
Topic: ASICMINER: Entering the Future of ASIC Mining by Inventing It - page 1334. (Read 3917029 times)

legendary
Activity: 2053
Merit: 1356
aka tonikt
how the hell would a 2fa protect any glbse user from the alleged "session fixation attack"?
sr. member
Activity: 476
Merit: 250
I don't really understand what you're saying, xkrikl.

"let them have a vote in some decisions"

They have no more nor less 'vote' than their number of shares weighted against all the other shares.

"only as a communication platform"

Yes. Their only significant 'power' is the ability to 'examine the books' of the 'company'. That is, verify, or not, that Bitfountain is doing what they say they're doing.

As such, they have a vested interest in 'making things look rosy'. That is, communicate good news to the community until they benefit from an inflated share price and can dump their stock. (After which, of course, they could then 'bare their souls' and tell everyone why they sold all they had. So, in a sense, they are canaries in the coal mine.)

Really, I only see the board member position as a, reasonable, way for Bitfountain to restrict who all they need to communicate fully with while at the same time having a credible amount of transparency.

Credible is the key word here. And now that the IPO is finished, it is pretty much a moot point.

We have all placed our bets. We'll see how they come out.
full member
Activity: 159
Merit: 100
The Board can do 2 things:
1) give the large share holders more information - well that could be considered insider info which would put them into an advantageous position against the smaller shareholders - BAD
2) let them have a vote in some decisions - well that's OK ... BUT
- there should be somehow specified and publicly presented what the Board can decide and what has to be decided in a motion ... as of now I understand it only as a communication platform because everything should go through a motion but it's a good platform to formulate a motion
- if the Board should have any decision-making rights then we need each member to prove they still own 5000+

As of now GLBSE lacks this functionality so we should stick with what is implied by this.
I agree with Friedcat that it should stay optional for the share holders and effectively reserved for such cases where the share holders want to prove to the issuer that they own the shares.
donator
Activity: 848
Merit: 1005
Really, GLBSE needs to, if it is to be a full 'stock exchange', be able to provide the issuer/controller of a stock/bond / whatever-they-want-to-call-it a complete list of ownership with some 'identifier' + number of shares owned.

I've asked this feature from nefario repeatedly for DMC, but it hasn't materialized yet. Maybe if both DMC and ASICMiner ask?

I think it's a good idea.

More specifically, it could be made optional, e.g., people could choose whether to show some of their assets to the issuer. It will keep the anonymous nature of GLBSE, but at the same time give people the choice of disclosure.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
Really, GLBSE needs to, if it is to be a full 'stock exchange', be able to provide the issuer/controller of a stock/bond / whatever-they-want-to-call-it a complete list of ownership with some 'identifier' + number of shares owned.

I've asked this feature from nefario repeatedly for DMC, but it hasn't materialized yet. Maybe if both DMC and ASICMiner ask?
sr. member
Activity: 476
Merit: 250
anyone who could show the proof he owns 5,000 shares
That statement is the root of the problem.

Independent verification is required.

*I* could send you a 'screenshot' of my GLBSE account right now 'showing' such proof. (Photoshop is.)

Really, GLBSE needs to, if it is to be a full 'stock exchange', be able to provide the issuer/controller of a stock/bond / whatever-they-want-to-call-it a complete list of ownership with some 'identifier' + number of shares owned.

I used 'identifier' because some might wish to defer/abdicate 'control' in order to preserve anonymity.

Next step would be some way for those to want to 'expose' themselves to prove that 'identifier' is 'me'/share-holder.

--

The issue seems to be the default Bitcoin anonymity position intersecting with a 'public' ownership structure.

A thought / first thought, not necessarily a feasible thought, as is done with public corporations in the USA, the stock/share holders vote for members of the 'board'.

A scenario / thought exercise:

[sorry, as I was working through this I hit more problems than solutions. :-\ ]

--

Surely we are not the first to hit up against this issue/problem. I'll do some research to see what I can find in the 'Bitcoin community'. ('Google is your friend.' :) )
sr. member
Activity: 476
Merit: 250
In principle, anyone who could show the proof he owns 5,000 shares should be put in the board member list, and those who don't hold so many after some time will leave the list. ... board members always use their own stake to represent their commitment.

I agree. I approve. :)

... we will need some serious effort to track the information of shareholders.

I guess I'm just surprised that GLBSE doesn't readily expose that information to you as the issuer of the security. Seems a pretty basic need to manage a distributed ownership asset.

Do you have ideas on that? Thanks.
Not yet. :)

And don't want to be 'pushy' by asking if you have explored all the mechanics offered by GLBSE as the issuer. I'm really assuming you have done all the relevant research/homework.

Perhaps GLBSE needs to be asked about providing more tools?
sr. member
Activity: 476
Merit: 250
BTW, friedcat, you have made a good impression by your communications. Otherwise, I would never have invested.

My apologies if my tone sounded harsh. That often happens when just "laying things out flat", or "just trying to state things as I see it".

The Internet often isn't an 'easy' medium for amicable conversation.
donator
Activity: 848
Merit: 1005
BTW, if a question I asked earlier was answered and I overlooked it, I apologize.

https://bitcointalksearch.org/topic/m.1102768

Is anyone holding 5000 shares classified a "Director", with all the rights and privileges ascribed to such a position, or only those who purchased 5000 shares directly from you?

The original terms are a bit ambiguous on that. Or I'm just confused. Still, I'm asking for clarification. (I'm slowly increasing my number of shares, but the answer to that question is germane to whether I should continue doing so.)

Thanks for the question.

In principle, anyone who could show the proof he owns 5,000 shares should be put in the board member list, and those who don't hold so many after some time will leave the list. This should be the right way.

However, currently the board member list is maintained in the way that only those who purchased 5000 shares from the issuer (me) are included.

The advantage of the first approach is that board members always use their own stake to represent their commitment. The disadvantage of the first approach is that we will need some serious effort to track the information of shareholders.

Therefore we don't know whether and how to switch to the first approach yet. Do you have ideas on that? Thanks.
donator
Activity: 848
Merit: 1005
I'm sorry to hear that.

However, isn't that a commitment you made?
I'm very sorry for all the confusion. By "extra" I didn't mean leftover unsold shares, I meant
the extra shares for large investors.

Sending leftover shares proportionally to shareholders is technically very hard.
This sentence isn't an excuse for me to avoid my commitment with "technical difficulty".
It's just to explain that I understood it's very hard in the first place so my "extra shares" did
mean extra 10% and 12.5% for larger bulk purchasers, but not all leftover ones.

I'm sorry again and it's my fault to bring so much confusion in my last post of announcement.
sr. member
Activity: 476
Merit: 250
BTW, if a question I asked earlier was answered and I overlooked it, I apologize.

https://bitcointalksearch.org/topic/m.1102768

Is anyone holding 5000 shares classified a "Director", with all the rights and privileges ascribed to such a position, or only those who purchased 5000 shares directly from you?

The original terms are a bit ambiguous on that. Or I'm just confused. Still, I'm asking for clarification. (I'm slowly increasing my number of shares, but the answer to that question is germane to whether I should continue doing so.)
sr. member
Activity: 476
Merit: 250
No problem.

Thank you for the response.
donator
Activity: 848
Merit: 1005
I consider that a reasonable compromise. And would be willing to vote "aye" for such a motion.

I'm merely pointing out the dangers of your "I'm considering" statement about actions being taken unilaterally.

You are now operating with some binding commitments. Or, you are now bound by nothing and we have no reason to expect any eventual payoffs for our investment.
Yes, I'm operating with binding commitments. There should be compensation if the result of the drama is not ideal. I used "I'm considering" to say that I'm thinking of some more compensating plans other than the plan-A. It will of course be the shareholders who would decide.
sr. member
Activity: 476
Merit: 250
However, the proportion of the company represented by each share could be adjusted. I'm considering making it a little higher to compensate the shareholders if the recent 300BTC trade doesn't end up well, as a plan-B (plan-A is that my partners and I fill the gap).
I consider that a reasonable compromise. And would be willing to vote "aye" for such a motion.

I'm merely pointing out the dangers of your "I'm considering" statement about actions being taken unilaterally.

You are now operating with some binding commitments. Or, you are now bound by nothing and we have no reason to expect any eventual payoffs for our investment.
sr. member
Activity: 476
Merit: 250
On the point of 2FA.  Yes, it's a big deal and it's foolish not to use it.
So, even though using 2FA might not have prevented your loss, you are telling people to:
1) Sign up with Google, whether they want to or not.
2) Rely on Google for access to your finances.

I would be interested in a solid 2FA mechanism.

I'm not interested in letting Google be the gateway to my life.
sr. member
Activity: 476
Merit: 250
Sending leftover shares proportionally to shareholders is technically very hard.
I'm sorry to hear that.

However, isn't that a commitment you made?

--

edit - added the below:

Any other approach is a modification to the terms under which we bought shares. That is, gave you BTC/money with the understanding that "this is how things will be done - do you wish to buy in under those conditions?".

*Any* changes of those terms is non-trivial. It is a slippery slope. The more the original terms are changed, without a formal share-holder vote, the less confidence that those terms will be ultimately honored.

--

"without a formal share-holder vote"

BTW, this is also a problem inherent in how only 30k shares were offered to the general public. This mechanism allows, for example, votes of the following nature to be passed by the 'big players' who gave you BTC directly rather than via the GLBSE public auction.

1) Any holder of less than 5000 shares will be deemed a 'Class B' shareholder.
2) Holders of 5000 shares or more will be deemed 'Class A' shareholders.
3) All benefits and remunerations described in the original terms will only apply to 'Class A' shareholders.
4) 'Class B' shareholders will get whatever is left over, if anything, after the 'Class A' shareholders get all they want.
 
sr. member
Activity: 252
Merit: 250
Inactive
You want a told you so? If a website has 2FA of any kind, USE IT. PERIOD. DOUBLY SO IF IT IS A FINANCIAL WEBSITE LIKE GLBSE.

I have no clue why the fuck people think this is optional. I've asked nefario to mandate it to use GLBSE, but he gets all bitchy about it. Banks frequently do it (especially in Europe), so why not GLBSE? Just fucking do it.

You're bashing the wrong guy. Wait for when you learn something the hard way and then receive nothing but contempt. That's no way to treat someone who fell victim. The way I see it there are currently a few explanations: 1) hacked Windows 2) leaked password hash (does anybody know which hash function GLBSE uses?) 3) Not enough entropy in the password 4) glitch in GLBSE (actually the exact match with 17:00:00 makes me worried, let's see what others have)


I see I've started to derail the thread.  Obviously, my comments were meant to inform everyone of what happened and I should have expected a number of responses.

Sorry for that.


On the point of 2FA.  Yes, it's a big deal and it's foolish not to use it.  It's foolish just the same for a financial service to operate at less than secure mode as default and then not take a rigorous approach to inform users by explicit notification and links to any 3rd party OSS software required to establish a sufficient level of protection (and this is especially true in the case for Google 2FA as Google's primary use case is with the use of smart phones and can mislead uninitiated users).  I'm just re-iterating what I said in my original post, so obviously this falls on deaf ears to some.  I fault Mt. Gox and any other site that doesn't enforce 2FA.  I use Yubikey.  So, there.

In my case the problem is twofold.  One, neither Nefario nor I know exactly what happened.  Though on the day of the compromise circumstances could have allowed a security vulnerability not limited by 2FA.
That's the Session Fixation vulnerability.  Despite Nefario's refusal to take any responsibility for such a vulnerability it's an old, common vulnerability where security whitepapers have stated that the only effective countermeasure for Session Fixation is to design the Web application to use strict session controls that limit session id creation and tightly control their invalidation - or need for revalidation.

Edit:  Some have jumped to the conclusion that this *IS* what happened.  This is my best assumption.  I typically log out and don't leave sensitive sites open.
I think I have a good idea what might have happened.  My GLBSE session was still active after closing the browser tab.  I spent some time on web freenode and was probed and compromised from that source.
Speculation, but it's the best thing I can come up with.

Use 2FA and don't have any other browser window open while using GLBSE.  I am your example to learn from.
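
The session controls described in the post above, as an added example that is not part of the original thread and not GLBSE's code: a toy in-memory session store (all class, function and value names are hypothetical) comparing a login that keeps the pre-login session id with one that issues a fresh id after the password and second-factor checks, expires idle sessions and deletes them at logout. The second factor passes in both cases, so the difference comes only from how the session id is handled.

```python
import secrets

class SessionStore:
    """Toy server-side session table (hypothetical, for illustration)."""
    def __init__(self, strict, idle_timeout=900):
        self.strict = strict
        self.idle_timeout = idle_timeout
        self.sessions = {}              # sid -> {"user": str, "seen": seconds}

    def _issue(self, user, now):
        sid = secrets.token_urlsafe(32)  # id is created by the server only
        self.sessions[sid] = {"user": user, "seen": now}
        return sid

    def login(self, presented_sid, user, password_ok, otp_ok, now):
        """Return the session id the browser holds after login, or None."""
        if not (password_ok and otp_ok):
            return None
        if self.strict:
            # Discard the id that arrived with the request, mint a new one.
            self.sessions.pop(presented_sid, None)
            return self._issue(user, now)
        # Weak: the pre-login id, whoever chose it, becomes authenticated.
        self.sessions[presented_sid] = {"user": user, "seen": now}
        return presented_sid

    def whoami(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.strict and now - s["seen"] > self.idle_timeout:
            del self.sessions[sid]       # idle session is invalidated
            return None
        s["seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)     # explicit invalidation

def replay_known_id(store):
    """Constructed scenario: an id known to a third party before login."""
    known = "sid-known-before-login"     # constructed sample value
    store.login(known, "alice", password_ok=True, otp_ok=True, now=0)
    return store.whoami(known, now=60)   # who does the old id map to?

if __name__ == "__main__":
    print("weak:  ", replay_known_id(SessionStore(strict=False)))
    print("strict:", replay_known_id(SessionStore(strict=True)))
```
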


vip
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
@nedbert9

I have got 168 shares during this hack @0.085 per share. I would like to give 0.00388888BTC*168=0.64BTC to you.

Please give me your GLBSE account.

I guess the bitcoin transfer between GLBSE accounts is free, right? Who can give me a confirmation?

bitcoin transfer is free, shares aren't.
donator
Activity: 1120
Merit: 1001
@nedbert9

I have got 168 shares during this hack @0.085 per share. I would like to give 0.00388888BTC*168=0.64BTC to you.

Please give me your GLBSE account.

I guess the bitcoin transfer between GLBSE accounts is free, right? Who can give me a confirmation?
vip
Activity: 198
Merit: 101
I was also surprised friedcat sent me so many shares before I had paid him.. and I don't even have a good forum reputation yet.