Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: da2ce7 on June 21, 2011, 12:01:00 PM



Title: To Magical Tux
Post by: da2ce7 on June 21, 2011, 12:01:00 PM
MagicalTux,

As a bitcoin member that has dealt with you before, I want to say that over time you have built up my trust.

I want to offer you my support to help make MtGox great again!

Please know that many of the older members of this community are here to support you and appreciate the tireless work that you put into the success of bitcoin.

Best of Luck, and Godspeed
da2ce7


Title: Re: To Magical Tux
Post by: Herodes on June 21, 2011, 12:03:46 PM
I can only agree with this too. Too many people are angry just for the sake of being angry. At this stage being angry helps nobody.


Title: Re: To Magical Tux
Post by: cypherdoc on June 21, 2011, 12:06:21 PM
Finally, a rational, calm post.  Thank you.


Title: Re: To Magical Tux
Post by: klaus on June 21, 2011, 12:06:26 PM
+1

100% with you


Title: Re: To Magical Tux
Post by: foxmulder on June 21, 2011, 12:07:06 PM
Yes let's not forget the time he brought out the first exchanger & pioneer who gave out the possibility of bitcoin reaching ~31$/btc. We should not bring out more drama, dilemma, trickery, greed to the bitcoin community; our enemies are many, together we will prevail!


Title: Re: To Magical Tux
Post by: WesleyK on June 21, 2011, 12:09:30 PM
+1


Title: Re: To Magical Tux
Post by: foo on June 21, 2011, 12:09:44 PM
Yes let's not forget the time he brought out the first exchanger
No he didn't, he bought it from the guy who did.


Title: Re: To Magical Tux
Post by: BCEmporium on June 21, 2011, 12:11:57 PM
Yes let's not forget the time he brought out the first exchanger
No he didn't, he bought it from the guy who did.

Wrong, wrong, the first exchange was actually dwdollar's bitcoinmarket.


Title: Re: To Magical Tux
Post by: speeder on June 21, 2011, 12:12:23 PM
I want to help MtGox too :D


Title: Re: To Magical Tux
Post by: Oldminer on June 21, 2011, 12:30:19 PM
MtGox will still be going strong long after the cretins in this forum have all but forgotten about Bitcoin.


Title: Re: To Magical Tux
Post by: wumpus on June 21, 2011, 12:33:10 PM
+1

I'm sure it will all be ok. Thanks for putting up with all the crap MT.


Title: Re: To Magical Tux
Post by: Sukrim on June 21, 2011, 12:33:36 PM
People forgot about http://forum.bitcoin.org/index.php?topic=3712 - they will forget about this stuff here too...


Title: Re: To Magical Tux
Post by: The_Duke on June 21, 2011, 12:34:44 PM
MtGox will still be going strong long after the cretins in this forum have all but forgotten about Bitcoin.

MtGox will live strong for about 12 hours after it goes online again, since that's about the time we'll all need to transfer the money out of there.


Title: Re: To Magical Tux
Post by: relative on June 21, 2011, 12:37:47 PM
As a bitcoin member that has dealt with you before, I want to say that over time you have built up my trust.

to stop lying would be a good start to rebuild trust.

there was no one single 500kBTC account with a weak password.
that is so far out of the reasonable that it is safe to say he is lying until he provides proof.



Title: Re: To Magical Tux
Post by: speeder on June 21, 2011, 12:40:47 PM
As a bitcoin member that has dealt with you before, I want to say that over time you have built up my trust.

to stop lying would be a good start to rebuild trust.

there was no one single 500kBTC account with a weak password.
that is so far out of the reasonable that it is safe to say he is lying until he provides proof.



To do that he would have to reveal the user. He cannot do that.

But look around in the forums, in very old posts, you will eventually see that in the age that MtGox was founded, people did handle some thousands of BTCs around.


Title: Re: To Magical Tux
Post by: relative on June 21, 2011, 12:43:33 PM

But look around in the forums, in very old posts, you will eventually see that in the age that MtGox was founded, people did handle some thousands of BTCs around.

I never said no one has 500kBTC. I said no one has 500 kBTC at mtgox, let alone with a weak password.
mtgox wasn't around at that time either, so it can't be an abandoned account from back then.


that someone got write access to MtGox' database as some claim and just created the 500k out of nothing is much more likely.


Title: Re: To Magical Tux
Post by: Batouzo on June 21, 2011, 12:44:15 PM
MagicalTux,
As a bitcoin member that has dealt with you before, I want to say that over time you have built up my trust.

Well I can say that services from mtgox were good as far as I know (but this leak clusterfuck is horrible shit).

Obviously they need people that take security as their life mission and are paranoid, not the "some hacks? well meh its probably the user fault" approach that was allegedly used.


Title: Re: To Magical Tux
Post by: chetrasho on June 21, 2011, 12:45:05 PM
I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....


Title: Re: To Magical Tux
Post by: speeder on June 21, 2011, 12:49:00 PM

But look around in the forums, in very old posts, you will eventually see that in the age that MtGox was founded, people did handle some thousands of BTCs around.

I never said no one has 500kBTC. I said no one has 500 kBTC at mtgox, let alone with a weak password.
mtgox wasn't around at that time either, so it can't be an abandoned account from back then.


that someone got write access to MtGox' database as some claim and just created the 500k out of nothing is much more likely.

MtGox is from July 2010

And many accounts of that era are abandoned and thus never got salted after MagicalTux bought MtGox and introduced salting. Thus if any of those accounts had absurd amounts of BTC (for our standards), something that is quite likely, they also happen to be the easiest accounts to break in using the leaked database.

And never doubt people's stupidity. I for example used the same password on mtgox and paypal, and it was a very crap password, and my paypal had access to several credit cards, this incident woke me up to reinforce those passwords, but if someone had broken in on my paypal that person probably would have some thousand USD of credit limit to destroy stuff around. (I have a high credit limit because I always pay credit cards in time, and I do that by never using them for more than the money I already have sitting on my bank account, thus this means those cards also have lots of unused limit)


Title: Re: To Magical Tux
Post by: relative on June 21, 2011, 12:50:32 PM
Quote
And many accounts of that era are abandoned and thus never got salted after MagicalTux bought MtGox and introduced salting. Thus if any of those accounts had absurd amounts of BTC (for our standards), something that is quite likely, they also happen to be the easiest accounts to break in using the leaked database.

MtGox claims it was ONE account.

500k is an absurd amount not only for our standards, but for early miners, too.


Title: Re: To Magical Tux
Post by: speeder on June 21, 2011, 12:51:01 PM
I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

I think MagicalTux's position is that the best place to be relative to your enemy is very close to him, so you can watch his movements, and cloud your intentions.


Title: Re: To Magical Tux
Post by: speeder on June 21, 2011, 12:52:07 PM
Quote
And many accounts of that era are abandoned and thus never got salted after MagicalTux bought MtGox and introduced salting. Thus if any of those accounts had absurd amounts of BTC (for our standards), something that is quite likely, they also happen to be the easiest accounts to break in using the leaked database.

MtGox claims it was ONE account.


Again, there are many accounts that are abandoned, and probably have a high amount of BTC, if ANY of those accounts get hacked, it is lots of crashing power.


Title: Re: To Magical Tux
Post by: relative on June 21, 2011, 12:55:48 PM

Again, there are many accounts that are abandoned, and probably have a high amount of BTC, if ANY of those accounts get hacked, it is lots of crashing power.

I see. there are 6mBTC overall, and there are several 500kBTC accounts each containing 1/12th of all BTCs at mtgox?
the biggest miner known to this board has 370kBTC, and he is definitely not stupid enough to deposit it at an exchange, with any kind of password.

this is just a made-up BS story to cover up what really happened, which is probably a write-access SQL injection.
mtgox had several SQLinj vulnerabilities.


Title: Re: To Magical Tux
Post by: riX on June 21, 2011, 01:26:52 PM
Yes let's not forget the time he brought out the first exchanger
No he didn't, he bought it from the guy who did.

Wrong, wrong, the first exchange was actually dwdollar's bitcoinmarket.

A bit off-topic, but the first was actually NewLibertyStandard's exchange at newlibertystandard.wetpaint.org...


Title: Re: To Magical Tux
Post by: chetrasho on June 21, 2011, 01:39:32 PM
I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

I think MagicalTux's position is that the best place to be relative to your enemy is very close to him, so you can watch his movements, and cloud your intentions.


I'm just saying...

The unlikely "benefit" of whoever getting busted isn't worth the definite minus of inviting the Feds behind the curtains.




Title: Re: To Magical Tux
Post by: speeder on June 21, 2011, 01:42:29 PM

I'm just saying...

The unlikely "benefit" of whoever getting caught isn't worth the definite minus of inviting the Feds behind the curtains.


I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

I think MagicalTux's position is that the best place to be relative to your enemy is very close to him, so you can watch his movements, and cloud your intentions.


I think you do not understand that the Feds will get involved no matter what after the Senators vs. Silk Road issue.

Now it is a matter of doing it in a sort of controlled manner. It is best to show up to the Feds as a friend, than to show up as a libertarian (thus anti-rep and anti-dem, the current government) enemy of sorts.

We do not want to become Waco


Title: Re: To Magical Tux
Post by: relmeas on June 21, 2011, 01:52:05 PM
Tradehill has no worldwide withdrawal options at all, oh wait $45 bank wire option .... wtf?? most little miners don't have that much to withdraw in the first place.

so mtgox won't die - people from all around the world will keep using it as long as all other exchanges are not an option for anywhere but USA or some other single country.

and since people will keep using it, with time they will forget this incident and mtgox will rise again, since even haters will have to admit that the real volumes are there.

also the controversial notion that the trades should not have been reversed are probably all from the hacker/kevin alts so who cares about them.


Title: Re: To Magical Tux
Post by: hamdi on June 21, 2011, 02:09:00 PM
still i would suggest anyone to not only trade on one marketplace. use them all!


Title: Re: To Magical Tux
Post by: dukejer on June 21, 2011, 02:27:31 PM
I have questions with the Magical Tux story of what happened.  I would like to know the truth of the hacking incident.  If there was a financial auditor possessing the database for financial reasons, what business did they have with having the password file?  I see no reason for a financial auditor needing the password file.  They only need the portions of the database that reference transactions and account numbers.  Whenever I work with the government, and I have been involved in many audits from an IT perspective, I only give the auditors the information that is needed for the audit and no more records than are needed.  User names, email addresses and password hashes would be out of the question in an audit.

-Dukejer


Title: Re: To Magical Tux
Post by: BCEmporium on June 21, 2011, 03:02:24 PM
I have questions with the Magical Tux story of what happened.  I would like to know the truth of the hacking incident.  If there was a financial auditor possessing the database for financial reasons, what business did they have with having the password file?  I see no reason for a financial auditor needing the password file.  They only need the portions of the database that reference transactions and account numbers.  Whenever I work with the government, and I have been involved in many audits from an IT perspective, I only give the auditors the information that is needed for the audit and no more records than are needed.  User names, email addresses and password hashes would be out of the question in an audit.

-Dukejer

Well, to this extent I understand what went on. One time I asked for a db structure to implement a module for a hospital, instead of the structure they sent me a DVD with the whole db contents (means medical records of practically everybody in that town).
It's that "practical" export button and its default options...


Title: Re: To Magical Tux
Post by: fetokun on June 21, 2011, 03:12:00 PM

I'm just saying...

The unlikely "benefit" of whoever getting caught isn't worth the definite minus of inviting the Feds behind the curtains.


I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

I think MagicalTux's position is that the best place to be relative to your enemy is very close to him, so you can watch his movements, and cloud your intentions.


I think you do not understand that the Feds will get involved no matter what after the Senators vs. Silk Road issue.

Now it is a matter of doing it in a sort of controlled manner. It is best to show up to the Feds as a friend, than to show up as a libertarian (thus anti-rep and anti-dem, the current government) enemy of sorts.

We do not want to become Waco

I agree 100% with that!!

I think it's awesome that MtGox contacted authorities, especially for PR reasons (to CIA or FBI I don't think it really matters). It's a very good way to improve bitcoin's image and I don't see how it could hurt.


And about the hacking... we gotta remember that the same thing also happened with paypal (which was even worse since many CC numbers were stolen).
These unfortunate events will only make bitcoin stronger!



Title: Re: To Magical Tux
Post by: Piper67 on June 21, 2011, 03:17:56 PM
Right now, this can go one of two radically different ways:

1) Mt.Gox has been lying, all or most of the BTC within are lost, gone, never to be seen again. Though not a final blow to the BTC idea, it will take a very long time to recover.

2) Mt.Gox reopens, with new and improved security. Everyone who had BTC with them can access them easily, they're still by far the largest and most liquid exchange. If they've learnt from this experience, it will only benefit the rest of us.

From what I've been able to see, the actions and response from MT have been pretty spot on, if things are exactly as he claims. If they aren't, they are not.

What I'm saying is that there seems to be very little room for a middle ground here. It will either be a devastating punch against bitcoin, or it will serve to reinforce it and make it stronger than ever. Reopening the exchange and giving us all greater transparency would go a long way towards proving the latter.



Title: Re: To Magical Tux
Post by: chetrasho on June 21, 2011, 03:19:41 PM

I'm just saying...

The unlikely "benefit" of whoever getting caught isn't worth the definite minus of inviting the Feds behind the curtains.


I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

I think MagicalTux's position is that the best place to be relative to your enemy is very close to him, so you can watch his movements, and cloud your intentions.


I think you do not understand that the Feds will get involved no matter what after the Senators vs. Silk Road issue.

Now it is a matter of doing it in a sort of controlled manner. It is best to show up to the Feds as a friend, than to show up as a libertarian (thus anti-rep and anti-dem, the current government) enemy of sorts.

We do not want to become Waco


Honestly, you're softening my heart somewhat and it's a dicey situation.

I like the Waco comparison too. haha. But I don't think appeasement is an appropriate response to state violence. As a market anarchist "enemy of the state", I still say the Feds are a bad idea.

Best of luck to MagicalTux though! Please don't mention my name and don't drop the soap.


Title: Re: To Magical Tux
Post by: TriumVir on June 21, 2011, 03:21:19 PM
Where are the updates? The silence is deafening.


Title: Re: To Magical Tux
Post by: dukejer on June 21, 2011, 03:21:26 PM

Well, to this extent I understand what went on. One time I asked for a db structure to implement a module for a hospital, instead of the structure they sent me a DVD with the whole db contents (means medical records of practically everybody in that town).
It's that "practical" export button and its default options...

If they send the whole Database or DVD then I would question the competency level of an organization or individual with my money or confidential information.  I would hope that most businesses would understand that you only send what is needed to get the job done and nothing more.  If they do not understand that or take short cuts on their own accord to make it easier for themselves then I would take my business elsewhere.

-Dukejer


Title: Re: To Magical Tux
Post by: andrepcg on June 21, 2011, 03:23:04 PM
i give all my support to Mt Gox


Title: Re: To Magical Tux
Post by: Batouzo on June 21, 2011, 04:09:14 PM
If they send the whole Database or DVD then I would question the competency level of an organization or individual with my money or confidential information.  I would hope that most businesses would understand that you only send what is needed to get the job done and nothing more.  If they do not understand that or take short cuts on their own accord to make it easier for themselves then I would take my business elsewhere.

I don't get either why the hashes were sent out to some 'auditor'. And who the hell is that auditor anyway.


Title: Re: To Magical Tux
Post by: BCEmporium on June 21, 2011, 04:20:56 PM
It's the human side of informatics... people work with different levels of trust. By some reason Madoff managed to run his scheme for so long.
I didn't like that some accounting auditor got his hands in a password dump, but, as human, I understand what went on there.


Title: Re: To Magical Tux
Post by: Mark Oates on June 21, 2011, 04:46:24 PM
I also support Mt. Gox.


Title: Re: To Magical Tux
Post by: imperi on June 21, 2011, 04:49:11 PM
I plan on continuing to use Mt. Gox to make trades. Much better than Trade Hill a.k.a. GoDaddy hill.


Title: Re: To Magical Tux
Post by: wumpus on June 21, 2011, 04:57:07 PM
Me too, it was always fun trading there, at least they have normal withdraw/deposit options, and I'm sure he'll take security so seriously now that it will be the most secure exchange in the world :)


Title: Re: To Magical Tux
Post by: Rassah on June 21, 2011, 06:00:19 PM
Also supporting MtGox, and, honestly, I'm REALLY glad this happened now, instead of inevitably happening later, only risking a few people's play money, instead of a bunch of international companies' few million of trade money tied to hundreds of thousands of customers. Hopefully this will make MtGox a much more stable and secure platform to do business with.


Title: Re: To Magical Tux
Post by: Klestin on June 21, 2011, 06:37:52 PM
If an auditor had to have remote SQL access, why not at least create a view to the users table which excluded email, and password hash?


Title: Re: To Magical Tux
Post by: ottodv on June 21, 2011, 07:00:13 PM
Magical Tux has always been most helpful to me, and I know I am not the only person with that experience.

Tux is doing the right thing in this crisis.


Title: Re: To Magical Tux
Post by: Epinnoia on June 21, 2011, 07:01:32 PM
Well, to this extent I understand what went on. One time I asked for a db structure to implement a module for a hospital, instead of the structure they sent me a DVD with the whole db contents (means medical records of practically everybody in that town).
It's that "practical" export button and its default options...

When asked in the interview a couple days ago "Why did the auditor need access to the LIVE database", the response from MtGox was that they were auditing to make sure MtGox wasn't manipulating the quoted prices for sells and buys.  In other words, gaming their own clients.  That would be fraud.  So, by MtGox's own admission, the auditor was auditing for evidence or non-evidence of fraud.

So it wasn't a DVD.  It was live access to a database.  It would appear that the access included tables which the auditor didn't necessarily need.  And that MIGHT be (gross?) negligence...  

Then again, what if the auditor was from a government agency?  It might not be so easy to tell a government agency what tables they can and cannot look at...



Title: Re: To Magical Tux
Post by: Klestin on June 21, 2011, 07:14:13 PM
Then again, what if the auditor was from a government agency?  It might not be so easy to tell a government agency what tables they can and cannot look at...

That is a main purpose for table views, which allow the user to see some data (columns) in a table, while others are not viewable.  Email and password hash would seem to be excellent candidates for exclusion to an auditor.


Title: Re: To Magical Tux
Post by: Epinnoia on June 21, 2011, 07:30:19 PM
Then again, what if the auditor was from a government agency?  It might not be so easy to tell a government agency what tables they can and cannot look at...

That is a main purpose for table views, which allow the user to see some data (columns) in a table, while others are not viewable.  Email and password hash would seem to be excellent candidates for exclusion to an auditor.

You can set up SQL to only grant access to specific tables based on their username/password combination.  You can also further restrict access by IP address -- which, as I understand, was in place.

So, for example, you could have complete access for Bob, and only show the user# and email addresses to Bill.  And you can set it up so that Bob can only log in from his own IP address, while Bill can log in from any IP address.

So if the auditor was only supposed to be auditing for evidence of gaming/fraud, then the auditor account access should have only been permitted to read those tables specific to what they were looking for.

Either the story as given to us so far is false, or the admin of the SQL database gave too much access/permission to the auditor's SQL account.  If too much access was given, then that MIGHT rise to the level of negligence, or even gross negligence.
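
The restriction Klestin and Epinnoia describe above (a view that leaves out email and password hash, plus an account limited to specific objects and one source address), as an added example that is not part of any post in this thread and is not MtGox's schema. It assumes MySQL; the database, tables, columns, account name and the documentation-range IP address are all hypothetical.

```sql
-- Added example, MySQL dialect. Every name below is hypothetical and the
-- rows are constructed sample data.
CREATE DATABASE IF NOT EXISTS exchange_demo;
USE exchange_demo;

CREATE TABLE users (
    user_id       INT UNSIGNED PRIMARY KEY,
    username      VARCHAR(64)  NOT NULL,
    email         VARCHAR(255) NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    created_at    DATETIME     NOT NULL
);

CREATE TABLE trades (
    trade_id    BIGINT UNSIGNED PRIMARY KEY,
    buyer_id    INT UNSIGNED  NOT NULL,
    seller_id   INT UNSIGNED  NOT NULL,
    price_usd   DECIMAL(16,5) NOT NULL,
    amount_btc  DECIMAL(16,8) NOT NULL,
    executed_at DATETIME      NOT NULL,
    FOREIGN KEY (buyer_id)  REFERENCES users (user_id),
    FOREIGN KEY (seller_id) REFERENCES users (user_id)
);

-- Constructed sample rows.
INSERT INTO users VALUES
    (1, 'alice', 'alice@example.org', 'placeholder-hash-1', '2010-08-01 10:00:00'),
    (2, 'bob',   'bob@example.org',   'placeholder-hash-2', '2010-09-15 12:30:00');
INSERT INTO trades VALUES
    (1001, 1, 2, 17.50000, 3.00000000, '2011-06-18 09:00:00'),
    (1002, 2, 1, 17.45000, 1.25000000, '2011-06-18 09:05:00');

-- The view exposes only what a price/volume audit needs to join trades to
-- accounts. username, email and password_hash are simply not in it.
-- SQL SECURITY DEFINER makes the view run with its creator's rights, so the
-- auditor needs no privilege at all on the base table.
CREATE SQL SECURITY DEFINER VIEW audit_users AS
    SELECT user_id, created_at
    FROM users;

-- The account is bound to one source address: in MySQL the host part is
-- part of the account identity, so the same name from elsewhere is a
-- different (non-existent) account.
CREATE USER 'auditor'@'203.0.113.10'
    IDENTIFIED BY 'replace-with-a-generated-secret';

-- Read-only, object by object. No database-wide or global grant is issued.
GRANT SELECT ON exchange_demo.audit_users TO 'auditor'@'203.0.113.10';
GRANT SELECT ON exchange_demo.trades      TO 'auditor'@'203.0.113.10';

-- Checks to run as an administrator before handing over the credentials.
-- 1. The full list of what the account may do.
SHOW GRANTS FOR 'auditor'@'203.0.113.10';

-- 2. Any table-level privilege the account holds in this schema. The base
--    table `users` must not appear in the result.
SELECT table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = '''auditor''@''203.0.113.10'''
  AND table_schema = 'exchange_demo';

-- 3. No column-level grant has leaked the sensitive columns either.
SELECT table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = '''auditor''@''203.0.113.10'''
  AND table_schema = 'exchange_demo';

-- What the auditor can run: trades joined to the reduced account view.
SELECT t.trade_id, t.price_usd, t.amount_btc, t.executed_at,
       b.created_at AS buyer_since, s.created_at AS seller_since
FROM trades AS t
JOIN audit_users AS b ON b.user_id = t.buyer_id
JOIN audit_users AS s ON s.user_id = t.seller_id
ORDER BY t.executed_at;

-- Cleanup for the demo.
-- DROP USER 'auditor'@'203.0.113.10';
-- DROP DATABASE exchange_demo;
```

A column-level grant (`GRANT SELECT (user_id, created_at) ON exchange_demo.users ...`) reaches the same result without a view; the view has the advantage that the sensitive column names never appear to the auditor at all.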


Title: Re: To Magical Tux
Post by: caveden on June 22, 2011, 07:59:38 AM
My 2 cents:

People are being too hard on MagicalTux. Sure, there were problems. But let's remember he got the exchange from a guy who developed it alone in his spare time, and since then he's been very busy trying to answer all e-mails while getting rid of DDoS attacks. He didn't have too much time to fix the problems, everything happened really fast.

On the other hand, I also have a hard time believing this story of "one account with 500KBTC in it". I can't believe such an amount would be left in a MtGox account with weak password. The most reasonable possibility I see to that is the owner of the account passed away months ago, when these 500K weren't worth that much, and never told his relatives/heirs about the account. Sounds unlikely.


Title: Re: To Magical Tux
Post by: The_Duke on June 22, 2011, 08:27:46 AM
My 2 cents:

People are being too hard on MagicalTux. Sure, there were problems. But let's remember he got the exchange from a guy who developed it alone in his spare time, and since then he's been very busy trying to answer all e-mails while getting rid of DDoS attacks. He didn't have too much time to fix the problems, everything happened really fast.

You mean he didn't TAKE the time to fix the problems. If the site wasn't secure enough (which it obviously wasn't) then worst case he should have shut it down for a while to get it fixed. Which, ironically, is actually what happened now, isn't it? Only now it caused a lot more trouble for people than when he had done it properly in the first place.
But of course, shutting the site down for a while would have cost him money. Which doesn't work well on a greedy person.


Title: Re: To Magical Tux
Post by: marcus_of_augustus on June 22, 2011, 12:43:02 PM

Any ideas on who the "financial auditor" was ...?

seems suspicious that it came days after MtGov's very public announcement that they would be "co-operating with the authorities" ... would be too ironic if some gubmint drone showed up and logged in with the infected computer that screwed MtGov over ...


Title: Re: To Magical Tux
Post by: BCEmporium on June 22, 2011, 12:51:22 PM

Any ideas on who the "financial auditor" was ...?

seems suspicious that it came days after MtGov's very public announcement that they would be "co-operating with the authorities" ... would be too ironic if some gubmint drone showed up and logged in with the infected computer that screwed MtGov over ...

Would be somewhat funny if it happened to be some scammer taking the "M'Tux watched too many movies" chance to present himself as a FBI/CIA/DEA Agent requesting access to database.


Title: Re: To Magical Tux
Post by: speeder on June 22, 2011, 12:56:09 PM
Can't believe the people that say that it's good because now mt.gox will step up their security..

The creator of Mt.Gox a.k.a. magicaltux is a fucking moron, even if they improve the security of the site that's not going to change and he will just find something else to fuck up. We need a proper exchange, setup up by seasoned developers that know what the fuck they are doing, not some scummy pre-pubescent boy that's just using his magic the gathering trading card site script to run the exchange.

To explain this to people that have little or no programming/scripting experience. It is very very EASY to make a site...just like paypal, just like ebay, just like your banks website...very fucking easy. What is hard is making it the correct way with proper secure code. Mt.gox is made by people that lack the experience required for a site dealing with millions of $$$, no matter how much he "fixes the security flaws" nothing is going to change that.

If you disagree with me then I invite you to this thread ~2 months after mt.gox is opened back up when its either hacked or some system fails again. Just don't say I didn't warn you.

The author of the quoted post a.k.a. lardycake is a fucking moron, even if he improves his writing, he has no knowledge of the facts, such as that mtgox was created by Jed (not MagicalTux), and that MagicalTux already explained that he is writing an entirely new site that is decent and not a stupid magic the gathering trading script. And no matter how much we attempt to inform the moron, he will keep being ignorant, nothing is going to change that.


Title: Re: To Magical Tux
Post by: silverman on June 22, 2011, 01:49:29 PM
I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGox has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

MagicalTux, first you gave away the keys to the store. Then you brought in "the authorities", who will be using every bit of information they can gather against this Bitcoin community. And you are less than forthcoming about what actually happened. You might want to consider what would happen if you were to make these little mistakes in Chicago of the '20s, or maybe in Central America today.

I lost nothing, and certainly do not call for violence. I do hope that you will lose every Bitcoin you ever gained, hand over the Mt.Gox project to someone who is competent, understand what a fuckup you are, and live a long and happy life.







Title: Re: To Magical Tux
Post by: BCEmporium on June 22, 2011, 02:10:43 PM
You might want to consider what this would mean if you were to make these little mistakes in Chicago of the '20s, or maybe Central America today.

Already crossed my mind, with places like SR around this M'Tux seems to have been doing too many f**kups lately.
I understand they wish to make BTC more "legit", but write to the FBI to become a snitch is a damn too dangerous and actually adds nothing to the purpose! Who can or can't go for or against BTC are the politicians, Feds don't make laws. Hopefully SR is still too small to drag big sharks, otherwise that guy would be in real life danger.


Title: Re: To Magical Tux
Post by: ottodv on June 22, 2011, 08:46:12 PM
Quote
However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

Due to the amount of money involved in MtGox, they are most likely bound by certain rules and regulations (regardless of the Bitcoin side of the story). They are probably legally obliged to report any incident above a certain threshold. Just as they are obliged to report suspicious transactions, as is any other financial institution.

If MtGox chose not to abide by those laws all our Bitcoins at MtGox would be at risk, so I for one want them to be 100% legit and go by the book.

As for why the FBI was involved, my guess is that some suspicious activities took place in the US.


Title: Re: To Magical Tux
Post by: BCEmporium on June 22, 2011, 08:58:26 PM
@ottodv

I would agree if that was the case, I see it right for them to report unusual activity or be regulated.
However I don't see why the FBI or why the DEA, they were reacting hysterically to the reactions of two tech-savvy US senators.
They should try to apply to financial regulators, lobbying with politics, not going straight to the police offering help as if some sort of vigilante/snitch recruitment was going on.


Title: Re: To Magical Tux
Post by: NO_SLAVE on June 22, 2011, 09:01:43 PM
I'll be sticking with MT gox....why you ask....it's simple really.

all the angry locust will be leaving....swarming over to tradehill.....goodbye, then there will be less volume on MT gox,
and the service will be better in terms of communication because of less angry locusts
demanding service. Also MTGOX has had their lessons, and have seemingly learned. 
They won't repeat those mistakes again. As the masses leave for tradehill, the focus of hacktack will be.....you guessed it....tradehill....

have fun...it's bitcoin hell.



Title: Re: To Magical Tux
Post by: Bit_Happy on June 22, 2011, 09:04:18 PM
Quote
And many accounts of that era are abandoned and thus never got salted after MagicalTux bought MtGox and introduced salting. Thus if any of those accounts had absurd amounts of BTC (for our standards), something that is quite likely, they also happen to be the easiest accounts to break in using the leaked database.

MtGox claims it was ONE account.


Again, there are many accounts that are abandoned, and probably have high amount of BTC, if ANY of those accounts get hacked, it is lots of crashing power.

Nearly 100% impossible, since MtGox did not exist during the 20,000 BTC pizza era. The idea of a single 500,000 BTC account is complete BS, IMO.

I would Love to see them recover soon, and very concerned the facts are not lining up right.
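
The claim quoted in this post, that accounts nobody logged into after salting was introduced still carry unsalted hashes, follows from how login-time hash upgrades work. The sketch below is an added example, not part of the thread and not MtGox's code; the record layout, the function names and the use of PBKDF2 as the salted scheme are assumptions, and the sample accounts are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune to your hardware
LEGACY_RE = re.compile(r"[0-9a-f]{32}")  # bare hex digest = unsalted MD5 record


def legacy_hash(password: str) -> str:
    """Legacy scheme: unsalted MD5. Equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Replacement scheme: per-user random salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """True if the stored value is still a bare unsalted digest."""
    return LEGACY_RE.fullmatch(stored) is not None


def verify_and_upgrade(users: dict, name: str, password: str) -> bool:
    """Check a login; a legacy record can only be re-hashed here,
    because this is the one moment the server sees the plaintext."""
    rec = users.get(name)
    if rec is None or rec.get("locked"):
        return False
    stored = rec["pw"]
    if is_legacy(stored):
        ok = hmac.compare_digest(stored, legacy_hash(password))
        if ok:
            rec["pw"] = salted_hash(password)  # upgrade on successful login
        return ok
    _, iterations, salt_hex, _ = stored.split("$")
    expected = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(stored, expected)


def lock_unmigrated(users: dict) -> list:
    """Dormant accounts never log in, so they never get upgraded.
    Discard their legacy digests and require an out-of-band reset."""
    flagged = sorted(n for n, r in users.items() if is_legacy(r["pw"]))
    for name in flagged:
        users[name]["pw"] = "!reset-required"  # no usable hash left to leak
        users[name]["locked"] = True
    return flagged


def build_sample() -> dict:
    """Constructed data: two accounts created before salting existed."""
    pw = legacy_hash("correct horse")
    return {"alice": {"pw": pw, "locked": False},
            "bob": {"pw": pw, "locked": False}}


if __name__ == "__main__":
    users = build_sample()
    print("identical legacy digests:", users["alice"]["pw"] == users["bob"]["pw"])
    verify_and_upgrade(users, "alice", "correct horse")  # alice is active
    print("still unsalted after migration period:", lock_unmigrated(users))
```

Running the sweep before a database can leak, rather than after, is what removes the exposure: an upgrade-on-login policy alone leaves every abandoned account on the weakest scheme indefinitely.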


Title: Re: To Magical Tux
Post by: Batouzo on June 22, 2011, 09:04:55 PM
and the service will be better in terms of communication because of less angry locusts

It is like saying that Sony will be most secure company ever because they got hacked.

Security is not an overnight thing, it is a culture. You don't do it by hiring 10 "consultants" or even developers.

Having said that,
Mtgox does use OpenPGP in emails, which is a nice sign of professionalism.


(but the fuckup with md5, sql injections, CSRF and 'auditor' ...  ::)


Title: Re: To Magical Tux
Post by: ottodv on June 22, 2011, 09:39:35 PM
Quote
I would agree if that was the case, I see it right for them to report unusual activity or be regulated.
However I don't see why the FBI or why the DEA, they were reacting hysterically to the reactions of two tech-savvy US senators.
They should try to apply to financial regulators, lobbying with politics, not going straight to the police offering help as if some sort of vigilante/snitch recruitment was going on.

I can't quite make the connections you are making.
Let me put it another way, I may not like everything the police does, but when I am a victim of a crime, I'll still report it to the police.

Also: it's not snitching to report a crime you are a victim of.
If the FBI can get the missing funds returned to MtGox and/or catch the cracker that would be a good thing, regardless of what anyone thinks of the FBI.


Title: Re: To Magical Tux
Post by: BCEmporium on June 22, 2011, 09:48:45 PM
Let me put this in the right perspective then;

a) The police is NOT the community where you can rollback a whole day of transactions and have this one agreeing and the other against, they will just flash you a warrant and force you to do what it says.

b) Financial operations are regulated by financial experts, and when you need to report something fishy you also need a lawyer to protect you from lawsuits from the angry customer you'll get afterwards.

c) It's with the existing laws you need to abide, so you need lawyers and financial experts, making friends with the police will do you no good, as if you're outlawed they will pick you anyway... it's their job.

This has nothing to do with being for or against the police, but MtGox/Britcoin action was pretty much childish and most likely they made no consulting with any lawyer of financial area prior to carry on with it.

EDIT: Now I notice you've no idea of what I'm talking about. This isn't about they complaining to the police about the heist they were victims. I'm talking about this: http://in.reuters.com/article/2011/06/15/financial-bitcoin-idINN1510930920110615


Title: Re: To Magical Tux
Post by: ottodv on June 22, 2011, 10:16:11 PM
Quote
EDIT: Now I notice you've no idea of what I'm talking about. This isn't about they complaining to the police about the heist they were victims.

This thread is about supporting MtGox in their efforts to recover from the malicious trade.
Even with the other issue you raise, wtf do you want MtGox to do? To say that they won't cooperate with authorities? That's a sure way to get shut down.

Besides it strikes me that the whole point of that statement was to counter the ridiculous and baseless claims made by those two senators that Bitcoins are merely a money laundering tool.


Title: Re: To Magical Tux
Post by: BCEmporium on June 22, 2011, 10:27:15 PM
Quote
Even with the other issue you raise, wtf do you want MtGox to do? To say that they won't cooperate with authorities?

If asked, there were no problems. Take the initiative himself was the foolish part, not exactly cooperate or not. Different issues.
And this thread isn't about supporting M'Tux, it's about discussing it.


Title: Re: To Magical Tux
Post by: ottodv on June 22, 2011, 11:00:41 PM
Personally I think a proactive approach to countering claims made by those two senators is a good thing. I am glad someone did it.

My point was that this thread was about the malicious trade and not about Tux's letter to the DEA.
But I see you like to twist words and sentences out of their original context, good luck with that, but I have got better things to do.


Title: Re: To Magical Tux
Post by: marcus_of_augustus on June 23, 2011, 01:30:22 AM

In all reality the Japanese authorities have their hands full at Fukushima and the meltdown in Tokyo financial markets to the tune of trillions ... i think magic the gathering on-line exchange is pretty low on their todo list. icbw.


Title: Re: To Magical Tux
Post by: TraderTimm on June 23, 2011, 02:42:32 AM
Dang, another Mt.Gox thread. I think I heard a miner's video card explode down the hall.

No wonder you guys make so many :)


Title: Re: To Magical Tux
Post by: silverman on June 23, 2011, 04:02:33 AM
Personally I think a proactive approach to countering claims made by those two senators is a good thing. I am glad someone did it.

My point was that this thread was about the malicious trade and not about Tux's letter to the DEA.
But I see you like to twist words and sentences out of their original context, good luck with that, but I have got better things to do.

What letter? The Goxmeister is bringing in the DEA now?!!

This guy is a loose cannon. First he gives away the customer database and passwords, and now he's bringing in the DEA???

Whisky tango foxtrot. I want to see that letter!



Title: Re: To Magical Tux
Post by: tavi on June 23, 2011, 04:57:58 AM
Personally I think a proactive approach to countering claims made by those two senators is a good thing. I am glad someone did it.

My point was that this thread was about the malicious trade and not about Tux's letter to the DEA.
But I see you like to twist words and sentences out of their original context, good luck with that, but I have got better things to do.

What letter? The Goxmeister is bringing in the DEA now?!!

This guy is a loose cannon. First he gives away the customer database and passwords, and now he's bringing in the DEA???

Whisky tango foxtrot. I want to see that letter!



Here you go bro: http://forum.bitcoin.org/index.php?topic=17693.0;all


Title: Re: To Magical Tux
Post by: silverman on June 23, 2011, 06:42:46 AM
Personally I think a proactive approach to countering claims made by those two senators is a good thing. I am glad someone did it.

My point was that this thread was about the malicious trade and not about Tux's letter to the DEA.
But I see you like to twist words and sentences out of their original context, good luck with that, but I have got better things to do.

What letter? The Goxmeister is bringing in the DEA now?!!

This guy is a loose cannon. First he gives away the customer database and passwords, and now he's bringing in the DEA???

Whisky tango foxtrot. I want to see that letter!



Here you go bro: http://forum.bitcoin.org/index.php?topic=17693.0;all

Thanks for the info, tavi. I've been looking for this letter since our enchanted Tux announced he was going to the "authorities". First this creep leaked our identities, then he called in the DEA.

From Wikipedia:

Judas Goat: A Judas goat is a trained goat used at a slaughterhouse and in general animal herding. The Judas goat is trained to associate with sheep or cattle, leading them to a specific destination. In stockyards, a Judas goat will lead sheep to slaughter, while its own life is spared. Judas goats are also used to lead other animals to specific pens and on to trucks.


The Bitcoin idea was excellent, but the people involved just couldn't handle the responsibility. Game, set, match. Party over.





Title: Re: To Magical Tux
Post by: Horkabork on June 23, 2011, 08:28:28 AM
Could someone who thinks that Mt. Gox cooperating with authorities is bad please tell me this:

How is a centralized, incorporated exchange supposed to exist if it is to be expected to break laws? Businesses that act like they are immune to subpoenas and warrants don't last long and aren't good places to keep your money. Although located in Japan, they do substantial business in the US, and so could be compelled to cooperate. The US likely couldn't close them down, but they sure could make getting money into or out of Mt. Gox difficult. Besides, you can bet your ass that your bank in the US would gladly voluntarily hand over information on suspicious transactions, unrequested, to authorities and would also give records of non-suspicious transactions involving Dwolla or Mt. Gox if those were properly requested.

MagicalTux said this: "As a company handling Bitcoins, it is not our intention of doing anything illegal. We sent a letter to the Drug Enforcement Administration to address this issue."

They need to keep within applicable laws. You all know that. So, why did you send money to them to buy bitcoins in order to buy drugs if you knew that; 1) either they were planning on existing uncooperatively and illegally or; 2) they would be required to turn over your info if legally requested? The former, giving your money to an illegal enterprise, is just plain stupid. The latter is just ignorant.

Now, I don't buy the claim that cooperation with US agencies means voluntary or unchallenged submission of user information. That would be a hilariously bad move opening the company up to all kinds of liability. At worst, they might be required to alert authorities about suspicious transactions, just like any bank or exchange. But since this is bitcoin, it's a grey area on whether they would even need to do that. However, aside from hacked accounts and fraudulent money transfers, please tell me how, praytell, are they supposed to tell that you bought drugs and thus mark your Mt. Gox account as suspicious?

Even though bitcoins are easily trackable, in order to do this, Mt. Gox would need to be privy to information about specific Silk Road-associated bitcoin addresses. They aren't. If anyone is, it's federal agencies.

It logically follows then that Mt. Gox won't be giving any user info that the DEA couldn't already specifically request. The info that is requested properly, well, they don't have a choice but to comply with certain laws or they would not last long as business (or out of jail).

On the bitcoin show the other night, the Mt. Gox guys stated that cooperation meant that the FBI, DEA or whatever would need to make inquiries through the Japanese government. This is different from handing over user info willy nilly and unrequested by the DEA.

(Edit: Okay I just watched the video and found that part here (http://www.youtube.com/watch?v=-0XvP841jaM&feature=player_detailpage#t=2354s). The dude even said "willy nilly" as well. If you don't want to watch, they said that they will run requests through their lawyers and comply if legally obligated to. That's pretty much the best possible thing they could be expected to do.)

Now, the criminal matter of the hack and the FBI, that's a different matter and I don't think I know enough to be able to make an argument one way or another except to say that not reporting the crime would be a massive error and potentially would hurt them from being able to find the hacker, reclaim stolen funds, or have as strong a case in court. And that's not just regarding the improbable court case against the hacker, but in defending against conspiracy theorists with lawyers (e.g "If you rolled back trades because of this crime, why didn't you report it?")

I just wanted to add that, while it seems like I'm defending them, I really don't fucking want Mt. Gox to send any of my data to any government agency whatsoever, and they darn well should challenge every subpoena.


Title: Re: To Magical Tux
Post by: marcus_of_augustus on June 23, 2011, 08:44:36 AM
Quote
Businesses that act like they are immune to subpoenas and warrants don't last long and aren't good places to keep your money.

JPMorgue Chase and Goldman Sachs would like to politely disagree with you here .... seems like there are two sets of laws in effect here ... so now the FBI and SEC are going to crawl all over a money exchange? ... wtf, billions have been stolen right under their noses and they said ... "we were watching porn so we didn't see nuffin"


Title: Re: To Magical Tux
Post by: Archatos on June 23, 2011, 10:42:09 AM
JPMorgue Chase and Goldman Sachs would like politely disagree with you here
They don't act like they are immune. They act like they have the money to settle any cases. And they do.


Title: Re: To Magical Tux
Post by: Horkabork on June 23, 2011, 10:56:31 AM
Quote
Businesses that act like they are immune to subpoenas and warrants don't last long and aren't good places to keep your money.

JPMorgue Chase and Goldman Sachs would like politely disagree with you here .... seems like there is two sets of laws in effect here ... so now the FBI and SEC are going to crawl all over a money exchange? ... wtf, billions have been stolen right under their noses and they said ... "we were watching porn so we didn't see nuffin"

Okay you've got me on that one. But then again, I wouldn't call JPMC or Goldman Sachs "good places to keep my money." ;D


Title: Re: To Magical Tux
Post by: BCEmporium on June 23, 2011, 11:12:24 AM
Could someone who thinks that Mt. Gox cooperating with authorities is bad please tell me this:
(...)

Nobody said that is a bad thing, take the initiative yourself to go write love letters to someone who doesn't call the shots and is basically just the muscle, is. If they want to do it, should have done it the right way, and the right way starts to get consulting by somebody with forex regulation expertise and contact who's in charge of making laws and regulate markets.


Title: Re: To Magical Tux
Post by: marcus_of_augustus on June 23, 2011, 11:14:30 AM
JPMorgue Chase and Goldman Sachs would like politely disagree with you here
They don't act like they are immune. They act like they have the money to settle any cases. And they do.

what they have .... some might call it "money" ... others might disagree ... they are insolvent on many levels.


Title: Re: To Magical Tux
Post by: chetrasho on June 23, 2011, 01:15:44 PM
Could someone who thinks that Mt. Gox cooperating with authorities is bad please tell me this:

How is a centralized, incorporated exchange supposed to exist if it is to be expected to break laws? Businesses that act like they are immune to subpoenas and warrants don't last long and aren't good places to keep your money. Although located in Japan, they do substantial business in the US, and so could be compelled to cooperate. The US likely couldn't close them down, but they sure could make getting money into or out of Mt. Gox difficult. Besides, you can bet your ass that your bank in the US would gladly voluntarily hand over information on suspicious transactions, unrequested, to authorities and would also give records of non-suspicious transactions involving Dwolla or Mt. Gox if those were properly requested.

MagicalTux said this: "As a company handling Bitcoins, it is not our intention of doing anything illegal. We sent a letter to the Drug Enforcement Administration to address this issue."

They need to keep within applicable laws. You all know that. So, why did you send money to them to buy bitcoins in order to buy drugs if you knew that; 1) either they were planning on existing uncooperatively and illegally or; 2) they would be required to turn over your info if legally requested? The former, giving your money to an illegal enterprise, is just plain stupid. The latter is just ignorant.

Now, I don't buy the claim that cooperation with US agencies means voluntary or unchallenged submission of user information. That would be a hilariously bad move opening the company up to all kinds of liability. At worst, they might be required to alert authorities about suspicious transactions, just like any bank or exchange. But since this is bitcoin, it's a grey area on whether they would even need to do that. However, aside from hacked accounts and fraudulent money transfers, please tell me how, praytell, are they supposed to tell that you bought drugs and thus mark your Mt. Gox account as suspicious?

Even though bitcoins are easily trackable, in order to do this, Mt. Gox would need to be privy to information about specific Silk Road-associated bitcoin addresses. They aren't. If anyone is, it's federal agencies.

It logically follows then that Mt. Gox won't be giving any user info that the DEA couldn't already specifically request. The info that is requested properly, well, they don't have a choice but to comply with certain laws or they would not last long as business (or out of jail).

On the bitcoin show the other night, the Mt. Gox guys stated that cooperation meant that the FBI, DEA or whatever would need to make inquiries through the Japanese government. This is different from handing over user info willy nilly and unrequested by the DEA.

(Edit: Okay I just watched the video and found that part here (http://www.youtube.com/watch?v=-0XvP841jaM&feature=player_detailpage#t=2354s). The dude even said "willy nilly" as well. If you don't want to watch, they said that they will run requests through their lawyers and comply if legally obligated to. That's pretty much the best possible thing they could be expected to do.)

Now, the criminal matter of the hack and the FBI, that's a different matter and I don't think I know enough to be able to make an argument one way or another except to say that not reporting the crime would be a massive error and potentially would hurt them from being able to find the hacker, reclaim stolen funds, or have as strong a case in court. And that's not just regarding the improbable court case against the hacker, but in defending against conspiracy theorists with lawyers (e.g "If you rolled back trades because of this crime, why didn't you report it?")

I just wanted to add that, while it seems like I'm defending them, I really don't fucking want Mt. Gox to send any of my data to any government agency whatsoever, and they darn well should challenge every subpoena.


Why would I even want a "centralized, incorporated exchange"? I want multiple, competitive exchanges. I don't care if they're incorporated or not. I just want them to protect my BT.

I don't get your point about warrants and subpoenas. Have any been issued in this case?

Just because the authorities haven't declared something "legal", that doesn't mean it's "illegal." It means that it's free/liberated.

Personally, I would prefer to keep the bitcoin market free from state violence and corrupted manipulation.

But you make a good point about how it's potentially MORE dangerous not to report this "crime"...

Eh... I just want MtGox to open again....


Title: Re: To Magical Tux
Post by: Adpatres on March 12, 2023, 09:38:22 AM
Love this thread...