
Topic: Nefario - page 6. (Read 198704 times)

hero member
Activity: 938
Merit: 1002
February 24, 2013, 09:14:44 AM
OK. Let me explain it better.

1. We know that Bob owns some bitcoin address.

2. Alice claims she is Bob.

3. We ask her to send coins from Bob's address as a proof.

4. She asks Bob to do it in exchange for the image of her boobs (so Bob thinks he just pays for a photo).

5. We see that money moved from Bob's address and assume that Alice is Bob.

But she is not!

Good explanation. I guess having someone sign some random string for boobs is far more implausible than having them send 0.00123456 coins to some address.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
February 24, 2013, 08:07:05 AM
There are valid reasons Bob might not want a lump sum of coin sent to a wallet where those coins would then be mixed with other coins by which Bob could be identified. If Bob did not want it known he just received a large sum, he might want the coins sent to a virgin address.

It's silly, but a possible reason. I agree with you, if the third party were me I would make a stipulation that coins would have to be sent back to the address from which they originated.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
February 24, 2013, 08:00:16 AM
Then CHM shouldn't allow a change of address simply. It doesn't make sense anyway when the address was verified previously. So that it's sure Bob owns the address. If Alice would like to have the btc at another address it wouldn't be a problem to send the btc from the old address to a new address. So CHM wouldn't need to send to another address...
donator
Activity: 2058
Merit: 1007
Poor impulse control.
February 24, 2013, 07:55:07 AM
A reason Alice might be doing this is because, while claiming she is Bob, she wants the coins that should be sent to Bob sent instead to another address, probably one controlled by her. The other party asks for proof that she is Bob. Alice provides it by getting Bob to send a certain number of coins to the third party's address as per their specifications.

As a result:
1. The third party pays Alice instead of Bob.
2. Bob loses a certain amount of coin which we hope was worth some boobage.
3. We all lose a little respect for Alice once Bob posts the video of her boobs on xtube.

legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
February 24, 2013, 07:36:27 AM
You beat me to it... Smiley

...But Bob wouldn't care because of some reason he gets a good amount of bitcoins back in exchange... Smiley (I doubt CHM would change the address he sends the money to after the address was verified.)
donator
Activity: 2058
Merit: 1007
Poor impulse control.
February 24, 2013, 07:17:27 AM
If someone can send coins from a specific address is that sufficient proof that they control it without going through any type of signature process?

Yes.  Smiley


In general I don't think so.... Bitcoin address owner can be asked by anybody to send bitcoins to any address (for example in exchange for goods or services)... so to my mind it doesn't prove anything.

Not TO but FROM. However more than one person can be "in control" of an address.

OK. Let me explain it better.

1. We know that Bob owns some bitcoin address.

2. Alice claims she is Bob.

3. We ask her to send coins from Bob's address as a proof.

4. She asks Bob to do it in exchange for the image of her boobs (so Bob thinks he just pays for a photo).

5. We see that money moved from Bob's address and assume that Alice is Bob.

But she is not!


Yes, arsenische has provided a very good example of the classic "Boob in the middle" attack to which many geeks can become victim.
legendary
Activity: 1199
Merit: 1012
February 24, 2013, 07:14:33 AM
If someone can send coins from a specific address is that sufficient proof that they control it without going through any type of signature process?

Yes.  Smiley


In general I don't think so.... Bitcoin address owner can be asked by anybody to send bitcoins to any address (for example in exchange for goods or services)... so to my mind it doesn't prove anything.

Not TO but FROM. However more than one person can be "in control" of an address.

OK. Let me explain it better.

1. We know that Bob owns some bitcoin address.

2. Alice claims she is Bob.

3. We ask her to send coins from Bob's address as a proof.

4. She asks Bob to do it in exchange for the image of her boobs (so Bob thinks he just pays for a photo).

5. We see that money moved from Bob's address and assume that Alice is Bob.

But she is not!
legendary
Activity: 1199
Merit: 1012
February 24, 2013, 06:13:46 AM
If someone can send coins from a specific address is that sufficient proof that they control it without going through any type of signature process?

Yes.  Smiley


In general I don't think so.... Bitcoin address owner can be asked by anybody to send bitcoins to any address (for example in exchange for goods or services)... so to my mind it doesn't prove anything.
hero member
Activity: 938
Merit: 1002
February 24, 2013, 05:27:23 AM
If someone can send coins from a specific address is that sufficient proof that they control it without going through any type of signature process?

Yes.

EDIT: As arsenische explained below, there are very practical attacks in this case that I hadn't imagined. I'd go with signatures as it shouldn't be that hard to use anyway.
hero member
Activity: 700
Merit: 500
February 24, 2013, 03:58:50 AM
If someone can send coins from a specific address is that sufficient proof that they control it without going through any type of signature process?
hero member
Activity: 700
Merit: 500
February 24, 2013, 03:57:40 AM
I'm also 'waiting' for my coins from GLBSE.
I've filled in the requested info immediately after the site asked for it. I even got 2 emails that said: "Your GLBSE account has been partially processed. 90% of your funds have been returned to you with this payment." But never received any coin back.
(I got 2 emails because I had multiple accounts)

Is there anything more I can do to improve the chances to get the coins back? Smiley


Nefario is in control of all of that, so your best bet is to email him. Now that he's contacted me again I can try and put some pressure on him, but no real guarantee he won't just ignore my emails.
sr. member
Activity: 322
Merit: 252
February 23, 2013, 09:52:05 PM
I'm also 'waiting' for my coins from GLBSE.
I've filled in the requested info immediately after the site asked for it. I even got 2 emails that said: "Your GLBSE account has been partially processed. 90% of your funds have been returned to you with this payment." But never received any coin back.
(I got 2 emails because I had multiple accounts)

Is there anything more I can do to improve the chances to get the coins back? Smiley
hero member
Activity: 938
Merit: 1002
February 23, 2013, 08:20:44 PM
Can you please explain better what we have to do? It seems neither me nor CHM know what all this means.

The standard bitcoin client (bitcoin-qt) and blockchain.info wallet provide a "sign message" GUI. Electrum does it on the command line. I'm sure there are some other tools that do that, and usually you don't need Internet access either to sign or to verify.

In blockchain.info/wallet, click on the Actions of the related address and select "Sign Message". Enter your unique information (forum name + e-mail for instance) and sign. Send both the text and the signature to CHM.

In bitcoin-qt, it's very similar. There is a "Sign Message" button on the "Receive coins" tab that works exactly the same.

Let me know if you use a different client.

"Verify" button on blockchain.info is on Receive Money->More Actions and can be used to verify regardless of the signing client.

This is the recommended way to prove you control an address without a doubt.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
February 23, 2013, 05:52:14 PM
I mean it's only a precaution against nefario getting the BTC. But how will you prove that? I mean in case nefario would have given his own addresses he could have some other forum accounts too and claim then with these that it's his address.
So I think it's not possible to prove.

Otherwise if you think nefario hasn't other accounts it would only need a message saying that an address is owned. It wouldn't make sense for someone who doesn't own it to claim that he does because he can't get the money and the money would go somewhere different.
full member
Activity: 168
Merit: 100
Bixcoin Superdouche
February 23, 2013, 04:28:43 PM
I'm thinking if I post the addresses and the holders are forum members we are reasonably confident aren't Nefario, they could somehow demonstrate they do in fact control the address, and then I could send the coins on. I have no idea how that demonstration could be accomplished. I'm a bookkeeper, not a developer.

Ask people to sign a string containing their e-mail address and/or forum account name with their claim address. They will send you the clear string and the signature. You can then verify that the signature matches the string using various tools. Satoshi Bitcoin client does this.

By the way, you could also ask people to re-submit to you their GLBSE claim addresses, however since addresses are pseudonymous, posting them here would also be acceptable.


Can you please explain better what we have to do? It seems neither me nor CHM know what all this means.
hero member
Activity: 700
Merit: 500
February 23, 2013, 12:22:46 PM
Hi,

I am the owner of 1PPyh5DtEkW45MHzdub3zKC3Z5NWmjALjH and I am really happy to see that address here.
Please tell me how we can proceed. I have full control over this address and my registered email address here is linked to this address on GLBSE.

PM sent.
full member
Activity: 168
Merit: 100
Bixcoin Superdouche
February 23, 2013, 11:17:38 AM
I'm thinking if I post the addresses and the holders are forum members we are reasonably confident aren't Nefario, they could somehow demonstrate they do in fact control the address, and then I could send the coins on. I have no idea how that demonstration could be accomplished. I'm a bookkeeper, not a developer.

Ask people to sign a string containing their e-mail address and/or forum account name with their claim address. They will send you the clear string and the signature. You can then verify that the signature matches the string using various tools. Satoshi Bitcoin client does this.

By the way, you could also ask people to re-submit to you their GLBSE claim addresses, however since addresses are pseudonymous, posting them here would also be acceptable.


Okay, that sounds workable if I can figure out the verification bit. I don't have any of the emails associated with these addresses.

Thanks.


If this list is about refunding everyone 100%, first thing I'd consider is checking the list in the OP of GLBSE Payment Claims thread to identify those addresses that are still waiting for their remaining 10%.

Yet, the sum of the missing 10% from that list is tiny, compared to still pending refunds (e.g. friedcat alone is still waiting for ~1.7k BTC from GLBSE).

Your best take to verify the remaining addresses would be to post the list here and let forum members confirm via PM which they control. If those who believe their address is missing on the list also PMd you, this will give you already a quite reliable indication of how legit the list is. The only issue hard to resolve are those addresses from people not frequenting the forum or completely left Bitcoin scene. Most former GLBSE asset issuers donate the remaining funds after some wait period.

I did all this recently to repay my former investors and resolve the mess GLBSE left behind. It is a PITA lot of work and I feel sorry for you now being responsible for cleaning up mess you did not cause (alone). Good Luck.


I've only been holding a portion of the total deposits that there were. As such I only have 4 addresses to deal with, so this isn't too cumbersome. Nefario has all the records of everything else. I don't have access to any of that and never have. I have no idea what proportion of amounts owed to the addresses he gave the amounts he asked me to send represent, and no way to find that out. Given that this is the first time Nefario has responded to/contacted me since October, I would be surprised if that information were forthcoming.


That said I guess we'll do it this way. If your GLBSE payout address is one of the following please contact me so we can figure this out via memvola's suggestion above.

1GMys8gSUi5L3JrqZNPRB4s87JCwiQURvX
1PPyh5DtEkW45MHzdub3zKC3Z5NWmjALjH
17fd4pVV5u3GHrqHBc46tzoiDZJ3pMgnjJ
1BBKGnvVkyZ1sFCkZGee3RN7nxoSdm9AHT

Hi,

I am the owner of 1PPyh5DtEkW45MHzdub3zKC3Z5NWmjALjH and I am really happy to see that address here.
Please tell me how we can proceed. I have full control over this address and my registered email address here is linked to this address on GLBSE.
sr. member
Activity: 448
Merit: 250
February 23, 2013, 08:15:26 AM
Hey all,

I had a call with James this morning, and he told me he could not communicate with the people holding the bitcoins he owes us, solely because he lost the flash drive with his private (GPG) key on it. I recommended the simple solution of giving the GLBSE trustees (Theymos and ColdHardMetal) the list of those who are owed funds, and trusting that they will treat the data and distribute the funds appropriately. He said "Huh, I hadn't thought of that". Then said that he will send them the lists when he gets home in a few hours. Could he really not think of this stupidly simple answer to this ridiculous problem on his own?

I'm quoting and sending this message to the two that he mentioned on the phone.

Also, he mentioned that he hasn't checked his glbse or doctor.nefario email accounts in over a month, and the forum for even longer.

Hopefully he'll bring himself to resolve this mess once and for all.

--Garrett


As a followup to this I have been contacted by Nefario's email address with some addresses to send the coins I'm holding to.

However, before I randomly send coins off to these addresses, I'd like to establish that they aren't addresses controlled by Nefario.

Does anyone have any suggestions on how that might be accomplished?

I'm thinking if I post the addresses and the holders are forum members we are reasonably confident aren't Nefario, they could somehow demonstrate they do in fact control the address, and then I could send the coins on. I have no idea how that demonstration could be accomplished. I'm a bookkeeper, not a developer.

Thanks for any input.
Nice to see you back Goat
There is literally no way to ascertain how much btc Nefario has already sent himself or what addresses he controls. Rather than risk him getting the coins they probably should be donated to the bitcoin foundation or something.

The people who are owed coins and might sue the GLBSE owners would not agree with this. The GLBSE owners can not just give the coins away. That will not end well for them. Keep in mind that GLBSE is not an LLC.

Edit: format fail lol
Nice to see you back goat
full member
Activity: 238
Merit: 100
February 23, 2013, 06:15:28 AM
Hey all,

I had a call with James this morning, and he told me he could not communicate with the people holding the bitcoins he owes us, solely because he lost the flash drive with his private (GPG) key on it. I recommended the simple solution of giving the GLBSE trustees (Theymos and ColdHardMetal) the list of those who are owed funds, and trusting that they will treat the data and distribute the funds appropriately. He said "Huh, I hadn't thought of that". Then said that he will send them the lists when he gets home in a few hours. Could he really not think of this stupidly simple answer to this ridiculous problem on his own?

I'm quoting and sending this message to the two that he mentioned on the phone.

Also, he mentioned that he hasn't checked his glbse or doctor.nefario email accounts in over a month, and the forum for even longer.

Hopefully he'll bring himself to resolve this mess once and for all.

--Garrett


As a followup to this I have been contacted by Nefario's email address with some addresses to send the coins I'm holding to.

However, before I randomly send coins off to these addresses, I'd like to establish that they aren't addresses controlled by Nefario.

Does anyone have any suggestions on how that might be accomplished?

I'm thinking if I post the addresses and the holders are forum members we are reasonably confident aren't Nefario, they could somehow demonstrate they do in fact control the address, and then I could send the coins on. I have no idea how that demonstration could be accomplished. I'm a bookkeeper, not a developer.

Thanks for any input.

There is literally no way to ascertain how much btc Nefario has already sent himself or what addresses he controls. Rather than risk him getting the coins they probably should be donated to the bitcoin foundation or something.
hero member
Activity: 700
Merit: 500
February 23, 2013, 05:14:01 AM
I'm thinking if I post the addresses and the holders are forum members we are reasonably confident aren't Nefario, they could somehow demonstrate they do in fact control the address, and then I could send the coins on. I have no idea how that demonstration could be accomplished. I'm a bookkeeper, not a developer.

Ask people to sign a string containing their e-mail address and/or forum account name with their claim address. They will send you the clear string and the signature. You can then verify that the signature matches the string using various tools. Satoshi Bitcoin client does this.

By the way, you could also ask people to re-submit to you their GLBSE claim addresses, however since addresses are pseudonymous, posting them here would also be acceptable.


Okay, that sounds workable if I can figure out the verification bit. I don't have any of the emails associated with these addresses.

Thanks.


If this list is about refunding everyone 100%, first thing I'd consider is checking the list in the OP of GLBSE Payment Claims thread to identify those addresses that are still waiting for their remaining 10%.

Yet, the sum of the missing 10% from that list is tiny, compared to still pending refunds (e.g. friedcat alone is still waiting for ~1.7k BTC from GLBSE).

Your best take to verify the remaining addresses would be to post the list here and let forum members confirm via PM which they control. If those who believe their address is missing on the list also PMd you, this will give you already a quite reliable indication of how legit the list is. The only issue hard to resolve are those addresses from people not frequenting the forum or completely left Bitcoin scene. Most former GLBSE asset issuers donate the remaining funds after some wait period.

I did all this recently to repay my former investors and resolve the mess GLBSE left behind. It is a PITA lot of work and I feel sorry for you now being responsible for cleaning up mess you did not cause (alone). Good Luck.


I've only been holding a portion of the total deposits that there were. As such I only have 4 addresses to deal with, so this isn't too cumbersome. Nefario has all the records of everything else. I don't have access to any of that and never have. I have no idea what proportion of amounts owed to the addresses he gave the amounts he asked me to send represent, and no way to find that out. Given that this is the first time Nefario has responded to/contacted me since October, I would be surprised if that information were forthcoming.


That said I guess we'll do it this way. If your GLBSE payout address is one of the following please contact me so we can figure this out via memvola's suggestion above.

1GMys8gSUi5L3JrqZNPRB4s87JCwiQURvX
1PPyh5DtEkW45MHzdub3zKC3Z5NWmjALjH
17fd4pVV5u3GHrqHBc46tzoiDZJ3pMgnjJ
1BBKGnvVkyZ1sFCkZGee3RN7nxoSdm9AHT