Topic: [ANN] https://bitdaytrade.com - Bitcoin margin trading unrolled (Read 3866 times)

Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Bitdaytrade Customer Support

Hi there,

Thanks for your interest in our services. Your funds are safe to a level with us because of the security practices in place at BDT, such as keeping the majority of funds offline, using double factor for all our exchange accounts, processing withdrawals manually and storing your password using the bcrypt hashing method. What concerns you about "the buffer"?

Thank you
BDT team


LOL - what is the level that they are safe until?  $250K value or $500K value?  When will you fake a theft and walk away with all the coins?
donator
Activity: 2058
Merit: 1054
donator
Activity: 588
Merit: 500
Waves at Meni Rosenfeld.

Waving from a wannabe porn star like you is not encouraging for Meni, since you are a man.

https://bitcointalksearch.org/topic/m.1121264
hero member
Activity: 756
Merit: 522
Waves at Meni Rosenfeld.
sr. member
Activity: 434
Merit: 251
full member
Activity: 237
Merit: 100
donator
Activity: 2772
Merit: 1019
It seems hardening the site takes some time... probably a good thing.
hero member
Activity: 602
Merit: 500
Any serious IT professional would discuss such security holes in private with the operators first, instead of yelling in an unrelated public forum.

... but you may have missed this exchange with the owner:

http://www.reddit.com/r/Bitcoin/comments/y99z3/go_long_or_short_with_bitcoin_again_up_to_10x/c5tts8s?context=15

The guy identified many other vulnerabilities which I myself confirmed. I also independently found a couple. They were scattered over the website.
Yes, those threads indicate that there might be problems, but actually they show no really verifiable information, aside from that demonstration with the password.

But besides that, those quoted threads show exactly that kind of adolescent and immature behaviour (by "marshal banana"), which voids much of the credibility of these accusations.


And, frankly, what's so difficult with doing it properly?

If someone finds a bug, what's so difficult with first writing a personal mail to the support?

And, in case the support really ignores such feedback (which I doubt, given my own experience with Bitdaytrade support), what's so difficult with publishing a well-researched report, including really verifiable material (like screenshots or a session transcript)? And what's so difficult with just refraining from calling another person a liar?


If you find what I write here outrageous, then there's a simple litmus test:

Let's assume you're a paid employee programmer, and this "Alberto" is your co-worker, sitting at the same desk 5 days a week. And let's assume your co-worker "Alberto" has lesser capabilities and tends to make a lot of errors. How would you deal with him? Yell at him? Call him an idiot?

See my point? Why are you dealing differently with an anonymous internet entity called "Alberto"?


To make one thing absolutely clear: No one denies that there are bugs and problems in Bitdaytrade. Like you, I've also found some and reported them, and for sure there is still some work required to get that platform into release shape. Guess that's why we're all here.
donator
Activity: 2058
Merit: 1054
Isn't it cool how he suddenly disappeared, just like last time, to leave everyone else to clean up the mess? We haven't heard anything from him for days.
Um, he didn't disappear. He was out of home for several days during which I communicated with him daily, he's back now and starting to work on resolving the situation. He also wrote a lengthy reply to the accusations just two days ago (was poorly formatted and didn't focus on the right things IMO but whatever). See also this.

It's fine to want responsiveness especially in times of turmoil, but people have lives too and things take more than a few minutes to resolve.

This is my 2000th post.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Isn't it cool how he suddenly disappeared, just like last time, to leave everyone else to clean up the mess? We haven't heard anything from him for days.
vip
Activity: 198
Merit: 101
Any serious IT professional would discuss such security holes in private with the operators first, instead of yelling in an unrelated public forum.

I don't know about the person who uncovered it first, but you may have missed this exchange with the owner:

http://www.reddit.com/r/Bitcoin/comments/y99z3/go_long_or_short_with_bitcoin_again_up_to_10x/c5tts8s?context=15

The guy identified many other vulnerabilities which I myself confirmed. I also independently found a couple. They were scattered over the website.

In that thread and on other occasions he outright denied there were issues, without even explaining. I'm sorry, but if the vendor doesn't seem to be adequately aware/concerned about the massive amounts of vulnerabilities, getting further public attention is warranted. That is the premise of responsible disclosure, after all.
hero member
Activity: 602
Merit: 500
Actually it was forced, there were dozens of SQL injections and the entire API was vulnerable to CSRF...
Interesting. How do you know he experienced SQL injections? Are you talking about SQL injection vulnerabilities, or actual SQL injection attempts?

There were some threads on reddit.
Several self-claimed security experts were posting there in a rather demanding and assertive tone.

They claimed that the site is littered with tons of beginner errors. When dissecting the posts and cutting away all that vanity and self-approval (which isn't untypical for these kinds of guys -- we know, we need to pay them some respect), at least some facts were discovered, like a mechanism to gain other accounts' passwords, and a mechanism which would allow one to get at the source code via the web.

Shortly thereafter, a business political quarrel unfolded, which seemingly was going on already behind the scenes for some time. The author and initiator of bitdaytrade seemingly was cooperating earlier this year with the guys behind Kronos.io and zipconf and they parted in dissent. The latter ones announced semi-publicly that they would do everything possible to hinder and block bitdaytrade. In the light of this information, it looks likely that the "uncovering" of these security holes was an orchestrated action.

Any serious IT professional would discuss such security holes in private with the operators first, instead of yelling in an unrelated public forum.

I have a hard time understanding why people who seem uneducated about computer security would want to develop an online bitcoin trading site. I would think the numerous hacks would work as a deterrent of some sort.
I sure as hell wouldn't open a site without some serious studying of these various vulnerabilities.
Well, speaking as a developer here, security can be a tricky matter. Today's web development frameworks are especially made to ease the process of creating web sites to the point where everyone and my grandmother can hack together an online business in 3 days. To build exactly the same service to even average professional standards and with a semi-hardened setup and serious testing would require lots of additional expertise and require about 20 times the effort (two months instead of 3 days), to start with.

This is a well-known and frequently discussed dilemma. People working in the industry and trying to keep up some kind of craftsmanship see themselves put under pressure by their bosses all the time ("hey, what are you toying around, my 15-year old son hacks together that crap in 3 days!"). Even large-scale companies fall for the temptation to make additional money by reducing time-to-market.
legendary
Activity: 980
Merit: 1008
Cool. Thanks for the quick response. Nice to see a controlled take-down instead of a forced one.

Actually it was forced, there were dozens of SQL injections and the entire API was vulnerable to CSRF... he tried masking the vulnerabilities one at a time and pretending like they weren't there. At some point he just had to shut it off because he couldn't lie anymore, and because everybody withdrew what they had and their user database was corrupted intentionally so that people couldn't get others' password information.

I'm bothered by all the people ignoring just how badly this was botched and how he was dishonest about their password storage method.
Interesting. How do you know he experienced SQL injections? Are you talking about SQL injection vulnerabilities, or actual SQL injection attempts?

I have a hard time understanding why people who seem uneducated about computer security would want to develop an online bitcoin trading site. I would think the numerous hacks would work as a deterrent of some sort.
I sure as hell wouldn't open a site without some serious studying of these various vulnerabilities.
vip
Activity: 198
Merit: 101
Cool. Thanks for the quick response. Nice to see a controlled take-down instead of a forced one.

Actually it was forced, there were dozens of SQL injections and the entire API was vulnerable to CSRF... he tried masking the vulnerabilities one at a time and pretending like they weren't there. At some point he just had to shut it off because he couldn't lie anymore, and because everybody withdrew what they had and their user database was corrupted intentionally so that people couldn't get others' password information.

I'm bothered by all the people ignoring just how badly this was botched and how he was dishonest about their password storage method.

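The post above names SQL injection as the class of flaw at issue. As an added illustration (not code from the thread, from Bitdaytrade, or from anyone quoted here), the following Python snippet shows, on a constructed in-memory user table, why splicing user input into SQL text is a defect and what the parameterized fix looks like: the unsafe lookup returns every account for a single malformed username, and also fails outright on a legitimate name containing an apostrophe, while the parameterized lookup treats the same inputs as plain string values. The table, user names and hash placeholders are all constructed for the example.

```python
import sqlite3

# Constructed sample data; the "hash" column holds placeholders, not real hashes.
SAMPLE_USERS = [("alice", "hash_a"), ("bob", "hash_b")]


def make_db():
    """Build a throwaway in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, username):
    """Defective pattern: the username is formatted straight into the SQL text,
    so quote characters in the input change the meaning of the statement."""
    query = "SELECT username, password_hash FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the driver binds the value as a parameter, so the input
    is always compared as a string and never parsed as SQL."""
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def unsafe_breaks_on_apostrophe(conn):
    """The unsafe form is not just exploitable, it is also fragile: an ordinary
    name with an apostrophe produces a malformed statement."""
    try:
        lookup_unsafe(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Compare both lookups on a normal username and on a textbook tautology
    probe; returns row counts so the difference is visible without printing."""
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, probe)),  # every account leaks
        "safe_rows": len(lookup_safe(conn, probe)),      # no such user: 0 rows
        "unsafe_alice": lookup_unsafe(conn, "alice"),
        "safe_alice": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("unsafe form errors on o'brien:", unsafe_breaks_on_apostrophe(make_db()))
```

The practical check for a code base is the same as the second function: every statement that touches user-controlled data goes through the driver's parameter binding (or an ORM that does so), and string formatting into SQL is treated as a review finding regardless of whether a working exploit has been shown.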
legendary
Activity: 980
Merit: 1008
Cool. Thanks for the quick response. Nice to see a controlled take-down instead of a forced one.
donator
Activity: 2058
Merit: 1054
The site is down. What happened?
Some security flaws have been suggested so Alberto has shut down the site until he can get home and work it out.
legendary
Activity: 980
Merit: 1008
The site is down. What happened?
sr. member
Activity: 287
Merit: 250
Send us an email with details of your position. Today I have had internet connection troubles and have been able to restart the trading engine only by 14:00 local time (GMT+1 - Italy). This was because the gold market stops on the weekend and I have to manually restart it on Monday. I'll set up a backup solution to avoid this happening again in the future. Apologies for the issue; we offer to adjust all positions unjustly closed to 0 profit/loss. It might have happened that I've missed some emails or messages; this is because I'm currently still busy with my day job, which involves hotel+restaurant management, and here it is currently summer and the hottest season for tourism. I'll be able to dedicate more time very soon. Please send again an email with your issue if you didn't receive a reply.

Thank you for your interest.
hero member
Activity: 616
Merit: 502
It is (my) real money on the table....
Do not worry about small things; this service needs testers, I think. I will soon open a thread in the Russian sub-forum, after fixing some important bugs ...

