
Topic: Instawallet claim process - page 38. (Read 79281 times)

legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
April 11, 2013, 04:21:45 AM
Goody! We get to play hide-and-seek now. http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Since we weren't around for the coin toss, they got to choose to hide first. And as we cry, "Alle, alle auch sind frei!", they hide some more.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
April 11, 2013, 04:03:58 AM

A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...

I did a little historical reading and captured a few things of interest.  Does not look like Jan ever open-sourced things.

  https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history

Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain-text.  Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.

Reminder to self:  If someone claims a 'military grade server', run, don't walk away from the bozo.




Read link. Looks to me somebody finally wanted to get paid for all the free services they been providing. What better way to do that than to yell HACKED! My only beef now is that they didn't even bother to use vaseline, albeit I enjoyed the sex.

Now, for the umpteenth time--POLICE REPORT NUMBER. Let me give you a hint as to what we're asking for: When you contacted the police about the hack, they filled out a form. That form has a number on it. You received a copy. Just give us the number and we will know the rest.

If you can't do that, don't bother coming here and posting bullshit like it-was-a-free-service-so-it-doesn't-count.
hero member
Activity: 868
Merit: 1000
April 11, 2013, 04:01:13 AM

Given that Boussac refuses to give even his real name and position at Paymium, I think it is highly unlikely he will address this question here (it was asked in my original list of 12). Paymium's CTO will definitely have to address this in the soon to follow legal enquiry if they insist on not addressing it publicly here.

I still hope that they do address it here, as I personally want Paymium to prosper, and be a respected part of the Bitcoin community. Let's hope. Boussac has a couple of hours yet...

In my opinion this is giving us an indication of how they'd behave if one of the services they didn't operate for free suffered losses and it definitely doesn't inspire confidence.
full member
Activity: 172
Merit: 100
April 11, 2013, 03:29:23 AM

A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...

I did a little historical reading and captured a few things of interest.  Does not look like Jan ever open-sourced things.

  https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history

Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain-text.  Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.

Reminder to self:  If someone claims a 'military grade server', run, don't walk away from the bozo.



Thanks for this - will come in handy.

If Paymium did in fact hold the wallet URLs on their server in an unencrypted format then this would amount to gross negligence in my opinion. It is unthinkable to me that anyone in this business could even consider doing that for a second. And yet this is what they seem to be suggesting. So...

Option 1: They held the whole wallet URL in plain text, which is what the "hacker" got hold of, and is now why it is unsafe to have the site up. This means they are a bunch of clowns from a technical point of view, and should not be trusted around Bitcoins at all. And are liable for grossly negligent behaviour (bordering on criminally negligent behaviour given that they were holding other peoples money in trust).

OR

Option 2: The wallet URL database was properly encrypted and secured (as one would naturally expect - without even being technically minded). This then raises the obvious question of how the fuck any "hacker" could do anything with it?? And points to the possibility that there was no hack at all and the whole thing is made up.

Given that Boussac refuses to give even his real name and position at Paymium, I think it is highly unlikely he will address this question here (it was asked in my original list of 12). Paymium's CTO will definitely have to address this in the soon to follow legal enquiry if they insist on not addressing it publicly here.

I still hope that they do address it here, as I personally want Paymium to prosper, and be a respected part of the Bitcoin community. Let's hope. Boussac has a couple of hours yet...
hero member
Activity: 756
Merit: 1000
April 11, 2013, 02:43:01 AM
Boussac has been online again and has not responded to the questions.
legendary
Activity: 4690
Merit: 1276
April 10, 2013, 11:00:20 PM

A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...

I did a little historical reading and captured a few things of interest.  Does not look like Jan ever open-sourced things.

  https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history

Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain-text.  Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.

Reminder to self:  If someone claims a 'military grade server', run, don't walk away from the bozo.

legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
April 10, 2013, 04:23:19 PM
Sadly, I just learnt why this forum is lagging today from so many users--the price dropped.

After I first started using IW due to sales of leather products by Martin, I eventually amassed over 1,000 bitcoins spread over two wallets (at the time). I was able to afford to lose them then at the lower price point, and paid them no mind as the price slowly rose. Most recently, I split the wallet's contents up into other IW wallets settling them back into only two wallets, one of which being a whole number, the other containing decimals. Recently, a third wallet was created and funded, having less than a full bitcoin in it.

The main wallet I vowed to myself not to touch, letting it grow. Basically, the same for the second wallet containing ~10% of the first, with the intention of making another purchase of some kind.

Thanks to InstaWallet going down and not having access to my funds, I never had the opportunity to cash out, and still can't. Meanwhile, the owners can't even provide us a police report they so claim exist.

Currently, I have ~$100,000 worth of barn wood in storage. If the building burned now and I lost it all due to not having insurance (which I do not), it wouldn't faze me. But a police report would have been made if arson is expected, especially if I was storing a client's paid order, they would demand to see such a report. Said client can easily assume I resold his wood to some other prior to the fire and is looking for some sort of reassurance, albeit it wouldn't be much.

No motherfuckin' way would I email the client back and tell him that I was providing a free service by storing his paid for lumber and rest assure that delivery is forthcoming.

About a couple three weeks ago I was concerned about IW, but was reassured all is well, hence putting my concerns on the back burner. Two days after this mess started was when I got wind of this episode. Since then, I've seen nothing promising coming from the IW camp--only promises.

Thanks to only having URLs stored on Chrome, not even knowing two of the Bitcoin addresses, I'm not feeling good about my prospects. Each time I transferred, BlockChain showed the wallet containing $0 and immediately moved to a different IW wallet address even though the site showed my dollar amount the same. Fuck, I could set up the same type of system, but now thanks to IW nobody would fall for my scam. Then again there's still hope due to seeing people defending every new ASIC vaporware that comes on the market.

I've yet to read what the heck is going on at Mt. Gox today, but I'll assume it's not good. This no look like a good day for Bitcoin, but I have Butterfly Faith that This Too Will Pass.

~Bruno K~

PS: (opted not to proofread--apologies)

EDIT: Just looked at the Mt. Gox price for the first time today and see that it's going back up. Will now hunt down and read what happened today. Glad to see my VaporCoins™ are gaining value again.
full member
Activity: 172
Merit: 100
April 10, 2013, 01:52:39 PM
...
Of course, more specifically, Boussac is also persisting in withholding his real name and present formal relationship to Paymium.
...

You bring up a good point.  I would say that from a legal perspective nothing communicated to or by 'Boussac' has any meaning.  Paymium could always just say 'Boussac at bitcointalk.org?  Never heard of the guy' if we are unfortunate enough to need to take this thing any distance.

I think that all communications should go through official channels starting at whatever can be obtained from the Paymium family of web sites and including any e-mail addresses which are referenced through official e-mails or snail-mails from them.

I am sorry to report that so far I have gotten no bites on my solicitation for the initial legal work associated with ensuring that police reports have been filed.  I think it is time to explore other more mainstream channels.  I would appreciate assistance from any user in France who may have the ability to help identify and evaluate potential legal assistance.

I have also set up the following:

  https://sites.google.com/a/tcilgl.com/paymium/

I would like to publish as much information obtained by the community as possible which may be helpful in our efforts.

I would also love it if someone else had a better idea or wished to take a management role in this effort.  I suck at management and hate it and have a lot of other things I would rather do, but I don't want to let this thing just die away.  Crooks believe (correctly) that they can shit all over the Bitcoin userbase and get away with it without a fight.  This is wrong and bad for the ecosystem and it pisses me off and I feel some desire to see it change even if I have to put in some effort.



This is why it was my first question. The whole thing is meaningless without identity confirmed. Paymium appears to have no phone number and only one email address - which it is impossible to get a response from. They appear not to even have proper offices. Looks like all smoke and mirrors to me at this point.

And I'm sure this is why Boussac, whoever he is, is avoiding these questions. Still, criminal charges filed against the listed directors of Paymium will likely bring them out into the light.
legendary
Activity: 4690
Merit: 1276
April 10, 2013, 01:06:41 PM
...
Of course, more specifically, Boussac is also persisting in withholding his real name and present formal relationship to Paymium.
...

You bring up a good point.  I would say that from a legal perspective nothing communicated to or by 'Boussac' has any meaning.  Paymium could always just say 'Boussac at bitcointalk.org?  Never heard of the guy' if we are unfortunate enough to need to take this thing any distance.

I think that all communications should go through official channels starting at whatever can be obtained from the Paymium family of web sites and including any e-mail addresses which are referenced through official e-mails or snail-mails from them.

I am sorry to report that so far I have gotten no bites on my solicitation for the initial legal work associated with ensuring that police reports have been filed.  I think it is time to explore other more mainstream channels.  I would appreciate assistance from any user in France who may have the ability to help identify and evaluate potential legal assistance.

I have also set up the following:

  https://sites.google.com/a/tcilgl.com/paymium/

I would like to publish as much information obtained by the community as possible which may be helpful in our efforts.

I would also love it if someone else had a better idea or wished to take a management role in this effort.  I suck at management and hate it and have a lot of other things I would rather do, but I don't want to let this thing just die away.  Crooks believe (correctly) that they can shit all over the Bitcoin userbase and get away with it without a fight.  This is wrong and bad for the ecosystem and it pisses me off and I feel some desire to see it change even if I have to put in some effort.

full member
Activity: 172
Merit: 100
April 10, 2013, 09:48:17 AM
Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

Maybe once the claims process is opened they will be helped, and perhaps faster than others since the 90 day period is only for the sub-50 BTC ones.

Also, they might be planning on replenishing the stolen ones out of their own pocket, or maybe they were just talking about bitcoin-central. Realistically, as long as a small number of coins were stolen, all wallets should be able to be reimbursed, due to the number of wallets that will never be claimed.

On the lack of a police report number, they could just not want to make such a thing public, but especially their lack of even an explanation for a lack of a police report number makes this the point where I kind of cross over from trying to provide valid defenses, to just playing devil's advocate.

Boussac, seriously. At least acknowledge the requests for a police report number? Apologies if you have, I haven't read every post.

He has not once acknowledged that question (now put to him repeatedly by many different forum members), let alone answered it.

And, in my opinion, there can be no sane, rational or legal reason to not provide that information. Especially in light of the problems the withholding of that information is causing.

Of course, more specifically, Boussac is also persisting in withholding his real name and present formal relationship to Paymium.

All suspicious activities. Or perhaps he just has a raging ego and cannot take being "told" what to do (or even respond to a request he does not feel like answering). Either way it is grossly unprofessional, in bad faith, and will do endless harm to Paymium's reputation.

Boussac, I ask you again - respectfully, humbly, amicably and in good faith:

Would you please give your real name, your current position at Paymium, and the police report file number (or other verifiable proof that Paymium has actually filed a case with the police).

So simple...
full member
Activity: 224
Merit: 100
April 10, 2013, 09:45:01 AM
I see no claim in process.
Am I looking the wrong way?
It's been quite some time.

As Boussac said, the claim is scheduled to open up April 12th. So far, things are as far as anyone outside of Instawallet knows, on schedule.

UPDATE

We are currently developing and preparing the online claim form.  
We appreciate your patience as we work with limited resources.  
We regret not being able to do more as Instawallet was a free service (zero fees) and could not pay for additional resources.  
However, we would like to reassure you that we will have the claims processed in due time, by the end of the initial 90-day period.  
The claim form is scheduled for delivery by Friday, April 12th.
full member
Activity: 224
Merit: 100
April 10, 2013, 09:38:28 AM
Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

Maybe once the claims process is opened they will be helped, and perhaps faster than others since the 90 day period is only for the sub-50 BTC ones.

Also, Instawallet might be planning on replenishing the stolen ones out of their own pocket, or maybe they were just talking about bitcoin-central. Realistically, as long as a small number of coins were stolen, all wallets should be able to be reimbursed, due to the number of wallets that will never be claimed.

On the lack of a police report number, they could just not want to make such a thing public, but especially their lack of even an explanation for a lack of a police report number makes this the point where I kind of cross over from trying to provide valid defenses, to just playing devil's advocate.

Boussac, seriously. At least acknowledge the requests for a police report number? Apologies if you have, I haven't read every post.

Edit: Now I have.

Also, I should note that I still am not too worried about Instawallet, just because they are doing poorly in one area of dealing with this does not necessarily mean they are fully lying.
member
Activity: 86
Merit: 10
April 10, 2013, 09:32:58 AM
I see no claim in process.
Am I looking the wrong way?
It's been quite some time.
full member
Activity: 172
Merit: 100
April 10, 2013, 09:08:52 AM
Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?

To clarify: I have screenshots of all the Paymium pages as they evolved during the down time, as well as the trail of my coins through the blockchain from my Instawallet accounts to Paymium's various cold storage wallets. But not screen shots of my open Instawallet accounts. (There would have been no reason to take these.)

And yes the continued avoidance of supplying the police report number remains. I hope Boussac will simply just provide it and thereby avert a messy situation.

Of course if Paymium is just flat out lying about this then they are understandably in a difficult position. Fraud charges against directors and loss of all credibility in the Bitcoin community would follow swiftly.

The fact that this basic detail is not being supplied sadly points to the fact that they are lying. However, I intend to maintain positivity until noon tomorrow, at which point I will be taking legal action good and proper.
legendary
Activity: 1001
Merit: 1005
April 10, 2013, 08:54:58 AM
And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?
I think what they are implying that coins were stolen from instawallet but bitcoin-central's coins were not stolen. I may have misunderstood.
hero member
Activity: 868
Merit: 1000
April 10, 2013, 08:48:46 AM
Tronlet: Many good points. Since I don't have data about the site, I have no idea how many users there are on this service.

At least there's one very outspoken member of the community on this thread claiming he has 100 BTC outstanding, and that he has screenshots of everything, why could not people like that be helped at the very least ?

Also, no police report number ?

And at one point they claim that bitcoins are stolen, yet later they claim everybody's bitcoins are safe. Which is it ?
legendary
Activity: 4690
Merit: 1276
April 10, 2013, 04:11:25 AM
An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.
Why would that be the case? If you stored strong salted hashes of the URI keys, then it would be next to impossible for the attacker to brute force valid URIs out of your DB. The fact that the actual keys appear to be stolen and you set up a long time (3 months) instead of a short time for claims process raises suspicion.

Please do officially confirm that you did not store the secret in plain text on a webserver.

Also, how do you store user passwords in other Paymium services? Thanks.

A little history (as I understand it):

'Instawallet' was conceived of and implemented by a user named ~jav.  He seemed to me like a pretty straight up guy.

~jav got tired of it and/or busy and ~davout adopted it because 'it was too cool to let die' or something along those lines.  I don't recall if I started using it before or after this switch.

It would make perfect sense to me if ~jav never really put in the effort to adequately secure the thing.  It would be a good reason to drop it since such work would be tedious.  Remember, back in those days BTC were not worth anything near what they are today.

It would also make sense that ~davout never got around to either evaluating the implementation, or doing the necessary security work (assuming he was even capable.)  He has likely been very busy with other projects.  In short, it would not surprise me if it were true that theft of the database would result in loss of the URL's.

As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified.  A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.

---

But, as I said in the other note, the ONLY thing that adequately explains the evasiveness about the supposed police report is that it is bullshit.  And the only thing that adequately explains them lying about that is that they are, in fact, the perps.

This in turn means that they have all the URL's and all the coins and the mythical 'attackers' do not.  They could give all of them back at any time if they so chose.

newbie
Activity: 19
Merit: 0
April 10, 2013, 03:13:41 AM
An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e wallets, have been compromised and are no longer safe to store bitcoins.
Why would that be the case? If you stored strong salted hashes of the URI keys, then it would be next to impossible for the attacker to brute force valid URIs out of your DB. The fact that the actual keys appear to be stolen and you set up a long time (3 months) instead of a short time for claims process raises suspicion.

Please do officially confirm that you did not store the secret in plain text on a webserver.

Also, how do you store user passwords in other Paymium services? Thanks.
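
The storage scheme the post above asks about, as an added example that is not part of the thread and is not Instawallet's code: a table that keeps the secret URL token as-is next to one that keeps only a salted hash of it, with a check of what a copy of each table yields. The class names, the `selector.verifier` token layout and the sample balances are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PlaintextStore:
    """Weak design: the secret wallet URL token is stored as-is."""

    def __init__(self):
        self.rows = {}  # token -> balance

    def create(self, balance=0):
        token = secrets.token_urlsafe(32)
        self.rows[token] = balance
        return token

    def resolve(self, token):
        return self.rows.get(token)

    def dump(self):
        # What someone reading the table would see.
        return [{"token": t, "balance": b} for t, b in self.rows.items()]


class HashedStore:
    """Hardened design: token = "<selector>.<verifier>" (layout is an assumption).

    The selector is a non-secret lookup key. Only a salted hash of the
    verifier is stored, so the table alone never contains a working URL.
    """

    def __init__(self):
        self.rows = {}  # selector -> (salt, digest, balance)

    @staticmethod
    def _digest(salt, verifier):
        # The verifier carries 256 bits of randomness, so a fast salted hash
        # is enough here; low-entropy secrets such as passwords need a slow KDF.
        return hashlib.sha256(salt + verifier.encode("utf-8")).digest()

    def create(self, balance=0):
        selector = secrets.token_urlsafe(12)
        verifier = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.rows[selector] = (salt, self._digest(salt, verifier), balance)
        return f"{selector}.{verifier}"  # shown to the user once, never stored

    def resolve(self, token):
        selector, sep, verifier = token.partition(".")
        row = self.rows.get(selector)
        if not sep or row is None:
            return None
        salt, digest, balance = row
        # Constant-time comparison of the recomputed digest.
        if hmac.compare_digest(self._digest(salt, verifier), digest):
            return balance
        return None

    def dump(self):
        return [{"selector": s, "salt": salt.hex(), "digest": d.hex(), "balance": b}
                for s, (salt, d, b) in self.rows.items()]


def usable_tokens_from_dump(store):
    """Count rows of a copied table from which a working wallet URL can be
    read off directly, trying every stored field as a token or verifier."""
    hits = 0
    for row in store.dump():
        fields = [str(v) for v in row.values()]
        candidates = fields + [f"{row.get('selector', '')}.{f}" for f in fields]
        if any(store.resolve(c) is not None for c in candidates):
            hits += 1
    return hits


if __name__ == "__main__":
    weak, hardened = PlaintextStore(), HashedStore()
    for balance in (5, 0, 12):  # constructed sample balances
        weak.create(balance)
        hardened.create(balance)
    print("plaintext table, usable URLs:", usable_tokens_from_dump(weak))
    print("hashed table, usable URLs:   ", usable_tokens_from_dump(hardened))
```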
full member
Activity: 224
Merit: 100
April 09, 2013, 08:56:56 PM
Read my post earlier in the thread, it's quite possible to handle claims (at least some of them) on an ongoing basis.

I assume you mean either this:
10. Your stated claims process on the Instawallets site states: “If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.”. Please will you describe the logic of that? If a hacker has the URLs then surely he can file a claim as quickly as any legitimate account holder? And if you’re assuming that the first claim is likely to be the more “legitimate” one then why wait 90 days? Your logical methodology makes little sense and I would appreciate clarification.

11. You also state that “Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.” Please clarify why the “arbitrary” figure of 50 BTC has been chosen. This comment suggests that you have lost a certain number of coins and need to limit your total payout to what you have left. Please confirm if this is how it is, or if there is another reason for this figure?

or this:
The 90 day claim process is highly questionable, and it's a typical scammer way of evading and delaying the process. After 90 days, people will have 'forgotten', many give up, because they only have small amounts and so on... Lots of accounts (read: unique urls) should be possible to verify beyond doubt given pieces of information, and should be handled manually on an ongoing basis, then those remaining in an uncertain state should be held until the 90 days are up, and then be released to the person claiming it. To avoid having to pay out to some hacker who's submitted multiple claims, some verification would be possible to do, to ensure multiple claims do not go to the same person. (I know some may have more instawallets, but it's a difference in having 2-3 and having 45...)

There are many pieces of info that could be used to determine whether it's a legitimate claim or not, and these could be handled on an ongoing basis.

For instance a user could be using the same ip for most of his access to instawallet, and he might even be able to remember transactions in or out of instawallet, and he may even have access to addresses from which he previously has sent coins, and can prove he controls these, perhaps he even has screenshots from an exchange showing withdrawals to his address, or has transaction history in a local wallet.

Also, it depends on how much information the hacker got from the database. How much does he know about the users, and how easy would it be to fake a claim ? That's rather important information needed to determine the course of action.

Neither of these quotes have logic I find all that convincing. The one point I'll grant you is that instawallet will no doubt make money off of this, whether or not it's a scam, because of the number of people that will have forgotten after 90 days.

However, that doesn't mean that, assuming it isn't a scam, they shouldn't exercise this level of security anyway. Maybe they should be more lax on wallets under .25 BTC in balance, but they've arbitrarily decided on two divisions instead of three, one below 50 BTC and one above 50 BTC.

All of the methods of determining wallets that you speak of are things I'm sure they'll do, if more than one claim is filed or if the wallet has a balance of 50 BTC or more.

it depends on how much information the hacker got from the database. How much does he know about the users, and how easy would it be to fake a claim ? That's rather important information needed to determine the course of action.

Yes, and it's also something that shouldn't be publicized, in the interest of reducing the number of false claims.

On a final note, it's preferable that bitinstant wouldn't have to process the claims at all, and could just return them immediately. Of course, this is an impossible ideal. There are a lot of wallets, and a claims process isn't something very easy to automate, and the number of wallets mean that it would take potentially, probably, far more than 90 days for them to process all the claims manually.

The 90 day wait is an easy way to verify, with zero human work, the majority of the claimed wallets, of which there will presumably be many. If they were to try and do them all case-by-case as you suggest, in the interest of not having to wait 90 days, there would be a backup and the majority of users would most likely have to wait longer than 90 days, in the end. The 90 day wait comes closest to that impossible ideal.

Edit: Actually, the "forgetting after 90 days" problem depends on how they implement the claims system. If you could just give them an address at the very beginning of the claims process to send the funds to if there are no other claims, then forget about it, then that problem would be abolished more or less.
legendary
Activity: 4690
Merit: 1276
April 09, 2013, 07:23:18 PM
One card people might want to keep in reserve is contacting Bitcoin-Central's partnering financial institution.  Bitcoin-Central made a huge deal about being "legitimate" and I'm sure that the financial institution they're using to cloak themselves in legitimacy would be interested to learn that another service operated by the same principals has lost user funds and is being very evasive about answering questions in relation to that loss.

Good point, but didn't that deal fall through, or am I misinformed?

You may be right, I haven't really kept up with what's been happening with Bitcoin-Central.
...

I don't know either, but it's a Goddamn good idea.  I bet the bank's marketing department would just loooove to have their name dragged through the Bitcoin muck in mainstream news sources, so as long as they entertained any relationship at all it might be that their legal department could be convinced to take an interest in the situation.
