *are* the problem, you *are* the problem.

    15. Re:WRONG! by Anonymous Coward · · Score: 1

      Wow, beta is garbage. Way to fuck up quotes.

    16. Re:WRONG! by Anonymous Coward · · Score: 0

      > > Also, people die, and other people need access to their stuff.
      >
      > That is a dubious reason at best. If someone needs access to the account of a dead person, they can just get ahold of the service directly to arrange that.

      Are you serious and not a troll?

      I challenge you to get in touch with Google's/Facebook's/Slashdot's/whatever's customer support. Good luck!

    17. Re:WRONG! by mlk · · Score: 1

      Yes. Or some form of two phase auth. Email followed by SMS for example.

      --
      Wow, I should not post when knackered.
    18. Re:WRONG! by heypete · · Score: 2

      > What is the alternative? Phone calls?

      Several email services (e.g. Gmail, Yahoo, etc.) do just that: they can send voice calls or SMS messages to a phone number you've registered with them prior to the loss of your account.

      Due to the importance of email addresses when it comes to authentication (e.g. password resets for non-email services are nearly always sent to one's email address) it makes sense to have email services be secure from compromise (e.g. 2FA) and recoverable in a secure manner (e.g. phone-based validation).

      Domain names are also a "high-stakes" thing and it makes sense to have a high degree of security when allowing password resets at registrars: I wouldn't mind my domain registrar sending me a letter by post to my address on file with them if I were to ever request a password reset from them.

    19. Re:WRONG! by codermattie · · Score: 1

      This is beaten to death over and over again. Standard procedure for secure authentication outside of ssh is to use keepassx or bitkeeper. Fully random secure seed generated 32 char passwords. Cut and paste, done. And the standard security systems a.k.a. consistent use of GnuPG worked as it was quickly detected as a forgery. This article blew my mind in that someone actually used GnuPG. Password security is so old the guy beating it to death doesn't stink anymore. When somebody starts talking about host authentication in ssh and the management thereof the world might try caring again beyond something more interesting than forgetting to get milk on the way home last night. For people who have no clue use firefox/chrome password manager and call it a day. Problem solved *years ago* by using ancient technology. I am not going to use a fraternity secret handshake to protect my data when I have cutting edge crypto and through an odyssey of trials I strained my will to live long enough to put the doritos down and have a program do it all for me. If this B.S is a big deal then don't be a 16 bit CPU brain, the ass clown who gave us Y2K, and give me a 64 char password field. Done Deal. B.T.W slashdot your 20 char limit sucks.

    20. Re:WRONG! by Anonymous Coward · · Score: 1

      That was the original theory, however Bitcoin core dev Peter Todd received a forwarded email from 2011 from that address, which indicates Satoshi's email was in fact hacked:

      > Interesting, got another forwarded email from "satoshi", from 2011 - indicates this was a hijacked account, not expired and re-registered.

    21. Re:WRONG! by H0p313ss · · Score: 1

      You may be correct sir:


      [Querying whois.verisign-grs.com]
      [Redirected to whois.schlund.info]
      [Querying whois.schlund.info]
      [whois.schlund.info]
      Domain Name: gmx.com
      Registry Domain ID:
      Registrar WHOIS Server: whois.1und1.info
      Registrar URL: http://1and1.com/
      Updated Date: 2014-05-08 00:00:00
      Creation Date: 1994-05-07 00:00:00
      Registrar Registration Expiration Date: 2015-05-08 00:00:00
      Registrar: 1&1 Internet AG
      Registrar IANA ID: 83
      Registrar Abuse Contact Email: abuse@1and1.com
      Registrar Abuse Contact Phone:
      Reseller:
      Domain Status: clientTransferProhibited
      Registry Registrant ID:
      Registrant Name: Jan Oetjen
      Registrant Organization: 1&1 Mail & Media Inc.
      Registrant Street: 701 Lee Rd.
      Registrant City: Chesterbrook
      Registrant State/Province: PA
      Registrant Postal Code: 19087
      Registrant Country: US
      Registrant Phone: +1.8774612631
      Registrant Phone Ext:
      Registrant Fax: +1.6105601501
      Registrant Fax Ext:
      Registrant Email: hostmaster@schlund.de
      Registry Admin ID:
      Admin Name: Jan Oetjen
      Admin Organization: 1&1 Mail & Media Inc.
      Admin Street: 701 Lee Rd.
      Admin City: Chesterbrook
      Admin State/Province: PA
      Admin Postal Code: 19087
      Admin Country: US
      Admin Phone: +1.8774612631
      Admin Phone Ext:
      Admin Fax: +1.6105601501
      Admin Fax Ext:
      Admin Email: hostmaster@schlund.de
      Registry Tech ID:
      Tech Name: Jan Oetjen
      Tech Organization: 1&1 Mail & Media Inc.
      Tech Street: 701 Lee Rd.
      Tech City: Chesterbrook
      Tech State/Province: PA
      Tech Postal Code: 19087
      Tech Country: US
      Tech Phone: +1.8774612631
      Tech Phone Ext:
      Tech Fax: +1.6105601501
      Tech Fax Ext:
      Tech Email: hostmaster@schlund.de
      Name Server: ns-gmx.ui-dns.de
      Name Server: ns-gmx.ui-dns.biz
      Name Server: ns-gmx.ui-dns.com
      Name Server: ns-gmx.ui-dns.org
      DNSSEC: Unsigned
      URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    22. Re:WRONG! by H0p313ss · · Score: 1

      Or I know nothing about gmx.com, didn't realize they were an email provider.

      What kind of genius doesn't have his own domain? Are we men?

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    23. Re:WRONG! by Anonymous Coward · · Score: 0

      WRONG! The hacker forwarded old emails to a journalist. That proves he has access to the archive.

    24. Re:WRONG! by lister+king+of+smeg · · Score: 1

      > Or I know nothing about gmx.com, didn't realize they were an email provider.
      >
      > What kind of genius doesn't have his own domain? Are we men?

      Someone that is trying to stay anonymous doesn't want their name splattered over Whois dns records.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    25. Re:WRONG! by Anonymous Coward · · Score: 0

      As the original poster was pointing out, it doesn't matter if you use random 300 character passwords for every site you go to, if the only thing required to access every single one of those sites is access to your email account to use a "password reset" form.

    26. Re:WRONG! by Anonymous Coward · · Score: 0

      No, Sir, YOU are the problem.

      These "ridiculous password" restrictions are only a response to the failure of users to choose passwords with an entropy high enough to withstand even the most basic of dictionary attacks. And yes; 123456 is still one of the most-used passwords out there. Password recovery is a small problem in contrast to such ludicrous attempts to protect an account from unauthorized access. Every administrator that is in the least concerned with the security of his users will enforce at least some kind of entropy in the passwords used to access the services he's been paid to maintain and protect.

      What kind of fool tries to /remember/ passwords? The kind of fool that does not use a password wallet or a system to create appropriate passwords. You, Sir, apparently are such a fool. And thus you are part of the problem.

      [To the high court] Your honor, I rest my case.

    27. Re:WRONG! by Anonymous Coward · · Score: 0

      I need to call you on this part of your submission

      > Satoshi Nakamoto, the respected (and currently missing) inventor of Bitcoin

      Respected? By who? You? Certainly. Which is why you added your own opinion to the submission. Don't do that. Keep your personal feelings and obvious bias out. It doesn't belong. Not only that, you sideline the larger majority of people who have no respect for him either because they don't know him or feel bitcoin isn't anything to consider respectable.

    28. Re:WRONG! by tlhIngan · · Score: 1

      > You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."
      > But all systems rely on a key thing. So you're not really saying anything at all.

      Except that key thing is highly transient and changes frequently enough that if it's any length of time old, it needs to be verified.

      It's why systems often verify email addresses once every year or so - not just to avoid spamming, but to make sure the person they're sending stuff to is the same one.

      Hell, you run into the same problems in coding today - you see people accidentally re-use file descriptors leading to all sorts of interesting bugs, or even people killing processes by PID only to realize the PID was reused!

    29. Re:WRONG! by s0nicfreak · · Score: 1

      So what info could be used, to verify that you do indeed speak on behalf of the account owner, that people like ex-wives would not know and could use maliciously by lying that the person is dead or in the hospital?

    30. Re:WRONG! by Anonymous Coward · · Score: 1

      " are only a response to the failure of users to choose passwords with an entropy high enough to withstand even the most basic of dictionary attacks"
      A completely incorrect response yes, that something is a response does not give it some fundamental rightness.

      "And yes; 123456 is still one of the most-used passwords out there."
      A far more appropriate response then would be to enforce minimum length, encourage passphrases and warn when a dictionary password is used.
      Instead every IT admin without a clue about security feels the need to make up new exciting inconsistent restrictions that users need to worry about, different rules for every site/account often even different rules within the same site. This only serves to lead to weaker security (password recovery features), users writing passwords down etc. and does not help the situation.

      "Password recovery is a small problem"
      I disagree, password recovery undermines the security of everyone, even people who are responsible and follow good practices. It is a far bigger problem.

      " Every administrator that is in the least concerned with the security of his users will enforce at least some kind of entropy in the passwords"
      I don't disagree, but the problem is they do it without a clue, and therefore impose too many restrictions and in too inconsistent a way.

      "What kind of fool tries to /remember/ passwords? The kind of fool that does not use a password wallet or a system to create appropriate passwords. You, Sir, apparently are such a fool. And thus you are part of the problem."
      We are talking about regular users here, only a fool would try and infer what I do based on a discussion about what is best for everyone else. Also there are genuine issues that prevent the widespread adoption of password wallets, there are cases where they just aren't good enough, especially for regular users, but even for power users.

      If we are in a court, then clearly you sir are the jester.

    31. Re:WRONG! by ShanghaiBill · · Score: 1

      > But all systems rely on a key thing.

      No. Secure systems should rely on multiple key things.

    32. Re:WRONG! by mysidia · · Score: 1

      > Even if that is true (and I am not saying it is) it has led to a host of his other accounts being compromised.

      Probably by using password reset links.

    33. Re:WRONG! by mysidia · · Score: 1

      > But all systems rely on a key thing. So you're not really saying anything at all.

      Not true. There are systems which require a combination of elements, so they don't rely on any one thing.

      For example: Instead of simply sending a password reset e-mail, they might ask you to complete a captcha, then on success send a password reset e-mail.

      When the link is clicked, then you have to answer some security questions correctly.

      Give too many wrong answers, and your account will be locked out, and you have to call in and have customer support send an SMS to your backup phone and a message to your backup e-mail account which you need to receive and verify to unlock.
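
The layered reset flow described in the comment above, sketched as a small state machine. This is an added example, not part of the original thread; the class, method names, lockout threshold and the choice to restart the flow after an unlock are all assumptions.

```python
# Added example, not from the thread: the comment's layered reset flow as a
# state machine. Class, method names and thresholds are assumptions.
import hashlib
import hmac
import secrets
from enum import Enum, auto

MAX_WRONG_ANSWERS = 3  # assumed; the comment only says "too many wrong answers"


class State(Enum):
    START = auto()
    LINK_SENT = auto()      # captcha passed, reset link e-mailed
    QUESTIONS = auto()      # link clicked, security questions pending
    RESET_ALLOWED = auto()  # every factor satisfied
    LOCKED = auto()         # needs support plus SMS and backup e-mail codes


def _digest(answer: str) -> bytes:
    # Demo only: a real system would store a salted, slow hash of each answer.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


class ResetFlow:
    def __init__(self, answers: dict):
        self.state = State.START
        self._answers = {q: _digest(a) for q, a in answers.items()}
        self._pending = set()
        self._token = None
        self._wrong = 0
        self._unlock_codes = None

    def request_reset(self, captcha_ok: bool):
        """Captcha gate. Returns the token that would be e-mailed, or None."""
        if self.state is not State.START or not captcha_ok:
            return None
        self._token = secrets.token_urlsafe(32)
        self.state = State.LINK_SENT
        return self._token

    def click_link(self, token: str) -> bool:
        """Mailbox control alone only gets the caller as far as the questions."""
        if self.state is not State.LINK_SENT or not _same(token, self._token):
            return False
        self._token = None  # single use
        self._pending = set(self._answers)
        self.state = State.QUESTIONS
        return True

    def answer(self, question: str, answer: str) -> State:
        """All questions must be answered; wrong answers count toward lockout."""
        if self.state is not State.QUESTIONS:
            return self.state
        expected = self._answers.get(question)
        if expected is not None and hmac.compare_digest(expected, _digest(answer)):
            self._pending.discard(question)
            if not self._pending:
                self.state = State.RESET_ALLOWED
        else:
            self._wrong += 1
            if self._wrong >= MAX_WRONG_ANSWERS:
                self.state = State.LOCKED
        return self.state

    def support_unlock_start(self):
        """Support issues one code per backup channel; both are needed."""
        if self.state is not State.LOCKED:
            return None
        self._unlock_codes = {ch: f"{secrets.randbelow(10**6):06d}"
                              for ch in ("sms", "backup_email")}
        return dict(self._unlock_codes)

    def support_unlock_finish(self, sms_code: str, email_code: str) -> bool:
        if self.state is not State.LOCKED or self._unlock_codes is None:
            return False
        ok = (_same(sms_code, self._unlock_codes["sms"])
              & _same(email_code, self._unlock_codes["backup_email"]))
        self._unlock_codes = None  # codes are single use either way
        if ok:
            self._wrong = 0
            self.state = State.START  # unlocked: the reset flow starts over
        return ok
```

A caller who holds only the mailbox reaches `QUESTIONS` and then `LOCKED`, and never `RESET_ALLOWED`.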

    34. Re:WRONG! by mysidia · · Score: 1

      > Someone that is trying to stay anonymous doesn't want their name splattered over Whois dns records.

      Every major DNS registrar has a privacy service. These days you could also use a 3rd party escrow in a different country, and buy the domain using BTC.

    35. Re:WRONG! by Anonymous Coward · · Score: 0

      How about a certified death certificate?

    36. Re:WRONG! by __1200333 · · Score: 1

      > and buy the domain using BTC.

      Nice. Real nice. We are talking about Satoshi creating an anonymous email here - BTC wasn't invented yet!

      I think a free email service offers the simplest and best privacy. Running a domain requires payment and hosting, which are hard to do 100% anonymously.

    37. Re:WRONG! by Fnord666 · · Score: 1

      > Every major DNS registrar has a privacy service. These days you could also use a 3rd party escrow in a different country, and buy the domain using BTC.

      So you're saying that the inventor of bitcoin should have used bitcoin to purchase a domain before he had invented it? Shades of Emmett Brown man, what were you thinking?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    38. Re:WRONG! by Anonymous Coward · · Score: 0

      > Does your logic carry over to domain names? Company names? Phone numbers? Addresses?

      It certainly should.

      There's no shortage of "names", there's absolutely no need to recycle the existing ones, other than sheer idiocy.

      In my city, because of political reasons, they "moved" a street name in a completely different neighborhood, causing complete mayhem that still lasts 10 years afterwards.

      And that's exactly the reason why, in EU, you can keep your phone number if you change the provider. At no cost.

    39. Re:WRONG! by mysidia · · Score: 1

      > Nice. Real nice. We are talking about Satoshi creating an anonymous email here - BTC wasn't invented yet!

      I'm just attempting to point out that Satoshi has made it even easier than before.

      It was still possible to register a domain anonymously before, so even the registrar wouldn't know the ID of the person..... it just involved a little bit more work and expense.

    40. Re:WRONG! by s0nicfreak · · Score: 1

      Well, I guess that works if the family has a fax machine or a scanner and the knowledge to use it to get a copy to the service providers. And if we pretend you can't fake a death certificate. And if the family doesn't need to access anything before they get the death certificate. And if all service providers hire people to look at the death certificates.

      So what about when that person is just in the hospital, unconscious and not dead?

    41. Re:WRONG! by um...+Lucas · · Score: 1

      What's the alternative, though?

    42. Re:WRONG! by um...+Lucas · · Score: 1

      We're past the stage of "don't write down your passwords". Too many sites, too many passwords... Personally, I use pwSafe (a Mac and iOS version of Schneier's Password Safe), but I know plenty of people who keep notebooks hidden with their passwords all written down. Better that than use a single password everywhere.

  2. If true, it should be changed. by EzInKy · · Score: 1

    We all learned early on that email addresses are only temporary. Anyone who expects that an ancient of numbers would lead them to the same person as they did years ago is a fool.

    --
    Time is what keeps everything from happening all at once.
    1. Re:If true, it should be changed. by pushing-robot · · Score: 3, Funny

      "Ancient of Numbers" is my new title, thanks.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:If true, it should be changed. by Talderas · · Score: 1

      I now have the mental image of a colossus dating back to the Roman Empire that shambles about. On its stone surface are engraved numerous Roman numerals. Some researchers believe the Roman numerals are representative of the Roman Legions, however the presence of MCXIV makes other researchers believe the first group to be morons.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    3. Re:If true, it should be changed. by Anonymous Coward · · Score: 0

      I wonder what will happen to my email address once my country will split. My domain is in .be, which may disappear sometime in the (mid- to long-term) future. Maybe I should plan to move directly to .eu now.

    4. Re:If true, it should be changed. by spiritplumber · · Score: 1

      You just wrote the teaser to a Doctor Who episode!

      --
      Liberty - Security - Laziness - Pick any two.
    5. Re:If true, it should be changed. by mysidia · · Score: 1

      E-mail addresses aren't numbers. Hi, My name is Mysidia. My name has been Mysidia since 1984.

      For the next 1,000,000 years, nobody else should be allowed to use my name, and it should always point to me exclusively.

      I am not exactly laying claim to 1234.... but a unique moniker.

    6. Re:If true, it should be changed. by TangoMargarine · · Score: 1

      Hey, they have secret dinosaurs living in the center of the Earth and Wi-Fi killing people; it can't be any worse.

      *does Smith vigorous hand-flap*

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  3. That is not proof of compromise by Anonymous Coward · · Score: 3, Insightful

    An email was received from that address without Satoshi's PGP signature. That does not mean that the email account has been compromised. It is trivial to forge an email, thus the need for cryptographic signatures in the first place.

  4. There are a couple of updates in the article by Anonymous Coward · · Score: 2, Interesting

    UPDATE: The unknown agent also seems to have used the email address to compromise Satoshi's account at the P2P Foundation and has now posted;-

    Dear Satoshi. Your dox, passwords and IP addresses are being sold on the darknet. Apparently you didn’t configure Tor properly and your IP leaked when you used your email account sometime in 2010. You are not safe. You need to get out of where you are as soon as possible before these people harm you. Thank you for inventing Bitcoin.

    UPDATE2: Satoshi’s SourceForge account now appears compromised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin. It is important to note, the bitcoin source has not been hosted at sourceforge for a few years now but you should not download binaries from sourceforge.

    1. Re:There are a couple of updates in the article by Anonymous Coward · · Score: 0

      It seems to me the person is trying to get media coverage of this and attract attention rather than do anything malicious.
      Perhaps they truly believe what they wrote on the P2P Foundation website and are trying to make sure he sees it?

    2. Re:There are a couple of updates in the article by Jesrad · · Score: 3, Interesting

      Unfortunately Satoshi's wallet is worth a mega-fortune, and it's never been quite established that Satoshi destroyed the private key. All kinds of people would give a try and shake it out of him/her, for that much money.

      --
      Maybe we deserve this world ?
    3. Re:There are a couple of updates in the article by Anonymous Coward · · Score: 2, Funny

      > UPDATE2: Satoshi’s SourceForge account now appears compromised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin.

      You know, I'm actually going to convert $10 into ButtCoin. Never know how this stuff's going to turn out.

    4. Re:There are a couple of updates in the article by Khyber · · Score: 1

      "changing Bitcoin to Buttcoin in the description of bitcoin."

      So in other words, some idiot from 4chan is likely responsible. Likely from /g/

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:There are a couple of updates in the article by ShaunC · · Score: 1

      Throw in some TittyCoin and you have a great night ahead of you!

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    6. Re: There are a couple of updates in the article by Anonymous Coward · · Score: 0

      Sounds like YOSPOS.

  5. Newsweek, hello Newsweek by Anonymous Coward · · Score: 0

    Where are you now that we need you?

  6. Hackers of the crypto world Unite! by SinisterEVIL · · Score: 1

    Come together and hack the account back and destroy it!

  7. THIRD UPDATE by squiggleslash · · Score: 2

    UPDATE3: Pictures of Satoshi in the nude from his private iCloud account have now been posted all over 4chan.

    Stay on Slashdot as this story develops...

    --
    You are not alone. This is not normal. None of this is normal.
  8. interesting by Anonymous Coward · · Score: 0

    According to this screenshot, the account still contains 11,659 emails, so it is unlikely a new account.

    https://www.anonimg.com/img/09f6cc92952dc4d539b21cad8daa2adf.png

    Looks like Satoshi is in St. Louis, MO 63101:

    https://www.anonimg.com/img/045d00e4624fb3c3ffc7056af07317d0.png

    Sauce:

    http://pastebin.com/7gbPi8Qr

    1. Re:interesting by squiggleslash · · Score: 1

      Having trouble believing it now. Nakamoto took all these steps to protect his identity but made an order for a physical item to be shipped to his real name and address using his pseudonymous email address?

      --
      You are not alone. This is not normal. None of this is normal.