To Magical Tux

[wumpus]

Me too, it was always fun trading there, at least they have normal withdraw/deposit options, and I'm sure he'll take security so serious now that it will be the most secure exchange in the world

[1715427577]

1715427577

[1715427577]

1715427577

[1715427577]

1715427577

[Rassah]

Also supporting MtGox, and, honestly, I'm REALLY glad this happened now, instead of inevitably happening later, only risking a few people's play money, instead of a bunch of international companies' few million of trade money tied to hundreds of thousands of customers. Hopefully this will make MtGox a much more stable and secure platform to do business with.

[Klestin]

If an auditor had to have remote SQL access, why not at least create a view to the users table which excluded email, and password hash?

[ottodv]

Magical Tux has always been most helpful to me, and I know I am not the only person with that experience.

Tux is doing the right thing in this crisis.

[Epinnoia]

Well this extend I understand what went on. One time I asked for a db structure to implement a module for a hospital, instead of the structure they sent me a DVD with the whole db contents (means medical records of practically everybody in that town).
Is that "practical" export button and its default options...

When asked in the interview a couple days ago "Why did the auditor need access to the LIVE database", the response from MtGox was that they were auditing to make sure MtGox wasn't manipulating the quoted prices for sells and buys.  In other words, gaming their own clients.  That would be fraud.  So, by MtGox's own admission, the auditor was auditing for evidence or non-evidence of fraud.

So it wasn't a DVD.  It was live access to a database.  It would appear that the access included tables which the auditor didn't necessarily need.  And that MIGHT be (gross?) negligence...  

Then again, what if the auditor was from a government agency?  It might not be so easy to tell a government agency what tables they can and cannot look at...

[Klestin]

Then again, what if the auditor was from a government agency?  It might not be so easy to tell a government agency what tables they can and cannot look at...

That is a main purpose for table views, which allow the user to see some data (columns) in a table, while others are not viewable.  Email and password hash would seem to be excellent candidates for exclusion to an auditor.

[Epinnoia]

Then again, what if the auditor was from a government agency?  It might not be so easy to tell a government agency what tables they can and cannot look at...

That is a main purpose for table views, which allow the user to see some data (columns) in a table, while others are not viewable.  Email and password hash would seem to be excellent candidates for exclusion to an auditor.

You can set up SQL to only grant access to specific tables based on their username/password combination.  You can also further restrict access by IP address -- which, as I understand, was in place.

So, for example, you could have complete access for Bob, and only show the user# and email addresses to Bill.  And you can set it up so that Bob can only log in from his own IP address, while Bill can log in from any IP address.

So if the auditor was only supposed to be auditing for evidence of gaming/fraud, then the auditor account access should have only been permitted to read those tables specific to what they were looking for.

Either the story as given to us so far is false, or the admin of the SQL database gave too much access/permission to the auditor's SQL account.  If too much access was given, then that MIGHT rise to the level of negligence, or even gross negligence.

[caveden]

My 2 cents:

People are being too hard on MagicalTux. Sure, there were problems. But let's remember he got the exchange from a guy who developed it alone in his spare time, and since then he's been very busy trying to answer all e-mails while getting rid of DDoS attacks. He didn't have too much time to fix the problems, everything happened really fast.

On the other hand, I also have a hard time believing this story of "one account with 500KBTC in it". I can't believe such an amount would be left in a MtGox account with weak password. The most reasonable possibility I see to that is the owner of the account passed away months ago, when these 500K weren't worth that much, and never told his relatives/heirs about the account. Sounds unlikely.

[The_Duke]

My 2 cents:

People are being too hard on MagicalTux. Sure, there were problems. But let's remember he got the exchange from a guy who developed it alone in his spare time, and since then he's been very busy trying to answer all e-mails while getting rid of DDoS attacks. He didn't have too much time to fix the problems, everything happened really fast.

You mean he didn't TAKE the time to fix the problems. If the site wasn't secure enough (which it obviously wasn't) then worst case he should have shut it down for a while to get it fixed. Which, ironically, is actually what happened now, isn't it? Only now it caused a lot more trouble for people than when he had done it properly in the first place.
But of course, shutting the site down for a while would have cost him money. Which doesn't work well on a greedy person.

[marcus_of_augustus]

Any ideas on who the "financial auditor" was ...?

seems suspicious that it came days after MtGov's very public announcement that they would be "co-operating with the authorities" ... would be too ironic if some gubmint drone showed up and logged in with the infected computer that screwed MtGov over ...

[BCEmporium]

Any ideas on who the "financial auditor" was ...?

seems suspicious that it came days after MtGov's very public announcement that they would be "co-operating with the authorities" ... would be too ironic if some gubmint drone showed up and logged in with the infected computer that screwed MtGov over ...

Would be somewhat funny if it happened to be some scammer taken the "M'Tux watched too many movies" chance to present himself as a FBI/CIA/DEA Agent requesting access to database.

[speeder]

Can't believe the people that say that it's good because now mt.gox will step up their security..

The creator of Mt.Gox a.k.a. magicaltux is a fucking moron, even if they improve the security of the site that's not going to change and he will just find something else to fuck up. We need a proper exchange, setup up by seasoned developers that know what the fuck they are doing, not some scummy pre-pubescent boy that's just using his magic the gathering trading card site script to run the exchange.

To explain this to people that have little or no programming/scripting experience. It is very very EASY to make a site...just like paypal, just like ebay, just like your banks website...very fucking easy. What is hard is making it the correct way with proper secure code. Mt.gox is made by people that lack the experience required for a site dealing with millions of $$$, no matter how much he "fixes the security flaws" nothing is going to change that.

If you disagree with me then I invite you to this thread ~2 months after mt.gox is opened back up when its either hacked or some system fails again. Just don't say I didn't warn you.

The author of the quoted post a.k.a. lardycake is a fucking moron, even if he improve his writing, he has no knowledge of the facts, such as that mtgox was created by Jed (not MagicalTux), and that MagicalTux already explained that he is writing a entirely new site that is decent and not a stupid magic the gathering trading script. And no matter how much we attempt to inform the moron, he will keep being ignorant, nothing is going to change that.

[silverman]

I'm not mad at MtGox for getting hacked. They're a huge target and in some ways a hack was inevitable. They've handled the hack as well as possible with the shutdown, audit and rollback.

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

This isn't the first time that MtGx has considered running to the Feds:
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

If you think that the Feds are friends of BTC or that their involvement is going to help the BTC community in any way, then you're sorely mistaken.

MagicalTux, don't be a stupid snitch. Improve your security and learn your lesson, otherwise I'll be joining the tradehill exodus....

MagicalTux, first you gave away the keys to the store. Then you brought in "the authorities", who will be using every bit of information they can gather against this Bitcoin community. And you are less than forthcoming about what actually happened. You might want to consider what would happen if you were to make these little mistakes in Chicago of the '20s, or maybe in Central America today.

I lost nothing, and certainly do not call for violence. I do hope that you will lose every Bitcoin you ever gained, hand over the Mt.Gox project to someone who is competent, understand what a fuckup you are, and live a long and happy life.

[BCEmporium]

You might want to consider what this would mean if you were to make these little mistakes in Chicago of the '20s, or maybe Central America today.

Already crossed my mind, with places like SR around this M'Tux seams to been doing too many f**kups lately.
I understand they wish to make BTC more "legit", but write to the FBI to become a snitch is a damn too dangerous and actually adds nothing to the purpose! Who can or can't go for or against BTC are the politicians, Feds don't make laws. Hopefully SR is still too small to drag big sharks, otherwise that guy would be in real life danger.

[ottodv]

However, I have a BIG PROBLEM with MtGox contacting the CIA or FBI or whoever. It's bad enough that I have to worry about whoever getting my information from the leaked database. Now I have to worry about the Feds looking through my account and coming for my bitcoins? Hell no...

Due to the amount of money involved in MtGox, they are most likely bound by certain rules and regulations (regardless of the Bitcoin side of the story). They are probably legally obliged to report any incident above a certain threshold. Just as they are obliged to report suspicious transactions, as is any other financial institution.

If MtGox chose not to abide by those laws all our Bitcoins at MtGox would be at risk, so I for one want them to be 100% legit and go by the book.

As for why the FBI was involved, my guess is that some suspicious activities took place in the US.

[BCEmporium]

@ottodv

I would agree if that was the case, I see it right for them to report unusual activity or be regulated.
However I don't see why the FBI or why the DEA, they were reacting hysterically to the reactions of two tech-savvy US senators.
They should try to apply to financial regulators, lobbying with politics, not going straight to the police offering help as if some sort of vigilante/snitch recruitment was going on.

[NO_SLAVE]

I'll be sticking with MT gox....why you ask....its simple really.

all the angry locust will be leaving....swarming over to tradehill.....goodbye, then there will be less volume on MT gox,
and the service will be better in terms of communication because of less angry locusts
demanding service. Also MTGOX has had their lessons, and have seemingly learned. 
They wont repeat those mistakes again. As the masses leave for tradehill, the focus of hacktack will be.....you guessed it....tradehill....

have fun...its bitcoin hell.

[Bit_Happy]

And many accounts of that era are abandoned and thus never got salted after MagicalTux bought MtGox and introduced salting. Thus if any of those accounts had absurd amounts of BTC (for our standards), something that is quite likely, they also happen to be the easiest accounts to break in using the leaked database.

MtGox claims it was ONE account.

Again, there are many accounts that are abandoned, and probably have high amount of BTC, if ANY of those accounts get hacked, it is lots of crashing power.

Nearly 100% impossible, since MtGox did not exist during the 20,000 BTC pizza era. The idea of a single 500,000 BTC account is complete BS, IMO.

I would Love to see them recover soon, and very concerned the facts are not lining up right.

[Batouzo]

and the service will be better in terms of communication because of less angry locusts

It is like saying that Sony will be most secure company ever because they got hacked.

Security is not an overnight thing, it is a culture. You don't do it by hiring 10 "consultants" or even developers.

Heaving said that,
Mtgox does use OpenPGP in emails, which is a nice sign of professionalism.


(but the fuckup with md5, sql injections, CSRF and 'auditor' ...  

[Bit_Happy]

...duplicate post..