Replace word "bitcoins" by "potatoes" and any judge will figure out on the spot what to do.
Topic: bitfloor needs your help! - page 38. (Read 177459 times)
That +1000. I t baffles me why larger sites have not implemented that yet. Hell they could even make it a user option.
MtGox does this (I hate to encourage more centralization of trading activity but it is the reality). IIRC something like 80%+ of coins on deposit are in offline cold storage. Sadly I was impressed by shtylman's other security measures and I assumed he used a cold wallet for at least a portion of the funds. Expensive mistake on my part.
In this case I suppose it will come down to whether the Bankruptcy Judge finds that the Bitcoins stolen at the time were of value too (and must be replaced at their market value in USD) or not.
This. I would also point out there isn't a single precedent that a judge could rely on so the judge would be essentially writing new law (something most judges don't like doing). It is likely that a judge would look for regulation of Bitcoin (and exchanges) before accepting they have value as deposits under US Bankruptcy law.
Why? Well otherwise the potential for abuse is huge.
I give shtylman props for being upfront about the theft rather than dither about it as some places have.
He sent out an e-mail less than 24 hours ago about API keys being compromised, and asserted that "No accounts were compromised financially nor was there any access to coins or any funds."
- https://bitcointalksearch.org/topic/m.1159003
That could have been an initial attempt to communicate based on a misunderstanding of the actual situation but there was no further communication until this announcement.
Like taking that 5% fee and paying someone who knows something about security to have a look at your stuff and point out obvious weaknesses like "unencrypted copy of the wallet keys" lying around on "supposedly non-public-facing" servers with open connections to public facing servers.
Or maybe one should be responsible for one's own money and btc and not leave them sitting on other peoples' servers for extended periods? Would you leave your wallet and house keys next to someone on the subway to watch for you? You gave him five bucks. He said he'll do his best.
There is no single solution which meets the needs of every single service provider. That being said having a hotwallet with 100% of the funds is simply inexcusable. More than anything else it is sad. Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO). It is destroyed now and honestly shtylman is better than that.
Agreed. If Roman really learns as much as possible from this, let others review his security procedures, he can build the most secure exchange out there. Large withdrawals may not be instant, who cares, at least they are safe. If I deposit 1000 BTC with him, I want to trade it, not withdraw it back out immediately.
Few questions:
Where your servers VPS?
Who hosted your servers?
Where your servers VPS?
Who hosted your servers?
from whois
Name Servers:
ns1.linode.com
ns2.linode.com
ns3.linode.com
ns4.linode.com
unbelievable! I suppose 10$/month is something that kills common sense outright.
It's very human at least.
I give shtylman props for being upfront about the theft rather than dither about it as some places have.
Disbursing funds to some customers and not others would be a criminal act under those.
I believe a court order (injunction) should be filed to help ensure the exchange operator proceeds as prescribed by law.
I believe a court order (injunction) should be filed to help ensure the exchange operator proceeds as prescribed by law.
Bitcoins were stolen, not cash. That cash is not Bitfloors to distribute to other customers. It's mine.
You assume that Bitfloor is under the same regulations as a brokerage requiring segregation of customer funds. I don't believe that is the case here, and even if it was, that is of little protection as we have seen recently with supposedly segregated funds in the MF Global and PFGBest collapses.
In this case I suppose it will come down to whether the Bankruptcy Judge finds that the Bitcoins stolen at the time were of value too (and must be replaced at their market value in USD) or not.
There is no single solution which meets the needs of every single service provider. That being said having a hotwallet with 100% of the funds is simply inexcusable. More than anything else it is sad. Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO). It is destroyed now and honestly shtylman is better than that.
Agreed. If Roman really learns as much as possible from this, let others review his security procedures, he can build the most secure exchange out there. Large withdrawals may not be instant, who cares, at least they are safe. If I deposit 1000 BTC with him, I want to trade it, not withdraw it back out immediately.
shtylman, what does "currently evaluating" mean? Do you have the ability to pay for 24k BTC out of your own pocket, or are you looking for outside investments? I appreciate you being upfront about the attack, but do I have any hope of seeing any of my deposited BTC again?
Also, to those saying that USD should be paid out - no, it should not. If Bitfloor does indeed default on its obligations, then a court ruling would have it pay out equally to remaining creditors. Not 100% to USD creditors, and 2% to BTC creditors. Therefore, shtylman should hold on to any USD he has until he has decided what course of action to take, and use it to pay out on claims on a bankruptcy liquidation, should it come to that.
Also, to those saying that USD should be paid out - no, it should not. If Bitfloor does indeed default on its obligations, then a court ruling would have it pay out equally to remaining creditors. Not 100% to USD creditors, and 2% to BTC creditors. Therefore, shtylman should hold on to any USD he has until he has decided what course of action to take, and use it to pay out on claims on a bankruptcy liquidation, should it come to that.
Disbursing funds to some customers and not others would be a criminal act under those.
I believe a court order (injunction) should be filed to help ensure the exchange operator proceeds as prescribed by law.
I believe a court order (injunction) should be filed to help ensure the exchange operator proceeds as prescribed by law.
Bitcoins were stolen, not cash. That cash is not Bitfloors to distribute to other customers. It's mine.
Doesn't work that way in the U.S.
A quick search and I couldn't find the exact description about how customer funds are pooled (giving a net balance), regardless if the account had a balance of securities or cash, then disbursed.
Here's from Canada, which is pretty much the same in the U.S.
Quote
The customer pool fund includes all securities owned by a bankrupt securities firm, and all securities and cash held by or for the account of both the securities firm and every customer of the securities firm, other than customer name securities. The customer pool fund is allocated first to cover the costs of administering the bankrupt estate and then to cover customer claims in proportion to each customers net equity position.
-- http://www.cipf.ca/Public/FAQ/Coverage/PartXII.aspx
That too of course. 
Isn't it odd that personal responsibility is always down further on the list? : )
It's very human at least.
That too of course.
Isn't it odd that personal responsibility is always down further on the list? : )
Few questions:
Where your servers VPS?
Who hosted your servers?
Where your servers VPS?
Who hosted your servers?
from whois
Name Servers:
ns1.linode.com
ns2.linode.com
ns3.linode.com
ns4.linode.com
Wow... just wow.
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
Hmm, do you mean that the outgoing transfers should always be done from separate server manually? So no automated transfers?
Well he didn't mean that but yes a cold wallet with batch processing is another option. I would point out that even if a hot wallet is needed, if the hot wallet wallet had say 10% of total funds then 90% of the BTC would still remain right now. The attacker would have stolen ~2,500 BTC not 25,000. If using a split wallet like that occassional the hot wallet can run out of funds and clients will experience a delay.
There is no single solution which meets the needs of every single service provider. That being said having a hotwallet with 100% of the funds is simply inexcusable. More than anything else it is sad. Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO). It is destroyed now and honestly shtylman is better than that.
Wow... just wow.
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
Hmm, do you mean that the outgoing transfers should always be done from separate server manually? So no automated transfers?
Not really. A hot wallet server can connect to the exchange, listen for transfers, validate transfers to any issues (like requests from wrong ips, large transactions, etc) and automatically process them.
The server doesn't need to be accessible from outside.
Few questions:
Where your servers VPS?
Who hosted your servers?
Where your servers VPS?
Who hosted your servers?
Wow... just wow.
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
Hmm, do you mean that the outgoing transfers should always be done from separate server manually? So no automated transfers?
Like taking that 5% fee and paying someone who knows something about security to have a look at your stuff and point out obvious weaknesses like "unencrypted copy of the wallet keys" lying around on "supposedly non-public-facing" servers with open connections to public facing servers.
Or maybe one should be responsible for one's own money and btc and not leave them sitting on other peoples' servers for extended periods? Would you leave your wallet and house next to someone on the subway to watch for you? You gave him five bucks. He said he'll do his best.
That too of course.
Jump to: