
Topic: bitfloor needs your help! - page 12. (Read 177467 times)

legendary
Activity: 1400
Merit: 1005
October 11, 2012, 12:02:57 PM
Roman - any update on the potential investors/payback of the lost BTC?
I somewhat expected to start seeing my "held" BTC balance tick downwards ever so slightly as transaction fees are being collected, but it hasn't happened. Maybe it's a manual process now, but Roman should automate it. Continuous, incremental progress toward getting everyone paid back, even if it will take years, would be a welcome sight.
Agreed, though I was also hoping he would find an investor to cover the losses. ;)
full member
Activity: 120
Merit: 144
October 11, 2012, 11:59:11 AM
Roman - any update on the potential investors/payback of the lost BTC?
I somewhat expected to start seeing my "held" BTC balance tick downwards ever so slightly as transaction fees are being collected, but it hasn't happened. Maybe it's a manual process now, but Roman should automate it. Continuous, incremental progress toward getting everyone paid back, even if it will take years, would be a welcome sight.
legendary
Activity: 1400
Merit: 1005
October 11, 2012, 11:23:07 AM
Roman - any update on the potential investors/payback of the lost BTC?
donator
Activity: 3136
Merit: 1167
October 11, 2012, 06:45:13 AM
ACH withdrawal was enabled on my account, it took a while but implemented earlier this week & just when I planned to test it out Wells Fargo go & break it, oh well I shall look at doing this in November now, I hope that Bitfloor will find the US banks more cooperative than the UK ones have proved to be for other Exchanges up until now. I guess that this explains why there's a 139 btc bid there atm for $12.20 while Gox price is just under $12 now, a nice arb op for someone who doesn't mind waiting to get the $ out.
sr. member
Activity: 408
Merit: 261
October 10, 2012, 08:33:39 PM
Quote
bitfloor, 7:24 PM - Public

WellsFargo cash deposits are currently suspended. Due to this account suspension, ACH withdrawals will be delayed as the account is closed. These delays are outside of our control and we apologize for any inconvenience this may cause. We strive to process both USD and BTC in an efficient manner and will continue to do so after these delays are resolved.

We will post more information on the future of cash deposits as it becomes available.
legendary
Activity: 1400
Merit: 1005
October 08, 2012, 04:23:50 PM
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

Ok smartass, let me just quote Wikipedia for you :)
Quote
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security.
The fact is though, revealing information about his cold storage procedures DOES reduce the effective security of said procedure.  One less unknown is one more factor a malicious entity could use in planning an attack.

I know the argument is that security measures should always be 100% bulletproof, so that even if all the facts were known, it wouldn't be possible to crack, but it is very rarely the case that such a scenario can be created.  Especially with regards to cold storage, the malicious entity would want to know where it is stored, how it is stored, how often and when it is accessed, etc.  Each of those unknowns is "security through obscurity", but each one, if revealed, would help an attacker with pulling off a heist.

Just my two cents. ;)
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
October 08, 2012, 04:03:04 PM
Ok smartass, let me just quote Wikipedia for you :)
A password by itself is useless - you need the associated login name.
Oh, and what are you doing here? How about letting the grown-ups do the talking?

Don't feed the troll.
legendary
Activity: 1372
Merit: 1008
1davout
October 08, 2012, 03:17:03 PM
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

Ok smartass, let me just quote Wikipedia for you :)
A password by itself is useless - you need the associated login name.
Oh, and what are you doing here? How about letting the grown-ups do the talking?
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
October 08, 2012, 03:09:05 PM
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

A password by itself is useless - you need the associated login name.
legendary
Activity: 1400
Merit: 1005
October 08, 2012, 03:23:34 AM
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.
legendary
Activity: 1372
Merit: 1008
1davout
October 08, 2012, 02:44:44 AM
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
Security through obscurity is not security.

3) Making them public reduces the effort of a compromise from "breaking into his server, obtaining root access to change permissions on backups, copying backups, finding the password" to "finding the password".  Regardless, no amount of crypto "magic" will allow parts of the encrypted data to be read or even verified, so it would be pointless anyway.  Hashing and encryption are two very different beasts.
Why not? Say you hash the account identifiers (maybe with a per-account secret), pair them with their balance, sum the balances in a nice report.
Anyone can verify they are in the balance list, no one can look my balance up, I can check that the sum is consistent with the amount in cold storage.
That can also be seen as some sort of backup if properly signed, I'm sure the Bitcoinica folks would have loved to have something like that lying around.
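The report proposed in the post above, sketched as an added example (not code from the thread or from Bitfloor): each account is listed under an HMAC of its identifier keyed with a per-account secret, so holders can find their own row while others cannot look a balance up. The function names, sample accounts, satoshi units and the use of a plain SHA-256 digest as the value the operator would sign are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def account_tag(account_id: str, secret: bytes) -> str:
    """Report key for one account: HMAC-SHA256 under that account's secret."""
    return hmac.new(secret, account_id.encode(), hashlib.sha256).hexdigest()


def _digest(rows, total) -> str:
    """SHA-256 of the canonical report body; the value the operator would sign."""
    body = json.dumps({"rows": rows, "total": total}, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def build_report(balances: dict, account_secrets: dict) -> dict:
    """Operator side: publish sorted [tag, satoshis] rows and their total."""
    rows = sorted([account_tag(a, account_secrets[a]), amt]
                  for a, amt in balances.items())
    total = sum(amt for _, amt in rows)
    return {"rows": rows, "total": total, "digest": _digest(rows, total)}


def report_is_consistent(report: dict, cold_storage_total: int) -> bool:
    """Anyone: digest matches, no negative rows, rows sum to the stated total,
    and that total is covered by the independently observed cold storage."""
    rows, total = report["rows"], report["total"]
    return (hmac.compare_digest(_digest(rows, total), report["digest"])
            and all(amt >= 0 for _, amt in rows)
            and sum(amt for _, amt in rows) == total
            and total <= cold_storage_total)


def my_balance_is_listed(report, account_id, secret, expected) -> bool:
    """Account holder: recompute own tag and look for it with the right amount."""
    tag = account_tag(account_id, secret)
    return any(hmac.compare_digest(tag, t) and amt == expected
               for t, amt in report["rows"])


# Constructed sample data (hypothetical accounts, balances in satoshis).
BALANCES = {"alice@example.com": 150_000_000, "bob@example.com": 25_000_000}
SECRETS = {acct: secrets.token_bytes(32) for acct in BALANCES}
REPORT = build_report(BALANCES, SECRETS)

if __name__ == "__main__":
    print(json.dumps(REPORT, indent=2))
    print("consistent:", report_is_consistent(REPORT, 200_000_000))
    print("alice listed:", my_balance_is_listed(
        REPORT, "alice@example.com", SECRETS["alice@example.com"], 150_000_000))
```

The check only holds if every account holder actually verifies their own row: an omitted account lowers the published total without breaking the sum.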
legendary
Activity: 1904
Merit: 1002
October 06, 2012, 03:37:06 PM
Smarter people could help me out here if I don't know what I'm talking about, but how about these ideas:

In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.

In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of receipt from said data center.

In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly?  If they are properly encrypted it shouldn't be an issue and I believe with some crypto hash magic a person should be able to verify their own details are in the backup without others being able to break it.




Were these bad ideas?

Yes, mostly.

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
2) Shouldn't be too harmful since anyone can verify that themselves with the existing public record ;).
3) Making them public reduces the effort of a compromise from "breaking into his server, obtaining root access to change permissions on backups, copying backups, finding the password" to "finding the password".  Regardless, no amount of crypto "magic" will allow parts of the encrypted data to be read or even verified, so it would be pointless anyway.  Hashing and encryption are two very different beasts.
legendary
Activity: 1008
Merit: 1000
October 06, 2012, 02:34:17 PM
Bitfloor has indeed resumed trading. My official statement on the matter is here:
https://plus.google.com/109620439233076225324/posts/bLJRDHApjSP

More generally https://blog.bitfloor.com will contain official updates.

If you have specific questions please contact [email protected] and I will gladly respond.

Any reasonable way for you to prove these claims?  Or some way for users to verify these claims themselves (this would be even better)?

..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...

..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...

Please?

New security continues to be unverified...

There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains.

I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.

Smarter people could help me out here if I don't know what I'm talking about, but how about these ideas:

In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.

In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of receipt from said data center.

In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly?  If they are properly encrypted it shouldn't be an issue and I believe with some crypto hash magic a person should be able to verify their own details are in the backup without others being able to break it.




Were these bad ideas?
hero member
Activity: 868
Merit: 1002
October 04, 2012, 11:57:36 AM
Roman,

Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.


It was not frozen but they are closing it (details of which are private). I will be moving to a new cash deposit system which will also include more banks; however the transition will take a few weeks. The new system will continue to allow for free deposits. Apologies for any inconvenience this may cause to anyone using the Chase deposits.
So Chase deposits are not coming back? The webpage says "Chase deposits are temporarily unavailable." Just curious as it is my main method of deposit.
sr. member
Activity: 243
Merit: 250
October 04, 2012, 10:19:50 AM
Roman,

Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.


It was not frozen but they are closing it (details of which are private). I will be moving to a new cash deposit system which will also include more banks; however the transition will take a few weeks. The new system will continue to allow for free deposits. Apologies for any inconvenience this may cause to anyone using the Chase deposits.
newbie
Activity: 37
Merit: 0
October 04, 2012, 10:12:36 AM
Roman,

Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.
legendary
Activity: 1008
Merit: 1000
October 03, 2012, 12:05:03 PM
Bitfloor has indeed resumed trading. My official statement on the matter is here:
https://plus.google.com/109620439233076225324/posts/bLJRDHApjSP

More generally https://blog.bitfloor.com will contain official updates.

If you have specific questions please contact [email protected] and I will gladly respond.

Any reasonable way for you to prove these claims?  Or some way for users to verify these claims themselves (this would be even better)?

..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...

..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...

Please?

New security continues to be unverified...

There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains.

I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.

Smarter people could help me out here if I don't know what I'm talking about, but how about these ideas:

In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.

In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of receipt from said data center.

In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly?  If they are properly encrypted it shouldn't be an issue and I believe with some crypto hash magic a person should be able to verify their own details are in the backup without others being able to break it.


sr. member
Activity: 243
Merit: 250
October 02, 2012, 11:08:20 PM
Bitfloor has indeed resumed trading. My official statement on the matter is here:
https://plus.google.com/109620439233076225324/posts/bLJRDHApjSP

More generally https://blog.bitfloor.com will contain official updates.

If you have specific questions please contact [email protected] and I will gladly respond.

Any reasonable way for you to prove these claims?  Or some way for users to verify these claims themselves (this would be even better)?

..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...

..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...

Please?

New security continues to be unverified...

There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains.

I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.
legendary
Activity: 1680
Merit: 1035
October 02, 2012, 10:37:20 PM
Bought $5,000 worth of BTC today, and withdrew the BTC without issues. Everything seems to be working ok (I guess aside from some customer support/ACH issues)
sr. member
Activity: 408
Merit: 261
October 02, 2012, 12:39:20 PM
blog? I can't find any. looked on site, google search, your bitcointalk profile.  could you link to it?
Intuitively, it's:
http://blog.bitfloor.com/

That link actually loads nothing for me (just reloads https://bitfloor.com) but https://blog.bitfloor.com looks like it redirects to: https://plus.google.com/109620439233076225324/posts

... serious server downtime will always be mentioned on our blog as well as our twitter account (@bitfloor) as soon as possible.

You've made two tweets lifetime (one of which being yesterday's ex post facto downtime acknowledgement) and have 11 total followers.  Maybe you should actually start using twitter a bit more before we rely on it for downtime announcements.

Hi,

It's been 9 days now since I emailed support to apply for ACH withdrawal status to be set up on my account with you, I sent you my full bank account details plus photo of my ID, but so far with no acknowledgment, no reply, no response to my post in your thread asking after this & the ACH has not been enabled on my account as yet.


Likewise, same deal for me.  Waiting...no reply.

I would love to continue to support BitFloor's resurrection, but I cannot justify sending any more coins there until I have a verified way to cash out.

Come on Roman, your remaining loyal clients and potential new ones are going to need some extra communication and responsiveness to rebuild your credibility after what happened.  So what's up?