Huge Bitcoin sell off due to a compromised account - rollback
The bitcoin will be back to around 17.5$/BTC after we roll back all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.
Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will roll back every trade which happened since the big sale, and ensure this account is secure before opening access again.
I'm interested in the fact that they can do a rollback... is that just a rollback of their transaction log? Are they buffering transactions for a significant period before submitting them back to the network?
Trades are internal to Mt. Gox until you withdraw your money either as bitcoins or as USD. The compromised account had a $1000 per day withdraw limit, so the thief could only withdraw $1000 after selling all those coins. The rest of the cash is still within Mt. Gox, and therefore the state of the Mt. Gox DB can be rolled back to before all the coins were sold.
Which makes me think mtgox got very lucky. I mean the hacker could overcome $1000 limit a day (roughly 80 bitcoins) by creating thousands of bogus accounts, putting on the market bid orders at $0.01 in all accounts, drive the market to the bottom like he did to fill his orders and quickly transfer 80 bitcoins from each account out of the exchange. He could get away with bitcoins worth of millions irreversibly and completely anonymously.
The 1000 USD is relative to the current price I suppose. So if I have access to an account with 500K bitcoins and I sell 400K bitcoins so that the price drops to 0.01 (like it did), and then I transfer the 100K bitcoin left in the account to my bitcoin address (and I can with the driven down exchange price) when the price goes back up I would have made a killing.
If you trust the Mt. Gox folks, they're now claiming that there was no server hack, just a database copy that some consultant had that got stolen.
If you trust what they're saying, which might be questionable since their business is pretty much going up in flames at the moment, so they are probably desperate to make things appear better than they are...
I hope for their sake that they actually have enough USD and BTC on hand to deal with the mass withdrawals that are coming...
My understanding is that he actually withdrew BTCs after buying them back - presumably he was not really prepared for all this and only made the hack by accident. Withdrawing dollars would be harder - because he'd need to transfer them via standard banking systems, that takes days and could be stopped on the way and also be much harder to hide traces to the real identity of the hacker. During his buy back operation the price was back around $14 - and this price was used for the $1000 daily withdraw limit - reinforcing the notion that he did not prepare the attack at all.
[Update - 2:06 GMT] What we know and what is being done.
* It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
* Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
* We have been working with Google to ensure any Gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
* Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
* When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
* Once Mt.Gox is back online, trades 218869~222470 will be reverted.
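One way to carry out the hash migration the update describes, as an added example that is not Mt.Gox's code: a login check that accepts a legacy unsalted MD5 record once and rewrites it with a salted, iterated SHA-512 scheme. It assumes records are converted at login; PBKDF2-HMAC-SHA512, the iteration count, the `pbkdf2-sha512$...` record layout, the accounts and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000                      # assumed work factor for this example
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # unsalted MD5, hex encoded


def hash_new(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2-sha512$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "pbkdf2-sha512${}${}${}".format(iterations, salt.hex(), digest.hex())


def check_new(password, stored):
    """Verify a password against a record written by hash_new()."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2-sha512":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:                    # malformed record
        return False
    return hmac.compare_digest(candidate, expected)


def check_legacy(password, stored):
    """Verify a password against an unsalted MD5 record."""
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


def login(db, user, password):
    """Verify a login and upgrade a legacy record when the password matches.

    Returns (authenticated, upgraded).
    """
    stored = db.get(user)
    if stored is None:
        return (False, False)
    if LEGACY_MD5.fullmatch(stored):
        if not check_legacy(password, stored):
            return (False, False)
        # The plaintext is only available at this moment, so rehash now.
        db[user] = hash_new(password)
        return (True, True)
    return (check_new(password, stored), False)


def idle_legacy_accounts(db):
    """Accounts that have not logged in since the migration started and
    therefore still hold an unsalted hash: candidates for a forced reset."""
    return sorted(u for u, s in db.items() if LEGACY_MD5.fullmatch(s))


# Constructed accounts: one that logs in after the migration, one that never does.
DB = {
    "active": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
    "idle": hashlib.md5(b"hunter2").hexdigest(),
}

if __name__ == "__main__":
    db = dict(DB)
    print(login(db, "active", "Tr0ub4dor&3"))   # first login upgrades the record
    print(db["active"].split("$")[0])
    print(idle_legacy_accounts(db))
```

A login-time migration never touches accounts that stay idle, so their old hashes remain in the table until they are reset or invalidated in bulk.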
I for one certainly wouldn't be going back. [MD5] is enough to tell me they only half-heartedly care about securing user data, no matter how many buzz words they throw in now.
Yes, I was also worried when I saw the suspicious activity flag had been tripped on my acct., but apparently that doesn't actually mean that anyone actually tried anything, just that our e-mails appeared in the list.
Luckily I never reuse passwords for important stuff like e-mail or anything that touches money...
Mtgox acts like a central authority. Basically all these trades were happening in mysql database within the exchange between internal accounts, there were no actual bitcoin transactions.
Due to some US law, they restrict withdrawals to $1000/day. That includes bitcoins. Presumably, they do that to make sure they are well within the law.
Yeah, but my guess is that not many people managed to withdraw them because of the stability problems the site had/have. Mt.Gox will probably have some losses, but not that high I think.
So if you had already done a legitimate trade it's gone? "Sorry you made some money there, but someone else got affected by something else, so we've undone that". So much for "There are no chargebacks on BitCoin"
I don't understand all the anger at the idea of rolling-back. Hasn't anybody trading bitcoins been watching how major equities exchanges have worked for decades?
Take the flash-crash last year. Yes, if you were a lucky one who bought GE at $3/share then hell yes you wanted that trade to count.
But to have an exchange it takes everybody acting in the interest of the group as well as themselves. The value to that over purely selfish motivations is that it creates a liquid market which benefits everybody involved.
Part of this is the acceptance of situations like this. In cases of attack or software defect, the only real viable option is to roll back. The only people this hurts are the 1% who tried to profiteer on the situation. Not rolling back would harm the other 99%. It's an easy call.
The only real tragedy would be if they cannot roll back accurately. You'd think this wouldn't be possible, but you never know... It seems as though this site has had known CSRF bugs for a while. This is not a hard thing to fix. It doesn't shine well upon their competence.
Just to be clear, I'm not taking a position, only asking a question: how does the exchange layer affect the fundamental goals of bitcoin, esp. the notion that no centralized authority controls monetary policy?
In principle, it doesn't affect that goal. An exchange doesn't control monetary policy, i.e., it doesn't set interest rates or increase the quantity of currency.
Of course, an exchange can affect the value of the products it is trading. Since Mt. Gox is the biggest bitcoin exchange, if a vulnerability is found then people might stop trading there, decreasing the liquidity and consequently the value of bitcoin. But this doesn't contradict the goal you mention.
As an analogy, if company ACME only trades on Nasdaq and there's a system problem with Nasdaq, some people will be scrambling to get rid of their ACME stocks so ACME's price will go down. That doesn't mean that the exchange controls the price of ACME.
But if MtGox's technical failure effectively took USD$120M of bitcoins offline, then MtGox has reduced the supply of BTC for some period of time, no? I understand that exchanges are secondary markets, but they seem to be contrary to the philosophy of no centralized control over supply/demand. I always understood bitcoin to be a per-transaction, ad hoc currency – not an exchange-traded commodity. Of course, people are free to do whatever they want with their stuff...
Edit: I realized after posting that I called bitcoin a "currency" above. I realize that it's a controversial position, but my feeling is that, as a medium of exchange, it qualifies as a currency.
Well this is trading through an intermediary, you can't really expect it to work that way otherwise something like this would have a lot more incentive for wrongdoers.
If you really want to have no chargebacks you have to go the harder route of one on one trading, with everything that comes along with that.
When designing a system like this you have to have a veil of ignorance. There may from time to time be attacks or defects that mean some people lose a lot of money while others gain some. Not knowing which will happen to you, how would you want the system to work?
You don't understand. There is a difference between the currency and the exchange. The exchange stores the trades internally without actually doing any bitcoin transactions until the time of withdrawal.
I can confirm that the alleged dump is the real deal.
Some passwords are md5 hashes, some are salted md5 hashes (utilizing the crypt[0] function). I did not log in for a long time and my password was still unsalted, so I assume that converting to salted passwords was done either automatically on login or on password changes.
I hate to look down my nose at other programmers, because I understand that we all start somewhere, but if you are building a financial exchange and you encrypted passwords using unsalted MD5 at any point in the history of your product, you have proven to me that you are learning as you go, and there is no way in hell I'd trust you with any significant sum of money.
Edit: Note, this really barely scratches the surface for building secure software. AC says how to apply cryptographic primitives correctly. It won't teach you how to avoid vulnerabilities specific to particular application domains (like CSS, SQL injection, etc...).
That book is old, and though still basically correct, there are much better ways to learn about the practice of developing secure systems. I recommend "Cryptography Engineering" by Ferguson, Schneier, Kohno which is a more modern descendant of Schneier's AC.
Being a programmer means committing yourself to a life of continued education. Building a secure authentication system? Time to read up on the subject. You don't have to go far before you learn about the vulnerability of MD5 hashes for password storage.
My account is also in the list and appears salted. Someone just tried to access my gmail account via an ec3 instance so I bet the salting is done wrong or something else.
This is the only way to fight incompetence of some websites. Those passwords are (most likely) unsalted vanilla MD5 hashes. Just entered a few of them into Google from that file and yes, many of them are present in rainbow tables. Damn. Makes me angry as a programmer how a financial website can be this unsecure and easy to compromise.
You can recognize salted hashes from unsalted ones just by looking at them? Open the file and search for 5f4dcc3b5aa765d61d8327deb882cf99, at least 1,600 passwords in that list are unsalted. (Those without $1$)
Cause, I don't think they broke any rules. Are they even required to keep those details secret? It's pretty clear marketing agencies can buy that data, so i don't think it's any sort of violation of privacy policy.
I find it funny that people are outraged about unsalted MD5 yet they use passwords like "secret123" that are found in every wordlist.
Guess what: Even salted hashes won't save your ass with such weak passwords. And yes: it's a FUCKING TRADING PLATFORM you want to put money on so _you_ should think of a secure password.
And what makes you think that the same people who are complaining about unsalted MD5 are also the same people who use passwords as weak as 'secret123'?
Mt.Gox is the biggest bitcoin market place by far.
During the last 1h the whole volume of about 500k BTC was traded making the price drop from somewhere around $17 to virtually nothing.
Details are not available yet. It could have been a bug or an intruder.
Rumors have it that someone with a huge wallet got hacked.
<+MagicalTux> someone with lots of coins did get hacked
MagicalTux is working on Mt.Gox
Also some other markets like btcex or tradehill are seeing problems and/or price drops.
I'm surprised that people with large amounts of bitcoin don't have better security measures. For that amount of money, I'd consider securing the private key in a safety deposit box. Probably several safety deposit boxes, actually.
They apparently had 500k BTC in their MtGox account, which is insane. Unless they were actively trading all of that they should have withdrawn from MtGox to the BitCoin network.
I keep reading about people only being able to take a small number (50 or 80 BTC) out of the market at once, which is why the hacker couldn't do the same.
If that is true, then once you have your 500k BTC in the exchange, it will take you over a decade to get them out, either as cash or as bitcoins.
Agreed. It seems the real fallout of this incident is the fact that the rollback can never recover BTC taken out of the exchange accounts and put into anonymous local "wallets". I wonder who will cover those losses?
"to virtually nothing" - I believe this is misreading the chart. I had to take a second look myself. The light red column at 5:10pm is trade volume (240K sold). The price stayed between $17-18. The sale of 260k at 5:50pm was priced between $10-$13. The lowest price during the 'crash' is $10.
My theory is there are miners with large amounts of BTC and someone decided to sell a lot in a relatively small market. According to the depth-of-market calculator there is only about 2000BTC in total on the buying side right now. It's easy to swing the market.
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
Will sell the database for the right price.
Send your offers to:
gfc06@hotmail.com
Someone sold a huge amount of Bitcoins. The market acted accordingly. Expect a bounce back to the old exchange rate as soon as Mt. Gox is available again.
Of course it might be possible that the computer of the person who sold the Bitcoin was cracked. But that's not the fault of Bitcoin - if someone is not capable of taking care of the security of his local computer, it's better not to use a distributed currency where your money is basically stored inside a single file.
Exactly, someone sold a huge amount of Bitcoins. I.e., this was the first time it was hacked by someone stupid enough to call enough attention to his crime to have most of what he stole taken back from him. What do you want to bet someone smarter got in there first, and is maybe still in there? There are subtler ways to steal money than grabbing a huge amount all in one chunk and trying to cash out.
> Of course it might be possible that the computer of the person who sold the Bitcoin was cracked. But that's not the fault of Bitcoin.
Just like it's not the fault of the dollar if someone mugs you at gunpoint. Except robbing someone typically requires you to take physical risks and (threaten to) use violence. I'll be very curious to see any effective way of tracking down bitcoin thieves.
If you have to be a security expert to own more than a few dollars worth of bitcoins, the project has effectively failed already.
You don't necessarily have to be a security expert to use Bitcoins, just if you want to run the client by yourself.
If you don't have the required knowledge just pay a little bit to a "Bitcoin bank" that handles the task for you. In the real world you also don't carry your money with you all the time, but store it on a bank.
Banking eradicates many of the supposed gains of decentralized money - not all, but most. I just did a quick Google for "benefits of Bitcoin" and it seems most people agree on the following:
- Anonymity/trackability. Gone if you are with a bank. Sure, possible to sidestep by going through the song-and-dance that is withdraw-send-deposit. We can do this IRL also, but there's a reason people do not.
- Taxability. Welp, if your BTCs are in a bank, the IRS can easily get you.
- Abusive/coercive government action (e.g., freezing). Well, yeah, if you're with a bank that can happen too.
- Lack of fees. If banks become standard (and if BTC takes off, yes, they will become standard) then kiss goodbye to this benefit - the same way cash right now has no transaction fee, but bank transactions do.
In fact, the only major sell of Bitcoin that remains:
- Inability for government to arbitrarily expand the supply of money.
Still a win, but suddenly Bitcoins have lost a lot of charm, especially for the everyman for whom the above 4 points are much more salient than that last one.
> If you have to be a security expert to own more than a few dollars worth of bitcoins, the project has effectively failed already.
Why?
It's true that key management and security are not as good as they could be in the official client, but that doesn't mean the project has failed, merely that the client needs to be improved.
Improving the wallet security is priority #1 of the dev team at the moment.
Note that none of the developers expected it to get this big this fast. Six months ago, no one would even bother stealing bitcoins as they were not more than a toy curiosity. Now very serious amounts of money are represented.
Mt.Gox itself was hacked not just a guy. That's a bit like Wall Street being hacked, with due proportions. Also, Mt.Gox reaction to the episode is apparently pissing off a lot of users, as per comments in linked page.
I don't think this is the end of bitcoins but surely enough it is quite an ouch moment.
Lesson I've learned today: given that bitcoin wants to be a better currency, they have the chance to provide a better service. A good bitcoin marketplace should enforce two way authentications, maybe with yubikey or even just GPG keys.
No, but that's also what would happen when the stock market behaves weirdly enough. It's a good thing, though, that stock markets and foreign exchanges have more trading volume; I'm starting to wonder what happens if a random bloke with a million actual USD wants to game the bitcoin like George Soros did it with the Swedish kroner.
Actually the bigger event around it was the Black Friday in 1992: The Bank of England was hoping/pretending that the pound would stay strong against the FRG Mark, whereas Soros lent a massive amount of pound to other people. When the pound finally devalued, he could fulfill the lendings (at the cheaper pound price). The Swedish currency took similar damage.
Basically, governments trying to stabilize their currency are in danger of losses whenever they meet someone with even deeper pockets. In contrast, the Japanese government could out-trade Soros in the crash in 1987 and Soros had to pocket substantial losses.
I agree. If one ever needed an example of why Mt. Gox or Bitcoin shouldn't be taken seriously. They had a withdrawal limit of $1000 per day, too. This was simply to save one more day of that.
It makes you wonder if Mt. Gox actually had the hard currency to back up everyone's account balance.
The point of an exchange is that you can trade one thing for another. E.g., US dollars for bitcoins.
Mt. Gox seems to act like both an exchange and a brokerage. Presumably people have an "account" in which they can deposit and withdraw various currencies.
"It makes you wonder if The New York Stock Exchange actually had the hard currency to back up everyone's account balance." That doesn't make any sense either.
I guess you don't have an account with any brokers participating in the NYSE or other exchanges. You can't open an account without writing them a check. Once you've given them money, you can trade NYSE stocks which may gain or lose value. But the dollars you deposit into your account you should be able to get them out again with low risk.
Each currency or security should represent a zero-sum balance sheet for the exchange as a whole. Unless Mt. Gox spent the hard cash for themselves and hoped the market for bitcoins stayed healthy.
Who do they think they are, a Wall Street investment bank?
I agree it doesn't make any sense (but for a different reason).
Yes, the NYSE is a building full of member broker dealers who will, in fact, buy shares from you when the proper conditions are met. (I.e., you need to be worth their time).
"Real banks" are highly regulated and in the US are backed up by the US government. I don't know of too many other entities that can handle other people's assets with such low reserve requirements without being considered fraudulent. If there are any, I suspect they're heavily regulated or at least exempted as a speculative private fund.
You're right about the anarchy, but I don't see the burning world. I don't see hackers and cheaters "taking over" bitcoin.
An account was compromised, and despite there being no government regulation, the exchange stepped in, protected their customer, rolled back the trades and protected the market.
That is anarchy exactly! But no burning world. And it is yet another realworld test that has been successfully met by the bitcoin idea.
I'm not sold on bitcoin's viability, due to questions about the larger marketability and having not done an audit of the software. But from an economic perspective, bitcoin is a viable currency, or as close to meeting all the requirements that any non-physical currency can.
> and despite there being no government regulation, the exchange stepped in, protected their customer, rolled back the trades and protected the market
You know that's basically the same thing - central entity with overarching authority exerts its will over the market, canceling transactions it's deemed 'fraudulent' between two independent consenting entities. "Free hand of the market" ain't present here, chief - this is regulation.
Do they? It's by far the largest BTC exchange - by a factor of ~50 or so. If you want to exchange more than a couple hundred BTC, they're the only game in town right now.
Yes, but they're the only big game in town not because they held a gun to anyone's head or threatened to throw their customers in jail if they dared to start using another exchange, but because they provided the best service. They did not engage in coercion. This is the heart of the free market and of anarchy.
It is the heart of the free market but it is not the heart of anarchy. Anarchy would happily employ coercion. After all there's no one to stop you when anarchy reigns. In anarchy the big dog wins until a bigger dog comes along.
Please don't conflate the free market with anarchy.
You should read up on the foundations of anarchy before spouting your mouth off, since you are woefully ignorant on the subject. Bakunin, Kropotkin, and Bookchin are all good places to start.
Perhaps anarchy the philosophy would not employ coercion. But anyone in an anarchic society would happily employ coercion. That's what I meant when I used the poorly phrased sentence "Anarchy would happily employ coercion".
Coercion does not have to be done by a governmental entity. The philosophy of government can wax as poetic as it wants but I know too many people who would happily take advantage of anarchy to employ said coercions. Practically speaking, Human nature being what it is, coercion will be rampant in an anarchic society. I'm quite familiar with the foundations of anarchy. I just occasionally use poor wording :-)
> If you stop being their customer, they will have just to live with that.
That's precisely the theory behind free governments the world over, to wit: "Governments are instituted among Men, deriving their just Powers from the Consent of the Governed". Except we all know in practice there are barriers to withdrawing consent from the government, just as there are surely barriers to leaving a market.
If I'm doing my math right, $500k is something like 2% of the bitcoin economy. Imagine what would happen to wall street if someone cashed out a few trillion dollars' worth of stock at once.
And if "your math" is "number of BitCoins extant times current market value of one BitCoin", your math is not correct. Macha is correct; crashing the market with $500K is proof that the entire MtGox exchange can't be much larger than that, no matter what multiplication says.
Of course MtGox isn't much bigger than $500k per ten minutes. Given how many bitcoins there are and how much each is worth, that kind of volume would be like every cent in the United States changing hands every couple of hours.
You have a terribly flawed idea of how exchanges work and what they are; your logic doesn't flow at all. But I can't really correct that in an HN post.
Entirely possible; I'm writing these before bed after getting home from work. I just have a feeling that if someone tried to convert 2% of the world's USD to rubles in a few seconds without an equivalent transfer in the opposite direction everything would explode. MtGox not being able to handle a transaction like this simply means that there was less than 500k flowing in the opposite direction every ten minutes. If there were, that would imply either a spectacular amount of arbitrage or enough transactions going on inside bitcoin for people to be changing 500k back and forth every ten minutes. This crash just means that neither of those are happening, which I find entirely believable.
Did you not read the outcome? The accounts are being rolled back while other exchanges are operating fine. These kinks have to be worked out and it's better late than never - even though it's relatively early.
Yes, the mayhem at the beginning is expected but I'm curious if the trial/error process could actually bring some sound stable system at the end. I'm inclined to think that this won't happen because most of the people in the bitcoin "economy" have some serious dislike for central authorities. And it's hard to design a stable monetary system without some kind of regulation and more transparency.
Wanting to avoid single points of failure doesn't seem that strange to me. It's an engineering decision, not a political one. Central authority is just a central system to hack, or become corrupt.
You wouldn't let your business become reliant on a single-supplier part, why would you let it rely on a single-supplier currency?
Regulations are only worth as much as the authority regulating them, if that. Just look at the USA. All the laws required to stop the recent mortgage meltdown were already in place and could still be used, but won't be. What value do those unused regulations have? It's better to have less fake regulations and simply not depend on a non-existent safety net.
I'm a little annoyed that MtGox effectively is bitcoin. I've been spending my mined coins on goods from various merchants and it has been working great. That's what bitcoin is designed to be, a currency. Recently there's so much speculation and people buying, holding and selling that so much focus has shifted away from the real use.
Mining was never supposed to be the primary means to obtain bitcoins. As long as people are still being paid salaries in other currencies, they'll need to use an exchange to buy bitcoins if you want them to participate. On the other side of the (bit)coin, do you suppose those merchants you're buying from can pay all of their suppliers in bitcoins? So they need the service of an exchange, too.
This is an "I told you so" post, but not about bitcoin, about the current exchanges.
I haven't cashed out any bitcoins because the current exchanges are a fucking joke and I've said as much many times in the IRC channel and forums. Bitcoins will remain a novelty for people with lots of disposable income until it has a real money changing service linking it to other exchanges. I can not conceive of the level of folly it would take for me to put anything more than pocket money on one of the current exchanges.
Something weird is going on. I just downloaded the CSV file and my account was in there (I don't really have any bitcoins at the moment, so that's OK). But I just got a message when trying to log into GMail about 'suspicious' activity being detected on my account. My guess is that someone might have tried logging into my mail. Luckily my email password is unique, so I don't think anyone got in. I hope that other people in their DB were savvy enough not to re-use passwords.
About 1600 passwords in this database are hashed with plain md5 without salt. I found quite a lot of hits (34% success rate) using a rainbow table cracker.
Password hashes are standard php crypt() ones. I'm in that DB, was able to generate the hash using the DB entry (it contains the salt for each password) and my one-time password from mtgox. One-time PWs ftw.
So it was... I confirmed my username is in there but at least passwords are hashed. Luckily, I never added an email address and used a different Username and pw than I do everywhere else. Gotta take precautions with bitcoin!
They were hashed using the standard php crypt() method, it generates a salt for every password encrypted. I'm in that database and was able to generate the exact hash. Luckily I use one-time passwords with such things...
Hm, if it is using the same hash all over the world (on your computer it has the same salt as on the MtGox server?), what is the point? I don't understand how this salting scheme is supposed to work?
In theory, it just slows it down so rainbow tables are ineffective (not that people need them anymore), and it requires you to brute force each password rather than brute forcing one password and then checking it against everything.
In reality, it's all MD5 and the passwords were leaked to a community who are running tons of GPUs to brute force hashes. So it's kind of irrelevant.
You can recreate the hash by calling crypt() in php with your PW and the full hash as arguments. Basically, the hash is built like $1$_salt_$_hash_ - by feeding it as an argument to the function, you make it use the same salt used originally at encryption, when it was randomly generated. This is exactly the way these hashes are verified on login.
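The salt handling discussed in the comments above, as an added example that is not part of the original thread: a pure-Python version of FreeBSD MD5 crypt (the `$1$salt$hash` format) whose verifier reads the salt back out of the stored record, next to unsalted MD5 for comparison. The usernames, password, salts and function names are constructed for this example.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
UNSALTED_MD5 = re.compile(r"[0-9a-f]{32}")


def _to64(value, length):
    """Encode `value` with crypt's base64 alphabet, low bits first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """FreeBSD MD5 crypt ($1$): per-record salt, 1000 rounds of MD5."""
    pw, magic, s = password.encode(), b"$1$", salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + magic + s)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(s)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in order
    )
    return "$1$" + s.decode() + "$" + body + _to64(final[11], 2)


def classify(stored):
    """Name the storage scheme of one credential-table entry."""
    if stored.startswith("$1$") and stored.count("$") == 3:
        return "md5crypt"
    if UNSALTED_MD5.fullmatch(stored):
        return "unsalted-md5"
    return "unknown"


def verify(password, stored):
    """Recompute the hash as the server does at login and compare."""
    kind = classify(stored)
    if kind == "md5crypt":
        salt = stored.split("$")[2]       # the salt travels inside the record
        candidate = md5crypt(password, salt)
    elif kind == "unsalted-md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def shared_hash_groups(table):
    """Users whose stored values are byte-identical (same password, no salt)."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample: four users who all chose the same password.
SAMPLE_PASSWORD = "correct horse"
TABLE = {
    "alice": hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest(),
    "bob": hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest(),
    "carol": md5crypt(SAMPLE_PASSWORD, "Qm3x9.Tz"),
    "dave": md5crypt(SAMPLE_PASSWORD, "b7/LkP2a"),
}

if __name__ == "__main__":
    for user, stored in TABLE.items():
        print(user, classify(stored), verify(SAMPLE_PASSWORD, stored))
    print("identical stored values:", shared_hash_groups(TABLE))
```

The salt is not a secret: it is stored with the hash so the server can repeat the computation, and its job is to make every record unique so one precomputed table or one guess cannot be checked against the whole list at once.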
Presumably they can do this because they're not actually bitcoin transactions, just exchange trades. The bitcoins and USDs entering and leaving Mtgox are not going to roll back.
How do you "reverse" transactions that live in a peer-to-peer network? Or are you saying that MtGox has some kind of buffer of transactions that haven't been "executed" onto the network yet?
As far as I understood bitcoin, there is no authority. Nobody can do anything about a user having 500k of his coins hacked, and nobody can do anything about the market crash either.
As long as the money hasn't been withdrawn from the market, the market should be able to reverse all the transactions. The problem would be if the BTC or USD were withdrawn from the market before they shut down trading.
MtGox != Bitcoin. Transactions on bitcoin network cannot be undone, that is true; however, MtGox will undo the transactions inside their system (buys and sells within MtGox). The only thing that cannot be undone is the withdrawal of 80 stolen BTC from a MtGox account into Bitcoin network.
they'll probably reverse all transactions since then
How can they? Surely if the blocks have started to get verified by other users then you'd have to fork bitcoin to do it? Wasn't "There are no chargebacks" one of the selling points of BitCoin?
Does anybody have a link to instructions for reading that kind of chart (or the name of the chart type)? I used to know, but it has been many years.
I suppose green bars mean the price went up and red down, and the bar extends between the high and low price. But what does the chunk in the middle mean? And where can I see that 500k were traded?
The small bar indicates the range of prices during the time frame (for example, each bar could represent 15 minutes of trading on a 15 minute chart). The big bar shows the closing and opening prices for that time range. If the closing price is below the opening price the bar is red, and vice versa.
The red bar that shoots up from the bottom is the trading volume, and usually isn't covering up the bars so it looks strange. It just says a ton of BTC was sold in that time frame.
And Zed found it from me on Twitter, and I found it on this thread: http://news.ycombinator.com/item?id=2671576 (Just setting the record straight as Zed attributed it to me)
Not as such. As an example, Steve Jobs owns 7% of the shares of Disney. If tomorrow, he were to sell them all, no matter what the price, there might not be enough people to buy them all, so people who, for the laugh, said they'd buy Disney stock at $0.01 a share would eventually get the shares. Thus the stock price for Disney would drop to $0.01. A similar thing just happened to BitCoin, but rather than shares of Disney being traded, it was bitcoins.
Someone just went to sell a ton of bitcoins at once. Because the market's so small they were able to fill all the buy orders placed all the way down to 1 cent per bitcoin. Some people with long-shot bets made quite a bit of money. About half of the 500k filled the buy orders on the way down and half of them were sold at the 1 cent price.
Which kind of implies someone was doing this with stolen coins, right? You don't sell so cheap if you have USD 8,500,000 on paper and want to get as much as possible out of the sale.
What they did was destroy the reputation of Mt. Gox - I don't think the Gox people will have a very good outcome as their customers jump ship to other exchanges.
BUT on the other hand, you could say Mt. Gox was asking for it with such poor security measures. A day ago, it was a CSRF hack ... and today it's a database dump.
I tell ya, tomorrow, the code for their trading platform will hit the net.
In fact, I wouldn't put it past the operators of the other exchanges to perpetrate something like this.
In reality, no damage to the bitcoin network was done, but Mt.Gox ended up with egg on their face.
Where will all the trades go? To other bitcoin exchanges - and there go the service charges too. There's a sizable amount of money to be made by taking down Mt. Gox.
Imagine if someone stole 7% of all printed currency in the US and then traded it for gold at effective prices as low as pennies on the dollar. That's effectively what just happened with bitcoins.
Out of curiosity, how does Mt.Gox hold the bitcoins? Do they have a bitcoin account for every user or do they hold all the bitcoins in their account and trades are only changes in their database?
You know what's funny about that whole 25k thing...he has shown no proof, says he filed a police report but has not shown it, media went wild with it (with no evidence) and to the best of my knowledge no media outlet has interviewed the supposed law enforcement regarding the matter....I smell some FUD...there are numerous more inconsistencies with his story and many believe him to be a troll.
NO early adopter leaves his wallet.dat file unprotected on a known compromised computer. Especially one who claims to be an early adopter and saying he got in later in the same post. If you really read that whole thread you will smell a rat or troll also.
My response was to a comment that was deleted...If you go and read the thread he posted to...which is about the supposed theft last week there seem to be a bunch of inconsistencies with the story...the biggest being he supposedly had 3btc stolen but he leaves his wallet unencrypted, unprotected, on a computer that after having supposed 3btc stolen and flagging a virus threat...either he is lying or he is very stupid...either way I do not feel bad.
As for what happened this morning I believe that the market snapping right back was a good sign...someone dumping .5M BTC at once at the lowest possible amount and it still came back in minutes.
Not only is it making claims without proof, the claims make no sense. Why would anyone with a large pile of Bitcoins want to drive the price down by advertising how insecure the currency can be?
Yea, I had been keeping my bitcoins in MtGox too, but I figured at the very least I wanted to have two points of failure, so I moved half of them onto my computer.
Figured worst case scenario I'd lose half in a single day. But hopefully that's not what happened!
You're probably thinking of the guy who claimed he lost 25k bit coins (which at that moment was "worth" 500k USD). This was a trade of 500,000 bit coins.
Interesting that on bitmarket.eu there are a lot of buy offers for 0.01€ suddenly. I wonder if those are already bots trying to automatically react to the mtgox price.
I wanted to see if I could buy some on the cheap, but I wasn't already set up to do so. I would never take this currency seriously, but I'd be willing to put in a bit of money to speculate a bit.
I looked at bitmarket.eu but they have a manual verification process, which I'm sure would not complete until after the price recovers. Oh well.
That this was Bitcoin was of no consequence. The hack was of a web site that happens to provide an exchange for Bitcoin, not the Bitcoin network. It could have been an exchange for anything.
Probably. I regret each time I comment here, but I attribute this to the cultural differences between California-based HN users and the rest of the world.
It's not cultural differences between California and the rest of the world. It's simply that your statements indicate you're commenting without an understanding of the subject matter.
This incident occurred because (a) people with large amounts of bitcoin do not always store them securely, and (b) the bitcoin market is very small, and therefore can be destabilised by relatively small amounts of money (a few million dollars, for instance).
I should say it again: This monetary system has no authority behind it and as such is going nowhere. Disclaimer: I work as a financial analyst and at least have some knowledge of how money works.
Let me explain what I mean: "Real" money is just tokens, transferring the "Trust" between one market participant and the authority and between the other market participant and the authority. By "trust" I mean that every participant believes that the Rules in the market will be followed. When you have N market participants you have N*(N-1)/2 ways to exchange "trust". If I understand correctly, Bitcoin is an N to N system. When you have an Authority there are only N ways to exchange it - each participant to the Authority. N^2 is not scalable at least. And an N^2 monetary system might work in theory only when there are no problems like this security problem.
Trust that the participants in the market will behave in accordance with established rules on penalty of punishment by a human-administered centralised authority is one thing; trust in the mathematical truths governing how cryptography works is completely another. If the latter does not hold, the financial institutions which you claim to be employed by are in a lot more hot water than they would be if it does and bitcoin flourishes because of it.
It will take a long time for normal people to understand the implications of the cryptographic backing of bitcoins. Even quite a few people here don't "get it".
You always need a governing authority to enforce the rules, just because the cryptography protocol cannot handle all the possible situations of human interaction and because money has no intrinsic value. Value is determined by the level of trust in the Authority transferred by different communication channels and protocols (encrypted messages, paper with special printings etc.). In the case of Bitcoin it need not be a Government Authority.
This is precisely what I mean by people do not grasp the entire concept of a mathematical law and how it relates to public key cryptography. There are man made laws which are invariably prescriptive, and natural laws (not in the legal sense) which are invariably descriptive, and fallible only to the extent that this is not the case.
There is no authority needed to enforce these natural laws just as there is no authority needed to enforce gravity, it is a force of nature, public key cryptography relies upon mathematics which is also a force of nature. If the math is incorrect the system is insecure, failing that no authority is required to uphold the mathematical dogma of public key cryptography lest faith in the system be compromised. You're working from a set of premises and assumptions that simply do not apply here.
These laws do not require enforcement by an authority;
I pretty well understand both laws of science (PhD in physics) and what PK cryptography is, but you still don't get my point. There is something outside the protocol implementations, which are secure and do the job they are developed for.
The rules in Bitcoin are enforced by cryptography and the CPU-majority. So long as public key encryption works, and the majority of Bitcoin mining power is put to honest use, the system is trustworthy.
I pretty well understand that there are rules that are technically implemented to be enforced (protocols, cryptography etc.) but when there is some problem in the system (hacking, fraud etc.) there is no one to enforce fairness. The value of a given currency is not based only on technical implementations but on trust. In this case the trust and Authority is the technical implementation of this protocol (all bitcoin markets participating). The technical implementation cannot self-improve. You can only trust that the technical implementations (cryptography, protocols etc.) are implemented as specified.
If someone hacks into your computer and steals bitcoins, you report them to the computer crimes division of the police. It is not the job of the currency itself to enforce fairness. If someone steals $100 from me, it's not the Federal Reserve that gets involved.
No more than I expect them to return stolen property. If I had a large amount of bitcoins, I'd probably want to insure them, or at least keep the private key in a secure location, such as in a security deposit box.
The police act as a deterrent, and make it more difficult to offload stolen bitcoins without being caught.