It's really strange, you're a smart kid, like you understand the concepts of cryptography really well, you can do some nifty Chrome plugins etc. and yet you think this, I don't understand, is it like a mental blind spot for you?



I think you miss-remembered or miss-interpreted something I had said, it's never been my position to give any ID to anyone outside GLBSE and I've said as much. We've gone to great lengths to make it difficult to impossible for law enforcement to make us do so through the use of cryptography.

Also GLBSE will only have to follow AML rules if we're required to register as a financial institution, which would also mean that other regulations apply. All we need comply with is the 1998 data protection act which prevents us giving out our users information.

I'm in London now, I've had a look at the attempted "hack", quite funny if it wasn't annoying to users. I hadn't considered putting limits on the number of PM's some can send.

I'll also clean up the spam.

Im not long after arriving, and my laptop was DOA so had to get another one and restore my backup, which has taken some time. So no update on this and I don't think there will be until sometime next week.

First spot gone already.

Payable in bitcoins, whatever the market rate is at the time of paying.

I'll be adding a slider as a way to solve this.

Bitcoin2012 update

https://bitcointalk.org/index.php?topic=67199.msg1157994#msg1157994

Bitcoin2012 update https://bitcointalk.org/index.php?topic=67199.msg1157994#msg1157994

Sorry, I'm just getting really tired of people attacking me or GLBSE, they don't have anything to actually criticize so they make stuff up and throw all kinds of baseless accusations.

There is piotr_n as you see but also MPOE-PR (Mircea Popescu of Romania's sock puppet), who lately has been saying that I'm being sued as part of the Bitcoinica lawsuit (says I'm one of the unnamed Does), the guy is making up all kinds of stuff, and attacking me when I'm on IRC.

Does any exchange revert a transaction when someone has allowed their account to be compromised?

MtGox? Intersango? BTC-e?

You'll find the answer is no, for obvious reasons.

We've taken a hit plenty of times, when it was our fault but never had to do so for a compromised account as GLBSE takes all precautions, I see no reason why we or any other site should do so if they're not responsible.

People are responsible for their own security there is only so much we can do and this is doubly so with bitcoin.

Listen, crazy, if you need lies to win an argument then it's no win at all.



If there is no way to prove anything or no proof of anything, why are you accusing me?


I provide a secure platform for people to use, which includes 2fa, it requires that users keep their passwords safe, don't re-use them and use a machine that isn't compromised. If they can't do these things then there is nothing I can do to protect them. I've done everything I can and the rest is up to the user.

Just like a real stock market, if someone breaks into your account and executes trades, well that's just too bad they don't get reversed.

Whats to stop someone who made a bad trade or has fat fingers from claiming their account was compromised? Then every time the market takes a turn for the worst there would be a sudden rush of claims of hacked accounts.

On top of this I can't reverse trades when bitcoin has been withdrawn, since it's not GLBSE's fault, we've gone to the trouble to secure the exchange, we should not be required to foot the cost of someone else who didn't secure their account.


You're just sore that you lost money betting in the pirate game, and Goat won't give it back to you and I won't help you. You had your chance, you could have bought insured PPT's, or like most sensible people you could have kept your money. You made yourself a victim, don't go blaming others, don't go calling assets on my exchange "illegal IPO's" when you we're perfectly happy to buy into them when things were sweet.


No one cares about OpenTransactions, it's difficult to use and the problem it's tying to solve is the wrong one, the problem is key management.

GLBSE used to have all clients sign their orders with their private key, pretty soon because obvious that this wasn't going to scale as more and more people lost their keys

I just want to chime in on the compromise.

There was no unusual activity around the time of the attack, meaning there wasn't a large number of attempted logins.

GLBSE uses SSL from the browser to Cloudflare and from Cloudflare to the GLBSE server, cloudflare can minify JavaScript (hence the "we may change site content" in their TOS). I have a paid service with them.

I specifically told nedbert9  that GLBSE is not vulnerable to session hijacking attacks, so I don't know why he stated that it was. GLBSE resets the session ID after login which prevents session fixation. We only whitelist certain html elements for PM's and contracts so no XSS, and we use SSL so no man in the middle session sniffing attacks. Session ID's are not predictable or unencrypted.

In my PM I said apart from machine compromise, re-used/insecure password, the only thing I could think of that could be the cause was a session fixation attack, which GLBSE is not vulnerable to.

A session fixation attack requires the attacker to set the cookie in the users browser so the session ID is known, once the user visits a site and logs in, if the session ID is not changed then the (known session ID) becomes a valid session, and the attacker has succeeded. This is prevented by changing the session ID on login and using SSL (GLBSE only allows SSL).

I'm not able to say what caused the compromise, but I can say what it was not.

Nefario

Is laying a step up or down?

I feign no surprise, I place you in the tinfoil hat category of people so expect to hear all sorts of things.

Look Mr. conspiracy theorist,

I provided you with all the numbers for that asset you requested(dates as well), and all you could provide was "I remember them being different", you got chewed out by everyone else on that thread as well because you're so damn sure you remembered several sets of numbers, dates and times over a period of a few days and that the numbers I provided (pulled from a DB) are wrong, and therefor I must be in league with Goat.

Now, as I've said I'll give users signed receipts of their asset balance (but not give user details to pirate) what else have you got to say, except to trot out your theory that the rest of the world is conspiring against specifically you.


I believe it would be stupid for any GLBSE user to get a receipt to give to pirate, it won't increase their chance of getting paid, and will reduce the chance other users will (not that I think they have a chance either way), pirate will keep making excuses not to pay.

I also believe it would be dangerous for GLBSE users to give such information to pirate, why in the world would he want it?

Because thats not what he was asking, I was being asked to give GLBSE users details to pirate, which I can't. It's different from "can GLBSE users get a signed receipt of the pirate related assets they hold".

Besides, that won't get you anything, as pirate has said before his obligation is not to any of the PPT owners.

Both.

Absolutely baseless accusation, proof please.


Yes, at the request of bond holder we can provide GPG signed reciepts stating how many of the asset the person holds, it would mean that they would no longer be able to trade that asset afterwards (i.e. it would be stuck in their account) otherwise they would be able to game the system.

It depends on whether bitcoin is considered to be a currency and the FSA has already determined that it's not (that may change in the future, but it would require legislation from the UK or EU level). As things currently stand GLBSE is a virtual stock exchange for a virtual currency.

I'm in London for the month so will be hitting up the FSA to register GLBSE if they'll let me, I don't believe they will.


I don't believe so, there are pinkslip markets all over the world, this is currently what GLBSE is at the moment and even under the new standards we're bringing in (to separate assets into markets) all the PPT stuff would be in the pink section.