Untitled

a guest
Jun 19th, 2011
[11:39:03 PM BST] Incitatus: hi
[11:39:14 PM BST] * Incitatus invited jed.mccaleb
[11:39:15 PM BST] Incitatus: Hi
[11:39:30 PM BST] zgenjix: hi it's genjix, jed
[11:40:19 PM BST] Jed McCaleb: hi
[11:40:40 PM BST] * Incitatus invited madetorun patrick.strateman
[11:40:51 PM BST] zgenjix: we were trying to contact MagicalTux for days about what was happening with mtgox
[11:40:55 PM BST] zgenjix: but he didn't respond.
[11:41:08 PM BST] zgenjix: We even contacted your friend in France asking for you
[11:41:21 PM BST] Jed McCaleb: my friend in france?
[11:41:32 PM BST] Incitatus: I think it was tux's friend
[11:41:44 PM BST] zgenjix: we spent all night ringing everywhere
[11:41:49 PM BST] Incitatus: no just google showed they were friends but the guy said he hasn't spoken to him in years
[11:42:04 PM BST] zgenjix: then eventually ended up disclosing it on the forum, and mtux claims it hadn't been exploited.
[11:42:06 PM BST] zgenjix: which is a lie.
[11:42:23 PM BST] zgenjix: this hurts bitcoin as a whole and makes mtgox look really shady
[11:42:38 PM BST] zgenjix: do you still have the money?
[11:42:40 PM BST] Jed McCaleb: so you knew the DB was compromised before the forum post?
[11:42:48 PM BST] zgenjix: we knew about the CSRF exploit
[11:42:54 PM BST] zgenjix: and multiple other exploits
[11:43:07 PM BST] Jed McCaleb: yeah he fixed that after it was mentioned on the forum
[11:43:12 PM BST] Patrick Strateman: it's pretty clear that the site was being exploited before I even discovered the csrf vulnerability
[11:43:50 PM BST] Patrick Strateman: at least one person who we know had his account compromised and I'm confident it was not his fault
[11:43:57 PM BST] zgenjix: and now i'm saying to magicaltux... look we have a team working full-time on exchange software, why not go with what we're working on instead of being a one man team going down in flames and taking the entire bitcoin economy with you.
[11:44:11 PM BST] zgenjix: it's opensource too.
[11:44:37 PM BST] Jed McCaleb: I don't think the DB leak had to do with the exchange software
[11:44:58 PM BST] zgenjix: so it wasn't an SQLi attack
[11:45:00 PM BST] Jed McCaleb: Are there other exploits that still exist in the site?
[11:45:05 PM BST] zgenjix: yes
[11:45:07 PM BST] Jed McCaleb: no of course not
[11:45:17 PM BST] Jed McCaleb: what are the other exploits?
[11:45:32 PM BST] zgenjix: you can use $("blaa1:visited") to brute force using a html webpage.
[11:46:15 PM BST] Patrick Strateman: if the db leak wasn't an sqli then what was it? the only thing I can think of would be far worse
[11:47:41 PM BST] Jed McCaleb: He wants to be 100% certain before he announces how the DB leak happened
[11:48:25 PM BST] Incitatus: When will he prove that the money isn't missing?
[11:49:10 PM BST] Incitatus: Also does he know that there are serious legal consequences for doing a roll back... the NYSE and corporate entities have licenses to do such things, he probably doesn't and could end up in jail if I'm not mistaken
[11:49:36 PM BST] Jason: contracts that have been concluded legally could not simply be unwound
[11:49:54 PM BST] Incitatus: Jason is a lawyer btw
[11:50:21 PM BST] Jason: you might have to not only pay damages but potential profit
[11:50:34 PM BST] Jason: for example for those people who took the risk of buying btc when the market is falling
[11:51:32 PM BST] Jed McCaleb: Jason you are a lawyer in the UK?
[11:51:38 PM BST] Jason: yes
[11:51:50 PM BST] Jason: in your instance japanese law applies so I can't comment any more than on general principles
[11:52:47 PM BST] Jed McCaleb: I know that forex sites such as oanda roll back trades if there is ever a weird data anomaly so I'm not sure he would actually be at risk by doing this
[11:52:59 PM BST] Jed McCaleb: But I'll tell him to ask his lawyers
[11:53:04 PM BST] Incitatus: Jed, you might need a team of developers who you can trust and who are top notch with bitcoin. We have a new exchange platform long time in the making which will come out soon. If you still have your customers' money and the site isn't a major liability it might be in our interest to cooperate
[11:53:23 PM BST] Incitatus: I can't say anything on behalf of us but it's a possibility
[11:53:43 PM BST] Jed McCaleb: Well it isn't my site anymore. I'll run it by mark though
[11:53:47 PM BST] zgenjix: another attack: you lock accounts for 5 secs, but never completely disable them. so it's vulnerable to distributed brute forcing.
[11:56:18 PM BST] Jason: it seems you guys need some quick problem solvers
[11:57:22 PM BST] Jason: we are open for negotiations to fix your problems for a fee
[11:57:36 PM BST] Jed McCaleb: ok I'll let him know
[11:57:53 PM BST] zgenjix: then bitcoin is doomed.
[11:58:16 PM BST] Jason: if possible we should have each of our direct mobile numbers
[11:58:31 PM BST] zgenjix: he should have long ago pulled the plug on mtgox when it was known there were exploits.
[11:58:48 PM BST] zgenjix: we did it several times on britcoin for minor problems.
[11:59:26 PM BST] Incitatus: +44 7435 435 122 this is my number and I'm the negotiator for the group, my name is Donald
Monday, June 20, 2011
[12:00:37 AM BST] Incitatus: for the right contract, and assuming the funds are safe we could be in Japan in 2 days
[12:00:51 AM BST] Jed McCaleb: ok thanks guys