Mt. Gox Has Been Hacked by People Trying to Find Out What Happened? (dzoba.com)
263 points by zoba on March 3, 2014 | 146 comments

I'm fluent in Japanese. I listened to the beginning of the recording and it's legit. One of the voices is almost certainly Mark Karpeles' (based on hearing his voice in his recent public apology -- his Japanese is broken but reasonably proficient). It seems to be a recording of a Jan 30 2014 meeting where bankers from Mizuho Bank are asking Karpeles various questions about Bitcoin, the nature of his business, his partnerships in different countries, connections to underground activity, etc. Definitely not something that's meant to be publicly released.

EDIT: Listening to snippets from the rest of the recording, it seems that Mizuho is explaining that they want to cancel Mt Gox's accounts with the bank. Karpeles seems to be protesting and asking why the accounts are being shut down. The guy from Mizuho explains (at 28:00 for Japanese speakers out there) that it's a combination of a lot of factors, including recent technical issues, which make the bank uncomfortable dealing with Mt Gox. Karpeles also mentions following the orders of the Financial Services Agency (金融庁)

EDIT2: 15:00~16:10: Mizuho guy explains that the Mt Gox bank accounts will have to be shut down eventually. Karpeles says that he understands that position, but he thinks that the bank has been rude about trying to force the closure, and would appreciate a more cooperative approach.

EDIT3: 18:00~19:00: An awkward discussion of Karpeles' Japanese. The Mizuho person seems to be offended by Karpeles' rude Japanese, which frequently lacks the correct honorifics that would be expected in a business setting. A woman (I think she's on the Gox team?) explains that Karpeles' first language is French and that he means no offense.

I can work on a fuller description of the call, but just wanted to get a quick verification of its authenticity out there, along with some snippets of the contents.

Please consider typing out a full English translation. If you post your bitcoin address here, then I'm sure plenty of people here will pay you some coin for your effort.

There are additional comments about this call in this reddit thread...


Karpeles making mistakes with honorifics? That's odd, even though it would be incorrect, surely he could just -san suffix everyone and be done with it?

Japanese honorifics extend tremendously beyond name suffixes.

There is a reason that speaking Japanese correctly is a highly valuable skill. For me personally, though, the amount of "communication rites" in Japanese business interactions is enough to be scared away.

On the other hand, I'd say that the bank person has enough reasons besides the honorifics to be really angry at the guy. The info posted indicates that they want to get rid of him and given that they cite technical difficulties, it might well be possible that their tech team already suspected the "non-banking-grade" software quality we are now hearing about.

I'm digging further off-topic, but anyway: as a non-Japanese speaker and someone who spontaneously thinks in terms of optimization, I'm amazed by the seemingly gratuitously complicated rules of politeness in that language.

Does it require concentration for a native to avoid faux-pas in a discussion? Can it become much more difficult depending on your social origins (i.e. how effective is it as a social discriminant)? I'm wondering how much time and thought is typically spent on those matters, to the detriment of actually thinking and communicating information.

(I guess this post is extremely rude from a Japanese PoV, but I'd genuinely like to understand all this better, and I'm sure typical HN readers can understand this approach)

Although the rules are complicated, I lived in Japan for awhile, and almost no one Japanese would be offended by a foreigner getting it only mostly right. This is not terribly hard. It suffices for foreigners to observe the basics.

As explained below, Karpeles referred to himself as "ore". "Ore" is mostly used by men, and carries a boastful tone. Moreover, pronouns aren't necessary to make grammatical sentences, e.g. "I went to the bank" = "Ginko ni ikimashita" = "[Bank] [to] [did go]".

The only function of the word "ore" is to emphasize your own high status relative to whomever you're speaking to. In a bar, after a couple of drinks, among equals, it's quite typical for all the men (usually not women) to use "ore". But in a formal business meeting --- this is known to be an absolute no-no by anyone who has formally learned even a small amount of Japanese.

A fairly close analogy in English would be to randomly sprinkle the word "fuck" in your speech.

> A fairly close analogy in English would be to randomly sprinkle the word "fuck" in your speech.

I was once speaking to a good friend of mine here, in English.

"Do you want to go out for yakitori?"

"Go fuck yourself!"

"... *switches to Japanese* Have I recently done anything very major to offend you?"

"No, of course not."

"Oh, OK, I was worried. So that phrase, that's something you would only say under extreme distress when you had maximal desire to offend me, or I suppose you could use it jokingly between friends, but neither you nor I generally talk that way."

"I learned it from a movie. I thought it meant "No.""

"You might want to not repeat it ever again."

Haha! This is great.

Along the same lines, I was getting a shave from a super hospitable barber last November in Gifu and the topic of conversation in very broken English (from him) and correspondingly broken Japanese (from me) was basically whether I had seen all of his favorite American movies. We were chatting and laughing quite a lot. When the time came for him to shave around the Adam's apple, he pointed right at my face and said: "You! Shut up!" It was so funny: He had obviously picked that up from a movie, but it took everything in me not to feel a little hurt, even though I knew he didn't mean to say what he said with that sort of edge. I can only imagine how many times I've done something similar in reverse. :-)

For those who don't know, _Coming to America_ starring Eddie Murphy:


(Disclaimer: I don’t know anything about Japanese.)

Complicated grammar in general generally comes from historical traces: there often is a literature associated to it, nuances that express best the ambiguities of life and what you might want to hide from. Case in point: relationship statuses, and the many ways to say ‘mmh friend’.

When associated to people via honorifics, these are things people care deeply about, both because they came at what seem a cost (PhDs are hard, promotions longed for, and Noblesse Oblige) and, after being repeated every time one was addressed to, became a core part of your identity. The fact that they are flattering makes it even more crucial. Think of parents who insist on being called ‘Mum’ and ‘Dad’: of course you know what their first names are, but using them can be seen as a lack of love, or respect for their authority, or consideration for the spectacular sacrifice they made. It remains hard to explain why on the spot: it just hurts, and comes off as defiant.

There is finally (and that is certainly true in Japanese high society) an attachment to class & country, a way to protect what was once precious and unique and impregnable. That actually takes the form of genuine and sincere preference for the formal and appropriate: I would be offended if someone told ‘I love opera, it's so-o fricking cool!’ Yes, it is, and I consider the Opera to be a very buoyant and accessible art form, like Hollywood; but it still comes with a decorum that became part of my enjoyment of it.

Japanese, especially business people, are confronted to foreigners enough to understand that doesn't come naturally. Karpeles however does more than ignore that: even in French (probably the second most culture riddled with grammatical antique quirks -- and I'd know, I am French and love those) he comes off as defiant, disrespectful, and likely to have willingly committed what some accuse him of. That’s not ignorance from his part, but open lack of respect for institutions. Those could be modernised and improved, but they still serve a purpose. Like anyone who's worked at university, I don’t call ‘doctor’ anyone with a PhD, but I still think it’s the most compelling experience someone can go through and I’d understand if, like in Italy and Germany, that remains part of everyday interactions.

I don't know about honorifics, but he was using "ore," according to Reddit. If he wrote the letter on the front page of Mt Gox, there are some weird/offputting polite language mistakes, too.

(I can't listen to the recording right now and wouldn't get much out of it even if I could, since I can't hear well enough. :-/)

For those (like me) who don't know anything about Japanese, referring to yourself as "ore" seems to be inappropriate and likely unintended by Mark.

> Frequently used by men. It can be seen as rude depending on the context. Establishes a sense of masculinity. Emphasizes one's own status when used with peers and with those who are younger or who have less status. Among close friends or family, its use is a sign of familiarity rather than of masculinity or of superiority. It was used by both genders until the late Edo period and still is in some dialects.


Yes, he was saying "ore", which is an incredibly rude and amateur mistake. In English, that would be like entering an important business meeting with a bank and saying, "Yo dude, wassup?"

That isn't how you do it?

Depends on whether I can make sense of the *nix joke on the banker’s t-shirt, or if I can tell how many months of salary his tie is worth.

I thought it depends on how many zeroes you have at the end of your (positive) account balance with the bank.

Are you sure he was saying "ore"? Given the fact that his grammar is otherwise pretty tight, I wouldn't be surprised if he were instead using "ware".

Grammar & honorifics/formality are two separate subjects. I'm not fluent in Japanese by any stretch of the imagination, but I know the basics of grammar while I know basically nothing about formal speech/informal speech.

I usually hear 'ore' from people who learned their Japanese by watching shonen anime. Even outside of a business meeting, in normal conversation, it would be offensive to most people I think.

It's not offensive, it's just not right for business. Outside of work, men use ore (tough and manly) or boku (boyish and charming) in regular conversation. Some of my co-workers even use ore at the office if they're making a joke or something.

What would be the correct pronoun for a business setting? My knowledge of the language is rudimentary at best (several semesters in High School); we only really learned watashi/atashi/boku (and were reprimanded if we used the wrong pronoun for our own gender).

In doubt use watashi, it's hard to go wrong with it. The more formal watakushi is also good but you need the keigo to match, and there is such a thing as excessive politeness, even in Japanese.

What does the use of 'ore' imply and what makes it rude? Is it a snobby way of referring to yourself?

I've never heard the word before this thread but I'm inclined to think it's a bit like "lads" in British English.

It's really... boastful. Cocky. Self-important. He's using it in sentences where he could just as easily get away without using any pronoun at all.

The closest thing I could think would be to conduct a business meeting in which you only describe your actions and refer to yourself in the third person, and then only as "Big Mark".

"Big Mark understands your position but thinks you're being a bit rude about all of this. Big Mark thinks we should cooperate more" etc, etc

It's not snobbish, it's cocky/boastful. "I'm hot shit" sort of way.

Why is it that way? I don't know the history, but the short answer is, because that's the way it is used.

Using 俺 (ore) sounds extremely arrogant, it's also a very amateur mistake to make (or maybe it was even deliberate). It's definitely not suitable for a business sense as it either conveys superiority or familiarity.

Awesome, thank you for this.

Thanks for that.

Wow, that's a lot of my personal data leaked in these last months. My email and encrypted password in the Adobe breach, my user id and part of my mobile number via SnapChat, and now hackers potentially have scans of my passport courtesy of Mt. Gox.

I'm probably forgetting about some leaks, and who knows how many security breaches were never discovered. The internet is not a safe place.

I'm still getting almost daily phishing/malware from the Mt Gox leak in 2011, and I never even signed up for anything more than to see what its interface was like. Can't imagine how that will be with people having copies of passports (supposedly).

My spam folder is also full of, well, spam addressed to the email address I supplied to Dropbox (and only Dropbox) when I first signed up there sometime in 2011 and later leaked (I think 2012).

Sometimes I wish data privacy laws were stricter, but it appears that not even financial services laws are sufficiently strict, as just demonstrated here.

Please contact Dropbox support about this. My vendor-tagged address leaked on or before 3 Feb 2014, as that's when I got the first spam. I'm currently in the middle of persuading them that they have a security issue, and more people expressing the problem would be helpful.

The spam to mine goes back to at least March 2013 (yeah, I like to keep spam, makes it easier to train filters later on…), possibly earlier, so I don’t think that it is a recent leak.

I have stopped using Dropbox shortly after receiving the first such spam email, so I cannot comment on more recent leaks.

Pretty much what mine is too, a pile of spam from various compromised services I should have done better than to trust. Mt Gox, Dropbox, Bitstamp (yeah, they never made a big mention of that one) and a variety of other small services.

> Sometimes I wish data privacy laws were stricter

I think the laws and awareness are good enough atm, but no laws and probably no amount of knowledge or auditing will stop a data leak from inadvertently occurring.

It happens relatively rarely that a large multinational food company poisons half its customers (or so I like to think), hence I would assume that laws and proper auditing can stop such problems.

In summary I have spent at least five to ten minutes (and likely more) on spam brought to me by Dropbox without any compensation. How about a fixed payout of, say, 100€ per leaked detail (username, password, email etc.), payable immediately to each customer? At least companies with bad security would be out-of-business soon.

For those wondering, I finally got an explanation from them. It turns out they had a leak in 2012:


It's surprising to me that my email address took 2 years to be used, but who knows.

Just a few years back I thought my biggest security risk was myself. In retrospect, this seems horrifically naive: The services I use outnumber me so vastly that the 10 or so breaches that I'm aware of, merely counting the services that I use, seems astoundingly low.

Be aware that they also have a different attack surface, and are likely more notorious/interesting than you as a single person. While I agree that keeping control over your own security is a good thing, the comparison you're making is dangerously biased.

I feel for you bud. I'm a UMD grad (SSN) who shopped at Target in December (CC).

sorry dude..fellow terp here...I never got IDs from the affected campuses and I have had a security freeze on my credit report for a number of years now. hopefully that protects me ):

I signed up for Mint.com once. I liked the concept in theory. But then after an hour of using it, I realized just how incredibly stupid it is giving a third party total access to all your bank accounts. Then I immediately went and changed the passwords on all my bank accounts.

For most large banks it's read only access through purpose built scraping APIs. Mint won't be stealing your funds. Generally this is due to regulation of the financial information space.

But you still have to give them your regular (read/write) credentials.

Was just thinking about the implications of my DL scan being out on the net and potential attempts at identity theft. Excluding market risks, my money is now safer in a properly generated cold bitcoin wallet than it is in my bank account.

So this is actually good news?

And that's just the leaks you know about.

In case my server goes, here is the text:

Right now in ##mtgox-chat someone named nanashi____ claims to be speaking for a group of hackers who have gotten into Mt Gox in an attempt to figure out what happened. Nanashi says they have a DB dump and are looking at what to do with it. Nanashi gave these links:

A conversation in Japanese with Karpeles and a Banker (http://picosong.com/Y7di/)

Some Mt Gox Code (http://pastebin.com/W8B3CGiN)

Nanashi also posted personal information on those employed by Mt Gox including phone numbers and addresses. Nanashi says the group plans on releasing more info. Nanashi also said the group plans on not releasing the huge store of passport scans they found… Hopefully this group has the public’s best interests at heart.

In case anyone's wondering, "nanashi" means "anonymous" in Japanese.

it could also refer to the number 74, so maybe mr or ms anonymous is ~40yo right now ?

Nope, it's 名無し nanashi, the standard way of saying "Mr/Ms Anonymous" on Japanese forums like 2ch.

They have passport scans?

I'm impressed by how hard MtGox is fucking up.

Also, we now see that the Wild West metaphor for Bitcoin banking carries quite far. If you fuck up in the wilderness, you'll not only be sorry, but you'll also be ripped apart by the wolves!

Maybe this can serve as a warning that the tedious processes used by banks and other institutions handling "serious" money can't just be disrupted away.

This is why I have had to stop using a number of services which requested a photocopy of official government documentation. I am specifically thinking of how I had to dump my Dwolla account.

Don't worry. Your documents will be there forever.

I am sure it said that they will 'dispose' of the scans after 2 weeks. Looks like they fucked up again!

On the interwebs 'temporary' is forever.

Yeah, that is really something. To think that people actually supplied that info. Wow.

I didn't, I signed up to an account and stopped at this point because unlike a financial institution they are not governed by laws that require this or would ensure the security of such data.

But I totally understand why people did supply it.

They supplied it because:

1) They've been trained to

2) For a while MtGox was actually the most well-known (and therefore trusted) of the exchanges

On #1, every financial institution in the world goes through some form of KYC (Know Your Customer) anti-laundering process that involves identity verification. And people are so used to doing this when signing up to financial accounts that they failed to comprehend that MtGox (and other exchanges) is not a financial institution being regulated by the same safeguards for their data.

On #2, even if you accepted that they were not a financial institution almost all of the bitcoin exchanges are asking for verification. And the larger more well-known exchanges are viewed as "least risky". It's a herd-like mentality, if these thousands of others did it, it must be safe.

I never supplied the info, to this or other exchanges, but I totally see why excited people who feared missing out as the price rose were willing to do so.

I signed up before they had ID verification about two years ago, and deposited a little money. Then a few months later I'd had my fun and I wanted to take my money back, but discovered they wouldn't let me withdraw unless I provided ID.

After some back and forth with them I somewhat angrily provided ID and got my money returned. It later turned out that they had either been dishonest or incompetent in their argument for providing ID, and I got them to promise me that they had deleted any and all ID docs I sent them, specifically because of scenarios like this one.

Well, I hope they were telling the truth.

That is a rather charitable way of looking at this situation. Which is to be commended, I wish I was still capable of thinking that way.

Money laundering legislation in Japan may well apply to them.

Thanks, zoba.

Here is the link you added to the IRC transcript:


"Nanashi" (Japanese: Anonymous) claims to be in Serbia, but posting on behalf of a Russian group.

The code is ... interesting. Smells organic, not designed. Comments are rare but usually useful. Highly coupled. Static methods everywhere. Violates SOLID principles. Basically, ignores current best practices.

Clearly not designed for any sort of automated testing, which should be the first damn thing you do when there's any sort of money involved. Hell, even when there isn't money involved.

We'd already guessed that last bit, given the previous mentions of them having no testing/staging/QA environment.

Way too much schadenfreude given Gox's history.

Although contrary to popular belief Gox was never a Magic exchange, they were a Bitcoin startup at a time when Bitcoin was not much more than internet lols and pizza deliveries. The first thing you do when hacking together a stupid exchange for a joke e-currency isn't writing unit tests. You just write the code and blast it up on a domain you had lying around for a different project.

Cue runaway success, a company sale or two, scaling issues with complicated technology and not much precedent legal or otherwise, and this is what you get.

There is nothing at all surprising about this code. And it seems Gox's problems were much more deeply rooted than the subjective non-compliance of their code with "best practices".

> contrary to popular belief Gox was never a Magic exchange

The Wayback Machine disagrees.


Whether it was open as one is unclear, but that was the obvious intent here.

Also, remember that the current owners aren't the original owners. This code is wrong in design but new in attempted style, made or majorly updated within the past year or two (based on the language features used).

My understanding is that while the domain was originally purchased for a MtG exchange, it was never used for this purpose. I've yet to see proof that a MtG exchange has existed on mtgox.com

> The first thing you do when hacking together a stupid exchange for a joke e-currency isn't writing unit tests.

As soon as you write anything where a bug causes money to change hands, even on a laugh, you write some tests.

No kidding, I would be so freaked out not writing tests the second money is involved. I just don't understand why he didn't bother to hire some help when things got bigger.

That's the part I don't understand – I'd be scared witless at the thought of not having tests for anything moving money out of my accounts. When you have millions in those accounts, even a really expensive developer is cheap insurance…

While it may have not been a MTG card trading site, Karpeles was involved in running MMO servers based around Ragnarok Online before running an exchange. His involvement carried through during MTGox's existence until maybe a year or two ago.

If Mt Gox was ever a MTG card trading site, it would have been before Mark purchased it from Jed McCaleb.

McCaleb has said by email that MtGox was at least at some point used for trading or buying cards.

> schadenfreude

Epicaricacy. because you're speaking english.

I'd be less concerned about code quality and technical best practices and more interested in knowing if Mt Gox had any internal notion of preventing common stock market manipulation tricks such as wash trades and chandelier bidding. I bet a lot of bitcoin startups don't know what those terms mean and thereby shouldn't be operating a finance exchange.

Why would you want to stop that? It's like trying to stop kissing your fist before you roll the dice, because other players might be afraid that you are doing magic.

All the rules of traditional stock market are designed to prevent scaring of gamers so they won't leave casino. Bitcoin doesn't care about faint hearted gamers.

Yes, it doesn't look very pretty. It's relatively recent code though, making plenty use of PHP 5.3+ constructs, so you can't even blame it on legacy code.

I've written uglier code. But I didn't write it in places where I had highly motivated adversaries trying to break it with the result that many people's life savings would be irrevocably lost if I had a bug.

no shit, magic the gathering exchange is not coded like paypal.

One class to rule them all.

How is the exception handling? For instance, if something goes wrong when generating a new private key, could they still attempt the transaction but with a null key? (cf the earlier bug that lost 2609 bitcoins.)

Unfortunately I don't know enough about the bitcoin innards to give you an informative answer, and the answer isn't clear from a plain reading of the code.

The leaked code seems to just be an internal API for twiddling wallets. There doesn't seem to be any logic here for either the txid conflict retry bits or the hot/cold transfer bits.

Thanks for the reply. If you look at each method that can return failure, and then look at the code that calls these methods, do the callers check for failure or just keep going with the transaction? (This would both indicate the quality of the code and show a path that could generate bad transactions.)

There are a few (9?) places where "getNullAddr" is called. I assume this would return what was earlier called a "null key." It returns the requested information, except when the new address could not be inserted into the database, in which case it returns false. Less than half of the calls have any failure checking, and a few of those return false as well, and who knows if the things that call those functions have any error checking...

Consider not taking advantage of the illegal compromise of someone else's servers, even if you are very interested in the contents of their purloined data. You'd hate it if it happened to your startup, and odds are your startup has plenty of ways to get into equally private data. If nothing else, consider it your moral down payment on being able to criticize the NSA ever again.

Who are you talking to exactly? The hackers? I doubt they care. HN readers? How are we taking advantage of anything exactly?

The thing with NSA is not about privacy. It's about government violating it en masse in vastly useless and potentially malicious even Orwellian schemes.

I don't mind hackers doing what they must because they can. I consider them force for good when they get into rich and powerful people's drawers and publish things. It's a reminder that no matter how rich you are and how many laws you have bought you are never outside of public scrutiny.

Except that MtGox is known to with very high probability have been acting criminally dishonestly and there is a strong public interest in helping people determine what happened and recover what could potentially be up to 200000 of their own bitcoins. That pretty much passes all the standard tests for an involuntary violation of privacy; this is NOT a case of hurting an innocent startup.

That sounds like an excellent reason for a judge in Tokyo to issue a subpoena. It does not sound like an excellent reason for the Internet to vicariously participate as a group of Russian hackers roots their boxes.

Thought I'll quickly scan the source code... On the first screen:

    $bean->Coins = (int)round($info['balance'] * 100000000);

Really? Currency as a float and rounding? Just so that he can later:

    $client->sendToAddress($addr, $bean->Coins / 100000000);

I'm ready to believe in any error "due to a bug" they claim now.

The code may be buggy but it is actually quite clean...more than I can say for most code (my own included)...at least it is actually readable :)

This code is not "quite clean." The only thing it has going for it is mostly decent naming. This is some of the most tightly coupled code I've seen written this _century_. This is the kind of code that gives PHP a bad rap.


Can you explain what's wrong with this? If I had 1 million in $info[ 'balance' ]? Would $bean->Coins overflow?

If this is 32-bit PHP, any amount above 21 bitcoins will overflow the integer range (2^31) and will be converted to float. That's bad.

If this is 64-bit PHP, any realistic bitcoin amount multiplied by 100000000 would still be within the integer range (2^63 - 1) and can be passed around without any loss of precision ...

... unless $info['balance'] has anything below the decimal point. As soon as you're dealing with fractional bitcoins, the amount will be converted to a float before it is multiplied by 100000000 and then back to an integer. So even in 64-bit PHP, the code can't avoid passing bitcoins around as a floating point number.

Realistically it is extremely unlikely in 64-bit PHP that the loss of precision caused by this single line of code (and the subsequent casting back into float) will ever round up to a satoshi. The (int)round() just makes sure that you get an integer rather than a double-precision float, because PHP loves to turn your values into other types behind your back. Nonetheless, if the program keeps casting numbers between int and float all over the place, eventually it may begin to lose a satoshi here and there. At the scale of Mt Gox, the errors will definitely add up. That's why you should never touch a float with a ten foot pole if you're dealing with money.

The correct way to handle monetary amounts in PHP is to use the bcmath extension, which enables arbitrary precision.
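An added example, not part of the thread and not Mt. Gox's code, of the approach this comment recommends: amounts are parsed from decimal strings into integer satoshi strings and only ever touched through bcmath. The function names and sample amounts are constructed for illustration, and the bcmath extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Added illustration; not Mt. Gox code. All function names are hypothetical.
// Requires the bcmath extension. Amounts are constructed sample values.

const SATOSHI_PER_BTC = '100000000';        // 1 BTC = 10^8 satoshi
const MAX_SATOSHI     = '2100000000000000'; // 21 million BTC, in satoshi

/** Parse a decimal BTC string into an integer satoshi string, never via float. */
function btcToSatoshi(string $btc): string
{
    // Plain decimal only: no sign, no exponent, at most 8 fractional digits.
    if (!preg_match('/^\d{1,8}(\.\d{1,8})?\z/', $btc)) {
        throw new InvalidArgumentException("not a valid BTC amount: {$btc}");
    }
    $sat = bcmul($btc, SATOSHI_PER_BTC, 0);
    if (bccomp($sat, MAX_SATOSHI, 0) > 0) {
        throw new RangeException("amount exceeds the 21M BTC cap: {$btc}");
    }
    return $sat;
}

/** Format an integer satoshi string as BTC with 8 decimals, for display only. */
function satoshiToBtc(string $sat): string
{
    return bcdiv($sat, SATOSHI_PER_BTC, 8);
}

/** True if the satoshi amount fits this build's native int without overflow. */
function fitsNativeInt(string $sat): bool
{
    return bccomp($sat, (string) PHP_INT_MAX, 0) <= 0;
}

/**
 * Split an amount by percentage (e.g. 40/60) without losing a satoshi:
 * the first part is truncated, the second part is whatever remains.
 */
function splitSatoshi(string $sat, int $percent): array
{
    if ($percent < 0 || $percent > 100) {
        throw new RangeException('percent must be between 0 and 100');
    }
    $first = bcdiv(bcmul($sat, (string) $percent, 0), '100', 0);
    return [$first, bcsub($sat, $first, 0)];
}

// --- demonstration ---

// 1. Ten deposits of 0.1 BTC: float accumulation vs. satoshi strings.
$float = 0.0;
$sat   = '0';
for ($i = 0; $i < 10; $i++) {
    $float += 0.1;
    $sat = bcadd($sat, btcToSatoshi('0.1'), 0);
}
printf("float sum equals 1.0:   %s\n", var_export($float === 1.0, true));
printf("satoshi sum equals 1.0: %s\n", var_export($sat === btcToSatoshi('1'), true));

// 2. Native-int ceiling. The result depends on the build:
//    PHP_INT_MAX is 2^31-1 on 32-bit PHP and 2^63-1 on 64-bit PHP.
foreach (['21.47483647', '21.47483648', '1000000'] as $btc) {
    printf("%s BTC fits native int: %s\n", $btc,
        var_export(fitsNativeInt(btcToSatoshi($btc)), true));
}

// 3. A 40/60 split of an odd amount still sums to the original.
[$a, $b] = splitSatoshi(btcToSatoshi('0.00000003'), 40);
printf("split: %s + %s = %s satoshi (%s BTC)\n", $a, $b, bcadd($a, $b, 0),
    satoshiToBtc(bcadd($a, $b, 0)));

// 4. Malformed or out-of-range input is rejected rather than coerced.
foreach (['1e-8', '-1', '0.123456789', '21000001'] as $bad) {
    try {
        btcToSatoshi($bad);
        echo "accepted {$bad}\n";
    } catch (InvalidArgumentException | RangeException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```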

I hate it when types get coerced behind my back.

You never want to put currency in a float because floats cannot accurately represent most base 10 rational numbers.

A full explanation can be found here: http://stackoverflow.com/questions/3730019/why-not-use-doubl...

Using floats to represent currency is a big no-no. Floats have limited precision, and some numbers aren't representable by floats. Go try adding 0.1 to itself over and over again in your favorite implementation.

It is better to represent as integers or fixed-precision numbers. That way, you are dealing with exact quantities.

As an example in Ruby (2.1.1):

    x = 0.1                 #=> 0.1
    10.times { x += 0.1 }   #=> 10
    x                       #=> 1.0999999999999999

> some numbers aren't representable by floats

an infinite number of them in fact

Turing proved there's an uncountable set of numbers that cannot even be computed let alone represented

Works in Racket (and should in other Schemes):

    -> (for/sum ([_ (in-range 10)]) (/ 1 10))

Yeah, I know, I'm cheating - `(/ 1 10)` returns a rational? which is not flonum?. Using `0.1` makes it inexact like it should be:

    -> (for/sum ([_ (in-range 10)]) 0.1)

That's why I like lisp:

    (/ 10 17)
      => 10/17
    (+ (/ 10 17) (/ 4 9))
      => 158/153

Could make all the same arguments against integers:

- Limited precision,
- Some numbers aren't representable,
- Go try adding 1 to itself over and over again.

That said, yes, floats are a bad idea for financial arithmetic.

You can make the same arguments against integers, but you'd need to be willfully blind to the context of the discussion. There are no monetary quantities that can't be represented as integers. Using a scheme that can't represent 1/3 to record numbers for which 1/3 is an illegal value doesn't present any practical or theoretical problems.

My point was that the arguments presented were not the reasons that using floats to handle finance was a bad idea. Since, as I showed, they also applied to integers.

Sheesh, stop being so pedantic. Unlike computers, humans can infer extra meaning from the context around a sentence.

To me it seems like floats are being converted to int and then code is working with it. I don't think this will create an issue unless the int is overflowing. Any failing testcase?

It's even better to represent as binary coded decimal, Ulrich Drepper's opinions notwithstanding.

The main issue is operating on the value intended for display rather than the precise value you get. The floating point value may not be always what you expect. For example you cannot even represent 0.1 precisely. See http://stackoverflow.com/questions/3730019/why-not-use-doubl...

In practice that means you can't be sure if `1/1000000` is higher or lower than the value you expect it to be. (to be pedantic, yes you can, because it's well defined, but it can spoil your calculations) When you deal with money, you want the result to be always precise.

If Bitcoin has x point precision and I multiply every amount by 1e^x, won't that in essence give me the correct integer value to work with, provided I haven't overflowed the integer max?

Sure, you can prove that, then verify your language complies over the whole range, then add validation that your values never go over the range provided and no input outside of the range can be accepted and then figure out a way to guarantee none of that will change in the future.

(even controlling inputs/outputs is not enough, since internally they sometimes split the values into 40%/60% for transfers)

Or you just stick to ints (or whatever type has unlimited integer range in a given language). Simple solution here is safer than the clever one. Especially if you're sometimes confused about the types and write `round(mt_rand($amount * 0.4, $amount * 0.6))` even though mt_rand returns ints.

So if one of us were to create something dealing with BTC we should just store the data as the smallest discrete amount (satoshis) and then run calculations on that to display info to the user?

Sure - is there a reason not to? That's similar to what you should be doing with dates too - store as UTC at the highest precision you'll need and present in local timezone/format.

Only one I can think of is 32 bit architectures, but those are phasing out pretty fast. I wasn't being incendiary at all with my comment - just a general question from a novice software engineer.

A 32-bit architecture limits your pointer size, not the values you can store. There's nothing that prevents you from using 64-bit long integers there; it will only take a bit longer than native size on arithmetical operations (since they will be a series of ops on 32b chunks).
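The approach the comments above converge on (store integer satoshis, convert only at parse and display time, and split so the parts always sum to the total), as an added example that is not from the thread or from any Mt. Gox code. The function names and the strict 8-decimal input rule are assumptions of this example, and the sample amounts are constructed.

```python
import re

SATOSHI_PER_BTC = 100_000_000                # 1 BTC = 10^8 satoshis
MAX_SATOSHI = 21_000_000 * SATOSHI_PER_BTC   # supply cap; well inside a signed 64-bit range
# Assumed input rule: plain decimal, ASCII digits, at most 8 fractional digits.
_AMOUNT_RE = re.compile(r"([0-9]{1,8})(?:\.([0-9]{1,8}))?")


def parse_btc(text):
    """Convert a decimal BTC string to integer satoshis without using floats."""
    m = _AMOUNT_RE.fullmatch(text)
    if m is None:
        raise ValueError("expected a decimal with at most 8 fractional digits: %r" % (text,))
    whole, frac = m.group(1), m.group(2) or ""
    satoshi = int(whole) * SATOSHI_PER_BTC + int(frac.ljust(8, "0"))
    if satoshi > MAX_SATOSHI:
        raise ValueError("amount exceeds the 21,000,000 BTC supply cap")
    return satoshi


def format_btc(satoshi):
    """Render integer satoshis as a fixed 8-decimal BTC string for display."""
    if not isinstance(satoshi, int) or satoshi < 0:
        raise ValueError("satoshi amount must be a non-negative integer")
    whole, frac = divmod(satoshi, SATOSHI_PER_BTC)
    return "%d.%08d" % (whole, frac)


def split_amount(satoshi, percent):
    """Split into (percent share, remainder); the parts always sum to the input."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    first = satoshi * percent // 100
    return first, satoshi - first


def float_total(text, times):
    """The float version of the same sum, kept only to show the drift."""
    total = 0.0
    for _ in range(times):
        total += float(text)
    return total


if __name__ == "__main__":
    exact = sum(parse_btc("0.1") for _ in range(10))   # constructed sample input
    print(format_btc(exact), float_total("0.1", 10))
    print(split_amount(parse_btc("0.00000003"), 40))
```

Rejecting exponent notation, signs and a ninth decimal place at the parser means no rounding decision is ever made silently on user input.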

As a side note: 1e^x reads as the natural log base to the x power all times 1.

1ex or 10^x is what you probably want.

Why e was chosen to represent that may be due to 7-segment-only displays on (some) (early) calculators. I still think it was a bad choice because of this very issue.

Where is the source code?

> Nanashi also said they group plans on not releasing the huge store of passport scans they found… Hopefully this group has the public’s best interests at heart.

Good lord. Lose all your bitcoins AND your identity. Mt. Gox can't go away fast enough!

WTF is all that doing on a web-accessible server.

So what you have here is:

* People who know how to properly right code, don't mess with bitcoin because they understand the involved complexity and high risk of error since money is at stake

* People who don't give a damn about the complexity and are prone to risk, but lack the technical skill to support their ventures (MtGox was 50% of the time not scaling well enough. The website was slow even when not under DDOS).

What MtGox shows, IMHO, is that there's a market out there for serious, professional-grade bitcoin exchangers.

What we have here is one person who can't write write right.

The Reddit thread on this has a bunch of links to paste bins being posted....


Ok, some good news. It might be untrue about them having passport scans. Reason I say that, is the following:

We know from the leaked mtgox crisis plan doc that they have 550,000 verified accounts.

Each user who wanted to be verified had to scan at least 2 documents: a passport+license and an electric bill of sorts.

Assuming both documents alone were only 100KB combined (and it's likely way more than that since scans are usually 500KB+ per document), then we can estimate the file size:

550,000 x 100KB = 52.45GB

That's more than double the claimed 20GB.

In fact, even if we believe that every person's doc is in the DB, and assuming nothing else but passports is in there, you are only allowing for 20KB per document.

My guess is any passport scans would just be any recent web uploads made by users trying to verify their accounts and thus copied off the web server filesystem, not their customer database. Once verified these documents would be moved somewhere else, one would hope.

In any case, regardless of what was found or how, it's completely inexcusable that such sensitive data isn't encrypted asymmetrically the moment they receive it.

It is possible for them to extract the MRZ data of the passport (the Machine Readable Zone), it contains the passport ID, issuer state, DOB and DOE.

I don't know if the regulatory requirements state that you must keep a photocopy, but in case you do not it would be foolish to store more data than you need.

That may be possible, but they also accepted non-passport images, which don't necessarily have such information.

My impression was they were claiming to have passport scans and a 20GB DB dump, e.g. that they were separate?

They might very well have a "verified" column in their DB, and the scans archived or discarded.

Perhaps Gox lost two thirds of them. Or the hackers didn't download them all.

especially since they required passport scans in color and high resolution (at least 200 dpi).

so Gox were also leaking passport scans?

Reposting what I commented in the other thread since the post was deleted.


I just saw this also in ##mtgox-chat.

What legitimized this was the fact there was a portion where MtGox connected to Eligius's servers to broadcast free transactions.

Eligius and MtGox had a partnership where MtGox provided free hosting for their pool in return for their acceptance of MtGox's transactions with no charge.

Why do they have passport scan?

It was part of the account creation process to verify your identity. You had to send in a government-issued ID and proof of address. I believe I sent in a copy of my driver's license and a cable bill, but passport was also an option. I wouldn't be surprised if they have access to all the data that was collected for KYC purposes.

Edit: I misread the original post and thought they were scans of employee passports. Apparently a personal verification option was a scan of a passport.

I still have no clue why this kind of information would be kept on a public-facing server.

It's reaching a bit, but they may be scans of passports for foreign employees who need to be registered with proof of identity but do not (for whatever reason) have a form of identity that the Japanese government considers "official."

Identity verifications.

Probably customers send them to identify themselves.

This will be another excuse to not release any official specific information about what happened.

If true, this article provides an example why I will not feel comfortable scanning or emailing my license or passport online, without sufficient reassurances.

Like putting salt in the wound. Credibility shot. Abort mission.

Get the latest cryptocurrency news at www.cryptocurrencylive.com/newest
