Bitcoin Forum
Author Topic: GLBSE 2.0, Is safer now.  (Read 8746 times)
stochastic
April 03, 2012, 05:54:26 AM
 #61





I have to wonder if Nefario shouldn't halt trading on your issues to protect their value while this issue is resolved.

+1

Introducing constraints to the economy only serves to limit what can be economical.
Nefario
April 03, 2012, 06:03:04 AM
 #62

Wow this thread has gotten out of hand since I last looked.

I would advise everyone to lay off Goat and relax, chill, this is being blown into a massive drama and it doesn't need to be, just have a little patience and allow us to work through this.

Firstly, I'm working on implementing two factor authentication for a number of things using GoogleAuth. I'm almost done, just adding the finishing touches. Once done then I'll address this in more detail, Goat showed considerable concern for his account security on me implementing recovery by email(pretty standard IMO), others may also have this concern.

One thing GLBSE has prided itself on is that we haven't been compromised or breached. This is something I am personally paranoid about (it's why I went through all the trouble to build GLBSE1.0, uber secure, I lose sleep worrying over this), and is something I want to continue, an unblemished security record.

Secondly, nothing has happened to Goat's account, I've locked it. I'm not going to be keeping any of the contents of those accounts if as hashking speculates it were not to be unlocked, everything would be returned to the shareholders.

I do believe a lot of this has been the result of miscommunication.

I locked goat's account because there were a considerable number of failed login attempts using his email. I assumed that his email had been compromised, as one of the largest accounts in GLBSE this is a pretty big deal, not something I'm about to let happen.

At the same time I have been wanting to talk to goat about a number of things, verification of his identity (he had asked me about it before, because he has so many assets that are such a high profile, and the breakin attempts), it has also been brought to my attention by a number of forum members of the danger posed by a single person having so many assets of such value, the potential for massive fraud. I also mentioned in the email I sent him about my intentions to introduce a new policy of limiting the number of assets created by any one person to mitigate this risk.

I guess my mistake was putting all these things in the one email, account problems, verification and notification about a policy I'd like to implement. I should have focused on the one thing first and moved on from there. This has caused considerable confusion.

The information for verification that I've asked him is pretty standard (i.e. what I ask other asset issuers), the more they can provide the better. It is not a demand, if he were to provide proof of identity to the extent that I'm satisfied with then great, usually pics of photo ID and a facebook profile(which he has told me he doesn't have) are enough (to check if they're a real person). Keep in mind that he has issued over $10,000USD worth of shares on GLBSE, I think it is prudent that at least someone knows his real life identity, this is your money that I'm trying to protect.

I was put back with goat's response to what I deemed a reasonable request, both in email and PMs, this raised some red flags and prompted me to ask some questions, which hasn't resulted in anything concrete.

The steps to get this resolved are clear and simple:
1) let me finish adding two factor auth
2) goat, provide me with enough proof of identity to verify you are who you say you are, doesn't have to be everything I requested, just enough to prove who you are with the minimum of a pic of your passport.

Nefario

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
stochastic
April 03, 2012, 06:17:30 AM
 #63

I think I will be waiting until GLBSE is out of beta to use it anymore because of this.  I wonder if that person with 7000 TyGrr-Bank bonds is freaking out.  It has dropped 10% today.

Introducing constraints to the economy only serves to limit what can be economical.
Nefario
April 03, 2012, 06:21:49 AM
 #64

I think I will be waiting until GLBSE is out of beta to use it anymore because of this.  I wonder if that person with 7000 TyGrr-Bank bonds is freaking out.  It has dropped 10% today.

Because of the lack of breakins and paranoid security levels?

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
stochastic
April 03, 2012, 06:24:51 AM
 #65

I think I will be waiting until GLBSE is out of beta to use it anymore because of this.  I wonder if that person with 7000 TyGrr-Bank bonds is freaking out.  It has dropped 10% today.

Because of the lack of breakins and paranoid security levels?

I understand freezing someone's account because of a threat of security breach, but that person has contractual obligations to pay bondholders or shareholders.  If those bondholders are not paid they will start to panic.  If you are going to freeze someone's account then you should also freeze any trading of the underlying asset that their account is associated with.

Introducing constraints to the economy only serves to limit what can be economical.
N12
April 03, 2012, 06:48:18 AM
 #66

His information is known...

He shouldn't have suddenly closed your account, I agree. What is the issue with you handing over a bit of info though? You don't have a problem posting a picture of yourself publicly. A verified email, name and address isn't so bad.

What is he going to do with my passport? I do not know his policy. He has not made it public! He has no terms of service!
Looks like ToS to me: https://glbse.com/terms

"We may at our discretion, ask asset creators to provide proof of identity, address, phone number and more, until we are sufficiently satisfied. Said information will be held securely offline and not shared with any third party. We reserve the right to freeze trading of the asset and the asset creators account for failure to provide requested details or in the event of suspected fraud."

"By using GLBSE and any service it provides you agree to these terms and conditions."
stochastic
April 03, 2012, 06:50:15 AM
 #67

His information is known...

He shouldn't have suddenly closed your account, I agree. What is the issue with you handing over a bit of info though? You don't have a problem posting a picture of yourself publicly. A verified email, name and address isn't so bad.

What is he going to do with my passport? I do not know his policy. He has not made it public! He has no terms of service!
Looks like ToS to me: https://glbse.com/terms

"We may at our discretion, ask asset creators to provide proof of identity, address, phone number and more, until we are sufficiently satisfied. Said information will be held securely offline and not shared with any third party. We reserve the right to freeze trading of the asset and the asset creators account for failure to provide requested details or in the event of suspected fraud. "


Seems like half was done.

Introducing constraints to the economy only serves to limit what can be economical.
guruvan
April 03, 2012, 06:50:59 AM
 #68

I think I will be waiting until GLBSE is out of beta to use it anymore because of this.  I wonder if that person with 7000 TyGrr-Bank bonds is freaking out.  It has dropped 10% today.


I will use the GLBSE for any issue that I would purchase directly from the company. There are some coming up that I would not want to miss.

Nefario has responded immediately to the call for additional security, and is working to clean up a situation that has been pre-existing. I do not have significant concern for the safety of my money in the GLBSE. I do not yet have significant funds invested.

I have some positions established at GLBSE that I will not close over this matter. I will only be opening new positions that are with 100% verified issuers. I may close any positions whose issuers are not verified within the next week.
FWIW, since a pic of a passport is so easily faked, this is insufficient.

For future investments, depending on the amount trying to be raised in an offering,  I will likely require that the passport be verified via credit reporting agency or background check service. I expect any costs of that type of verification will be passed onto IPO buyers. For very small offerings, with definite potential profit, I may consider simple verification.

In the near future, if the issue is large enough, I might add independent financial audits to my list of requirements.

In some ways I'm very intrigued by the idea of investing in anonymous organizations, but I really don't think we have methods to adequately protect ourselves in most of these situations. Very small issues could be fun to work this out.

I wonder what it says when one of the safest seeming, most shit together issues on the board is run by a 16yo. Grin

I don't see any issue with using the GLBSE. I don't have any more deep concern about it than I do about any other large or high profile bitcoin service.

FFS, I'm using beta money, why shouldn't I invest it on a beta stock exchange?! Grin

brendio
April 03, 2012, 07:05:22 AM
 #69

I only have three but since Nefario also thinks I created BIB.goat...
Personally, I am baffled that you and Brendio have both failed to provide verification for your identities.  I'm not suggesting that I think you are the same person, just pointing out that I don't know of any good reason for either of you to wish to remain anonymous.  Moreover, someone posted in another thread that you had provided all sorts of proof of identity, so even if it's a PITA, why not jump through the hoops, be done with it, and hopefully have more buyers?  I was actually thinking of asking why you hadn't verified your identity in one of your threads before this whole fiasco started.

Identification was not required in 1.0, at the time BIB.goat was issued. Even now, it is optional. Nefario, could you also add OTC as an option for verification? I know you have allowed this for the MPOE-ETF offering. Also, there does not appear to be any functionality built in to 2.0 to provide verification info for previously issued assets.

The00Dustin, how would you like me to prove I'm not goat? I think proving a negative is a pretty hard thing to do.

Does this help?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hereby state that I have viewed photo ID for goat in the form of a Thailand work permit and a utility bill and do solemnly swear that I am not goat and goat is not me, as said ID and utility bill differs from that of mine, which I have also viewed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

-----END PGP SIGNATURE-----

Sure, maybe I faked my otc ID and the trades I did with my otc account (http://bitcoin-otc.com/viewratingdetail.php?nick=brendio&sign=ANY&type=RECV)

Nefario
April 03, 2012, 07:10:44 AM
 #70

I only have three but since Nefario also thinks I created BIB.goat...
Personally, I am baffled that you and Brendio have both failed to provide verification for your identities.  I'm not suggesting that I think you are the same person, just pointing out that I don't know of any good reason for either of you to wish to remain anonymous.  Moreover, someone posted in another thread that you had provided all sorts of proof of identity, so even if it's a PITA, why not jump through the hoops, be done with it, and hopefully have more buyers?  I was actually thinking of asking why you hadn't verified your identity in one of your threads before this whole fiasco started.

Identification was not required in 1.0, at the time BIB.goat was issued. Even now, it is optional. Nefario, could you also add OTC as an option for verification? I know you have allowed this for the MPOE-ETF offering. Also, there does not appear to be any functionality built in to 2.0 to provide verification info for previously issued assets.

The00Dustin, how would you like me to prove I'm not goat? I think proving a negative is a pretty hard thing to do.

Does this help?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hereby state that I have viewed photo ID for goat in the form of a Thailand work permit and a utility bill and do solemnly swear that I am not goat and goat is not me, as said ID and utility bill differs from that of mine, which I have also viewed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

-----END PGP SIGNATURE-----

Sure, maybe I faked my otc ID and the trades I did with my otc account (http://bitcoin-otc.com/viewratingdetail.php?nick=brendio&sign=ANY&type=RECV)

Yes I'll add OTC in there.

At the moment all ID verification (including the collection of document pics to verify) is done manually. I take people's ID information very seriously, and don't want to keep those docs online. I need a way to automate the collection of the docs, and manage the verification of them, that is secure.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
brendio
April 03, 2012, 07:19:47 AM
 #71

Do you have a public GPG key for encryption of docs?

Nefario
April 03, 2012, 07:21:26 AM
 #72

Do you have a public GPG key for encryption of docs?

Check my sig.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
brendio
April 03, 2012, 07:24:12 AM
 #73

Ah, yes. I have even used it before! Just didn't see it on the GLBSE site, that's all.

Nefario
April 03, 2012, 08:56:08 AM
 #74

Two factor authentication has been added for withdrawals, transfers, and password changes (this will affect the account recovery option).

Implemented using GoogleAuth

Goodnight.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
The00Dustin
April 03, 2012, 09:48:45 AM
 #75

Personally, I am baffled that you and Brendio have both failed to provide verification for your identities.  I'm not suggesting that I think you are the same person, just pointing out that I don't know of any good reason for either of you to wish to remain anonymous.

Identification was not required in 1.0, at the time BIB.goat was issued. Even now, it is optional. Nefario, could you also add OTC as an option for verification? I know you have allowed this for the MPOE-ETF offering. Also, there does not appear to be any functionality built in to 2.0 to provide verification info for previously issued assets.
Just for the record:
I am aware that it is a new feature.
I have added emphasis to the quoted section of my post (which wasn't directed at you) to clear up that I am not providing accusations here.
I have added emphasis to your post to indicate the answer that would have been good enough for me.
Nefario has responded adding OTC, and indicating it is not built-in because he wants to keep identity docs secure, but I would have been comfortable assuming you were waiting for it to be built in based on the beta tag and not expected you to contact nefario just to verify your identity if nothing indicated that being necessary.
mila
April 03, 2012, 10:27:34 AM
Last edit: April 03, 2012, 12:25:49 PM by mila
 #76

Two factor authentication has been added for withdrawals, transfers, and password changes (this will affect the account recovery option).

you have to log in, click on settings and enable it for any (or all) of the supported options
by default it's off

& my 2 million satoshi: any asset issuer could pro-actively seek nefario with a request to verify his identity.
with nefario keeping the submitted docs offline and only indicating their statuses on the asset page it's only between the asset issuer and nefario.

edit: I installed the google authenticator app, enabled 2step authentication in my account and then set up glbse to use it.
and it works like a charm. when enabled, it adds a new entry field on the page and retyping the code is easy. only 6 chars.
should also work over phone once forgotten at home and it would have to be read by somebody else to you. me gusta

your ad here:
molecular
April 03, 2012, 12:12:21 PM
 #77

Nefario,

thanks for making things clear in your long post above.

I'm now confident things will resolve to the good side and both glbse and TyGrr-* will come out of this strengthened.

keep up the great work you do for the community.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
molecular
April 03, 2012, 12:42:42 PM
 #78

Two factor authentication has been added for withdrawals, transfers, and password changes (this will affect the account recovery option).

Implemented using GoogleAuth

I just activated this and tried it.

2 failed attempts, don't know why, then it worked like a charm.

What if I lose my phone?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Nefario
April 03, 2012, 01:06:56 PM
 #79

Two factor authentication has been added for withdrawals, transfers, and password changes (this will affect the account recovery option).

Implemented using GoogleAuth

I just activated this and tried it.

2 failed attempts, don't know why, then it worked like a charm.

What if I lose my phone?

Write down the code then... and don't lose your phone, but just in case you do then write down the code. You can then enter it into another phone.

Also be careful if you have more than one GLBSE account, rename the account in Google Authenticator app before scanning the second code, otherwise it will be overwritten.

It's based on time, so if you get failed attempts it's because the time on your phone and the server are not in sync (or you're making mistakes). The server syncs with time servers and generally is never more than a few milliseconds off.

If you have real trouble try entering the code a little late, a few seconds before it changes.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
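
The time-sync failure described in post #79, as an added example that is not part of the thread and not GLBSE's code: a time-based one-time password check (RFC 6238, the scheme Google Authenticator uses) showing why a phone a few seconds behind the server is rejected by a strict verifier and accepted by one that tolerates one step of drift. The `TotpVerifier` class, its `window` parameter and the replay guard are hypothetical names and design choices; the secret and timestamps are the RFC 6238 test values, not real account data.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid; the Google Authenticator default
SECRET = b"12345678901234567890"  # RFC 6238 test secret (constructed input)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP)


class TotpVerifier:
    """Hypothetical server-side check: drift window plus single-use codes."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # steps of clock drift tolerated either way
        self.last_counter = -1    # highest time step already accepted

    def verify(self, code: str, server_time: int):
        """Return the matched step offset (-1 = phone one step behind) or None."""
        now = server_time // STEP
        for offset in range(-self.window, self.window + 1):
            counter = now + offset
            if counter <= self.last_counter:
                continue          # never accept a step at or before a used one
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return offset
        return None


def demo():
    # Phone clock is 2 s behind the server and still in the previous 30 s step.
    phone_code = totp(SECRET, 1111111109)
    strict = TotpVerifier(SECRET, window=0).verify(phone_code, 1111111111)
    tolerant = TotpVerifier(SECRET, window=1)
    first = tolerant.verify(phone_code, 1111111111)
    replay = tolerant.verify(phone_code, 1111111111)  # same code submitted again
    return phone_code, strict, first, replay


if __name__ == "__main__":
    print(demo())
```

A wider window forgives more clock drift but lengthens the time an observed code stays usable, which is why the verifier also refuses any time step it has already accepted.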
likuidxd
April 03, 2012, 01:08:19 PM
 #80

I understand freezing someone's account because of a threat of security breach, but that person has contractual obligations to pay bondholders or shareholders.  If those bondholders are not paid they will start to panic.  If you are going to freeze someone's account then you should also freeze any trading of the underlying asset that their account is associated with.

No one would have known the difference if this were handled differently...
