
Topic: Mybitcoin.com Press Release #2 - page 5. (Read 13782 times)

jed
full member
Activity: 182
Merit: 107
Jed McCaleb
August 06, 2011, 12:24:13 AM
#25
Wouldn't these double spend attacks be noticed by other clients though?
legendary
Activity: 1596
Merit: 1100
August 06, 2011, 12:09:25 AM
#24
A post by Theymos on July 1st, in another MyBitcoin thread:

Quote
MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
- https://bitcointalksearch.org/topic/m.309173


Indeed.  mtgox requires 6 confirmations, IIRC.

legendary
Activity: 2506
Merit: 1010
August 06, 2011, 12:08:03 AM
#23
Quote
What they are purporting to have happened has nothing to do with a 'double spend' as it would refer to spending the coins immediately from the account to elsewhere before the site could see that no deposit showed up in the blockchain.

A post by Theymos on July 1st, in another MyBitcoin thread:

Quote
MyBitcoin is still accepting payments with only 1 confirmation. This is insane for a bank. Any miner capable of mining two blocks in a row can steal money from MyBitcoin pretty easily. I'm surprised no one has attempted it yet.
- https://bitcointalksearch.org/topic/m.309173
hero member
Activity: 504
Merit: 500
August 05, 2011, 11:10:50 PM
#22
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.
Luckily for us, this just told us enough that we could validate his whole story. Wasn't someone working on double-spend detection? Well, we need that ASAP.


What they are purporting to have happened has nothing to do with a 'double spend' as it would refer to Bitcoins. He expects us to believe that the shopping cart was vulnerable to someone using an 'on the fly' type editor like Fiddler, etc. to put in a fake deposit via the website's shopping cart and then spending the coins immediately from the account to elsewhere before the site could see that no deposit showed up in the blockchain.

I'd like to hear a lot more details on the weak point in the SCI that allowed said deposits. Just seems that if it was as simple as just modifying the input from the client side that someone would have detected and exploited it long before the point this announced breach was discovered.
legendary
Activity: 1204
Merit: 1015
August 05, 2011, 10:56:38 PM
#21
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.
Luckily for us, this just told us enough that we could validate his whole story. Wasn't someone working on double-spend detection? Well, we need that ASAP.
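
The two-balance scheme the press release describes (credit a deposit at one confirmation, hold it until at least three), sketched as an added example that is not part of the thread or MyBitcoin's code. The `Ledger` class, its method names and the sample transaction are hypothetical; the chain-tip height and reorg notifications are assumed to come from the node.

```python
from dataclasses import dataclass
from typing import Optional

CREDIT_AT = 1   # confirmations before a deposit appears in history (from the post)
RELEASE_AT = 3  # confirmations before it becomes spendable (from the post)

@dataclass
class Deposit:
    account: str
    amount: int                   # satoshis
    height: Optional[int] = None  # block height; None = not in the best chain

class Ledger:
    """Hypothetical two-balance deposit ledger: pending vs. available."""
    def __init__(self):
        self.deposits = {}   # txid -> Deposit
        self.withdrawn = {}  # account -> satoshis already paid out

    def seen_in_block(self, txid, account, amount, height):
        self.deposits[txid] = Deposit(account, amount, height)

    def reorged_out(self, txid):
        # The block holding this tx left the best chain: back to 0 confirmations.
        self.deposits[txid].height = None

    def confirmations(self, dep, tip):
        return 0 if dep.height is None else tip - dep.height + 1

    def balances(self, account, tip):
        pending = available = 0
        for dep in self.deposits.values():
            if dep.account != account:
                continue
            conf = self.confirmations(dep, tip)
            if conf >= RELEASE_AT:
                available += dep.amount
            elif conf >= CREDIT_AT:
                pending += dep.amount
        return pending, available - self.withdrawn.get(account, 0)

    def withdraw(self, account, amount, tip):
        # Only funds at RELEASE_AT or deeper may leave the service.
        if amount <= 0 or amount > self.balances(account, tip)[1]:
            return False
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
        return True

# Constructed sample: a deposit with 1 confirmation is visible but not spendable.
ledger = Ledger()
ledger.seen_in_block("tx-a", "alice", 50_000, height=100)
print(ledger.balances("alice", tip=100), ledger.withdraw("alice", 50_000, tip=100))
```
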
legendary
Activity: 1764
Merit: 1015
August 05, 2011, 10:47:58 PM
#20
Tom Williams,

You better come up with 100% of everyone's bitcoins ASAP even if you need to buy them with your own money from one of the exchanges.

Those bitcoins are YOUR responsibility.

I can think of times in my life where I made mistakes, and paid tens of thousands of dollars out of my own pocket to make things right.

Now it is your turn.

Do the right thing.
qft
legendary
Activity: 1330
Merit: 1000
Bitcoin
August 05, 2011, 10:44:03 PM
#19
If the guy's story is true, I would vote that Bruce be a trusted third party (in spite of a gigantic potential for conflict of interest.)  Maybe I am particularly gullible, but I would bet several BTC that Bruce would err on the side of caution and even against his own personal interests to see that things were wrapped up as fairly as possible.

...but then I had no account at mybitcoin.com.

Bruce is affected as well
The Bitcoin Show - Episode 033 - MyBitcoin, Contacting FBI, Discuss on Freenode https://bitcointalksearch.org/topic/m.426546

And is very hands on with this situation
Make No Mistake: MyBitcoin is NOT Back Up!
https://bitcointalksearch.org/topic/make-no-mistake-mybitcoin-is-not-back-up-34617

I actually PM'd him the press release to find out what he thinks about it; awaiting word.
hero member
Activity: 630
Merit: 500
Posts: 69
August 05, 2011, 10:09:37 PM
#18
If the guy's story is true, I would vote that Bruce be a trusted third party (in spite of a gigantic potential for conflict of interest.)  Maybe I am particularly gullible, but I would bet several BTC that Bruce would err on the side of caution and even against his own personal interests to see that things were wrapped up as fairly as possible.

...but then I had no account at mybitcoin.com.

Bruce is affected as well
The Bitcoin Show - Episode 033 - MyBitcoin, Contacting FBI, Discuss on Freenode https://bitcointalksearch.org/topic/m.426546

And is very hands on with this situation
Make No Mistake: MyBitcoin is NOT Back Up!
https://bitcointalksearch.org/topic/make-no-mistake-mybitcoin-is-not-back-up-34617
hero member
Activity: 868
Merit: 1002
August 05, 2011, 10:05:13 PM
#17
Well, someone claim their account and tell us what the % is.

If it's like 96% I say all you guys learned a valuable lesson at very little cost. If it's 50%, well, at least you didn't lose it all.
legendary
Activity: 4690
Merit: 1276
August 05, 2011, 09:57:24 PM
#16
If the guy's story is true, I would vote that Bruce be a trusted third party (in spite of a gigantic potential for conflict of interest.)  Maybe I am particularly gullible, but I would bet several BTC that Bruce would err on the side of caution and even against his own personal interests to see that things were wrapped up as fairly as possible.

...but then I had no account at mybitcoin.com.
legendary
Activity: 980
Merit: 1020
August 05, 2011, 09:46:37 PM
#15
When a service goes silent, people assume the worst and go on a witch hunt. (That's why all critically important services should have an offsite status page where they can communicate)

Keep a cool head and see how Tom Williams performs, guys.
legendary
Activity: 1106
Merit: 1001
August 05, 2011, 09:34:52 PM
#14

OR, they've been taking Bitcoins for a long time. So far they have had enough people keeping BTC in the accounts they have been able to pay when people take BTC out. As the service had more and more people taking BTC out the wallet was getting empty. Then claim part was stolen and refund the remainder once they can no longer pay when people take BTC out.


Yup, and dump thousands into the market in the process, bringing down prices and allowing them to buy back making a profit. Then say they managed to save a percentage, and it's better not to use that money to go into receivership.

We could be taking many tens or hundreds of thousands.
member
Activity: 84
Merit: 10
August 05, 2011, 09:34:24 PM
#13
Sounds to me that this is another story to buy time, it does not make sense at all, they should still have 100% of the coins and as mentioned above by Memory Dealers any missing coins if ANY should be replaced by mybitcoin.com and also as mentioned the double spending etc, it does not all add up.

He / They are not providing a contact email or any IRC Chat for people to discuss what is actually going on, by posting stuff randomly like this it seems He / They are watching the forums, and the bitcoin-police in freenode and keeping an eye on how close people are to finding out the truth and identity and real information.

I hope everyone gets their full return of coins, this liabilities rubbish is not the problem of the depositors that placed the coins there, liabilities are his company's problem.

Hopefully this is dealt with very quickly! Nothing makes sense though!
legendary
Activity: 1386
Merit: 1004
August 05, 2011, 09:33:19 PM
#12
Tom Williams,

You better come up with 100% of everyone's bitcoins ASAP even if you need to buy them with your own money from one of the exchanges.

Those bitcoins are YOUR responsibility.

I can think of times in my life where I made mistakes, and paid tens of thousands of dollars out of my own pocket to make things right.

Now it is your turn.

Do the right thing.
I have to give that a +1 as well.  Spot on.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
August 05, 2011, 09:30:52 PM
#11

OR, they've been taking Bitcoins for a long time. So far they have had enough people keeping BTC in the accounts they have been able to pay when people take BTC out. As the service had more and more people taking BTC out the wallet was getting empty. Then claim part was stolen and refund the remainder once they can no longer pay when people take BTC out.
sr. member
Activity: 372
Merit: 250
August 05, 2011, 09:22:53 PM
#10
Tom Williams,

You better come up with 100% of everyone's bitcoins ASAP even if you need to buy them with your own money from one of the exchanges.

Those bitcoins are YOUR responsibility.

I can think of times in my life where I made mistakes, and paid tens of thousands of dollars out of my own pocket to make things right.

Now it is your turn.

Do the right thing.

+1

Couldn't have said it better myself, Memory Dealers.
legendary
Activity: 1092
Merit: 1001
August 05, 2011, 09:21:39 PM
#9
Well since they are bankrupting people will get what they get. Hopefully for them they kept most of their money in cold storage. If I were in their shoes I'd try to keep going under partial reserve until they can recoup the BTC. Then again their image may be so damaged at this point it's not possible.

Yes - the sad thing is.. If he'd come out with a more immediate statement, and been willing to compromise his identity (at least perhaps to certain community members if not completely publicly) - he might have been able to sell it as a going concern even with the existing liability of missing coins.

Even if the losses are huge - This could have been handled so much better.  I strongly believe there would have been investment funds available only a week or two back because the mybitcoin brand was so big.   The week's silence was devastating.
sr. member
Activity: 462
Merit: 250
August 05, 2011, 09:20:36 PM
#8
He has not explained why people were being locked out of their accounts from over a month ago, nor why they received no responses to requests through the messaging system.
full member
Activity: 125
Merit: 100
August 05, 2011, 09:18:40 PM
#7
The tech explanation doesn't add up. Is he saying they were the victim of double spend attacks?
That's the only reason 1 vs 1000 confirmations should matter.
It would be so hard to pull off a double spend in this manner that this still smacks of BS.
full member
Activity: 126
Merit: 100
August 05, 2011, 09:17:15 PM
#6
Well since they are bankrupting people will get what they get. Hopefully for them they kept most of their money in cold storage. If I were in their shoes I'd try to keep going under partial reserve until they can recoup the BTC. Then again their image may be so damaged at this point it's not possible.