A little history (as I understand it):
...
As I recall, ~jav open-sourced it and ~davout just took his work so perhaps some of these conjectures about at least the original ~jav vintage implementation could be verified. A good task to run down at a later date since it is late tonight and I'm tied up most of tomorrow.
...
I did a little historical reading and captured a few things of interest. Does not look like Jan ever open-sourced things.
https://sites.google.com/a/tcilgl.com/paymium/home/unorganized-info/instwallet_history
Unless he is more full of shit than I would expect, it looks like ~davout should have and could have noticed if the database held sensitive data in plain text. Whether he told ~ballsac so he could, if he chose, answer the question asked is unknown.
Reminder to self: If someone claims a 'military grade server', run, don't walk away from the bozo.
Thanks for this - will come in handy.
If Paymium did in fact hold the wallet URLs on their server in an unencrypted format then this would amount to gross negligence in my opinion. It is unthinkable to me that anyone in this business could even consider doing that for a second. And yet this is what they seem to be suggesting. So...
Option 1: They held the whole wallet URL in plain text, which is what the "hacker" got hold of, and is now why it is unsafe to have the site up. This means they are a bunch of clowns from a technical point of view, and should not be trusted around Bitcoins at all. And are liable for grossly negligent behaviour (bordering on criminally negligent behaviour given that they were holding other people's money in trust).
OR
Option 2: The wallet URL database was properly encrypted and secured (as one would naturally expect - without even being technically minded). This then raises the obvious question of how the fuck any "hacker" could do anything with it?? And points to the possibility that there was no hack at all and the whole thing is made up.
Given that Boussac refuses to give even his real name and position at Paymium, I think it is highly unlikely he will address this question here (it was asked in my original list of 12). Paymium's CTO will definitely have to address this in the soon-to-follow legal enquiry if they insist on not addressing it publicly here.
I still hope that they do address it here, as I personally want Paymium to prosper, and be a respected part of the Bitcoin community. Let's hope. Boussac has a couple of hours yet...