MemoryDealers.com founder Roger Ver abuses admin access at Blockchain.info

[teste]

I support too, but they need to learn from their mistakes and be honest on their business.

[greyhawk]

changes

Good show. Quick, reasonable and effective countermeasures.

EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.

[HostFat]

What has been changed

• Roger and the support agent's access to this information has been revoked.
• Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
• The secret phrase is now no longer shown to any admins

Thank you

[BadBear]

...

Thanks for the quick response and action, this is good to see.

[misterbigg]

The difference between how Blockchain and MemoryDealers handled the problem is like night and day.

Blockchain immediately recognized a problem and swiftly corrected it without histrionics or drama.

[John (John K.)]

changes

Good show. Quick, reasonable and effective countermeasures.

EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.

+1.

[misterbigg]

isn't this MemoryDealers guy the kid who left the country

Is this the company I'm thinking of or is it someone else?

[Bitcoinin]

A+ response piuk - this is the kind of professionalism Bitcoin businesses need to be exhibiting if the Bitcoin community and Bitcoin businesses want to be taken seriously by those outside of the community.

[DannyHamilton]

What has been changed

• Roger and the support agent's access to this information has been revoked.
• Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.
• The secret phrase is now no longer shown to any admins

Piuk,

I am trying hard to trust you and your business.  For now I will take you at your word.  Please don't make me regret that action.

If you can assure me that nobody from bitcoinstore.com (including Roger) will have access to look up user's personal information (by bitcoin address, email address, SMS number, IP address, or any other method)

Then this satisfies my request that blockchain.info:

Immediately sever all relationships with other businesses, removing admin access from anyone who would use that access to benefit their other business.

EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information.  They could not know in advance that MemoryDealers would abuse the access allowed them as an employee.  As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.

[Herodes]

Roger and the support agent's access to this information has been revoked.

Edit: My post edited in light of the new info surfacing. Didn't know Roger did support at blockchain.info.

[teste]

Roger,

I hope you have learned from this situation. You should thank the guy who possibly has been dishonest with you, because it served as an example to improve the services that you have participation.

Piuk, hope you learned too. Thanks

[nybble41]

Addresses are now stored as a SHA 256 hash of the address, which removes the ability to lookup a wallet by bitcoin address.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

[piuk]

Also - why did he need this kind of access in the first place ? Were blockchain.info customers alerted about his access to this system ?

He was given access to this information because I was getting bogged down in support tickets and Roger kindly offered to help with some of them. Requests to recover lost identifiers are one of the most common queries. At the time it had not occurred to me that there could be a conflict of interest. In the blockchain.info thread I posted that a minority stake in the site had been sold, but did not specifically mention the admin panel.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

Addresses are hashed with a secret. With access to the secret it would be possible to hash every bitcoin address with a none zero balance and use that to compare against subscribed hashes to determine addresses in a wallet. The sacrifice of some anonymity when notifications are enabled has always been stated https://blockchain.info/wallet/anonymity. However it is no longer possible for admins to lookup an arbitrary wallet by address.

[Anon136]

Reserved if needed. 
(I didn't leak or abuse any information at all from Blockchain,  please read the other thread.)

You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.

you cant be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.

[DannyHamilton]

Reserved if needed.  
(I didn't leak or abuse any information at all from Blockchain,  please read the other thread.)

You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.

you cant be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.

I agree, which is why I have posted about the violation of blockchain.info's privacy policy.  This does fall under a reasonable definition of dishonesty, right?

EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information.  They could not know in advance that MemoryDealers would abuse the access allowed them as an employee.  As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.

[elux]

What has been changed

Solid response. Extremely impressive response time.

Any email address, skype username or google talk username you enter will be stored on blockchain.info's servers. We will never share this information with any third parties.

Does this still apply when third parties show up at your door with guns and a warrant? (I don't have a blockchain.info wallet yet btw.) 

[pazor]

do we got our first watergate bitcoin event ?

 

[casascius]

While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services.  So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.

While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform.  You could also see others willing to fork it and share improvements to it.

In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.

[SgtSpike]

While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services.  So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.

While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform.  You could also see others willing to fork it and share improvements to it.

In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.

With such a client, blockchain's purpose would be relegated to calculating account/address balances, broadcasting transactions, and storing encrypted backups?

Makes sense to me.  Only issue might be the lack of revenue that blockchain brings in from a downloadable client, vs they at least bring in some revenue via an ad on most pages right now.

[John (John K.)]

While everyone's mind is focused on Blockchain, there is one thing that I think would be a +1000: an open-source (or at least source visible) downloadable executable client for all its services.  So, someone who has assured themselves they have downloaded good client code doesn't have to worry that they'll be served some malicious script on a future visit, and it can be put in an independent repository where third parties have signed off on it.

While an executable client would be great, even just a folder full of .html and .js files would be more than satisfactory, and would have the benefit of being cross-platform.  You could also see others willing to fork it and share improvements to it.

In my mind, if blockchain being a "web wallet" is the only hesitation to recommending it, doing this would definitely push it over the threshold.

This would be like Electrum plus the storage of encrypted wallet in the cloud to me.