Bitcoin Forum
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
Author Topic: [GLBSE] BDT - 3% weekly interest bond, backed by Bitdaytrade  (Read 57794 times)
TehZomB
Sr. Member
Activity: 294
Merit: 250
August 16, 2012, 11:27:11 AM
#101

http://www.reddit.com/r/Bitcoin/comments/ybaut/do_not_invest_in_bitdaytrade_this_website_is/
Meni Rosenfeld (OP)
Donator
Legendary
Activity: 2058
Merit: 1054
August 16, 2012, 11:29:48 AM
Last edit: August 16, 2012, 04:38:52 PM by Meni Rosenfeld
#102

Even scammers avoid SQL injections these days, and unsalted md5 passwords? Don't know if legit. Isn't Meni into cryptography? Better double-check this, it sounds like an over-the-top story.
I know more cryptography than the average guy but as far as mathematics go I don't consider it one of my stronger fields. Anyway theoretical crypto has very little to do with website security, about which I know very little, and I have no involvement with Bitdaytrade's code or its parts dealing with security. I doubt Bitdaytrade uses unsalted MD5 passwords though (edit: If it does then Alberto really has some explaining to do).

I did advise to Alberto to take security very seriously and to avoid rapid growth until the platform has had a chance to be properly tested. The platform is still in beta and until some more time has passed for issues to pop up and be fixed and an audit has been made by external security experts (which IMO is on a timescale of months), it is unwise to put large amounts of money in it. In any case the vast majority of the money is stored offline and withdrawals are (edit: currently) inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm also advising Alberto not to offer interest rates for deposits (only for positions). Though they make functional sense, they might mislead people into thinking that a fledgling margin trading platform is the proper place to put one's life savings like in the Bitcoinica stories we've heard. People should only put in as much as they need for the desired position.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
memvola
Hero Member
Activity: 938
Merit: 1002
August 16, 2012, 11:30:42 AM
#103

Even scammers avoid SQL injections these days, and unsalted md5 passwords? Don't know if legit. Isn't Meni into cryptography?

It's confirmed legit. I don't think BDT is a scam, just like REBATE wasn't a scam. It's the same story all over again though.

I doubt Bitdaytrade uses unsalted MD5 passwords though.

Apparently it does.
cytokine
Donator
Full Member
Activity: 224
Merit: 100
August 16, 2012, 02:07:56 PM
Last edit: August 16, 2012, 04:39:48 PM by cytokine
#104

I talked with Alberto about many things and I am confident he is committed to making bitdaytrade work, and even if it fails, to pay back every last satoshi of debt, bringing to the table his personal assets if necessary (of which he has enough to cover his obligations). He is also committed not to have the kind of security negligence we have seen in Bitcoinica.

In any case the vast majority of the money is stored offline and withdrawals are inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm holding you to these statements.

He clearly lied about passwords being stored with bcrypt.

...almost every major JSON api function has an SQL injection.

Is this accurate? Even if so, there is still plenty of time to fix all of this. Clearly a lot of work has been put into the site thus far, but perhaps it needs more time spent hardening it. It's pretty quick and simple to fix the SQL injection problem: just use parameterized queries. It shouldn't take more than a couple days to modify all your SQL statements to eliminate all injection potential. And upgrading the password to bcrypt is easy too.

As an investor, I would like more details on two core issues:
(1) What steps will be taken to harden the code? I have already outlined the first two obvious ones here; they're pretty easy and quick to implement.
(2) Have any funds actually been stolen from the site to date, or is this just FUD?

Thanks!
labestiol
Sr. Member
Activity: 434
Merit: 251
August 16, 2012, 02:16:34 PM
#105

(2) Have any funds actually been stolen from the site to date, or is this just FUD?

Since all withdrawals are processed manually, the answer should be no.
Another question would be: does the spike in MtGox trades today have any relation to Bitdaytrade? If so, did Bitdaytrade suffer some losses?

1BestioLC7YBVh8Q5LfH6RYURD6MrpP8y6
Meni Rosenfeld (OP)
Donator
Legendary
Activity: 2058
Merit: 1054
August 16, 2012, 02:30:31 PM
#106

I talked with Alberto about many things and I am confident he is committed to making bitdaytrade work, and even if it fails, to pay back every last satoshi of debt, bringing to the table his personal assets if necessary (of which he has enough to cover his obligations). He is also committed not to have the kind of security negligence we have seen in Bitcoinica.

In any case the vast majority of the money is stored offline and withdrawals are inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm holding you to these statements.
I understand this and I'm doing my best to make sure bondholders get what they were promised. But I also wanted to make clear (and perhaps I wasn't clear enough in the OP) what my level of involvement with Bitdaytrade is. I haven't touched any of the IPO funds or Bitdaytrade deposit funds. I don't audit the code or do pentesting. I spend a lot of time chatting with Alberto and what I report is to a large extent the information I get from him, and I don't believe he is lying to my face. If it somehow turns out I was wrong there is only a limited degree to which I can be held accountable.

If someone believes that I did not accurately represent the situation and that this adversely affected his decision to invest, let me know and we'll see if something can be worked out.

I will discuss with Alberto in more detail the recent security accusations.

unclescrooge
aka Raphy
Hero Member
Activity: 868
Merit: 1000
August 16, 2012, 02:33:11 PM
#107

An independent security audit would be nice.
exahash
Sr. Member
Activity: 278
Merit: 250
August 16, 2012, 03:47:23 PM
#108

I talked with Alberto about many things and I am confident he is committed to making bitdaytrade work, and even if it fails, to pay back every last satoshi of debt, bringing to the table his personal assets if necessary (of which he has enough to cover his obligations). He is also committed not to have the kind of security negligence we have seen in Bitcoinica.

In any case the vast majority of the money is stored offline and withdrawals are inspected manually, so even if something happens it should still be in a level which Alberto can absorb without affecting customers.

I'm holding you to these statements.
I understand this and I'm doing my best to make sure bondholders get what they were promised. But I also wanted to make clear (and perhaps I wasn't clear enough in the OP) what my level of involvement with Bitdaytrade is. I haven't touched any of the IPO funds or Bitdaytrade deposit funds. I don't audit the code or do pentesting. I spend a lot of time chatting with Alberto and what I report is to a large extent the information I get from him, and I don't believe he is lying to my face. If it somehow turns out I was wrong there is only a limited degree to which I can be held accountable.

If someone believes that I did not accurately represent the situation and that this adversely affected his decision to invest, let me know and we'll see if something can be worked out.

I will discuss with Alberto in more detail the recent security accusations.

In short, Meni, you are the spokesperson for BitDayTrade.  Not an owner, not a manager, nothing more.  Correct?

Meni Rosenfeld (OP)
Donator
Legendary
Activity: 2058
Merit: 1054
August 16, 2012, 04:27:32 PM
#109

I talked with Alberto. He may choose to make his own statement but the bottom line is that contrary to claims, no funds have been stolen from Bitdaytrade; whatever security deficiencies exist, they will be sorted out; and that bondholders shouldn't panic, he is still committed to fulfilling the contract and I will still assist him in doing so.

In short, Meni, you are the spokesperson for BitDayTrade.  Not an owner, not a manager, nothing more.  Correct?
I am:
1. A spokesperson, consultant and facilitator for everything related to the BDT bonds. I'm not the issuer on GLBSE though and I don't touch the funds.
2. A consultant for anything Alberto wishes to consult with me. In this capacity I may sometimes choose to speak about Bitdaytrade on the forum, but I am not an official spokesperson.
3. A creditor, I have some BDT bonds and I have a separate loan to Alberto.
4. A person who has given a vote of confidence for Alberto.
5. A user, as should be pretty clear I have an interest in BTC margin trading. Right now I'm mostly testing, as said the platform isn't mature enough to use it with large amounts, and I have some better ways to control my position. But going forward my usage could increase.

I do not have equity, ownership or any other rights or control of Bitdaytrade, I'm not an employee, I don't write or review its code (except perhaps looking at tiny snippets), I do not handle its finances directly, or any other thing I could think of. I don't make any decisions, though in some cases my advice is firm enough that it may as well have been my own decision to make. I haven't even met Alberto for that matter, but that will hopefully change soon.

piotr_n
aka tonikt
Legendary
Activity: 2053
Merit: 1354
August 16, 2012, 04:33:22 PM
#110

@Meni, can you say if today's alleged bot malfunction at MtGox had anything to do with BitDayTrade?

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Meni Rosenfeld (OP)
Donator
Legendary
Activity: 2058
Merit: 1054
August 16, 2012, 04:46:07 PM
#111

@Meni, can you say if today's alleged bot malfunction at MtGox had anything to do with BitDayTrade?
Alberto says there is no relation.

cytokine
Donator
Full Member
Activity: 224
Merit: 100
August 16, 2012, 04:53:44 PM
Last edit: August 16, 2012, 05:12:19 PM by cytokine
#112

I talked with Alberto. He may choose to make his own statement but the bottom line is that contrary to claims, no funds have been stolen from Bitdaytrade; whatever security deficiencies exist, they will be sorted out; and that bondholders shouldn't panic, he is still committed to fulfilling the contract and I will still assist him in doing so.

Excellent news! Thanks for the prompt reply.

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

In any event, the security issues with BDT don't sound hard to fix. It's stated as in-beta anyway so bugs and issues are to be expected at this point, and upgrading password storage and fixing the injection attacks shouldn't take long at all. The key I think is just not to have too much BTC at risk until sufficient time and code hardening have occurred. There is certainly demand for this site due to the immense vacuum left by Bitcoinica so I'm still in strongly.
eb3full
VIP
Full Member
Activity: 198
Merit: 101
August 16, 2012, 05:18:58 PM
#113

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

Did you read both of those threads extensively? "Alberto" ignored the fact that there were security issues being identified. When people confronted him he said there was no issue, and when people confronted him again with proof of exploits, he fixed individual exploits and pretended like the reports were wrong. He also was not using bcrypt as he claimed.

I know you have some financial interest in this being FUD, but facts are not on your side.

"With four parameters I can fit an elephant, and with five I can make him wiggle his trunk." John von Neumann
buy me beer: 1HG9cBBYME4HUVhfAqQvW9Vqwh3PLioHcU
Nefario
Hero Member
Activity: 602
Merit: 512
GLBSE Support support@glbse.com
August 16, 2012, 05:25:47 PM
#114

I talked with Alberto. He may choose to make his own statement but the bottom line is that contrary to claims, no funds have been stolen from Bitdaytrade; whatever security deficiencies exist, they will be sorted out; and that bondholders shouldn't panic, he is still committed to fulfilling the contract and I will still assist him in doing so.

Excellent news! Thanks for the prompt reply.

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

In any event, the security issues with BDT don't sound hard to fix. It's stated as in-beta anyway so bugs and issues are to be expected at this point, and upgrading password storage and fixing the injection attacks shouldn't take long at all. The key I think is just not to have too much BTC at risk until sufficient time and code hardening have occurred. There is certainly demand for this site due to the immense vacuum left by Bitcoinica so I'm still in strongly.

Alberto lied about the security on the site. When asked how passwords were stored he said bcrypt; something like a few minutes later someone had managed to gain access to all email addresses and passwords, which were being stored using MD5 without a salt.

The site is running on Linode (à la the Bitcoinica hack).

He also lied about the site being tested for security holes; this thing is so full of holes it's Swiss cheese, and hasn't been so much as looked at through the arse hole of a pen tester.

Continued: despite these very public discoveries he still assured people that the site was fine. The site itself even says "Improved Security, double factor authentication".

The site is still up AFAIK


If I find a security hole on GLBSE you know what I do? I shut it down and investigate ASAP, after the fix I explain just what it is, I don't lie about it and try to whitewash over it.

More than any other thing a bitcoin website must be secure.


If Alberto has lied about something so... essential what else has he lied about? To Meni, me, others?

What we see here is a total lack of integrity.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
cytokine
Donator
Full Member
Activity: 224
Merit: 100
August 16, 2012, 05:32:50 PM
#115

There is way too much FUD going around (and not just about BDT, but pretty much about all Bitcoin-related investments) and those spreading this FUD should be more responsible IMO.

Did you read both of those threads extensively? "Alberto" ignored the fact that there were security issues being identified. When people confronted him he said there was no issue, and when people confronted him again with proof of exploits, he fixed individual exploits and pretended like the reports were wrong. He also was not using bcrypt as he claimed.

I know you have some financial interest in this being FUD, but facts are not on your side.

I agree, and I don't excuse anything here. My point is merely that the main security holes found are easy things to fix, like two days for the major issues. That's what I expect to be done here: I want a plan of action from Alberto to resolve the situation.
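The two fixes cytokine names in #104 and #115 (parameterized queries instead of string-built SQL, and a salted slow password hash instead of unsalted MD5), shown as an added example that is not from this thread and not Bitdaytrade's code. Everything in it is constructed for the demo: an in-memory SQLite table and three invented users. The thread talks about bcrypt; PBKDF2-HMAC-SHA256 from Python's standard library stands in for it here, on the assumption that any per-user-salted, deliberately slow KDF makes the same point.

```python
"""Constructed demo: defective SQL/password handling beside the hardened form.
Not code from the thread or from Bitdaytrade; all data below is invented."""
import hashlib
import hmac
import os
import sqlite3

# Invented users; bob and carol share a password on purpose, so that the
# difference between an unsalted and a salted hash is visible in the output.
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "hunter2"),
    ("carol", "hunter2"),
]


def make_db():
    """Constructed in-memory table standing in for a trading site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 5), ("bob", 7), ("carol", 11)])
    return conn


# --- SQL: concatenated (defective) vs parameterized (fixed) ------------------
def balance_concat(conn, name):
    """Defective: untrusted input is pasted into the statement text, so a value
    containing a quote changes the structure of the query instead of being
    compared as data."""
    sql = "SELECT name, balance FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def balance_param(conn, name):
    """Fixed: the driver binds the value as a parameter; whatever it contains,
    it is only ever compared against the name column."""
    sql = "SELECT name, balance FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- passwords: unsalted MD5 (defective) vs salted slow KDF (fixed) ----------
def md5_unsalted(password):
    """Defective: fast and deterministic. Equal passwords give equal digests,
    and a leaked table can be checked against precomputed digest lists."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ROUNDS = 100_000  # cost parameter; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Fixed: a random 16-byte salt per user plus a slow KDF. PBKDF2 is used
    as a stand-in for bcrypt (assumption: either serves the point). The stored
    form is 'salthex$dkhex' so the salt travels with the digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def duplicate_digests(hash_fn):
    """How many sample users share a digest with another user under hash_fn.
    Unsalted MD5 exposes that bob and carol use the same password (returns 1);
    the salted hash hides it (returns 0)."""
    digests = [hash_fn(pw) for _, pw in SAMPLE_USERS]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # classic regression input for the concat defect
    print("concat rows:", len(balance_concat(conn, probe)))   # 3: whole table
    print("param rows: ", len(balance_param(conn, probe)))    # 0: no such name
    print("md5 duplicates:   ", duplicate_digests(md5_unsalted))   # 1
    print("salted duplicates:", duplicate_digests(hash_password))  # 0
```

The same probe string is the kind of input a unit test should feed every query helper after the rewrite cytokine proposes: the concatenated version returns the whole table, the parameterized one returns nothing, and the duplicate count shows why an unsalted digest leaks password reuse even before anyone cracks it.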
ianspain
Donator
Full Member
Activity: 164
Merit: 100
August 16, 2012, 05:41:03 PM
#116


If Alberto has lied about something so... essential what else has he lied about? To Meni, me, others?

What we see here is a total lack of integrity.

thanks for the heads up

BlockChain Capital
Meni Rosenfeld (OP)
Donator
Legendary
Activity: 2058
Merit: 1054
August 16, 2012, 05:54:09 PM
#117

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

ianspain
Donator
Full Member
Activity: 164
Merit: 100
August 16, 2012, 06:00:56 PM
#118

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

Meni, the question is: can Alberto fix this crap and keep on paying the bonds?

labestiol
Sr. Member
Activity: 434
Merit: 251
August 16, 2012, 06:01:08 PM
#119

FWIW, I asked the reddit poster for my hash, and I can confirm it's unsalted MD5.

Meni, the question is: can Alberto fix this crap and keep on paying the bonds?

Depends on whether he's lying about Bitdaytrade being involved in the volume peak on MtGox today.
Considering that it happened around the time someone found a way to have a 25M bitcoin balance...

Meni Rosenfeld (OP)
Donator
Legendary
Activity: 2058
Merit: 1054
August 16, 2012, 06:06:05 PM
#120

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

Meni, the question is: can Alberto fix this crap and keep on paying the bonds?
As far as I can tell Alberto can fix the current issues; and even if Bitdaytrade ends up a dead end (merely the bad press from this controversy could harm its growth), he can still fulfill the bond contract.
