Bitcoin Forum
January 29, 2022, 09:46:33 AM *
News: Latest Bitcoin Core release: 22.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: Bitfloor status update - September 6, 2012  (Read 7666 times)
miscreanity
Legendary
*
Offline Offline

Activity: 1316
Merit: 1005


View Profile
September 07, 2012, 03:37:43 AM
 #21

It's a good idea to allow them to be traded for bitcoin but it would require adding a lot of new functionality to bitfloor, since there would be 3 currencies: USD, BTC, and BTC IOU's. Roman probably doesn't have time for that...

A solution of making BTC holders whole might best be solved by providing bonds in exchange for the losses.
1643449593
Hero Member
*
Offline Offline

Posts: 1643449593

View Profile Personal Message (Offline)

Ignore
1643449593
Reply with quote  #2

1643449593
Report to moderator
1643449593
Hero Member
*
Offline Offline

Posts: 1643449593

View Profile Personal Message (Offline)

Ignore
1643449593
Reply with quote  #2

1643449593
Report to moderator
1643449593
Hero Member
*
Offline Offline

Posts: 1643449593

View Profile Personal Message (Offline)

Ignore
1643449593
Reply with quote  #2

1643449593
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
mufa23
Legendary
*
Offline Offline

Activity: 1022
Merit: 1001


I'd fight Gandhi.


View Profile
September 07, 2012, 05:09:54 AM
 #22

Thanks for opening the website so we could withdraw our USD. I have got all my funds back now. I appreciate this. Money is really tight for me. So the only thing I have lost is one heck of an exchange that I will miss for the time being.

I really hope Bitfloor can launch again. I enjoyed it MUCH more then MtGox. I wish you the best, and hope to use your service again in the future.

Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
jojo69
Legendary
*
Offline Offline

Activity: 2352
Merit: 3132


1/21000000 , the only math you need to know


View Profile
September 07, 2012, 06:24:43 AM
 #23

A question I thought was serious from the other thread;

What of those who deposited BTC, either manually or automated, after the hack?  There was, as far as I have heard, no email notification, and the website message was ambiguous.

Starting a thread on this forum is not exactly a high standard of damage control for your users.

This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable.
Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1003


View Profile
September 07, 2012, 07:08:05 AM
 #24

Starting a thread on this forum is not exactly a high standard of damage control for your users.

There is an Important Announcements forum board.  A thread for this issue was (eventually) created there:
 - http://bitcointalk.org/index.php?board=87.0


Some people got an e-mail initially ... though it was only saying API keys might have been compromised.  It even said "No accounts were compromised financially nor was there any access to coins or any funds. Our system are separated to protect against this.":

 - http://bitcointalk.org/index.php?topic=105079.msg1159003#msg1159003

There was then many hours that passed before the "bitfloor needs your help!" forum post.

The normal procedure for using a hosted (shared) EWallet is to create a new deposit address before each transfer.

Anyone not doing that but instead is re-using a BitFloor deposit address is probably a miner or for receiving some other type of withdrawal.  If BitFloor was offline, then there was no was no way to obtain a new Bitcoin deposit address.   If it was a miner payout, the upside was that the amount sent was probably not all that much (e.g., just hit the payout threshold).

Of course, the best course of action would have been for BitFloor to send an E-mail to all users immediately when it was ascertained that there had been a compromise -- and included explicit instruction to no longer deposit funds and to halt any automated transfers.

After the Linode outage a few days earlier which took BitFloor down, written was:

Going forward I will be looking at using multiple data center locations and/or a separate status page to indicate the current situation and not keep you (our users) in the dark about what is going on.

But that had not been implemented yet.

If you wish to have automated transfers to a static bitcoin address then the most secure solution is likely to have it be an address that you control.  Creating a paper bitcoin and using that for your mining payouts or dividends or whatever is a good approach.  Then when you want to spend using those funds, you simply scan the QR code and spend then (e.g., on Blockchain.info/wallet - import function).

 - http://www.BitAddress.org

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


rb2k
Member
**
Offline Offline

Activity: 109
Merit: 10


View Profile
September 07, 2012, 07:53:55 AM
 #25

What are the options for us non-US folks that ACH doesn't apply to.
I'd love to be able to get e.g. a mtgox code or something.

Any ETA on when we'll have options available?
shtylman
Sr. Member
****
Offline Offline

Activity: 243
Merit: 250



View Profile
September 07, 2012, 08:13:38 AM
 #26

What are the options for us non-US folks that ACH doesn't apply to.
I'd love to be able to get e.g. a mtgox code or something.

Any ETA on when we'll have options available?

International users can request a wire transfer. I will not be giving out MtGox codes. ACH and Wire are the only options for USD withdrawal.
rb2k
Member
**
Offline Offline

Activity: 109
Merit: 10


View Profile
September 07, 2012, 08:15:31 AM
 #27

International users can request a wire transfer. I will not be giving out MtGox codes. ACH and Wire are the only options for USD withdrawal.

What's the fee for those? I only have 9 usd in the account. For international wire transfers usually eat that for breakfest Wink
shtylman
Sr. Member
****
Offline Offline

Activity: 243
Merit: 250



View Profile
September 07, 2012, 08:16:57 AM
 #28

International users can request a wire transfer. I will not be giving out MtGox codes. ACH and Wire are the only options for USD withdrawal.

What's the fee for those? I only have 9 usd in the account. For international wire transfers usually eat that for breakfest Wink

The fees as the same as before.

ACH is free. Wire $15.
rjbtc
Member
**
Offline Offline

Activity: 69
Merit: 10


View Profile
September 07, 2012, 12:38:56 PM
 #29

International users can request a wire transfer. I will not be giving out MtGox codes. ACH and Wire are the only options for USD withdrawal.

What's the fee for those? I only have 9 usd in the account. For international wire transfers usually eat that for breakfest Wink

You could have the USD deposited to a US account with ACH and have them send you $9 worth of BTC?  If you needed the $9 badly enough that is.

BTC: 1AYWtqieXoQZnuT4iEk6MDEXBkdVd5BykN
rb2k
Member
**
Offline Offline

Activity: 109
Merit: 10


View Profile
September 07, 2012, 12:43:23 PM
 #30

Nah, I'll just wait until I can get the money in bitcoins at some point in the future Smiley
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1020


Gerald Davis


View Profile
September 07, 2012, 01:04:59 PM
Last edit: September 07, 2012, 01:43:21 PM by DeathAndTaxes
 #31

A question I thought was serious from the other thread;

What of those who deposited BTC, either manually or automated, after the hack?  There was, as far as I have heard, no email notification, and the website message was ambiguous.

Starting a thread on this forum is not exactly a high standard of damage control for your users.

I think after ever incident "we" as a community of service providers can learn.  These are IMHO very good questions and ones that we have been discussing inside our own company.  Far too often this forum is used as the sole communication mechanism to the customer base.  Some ideas we have been brainstorming, a good starting point for a discussion I think (feel free to add details and more bullet points).

In a hack (or failed hack or suspected hack in progress):
  • The service should be halted.  This includes immediate deletion of all hot wallets and in the case of encrypted databases immediate destruction of host encryption key.  Obviously both of these should be available in offline form.
  • If there is no loss of control of the server the site should be replaced with a static page indicating in general terms the issue and warning users not to deposit coins.  This page likely should be pre-created and have an offline backup as time is of the essence in any hack or attack.
  • If there is a loss of control of the server, the server should be taken completely offline (hard power switch at datacenter if necessary). One idea would be to have a status.domainname.com site on another server (probably a low powered VPS in a different hosting provider).  It would at least provide partial communication.  Nameserver change could redirect traffic to the status server although that change will take time to propogate.
  • If the service uses social media those could be used to communicate with users.
  • All registered users should receive an email with similar information.  User email list should be stored off site in a fast accessible form in the event that access to server or database is lost.  The mass email should be tested before needed to ensure it won't get caught by spam filters.
  • If cellphone numbers are available users should receive a text notification & warning.
  • Moderators of bitcointalk should be notified so an "Important News" thread can be created.

I would point out that the scenario you described above is exactly why a cold wallet should be used.  If hot wallet is also used "incoming client addresses" should always be directed to the cold wallet.  The hot wallet is then only filled from the cold wallet. 
joesdc
Newbie
*
Offline Offline

Activity: 21
Merit: 0


View Profile
September 07, 2012, 09:14:59 PM
 #32

Is it just me or was there a part missing from his update about how people owed BTC would be repaid? I'm not sure its a good idea for the community to back someone who can leave unencrypted wallets on the server and when it gets hacked say "oops my bad. Your bitcoins are gone but good news you can deposit more soon and hope I do a better job securing them this time."
unclemantis
Member
**
Offline Offline

Activity: 98
Merit: 10


(:firstbits => "1mantis")


View Profile
September 07, 2012, 11:02:02 PM
 #33

Is it just me or was there a part missing from his update about how people owed BTC would be repaid? I'm not sure its a good idea for the community to back someone who can leave unencrypted wallets on the server and when it gets hacked say "oops my bad. Your bitcoins are gone but good news you can deposit more soon and hope I do a better job securing them this time."

Shit happens.

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
SgtSpike
Legendary
*
Offline Offline

Activity: 1386
Merit: 1003



View Profile
September 07, 2012, 11:03:39 PM
 #34

Is it just me or was there a part missing from his update about how people owed BTC would be repaid? I'm not sure its a good idea for the community to back someone who can leave unencrypted wallets on the server and when it gets hacked say "oops my bad. Your bitcoins are gone but good news you can deposit more soon and hope I do a better job securing them this time."

Shit happens.
You weren't saying that back when it was your money on the line too...
greyhawk
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1004


View Profile
September 08, 2012, 01:44:42 AM
 #35

Is it just me or was there a part missing from his update about how people owed BTC would be repaid? I'm not sure its a good idea for the community to back someone who can leave unencrypted wallets on the server and when it gets hacked say "oops my bad. Your bitcoins are gone but good news you can deposit more soon and hope I do a better job securing them this time."

Shit happens.
You weren't saying that back when it was your money on the line too...

"Fuck you, got mine!" - The Bitcoiner's Creed
crazy_rabbit
Legendary
*
Offline Offline

Activity: 1204
Merit: 1001


RUM AND CARROTS: A PIRATE LIFE FOR ME


View Profile
September 08, 2012, 10:13:27 AM
 #36

A question I thought was serious from the other thread;

What of those who deposited BTC, either manually or automated, after the hack?  There was, as far as I have heard, no email notification, and the website message was ambiguous.

Starting a thread on this forum is not exactly a high standard of damage control for your users.

I think after ever incident "we" as a community of service providers can learn.  These are IMHO very good questions and ones that we have been discussing inside our own company.  Far too often this forum is used as the sole communication mechanism to the customer base.  Some ideas we have been brainstorming, a good starting point for a discussion I think (feel free to add details and more bullet points).

In a hack (or failed hack or suspected hack in progress):
  • The service should be halted.  This includes immediate deletion of all hot wallets and in the case of encrypted databases immediate destruction of host encryption key.  Obviously both of these should be available in offline form.
  • If there is no loss of control of the server the site should be replaced with a static page indicating in general terms the issue and warning users not to deposit coins.  This page likely should be pre-created and have an offline backup as time is of the essence in any hack or attack.
  • If there is a loss of control of the server, the server should be taken completely offline (hard power switch at datacenter if necessary). One idea would be to have a status.domainname.com site on another server (probably a low powered VPS in a different hosting provider).  It would at least provide partial communication.  Nameserver change could redirect traffic to the status server although that change will take time to propogate.
  • If the service uses social media those could be used to communicate with users.
  • All registered users should receive an email with similar information.  User email list should be stored off site in a fast accessible form in the event that access to server or database is lost.  The mass email should be tested before needed to ensure it won't get caught by spam filters.
  • If cellphone numbers are available users should receive a text notification & warning.
  • Moderators of bitcointalk should be notified so an "Important News" thread can be created.

I would point out that the scenario you described above is exactly why a cold wallet should be used.  If hot wallet is also used "incoming client addresses" should always be directed to the cold wallet.  The hot wallet is then only filled from the cold wallet. 

What if the wallet we kept on some sort of special purpose Wallet device? Something like a powerful microcontroller that was not running an operating system but rather had a specific implementation for controlling it. What if this this microcontroller did thing for example like measure the statistical frequency and amount of withdrawals and limited withdrawals that were outside of the statistical frequency? What if this device were even located somewhere at an IP address that only listens to the ip address of the server and vic versa, or physically located next to the server. What if the access to the 'hot wallet' was controlled through some sort of automated ubi-key type thing?

just musing,
crazy_rabbit

more or less retired.
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
September 08, 2012, 10:41:45 AM
 #37

What if the wallet we kept on some sort of special purpose Wallet device? Something like a powerful microcontroller that was not running an operating system but rather had a specific implementation for controlling it. What if this this microcontroller did thing for example like measure the statistical frequency and amount of withdrawals and limited withdrawals that were outside of the statistical frequency? What if this device were even located somewhere at an IP address that only listens to the ip address of the server and vic versa, or physically located next to the server. What if the access to the 'hot wallet' was controlled through some sort of automated ubi-key type thing?
That's exactly how cold wallets are supposed to work. This fancy device you are imagining is commonly referred to as a "computer".

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
jojo69
Legendary
*
Offline Offline

Activity: 2352
Merit: 3132


1/21000000 , the only math you need to know


View Profile
September 08, 2012, 12:39:42 PM
 #38

dry man...dry

This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable.
Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
unclemantis
Member
**
Offline Offline

Activity: 98
Merit: 10


(:firstbits => "1mantis")


View Profile
September 08, 2012, 10:11:23 PM
 #39

Is it just me or was there a part missing from his update about how people owed BTC would be repaid? I'm not sure its a good idea for the community to back someone who can leave unencrypted wallets on the server and when it gets hacked say "oops my bad. Your bitcoins are gone but good news you can deposit more soon and hope I do a better job securing them this time."

Shit happens.
You weren't saying that back when it was your money on the line too...

I did say I was sorry. Damn. Forgive me not.

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!