Topic: bitfloor needs your help! - page 38. (Read 177467 times)

hero member
Activity: 812
Merit: 1001
-
September 04, 2012, 02:40:45 PM
#90
Replace word "bitcoins" by "potatoes" and any judge will figure out on the spot what to do.

donator
Activity: 1218
Merit: 1079
Gerald Davis
September 04, 2012, 02:40:38 PM
#89
That +1000.  It baffles me why larger sites have not implemented that yet.  Hell they could even make it a user option.

MtGox does this (I hate to encourage more centralization of trading activity but it is the reality).  IIRC something like 80%+ of coins on deposit are in offline cold storage.   Sadly I was impressed by shtylman's other security measures and I assumed he used a cold wallet for at least a portion of the funds.   Expensive mistake on my part.
donator
Activity: 1218
Merit: 1079
Gerald Davis
September 04, 2012, 02:38:25 PM
#88
In this case I suppose it will come down to whether the Bankruptcy Judge finds that the Bitcoins stolen at the time were of value too (and must be replaced at their market value in USD) or not.

This.  I would also point out there isn't a single precedent that a judge could rely on so the judge would be essentially writing new law (something most judges don't like doing).  It is likely that a judge would look for regulation of Bitcoin (and exchanges) before accepting they have value as deposits under US Bankruptcy law.

Why?  Well otherwise the potential for abuse is huge.
legendary
Activity: 2506
Merit: 1010
September 04, 2012, 02:37:33 PM
#87
I give shtylman props for being upfront about the theft rather than dither about it as some places have.

He sent out an e-mail less than 24 hours ago about API keys being compromised, and asserted that "No accounts were compromised financially nor was there any access to coins or any funds."

 - https://bitcointalksearch.org/topic/m.1159003


That could have been an initial attempt to communicate based on a misunderstanding of the actual situation but there was no further communication until this announcement.
hero member
Activity: 560
Merit: 500
I am the one who knocks
September 04, 2012, 02:37:12 PM
#86

Like taking that 5% fee and paying someone who knows something about security to have a look at your stuff and point out obvious weaknesses like "unencrypted copy of the wallet keys" lying around on "supposedly non-public-facing" servers with open connections to public facing servers.

Or maybe one should be responsible for one's own money and btc and not leave them sitting on other peoples' servers for extended periods? Would you leave your wallet and house keys next to someone on the subway to watch for you? You gave him five bucks. He said he'll do his best.
Obviously you don't trade a lot.  If you want to take advantage of the swings then you must hold a balance on the exchanges.
hero member
Activity: 560
Merit: 500
I am the one who knocks
September 04, 2012, 02:36:37 PM
#85
There is no single solution which meets the needs of every single service provider.  That being said having a hotwallet with 100% of the funds is simply inexcusable.   More than anything else it is sad.   Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO).  It is destroyed now and honestly shtylman is better than that.

Agreed.  If Roman really learns as much as possible from this, let others review his security procedures, he can build the most secure exchange out there.  Large withdrawals may not be instant, who cares, at least they are safe.  If I deposit 1000 BTC with him, I want to trade it, not withdraw it back out immediately.
That +1000.  It baffles me why larger sites have not implemented that yet.  Hell they could even make it a user option.
hero member
Activity: 812
Merit: 1001
-
September 04, 2012, 02:33:57 PM
#84
Few questions:

Were your servers VPS?

Who hosted your servers?
from whois


Name Servers:
   ns1.linode.com
   ns2.linode.com
   ns3.linode.com
   ns4.linode.com


unbelievable!  I suppose 10$/month is something that kills common sense outright.

sr. member
Activity: 476
Merit: 250
September 04, 2012, 02:32:42 PM
#83
It's very human at least.

I give shtylman props for being upfront about the theft rather than dither about it as some places have.
full member
Activity: 150
Merit: 100
Thank you! Thank you! ...
September 04, 2012, 02:31:16 PM
#82
Disbursing funds to some customers and not others would be a criminal act under those.

I believe a court order (injunction) should be filed to help ensure the exchange operator proceeds as prescribed by law.

Bitcoins were stolen, not cash. That cash is not Bitfloors to distribute to other customers. It's mine.

You assume that Bitfloor is under the same regulations as a brokerage requiring segregation of customer funds. I don't believe that is the case here, and even if it was, that is of little protection as we have seen recently with supposedly segregated funds in the MF Global and PFGBest collapses.

In this case I suppose it will come down to whether the Bankruptcy Judge finds that the Bitcoins stolen at the time were of value too (and must be replaced at their market value in USD) or not.
hero member
Activity: 742
Merit: 500
September 04, 2012, 02:30:20 PM
#81
There is no single solution which meets the needs of every single service provider.  That being said having a hotwallet with 100% of the funds is simply inexcusable.   More than anything else it is sad.   Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO).  It is destroyed now and honestly shtylman is better than that.

Agreed.  If Roman really learns as much as possible from this, let others review his security procedures, he can build the most secure exchange out there.  Large withdrawals may not be instant, who cares, at least they are safe.  If I deposit 1000 BTC with him, I want to trade it, not withdraw it back out immediately.
legendary
Activity: 1400
Merit: 1005
September 04, 2012, 02:29:49 PM
#80
shtylman, what does "currently evaluating" mean?  Do you have the ability to pay for 24k BTC out of your own pocket, or are you looking for outside investments?  I appreciate you being upfront about the attack, but do I have any hope of seeing any of my deposited BTC again?

Also, to those saying that USD should be paid out - no, it should not.  If Bitfloor does indeed default on its obligations, then a court ruling would have it pay out equally to remaining creditors.  Not 100% to USD creditors, and 2% to BTC creditors.  Therefore, shtylman should hold on to any USD he has until he has decided what course of action to take, and use it to pay out on claims on a bankruptcy liquidation, should it come to that.
legendary
Activity: 2506
Merit: 1010
September 04, 2012, 02:27:56 PM
#79
Disbursing funds to some customers and not others would be a criminal act under those.

I believe a court order (injunction) should be filed to help ensure the exchange operator proceeds as prescribed by law.

Bitcoins were stolen, not cash. That cash is not Bitfloors to distribute to other customers. It's mine.

Doesn't work that way in the U.S.

A quick search and I couldn't find the exact description about how customer funds are pooled (giving a net balance), regardless if the account had a balance of securities or cash, then disbursed.

Here's from Canada, which is pretty much the same in the U.S.

Quote
The customer pool fund includes all securities owned by a bankrupt securities firm, and all securities and cash held by or for the account of both the securities firm and every customer of the securities firm, other than customer name securities. The customer pool fund is allocated first to cover the costs of administering the bankrupt estate and then to cover customer claims in proportion to each customer's net equity position.

 -- http://www.cipf.ca/Public/FAQ/Coverage/PartXII.aspx
hero member
Activity: 952
Merit: 1009
September 04, 2012, 02:27:26 PM
#78
That too of course.  Wink

Isn't it odd that personal responsibility is always down further on the list? : )

It's very human at least.
sr. member
Activity: 476
Merit: 250
September 04, 2012, 02:25:54 PM
#77
That too of course.  Wink

Isn't it odd that personal responsibility is always down further on the list? : )
hero member
Activity: 574
Merit: 500
September 04, 2012, 02:23:08 PM
#76
Few questions:

Were your servers VPS?

Who hosted your servers?
from whois


Name Servers:
   ns1.linode.com
   ns2.linode.com
   ns3.linode.com
   ns4.linode.com
donator
Activity: 1218
Merit: 1079
Gerald Davis
September 04, 2012, 02:22:51 PM
#75
Wow... just wow.

I thought you were better than that.

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

Hmm, do you mean that the outgoing transfers should always be done from separate server manually? So no automated transfers?

Well he didn't mean that but yes a cold wallet with batch processing is another option.  I would point out that even if a hot wallet is needed, if the hot wallet had say 10% of total funds then 90% of the BTC would still remain right now.  The attacker would have stolen ~2,500 BTC not 25,000.  If using a split wallet like that, occasionally the hot wallet can run out of funds and clients will experience a delay.

There is no single solution which meets the needs of every single service provider.  That being said having a hotwallet with 100% of the funds is simply inexcusable.   More than anything else it is sad.   Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO).  It is destroyed now and honestly shtylman is better than that.
hero member
Activity: 574
Merit: 500
September 04, 2012, 02:22:22 PM
#74
Wow... just wow.

I thought you were better than that.

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

Hmm, do you mean that the outgoing transfers should always be done from separate server manually? So no automated transfers?


Not really. A hot wallet server can connect to the exchange, listen for transfers, validate transfers for any issues (like requests from wrong IPs, large transactions, etc.) and automatically process them.

The server doesn't need to be accessible from outside.
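A small Python model of the split described in posts #75 and #74 above: a hot wallet capped at a fraction of total funds and refilled from cold storage in batches, plus a non-public signing host that checks source address and transaction size before it touches keys. This is an added illustration, not Bitfloor's code or anything posted in the thread; the 10% cap, the 100 BTC per-transaction limit and the 10.0.0.5 front-end address are assumed values.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values (not from the thread): hot wallet holds at most 10% of
# total funds, the signing host refuses single withdrawals above 100 BTC, and
# it only accepts requests from the exchange front end's private address.
HOT_FRACTION = 0.10
PER_TX_LIMIT = 100.0
ALLOWED_SOURCES = {"10.0.0.5"}


@dataclass
class Wallets:
    cold: float                                     # offline balance, never on the web host
    hot: float                                      # balance the signing host can spend
    queued: deque = field(default_factory=deque)    # withdrawals waiting for a refill
    rejected: list = field(default_factory=list)    # requests that failed validation

    def hot_cap(self):
        return HOT_FRACTION * (self.cold + self.hot)

    def refill(self):
        """Operator-driven batch top-up from cold storage, up to the cap."""
        top_up = min(self.cold, max(0.0, self.hot_cap() - self.hot))
        self.cold -= top_up
        self.hot += top_up
        return self.drain_queue()

    def request(self, amount, src_ip):
        """Signing host validates a withdrawal before spending from the hot wallet."""
        if src_ip not in ALLOWED_SOURCES or amount <= 0 or amount > PER_TX_LIMIT:
            self.rejected.append((amount, src_ip))
            return "rejected"
        self.queued.append(amount)
        return self.drain_queue()

    def drain_queue(self):
        """Pay queued withdrawals in order while the hot balance covers them."""
        while self.queued and self.queued[0] <= self.hot:
            self.hot -= self.queued.popleft()
        return "sent" if not self.queued else "delayed"


def compromise_loss(w):
    """Worst case for a fully compromised hot-wallet host: the attacker drains
    the hot balance, and the cold balance is untouched."""
    loss = w.hot
    w.hot = 0.0
    return loss
```

Starting from 25,000 BTC split 10/90, a full compromise of the hot host loses roughly 2,500 BTC rather than 25,000, and later withdrawals are merely delayed until the operator refills from cold storage.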
sr. member
Activity: 409
Merit: 251
Crypt'n Since 2011
September 04, 2012, 02:21:36 PM
#73
Few questions:

Were your servers VPS?

Who hosted your servers?
hero member
Activity: 812
Merit: 1006
September 04, 2012, 02:16:02 PM
#72
Wow... just wow.

I thought you were better than that.

I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

Hmm, do you mean that the outgoing transfers should always be done from separate server manually? So no automated transfers?
hero member
Activity: 952
Merit: 1009
September 04, 2012, 02:15:32 PM
#71
Like taking that 5% fee and paying someone who knows something about security to have a look at your stuff and point out obvious weaknesses like "unencrypted copy of the wallet keys" lying around on "supposedly non-public-facing" servers with open connections to public facing servers.

Or maybe one should be responsible for one's own money and btc and not leave them sitting on other peoples' servers for extended periods? Would you leave your wallet and house next to someone on the subway to watch for you? You gave him five bucks. He said he'll do his best.

That too of course.  Wink