Author Topic: MemoryDealers.com founder Roger Ver abuses admin access at Blockchain.info  (Read 28764 times)
teste
Sr. Member
****
Offline Offline

Activity: 312
Merit: 250


View Profile
December 19, 2012, 04:34:52 PM
 #41

I support too, but they need to learn from their mistakes and be honest on their business.
greyhawk
Hero Member
*****
Offline Offline

Activity: 952
Merit: 1009


View Profile
December 19, 2012, 04:36:57 PM
 #42

changes


Good show. Quick, reasonable and effective countermeasures.

EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.
HostFat
Staff
Legendary
*
Offline Offline

Activity: 4270
Merit: 1209


I support freedom of choice


View Profile WWW
December 19, 2012, 04:38:11 PM
 #43

What has been changed
  • Roger and the support agent's access to this information has been revoked.
  • Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
  • The secret phrase is now no longer shown to any admins
Thank you Smiley

I DO NOT PROVIDE PRIVATE SUPPORT - https://t.me/hostfatmind/
BadBear
v2.0
Legendary
*
Offline Offline

Activity: 1652
Merit: 1128



View Profile WWW
December 19, 2012, 04:39:20 PM
 #44

...

Thanks for the quick response and action, this is good to see.

1Kz25jm6pjNTaz8bFezEYUeBYfEtpjuKRG | PGP: B5797C4F

Tired of annoying signature ads? Ad block for signatures
misterbigg
Legendary
*
Offline Offline

Activity: 1064
Merit: 1001



View Profile
December 19, 2012, 04:40:30 PM
 #45

The difference between how Blockchain and MemoryDealers handled the problem is like night and day.

Blockchain immediately recognized a problem and swiftly corrected it without histrionics or drama.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1227


Away on an extended break


View Profile
December 19, 2012, 04:42:13 PM
 #46

changes


Good show. Quick, reasonable and effective countermeasures.

EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.
+1.
misterbigg
Legendary
*
Offline Offline

Activity: 1064
Merit: 1001



View Profile
December 19, 2012, 04:46:32 PM
 #47

isn't this MemoryDealers guy the kid who left the country

Is this the company I'm thinking of or is it someone else?
Bitcoinin
Newbie
*
Offline Offline

Activity: 44
Merit: 0



View Profile WWW
December 19, 2012, 04:46:58 PM
 #48

A+ response piuk - this is the kind of professionalism Bitcoin businesses need to be exhibiting if the Bitcoin community and Bitcoin businesses want to be taken seriously by those outside of the community.
DannyHamilton
Legendary
*
Offline Offline

Activity: 3486
Merit: 4832



View Profile
December 19, 2012, 04:47:12 PM
Last edit: December 19, 2012, 09:31:55 PM by DannyHamilton
 #49

What has been changed
  • Roger and the support agent's access to this information has been revoked.
  • Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
  • The secret phrase is now no longer shown to any admins

Piuk,

I am trying hard to trust you and your business.  For now I will take you at your word.  Please don't make me regret that action.

If you can assure me that nobody from bitcoinstore.com (including Roger) will have access to look up user's personal information (by bitcoin address, email address, SMS number, IP address, or any other method)

Then this satisfies my request that blockchain.info:

Immediately sever all relationships with other businesses, removing admin access from anyone who would use that access to benefit their other business.

EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information.  They could not know in advance that MemoryDealers would abuse the access allowed them as an employee.  As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.
Herodes
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
December 19, 2012, 04:50:39 PM
Last edit: December 19, 2012, 05:14:05 PM by Herodes
 #50

Quote
Roger and the support agent's access to this information has been revoked.

Edit: My post edited in light of the new info surfacing. Didn't know Roger did support at blockchain.info.
teste
Sr. Member
****
Offline Offline

Activity: 312
Merit: 250


View Profile
December 19, 2012, 04:53:34 PM
 #51

Roger,

I hope you have learned from this situation. You should thank the guy who possibly has been dishonest with you, because it served as an example to improve the services that you have participation.

Piuk, hope you learned too. Thanks
nybble41
Full Member
***
Offline Offline

Activity: 152
Merit: 100


View Profile
December 19, 2012, 05:02:45 PM
 #52

Quote
Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?
piuk
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1005



View Profile WWW
December 19, 2012, 05:11:27 PM
 #53

Quote
Also - why did he need this kind of access in the first place? Were blockchain.info customers alerted about his access to this system?

He was given access to this information because I was getting bogged down in support tickets and Roger kindly offered to help with some of them. Requests to recover lost identifiers are one of the most common queries. At the time it had not occurred to me that there could be a conflict of interest. In the blockchain.info thread I posted that a minority stake in the site had been sold, but did not specifically mention the admin panel.

Quote
I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

Addresses are hashed with a secret. With access to the secret it would be possible to hash every bitcoin address with a non-zero balance and use that to compare against subscribed hashes to determine addresses in a wallet. The sacrifice of some anonymity when notifications are enabled has always been stated: https://blockchain.info/wallet/anonymity. However, it is no longer possible for admins to look up an arbitrary wallet by address.
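
Added example, not part of piuk's post and not blockchain.info's code: it contrasts an unkeyed SHA-256 index (the case nybble41 asks about) with a keyed one, and shows the caveat that whoever holds the secret can still enumerate candidate addresses against the stored hashes. HMAC-SHA256, the function names, the placeholder addresses and the secret are all assumptions made for illustration; the thread does not say which keyed construction the site uses.

```python
import hashlib
import hmac

# Constructed placeholders standing in for Bitcoin addresses (not real ones).
SUBSCRIBED = ["addr-alice-1", "addr-bob-1"]
FUNDED_ON_CHAIN = ["addr-alice-1", "addr-carol-1", "addr-bob-1", "addr-dave-1"]
SECRET = b"constructed-demo-secret"  # assumption: kept away from admin accounts


def plain_index(address):
    """Unkeyed SHA-256: anyone who knows the address can recompute it."""
    return hashlib.sha256(address.encode()).hexdigest()


def keyed_index(address, secret=SECRET):
    """HMAC-SHA256, one assumed construction for 'hashed with a secret'."""
    return hmac.new(secret, address.encode(), hashlib.sha256).hexdigest()


def build_table(index_fn):
    """Notification table: stored hash -> wallet id (ids are constructed)."""
    return {index_fn(a): f"wallet-{n}" for n, a in enumerate(SUBSCRIBED)}


def lookup(table, index_fn, address):
    """What an admin-panel 'find wallet by address' query would return."""
    return table.get(index_fn(address))


def enumerate_subscribed(table, index_fn, candidates):
    """Hash every candidate address and keep those present in the table."""
    return [a for a in candidates if index_fn(a) in table]


def demo():
    plain, keyed = build_table(plain_index), build_table(keyed_index)
    return {
        # nybble41's concern: an unkeyed hash does not stop a lookup.
        "plain_lookup": lookup(plain, plain_index, "addr-bob-1"),
        # Keyed table, no secret: neither an unkeyed hash nor a guessed key matches.
        "keyed_no_secret": lookup(keyed, plain_index, "addr-bob-1"),
        "keyed_wrong_key": lookup(
            keyed, lambda a: keyed_index(a, b"guess"), "addr-bob-1"),
        # piuk's caveat: with the secret, enumeration recovers the addresses.
        "keyed_with_secret": enumerate_subscribed(
            keyed, keyed_index, FUNDED_ON_CHAIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The protection therefore rests entirely on who can read or invoke the secret, so it belongs outside the admin panel and its use should be logged.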

Anon136
Legendary
*
Offline Offline

Activity: 1722
Merit: 1217



View Profile
December 19, 2012, 05:21:05 PM
 #54

Reserved if needed. 
(I didn't leak or abuse any information at all from Blockchain,  please read the other thread.)

You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.

You can't be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
DannyHamilton
Legendary
*
Offline Offline

Activity: 3486
Merit: 4832



View Profile
December 19, 2012, 05:24:08 PM
Last edit: December 19, 2012, 09:31:42 PM by DannyHamilton
 #55

Reserved if needed.  
(I didn't leak or abuse any information at all from Blockchain,  please read the other thread.)

You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.

You can't be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.
I agree, which is why I have posted about the violation of blockchain.info's privacy policy.  This does fall under a reasonable definition of dishonesty, right?

EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information.  They could not know in advance that MemoryDealers would abuse the access allowed them as an employee.  As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.
elux
Legendary
*
Offline Offline

Activity: 1458
Merit: 1006



View Profile
December 19, 2012, 05:26:25 PM
 #56

What has been changed

Solid response. Extremely impressive response time.

Quote from: blockchain.info/wallet/anonymity
Any email address, skype username or google talk username you enter will be stored on blockchain.info's servers. We will never share this information with any third parties.

Does this still apply when third parties show up at your door with guns and a warrant? (I don't have a blockchain.info wallet yet btw.)  Smiley
pazor
Legendary
*
Offline Offline

Activity: 966
Merit: 1000



View Profile
December 19, 2012, 05:38:11 PM
 #57

do we got our first watergate bitcoin event ?

 Grin

Escrow service wanted? - ask via PM
BTC 174X17nR7vEQBQo4GXKRGMGaTmB49Gf1yT
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
December 19, 2012, 05:45:59 PM
 #58

While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services.  So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.

While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform.  You could also see others willing to fork it and share improvements to it.

In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
SgtSpike
Legendary
*
Offline Offline

Activity: 1400
Merit: 1005



View Profile
December 19, 2012, 05:54:41 PM
 #59

While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services.  So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.

While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform.  You could also see others willing to fork it and share improvements to it.

In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.
With such a client, blockchain's purpose would be relegated to calculating account/address balances, broadcasting transactions, and storing encrypted backups?

Makes sense to me.  Only issue might be the lack of revenue that blockchain brings in from a downloadable client, vs they at least bring in some revenue via an ad on most pages right now.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1227


Away on an extended break


View Profile
December 19, 2012, 05:56:25 PM
 #60

While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services.  So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.

While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform.  You could also see others willing to fork it and share improvements to it.

In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.
This would be like Electrum plus the storage of encrypted wallet in the cloud to me.