
Hi HN,

I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm only 17.

Please try it out. (I can pay $1 for you if you're not willing/able to deposit, email me at info@bitcoinica.com. :-D ) You can leave any suggestions, comments, bug reports and feature requests here. I'll look through every single comment. Thanks!




Without meaning to put a damper on your technical work, you should keep in mind a few things:

-- systems that work with money are attacked hard and often, by intelligent skilled people

-- in fact some of the people who attack your system are likely to be both more skilled and more intelligent than you are

-- systems that work with money that fail, fail spectacularly ("What do you mean someone withdrew $8 million last night?")

-- banking websites, Paypal, etc. are all like icebergs - you don't see 9/10ths of the things they've done to prevent spectacular failure

-- spectacular failure is your destiny if you don't work very hard to prevent it

-- spectacular failure may be your destiny even if you do work very hard to prevent it

You should plan accordingly.


Thank you for your feedback!

Yes, I have to admit that during testing, I have spotted several errors and these may cause financial losses. Because of this, I have even deleted some features which many people consider useful (such as BTC deposit/withdrawal).

Security is a key concern for a financial system. I totally agree with your point.

The Bitcoin market is filled with exactly such highly intelligent people. I will definitely pay attention to every single detail.

(If you see any bugs please email me. I will definitely appreciate that!)


Doing your best probably isn't enough. To have any hope you'll have to hire expensive security people and buy lots of insurance.

All you need in order to be exploited is to be using software with 0day exploits. Many known exploits are not public. In a very real sense, you are only protected to the extent that you are a small target.

As the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%. Software really is THAT insecure and bitcoin thefts are not prosecuted making it basically risk-free to steal bitcoins.


I've worked on financial systems before. As others have stated, if you're dealing with real money, then you have a big bullseye painted on your forehead, and you need to make sure that your system is hardened.

I don't know if you're already doing these things, but I'll just throw them out there and let you ignore them if you do.

Make sure you understand attack vectors and protect against them. XSS, SQL Injection, man-in-the-middle, etc. Make sure your passwords are salted and hashed.

Auditing. Can't emphasize this enough. Things will go wrong, and when they do, you need to be able to tell when, where, and why. In our case, we had shadow tables in our database where we logged changes, and then consolidated and exported that data into an auditing system. We could confirm that a user made X change at Y time from Z IP address.

Also, a bit of a newbie mistake that I see from time to time. Don't use double or float with money.
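Added example (my own code, not Bitcoinica's and not the commenter's) putting the two points above together: amounts are kept as Integers in the smallest unit instead of floats, and every balance change is written to an audit log that records user, time, source IP and reason, the way the shadow tables described above do. The Ledger class, its method names and the sample entries are all my construction.

```ruby
# Added example, not Bitcoinica's code: amounts live as Integers in the smallest
# unit (cents, or satoshi for BTC), and every balance change is written to an
# audit log with who / when / from-where / why, like the shadow tables above.
require 'bigdecimal'

SATOSHI_PER_BTC = 100_000_000

# Plain double arithmetic: ten deposits of 0.1 BTC do not add up to 1.0 BTC.
def float_sum_of_tenths
  Array.new(10, 0.1).inject(0.0) { |acc, x| acc + x }   # 0.9999999999999999
end

# Convert a decimal BTC string to integer satoshi without passing through Float.
def btc_to_satoshi(str)
  (BigDecimal(str) * SATOSHI_PER_BTC).to_i
end

class Ledger
  AuditEntry = Struct.new(:user, :delta, :balance_after, :time, :ip, :reason)

  attr_reader :audit

  def initialize
    @balances = Hash.new(0)  # user => balance in smallest unit
    @audit = []
  end

  def balance(user)
    @balances[user]
  end

  # Apply a signed change, refusing overdrafts and non-integer amounts, and
  # record enough context to answer "user X made change Y at time Z from IP W".
  def post(user, delta, ip:, reason:, time: Time.now.utc)
    raise ArgumentError, 'amount must be an Integer in the smallest unit' unless delta.is_a?(Integer)
    new_balance = @balances[user] + delta
    raise ArgumentError, 'insufficient funds' if new_balance.negative?
    @balances[user] = new_balance
    @audit << AuditEntry.new(user, delta, new_balance, time, ip, reason)
    new_balance
  end

  # Auditor's check: replaying the log must reproduce every recorded balance.
  def consistent?
    replay = Hash.new(0)
    @audit.each do |e|
      replay[e.user] += e.delta
      return false unless replay[e.user] == e.balance_after
    end
    replay == @balances
  end
end
```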


>Make sure your passwords are salted and hashed.

Better, use bcrypt:

http://codahale.com/how-to-safely-store-a-password/

Or if you really want to go pro, use Colin Percival's scrypt:

http://www.tarsnap.com/scrypt.html


I have already been using salted BCrypt since day one. I know how important security is.


If you're not already, use Devise.

https://github.com/plataformatec/devise

It's ballin'. Bcrypt by default, too.


Devise has too many features that I don't really need. I followed Ryan Bates's advice - use the nifty:authentication generator.


You can choose which features you use. For instance, I've never used the single sign on/access token functionality. The reset password, account lockouts, etc. are awesome.


Salting is unnecessary.
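The reason this holds for bcrypt (mentioned a few comments up) is that the string bcrypt returns already carries a random per-password salt alongside the cost and digest, so there is nothing separate to generate or store. The added example below is my own code, not from the thread or any project: it shows the same self-describing shape using PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for bcrypt (the bcrypt gem is not part of stdlib), with a `$pbkdf2-sha256$...` layout that is my own invention.

```ruby
# Added example, not Bitcoinica's code. The stored string carries scheme,
# cost, random salt and digest, exactly the property that makes a separate
# "salt" column unnecessary with bcrypt. PBKDF2-HMAC-SHA256 from the Ruby
# standard library stands in for bcrypt here; the format is mine, not a standard.
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000  # cost parameter; raise it as hardware gets faster

def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)  # fresh per password, never reused
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, OpenSSL::Digest.new('SHA256'))
  ['', 'pbkdf2-sha256', iterations, [salt].pack('m0'), [digest].pack('m0')].join('$')
end

# Constant-time comparison so a wrong guess does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Everything needed to verify is parsed back out of the stored string itself.
def verify_password(password, stored)
  _, scheme, iterations, salt_b64, digest_b64 = stored.split('$')
  return false unless scheme == 'pbkdf2-sha256' && iterations.to_i.positive? && salt_b64 && digest_b64
  salt = salt_b64.unpack1('m0')
  expected = digest_b64.unpack1('m0')
  actual = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, expected.bytesize, OpenSSL::Digest.new('SHA256'))
  secure_equal?(actual, expected)
end
```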


Don't forget CSRF, and don't do destructive actions via GETs.


Most actions are RESTful, and CSRF is Rails' default.


> I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm only 17.

You're 17 and you've already created something like this? I see a very bright future ahead of you :) Well done, great work!


This is true, I expect him (or her?) to go far!

Unfortunately, seeing his age put me off depositing money into the account I just created. When dealing with my money, I want a team of people with a lot of experience in security and dealing with problems under pressure. He may have this, but at 17 it's unlikely. My quick evaluation may be unfair, but I'm unwilling to take that chance with money, especially after MtGox showed us all what kind of problems could occur if not enough work is put into preventing potential problems.

So, at least for now, I'll pass. Having said that, the site looks great and I wish the creator the best of luck and lots of success!


When I first decided to disclose my age, I considered this problem. Actually, this is a psychological paradox: proving myself honest doesn't always make me more trustworthy.

It's just like the warranty of your gadgets. Getting a wonderful repair service may make you feel better than having no problem at all.

I have no problems with this kind of thinking. It really doesn't matter to me. I'll prove my competency with time.

Your judgement is actually fair. Thanks for that!


To be honest, your age isn't a problem, because the average above-average developer is still not competent to write this sort of software. If you had been doing security and financial software since birth, I might consider putting a bit of trust in the kitty to start.

I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people. There's also very nontrivial odds of being on the wrong end of armed Federal agents, based on some of the other comments you've made here. This is a horrible, horrible first-project sort of project.

Let me put it this way: Would you be willing to convert the Bitcoins in your system into cash, put it in your front window, and post daily pictures of the pile of cash to your Facebook account, set to public visibility? Because that's roughly what you're doing.


Sadly, I have to agree with this.

You're very smart, zhoutong, and your eager and polite acceptance of feedback does you great credit. But I would not attempt what you're doing, and I know a fair amount about both trading infrastructure and security.

And though your site is very impressive, I immediately spot a major omission: you say nothing about your margin call policy. Do you have one? What will you do when one of your users' accounts goes to zero, and then negative?


Yes, we do. I admit that I didn't make it visible on the site itself. But the system checks every single user every 5 seconds.

We have two metrics: net value and minimum net value. When NV < MNV, all positions are immediately liquidated. When NV < 2MNV, a warning is visible on the trading panel. (Future feature: margin call email)

These metrics are completely transparent, showing in different colors to represent health status. Once you give it a try you will know.
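The liquidation rule stated in the reply above, written out as an added example (my own code, not Bitcoinica's). The page does not say how net value or minimum net value are computed, so the definitions used here are assumptions: NV is USD balance plus unrealized P&L at the current mark price, MNV is a 10% maintenance margin on open notional, and the MarginAccount class and its method names are mine.

```ruby
# Added example, not Bitcoinica's code: the rule stated in the reply above,
# liquidate when NV < MNV and warn when NV < 2*MNV. The page does not say how
# NV and MNV are computed, so these definitions are my assumptions:
#   NV  = USD balance + unrealized P&L of open positions at the current mark
#   MNV = MAINTENANCE_MARGIN * notional of open positions at the current mark
# Pass prices and sizes as Integers or Strings so BigDecimal stays exact.
require 'bigdecimal'
Position = Struct.new(:side, :btc, :entry_price)  # side is :long or :short

class MarginAccount
  MAINTENANCE_MARGIN = BigDecimal('0.1')  # assumed 10%
  attr_reader :balance, :positions

  def initialize(balance_usd)
    @balance = BigDecimal(balance_usd)
    @positions = []
  end

  def open(side, btc, entry_price)
    @positions << Position.new(side, BigDecimal(btc), BigDecimal(entry_price))
  end

  def net_value(mark)
    mark = BigDecimal(mark)
    @positions.inject(@balance) do |nv, p|
      pnl = (mark - p.entry_price) * p.btc
      nv + (p.side == :long ? pnl : -pnl)
    end
  end

  def minimum_net_value(mark)
    notional = @positions.inject(BigDecimal('0')) { |sum, p| sum + p.btc * BigDecimal(mark) }
    notional * MAINTENANCE_MARGIN
  end

  # What the 5-second sweep decides for this account at the current mark price.
  def status(mark)
    nv, mnv = net_value(mark), minimum_net_value(mark)
    return :liquidate if nv < mnv
    nv < 2 * mnv ? :warning : :ok
  end

  # Close everything at the mark; a gap through the liquidation level leaves a
  # negative balance, which is the shortfall the question above is asking about.
  def liquidate!(mark)
    @balance = net_value(mark)
    @positions.clear
    @balance
  end
end
```

With $200 of balance against $1000 of notional, the account goes to warning below a mark of $100 and is liquidated below about $88.89; a gap straight to $70 leaves the balance at -$100.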


Agreed. They are great to build things, but money is like playing with fire. It is not a good idea to have this as your first project.


It's not so much about proving yourself honest as proving yourself competent and skilled enough to deal with potentially disastrous (read: bankrupting) problems. If this site didn't deal with money (and potentially a LOT of money), my attitude would be very positive. The site looks very slick and well made.

It's also not really about your age either - but age is a simple indicator of experience, even if inaccurate.

I like your attitude though and wish you all the best.


I started my first startup when I was 17 (13 years ago, damn).

The problem I had then, and that you have here too, is that legally you're a minor and can't sign contracts.

EDIT: I noticed from your resume that you are based in Singapore - I don't know what the rules are for age of majority and similar issues... the advice below is from a US and UK law perspective given that is the more common location for people on HN. I also notice you seem to be incorporated already (which you wouldn't legally be able to do in US at 17).

Aside from the technical issues of 'spectacular failure' you might want to consider the consequences of being sued if something did go wrong. As a minor, it's probably your parents that are liable - you owe it to your parents and to your customers/users to be aware of this.

Normally for something like this you would set up an LLC to protect yourself (as they have limited liability, as the name suggests). Perhaps your parents can set you up an LLC and transfer ownership when you turn 18?


Thank you for your encouragement! Wish you good luck in your careers too!


Have you considered these aspects:

Issue #1: Singapore MOM (Ministry of Manpower). Although your company is in Delaware, you are running a business operation in Singapore, for which I'm sure you don't have a work permit, as you are in Singapore as a student.

Issue #2: Singapore MAS (Monetary Authority of Singapore). I'm willing to bet these guys would want to get clarifications about what you are doing. You are running what could fit either the Security Exchange category or the Gambling Establishment category. I assume you are not registered for either of them.

Issue #3: Citibank Singapore. You are receiving business payments into your personal bank account at Citibank in Singapore. Again, I'm willing to bet somewhere on the Terms & Conditions you signed when you opened your account, it says you cannot use the account for business.

Note that in Singapore, failing to solve any of the 3 issues could result in:
#1 - Your student visa being revoked
#2 - Legal prosecution

I'm surprised that you, having lived in Singapore, don't know how strict the Singapore government would be about something like this. I can tell that you are technically gifted, but I think your 2 'adult partners' really ought to have informed you about these issues.


Great use of Twitter Bootstrap!


Reduce the attack surface area. The less features the more secure. Since you are already RESTful, isolate the nice-to-have functionality from the main application.


Why don't you allow withdrawing bitcoins?

Isn't bitcoin built because it's easy to make transactions? Why can withdrawal be done only through mtgox redeemable codes in US dollars?


The problem lies in margin accounts. If you use any Forex brokerage platform to trade Euro, for example, you won't get the actual Euro anyway. What you get is still US Dollars when you close your positions.

Of course, it's easier to withdraw in BTC. But it isn't too difficult to redeem in Mt. Gox and buy Bitcoins as well.

I'll try to see if BTC withdrawal is useful. But by any means, Bitcoinica is designed for trading (both investing and speculating), and the accounting currency is always USD. This makes margin trading, short selling and all kinds of complex orders possible.


I don't want to use mt.gox, I moved all my money out of them because the way they treated me and other customers, blocking my account and my money for a lot of time; that's why I'm searching for an alternative exchange.


I think only alternative is tradehill, and their interface/features suck.


There is another in closed beta; I can't remember the name because I keep missing their enrollment windows. But when I get to my email account I can post it here.


http://ruxum.com (also http://campbx.com). Fwiw, I've seen one or two posts over on reddit.com/r/bitcoin offering invite codes to Ruxum in the past few weeks.


I run intersango.com.

We have a solid platform that is rapidly advancing. Sign up and give it a try.


Hi, does it support PayPal?


Since PayPal is reversible, we don't support it currently.

However, there's something that comes to my attention: do fraudsters have any incentive to deposit money fraudulently on a trading platform? What if I limit the account's withdrawal feature for 30 days?


Yes. See my earlier post; spiking up BTC prices is even more profitable if you can actually do it for free.


Oh, I see. Now I realize that the Bitcoin market is so different from the Forex market. You can easily find a Forex broker who supports PayPal.



