Bitcoin Forum
  Show Posts
101  Bitcoin / Bitcoin Discussion / FREE KEVIN day on: June 22, 2011, 12:36:02 AM
Oh man.. the memories!  Haha!

http://www.cafepress.com/FreeKevinDay

(no, not created by me, I suck at art)
102  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 08:17:03 PM
If Kevin is truly the savior of mtgox, then a roll-back should still happen,

But Kevin should be compensated by gox for saving their ass.

He was :)  MtGox blamed him for the hack, and said they forwarded his details on to the FBI (not like I believe that, but that's the official statement at least).  That is fair compensation right?
103  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 06:41:42 PM
are you crazy?  if there is one thing i have learned from this it's never trust a 3rd party 'auditor'.  actually wait just make that never trust a 3rd party

Do you actually still believe that story?  With all the evidence pointing out otherwise? Wow.

There are *very* competent security teams on this planet.  They don't advertise.  I would feel very comfortable with one of these teams flying in and taking a look ASAP.
104  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 06:32:43 PM
Since it's fairly obvious that the 500kBTC sale was from the pooled account holding everyone's money,

I appreciate the attempt at a solution, however the above statement is unfortunately not correct.  It's quite plausible it may be correct, but it's equally plausible the bitcoins didn't even exist in the first place (e.g. attacker adding +500,000 to the "BTCBalance" column or whatever for their account, via SQL injection).

Since it's been pretty much proven the story given by MtGox is incorrect, it's really wild speculation as to the real current situation.  Without all the information, my vote currently is to "sit and wait" until a third party can audit this mess.  I was previously in favor of a rollback, until it became painfully obvious that we were being misled about the situation.

I am of the opinion without truthful information about the situation, it's impossible to make an informed decision.  How many other fake balances exist in the system now, that will be re-activated when the site goes live?  I have about 500 questions like this, that are impossible to even begin to answer without getting some information in the light.

-Phil
105  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 06:03:21 PM
It's rational if you realize you're going to be caught anyway. Did he come forward before he thought he'd be tracked down, or after? Seemed like after to me.

He came forward within minutes (let's call it an hour or two so I'm not later called a liar) of this all going down, directly to the owner of MtGox via IRC.  At that time it was attempted to keep things a bit quiet on the public side for obvious reasons.

Chat logs will confirm this, should it ever come to that.

This was also mentioned in the OP.
106  Bitcoin / Pools / Re: BTC Guild - Server Update on: June 21, 2011, 09:29:26 AM
I already use a local HAProxy install to auto-failover between servers, it wouldn't be very difficult to add weights to this as well to distribute the load based off of an API call.

I'll look into it in the AM and post if I end up doing it :)
107  Bitcoin / Bitcoin Discussion / Re: EFF no longer accepting Bitcoin on: June 21, 2011, 08:57:38 AM
I read this much more as "we feel we'll likely be representing someone in a bitcoin related case in the future, so we want to remove any form of possible interpretation of impropriety by accepting them at this time"
108  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 08:49:35 AM
TL;DR: give the bitcoins back. For the community, for the future of Bitcoin and for yourself.

TL;DR is a bane of society.  You obviously subscribe to this theory as well.

Kevin does not have possession of these bitcoins, so it is quite obvious you didn't even read the original post, much less the followup replies in this thread.  Yeah yeah, that'd be work and all.

Just to help out the reading-comprehension challenged...

~250k bitcoins = at MtGox.  They never left.
~650 bitcoins, the amount transferred by Kevin, are sitting in escrow waiting for this whole mess to be figured out.  He posted that he was working on doing this, and I'm certain he'll post the details in the AM for everyone to see.  Sorry this stuff isn't instant?  Lawyers don't tend to keep 24 hour law offices open.  I really don't think he expected everyone here to be up in arms about 650 BTC he said he'd give back, when there are 250k on the line...

Jesus get facts right before you go accusing people of shit.  It's starting to get pathetic here.
109  Bitcoin / Bitcoin Discussion / Re: [Full Disclosure] More likely MtGox Post-Mortem on: June 21, 2011, 08:04:48 AM
Also, full-disclosure is the name of a mailing list btw, hence the thread title ;)
110  Bitcoin / Bitcoin Discussion / Re: [Full Disclosure] More likely MtGox Post-Mortem on: June 21, 2011, 07:55:01 AM
First, please keep in mind we are in a forum with a lot of lies, distortions and BS going around.
Indeed sir!

Quote
*If anyone finds that post to be an annoyance, then what can be done to help you be more tolerant?
I think the first one was likely annoyance due to the fact you (apparently, due to your question) did not read the chat log.  It was explained why identities were not verified.  Unfortunate to be sure, but you really only have MT to blame for this with his asinine attack on Kevin trying to associate him with the hacker.  I know I sure as hell wouldn't identify myself if I were discussing security vulnerabilities I've admitted to testing on MtGox any longer.  I first thought this of you as well, but then noticed your sig and decided it would be a good thing to extend the benefit of the doubt here (sorry, been a long day!).  Us nerd types (myself very much included) do get annoyed about having to answer questions we've already answered.  Aka your question was interpreted initially as laziness by myself, and perhaps some others - when it was actually more likely to be due diligence than anything else.

Quote
Your excellent post is detailed and informative Phil21.
If my annoyance helped motivate you to write it, I'm OK with that.   :D
Haha, I wasn't actually annoyed - my post wasn't very clear.  I actually am not a security hacker type (the folks you see discussing that in the logs), but I do happen to manage a small team of very talented folks who are.  Intelligence and computing knowledge really is the only thing generally respected by such folks (while on the Internet in "hacker" mode), and "noob" questions tend to overly annoy them when compared with the general population as a whole.  Let's just say it was a learning experience on how to best work with these types, but it's paid off in spades over time and I've met some truly exceptional individuals.

Yes, I'm generalizing.  But I think a lot of folks will agree with it!

Edit: formatting/few extra comments
111  Bitcoin / Bitcoin Discussion / Re: [Full Disclosure] More likely MtGox Post-Mortem on: June 21, 2011, 07:15:54 AM
Hello Savaron,
Edit: No it means I don't blindly believe it.
Since you asked: I know a decent amount of php, but not hardly any Javascript.


...Plus, his title is BS, IMO.

I was going to actually PM you re: your question, but it's been answered publicly here.  I think you'll find more annoyance at your question for someone to interpret code for you, than you will find malfeasance here.  Security type nerds are an ornery bunch :)  While I am certainly no coder, I checked a few of those links and to me all looked like legit exploits that I've commonly seen in the wild targeting my customers (day job).  While I can't say they were actively exploited, the evidence gives me pretty much 99% confidence they were.  By the time you can Google for them, it's usually been weeks or months that they have been active.

What is surprising, is not that there are security vulnerabilities - every site has them, period.  It's the absolute basic "secure coding 101" type stuff that was missed, that is just mind blowing to people who can interpret the above code easily.  When you are making $30k/mo or more, I think it's a reasonable expectation to assume the most very basics are handled in a professional manner.  While I'd expect this for some fortune 500 company, I honestly did NOT expect it from a fledgling community of so-called technologists.  Especially one who had the balls in the first place to operate such an exchange!  I know if I operated mtgox, every waking moment would have been me worrying about security holes I've forgotten about.  These could have been found by any simple code scanner readily available on the market.

Other than there being no such thing as "full disclosure" (especially when a company is specifically NOT disclosing anything) I don't see how the thread title is BS at all.  This is absolutely the "more likely MtGox Post-Mortem".  It's at least *plausible* while MtGox's official explanation simply is not.

I expect more information to come to light soon as well, I have a feeling this train is just getting started from past experience.



112  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 07:03:51 AM
I think a rollback is the first step. Put things back to before the crash. In fact, I would suggest a transaction-by-transaction examination of (at least) the last week. We need a disinterested 3rd party to do this. NOT Kevin, and NOT MT. I have no idea who, but I do not envy their headaches.

We absolutely agree on the 3rd party audit, this needs to happen.  I think we simply disagree on the time frames involved here.  I'd like, before we roll back, to actually know if we should roll back just this one 500,000 btc trade, or if there have been dozens, hundreds, or thousands of illegitimate trades for much smaller amounts of bitcoins that no one noticed?  Does the community just pretend these didn't happen and simply move on?  I honestly don't really have a good answer or solution here since no one knows the extent of the problem.  And this is why the rollback as a concept really concerns me.  MtGox is picking an arbitrary transaction to roll back from - granted an extraordinary transaction that had a large amount of publicity and upset users.  One thing I've learned from operating sites that are high profile targets for attack, is that if you do notice someone exploiting a hole - usually you can go back in forensics and see other people exploiting that hole in a much more quiet and smart manner.  Sometimes these attacks go back years, before being noticed.

I understand you're trying to get back to normalcy as quickly as possible, and that does make sense and I wish for it too.  I actually agree that a rollback is a good idea, if it can be relatively certain we know it will actually fix anything other than simply giving 500k btc back to mtgox, and then we go on merrily being robbed from unknowingly by some other (very likely to exist with the state this code is apparently in) exploit until someone comes along and fucks it up for the smart hackers again by drawing attention.  Rinse and repeat.

I stated this in IRC, so you don't think I'm making up hypothetical concerns here.  I trade bitcoins for cash, locally in person by executing a real-time trade on MtGox and letting them watch, to ensure I'm not charging them any more/less than up-to-the-minute market rate.  I get cash, they get bitcoins sent from MtGox to their wallet address.

If a rollback can happen now at any time, how am I to conduct this business any longer?  I could be buying "stolen" bitcoins unknowingly, and have them taken from my account at a later date (how long do I have to wait for the transaction to "clear"?).  I am now out real money, since I conduct an actual business that will make my customers whole in the event of one of my vendors making a mistake.  It's the right thing to do.

I simply want to know the extent of the problem, the fixes being implemented, and the policy/plan for such situations moving forward.  I personally believe MtGox has lost their "right" to claim privacy/business secrets on this one as they've already lost the benefit of the doubt by having their entire database stolen.  Considering none of these answers have been forthcoming, I think it's starting to become obvious this problem is quite a bit more complicated than a simple hacked account.  Once answered (and answered truthfully this time, if that's even a possibility any longer) I can then evaluate my risk exposure based on legitimate and truthful information, which I currently cannot do.
113  Bitcoin / Bitcoin Discussion / Re: [Full Disclosure] More likely MtGox Post-Mortem on: June 21, 2011, 06:22:28 AM
#15 will not be responded to. This is common practice to prevent people who do not understand the issue at hand from making use of the exploit.

Since it appears Bit_Happy is a journalist, perhaps his question was in that frame of reference?  I'll give him the benefit of the doubt.

If that is the case, perhaps a private convo if you're willing would be appropriate, to demonstrate you actually do know what you're talking about and it's a legitimate problem.  This would assume Bit_Happy is writing an article on the topic?

Just wild assumptions, it's 1:30am :)
114  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 06:10:48 AM
TBH, I think I missed that thread. I'm not saying MtGox is in the clear here. I am by no means on their side. From the facts that I have seen, It looks like the hacker, whoever (s)he is, got a hold of MtGox's master account, and tried to drop the market in an attempt to clean it out. Kevin lucked into a huge pile of that, Which must have felt like scratching off that third pot of gold, But since it was the result of a hack, he doesn't get to keep them. Sorry, Kevin. MtGox smells pretty fishy, and I'm likely not going to use them anymore, but first, let's get everyone made whole.

Can we please move past the whole "KEVIN IS TRYING TO KEEP TEH MONIES!!!" posts?

No. Stop.  Kevin is saying that MTGOX IS LYING TO YOU.  Until the FACTS actually are revealed, why the hell should *any* action be taken yet?  Who the hell knows how far deep this goes, and how far back it goes.  I'd bet my life savings that someone has been quietly (likely more than one someone) exploiting these holes for months, and made off with a decent amount of loot undetected.  Does this fact not concern anyone?  What effect on trading prices has this historically had?  What is the scope of the problem in terms of bitcoins/dollars generated from this activity?  Did these coins even exist in the first place, or were they simply added via SQL injection to someone's balance?

This is NOT (only) a compromised password problem.  This has been as proven as it possibly can be without MtGox directly stating the facts as they happened themselves.  So why are they continuing to state this is the case? WHAT is the agenda?  Why the rush to rollback?  Why the rush to immediately after the hack call it a compromised password (the first clue this claim was BS - he had no realistic way of knowing at that time yet - post-mortems are excruciatingly both boring and generally take quite some time to really unravel anything, and usually then it's difficult to put all the pieces together sometimes if the attacker was careful)?

If you think a rollback is a good idea not knowing the entirety of the situation - that's fine, that's an opinion you can certainly hold and it may even hold some merit.  However, I want to really know if this is what you truly want?  To me, it seems like a completely bizarre stance I'm trying to understand :)
115  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 05:38:12 AM
Sorry Kevin but you coming here and 'coming clean' when so many people lost tons of money and shortly will lose tons more when MtGox lets it be known that they are insolvent is sorta like going to a den of lions dressed like this:

Er.. who are these "many people" that lost money?  MT has stated that only a single account was hacked and the contents sold off for cheap :)

Sounds like a lot of people possibly *made* money, and 1 person lost it.  If you go by MT's explanation of course.

Now, I don't believe MT's explanation to be anything resembling reality, so you may actually have a point!
116  Bitcoin / Bitcoin Discussion / Re: Portrait of 2 Kevin Days. Or are they the Same Person? You decide. on: June 21, 2011, 05:28:02 AM
the fact that the knowledge is what in fact it would take to know how to hack a system like this,

I generally enjoy your posting actually, because you're a decent troll.  However, this statement is ridiculous.  Any 15 year old with a halfway decent command on 5 (10?!?) year old very well known exploits would have found them nearly instantly.  Read the full disclosure thread.  All it took was someone with bad intent actually looking.
117  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 05:23:05 AM
Exactly. If he had bought bitcoins at the same time from, say, Tradehill, I wouldn't be going after those. Only the ones purchased (in good faith!) from a fraudulent trade. No different than buying stolen goods, except, hey presto, he gets his money back. All of this really just seems like him being butthurt about not being a millionaire (which I totally understand.)

No, this is being "butthurt" about MtGox lying about what happened.  It was an attempt for at least a little transparency where there was none, and the information being given to the public was demonstrably false.

Then, it was supposed to spark serious debate over how to fix the situation in the most community-responsible manner, once the actual facts of the matter were revealed.  This was met both by more lying, and accusing Kevin of being the hacker himself.  MT knows this to be untrue, so I find it to be absolutely despicable.

These facts are slowly being revealed, and I suspect in the coming days you may be astounded at some things.  If the "full disclosure" thread doesn't convince you, then I don't know what will?
118  Bitcoin / Bitcoin Discussion / Re: Portrait of 2 Kevin Days. Or are they the Same Person? You decide. on: June 21, 2011, 05:10:15 AM
hahaha, holy shit this is just getting purely entertaining at this point :)

A+ trolling!
119  Bitcoin / Bitcoin Discussion / Re: [Full Disclosure] More likely MtGox Post-Mortem on: June 21, 2011, 05:02:58 AM
People should read this.  All of it, even if it's boring to you.

This is what professional security teams do.  They do not blame their users for a hack that didn't happen in the first place (read: a user's account password being compromised likely was NOT the 500k selloff - at least by itself)

As I said in previous posts, the truth will come out one way or the other.  MT claiming his site is "safe" pretty much was the writing on the wall in that regard :)

I've made plenty of stupid ass security mistakes I'm completely embarrassed to admit to.  However, I've also admitted my mistakes and made conscious efforts to improve whenever I learn about something new.

120  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 04:13:04 AM
I missed part of the live broadcast, but I think MtGox said that the 500k coins was actually from the MtGox account. All the user's coins are actually stored in a single large wallet, and the BTC you see in your account is just an accounting entry. They're not actually yours until you withdraw your amount from the main wallet. So the theft wasn't from some poor schmuck with a bad password, it was from everyone at the same time.

I watched the live broadcast, but missed this if it was said.  I don't believe so though.  The only response to the question of "who owned the account that was hacked" I recall was "I can't answer that".   I don't expect them to reveal the name of the person's account, but I did expect a "no it was not mtgox itself, but we cannot reveal our customer's information" or similar.  Easy answer if what they have been saying (hacked user account) is true.

You've likely simply been reading speculation on the boards that this is the case (perhaps my own speculation, as I believe it to be true).

This is an extremely important detail, and sidestepping the question seems rather shady to me.