I'm MtGox, here's my side.

[MagicalTux]

Let me show you the login logs for our hacker guy on his account full of bitcoins, and Kevin:

Code:

[2011/06/19 05:00:02] Hacker login
[2011/06/19 05:12:10] Kevin login
[2011/06/19 05:15:10] Hacker login
[2011/06/19 05:22:35] Hacker login
[2011/06/19 05:45:39] Hacker login
[2011/06/19 06:08:18] Hacker login

I don't understand. Which account? Kevin and the hacker used the same account?

Yeah Please Explain this Jargon, And what is it that you're implying by it?

He is saying that Kevin logged in 12 minutes after the attacker logged in to start the attack.  Not damning by itself, and almost certainly a coincidence, but still a connection that needs to be followed up, particularly in light of how it all played out.

And placed a buy order at 0.01 USD per btc.

[1714021643]

1714021643

[1714021643]

1714021643

[1714021643]

1714021643

[chihlidog]

We don't give a shit.

You were stupid and ill equipped, and you should admit defeat.

This is my take as well. The fact is that you were compromised. We've all seen absolute proof. When you decided you were going to move into real commodities of significant value, along with seeing dollar signs, you should have made SURE you were secure. This is on you. Most people will cut you a break, but you were lax on your security. YOu saw $ signs, got greedy, and didnt take necessary precautions.

If you think installing new securities and recoding everything can be done instantly. Mt.Gox had a growth far too fast to give us enough time for this, and we did our best to fix every found problem.

In the end however the accounts were leaked because of something completely different...

You knew you were dealing with people's money. Shit gets awfully real awfully fast when money is involved. Ive seen you blame it on your auditor, ok, fine. Then he's to blame. You hired him. Take responsibility. Your post also indicates you were trying to fix vulnerabilities you knew you had and knew you werent able to keep up. Was your userbase ever informed of this so perhaps other precautions could be taken by the clients?

[Freakin]

I'm on Gox's side.  Every network/site is vulnerable in some way.  In this case, it was through a trusted user.

While Gox may have granted more access to that user than they should have, it was certainly not grossly irresponsible of them to do so.  

Look at how many Sony properties have been hacked, and how many more "experts" they have in their employ, with huge amounts of revenue/profits.  

How about RSA?  They are a company that is pretty much 100% focused on security and represents the de facto standard in two-factor authentication.  Their entire RSA ID product was compromised and caused Lockheed Martin to be compromised as well.

And you guys are getting upset at Gox for a auditor not securing his laptop and resulting in a bunch of illegitimate trades that are completely reversible, with Gox eating the non-reversible damages?

[Phil21]

Disappointing response.

I applaud the decision to go to the authorities.  This is good, however I do want the phone number of the "competent" authority you speak of, when it comes to computer crime

The "evidence" you posted is misleading at best.  You forgot to paste all the other (hundreds? thousands?) of logins that also by chance happened to have been made during the same timeframe.  I'd be willing to bet, if you keep logs, you'll see a lot of attempted trade requests by some of those logins as well for around the same price!

And, you are absolutely NOT safe, this is categorically proven by the uh... 500,000 bitcoins stored in a single location that were stolen.  That you would state such a thing is absolutely ridiculous, and shows your complete hubris.  I predict many lulz will be had while you're still in business, due to that epicly stupid and baiting statement.  You have thrown down the gauntlet, hopefully (for bitcoins sake!) you can back those words up!  I can only hope my prediction does not come true, as I see bitcoins value quickly dropping if it's major services are operated in such a manner.

I expected at least a bit of humility, I guess.  Keep stating it's a simple leaked password issue, and perhaps you can get everyone to believe you?

[imperi]

I'm just imagining all the hungry journalists/bloggers/reporters watching this thread, waiting for juicy things to come out.

Carry on guys.  

[Synaptic]

Option 4: Mt Gox signals this to the competent authorities

Great everyone!

Nothing left to worry about.  The authorities are being notified.

Let's pray none of your transactions can be traced through the block chain to addresses linked to Silk Road, or your favorite flavor of child pornography dealer.

This is a good thing for bitcoin, after all.

The markets are doing fine! We're gonna have the Law on our side before long, and MagicalTux will be our vanguard!

[Oldminer]

What is this supposed to indicate?  That Kevin put his sell order in before the selloff began, rather than during or after the 30-some minute trade finished up, like he said?

It indicates Kevin logged in 10 minutes after the sell-off began and put in his buy order for 0.01c - now one could assume from that either:

A. He had inside knowledge and could even be involved in the scam (and could even know the hacker)

or

B. It was pure coincidence he logged in at the same time and just happened to put in his 0.01c buy order which didnt exist prior to this login and he knew nothing about what was about to occur

Now if I was a gambling man, which I am, I'd put my money on option A.

[nelisky]

We don't give a shit.

You were stupid and ill equipped, and you should admit defeat.

EDIT: You should be glad you have the admins of this site on your side, they've suppressed a shitload of dissent about what absolute joke your little site was.

First of all, we? We, who? I am a mtgox user, have been for a long time (just look up my alias there on the leaked db) and while I did move substantial amounts of money and coins with it (to my own relative values, of course) all the issues I have ever encountered were taken care of with the highest level of professional attention.

So 'most of us', or even 'some of us', or better yet 'me and some other guy in the forum don't give a shit' would be the better way to put it... I WANT to know what happened from all angles, and I do give a shit because:

'absolute joke your little site was' is probably right on the money. It is/was a sad little joke of a site, and that is why it never got any traction, or volume. Hell, if they hadn't forced you at gun point to use it, you wouldn't even know it existed...

Don't like it? Don't use it. Want assurance? That is fair, but no statement on the site ever assured anything to anyone, and with that mtgox has always honored their responsibility no matter what. I'm sure they could just run away with the current wallet and not have to work again, but instead you see a great service that suffers the most imho from not having had competition for a long time. That is changing, which is great for everyone, but I'm sticking with mtgox for as long as they keep the service standard they had so far.

[Vladimir]

Seems like "option 4" taken by mtgox is quite reasonable. Most businesses in this position would do something very similar.

[gigi]

What FBI? Aren't you in Japan?

[ixne]

This is my take as well. The fact is that you were compromised. We've all seen absolute proof. When you decided you were going to move into real commodities of significant value, along with seeing dollar signs, you should have made SURE you were secure. This is on you. Most people will cut you a break, but you were lax on your security. YOu saw $ signs, got greedy, and didnt take necessary precautions.

Yeah, all professional enterprise sites make super secret double sure that they are secure.  The really big dogs call "no breakies" before they go online.

[Synaptic]

I'm on Gox's side.  Every network/site is vulnerable in some way.  In this case, it was through a trusted user.

While Gox may have granted more access to that user than they should have, it was certainly not grossly irresponsible of them to do so.  

Look at how many Sony properties have been hacked, and how many more "experts" they have in their employ, with huge amounts of revenue/profits.  

How about RSA?  They are a company that is pretty much 100% focused on security and represents the de facto standard in two-factor authentication.  Their entire RSA ID product was compromised and caused Lockheed Martin to be compromised as well.

And you guys are getting upset at Gox for a auditor not securing his laptop and resulting in a bunch of illegitimate trades that are completely reversible, with Gox eating the non-reversible damages?

EXCEPT MT GOX WAS SUPPOSEDLY A FINANCIAL MARKET.

They are held to a different standard BY LAW, than some shit like PSN.

Glad to see you have something to put your faith in. Keep praying, cutie.

[MyFarm]

Are you REALLY trying to imply Kevin was involved with the hacker?  WOW!  Just wow.  I too logged in minutes after the hacker because I saw the market crashing and tried to get in a buy order.  I unfortunately could not but could just as easily been Kevin.  Am I going to be investigated by the FBI now, too?

I don't believe there was ever a hacker.  Let's see proof that this wasn't a bug in your code or someone at your company screwing up big time.  I also think the bitcoin account was YOURS.  HOW someone with 500k BTC could let their account be compromised needs to be answered as well.

[Freakin]

I'm on Gox's side.  Every network/site is vulnerable in some way.  In this case, it was through a trusted user.

While Gox may have granted more access to that user than they should have, it was certainly not grossly irresponsible of them to do so.  

Look at how many Sony properties have been hacked, and how many more "experts" they have in their employ, with huge amounts of revenue/profits.  

How about RSA?  They are a company that is pretty much 100% focused on security and represents the de facto standard in two-factor authentication.  Their entire RSA ID product was compromised and caused Lockheed Martin to be compromised as well.

And you guys are getting upset at Gox for a auditor not securing his laptop and resulting in a bunch of illegitimate trades that are completely reversible, with Gox eating the non-reversible damages?

EXCEPT MT GOX WAS SUPPOSEDLY A FINANCIAL MARKET.

They are held to a different standard BY LAW, than some shit like PSN.

Glad to see you have something to put your faith in. Keep praying, cutie.

How about Citigroup then?

You also disregarded RSA/Lockheed, which certainly are held to a higher standard as they are dealing with Classified+ files.

[MoonShadow]

Kevin had only one chance that day to place his 0.01 buy order. So either he had a lot of luck, and somehow knew it was the right time to place a 0.01 buy order, or something smells fishy in there. It's not up to me to decide, but I will report this as it has become a public matter.

Occam's Razor would imply luck.  I'm sure that Kevin wasn't the only one desperately trying to place a low-ball buy order as fast as he could, but perhaps he was just the one who clicked at just the right millisecond.  It is also true that, even assuming that Kevin's story is accurate from his perspectives, that he is in possession of stolen property and he knows this.  Unless he is going to try to present evidence to the contrary, this is an accepted given.  Thus it is proper for Kevin to return the funds and permit MtGox to undo the trades as best as he can.  Whether or not MtGox chooses to compensate the owner of the compromised account or not is his own business.  The fact that no policy existed that covered this scenario prior to the event is not relevant.

[epii]

Thread watched.

Just one more vote of support for Mt. Gox.  Mistakes were made, flamers were outraged, but your professionalism in dealing with crises like this has never failed to impress me.  Your customers are holding you to a very high standard in resolving this matter, but I trust you recognize that and will find the most optimal compromise that you can.  Please continue to post as much information about the situation publicly as you are at liberty to divulge.

[TiagoTiago]

I'm not sure what to make of what has been said in this thread (but i guess i'm not really aware of enough details about the events and things here would make way more sense for me if i knew as much as most other people)


lol, stop posting!!! i can't post my reply you guys keep posting again and the forum shows me your replies before i can post mine!! Xp

[Icy-]

What I don't understand is what Kevin logging in around the same time the hacker did, what about everyone else? EVERYONE was logging in around that time, so it seems to me like he is trying to make Kevin look like hes working with the hacker, but yet doesn't post logs of all the others who logged in, and if you can recall everyone was..

[RandyMarsh]

Let me show you the login logs for our hacker guy on his account full of bitcoins, and Kevin:

Code:

[2011/06/19 05:00:02] Hacker login
[2011/06/19 05:12:10] Kevin login
[2011/06/19 05:15:10] Hacker login
[2011/06/19 05:22:35] Hacker login
[2011/06/19 05:45:39] Hacker login
[2011/06/19 06:08:18] Hacker login

I don't understand. Which account? Kevin and the hacker used the same account?

Yeah Please Explain this Jargon, And what is it that you're implying by it?

He is saying that Kevin logged in 12 minutes after the attacker logged in to start the attack.  Not damning by itself, and almost certainly a coincidence, but still a connection that needs to be followed up, particularly in light of how it all played out.

And placed a buy order at 0.01 USD per btc.

Any other relevant info about Kevins account? Was it dormant brfore this event? did he ever make orders like this before ie. fairly pointlessly low bids just for shits and giggles?

[Scientician!]

http://www.threadbombing.com/data/media/2/mj_popcorn.gif