Commentary on the economic, geopolitical and simply fascinating things going on. Served occasionally with a side of snark.
Saturday, February 15, 2014
Mt Gox update February 15, 2014 - Mt. Gox has stopped bitcoin deposits and all internal bitcoin transfers for a short site maintenance update, roughly from 6pm to 12am Japan time on 15th February, the exact situation regarding bitcoin withdrawals still unknown, another update will be released Monday ... New Jersey Case Could Set Restrictive Precedent for Bitcoin Businesses ... The Mysterious Case of 1 Satoshi Transactions Clogging Up Bitcoin Wallets ... According to California’s current law, Bitcoin and all other digital currencies can now be considered illegal in the North-American state. However, a bill recently sent to the Senate’s Banking and Finance Institutions Committee might be the answer to change that. ... CoinThief Malware Stealing Bitcoins from Mac Users
A CoinDesk poll of nearly 3,000 readers has found that Mt. Gox customers have been waiting months for their withdrawal requests to be fulfilled, despite being ‘verified’ or ‘trusted’ account holders. Poll respondents describe frustration with the exchange’s customer service, calling it slow, opaque and providing “canned responses”.
The poll, launched on 4th Feb, discovered that customer requests were long delayed, whether they were in bitcoin or fiat currency.
One incensed customer was Daniel Smith of Stoke-on-Trent, England. He contacted CoinDesk in December to report his frustration with the exchange’s customer service.
Smith does not have a verified account with the exchange, although he still managed to deposit bitcoin to his account there. Because of this unverified account status, his recent attempts to withdraw his currency have been unsuccessful.
After opening several customer service tickets spanning dozens of messages, Smith’s tickets were eventually merged and closed. At a loss, Smith made a legal statement with Staffordshire police that he said was being passed on to the “fraud division” to deal with the “theft” of his bitcoin.
Smith is also in contact with a lawyer in Japan to explore legal action. In January, he reported that his account had been “blocked” as was his log-in for customer service tickets. “I cannot receive help requests or log into my account […] Essentially they have taken my bitcoin and have told me to fk [sic] off,” he said.
Breakdown of withdrawal stats
Yet, it appears that Smith isn’t alone. Of the 1,434 readers who responded to the question of whether they were able to successfully withdraw funds from the exchange, slightly less than a third (31.59%) reported successful withdrawals, while 68% said they were still waiting for their funds.
Customers with successful withdrawals were also likely to receive their money quickly. Of the successful withdrawals, nearly half said they received their funds in under a week. About 46% reported receiving their funds within three months. Very few successful respondents – about 4% – said they received their funds more than three months after making the initial withdrawal request.
But for the customers who still haven’t seen their funds, waiting times could stretch for months. Among respondents who were still waiting for their funds (30% of unsuccessful respondents), the median waiting time was between one to three months. Some 21% had been waiting for three months or more, while about 48% had been waiting for less than a month.
What were the factors that affected successful withdrawal rates? When we filtered the poll results for respondents who had ‘verified’ or ‘trusted’ accounts with Mt. Gox (ie they had submitted identification documents and been approved by the exchange) around 69% were still waiting for their funds.
This is in line with the overall proportion of respondents with unsuccessful withdrawal requests. So, it appears that verification did little to improve their chances.
Respondents trying to withdraw BTC from the exchange appeared to improve their chances of success.
Successful respondents increased by about 6% for BTC withdrawals. But withdrawals in fiat currency (defined here as US dollars, euros, Chinese yuan and Japanese yen) reduced the chances of a successful withdrawal by about 3%.
Some instant withdrawals
However, some respondents did report smooth withdrawal transactions at Mt. Gox.
Some 11 individuals who responded with descriptions of their transactions at the exchange described the withdrawal process as “instant” or completed within days. All these respondents had made bitcoin withdrawals.
Nevertheless, even among this group of successful respondents, there were hiccups. One individual reported withdrawing 100 BTC in early February that arrived in his wallet outside Mt. Gox “instantly”. However, two days later, a withdrawal request for an identical amount of bitcoin did not appear.
Another respondent reported a similar experience, withdrawing 14 BTC in mid-January which was transferred instantly, but then failing to receive a transfer of 1.405 BTC that was withdrawn in the first week of February.
The amount was refunded to his Mt. Gox account four days after a support ticket was created. The respondent then made a withdrawal request again and the amount was instantly transferred outside the exchange.
“Very glad to have got the BTC back and would like a detailed, transparent explanation of the problems they’ve been having,” he wrote.
Respondents were most frustrated with the way Mt. Gox had handled their support tickets. Several users voiced their suspicion that the exchange was using generic, automated responses to mollify angry customers. One respondent noted:
“Tried to withdraw BTC and failed, never showed up in my wallet. Opened a support ticket, after a week, they send me a message apologising for the long wait times […] they were completely non-responsive to the issue and my questions. I think it was some sort of robot auto-responder designed to make people give up, go away, and abandon their bitcoins at Mt. Gox. Not acceptable!”
Another respondent who tried to withdraw 4.5 BTC complained that his support ticket didn’t get a response from the Tokyo-based exchange. Additionally, he was unable to contact a customer service representative through the exchange’s live chat feature:
“Zero response from Mt. Gox. There is never an available ‘online agent’. I logged a support ticket when I noticed [my transaction] was not in the block chain.”
The 5% queue-cutting fee
Of the 569 respondents who wrote up descriptions of their Mt. Gox experience, eight mentioned that the exchange had offered to speed up the processing of their withdrawal requests for a fee of 5% of the transaction amount. Mt. Gox’s FAQ for withdrawals and deposits does not mention a 5% fee for quicker withdrawals.
One respondent wrote that his experience with Mt. Gox was “completely maddening”, having taken him three months to withdraw fiat currency. According to the respondent, the exchange offered to move him to the head of its transaction queue if he paid a fee of 5% on top of his withdrawal amount. The respondent was attempting to withdraw $200,000.
“Their support responses were full of false promises that the withdrawal would be processed ‘shortly’ due to vague ‘delays’ and ‘issues’.”
Another respondent, who attempted to withdraw $44,000 and 1,951 BTC on two occasions, was also given the option of paying the 5% fee to speed up the withdrawal process:
“Mt. Gox has become a nightmare. To receive timely support requests from them is like performing major surgery on oneself […] they delayed over five weeks on USD withdrawal requests without explanation, only ‘offering’ me to pay a 5% fee to ‘expedite’ the procedure,” the respondent wrote.
The major complaint that customers had about the exchange was its transparency, or lack of it.
Many respondents didn’t know if their withdrawals were being processed, how long it would take or how much it would cost to ultimately receive their funds. Customer service tickets were routinely closed before problems were resolved, and many people had trouble getting hold of ‘live’ agents.
Mt. Gox has stopped bitcoin deposits and all internal bitcoin transfers for a short site maintenance update, roughly from 6pm to 12am Japan time on 15th February.
According to a notice posted on Gox’s News page, the downtime is part of its implementation of a solution to the ‘transaction malleability‘ issue that has seen the exchange halt all external bitcoin withdrawals and face criticism from some sectors of the bitcoin economy.
The downtime probably won’t affect too many users. With Mt. Gox’s bitcoin price now hovering around the $342 mark (at least $300 below the CoinDesk BPI) and the exact situation regarding bitcoin withdrawals still unknown, it’s not very likely people are trying to move coins into the exchange right now. Internal transfers can probably also wait a short while.
The announcement continued that the 6-hour timeframe was approximate only, and could be shortened or lengthened if required. It also said the new system would need to have “extensive testing” before bitcoin withdrawals could begin again, and that a further update would be published on Monday (17th February).
It also mentioned that other exchanges have taken their own steps to address the transaction malleability issue, which CEO Mark Karpeles claims is a serious flaw in the bitcoin protocol. The issue was first noticed in 2011 but was not considered a high priority by bitcoin’s core developers – at least until Mt. Gox’s current problems began.
“BlockChain.info have implemented changes to address the malleability issue. Our solution should work in the short term, while a longer-term solution is being discussed with the Bitcoin Core Dev team and the Bitcoin Foundation. We are also discussing this with other exchanges and businesses.”
Other exchanges have posted statements saying they are not affected by transaction malleability, though Bitstamp, one of the world’s most popular exchanges, also briefly halted bitcoin withdrawals after a “massive and concerted” DDoS attack affected it and numerous others. It has since resumed regular operations.
Though we have only hints at what regulation could result from last month’s NYDFS hearing in New York, members of both sides largely agree the dialogue did much to improve relations between New York regulators and the bitcoin community.
Despite the steps forward, however, recent actions taken by the state’s southern neighbor New Jersey suggest that US law enforcement is going the extra mile to try and prevent any potential bitcoin threats, no matter how dubious.
In a controversial move, the New Jersey Division of Consumer Affairs issued a subpoena this December against Jeremy Rubin, a 19-year-old bitcoin developer and MIT student, who, along with three other students, has created an innovative computer code called Tidbit.
Tidbit would allow web surfers to put their computer power toward bitcoin mining, providing a website with the proceeds of this activity in exchange for the ability to view content without advertising.
New Jersey doesn’t quite see the innovation, and the implications of its potential victory in court could have an impact on the wider bitcoin business community.
The Electronic Frontier Foundation, which is representing Rubin, told CoinDesk:
“The precedent that [it] would set is to validate the authority of a state to investigate and regulate conduct taking place online and outside of the state’s borders.
That means Bitcoin innovators will have to be very careful with what they do and understand that there is going to be scrutiny into their activities.”
The subpoena isn’t just asking introductory questions about Tidbit.
Rather, law enforcement officials have moved aggressively to prompt Rubin to turn over all of Tidbit’s assets, including its source code, related bitcoin wallets, agreements with third parties, as well as the name and IP addresses associated with its development team, all of whom are undergraduates at MIT. Though, it should be noted it stopped short of accusing Rubin of criminal wrongdoing.
Looking more closely at recent headlines from the state, the action may not be surprising. Last November, E-Sports Entertainment settled for $1m after it was accused of using malicious software code to illegally mine bitcoin on the computers of state residents.
At peak power, the company was able to take control of 14,000 computers without users’ knowledge and generate $3,500 in profits over a two-week span. It was eventually accused of violating the New Jersey Consumer Fraud Act and the New Jersey Computer Related Offenses Act.
Indeed, the language of the Tidbit subpoena suggests this interpretation as it asks Rubin to turn over “all documents and correspondence concerning all breaches of security and/or unauthorized access to computer”.
Comparisons between E-Sports’ botnet program and Tidbit’s mining program certainly exist, but the accusations against Tidbit are particularly puzzling to many for one reason.
Initially developed at the Node Knockout Hackathon, where it won a prize for innovation, Tidbit was lauded for its out-of-the-box thinking on a problem that has long dogged the Internet: a dependence on advertising.
The EFF has been the most vocal about its support, questioning whether New Jersey has the legal standing to pursue any action based on the fact that Rubin is not a resident.
A spokesperson for the EFF told CoinDesk:
“New Jersey had no jurisdiction to issue a subpoena to Rubin, who lived in Massachusetts, or Tidbit, which had no connections to New Jersey at all; the server housing the code is not located in New Jersey and Tidbit didn’t do anything to target New Jersey users specifically.”
Many Bitcoin users have been reporting mysterious 1 satoshi (0.00000001BTC) transactions being sent to their wallets. The transactions are being sent from vanity Bitcoin addresses beginning with "1Enjoy" and "1Sochi," and theories behind the transactions range from it being a new kind of spam, to an attempt to bloat the blockchain, to an effort to attach Bitcoin addresses to people, to it merely being a test.
The earliest reference to such transactions I've been able to find dates back to October, 2013, but there has been a sharp escalation in the last several days. I've personally received a score or more of them, including these three recent transactions to a wallet on Blockchain.info:
Three 1 Satoshi Transactions - Unconfirmed
There are three addresses sending me these transactions:
Note that all three transactions are unconfirmed. This means that the blockchain (i.e. Bitcoin miners) are ignoring these transactions. This is because of their size—0.00000001BTC, which is worth US$0.0000066211. That's a little more than 6/10,000 of a penny, or dust, as it's called.
Currently, the minimum transaction that is likely to get confirmed is 5,430 satoshis, or 0.0000543BTC, more than 5,000 times this useless dust, and that doesn't include the transaction fee. That's why many of the Bitcoin faucets I've been testing have minimum cashouts of 5800 satoshis or more.
What I've experienced, and what many other Bitcoin users on various forums have reported is that these transactions "fail" after a few days and disappear from your wallet. The question is, however, why were they sent in the first place?
We don't know the answer to that question, but there are several theories.
The first theory is that these transactions are intended as spam. This goes back to some of the earliest reports, where the Bitcoin address used to send the satoshi traced back to one gambling site or another. The thought is that the spammers are counting on some recipients being gamblers who will then follow the trail, discover a gambling site, and deposit Bitcoins on that site.
That's pretty reasonable for addresses that trace back to a known site. It's essentially free advertising because the transactions will never go through and the spammers get their Bitcoins back.
Thought of in another way, one Bitcoin—worth $662.11 as of this writing—can send out 1 million of these transactions. If 1 percent of them went through (they wouldn't), that would cost the spammers $6 and change, on par with email spam.
The problem is that this theory only covers transactions that trace back to a known site, service, or something, anything, identifiable. In the case of the three addresses above, what exactly are they spamming? The Sochi Olympics? Is it Coca Cola with a super stealth campaign to Enjoy [Coke]? I doubt either, to say the least.
Another theory is that this is an attempt to bloat the blockchain and slow down the network. If so, it's a terrible idea, at least on the scale that it is being done now. The network can handle these transactions, and in fact, it largely ignores them.
Who Are You?
A far more intriguing idea is that these transactions are designed to map out who owns what address. Think NSA, CIA, that hacking team run by the Chinese military, or whatever the heck the Russians are doing these days.
Under this scenario, nerdspooks harvest addresses from the blockchain (remember that any address that has received Bitcoin is known publicly on the blockchain), send out these transactions and then look to see who complains about it on BitcoinTalk.org, reddit, or this very site.
Those who include their address in their comment/post/complaint will then be outed, and MUHAHAHA! A tiny corner of the map gets filled in. It's a fiendish plan that might have been designed by this guy:
It's nonsense, and I don't buy it.
Testing, Testing, 1, 2, 3
The theory that I like the most is that we're seeing some kind of test from either a commercial spamming organization or one of the world's intelligence organizations. I have no idea what exactly is being tested, but in that no other idea makes any sense, I'll settle for this one.
Should You Worry?
It's important to note that receiving one of these transactions means little or nothing. There is nothing that the sender can get from you, including information, by sending you a satoshi. As noted above, every Bitcoin wallet address that has ever received (or sent) Bitcoins is already publicly known, and they had to already have harvested even that from the blockchain before they sent you the satoshi.
That's part of the point of Bitcoin. The anonymity of the cryptocurrency comes from the fact that while the transactions are public, the owners of an address are not.
The reality is that the transaction will simply go away, and there is no discernible threat in receiving one. I spoke to a pool operator about this, and he was utterly unconcerned about this issue. I recommend the same attitude for normal users, too.
There was a clever piece of open source software released in December called dust-b-gone. As of this writing, it's Windows only, but what it does is collect all the dust out of a Bitcoin-QT wallet (a client-side wallet), and then bundle them into one transaction that is essentially sent to miners in the form of transaction fees.
That serves the handy purpose of keeping the spammers/attackers/testers from getting their Bitcoins back, while rewarding the miners who process all of the transactions.
I don't run a wallet on Windows, or I'd try out dust-b-gone. If these transactions persist, I'm hoping a Mac developer ports the software or develops something similar for Mac users.
It would also be nice if online wallets like Blockchain.info or Coinbase developed a tool that allowed users to do something similar on server-side wallets.
According to California’s current law, Bitcoin and all other digital currencies can now be considered illegal in the North-American state. However, a bill recently sent to the Senate’s Banking and Finance Institutions Committee might be the answer to change that.
The document titled “AB-129 Lawful money: alternative currency” – which intends to amend the Section 107 of the Corporations Code – was firstly introduced about a month ago by California State Assembly member and chairman on Banking and Finance, Roger Dickenson. According to Bitcoin Magazine, the bill specifies that “current law which bans the issuance or circulation of anything but lawful money of the United States does not prohibit the issuance and use of alternative currency“.
The most recent action stated on the bill’s amendments indicates that it was sent to the Senate’s committee on February 6th, not long after it was unanimously approved by the local assembly on January 29th with 75 positive votes and zero negative. The remaining five voted present/not voting.
The official bill analysis states that the document clarifies “changes to current law to ensure that various forms of alternative currency such as digital currency, points, coupons, or other objects of monetary value do not violate the law when those methods are used for the purchase of goods and services or the transmission of payments“.
Besides, the bill also appears to recognize Bitcoin as a token of freedom since the analysis considers ‘community currencies’ “a form of political protest as some communities that use such currency do so in protest of the United States monetary policies, or large financial institutions”. Still, the bill specifically does not make Bitcoin similar to legal tender because it prohibits a person “from being required to accept alternative currency”.
This new step towards acceptance follows the strange cease-and-desist order sent in mid-2013 by California’s Department of Financial Institutions to the Bitcoin Foundation. The order accused the organization of conducting money transmission activities in the state without the proper licenses.
A trojan called CoinThief is stealing tens of thousands of dollars worth of BTC from unsuspecting Mac users.
Contrary to popular belief, Macs do in fact get viruses. It’s just that 91% of the world uses Windows while only 7% of the world uses OSX (The remaining percentage uses Linux). As such, virus makers have more incentive to create malware for Windows, because it simply makes sense to target the majority of computer users. This is generally great news for Mac users, since they remain virtually virus free. However, it can make them pretty complacent about security, and when a Mac virus does come along, it causes a lot of havoc.
The implementation of stealth addresses for Mac that I tweeted about last week turned out to be wallet-stealing malware. Crap.
Take this new virus for example. It’s called CoinThief, and as the name implies, it steals users’ Bitcoins. It’s already affected several users, including one reddit user who lost 20 Bitcoins (worth over $12,000 at the time of this post). This story is still developing, but there’s a lot we already know about CoinThief, including how it’s spread, how it works, how to detect it, and how to remove it. If you use OSX, you definitely want to read the “How to Detect Cointhief” section even if you skip the rest of the article, because losing 20 BTC is a serious matter.
How it’s Spread
Cointhief was actually being distributed by CNET’s Download.com and MacUpdate, two otherwise reputable and respectable websites. It was first distributed on GitHub and promoted by reddit user trevorscool. While the source code on Github seemed clean, the pre-compiled binaries were malicious. There are several variants of Cointhief floating around under different names, including Bitcoin Ticker TTM, Litecoin Ticker, BitVanity, and StealthBit.
How it Works
CoinThief is pretty elaborate. Upon launch, the first thing the malware does is install browser extensions for Safari, Chrome, and Firefox. The extension is given the generic name “Pop-Up Blocker” and even more generic description “Blocks pop-up windows and other annoyances.” In reality, the extension begins monitoring web traffic and specifically targets popular Bitcoin sites like Mt.Gox, BTC-e, and Blockchain.info. CoinThief also installs a background application that constantly monitors for login credentials for the above mentioned websites. So when a user logs in to his/her account, the username and password are captured and sent to a remote server.
The background process also seems to check for the presence of Bitcoin-Qt and patches certain components, probably with the intent of extracting private keys. It also sends information such as the Mac’s user name and UUID (unique hardware code) to the remote servers.
How to Detect CoinThief
If you’ve got a Mac, it’s a good idea to make sure you don’t have CoinThief installed on your system.
Start by opening Activity Monitor (in Applications/Utilities) and search for “com.google.softwareUpdateAgent” in the list of processes.
Like Task Manager on Windows, Activity Monitor displays all running processes.
Open your browsers and check if “Pop-Up Blocker” is installed as an extension.
If you see “Pop-up Blocker” in the list of extensions, you’ve probably got CoinThief installed.
If you’ve got the extension installed or see the rogue process in Activity Monitor, go on to the next section. Otherwise, you should be clean.
How to Remove CoinThief
As with almost all malware, manually removing CoinThief is going to be a bit of a pain. But then again, it’s better to go through with it than risk losing all your Bitcoins. Reddit user nptacek provides these instructions on removing CoinThief from your system.
1. First, if you’ve got BitcoinTicker TTM, Litecoin Ticker, BitVanity, or StealthBit installed on your system, delete it from the Applications folder and clear the Trash.
2. Next, fire up Terminal (from Applications/Utilities). You’re going to have to enter several Terminal commands and it is imperative that you enter them exactly as they’re shown here. Feel free to copy+paste the commands.
Enter the commands exactly as shown in the article.
3. Type “launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist” without quotation marks and hit the enter/return key. (Note, earlier variants of CoinThief use the name “com.google.xupdater,” so be sure to try that as well as “com.google.softwareUpdateAgent” in the command above). This stops the background process that monitors your account credentials and sends them to the malware author(s)’ servers. If you see the message, “No such file or directory, nothing found to unload,” then the background process was not loaded on your computer. Continue to step 4.
4. Now we’re going to unhide the file and move it to the Desktop. From there it can be dragged into the Trash and safely deleted. In Terminal, type “mv ~/Library/Application\ Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent” (without quotes) and hit enter; the backslash before the space in “Application Support” is required. (Remember to use “com.google.xupdater” in the command above if needed). The file should now show up on your Desktop. Throw that file in the Trash.
5. Let’s do the same thing for the file that launches the background process. In Terminal, type “mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist” (no quotes) and press the return key. (Again, use “com.google.xupdater” in the above command if you’ve got an earlier variant of CoinThief installed). Once you see that file on the Desktop, throw it into the Trash. Now empty the Trash.
6. We’re almost done. Open all your web browsers and uninstall the “Pop-Up Blocker” extensions. Different browsers have different instructions for deleting extensions. For Safari, go here. For Chrome, here’s your guide. For Firefox, read this.
7. If you’ve got Bitcoin-Qt installed on your system, back up the wallet and reinstall Bitcoin-Qt.
8. Finally, change your passwords for any Bitcoin-related websites you use. It’s also a good idea to set up two-factor or two-step authentication for sites like Blockchain.info to better protect yourself. If you’re feeling particularly paranoid, you can reinstall OSX, but the above process should be effective.
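The detection and removal steps above name a fixed set of artifacts, so they can be checked in one read-only pass before anything is moved or deleted. The script below is an added example, not part of the original article or of nptacek's instructions; the function names, the ".app" bundle names and the Chrome default-profile path are assumptions.

```shell
#!/bin/sh
# Added example: read-only check for the CoinThief artifacts named in this article.
# It only lists what it finds; it does not unload, move or delete anything.

# Launch-agent labels from the article (current name and the earlier variant).
COINTHIEF_LABELS="com.google.softwareUpdateAgent com.google.xupdater"

# cointhief_scan HOME_DIR APPS_DIR
# Prints one "kind: path" line per artifact found; prints nothing when clean.
cointhief_scan() {
    home=$1
    apps=$2

    for label in $COINTHIEF_LABELS; do
        plist="$home/Library/LaunchAgents/$label.plist"
        hidden="$home/Library/Application Support/.$label"
        if [ -e "$plist" ]; then echo "launch-agent: $plist"; fi
        if [ -e "$hidden" ]; then echo "hidden-file: $hidden"; fi
    done

    # Trojanized app names listed in the article. The ".app" bundle names are
    # an assumption; both spellings of the ticker app used on the page are tried.
    for app in "Bitcoin Ticker TTM" "BitcoinTicker TTM" "Litecoin Ticker" \
               "BitVanity" "StealthBit"; do
        if [ -e "$apps/$app.app" ]; then echo "application: $apps/$app.app"; fi
    done

    # Chrome only (assumption: default profile, extension name stored literally
    # in manifest.json). Safari and Firefox still need the manual check.
    ext_root="$home/Library/Application Support/Google/Chrome/Default/Extensions"
    if [ -d "$ext_root" ]; then
        find "$ext_root" -name manifest.json -exec \
            grep -il '"name"[[:space:]]*:[[:space:]]*"Pop-Up Blocker"' {} + |
        while IFS= read -r manifest; do
            echo "chrome-extension: $manifest"
        done
    fi
    return 0
}

# cointhief_procs: prints "process: LABEL pid PID" for each running match.
cointhief_procs() {
    command -v pgrep >/dev/null 2>&1 || return 0
    for label in $COINTHIEF_LABELS; do
        pgrep -f "$label" | while IFS= read -r pid; do
            echo "process: $label pid $pid"
        done
    done
    return 0
}

# Run against the current user when invoked with "scan" as the first argument.
if [ "${1:-}" = "scan" ]; then
    findings=$(cointhief_scan "$HOME" /Applications; cointhief_procs)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        echo "CoinThief artifacts found: follow the removal steps."
    else
        echo "No CoinThief artifacts found."
    fi
fi
```

A clean result from this script does not cover the Safari and Firefox extensions, which still need the manual check described above.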
Many people argue that a huge issue with Bitcoin is that unlike traditional money, there’s really no FDIC-style Bitcoin insurance. So if someone has their wallet compromised, there’s really no way to recover the stolen Bitcoins. It’s difficult to deny this point. With the complete independence that Bitcoin offers, users are forced to protect themselves with little to no leeway for errors. Sure there are ways to protect oneself like using encrypted backups, not downloading untrusted software, etc. But at the end of the day, it’s still something to think about.