Bitcoin Forum
  Show Posts
61  Bitcoin / Project Development / Re: BitCams.com | Now accepting shares | MAY CONTAIN ADULT CONTENT on: July 08, 2011, 12:11:38 AM
The fact that you don't see [Jessy] was trying to help boggles my mind.

Agreed. It's completely baffling.

Initially baffling maybe, but as the thread progressed? Really? I cringed and still cringe at some of Vegetta's reactions, but is it really baffling that he's a human being and wants to be treated with some dignity? Would you be 100% receptive to good advice from someone if they were derogatory or belligerent? Have you ever had a parent or boss that was too harsh even if they were right? Vegetta already said many times that he would take the advice, whether he will use it or not remains to be seen.

On a hopefully unrelated note, teaching him a "lesson" in web security was uncalled for regardless of whom it was. Hopefully it will prepare him and his future endeavors for the attacks that so many other Bitcoin services have also had to grow through.
62  Bitcoin / Project Development / Re: GLBSE closed for the next 12 hours on: July 07, 2011, 11:48:57 PM
Money isn't the problem. The problem is I'm currently based in China.

I've been unable to get a signed cert so far, and I'm not getting one from the Chinese cert auth (that's even more difficult and also insecure).

Also with regards security of self signed certs, it comes down to a question of who do you trust, me or verisign.

http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm

The only issue is the warning that browsers pop up, makes people uncomfortable.
No, it does not come to a matter of trust between you or verisign. It's a matter of trust between anyone with access to your server, man-in-the-middle, and/or verisign. A third party mitigates a man in the middle trust issue. The site you link to makes plenty of arguments for why you should be using a third party signed cert for your production environment.

Self-signed certs are more vulnerable to MITM because a user has no way to verify whether the original certificate or certificate changes are legitimate. A diligent user might be able to tell the difference with the use of other information but an average user will not. A third party will verify certificate changes for you, which makes MITM less likely to be a user "error" in trust. It doesn't fully "solve" anything other than user error (unless they are trained to expect self-signed certs from your site), but it is a must have for a service such as yours.

I don't know how much you looked around, but you can get very basic 1 year SSL certs for free at startssl.com. It's a low assurance cert, but it would be sufficient until GLBSE becomes more important.
63  Bitcoin / Bitcoin Discussion / Re: Kalyhost.com/ AutoVPS.net (same company) will not respond to emails (FRAUD) on: July 07, 2011, 05:34:48 AM
i hate to say this but X day guarantees on web hosting and not VPSs is not unheard of in the industry (at least for budget VPSs anyway). when I was shopping for VPSs, i definitely ran into feedback for unrelated providers with the exact same complaints. it's unfortunate, but not specific to MT. it would have been a nice gesture had he given a refund, but i'm not sure he is obligated.

UPDATE: in fact I would not be surprised if MT was a reseller of the VPS I ran into above, hostrail.com. hostrail appears to be almost totally offline as well. you can see their somewhat misleading TOS here. Boy am I glad I cancelled my VPS with them before shit hit the fan and went with another similarly priced VPS that has stellar feedback.
64  Bitcoin / Bitcoin Discussion / Re: Why use Bitcoin? on: July 06, 2011, 01:48:18 PM
In what way is MtGox less transparent than other exchanges or than what you'd like to see?
Transparency is missing in the reports of support tickets being closed seemingly without any reason behind it. There is important information missing about how they operate, the community is left to guess. During the crash for example, I don't think I was the only one surprised to get confirmation that it was a 1 coder/1 support staff operation. We knew they were looking for help to some degree, we didn't know how far behind they were. We still don't know whether they have hired another coder. I have no doubt most people (myself included) trust mtgox is doing its best, but they leave much to be desired. I don't mean to pick on mtgox about transparency, they are just a prominent and important example.
65  Bitcoin / Bitcoin Discussion / Re: Why use Bitcoin? on: July 06, 2011, 05:58:09 AM
Security: There can be a private company in the future that comes out, and offers to secure these Bitcoins in an undisclosed, safe, offsite location. They can also opt-in to secure these funds up to a certain amount, sorta like how FDIC insured banks are insured today.

Mitigation: It is not Bitcoin's fault that people don't know what they're doing. Once again read my statement above to understand how issues of safety and mitigation can be handled.

Transparency: IT IS NOT BITCOIN'S FAULT THAT MTGOX CHOOSES TO KEEP EVERYTHING BEHIND CLOSED DOORS. IT IS MTGOX'S FAULT.
If you want transparency go http://blockexplorer.com, if not send MTGOX's support an email with your complaints. Thanks.
I already acknowledged these things are mostly not Bitcoin's fault. In order to be successful, the infrastructure built around Bitcoin on the whole has to be up to snuff. That is the point I'm making, they will hopefully be existentially pointless arguments in the future but they are valid right now.

Security: No such service exists, only time will tell which hypothetical ones are actually secure. Moreover this is not a catch all for end-user side security.

Mitigation: I don't think some of the people that have claimed to have had their wallets stolen would say they didn't know what they are doing. Risk mitigation is very hard to do in practice. On the other side people securing their wallets presumably inadvertently destroyed their wallets. True or not, these stories are warnings that we need many solutions for many needs.

Transparency: My point is transparency is not guaranteed because of de facto Bitcoin services that operate like mtgox. This is why I feel it is important to emphasize the voluntary nature of Bitcoin between users and services.
66  Bitcoin / Bitcoin Discussion / Re: Why use Bitcoin? on: July 06, 2011, 05:09:04 AM
security is already a feature if you know what you're doing. and if you don't encryption of wallets will be a feature of the next version. ease of use is coming along with security. that's clear.

Trust: you don't have to trust anyone. that's what the block chain is for.

Mitigation:  again, no risk if you know what you're doing

Transparency:  way more than our Federal Reserve and banking system.

Security: Encrypted wallets won't go very far to protect anyone. Bitcoin needs more than that.

Trust: Trust in any part of Bitcoin is voluntary, and as such susceptible to human folly. So while there is a high degree of trust for the block chain, almost everything else has a markedly lower trust level. The point remains Bitcoin will have trust issues, but the voluntary trust is a huge leap forward IMO.

Mitigation: People often don't know what they are doing, so hand waving that it is not an issue isn't constructive.

Transparency: I agree, but at least some of the transparency is voluntary. I'd like to see more transparency from mtgox for example, even though I still trust the service and love the volume of trading there.

I know my counter points are external to Bitcoin, but they have to be addressed.

I've put some cursory thought into combining offline wallets, offline transaction creation, and online transaction processors but even that has problems (mainly user error, physical security). Having something like that would address some of my issues.
67  Bitcoin / Bitcoin Discussion / Re: Inflationary Bitcoin on: July 06, 2011, 03:59:36 AM
Central bank printing would do exactly zero if every time they doubled the monetary base they also doubled everyone's savings. Think about it.
What about the mattress stuffers? I'm not sure individuals or businesses would be happy that the cash they were holding "on hand" was arbitrarily worth half as much or just a few percentage points in such a visible way. In the current system it takes months/years/decades to feel the effects of your buying power decreasing.
68  Bitcoin / Bitcoin Discussion / Re: Miners and early adopters, make it rain! on: July 06, 2011, 03:27:44 AM
I've put some Bitcoins into projects that I found interesting (similar amounts to the OP). The biggest problem I have found are the best projects (i.e. profitable) aren't actively seeking investment, probably because they don't need it (I'd love to make token investments in bitlotto and bit-pay for example). Projects that do seek investment don't seem to have much of a plan on how they are actually going to generate a return.

One project I made a small investment in hasn't moved forward much in the last month and is probably no closer to generating any sort of return. Looking at the balance sheet made me raise an eyebrow. The other two are recent investments so I can't comment on how they are run.

In any case, yes I do have some coins I'd like to toss at worthy projects.
69  Bitcoin / Bitcoin Discussion / Re: Trading paused? on: July 05, 2011, 09:37:44 PM
the fact that new back end doesn't seem able to keep up with the trade volume is worrying. continuing to use a mysql database for something like this is even more worrying. i sure hope Tux has something better planned, it is disappointing to see growing pains continue while he should have all the resources that come along with being the #1 exchange. operating as a one man show is just plain scary. i'm still cautiously optimistic as long as there is volume...
70  Other / Beginners & Help / Re: cavirtex.com - Canadian Bitcoin Exchange now LIVE on: July 05, 2011, 03:21:02 AM
deposit fees sound pretty sweet, but I'd rather use a high volume American exchange and worry less about trading fees.

Quote
Fees: 1% of transaction value in either CAD (buying) or BTC (selling)
seems a bit steep, especially with all the trading fee specials going on right now.

Quote
0.01 (CAD/BTC) minimum
the trading fees on small trades are unprecedentedly high, major turn off

Quote
No MD5s here: The MD5 hashing algorithm is known to be weak for storing password hashes. We do not use MD5 to hash your password. Nor will we be using something equivalently insecure.
would be better to say what you ARE using BEFORE bashing a documented standard. mystery standards are worse than a well documented bad standard.
71  Bitcoin / Bitcoin Discussion / Re: Mtgox hit $2.99 on: July 02, 2011, 04:08:32 AM
If I were to take the time to setup a secure exchange, how many people would be interested in trading BTC with Canadian dollars??
I would like to see a Canadian exchange, volume is a huge factor though.
72  Bitcoin / Project Development / Re: Bitcoin Off-The-Grid (BOTG): secure savings script v0.1.1 on: June 30, 2011, 03:13:22 AM
is it possible to take this one step further and initiate an offline transaction? think:
1. generate transaction with offline wallet
2. load transaction to a clean medium (blank dvd, paper, whatever)
3. sneakernet to online computer
4. load transaction

if it's possible, i'd take the time to brush up on the language/source and learn how to do it!
73  Bitcoin / Project Development / Re: WeUseCoins: 2nd Video - Content on: June 30, 2011, 02:55:52 AM
Just leaving this thread here in case you ever retake this project:

http://forum.bitcoin.org/index.php?topic=12842.0
seconded. i was thinking the same thing when I saw this thread revived
74  Bitcoin / Project Development / Re: Wallet Manager on: June 30, 2011, 12:29:10 AM
how do you ensure that shred in fact overwrites the physical bytes where the wallet is stored? seems like that would be a problem anywhere that hard drive access is abstracted (any modern file system/OS), especially in the case of solid state drives.

Put simply, I don't. This is a problem with shredding algorithms in general. All of the limitations of shred(1) are inherent here as well.

However, it is more secure than a normal delete (which itself is more secure than the default delete function of most file managers which send the file to a rubbish bin) and it should stop most simple undelete programs (It won't stop high grade forensic programs).

The only way to be totally secure is to shred the whole file system!
cool, that's what I expected. I mostly wanted to know that you had considered the possibility and don't want people to have a false sense of security when using the shred feature. maybe you can make that clear somehow without being obtrusive.
75  Bitcoin / Project Development / Re: GLBSE's latest updates (an early Christmas present for non-techies) on: June 30, 2011, 12:17:50 AM
I use GLBSE, but am not affiliated with them. GLBSE uses a self-signed certificate, which means GLBSE did not pay a third party to sign the certificate. what this means is that you get a nasty warning from most web browsers because of some of the disadvantages of a self-signed certificate I will explain later. while these disadvantages are a potential risk, a self-signed certificate CAN be secure and IS safer than not having a certificate. a self-signed certificate allows you to communicate with the site securely without the cost associated of a trusted certificate authority.

that said the disadvantages of a self-signed certificate are:
-you must trust the certificate that you are presented is good (you can add it as a permanent exception, which will be used by your browser for future comparison)
-you must trust that when the certificate changes that it was not changed by a malicious third party such that they can eavesdrop on or from the secure connection with the site

compared to a trusted certificate where
-you must trust that a disinterested third party (trusted by your browser) trusts the certificate AND that the site and the third party have not been compromised
-you must trust that when the certificate changes that the disinterested third party (trusted by your browser) trusts the certificate AND that the site and the third party have not been compromised

EDIT:
there are ways to get free trusted certificates, so those are definitely worth looking at
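
The comparison the post above describes (a stored exception that later connections are checked against), as an added example that is not part of the original post: a minimal trust-on-first-use pin store. The host name, the placeholder certificate bytes and the `published_fp` out-of-band fingerprint are assumptions made for the illustration.

```python
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the certificate's DER bytes, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-host pinned fingerprints: the browser's 'permanent exception' list."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, der_cert: bytes, published_fp: str = "") -> str:
        seen = fingerprint(der_cert)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against. Only pin if the
            # fingerprint matches one obtained over a separate channel.
            if published_fp and hmac.compare_digest(seen, published_fp.lower()):
                self._pins[host] = seen
                return "pinned"
            return "unverified-first-use"
        if hmac.compare_digest(seen, pinned):
            return "match"
        # Certificate differs from the pin: legitimate renewal or MITM.
        # The pin alone cannot tell which, so refuse until re-verified.
        return "changed"


# Constructed sample data: placeholder byte strings standing in for DER
# certificates (in real use: ssl.SSLSocket.getpeercert(binary_form=True)).
SITE_CERT = b"constructed-sample-cert-A"
OTHER_CERT = b"constructed-sample-cert-B"
HOST = "exchange.example"  # hypothetical host name


def demo():
    store = PinStore()
    return [
        store.check(HOST, SITE_CERT),                           # no out-of-band value
        store.check(HOST, SITE_CERT, fingerprint(SITE_CERT)),   # verified, pinned
        store.check(HOST, SITE_CERT),                           # later visit
        store.check(HOST, OTHER_CERT),                          # certificate swapped
    ]


if __name__ == "__main__":
    print(demo())
```

The "changed" result is the second disadvantage in the list above: the pin detects that the certificate is different but cannot say whether the site rotated it or someone is in the middle.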
76  Bitcoin / Project Development / Re: Wallet Manager on: June 29, 2011, 05:32:23 AM
how do you ensure that shred in fact overwrites the physical bytes where the wallet is stored? seems like that would be a problem anywhere that hard drive access is abstracted (any modern file system/OS), especially in the case of solid state drives.
77  Bitcoin / Bitcoin Discussion / Re: Someone tried to retrieve my mtgox password on: June 28, 2011, 01:36:35 AM
at first i thought it was someone trying to reset my password because the IP was off. then I thought it was a phishing attempt when i saw the reply to address was weird after responding. i don't know what to think now, but i'm still leaning toward phishing :-/

in any case i forward it to mtgox which triggered the support site to create a ticket, hopefully i'll hear back from them.
78  Bitcoin / Project Development / Re: Bitcoin Off-The-Grid (BOTG): script for very secure long term saving address on: June 27, 2011, 05:54:23 AM
heh, i'm in the same boat. too late for me to review/test it out, might be helpful advice for people that don't want to use "real" BTC when they test it out.
79  Bitcoin / Project Development / Re: Bitcoin Off-The-Grid (BOTG): script for very secure long term saving address on: June 27, 2011, 05:48:31 AM
if you ever need to test something, you should try learning about/using bitcoin in testnet mode. the testnet faucet is quite generous if you don't want to mine for them. transactions can take a long time to validate however.
80  Bitcoin / Bitcoin Discussion / Re: A Secure and Redundant Savings Wallet Concept, Hopefully on: June 26, 2011, 06:34:53 PM
i would agree with not trusting a hidden volume, but could we agree that it would be safer than a non-hidden volume, except perhaps barring damning evidence supporting otherwise?