Showing 10 of 10 results by Sottilde
Post
Topic
Board Bitcoin Discussion
Re: MtGox claim site is up! Everyone who claimed say haaaay ...
by
Sottilde
on 21/06/2011, 21:12:49 UTC
The claim site is overloaded. I think Mtgox is just going to cash out on this one. Oh wait, they don't even have an exchange to cash out on.

Erm, how about the cash?
Board Bitcoin Discussion
Re: A Secure and Redundant Savings Wallet Concept, Hopefully
by
Sottilde
on 21/06/2011, 21:08:34 UTC
Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.
Board Economics
Re: The upside to the MtGox hax
by
Sottilde
on 20/06/2011, 17:54:23 UTC

In that sense I can sympathise with MtGox, but on the other hand.....
  • They didn't add even the simplest of extra sec checks to their login
  • They didn't assume the worst and proceed as such when reports started surfacing that accounts were being hacked
  • Their database should have been natively encrypted, performance issues are not a customer's concern


Agreed on these points.  They don't even do basic IP verification (non-recognized IP, send email with verification link).  They really need to step it up.
Board Bitcoin Discussion
Re: TradeHill API was coded by amateurs
by
Sottilde
on 20/06/2011, 03:12:12 UTC
Alright great, I disagree with OP.

At least we all can agree OP is a moron though.

The troll threads tonight have been never-ending.  This is one of the worst, along with that "proof" thread where the OP didn't understand that a large sell order would not be matched by a single large buy order.

The posturing wannabe programmer here is almost as bad.
Board Beginners & Help
Beware virus/trojan being sent to most Mt.Gox emails
by
Sottilde
on 20/06/2011, 03:10:57 UTC
This has been going around with a ~500KB attachment:

Dear Mt.Gox user,

Our database has been compromised, how you already know.

To protect your account in the future, please download the Certificate (self-extracting archive) from Attachment and install it.

If you were using the same password on Mt.Gox and other places (email, mybitcoin.com, etc),
you should change this password as soon as possible.

Please accept our apologies for the troubles caused, and be certain we will do
everything we can to keep the funds entrusted with us as secure as possible.


Any unauthorized access done to any account you own (email, mtgox, etc) should
be reported to the appropriate authorities in your country.

Thanks,
The Mt.Gox team


Expect to see more like this if your email was leaked.  It may be prudent to give up your email address as the spam will likely never stop.
Board Beginners & Help
Re: Basic Questions About Brute-Force Attacks
by
Sottilde
on 20/06/2011, 03:00:58 UTC
but in an offline attack how do they know they got the right answer ? (ie cracked it)

Essentially any brute force client (GPU, CPU, whatever) will run billions of iterations of this:

1. Generate string
2. Grab salt (usually part of the input, at least in the case of the FreeBSD MD5 that Mt.Gox used)
3. Run crypt(string, salt), which in the FreeBSD implementation actually hashes about 1000 times
4. Check if output is expected output.
5. Repeat the above.

The nice thing about the salted FreeBSD-style MD5 is that it is pretty computationally expensive to run.  High-end GPU setups only manage about 3 MH/s, and CPUs about 12 KH/s per thread (I managed 48 KH/s on an overclocked i5 750).  This slows down potential crackers considerably.  At 48 KH/s, you can expect an 8-char password containing all possible characters (num, letters, specials) to take some 2.93*10^12 years.  On a GPU it is orders of magnitude better but still on the order of years.

It is very likely that the major account that was hacked was only compromised because it had its password encrypted using the old DES encryption Mt.Gox used to use until 2 months ago.  If that password was retrieved at any point and not changed it would be easily used to wreak havoc.
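The five steps in the post above, as an added example that is not part of the original post: a hashlib-only version of the FreeBSD-style `$1$` MD5 crypt, showing where the salt is read from the stored string and where the 1000 rounds make each guess expensive. The password, salt and word list are constructed for illustration, and the function names are this example's own.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt-style base64: emit `count` characters, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD-style MD5 crypt ($1$), written out with hashlib only."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the "about 1000" hashes of step 3
        h = hashlib.md5()
        h.update(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return "$1$" + salt.decode() + "$" + enc + _to64(final[11], 2)

def check_candidates(stored: str, candidates):
    """Steps 1-5: the salt is part of the stored string; a match ends the loop."""
    _, _, salt, _ = stored.split("$")
    for guess in candidates:
        if md5crypt(guess.encode(), salt.encode()) == stored:
            return guess
    return None

# Constructed sample: the hash is generated here, it is not a real credential.
STORED = md5crypt(b"correct horse", b"a1b2c3d4")
WORDS = ["123456", "password", "correct horse", "letmein"]
```

Every candidate costs the full 1000-round computation, which is the same work the server does once per login.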
Board Beginners & Help
Re: DiabloMiner on Dual 6990 + 64Bit Ubuntu, Second GPU not working. Advice?
by
Sottilde
on 20/06/2011, 02:54:12 UTC
I have heard a few success stories with GuiMiner for Windows - I know the hate for Windows but you should be getting ~375MH/s per GPU, so about 1500MH/s total - maybe it's enough to make a compromise.
Board Beginners & Help
Re: POLL: What name would you give to the smallest unit of bitcoin (0.00000001)?
by
Sottilde
on 20/06/2011, 02:53:00 UTC
Picobit?
Board Beginners & Help
Re: Noob To Bitcoing, Have a 4890
by
Sottilde
on 20/06/2011, 02:52:34 UTC
What miner are you using?  If you're using something like GuiMiner (http://www.softpedia.com/get/Tweak/Video-Tweak/GUIMiner.shtml) it should be trivial to select the GPU client.  2MH/s sounds like CPU to me.
Board Bitcoin Discussion
Re: Blind Bitcoin Transfers
by
Sottilde
on 06/06/2011, 22:20:05 UTC
Loving the site.  Great job, it looks great and I'm sure there are some users with a need for this service.