Bitcoin Forum
801  Economy / Trading Discussion / Moneybookers? on: June 23, 2011, 06:20:22 AM
I've got some potential international customers and I'm thinking of doing a bit of business via Moneybookers, but I'm getting conflicting information. Half of the googlesphere thinks moneybookers transactions are reversible, the other half thinks they're not and then a small fraction are saying that folks have had accounts suspended for exchanging BTC, yet there are a couple exchanges that do business in MBUSD... Maybe I just haven't spent enough time on IRC or something. Does anyone have a real answer for me?
802  Other / Off-topic / ASP.NET Membership Provider? on: June 22, 2011, 11:36:15 PM
So I figured I'd ask since you all seem to be a security-minded bunch and there are probably a bunch of programmers hanging about.

For my day job I've recently dusted off my C# hat to write some ASP.NET stuff for our intranet site and today for the first time, they didn't want an Active Directory based single-sign-on for a particular page. Now I've never used anything else via ASP.NET - it's basically the only reason I dust off the C# hat at all - super easy to do SSO in ASP.NET, giant pain in PHP.

Anyway, I found the whole process surprisingly easy. I've got a SQL database configured and secured, bumped up the hashing algorithm to SHA512, enforcing password complexity was as simple as setting a couple flags in Web.config... This is way too easy, right?

So aside from the troll-ish replies involving such classics as "Microshit" "Microshaft" "Micro$oft" etc. how good or bad IS the security built into ASP.NET's Membership Providers? Just glancing at the database it *seems* like they've done everything I would've done by hand but it also *seems* like it'd get used a lot more if it were all that secure.

Is it just a cost-of-entry thing? Anti-Microsoft sentiment? Or is it actually broken in some way I've yet to identify?
803  Bitcoin / Bitcoin Discussion / Re: Opening a BitCoin exchange is futile - ready why on: June 22, 2011, 09:32:52 PM
Just because an exchange is regulated doesn't mean it won't crash. And conversely, an exchange being unregulated is not a guarantee that it will crash.

Exactly, regulation has less to do with success and failure and more to do with political outlook:

Quote
The central principles of capitalism in its purest form are

1) free exchange of goods in an unregulated market;
2) limited taxes to pay for limited government, and
3) private ownership of property.

The central principles of socialism are

1) government control or regulation of the market;
2) high taxes to pay for expanded government services; and
3) government ownership of major industries (particularly large industries that are prone to monopoly control).

The central principles of Georgism are

1) free exchange of goods in markets, with limited regulation of commerce;
2) no taxes on labor; high taxes on certain kinds of property;
3) private ownership of property, but fully offset by taxes that virtually eliminate unearned wealth.

source: http://povertythinkagain.com/controversies/a-word-from-the-sponsor-of-the-film-the-end-of-poverty-georgism-capitalism-and-socialism/
804  Bitcoin / Bitcoin Discussion / Re: So, what happens when mining for Bitcoins becomes unprofitable? on: June 22, 2011, 07:59:23 PM
It's unlikely to ever become unprofitable though it may become somewhat less profitable. Mining has an associated cost, unless you live in a dorm or with your parents - and if you're mining at any real scale in a dorm or parents' basement, someone is going to come yelling at you about the electric bill REALLY soon...

If most people can, after cost of operations, make $1,000 per month from a small mining operation, that's cool and they're likely to keep doing it. They might even buy new hardware to expand their operation, thus increasing the total hashrate of the network and driving difficulty up - therefore driving profit down.

If, after cost of operations, they can make $100 per month from that same operation, some will keep mining, but are highly unlikely to expand, and many will decide that the time, electricity, air conditioning, noise and heat are simply no longer worth it for a mere $100. Now the hashrate decreases and difficulty goes down.

Difficulty is similar to price in that they are both trying to find some stable equilibrium. If mining ever does dip into "unprofitable" territory it will likely only do so for a very brief time, similar to the value of BTC after the $31 bubble burst and it found its way back to equilibrium. Realistically there will be a level of "less profitable" that miners will begin to leave at, thus balancing around a particular difficulty/price ratio.

Homeostasis applies to more things than the populace at large seems to realize, and it applies here too.
805  Bitcoin / Bitcoin Discussion / Re: Opening a BitCoin exchange is futile - ready why on: June 22, 2011, 07:35:10 PM
I've thought about this a little and here's what I've come up with so far:

Marijuana is a banned substance (much like bitcoin may be some day) but it still has a market (dollar) value. It is its own commodity. Its value is determined in a decentralized fashion - through the millions of individual exchanges everyday. This creates price discovery and the price is communicated through the users - decentralized of course.

As a banned substance, marijuana has a higher exchange value than if it were allowed to be freely traded. If bitcoin is banned I see it as also having a higher exchange value than it has right now.

Comments?

Have you tried smoking a Bitcoin yet?

If smoke comes out of one of my mining rigs' GPUs does that count?

Of course... I didn't inhale...
806  Bitcoin / Bitcoin Discussion / Re: Opening a BitCoin exchange is futile - ready why on: June 22, 2011, 07:20:53 PM
As for the thread: I don't see a problem with Bitcoin being a "shadow currency". That's the whole purpose. Why would I want to buy or sell BTC for USD/EUR if I happen to mine an accepted currency without any money trails?

My handle is too easy to tie to my real identity (seriously, google me, dig through the Japanese rap shyte [I had the name first, I should sue!] and you should know who I am in ~30 seconds)

If I weren't so easily identifiable I might have something to say about this... I mean I *am* a miner, and I *do* keep some of my earnings in BTC but I'm also not buying anything on silk road or otherwise subverting any governments or breaking any laws.

That's my story, I'm sticking to it and you can't prove otherwise
807  Bitcoin / Bitcoin Discussion / Re: Opening a BitCoin exchange is futile - ready why on: June 22, 2011, 07:05:08 PM
For the moment, at least, bitcoin is recognized (legally) as more of a product or commodity. This means that the legalities of running an exchange at present are a bit less like the stock exchange or a banking institution and much more like a specialized version of eBay. eBay matches sellers of various products with people willing to give them money for said products, which is exactly what a bitcoin exchange does also - match sellers of bitcoins (legally a product, not a currency or stock) with people willing to pay (in USD/EUR/etc.) for that product.

Now given enough time the legalities might catch up and decide once and for all what bitcoin truly is (currency? commodity? product?) and legalities may change, but it'll likely be at least a few years before that happens. Legal wheels turn slowly.
808  Bitcoin / Bitcoin Discussion / Re: Value of Gold Value of Bitcoins on: June 22, 2011, 04:52:55 PM
There is one missing reason why gold has value. An irrational belief in gold's value. Gold does have a few special properties, but its value is just an illusion that we have come to accept. Of course if everyone buys into this illusion it creates real, tangible value.

Been trying to tell people for ages that things only have whatever value we perceive them to have. Gold, silver, etc. seem valuable because they have some properties that make them ideal for use as coins (durable, don't rust, etc.) and so having used them as money we directly associate them with our concept of value. In terms of scarcity, we should be valuing helium much more - we're running out of the stuff at an alarming rate and with no easy method of cheaply producing more the stuff should bring $100 or more for one balloon's worth, but we don't associate it with value. Of course it does have industrial uses so pretty soon we'll be associating helium with money one way or another... This is just one example.

Paper money? Worthless.
Gold? Worthless (except for limited industrial value; also, people like to wear shiny things).
Silver? See: Gold.
Diamonds? See: Gold.

Iron? Our world is built around this stuff but you don't see it for $50 an ounce do you?
Water? Just try living without it.
Food? See: Water.
Helium? Do you like having MRI machines, LCD screens, or pretty much any technology created with machines that require a stable sub-zero coolant?

Unfortunately scarcity and utility seldom dictate market price. Luckily folks of my generation and below tend to associate technology with value so a tech-based currency/commodity might have a future after all.
809  Bitcoin / Mining / Re: where are miners selling now days with mtgox having issues? on: June 22, 2011, 12:30:20 AM
not selling as long as the market under $20

This.

Also TradeHill has a pretty decent feature set and lower rates than Mt. Gox anyway. I've even switched my web site to their API feed and have no intentions of switching it back. Mt. Gox isn't just having issues, it's having death throes.
810  Bitcoin / Bitcoin Discussion / Re: Mt.gox claims page is up on: June 21, 2011, 10:57:31 PM
Not only is *.mtgox.com down for me but because their site is sort of half-assed accepting connections and squeaking just enough data through to keep the connection alive it's also brought down MY site which used the MtGox API for statistical analysis.

Of course Drupal doesn't make anything easy... I think I'm going to have to go in through the freaking database and try to edit my PHP blocks there

They really shouldn't have tried to open this to everyone at once. Stupid choice... Really stupid choice...

Edit: Managed to find the problematic block in the database and edit my PHP there - neither easy nor fun. Site is now back up with TradeHill's data and will probably stay that way even if Mt. Gox comes back up some time this week. Sorry MT, I just had to edit PHP with no line breaks in a database because you can't shut down your site when it's obviously broken, you've lost another one.
811  Other / Beginners & Help / Re: BitcoinCard - take your bitcoins out for a walk on: June 21, 2011, 10:20:52 PM
I have a suggestion.

Part of why mag-stripe cards find more use than smart cards is because they are cheap and ubiquitous. Every merchant on the planet has some device already which scans mag-stripe cards and if they somehow don't (or use an embedded device) they can be had for less than $20.

When base-64 encoded, the public and private keys for a single wallet are plenty small enough to fit on the two tracks readable by most devices. Simply use a block cipher of some sort and a standard PIN number to secure the private key before burning to a card, write a little software to b64decode the keys and you're good to go. More merchants will accept a mag-stripe solution than a smartcard solution because it either uses hardware they already own OR it requires less expensive hardware.

You may also consider hacking together a small embedded device that handles all of this for the merchant and just needs a network connection. Once bitcoin gets ported to Android successfully you could easily write software for a smallish tablet like the Archos 7, which has a USB host adapter cable that allows keyboards and other HID compliant devices (like mag-stripe readers) to be attached. It's also fairly cheap in the $130-$150 range.

Merchants like easy, merchants like familiar, and merchants definitely like cheap. Give them something with a < $200 buy-in cost that will bring them niche business from the bitcoin folks that won't cost them monthly fees or steal a percentage of their profits and they will come in swarms. Make it convert to USD and deposit in Dwolla or such automatically and it'll be an even easier sell.
812  Economy / Trading Discussion / Re: MTGOX claim site is up on: June 21, 2011, 08:42:08 PM
This goes far beyond, one account, a measly $1k, and a user database. this means anyone who used the same password for their email could have the passwords to other accounts recovered to the email without knowing the original. so get access to the email. find where they have accounts. paypal, bitmarket, banks, this forum, their mining sites, dating sites, dwolla, liberty reserve, everything. they might have sent an encrypted zip of their wallet to themselves via their email. they might have had a very important conversation with someone. money pak numbers in emails. endless possibilities. amazon accounts, ebay, godaddy, etc. etc. etc. this spiderwebs out.

even lulzier is bitcoin is a community of people who mine by decoding hashes. someone with a killer mining set up could rainbow table the shit out of any encryption.  md5 encryptions can be easily cracked by morons via sites like md5decrypter.co.uk and the freebsdmd5 hashes by processes like this http://hansatan.com/?d=jtrguide

So they're going to dictate the price at 17.50 when the exchange comes back.  who values this shit at $17 right now? someone bought a fuckload for penny each. and we're supposed to buy at $17.50. i mean that's all fine and dandy for everyone getting out of bitcoins, but that's no good for the market in general.

mtgox is a buncha fuckups who lost lots of people a lot of money, set back a revolution and won't take responsibility for handing out the database to an auditor for reasons unknown. i know what auditors do, no reason for him to have emails and logins. fucking morons down at mtgox have fucked up big time.

It's a good thing you're long-winded because otherwise you would win my "most fails per word" award...

Let's take these one at a time...

even lulzier is bitcoin is a community of people who mine by decoding hashes
No, we generate hashes until they fall below an arbitrary value, hashes cannot be "decoded" only recreated. This is similar to the way a brute force hash-collision attack works, but not quite the same.

someone with a killer mining set up could rainbow table the shit out of any encryption
Not every encryption schema is susceptible to rainbow tables. As a matter of fact, no one really uses rainbow tables for encryption because you'd have to have a sample for every possible plaintext encrypted with every possible key to do so, which would result in immeasurably large files. We use rainbow tables for hashing algorithms. Furthermore, aside from a handful of very old accounts, Mt. Gox did at least use salt with their MD5 which renders rainbow tables ineffective and requires time be spent to specifically brute force one password at a time. If you had a password of sufficient complexity, you would still be safe from this attack for a pretty reasonable period of time (measured in years).

So they're going to dictate the price at 17.50 when the exchange comes back.  who values this shit at $17 right now?
No one does, not even Mt. Gox. The price is rolling back to $17.51 because that's what the top (most recent) transaction in their database was at when the attack occurred. When the system comes back online, it will be free to move in whatever direction the market is currently valuing BTC at. People will cancel their buy/sell orders and place them at more reasonable points surrounding the current trade value.

someone bought a fuckload for penny each. and we're supposed to buy at $17.50
Yes, but it really only matters what someone was able to cash out after buying at $0.01. I don't have the post in front of me but "Kevin" claims to have been able to cash out ~600 BTC, worth around $8,000 at current market values. Still quite a bit of cash, but not the "fuckload" you claim or the 263,000 that were actually purchased before the rollback.

mtgox is a buncha fuckups who lost lots of people a lot of money, set back a revolution and won't take responsibility for handing out the database to an auditor for reasons unknown. i know what auditors do, no reason for him to have emails and logins. fucking morons down at mtgox have fucked up big time.
Now I do at least agree with you a bit here. I might use more "grown-up" language to express my opinion of Mt. Gox but I do feel that they've managed to hurt the bitcoin economy and community via their poor security. I also agree that unless the "auditor" was actually a security auditor, he/she had no business in the login database. It might be the case that Mt. Gox stores their login data within a table in the same database as their trades, which would be one more security failure on their part in my humble opinion.

anyone who used the same password for their email could have the passwords to other accounts recovered to the email without knowing the original
Although you wrote this in the most convoluted way possible, I think I understand you to be saying "if people used the same passwords in multiple places, this could lead to the compromise of even more accounts" which would be true. Of course this is why we always say to never use the same password for multiple systems, not that anyone listens. This is one of the few places where the onus of security is placed squarely on the shoulders of the individual; Mt. Gox could have forced secure passwords upon their users, additional authentication factors, all kinds of things - but they can't force their users NOT to use their GMail password at the exchange.
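
Added example (not part of the original post, and not Mt. Gox's code): a small Python audit of the point made above about salt. It assumes a simplified md5(salt + password) scheme, a plain precomputed lookup table standing in for a rainbow table, and constructed users and wordlist.

```python
import hashlib
import os

# Constructed sample data for illustration; nothing here comes from a real dump.
WORDLIST = ["password", "123456", "bitcoin", "letmein", "qwerty"]
USERS = {"alice": "bitcoin", "bob": "bitcoin", "carol": "Vq7#tLm2&xRp9"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(users):
    """Legacy-style storage: identical passwords give identical hashes."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}


def store_salted(users):
    """Per-user random salt (assumed scheme: md5(salt + password))."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(8)
        db[user] = (salt, md5_hex(salt + password.encode()))
    return db


def build_lookup_table(words):
    """Precompute hash -> word once; reusable against any unsalted dump."""
    return {md5_hex(w.encode()): w for w in words}


def table_hits_unsalted(table, db):
    return {u: table[h] for u, h in db.items() if h in table}


def table_hits_salted(table, db):
    # The table was built without the salt, so stored values never match it.
    return {u: table[h] for u, (_salt, h) in db.items() if h in table}


def per_user_guessing(words, db):
    """With salt, every record needs its own pass over the wordlist.

    Returns the recovered passwords and the number of hashes computed.
    """
    found, hashes = {}, 0
    for user, (salt, stored) in db.items():
        for w in words:
            hashes += 1
            if md5_hex(salt + w.encode()) == stored:
                found[user] = w
                break
    return found, hashes


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    unsalted, salted = store_unsalted(USERS), store_salted(USERS)
    print("table vs unsalted:", table_hits_unsalted(table, unsalted))
    print("table vs salted:  ", table_hits_salted(table, salted))
    print("per-user guessing:", per_user_guessing(WORDLIST, salted))
```

The salt removes the precomputation shortcut, but a password that sits in the wordlist still falls to per-record guessing; only the complex password survives both checks.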
813  Other / Beginners & Help / Re: What will happen to bitcoin when it gets cold? on: June 21, 2011, 08:03:12 PM
Haha a great prediction but I don't think that will make a large enough impact on the Bitcoin. Serious miners will mine no matter what season it is, even if it's freaking 40 Celsius in their house due to the heat of the rigs they will still keep mining. You could also make a prediction that the Bitcoin will go down in the summer because you could make your rigs run on solar energy costing you nothing.

Not quite 40C in my house (~104F for my fellow non-metric Americans) though it IS that hot outside (I live in Las Vegas).

Air conditioning plus two portable window-mounted AC units running at 100% 24/7 can keep my house at 74F/23C at night but during the day it sometimes hits 85F/30C. Not dangerous by any means but certainly uncomfortable. I long for winter.
814  Other / Beginners & Help / Re: MTGOX Almost Back up on: June 21, 2011, 07:59:26 PM
But who i'm that i trust my bitcoins to mtgox now! Did they cleaned up the hole story?

I'm that who trust but bitcoins now in your hole!
815  Other / Beginners & Help / Re: Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID on: June 21, 2011, 12:29:40 AM
I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"

That principle is wrong from the very basics.
You can't increase security through forcing a human being. Idiots are particularly clever to circumvent a foolproof design.
If you force arbitrary formatting of a password, they WILL write it down and paste it on the monitor, making it available to anyone who walks by the office.

We must break the paradigm of "strong=difficult passwords". You shouldn't force anyone, you must invite them to adopt it.
We must make "strong=easy passwords" for the users, that is easy for the user to remember and computationally difficult to crack.
The first two examples I give in my previous post are damn easy once you "get it" and it is a nightmare for the cracker.

A password like this: "De345tgfr." it's a nightmare for a cracker.
Try typing it in the keyboard (go ahead, type it with one finger).
As you can see, forms a determined and easy to remember pattern on the keyboard.
It is damn easy to remember because I exploit the "procedural memory" (your "finger memory").
That is the first method I discuss in my previous post.

The RSA SecurID type of security is the ideal one for the end user... there are more experimental and sophisticated methods of authentication based on the fingerprinting of your typing rhythm: you type a text in a particular way, and that becomes a very precise biometric data.
I tested a few solutions (web based) and they are really amazing in their accuracy.

But until those solutions become standardized and open to the public, the people should be security conscious.
Forcing them is not the solution, educating them is.
Regards,

It may end up on a sticky note on the monitor but that leads to a single user having their account stolen for their own stupidity. Failing to enforce a strong password policy leads to MANY users having their accounts compromised for the SITE'S stupidity.

Not every individual user is perhaps best served by strong password policies, but the user-base as a whole certainly is and for a site with some 60,000 users, a utilitarian approach that protected 59,900 of them would have been preferred and in fact would likely have stopped this attack, provided the compromised account was not one of the few old enough to have an un-salted hash. Even if Mr (or Mrs?) 500,000 BTC had written their forcibly-made-stronger password on a post-it next to their mousepad that would be meaningless to an attacker with a database dump who would not have physical access to said post-it.
816  Other / Beginners & Help / Re: NEWBS WANTED on: June 21, 2011, 12:20:18 AM
From the site:

Quote
If your sending from the Bitcoin client

I never trust someone with money who can't be bothered to run spelling and grammar check before posting on their supposedly professional page. I overlook your/you're and there/their/they're on forums and such, this is an informal method of communication, but to plaster it on the main page of your web site is something else.
817  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 12:03:16 AM
Kevin, after what Mt Gox did in the "their side" thread to try and CONNECT YOU with the hacker, I sure as hell hope you file that injunction.
I sure hope too, will make it easier for us.

OH SNAP! IT'S ON NOW SON!
818  Bitcoin / Development & Technical Discussion / ExchangeCoin? on: June 21, 2011, 12:00:38 AM
So I'll fully admit, I'm NOT programmer enough for this project - I have a decent high-level understanding of a lot of what would be involved but I am nowhere near competent enough to actually write the code. Instead I'm just going to suggest an idea and see if someone who DOES have the skills will run with it. Perhaps if others like it enough we could even start a Bounty or something.

In light of the recent Mt. Gox issues I think it's time we built a distributed exchange. NameCoin has already proven that you can use a BTC-style blockchain to store non-coin data like DNS so why not provide a modified client that holds a buy/sell order database and matches buyers with sellers? The client could support a small variety of payment processors to begin (dwolla, etc) and expand with time. If the client interfaces directly with, for example, Dwolla's API then it should be able to transfer funds directly from my account to my seller's account, bypassing the middleman entirely.

I'm sure there is some obvious technical limitation that I'm missing or this would have been done already, right?
819  Other / Beginners & Help / Re: Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID on: June 20, 2011, 11:52:02 PM
I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"
820  Bitcoin / Bitcoin Discussion / Re: Which Bitcoin Exchange Can You Trust? on: June 20, 2011, 08:45:14 PM
I personally like Britcoin, it's not very big but you know someone takes things seriously when they refuse to store any passwords at all on-site and put the source code for the exchange on github.

Hmm well this is totally cool, now the hackers know exactly what sorts of attacks will work by analysing the source code for vulnerabilities. I don't recall any wall street banks leaving the schematics for their security systems lying about on the roadside for any gutter trash to read, do I?

It's secure because anyone can view it.

This is PHP code, not something flying the space shuttle, you can know it's safe by having everyone have a look.

I believe we're talking about Linus' Law (http://en.wikipedia.org/wiki/Linus'_Law) - "Given enough eyeballs, all bugs are shallow"