Title: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 25, 2011, 06:30:12 PM

Hi everyone,

Camp BX team has been gearing up for a full security and compliance audit this weekend by securing our codebase and configuration. The third-party independent audit will commence today so you may see some signs of stress when using http://testnet.CampBX.com/ for test-coin trading.

So what exactly are the auditors testing us for?

All of the top-10 vulnerabilities identified by OWASP project will be tested. This OWASP awareness document is acknowledged and relied on by organizations worldwide, including the PCI, Dept of Defense, Federal Trade Commission, and countless others. Current top-10 are: https://www.owasp.org/index.php/Top_10_2010-A1

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Plus, hundreds of additional vulnerabilities will be tested that did not make the above top-10 list. We will also undergo couple of D-DoS (Distributed Denial of Service) attacks from the auditor's clouds in USA and offshore.

And most importantly, we will be tested for security standards compliance with:

1) All U.S. Government requirements for remote vulnerability testing as set forth by the National Infrastructure Protection Center (NIPC).
2) The Payment Card Industry (PCI) Data Security Standard
2) Security scanning requirements of Visa USA's Cardholder Information Security Program (CISP)
3) Visa International's Account Information Security (AIS) program
4) MasterCard International's Site Data Protection (SDP) program
5) American Express' CID security program
6) Discover Card Information Security and Compliance (DISC) program

We will make the findings available to you, so you can form your own informed opinion about security at Camp BX.

Stay tuned,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: virtualfaqs on June 25, 2011, 06:36:54 PM

:D ;D ;) :o 8) :-*

All at the same time!

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: FlipPro on June 25, 2011, 06:38:41 PM

Really nice site, you can tell it's made in the USA :D.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: qikaifu on June 25, 2011, 06:44:24 PM

If you provide a Postal Address information in United States, you will earn a great advantage in trustworthiness over those exchange hold in Chile and Japan.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: FlipPro on June 25, 2011, 07:02:59 PM

If you provide a Postal Address information in United States, you will earn a great advantage in trustworthiness over those exchange hold in Chile and Japan.

If they offer full transparency I think they have a really good shot at taking over the entire market.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: joan on June 25, 2011, 07:29:01 PM

Don't forget the scale tests, you might need it ;)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: qikaifu on June 25, 2011, 07:31:43 PM

If you provide a Postal Address information in United States, you will earn a great advantage in trustworthiness over those exchange hold in Chile and Japan.

If they offer full transparency I think they have a really good shot at taking over the entire market.
I don't understand those exchanges why the hell they want to hide the real world information of themselves, such as address, an official phone number, company registering information, etc, from the public. Don't they know these information support the confidence of the people who trade on the platform?

Campbx has very positive sign to be professional, responsible and transparent. Just do it better.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: TraderTimm on June 25, 2011, 07:33:46 PM

If you provide a Postal Address information in United States, you will earn a great advantage in trustworthiness over those exchange hold in Chile and Japan.

If they offer full transparency I think they have a really good shot at taking over the entire market.

I don't understand those exchanges why the hell they want to hide the real world information of themselves, such as address, an official phone number, company registering information, etc, from the public. Don't they know these information support the confidence of the people who trade on the platform?

Yeah, it isn't like I didn't do a full WHOIS on them when they first posted. If only there was a way to search forum posts.... hmm.... If only..... Then you'll find the address :)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: TriumVir on June 25, 2011, 07:33:58 PM

Gotta say, I wasn't that impressed with their site. I signed up and found that their code transformed my username to all lowercase characters. Why would anyone do such a thing?

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: angelo95 on June 25, 2011, 07:36:28 PM

Sounds promising. Just noticed we can get your server versions from the whois. Please modify this httpd.conf for me!

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: qikaifu on June 25, 2011, 07:39:07 PM

Yeah, it isn't like I didn't do a full WHOIS on them when they first posted. If only there was a way to search forum posts.... hmm.... If only.....
Then you'll find the address :)

I found it. But I guess they could make some "contact us" on the web site, make it official and easy to find.

Usual nslookup details and such:

campbx.com 184.164.132.91

NetRange 184.164.128.0 - 184.164.159.255
CIDR 184.164.128.0/19
Name SS5
Handle NET-184-164-128-0-1
Parent NET184 (NET-184-0-0-0-0)
Net Type Direct Allocation
Origin AS AS20454 AS32164
Organization SECURED SERVERS LLC (SSL-65)
Registration Date 2011-05-13
Last Updated 2011-05-13

Name SECURED SERVERS LLC
Handle SSL-65
Street 2353 W University Bldg A
City Tempe
State/Province AZ
Postal Code 85281
Country US
Registration Date 2003-12-08
Last Updated 2009-11-25

Secured Servers website: http://www.securedservers.com/index.php

securedservers.com 209.188.23.6

NetRange 209.188.23.0 - 209.188.23.31
CIDR 209.188.23.0/27
Name CWIE
Handle NET-209-188-23-0-1
Parent SECUREDSERVERS (NET-209-188-0-0-1)
Net Type Reallocated
Origin AS
Organization CWIE, LLC (CWIE)
Registration Date 2008-11-03
Last Updated 2008-11-03

Name CWIE, LLC
Handle CWIE
Street 2353 W University Bldg A
City Tempe
State/Province AZ
Postal Code 85281
Country US
Registration Date 1999-09-01
Last Updated 2009-02-20

CWIE website: http://www.cavecreek.com/

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 25, 2011, 09:34:13 PM

@VirtualFAQs: Thank you very much!

@qikaifu, Vegetta, and TraderTimm: Agree with you 100% about the contact details. The office information should be finalized mid-week and will be available on livenet site prior to launch. Keep in mind that office space requires long-term contracts, and in a city like Atlanta they constitute a huge investment for a start-up company. That is why we have kept it as the final item on the launch checklist.

Also wanted to add that our company registration details are public records, and are available for your review at Georgia Secretary of State Brian Kemp's office.

Thank you!
Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 25, 2011, 09:37:18 PM

Gotta say, I wasn't that impressed with their site. I signed up and found that their code transformed my username to all lowercase characters. Why would anyone do such a thing?

TV,

Bitcoin community's success depends on reaching out to more casual users who may not be as well-versed with technology as you are. That is why it was a conscious decision that contributes towards the user-friendliness of our platform.

Thank you,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 25, 2011, 09:38:01 PM

Don't forget the scale tests, you might need it ;)

Thanks - we surely hope so! I think DDoS is a good simulation of this ;-)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Serge on June 25, 2011, 09:49:00 PM

Keyur, got any insight on deposit/withdrawal methods that you guys are planning to integrate?

Another question, will you be getting any sort of exchange or MSB licencing? (I have no idea whichever is applicable in the case of Bitcoin exchange)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: elggawf on June 25, 2011, 10:03:12 PM

Keyur, got any insight on deposit/withdrawal methods that you guys are planning to integrate?

Another question, will you be getting any sort of exchange or MSB licencing? (I have no idea whichever is applicable in the case of Bitcoin exchange)

They said in another thread that MSB is pending, IIRC. Their "legal counsel" has told them none of the exchange stuff applies, I gather because at this point BTC isn't a recognized "currency" or "commodity".

Bar a few growing pains, I'm really liking what I see here so far.
I still haven't gotten around to getting my password to work, but they seem responsive to critique and if they can hit the ground running with trust and avoid shady half-answers (a few of Keyur's earlier responses in the first thread didn't inspire much confidence, for the most part he seems to be rectifying that though).

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 05:56:16 PM

Keyur, got any insight on deposit/withdrawal methods that you guys are planning to integrate?

Another question, will you be getting any sort of exchange or MSB licencing? (I have no idea whichever is applicable in the case of Bitcoin exchange)

Serge,

Only method available at launch will be Dwolla. We will work with the user community after that to prioritize which method they would like to see next.

Thank you,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: relative on June 26, 2011, 06:02:13 PM

If you provide a Postal Address information in United States, you will earn a great advantage in trustworthiness over those exchange hold in Chile and Japan.

If they offer full transparency I think they have a really good shot at taking over the entire market.

I don't understand those exchanges why the hell they want to hide the real world information of themselves, such as address, an official phone number, company registering information, etc, from the public. Don't they know these information support the confidence of the people who trade on the platform?

this info is available for MtGox (its CEO) but this board deletes threads which mention it. don't ask me why.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 06:02:37 PM

Bar a few growing pains, I'm really liking what I see here so far.
I still haven't gotten around to getting my password to work, but they seem responsive to critique and if they can hit the ground running with trust and avoid shady half-answers (a few of Keyur's earlier responses in the first thread didn't inspire much confidence, for the most part he seems to be rectifying that though).

Elggawf,

I apologize if some of the answers came across as shady - that was never the intention. Keep in mind that answers to seemingly simple questions come after long discussions with lawyers, scanning through policy fine print, and back and forth communications with government agencies like Department of Banking and Finance. These answers represent a competitive advantage for a business. I have to straddle a fine line between sharing and open-sourcing the business to competition.

Thank you,
Keyur

PS: You may have to reset the password once since we made couple of tweaks to the password validation policy after your registration.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 06:04:47 PM

Sounds promising. Just noticed we can get your server versions from the whois. Please modify this httpd.conf for me!

Angelo,

We have already modified this few days ago! You can check the HTTP headers. The updated information may take a while to propagate to whois records.

Thank you for trying us out!
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Serge on June 26, 2011, 06:06:32 PM

Keyur, got any insight on deposit/withdrawal methods that you guys are planning to integrate?

Another question, will you be getting any sort of exchange or MSB licencing? (I have no idea whichever is applicable in the case of Bitcoin exchange)

Serge,

Only method available at launch will be Dwolla. We will work with the user community after that to prioritize which method they would like to see next.

Thank you,
Keyur

Thanks.
Looking forward to your launch as I'm sure many others do too =)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Jack of Diamonds on June 26, 2011, 06:09:10 PM

Very impressive, professional site. A few questions:

1. As mentioned above, will you add physical information about the exchange's whereabouts? Mt. Gox is known to operate from Cerulean Tower in Tokyo, but they do not list any address or phone number in public.
2. When (or, if at all) will you accept wire transfers as deposit and withdrawal method ($USD, Swiss franc, EUR, JPY)?
3. Do you have an automated system for instant withdrawals and deposits of bitcoins from/into the system via unique, 24 hour disposable wallets like Mt. Gox?

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 06:24:59 PM

Very impressive, professional site. A few questions:

1. As mentioned above, will you add physical information about the exchange's whereabouts? Mt. Gox is known to operate from Cerulean Tower in Tokyo, but they do not list any address or phone number in public.
2. When (or, if at all) will you accept wire transfers as deposit and withdrawal method ($USD, Swiss franc, EUR, JPY)?
3. Do you have an automated system for instant withdrawals and deposits of bitcoins from/into the system via unique, 24 hour disposable wallets like Mt. Gox?

Thank you JD!

1) Wednesday
2) Launch time is pressure time, so we intend to keep things streamlined at launch and not scatter the team's energy. We will explore allowing other modes of payment (including wire transfers) after launch.
3) That was the first feature we implemented! You can try it out for yourself if you have some testnet coins lying around at http://testnet.campbx.com

Keep in mind that coins need 5 confirmations from the network to show up in the wallet, which can take a while on testnet due to limited mining activity. It should be much faster on livenet.
Hope this helps,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Oldminer on June 26, 2011, 06:27:56 PM

Will you be offering bank transfers to and from Australian bank accounts?

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: FreeMoney on June 26, 2011, 06:44:06 PM

3. Do you have an automated system for instant withdrawals and deposits of bitcoins from/into the system via unique, 24 hour disposable wallets like Mt. Gox?

I prefer a dedicated, but cycle-able, deposit address like bitcoin-central does. This lets me deposit without going to the site, or let someone pay to it for me. Minor thing though.

I'm really impressed, very classy.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: befuddled on June 26, 2011, 06:57:58 PM

Short selling? Color me suspicious. Are you going to allow naked short sales?

Bitcoin is so tiny and thinly traded (by FX or any other standards) big-money interest hostile to Bitcoin can come in effectively drop the price to zero. Easily. All they have to do is capitalize a stand-alone entity with, say, $1B US. Then continuously take a gradually ever-growing short position. Bitcoin will never be worth much. If, over time, their short position goes underwater to an extent that exceeds their capital, they can either add more, or declare BR. If the Fed were behind it, they can just print to the extent necessary so they never have to cover.

If naked short sales are not allowed, then anybody selling short would have to "borrow" them from someone else first, and I guess that someone would be the accounts of those who hold balances at campbx.

I recommend nobody hold your bitcoin balances in campbx, unless campbx has an option to disallow their borrowing for short selling.

Please disabuse me of these notions if I am in error. I don't see anything good for Bitcoin coming from allowing short sales.
Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: TonyHoyle on June 26, 2011, 07:04:36 PM

Excellent... It's good to see sites coming onstream that do decent security audits.

More payment options would be great... the only reason I still consider mtgox is it's the only one that can do direct transfers to/from euros without imposing stupid fees.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: jerfelix on June 26, 2011, 07:06:39 PM

Gotta say, I wasn't that impressed with their site. I signed up and found that their code transformed my username to all lowercase characters. Why would anyone do such a thing?

I tested the website, and was only mildly impressed. I didn't think the user interface was all that great (and just hated the color scheme).

On the other hand, though, Keyur has been unbelievably receptive and responsive to feedback. And they seem to be putting security, reputation, and trustworthiness at the top of their agenda, with just a few feature advantages.

I would LOVE to see another successful exchange, so I'm keeping an open mind on this one, and wishing them the best of luck!

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 07:20:20 PM

Short selling? Color me suspicious. Are you going to allow naked short sales?

Bitcoin is so tiny and thinly traded (by FX or any other standards) big-money interest hostile to Bitcoin can come in effectively drop the price to zero. Easily. All they have to do is capitalize a stand-alone entity with, say, $1B US. Then continuously take a gradually ever-growing short position. Bitcoin will never be worth much. If, over time, their short position goes underwater to an extent that exceeds their capital, they can either add more, or declare BR. If the Fed were behind it, they can just print to the extent necessary so they never have to cover.
If naked short sales are not allowed, then anybody selling short would have to "borrow" them from someone else first, and I guess that someone would be the accounts of those who hold balances at campbx.

I recommend nobody hold your bitcoin balances in campbx, unless campbx has an option to disallow their borrowing for short selling.

Please disabuse me of these notions if I am in error. I don't see anything good for Bitcoin coming from allowing short sales.

Befuddled,

We do not allow naked shorts - you have to put 52% coins towards the trade. Also the trade maximum size is capped. So $1B government money will not do any good here.

To clarify, we DO NOT borrow from user accounts and only the user can move the coins out of his/her wallet. There is a dedicated "house account" funded by us for shorts. This account is risk-managed based on liquidity available in the market to limit our risk exposure.

Hope this makes sense,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: befuddled on June 26, 2011, 07:23:40 PM

Keyur-

Quote
We do not allow naked shorts

Quote
To clarify, we DO NOT borrow from user accounts and only the user can move the coins out of his/her wallet. There is a dedicated "house account" funded by us for shorts.

Quote
Hope this makes sense

Yes. Thanks much.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 07:37:03 PM

Keyur-

Quote
We do not allow naked shorts

Quote
To clarify, we DO NOT borrow from user accounts and only the user can move the coins out of his/her wallet. There is a dedicated "house account" funded by us for shorts.

Quote
Hope this makes sense

Yes. Thanks much.

Befuddled,

You had some excellent questions, so we have also updated the FAQ section to reflect these clarifications.

Thank you!
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 07:39:06 PM

Gotta say, I wasn't that impressed with their site.
I signed up and found that their code transformed my username to all lowercase characters. Why would anyone do such a thing?

I tested the website, and was only mildly impressed. I didn't think the user interface was all that great (and just hated the color scheme).

On the other hand, though, Keyur has been unbelievably receptive and responsive to feedback. And they seem to be putting security, reputation, and trustworthiness at the top of their agenda, with just a few feature advantages.

I would LOVE to see another successful exchange, so I'm keeping an open mind on this one, and wishing them the best of luck!

Thank you for trying us out JF. We have few more exciting features in pipeline that we will roll-out over next six months. We will also get the API rolled out after launch so you don't have to deal with the UI!

Thank you,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: dennis_sweden on June 26, 2011, 07:42:33 PM

Quote
Elggawf, I apologize if some of the answers came across as shady - that was never the intention. Keep in mind that answers to seemingly simple questions come after long discussions with lawyers, scanning through policy fine print, and back and forth communications with government agencies like Department of Banking and Finance. These answers represent a competitive advantage for a business. I have to straddle a fine line between sharing and open-sourcing the business to competition.

Quote
The foundation of our operations is an active and prominent compliance program, and we are committed to maintaining full compliance with all pertinent rules and regulations for the trading platform. Spirit of our program is to do the right thing, not just the legal thing. Attempts to bypass account maximum limits will result in a refund of all funds and a ban for the violating account/s. We have hard-coded additional rules in our trading engine to thwart illegitimate usage of the platform and money laundering.
Please help us strengthen our compliance program, and immediately report any suspicious trading activity you notice on our platform to the helpdesk.

I'm sorry, but this "Legal compliance" statement does not contain any substance. Under what name is Camp BX registered in the State of Georgia? Camp BX is, as far as I can see, not registered. Likewise under which name are deposits insured with the FDIC.

The "Camp BX user agreement" does contain more substance as it states that "This Agreement shall be governed by and construed in accordance with the laws applicable in the State of Georgia."

If Camp BX has a business model that acts in accordance with the law it can be envisaged that Bitcoin will grow as more businesses will accept Bitcoins.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: ErgoOne on June 26, 2011, 08:13:52 PM

I'm seriously impressed, assuming that the data we get proves that the audit took place and was of the nature described. This is how web sites that are used to access and handle other people's money *should* be tested -- for Bitcoin or anybody else!

Could somebody post the URL to this site, now? I didn't see it, and I want to go look. ;)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 08:41:56 PM

Quote
Elggawf, I apologize if some of the answers came across as shady - that was never the intention. Keep in mind that answers to seemingly simple questions come after long discussions with lawyers, scanning through policy fine print, and back and forth communications with government agencies like Department of Banking and Finance. These answers represent a competitive advantage for a business. I have to straddle a fine line between sharing and open-sourcing the business to competition.
Quote
The foundation of our operations is an active and prominent compliance program, and we are committed to maintaining full compliance with all pertinent rules and regulations for the trading platform. Spirit of our program is to do the right thing, not just the legal thing. Attempts to bypass account maximum limits will result in a refund of all funds and a ban for the violating account/s. We have hard-coded additional rules in our trading engine to thwart illegitimate usage of the platform and money laundering. Please help us strengthen our compliance program, and immediately report any suspicious trading activity you notice on our platform to the helpdesk.

I'm sorry, but this "Legal compliance" statement does not contain any substance. Under what name is Camp BX registered in the State of Georgia? Camp BX is, as far as I can see, not registered. Likewise under which name are deposits insured with the FDIC.

The "Camp BX user agreement" does contain more substance as it states that "This Agreement shall be governed by and construed in accordance with the laws applicable in the State of Georgia."

If Camp BX has a business model that acts in accordance with the law it can be envisaged that Bitcoin will grow as more businesses will accept Bitcoins.

Dennis,

We have updated the company name in the footer - Camp BX is our product name. You can verify the registration now!

Thank you,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: CurbsideProphet on June 26, 2011, 08:43:26 PM

I'm seriously impressed, assuming that the data we get proves that the audit took place and was of the nature described. This is how web sites that are used to access and handle other people's money *should* be tested -- for Bitcoin or anybody else!

Could somebody post the URL to this site, now? I didn't see it, and I want to go look.
;)

http://testnet.campbx.com/

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: dserrano5 on June 26, 2011, 08:47:50 PM

<!------------------------------------------------------------- Charts END!! -->

:)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 08:52:06 PM

<!------------------------------------------------------------- Charts END!! -->

:)

That's one of our programmers celebrating a little milestone ;-)

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Jaime Frontero on June 26, 2011, 08:57:46 PM

this looks promising.

i'd much rather have my money compliant to all the various things that money needs to be compliant with, than potentially anonymous but in the hands of amateurs.

if i want anonymity, i'll do BTC > BTC transactions over Tor. if i want a bank or an exchange, i'll go with staid and boring and all tied up with legal niceties.

i'm looking forward to your launch. i'll be there.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: dennis_sweden on June 26, 2011, 09:00:44 PM

Quote
Dennis, We have updated the company name in the footer - Camp BX is our product name. You can verify the registration now! Thank you, Keyur

A Camp BX search does still not generate any records at "Department of Banking & Finance" in Georgia http://dbf.georgia.gov or at "Georgia Business Licenses Directory" http://publicrecords.onlinesearches.com/Georgia-Business-Licenses.htm or at the FDIC "Bank find" http://www2.fdic.gov/idasp/main_bankfind.asp.

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 09:06:01 PM

Quote
Dennis, We have updated the company name in the footer - Camp BX is our product name. You can verify the registration now!
Thank you, Keyur

A Camp BX search does still not generate any records at "Department of Banking & Finance" in Georgia http://dbf.georgia.gov or at "Georgia Business Licenses Directory" http://publicrecords.onlinesearches.com/Georgia-Business-Licenses.htm or at the FDIC "Bank find" http://www2.fdic.gov/idasp/main_bankfind.asp.

Try http://corp.sos.state.ga.us/corp/soskb/CSearch.asp

Keep in mind, other public records take time to update. I think there is a misunderstanding about the role of FDIC in international customers. FDIC insures bank accounts, not businesses. Our accounts are insured by FDIC.

Hope this helps,
Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Jaime Frontero on June 26, 2011, 09:06:53 PM

Quote
Dennis, We have updated the company name in the footer - Camp BX is our product name. You can verify the registration now! Thank you, Keyur

A Camp BX search does still not generate any records at "Department of Banking & Finance" in Georgia http://dbf.georgia.gov or at "Georgia Business Licenses Directory" http://publicrecords.onlinesearches.com/Georgia-Business-Licenses.htm or at the FDIC "Bank find" http://www2.fdic.gov/idasp/main_bankfind.asp.

did you try the company name?

Bulbul Investments LLC

not that i'd have much confidence in the timeliness of a gov't website...

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: Keyur @ Camp BX on June 26, 2011, 09:37:47 PM

this looks promising.

i'd much rather have my money compliant to all the various things that money needs to be compliant with, than potentially anonymous but in the hands of amateurs.

if i want anonymity, i'll do BTC > BTC transactions over Tor.
if i want a bank or an exchange, i'll go with staid and boring and all tied up with legal niceties.

i'm looking forward to your launch. i'll be there.

These were exactly our thoughts when we made the business plan, Jaime! Thank you and look forward to having you at Camp BX!

Title: Re: Camp BX Hacker / Compliance Security Audit
Post by: dennis_sweden on June 26, 2011, 10:44:51 PM

Quote
Try http://corp.sos.state.ga.us/corp/soskb/CSearch.asp Keep in mind, other public records take time to update. I think there is a misunderstanding about the role of FDIC in international customers. FDIC insures bank accounts, not businesses. Our accounts are insured by FDIC. Hope this helps, Keyur

Bulbul Investments LLC is registered as a Limited Liability Company, which affords "limited personal liability for the debts and actions of the LLC".

Regarding FDIC, as you state, "FDIC insures bank accounts". I read this as the bank accounts that Bulbul Investments LLC hold are insured in the bank where the account of Bulbul is held. Despite funds held in accounts by Bulbul being insured, if Bulbul were to apply for bankruptcy, any deposits to Camp BX that are not in the account would not be redeemable due to the limited personal liability, and depositors to Camp BX are unsecured creditors - is this a correct understanding or not?

The Georgia Code - Corporations and Partnerships - Title 14, Section 14-11-201 states: "(a) A limited liability company may be formed under this chapter for any lawful purpose. If the purpose for which a limited liability company is formed makes it subject to a special provision of law, the limited liability company shall also comply with that provision."

As Bulbul Investments LLC operates an exchange market, I am under the impression that Bulbul is subject to other special provision

I transferred 500 Euro to Mtgox which literally arrived on the eve of the crash/hack.
Of course the funds are not more than I can afford to lose, however the risk factor when dealing on Bitcoin exchanges has been perfectly exposed (of course the risk factor always existed) and I am considering whether to withdraw completely as, with hindsight, I consider myself foolish to have transferred funds to an entity with a very unclear legal framework, however novel and benign the concept of Bitcoins is.

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: dennis_sweden on June 26, 2011, 10:53:29 PM
I have no idea how the previous post had many crossed over lines; i shall resubmit the entire post as I could not edit it successfully. I must type parts of message again; will update soon. “Try http://corp.sos.state.ga.us/corp/soskb/CSearch.asp Keep in mind, other public records take time to update. I think there is a misunderstanding about the role of FDIC in international customers. FDIC insures bank accounts, not businesses. Our accounts are insured by FDIC. Hope this helps, Keyur” Bulbul Investments LLC is registered as a Limited Liability Company, which affords "limited personal liability for the debts and actions of the LLC". Regarding FDIC, as you state, "FDIC insures bank accounts". I read this as the bank accounts that Bulbul Investments LLC hold are insured in the bank where the account of Bulbul is held. Despite funds held in accounts by Bulbul being insured, if Bulbul were to apply for bankruptcy, any deposits to Camp BX that are not in the account would not be redeemable due to the limited personal liability, and depositors to Camp BX are unsecured creditors - is this a correct understanding or not? The Georgia Code - Corporations and Partnerships - Title 14, Section 14-11-201 states: "(a) A limited liability company may be formed under this chapter for any lawful purpose.
If the purpose for which a limited liability company is formed makes it subject to a special provision of law, the limited liability company shall also comply with that provision." As Bulbul Investments LLC operates an exchange market, I am under the impression that Bulbul is subject to other "special provision(s) of law", which again I am under the impression would require further licenses. Would you care to elucidate on this point? As Camp BX will potentially hold/transfer millions of USD, further information on the subject matter would allow for a better understanding of the risks involved when trading on Camp BX. I transferred 500 Euro to Mtgox which literally arrived on the eve of the crash/hack. Of course the funds are not more than I can afford to lose, however the risk factor when trading on Bitcoin exchanges has been perfectly exposed (of course the risk factor always existed) and I am considering whether to withdraw completely as, with hindsight, I consider myself foolish to have transferred sums to an entity with a very unclear legal framework, however novel and benign the concept of Bitcoins is. The problem with the crossed over lines occurred when I attempted to type "provision(s)" with [].

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: brendio on June 26, 2011, 11:05:09 PM
Short selling? Color me suspicious. Are you going to allow naked short sales? Befuddled, We do not allow naked shorts - you have to put 52% coins towards the trade. Also the trade maximum size is capped. So $1B government money will not do any good here. To clarify, we DO NOT borrow from user accounts and only the user can move the coins out of his/her wallet. There is a dedicated "house account" funded by us for shorts. This account is risk-managed based on liquidity available in the market to limit our risk exposure. Will there be an option for account holders to rent their bitcoin to the short seller house account in return for a daily fee?

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: goldmar on June 26, 2011, 11:17:32 PM
Hi Keyur, I think your site looks very promising, I'm looking forward to seeing it in action! However, please make sure to provide a payment option for us Europeans. SEPA bank transfers (like with empty gox) would be nice; and you can also have a look at Bitcoin7, they offer the possibility to use Ebank transfers which make the payment appear within seconds in their system. The only thing that sucks with Bitcoin7 is their withdrawal concept: they demand ridiculously high fees (12-22 EUR which is about 17-31 $). Cheers, Mark

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: ErgoOne on June 26, 2011, 11:28:32 PM
this looks promising. i'd much rather have my money compliant to all the various things that money needs to be compliant with, than potentially anonymous but in the hands of amateurs. if i want anonymity, i'll do BTC > BTC transactions over Tor. if i want a bank or an exchange, i'll go with staid and boring and all tied up with legal niceties. i'm looking forward to your launch. i'll be there. +10 I'm with Jaime. I firmly believe that the Bitcoin standard itself should allow anonymity (such as cash does), but I'm not interested in playing games with U.S. law either. Any trading I do will be above-board. I might well acquire my first bitcoins here. :-)

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: Keyur @ Camp BX on June 27, 2011, 12:02:15 AM
I have no idea how the previous post had many crossed over lines; i shall resubmit the entire post as I could not edit it successfully. I must type parts of message again; will update soon. “Try http://corp.sos.state.ga.us/corp/soskb/CSearch.asp Keep in mind, other public records take time to update. I think there is a misunderstanding about the role of FDIC in international customers. FDIC insures bank accounts, not businesses. Our accounts are insured by FDIC.
Hope this helps, Keyur” Bulbul Investments LLC is registered as a Limited Liability Company, which affords "limited personal liability for the debts and actions of the LLC". Regarding FDIC, as you state, "FDIC insures bank accounts". I read this as the bank accounts that Bulbul Investments LLC hold are insured in the bank where the account of Bulbul is held. Despite funds held in accounts by Bulbul being insured, if Bulbul were to apply for bankruptcy, any deposits to Camp BX that are not in the account would not be redeemable due to the limited personal liability, and depositors to Camp BX are unsecured creditors - is this a correct understanding or not? The Georgia Code - Corporations and Partnerships - Title 14, Section 14-11-201 states: "(a) A limited liability company may be formed under this chapter for any lawful purpose. If the purpose for which a limited liability company is formed makes it subject to a special provision of law, the limited liability company shall also comply with that provision." As Bulbul Investments LLC operates an exchange market, I am under the impression that Bulbul is subject to other "special provision(s) of law", which again I am under the impression would require further licenses. Would you care to elucidate on this point? As Camp BX will potentially hold/transfer millions of USD, further information on the subject matter would allow for a better understanding of the risks involved when trading on Camp BX. I transferred 500 Euro to Mtgox which literally arrived on the eve of the crash/hack. Of course the funds are not more than I can afford to lose, however the risk factor when trading on Bitcoin exchanges has been perfectly exposed (of course the risk factor always existed) and I am considering whether to withdraw completely as, with hindsight, I consider myself foolish to have transferred sums to an entity with a very unclear legal framework, however novel and benign the concept of Bitcoins is.
The problem with the crossed over lines occurred when I attempted to type "provision(s)" with []. Dennis, Sorry to hear that you were among those affected by the Mt. Gox incident. What you describe sounds like SIPC, not FDIC. Unfortunately Bitcoins and Camp BX are not covered under SIPC. You can do additional research at: http://www.sipc.org/ Hope this helps, Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: dennis_sweden on June 27, 2011, 12:26:18 AM
Quote Dennis, Sorry to hear that you were among those affected by the Mt. Gox incident. What you describe sounds like SIPC, not FDIC. Unfortunately Bitcoins and Camp BX are not covered under SIPC. You can do additional research at: http://www.sipc.org/ Hope this helps, Keyur Securities Investor Protection is not what my question relates to. Camp BX claims under section "Is my money safe" that all funds are maintained in FDIC-insured bank accounts. As Bulbul Investments LLC is not a "Bank" it cannot hold any funds for its registered users in FDIC-insured bank accounts, so the only remaining option, as I see it, for any funds to be covered by FDIC insurance would be in accordance with my previous entry; i.e. that funds deposited with Bulbul Investments LLC are insured in such bank accounts held by Bulbul, but do not afford any registered users safety in the event of Bulbul filing for bankruptcy, or any other event that negatively affects assets held by Bulbul.

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: NO_SLAVE on June 27, 2011, 03:09:20 AM
well, you're light years ahead of mtgox already if you're actually doing security audits. This is how we do stuff, not live testing with other people's money. more power to you my friends. I think your name could have been better, but hey I suppose that's beside the point.

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: dennis_sweden on June 27, 2011, 04:38:26 AM
Quote Elggawf, I apologize if some of the answers came across as shady - that was never the intention. Keep in mind that answers to seemingly simple questions come after long discussions with lawyers, scanning through policy fine print, and back and forth communications with government agencies like Department of Banking and Finance. These answers represent a competitive advantage for a business. I have to straddle a fine line between sharing and open-sourcing the business to competition. If communication with government agencies like the Department of Banking and Finance has taken place, Camp BX/Bulbul Investments LLC would be in compliance with U.S. Code CHAPTER 18—BANK SERVICE COMPANIES § 1861 (2) the term “bank service company” means: (B) any limited liability company— (i) which is organized to perform services authorized by this chapter; and (ii) all of the members of which are 1 or more insured depository institutions. (4) the term “depository institution” means, except when such term appears in connection with the term “insured depository institution”, an insured bank, financial institution subject to examination by the Director of the Office of Thrift Supervision or the National Credit Union Administration Board, or a financial institution the accounts or deposits of which are insured or guaranteed under State law and are eligible to be insured by the Federal Deposit Insurance Corporation, the Federal Savings and Loan Insurance Corporation, or the National Credit Union Administration Board; These provisions essentially state that a “limited liability company” “must be eligible to be insured by the FDIC” to obtain insurance.
As Bulbul Investments LLC is not registered at the "Department of Banking & Finance" in Georgia, it is inconceivable that Bulbul is eligible to participate in FDIC insurance, or in compliance with State of Georgia - Department of Banking and Finance regulations. Grant asked on June 22, 2011, 05:17:30 pm in thread Camp BX Platform in Beta: Margin Trading, Short Selling, and Advanced Orders (http://forum.bitcoin.org/index.php?topic=20777.0;all) “So, basically if i deposit up to $250,000 to your exchange and you become insolvent (for whatever reason that could be) i am guaranteed my deposit by your government ? Can you point me to some documents that prove your registration ? (might be i overlooked it, but i looked through your site and couldn't find anything)” Whereas elggwf asked on June 23, 2011, 12:35:26 am in the same thread “What do you mean by you're "FDIC insured" - did you get the FDIC to insure all your USD holdings? What about the BTC holdings, will those be insured too?” and neither Grant nor elggwf received an answer; so I will make a very clear statement: the information on Camp BX website under "Is my money safe" is simply not true, which also applies to the information under “Legal compliance”: “The foundation of our operations is an active and prominent compliance program, and we are committed to maintaining full compliance with State of Georgia - Department of Banking and Finance regulations.” Camp BX might have an exchange that is far superior to Mtgox (of which I am not capable of making any judgement upon), but regarding providing accurate and relevant information in a timely manner, I fail to see any material difference.

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: Keyur @ Camp BX on June 27, 2011, 05:26:42 AM
Quote Elggawf, I apologize if some of the answers came across as shady - that was never the intention.
Keep in mind that answers to seemingly simple questions come after long discussions with lawyers, scanning through policy fine print, and back and forth communications with government agencies like Department of Banking and Finance. These answers represent a competitive advantage for a business. I have to straddle a fine line between sharing and open-sourcing the business to competition. If communication with government agencies like the Department of Banking and Finance has taken place, Camp BX/Bulbul Investments LLC would be in compliance with U.S. Code CHAPTER 18—BANK SERVICE COMPANIES § 1861 (2) the term “bank service company” means: (B) any limited liability company— (i) which is organized to perform services authorized by this chapter; and (ii) all of the members of which are 1 or more insured depository institutions. (4) the term “depository institution” means, except when such term appears in connection with the term “insured depository institution”, an insured bank, financial institution subject to examination by the Director of the Office of Thrift Supervision or the National Credit Union Administration Board, or a financial institution the accounts or deposits of which are insured or guaranteed under State law and are eligible to be insured by the Federal Deposit Insurance Corporation, the Federal Savings and Loan Insurance Corporation, or the National Credit Union Administration Board; These provisions essentially state that a “limited liability company” “must be eligible to be insured by the FDIC” to obtain insurance. As Bulbul Investments LLC is not registered at the "Department of Banking & Finance" in Georgia, it is inconceivable that Bulbul is eligible to participate in FDIC insurance, or in compliance with State of Georgia - Department of Banking and Finance regulations. 
Grant asked on June 22, 2011, 05:17:30 pm in thread Camp BX Platform in Beta: Margin Trading, Short Selling, and Advanced Orders (http://forum.bitcoin.org/index.php?topic=20777.0;all) “So, basically if i deposit up to $250,000 to your exchange and you become insolvent (for whatever reason that could be) i am guaranteed my deposit by your government ? Can you point me to some documents that prove your registration ? (might be i overlooked it, but i looked through your site and couldn't find anything)” Whereas elggwf asked on June 23, 2011, 12:35:26 am in the same thread “What do you mean by you're "FDIC insured" - did you get the FDIC to insure all your USD holdings? What about the BTC holdings, will those be insured too?” and neither Grant nor elggwf received an answer; so I will make a very clear statement: the information on Camp BX website under "Is my money safe" is simply not true, which also applies to the information under “Legal compliance”: “The foundation of our operations is an active and prominent compliance program, and we are committed to maintaining full compliance with State of Georgia - Department of Banking and Finance regulations.” Camp BX might have an exchange that is far superior to Mtgox (of which I am not capable of making any judgement upon), but regarding providing accurate and relevant information in a timely manner, I fail to see any material difference. Dennis, You seem painfully new to USA rules and regulations, but I will make one final attempt to elaborate. We keep our cash deposits in a bank account that is insured by FDIC. If the bank fails (there were 140 bank failures in 2009) then your money is safe. However in USA there is no insurance for business solvency. If the business goes under, then that is the risk you take with your investment. In other words, we are a business not a bank. Banks don't accept Bitcoins so far.
Take care, Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: Keyur @ Camp BX on June 27, 2011, 05:29:50 AM
well, you're light years ahead of mtgox already if you're actually doing security audits. This is how we do stuff, not live testing with other people's money. more power to you my friends. I think your name could have been better, but hey I suppose that's beside the point. Thank you NS! Stay tuned for the results! - Keyur

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: dennis_sweden on June 27, 2011, 05:45:12 AM
Quote Dennis, You seem painfully new to USA rules and regulations, but I will make one final attempt to elaborate. We keep our cash deposits in a bank account that is insured by FDIC. If the bank fails (there were 140 bank failures in 2009) then your money is safe. However in USA there is no insurance for business solvency. If the business goes under, then that is the risk you take with your investment. In other words, we are a business not a bank. Banks don't accept Bitcoins so far. Take care, Keyur This information is the exact information I asked with my post at June 26, 2011, 10:53:29 pm Quote Bulbul Investments LLC is registered as a Limited Liability Company, which affords "limited personal liability for the debts and actions of the LLC". Regarding FDIC, as you state, "FDIC insures bank accounts". I read this as the bank accounts that Bulbul Investments LLC hold are insured in the bank where the account of Bulbul is held. Despite funds held in accounts by Bulbul being insured, if Bulbul were to apply for bankruptcy, any deposits to Camp BX that are not in the account would not be redeemable due to the limited personal liability, and depositors to Camp BX are unsecured creditors - is this a correct understanding or not? and received the answer Quote Dennis, Sorry to hear that you were among those affected by the Mt. Gox incident. What you describe sounds like SIPC, not FDIC.
Unfortunately Bitcoins and Camp BX are not covered under SIPC. You can do additional research at: http://www.sipc.org/ Hope this helps, Keyur So it is very inaccurate to state that I am painfully new to U.S. regulations. However, having now received an answer to my original question, and receiving an unequivocal answer to whether Camp BX is regulated solely by business regulations or by business and banking regulations, I retract my statement that "the information on Camp BX website under "Is my money safe" is simply not true".

Title: Re: Camp BX Hacker / Compliance Security Audit Post by: qualia8 on June 27, 2011, 05:59:05 AM
If margin trading is allowed, then chances are, your deposits will be used to lend. Essentially, margin trading = fractional reserve banking + trading. So, the FDIC thing may be irrelevant, because *your* deposit will be lent to other Camp BX users. Am I wrong? Cool platform, btw. I'll be there, but still won't trust it with sums I can't afford to lose. |