
Topic: Please delete (Read 23057 times)

vip
Activity: 1052
Merit: 1105
December 19, 2012, 11:48:34 AM
I don't think this thread is good for Bitcoin,  and promoting Bitcoin is my number one goal. 

This thread is now locked.
legendary
Activity: 3388
Merit: 4615
December 19, 2012, 11:45:27 AM
As far as I knew blockchain.info and bitcoinstore.com were 2 completely separate and unrelated businesses.  As far as I'm concerned, it is absolutely not appropriate for someone from one business to be using "admin access" at another business to gain special privileges.

I cannot in good faith (and will not) recommend blockchain.info to anybody ever again unless they do one of the following:


Publicly and openly state in an obvious and easy to find way on their main website which other businesses have special admin access to look up information on people's accounts.

or

Immediately sever all relationships with other businesses, removing admin access from anyone who would use that access to benefit their other business.

or

Provide all users with the exact same admin access, so that they too can track down scammers as necessary.


Furthermore, I can not and will not ever recommend bitcoinstore.com to anybody.  I understand that they are frustrated with the loss of the bitcoins that they accidentally sent, and I realize that the "right thing to do" for the person who received those bitcoins was to return them.  However, that does not make bitcoinstore.com's use of special access to blockchain.info any less inappropriate.  As far as I'm concerned their use of this access was at least as inappropriate as the failure of the person receiving the extra bitcoin to return them.
sr. member
Activity: 434
Merit: 250
December 19, 2012, 11:44:19 AM
He didn't set out to scam anyone though, there was no premeditation that he was going to try to scam coins from bitcoinstore.

Sure, but he was trying to get a business to commit fraud.

(yeah, government sucks and all that...but still)
vip
Activity: 1052
Merit: 1105
December 19, 2012, 11:42:02 AM
As the saying goes, don't wrestle with a pig, you both end up dirty and the pig just enjoys it.

I think you are right.  :(
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
December 19, 2012, 11:40:21 AM
This thread should be locked, then stickied.  So much to learn about Bitcoin, privacy, security practices, liars, scammers, incompetence, and waste of time.
legendary
Activity: 1274
Merit: 1004
December 19, 2012, 11:40:10 AM
People attacking the victim in this community and sticking up for the thief? What else is new...

I wouldn't go so far as to call him the victim, but he definitely isn't a scammer either. A scumbag yes, and possibly a thief. He didn't set out to scam anyone though, there was no premeditation that he was going to try to scam coins from bitcoinstore.

Seriously Roger, this was a terrible idea. The whole thread makes you, memorydealers, bitcoinstore and blockchain.info look bad. Worse, there was no point to it. Public shaming might work against someone with a built up reputation, but this guy had to spam newbie posts just to be able to post it. As the saying goes, don't wrestle with a pig, you both end up dirty and the pig just enjoys it.
vip
Activity: 1052
Merit: 1105
December 19, 2012, 11:39:26 AM
If this had just consisted of  "I made a mistake but now this guy is being dishonest" I would be 100% fine with it.

Here you go:

Myself,  and others at Bitcoinstore made some mistakes but now this guy is being dishonest.

hero member
Activity: 482
Merit: 502
December 19, 2012, 11:39:03 AM
TangibleCryptography, AFAIK, there is actually an existing feature in bitcoin network allowing you to send transaction with the ability to change it later. It's currently not implemented in any client, but it could be used to review and correct one's recent transactions.

https://en.bitcoin.it/wiki/Contracts
staff
Activity: 4214
Merit: 1203
I support freedom of choice
December 19, 2012, 11:38:36 AM
People attacking the victim in this community and sticking up for the thief? What else is new...
high positions, high responsibility ;)
sr. member
Activity: 434
Merit: 250
December 19, 2012, 11:36:13 AM
I don't want the next news article about Bitcoin to be entitled "In the lawless Bitcoin world, business owners seek revenge by publishing customer information"

Sure would cut down on the asshole customers.
sr. member
Activity: 434
Merit: 250
December 19, 2012, 11:32:24 AM
People attacking the victim in this community and sticking up for the thief? What else is new...
legendary
Activity: 1458
Merit: 1006
December 19, 2012, 11:29:43 AM

If a wallet is found the results are shown as follows:

[Wallet {email='[email protected]'
, guid='abf66471-fe0a-6820-8977-55d7e8c1f6b2'
, shared_key='XXX-XXX-XXX-XXX'
, secret_phrase='My Secret'
, alias='piuk'
, created=Tue Jan 03 12:52:07 GMT 2012
, updated=Tue Dec 18 19:47:40 GMT 2012
, created_ip='81.187.238.52'
, updated_ip='127.0.0.1'
, sms_number='+44 7525431876'
, country='GBP'}
]

I am going to change notifications to store SHA256(bitcoin_address) rather than the plain bitcoin address which will remove the ability to lookup a wallet by address entirely.



You absolutely need to go into urgent damage control mode on this.

The wallet-query information (e-mail, phone# and IP-addresses) could, for example, be used to make an example of some random Silk Road customers.
sr. member
Activity: 476
Merit: 250
Tangible Cryptography LLC
December 19, 2012, 11:26:34 AM
Unfortunately an extra 4.5119 was also sent to him that he is refusing to return. (I understand that this is partially Bitcoinstore's fault)

While it likely will be lost in the scam vs counter scam accusations, the error in the OP has a relatively simple fix.  BTW I have done the same thing and it was a LOT larger than 4.5119 BTC.  Luckily (and yes I had that sick feeling in my stomach until it was resolved) for me the person who was double paid was a regular repeat customer and stand up guy who promptly returned it.

So the relatively simple fix.   bitcoind should have a delay send feature.  A parameter which, when set in the config file, indicates the number of seconds a transaction should be held before sending.
Code:
delaysend=120

Before someone freaks out about "reversing payments" this would simply be client side.   (assuming delaysend=120 is set)
1) user sends x BTC to address y (x or y may be wrong)
2) client provides transaction id
3) for the next 120 seconds the tx is NOT broadcast to the network.  
4a) In the GUI a cancel button can be shown (which disappears after tx is broadcast).
4b) In bitcoind two new RPCs are added.
Code:
CancelDelaySend [txid].  txid is optional.  Calling it with no txid will abort all queued delay sends
OverrideDelaySend [walletpassphrase].  Wallet passphrase is required even if wallet is unlocked (see hot wallet below).
5) delaysend expires and tx is broadcast normally

Honestly I would put some coins towards a bounty (a portion for a functional patch, and another portion when included in mainline).

This would also provide some (although not complete) protection for a hot wallet.
1) hot-wallet password is NOT stored on server.
2) hot-wallet password manually entered by admin when bitcoind is started (with no expiration on locking hot-wallet)
3) DelaySend can't be modified once bitcoind is started.  Changing it requires bitcoind reset (and thus admin password).
4) DelaySend can be overridden but requires admin password.

If attacker attempts to send funds using the bitcoind it will be delayed for x seconds giving admins a chance to double spend the attacker from a backup wallet and get a head start in any race.  The hotwallet password isn't available on the server in plaintext.  The wallet.dat (actual file) is still encrypted.  It can be decrypted from the key in memory but that is a slightly more sophisticated attack.  In the event the server still has outside communication admins could call the 'lockwallet' RPC to flush the decryption key from memory.  Alternatively cutting actual power to the server or power cycling (via remote PDU with separate login credentials) would result in a locked wallet and erasure of any DelaySend txs.

Note this isn't foolproof but it does raise the bar compared to the totally simplistic current attacks (login as admin, use server's own hotwallet bitcoind to send out funds or locate passphrase in code and grab a copy of wallet.dat).   It gives admins a fighting chance if the intrusion is detected early.
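
A minimal model of the delaysend proposal in the post above, added here as an illustration; it is not bitcoind code and not from the poster. The class and method names, the injectable clock and the PBKDF2 passphrase check (a stand-in for testing the passphrase against the encrypted wallet) are assumptions.

```python
import hashlib
import hmac
import os


class DelaySendQueue:
    """Client-side hold queue modelling the proposed delaysend semantics."""

    def __init__(self, delay_seconds, passphrase, clock):
        self._delay = delay_seconds   # fixed at start-up; no setter (hot-wallet point 3)
        self._clock = clock           # injectable time source (assumption, for testing)
        self._salt = os.urandom(16)
        # Assumption: only a salted KDF output is kept, never the passphrase itself.
        self._verifier = self._kdf(passphrase)
        self._pending = {}            # txid -> earliest broadcast time
        self.broadcast = []           # txids released to the network, in order

    def _kdf(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 100_000)

    def send(self, txid):
        """Steps 1-3: hand back the txid at once, but hold the tx locally."""
        self._pending[txid] = self._clock() + self._delay
        return txid

    def cancel_delay_send(self, txid=None):
        """Step 4b: drop one held tx, or every held tx when txid is omitted."""
        targets = list(self._pending) if txid is None else [txid]
        return [t for t in targets if self._pending.pop(t, None) is not None]

    def override_delay_send(self, passphrase):
        """Step 4b: release everything now; the passphrase is always required."""
        if not hmac.compare_digest(self._kdf(passphrase), self._verifier):
            raise PermissionError("wrong wallet passphrase")
        return self._release(list(self._pending))

    def tick(self):
        """Step 5: broadcast every held tx whose delay has expired."""
        now = self._clock()
        return self._release([t for t, due in self._pending.items() if due <= now])

    def _release(self, txids):
        for t in txids:
            del self._pending[t]
            self.broadcast.append(t)
        return txids
```

A transaction that has already been released is no longer in the hold queue, so `cancel_delay_send` returns an empty list for it, which matches the cancel button disappearing after broadcast.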
sr. member
Activity: 452
Merit: 250
December 19, 2012, 11:23:06 AM
This thread is good actually, outing dishonest people is a good thing in the bitcoin community. So many people are clearly mad they don't get to run successful businesses like memorydealers/bitcoinstore that they jump on any little incident to try and put them down. Doesn't it state on your website already that you don't label items cheaper than sold for to save the customers money on any customs?

If this had just consisted of  "I made a mistake but now this guy is being dishonest" I would be 100% fine with it.

It went quite a bit beyond that.
full member
Activity: 157
Merit: 100
Hello!
December 19, 2012, 11:18:20 AM
This thread is good actually, outing dishonest people is a good thing in the bitcoin community. So many people are clearly mad they don't get to run successful businesses like memorydealers/bitcoinstore that they jump on any little incident to try and put them down. Doesn't it state on your website already that you don't label items cheaper than sold for to save the customers money on any customs?
hero member
Activity: 742
Merit: 500
Its as easy as 0, 1, 1, 2, 3
December 19, 2012, 11:16:24 AM
This whole thread is such a joke.

It amazes me that it all revolves around Roger's own fuckup and $50

I think I'll be staying away from MD in the future.

I think you meant to say that this all revolves around one of my employee's fuckups, a dishonest customer,  and my non-ability to let the customer get away with it.

If I had let him get away with stealing $60,  or if he had been an honest guy in the first place,  none of this would be an issue.



FTFY, get a PR person, you are doing it wrong.
vip
Activity: 1052
Merit: 1105
December 19, 2012, 11:15:49 AM
If I knew his passphrase,  I could have logged into his account,  and taken my money back.

You finally destroyed your moral reputation with this phrase.

This point was made to show that Blockchain.info funds are secure,  not that I want to steal anyone's money.

mccorvic summed up what happened so well!

So, if I have this right.  A scammer gives blockchain.info his bitcoins for safe keeping, scams the guy who runs it, and then complains that blockchain.info might maybe want their BTC back even though that can't happen anyway?

GTFO!

I think I'm going to go buy something off bitcoinstore.com just to counteract your stupidity.
sr. member
Activity: 452
Merit: 250
December 19, 2012, 11:15:26 AM
Ok so it wasn't you who sent the excess coins.

I agree that the customer is dishonest.

I'll still be staying away from both people after all that has been shown in this thread.
vip
Activity: 1052
Merit: 1105
December 19, 2012, 11:13:38 AM
This whole thread is such a joke.

It amazes me that it all revolves around Roger's own fuckup and $50

I think I'll be staying away from MD in the future.

I think you meant to say that this all revolves around one of my employee's fuckups, a dishonest customer,  and my non-ability to let the customer get away with it.

If I had let him get away with stealing $60,  or if he had been an honest guy in the first place,  none of this would be an issue.

sr. member
Activity: 452
Merit: 250
December 19, 2012, 11:07:50 AM
This whole thread is such a joke.

It amazes me that it all revolves around Roger's own fuckup and $50

I think I'll be staying away from MD in the future.