bitfloor needs your help! - page 12.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: whitslack on October 11, 2012, 11:59:11 AM

Quote from: SgtSpike on October 11, 2012, 11:23:07 AM

Roman - any update on the potential investors/payback of the lost BTC?

I somewhat expected to start seeing my "held" BTC balance tick downwards ever so slightly as transaction fees are being collected, but it hasn't happened. Maybe it's a manual process now, but Roman should automate it. Continuous, incremental progress toward getting everyone paid back, even if it will take years, would be a welcome sight.

Agreed, though I was also hoping he would find an investor to cover the losses. Wink

whitslack

full member

Activity: 120

Merit: 144

Quote from: SgtSpike on October 11, 2012, 11:23:07 AM

Roman - any update on the potential investors/payback of the lost BTC?

I somewhat expected to start seeing my "held" BTC balance tick downwards ever so slightly as transaction fees are being collected, but it hasn't happened. Maybe it's a manual process now, but Roman should automate it. Continuous, incremental progress toward getting everyone paid back, even if it will take years, would be a welcome sight.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Roman - any update on the potential investors/payback of the lost BTC?

Otoh

donator

Activity: 3108

Merit: 1166

ACH withdrawal was enabled on my account, it took a while but implemented earlier this week & just when I planned to test it out Wells Fargo go & break it, oh well I shall look at doing this in November now, I hope that Bitfloor will find the US banks more cooperative than the UK ones have proved to be for other Exchanges up until now. I guess that this explains why there's a 139 btc bid there atm for $12.20 while Gox price is just under $12 now, a nice arb op for someone who doesn't mind waiting to get the $ out.

toffoo

sr. member

Activity: 408

Merit: 261

Quote

bitfloor7:24 PM - Public

WellsFargo cash deposits are currently suspended. Due to this account suspension, ACH withdrawals will be delayed as the account is closed. These delays are outside of our control and we apologize for any inconvenience this may cause. We strive to process both USD and BTC in an efficient manner and will continue to do so after these delays are resolved.

We will post more information on the future of cash deposits as it becomes available.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: davout on October 08, 2012, 03:17:03 PM

Quote from: SgtSpike on October 08, 2012, 03:23:34 AM

Quote from: davout on October 08, 2012, 02:44:44 AM

Quote from: notme on October 06, 2012, 03:37:06 PM

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.

Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

Ok smartass, let me just quote wikipedia for you

Quote

Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security.

The fact is though, revealing information about his cold storage procedures DOES reduce the effective security of said procedure. One less unknown is one more factor a malicious entity could use in planning an attack.

I know the argument is that security measures should always be 100% bulletproof, so that even if all the facts were known, it wouldn't be possible to crack, but it is very rarely the case that such a scenario can be created. Especially with regards to cold storage, the malicious entity would want to know where it is stored, how it is stored, how often and when it is accessed, etc. Each of those unknowns is "security through obscurity", but each one, if revealed, would help an attacker with pulling off a heist.

Just my two cents. Wink

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

Quote from: davout on October 08, 2012, 03:17:03 PM

Ok smartass, let me just quote wikipedia for you

Quote from: Vod on October 08, 2012, 03:09:05 PM

A password by itself is useless - you need the associated login name.

Oh, and what are you doing here ? How about letting the grown-ups do the talking ?

Don't feed the troll.

davout

legendary

Activity: 1372

Merit: 1008

1davout

Quote from: SgtSpike on October 08, 2012, 03:23:34 AM

Quote from: davout on October 08, 2012, 02:44:44 AM

Quote from: notme on October 06, 2012, 03:37:06 PM

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.

Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

Ok smartass, let me just quote wikipedia for you

Quote from: Vod on October 08, 2012, 03:09:05 PM

A password by itself is useless - you need the associated login name.

Oh, and what are you doing here ? How about letting the grown-ups do the talking ?

Vod

legendary

Activity: 3668

Merit: 3010

Licking my boob since 1970

Quote from: SgtSpike on October 08, 2012, 03:23:34 AM

Quote from: davout on October 08, 2012, 02:44:44 AM

Quote from: notme on October 06, 2012, 03:37:06 PM

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.

Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

A password by itself is useless - you need the associated login name.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: davout on October 08, 2012, 02:44:44 AM

Quote from: notme on October 06, 2012, 03:37:06 PM

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.

Security through obscurity is not security.

Passwords are security through obscurity, so yes, it is.

davout

legendary

Activity: 1372

Merit: 1008

1davout

Quote from: notme on October 06, 2012, 03:37:06 PM

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.

Security through obscurity is not security.

Quote from: notme on October 06, 2012, 03:37:06 PM

3) Making them public reduces the effort of a compromise from "breaking into his server, obtaining root access to change permissions on backups, copying backups, finding the password" to "finding the password". Regardless, no amount of crypto "magic" will allow parts of the encrypted data to be read or even verified, so it would be pointless anyway. Hashing and encryption are two very different beasts.

Why not ? Say you hash the account identifiers (maybe with a per-account secret), pair them with their balance, sum the balances in a nice report.
Anyone can verify they are in the balance list, no one can look my balance up, I can check that the sum is consistent with the amount in cold storage.
That can also be seen as some sort of backup if properly signed, I'm sure the Bitcoinica folks would have loved to have something like that lying around.

notme

legendary

Activity: 1904

Merit: 1002

Quote from: SkRRJyTC on October 06, 2012, 02:34:17 PM

Quote from: SkRRJyTC on October 03, 2012, 12:05:03 PM

Smarter people could help me out here if I dont know what I'm talking about, but how about these ideas:

In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.

In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of recipt from said data center.

In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly? If they are properly encrypted it shouldn't be an issue and I believe with some cyrtpo hash magic a person should be able to verify their own details are in the backup without others being able to break it.

Were these bad ideas?

Yes, mostly.

1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
2) Shouldn't be too harmful since anyone can verify that themselves with the existing public record Wink

.
3) Making them public reduces the effort of a compromise from "breaking into his server, obtaining root access to change permissions on backups, copying backups, finding the password" to "finding the password". Regardless, no amount of crypto "magic" will allow parts of the encrypted data to be read or even verified, so it would be pointless anyway. Hashing and encryption are two very different beasts.

SkRRJyTC

legendary

Activity: 1008

Merit: 1000

Quote from: SkRRJyTC on October 03, 2012, 12:05:03 PM

Quote from: shtylman on October 02, 2012, 11:08:20 PM

Quote from: SkRRJyTC on October 02, 2012, 08:16:48 AM

Quote from: SkRRJyTC on September 28, 2012, 08:07:52 AM

Quote from: SkRRJyTC on September 23, 2012, 04:19:08 PM

Quote from: SkRRJyTC on September 21, 2012, 11:14:14 AM

Quote from: shtylman on September 21, 2012, 10:29:08 AM

Bitfloor has indeed resumed trading. My official statement on the matter is here:
https://plus.google.com/109620439233076225324/posts/bLJRDHApjSP

More generally https://blog.bitfloor.com will contain official updates.

If you have specific questions please contact [email protected] and I will gladly respond.

Any reasonable way for you to prove these claims? Or someway for users to verify these claims themselves (this would be even better)

..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...

..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...

Please?

New security continues to be unverified...

There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains.

I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.

Smarter people could help me out here if I dont know what I'm talking about, but how about these ideas:

In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.

In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of recipt from said data center.

In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly? If they are properly encrypted it shouldn't be an issue and I believe with some cyrtpo hash magic a person should be able to verify their own details are in the backup without others being able to break it.

Were these bad ideas?

jwzguy

hero member

Activity: 868

Merit: 1002

Quote from: shtylman on October 04, 2012, 10:19:50 AM

Quote from: BitcoinForLiberty on October 04, 2012, 10:12:36 AM

Roman,

Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.

It was not frozen but they are closing it (details of which are private). I will be moving to a new cash deposit system which will also include more banks; however the transition will take a few weeks. The new system will continue to allow for free deposits. Apologies for any inconvenience this may cause to anyone using the Chase deposits.

So Chase deposits are not coming back? The webpage says "Chase deposits are temporarily unavailable." Just curious as it is my main method of deposit.

shtylman

sr. member

Activity: 243

Merit: 250

Quote from: BitcoinForLiberty on October 04, 2012, 10:12:36 AM

Roman,

Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.

It was not frozen but they are closing it (details of which are private). I will be moving to a new cash deposit system which will also include more banks; however the transition will take a few weeks. The new system will continue to allow for free deposits. Apologies for any inconvenience this may cause to anyone using the Chase deposits.

BitcoinForLiberty

newbie

Activity: 37

Merit: 0

Roman,

Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.

SkRRJyTC

legendary

Activity: 1008

Merit: 1000

Quote from: shtylman on October 02, 2012, 11:08:20 PM

Quote from: SkRRJyTC on October 02, 2012, 08:16:48 AM

Quote from: SkRRJyTC on September 28, 2012, 08:07:52 AM

Quote from: SkRRJyTC on September 23, 2012, 04:19:08 PM

Quote from: SkRRJyTC on September 21, 2012, 11:14:14 AM

Quote from: shtylman on September 21, 2012, 10:29:08 AM

Bitfloor has indeed resumed trading. My official statement on the matter is here:
https://plus.google.com/109620439233076225324/posts/bLJRDHApjSP

More generally https://blog.bitfloor.com will contain official updates.

If you have specific questions please contact [email protected] and I will gladly respond.

Any reasonable way for you to prove these claims? Or someway for users to verify these claims themselves (this would be even better)

..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...

..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...

Please?

New security continues to be unverified...

There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains.

I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.

Smarter people could help me out here if I dont know what I'm talking about, but how about these ideas:

In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.

In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of recipt from said data center.

In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly? If they are properly encrypted it shouldn't be an issue and I believe with some cyrtpo hash magic a person should be able to verify their own details are in the backup without others being able to break it.

shtylman

sr. member

Activity: 243

Merit: 250

Quote from: SkRRJyTC on October 02, 2012, 08:16:48 AM

Quote from: SkRRJyTC on September 28, 2012, 08:07:52 AM

Quote from: SkRRJyTC on September 23, 2012, 04:19:08 PM

Quote from: SkRRJyTC on September 21, 2012, 11:14:14 AM

Quote from: shtylman on September 21, 2012, 10:29:08 AM

Bitfloor has indeed resumed trading. My official statement on the matter is here:
https://plus.google.com/109620439233076225324/posts/bLJRDHApjSP

More generally https://blog.bitfloor.com will contain official updates.

If you have specific questions please contact [email protected] and I will gladly respond.

Any reasonable way for you to prove these claims? Or someway for users to verify these claims themselves (this would be even better)

..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through out hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...

..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...

Please?

New security continues to be unverified...

There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains.

I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.

Rassah

legendary

Activity: 1680

Merit: 1035

Bought $5,000 worth of BTC today, and withdrew the BTC without issues. Everything seems to be working ok (I guess aside from some customer support/ACH issues)

toffoo

sr. member

Activity: 408

Merit: 261

Quote from: whitslack on October 02, 2012, 09:56:06 AM

Quote from: fbastage on October 02, 2012, 09:22:08 AM

blog? I can't find any. looked on site, google search, your bitcointalk profile. could you link to it?

Intuitively, it's:
http://blog.bitfloor.com/

That link actually loads nothing for me (just reloads https://bitfloor.com) but https://blog.bitfloor.com looks like it redirects to: https://plus.google.com/109620439233076225324/posts

Quote from: shtylman on October 02, 2012, 03:42:59 AM

... serious server downtime will always be mentioned on our blog as well as our twitter account (@bitfloor) as soon as possible.

You've made two tweets lifetime (one of which being yesterday's ex post facto downtime acknowledgement) and have have 11 total followers. Maybe you should actually start using twitter a bit more before we rely on it for downtime announcements.

Quote from: Otoh on October 02, 2012, 06:04:45 AM

Hi,

It's been 9 days now since I emailed support to apply for ACH withdrawal status to be set up on my account with you, I sent you my full bank account details plus photo of my ID, but so far with no acknowledgment, no reply, no response to my post in your thread asking after this & the ACH has not been enabled on my account as yet.

Likewise, same deal for me. Waiting...no reply.

I would love to continue to support BitFloor's resurrection, but I cannot justify sending any more coins there until I have a verified way to cash out.

Come on Roman, your remaining loyal clients and potential new ones are going to need some extra communication and responsiveness to rebuild your credibility after what happened. So what's up?

Topic: bitfloor needs your help! - page 12. (Read 177459 times)