Bitcoin Forum

First of all I do not like to talk in public about this sort of stuff but I am doing so because I have a duty to my shareholders and people who hold my assets.  I apologize in advance. Nafario will be PMed a link to this thread.

GLBSE 1.0 was extremely solid. For the user to be at fault for a hack not only did someone need to have access to their physical computer but they also needed the password. I only kept the account on one computer and encrypted the HDD. If I got hacked it was not going to be my fault.
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!

https://bitcointalk.org/index.php?topic=60489.msg829923#msg829923

Nefario himself understand how risky this is and claims he will take no responsibility. I understand that point of view and I am going to make it very clear that I also take no responsibility!

Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Sunday morning I woke up and found that I could not get into my GLBSE account. I was almost physically ill because I knew the password I was using was correct. I had no idea what was wrong. I first checked the stock prices to see if there was a massive sell off on things I held. There was not. This made me feel better. However there is a massive amount of bitcoin in that account and I had no idea if it was still there or not. I messaged and e-mail Nefario. He did not get back to me for 24 hours and finally told me that he is having problems with my account.

I do not want to deal with level of stress again so I’m making it very clear now that I will not be held responsible for what I consider to be Nefario’s negligence. Right now I still do not have access to my account and assume no one else does either.

This whole thing just blows me away. I’m truly in shock.

+1 to this. Have you got your account back yet?
I personally am not as bothered because all I have is about 40 shares of TyGrr-Bank but even then I am concerned and see no benefits of GLBSE 2.0.
Just like blockchain.info wallet, it is trusted with thousands of bitcoin, and wouldn't be nearly as popular if they didn't only store encrypted wallets on their server.

EDIT: Would it be too hard to just create your own front end for shares? It would mean you can stop people selling for inflated prices if you want, and eliminate the glbse tx fees. You could make it so you sell to and buy from you for set prices, nothing else.

What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection.

You can take your password and encrypt it exactly like you encrypted your private key if you want.

I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it.

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

One of the only reasons why I'm trading with ~10 BTC over there, rather than 100+
I'd really like this to get fixed/improved, as I'd love to learn more about trading shares and bonds (just trying things out atm).
How was the security done on GLBSE 1.0 that you needed psychical access to your computer?
And why wasn't this implemented in version 2.0?

Can you please edit your post and remove what people need to know? You're only making it easier for people to hijack your account. I agree current security is lackluster for this site if they want to become big, but you've made your point already. No need to make it easier for people :(

OK, I agree that it is an issue in the sense that you should have been able to adjust prior, and people should be able to change their e-mail adress now with their GLBSE password.

But this is not an issue that has to do with whether GLBSE is safe but if your email account you registered with is safe …

How can you expect "this" to be fixed when you don’t even know what should be done about it? The first version of GLBSE used a long string representing your private key in addition to your password which you stored on your computer. You can do the exact same thing today and store both your email password and GLBSE password encrypted on your computer – no difference.

And the reason it got changed is that noone used GLBSE due to it, because it severely cut into usability. GLBSE 2.0 is way more popular now.

The only thing that can be done is add multifactor authentication, and it definitely should be done.

And yes, EDIT YOUR PREVIOUS POST NOW. I reported it.

Just pm Nefario and ask him to change your email address? Why this drama?

title proposal:

bring back web keys. say no to user name / password authentication

Crypto keys are only as strong as the user's ability to secure his computer and his passphrase.

2 factor auth is a better idea. Yubikey, matrix card, etc. And no, "security questions" are NOT 2 factor auth (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx).

once your email account is pwned you have a attack vector that bypasses glbse

Do you know how many people lost their private key and could not prove that their account was theirs on GLBSE?

I’ve told Nefario from the start that private keys are a bad idea because people cannot and will not secure them, and it actually decreases usability. He himself had a hardcore stance like you did, but he became convinced otherwise and so he built GLBSE 2.0.

Now compare the popularity of nick/pw GLBSE 2.0 with the private key original GLBSE.

2 step auth w/ google authenticator would be a good thing. Passwd + key option would be cool too. Being able to turn off email password reset would be very very nice.

using a secure email account for financial services to email you seems crucial.

I'm not sure what disturbs me the most about this thread. There are several issues to ponder. :-\

@Blitzboom I've no idea how many people lost their keys from 1.0 but I'm sure it's harder to brute force a key pair then pwning an email, if very frequently all it needs is to answer a question "did you get laid this year? y/n"

The drama because I've locked his account and asked for ID verification.

His reply:


I had also told him about a policy I'd like to implement, reducing the number of assets a single account/person can create, although I think that can wait until another time, certainly until this gets sorted out.

I'll unlock it as soon as he provides this information.


This is complete rubbish, Chaang is using Gmail, which itself uses two factor authentication, and is as secure as any internet connected system available. It's weakness are the users, their choice of password (password strength) and whether they re-use that password.

A strong, single use password is as good as it gets without adding two factor authentication (something I'm researching).

Keeping in mind that all other exchanges and most other websites do the same, username/password, account recovery through email GLBSE2.0 is not exceptionally more or less secure.

I'm a very reasonable person, and I find it unsettling how quickly this has been splashed across several threads on the forums. About 5 hours after I emailed him asking (asking, not demanding) for proof of identity, in a clear attempt to pressure me to unlock his account.

Nefario

I'm still stuck on the whole email account with the name of x as his password (I'll be nice and not say it  ;)), that's just lazy.

Regarding lost keys from 1.0

I spent A LOT OF TIME, dealing with this issue, a lot of people lost their keys, as a result the security of the system as a whole was reduced as without the keys people were unable to recover their accounts.

Cryptographically the system was really well secured, sadly people didn't look after their keys so it didn't work.

"Security questions" are often the weak point of many authentication systems. If indeed all it takes (I don't use GLBSE) is to know your birth city, that is clearly insufficient security. Ask about first pet names if you must have security questions at all, but leave biographical data that can be scraped from facebook out of it.

I'm certainly not going to be doing that.

How difficult is it to support (optional) GPG encrypted e-mails? This is one feature I wish all services adopted.

If I remember correctly, when I was starting with GLBSE1.0 the initial crypto development it was quite a pain and something I had trouble with, it's certainly doable

I could also add GPGAuth as an authentication method
http://gpgauth.org

However there is currently only a plugin for Google Chrome and no ruby server side implementation(which means I'd have to create it.

So it's an option, and one I'd happily support in the current system, just not an immediate one.

Goat, are you preemptively passing all blame of Nefario if something goes wrong with any of your GLBSE listings here because you don't want to authenticate your account? You can personally take measures to keep your e-mail account safe if you're worried. One, for instance, is as simple a rotating passwords regularly. It is the responsibility of both of you to secure your accounts, taking no responsibility is fairly childish IMO.
My apologies, but this sounds sketchy

I'm going to add Yubikey support soon, next few hours.

likuidxd makes some very good points, security is everyones responsibility.

I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.

If you want to be able to recover your accounts via email then you need to secure those as well, there is not other way around it.

What i find most alarming in this thread is that goat doesn't want to authenticate his account...

Apart from that, having a secure email address, and single use password is a basic when money is involved...
Regarding 2 step authentication, how difficult is it to implement google authenticator ? (like bitcoinica did)

Holy scam warning Batman!

Goat, why didn't you create an alias email account with an outrageously complicated password when you signed up for GLBSE 2.0?  You're honestly saying you use the same email/password for multiple sites and have been doing it for years?  I find it hard to believe that anyone in Bitcoin could be so naive.  You hold thousands maybe tens of thousands of dollars in other people's money and you reuse a commonly used email address?  I apologize, but I don't believe you are that stupid.  You were around for the MtGox email address hack, you know better.  This seems like either A) you setting up to scam everyone and not claim responsibility or B) you trying to create a panic in all your holdings so that you can buy them back for cheap and keep the profits.  For someone with 4 listings on the GLBSE, I find this incredibly irresponsible.

THIS WARNING (https://bitcointalk.org/index.php?topic=74315.0) seems to be a lot more relevant now.

I would hold off on the speculation for a while. We must allow Goat a reasonable amount of time to comply with the requests.

Nefario.

Actually I changed my mind, turns out you (I) actually need to buy a Yubikey to even get started, I don't want to bother waiting.

I'll find another option. Will use Google Authenticator, actually that seems to be the perfect option.

So is the login on GLBSE turned off for now because I can't log into my account either?

Edit:  Stupid me, I need to allow the permission to run that thing.

Thanks for the quick reply.

No I added a captcha to the login page to make brute force logins difficult.

Does this mean you are unable to pay your dividends for your contract/bonds?

It means he is unable to use his GLBSE account, it's locked.

This will all be sorted once Goat complies with my reasonable request.

Hopefully he does as you are doing the right thing by requiring verification.  It is impossible to know if the person requesting login information is really the person that owns the account without some type of verification.  Sometimes I wonder if the people on these forums are really the same people posting the day before.

I hope people realize the importance of having strong passwords.  Ten to twenty years ago people could remember multiple phone numbers and I don't see any reason why someone can't remember multiple strong passwords.

I guess this would mimic the behavior of GLBSE 1.0. I liked it but it might be overkill. Also, I feel that GPG-encrypted e-mails would serve more than one purpose by addressing the danger of e-mail interception, which is IMO a valid concern. However it seems the idea doesn't excite many people. ;)

Well I think that GPG signed emails by default (and encrypted where public keys have been provided) would make it harder to do fishing attacks.

I'm going to have two-factor authentication up and running for email, password changes and withdrawals/transfers (all user optional) before I go to bed.

 That's awesome. Thanks!

How often does Goat normally post? And what timezone is he in? I've already send him an email but not heard anything from him since he post this thread.

He's in Thailand

Sleeping time then, we should expect something of a reply after about 6 hours or so.

Hmm. I had missed a few posts. I don't like this one bit.

(Nefario, keep up the good work, please)

May I ask why you locked his account?

That's why you have MPEX (http://polimedia.us/bitcoin/mpex.php). Probably out of beta this month.

I don't think there is any need for Nefario to identify him since he is selling honey and donate to this forum and have a photo showing a sexy woman leaning to man, which proof his social value already.  He is man who is expanding his business in the need to borrow money at 3% weekly interest and at the same time donating to the bitcoin forum, he must be a generous angle to save us from the 0.25%-annual-interest-stupid-and-evil-bank!

Such a man could be a con? the identity needs to be verified? Oh, no, you're kidding. So many people have already purchased the share with every verification option showing a red cross!

Let's buy the bond and shares issued by him!  Because lots of people buy it!

he is so trustworthy! he is working for the government!

he is in Thailand, somewhere miracle happens!

When any doubt about him arise, even hero member of this forum is thinking about ban the post, and everyone is against the doubter! you should follow the crowd to make your investment decision so that you make money!

why Nefario make this party stop!

Goat will have very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very  good reason to keep his identity confidential. because bla bla bla bla bla bla bla, you know.

Maybe has something to do with you running 4 separate listings?

What is this Atlas Shrugged ?

I believe it was because you posted personal information about your email and password use, making it even easier for unsavory types to access your account.

Personally, I am baffled that you and Brendio have both failed to provide verification for your identities.  I'm not suggesting that I think you are the same person, just pointing out that I don't know of any good reason for either of you to wish to remain anonymous.  Moreover, someone posted in another thread that you had provided all sorts of proof of identity, so even if it's a PITA, why not jump through the hoops, be done with it, and hopefully have more buyers?  I was actually thinking of asking why you hadn't verified your identity in one of your threads before this whole fiasco started.

How about because you've raised thousands of BTC in multiple listings on the GLBSE, borrowed thousands of BTC from lenders using this forum, claim you live in a 3rd world country, claim to run a bank that is just a pass-thru operation for your First Pirate Savings & Trust account, and have started being called a scammer here? 

Personally, all you would have to do to change my opinion about you is post a short video of you and your wife enjoying some of your honey in a public place in Thailand.  It seems like you're going through great lengths to convince people you are in Thailand with this honey selling.  Someone with your operation wouldn't need to bother selling honey to raise funds to be a Donator.  I imagine it is definitely not worth the trouble of buying/packaging/shipping unless you are trying to convince people you are in a location where it is not even worth trying to recover their lost funds once everything goes sour.  It just smells way too fishy.

Post a proof video and I will be the first to publicly apologize.  Personally, I think that would do more to prove your innocence then you submitting some false ID documents to be verified on the GLBSE.  You already have your picture and your wife's picture on this forum, so this should be a very simple solution to this whole witch hunt.  Although I wouldn't blame Nefario for wanting the identification of the person he's allowed to raise thousands of BTC using his site...  At least it would shut me up and would probably boost your honey sales.

Hmm. I see huge huge warning signs w/ a person who won't identify who is so potentially overextended. The Bot issue was a glaring red flag when combined with all the other deals, IMO, and seems no surprise that we're here discussing this right now.

The less that you do to show that everything is on the up and up, the less I trust the whole deal.

The defensiveness that I see when Goat is questioned about his projects, and their details is yet another huge red flag.

Red flags don't mean things are not kosher, but they do tell me that I need to seriously reassess the potential risk.

This will me the last time I purchase shares in a company run by unidentified individuals. It sounds like lots of fun to take on that much risk, but *sigh* I really don't think people can truly be trusted that way. It invites them to be irresponsible.

I don't know why verifying your ID is an issue goat. You have a picture of yourself and girlfriend as your avatar, told people you live in Thailand, shared your email address. This shouldn't be an issue.

Sounds a lot like this OP (https://bitcointalk.org/index.php?topic=65955)
Something doesn't go the way you want so you throw a public hissy fit.

Security of your account is your responsibility, no one else's. Saying 'I take no responsibility', no one in there right mind should do business with you if that's what you think. If something happens, your account gets 'hacked', man up and take responsibility, that's how an honest man operates.

Nefario has taken appropriate steps to change authentication on the GLBSE and I personally think it's sufficient. If you had issues with it, why didn't you bring it up in beta testing? You were involved.

This sounds like you feel entitled here now and things should go your way...sad

Maybe I missed something

Especially saying it after something happens.  Business is one thing, but what gets a person a successful business is their word and reputation.  That is invaluable as no one can purchase that.

I agree.  I can understand why GLBSE business owners operating in States would be troubled to verify their identity, but Goat operating in Thailand's main benefit is the removal of legal risks.

Sell off one of your listings?
Excuse me being naive, but wouldn't it be your responsibility as owner (CEO) to buy them back and close the public offering? What does selling it off accomplish?

Well, in his defense I think he just wants listers to verify their accounts for fraud purposes. There were a lot of bad contracts of the old GLBSE and with 2.0 I think he is trying to eliminate that best as possible.

This is a reasonable argument.

His information is known...

He shouldn't have suddenly closed your account, I agree. What is the issue with you handing over a bit of info though? You don't have a problem posting a picture of yourself publicly. A verified email, name and address isn't so bad.

I can understand not giving personal information to a stranger, but this is playing chicken with both people's reputations.

What kind of information is needed?

I guess the question is what happens if Nefario doesn't unlock his accounts.  Do the shareholders loose their money. 

That is a little crazy.  If there is not more to the story then this probably could have been handled better and seems to be a problem of miscommunication.  It looks like a few of your assets are dropping in price.

While I've not personally verified an ID, I did press Nefario for more information about his identity, and the ownership of GLBSE, on his thread.

It seems like Nefario is doing his fiduciary duty to protect investors using the GLBSE from unusually high risk scenarios. Regardless of how honest and solvent you may be, the number of outstanding issues plus a lack of identification is an unusual amount of risk for most investors. I can't see how you can disagree with that, regardless of how trusted you may be on these forums.

It sounds also like you've ignored your fiduciary duty to your investors and shareholders by discussing this issues so vehemently in public, and thereby calling your own actions, intentions, and identification into questions. This is why your issues are being sold off quickly now.

I have to wonder if Nefario shouldn't halt trading on your issues to protect their value while this issue is resolved.

According to this Nefario has made it clear that he can ask for any form of ID.

We may at our discretion, ask asset creators to provide proof of identity, address, phone number and more, until we are sufficiently satisfied. Said information will be held securely offline and not shared with any third party. We reserve the right to freeze trading of the asset and the asset creators account for failure to provide requested details or in the event of suspected fraud.
 By using GLBSE and any service it provides you agree to these terms and conditions.
 These terms and conditions are subject to change without notice.

March 9, 2012, BitcoinGlobal

+1

Wow this thread has gotten out of hand since I last looked.

I would advise everyone to lay off Goat and relax, chill, this is being blown into a massive drama and it doesn't need to be, just have a little patience and allow us to work through this.

Firstly, I'm working on implementing two factor authentication for a number of things using GoogleAuth. I'm almost done, just adding the finishing touches. Once done then I'll address this in more detail, Goat showed considerable concern for his account security on me implementing recovery by email(pretty standard IMO), others may also have this concern.

One thing GLBSE has prided itself on is that we haven't been compromised or breached. This is something I am personally paranoid about (it's why I went through all the trouble to build GLBSE1.0, uber secure, I lose sleep worrying over this), and is something I want to continue, an unblemished security record.

Secondly, nothing has happened to Goats account, I've locked it. I'm not going to be keeping any of the contents of those accounts if as hashking speculates it were not to be unlocked, everything would be returned to the shareholders.

I do believe a lot of this has been the result of miss-communication.

I locked goats account because there were a considerable number of failed login attempts using his email. I assumed that his email had been compromised, as one of the largest accounts in GLBSE this is a pretty big deal, not something I'm about to let happen.

At the same time I have been wanting to talk to goat about a number of things, verification of his identity (he had asked me about it before, because he has so many assets that are such a high profile, and the breakin attempts), it has also been brought to my attention by a number of forum members of the danger posed by a single person having so many assets of such value, the potential for massive fraud. I also mentioned in the email I sent him about my intentions to introduce a new policy of limiting the number of assets created by any one person to mitigate this risk.

I guess my mistake was putting all these things in the one email, account problems, verification and notification about a policy I'd like to implement. I should have focused on the one thing first and moved on from there. This has caused considerable confusion.

The information for verification that I've asked him is pretty standard (i.e. what I ask other asset issuers), the more they can provide the better. It is not a demand, if he were to provide proof of identity to the extent that I'm satisfied with then great, usually pics of photo ID and a facebook profile(which he has told me he doesn't have) are enough (to check if they're a real person). Keep in mind that he has issued over $10,000USD worth of shares on GLBSE, I think it is prudent that at least someone knows his real life identity, this is your money that I'm trying to protect.

I was put back with goats response to what I deemed a reasonable request, both in email and PM's, this raised some red flags and prompted me to ask some questions, which hasn't resulted in anything concrete.

The steps to get this resolved are clear and simple:
1) let me finish adding two factor auth
2) goat, provide me with enough proof of identity to verify you are who you say you are, doesn't have to be everything I requested, just enough to prove who you are with the minimum of a pic of your passport.

Nefario

I think I will be waiting until GLBSE is out of beta to use it anymore because of this.  I wonder if that person with 7000 TyGrr-Bank bonds is freaking out.  It has dropped 10% today.

Because of the lack of breakins and paranoid security levels?

I understand freezing someone's account because of a threat of security breech, but that person has contractual obligations to pay bondholders or shareholders.  If those bondholders are not paid they will start to panic.  If you are going to freeze someone's account then you should also freeze any trading of the underlying asset that their account is associated with.

Looks like ToS to me: https://glbse.com/terms

"We may at our discretion, ask asset creators to provide proof of identity, address, phone number and more, until we are sufficiently satisfied. Said information will be held securely offline and not shared with any third party. We reserve the right to freeze trading of the asset and the asset creators account for failure to provide requested details or in the event of suspected fraud."

"By using GLBSE and any service it provides you agree to these terms and conditions."

Seems like half was done.

I will use the GLBSE for any issue that I would purchase directly from the company. There are some coming up that I would not want to miss.

Nefario has responded immediately to the call for additional security, and is working to clean up a situation that has been pre-existing. I do not have significant concern for the safety of my money in the GLBSE. I do not yet have significant funds invested.

I have some positions established at GLBSE that I will not close over this matter. I will only be opening new positions that are with 100% verified issuers. I may close any positions whose issuers are not verified within the next week.
FWIW, since a pic of a passport is so easily faked, this is insufficient.

For future investments, depending on the amount trying to be raised in an offering,  I will likely require that the passport be verified via credit reporting agency or background check service. I expect any costs of that type of verification will be passed onto IPO buyers. For very small offerings, with definite potential profit, I may consider simple verification.

In the near future, if the issue is large enough, I might add independent financial audits to my list of requirements.

In some ways I'm very intrigued by the idea of investing in anonymous organizations, but I really don't think we have methods to adequately protect ourselves in most of these situations. Very small issues could be fun to work this out.

I wonder what it says when one of the safest seeming, most shit together issues on the board is run by a 16yo. ;D

I don't see any issue with using the GLBSE. I don't have any more deep concern about it than I do about any other large or high profile bitcoin service.

FFS, I'm using beta money, why shouldn't I invest it on a beta stock exchange?! ;D

Identification was not required in 1.0, at the time BIB.goat was issued. Even now, it is optional. Nefario, could you also add OTC as an option for verification? I know you have allowed this for the MPOE-ETF offering. Also, there does not appear to be any functionality built in to 2.0 to provide verification info for previously issued assets.

The000Dustin, how would you like me to prove I'm not goat? I think proving a negative is a pretty hard thing to do.

Does this help?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hereby state that I have viewed photo ID for goat in the form of a Thailand work permit and a utility bill and do solemnly swear that I am not goat and goat is not me, as said ID and utility bill differs from that of mine, which I have also viewed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPeqETAAoJELlDeJJBw5c+MLcH/R5A+4TGml0elPe1JrV/JU3V
M+qaCcVl7sW5oYcOJMD4fCc/XxExZk8+LgbnecAJKC7JRsPHBajE1wlpYqUGF79e
otI8J8hxrmzkL1E+Md8zHGpA9/iDUvrgI1M/xamZ10aQ4wglKcBvvuU1yZ1ewlFV
C9ajiSBeSvUfU1kqben3snqLQ3Mzbhei4+obgg1Q3AgDpPJ4ct5+TNG02yvRmhcs
7fKUDMnBA4YUN0gW41ctuDwcUrZ378DKBMeLF7BWWG0FdSJ/EAo8sJqx/H3wF/DK
c5jR7j9mzNfqfKyDdC9mKlQLgsewsTuWA5KQ/SwGI5XarOFf7xVHpwOKKBVx5UM=
=tdAR
-----END PGP SIGNATURE-----

Sure, maybe I faked my otc ID and the trades I did with my otc account (http://bitcoin-otc.com/viewratingdetail.php?nick=brendio&sign=ANY&type=RECV)

Yes I'll add OTC in there.

At the moment all ID verification (including the collection of document pics to verify) are done manually. I take peoples ID information very seriously, and don't want to keep those docs online. I need a way to automate the collection of the docs, and manage the verification them that is secure.

Do you have a public GPG key for encryption of docs?

Check my sig.

Ah, yes. I have even used it before! Just didn't see it on the GLBSE site, that's all.

Two factor authentication has been added for withdrawals, transfers, and password changes(this will effect the account recovery option).

Implemented using GoogleAuth

Goodnight.

Just for the record:
I am aware that it is a new feature.
I have added emphasis to the quoted section of my post (which wasn't directed at you) to clear up that I am not providing accusations here.
I have dded emphasis to your post to your post to indicate the answer that would have been good enough for me.
Nefario has responded adding OTC, and indicating it is not built-in because he wants to keep identity docs secure, but I would have been comfortable assuming you were waiting for it to be built in based on the beta tag and not expected you to contact nefario just to verify your identity if nothing indicated that being necessary.

you have to log in, click on settings and enable it for any (or all) of the supported options
by default it's off

& my 2 million satoshi: any asset issuer could pro-actively seek nefario with a request to verify his identity.
with nefario keeping the submitted docs offline and only indicating their statuses on the asset page it's only between the asset issuer and nefario.

edit: I installed the google authenticator app, enabled 2step authentication in my account and then set up glbse to use it.
and it works like a charm. when enabled, it adds a new entry field on the page and retyping the code is easy. only 6 chars.
should also work over phone once forgotten at home and it would have to be read by somebody else to you. me gusta

Nefario,

thanks for making things clear in your long post above.

I'm now confident things will resolve to the good side and both glbse and TyGrr-* will come out of this strengthened.

keep up the great work you do for the community.

I just activated this and tried it.

2 failed attempts, dont know why, then it worked like a charm.

What if I lose my phone?

Write down the code then... and don't lose your phone, but just in case you do then write down the code. You can then enter it into another phone.

Also be careful if you have more than one GLBSE account, rename the account in Google Authenticator app before scanning the second code, otherwise it will be overwritten.

It's based on time, so if you get failed attempts it's because the time on your phone and the server are not in sync(or you're making mistakes). The server syncs with time servers and generally is never more than a few milliseconds off.

If you have real trouble try entering the code a little late, a few seconds before it changes.

No one would have known the difference if this were handled differently...

Part of the first email I sent in reply to your question on your account not letting you in.


You're account was locked for a good few hours before you contacted me, because there had been hundreds of failed login attempts. I added the captcha soon after to prevent this kind of attack again, I should have had it on there sooner but...stuff got in the way.

The information I asked for I have asked from others including Glasswalker, they haven't all provided all the information I requested(some have), doesn't mean it's a crime for me to ask.


The documents are stored on a USB hard drive with hardware encryption, hanging off the side of my dying netbook, on the coffee table of the house I live in (in Manchester, UK) where I spend too much of my day in front of.

GLBSE and BitcoinGlobal are not registered as businesses anywhere.
This has been clear from the beginning.


I've been saying for months (and keeping everyone informed)that we're bringing in more verification and processes to increase the reliability of asset issuers and keep out scammers. This is not new.


Why are you only asking these questions now?

You've been using GLBSE for many months, and it's only now you begin to question the legality of it all?

Listen, verify your account and I'll unlock it, you can then reset the password and continue on as you had before.

Just deal with this Goat, enough soap opera...  :'(

You could have sent a message to your share holders via GLBSE and dealt with this in private between yourself and Nefario. It would more than likely be resolved already.

/o\

This.  Seems like a reasonable concern to me despite all of the drama.  I was going to bring it up myself in response to the same post, but he beat me to it.  If the appropriate legal entity can get you to decrypt that USB key and claim all activity on GLBSE is illegal (whether said entities behavior and use of said information is legal or not), then they can come after everyone who they have proof you have worked with.  Personally, I was very concerned about using a main e-mail address instead of a more anonymous one as just a trader, but I believe this falls under the realm of hobbies and I am small time enough that US tax laws don't even touch my holdings for a hobby regardless.

Now there are all very best excuses to delay the identity information submission.   Maybe it need some time to prepare some fake ID and passport. In Thailand, with a white face, visiting the local black market asking for a fake passport... man, it's not a easy job.

give him some time, Nefario.

I cannot understand why Nefario is so wrong to protect the public investor by asking the ID information from the issuer, who raise money from maybe hundreds of people. Isn't Nefario's requirement in the best interest of the community all? we see Garr puts all his information public, and Garr is not alone. Why there are people in this world have so strong ego saying that "trust me or leave and I won't let you effectively verify whether I'm the person who I have said is"?

I think this is an understandable concern for people who wish above all things to remain anonymous. We're not asking regular traders to verify their ID, they don't even have to use a real email address (although they had better hope the don't lose their password or need to recover their account.). But Chaang is basically the largest entity being traded on GLBSE over 3 shares and has gotten thousands of BTC in shareholders money.

If you want to have this position, and do these things (get large amounts of other peoples money) showing some ID to the guy who runs the exchange is a very small requirement, a bank loan for 500USD has more requirements.

Do you not remember when GLBSE first started, and everyone, everything was anonymous, the result was time and again shareholders got scammed, we put up with that for nearly a year.

I bet if you asked him he would have done so for you.

You were never anon. Your IP had been logged, it's tied to this forum where there is a picture of you and messages in the db that I'm sure your email is located. A few members in the trading section have your address and probably a birth name.

Still can not tell if you are serious Goat...

+1. If you are trying to be anonymous, you are failing quite badly. In any case, Goat requires things to be done in small baby steps so that he can grasp what is happening. I think the sensory overload of a bunch of things at once is probably getting to him.

Once you verify your account with proof of ID I will unlock it, and this will finish.

I do remember that, and my post that caused Brendio to respond here should indicate that I expected Goat to verify without issue.  However, I also feel like there are way too many laws and it is reasonable for him to want to be confident that revealing his identity to you won't expose him to some outrageous laws he was unaware of that was potentially not even relevant when he started using GLBSE.  I also understand why you need to keep that information, but I don't imagine you would keep the key to decryption a secret if a foreign military regime took over your home and tortured you (I also don't imagine it will ever come to that, but have no way of knowing whether or not you would refuse to provide the information if commanded to by a judge [regardless of whether or not you were otherwise legally obligated to provide the information]).  Also, regarding the comments just made about Goat's anonymity or lack thereof, look into plausible deniability and remember the alleged "innocent until proven guilty" legal structure of the US.  These things make the arguments more sound, regardless of other associations (as association does not prove guilt).

You sir have not been paying attention to the news and internet security bills. Besides, Goat is apparently located in Thailand. Good luck with extradition to the US over trading securities for less than $100,000

Oh, but I have, and I signed more than one petition to help stop SOPA and PIPA, not that the US government will stop trying (nor that the Patriot act hasn't already royally F'ed us all).  Also, to be fair, I haven't seen his passport to know if he is a US citizen or just visits, and I am not familiar with trade law in Thailand to know if similar problems could exist there.  I will assume you aren't either.

The man earning his trust through his alpha male behavior, not through solid evidence. The man earning the trust in the way Mr. Ponzi earn his back in 1919 in the Boston, who was doing some highly profitable stamp arbitrage business. Just like Mr. Ponzi covered his own history back in the Italian, The man  cover his identity. Just like Mr. Ponzi has numerous indirect proof that his business is profitable,  The man  talk everyone on this forum into believing but never have any direct evidence. Take the mining companies on the GLBSE as example, they showing us every transaction of their mining payouts, they give us pics and vedios about how they setting up the mining farm, which are all direct evidence. However, you can know nothing direct evidence that why The man 's business is so profitable.

Someone will argue that, the private loan market on this forum is running at 10%-15% monthly interest, so that The man  can earn so much as well. This is true only if the scale of the business is small.

Mr. Ponzi doing stamp arbitrage might be indeed profitable, but not at 141,000 USD investment(the money back in 1919, maybe 100x- worth as it is now) which was collected from 30+ branch office in every corner of the city. man, it was only a small stamp, you put so much money into the market, how can you arbitrage any more!

Let's back to the private loan market in the bitcoin world. I personally lend some bitcoin out to two person on this forum, but I don't do it anymore. why? because I find it really hard to locate a safe debt investment opportunity. You have to spend lots of energy to search all the posts asking for lending and find someone trustworthy enough and earning 10%-15% monthly interest. So if someone invest tens of thousands of bitcoin on the bitcoin private loan market, he must take great risks where NPL jumps out and dragging the performance down. every 1% NPL make you 6% - 10% of your work meaningless. 10% NPL will eats all your interest and put you at the risk of loss. So The man  must be a god to run such huge money at such high performance. He must be a god, and avoid every potential NPL on the forum.

Just like Ponzi is starting new business everyday, The man  do the same. Yes, I cannot deny that there is some genius in the world who have super energy and very smart brain can do lots of things at the same time, but do you really believe that Goat is such kind of superman?

"History repeat itself.
If seems too good to be true, It probably is.
Listen to the skeptics."

from The Forewarned Investor: Don't Get Fooled Again by Corporate Fraud

The scale of the speculative bubble about The Myth of Goat is so huge. If it would not be stopped by the GLBSE now with effective identity verification, it might bring the bitcoin world into a Great Depression just as the scamming Wall Street did before in 1929. They issue stocks with simple, beautiful story, and drag the whole economy into disaster at the burst of the bubble. I ask everyone on the forum now, why are you so trust this man? I think the most common answer will be as this:


Yes, all people trusted him. So why not trust him, even without any identity verification by a third party.

Why do so many in this community expect another entity to come in and protect their assets? It's a big joke. If you don't want to invest money with someone that doesn't verify ID don't invest money with some one that isn't verified. What a difficult concept that is. You don't invest then demand ID AFTER the fact. When it was clearly marked he wasn't verified the entire time. Bitcoin is the wild west you guys want to turn it into USD. What the fuck is the point then.

The GLBSE is running by Nefario.
So that if he wants to verify the ID, he has the right to ask cooperation.
If his requirement is not fulfilled, he has the right to delist the asset.

 as simple as your argument.

I'LL COME FIND YOU  ;)
lol

Mr. Ponzi was well know in person and even so he is scamming the money from the crowd. However, in such case, Ponzi was put in jail at last, which prevent lots of cons from fraud criminal attempts. With the identity unverified, you can steal the money at no cost.

maybe someone should start another exchange beside the GLBSE, where the willingly investors goes there. let GLBSE persist verifying the ID. And the other one has no identity verified. let the two stock exchange compete. We will see which stock exchange is the favorite one for the investors.

You have to go through the considerable expense and effort of forging a new fake passport/ID as your old one would become public.

What if he locks his investors funds and requires them to send ID. Then sends you their ID rather than his own. Kinda like you could do, with everyones info you collect.

Nefario, for the long term best interest of the GLBSE (just from my point of view, you make the decision of course), Goat should be verified closely as someone suggested in the previous post. there should be an internet video call, and the passport/office phone number should be verified in a very diligent way.

There is already a white man in his avatar. And I guess Nefario has enough knowledge to detect any PS tricks.

??? I'm sorry I don't quite get the point you're making.

Why are you trolling so hard?  You haven't provided any indication that Goat has wronged you, and your other more accusational thread is nothing but a laugh.  You have indicated your concern, and everyone has read it, so the continuous unsupported arguing only makes it seem like you have something to gain or a personal vendetta that you won't expose because you know you're in the wrong.  Nefario will do what he thinks is best, and I should imagine, if Goat is honest but uncomfortable providing ID, BTC may even be transferred through a third party to repay debtholders.  I don't know how TyGrr would be dealt with, but TyGrr-Bank and TyGrr-BOT could be easily resolved that way.  Until that doesn't happen, your endless pointless rants just make me want to ignore you (which is probably exactly what I should do since you seem like such a troll to me, but I guess I took the bait, hook, line, and sinker).

That is a red herring, totally irrelevant.

@Goat:

Regardless of the lawful or unlawful nature of floating an IPO on GLBSE in any particular jurisdiction, you already did it.  You already got a bunch of peoples' bitcoins for what may or may not be considered a "security" in one or more countries or states.  Wasting time doing a bunch of legal research now accomplishes nothing.

Providing Nefario a copy of your passport (or whatever info he's asking for) changes nothing in the eyes of the law.

Your best bet to save face publicly (and cover your ass) is to jump through his hoops to get your account unlocked and pay the dividend(s).

That will probably keep your current investors from wanting to come get you (lawfully or otherwise).

Then you can decide what to do next... continue as-is, or, if you have no faith in Nefario or GLBSE, or are uncomfortable with the questionable legality of the securities you issued, your best bet is to buy back the securities you sold.  

Regardless of how mistreated you may feel, ending this drama quickly and to the benefit of your investors will make you look more professional and save your rep.

Hmm, wish that your wish is able to come true.

I think 556j's comment is about how it should be run, not whether Nefario has the right. Although, I have come to the conclusion that this kind of regulation is inevitable in the case of a centralized stock exchange, and Nefario is managing it pretty well.


I think that statements concludes the issue.

I think the regulation is inevitable, too. but you cannot convince everyone into believing it, especially if someone has already put the money into a Ponzi scheme. However, no matter someone agree with such kind of regulation or not, it's under the Nefario's decision. If someone don't like the regulation, he can leave the exchange. There is no gun pointing at his head.

In the real world, if the management team is feel bothered by the SEC and the public shareholder, they can purchase back all the stocks (privatization). Following the regulation sometimes cost less than a million dollars for a company comply with the regulation. Facebook did not want to be listed for a long time and doing private equity financing for several times. However, if you wanna be listed, obey the rules.

If Goat don't want to follow the ID verification rules, just leave the exchange. You can borrow on the forum in personal, or start an exchange of Goat's own.

HorseRider, what continent are you from?

Asia.

Goat spend some money on the advertise for the arbitrage Bot IPO. How much would the ad. cost?

Horserider, we all know you don't like/trust Goat but how exactly is this and the other hogwash you've been posting in anyway relevant to this thread?

Could a mod please split this off from where this hogwash starts.

Oh and Horserider Glbse isn't the only place Goat does business, I'm working with him on stuff completely unrelated to all his gblse projects that makes them look tiny.

So let's back to our topic. GLBSE is asking for identity verification but Goat won't like to cooperate. So maybe you two good buddies can looking for financing your big big project somewhere else.

So now you can't read either oh joy! Just to help you out:

"completely unrelated to" means has nothing to do with and isn't going to have anything to do with Glbse.

Furthermore, where has Goat said that he won't comply with this? He doesn't want to, that's clear and I can't say that I blame him as Gblse isn't a corporate entity in the same way as say Mt Gox, Cryptox or Bitcoinica. However I can also fully understand why Nefario wants to safeguard his users and I fully expect this to get resolved.

As to your FUD trolling in this and other threads all I can say is:

https://i.imgur.com/YzC3W.jpg

HorseRider chill

Gblse (http://www.gblse.com)?

http://www.gblse.com/images/gblse.gif
http://www.gblse.com/images/1.jpg (http://www.gblse.com)
(sorry, I had to do it)

Lol, I love this, feels like I've made it.

So what is the timeline Goat has for submitting verification and what is the plan if he refuses to submit the information?

Wasn't (at one time) the plan to make verification optional, but if you skipped the verification your account would have scary warnings and such things, saying that it isn't verified? Which would enable shareholders to react appropriately.

I believe that was the plan.  The site has the big red X saying not verified next to each ID type and indicates that will be the behavior above said big red X's.  I think Nefario is concerned about giving access to the account to the wrong person now that it has been locked from brute forcing (because of the large sum of BTC involved).  However, quite a bit was inferred by me to make this post, and there could be more to the story that is yet to be revealed.

Luckily I had not activated googleauth for one of the three things (I think "transfer") yet, so I could activate that and write down the code (assuming it's the same for all 3 actions).

With all 3 activated, however, where can I see the code?

He already told you, but you are too slow to understand simple statements.

1. Large number of attempted logins
2. All GLBSE asset issuers are required to present this information as of v2.0
 a. Verification is a manual process and will take a while to finish verifying evryone

He wouldn't be breaking his terms of service, but providing the identifying information to the police as part of an investigation would result in it becoming public in the police report.

http://bitcoin-shitlist.com/2012/02/24/chaang-noi-goat-is-a-fussy-prick/

^^ It was true back then, it continues to be true now.

Still waiting for the lawsuit, Goat. You have my name/address. Maybe we'll get to verify your identity if you sue me...

PS: He probably also has a small penis... ::)

https://glbse.com/signup

Internal Server Error

You mean the page itself or when submiting the form?
Because the page opens just fine.

https://bitcointalk.org/index.php?topic=73910.msg834030#msg834030

Has anything been worked out for paying out dividends while this dispute is being resolved?