

Introducing Bitcoinica API (The first RESTful Bitcoin Trading API) - zhoutong
http://blog.bitcoinica.com/posts/19

======
JoachimSchipper
Note: there was a lot of discussion about security etc last time Bitcoinica
came up (<http://news.ycombinator.com/item?id=2973301>).

patio11: "My semi-amateurish opinion is that as a non-registered securities
dealer with all accounts having margin capabilities the (near 100%) likelihood
of your Rails app exploitably broken is not the key source of risk to your
business." (<http://news.ycombinator.com/item?id=2974695>)

See also e.g. <http://news.ycombinator.com/item?id=2974032> and
<http://news.ycombinator.com/item?id=2973429> plus tptacek's reply to
<http://news.ycombinator.com/item?id=2973732>.

On the other hand, Bitcoinica may not be less secure than Mt. Gox...

~~~
zhoutong
I'm actually quite serious about security. But I still feel that the
security-related discussions are too overwhelming. Of course I know that
nothing is 100% secure, but I can make my bottom line high.

This is not my first project. I have been coding in Rails for almost 3 years,
with some failed projects. I also know some security basics because I have
hacked websites before (non-destructive).

There is always relative security. Ruby on Rails itself is a relatively secure
framework. Rails sites have been much less frequently hacked than PHP sites.
(Because everything is well wrapped.) I'm also very conservative about using
Rails (rarely override methods myself, not even touching find_by_sql even when
it's the easy way).

Passwords are stored hashed and salted using BCrypt. Although no explicit
security auditing has been done, all the Rails app logs (including requests
and IP addresses) are extracted and backed up nightly. Soft-deleting is
enabled for all operations, etc.

I'm not distracting myself from the real problem, but I have to say that I'm
not that kind of random kid who writes crappy apps for fun.

My use of Heroku is also partly because of security. I use Mac and know a bit
of Linux, but I know I can't really set up a Linux box and be sure about the
security. Instead I have chosen Heroku's integrated, read-only and cloud-based
platform.

Sorry for not replying to most of the security-related comments. Not because I
can't face opposing arguments, but instead, I think they are valuable.

However, I hope everyone can be a little bit more reasonable and realistic.
Since nothing is secure, security is everyone's problem. Although I don't have
anything to prove my security experience, at least this is not the first time
I deal with money. I once developed a mini payment gateway (PayPal and credit
card) for my friend who used it to process transactions totaling more than
$50,000. There are a lot of fraudulent orders, which means that people have an
incentive to steal, but the payment system itself has been safe.

I can understand that people are skeptical considering my age (or even my
Chinese name). But will the Bitcoin community be better off if I shut down the
project now? I have chosen Bitcoin because of its low barrier to entry and open
community, not because I have no bottom line or security concerns.

What I really want to disagree with is the view that I must end this project now.
There are basically too many people emailing me just to thank me for
delivering the features that the big guys (Mt. Gox and TradeHill) can't finish
in months.

I have taken the extreme minimalistic approach in development of Bitcoinica -
no Bitcoin wallets and no unusable features. I make it a pure trading platform
- you can't even do money laundering on Bitcoinica. System-wise, I don't have
to SSH into the server to configure anything, and I don't even have to see the
database credentials myself.

Anyway, I completely accept all the negative viewpoints about Bitcoinica, but
I just want to explain clearly that I may not be the person everyone's
thinking about.

~~~
tptacek
The term of art for responses like this is "jazz hands".

Sorry. Security isn't "everybody's job". You've chosen to advertise a
financial application. Security is your job. In a very real sense: sucks to be
you.

~~~
zhoutong
I'm not sure whether you're referring to a part of my comment or the whole
comment.

What I mean is, security is every financial platform owner's big challenge.
This includes banks, escrow service providers, payment processors and
e-commerce solution providers. Sometimes it's hard to know how secure a system
is before anything happens. But I have already explained my experience,
ability, current situation, my strategy, how my product works, my objectives
and what I have done to the public to help everyone make informed choices.

Not everyone will like every single product. I have been careful about
everything I can.

~~~
tptacek
I think you think these multi-paragraph responses you're writing are
convincing.

I think the best thing I can do for you is to be blunt about how unconvincing
they are.

Very few people with Rails or appsec experience will read them and think that
you know what you're doing with regards to security.

You should not be taking "thousands and thousands of dollars" from people.
Full stop.

~~~
timsally
I agree with everything that has been said so far, with the exception of the
conclusion. I don't have a problem with zhoutong taking money. People putting
their money in Bitcoin are investing in a _currency that is two years old_.
Said another way, a currency that is younger than a $15 bottle of wine. All
players in such a market by definition lack reputation, lack experience in
handling currency, and lack experience in running a financial institution.
Yes, zhoutong doesn't understand security and yes he is hand-waving. Yes, he
needs to do his best to secure his app. Yes, he should invest money in an
audit when it can afford it (if only because a security audit maps directly to
better business for a financial institution). But do I feel bad for users who
are putting their money into Bitcoinica? Not really. Trading in a currency
that is only two years old is the NFL. Dealing with young and inexperienced
financial institutions is part of the game if you choose to enter such a risky
market.

------
LeafStorm
My problem with Bitcoin is that it is skewed to favor early adopters, but
every two weeks or so one hears about a huge Bitcoin site being cracked, a
State Department investigation, or a possible vulnerability, or something like
that.

So, while the concept sounds interesting, it's very likely that if I get in
early I will lose all of my Bitcoins to some exploit, and that if I get in
late I will not be able to rack up enough Bitcoins to buy anything.

~~~
feydr
there is definitely a very high risk but there is definitely a very high
reward -- the keyword here is 'speculation' -- nothing wrong with it as long
as you know that that is what it really is

------
rb2k_
Great work! I think I will have a lot of fun hacking away on this (yay,
weekend project).

The only downside is that I have no idea how I would be able to get a small
amount of money (25 Euros?) to the site. Bank transfers don't run on the
weekends and while there is a bunch of ways to get money to mtgox, I don't know
if any of them can be fueled by paypal/google checkout/amazon payments/...
which operate on the weekends.

~~~
zhoutong
That's the common downside of all Bitcoin Trading Platforms. Currently it's
virtually impossible to have all three criteria of a good online payment
system other than Bitcoin:

- Instantly available

- Reliable (maybe law-regulated, bank-operated or systematically-controlled)

- Non-reversible

------
masklinn
> Quotes API Returns latest quote(s) for a given currency pair.

> Ticker:

> URI: GET <https://www.bitcoinica.com/api/quotes/[currency_pair].json>

That's RPC over HTTP, not a RESTful API.

edit: well, apparently HN sides with meaningless keyword-babble, great.

~~~
zhoutong
The request is not transmitted in JSON. So it's not JSON-RPC at least.

<http://en.wikipedia.org/wiki/Representational_state_transfer#RESTful_web_services>

- The URI is RESTful. (Explicit collection and member actions, with common
namespace.)

- Supports both JSON and XML. (Internet media types)

- Bitcoinica API utilizes three of the four RESTful Web Services methods -
GET, POST and DELETE. (HTTP methods)

But I'm not sure about the hypertext part, because I don't understand what
hypertext means here. Is Bitcoinica's interface considered hypertext-driven?

~~~
masklinn
> The request is not transmitted in JSON. So it's not JSON-RPC at least.

I don't count that as a positive, since it would at least prevent them from
calling it restful.

> The URI is RESTful. (Explicit collection and member actions, with common
> namespace.)

URIs can not be RESTful, this does not even make sense.

> Supports both JSON and XML. (Internet media types)

Supporting "JSON" and "XML" is completely useless: they're meta-formats; in and
of itself outputting "JSON" is completely meaningless as it does _not_ tell
the client anything.

Defining the exact media types returned (which this API description barely
does) is the vast majority of a RESTful application's documentation. In fact,
it should be all of the documentation save for a single URL, which is the
API's root entry point.

> Bitcoinica API utilizes three of the four RESTful Web Services methods -
> GET, POST and DELETE. (HTTP methods)

Better, but still not sufficient to make an API restful. Plus orders are
created via a POST, that's not correct, the semantics of POST are updating
(creation is PUT).

> But I'm not sure about the hypertext part, because I don't understand what
> hypertext means here.

And you don't think that might be an issue in your judgment?

> Is Bitcoinica's interface considered hypertext-driven?

No, and being hypertext-driven is the most important criterion of a RESTful
application.

~~~
mckoss
POST semantics can be used to CREATE as well. And PUT can also be used to
UPDATE.

PUT semantics are more like "update_or_create". POST is like "create_child".

<http://stackoverflow.com/questions/630453/put-vs-post-in-rest>
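As an added example (not part of the thread and not Bitcoinica's code), a tiny Ruby in-memory orders resource illustrating the distinction mckoss draws: POST creates a new child on every call, while PUT to a client-named URI is an idempotent update-or-create. The `OrderStore` class and the order fields are constructed for illustration only; the retry scenario shows why a naively retried POST can duplicate an order.

```ruby
# Added example (not Bitcoinica's code): a minimal in-memory "orders" resource
# contrasting POST (create a new child under the collection) with PUT
# (idempotently update-or-create the resource at a known URI).
class OrderStore
  def initialize
    @orders = {}   # id => attributes
    @next_id = 1
  end

  # POST /orders: every call creates a new child with a server-chosen id.
  # Retrying a POST after a lost response therefore duplicates the order.
  def post(attrs)
    id = @next_id
    @next_id += 1
    @orders[id] = attrs.dup
    [201, "/orders/#{id}", @orders[id]]
  end

  # PUT /orders/:id: the client names the URI; repeating the same request
  # leaves a single resource in place (update_or_create).
  def put(id, attrs)
    created = !@orders.key?(id)
    @orders[id] = attrs.dup
    [created ? 201 : 200, "/orders/#{id}", @orders[id]]
  end

  def count
    @orders.size
  end

  def fetch(id)
    @orders[id]
  end
end

# Constructed sample: a client sends the same "buy" order twice each way,
# as a retry after a timeout would.
def replay_demo
  order = { "pair" => "BTC/USD", "side" => "buy", "amount" => 1.0 }
  by_post = OrderStore.new
  2.times { by_post.post(order) }
  by_put = OrderStore.new
  2.times { by_put.put(42, order) }
  { post_count: by_post.count, put_count: by_put.count }
end
```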

------
marcf
REST trading APIs? Not exactly HFT. :-)

~~~
pgroves
Maybe that's a feature not a bug.

