What's there to say? This is yet another piece of evidence that Mt. Gox was grossly incompetent. Unfortunately, it's very difficult to prove whether or not there was any criminal fraud involved. If there was, and it could be proven, then at least justice could be served. If there wasn't any fraud, and that could be proven, then at least it could be shown that Karpeles was just a bad businessman, not a fraudster, and his name could be cleared. This limbo leaves so many questions unanswered that it's hard to know if we're ever going to find out what truly happened.
Mt. Gox recently claimed they found 200,000 BTC that they'd lost track of. If their claim can be taken at face value, then I think it's plausible they may have panicked back when their losses first became clear to them in February, leading them to blame it on malleability even though they didn't really have a clue where their money went or why. They probably felt they had to tell people something, and saying "we lost track of >750,000 BTC for unknown reasons" may have been less desirable than blaming their problems on something tangible, like transaction malleability. Unfortunately for them, it turns out that they were wrong about that.
So here we are. All that's been demonstrated is that consumers currently have very little protection in this space, and that patio11 and others were right to warn people to be very careful with bitcoin.
I'm not necessarily pro-bitcoin, but there's a difference between bitcoin: the protocol and bitcoin: services offered around this.
I think this is more another case of pretty incompetent people going into this (probably linked to the fact that a lot of proponents of bitcoin are in it for the Ponzi-scheme-like qualities of the current environment). Maybe we'll get some people who've taken an accounting class and a concurrency class (necessary but not sufficient conditions) to implement these exchanges one day.
The public ledger in particular could be used to establish a good amount of trust with an exchange (publicly-auditable). The only problem being that many bitcoin proponents buy into the myth that bitcoin allows you to remain anonymous, and that the exchanges should be built in the same way as money laundering services.
We'll probably see a lot of this so long as the current environment is based around bitcoin being some sort of investment vehicle like gold. Maybe if enough people actually start wanting to use it as a currency, the quality of these services will go up, and we can trust them a bit more. Maybe actually having exchanges bail each other out (see Japanese banks in the 80s/90s) and supplying safety nets would increase trust.
The problem, which I can't figure out a way to solve, is that any exchange can die at any time due to massive theft or failure. When this happens, customers will lose all of their funds.
People have mentioned m-of-n transactions as one possible solution, which means that the customer and the exchange both have to approve of any transaction involving the customer's funds. But this may preclude realtime trading, which is usually one of the main purposes of an exchange.
It's a tough problem, and there may be a solution. I'm continuing to think about it.
Yes, m-of-n addresses are the solution, we use it on Bitalo [0]. It's true that it is less suitable for day traders, and while they make the most of network volume, they are not the only purpose for which exchanges exist. Some people just want to buy Bitcoin occasionally, i.e. once a week, month or less frequently. They also want a secure place to store them. I believe that for those people, our service is the perfect answer :).
You only need to remember your password, from which your key is derived. You also need to write a recovery string (which can be used to derive your key as well) on a piece of paper and store it somewhere safe as a backup in case you forget your password.
Now from our side, there's very little chance we lose your key (we do encrypted offsite backups every hour) and even then we're currently implementing "presigned transactions" that use the "nLockTime" function in the Bitcoin protocol to let you claim your Bitcoins after a certain amount of time in case we disappear.
Also, we require you to use 2-factor, so even if your computer gets hacked, an attacker still can't emulate your actions to steal your coins. And if an attacker hacks our server, he only gets one key of two needed to spend the funds.
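The two-key custody and nLockTime refund described in the comment above, as an added Python example (not Bitalo's code and not part of the original thread). The function names, role labels, key bytes and block heights are assumptions made for illustration.

```python
# Added illustration: 2-of-2 custody plus an nLockTime-delayed refund.
# All keys, heights and role names below are constructed sample values.
OP_2, OP_CHECKMULTISIG = 0x52, 0xAE
LOCKTIME_THRESHOLD = 500_000_000   # below: block height; at or above: Unix time
SEQUENCE_FINAL = 0xFFFFFFFF

def multisig_2of2_script(customer_pub: bytes, service_pub: bytes) -> bytes:
    """Serialize OP_2 <customer_pub> <service_pub> OP_2 OP_CHECKMULTISIG."""
    pubs = (customer_pub, service_pub)
    for pub in pubs:
        if len(pub) != 33 or pub[0] not in (0x02, 0x03):
            raise ValueError("expected a 33-byte compressed public key")
    pushes = b"".join(bytes([len(p)]) + p for p in pubs)   # direct push opcodes
    return bytes([OP_2]) + pushes + bytes([OP_2, OP_CHECKMULTISIG])

def is_final(lock_time: int, sequences: list, next_height: int, block_time: int) -> bool:
    """Bitcoin's finality rule: may this transaction go into the next block?"""
    if lock_time == 0:
        return True
    cutoff = next_height if lock_time < LOCKTIME_THRESHOLD else block_time
    if lock_time < cutoff:
        return True
    # Pitfall: if every input sequence is final, nLockTime is ignored.
    return all(seq == SEQUENCE_FINAL for seq in sequences)

def can_spend(signers: set, lock_time: int, sequences: list,
              next_height: int, block_time: int) -> bool:
    """Both keys must sign, and the transaction must be final."""
    return {"customer", "service"} <= signers and is_final(
        lock_time, sequences, next_height, block_time)

# Placeholder key bytes (not real curve points), constructed for the example.
CUSTOMER_PUB = b"\x02" + b"\x11" * 32
SERVICE_PUB = b"\x03" + b"\x22" * 32
REFUND_LOCK = 300_000            # refund becomes valid after this block height
REFUND_SEQ = [0xFFFFFFFE]        # non-final, so nLockTime is enforced

if __name__ == "__main__":
    print(multisig_2of2_script(CUSTOMER_PUB, SERVICE_PUB).hex())
    # Server compromise: only the service key signs, nothing moves.
    print(can_spend({"service"}, 0, [SEQUENCE_FINAL], 299_000, 0))
    # Presigned refund: unusable early, spendable once the height has passed.
    print(can_spend({"customer", "service"}, REFUND_LOCK, REFUND_SEQ, 299_000, 0))
    print(can_spend({"customer", "service"}, REFUND_LOCK, REFUND_SEQ, 300_001, 0))
```

A presigned refund whose inputs all carry the final sequence value would be spendable immediately, which is why the example uses a non-final sequence.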
It reduces the chance of deliberate theft by the service.
One problem with bitcoin is that an exchange service can suddenly find itself with millions of dollars' worth of bitcoin, dwarfing the possible income available via fees, and start thinking really, really hard about where the most money is to be made.
And then the service might go out of business, and the customers lose their property.
Not to mention the target the service might represent for hackers etc.
Having a dual key system ensures that, for all parties, the best possible outcome of attempted theft is nothing at all for anyone.
Not a great outcome for any specific customer, but an outcome that aligns the motivations of the service provider and the customer.
But what's the point of keeping it in an exchange if I still have to wait for confirmations? Might as well keep it in a fancy wallet and transfer it in as-needed.
Someone brought up that Bitalo isn't really an exchange, but an OTC marketplace, and that fraud is possible. A fraudster in the US can reverse the bank payment in a Bitalo transaction up to 6 months after the BTC has been released from escrow: https://news.ycombinator.com/item?id=7432635
You should probably specify that Bitalo is perfect for non-US customers.
This, a thousand times.
Bank deposits are insured and yes it's a government thingy, but there is nothing that precludes *coin exchanges from setting up a private insurance policy.
If they have actually lost three quarters of a million bitcoins, in an unrecoverable way (and nobody stole them), that's a HUGE proportion of all the bitcoins there will ever be that have just disappeared into the ether.
I personally believe that Karpeles committed fraud and stole users' money, but I believe that category of risk was absolutely known and correctly priced into the instrument. What do you folks think?
EDIT: A rational response is a much more satisfying outcome for you, if you can pull it off, rather than mere downvoting to attempt to force your hopes for reality onto the world.. yes, you do achieve a minor victory, a move forward against the hurt, downvoted opponent.. but not truly closer to victory, secure in a rational interpretation of events.
I'm inclined to believe that it was incompetence & overconfidence that led to the collapse. I suppose we will have a better understanding of what happened in the months to come.
Incompetence can be criminal. I was speaking towards intent. It's doubtful there was intent to defraud. This doesn't mean that those involved shouldn't suffer the consequences of their actions.
That would seem to mean either something went horribly and abruptly wrong with his scheme, or he forgot "and run". Which one are you postulating, and why?
With carefully staged incompetence, you can commit fail-safe theft (where if you are discovered, you can claim it was all an accident/a product of your incompetence/a misunderstanding).
I've covered one way that this can work here: https://news.ycombinator.com/item?id=7302672 If I were going to even attempt a theft as large as this (if in fact it was an attempted theft), I would make the scheme being fail-safe the highest priority. The scheme being fail-safe should be a higher priority than even the scheme working.
And I can't tell you why. Maybe I'm projecting. But it's my gut intuition. Though is this not a category of thought that should be discerned via "fast thinking"? Are there any studies that compare test subjects' judgments of guilt, based on defendant photographs, to jury verdicts?
Any jury, anywhere, for any case. People who think they can infer guilt from an utterly neutral facial expression captured in a still image are not fit to participate in any system of justice.
edit: hahahaha, all right, whatever. he still looks guilty to me. sorry if he's innocent. regardless, there is definitely a sentiment, and i voiced it. i don't regret contributing. maybe my tone or something could have been improved? i'm not sure, because i don't disagree with my actions.
Companies not involved with BitCoin lose large amounts of money and/or customer payment details (which is the same as losing their customers' money, in a sense) all the time, for reasons having nothing to do with malice on the part of the companies.
Why do you hold BitCoin-based companies to be different?
I've been at some places with pretty horrific internal security. It's easy to imagine that someone was trusted who shouldn't have been, and had access to nearly everything, including "cold" wallets. Heck, if they were working remotely they might not have even needed to "run".
Exactly. The reason I don't think it was Karpeles who did it is that his name is all over the place. He has (had?) a lot to lose if he decided to do something as brash as this.
Karpelès was found guilty of a financial computer crime and of money transfer fraud when he was somewhere between 13 and 18 years old. The court gave him a 3-month suspended sentence and no criminal record.[0]
"I will not give too much detail about what I did wrong, just say it concerns payment systems on the Internet. I spent two years taking risks becoming larger, perhaps because it was an exciting side … whatever, I ended up getting arrested"
Without more details it doesn't mean much, but it does sound a bit more than using a stray card -- if that translated post is actually from him.
That seems like the most plausible scenario anyway. Karpeles was just trying to take down Bitcoin with him by blaming it on a 'Bitcoin bug'. All this is a joke just like everything else in this sad saga, such as "cold storage leaking".
I wouldn't attribute to malice what could be explained by incompetence, but seriously, this cannot be explained by incompetence.