

Statement on Mt. Gox - trendspotter
http://antonopoulos.com/2014/02/25/statement-on-mt-gox/

======
crystaln
"Some exchanges were in fact completely unaffected, revealing as false Gox’s
claims that this was a bug in bitcoin."

This reveals a lack of objectivity here. There IS a bug in bitcoin. There are
workarounds, and some exchanges implemented those properly.

Of course, MtGox should have followed best practices and implemented a
workaround, but the above sentence is - on its face - flawed and biased. The
fact that some exchanges were immune to the bug does NOT mean that bitcoin
bears no fault or that Gox's claims are false. This was and is, in fact, an
acknowledged and widely known bug in bitcoin.

~~~
davidw
I'm inclined to agree with cperciva, who is no slouch with security stuff:
[https://news.ycombinator.com/item?id=7289273](https://news.ycombinator.com/item?id=7289273)

~~~
crystaln
The statement is inherently flawed, regardless of its source. Because _some_
exchanges were unaffected does not mean that MtGox was not affected, and the
statement itself implies that other exchanges were affected which would be
evidence in MtGox' favor.

I'm not saying MtGox was not incredibly incompetent, however nobody is helped
by this false defensiveness over a very serious and clear bug in bitcoin that
seems to have affected at least a few exchanges.

Regardless of MtGox' incompetence, this IS a serious bug in bitcoin for which
a workaround is required, and without which a bitcoin theft is possible.

~~~
eliasmacpherson
If this implementation is bugged:

[http://blog.magicaltux.net/2010/06/27/php-can-do-anything-
wh...](http://blog.magicaltux.net/2010/06/27/php-can-do-anything-what-about-
some-ssh/)

then is ssh broken?

~~~
crystaln
Please state your point rather than providing just a link. I don't know what
you are trying to say.

~~~
seabee
That a bug in one implementation does not imply a bug in the protocol.

~~~
crystaln
I didn't say there was a bug in the protocol.

There is a bug in the REFERENCE implementation, which is used by almost every
exchange. And one criticism of MtGox was that they used a custom version of
the reference implementation, and should have used the standard one. You can't
have it both ways.

~~~
eliasmacpherson
Is there a reference implementation for SSH? I don't think so.

By your standards then SSH is broken, which is false. I don't want to have it
both ways. I think if you are running a money service that you should not rely
on variables that were known to be malleable since 2011. There's even a wiki
page about it, on a site the guy owned, since Jan 2013. Either they run
someone elses code and made sure it worked, or run their own code and made
sure it worked - and by worked I meant worked the way they needed it to, not
the way they expected it to.

~~~
crystaln
As I said, they are definitely incompetent.

However, it's quite clear that this is a bug, and it could have affected them,
and they could be telling the truth, contrary to what the original article
says.

------
mindstab
A little regulation and over sight might have prevented all this. And with out
it going forward all anyone can do is advise best practices, and then watch as
some ignore them and also have their money stolen. Very wild west. Totally
something I'll be staying well back from

~~~
argumentum
It's unfortunate that many people lost money (and some might have lost a lot),
but if the ecosystem can recover from this without _governmental_ regulation
(as I expect it will), we have the first evidence (ever) that there is no need
for a central authority to conduct oversight and ensure a robust currency.

It looks likely that the free market, which _includes_ the self-regulating
actions by Coinbase, Blockchain and others (as well as customer reactions),
will punish the bad actors and reward "good" (well managed) companies. It will
also create _better consumers_ , who will now be more diligent in evaluating
relevant services before they sign up.

You write that you'll be staying away for now, that is your right as a
potential participant in the market. We are already seeing the major players
(like Coinbase) react to your sentiment by increasing transparency to bolster
confidence in their services.

1\. _This is what we want._ 2\. When have you seen the existing financial
system react so rapidly and thoroughly to the many flaws and disasters
incumbent within?

Yes, "a little regulation and oversight might have prevented all this", but it
also might have prevented crypto currency from being able to prove its value
(or fail to) in the free market.

~~~
aggronn
> we have the first evidence (ever) that there is no need for a central
> authority to conduct oversight and ensure a robust currency.

No one has ever doubted that this was possible. 'Robust' currency has existed
without a central monetary authority in the past (for millenia!). The reason
the Fed exists is because its believe that it takes an existing 'robust'
currency and makes it better.

~~~
argumentum
""The Federal Reserve System (also known as the Federal Reserve, and
informally as the Fed) is the central banking system of the United States. It
was created on December 23, 1913, with the enactment of the Federal Reserve
Act, largely in response to a series of financial panics, particularly a
severe panic in 1907"" \-
[http://en.wikipedia.org/wiki/Federal_Reserve_System](http://en.wikipedia.org/wiki/Federal_Reserve_System)

The common argument is that the modern, global economy is too complex to
govern itself, and prone to disasters.

~~~
aggronn
I'm not sure how this relates to my comment. Its not a binary issue of whether
a currency can or cannot function on its own. Currencies functioned on their
own okay before, and after the Fed, they've arguable done better. Whether you
believe it or not is immaterial to my point--we have a wealth of evidence that
robust currency can exist without a central authority. Just because bitcoin
rebounds after some period of time doesn't mean that a) it wouldn't have been
worse if there was central authority and regulation, b) that the rebound is
translatable to other currencies, or to other crises, c) that the rebound was
a result of anything other than exogenous increases in demand.

------
xdarnold
Under the presumption that it is true that ~750k BTC has been stolen, has
anyone considered the possibility of orchestrating a 51% attack on the
attacker(s)?

Gox probably has logs of withdrawal requests. It might be daunting but
feasible to sift the tx-MAL withdrawals from legitimate ones, then work with
major pools and exchanges to double-spend stolen coins back to Gox.

Gox could then be forced (by the same 51% majority) to pay legitimate requests
for reimbursement by vendors or 3rd parties holding stolen coins they
transacted for goods or services, given reasonable documentation. Leaving us
with some but not unacceptable collateral damage.

~~~
MichaelGG
That really undermines Bitcoin overall.

Also, that makes it more attractive to act maliciously, as an exchange. Either
you make off with your stolen BTC (win), or the community fixes things for you
(not really a loss).

What _would_ help is some equivalent of FDIC. A group of Bitcoin "banks" that
handle your deposits, with some pro-BTC group guaranteeing your deposit up to
100 BTC or something. Getting the insurance would of course require all sorts
of intense auditing and oversight. And somehow, someone's gotta pay for it all
(perhaps the same group of Bitcoin companies pay in). But that's... very far
removed from the current state of affairs.

~~~
xdarnold
100% agreed - this would certainly undermine the movement. The open question
is whether it would do so more or less than the loss of half a billion dollars
held by the community. I'm not sure what the answer is, but shouldn't every
option be on the table?

------
diegocg
It puts all the blame on Mt. Gox, assuming that their lack of good management
is to blame. But I still see the lack of reversibility of transactions (one of
bitcoin's strengths) as the major problem here. We live in civilized in a
world where there are laws and polices and judges and banks and governments,
but bitcoin tries to workaround them for no good reason.

I'm still hoping that banks will take what to me is the bitcoin's biggest
feature (multiple wallet addresses and the ability to easily make cash
transfers to other wallet address) but without pretending that centuries of
legal and financial traditions somehow don't matter.

~~~
sigil
> But I still see the lack of reversibility of transactions (one of bitcoin's
> strengths) as the major problem here.

"Stop Saying Bitcoin Transactions Aren't Reversible"
[http://elidourado.com/blog/bitcoin-
arbitration/](http://elidourado.com/blog/bitcoin-arbitration/)

The n-of-m multisignature facilities described in that article are the future
of Bitcoin. You probably don't need multisig arbitration when you buy a coffee
or a stick of gum, but you probably do when you're transferring large sums. Of
course, there was no multisig protection in sight in the MtGox case, but then
there was no blockchain in sight either. Far worse errors of judgement were
made there.

Bitcoin makes the use of arbitration services optional, _and_ it makes the
actual mechanics of arbitration services safer and more efficient. The arbiter
in a 2-of-3 multisig transaction can't freeze or seize funds in transit --
hello PayPal! -- and takes zero action in the vast majority of cases, where
there is no dispute.

Banks, credit card companies, and existing payment systems like PayPal can't
easily, optionally disintermediate themselves. They must play arbiter. And we
must pay for it.

> bitcoin tries to workaround them for no good reason.

There's a good reason. Why do businesses today pay transaction fees when you
use your card to buy that coffee?

I'll just quote the opening paragraph of the original Bitcoin paper:

"Commerce on the Internet has come to rely almost exclusively on financial
institutions serving as trusted third parties to process electronic payments.
While the system works well enough for most transactions, it still suffers
from the inherent weaknesses of the trust based model. Completely non-
reversible transactions are not really possible, since financial institutions
cannot avoid mediating disputes. The cost of mediation increases transaction
costs, limiting the minimum practical transaction size and cutting off the
possibility for small casual transactions, and there is a broader cost in the
loss of ability to make non-reversible payments for non-reversible services.
With the possibility of reversal, the need for trust spreads. Merchants must
be wary of their customers, hassling them for more information than they would
otherwise need. A certain percentage of fraud is accepted as unavoidable.
These costs and payment uncertainties can be avoided in person by using
physical currency, but no mechanism exists to make payments over a
communications channel without a trusted party."

[https://bitcoin.org/bitcoin.pdf](https://bitcoin.org/bitcoin.pdf)

------
panarky

      “Cold storage” does not “leak”. The idea that the funds were stolen,
      unnoticed, from cold storage, due to Transaction Malleability,
      strains the credulity of even the most gullible observers.
    

This part of the story still doesn't make sense.

One possible explanation that I haven't seen anywhere else is that MtGox lost
control of the private keys to their cold storage.

How else could 744,000 BTC disappear, without anyone noticing, from cold
storage?

------
aresant
Two important items:

a) Adreas is the Chief Security Officer of Blockchain and a well known /
respected digital currency personality.

b) The most interesting part of the article was a link to another post
reviewing Coinbase's security practices (1) where he concludes "it appears
that the Coinbase system contains the expected funds and their cold storage
system and process appear to be operating according to security best
practices."

(1) [http://antonopoulos.com/2014/02/25/coinbase-
review/](http://antonopoulos.com/2014/02/25/coinbase-review/)

~~~
smtddr
If anyone has 38mins to burn...

[http://techcrunch.com/2013/12/17/foundation-brian-
armstrong-...](http://techcrunch.com/2013/12/17/foundation-brian-armstrong-on-
coinbase-and-bitcoin-security/)

A Google Ventures video about coinbase security with Kevin Rose(from old Digg)
asking a bunch of questions with Coinbase founder Brian Armstrong.

Sounds very legit to me.... but... you _still_ shouldn't leave huge amounts of
bitcoin in any exchange! Make[1] your own btc-address + private key and keep
the coins there. And note that bitaddress.org can be git clone'd and ran on a
computer without internet access.

1\. [https://www.bitaddress.org](https://www.bitaddress.org)

~~~
argumentum
Coinbase isn't really an exchange (though it works as such for US dollars).
It's mainly a hosted wallet service that provides apps, and merchant and
developer tools to make it easier to engage with the bitcoin ecosystem.

------
smtddr
_> >I was part of the team helping to coordinate between the other exchanges
to ensure that they could quickly resume operations which they did no more
than 48 hours later. Some exchanges were in fact completely unaffected,
revealing as false Gox’s claims that this was a bug in bitcoin._

I don't think that reveals anything about what happened in MtGox. Also, don't
know if anyone's noticed... but mtgox.com has a message now.
[http://i.imgur.com/YDONE4d.png](http://i.imgur.com/YDONE4d.png)

And note the word "DONE" in that imgurl URL. Ominous...

