I'm fluent in Japanese. I listened to the beginning of the recording and it's legit. One of the voices is almost certainly Mark Karpeles' (based on hearing his voice in his recent public apology -- his Japanese is broken but reasonably proficient). It seems to be a recording of a Jan 30 2014 meeting where bankers from Mizuho Bank are asking Karpeles various questions about Bitcoin, the nature of his business, his partnerships in different countries, connections to underground activity, etc. Definitely not something that's meant to be publicly released.
EDIT: Listening to snippets from the rest of the recording, it seems that Mizuho is explaining that they want to cancel Mt Gox's accounts with the bank. Karpeles seems to be protesting and asking why the accounts are being shut down. The guy from Mizuho explains (at 28:00 for Japanese speakers out there) that it's a combination of a lot of factors, including recent technical issues, which make the bank uncomfortable dealing with Mt Gox. Karpeles also mentions following the orders of the Financial Services Agency (金融庁).
EDIT2: 15:00~16:10: Mizuho guy explains that the Mt Gox bank accounts will have to be shut down eventually. Karpeles says that he understands that position, but he thinks that the bank has been rude about trying to force the closure, and would appreciate a more cooperative approach.
EDIT3: 18:00~19:00: An awkward discussion of Karpeles' Japanese. The Mizuho person seems to be offended by Karpeles' rude Japanese, which frequently lacks the correct honorifics that would be expected in a business setting. A woman (I think she's on the Gox team?) explains that Karpeles' first language is French and that he means no offense.
I can work on a fuller description of the call, but just wanted to get a quick verification of its authenticity out there, along with some snippets of the contents.
There is a reason that speaking Japanese correctly is a highly valuable skill. For me personally, though, the amount of "communication rites" in Japanese business interactions is enough to be scared away.
On the other hand, I'd say that the bank person has enough reasons besides the honorifics to be really angry at the guy. The info posted indicates that they want to get rid of him and given that they cite technical difficulties, it might well be possible that their tech team already suspected the "non-banking-grade" software quality we are now hearing about.
I'm digging further off-topic, but anyway: as a non-Japanese speaker and someone who spontaneously thinks in terms of optimization, I'm amazed by the seemingly gratuitously complicated rules of politeness in that language.
Does it require concentration for a native to avoid faux-pas in a discussion? Can it become much more difficult depending on your social origins (i.e. how effective is it as a social discriminant)? I'm wondering how much time and thought is typically spent on those matters, to the detriment of actually thinking and communicating information.
(I guess this post is extremely rude from a Japanese PoV, but I'd genuinely like to understand all this better, and I'm sure typical HN readers can understand this approach)
Although the rules are complicated, I lived in Japan for a while, and almost no one Japanese would be offended by a foreigner getting it only mostly right. This is not terribly hard. It suffices for foreigners to observe the basics.
As explained below, Karpeles referred to himself as "ore". "Ore" is mostly used by men, and carries a boastful tone. Moreover, pronouns aren't necessary to make grammatical sentences, e.g. "I went to the bank" = "Ginko ni ikimashita" = "[Bank] [to] [did go]".
The only function of the word "ore" is to emphasize your own high status relative to whomever you're speaking to. In a bar, after a couple of drinks, among equals, it's quite typical for all the men (usually not women) to use "ore". But in a formal business meeting --- this is known to be an absolute no-no by anyone who has formally learned even a small amount of Japanese.
A fairly close analogy in English would be to randomly sprinkle the word "fuck" in your speech.
I was once speaking to a good friend of mine here, in English.
"Do you want to go out for yakitori?"
"Go fuck yourself!"
"... (switches to Japanese) Have I recently done anything very major to offend you?"
"No, of course not."
"Oh, OK, I was worried. So that phrase, that's something you would only say under extreme distress when you had maximal desire to offend me, or I suppose you could use it jokingly between friends, but neither you nor I generally talk that way."
"I learned it from a movie. I thought it meant "No.""
Along the same lines, I was getting a shave from a super hospitable barber last November in Gifu and the topic of conversation in very broken English (from him) and correspondingly broken Japanese (from me) was basically whether I had seen all of his favorite American movies. We were chatting and laughing quite a lot. When the time came for him to shave around the Adam's apple, he pointed right at my face and said: "You! Shut up!" It was so funny: He had obviously picked that up from a movie, but it took everything in me not to feel a little hurt, even though I knew he didn't mean to say what he said with that sort of edge. I can only imagine how many times I've done something similar in reverse. :-)
(Disclaimer: I don’t know anything about Japanese.)
Complicated grammar in general generally comes from historical traces: there often is a literature associated to it, nuances that express best the ambiguities of life and what you might want to hide from. Case in point: relationship statuses, and the many way to say ‘mmh friend’.
When associated to people via honorifics, these are things people care deeply about, both because they came at what seem a cost (PhDs are hard, promotions longed for, and Noblesse Oblige) and, after being repeated every time one was addressed to, became a core part of your identity. The fact that they are flattering makes it even more crucial. Think of parents who insist on being called ‘Mum’ and ‘Dad’: of course you know what their first names are, but using them can be seen as a lack of love, or respect for their authority, or consideration for the spectacular sacrifice they made. It remains hard to explain why on the spot: it just hurts, and comes off as defiant.
There is finally (and that is certainly true in Japanese high society) an attachment to class & country, a way to protect what was once precious and unique and impregnable. That actually takes the form of genuine and sincere preference for the formal and appropriate: I would be offended if someone told me ‘I love opera, it's so-o fricking cool!’ Yes, it is, and I consider the Opera to be a very buoyant and accessible art form, like Hollywood; but it still comes with a decorum that became part of my enjoyment of it.
Japanese, especially business people, are confronted with foreigners enough to understand that doesn't come naturally. Karpeles however does more than ignore that: even in French (probably the second most culture riddled with grammatical antique quirks -- and I'd know, I am French and love those) he comes off as defiant, disrespectful, and likely to have willingly committed what some accuse him of. That’s not ignorance on his part, but open lack of respect for institutions. Those could be modernised and improved, but they still serve a purpose. Like anyone who's worked at university, I don’t call ‘doctor’ anyone with a PhD, but I still think it’s the most compelling experience someone can go through and I’d understand if, like in Italy and Germany, that remains part of everyday interactions.
For those (like me) who don't know anything about Japanese, referring to yourself as "ore" seems to be inappropriate and likely unintended by Mark.
> Frequently used by men. It can be seen as rude depending on the context. Establishes a sense of masculinity. Emphasizes one's own status when used with peers and with those who are younger or who have less status. Among close friends or family, its use is a sign of familiarity rather than of masculinity or of superiority. It was used by both genders until the late Edo period and still is in some dialects.
Grammar & honorifics/formality are two separate subjects. I'm not fluent in Japanese by any stretch of the imagination, but I know the basics of grammar while I know basically nothing about formal speech/informal speech.
It's not offensive, it's just not right for business. Outside of work, men use ore (tough and manly) or boku (boyish and charming) in regular conversation. Some my co-workers even use ore at the office if they're making a joke or something.
What would be the correct pronoun for a business setting? My knowledge of the language is rudimentary at best (several semesters in High School); we only really learned watashi/atashi/boku (and were reprimanded if we used the wrong pronoun for our own gender).
Using 俺 (ore) sounds extremely arrogant, it's also a very amateur mistake to make (or maybe it was even deliberate). It's definitely not suitable for a business sense as it either conveys superiority or familiarity.
Wow, that's a lot of my personal data leaked in these last months. My email and encrypted password in the adobe breach, my user id and part of my mobile number via SnapChat, and now hackers potentially have scans of my passport courtesy of Mt. Gox.
I'm probably forgetting about some leaks, and who knows how many security breaches were never discovered. The internet is not a safe place.
I'm still getting almost daily phishing/malware from the Mt Gox leak in 2011, and I never even signed up for anything more than to see what it's interface was like. Can't imagine how that will be with people having copies of passports (supposedly).
Please contact Dropbox support about this. My vendor-tagged address leaked on or before 3 Feb 2014, as that's when I got the first spam. I'm currently in the middle of persuading them that they have a security issue, and more people expressing the problem would be helpful.
Pretty much what mine is too, a pile of spam from various compromised services I should have done better than to trust. Mt Gox, Dropbox, Bitstamp (yeah, they never made a big mention of that one) and a variety of other small services.
It happens relatively rarely that a large multinational food company poisons half its customers (or so I like to think), hence I would assume that laws and proper auditing can stop such problems.
In summary I have spent at least five to ten minutes (and likely more) on spam brought to me by Dropbox without any compensation. How about a fixed payout of, say, 100€ per leaked detail (username, password, email etc.), payable immediately to each customer? At least companies with bad security would be out-of-business soon.
Just a few years back I thought my biggest security risk was myself. In retrospect, this seems horrifically naive: The services I use outnumber me so vastly that the 10 or so breaches that I'm aware of, merely counting the services that I use, seems astoundingly low.
Be aware that they also have a different attack surface, and are likely more notorious/interesting than you as a single person. While I agree that keeping control over your own security is a good thing, the comparison you're making is dangerously biased.
I signed up for Mint.com once. I liked the concept in theory. But then after an hour of using it, I realized just how incredibly stupid it is giving a third party total access to all your bank accounts. Then I immediately went and changed the passwords on all my bank accounts.
Was just thinking about the implications of my DL scan being out on the net and potential attempts at identity theft. Excluding market risks, my money is now safer in a properly generated cold bitcoin wallet than it is in my bank account.
Right now in ##mtgox-chat someone named nanashi____ claims to be speaking for a group of hackers who have gotten into Mt Gox in an attempt to figure out what happened. Nanashi says they have a DB dump and are looking at what to do with it. Nanashi gave these links:
Nanashi also posted personal information on those employed by Mt Gox including phone numbers and addresses. Nanashi says the group plans on releasing more info. Nanashi also said the group plans on not releasing the huge store of passport scans they found… Hopefully this group has the public’s best interests at heart.
I didn't, I signed up to an account and stopped at this point because unlike a financial institution they are not governed by laws that require this or would ensure the security of such data.
But I totally understand why people did supply it.
They supplied it because:
1) They've been trained to
2) For a while MtGox was actually the most well-known (and therefore trusted) of the exchanges
On #1, every financial institution in the world goes through some form of KYC (Know Your Customer) anti-laundering process that involves identity verification. And people are so used to doing this when signing up to financial accounts that they failed to comprehend that MtGox (and other exchanges) is not a financial institution being regulated by the same safeguards for their data.
On #2, even if you accepted that they were not a financial institution almost all of the bitcoin exchanges are asking for verification. And the larger more well-known exchanges are viewed as "least risky". It's a herd-like mentality, if these thousands of others did it, it must be safe.
I never supplied the info, to this or other exchanges, but I totally see why excited people who feared missing out as the price rose were willing to do so.
I signed up before they had ID verification about two years ago, and deposited a little money. Then a few months later I'd had my fun and I wanted to take my money back, but discovered they wouldn't let me withdraw unless I provided ID.
After some back and forth with them I somewhat angrily provided ID and got my money returned. It later turned out that they had either been dishonest or incompetent in their argument for providing ID, and I got them to promise me that they had deleted any and all ID docs I sent them, specifically because of scenarios like this one.
The code is ... interesting. Smells organic, not designed. Comments are rare but usually useful. Highly coupled. Static methods everywhere. Violates SOLID principles. Basically, ignores current best practices.
Clearly not designed for any sort of automated testing, which should be the first damn thing you do when there's any sort of money involved. Hell, even when there isn't money involved.
We'd already guessed that last bit, given the previous mentions of them having no testing/staging/QA environment.
Although contrary to popular belief Gox was never a Magic exchange, they were a Bitcoin startup at a time when Bitcoin was not much more than internet lols and pizza deliveries. The first thing you do when hacking together a stupid exchange for a joke e-currency isn't writing unit tests. You just write the code and blast it up on a domain you had lying around for a different project.
Cue runaway success, a company sale or two, scaling issues with complicated technology and not much precedent legal or otherwise, and this is what you get.
There is nothing at all surprising about this code. And it seems Gox's problems were much more deeply rooted than the subjective non-compliance of their code with "best practices".
Whether it was open as one is unclear, but that was the obvious intent here.
Also, remember that the current owners aren't the original owners. This code is wrong in design but new in attempted style, made or majorly updated within the past year or two (based on the language features used).
That's the part I don't understand – I'd be scared witless at the thought of not having tests for anything moving money out of my accounts. When you have millions in those accounts, even a really expensive developer is cheap insurance…
While it may have not been a MTG card trading site, Karpeles was involved in running MMO servers based around Ragnarok Online before running an exchange. His involvement carried through during MTGox's existence until maybe a year or two ago.
I'd be less concerned about code quality and technical best practices and more interested in knowing if Mt Gox had any internal notion of preventing common stock market manipulation tricks such as wash trades and chandelier bidding. I bet a lot of bitcoin startups don't know what those terms mean and thereby shouldn't be operating a finance exchange.
I've written uglier code. But I didn't write it in places where I had highly motivated adversaries trying to break it with the result that many people's life savings would be irrevocably lost if I had a bug.
How is the exception handling? For instance, if something goes wrong when generating a new private key, could they still attempt the transaction but with a null key? (cf the earlier bug that lost 2609 bitcoins.)
Thanks for the reply. If you look at each method that can return failure, and then look at the code that calls these methods, do the callers check for failure or just keep going with the transaction? (This would both indicate the quality of the code and show a path that could generate bad transactions.)
There are a few (9?) places where "getNullAddr" is called. I assume this would return what was earlier called a "null key." It returns the requested information, except when the new address could not be inserted into the database, in which case it returns false. Less than half of the calls have any failure checking, and a few of those return false as well, and who knows if the things that call those functions have any error checking...
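As an added illustration of the failure-checking question raised above (this is Python written for this thread, not the PHP under discussion and not Mt Gox's code; the store, the `get_null_addr_legacy` re-creation, the exception and the transaction type are all constructed), here is the false-on-failure pattern beside a caller that actually honours it, and a variant that raises instead so an unchecked caller cannot proceed with a bogus address:

```python
from dataclasses import dataclass


class AddressStoreFull(Exception):
    """Raised when a new address could not be persisted (constructed)."""


@dataclass
class Transaction:
    to_address: str
    satoshi: int


class AddressStore:
    """Constructed stand-in for the database table that new addresses are
    inserted into. Once `capacity` rows exist, inserts fail, which is the
    failure case the thread is asking about."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.rows: list[str] = []

    def insert(self, addr: str) -> bool:
        if len(self.rows) >= self.capacity:
            return False  # mimics a failed DB insert
        self.rows.append(addr)
        return True


def get_null_addr_legacy(store: AddressStore, seed: int):
    """Hypothetical re-creation of the 'return false on failure' style
    described in the thread: returns the address, or False if the insert failed."""
    addr = f"addr-{seed}"
    if not store.insert(addr):
        return False
    return addr


def build_tx_unchecked(store: AddressStore, seed: int, amount: int) -> Transaction:
    # Caller that never checks the return value: on failure it silently
    # builds a transaction addressed to `False`, i.e. a "null key" transaction.
    addr = get_null_addr_legacy(store, seed)
    return Transaction(to_address=addr, satoshi=amount)


def build_tx_legacy_checked(store: AddressStore, seed: int, amount: int) -> Transaction:
    # Same legacy helper, but the caller treats False as fatal.
    addr = get_null_addr_legacy(store, seed)
    if addr is False:
        raise AddressStoreFull(f"could not persist address for seed {seed}")
    return Transaction(to_address=addr, satoshi=amount)


def get_new_addr(store: AddressStore, seed: int) -> str:
    """Hardened form: failure is an exception, so no caller can forget to check."""
    addr = f"addr-{seed}"
    if not store.insert(addr):
        raise AddressStoreFull(f"could not persist address for seed {seed}")
    return addr


def build_tx_checked(store: AddressStore, seed: int, amount: int) -> Transaction:
    addr = get_new_addr(store, seed)  # exception propagates; no transaction is built
    return Transaction(to_address=addr, satoshi=amount)


if __name__ == "__main__":
    store = AddressStore(capacity=1)
    print(build_tx_unchecked(store, 1, 5000))   # fine: first insert succeeds
    print(build_tx_unchecked(store, 2, 5000))   # to_address=False, money would move to a null key
    try:
        build_tx_checked(AddressStore(capacity=0), 3, 5000)
    except AddressStoreFull as exc:
        print("refused:", exc)
```

The difference a reviewer would look for in each call site is whether the result of the helper is compared against `False` before being used; moving the failure into an exception removes that per-caller obligation.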
Consider not taking advantage of the illegal compromise of someone else's servers, even if you are very interested in the contents of their purloined data. You'd hate it if it happened to your startup, and odds are your startup has plenty of ways to get into equally private data. If nothing else, consider it your moral down payment on being able to criticize the NSA ever again.
The thing with NSA is not about privacy. It's about government violating it en masse in vastly useless and potentially malicious even Orwellian schemes.
I don't mind hackers doing what they must because they can. I consider them a force for good when they get into rich and powerful people's drawers and publish things. It's a reminder that no matter how rich you are and how many laws you have bought you are never outside of public scrutiny.
Except that MtGox is known to with very high probability have been acting criminally dishonestly and there is a strong public interest in helping people determine what happened and recover what could potentially be up to 200000 of their own bitcoins. That pretty much passes all the standard tests for an involuntary violation of privacy; this is NOT a case of hurting an innocent startup.
That sounds like an excellent reason for a judge in Tokyo to issue a subpoena. It does not sound like an excellent reason for the Internet to vicariously participate as a group of Russian hackers roots their boxes.
This code is not "quite clean." The only thing it has going for it is mostly decent naming. This is some of the most tightly coupled code I've seen written this _century_. This is the kind of code that gives PHP a bad rap.
If this is 32-bit PHP, any amount above 21 bitcoins will overflow the integer range (2^31) and will be converted to float. That's bad.
If this is 64-bit PHP, any realistic bitcoin amount multiplied by 100000000 would still be within the integer range (2^63 - 1) and can be passed around without any loss of precision ...
... unless $info['balance'] has anything below the decimal point. As soon as you're dealing with fractional bitcoins, the amount will be converted to a float before it is multiplied by 100000000 and then back to an integer. So even in 64-bit PHP, the code can't avoid passing bitcoins around as a floating point number.
Realistically it is extremely unlikely in 64-bit PHP that the loss of precision caused by this single line of code (and the subsequent casting back into float) will ever round up to a satoshi. The (int)round() just makes sure that you get an integer rather than a double-precision float, because PHP loves to turn your values into other types behind your back. Nonetheless, if the program keeps casting numbers between int and float all over the place, eventually it may begin to lose a satoshi here and there. At the scale of Mt Gox, the errors will definitely add up. That's why you should never touch a float with a ten foot pole if you're dealing with money.
The correct way to handle monetary amounts in PHP is to use the bcmath extension, which enables arbitrary precision.
Using floats to represent currency is a big no-no. Floats have limited precision, and some numbers aren't representable by floats. Go try adding 0.1 to itself over and over again in your favorite implementation.
It is better to represent as integers or fixed-precision numbers. That way, you are dealing with exact quantities.
You can make the same arguments against integers, but you'd need to be willfully blind to the context of the discussion. There are no monetary quantities that can't be represented as integers. Using a scheme that can't represent 1/3 to record numbers for which 1/3 is an illegal value doesn't present any practical or theoretical problems.
In practice that means you can't be sure if `1/1000000` is higher or lower than the value you expect it to be. (to be pedantic, yes you can, because it's well defined, but it can spoil your calculations) When you deal with money, you want the result to be always precise.
Sure, you can prove that, then verify your language complies over the whole range, then add validation that your values never go over the range provided and no input outside of the range can be accepted and then figure out a way to guarantee none of that will change in the future.
(even controlling inputs/outputs is not enough, since internally they sometimes split the values into 40%/60% for transfers)
Or you just stick to ints (or whatever type has unlimited integer range in a given language). Simple solution here is safer than the clever one. Especially if you're sometimes confused about the types and write `round(mt_rand($amount * 0.4, $amount * 0.6))` even though mt_rand returns ints.
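To make the float-versus-integer point from the PHP discussion above and the "integers or fixed-precision numbers" advice concrete, here is an added example (Python, not the PHP of the leaked code, and not anyone's code from this thread; `to_satoshi`, `split_40_60` and the constants are constructed). It parses amounts from their string form into integer satoshi via `Decimal` (playing the role bcmath plays in PHP), rejects sub-satoshi input instead of rounding it away, and does the 40%/60% split mentioned above without creating or destroying a satoshi; the float path is kept alongside only to show the drift:

```python
from decimal import Decimal, InvalidOperation

SATOSHI_PER_BTC = 100_000_000  # 1 BTC = 10^8 satoshi


def to_satoshi(amount_text: str) -> int:
    """Parse a BTC amount given as text into an exact integer satoshi count.

    The value is never passed through a float: Decimal parses the text exactly,
    and anything finer than one satoshi is an error rather than a rounding."""
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        raise ValueError(f"not a decimal amount: {amount_text!r}")
    if amount < 0:
        raise ValueError("negative amounts are not accepted here")
    sat = amount * SATOSHI_PER_BTC
    if sat != sat.to_integral_value():
        raise ValueError(f"sub-satoshi precision not allowed: {amount_text}")
    return int(sat)


def satoshi_total(amounts: list[str]) -> int:
    """Exact sum: every operand is an int, so the result is an int."""
    return sum(to_satoshi(a) for a in amounts)


def float_total(amounts: list[str]) -> float:
    """The float path, for contrast: each amount becomes a double before summing,
    which is what happens when a language silently turns values into floats."""
    return sum(float(a) for a in amounts)


def split_40_60(sat: int) -> tuple[int, int]:
    """Split an integer satoshi amount 40%/60%. Integer division gives the 40%
    share; the other side receives the remainder, so both parts always sum to
    the original and no fractional satoshi ever exists."""
    part40 = sat * 40 // 100
    return part40, sat - part40


def format_btc(sat: int) -> str:
    """Render a satoshi count as a BTC string with exactly eight decimals."""
    whole, frac = divmod(sat, SATOSHI_PER_BTC)
    return f"{whole}.{frac:08d}"


if __name__ == "__main__":
    # Constructed sample: ten deposits of 0.1 BTC each.
    deposits = ["0.1"] * 10
    print("integer satoshi:", satoshi_total(deposits))   # 100000000
    print("float sum      :", float_total(deposits))     # not exactly 1.0
    print("split          :", split_40_60(to_satoshi("0.00012345")))
```

Any fee, split or conversion rate applied to these amounts gets the same treatment: multiply integers, divide once with `//`, and decide explicitly who receives the remainder, rather than letting a double carry the value between steps.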
32-bit architecture limits your pointer size, not the values you can store. There's nothing that prevents you from using 64-bit long integers there, it will only take a bit longer than native size on arithmetical operations. (since they will be a series of ops on 32b chunks)
* People who know how to properly write code, don't mess with bitcoin because they understand the involved complexity and high risk of error since money is at stake
* People who don't give a damn about the complexity and are prone to risk, but lack the technical skill to support their ventures (MtGox was 50% of the time not scaling well enough. The website was slow even when not under DDOS).
What MtGox shows, IMHO, is that there's a market out there for serious, professional-grade bitcoin exchangers.
My guess is any passport scans would just be any recent web uploads made by users trying to verify their accounts and thus copied off the web server filesystem, not their customer database. Once verified these documents would be moved somewhere else, one would hope.
In any case, regardless of what was found or how, it's completely inexcusable that such sensitive data isn't encrypted asymmetrically the moment they receive it.
It was part of the account creation process to verify your identity. You had to send in a government-issued ID and proof of address. I believe I sent in a copy of my driver's license and a cable bill but passport was also an option. I wouldn't be surprised if they have access to all the data that was collected for KYC purposes.
Edit: I misread the original post and thought they were scans of employee passports. Apparently a personal verification option was a scan of a passport.
I still have no clue why this kind of information would be kept on a public-facing server.
It's reaching a bit, but they may be scans of passports for foreign employees who need to be registered with proof of identity but do not (for whatever reason) have a form of identity that the Japanese government considers "official."