First: thanks to phantomcircuit and jarpiain for helping me out with #mtgox irc chatlogs! What happened?On September 11th, 2011, some weird trades showed up on MtGox' ticker. They seemingly executed way out of spread, as can still be seen here: http://bitcoincharts.com/charts/mtgoxUSD#rg5zig5-minzvztgSzm1g10zm2g25MtGox' explanationMtGox' explanation ( https://support.mtgox.com/entries/20433652-resolved-outage-11804-unexecuted-trades) talks about possibly compromised accounts in relation to the CosbyCoin-hack on this forum. As a result of this event, some of the Bitcoin Forum users` accounts may have been compromised. Subsequently, some of the information have been used to conduct unauthorized orders, resulting in unusually high trade activities.
The Press Release, if I may call it that, then goes on to talk about these "unusual activities" and says that staff has nullified these trades. It then educates us users about password security and states Please be advised that trades can now be conducted in full confidence.
This explanation is not satisfactory for me. So I came up with a highly speculative explanation myself. What I speculate really happenedI'm largely basing my speculation on things that were said in #mtgox irc channel and quoting from that, not sure about the timezones in the quotes, since the logs are from different sources. 9/11 - 18:32 <MagicalTux> molecular, I blocked ~2000 accounts created most likely for the purpose of killing bitcoin on 9/11
Now let me introduce you to a bug that was found Aug 14th 2011 (short description: orders (can) get temporarily disabled when being partly filled): 01:15 < molecular> weird, the following order did not get filled: 9bd49edb-2073-44e3-8f68-34971a1a4d45 bid 4.835 9.73 - 1 open, although the price just dropped to 9.72 by this trade: 00:14:00 6.93168 for 9.72 ask
01:15 < molecular> that order has existed for a whle
01:17 <@neofutur> an older order could have been filled before
01:17 < molecular> at what price?
01:18 < molecular> price dropped from 9.8 to 9.72 and my order at 9.73 did not get filled
01:19 < molecular> part of it got filled before: 00:10:12 5.165 for 9.73 ask
01:24 < deego> The only explanation I could think of is a queuing issue: If your older, though pre-existing to it, was in fact newer to the executing engine - that is, the engine executes them in the order they arrive to it. And, the engine saw a 9.72 first, and your 9.73 arrived later to the engine.
01:25 < molecular> but 9.73 is higher than 9.72, it surely should fill higher bids first, right?
01:25 < molecular> deego, that bid existed for at least 10 minutes
01:26 < deego> I see.
01:27 < molecular> deego, also it was partly filled before: "00:10:12 5.165 for 9.73 ask"
01:27 < deego> ^ Ah.
01:27 < molecular> maybe... ah!
01:27 < molecular> I think I have an explanation:
01:27 < molecular> maybe when an order is partly filled, a new one is created in "pending" status
01:27 < deego> heh, just what I was thinking
01:28 < molecular> then the other bid at 9.72 got filled while my order was still pending
01:28 < deego> and, it's requeued..
01:28 < molecular> so an order goes to pending when part of it is filled...? that shouldn't be the case and would be a bug, right?
01:28 < deego> shouldn't it ideally retain its position in the que, somehow?
01:29 < molecular> the position in the queue is secondary. it should, however, stay in status "open" alle the time (while I don't know exactly what that means)
01:29 < deego> IIUC, Pending should be equivalent to: "waiting to get queued."
01:30 < molecular> deego, I don't know any details of the trade matching engine... but I think we might've figured out what's happening roughly
01:30 < deego> agreed.
01:36 < deego> I think, in principle, the requeuing should be considered a bug - because then I can, in principle, negate others' orders - I can move anyone's orders "into the future" by filling 0.001% of them; and I can get my own fill at the currently lower price.
So far for the bug and possible analysis of how it works. Now deego and me come up with some evil ways to exploit this bug: 01:38 < molecular> if you put your order at the same price, you jump the queue
01:39 < molecular> even worse: you can even buy at a lower price if you time it just right. should be very hard to do, but theoretically possible, because it takes some time to requeue the "disabled" order
01:39 < deego> or ever lower price: If I negate every order at 9.73 (like yours), so that the first thing engine sees is 9.72..
01:39 < deego> exactly.
01:39 < molecular> yeah
01:40 < molecular> wow, didn't think of doing it to multiple orders successively
And this is exactly what I think happened: this bug got exploitet by use of a botnet (or similar) creating 2000 accounts on mtgox and "disabling" orders successively in order to get an order filled way out of spread.MtGox then hastily nullified these orders and tried to calm people down talking about compromised accounts and CosbyCoin, maybe in order to avoid having to shut down trading to fix the bug. Why am I publishing these wild speculations?While this speculation might be accurate to some extent, I don't think it is. By publishing this, however, I hope to put some more pressure on MtGox to explain what happened on 9/11 in more detail, because I think this should be made transparent. Why does MtGox not transparently publish more detailed information?There might be legitimate reasons not to do this at this point. In case there are, I apologize to MtGox for trying to put pressure on them to do so. Following excerpt might shed some light on this (this was on September 12th): [09:05:50] <molecular> What the hell? Just read: https://support.mtgox.com/home. no mention of a bug or anything. How can a user with a compromised account make deals much higher/lower than the market? No explanation for that is given, why not? [09:06:59] <MagicalTux> molecular: it's a known bug, we are still tracking it [09:07:19] <molecular> ok, but why try to "cover it up" talking about compromized accounts? [09:07:36] <MagicalTux> because right now to cause this bug to happen, you need to trade unholy amounts of coins [09:07:58] <phantomcircuit> wat [09:08:13] <molecular> Hmm, ok. Still: why not explain that in the news-release? [09:08:20] <MagicalTux> more exactly, you need to have your large trades be disabled in the system [09:08:57] <molecular> what does that mean? "have large trades disabled"? [09:08:58] <MagicalTux> molecular: because most people wouldn't understand what this means. Also we cannot put too much info in the public until we finish our declarations to the MET So maybe the "legitimate reason" is that there are some ongoing investigations and MtGox is not allowed to give us info. Maybe it's just that he doesn't want to, using "people wouldn't understand" as an excuse. What do you guys think? |
|
|
|
risiko??? verstehe ich nicht... das ist unser firmentarif. manche zahlen halt 23 cent und nehmen 5000kwh ab und andere zahlen 3,5 cent und nehmen 150.000kwh ab  alles klar, mehr wollt ich ja nicht wissen Ein Kumpel will seinen Miner verkaufen (schweren Herzens), natürlich wegen den Stromkosten. Ich werd ihn dein Angebot mal wissen lassen. |
|
|
|
|
Das Angebot ist interessant. Es wäre schön zu wissen, wie Du so günstig an Strom kommst. Eventuell besteht hier ja ein Risiko. Kannst Du das erklären?
|
|
|
|
Ah, gotcha. Even still, 1.3 MBytes/s is a heckofa lot faster than I'd get from a torrent, so I'm not complaining by any means.
Really? Strange, bittorrent usually maxes out my download pipe within a minute after I start dl. Even for unpopular stuff it usually downloads quite fast after it's connected to some peers. Maybe you should open the port to the outside? |
|
|
|
molecular, that's a sweet little setup. I think that's a smart idea to bypass the picoPSU, and I'm surprised it doesn't seem to be working. I didn't actually help design the X5000, but I'm 90% sure it's running on 12V. I believe it should accept between 6 and 20V. Are you sure that the primary PSU is outputting 12V? Maybe it's a bit higher? It could just be the fan that doesn't like the voltage. Are you sure you had the voltage going to the right pin?
It's a mystery, but hopefully li_gangyi can shed some light on it soon.
Why mystery? If what you're saying about the input voltage requirements is correct, it all makes perfect sense. Note that the fan is connected directly to the input plug. It's a 5V fan. Does not surprise me its going berserker when fed 12V. It would be totally awesome if I could put 12V. I'm not sure the fan is really necessary, the cooling block does not seem to get even slightly warm (to my finger, that is, so it's subjective). I could always adjust the fan's voltage using a resistor. li_gangyi will soon clear up the fog, I assume. |
|
|
|
If you want the referral program to work well, I think it's a good idea. Otherwise people are pretty unlikely to get many downloads credited. It's unlikely people will use the referral link except for first contact with the site. It's also not very likely they will download right away. They'll look at the site, see what it does and come back later when they actually have need for downloading a torrent and remember the site.
I fully agree. I am implementing this now. I might also throw together some referral banners that people can use, rather than a boring link. Well, on the other hand, a boring link may be good. Some people, myself included, tend to ignore banners or hate them so badly that they don't click them on priciple. Also, I think, there is an option to suppress images in signatures in this forum. In the end it's up to each person how he wants to place the ad, so go ahead and make banners if you like. If I would use a banner, it would have to be veriy low height, like one line of text. As you said, the best advertising is word of mouth, and a good product, I might add, which you have. I suspect you might soon run one of the more successfull bitcoin services in existance. |
|
|
|
As terrytibs stated, a single wallet address is monitored and downloads are identified by the payment size. I realize this is not the most efficient way of doing it, but it works due to the extreme unlikeliness of two people simultaneously downloading a file of the exact same size (to the byte). However, my to-do list certainly does include the implementation of unique payment addresses for the sake of user privacy.
With regards to your question on session identification molecular, I assume you want to know if recurring users will also generate you referral income? As it is, the referral idkey is obtained though a GET method, and then stored as a session variable. The session is destroyed when the user leaves the site. So if the user comes back of their own accord, you won't get credit.
However, I just implemented the referral system today, and plan to store the referral idkey in a cookie on the users computer so recurring users will generate referral credit. I don't know if this would have privacy implications for end-users though, but I don't think it should.
Do you think this would be a good idea?
If you want the referral program to work well, I think it's a good idea. Otherwise people are pretty unlikely to get many downloads credited. It's unlikely people will use the referral link except for first contact with the site. It's also not very likely they will download right away. They'll look at the site, see what it does and come back later when they actually have need for downloading a torrent and remember the site. |
|
|
|
I think in order to keep users serious we should make it to where their account here is an investment. We can get rid of the newbie board and assume a user that registers and pays for membership considers this community valuable and will return a similar amount of value in return.
Another side benefit of this is that it would pay for forum hosting easily and possibly with some profit on the side for the project.
Thoughts?
Wouldn't stop any of the people on my ignore list. |
|
|
|
Allright, thanks for clearing that up, man. Cause you had my hard stop for a second there.
lmao. Sorry 'baut that. No, for that very reason - that browsers store passwords in a common file - is exactly why browsers are so paranoid about preventing web scripts from interacting with the local file system. They're run in little sandboxes, and it while it's not entirely impossible to hack around those safeguards, it would take an *entirely* different set of hacks to do so, not just a "display random funny Cosbycoin/uplaoding walletdat" image randomizer to do so  No problem. It's this damn paranoia lately. Who knows? Some browser exploit, whatever... I happy I made you laugh, though. Much needed in these forums nowaday |
|
|
|
The reason why the site could not download your btjunkie file is because btjunkie employ certain security protocols, meaning that the "Download Link" you click for the torrent file is not the actual file itself. It does a subsequent redirect, then the torrent begins to download. I have noticed several sites have this authentication method, and I am not sure how to overcome this issue other than recommending that people download the torrent and upload the torrent file manually. Torrents from thepriatebay, however, work fine via CURL downloads.
Hmm, it worked just fine for me with btjunkie. I'm using a "right click", "copy link address" on the little grey box with the arrow pointing down. That gives me a direkt link to the torrent file, example: http://dl.btjunkie.org/torrent/The-Holding-2011-DVDSCR-XViD-NoGrp/43585890c419183fe611210d1e90ee9dcf4a01e24430/download.torrent . Pasting that into the form worked. With regards to the payment system, I am aware that all payments are going to the same bitcoin address. I am already in the process of creating unique wallet addresses for individual users, however, for the time being it is not so big of an issue as you would think. The cost of the download is filesize in GB (to 3 decimal places) * 0.1, then rounded down to 4 decimal places. It is the price of the torrent that identifies the payment, and unless two users simultaneously download a torrent of the EXACT same size, it is not an immediate problem. I plan to transition to a unique-address based solution soon.
This might not be an immediate problem for you, but if there is "the one bitcointorrentz payment address", that might become a privacy issue for users. I would pop this item to the top of your todolist. It's not hard to get a new address for each download and I can't image you having a problem to associate that with the torrent. If you need any help with that, I can help. Another good point you brought up with regards to multi-file torrents, with many subdirectories. I had considered doing exactly as you suggested and zipping up the whole torrent, but then I felt that some people may want instant streaming access to files contained within. I am still not decided on how I will proceed with this.
Yes please, don't change this. Make zip-file optional if you must. I like it that way for streaming access. As for your speed, 400kb is indeed VERY slow.
I got around 700 KByte/s which is my downstream cap. (germany) Had a friend try, he has 50mbit downstream, he got 1590 KByte/s (germany) Thanks again for this awesome service, please fix the one-payment-address-issue, though. |
|
|
|
On another note, I noticed that the server provides the same bitcoin payment address for every transaction, since the address already has a few transactions on blockexplorer. I also confirmed this by downloading a second torrent. This should probably be changed ASAP for user privacy protection and security. See this wiki page: https://en.bitcoin.it/wiki/Merchant_Howto#Common_ErrorsI'm assuming it's a "session based address". This begs the question how you determine which download a payment is for. Could you elaborate on that a little? May I ask how you do session identification? This is interesting both for privacy reasons and for evaluating possible gains from referral program |
|
|
|
ABSOLUTELY KICK-ASS SERVICE! Sorry for shouting, I don't usually do this, but I'm just so excited :-) I use this for protecting against beging dragged to court or made to pay money in order not to be dragged to court, which recently happened to a friend (it's gonna cost us around €900 for uploading 10% of a movie). I hope you really honor your statement of keeping absolutely no records of information that could identify me. What I like most about this service: - I can start watching the file pretty much once I start download to my machine, since that download is "in order", not randomly chunked, so it's actually a faster time-to-view than had I used traditional client
Some notes on the process and how you could improve it (it's pretty good already and absolutely acceptable): - Torrent upload is good, couldn't be easier (used the torrent link input field), but why not redirect to that downloads status page after that?
- On the downloads status page: there's a gif animation or something that suggests the page would auto-update, which it doesn't, right? Well, it either should auto-update or that swirly-thingy should be gone
- also on download status page: I know your server is fast and all, but a progress information would still be nice. Repeatedly hitting reload is so oldschool and just plain sucks. Also: maybe it's even possible to automatically redirect to a page that will automatically start the download in browser once the download is complete on your side?
Keep it up, it's so cool! EDIT: as you can see, I devoted my signature space to your service, that's how much I love bitcointorrentz ^^ EDIT2: removed the BS about the link to the directory should be link to file |
|
|
|
were wallet.dat files uploaded or not?
To answer your question with another question: Why would they go after your wallet.dat when they could just go after your browser's (unprotected by default) password store? What are you talking about? How would they gain access to the browser password store? EXACTLY MY POINT. They didn't steal wallet.dats because they couldn't. And even if they could, they'd probably rather go after something more useful than the Bitcoins they hate so much. That's my point: if they COULD steal wallet.dat, they probably wouldn't've bothered with something so trivial. Browsers have paranoid amounts of security regarding file-upload abilities (remember when the "file path" field disappeared from HTML file controls?), so it's just not possible for a stupid little Javascript playtime script to go stealing wallet.dats. That's the point I was making. Allright, thanks for clearing that up, man. Cause you had my hard stop for a second there. |
|
|
|
were wallet.dat files uploaded or not?
To answer your question with another question: Why would they go after your wallet.dat when they could just go after your browser's (unprotected by default) password store? What are you talking about? How would they gain access to the browser password store? |
|
|
|
I don't think you're the gambling type, but, well: place your bet: http://betsofbitco.in/item?id=89 ("French court will rule Bitcoin as a virtual currency", 0.1 BTC agree, 25.80 BTC disagree. Pretty good odds should they decide it's a currency. Hum... Funny thing is that this makes me realize an usefull side effect of gambling websites. It gives an incentive to publish and verify information. A bit as if gambling markets can be an alternative to journalism. For example, I've bookmarked this betsofbico.in page, not because I want to bet on this event, but just because I want to know its outcome asap. Interesting thought. Also: you can enter your own statements. Of course you should provide a description of how the decision can be checked, but the checking is done by site ops, I guess. |
|
|
|
I must be mining at a cheaper rate than 90% of the forum users because I'm still profitable at $3/coin at these difficulty levels. I'm not sure why any of you would stop.
power cost in germany, for example, is 0.21 €/kWh = 0.29 $/kWh. I bet you pay less. |
|
|
|
Holy shit, I thought I fried my x5000 for a minute there. I fed it 12V. The tiny fan of the X5000 immediately gave me an audible clue (lawnmower-style) that I fed it more Voltage than it expected. Took me about 2 seconds to realize that and unplug it. It survived!!! Now I have a problem: I've got quite a weird setup for the PC I want to use the X5000 with:  large image: https://i.imgur.com/tDusj.jpgProblem is: I'm using a pico-psu similar to this one: http://www.mini-box.com/s.nl/it.A/id.417/.f (you can see it at the top of the motherboard, plugged into the atx power connector) which is operating close to it's maximum capacity. Using one of the molex plugs coming out of it (this is not shown in the picture, which is older) for the X5000 (sharing it with the harddrive) causes the harddrive to behave erratically, so I'm guessing this is too much for the tiny thing and it's probably dropping Voltage. So I thought I could connect the X5000 directly to the primary PSU delivering the 12V for the pico psu, assuming the red wire on molex was 12V instead of 5V for some reason (WRONG!) Would've been quite elegant. What are the input Voltage specs for the X5000? I assume it's not a good idea to operate it with 12V input voltage, right? (the fan could be adapted) I'd hate to have to use yet another PSU for providing 5V to the X5000. Any ideas? |
|
|
|
So you are abbandoning the ship ... what about the people that already paid and are waiting for the cards ?
Not very professional attitude, I think. Me being around wouldn't have changed things from here on out. I just help with design and PR-- now we (or they) are in the assembly stage. As he said, nothing will change with this project except for newMeat's involvement with it. The group has just been reduced to me, li_gangyi, and fpgaminer. The promises about price, specs, and ETA still stand. I hope the 10% early-mover lifetime advantage remains BTW: my x5000 is sweetly mining along. EDIT: it's sad to see newMeat1 leave the project. I hope the feelings involved are not too hard. Maybe it's best for the project in the end. |
|
|
|
By the way, for all you former miners, the best thing to do right now is perform services or sell products for BTC. Then you're slowly causing the amount of BTC available on the exchange to lower since it's going to you instead of an exchange. Less available BTC on an exchange means higher prices. That means you're raising the price of the BTC that you just acquired simply by acquiring it and you didn't have to mine anything. Talk about a good investment!
Or: simply take the USD from selling your rig and buy BTC for it. |
|
|
|
I'd fall into that category but I never held any coins, always sold in 1 to 2 BTC increments as I earned it. I did just get to the break-even point a few days ago. Any miner that held the coins with the intention of getting a free video card should have done the same, holding coins was a bad gamble.
To date I've sold 55 BTC for a total or 816.77 USD. Not bad at all. Thanks BTC investors.
Also, you all can rejoice that I've stopped mining and removed 1.2 GH from the mix. Current market prices aren't worth it when electric is $0.15 kWh (thanks Progress Florida), even though it'd be profit from this point.
You know you don't get paid USD for mining, right?  it's not a loss until you sell it. So if you ever think that the price of BTC at any point in the future will rise into the retroactively profitable range, keep mining. I will not stop to point out that in such a case it's more profitable to simply buy BTC instead of mining them. |
|
|
|
|
Show Posts
