Bitcoin Forum
December 05, 2016, 04:55:22 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  

Warning: Moderators do not remove likely scams. You must use your own brain: caveat emptor. Watch out for Ponzi schemes. Do not invest more than you can afford to lose.

Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
  Print  
Author Topic: [GLBSE] BDT - 3% weekly interest bond, backed by Bitdaytrade  (Read 51615 times)
TehZomB
Sr. Member
****
Offline Offline

Activity: 294


WTB NHL Expansion team in Baltimore


View Profile WWW
August 16, 2012, 11:27:11 AM
 #101

http://www.reddit.com/r/Bitcoin/comments/ybaut/do_not_invest_in_bitdaytrade_this_website_is/

1480956922
Hero Member
*
Offline Offline

Posts: 1480956922

View Profile Personal Message (Offline)

Ignore
1480956922
Reply with quote  #2

1480956922
Report to moderator
1480956922
Hero Member
*
Offline Offline

Posts: 1480956922

View Profile Personal Message (Offline)

Ignore
1480956922
Reply with quote  #2

1480956922
Report to moderator
1480956922
Hero Member
*
Offline Offline

Posts: 1480956922

View Profile Personal Message (Offline)

Ignore
1480956922
Reply with quote  #2

1480956922
Report to moderator
"This isn't the kind of software where we can leave so many unresolved bugs that we need a tracker for them." -- Satoshi
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480956922
Hero Member
*
Offline Offline

Posts: 1480956922

View Profile Personal Message (Offline)

Ignore
1480956922
Reply with quote  #2

1480956922
Report to moderator
1480956922
Hero Member
*
Offline Offline

Posts: 1480956922

View Profile Personal Message (Offline)

Ignore
1480956922
Reply with quote  #2

1480956922
Report to moderator
Meni Rosenfeld
Donator
Legendary
*
Offline Offline

Activity: 1890



View Profile WWW
August 16, 2012, 11:29:48 AM
 #102

Even scammers avoid SQL injections these days, and unsalted md5 passwords? Don't know if legit. Isn't Meni into cryptography? Better double-check this, it sounds like an over-the-top story.
I know more cryptography than the average guy but as far as mathematics go I don't consider it one of my stronger fields. Anyway theoretical crypto has very little to do with website security, about which I know very little, and I have no involvement with Bitdaytrade's code or its parts dealing with security. I doubt Bitdaytrade uses unsalted MD5 passwords though (edit: If it does then Alberto really has some explaining to do).

I did advise to Alberto to take security very seriously and to avoid rapid growth until the platform has had a chance to be properly tested. The platform is still in beta and until some more time has passed for issues to pop up and be fixed and an audit has been made by external security experts (which IMO is on a timescale of months), it is unwise to put large amounts of money in it. In any case the vast majority of the money is stored offline and withdrawals are (edit: currently) inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm also advising Alberto not to offer interest rates for deposits (only for positions). Though they make functional sense, they might mislead people into thinking that a fledgling margin trading platform is the proper place to put one's life savings like in the Bitcoinica stories we've heard. People should only put in as much as they need for the desired position.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
memvola
Hero Member
*****
Offline Offline

Activity: 896


View Profile
August 16, 2012, 11:30:42 AM
 #103

Even scammers avoid SQL injections these days, and unsalted md5 passwords? Don't know if legit. Isn't Meni into cryptography?

It's confirmed legit. I don't think BDT is a scam, just like REBATE wasn't a scam. It's the same story all over again though.

I doubt Bitdaytrade uses unsalted MD5 passwords though.

Apparently it does.
cytokine
Donator
Full Member
*
Offline Offline

Activity: 224



View Profile
August 16, 2012, 02:07:56 PM
 #104

I talked with Alberto about many things and I am confident he is committed to making bitdaytrade work, and even if it fails, to pay back every last satoshi of debt, bringing to the table his personal assets if necessary (of which he has enough to cover his obligations). He is also committed not to have the kind of security negligence we have seen in Bitcoinica.

In any case the vast majority of the money is stored offline and withdrawals are inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm holding you to these statements.

He clearly lied about passwords being stored with bcrypt.

...almost every major JSON api function has an SQL injection.

Is this accurate? Even if so, there is still plenty of time to fix all of this. Clearly a lot of work has been put into the site thus far, but perhaps it needs more time spent hardening it. It's pretty quick and simple to fix the SQL injection problem: just use parameterized queries. It shouldn't take more than a couple days to modify all your SQL statements to eliminate all injection potential. And upgrading the password to bcrypt is easy too.

As a investor, I would like more details on two core issues:
(1) What steps will be taken to harden the code? I have already outlined the first two obvious ones here; they're pretty easy and quick to implement.
(2) Have any funds actually been stolen from the site to date, or is this just FUD?

Thanks!
labestiol
Sr. Member
****
Offline Offline

Activity: 434


View Profile
August 16, 2012, 02:16:34 PM
 #105

(2) Have any funds actually been stolen from the site to date, or is this just FUD?

Since all withdraws are process manually, this answer should be no.
Another question would be : Does the spike in mtgox trades today have any relation with bitdaytrade ? If so, did bitdaytrade suffer some losses ?

1BestioLC7YBVh8Q5LfH6RYURD6MrpP8y6
Meni Rosenfeld
Donator
Legendary
*
Offline Offline

Activity: 1890



View Profile WWW
August 16, 2012, 02:30:31 PM
 #106

I talked with Alberto about many things and I am confident he is committed to making bitdaytrade work, and even if it fails, to pay back every last satoshi of debt, bringing to the table his personal assets if necessary (of which he has enough to cover his obligations). He is also committed not to have the kind of security negligence we have seen in Bitcoinica.

In any case the vast majority of the money is stored offline and withdrawals are inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm holding you to these statements.
I understand this and I'm doing my best to make sure bondholders get what they were promised. But I also wanted to make clear (and perhaps I wasn't clear enough in the OP) what my level of involvement with Bitdaytrade is. I haven't touched any of the IPO funds or Bitdaytrade deposit funds. I don't audit the code or do pentesting. I spend a lot of time chatting with Alberto and what I report is to a large extent the information I get from him, and I don't believe he is lying to my face. If it somehow turns out I was wrong there is only a limited degree to which I can be held accountable.

If someone believes that I did not accurately represent the situation and that this adversely affected his decision to invest, let me know and we'll see if something can be worked out.

I will discuss with Alberto in more detail the recent security accusations.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
unclescrooge
aka Raphy
Hero Member
*****
Offline Offline

Activity: 868


View Profile
August 16, 2012, 02:33:11 PM
 #107

An independant security audit would be nice.

exahash
Sr. Member
****
Offline Offline

Activity: 276



View Profile
August 16, 2012, 03:47:23 PM
 #108

I talked with Alberto about many things and I am confident he is committed to making bitdaytrade work, and even if it fails, to pay back every last satoshi of debt, bringing to the table his personal assets if necessary (of which he has enough to cover his obligations). He is also committed not to have the kind of security negligence we have seen in Bitcoinica.

In any case the vast majority of the money is stored offline and withdrawals are inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm holding you to these statements.
I understand this and I'm doing my best to make sure bondholders get what they were promised. But I also wanted to make clear (and perhaps I wasn't clear enough in the OP) what my level of involvement with Bitdaytrade is. I haven't touched any of the IPO funds or Bitdaytrade deposit funds. I don't audit the code or do pentesting. I spend a lot of time chatting with Alberto and what I report is to a large extent the information I get from him, and I don't believe he is lying to my face. If it somehow turns out I was wrong there is only a limited degree to which I can be held accountable.

If someone believes that I did not accurately represent the situation and that this adversely affected his decision to invest, let me know and we'll see if something can be worked out.

I will discuss with Alberto in more detail the recent security accusations.

In short, Meni, you are the spokesperson for BitDayTrade.  Not an owner, not a manager, nothing more.  Correct?

Meni Rosenfeld
Donator
Legendary
*
Offline Offline

Activity: 1890



View Profile WWW
August 16, 2012, 04:27:32 PM
 #109

I talked with Alberto. He may choose to make his own statement but the bottom line is that contrary to claims, no funds have been stolen from Bitdaytrade; whatever security deficiencies exist, they will be sorted out; and that bondholders shouldn't panic, he is still committed to fulfilling the contract and I will still assist him in doing so.

In short, Meni, you are the spokesperson for BitDayTrade.  Not an owner, not a manager, nothing more.  Correct?
I am:
1. A spokesperson, consultant and facilitator for everything related to the BDT bonds. I'm not the issuer on GLBSE though and I don't touch the funds.
2. A consultant for anything Alberto wishes to consult with me. In this capacity I may sometimes choose to speak about Bitdaytrade on the forum, but I am not an official spokesperson.
3. A creditor, I have some BDT bonds and I have a separate loan to Alberto.
4. A person who has given a vote of confidence for Alberto.
5. A user, as should be pretty clear I have an interest in BTC margin trading. Right now I'm mostly testing, as said the platform isn't mature enough to use it with large amounts, and I have some better ways to control my position. But going forward my usage could increase.

I do not have equity, ownership or any other rights or control of Bitdaytrade, I'm not an employee, I don't write or review its code (except perhaps looking at tiny snippets), I do not handle its finances directly, or any other thing I could think of. I don't make any decisions, though in some cases my advice is firm enough that it may as well have been my own decision to make. I haven't even met Alberto for that matter, but that will hopefully change soon.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
piotr_n
Legendary
*
Offline Offline

Activity: 1498


aka tonikt


View Profile WWW
August 16, 2012, 04:33:22 PM
 #110

@Meni, can you say if today's alleged bot malfunction at MtGox had anything to do with BitDayTrade?

Check out gocoin - my original project of a bitcoin client written in Go, with some unique features.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Meni Rosenfeld
Donator
Legendary
*
Offline Offline

Activity: 1890



View Profile WWW
August 16, 2012, 04:46:07 PM
 #111

@Meni, can you say if today's alleged bot malfunction at MtGox had anything to do with BitDayTrade?
Alberto says there is no relation.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
cytokine
Donator
Full Member
*
Offline Offline

Activity: 224



View Profile
August 16, 2012, 04:53:44 PM
 #112

I talked with Alberto. He may choose to make his own statement but the bottom line is that contrary to claims, no funds have been stolen from Bitdaytrade; whatever security deficiencies exist, they will be sorted out; and that bondholders shouldn't panic, he is still committed to fulfilling the contract and I will still assist him in doing so.

Excellent news! Thanks for the prompt reply.

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

In any event, the security issues with BDT don't sound hard to fix. It's stated as in-beta anyway so bugs and issues are to be expected at this point, and upgrading password storage and fixing the injection attacks shouldn't take long at all. The key I think is just not to have too much BTC at risk until sufficient time and code hardening have occurred. There is certainly demand for this site due to the immense vacuum left by Bitcoinica so I'm still in strongly.
eb3full
VIP
Full Member
*
Offline Offline

Activity: 198


View Profile
August 16, 2012, 05:18:58 PM
 #113

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

Did you read both of those threads extensively? "Alberto" ignored the fact that there were security issues being identified. When people confronted him he said there was no issue, and when people confronted him again with proof of exploits, he fixed individual exploits and pretended like the reports were wrong. He also was not using bcrypt as he claimed.

I know you have some financial interest in this being FUD, but facts are not on your side.

"With four parameters I can fit an elephant, and with five I can make him wiggle his trunk." John von Neumann
buy me beer: 1HG9cBBYME4HUVhfAqQvW9Vqwh3PLioHcU
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
August 16, 2012, 05:25:47 PM
 #114

I talked with Alberto. He may choose to make his own statement but the bottom line is that contrary to claims, no funds have been stolen from Bitdaytrade; whatever security deficiencies exist, they will be sorted out; and that bondholders shouldn't panic, he is still committed to fulfilling the contract and I will still assist him in doing so.

Excellent news! Thanks for the prompt reply.

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

In any event, the security issues with BDT don't sound hard to fix. It's stated as in-beta anyway so bugs and issues are to be expected at this point, and upgrading password storage and fixing the injection attacks shouldn't take long at all. The key I think is just not to have too much BTC at risk until sufficient time and code hardening have occurred. There is certainly demand for this site due to the immense vacuum left by Bitcoinica so I'm still in strongly.

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.

The site is running on linode (ala Bitcoinica hack)

He also lied about the site being tested for security holes, this thing is so full of holes it's swiss cheese, and hasn't been so much as looked at through the arse hole of a pen tester.

Continued, despite these very public discoveries he still assured people that the site was fine. The site itself even says "Improved Security, double factor authenication".

The site is still up AFAIK


If I find a security hole on GLBSE you know what I do? I shut it down and investigate ASAP, after the fix I explain just what it is, I don't lie about it and try to whitewash over it.

More than any other thing a bitcoin website must be secure.


If Alberto has lied about something so... essential what else has he lied about? To Meni, me, others?

What we see here is a total lack of integrity.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
cytokine
Donator
Full Member
*
Offline Offline

Activity: 224



View Profile
August 16, 2012, 05:32:50 PM
 #115

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

Did you read both of those threads extensively? "Alberto" ignored the fact that there were security issues being identified. When people confronted him he said there was no issue, and when people confronted him again with proof of exploits, he fixed individual exploits and pretended like the reports were wrong. He also was not using bcrypt as he claimed.

I know you have some financial interest in this being FUD, but facts are not on your side.

I agree, and I don't excuse anything here. My point is merely that the main security holes found are easy things to fix, like two days for the major issues. That's what I expect to be done here: I want a plan of action from Alberto to resolve the situation.
ianspain
Donator
Full Member
*
Offline Offline

Activity: 164



View Profile
August 16, 2012, 05:41:03 PM
 #116


If Alberto has lied about something so... essential what else has he lied about? To Meni, me, others?

What we see here is a total lack of integrity.

thanks for the heads up

BlockChain Capital
Meni Rosenfeld
Donator
Legendary
*
Offline Offline

Activity: 1890



View Profile WWW
August 16, 2012, 05:54:09 PM
 #117

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
ianspain
Donator
Full Member
*
Offline Offline

Activity: 164



View Profile
August 16, 2012, 06:00:56 PM
 #118

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

Meni, the question is can Alberto fix this crap and keep on paying the bonds?Huh?

BlockChain Capital
labestiol
Sr. Member
****
Offline Offline

Activity: 434


View Profile
August 16, 2012, 06:01:08 PM
 #119

FWIW, i asked the reddit poster for my hash, and i can confirm it's unsalted md5.

Meni, the question is can Alberto fix this crap and keep on paying the bonds?Huh?

Depends if he's lying about bitdaytrade being involved in the volume peak on mtgox today.
Considering that it happened around the time someone found a way to have 25M bitcoin balance ...

1BestioLC7YBVh8Q5LfH6RYURD6MrpP8y6
Meni Rosenfeld
Donator
Legendary
*
Offline Offline

Activity: 1890



View Profile WWW
August 16, 2012, 06:06:05 PM
 #120

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

Meni, the question is can Alberto fix this crap and keep on paying the bonds?Huh?
As far as I can tell Alberto can fix the current issues; and even if Bitdaytrade ends up a dead end (merely the bad press from this controversy could harm its growth), he can still fulfill the bond contract.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!