Author Topic: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"  (Read 3124 times)
markm
August 05, 2011, 07:37:58 AM
Last edit: August 05, 2011, 06:38:05 PM by markm
 #21

Conventional financial institutions spend literally tens of millions of dollars on securing their systems and they still get intrusions - they try to minimise their losses but they can never eliminate them entirely.  People need to accept that the services which have grown up around Bitcoin don't have that same level of sophisticated security and that as those services grow and process more and more transactions, preventing and detecting intrusions is going to become more complex and cost more.

And right about there/here is where I end up going back to check whether Open Transactions has yet gotten around to fixing its self-admitted problem of not using secure enough crypto/hash.

It looks to me more and more the case that until Open Transactions actually uses the level of crypto it claims to need for real use it would be crazy to attempt to go much farther than games and/or trivial amounts of bitcoin in developing open source financial software intended to handle huge amounts of money. Meanwhile tell the billionaires, millionaires, probably even those throwing around only a few hundred thousand - even in the aggregate, such as a very small number of customers each throwing around only a few thousands or tens of thousands - to please simply use bitcoin itself, directly, to do their trading person to person, "heck it *is* a person to person currency, y'know".

There (is? was?) a wild west element to the potential for a rags to riches story rich enough to put together enough capital to simply throw money at the problem(s), and maybe MtGox might even be such a story or close to such a story. Two more recent entries to the niche seem to at least be giving an appearance of being "old money" (maybe even so old that it predates the "early adopter windfall new-rich"? Not sure).

Have we learned enough yet that a project could be started with the goal of making a reference implementation "secure" exchange and/or trading and/or minting and/or banking site?

Maybe if devcoins take off it might become possible to throw money at getting Open Transactions to use the math it apparently believes it should be using, which I keep seeming to end up coming back to as about the only serious way forward that seems to be in reasonably plain sight...

-MarkM-


 

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Nagle
August 05, 2011, 05:06:57 PM
 #22

Unless users lost money, I don't see how it applies.

(The above is from someone promoting pyramid schemes in their signature: "Random Pyramid - make BTC for life with 1 deposit", "Another Pyramid game", "Bitcoin Kamikaze is BACK!". So they need people to act like suckers, putting money into questionable operations. Assurances from such a source are questionable.)

In the past two months, most of the organizations which purport to be "financial institutions" for Bitcoins, taking deposits and holding money for others, have had serious problems. With the possible exception of Dwolla, none are in compliance with laws on money-transfer firms or financial institutions for the country in which they operate. Mt. Gox should be registered as a money-transfer service in Japan, and it isn't. Global Standard Bank should be registered as a bank in Quebec, and it isn't. MyBitcoin and Bitomat were fronts for someone acting anonymously. Liberty Reserve is in Costa Rica, and may or may not be legal there.
TraderTimm
August 05, 2011, 06:21:22 PM
 #23

I think what we are learning here is "Buyer Beware", and doing your own due diligence. You don't do your homework, you'll fail. That goes for anything, really. It is no more detrimental to bitcoin than you losing a pile of cash out of your pocket as you step out of a cab. Things happen, and mistakes are made.

Don't trust new services blindly, take steps to secure your main savings wallet.

fortitudinem multis - catenum regit omnia
Nagle
August 05, 2011, 06:49:11 PM
 #24

Don't trust new services blindly, take steps to secure your main savings wallet.
There aren't any Bitcoin services which come up to the reputability level and financial stability of a small-town bank. Every Bitcoin exchange is a startup with no money behind it. None of them are additional services of a real bank or brokerage. 

Also, none of them guarantee a settlement date. In the real world, brokerages are required to pay up within N days of a transaction; the number of days ranges from 2 to 5 depending on what's being traded. Foreign exchange transactions normally settle within 2 days, stocks in 3 days. None of the Bitcoin exchanges commit to that, and routinely take longer. People are constantly complaining about exchanges not paying promptly.

The whole ecosystem is flaky. Too flaky for retailers. No major retailer could accept Bitcoins when they didn't know how long it would take to convert them to something they could pay their suppliers. 
the founder
August 05, 2011, 07:43:18 PM
 #25

You guys realize that this is just making life worse for everyone... everyone that owns bitcoins.

Prime example,  every time we feel we're confident enough to get out of invite and allow everyone to register an account...  we see that "mt.gox" was hacked,  or "mybitcoin was hacked" ...

Literally as of last night we were prepared to go live...  until this story broke out regarding mybitcoin,  made us question everything all over again... even though we did a million security checks...  we postponed the launch because we want to do another million... and add more security features like email authentication on transfers out of your account over a user specified amount.

I know it's not a bad thing, delaying launch in light of the mybitcoin story that broke out right before we were about to go live to everyone..

In a perfect world security wouldn't be needed...  but CLEARLY in the bitcoin world security is even more needed than banking...   we have clients that are banks...  trust me they don't go through this level of shit.


***  I'm hoping that mybitcoin was a hack and not an owner theft .. but the jury is out...


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
2112
August 05, 2011, 11:24:19 PM
 #26

and Bitomat were fronts for someone acting anonymously.
The operator of Bitomat.pl was never anonymous. His home address, telephone and employer were always readily available. Only after the recent failure the WHOIS information became hidden to avoid constant interruptions at his residence (or his parents' residence).

This doesn't change the fact that he was an incompetent sysadmin.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
the founder
August 05, 2011, 11:29:06 PM
 #27

and Bitomat were fronts for someone acting anonymously.
The operator of Bitomat.pl was never anonymous. His home address, telephone and employer were always readily available. Only after the recent failure the WHOIS information became hidden to avoid constant interruptions at his residence (or his parents' residence).

This doesn't change the fact that he was an incompetent sysadmin.

though the result is the same,  there is a huge difference between leaving a door unlocked to your bank and someone stealing... or setting up a bank with the intention of stealing all your depositors' money.

the jury is out regarding mybitcoin,  hopefully it turns out that most people get most of their bitcoins back.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
2112
August 06, 2011, 12:58:07 AM
 #28

though the result is the same,  there is a huge difference between leaving a door unlocked to your bank and someone stealing... or setting up a bank with the intention of stealing all your depositors' money.
Your analogy is a nonsense. If you want to make a sensible comparison with paper money then talk about a bank which didn't have a fire protection system and all the deposited cash had burned after a lightning strike.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
markm
August 06, 2011, 04:32:10 AM
 #29

It sounded more like a case of a teller asking how much you want to deposit, saying okay let me go write that down for you, meanwhile you go over to the withdrawals teller and withdraw, the first teller gets back from writing down your deposit and prepares to do confirmation number one: counting the actual money you deposited. Oh but wait... wait... wait... hmmm, you left, eh? So much for waiting for confirmation number one. I wonder if the teller then goes back to the ledger and un-writes-down the amount you deposited?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
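
The sequence described in the post above (a deposit written into the ledger and paid out against before "confirmation number one"), as an added example that is not part of the thread or of any exchange's code. It is a toy Python ledger with hypothetical names and a constructed scenario, showing crediting on announcement beside crediting only after confirmation.

```python
from dataclasses import dataclass, field

REQUIRED_CONFIRMATIONS = 1  # assumed policy; the post speaks of "confirmation number one"


@dataclass
class Ledger:
    """Toy single-account ledger (hypothetical, for illustration only)."""
    credit_on_announce: bool      # True reproduces the teller in the analogy
    confirmed: int = 0            # funds backed by a confirmed deposit
    pending: dict = field(default_factory=dict)  # deposit id -> [amount, confirmations]
    paid_out: int = 0

    def announce_deposit(self, dep_id, amount):
        """Customer says a deposit is coming; nothing has been counted yet."""
        self.pending[dep_id] = [amount, 0]

    def confirm(self, dep_id):
        """One confirmation seen; credit the funds once the policy is met."""
        entry = self.pending[dep_id]
        entry[1] += 1
        if entry[1] >= REQUIRED_CONFIRMATIONS:
            self.confirmed += entry[0]
            del self.pending[dep_id]

    def reverse(self, dep_id):
        """The deposit never arrived: drop the pending entry."""
        self.pending.pop(dep_id, None)

    def available(self):
        base = self.confirmed - self.paid_out
        unconfirmed = sum(amount for amount, _ in self.pending.values())
        return base + unconfirmed if self.credit_on_announce else base

    def withdraw(self, amount):
        if amount > self.available():
            return False
        self.paid_out += amount
        return True

    def shortfall(self):
        """Money paid out that no confirmed deposit ever covered."""
        return max(0, self.paid_out - self.confirmed)


def replay(credit_on_announce):
    """Constructed scenario: announce 100, withdraw 100 at once, deposit then fails."""
    ledger = Ledger(credit_on_announce)
    ledger.announce_deposit("dep-1", 100)
    paid = ledger.withdraw(100)
    ledger.reverse("dep-1")
    return paid, ledger.shortfall()
```
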
fellowtraveler
August 10, 2011, 04:01:42 AM
 #30

And right about there/here is where I end up going back to check whether Open Transactions has yet gotten around to fixing its self-admitted problem of not using secure enough crypto/hash.

It looks to me more and more the case that until Open Transactions actually uses the level of crypto it claims to need for real use it would be crazy to attempt to go much farther than games and/or trivial amounts of bitcoin in developing open source financial software intended to handle huge amounts of money. Meanwhile tell the billionaires, millionaires, probably even those throwing around only a few hundred thousand - even in the aggregate, such as a very small number of customers each throwing around only a few thousands or tens of thousands - to please simply use bitcoin itself, directly, to do their trading person to person, "heck it *is* a person to person currency, y'know".

There (is? was?) a wild west element to the potential for a rags to riches story rich enough to put together enough capital to simply throw money at the problem(s), and maybe MtGox might even be such a story or close to such a story. Two more recent entries to the niche seem to at least be giving an appearance of being "old money" (maybe even so old that it predates the "early adopter windfall new-rich"? Not sure).

Have we learned enough yet that a project could be started with the goal of making a reference implementation "secure" exchange and/or trading and/or minting and/or banking site?

Maybe if devcoins take off it might become possible to throw money at getting Open Transactions to use the math it apparently believes it should be using, which I keep seeming to end up coming back to as about the only serious way forward that seems to be in reasonably plain sight...

Hi guys!

I'm writing from the beautiful desert land of Sedona, AZ, where I'm on vacation for a few days.

I wanted to address this quote. FYI, Open-Transactions currently generates 1024-bit keys by default.  Ultimately I would prefer that it uses 4096-bit keys instead of 1024, but that is not a terribly difficult fix to make. As more software is released based on OT, and as entities move closer towards actual production use, the keysize will be increased. (In other words, I wouldn't look at this as a deal-breaker, but rather as one of a long series of security fixes that naturally occur in this sort of project as it nears production.)

Similarly, the (untraceable) digital cash currently uses Lucre, which uses Wagner's algorithm and incorporates the SHA-1 hash. SHA-1 has had weaknesses uncovered over the past few years, though I'm not sure of their implications towards Chaumian blinding. This is fine: the whole idea of OT is similar to PGP: that it's easy to swap in new algorithms as the old ones expire. So on OT, it's not difficult to make new subclasses of OTToken and OTMint that use new algorithms.

(FYI, I have already obtained the source code for 2 new cash algorithms--Chaum and Brands--so these will be available within OT at some point in the future. Again, this is the sort of easy change that will probably happen once OT starts nearing production use.)

-Fellow Traveler

co-founder, Monetas
creator, Open-Transactions