
Topic: I'm Kevin, here's my side. - page 9. (Read 258614 times)

full member
Activity: 174
Merit: 101
June 21, 2011, 02:13:10 AM
Look at the broader picture. If they allow $10,000 USD worth of BTC to slip out for less than it's worth they get SIGNIFICANTLY LESS fees. By rolling back, and protecting potentially $5M+ USD, they stand to make tens of thousands more in transaction fees when the BTC are sold for a higher price. Obvious troll chooses more all the time. While the customer relations aspect could keep (possibly earn) them customers (as any business management course would teach) if they did the right thing... We all know how greed works.

Think a little bit harder on that one, guy.
member
Activity: 70
Merit: 10
June 21, 2011, 02:08:26 AM
Look at the broader picture. If they allow $10,000 USD worth of BTC to slip out for less than it's worth they get SIGNIFICANTLY LESS fees. By rolling back, and protecting potentially $5M+ USD, they stand to make tens of thousands more in transaction fees when the BTC are sold for a higher price. Obvious troll chooses more all the time. While the customer relations aspect could keep (possibly earn) them customers (as any business management course would teach) if they did the right thing... We all know how greed works.
full member
Activity: 155
Merit: 100
June 21, 2011, 02:03:51 AM
I think a rollback is the first step. Put things back to before the crash. In fact, I would suggest a transaction-by-transaction examination of (at least) the last week. We need a disinterested 3rd party to do this. NOT Kevin, and NOT MT. I have no idea who, but I do not envy their headaches.

We absolutely agree on the 3rd party audit, this needs to happen.  I think we simply disagree on the time frames involved here.  I'd like, before we roll back, to actually know if we should roll back just this one 500,000 btc trade, or if there have been dozens, hundreds, or thousands of illegitimate trades for much smaller amounts of bitcoins that no one noticed?  Does the community just pretend these didn't happen and simply move on?  I honestly don't really have a good answer or solution here since no one knows the extent of the problem.  And this is why the rollback as a concept really concerns me.  MtGox is picking an arbitrary transaction to roll back from - granted an extraordinary transaction that had a large amount of publicity and upset users.  One thing I've learned from operating sites that are high profile targets for attack, is that if you do notice someone exploiting a hole - usually you can go back in forensics and see other people exploiting that hole in a much more quiet and smart manner.  Sometimes these attacks go back years, before being noticed.

I understand you're trying to get back to normalcy as quickly as possible, and that does make sense and I wish for it too.  I actually agree that a rollback is a good idea, if it can be relatively certain we know it will actually fix anything other than simply giving 500k btc back to mtgox, and then we go on merrily being robbed from unknowingly by some other (very likely to exist with the state this code is apparently in) exploit until someone comes along and fucks it up for the smart hackers again by drawing attention.  Rinse and repeat.

I stated this in IRC, so you don't think I'm making up hypothetical concerns here.  I trade bitcoins for cash, locally in person by executing a real-time trade on MtGox and letting them watch, to ensure I'm not charging them any more/less than up-to-the-minute market rate.  I get cash, they get bitcoins sent from MtGox to their wallet address.

If a rollback can happen now at any time, how am I to conduct this business any longer?  I could be buying "stolen" bitcoins unknowingly, and have them taken from my account at a later date (how long do I have to wait for the transaction to "clear"?).  I am now out real money, since I conduct an actual business that will make my customers whole in the event of one of my vendors making a mistake.  It's the right thing to do.

I simply want to know the extent of the problem, the fixes being implemented, and the policy/plan for such situations moving forward.  I personally believe MtGox has lost their "right" to claim privacy/business secrets on this one as they've already lost the benefit of the doubt by having their entire database stolen.  Considering none of these answers have been forthcoming, I think it's starting to become obvious this problem is quite a bit more complicated than a simple hacked account.  Once answered (and answered truthfully this time, if that's even a possibility any longer) I can then evaluate my risk exposure based on legitimate and truthful information, which I currently cannot do.
full member
Activity: 174
Merit: 101
June 21, 2011, 01:55:11 AM
It's fairly easy to see who has a horse in this race and most likely bought coins for cheap during the selloff. Sorry guys, but big-time exchanges break trades even when all the trades are executed according to the explicit instructions of the trader. And the SEC allows the exchanges to define these rules:

http://www.cbsnews.com/stories/2010/06/17/business/main6592645.shtml

This MTGOX scenario has the added condition of criminality, including unauthorized access. It's beyond absurd that some of you think these trades should be honored. It shows a shocking level of trading amateurism on the boards.
newbie
Activity: 14
Merit: 0
June 21, 2011, 01:53:07 AM
3) The precedent they're setting here cannot be maintained.

Exactly what happened here may never be fully known, but according to Mt Gox an unauthorized user accessed someone's account and placed a sell order. Passwords get guessed/leaked all the time, and any exchange that attempts to undo that in every case will undoubtedly fail.

If I'm careless with my password and someone places orders on my behalf in my account without my permission, will Mt Gox revert an hour's worth of trading to fix it? What if I only had 2 bitcoins? Or 20? Or 200? There is no way rolling back trades to handle a compromised password will scale to the size of bitcoin's current economy. Unless Mt Gox is willing to explicitly say they'll give this same treatment to any user who has their account compromised, it's blatantly unfair to everyone else.

This also opens the door to allowing anyone to request equal treatment if they made some trades they later regret. Log in through a proxy to make it seem like someone from a distant country was using your account, make your trades, then later scream about how your account was compromised and you want a do-over.
This is the key right here.

Make no mistake, if they do a roll back and if my account gets hacked in the future I will be demanding a roll back no matter how many BTC are traded.  And I rather like the proxy idea you stated.  I might just have to go for a super risky trade and demand a rollback if it doesn't work and claim hacking.

Moral hazard, anyone?
https://secure.wikimedia.org/wikipedia/en/wiki/Moral_hazard
full member
Activity: 210
Merit: 100
June 21, 2011, 01:35:26 AM
I am astounded at the outpouring of support for MtGox here. Wow. MtGox allowed itself to be compromised, THEY are the ones responsible for settling things financially here. If they weren't ready for this possibility, they shouldn't have been in the business.

This is an amateur currency FFS. You should be thanking MtGox for pushing boundaries and getting this currency to where it would never be before.

BTC is essentially reliant on entrepreneurs and with this, there are always great risks.
sr. member
Activity: 385
Merit: 250
June 21, 2011, 01:32:52 AM
Kevin,

No matter what the MT Gox website says, they are not going to voluntarily take a 5 million dollar hit, even if it's 100% their own fault.

MT Gox will not bow to community pressure when 5 million bucks is on the line.

Not that there is significant pressure to begin with, since the majority of the public opinion is in support of the rollback do over.

We love our money. We work hard for it. We want our money protected and given back to us if it's taken away. That's where the opinion is.

My advice to you would be to consult with an attorney. If he sees feasibility in moving forward, you will probably need to hire one in Japan as well to work with your US attorney. MT Gox may very well hold fiduciary responsibility in honoring your trades, barring any unknown laws regarding fraud, theft, unregulated trade and commodities speculation. The very least that could happen would be a judge refusing to hear the case or throwing it out. The best that could happen is that the bitcoins and/or financial assets are frozen until case disposition.

With their servers in the USA, their operations in Japan, and doing world-wide trading, it's hard to tell what jurisdictional relief you may have.

When a company does not adhere to their own terms and policies, the only recourse is through the courts.
sr. member
Activity: 364
Merit: 251
June 21, 2011, 01:31:33 AM
This should absolve you of my claims you are the other Kevin Day. But you could still be the hacker.

References
Site: http://www.relationalsecurity.com/company_team.htm
Kevin Day - Founder & CTO. Kevin is the Founder and Chief Technology Officer of Rsam. Kevin has over 10 years of experience in Information Security & Risk Assessment consulting and has worked directly with more than 100 large organizations in planning such efforts. Prior to Rsam, Kevin led Information Security, Risk Assessment, and Compliance Management efforts for Fortune 500 clients in Healthcare, Entertainment, & Financial Services through Computer Horizons Corporation (a $500m consulting company). Kevin is a CISSP and author of "Inside the Security Mind", published by Prentice-Hall 2003. Kevin holds a bachelor's degree in Music from University of Nevada, Reno.

Site: http://www.relsec.com/company_team.htm
Kevin Day - Founder & CTO. Kevin is the Founder and Chief Technology Officer of RSAM. Kevin has over 10 years of experience in Information Security & Risk Assessment consulting and has worked directly with more than 100 large organizations in planning such efforts. Prior to RSAM, Kevin led Information Security, Risk Assessment, and Compliance Management efforts for Fortune 500 clients in Healthcare, Entertainment, & Financial Services through Computer Horizons Corporation (a $500m consulting company). Kevin is a CISSP and author of "Inside the Security Mind", published by Prentice-Hall 2003. Kevin holds a bachelor's degree in Music from University of Nevada, Reno.

Site: http://www.rsam.com/company_team.htm
Kevin Day - Founder & CTO. Kevin is the Founder and Chief Technology Officer of Rsam. Kevin has over 10 years of experience in Information Security & Risk Assessment consulting and has worked directly with more than 100 large organizations in planning such efforts. Prior to Rsam, Kevin led Information Security, Risk Assessment, and Compliance Management efforts for Fortune 500 clients in Healthcare, Entertainment, & Financial Services through Computer Horizons Corporation (a $500m consulting company). Kevin is a CISSP and author of "Inside the Security Mind", published by Prentice-Hall 2003. Kevin holds a bachelor's degree in Music from University of Nevada, Reno.

Site: http://www.relationalsecurity.com/Rsam_Releases_Latest_Version_of_GRC_Software.htm
"Rsam technology and innovation continues to evolve through our vast implementation experience and Rsam v7 is a product of the direct feedback received from our customers," said Kevin Day, CTO of Rsam.

Site: http://www.rsam.com/Rsam_Releases_Latest_Version_of_GRC_Software.htm
"Rsam technology and innovation continues to evolve through our vast implementation experience and Rsam v7 is a product of the direct feedback received from our customers," said Kevin Day, CTO of Rsam.

Site: http://www.rsam.com/pdf/RELSEC_RELEASE_08_FORRESTER_WAVE.pdf
Secaucus, NJ – July 2008: Relational Security Corporation, provider of the industry's most ... added Kevin Day, CTO of Relational Security. " RSAM™'s sound risk ...

Site: http://www.rsam.com/pdf/RSAM_6.0_Release_Notes.pdf
© Relational Security Corporation | www.relsec.com | page 1 of 1 ... automate the management of data and workflow," said Kevin Day, CTO of Relational Security. ...
full member
Activity: 196
Merit: 100
June 21, 2011, 01:24:44 AM
I don't know how everyone bought that hacker story. The so-called hacker should have known a couple of things - like the account name and the amount of BTC in it. And that information leak is not Mt. Gox's fault.

I see two possible options:
Nothing is rolled back - except providing better account security, Mt. Gox should not cover losses or cut profits.
Mt. Gox fills the accounts who sold their coins again, and leaves anyone who profited from the "attack" richer than before. Mt. Gox gets poorer.

In both cases the 250k BTC account holder gets the money "the hacker" couldn't withdraw. Anything else is his fault - even the fact I can't sell my BTC right now. Kevin keeps his BTC.

And no, I was not there, I bought nothing, my account holds $0.01 and my password is strong by accident.
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
June 21, 2011, 01:22:02 AM
If you don't offer a deal to keep your users happy, expect a bank run.

That's what the rollback is. Primarily, I think, because they don't have the funds to make the users whole any other way. (at a guess, because all of their funds are sitting in Kevin's account). They can still expect users to flee in droves.

Can we please move past the whole "KEVIN IS TRYING TO KEEP TEH MONIES!!!" posts?

I've yet to be responded to by Kevin on that, but Yes, I think we can get past that.

Quote
If you think a rollback is a good idea not knowing the entirety of the situation - that's fine, that's an opinion you can certainly hold and it may even hold some merit.  However, I want to really know if this what you truly want?

I think a rollback is the first step. Put things back to before the crash. In fact, I would suggest a transaction-by-transaction examination of (at least) the last week. We need a disinterested 3rd party to do this. NOT Kevin, and NOT MT. I have no idea who, but I do not envy their headaches.
full member
Activity: 169
Merit: 100
June 21, 2011, 01:12:20 AM
full member
Activity: 155
Merit: 100
June 21, 2011, 01:10:48 AM
TBH, I think I missed that thread. I'm not saying MtGox is in the clear here. I am by no means on their side. From the facts that I have seen, it looks like the hacker, whoever (s)he is, got a hold of MtGox's master account, and tried to drop the market in an attempt to clean it out. Kevin lucked into a huge pile of that, which must have felt like scratching off that third pot of gold, but since it was the result of a hack, he doesn't get to keep them. Sorry, Kevin. MtGox smells pretty fishy, and I'm likely not going to use them anymore, but first, let's get everyone made whole.

Can we please move past the whole "KEVIN IS TRYING TO KEEP TEH MONIES!!!" posts?

No. Stop.  Kevin is saying that MTGOX IS LYING TO YOU.  Until the FACTS actually are revealed, why the hell should *any* action be taken yet?  Who the hell knows how far deep this goes, and how far back it goes.  I'd bet my life savings that someone has been quietly (likely more than one someone) exploiting these holes for months, and made off with a decent amount of loot undetected.  Does this fact not concern anyone?  What effect on trading prices has this historically had?  What is the scope of the problem in terms of bitcoins/dollars generated from this activity?  Did these coins even exist in the first place, or were they simply added via SQL injection to someone's balance?

This is NOT (only) a compromised password problem.  This has been as proven as it possibly can be without MtGox directly stating the facts as they happened themselves.  So why are they continuing to state this is the case? WHAT is the agenda?  Why the rush to rollback?  Why the rush to immediately after the hack call it a compromised password (the first clue this claim was BS - he had no realistic way of knowing at that time yet - post-mortems are excruciatingly both boring and generally take quite some time to really unravel anything, and usually then it's difficult to put all the pieces together sometimes if the attacker was careful)?

If you think a rollback is a good idea not knowing the entirety of the situation - that's fine, that's an opinion you can certainly hold and it may even hold some merit.  However, I want to really know if this is what you truly want?  To me, it seems like a completely bizarre stance I'm trying to understand.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 21, 2011, 01:06:51 AM
I believe that actually Kevin doesn't have to give back any of it.
He purchased them in good faith. Even if the market was crashing, I would have purchased it if I saw the opportunity.

  • Now, even if it is within his right to keep them, IF the money belonged to MTGOX (and not a user, but actually the main fund of MTGOX, which seems to be more plausible the more I think) then I guess that for the betterment of the economy and its stability, Kevin should give it back to MtGoX.
    In exchange for returning them, MtGox should give a compensation for the act of good faith and allow Kevin to keep the withdrawn amount.
  • If the account was a personal one, Kevin has less obligation to give it back to the owner of it. When you make the wrong call playing poker you can't undo it, if you fucked it up, you fucked it up. Period.
    But still, it would be a nice gesture, and this would be totally from Kevin's generosity, if Kevin gives back partially or totally to the previous owner. A generous compensation for this gesture would be appropriate.

BUT, Kevin has all the rights to keep it and not give it back to anyone. He would be a total asshole by behaving like that, but it is his right.
Now, everything depends on his will.

MtGox shouldn't rollback shit.
The least MtGox can do is compensate all users for this scandal and for their negligence/incompetence.
The leaked userbase is embarrassing enough, and that needs a fair compensation to all of us who entrusted this site with our money, and in some cases, our life savings (it doesn't matter if trusting one's savings to them is an unsound judgement, the point here is that our trust has been broken).

It takes decades to build trust, and only one second to break it.

Usually, one never recovers full trust with a person, but doing good deeds can help to reestablish the relationship.
I hope MtGox understands here that more than profit, trust is actually the backbone of a business.
If you don't offer a deal to keep your users happy, expect a bank run.
member
Activity: 90
Merit: 12
June 21, 2011, 12:59:54 AM
Awesome. You found a 10 year old picture of me with Mark Hamill, that someone photoshopped. Can we PLEASE get back to something serious? I'm honestly trying to help all of you.
full member
Activity: 168
Merit: 100
June 21, 2011, 12:58:00 AM
newbie
Activity: 39
Merit: 0
June 21, 2011, 12:52:14 AM
Hey Kevin, thanks for mk IV

Sincerely,

Pitchforkmedia smackdown
In 1999, I was working for Midway Games. You can see my name in the credits under "Special Thanks" for the arcade version of Mortal Kombat 4, as the above poster was mentioning. You can see my name in the credits for the arcade (and some home versions) of Cruisin' World, Cruisin' Exotica, Maximum Hangtime, NBA Showtime, NFL Blitz, Touchmaster, Touchmaster Infinity, and more I'm probably forgetting now.

A million thanks for MK 4!

/topic

Mt Gox can't tell the head from the tail.
Why would a hacker sell then buy what he hacked? I hope they are not thinking of this as laundering.
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
June 21, 2011, 12:47:47 AM
TBH, I think I missed that thread. I'm not saying MtGox is in the clear here. I am by no means on their side. From the facts that I have seen, it looks like the hacker, whoever (s)he is, got a hold of MtGox's master account, and tried to drop the market in an attempt to clean it out. Kevin lucked into a huge pile of that, which must have felt like scratching off that third pot of gold, but since it was the result of a hack, he doesn't get to keep them. Sorry, Kevin. MtGox smells pretty fishy, and I'm likely not going to use them anymore, but first, let's get everyone made whole.
full member
Activity: 168
Merit: 100
June 21, 2011, 12:43:21 AM
member
Activity: 90
Merit: 12
June 21, 2011, 12:38:30 AM
Hey Kevin, thanks for mk IV

Sincerely,

Pitchforkmedia smackdown

This is actually a surprisingly useful post. Over here, the Kevin Day security researcher/book author says:

Quote
I came into Information Security Consulting about 9 years ago, and was hired by a New York based consulting company in 1999.

In 1999, I was working for Midway Games. You can see my name in the credits under "Special Thanks" for the arcade version of Mortal Kombat 4, as the above poster was mentioning. You can see my name in the credits for the arcade (and some home versions) of Cruisin' World, Cruisin' Exotica, Maximum Hangtime, NBA Showtime, NFL Blitz, Touchmaster, Touchmaster Infinity, and more I'm probably forgetting now.

See this ancient slashdot thread from 1999 where I'm posting under the name "toastyman" and saying I'm a Midway employee.

Now can we stop arguing about whether I have or have not written a book about IT security, and get back to "I think Mt Gox is acting on something big without telling anyone the full story"?

full member
Activity: 155
Merit: 100
June 21, 2011, 12:38:12 AM
Sorry Kevin, but you coming here and 'coming clean' when so many people lost tons of money and shortly will lose tons more when MtGox lets it be known that they are insolvent is sorta like going to a den of lions dressed like this:

Er.. who are these "many people" that lost money?  MT has stated that only a single account was hacked and the contents sold off for cheap.

Sounds like a lot of people possibly *made* money, and 1 person lost it.  If you go by MT's explanation of course.

Now, I don't believe MT's explanation to be anything resembling reality, so you may actually have a point!