Topic: Summary of the events last night - And an apology. (Read 12971 times)

member
Activity: 84
Merit: 10
Sketch is the first word that comes to mind when I read this thread. I don't get how people with 10-20 posts here have these huge businesses elsewhere, because it seems like almost everyone on the site. Interesting...in a good way
sr. member
Activity: 322
Merit: 250
SERIOUS UPDATE:
Quote
Sorry for the slow reply.

Please post in these two threads:
https://bitcointalksearch.org/topic/summary-of-the-events-last-night-and-an-apology-131678
https://bitcointalksearch.org/topic/memorydealerscom-founder-roger-ver-abuses-admin-access-at-blockchaininfo-131608

Something along the lines of

I publicly apologize for lying to Roger Ver of MemoryDealers and Bitcoinstore and for denying that I even had his money.
In fact,  I did have it,  and have now returned it.
What I did was wrong, and I'm sorry for the trouble that I have caused for everyone.
I will work to be a more honest person in the future,

Nethead  (Your real name here if you wish)

Once you post that,  I will gladly remove the rest of your information from the forum.

My reply:

Quote
You aren't going to ask for more to remove what you shouldn't have ever posted, right? Are you?
Haven't seen if you removed the private info, and messaged members who have quoted that info in their posts to do so, but you have to.

If you keep asking me to do what you say, your messages will go to the mods. Who do you think you are to tell me what to write? I did nothing wrong, my hands are clear AND you got FULL of what you sent me by your mistake.

So go on, it's your turn now to contact mods to remove any info from the locked thread (they told so) and some members on the unlocked one to remove my info from quotes in their posts; this is your responsibility.

(I have just woken, so I will not be around for some hours, I will come back later)

And his final reply here:

Quote
You are the one who lied, tried to steal from me,  and caused all the trouble.
If you continue to refuse to own up to it,  I will put your information back online for the trouble maker and liar that you are.

It is up to you,

Roger

If one has to apologize for anything, it is a thing that he will do alone; no one has to tell him to do so (to promote others' business)
After all you have to recover my reputation, not me yours.

bump
legendary
Activity: 3416
Merit: 4658
. . .
If this is not your new policy, you really should update it.  If it is still your policy, then you shouldn't be claiming otherwise here.

In their defense, a TOS update probably can't happen overnight during Xmas holidays for practical reasons.

Certainly, however it was December 19 when it was stated:

. . . We have taken the following steps to stop this from ever occurring again: . . .
  • We are currently reviewing our privacy policy. What we did today was excessive. I do not want customers fearing the use of their private data.
. . .

Then on December 21 it was stated:
. . .We won't be sharing any more customer data. (Unless demanded by law enforcement).

After this whole debacle I don't think we'll be attempting to publicly shame anyone else . . .

And yet today January 2 (15 days after the initial incident) the TOS still states:
Quote
. . . all your information, public and private, will be shared with all third parties we do business with . . . and this information may be shared publicly at our discretion.
hero member
Activity: 756
Merit: 522

We won't be sharing any more customer data. (Unless demanded by law enforcement).

After this whole debacle I don't think we'll be attempting to publicly shame anyone else.


Will you be updating your Privacy Policy? Or have you decided that you want to reserve the right to share personal customer data and publicly shame those who you determine have misbehaved?

Your current Privacy Policy still states:

Quote
. . . all your information, public and private, will be shared with all third parties we do business with . . . and this information may be shared publicly at our discretion.

If this is not your new policy, you really should update it.  If it is still your policy, then you shouldn't be claiming otherwise here.


In their defense, a TOS update probably can't happen overnight during Xmas holidays for practical reasons.
legendary
Activity: 3416
Merit: 4658

We won't be sharing any more customer data. (Unless demanded by law enforcement).

After this whole debacle I don't think we'll be attempting to publicly shame anyone else.


Will you be updating your Privacy Policy? Or have you decided that you want to reserve the right to share personal customer data and publicly shame those who you determine have misbehaved?

Your current Privacy Policy still states:

Quote
. . . all your information, public and private, will be shared with all third parties we do business with . . . and this information may be shared publicly at our discretion.

If this is not your new policy, you really should update it.  If it is still your policy, then you shouldn't be claiming otherwise here.
member
Activity: 69
Merit: 10
Has there been any response at all to the PM from Roger trying to blackmail an apology out of nethead?  Considering it was posted in a thread started to apologize for the piss poor handling of this whole thing from the start, it adds a nice extra layer of classy to the drama cake.
full member
Activity: 238
Merit: 100
Page 7 Internet drama
member
Activity: 78
Merit: 10
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.

You misunderstood something, those weren't mine, maybe bitcoinica made you broke?
The subject of this all has been changed already and if you didn't even read, please do or out.

Ok, correction. NO GIVES A FLYING FUCK ABOUT YOU.
sr. member
Activity: 322
Merit: 250
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.

You misunderstood something, those weren't mine, maybe bitcoinica made you broke?
The subject of this all has been changed already and if you didn't even read, please do or out.
member
Activity: 78
Merit: 10
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.
sr. member
Activity: 322
Merit: 250
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)
hero member
Activity: 910
Merit: 1005
vip
Activity: 1316
Merit: 1043
👻
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallet's private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'

blockchain.info could have simply done

Quote


and have it pass the verifier.
sr. member
Activity: 322
Merit: 250
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallet's private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'


I confirm I haven't lost any bitcoins, and that after I posted I instantly got an email from piuk with the backups.
Although, I have removed any bitcoins I had in that wallet from when I first got my info from Roger.

Please do this, I want to test something: update wallets set balance = 1000000 where user = 'nethead'
OK, ok, j/k
hero member
Activity: 910
Merit: 1005
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallet's private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'
vip
Activity: 1316
Merit: 1043
👻
What information do you have about who abused blockchain.info to alter nethead wallet?

The ip address the wallet was last updated with.

What about the 2-factor authentication issue nethead mentioned?

With the sharedKey two factor authentication can be disabled.

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user
Every version of a wallet is stored (every time it is updated). The user has been sent those backups, with instructions to import them into another client or a new blockchain wallet.

That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
There isn't really any ability to lock a wallet, but yes, with access to the sharedKey and some custom crafted HTTP requests he could have achieved that effect. Nethead has an email associated with the account so he will have been automatically emailed backups. With backups the extortion would be easily circumvented by importing the wallet into Multibit or any other client. This is one of the reasons why it's always a good idea to keep your own backups.
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.
hero member
Activity: 910
Merit: 1005
What information do you have about who abused blockchain.info to alter nethead wallet?

The ip address the wallet was last updated with.

What about the 2-factor authentication issue nethead mentioned?

With the sharedKey two factor authentication can be disabled.

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user
Every version of a wallet is stored (every time it is updated). The user has been sent those backups, with instructions to import them into another client or a new blockchain wallet.

That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
There isn't really any ability to lock a wallet, but yes, with access to the sharedKey and some custom crafted HTTP requests he could have achieved that effect. Nethead has an email associated with the account so he will have been automatically emailed backups. With backups the extortion would be easily circumvented by importing the wallet into Multibit or any other client. This is one of the reasons why it's always a good idea to keep your own backups.
hero member
Activity: 686
Merit: 564
Since the user's password is never sent to the server, a randomly generated key is used instead for server side authentication. With that key you have the ability to control some of the meta data associated with a wallet. As that key was posted publicly on the forums, nethead should start a new wallet.
That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
full member
Activity: 209
Merit: 101
FUTURE OF CRYPTO IS HERE!
What about the other questions?

What information do you have about who abused blockchain.info to alter nethead wallet?

What about the 2-factor authentication issue nethead mentioned?

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user from likely various attempts for abuses even if blockchain.info perhaps did not yet know what the actual vector used for the attack is going to be?
hero member
Activity: 910
Merit: 1005
Could you explain this process.

Since the user's password is never sent to the server, a randomly generated key is used instead for server side authentication. With that key you have the ability to control some of the meta data associated with a wallet. As that key was posted publicly on the forums, nethead should start a new wallet.
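
The sharedKey design discussed in this thread, modelled as an added example that is not part of the thread and is not blockchain.info's code: the server authenticates with a random token instead of the password, so whoever can read the stored token can change wallet metadata as the user. `WalletServer`, `adminReadOutcome`, the user `alice` and the hashed-token variant are assumptions made for illustration.

```javascript
// Added example: toy in-memory model, not blockchain.info's code.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

class WalletServer {
  // hashTokens=false: sharedKey stored readable (the situation the thread describes).
  // hashTokens=true: assumed mitigation, only SHA-256(sharedKey) is stored.
  constructor(hashTokens) {
    this.hashTokens = hashTokens;
    this.rows = new Map();
  }
  register(user, encryptedBlob) {
    const sharedKey = crypto.randomUUID(); // random token; the password never reaches the server
    const auth = this.hashTokens ? sha256(sharedKey).toString('hex') : sharedKey;
    this.rows.set(user, { auth, twoFactor: true, versions: [encryptedBlob] });
    return sharedKey; // the client keeps the raw token
  }
  authenticate(user, presented) {
    const row = this.rows.get(user);
    if (!row || typeof presented !== 'string') return null;
    const want = this.hashTokens ? Buffer.from(row.auth, 'hex') : sha256(row.auth);
    return crypto.timingSafeEqual(want, sha256(presented)) ? row : null;
  }
  disableTwoFactor(user, token) {
    const row = this.authenticate(user, token);
    if (row) row.twoFactor = false;
    return Boolean(row);
  }
  updateWallet(user, token, blob) {
    const row = this.authenticate(user, token);
    if (row) row.versions.push(blob); // append only: earlier versions stay as backups
    return Boolean(row);
  }
  adminView(user) { return this.rows.get(user).auth; } // what a database reader sees
}

// What can someone who only read the server's stored auth column do as the user?
function adminReadOutcome(hashTokens) {
  const server = new WalletServer(hashTokens);
  const ownerToken = server.register('alice', 'ciphertext-v1'); // constructed sample data
  const seen = server.adminView('alice');
  return {
    twoFactorDisabled: server.disableTwoFactor('alice', seen),
    walletOverwritten: server.updateWallet('alice', seen, 'junk'),
    ownerCanUpdate: server.updateWallet('alice', ownerToken, 'ciphertext-v2'),
    firstBackupIntact: server.rows.get('alice').versions[0] === 'ciphertext-v1',
  };
}
```

With the token stored readable, the stored value alone is enough to disable two-factor authentication and push a new wallet version; with only its hash stored, the same value is rejected while the owner's token still works, and in both cases the first stored version remains available as a backup.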