Bitcoin Forum
Author Topic: bitfloor needs your help!  (Read 92305 times)
blakdawg (Member, Activity: 112), September 06, 2012, 05:40:00 AM, #381

"It's too much trouble to talk to the police" sounds pretty hollow next to the loss of $250K of other people's money.

Anyone owed even a single satoshi can file a complaint.   Has anyone?
* Stephen Gornick listens to sound of crickets ...

Time not worth the $20USD I "lost."

Which is why it would make a lot of sense for the person(s) last entrusted with the funds before they were stolen to make the report, and cooperate with the investigation.

It's not going to look very good for Bitfloor if someone else (with a loss big enough to attract attention) makes the first report, and the Bitfloor operators were too busy with other projects to take care of business.

If this were a bike store, and there were a lot of customer bikes in the back room being worked on, and someone picked the lock to the back door and stole all of the customers' bikes, but the bike store owner just shrugged and said "oh, the police never do anything anyway, I'll let someone else call if they really care" then they don't seem like a very trustworthy merchant to me.

The lack of law enforcement involvement in the previous hacks didn't leave me with a very good impression of those exchange operators. Ignoring for a moment the possibility of inside jobs, it's possible that there's one guy/crew doing all of these hacks, and they're going to keep going until they're caught.
BorderBits (Sr. Member, Activity: 256), September 06, 2012, 05:42:19 AM, #382

ha!

http://webcache.googleusercontent.com/search?q=cache:UYt4pj002acJ:https://bitfloor.com/about+&cd=1&hl=en&ct=clnk&gl=us

http://buybitcoin.com/home/contact/

Too funny. 
Rassah (Hero Member, Activity: 1064, Director of Bitcoin100), September 06, 2012, 06:03:53 AM, #383

Same P. O. Box office?

Keyur @ Camp BX (Sr. Member, Activity: 296), September 06, 2012, 06:16:47 AM, #384


Interesting find!  Bruce's mailing list is awfully quiet about this hack.

Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX
BorderBits (Sr. Member, Activity: 256), September 06, 2012, 06:17:10 AM, #385


I haven't read much of this thread -- do people think this Bitfloor guy didn't just rip them off?  It's just all the more funny if he's in cahoots with Bruce Pedo Wagner. 

Edit:  But yes, only the same P.O. Box Office.  Coincidence?  Eh...
markm (Hero Member, Activity: 1148), September 06, 2012, 06:40:25 AM, #386
The only people profiting from bitcoin are hackers. Fuck this shit.

I haven't lost anything yet from bitcoin but it does seem like hackers are just having a field day with it.  As much as everyone hates Mt.Gox because of the cost to put money on there and the loss of anonymity, it seems like they have the best methods on there.  I feel like bit floor should have known better than to have all of their coins in a hot wallet after btc-e and other hacks.  

Exchanges are damned if they do and damned if they don't.  People want the convenience of being able to do instant withdrawals and transfers without any of the risk.

Small Bitcoin services which hold large amounts of other people's BTC are hacker magnets and intruders know that such services are often one or two man operations without capital reserves to invest in infrastructure.  They're soft targets.  Security needs to be baked in from the day a service is created but many Bitcoin services are more concerned about rushing to market than they are about security (they probably tell themselves they'll invest in "proper" security once the profits are rolling in, not realising that a rapidly expanding business often makes little or no profit).

Until Bitcoin service providers lift their game security-wise, people should severely limit the amount of BTC they store on such services.   Bitcoins stored on a service are always at risk.  You accept the risk of them being lost or stolen by leaving them on deposit with a service.

Take a look at Open Transactions and help us make it more accessible to people.

I notice this case is yet another Linode case, is there any reason to think there was any real vulnerability other than the fact of being hosted by a third party instead of being a server physically controlled by the operator of the service?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
markm (Hero Member, Activity: 1148), September 06, 2012, 06:44:07 AM, #387


Sounds like the cold storage was deposited with pirate.
 

That was an obvious idea to jump to right off the bat but seemingly someone has traced some transaction(s) thought to possibly be the thief moving the coins, which would not really be possible if the coins had already been sent to pirate would it?

It is amazing though the clever ways people come up with of making their coins accessible to hackers.

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Bitcoin Oz (Hero Member, Activity: 672, Wat), September 06, 2012, 06:50:01 AM, #388


I haven't read much of this thread -- do people think this Bitfloor guy didn't just rip them off?  It's just all the more funny if he's in cahoots with Bruce Pedo Wagner. 

Edit:  But yes, only the same P.O. Box Office.  Coincidence?  Eh...

Roman was on Bruce's show.

markm (Hero Member, Activity: 1148), September 06, 2012, 06:52:37 AM, #389
I've already stopped putting any funds in any Bitcoin service. It's obvious few of them have a clue how to secure their sites and there is no way to know who does and who doesn't.
Wrong. There is a way to know. But it requires the code for the entire system, from front end to back end, to be published for public scrutiny. And not just the program code, but the server configs and software versions and everything. In fact, it should be possible for the entire file system of every server to be available via public, read-only, anonymous FTP — minus the one directory containing the private keys and the one directory that holds the database table containing the users' personal information, if such a table exists. There is no reason that the remainder of the systems' contents shouldn't be held out for the light of day to wash over them. Security through obscurity is no security at all. Cryptographic algorithms are secure despite their method of operation being public knowledge. The same should be true of web sites.

Please come help us get Open Transactions polished up...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Bitcoin Oz (Hero Member, Activity: 672, Wat), September 06, 2012, 06:56:34 AM, #390


Sounds like the cold storage was deposited with pirate.
 

That was an obvious idea to jump to right off the bat but seemingly someone has traced some transaction(s) thought to possibly be the thief moving the coins, which would not really be possible if the coins had already been sent to pirate would it?

It is amazing though the clever ways people come up with of making their coins accessible to hackers.

-MarkM-



markm (Hero Member, Activity: 1148), September 06, 2012, 06:58:30 AM, #391
Well sadly Stephen was misinformed and likely turned a bad situation into a worse one.  His talk of injunctions and criminal activity were simply false.  I am just not certain if it was coming from a place of intentional malfeasance or simple ignorance.

Here:

Quote
But once a corporation reaches insolvency, the fiduciary duties that once flowed to equity-holders divert instead to creditors. Again quoting the Delaware Supreme Court, "the corporation's insolvency makes the creditors the principal constituency injured by any fiduciary breaches that diminish the firm's value.

Quote
But once the moment of insolvency arrives, as the Delaware Court of Chancery has explained, "the creditors become the enforcement agents of fiduciary duties because the corporation's wallet cannot handle the legal obligations owed." The court continued: "Because, by contract, the creditors have the right to benefit from the firm's operations until they are fully repaid, it is they who have an interest in ensuring that the directors comply with their traditional fiduciary duties of loyalty and care."

 - http://www.faegrebd.com/8365

tl;dr: Things change when your organization becomes insolvent.

I am not a lawyer, but I'm aware that in the U.S., bad things can happen to you as an officer or director if you then take action after establishing insolvency that ends up further harming your creditors -- especially actions which might favor one creditor over another.  Now customer funds are even more sacrosanct.  My argument was that legal counsel should be obtained BEFORE paying out one single dime.

Roman had reopened the site to allow ACH withdrawals so I was making the argument that the only way to stop it was to get an injunction filed.

Personally, I don't have that many BTC involved and have already mentally booked mine as a total write off.  I could see though how Roman might be persuaded because releasing USDs to depositors would mean some people (those with USD balances) would be less pissed off -- though others (those with BTC balances), would be more pissed off.  But an insolvent organization no longer does what is best for the company or for its shareholders and instead is in dire need of legal advice before taking further action.

It looks like that might be what then happened.

I hope to cover this stuff for my Open Transactions server by taking the position that although the tokens representing assets are intended to do so in a non fractional reserve manner, nonetheless the actions of thieves, acts of god, force majeure etc could contrive to force some of those tokens into being fractional (or even zero) reserve; but that each type of token is independent such that loss of dollars to back dollar tokens would cause only those tokens into being less than full reserve, whereas tokens representing assets not lost would remain fully backed.

Not sure how long it would take though for the system to earn itself enough money to have that cast into legally airtight form...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
BorderBits (Sr. Member, Activity: 256), September 06, 2012, 06:59:08 AM, #392


I haven't read much of this thread -- do people think this Bitfloor guy didn't just rip them off?  It's just all the more funny if he's in cahoots with Bruce Pedo Wagner. 

Edit:  But yes, only the same P.O. Box Office.  Coincidence?  Eh...

Also, it's probably completely random, and it's nothing that I know about anyways, but both Bitfloor and Bruce Wagner's multiple phone numbers are in the same prefix (646-580-XXXX), which is run by a small company, BandWidth.com.  There are hundreds of prefixes for the 646 area code, and Bandwidth owns 17 . . . kinda coincidental that Bruce and Bitfloor not only use the same post office for their P.O. box, but also use the same telecom and apparently set up their plans around the same time (assuming that's why the company gave them numbers within the same prefix).  It's like they're in cahoots or something.
BorderBits (Sr. Member, Activity: 256), September 06, 2012, 07:02:48 AM, #393

Quote
Roman was on Bruce's show.

It's kinda clever to advertise and talk up the business before cashing it out.  With his cut, maybe Bruce can finally send the poor guy his $951 in BTC from that other thread now. 
markm (Hero Member, Activity: 1148), September 06, 2012, 07:05:51 AM, #394

It's more the hot wallet I'm trying to understand. It is needed for the exchange to instantly process transactions directed by customers. So there'll always be a kind of command path going from website to wallet, no matter how far away you hide the hot wallet, and we'll have to trust that path we set up ourselves. A good hacker will find that path and command the bitcoind. So there's actually no need to trust our path if we can't trust our website.

Now, of course you can have the hot wallet pull for commands and transactions, but then.. how do you trust the content of those commands and transactions? Because, basically, that is that same public website with input from customers.

If we can't trust the website giving commands into the hot wallet, [edited:]how can we trust that same website to collect and offer the hot wallet valid and intended commands to pull?

The route I am going is to have the customers sign everything using their own private keys.

If a hacker uses their private keys unauthorised that will be totally outside my control and I will have no way even to distinguish between a hacker and the actual customer, since to me the private key is the customer.

This seems nice and safe from my end as service, but admittedly is not going to be very nice for people who let hackers get hold of their private keys.

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
markm (Hero Member, Activity: 1148), September 06, 2012, 07:12:29 AM, #395

If we can't trust the website giving commands into the hot wallet, [edited:]how can we trust that same website to collect and offer the hot wallet valid and intended commands to pull?
You never fully can trust it, but you can make it more difficult for an attacker by having the hot wallet independently check the incoming commands for deviations from normal patterns which could indicate the website has been compromised.

At the cost of requiring more manual human action you can add more safeguards, like requiring customers to pre-register their withdrawal addresses and transferring a list of valid addresses via sneakernet to the hot wallet every 8 hours. Now an attacker can't break into the website and send the hot wallet a command to withdraw all the bitcoins to some arbitrary address because that address won't be on the authorized list.

I am not really convinced that you cannot set up the system to be trustable.

For example if I base sending out of bitcoins on my having received bitcoin-tokens in a certain account, then it looks to me as if the only way I can get those tokens arriving in my account (and thus triggering a send-out-coins request) is if the hacker has the private keys of a user who has bitcoin-tokens. Those tokens in turn could only have arrived there through a properly signed transaction, and the signatures go all the way back to the account that actually issues the tokens. The whole point of all this signing is so the server does not actually have to be trusted...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
markm (Hero Member, Activity: 1148), September 06, 2012, 07:14:19 AM, #396

I've been thinking about a similar method as part of the code for an exchange I'm working on, and it's almost correct other than if somebody has access to your database and knows your rules, they can insert or alter records in the database table that controls your payment processing service.  The solution here would be to have the requests (database records) be nonced & signed.  Preferably with both a server/application private key and a per-user private key derived from the users password.

Please look at Open Transactions system and maybe come help us get it widely deployed...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
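The two posts above (#395's pre-registered withdrawal addresses and pattern checks on the hot wallet side, #396's nonced and signed request records) describe a hot wallet that verifies every withdrawal itself rather than trusting the web tier. The following is an added Python example, not code from the thread or from Open Transactions or any exchange it mentions. It assumes that "signed" can be demonstrated with HMAC over a canonical JSON encoding of the record, that the per-user key is derived from the user's password with PBKDF2, and that the server key, salt, user name and addresses are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed application-level key shared by the web tier and the hot wallet.
# Placeholder only; a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-do-not-reuse"

# Satoshis per BTC; amounts are integers to avoid float rounding.
SATS = 100_000_000

SIGNED_FIELDS = ("user", "address", "amount", "nonce")


def derive_user_key(password: str, salt: bytes) -> bytes:
    """Per-user signing key derived from the password (assumed PBKDF2-SHA256 scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def canonical(record: dict) -> bytes:
    """Deterministic byte encoding of the signed fields, so both sides hash the same thing."""
    return json.dumps({k: record[k] for k in SIGNED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_request(user_id: str, address: str, amount_sats: int, nonce: str, user_key: bytes) -> dict:
    """Build a withdrawal record signed with both the per-user key and the server key."""
    record = {"user": user_id, "address": address, "amount": amount_sats, "nonce": nonce}
    body = canonical(record)
    record["user_sig"] = hmac.new(user_key, body, "sha256").hexdigest()
    record["server_sig"] = hmac.new(SERVER_KEY, body, "sha256").hexdigest()
    return record


@dataclass
class HotWalletVerifier:
    """Hot-wallet-side checks that do not rely on the web tier being honest."""
    user_keys: dict                      # user_id -> derived key used to verify user_sig
    allowlist: dict                      # user_id -> set of pre-registered addresses
    daily_cap_sats: int = 5 * SATS       # crude "deviation from normal pattern" check
    seen_nonces: set = field(default_factory=set)
    spent_today: dict = field(default_factory=dict)

    def check(self, record: dict):
        """Return (accepted, reason). Only an accepted record updates wallet state."""
        if any(k not in record for k in SIGNED_FIELDS):
            return False, "malformed record"
        user_key = self.user_keys.get(record["user"])
        if user_key is None:
            return False, "unknown user"
        body = canonical(record)
        # Signatures first: a row altered in the database no longer matches either MAC.
        expected_server = hmac.new(SERVER_KEY, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected_server, record.get("server_sig", "")):
            return False, "bad server signature"
        # A compromised web tier may hold SERVER_KEY, but not the password-derived user key.
        expected_user = hmac.new(user_key, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected_user, record.get("user_sig", "")):
            return False, "bad user signature"
        # Nonce prevents a captured valid record from being submitted twice.
        if record["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        # Destination must be on the list that was delivered out of band (post #395).
        if record["address"] not in self.allowlist.get(record["user"], set()):
            return False, "address not pre-registered"
        spent = self.spent_today.get(record["user"], 0)
        if spent + record["amount"] > self.daily_cap_sats:
            return False, "exceeds daily pattern cap"
        self.seen_nonces.add(record["nonce"])
        self.spent_today[record["user"]] = spent + record["amount"]
        return True, "ok"


def run_demo() -> dict:
    """Exercise the verifier with constructed data; returns the reason for each case."""
    alice_key = derive_user_key("correct horse battery staple", b"constructed-salt")
    wallet = HotWalletVerifier(user_keys={"alice": alice_key},
                               allowlist={"alice": {"1AliceRegisteredAddr"}})
    results = {}
    good = sign_request("alice", "1AliceRegisteredAddr", 1 * SATS, secrets.token_hex(16), alice_key)
    results["good"] = wallet.check(good)[1]
    results["replay"] = wallet.check(good)[1]                      # same record again
    tampered = dict(good, address="1AttackerAddr")                 # DB row edited after signing
    results["tampered"] = wallet.check(tampered)[1]
    forged = sign_request("alice", "1AliceRegisteredAddr", 1 * SATS,
                          secrets.token_hex(16), b"wrong-user-key")  # web tier has SERVER_KEY only
    results["forged_user_sig"] = wallet.check(forged)[1]
    unlisted = sign_request("alice", "1AttackerAddr", 1 * SATS, secrets.token_hex(16), alice_key)
    results["unlisted"] = wallet.check(unlisted)[1]
    big = sign_request("alice", "1AliceRegisteredAddr", int(4.5 * SATS), secrets.token_hex(16), alice_key)
    results["over_cap"] = wallet.check(big)[1]                     # 1 BTC already spent today
    return results


if __name__ == "__main__":
    for case, reason in run_demo().items():
        print(f"{case:16s} -> {reason}")
```

The check order matters: signature verification comes before any state change, so a rejected record leaves `seen_nonces` and `spent_today` untouched, and the allowlist check still blocks a record that carries both valid signatures but points at an address the customer never registered.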
Shagnasty (Jr. Member, Activity: 59), September 06, 2012, 08:04:27 AM, #397

Why can't someone invent a machine that can be switched on or off to connect to the internet and its only purpose is to be a bitcoin wallet. It can have a little screen that says how many BTC you have. Just connect and it updates and disconnect. And the main thing would be if you needed to send BTC, it would require you to insert some type of key or swipe a card or something.
ErnestoJuarell (Member, Activity: 114, "Do you know what I mean?"), September 06, 2012, 10:00:49 AM, #398


I haven't read much of this thread -- do people think this Bitfloor guy didn't just rip them off?  It's just all the more funny if he's in cahoots with Bruce Pedo Wagner. 

Edit:  But yes, only the same P.O. Box Office.  Coincidence?  Eh...

Also, it's probably completely random, and it's nothing that I know about anyways, but both Bitfloor and Bruce Wagner's multiple phone numbers are in the same prefix (646-580-XXXX), which is run by a small company, BandWidth.com.  There are hundreds of prefixes for the 646 area code, and Bandwidth owns 17 . . . kinda coincidental that Bruce and Bitfloor not only use the same post office for their P.O. box, but also use the same telecom and apparently set up their plans around the same time (assuming that's why the company gave them numbers within the same prefix).  It's like they're in cahoots or something.
It could be a "virtual office".

Stephen Gornick (Hero Member, Activity: 1232), September 06, 2012, 10:09:10 AM, #399

Why can't someone invent a machine that can be switched on or off to connect to the internet and its only purpose is to be a bitcoin wallet. It can have a little screen that says how many BTC you have. Just connect and it updates and disconnect. And the main thing would be if you needed to send BTC, it would require you to insert some type of key or swipe a card or something.

That (offline wallet) is one of the requests on the Raspberry Pi thread:

 - http://bitcointalk.org/index.php?topic=93724.msg1155722#msg1155722

Domrada (Full Member, Activity: 186), September 06, 2012, 12:17:41 PM, #400

I've been thinking about a similar method as part of the code for an exchange I'm working on, and it's almost correct other than if somebody has access to your database and knows your rules, they can insert or alter records in the database table that controls your payment processing service.  The solution here would be to have the requests (database records) be nonced & signed.  Preferably with both a server/application private key and a per-user private key derived from the users password.

Please look at Open Transactions system and maybe come help us get it widely deployed...

-MarkM-


I've been watching the #opentransactions channel and it looks like FT & co. are still working out the bugs. Are you sure it's stable enough to "widely deploy"?