SMTB1963
July 16, 2012, 11:22:48 PM
Also, we plan to have this document verified by third party auditors for future releases, however we want to set a realistic expectation this may not happen by the next quarter.
Periodic deposit/withdrawal volumes, gross turnover, revenue/opcosts... these things don't provide ANY worthwhile information about the risk of doing business with you. Why would you bother having them attested to by a third party auditor? I'd also point out that as a practical matter, it's impossible to audit BTC balances on financial statements.
If you ask for the audit report though, their answer is basically... "Aww, shucks. Sorry, we can't let you see it. You actually have to pay for your own copy of it straight from the auditor, we can't let you see ours. And it's really expensive. Sorry about that."
LOL wut? MtGox told you that a copy of their audit was available for purchase from their auditor?!? That would really be something. Who at MtGox told this to you?

casascius
Mike Caldwell
July 16, 2012, 11:33:46 PM
LOL wut? MtGox told you that a copy of their audit was available for purchase from their auditor?!? That would really be something. Who at MtGox told this to you?
E-mail from Mark Karpeles to me, received 10 July 2012, 05:17 UTC
If you're looking for a simple financial audit however, you can order one from Teikoku Databank, our Japanese auditor (we cannot distribute it, each company wishing to see it needs to buy it from them).
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

SMTB1963
July 17, 2012, 01:37:14 AM
Heh, Teikoku Databank is a market research firm. They do not provide audit services. Mr. Karpeles should be a little more careful about the language he uses in his outside communications.
Seriously, I doubt an outside auditor has ever set foot into MtGox/Tibanne offices. The only need they have for a CPA of any kind is for their taxes.

Phinnaeus Gage
July 17, 2012, 01:37:31 AM
LOL wut? MtGox told you that a copy of their audit was available for purchase from their auditor?!? That would really be something. Who at MtGox told this to you?
E-mail from Mark Karpeles to me, received 10 July 2012, 05:17 UTC
If you're looking for a simple financial audit however, you can order one from Teikoku Databank, our Japanese auditor (we cannot distribute it, each company wishing to see it needs to buy it from them).
What's the cost? And who's collecting the BTC to buy a copy to share with the community? I guess I misunderstood what an audit is. I thought it was one that shows where the money is, as opposed to showing that the patella is connected to the femur.
Seriously, I doubt an outside auditor has ever set foot into MtGox/Tibanne offices.
An adult by the name of Bruce Wagner once stepped on Holy Ground and even provided us a video of his adventure. Does that count? BTW, does anybody know where we can view said video?
~Bruno~

SMTB1963
July 17, 2012, 07:31:11 PM
What's the cost? And who's collecting the BTC to buy a copy to share with the community?
The cost is "52,500 yen (before tax 50,000 yen) + Data Charge x Output Records" (I estimate to be around 700 bucks). But before anyone goes spending any money, they should be aware that Teikoku Databank makes no assurances on the veracity of the financial statements you buy from them. Probably because their financial statement data for privately held Japanese firms is (by and large) gathered via surveys. It is entirely possible that Mr. Karpeles submitted MtGox's financial data to Teikoku Databank himself.
I guess I misunderstood what an audit is. I thought it was one that shows where the money is, as opposed to showing that the patella is connected to the femur.
Many types of audits are performed by public accountants. The SSAE 16 referred to by casascius would provide an opinion on the internal controls implemented in MtGox's end-user systems vis-à-vis the system's ability to provide reliable financial data. Some caveats with an SSAE 16 are: the audit is based on management's description of the controls/system, the audit gives no opinion on the accuracy of the financial data extant in the system being audited, and the audit gives no opinion on the accuracy of the service firm's consolidated financial statements.

casascius
Mike Caldwell
July 17, 2012, 09:59:22 PM
When we get a SSAE 16, some of the things we have to account for include how we are doing our data backups, who has access to data/facilities/equipment, and how software source code changes get vetted and sent to production. A lot of those topics are relevant to the risk one faces when doing business with MtGox (if Bitcoinica didn't make that painfully obvious enough to many).
Also relevant is what happens if Mark Karpeles gets hit by a bus. He may very well be the only one that has access to the bitcoins on deposit, just to avoid the risk of getting stabbed in the back. But if our coins die with him, that can't be good, and also is relevant to anyone doing business with Gox. If they have a contingency plan in place, SSAE 16 would hopefully disclose enough of it to suggest that they have one in place and that it's probably effective, without giving away the secrets to a would-be thief.
Yep, while SSAE 16 would reveal a lot of information relevant to someone evaluating the risk of doing business with MtGox, SSAE 16 itself isn't a "the money's there" audit. In fact, SSAE 16 isn't necessarily the part I think everyone's after: the fundamental critical part is a third-party assertion from someone with credentials on the line to say "We looked - we saw - we believe the money's there - signed, us".
If they were interested in doing so, they could solicit a CPA firm (such as one also doing a SSAE 16) to make that attestation on their behalf. They just don't seem interested in it.

SMTB1963
July 18, 2012, 12:53:41 AM
Yep, while SSAE 16 would reveal a lot of information relevant to someone evaluating the risk of doing business with MtGox, SSAE 16 itself isn't a "the money's there" audit. In fact, SSAE 16 isn't necessarily the part I think everyone's after: the fundamental critical part is a third-party assertion from someone with credentials on the line to say "We looked - we saw - we believe the money's there - signed, us".
Absolutely correct. In fact, it's likely that a practitioner would require an SSAE 16 as a prerequisite to auditing their financial statements. But in my mind, surviving an SSAE 16 isn't necessarily a problem for them. Getting an unqualified opinion on their financials, however, is a completely different story. Not because they're engaging in any monkey business, but because they simply don't have enough bodies in the organization to have the necessary segregation of duties to qualify as having "strong internal controls". This would place them in a situation where the auditor would require "substantive tests of detail" of their balances (which isn't a problem for their fiat-denominated balances, but is extremely problematic for their BTC balances).
If they were interested in doing so, they could solicit a CPA firm (such as one also doing a SSAE 16) to make that attestation on their behalf. They just don't seem interested in it.
TBH if I was in their shoes, I'm not sure I'd be interested in an outside audit either. There might be some upside in terms of gaining market share/revenue - as long as they get a clean opinion. If they don't, all they've done is spend a bunch of money to get a list of things for which they will have to spend even more money.

Mt.Gox_Alex
July 18, 2012, 01:25:58 AM
It seems that some people on this forum have a better understanding of the overall Bitcoin economy and problems than others.
As I stated many times (under Mt.Gox_Support), we have been the first to come forward and tried to be as transparent as possible. We are not against an audit and such a thing will come at some point, but the truth is that as of today it will be extremely costly, long and difficult to get something done and done PROPERLY! And this is due to the nature of Bitcoin. On top of that we will have to find someone who is capable of understanding Bitcoin and "Appreciating" all its challenges.
But we understand the need for you to be reassured that we have what we say we have and that our system is as secure as we say it is secure. We are working on this and hope to give you all something that you will accept. But once again, and this should at least count for something: Mt.Gox is still the largest exchange, one of the oldest exchanges, and we survived Everything that has been thrown at us. So if this alone can't at least give you a chance to start trusting us, what will? You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!
Mt.Gox : The Leading International Bitcoin Exchange. Mt.Gox Merchant Solutions : Now Available!

casascius
Mike Caldwell
July 18, 2012, 02:08:46 AM
What about moving BTC or signing messages to prove possession? These don't even have to be published (and many customers would prefer they not be) - I would take the word of a trusted few who verified the sigs. That could all be done within an hour. But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.

Bitcoin Oz
July 18, 2012, 02:11:45 AM
What's so "long and difficult" about moving some coins around?

casascius
Mike Caldwell
July 18, 2012, 02:20:33 AM
You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!
So, in other words, we should be thankful for unexplained open-ended delays and implausible "AML" investigations because all of this helps us keep our money safe? Good call! At least because of this, we don't have to worry about hackers withdrawing our USD, because their withdrawal will take 2 weeks after which we will know exactly where it went.

Bitcoin Oz
July 18, 2012, 02:29:22 AM
You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!
So, in other words, we should be thankful for unexplained open-ended delays and implausible "AML" investigations because all of this helps us keep our money safe? Good call! At least because of this, we don't have to worry about hackers withdrawing our USD, because their withdrawal will take 2 weeks after which we will know exactly where it went.
Bitcoinica hacker withdrew $340 000 instantly without any problems

Mt.Gox_Alex
July 18, 2012, 03:36:13 AM
I would take the word of a trusted few who verified the sigs. That could all be done within an hour. But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.
I am not sure if you realize what you are asking for, anyway I will try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. Not only is this a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS' coins for a certain lapse of time stored on a single wallet, but it will also require a lot of manpower and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities, so that if something really bad happens ONLY a few coins will be lost. As you must be aware, it is very easy for everyone to track coins, and moving all these coins to a single address will certainly raise some attention.
-- Edit -- And this is the "Secretive" part that I was referring to and nothing else.

casascius
Mike Caldwell
July 18, 2012, 03:55:18 AM Last edit: July 18, 2012, 04:08:45 AM by casascius
I would take the word of a trusted few who verified the sigs. That could all be done within an hour. But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.
I am not sure if you realize what you are asking for, anyway I will try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. Not only is this a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS' coins for a certain lapse of time stored on a single wallet, but it will also require a lot of manpower and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities, so that if something really bad happens ONLY a few coins will be lost. As you must be aware, it is very easy for everyone to track coins, and moving all these coins to a single address will certainly raise some attention.
-- Edit -- And this is the "Secretive" part that I was referring to and nothing else.
*eyes rolling* Yes, I am pretty sure I understand exactly what I am asking for. Yes, Mark did explain this to me. As though he too had never heard there is a feature to sign text messages with an address's key.
I mean use the message* signature feature built right into the reference client. You know, signmessage, verifymessage. Do it on an offline computer so there is no risk of contact between the internet and the keys. Write a script to enumerate the keys in the wallet and sign a message with each one, and then transfer the signatures to online computers with a flash drive.
You guys have your own custom bitcoind*, and certainly are qualified to understand how to do this. Tell us nothing, that's fine, I get it, but don't tell me it's dangerous, that's a complete *.
* = I removed the profanity because I don't normally get on here and go into tirades of swearing. But saying proving possession of BTC is too dangerous is a pretty weak excuse and I am shocked you guys offer it.
EDIT2: ahh, nevermind, you all quoted it.

Mt.Gox_Alex
July 18, 2012, 04:06:13 AM
I would take the word of a trusted few who verified the sigs. That could all be done within an hour. But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.
I am not sure if you realize what you are asking for, anyway I will try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. Not only is this a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS' coins for a certain lapse of time stored on a single wallet, but it will also require a lot of manpower and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities, so that if something really bad happens ONLY a few coins will be lost. As you must be aware, it is very easy for everyone to track coins, and moving all these coins to a single address will certainly raise some attention.
-- Edit -- And this is the "Secretive" part that I was referring to and nothing else.
*eyes rolling* Yes, I am pretty sure I understand exactly what I am asking for. Yes, Mark did explain this to me. As though he too had never heard there is a feature to sign text messages with an address's key.
I mean use the fucking message signature feature built right into the reference client. You know, signmessage, verifymessage. Do it on an offline computer so there is no risk of contact between the internet and the keys. Write a script to enumerate the keys in the wallet and sign a message with each one, and then transfer the signatures to online computers with a flash drive.
You guys have your own custom bitcoind for Christ's sake, and certainly are qualified to understand how to do this. Tell us nothing, that's fine, I get it, but don't tell me it's dangerous, that's a complete crock of shit.
I will ignore the bad language for a second and believe that you are a decent person who had a bad day. Hell, that can happen to anyone. You have no clue how our system works so I will forgive you for that.
First of all we do not use the Bitcoin Client; add to that the fact that these wallets are everywhere (they are spread pretty much everywhere and in a HUGE quantity) and you can understand that this will take time and that WE want to make sure that things are safe.

casascius
Mike Caldwell
July 18, 2012, 04:16:37 AM Last edit: July 18, 2012, 04:29:38 AM by casascius
You have no clue how our system works so I will forgive you for that. First of all we do not use the Bitcoin Client; add to that the fact that these wallets are everywhere (they are spread pretty much everywhere and in a HUGE quantity) and you can understand that this will take time and that WE want to make sure that things are safe.
I am 100% certain you guys maintain private keys for your bitcoin addresses, otherwise technically you don't have the bitcoins in the first place.
I am 100% certain you could export the keys to a file. They are just short strings of numbers.
I am 100% certain you could import them into a wallet.dat with a trivial script.
I am 100% certain you could sign messages with them using the reference client after doing so.
I am 100% certain you guys already understand this.
I am 100% certain they are not "spread everywhere" as, for example, none of them are on my lawn.
I am 100% certain that no matter how HUGE the quantity, the quantity is not too big for a for-loop to iterate through them.
I actually have not had a bad day. It's hard to have a bad day when your stash of coins just took a nice solid leap and you aren't in the midst of trying to fight for possession of them from a bankrupt foreign entity. I just get a little animated when the #1 Exchange of Bitcoin blatantly misrepresents their ability to accommodate a reasonable request, no differently than a doctor claiming his patient must bleed to death because there, according to him, exists no such thing as stitches.
For what it's worth, the phrase "for Christ's sake" is also considered profane in countries where Christianity is popular. I thought I might point that out, because you only bolded "fucking" and "crock of shit" when quoting me.

SMTB1963
July 18, 2012, 11:08:11 PM
It seems that some people on this forum have a better understanding of the overall Bitcoin economy and problems than others.
Wait...are you saying you might have actually learned something from this thread?
As I stated many times (under Mt.Gox_Support), we have been the first to come forward and tried to be as transparent as possible. We are not against an audit and such a thing will come at some point, but the truth is that as of today it will be extremely costly, long and difficult to get something done and done PROPERLY! And this is due to the nature of Bitcoin. On top of that we will have to find someone who is capable of understanding Bitcoin and "Appreciating" all its challenges.
I couldn't agree more (except for the "transparent as possible" part). It's clear you are the first to make some data available, and you have been rightly applauded for doing so. But you made a mistake by making promises you can't/didn't keep: "A update to this document will be done every three months", "we plan to have this document verified by third party auditors for future releases". Look, I don't know how my knowledge of the overall Bitcoin economy stacks up against yours, but it's pretty clear to me that a couple of big bitcoin scams/hacks/thefts/whatevers happen every *fucking* year. Each time, there are calls from the wider bitcoin community for more transparency/accountability from bitcoin institutions. Guess what...you are one. Not taking the time to update your deck every third month after making a commitment to do so is, well, a big mistake. Especially given the rather limited and ho-hum nature of the data you published.
You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!
LOL, have you ever heard the saying "if you find yourself in a hole, the first thing to do is stop digging"?
__________________________
@casascius: while I think your idea has some merit, to me it makes more sense to press MtGox for a published audit. Having them push transactions/messages into the blockchain ain't exactly best practices when it comes to assurance.

casascius
Mike Caldwell
July 18, 2012, 11:26:18 PM
@casascius: while I think your idea has some merit, to me it makes more sense to press MtGox for a published audit. Having them push transactions/messages into the blockchain ain't exactly best practices when it comes to assurance.
I agree and believe they should do both. The "messages" part doesn't refer to pushing anything into the blockchain; in a nutshell, it is a recently added feature to the client that allows them to concretely prove they possess the BTC they have without having to transact with any of it. The proof comes in the form of a code they can publish. For example, by publishing the following code, I have just proven possession of about 280 BTC in the most certain way possible by anyone who knows what they're doing, short of actually sending them the BTC:
bitcoind verifymessage 1DFPXfDRkJm56w96kKbncNDNxdbtqKMG6t HLAAjif4dfgCBYqMsQEKqeoTlUYzZfIZDsc0KrJjyO1ReVMut9dpaRyVt5gDakKpfDAlTit1PPPRQ4jaEd0K3mQ= "Mike Caldwell"
We as a community are interested in knowing how much BTC they possess in relation to their liabilities to us, and if an auditor had a magically-expert awareness of how BTC works, he'd know to ask for these codes. This code took me less than 2 minutes to produce.
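The batch check casascius describes in his posts above (one signature per address, each checked with `verifymessage`), written from the verifier's side as an added example; it is not code from the thread or from MtGox. The manifest format, the `verify_manifest` function, the `VERIFY_CMD` variable and the challenge string are assumptions of this example; the challenge is chosen by the verifier so that previously published signatures cannot be reused.

```shell
#!/bin/sh
# Added example: verifier-side batch check of signed-message proofs.
# Manifest format (an assumption of this example): one "address signature"
# pair per line; blank lines and lines starting with '#' are ignored.
# VERIFY_CMD defaults to the `bitcoind` front end used in the thread;
# current Bitcoin Core releases expose the same call as
# `bitcoin-cli verifymessage <address> <signature> <message>`.
VERIFY_CMD=${VERIFY_CMD:-bitcoind}

# verify_manifest <manifest-file> <challenge>
# Prints one status line per entry, then a summary "ok=N bad=N dup=N"
# (also left in $SUMMARY). Returns 0 only if at least one entry verified
# and no entry was invalid, malformed or repeated.
verify_manifest() {
    local manifest challenge ok bad dup seen addr sig extra result
    manifest="$1"
    challenge="$2"
    ok=0; bad=0; dup=0
    seen=" "
    while read -r addr sig extra || [ -n "$addr" ]; do
        case "$addr" in
            ''|'#'*) continue ;;
        esac
        # Exactly two fields are expected; anything else counts as a failure.
        if [ -z "$sig" ] || [ -n "$extra" ]; then
            echo "MALFORMED $addr"; bad=$((bad + 1)); continue
        fi
        # Listing one address twice must not make the proof look larger.
        case "$seen" in
            *" $addr "*) echo "DUPLICATE $addr"; dup=$((dup + 1)); continue ;;
        esac
        seen="$seen$addr "
        # verifymessage prints "true" or "false"; an RPC error counts as false.
        result=$("$VERIFY_CMD" verifymessage "$addr" "$sig" "$challenge" 2>/dev/null) || result=false
        if [ "$result" = "true" ]; then
            echo "VALID $addr"; ok=$((ok + 1))
        else
            echo "INVALID $addr"; bad=$((bad + 1))
        fi
    done < "$manifest"
    SUMMARY="ok=$ok bad=$bad dup=$dup"
    echo "$SUMMARY"
    [ "$ok" -gt 0 ] && [ "$bad" -eq 0 ] && [ "$dup" -eq 0 ]
}

# Stand-alone use: sh verify_manifest.sh proofs.txt "challenge text"
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

A valid signature shows control of that address's key at signing time only; the balance of each address still has to be read from the blockchain and the total compared with the liabilities.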

Aseras
July 18, 2012, 11:39:51 PM
I think a more valid response is screw the amount of bitcoins. They are virtual and are essentially worthless. The real problem Gox has is fiat liquidity and that should be perfectly tangible and easily provable.
Gox has little interest in bitcoins. It's merely a moneychanger. The question is where is the money going as it certainly isn't coming out.
It's much more likely behind the scenes Gox is stacking the deck and "buying" coins themselves and driving the price as it would suit them to make it go ever higher and of course then they would be the ones to profit by selectively selling and actually being able to cash out while screwing everyone else over.
It's just like any money laundering scheme. Follow the money.
How about just posting some financials. Anyone can go through Gox history and figure out the float and what has gone in and out and be able to see if anything nefarious has been going on.

casascius
Mike Caldwell
July 19, 2012, 12:02:55 AM
I think a more valid response is screw the amount of bitcoins. They are virtual and are essentially worthless.
If MtGox had a relatively unlimited number of these worthless coins, any fiat shortage wouldn't be a huge problem, as they'd eventually be able to sell their way out of it, possibly sooner rather than later. Deck stacked or not, I believe the market really does demand these virtual coins and that this demand will continue to grow. They are no less virtual than the dollars in your bank account. If by some stretch, MtGox was able to prove that it had its own huge stash of BTC above and beyond customer deposits, I'd worry less about a genuine fiat shortage and would tolerate delays.