Bitcoin Forum
Author Topic: Mybitcoin.com Press Release #2  (Read 12487 times)
Maged
Legendary
August 06, 2011, 03:56:38 AM
 #21

It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.
Luckily for us, this just told us enough that we could validate his whole story. Wasn't someone working on double-spend detection? Well, we need that ASAP.

sadpandatech
Hero Member
August 06, 2011, 04:10:50 AM
 #22

It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.
Luckily for us, this just told us enough that we could validate his whole story. Wasn't someone working on double-spend detection? Well, we need that ASAP.


  What they are purporting to have happened has nothing to do with a 'double spend' as it would refer to Bitcoins. He expects us to believe that the shopping cart was vulnerable to someone using an 'on the fly' type editor like fiddler, etc to put in a fake deposit via the website's shopping cart and then spending the coins immediately from the account to elsewhere before the site could see that no deposit showed up in the blockchain.

  I'd like to hear a lot more details on the weak point in the SCI that allowed said deposits. Just seems that if it was as simple as just modifying the input from the client side that someone would have detected and exploited it long before the point this announced breach was discovered.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
Stephen Gornick
Legendary
August 06, 2011, 05:08:03 AM
 #23

Quote
What they are purporting to have happened has nothing to do with a 'double spend' as it would refer to spending the coins immediately from the account to elsewhere before the site could see that no deposit showed up in the blockchain.

A post by Theymos on July 1st, in another MyBitcoin thread:

Quote
MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
- http://bitcointalk.org/index.php?topic=22221.msg309173#msg309173

jgarzik
Legendary
August 06, 2011, 05:09:25 AM
 #24

A post by Theymos on July 1st, in another MyBitcoin thread:

Quote
MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
- http://bitcointalk.org/index.php?topic=22221.msg309173#msg309173


Indeed.  mtgox requires 6 confirmations, IIRC.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
jed
Full Member
August 06, 2011, 05:24:13 AM
 #25

Wouldn't these double spend attacks be noticed by other clients though?

stellar.org   |    twitter
BioMike
Legendary
August 06, 2011, 05:38:27 AM
 #26

A post by Theymos on July 1st, in another MyBitcoin thread:

Quote
MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
- http://bitcointalk.org/index.php?topic=22221.msg309173#msg309173


Indeed.  mtgox requires 6 confirmations, IIRC.


To me it seems a bit more of a problem with the mining ecosystem than the confirmation requirement (half a year ago it would be almost impossible for double spending even if the transaction would show up in your client (0 confirmations)). As far as I know, there is no miner with >50% mining share, so the attacker could not have any grip on that.

Still, I can't make up much from their explanation of the bug. The only thing I can come up with is a bug with their SCI sending of bitcoins (not receiving) where bitcoins would be sent (and not verified) before the balance in their database would be updated (or that the record update failed). But still, these bitcoin transactions should be somewhere in the block chain and SCI works with a MyBitcoin Account (should have a working email address registered in there).
Maged
Legendary
August 06, 2011, 06:06:18 AM
 #27

Looking at the reorg log, there may be some truth in Tom's statements. However, I'm not too sure what the proper odds are for how often a reorg should statistically happen, nor do I have the other versions of the blocks listed (my client has been left off for some time).

Phinnaeus Gage
Legendary
August 06, 2011, 06:07:41 AM
 #28

Quote
Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets.

This seems strangely worded, wonder what they mean?

SEEMS, MY ASS!!! I've read right through it. There are some things written on this forum that one can see right through it, like this for instance: https://bitcointalk.org/index.php?topic=34496.msg433346#msg433346
smoothie
Legendary
August 06, 2011, 07:56:03 AM
 #29

Well, someone claim their account and tell us what the % is.

If it's like 96% I say all you guys learned a valuable lesson at very little cost. If it's 50%, well, at least you didn't lose it all.


...and if it's 1% go buy a cheeseburger with that BTC and go choke on it because you failed hard!

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.        SMOOTHIE'S HEALTH AND FITNESS JOURNAL          History of Monero development Visualization ★☆ .
LEALANA  PHYSICAL MONERO COINS 999 FINE SILVER.
 
repentance
Hero Member
August 06, 2011, 08:15:48 AM
 #30

I don't have a dog in this fight but the wording of the statement is a bit odd.  Total liabilities vs assets is going to come out as a different percentage than Bitcoins on hand vs Bitcoins which should be on hand as it's going to include other creditors - which means that a portion of the Bitcoins they still have on hand might be liquidated to pay those other creditors a percentage of what they're owed.

While receivership raises its own set of issues, their backing away from it raises big red flags because it means that no external party is going to be overseeing the whole process of them paying back depositors - you're going to be left having to take their word about the state of their balance sheet (and at this point it would be insane to take their word about anything).

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
SgtSpike
Legendary
August 06, 2011, 08:35:56 AM
 #31

Tom Williams,

You better come up with %100 of everyone's bitcoins ASAP even if you need to buy them with your own money from one of the exchanges.

Those bitcoins are YOUR responsibility.

I can think of times in my life where I made mistakes,  and paid tens of thousands of dollars out of my own pocket to make things right.

Now it is your turn.

Do the right thing.
This x 1000.

If he's not incorporated, he can be sued for his personal assets and cash by anyone and everyone who lost bitcoins from this.  I encourage people to take this route once more of his information is revealed, and if he does not fully reimburse every single person who used the service.
defxor
Hero Member
August 06, 2011, 09:25:03 AM
 #32

A post by Theymos on July 1st, in another MyBitcoin thread:

Quote
MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
- http://bitcointalk.org/index.php?topic=22221.msg309173#msg309173

Looking at the reorg log, there may be some truth in Tom's statements. However, I'm not too sure what the proper odds are for how often a reorg should statistically happen, nor do I have the other versions of the blocks listed (my client has been left off for some time).

Maybe we could have two threads. One where people are randomly screaming "GOXED" and another where we discuss the above which to me seems really interesting.

I assume the reorg-link shows the finally accepted blocks? If so, comparing them to the dropped ones should show large transactions where someone transferred money away from mbc.

the founder (Bitcoin)
Newbie
August 06, 2011, 09:27:35 AM
 #33

Tom Williams,

You better come up with %100 of everyone's bitcoins ASAP even if you need to buy them with your own money from one of the exchanges.

Those bitcoins are YOUR responsibility.

I can think of times in my life where I made mistakes,  and paid tens of thousands of dollars out of my own pocket to make things right.

Now it is your turn.

Do the right thing.
This x 1000.

If he's not incorporated, he can be sued for his personal assets and cash by anyone and everyone who lost bitcoins from this.  I encourage people to take this route once more of his information is revealed, and if he does not fully reimburse every single person who used the service.

Direct from MyBitcoin's Terms of Service agreement. You agreed to it when you signed up, so too bad.

Quote
8.1 While MYBITCOIN LLC will make every effort to ensure the MyBitcoin System is accessible at all times, MYBITCOIN LLC makes no representation that User will always be able to access the MyBitcoin System or the User's User Account and User agrees that MYBITCOIN LLC will not be held liable for any loss or damage, whether direct or indirect, resulting from the use, operation or performance of the MyBitcoin System and/or the Bitcoin Network other than as a result of the deliberate or negligent acts or omissions of MYBITCOIN LLC.

Instantly get 22.5x your Bitcoins!  Play instantly with as little as 0.01 Bitcoins! Absolutely no waiting for block confirmations to play! (http://minefield.bitcoinlab.org/?r=ZtiPHe2v0oyShD8x)
NickW
Newbie
August 06, 2011, 10:07:26 AM
 #34

If this is true, then surely he should publicly release the bitcoin addresses where this fraud took place so that anybody can track the coins.

1DRCGzEkMhhzieEkDg3e8kUKt1mVM5uqNs
memvola
Hero Member
August 06, 2011, 10:14:16 AM
 #35

I said this before, and it only applies if MyBitcoin's losses are at the "thousands" scale: I wonder if we can buy him out.

Let's say 10000 BTC got stolen. A trusted intermediary (the new administrative board + jury) could create a new asset on GLBSE with 10000 shares, each worth 1 BTC, so that the new company would be 100% publicly owned.

This way, everyone gets their money back AND we save MyBitcoin, which is IMO a valuable asset for the community. Otherwise, both will be lost. Plus, Tom Williams can stay anonymous. Win-Win-Win.
makomk
Hero Member
August 06, 2011, 11:26:47 AM
 #36

The tech explanation doesn't add up. Is he saying they were the victim of double spend attacks?
That's the only reason 1 vs 1000 confirmations should matter.
It would be so hard to pull off a double spend in this manner that this still smacks of BS.
Not only that - if they were the victim of double-spend attacks, they should be able to provide copies of the duplicate transactions spending the same input, and probably even the two blocks with different versions of the same transaction. (The official Bitcoin client stores orphaned blocks it saw that used to be part of the main chain pretty much forever.)

A double-spend with only 1 confirmation might actually be doable in this case, though, because an attacker can just keep trying repeatedly until they succeed at little or no cost to them, and because synchronization of blocks between the big mining pools isn't very good even at the best of times. Tycho's refusal to give the IP address of his Bitcoin node for Deepbit to any of the other pool operators is actually quite damaging from what I've heard.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
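
The two-balance scheme from the quoted press release (credit at one confirmation, hold until at least 3) combined with the orphaned-block case raised in post #36, as an added example that is not part of any post in this thread and is not MyBitcoin's code. The class names, block hashes and amounts are constructed, and the active chain is modelled as a plain list of block hashes.

```python
from dataclasses import dataclass

MIN_CONF = 3  # hold threshold named in the quoted press release

@dataclass
class Deposit:
    txid: str
    account: str
    amount: int       # satoshis
    block_hash: str   # block that first confirmed the transaction

class DepositLedger:
    def __init__(self):
        self.chain = []     # active chain as block hashes, oldest first
        self.deposits = {}  # txid -> Deposit

    def set_chain(self, block_hashes):
        self.chain = list(block_hashes)  # a reorg swaps the recent blocks

    def record(self, dep):
        self.deposits[dep.txid] = dep

    def confirmations(self, txid):
        """Depth of the deposit's block; 0 if that block was orphaned."""
        dep = self.deposits[txid]
        if dep.block_hash not in self.chain:
            return 0
        return len(self.chain) - self.chain.index(dep.block_hash)

    def balances(self, account):
        """Return (pending, spendable), recomputed from the current chain."""
        pending = spendable = 0
        for dep in self.deposits.values():
            if dep.account != account:
                continue
            conf = self.confirmations(dep.txid)
            if conf >= MIN_CONF:
                spendable += dep.amount
            elif conf >= 1:
                pending += dep.amount  # visible in history, not withdrawable
        return pending, spendable

    def can_withdraw(self, account, amount):
        return amount <= self.balances(account)[1]

def demo():
    # Constructed scenario: a 1-confirmation deposit whose block is orphaned.
    ledger = DepositLedger()
    ledger.set_chain(["b100", "b101a"])
    ledger.record(Deposit("tx1", "alice", 5_000_000, "b101a"))
    before = ledger.balances("alice"), ledger.can_withdraw("alice", 5_000_000)
    ledger.set_chain(["b100", "b101b", "b102b"])  # reorg drops b101a
    return before, ledger.balances("alice")
```

Because balances are derived from the current chain on every call rather than stored when the deposit is first seen, a deposit whose block is orphaned drops out of both balances without any separate rollback step.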
Are-you-a-wizard?
Member
August 06, 2011, 11:44:22 AM
 #37

Fantastic :)
giantdragon
Legendary
August 06, 2011, 11:59:22 AM
 #38

Quote
If he's not incorporated, he can be sued for his personal assets and cash by anyone and everyone who lost bitcoins from this.  I encourage people to take this route once more of his information is revealed, and if he does not fully reimburse every single person who used the service.
MyBitcoin is a Limited Liability Company, i.e. owners don't take any liability for the company's debts. In this case the maximum you can get by suing them is the corporation's assets.

Jeremy West spendbitcoins.com
Hero Member
August 06, 2011, 12:08:01 PM
 #39

Tom Williams,

You better come up with %100 of everyone's bitcoins ASAP even if you need to buy them with your own money from one of the exchanges.

Those bitcoins are YOUR responsibility.

I can think of times in my life where I made mistakes,  and paid tens of thousands of dollars out of my own pocket to make things right.

Now it is your turn.

Do the right thing.

+1

bitplane
Sr. Member
August 06, 2011, 12:14:35 PM
 #40

I said this before, and it only applies if MyBitcoin's losses are at the "thousands" scale: I wonder if we can buy him out.

Let's say 10000 BTC got stolen. A trusted intermediary (the new administrative board + jury) could create a new asset on GLBSE with 10000 shares, each worth 1 BTC, so that the new company would be 100% publicly owned.

This way, everyone gets their money back AND we save MyBitcoin, which is IMO a valuable asset for the community. Otherwise, both will be lost. Plus, Tom Williams can stay anonymous. Win-Win-Win.

This is a good idea. We could rename it to "ourbitcoin" too :D