Crazy Land Rush

[the founder]

Do the accounts get locked after a few invalid login attempts (to fix the weak password issue)?

Actually we do have it set at a very high number for this weekend due to the invite process..  (we were thinking that people wanted to get familiar with the system,  try it on their mobile device. etc etc..)

On Monday we'll be increasing the password length limitation,  and lowering down the number of attempts then temporary lockout to 6 tries...  the problem I have with it is that I personally thumb it a dozen times on my iphone when entering in crap... but we've made this decision 2000 times... security over convenience...  in this case security wins both times.

[1714094787]

1714094787

[1714094787]

1714094787

[1714094787]

1714094787

[1714094787]

1714094787

[FlyingFlapjack]

yep we're the first bitcoin bank...  now I am not sure where to find the legal documents in Washington surrounding a bitcoin bank.   Honestly if you can find that let me know.   

Well you can be a federally chartered bank, or a state chartered bank. It costs millions in capital either way.

So...you're saying you're just going to avoid handling dollars and other 'real money' to avoid all that?  Do you have lawyers? I can't believe they'd tell you to just wing it. Even if bitcoin is not legally money, it is probably something like a security.

I'm not a lawyer, but you don't even seem to have a legal disclaimer anywhere about you not legally being an actual bank, unless I'm missing that link.

[the founder]

yep we're the first bitcoin bank...  now I am not sure where to find the legal documents in Washington surrounding a bitcoin bank.   Honestly if you can find that let me know.  

Well you can be a federally chartered bank, or a state chartered bank. It costs millions in capital either way.

----

But can you be a federally or state charted Bitcoin bank?   Seriously Washington moves fast!

------

Do you have lawyers?
----
yep at $300/ hour two of them...  
----

I'm not a lawyer, but you don't even seem to have a legal disclaimer anywhere about you not legally being an actual bank, unless I'm missing that link.


-----
You're not missing the link.   It's just that it's not needed.  Yes our company lawyer (and we had a second opinion as well) said that the term bank can apply to the side of a road,  a sharp turn,  a storage facility,  or a financial institution.  

On a second note, I used to work for a company called DomainBank.com for 10 years..  I don't recall a "charter on their front door"  either.. considering you couldn't deposit USD there...  nor can you at Flexcoin ...

I understand your concern,  but we already hashed this out months ago when we were building the bitcoin bank.    But i'll put a note on the TOS regarding it to ensure that everyone feels better about it.

[thefussydutchman]

I really don't know what all the fuss is about an invite.  Your the owner but can't give me an invite?  That's fine this does not seem like a real company.

[payb.tc]

I've seen this image soooooo many times on the web.

just type 'laptop woman' into google images as an example



(actually, tineye returns 978 results for it   )

[kloinko1n]

I just LOVE the part where impulsepay.com says that this hype goes at a premium of 33% additional costs (as they charge 25% of the revenues, you have to raise the price by 33% to satisfy that condition).

uhmm... NOT 

[phillipsjk]

Are you kidding me? You are limiting passwords to 12 characters? And you consider this sufficient security? Sounds to me like you're storing the passwords in plaintext.

No, it's encrypted.. and B:  we were thinking that people might one day want to use it for their mobile phones...  so I have no idea what kind of phone you use.. but I'd rather not type in a 30 character password.

For a cellphone, it may be easier to type a 20 character numeric password (66.4 bits of entropy if random). A 12 character password can't really have over 72 bits of entropy. Computers are getting stupidly fast these days. Anything with less than 64 bits of entropy is likely insecure. After 128 bits you are probably safe as long as the storage mechanism has no underlying weakness.

[CubedRoot]

so, I think I missed this
How do we get invites?  I would like to give Flexcoin a shot

[dishwara]

I try to register & got this error.

could not register new user
you do not have a valid invitation
try again

[phillipsjk]

Any attacker would set up their look-alike on a different domain as well. Have you seen the Upside-Down-Ternet page?

Intercepting HTTP is trivial. In some cases intercepting HTTPS is trivial as well.

yea but you don't even need to do that...   I could go setup ...  paypal.com.EXAMPLE.Com and just make the shitty scum site look like paypal and send out tons of unsolicited e-mail to people and some idiots will bite.. it's called phishing.

Many users visit websites by typing their name into a trusted search engine like Google (Which does support HTTPS). paypal.com.example.com won't come up in the first 10 results, but paypal.com will. Without HTTPS (or other authentication), it is possible for an attacker to use your real domain for their phishing site.

As I have pointed out, this is not a theoretical or difficult attack. Are you OK with my ISP injecting PayPal ads when I view your landing page?

PS: I know my own website does not support HTTPS or IPsec at the moment... I hope to change that eventually. IPsec should work for the gopher version too