[dupe] Mt. Gox leak rumor (pastebin.com)
70 points by yeukhon on March 9, 2014 | 31 comments


Before everybody gets all up in arms about how this says that they still had around 1 million BTC, remember that this lines up exactly with what Mt. Gox has been saying.

This is Mt. Gox's own accounting. It should report that they still have BTC. But these are just numbers from a database. What Gox has said is that while they thought that they still had BTC, while their systems (AKA this) still reported them having lots of BTC, the actual wallets had long since been emptied.

So really, this doesn't help anybody in any ways. It could still be a hack, or it could be Gox screwing with everybody, or it could be something else entirely. It really doesn't mean anything. Other that showing that Gox still can't secure anything to save their life.


Can someone explain how these guys managed to write their software in such a way that there was zero automatic verification that what their database said matched what was in the wallets, even just a cron job that ran once a week or something? I mean, I'm assuming there's a good reason, because I can't figure out how anyone could overlook something like that.


It's pretty easy to miss "basics of a good design" like a cron job when you are also missing actual basics like source control or any release process whatsoever [1]. I understand the Wired article to mean that for a while they were actually editing source code on production servers in some cases.

This really is a case of a company managing assets well in excess of the limitations of its experience or ability, literally a trading card company that found themselves operating as a bank.

The thing I don't know was whether their customers had adequate notice that mtgox was grossly incompetent. Smart people have told me they did, but at the same time, the list of services I use where I have personally bothered to check if they use source control and have a test environment is not very long.

[1] http://www.wired.com/wiredenterprise/2014/03/bitcoin-exchang...


> literally a trading card company that found themselves operating as a bank.

Karpeles did not buy a trading card company or even a former one. McCaleb did have a temporary Magic-related site at mtgox.com 4 years before he started the exchange, but literally the only thing the two shared in common was the domain name. I recently finished researching & clarifying the early history, if you are interested in the details: https://en.wikipedia.org/wiki/Mt._Gox#History


To be fair, even major financial firms and hedge funds have these types of problems. Lack of pre-trade risk controls and position checks (not too dissimilar to what happened with MtGox) contributed to the spectacular blow-up of Knight Capital a few years ago.


If the rumors are right, then Gox did not even have unit tests or a version control system. Go figure.

Bitcoin is squarely in the hands of amateurs - good ones like the dev team and bad ones like Karpeles et al.


Forget automatic verification, I'm extremely skeptical you wouldn't notice this just manually.


You'd be amazed by the large, boneheaded moves that even the smartest people make when they fail to think defensively. Any security holes, even when people see them, can be easily discounted by just 'eh, nobody will try to hack us'. I've seen that done in Fortune 500 companies whose main business is all about IP!

If you can't identify how likely you are to be hacked, and how much there is to lose if that happens, you'll make terrible security decisions, regardless of the engineering skills available.


If you have bitcoins in 'cold storage' (Gox supposedly had 99+% of their BTC that way) - i.e., the keys are physically offline and not accessible remotely in any way - then I don't see any easy ways of checking if all those coins are still valid.


> then I don't see any easy ways of checking if all those coins are still valid.

Every client holds a copy of the blockchain, that is the full transaction history of the bitcoin network.

Consequently it's not just easy to check the balance of a cold wallet, it is trivial.

Here's the balance and history for a SatoshiDice address:

https://blockchain.info/de/address/1dice8EMZmqKvrGE4Qc9bUFf9...


Couldn't they keep the addresses online for private keys which are offline, and look up the balance for each address on the blockchain?


"The keys" are the private component of a private key/public key pair. The public key can be shared with anyone / stored anywhere, and gives you the address, which makes checking one's balance trivial.


Okay, you can detect open thefts that way and Gox should've implemented that. But you still can't detect if you've lost control of the private keys - if you've split all your cold balance into many addresses of X BTC each, then you can remotely check if the addresses are still filled, however, if an [inside] attacker takes those keys and replaces them with garbage, then no auditor is going to know that the addresses aren't in your control anymore; the solution would probably be periodic (automatic?) proof-of-ownership tests on those balances.

In any case, securing BTC is hard and requires stricter controls and more discipline than securing general banking systems, as the nature of BTC makes it easier to get away with large amounts of funds. For example, you need a solid solution for multiple "write-only" offsite backups of 'cold keys' because otherwise you simply risk your assets being permanently destroyed due to a simple hardware failure, but if anyone in your company is able to singlehandedly recover & decrypt a single such backup then he can immediately abscond with all the money.


The full leak contains a back office administration tool used by Mt.Gox, and what looks to be complete trade logs up to and including November 2013. The leakers haven't included any personally identifiable information.

If it means anything, I've had a look for my trading activity and it's all there and completely correct.


They certainly have. The amounts withdrawn and deposited are enough to make solid connections between addresses on the blockchain. With this information it's possible to make a lot of associations between addresses you couldn't before knowing this information. From what I've read it gives the amount, account hash and the time, that's more than enough to uniquely identify them on the blockchain.


For people who had frequently reused publicly known addresses it's as good as putting their account name on the records.

I guess people didn't learn from the infamous AOL search data release.


You're right, I didn't think about the connection between exact BTC amounts and those being visible on the blockchain in plain sight.


It is possible that MtGox lost its money by dipping into deposits and pending cash withdrawals for its own use. Then, maybe some bad investments snowballed and they couldn't recover.

This seems more likely than someone hacking them and ripping off hundreds of millions of dollars worth of bitcoins without them noticing.

There is regulation that prevents this (most of the time) in banks, but in an unregulated exchange it would be easy (and stupid) to start gambling with customer deposits and pending withdrawals.

A few months ago I set up a MtGox account, and noticed the MtGox policy of taking weeks or months to wire the proceeds from a bitcoin sale. That seemed like a red flag, and made me wonder what they're doing with the cash between the bitcoin sale and the wire transfer. I'm glad I opted out of MtGox.


This is the same content posted to Karpeles' blog, already being discussed here: https://news.ycombinator.com/item?id=7369072


Ah thanks. Poster of this HN post here. I posted it on pastebin because the original content could be removed later and I thought saving it in a cache like pastebin was a good idea, so I didn't check whether the original link had been posted or not.


Yeah you were quite right, the info has now been removed from Mark's blog.


From a legal perspective for mtgox you really couldn't hope for better news, not only have their systems been tampered with but now there is undoubted proof.

Just paint yourself as the good guy amongst a scene of money launderers, hackers and drug dealers. This isn't proof of fraud, it's proof that people broke into their systems and tampered with them.


The attackers here broke in and stole a DB copy; they may not have been able to tamper (e.g.: they had access to a backup of the DB but not the running copy).

It's probably still a good part of a "we're incompetent not malicious!" defense, if that is how they decide to handle things.


I've loosely been following the MtGox fiasco, including previous hacking that revealed voice conversations, passport scans, etc. However, I don't quite understand the context or ramifications of this leak. Could someone give a brief description?

Much appreciated!


I took this away as a tl;dr

   Currency: BTC Balance: 951,116.21905382 <– That fat fuck has been lying!!


But in another part of the statement it says "We stole no bitcoins. There were none to steal.", which seems to contradict them having ~1 million BTC.


The balance may have been obtained from the logs, rather than from actual funds stored in the wallets.


It's a DB dump, so this is exactly what it is.

If they had the public keys to all Mt Gox's wallets they would be able to check them for funds, but there would still be questions about who controlled the wallets and if they had found them all, so it would still not be proof of fraud (but the more evidence collected, the more likely there will be something confirmable discovered).


It appears the hackers think it is a lie because all public statements I remember seeing and even the leaked "resurrection" plan talk about 0.7M BTC.

There has been talk of a Wally trading program which is said to have been run by Mt. Gox to profit from the price imbalances. If this is true then the 200k might be Wally's account, which would explain why Mt. Gox does not consider it real liabilities.


It means they had a security issue that let someone steal their database.

The DB shows they have lots of bitcoins and money available, but that doesn't mean anything because if they were hacked in the manner they described the DB would still show them as having bitcoins that they don't actually have.

This means the information presented matches multiple scenarios including the bitcoins were stolen by Gox, the bitcoins were stolen by hackers and the exchange is still operational and fully funded. It rules out a hack that involved someone removing coins in a way that updated the bitcoin balance in the DB (such as password theft) but there was never any speculation that such an attack had occurred so that isn't helpful.


It's correct; it has a 20 euro balance on an account I haven't used in 2 years and forgot about until this hoopla began.



