Pages:
Author

Topic: bitfloor needs your help! - page 26. (Read 177467 times)

sr. member
Activity: 272
Merit: 250
Cryptopreneur
September 05, 2012, 11:07:58 AM
It was for at least an hour, but it started working right after i posted.  Cheesy
hero member
Activity: 816
Merit: 1000
September 05, 2012, 11:06:37 AM
Interestingly, Mt.Gox is down also it seems.

False.  Good one though.
sr. member
Activity: 272
Merit: 250
Cryptopreneur
September 05, 2012, 11:04:35 AM
Interestingly, Mt.Gox is down also it seems.
legendary
Activity: 1680
Merit: 1035
September 05, 2012, 10:59:46 AM
Also, I trust MtGox because it was previously hacked, and was forced to review its security procedures. Someone new may not care until they got hurt badly. Should it come back, I would trust Bitfloor more than other new exchanges (assuming their security policies we're also publicly scrutinized), because, like MtGox, they were forced to learn from mistakes and the owner knows just now much stupid oversights can cost him.
legendary
Activity: 1680
Merit: 1035
September 05, 2012, 10:52:41 AM
I don't think selling ownership of the company is a good idea. Loans or bonds may be a better way to go. Running the numbers, to borrow $260k for 15 years at 5% interest will cost $2,056 per month (extra $20k to get the infrastructure and security rebuilt). If Roman can't borrow that from a bank, it may be prudent to sell long-term bonds that pay out a dividends the sum of which equal to that monthly amount. Now, in bitcoinworld, a paltry 5% a year dividend may seem like crap, especially compared to 7% a week ponzis, AND there's a huge risk that this business may not survive for very long anyway (using personal bank accounts for deposits?), but the benefits are:

1) All the money needed to cover stolen BTC are raised immediately
2) Roman still takes a hit (punishment) by working for zero profit for a few months, until revenues exceed the dividend payouts.
3) Roman still retains ownership of the company, and has incentive in keeping it going, because
4) While the volume continues to grow, and Bitcoin continues to increase in value, the fixed ~$2,000 monthly payments remain the same, and become easier and easier to pay off, and once the business is established enough, Roman can start buying the bonds back early (though he may not have the incentive to do so).

Again, it's important to keep in mind that this business itself is risky, with plenty of competition and regulatory traps, and it's dealing with a risky currency, so 15 years (even with the hope that once Bitfloor revenues improve, it may turn into 2 to 5 years) may be hard for people to swallow. Especially since this is in computer years. We were using dial-up and Windows 95 15 years ago. Who knows where Bitcoin and our tech will be 15 years from now. But, if run well, a 5% a year bond is still a damn good investment in the real world.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
September 05, 2012, 10:48:42 AM
I go to the site and it reads this (which it still reads)

Bitfloor Website
Is currently offline.
It will be back shortly.
I check back later and its up. So I sent 136 coin to my deposit address.
Anyone else think the message on the site should read
DO NOT SEND ANY COIN TO US WE HAVE BEEN HACKED!!!!!
or something of that nature. I only keep my money in coin for less than 24 hours before converting it and got screwed. Guess I stop taking bitcoin cause its too risky.

Speaking like a true Junior.

Imagine how Bitfloor feels right now.

Speaking of Junior League: looking through Google's cache of bitfloor, and maybe I'm just missing something obvious here, but I don't see TOS at all. Did bitfloor users agree to a specific TOS via email, or some form of messaging, or… what?

This is the closest I could find: http://webcache.googleusercontent.com/search?q=cache:sm6wAI8jZJYJ:https://bitfloor.com/docs/+&cd=1&hl=en&ct=clnk&gl=us

Somebody else may desire to copy and paste what's available.

~Bruno~
hero member
Activity: 546
Merit: 500
September 05, 2012, 10:44:35 AM
It's simply not believable that anyone involved enough with Bitcoin to make such a site, who has undoubtedly heard about all the other large-scale hacks, would simply leave an unencrypted wallet file worth a quarter mil lying around waiting to be hacked.

Right now, the owner should be desperately trying to convince us he didn't steal the money himself.

I have but a tiny percentage of the wealth of that wallet, and I am not smart enough to run such an exchange website, but I know enough to encrypt my fucking wallet .

I like Roman and Bitfloor, but I agree with barbarousrelic.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
September 05, 2012, 10:40:54 AM
If ever I'm putting any service public (I have a Facebook wallet), I will have my cold storage on an air gaped computer and not hold more in hot storage than I can afford to loose as I would get hacked like all the others. If that service doesn't make money to hire people to charge the hot wallet, this would mean the service might perform much worse when I'm on vacation but I would never loose money to a hacker exceeding what I can afford to loose.

(Ok, if the hacker manages to send out payments that look legit over an extended period of time without my users reporting anything, this could kill me but so far, all hacks went in one go and frankly I can't believe all these stories of being hacked.)
donator
Activity: 640
Merit: 500
September 05, 2012, 10:30:07 AM
 Undecided
legendary
Activity: 1428
Merit: 1000
https://www.bitworks.io
September 05, 2012, 10:25:00 AM
Interesting.  After we saw hacks and/or incompetent management from MtGox, Bitomat, Bitconica (x2), etc, exchanges are still getting hacked.  Probably best to leave matters to the professionals with 24/7 monitoring of both hardware and software involved in the project.

This is exactly right. Banking website have to comply with countless rules and regulations. BitCoin websites are setup by people with no practical experience of building secure sites and those people always miss things.



What's interesting is how all of these activities tend to drive the community toward the kinds of rules and regulations that many tend to despise.. I know the answer will be that "we can do it better" but ultimately I think it will drive down the same path because the community as a whole isn't much different, ultimately purists aren't driving the value of bitcoins, the same types that play in other financial markets are.
legendary
Activity: 1400
Merit: 1005
September 05, 2012, 10:24:05 AM
the stupid feature of exchanges are instant withdrawals....why not keep everything in cold wallets and process btc withdrawls once a day...manually...
That's kind of what I was thinking... I'd much rather have secured funds at this point than the ability to instantly withdraw them.
donator
Activity: 1466
Merit: 1048
I outlived my lifetime membership:)
September 05, 2012, 10:18:40 AM
the stupid feature of exchanges are instant withdrawals....why not keep everything in cold wallets and process btc withdrawls once a day...manually...
sd
hero member
Activity: 730
Merit: 500
September 05, 2012, 10:12:35 AM
Interesting.  After we saw hacks and/or incompetent management from MtGox, Bitomat, Bitconica (x2), etc, exchanges are still getting hacked.  Probably best to leave matters to the professionals with 24/7 monitoring of both hardware and software involved in the project.

This is exactly right. Banking website have to comply with countless rules and regulations. BitCoin websites are setup by people with no practical experience of building secure sites and those people always miss things.

donator
Activity: 1218
Merit: 1079
Gerald Davis
September 05, 2012, 10:09:56 AM
Interesting.  After we saw hacks and/or incompetent management from MtGox, Bitomat, Bitconica (x2), etc, exchanges are still getting hacked.  Probably best to leave matters to the professionals with 24/7 monitoring of both hardware and software involved in the project.

Anyone else running an exchange without 24/7 surveillance and independent auditing?  Best to own up now so users can proactively flee.

Tangible Cryptography doesn't have 24/7 manned monitoring or independent auditing.  Then again we never accept sales we can't promptly pay and we hold all coins in an offline wallet which greatly reduces out attack surface.

The reality is setting the bar that high is probably useless.  Bitcoin simply isn't that big.  MtGox "maybe" meets your requirement.  All the hacks to date could have been prevented and/or reduced in scope with some more realistic standards.
sr. member
Activity: 272
Merit: 250
Cryptopreneur
September 05, 2012, 10:09:01 AM
It's a shame. I really liked this exchange. Lets see if the owner makes things right.
legendary
Activity: 1692
Merit: 1018
September 05, 2012, 10:01:08 AM
Interesting.  After we saw hacks and/or incompetent management from MtGox, Bitomat, Bitconica (x2), etc, exchanges are still getting hacked.  Probably best to leave matters to the professionals with 24/7 monitoring of both hardware and software involved in the project.

Anyone else running an exchange without 24/7 surveillance and independent auditing?  Best to own up now so users can proactively flee.
hero member
Activity: 560
Merit: 500
I am the one who knocks
September 05, 2012, 09:02:22 AM
The system was connected to from one of our other boxes which was accessed through a virtual console. The wallet box had all public ports blocked but was able to be connected to from a few of the other boxes.
Thanks for confirming.  This is why I prefer no incoming connections allowed on the secure box.  If you must have occasional ssh, you can have it enabled on boot and then login to disable it.  That way you can reboot first if you must login.

How do you solve getting to the secluded bitcoind to command it to sent bitcoins out?
You don't.  You have a process on the 'wallet server' that checks an external source and base it off of that.

In a 100% ideal security scenario you don't have ANY incoming connections.  That isn't 100% possible because bitcoind needs to get blocks so that has to be at least port 8333 open.  Also other ports were probably open as well for convenience, just firewalled to allow certain machines access.

EDIT:  Or what the other 100 people above me said (teach me to reply without reading the whole thread).
hero member
Activity: 675
Merit: 502
September 05, 2012, 08:23:54 AM
It's simply not believable that anyone involved enough with Bitcoin to make such a site, who has undoubtedly heard about all the other large-scale hacks, would simply leave an unencrypted wallet file worth a quarter mil lying around waiting to be hacked.

Right now, the owner should be desperately trying to convince us he didn't steal the money himself.

I have but a tiny percentage of the wealth of that wallet, and I am not smart enough to run such an exchange website, but I know enough to encrypt my fucking wallet .
legendary
Activity: 3472
Merit: 4801
September 05, 2012, 08:14:16 AM
. . .How do you trust the content of those commands and transactions? Because, basically, that is that same public website with input from customers.

If we can't trust the website giving commands into the hot wallet, [edited:]how can we trust that same website to collect and offer the hot wallet valid and intended commands to pull?
You can't eliminate your risk 100% and still have a functional usable interface, but you can drastically limit your risk.  If you put sanity checks into the daemon that runs on the box that does the polling, you can limit the size of any single transaction, you can limit the total amount of BTC that are transferred out over any time range, you can require authorization for certain transactions, and as I said earlier you can immediately shut down bitcoind, and the polling daemon as well as delete the wallet.dat in the event of anything that is identified as a theft attempt.  Without access to the code in this daemon, a hacker can't know what limits exist or what triggers will result in the system administrators being alerted to his efforts.  If the hacker unknowingly attempts a few really large transfers he will be stopped in his tracks.  If a hacker is more patient, he might be able to size his transactions to match the typical transaction of the service and keep the total number of transactions in line with typical traffic.  This might allow the hacker to get away with a few coins, but it will slow them way down limiting your exposure and allowing you time to identify the breach and respond.  I suspect that most users of most services would be willing to wait on human authorization and manual transfer of any large transaction if it means keeping their money safe in the first place.
Pages:
Jump to: