That would help eliminate the doubt that this email is a smoke screen, and the whole story a big and complex theater play.
When all the dust settles, whoever does the research and writes a novel based upon these events has the prospect of making a lot of BTC. We have lots of accusations with no evidence. To me that is disgusting and says lots for the characters of those making the accusations. I personally believe people should be treated as innocent until proven guilty. From what is presented, we don’t even have the beginnings of proof.
|
|
|
Bruce invited Spanish Bitcoin users in general to come visit him at a gay-friendly hotel he was staying at in Spain. Said hotel has a spa attached. Some Bitcoin users are known to be minors. Somehow nanaimogold and warweed managed to twist this into Bruce luring minors to a gay bathhouse. So because Bruce is gay (so what), that automatically means that he wants to have sex with children? Meeting somebody doesn't automatically mean that they want to have sex! Overall who cares if it is a gay-friendly hotel or not... it makes 0 difference. All of your points are rather stupid imho.
|
|
|
wtf is going on here... Being gay is nothing more different than being black... I think that some people here should crawl back into their caves and go back to the stone age.
|
|
|
@ Garrett Burgwardt, sorry I have already bought a laptop (Lenovo X220). I have arrived in Barcelona! I'm loving Spain so much! It would be great to meet up with the bitcoiners in the lovely city. PM me for my mobile number.
|
|
|
@ptshamrock: sounds great! I'll be in Germany maybe in 4 weeks.
@lagios: hmm... don't have plans to go to Athens, but if I do travel there I'll certainly send you a pm.
|
|
|
dang boys, (and bitcoin girls also)... I'm in the UK! shoot me an email with your numbers!
|
|
|
@TheLaundryMan
You make a post stating your pgp key... yet you don't sign your post with it...
|
|
|
Where in the UK are you going?
I'm flying into Heathrow, from there I'm planning to stick in the London area. I'll only be in the UK for 5 days...
|
|
|
If you are going to Stockholm, let me know. I'll fix you a sofa, a beer and a shower.
Great! I always wanted to go to Sweden... let's see what happens
|
|
|
yo yo... updated the op. I'll be leaving for the UK in 1 day.
|
|
|
who said that the value of the bitcoins is judged by how cheaply (or expensive) they are to transfer between each-other...
Bitcoin's value comes from the fact that the barriers to disrupting the transactions are huge! It requires a huge investment in bitcoin mining to start mucking around with other people's transactions.
|
|
|
We have a decent throughput into the black markets, but there's a limit to how much that can grow before those black markets either get shut down or implode under the weight of their own politics and infighting.
Interested to know what you think...
There isn't even close to saturation with black markets... The decentralized nature of bitcoin means that many interdependent markets can exist without each becoming too large. I expect black and grey markets to set the minimum price of bitcoin over the next year or so.
Bitcoins won't go down in value, as these black and grey markets will have a vested interest in tightening up the supply of coins. It will be interesting to see how much they grow... It wouldn't be surprising to me to see the markets go up to $30 or $100, just from the pressure of the black markets (bitcoins will just seep out of mtgox and tradehill and otherwise... and not be re-deposited (other than those who mine)).
Either way... it is going to be very interesting.
|
|
|
MyBitcoin.com USERS HAD BITCOIN STOLEN. They are returning a portion 49% of them to you: Not sure where to send them? CALL ME. 646-580-0022
Hey Bruce, you are sounding a bit shrill. It is better to not jump to conclusions without solid evidence. For people looking for places to store bitcoin, I personally recommend: Trade Hill: https://www.tradehill.com/ or MtGox: https://mtgox.com/ as e-wallet services.
|
|
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
From the desk of Tom Williams, operator of MyBitcoin.com
For immediate release.
There are a lot of unanswered questions floating around on the Bitcoin forum and other places about the recent Mtgox password leak, and theft from the MyBitcoin system.
I will attempt to answer as many of the questions and concerns as best as I can in order to silence the rumor-mill once and for all.
As many of you already know, Mtgox was hacked and its password file was leaked. As soon as we heard about the leak we were closely monitoring the system for abnormal activity, and we didn't see any.
At first glance, we didn't see any hard evidence that a password leak had even occurred. There was just a lot of speculation to an SQL injection vulnerability in Mtgox's site. A few clients of ours had informed us of the forum threads, and we watched them carefully.
The following morning a client of ours sent us the download link to the leaked Mtgox password file. We prompty downloaded the file, put up a warning on the main page, and disabled the login.
We attempted to line up usernames from the leak, and we found a lot of matching ones. We started locking down all of those accounts using a script that we had to have written at a moment's notice. It was during this time that we noticed a flurry of spends happening. Yes, even with the site disabled.
The attacker had active sessions open to the site. We quickly flushed them and the spends stopped abruptly. We disabled the SCI, all payment forwarding, and all receipt URL traffic on all of the usernames in the Mtgox leak.
We proceeded to change the password on every account where the username matched our system's database. PGP-signed emails went out to all of the accounts that we changed the password on. If an account didn't have an email address or had already been compromised we put up a bulletin. (Email addresses were mandatory when we opened our service initially, but people complained that it wasn't truly anonymous so we made them optional. Unfortunately this makes contacting a security-compromised customer impossible.)
An investigation was conducted at that time, and we determined that the attacker had opened up a session to each active user/password pair ahead of time, solved the captcha, and used some sort of bot to maintain a connection so our system wouldn't timeout on the session. It was likely his intent to gain access to more accounts than he did, but as soon as he noticed that we had changed the main page of the site he sprung into action by sending a flurry of spends.
(Before you ask: no, we don't limit logins per IP address. We can't. We have a lot of users that come in from Tor and I2P that all appear to share the same source IP address.)
We've concluded that around 1% of the users on the leaked Mtgox password file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a horrible experience for the Bitcoin community in general.
The IP address that the attacker used was a Tor exit node and the spends were to an address that is outside of our system.
Now to address the rumors:
No, our database wasn't compromised. We had a 3rd party company audit our site for SQL injection attacks and we passed. (We did, however, have one XSS hole in the address book page last month that would allow an attacker to insert fake entries into a customer's address book. It was promptly fixed and offending address book entries were purged. Not a single customer had spent to the fake address book entries.) Every line of code was audited last month. Literally line by line audited by professionals, and it was deemed safe.
No, this site isn't being ran by some amateur that just learned how to program computers. It was created by seasoned programmers that understand security.
Yes, we use password encryption. We are currently using SHA-256, but since the recent Mtgox hack we will be upgrading that to something stronger. It's surprising how many sites still use MD5, even though it was broken years ago. It is my personal opinion that MD5 be deprecated from modern operating systems.
We also use whole-disk level encryption on every single one of our servers. When you fail a disk in a NOC and a level 1 technician replaces it does he wipe the disk before the RMA/tossing it in the garbage? Not usually! We know these mistakes happen, so we take precautions. Any and all servers with an IP KVM on them are ran in secure console mode. The root passwords are required even for single user mode. All disk keys are held off-site and were never generated anywhere near the internet. All server passwords are unique per server and per user, of course. Only two technicians have access to the secure servers. This access is over a VPN and we only use secured workstations running Linux and BSD to access them.
We use BSD servers with MAC, immutable flags, jails, PAX, SSP, randomized mmap, secure level, a WAF, a DDoS mitigation and alert system - -- the works. Like I said earlier. We are not amateurs. In fact, combined we have over 30 years of experience in the payment processing (credit card arena) industry.
A large amount of the Bitcoin holding is in cold (offline) storage. We only have a percentage of the holding available hot. This is done for obvious reasons.
Going forward we are implementing a 2-factor login system, user-configurable spend limits, better session token tumbling, and a bunch of new SCI features.
Wishing the Bitcoin community all the best and a swift recovery, and sincerely yours,
Tom Williams
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MBC v1.0
iQEcBAEBAgAGBQJOAki5AAoJEJ+5g06lAnqF3tcH/0QNKf7aBEg08vML9MCkwTjF VCoTAPzVaVsdbZOqiRwE2/6420tcFZrsWTXYZYbjXckEiYrl7/DQ2XsLyhk4W567 T1sOCmpH99Z2/VAvTfAd5obRTEGpMQ0SLIrfznyc8MmG4C1GvtVUr4jM79asPmRY jsIn7v53o9Ra1sN3QcvMskRUU1JmqfqU6MlJrYwXrtc/P9Tjm7D3AtsjfvJRX12Z 9g5y1N+zRGVpp7OK35VFnfmIKtOOtb3IMgG5EhiUllsoXKfz1eE08v4f4d0aQstL +HGMi3PktL1HBpIRni2n4MAaIXq/EyzxDSzkSHp6v032H70c1kkUibL//QNxQuM= =VaXC -----END PGP SIGNATURE-----
Public Key "MyBitcoin LLC (SCI Verification Key) <nobody@mybitcoin.com>":
Result (gpg -v):
gpg: Signature made 06/23/11 05:55:37 AUS Eastern Standard Time using RSA key ID A5027A85
gpg: using PGP trust model
gpg: Good signature from "MyBitcoin LLC (SCI Verification Key) <nobody@mybitcoin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB59 EE27 E803 FB68 EF30 3F5A 9FB9 834E A502 7A85
gpg: textmode signature, digest algorithm SHA1
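The statement above says spends continued after login was disabled because the attacker already held live sessions, and stopped only once those sessions were flushed. The sketch below is an added example, not code from the post or from MyBitcoin: it replays that sequence against a constructed in-memory session store, with hypothetical names (SessionStore, lock_account, spend_checked), and shows a per-account credential epoch that makes a password change invalidate older sessions.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store; every name here is hypothetical."""

    def __init__(self):
        self.login_enabled = True
        self.sessions = {}  # token -> (username, credential epoch at issue time)
        self.epoch = {}     # username -> current credential epoch

    def login(self, username):
        if not self.login_enabled:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (username, self.epoch.setdefault(username, 0))
        return token

    def lock_account(self, username):
        # Password change or lockdown: bump the epoch so older sessions go stale.
        self.epoch[username] = self.epoch.get(username, 0) + 1

    def flush_all(self):
        # Global kill switch: drop every live session.
        self.sessions.clear()

    def spend_naive(self, token):
        # Checks only that the token exists, so disabling login changes nothing.
        return token in self.sessions

    def spend_checked(self, token):
        # Re-validates the session against the account's current epoch.
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, issued = entry
        if issued != self.epoch.get(username, 0):
            del self.sessions[token]
            return False
        return True


def replay_incident():
    store = SessionStore()
    held = store.login("alice")           # session opened before the lockdown
    store.login_enabled = False           # login disabled on the site
    store.lock_account("alice")           # password changed on the matched account
    naive = store.spend_naive(held)       # old session still authorises a spend
    checked = store.spend_checked(held)   # epoch check rejects the stale session
    new_login = store.login("alice")      # new logins are refused
    store.flush_all()
    after_flush = store.spend_naive(held) # flushing stops the naive path too
    return naive, checked, new_login, after_flush
```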
|
|
|
I think that many people have lost a bit of BTC on mybitcoin... I still think that Tom is dead, or otherwise incapacitated.
Kiba, while your loss of escrow funds is awful, I'd say that mybitcoin up to this point had my trust also... I don't think that many will hold it against you.
|
|
|
How do I make an escrow donation?
Just say that you are the owner of those coins against your reputation...
|
|
|
+1 BTC... pm limits / group membership
|
|
|
@theymos can you please set up an auto-redirect to the https site... History has told us that it is particularly important to use secure web connections for anything bitcoin related.
|
|
|
Because Dwolla is much bigger than TradeHill and has focuses other than Bitcoin itself?
Yay for adblock and to get rid of your stupid goxed banner!
|
|
|
Yay for Gay people... They use PayPal... and get scammed!
(nb... please note, that straight people also use PayPal, and get scammed!)
|
|
|
|