
Topic: MemoryDealers.com founder Roger Ver abuses admin access at Blockchain.info - page 12. (Read 28752 times)

legendary
Activity: 3472
Merit: 4794
Reserved if needed.  
(I didn't leak or abuse any information at all from Blockchain,  please read the other thread.)

You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.

You can't be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.
I agree, which is why I have posted about the violation of blockchain.info's privacy policy.  This does fall under a reasonable definition of dishonesty, right?

EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information.  They could not know in advance that MemoryDealers would abuse the access allowed them as an employee.  As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.
legendary
Activity: 1722
Merit: 1217
Reserved if needed. 
(I didn't leak or abuse any information at all from Blockchain,  please read the other thread.)

You didn't leak any of it, but you have access to a TON of information about account holders and their accounts, and you were prepared to leverage this information to resolve a customer service dispute in a completely unrelated business. I call that abusing it.

You can't be serious. I personally wish everyone would always post all information publicly about any and all fraud/dishonesty. It would help to lessen the need for the use of violence in resolving disputes.
hero member
Activity: 910
Merit: 1005
Also - why did he need this kind of access in the first place? Were blockchain.info customers alerted about his access to this system?

He was given access to this information because I was getting bogged down in support tickets and Roger kindly offered to help with some of them. Requests to recover lost identifiers are one of the most common queries. At the time it had not occurred to me that there could be a conflict of interest. In the blockchain.info thread I posted that a minority stake in the site had been sold, but did not specifically mention the admin panel.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

Addresses are hashed with a secret. With access to the secret it would be possible to hash every bitcoin address with a non-zero balance and use that to compare against subscribed hashes to determine addresses in a wallet. The sacrifice of some anonymity when notifications are enabled has always been stated https://blockchain.info/wallet/anonymity. However it is no longer possible for admins to look up an arbitrary wallet by address.
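The difference the question and answer above turn on, as an added example that is not part of the thread or of blockchain.info's code: an unkeyed SHA-256 index can be recomputed by anyone who can read the table, while a keyed index moves the lookup ability to whoever holds the secret. HMAC-SHA256 is assumed here as the "hash with a secret" construction (the thread does not say which one the site uses), and the addresses and secret are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder strings standing in for bitcoin addresses.
SUBSCRIBED = ["addr-alice-0001", "addr-bob-0002"]
PUBLIC_CANDIDATES = ["addr-carol-0003", "addr-alice-0001", "addr-dave-0004"]
SERVER_SECRET = b"constructed-demo-secret"  # hypothetical; keep the real one out of the DB


def plain_index(address: str) -> str:
    """Unkeyed SHA-256: recomputable by anyone from a public address."""
    return hashlib.sha256(address.encode()).hexdigest()


def keyed_index(address: str, secret: bytes) -> str:
    """HMAC-SHA256 (assumed construction): recomputing needs the secret."""
    return hmac.new(secret, address.encode(), hashlib.sha256).hexdigest()


def matches(stored: set, candidates, index_fn) -> list:
    """Return the candidates whose index value appears in the stored set."""
    return [c for c in candidates if index_fn(c) in stored]


def audit() -> dict:
    """Compare what a table reader can resolve under each storage scheme."""
    plain_store = {plain_index(a) for a in SUBSCRIBED}
    keyed_store = {keyed_index(a, SERVER_SECRET) for a in SUBSCRIBED}
    wrong_key = lambda a: keyed_index(a, b"wrong-guess")
    right_key = lambda a: keyed_index(a, SERVER_SECRET)
    return {
        # Table access only, unkeyed hashes: lookup by address still works.
        "plain_db_only": matches(plain_store, PUBLIC_CANDIDATES, plain_index),
        # Table access only, keyed hashes: unkeyed or wrong-key guesses miss.
        "keyed_db_only": matches(keyed_store, PUBLIC_CANDIDATES, plain_index)
        + matches(keyed_store, PUBLIC_CANDIDATES, wrong_key),
        # Holder of the secret can still enumerate, as the reply above states.
        "keyed_with_secret": matches(keyed_store, PUBLIC_CANDIDATES, right_key),
    }


if __name__ == "__main__":
    for scenario, found in audit().items():
        print(f"{scenario}: {found}")
```

The third result is the residual risk: access to the secret has to be restricted and logged as tightly as the admin lookup it replaced.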
full member
Activity: 152
Merit: 100
Addresses are now stored as a SHA 256 hash of the address, which removes the ability to look up a wallet by bitcoin address.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?
sr. member
Activity: 312
Merit: 250
Roger,

I hope you have learned from this situation. You should thank the guy who possibly has been dishonest with you, because it served as an example to improve the services that you have participation.

Piuk, hope you learned too. Thanks
hero member
Activity: 868
Merit: 1000
Quote
Roger and the support agent's access to this information has been revoked.

Edit: My post edited in light of the new info surfacing. Didn't know Roger did support at blockchain.info.
legendary
Activity: 3472
Merit: 4794
What has been changed
  • Roger and the support agent's access to this information has been revoked.
  • Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to look up a wallet by bitcoin address.
  • The secret phrase is now no longer shown to any admins

Piuk,

I am trying hard to trust you and your business.  For now I will take you at your word.  Please don't make me regret that action.

If you can assure me that nobody from bitcoinstore.com (including Roger) will have access to look up user's personal information (by bitcoin address, email address, SMS number, IP address, or any other method)

Then this satisfies my request that blockchain.info:

Immediately sever all relationships with other businesses, removing admin access from anyone who would use that access to benefit their other business.

EDIT: blockchain.info has acted in a responsible way and removed from MemoryDealers all future access to personal information.  They could not know in advance that MemoryDealers would abuse the access allowed them as an employee.  As such this post has been edited to make it clear that blockchain.info is not responsible for the actions of this particular ex-employee.
newbie
Activity: 44
Merit: 0
A+ response piuk - this is the kind of professionalism Bitcoin businesses need to be exhibiting if the Bitcoin community and Bitcoin businesses want to be taken seriously by those outside of the community.
legendary
Activity: 1064
Merit: 1001
isn't this MemoryDealers guy the kid who left the country

Is this the company I'm thinking of or is it someone else?
legendary
Activity: 1288
Merit: 1227
Away on an extended break
changes


Good show. Quick, reasonable and effective countermeasures.

EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.
+1.
legendary
Activity: 1064
Merit: 1001
The difference between how Blockchain and MemoryDealers handled the problem is like night and day.

Blockchain immediately recognized a problem and swiftly corrected it without histrionics or drama.
legendary
Activity: 1652
Merit: 1128
...

Thanks for the quick response and action, this is good to see.
staff
Activity: 4256
Merit: 1208
I support freedom of choice
What has been changed
  • Roger and the support agent's access to this information has been revoked.
  • Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to look up a wallet by bitcoin address.
  • The secret phrase is now no longer shown to any admins
Thank you Smiley
hero member
Activity: 952
Merit: 1009
changes


Good show. Quick, reasonable and effective countermeasures.

EDIT: As you are now the sole person that has access to the site's full features, please remember to store admin login credentials with a lawyer in case you get hit by a bus.
sr. member
Activity: 312
Merit: 250
I support too, but they need to learn from their mistakes and be honest on their business.
hero member
Activity: 910
Merit: 1005
What happened
I do not know the specifics but there was some disagreement between Roger and a customer of bitcoinstore.com. The customer claimed not to own a particular bitcoin address that an incorrect amount had been refunded to. Roger used his access to the blockchain.info admin panel to look up the information on a wallet which held that bitcoin address. The email address associated with the wallet and the email address of the customer matched.

Why is this even possible?
Wallets are stored fully encrypted, so they appear as random text to us. However when notifications are enabled the client extracts the public keys from a wallet and asks blockchain.info to subscribe to those addresses. The ability to look up a wallet using this information was added so that when newbies come to us and say "I just created a bitcoin wallet, but forgot to record the wallet identifier, how can I get my money back?" we can ask for their bitcoin address or IP and are normally able to recover the identifier.

Screenshot of Admin Panel:



Why does Roger have access to the blockchain admin panel
He owns a minority stake in the company and helps with support. His funding has been tremendously helpful in allowing me to work on the Site full time, buy new servers, security hardware and fund free features.

Who else has access to this information?
Me, Roger and a customer support agent.

What has been changed
  • Roger and the support agent's access to this information has been revoked.
  • Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to look up a wallet by bitcoin address.
  • The secret phrase is now no longer shown to any admins

What other information could be used to identify a wallet
We store the IP address a wallet was created with and the IP address a wallet was last updated with.

A wallet can be looked up by SMS number or email if that information has been added in [Account Settings].

Can blockchain.info access the funds in my blockchain wallet?
No, the information available gives only enough information to prove the user may own a wallet with that address. He could not have accessed the wallet, even if he had wanted to. No other individuals have access to the blockchain.info servers or code apart from me.
legendary
Activity: 1099
Merit: 1000
Plus, isn't this MemoryDealers guy the kid who left the country because the IRS tried to stick a dildo up his ass or something?

Maybe this talks good about Roger. Who, besides making mistakes from time to time, has an extensive history for supporting and developing Bitcoin worldwide. Trolls in this thread all summed up, have done less than 0.001% that Roger made in the benefit of the community.

And blockchain.info service and features are awesome. I support both Roger and blockchain.

legendary
Activity: 3472
Merit: 4794
The main problem here is that now it's also hard to trust Piuk ...
Yes, when a partial owner of a business acts in a manner that damages the reputation of the business, it affects the reputation of all the stakeholders in the business.  This is why it is important to be careful about who you get involved in business with.
staff
Activity: 4256
Merit: 1208
I support freedom of choice
The main problem here is that now it's also hard to trust Piuk ...
hero member
Activity: 868
Merit: 1000
So, blockchain.info gives out admin access to co-owners? What would they need this access for? Wouldn't RV be considered a 'share-holder'. Is it the norm to give 'share-holders' the key to where the business operates?