"I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people. There's also very nontrivial odds of being on the wrong end of armed Federal agents, based on some of the other comments you've made here. This is a horrible, horrible first-project sort of project."
"Doing your best probably isn't enough. To have any hope you'll have to hire expensive security people and buy lots of insurance.
All you need in order to be exploited is to be using software with 0day exploits. Many known exploits are not public. In a very real sense, you are only protected to the extent that you are a small target.
As the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%. Software really is THAT insecure and bitcoin thefts are not prosecuted making it basically risk-free to steal bitcoins."
"-- spectacular failure is your destiny if you don't work very hard to prevent it
-- spectacular failure may be your destiny even if you do work very hard to prevent it"
> To the person above, here's what happened:
> - Bitcoinica has an internet mailing list called firstname.lastname@example.org
> - It was the email for the website and all sensitive accounts.
> - You could request a password for that email. In a production system, that
> should never be possible.
> - Several people had access to this mailing list (non-admins and business
> people included).
> - Patrick got added.
> - His personal email was compromised. Normally this shouldn't be a big deal; I
> use my personal email at internet cafes and public computers.
> - Attacker was able to request a new password and log in to Rackspace.
> The assumption here was that email@example.com did not have access to
> critical infrastructure.
> Lastly, it was my fault Patrick's email server got compromised. I had a VPS
> for programming and development which many people had access to - randoms from
> #c++ IRC, people from this forum, beginners I was teaching, etc. It's a
> public VPS for development. The SSH key on there was added to Patrick's server
> because we were developing the bitcoinconsultancy.com website on there (that's
> why it's now down). My SSH key was stolen and he ssh'ed into the box.
> Then had access to his emails.
 : https://manage.rackspacecloud.com/pages/Login.jsp
"I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm only 17."
I was waiting since then to see how bad can things possibly go.
Unlike other sites where people hack for fun, bitcoin offers hackers the opportunity to get some real money.
For example, geometry was literally invented to measure land. I'm sure that when the Pythagorean theorem was discovered, some of the first "geometers" did screw up and made a wrong land measurement. Maybe some of the reactions at the time were: "Well this geometry thing is too dangerous, if one small calculus error could make me lose half my land. It will never catch on."
They didn't make offsite backups (sounds like they used to but stopped).
When the server was compromised they didn't realise that it could be deleted by the cracker.
One thing I don't understand, as these appear to have been real servers on Rackspace (you wouldn't exactly use a shared VPS, surely not?!?) couldn't they be recovered after the online "delete server" button was pressed? The top comment on the linked thread says that Rackspace had the server locked down with the only available option for the cracker to delete (which sounds very strange).
This site had a massive running profit and still went for the very cheapest option. Rackspace even offers financial services grade servers. I bet these aren't cheap though.
I doubt very much that anyone is still using the site.
Sounds like a great place to put money in.
People will always need bitcoin exchanges to convert between bitcoin and other currencies, but those don't need to be storing other people's bitcoins.
In reality, this was plain amateur security practice, and if this sort of sloppiness continues, the bitcoin brand will be trampled so badly it will never get off the ground.
(1) Fixed total supply, so it can't be manipulated by central banks.
(2) Fast online transactions (e.g. Paypal, without the problems of Paypal); ease of developing all kind of Web services around this.
(3) Anonymous transactions are possible, which can be beneficial in many ways (for example, not getting taxed...)
(2) meanwhile I can buy things with one click using dollars.
(3) tax evasion, drug dealing and money laundering are not things that society generally wants to facilitate
Yes, the handful of people who understand how our banking and currency system works but aren't in a position to suckle at its teat.
But try transferring dollars electronically, or even just from one of your own accounts to another in a different bank.
Neither does society generally want to facilitate government's abuse and debasement of its currency in attempt to cover up its willful blindness to widespread financial fraud and malfeasance. Pick your poison.
In my Wells Fargo account, I can transfer to another bank's account in three clicks and about two minutes. All I had to do was set it up and prove that I own the other end. Deposits usually clear that day.
With bitcoin, you can also do all this at anytime, not just within the 9-5 Mon-Friday, no holiday bank schedules.
> The fees are dramatically cheaper (domestic wire transfers are at least $10, international are more like $30)
I pay no fee for the service I described. Not a penny.
> and there's no need to 'prove' anything.
This took a few hours, and was quite low-effort. Not a problem I'm looking to solve in my life, since I only did it once.
> With bitcoin, you can also do all this at anytime, not just within the 9-5 Mon-Friday, no holiday bank schedules.
As can I.
You can design bitcoin with a slowly increasing bounty each year, as long as the protocol is there, no central institution can control it.
(as a matter of fact, if the 50 BTC bounty were to continue indefinitely, the rate of money expansion would decrease over time)
Anyway, as you said, someone certainly could fork bitcoin to make a system where the money supply is expanded indefinitely. I don't think it would catch on, though... at least unless bitcoin has already become "accepted."
Certainly where I am you'd still be taxed; you're just avoiding paying the tax by hiding your identity. Tax here (UK) is still due if you choose to barter for goods/services so I can't imagine using an unofficial currency would make the slightest difference.
However, if my clients used Bitcoins, I would receive the money in an hour or less, and pay like a $0.10 charge. And no one would have the power to suddenly say, "oh wait, we're going to have to raise our fees".
Thousands of freelance writers, translators, programmers do a significant portion of their work with international clients. But the banking system rules out doing any job worth less than several hundred dollars, unless you want to lose 1/4 or 1/5 of your income to fees. I routinely turn down jobs that I could do in 30 minutes and make $150 because it's not worth the hassle of arranging an international wire transfer.
Do you understand now the legitimate need for this kind of currency?
Seriously, if you hate modern currencies, buy gold or silver or 20 year old scotch, hide it away...problem solved. Bitcoin was nonsense from conception.
100% legitimate uses? Well you could use it instead of Paypal and save a couple of bucks in fees but it's a lot harder than just using Paypal and there's no recourse if something goes wrong.
You don't have to create an account, add credit/debit cards and bank accounts, get verified, etc.
Definitely no recourse if things go wrong, but also no way for black hats to game direct P2P BTC payments either, like they can with PayPal's resolution and chargeback system.
Basically, I'll trade bonds in GLBSE listed mining companies for shares in DMC: ~2/3rds of a BTC worth of bonds for 1 BTC worth of DMC.
Bitcoinica royally screwed a large number of investors, and I want people to know and understand that not all of us are people out to steal their money. Some of us really are completely honest businessmen.
Perhaps I'm the only one that feels this way (I almost hope I am), but this news is making me want to put all of my money in bitcoin. It's a good time to get in on the action.
But those "investing in bitcoins" wouldn't have lost from this unless they also happen to have been speculating at Bitcoinica with them. Bitcoinica is a service where a financial product called a contract for difference (CFD) is traded.
I will never call Bitcoin a real currency until you see a platform that actually knows what it's doing. Really, I'm sorry, that's just how it is, and the Bitcoin fans that are about to show up and try to tell me otherwise are just as misled (and are inevitably going to be victims of being so myopic). If you want to call Bitcoin real money, it needs to be treated like real money. In software terms, that means it is a big deal.
There is a reason currency is regulated heavily. You are witnessing it.
Edit: Clarified that I'm not attacking Bitcoin itself.
You couldn't get away with it today, not for that long, but it was possible with "real" money, "real" banks, all government backed, at one time. And that had centralization and identity built into it. The bitcoin community isn't big enough to have serious security professionals yet, but that doesn't disqualify it as a currency market.
They get stronger.
Hobbes: without government, life has historically tended to be 'solitary, poor, nasty, brutish, and short.' As a practical matter, it's a lot easier to enjoy your liberty when your property isn't under constant assault from everyone else; by everyone pooling a little of their individual sovereignty in a government, aggregate liberty is vastly increased. It's a political economy argument at its core.
* it is assumed gov. institutions are monitoring large transactions now
And yes, it is like real money. In fact it's even more like real money than what most people use daily. Bitcoin properties are almost the same as precious metals, making it much more money-like than a fiat currency. (On which we build our bank accounts and, as yet another layer, various credit tools. At the end of the day, you start to be quite far away from "real money".) Now, if such a thing is desirable is another question entirely. Nevertheless, Bitcoin is money.
Actually, Bitcoin lacks one of the most key attributes of precious metals: precious metals have inherent value. Even if gold isn't useful as a medium of exchange, gold is still useful and has value because it has practical applications due to its high conductivity and corrosion resistance. Although gold's value is highly inflated due to speculation, gold still has a "minimum value" due to its utility in the area of electronics. If everyone one day decided "gold investment is stupid" and began dumping it, there would still be demand for gold due to the electronics market. Ditto for silver and platinum. These metals have value because you can do things with them. There will always be demand for these things, just as there will always be demand for iron, copper, and other non-precious metals.
Bitcoin is like currency in that it only has value because a group of people have collectively decided that it has value. Bitcoin's value is based on rarity, and the only thing that makes it different from traditional currency is that its rarity is guaranteed algorithmically, rather than by a centralized government.
Disclaimer: I am the developer of easywallet.org
I'll posit it's because the system we inherited—fiat currency insured by governments, poorly secured and handled by credit card companies—works just fine. Nobody would build it this way from scratch, but looking at the endless stream of fiascos with bitcoin, it's obviously better than the alternative. Bitcoin is a bad solution to a non-problem.
Bitcoin is designed to be easy to steal because cash is easy to steal.
With fiat, the muggings when using a payment card incur a 3% loss each time the currency is used, impacting every person on every transaction.
It's not like the thief subverted a flaw in bitcoin security. He ruined a crappy centralized service built on top of a decentralized system.
When someone crashed into the highway-wall when you are getting off the highway on a ramp the first time, they learned they needed to put barrels filled with water to cushion the impact.
I can't wait to see what awesome, hardened code comes out of this. :D
With that said, once a mistake is made, we can't turn back time. I love watching society get stronger and stronger. If you think about it, it's our ability to pass on and learn from our mistakes that has helped us get here today. Otherwise, who knows, we might not even have had agriculture yet.
(Which also could be good or could be bad. For example, I'm allergic to gluten -__- )
Either way, I'll end with this quick story:
(note: this is a shortened version and the story could go on forever).
That sounds great. Please provide some examples of financial systems (isn't capitalism a big experiment?) and life support systems (yeah we're not poking a stick at the environment at all...) supporting this theory.
I honestly don't have a dog in the bitcoin race, but considering it's a fairly recent invention I expect there'll be some growing pains just like everything else.
Building a secure publicly accessible website that can store bitcoins is very hard. Almost all common software has multiple vulnerabilities, and the fact that stealing bitcoins once a system is compromised is trivial, and, as I understand, irreversible (unlike breaking into a bank website, for example, but like breaking into a bank vault with cash) - this makes such a task super-hard. I would be very suspicious about any professional that is not properly intimidated by such a task. I'm not saying it's not doable at all - probably can be done, but if somebody claimed he did it I'd ask for a lot of proof before I give him my money.
Bitcoinica lost a huge amount of coins in March (more than this time) because they stored their wallet online, you shouldn't do this, use cold storage.
OK, Bitcoinica do use cold storage, just that their hot wallet was pretty bloody big.
But what's the point in pointing out this and other fallacies in your post when you already stated that I am misled and that you're not willing to listen to me?
This kind of comment does not belong on HN. I don't care if you're PG, I would still say the same thing.
EDIT: Also, I really strongly resent that you're trying to stop me from doing what I want with my time and money, which is what you're doing when you insist that bitcoin needs to be regulated. You have no right to tell me how to spend my money. Fuck off, man.
EDIT AGAIN: OP edited his comment after reading this comment, so this comment probably looks too harsh (but it wasn't originally).
To respond to your edit, regulation does not tell you how to spend your money. Regulation ensures that the systems accepting your money are designed against and proactively secured against failures such as this one, so you don't lose. FDIC insurance at your bank is an example of regulation designed to protect you. I have no interest in telling you how to spend your money; I do have an interest in the systems processing that money being reliable and safe.
I will ignore the rest of your needless incendiary comment, as it has no place on HN. You also don't need to inform everyone that I've edited my comment, as I did that for you at the base of it.
Which is kind of ridiculous, given that my response prompted you to correct something you had said.
I don't know what incendiary language you're talking about except maybe "Fuck off, man" which is tit for tat when you are advocating making something I've put money into, which is also completely harmless, illegal. I'll probably regret saying that, but that doesn't mean it wasn't deserved.
That game started being played once there were graphs of Bitcoin vs. USD and people started converting back and forth and speculating. Remember that big pop of value? Yeah, me too. I almost cashed in on it, as I had generated a shitload of BTC (~$14,000 in 'value') using a big farm. Then I questioned the safety of the sites that would be giving me the USD when I wanted it, and thought better of it. Overseas business, without real regulation, is dangerous territory. Deleted the wallet, never looked back.
Bitcoin won't be prime time until the awfully-designed, one-man-band, usually-offshore-and-questionably-legal Web sites stop. The end.
> Which is kind of ridiculous, given that my response prompted you to correct something you had said.
I didn't correct it, I reworded it because you misunderstood.
> I don't know what incendiary language you're talking about except maybe "Fuck off, man" which is tit for tat
Stuff like my comment doesn't belong, you're going to tell me even if I'm pg, fuck off, pretty much half your comment.
> when you are advocating making something I've put money into, which is also completely harmless, illegal
I never advocated for such a thing, and it is your prejudices toward the word "regulation" that are driving your responses such as this one. There is heavy regulation on motor vehicles, which is why every time you get in a car, it doesn't explode and kill you.
> I'll probably regret saying that, but that doesn't mean it wasn't deserved.
I don't deserve any harassment for sharing my opinion. Ever.
It doesn't matter who's right or wrong, debating it in this way is just not effective, and HN is not the place for it.
BTW, I completely agree with your thesis that BTC will continue to fail until it stops attracting so many thieves, crackers, and get-rich-quick con men. That's actually why I pulled out of the game. But delete 14,000 USD worth of BTC? Come on, man.
That is the only way we will ever be safe. I would put a </sarcasm> but I can't turn it off that quickly.
Let's see. Real security people will tell you it's a disaster. Real economists will tell you it's a disaster. What else do you want?
No, they won't. Bitcoin is built upon decades of battle-hardened industry-standard cryptography. The day someone cracks SHA you'll have a lot more to worry about than your Bitcoin wallet.
The only security problem with Bitcoin is people building insecure systems around it. Which of course has nothing to do with Bitcoin.
At the moment, most holders of Bitcoin are people either speculating or experimenting with it. But if Bitcoin ever becomes a more generally used medium of exchange, users don't have to hold a lot of money for it to be useful, in the same way you wouldn't keep a lot of cash in your wallet.
Like Debian's OpenSSL PRNG?
Pssh, what a lame argument.
Think about it. I can send a Bitcoin address some Bitcoins, which is equivalent to me handing someone else some cash. Anywhere you want to go from there requires an external market, and that includes:
- Accepting Bitcoins online
- Converting to Bitcoins
- Speculating with Bitcoins
So in BTC's case, inherent features = protocol, client, and miners. Supporting ecosystem = buyers, sellers, savers, merchants, exchanges, investors, speculators, banks, escrow, etc.
Further, you seem to assert, failure of parts of the supporting ecosystem causes BTC to lose value (true), and that losing value means the currency is failing (not necessarily, stochastic variables fluctuate, hard to tell the signal from the noise).
The value of a currency is fundamentally a function of its demand relative to its supply (as with pretty much everything in this world). Demand for currencies increases with their utility.
For example, is it the only currency in the world you can buy oil with? If yes, utility increases -> demand increases -> value increases (ceteris paribus, no increase in supply).
In that regard, Bitcoin appears to have a strong baseline of utility in that its core technologies are relatively sound. Truthfully it's probably too soon to make that call, given potential problems with mining pool consolidation, pseudo-anonymity, etc.
But Bitcoin's core technology is so far sound enough to provide a consistent utility/demand/value/price baseline relative to the shaky, hobbyist/amateur supporting ecosystem that has sprung up around it.
So that when even its biggest exchange MtGox.com is hacked, or one of its most high-profile financial companies Bitcoinica.com is hacked and bankrupted, the BTC price in dollars continues to revert to a mean of around $5-$6, aka the BTC Baseline.
So, asserting that failures of BTC's peripheral components represent failure of the currency itself, or that BTC is not a currency because its supporting ecosystem (which the BTC devs have almost no control over) is weak, is a bit of hyperbole, and the reason for all the pushback.
Also, keep in mind that Rome wasn't built in a day. Building a new currency of any sort is difficult (ask Europe), and building one that's made of electricity and algorithms instead of gold or sovereign debt is probably one of the most difficult things in the world, and BTC is the first viable one humanity has ever seen.
Getting the core technologies right is crucial, and the BTC team has done a great job for their first try, but have another few decades of continuous improvement before it will be considered truly sound.
Asserting at this point that it has failed or succeeded is probably a bit premature. The jury will be out for a while yet. Speculate at your own risk.
For fuck's sake.
Perhaps we can design a new currency that goes back to basics. Money is just a contract between two humans, goods or services now are traded for claims on future human labor. Instead of using numbers or possession of objects, use something that can't be stolen. A system that streamlines the ancient bartering system. Trade you 100 gallons of milk for a new transmission. But instead of holding money, you perform the transaction real time. Instead of being paid in money, you get paid in receipts for goods/services performed which can be traded.
TLDR: When a merchant buys, say, a dress, from a producer, the merchant pays the producer with a note that gives the note's recipient the right to x% of the eventual sale price of the dress.
The producer can then use notes like that as a form of collateral for their own notes, which they can use like cash to pay upstream suppliers with it (fabric, thread, dye, sewing machines, etc).
Items tend to sell, or clear, within 91 days, so that is the term of the note. Eg, the note is 'self-clearing' within 91 days.
Eventually the dress will sell, and the cash/gold proceeds will remit up the chain, from merchant -> producer -> upstream suppliers, until all the notes and their derivatives are redeemed.
It's basically an alternative to bank credit that's backed by sales of real goods.
Nothing is really secure. But typically a gold vault is accompanied by a person with a gun who will shoot you if you try to take gold. There is no danger of physical harm in trying to steal Bitcoins. This is a fundamental difference.