* screenshot of the back office application
* OSX and Windows back office application binaries
* btc_xfer_report.csv containing every deposit and withdraw
* mtgox_balances containing the balances of all user wallets
* trades.zip containing monthly csv files of all trades within mtgox & coinlab between 2011-04 to 2013-11
* trades csvs have fields:
Trade_Id Date User_Id User User_Id_Hash
Japan Type Currency Bitcoins Money
Money_Fee Money_Fee_Rate Money_Fee_JPY
Bitcoin_Fee Bitcoin_Fee_JPY User_Country User_State
From this data you could reconstruct every trade within the site, and identify the address from transaction values.
This dataset could lead to loss of anonymity to a significant number of people in the cryptocurrency world.
If what you say is true and this data is sufficient to recreate and de-anonymize the trades on gox against withdrawals from their addresses, shouldn't we be able to see if coins were actually stolen through tx malleability?
My cousin had an account on there with 102 BTC, and bought it while the price was around $650. He has been having a hard time for the last few days, but after a trekking trip and being with him since the fiasco he seems to be coping fine. He is more worried about the driver's license copy he provided as verification. The database sure is leaked, and identity theft seems a real possibility. What are the safeguards that can be adopted now? Any help will be good.
Primarily, you need to straighten out your framework - "identity theft" isn't actually a real thing. It's a marketing term to scare people into thinking they share fault for institutions' trivially broken systems. In the event that a third party commits fraud using your cousin's non-secret driver's license number and your cousin suffers repercussions, the actual concepts you're looking for are libel and tortious interference committed by credit bureaus and banks.
What kind of stupid comment is this? "Identity theft" has caused people to be chased by collection agencies, to be prosecuted for or imprisoned for crimes they had nothing to do with, and credit ratings ruined.
Case in point: a copy of a guy's id card here was used when signing a lease for an apartment. The apartment was later found to contain a marihuana plantation. The public prosecutor claims the guy is the guy behind it all, and has him arrested several times until 2 years later, at trial, the judge decides 'well it can't have been this guy, given all the circumstances'. In the meantime, he lost his job over it, was so stressed and depressed that his relationship fell apart, and was in financial ruins.
He handed a copy of his id to a temp agency once before this thing happened. Probably somebody there copied it, or there was a break-in there and somebody took it. There was no way to hold them responsible, nor were the actual people who rented the house ever found.
The problem is that the term reverses the arrow of causality. It indicates that there is some specific "identity" that an individual possesses, and thus implies the individual has a responsibility to protect it from being "stolen".
> There was no way to hold them [the copier of his ID card] responsible
With the term "identity theft", one concludes that his damages come from being the victim of the copier, and that this crime was never solved. However, every harm that befell him was actually due to other parties that operate completely out in the open, but they manage to escape your blame!
> prosecuted for or imprisoned for crimes they had nothing to do with
The real crimes are the utter incompetence of the prosecutor and the extrajudicial punishment from merely being targeted by that system.
> people to be chased by collection agencies
The collection agencies are committing harassment and extortion, rooted in negligence.
> credit ratings ruined
Libel and tortious interference by the credit bureaus.
In all of these cases, the term "identity theft" primarily serves to obscure the root of the problem, which is the utter lack of diligence by creditors and the unearned importance given to the results of their sloppy process. The parties responsible for the above transgressions seek to pass the buck by glossing over their glaringly simplistic assumptions, because any actual fix would make their job much harder.
It is? It reads like a mix of truth and sophistry. If somebody frames you for murder, you may well blame the prosecution for being incompetent, but the main guilty party is certainly the one who planted the evidence in the first place.
Yes, the murderer is still guilty of murder, just like the fraudster is still guilty of fraud.
But this doesn't account for the additional damage caused by complete reliance on "evidence" that shouldn't even pass a sniff test. One would very much fault a prosecutor for continuing to press a murder case with the sole piece of evidence being a typewritten note saying "I, John Smith, committed this murder".
(If I understand the original argument) a better analogy would be being framed for murder while the guy who framed you cashed out a life insurance policy on you. You neither took out the policy nor benefited from it - yet the burden is on you, not those who paid out incorrectly, to prove your innocence.
The prosecutors aren't being blamed here (by OP), but those who profit by blind prosecution are.
I really don't know, besides just stating the truth and hoping people recognize it. I think the disconnect is ultimately due to a precession of the model - as a system gets taken for granted, people analyze things in terms of its paradigm and its failures become seen in terms of the system's abstractions rather than the underlying reality.
On the other hand, when I'd write comments like this five years ago, they'd generally get a net negative reception. So it seems like widespread belief in manifest human inventorying and tracking is hopefully wearing off.
A word is a word is a word - you can make it your pet peeve to redefine common terms to mean something that better fits your ideology, that still doesn't make it relevant to us here living in the real world. Whatever you call it, people impersonating themselves as other people are a real and tangible threat to those being impersonated.
You can go blame others and make grandiose accusations of 'incompetence', 'the system' ('holding us down' too, presumably rollseyes ), 'harassment', 'extortion', 'tortious interference' - that just shows you have no idea of the law, sociology, history or the realities of emerging behavior in human relations.
What is your point, exactly? Are you saying the problem will go away if only everybody except the criminals doing the identity theft would... I don't know, what exactly?
These are just common feel-good anti-intellectualisms about individual words and phrases I wrote, which ignore my actual points.
So I'll try to put it plainly:
Most of the problem will indeed go away if everybody, not just the criminals, stopped relying on the concept of "identity" as if it were infallible.
In your example, the negligent prosecutor is responsible for the sheer majority of harm to the victim, by failing to evaluate the quality of the evidence. By perpetuating the term "identity theft", you are giving that prosecutor a shield to hide behind instead of them having to change.
He's doing a shitty job of pointing out that "negligence on the part of financial institutions" has been re-branded by the industry as "identity theft" so they can transfer part or all of the liability to the customer, and even get you to pay to protect yourself from their negligence. If he'd spoken plainly and not tried to mimic one of a hundred libertarian web sites that rail on such things it probably would have been clearer.
The next Monday, when the fathers were all back at work, we kids were playing in a field. One kid says to me, “See that bird? What kind of bird is that?” I said, “I haven’t the slightest idea what kind of a bird it is.” He says, “It’s a brown-throated thrush. Your father doesn’t teach you anything!” But it was the opposite. He had already taught me: “See that bird?” he says. “It’s a Spencer’s warbler.” (I knew he didn’t know the real name.) “Well, in Italian, it’s a Chutto Lapittida. In Portuguese, it’s a Bom da Peida. In Chinese, it’s a Chung-long-tah, and in Japanese, it’s a Katano Tekeda. You can know the name of that bird in all the languages of the world, but when you’re finished, you’ll know absolutely nothing whatever about the bird. You’ll only know about humans in different places, and what they call the bird. So let’s look at the bird and see what it’s doing—that’s what counts.” (I learned very early the difference between knowing the name of something and knowing something.)
iamshs's cousin doesn't need to be straightened out on the NAME of his situation. He needs help on DEALING with it.
Except this situation is created by the information environment, in which names themselves are quite important. For your comment to be applicable, the credit system would have to be something that existed outside of human creation.
The term 'fraud' makes it clear that the situation involves the fraudster and the defrauded, and OP's cousin is not part of it. The term "identity theft" makes it sound like OP's cousin has had something taken from him and is therefore heavily involved.
"Identity theft" is a catch-all term describing fraud committed using this sort of information. It may not be as specific a term as you want it to be, but that's far from not being "actually a real thing".
> The point being that "identity theft" is typically used to shift responsibility to the individual from institutions.
That hasn't been the case for me. Each of the several times my data was taken and there was the possibility of identity theft, the company responsible ended up having to pay for various monitoring schemes.
And should that data have been used fraudulently, it would still have been the fault of whatever person took that data, not the institution that improperly handled it.
It's not that "my identity has been stolen". It's that financial institutions (and others) have established procedures for freely creating binding obligations in my name on the flimsiest of actual evidence. It's fraud, enabled by financial institutions' weak procedures.
It really is a terrible term though. I dislike it enough that I sent Al Franken a letter asking him not to use it during hearings (though given that I'm not in Minnesota it probably wasn't even a symbolic act).
I've no idea about recovering damages, but it's at least congruent with reality. No competent security analyst would ever declare that numbers openly printed on a card and freely submitted on forms and devices are authentication secrets.
Very well said. The main problem is the poor system in place and people's lack of ability to put constraints on their records.
Given the current state of affairs it is unforgivable that users can't activate higher levels of security for using their information. Given that the costs of the credit industry's practices are borne by people, it is not ok for people to have no say over how casually credit is handed out.
Here is more evidence. "Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data" on millions of Americans http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id... The casual disregard these companies have for what should be private information creates the pain for people.
Europe has much more protection for people versus data brokers (that create huge costs to people with their actions). I think Europe has a much more sensible view.
I agree with you. Even my friends know everything that is contained on the driver's license. Obtaining SSN can be a trivial thing too.
The thing is he wants to contain the damage because now there can be real repercussions. Even though the banks are liable, he still needs to be proactive.
The ground-floor safeguard-which-isn't-a-safeguard is subscribing to one of many credit monitoring sites so you know what's happening.
Your state will have information about what to do if your driver's license was lost or stolen (even though obviously he still has the physical license). Some states will have somewhere to report you may be the target of identity theft. You should see if you can replace your license.
Just because it's not posted publicly doesn't mean it won't be used by whatever parties have it. Given that this seems to be an American posting (comments about pizza and beer) and not the badly-typed Russian hacker earlier, it would appear that two parties at least have a copy of this information now (or alternatively got the information independently). You'd be a fool to assume this person is acting in good faith, they've exposed a hell of a lot of private data by posting this alone.
I signed up for a Mt. Gox account ~12 months ago and included my driver's license. I then cancelled the account a few weeks later after one of the many Mt. Gox incidents. A few months ago when the price skyrocketed to $1000 USD/BTC I reopened my account with Mt. Gox. They didn't require any further information from me, just a request to open the account.
I took from that that even when an account is cancelled/deleted, they still retained all user information including driver's licenses. Even if you deleted your Mt. Gox account before they went bust you may still be at risk.
I feel for you. He says the hardest part was breaking the news to family. Straight afterwards he drove down to me; he said hearing scorn every second was becoming overbearing for him. Cryptocurrency can be hard to explain in layman's terms.
They might very well be in possession of the 950k but have lost the private key to spend those funds. It looks like in recent days they regained control of 200k BTC, so perhaps they've recovered a key or two?
I sure wish they would make a statement soon because if it was in fact the case that they recovered a large portion of their BTC, that would go a long way to bolstering faith in BitCoin itself, whose brand they totally damaged by blaming transaction malleability in the first place.
The attack that they claim happened was due to a bug in their accounting software. The software sometimes wouldn't record that a transaction had finished, so that account's balance didn't go down. Nothing to do with losing keys.
Karpeles was trying to get investors to cover the losses after the bug was found. That's why he was hoping the losses would be temporary. But Mt Gox's business practices are so bad no one wanted to invest in them, so that's almost certainly not going to happen.
There is only one way the coins could be recovered: if the thieves are found with the stash intact. Just keep in mind that Karpeles might be the thief.
I wonder if the balances revealed are concretely tied to wallet data, or rather simply are entries in a database. If the latter (and from what they said it seems to indeed be the latter), doesn't really mean much / doesn't contradict Mark's words in itself. (cf. Mark's comment that 'technically speaking [bitcoins are] not "lost" just yet, just temporarily unavailable.')
They would just be balances, otherwise every trade in their engine would hammer the Bitcoin network with transactions. No sane person would do anything but have an external database with a fairly tenuous connection to the actual wallet balances.
That has some advantages, but also some disadvantages. It uses the original server as a "web seed", so even though it's a torrent, it's still putting a little strain on the web server for no good reason. Also with all those unnecessary trackers in there, it's long and awkward to copy-and-paste.
Remember, the "transaction malleability" attack would have siphoned money from their real wallet while not showing up in their accounting software. So having a balance in this file doesn't mean the wallet actually has BTC left.