I've started asking some security questions of the exchanges where I have an account.
I wish this questioning had previously been asked of another exchange that I was using before they had suffered a security breach recently.
So, I'm submitting these questions here and looking first specifically for the answer to:
- Does BitSTAMP use cold storage (an offline wallet that cannot be accessed should the exchange's service become compromised)?
If so, then there are other questions:
- Is there a target as to how much of customers' funds are kept in cold storage? (e.g., percent of total, or perhaps relative to recent withdrawal requirements)?
- Do new deposits go to cold storage? (If the hot wallet is compromised, new deposits made (e.g., automated payouts by mining pools) would still be secure.)
- Does the offline wallet where the cold storage resides remain protected due to an "air gap" (no access to it electronically, not connected to the network)?
And I have other questions that I'd like to know the answers to:
- Does BitSTAMP maintain full reserve? (i.e., BitSTAMP controls bank accounts with all customer funds (fiat, USD, EUR, ?) and controls wallets with 100% of BTC funds. i.e., none of these amounts loaned out.)
- Does BitSTAMP maintain offsite backups of its accounts and transactions? If for some reason the exchange's primary account database were lost due to a security breach, what information (and how recent) is still available from backup or archives?
- If there is a security breach and BitSTAMP cannot meet withdrawal requests of its customers, what is the withdrawal preference that BitSTAMP would follow? Various preferences are:
  - A.) All deposited funds are of equal standing, with bitcoins being valued at their market rate at the time of the loss,
  - B.) Withdrawals of USD funds, if not impacted by the breach, are made available in full to those customers who held a USD balance.
  - Do customer deposits have preference over any other creditor claims? (i.e., a contract stating so, such that they don't become unsecured creditors ending up in the same pool as the landlord for office space and the hosting bill.)
  - or is there some other approach?
If there are other security-related details that are relevant that you would be willing to share (e.g., physical security, staff background checks, dead man's switch for wallet, etc.), feel free to do so.
- Does CampBX maintain full reserve? (i.e., Camp BX controls bank accounts with all customer USD funds and controls wallets with 100% of BTC funds. None of these amounts loaned out.)
I see this question (and perhaps others) is addressed in another thread -- one which I wish I had seen earlier, as that thread is the right place for this line of questioning. (If responding, please feel free to respond there.)
- No fractional reserve: We hold 100% of user funds in reserve at all times
- All banking done on-shore in the USA
- We do not do business with companies that don't have a registered office in the USA. (Paxum, Liberty Reserve)
It's a joke people. I see some forum users understand this.
There is not a humor forum. There is a board for Off Topic, that might be a better place. The Gambling board is not the right place for your joke. Please move it. The link is in the bottom left.
Weekend dip indicator is GREEN:
Will the weekend dip strategy pay off a second week in a row?
[...] about $10.80, so that's the amount I'll use in determining if the weekend dip strategy succeeded yet again at generating profit.
Doh! Well, that was a disappointment (to those holding dollars over the weekend) -- as the expected dip didn't dip! My reference trade on Thursday followed by the reverse trade just a bit ago ended up seeing a nearly 3.5% loss as a result. These patterns work until they don't. Now there's no denying one thing -- a whole lot of people just learned of Bitcoin (or heard of it before, but this is now perhaps the third time they hear of it) due to the Romney tax blackmailing, and as a result that might have resulted in either new buyers and/or sellers simply being less willing to sell, seeing the web traffic. Or it may have had little effect and no dip would have occurred anyway. Who knows. Here's the Google Trends 30-day for Bitcoin. This isn't just a spike and quick drop ... this has been high since the Bitfloor debit card news, then the rally to $15 and then the pirate mess, and has stayed high since.
- http://www.google.com/trends/?q=Bitcoin&ctab=0&geo=all&date=mtd&sort=0
[Edit: The link showing the first burst of media attention in late August:
- http://bitcointalk.org/index.php?topic=102713.0 ]
Can the mods elaborate on this policy and in what contexts admins may read private messages?
This was touched on here: Deleted posts are almost never removed from the database. A PM is removed from the database if the sender and all recipients delete it.
Full database backups are created daily, and all global moderators and admins can download the (encrypted) backups and implement their own rotation policies.
they can download the backup to have it at multiple locations, but it's useless for them because they don't have the decryption key
This. Only me, Gavin, Satoshi, and Sirius can decrypt it. Global moderators can download the encrypted database backups. Admins and past admins (Gavin, Satoshi, Sirius, me, and now justmoon) can decrypt them -- they therefore have complete access to the database and can read PMs, etc. Justmoon and I can also query the live database.
Ah, so you're already reading the pms. Good to know. Who else are you snooping through?
I only scanned through them to make sure that the SQL query (to archive them) worked as I intended. The PGP message blocks stood out. I only read others' PMs without their permission during scam investigations, and I've only read a user's entire inbox a few times. That thread, starting from this quote tells more on the topic: You are going to make PMs public or give it to the police?
I will give them to the police if the police ask for them. Otherwise, I may post them publicly to help people find Pirate and obtain justice. Pirates are hostis humani generis. I'm not going to preserve the privacy of someone who stole 500,000 BTC.
- http://bitcointalk.org/index.php?topic=104261.msg1145182#msg1145182
Since that time there was an addition: Stefan Thomas (justmoon) is now a forum administrator. He can therefore access the database directly and see IP addresses, etc.
And apparently one subtraction: How many admins do we have on bitcointalk now?
Two. Gavin recently decided to stop being an admin. The cautionary statement added to the bottom when you send a PM was requested here: Legality aside, decency would suggest you should put a notice on the "private message" page stating that the messages are not private and may be read by moderators.
They're "personal messages", not "private messages". I think it's obvious that the administrators of a site will check PMs when necessary, but I added a note to the page. [Edited: Added some additional references]
user paraipan sells btc for UKASH
PM him
And, for others seeing this, paraipan's service, Mercabit.eu, has a contact page: - http://mercabit.eu (Currently shows "Not available", but earlier this past week it was showing "Available").
I think his point was that a "syndicate" of pool ops could form a majority of the network and go rogue, forcing everyone else to either accept the changed rules or risk breaking the network due to having much less hashing power to secure it.
The nodes following the protocol won't even relay those blocks. So the only ones that would know about them are in this mining cartel/syndicate. That becomes a hard fork condition and the economic majority is unlikely to accept a fork which devalues their coins.
I imagine new members always need to look out for scamming? Any guides around on member suggestions to prevent scamming?
- http://en.bitcoin.it/wiki/Secure_Trading
- http://wiki.bitcoin-otc.com/wiki/Using_bitcoin-otc#Risk_of_fraud
USE ESCROW. Can't stress this enough. If someone refuses, then stay away.
I don't know if any escrowed funds got caught up in this post-pirate meltdown but some of the well known escrow providers are defaulting to their lenders. I don't know if that means those using them for escrow also ended badly. Essentially you don't want your escrow party to do anything with your escrowed funds but just sit on them and keep them safe until they are to be released per the terms of the agreement.
Send me money and I will return 20% of it. Guaranteed!11!!
1N57qnfaUPMq3prfEmew9ghEejAojGuoSE
Either you are trying to be humorous (ha ha, who would fall for that) or you are trying to scam as someone might misinterpret that to mean 20% returns (which is how the finance industry refers to 20% profit, or return of principal plus 20%.) Please either move this to Off-Topic (as this is not a gambling-related post) or ask a mod to delete.
I am looking for some mill/lathe work done for btc. I've got some ideas I need prototyped. Parts will be of delrin. Pm me if you're interested.
Where (geographically) are you? How does this work ... you send specs and then the finished item is shipped to you?
I am bumping this thread because I am curious how ASICs change the game plan. I hope coinlab has managed to get something done for half a million by now, but there is nothing new on their Website.
Protect your future GPU mining earnings with CoinLab's 95-97% PPS Pool - http://bitcointalk.org/index.php?topic=99643.0
That's awesome! I had tried using pywallet and it reported an error opening the wallet. Do you have a link to the pywallet release that you used?
Isn't this what the signed message in the new client is all about? Thus, you get the cooperation before the transaction and then afterwards it obviates the need for a he said she said.
No, that just ensures that a message was signed by the owner of that bitcoin address. That doesn't help me to prove that the merchant truly requested payment to that address. If addresses were static, then I could be reassured that since others were successfully using that address for payments that I could use it as well, but since Bitcoin only works when there is a different address for each payment then I see the situation where payment is made and then the merchant claims that the address isn't theirs and they aren't sure how or why the customer sent payment to that address.
I have 40 BTC to sell for MoneyPak. I will sell at MtGox Last Rate. Looking for 1:1
Here's someone wishing to do a trade.
- http://bitcointalk.org/index.php?topic=107150.0
You probably are already well aware of the risk, but just for anyone else's benefit, MoneyPak is a reversible payment method and is frequently used to defraud traders. Consider your counterparty's trust history before sending your non-reversible bitcoins away.
p.s. If someone posts a link to btcpak or similar they get a punch on the nose.
Good thing you put that there, because that was the next thing I was going to suggest.
Bitinstant being down
BitInstant is down? Shows "All Systems GOOD" right now ...
I have money but I want the BitCoins instantly, and I know that this website is the fastest way to get BitCoins from the Hero Members, but I am not sure how, or who I am supposed to go to, to give the MoneyPak to, to get the BitCoins. Can someone please help?
MoneyPak is an excellent way to cash out of bitcoin, where you then use that MP to reload a debit card or PayPal, for instance. But MoneyPak is a horrible way to try to buy bitcoins. The problem is no commercial service can accept MoneyPak as payment for the purchase of bitcoins. Green Dot doesn't want that happening. They only allow you to use the MoneyPak codes with authorized merchants or for loading funds to your own debit card. So the only place where trading MoneyPak for bitcoins is happening is with individuals who accept MoneyPak for payment when selling bitcoins person-to-person and are small enough to operate below Green Dot's radar. The person that accepts MoneyPak then uses it to load a PayPal account or to add funds to a reloadable debit card. Cashing out your bitcoins to MoneyPak is not a problem, and there are a couple of commercial services which offer this:
- http://www.BTCPak.com
- http://www.FastCash4Bitcoins.com
MoneyPak is a bearer instrument -- anyone who knows the code can spend it. There are a few ways these MoneyPak codes can end up in the hands of thieves and criminal hackers who then trade them for bitcoins. The thief might even provide what seems to be a valid MoneyPak code, and the person selling bitcoins might see the funds loaded into the PayPal account or wherever the code was used, but then later the funds are reversed after the rightful owner of the code reports theft. To regain access to the funds, the person that accepted the MoneyPak needs to provide to Green Dot a copy of the receipt used to purchase the MoneyPak, using cash. Even with that, if there is someone else with the same receipt reporting the theft, that person would likely lose the dispute, as the other person was actually the party that bought the MoneyPak from the store. So it comes down to ... you are offering a payment method that is reversible and is frequently used to defraud. Do you already have a trust history perhaps?
The #bitcoin-otc Web of Trust (WoT) will show trust history of a trader. If a person is considering trading bitcoins for someone else's MoneyPak, that person's trust history might help to determine the level of risk -- but even then, proceed with caution.
Last Price will be set to that calculated according to the contract specification,
And the BUZ2 contract shows:
Settlement: Positions are settled based on the volume weighted average rate of USD/BTC on the exchange with the most average monthly volume (for the month of contract settlement) during the contract settlement day by transferring variation margin between contract holders.
- https://icbit.se/BUZ2
So if Mt. Gox remains as the largest market, the "Last Price" would be the 24-hour volume weighted average price (VWAP) from Mt. Gox on Dec 15, 2012. (I'm assuming that is 24-hour VWAP .. the BUZ contract is ambiguous as to which time period.) I'm having a little trouble figuring out a few details.
The resulting price is written in your "Balances" window,
Also, after clearing at 20:00 GMT everyday, if you have open positions, a variation margin is transferred depending on the market price to your account
I'm trying to learn the calculation for variation margin, specifically which prices it uses. The contract shows:
Variation margin is calculated as follows: VM = (1/PriceClose - 1/PriceOpen) * W/R;
- https://icbit.se/BUZ2
From that I see the two variables, PriceOpen and PriceClose. I'm assuming PriceOpen is the "Exec(ution) Price" shown in my balance? And where does that come from? I read:
"execution price" for this position will be set to the price of the last clearing.
Let's say today I don't yet have a position open and I buy one contract at $13.20. Does the price used for "Exec(ution) Price" then show the same as if I had already held the position opened a previous day? (i.e., set from the last 20:00 GMT clearing?) If so, is there a way for me to know what this last clearing price will be without me already having a position open?
This is an old thread but there was a question asked of great importance and I don't see that it was answered: It's a start, but security for a financial institution takes a whole lot more than an automated test. You need to think about things like managing an offline wallet, physical security for that wallet and for your servers, and background checks for employees.
Jim, Agree with you 100% - Coming from a corporate background we consider what you mentioned essential for security. Our servers are housed in a physically secured data-center designed to survive F3 category tornadoes (if I am not mistaken), and have connectivity with three telco backbones. There are two Caterpillar diesel generators for extended power outages. We have identified primary and secondary owners for Wallet, and only these two people have access to it.
The question specifically asks about managing an offline wallet. The response is ambiguous and uses "wallet" singular and "it" when referring to "wallet", so that is nowhere near to being an assertion that customers' bitcoin funds are held in cold storage. There was a recent post pointing to the site's FAQ, but that FAQ doesn't address the use of a cold wallet either.
CampBX has been operating securely without incident for over a year now. I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance
I wish this specific question and others had been asked of a competing U.S.-based bitcoin exchange, as thousands of bitcoins would still be with their rightful owners: once they had discovered that no cold storage was being used by that exchange, things would have been different. So, I'm submitting these questions, looking first specifically for the answer to:
- Does Camp BX use cold storage (an offline wallet that cannot be accessed should the exchange's service become compromised)?
If so, then there are other questions:
- Is there a target as to how much of customers' funds are kept in cold storage? (e.g., percent of total, or perhaps relative to recent withdrawal requirements)?
- Do new deposits go to cold storage? (If the hot wallet is compromised, new deposits made (e.g., automated payouts by mining pools) would still be secure.)
- Does the offline wallet where the cold storage resides remain protected due to an "air gap" (no access to it electronically, not connected to the network)?
And I have other questions that I'd like to know the answers to:
- Does CampBX maintain full reserve? (i.e., Camp BX controls bank accounts with all customer USD funds and controls wallets with 100% of BTC funds. None of these amounts loaned out.)
- Does CampBX maintain offsite backups of its accounts and transactions? If for some reason the exchange's primary account database were lost due to a security breach, what information (and how recent) is still available from backup or archives?
- If there is a security breach and CampBX cannot meet withdrawal requests of its customers, what is the withdrawal preference that Camp BX would follow? Various preferences are:
  - A.) All deposited funds are of equal standing, with bitcoins being valued at their market rate at the time of the loss,
  - B.) Withdrawals of USD funds, if not impacted by the breach, are made available in full to those customers who held a USD balance.
  - Do customer deposits have preference over any other creditor claims? (i.e., a contract stating so, such that they don't become unsecured creditors ending up in the same pool as the landlord for office space and the hosting bill.)
  - or is there some other approach?