Bitcoin Forum
March 29, 2024, 12:07:56 PM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  

Warning: Moderators do not remove likely scams. You must use your own brain: caveat emptor. Watch out for Ponzi schemes. Do not invest more than you can afford to lose.

Pages: « 1 2 3 4 5 6 [7] 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
  Print  
Author Topic: [GLBSE] BDT - 3% weekly interest bond, backed by Bitdaytrade  (Read 57794 times)
bitdaytrade
Sr. Member
****
Offline Offline

Activity: 287
Merit: 250


View Profile
August 16, 2012, 06:13:28 PM
 #121

Calm down guys. I'll be posting a detailed reply in a couple hours. I'm currently outside home.
1711714076
Hero Member
*
Offline Offline

Posts: 1711714076

View Profile Personal Message (Offline)

Ignore
1711714076
Reply with quote  #2

1711714076
Report to moderator
Make sure you back up your wallet regularly! Unlike a bank account, nobody can help you if you lose access to your BTC.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1711714076
Hero Member
*
Offline Offline

Posts: 1711714076

View Profile Personal Message (Offline)

Ignore
1711714076
Reply with quote  #2

1711714076
Report to moderator
1711714076
Hero Member
*
Offline Offline

Posts: 1711714076

View Profile Personal Message (Offline)

Ignore
1711714076
Reply with quote  #2

1711714076
Report to moderator
1711714076
Hero Member
*
Offline Offline

Posts: 1711714076

View Profile Personal Message (Offline)

Ignore
1711714076
Reply with quote  #2

1711714076
Report to moderator
Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
August 16, 2012, 06:14:07 PM
 #122

Alberto lied about the security on the site, when asked about how passwords were stored he said bcrypt, something like a few minutes later someone had managed to gain access to all email addresses and passwords, they were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.



You are correct about him not mentioning bcrypt at least in the reddit thread.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1344


aka tonikt


View Profile WWW
August 16, 2012, 06:18:46 PM
 #123

As soon as password hashes are compromised - I assume the site hacked.
For me if doesn't matter if they were made with md5, sha666, bcrypt or just stored in plain text - in any case it is completely unacceptable to let the user database to be leaked out.

So I don't care about the actual hashing method, since I learned long ago to use different passwords for different sites.
This way when one site gets hacked I don't care what hashing method they used - I only care if they have managed to protect my money from being stolen. Tongue

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
August 16, 2012, 06:23:07 PM
 #124

As soon as password hashes are compromised - I assume the site hacked.
For me if doesn't matter if they were made with md5, sha666, bcrypt or just stored in plain text - in any case it is completely unacceptable to let the user database to be leaked out.

So I don't care about the hashing method, since I learned long ago to use a different password of different sites.

Not exactly true, bcrypt hased passwords with sufficient rounds makes it a lot harder to crack. They'll have your email alright but getting the password will likely take months possibly years, of course this depends on the password difficulty.


TLDR bcrypt FTW.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1344


aka tonikt


View Profile WWW
August 16, 2012, 06:27:25 PM
 #125

As soon as password hashes are compromised - I assume the site hacked.
For me if doesn't matter if they were made with md5, sha666, bcrypt or just stored in plain text - in any case it is completely unacceptable to let the user database to be leaked out.

So I don't care about the hashing method, since I learned long ago to use a different password of different sites.

Not exactly true, bcrypt hased passwords with sufficient rounds makes it a lot harder to crack. They'll have your email alright but getting the password will likely take months possibly years, of course this depends on the password difficulty.
TLDR bcrypt FTW.
That is true, but I don't use the same passwords on other sites, so I don't care if it gets decrypted or not, after the hack.
If someone was able to dump the database on a site (using SQL injection I'd guess), in 99% cases he is as well be able to modify it - which allows him to log into my account anyway, without decrypting my password.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
August 16, 2012, 06:29:07 PM
 #126

As soon as password hashes are compromised - I assume the site hacked.
For me if doesn't matter if they were made with md5, sha666, bcrypt or just stored in plain text - in any case it is completely unacceptable to let the user database to be leaked out.

So I don't care about the hashing method, since I learned long ago to use a different password of different sites.

Not exactly true, bcrypt hased passwords with sufficient rounds makes it a lot harder to crack. They'll have your email alright but getting the password will likely take months possibly years, of course this depends on the password difficulty.
TLDR bcrypt FTW.
That is true, but I don't use the same passwords on other sites, so I don't care if it gets decrypted or not, after the hack.
If someone was able to dump the database on a site (using SQL injection I'd guess), in 99% cases he would as well be able to modify it, which would allow him to log into my account anyway - whether he managed to decrypt the original password, or not.

Sure, but just saying bcrypt helps... a little.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1344


aka tonikt


View Profile WWW
August 16, 2012, 06:35:09 PM
 #127

As soon as password hashes are compromised - I assume the site hacked.
For me if doesn't matter if they were made with md5, sha666, bcrypt or just stored in plain text - in any case it is completely unacceptable to let the user database to be leaked out.

So I don't care about the hashing method, since I learned long ago to use a different password of different sites.

Not exactly true, bcrypt hased passwords with sufficient rounds makes it a lot harder to crack. They'll have your email alright but getting the password will likely take months possibly years, of course this depends on the password difficulty.
TLDR bcrypt FTW.
That is true, but I don't use the same passwords on other sites, so I don't care if it gets decrypted or not, after the hack.
If someone was able to dump the database on a site (using SQL injection I'd guess), in 99% cases he would as well be able to modify it, which would allow him to log into my account anyway - whether he managed to decrypt the original password, or not.

Sure, but just saying bcrypt helps... a little.
It does help a little indeed, but making the withdrawals manual helps much more as when it comes to the actual security.
Though, I would still be concerned about how they handle the hedging, because it'd be quite risky to do it manually... and even more risky to do it automatically with so many issues reported by now.

I also agree and fully support your approach of shutting the site down each time there is even any suspicion of a malfunction - which obviously didn't happen today, even though one guy has managed to multiply 0.1 BTC into millions... Smiley

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
bitdaytrade
Sr. Member
****
Offline Offline

Activity: 287
Merit: 250


View Profile
August 17, 2012, 12:16:50 AM
Last edit: August 17, 2012, 02:54:40 AM by theymos
 #128

My name is Alberto Armandi, i was born in Italy, 19/09/1983. I'm an internet entrepreneur who got caught in the Bitcoin phenomena about one and a half year ago.
Before Bitcoin, i have tried to launch several startups on my own, Wozad being one, a system for targeting digital ads based on your browsing history. It was doing well until Google Inc decided
to include the same type of targeting into their pervasive Adsense. The next effort was an hardware startup, Enso Limited, with which i've launched the highly controversial Zenpad. An early 5 inches
tablet powered by Android operating system. Enso managed to fail too, because of lack of funding but my failed endeavours did not leave a trail of destruction behind as i had and still have the determination to face any kind of trouble.
This is s short background, for those who missed it earlier, it can be easily found on the Official Bitcoin forum, in the Securities/BDT thread.
Now, fast forward to around April/May 2012 : I happened to get in touch with Jonathan Ryan Owens, who since the start of our relationship pictured himself as a sort of "Mr. Big" in the Bitcoin world and
shown to be able to use language fluenty, and to be able to convince anybody that he's actually skilled and a serious business man.
Since i did not have a real clue of who's who in this crazy, messed up community (do no take this as an insult, i'm referring to people who don't have exitation in runing other people lifes) i believed him,
and his claims of big success and profits and have developed trust on him and the group of people he was working with, again, i'm not trying to involve other people in this debacle, let's focus on Mr. Jonathan Ryan Owens.
We chatted extensively for a while and one day he came up with the ZipConf idea, inspired by some of my inputs and brainstorming. He started working on that and soon enough a site was online with that name.
Site's scope was allowing instant bitcoin transfers, without waiting confirmation from the network, as in classical bitcoin transactions. Business proposition seemed nice initially and Mr. JRO worked out
a lot of words to convince me and others it was so. He went ahead and held an IPO for this, as he said he needed lots of coins to make this happen. I was so convinced of the genuinity of this operation
that i have put Mr.JRO in touch with a guy i happened to know earlier, which is an important internet business man and investor. I valued highly my relationship with this guy, as he was funding my operations
and showing a lot of trust in me. I was hesitant, but finally made that mistake, i've procured about 2000 bitcoin in funds for the ZipConf endeavour, funded by this guy, which will go unnamed for privacy reasons.
Mr. JRO managed to put in place a written contract between him and this guy, the deal was that Mr.Jro would pay some interest over the 2000 bitcoin loan. I have later learned that this contract was never
signed and everything remained in the form of a legal agreement, bringing in even more liabilites for me, since i was the one to introduce the investor to JRO.
Everything seemed to be taking a great turn and I have then let Mr.JRO join the project i was working on, a custom Bitcoinica clone, coded entirely by me. It was intended to launch under the domain name btcxchange.net, which i own since July 2011, at that time Mr. JRO
said the brand name wasn't going places, and we agreed to call it Kronos.io. I went ahead, completed the coding work and deployed the site onto Mr. JRO controlled servers. The user interface i had
deployed was exactely the same i have in place at bitdaytrade, but Mr. JRO wanted a new design, so he hired someone to work out another skin, that took a couple of days. Please note that Mr.JRO managed
some very talented developers at that time, those who worked on ZipConf, but he never delegated them to have a check on Kronos.io source code, i've only later realized how much this is in contrast
with his claims of operating with high security standards and didn't link it directly to any malice backed act.
Almost At the same time, i was working on an unrelated project  Bitcoinrebate. After having shown Mr. JRO business plans and financial projections for said business, we decided to hold an IPO for it, to gather additional funds to be used on both rebate and Kronos.io.
At that time i demanded a payment for all the time and efforts i was putting in our projects and i was sent about 1000 bitcoin by Mr. JRO, claiming they were coming from a "trusted big lender".
I wasn't aware of how glbse worked at that time, nor i had realized the impact it might have had on my reputation, if things didn't go the way I expected. I have later learned that Bitcoinrebate IPO
was able to raise about 5000 bitcoin. I was never informed about this, not even a word.Mr JRO monopolized it all so i don't have a clue of where those coins (minus the 1000 i have received) ended up.
After Bitcoinrebate IPO i was instructed by JRO ( who always acted like a dictator and a boss ) to complete the work for Kronos ( implementing the new skin ) and prepare it for launch.
I have executed my duties and the site was launched. About one week later, Mr. JRO came up that he didn't need the coins initially funded by the unnamed investor and asked to return them back, to avoid
paying useless interests. Stupidly enough, i told him to just send him back in a mtgox account i was sharing with the investor, for different kind of operations, without asking him confirmation first.
I thought it was safe to do so and really didn't have a clue of what would be going to happen shortly.
I have made another mistake in this context, i have used this mtgox account for testing the Kronos.io hedging bot without asking direct confirmation from the investor, just assuming he would be ok with it
since my agreement with the investor was about generating profits from the coins he lend to me. I was managing money for this guy for a while and so i thought it was ok doing so.
The mtgox account passwords were know only to me and the investor, but Kronos.io had an automatic withdrawal feature, so the mtgox account was configured to allow bitcoin withdrawals via API.
Some days passed and apparently everything was going well, but one morning i woke up to find the mtgox account emptied and Kronos.io hacked.
I freaked out for a while then went ahead trying to track down what happened. It turned out that someone with knowledge of how the site worked internally (someone who was in possession of the source code)
had exploited it, exactely like it happened today with Bitdaytrade, but unfortunately, the mtgox account was emptied too, because of the automatic withdrawal feature.
I still have full logs of what happened then, with IP addresses and bitcoin addresses that received the loot.
Mr.JRO reaction to this was controversial, first he disappeared for days, claiming he was in a confused mental state, and dutied other people to deal with me. I was obviously trying to get in touch with him
like crazy, i couldn't get a hold of him on the phone at that time and i've tried for weeks. Then after some weeks he re-appeared online and blamed me harshly of incompentence and stupidity. Just like
it's happening now with Bitdaytrade, he deemed Kronos.io project dead, and gave me advice to work on different things and forget about Bitcoin.
Obviously i felt deeply ripped off, i had the investor who lost thousands of coins out of this big mess asking me what was my plan to recover the loss and going forward, with our relationship completely
destroyed on a trust level, and on the other hand i had Mr.JRO blaming me in a unmeaningful way about stupidity, incompetence, and such.I had determined at that time that my only choice was going forward with
the project, alone, i had high hopes that i would be able to repay the cumulated debt with profits i would be making from it. I then decided on another brand name, Bitdaytrade, asked support from some trusted
community members for holding an IPO to raise the necessary funds for its operations and went ahead modifying
the source code to allow Gold trading, finally launched a beta with this limited service, to avoid thousands of users flocking in, and keeping the risk level at a minimum while i ironed out all the kinks left.
Sometime passed, some users reported bugs and other problems, i had worked hard to fix all the issues and get the service to an acceptable level for the community. A lot of hack attempts where attempted
but the site did not suffer any major breach, and it was deemed safe by me.
I had initially implemented the blowfish/bcrypt algorithm for storing passwords safely but because of some recent technical problems i had to swith back temporarely to MD5. I had setup the site in way so that
when a user logged in, his password would be recovered and stored in MD5, you could have seen that by looking at the javascript files used in the login page.
Bitdaytrade IPO was held and necessary funds raised, for doing this i had to leverage the trust of other community Members, which Mr.JRO tried to block from putting trust in me, banking on the Kronos hack
story, and telling them all that i was obviously a thief. He didn't succeed as all of you noticed and Bitdaytrade started operating, i've first allowed BTC/USD margin trading feature privately for a week
and then opened it to the public, on Monday 13 of August.
Mr. JRO got in touch with me about a week ago, trying a last approach to block me, he demanded a "rapid prototype of a margin trading site" and in exchange he would not have made the Kronos.io hack public.
He added that i was losing out a great opportunity of working with him on a realworld exchange for virtual currencies and a sort of startup incubator
for bitcoin related projects.I have then understood where the funds from ZipConf, Rebate and Kronos.io ended up and obviously passed on this offer and went ahead with my plans.
What happened today is a reiteration of this blackmailing attempts, but with a more evil and criminal plan.
I strongly believe, and what i wrote in this explainative post gives a clear evidence of, that behind everything that was posted on reddit.com against bitdaytrade there is Mr. Jonathan Ryan Owens.
He used the previously stolen from him Kronos.io source code to orchestrate all of that you witnessed today, and managed apparently to have the community believe his story.
Not even one bitcoin was withdrawn from Bitdaytrade.com under today's attacks, and all funds are safe. Server will be kept offline for further investigation, and gathering of evidences to be presented upon
filing a criminal deposition with all the legal authorities i am/will be able to. Stay tuned for developments.
I'm deeply sorry and i publicly apologize to everyone for the mistakes i made in this mess but it will be sorted out and in a elegant way.

Best Regards
Alberto Armandi
TheSeven
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500


FPGA Mining LLC


View Profile WWW
August 17, 2012, 05:09:18 AM
 #129

No idea what's going on here, but giving that post some kind of structure could actually make it readable.

My tip jar: 13kwqR7B4WcSAJCYJH1eXQcxG5vVUwKAqY
stochastic
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


View Profile
August 17, 2012, 05:15:21 AM
 #130

he is the bitscalper scammer,seems like he is failing again. scam or epic fail, who knows.

If that post does not say to get out, I don't know what will.

People should have take the 0.7/share offer.

Introducing constraints to the economy only serves to limit what can be economical.
ianspain
Donator
Full Member
*
Offline Offline

Activity: 164
Merit: 100



View Profile
August 17, 2012, 08:33:02 AM
 #131

Alberto, how much of the funds raised from GLBSE have been used and when do you think BDT will start making money?

BlockChain Capital
Meni Rosenfeld (OP)
Donator
Legendary
*
Offline Offline

Activity: 2058
Merit: 1054



View Profile WWW
August 17, 2012, 08:51:30 AM
Last edit: August 17, 2012, 09:16:53 AM by Meni Rosenfeld
 #132

I have talked some more with Alberto. The summary is:
1. He says he's not Bitscalper. In particular, while Alberto uses the handle jjfarren in some places, I did not see any evidence that jjfarren on the forum is him.
2. We're figuring out a way to resolve the current situation.
3. Tomorrow he'll be home and he'll reformat his previous announcement and add more detail to it.
4. While I can sympathize with the people wanting to panic sell, it's their decision to make and they're ultimately responsible for it if it turns out being unwise.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
August 17, 2012, 08:54:22 AM
 #133

4. While I can sympathize with the people wanting to panic sell, it's their decision to make and they're ultimately responsible for it if it turns out being unwise.

This

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Bjork
Sr. Member
****
Offline Offline

Activity: 457
Merit: 250


Look for the bear necessities!!


View Profile
August 17, 2012, 09:35:35 AM
 #134

long quote

Best Regards
Alberto Armandi

I, for one, believe Albert.  If he wanted to run off with the coins he would have already done it.  I see no reason to believe that the bonds are not safe.  I do have a small number of bonds and do not plan on selling.


he is the bitscalper scammer,seems like he is failing again. scam or epic fail, who knows.

This seems uncalled for.

memvola
Hero Member
*****
Offline Offline

Activity: 938
Merit: 1002


View Profile
August 17, 2012, 10:07:19 AM
 #135

It does help a little indeed, but making the withdrawals manual helps much more as when it comes to the actual security.

It should be obvious by now that keeping a wallet on the server is unwise, but that can be remedied by polling the transactions externally, which doesn't equate to manual withdrawals, which may or may not be prone to mistakes. Judging by how well manual withdrawals worked at bitcoinrebate, I wouldn't say it's "much more helpful" (getting paid twice, being able to withdraw more than what you have, order disappearing without getting paid, etc.). A well programmed sanity check is always better (yeah even better if both combined), though I guess that's an unrealistic thing to say in this situation.

Otherwise, I agree that it's absolutely the only thing that saved BDT.

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned I'm not a security expert so I can't assess how plausible this is.

I say it's plausible (i.e. I believe he might have done something like that), but beyond ridiculous at the same time. You just don't do such things on any project, especially where you handle people's data and money. It can't be the "best of your effort" if you are removing a vital security feature because of an "implementation issue", so I still consider it dishonesty (if you don't like the word lying), besides being incompetent.

I had initially implemented the blowfish/bcrypt algorithm for storing passwords safely but because of some recent technical problems i had to swith back temporarely to MD5. I had setup the site in way so that
when a user logged in, his password would be recovered and stored in MD5, you could have seen that by looking at the javascript files used in the login page.

I can't access the js right now, but judging by the other comments, the password was MD5 hashed on the browser and sent to be stored as MD5 on the server. So, if I am able to access a hashed password from your database, I will directly be able to use it to log in, without even having to crack it? How nice of you. (Though it's also claimed that a password isn't even needed to log in to any account, using a bug in your implementation for Google Authenticator.)

EDIT: Judging by what Meni and Alberto said, if they are true, Alberto probably just disabled bcrypt altogether. While this is inexplicable, I'd agree that hashing on the client side, combined with bcrypt on the storage side, is not a bad idea.
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1344


aka tonikt


View Profile WWW
August 17, 2012, 05:27:22 PM
Last edit: August 18, 2012, 07:23:05 AM by piotr_n
 #136

he is the bitscalper scammer,seems like he is failing again. scam or epic fail, who knows.
For the record: there were couple of posts referring to this statement, but they got removed by theymos, after the author of the quoted post reported to the admin that my reply to it was "off-topic".

Though, after my further request, theymos moved the deleted content to the relevant topic.


Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
pyramining
Hero Member
*****
Offline Offline

Activity: 501
Merit: 500


View Profile
August 18, 2012, 12:17:56 AM
 #137

Uhmm.. no dividends today?
Bjork
Sr. Member
****
Offline Offline

Activity: 457
Merit: 250


Look for the bear necessities!!


View Profile
August 18, 2012, 12:28:29 AM
 #138

Uhmm.. no dividends today?

There is a clause in the contract allowing for late payments (with compensation) of up to 2 weeks.  I would not worry.

Bitcoin Oz
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Wat


View Profile WWW
August 18, 2012, 12:32:36 AM
 #139

With Bitscalper I was never sure or not if it was a scam or just fail security. It is starting to look like this as well.

However I would like to know why this guy has bitscalpers source code. Only MinningBudy and myself other than bitscalper got it.

Some more clarification would be great.

Sometimes its hard to tell the difference between a scam and incompetence. Thats why a lot of scammers pretend the money was lost because of incompetence (ie I was hacked )

pyramining
Hero Member
*****
Offline Offline

Activity: 501
Merit: 500


View Profile
August 18, 2012, 12:39:18 AM
 #140

There is a clause in the contract allowing for late payments (with compensation) of up to 2 weeks.  I would not worry.

I am not too much worried (indeed I am not selling bonds), but since there is a bit of mess in the air, it would be nice to have more communication. If there will be a delay it's not a problem, but does it cost too much publish somewhere a warning, like "this week there will be a delay..." ?
Pages: « 1 2 3 4 5 6 [7] 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!