Miners, You Should Be Earning 7% Fixed Income With Options

[Brunic]

I understand your financial concept and I find it really interesting.

BUT

As others mentioned, review your security method. We are hardware and software guys here. We maybe have difficulties to understand finances correctly, but we swim in network security everyday. I personally always use random passwords of around 12 characters that I generate myself with some software I own. I'm a sort of maniac that put different passwords everywhere.

We are ready to help you secure your project, ESPECIALLY if we invest money in it. If you agree to review your security method, I'm sure you'll find a shitload of good advices to enhance security. 

[nedbert9]

unfortunately, on bitcointalk good advice comes with a bit of exaggerated ass raping. 

[yochdog]

Hi Miners,

BitcoinOPX.com has recently opened and I wanted to make sure everyone knows of a risk free way to earn 7%, for example, monthly returns on your coins.

This is possible because of the value options provide asset holders who are most likely planning to sell. Below is a great example provided by forum user waltmarkers in a speculation thread:

Actually, I disagree - this could be the perfect vehicle for miners and other bitcoin holders. Covered calls in the money at inception are a great way for the bitcoin owner to make a fixed short term income based on their long term position.

For example.

I want to "lend" 1000 coins.

Current price is 5.75.

I issue a 1000 call at a strike price of 5.50  for 0.635 per coin or a $635 contract price for 28 days from now.

If bitcoin goes up past 6.135, I lose my coins, but I get $5500 plus the contract price of $635. Basically I locked in a sell price of $6.15  (7% monthly return)

If bitcoin is between 5.50 and 6.135, and the contract is exercised, I still get the $6,135. I effective sold at $6.15. (7% monthly return)

If bitcoin goes below 5.50, contract is not exercised. I keep my 1000 coins plus I now have an extra $635 I can pocket or buy more coins with.

We don't need one market maker, we need a group of miners to use covered calls.

BTW - why would someone want to buy a call already in the money? 1. They would like to speculate the coins are going up past the 6.15 with out buying a single coin. 2. They are selling coins lent to them to convert to fiat for a purchase, and want to ensure they can pay their loan in bitcoin later.

This has been your friendly neighborhood covered call lesson.

@waltmarkers: I completely agree. Thanks for that textbook example of the advantage of writing covered calls as applied to Bitcoin.

I would add a 3rd reason for someone wanting to buy a call already in the money: As I noted above options can provide leverage. If a person believes the price is heading to $7.00 for example and has $635 they can either buy the option you mentioned or buy bitcoins directly. If they buy bitcoins directly at the current price of $5.75 they can afford 110 bitcoins. Multiplying that by the difference gives 110 x $1.25 = $138.00 is the maximum they could profit from that price move.

However, buying your option at $635 yields 1000 x 1.50 = $1500, then subtracting the $635 = $865 of profit they could make. Quite a difference. More risky, of course, but no comparison in terms of profit potential.

Perhaps I should be explaining this to the miners...  

The example uses 1000 coins but BitcoinOPX allows creating options of sizes 10 or 100 as well. The 7% return would apply in any case. I'm happy to answer any questions.

Is there any volume?  I see no bids or asks on any contract.....

[Brunic]

I've made an account, to try it out. I'm a newbie in those sorts of thing, and all this seems as easy as making a worldwide speech in japanese.

So, here's my real life situation. At the end of the month, I'm going to sell 300 Bitcoins. I'm mining them right now, and they are going to be sold. Let's say you want to teach me how to use BitcoinOPX for my first time knowing that I'm selling 300 Bitcoins at the end of the month, what do you tell me?

[Graet]

Call me oldfashioned, but even before I look at the security "conversation"

Who are you? I don't entrust my BTC to random internet nicks with only an email for contact.

Where are you based? are you a registered company in any jurisdiction?

You say "We" who are the other people involved?

I see you are hosting in Panama, are you on a VM or a dedicated server or your own server colocated?
After the Linode experience, I hope the last.

And on the security issue, you do realise that the other thing GPUs are really good for apart from mining Bitcoins and playing games is password cracking?

[Ferroh]

Look, 6 chars is enough to prevent a remote brute force (since only 7 tries are given), but it is not enough if your database is copied (since billions of tries are given).

Even you admit this.

It doesn't matter if you think that 6 char passwords are enough, the people in this thread are your potential clients. Concede, and give them what they want, even if it doesn't quite fit with your view.

[Clipse]

Call me oldfashioned, but even before I look at the security "conversation"

Who are you? I don't entrust my BTC to random internet nicks with only an email for contact.

Where are you based? are you a registered company in any jurisdiction?

You say "We" who are the other people involved?

I see you are hosting in Panama, are you on a VM or a dedicated server or your own server colocated?
After the Linode experience, I hope the last.

And on the security issue, you do realise that the other thing GPUs are really good for apart from mining Bitcoins and playing games is password cracking?

This is the most important part of this whole thread, where did you come from and why do you suddenly want people to deposit money with you?

[memvola]

Why would anyone want to crack the passwords if they've got the database? Passwords are random, so they're not of use anywhere else. (Maybe they have the passwords but can't access the wallet though. Can happen.) Also I'd expect 9 randomly generated characters to be far better than 12 character user provided passwords.

Having said that, I'd comply with the demands. It's hard to prove people wrong on this matter and it is bad for PR.

EDIT: I'm more interested in security matters like how you store the coins and what my options are if you disappear tomorrow.

[aq]

6 character passwords have a huge benefit: when a user forgets his password it can be computed from the hash within a few seconds.
<sarcasm off>
Frankly I stopped reading this thread at this point - it seems that these days even hobby sites are more secure than some financial sites.

[DutchBrat]

Im no security expert so I will leave the password hashing/salting/cracking to others

I do however have some questions about the finance side of your business: the counterparty risk

In the absence of a central clearer, the margin system you are proposing seems to skew the risk of the options contract to the buyer instead of the writer of the options....

as is stated on the website, margin calls will go out to writers of the options if the initial margin isn't high enough to cover the outstanding amount owed. This is completely natural, but there is NO way for you to enforce people to actually post more collateral, hence you state that in the event the writer of the options fail to post more collateral, you will close the options and payout to the holder, ie buyer

This basically means that a seller of the options can choose to default and never be on the hook for more than his initial margin, while the holder of the option is left holding the bag: counterparty risk

for example: someone sells me a call, strikeprice 6, maturity 2 weeks. He has to put up 15% margin, 0.90 $
Now the price of btc shoots up overnight to $8 (stranger things have happened) the seller has to put up at least $1.10 more as collateral, and probably much more as the volatility spiked. He now thinks to himself, this could cost me more money than I expected and declines to post the collateral. You have no way to enforce him to pay up, so you settle the option with the amount of money that was put in as the initial margin, $0.90

I now am left with a much smaller profit than I expected and have no more exposure to btc, which will cost me now more premium to get back on as the volatility has risen as a result of the price jump

That is why regulated derivatives have central clearing houses and OTC markets see their particpants in heated discussions at the end of the business day to agree on the amount of collateral that needs to be posted

edit: such a nightmare to try and post something in this forum from my Samsung Tab !!! 

[lemonz]

Why would anyone want to crack the passwords if they've got the database?

Seriously?  To log into the accounts and withdraw the funds ($ and Bitcoin) from the users.  

I think the link that you're probably missing is that passwords are (or should be!) stored in the database after being hashed by a one way algorithm, not in plain text.  This means that by just having a copy of the database, one couldn't log into a users account.  You would have to start using the same hashing algorithm that was used to create the hash, and start hashing random strings, until you find a hash that matches one from the database.  For each match that you find, you can gain access to a user's account.

[Fireball]

Hey BitcoinOPX.


How does your marginal system works? How can one be sure that the other party actually pays, and that BitcoinOPX doesn't go default?

I had to spend significant amount of time in discussions and getting advice from people with finance educational background to figure out how to build one for the ICBIT futures market.

I wonder how you solve this problem.

[DutchBrat]

Hey BitcoinOPX.


How does your marginal system works? How can one be sure that the other party actually pays, and that BitcoinOPX doesn't go default?

I had to spend significant amount of time in discussions and getting advice from people with finance educational background to figure out how to build one for the ICBIT futures market.

I wonder how you solve this problem.

As they state on their website: if one defaults on a margin call the option position is closed and the holder of the option is being compensated with the amount of collateral that was posted... so the counterparty risk is not on BitcoinOPX but on the buyer of the option (or at least that is how I read it), see my earlier post

[memvola]

Seriously?  To log into the accounts and withdraw the funds ($ and Bitcoin) from the users.  

Ah, I was mostly focused on the "passwords are now in the open and they might get cracked in the future" scenario. I don't think it is realistic to assume that 9 character fully random passwords can be brute-forced in a practical amount of time, with the assumption that they are properly stored (bcrypt, PBKDF2, etc.), though I don't think salting is actually necessary. If they aren't properly hashed, then there is still no sense in debating password length. I'm not vouching for the service or anything, it's just that 9 random characters instead of user-supplied passwords is not a bad idea by itself, which seems to be the main reason you feel the site is insecure. We can move the debate elsewhere though, all this is probably off-topic.

[Zoomer]

The example uses 1000 coins but BitcoinOPX allows creating options of sizes 10 or 100 as well. The 7% return would apply in any case. I'm happy to answer any questions.

107% return per month results in 225% ROI per year.

My 3x7970 rig already does better at 241% ROI per year after cost and depreciation if the exchange rate stays constant.

Actually this is not the best option for me. A 5970 setup would result in ~300% ROI for me. I didn't choose this as I was hedging against the risk of reward halving making HD5xxx worth little to nothing.

Your miners are irrelevant; the ROI he is talking about will be in addition.

The only thing you give up is the increase in value if the price rises to more than the strike price. Else, it's just free money.

Essentially, you are selling your promise to sell a certain number of bitcoins at a certain price. Say, 10 coins at $6. The person you are selling your promise to can choose to call you up at anytime until the expiration date of your promise with the $60 and you'll have to sell 6 coins to her at the $60, regardless if it's $2 or $10 at mtgox at that time.

Of course, she'll not call unless mtgox is more than $6.

It wouldn't be a bad idea to get a copy of the Characteristics and Risks of Standardized Options. It is free and would give a good outline of how options in general works, and the upsides/risks involved.

[dreamwatcher]

Seriously?  To log into the accounts and withdraw the funds ($ and Bitcoin) from the users.  

Ah, I was mostly focused on the "passwords are now in the open and they might get cracked in the future" scenario. I don't think it is realistic to assume that 9 character fully random passwords can be brute-forced in a practical amount of time, with the assumption that they are properly stored (bcrypt, PBKDF2, etc.), though I don't think salting is actually necessary. If they aren't properly hashed, then there is still no sense in debating password length. I'm not vouching for the service or anything, it's just that 9 random characters instead of user-supplied passwords is not a bad idea by itself, which seems to be the main reason you feel the site is insecure. We can move the debate elsewhere though, all this is probably off-topic.

9 characters is NOTHING, in past ventures with only a couple of Nvidia GPU, one was able to brute force WPA2 encrypted handshakes with 10 character pass phrases in about 36 hours only doing passwords in the Kilos per second range.

My current mining rig can do about 3 Billion SHA256 hashes per second.

People really need to stop taking the "Hacking" they see on TV as the way it is. (Two hackers do not use the same keyboard to try and counteract a hack..LMAO)

No hacker is brute forcing the front end of a web site (7 tries is in reality kind of loose, most high security systems lock out after three, requiring contact with a systems administrator to reinstate.)

Most successful hacks are in the form of social engineering (Easier to have the owner/user hand you the keys than to pick the lock).

After that, most breaches are a result of exploiting un-patched software, finding a 0 day exploit or even something as simple as default user/password combos not being changed.

Once one has access to your server, it is just a matter of coping over what they want, and break the encryption on the database, file , etc ... locally with their multi-GH system.

[memvola]

9 characters is NOTHING, in past ventures with only a couple of Nvidia GPU, one was about to brute force WPA2 encrypted handshakes with 10 character pass phrases in about 36 hours only doing passwords in the Kilos per second range.

My current mining rig can do about 3 Billion SHA256 hashes per second.

That's why hash functions better fit for this purpose exist. (EDIT: Hmm, apparently WPA uses PBKDF2, but then again how on earth are you able to brute force 10 character random strings is beyond me.)

Most successful hacks are in the form of social engineering (Easier to have the owner/user hand you the keys than to pick the lock).

After that, most breaches are a result of exploiting un-patched software, finding a 0 day exploit or even something as simple as default user/password combos not being changed.

Once one has access to your server, it is just a matter of coping over what they want

+1

[dreamwatcher]

That's why hash functions better fit for this purpose exist. (EDIT: Hmm, apparently WPA uses PBKDF2, but then again how on earth are you able to brute force 10 character random strings is beyond me.)

Old fashioned brute force. 000000000,000000001,0000000002,0000000003..........etc......etc (well actually one assumes that the the system is using at least a 8 characters so you generally start from there, also many people use the default passwords on their ISP routers. They are random but always the same length.)

Remember, one is preforming it locally with a captured handshake sequence, so there is no network traffic or logging going on.

I remember attending a conference at a network security company recently (for the ethical hacking class I took last semester), that pointed out websites that advertise their password requirements help the hackers out, now they have parameters and do not have to use the whole range of combinations to brute force.

In fact, 7 character password you say, you just knocked the the time down to crack stolen account data exponentially, because the hacker knows the exact length of the password and only has to locally brute force that range.

[Vladimir]

Code:

#!/usr/bin/perl
use common::sense ;
use Digest;
use Data::SimplePassword;

my $user = 'username' ;
my $password = 'cleartext';

# $salt must be exactly 16 octets long
my $salt = Data::SimplePassword->new->make_password(16) ;

# $cost is an integer between 1 and 31, $hash will be 31 b64 symbols
my $hash = Digest->new('Bcrypt')->cost(15)->salt($salt)->add($password)->b64digest;

say "$user $salt $hash" ;

Here this is how you hash passwords, once and for all people, just pass username and password, calculate hash, then either store username, salt and hash in db when creating the user or changing the password, or check against the database to do auth. Just wrap it into a function or a class and you are golden.

Want to be even more cool? Make user's browser to calculate SHA256 in browser (i.e. client side javascript) then pass it to you instead of cleartext and your servers will never even see the cleartext password in the first place (but still do hashing as above, of course).

Stop pulling linkedin thing FFS!

The above code is hereby released into public domain.

THIS SOFTWARE IS PROVIDED BY THE ME "AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE I BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

[memvola]

Old fashioned brute force. 000000000,000000001,0000000002,0000000003..........etc......etc (well actually one assumes that the the system is using at least a 8 characters so you generally start from there, also many people use the default passwords on their ISP routers. They are random but always the same length.)

Remember, one is preforming it locally with a captured handshake sequence, so there is no network traffic or logging going on.

Well, at cost 10 (compare to Vladimir's 15, which is a lot harder), my PC bcrypt's around 12 passwords per second. Assuming 92 symbols, you have slightly higher than 58 bits of entropy at length 9. So you'd need something 300 billion times more powerful than my PC to scan the complete range in 36 hours. Even with application specific hardware that would be impractical. Of course this assumes that the passwords are "truly" random.