
Mt. Gox leak rumor - yeukhon
http://pastebin.com/8gbUXLN3
======
Before everybody gets all up in arms about how this says that they still had
around 1 million BTC, remember that this lines up exactly with what Mt. Gox
has been saying.

This is Mt. Gox's own accounting. It _should_ report that they still have BTC.
But these are just numbers from a database. What Gox has said is that while
they thought that they still had BTC, while their systems (AKA this) still
reported them having lots of BTC, the actual wallets had long since been
emptied.

So really, this doesn't help anybody in any way. It could still be a hack, or
it could be Gox screwing with everybody, or it could be something else
entirely. It really doesn't mean anything. Other than showing that Gox still
can't secure anything to save their life.

~~~
glesica
Can someone explain how these guys managed to write their software in such a
way that there was zero automatic verification that what their database said
matched what was in the wallets, even just a cron job that ran once a week or
something? I mean, I'm assuming there's a good reason, because I can't figure
out how anyone could overlook something like that.

~~~
PeterisP
If you have bitcoins in 'cold storage' (Gox supposedly had 99+% of their BTC
that way) - i.e., the keys are physically offline and not accessible remotely
in any way - then I don't see any easy ways of checking if all those coins are
still valid.

~~~
exit
"The keys" are the private component of a private key/public key pair. The
public key can be shared with anyone / stored anywhere, and gives you the
address, which makes checking one's balance trivial.

~~~
PeterisP
Okay, you can detect open thefts that way and Gox should've implemented that.
But you still can't detect if you've lost control of the private keys - if
you've split all your cold balance into many addresses of X BTC each, then you
can remotely check if the addresses are still filled, however, if an [inside]
attacker takes those keys and replaces them with garbage, then no auditor is
going to know that the addresses aren't in your control anymore; the solution
would probably be periodic (automatic?) proof-of-ownership tests on those
balances.

In any case, securing BTC is hard and requires stricter controls and more
discipline than securing general banking systems, as the nature of BTC makes
it easier to get away with large amounts of funds. For example, you need a
solid solution for multiple "write-only" offsite backups of 'cold keys',
because otherwise you simply risk your assets being permanently destroyed due
to a simple hardware failure; but if anyone in your company is able to
singlehandedly recover & decrypt a single such backup, then he can immediately
abscond with all the money.

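The two checks discussed in this sub-thread (balance reconciliation via the public address, and a periodic proof-of-ownership so a swapped or lost private key is noticed while the address is still funded) as an added example that is not code from Mt. Gox or from any commenter. It assumes Go's stdlib P-256 in place of secp256k1, a hash of the public key as a stand-in address, and a map as a stand-in for the blockchain; the names NewColdKey, AddressOf, Sign and Audit are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// NewColdKey generates a cold-storage key pair (assumption: stdlib P-256
// stands in for secp256k1; only the public key ever leaves the offline box).
func NewColdKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// AddressOf stands in for a Bitcoin address: a hash of the encoded public key.
func AddressOf(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return fmt.Sprintf("%x", sum[:8])
}

// Sign is the offline side of the test: the cold key signs the auditor's
// fresh challenge, proving the key is still present and intact.
func Sign(priv *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

// Audit reconciles the DB ledger (address -> recorded balance) against the
// chain (simulated by a map) and verifies each ownership signature with the
// stored public key: a balance mismatch catches open theft, a failed
// signature catches a key lost or swapped for garbage while still funded.
func Audit(ledger map[string]float64, pubs map[string]*ecdsa.PublicKey, chain map[string]float64, challenge []byte, sigs map[string][]byte) []string {
	var findings []string
	h := sha256.Sum256(challenge)
	for addr, want := range ledger {
		if got := chain[addr]; got != want {
			findings = append(findings, fmt.Sprintf("%s: DB balance %.8f, chain balance %.8f", addr, want, got))
		}
		if pub := pubs[addr]; pub == nil || !ecdsa.VerifyASN1(pub, h[:], sigs[addr]) {
			findings = append(findings, addr+": ownership not proven (key missing or replaced)")
		}
	}
	return findings
}
```

An empty result from Audit means every address still holds what the DB says and every cold key still answers; the challenge must be fresh each run so an old signature cannot be replayed.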
------
rys
The full leak contains a back office administration tool used by Mt.Gox, and
what looks to be complete trade logs up to and including November 2013. The
leakers haven't included any personally identifiable information.

If it means anything, I've had a look for my trading activity and it's all
there and completely correct.

~~~
nwh
They certainly have. The amounts withdrawn and deposited are enough to make
solid connections between addresses on the blockchain. With this information
it's possible to make a lot of associations between addresses you couldn't
before knowing this information. From what I've read it gives the amount,
account hash and the time, that's more than enough to uniquely identify them
on the blockchain.

~~~
nullc
For people who had frequently reused publicly known addresses it's as good as
putting their account name on the records.

I guess people didn't learn from the infamous AOL search data release.

------
xpda
It is possible that MtGox lost its money by dipping into deposits and pending
cash withdrawals for its own use. Then, maybe some bad investments snowballed
and they couldn't recover.

This seems more likely than someone hacking them and ripping off hundreds of
millions of dollars worth of bitcoins without them noticing.

There is regulation that prevents this (most of the time) in banks, but in an
unregulated exchange it would be easy (and stupid) to start gambling with
customer deposits and pending withdrawals.

A few months ago I set up a MtGox account, and noticed the MtGox policy of
taking weeks or months to wire the proceeds from a bitcoin sale. That seemed
like a red flag, and made me wonder what they're doing with the cash between
the bitcoin sale and the wire transfer. I'm glad I opted out of MtGox.

------
tlrobinson
This is the same content posted to Karpeles' blog, already being discussed
here:
https://news.ycombinator.com/item?id=7369072

~~~
yeukhon
Ah, thanks. Poster of this HN post here. I posted it on pastebin because the
original content could be removed later and I thought saving it in a cache like
pastebin was a good idea, so I didn't check whether the original link had been
posted or not.

~~~
mckee1
Yeah you were quite right, the info has now been removed from Mark's blog.

------
fleitz
From a legal perspective, for mtgox you really couldn't hope for better news:
not only have their systems been tampered with, but now there is undoubted
proof.

Just paint yourself as the good guy amongst a scene of money launderers,
hackers and drug dealers. This isn't proof of fraud, it's proof that people
broke into their systems and tampered with them.

~~~
DrStalker
The attackers here broke in and stole a DB copy; they may not have been able
to tamper (e.g. they had access to a backup of the DB but not the running
copy).

It's probably still a good part of a "we're incompetent not malicious!"
defense, if that is how they decide to handle things.

------
Zombieball
I've loosely been following the MtGox fiasco, including previous hacking that
revealed voice conversations, passport scans, etc. However, I don't quite
understand the context or ramifications of this leak. Could someone give a
brief description?

Much appreciated!

~~~
junto
I took this away as a tl;dr:

    Currency: BTC Balance: 951,116.21905382 <– That fat fuck has been lying!!

~~~
bradyd
But in another part of the statement it says "We stole no bitcoins. There were
none to steal.", which seems to contradict them having ~1 million BTC.

~~~
a_olt
The balance may have been obtained from the logs, rather than from actual
funds stored in the wallets.

~~~
DrStalker
It's a DB dump, so this is exactly what it is.

If they had the public keys to all Mt Gox's wallets they would be able to
check them for funds, but there would still be questions about who controlled
the wallets and whether they had found them all, so it would still not be
proof of fraud (but the more evidence collected, the more likely there will be
something confirmable discovered).

------
dcc1
It's correct, has a 20 euro balance on an account I haven't used in 2 years and
forgot about until this hoopla began.

