bitfloor needs your help!

[shtylman]

I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.

So basically, BTC withdrawals will be delayed until you have the funds to pay for them?  Or both BTC and USD withdrawals (after you allow whoever wants to withdraw via ACH to do so)?  What if I trade for USD (once you re-enable trading), then request an ACH withdrawal?

The BTC are gone but I have records of how much each person had at the time of the theft. Once trading resumes you will be free to deposit new BTC and trade those for USD.

[vampire]

shtylman, where physically are you for service of process?

https://bitfloor.com/about

Mailing Address
Bitfloor Inc.
27-29 W 60th St. #21053
New York, NY 10023

Roman recently had traveled or moved possibly out of the country (London ?). 

The address is USPS PO Box. Roman went for the conference to london?

[runeks]

Dammit! I'm sorry to hear this shtylman. I really had high hopes for bitfloor as well. The user interface is by far the best of any exchange I've seen.

I really hope you will release more information about how the attack was carried out. At least tell us what you know. Exchange security will never improve if we don't know how these hackers get in. Based on the number of exchanges that have been compromised, I assume that the attacks aren't terribly advanced. I mean, not via the sort of vulnerabilities that go for $100k on the black market and take months to discover. It would really help to know if it's SQL injection or an Apache/nginx vulnerability or something else.

[Otoh]

I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.

wow, sounds like he's found an angel backer, maybe it's the hacker, at least that would help sort out basic security issues as he wouldn't want anyone else running off with his new golden goose

[Stephen Gornick]

shtylman, where physically are you for service of process?

https://bitfloor.com/about

Mailing Address
Bitfloor Inc.
27-29 W 60th St. #21053
New York, NY 10023

Roman recently had traveled or moved possibly out of the country (London ?). 

The address is USPS PO Box. Roman went for the conference to london?

He's been there since July at least:

 - http://bitcointalk.org/index.php?topic=94975.0

Related thread:

 - http://bitcointalk.org/index.php?topic=93655.0

[EnergyVampire]

There is no single solution which meets the needs of every single service provider.  That being said having a hotwallet with 100% of the funds is simply inexcusable.   More than anything else it is sad.   Bitfloor was growing rapidly and was a great source of liquidity outside of MtGox (which is important IMHO).  It is destroyed now and honestly shtylman is better than that.

Agreed.  If Roman really learns as much as possible from this, let others review his security procedures, he can build the most secure exchange out there.  Large withdrawals may not be instant, who cares, at least they are safe.  If I deposit 1000 BTC with him, I want to trade it, not withdraw it back out immediately.

+1 I agree with BitPay(Tony?)

On another note, it might be possible to raise funds with a bond or equity (preferred shares, maybe?) issue. Not sure about the legality, regardless BitFloor will absorb the lost coins but at least your customers will be satisfied imo.

[DeathAndTaxes]

Dammit! I'm sorry to hear this shtylman. I really had high hopes for bitfloor as well. The user interface is by far the best of any exchange I've seen.

I really hope you will release more information about how the attack was carried out. At least tell us what you know. Exchange security will never improve if we don't know how these hackers get in. Based on the number of exchanges that have been compromised, I assume that the attacks aren't terribly advanced. I mean, not via the sort of vulnerabilities that go for $100k on the black market and take months to discover. It would really help to know if it's SQL injection or an Apache/nginx vulnerability or something else.

This I would be willing to donate towards a fund for the victims if detailed information on the attack as well as post-attack analysis and mitigating steps were provided.   I hope I am not the only one.  It could improve the security of other exchanges and service providers.

[gllen]

Man, that's really too bad.

I've been nothing but impressed by bitfloor; from the video interview, to the github code, to the API and testnet, BF seems like one of the best implemented exchanges out there.

63k BTC (30 day volume) = 3.15k fees (converted to BTC)?

Maybe a dumb idea, but you could offer trade-able bonds to the current BTC balance holders, with a 12-24 month term, and a generous (but achievable) rate.


Edit: 0.3% fees = 189 BTC gross. My math above is way off 

[ErnestoJuarell]

I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.

So basically, BTC withdrawals will be delayed until you have the funds to pay for them?  Or both BTC and USD withdrawals (after you allow whoever wants to withdraw via ACH to do so)?  What if I trade for USD (once you re-enable trading), then request an ACH withdrawal?

The BTC are gone but I have records of how much each person had at the time of the theft. Once trading resumes you will be free to deposit new BTC and trade those for USD.

Was the box holding the records compromised? How can you be sure the hacker didn't mess with the figures. Do you have offline backups to compare to to look for something fishy?

[LoweryCBS]

I'd buy Bitfloor-issued bonds. Or even Bitfloor stock.

Man, that's really too bad.

I've been nothing but impressed by bitfloor; from the video interview, to the github code, to the API and testnet, BF seems like one of the best implemented exchanges out there.

63k BTC (30 day volume) = 3.15k fees (converted to BTC)?

Maybe a dumb idea, but you could offer trade-able bonds to the current BTC balance holders, with a 12-24 month term, and a generous (but achievable) rate.

[DeathAndTaxes]

I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.

wow, sounds like he's found an angel backer, maybe it's the hacker, at least that would help sort out basic security issues as he wouldn't want anyone else running off with his new golden goose

What makes you think that.

"repaying BTC losses using the proceeds from fees".

[ErebusBat]

Replace word "bitcoins" by "potatoes" and any judge will figure out on the spot what to do.

Potatoes aren't a digital construct thinly traded only on unregulated exchanges.  I do agree that Bitcoin will need to be regulated eventually.  It simply can't co-exist with fiat currencies without definition.  However that day isn't today.

Of course. However, potatoes have value, they can be stolen too. Imagine a commodity exchange where you can deposit bags of potatoes that you and other customers have "farmed". Those potatoes can be sent to the exchange as well as fiat money (legal tender btw). Someone have stolen all the potatoes, exchange goes BK... Effectively a judge has only two choices:

1. Distribute all fiat back to depositors and leave potato sellers to hold the bag (an empty potato bag no less).
2. Value all the lost potato deposits in fiat, distribute whatever fiat left proportionally.

I bet it will be 2.

* ErebusBat steals the idea and runs off to create Potatoe-ville for facebook.

[BitPay Business Solutions]

+1 I agree with BitPay(Tony?)

On another note, it might be possible to raise funds with a bond or equity (preferred shares, maybe?) issue. Not sure about the legality, regardless BitFloor will absorb the lost coins but at least your customers will be satisfied imo.

Yes that's me.

Multiple options are being considered.  First and foremost, Roman needs a written security plan.  This is just processes and procedures, not passwords.

Beyond that, I have given Roman some ideas on how he can restart or rebuild Bitfloor stronger, but I will wait for him to review and circulate those ideas himself.  Taking outside investment capital is not out of the question.  He has the best technology of any exchange, and that is worth something to people looking to invest in this area.  He also needs to learn from this and have the best security of any exchange.

[Stephen Gornick]

I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.

Who will cooperate in filing an injunction?

Unless an injunction is filed, there is about a quarter million USD worth of customer funds from BTC balances that are going to disappear as Roman is out of the country and he has announced plans to process USD withdrawals.  i.e., those USDs are going to be leaving the BitFloor bank accounts very soon unless action is taken.

At least with an injunction, cents on the dollar (at the same level as USD depositors get) would be returned on those BTC balances.

Personally I don't have enough bitcoins with BitFloor to warrant me pursuing this myself.  

I would be surprised that nobody else cares though.

[Otoh]

I have put the website back online for users who have USD to request a withdrawal via ACH. If you choose to leave your USD funds in the account they will be available for trading once it resumes. I hope to resume trading later in the week.

If you had outstanding orders they have all been cancelled.

Once trading resumes, I hope to be able to start repaying BTC losses using the proceeds from fees. More information about this will be provided later.

wow, sounds like he's found an angel backer, maybe it's the hacker, at least that would help sort out basic security issues as he wouldn't want anyone else running off with his new golden goose

What makes you think that.

"repaying BTC losses using the proceeds from fees".

Well I hope he has found one or at least enough interest to expect one otherwise it would take forever to pay back from fees - I just don't think that would be realistic without someone buying in to the company

[BitPay Business Solutions]

Personally didn't have enough bitcoins with BitFloor to warrant me pursuing this myself.  

I would be surprised that nobody else cares though.

Technically you are correct.  However I can verify that Roman is in regular contact with his largest depositors, and while I cannot speak for all of them, I do believe this will be resolved without a bankruptcy.  give the guy a chance to make some calls and look at his options to bring in capital.

[muyuu]

Knowing that they had an unencrypted wallet somewhere with ALL the funds, and ran the whole thing on a Linode VPS despite all past happenings, I find it really hard to consider a potential investment in Bitfloor other than extremely high risk.

It's sad because shtylman sounds like a really nice lad and the interface is well done, but obviously he's punching above his weight with the exchange idea.

Maybe if he hired a team of security experts *cough*  or maybe not...

[Joe200]

Thank you for allowing ACH withdrawals.

Could you please allow trading to resume? Then the people who really want to get out will be able to sell their bitcoins (for a fraction of their price outside of bitfloor). And people who are speculating that things will turn out will be able to buy up those bitcoins and potentially make money.

I think this will reduce the amount of customer discontent.

[greyhawk]

Knowing that they had an unencrypted wallet somewhere with ALL the funds, and ran the whole thing on a Linode VPS despite all past happenings, I find it really hard to consider a potential investment in Bitfloor other than extremely high risk.

This translates to an AA- rating in Harnettopia, so buyer beware

[ErebusBat]

Thank you for allowing ACH withdrawals.

Could you please allow trading to resume? Then the people who really want to get out will be able to sell their bitcoins (for a fraction of their price outside of bitfloor). And people who are speculating that things will turn out will be able to buy up those bitcoins and potentially make money.

I think this will reduce the amount of customer discontent.

The problem with this is that there isn't enough coins to cover all (any?) withdrawal requests.