Bitcoin Forum
November 10, 2024, 12:27:12 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Why are bitcoin exchange operators so inept?  (Read 4283 times)
Xian01
Legendary
*
Offline Offline

Activity: 1652
Merit: 1067


Christian Antkow


View Profile
September 06, 2012, 06:04:23 PM
 #21

Seems the exchanges that got pwned are textbook demonstrations of the Dunning-Kruger effect.
owdbetts
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile
September 06, 2012, 09:05:35 PM
 #22

The simple answer is because all too often Bitcoin ventures are set up an run by one person, who lacks all the necessary skills.  In some cases that one person is a kid, too.

Realpra
Hero Member
*****
Offline Offline

Activity: 815
Merit: 1000


View Profile
September 06, 2012, 09:15:11 PM
 #23

Well security is pretty hard when you are the hacker Wink

(looking at you Bitcoinica)

Cheap and sexy Bitcoin card/hardware wallet, buy here:
http://BlochsTech.com
Bimmerhead
Legendary
*
Offline Offline

Activity: 1291
Merit: 1000


View Profile
September 06, 2012, 09:18:59 PM
 #24

So where are the auditing and insurance services we seem to need?  Must be an opportunity here for someone who knows about that stuff.
556j
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
September 06, 2012, 11:38:59 PM
 #25

So where are the auditing and insurance services we seem to need?  Must be an opportunity here for someone who knows about that stuff.

No one would insure bitcoin exchanges.
stochastic
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


View Profile
September 07, 2012, 01:34:35 AM
 #26

It's an economic problem. A startup company wants to reduce costs as much as they can. In the case of Bitcoin exchanges, that means forgoing security audits, insurance and bonding in order to get something out now. The users don't notice security problems because these involve back end processes that they never directly engage with. In any event, these startups are paying the price for cutting corners handling other people's money. And the users are paying the price for leaving significant sums of money in an account that has no auditing and no insurance.

Good points, but is seems like some losses occur due to sheer stupidty, for example not having good backup routines for offsite storage, having the majority of coins in cold storage and so on.

Besides, it's hard for users to know whether the 'hack' is because there's actually a break in, or if it's a rogue operator.

That's why you need auditing and insurance. Stupidity happens, that's a fact. But if you have audits to protect against stupidity in the first place and then insurance to pay out if stupidity still occurs, then that solves the problem (for the most part).

In this case, if Bitfloor had a respectable auditor, probably one of the first questions they would ask is: 'where all the Bitcoins are stored?'. If the reply was 'on this unencrypted hard drive over here...' then the auditor catches that problem right away. No process is 100% foolproof, but these exchanges can do a hell of a lot better than what they are doing now which is just skimping on costs and duping customers into making large deposits on their unaudited, uninsured platforms.

Who to hire to audit an unregulated virtual security exchange?  More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?

Introducing constraints to the economy only serves to limit what can be economical.
dissipate
Sr. Member
****
Offline Offline

Activity: 288
Merit: 251


View Profile
September 07, 2012, 02:18:02 AM
 #27

Who to hire to audit an unregulated virtual security exchange?  More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?

That's a good question and I'm not one to answer it because I am not in the security business nor am I in the insurance business. Someone running these exchanges needs to figure out who can audit and insure them though, because I for one will never keep significant sums of BTC in an unaudited, uninsured account. I doubt I am the only one in this camp.

People say that MtGox must be so secure now because they have already been hacked, and to that I reply: how the hell do you know? There is no publicly available security audit data of MtGox's servers (as far as I know). And not only that, there isn't any auditing of the account balances. For all we know they are operating on fractional reserve. User beware!
stochastic
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


View Profile
September 07, 2012, 02:51:40 AM
 #28

Who to hire to audit an unregulated virtual security exchange?  More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?

That's a good question and I'm not one to answer it because I am not in the security business nor am I in the insurance business. Someone running these exchanges needs to figure out who can audit and insure them though, because I for one will never keep significant sums of BTC in an unaudited, uninsured account. I doubt I am the only one in this camp.

People say that MtGox must be so secure now because they have already been hacked, and to that I reply: how the hell do you know? There is no publicly available security audit data of MtGox's servers (as far as I know). And not only that, there isn't any auditing of the account balances. For all we know they are operating on fractional reserve. User beware!

Even with exchanges that say they are audited, I am very skeptical.  Unless that 3rd party operator puts their reputation and money on the line, then I would suggest that their auditing is full of crap.

Introducing constraints to the economy only serves to limit what can be economical.
dissipate
Sr. Member
****
Offline Offline

Activity: 288
Merit: 251


View Profile
September 07, 2012, 02:54:31 AM
 #29

Who to hire to audit an unregulated virtual security exchange?  More importantly, what insurance company is going to insure bitcoins in an unregulated virtual security exchange?

That's a good question and I'm not one to answer it because I am not in the security business nor am I in the insurance business. Someone running these exchanges needs to figure out who can audit and insure them though, because I for one will never keep significant sums of BTC in an unaudited, uninsured account. I doubt I am the only one in this camp.

People say that MtGox must be so secure now because they have already been hacked, and to that I reply: how the hell do you know? There is no publicly available security audit data of MtGox's servers (as far as I know). And not only that, there isn't any auditing of the account balances. For all we know they are operating on fractional reserve. User beware!

Even with exchanges that say they are audited, I am very skeptical.  Unless that 3rd party operator puts their reputation and money on the line, then I would suggest that their auditing is full of crap.

I agree. It would have to be an auditor with a significant reputation to lose. Of course, the same applies to the insurance company.
IveBeenBit
Sr. Member
****
Offline Offline

Activity: 449
Merit: 250



View Profile
September 07, 2012, 03:58:30 AM
 #30

Why are bitcoin exchange operators so inept?

Because, apparently, they can be.

Perhaps if their customers decided they wanted higher security standards for exchanges, we would have vastly more secure exchanges.

One day, after enough suffering, more bitcoiners will acquire enough common sense to start asking these sorts of questions and be willing to pay more for a service that is secure. I can't count the number of times I saw Bitfloor praised for its "low fees." We're talking 0.4% at Bitfloor vs 0.6% for Gox's highest tier. Any difference in fees gets swallowed up within 10 minutes just due to currency volatility.

My feeling is that even among a bunch of libertarians and anarchists, we're so conditioned to letting governments and auditors assume the responsibility of keeping our money safe that we skimp on critical thinking and get all butthurt when shit goes wrong.

Bitfloor's trade volume was always publicly available at bitcoincharts.com. Their trade fees were 0.3% net. How many people even bothered to take out their 4-function calculator and multiply $670,000 x 0.003 to realize that Bitfloor was grossing about $2000/month? Then ask the question: how do they survive after paying for expenses and salary in NEW YORK CITY on $2000/month?

I can understand someone depositing a few hundo to trade and immediately withdraw, but for a person to park thousands of dollars of value to live on that exchange and not ask these simple questions is inexcusable.
dissipate
Sr. Member
****
Offline Offline

Activity: 288
Merit: 251


View Profile
September 07, 2012, 04:05:43 AM
 #31

Why are bitcoin exchange operators so inept?

Because, apparently, they can be.

Perhaps if their customers decided they wanted higher security standards for exchanges, we would have vastly more secure exchanges.

One day, after enough suffering, more bitcoiners will acquire enough common sense to start asking these sorts of questions and be willing to pay more for a service that is secure. I can't count the number of times I saw Bitfloor praised for its "low fees." We're talking 0.4% at Bitfloor vs 0.6% for Gox's highest tier. Any difference in fees gets swallowed up within 10 minutes just due to currency volatility.

My feeling is that even among a bunch of libertarians and anarchists, we're so conditioned to letting governments and auditors assume the responsibility of keeping our money safe that we skimp on critical thinking and get all butthurt when shit goes wrong.

Bitfloor's trade volume was always publicly available at bitcoincharts.com. Their trade fees were 0.3% net. How many people even bothered to take out their 4-function calculator and multiply $670,000 x 0.003 to realize that Bitfloor was grossing about $2000/month? Then ask the question: how do they survive after paying for expenses and salary in NEW YORK CITY on $2000/month?

I can understand someone depositing a few hundo to trade and immediately withdraw, but for a person to park thousands of dollars of value to live on that exchange and not ask these simple questions is inexcusable.

Bingo. That is a very good point. However, if they had funding, it is not necessarily the case that they had to survive on $2000 a month. In any event, looks like this was a case of a race to the bottom. The exchanges can offer lower fees by not having proper auditing and insurance. This looks very tasty to naive Bitcoin traders. And it just keeps on happening over and over. MtGox probably has millions in unaudited and uninsured accounts. Sad.
paulie_w
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


View Profile
September 07, 2012, 04:40:47 AM
 #32

better question:

https://bitcointalk.org/index.php?topic=106316.0
Keyur @ Camp BX
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250



View Profile WWW
September 07, 2012, 07:17:50 PM
 #33

One hack after another...

It's getting quite tiresome.

CampBX has been operating securely without incident for over a year now.  I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance

On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.

Keyur

Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX
eleuthria
Legendary
*
Offline Offline

Activity: 1750
Merit: 1007



View Profile
September 07, 2012, 07:47:04 PM
 #34

One hack after another...

It's getting quite tiresome.

CampBX has been operating securely without incident for over a year now.  I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance

On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.

Keyur


Based on a whois lookup done previously, they're not even on a real server.  They're on a Linode VPS, which means they're on shared hardware in the cheapest datacenters available.

RIP BTC Guild, April 2011 - June 2015
dissipate
Sr. Member
****
Offline Offline

Activity: 288
Merit: 251


View Profile
September 07, 2012, 08:04:59 PM
 #35

One hack after another...

It's getting quite tiresome.

CampBX has been operating securely without incident for over a year now.  I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance

On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.

Keyur


If your security is so good, then you should be able to get 3rd party security and account audits, which would then allow you to get insurance on deposits, right?
SkRRJyTC
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
September 07, 2012, 08:15:04 PM
 #36

One hack after another...

It's getting quite tiresome.

CampBX has been operating securely without incident for over a year now.  I am a data-center guy and not very good at marketing on this forum, but I invite you to check out our security best practices here: https://campbx.com/faq.php#security-compliance

On a sidenote, BitFloor lost power to their servers on 8/31 which tells me that it wasn't hosted at a real data center with redundant power.

Keyur


This looks pretty amazing compared to the lack of information most exchanges give.  Could you put some proof or way for the users to prove these security statements to be true?

Also I couldn't find deposit information, or maybe I just didn't understand, but how would I deposit USD into your exchange and how much would the fees be?
Keyur @ Camp BX
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250



View Profile WWW
September 10, 2012, 05:59:17 PM
 #37

If your security is so good, then you should be able to get 3rd party security and account audits, which would then allow you to get insurance on deposits, right?

We have conducted three independent security audits + black-box pen tests and everything considered Severity 3 and above has been addressed by our programmers and administrator.  Audits are repeated periodically to discover any new vulnerabilities as they emerge.  Results from one of the tests are available on this forum, and a full report was also shared with one of the former-moderators on the forum for peer review.

As things stand today, CampBX has the best chance of obtaining insurance but it will take more than security audits to seal the insurance deal.  


Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX
Keyur @ Camp BX
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250



View Profile WWW
September 10, 2012, 06:01:30 PM
 #38


This looks pretty amazing compared to the lack of information most exchanges give.  Could you put some proof or way for the users to prove these security statements to be true?

Also I couldn't find deposit information, or maybe I just didn't understand, but how would I deposit USD into your exchange and how much would the fees be?

Thank you SkRRJyTC!  Results from one of the audits are available on this forum, and a full report was also shared with one of the former-moderators on the forum for peer review.

We support Dwolla for electronic deposits and multiple methods for paper deposits.



Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
September 10, 2012, 06:05:38 PM
 #39

One hack after another...

It's getting quite tiresome.
Part of it is that the profit margins are very low. A sizable exchange, in its early days, might make $3,000/month. That might hire one part-time security expert so long as you don't spend any money on customer support. Doing this right is very expensive, and exchanges are too uncertain to get the investment capital needed, so they tend to defer security until they can afford it.

We'll do security later.
I couldn't find any breaks in our security.
We'll use shared hosting for now.
We'll use a cold wallet when we have enough funds that we need one.
This works for now, we'll go back and do it right when we have time.

And so on. The rotten core never gets fixed.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Keyur @ Camp BX
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250



View Profile WWW
September 10, 2012, 06:38:25 PM
 #40

One hack after another...

It's getting quite tiresome.
Part of it is that the profit margins are very low. A sizable exchange, in its early days, might make $3,000/month. That might hire one part-time security expert so long as you don't spend any money on customer support. Doing this right is very expensive, and exchanges are too uncertain to get the investment capital needed, so they tend to defer security until they can afford it.

We'll do security later.
I couldn't find any breaks in our security.
We'll use shared hosting for now.
We'll use a cold wallet when we have enough funds that we need one.
This works for now, we'll go back and do it right when we have time.

And so on. The rotten core never gets fixed.


Great point Joel - the margins are razor thin.  It is very difficult to hire proper security resources and make them work for $2-3K per month.

CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US.  And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.


Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!