bitfloor needs your help!

[Shagnasty]

it seems likely that BTC sent in AFTER the hack announcement may be set aside in an eventual settlement

What about the people who don't go here. Shouldn't the site have a warning or an e-mail blast? This is kinda like lets post on bitcointalk and hope everyone knows to go read there before sending or god forbid an automated system since they advertized having api for that very reason.

You are 100% correct, there is still nothing on the website to indicate that it is down for anything other than some trivial maintenance. Relying on your customers to read this thread is insane.

Would have saved me 20 bucks. This morning around 3am it was down and then it was running around 5 am so Ithought it was maintence. I made a deposit request at 5 am. Woke up around 4:30 pm and went to chase and made the deposit. I then checked the site and it was down again with no explanation. I emailed support with no response. Why wouldn't he send an email the minute he learned or thought something was wrong to not deposit money if you haven't done it yet.

[peasant]

I don't understand why no one was emailed. For a situation this serious the forum isn't gonna cut it.

[BkkCoins]

This is so exasperating. It's no wonder Bitcoin is becoming a laughing stock. It's simply not enough to claim the blockchain is safe when every service that people use ends up getting hacked and large sums being lost.

Frankly, if an unencrypted backup of keys was left on the server then the current operators are not worthy of continuing to run the exchange and anyone who places their trust in righting the ship and sailing onwards as if all is ok, is a fool. Is this going to be a payback-over-a-year ordeal or yet another "oops, we were hacked!" type scam. Exactly what is the OP trying to figure out?

I've already stopped putting any funds in any Bitcoin service. It's obvious few of them have a clue how to secure their sites and there is no way to know who does and who doesn't.

[whitslack]

I've already stopped putting any funds in any Bitcoin service. It's obvious few of them have a clue how to secure their sites and there is no way to know who does and who doesn't.

Wrong. There is a way to know. But it requires the code for the entire system, from front end to back end, to be published for public scrutiny. And not just the program code, but the server configs and software versions and everything. In fact, it should be possible for the entire file system of every server to be available via public, read-only, anonymous FTP — minus the one directory containing the private keys and the one directory that holds the database table containing the users' personal information, if such a table exists. There is no reason that the remainder of the systems' contents shouldn't be held out for the light of day to wash over them. Security through obscurity is no security at all. Cryptographic algorithms are secure despite their method of operation being public knowledge. The same should be true of web sites.

[Phinnaeus Gage]

shtylman, where physically are you for service of process?

https://bitfloor.com/about

Mailing Address
Bitfloor Inc.
27-29 W 60th St. #21053
New York, NY 10023

Roman recently had traveled or moved possibly out of the country (London ?). 

The address is USPS PO Box. Roman went for the conference to london?

Pardon me for adding this, but why is it that the last three major hacks involve the words genjix and conference? Just an observation that may, or may not, have relevance.

~Bruno~

[flower1024]

shtylman, where physically are you for service of process?

https://bitfloor.com/about

Mailing Address
Bitfloor Inc.
27-29 W 60th St. #21053
New York, NY 10023

Roman recently had traveled or moved possibly out of the country (London ?). 

The address is USPS PO Box. Roman went for the conference to london?

Pardon me for adding this, but why is it that the last three major hacks involve the words genjix and conference? Just an observation that may, or may not, have relevance.

~Bruno~

please use phantomcircuit for your accusations: much more fun and he deserved it

[thebaron]

This is so exasperating. It's no wonder Bitcoin is becoming a laughing stock. It's simply not enough to claim the blockchain is safe when every service that people use ends up getting hacked and large sums being lost.

I guess it's sort of like the Pirate fiasco, people turned a blind eye to due diligence.

Make sure the bank has a vault before you deposit money in it. If they have nothing to show, your mattress may be a better storage medium.

Someone brought up a great point the other day: since lots of people here never really *earned* the money that their BTC is now worth, they tend to be very careless with where they put them.

[Phinnaeus Gage]

If a bankruptcy is filed and you had $ or BTC at bitfloor, you should be included on the list of creditors, and you'll get periodic mailings about the progress of the matter.

Now we are getting to the really interesting stuff.  If BitFloor does not have any information on how to contact you, how will you get periodic mailings?

If some other legal action is filed, there's a pretty good chance you'll be included as a party, which would mean you'll get copies of filings,

See my question above.

BitFloor has no ID requirement for BTC withdrawals.

I'd just like to point out the importance of Bitfloor consulting an insolvency specialist and not a general lawyer.  You need someone who'll advise you on all of the legal options available and their pros and cons.

Enter Patrick Murck.

[Stephen Gornick]

Well sadly Stephen was misinformed and likely turned a bad situation into a worse one.  His talk of injunctions and criminal activity were simply false.  I am just not certain if it was coming from a place of intentional malfeasance or simple ignorance.

Here:

But once a corporation reaches insolvency, the fiduciary duties that once flowed to equity-holders divert instead to creditors. Again quoting the Delaware Supreme Court, "the corporation's insolvency makes the creditors the principal constituency injured by any fiduciary breaches that diminish the firm's value.

But once the moment of insolvency arrives, as the Delaware Court of Chancery has explained, "the creditors become the enforcement agents of fiduciary duties because the corporation's wallet cannot handle the legal obligations owed." The court continued: "Because, by contract, the creditors have the right to benefit from the firm's operations until they are fully repaid, it is they who have an interest in ensuring that the directors comply with their traditional fiduciary duties of loyalty and care."

 - http://www.faegrebd.com/8365

tl;dr: Things change when your organization becomes insolvent.

I am not a lawyer, but I'm aware that in the U.S., bad things can happen to you as an officer or director if you then take action after establishing insolvency that ends up further harming your creditors -- especially actions which might favor one creditor over another.  Now customer funds are even more sacrosanct.  My argument was that legal counsel should be obtained BEFORE paying out one single dime.

Roman had reopened the site to allow ACH withdrawals so I was making the argument that the only way to stop it was to get an injunction filed.

Personally, I don't have that many BTC involved and have already mentally booked mine as a total write off.  I could see though how Roman might be persuaded because releasing USDs to depositors would mean some people (those with USD balances) would be less pissed off -- though others (those with BTC balances), would be more pissed off.  But an insolvent organization no longer does what is best for the company or for its shareholders and instead is in dire need of legal advice before taking further action.

It looks like that might be what then happened.

[EuSouBitcoin]

Here's a chance for someone to buy part or all of BitFloor. Potential investors include other BTC exchanges, large mining pools, holders of large quantities of BTC and developers of bitcoin and bitcoin related products and services or an angel investor. BitFloor did have a lot of positive characteristics prior to this hack.

[davout]

Here's a chance for someone to buy part or all of BitFloor. Potential investors include other BTC exchanges, large mining pools, holders of large quantities of BTC and developers of bitcoin and bitcoin related products and services or an angel investor. BitFloor did have a lot of positive characteristics prior to this hack.

I don't see an investor buying a business with such a low entry barrier, a quarter million dollar debt, and (AFAIK) no valuable partnerships or financial licenses.

[EuSouBitcoin]

Perhaps one of the large creditors that had a large amount of USD or BTC on BitFloor has some balls and wants to double down. Where's Matthew when you need him

[ashleyconnor]

Bit Flaw 

[repentance]

The story got picked up quickly by Arstechnica, C-Net et all.

[the_thing]

The story got picked up quickly by Arstechnica, C-Net et all.

Bitcoins sold, let's wait for a FUD storm! I expect the price to hit <$8 in next few days.

[muyuu]

Bitfloor Hacked, $250,000 Missing (bitcoinmagazine.net)
http://news.ycombinator.com/item?id=4477376

http://www.reddit.com/r/Bitcoin/comments/zchfn/bitfloor_hacked/

http://arstechnica.com/tech-policy/2012/09/hacker-steals-250k-in-bitcoins-from-online-exchange-bitfloor/

[bitbonga]

The system was connected to from one of our other boxes which was accessed through a virtual console. The wallet box had all public ports blocked but was able to be connected to from a few of the other boxes.

Thanks for confirming.  This is why I prefer no incoming connections allowed on the secure box.  If you must have occasional ssh, you can have it enabled on boot and then login to disable it.  That way you can reboot first if you must login.

How do you solve getting to the secluded bitcoind to command it to sent bitcoins out?

[JoelKatz]

How do you solve getting to the secluded bitcoind to command it to sent bitcoins out?

IMO, the best solution is to walk a request to the box. You can also have the box connect out to a web server that provides it with transfer requests that then just have to be manually approved at the box. The most common transaction will be to move coins to the cold wallet, so all you need is an amount.

[vampire]

How do you solve getting to the secluded bitcoind to command it to sent bitcoins out?

The secluded server will have a payment processor that will access the production database from behind a firewall, verify transactions for fraud and send the payments out.

[davout]

How do you solve getting to the secluded bitcoind to command it to sent bitcoins out?

Polling another box? Connections allowed only from select IPs?