eldentyrell
December 29, 2011, 12:48:35 AM
Wow, is this fact widely known? It deserves a post of its own somewhere, the hole is indeed glaring. I'll post it to reddit.
I posted about it on 22-Dec: https://bitcointalk.org/index.php?topic=55432.msg659595#msg659595
If anybody knows of an earlier mention, say so.
The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators. So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
notme
December 29, 2011, 12:55:16 AM
I'm (ironically) away from my Yubikey until Friday evening, so I can't verify the claims that there are settings to tweak that will solve this issue. Personally, I use the API, but I would prefer to have un/pass authentication disabled, but last I checked it still worked.
zhoutong
December 29, 2011, 07:38:56 AM
I believe that one must use key/secret authentication in order to withdraw.
Bitcoinica has an account with Yubikey, and we had to set up another account for automated Mt. Gox code withdrawals till recently.
Now we are using key/secret authentication to process withdrawals from our main account directly.
Ferroh
December 30, 2011, 01:45:33 AM
Yubikeys are worthless ATM for protecting bitcoins since you can withdraw via the API and the API still allows un/password authentication. Just FYI. MtGox needs to suck it up and break compatibility with old code instead of allowing this glaring hole to exist.
You can't use the API without an API key and HMAC authentication. You can also leave the API disabled if you choose, and you need your Yubikey to enable it. So no, the Yubikey is not broken -- it is very useful, and telling average users (who don't even use the API) that it is useless is not the best idea.
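Added example, not part of the thread and not Mt. Gox's code: a minimal server-side check of the kind the post above describes, where an API call needs a key plus an HMAC signature, password credentials are refused, and the API stays off until the account enables it. The header names (`Api-Key`, `Api-Sign`), the form fields (`name`, `pass`, `nonce`) and the account store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed account store. The API stays off until the account holder
# enables it (the step the post says needs the Yubikey on the website).
ACCOUNTS = {
    "key-123": {"secret": base64.b64encode(b"constructed-secret-1").decode(),
                "api_enabled": True, "last_nonce": 0},
    "key-456": {"secret": base64.b64encode(b"constructed-secret-2").decode(),
                "api_enabled": False, "last_nonce": 0},
}


def sign(secret_b64: str, body: bytes) -> str:
    """Client side: HMAC-SHA512 over the exact request body."""
    mac = hmac.new(base64.b64decode(secret_b64), body, hashlib.sha512)
    return base64.b64encode(mac.digest()).decode()


def authenticate(headers: dict, body: bytes) -> str:
    """Server side: return 'ok' or the reason the call is refused."""
    fields = parse_qs(body.decode("utf-8", "replace"))
    # Password credentials never authenticate an API call, so a stolen
    # password alone cannot reach a withdrawal endpoint.
    if "name" in fields or "pass" in fields:
        return "password auth not accepted"
    account = ACCOUNTS.get(headers.get("Api-Key", ""))
    if account is None or not account["api_enabled"]:
        return "api disabled or unknown key"
    expected = sign(account["secret"], body).encode()
    supplied = headers.get("Api-Sign", "").encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return "bad signature"
    # A strictly increasing nonce stops a captured request being replayed.
    nonce = fields.get("nonce", [""])[0]
    if not nonce.isdecimal() or int(nonce) <= account["last_nonce"]:
        return "stale nonce"
    account["last_nonce"] = int(nonce)
    return "ok"
```

The point the thread argues over is the first branch: if an API endpoint accepts the password path at all, the second factor on the website protects nothing that the API can reach.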
sunnankar
December 30, 2011, 02:20:56 AM
my bank has said they don't report those large amts to the gov't. i wonder if this is true?
I think it depends on the relationship you have with your banker. There are factors and elements that go into whether something rises to the level of 'suspicious' and is tied towards the 'reasonable suspicious' standard with regards to searches and seizures. If you have a good relationship and reputation along with plausible evidence then it is not really an issue. It is not uncommon for me to initiate wires overseas in connection with deals or clients I am working with and I always have some type of plausible story like buying foreign real estate, rent, buying a business, capital goods, consulting project, etc. and my banker gets regular financial statements from me in accordance with debt covenants. It does get fun when I ask for $10-15k of physical cash in $20s but with pictures and stories it is not much of a problem and I usually give him a few days to order it. For example, last time one of my buddies flew his plane to Santiago he landed in Ecuador for gas and they didn't have any avgas and it had to be trucked in and cost $10k cash. It is not uncommon to only be able to pay for gas with cash in the Caribbean, Latin America, etc. and would be unreasonably stupid to fly down there without a large amount of cash due to the normal conditions of business and environment.
QUESTION: I am thinking of putting together a business deal where I need to be able to buy about $45k of bitcoins and send them to someone within a day or two. Anyone know if MtGox raises or removes the withdrawal limit, in bitcoins, if you have met the KYC/AML standards?
casascius (OP)
Mike Caldwell
December 30, 2011, 02:24:51 AM
They did for me. I can pull 5000 BTC per day. Plenty for me.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
notme
December 30, 2011, 02:45:41 AM
Yubikeys are worthless ATM for protecting bitcoins since you can withdraw via the API and the API still allows un/password authentication. Just FYI. MtGox needs to suck it up and break compatibility with old code instead of allowing this glaring hole to exist.
You can't use the API without an API key and HMAC authentication. You can also leave the API disabled if you choose, and you need your Yubikey to enable it. So no, the Yubikey is not broken -- it is very useful, and telling average users (who don't even use the API) that it is useless is not the best idea.
As of a week ago un/pass worked with API. I forgot I had to enable the API back in the day, so you are correct there. I will test whether un/pw works still when I get home in the next few days. If it does work, I will check on withdrawals. If they work it absolutely is broken.
casascius (OP)
December 30, 2011, 03:27:39 AM
... they didn't have any avgas and it had to be trucked in and cost $10k cash...
What kind of aircraft can hold $10k worth of avgas?
notme
December 30, 2011, 03:29:33 AM
... they didn't have any avgas and it had to be trucked in and cost $10k cash...
What kind of aircraft can hold $10k worth of avgas?
Sounds like it was the trucking that made it so expensive.
old_engineer
December 30, 2011, 05:14:06 AM
... they didn't have any avgas and it had to be trucked in and cost $10k cash...
What kind of aircraft can hold $10k worth of avgas?
Sounds like it was the trucking that made it so expensive.
A large private jet can carry 10,000 lbs of fuel, which is about 1300 gallons. A fill up would cost $10k if they paid $8/gallon, which is a reasonable price in rural SA or Africa.
casascius (OP)
December 30, 2011, 05:55:27 AM
A large private jet can carry 10,000 lbs of fuel, which is about 1300 gallons. A fill up would cost $10k if they paid $8/gallon, which is a reasonable price in rural SA or Africa.
A large private jet would carry Jet-A or similar, as opposed to avgas.
sunnankar
December 30, 2011, 06:19:52 AM
Sounds like it was the trucking that made it so expensive.
Bingo. The plane only held like 92 gallons.
cypherdoc
December 30, 2011, 06:22:30 AM
my bank has said they don't report those large amts to the gov't. i wonder if this is true?
I think it depends on the relationship you have with your banker. There are factors and elements that go into whether something rises to the level of 'suspicious' and is tied towards the 'reasonable suspicious' standard with regards to searches and seizures. If you have a good relationship and reputation along with plausible evidence then it is not really an issue. It is not uncommon for me to initiate wires overseas in connection with deals or clients I am working with and I always have some type of plausible story like buying foreign real estate, rent, buying a business, capital goods, consulting project, etc. and my banker gets regular financial statements from me in accordance with debt covenants. It does get fun when I ask for $10-15k of physical cash in $20s but with pictures and stories it is not much of a problem and I usually give him a few days to order it. For example, last time one of my buddies flew his plane to Santiago he landed in Ecuador for gas and they didn't have any avgas and it had to be trucked in and cost $10k cash. It is not uncommon to only be able to pay for gas with cash in the Caribbean, Latin America, etc. and would be unreasonably stupid to fly down there without a large amount of cash due to the normal conditions of business and environment.
QUESTION: I am thinking of putting together a business deal where I need to be able to buy about $45k of bitcoins and send them to someone within a day or two. Anyone know if MtGox raises or removes the withdrawal limit, in bitcoins, if you have met the KYC/AML standards?
with KYC standards you can withdraw $45K in bitcoins all at once but in 1000 btc batches one right after another.
papa_snurf
December 31, 2011, 11:47:56 AM
Wanted to make sure this was well known.
I strongly recommend a YubiKey if you're dealing with that kind of money. You will be dealing with a 100 BTC (or similar) withdrawal limit - consider that a blessing, an anti-theft measure, to give you time to get your YubiKey (while you get your personal info to MtGox). If you deposit that kind of money into MtGox, order a YubiKey immediately, and don't ask for your limit to be raised before you have received and activated it. YubiKey comes fast - it gets sent via a form of express post.
Yubikeys are not required on the API and hence are a pointless joke on the gullible.
papa_snurf
December 31, 2011, 11:49:52 AM
whether it was to buy BTC for myself, or on behalf of others. after seeing that your bank is probably filing a SAR as we speak In my case, it's a good thing my activities are legitimate and I have nothing to worry about. Being on a US gov terrorist list of some sort would still not be fun, even if all your activities are legitimate. It's so sad how we are letting our own government kill off civil liberties for the *illusion* of safety. This line of thinking is wrong on so many levels.