The poster makes some good points about the inconsistencies in Mt. Gox's handling of things, but it seems to me that he's ascribing to malice what is well explained by incompetence on the part of the person or people running the site.
The security practices are appalling, and their lack of clarity on the counter-party issue is damning. If I were Kevin---or, indeed, any customer of that exchange---I'd take my money and go elsewhere.
Still, it's pretty astounding how myopic the rest of the Mt Gox forum users appear. They're taking a situation that's beyond a doubt the fault of the Mt Gox admins and getting ready to lynch a dude who seems to have acted rather reasonably (intentionally not exploiting a known loophole to exceed the withdrawal limit, reporting his disposition immediately to the site's maintainer, et cetera).
Mt Gox is run in such an amateurish way, it's appalling.
In real life, with many brokers your trade doesn't close for 3 days, and as such you can't withdraw proceeds from the trade for 3 days (but you can use the proceeds to continue trading).
In this situation Mt Gox is effectively both the exchange and the broker. Not having a rule in place to block funds from recent transactions makes it look like the people who designed it never traded real stock with real brokers.
> "Mt Gox is run in such an amateurish way, it's appalling."
I blame hubris. Bitcoin is an enterprise where tech-focused people think they have a better (or at least equivalent) solution than what decades or centuries of economics and finance or whatever have come up with. An over-focus on its legitimate advantages and their own abilities ends up blinding people like this to the lessons of experience from the old model and from domain experts. In a very real sense, because they're convinced it's better and that they know what they need to know from economics and finance and banking, they're going to keep making the mistakes that the people they're replacing solved long ago.
The three day settlement rule applies to the NY equity markets. Other markets, including NY fixed income products, run under different rules, including same day settlement.
And this isn't a fraud prevention measure, it's a legacy of the days when settlement included someone carting a stack of stock certificates from one bank's vault to another.
Lastly, most traders trade on a contractual basis, not a settlement basis, so their trades are considered binding as soon as the agreement is in place.
1. In the US, most exchange operators are the counter-parties to all trades. They also interact with settlement and clearing services that ensure the verification of proper ownership and conveyance of securities. In the old days, something like a third of all trades failed to meet the three-day window because some part of this process would fail.
2. There are very very specific rules regarding how the orders are crossed (buy and sell side) and which orders take precedence in the (limit order) book. It looks like the MtGox guys didn't think this through and the trader in question took advantage of this naivete on the part of MtGox.
3. Most exchanges are "brokered" to facilitate trades while MtGox is more like a swap-meet. Brokered exchanges are more expensive to trade in but they have the advantage that brokers can "know" how to get price-improvement based on market conditions. In short, they are "informed traders" vs the "uninformed traders" you see in most post/notice markets. When the informed meet the uninformed, you see situations like this where someone takes the whole shebang home.
Personally, I find it amusing that the Bitcoin fanboys are clamoring for intervention here. It's almost like they are getting to the idea that a strong regulatory environment is a /good/ thing for the free market. If this were the cryptopunk/libertarian paradise that everyone dreams of for Bitcoin, there would be /no/ recourse.
I'm not sure where you're coming from with #2. Most exchanges use price-time priority to determine execution order. From the description the best bid was $0.01, so obviously he would get filled first at $0.0101.
The real problem is that the market was able to descend to that level to begin with. There should have been some sort of circuit breaker limits in the Mt. Gox system that would have halted such a massive decline, similar to those that exist in the US equity and futures markets.
As to #3, really the only thing that matters in terms of exchange access in the US is that you satisfy the appropriate compliance burdens (broker-dealer status) and can pay the fees required for naked access. Those may be good selection criteria for "informed traders" but they certainly aren't any guarantee.
What I meant in #2 was that there are market structure rules about things like minimum price improvement levels and how widely a buy or sell order is circulated before finding a cross. The HFT guys are masters at exploiting the market microstructure to extract alpha. Google SOES bandit if you need further examples.
As for #3, naked access is a relatively new invention and the rules are sufficiently constructed to virtually guarantee that only implicitly informed parties are ever going to see "naked" access.
Circuit breakers (actually the lack of them) is one of those things that enabled this to occur. The party in question essentially copied a strategy that was used by the HFT guys to soak up the offer. The seller got liquidity but it came at a very dear price.
And that's really the issue here: circuit breakers are a compromise between liquidity and price discovery. If the exchange suddenly sees that price discovery is trending outside of a range, they shut down trading. If the problem is a systemic market one, then this probably is a good idea. But if price movement is because of new information, then all the circuit breakers in the world won't help you because as soon as trading resumes, the new regime will be in play.
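The two mechanisms argued over in the preceding comments, price-time priority and a price-band circuit breaker, as an added example. This is not code from Mt. Gox or from anyone in the thread; the reference price, the band width, the order sizes and the order IDs are all constructed for illustration.

```python
"""Price-time priority matching with a price-band circuit breaker.

Added example, not code from Mt. Gox or from the thread. It models a limit
order book that fills the best price first and, within one price level, the
earliest order first; and a circuit breaker that halts matching when a fill
would print more than a set fraction away from a reference price. All
orders, prices and the band width are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass
class Order:
    order_id: str
    side: str           # "buy" or "sell"
    price: Decimal      # limit price, USD per BTC
    qty: Decimal        # remaining quantity in BTC
    seq: int = 0        # arrival sequence number, assigned by the book


@dataclass
class Book:
    reference: Decimal                  # last settled price; anchor for the band
    band: Optional[Decimal] = None      # e.g. Decimal("0.20") halts on a >20% move
    halted: bool = False
    bids: List[Order] = field(default_factory=list)
    asks: List[Order] = field(default_factory=list)
    _seq: int = 0

    def _resting_side(self, order: Order) -> List[Order]:
        """Side an incoming order matches against, sorted best-first.

        Buys match the asks (lowest price first); sells match the bids
        (highest price first). Ties at one price go to the earliest seq.
        """
        if order.side == "buy":
            self.asks.sort(key=lambda o: (o.price, o.seq))
            return self.asks
        self.bids.sort(key=lambda o: (-o.price, o.seq))
        return self.bids

    def _crosses(self, incoming: Order, resting: Order) -> bool:
        if incoming.side == "buy":
            return resting.price <= incoming.price
        return resting.price >= incoming.price

    def _outside_band(self, price: Decimal) -> bool:
        if self.band is None:
            return False
        return abs(price - self.reference) / self.reference > self.band

    def submit(self, order: Order) -> List[Tuple[Decimal, Decimal, str, str]]:
        """Match an incoming order; return fills as (price, qty, taker, maker)."""
        if self.halted:
            raise RuntimeError("trading halted by circuit breaker")
        self._seq += 1
        order.seq = self._seq
        fills = []
        side = self._resting_side(order)
        while order.qty > 0 and side and self._crosses(order, side[0]):
            maker = side[0]
            if self._outside_band(maker.price):
                self.halted = True       # stop before printing the outlier
                break
            qty = min(order.qty, maker.qty)
            fills.append((maker.price, qty, order.order_id, maker.order_id))
            order.qty -= qty
            maker.qty -= qty
            if maker.qty == 0:
                side.pop(0)
        if order.qty > 0 and not self.halted:
            (self.bids if order.side == "buy" else self.asks).append(order)
        return fills


def run_scenario(band: Optional[str]):
    """Constructed: three resting bids, then one large sell that sweeps them.

    Returns (halted, [(fill_price, maker_id), ...]).
    """
    book = Book(reference=Decimal("17.50"), band=Decimal(band) if band else None)
    book.submit(Order("a", "buy", Decimal("0.01"), Decimal("100")))
    book.submit(Order("b", "buy", Decimal("0.01"), Decimal("100")))
    book.submit(Order("c", "buy", Decimal("0.0101"), Decimal("50")))
    fills = book.submit(Order("dump", "sell", Decimal("0.01"), Decimal("500")))
    return book.halted, [(str(price), maker) for price, _qty, _taker, maker in fills]
```

With no band the sweep fills `c` first at 0.0101 (price priority) and then `a` before `b` at 0.01 (time priority), which is the ordering the comment about the $0.0101 bid relies on. With a 20% band around the 17.50 reference the first candidate fill is already far outside the band, so the book halts and prints nothing, which is the liquidity-versus-price-discovery trade-off described above: the sweep never completes, and whether that was desirable depends on why the price moved.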
An order with 1/100th penny precision isn't usual for currencies, but I see your point. Either way, this was a very unusual situation. Why were there so many people sitting at $0.01? If you're going to play that game, why not jump on at $0.011 or $0.02? Hell, pretty much anything < $1.00 you could probably safely assume would give you a profit as long as you were willing to bet you weren't watching the demise of the BTC.
The problem is that the entire Bitcoin model has the same weakness. There's no rule for rolling back a bitcoin transaction because there couldn't be such a single authority because bitcoin is merely a "decentralized" algorithm.
This illustrates one of the inherent problems of Bitcoin. Any currency system today must be based not on simple transfers but on valid transactions. Valid transactions require that there exists an authority to validate those transactions.
There is no rule for rolling back a transaction in the real world either: once the other party is gone with whatever was traded you have almost no way of "rolling back" this transaction.
Real world brokers, though, have a settlement period for releasing funds for exactly this reason - so the transaction could be rolled back if necessary.
> There is no rule for rolling back a transaction in the real world either
If your real world is drug sales in a shady corner somewhere, that might be true.
Elsewhere, we have this thing called the "legal system" which actually exists primarily to enforce something called a "contract", which is essentially a transaction.
And why would this "legal system" not apply to BTC transactions? It is the same as paying someone in cash. The kind of currency used for payments has nothing to do with whether to punish fraudsters and cheats or not.
You have a point ... except that if government was engaged in enforcing a roll-back on a bitcoin transactions, it would make the ordinary "enforcement" system which bitcoin uses rather obsolete.
... and getting everyone to agree to the rollback might be difficult.
... and considering you would be using the state's court system, the state might feel that refusing to use their money wasn't very generous. I.e., if the Feds could sink bitcoin transactions just by saying they wouldn't engage in any fraud protection on them.
The poster does not seem like a malevolent person at all, but he was clever enough to post the $0.0101 bid order before other buyers in line knew what happened, and the commenters on the Bitcoin forum are clearly jealous. Well played, toasty.
He didn't place the $0.0101 order. "I also decided against this, when I realized that whoever placed the gigantic sell order was probably doing so for the exact same reasons and I knew how that would make me look."
What do you mean, "stole"? He placed a buy order, and was matched to someone selling. How on earth is that "stealing"? You can claim the sell orders were illegitimate, but you can't say the same of his buys, without ascribing to every user the responsibility to never be involved in any trade that anyone could possibly call shady.
If I own a grocery store, the onus is not on me to determine whether the person offering me money in exchange for goods came by that money legitimately. They give me money, I give them goods. That's the extent of my responsibility in the transaction.
I dunno. It seems like he understood that the sell order was fraudulent (from his post -- "If there was an attacker in the system . . .," a hypothesis in support of which he calls the very trade he just participated in). Since he had a belief that he was buying hot goods, it seems reasonable to expect him to abstain.
This is the case in physical realms too. For instance, if you buy a stereo for a hugely marked down price out of the back of a guy's car and the cops find out about it, you may get charged. You will certainly have to give it back to the original owner, and if they don't catch the crook, you are the one who is out the money. Even if you don't get caught, you probably wouldn't tell your friends because this is not the sort of thing decent people do.
I read it as he was watching a market free fall and was looking to capitalize on it. He had no way of knowing if the sell order was fraudulent. It could have been someone trying to drastically crash the value of BTC, but still a legitimate owner.
Buying them through MtGox wasn't the same as buying bitcoins out of the back of some guy's car.
What about people who had standing buy orders? They could never have known about the market free-fall and conditions surrounding their eventually accepted orders.
Exactly. If I see the price of Apple drop precipitously, I might think that somebody is manipulating the market, but I'd be a fool not to buy it at $5/share.
Also, what if it wasn't an attack? What if someone with a lot of bitcoins was running a misconfigured script? We've seen flash crashes in the real world caused by automated trading; why would btc be any different?
Or, what if it wasn't an attack, and someone was really trying to sell his bitcoins, either because he needed the money/thought that was a rational thing to do, or because he wanted to drop the market price for whatever reason.
I think that the OP considered the above possibilities and acted rationally. However, he also considered the possibility of this being an attack/theft/hack and acted NOT like a dick.
Yeah, I think initially there was that. But after he bought he began to suspect there was fraudulent activity. And he still transferred the money out. The problem was not the buying, it is suggesting that MtGox is responsible for providing him with a free lunch now.
> wasn't the same . . .
No, but there was a commonality in that foul play was suspected. The point of the car analogy is not the appropriateness of the forum, because MtGox is unquestionably an appropriate forum. It's about how much evidence you have to suggest that something is amiss.
So if I get word that Anonymous is planning on doing another blitz trying to create a rumour that Steve Jobs has died, would I be wrong to short Apple? It doesn't matter whether the forces moving the market are legitimate or not; you can't be faulted for playing it. What you're advocating might be moral, but it's not in keeping with the principles of a free market.
According to the misappropriation theory of inside trading, it seems you would be doing something illegal. Or perhaps you could be convicted of acting as an accessory to securities fraud. Whether it's moral or in keeping with the spirit of capitalism I guess depends on your interpretation of those two things. Personally I don't think capitalism has a finders-keepers rule when participants buy stolen goods, but you may read it differently.
FYI, the information I'm basing this on comes from a similar case in the Wikipedia article:
> In 1997 the U.S. Supreme Court adopted the misappropriation theory of insider trading in United States v. O'Hagan, 521 U.S. 642, 655 (1997). O'Hagan was a partner in a law firm representing Grand Metropolitan, while it was considering a tender offer for Pillsbury Co. O'Hagan used this inside information by buying call options on Pillsbury stock, resulting in profits of over $4 million. O'Hagan claimed that neither he nor his firm owed a fiduciary duty to Pillsbury, so that he did not commit fraud by purchasing Pillsbury options.[16]
> The Court rejected O'Hagan's arguments and upheld his conviction.
> The "misappropriation theory" holds that a person commits fraud "in connection with" a securities transaction, and thereby violates 10(b) and Rule 10b-5, when he misappropriates confidential information for securities trading purposes, in breach of a duty owed to the source of the information. Under this theory, a fiduciary's undisclosed, self-serving use of a principal's information to purchase or sell securities, in breach of a duty of loyalty and confidentiality, defrauds the principal of the exclusive use of the information. In lieu of premising liability on a fiduciary relationship between company insider and purchaser or seller of the company's stock, the misappropriation theory premises liability on a fiduciary-turned-trader's deception of those who entrusted him with access to confidential information.
Of course, IANAL and I could be wrong, but it sounds like the same sort of thing. Information is created about a company by a third party, and someone else uses that information to make trades.
Then again, these two situations are also not analogous, because this guy's trades on MtGox were based on public information (namely that the value of bitcoins was falling precipitously). So he might not have done anything technically illegal, were this a real exchange. However, his trades would probably have been rolled back in a real exchange (assuming the trades were enough to move the market like this), so that still supports my overall perspective that he should not expect to get away with the money.
There's no inside information, it was all public. That case doesn't apply unless he knew something that only Mt Gox "employees" should know.
And I've never seen him say he should keep the money (he said they didn't even ask him the money back), he just disagrees with the decision of rolling back by force, which affects the whole Bitcoin market, not just himself.
No he didn't. He withdrew them as proof of concept. Right now it's not even clear who he should give them back to. Furthermore, unless he caused the selloff there was nothing wrong with putting in his $0.0101 order. I suspect the bitter people on the bitcoin forum are the ones who had $0.01 orders in and assumed that fractional values would be rounded down to the nearest cent. They were hoping to make some easy money from others' misfortune and are angry because they were outwitted.
The 643 he has are 'worth' $10K at the $17/btc rate. That would be triple the $3000 he 'had in his account' so either way that would be not a bad return on $3K.
Raises other questions about whether clients can 'conspire' to hold records of sales (vs rolling back the transactions). In real 'cash' situations you have to give back the actual currency; in a bitcoin world it's a rollback of the sell record, but now you've created Heisencoins, have you not? Sold by some accounts, not sold by others?
Interesting to watch the intersection of the protocol and the reality.
I'm thinking of doing some bitcoin trading myself. It's like finding a free herd of sheep; eating them would be naughty and possibly illegal, but I'm seeing good opportunities in fleecing them and selling woolly sweaters to keep out the chill.
How can you fault a guy who does what traders try to do every single day? The fault is only with Mt Gox here and this isn't the first shady thing they've done (apparently even changing jurisdictions to avoid getting sued over previous abuses). Mt Gox are scum bags and deserve to be shut down at the very least.
I wholeheartedly agree. I wasn't actually expecting reactions like that from the forum users, so that's surprising too. It seems to me that the OP on that forum saw a pattern, proved it was true and then proceeded to tell the appropriate persons. The appropriate persons then realised they'd made a big mess of things and then twisted the truth to create a scapegoat, which is exactly how it's playing out on that forum.
The community that for months has been preaching the virtues of the currency nobody can control is suddenly arguing that a middleman should roll back a bunch of free-market transactions.
I decided a while ago that arguing against the "bitcoin has no problems" crowd was futile: people are too enamored with the idea to see problems like this until they happen.
This would make no sense if you supported a decentralized cryptocurrency, but would make perfect sense if you were worried about losing the ability to cash out of your penny stock of choice when, due to freak coincidence, a separate scam targeting the same stock imploded prior to you being able to unload the shares you had acquired for fractions of a cent at $17+ each.
The Bitcoin "community" is an emergent, distributed boiler room. They could just as easily be selling pink clam shells, tulips, or shares in an insolvent company that had a business plan to make pool cleaning agents. The underlying commodity doesn't matter. What does matter is that widely disbursing the underlying commodity early gave them enough of a following, including folks who are savvy enough to think that they are the ones getting rich off the marks (a classic element of fraud), to attempt to convince other people that there is actually intrinsic value in what they are selling.
Every article about Bitcoin which makes it to HN -- yes, including ones in mainstream publications -- is in effect a PR hit planted by a new breed of the old boiler room scam.
BTC is neither generally accepted nor does it have the STABLE VALUE needed to become more accepted as a medium of exchange. And that last element is something the Bitcommunists just utterly miss. Because a currency is a medium, just a means, it will not function unless its value is stable. Not decreasing OR increasing.
Whenever the BTC shills tout the increasing value, they've accomplished the old "switch-a-roo" from currency to speculative commodity.
"Folks, in the grown-up world, trades are unwound when the market malfunctions. --Jeff Garzik, bitcoin core dev team"
In the grown-up world, currency is controlled by governments, the financial industry is regulated, and money cannot be transferred large distances anonymously. The whole sales pitch of BitCoin is that it is free of all this control. Invoking "the grown-up world" to describe BitCoin is absurd.
Where exactly do you live? Many offshore banks offer privacy even against police authorities, and tax evasion reaches billions per year. The crackdown on that is fairly recent (5-10 years) and still very ineffective.
The main reason why Bitcoin can't be considered grown-up is because there aren't guys like Soisson showing up dead.
This is an exchange issue, not a BitCoin issue. The exchange is entitled to behave however it wants. In fact, if it wants to remain profitable it should behave in a responsible, reliable way. In this case it means appeasing the majority of its users.
The market intervention that people are demanding is only possible because Mt Gox is a centralized exchange. Had this been a hack of a pure BitCoin client, it would have been even worse, because the theft would have been irreversible.
If the community wants rollbacks when transactions aren't "fair," what's the point of BitCoin again?
Right. It's clear that this is not a problem with Bitcoin itself, but a problem with an institution built on top of it. If Mt Gox fails, other trading platforms could emerge to take its place.
Likewise the freedom from government intervention that is the point of Bitcoin does not ensure freedom from government intervention in trading platforms built upon it.
Not that I don't expect problems to emerge with Bitcoin itself...
http://www.bitcoincharts.com lists the daily trading volume of various exchanges. I think the numbers for Mt. Gox represent the volume before things went sour, so based on that, Mt. Gox sees almost 30 times the volume of the next largest exchange.
I'm probably thinking of something different - but wasn't it clear in the bitcoin protocol itself that if a single actor controlled a majority percentage of the bitcoins out there, the model falls apart and is at risk?
Sorry, we have our wires crossed. You can still transfer bitcoins from one person to the other. An exchange is a website that allows you to convert bitcoins into USD. MtGox controlled about 90% of the BTC↔USD conversions.
I think the problem here is the existence of Mt Gox itself. It seems like creating a centralized exchange for a currency that does not yet have a real economy associated with it - and which has been hyped by the internet meme machine - is just asking for the currency to become the victim of wild speculation.
Especially when the exchange is just a spot market - speculation in futures and options wouldn't undermine the viability of the currency as an actual means of exchange in the way that this situation will.
I agree, but without a credible exchange of any kind, you're left with party-to-party bartering, and no real means for pegging prices. Just like every other currency/commodity.
Quick! Somebody invent software which will allow people to have discussions that branch! Otherwise the dreadful disaster of discussion derailment will doom us daily!
There appears to be a real market demand for a currency that is not controlled by a national government, especially one that has the features of cash-like transactions. That bitcoin is lacking as an implementation is immaterial, people want it for whatever reason.
> There appears to be a real market demand for a currency that is not controlled by a national government, especially one that has the features of cash-like transactions. That bitcoin is lacking as an implementation is immaterial, people want it for whatever reason.
"We must do something, {random} is something, therefore we must do {random}" is generally regarded as a fallacy.
So, there's something like 21 million bitcoin possible, and 6 million 'in circulation' now. A sell order comes in for 1/12 of the total amount of outstanding bitcoin. And the system processes it, flash-crashes, and... 3) Profit, I guess. Or 4) rollback.
That's something like what would happen if someone dumped 1 trillion USD onto a bond exchange. There are only a couple entities who could do this.
So how did 1/12 of the value in this ecosystem wind up in one account at Mt Gox? I'd have to think that it's likely an insider/early adopter. (or Mt Gox itself?) There's a limit on the number of entities who could amass that sort of 'fortune'.
That's a really good point. Who says that there really was anyone with that many bitcoins in their account? Maybe someone just hacked the database, put 500,000 btc into an account, and then sold them on the market? We know the user database was dumped, so why shouldn't we think that someone edited the account balances too?
The way I understand bitcoin is that you can't simply sell coins made by adding them to a db record. Perhaps the MtGox system can artificially generate the appearance of those coins, but the actual validation of the transaction by the network would have failed.
The way I understand Mt. Gox is that they have a giant pool of real btc. They are the "owner" of these btc. So, for instance, if your account says you have 3000 btc, then your 3000 is just an entry in a database, and the only time that actually becomes a bitcoin is when you cash out the coins from Mt. Gox. At that point, they give you the amount of coins that you requested to be withdrawn from their giant btc pool. So, in other words, there aren't actually any specific bitcoins that are assigned to you specifically. You essentially own an IOU for 3000 bitcoins that you can cash out at any time. That's also why they can roll back transactions, because no bitcoins are actually transferred in their system, only database entries that state who owns how many bitcoins. That's why I think someone could update an account's bitcoin balance to any number, and then sell them on the market, because you're not really transferring bitcoins. You're transferring IOUs for bitcoins in a database.
Judging by the amateur security issues they've had lately, I think it's highly unlikely that they have the right controls in place to catch something like that automatically.
I imagine that all BTC available for trade at MtGox are in a MtGox-owned wallet. All trades are just done in their database, and a transaction only hits the bitcoin network when a user wants to withdraw BTC out of the market.
In that case, while adding fake BTC will not let you actually withdraw coins, it would allow one to issue mass sell orders and crash the price for BTC. Then the exploiter could purchase them at their lower valuation.
'Sell' fake coins. Crash the price. Buy 'real' coins. A virtual coin laundering. Fascinating.
There are 21 million bitcoins and they divide down to 8dp, so you need 16 decimal digits to represent them exactly. Coincidentally (?) double precision floating point is capable of precisely representing exactly 16 decimal digits.
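The precision point in the preceding comment, as an added example (not code from the thread). It checks the two consequences a ledger author cares about: the whole supply counted in satoshis (2.1e15) sits below 2**53, so it survives a double exactly as an integer count, while the same amounts handled as fractional BTC in a double do not sum exactly. The amounts are constructed.

```python
"""Integer satoshis beside floating-point BTC.

Added example, not from the thread. The comment above observes that 21
million BTC at 8 decimal places needs 16 significant digits. This checks
both facts that follow for an exchange ledger: the total supply in satoshis
(2.1e15) is below 2**53, so it is exact even when a double holds it as an
integer count; the same amounts written as fractional BTC in a double are
not exact, so balances should be kept as integer satoshis. Amounts below
are constructed.
"""
SATOSHI = 10 ** 8
MAX_SUPPLY_SAT = 21_000_000 * SATOSHI    # 2.1e15 satoshis


def total_supply_fits_in_double() -> bool:
    """Integers up to 2**53 round-trip exactly through a double."""
    return MAX_SUPPLY_SAT < 2 ** 53 and int(float(MAX_SUPPLY_SAT)) == MAX_SUPPLY_SAT


def to_sat(btc: str) -> int:
    """Parse a decimal BTC string such as '0.0101' to satoshis using only
    integer arithmetic; more than 8 decimal places is rejected, not rounded."""
    sign = -1 if btc.startswith("-") else 1
    body = btc.lstrip("+-")
    whole, _, frac = body.partition(".")
    if len(frac) > 8:
        raise ValueError(f"more than 8 decimal places: {btc!r}")
    if not (whole or frac) or not (whole + frac).isdigit():
        raise ValueError(f"not a decimal amount: {btc!r}")
    return sign * (int(whole or "0") * SATOSHI + int(frac.ljust(8, "0")))


def from_sat(sat: int) -> str:
    """Render satoshis as a BTC string with all 8 decimal places."""
    sign = "-" if sat < 0 else ""
    sat = abs(sat)
    return f"{sign}{sat // SATOSHI}.{sat % SATOSHI:08d}"


def ledger_total_sat(amounts) -> int:
    """Exact: integer sum of satoshis."""
    return sum(to_sat(a) for a in amounts)


def ledger_total_float(amounts) -> float:
    """Inexact: the same ledger summed as doubles."""
    return sum(float(a) for a in amounts)
```

The integer path never rounds: a deposit of `0.1` plus `0.2` is exactly `0.30000000`, whereas the float path yields the familiar `0.30000000000000004`, which is the kind of discrepancy that makes a balance audit fail for no real reason, or hides a real one.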
If this was the case though, don't you see a really big issue? They're running test data through a financial production system? That wouldn't just be retarded, it would be illegal anywhere else. If you're *SX and creating fake money in a real system you're going to get into a lot of trouble.
Should mt.gox even be allowed to participate in trading? Seems like a massive conflict of interest to me. If it was their account and their account could perform trades, then that sounds like a big problem.
Unless it was the BTC mtgox directly own, that would mean that the BTC you upload aren't the ones that are transferred when you trade (remember BTC are unique). Although I haven't used MtGox, I was pretty sure that it is the case that BTC you upload are the ones that are transferred.
When you transfer money to MtGox, you're essentially giving it to them. They give you a unique address to send to (so they know who sent the money to them), but after that transaction they have your money. Then, they just update the DB reflecting you have X amount of BTC in your account. As you trade with other people on the market, your respective accounts are updated in the DB. When you want to withdraw, you tell MtGox where to send the money. They check the DB and deduct that amount, and send that money from their big stash of everyone's money.
That is why trades can be instantaneous, and don't require confirmation by the network (except when you are sending to or withdrawing from MtGox itself).
In this case, if you could hack the DB and convince MtGox that you had more BTC in your account than you really did, you could still withdraw BTC, but there would no longer be enough BTC for everyone to withdraw.
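The control that would catch the scenario in the preceding comments (a balance written straight into the database with no coins behind it) is a reserve invariant over the pooled wallet. The following is an added example, not Mt. Gox code; the accounts, amounts and the forged entry are constructed, and the "wallet" is a plain counter standing in for the on-chain balance.

```python
"""Solvency audit for an off-chain IOU ledger.

Added example, not Mt. Gox code. The comments above describe an exchange that
keeps customers' coins in one pooled wallet and records who is owed how much
in a database, so trades move database entries rather than coins. The control
that catches a forged balance is a reserve invariant: the sum of all customer
balances must never exceed what the pooled wallet actually holds. Accounts,
amounts and the forged entry below are constructed.
"""
BTC = 10 ** 8   # work in integer satoshis


class PooledLedger:
    def __init__(self):
        self.balances = {}      # account -> satoshis the exchange owes it
        self.wallet_sat = 0     # satoshis actually held in the pooled wallet

    def deposit(self, acct, sat):
        """Coins arrive on-chain: both the wallet and the IOU grow."""
        self.wallet_sat += sat
        self.balances[acct] = self.balances.get(acct, 0) + sat

    def trade(self, seller, buyer, sat):
        """Internal trade: IOUs move between accounts, the wallet is untouched."""
        if self.balances.get(seller, 0) < sat:
            raise ValueError("seller balance insufficient")
        self.balances[seller] -= sat
        self.balances[buyer] = self.balances.get(buyer, 0) + sat

    def withdraw(self, acct, sat):
        """Coins leave on-chain. The per-account check alone lets a forged
        balance through, which is why the audit below has to exist."""
        if self.balances.get(acct, 0) < sat:
            raise ValueError("balance insufficient")
        self.balances[acct] -= sat
        self.wallet_sat -= sat

    def audit(self):
        """Reserve invariant: owed <= held. Run after every mutation or on a timer."""
        owed = sum(self.balances.values())
        return {
            "owed": owed,
            "held": self.wallet_sat,
            "shortfall": max(0, owed - self.wallet_sat),
            "solvent": owed <= self.wallet_sat,
        }


def demo():
    """Normal operation passes the audit; a directly edited balance fails it,
    and a withdrawal against that balance drains real coins from the pool."""
    ledger = PooledLedger()
    ledger.deposit("alice", 3000 * BTC)
    ledger.deposit("bob", 1000 * BTC)
    ledger.trade("bob", "alice", 500 * BTC)
    before = ledger.audit()

    # Constructed tampering: a row written straight into the database, with no
    # matching deposit into the wallet.
    ledger.balances["mallory"] = 500_000 * BTC
    ledger.withdraw("mallory", 643 * BTC)   # passes the per-account check
    after = ledger.audit()
    return before, after
```

Trades never change `wallet_sat`, so a correct system keeps `owed == held` at all times and the audit is cheap to run continuously. After the forged row the shortfall is exactly the forged amount, and the withdrawal that follows is approved by the per-account check yet leaves other customers' coins short, which is the "no longer enough BTC for everyone to withdraw" outcome the comment describes.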
Almost feels like it's one of the MtGox accounts itself. Transaction-wise, it has been making easily 200-300 BTC a day. Perhaps also doing some personal buying and selling...
> So how did 1/12 of the value in this ecosystem wind up in one account at Mt Gox?
The two leading theories are that it was the account that trading fees go into, or it was an account that didn't really have that many bitcoins, but had its balance altered by SQL injection.
What on earth is all this talk about "attacks" and "rolling back the market"? This is how currency works; we've just been witness to one of the darker parts. Just because you don't like it doesn't mean it's not legitimate.
Even if it's illegal to manipulate the US Dollar, it is most certainly legal to manipulate the BitCoin, whose express purpose was to be wholly unregulated!!!
There's been a lot of talk about regulation, but I read something earlier today that I found rather surprising:
"Unlike stocks, futures or options, currency trading does not take place on a regulated exchange. It is not controlled by any central governing body, there are no clearing houses to guarantee the trades and there is no arbitration panel to adjudicate disputes. All members trade with each other based on credit agreements. Essentially, business in the largest, most liquid market in the world depends on nothing more than a metaphorical handshake." - 1
So basically, the method of bitcoin exchange isn't all that different from ForEx. What's happened here is that the trading house has taken a fall, but doesn't appear prepared to take it on the chin. I don't know much about Mt. Gox. Any guesses as to whether or not they're insured? If this turns out to be a case of Mt. Gox's systems being hacked, are they liable?
What's most interesting for me is the irony on display. Bitcoin, Mt. Gox, and the whole ecosystem were established on principles like lack of regulation, anonymity, and un-traceability, yet here they are, hoist by their own petard.
I suppose this makes sense... the US government doesn’t really care if you get fleeced buying or selling British pounds, and the British government doesn’t care if you get fleeced buying or selling US dollars.
I guess the "attack" was done by the guy doing the mass sell off since he had acquired the coins by hacking into Mt Gox and stealing other people's coins. That is stealing, not manipulation. Had that not happened, and if it was just some speculator doing a mass sell off, they should have let him do it and not done the roll back. If you sell at 0.01 per btc, and the market goes back up, you lose money. Simple as that.
However, he has two technical mistakes in his post from a security perspective:
1) We don't know the attack vector. For example: If Mt Gox has a SQL injection vulnerability, then a sophisticated attacker will not waste their time doing a rainbow attack on a random user. Instead, if the account balance is not encrypted and the key kept secret, then the attacker simply needs to do a SQL injection attack that returns the account with the largest balance:
select top 1 t1.account_id, t1.balance from Account t1 order by t1.balance desc
Instantly, the attacker knows the largest balance. This automatically reduces the attack space. This is a standard trick attackers use to bypass even needing to guess a password.
2) Compounding this issue, it seems Kevin is right, the attacked account had a naive password susceptible to a rainbow attack. According to rumors, this attack was a pooled account that mediated all the assets traded on the exchange. This implies that MtGox used a password susceptible to a rainbow attack to secure the master account. To answer Kevin's question, what user would amass $8M in bitcoins and use a bad password? The system administrators. 0xDEADBEEF.
Postscript: I have never traded or owned bitcoins, or even signed up for an exchange. I just find the security breach fascinating!
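The defect on the exchange side that the query above would exploit is query text assembled from user input. Here, as an added example (not Mt. Gox code; table, columns and rows are constructed), the string-built lookup sits beside the parameterized one so the difference in behaviour can be checked directly.

```python
"""Account lookup: string-built SQL beside a parameterized query.

Added example, not Mt. Gox code; the schema and rows are constructed. The
comment above shows the kind of query an injection flaw exposes. This shows
the exchange-side defect that makes it possible (user text spliced into the
statement) next to the fix (the driver sends the input as a bound parameter,
so it can never change the shape of the query).
"""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the exchange's Account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Account (account_id TEXT PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Account VALUES (?, ?, ?)",
        [
            ("1", "alice", 3000 * 10**8),      # balances in satoshis
            ("2", "bob", 1000 * 10**8),
            ("3", "pool", 500_000 * 10**8),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Defect: the username is formatted into the SQL text, so quote characters
    in it become part of the statement rather than part of the value."""
    sql = "SELECT account_id, balance FROM Account WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Fix: the statement is fixed text and the value travels separately; sqlite3
    binds it, so the same input is compared literally against the column."""
    sql = "SELECT account_id, balance FROM Account WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

With an ordinary username both functions return one row. With a value containing a quote and an `OR` clause, the string-built version returns every account (the largest balance included), while the parameterized version returns nothing because no account has that literal name. Binding parameters is the fix; running the lookup path under a database role that can only read, never `UPDATE`, is the second layer that limits what an injection can do even if one slips through, which matters for the altered-balance theory raised elsewhere in this thread.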
Reading through the forum posts is really quite illuminating. The childishness of the bitcoin miners/traders is understandable given the demographic that this system appeals to at the moment, but the stunning naivete and downright ignorance of the law that is on display from the Mt. Gox admins is the most remarkable thing to me. At this point I am expecting bitcoin to die not due to its inherent failures as a currency but due to the incompetence of the major bitcoin exchange.
he claims that the $1,000 daily limit at MtGox is broken and you are able to withdraw as many times as you want as long as each withdrawal is under $1,000.
The most interesting part I think is that he was actually able to withdraw 643.27 bitcoins (much more than the usual daily limit) when they were for around $1.55 each, which means the withdrawal limit for BTC was calculated at current market prices.
If this is all true, then the hacker is probably banging his head against the wall now because he was likely able to steal millions without any hope of ever being caught. Or did he?
MtGox claims he got away with only $1,000 worth of bitcoins however if he took them out of the exchange right after the crash when their market value was around $0.01... oh well, there is something very fishy going on here. I suspect MtGox doesn't have enough bitcoins to back their accounts now. If you see in upcoming days people complaining about MtGox not willing to physically transfer bitcoins back to their traders, it will be more than obvious.
I think people trading in Bitcoin need to keep perspective on what they are actually doing, which is participating in an experiment.
No investor with a sane mind would consider Bitcoins a solid investment decision. Unfortunately, ideas like this tend to attract both extremely savvy people as well as a bunch of lazy people who would otherwise be lapping up "Make 10,000 a week with Clickbank" e-books.
There will likely be many more stories in the same vein as this one.
In my mind, the wealth of this discussion isn't who is right and who is wrong, it's the fact that we're recognizing the current faults in a new and ambitious system, in the hopes that we can make a better one in the future.
> Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
I'm quite surprised that a service with accounts holding millions of dollars would store passwords without salt or a stronger hash algorithm than MD5!
FreeBSD MD5 is pretty strong. It's randomly salted and runs 1000 iterations of MD5. None of MD5's weaknesses are especially relevant in this context.
The most important thing is how slow it is, and it's likely that if they'd taken defaults bcrypt would actually have been faster.
The saddest thing is that many of the people howling about MD5 are proposing weaker alternatives like straight SHA-512 with a static "salt" embedded in the source code.
In fact, MTGOX almost deployed such a replacement in their upgrade until they were cluesticked by people screaming to not invent your own cryptographic functions.
I don't think you understand how fast MD5 is. On the order of 10 billion MD5/sec is doable for very cheap. If you're going after millions, getting multiple graphics cards is a no-brainer.
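Added example (not code from this thread or from Mt. Gox) illustrating the hashing points raised above: why a precomputed table against unsalted MD5 is reusable across every user, why per-user salt plus iterations (a simplified stand-in for FreeBSD md5crypt, not the real md5crypt construction) only raises the attacker's bill rather than rescuing a weak password, and what the quoted 10 billion MD5/s rate means for exhaustive search. The wordlist, salts and leaked rows are constructed.

```python
import hashlib

# Constructed wordlist standing in for a precomputed rainbow table. Real tables
# cover billions of candidates; the argument is the same at any size.
WORDLIST = ["123456", "password", "letmein", "bitcoin", "mtgox", "qwerty"]


def md5_unsalted(password: str) -> str:
    """Plain MD5, the scheme the quoted statement says idle accounts still used."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted_iterated(password: str, salt: bytes, rounds: int = 1000) -> str:
    """Simplified stand-in for FreeBSD md5crypt (assumption: the real md5crypt
    mixes its inputs differently). Keeps the two properties the thread cares
    about: a per-user random salt and a 1000-round iteration count."""
    digest = hashlib.md5(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + salt + password.encode()).digest()
    return salt.hex() + "$" + digest.hex()


def pbkdf2_sha512(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """'SHA-512 multi-iteration salted hashing' done with the standard PBKDF2
    construction, rather than an ad hoc SHA-512-with-static-salt scheme."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()


def build_table() -> dict:
    """Precompute hash -> password once. Without salt, one table serves every user."""
    return {md5_unsalted(pw): pw for pw in WORDLIST}


def crack_unsalted(stored: dict) -> dict:
    """Look every user's hash up in the shared table: no hashing at attack time."""
    table = build_table()
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: dict, hash_fn, rounds: int) -> dict:
    """With a salt the table is useless: the attacker must hash the whole wordlist
    again for each user, paying `rounds` compressions per guess."""
    found = {}
    for user, stored_hash in stored.items():
        salt = bytes.fromhex(stored_hash.split("$")[0])
        for pw in WORDLIST:
            if hash_fn(pw, salt, rounds) == stored_hash:
                found[user] = pw
                break
    return found


def attack_work(n_users: int, wordlist_size: int, rounds: int, salted: bool) -> int:
    """Hash compressions needed to try the wordlist against every user."""
    if not salted:
        return wordlist_size * rounds           # one table, reused for all users
    return n_users * wordlist_size * rounds     # no reuse across users


def seconds_to_exhaust(candidates: int, rounds: int, hashes_per_sec: float = 10e9) -> float:
    """Time to try `candidates` passwords at the 10 billion MD5/s rate quoted above."""
    return candidates * rounds / hashes_per_sec


if __name__ == "__main__":
    # Constructed leaked rows: two idle accounts on plain MD5, two migrated ones.
    weak, strong = "letmein", "correct horse battery staple"
    salts = [bytes.fromhex("0a1b2c3d4e5f6071"), bytes.fromhex("deadbeefcafef00d")]
    leaked_plain = {"idle_a": md5_unsalted(weak), "idle_b": md5_unsalted(strong)}
    leaked_salted = {"user_a": md5_salted_iterated(weak, salts[0]),
                     "user_b": md5_salted_iterated(strong, salts[1])}
    print("plain MD5, table lookup:", crack_unsalted(leaked_plain))
    print("salted/iterated, per-user search:",
          crack_salted(leaked_salted, md5_salted_iterated, 1000))
    # A weak password falls either way; salt and rounds only change the attacker's bill.
    print("work, 1000 users, plain MD5:", attack_work(1000, len(WORDLIST), 1, False))
    print("work, 1000 users, salted x1000:", attack_work(1000, len(WORDLIST), 1000, True))
    # All 8-character printable-ASCII passwords (95^8) at 10 GH/s:
    print("plain MD5: %.1f days" % (seconds_to_exhaust(95 ** 8, 1) / 86400))
    print("1000 rounds: %.1f years" % (seconds_to_exhaust(95 ** 8, 1000) / 86400 / 365))
```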
A thief can't pass good title on stolen goods: If you buy a stolen item, it is not yours, it is still the original owner's. Doesn't matter if it's a bitcoin, a car, or a quarter.
The sale was not legit, it should not stand. The rest of the rollback is fuzzier, but on this gentleman's coins, a seizure should occur.
The exception to this rule is a "bona fide purchaser for value without notice". If someone has no reason to believe that property is stolen and buys it, then it's their property now. So sorry.
I'm still confused about whether or not bitcoin transactions are traceable. If they have deniability, it might be impossible to prove/disprove that you knew the goods were stolen.
Of course, I am neither a lawyer nor a crypto specialist and this isn't legal advice.
(In particular, the rules vary depending on whether the property is realty, on whether you have a Torrens system, whether you have fused equity and what your local courts and legislatures have decided).
"The exception to this rule is a "bona fide purchaser for value without notice". If someone has no reason to believe that property is stolen and buys it, then it's their property now. So sorry."
This rule only applies in some law systems. Where I live you need both to perform all the reasonable checks and 3 years time to become the owner of the stolen property.
If the original owner shows up before 3 years have passed then you have to get back whatever you have bought. This happens even if you have performed all of the reasonable legitimacy checks.
One exception is land registration - entries in the public land register (even those obtained illegally) protect the purchasers from claims by the original owners (this does not apply to bad faith buyers.)
Withdrawals from MtGox are traceable. It's just a payment to an address which has to be known in order to make that payment. So, unless they (MtGox) have lost that address too..
Exactly. He may have seen the unusual dumping of bitcoins as a planned crash. Someone who legitimately acquired them with the intention of doing this dumping in order to prove some point. To prove that the account was hacked and the coins sold illegally, has anyone seen the police reports?
Uh, is that really so? So I can steal whatever I want, as long as I can sell it off fast enough?
Say I am 99 years old and have only one week left to live. What if I go on a car stealing spree and steal Porsche cars for my extended family. Then I sell them to them for a symbolic 1 cent each, claiming that I have collected them over my lifetime and now want my family to benefit.
Yes, what I mean is that if I was 99, I wouldn't care much about being punished for being a thief. I could therefore make a lot of people happy. If not my family, then maybe I could go Robin Hood, steal from the rich and sell cheaply to the poor.
I can't imagine that it works that way. I can believe that as a buyer of stolen goods without knowing they were stolen, you won't be punished. But you will still have to return the stuff. I am not a lawyer either, though.
If it works as you describe, let's found a guild of 99 year old Robin Hoods...
> If not my family, then maybe I could go Robin Hood, steal from the rich and sell cheaply to the poor.
Note "for value". If the price is unrealistically cheap, the courts can point out that the buyer should have been suspicious.
> I can't imagine that it works that way. I can believe that as a buyer of stolen goods without knowing they were stolen, you won't be punished. But you will still have to return the stuff.
You don't have to return it, it's yours now. The point is that the bona fide purchaser is not a criminal and acted in good faith. If, however, there is the slightest whiff of a hint of a suspicion, those bona fides collapse and title reverts to the original owner.
It is harder to prove bona fides than you might think. Got a great price? Not for value, test fails. Knew the seller? Not bona fides, test fails. Bought it from someone who has no history of selling those items? Possible notice, test fails. And so on.
Look, here's the thing. Lawyers and judges have been working on this system (the common law) for nearly a thousand years. For day-to-day stuff like property, the loopholes are well and truly closed and have been for hundreds of years.
That I was an inadequate law student and now am an inadequate explainer does not change the fact that the common law is pretty damn adequate at providing sensible legal protection for almost all imaginable transactions.
Another question: what happens if somebody steals my Porsche and sells it to somebody else, but I still have a set of car keys. One day I notice my Porsche parked on the curb, use my keys to enter it and drive away? Is it then a Schrödinger-Porsche that belongs to both me and the person who bought it off the thief?
What if I never even noticed it was stolen?
In fact, as the thief, why even bother with stealing? Why not just sell, say, houses on ebay that don't belong to me?
A thief steals a widget from you and sells it to me for $x. I have no reason to suspect it was stolen.
The thief then absconds with the $x and spends it on consumable goods; even if caught, the cash can't be recovered from him.
I currently have the widget and have lost nothing; you're currently the thief's only victim. But if the court takes the widget from me and gives it to you, you're fully compensated, while I am now the victim, because my $x has effectively been stolen with no compensation.
In other words, there are two people who have been victimized by the thief, but all the court can do is re-assign victimhood to one party or the other, which, all things being equal, it should be indifferent to. Allowing the purchaser to keep the widget is basically the same as saying that they'll have no part in deciding who is to be the victim, and allowing circumstance itself to determine that.
But the thief himself is always responsible, and it's entirely appropriate to extract from him as much compensation for both victims as is possible.
[in my state] a title is an abstract bundle of rights and the piece of paper is a certificate of title. Having the certificate makes it easier to attempt to transfer the title, but lost certificates can be recovered and fraudulent transactions can be unwound.
In addition to what jacques_chester has said, never forget the law is adjudicated by humans, not computers. If a judge thinks you've found a "loophole" there's no guarantee he's going to take too kindly to that line of argument. Yes, we've all heard stories about loopholes that worked, but for every one that did there were a great deal more that did not.
So if I understand this correctly, given that he bought the coins at ridiculously low prices, and that in the post he said it was weird and he tried to take advantage of it, would he not completely fail the test?
He doesn't know they are stolen. It could have been a legit attempt to panic the market by someone hoping to recover their losses plus some profit in the recovery. It's not illegal to ride along.
I don't know. I imagine there is a body of caselaw dealing with these rules in the context of financial instruments and currency trading that would give more detailed tests.
You are assuming bitcoins are like a negotiable instrument.
They aren't, they are much closer to bearer bonds. Whoever holds the wallet owns the bitcoins. There is no other recorded title.
It does matter if it's a bitcoin, a car or a quarter. A bitcoin is completely virtual with no intrinsic value. The legal recourse that would occur in this case is undefined.
If I own something, I have legal rights enforceable on it, regardless of whether anyone else thinks it's valuable. If I owned the bitcoins -- I suspect common law would have little difficulty in identifying these as distinctly ownable -- then I have enforceable rights in them. I can ask the court to order those rights be respected.
Property rights in virtual property is a fast-growing area of law, however, so: IANAL, TINLA.
Ultimately, there's the way things should be and the way things are, and Bitcoin already has a stigma. Sure, it's not illegal right now, but that doesn't mean it's legal either. That's all I'm saying. Imagine the headlines:
"Virtual currency used by drug traffickers stolen from users, courts play world's tiniest violin."
If a drug dealer steals a kilo from another drug dealer he's not going to take it to the courts. Thinking you will be entitled to some form of legal recourse should something similar happen to you when trading bitcoins is, IMO, foolish at this point.
> If a drug dealer steals a kilo from another drug dealer he's not going to take it to the courts.
As you can imagine, courts do not uphold contracts where there is an unlawful objective ("I paid him to beat my boss and he didn't!") and in most jurisdictions you cannot obtain property rights in certain things (in others you can, but asking for enforcement exposes you to criminal prosecution so in practice it doesn't happen).
Bitcoin is not a prohibited item and the exchange of bitcoins looks very much like contracts that don't have an unlawful objective.
Put another way: courts would probably enforce rights for trades made on Mt Gox, but not on Silk Road.
A bitcoin is little different than a piece of metal with regards to that. Of course courts could do something strange (they often go OH MY COMPUTERS and shake their hands for a few years), but it is clearly a piece of intangible property.
Property rights are establishable in a lot of things that are abstract with numerous physical representations. You can own commercial licences, shares, bonds, debts, legal rights to this and that and so on and so forth.
Property law does not require physical property in order to be applicable.
There's still a fundamental difference between stealing bitcoins by inducing a transfer and copying music or video games or etc. The latter is clearly a lesser crime.
What I find interesting is that everyone is saying what needs to be done when no one seems to be sure what really happened. The first thing that needs to happen is an investigation into what really happened (preferably by some outside party). At the same time Mt. Gox needs to undergo a security audit and overhaul as it seems like no matter what happened, they have some major security issues.
I also find it interesting that the person who supposedly initiated the trade has yet to be heard from. Their story would really help clarify things, not to mention that the fact they have not been heard from yet makes it seem as if there is no such single user...
"You may not be interested in the law", goes the saying, "but the law is interested in you".
Bitcoin is meant to be unregulated, but MtGox and its identifiable customers all have legal personality. The main challenge would be identifying jurisdiction, but after that I suspect usual laws would be found to be applicable.
"If I had to store that much there, even temporarily, I would use a password so long it would make War and Peace look like a Twitter message." - Brilliant
It would have many collisions with many shorter passwords.
But almost certainly not any collisions with very simple and very short passwords. The hash output space is sufficiently large.
Someone who (given infinite time) found a brute-force collision would likely find one of the shorter preimages first – you aren't really gaining anything by going ever-longer, after your preimage choice has as many bits as the hash output.
But if the attacker truly needed to brute-force it over the entire 160-bit (SHA1) or larger (other hashes) output space, unconstrained by usual simple-password-like limits on what to try as preimages, that's impractical, and you've achieved your goal... even if you overdid it on the input.
I suppose the defender could have a rainbow file of his own and purposefully choose a password which didn't hash-collide with a password of < N characters.
Doubt that'd be worth the effort/storage, even in the case of a weak, unsalted hash like MD5.
Take N to be 10, assume 7 bits per character. Then all 10-character passwords fill no more than 2^70 of the 2^128 MD5 space. Any 11-or-larger character password then has a less than 1-in-2^58 chance of colliding with any shorter password. (That's how much larger the full space is, from which each longer-password hash will be drawn.) That's 1-in-288-quadrillion for us decimal apes.
The service would probably never deliver a useful warning before MD5 falls completely to a preimage attack.
The analysis for such a service only gets harsher for 160/256/512 bit hashes.
Sadly Mt Gox used salted and at one point unsalted MD5s for its passwords. Finding a collision would be far easier with that consideration taken into account.
Sounds like a market opening there. Who wants to start an exchange? A true exchange, so you wouldn't have to front a dime, except for the virtual server. I.e., you're only matching orders and taking a cut, not putting any skin in the game.
If you create a clear, well defined entity there very well may be an opening in the market for another bitcoin exchange.
In fact, I'd say there absolutely is an opening and I presume the market will grow over time. Skim 0.75% off each side of the transaction and you're looking to be in good shape. Particularly as btc trading activity increases.
I'd be down for that, it sounds like a fun project in an interesting domain and I was actually thinking about what building one would entail as I've been reading through the comments here.
Business processes. The code is dead simple. A few hundred lines of order matching. The real meat is handling all the business processes, clearing transfers, etc.
and finding a legally safe location to put a business like that.
Way to suck the fun out of it :) -- I know, I just think a bitcoin exchange is an interesting concept, the kind of thing I would enjoy knowing my code was running in and got a little caught up bikeshedding in my mind how I'd secure a target like that.
You know what's really fun? Chilling on a beach somewhere while girls in grass skirts bring you drinks with umbrellas in them.
For that I'll put my ego aside and do a few weeks of boring work. And yeah, I was fantasizing about neat-o technology problems too. I'd love to build an order matching system. Then I got to thinking about the market size, and taking a cut of each transaction.
The $1,000 limit is only for unverified accounts. Also, it's possible that the BTC was transferred into the account months ago when it was worth vastly less. Or the BTC was accrued through trading.
This part of their story was made up to cover themselves. The "attackers" didn't run into any limit. They sold off a bunch of bit coins. A legitimate user bought them and then (sensibly) tried to get them out of the system, hitting the limit.
The stolen user hasn't reported until now, it seems. From one of the comments:
"It was definitely all our bitcoins that mtgox had in one account! I remember a few days before, people saying that some big bitcoin movements on bitcoin monitor were from mtgox, and the quantity being moved was around 400 000 to 500 000 bitcoins. No single user lost that quantity, it was our coins, from all of us!"
This is absolutely not how the Mt. Gox database works.
I know because I have access to the source code of the site.
You can't post a trade from 'all' accounts; if a large trade pushed the price down, then a large trade pushed the price down, and that trade was executed from a single account.
Given Mark's statement that the logins which had been dormant for more than a few months were the easily rainbow-table attacked ones, it seems that someone had sent in a lot of bitcoins and then stopped using the system for a while; they apparently had a weak / rainbow-table vulnerable password.
If that's the situation, I'd call this a medium-sophisticated attack; better would have been to drive prices down slowly over a day or so, then use other hacked accounts to buy them up cheaply and withdraw over BTC. That might have taken some time to notice and unravel.
As it is, it looks like someone tried to flash-crash the market, then send out $1,000 worth of BTC at very low market rates, so a lot of BTC. Someone who would do this intrinsically believes in the resilience of bitcoin by the way, which is interesting. I'm not sure how they would plan on dealing with the taint on their coins, though. They'd have needed some sort of high-volume laundering service; none of the ones I know have enough volume to deal with this.
If you had sql injection rights in the database, there would be no need to trade; you would just insert a few nice rows in the db for yourself, mark yourself 'super trusted' and then initiate a withdrawal. This wasn't a SQL injection attack in my opinion.
Hmm, but what if the attacker wasn't in it for the $currency?
What if he were in it to destroy Mt. Gox, as they say, "for the lulz"?
Making all their customers angry and causing a run on their escrow accounts might just do it more effectively than trying to withdraw whatever could be obtained through their online trading platform.
Canceling trades disincentivizes traders to fill the dry side of the order book during a liquidity crisis.
That alone makes cancellations bad policy. If you're worried about so-called erroneous trades, you should disallow market orders; make all traders provide an explicit buy or sell price and there is no such thing as a bad trade except in the event of systems failures.
You should have moved the coins out. Now they're reverting the trades because the alternative is accepting liability for their awful security (which is probably, well, still awful). Bitcoin trading is the wild west, if you behave like Jesus Christ you're just going to get nothing out of it. What I mean is that in such a risky business you shouldn't feel guilty ripping people off, they had it coming after all, it was their choice.
UNLESS, of course, you're having second thoughts because you're related to the hacking and backed off when you got nervous, seeing how far the prices went down and how the massive buy order did manage to go through... just a possibility, no offense. The fact that you gave them your id and didn't behave like a shady guy is irrelevant as long as it's impossible that you be proven guilty, in fact that's exactly how the clever shady guy should be behaving... like "not guilty", because money is usually traced in the end, and you want to look like a saint when that happens. So, their position about contacting you is perfectly reasonable and natural; to them you might be related to the hackers anyway and anything they say to you (nothing they could say would be good- a conversation with them would be full of unanswered questions) is likely to end up in a public forum. Not good PR.
This guy doesn't really have a leg to stand on. Just like when the flash crash happened on the real stock market, transactions are going to be rolled back.
One thing that has become abundantly clear from reading all of the comments on the Bitcoin forums is that the investing knowledge of most BTC traders is much less than your average equities, fixed income, or ForEx trader.
MtGox is a pretty low budget operation, but even a low budget operation isn't just going to let someone steal the equivalent of $10,000,000 USD and not reverse the transactions. It would be like your bank telling you "sorry, someone transferred money out of your account without your authorization, but we're just going to let them keep it because, hey, they won it fair and square by hacking your account."
(As I write this last line I realize there was recently a court case regarding this exact issue, ETF fraud, but it occurred over many days and the company had authorized an agreement that they would check their account balance daily for fraudulent transactions.)
I had transactions in the flash crash that weren't rolled back and I lost a big chunk of cash (well, for me).
I just don't see how an exchange that doesn't have builtin failsafes/circuit breakers can just roll back trades. I think that in this case, the exchange should be liable. He was just exploiting the market.
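Added example, not Mt. Gox code or any poster's: a minimal price-time limit order book with the two controls argued for in this thread, explicit-price orders only (no market-order type, as proposed above) and a built-in circuit breaker that halts matching when the next fill would print outside a band around the reference price, plus a withdrawal-cap helper that values BTC at a lookback reference instead of the crashed spot price that let 643 BTC out under a $1,000 limit. The reference price, the 10% band, the lookback policy and the orders are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    account: str
    side: str      # "buy" or "sell"
    price: float   # explicit limit price; there is no market-order type at all
    qty: float


@dataclass
class Fill:
    buy_id: int
    sell_id: int
    price: float
    qty: float


class MarketHalted(Exception):
    """Raised once the circuit breaker has tripped; no further matching."""


class LimitOrderBook:
    """Price-time priority book that accepts limit orders only and halts when a
    fill would print more than max_move away from the reference price."""

    def __init__(self, reference_price: float, max_move: float = 0.10):
        self.reference_price = reference_price
        self.max_move = max_move
        self.bids: list[Order] = []   # best (highest price) first
        self.asks: list[Order] = []   # best (lowest price) first
        self.fills: list[Fill] = []
        self.halted = False

    def within_band(self, price: float) -> bool:
        lo = self.reference_price * (1 - self.max_move)
        hi = self.reference_price * (1 + self.max_move)
        return lo <= price <= hi

    def submit(self, order: Order) -> list[Fill]:
        if self.halted:
            raise MarketHalted("matching halted; resume with a fresh reference price")
        if order.price <= 0:
            raise ValueError("every order needs an explicit positive limit price")
        resting = self.asks if order.side == "buy" else self.bids
        new_fills = []
        while order.qty > 0 and resting:
            best = resting[0]
            crosses = (best.price <= order.price if order.side == "buy"
                       else best.price >= order.price)
            if not crosses:
                break
            if not self.within_band(best.price):
                # Circuit breaker: the next print would leave the band. Keep the
                # fills already made, cancel the remainder, and stop the book
                # instead of letting a huge sell walk the bids down to $0.01.
                self.halted = True
                order.qty = 0
                return new_fills
            qty = min(order.qty, best.qty)
            fill = (Fill(order.order_id, best.order_id, best.price, qty) if order.side == "buy"
                    else Fill(best.order_id, order.order_id, best.price, qty))
            new_fills.append(fill)
            self.fills.append(fill)
            best.qty -= qty
            order.qty -= qty
            if best.qty == 0:
                resting.pop(0)
        if order.qty > 0:
            self._rest(order)
        return new_fills

    def _rest(self, order: Order) -> None:
        """Queue the unfilled remainder; stable sort keeps time priority per price."""
        book = self.bids if order.side == "buy" else self.asks
        book.append(order)
        book.sort(key=lambda o: -o.price if o.side == "buy" else o.price)


def btc_withdrawal_cap(usd_limit: float, spot: float, recent_prices: list[float]) -> float:
    """BTC allowed under a dollar-denominated daily limit. Valuing at the crashed
    spot (the behaviour described in this thread) permits about 645 BTC at $1.55
    under a $1,000 cap; valuing at the highest price in an assumed lookback window
    keeps the cap meaningful during a crash."""
    reference = max(recent_prices + [spot])
    return usd_limit / reference


if __name__ == "__main__":
    book = LimitOrderBook(reference_price=17.50)
    resting_bids = [(17.50, 100), (16.20, 500), (15.80, 1000), (0.01, 260_000)]
    for i, (price, qty) in enumerate(resting_bids, 1):
        book.submit(Order(i, f"bidder{i}", "buy", price, qty))
    fills = book.submit(Order(99, "compromised", "sell", 0.01, 500_000))
    print("fills before halt:", [(f.price, f.qty) for f in fills], "halted:", book.halted)
    print("BTC out at crashed spot:", round(btc_withdrawal_cap(1000, 1.55, []), 2))
    print("BTC out at lookback reference:", round(btc_withdrawal_cap(1000, 1.55, [17.5, 16.2]), 2))
```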
There are trades that get "busted" (i.e. rolled back) every day in the US stock markets. I've had it happen several times. This is part of normal market activity. In my experience it has seemed pretty subjective - some trades that I thought for sure would have been busted weren't and others were.
There's some speculation that when some more powerful market participants (read: Goldman Sachs) are on the losing end of a questionable trade they complain to the exchange and get the trade busted far more frequently than when it happens to less powerful participants.
More background: In that particular case, the password of an account was obtained on the customer's computer (a keylogger or a phishing attack targeted at the customer directly), as opposed to the bank's network being attacked and the customer chosen at random. Basis of the ruling was that the bank could have prevented the attacker from withdrawing money, which could have been flagged as suspicious, but it was up to the customer to protect his account, not the bank to act as guardian to every customer.
In regards to this MtGox issue using the same argument, if it is known that an attack did happen, and that attack was directed at MtGox directly, then yes, they should roll back that trade because someone is out money/BTC due to an attack that could not have been prevented by that account holder. The only way to legitimately know who is responsible for the sell off is to be transparent, however, it seems that MtGox hasn't fully released details of the incident and we are all speculating on what exactly happened.
A bitcoin exchange is a shady business, no regulation exists. So it is a free space for criminals and hackers. You hustle or you will be hustled. This guy should have made a withdrawal by any means. In the bitcoin business only your wallet file counts, the rest is just a big hustle. And please forget that you're able to sue somebody over a bitcoin dispute.
Would you be surprised to hear that ForEx (the method of exchanging currencies like the USD, EURO, and YEN) is also unregulated?
"Unlike stocks, futures or options, currency trading does not take place on a regulated exchange. It is not controlled by any central governing body, there are no clearing houses to guarantee the trades and there is no arbitration panel to adjudicate disputes. All members trade with each other based on credit agreements. Essentially, business in the largest, most liquid market in the world depends on nothing more than a metaphorical handshake."
So the person who was lucky enough to actually place that order first was a person who had the luck to have just logged in and be actively browsing the site?
It doesn't surprise me that someone who is on the site would notice an ongoing crash faster than people who were doing something else. It further doesn't surprise me that someone who is already involved with the site would find it easier to get through an overloaded system than others - for one thing they don't need to go through the login process.
I'm not saying that Kevin wasn't associated with the break-in. I'm just saying that the evidence provided is not very good evidence of anything other than that Kevin was at the right place at the right time. Given that the site is actively used, there will always be people in that boat, and they will have an advantage over people who aren't.
I don't get the significance of the logins. The hacker logs in every 15 minutes. What are the chances someone who makes a trade with him logs in a few minutes after one of his logins?? I'd say the odds are pretty high... and that log doesn't mean anything.
After Kevin's detailed and eloquent explanation of events, the best they can do is show that he was logged in at the same time as the hacker, or whoever it was?
The law clearly is on the side of rolling back the transactions. Just like Amazon.com can refuse to fulfill an order for a 50 inch LCD TV that was accidentally priced for $1[1], and a bank can withdraw money from your account that was accidentally deposited there[2], and just like the NYSE can nullify mispriced orders[3], it's clear Mt Gox can legally do the same. Transactions can be rolled back and are in the real world all the time. It has to be that way, to maintain fairness in the system.
Do you think this guy deserves $5 million worth of bitcoins because of the work of a hacker? Uh no.
His rationalizations for his behavior are astonishing. Assuming he is not the hacker, he got caught up in the excitement of buying cheap bitcoins (as we all would have), realized after the fact he probably did something wrong, and through contacting Mt Gox and coming out to the community he was hoping to get away with at least some profits. He shouldn't be able to keep any of it. Sorry Kevin.
>The law clearly is on the side of rolling back the transactions
No it isn't, there's no precedent for this because it hasn't existed before. The nearest thing I can think of is when that fake letter was sent out about some company causing the stock to tank. Did all the people who bought the stock when it was low have their transactions rolled back? Because that's what happened here, someone used highly technical means to cause an artificial price dive and one guy was able to take advantage of it. It's not at all clear to me that he should give any of it back.
This reminds me of a conversation I was having with a friend a couple of days ago about network effects. Once a system gets too big, the nice people that started it start getting screwed by the people who don't understand (or care about) the founding ideals.
The problem with a trading house like Mt. Gox is that some people assume that all of the players are altruistic (these "some people" being "me", somebody with a technical, non-financial interest in bitcoin).
What happened here is just natural selfishness: the person that executed this buy order knew that the market was crashing, and that something was going wrong, but decided to exploit it regardless.
Then trying to withdraw $5 million USD from Mt. Gox?
I guess it's just crowd psychology. "If I don't exploit this market, somebody else will!"
It's sad, and it's just my naivety showing here, but bitcoin looks like a nerdy sandbox from the outside (casually reading about it on HN); it's a place for crypto/economics geeks to play around with finance.
Of course it isn't, and the actions of this [very greedy] person demonstrate that.
So why do I want to use bitcoin? What advantages does it offer me over USD right now? Before seeing this crash for the last couple of days, it felt like the advantage was that bitcoin users were mostly geeks, and mostly trustworthy. The regulation that bitcoin is avoiding is starting to look pretty darn appealing.
How stupid/childish of me is it to daydream about a world where somebody saw this crash happening, did exactly what he did (or maybe put in the buy order at exactly $0.02), held the bitcoins until the crash ended, then just gave them back to the sellers at cost?
Before seeing this crash for the last couple of days, it felt like the advantage was that bitcoin users were mostly geeks, and mostly trustworthy.
Yeah whatever. 90% of the people using Bitcoin don't believe in the Federal Reserve system or fiat money and just want anonymous online cash transactions. There is nothing wrong with such beliefs or desires, but the idea that such people are on a higher moral plane is the complaint of a naive person at best.
I'm actually almost glad Bitcoin has suffered these high-profile attacks. The amount of money actually lost seems to be relatively small, and its better attacks like this happen now, whilst the market is still small. Without regulation or reversible transactions, Bitcoin security has to be very good indeed, and this is the sort of incident that might encourage better security measures.
Quite frankly, Mt. Gox never struck me as particularly secure. I'm very surprised anyone would keep a large amount of money in it, instead of transferring it out to their accounts.
> Then trying to withdraw $5 million USD from Mt. Gox?
He was stating that he could have withdrawn the entire amount, but didn't want to appear shady (especially since doing so would have made him seem even more like a hacker that initiated the sell order).
Yeah, reading the story that is what he says, but the fact that he also doesn't want to give back the 600BTC or so that he ended up getting out to me suggests that he isn't quite that honest.
If the limit had been $10,000 -- I'm sure he would have gone for that.
Why? There is a perfectly legitimate argument for letting him keep the funds. They were put up for sale, and he bought them. It was MtGox's systems that executed the trade. If the sell order was invalid, it was MtGox's fault, or the seller account holder's, not the buyer's.
The right to sell something is predicated on owning the item in question.
A buyer of stolen goods is unable to take legal ownership, it doesn't matter if he doesn't know the item is stolen. (i.e. I steal a car, and sell it to you, you don't own the car even though you gave me money and you didn't know the car was stolen)
It does matter that the coins were not put up for sale by the owner.
So, would you say the same if I placed a standing buy order two weeks ago, and it was automatically executed?
How is a buyer supposed to know if the seller is making a bona fide offer, esp. where the buyer may place its buy order in advance of the sell order?
I stand by my position that it's up to the exchange and the seller to protect against unauthorized sell orders.
Of course, under extreme circumstances, the buyer will see that something is out of place – as is exactly the case here, where the buyer came forward because he felt that the sell order was not valid.
BUT (and here's the most important point): who gets to decide when a case is "extreme" enough to put the burden on the buyer? It's not a call anyone should be able to make, unless there are clear rules, published up front.
Yes I would say the exact same thing. The buyer was a direct counter-party to a trade involving stolen property.
The buyer isn't liable as he didn't know the property was stolen, but he doesn't get to keep the property. Typically in this case he would need to seek damages from the exchange to recover his assets (the dollars used in the trade).
IANAL but I have first-hand seen this type of stuff on various exchanges. (i.e. stock gets fraudulently wired out of one account, and sold. Trades get busted)
It sucks all around, but the fact of the matter is the great deal the buyer was getting never would have existed if somebody didn't steal from someone else. If I stole your life savings and sold it to your neighbor for a dollar, you don't really think your neighbor should be able to keep it do you?
Buying stolen goods on an exchange doesn't make it ok. It sounds to me that you'd like it to be - but that isn't how it works.
I doubt you'll find much legal precedent (or published rules on the exchanges) supporting your theory, except in the case where a broker makes unauthorized trades on a seller's behalf. Feel free to prove me wrong...
When I say I have seen it I mean I have seen it first hand. I have worked for banks where trades were unwound with the counter-party for this exact reason. The implementation is messy, but no bank on the other side of a trade wants to be party to trafficking in stolen goods resulting from a fraudulent trade.
What happened here is akin to me logging into your brokerage account with a stolen password and selling all your securities. This happens and those trades get busted. Sometimes the selling bank just eats the loss as it would take too much work or too much embarrassment to recover, but other times they work with the counter-party to unwind.
I'm not asserting this happens in all cases. As I said above, IANAL. I know equity laws in particular are a bit different than a lot of other types of property which fall under common-law.
That is kind of moot though as equity laws don't apply here - bitcoins aren't equity.
Also, you're talking about counterparties cooperating because they do many transactions together at the institutional level. That's different from the exchange itself voiding the transaction.
> A buyer of stolen goods is unable to take legal ownership, it doesn't matter if he doesn't know the item is stolen.
This is (subject to numerous exceptions) not correct. While in common law you are correct, in equity, if the buyer is a bona fide purchaser for value without notice, he or she can get title.
I feel like the concept of "own" is specific to the item. Land ownership is very different than owning money, for example. BitCoin ownership is fairly clear, it's part of the algorithm, and I feel like that should be respected. If you don't respect the rules of the commodity, then don't participate; to change the rules takes away the uniqueness of the commodity.
Are you using "honest" to mean "good intentions"? Because I think he's told the truth about everything, and I'm not surprised that someone who made money in a market wants to keep that money.
So the same folks encrypting their grocery lists with 8192-bit RSA so the NSA doesn't read them are relying on ideals to keep the currency exchange functioning?
A system robust against outright criminals still works when you have decent people. The converse is not true.
It sounded like he probably tried to remove the bitcoins, hit the limit, then contemplated hitting that $1000 limit a bunch of times.
Honestly, this whole forum post reeks of "I know I did something wrong, hopefully posting here will make the pit in my stomach go away."
Same goes for contacting magicaltux (the admin of mtgox) -- I bet he was absolutely losing his mind when the trade went through. I know I would have been.
You're upset he contemplated doing something shady? Jesus, since when have uncouth thoughts been grounds for conviction? If it was, I'd be guilty of a trillion crimes.
>Jesus, since when have uncouth thoughts been grounds for conviction? If it was, I'd be guilty of a trillion crimes.
Are you seriously putting these words in my mouth? I didn't say anything like that. The gist of my post was that from a casual reader's perspective, bitcoin was a hobby for cryptographic nerds, and that this demonstrated that it's "lost its innocence", so to speak.
Am I "upset" by this? Sure. In the same way that I would be upset if I was competing on something like allrgb, but nvidia decided to come in and destroy me and my friends by building custom glass. Is nvidia being "immoral" there? No. Are they being, to be blunt, assholes?
Thoughtcrime? Convicted?
I want this to be clear to anybody reading this that doesn't understand the context of what I'm saying: (I'm trying to say this in the most polite way possible) your response here is completely incorrect, and without merit.
You're accusing me of something that I consider morally abhorrent (accusing somebody of "thoughtcrime"), and it's ridiculous.
How am I treating this like a crime? I'm saying that all of the players in bitcoin aren't altruistic.
In case you missed the context here, my original argument was that my naivety caused me to assume that people playing with bitcoin were mostly just crypto geeks.
> Honestly, this whole forum post reeks of "I know I did something wrong, hopefully posting here will make the pit in my stomach go away."
This is what you said about him contemplating transferring more money out of mtgox. You're acting like he did something abhorrent, or should think he did.
> my naivety caused me to assume that people playing with bitcoin were mostly just crypto geeks.
They are. But you're trying to say "... and I'm surprised one of them would be thiefly, like this guy."
Really, all this shows is that he should have transferred all the bitcoins out immediately. Then mtgox would have to deal with him instead of just slandering him. Now that he's pointed everything out to them he's just a scapegoat.
What happened here is just natural selfishness: the person that executed this buy order knew that the market was crashing, and that something was going wrong, but decided to exploit it regardless.
All others moaning about what he did who bid at 0.1 weren't?
Has it occurred to anyone that the reason Mt Gox may want to rollback the transactions is because the account that was hacked belonged to Mt Gox or someone affiliated with Mt Gox???
Wow, Mt. Gox sound like a bunch of criminals. Did everyone see the link (posted 2 or 3 times) where something shady happened before and they just moved jurisdiction so they couldn't be sued? I wouldn't be surprised to find out that they did this whole thing themselves to steal some bitcoins.
Suppose I gamble my life savings, buy Kleenex shares. Tomorrow a report comes out showing that using paper tissues causes allergies and prolongs colds. The shares tank ... I'd like a rollback please!
Strangely enough the guy that saw the report first and shorted those shares making millions doesn't want a rollback.
Of course he wants to keep the money, he traded correctly on what was apparently a correctly operating exchange and won. That's how this sort of gambling works.
MtGox screwed up. Why would they allow a transaction that crashed the exchange so easily?
People on the Mt.Gox forums are sceptical because the amount traded appears to be equal to the entire Mt.Gox trading volume (from the little I've read).
The speculation is that it is either Mt.Gox himself/themselves, an account representing the entire volume of all Mt.Gox traders, or some other buyer who has been in from the start and has somehow escaped the notice of the other traders (this last option also accounts for the ability to break in, as the account security apparently was very weak and hasn't been forcibly enhanced).
I'd say the confidence is pretty shaken up because the exchange has been hacked.
I expect from my bank that they give me back my money if it is being stolen from me, why would I not expect it from MtGox (if it is within their power). Banks routinely roll back fraud transactions and nobody complains - except the fraudsters, of course.
That's different: the bank would take a loss to pay you back, even if it couldn't recover the funds from the thief. MtGox isn't proposing to take any losses, as far as I've heard.
I work at the NYSE; anytime something like this happens there would be a roll back. You cannot have a functioning stock market without this feature; it would be chaos.
sure seems like the best of all possible worlds... a currency based on nothing of tangible value, no central bank to try to keep it stable and stem panics, no real economy or legal infrastructure behind it or army to protect them if they existed, transactions easily traceable (even reversible), prone to speculative fever and vulnerable to security issues.
That was a great read. If I was Kevin I would give the coins back and not do business with MtGox any longer. It's clear their systems are not secure enough to handle these kinds of transfers. It wouldn't surprise me if MtGox was influenced by organized crime; they are in Japan and the Yakuza love these kinds of quasi-legal schemes as of late.
Since there is quite a bit of money involved one might wonder if someone is trying to profit. One could take this even further, put up his best tinfoil hat and ask how much control MtGox has or had over the market. Is that possible scenario?
In what way do they have that capacity? That they let him and others clear trades (and made no policy against it) in the window between the trade and rollback, and that their policy pretty much doesn't give them the power to do rollbacks, I don't see how that can fly. As far as I can see, the only real option that Mt. Gox has is to let all the trades go through this time and then let the trades go through. It is the only way that Mt. Gox will avoid several million dollars (USD that is) of liability.
It seems possible that Mr (or Mrs) Mt. Gox is playing them all big-time and attempted to do something clever, messed up and got found out. Of course if you can change the rules and roll back the game at will then you can do what you like. /cynical
I don't think o' Kev needs to worry about Mt. Gox thinking he hacked their site. They know who executed the sale; it was them. I don't know why nobody mentions this, but it seems rather obvious that Mt. Gox just dumped all their own bitcoins and bought them back supercheap, apart from a relatively minor 500k worth that they can now "roll back" from his account.
I had a thread last week on HN where I was downranked severely for asking what mt. gox was, i.e. if it was a mountain, in what was a sort of snarky, derogatory tone (I'll admit it). I would like that thread upranked now thx.
TL;DR Bitcoins are possibly even more flawed than any other kind of currency. There is one person who controls the flow of Bitcoins and can unmake transactions it doesn't like.
You are confusing the currency with the exchange. It is definitely a weakness for bitcoin that a shady exchange has captured 90% of the market, but this problem isn't inherent to bitcoin. It seems likely that in the wake of news like this, new exchanges will be created to try to capitalize on MtGox's misfortune, and the exchange landscape will broaden.
As long there is someone, somewhere willing to put up products or state currency in exchange for bitcoins, bitcoins will have their value. The best case scenario for bitcoin could be for MtGox to go down in flames because if it bitcoin held its value, it would prove that its fundamentals are sound, and its price is based on legitimate demand for an anonymous medium of exchange, not pure speculation.
If a MtGox collapse did cause a bitcoin collapse, it would show that bitcoin is not the real deal, just the result of a speculative frenzy. This may be hard to stomach, but it's better than continuing to ignorantly pile money into a bubble so fragile it can be popped by the guessing of a single password.
In my opinion this guy, if he really wants the best for bitcoin, should sue MtGox hard if he honestly thinks what they did is wrong/illegal/breaks contractual agreements. Let bitcoin sink or swim on its own merits.
Looks like someone is commenting on something they don't understand!
Mt Gox doesn't do bitcoin trades (as in make tx in the main chain), they do trades inside of their own system and it's converted to btc when the user withdraws money. You cannot undo a btc tx (one in the block chain). Once confirmed, it's there.
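The distinction drawn in the comment above (trades settled in the exchange's private book versus confirmed transactions in the block chain) is worth seeing in code. The following is an added, constructed illustration, not Mt. Gox's code and not Bitcoin's actual data structures: `InternalLedger` stands in for an exchange database whose operator can reverse any entry with an ordinary update, and `ConfirmedChain` is a toy hash-chained, append-only log standing in for confirmed on-chain transactions, where an attempted reversal is detectable by anyone who re-verifies the log. Account names and amounts are made up.

```python
"""Toy model of the two ledgers an exchange keeps (constructed example, not Mt. Gox code)."""
import hashlib
import json


class InternalLedger:
    """Exchange-side book: a plain database the operator fully controls.
    Customer-to-customer trades only move numbers here; nothing is broadcast."""

    def __init__(self):
        self.btc = {}
        self.usd = {}
        self.trades = []

    def deposit(self, acct, btc=0.0, usd=0.0):
        self.btc[acct] = self.btc.get(acct, 0.0) + btc
        self.usd[acct] = self.usd.get(acct, 0.0) + usd

    def trade(self, seller, buyer, btc, price_usd):
        """Seller sells `btc` coins to `buyer` at `price_usd` per coin."""
        cost = btc * price_usd
        if self.btc.get(seller, 0.0) < btc or self.usd.get(buyer, 0.0) < cost:
            raise ValueError("insufficient balance")
        self.btc[seller] -= btc
        self.btc[buyer] = self.btc.get(buyer, 0.0) + btc
        self.usd[buyer] -= cost
        self.usd[seller] = self.usd.get(seller, 0.0) + cost
        self.trades.append({"seller": seller, "buyer": buyer, "btc": btc, "usd": cost})
        return len(self.trades) - 1

    def rollback(self, trade_id):
        """Operator reverses a trade with an ordinary bookkeeping update."""
        t = self.trades[trade_id]
        self.btc[t["buyer"]] -= t["btc"]
        self.btc[t["seller"]] += t["btc"]
        self.usd[t["seller"]] -= t["usd"]
        self.usd[t["buyer"]] += t["usd"]


def _sha256(data):
    return hashlib.sha256(data.encode()).hexdigest()


class ConfirmedChain:
    """Stand-in for confirmed on-chain transactions: an append-only log where each
    entry commits to the previous one, so editing or dropping an entry is detectable
    by anyone holding a copy. (Hypothetical toy, not Bitcoin's real block format.)"""

    def __init__(self):
        self.entries = []

    def append(self, tx):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = _sha256(prev + json.dumps(tx, sort_keys=True))
        self.entries.append({"prev": prev, "tx": tx, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            expected = _sha256(prev + json.dumps(e["tx"], sort_keys=True))
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def internal_trade_then_rollback():
    """A buyer takes a very cheap fill on the internal book; the operator reverses it.
    Returns the buyer's BTC balance before and after the rollback."""
    book = InternalLedger()
    book.deposit("seller", btc=1000.0)       # constructed balances
    book.deposit("buyer", usd=100.0)
    tid = book.trade("seller", "buyer", btc=1000.0, price_usd=0.01)  # 1000 BTC for $10
    before = book.btc["buyer"]
    book.rollback(tid)
    return before, book.btc["buyer"]


def withdraw_then_attempt_reversal():
    """A withdrawal has been broadcast and confirmed. The operator tries to 'undo' it
    by rewriting its own copy of the log; re-verification catches the edit.
    Returns (valid_before, valid_after)."""
    chain = ConfirmedChain()
    chain.append({"from": "exchange-hot-wallet", "to": "buyer-addr", "btc": 600.0})
    chain.append({"from": "other-user", "to": "somewhere-else", "btc": 1.5})
    valid_before = chain.verify()
    chain.entries[0]["tx"]["to"] = "exchange-hot-wallet"  # attempted reversal
    return valid_before, chain.verify()


if __name__ == "__main__":
    print("internal book, buyer BTC before/after rollback:", internal_trade_then_rollback())
    print("chain valid before/after tampering:", withdraw_then_attempt_reversal())
```

The practical point for a customer is the one the thread keeps circling: whatever sits in the exchange's internal book is reversible at the operator's discretion, while coins already withdrawn to an address the customer controls are outside that discretion.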
It's been going on for a while. Since mid-April, there's been a minimum of two stories about bitcoin each and every day[1]. There was, for a while, suspicion that it was an attempt to boost interest in bitcoin, and get more people using it - astroturfing, more or less - but I'm increasingly convinced that it's just because stories about bitcoin tend to be upvoted, and it's often an interesting topic. Well, ignoring the fact that there's very little left to say about it, anyways.
2 copies of a movie can exist simultaneously and both still have value. The bitcoin network exists so that only one copy of a coin can have the value. They are fundamentally different things, even if their physical instantiation happens to be "just bits".
The problem with your analogy is that once spent, your bits become worthless. If for instance, I made a song and then you pirated it and then I no longer had it on my hard drive any more, then that is what's happening here.
Similarly, my password to my bank account is "just bits on a computer", but you could steal that from me, and take all of my [real] money. In that sense, it is theft. Piracy is copying, theft is moving.
If I copy your file and the file is the asset then I don't deny you free enjoyment of that file. If you own the right to prevent me copying that file and are not disclaiming it then an unlawful copyright infringement has occurred. You and I both get to use the file, this is essentially why the file is not "stolen".
If I copy your file and the file acts as a token for a real sum of money, and I acquire that sum of money (be it virtual or whatever), then I deny you free enjoyment of that file. Once used to extract the value it tokenises the file no longer has value and so I deny you the value inherent in the file by my use of it. This is stealing. It may also be a copyright infringement in this case.
Compare the second action to using a one-use credit card number. If you copy the details off my one-use credit card number then you've more than likely acted unlawfully. If you use your copy to spend the money that those details represent then you've stolen from me.
Private keys and such are not infinitely reproducible without cost to their value. Cultural value doesn't degrade over popularity/distribution. Apples and oranges.
I see where you are coming from, however I would bet that the majority of the money you have, with the exception of the coins in your pocket, is already in the form of bits on a computer.
Just like money, Bitcoins are numbers in a database. With software I can make 100 trillion copies and it costs you nothing; I can't do that with money or Bitcoins.
Ignoring for a moment the objections of value (which a bunch of other commenters have already pointed out), your two scenarios don't line up at all:
Piracy: A has bits X. A wants to give B copy of X. B wants copy of X. Third party C (record label) objects. [A pirates a copy to/with B]
Bitcoin: A has bits X. A does not want to give B copy of X. B makes one anyway. A objects. Third party C (person who mined coins originally and willingly transferred to A) does not care. [B steals coins from A]
The two scenarios do not line up at all. In fact, if you made a bitcoin scenario that did line up:
Bitcoin': A has wallet X. A wants to give copy of wallet X to B. B wants copy of wallet X. Third party C (original miner of coins) objects. [A wants B to be able to spend his coins for whatever reason]
well, in the Bitcoin' scenario, I think almost everyone would agree that C has no moral authority to object.
Eh, not really. Here's a very clear example of why your stance doesn't work.
I buy an MP3 from Amazon. I then copy it 'copy bits' over to another computer. Agreed, at this point all is fine. However, then I go try to sell the copied song for value to a 3rd-party. I may profess to 'own' the original download and the copy, however that doesn't give me the right to sell the song. It's the same with Bitcoin, if you just copied my Bitcoins, it's not theft in a sense, it's when you try to sell or exchange my Bitcoins for value that theft comes into play.
Although I can completely understand why this guy (the submitter?) disagrees with MtGox's solution, I thought it seemed perfectly reasonable.
Even though MtGox never stated they'd interfere, being hacked is unexpected enough to allow some leeway with follow-up. If the flashcrash happened organically, I doubt MtGox would revert the trades.
It's not that they never stated they'd interfere, it's that they explicitly stated they would never interfere by publicly disclaiming any role as a counter-party.
If they were hacked, it's their responsibility to make things right with the party that was hacked, and not interfere with anyone else's accounts/trades. Anything less does severe damage to faith in the exchange, which tends to lead people to only keep money and BTC in the system for as long as they need to to make a trade, and then pull it out. That's not good for the exchange or the economy.
"If they were hacked, it's their responsibility to make things right with the party that was hacked, and not interfere with anyone else's accounts/trades."
Exactly. Trust and consistency are the foundations of a usable exchange. Without those two things, there is no confidence, and the house of cards falls down. Mt. Gox is acting in their own interest. They're changing the rules of the game as they go.
Although I understand your perspective, and I agree that they have to do something to "make things right," I'm still inclined to accept the rollback.
As much as I hate to use analogies, it's the best way I can think to explain my reasoning. If someone (a hacker) robs a bank (user on MtGox), and they throw the money on the ground as they're fleeing the scene of the crime, only for it to be picked up by bystanders (profiting users), what do you do?
To me, simply returning the money (rollback) seems to be the simplest effective solution. Maybe I'm being too utilitarian, but it seems too complex to add additional funds into the system, especially when we're talking about nearly 10% of the entire value of BTC. Additionally, it establishes a strange and dangerous precedent: hackers can get away with upsetting the market. And who can make sure the hackers & profiteers aren't working together?
I don't think there's really much you can do to repair faith in the exchange in the immediate future. More importantly, people will keep money as BTC on the exchange if its value is stable (or deflating). Even now, I'd be more worried about the market than hackers.
I'd love to see an insurance company spring up. It'd require major capital, but it'd really help strengthen the value of BTC by providing security and resolving nearly all of these issues. (Things I'd do with $1M...)
True, but I guess they don't have a spare 500000 BTC (or eight million $), so for them criticism and "damage to faith" is preferable to going out of business.