Pages:
Author

Topic: Summary of the events last night - And an apology. (Read 13029 times)

member
Activity: 84
Merit: 10
Sketch is the first word that comes to mind when I read this thread. I don't get how people with 10-20 posts here have these huge businesses elsewhere, because it seems like almost everyone on the site. Interesting...in a good way
sr. member
Activity: 322
Merit: 250
SERIOUS UPDATE:[/size]
Quote
Sorry for the slow reply.

Please post in these two threads:
https://bitcointalksearch.org/topic/summary-of-the-events-last-night-and-an-apology-131678
https://bitcointalksearch.org/topic/memorydealerscom-founder-roger-ver-abuses-admin-access-at-blockchaininfo-131608

Something along the lines of

I publicly apologize for lying to Roger Ver of MemoryDealers and Bitcoinstore and for denying that I even had his money.
In fact,  I did have it,  and have now returned it.
What I did was wrong, and I'm sorry for the trouble that I have caused for everyone.
I will work to be a more honest person in the future,

Nethead  (Your real name here if you wish)

Once you post that,  I will gladly remove the rest of your information from the forum.

My reply:

Quote
You arent going to ask for more to remove what you shouldnt have ever posted right? Are you?
Havent seen if you did removed the private info, and messaged members who have quoted that info in their posts to do so, but you have to.

If you keep asking me to do what you say your messages will go to the mods. Who do you think you are to tell me what to write? I did nothing wrong, my hands are clear AND you got FULL of what you sent me by your mistake.

So go on, its your turn now to contact mods to remove any info from the locked thread (they told so) and some members on the unlocked one to remove my info from quote in their posts, this is your responsibility

(i have just waken, so i will not be around for sme hours, i will come back later)

And his final reply here:

Quote
You are the one who lied, tried to steal from me,  and caused all the trouble.
If you continue to refuse to own up to it,  I will put your information back online for the trouble maker and liar that you are.

It is up to you,

Roger

If one has to apologize for anything, is a thing that he will do alone, noone has to tell him to do so (to promote others bussiness)
After all you have to recover my reputation, not me yours.

bump
legendary
Activity: 3472
Merit: 4801
. . .
If this is not your new policy, you really should update it.  If it is still your policy, then you shouldn't be claiming otherwise here.

In their defense, a TOS update probably can't happen overnight during Xmas holidays for practical reasons.

Certainly, however it was December 19 when it was stated:

. . . We have taken the following steps to stop this from ever occurring again: . . .
  • We are currently reviewing our privacy policy. What we did today was excessive. I do not want customers fearing the use of their private data.
. . .

Then on December 21 it was stated:
. . .We won't be sharing any more customer data. (Unless demanded by law enforcement).

After this whole debacle I don't think we'll be attempting to publicly shame anyone else . . .

And yet today January 2 (15 days after the initial incident) the TOS still states:
Quote
. . . all your information, public and private, will be shared with all third parties we do business with . . . and this information may be shared publicly at our discretion.
hero member
Activity: 756
Merit: 522

We won't be sharing any more customer data. (Unless demanded by law enforcement).

After this whole debacle I don't think we'll be attempting to publicly shame anyone else.


Will you be updating your Privacy Policy? Or have you decided that you want to reserve the right to share personal customer data and publicly shame those who you determine have misbehaved?

Your current Privacy Policy still states:

Quote
. . . all your information, public and private, will be shared with all third parties we do business with . . . and this information may be shared publicly at our discretion.

If this is not your new policy, you really should update it.  If it is still your policy, then you shouldn't be claiming otherwise here.


In their defense, a TOS update probably can't happen overnight during Xmas holidays for practical reasons.
legendary
Activity: 3472
Merit: 4801

We won't be sharing any more customer data. (Unless demanded by law enforcement).

After this whole debacle I don't think we'll be attempting to publicly shame anyone else.


Will you be updating your Privacy Policy? Or have you decided that you want to reserve the right to share personal customer data and publicly shame those who you determine have misbehaved?

Your current Privacy Policy still states:

Quote
. . . all your information, public and private, will be shared with all third parties we do business with . . . and this information may be shared publicly at our discretion.

If this is not your new policy, you really should update it.  If it is still your policy, then you shouldn't be claiming otherwise here.
member
Activity: 69
Merit: 10
Has there been any response at all to the PM from Roger trying to blackmail an apology out of nethead?  Considering it was posted in a thread started to apologize for the piss poor handling of this whole thing from the start, it adds a nice extra layer of classy to the drama cake.
full member
Activity: 238
Merit: 100
Page 7 Internet drama
member
Activity: 78
Merit: 10
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.

You misunderstood something, those werent mine, maybe bitcoinica made you broke?
The subject of this all have been changed already and if you didnt even read, please do or out.

Ok, correction. NO GIVES A FLYING FUCK ABOUT YOU.
sr. member
Activity: 322
Merit: 250
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.

You misunderstood something, those werent mine, maybe bitcoinica made you broke?
The subject of this all have been changed already and if you didnt even read, please do or out.
member
Activity: 78
Merit: 10
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)

Shut the fuck up already. Enough with the multiple posts and thinking that anyone gives a flying fuck about your broke ass 4.5 BTC.
sr. member
Activity: 322
Merit: 250
BUMP
because i do not want to let it go
(for more info read my latest posts in thread)
hero member
Activity: 910
Merit: 1005
vip
Activity: 1316
Merit: 1043
👻
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallets private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'

blockchain.info could have simply done

Quote


and have it pass the verifier.
sr. member
Activity: 322
Merit: 250
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallets private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'


I confirm i havent lost any bitcoins, and that after i posted i instantly got an email from piuk with the backups.
Although, i have removed any bitcoins i had in that wallet from when i first got my info from roger

Please do this, i want to test something: update wallets set balance = 1000000 where user = 'nethead'
OK, ok, j/k
hero member
Activity: 910
Merit: 1005
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.

The information should not have been posted publicly, but:

- The user has not lost any money
- The wallets private keys are still safe
- The user has his own backups, we have backups of every version of the wallet.

A normal hosted wallet could have simply done.

Quote
update wallets set balance = 0 where user = 'nethead'
vip
Activity: 1316
Merit: 1043
👻
What information do you have about who abused blockchain.info to alter nethead wallet?

The ip address the wallet was last updated with.

What about the 2-factor authentication issue nethead mentioned?

With the sharedKey two factor authentication can be disabled.

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user
Every version of a wallet is stored (every time it is updated). The users has been sent those backups, with instructions to import them into another client or a new blockchain wallet.

That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
There isn't really any ability lock a wallet, but yes with access to the sharedKey and some custom crafted http requests he could have achieved that affect. Nethead has an email associated with the account so he will have been automatically emailed backups. With backups the extortion would be easily circumvented by importing the wallet into Multibit or any other client. This is one of the reasons why it's always a good idea to keep your own backups.
How about stop pretending that your client sided security is nothing but a joke?
https://bitcointalksearch.org/topic/blockchaininfo-isnt-safe-my-wallet-password-stealer-passes-the-verifier-133032

Never try to build a secure system out of client JS, unless you're the guy who made cryptocat.
hero member
Activity: 910
Merit: 1005
What information do you have about who abused blockchain.info to alter nethead wallet?

The ip address the wallet was last updated with.

What about the 2-factor authentication issue nethead mentioned?

With the sharedKey two factor authentication can be disabled.

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user
Every version of a wallet is stored (every time it is updated). The users has been sent those backups, with instructions to import them into another client or a new blockchain wallet.

That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
There isn't really any ability to lock a wallet, but yes with access to the sharedKey and some custom crafted http requests he could have achieved that affect. Nethead has an email associated with the account so he will have been automatically emailed backups. With backups the extortion would be easily circumvented by importing the wallet into Multibit or any other client. This is one of the reasons why it's always a good idea to keep your own backups.
hero member
Activity: 686
Merit: 564
Since the users password is never sent to the server a randomly generated key is used instead for server side authentication. With that key you have the ability to control some of the meta data associated with a wallet. As that key was posted publicly on the forums nethead should start a new wallet.
That's the information he was sent by Roger Ver. So let me get this straight - any admin, including Roger Ver when he still had admin access, has access to enough information to authenticate to the blockchain.info server as that user and lock them out of their account, bypassing any auditing that might be associated with using admin tools to do the same thing. At any time - including after you'd supposedly removed his admin access - Roger Ver could've locked this person out of their blockchain.info account in order to extort them for, say, money or an apology.
full member
Activity: 209
Merit: 101
FUTURE OF CRYPTO IS HERE!
What about the other questions?

What information do you have about who abused blockchain.info to alter nethead wallet?

What about the 2-factor authentication issue nethead mentioned?

When did somebody at blockchain.info first realize that this particular problem with the key being published was a serious issue and what did blockchain.info do to protect the user from likely various attempts for abuses even if blockchain.info perhaps did not yet know what the actual vector used for the attack is going to be?
hero member
Activity: 910
Merit: 1005
Could you explain this process.

Since the users password is never sent to the server a randomly generated key is used instead for server side authentication. With that key you have the ability to control some of the meta data associated with a wallet. As that key was posted publicly on the forums nethead should start a new wallet.
Pages:
Jump to: