[ANN] A Challenger Appears: SKYPIEA, a Privacy-Friendly Exchange

[FenixRD]

EDIT:

I haven't been active on here in a while, but I left this project about 6 months ago, and sold my stake in it. I'm hearing rumors of non-response and I've had none myself when emailing the address in my contact list for the buyer. If the service has moved, I haven't managed to locate it.

This is feeling like Intersango / Bitcoinica to me; I'd steer clear.

[1714629200]

1714629200

[1714629200]

1714629200

[1714629200]

1714629200

[1714629200]

1714629200

[Mooshire]

Very nice.

[MPOE-PR]

Who's this "we" you speak of? Are you in the WoT?

[FenixRD]

Who's this "we" you speak of? Are you in the WoT?

Yes, I've noticed this concerns you greatly. I was lurking in the thread with BitBot earlier. No, I am not WoT-enabled. I'll consider it.

I had simply planned to divulge my "dox" to a few senior members of the board. WoT may accomplish this as well. If you'd PM me, I'd like to hear briefly why you prefer WoT. You've obviously spent time thinking about such solutions.

"We" are myself, my beautiful wife, my two younger brothers, and my father. We all have backgrounds in engineering and electronics disciplines, as well as military security, and physics. (Ok, so the youngest brother is still in high school, but he helps too. We're a gifted family.)

On here and on SKYPIEA we will go by aliases, and will escrow our identities (via WoT or just senior forum members). This is to prevent harassment or criminal attempts. It is trivial to find our identities probably. But, when I leave home I lock doors despite the simplicity of breaking windows. You understand. I might want to pull an "I am Iron Man" but my current thinking is, that announcing access to vaults of gold and bitcoins might attract attention of the unsavory sort.

But I still might. In any case, our payment processors to have our full information. It's an open secret. When the site is live and you click "pay with debit card" for example, it uses PopMoney's solution. We aren't manually keying in cards or something. We're ID-verified at CoinBase too. I understand the concerns but I bet once the site is live you'll see that is a non-issue.

[digit]

Send me an invite, i'n interested

[MPOE-PR]

Yes, I've noticed this concerns you greatly. I was lurking in the thread with BitBot earlier. No, I am not WoT-enabled. I'll consider it.

Mistaking points of fact, such as that the WoT is the standard and you can ignore it at the peril of being laughed off by the actual players, as personal concerns is a good way to signal your inclination towards willful ignorance. If you're here to pretend that reality is what the clueless masses would prefer it to be, just come out with it already.

Anyway the WoT discussion is here.

"We" are myself, my beautiful wife, my two younger brothers, and my father. We all have backgrounds in engineering and electronics disciplines, as well as military security, and physics. (Ok, so the youngest brother is still in high school, but he helps too. We're a gifted family.)

That's very nice. It's also, unfortunately, contentless in the context of business.

On here and on SKYPIEA we will go by aliases, and will escrow our identities (via WoT or just senior forum members). This is to prevent harassment or criminal attempts. It is trivial to find our identities probably. But, when I leave home I lock doors despite the simplicity of breaking windows. You understand. I might want to pull an "I am Iron Man" but my current thinking is, that announcing access to vaults of gold and bitcoins might attract attention of the unsavory sort.

But I still might. In any case, our payment processors to have our full information. It's an open secret. When the site is live and you click "pay with debit card" for example, it uses PopMoney's solution. We aren't manually keying in cards or something. We're ID-verified at CoinBase too. I understand the concerns but I bet once the site is live you'll see that is a non-issue.

The entire "I can't say who I am or substantiate my qualifications because Boogeyman" has been done to death. It's not going to work for you any more than it's worked for anyone else. Sure, use an alias, but keep in mind that the more standard tools you profess to not need or claim to be unable to use, the more your reputation rests on pretense --and when people's money is involved, this puts you at an extreme disadvantage.

[FenixRD]

Mistaking points of fact, such as that the WoT is the standard and you can ignore it at the peril of being laughed off by the actual players, as personal concerns is a good way to signal your inclination towards willful ignorance. If you're here to pretend that reality is what the clueless masses would prefer it to be, just come out with it already.

Anyway the WoT discussion is here.

I'll look it over. Point of fact, it hasn't been the standard with any service I've ever used. Some do, some don't. I think it has benefits, and I don't see a downside, but I wouldn't call it a standard. WOT is considered a startup in business circles and based out of Holland. It's a good idea, and on its way to perhaps being a standard of sorts, but it still requires a browser add-on for all consumers. When it shows up as a default option in a Firefox build, we can call it a standard.

"We" are myself, my beautiful wife, my two younger brothers, and my father. We all have backgrounds in engineering and electronics disciplines, as well as military security, and physics. (Ok, so the youngest brother is still in high school, but he helps too. We're a gifted family.)

That's very nice. It's also, unfortunately, contentless in the context of business.

Please tone down the aggression. I will respond to meritless disrespect by making your IGNORE link an even brighter yellow. I'm sure you have good reason to be edgy, since a lot of us have been burned in this community -- I've lost money in Bitfloor and other places -- but just because it's the web doesn't mean the rules of polite society fly out the window. You are the one who asked who we were. If I have inadequately answered that question, please tell me what sort of answer you were expecting. You yourself are quite anonymous -- more anonymous than I myself would permit when considering a service. There would be zero legal recourse for me, as a US citizen, to pursue you and your associate (not saying you would ever do such a thing, just an example). All I know about you is you appear to reside in Romania. I don't have any way of verifying actual names or businesses, etc. There is a place for that, and MPOE may be the type of service that requires such anonymity, but it does make this whole discussion feel a bit hypocritical.

The entire "I can't say who I am or substantiate my qualifications because Boogeyman" has been done to death. It's not going to work for you any more than it's worked for anyone else. Sure, use an alias, but keep in mind that the more standard tools you profess to not need or be unable to use, the more your reputation rests on pretense --and when people's money is involved, this puts you at an extreme disadvantage.

(1) My IRL identity -- US identification documents -- will be secured by trusted senior forum members for the purposes of conducting and promoting commerce on this forum. If I'm comfortable, I may come out further. Between the state of flux the legislation is in, and to protect client funds should I ever need to pull a KDC and change home bases, and the fact that it is a family endeavor and I'll be damned if I'm putting my wife at risk for kidnapping, with all due respect, I think there's plenty of good reason to shield at least our names and addresses from being listed on our homepage, for now. If you were expecting LinkedIn accounts and google maps pin drops when you asked who we were... well, sorry, that is not going to happen! I don't trust the general population of this forum one bit.

(2) For US residents especially, but also any residents of countries with cooperative agreements with the FBI -- basically any Interpol member nation: As a business, we are a registered LLC in the state of Texas. While corporate personhood is an interesting and controversial set of laws to study, the current interpretation has been repeatedly upheld by the US Supreme Court, as recently as 2012. As such, it is expected and normal to conduct trade with a business entity like an LLC, as the identified trading partner, because your legal recourse is simple: You contact the police regarding a theft by an LLC, and the police take care of it. Even you, in Romania, as a resident of an Interpol member country, have legal recourse in the event your funds are stolen. And if you really want you can look up the registrants of an LLC. But I won't be posting anything further here, at present, no. Hope you understand.

[FenixRD]

Who's this "we" you speak of? Are you in the WoT?

Yes, I've noticed this concerns you greatly. I was lurking in the thread with BitBot earlier. No, I am not WoT-enabled. I'll consider it.

Mistaking points of fact, such as that the WoT is the standard and you can ignore it at the peril of being laughed off by the actual players, as personal concerns is a good way to signal your inclination towards willful ignorance. If you're here to pretend that reality is what the clueless masses would prefer it to be, just come out with it already.

I want to specifically address the WOT question, because it seems there is a dangerous precedent being advocated. I'll reiterate that while I see nothing wrong with it (indeed, it is a good way to add confidence in a service), it is not a standalone solution for all Bitcoin trust issues, and most certainly is not the "standard." Here is Mike Hearn on the subject recently (Sept. 24, 2013):

You shouldn't [prefer the WOT]. The PKI is the result of evolving a web of trust style system over many years, as it got real usage. It looks the way it does because of its solutions to the problems the raw web of trust model has.

For instance, let's say Bob starts signing keys using GPG. His signature is worth very little unless I happen to know and trust him. In practice as a new Bitcoin user who just saw it on CNN, I don't know Bob. However, maybe I do trust the guys making the Trezor because they are a real company and they live in a country with sane laws, etc, they have lots of happy customers, so that gives me a starting point. Then if stick and slush trust Bob, and Bob has signed the key of bitcoinstore.com then I have a chain of trust to the store.

Bob has become a certificate authority!

How trustworthy is Bob, really? Does he keep his private key on a computer running a warez copy of Windows XP that is full of malware? It would be nice if we could formalise the "stick and slush trust Bob" part of the above description. Otherwise what stops Mallory turning up and demanding that Trezor trusts him too?

A good way to resolve this conundrum is to come up with a set of best practices, like keeping your private key inside a hardware security module, and setting some rules around when Bob/Mallory should sign a public key. To increase trust in the system and stop Mallory just claiming he follows the rules when really he doesn't, we might want to create a formal audit system and an auditor organisation that verifies these guys are following the rules.

We just re-invented the WebTrust Audit:

   http://www.sslshopper.com/article-what-is-webtrust-for-cas-certification-authorities.html

Eventually as Bob and Mallory get more professional and trusted, they'll discover it's sort of hard to do it in their spare time so they'll create companies and start charging fees. They'll compete in the open market. After a long time, some of them will discover that for the most basic kind of key signing (emails and domain names) it can be entirely automated and done for free.

That's StartSSL.

As the number of trusted parties goes up and they handle more and more key signings, eventually Bob or Mallory might get hacked or pressured by the government. It'd be nice if everyone knew what keys Bob and Mallory had signed, in a more scalable way than just relying on everyone to upload all their keys to the MIT key server.

That's certificate transparency.

I hope you can see now why the PGP web of trust would eventually end up being pretty similar to the regular PKI, if it got big enough.

Source: https://bitcointalk.org/index.php?topic=300809.msg3225143#msg3225143 (bottom of his post).

I believe WOT is only a tool, and cannot be recommended for use on its own to verify identities like this. I'm open to discussion however. Mike Hearn isn't always right (redlisted coins come to mind).

[timmybray]

Waiting for the invite. Interested in trying.

[FenixRD]

Waiting for the invite. Interested in trying.

Sending now.

[Rupture]

Watching this.

[Hfleer]

I would like an invite to check this out.

[MPOE-PR]

I'll look it over. Point of fact, it hasn't been the standard with any service I've ever used. Some do, some don't. I think it has benefits, and I don't see a downside, but I wouldn't call it a standard. WOT is considered a startup in business circles and based out of Holland. It's a good idea, and on its way to perhaps being a standard of sorts, but it still requires a browser add-on for all consumers. When it shows up as a default option in a Firefox build, we can call it a standard.

Standard does not mean easily accessible by consumers.

Please tone down the aggression. I will respond to meritless disrespect by making your IGNORE link an even brighter yellow. I'm sure you have good reason to be edgy, since a lot of us have been burned in this community -- I've lost money in Bitfloor and other places -- but just because it's the web doesn't mean the rules of polite society fly out the window.

Informing you that your family details are irrelevant when considering your business qualifications is not at all aggressive. Me pointing out to you that you are a clueless asshat inasmuch as you prefer to pass a bunch of pretense off as identity and reliability isn't aggressive, either. These are facts, and if the tone upsets you, you'd do well to read and understand the first time so that it doesn't have to be toned up yet again on the next pass.

You are the one who asked who we were. If I have inadequately answered that question, please tell me what sort of answer you were expecting.

You came here posting about the great and venerable business you'd like people to use, failing to convey the relevant details. I graciously pointed this out to you. You can get with the program or not, but there's no middle ground for insisting you "can't" but people should trust and support you anyway.

You yourself are quite anonymous -- more anonymous than I myself would permit when considering a service. There would be zero legal recourse for me, as a US citizen, to pursue you and your associate (not saying you would ever do such a thing, just an example). All I know about you is you appear to reside in Romania. I don't have any way of verifying actual names or businesses, etc. There is a place for that, and MPOE may be the type of service that requires such anonymity, but it does make this whole discussion feel a bit hypocritical.

So basically, you've read not a thing, you have no idea what's what, and in the fantasy world in which you reside, the likely most public person in Bitcoin is anonymous, MPOE is a service, and you don't have to show that you're competent because your family is nice.

You're out of your depth, and this isn't going to fly.

[FenixRD]

And, ignored. I don't know if you have a vested interest in acting this way (I don't think we compete with you) or what, but there's clearly no way of pleasing you, so I'll be focusing on other thread participants. If you ever have a question about the service you can PM me. I won't be trying to drain your vast ocean of rude negativity with my teacup, thank you. I've reviewed your forum activity, and I can see that is pointless.

[FenixRD]

I would like an invite to check this out.

Invites sent to you and rupture.

[FenixRD]

UPDATE:

Security and penetration testing over the weekend. One of the bounties was to compromise anonymity, and the team from UT's applied maths department managed to link asset movement between accounts in one specific situation. Kudos to them, and we're working on revising the algorithm in that subsection. For the cryptonerds, they used a rotational cryptanalysis on the ARX function after freeze-spraying the RAM to preserve the states.

This would affect a user or group of users in the event a hostile entity physically seized one of the boxes which track who has ownership of funds, and wanted to know if multiple users were in fact linked or potentially only one user IRL. Our system is designed to prevent this, among other things.

A round of applause for them, they make it more secure for all of us. We'll post a new launch target shortly.

-Nami

[superside]

Currently working with Skypiea.
Had our first meeting in Dec. I've completed my end of the transactions but am awaiting finalization which should be in the next week. Will give a full review then.

[superside]

Should be finalizing today, here's my review.

https://bitcointalk.org/index.php?topic=414213.msg4493677#msg4493677

[superside]

keeping this clear until finalization