14qCKSgTi8d2jqeSpVMbe6EJ1wy33zBzWm

The simple fact that Reddit is a no free speech zone with heavy censorship and control is NOT new. It has been that way for a very, very long time. It is not surprising that topics like this one get censored from Reddit.

http://somethingsurprising.blogspot.co.uk/2012/02/why-this-might-become-reddit-free-zone.html

https://howgoodisthat.wordpress.com/2012/04/27/political-censorship-and-moderator-bias-on-reddit-com/

http://www.washingtonsblog.com/2013/08/redditors-furious-that-reddit-censors-alternative-media.html

http://www.newscorpse.com/ncWP/?p=10981

1) Put a USD Swaps demand offer for 30 days at the rate you want.
2) Buy all the Bitcoins
3) Enjoy the knowledge that you won't be paying more than 0.278% (like 10%/year) the next 30 days
4)
5) Take loss (or profit if this thing actually moves up)

See, the secret that is used so successfully by the trader elite is to reserve the USD at low rates for long periods before buying all the bitcoins. You may actually end up paying interest for USD you don't use for some hours or a day but that's life.

As for those who say "these rates are too low": People are, for some reason, willing to lend out at these rates. If you are a lender and you find these rates to low then go find something else to do with your digital american toilet-paper.

And there is generally no reason to worry about "Bitfinex running out of USD". If there is little USD available then rates go up and millions of fresh USD magically appears. It's supply and demand, it's that simple.

It is important to understand and remember that NONE of YOUR devices need to be compromised for your e-mail account to be compromised. There are numbers other attack vectors depending on which e-mail provider you have chosen. A dishonest employee, for example, could easily abuse or take over your e-mail account. This is why I insist that an e-mail account is just one factor regardless of how this factor is protected.


I stand by my statement. Your Gmail account is one factor which could be protected by two factors. A Google employee could take over your e-mail account regardless. Think of it this way: Your house is still just one house even if you put an extra lock on the front door.


I agree with this but I would like #4 to be a bit harder - but not so hard that it becomes impossible.



Thank you for your long response.

Actually, no, my phone and desktop would not need to be compromised. My complaint is that someone who gains access to my e-mail account, with or without hacking any device (which, if you consider the various threat models, is not required to gain control over someone's e-mail), could p0wn me.

As for your other points: I completely agree that the security of my Bitfinex account and the devices used to access it is my personal responsibility. This is why I do not like that the security can be compromised by a factor out of my control.

And I do see and agree that the human factor at Bitfinex would make an attack difficult (but not impossible?). I have e-mailed both the support@ and that better address quite a few times over the years and the average response time seems to be 5-10 minutes and it's always smart people who reply (perhaps Bitfinex requires that customer support people do not watch television?) so I assume it would not be totally strait-forward to fool them. I am also guessing that this means I could have my account locked down pretty fast if need be.


Now you are on the right track. You seem to have thought a bit about this, what would your suggestion be as to these "additional restrictions"? As I mentioned, a picture of me holding a note saying "disable 2FA" to get it disabled seems like a reasonable trade-off and I requirement I would personally like to have on _my_ Bitfinex account. It is hard to fake. This does not solve the "$5 wrench" problem but that one is a lot harder.

Oh, btw mjr, one last thing: Try leaving your phone at home when you go out to meet friends and loved ones. Consider making it a habit. I know many resist this idea but it can actually be a great thing - just like not having a television, not having facebook or a twitter account and so on. Many of these things that are supposed to make your life better .. just makes you stressed and continuously disrupt your harmony and give you bad karma.

Good points.

I guess some trade-offs for people who do not want to verify are unavoidable. If Bitfinex has no clue who is the rightful owner of an account then they can't possibly verify who the rightful owner is. I guess those who do not want to verify would have to decide if they they want privacy or the ability to recover their account if something happens?

As for blurry, badly lit pictures, that is true but it could be solved by "The picture is too unclear, please take a better one". This would not help if the picture on the ID is unclear, though. I also see your point about generic $color males, but it does make it slightly harder for some. You will, for example, have a hard time looking Chinese if you are black?

Please share any better suggestions if you have any. Anxbtc verifies accounts by sending something to the physical post address you provide. That is just as secure as your mailbox is but it does prevent some hacker on the other side of the planet of typeing some things into his keyboard and gain access to your account (you can hack e-mail accounts remotely but you need to actually to go the physical mailbox to pick a letter out of it).

There are trade-offs as to what the second factor here should be. My concern is that there should be one, taking control over the e-mail account (one factor) should not be enough to a) change the password and b) remove/change Google OTP because (I know I am repeating myself but this is an important point) that is NOT 2FA, it's 1FA. Any actual second factor would add to the security model.

Here is my problem with the current Bitfinex "security" system:

* Your e-mail account is ONE factor. ONE. Period.

If I get access to the e-mail account you used to sign up at BFX then I can:

* Reset your password.
* E-mail Bitfinex and have them disable your Google OTP.

The whole point of Google OTP is to provide TWO factor security for your account. What we have here is NOT two factor security, we have ONE factor factor security and that one factor is your e-mail account.

This means that your Bitfinex account is ONLY protected as well as your e-mail account is protected. If you, for example, signed up using a GMail account and use that with Bitfinex then everyone at Google can take control over your Bitfinex account.

Think about this: Why even bother ask for a password and OTP when you login at Bitfinex? Bitfinex could instead just ask you to enter your username and send you a login-link to your e-mail - then you click that link and you've got access to everything at Bitfinex. Does this sound secure? Well, regardless of what you think of that "security system" it is no less secure than the current system.

One little detail: You can not withdraw for 1 week after Bitfinex disables your OTP. This means that the adversary will need to look at your Facebook page and time the attack based on when you tell the world that you will be going on a two week jungle safari.


I agree that it is hard to make good trade-off's here. What I would like Bitfinex to solve better is that Google OTP should provide 2FA as in TWO FACTOR when it is used right. This means not using the device you use to login at Bitfinex for Google OTP (dedicated $50 android phone or a heavily passport protected normal phone, preferably one which you do not use to login at Bitfinex) and it also means not being able to remove Google OTP by the same means you can use to change the account password.

Bitfinex does not provide 2FA as long as you can use an e-mail account to easily both reset the password and remove OTP. That is NOT 2FA, that is 1FA. Period. And that is NOT secure. As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.

As for the $5 wrench.. yes, that is indeed a hard one to solve.

Someone bought back a 5k short and then reserved 5k BTC. If you plan to add a big short then you reserve first and wait (days if need be) for the right price. The obvious reason is that people look at bfxdata and notice big shorts. If you reserve 200 BTC or 5000 BTC at one point in time and do the trade at another then nobody knows when you actually did the trade.

It looks like Bitfinex could use some serious improvement in their routines regarding user security. And I think we should help them by brainstorming ideas for exactly how this should be done or just have a little public debate.

THE ISSUE:


I use 2FA on Bitfinex - but what is it worth if someone can just make a myname@whatever.tld e-mail account and send them an e-mail asking them to disable it?

Not sure if I should try making some random e-mail account and bug them to give me my password and disable my 2FA using that just to see what happens.. perhaps I should do it, but not right now due to this posting, perhaps in a week or month or two months... As the above message shows: Attacking them just to see what happens is probably a good idea.

You would obviously need to have the Bitfinex username and password already to gain anything from disabling someone's 2FA - but even so, disabling 2FA should just not be simple. On the other hand, it could happen that someone does need them to disable their own 2FA for legitimate reasons - like .. your 2FA device is stolen/broken/flushed down the toilet (happened to a friend once) and you do not have a few encrypted USB sticks or a paper backup of the 2FA seed. There is also the question of "what would my family do if I die in a horrible car accident" (hint: make sure a family member you really trust, blood not "love", knows how to clear out your BFX account prior to this happening).

I for one would like Bitfinex to have the option of adding a GnuPG key. If a message comes from my e-mail signed by my GnuPG key then it is likely me. Weaknesses: a) Some customers will inevitably put all eggs in a very weak basket: Their mobile phone. b) your GnuPG key is probably on your computer and you type your password in on your computer so if that is owned..

A quick note on mobile phones here: They are CHEAP. As in get a $50 Android phone JUST for 2FA. Never bring it anywhere and never use it for anything else. If you have 1 Android phone and you a) use it for 2FA b) use it for e-mail and have your username and password permanently stored on it and c) have your secret GnuPG key on it and type your password into it all the time..   You're doing it wrong. If there is also a d) you use this device to login to Bitfinex.. then you are not using 2FA, you're using 1FA as in 1 device needs to be owned and you're screwed.

What I would like to see here is ideas on what the requirements should be for Bitfinex to accept "I forgot my password" and "Please disable my 2FA". My personal view is that the answer could be as strong as "Fly to our office and show us your ID" but I realize that many will not agree..

"Reddit"-style ID could also be a thing: Write the date and "please disable 2fa I screwed up" on a piece of paper and take a photo of yourself holding that and your ID (which they can verify against the verification documents they have in cold storage)? perhaps with shoe on head to top it off? I know this idea may sound a bit silly but ANYTHING is better than "just send an e-mail saying disable my 2fa plz"

Some threat models to consider:

* The adversary has owned your mobile phone. Everything on it is accessible to the adversary (which could include e-mail account, 2FA, Bitfinex login details as you type them in)
* The adversary has owned your computer and everything on it and knows everything you type but not your mobile phone (or your main mobile phone but not your dedicated 2FA phone)
* The adversary has owned your e-mail but nothing else.
* The adversary has owned your Bitfinex username and password but nothing else (only 2FA stands in the way).

I know I've been ranting. I'd just like some input and attention to this issue and I would not like to find my Bitfinex account empty one morning because someone used social engineering and/or script-kiddie level "hacking" to fool them into handing out my password and disabling my 2FA.

I for one think Luke-Jr is the bigger man here.

We all make mistakes. That is alright, the important thing is to learn from them.

My issue with that Gentoo is doing is that they are not making it up to every single node operator, they have made it the default policy.

I did a emerge -u world which updated my bitcoind and bitcoin-qt and I only found out that I got this patchset when I looked in the log and found entries about "blacklisted transactions". I would still have no idea if I had not looked in the log and actively taken action in order to not get this patchset.

I was indeed duped into running this code.

I am fine with people having a choice, that is what Gentoo's USE flags are all about. Making it the _default_ behaviour is making this choice for you.

Yes. What is going on is: You decided to "short in the hole" and you are now "underwater".

What will happen is: Your jimmies will be rustled and you will buy back higher at a loss.

Nordea has promised that customers will get the second charge returned. If the money actually exited their system or if it was just a glitch in their own system is unclear. I am not sure what the law says but I doubt it would come to that as not promising to fix people's balances by reversing the 2nd charge for 2 MILLION people would probably be a bad idea...

What is the biggest problem with this though is that if you went and bought a sofa or something big then you now have a negative bank account balance which may be a problem if you need to buy something such as food for your family.


:-) I know. I just wanted to use the phrase since it seemed somewhat appropriate.

Do not worry, never mind that. There are millions of idle USD sitting there just waiting for the rates to move up, just like there's a million USD sitting in people's accounts waiting for another price-drop which won't come - not that jonny short lately and his friend's aren't trying..

It would appear that the traditional banks have not yet solved the Double-Spend problem (as in double-spend your money even if that means you get a negative balance).

Perhaps they should switch to blockchain technology?

https://www.aftonbladet.se/nyheter/article19660429.ab
http://www.svd.se/naringsliv/visa-kunder-fick-betala-dubbelt_3989501.svd

One of the biggest Swedish banks, Nordea, decided that spending customers money (charging them) twice each time they purchase something with VISA was a great idea. It appears that they did this for a full two days.

This only affected 2 million VISA card holders or 1/4th of the Swedish population. The one-fourth of Sweden who now find themselves with negative bank account balances are not amused. Some have pointed out that not having the money needed to buy food and pay bills available to you is not that fun.

Nordea has promised to "sort this out". Nordea will surely deliver on that promise. We just have to wait.

To me an ideal payment network has the following properties:

- All funds ("coins" in the case of Bitcoin) are equal
- All parties are equal

I like Bitcoin because it does have these properties (for now).

The differnece between the "bitcoind" and "bitcoin-qt" distributed by Gentoo Linux and github

Gentoo Linux currently distribues a version of bitcoind and bitcoin-qt which includes a set of patches by "Luke-Jr". These patches include a hardcoded blacklist. Who gets to be on this blacklist is solely up to "Luke-Jr".

This decision is currently being debated as Gentoo Bug #524512

My main problem with this is that all parties are NOT equal when you have a few select players who are put on a blacklist.

If there is more than an imaginary problem to be solved then the solution should be something which applies equal to everyone. A "solution" which singles out a few select players is not fair, or good.

"If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator."

-President-elect George W. Bush, at a photo-op with congressional leaders during his first trip to Capitol Hill, Washington, D.C., Dec. 19, 2000

There is a word for a management style like the one used to choose who gets to be blacklisted and who does not.


This is not the kind of management style I prefer for Bitcoin or GNU/Linux distributions in general. I am specially sceptical when the person who solely gets to decide who gets blacklisted or not has this to day about his political views:


The technical argument

Luke-Jr has been arguing that SD and sites like it are a "DDOS" on the Bitcoin network for years and years. There is no concensus on this. I personally do not care too much about the technical argument. SD is paying transaction fees for their transactions. If I pay $10 for a cup of coffee then I expect to get one, I do not expect the cafe to take my money and then complain loudly that I am a problem because they have to spend energy boiling the water to make my coffee for me nor do I expect them to tell me that I am doing a DOS attack because I am denying the other customers their coffee while they are making mine.

If there is an actual problem to be solved then this needs to be solved in a way which is fair and equal to all.

Why do I care about this at all? Simple. I like Bitcoin. It has poential. My view is that if the properties "All funds are equal" and "All parties are equal" go out the window then it is as good as dead and both the currency and the payment network becomes worthless. It may be a good thing that there are altcoins in case more GNU/Linux distributions decide to distribute Luke-Jr's bitcoin-qt fork instead of the real thing.

If you have an opinion on this then please comment on Gentoo Bug #524512.

One last little thing: Luke-Jr as repeatedly claimed that I am "trolling" for raising this issue. If you wake up in the morning and you meet a troll then that's just bad luck. If you wake up and meet a troll and the next person you meet is also a troll and you meet trolls all day.. well. you be the judge.

You could

* select "limit" on "order type" next to "margin buy" and
* type in 287 as a price and fill in 0.6 BTC in order size and
* click OCO Order
* then type in 351 in "OCO Stop Price"

OR

* select limit in order type and 0.6 BTC order size and 287 as price, click margin buy then
* select stop in order type and 0.6 BTC order size and 351 as your price, click margin buy

OCO is Once Cancels Other which would place 2 orders and 1 of them gets canceled if the other is hit, see https://www.bitfinex.com/pages/support#oco

Good luck with your shorting in the hole.



It used to be that they do not hold any BTC because their expenses are in USD. I have no idea if this has changed or not.

As for their well-being: More VOLUME is good for Bitfinex, less volume is bad for them. It really doesn't matter if the price is $10 or $1000.

One thing to be very aware of when it comes to DOGE: Liquidity - it does not have any.

Sure, the price may be X but if you want to actually sell more than pocket change then you will quickly learn that what you are actually able to sell it for is X minus 10-20%.

BTC is king because it has liquidity, if you want to buy or sell $100.000 worth then you can do so without much slippage. Try buying or selling the same amounts worth in any altcoin and you'll find that you can't without significantly moving the market. This is why DOGE price movements do not impress me.

Also.. look at #dogecoin on IRC. "OMG THERE IS A 10 BTC WALL" they say.. as if 10 BTC is any amount worth caring about.

I think some people who do not understand technology will like the idea of a Bitcoin bank. They do not get the idea that you can and should be your own bank.

If you do not have the private key for your Bitcoin then you have no Bitcoin - you do have, at best, a Promise to Pay (an IOU).

I guess it depends on how you look at it. Big holders who bought cheap and are looking to offload who say "Buy BTC because it will surely go to the moon" knowing full well that they have 20.000 more BTC to sell and that they will probably have to sell down to $100 before getting rid of everything is doing something that is.. borderline scam.

Bitcoin itself is just a currency and a payment network, calling these things a scam is just stupid.

Keep up the good work. Don't let the haters get to you, haters gonna hate.

The ticker price clearly shows who was right and who was wrong.