http://www.thinq.co.uk/2011/6/28/mt-gox-flaw-opens-door-free-bitcoins/

I know mtgox allows you to put in orders without having the funds yet (which is very useful when putting in a sell-buy combo)
.. not sure how that would allow someone to game it for free bitcoins though.

That happened to me at first. But I've since put in 2 separate orders for 1 coin each - and they were fulfilled.

It's working - just bought 2 coins. Not displaying on bitcoinmonitor yet though..

US centric much???  Withdraw from these big ol global internets and run your own bitcoin on a lan if you want to go all parochial.

Yeah - I always assumed they were just put in as some sort of pending order.

I also emailed tradehill about allowing a similar thing.  For example - it takes a while for your BTC deposit to be confirmed at tradehill - but it'd be nice to setup a sell order at the same time as arranging the deposit.

The tradehill folks sounded positive on the idea and responded: "That way, you can leave a few open orders, monitor the different exchanges and make a transfer to the exchange you choose, all while keeping your BTC in your wallet."
..which is a usecase I hadn't thought of - but I guess that could be good.

as above
+ it's easy to get AUD in
+ tradehill doesn't seem to let me place orders if I don't have the funds to cover them at the time of placing the order whereas on mtgox it seems I could place a sell high and buy low even if there weren't any USD to cover the buy.
(perhaps for those sort of orders I should be using an external tool - but for now mtgox is more convenient)

Yeah.. fair enough. I was just being snarky because you seemed to jump to the conclusion they were hacked again.
I've been jumping to my own wrong conclusions so I can't really talk.

Oh yeah.. Makes sense!

ouch. That's potentially damning for the 'no sql injection attack occurred' line.
There are also some script tags in there that I didn't notice before.

It is interesting.. but note that on a standard qwerty keyboard - it's a pattern of 6 keys at the top left.. first unshifted then shifted.

Perhaps some wannabe security guru recommended it to a bunch of suckers as an easy way to remember your complicated password?!

No. *some* of the passwords have been extracted from the *previously* released list of (lightly) encrypted passwords.
Everyone should have changed their mtgox passwords by now, and also on other services if they were silly enough to use the same password elsewhere.
This is just an interesting exercise in seeing what insecure passwords people tend to use.
The shorter, dictionary based passwords are easily cracked. The more complex ones will take time - if anyone can even be bothered.


Fine - be happy. But take a little time to understand what you are being happy about.
then again..  maybe too much understanding is not a recipe for happiness...  
As you were!

Because your particular choice of spending sunday time is not more important than anyone elses - be it golf, work, family bbq, favourite wanking time, whatever.

Religions are renowned for their sense of self-importance. 
Don't make the mistake of assuming anyone else should think you're spending your time there well - let alone take it into consideration for a globally operating concern.

I don't fully understand the bitcoin transaction process - but the apparent difficulty in using bitcoins for micropayments is a huge disappointment for me.

I keep hearing how bitcoins are highly divisible - yet with such an arcane transaction system (where the fee changes based on the makeup of coins in your wallet?!) - the average user just isn't going to trust that (or know whether) they can send X uBTC or nBTC without losing a huge slice.

I think it's not only a hindrance for business uptake - but for the individual who just hears of bitcoin now and wants to try it out.

People trying it out now - might get 1mBTC from the faucet..   and probably nothing from mining pool.
It takes what.. a month with a modern but not top-of-the-line graphics card to even get a payout? Even if people have the ability to figure out the mining part - many will give up I think. (The very fact that pools don't seem to payout til some relatively huge size just reinforces the idea that small transactions aren't really catered for in bitcoin)

People need - right now - the ability to confidently send and receive micro BTC amounts.  Because I don't understand the transaction details - I worry that even sending a few uBTC back and forth with a friend - will somehow fragment my wallet and cause higher transaction fees in future!
I may be completely wrong in this - but until transactions are understandable - this is a problem.

In short - I think your proposal is premature, because it just adds to the complexity.
What we need first is stability and UNDERSTANDABILITY in the transaction behaviour of bitcoin client software.

Better documentation at bitcoin.org is probably the answer..  and it needs devs to think from the perspective of people who own merely 1mBTC.
I suspect all the devs have many whole BTC - and are oblivious to the needs of the 'poor'.  Same old story with any economy I guess

The database leak showed that the passwords were not stored particularly securely - so that at least needed to be fixed.
Because a fair amount of the account info is now public - that also forced them to implement extra security features e.g the IP address checking they did for account reclamation.
Also - they said they intended to keep the existing server 'as is' for investigation purposes.

It does seem a possibility that the auditor story is a cover story for an underlying sql injection vulnerability - but I don't see this as a tacit admission
 -  it's still just speculation as far as I can tell.

That's good to hear.  It was just a point of concern..  and I understand if it's not a priority just now.

perl, tcl, php.. 
The language is irrelevant.


You should give up. Making comments about programming when you clearly don't have a clue is bound to be embarrassing for you.

"If you can hack into my account, you can keep the money."

The only way I'd attempt something like this would be if tradehill also gave permission.
Seems unlikely they would, unless the 'hacker' were to give some undertaking they'd do so in ways that are highly unlikely to disrupt the system, and also that tradehill would be given time to fix any hole before the exploit were made public.

The logs show it as $17.29000 - and I'm fairly sure I asked for the trade to occur at 17.29!
It is simply not legitimate to show it with this many decimal places if it was rounded off at 2DP.




No. This is the problem with amateur programmers who try to code with currency.
It is *very easy* to get apparently simple things wrong.

e.g 0.1 * 21.55
depending on the precision used could come out as say 2.1550000000000002

now store that in a variable $x 
check if you have the expected value  $x == 2.155   and the program returns FALSE.
In this example, I've used floats - just to demonstrate one pitfall.

Rounding during intermediate calculations is another way to introduce inaccuracies and it looks to me as though this is what mt gox is doing.

When I first logged in to the mtgox claim site to see my account - I saw the balance from around the crash time.

Now I see funds that I deposited on the 20th have shown up in the account in USD

I agree... it's not something I want to hassle them about right now.. but I do think it warrants discussion and should be public knowledge.