Often times the frustration is not only that the incident occurs, but there is often a lack of transparency.
What people should look for in their exchanges is a security and disclosure policy.
Topic: Why are bitcoin exchange operators so inept? (Read 4226 times)
Great point Joel - the margins are razor thin. It is very difficult to hire proper security resources and make them work for $2-3K per month.
CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US. And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.
What's sad is that it really is a solid business. Had Bitfloor made it another year, they would have had the money to do security right. Though they still might not have spent the money on security, of course. There's always something sexier that you can spend money on. Unfortunately, in this business everybody seems to think they're a security expert, even if they just took a couple of PHP classes and read a web article on SQL injection attacks. This makes it harder for the real deals to stand out, especially when they suggest things that cost more money and take more time.CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US. And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.
I don't think you are getting it. The meta-problem is auditing and insurance. In my opinion, without it, bitfloor.com should not have even opened for business (same for any other exchange), unless they limited deposits to a relatively small amount and declared their site alpha and experimental. They did not do this. Hence, bitfloor.com was far from a 'solid business'. The same for the other exchanges. It looks like Camp BX is the furthest along with security audits that have publicly available data.
If there isn't enough revenue from the exchange to cover the costs, then they need to get investors and funding.
If your security is so good, then you should be able to get 3rd party security and account audits, which would then allow you to get insurance on deposits, right?
We have conducted three independent security audits + black-box pen tests and everything considered Severity 3 and above has been addressed by our programmers and administrator. Audits are repeated periodically to discover any new vulnerabilities as they emerge. Results from one of the tests are available on this forum, and a full report was also shared with one of the former-moderators on the forum for peer review.
As things stand today, CampBX has the best chance of obtaining insurance but it will take more than security audits to seal the insurance deal.
If you got insurance, I would definitely consider using your site.
It seems to me that the meta-problem is auditing and insurance. You aren't going to get very many big players without it. Certainly not any of the big players coming from hedge funds or investment banks.
If you think a community of tech-minded people are "inept" because they keep "losing" untraceable money with which there is almost no legal recourse against them, I'm afraid you aren't really thinking it through...
Great point Joel - the margins are razor thin. It is very difficult to hire proper security resources and make them work for $2-3K per month.
CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US. And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.
What's sad is that it really is a solid business. Had Bitfloor made it another year, they would have had the money to do security right. Though they still might not have spent the money on security, of course. There's always something sexier that you can spend money on. Unfortunately, in this business everybody seems to think they're a security expert, even if they just took a couple of PHP classes and read a web article on SQL injection attacks. This makes it harder for the real deals to stand out, especially when they suggest things that cost more money and take more time.CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US. And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.
One hack after another...
It's getting quite tiresome.
Part of it is that the profit margins are very low. A sizable exchange, in its early days, might make $3,000/month. That might hire one part-time security expert so long as you don't spend any money on customer support. Doing this right is very expensive, and exchanges are too uncertain to get the investment capital needed, so they tend to defer security until they can afford it.It's getting quite tiresome.
We'll do security later.
I couldn't find any breaks in our security.
We'll use shared hosting for now.
We'll use a cold wallet when we have enough funds that we need one.
This works for now, we'll go back and do it right when we have time.
And so on. The rotten core never gets fixed.
Great point Joel - the margins are razor thin. It is very difficult to hire proper security resources and make them work for $2-3K per month.
CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US. And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.
One hack after another...
It's getting quite tiresome.
Part of it is that the profit margins are very low. A sizable exchange, in its early days, might make $3,000/month. That might hire one part-time security expert so long as you don't spend any money on customer support. Doing this right is very expensive, and exchanges are too uncertain to get the investment capital needed, so they tend to defer security until they can afford it.It's getting quite tiresome.
We'll do security later.
I couldn't find any breaks in our security.
We'll use shared hosting for now.
We'll use a cold wallet when we have enough funds that we need one.
This works for now, we'll go back and do it right when we have time.
And so on. The rotten core never gets fixed.
This looks pretty amazing compared to the lack of information most exchanges give. Could you put some proof or way for the users to prove these security statements to be true?
Also I couldn't find deposit information, or maybe I just didn't understand, but how would I deposit USD into your exchange and how much would the fees be?
Thank you SkRRJyTC! Results from one of the audits are available on this forum, and a full report was also shared with one of the former-moderators on the forum for peer review.
We support Dwolla for electronic deposits and multiple methods for paper deposits.
If your security is so good, then you should be able to get 3rd party security and account audits, which would then allow you to get insurance on deposits, right?
We have conducted three independent security audits + black-box pen tests and everything considered Severity 3 and above has been addressed by our programmers and administrator. Audits are repeated periodically to discover any new vulnerabilities as they emerge. Results from one of the tests are available on this forum, and a full report was also shared with one of the former-moderators on the forum for peer review.
As things stand today, CampBX has the best chance of obtaining insurance but it will take more than security audits to seal the insurance deal.
One hack after another...
It's getting quite tiresome.
It's getting quite tiresome.
CampBX has been operating securely without incident for over a year now. I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance
On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.
Keyur
This looks pretty amazing compared to the lack of information most exchanges give. Could you put some proof or way for the users to prove these security statements to be true?
Also I couldn't find deposit information, or maybe I just didn't understand, but how would I deposit USD into your exchange and how much would the fees be?
One hack after another...
It's getting quite tiresome.
It's getting quite tiresome.
CampBX has been operating securely without incident for over a year now. I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance
On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.
Keyur
If your security is so good, then you should be able to get 3rd party security and account audits, which would then allow you to get insurance on deposits, right?
One hack after another...
It's getting quite tiresome.
It's getting quite tiresome.
CampBX has been operating securely without incident for over a year now. I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance
On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.
Keyur
Based on a whois lookup done previously, they're not even on a real server. They're on a Linode VPS, which means they're on shared hardware in the cheapest datacenters available.
One hack after another...
It's getting quite tiresome.
It's getting quite tiresome.
CampBX has been operating securely without incident for over a year now. I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance
On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.
Keyur
Why are bitcoin exchange operators so inept?
Because, apparently, they can be.
Perhaps if their customers decided they wanted higher security standards for exchanges, we would have vastly more secure exchanges.
Because, apparently, they can be.
Perhaps if their customers decided they wanted higher security standards for exchanges, we would have vastly more secure exchanges.
One day, after enough suffering, more bitcoiners will acquire enough common sense to start asking these sorts of questions and be willing to pay more for a service that is secure. I can't count the number of times I saw Bitfloor praised for its "low fees." We're talking 0.4% at Bitfloor vs 0.6% for Gox's highest tier. Any difference in fees gets swallowed up within 10 minutes just due to currency volatility.
My feeling is that even among a bunch of libertarians and anarchists, we're so conditioned to letting governments and auditors assume the responsibility of keeping our money safe that we skimp on critical thinking and get all butthurt when shit goes wrong.
Bitfloor's trade volume was always publicly available at bitcoincharts.com. Their trade fees were 0.3% net. How many people even bothered to take out their 4-function calculator and multiply $670,000 x 0.003 to realize that Bitfloor was grossing about $2000/month? Then ask the question: how do they survive after paying for expenses and salary in NEW YORK CITY on $2000/month?
I can understand someone depositing a few hundo to trade and immediately withdraw, but for a person to park thousands of dollars of value to live on that exchange and not ask these simple questions is inexcusable.
Bingo. That is a very good point. However, if they had funding, it is not necessarily the case that they had to survive on $2000 a month. In any event, looks like this was a case of a race to the bottom. The exchanges can offer lower fees by not having proper auditing and insurance. This looks very tasty to naive Bitcoin traders. And it just keeps on happening over and over. MtGox probably has millions in unaudited and uninsured accounts. Sad.
Why are bitcoin exchange operators so inept?
Because, apparently, they can be.
Perhaps if their customers decided they wanted higher security standards for exchanges, we would have vastly more secure exchanges.
Because, apparently, they can be.
Perhaps if their customers decided they wanted higher security standards for exchanges, we would have vastly more secure exchanges.
One day, after enough suffering, more bitcoiners will acquire enough common sense to start asking these sorts of questions and be willing to pay more for a service that is secure. I can't count the number of times I saw Bitfloor praised for its "low fees." We're talking 0.4% at Bitfloor vs 0.6% for Gox's highest tier. Any difference in fees gets swallowed up within 10 minutes just due to currency volatility.
My feeling is that even among a bunch of libertarians and anarchists, we're so conditioned to letting governments and auditors assume the responsibility of keeping our money safe that we skimp on critical thinking and get all butthurt when shit goes wrong.
Bitfloor's trade volume was always publicly available at bitcoincharts.com. Their trade fees were 0.3% net. How many people even bothered to take out their 4-function calculator and multiply $670,000 x 0.003 to realize that Bitfloor was grossing about $2000/month? Then ask the question: how do they survive after paying for expenses and salary in NEW YORK CITY on $2000/month?
I can understand someone depositing a few hundo to trade and immediately withdraw, but for a person to park thousands of dollars of value to live on that exchange and not ask these simple questions is inexcusable.
Who to hire to audit an unregulated virtual security exchange? More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?
That's a good question and I'm not one to answer it because I am not in the security business nor am I in the insurance business. Someone running these exchanges needs to figure out who can audit and insure them though, because I for one will never keep significant sums of BTC in an unaudited, uninsured account. I doubt I am the only one in this camp.
People say that MtGox must be so secure now because they have already been hacked, and to that I reply: how the hell do you know? There is no publicly available security audit data of MtGox's servers (as far as I know). And not only that, there isn't any auditing of the account balances. For all we know they are operating on fractional reserve. User beware!
Even with exchanges that say they are audited, I am very skeptical. Unless that 3rd party operator puts their reputation and money on the line, then I would suggest that their auditing is full of crap.
I agree. It would have to be an auditor with a significant reputation to lose. Of course, the same applies to the insurance company.
Who to hire to audit an unregulated virtual security exchange? More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?
That's a good question and I'm not one to answer it because I am not in the security business nor am I in the insurance business. Someone running these exchanges needs to figure out who can audit and insure them though, because I for one will never keep significant sums of BTC in an unaudited, uninsured account. I doubt I am the only one in this camp.
People say that MtGox must be so secure now because they have already been hacked, and to that I reply: how the hell do you know? There is no publicly available security audit data of MtGox's servers (as far as I know). And not only that, there isn't any auditing of the account balances. For all we know they are operating on fractional reserve. User beware!
Even with exchanges that say they are audited, I am very skeptical. Unless that 3rd party operator puts their reputation and money on the line, then I would suggest that their auditing is full of crap.
Who to hire to audit an unregulated virtual security exchange? More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?
That's a good question and I'm not one to answer it because I am not in the security business nor am I in the insurance business. Someone running these exchanges needs to figure out who can audit and insure them though, because I for one will never keep significant sums of BTC in an unaudited, uninsured account. I doubt I am the only one in this camp.
People say that MtGox must be so secure now because they have already been hacked, and to that I reply: how the hell do you know? There is no publicly available security audit data of MtGox's servers (as far as I know). And not only that, there isn't any auditing of the account balances. For all we know they are operating on fractional reserve. User beware!
It's an economic problem. A startup company wants to reduce costs as much as they can. In the case of Bitcoin exchanges, that means forgoing security audits, insurance and bonding in order to get something out now. The users don't notice security problems because these involve back end processes that they never directly engage with. In any event, these startups are paying the price for cutting corners handling other people's money. And the users are paying the price for leaving significant sums of money in an account that has no auditing and no insurance.
Good points, but is seems like some losses occur due to sheer stupidty, for example not having good backup routines for offsite storage, having the majority of coins in cold storage and so on.
Besides, it's hard for users to know whether the 'hack' is because there's actually a break in, or if it's a rogue operator.
That's why you need auditing and insurance. Stupidity happens, that's a fact. But if you have audits to protect against stupidity in the first place and then insurance to pay out if stupidity still occurs, then that solves the problem (for the most part).
In this case, if Bitfloor had a respectable auditor, probably one of the first questions they would ask is: 'where all the Bitcoins are stored?'. If the reply was 'on this unencrypted hard drive over here...' then the auditor catches that problem right away. No process is 100% foolproof, but these exchanges can do a hell of a lot better than what they are doing now which is just skimping on costs and duping customers into making large deposits on their unaudited, uninsured platforms.
Who to hire to audit an unregulated virtual security exchange? More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?
Jump to: