
Flexcoin is shutting down - stirno
http://flexcoin.com
======
mpclark
As somebody who has been closely watching NFC for years, I find this side of
the Bitcoin business interesting.

People moan that NFC has been "just around the corner" for the best part of a
decade, and some even think that it has missed its opportunity (it hasn't,
btw), because it has taken so long to bring to market. This is largely because
of the in-built security, and the demands it places on participants' business
models.

These Bitcoin exchanges and other service providers, on the other hand, seem
to have been put together with great haste. They seem to have little-to-no
oversight, a high risk profile, untested systems, not much institutional
experience -- and there's no safety net for customers.

It illustrates why the "old" financial services industry is so cautious when
it comes to electronic money. "Move fast and break things" may work for all
sorts of businesses, but it's not a good mantra if you're handling money.

~~~
astrodust
New mantra: "Move fast, break things, and lose hundreds of millions of dollars
by being reckless."

~~~
Kenji
Correction: New mantra: "Move fast, break things, and lose hundreds of
millions of _other people's_ dollars by being reckless."

------
oddshocks
Their ironic last tweet before shutting down:
[https://twitter.com/flexcoin/status/438355933777756160](https://twitter.com/flexcoin/status/438355933777756160)

~~~
rglover
If they really were hacked, this was the catalyst for it happening.

PSA: Don't peacock.

~~~
phaed
Yep, this was pretty much a dare to hackers everywhere.

------
uptown
Nice of them to link to their terms of service. The relevant section being:

"We have taken every precaution to defend your bitcoins from hackers and/or
intruders. However, Flexcoin Inc is not responsible for insuring any bitcoins
stored in the Flexcoin system. You are entering into this agreement with
Flexcoin Inc. You agree to not hold Flexcoin Inc, or Flexcoin Inc's
stakeholders, or Flexcoin Inc's shareholders liable for any lost bitcoins."

~~~
lanoozi
Is something like this a legal ToS in the US?

Also, one can argue that if they had truly taken every precaution then either
intruders would not be able to break in or they are prepared for such a
scenario. Evidently, neither was the case.

In other industries standards and "recommendations" exist to state a set of
measures companies have to set up in order to be "secure".

~~~
aroch
Yes, just like a non-FDIC insured bank can tell you 'too bad, too sad' if
they're robbed and your money was stolen. Unless you're specifically insured
against loss, banks aren't obliged to give you money lost due to robbery
unless you somehow prove the robbery was the result of, say, gross
negligence.

~~~
jamesaguilar
> Yes, just like a non-FDIC insured bank

Are there such things? In practice, are they a significant portion of the
banking market?

~~~
dragonwriter
Yes, some state (rather than federal) banks are not FDIC insured. (Also,
credit unions are a lot like banks and are not FDIC insured, but most of them
are CUA insured, which is functionally the same thing.)

------
wil421
Bitcoin seems way too prone to being stolen or exploited for me to ever take
it seriously. I don't have the same problems with exchanging real money,
investing real money, and withdrawing real money.

~~~
JulianMorrison
I think coders just haven't got it through their head yet that _BTC is cash_.
You do not keep more than an operating float of cash behind the counter. You
keep it in the vault. And if that makes large cash transactions have to run
asynchronously, well, too bad.

All of these companies have been operating as if keeping heaping wads of cash
behind the counter was fine, merely because it was convenient.

~~~
acdha
> You do not keep more than an operating float of cash behind the counter. You
> keep it in the vault.

You're still making a fundamentally invalid comparison: with cash, your
security threats are still limited to people who are nearby and have both the
time and means to move large amounts of currency. Bitcoin allows anyone in the
world to steal amounts which would require a large team with dump-trucks in
the real world even if the bank completely screwed up their security design.

~~~
Consultant32452
One million dollars in $100 bills is 10,000 bills. A bill is 0.010922 cm in
thickness. That would be 109.2 cm. That would be a stack of bills just over 3
1/2 feet high if you made a single stack. You could probably fit a million
bucks in a decent sized briefcase and could definitely fit it inside a duffle
bag. It doesn't take dump-trucks to steal a million bucks.

~~~
acdha
In addition to what petit_robert pointed out about the Mt. Gox theft being
orders of magnitude larger, you're assuming the densest available US currency
and that it's conveniently pre-packaged for easy shipment.

What we're actually talking about, however, is like being able to teleport
into a bank anywhere in the world, wave a magic wand which converts everything
on the premises into tightly packaged $100 bills, and teleporting back out of
the country. In the real world, running out the door with a bunch of duffel
bags and people shouting tends to attract a lot of attention and make escape a
lot harder than closing a network connection.

~~~
Consultant32452
I fail to see how 99% of USD, which are just records in a database, is
different than bitcoins in that regard then. The failure I would argue is in
the original analogy of taking physical money to begin with.

~~~
shalmanese
Because electronic money transactions are reversible. If you can convince the
right people that a transaction was illegitimate, it can be reversed and you
can be made whole.

------
bitJericho
This doesn't happen with regular cash because banks usually take this loss and
pass it onto their customers as fees. The exchanges that have closed operate
too unintelligently to be able to survive an attack. Almost 900 bitcoins in
hot storage? That's almost 500,000 dollars being left in the open. It's like a
bank keeping 500,000 dollars in a vault with no lock, no security, and no
laws... With p2p coins, hot storage should be just enough for the day's
operations and no more. Overdrew for the day? Make the customers wait, it's
worth it for the safety.

~~~
slaxman
Bitcoin n00b here.

What exactly is a hot wallet/storage?

~~~
patio11
In the real financial world, matching and settlement occur asynchronously from
each other, on different systems. Matching is "X tried to buy Y at Z, Q tried
to sell Y at Z, their orders match." Settlement is physically delivering Y to
X while physically debiting Z from Q.

Bitcoin developers haven't quite cottoned onto the wisdom of separating these
functions architecturally. (One of many advantages is "If your matching system
is compromised, you shut it down and investigate, but no money actually
leaves. The settlement system is in your back office and much more protected
than the matching system, because the settlement system doesn't have to talk
to customers directly.")

Bitcoin developers instead have developed a security pattern called hot
wallet/cold wallet, where BTC which are available to the system are "hot" and
BTC which are not available to the system are "cold." The idea is that, in any
given day, you might only require 2% or so of your company's total reserves to
go in or out. You keep the private keys to, say, 5% of it on the live system.
That's your hot wallet. You keep the private keys to the remaining 95%
somewhere else. That's your cold wallet. Even if your live system is rooted,
you should not (the thinking goes) lose the private keys to the cold wallet.

The Bitcoin community widely believes that this pattern is sufficient to
prevent events like the recent Mt. Gox debacle, where the system was
compromised and both the hot wallet and cold wallet were drained.

~~~
minimax
_Bitcoin developers haven't quite cottoned onto the wisdom of separating
these functions architecturally._

I'm not sure this is true. Any off blockchain transaction is basically an
unsettled (and therefore reversible) bitcoin transaction. So for example,
trades on bitcoin exchanges and payments between web wallets will have
separate and distinct settlement phases. Generally bitcoin enthusiasts gloss
over this though, because they don't like the idea of reversible transactions.

The current maximum transaction rate for the bitcoin networks is something
like seven transactions per second. So either they'll have to figure out how
to increase that or move to a more conventional clearing and settlement system
if bitcoin-as-a-payment-network ever takes off in real size.

~~~
thomasz
> The current maximum transaction rate for the bitcoin networks is something
> like seven transactions per second

What? I'm not entirely sure that I understand this correctly: Do you say that
the whole bitcoin network, with all that computing power, can't compute more
than _7 transactions_ per second?

~~~
gwern
The limit here is one of design: each block is currently limited to X MB, each
transaction takes Y bytes, and each block is designed to happen every Z
minutes; for Bitcoin's current values of 1MB (expected to be raised at some
point if the size becomes a limit), something like 1k, and 10 minutes, that
works out to 7 transactions per second.

Altcoins which have chosen blocktimes of say 1 minute will be able to do more
transactions per second, and ones which lift the 1MB cap likewise.

------
jordigh
One thing I don't get is... why is everyone storing their bitcoins in someone
else's house? Why not store them yourself? To own bitcoins is to own a
cryptographic private key. Why is everyone trusting someone else with the
ownership of these keys?

~~~
skwirl
Probably for the same reason most people don't store cash under their mattress
and store it in a bank instead.

Of course, storing Bitcoins on your laptop is even more risky than storing
cash under your mattress. Someone has to physically enter my house to steal
the cash, but to steal my bitcoins? All they need is a virus, spyware, out of
date OS, out of date router firmware, out of date NAS firmware, a zero day
exploit, etc. and they can drain me of my coins from anywhere in the world.

Then of course there is the risk of simply losing the coins. An accidental
deletion. A hard drive failure. Losing a laptop or having it stolen. You have
to back everything up, you have to back it up offsite, and you have to trust
the offsite backup. You have to keep your machines securely locked down.

All of this requires the user to be quite tech savvy. This will never change
for storing coins locally... so if Bitcoin is going to be the "currency of the
future" to be used by the masses then secure banks and exchanges have to be a
thing. They also have to be a thing for lending and investing, anyway.

~~~
walden42
I keep mine in a brain wallet. I can lose my house and my bank account, but my
coins will always be in my head (and anyone else's head I share it with).
That's something to think about.

~~~
jordigh
Yeah, like an electrum seed?

~~~
walden42
Yep.

------
ibmthrowaway218
Existing discussion (with 111 comments):

[https://news.ycombinator.com/item?id=7339313](https://news.ycombinator.com/item?id=7339313)

------
luka-birsa
What I find interesting is that BTC market does not care about Flexcoin
shutting down - prices continue to soar to USD 700 after the MtGox induced
drop to ~ USD 500.

For me this actually shows promise of real market stability in the long run.
Imagine what would happen if a real bank failed in a normal country. Or imagine
what would happen to USD if the largest world bank would fail (destroying 12%
of worldwide supply of USD) and nobody would bail them out? Would the drop be
worse than 10-20%?

~~~
gwern
As makes sense. I follow Bitcoin news, and I hadn't even heard of Flexcoin or
this other Poloniex.

------
Ethan_Mick
I'm more and more convinced the only safe way to keep your bitcoins is on your
own computer. I have 1 BTC, and it's currently hanging out in my hard drive,
with a wallet backup on another hard drive. I suddenly feel much safer.

~~~
gpcz
When you say your 1 BTC is on your hard drive, do you mean it's on the hard
drive of a running Internet-connected computer? If so, how do you address the
threat of malware that searches for wallet files?

------
antihero
I was wondering when people would start to realise how easy a target all these
sites that store BTC would be. I mean, I trust the banks with my money because
they are legally liable for it. Some random website, where you can't audit the
code and there's no real legal process for recovery of assets? Yeah that's a
great system.

The whole point of state-backed currency is to provide stability and make it
so there's money you can trust - not some wild west cross-your-fingers system.
Yes, countries have failed (e.g. hyperinflation), but at least there are
extremely powerful institutions in place whose remit is to prevent that at all
cost.

~~~
ilamont
This is what the Mt. Gox website said on its front page until last week:

 _You can quickly and securely trade bitcoins with other people around the
world with your local currency!_

Sadly, I think many people trust such marketing claims, partially because they
_assume_ the people behind the site know what they are doing, they _assume_
the laws of a developed host economy like Japan are strong enough to prevent
companies from making false claims (even while the market itself is
unregulated), and, most importantly, _they want to believe it will benefit
them_.

------
platelets
If you have money to piss away then buy some Bitcoins. I'm waiting for an
awesome infographic on the amount of money stolen and the likelihood of your
bitcoins being stolen.

~~~
JohnTHaller
There are 12.4 million bitcoins in existence right now. 750,000 were stolen
in the mtgox heist. 174,000 were confiscated by the government from Silk Road
and its owner. So, just from these 2 incidents, 7.5% of the bitcoins in
existence have either been stolen or seized by the US government. Considering
the regular occurrences of thefts from both exchanges and from malware
stealing it from people's computers, the percentage is likely much higher.

~~~
eterm
Don't forget all the coins held by the cryptolocker virus writers.

Much of bitcoin is underwritten by illegal activity.

------
brianbreslin
So here is what I've learned in dealing with crypto: most of this stuff is NOT
written by security experts, the level of code out there is not expertly
developed. Lots of this stuff is written by patching together random stuff, or
hastily built. This won't be the last robbery story we see for a while. If btc
wants to be taken seriously they need to create security standards.

------
billyhoffman
These are very young companies, working with a good that has huge price
volatility, resulting in them holding vast amounts of wealth. Ignoring the
social, political, and economic debates around bitcoin, these companies have
enormous risk and are high profile targets, and have varying ability to
protect themselves. All this leads to uncertainty.

So then why don't these Bitcoin companies embrace ridiculous amounts of
information disclosure and transparency?

Don't tell me you "take every precaution." Detail what precautions you are
taking. Name an external pentesting firm that tests your infrastructure
quarterly. Post their findings a few months after you have addressed the issues.
Open Source everything that you can. Offer bug bounties paid in BTC for
security issues discovered. Discuss, in detail, your hot/cold wallet storage
setup. Do offensive analysis to determine the most likely attack scenarios,
and publish them, along with the layer defense you have put in place to
mitigate the risk.

------
thrillgore
Why haven't the major bitcoin banks/exchanges banded together and made a set
of standards, akin to PCI-DSS to define security standards and implementations
for these services? You would think that everyone would do it after MtGox
sank. This is starting to leave bad joke territory and I hope it doesn't
happen to Coinbase.

~~~
gnaritas
It can't happen to Coinbase, they're doing it right with 98% of funds in cold
storage[1] and they allowed an outside security audit to prove it.

[1] [http://antonopoulos.com/2014/02/25/coinbase-review/](http://antonopoulos.com/2014/02/25/coinbase-review/)

~~~
Aqueous
I'm hoping for an actually independent security audit, because Antonopoulos,
despite competing with CoinBase, has a stake in the entire nascent system
being considered trustworthy, and therefore a conflict of interest. I'm not
saying he wasn't telling the truth - I believe what he says about verifying
that CoinBase was in control of its cold storage wallets - but I'm hoping that
independent banking authorities can learn enough about BitCoin to conduct
independent audits themselves, so that people who have no skin in the game can
truly verify that CoinBase's cold storage procedures are adequate.

------
junto
Guardian has an article on this as well:
[http://www.theguardian.com/technology/2014/mar/04/bitcoin-ba...](http://www.theguardian.com/technology/2014/mar/04/bitcoin-bank-flexcoin-closes-after-hack-attack)

------
gtirloni
Bitcoin is money. The vast knowledge of handling money is within the financial
industry. The Bitcoin crowd do not trust the financial industry, they fight
them man. The Bitcoin crowd pays to learn the hard way. News at 11.

------
goldenkey
And another one bites the dust (due to hacking.) These bitcoin businesses are
budding and then thudding far too often.

'We got hacked by ourselves, thank you for contributing to the magnitude of
our initial private offering.'

------
wehadfun
What I don't understand is why the bitcoins cannot be seized and
returned. If the feds can seize bitcoins obtained illegally through drugs why
can't they seize bitcoins obtained illegally through stealing?

~~~
jordigh
To own a bitcoin is to own the cryptographic private key that holds those
bitcoins. If the bitcoins moved to a new address, then you would need the
private keys of the new address. They can be acquired, but it's difficult,
since hiding a crypto key is a lot easier than hiding cash.

~~~
unclebucknasty
And, to answer the other part of your parent's question (regarding how the
Feds can seize bitcoin), it was always my presumption that the Feds merely
used their legal authority to compel their targets to turn over their bitcoin
(i.e. private keys, etc.).

EDIT: Now that I think of it, it seems like I read somewhere that, with Mt Gox
in particular, the Feds seized their ~$5M in BTC a while back by having them
transfer it to a wallet under their control. Can anyone corroborate this?

~~~
wmf
You could just Google it. The Feds seized a bank account holding 5M USD
belonging to MtGox's customers.

~~~
unclebucknasty
> _You could just Google it._

Thanks. I'd never heard of Google. What a fantastic invention!

Sadly, though, it doesn't appear to help as much with vague recollections, and
certainly doesn't seem to pass the Turing test where actual discussion is
concerned.

In any event, it appears that I've mixed it up with Silk Road, where actual
bitcoin was seized.

Turns out that it takes a bit more "Googling" (I think I've coined a new verb
for this new Google thing) to determine that you have something wrong vs.
corroborating that something is true.

This all gives me a new idea. I haven't quite fleshed it out yet, but I am
tentatively calling it a "discussion forum".

------
bkd
I had about $1 at Flexcoin - not enough to move into cold storage and not
enough to move back out. Doesn't matter now of course.

------
Cless
Notice how all these sites use PHP?

------
sp332
Is 896 BTC a lot to have in a hot wallet?

~~~
nly
Depends on your instant withdrawal limits. If you want to allow your customers
to withdraw many coins instantly then you need many coins in an open wallet
ready to give them.
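
------
The hot/cold wallet split discussed in this thread (the 5% hot share in patio11's comment, bitJericho's "just enough for the day's operations", nly's point about instant withdrawal limits), sketched as a toy ledger. This is an added example, not part of the thread and not any exchange's code; the `Custody` class, its method names and all balances are hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Custody:
    """Toy custodial ledger in BTC; all names and balances are hypothetical."""
    hot: Decimal    # keys held on the live, customer-facing system
    cold: Decimal   # keys held elsewhere, unreachable from the live system
    hot_target: Decimal = Decimal("0.05")        # share of reserves allowed hot
    pending: list = field(default_factory=list)  # withdrawals awaiting cold signing

    def hot_cap(self):
        return (self.hot + self.cold) * self.hot_target

    def sweep(self):
        """Move anything above the cap out of the hot wallet; return amount moved."""
        excess = max(self.hot - self.hot_cap(), Decimal(0))
        self.hot -= excess
        self.cold += excess
        return excess

    def deposit(self, amount):
        """Deposits arrive on the live system, so sweep straight afterwards."""
        self.hot += amount
        return self.sweep()

    def withdraw(self, user, amount):
        """Pay instantly only out of the float; larger requests wait."""
        if amount <= self.hot:
            self.hot -= amount
            return "instant"
        self.pending.append((user, amount))
        return "queued"

    def settle_pending(self):
        """The asynchronous step: signed with cold keys, away from the live system."""
        paid, waiting = [], []
        for user, amount in self.pending:
            if amount <= self.cold:
                self.cold -= amount
                paid.append((user, amount))
            else:
                waiting.append((user, amount))
        self.pending = waiting
        return paid

    def exposure(self):
        """Worst-case loss if only the live system's keys are compromised."""
        return self.hot


if __name__ == "__main__":
    c = Custody(hot=Decimal("900"), cold=Decimal("100"))  # constructed, mostly-hot start
    print("exposure before sweep:", c.exposure())
    print("swept to cold:", c.sweep(), "-> exposure now", c.exposure())
    print(c.withdraw("alice", Decimal("20")), c.withdraw("bob", Decimal("200")))
    print("settled offline:", c.settle_pending(), "pending:", c.pending)
```

The model only bounds what is lost when the live system alone is compromised; it says nothing about how the cold keys themselves are protected.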

