Topic: Bitcoin-Central - why don't people use this exchange?? (Read 3612 times)

legendary
Activity: 1372
Merit: 1008
1davout
Hello,

Are you going to register your site with:

http://bitcoincharts.com/markets/

?

It is quite convenient for arbitrage

Thank you

As promised, we're now back on bitcoincharts.com
vip
Activity: 302
Merit: 253
Interesting, prompted me to read this, which really sums everything up nicely.

The first answer is a good summary, but the designer's criticism of DES-based encryption should also be viewed with the same type of criticism for bcrypt/scrypt. DES and other NIST-type encryptions are heavily studied and analyzed, resulting in the breakthroughs in finding the vulnerabilities that the designers claim as a failure of DES/SHA. If the same amount of resources were put into bcrypt/scrypt analysis, it's likely that breakthroughs specific to those crypt methods would be found as well. If you don't think that's the case, the recent finding that the reference implementation of bcrypt that is used in almost all programs is flawed after 10 years of use should serve as a warning: http://news.ycombinator.com/item?id=2654586. The creation of scrypt after 10 years is also a testament to bcrypt's lack of analysis; scrypt is an attempt to slow down the hashing even further due to the rise of technology that was available 10 years ago for those with big budgets. In a sense, it is security through obscurity (very little research compared to the "defective" algorithms). I don't think there has ever been any real proof that what's being done with bcrypt doesn't weaken the crypto, and people are just taking the designer's word on it. What is undeniable is that bcrypt/scrypt are generally slower than SHA on easily accessible hardware.

The thing to get out of it is also in that answer under the "What NIST recommends" section:

Quote
While I recommend bcrypt, I still follow NIST in that if you implement PBKDF2 and use it properly (with a "high" iteration count), then it is quite probable that password storage is no longer the worst of your security issues.

So even though in theory scrypt is possibly better, PBKDF2 is safer and is sufficient (the principle of high-iteration hashing behind bcrypt/scrypt is the same as PBKDF2). The general recommendation is to use well-established crypto instead of creating your own. I'd put bcrypt/scrypt on that sort of level because there haven't been enough crypto experts checking to see if what's being done with the secure Blowfish encryption doesn't weaken the cryptography after many iterations. In some cases, combining or using the same secure crypto will weaken it. In other cases, doing it multiple times will make it more secure (3DES).

I'd avoid bcrypt altogether unless you have a fixed implementation, but that would mean you're now non-standard.  If you're going to compile your own code instead of using standard, unpatched code, I'd use scrypt instead.

Once something is "secure enough," you should focus on the next weak link.  If you're going to use secure password storage crypto, it's not going to be of much help if you allow users to use weak passwords like "password", which happens to be in the top 3 cracked passwords on several social networking sites.
legendary
Activity: 1372
Merit: 1008
1davout
You don't want to rely on a specific hasher as your only means of security. Realistically, it prevents brute forcing, but dictionary attacks are still possible (which is where you should really focus). bcrypt does make it slow for the normal person to crack, but there are still big unknowns in it and in the more "secure" scrypt.

bcrypt has two known problems: it's not as slow as originally thought if you throw enough money at it (FPGA, ASIC), and there is a problem with the implementation that gives it something like at least a 4% chance of collisions. They have not been studied enough, hence it is somewhat like security through obscurity (it took many years of use before they found out that the standard implementation of bcrypt that just about everyone uses was flawed, and it will take many more years to completely phase out the bad implementation).

And as was already mentioned, if it's not used with proper safeguards, DoS attacks are possible.
Interesting, prompted me to read this, which really sums everything up nicely.
vip
Activity: 302
Merit: 253
Don't reinvent the wheel, use bcrypt, it was designed specifically for that use case, it is designed to be slow which is a good thing for a password hash function.

You don't want to rely on a specific hasher as your only means of security. Realistically, it prevents brute forcing, but dictionary attacks are still possible (which is where you should really focus). bcrypt does make it slow for the normal person to crack, but there are still big unknowns in it and in the more "secure" scrypt.

bcrypt has two known problems: it's not as slow as originally thought if you throw enough money at it (FPGA, ASIC), and there is a problem with the implementation that gives it something like at least a 4% chance of collisions. They have not been studied enough, hence it is somewhat like security through obscurity (it took many years of use before they found out that the standard implementation of bcrypt that just about everyone uses was flawed, and it will take many more years to completely phase out the bad implementation).

And as was already mentioned, if it's not used with proper safeguards, DoS attacks are possible.
newbie
Activity: 47
Merit: 0
Yes, but you should also know that bcrypt uses a more complicated algorithm to slow down the speed of calculation; this can be used as a vulnerability for a DDoS attack.

You could impose a delay after a failed attempt. And also impose a delay for re-login after a logout.

Yes, a check on the number of failed logins is needed.
Thank you
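The failed-attempt delay discussed in the exchange above, written out as an added example (not code from the thread or from Bitcoin-Central): a per-account exponential backoff that is consulted before the slow password hash is ever computed, so a flood of bad logins cannot force the server to burn CPU on bcrypt/PBKDF2. The policy constants and the `check_password` callback are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Dict

# Assumed policy values for this constructed example.
FREE_ATTEMPTS = 3      # failures tolerated before any delay is imposed
BASE_DELAY = 1.0       # seconds of delay after the first throttled failure
MAX_DELAY = 300.0      # cap so a locked account always recovers


@dataclass
class AccountState:
    failures: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    """Exponential backoff keyed by account name.

    The clock is injected so the behaviour can be tested deterministically.
    Keying only by account lets an attacker lock a victim out, so in practice
    this is paired with a per-source-address limit as well.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state: Dict[str, AccountState] = {}

    def retry_after(self, account: str) -> float:
        """Seconds the caller must wait before a hash is attempted (0 = allowed now)."""
        st = self._state.get(account)
        if st is None:
            return 0.0
        return max(0.0, st.blocked_until - self._clock())

    def record_failure(self, account: str) -> float:
        """Register a failed login and return the delay now imposed on this account."""
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        excess = st.failures - FREE_ATTEMPTS
        delay = 0.0 if excess <= 0 else min(MAX_DELAY, BASE_DELAY * 2 ** (excess - 1))
        st.blocked_until = self._clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str, check_password):
    """Return (ok, retry_after_seconds).

    check_password(account, password) is the expensive hash verification; it is
    only invoked once the throttle says the account is not currently blocked.
    """
    wait = throttle.retry_after(account)
    if wait > 0:
        return False, wait                  # refuse without touching the hash
    if check_password(account, password):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account)
```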
legendary
Activity: 1372
Merit: 1008
1davout
Are you going to register your site with:

http://bitcoincharts.com/markets/
Yes, there will be an API update ASAP in order to support it.
hero member
Activity: 838
Merit: 501
Hello,

Are you going to register your site with:

http://bitcoincharts.com/markets/

?

It is quite convenient for arbitrage

Thank you
legendary
Activity: 1372
Merit: 1008
1davout
Is your SEPA-enabled bank account in Hong Kong jurisdiction, or outside it? If it's in another jurisdiction, doesn't the simple fact of having a bank account there make you vulnerable to this jurisdiction's laws?
The bank is the Rietumu bank; it's located in Latvia. To be honest I don't think that a zero-risk setup exists; if someone tells you something is zero-risk, you should pay even closer attention. If Japan starts frowning upon Bitcoin, mtgox is dead. The main risk is if countries start to coordinate and hunt down Bitcoin exchanges one after another; in this case I don't think we'd be the first to fall.

Also, if everything goes well and our efforts at Paymium are successful, we won't need it anymore because we'll be able to do business quietly and securely in a well-regulated framework.


Does the French government care about where your data actually is? I mean, I know governments that don't give a damn about where your servers are, if you live in their jurisdiction and you're doing some "Internet business" they don't approve, they will get you.
Not every country is the United States.

I take responsibility for my actions; I set up everything in what I and the people I consulted believe is a legal way.
If, knowing that, the government still wants to go after me, I can't do much to stop them I guess, except for arguing that we've been honest, open and working jointly with the regulation authorities in order to come to a reasonable regulation framework.
hero member
Activity: 630
Merit: 500
Thank you davout for your lengthy explanation. Congratulations for everything you've built.

I still have two questions though:
  • Is your SEPA-enabled bank account in Hong Kong jurisdiction, or outside it? If it's in another jurisdiction, doesn't the simple fact of having a bank account there make you vulnerable to this jurisdiction's laws?
  • Does the French government care about where your data actually is? I mean, I know governments that don't give a damn about where your servers are, if you live in their jurisdiction and you're doing some "Internet business" they don't approve, they will get you.
legendary
Activity: 1372
Merit: 1008
1davout
Are you operating from France? Paytunia is a French company, isn't it?
Since the Banque de France decision that MtGox needed banking permits, wouldn't the same be valid for Bitcoin-Central for it to operate legally?

Not that I care about respecting stupid laws per se, but I do care about having my money lost or worse in case your exchange is shut down by the Elysée's mafia...
Let me elaborate on that, because that is a really important question.

First of all, if I remember correctly, the judge of the Tribunal de Commerce de Créteil ruled that the bank had a right to terminate the account because it was not used for its original purpose, which was to be the primary account for a tiny software development company called Macaraja (see previous link).


Regarding Paytunia and Bitcoin-Central: Paytunia is a brand of a French company called Paymium that also operates Instawallet; I'm the CTO of Paymium. If you happen to be in Paris, you're welcome to visit us in our office (metro Porte de Saint-Cloud)!

Bitcoin-Central, on the other hand, legally is a service operated by Tivoli HK Ltd. which is a company incorporated in the Hong-Kong jurisdiction.

Legally, what the Bitcoin-Central service is, is the simplest it could be:
  • It buys a digital commodity called Bitcoin from individuals or corporations by crediting a client account, and performing actual payments upon request,
  • It sells a digital commodity called Bitcoin from individuals or corporations who have pre-paid a certain amount of fiat currency,
  • It does both of the previous things at the same time, which functionally makes it similar to a FOREX, but legally similar to an import/export business


Please bear with me while I go back in time and give some context:

When I started BC I accepted deposits on my personal bank account, this quickly proved to be suboptimal, my account balance pretty much exploded. I didn't want to put myself at risk of being rape-caged and fined, and I didn't want my users to be at risk of losing funds.

So the next thing I thought was: "hey, there's lots of potential, let's incorporate properly". Problems started when the actual implementation details had to be figured out. The first tough question was: "what is Bitcoin?", because the answer to that is the prerequisite to proper accounting, proper tax payment, and ultimately avoidance of the dreaded rape-cage.

Options were:
  • Bitcoin is currency. That would have made things easy; opening a money-changing business is easy compared to the other options,
  • Bitcoin is a commodity. Less easy, that would have meant incorporating as a proper commodity marketplace, which is really hard if you don't have the proper resources,
  • Finally, the conservative and safe option was to treat Bitcoin as a generic virtual good/service. Awesome, that's easy to incorporate for, the blocking point was the Value Added Tax that is due for sales to individuals.

VAT is the keyword; it's one of the primary sources of income for the French government, so let me tell you that they take it *seriously*. What would the implications of VAT have been for someone who buys stuff from individuals and immediately sells it to others? It's pretty simple: 19.6%.

Practically, that would have meant that users could sell coins for X, and BC would have had to resell the same coins immediately for (X * 1.196). Users would have had to pay an extra 20% in taxes to the French government to buy coins at Bitcoin-Central. Did not happen obviously.

So we're coming to the Hong-Kong thing.

Hong-Kong's legislation has a very interesting property, it has 0% VAT if you do business outside of Hong-Kong: perfect fit!

That basically meant to me that I could incorporate a company in HK that would buy and sell a digital generic good/service free of taxes, without making risky assumptions regarding its legal nature. Opening a bank account in the SEPA zone for a Hong-Kong corporation was a headache but ultimately succeeded (the hard part was always explaining Bitcoin).

This setup enables BC to do the following things:
  • Buy Bitcoins,
  • Sell Bitcoins with 0% VAT without making risky legal assumptions,
  • Provide users with the convenience of a SEPA zone account

The main point here is: it's the most legally conservative and safe setup I think is possible in Europe. Having fewer users, paying more to intermediaries for a more complicated setup, and taking the hard path is OK to me if that's what it takes to do business securely. My peace of mind has no price.

We think being open to users and curious people is a good thing, so if you have further questions, don't hesitate to ask here, or visit us for a cup of coffee.
legendary
Activity: 1372
Merit: 1008
1davout
I really think not being on bitcoincharts.com anymore hurts the volume and liquidity at bitcoin-central.net. A lot of people won't bother to manually add an extra feed to their trading system and so they don't even notice the site.
Haha, yeah, that is so right. BC used to be there, but at some point they required the API to change, which I didn't have time to do at that moment.
It just got to the top of my TODO list.
legendary
Activity: 1372
Merit: 1008
1davout
All that ends up being your problem, you know...
Yep, it is also my pleasure and passion.


I'm using bitcoins the way they were intended to be used,
I don't believe there is such a thing. But as long as you find something useful in them it's all good.


but I've already pointed several persons to your exchange and guess what... they didn't want to use it because of the €15 SEPA withdrawal fee and went to Intersango.
Competition is healthy, if they like Intersango they ought to keep using them, that happens at BC as well, returning customers are the bulk of the volume.


You are the one losing customers, not me :-)
Imaginary information is convenient, isn't it? BC is not making a killing, but it's definitely gaining customers <3
sr. member
Activity: 275
Merit: 250
I really think not being on bitcoincharts.com anymore hurts the volume and liquidity at bitcoin-central.net. A lot of people won't bother to manually add an extra feed to their trading system and so they don't even notice the site.
hero member
Activity: 630
Merit: 500
You might be surprised to learn that banks do not charge corporations and individuals the same way. You might be surprised to hear that not all banks want to service corporations that engage in the commerce of Bitcoins, because, guess what, I'm open about it. I don't want to end up like mtgox in France: they used a bank account that was owned by a company making 45€ as a yearly net profit[1] to have tens of thousands of euros transit. The result was obviously a frozen account, angry users, etc.

Are you operating from France? Paytunia is a French company, isn't it?
Since the Banque de France decision that MtGox needed banking permits, wouldn't the same be valid for Bitcoin-Central for it to operate legally?

Not that I care about respecting stupid laws per se, but I do care about having my money lost or worse in case your exchange is shut down by the Elysée's mafia...
legendary
Activity: 1358
Merit: 1002
All that ends up being your problem, you know... I don't have the need for exchanges as I'm using bitcoins the way they were intended to be used, but I've already pointed several persons to your exchange and guess what... they didn't want to use it because of the €15 SEPA withdrawal fee and went to Intersango.
You are the one losing customers, not me :-)
legendary
Activity: 1372
Merit: 1008
1davout
Change banks... If your bank charges you for free stuff and you let them do it, that tells me more about you than about your bank.
There's no such thing as free stuff, a bitcoiner should know that.

What tells a lot about both of us is our attitude and our actions. One is contributing, working his ass off, investing his own money to actually get things moving. The other one knows so much better than the acting one and thinks he's so much smarter. 15€ > 0€, bravo Einstein!


I lived in several European countries for the last 6 years, and consequently have bank accounts in all of them, and the only time I get to pay fees is if I go to the bank and send it through the cashier. All transfers made using internet banking services (which all banks have) are free.
You might be surprised to learn that banks do not charge corporations and individuals the same way. You might be surprised to hear that not all banks want to service corporations that engage in the commerce of Bitcoins, because, guess what, I'm open about it. I don't want to end up like mtgox in France: they used a bank account that was owned by a company making 45€ as a yearly net profit[1] to have tens of thousands of euros transit. The result was obviously a frozen account, angry users, etc.

Man up and use your hands instead of your mouth, you might realize it's actually harder to do stuff than it is to speak about it.

References:
  • [1] infogreffe.fr, search for "MACARAJA" in "Dénomination sociale, sigle ou nom" and look at the "Résultat" field
hero member
Activity: 882
Merit: 1006
Change banks... If your bank charges you for free stuff and you let them do it, that tells me more about you than about your bank.
I lived in several European countries for the last 6 years, and consequently have bank accounts in all of them, and the only time I get to pay fees is if I go to the bank and send it through the cashier. All transfers made using internet banking services (which all banks have) are free.

Your bank doesn't charge you anything? My bank does, Mt Gox's bank in Poland does as well, also aurumxchange's bank...
hero member
Activity: 630
Merit: 500
Yes, but you should also know that bcrypt use more complicated algorithm to slow down the speed of calculation, this can be used as a vulnerable of DDOS attack.

You could impose a delay after a failed attempt. And also impose a delay for re-login after a logout.
legendary
Activity: 1358
Merit: 1002
FREE SEPA transfer...
Get your facts straight: http://en.wikipedia.org/wiki/Single_Euro_Payments_Area#Misconceptions

Our bank charges 15 € for outgoing payments. We add exactly 0 € on top of that.

Get your math straight: that makes us the cheapest option by far for middle- to large-sized withdrawals compared to exchanges who'll charge you a percentage of the amount (even though it's not harder to make a larger transfer, go figure).

Change banks... If your bank charges you for free stuff and you let them do it, that tells me more about you than about your bank.
I lived in several European countries for the last 6 years, and consequently have bank accounts in all of them, and the only time I get to pay fees is if I go to the bank and send it through the cashier. All transfers made using internet banking services (which all banks have) are free.
legendary
Activity: 1372
Merit: 1008
1davout
FREE SEPA transfer...
Get your facts straight: http://en.wikipedia.org/wiki/Single_Euro_Payments_Area#Misconceptions

Our bank charges 15 € for outgoing payments. We add exactly 0 € on top of that.

Get your math straight: that makes us the cheapest option by far for middle- to large-sized withdrawals compared to exchanges who'll charge you a percentage of the amount (even though it's not harder to make a larger transfer, go figure).
legendary
Activity: 1358
Merit: 1002
0 fees on exchange but charging €15 for a FREE SEPA transfer... good luck lol
hero member
Activity: 714
Merit: 500
Why don't people use bitcoin?
newbie
Activity: 47
Merit: 0
Yes, but you should also know that bcrypt uses a more complicated algorithm to slow down the speed of calculation; this can be used as a vulnerability for a DDoS attack.
donator
Activity: 1218
Merit: 1079
Gerald Davis
what do you think about SHA512 with salt?

Already asked and answered. SHA2 (which SHA-256, SHA-384 and SHA-512 are all part of) was optimized for speed. It also can be easily accelerated in parallel (GPU, cough cough). While any strong hashing function is better than nothing (or trying to roll your own), you DON'T WANT AN ALGORITHM OPTIMIZED FOR SPEED. You don't want an algorithm where it is possible for an attacker to brute force tens of billions of possible combinations per second.

bcrypt was designed to protect password files.  It is optimized to protect password files.
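To make the "optimized for speed" point concrete, here is an added example (not code from the thread or from any exchange mentioned in it) that puts the "long random salt + double SHA-256" scheme from the thread beside PBKDF2-HMAC-SHA256, the slow hash the thread's quoted NIST advice accepts alongside bcrypt. bcrypt itself is not in Python's standard library, so PBKDF2 stands in for it; the iteration count, storage format and timing loop are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; in production tune it so that one
# verification costs on the order of 100 ms on your own hardware.
PBKDF2_ITERATIONS = 200_000


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted double SHA-256, as described in the thread.

    The per-user salt defeats precomputed (rainbow) tables, but each guess
    still costs the attacker only two SHA-256 calls, which GPUs and ASICs
    evaluate billions of times per second.
    """
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hashlib.sha256(first).digest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the same SHA-256 primitive, but every guess now
    costs `iterations` HMAC evaluations for the attacker as well as for us."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str) -> str:
    """Store algorithm, iteration count and salt next to the digest so the
    work factor can be raised later without locking existing users out."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(actual, expected)


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Single-core rate of a naive guess loop against one constructed salt.

    This only illustrates the ratio between the two schemes; a real attacker
    runs the fast scheme on GPU hardware, widening the gap by orders of magnitude.
    """
    salt = b"constructed-example-salt"
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{n}", salt)
        n += 1
    return n / seconds


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_record(rec, "correct horse battery staple"))
    print("salted double SHA-256 guesses/s:", round(guesses_per_second(fast_salted_hash)))
    print("PBKDF2 guesses/s:", round(guesses_per_second(slow_hash), 2))
```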
newbie
Activity: 47
Merit: 0
we are using long random words as a hash to mix the user's original password before hashing it again with double MD5/SHA-256.
MD5 is weak, salts are probably stored in your DB, and SHA2 is designed for speed, which is precisely what *you do not want* in a password hash function, especially when half of this community is actively working on making SHA2 bruteforce more and more efficient.

Don't reinvent the wheel, use bcrypt, it was designed specifically for that use case, it is designed to be slow which is a good thing for a password hash function.

Code:
bcrypt is an adaptive cryptographic hash function for passwords designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999.[1] Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive hash: over time it can be made slower and slower so it remains resistant to specific brute-force search attacks against the hash and the salt.

what do you think about SHA512 with salt?
legendary
Activity: 1372
Merit: 1008
1davout
we are using long random words as a hash to mix the user's original password before hashing it again with double MD5/SHA-256.
MD5 is weak, salts are probably stored in your DB, and SHA2 is designed for speed, which is precisely what *you do not want* in a password hash function, especially when half of this community is actively working on making SHA2 bruteforce more and more efficient.

Don't reinvent the wheel, use bcrypt, it was designed specifically for that use case, it is designed to be slow which is a good thing for a password hash function.
newbie
Activity: 47
Merit: 0
I don't trade a lot, but a big reason to favor Mt.Gox is that they have already been hacked once and successfully emerged from that with most users unharmed. Presumably, this means a future hack will be that more difficult. As some of these upstart exchanges get bigger, they will become more of a target and perhaps have weaker security.

Yes, you can think of it that way, but other exchangers also learn from that hack event. For example, we are using long random words as a hash to mix the user's original password before hashing it again with double MD5/SHA-256, so if very unfortunately we get hacked, our users' passwords are still safe (since each user has a long random hash pre-key, brute-forcing all passwords becomes a mission almost impossible).

I agree that you should also give other small exchangers a try, such as Bitcoin-Central or BtcTree.com. We have a nice price for bitcoins and a fast withdrawal service here; you might be interested.
legendary
Activity: 1372
Merit: 1008
1davout
We get small volume for EUR. But I hear you, there's *ahem* room for improvement.

There've been a lot of behind-the-scenes improvements since BC isn't a hobby anymore but a professional endeavour!

I'm working to integrate BitInstant as we speak, Ukash is next, and after that the roadmap is as follows:
 - improve design and usability,
 - Merge LR with fiat (currently LREUR and EUR are separate markets, seemed like a good decision at the time but apparently users think it wasn't, and users are mostly right)
 - rewrite of the trading engine to make it execute trades against multiple other trading platforms (= virtually the combined liquidity of all other exchanges)
 - improvement of the merchant API to take advantage of the rewritten trading engine, with the bigger goal of providing the tightest spreads for merchant/buyer auto-exchange

I don't trade a lot, but a big reason to favor Mt.Gox is that they have already been hacked once and successfully emerged from that with most users unharmed. Presumably, this means a future hack will be that more difficult. As some of these upstart exchanges get bigger, they will become more of a target and perhaps have weaker security.
Our code's been open since December 31, 2010, not a single hack. I'll let you reach your own conclusions regarding the quality of the code.

The only exchange that's older than BC is mtgox (when Jed still operated it). So you can trust the fact that we're animated by passion and here to stay.
newbie
Activity: 21
Merit: 0
I don't trade a lot, but a big reason to favor Mt.Gox is that they have already been hacked once and successfully emerged from that with most users unharmed. Presumably, this means a future hack will be that more difficult. As some of these upstart exchanges get bigger, they will become more of a target and perhaps have weaker security.
hero member
Activity: 518
Merit: 500
When I was doing arb trading, it was a good place, but volumes/liquidity were a bit hit and miss.  Didn't have any problems though.
legendary
Activity: 1120
Merit: 1003
The only thing wrong about this site is that it doesn't have enough volume, so I'm curious - why not?

Not to sound like an ad for the site, but it DOESN'T HAVE TRADING FEES!! If this exchange had the volume, it'd be my main exchange just for that.

They are also one of the only exchanges that takes Pecunix, which is cool. And their LR deposits AND withdrawals are instant!

Why is this exchange a ghost town then?? Just curious to hear what people think.

I think you answered your own question.

Not entirely... even with the low volume, I still place some trades there. Apparently most people don't. I'm mostly curious if there are other reasons besides volume.
newbie
Activity: 21
Merit: 0
The only thing wrong about this site is that it doesn't have enough volume, so I'm curious - why not?

Not to sound like an ad for the site, but it DOESN'T HAVE TRADING FEES!! If this exchange had the volume, it'd be my main exchange just for that.

They are also one of the only exchanges that takes Pecunix, which is cool. And their LR deposits AND withdrawals are instant!

Why is this exchange a ghost town then?? Just curious to hear what people think.

I think you answered your own question.
legendary
Activity: 1120
Merit: 1003
The only thing wrong about this site is that it doesn't have enough volume, so I'm curious - why not?

Not to sound like an ad for the site, but it DOESN'T HAVE TRADING FEES!! If this exchange had the volume, it'd be my main exchange just for that.

They are also one of the only exchanges that takes Pecunix, which is cool. And their LR deposits AND withdrawals are instant!

Why is this exchange a ghost town then?? Just curious to hear what people think.