They have an XSS on https://secure.trust-guard.com/ (enter a username like <img src=g onerror=alert(1)> -- yes, it won't work with Chrome's XSS filter)... somehow I'm inclined to believe they are not so great.
(An attacker could exploit that in a number of ways. Here's a simple one: create a site with a domain name that looks really similar. http://secure.trustt-guard.com or something, it doesn't matter. When a user visits, autosubmit a form to https://secure.trust-guard.com with the malicious payload; the first thing it does is hide the error message and incorrect username. The user then enters username/password and attacker reads the values and sends them back to his site.)
What's worse, I can't find any way to report this. Does anyone see a link?
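The reflected username and the cross-site form autosubmit described in the comment above, seen from the server side. This is an added example, not part of the thread and not Trust Guard's code: the handler, the function names and the plain header dictionary are hypothetical, and only the URLs and the sample username come from the comment.

```python
import html
from urllib.parse import urlsplit

# Origin of the login page, taken from the URL in the comment above.
EXPECTED_ORIGIN = "https://secure.trust-guard.com"
# Second layer: without 'unsafe-inline', inline handlers such as onerror= do not run.
CSP = "default-src 'self'; form-action 'self'"

def render_error_unsafe(username):
    """Flawed pattern: the submitted username is pasted into the page as markup."""
    return '<p class="error">Unknown user: ' + username + "</p>"

def render_error_safe(username):
    """Encode for the HTML context so the username is displayed as text."""
    return '<p class="error">Unknown user: ' + html.escape(username, quote=True) + "</p>"

def same_origin(headers):
    """True only if the POST came from a page on the login site's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # assumption: strict policy, reject when neither header is present
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == EXPECTED_ORIGIN

def handle_failed_login(headers, form):
    """Hypothetical handler: (status, response headers, body) for a rejected login."""
    base = {"Content-Type": "text/html; charset=utf-8", "Content-Security-Policy": CSP}
    if not same_origin(headers):
        return 403, base, "<p>Cross-site login request rejected.</p>"
    return 200, base, render_error_safe(form.get("username", ""))

if __name__ == "__main__":
    payload = "<img src=g onerror=alert(1)>"  # the username quoted in the comment
    print(render_error_unsafe(payload))
    print(handle_failed_login({"Origin": EXPECTED_ORIGIN}, {"username": payload}))
    print(handle_failed_login({"Origin": "http://secure.trustt-guard.com"}, {"username": payload}))
```

Output encoding is the fix for the reflection itself; the origin check and the CSP header are extra layers against the autosubmitted form and against inline handlers.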
"Trust Guard's emphasis/value appears to be sales conversions, not security per se."
The first startup I worked for was a PCI-compliance company. So I can tell you that the only way to sell "PCI-compliance" is that the credit card companies require it, and the only way to differentiate your service is by hyping the conversions it will help with. The reason is that these companies are fundamentally selling a check in the checklist that their customers otherwise do not care about. (Alas, even requiring people to care about security doesn't actually make them care about security.) For their front page, this isn't necessarily a surprise; it really doesn't tell you anything about the company either way.
Goals aren't results. Ruxum has the goal of bringing "Wall Street-level" security to Bitcoin trading. We won't have a good idea of whether they've succeeded until they've come under sustained attack by intelligent hackers for long periods of time, and stood up. (And note I said "good idea" even so, not "proof".)
I also read the security policy at https://x.ruxum.com/security . It's nice and all, and does sound to be off on a better track, but being really, really secure is hard. I'm not saying they haven't succeeded, I really don't know (or much care). I'm just commenting on how phrasing it as if it's a done deal, rather than a goal, is cognitively hazardous.
"Security measures have been built into the design and setup of our infrastructure." tells you absolutely nothing. Neither does "Disasters are never nice events and we hope they don’t happen. We also expect one will happen and have plans to recover when it does." (although it's not strictly a security issue either).
"Wall Street Level" means insured against loss. Bcrypt is good security practice. Taking responsibility for the money you hold for people is "Wall Street Level".
I'm building my own Bitcoin Exchange as we speak and I can tell you, these security measures are nice (we had most of them planned too, plus some) but real Wall Street level security is only affordable in a more mature market.
Another centralized institution profiting from the decentralized-ness of Bitcoin. Perhaps it's the direction Bitcoin will have to grow in, in order to stay alive/popular.
This is the second new Bitcoin exchange I've seen recently. The first was CampBX: http://campbx.com/
(Don't ask me why a business that's trying to get itself taken seriously as a financial exchange would choose a name containing the word "camp".)
Anyway, for the moment, as far as security goes, these new exchanges don't necessarily need "Wall Street-level" security; they just need to be perceived as probably being more secure than Mt. Gox, which, given recent events, shouldn't be difficult.
But to attract traders, they also need liquidity, which they don't have much of yet.
Assuming that their claim is true, it wouldn't protect the value of bitcoins in the event of a similar incident to Mt. Gox occurring in a different exchange, would it? The value would still crash dramatically.
Contrast this with TradeHill which recently announced a two-factor login option powered by DUO Security. I'll take a guess and say that tptacek at least knows who runs DUO :-).
http://www.trust-guard.com/
I can sum up my take on this by saying I've never heard of "Trust Guard".