MtGox source code leaked ...

[itsunderstood]

I am going to take this code and learn from it.  I haven't ever really had much interest in programming because most all software is shit.  So, I guess if one is to learn, may as well start with the SHIT THAT MADE 500 MILLION USD?

PHP all the way + Python, you kiddin me?  This is a no brainer.  

Okay, so, we probably can agree that what is the real problem is: dickhead intentioned persons who break code, i.e. SQL inject, etc.  And Also I bet you would agree with me that these ones will always succeed UNLESS you got VC $$$ with which to test and parse and manage your code.

No way will anything grassroots be done, unless it is one dude typing furiously at his keyboard.  WITNESS the code which made functionality happen.  Haha, it is so cute to me that programmers think they can obfuscate their trade and call for centralized code and wag their finger at Tron-style creativitiy.  Okay, sure, when you look at it, it's dogshit.  But when I look at it, I want to learn it.

Everybody interested in making a better PHP world, go ahead and PM line by line as to where th vuln's are in this code, because, I didn't see anyone of you do an exploit that got his wallets, or did you??

I mean, in some ways, if you build cars so that they can withstand rocket-launchers-type-attacks, you are going to have to build tanks rather than cars.  So, then that again means that Ike was right about science-money taking over the world.  If you do not build better software designers, then there will simply be a whole new generation of them. And eventually they will decide to de-obfuscate all code everywhere.  So anyway, I am learning PHP and Python, because I don't see that programming C++ and making shithot web apps, is really doable in a practical sense.  Just my .02 as a desktop tech who writes .bat files but supports low IQ money-based programmers imported from other countries.  I agree with those who say the world runs on lousy code --it does, and yet, that it won't be fixed is a frightening truth.

[1713879965]

1713879965

[1713879965]

1713879965

[1713879965]

1713879965

[1713879965]

1713879965

[Zeeks]

Why does the MtGox code send e-mails to Luke-Jr? He has a rather "colorful" past around here, he was tampering with blocks passing through his pool.

[DeathAndTaxes]

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

[smooth]

There is a lot of wisdom here. Worse is better. Programming is not (always) art.

But I'll say this. it isn't clear that Mark made 500 million with this code. If we go by the leaked (maybe authentic, maybe not) financials, MtGox really didn't make that much money. It may be that the code made 500 million USD (or perhaps some much smaller amount if the coins were stolen earlier and valued at lower prices) for someone else. If Mark stole 500 million USD and got away with it using this code, then I would agree you are on to something. That's hardly proven.

I am going to take this code and learn from it.  I haven't ever really had much interest in programming because most all software is shit.  So, I guess if one is to learn, may as well start with the SHIT THAT MADE 500 MILLION USD?

PHP all the way + Python, you kiddin me?  This is a no brainer.  

Okay, so, we probably can agree that what is the real problem is: dickhead intentioned persons who break code, i.e. SQL inject, etc.  And Also I bet you would agree with me that these ones will always succeed UNLESS you got VC $$$ with which to test and parse and manage your code.

No way will anything grassroots be done, unless it is one dude typing furiously at his keyboard.  WITNESS the code which made functionality happen.  Haha, it is so cute to me that programmers think they can obfuscate their trade and call for centralized code and wag their finger at Tron-style creativitiy.  Okay, sure, when you look at it, it's dogshit.  But when I look at it, I want to learn it.

Everybody interested in making a better PHP world, go ahead and PM line by line as to where th vuln's are in this code, because, I didn't see anyone of you do an exploit that got his wallets, or did you??

I mean, in some ways, if you build cars so that they can withstand rocket-launchers-type-attacks, you are going to have to build tanks rather than cars.  So, then that again means that Ike was right about science-money taking over the world.  If you do not build better software designers, then there will simply be a whole new generation of them. And eventually they will decide to de-obfuscate all code everywhere.  So anyway, I am learning PHP and Python, because I don't see that programming C++ and making shithot web apps, is really doable in a practical sense.  Just my .02 as a desktop tech who writes .bat files but supports low IQ money-based programmers imported from other countries.  I agree with those who say the world runs on lousy code --it does, and yet, that it won't be fixed is a frightening truth.

[itsunderstood]

There is a lot of wisdom here. Worse is better. Programming is not (always) art.

But I'll say this. it isn't clear that Mark made 500 million with this code. If we go by the leaked (maybe authentic, maybe not) financials, MtGox really didn't make that much money. It may be that the code made 500 million USD (or perhaps some much smaller amount if the coins were stolen earlier and valued at lower prices) for someone else. If Mark stole 500 million USD and got away with it using this code, then I would agree you are on to something. That's hardly proven.

Thanks friend.

And I do not intend to defraud, because, if my exchange goes south, I will turn the damn thing off.

But, since you are all very smart, I would also suggest this:  There is no way to make Android safe.  And there is no way to stop the tablet-tsunami, with crapware standard.  So?

If you got all the programmers in a room, I don't think the public could stand to be in that room.

edit

Also the person who said that A: The Gox customer list, and now B: This code being dupe'd all around Earth, could open severe vectors for crime that smack cryptocoin in the face for years even (tho we know it will always rebound and/or have value).

So, in terms of any cred on the programmer-class of persons on Earth, I am not sure they can agree amongst themselves, as the good/shitty ones are good/bad enough to make a ton of cash either way, and then they bail and retire at 40, good for them!  Awesome.  But you can't build a world on that kind of code, can you?

[Finnminer]

I've seen so much bad code in my life... even in enterprise systems... this one looks quite average 

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

Has someone had the time to study the code more carefully? At first glance it seems to me like they are encrypting all the private keys using the same encryption keys and storing them in a database. So if someone would get access to the database and the master key (likely to be hardcoded in a php file somewhere...) they could steal all the money from all the addresses. I haven't spent much time looking at the code so I might be interpreting it wrong.

[bitjoint]

Mysql? php??? For a multi-million dollar website?!?!?!? WTF!!!

Not a good point... Bitstamp is using php. The difference is that it seems bitstamp is built with a proper framework, and Gox was built with a crappy/old CMS... that's why I never trusted them.

[bananas]

I wonder why the SQL dump to create the database was not leaked, the actual sources using the class were not leaked either. It is not like "hey, i leaked it so you can just run it or fully analyze", 'cause you can't.

It is like Karpeles himself leaked that for some malicious reason

[elebit]

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

It's all those "rockstar programmers" who spend more time reading blogs than working. Only the object oriented design pattern de jour is the way to go, everything else sucks beyond belief, apparently.

Meanwhile, COBOL code sprinkled with GO TOs run their banks and steer their satellites. The only thing that matters is if the code 1) works and 2) is readable (and most hipster frameworks fail on both accounts).

The difference between serious and amateurish outfits like MtGox is testing, testing, testing and testing. Did I mention testing? And a bunch of people who do not consider themselves rockstars or other silly things who work these systems daily.

[mami]

I've seen so much bad code in my life... even in enterprise systems... this one looks quite average 

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

The code is not particularly readable, therefore it probably has some subtle bugs. OO PHP is some of the worst looking code out there, but it mostly works... Honestly, what else is anyone suggesting people USE to make this type of site?

Surely NOT Ruby (way more scary than PHP), and probably not C++/CGI (too esoteric and crashworthy), probably not Python/web (still not ready for the bigtime), and don't even mention Java (the world will be a better place when people finally stop using it).

[DeathAndTaxes]

Surely NOT Ruby (way more scary than PHP), and probably not C++/CGI (too esoteric and crashworthy), probably not Python/web (still not ready for the bigtime), and don't even mention Java (the world will be a better place when people finally stop using it).

Nothing wrong with Java running server side.  The security hell that is java applets needs to die.  I personally don't install java client side not because it is any direct risk but out of fear that some browser exploit will enable java applet access.  If java applets were killed off an no longer supported by modern browsers I would have no issue with java client side either.  Most financial institutions and large enterprises use java server side. 

The issue isn't so much PHP as the way it was used.  As a side note, you can shoot of your own foot with any programming language, PHP just makes it easier than others.  I would use Python over PHP because dynamic typing and implicit (warningless) conversion between types just makes it to easy to create bugs which only occur run time.  Combine that with no test driven development and you got a recipe for hard to identify bugs.

Someone up thread said testing, testing, and testing.  That doesn't mean let me try to manually "test the hell out of this" it means things like unit testing, code coverage, mocking, automated test validation in build process, etc.  That is impossible with the code as written.  The code as written is untestable, unmaintainable, and undocumented.  Everything is a bunch of static methods, magic constants spread throughout, SQL code interspersed with business logic, mixed with formatting.  The few places where a constant should be used they decided to use a literal 100000000 for conversion from satoshi to Bitcoins.  Money values are handled as floats.  Everything is tightly coupled and poorly documented so if Mark ever did bring on additional programmers that would just be a timebomb waiting to go off.  You can get god's gift to programming but if other "lesser" programmers can make fatal mistakes with your code because it is fragile ... it is bad code.

[spin]

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

[PassTheAmmo]

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

It's all those "rockstar programmers" who spend more time reading blogs than working. Only the object oriented design pattern de jour is the way to go, everything else sucks beyond belief, apparently.

Meanwhile, COBOL code sprinkled with GO TOs run their banks and steer their satellites. The only thing that matters is if the code 1) works and 2) is readable (and most hipster frameworks fail on both accounts).

The difference between serious and amateurish outfits like MtGox is testing, testing, testing and testing. Did I mention testing? And a bunch of people who do not consider themselves rockstars or other silly things who work these systems daily.

The code isnt't testable in its current state which is exactly for the reasons already mentioned. It is not separated into components. That would have a lot of advantages, one og them being testability. The reason that COBOL works in banks is because the code has been running for decades, not because better tools don't exist now.

And OO has been questioned for a long time now with new programming languages even boosting about being non-OO.

You seem to be arguing against your own misconceptions.

I have a hard time believing that someone who's proficient in multiple programming languages would choose PHP for THIS particular job, but it would easily be the right choice if that's the only language he was fluent in.

[QuestionAuthority]

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

Collusion between Luke Dashjr and Gox alone should have been enough to keep you away from Gox. When you watch Luke Dashjr at a conference he looks and acts like one of those kids that used to get beat up a lot in school. He's very quiet, stays to himself and a little scary looking. I can see him having 15 decapitated human heads in a freezer in the back of his single wide mobile home with wooden Christian cross hanging in every room and an alter made for his long dead mother on the faux mantle piece.

[spin]

 I remember seeing something irc where gmaxwell said that the code is likely old.  

Rather than get personal about any members it would be good to know if this older code or newer code.

[muyuu]

PHP can be used as a non-OOP language, and in fact it's the way it makes most sense to use it since their OOP is an afterthought and doesn't play well with the rest of the characteristics of the language. "1 big superclass" basically fakes that. You can easily re-factor that anyway.

However this does seem like a 1-man weekend project. I wonder if they at least have some docs to go with it elsewhere.

TBF I'm willing to believe this was the production code.

[elebit]

The code isnt't testable in its current state which is exactly for the reasons already mentioned. It is not separated into components.

But it is. Just maybe not the components you would like.

I would not choose this exact design, but it is very far from a ball of mud. It is quite clear what is does, there are methods with proper names, and nothing is obscured by dependencies. If I would be handed this as a legacy codebase to work with I wouldn't find it too bad. I've seen much worse.

What I would miss most here is tests (of course one can write tests for this code, both functional tests and unit tests) and documentation. But that's par for the course considering there seems to have been mostly one developer working on this.

[melmo]

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

Collusion between Luke Dashjr and Gox alone should have been enough to keep you away from Gox. When you watch Luke Dashjr at a conference he looks and acts like one of those kids that used to get beat up a lot in school. He's very quiet, stays to himself and a little scary looking. I can see him having 15 decapitated human heads in a freezer in the back of his single wide mobile home with wooden Christian cross hanging in every room and an alter made for his long dead mother on the faux mantle piece.

Wow, that's harsh

[QuestionAuthority]

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

Collusion between Luke Dashjr and Gox alone should have been enough to keep you away from Gox. When you watch Luke Dashjr at a conference he looks and acts like one of those kids that used to get beat up a lot in school. He's very quiet, stays to himself and a little scary looking. I can see him having 15 decapitated human heads in a freezer in the back of his single wide mobile home with wooden Christian cross hanging in every room and an alter made for his long dead mother on the faux mantle piece.

Wow, that's harsh

Nah, not really. He's a bastard. Besides being a crippling force on Bitcoins development team, he has used the mining power of so many people without their knowledge to do so many bad things that I find it hard to say anything evil enough to describe him.

[Nagle]

Hm. Items of interest:

The code sends emails to "mark@ookoo.org" on some errors.  "ookoo.org" is owned by

Mutum Sigillum LLC
220 E. Delaware Ave., #1085
Newark, DE
US

which is a subsidiary of Mt. Gox.

On page 26, there's a private key embedded in the code as a long hex string. Requests involving that private key are rejected.

Bitcoin transactions are sent to "relay.eilgius.st" and "mtgox.relay.eligius.st". That's a mining pool. But that "eligius.st" address is registered to Mutum Sigillum LLC:

DOMAIN: eligius.st

REGISTRATION-SERVICE-PROVIDER: K.K. Tibanne
URL: http://www.tibanne.com/

created-date:    2011-05-10 00:27:33
updated-date:    2014-03-03 04:59:29
expiration-date: 2014-05-10 21:59:59

registrant-organization: Mutum Sigillum LLC
registrant-name:         David Manager (MUT525418A4EC0C7)
registrant-street:       220 E. Delaware Ave., #1085
registrant-city:         Newark
registrant-state:       
registrant-zip:          19711
registrant-country:      US
registrant-phone:       
registrant-fax:         
registrant-email:        domains@mutumsigillum.com

admin-organization: Luke Dashjr
admin-name:         Luke Dashjr (KKT5313FE423381E)
admin-street:       8512 Templeton Drive
admin-city:         Omaha
admin-state:        NE
admin-zip:          33523
admin-country:      US
admin-phone:       
admin-fax:         
admin-email:        luke+kalyhost@dashjr.org

tech-organization:
tech-name:         Luke Dashjr (KKT5313FE424A57E)
tech-street:       8512 Templeton Drive
tech-city:         Omaha
tech-state:        NE
tech-zip:          33523
tech-country:      US
tech-phone:       
tech-fax:         
tech-email:        luke+kalyhost@dashjr.org

billing-organization:
billing-name:         Luke Dashjr (KKT5313FE425CFF3)
billing-street:       8512 Templeton Drive
billing-city:         Omaha
billing-state:        NE
billing-zip:          33523
billing-country:      US
billing-phone:       
billing-fax:         
billing-email:        luke+kalyhost@dashjr.org

Mt. Gox was known to have close connections to Eligius, but this is closer than previously thought.