Topic: [BTC-TC] Virtual Community Exchange [CLOSED] - page 77. (Read 316534 times)

newbie
Activity: 49
Merit: 0
Has anyone found their balance empty? Shall it be that btc-tc is a scam?
full member
Activity: 490
Merit: 101
FRX: Ferocious Alpha
What's going on? Why am I getting an access denied message?
thanks for the info...

I get the same, was worried for a second until I saw your post.  I am sure burnside will get it figured out

EDIT:  Few minutes later and it is fixed
sr. member
Activity: 365
Merit: 250
What's going on? Why am I getting an access denied message?
thanks for the info...
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Three questions:

1. Are the options on the exchange European style or American style? Meaning can I exercise them at any point in time up to the expiration date, or only on the expiration date?

2. Also, if I buy put options from someone, is it guaranteed that the user can fulfill his obligations in case the asset goes to 0 (worst case scenario for him)? I.e., for someone who writes put options, is the full amount of BTC required to fulfill the obligation locked in his account?

3. Is there a secondary market for options, or can I only buy options from issuers, and exercise them, but not sell them to someone else?

1) American

2) The exchange reserves all coins/shares required in the accounts of the options writers.
Great!

+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

 This seems sensible. Of course, an unauthorized access could then change it, so make (reduction) changes wait 30 days, in the same fashion. We can't have everything, but options are good, so long as the user is made blatantly aware that changing from the default carries an increased security risk.

[...]

If you use Google Auth print the QR code or write down the secret somewhere safe.

[...]
As far as I remember I was only shown a QR code, and not the secret key. I would like to have written down the secret key, but as far as I remember I didn't have that option. Do I recall correctly?

I don't have a printer, so printing the QR code is not an option.

Replying from my cell so can't really quote inline. 

The options can't currently be backed by other options because they do not yet auto-exercise.  Working on it...

The code should have been displayed below the QR code.  You can turn 2FA off and it should show it to you again.

Cheers.
legendary
Activity: 1106
Merit: 1026
Why is the exchange running on London time and not UTC?

You can edit the time zone under Account - Settings.
legendary
Activity: 910
Merit: 1000
Quality Printing Services by Federal Reserve Bank
Why is the exchange running on London time and not UTC?
legendary
Activity: 980
Merit: 1008
What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? That's insane.
This is insane.

I think PIN is terrible and I use 2FA, and if people could reset my 2FA using my PIN, it would completely defeat the purpose of using 2FA in the first place!

That's why I suggested also using a waiting period. An attacker shouldn't know your PIN, so you could reduce the waiting period from let's say 30 days to 7 days by authenticating yourself using your PIN/2FA.
I think 30 days is reasonable if you lose your 2FA. 7 days is not enough. 7 days means someone can compromise my account if I'm on vacation and don't read emails for a week.
sr. member
Activity: 493
Merit: 262
What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? That's insane.
This is insane.

I think PIN is terrible and I use 2FA, and if people could reset my 2FA using my PIN, it would completely defeat the purpose of using 2FA in the first place!

That's why I suggested also using a waiting period. An attacker shouldn't know your PIN, so you could reduce the waiting period from let's say 30 days to 7 days by authenticating yourself using your PIN/2FA.
legendary
Activity: 980
Merit: 1008
Three questions:

1. Are the options on the exchange European style or American style? Meaning can I exercise them at any point in time up to the expiration date, or only on the expiration date?

2. Also, if I buy put options from someone, is it guaranteed that the user can fulfill his obligations in case the asset goes to 0 (worst case scenario for him)? I.e., for someone who writes put options, is the full amount of BTC required to fulfill the obligation locked in his account?

3. Is there a secondary market for options, or can I only buy options from issuers, and exercise them, but not sell them to someone else?

1) American

2) The exchange reserves all coins/shares required in the accounts of the options writers.
Great!

+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

 This seems sensible. Of course, an unauthorized access could then change it, so make (reduction) changes wait 30 days, in the same fashion. We can't have everything, but options are good, so long as the user is made blatantly aware that changing from the default carries an increased security risk.

[...]

If you use Google Auth print the QR code or write down the secret somewhere safe.

[...]
As far as I remember I was only shown a QR code, and not the secret key. I would like to have written down the secret key, but as far as I remember I didn't have that option. Do I recall correctly?

I don't have a printer, so printing the QR code is not an option.
hero member
Activity: 630
Merit: 500
Bitgoblin
What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? That's insane.
This is insane.

I think PIN is terrible and I use 2FA, and if people could reset my 2FA using my PIN, it would completely defeat the purpose of using 2FA in the first place!
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

 This seems sensible. Of course, an unauthorized access could then change it, so make (reduction) changes wait 30 days, in the same fashion. We can't have everything, but options are good, so long as the user is made blatantly aware that changing from the default carries an increased security risk.

You can easily avoid ever having to use this reset system:

If you use a PIN, write it down somewhere safe.

If you use Google Auth print the QR code or write down the secret somewhere safe.

If you use Yubikeys, set up Google Auth as a backup or have a second backup key.

Don't permanently lock your withdrawal address unless you really mean it to be permanent.  (2FA makes this feature overkill, just turn on 2FA.)


A little forethought/prevention goes a long way.  The reset requests are an absolute last resort and really shouldn't have been necessary at all.  The other thing to keep in mind is that eventually we'll be offering instant resets in exchange for escrow of 150% of the account value to be held 30 days.  Also, you can create alt accounts in the interim period if you really need to make a trade.

In summary, you can prevent ever needing this and when your email is compromised, you'll be glad it's like this.  (Just ask the couple of people that have lost everything...)

Cheers
hero member
Activity: 574
Merit: 500
+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.
sr. member
Activity: 493
Merit: 262
Big change tonight to the reset process for PINS, WITHDRAWAL ACCOUNT LOCKS, GOOGLE AUTH, and YUBIKEYS.

Please visit https://btct.co/resetRequest if you need to reset any of the above.

It will send you an email.
You confirm the request by clicking the link in the email.
The request then sits in our queue for 30 days.
During the 30 days the request detail and status appears at the top of the portfolio page, including a cancel button to cancel the request.
After 30 days we process the request.

We apologize for the long wait period on doing these resets, but it is important to give an owner of a compromised email account plenty of time to realize they are compromised and recover their account before we hand over their entire account contents.

Automating this process has the side benefit that we'll be able to make resets free of charge going forward.  (each reset used to be 0.5 BTC)

Cheers.

Well, first of all it's great that the process is now free and automated. But there has to be a better solution than having to wait 30 days. I guess just a few requests will be malicious and in this case there's still the possibility that I don't login within 30 days. Also the attacker needs to know the PIN or have 2FA in order to do anything serious.
In my opinion you buy little security with the waiting period with A LOT of inconvenience. What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? That's insane.
newbie
Activity: 14
Merit: 0
++PM see mmm+++-[BRAND NEW]-*DON'T UNDERESTIMATE OUR/\SUPERCOMPUTERS' FRIENDS FRIEDCAT AND OTHER "PASSTHROUGH" MARKETS=MASSIVE FOREIGN FVNNY MONEY IMO!!!!!
legendary
Activity: 980
Merit: 1008
I was thinking about creating a python library to wrap the BTC-TC API.  Who would find such a thing useful?
Me!

Please do it.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Hi all, my schedule is going to be very tight this week.  This is bound to slow down withdrawals, support requests, and ASICMINER transfers.  I apologize for any inconvenience in advance.

Cheers.

legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Big change tonight to the reset process for PINS, WITHDRAWAL ACCOUNT LOCKS, GOOGLE AUTH, and YUBIKEYS.

Please visit https://btct.co/resetRequest if you need to reset any of the above.

It will send you an email.
You confirm the request by clicking the link in the email.
The request then sits in our queue for 30 days.
During the 30 days the request detail and status appears at the top of the portfolio page, including a cancel button to cancel the request.
After 30 days we process the request.

We apologize for the long wait period on doing these resets, but it is important to give an owner of a compromised email account plenty of time to realize they are compromised and recover their account before we hand over their entire account contents.

Automating this process has the side benefit that we'll be able to make resets free of charge going forward.  (each reset used to be 0.5 BTC)

Cheers.
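
The reset flow announced in this post (email confirmation, a 30-day queue with a cancel option, then processing), sketched as a small state machine. This is an added example, not part of the original post and not BTC-TC's code; the class, state and method names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

RESET_DELAY = timedelta(days=30)  # wait period stated in the post

class State(Enum):
    EMAILED = "emailed"      # request made, confirmation link sent
    QUEUED = "queued"        # link clicked, 30-day clock running
    CANCELLED = "cancelled"  # cancelled from the portfolio page
    PROCESSED = "processed"  # credential actually reset

@dataclass
class ResetRequest:
    target: str  # hypothetical labels: "pin", "google_auth", "yubikey", ...
    state: State = State.EMAILED
    confirmed_at: Optional[datetime] = None

    def confirm(self, now: datetime) -> None:
        """The emailed link was clicked; start the waiting period."""
        if self.state is not State.EMAILED:
            raise ValueError("request is not awaiting confirmation")
        self.state, self.confirmed_at = State.QUEUED, now

    def cancel(self) -> None:
        """Cancel button: valid any time before the reset is processed."""
        if self.state not in (State.EMAILED, State.QUEUED):
            raise ValueError("nothing pending to cancel")
        self.state = State.CANCELLED

    def banner(self, now: datetime) -> Optional[str]:
        """Status line for the top of the portfolio page while queued."""
        if self.state is not State.QUEUED:
            return None
        left = max((self.confirmed_at + RESET_DELAY - now).days, 0)
        return f"{self.target} reset pending, {left} day(s) left [cancel]"

    def process(self, now: datetime) -> bool:
        """Queue worker: reset only a still-queued request whose wait is over."""
        if self.state is not State.QUEUED or now < self.confirmed_at + RESET_DELAY:
            return False
        self.state = State.PROCESSED
        return True
```

The property the wait buys is visible in `process`: a request confirmed through a compromised mailbox does nothing for 30 days, and a single `cancel` by the real owner during that window makes it permanently inert.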
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Quick note, we had a 30 minute outage just a little while ago.  There was a bug in our drip software that caused an infinite loop.  Took down the app server for a while.  It should be fixed now.

Cheers.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Any chance for an 'oob' page with a verified code displayed for standalone clients that can't handle callbacks?

You can use a callback to something nonexistent and manually copy the verifier from your browser. The callback redirects, for example, to http://XXXX/ and this looks like:

Code:
http://XXXX/?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&oauth_verifier=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Yeah, that's what I was doing. Using "oob" before, it would try to redirect to a non-existent BTCT page and I would copy/paste the verifier from the address bar.

The new landing page works fine, much better than copy/pasting from an address bar from a user-experience PoV.

I believe that the standard guideline for "oob" landing pages is to have a page in the layout of the site that says something like "Copy/paste this code into the box provided by the application you're trying to access with" and then prominently showing the verifier code. That would be a nice upgrade from the current, minimalistic page.

I'll see what I can do.
hero member
Activity: 728
Merit: 500
Any chance for an 'oob' page with a verified code displayed for standalone clients that can't handle callbacks?

You can use a callback to something nonexistent and manually copy the verifier from your browser. The callback redirects, for example, to http://XXXX/ and this looks like:

Code:
http://XXXX/?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&oauth_verifier=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Yeah, that's what I was doing. Using "oob" before, it would try to redirect to a non-existent BTCT page and I would copy/paste the verifier from the address bar.

The new landing page works fine, much better than copy/pasting from an address bar from a user-experience PoV.

I believe that the standard guideline for "oob" landing pages is to have a page in the layout of the site that says something like "Copy/paste this code into the box provided by the application you're trying to access with" and then prominently showing the verifier code. That would be a nice upgrade from the current, minimalistic page.