Bitcoinica lost customer database, has no up to date record of trading balances (bitcointalk.org)
110 points by Estragon on May 26, 2012 | 125 comments



From HN thread announcing Bitcoinica's launch, some months ago (http://news.ycombinator.com/item?id=2973301):

"I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people. There's also very nontrivial odds of being on the wrong end of armed Federal agents, based on some of the other comments you've made here. This is a horrible, horrible first-project sort of project."

"Doing your best probably isn't enough. To have any hope you'll have to hire expensive security people and buy lots of insurance.

All you need in order to be exploited is to be using software with 0day exploits. Many known exploits are not public. In a very real sense, you are only protected to the extent that you are a small target.

As the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%. Software really is THAT insecure and bitcoin thefts are not prosecuted making it basically risk-free to steal bitcoins."

"-- spectacular failure is your destiny if you don't work very hard to prevent it

-- spectacular failure may be your destiny even if you do work very hard to prevent it"


The problem is that the only kind of person who would start such a project would be a person who would be immune to these warnings...


Wow, that gave me chills down my spine as I read the old thread.


genjix wrote in https://bitcointalk.org/index.php?topic=81045.msg920554#msg9...

  > To the person above, here's what happened: 
  > - Bitcoinica has an internet mailing list called info@bitcoinica.com  
  > - It was the email for the website and all sensitive accounts.  
  > - You could request a password for that email. In a production system, that
  > should never be possible.  
  > - Several people had access to this mailing list (non-admins and business
  > people included).  
  > - Patrick got added.  
  > - His personal email was compromised. Normally this shouldn't be a big deal; I
  > use my personal email at internet cafes and public computers.  
  > - Attacker was able to request a new password and login to rackspace.  
  >   
  > The assumption here was that info@bitcoinica.com did not have access to 
  > critical infrastructure.
  >
  > Lastly, it was my fault Patrick's email server got compromised. I had a VPS
  > for programming and development which many people had access to - randoms from
  > #c++ IRC, people from this forum, beginners I was teaching, etc. It's a
  > public VPS for development. The SSH key on there was added to Patrick's server
  > because we were developing the bitcoinconsultancy.com website on there (that's
  > why it's now down). My SSH key was stolen and he ssh'ed into the box.
  > Then had access to his emails.

So there you have it: it was one of those damn "Forgot Password" buttons, combined with mishandling email. The security of a server can't be better than the security of the least-secure computer with administrative access, and it looks like in this case, that was spread a little further than it should've been. This attack might've been prevented by introducing a delay: send an email saying that a password reset was requested, with a cancelable reset after several hours. But as far as I know, no one does that.


It looks to me like the root cause was reusing an SSH key on a secure system and a public system. If the SSH key was compromised, that would lead me to believe that the private key was on the public/insecure system. That is a big security no-no as well.


Amusing. Seems like these guys should be engaging a consultancy for help, not trying to start one.


And the worst thing is, you can even re-use a password reset link for Rackspace Cloud even when it has already been used. Changing passwords won't log out existing sessions either.
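
An added example, not part of the thread and not Rackspace's or Bitcoinica's code: the delayed, cancelable reset suggested a few comments up, combined with the single-use link and session revocation this comment finds missing. `ResetService`, its field names, the six-hour delay and the mailbox addresses are all assumptions made for the sketch.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

RESET_DELAY_SECONDS = 6 * 3600     # assumed value for "several hours"
LINK_LIFETIME_SECONDS = 24 * 3600  # assumed: link dies a day after it becomes usable


def digest(token):
    """Only token hashes are stored, so a leaked table holds no usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingReset:
    account: str
    usable_at: float
    expires_at: float
    state: str = "pending"  # pending -> used | cancelled


@dataclass
class ResetService:
    credentials: dict = field(default_factory=dict)  # account -> secret (a salted hash in real use)
    sessions: dict = field(default_factory=dict)     # session id -> account
    outbox: list = field(default_factory=list)       # (recipient, kind, token) in place of real mail
    by_reset: dict = field(default_factory=dict)     # sha256(reset token) -> PendingReset
    by_cancel: dict = field(default_factory=dict)    # sha256(cancel token) -> PendingReset

    def request_reset(self, account, recipients, now):
        """Queue a reset. Nothing about the account changes yet."""
        reset_token = secrets.token_urlsafe(32)
        cancel_token = secrets.token_urlsafe(32)
        usable_at = now + RESET_DELAY_SECONDS
        pending = PendingReset(account, usable_at, usable_at + LINK_LIFETIME_SECONDS)
        self.by_reset[digest(reset_token)] = pending
        self.by_cancel[digest(cancel_token)] = pending
        # Every reader of the mailbox gets the notice and the cancel link,
        # so one compromised reader cannot reset the account unnoticed.
        for rcpt in recipients:
            self.outbox.append((rcpt, "reset-link", reset_token))
            self.outbox.append((rcpt, "cancel-link", cancel_token))
        return reset_token, cancel_token

    def cancel(self, cancel_token):
        """Any recipient can kill a pending request during the delay."""
        pending = self.by_cancel.get(digest(cancel_token))
        if pending is None or pending.state != "pending":
            return False
        pending.state = "cancelled"
        return True

    def complete(self, reset_token, new_secret, now):
        """Apply the reset only after the delay, only once, and drop sessions."""
        pending = self.by_reset.get(digest(reset_token))
        if pending is None:
            return "unknown"
        if pending.state != "pending":
            return pending.state  # "used" or "cancelled": the link is dead
        if now < pending.usable_at:
            return "too_early"
        if now > pending.expires_at:
            return "expired"
        pending.state = "used"
        self.credentials[pending.account] = new_secret
        # A password change ends every existing session for that account.
        self.sessions = {sid: acct for sid, acct in self.sessions.items()
                         if acct != pending.account}
        return "ok"


def demo():
    """Constructed scenario: a shared mailbox with two readers."""
    svc = ResetService(credentials={"ops": "old"},
                       sessions={"s1": "ops", "s2": "billing"})
    readers = ["alice@example.test", "bob@example.test"]
    reset, cancel = svc.request_reset("ops", readers, now=0)
    out = [svc.complete(reset, "intruder", now=600)]       # still inside the delay
    out.append(svc.cancel(cancel))                          # another reader cancels
    out.append(svc.complete(reset, "intruder", now=RESET_DELAY_SECONDS + 1))
    reset2, _ = svc.request_reset("ops", readers, now=100_000)
    later = 100_000 + RESET_DELAY_SECONDS
    out.append(svc.complete(reset2, "rotated", now=later))  # legitimate reset
    out.append(svc.complete(reset2, "again", now=later + 1))  # link reuse
    out.append(sorted(svc.sessions))                        # "s1" was revoked
    return out


if __name__ == "__main__":
    print(demo())
```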


Specifically this[1] is the page that is used in this hacking operation.

[1] : https://manage.rackspacecloud.com/pages/Login.jsp


When its founder declared this on HN 8 months back:

"I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm only 17."

http://news.ycombinator.com/item?id=2973313

I have been waiting since then to see how bad things can possibly go.

Unlike other sites where people hack for fun, bitcoin offers hackers the opportunity to get some real money.


This comment thread is full of people saying that incidents like this are undermining the viability of a bitcoin currency. What many don't see is that bitcoin is an algorithmic solution to a problem a lot of people have (decentralized, untraceable money transactions). The implication of being algorithmic is that you don't have to trust people anymore, just the math. Even if this currency fails, the solution remains and will continue to be implemented.

For example, geometry was literally invented to measure land. I'm sure that when the Pythagorean theorem was discovered, some of the first "geometers" did screw up and made a wrong land measurement. Maybe some of the reactions at the time were: "Well this geometry thing is too dangerous, if one small calculus error could make me lose half my land. It will never catch on."


I'm not following. You're saying that Bitcoin's discovery is equivalent to the discovery of a new field of mathematics?


So basically they used a server that could be deleted online by getting a single password (which was acquired via an SSH key for the bitcoin server being left lying around).

They didn't make offsite backups (sounds like they used to but stopped).

When the server was compromised they didn't realise that it could be deleted by the cracker.

One thing I don't understand, as these appear to have been real servers on Rackspace (you wouldn't exactly use a shared VPS, surely not?!?) couldn't they be recovered after the online "delete server" button was pressed? The top comment on the linked thread says that Rackspace had the server locked down with the only available option for the cracker to delete (which sounds very strange).


It was a cheapo cloud VPS server, I shit you not. After getting their ass stolen for that very reason at Linode.

This site had a massive running profit and still went for the very cheapest option. Rackspace even offers financial services grade servers. I bet these aren't cheap though.


This seems to be the... 4th problem Bitcoinica has had? 5th? Maybe even the 6th. Why do people still use this site? Surely it has been shown on multiple occasions they can't be trusted with security.


Their database was deleted and their site has been replaced with a form asking former users how much money they remember having.

I doubt very much that anyone is still using the site.


Imagine putting your money in a bank where every day, hundreds of burglars attempt to anonymously get in and steal money that cannot be traced back to you for you to recover it.

Sounds like a great place to put money in.


I hope people stop making services like this. Bitcoin is distributed for a reason.


It is rather hard to distribute a market, centralisation being its key strength.


Not really. I mean, there's nothing centralized about dollar bills. As long as people publicly list their prices in bitcoins, everything will work out fine.

People will always need bitcoin exchanges to convert between bitcoin and other currencies, but those don't need to be storing other people's bitcoins.


This isn't so much a problem with Bitcoin as much as it's a problem with under-qualified people trying to set up "banks" online.


I'd like to think that this was some sort of nefarious action from an old-guard finance company who was threatened by Bitcoin enough to resort to the enlistment of some hackers.

In reality, this was plain amateur security practice, and if this sort of sloppiness continues, the bitcoin brand will be trampled so badly it will never get off the ground.


It's already well and truly off the ground.


What problem does bitcoin solve? I've tried to understand the need for it, but just don't get it.


Here are some features that make it appealing.

(1) Fixed total supply, so it can't be manipulated by central banks.

(2) Fast online transactions (e.g. Paypal, without the problems of Paypal); ease of developing all kinds of Web services around this.

(3) Anonymous transactions are possible, which can be beneficial in many ways (for example, not getting taxed...)


(1) is only a selling point to people well outside the mainstream. Most people would consider this a huge negative.

(2) meanwhile I can buy things with one click using dollars.

(3) tax evasion, drug dealing and money laundering are not things that society generally wants to facilitate


Well, I just listed some of the features that many people who like Bitcoin like about it. That other people may not care about those features is kind of irrelevant.


Until they shut it down.


> (1) is only a selling point to people well outside the mainstream.

Yes, the handful of people who understand how our banking and currency system works but aren't in a position to suckle at its teat.

> (2) meanwhile I can buy things with one click using dollars.

But try transferring dollars electronically, or even just from one of your own accounts to another in a different bank.

> (3) tax evasion, drug dealing and money laundering are not things that society generally wants to facilitate

Neither does society generally want to facilitate government's abuse and debasement of its currency in attempt to cover up its willful blindness to widespread financial fraud and malfeasance. Pick your poison.


> But try transferring dollars electronically, or even just from one of your own accounts to another in a different bank.

In my Wells Fargo account, I can transfer to another bank's account in three clicks and about two minutes. All I had to do was set it up and prove that I own the other end. Deposits usually clear that day.


With bitcoin, transfers clear within ten minutes. The fees are dramatically cheaper (domestic wire transfers are at least $10, international are more like $30) and there's no need to 'prove' anything.

With bitcoin, you can also do all this at anytime, not just within the 9-5 Mon-Friday, no holiday bank schedules.


That wasn't the point that I was responding to (which is that it's difficult to move money around in traditional banks), but since you brought it up:

> The fees are dramatically cheaper (domestic wire transfers are at least $10, international are more like $30)

I pay no fee for the service I described. Not a penny.

> and there's no need to 'prove' anything.

This took a few hours, and was quite low-effort. Not a problem I'm looking to solve in my life, since I only did it once.

> With bitcoin, you can also do all this at anytime, not just within the 9-5 Mon-Friday, no holiday bank schedules.

As can I.


Millions of honest people around the world that have lost their savings when a fiat currency changed its valuation for political reasons. You do not need to be a zealot to appreciate any attempt to create a free currency; you simply need to have a small sense of history and the world around you.


Money isn't for saving long term, it's for spending; if you want to save, buy assets. Inflation is only a problem for those who wrongly mistake money for an asset. The purpose of money is to facilitate trade, not store value.


For (1) you don't need fixed supply, just lack of central bank interference.

You can design bitcoin with a slowly increasing bounty each year, as long as the protocol is there, no central institution can control it.

(as a matter of fact, if the 50 BTC bounty were to continue indefinitely, the rate of money expansion would decrease over time)


To me personally, the point is the fixed supply, and the lack of central bank interference is just part of the means to that. I would like to be able to park money somewhere without having it lose value, and possibly even gain in value.

Anyway, as you said, someone certainly could fork bitcoin to make a system where the money supply is expanded indefinitely. I don't think it would catch on, though... at least unless bitcoin has already become "accepted."


>(3) Anonymous transactions are possible, which can be beneficial in many ways (for example, not getting taxed...) //

Certainly where I am you'd still be taxed; you're just avoiding paying the tax by hiding your identity. Tax here (UK) is still due if you choose to barter for goods/services so I can't imagine using an unofficial currency would make the slightest difference.


Clearly, you've never been paid for goods or services by someone overseas. Even in this day of highly-networked banks, I have to wait 4-5 days for an international wire payment, and I get charged $12. My counterpart overseas pays $20 for the transaction, and would love to pass that cost on to me (but I refuse to pay it). Many banks charge $20 or more for incoming international wire transfers. So it can cost anywhere from $25 to $40 USD to make an international wire payment.

However, if my clients used Bitcoins, I would receive the money in an hour or less, and pay like a $0.10 charge. And no one would have the power to suddenly say, "oh wait, we're going to have to raise our fees".

Thousands of freelance writers, translators, programmers do a significant portion of their work with international clients. But the banking system rules out doing any job worth less than several hundred dollars, unless you want to lose 1/4 or 1/5 of your income to fees. I routinely turn down jobs that I could do in 30 minutes and make $150 because it's not worth the hassle of arranging an international wire transfer.

Do you understand now the legitimate need for this kind of currency?


All the paranoia that feeds goldbugs? Take that, and mix it with a total, naked vulnerability to 2-bit hackers.

Seriously, if you hate modern currencies, buy gold or silver or 20 year old scotch, hide it away...problem solved. Bitcoin was nonsense from conception.


Anonymous cash on the internet. Nobody knows who owns each bitcoin account so you can do all sorts of things you could not otherwise. It's very similar to (for example) Pecunix, although unlike Pecunix it's not backed by gold and it's distributed which makes it hard to take down. Anything black or greymarket is suitable for bitcoin.

100% legitimate uses? Well you could use it instead of Paypal and save a couple of bucks in fees but it's a lot harder than just using Paypal and there's no recourse if something goes wrong.


It's actually easier than using PayPal, in my experience. Just open your client, copy-paste the recipient's address, hit Send, and voila, done.

You don't have to create an account, add credit/debit cards and bank accounts, get verified, etc.

Definitely no recourse if things go wrong, but also no way for black hats to game direct P2P BTC payments either, like they can with PayPal's resolution and chargeback system.


It's only easier if you already have some Bitcoin to use. Converting money to Bitcoin takes more time and effort than just using your credit card on Paypal.


Wait, is this going to happen to all of them trading sites, in turn?! Is it something to say about the kind of people that are attracted to fast and furious trading, or is it just random negligence hiveminding?


I'm still offering a deal to people bit by the Bitcoinica failure to rebuild their investment portfolios: https://bitcointalk.org/index.php?topic=77469.msg901042#msg9...

Basically, I'll trade bonds in GLBSE listed mining companies for shares in DMC: ~2/3rds of a BTC worth of bonds for 1 BTC worth of DMC.

Bitcoinica royally screwed a large number of investors, and I want people to know and understand that not all of us are people out to steal their money. Some of us really are completely honest businessmen.


This is what a market debasement looks like, ladies and gentlemen. If you can pay someone to keep Bitcoin performing poorly, you can mitigate the loss from your own failing currencies.

Perhaps I'm the only one that feels this way (I almost hope I am), but this news is making me want to put all of my money in bitcoin. It's a good time to get in on the action.


If your implication is correct, and someone is paying black hats to debase bitcoin, and nobody has any idea who is behind it so that those efforts will likely continue, then how does it follow that now is a good time to get in on the action and put all your money into BTC?


This is nothing compared to the amounts of money involved in the botched Facebook IPO. If this incident proves that Bitcoin is in trouble, then by all means extend this reasoning to NASDAQ, and other institutions with major incidents.


Phew, good thing I haven't been investing in bitcoins..


Comically, many of Bitcoinica's customers were those who sent funds to the service to be able to go short (bet against) bitcoins.

But those "investing in bitcoins" wouldn't have lost from this unless they also happen to have been speculating at Bitcoinica with them. Bitcoinica is a service where a financial product called a contract for difference (CFD) is traded.


With all the disclosures and absolute failures of security and operations that we've seen coming out of the Bitcoin field, can we start to quell the attitude that the Bitcoin market as it stands today is a real currency market? The only people that seem to work on Bitcoin secondary trading mechanisms are people that just know how to write a Rails app, and most seem to lack security sense or reliability awareness. Personally, as a seasoned developer, even I know that I probably shouldn't write a currency trading platform alone. I'm aware of the ramifications and what can go wrong, and I'm smart enough to rule myself out.

I will never call Bitcoin a real currency until you see a platform that actually knows what it's doing. Really, I'm sorry, that's just how it is, and the Bitcoin fans that are about to show up and try to tell me otherwise are just as misled (and are inevitably going to be victims of being so myopic). If you want to call Bitcoin real money, it needs to be treated like real money. In software terms, that means it is a big deal.

There is a reason currency is regulated heavily. You are witnessing it.

Edit: Clarified that I'm not attacking Bitcoin itself.


It's a real currency market, it's just at the Bonnie and Clyde stage of its evolution. Consider how lax bank security was in the 1930s that a single couple could rob banks for years with a fraction of the sophistication of modern day bank robbers.

You couldn't get away with it today, not for that long, but it was possible with "real" money, "real" banks, all government backed, at one time. And that had centralization and identity built into it. The bitcoin community isn't big enough to have serious security professionals yet, but that doesn't disqualify it as a currency market.


The "real" banks need to increase their securities too, but luckily with every mistake like this:

http://www.theinquirer.net/inquirer/news/2079431/citibank-ha...

They get stronger.


Which is why my comment has said, from the beginning, "as it stands today". Those interested in Bitcoin should seriously learn from those very mistakes that you're discussing, rather than re-learning them all over again.


What does it matter? Every day people get mugged and killed over cash... do you believe cash is not a "real currency" because of this?


The difference here is that no one carries around the amount necessary to tip the balance of the economy, which is very much the case with Bitcoin sites such as Bitcoinica.


Actually just 18.5K were stolen and it didn't affect bitcoin's valuation. We are enjoying very good stability at this moment there are very few people leverage-trading.


Bitcoin is the currency for people who've read John Locke but not Thomas Hobbes.


Your comment sounds clever, but I have read neither. Could you please elaborate?


Locke: private property is a cornerstone of liberty.

Hobbes: without government, life has historically tended to be 'solitary, poor, nasty, brutish, and short.' As a practical matter, it's a lot easier to enjoy your liberty when your property isn't under constant assault from everyone else; by everyone pooling a little of their individual sovereignty in a government, aggregate liberty is vastly increased. It's a political economy argument at its core.


So after a very brief read of Wikipedia, the voting-via-hashpower mechanism of Bitcoin seems to me to be a form of social contract, whereby users consent to be governed by the rules laid down by the majority.


Extremely roughly: Locke was an idealist of liberty; Hobbes rationalized the social contract by pointing out that people are bastards and that life without it is nasty, brutish, poor, and short.


We don't want the government restricting our freedoms (i.e. libertarianism is cool), but trying to implement that with anarchy gives bad guys the freedom to take away our own.


Bitcoin is very alive and kickin right now. The bitter truth is Bitcoin is now the de facto standard method of payment for all kinds of shady, criminal & laundering services on the net. What you got is a lawless currency, with no regulations whatsoever, and no (assumed * ) oversight of trade. There is so much hacking, fraud and insider scams going on, that trusting an online wallet like Bitcoinica is just waiting for your money to be stolen. Very hostile environment. No, this is not like "real money" at all, but it still holds value.

* it is assumed gov. institutions are monitoring large transactions now


"What you got is a lawless currency" Laws are for people, not currency. Property and contract laws still apply even with different currencies. The fact that the surrounding infrastructure is still being built can be frowned upon, but this has nothing to do with laws.

And yes, it is like real money. In fact it's even more like real money than what most people use daily. Bitcoin properties are almost the same as precious metals, making it much more money-like than a fiat currency. (On which we build our bank accounts and, as yet another layer, various credit tools. At the end of the day, you start to be quite far away from "real money".) Now, if such a thing is desirable is another question entirely. Nevertheless, Bitcoin is money.


> Bitcoin properties are almost the same as precious metals, making it much more money-like than a fiat currency.

Actually, Bitcoin lacks one of the most key attributes of precious metals: precious metals have inherent value. Even if gold isn't useful as a medium of exchange, gold is still useful and has value because it has practical applications due to its high conductivity and corrosion resistance. Although gold's value is highly inflated due to speculation, gold still has a "minimum value" due to its utility in the area of electronics. If everyone one day decided "gold investment is stupid" and began dumping it, there would still be demand for gold due to the electronics market. Ditto for silver and platinum. These metals have value because you can do things with them. There will always be demand for these things, just as there will always be demand for iron, copper, and other non-precious metals.

Bitcoin is like currency in that it only has value because a group of people have collectively decided that it has value. Bitcoin's value is based on rarity, and the only thing that makes it different from traditional currency is that its rarity is guaranteed algorithmically, rather than by a centralized government.


Some value, yes, but that baseline is rather low compared to the value-as-money.


What is the difference between Bitcoinica and the most reputable bitcoin selling site? And what do you mean online wallet site like Bitcoinica?


You should store your wallet offline and only transfer bitcoins to an exchange at the instant you need to exchange them, and then empty the account. For purposes of this discussion, there are no "reputable" sites.


Well, you can as well use multiple wallets with different security/usage goals. For example, I use for my daily usage easywallet.org on my Android/iPhone/Computer, but for larger sums I have better storage.

Disclaimer: I am the developer of easywallet.org


Bitcoin has a lot of problems, but this one confuses me. People steal real money all the time; it's one of the things that makes it real money.


Why don't we get these kinds of responses when there's large-scale credit card fraud? "Hey people, it's just money, this shit happens. Go make more and quit crying."

I'll posit it's because the system we inherited—fiat currency insured by governments, poorly secured and handled by credit card companies—works just fine. Nobody would build it this way from scratch, but looking at the endless stream of fiascos with bitcoin, it's obviously better than the alternative. Bitcoin is a bad solution to a non-problem.


Because it's completely different? Credit cards are designed to be accountable and refundable. The credit card is sold with a guarantee that it cannot be used to steal money from me. They can do this because credit is not "real" money; it's credit.

Bitcoin is designed to be easy to steal because cash is easy to steal.


It's an amazing technical achievement, it's just not necessary or desirable. There's no music format that replicates vinyl's degradation with each performance. This is not just because it would be hard, but also because it would be undesirable. We just don't need a currency that solves non-problems and brings back solved ones: it's undesirable.


Perhaps we don't, but that is the purpose of Bitcoin: To be digital cash, with all that that entails, for better or worse.


With bitcoin, the muggings like this incur a 50% or 100% loss, impacting those who extended trust to the wrong place.

With fiat, the muggings when using a payment card incur a 3% loss each time the currency is used, impacting every person on every transaction.


That's why people with significant amount of real money usually store it in properly secured and insured banks and similar institutions, not in a locker rented from some guy they never met. Unless, of course, they can't go into a bank for some reason - like having problems with The Law.


I can only presume that Bitcoin, to what extent it's spent on real transactions, is disproportionately favored by the type of person who would not put their money in a bank account.


This incident was a bank robbery. Cash has the same problem.

It's not like the thief subverted a flaw in bitcoin security. He ruined a crappy centralized service built on top of a decentralized system.


Except banks are FDIC insured.


More like a bank designed with an overly weak vault, because nobody at the bank spent a lot of time designing a very secure vault.


Which means the currency the bank housed has a "not real" market, obviously. That's the "logical" conclusion, right?


I think this is awesome. We'll see technological evolution in its truest and rawest form happen at light speed. With every mistake and error comes a fix.

When someone crashed into the highway-wall when you are getting off the highway on a ramp the first time, they learned they needed to put barrels filled with water to cushion the impact.

I can't wait to see what awesome, hardened code comes out of this. :D


"Innovate quickly and break things" is a strategy for social networks and games, not financial platforms nor life support systems. I hate that on one hand, we have people saying "Bitcoin is a totally real currency" and accepting payments, and on the other we have sites falling like flies to vulnerabilities and the defense being "we're just learning".


I am not in any way defending, friend. Rather, I agree with you - the "innovate ... " strategy should not be in financial nor life support systems. It's unfortunate we're still bailing banks out today, and re-deciding what's good and bad for our health/medicine/etc.

With that said, once a mistake is made, we can't turn back time. I love watching society get stronger and stronger. If you think about it, it's our ability to pass on and learn from our mistakes that has helped us get here today. Otherwise, who knows, we might not even have had agriculture yet.

(Which also could be good or could be bad. For example, I'm allergic to gluten -__- )

Either way, I'll end with this quick story:

http://www.conures.net/stories/horse.shtml

(note: this is a shortened version and the story could go on forever).


So learning from your mistakes is relevant for everything except financial platforms and life support systems? Those we need to get perfect out of the gate?

That sounds great. Please provide some examples of financial systems (isn't capitalism a big experiment?) and life support systems (yeah we're not poking a stick at the environment at all...) supporting this theory.

I honestly don't have a dog in the bitcoin race, but considering it's a fairly recent invention I expect there'll be some growing pains just like everything else.


People building financial and life support systems should not only learn from their own mistakes, they should (must) also learn from the mistakes of their predecessors. If it takes you ten times to learn how to light a charcoal grill because you're too stubborn to ask for help, that's one thing. When you're dealing with money, you have a responsibility to try a little harder. "Don't put high value ssh keys on a server shared with irc yahoos" should not be a growing pain a financial platform experiences.


This has very little to do with currency regulation, more with banking and security. It's like some guy opening a bank in an old garage with thin plaster walls, simple pin tumbler locks on the doors and a regular metal closet as storage for money. One has to be really careless to put one's savings into such a bank, and the only reason I can imagine why people did that is because it was not apparent to them.

Building a secure, publicly accessible website that can store bitcoins is very hard. Almost all common software has multiple vulnerabilities, and the fact that stealing bitcoins once a system is compromised is trivial, and, as I understand, irreversible (unlike breaking into a bank website, for example, but like breaking into a bank vault with cash) - this makes such a task super-hard. I would be very suspicious about any professional that is not properly intimidated by such a task. I'm not saying it's not doable at all - probably can be done, but if somebody claimed he did it I'd ask for a lot of proof before I give him my money.


One of the things that makes a public website that deals with bitcoins secure is that it SHOULDN'T store them, or at least not an amount worth stealing.

Bitcoinica lost a huge amount of coins in March (more than this time) because they stored their wallet online, you shouldn't do this, use cold storage.

OK, Bitcoinica do use cold storage, just that their hot wallet was pretty bloody big.


I could point out several fallacies in your post. The most obvious one is that some very, very smart people (including at least one professional Linux kernel hacker) are doing a good job working on the official bitcoin client, so it's not true that the only people working on Bitcoin stuff are Rails users.

But what's the point in pointing out this and other fallacies in your post when you already stated that I am misled and that you're not willing to listen to me?

This kind of comment does not belong on HN. I don't care if you're PG, I would still say the same thing.

EDIT: Also, I really strongly resent that you're trying to stop me from doing what I want with my time and money, which is what you're doing when you insist that bitcoin needs to be regulated. You have no right to tell me how to spend my money. Fuck off, man.

EDIT AGAIN: OP edited his comment after reading this comment, so this comment probably looks too harsh (but it wasn't originally).


By "Bitcoin stuff", I mean the secondary markets that have arisen around it. That was probably a poor choice of phrase, and I'll update accordingly. I agree that Bitcoin itself is probably cryptographically strong and mostly well-designed.

To respond to your edit, regulation does not tell you how to spend your money. Regulation ensures that the systems accepting your money are designed against and proactively secured against failures such as this one, so you don't lose. FDIC insurance at your bank is an example of regulation designed to protect you. I have no interest in telling you how to spend your money; I do have an interest in the systems processing that money being reliable and safe.

I will ignore the rest of your needless incendiary comment, as it has no place on HN. You also don't need to inform everyone that I've edited my comment, as I did that for you at the base of it.


I love when two people claim each other's post has no place on HN.


I claimed his incendiary language has no place on HN, as one of the guidelines is to be civil. I did not claim his post has no place on HN. It's also just good manners to not flame someone to death for attacking something you hold dear. Be objective, and reasonable.


My problem was that you specifically said that all supporters of Bitcoin who comment in response to your comment are automatically wrong.

Which is kind of ridiculous, given that my response prompted you to correct something you had said.

I don't know what incendiary language you're talking about except maybe "Fuck off, man" which is tit for tat when you are advocating making something I've put money into, which is also completely harmless, illegal. I'll probably regret saying that, but that doesn't mean it wasn't deserved.


That part of my comment was specifically designed to annoy folks like you, because you really need to have a hard look at the safety of the currency that you love. The only people that are going to get upset about that are the zealots, and those that support Bitcoin strongly. It is that opinion which needs revision, since Bitcoin is costing people real money now with spectacular failures such as these.

That game started being played once there were graphs of Bitcoin vs. USD and people started converting back and forth and speculating. Remember that big pop of value? Yeah, me too. I almost cashed in on it, as I had generated a shitload of BTC (~$14,000 in 'value') using a big farm. Then I questioned the safety of the sites that would be giving me the USD when I wanted it, and thought better of it. Overseas business, without real regulation, is dangerous territory. Deleted the wallet, never looked back.

Bitcoin won't be prime time until the awfully-designed, one-man-band, usually-offshore-and-questionably-legal Web sites stop. The end.

> Which is kind of ridiculous, given that my response prompted you to correct something you had said.

I didn't correct it, I reworded it because you misunderstood.

> I don't know what incendiary language you're talking about except maybe "Fuck off, man" which is tit for tat

Stuff like my comment doesn't belong, you're going to tell me even if I'm pg, fuck off, pretty much half your comment.

> when you are advocating making something I've put money into, which is also completely harmless, illegal

I never advocated for such a thing, and it is your prejudices toward the word "regulation" that are driving your responses such as this one. There is heavy regulation on motor vehicles, which is why every time you get in a car, it doesn't explode and kill you.

> I'll probably regret saying that, but that doesn't mean it wasn't deserved.

I don't deserve any harassment for sharing my opinion. Ever.


Honestly, I think you both need to take a deep breath, step back and stop this conversation.

It doesn't matter who's right or wrong, debating it in this way is just not effective, and HN is not the place for it.


Yes. Please just stop.


FWIW, I really deeply regret getting into it, and I've deleted some subsequent posts I made that (fortunately) did not have responses.


Wait -- you deleted Bitcoins worth around 14,000 USD when there are exchanges (like Mt. Gox) who are very openly trying to comply with any applicable regulations, local and international, and who would have gladly exchanged your Bitcoins for real USD? Unless you're trolling or lying, that's not something I would so proudly admit. It says a lot more about your common sense than whatever ideological statement you were trying to make.

BTW, I completely agree with your thesis that BTC will continue to fail until it stops attracting so many thieves, crackers, and get-rich-quick con men. That's actually why I pulled out of the game. But delete 14,000 USD worth of BTC? Come on, man.


I don't think this deserves a response, but I do apologize for saying "Fuck off," just because it's not worth behaving that way even if you feel like someone deserves it.


Wait, you deleted bitcoins "worth" a few thousand dollars?


Jeez, I sure hope Uncle Sam comes to protect us all from these big, mean hackers and these over-confident programmers.

That is the only way we will ever be safe. I would put a </sarcasm> but I can't turn it off that quickly.


You should be attacking Bitcoin itself.

Let's see. Real security people will tell you it's a disaster. Real economists will tell you it's a disaster. What else do you want?


> Real security people will tell you it's a disaster.

No, they won't. Bitcoin is built upon decades of battle-hardened industry-standard cryptography. The day someone cracks SHA you'll have a lot more to worry about than your Bitcoin wallet.

The only security problem with Bitcoin is people building insecure systems around it. Which of course has nothing to do with Bitcoin.


It does have something to do with Bitcoin. Bitcoin is a fully digital currency which isn't guaranteed by any bank or company. It requires its users to be way, way safer with their computers than almost anyone is.


Surely it depends on how much currency you happen to be holding?

At the moment, most holders of Bitcoin are people either speculating or experimenting with it. But if Bitcoin ever becomes a more generally used medium of exchange, users don't have to hold a lot of money for it to be useful, in the same way you wouldn't keep a lot of cash in your wallet.


It's based around "battle-hardened industry-standard cryptography", but that cryptography is used in a less than standard way. Remember that it doesn't matter how secure the underlying cryptographic primitives you're using are if the way you're using them is flawed.


> Bitcoin is built upon decades of battle-hardened industry-standard cryptography.

Like Debian's OpenSSL PRNG?


There is no bitcoin market because some of the trading platforms that also work as banks have a hard time doing a good job?

Pssh, what a lame argument.


Care to refute it in any way, or are you just going to post pointless noise?


The US Dollar sucks because we had to bail out banks. NASDAQ sucks because they fumbled on Facebook's IPO. What other drawn out doomsday conclusions do I need to make?


A relevant one, for starters.


The currency and its audience are different.


Not at all. These sites that are being repeatedly compromised and yet positioned as "the market" for Bitcoin are, for all intents and purposes, the currency. Compare to USD: banks, exchanges, conversion, speculation. Without them, USD is just me handing someone else some paper, and Bitcoin is just as useless without the "market" as defined by a few hobbyist Web devs, in this case.

Think about it. I can send a Bitcoin address some Bitcoins, which is equivalent to me handing someone else some cash. Anywhere you want to go from there requires an external market, and that includes:

    - Accepting Bitcoins online
    - Converting to Bitcoins
    - Speculating with Bitcoins

ALL of those things are a "secondary market" which, in turn, increase the value of the currency. Traditional currencies have extensive support structures built around them, and those structures are heavily regulated to avoid this exact scenario. So far, Bitcoin has some hobby Web sites without any real consequences for fucking up.


This is an argument over semantics. What you seem to be claiming is basically that a currency is defined by both its inherent features and its supporting ecosystem.

So in BTC's case, inherent features = protocol, client, and miners. Supporting ecosystem = buyers, sellers, savers, merchants, exchanges, investors, speculators, banks, escrow, etc.

Further, you seem to assert, failure of parts of the supporting ecosystem causes BTC to lose value (true), and that losing value means the currency is failing (not necessarily, stochastic variables fluctuate, hard to tell the signal from the noise).

The value of a currency is fundamentally a function of its demand relative to its supply (as with pretty much everything in this world). Demand for currencies increases with their utility.

For example, is it the only currency in the world you can buy oil with? If yes, utility increases -> demand increases -> value increases (ceteris paribus, no increase in supply).

In that regard, Bitcoin appears to have a strong baseline of utility in that its core technologies are relatively sound. Truthfully it's probably too soon to make that call, given potential problems with mining pool consolidation, pseudo-anonymity, etc.

But Bitcoin's core technology is so far sound enough to provide a consistent utility/demand/value/price baseline relative to the shaky, hobbyist/amateur supporting ecosystem that has sprung up around it.

So that when even its biggest exchange MtGox.com is hacked, or one of its most high-profile financial companies Bitcoinica.com is hacked and bankrupted, the BTC price in dollars continues to revert to a mean of around $5-$6, aka the BTC Baseline.

So, asserting that failures of BTC's peripheral components represent failure of the currency itself, or that BTC is not a currency because its supporting ecosystem (which the BTC devs have almost no control over) is weak, is a bit of hyperbole, and the reason for all the pushback.

Also, keep in mind that Rome wasn't built in a day. Building a new currency of any sort is difficult (ask Europe), and building one that's made of electricity and algorithms instead of gold or sovereign debt is probably one of the most difficult things in the world, and BTC is the first viable one humanity has ever seen.

Getting the core technologies right is crucial, and the BTC team has done a great job for their first try, but have another few decades of continuous improvement before it will be considered truly sound.

Asserting at this point that it has failed or succeeded is probably a bit premature. The jury will be out for a while yet. Speculate at your own risk.


"It's my fault to not set up a offline backup schedule."

For fuck's sake.


Everybody fucks up their backups at least once. Of course most of us don't keep money on our servers...


Looks like a bunch of accountants and wannabe bankers bought some developing books and started to "invest" in BitCoin. They are missing the basics.


They're not necessarily accountants and business school dropouts. Never underestimate the incompetence of the average IT worker.


According to the original thread (http://news.ycombinator.com/item?id=2973301), the creator is a 17/18 year old.


No fucking kidding. This, the Mtgox hack (and insecure storage of passwords) is amateurish idiotic nonsense.


Protecting physical gold is just as hard a problem. Placing the gold inside a steel and concrete Box where only one person can open it still isn't secure. The problem is that without laws to punish people who steal, they will eventually break all of your security layers.

Perhaps we can design a new currency that goes back to basics. Money is just a contract between two humans, goods or services now are traded for claims on future human labor. Instead of using numbers or possession of objects, use something that can't be stolen. A system that streamlines the ancient bartering system. Trade you 100 gallons of milk for a new transmission. But instead of holding money, you perform the transaction real time. Instead of being paid in money, you get paid in receipts for goods/services performed which can be traded.


Adam Smith actually wrote about just such a system, which later came to be called Real Bills.

http://www.safehaven.com/article/17603/real-bills-revisited

TLDR: When a merchant buys, say, a dress, from a producer, the merchant pays the producer with a note that gives the note's recipient the right to x% of the eventual sale price of the dress.

The producer can then use notes like that as a form of collateral for their own notes, which they can use like cash to pay upstream suppliers with it (fabric, thread, dye, sewing machines, etc).

Items tend to sell, or clear, within 91 days, so that is the term of the note. Eg, the note is 'self-clearing' within 91 days.

Eventually the dress will sell, and the cash/gold proceeds will remit up the chain, from merchant -> producer -> upstream suppliers, until all the notes and their derivatives are redeemed.

It's basically an alternative to bank credit that's backed by sales of real goods.


>> Placing the gold inside a steel and concrete Box where only one person can open it still isn't secure.

Nothing is really secure. But typically a gold vault is accompanied by a person with a gun who will shoot you if you try to take gold. There is no danger of physical harm in trying to steal Bitcoins. This is a fundamental difference.


I don't even run anything close to something as important as Bitcoinica and I have daily database backups. What were they thinking??


Are your daily backups set up in a way that they are impossible to delete if your server is 0wned (either offline or using some kind of write-only scheme)? If so, I think you're ahead of most people...


Yikes.



