o_O people still have Java installed? After the latest problems I ditched that sh!t and haven't looked back. How many zero-days is it responsible for now? 105% of them?

OP, might make sense for a thread like this to be called "blockchain.info hack" instead of "bitcoin hack". The latter is somewhat misleading.

I am collecting all the information I can, still not clear of the exact root cause. There are a number a blockchain.info wallets compromised in this transaction but i'm not sure it is exclusively blockchain wallets, some of the input addresses look like wallets from other clients (i.e. they use change addresses and transactions are not shown as being relayed by blockchain). More data points are needed.


I think it is possible to rule out an android problem, several users have stated they do not use an android app.

Brute forcing is a possibility but I remain sceptical about the feasibility of brute forcing 10 character passwords. A 10 character password, 10 rounds of pbkdF2 with 36 possible characters at 5 million guesses per second would take 80,000 days to search the entire key space. I'm not sure it even possible to achieve 5 million guesses per second http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ estimates rates significantly lower speeds (if  pbkdF2 can be considered close to bcrypt speed). That is for one wallet as well, this seems to be multiple wallets in parallel. All wallets have a unique salt so precomputed dictionary attack shouldn't be possible. Also I have setup several wallets with deliberately weak passwords that are unemptied.

All users affected so far have had JAVA enabled possibly this is the result of some malware spread through a java applet. I can't find the post now but there was a report of a malicious Java applet designed to collect wallet data.

Other possibilities are XSS or a leak of passwords from another site although there is is no direct evidence of this.

Yeah, can I change it after the fact?  Realized that after I did it and it's definitely misleading.  Nothing wrong with the protocol or bitcoin in general - more apropot would be wallet hack.

I think you can just edit your original post (at the top of this thread), and change the subject.

I re-imaged my Windows laptop from the recovery partition to get rid of it (and the creepy taskbar it installed on my browser.)  But my Windows machine is used irregularly for limited things which are not practical on my main workstations so it was relatively easy for me to do.   Backed up what few interesting docs I had in mega.co.nz before performing this action.

Now I don't even like to allow Microsoft or HP to install updates.  Since phone vendors are so willing to pre-install rootkits, and OS vendors seem happy to make that possible, it seems likely to me that commercial laptop and workstation vendors would be happy to follow suit.  The momentum behind the trend to make the Internet significantly more invasive seems to be building at an alarming rate.

---

BTW, so far my blockchain.info wallet seems fine in spite of the phone hack and gmail theft.  This seems to lend strength to the idea that the issue of this thread is not Android related.

Does not seem like Android is involved at all. In fact, I am not aware of any Android-related Bitcoin thefts in all these years.

Unless I am missing something, the common denominator here is Java.

I did notice a Windows update last week - one lone security patch, outside of regular schedule - which only provided the usual "an issue has been identified that may allow a remote attacker blah blah". Does anyone know what kind of hole was patched?

Android runs almost exclusively in a java virtual machine

Android's not at risk from this sort of Java exploit. Other hacks are different matter - usually from installing something dodgy nd giving it permissions it shouldn't have.

since the addition of the bitcoin:// uri in windows. do any of those that have lost funds do any "free bitcoin" faucets regularly.

i remember last year there was one that actually made my QT client start running.

also

check all the programs installed EG the miners, drivers, etc that are not from the official websites. even check if you have a trading bot that was not created, compiled by yourself.

there was a guy named litecoin trader that hade a closed source trading bot. his version one last year was very very "iffy" and he soon went quiet when questioning him. he now has a version 2 which is also closed source.

do any of you use a trading bot for btc-e mtgox?