
Topic: [ANN] Mt.Gox overview: January 2012 / Transparency (Read 7042 times)

full member
Activity: 203
Merit: 100
There seems to be at least one newer report, from August: https://mtgox.com/img/pdf/20120831/Transparency_august.pdf
Oh, and even newer data (not in a pdf report though) here: https://bitcointalksearch.org/topic/overview-mtgoxcom-120953
newbie
Activity: 30
Merit: 0
Will there be an update soon?
member
Activity: 112
Merit: 10
 If you're hesitant about publishing absolute figures, consider using simple ratios/KPIs.  I think a simple ratio expressing total btc/customer btc would go a long LONG way to instilling confidence in the community (as casascius has suggested).

I'd also throw out my opinion that expecting MtGox to provide audited figures of any kind more than once a year is unreasonable (at least until they grow s'more)   Grin

Well noted.

member
Activity: 100
Merit: 10
The "messages" part doesn't refer to pushing anything into the blockchain, just, in a nutshell it is a recently added feature to the client that allows them to concretely prove they possess the BTC they have without having to transact with any of it.  The proof comes in the form of a code they can publish.  For example, by publishing the following code, I have just proven possession of about 280 BTC in the most certain way possible by anyone who knows what they're doing, short of actually sending them the BTC:

Code:
bitcoind verifymessage 1DFPXfDRkJm56w96kKbncNDNxdbtqKMG6t HLAAjif4dfgCBYqMsQEKqeoTlUYzZfIZDsc0KrJjyO1ReVMut9dpaRyVt5gDakKpfDAlTit1PPPRQ4jaEd0K3mQ= "Mike Caldwell"


I was not aware of that!  I will have to re-consider my position that BTC balances on financial statements are unauditable.  Heh, maybe I learned something from this thread...  Cheesy

I think a more valid response is screw the amount of bitcoins. They are virtual and are essentially worthless. The real problem Gox has is fiat liquidity and that should be perfectly tangible and easily provable.

Gox has little interest in bitcoins. It's merely a moneychanger. The question is where is the money going as it certainly isn't coming out.

It's much more likely behind the scenes Gox is stacking the deck and "buying" coins themselves and driving the price as it would suit them to make it go ever higher and of course then they would be the ones to profit by selectively selling and actually being able to cash out while screwing everyone else over.

It's just like any money laundering scheme. Follow the money.

How about just posting some financials.  Anyone can go through Gox history and figure out the float and what has gone in and out and be able to see if anything nefarious has been going on.



And as promised we will give these documents verified by third-party auditors, when? I am not sure, but we will.

Kudos to you for making this commitment.  If I may make a suggestion: the stuff of most interest to the community is on your balance sheet and statement of cash flows...do your best to publish info from those documents.  If you're hesitant about publishing absolute figures, consider using simple ratios/KPIs.  I think a simple ratio expressing total btc/customer btc would go a long LONG way to instilling confidence in the community (as casascius has suggested).

I'd also throw out my opinion that expecting MtGox to provide audited figures of any kind more than once a year is unreasonable (at least until they grow s'more)   Grin
member
Activity: 112
Merit: 10
But you made a mistake by making promises you can't/didn't keep: "A update to this document will be done every three months", "we plan to have this document verified by third party auditors for future releases".

I am fully aware of this as I am the person who made this very document. I push the team on a weekly basis here to get the data out of our DB but they are so swamped with other priorities that I could not keep the promise I made when publishing the first document. And for this I am truly sorry. Once again Mark and Mt.Gox are not opposed to this program but the fact is that making Deposit/Withdrawal faster and working on making more Deposit/Withdrawal methods available is for us a priority and I won't argue with that.

And as promised we will give these documents verified by third-party auditors, when? I am not sure, but we will. Let's make sure that we have this 2nd document ready first.

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I think a more valid response is screw the amount of bitcoins. They are virtual and are essentially worthless.

If MtGox had a relatively unlimited number of these worthless coins, any fiat shortage wouldn't be a huge problem, as they'd eventually be able to sell their way out of it, possibly sooner rather than later.  Deck stacked or not, I believe the market really does demand these virtual coins and that this demand will continue to grow.  They are no less virtual than the dollars in your bank account.  If by some stretch, MtGox was able to prove that it had its own huge stash of BTC above and beyond customer deposits, I'd worry less about a genuine fiat shortage and would tolerate delays.
hero member
Activity: 658
Merit: 500
I think a more valid response is screw the amount of bitcoins. They are virtual and are essentially worthless. The real problem Gox has is fiat liquidity and that should be perfectly tangible and easily provable.

Gox has little interest in bitcoins. It's merely a moneychanger. The question is where is the money going as it certainly isn't coming out.

It's much more likely behind the scenes Gox is stacking the deck and "buying" coins themselves and driving the price as it would suit them to make it go ever higher and of course then they would be the ones to profit by selectively selling and actually being able to cash out while screwing everyone else over.

It's just like any money laundering scheme. Follow the money.

How about just posting some financials.  Anyone can go through Gox history and figure out the float and what has gone in and out and be able to see if anything nefarious has been going on.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
@casascius: while I think your idea has some merit, to me it makes more sense to press MtGox for a published audit.  Having them push transactions/messages into the blockchain ain't exactly best practices when it comes to assurance.

I agree and believe they should do both.  The "messages" part doesn't refer to pushing anything into the blockchain, just, in a nutshell it is a recently added feature to the client that allows them to concretely prove they possess the BTC they have without having to transact with any of it.  The proof comes in the form of a code they can publish.  For example, by publishing the following code, I have just proven possession of about 280 BTC in the most certain way possible by anyone who knows what they're doing, short of actually sending them the BTC:

Code:
bitcoind verifymessage 1DFPXfDRkJm56w96kKbncNDNxdbtqKMG6t HLAAjif4dfgCBYqMsQEKqeoTlUYzZfIZDsc0KrJjyO1ReVMut9dpaRyVt5gDakKpfDAlTit1PPPRQ4jaEd0K3mQ= "Mike Caldwell"

We as a community are interested in knowing how much BTC they possess in relation to their liabilities to us, and if an auditor had a magically-expert awareness of how BTC works, he'd know to ask for these codes.  This code took me less than 2 minutes to produce.
member
Activity: 100
Merit: 10
It seems that some people on this forum have a better understanding of the overall Bitcoin economy and problems than others.

Wait...are you saying you might have actually learned something from this thread?   Grin

As I stated many times (under Mt.Gox_Support), we have been the first to come forward and tried to be as transparent as possible, we are not against an audit and such a thing will come at some point, but the truth is that as of today it will be extremely costly, long and difficult to get something done and done PROPERLY! And this is due to the nature of Bitcoin. On top of that we will have to find someone that is capable to understand Bitcoin and "Appreciate" all its challenges.

I couldn't agree more (except for the "transparent as possible" part).  It's clear you are the first to make some data available, and you have been rightly applauded for doing so.  But you made a mistake by making promises you can't/didn't keep: "A update to this document will be done every three months", "we plan to have this document verified by third party auditors for future releases".

Look, I don't know how my knowledge of the overall Bitcoin economy stacks up against yours, but it's pretty clear to me that a couple of big bitcoin scams/hacks/thefts/whatevers happen every *fucking* year.  Each time, there are calls from the wider bitcoin community for more transparency/accountability from bitcoin institutions.  Guess what...you are one.  Not taking the time to update your deck every third month after making a commitment to do so is, well, a big mistake.  Especially given the rather limited and ho-hum nature of the data you published.

You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!

LOL, have you ever heard the saying "if you find yourself in a hole, the first thing to do is stop digging"?
__________________________

@casascius: while I think your idea has some merit, to me it makes more sense to press MtGox for a published audit.  Having them push transactions/messages into the blockchain ain't exactly best practices when it comes to assurance.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
You have no clue on how our system works so I will forgive you for that. First of all we do not use the Bitcoin Client, add to that the fact that these wallets are everywhere (They are spread pretty much everywhere and in a HUGE quantity) you can understand that this will take time and that WE want to make sure that things are safe

I am 100% certain you guys maintain private keys for your bitcoin addresses, otherwise technically you don't have the bitcoins in the first place.

I am 100% certain you could export the keys to a file.  They are just short strings of numbers.

I am 100% certain you could import them into a wallet.dat with a trivial script.

I am 100% certain you could sign messages with them using the reference client after doing so.

I am 100% certain you guys already understand this.

I am 100% certain they are not "spread everywhere" as, for example, none of them are on my lawn.

I am 100% certain that no matter how HUGE the quantity, the quantity is not too big for a for-loop to iterate through them.

I actually have not had a bad day.  It's hard to have a bad day when your stash of coins just took a nice solid leap and you aren't in the midst of trying to fight for possession of them from a bankrupt foreign entity.  I just get a little animated when the #1 Exchange of Bitcoin blatantly misrepresents their ability to accommodate a reasonable request, no differently than a doctor claiming his patient must bleed to death because there, according to him, exists no such thing as stitches.

For what it's worth, the phrase "for Christ's sake" is also considered profane in countries where Christianity is popular.  I thought I might point that out, because you only bolded "fucking" and "crock of shit" when quoting me. Wink
member
Activity: 112
Merit: 10
I would take the word of a trusted few who verified the sigs. That could all be done within an hour.  But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.

I am not sure if you realize what you are asking for, anyway I will try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. Not only is this a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS coins for a certain lapse of time stored on a single wallet, but it will also require a lot of manpower and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities that if something really bad happens ONLY a few coins will be lost.

As you must be aware, it is very easy for everyone to track coins and moving all these coins to a single address will certainly raise some attention.

-- Edit --

And this is the "Secretive" part that I was referring to and nothing else.

*eyes rolling*

Yes, I am pretty sure I understand exactly what I am asking for.

Yes, Mark did explain this to me.  As though he too had never heard there is a feature to sign text messages with an address's key.

I mean use the fucking message signature feature built right into the reference client.  You know, signmessage, verifymessage.  Do it on an offline computer so there is no risk of contact between the internet and the keys.  Write a script to enumerate the keys in the wallet and sign a message with each one, and then transfer the signatures to online computers with a flash drive.  You guys have your own custom bitcoind for Christ's sake, and certainly are qualified to understand how to do this.  Tell us nothing, that's fine, I get it, but don't tell me it's dangerous, that's a complete crock of shit.

I will ignore the bad language for a second and believe that you are a decent person who had a bad day. Hell that can happen to anyone.

You have no clue on how our system works so I will forgive you for that. First of all we do not use the Bitcoin Client, add to that the fact that these wallets are everywhere (They are spread pretty much everywhere and in a HUGE quantity) you can understand that this will take time and that WE want to make sure that things are safe
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I would take the word of a trusted few who verified the sigs. That could all be done within an hour.  But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.

I am not sure if you realize what you are asking for, anyway I will try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. Not only is this a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS coins for a certain lapse of time stored on a single wallet, but it will also require a lot of manpower and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities that if something really bad happens ONLY a few coins will be lost.

As you must be aware, it is very easy for everyone to track coins and moving all these coins to a single address will certainly raise some attention.

-- Edit --

And this is the "Secretive" part that I was referring to and nothing else.

*eyes rolling*

Yes, I am pretty sure I understand exactly what I am asking for.

Yes, Mark did explain this to me.  As though he too had never heard there is a feature to sign text messages with an address's key.

I mean use the message* signature feature built right into the reference client.  You know, signmessage, verifymessage.  Do it on an offline computer so there is no risk of contact between the internet and the keys.  Write a script to enumerate the keys in the wallet and sign a message with each one, and then transfer the signatures to online computers with a flash drive.  You guys have your own custom bitcoind*, and certainly are qualified to understand how to do this.  Tell us nothing, that's fine, I get it, but don't tell me it's dangerous, that's a complete *.


* = I removed the profanity because I don't normally get on here and go into tirades of swearing.  But saying proving possession of BTC is too dangerous is a pretty weak excuse and I am shocked you guys offer it. EDIT2: ahh, nevermind, you all quoted it.
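
The checking side of the batch procedure described above (one message signed with each key offline, signatures carried over on removable media), built on the single `verifymessage` call shown earlier in the thread. This is an added example, not part of any post: the manifest format, `verify_manifest` and `VERIFY_CMD` are assumptions, and only the `bitcoind verifymessage <address> <signature> <message>` form comes from the thread.

```shell
#!/bin/sh
# Auditor-side batch check of signed-message proofs (illustrative, added example).
#
# Manifest format (an assumption for this example): one "address signature"
# pair per line; blank lines and lines starting with '#' are ignored.
#
# The challenge message should be chosen by the auditor and contain something
# the prover could not have known in advance (date, nonce), so signatures made
# earlier over some other text cannot be reused.
#
# VERIFY_CMD defaults to the command form shown in the thread; newer clients
# expose the same RPC as "bitcoin-cli verifymessage".
VERIFY_CMD="${VERIFY_CMD:-bitcoind verifymessage}"

# verify_manifest <manifest-file> <challenge-message>
# Prints "ok=<n> bad=<n> dup=<n>" and succeeds only if at least one proof was
# given, every signature verified, and no address was listed twice.
# The body runs in a subshell so its variables do not leak into the caller.
verify_manifest() (
    manifest=$1
    challenge=$2
    ok=0 bad=0 dup=0
    seen=" "
    while read -r addr sig || [ -n "$addr" ]; do
        [ -z "$addr" ] && continue
        case $addr in \#*) continue ;; esac
        # An address listed twice would inflate the proven total.
        case $seen in
            *" $addr "*) dup=$((dup + 1)); continue ;;
        esac
        seen="$seen$addr "
        # verifymessage prints "true" or "false"; an RPC error (for example a
        # malformed address) counts as a failed proof.
        result=$($VERIFY_CMD "$addr" "$sig" "$challenge" 2>/dev/null </dev/null) || result=error
        if [ "$result" = "true" ]; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1))
            echo "FAILED: $addr" >&2
        fi
    done < "$manifest"
    echo "ok=$ok bad=$bad dup=$dup"
    [ "$ok" -gt 0 ] && [ "$bad" -eq 0 ] && [ "$dup" -eq 0 ]
)

# Usage (file name and challenge text are placeholders):
#   verify_manifest proofs.txt "reserve audit <date> <auditor nonce>"
```

A passing run shows only that the signer controls the listed keys; the balance held at each address still has to be read from the block chain and compared with customer liabilities.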
member
Activity: 112
Merit: 10
I would take the word of a trusted few who verified the sigs. That could all be done within an hour.  But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.

I am not sure if you realize what you are asking for, anyway I will try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. Not only is this a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS coins for a certain lapse of time stored on a single wallet, but it will also require a lot of manpower and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities that if something really bad happens ONLY a few coins will be lost.

As you must be aware, it is very easy for everyone to track coins and moving all these coins to a single address will certainly raise some attention.

-- Edit --

And this is the "Secretive" part that I was referring to and nothing else.
hero member
Activity: 686
Merit: 500
Wat
You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!

So, in other words, we should be thankful for unexplained open-ended delays and implausible "AML" investigations because all of this helps us keep our money safe?

Good call!  At least because of this, we don't have to worry about hackers withdrawing our USD, because their withdrawal will take 2 weeks after which we will know exactly where it went.

Bitcoinica hacker withdrew $340 000 instantly without any problems Wink
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!

So, in other words, we should be thankful for unexplained open-ended delays and implausible "AML" investigations because all of this helps us keep our money safe?

Good call!  At least because of this, we don't have to worry about hackers withdrawing our USD, because their withdrawal will take 2 weeks after which we will know exactly where it went.
hero member
Activity: 686
Merit: 500
Wat
What's so "long and difficult" about moving some coins around?

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
What about moving BTC or signing messages to prove possession?  These don't even have to be published (and many customers would prefer they not be) - I would take the word of a trusted few who verified the sigs. That could all be done within an hour.  But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.
member
Activity: 112
Merit: 10
It seems that some people on this forum have a better understanding of the overall Bitcoin economy and problems than others.

As I stated many times (under Mt.Gox_Support), we have been the first to come forward and tried to be as transparent as possible, we are not against an audit and such a thing will come at some point, but the truth is that as of today it will be extremely costly, long and difficult to get something done and done PROPERLY! And this is due to the nature of Bitcoin. On top of that we will have to find someone that is capable to understand Bitcoin and "Appreciate" all its challenges.

But we understand the need for you to be reassured that we have what we say we have and that our system is as secure as we say it is secure. We are working on this and hope to give you all something that you will accept.  But once again, and this should at least count for something: Mt.Gox is still the largest exchange, one of the oldest exchanges, and we survived Everything that has been thrown at us. So if this alone can't at least give you a chance to start trusting us, what will? You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your assets safe and sound!
member
Activity: 100
Merit: 10
Yep, while SSAE 16 would reveal a lot of information relevant to someone evaluating the risk of doing business with MtGox, SSAE 16 itself isn't a "the money's there" audit.  In fact, SSAE 16 isn't necessarily the part I think everyone's after: the fundamental critical part is a third-party assertion from someone with credentials on the line to say "We looked - we saw - we believe the money's there - signed, us".

Absolutely correct.  In fact, it's likely that a practitioner would require an SSAE 16 as a prerequisite to auditing their financial statements.  But in my mind, surviving an SSAE 16 isn't necessarily a problem for them.  Getting an unqualified opinion on their financials, however, is a completely different story.

Not because they're engaging in any monkey business, but because they simply don't have enough bodies in the organization to have the necessary segregation of duties to qualify as having "strong internal controls".  This would place them in a situation where the auditor would require "substantive tests of detail" of their balances (which isn't a problem for their fiat-denominated balances, but is extremely problematic for their BTC balances).

If they were interested in doing so, they could solicit a CPA firm (such as one also doing a SSAE 16) to make that attestation on their behalf.  They just don't seem interested in it.

TBH if I was in their shoes, I'm not sure I'd be interested in an outside audit either.  There might be some upside in terms of gaining market share/revenue - as long as they get a clean opinion.  If they don't, all they've done is spend a bunch of money to get a list of things for which they will have to spend even more money.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
When we get a SSAE 16, some of the things we have to account for include how we are doing our data backups, who has access to data/facilities/equipment, and how software source code changes get vetted and sent to production.  A lot of those topics are relevant to the risk one faces when doing business with MtGox (if Bitcoinica didn't make that painfully obvious enough to many).

Also relevant is what happens if Mark Karpeles gets hit by a bus.  He may very well be the only one that has access to the bitcoins on deposit, just to avoid the risk of getting stabbed in the back.  But if our coins die with him, that can't be good, and also is relevant to anyone doing business with Gox.  If they have a contingency plan in place, SSAE 16 would hopefully disclose enough of it to suggest that they have one in place and that it's probably effective, without giving away the secrets to a would-be thief.

Yep, while SSAE 16 would reveal a lot of information relevant to someone evaluating the risk of doing business with MtGox, SSAE 16 itself isn't a "the money's there" audit.  In fact, SSAE 16 isn't necessarily the part I think everyone's after: the fundamental critical part is a third-party assertion from someone with credentials on the line to say "We looked - we saw - we believe the money's there - signed, us".

If they were interested in doing so, they could solicit a CPA firm (such as one also doing a SSAE 16) to make that attestation on their behalf.  They just don't seem interested in it.