
Topic: [GLBSE] BDT - 3% weekly interest bond, backed by Bitdaytrade - page 22. (Read 57771 times)

hero member
Activity: 501
Merit: 500
Uhmm.. no dividends today?
legendary
Activity: 2053
Merit: 1356
aka tonikt
He is the Bitscalper scammer; seems like he is failing again. Scam or epic fail, who knows.
For the record: there were a couple of posts referring to this statement, but they got removed by theymos after the author of the quoted post reported to the admin that my reply to it was "off-topic".

Though, after my further request, theymos moved the deleted content to the relevant topic.

hero member
Activity: 938
Merit: 1002
It does help a little indeed, but making the withdrawals manual helps much more when it comes to actual security.

It should be obvious by now that keeping a wallet on the server is unwise, but that can be remedied by polling the transactions externally, which doesn't equate to manual withdrawals, which may or may not be prone to mistakes. Judging by how well manual withdrawals worked at bitcoinrebate, I wouldn't say it's "much more helpful" (getting paid twice, being able to withdraw more than what you have, orders disappearing without getting paid, etc.). A well-programmed sanity check is always better (yeah, even better if both are combined), though I guess that's an unrealistic thing to say in this situation.

Otherwise, I agree that it's absolutely the only thing that saved BDT.

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned, I'm not a security expert so I can't assess how plausible this is.

I say it's plausible (i.e. I believe he might have done something like that), but beyond ridiculous at the same time. You just don't do such things on any project, especially where you handle people's data and money. It can't be the "best of your effort" if you are removing a vital security feature because of an "implementation issue", so I still consider it dishonesty (if you don't like the word lying), besides being incompetent.

I had initially implemented the blowfish/bcrypt algorithm for storing passwords safely, but because of some recent technical problems I had to switch back temporarily to MD5. I had set up the site in a way so that when a user logged in, his password would be recovered and stored in MD5; you could have seen that by looking at the JavaScript files used in the login page.

I can't access the JS right now, but judging by the other comments, the password was MD5-hashed in the browser and sent to be stored as MD5 on the server. So, if I am able to access a hashed password from your database, I will directly be able to use it to log in, without even having to crack it? How nice of you. (Though it's also claimed that a password isn't even needed to log in to any account, using a bug in your implementation of Google Authenticator.)

EDIT: Judging by what Meni and Alberto said, if they are true, Alberto probably just disabled bcrypt altogether. While this is inexplicable, I'd agree that hashing on the client side, combined with bcrypt on the storage side, is not a bad idea.
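The weakness discussed above (the login page sends an MD5 of the password and the server stores and compares that same value, so a leaked row is a usable credential) shown beside the hardened variant the poster describes, as an added example that is not code from BDT or from anyone in this thread. The thread names bcrypt; PBKDF2-HMAC from Python's standard library stands in for it here because bcrypt is a third-party package, and the user names and password are constructed.

```python
import hashlib
import hmac
import os

# --- Scheme the thread describes ---------------------------------------
# The login page JavaScript MD5-hashes the password and the server stores and
# compares that same MD5. Whatever the database row holds is exactly what a
# client has to send, so a dumped row works as a credential without cracking.

def md5_hex(password: str) -> str:
    """What the login page JavaScript would send to the server."""
    return hashlib.md5(password.encode()).hexdigest()

def weak_register(db: dict, user: str, password: str) -> None:
    db[user] = md5_hex(password)  # unsalted MD5, as reported in the leak

def weak_login(db: dict, user: str, client_value: str) -> bool:
    # The server only compares the client's MD5 against the stored MD5.
    return user in db and hmac.compare_digest(db[user], client_value)

# --- Hardened variant ---------------------------------------------------
# The server runs whatever the client sends through a slow, per-user-salted
# KDF before storing or comparing it. Client-side MD5 may stay (the poster's
# point), but the stored value is no longer something a client could replay,
# and the iteration count is what makes offline guessing expensive.
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the stdlib).
KDF_ITERATIONS = 200_000

def kdf(client_value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", client_value.encode(), salt, KDF_ITERATIONS)

def strong_register(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)  # fresh salt per user
    db[user] = (salt, kdf(md5_hex(password), salt))

def strong_login(db: dict, user: str, client_value: str) -> bool:
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(stored, kdf(client_value, salt))

def demo() -> dict:
    """Constructed users (two with the same password); returns the outcomes."""
    weak_db, strong_db = {}, {}
    for user in ("alice", "bob"):
        weak_register(weak_db, user, "hunter2")
        strong_register(strong_db, user, "hunter2")
    leaked_weak = weak_db["alice"]  # one row read from a dumped table
    leaked_strong = strong_db["alice"][1].hex()
    return {
        # MD5 scheme: the dumped value is the credential itself.
        "weak_replay_works": weak_login(weak_db, "alice", leaked_weak),
        # KDF scheme: the dumped value fails; only the real password works.
        "strong_replay_works": strong_login(strong_db, "alice", leaked_strong),
        "strong_real_login_works": strong_login(strong_db, "alice", md5_hex("hunter2")),
        "strong_wrong_password_works": strong_login(strong_db, "alice", md5_hex("hunter3")),
        # Unsalted MD5 gives equal rows for equal passwords; per-user salt does not.
        "weak_rows_identical": weak_db["alice"] == weak_db["bob"],
        "strong_rows_identical": strong_db["alice"][1] == strong_db["bob"][1],
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```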
sr. member
Activity: 457
Merit: 250
Look for the bear necessities!!
long quote

Best Regards
Alberto Armandi

I, for one, believe Alberto. If he wanted to run off with the coins he would have already done it. I see no reason to believe that the bonds are not safe. I do have a small number of bonds and do not plan on selling.


He is the Bitscalper scammer; seems like he is failing again. Scam or epic fail, who knows.

This seems uncalled for.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
4. While I can sympathize with the people wanting to panic sell, it's their decision to make and they're ultimately responsible for it if it turns out being unwise.

This
donator
Activity: 2058
Merit: 1054
I have talked some more with Alberto. The summary is:
1. He says he's not Bitscalper. In particular, while Alberto uses the handle jjfarren in some places, I did not see any evidence that jjfarren on the forum is him.
2. We're figuring out a way to resolve the current situation.
3. Tomorrow he'll be home and he'll reformat his previous announcement and add more detail to it.
4. While I can sympathize with the people wanting to panic sell, it's their decision to make and they're ultimately responsible for it if it turns out being unwise.
donator
Activity: 164
Merit: 100
Alberto, how much of the funds raised from GLBSE have been used and when do you think BDT will start making money?
hero member
Activity: 532
Merit: 500
He is the Bitscalper scammer; seems like he is failing again. Scam or epic fail, who knows.

If that post does not say to get out, I don't know what will.

People should have taken the 0.7/share offer.
hero member
Activity: 504
Merit: 500
FPGA Mining LLC
No idea what's going on here, but giving that post some kind of structure could actually make it readable.
sr. member
Activity: 287
Merit: 250
My name is Alberto Armandi, I was born in Italy, 19/09/1983. I'm an internet entrepreneur who got caught up in the Bitcoin phenomenon about one and a half years ago.
Before Bitcoin, I tried to launch several startups on my own, Wozad being one, a system for targeting digital ads based on your browsing history. It was doing well until Google Inc decided to include the same type of targeting into their pervasive AdSense. The next effort was a hardware startup, Enso Limited, with which I launched the highly controversial Zenpad, an early 5-inch tablet powered by the Android operating system. Enso managed to fail too, because of lack of funding, but my failed endeavours did not leave a trail of destruction behind, as I had and still have the determination to face any kind of trouble.
This is a short background, for those who missed it earlier; it can be easily found on the official Bitcoin forum, in the Securities/BDT thread.

Now, fast forward to around April/May 2012: I happened to get in touch with Jonathan Ryan Owens, who since the start of our relationship pictured himself as a sort of "Mr. Big" in the Bitcoin world and showed himself able to use language fluently, and to convince anybody that he's actually skilled and a serious businessman.
Since I did not have a real clue of who's who in this crazy, messed up community (do not take this as an insult, I'm referring to people who have no hesitation in ruining other people's lives) I believed him and his claims of big success and profits, and developed trust in him and the group of people he was working with. Again, I'm not trying to involve other people in this debacle; let's focus on Mr. Jonathan Ryan Owens.
We chatted extensively for a while and one day he came up with the ZipConf idea, inspired by some of my input and brainstorming. He started working on that and soon enough a site was online with that name. The site's scope was allowing instant bitcoin transfers, without waiting for confirmation from the network as in classical bitcoin transactions. The business proposition seemed nice initially and Mr. JRO worked out a lot of words to convince me and others it was so. He went ahead and held an IPO for this, as he said he needed lots of coins to make this happen. I was so convinced of the genuineness of this operation that I put Mr. JRO in touch with a guy I happened to know earlier, who is an important internet businessman and investor. I valued my relationship with this guy highly, as he was funding my operations and showing a lot of trust in me. I was hesitant, but finally made that mistake: I procured about 2000 bitcoin in funds for the ZipConf endeavour, funded by this guy, who will go unnamed for privacy reasons.
Mr. JRO managed to put in place a written contract between him and this guy; the deal was that Mr. JRO would pay some interest over the 2000 bitcoin loan. I have later learned that this contract was never signed and everything remained in the form of a legal agreement, bringing in even more liabilities for me, since I was the one to introduce the investor to JRO.
Everything seemed to be taking a great turn and I then let Mr. JRO join the project I was working on, a custom Bitcoinica clone, coded entirely by me. It was intended to launch under the domain name btcxchange.net, which I have owned since July 2011; at that time Mr. JRO said the brand name wasn't going places, and we agreed to call it Kronos.io. I went ahead, completed the coding work and deployed the site onto servers controlled by Mr. JRO. The user interface I had deployed was exactly the same as I have in place at Bitdaytrade, but Mr. JRO wanted a new design, so he hired someone to work out another skin; that took a couple of days. Please note that Mr. JRO managed some very talented developers at that time, those who worked on ZipConf, but he never delegated them to check the Kronos.io source code. I only later realized how much this is in contrast with his claims of operating with high security standards, and didn't link it directly to any act backed by malice.
Almost at the same time, I was working on an unrelated project, Bitcoinrebate. After having shown Mr. JRO business plans and financial projections for said business, we decided to hold an IPO for it, to gather additional funds to be used on both Rebate and Kronos.io.
At that time I demanded a payment for all the time and effort I was putting into our projects and I was sent about 1000 bitcoin by Mr. JRO, who claimed they were coming from a "trusted big lender".
I wasn't aware of how GLBSE worked at that time, nor had I realized the impact it might have had on my reputation if things didn't go the way I expected. I have later learned that the Bitcoinrebate IPO was able to raise about 5000 bitcoin. I was never informed about this, not even a word. Mr. JRO monopolized it all, so I don't have a clue where those coins (minus the 1000 I received) ended up.
After the Bitcoinrebate IPO I was instructed by JRO (who always acted like a dictator and a boss) to complete the work for Kronos (implementing the new skin) and prepare it for launch.
I executed my duties and the site was launched. About one week later, Mr. JRO came up saying that he didn't need the coins initially funded by the unnamed investor and asked to return them, to avoid paying useless interest. Stupidly enough, I told him to just send them back to an MtGox account I was sharing with the investor for different kinds of operations, without asking him for confirmation first. I thought it was safe to do so and really didn't have a clue of what was going to happen shortly.
I made another mistake in this context: I used this MtGox account for testing the Kronos.io hedging bot without asking direct confirmation from the investor, just assuming he would be OK with it since my agreement with the investor was about generating profits from the coins he lent to me. I had been managing money for this guy for a while and so I thought it was OK to do so.
The MtGox account passwords were known only to me and the investor, but Kronos.io had an automatic withdrawal feature, so the MtGox account was configured to allow bitcoin withdrawals via API.
Some days passed and apparently everything was going well, but one morning I woke up to find the MtGox account emptied and Kronos.io hacked.
I freaked out for a while, then went ahead trying to track down what happened. It turned out that someone with knowledge of how the site worked internally (someone who was in possession of the source code) had exploited it, exactly like what happened today with Bitdaytrade, but unfortunately the MtGox account was emptied too, because of the automatic withdrawal feature.
I still have full logs of what happened then, with IP addresses and bitcoin addresses that received the loot.
Mr. JRO's reaction to this was controversial: first he disappeared for days, claiming he was in a confused mental state, and tasked other people with dealing with me. I was obviously trying to get in touch with him like crazy; I couldn't get hold of him on the phone at that time and I tried for weeks. Then after some weeks he reappeared online and blamed me harshly for incompetence and stupidity. Just like it's happening now with Bitdaytrade, he deemed the Kronos.io project dead, and advised me to work on different things and forget about Bitcoin.
Obviously I felt deeply ripped off: I had the investor who lost thousands of coins out of this big mess asking me what my plan was to recover the loss and go forward, with our relationship completely destroyed on a trust level, and on the other hand I had Mr. JRO blaming me in a meaningless way for stupidity, incompetence, and such. I had determined at that time that my only choice was going forward with the project alone; I had high hopes that I would be able to repay the accumulated debt with profits I would be making from it. I then decided on another brand name, Bitdaytrade, asked support from some trusted community members for holding an IPO to raise the necessary funds for its operations, and went ahead modifying the source code to allow gold trading. I finally launched a beta with this limited service, to avoid thousands of users flocking in, keeping the risk level at a minimum while I ironed out all the kinks left.
Some time passed, some users reported bugs and other problems, and I worked hard to fix all the issues and get the service to an acceptable level for the community. A lot of hack attempts were made, but the site did not suffer any major breach, and it was deemed safe by me.
I had initially implemented the blowfish/bcrypt algorithm for storing passwords safely, but because of some recent technical problems I had to switch back temporarily to MD5. I had set up the site in a way so that when a user logged in, his password would be recovered and stored in MD5; you could have seen that by looking at the JavaScript files used in the login page.
The Bitdaytrade IPO was held and the necessary funds raised; for doing this I had to leverage the trust of other community members, which Mr. JRO tried to block from putting trust in me, banking on the Kronos hack story and telling them all that I was obviously a thief. He didn't succeed, as all of you noticed, and Bitdaytrade started operating. I first allowed the BTC/USD margin trading feature privately for a week and then opened it to the public, on Monday 13 of August.
Mr. JRO got in touch with me about a week ago, trying a last approach to block me: he demanded a "rapid prototype of a margin trading site" and in exchange he would not have made the Kronos.io hack public.
He added that I was losing out on a great opportunity of working with him on a real-world exchange for virtual currencies and a sort of startup incubator for bitcoin-related projects. I then understood where the funds from ZipConf, Rebate and Kronos.io ended up, and obviously passed on this offer and went ahead with my plans.
What happened today is a reiteration of these blackmailing attempts, but with a more evil and criminal plan.
I strongly believe, and what I wrote in this explanatory post gives clear evidence of it, that behind everything that was posted on reddit.com against Bitdaytrade there is Mr. Jonathan Ryan Owens.
He used the Kronos.io source code previously stolen from him to orchestrate all of what you witnessed today, and apparently managed to have the community believe his story.
Not even one bitcoin was withdrawn from Bitdaytrade.com under today's attacks, and all funds are safe. The server will be kept offline for further investigation and gathering of evidence to be presented upon filing a criminal deposition with all the legal authorities I am/will be able to. Stay tuned for developments.
I'm deeply sorry and I publicly apologize to everyone for the mistakes I made in this mess, but it will be sorted out, and in an elegant way.

Best Regards
Alberto Armandi
legendary
Activity: 2053
Merit: 1356
aka tonikt
As soon as password hashes are compromised, I assume the site is hacked.
For me it doesn't matter whether they were made with MD5, sha666, bcrypt or just stored in plain text; in any case it is completely unacceptable to let the user database leak out.

So I don't care about the hashing method, since I learned long ago to use a different password for different sites.

Not exactly true: bcrypt-hashed passwords with sufficient rounds are a lot harder to crack. They'll have your email alright, but getting the password will likely take months, possibly years; of course this depends on the password difficulty.
TLDR bcrypt FTW.
That is true, but I don't use the same passwords on other sites, so I don't care whether it gets decrypted or not after the hack.
If someone was able to dump the database on a site (using SQL injection, I'd guess), in 99% of cases he would also be able to modify it, which would allow him to log into my account anyway, whether he managed to decrypt the original password or not.

Sure, but just saying bcrypt helps... a little.
It does help a little indeed, but making the withdrawals manual helps much more when it comes to actual security.
Though, I would still be concerned about how they handle the hedging, because it'd be quite risky to do it manually... and even more risky to do it automatically with so many issues reported by now.

I also agree with and fully support your approach of shutting the site down each time there is any suspicion of a malfunction, which obviously didn't happen today, even though one guy managed to multiply 0.1 BTC into millions...
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
As soon as password hashes are compromised, I assume the site is hacked.
For me it doesn't matter whether they were made with MD5, sha666, bcrypt or just stored in plain text; in any case it is completely unacceptable to let the user database leak out.

So I don't care about the hashing method, since I learned long ago to use a different password for different sites.

Not exactly true: bcrypt-hashed passwords with sufficient rounds are a lot harder to crack. They'll have your email alright, but getting the password will likely take months, possibly years; of course this depends on the password difficulty.
TLDR bcrypt FTW.
That is true, but I don't use the same passwords on other sites, so I don't care whether it gets decrypted or not after the hack.
If someone was able to dump the database on a site (using SQL injection, I'd guess), in 99% of cases he would also be able to modify it, which would allow him to log into my account anyway, whether he managed to decrypt the original password or not.

Sure, but just saying bcrypt helps... a little.
legendary
Activity: 2053
Merit: 1356
aka tonikt
As soon as password hashes are compromised, I assume the site is hacked.
For me it doesn't matter whether they were made with MD5, sha666, bcrypt or just stored in plain text; in any case it is completely unacceptable to let the user database leak out.

So I don't care about the hashing method, since I learned long ago to use a different password for different sites.

Not exactly true: bcrypt-hashed passwords with sufficient rounds are a lot harder to crack. They'll have your email alright, but getting the password will likely take months, possibly years; of course this depends on the password difficulty.
TLDR bcrypt FTW.
That is true, but I don't use the same passwords on other sites, so I don't care whether it gets decrypted or not after the hack.
If someone was able to dump the database on a site (using SQL injection, I'd guess), in 99% of cases he would also be able to modify it, which allows him to log into my account anyway, without decrypting my password.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
As soon as password hashes are compromised, I assume the site is hacked.
For me it doesn't matter whether they were made with MD5, sha666, bcrypt or just stored in plain text; in any case it is completely unacceptable to let the user database leak out.

So I don't care about the hashing method, since I learned long ago to use a different password for different sites.

Not exactly true: bcrypt-hashed passwords with sufficient rounds are a lot harder to crack. They'll have your email alright, but getting the password will likely take months, possibly years; of course this depends on the password difficulty.

TLDR bcrypt FTW.
legendary
Activity: 2053
Merit: 1356
aka tonikt
As soon as password hashes are compromised, I assume the site is hacked.
For me it doesn't matter whether they were made with MD5, sha666, bcrypt or just stored in plain text; in any case it is completely unacceptable to let the user database leak out.

So I don't care about the actual hashing method, since I learned long ago to use different passwords for different sites.
This way, when one site gets hacked I don't care what hashing method they used; I only care whether they have managed to protect my money from being stolen.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
Alberto lied about the security on the site: when asked how passwords were stored he said bcrypt, and something like a few minutes later someone had managed to gain access to all email addresses and passwords, which were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned, I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

You are correct about him not mentioning bcrypt, at least in the reddit thread.
sr. member
Activity: 287
Merit: 250
Calm down guys. I'll be posting a detailed reply in a couple hours. I'm currently outside home.
donator
Activity: 2058
Merit: 1054
Alberto lied about the security on the site: when asked how passwords were stored he said bcrypt, and something like a few minutes later someone had managed to gain access to all email addresses and passwords, which were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned, I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

Meni, the question is: can Alberto fix this crap and keep on paying the bonds?
As far as I can tell Alberto can fix the current issues; and even if Bitdaytrade ends up a dead end (merely the bad press from this controversy could harm its growth), he can still fulfill the bond contract.
sr. member
Activity: 434
Merit: 251
FWIW, I asked the reddit poster for my hash, and I can confirm it's unsalted MD5.

Meni, the question is: can Alberto fix this crap and keep on paying the bonds?

Depends if he's lying about bitdaytrade being involved in the volume peak on mtgox today.
Considering that it happened around the time someone found a way to have 25M bitcoin balance ...
donator
Activity: 164
Merit: 100
Alberto lied about the security on the site: when asked how passwords were stored he said bcrypt, and something like a few minutes later someone had managed to gain access to all email addresses and passwords, which were being stored using MD5 without a salt.
I think you're mixing up the order of events and that this affects your narrative.

AFAIK Alberto's statement that bcrypt is used isn't recent. On the recent reddit threads he was quoted on a statement he made some time ago. So it's not true that "he said bcrypt and a few minutes later it was proven to be MD5".

Alberto says that it was originally bcrypt but there were implementation issues so he temporarily switched to MD5. As mentioned, I'm not a security expert so I can't assess how plausible this is. I'll wait for Alberto to make a clarification of this and other issues.

Meni, the question is: can Alberto fix this crap and keep on paying the bonds?