teste
December 19, 2012, 04:34:52 PM
I support too, but they need to learn from their mistakes and be honest on their business.

greyhawk
December 19, 2012, 04:36:57 PM
changes
Good show. Quick, reasonable and effective countermeasures. EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.

HostFat
Staff
Legendary
Offline
Activity: 4270
Merit: 1209
I support freedom of choice
December 19, 2012, 04:38:11 PM
What has been changed
- Roger and the support agent's access to this information has been revoked.
- Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
- The secret phrase is now no longer shown to any admins
Thank you

BadBear
v2.0
Legendary
Offline
Activity: 1652
Merit: 1128
December 19, 2012, 04:39:20 PM
...
Thanks for the quick response and action, this is good to see.

misterbigg
Legendary
Offline
Activity: 1064
Merit: 1001
December 19, 2012, 04:40:30 PM
The difference between how Blockchain and MemoryDealers handled the problem is like night and day.
Blockchain immediately recognized a problem and swiftly corrected it without histrionics or drama.

John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
December 19, 2012, 04:42:13 PM
changes
Good show. Quick, reasonable and effective countermeasures. EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.
+1.

misterbigg
Legendary
Offline
Activity: 1064
Merit: 1001
December 19, 2012, 04:46:32 PM
isn't this MemoryDealers guy the kid who left the country
Is this the company I'm thinking of or is it someone else?

Bitcoinin
Newbie
Offline
Activity: 44
Merit: 0
December 19, 2012, 04:46:58 PM
A+ response piuk - this is the kind of professionalism Bitcoin businesses need to be exhibiting if the Bitcoin community and Bitcoin businesses want to be taken seriously by those outside of the community.

DannyHamilton
Legendary
Offline
Activity: 3486
Merit: 4832
December 19, 2012, 04:47:12 PM Last edit: December 19, 2012, 09:31:55 PM by DannyHamilton
What has been changed
- Roger and the support agent's access to this information has been revoked.
- Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
- The secret phrase is now no longer shown to any admins
Piuk, I am trying hard to trust you and your business. For now I will take you at your word. Please don't make me regret that action. If you can assure me that nobody from bitcoinstore.com (including Roger) will have access to look up user's personal information (by bitcoin address, email address, SMS number, IP address, or any other method) Then this satisfies my request that blockchain.info:
Immediately sever all relationships with other businesses, removing admin access from anyone who would use that access to benefit their other business.
EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information. They could not know in advance that MemoryDealers would abuse the access allowed them as an employee. As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.

Herodes
December 19, 2012, 04:50:39 PM Last edit: December 19, 2012, 05:14:05 PM by Herodes
Roger and the support agent's access to this information has been revoked.
Edit: My post edited in light of the new info surfacing. Didn't know Roger did support at blockchain.info.

teste
December 19, 2012, 04:53:34 PM
Roger,
I hope you have learned from this situation. You should thank the guy who possibly has been dishonest with you, because it served as an example to improve the services that you have participation.
Piuk, hope you learned too. Thanks

nybble41
December 19, 2012, 05:02:45 PM
Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

piuk
December 19, 2012, 05:11:27 PM
Also - why did he need this kind of access in the first place ? Were blockchain.info customers alerted about his access to this system ?
He was given access to this information because I was getting bogged down in support tickets and Roger kindly offered to help with some of them. Requests to recover lost identifiers are one of the most common queries. At the time it had not occurred to me that there could be a conflict of interest. In the blockchain.info thread I posted that a minority stake in the site had been sold, but did not specifically mention the admin panel.
I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?
Addresses are hashed with a secret. With access to the secret it would be possible to hash every bitcoin address with a non-zero balance and use that to compare against subscribed hashes to determine addresses in a wallet. The sacrifice of some anonymity when notifications are enabled has always been stated https://blockchain.info/wallet/anonymity. However it is no longer possible for admins to lookup an arbitrary wallet by address.
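
The difference nybble41 asks about and piuk describes above, as an added example that is not part of the original thread and not blockchain.info's code: an unkeyed SHA-256 table versus a keyed one, and what a holder of the secret can still recover. HMAC-SHA256 is an assumed keyed construction (the thread names none), and the addresses, wallet names and secret are constructed placeholders.

```python
import hashlib
import hmac
from functools import partial

# Constructed placeholders standing in for the public set of funded addresses.
PUBLIC_ADDRESSES = [f"1ExampleAddr{i:04d}" for i in range(1000)]
# Constructed: addresses two wallets subscribed for notifications.
SUBSCRIBED = {"1ExampleAddr0042": "wallet-A", "1ExampleAddr0777": "wallet-B"}
SERVER_SECRET = b"constructed-demo-secret"  # assumption: known only to the server


def plain_digest(address):
    """Unkeyed SHA-256: anyone can recompute it from the address alone."""
    return hashlib.sha256(address.encode()).hexdigest()


def keyed_digest(secret, address):
    """Assumed keyed construction (HMAC-SHA256); the thread names no scheme."""
    return hmac.new(secret, address.encode(), hashlib.sha256).hexdigest()


def build_table(digest_fn):
    """What the notification table holds: digest -> wallet, no raw address."""
    return {digest_fn(addr): wallet for addr, wallet in SUBSCRIBED.items()}


def lookup(table, digest_fn, address):
    """Admin-style lookup of a wallet by address using a given digest."""
    return table.get(digest_fn(address))


def reidentify(table, digest_fn, candidates):
    """Hash every candidate address and report those present in the table."""
    return {a: table[digest_fn(a)] for a in candidates if digest_fn(a) in table}


def run_demo():
    with_secret = partial(keyed_digest, SERVER_SECRET)
    plain_table, keyed_table = build_table(plain_digest), build_table(with_secret)
    return {
        # Unkeyed table: knowing the address is enough to find the wallet.
        "plain_lookup": lookup(plain_table, plain_digest, "1ExampleAddr0042"),
        # Keyed table: the same attempt without the secret finds nothing.
        "keyed_lookup_without_secret": lookup(keyed_table, plain_digest, "1ExampleAddr0042"),
        "keyed_scan_without_secret": reidentify(keyed_table, plain_digest, PUBLIC_ADDRESSES),
        # Whoever holds the secret can still scan the public address set.
        "keyed_scan_with_secret": reidentify(keyed_table, with_secret, PUBLIC_ADDRESSES),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "->", value)
```

The keyed table only protects subscribers for as long as the secret stays out of reach of anyone who can read the table, so custody of that secret is the control to audit.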

Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
December 19, 2012, 05:21:05 PM
Reserved if needed. (I didn't leak or abuse any information at all from Blockchain, please read the other thread.)
You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.
You can't be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?

DannyHamilton
Legendary
Offline
Activity: 3486
Merit: 4832
December 19, 2012, 05:24:08 PM Last edit: December 19, 2012, 09:31:42 PM by DannyHamilton
Reserved if needed. (I didn't leak or abuse any information at all from Blockchain, please read the other thread.)
You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.
You can't be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.
I agree, which is why I have posted about the violation of blockchain.info's privacy policy. This does fall under a reasonable definition of dishonesty, right?
EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information. They could not know in advance that MemoryDealers would abuse the access allowed them as an employee. As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.

elux
Legendary
Offline
Activity: 1458
Merit: 1006
December 19, 2012, 05:26:25 PM
What has been changed
Solid response. Extremely impressive response time.
Any email address, skype username or google talk username you enter will be stored on blockchain.info's servers. We will never share this information with any third parties.
Does this still apply when third parties show up at your door with guns and a warrant? (I don't have a blockchain.info wallet yet btw.)

pazor
Legendary
Offline
Activity: 966
Merit: 1000
December 19, 2012, 05:38:11 PM
do we got our first watergate bitcoin event ?

Escrow service wanted? - ask via PM to BTC 174X17nR7vEQBQo4GXKRGMGaTmB49Gf1yT

casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
December 19, 2012, 05:45:59 PM
While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services. So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.
While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform. You could also see others willing to fork it and share improvements to it.
In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
December 19, 2012, 05:54:41 PM
While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services. So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.
While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform. You could also see others willing to fork it and share improvements to it.
In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.
With such a client, blockchain's purpose would be relegated to calculating account/address balances, broadcasting transactions, and storing encrypted backups? Makes sense to me. Only issue might be the lack of revenue that blockchain brings in from a downloadable client, vs they at least bring in some revenue via an ad on most pages right now.

John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
December 19, 2012, 05:56:25 PM
While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services. So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.
While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform. You could also see others willing to fork it and share improvements to it.
In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.
This would be like Electrum plus the storage of encrypted wallet in the cloud to me.