Instawallet claim process

[Phinnaeus Gage]

Monsieur Boussac (or more accurately, whoever the real name behind this invented persona is):

You started this thread and give every indication of speaking directly on behalf of Paymium.  I expect that you will explicitly state that you are no longer interested in using this thread as a formal or informal channel of communications with your customer base if that is indeed the case.  So you may answer my question here or an official representative of Paymium may do it via a different channel in the future.

I would suggest that it would be a good communications policy and may rebuild a certain amount of trust within the Paymium (or former Paymium) user-base by simply answering the question fully and right here.  But you may be the judge of that.

So, I wish to see a full revision history of the boilerplate text displayed on the Instawallet front page since the time Paymium purchased the Instawallet service and user-base from the the original designer and maintainer.

A set of links to example pages would work just fine.  I would be very surprised if your organization lacked the technical proficiency or the several minutes it would take to comply with my request.

Thanks,

 - Tom

I'm not sure what you're requesting, but...

http://www.downforeveryoneorjustme.com/instawallet.org

looks down from here

It times out all the time, because the bitcoin client is choking on the huge pile of accounts it has to keep up to date.

It's been re-engineered and re-written from scratch.

The new version is already online for testing, be my guest

https://instawallet.california.paymium.com

[1714531684]

1714531684

[Phinnaeus Gage]

Cross-posted from this thread

Apart from a couple things left to do the migration is now completed !

Left to do :

• A very small number of accounts (less than 10) need some manual attention to reconcile operations that happened during the time span where bitcoind was listening but the database wasn't properly registering transactions. The accounts in question are identified, if you think your balance is not correct, and if it remains so after 48h have passed please contact me. The reason it might take up to 48h is that the old bitcoind must catch up with the chain after being shut down during the migration, it does so very slowly since it's packed with addresses and accounts. It must be up-to-date with the chain for transaction reconciliation to be accurate.
• The current SSL certificate is valid for https://instawallet.org, a new one will be installed that also validates https://www.instawallet.org

What has been done :

• The backend has been rewritten from scratch to make it much more scalable and responsive. It relies much less on bitcoind, which was a performance bottleneck and delegates the accounting to an SQL database. bitcoind is now only used to notify the backend of incoming transactions, generate an address for each account, and send funds
• Generation transactions are now understood, that means that if you're mining at Eligius, your payouts will be available after 20 confirmations if you direct them to your Instawallet (generations usually take 120 confirmations to mature)
• Balance updates are instant (as previously) but rely on websockets instead of long-polling (if your browser doesn't support WS it will degrade gracefully to long-polling or regular polling)
• A comforting cash-register sound has been added, it plays when you receive funds (except on Safari for iOS)
• Instawallet will now tell you about the confirmed status of your funds, previously you'd get an error message when trying to send, but you had no way to know whether funds were confirmed or not
• The new API is fully backwards compatible with the original API, it will be deprecated at some point but for now it's good enough to me
• The new server is a Intel Xeon 8-cores with 24GB RAM, and a lightning-fast SSD hard-drive. (The previous server had a single-core CPU, 1GB RAM and a regular HDD)
• A paranoid firewall has been set-up, along with serious monitoring, and monitoring of the monitoring
• An iPhone app is available worldwide, for free, in the AppStore, it's called FriendlyPay, it's awesome and it lets you carry Instawallet in your pocket, an Android version is almost ready

If there's anything that should be fixed you may comment here, drop me a line by PM, send me an e-mail at david {at} bitcoin-central.net, or drop by at the office in Boulogne, right near Paris !

I really want to thank Jan Vornberger, Instawallet's previous owner for being very available and responsive during the whole migration process, having thought of such a cool concept, providing me with loads of hand-crafted documentation, and more generally being awesome. He is a gentleman.

Thank you for your attention !

YET!

[tvbcof]

I'm not sure what you're requesting, but...

Any semi-competent engineer is going to have source code for a system under revision control of some sort.

Any site like Instwallet will have some for of templating such that specific information is generated while generic 'boilerplate' information that everyone sees is coded.

I wish to see the text that all visitors would see since ~davout's re-implementation.  And I wish to see how and when it changed through time and when.

[Phinnaeus Gage]

I need somebody to explain to me how this French pseudo police report works.

Can it be done online, albeit I do see a handwritten number on the document?

Is it only done in person?

Does the police officer(?) simply take down the information, then sends you on your way?

Do the police(?) immediately send in computer forensics to make sure a false report wasn't issued, assuring clients that an inside job wasn't in play?

Without forensic specialist reviewing the servers, let alone all the computers the company has access to, what would be the purpose of having such agency in the first place?

If no forensics were performed, and these guys continue forward operating a bank, I pity the fools who deposit funds into their enterprise, with or without a guarantee backed by the state, for they already know that they can simply cry dDoS again, seeing that the culprits have ceased their attack.

To re-ask more specifically, when a police report is made, do computer forensics review the servers and their computer to make sure that nothing nefarious is afoot?

[FTWbitcoinFTW]

There is a police report !

Still better than 99% of pseudoscam on BTCland.


You believe a third party for holding your coin, assume and stop trying to blame someone else

[tvbcof]

I'm pretty careful with my funds, this is the first time someone has robbed me directly for anything more than a completely trivial sum

You are pretty careful with your funds but you kept more than a completely trivial sum on InstaWallet ??

April joke ?
...

I can assure you that Paymium took me for a tiny fraction of my BTC.  I don't need someone to ram it all the way home before they annoy me however.  A difference between Americans and Frenchmen perhaps?

I never added any BTC to my Instawallet after the user-base and funds had been purchased by Paymium.  When I put the funds in, they were worth about $100, and I specifically decided to trust ~jav for a variety of reasons which I have yet to regret.  I was delinquent in removing all of the funds, and for that I take full responsibility.

I actually have someone else to thank for issuing a warning about Paymium being pricks not long before they folded.  At that time I move half of the BTC out and/or gave them away.  Not because of the supposed defect which struck me as a non-issue, but simply for reminding me to do something I'd been neglecting.

It is interesting to note that this 'hack' just happened to have happened at that time.  I have to wonder how common my experience was and how many others had started to draw down their net fiat values from Instwallet at about that time.  That is yet another observation which balances deeply on the 'Paymium are crooks' side of the scale when evaluating the hypothesis.

In complete fairness, let me mention one of the few things which argues that Paymium are NOT crooks:  If they had planned all along to stage a hack, they probably would have taken different steps in terms of how they embraced 'Instawallet' in conjunction with their other efforts in anticipation of certain legal eventualities.  That said, there is so much which is suspicious that the 'are crooks' hypothesis remains extremely strong to me.  Unfortunately the actions and behaviors that they have taken since the 'hack' have almost without exception lent strength to the 'are crooks' hypothesis.

If anyone bothers to read all of my posts on this topic, and especially the earlier ones, they will find that I was not of the mindset that Paymium were likely the perpetrators until some distance into this situation, and until significant failures on the part of our friend Monsewer Ballsack.

[pyedpyper]

If Paymium does not do a rapid about-face and start convincing the community that they are working hard to unsure that the perpetrators of this crime are being vigorously perused, I continue to believe that a worthwhile fulcrum to apply pressure would be the mainstream bank which have been used significantly by Paymium in an effort to create confidence in their operations, and which have also already been tied to Paymium in general consumption media.

You thanked your "friend " naphto for posting a document that I POSTED in the French section of the Forum, appropriately since the document is in French.

Just so you know, naphto is a new troll writing in the French section that according to him the demise of bitcoin is inevitable:

Le BTC est voué à disparaître parce qu'il ne pourra jamais être adopté massivement.

Like a handful of people on this Forum (tvbcof, pyedpyper, Phinneaus Gaga, Herodes), he is out to exploit the incident and blow it out of proportion when in fact Paymium is probably going to be the first bitcoin start up ever to survive a cyberattack and refund all the users in the shortest possible time frame.
You have not even acknowledged the fact that we did our best to put up the claim form online as fast as we could when we had to rebuild a new production environment from scratch after the attack.

You are not the bitcoin community tvbcof, you are  amongst its worst ennemies.

I now realize that you want to create as much damage as possible to bitcoin in general and to Paymium in particular.
If it were for your money you would be content with the refund but that is not enough for you.

Now that I published a confidential piece of information about the investigation, you wonder how you could best turn it into yet another evidence of an alleged "criminal" behaviour.
You could care less about the consequences of your prejudiced, unfounded insinuations akin to libel but I will not forget who kicked us while we were on the ground.

What an unbelievable fucking child you are Boussac. You were asked for 2 weeks for the police report (probably 50 times). You ignored the question every time. The first 10 times you were asked in a polite, cordial and respectful manner. No response. Then people got unhappy of course. I explained to you repeatedly that your refusal to answer was THE singular reason why Paymium were suspected of being scammers.

Now suddenly 2 weeks later you provide it, on the French forum, without even bothering to mention it here, and then act all hurt that people have been calling you unprofessional and Paymium untrustable.

I have been doing business in the corporate world for over 20 years, and I have NEVER met anyone before who communicates with such arrogance and immaturity as you do. It is beyond pathetic.

Personally I will NEVER do any business with ANY company that you are associated with. Grow the fuck up man.

[oda.krell]

Time for a recap, methinks.

(1) Police report was posted. Ignore for a moment the circumstances under which it was posted, and the attitude around it, but acknowledge that for a second: we have a scan of a police report. That's what we asked for, that's what we got, now let's shut the hell up about it. (If you have evidence that it's fake, post it, but if not: see previous sentence.)


(2) Paymium needs someone who handles PR/customer contact for them. Boussac might be a brilliant banker and/or business man, but his ability to stay calm in the face of angry customers will be his (and his company's) downfall.

Boussac, for the love of god, trust me on this: a lot of people here (me included) were, and to a degree still are, very favorably inclined to Paymium's services. But the way your company communicated on this forum caused a lot of damage, and there is no point in blaming anyone else for that yourself. Even if you were somehow morally in the right, I'm pretty sure you know that's not how business works. Fix it, or stop blaming others for it.


EDIT: added clarifying sentence in (1)

[Phinnaeus Gage]

I need somebody to explain to me how this French pseudo police report works.

Can it be done online, albeit I do see a handwritten number on the document?

No.
 

Is it only done in person?

Yes

Does the police officer(?) simply take down the information, then sends you on your way?

Yes. Then they do their job. They can do it right away if there is any kind of emergency.

Do the police(?) immediately send in computer forensics to make sure a false report wasn't issued, assuring clients that an inside job wasn't in play?

They can do it.

Without forensic specialist reviewing the servers, let alone all the computers the company has access to, what would be the purpose of having such agency in the first place?

I don't know if you have noticed, but all the servers of the company have been stopped for one week. It is possible that they have been seized by the police.

If no forensics were performed, and these guys continue forward operating a bank, I pity the fools who deposit funds into their enterprise, with or without a guarantee backed by the state, for they already know that they can simply cry dDoS again, seeing that the culprits have ceased their attack.

We don't know that. All I know is that the money I had on bitcoin-central is still there.

To re-ask more specifically, when a police report is made, do computer forensics review the servers and their computer to make sure that nothing nefarious is afoot?

We don't know that. (I believe yes)

I truly appreciate you, ghdp, taking the time to reply. Your answers seem to make sense, thus finding no cause to refute them. Thanks, bud.

Time for a recap, methinks.

(1) Police report was posted. Ignore for a moment the circumstances under which it was posted, and the attitude around it, but acknowledge that for a second: we have a scan of a police report. That's what we asked for, that's what we got, now let's shut the hell up about it. (If you have evidence that it's fake, post it, but if not: see previous sentence.)


(2) Paymium needs someone who handles PR/customer contact for them. Boussac might be a brilliant banker and/or business man, but his ability to stay calm in the face of angry customers will be his (and his company's) downfall.

Boussac, for the love of god, trust me on this: a lot of people here (me included) were, and to a degree still are, very favorably inclined to Paymium's services. But the way your company communicated on this forum caused a lot of damage, and there is no point in blaming anyone else for that yourself. Even if you were somehow morally in the right, I'm pretty sure you know that's not how business works. Fix it, or stop blaming others for it.


EDIT: added clarifying sentence in (1)

A little terse at the onset, but overall I concur with the sentiment expressed.

[tvbcof]

I greatly appreciate your input on this ~ghdp.  A couple of follow-up questions if I may:

I need somebody to explain to me how this French pseudo police report works.

Can it be done online, albeit I do see a handwritten number on the document?

No.

Is it only done in person?

Yes

Does the police officer(?) simply take down the information, then sends you on your way?

Yes. Then they do their job. They can do it right away if there is any kind of emergency.

Can a specialist be retained to file a police report for people who cannot or do not wish to do so in person?  If so, what is the formal name of the vocation(s) who could do such a thing?

Can a person with the correct qualifications gain information on the status of a police report (or whatever the thing which Paymium claims to have filed) on my behalf?  If so, what qualifications might be necessary?

Can individuals who have other information about an incident submit it for attachment to an ongoing investigation such as the one referenced by Paymium (or more correctly, by the person calling himself ~boussac on this forum)?  Again, what qualifications might one need to perform such an operation?

Thanks,

 - Tom

[FTWbitcoinFTW]

You need a lawyer and to be involved in the case then you have access at some part of the investigation.

Lose some coins does NOT mean being involved.



Sony lose your CC number, you ask for a police report ?

[tvbcof]

You need a lawyer and to be involved in the case then you have access at some part of the investigation.

Lose some coins does NOT mean being involved.

One would expect that even in France being the victim of a criminal action would make one 'involved'.

Sony lose your CC number, you ask for a police report ?

This sentence is not parsing well for me.  Sorry.  But I thank you for your other input.

[FTWbitcoinFTW]

Ok let me try again : monday morning you read on news, your bank get hacked ! Do you call the police or call your bank for a copy of police report ?

[tvbcof]

Ok let me try again : monday morning you read on news, your bank get hacked ! Do you call the police or call your bank for a copy of police report ?

If I log on and my funds are not accessible, I call the bank.  If they are acting weird and evasive and I suspect them of fraud, you're damn straight I follow up with the investigators.

Is this not something of a no-brainier?

[tvbcof]

By the way, in the interest of being a little bit more constructive, let me just mention how I would have handled this situation if I were running Instawallet (and were completely innocent.)

Firstly, I would be ultra-sensitive about the appearance of any sort of impropriety given the nature and history of the services operating within the Bitcoin ecosystem.

I would bend over backward to provide as much information as humanly possible.  The very nature of Instawallet means that communications need to happen in public.  It did not take a lot of insight to see that this would be the case in any situations (including hacks), and if I could not handle that I would not have acquired Instwallet, their user-base, and their funds in the first place.

I would have been giving at least daily updates on all of the steps being taken to resolve this crime, and in particular any and all official legal ones.

In situations where I could not give full information because of a risk that it would damage an investigation by providing the adversary with valuable insight were to high, I would state that there was such information and that I would be releasing it under certain stated conditions.

I would also proactively be providing a channel for individuals to feed information directly to investigators without my acting as a gateway in order to further build confidence among the victims.

I would also be proactively describing the technical aspects of how the service operated and by this time would be giving up some information about how the attacker managed to subvert it.  It's not like the service is ever going to come back on-line and I would be giving up IP or anything like that after all.

A certain segment of the community is capable of fairly accurately judging effort to instill 'confidence' and whether they are legitimate and it good will, or whether they are likely part of a 'con'.  I have found that if one simply tells the plain truth, it is nearly impossible to be caught in a lie and eventually an accurate picture emerges.  That is the best outcome for everyone.  Paymium has failed badly here in my opinion.

[tvbcof]

Can individuals who have other information about an incident submit it for attachment to an ongoing investigation such as the one referenced by Paymium...

Yes. Just send a letter (french probably prefered, you can try in english but it will take more time to be processed). A lawyer might help. Just send it to the address provided by ~boussac and refer to Paymium's case.

The address is real :
http://www.prefecturedepolice.interieur.gouv.fr/La-prefecture-de-police/Missions-de-police/La-direction-regionale-de-la-police-judiciaire/La-brigade-d-enquetes-sur-les-fraudes-aux-technologies-de-l-information

Thanks you as always for the valuable information.  One last general question (or two):

 - Is it more obnoxious than helpful to use something like Google Translate to transform from English to French?

 - If I wrote extremely terse English statements, is an automated translator reasonably effective?

Thanks,

 - Tom

edit: fix quotes  And re-arrange format while I'm here:

[repentance]

Ok let me try again : monday morning you read on news, your bank get hacked ! Do you call the police or call your bank for a copy of police report ?

If my bank is saying that I will not be able to access my funds for 90 days and that they'll make a "best effort" to return my funds if my balance is above an arbitrary limit, I'll be contacting the CEO, the board of directors, the Banking Ombudsman, ASIC (regulator for financial services licences) and the media within minutes of reading that article and you can guarantee the Ombudsman will be verifying their claims about any reports to law enforcement and any internal investigations (and will ultimately make his findings public).

Banks typically don't publicly disclose the exact nature of intrusions or the amounts lost to their customers for security reasons.  As their deposits are insured and customer access to their funds is rarely affected by such intrusions (on the rare occasions when it is, banks here typically refund any out of pocket costs suffered by their customers such as dishonour fees or penalties charged by other institutions), it's not really a comparable situation.

[Herodes]

By the way, in the interest of being a little bit more constructive, let me just mention how I would have handled this situation if I were running Instawallet (and were completely innocent.)

[...]

It's perfectly in line with how I would've handled it, and it's the only way to handle it that makes sense to me. Perhaps there should be a sticky somewhere on the forum where this could be written, so anyone experiencing a break in can see how they should handle it. However, I guess this has more to do with the nature of the person handling such events, than the common sense itself. I think a very good thing to ask oneself is: If I were the victim here, how would I've liked the operator to handle the incident ?

[repentance]

By the way, in the interest of being a little bit more constructive, let me just mention how I would have handled this situation if I were running Instawallet (and were completely innocent.)

[...]

It's perfectly in line with how I would've handled it, and it's the only way to handle it that makes sense to me. Perhaps there should be a sticky somewhere on the forum where this could be written, so anyone experiencing a break in can see how they should handle it. However, I guess this has more to do with the nature of the person handling such events, than the common sense itself. I think a very good thing to ask oneself is: If I were the victim here, how would I've liked the operator to handle the incident ?

They could literally have Googled "crisis management" or "damage control" and come up with a better plan of action than the one they've implemented.

I understand that not everyone has experience in handling these situations (although an intrusion isn't just a possibility for these services, it's a likelihood) but there's absolutely no excuse for not having a disaster plan for them, and there's especially no excuse for making people pull teeth to get information.  Yes, people were able to track down the real life identities of those behind Paymium - but they should not have had to.  Those people should have been very visible and providing a constant flow of information to users.

The way this incident has been handled doesn't inspire confidence in their ability to handle a critical incident with their paid services.

[tvbcof]

By the way, in the interest of being a little bit more constructive, let me just mention how I would have handled this situation if I were running Instawallet (and were completely innocent.)

[...]

It's perfectly in line with how I would've handled it, and it's the only way to handle it that makes sense to me. Perhaps there should be a sticky somewhere on the forum where this could be written, so anyone experiencing a break in can see how they should handle it. However, I guess this has more to do with the nature of the person handling such events, than the common sense itself. I think a very good thing to ask oneself is: If I were the victim here, how would I've liked the operator to handle the incident ?

I'm glad to see that I'm not the only one who sees this as simple common sense, and also that it extends beyond my own culture.  The old 'golden rule' is, I think, almost universal because it is so obvious.  That is why this situation is so aggravating to me.

It cannot be said that Paymium would be expected to cop such an attitude if they were the perps either.  It makes no sense one way or another except that they are just ignorant pricks.

One way or another, the ONLY thing which argues that anyone will get anything in 90 days is simply the ~boussac says so.  That is hardly confidence inspiring to me, and I continue to maintain that taking no concrete action in the interim is irresponsible and negligent and will not help the ecosystem evolve to a more healthy state.