Author

Topic: verifying mtgox balances: proposal (Read 4681 times)

legendary
Activity: 1792
Merit: 1059
March 29, 2014, 09:20:32 PM
#20
what if they have leaked passports, and just need your email to trick other exchanges into a reset password thing?  Roll Eyes

I'm on no other Exchange. Only Gox. It took two years before I dared to invest on Gox.
member
Activity: 133
Merit: 26
March 29, 2014, 05:57:47 PM
#19
what if they have leaked passports, and just need your email to trick other exchanges into a reset password thing?  Roll Eyes
legendary
Activity: 1792
Merit: 1059
March 28, 2014, 05:50:12 PM
#18
Any thoughts?

Hello Olivier,

first thank you for your commitment. I think first we need to try to cooperate with Gox. Gox has to provide us with certain information. Each Gox account has an email address.
There must be some way to match the data. If you are submitting a claim for us, then you also need more information about us. I think at least: name, address, and the deposited email address with Gox.

Another problem for us Germans: In Germany there is no class action. Our legal system is structured a little bit differently. How should we handle this?

regards
Oliver




legendary
Activity: 812
Merit: 1000
March 28, 2014, 01:37:14 PM
#17

he has done some good thngs:

this here is awesome work, https://dl.dropboxusercontent.com/u/68402649/Creditor%20March%2026%20Brief%20%28English%20Translation%29.pdf


i'd be happy to donate with knowing the lawfirm & all put our heads together
newbie
Activity: 37
Merit: 0
March 28, 2014, 12:34:51 PM
#16
Well, you are just putting the words on a pair of gold scales.
Of course he does not represent the cummunity... in the first place it is his own damage which he is representing.
But the fact is: He is making it much more public and factual (e.g. communication with the court) than most of the people (including me) in this forum, who are just spreading FUD in this forum for about 2 months now. Still the advantage is, that you have the opportunity (it is optinal for everyone) to join a possible class-action or not. Additionally, you can follw his efforts on a public site, which is way more useful, than any other egoistic suit.

@anarchy: I am a follower of yours. Please keep it up and do not show drawback. We all have this feeling, that we are getting closer to the truth!!
legendary
Activity: 812
Merit: 1000
March 28, 2014, 10:08:02 AM
#15
Anarchy has offered some things but please read the following to help clarify the mtgoxrecovery position.


on asked about who the law firm is for mtgoxrecovery:



[13:07] marcusw: if you really want to find out, i think their name is in the unredacted versions at the court Tongue

please be aware mtgoxrecovery does not represent you right now:

[13:23] how come you didnt hire your own lawyer yet?
[13:23] I dont need a lawyer
[13:23] well we all want the same thing right?  to get coins back?   we offer different things
[13:23] ok then stop asking about mine
[13:23] == MK4 [[email protected]] has joined ##mtgox-talk
[13:24] you the one representing everyone lol
[13:24] im not representing anyone..

[13:25] i never said im representing the community, and i dont think i should

[13:28] i can make available a group suit, but at this moment i dont see an urgent need yet and it will shave you probably like 20% of the amount you get in the end - you can perfectly submit your own individual claim

source: http://pastebin.com/NJFCrRiu




newbie
Activity: 37
Merit: 0
March 28, 2014, 09:42:36 AM
#14
This wall of text is completely useless for us. anarchy is asking open questions here. There is nothing wrong about it.
I would highly recommend you to either censore your spammy post or just capture the main points in it....  Angry
newbie
Activity: 16
Merit: 0
March 28, 2014, 08:57:05 AM
#13
Conclusion...

11:35:02 what do you think about the announcement regarding the extension of deadline for submission of the examination result ?
11:35:09 is it good news?
11:35:15 anarchystar?
11:40:07 i see lnovy is still on his crusade
11:40:53 so why won't you explain... if your intentions are good... I must be doing bad thing no?
11:41:09 explain what exactly?
11:41:21 oh, cool
11:41:35 could we work this out guys
11:41:46 I've already explained to you multiple times what the issues are and how dangerous this is
11:41:47 → tekto joined ([email protected])
11:42:00 yea, so anarchystar why not try to make it more secure man?
11:42:03 there is no legitimate usage for what you are doing
11:42:17 so people _will_ presume you are trying to scam them
11:42:23 tell me the issue one by one
11:43:07 issue number one: http://balance.mtgoxleaks.org/github/Replace%20email%20with%20autogenerated%20token%20%c2%b7%20Issue%20%237%20%c2%b7%20mtgoxbalance_mtgoxbalance%20%c2%b7%20GitHub.html
11:43:47 anarchystar, lnovy just want to make is more secure
11:43:51 usign email addresses for this purporse is a privacy leak...
11:44:03 it's not more secure... it's more dangerous
11:44:39 more dangerous so anybody can steal our Goxcoin? LoL
11:45:26 SuSEno: if you don't understand this, keep your mouth shut
11:45:40 issue number two: http://balance.mtgoxleaks.org/github/PGP%20signing%20of%20downloaded%20page%20content%20%c2%b7%20Issue%20%239%20%c2%b7%20mtgoxbalance_mtgoxbalance%20%c2%b7%20GitHub.html
11:45:51 1 at a time
11:45:56 ok... go on
11:46:14 go on... I don't have any objection with my e-mail address
11:46:15 +im on a cellphone
11:46:27 â‡� faouanima quit ([email protected]) Remote host closed the connection
11:46:40 "I have nothing else to do" so I will wait Cheesy
11:46:45 SuSEno, I still think we should make it as secure as possible
11:46:52 1) i dont understand why its 'vulnerable to leaking' unless we get hacked
11:47:36 2) if we do get hacked, you have an email, a username and a balance - which is worth exactly nothing
11:47:47 For example Man in the middle attack or because you can just have bad intentions yourself
11:48:15 as I've said... there is much more what is gained than this tripplet
11:48:40 but if there is a solution, why not implement it? besides, isn't this supposed to be open source? also, the new exchange is supposed to be more transparent right anarchystar ?
11:48:49 do explain yourself.. what is gained that is priceless
11:48:55 ?
11:49:24 Chillance: i will answer that after im done with him
11:49:38 you are able to store email address + mtgox username and in the cases of nonzero btc balance you can actually locate users balance outside mtgox... and it's possible for most identities even with zero balance... also with some more trickery, you are able to connect users mtgox identity to his other online identities
11:50:01 (i'm citing myself, I've already told you this)
11:50:20 anarchystar, Im sure lnovy just want it to be more secure, and also make it more secure for a user ala "Trust no one" principle
11:50:31 Chillance: +1
11:50:56 the only the proposed system can be trusted is that you don't trust any of it's part
11:51:11 it's the same principle Open Transactions trust model is based on
11:51:27 the only way
11:51:33 anarchystar, you should talk to Steve Gibsson http://twit.tv/sn
11:51:42 Smiley
11:51:44 ok so basically if i have someones email address and their balance i might reference it to the blockchain and find out (maybe) where the money was sent from
11:53:07 not only that... you can see when and how he was trading, when he and to which address was he sending coins, where his coins came from ect.
11:53:09 Dunno if you can actually track other ppl with just a random email addy and the info from gox.... inside gox ok... but still if we want to join his new exchange i will have to give him more then just an email addy i am sure Smiley
11:53:17 → tholu joined ([email protected])
11:53:18 this informations are valued more than gold
11:53:39 please tell why its worth more than gold
11:53:47 lnovy: he will need my ID, adress etc etc before i can partake in the new exchange anyways which is way more onfo then he gets now
11:53:47 Stormeyes: it is possible to connect your identity with for example facebook one... pretty easily
11:53:49 i still dont see any value
11:54:03 lnovy and ? he can do that when he gets my ID etc too
11:54:10 if you have some tax info to hide in the info, don't bother you're already getting fucked :p
11:54:38 cause if its worth more than gold we better close down all exchsnges right now
11:54:41 Stormeyes: but he cannot easily connect that with your mtgox account... this can be done using mtgoxbalance.org
11:54:51 If you give him the balance info you are agreeing to participate in either a lawsuit or a new exchange in both cases i need to id myself to him or the new exchange will start with trouble
11:55:05 Stormeyes: no
11:55:16 Stormeyes: the site mtgoxbalance.org is not saying anything like that
11:55:33 MtGox Balance gets your balance information directly from MtGox.
11:55:34 This allows charitable initiatives to make sure your claim is real.
11:55:41 what other reason to give your info there then lnovy ? for show ?
11:56:06 they still will need an ID to make sure they dont pay to thieves etc and if they do to be able to find them later
11:56:27 balance site is not 100% proof since it got hacked
11:56:31 Stormeyes: the purporse of the system was to have a somewhat permanent trusted system that you can use to prove your balance to others if you want
11:56:37 (the Gox db i mean)
11:56:50 because that is not possible right now without giving out your password/session
11:56:52 lnovy, well, we have 2 different things. one being more clear on the mtgoxbalance.org, and the second is applying more security right?
11:57:37 non2_ → non2
11:57:38 Just put a big warning on the site for ppl that rather have their privacy then possible charity to get anything back
11:57:44 Chillance: I'm primarly insisting on the security/privacy side...
11:57:55 btw, that Steve Gibsson I linked to REALLY knows what he is talking about.. he should be included Smiley
11:58:06 but, he might be too busy
11:58:17 You yourself give away your ID to anyone so i am suprised that you might think any privacy really still exists Smiley
11:58:35 — Stormeyes thinks privacy is an illusion
11:58:42 Stormeyes: I've proposed exactly this...
11:58:52 ok, here is the thing. we have a solution to better the mtgoxbalance security right?
11:58:58 why not just do that?
11:59:19 lnovy: we need the email for ADDED security: if you sign up at a charity, that charity will send an email confirmation.. if we just give a random token, anyone can steal that and how will you ever proove that it was yours after that?
11:59:24 Chillance: I've proposed that multiple times
12:00:27 anarchystar: you can give user a token issuing token... he will use this to issue a one-shot token to be used for confirmation
12:00:34 how about signing data? like using RSA?
12:00:43 Chillance: i've proposed that also....
12:00:47 lnovy: come again?
12:00:48 lnovy when are u planning to remove my ban on mtgox-talk?
12:01:21 Chillance: im pro signing data and i think thats a great idea
12:01:35 i know u like childish game but it s enough now don t u think?
12:01:36 anarchystar, you have a security expert there?
12:01:36 anarchystar: you give user a token and if he want's to prove his balance to charity, he puts the token to your side and another token is generated... this one is send to charity and is usable for only one fetch of balance
12:01:49 padawan123: blow me
12:02:17 blow me?
12:02:29 this is a principle used in kerberos authentication/authorization system
12:03:05 lnovy: this token how user friendly? id rather have signing
12:03:54 anarchystar: i've also proposed this signing... you just pack the downloaded data with trusted timestamp, sign it and give this to user...
12:03:59 nothing is stored
12:04:11 and only the user can now choose who to show his balance
12:04:11 also signing is issue if private key gets hacked, all becomes worthless
12:04:30 that's why the system is designed to be multi-party
12:04:46 you need more servers to sign your balance to be thrust worthy
12:04:55 yes i know you proposed mant things, but we concluded that asking for email is really not that bad and it was going too far
12:05:46 we can end up with nsa type but were talking about charity, an (self chosen) email and a balance
12:06:10 i think thats enough security
12:06:36 again... the system to be trusted... you need it to be multiparty... and you cannot assure that other parties are playing fair
12:07:15 so, as it stands now people has to trust anarchystar only then?
12:07:27 yes, if someone else besides me would start a charity, and they dont trust me, then it becomes relevabt
12:07:47 besides that... the idea of charity trusting balance sheet of mtgox is stupid... mtgox could have and probably did faked some balances for obvious reasons
12:07:50 unfortunately i have yet to see any other initiatives
12:08:15 yes, I dont think anarchystar is trying to scam people at all
12:08:41 anarchystar: one reason there arent any other initiatives is because no one knows if/what we lost yet i think
12:08:44 Chillance: I never said that also... the problem is that the way the system is designed, somebody will scam people
12:08:52 and the blame will come back to us
12:09:04 but still, I agree with the "trust no one" principle.. I mean, why not if you can right?
12:09:13 Chillance: +1
12:09:13 also stare at one point at the wall all day and you come up with 100 problems while its just a wall
12:09:26 lnovy but those ppl will be known by name etc so hard to scam when you can be found easily
12:09:29 i don't get why the actual mtgox login isn't enough
12:09:47 can check balances there
12:09:49 � ``rawr quit (uid23285@gateway/web/irccloud.com/x-rttbdspyqujkrrxe) Quit: Connection closed for inactivity
12:09:51 vocodork you dont wanna give that out Smiley
12:09:53 these are not just some corner cases problem... these are basic and founding principles of good privacy and security system
12:10:11 lnovy: which scam? explain a scam
12:10:17 Stormeyes: not really... anyone can run a site... no need to place your name there
12:10:47 tbh my alarm bells went off too when i saw mtgoxbalance.org
12:11:22 anarchystar: you have said that you are not going to leak or abuse any privacy information you are gaining this way... how you can make sure other instances of the system will not do otherwise?
12:11:51 yea, and what if you got hacked?
12:12:18 or you have the data offsite?
12:12:39 that would actually be smart
12:12:48 i dont need to run this site nor put my reputation at risk, i dont need to give 10% to gox holders.. there is no gain for me except maybe slight good press
12:13:05 that is not the question
12:13:33 you are running it... for system to be trusted, you need other instances that you have no control over... how do you make them not abuse the information?
12:13:36 lnovy: theres no other sites besides yours
12:13:40 anachystar in fact i suggest u give more than 10/100
12:13:45 again, Im sure lnovy appreciate the effort, but just want it to be secure.
12:13:52 anybody can make such instance, code is opensource
12:13:57 â‡� _ImI_ quit ([email protected]) Quit: _ImI_
12:14:02 and we pulled the source
12:14:12 padawan23: you should go collect for the red cross etc.. ppl give a euro/dollar and you grab their wallet and chose ??
12:14:13 that doesn't make them non opensource
12:14:16 or have other to participate in it
12:14:28 https://github.com/mtgoxbalance/mtgoxbalance see... still there
12:15:09 lnovy: i cant be responsible if u submit info to a scam site
12:15:13 lnovy: think even i can make a site to look like that and get the info from those who enter it....
12:15:32 you cant stop ppl from being stupid, not checking who what where etc
12:15:40 and nothing is fullproof
12:15:52 anarchystar: from the point of view of the person who will get scammed, you are responsible, that's the think I'm trying to protect you from from the start
12:16:05 â‡� mikkom quit ([email protected]) Ping timeout: 265 seconds
12:16:21 I think there are 2 ways to do this then. either closed and we trust anarchystar .. or some distributed system (that needs to be updated to be more secure) where trust relies on ... well, isnt this like BTC transactions?
12:16:22 Stormeyes: you can interlink "trusted" sites to each other
12:16:46 Chillance: it more like open transaction, not btc transactions
12:16:46 to protect an email adres and a ballance ?
12:17:00 lnovy: i dont know, its their domain name - bitstamp is not a scam although ppl submitted same info as gox there
12:17:04 Stormeyes: no, much more than that
12:17:42 → mikkom joined ([email protected])
12:17:45 lnovy: im not so sure about the 'much more than that'
12:17:47 well I don't need to help you... I just want...
12:18:08 lnovy what do they store besides email and balance ?
12:18:12 anarchystar: because you obviously are not that good at this privacy topic, sorry
12:18:34 lnovy: facts or its unfounded
12:18:39 and maybe session key if he's a bad boy Wink
12:19:02 but session key should be worthless if you follow instructions and kill the cookie right ?
12:19:06 anarchystar: you have just proven that... you are creating beginners privacy issues
12:19:18 lnovy: facts?
12:19:59 i can say i have proven x but that doesnt mean anything without facts
12:20:29 Stormeyes: yes
12:20:58 So besides balance and email what else do you have ?
12:21:09 you tell me why balance and -random- email is so sacred
12:21:32 its why we have a discussion in the first place
12:22:17 just advice ppl to get a new ano email and even then if you start to use it to receive help i think you should be forced to ID yourself in case some hacker did change and addid himself as a creditor
12:22:21 → dsfa14 joined (~dsfa14@unaffiliated/dsfa14)
12:22:28 added
12:22:40 or changed his/her balance
12:22:43 anarchystar: read this http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
12:22:53 even if its not a random email., its not a big deal
12:23:27 the simple fact that you are not finding it a big deal proves that you don't understand the topic
12:23:51 well then you explain to everyone why its a big deal
12:24:07 cause i still didnt get any decent reasons
12:24:10 The practice of minimizing the use, collection, and retention of PII is a basic privacy principle.
12:24:13 47
12:24:16 By
12:24:18 limiting PII collections to t
12:24:21 he least amount necessary to conduct its mission, the organization may limit
12:24:24 potential negative consequences in the event of a data breach involving PII. Organizations should
12:24:27 consider the total amount of PII used, collected, and maintained, as well as the
12:24:30 types and categories of PII
12:24:32 used, collected, and maintained. This general concept is often abbreviated as the ―minimum necessary‖
12:24:33 time to kill ur facebook
12:24:35 principle. PII collections should only be made where such collections are essential to meet the authorized
12:24:38 business purpose
12:24:41 and mission of the organization. If the PII serves no current business purpose, then the
12:24:44 PII should no longer be used or collected.
12:24:59 you are saying, when facebook is bad, I can be too?
12:25:32  → meelos joined  â‡� toffoo quit 
12:26:01 anarchystar, do you have some security expert in your team? I mean, at least for the new exchange right? why not have him take a look at this?
12:26:18 if you want participate from anarchys work you have to agree to his conditions end of story
12:26:29 that doesnt tell me anything except the obvious, in this case an email is the best choice for later verification - also its about user friendliness - again, an email and a balance are not worth as much as you are making it to be
12:27:19 â‡� meelos quit ([email protected]) Client Quit
12:27:29 If the PII serves no current business purpose, then the PII should no longer be used or collected. // You don't have any business purpose for the email do you?
12:27:38 Chillance: security expert - we have security experts in it and programming and we follow all standard guidelines
12:27:57 lnovy: yes i do and i explained it
12:28:08 lnovy: the email is for new etc and prob to announce his new exchange where you can use that data....
12:28:14 → _ImI_ joined ([email protected])
12:28:14 you don't following SP800-122, which is like a book for basic school
12:28:16 its to allow a charity to verify you
12:28:20 news
12:28:26 and yes indeed for news
12:29:07 I am pretty happy receiving the blogposts etc on that adres so i dont have to refresh the pages every 5 min myself Smiley
12:29:55 ok lnovy i think we both have our ideas but lets put it to rest - i think its clear now
12:30:37 i dont see serious harm in a random email (even if not random) and a balance
12:30:41 anarchystar: will you please update you F.A.Q. with the warning that you are storing the username and email and this can be connected with things I have mentioned? And also specify the policy of disclosure of this informations to third parties? If you do, I will bother you no more... And you will be safe from any claims also...
12:31:05 yes, I think the info on the site needs to be more clear then
12:31:24 I will even put down the github repo in that case
12:31:35 explicitly say random email
12:31:45 that you can access still ofcourse
12:31:47 Smiley
12:31:53 lnovy: i can add that info, as long as its within reason (let me explain)
12:31:55 not one of those one timer emails
12:32:16 username is hashed though
12:32:23 no?
12:32:26 Chillance: no
12:32:29 facebook does not have to add a warning that it might attract stalkers that could then come to kill you
12:32:33 aha, oh well
12:33:11 well, just make it clear anyway Smiley
12:33:31 anarchystar: well.. but he does have this... https://www.facebook.com/about/privacy/
12:33:55 and this... https://www.facebook.com/full_data_use_policy
12:34:00 lnovy: sure i will add a privacy policy
12:34:17 ill ask laoban lol
12:35:10 if you add the policy and the warning about connection to leaked database, I'm perfectly ok with that... I'm also asking to remove my name from the footer and that's it.
12:35:28 Sounds like a solution Smiley ppl will know the risks if the data would get stolen/abused or whatever but i agree with anarchystar the chanceit happends*usefullness is a low risk
12:36:17 well I have my own theory what you are using this data for, but that will be shown by the time Smiley
12:36:48 what would that be lnovy ?
12:37:02 Chillance: I won't disclose that
12:37:19 it's just too crazy Cheesy
12:37:40 bah, so tired of conspiracy theories and fud..
12:37:53 post it on reddit
12:38:16 seems to me like the way to do it these days..
12:38:50 I suppose you wont be using the mtgoxbalance service then lnovy ?
12:39:35 dont think he is worried about his info he posts that online all the time Smiley
12:39:43 I don't need it for anything Smiley
12:40:02 but anarchystar has my data, I've already submited them
12:40:23 he is op in mtgox-talk so he dont need anyone
12:40:32 he can op as he wants
12:40:39 and decide who to kick and ban
12:40:56 nice poem, was that hard to compose?
12:41:12 he need only the selve on his head
12:41:33 there is a clear difference between sieve and colander
12:41:41 will u ban me from here as well?
12:42:03 u lack of credibility
12:42:06 padawan123 prob not if you act as an adult Smiley
12:42:08 wut? where are you banned?
12:43:35 well, great anarchystar and lnovy solved that Smiley
12:44:17 well... it's completly different system than it was in the start, but whatever Smiley
12:44:46 yea, well, this way works too I guess...
12:45:09 Smiley
newbie
Activity: 16
Merit: 0
March 27, 2014, 11:16:18 PM
#12
I trully sorry to say that, but the project driven by anarchystar has diverted from the general idea proposed here so dramatically that I can no longer keep quiet about this.
 
[07:15] morning
[07:16] Morning anarchystar, afternoon here :-)
[07:17] == PySpace [[email protected]] has joined ##mtgox-talk
[07:17] anarchystar: have you read this? https://bitcointalksearch.org/topic/new-research-proves-mtgox-bitcoins-not-stolen-using-transaction-malleability-537772
[07:21] anarchystar: can you comment on lnovy comments about his proposed changes and closing the source?
[07:32] anarchystar: I'll be glad if you resolve this
[07:34] lnovy: sorry which comments i miss?
[07:34] == PySpace [[email protected]] has quit [Ping timeout: 252 seconds]
[07:35] anarchystar: just explain what was the reason to close the source...
[07:36] == Lunchb0x [[email protected]] has joined ##mtgox-talk
[07:36] we will make an api and not make hashes public right now
[07:36] also, open source.. many comments.. much time wasted
[07:37] these guys are paid per hour
[07:37] this is not a profitable product
[07:38] i have some good news, i will be able to release docs today from court
[07:38] good news? do tell
[07:39] so why not just choose a bsd licence, or gplv2, you can than make any changes you want and not publish them... and invite some other devels (eg. me), to take care of the request that were taking so much time?
[07:41] there is a potential huge potential privacy leak issue with the way it's done right now, I've tried to get that fixed, project code was delete from github instead..
[07:41] which privacy leak issue?
[07:45] you are able to store email address + mtgox username and in the cases of nonzero btc balance you can actually locate users balance outside mtgox... and it's possible for most identities even with zero balance... also with some more trickery, you are able to connect users mtgox identity to his other online identities
[07:48] == sz4dy [c3d20c11@gateway/web/freenode/ip.195.210.12.17] has joined ##mtgox-talk
[07:49] anarchystar: so, when are you releasing the docs today?
[07:50] lnovy: i guess thats why its better to store it in our database instead of making it publich with a hash
[07:50] no... that's a reason why you should not have these at all
[07:50] Lasseter: depends how quick the lawfirm replies
[07:50] lnovy: not have what at all?
[07:51] email addresses
[07:51] anarchystar: why did You remove all records from mtgoxblanace?
[07:51] lnovy: whats wrong with having the email? the only alternative is to ask people to provide a password and thats confusing
[07:51] if emails are leaked with ability to locate whose user on mtgox that will be a huge security risk, BE CAREFUL
[07:52] == sys [~gustgr@pdpc/supporter/active/sys] has quit [Quit: leaving]
[07:52] sz4dy: cause we reset the database, it was still beta..
[07:53] it can also be used to hack accounts
[07:53] there was no reason to reset the database... besides one... it's easier to get people to send you emails once again then is to crack them from hashes
[07:55] anarchystar: could you specify how much btc have you transfered to BB account? By my counting, it should be about 10000 BTC... btc transfer log doesn't shows such internal transfer...
[07:55] == phplaboratory [[email protected]] has joined ##mtgox-talk
[07:55]   you are able to store email address + mtgox username and in the cases of nonzero btc balance you can actually locate users balance outside mtgox... and it's possible for most identities even with zero balance... also with some more trickery, you are able to connect users mtgox identity to his other online identities << EXACTLY, if that happens everyone will be fucked !
[07:57] And I was too loud about it on github, so it was decided, it's better to silence me?
[07:57] i suggest those data to be deleted immedietly
[07:57] there is absolutely not a single reason to delete repository from github for the purporse of "close sourcing" the code
[07:59] anarchystar: you'd better make your things straight or you will be proclamed as scamer by community...
[07:59] lnovy is making a pretty good argument.  I never entered my info into that form out of suspicion.  It may be fine, but there is an element of risk and little to gain for me.
[07:59] he may also get a law suit from mtgox
[08:01] == relatic2 [[email protected]] has joined ##mtgox-talk
[08:02] i didnt enter my information too, i know what will happen if i disclose that information to a 3rd party... at some point that data will be leaked and everyone will be targeted, better to delete it than be sorry
[08:03] that's why I proposed the service to not store anything, only implement signing the downloaded data together with trusted timestamp... both request were denied
[08:04] so on a scale of 1 being gox is going to return the 200k bitcoins to 10 being they found the other 650k bitcoins how good is the news?
[08:04] jhansen858: so on a scale of 1 being gox is going to return the 200k bitcoins to 10 being they found the other 650k bitcoins how good is the news? <-- Yes, I am a member of mensa
[08:04] fuck you magical gag lol
[08:08] == nacer [[email protected]] has joined ##mtgox-talk
[08:12] I think we have our answer now
[08:13] <_biO_> what was the question?
[08:13] lnovy: im sorry, but we never released the source code for mtgoxrecovery and also collected 3000+ users info
[08:14] lnovy: if you want to kill any initiative that will try to give people back a %.. go ahead.. call it a scam..
[08:14] that's something completly different as you cannot connect mtgoxrecovery submitted data reliable to database dump
[08:14] i still trust Mark with my bitcoins
[08:15] lnovy: i dont even see how it can be a scam..
[08:15] == zby_home_ [[email protected]] has quit [Read error: Connection reset by peer]
[08:15] brb need to clear my cache
[08:15] == danieleff [[email protected]] has joined ##mtgox-talk
[08:15] irccloud slow
[08:15] == anarchystar [sid25022@gateway/web/irccloud.com/x-iakqszyvulrcnrub] has left ##mtgox-talk []
[08:15] == Lael [[email protected]] has quit [Read error: Connection reset by peer]
[08:15] == Ksipax [~Ksipax@unaffiliated/ksipax] has joined ##mtgox-talk
[08:16] == anarchystar [sid25022@gateway/web/irccloud.com/x-iakqszyvulrcnrub] has joined ##mtgox-talk
[08:16] ok
[08:16] ok... why are you asking for email addresses then?
[08:17] also, ive made $0 on this whole thing, ive spent over $40k on lawyer fees, a shitload on development fees to get the websites made, etc
[08:17] <_biO_> why?
[08:17] tbh im getting sick and tired of people calling it a scam, and i can just walk away and you know what will happen?
[08:17] lol... I've said the code was over average, but it was nothing that couldn't have been done under 2 hours
[08:18] mtgox will re-open, with mark at the head
[08:18] don't try to sidetrack
[08:18] YES !!!! WE WANT MARK BACK !
[08:18] im not sidetracking..
[08:18] ok... why are you asking for email addresses then?
[08:18] anarchystar: seriously? mtgox plans to reopen with mark as CEO?
[08:19] Blitzboom: yes, that will happen
[08:19] explain to me the alternative of an email address, so we can confirm the user when he signs up at a website and claim his %?
[08:19] hash
[08:19] lnovy: where did you hear that?
[08:19] run it through a url shortener,
[08:19] easy
[08:19] not sure if you are pulling my leg or not
[08:19] Blitzboom: no, were not
[08:19] but how are funds getting distributed through a 3rd party?
[08:19] Blitzboom: it's most probable now Sad
[08:19] that is what is going to happen?
[08:20] anarchystar, you need a computer security course.. SERIOUSLY
[08:20] why is it most probable now?
[08:20] <_biO_> Blitzboom: they said they are trying to recover the damages
[08:20] <_biO_> Blitzboom: probably by continuing to operate
[08:20] edubai shut up
[08:20] did i miss something?
[08:20] anarchystar, you are a scammer
[08:20] I don't mind if I give my e-mail address to anarchystar, even my passport scan.
[08:21] i've proposed a clean solution, generate sha256(rand()) and send that to the user, no email required
[08:21] i don't think anarchystar has bad intentions not like hes anon
[08:21] that guy may may want to help us, but he will cause damage without knowing
[08:22] just dont use same email as mtgox.. prob solved?
[08:22] I was answered, that it is not user friendly, I proposed running that through url shortener... issues was closed as won't fix
[08:22] lol if mtgox comes back to gox people again
[08:22] jhansen858: that's actually worse
[08:22] can we get the good news?  I could use some good news
[08:22] lnovy, anarchystar: how do you know the CEO is to be mark himself again?
[08:22] edubai: accusations without even a reason....
[08:22] lnovy: generate a sha256 rand and send that to the user.. so he can store it in his mailbox.. you think thats safer?
[08:23] yes
[08:23] lnovy: when he signs up at a charity website, that charity sends him a confirm email.. thats it
[08:23] this is not a charity
[08:23] oh nvm. i completely missed "tbh im getting sick and tired of people calling it a scam, and i can just walk away and you know what will happen?"
[08:23] any news at all ? Been sleeping for about 8 hours
[08:23] myrond, wait until you recieve a scam thru your email pretending to be from mtgox with all your real information
[08:23] now things make sense again
[08:23] == relatic2 [[email protected]] has quit [Remote host closed the connection]
[08:23] lnovy: i dont see issues storing the users email address.. if heaven falls down and it gets hacked.. they have an email address.. end of the world?
[08:23] == x1nablea [[email protected]] has joined ##mtgox-talk
[08:23] you don't mind to give your e-mail address to Gox who stole your coin, but you have objection to give your e-mail to anarchystar who are trying to help you.
[08:24] == relatic2 [[email protected]] has joined ##mtgox-talk
[08:24] anarchystar: you seems to not understand how privacy works
[08:24] == wiz [[email protected]] has joined ##mtgox-talk
[08:24] lnovy, soon they will close his window, and everything will be leaked
[08:24] edubai: ummm... so what?  my email has already been leaked in the 2011 hack AND it has been successfully linked already
[08:24] == letmein_cn [0e9b42e7@gateway/web/freenode/ip.14.155.66.231] has joined ##mtgox-talk
[08:24] break his window **
[08:24] edubai: that information is already out there
[08:25] edubai: certainly none of this information is out there because of anarchystar
[08:25] i mean if gox starts back up, they would have to refund the moeny from their site directly?
[08:25] lnovy: also ask any of the users on the mtgoxrecovery site if they received spam or any other crap.. answer is no
[08:25] == intx [intx@unaffiliated/intx] has joined ##mtgox-talk
[08:25] myrond: yeah... that's why the website says, that "This email does not have to be your MtGox email."
[08:26] anarchystar: that's something completly unrelated to this issue
[08:26] == lisper29 [[email protected]] has joined ##mtgox-talk
[08:26] lnovy the site doesn't ask for the email address assosiated with gox, it simply asked for AN email address. Anyone with half a clue would have entered an anonymous email. it's just a point of contact
[08:26] lnovy: its not.. now we have a more accurate balance figure.. thats it
[08:26] just put a disclaimer on there and let the user decide
[08:26] lnovy: i already know the balance of over 3000 people anyway
[08:27] so far I havent seen even one proof that anarchystar did anything... ale he is doing is saying "I claimed this, I made mtgox to do that, my lawyers sent this..". Prove it, publish at least one document otherwise it will look like You doing proper marketing and nothing more Wink
[08:27] anarchystar: now you have a accurate way to connect that user which visited your website, to his complete mtgox history and in most cases even his current bitcoin portfolio outside of mtgox... you don't see a problem with this?
[08:27] parasite
[08:27] sz4dy: i will release a lot of docs today
[08:27] sz4dy: okaj... let's see
[08:28] == mode/##mtgox-talk [+o anarchystar] by ChanServ
[08:28] anarchystar: can you give us the information how much exactly have you send to BB account to be sold through it?
[08:28] == mode/##mtgox-talk [+b edubai!*@*] by anarchystar
[08:28] anarchystar: Where will the docs be released ?
[08:28] anarchystar the bitcoin community is paranoid by nature. THIS bitcoin community is paranoid AND angry. this behavior is expected. don't let a couple of nutjobs ruin what you're doing
[08:28] == mode/##mtgox-talk [-o anarchystar] by anarchystar
[08:29] I'm not angry I'm in denial
[08:29] one step at a time
[08:29] samson_: on the mailing list, blog, etc
[08:29] defy_: yes i know.. but if you dont reply they will automatically come to conlusions and i have better things to do
[08:29] == mode/##mtgox-talk [+o lnovy] by ChanServ
[08:29] == mode/##mtgox-talk [-b edubai!*@*] by lnovy
[08:29] == mode/##mtgox-talk [+b *!*sid25022@gateway/web/irccloud.com/x-iakqszyvulrcnrub] by lnovy
[08:29] == anarchystar was kicked from ##mtgox-talk by lnovy [anarchystar]
newbie
Activity: 16
Merit: 0
March 20, 2014, 11:43:06 AM
#11
The presumed leak of database including passwords actually pointed me at the first of my proposed solutions... Also see this (krtek.net = lnovy)... http://www.reddit.com/r/Bitcoin/comments/200v89/magicaltux_wish_they_would_move_faster/
legendary
Activity: 812
Merit: 1000
March 20, 2014, 11:33:37 AM
#10
i dont know if this is stupid, possible, too time consuming or hackable:


What about verifying everyone's balances manually using the MtGox login & having a witness/witnesses.   Use a live screen viewer like sykpe or team viewer, could use google hang out, have a volunteer network to confirm balances.

you could come up with a screening process which narrows mistakes down to 0.01%, i have some more ideas how this process could work.  

if some guy slips through the net & gains 1k bitcoins via out smarting the confirm process then so be it or cant that happen?

You could even use trusted members of bitcoin community,  we have 100k people to confirm right,  how long would that take ?
sr. member
Activity: 310
Merit: 250
March 20, 2014, 11:20:43 AM
#9
Since the database of what mtgox users had in BTC and fiat was leaked (I confirmed mine), I'm pretty sure you should assume your password is compromised as well.

I just now also noticed that my pending withdraws was also included at mtgox.com, so someone have updated the info there as the pending withdraws weren't there the first time I logged in.

So, using the leaked db will miss pending withdraws/deposits from people.


But really, as the password should be assumed compromised, why not just have a system which basically openly says you can login to your mtgox account from, and it will then grab the data and save it, confirming the users data (like anarchy is saying). Obviously, the system won't save the password and will hash the email and save that with the amount data. Again, I assume my password is compromised anyway. The only thing that can be done with it now is to see my balance anyway. But you then need to know what username was used with it. Either way, one user can basically only have one account, so the only time one should be alarmed is when several users claims the same account. Those cases can be investigated further, otherwise it should be rather safe.

So, imagine I can provide my email and login info. The system grabs this, logins and grabs the amount data from mtgox.com. It then saves that amount data with the email hashed.


It's a classic trust issue. The trust must be put somewhere. At the user or the system user is using.


I will think more about this, because maybe there is a smarter solution with public and private keys generated...

newbie
Activity: 16
Merit: 0
March 20, 2014, 10:37:45 AM
#8
Ok, there is one way: Let user use your proxy with connect support to get session cookie and then let user to input cookie value to service running though same proxy. Depending whether anything else than IP is checked this should work. Mtgox.com doesn't seems to be vulnerable to session fixation, so the even easier way is probably not possible.
hero member
Activity: 714
Merit: 500
March 20, 2014, 10:35:14 AM
#7
If I get this right, you are afraid, that MtGox creditors give you false informations, so it is not enough for them to just log in and send you, what Balance they see.

Yes

The Problem about an open source bot, who sends any sort of data, is that someone simple could manipulate that data it sends, isn't it?

We could run this on a website instead of having people run it locally, but how do you know that you can trust the website to not save your password?
You could make the Code of the Website public. So you can check the code, before using it. I am not an expert on that Topic, so I am not sure, if something like that is really possible.
newbie
Activity: 16
Merit: 0
March 20, 2014, 09:27:28 AM
#6
As I've said, without help of mtgox I don't find this possible.
member
Activity: 102
Merit: 10
March 20, 2014, 09:05:51 AM
#5
the only way to do it without help from mtgox is to
1. make people change their passwords elsewhere if they used the same password as mtgox's one anywhere
2. create multiple trusted signing authorities (eg. one at your server, one at mine, one at gmaxwell... anyone can create a server as this would be public domain code)
3. user submits his username, contact email and password to as many these authorities as he likes
4. authority fetches balances from mtgox
4. authority hashes the username and email and drops the password
5. authorities publish the data and signs it with its key

It's a distributed network of trust with detection of lying authorities and it can also detect if somebody has access to password database as there would be multiple email addresses for the same username signed.


It's a good idea, but I don't think people will give their username/password to just anyone.  There is a possibility gox might re-open in the future.  If we can somehow do this without having a third party involved it would be awesome.
newbie
Activity: 16
Merit: 0
March 20, 2014, 09:03:49 AM
#4
the only way to do it without help from mtgox is to
1. make people change their passwords elsewhere if they used the same password as mtgox's one anywhere
2. create multiple trusted signing authorities (eg. one at your server, one at mine, one at gmaxwell... anyone can create a server as this would be public domain code)
3. user submits his username, contact email and password to as many these authorities as he likes
4. authority fetches balances from mtgox
4. authority hashes the username and email and drops the password
5. authorities publish the data and signs it with its key

It's a distributed network of trust with detection of lying authorities and it can also detect if somebody has access to password database as there would be multiple email addresses for the same username signed.
member
Activity: 102
Merit: 10
March 20, 2014, 08:50:45 AM
#3
If I get this right, you are afraid, that MtGox creditors give you false informations, so it is not enough for them to just log in and send you, what Balance they see.

Yes

The Problem about an open source bot, who sends any sort of data, is that someone simple could manipulate that data it sends, isn't it?

We could run this on a website instead of having people run it locally, but how do you know that you can trust the website to not save your password?
hero member
Activity: 714
Merit: 500
March 20, 2014, 08:47:23 AM
#2
If I get this right, you are afraid, that MtGox creditors give you false informations, so it is not enough for them to just log in and send you, what Balance they see.

The Problem about an open source bot, who sends any sort of data, is that someone simple could manipulate that data it sends, isn't it?
member
Activity: 102
Merit: 10
March 20, 2014, 08:40:30 AM
#1
Hey Everyone,

I'm working on several projects that will benefit MtGox creditors.  However, the 1 remaining issue is that we have to find a way to independently verify that their balances are what they say they are (and link them to an email address).  To this end, I have the following solution in mind.  I'm looking for volunteers who can help write this software.  Also feel free to comment if this is viable or not.

- We create open source software which you can run on your computer
- The software logs in to MtGox through https, and intercepts/saves everything but discards the password.  This results in you getting an https session signed by mtgox, with your username and balance inside of it.
- You submit the https session data to a public database, together with the decryption key, and an email address. 
- The username and email address should be submitted in hashed format (together as one hash), so noone knows what it is (prevent spam and guessing).  Only the websites you give your username and email to will be able to confirm your balance is correct.

Any thoughts?

Please join us in #projectgox on freenode to discuss this.  Make sure to say in the channel that you are there because of the forum post / this project Smiley
Jump to: