
Why Mt. Gox is full of shit - klrr
http://cryto.net/~joepie91/blog/2014/02/10/why-mtgox-is-full-of-shit/
======
nwh
There's no acceptable middle ground really. Practically every Bitcoin service
is full of incompetence of varying degrees. Coinbase for example uses MongoDB
for their accounting and apparently was hacked (and the funds returned) as an
effect of that. Every other service has issues with the founders (BTC-e is run
by who?) or their security record (inputs.io had a cold wallet?) in some way.

You can't trust much in this particular corner of the internet.

~~~
lispsil
You left out Bitomat, the incompetent exchange that deleted their own amazon
instance accidentally which contained all their keys, and thus customer funds.

~~~
pbhjpbhj
Perfect[ish] cover story?

~~~
judk
Victims can monitor the blockchain to determine if their coins were spent? (If
the victims know their coins' public keys, I guess)

~~~
pbhjpbhj
Indeed that's what made me temper it with an -ish. Whilst you can monitor it
that doesn't really help if the perps have escaped beyond the reaches of the
relevant laws.

How many people are monitoring the blockchain in that way - sounds like an app
idea.

------
kens
I don't think anyone has pointed out that MtGox said "We have discussed this
solution [additional hash in the protocol] with the Bitcoin core developers
and will allow Bitcoin withdrawals again once it has been approved and
standardized." [1] A Bitcoin protocol change like that is not going to happen
for a long, long time, if ever, so do the math on MtGox's statement and when
they will allow withdrawals.

The Bitcoin team did push out a change in 8 hours once for a critical
signed/unsigned bug that threatened the whole system [3], but this problem
looks to me like NOTABUG/WONTFIX. The transaction malleability is an
annoyance, not a real bug. Basically the support team just needs to spend an
extra 5 seconds checking a transaction instead of blindly issuing refunds.

My recent article [2] goes into the Bitcoin protocol in great detail if you
want to know more about transaction signing, which should help explain
technically what is going on with malleability.

[1] [https://www.mtgox.com/press_release_20140210.html](https://www.mtgox.com/press_release_20140210.html)

[2] [http://righto.com/bc](http://righto.com/bc)

[3] [https://bitcointalk.org/index.php?topic=822.0](https://bitcointalk.org/index.php?topic=822.0)

~~~
rjzzleep
ok, but please read the related pull requests

[https://github.com/bitcoin/bitcoin/pull/2131](https://github.com/bitcoin/bitcoin/pull/2131)

[https://github.com/bitcoin/bitcoin/pull/3637](https://github.com/bitcoin/bitcoin/pull/3637)

[https://github.com/bitcoin/bitcoin/pull/3016](https://github.com/bitcoin/bitcoin/pull/3016)

[https://github.com/bitcoin/bitcoin/pull/3025](https://github.com/bitcoin/bitcoin/pull/3025)

~~~
nullc
These are not all that directly related— they're the start of a set of changes
which will probably take us one to three years to fully deploy... what mtgox
was talking about in their press releases was just some simple standard way of
generating a stable ID, this wouldn't be a protocol change at all... and is
only a few lines of code:
[https://github.com/sipa/bitcoin/commits/normtxid](https://github.com/sipa/bitcoin/commits/normtxid)

But what's more important is that this malleability stuff is not very much
related to fraud risk, I explained more here:
[http://sourceforge.net/mailarchive/message.php?msg_id=319565...](http://sourceforge.net/mailarchive/message.php?msg_id=31956576)

------
lispsil
Of course Gox is full of shit, anybody see his php ssh implementation?
Karpeles is a guy who rolls his own crypto every day and has no idea it's
completely flawed, and when you point out the flaws he doesn't believe you and
uses it anyways.

He's a cancer and nobody should be using MtGox. You're supposed to trade coins
in IRC decentralized using the web of trust, or localbitcoins in person.
Exchanges should only be used if you have a business bank account and are on
first name basis with the guy who runs Bitstamp or Cavirtex on IRC otherwise
you get delays and holds for identity verification, limits, other problems
like your bank freezing your account when they notice wires going to Slovenia
too often.

*Edit Gavin just posted a response on the bitcoin foundation blog, confirming Gox is indeed full of shit.

------
steven2012
Anyone who uses Mt. Gox is a fool, especially after the first few security
issues. Hearing about further issues in terms of security, etc is sort of like
hearing the wailings of a person whose spouse is cheating on them... for the
5th or 6th time. At some point, the victim only has themselves to blame.

~~~
hatu
Literally 2 days after I registered on Mt Gox (2011), I got this email:
"[Mt.Gox] Account database compromised". I'm glad if they're going away. I've
never trusted them since.

------
sillysaurus2
One interesting aspect of this whole ordeal is the fact that, thus far,
exchanges' prices have depended on each other. That is, a huge sell order on
Bitstamp will more or less immediately affect the price on BTC-E, MtGox, etc.
(The exception seems to be Coinbase, which seems to use some kind of
exponential weighted averaging, but even Coinbase will get dragged down if the
price drop is dramatic enough.)

If people lose all confidence in Gox, but still retain faith in other
exchanges, then that means we're going to witness MtGox's price drop while the
other exchanges' prices rise. However, this becomes an economic opportunity
for anyone who wants to do arbitrage between exchanges. Therefore it seems
like the prices won't ever diverge too much.

The conclusion, it seems, is that no matter how bad one exchange is, it will
simply drag the overall price of Bitcoin down across all exchanges rather than
suffer punishment as an individual company. The fact that arbitrage is doable
seems to give MtGox some insulation from consumer outrage.

This poses a question: Is it true that as long as an exchange keeps
functioning, then it's "here to stay" no matter how badly they behave? Is
there any way that an exchange could go out of business from nothing more than
consumers losing faith in that _one_ exchange?

~~~
socialist_coder
You can't do arbitrage on Mt Gox though because you can't get any money out.
That's the whole reason the price discrepancy exists.

~~~
oijaf888
Why can't you get the money out via a Japanese bank account? They claim to
send funds to those within a few days.

~~~
afterburner
Is it supposed to be easy to get a Japanese bank account if you've, say, never
been to Japan, and don't speak Japanese? Honest question...

~~~
rdn
No, you need some level of residency. Maybe it could be worked around by
incorporating in Japan and getting a business bank account. I think Gox can do
withdrawals to Polish banks too, but unsure.

------
pistle
The candlestick charts are not telling a pretty story about trust right now.
Bitbugs keep the faith and talk about buying with blood in the streets since
it always bounces back, but every flash crash comes with a worse story.

The headline is "Largest Bitcoin Exchange Doesn't Understand Bitcoin"

What hope do retailers and any but the very-technical have in managing the
risk implicit in digital currencies?

Not to mention, seeing supporting forum posts where people are discussing the
parts of fractions of coin being sent around... do people really think 8-10
digits past the decimal can hope to be manageable for consumers? It's bad
enough to deal with Yen conversions.

Please tip your server .00343874938239487 bitcoin. When 15% of the value can
evaporate while business is happening... when do you bill the customer for
lunch? When they order?

------
kordless
News flash: people don't like to admit they are wrong. They will find ways to
rationalize their actions to fit a model where their fears of being wrong are
temporarily alleviated. Unfortunately most people don't realize it's more work
in the end to deny being wrong than just coming clean.

We've been through this several times with Mt. Gox. It's time for everyone to
STOP using them and start using something else for trading. Continuing to use
them and making rationalizations that things will 'get better' will only
result in a global case of cognitive dissonance.

They are threatening an ecosystem that is important and which has a large
potential value. In my opinion, they need to be removed from that ecosystem.

------
zapnap
Not wholly surprised here. As a side note, I wish it was easier to move coins
_out_ of mtgox. They require "verification" to even transfer coins to another
BTC address at this point, which means sending them proof of identity and
proof of address. I'm not against identifying myself but given their
absolutely abysmal security record and repeated demonstrations of
incompetence, I'm loath to send them anything even remotely sensitive, which
leaves me in a bad position where I'm stuck with coins I can't even access...

Ugh. Local wallets, people. Local wallets.

------
jasonlingx
Let this be a warning to everybody with bitcoin in wallets they do not
absolutely control, for example, Coinbase - you can and almost certainly will
lose them at a moment's notice, sooner or later.

I feel really sorry for those with funds tied up with MtGox. It was only
recently where I used MtGox to store most of my bitcoin and I am lucky to have
decided to move them all to paper wallets.

This demonstrates one of the biggest issues holding back widespread adoption
of bitcoin, the ability of the layperson to securely hold large amounts of
bitcoin.

------
x0054
Mt. Gox is indeed full of shit. As I understand the issue, due to their
bitcoin implementation, there is a possibility that someone would send
bitcoins from their Mt. Gox account to a wallet, then alter the signature of
the transaction, and then claim that the transaction did not go through and
contact support to request the funds to be resent.

Here are 2 easy solutions to this problem which do not require anything to be
done by the bitcoin community, and could be exacted by Mt. Gox today:

1. Allow all transactions to go through as before, but state clearly that if
your transaction does not go through after being submitted, it will take a
long time to clear the transaction, because it will have to be checked by
hand. Assuming that 90% of people are not planning to scam Mt. Gox, 90% of
people would be able to get their money. The remaining 10% would have to wait
a bit longer while Mt. Gox checks transactions by hand.

2. Alternatively, write a system where a user can request to withdraw
bitcoins. The Mt. Gox server first generates a new wallet, then transfers the
BTC to that wallet, then sends the user the public and private keys for that
wallet. Assuming that the user (for good reason) does not trust Mt. Gox, they
then can simply transfer the BTC from a temporary wallet to a permanent one.

------
rainmaking
My experience exactly. I was just buying a hundred bucks worth of coins, and I
had to suffer through inexplicable delays, error messages that were obvious
lies, the list goes on and on. Incompetence is one thing ("sorry about the
hassle, but look aren't we cheap!") but trying to obfuscate the real reason of
problems is just a huge red flag.

I'm in Europe, and I like Kraken very much. blockchain.info recommended them.

------
ewams
FTA: "The time to stop using Mt. Gox has been long overdue. Move your business
to a more serious exchange, one that is willing to admit their failures,
should they occur. One that has the best interests of the entire Bitcoin
ecosystem in mind, rather than their own bottom line."

~~~
gnoway
Yes. I'm shocked this hasn't happened already, since this seems like a
textbook instance of where the unrestricted free market should correct
ignorant or malicious behavior by a bad actor.

</snark>

~~~
oleganza
Keep in mind that if the market was free, US and EU would be full of bitcoin
ATMs and there would be several working exchanges in every country. So if
someone had a slightest problem with MtGox, they'd easily switch to another
exchange already.

However, in reality there are huge obstacles to moving fiat money around and
the market is simply not allowed to improve liquidity how it desires.

~~~
krrrh
A free market isn't just one with lower amounts of regulation but also one
where regulation is applied indiscriminately to all participants. Many bitcoin
exchanges have only been viable because they did not yet have the same
regulation applied to them as is applied to "fiat" exchanges. There are
necessary regulations for how exchanges or ATMs work, what sort of reporting
they need to do, and what sort of safeguards are in place to protect customers
from fraud and loss. And there is a lack of financial professionals who
believe in bitcoin enough to help adequately build these systems, and of
course far more importantly, a huge lack of demand from the general
population.

~~~
oleganza
By your logic, if His Majesty The King applies his laws equally to everyone,
then it's a free market?

Any organization which is tax-funded has inequality and discrimination built
in. Some are net tax payers, others are net tax receivers. Then, net tax
receivers dictate why it's good and honest for them not to pay, but receive
and why it's good and honest for them to extract payment from others. And
under what "regulations". Obviously, tax-funded regulations cannot be applied
indiscriminately to _all_ participants.

Free market is not about equality. It's about ability to protect property
against anyone's opinion. Bitcoin and the internet themselves are a fine
example of a nearly free market: no matter what you think of me and no matter
what I think of you, we both can avoid each other and no one can take each
other's coins. But if we don't have such technology and have to keep our cash
in a bank, then we both depend on someone's opinion how the money should be
used and how much we can spend and where.

------
kirk21
Trying to find a European alternative. Suggestions next to
[https://localbitcoins.com](https://localbitcoins.com) or
[http://www.coinnext.com/](http://www.coinnext.com/) ?

------
oleganza
Today's price fluctuation only proves that people do not really understand how
Bitcoin works. Many keep all their coins on the exchange because they got used
to the traditional banking. MtGox says "it's a fault in the protocol" and
people sell off in panic. Thankfully, over time we have more exchanges, more
different implementations, more and better educational resources to learn
about real risks of Bitcoin. Meanwhile, smart people pick up cheap coins while
they can.

------
o_nate
This article seems rather biased and brings in lots of past problems at Mt.
Gox rather than focusing on the current issue - perhaps because a more
detailed explanation of the current issue would reveal that this problem goes
beyond Mt. Gox. There is a disturbing tendency among some Bitcoin partisans to
instantly dismiss any issue that comes up as being well-known and well-
understood, even if "well-known" means that it was posted somewhere on a
message board read by few.

~~~
TomGullen
If it goes beyond Gox, why are other exchanges operating seemingly with no
problems? Bitstamp is a good example of a well run exchange. Gox has been
mired in self inflicted problems for many months.

~~~
o_nate
From my understanding, workarounds do exist for the issue, and some exchanges
probably have implemented them. However, the issue goes beyond Gox in the
sense that without those workarounds in place, any exchange could be
vulnerable.

------
ck2
_the official Bitcoin daemon (bitcoind) does not rely on a transaction ID to
determine if a transaction succeeded_

Sooo how does it do it? How does it determine a unique transaction id?

~~~
nullc
It tracks the coins you were spending when you made the transaction.
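
What the reply above describes, together with the "stable ID" idea from the earlier reply, as an added example that is not part of the original thread and not Bitcoin's or anyone's production code. The transaction model, serialization, `WithdrawalLedger` class and sample values are simplified assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class TxIn:
    prev_txid: str     # transaction that created the coin being spent
    vout: int          # index of that coin among its outputs
    script_sig: bytes  # signature data; not covered by the signature itself

@dataclass(frozen=True)
class Tx:
    inputs: tuple      # TxIn entries
    outputs: tuple     # (satoshis, destination) pairs

def _digest(tx, with_sigs):
    # Simplified serialization (assumption), double SHA-256 like Bitcoin's txid.
    ins = [f"{i.prev_txid}:{i.vout}:{i.script_sig.hex() if with_sigs else ''}"
           for i in tx.inputs]
    outs = [f"{value}>{dest}" for value, dest in tx.outputs]
    raw = "|".join(ins + outs).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def txid(tx):
    return _digest(tx, True)       # changes if script_sig is re-encoded

def stable_id(tx):
    return _digest(tx, False)      # ignores script_sig, so it survives re-encoding

def outpoints(tx):
    return frozenset((i.prev_txid, i.vout) for i in tx.inputs)

class WithdrawalLedger:
    """Hypothetical payout tracker keyed on the coins spent, not on the txid."""
    def __init__(self):
        self.pending = {}          # outpoints -> (user, outputs)

    def record(self, user, tx):
        self.pending[outpoints(tx)] = (user, tx.outputs)

    def settle(self, confirmed):
        """Return the user paid by a confirmed transaction, or None."""
        entry = self.pending.get(outpoints(confirmed))
        if entry is None or entry[1] != confirmed.outputs:
            return None
        del self.pending[outpoints(confirmed)]
        return entry[0]

def demo():
    # Constructed sample data: a payout and the same payout with its
    # signature bytes re-encoded in transit.
    sent = Tx((TxIn("aa" * 32, 0, bytes.fromhex("47304402")),),
              ((150_000, "customer-address"),))
    seen = replace(sent, inputs=(replace(sent.inputs[0],
                   script_sig=bytes.fromhex("4c47304402")),))
    ledger = WithdrawalLedger()
    ledger.record("alice", sent)
    return {"txid_match": txid(sent) == txid(seen),
            "stable_match": stable_id(sent) == stable_id(seen),
            "paid_user": ledger.settle(seen),
            "still_pending": len(ledger.pending)}

if __name__ == "__main__":
    print(demo())
```

A support process that looks up the broadcast txid finds nothing for the confirmed payout, while the outpoint-keyed ledger marks it paid, so no second payout is issued.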

------
angryasian
>Their implementation, against all advice, does rely on the transaction ID,
which makes this attack possible.

I think a lot of the comments here and especially the article detracts from
the discussion. The article seems to go on a rant of all the other mistakes mt
gox make rather than addressing the issue.

What is the recommended solution by bitcoin implementers to verify a
transaction succeeded, with transaction malleability existing ?

------
rsync
Why do these services exist at all ?

Cannot the bit coin protocol be used by end users with full features without a
third party "wallet" service ?

Are these services purely for people that don't understand files and
encryption utilities ?

I do not use bitcoin, but if I did, I assume I would just protect and back up
those computer files like many other extremely valuable computer files I have.

What am I missing here ?

~~~
natdempk
These services generally provide a service that is not part of standalone
bitcoin, whether that is a payment API which generates addresses and verifies
transactions for customers, an exchange to trade and value bitcoin based on
fiat currency, or a user-friendly wallet that allows access from anywhere with
internet access and bypasses the need for a user to download and update their
own copy of the blockchain. (The blockchain is pretty large. It currently sits
around 13GB and is always growing.)

There are also end-user applications like Armory, which are meant to manage
and secure a wallet on an end-user's machine, but it's inevitable that people
will use online services for the foreseeable future.

~~~
walden42
There are clients, like Electrum and MultiBit, that don't require downloading
the whole blockchain. The average person should be using these, IMO, not
trusting any e-wallets.

------
jere
Not mentioned in this post is that during that hack where hashed passwords
were released, Mt. Gox was using md5. What jokers.

------
paterpol
Hacked bitcoin exchange platforms, it's not the point the structure, there cs or
a bug in the bitcoin system. The big players have to cooperate to avoid the
unlimited use from the fed of fiat money to buy bitcoins and attack the big
platforms on using an extreme blow off

------
spoiledtechie
I wonder which side is actually telling the truth...

~~~
pudquick
If you'd like an in-depth discussion of what Mt. Gox has screwed up and how:

[http://www.reddit.com/r/Bitcoin/comments/1x93tf/some_irc_cha...](http://www.reddit.com/r/Bitcoin/comments/1x93tf/some_irc_chatter_about_what_is_going_on_at_mtgox/cf99yac)

They didn't discover anything - they were warned, quite some time ago, that
they were not correctly spending and opening themselves up for double+ spends
due to their own misunderstanding of how to reliably track a spend (compounded
by their coding errors).

------
victorlin
the justin bieber of bitcoin exchange

------
sscalia
In case anyone needs a reminder:

Magic The Gathering Online Exchange.

Chase Manhattan, they are not.

~~~
pbhjpbhj
They don't seem too dissimilar.

JP Morgan Chase started as The Manhattan Company
([http://en.wikipedia.org/wiki/The_Manhattan_Company](http://en.wikipedia.org/wiki/The_Manhattan_Company)).
Formed to provide a clean water supply instead the owners took 95% of the $2
million to form a bank and created a system of waterworks that caused massive
cholera outbreaks ... I don't think MtGox has killed anyone yet, though I've
been convinced for a time that they've probably made-off with a lot of the
money.

JP Morgan Chase aren't exactly trustworthy either, motivation based on pure
financial profit will do that - a synopsis of some of their major
indiscretions:
[http://www.icij.org/offshore/jpmorgan-chases-record-highligh...](http://www.icij.org/offshore/jpmorgan-chases-record-highlights-doubts-about-big-banks-devotion-fighting-dirty-money)

