Slashdot Mirror

← Back to Stories (view on slashdot.org)

Satoshi Nakamoto's Email Address Compromised

Posted by Soulskill on from the or-as-he-likes-to-be-called,-bitcoin-batman dept.

ASDFnz writes: Satoshi Nakamoto, the respected (and currently missing) inventor of Bitcoin, seems to have had his email address compromised by an unknown agent. Satoshi exclusively used one email address when he was active in the Bitcoin community: satoshin@gmx.com. If you have a look at the original Bitcoin whitepaper (PDF), you will find it there at the top just under the title. He also usually signed his correspondence with his PGP signature. Earlier today, the head administrator of Bitcointalk, Theymos, received an email from Satoshi's email address that appeared to originate from GMX's servers. Theymos made a post on the Bitcointalk forums saying he had received an email from the address without Satoshi's PGP signature. Later, the unknown agent posted to other Satoshi accounts.

15 of 65 comments (clear)

  1. WRONG! by Anonymous Coward · · Score: 4, Insightful

    His address expired and someone re-created it.

    Nothing to see here, move along...

    1. Re:WRONG! by ASDFnz · · Score: 5, Informative

      His address expired and someone re-created it.

      Nothing to see here, move along...

      Even if that is true (and I am not saying it is) it has lead to a host of his other accounts being compromised.

      Hardly nothing to see, it is actually quite big. One of the bitcoin download sites (SourceForge) was compromised;-

      http://mineforeman.com/2014/09...

    2. Re:WRONG! by ASDFnz · · Score: 2

      After the GMX account was gained (however that happened), yes the person targeted known Satoshi accounts. P2P Foundation was also hit;-

      http://p2pfoundation.ning.com/...

    3. Re:WRONG! by Raumkraut · · Score: 2, Insightful

      An email address "expiring" and being re-used these days is plain negligence on the part of the email provider.
      It's not like there's a shortage of domain names one can use for email, so there is no reason to reuse existing ones. Especially given the potential security issues which can arise - as demonstrated by this particular incident.

    4. Re:WRONG! by Anonymous Coward · · Score: 5, Insightful
      You're essentially saying "systems that rely on a key item are problematic. The attacker need only that key thing."

      But all systems rely on a key thing. So you're not really saying anything at all.

    5. Re:WRONG! by Pseudonym+Authority · · Score: 2

      What is the alternative? Phone calls?

    6. Re:WRONG! by neokushan · · Score: 4, Insightful

      Don't allow password recovery.

      That is absolutely not a solution. That's braindead idiocy at best. The result is that people will use one password for everything and probably write it down in a few places because if they forget it, they're fucked. Yes, people do that anyway but not allowing a password reset makes the situation much worse.

      If your problem is with that "one key system", then perhaps you need to secure that "one key system" better. Twofactor auth on email hardens that single point and makes it very difficult to compromise. If an attacker is still able to compromise it, then I'd wager they'd be able to compromise those other systems anyway.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    7. Re:WRONG! by Richard_at_work · · Score: 4, Insightful

      Why is it negligence on part of the email provider? What obligation do they have to take out email addresses permanently just because you can't be arsed to log into the account?

      Does your logic carry over to domain names? Company names? Phone numbers? Addresses?

      Your post shows an all too common insistence that third parties should protect you, rather than you protecting yourself.

    8. Re:WRONG! by heypete · · Score: 2

      What is the alternative? Phone calls?

      Several email services (e.g. Gmail, Yahoo, etc.) do just that: they can send voice calls or SMS messages to a phone number you've registered with them prior to the loss of your account.

      Due to the importance of email addresses when it comes to authentication (e.g. password resets for non-email services are nearly always sent to one's email address) it makes sense to have email services be secure from compromise (e.g. 2FA) and recoverable in a secure manner (e.g. phone-based validation).

      Domain names are also a "high-stakes" thing and it makes sense to have a high degree of security when allowing password resets at registrars: I wouldn't mind my domain registrar sending me a letter by post to my address on file with them if I were to ever request a password reset from them.

  2. Re:If true, it should be changed. by pushing-robot · · Score: 3, Funny

    "Ancient of Numbers" is my new title, thanks.

    --
    How can I believe you when you tell me what I don't want to hear?
  3. That is not proof of compromise by Anonymous Coward · · Score: 3, Insightful

    An email was received from that address without Satoshi's PGP signature. That does not mean that the email account has been compromised. It is trivial to forge an email, thus the need for cryptographic signatures in the first place.

  4. There are a couple of updates in the article by Anonymous Coward · · Score: 2, Interesting

    UPDATE: The unknown agent has also seems to use the email address to compromise Satoshi ‘s account at the P2P Foundation and has now posted;-

    Dear Satoshi. Your dox, passwords and IP addresses are being sold on the darknet. Apparently you didn’t configure Tor properly and your IP leaked when you used your email account sometime in 2010. You are not safe. You need to get out of where you are as soon as possible before these people harm you. Thank you for inventing Bitcoin.

    UPDATE2: Satochi’s SourceForge account now appairs comprised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin. It is important to note, the bitcoin source has not been hosted at sourceforge for a few years now but you should not download binaries from sourceforge.

    1. Re:There are a couple of updates in the article by Jesrad · · Score: 3, Interesting

      Unfortunately Satoshi's wallet is worth a mega-fortune, and it's never been quite established that Satoshi destroyed the private key. All kinds of people would give a try and shake it out of him/her, for that much money.

      --
      Maybe we deserve this world ?
    2. Re:There are a couple of updates in the article by Anonymous Coward · · Score: 2, Funny

      UPDATE2: Satochi’s SourceForge account now appairs comprised, the perpetrator, rather childishly, is now changing Bitcoin to Buttcoin in the description of bitcoin.

      You know, I'm actually going to convert $10 into ButtCoin. Never know how this stuff's going to turn out.

  5. THIRD UPDATE by squiggleslash · · Score: 2

    UPDATE3: Pictures of Satoshi in the nude from his private iCloud account have now been posted all over 4chan.

    Stay on Slashdot as this story develops...

    --
    You are not alone. This is not normal. None of this is normal.