Topic: I'm Kevin, here's my side. - page 9. (Read 258581 times)

Think a little bit harder on that one, guy.

Look at the broader picture. If they allow $10,000 USD worth of BTC to slip out for less than it's worth they get SIGNIFICANTLY LESS fees. By rolling back, and protecting potentially $5M+ USD, they stand to make tens of thousands more in transaction fees when the BTC are sold for a higher price. Obvious troll chooses more all the time. While the customer relations aspect could keep (possibly earn) them customers (as any business management course would teach) if they did the right thing... We all know how greed works.

We absolutely agree on the 3rd party audit, this needs to happen.  I think we simply disagree on the time frames involved here.  I'd like, before we roll back, to actually know if we should roll back just this one 500,000 btc trade, or if there have been dozens, hundreds, or thousands of illegitimate trades for much smaller amounts of bitcoins that no one noticed?  Does the community just pretend these didn't happen and simply move on?  I honestly don't really have a good answer or solution here since no one knows the extent of the problem.  And this is why the rollback as a concept really concerns me.  MtGox is picking an arbitrary transaction to roll back from - granted an extraordinary transaction that had a large amount of publicity and upset users.  One thing I've learned from operating sites that are high profile targets for attack, is that if you do notice someone exploiting a hole - usually you can go back in forensics and see other people exploiting that hole in a much more quiet and smart manner.  Sometimes these attacks go back years, before being noticed.

I understand you're trying to get back to normalcy as quickly as possible, and that does make sense and I wish for it too.  I actually agree that a rollback is a good idea, if it can be relatively certain we know it will actually fix anything other than simply giving 500k btc back to mtgox, and then we go on merrily being robbed from unknowingly by some other (very likely to exist with the state this code is apparently in) exploit until someone comes along and fucks it up for the smart hackers again by drawing attention.  Rinse and repeat.

I stated this in IRC, so you don't think I'm making up hypothetical concerns here.  I trade bitcoins for cash, locally in person by executing a real-time trade on MtGox and letting them watch, to ensure I'm not charging them any more/less than up-to-the-minute market rate.  I get cash, they get bitcoins sent from MtGox to their wallet address.

If a rollback can happen now at any time, how am I to conduct this business any longer?  I could be buying "stolen" bitcoins unknowingly, and have them taken from my account at a later date (how long do I have to wait for the transaction to "clear"?).  I am now out real money, since I conduct an actual business that will make my customers whole in the event of one of my vendors making a mistake.  It's the right thing to do.

I simply want to know the extent of the problem, the fixes being implemented, and the policy/plan for such situations moving forward.  I personally believe MtGox has lost their "right" to claim privacy/business secrets on this one as they've already lost the benefit of the doubt by having their entire database stolen.  Considering none of these answers have been forthcoming, I think it's starting to become obvious this problem is quite a bit more complicated than a simple hacked account.  Once answered (and answered truthfully this time, if that's even a possibility any longer) I can then evaluate my risk exposure based on legitimate and truthful information, which I currently cannot do.

It's fairly easy to see who has a horse in this race and most likely bought coins for cheap during the selloff. Sorry guys, but big time exchanges break trades even when all the trades are executed according to the explicit instructions of the trader. And the SEC allows the exchanges to define these rules:

http://www.cbsnews.com/stories/2010/06/17/business/main6592645.shtml

This MTGOX scenario has the added condition of criminality, including unauthorized access. It's beyond absurd that some of you think these trades should be honored. It's shows a shocking level of trading amateurism on the boards.

Moral hazard, anyone?
https://secure.wikimedia.org/wikipedia/en/wiki/Moral_hazard

This is an amateur currency FFS. You should be thanking MtGox for pushing boundaries and getting this currency to where it would never be before.

BTC is essentially reliant on entrepreneurs and with this, there are always great risks.

Kevin,

No matter what the MT Gox website says, they are not going to volumtarily take a 5 million dollar hit, even if its 100% their own fault.

MT Gox will not bow to community pressure when 5 million bucks is on the line.

Not that there is significant pressure to begin with, since the majority of the public opinion is in support of the rollback do over.

We love our money. We work hard for it. We want our money protected and given back to us if its taken away. Thats where the opinion is.

My advice to you would be to consult with an attorney. If he sees feasibility in moving forward, you will probably need to hire one in japan as well to work with your US attorney. MT Gox may very well hold fiduciary responsibility in honoring your trades, barring any unknown laws regarding fraud, theft, unregulated trade and commidities speculation. The very least that could happend would be a judge refusing to hear the case or throw it out. The best that could happen is that the bitcons and/or financial assets are frozen until case disposition.

With their servers in the USA, their operations in Japan, and doing world-wide trading, its hard to tell what jurisdictional relief you may have.

When a company does not adhere to their own terms and policies, the only recourse is through the courts.

This should absolve you of my claims you are the other Kevin Day. But you could still be the hacker.

References
Site: http://www.relationalsecurity.com/company_team.htm
Kevin Day - Founder & CTOKevin is the Founder and Chief Technology Officer of Rsam.Kevin has over 10 years of experience in Information Security & Risk Assessment consulting and has worked directly with more than 100 large organizations in planning such efforts.Prior to Rsam, Kevin led Information Security, Risk Assessment, and Compliance Management efforts for fortune 500 clients in Healthcare, Entertainment, & Financial Services through Computer Horizons Corporation, (a $500m consulting company).Kevin is a CISSP and author of "Inside the Security Mind" , published by Prentice-hall 2003.Kevin holds a bachelor's degree in Music from University of Nevada, Reno.

Site: http://www.relsec.com/company_team.htm
Kevin Day - Founder & CTOKevin is the Founder and Chief Technology Officer of RSAM.Kevin has over 10 years of experience in Information Security & Risk Assessment consulting and has worked directly with more than 100 large organizations in planning such efforts.Prior to RSAM, Kevin led Information Security, Risk Assessment, and Compliance Management efforts for fortune 500 clients in Healthcare, Entertainment, & Financial Services through Computer Horizons Corporation, (a $500m consulting company).Kevin is a CISSP and author of "Inside the Security Mind" , published by Prentice-hall 2003.Kevin holds a bachelor's degree in Music from University of Nevada, Reno.

Site: http://www.rsam.com/company_team.htm
Kevin Day - Founder & CTOKevin is the Founder and Chief Technology Officer of Rsam.Kevin has over 10 years of experience in Information Security & Risk Assessment consulting and has worked directly with more than 100 large organizations in planning such efforts.Prior to Rsam, Kevin led Information Security, Risk Assessment, and Compliance Management efforts for fortune 500 clients in Healthcare, Entertainment, & Financial Services through Computer Horizons Corporation, (a $500m consulting company).Kevin is a CISSP and author of "Inside the Security Mind" , published by Prentice-hall 2003.Kevin holds a bachelor's degree in Music from University of Nevada, Reno.

Site: http://www.relationalsecurity.com/Rsam_Releases_Latest_Version_of_GRC_Software.htm
"Rsam technology and innovation continues to evolve through our vast implementation experience and Rsam v7 is a product of the direct feedback received from our customers," said Kevin Day, CTO of Rsam.

Site: http://www.rsam.com/Rsam_Releases_Latest_Version_of_GRC_Software.htm
"Rsam technology and innovation continues to evolve through our vast implementation experience and Rsam v7 is a product of the direct feedback received from our customers," said Kevin Day, CTO of Rsam.

Site: http://www.rsam.com/pdf/RELSEC_RELEASE_08_FORRESTER_WAVE.pdf
Secaucus, NJ – July 2008: Relational Security Corporation, provider of the industry's most ... added Kevin Day, CTO of Relational Security. " RSAM™'s sound risk ...

Site: http://www.rsam.com/pdf/RSAM_6.0_Release_Notes.pdf
© Relational Security Corporation | www.relsec.com | page 1 of 1 ... automate the management of data and workflow," said Kevin Day, CTO of Relational Security. ...

I don't know how everyone bought that hacker story. The so called hacker should knew couple of things - like account name and the amount of BTC in it. And that information leak is not Mt. Gox fault.

I see two possible options:
Nothing is rolled back - except providing better account security, Mt. Gox should not cover losses or cut profits.
Mt. Gox fills the accounts who sold their coins again, and leaves anyone who profited from the "attack" richer than before. Mt. Gox gets poorer.

In both cases the 250k BTC account holder gets the money "the hacker" couldn't withdraw. Anything else is his fault - even the fact I can't sell my BTC right now. Kevin keeps his BTC.

And no, I was not there, I bought nothing, my account holds $0.01 and my password is strong by accident.

That's what the rollback is. Primarily, I think, because they don't have the funds to make the users whole any other way. (at a guess, because all of their funds are sitting in Kevin's account). They can still expect users to flee in droves.


I've yet to be responded to by Kevin on that, but Yes, I think we can get past that.


I think a rollback is the first step. Put things back to before the crash. In fact, I would suggest a transaction-by-transaction examination of (at least) the last week. We need a disinterested 3rd party to do this. NOT Kevin, and NOT MT. I have no idea who, but I do not envy their headaches.

Can we please move past the whole "KEVIN IS TRYING TO KEEP TEH MONIES!!!" posts?

No. Stop.  Kevin is saying that MTGOX IS LYING TO YOU.  Until the FACTS actually are revealed, why the hell should *any* action be taken yet?  Who the hell knows how far deep this goes, and how far back it goes.  I'd bet my life savings that someone has been quietly (likely more than one someone) exploiting these holes for months, and made off with a decent amount of loot undetected.  Does this fact not concern anyone?  What effect on trading prices has this historically had?  What is the scope of the problem in terms of bitcoins/dollars generated from this activity?  Did these coins even exist in the first place, or were they simply added via SQL injection to someone's balance?

This is NOT (only) a compromised password problem.  This has been as proven as it possibly can be without MtGox directly stating the facts as they happened themselves.  So why are they continuing to state this is the case? WHAT is the agenda?  Why the rush to rollback?  Why the rush to immediately after the hack call it a compromised password (the first clue this claim was BS - he had know realistic way of knowing at that time yet - post-mortems are excruciatingly both boring and generally take quite some time to really unravel anything, and usually then it's difficult to put all the pieces together sometimes if the attacker was careful)?

If you think a rollback is a good idea not knowing the entirety of the situation - that's fine, that's an opinion you can certainly hold and it may even hold some merit.  However, I want to really know if this is what you truly want?  To me, it seems like a completely bizarre stance I'm trying to understand

I believe that actually Kevin doesn't have to give back any of it.
He purchased them in good faith. Even if the market was crashing, I would have purchased it if I saw the opportunity.

• Now, even if it is on his right to keep them, IF the money belonged to MTGOX (and not a user, but actually the main fund of MTGOX, which seems to be more plausible the more I think) then I guess that for the betterment of the economy and its stability, Kevin should give it back to MtGoX.
  In exchange of the devolution, MtGox should give a compensation for the act of good faith and allow Kevin to keep the withdrawn amount
• If the account was a personal one, Kevin has less obligation to give it back to the owner of it. When you make the wrong call playing poker you can't undo it, if you fucked it up, you fucked it up. Period.
  But still, it would be a nice gesture, and this would be totally from Kevin's generosity, if Kevin gives back partially or totally to the previous owner. A generous compensation for this gesture would be appropriate.
  

BUT, Kevin has all the rights to keep it and not giving it back to anyone. He would be a total asshole by behaving like that, but it is in his right.
Now, everything depends on his will.

MtGox shouldn't rollback shit.
The least thing that MtGox can do is to compensate to all users for this scandal and for they negligence/incompetence.
The leaked userbase is embarrassing enough, and that needs a fair compensation to all of us who entrusted this site with our money, and in some cases, our life savings (doesn't matter if trusting one's savings is a unsound judgement, the point here is that our trust has been broken).

It takes decades to build trust, and only one second to break it.

Usually, one never recovers full trust with a person, but doing good deeds can help to reestablish the relationship.
I hope MtGox understands here that more than profit, trust is actually the backbone of a business.
If you don't offer a deal to keep your users happy, expect a bank run.

Awesome. You found a 10 year old picture of me with Mark Hamill, that someone photoshopped. Can we PLEASE get back to something serious? I'm honestly trying to help all of you.

A million thanks for MK 4!



/topic

Mt Gox can't tell the head from the tail.
Why would a hacker sell then buys what he hacked? I hope they are not thinking of this as laundry.

TBH, I think I missed that thread. I'm not saying MtGox is in the clear here. I am by no means on their side. From the facts that I have seen, It looks like the hacker, whoever (s)he is, got a hold of MtGox's master account, and tried to drop the market in an attempt to clean it out. Kevin lucked into a huge pile of that, Which must have felt like scratching off that third pot of gold, But since it was the result of a hack, he doesn't get to keep them. Sorry, Kevin. MtGox smells pretty fishy, and I'm likely not going to use them anymore, but first, let's get everyone made whole.

This is actually a surprisingly useful post. Over here, the Kevin Day security researcher/book author says:


In 1999, I was working for Midway Games. You can see my name in the credits under "Special Thanks" for the arcade version Mortal Kombat 4, as the above poster was mentioning. You can see my name in the credits for the arcade (and some home versions) of Cruisin' World, Crusin' Exotica, Maximum Hangtime, NBA Showtime, NFL Blitz, Touchmaster,  Touchmaster Infinity, and more I'm probably forgetting now.

See this ancient slashdot thread from 1999 where I'm posting under the name "toastyman" and saying I'm a Midway employee.

Now can we stop arguing if I have or have not written a book about IT security, and get back to "I think Mt Gox is acting on something big without telling anyone the full story"?

Er.. who are these "many people" that lost money?  MT has stated that only a single account was hacked and the contents sold off for cheap

Sounds like a lot of people possibly *made* money, and 1 person lost it.  If you go by MT's explanation of course.

Now, I don't believe MT's explanation to be anything resembling reality, so you may actually have a point!