whitslack
|
|
October 02, 2012, 02:53:26 AM |
|
Crazy number of executions today...
Yeah, I know. I was responsible for several dozen of those.
|
|
|
|
|
shtylman (OP)
|
|
October 02, 2012, 07:54:44 AM |
|
Apologies for the site downtime today. It was caused by a crash on the web and API server. I have brought all services back up and posted about the outage on the bitfloor blog. In the future, serious downtime issues will always be mentioned on the blog.
|
|
|
|
mufa23
Legendary
Offline
Activity: 1022
Merit: 1001
I'd fight Gandhi.
|
|
October 02, 2012, 08:04:57 AM |
|
Sounds good. The recent down times have been getting me worried.
|
Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
|
|
|
shtylman (OP)
|
|
October 02, 2012, 08:42:59 AM |
|
Sounds good. The recent down times have been getting me worried.
Understandable given what has happened in the past. However, I do want to stress that the issues have all been separate incidents and in no way related to any sort of compromise or attack on the servers. As mentioned in the previous post (and per the sentiment expressed by my users), serious server downtime will always be mentioned on our blog as well as our twitter account (@bitfloor) as soon as possible.
|
|
|
|
Otoh
Donator
Legendary
Offline
Activity: 3094
Merit: 1166
|
|
October 02, 2012, 11:04:45 AM Last edit: October 02, 2012, 01:33:57 PM by Otoh |
|
Hi,
It's been 9 days now since I emailed support to apply for ACH withdrawal status to be set up on my account with you, I sent you my full bank account details plus photo of my ID, but so far with no acknowledgment, no reply, no response to my post in your thread asking after this & the ACH has not been enabled on my account as yet.
Copied to your thread & would appreciate an update, thanks.
Otoh
Edit PS - I've just bought 800 coins on Gox that could/might have been done on your exchange otherwise, which would at least have made a few coins for the compensation fund of those who had theirs stolen from you. Just checked - not much Ask volume on BitFloor atm so maybe it would have been just a few unless there was hidden interest waiting for Bids.
|
|
|
|
whitslack
|
|
October 02, 2012, 01:13:39 PM |
|
The outage was due to misbehavior on the server running the website and affected the website and api access.
Thanks for the attempt at transparency, but this is too vague. What was the problem? How did you correct it? You're on the Bitcoin Forum; you can get technical with us. Humor us. We need to want to trust that you know what you're doing.
|
|
|
|
SkRRJyTC
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
October 02, 2012, 01:16:48 PM |
|
Any reasonable way for you to prove these claims? Or some way for users to verify these claims themselves (this would be even better)
..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...
..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...
Please? New security continues to be unverified...
|
|
|
|
fbastage
|
|
October 02, 2012, 02:22:08 PM |
|
serious downtime issues will always be mentioned on the blog.
blog? I can't find any. looked on site, google search, your bitcointalk profile. could you link to it?
|
|
|
|
whitslack
|
|
October 02, 2012, 02:56:06 PM |
|
blog? I can't find any. looked on site, google search, your bitcointalk profile. could you link to it?
Intuitively, it's: http://blog.bitfloor.com/
|
|
|
|
toffoo
|
|
October 02, 2012, 05:39:20 PM |
|
blog? I can't find any. looked on site, google search, your bitcointalk profile. could you link to it?
Intuitively, it's: http://blog.bitfloor.com/
That link actually loads nothing for me (just reloads https://bitfloor.com) but https://blog.bitfloor.com looks like it redirects to: https://plus.google.com/109620439233076225324/posts
... serious server downtime will always be mentioned on our blog as well as our twitter account (@bitfloor) as soon as possible.
You've made two tweets lifetime (one of which being yesterday's ex post facto downtime acknowledgement) and have 11 total followers. Maybe you should actually start using twitter a bit more before we rely on it for downtime announcements.
Hi,
It's been 9 days now since I emailed support to apply for ACH withdrawal status to be set up on my account with you, I sent you my full bank account details plus photo of my ID, but so far with no acknowledgment, no reply, no response to my post in your thread asking after this & the ACH has not been enabled on my account as yet.
Likewise, same deal for me. Waiting...no reply. I would love to continue to support BitFloor's resurrection, but I cannot justify sending any more coins there until I have a verified way to cash out. Come on Roman, your remaining loyal clients and potential new ones are going to need some extra communication and responsiveness to rebuild your credibility after what happened. So what's up?
|
|
|
|
Rassah
Legendary
Offline
Activity: 1680
Merit: 1035
|
|
October 03, 2012, 03:37:20 AM |
|
Bought $5,000 worth of BTC today, and withdrew the BTC without issues. Everything seems to be working ok (I guess aside from some customer support/ACH issues)
|
|
|
|
shtylman (OP)
|
|
October 03, 2012, 04:08:20 AM |
|
Any reasonable way for you to prove these claims? Or some way for users to verify these claims themselves (this would be even better)
..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...
..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...
Please? New security continues to be unverified...
There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains. I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.
|
|
|
|
SkRRJyTC
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
October 03, 2012, 05:05:03 PM |
|
Any reasonable way for you to prove these claims? Or some way for users to verify these claims themselves (this would be even better)
..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...
..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...
Please? New security continues to be unverified...
There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains. I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.
Smarter people could help me out here if I don't know what I'm talking about, but how about these ideas:
In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.
In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of receipt from said data center.
In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly? If they are properly encrypted it shouldn't be an issue and I believe with some crypto hash magic a person should be able to verify their own details are in the backup without others being able to break it.
|
|
|
|
BitcoinForLiberty
Newbie
Offline
Activity: 37
Merit: 0
|
|
October 04, 2012, 03:12:36 PM |
|
Roman,
Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.
|
|
|
|
shtylman (OP)
|
|
October 04, 2012, 03:19:50 PM |
|
Roman,
Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.
It was not frozen but they are closing it (details of which are private). I will be moving to a new cash deposit system which will also include more banks; however the transition will take a few weeks. The new system will continue to allow for free deposits. Apologies for any inconvenience this may cause to anyone using the Chase deposits.
|
|
|
|
jwzguy
|
|
October 04, 2012, 04:57:36 PM |
|
Roman,
Please tell us why Chase deposits into Bitfloor are not available this morning. Makes me wonder if your account was frozen by Chase.
It was not frozen but they are closing it (details of which are private). I will be moving to a new cash deposit system which will also include more banks; however the transition will take a few weeks. The new system will continue to allow for free deposits. Apologies for any inconvenience this may cause to anyone using the Chase deposits.
So Chase deposits are not coming back? The webpage says "Chase deposits are temporarily unavailable." Just curious as it is my main method of deposit.
|
|
|
|
SkRRJyTC
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
October 06, 2012, 07:34:17 PM |
|
Any reasonable way for you to prove these claims? Or some way for users to verify these claims themselves (this would be even better)
..."In reopening, a number of improvements to both the wallet storage and website have been made. Bitfloor aims to be safe and reliable platform and as a result have changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk."...
..."Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US. Bitfloor services are further isolated based on exposure. Testnet and development are not located in the same data center or hosting provider to ensure further isolation. Backups are encrypted and write only on all of the servers. Hot wallet files are encrypted even further and unavailable even with physical access to the disk."...
Please? New security continues to be unverified...
There are no reasonable ways for many of your questions to be verified. The production and testnet separation can be confirmed through a traceroute on the respective domains. I welcome suggestions for reasonable ways in which you believe your requests can be confirmed without compromising user identities, trading activity, or balances.
Smarter people could help me out here if I don't know what I'm talking about, but how about these ideas:
In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.
In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of receipt from said data center.
In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly? If they are properly encrypted it shouldn't be an issue and I believe with some crypto hash magic a person should be able to verify their own details are in the backup without others being able to break it.
Were these bad ideas?
|
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
October 06, 2012, 08:37:06 PM |
|
Smarter people could help me out here if I don't know what I'm talking about, but how about these ideas:
In order to prove "...changed our fund storage policy to 100% offline storage for your funds. Daily transactions through our hot wallet will be backed by Bitfloor funds, never putting client funds at risk." You could sign messages from both the Bitfloor wallet and the customer funds wallet or at least show a picture of what you used to make the offline wallet or the offline wallet itself.
In order to prove "Bitfloor is now running on dedicated servers in a PCI compliant data center based in the US." you could show some sort of receipt from said data center.
In order to prove "Backups are encrypted and write only on all of the servers." why not just host them publicly? If they are properly encrypted it shouldn't be an issue and I believe with some crypto hash magic a person should be able to verify their own details are in the backup without others being able to break it.
Were these bad ideas?
Yes, mostly.
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
2) Shouldn't be too harmful since anyone can verify that themselves with the existing public record.
3) Making them public reduces the effort of a compromise from "breaking into his server, obtaining root access to change permissions on backups, copying backups, finding the password" to "finding the password". Regardless, no amount of crypto "magic" will allow parts of the encrypted data to be read or even verified, so it would be pointless anyway. Hashing and encryption are two very different beasts.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
|
|
October 08, 2012, 07:44:44 AM |
|
1) Making public information about how he created his cold wallet, or how it is stored, or where it is stored reduces his security.
Security through obscurity is not security.
3) Making them public reduces the effort of a compromise from "breaking into his server, obtaining root access to change permissions on backups, copying backups, finding the password" to "finding the password". Regardless, no amount of crypto "magic" will allow parts of the encrypted data to be read or even verified, so it would be pointless anyway. Hashing and encryption are two very different beasts.
Why not? Say you hash the account identifiers (maybe with a per-account secret), pair them with their balance, sum the balances in a nice report. Anyone can verify they are in the balance list, no one can look my balance up, I can check that the sum is consistent with the amount in cold storage. That can also be seen as some sort of backup if properly signed, I'm sure the Bitcoinica folks would have loved to have something like that lying around.
|
|
|
|
|
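The balance report davout describes in the last post above, as an added example that is not part of the original thread and not Bitfloor's code: account identifiers are replaced by an HMAC under a per-account secret, paired with balances and summed. The account names, secrets, balances and function names are constructed for illustration, and the signature over the report that the post mentions is left out.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed sample data: account id -> (per-account secret, balance in BTC).
ACCOUNTS = {
    "alice@example.test": (b"constructed-secret-a", Decimal("12.5")),
    "bob@example.test": (b"constructed-secret-b", Decimal("0.25")),
    "carol@example.test": (b"constructed-secret-c", Decimal("100")),
}

def opaque_id(account_id, secret):
    """HMAC-SHA256 of the account id under its per-account secret."""
    return hmac.new(secret, account_id.encode(), hashlib.sha256).hexdigest()

def _digest(entries, total):
    body = json.dumps({"entries": entries, "total": total}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_report(accounts):
    """Operator side: publishable list of (opaque id, balance) plus the sum."""
    entries = sorted(
        ({"id": opaque_id(a, s), "balance": str(b)} for a, (s, b) in accounts.items()),
        key=lambda e: e["id"],  # sorting hides the database order
    )
    total = str(sum((Decimal(e["balance"]) for e in entries), Decimal(0)))
    return {"entries": entries, "total": total, "digest": _digest(entries, total)}

def verify_own_entry(report, account_id, secret, expected_balance):
    """User side: my entry is present and carries the balance I expect."""
    want = opaque_id(account_id, secret)
    return any(
        hmac.compare_digest(e["id"], want)
        and Decimal(e["balance"]) == Decimal(expected_balance)
        for e in report["entries"]
    )

def verify_total(report, cold_storage_balance):
    """Anyone: report is intact, has no negative entries, adds up, and is covered."""
    balances = [Decimal(e["balance"]) for e in report["entries"]]
    return (
        report["digest"] == _digest(report["entries"], report["total"])
        and all(b >= 0 for b in balances)  # a negative entry would hide liabilities
        and sum(balances, Decimal(0)) == Decimal(report["total"])
        # Assumption: "consistent" means cold storage covers the listed total.
        and Decimal(cold_storage_balance) >= Decimal(report["total"])
    )
```

An omitted account is only detected when that account's owner runs the check, and the published list still exposes the distribution of balances even though the identifiers are opaque.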