uh yeah.. that was exactly my point. They don't care if a BTC is $.01 or $100. The prices are locked to USD and they are going to exchange and spend 20 minutes later.

Your forgetting SR buyers who have been unable to buy anything in a week due to SR outages followed by this mess. Their funds are all tied up in Mt Gox.

SR buyers provide a strong demand because they don't care what the exchange rate is.. they aren't using it as a commodity to day trade like a lot of people on this forum..

.. buy bitcoins using mt gox.. i heart for them..

i would have expected the user with 500k BTC to have come forward by this point..

These types of standards are very generic. They talk about logical/theoretical separation of pieces of data, roles which have access to them, etc. They may mention specific types of attacks but not specific implementation used to defend against them. The standards are then applied to the business by the company and verified by an auditor. Of course, in practice, the auditor likely isn't going to poke holes in the application like hackers around the globe will - he's just going to run some automated tests of known exploits and common obvious mistakes..

Any time there is a database, someone is going to need to have access to it. How do you know that person will protect it 100% without fail? How do you know that if you put enough incentive on the line, that a switch won't flip in their head and turn them into the bad guy? If you are employing/paying people for service on your system, internal breaches are the easiest and most likely, and most difficult to guard against - you can't guess another person's behavior with 100% accuracy.

That is why the various financial computer security standards emphasize use of multiple roles to do any 1 task. For instance, making a code change could require authentication by both a coder and a reviewer. Then you are limiting your possibility of a breach to blatant negligence of multiple parties or collusion.

Anyone that has ever programmed will tell you that giving an accurate estimate of how long a large set of tasks will take is near impossible... and you always end up giving them the most optimistic estimate because you don't want to piss your customer/client/boss/etc off, then the job ends up taking 3 times as long as your worst imaginable estimate.

This explanation reeks of "I'm not telling you something."