[BitFunder] Asset Exchange Marketplace + Rewritable Options Trading

[burnside]

Check the home page on litecoinglobal.com - it clearly states that you convert LTC to LITS to use in the securities exchange game available on the site.

Err.. I am looking at the page right now.. I see things like 'Withdrawal fee of just 0.1 LTC'... when I search the page for 'LITS', chrome gives me 2 results, both in the same line.
"Security Page: Support for splits and reverse splits. (thx osoverflow)"  splits & splits... and no finds for the word convert.

Looking at the main page for btct... again, it is the same... Perhaps Burnside can clarify this a bit more?
It might have been something they decided to remove.
 

Erm. This is how your site responded when I input the incorrect verification code. I didn't bother with a screenshot. The quoted text is what your site responded with when I input the incorrect verification code from email. To be clear, your site responded with the incorrect code I input, and the correct code

The message would have only been displayed to those who's code matched in a lowercase comparison, and only if a code had been generated for the email address within the last 5 minutes for obvious security reasons.

Thanks for that! The issue has been taken care of.

In the future, should you see any problems feel free to use the ticket system that will get someone's attention upon submission.

LTC-GLOBAL used to have verbage that when depositing and withdrawing you were trading your LTC/BTC for LITS/BITS as separate in-game tokens.

However, we had to drop LITS and BITS as currencies internal to the exchanges based on legal advice.  To be considered a separate in-game currency the conversion would need to be one-way.  Obviously we allow withdrawal, so we're stuck with LTC and BTC, which we still consider virtual currency, but a virtual currency outside our direct control much like WoW Gold, or Lindens.  Maybe someday we can go back to LITS and BITS, but it'll take a separate 3rd party setting up an exchange that accepts LITS and BITS tokens to get there.

Cheers.

[1714525128]

1714525128

[1714525128]

1714525128

[1714525128]

1714525128

[1714525128]

1714525128

[burnside]

Sounds good to me.  I'll be the first to admit that I don't completely understand the bitcoin protocol.  I've just skimmed some of the threads where the tracking of transactions is discussed and it's crazy some of the connections they seem to be able to make.

So the asset issuer has access to this public list of addresses.  If the site goes offline how do they contact their shareholders?  I feel like I must be missing a step somewhere.  Do the issuers get a different non-public list that includes more info?

Cheers.

Great question! This gives me an excellent chance to clarify for anyone else who does not get it.

If a person was wanting to hide their identity, they simple generate a new address.
As long as they use this address for the public list, and do not receive or send any bitcoins from this address, it has NO history.

Should a user need to use this (and I sure hope it never happens.) then there are a multitude of ways to provide proof.

1. The user can send a micro transaction of BTC to the issuer, who could return it. (They then have proof of who controls that address.)
(One of the easiest methods to understand.)
2. The user can 'sign' an arbitrary message with their bitcoin address to show proof of control.
http://bitcoin.stackexchange.com/questions/3337/what-are-the-safety-guidelines-for-using-the-sign-message-feature/3339#3339

These two methods alone should be more than enough to be able to show identification.

Appreciate the detail.  I don't think you really answered my question though?

- Exchange goes down.
- Asset issuer wants to contact all of the shareholders.

How does the asset issuer do that?

The MPEx approach is to make a public notice post to a few forums and call it good.  (see the thread on the delisting of the gigamining passthru where they gave 30 day notice via a forum post and an IRC message that it was going to be delisted, then delisted it Dec 1, wiping out bond holders.)

The BTC-TC approach is you take the list of email addresses from the regular BTC-TC email update in your inbox and you email all your shareholders.  (edit: AND then you go make IRC and forum posts.)

What is the BitFunder approach?  Based on your answer above it sounds like it's the "make a forum post" approach?

Hope that clarifies things a bit.

Cheers.

[Ukyo]

Sounds good to me.  I'll be the first to admit that I don't completely understand the bitcoin protocol.  I've just skimmed some of the threads where the tracking of transactions is discussed and it's crazy some of the connections they seem to be able to make.

So the asset issuer has access to this public list of addresses.  If the site goes offline how do they contact their shareholders?  I feel like I must be missing a step somewhere.  Do the issuers get a different non-public list that includes more info?

Cheers.

Great question! This gives me an excellent chance to clarify for anyone else who does not get it.

If a person was wanting to hide their identity, they simple generate a new address.
As long as they use this address for the public list, and do not receive or send any bitcoins from this address, it has NO history.

Should a user need to use this (and I sure hope it never happens.) then there are a multitude of ways to provide proof.

1. The user can send a micro transaction of BTC to the issuer, who could return it. (They then have proof of who controls that address.)
(One of the easiest methods to understand.)
2. The user can 'sign' an arbitrary message with their bitcoin address to show proof of control.
http://bitcoin.stackexchange.com/questions/3337/what-are-the-safety-guidelines-for-using-the-sign-message-feature/3339#3339

These two methods alone should be more than enough to be able to show identification.

Appreciate the detail.  I don't think you really answered my question though?

- Exchange goes down.
- Asset issuer wants to contact all of the shareholders.

How does the asset issuer do that?

The MPEx approach is to make a public notice post to a few forums and call it good.  (see the thread on the delisting of the gigamining passthru where they gave 30 day notice via a forum post and an IRC message that it was going to be delisted, then delisted it Dec 1, wiping out bond holders.)

The BTC-TC approach is you take the list of email addresses from the regular BTC-TC email update in your inbox and you email all your shareholders.  (edit: AND then you go make IRC and forum posts.)

What is the BitFunder approach?  Based on your answer above it sounds like it's the "make a forum post" approach?

Hope that clarifies things a bit.

Cheers.

Ahh, good call. Not all users from my experience (a few) have wanted their personal e-mail addresses made available directly to the issuers. (Esp. with all the scams that have gone around.) Awkward I think, but I have had people tell me this. Some have mentioned that "we have seen proof of how issuers will freely post what some people consider sensitive information".

While the forums system is definitely always an option, there are a few others as well.

Very soon, the issuer profile will be available for viewing, which will be required to have some form of contact outside of the exchange listed.
Granted, most people will not actually want to copy this information down.

I am adding an opt-in setting for users to be able to allow issuers to see their email address. This is to be added with the API updates.

I hope that most people would want to share their address. While much like BTC-TC any newer users that obtained shares since the last time the issuer pulls a list would not be contactable in this method. (Assuming the site is down and all data is unavailable.)

[burnside]

Ahh, good call. Not all users from my experience (a few) have wanted their personal e-mail addresses made available directly to the issuers. (Esp. with all the scams that have gone around.) Awkward I think, but I have had people tell me this. Some have mentioned that "we have seen proof of how issuers will freely post what some people consider sensitive information".

While the forums system is definitely always an option, there are a few others as well.

Very soon, the issuer profile will be available for viewing, which will be required to have some form of contact outside of the exchange listed.
Granted, most people will not actually want to copy this information down.

I am adding an opt-in setting for users to be able to allow issuers to see their email address. This is to be added with the API updates.

I hope that most people would want to share their address. While much like BTC-TC any newer users that obtained shares since the last time the issuer pulls a list would not be contactable in this method. (Assuming the site is down and all data is unavailable.)

I had a similar discussion with MPOE-PR in the first few pages of the BTC-TC thread.  My take on sharing of emails is that disposable emails are almost as easy to come by as disposable BTC addresses.  As long as you disclose up front what you'll be doing with them, you should be in the clear.  Users (hopefully) will be understanding, since it's largely for their protection, and if they really care, they'll use a disposable address.

I agree that no matter what interval you push out the lists, there's a chance that some trades will get missed.  We have an API the issuers can poll for finer grained control.  I know some poll at 5 minute intervals and store it more frequently.  My goal once revenue supports it is to replicate the db out to a separate facility in real-time, where a similar but reduced function site (you log in, you see your asset holders and your portfolio and that's it.) will be able to act as a backup source of the data.

Love the direction you're taking with the transparency.  I think it's going to work out pretty well.

Cheers.

[Ukyo]

I had a similar discussion with MPOE-PR in the first few pages of the BTC-TC thread.  My take on sharing of emails is that disposable emails are almost as easy to come by as disposable BTC addresses.  As long as you disclose up front what you'll be doing with them, you should be in the clear.  Users (hopefully) will be understanding, since it's largely for their protection, and if they really care, they'll use a disposable address.

I agree that no matter what interval you push out the lists, there's a chance that some trades will get missed.  We have an API the issuers can poll for finer grained control.  I know some poll at 5 minute intervals and store it more frequently.  My goal once revenue supports it is to replicate the db out to a separate facility in real-time, where a similar but reduced function site (you log in, you see your asset holders and your portfolio and that's it.) will be able to act as a backup source of the data.

Love the direction you're taking with the transparency.  I think it's going to work out pretty well.

Cheers.

Thanks!
Just a side note related to the thread. BitFunder does have redundant servers in multiple locations all around to help increase load times, as well as for disaster recovery.
Should one location go offline, the others can pick up for it in full force.

[guruvan]

Check the home page on litecoinglobal.com - it clearly states that you convert LTC to LITS to use in the securities exchange game available on the site.

Err.. I am looking at the page right now.. I see things like 'Withdrawal fee of just 0.1 LTC'... when I search the page for 'LITS', chrome gives me 2 results, both in the same line.
"Security Page: Support for splits and reverse splits. (thx osoverflow)"  splits & splits... and no finds for the word convert.

Looking at the main page for btct... again, it is the same... Perhaps Burnside can clarify this a bit more?
It might have been something they decided to remove.
 

Fuck google. Mobile chrome keeps old news in the cache forever, and you have to manually reload the page to get a new one. Totally my browser's bad.

[Ukyo]

Fuck google. Mobile chrome keeps old news in the cache forever, and you have to manually reload the page to get a new one. Totally my browser's bad.

No biggie. It happens to the best of us.

If anyone has any more ideas for BitFunder, please share.
It is a service for the community, so I want it to be what people want. (As best as that can be figured out. )

[Insu Dra]

gj, but seriously cloudflare ? *sigh*

[Ukyo]

gj, but seriously cloudflare ? *sigh*

Yes, unfortunately bitcoin has attracted many script kiddies who are very capable of multi-gigabit attacks.

What problems have you had with CloudFlare?
I use it on many projects, even have 150Gh+ mining pool passing through it with no known problems.
Actually "mining" through it.  

[Insu Dra]

gj, but seriously cloudflare ? *sigh*

Yes, unfortunately bitcoin has attracted many script kiddies who are very capable of multi-gigabit attacks.

What problems have you had with CloudFlare?
I use it on many projects, even have 150Gh+ mining pool passing through it with no known problems.
Actually "mining" through it. 

It's 'The Man' in the middle ...

They break the most fundamental principle of the internet, that is supposed to be 'end-to-end' for privacy, security and stability. From technical point of view nothing that comes out of CloudFlare can be trusted unless you trust them as a centralized entity. It's the perfect solution to a problem but at what 'cost' ? (not talking about money here)

There are other solution unfortunately at this point in time they are not that cost effective. (money wise)

[Ukyo]

gj, but seriously cloudflare ? *sigh*

Yes, unfortunately bitcoin has attracted many script kiddies who are very capable of multi-gigabit attacks.

What problems have you had with CloudFlare?
I use it on many projects, even have 150Gh+ mining pool passing through it with no known problems.
Actually "mining" through it. 

It's 'The Man' in the middle ...

They break the most fundamental principle of the internet, that is supposed to be 'end-to-end' for privacy, security and stability. From technical point of view nothing that comes out of CloudFlare can be trusted unless you trust them as a centralized entity. It's the perfect solution to a problem but at what 'cost' ? (not talking about money here)

There are other solution unfortunately at this point in time they are not that cost effective. (money wise)

Ahh, you can apply that to most any major website you visit these days. Almost all use a CDN service of some brand or another. Banks do it, facebook, etc.

[DiabloD3]

I noticed this wasn't mentioned in the thread yet. DMC is moving to BitFunder.

[Insu Dra]

gj, but seriously cloudflare ? *sigh*

Yes, unfortunately bitcoin has attracted many script kiddies who are very capable of multi-gigabit attacks.

What problems have you had with CloudFlare?
I use it on many projects, even have 150Gh+ mining pool passing through it with no known problems.
Actually "mining" through it.  

It's 'The Man' in the middle ...

They break the most fundamental principle of the internet, that is supposed to be 'end-to-end' for privacy, security and stability. From technical point of view nothing that comes out of CloudFlare can be trusted unless you trust them as a centralized entity. It's the perfect solution to a problem but at what 'cost' ? (not talking about money here)

There are other solution unfortunately at this point in time they are not that cost effective. (money wise)

Ahh, you can apply that to most any major website you visit these days. Almost all use a CDN service of some brand or another. Banks do it, facebook, etc.

What ? Did I just hear lemmings run by ? (sorry could not resist that line)

CDN is not the problem, most banks I know have there own 'Secure' CDN implementation. However CloudFlare and others are not secure, they ether replace your ssl certificate or require your private ssl key to work. (aka they can read and alter content)

As to heavy attacks a good firewall around CDN exit nodes does wonders (personally I pay for support in that department), next step would be to dynamically bind your firewall, dos detection with your name servers to create black holes for unwanted traffic and/or relay legit users to open nodes. (or use cisco to solve that if your in to them)


I’ll leave it at that, all I really meant to say was "Sad to see a other bitcoin related website go for the easy way out and good job, looks like a solid start."

Edit:
------
Having a big mouth without offering a solution is easy so let me just link.

Firewall, Intrusion detection, DDoS: http://www.infoworld.com/node/76855?source=fssr
CDN Setup: The guide works fine but it's just a guide so ... I worked with unixy once, good guy's but expensive. http://blog.unixy.net/2010/07/how-to-build-your-own-cdn-using-bind-geoip-nginx-and-varnish/

[burnside]

It's 'The Man' in the middle ...

They break the most fundamental principle of the internet, that is supposed to be 'end-to-end' for privacy, security and stability. From technical point of view nothing that comes out of CloudFlare can be trusted unless you trust them as a centralized entity. It's the perfect solution to a problem but at what 'cost' ? (not talking about money here)

There are other solution unfortunately at this point in time they are not that cost effective. (money wise)

Ahh, you can apply that to most any major website you visit these days. Almost all use a CDN service of some brand or another. Banks do it, facebook, etc.

For images, sure.  Not so much for actually passing their client's data through.

GLBSE used cloudflare I think.  So I guess if people didn't mind then, they won't mind now.  I won't be using it in my projects though.  I'd rather go offline to a DDoS than risk customer data to a 3rd party.  

Cheers.

[Ukyo]

For images, sure.  Not so much for actually passing their client's data through.

GLBSE used cloudflare I think.  So I guess if people didn't mind then, they won't mind now.  I won't be using it in my projects though.  I'd rather go offline to a DDoS than risk customer data to a 3rd party.  
Cheers.

It is a good thing we are not passing any sensitive data such as SSN's, credit card numbers, addresses across it to BitFunder then.
If you are worried about passwords being sniffed or man in the middle attacked by CloudFlare itself, or any other network hop in between, then
you should be just as worried about who runs the network in Panama where your server is. I think a local ISP (Like the Linode incidents) that
probably has no auditing or accounting of tech actions is FAR more likely to review a customers website, sniff their data, learn what they do,
and possibly attempt steal any valuable information or in this case, bitcoins than a company as large as CloudFlare who does not even have
access to the server's and that could care less about small time websites that never even show up on their radar.

I would not trust any bitcoin related services to be housed where I did not maintain the servers. Then again, with the linode and other incidents,
I don't think people bother to consider things regularly and ask every site about server security. Probably much the same as they are probably
not worried about CloudFlare securely transmitting their data, and acting as a shield to help prevent all sorts of extra vulnerability attacks such
as being a proxy. It appears you run Apache on your servers, which like most all web daemons has been know for .. at least a few.. major vulnerabilities.
Having a proxy server helps protect the actual servers from most vulnerabilities. If you are not going to use cloudflare, you should at least setup a
reverse proxy of your own in front of the server to protect it.

GLBSE did switch to CloudFlare (and also ran proxies of his own), just as MTGox did for a while. Gox needed a better and more advanced
system than CloudFlare of the time, and switched to Prolexic (I believe). I hope no one at prolexic get's any crazy ideas. Although, I feel
as confident as one can given the situation that Gox's system also has protections in place for this type of situation. I think Mark has
made so to do everything necessary to protect users data and accounts.

Thankfully for us, we do not have any coin wallets tied to the website. So in the slim remote chance that a cloudflare employee decides
to go rouge and risk their job/freedom (not that this has stopped people before) to get a users password to login, there is nothing for
them to gain out of doing so. That is one of the best things about BF. I am setting the site up currently so that 2-fa users could even give
out their user and passwords should they so desire, and people would not be able to do anything with their accounts. (Using means above and
beyond just 2-fa)

I would be more afraid to pass, and put sensitive user data on a $45.99/mo server in another country where I do not know who might mirror hard
drive data at any time, have physical console access to the server/console, and who knows what else.

I would ask as I stated before in the BTCT thread where you also began to cross-post this stuff in, that these types of conversations be be
continued on IRC. I would be happy to continue answering your concerns on how BitFunder is different from BTCT in many ways on IRC as it
really does look like childish public mudslinging to quite a few people as I pointed out there already.    http://polimedia.us/dtng/c/res/17830.html

I have no intentions to continue these 'back and fourths' in some vain attempt to try to convince, each other? the public? who's ideas are better and why.
I think the whole thing has made us look like fools. Not that it is anything new for me.

As I said in the other thread, and now again, I will be happy to talk to you on IRC about these things and perhaps we can really learn from and help each other.
I have taken quite a few notes from BTCT that I think are great ideas that I plan to implement on BF as well.

Cheers.

[Ukyo]

What ? Did I just hear lemmings run by ? (sorry could not resist that line)

CDN is not the problem, most banks I know have there own 'Secure' CDN implementation. However CloudFlare and others are not secure, they ether replace your ssl certificate or require your private ssl key to work. (aka they can read and alter content)

As to heavy attacks a good firewall around CDN exit nodes does wonders (personally I pay for support in that department), next step would be to dynamically bind your firewall, dos detection with your name servers to create black holes for unwanted traffic and/or relay legit users to open nodes. (or use cisco to solve that if your in to them)


I’ll leave it at that, all I really meant to say was "Sad to see a other bitcoin related website go for the easy way out and good job, looks like a solid start."

Edit:
------
Having a big mouth without offering a solution is easy so let me just link.

Firewall, Intrusion detection, DDoS: http://www.infoworld.com/node/76855?source=fssr
CDN Setup: The guide works fine but it's just a guide so ... I worked with unixy once, good guy's but expensive. http://blog.unixy.net/2010/07/how-to-build-your-own-cdn-using-bind-geoip-nginx-and-varnish/

I am considering just posting a direct SSL cert for BitFunder on cloudflares system. This way they will not have the private key, and there is no question that
the data encrypted end to end.

What are your thoughts on this?

Also, while I do have multiple gige's at each of my locations, without using any CDN solution, and just exposing my own proxy servers still opens the door
to a DDoS even maxing out the GigE's. While I do have a BGP Blackhole system setup that analyzes network traffic for attacks, it still takes a few moments to
process the data, send a blackhole route to each of the upstreams routers and let them block it from getting to my network. I like using cloudflare for
things like this since it protects the network overall. Cloudflare's servers take the brunt of the hit, esp. if it is a common synflood, etc, and makes it easier.
I was worried that someone would use legitimate data to DDoS the systems and pass through CF, so I made sure that my routers would not block cloudflare,
and would instead look at cloudflares provided origination IP and use their API to take appropriate measures.

Thanks!

[burnside]

I prefer to keep things public.

Didn't mean to light a fire, so to speak.  It was a side comment on someone else's observation.

I'm open to discussion related to security of any of my projects in their respective threads.

And don't worry so much about what the romanians think.  They make fun of everyone.  

[Ukyo]

I prefer to keep things public.

Ahh, that is why I generally do not like forums.

A lot of people bickering back and fourth in the public to get everyone's attention and try to win them over to their own side.
It's like having an argument out in the middle of the street over who is right.
https://www.youtube.com/watch?v=LaQXOrbqAbM
Wonder if there is another term for things like this other than Zax?

I'm open to discussion related to security of any of my projects in their respective threads.

I am too as previously posted.

I won't be using it in my projects though.  I'd rather go offline to a DDoS than risk customer data to a 3rd party.  

Side comments that do not contribute to the discussion with comparisons to your preferences with an ambiguous statement that is highly suggestive
that the sites customer data is somehow at risk without any details of how or why is really just an attack, intended or not.

In other threads you have now repeatedly publicly questioned my "age" within the community and made yourself sound to have been around longer as if it was a plus somehow, which in fact was never the case, and upon confrontation  you drop the subject like a rock. I think this has happened a few other times already.

Reminded me of btcash who did a similar thing https://bitcointalk.org/index.php?topic=102181.msg1399421#msg1399421
He made some bad (in my opinion) comparisons, and has yet to post weather he is even a shareholder of that asset or not or if I misunderstood his comments
and what could be done to better the situation as I asked him.
(When he confirms it I will edit this post and post an apology to him. I just found it odd how he was on for hours later, and on today, and have not responded.)

I still want to believe you have no ill-intent towards myself, or BitFunder, as I have none towards BTCT, LTC-Global and I am even a stockholder that would
like to see everyone succeed.

If you are truly not meaning any harm, then I would ask that you attempt to refrain yourself from posting in regards to BitFunder or myself, unless you have something positive to say (and not sarcastic, or suggestive), and you have my word I will not only do the same, but that I WILL post plenty of positive things about BTC-Global, and BTCT as they are truthful.

Let this be the last of it.

Thank you for your understand.

[burnside]

I prefer to keep things public.

Ahh, that is why I generally do not like forums.

A lot of people bickering back and fourth in the public to get everyone's attention and try to win them over to their own side.
It's like having an argument out in the middle of the street over who is right.
https://www.youtube.com/watch?v=LaQXOrbqAbM
Wonder if there is another term for things like this other than Zax?

I'm open to discussion related to security of any of my projects in their respective threads.

I am too as previously posted.

I won't be using it in my projects though.  I'd rather go offline to a DDoS than risk customer data to a 3rd party.  

Side comments that do not contribute to the discussion with comparisons to your preferences with an ambiguous statement that is highly suggestive
that the sites customer data is somehow at risk without any details of how or why is really just an attack, intended or not.

In other threads you have now repeatedly publicly questioned my "age" within the community and made yourself sound to have been around longer as if it was a plus somehow, which in fact was never the case, and upon confrontation  you drop the subject like a rock. I think this has happened a few other times already.

Reminded me of btcash who did a similar thing https://bitcointalk.org/index.php?topic=102181.msg1399421#msg1399421
He made some bad (in my opinion) comparisons, and has yet to post weather he is even a shareholder of that asset or not or if I misunderstood his comments
and what could be done to better the situation as I asked him.
(When he confirms it I will edit this post and post an apology to him. I just found it odd how he was on for hours later, and on today, and have not responded.)

I still want to believe you have no ill-intent towards myself, or BitFunder, as I have none towards BTCT, LTC-Global and I am even a stockholder that would
like to see everyone succeed.

If you are truly not meaning any harm, then I would ask that you attempt to refrain yourself from posting in regards to BitFunder or myself, unless you have something positive to say (and not sarcastic, or suggestive), and you have my word I will not only do the same, but that I WILL post plenty of positive things about BTC-Global, and BTCT as they are truthful.

Let this be the last of it.

Thank you for your understand.

Man, I avoided this thread until you sucked me in with post #9.  I'm not going to just sit quietly and let misconceptions float free.

Judging from your responses, I'm sure you feel the same way.

Cheers.


 

[Insu Dra]

CDN is not the problem, most banks I know have there own 'Secure' CDN implementation. However CloudFlare and others are not secure, they ether replace your ssl certificate or require your private ssl key to work. (aka they can read and alter content)

I am considering just posting a direct SSL cert for BitFunder on cloudflares system. This way they will not have the private key, and there is no question that the data encrypted end to end.

What are your thoughts on this?

Last time I checked there custom cert options required a cert with private key on there servers, if they changed that good for them. If your sure the encryption is 100% end-to-end it should be fine, I still dislike and avoid supporting them sins they offer insecure services as well.