Bitcoin Forum
Author Topic: Summary of the events last night - And an apology.  (Read 12971 times)
bbit
December 22, 2012, 07:30:03 PM
 #121

Quote
Maybe Nethead you should change your name to DICKHEAD.
It's really simple you fucked up he fucked up but your denying you fucked up so your a dickhead.

This isn't that hard is it ?

Quote
Ok mofo im a dickhead, but for what?
Also if you change yours to "videos4dick" or "dick4btc" first, i will try to change mine, promise.-

Notice how his point still stands do you admit you done anything wrong?
Just ignore Nethead aka Dickhead he's a troll .


nethead
December 22, 2012, 10:11:33 PM
 #122

Quote
Maybe Nethead you should change your name to DICKHEAD.
It's really simple you fucked up he fucked up but your denying you fucked up so your a dickhead.

This isn't that hard is it ?

Quote
Ok mofo im a dickhead, but for what?
Also if you change yours to "videos4dick" or "dick4btc" first, i will try to change mine, promise.-

Notice how his point still stands do you admit you done anything wrong?
Just ignore Nethead aka Dickhead he's a troll .


Yeah right, now I'm a troll... But you are another victim of Roger's marketing/advertising attempt.
Phinnaeus Gage
December 23, 2012, 04:35:38 AM
 #123

Quote
Maybe Nethead you should change your name to DICKHEAD.
It's really simple you fucked up he fucked up but your denying you fucked up so your a dickhead.

This isn't that hard is it ?

Quote
Ok mofo im a dickhead, but for what?
Also if you change yours to "videos4dick" or "dick4btc" first, i will try to change mine, promise.-

Notice how his point still stands do you admit you done anything wrong?
Just ignore Nethead aka Dickhead he's a troll .


Yeah right, now I'm a troll... But you are another victim of Roger's marketing/advertising attempt.

Nethead, it's possible that you have people leaning toward your way of thinking, but as you continue the current route you're taking, those same people will start abandoning their newfound position.

Case in point, I stand fully behind Roger, albeit possibly not as close as prior to this episode thanks to you. This is not meant as a diss toward you or Roger, but by choosing your words more carefully, you'll be able to retain those in your camp. Likewise, by becoming silent, possibly retains the same amount of people. But continue the diatribe, you'll have a massive campfire, but not many around to enjoy it.

To be clear, I'm not trying to silence you. I'm merely saying to state your facts in a softer tone. Remember the adage: You get more with honey than with vinegar.

~Bruno K~
ab8989
December 23, 2012, 08:53:37 AM
Last edit: December 23, 2012, 10:16:25 AM by ab8989
 #124

Your sharedKey was contained within the information posted. This key gives someone the ability to authenticate themselves with blockchain.info as the owner of that wallet, including the ability to overwrite it.

WHAT?

Could you explain this process how that happened?

I understood earlier from explanations from both Roger and blockchain.info representatives that the information available to admins from looking up the information based on an address does not give information that would allow the admin to authenticate to blockchain.info posing as the wallet owner. Now that has happened? The impossible thing?

Have the explanations from representatives of blockchain.info about what could be done with the information available from this admin panel lookup been entirely truthful?

What information do you have about WHO has authenticated into blockchain.info posing as nethead?

What did blockchain.info do in order to protect the user whose information was widely known to be publicly available and so likely target of abuses?

I see this issue potentially as the one biggest concern over anything else in this whole saga, so please explain.
JordanL
December 23, 2012, 10:14:13 AM
 #125

Really good to see that the companies related to Roger Ver are re-evaluating their privacy and security policies after he broke his privacy policy. Blockchain and Bitinstant in particular are such important and innovative businesses, it would be a shame to see them tainted by this mistake. I don't have time to read this entire thread, so I'm not sure if it has been mentioned before, but it would be nice if these companies had their privacy policies verified with trustE or a similar service.
piuk
December 23, 2012, 10:15:25 AM
 #126

Could you explain this process.

Since the user's password is never sent to the server, a randomly generated key is used instead for server-side authentication. With that key you have the ability to control some of the metadata associated with a wallet. As that key was posted publicly on the forums, nethead should start a new wallet.

ab8989
December 23, 2012, 10:28:01 AM
 #127

What about the other questions?

What information do you have about who abused blockchain.info to alter nethead wallet?

What about the 2-factor authentication issue nethead mentioned?

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user from likely various attempts for abuses even if blockchain.info perhaps did not yet know what the actual vector used for the attack is going to be?
makomk
December 23, 2012, 10:29:24 AM
 #128

Since the user's password is never sent to the server, a randomly generated key is used instead for server-side authentication. With that key you have the ability to control some of the metadata associated with a wallet. As that key was posted publicly on the forums, nethead should start a new wallet.
That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
piuk
December 23, 2012, 11:00:33 AM
Last edit: December 23, 2012, 07:36:55 PM by piuk
 #129

What information do you have about who abused blockchain.info to alter nethead wallet?

The ip address the wallet was last updated with.

What about the 2-factor authentication issue nethead mentioned?

With the sharedKey two factor authentication can be disabled.

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user
Every version of a wallet is stored (every time it is updated). The user has been sent those backups, with instructions to import them into another client or a new blockchain wallet.

That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
There isn't really any ability to lock a wallet, but yes, with access to the sharedKey and some custom-crafted HTTP requests he could have achieved that effect. Nethead has an email associated with the account so he will have been automatically emailed backups. With backups the extortion would be easily circumvented by importing the wallet into Multibit or any other client. This is one of the reasons why it's always a good idea to keep your own backups.
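
Added example, not part of the thread and not blockchain.info's code: one way a server can authenticate clients with a random shared key, as the posts above describe, while keeping the key itself out of any admin lookup, refusing to disable two-factor authentication on the key alone, and rotating the key after exposure (a generalisation of "start a new wallet"). `WalletStore`, its methods and the `second_factor_ok` flag (standing in for a verified one-time code) are hypothetical.

```python
import hashlib
import hmac
import secrets


def digest_key(shared_key: str) -> bytes:
    # The key is long and random, so a fast hash is enough here; a
    # human-chosen password would need a slow KDF instead.
    return hashlib.sha256(shared_key.encode("utf-8")).digest()


class WalletStore:
    """Hypothetical server-side store (assumed names, not a real schema)."""

    def __init__(self):
        self.records = {}    # guid -> {"digest", "two_factor", "version"}
        self.audit_log = []  # (actor, action, guid) tuples

    def create(self, guid: str) -> str:
        """Register a wallet; the key is returned to the client only once."""
        shared_key = secrets.token_urlsafe(32)
        self.records[guid] = {"digest": digest_key(shared_key),
                              "two_factor": True, "version": 1}
        return shared_key

    def authenticate(self, guid: str, presented_key: str) -> bool:
        rec = self.records.get(guid)
        if rec is None:
            return False
        # Constant-time comparison of the stored and presented digests.
        return hmac.compare_digest(rec["digest"], digest_key(presented_key))

    def admin_lookup(self, admin: str, guid: str) -> dict:
        """Support view: audited, and free of anything usable as a login."""
        self.audit_log.append((admin, "lookup", guid))
        rec = self.records[guid]
        return {"guid": guid, "two_factor": rec["two_factor"],
                "key_version": rec["version"]}

    def disable_two_factor(self, guid, presented_key, second_factor_ok):
        """The shared key alone must not be able to turn off 2FA."""
        if not (self.authenticate(guid, presented_key) and second_factor_ok):
            return False
        self.records[guid]["two_factor"] = False
        return True

    def rotate_key(self, guid: str, presented_key: str):
        """After exposure: issue a new key; the old one stops working."""
        if not self.authenticate(guid, presented_key):
            return None
        new_key = secrets.token_urlsafe(32)
        rec = self.records[guid]
        rec["digest"] = digest_key(new_key)
        rec["version"] += 1
        self.audit_log.append((guid, "rotate", guid))
        return new_key
```

Storing only the digest limits what a lookup can leak; it does nothing for a key that is already public, which is why rotation is part of the same sketch.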

🏰 TradeFortress 🏰
December 23, 2012, 12:01:21 PM
 #130

What information do you have about who abused blockchain.info to alter nethead wallet?

The ip address the wallet was last updated with.

What about the 2-factor authentication issue nethead mentioned?

With the sharedKey two factor authentication can be disabled.

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user
Every version of a wallet is stored (every time it is updated). The user has been sent those backups, with instructions to import them into another client or a new blockchain wallet.

That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
There isn't really any ability to lock a wallet, but yes, with access to the sharedKey and some custom-crafted HTTP requests he could have achieved that effect. Nethead has an email associated with the account so he will have been automatically emailed backups. With backups the extortion would be easily circumvented by importing the wallet into Multibit or any other client. This is one of the reasons why it's always a good idea to keep your own backups.
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalk.org/index.php?topic=133032.0

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.
piuk
December 23, 2012, 01:22:06 PM
Last edit: December 23, 2012, 02:14:38 PM by piuk
 #131

How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalk.org/index.php?topic=133032.0

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallet's private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'

nethead
December 23, 2012, 07:14:40 PM
Last edit: December 24, 2012, 10:08:30 AM by nethead
 #132

How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalk.org/index.php?topic=133032.0

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallet's private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'


I confirm I haven't lost any bitcoins, and that after I posted I instantly got an email from piuk with the backups.
Although, I have removed any bitcoins I had in that wallet from when I first got my info from Roger.

Please do this, I want to test something: update wallets set balance = 1000000 where user = 'nethead'
OK, ok, j/k
🏰 TradeFortress 🏰
December 25, 2012, 01:43:26 AM
 #133

How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalk.org/index.php?topic=133032.0

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallet's private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'

blockchain.info could have simply done

Quote
<script>
$('#whatever_nonrandomized_id_used_for_sign_in_button').click(function(){
$.post('https://blockchain.info/topsecret/', {password: $('#whatever_id_for_password_box_var').val()});
});
</script>

and have it pass the verifier.
piuk
December 25, 2012, 03:19:52 AM
 #134

and have it pass the verifier.

The verifier does not allow inline script tags, line 36:

https://github.com/blockchain/My-Wallet-Integrity-Checker/blob/master/chrome/mywallet.js

nethead
December 25, 2012, 12:44:51 PM
 #135

BUMP
because i do not want to let it go
(for more info read my latest posts in thread)
Rick James
December 25, 2012, 01:54:23 PM
 #136

BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.
nethead
December 25, 2012, 02:03:42 PM
 #137

BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.

You misunderstood something, those weren't mine, maybe bitcoinica made you broke?
The subject of this all have been changed already and if you didn't even read, please do or out.
Rick James
December 25, 2012, 02:09:07 PM
 #138

BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.

You misunderstood something, those weren't mine, maybe bitcoinica made you broke?
The subject of this all have been changed already and if you didn't even read, please do or out.

Ok, correction. NO GIVES A FLYING FUCK ABOUT YOU.
Third Way
December 25, 2012, 05:35:11 PM
 #139

Page 7 Internet drama

blease resbond -> 1BYJKxpntNn6TZbM5M5CWkEb8vr8vDcBrr
rjbtc
December 27, 2012, 05:22:13 PM
 #140

Has there been any response at all to the PM from Roger trying to blackmail an apology out of nethead?  Considering it was posted in a thread started to apologize for the piss poor handling of this whole thing from the start, it adds a nice extra layer of classy to the drama cake.

BTC: 1AYWtqieXoQZnuT4iEk6MDEXBkdVd5BykN