Author Topic: [ANN]First online MPEx brokerage now in public beta  (Read 4871 times)
rini17 (OP)
GO http://bitcointa.lk !!! My new nick: jurov


November 29, 2012, 11:33:34 PM
 #21

I was worried about that.  Quoting that page:

Quote
Warning: This MPExAgent version does not support any authentication! Anyone who has access to the listening port, can freely issue MPEx commands in your name. Try it only behind firewall. Patches to support HTTP authentication (should not be hard to add, twisted supports it) or other means are welcome.

If anyone gets CLI on your box all of your brokerage's shares are pwned.  Only hedge I see against this would be some kind of agreement from MPEx to roll back trades if that situation were to occur.  Do you have such an agreement?

I know what it is lacking and am honest about it, but this is not a big issue. The frontend (webserver) attacker would be able to only trade, not push or withdraw anything (MPExAgent does not support these functions at all). So possible damage for this attack vector is limited. The connection to backend is protected by VPN and backend server itself is highly secured with minimal services running. And it will not stay like this forever, it is being continuously improved. BTW, I am also owner of simpleshell.com, which is running for several years already with minimal maintenance and no major problems, something unheard of for Linux shell server.

CoinBr.com: First online MPEx brokerage launched beta! Easy to use interface and reasonable fees. Charts for MPEx stocks: live.coinbr.com * My Blog *
burnside
November 30, 2012, 12:20:10 AM
 #22

I was worried about that.  Quoting that page:

Quote
Warning: This MPExAgent version does not support any authentication! Anyone who has access to the listening port, can freely issue MPEx commands in your name. Try it only behind firewall. Patches to support HTTP authentication (should not be hard to add, twisted supports it) or other means are welcome.

If anyone gets CLI on your box all of your brokerage's shares are pwned.  Only hedge I see against this would be some kind of agreement from MPEx to roll back trades if that situation were to occur.  Do you have such an agreement?
I know what it is lacking and am honest about it, but this is not a big issue. The frontend (webserver) attacker would be able to only trade, not push or withdraw anything (MPExAgent does not support these functions at all). So possible damage for this attack vector is limited. The connection to backend is protected by VPN and backend server itself is highly secured with minimal services running. And it will not stay like this forever, it is being continuously improved. BTW, I am also owner of simpleshell.com, which is running for several years already with minimal maintenance and no major problems, something unheard of for Linux shell server.

TBH, when I was initially asking, I was kind of hoping you were going to say that you were manually processing the orders.

I'm going to have to disagree with how big an issue it is.  The hacker doesn't have to benefit for it to be a huge blow to CoinBr.  All the hacker has to do is sell off all of your holdings and you're in trouble.  (you have to buy them back at potentially painful prices to cover your users)  A huge part of the problem is that you're not the authority on who owns what, MPEx is.  So any mistakes you make are far harder to fix than if you were running your own exchange where you probably would eat a BTC loss out of the wallet but could easily revert to a previous backup.

For being honest about it, thank you.  I suspect you're going to need to set up your backend to not trust your frontend, maybe the backend can verify orders on a per-user basis using a hash of the user's auth data or something similar?  I see lots of coding in your future.  Wink

Cheers.
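
An added illustration of the suggestion in the post above (not code from CoinBr, MPExAgent or any poster): a backend check that accepts an order only if it carries a MAC keyed from the user's auth data, uses a fresh sequence number, and fits that user's own sub-ledger. The order fields, the `Backend` class, and the premise that the key is derived on the user's machine and enrolled with the backend at signup are assumptions.

```python
import hashlib
import hmac
import json

def derive_order_key(password, salt):
    # Runs on the user's machine; only the derived key is enrolled with the backend.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def order_tag(key, order):
    # MAC over a canonical JSON encoding, so key order cannot change the tag.
    msg = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Backend:
    """Hypothetical gatekeeper between the web frontend and the trading agent."""
    def __init__(self):
        self.keys = {}      # user -> order key, enrolled at signup
        self.shares = {}    # user -> {symbol: quantity}, the broker's own sub-ledger
        self.btc = {}       # user -> spendable balance in satoshi
        self.last_seq = {}  # user -> highest order sequence number accepted

    def enroll(self, user, key, shares, btc=0):
        self.keys[user], self.shares[user] = key, dict(shares)
        self.btc[user], self.last_seq[user] = btc, 0

    def check(self, order, tag):
        """Return (accepted, reason); only accepted orders go on to the agent."""
        if not isinstance(order, dict) or not isinstance(tag, str) or not tag.isascii():
            return False, "malformed"
        user = order.get("user")
        key = self.keys.get(user) if isinstance(user, str) else None
        if key is None:
            return False, "unknown user"
        if not hmac.compare_digest(order_tag(key, order), tag):
            return False, "bad tag"
        seq, side, sym = order.get("seq"), order.get("side"), order.get("symbol")
        qty, price = order.get("qty"), order.get("price")
        if not (all(type(n) is int and n > 0 for n in (seq, qty, price))
                and side in ("BUY", "SELL") and isinstance(sym, str)):
            return False, "malformed"
        if seq <= self.last_seq[user]:
            return False, "replay"
        owned = self.shares[user].get(sym, 0)
        if side == "SELL":
            if qty > owned:
                return False, "exceeds holdings"
            self.shares[user][sym] = owned - qty  # reserved until the exchange confirms
        else:
            if qty * price > self.btc[user]:
                return False, "exceeds balance"
            self.btc[user] -= qty * price
        self.last_seq[user] = seq
        return True, "ok"

def demo():
    # Constructed sample data: users, passphrases, symbol and amounts are made up.
    be = Backend()
    alice = derive_order_key("alice passphrase", b"salt-a")
    be.enroll("alice", alice, {"EXAMPLE": 100})
    be.enroll("bob", derive_order_key("bob passphrase", b"salt-b"), {"EXAMPLE": 500})
    sell = dict(user="alice", seq=1, side="SELL", symbol="EXAMPLE", qty=40, price=1000)
    tag = order_tag(alice, sell)
    over = dict(sell, seq=2, qty=61)
    dump = dict(sell, user="bob", qty=500)  # built on the frontend without bob's key
    return [be.check(sell, tag)[1],                     # genuine order
            be.check(sell, tag)[1],                     # captured order sent again
            be.check(over, order_tag(alice, over))[1],  # more than alice still holds
            be.check(dump, tag)[1],                     # forged order for bob
            be.check(dict(sell, qty=100), tag)[1]]      # alice's order altered in transit
```

If the signing script is served by the same frontend, a compromised frontend can still capture the keys of users who log in afterwards, so this bounds the damage to those users' positions rather than to the whole pooled account.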

burnside
November 30, 2012, 10:26:09 PM
 #23

Quote
[05:05] <jurov> morning
[05:05] <jurov> so, apparently i need to slap "The use of this site is for educational and entertainment purposes only." on coinbr
[05:05] <jurov> to evade accusations that i'm "borderline scammer", eh?
[05:07] <jurov> while the same person says that that to say about myself that i'm a broker, i need some certificate, lol
[05:08] <jurov> oh, and i also need insurance. usagi, you there?
[05:10] <jurov> https://bitcointalk.org/index.php?topic=102181.msg1367797#msg1367797
[05:12] <jurov> so, mircea_popescu, of it all comes that we should get some legal affidavit that that nothing we trade is real.
[05:12] <jurov>  then we can call ourselves "security exchange" and "broker"
[05:15] <jurov> yeah borderline trolling
[05:17] <jurov> and we need  borderline insurance, don't forget Tongue

I don't mind so much that you're not taking this seriously.  Maybe you're in a jurisdiction where you don't have to care?  Fair enough.

Quote
[05:19] <mircea_popescu> mmm
[05:19] <pigeons> just use CPA oh wiat
[05:20] <mircea_popescu> lol mpex has self-issued court immunity
[05:20] <mircea_popescu> if that's not good enough i dunno what is.
[05:20] <jurov> and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] <jurov> only
[05:21] <jurov> oh, can we have this immunity extended to coinbr?
[05:21] <mircea_popescu> no.
[05:21] <mircea_popescu> it's only for white background websites

lol.   Cheesy

Quote
[05:24] <mircea_popescu> the argument is pretty retarded, "your honor, I thought jurov was a broker" "well... did you wire him money ?"
[05:24] <mircea_popescu> "no, he wouldn't take money"
[05:24] <mircea_popescu> "this makes sense"

It's common knowledge that bitcoin is a virtual commodity.  Brokers are not limited to trading cash.  Undecided

Quote
[05:29] <jurov> oh and what if hacker sells all coinbr holdings? https://bitcointalk.org/index.php?topic=118551.msg1367844#msg1367844
[05:30] <jurov> o any mistakes you make are far harder to fix than if you were running your own exchange where you probably would eat a BTC loss out of the wallet but could easily revert to a previous backup.
[05:30] <jurov> i cant even...
[05:31] <jurov> so if i empty btct wallet, they'll just revert to previous backup, and all will be dandy
[05:32] <jurov> why didn't i think of such?
[05:32] <mircea_popescu> this is a bizzare argument
[05:32] <mircea_popescu> seems to me the broker-exchange structure is inherently safer

I thought what I was saying was clear, I'll attempt to re-word it:

(a) If BTC-TC / Cryptostocks / MPEx is compromised people lose the BTC in their wallet on the exchange.  Any securities compromised can be restored by the site admins.
(b) If CoinBr is compromised people lose all their securities.  You claim zero liability, the trades happen on an exchange out of your control, so your clients are just shit out of luck.
(c) Keep in mind, we're talking asset exchanges, NOT currency exchanges.

Doing the math.  Where do you think the larger exposure is?

(a) A few BTC in a wallet?  Or;
(b) A person's entire portfolio of securities?



I'll leave ya be from here on out.  I don't think stirring the pot is going to help matters.  Best of luck with your brokerage.   Wink


rini17 (OP)
November 30, 2012, 11:06:14 PM
Last edit: November 30, 2012, 11:18:07 PM by rini17
 #24

Quote
[05:05] <jurov> morning
[05:05] <jurov> so, apparently i need to slap "The use of this site is for educational and entertainment purposes only." on coinbr
[05:05] <jurov> to evade accusations that i'm "borderline scammer", eh?
[05:07] <jurov> while the same person says that that to say about myself that i'm a broker, i need some certificate, lol
[05:08] <jurov> oh, and i also need insurance. usagi, you there?
[05:10] <jurov> https://bitcointalk.org/index.php?topic=102181.msg1367797#msg1367797
[05:12] <jurov> so, mircea_popescu, of it all comes that we should get some legal affidavit that that nothing we trade is real.
[05:12] <jurov>  then we can call ourselves "security exchange" and "broker"
[05:15] <jurov> yeah borderline trolling
[05:17] <jurov> and we need  borderline insurance, don't forget Tongue

I don't mind so much that you're not taking this seriously.  Maybe you're in a jurisdiction where you don't have to care?  Fair enough.

This isn't about jurisdiction. Did anyone ever get saved by that lame "for educational purposes only" excuse?

Quote
[05:29] <jurov> oh and what if hacker sells all coinbr holdings? https://bitcointalk.org/index.php?topic=118551.msg1367844#msg1367844
[05:30] <jurov> o any mistakes you make are far harder to fix than if you were running your own exchange where you probably would eat a BTC loss out of the wallet but could easily revert to a previous backup.
[05:30] <jurov> i cant even...
[05:31] <jurov> so if i empty btct wallet, they'll just revert to previous backup, and all will be dandy
[05:32] <jurov> why didn't i think of such?
[05:32] <mircea_popescu> this is a bizzare argument
[05:32] <mircea_popescu> seems to me the broker-exchange structure is inherently safer

I thought what I was saying was clear, I'll attempt to re-word it:

(a) If BTC-TC / Cryptostocks / MPEx is compromised people lose the BTC in their wallet on the exchange.  Any securities compromised can be restored by the site admins.
(b) If CoinBr is compromised people lose all their securities.  You claim zero liability, the trades happen on an exchange out of your control, so your clients are just shit out of luck.
(c) Keep in mind, we're talking asset exchanges, NOT currency exchanges.

Doing the math.  Where do you think the larger exposure is?

(a) A few BTC in a wallet?  Or;
(b) A person's entire portfolio of securities?

I'll leave ya be from here on out.  I don't think stirring the pot is going to help matters.  Best of luck with your brokerage.   Wink

Since the bitcoins can't be withdrawn without hacking also backend server, the portfolio can be rebuilt with small loss, MPEx is liquid enough for that. I am not going to bother MPEx asking to reverse transactions in this case. Maaaybe if the hacker does something utterly stupid like spend everything by buying some options and exercising them worthless, then maybe it will be possible to work together with MPEx to revert the txs, as this would be a much simpler case both for them to undo and for us to prove. We really don't see a need to draw some "what if" agreements with MPEx, rather prefer to focus on doing our stuff right and this will be plugged too, just it takes some time.

burnside
November 30, 2012, 11:36:54 PM
 #25

This isn't about jurisdiction. Did anyone ever get saved by that lame "for educational purposes only" excuse?

That would definitely be very lame, if that were all it was.

Since the bitcoins can't be withdrawn without hacking also backend server, the portfolio can be rebuilt with small loss, MPEx is liquid enough for that. I am not going to bother MPEx asking to reverse transactions in this case. Maaaybe if the hacker does something utterly stupid like spend everything by buying some options and exercising them worthless, then maybe it will be possible to work together with MPEx to revert the txs, as this would be a much simpler case both for them to undo and for us to prove. We really don't see a need to draw some "what if" agreements with MPEx, rather prefer to focus on doing our stuff right and that takes time.

The part in bold applies pretty much across the board.  I think all the exchanges have the wallets on backend boxes.

You're definitely going where no one has gone before.  Hopefully you're a breakthrough success.  Smiley

Cheers.

Bitcoin Oz
November 30, 2012, 11:47:43 PM
Last edit: November 30, 2012, 11:58:23 PM by Bitcoin Oz
 #26

I have one piece of advice for anyone who wants to take it. If your previously "not legit" bitcoin site starts talking about "going legit" you are about to be fucked in the ass.

There is no "going legit" so either start out that way or embrace the dark side.

Quote
[05:20] <jurov> and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] <jurov> only

You should have done that before opening the brokerage.

Because if you do it now and the lawyers tell you it's illegal your clients will be glbse'd

rini17 (OP)
December 01, 2012, 12:57:34 PM
 #27

I have one piece of advice for anyone who wants to take it. If your previously "not legit" bitcoin site starts talking about "going legit" you are about to be fucked in the ass.

There is no "going legit" so either start out that way or embrace the dark side.

Quote
[05:20] <jurov> and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] <jurov> only

You should have done that before opening the brokerage.

Because if you do it now and the lawyers tell you it's illegal your clients will be glbse'd

That whole quoted irc session was me joking and ranting. I knew burnside is in the channel and was curious what he's going to make from it, he decided to stay silent there and instead paste it here.

I'm not going to explain the jokes, just maybe can improve that quote, to make the point clearer:

Quote
<jurov> and I'm going to my doctor tomorrow, to get official acknowledgement that i'm doing imaginary trades only

burnside
December 02, 2012, 12:59:54 AM
 #28

I have one piece of advice for anyone who wants to take it. If your previously "not legit" bitcoin site starts talking about "going legit" you are about to be fucked in the ass.

There is no "going legit" so either start out that way or embrace the dark side.

Quote
[05:20] <jurov> and I'm going to my tax directorate branch tomorrow, to get official acknowledgement that i'm doing imaginary trades
[05:20] <jurov> only

You should have done that before opening the brokerage.

Because if you do it now and the lawyers tell you it's illegal your clients will be glbse'd

That whole quoted irc session was me joking and ranting. I knew burnside is in the channel and was curious what he's going to make from it, he decided to stay silent there and instead paste it here.

I'm not going to explain the jokes, just maybe can improve that quote, to make the point clearer:

Quote
<jurov> and I'm going to my doctor tomorrow, to get official acknowledgement that i'm doing imaginary trades only


Silent = away.  I'm not tethered to IRC.

What difference does it make where you typed it?  It was relevant to this conversation.

Cheers.

rini17 (OP)
December 02, 2012, 03:17:57 AM
 #29

Silent = away.  I'm not tethered to IRC.

What difference does it make where you typed it?  It was relevant to this conversation.

Cheers.
Not much difference. Only that I consider common decency for rants from irc to not be used as kinda evidence elsewhere. But that's my own fault I started them at all.

burnside
December 03, 2012, 07:17:48 AM
Last edit: December 03, 2012, 07:30:09 AM by burnside
 #30

Replying via PM.  We're pretty OT now.

Cheers.

rini17 (OP)
January 01, 2013, 10:44:16 PM
 #31

As we had two outages, and the last one very serious in December, we decided to waive 50% of account management fee for December (0.045 BTC instead of 0.09).

Happy New Year to everyone!

sunnankar
January 03, 2013, 07:41:07 PM
 #32

I suspect you're going to need to set up your backend to not trust your frontend, maybe the backend can verify orders on a per-user basis using a hash of the user's auth data or something similar?  I see lots of coding in your future.  Wink

Yes, I think one of the main issues is the assets being 'titled' in CoinBR's name and not the user's.

Think there is a way to tie the MPEx trade receipt to the public key wallet address provided at signup so the assets are 'titled' to the user? Perhaps have a Blockchain.info type functionality.

rini17 (OP)
January 03, 2013, 10:22:18 PM
 #33

I suspect you're going to need to set up your backend to not trust your frontend, maybe the backend can verify orders on a per-user basis using a hash of the user's auth data or something similar?  I see lots of coding in your future.  Wink

Yes, I think one of the main issues is the assets being 'titled' in CoinBR's name and not the user's.

Think there is a way to tie the MPEx trade receipt to the public key wallet address provided at signup so the assets are 'titled' to the user? Perhaps have a Blockchain.info type functionality.
Can you (or anyone else) please elaborate on how this could be done? I don't use blockchain.info wallet, what function do you have in mind?

AFAIK most we can do is to issue signed account statements to make assets 'titled' in user's name - that's toward the user. Other than that, unlike bitcoins, all assets on mpex account are completely fungible and no sub-account support is planned. Thus, protecting the backend from frontend... hard to do much more than set limits for suspicious behavior. Even if we figure out something better, the details shall remain known to pentesters at most. Did any other exchange publish such details?

btcash
January 11, 2013, 10:45:29 PM
 #34

Like the service but manual deposits and withdrawals are really annoying and make you less trustworthy.
Bugpowder
January 11, 2013, 10:57:34 PM
 #35

Like the service but manual deposits and withdrawals are really annoying and make you less trustworthy.

How many hot wallets need to be stolen before we agree that manual withdrawals are an essential security practice?
MPOE-PR
January 12, 2013, 12:59:20 AM
 #36

Like the service but manual deposits and withdrawals are really annoying and make you less trustworthy.

How many hot wallets need to be stolen before we agree that manual withdrawals are an essential security practice?

A small majority.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
burnside
January 12, 2013, 01:05:58 AM
 #37

I think the manual withdrawals are a good thing for a brokerage to have.  It's one of those things that are great for security.  I wish I could do manual withdrawals on my sites, not enough time in the day unfortunately.

One consideration though.  There should be a backup plan in case anything happens to the broker.

Cheers.
rini17 (OP)
January 17, 2013, 08:27:43 PM
 #38

We have now our own support & discussion board on bitcoinforum: http://www.bitcoinforum.com/coinbr-com/ . Of course, we will keep responding here as well. But we can have our own place there and I really like it, OpenID support for quick registration, live chat, micropayments and other goodies Wink

xeverse
February 05, 2013, 12:46:13 AM
 #39


Naturally we need to be aware of the open interest for every option contract listed.. Please reveal..
rini17 (OP)
February 05, 2013, 01:29:55 AM
 #40

Naturally we need to be aware of the open interest for every option contract listed.. Please reveal..
I don't understand what you mean, can you please explain?
