+ Mt. Gox commingled depositor and corporate funds. (Corroborated in the Japanese version of their docs released by the bankruptcy trustee.) Many in the community believed that they had promised not to do this (true) and that this was impressively unprincipled (I lean against this understanding).
+ Mt. Gox had standards of engineering professionalism which were not what one would hope would prevail at a financial institution with $500 million in assets. True and previously reported. Specific examples include lack of a staging environment, source control, testing procedure, engineering leadership, auditing... it goes on. Also might suggest in future not putting all code into MySQL.
+ At one point all BTC deposited at Gox were accessible by VNCing into a particular box, which suggests that claims that Gox had cold storage secured by keys kept in diverse physical locations were not consistent with conventional interpretations of engineering reality. (The new information here is "VNC." It was previously known that at one instant in time Gox proved its reserves by moving all its BTC in a single transaction. This could be done in a way consistent with what the community thinks "cold storage" should mean; the VNC bit militates against that understanding.)
+ Employees of Mt. Gox believed, on the basis of public evidence, that the firm was losing money even at the peak. (I'd be interested in seeing their math for this; that was not the conclusion I reached in a napkin calculation in mid-2013.)
+ Wages at Tibbanne (which provided 100% of employees for Gox) were consistent with prevailing wages in Tokyo startups, i.e., scandalously low. 50% of employees earned less than $2k per month; director-level salaries on the order of $4k, except for...
+ ... explicitly alleged looting of customer funds to support director lifestyles.
+ Management was unable or unwilling to answer basic queries regarding finances internally.
+ Gox's bus number was one, and that bus would have resulted in $500 million being unrecoverably lost. Management, when asked about this, lied brazenly. (Last part is new info, first part obvious.)
There's more at the link.
I've been told that employees at a certain like-deviantart-but-good startup are paid about as much as a convenience store worker. On the other hand, the conbini won't sponsor your visa.
Is this a thinly-veiled reference to pixiv?
You're not going to live anywhere near a comfortable life in Tokyo on 2 million JPY a year, much less 1 million JPY a year. Convenience store workers here make around 950 yen/hr depending on what shift you're working on.
Assuming you find somewhere super cheap and livable (we're talking slightly larger than a single bed, maybe not even including a bathroom) for 50000 yen/mo, that's already 600,000 yen/yr on housing alone. You can see that there's not much left over for utilities, food, transportation, clothes, medical, etc... and we're not even talking taxes and luxuries.
Pretty sure Japan is more like USA in cost of living than India.
My company owes money to vendors, customers, and contractors, too, in the ordinary course of business. At any given time we have probably a few dozen creditors. How many deposit accounts do you think we have?
Companies which explicitly hold other people's money are usually held to higher standards in holding it (Solicitors, Banks, Estate Agents, etc). For example deposits are usually held in a client account, separate from other corporate funds, and not usable except for the intended purpose. The reasons for this are obvious, as it makes fraud far harder to perpetrate, and Mt.Gox not doing so is a red flag given the business they were in. Even worse than this, this wasn't a corporate account, it was Mark's personal account!
I understand how you could read that from the employee's statement, but this allegation is contrary to fact. Gox did most of its business through a series of business accounts at Mizuho, one per currency. A list was provided by the bankruptcy trustee to creditors multiple times -- cf. here: http://www.mtgox.com/img/pdf/20141126_document.pdf
Banks use client deposits to fund their lending, though.
I don't see any fundamental problem with mixing client and corporate funds, provided there is good accounting, solid auditing and sufficient oversight in place to ensure client funds don't go missing. Obviously none of those existed in Mt. Gox.
> In the absence of legal requirements to the contrary, money is money -- it doesn't typically carry along requirements to physically segregate it by owner
To use an analogy, consider if I courier you a parcel. When I hand it over to the couriers they have custody of it - but they don't own it. If the courier company goes bankrupt while my parcel is in transit, they don't get to open all the parcels and auction them off.
Likewise, companies like conveyancers and insurance intermediaries act as 'money couriers' - and they're expected to keep the money in separate accounts so, if the company goes bust, it's clear who is the owner of the money and who just has custody of it.
Obviously, not every financial service is a 'money courier' - but generally getting licenses that let you lose client money is more work than getting the licenses where you can't lose client money.
Of course, I'm not an expert on Japanese financial law, so it's possible financial conduct standards in Japan are different.
Well yes, there are legal requirements when money is handled.
Bitcoin operates in a fuzzy realm, for sure, but it is still poor practice to not follow banking safety practices.
Any business that handles customer money (for example, a lawyer that holds client funds in escrow to pay for services later) is required to maintain separate accounts.
The only exception would be if the customer is lending money to the business (as when you invest in a bank account), not having the business to hold the customer's money.
Respectfully: this is not accurate generally or in Japan. Lawyers are special-cased in the laws of several US states for this purpose.
Software consultants in Japan, to use one example I am intimately familiar with, are not. If you take a deposit of $50k from a client which isn't your money yet, you book an asset (the money, typically deposited in your bank account, where there is no duty for segregation) and a corresponding 前受金 ("advance payment received") liability. As soon as you provide the service which you've received the money for, you're obligated to decrement that liability and increment sales. (This is important for tax purposes if the two events happen in different calendar or fiscal years, one reason why I have to keep books and report to the friendly local tax office once a year how much of OPM I'm presently holding.)
n.b. My understanding of GAAP here would be that Gox would probably hold the money on the books as a deposit (預かり金) rather than an advance payment (前受金) but I'm not positive about that -- my business never had to worry about it.
If you violate professional standards while providing your services, even in the absence of requirements to the contrary, you're putting your clients at risk, probably to an unethical degree depending on what assurances you gave them.
> The new information here is "VNC." It was previously known that at one instant in time Gox proved its reserves by moving all it's BTC in a single transaction. This could be done in a way consistent with what the community thinks "cold storage" should mean; the VNC bit militates against that understanding.
And how does the fact that it is accessible via VNC change anything?
Have all the private keys stored on a machine which is airgapped. Sign a transaction on that machine; copy the transaction to a networked machine (could be done via e.g. copying a QR code from the monitor with a smartphone or, in extremis, just typing very carefully); release onto the Bitcoin network.
Management has previously said that Gox's cold storage was based on offline copies of the keys being fixed onto paper and held in 3+ locations, sprinkled with some RAID-esque pixie dust. (I promise -- this is the maximally charitable summary.) If they're all available for management via VNC at any given time, that casts some doubt about whether they are actually striped over a bunch of paper wallets. Although the Bitcoin community is primarily worried about a server compromise followed instantly by a wallet draining, putting them on a machine accessible from the internal network is approximately just as dangerous, since one assumes that an attacker who gets the web server owns the entire internal network with probability approaching 1.
You can also split up control of the keys with multisig, so multiple keys have to come together to move the BTC.
Since most financial institutions only have a small fraction of their balance needed to cover their money inflows and outflows, having most of your BTC in cold storage is a best practice.
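The "keys striped over paper held in 3+ locations" model described above, and the "multiple keys have to come together" idea from the multisig reply, can be made concrete with threshold secret sharing. This is an added illustration written for this thread, not Mt. Gox's code and not what any commenter posted; it simulates a 2-of-3 split of a 256-bit key with Shamir's scheme over the secp256k1 field prime, so the full key exists only when custodians bring enough shares together, never on a single always-reachable box.

```python
import secrets

# Prime field large enough to hold a 256-bit private key (secp256k1 field prime).
P = 2**256 - 2**32 - 977


def split_secret(secret: int, n: int, k: int):
    """Split `secret` into n shares; any k of them reconstruct it.

    Each share would be printed to paper and stored at a different location,
    so no single machine (VNC-reachable or not) ever holds the whole key.
    """
    if not (0 < k <= n) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    # Random polynomial of degree k-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over whichever shares are supplied.

    With fewer than k shares the result is a uniformly random field element,
    i.e. one custodian alone learns nothing about the key.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo() -> bool:
    """Constructed key, 3 shares, threshold 2: any pair recovers, one does not."""
    key = secrets.randbelow(P)  # stands in for a real cold-wallet private key
    shares = split_secret(key, n=3, k=2)
    pair_ok = all(recover_secret(pair) == key
                  for pair in (shares[:2], shares[1:], [shares[0], shares[2]]))
    single_fails = recover_secret(shares[:1]) != key
    return pair_ok and single_fails


if __name__ == "__main__":
    print("2-of-3 recovery works, single share useless:", demo())
```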
This... is... particularly shocking. The FIRST thing I did when me and my two partners decided to start a business was to get all of these in place before we even started thinking of what we were going to build. All three of us thought it was that important.
Dude, I mean, lack of source control? Who does that? Even when I only had two years of development experience it was drilled in my head this was not just optional, it was absolutely necessary - there is no option to the contrary. It was just basic stuff you should know and this guy was handling millions of dollars in transactions every day? It really makes my jaw drop to think about.
> So you're saying that the mt gox bank account was his own personal account? I wired money to his personal account??
Maybe it wasn't correct in 2014, but apparently it was true when Barr worked there.
The original author reused an old domain for the bitcoin exchange afaik.
Edit: Ok so it WAS in that thread just not something that the only "verified" person said. I'm inclined to believe it's true however it hasn't been confirmed and posting it here in quotes like that given the title (indicating the person running the AMA said this) is misleading at best.
And I think Karpeles was going through that phase at this time. I vividly remember seeing his blogposts on reimplementing an SSH server in PHP, just to show that it's doable. I wouldn't be surprised to see that code and other similar terribad ideas running in production.
People basically just keep chasing local optima until the unholy mess becomes self-sustaining as real improvement becomes more difficult and you can always look back and say, well at least we have "backups" even if it's just a copy on another disk in the same machine.
We don't know that server was used in production, but it's consistent with the complete anarchy we hear prevailed at Mt. Gox, yet again.
Even if this didn't happen at Mt. Gox I'm sure it's happened in other places. I've heard of people storing the queries that they were going to send to the database in a database row.
In fairness, that's not all that different from prepared statements...
> Someone brute forced Jed's account (as told to me by Mark).
> I was there about 3 days before it happened, and I received 3 emails about an SQL injection vulnerability (which Mark ignored/thought unworthy).
The question was asked but somewhat suspiciously dodged: https://www.reddit.com/r/Bitcoin/comments/3fe92x/im_ashley_b...
You're given such a large opportunity and to piss it all away. Yikes.
* As far as I know, no one else at Mt.Gox ever had access to the backend of Mt.Gox, nor the cold wallets. At my time there, only Mark had access to the Database. ... Mark said that if he died there would be hints that one of his best friends could follow to find and unlock the cold-wallets. When I asked said friend, he said he had no idea what Mark was talking about.
* We then looked at the expenses (eye-witness expenses only [AKA, we collaborated and made a list of things we had seen were purchased for the company] so it's not accurate, but surely less than what was actually spent), and used the trading data to calculate some averages around Mt.Gox's profits. The expenditures far exceeded every model we had for income. [This is in relation to the AMA'er being asked to be CEO of Mt. Gox and what happened when he tried to do due diligence, Mark wouldn't give him access to the books]
* Around the same time, we learned that Mark only had one bank account, shared with Mt.Gox's customer deposits.
* Mark was receiving a lot of pressure for "proof of solvency". I was behind him when he VNC'd into... somewhere, used the bitcoin otc app to send the money from A-to-B, and then posted about it. [In case you didn't catch that... THERE WAS NO COLD WALLET. ALL of it was hot and on a machine (running in graphical mode of all things...)]
* "How likely do You think it is that Mark Karpeles was running the Willy bot?" -- To be honest, before you asked this question I had never considered it wasn't Mark. ... I just know my ex-employee contacted me about with the impression that Mark owned this account, I hadn't questioned it, and it was presented as "Mark is at it again"
* I think gross incompetence happened, and Mark tried to cover it up. I don't believe he is outright malicious, but certainly ignorantly-malicious.
* [Mark's] salary was the same as mine at that time. ... I started at 240000yen/month (~$3.1K/mo - ~$37K/yr), and was paid 320000yen/month (~$4.1K/mo - ~$50K/yr) from about August 2011. I was the highest paid employee (including Mark) when I left the company.
* "Where do you think the millions of depositors fiat have gone to?" -- Nooooooo fucking idea. I hope to read about it the same as you do. I want answers.
* "Why was Ross Ulbricht's Gox account banned very early on?" -- Honestly, no idea. I know that Mark banned any accounts blatantly linked to SR. Some people emailed that they needed to use their undeposited cash to buy things on SR. If that made it to Mark, he banned it. I think it was safe practice.
* "Since this is AMA: How come you chose this particular time to come out with this AMA? Why now and not earlier?" -- I think I mentioned in different comment threads, I had an NDA that prohibited me from talking about Mt.Gox. It's still enforceable, but I think Mark has other things to worry about at the moment... I hope :/
* I stopped believing anything he [Mark] said after a month of working there.
* "Reuters reported that expensive toys were being purchased by MtGox/Mark. Do you have any more examples of luxurious spending?" -- He bought a NAO for $5k in August 2011, a Makerbot a little later, and... Ahem, I had to talk him down from buying a Lamborghini as his first car. Respectively, the Honda Civic was a modest purchase. (how the fuck could I explain a Lamborghini to 50% of the employees making under $2000 a month... it would have killed morale, even moreso
* "I find it incredibly irresponsible that no employee or ex-employee blew the whistle on what was going on." -- There was no proof, no one (mark) gave anyone access to anything directly. Everything was inferred. (Spent 900K, made x00K?) where did that come from? No answers... what can you report on that ... :/ It sucked....
* "Do you think Mark is guilty of actually manipulating data in a fraudulent manner, or merely negligence in operating MtGox?" -- Both. but only the latter do I have an experience.
>The entire codebase was stored in a database, only accessible via a client Mark maintained, with no version control nor lock controls meaning if we both had a file open we could overwrite one another's files and undo work.
>>Like, PHP source stored in mysql tables?
>There was no pre-production environment. Meaning changes were supposedly deployed untested or made straight on production.
>I was told I could not touch the backend, although they were working on getting access to this via Mark.