JTaBitCoinKing
Newbie
Offline
Activity: 28
Merit: 1
June 19, 2011, 11:18:28 PM
I think the chances of TradeHill being behind the attacks are as likely as it being MJ12. More likely it was Lulzsec, a psychopath, someone protecting Silk Road, or just some thief.

CharlieContent
June 19, 2011, 11:19:47 PM
Finally, an exchange run by competent people instead of some Magic the Gathering idiot. BitCoin has come of age. As long as Tradehill wasn't formerly "TradeMagicTheGatheringCardsHill" then I'm in.

zombo
Newbie
Offline
Activity: 21
Merit: 0
June 19, 2011, 11:20:42 PM
I'm interested in signing up with you guys but you don't transfer to Liberty Reserve which is the only place I can use being that I live in New Zealand.
Hope you guys can do something for us Kiwis sometime soon.

Jered Kenna (TradeHill) (OP)
June 19, 2011, 11:27:07 PM
I'm interested in signing up with you guys but you don't transfer to Liberty Reserve which is the only place I can use being that I live in New Zealand.
Hope you guys can do something for us Kiwis sometime soon.
We do use Liberty Reserve and we're treating it as its own currency so that we can be used as an LR exchange in addition to a BTC exchange. More answers to the rest of the questions coming. We are getting flooded with emails and concentrating on user security.
moneyandtech.com @moneyandtech @jeredkenna

Jered Kenna (TradeHill) (OP)
June 19, 2011, 11:31:53 PM
I want to ask a few questions about your company.
What's the number of the owners' equity on the Balance Sheet of your company, say, how much money have you founders invested?
Frankly, that is private – There is a distinct difference between being ‘untruthful’ or ‘inaccurate’ as opposed to choosing wisely about what information should be disclosed publicly. Either way, we will be preparing a public statement covering multiple dimensions of our business and will consider your request.
How many full-time staff are there in your company?
All four founders are working on this full-time except ME. I have a consulting business and must deliver on my promises to past clients. However, as soon as that happens, I intend to dedicate all my time to this. I will not comment on the number of staffers we have.
Are there any founders who are not full-time?
Answered above!
Are you going to raise larger venture capital soon?
We have developed an innovative way to raise capital. Additionally, some of our family members are equipped to provide us significant funds. We do have an open mind to VCs or other investors so please send us a note.
How many years have you founders known each other? Have you guys teamed up before?
Answered above – Jered and I have known each other for ten years – I used to email him while his base was getting mortar attacked in Afghanistan. Jered and I have known Francisco for 3 years.
moneyandtech.com @moneyandtech @jeredkenna

jibjabz
Newbie
Offline
Activity: 59
Merit: 0
June 20, 2011, 12:13:04 AM
Can you please suspend whoever's account this is for their blatant spamming?
tradehill.com/?r=TH-R15683
I'm sure you've heard, but they emailed every Mt. Gox customer with their referral code.

Jered Kenna (TradeHill) (OP)
June 20, 2011, 12:13:32 AM
We can accept international wires. If you want to buy Bitcoin with any currency, go to your bank, buy USD and then wire it in. SEPA is coming ASAP, we are growing as fast as possible. We don't want to overextend ourselves and fail. We would much rather provide a reliable service.
In regards to the servers we're on it. It's one thing to grow quickly and another to have the entire Bitcoin world try to log in at once.
When is TradeHill going to pay for, and publish results from, a professional security audit? If you want to be a real online broker, you need to invest in Wells-Fargo levels of vulnerability analysis. Start with NTOSpider On-Demand, http://www.ntobjectives.com/ntoondemand, to get an idea of where you stand. Next, hire an experienced consultant to make sure everything is absolutely bulletproof. I HIGHLY recommend Strategic Data Command of Oakland, CA. Larry Suto is among the best at what he does. It might cost you a small fortune, but if you want results you need to call in world-class experts. I posted this same bit of advice to our MtGox rep. as well.
Hi ICEBREAKER, ABSOLUTELY - and we will publish the results for the community to view! Thank you for the recommendation. We will definitely reach out to your colleague. Understand that we will likely seek several opinions. This is a major priority that is both important and urgent; however, we cannot drop everything at this moment – we hope you understand – we have already frozen withdrawals and deposits and told customers to change their passwords. We also have confidence in our current system; although, we will definitely be seeking advancements going forward. We are promising the community that this issue will be addressed PUBLICLY – via third party AUDIT - with brevity and transparency. Regarding costs, we are thinking that perhaps some of the Task Force’s budget could be included for third party security checks; that way, each exchange will be put to the same tests on a level playing field. Again, for anyone who wants to participate in organizing the Task Force for Exchange Security please send an email to info@tradehill.com with “Task Force” in the title.
Regards, Adam Stradling
moneyandtech.com @moneyandtech @jeredkenna

mgiuca
Newbie
Offline
Activity: 25
Merit: 7
June 20, 2011, 01:25:43 AM
No offense but your security is a joke, right? I understand you don't have the resources/money but it needs to be looked at seriously as the #1 priority.
Do you have any specific security complaints about TradeHill? You shouldn't go saying that a financial website's security is a "joke" unless you have some evidence.

ivank2139
Newbie
Offline
Activity: 27
Merit: 0
June 20, 2011, 03:48:38 AM
With the proper authorizations many people can perform a penetration test of the web site. It should be fairly easy to run one, or contract to do it, and publish the results. It would certainly be worthwhile to have some evidence of security in place.
Some people can do the pen testing without authorization but not legally from the USA.

finack
Member
Offline
Activity: 126
Merit: 10
June 20, 2011, 04:09:07 AM
When are you going to be able to provide a timeline for things like a full security audit and features like two factor auth that you mentioned on onlyonetv? I understand that you won't be able to commit to a specific time for features or a consultant you haven't hired, but a date when you will be able to would be nice.

SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
June 20, 2011, 04:49:29 AM
When will tradehill open back up for trading? It says a few hours on the website, but it's been 6... I'd just like to know if it'll be 1 hour or 10 before we can start trading again?

iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
June 20, 2011, 04:59:17 AM
With the proper authorizations many people can perform a penetration test of the web site. It should be fairly easy to run one, or contract to do it, and publish the results. It would certainly be worthwhile to have some evidence of security in place.
Some people can do the pen testing without authorization but not legally from the USA.
That's right Ivan. If a site won't publish the results from one or more of the readily-available penetration testing services, you should assume that their code is ready to be opened up by hackers like a tin can of sardines with a pull-tab.
"The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy." David Chaum 1996 "Fungibility provides privacy as a side effect." Adam Back 2014

1.21gigawatts
Member
Offline
Activity: 98
Merit: 10
June 20, 2011, 05:13:57 AM
When will tradehill open back up for trading? It says a few hours on the website, but it's been 6... I'd just like to know if it'll be 1 hour or 10 before we can start trading again?
They just updated their website: We expect to resume normal operations 06/20/11 10 AM Eastern.

Jered Kenna (TradeHill) (OP)
June 20, 2011, 05:15:04 AM
When are you going to be able to provide a timeline for things like a full security audit and features like two factor auth that you mentioned on onlyonetv? I understand that you won't be able to commit to a specific time for features or a consultant you haven't hired, but a date when you will be able to would be nice.
We have 3 people (internally) looking into our security as I post this. We're not going to release the two factor authentication without extensive testing but I am going to say we will release an ETA as soon as we have it and this is a top priority.
moneyandtech.com @moneyandtech @jeredkenna

Jered Kenna (TradeHill) (OP)
June 20, 2011, 05:16:11 AM
When will tradehill open back up for trading? It says a few hours on the website, but it's been 6... I'd just like to know if it'll be 1 hour or 10 before we can start trading again?
They just updated their website: We expect to resume normal operations 06/20/11 10 AM Eastern. Thanks, beat me to it.
moneyandtech.com @moneyandtech @jeredkenna

JTaBitCoinKing
Newbie
Offline
Activity: 28
Merit: 1
June 20, 2011, 06:17:10 AM
Come on guys! This conspiracy theory that Tradehill did the attack is just a little too wild, don't you think? The U.S. Government, probably not but maybe. Lulzsec, much more likely. Tradehill, not very likely.
It's just an opportunity, that spammer who sent you all referrals knows that.

sang
June 20, 2011, 06:41:01 AM
I recommend a function to allow us to change our email associated with our account as well.

ivank2139
Newbie
Offline
Activity: 27
Merit: 0
June 20, 2011, 01:59:27 PM
I have a few questions.
Did you hire a Security Professional? A real one? What are his qualifications? What kind of testing, tools and monitoring has been put in place?
Have you implemented a realistic Security Strategy, like "Defense in Depth"? Is each layer of the IT infrastructure down to the database protected with ACLs and the minimum privileges possible?
Do you require users to have good pwd, at least 16 characters long, digits, letters and special characters, along with digital certificates?
Do you run your operations on a real Unix system? Solaris or OpenSolaris are secure by default. They are also "special" enough that not many hackers have expertise to penetrate it and it has very good support and Security features built in.
Is your system hosted in the cloud?
Are you using a well designed and professionally managed database? Is this database being operated in the most secure manner possible? Can you prove it and show evidence of an audit?
Everything should be logged and the logs monitored for attacks.
Do you offer all users a digital certificate with your exchange being the CA?
Is your entire operation behind a commercial firewall appliance and do you use a secure DNS?
What SIEM monitoring tools are in place? You should have a SIEM monitoring solution from a reputable company. I used AlienVault to gain experience but something even better might be a commercial offering. Trustwave comes to mind that will audit your system and provide some certifications as to your compliance with all provisions of the NSA recommendations, and any other applicable authorities like the big exchanges.
I think if you put this in place and let it be known upfront what is going on then you could easily attract as much business as you could handle. With the best security in the bitcoin exchange arena you could charge more for trades and still get more customers. With as much security as mentioned here it should be no problem for a big insurance agency like Lloyd's or whomever to insure each account and each trade to at least 250K bitcoins at a time or better.
You are going to be the number one target if you are successful. Plan on it and plan on getting hit and have a plan to recover.
This is going to be a huge business with any luck and being the most secure will get you all the business you can handle.
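The post above says "everything should be logged and the logs monitored for attacks" and asks what SIEM tooling is in place. The following is an added editorial example, not code from the poster, from TradeHill, or from any SIEM product: a small detector in the spirit of what such monitoring does for an exchange login endpoint. It assumes a hypothetical login audit log format (one line per attempt: ISO timestamp, LOGIN_OK or LOGIN_FAIL, user, source IP); the sample lines are constructed with documentation IP ranges. It raises three kinds of alert per source IP: a burst of failures within a window (brute force against one account), failures spread across several distinct accounts (password spraying or credential stuffing, the pattern behind "change your passwords" advisories), and a successful login from an IP that was already flagged, which is the event a responder most wants escalated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format; IPs are from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2011-06-20T01:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2011-06-20T01:00:03 LOGIN_FAIL user=alice ip=203.0.113.7
2011-06-20T01:00:05 LOGIN_FAIL user=alice ip=203.0.113.7
2011-06-20T01:00:06 LOGIN_FAIL user=alice ip=203.0.113.7
2011-06-20T01:00:08 LOGIN_FAIL user=alice ip=203.0.113.7
2011-06-20T01:00:09 LOGIN_OK   user=alice ip=203.0.113.7
2011-06-20T01:02:00 LOGIN_FAIL user=bob   ip=198.51.100.9
2011-06-20T01:02:01 LOGIN_FAIL user=carol ip=198.51.100.9
2011-06-20T01:02:02 LOGIN_FAIL user=dave  ip=198.51.100.9
2011-06-20T01:02:03 LOGIN_FAIL user=erin  ip=198.51.100.9
2011-06-20T01:02:04 LOGIN_FAIL user=frank ip=198.51.100.9
2011-06-20T01:10:00 LOGIN_FAIL user=bob   ip=192.0.2.44
2011-06-20T01:30:00 LOGIN_OK   user=bob   ip=192.0.2.44
"""

# One regex for the assumed line layout; anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_\w+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts with real datetime objects."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a production pipeline would count unparsed lines as a health signal
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]),
                       "event": d["event"], "user": d["user"], "ip": d["ip"]})
    return events


def detect_attacks(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Sliding-window failure analysis per source IP.

    brute_force:          >= fail_threshold failures from one IP inside `window`
    password_spray:       failures against >= spray_threshold distinct users inside `window`
    success_after_attack: a LOGIN_OK from an IP that was already flagged (likely compromise)
    One alert per (type, ip) so a long attack does not flood the analyst.
    """
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> recent failures still inside the window
    flagged = set()              # (type, ip) pairs already alerted on
    alerts = []

    def alert(kind, ip, **extra):
        if (kind, ip) in flagged:
            return
        flagged.add((kind, ip))
        alerts.append({"type": kind, "ip": ip, **extra})

    for e in events:
        ip, q = e["ip"], recent[e["ip"]]
        while q and e["ts"] - q[0]["ts"] > window:  # expire old failures
            q.popleft()
        if e["event"] == "LOGIN_FAIL":
            q.append(e)
            if len(q) >= fail_threshold:
                alert("brute_force", ip, count=len(q))
            users = {x["user"] for x in q}
            if len(users) >= spray_threshold:
                alert("password_spray", ip, users=sorted(users))
        elif e["event"] == "LOGIN_OK":
            if ("brute_force", ip) in flagged or ("password_spray", ip) in flagged:
                alert("success_after_attack", ip, user=e["user"])
    return alerts


def analyze(text=SAMPLE_LOG):
    """Convenience wrapper: parse then detect, returning the alert list."""
    return detect_attacks(parse_log(text))


if __name__ == "__main__":
    for a in analyze():
        print(a)
```

On the constructed sample this yields four alerts: a brute-force burst against alice from 203.0.113.7 followed by a success_after_attack for that IP (the case that should trigger a forced password reset and session invalidation), and a password_spray across bob, carol, dave and erin from 198.51.100.9 that then also crosses the brute-force count. The single failure from 192.0.2.44 followed by a success half an hour later produces nothing, which is the point of the window: ordinary typos must not page anyone. In a real deployment the thresholds would be tuned against baseline traffic and the alerts shipped to whatever SIEM the exchange runs.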