Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: paulie_w on July 31, 2012, 04:42:56 AM



Title: maybe its time to stop building bitcoin web apps
Post by: paulie_w on July 31, 2012, 04:42:56 AM
...and start thinking about building bitcoin apps in a more distributed way, without central points of failure?


Title: Re: maybe its time to stop building bitcoin web apps
Post by: gweedo on July 31, 2012, 04:47:08 AM
or you just build bitcoin web apps that are more open and mirrored


Title: Re: maybe its time to stop building bitcoin web apps
Post by: TangibleCryptography on July 31, 2012, 04:53:50 AM
Or stop holding massive amounts of client funds in a hot wallet.

We buy and sell coins.  
No hot wallet (no wallet at all on the server)
Manual verification of orders.
No user accounts (orders can't be changed once submitted so there is no value in trying to impersonate a user).
2 Factor encryption on all our trading & funding accounts.
Encrypted Enterprise grade database with off site backups.

Nothing is "hackproof" but we certainly present a lot smaller attack surface; a much less attractive target for hackers.  

What does every major (say 10,000+ BTC) hack have in common?  A massive shared online hotwallet holding user funds.  Maybe we start there.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: mobile4ever on July 31, 2012, 04:58:36 AM
Or stop holding massive amounts of client funds in a hot wallet.


There you go. If there is nothing there to steal, there is no temptation to do so.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Xenland on July 31, 2012, 06:54:36 AM
This will be great when an exchange incorporates multisig transactions... Nobody can steal at that point


Title: Re: maybe its time to stop building bitcoin web apps
Post by: c_k on July 31, 2012, 07:37:47 AM
Or learn to code securely.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 07:42:04 AM
Or learn to code securely.

Nah, keep putting funds you can't afford to lose in a site coded in 4 days by a 17 year old. Totally solid business proposition.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: kangasbros on July 31, 2012, 07:47:25 AM
The most important thing bitcoin enables is easy-to-automate money transfers. This means that there can be web apps which were not possible with traditional money. Also it enables new business models. It is very difficult to implement any kind of business model in a distributed way.

Of course, this is a very Darwinian environment. Hopefully both users and developers will understand this. Users should not store large amounts of funds in any service, and developers should be ultra cautious about developing these web apps.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 07:51:05 AM
Here's an idea:

If you don't have an actual security background with financial applications, don't code a fucking exchange.

I know that's a bit mindblowing, but think about it mr "learn ruby/python/php/node/perl (hey a guy can dream that kids are still into perl) in 24 hrs. book" guy.



Title: Re: maybe its time to stop building bitcoin web apps
Post by: Xenland on July 31, 2012, 07:54:20 AM
Here's an idea:

If you don't have an actual security background with financial applications, don't code a fucking exchange.

I know that's a bit mindblowing, but think about it mr "learn ruby/python/php/node/perl (hey a guy can dream that kids are still into perl) in 24 hrs. book" guy.


But how will anyone get integrity in financial security if they don't make financial applications?


Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 07:56:35 AM
Here's an idea:

If you don't have an actual security background with financial applications, don't code a fucking exchange.

I know that's a bit mindblowing, but think about it mr "learn ruby/python/php/node/perl (hey a guy can dream that kids are still into perl) in 24 hrs. book" guy.


But how will anyone get integrity in financial security if they don't make financial applications?



Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 07:59:26 AM
Stop the retardation, people, seriously.

You're coding a fucking financial application with no background in security? Prepare to have the shit hacked out of you. It's that simple.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: NRF on July 31, 2012, 08:00:39 AM
But how will anyone get integrity in financial security if they don't make financial applications?

They could do it the way I did it, go to university, get a degree and then work in the industry for 20 years while keeping up to date, gaining certifications, attending conferences, going on vendor & paid seminars.

There are no shortcuts to becoming competent unfortunately.



Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 08:02:55 AM
But how will anyone get integrity in financial security if they don't make financial applications?

They could do it the way I did it, go to university, get a degree and then work in the industry for 20 years while keeping up to date, gaining certifications, attending conferences, going on vendor & paid seminars.

There are no shortcuts to becoming competent unfortunately.



This man speaks the truth. To anyone who can sort of hack up some scripts and figure out the bitcoind api and decides to create an exchange, I have merely this to say:

Fuck you.



Title: Re: maybe its time to stop building bitcoin web apps
Post by: Xenland on July 31, 2012, 08:12:29 AM
Stop the retardation, people, seriously.

You're coding a fucking financial application with no background in security? Prepare to have the shit hacked out of you. It's that simple.
I thought this guy(gal?) makes the most sense.

I have met some good friends that are better educated on hacking than those that go to universities (nothing against the integrity of universities per se). I think it's mostly due to there is the "unknowing" of certain problems and angles to hack at, so they learn about a system's vulnerabilities at all angles instead of a teacher or book lecturing a long list of ways (that tend to not burn into the memory) with the home-grown security skills you get the constant hands on learning and desensitisation of failure and patience on your belt. Of course just my view point and experience.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: kangasbros on July 31, 2012, 08:16:23 AM
I say it is more of the users' fault than the developers'. For example, btc-e always looked very shady and unprofessional to me, compared to other exchanges. Bitcoinica was advertised as developed by a 17-year-old.

I think it is great that any kid can code a bitcoin application if he/she wants - no barriers to entry to the market. It is the users' responsibility to decide if they want to trust these services.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 08:17:05 AM
Stop the retardation, people, seriously.

You're coding a fucking financial application with no background in security? Prepare to have the shit hacked out of you. It's that simple.
I thought this guy(gal?) makes the most sense.

I have met some good friends that are better educated on hacking than those that go to universities (nothing against the integrity of universities per se). I think it's mostly due to there is the "unknowing" of certain problems and angles to hack at, so they learn about a system's vulnerabilities at all angles instead of a teacher or book lecturing a long list of ways (that tend to not burn into the memory) with the home-grown security skills you get the constant hands on learning and desensitisation of failure and patience on your belt. Of course just my view point and experience.

I believe NRF stated it the most politely and professionally tbh, if you're going to reference anyone reference that poster. I'm on a bit of a tirade this evening ;)


Title: Re: maybe its time to stop building bitcoin web apps
Post by: shockD on July 31, 2012, 08:20:49 AM
I say it is more of the users' fault than the developers'. For example, btc-e always looked very shady and unprofessional to me, compared to other exchanges. Bitcoinica was advertised as developed by a 17-year-old.

I think it is great that any kid can code a bitcoin application if he/she wants - no barriers to entry to the market. It is the users' responsibility to decide if they want to trust these services.


Hm.. great? Sort of I guess, I do get your point. Your most poignant point, however, is that it is 100% users' fault that they get taken by shitty exchanges. I just wish people were a little more aggressive about calling a spade a spade with regard to shit exchanges. Really people are very upfront here about that but nobody listens. I guess my point is, I wish idiots didn't code exchanges but you're absolutely correct that it's the users' fault for falling for seedy, shitty, obviously crappy exchanges. Nobody can stop a savvy 10 year old kid from coding an exchange and advertising it and having suckers fall for it.

 


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Xenland on July 31, 2012, 08:20:59 AM
Stop the retardation, people, seriously.

You're coding a fucking financial application with no background in security? Prepare to have the shit hacked out of you. It's that simple.
I thought this guy(gal?) makes the most sense.

I have met some good friends that are better educated on hacking than those that go to universities (nothing against the integrity of universities per se). I think it's mostly due to there is the "unknowing" of certain problems and angles to hack at, so they learn about a system's vulnerabilities at all angles instead of a teacher or book lecturing a long list of ways (that tend to not burn into the memory) with the home-grown security skills you get the constant hands on learning and desensitisation of failure and patience on your belt. Of course just my view point and experience.

I believe NRF stated it the most politely and professionally tbh, if you're going to reference anyone reference that poster. I'm on a bit of a tirade this evening ;)

In that case I shall take your opinions lightly --Just for this evening



Title: Re: maybe its time to stop building bitcoin web apps
Post by: NRF on July 31, 2012, 08:25:27 AM
better educated on hacking than those that go to universities (nothing against the integrity of universities per se)

I would agree with you to a certain extent, many a time I have attempted to bash my brains out on the sharp pointy bit offered by the corner of my desk when a new graduate "invents" some new and novel way to propel feces at astonishing speed into the revolving metal blades.

But on the other hand I have also had some talented novices do their level best to put the whole mess into orbit.

I suppose what I was trying to get at is there is nothing like years of experience and training when trying to keep the shit in the bowl.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Xenland on July 31, 2012, 08:52:11 AM
better educated on hacking than those that go to universities (nothing against the integrity of universities per se)

I would agree with you to a certain extent, many a time I have attempted to bash my brains out on the sharp pointy bit offered by the corner of my desk when a new graduate "invents" some new and novel way to propel feces at astonishing speed into the revolving metal blades.

But on the other hand I have also had some talented novices do their level best to put the whole mess into orbit.

I suppose what I was trying to get at is there is nothing like years of experience and training when trying to keep the shit in the bowl.
I got that from your spiel  8) definitely nothing beats experience that is for sure, I would append to your statement by saying that if we can cram experience into the classroom in a rapid manner instead of the occasional hands on experience, the 50% of just listening about "things" that are only as relevant as the best the instructor can depict through story telling and pictures not to mention to rely on your own imagination to paint the picture of what could be going on and left to assume the interpretation of the meanings the instructor is trying to convey and the other 50% of homework I guess I'm trying to say in a long paragraph is that once experience is integrated into the classroom, students can be better educated out the door, they would have enough knowledge and experience to automatically come up with assumptions that are correct and in-line with what would be considered with practical security measures about the things they don't know or aren't aware of.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: markm on July 31, 2012, 08:56:48 AM
Supposedly it's what the users want. It's not nice that they complain when it's time to pay the bill for what they insisted on but that's users for ya I guess. They'd rather have pretty and bells and whistles and periodically lose all their money than put up with secure methods.

If you are serious, go look at Open Transactions and get an Open Transactions client installed...

-MarkM-


Title: Re: maybe its time to stop building bitcoin web apps
Post by: rini17 on July 31, 2012, 09:43:15 AM
But how will anyone get integrity in financial security if they don't make financial applications?

They could do it the way I did it, go to university, get a degree and then work in the industry for 20 years while keeping up to date, gaining certifications, attending conferences, going on vendor & paid seminars.

There are no shortcuts to becoming competent unfortunately.
OK, but do we actually have any web apps handling significant btc amounts developed by such competent people? Things like MPOE or satoshidice don't count, they are not full featured web apps. I am under the impression that nothing (at least, nothing legit) related to btc is so profitable that a 20yr-experience-professional can maintain a living off it. Not even considering that he won't be working alone, there must be customer support, etc...


Title: Re: maybe its time to stop building bitcoin web apps
Post by: markm on July 31, 2012, 09:45:47 AM
Oh, customer support. There is another pet peeve, making people who don't use it pay for it because some idiots need an inordinate amount of hand-holding.

Would be nice to just farm that out as a pay as you go service to third parties or something, so those who don't want or need it don't end up subsidizing it for the people who will happily use up endless hours of support time...

-MarkM-


Title: Re: maybe its time to stop building bitcoin web apps
Post by: kangasbros on July 31, 2012, 09:47:01 AM
OK, but do we actually have any web apps handling significant btc amounts developed by such competent people? Things like MPOE or satoshidice don't count, they are not full featured web apps. I am under the impression that nothing (at least, nothing legit) related to btc is so profitable that a 20yr-experience-professional can maintain a living off it. Not even considering that he won't be working alone, there must be customer support, etc...

Yep, there is only a handful of bitcoin companies that are making enough money to fund the development and on-going support/security research/so on. I don't know how much money the btc-e guys were making, but I doubt that they made enough to pay for security professionals, audits etc.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Ferroh on July 31, 2012, 12:07:57 PM
Or stop holding massive amounts of client funds in a hot wallet.

+1

Giving up on web apps and running in fear is not the answer. Website software can be built to solve the problems at hand.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: BitBuster on July 31, 2012, 01:26:52 PM
If you don't have an actual security background with financial applications, don't code a fucking exchange.
To anyone who can sort of hack up some scripts and figure out the bitcoind api and decides to create an exchange, I have merely this to say:

Fuck you.

You are being childish. People are allowed to do what they like. The users are responsible for where they place their money.

They could do it the way I did it, go to university, get a degree and then work in the industry for 20 years while keeping up to date, gaining certifications, attending conferences, going on vendor & paid seminars.

There are no shortcuts to becoming competent unfortunately.
Competence is relative and isn't achieved the same way. Conferences and seminars (like qualifications!) are cash cows, I'm glad that you feel you have benefitted from them, personally I believe that they form part of the academic "belief" system that one is not wise unless he has a piece of paper, club tie or other affiliation to say so.

Yep, there is only a handful of bitcoin companies that are making enough money to fund the development and on-going support/security research/so on. I don't know how much money the btc-e guys were making, but I doubt that they made enough to pay for security professionals, audits etc.
This is the crux of the matter. Currently, users want a cheap, fast, easy to use, highly secure service. But such service levels require sufficient funding, which isn't available to many of the startups. As the BTC market grows, so will the opportunity for decent services. (That said, many of these hacks have been down to gross incompetence/negligence and/or inside job corruption).

The infrastructure will mature at the rate that the market allows.


BB.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: BitBuster on July 31, 2012, 01:38:47 PM
Manual verification of orders.
What do you mean by this? No BTC or USD are transferred until someone sitting at a computer says so? Not exactly practical, except for perhaps transactions over a particular n threshold? A great advantage to bitcoin is that it can be automated, this should be embraced and not undermined by slow and expensive human interaction. Of course, the automation needs to be secure and sufficient algorithmic validation of orders is a must.

Most BTC exchanges have even fewer tools than mainstream banks to fight fraud, because they don't have unique user identification (name/personal details) and the associated risk of detection. This means that BTC exchanges need to become smarter at detection and prevention of fraud, not just hacking.


BB.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: thezerg on July 31, 2012, 02:04:28 PM
Manual verification of orders.
What do you mean by this? No BTC or USD are transferred until someone sitting at a computer says so? Not exactly practical, except for perhaps transactions over a particular n threshold? A great advantage to bitcoin is that it can be automated, this should be embraced and not undermined by slow and expensive human interaction. Of course, the automation needs to be secure and sufficient algorithmic validation of orders is a must.

Most BTC exchanges have even fewer tools than mainstream banks to fight fraud, because they don't have unique user identification (name/personal details) and the associated risk of detection. This means that BTC exchanges need to become smarter at detection and prevention of fraud, not just hacking.


BB.

Since it looks like BTC-e's hot vs cold wallet and transfer limits worked to stop loss, it does seem like some of this is already implemented.  But I'm amazed that a btc-e rep wasn't there within 10 minutes.

It would be extremely easy to code soft limits that both trigger a bedside alarm (i.e. your phone) and slow things down whenever any out-of-ordinary transfers happen.  Like trading curbs in the stock markets.  For example, if the price of any currency increases/decreases by > N%, or BTC/fiat money incoming or outgoing is N% more than the average.  It's a 10 minute confirmation time anyway so most people would not even notice that their xfer needed to be manually approved.

Accepting disrupted sleep due to false alarms once per month might have saved btc-e 40 grand USD...
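
The soft limit described in the post above, sketched as an added example (it is not part of any post in this thread and not any exchange's code). The class name `WithdrawalCurb`, the one-hour window, the thresholds and the sample traffic are all assumptions chosen for illustration.

```python
from collections import deque
from decimal import Decimal


class WithdrawalCurb:
    """Hold payouts for manual approval when outflow or price looks abnormal."""

    def __init__(self, alert, window_secs=3600, history=24,
                 pct_over_avg=Decimal("50"), floor=Decimal("10"),
                 price_move_pct=Decimal("20")):
        self.alert = alert                  # callable(str): pages the operator
        self.window_secs = window_secs      # assumed measurement window
        self.pct_over_avg = pct_over_avg    # "N% more than the average"
        self.floor = floor                  # minimum baseline, so a quiet history
                                            # does not turn every payout into an anomaly
        self.price_move_pct = price_move_pct
        self.past = deque(maxlen=history)   # released outflow of completed windows
        self.window_start = None
        self.current = Decimal(0)           # released outflow in the open window
        self.ref_price = None               # first price seen in the open window
        self.tripped = False
        self.held = []                      # (request id, amount) awaiting review

    def _roll(self, now):
        # Close every window that has ended; idle windows count as zero outflow.
        if self.window_start is None:
            self.window_start = now
            return
        while now - self.window_start >= self.window_secs:
            self.past.append(self.current)
            self.current = Decimal(0)
            self.ref_price = None
            self.window_start += self.window_secs

    def limit(self):
        avg = sum(self.past, Decimal(0)) / len(self.past) if self.past else Decimal(0)
        return max(avg, self.floor) * (1 + self.pct_over_avg / 100)

    def _trip(self, reason):
        if not self.tripped:                # one alert per incident, not per request
            self.tripped = True
            self.alert(reason)

    def on_price(self, now, price):
        self._roll(now)
        if self.ref_price is None:
            self.ref_price = price
        elif abs(price - self.ref_price) / self.ref_price * 100 > self.price_move_pct:
            self._trip(f"price moved more than {self.price_move_pct}% in one window")

    def request(self, now, req_id, amount):
        """Return 'released' for automatic payout or 'held' for manual approval."""
        self._roll(now)
        if not self.tripped and self.current + amount > self.limit():
            self._trip(f"outflow {self.current + amount} exceeds limit {self.limit()}")
        if self.tripped:
            # Held amounts never enter the baseline, so a burst of rejected
            # requests cannot raise the average and loosen the limit.
            self.held.append((req_id, amount))
            return "held"
        self.current += amount
        return "released"

    def approve(self, now, req_id):
        """Operator releases one held request after reviewing it."""
        self._roll(now)
        for i, (rid, amount) in enumerate(self.held):
            if rid == req_id:
                del self.held[i]
                self.current += amount
                return amount
        raise KeyError(req_id)

    def reset(self):
        """Operator re-arms automatic payouts once the anomaly is explained."""
        self.tripped = False


def demo():
    alerts = []
    curb = WithdrawalCurb(alert=alerts.append)
    # Constructed sample traffic: (seconds since start, request id, BTC amount)
    traffic = [(0, "w1", "5"), (100, "w2", "4"), (3700, "w3", "12"),
               (7300, "w4", "3"), (7400, "w5", "400"), (7500, "w6", "1")]
    outcome = {rid: curb.request(t, rid, Decimal(a)) for t, rid, a in traffic}
    return curb, alerts, outcome
```

Once tripped, the curb stays tripped until an operator calls `reset()`, so everything after the anomalous request waits for review too.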





Title: Re: maybe its time to stop building bitcoin web apps
Post by: TangibleCryptography on July 31, 2012, 02:27:02 PM
Manual verification of orders.
What do you mean by this? No BTC or USD are transferred until someone sitting at a computer says so? Not exactly practical, except for perhaps transactions over a particular n threshold?

Why?  Every 2-3 hours someone logs into a secure terminal, manually reviews the orders and processes them.  For us many of the payout options (ACH, cashier's check, etc) require manual intervention anyways so it is an easy choice.  If you want a payout in 0.1 ms well you won't get it.  Maybe I am weird but I find letting a quarter million in customer funds be stolen on your "watch" to be highly impractical.


More generally it comes down to security vs speed. 

instant payouts and hundreds of thousands in a hot wallet continually at risk (are you smarter than every hacker on the planet?  at all times? 24/7? even on a bad day? when making mistakes? forever until the end of time?)
       vs
non-instant payouts and $0K in hot wallet.  

I come back to:
What does every major (say 10,000+ BTC) hack have in common?  
A massive shared online hotwallet holding user funds.  Maybe we start there.



Title: Re: maybe its time to stop building bitcoin web apps
Post by: kiba on July 31, 2012, 02:40:04 PM
It's all convenience versus security. I'd rather an exchange take 24 hours than take a minute to process if it means the difference between theft and continuous operation.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: BitBuster on July 31, 2012, 06:25:03 PM
I understand what you mean but having an inflated hot wallet is not the only way to avoid human-authorised transactions. Do you not accept that the more busy an exchange becomes, with 100s/1000s of transactions per minute, the caseload for each human would increase exponentially and it would be beyond the financial capabilities of the company to employ more payment authorizers?

Normal banks don't have a human authorise each transaction. Instead they employ algorithmic monitoring and identification of suspicious transactions, which can then be followed up by a human (who is far more capable in dealing with and confirming unexpected use cases, than repetitive authorisation tasks - the opposite is true for computers).


BB.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: bg002h on July 31, 2012, 09:53:06 PM
Why is it that "depositing" coins in an exchange requires you to transfer coins to the exchange's BTC address? I mean, why do you give them complete control over your coin before you even decide to sell? Do exchanges use all the "idle" BTC for loans and stuff and just keep enough around to handle withdrawals?

Maybe we should have to enter our private keys or transfer coins only when we place a sell BTC order...it seems to me that the exchange concept ignores some of the security features of Bitcoin in exchange for convenience and liquidity.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: perlboy on July 31, 2012, 11:14:49 PM
But how will anyone get integrity in financial security if they don't make financial applications?

They could do it the way I did it, go to university, get a degree and then work in the industry for 20 years while keeping up to date, gaining certifications, attending conferences, going on vendor & paid seminars.

There are no shortcuts to becoming competent unfortunately.
OK, but do we actually have any web apps handling significant btc amounts developed by such competent people? Things like MPOE or satoshidice don't count, they are not full featured web apps. I am under the impression that nothing (at least, nothing legit) related to btc is so profitable that a 20yr-experience-professional can maintain a living off it. Not even considering that he won't be working alone, there must be customer support, etc...

It's coming. ;)

Although I should say that I'm a 15yr-experience-professional working with another suitably experienced professional and we'll be working our way down the lower risk BTC businesses all the way to the highest ones eventually.

You're right though, difficult to maintain a living off at the moment but adoption is the key and trust is the key to adoption in my opinion.

Luckily for us, we're experienced & employed people who also want to do BTC things. :)

Stu


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Elwar on August 01, 2012, 04:18:40 PM
Ok, I have taken the title of this thread to heart and stopped programming my web app.


The app would have made it possible to use Bitcoin at any retailer online and also all POS transactions. It would also allow texting and cell phone service anywhere via the blockchain for one Satoshi per month. I was just finishing up the code that piggybacked the mining GPU to help tell the future through a complex algorithm that could tell you what was going to happen the next day based upon a solved block.

I just did a rm -f /* on my server and have quit my job as a software engineer telling my boss that the work we are doing is pointless because it is not secure. He agreed and quit, all the way up the ladder everyone is quitting and the company is shuttering their doors.

Thank You. Advice heeded.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Xenland on August 01, 2012, 04:36:37 PM
Ok, I have taken the title of this thread to heart and stopped programming my web app.


The app would have made it possible to use Bitcoin at any retailer online and also all POS transactions. It would also allow texting and cell phone service anywhere via the blockchain for one Satoshi per month. I was just finishing up the code that piggybacked the mining GPU to help tell the future through a complex algorithm that could tell you what was going to happen the next day based upon a solved block.

I just did a rm -f /* on my server and have quit my job as a software engineer telling my boss that the work we are doing is pointless because it is not secure. He agreed and quit, all the way up the ladder everyone is quitting and the company is shuttering their doors.

Thank You. Advice heeded.
Good for you! Anyone else ready to CONVERT!!!
http://i2.listal.com/image/726070/350full.jpg


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Meatpile on August 01, 2012, 06:19:43 PM
Why is it that "depositing" coins in an exchange requires you to transfer coins to the exchange's BTC address? I mean, why do you give them complete control over your coin before you even decide to sell? Do exchanges use all the "idle" BTC for loans and stuff and just keep enough around to handle withdrawals?

Maybe we should have to enter our private keys or transfer coins only when we place a sell BTC order...it seems to me that the exchange concept ignores some of the security features of Bitcoin in exchange for convenience and liquidity.


There is software called Open Transactions, he is working on usability right now, it has everything needed to do exactly as you describe: you control your coins until the exact point of trade.

It is only a matter of time until that becomes user friendly, I hope.


Although you will still need to trust someone who holds the "cash" side of the trade. You can only trade digital for digital, so we still need "banks" that have an amount of dollars in an account.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: BitBuster on August 01, 2012, 06:46:59 PM
Why is it that "depositing" coins in an exchange requires you to transfer coins to the exchange's BTC address? I mean, why do you give them complete control over your coin before you even decide to sell? Do exchanges use all the "idle" BTC for loans and stuff and just keep enough around to handle withdrawals?

Maybe we should have to enter our private keys or transfer coins only when we place a sell BTC order...it seems to me that the exchange concept ignores some of the security features of Bitcoin in exchange for convenience and liquidity.
The fiat is held in escrow for trade, so too should the BTC. That's the fairest way. Once a trade is completed, you are free to withdraw.


BB.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: ripper234 on August 02, 2012, 05:26:54 AM
Ok, I have taken the title of this thread to heart and stopped programming my web app.

...

I just did a rm -f /* on my server and have quit my job as a software engineer telling my boss that the work we are doing is pointless because it is not secure. He agreed and quit, all the way up the ladder everyone is quitting and the company is shuttering their doors.

Make sure to delete your backups / source control as well, otherwise it doesn't count.
Some hacker might find one of your backups and finish building the site for you ... and who knows what harm that will cause?!

Oh, and wipe all hard drives, those forensics dudes are devious.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: bitplane on August 02, 2012, 10:56:04 PM
I suppose what I was trying to get at is there is nothing like years of experience and training when trying to keep the shit in the bowl.

There's also nothing like years of experience when it comes to not actually doing anything because you understand how hard a problem is. Youthful ignorance on the other hand has a tendency to get things done by biting off more than it can chew and then just chewing that shit down anyway.

It's easy for old farts like you and I to sit back and criticise, but we haven't actually written an exchange. Maybe we lack the balls or the enthusiasm, maybe we're just too wise, we certainly didn't lose big. We didn't risk it all to win big, or create that awesome thing, and we didn't learn anything along the way either.


Title: Re: maybe its time to stop building bitcoin web apps
Post by: Kris on August 04, 2012, 03:03:37 AM
But how will anyone get integrity in financial security if they don't make financial applications?

They could do it the way I did it, go to university, get a degree and then work in the industry for 20 years while keeping up to date, gaining certifications, attending conferences, going on vendor & paid seminars.

There are no shortcuts to becoming competent unfortunately.
OK, but do we actually have any web apps handling significant btc amounts developed by such competent people? Things like MPOE or satoshidice don't count, they are not full featured web apps. I am under the impression that nothing (at least, nothing legit) related to btc is so profitable that a 20yr-experience-professional can maintain a living off it. Not even considering that he won't be working alone, there must be customer support, etc...

We do.