Coinbase (YC S12) seeks to bring Bitcoin to the masses (coinbase.com)
291 points by barmstrong on June 29, 2012 | 161 comments



A while ago I wrote that perhaps the greatest contribution the Bitcoin experiment will make to humankind is to teach you and me and our neighbors more about the realities of economics. And now I will add that the Bitcoin experiment will also contribute to greater understanding of attack surfaces and online crime. Many of the ideas about how to mine Bitcoins, store Bitcoins, and trade with Bitcoins as a medium of exchange illustrate both the strengths and weaknesses of any other medium of exchange in a world full of human beings. Seeing the discussion of Bitcoins here on Hacker News reminds me of early discussions in the 1990s of online payment systems such as PayPal, and the arguments beforehand that PayPal wouldn't have to invest a lot of time and effort (as it eventually did) building defenses against theft and fraud. If a weakness in a system is attached to a lot of money, the way to bet is to bet that someone will go looking for that weakness, even if you haven't thought of it.


I'd start from the other direction.

The newness of this stuff is overrated. The bitcoin phenomenon isn't ultimately different from phenomena described by Mackay: http://en.wikipedia.org/wiki/Extraordinary_Popular_Delusions...

As we know, each new version of speculative excess has the slogan "it's different this time". And each one is different, in some way. And you can extract various interesting particular lessons from all these newnesses - I'm sure after 2008, someone's written a deep, interesting article on the failure of the Gaussian copula, but really, you didn't need to understand the heat equation and Ito's Formula to know that synthetic bonds were a problem in 2006 (I'd recommend the enlightening discussions of Doug Noland of Prudent.com from that time).

But it is important to not allow ourselves to let the details of these situations distract us from the psychological dynamics which ultimately have carried all these phenomena. This psychological dynamic allows a slight stretching of numerous points to add up to the concrete mistakes one can point out later as "what went wrong". And these "what went wrong then" arguments are themselves dangerous since they generally are coupled with "so this time, the different thing we are doing is..." and so forth.

Essentially, understanding magician's tricks is great. But never let yourself be fooled by the belief that you know all the tricks.

And I am writing with the assumption that bitcoins aren't a "medium of exchange" in any meaningful way - for example, I could directly trade my car for something else valuable far more easily than I could directly trade bitcoins, and cars aren't a very meaningful medium of exchange today. This is the position that I believe most serious economists take, Nobel Prize winner Paul Krugman being on record here (not that I think this is really a left-right question).


Bitcoin is not another tulip mania, as it has unique properties that surely others have already pointed out.

Paul Krugman and others do not see the whole point.

What is money? Money is information. That's all it is. Who owes what to whom.

So we could have a giant centralized computer system that tracks everyone's move. If we want a car, the computer could tell us how much we would have to work and serve society in order to deserve that car.

Now if we want to live in a somewhat free society, we obviously don't want to be tracked that way. In a free society, there will be different concepts to approach the money-as-information idea, each with their own advantages and disadvantages, and people would choose freely what to use.

For example, there is Ripple: http://en.wikipedia.org/wiki/Ripple_monetary_system , a peer-to-peer credit system. When its base unit is set to "hours of unskilled labor", it comes very close to an information system. While it makes much sense for steady business-to-business and buyer/supplier relationships, it is necessarily trust- and reputation-based, and thus may not appeal to everyone and be applicable in every scenario. Also some seem to be concerned that it might destroy friendships. ;)

Bitcoin's approach is different. It's obviously only information as well, but simulates a commodity, thus ensuring privacy to a large degree.

So let people understand and choose.


> But it is important to not allow ourselves to let the details of these situations distract us from the psychological dynamics which ultimately have carried all these phenomena. This psychological dynamic allows a slight stretching of numerous points to add up to the concrete mistakes one can point out later as "what went wrong". And these "what went wrong then" arguments are themselves dangerous since they generally are coupled with "so this time, the different thing we are doing is..." and so forth.

I am not sure what you're trying to say. The fact that money's value is created by people merely believing it has value is not particularly insightful.

> And I am writing with the assumption that bitcoins aren't a "medium of exchange" in any meaningful way - for example, I could directly trade my car for something else valuable far more easily than I could directly trade bitcoins, and cars aren't a very meaningful medium of exchange today. This is the position that I believe most serious economists take, Nobel Prize winner Paul Krugman being on record here (not that I think this is really a left-right question).

Don't buy that assumption. For example, the majority of libertarians at Porcfest actually use bitcoin as a medium of exchange. The other money of choice are precious metals, which are beaten out by the more convenient bitcoin. BTW, how exactly can I pay my VPS with cars instead of bitcoin?


So your argument is:

Ideas/products with excessive speculation have failed in the past. Therefore, this product will fail.

I disagree with that. It suffers from survivor bias (or actually non-survivor bias). Mackay doesn't discuss ideas with excessive speculation that ultimately succeed. The internet in the 1990s and the California gold rush both had excessive speculation, but ended up being successful... so no one refers to them as 'extraordinary delusions'.


> for example, I could directly trade my car for something else valuable far more easily than I could directly trade bitcoins, and cars aren't a very meaningful medium of exchange today.

Are you sure about that? Bitcoins are easily divisible, a car isn't. Yes, you can take your car apart but the sum of the parts is worth much less than the whole car. Bitcoins can be easily transported and even transferred internationally. Exporting a car incurs a lot of overhead in transport fees and taxes. Even selling a car to someone on the other side of a large country might end up being too expensive.

No matter what you think of bitcoin, it should be compared to existing national currencies, gold, etc. I like the concept of bitcoin, but I believe that even risky currencies like those of (say) Mexico, Turkey, etc are a better bet than bitcoin.


>Yes, you can take your car apart but the sum of the parts is worth much less than the whole car

The opposite, actually, is true. It's not very intuitive, but yeah; I've got a '96 Nissan maxima with unrepaired body damage and what sounds like a suspension problem that I've gotta get rid of. If I wanted to sell it fast? I think I'd have a hard time getting four hundred bucks for it. (I mean, if I drove it into a car buying business and wanted to walk away with cash) But, the salvage yard where it would end up? I bet they'd make that much back selling all the windows and tires... then what they'd get for the other parts would be gravy.

I think the key to understanding this is that selling a car all at once is way less effort than selling each part individually. Sales takes effort and we're only measuring value within the context of a sale.

(Nothing to do with bitcoin; I just think that this is an interesting way to point out that the way we measure value ends up giving us some non-intuitive answers to how much a thing is worth.)


Just because you can't bring gold into your car dealership, or bring in gold to buy groceries, doesn't mean that it's worthless.

Bitcoins already have some concrete uses - gambling & drugs namely ;) And these uses won't disappear. There are also some more legitimate uses for Bitcoin coming up. Virtual goods for example.


I find http://www.federalreserve.gov/releases/h41/current/h41.htm a useful way to understand the realities of the US economy.


I agree, but would expand it somewhat as it's not just Bitcoin but all of the 'virtual' videogame currencies as well (Eve and Second Life come to mind).

I wonder how many people learned a lesson from Ginko Financial collapsing [1] (a little hand wavy but around $750,000 USD pyramid scheme) and weren't conned in real life.

1 - http://www.wired.com/gaming/virtualworlds/news/2007/08/virtu...


  1. Start centralized bitcoin depository.
  2. Fail to provide any loss protection.
  3. "get hacked"
  4. Profit.


That pretty much sums up the demise of Bitcoin, pretty much every bitcoin "exchange" seems to be created by high school kids doing their first steps in PHP and Javascript. Wake me up when a real bank (or a renowned exchange like Ameritrade, Intrade etc) starts trading Bitcoins.

That and for me the main blocker of Bitcoin is how to exchange my currency (MXN or EUR) into Bitcoins.


Just because it's hard to exchange EUR into Bitcoins doesn't mean that it always will be. See how it's with dollars.


While I'm not a big fan of BitCoin, I don't think this is a very good argument. You could use the same argument for banks and "get robbed". Why doesn't this happen to banks?


FDIC Insurance, lots of regulation, and criminal liability.


The difference between the bitcoin banks/cloud wallets has been that the bitcoin counterparts seldom have any law or big organization to back them but only a few hackers with a bitcoind and a web server. Some, like the old mybitcoin.com, have been hacked mysteriously with little data released, but only millions of $ worth of bitcoins gone forevermore.


I'm going to pretend you are actually serious about this. Let's make a strawman that actually makes it easier to suggest that this is "the same as banks".

Let's pretend for a minute that we're dealing with a non-FDIC insured bank (like some of the original online banks), with none of the regulatory controls that obviously provide a lot of protections.

Let's pretend for a minute that the bank stupidly keeps all of its holdings as cash that are held on site at the bank. It doesn't use notes or other securities for transactions, only cash. Let's pretend that the bank also self-insures those holdings (which basically means no insurance).

Okay, so I compromise the bank's security, take every bit of cash. I disappear to some island in the Pacific with every last cent.

How badly is the bank screwed? How badly are the customers of the bank screwed?

Actually, not that badly. I only wiped out the bank's reserves. That means both the bank and its customers have a short term liquidity problem, but not necessarily a significant asset problem.

A regulated bank would have 10% of all deposits in its reserves. Unregulated banks often have far less, but let's pretend it is 10%. The bank loses 10% of its value. If it can stay solvent, then nobody loses any money, but it might take a few days before people can make withdrawals (which could cause a bank run, but that's a whole different problem). If the bank can't stay solvent, it goes bankrupt, and depositors become creditors. It'll take a while to resolve the legal process, so liquidity is killed, but when it all ends, depositors are going to get something close to 90% of their money back.

The key thing is that the bank lends out most of the money it takes in. Even if you rob the bank of all its cash, the bulk of the "assets" of the bank are all the IOU's from lendees, which is value that is really hard to "steal", because lendees tend to only pay their lender, and then tend to do so in installments over a great deal of time.

THIS IS WRONG: Hacking Coinbase would be more akin to hacking say Visa, and redirecting all payments to you instead of the intended merchant.... if Visa's transactions were all cash based, instead of credit based... and Visa was unregulated... and even then it is kind of different because Visa is a middle man between two banks...

UPDATED: Okay, I just read they are actually storing the bitcoins in the cloud, rather than just exchange the coins between the two parties.... So actually, it's not like hacking Visa, unless Visa didn't reconcile their transactions with its customers for extended periods of time and held all of the float as cash.


So what you're saying is that banks are more stable because only a small portion of their assets are kept as reserve? In that case, what's stopping bitcoin "depositories" such as this converting the bulk of their assets to something else as well?


They can't do that because there is nowhere really safe to put the BTC. They cannot loan it out because nobody needs that much BTC, and it's unwise to invest it in USD or anything else because of the currency's fickleness compared to USD (you could lose a lot of money, or possibly make some).

The problem is that the current Bitcoin "banks" aren't really banks. They're more akin to socks under a mattress than a bank.

At a very basic macro economist level, banks have two functions:

1. They are a place for clients to place their money. To incentivize this behavior, they pay those clients interest on the money in their accounts to keep it there.

2. They take that money and give out loans to people, and charge interest over the time it takes to repay the loan.

In a healthy economy, the two feed each other. Broadly speaking, the circulation of currency works like this: People/businesses take out loans. That money is used to buy things (houses, cars, short term equipment expenses, etc.). The businesses that are paid for the goods/services pay their employees, who put the money into the bank. Note that even in this situation, banks aren't entirely necessary, because people could just buy stuff, which goes to employers, who pay employees, who buy stuff...

Bitcoin does not have either economy yet. Right now, it's used just to buy things, with BTC being converted to a "real" currency (USD, Euro, etc.) on both ends. So it's really just a single directional currency. So, right now, if I wanted to operate a Bitcoin bank, I'd have to convert it to USD or some other currency, and keep it totally separate from my liquid BTC wallets to mitigate the risk of getting hacked and the wallets getting stolen. Unfortunately, that's incredibly risky, because I would then have to deal with the exchange rate between BTC and USD.


This is not exactly true. I believe MTGox uses offline wallets for the storage of the funds, and I'd expect any other sane bank uses it as well.

If someone breaks into the MTGox, they'll be only able to steal the "reserve". To get to the real money, the MTGox admin has to physically go into a vault (safe), and retrieve its contents.


That isn't necessarily the fault of BTC banks though. Let us be honest here - if we (the viewing public of HN) collectively wanted to put in every effort to supplant fiat currencies for BTC so nobody can print it anymore, all of us combined would not have the financial assets required to sway the supermassive giants of the world like Walmart, Amazon, Google, Apple, the big 3 car manufacturers, realtors, and more importantly than anything else, the stock markets to start trading in BTC would take the financial efforts of pretty much the entirety of the top 400 wealthiest Americans.

The markets are more resistant to currency shift than enterprises are to getting off XP and IE6. BTC will always fail because everyone is too lazy to get rid of the dollar as the reserve currency.


> BTC will always fail because everyone is too lazy to get rid of the dollar as the reserve currency.

All it takes is enough people using it.


Well, it doesn't make them more stable, but it makes them more resilient to criminal theft.

Bitcoin "depositories" open up a pretty big can of worms if they convert their assets. Part of the point of using bitcoin is not to have to use other assets.

They could start lending bitcoins, but that's going to invite a lot of scrutiny, particularly from the regulators.


If Joe Blow rents a $20/mo. VPN and opens up the "First Federated Bank of Joblovia", chances are he isn't going to be able to take a whole lot of wire transfers to his Bank of America account before the feds move in and shut him down. In fact this is basically what happened to some of the earliest Bitcoin exchanges who were less sophisticated with how they moved currency in and out; guys like Jered from Tradehill used their personal bank accounts to take money from people, and gave them Bitcoins online. The cashflow problems and subsequent collapse stemmed more from the constant shutdown of bank accounts than from the "misunderstanding" with Dwolla as to the nature of Dwolla's chargeback policy. I think.

In any case, Bitcoin offers the ability to do exactly this: Open a completely unregulated financial institution with no accountability. Looking at this site, the first question in my head was "Where are your coins stored?" Second was, "What are the limits, and how, exactly, do you guarantee funds will transmit since every country in the world has different limits, regulations and KYC disclosures required to make that possible?"

The answer for Bitcoin businesses thus far has mostly been "don't worry about it". In Bitcoin that's slang for "I'm using my bank account, my buddy's bank account, my girlfriend's bank account...and I swear you'll get your money on time until you don't, and I'm gone, and you're fucked."

This looks to be yet another one. No news here.


Since many people use Bitcoin specifically because it is unregulated, they won't complain to the government when their Bitcoins are stolen. What trotsky is really saying is that a Bitcoin company can just embezzle its customers' money and blame it on hackers. It's hard to know whether this has ever happened, but there have been some fairly sketchy incidents.


noduerme, it appears you have been hell banned.


The truth is that all your money has already been stolen from the banks but we pretend it's still there via devaluing savings via money printing in an attempt to maintain the illusion each time the banking debt pyramid is about to collapse.


He's echoing the many, many scandals of centralized bitcoin banks that had the same thing happen over the past year. It's like the wild west out there.

https://en.bitcoin.it/wiki/MyBitcoin


Please explain the use of "scare quotes" -- do you emphasize ease of the hack, or do you imply inside job rather than actual hacking?


Inside job. Hence the "profit" in step 4.


At some point gross negligence becomes indistinguishable from malicious behavior.


Obviously he means inside job, as the next point is "Profit". Was that not blatantly obvious?


Google "scare quotes" + "dan bloom" to see the inside skinny on the meaning and origins of the scare quotes term, first coined in 1934! But why is SCARE part of the term? If you know, email me at danbloom AT gmail


this is the tried and true model.


It looks nice, but I don't see anything addressing safety and security. How does this service guarantee that any money you transfer to them will be kept safe? Also, do they guarantee that if a break-in occurs like the Bitcoinica disaster, that users' monies will be returned?


Yep - sorry we should really add a page on that. We're storing wallets in the cloud so this is an important concern. Private keys are encrypted in the database. bcrypted passwords. We also offer two factor authentication for your logins: http://blog.coinbase.com/post/25677574019/coinbase-now-offer...

We'll start keeping a majority of funds in cold storage as deposits grow (we're still in beta at the moment). And I think you're right a firm policy on this would be needed about loss of funds and what is covered. I'm interested in the idea of getting insurance through Lloyds of London or something along those lines, but haven't pursued it yet (we've just been building the prototype).

I worked on fraud prevention at Airbnb previously and we had lots of money flowing through the site and stored with us, so I'm familiar with best practices around this. I also have a healthy respect for what can go wrong, and I think as we grow we'll go through regular security audits (and much more scrutiny as we pursue licensing as a money transmitter). You certainly shouldn't trust us on face value though, it's something we'll have to earn over many years.


"Private keys are encrypted in the database"

Please encrypt the private keys with a key K derived from the users' passwords. When a user logs in, your server-side code can compute K and access the bitcoins. When a user logs out, the server should forget K, erase it from RAM, thus leaving the bitcoins securely encrypted on-disk. Not even an attacker getting access to your infrastructure, not even you(!), could steal the bitcoins when the user is not logged in.

Not a single online wallet service actually does it this way, the right way, sigh... This mechanism could have prevented numerous thefts: MtGox, MyBitcoin, Bitcoinica, etc.


How do you deal with the user forgetting their password in this case?


Two possibilities:

For power users, if they forget their pw, they lose their coins. Period. That's the option I would use, as someone who never lost an important pw thanks to my use of redundant password safes.

For other users, when creating an account, coinbase.com could email them a "key recovery" file (or mail them a physical QR code), with instructions to keep it permanently stored in a safe place. This key recovery file would be K encrypted with a unique IV and a key known by coinbase.com, who would not keep a copy of the key recovery file. This would satisfy all my requirements: coinbase.com would be unable to steal/access the users' coins, and an attacker merely getting access to the key recovery file would be unable to do anything with it.


Like file system encryption is done. You don't encrypt the hard drive with your pass phrase. You encrypt the encryption key to your hard drive with your passphrase. Your problem is solved with an extra key in offline storage.

In this case instead of just encrypting private keys with K (derived from user's password), you encrypt private keys with K and encrypt K with user's password. You also encrypt K with your own master key which is stored offline. You could either retrieve K manually or through a rate-limited API.

However, Estragon's point about it only slowing down the attack still holds, although in Bitcoinica's case the loss would be much less, since they discovered the attack early. "not even you(!)" however is false.
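The key hierarchy from the two proposals above (private keys encrypted under a random K; K wrapped once under a password-derived key and once under an offline master key), as an added example that is not part of the thread and not Coinbase's code. It uses only Node.js `crypto`; the record field names, function names, scrypt cost and the user-id binding via AAD are assumptions of this example.

```javascript
const crypto = require('crypto');

const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 }; // assumed cost; tune for your hardware

// AES-256-GCM with a fresh 96-bit IV. aad ties a ciphertext to its owner and purpose,
// so a wrapped key copied from another user's row fails authentication.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key, the aad or the ciphertext is wrong (GCM tag check).
function open(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

function passwordKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, SCRYPT_PARAMS);
}

// Build the database row for one user.
// recoveryKey: 32-byte master key that normally lives offline (hypothetical name).
function createWalletRecord(userId, password, walletPrivKey, recoveryKey) {
  const K = crypto.randomBytes(32);          // random data key, never stored in the clear
  const salt = crypto.randomBytes(16);
  const kek = passwordKey(password, salt);   // exists only while the user is logged in
  const record = {
    userId,
    salt,
    wallet: seal(K, walletPrivKey, `wallet:${userId}`),
    kByPassword: seal(kek, K, `pw:${userId}`),
    kByRecovery: seal(recoveryKey, K, `recovery:${userId}`),
  };
  K.fill(0);                                 // "forget K, erase it from RAM"
  kek.fill(0);
  return record;
}

// Login path: only the user's password can unwrap K on the online server.
function unlockWithPassword(record, password) {
  const kek = passwordKey(password, record.salt);
  try {
    const K = open(kek, record.kByPassword, `pw:${record.userId}`);
    const priv = open(K, record.wallet, `wallet:${record.userId}`);
    K.fill(0);
    return priv;
  } finally {
    kek.fill(0);
  }
}

// Forgotten password: done where the offline key is available. K is re-wrapped
// under the new password; the wallet ciphertext itself is not touched.
function resetPassword(record, recoveryKey, newPassword) {
  const K = open(recoveryKey, record.kByRecovery, `recovery:${record.userId}`);
  const salt = crypto.randomBytes(16);
  const kek = passwordKey(newPassword, salt);
  const updated = { ...record, salt, kByPassword: seal(kek, K, `pw:${record.userId}`) };
  K.fill(0);
  kek.fill(0);
  return updated;
}

function demo() {
  const recoveryKey = crypto.randomBytes(32);                   // stands in for the offline key
  const priv = Buffer.from('constructed wallet private key!!'); // constructed sample, not a real key
  const rec = createWalletRecord('user-1', 'correct horse', priv, recoveryKey);
  const unlocked = unlockWithPassword(rec, 'correct horse').equals(priv);
  let wrongPasswordRejected = false;
  try { unlockWithPassword(rec, 'guess'); } catch { wrongPasswordRejected = true; }
  const rec2 = resetPassword(rec, recoveryKey, 'new passphrase');
  const recovered = unlockWithPassword(rec2, 'new passphrase').equals(priv);
  return { unlocked, wrongPasswordRejected, recovered };
}

console.log(demo());
```

As the replies in this thread point out, the server still handles the password at login and whoever holds the recovery key can unwrap K, so this layout limits what a stolen database yields rather than removing trust in the operator.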


At least for the MtGox and Bitcoinica thefts, this would only have slowed the attack down. All it would take is adding a password logger. Still might be a worthwhile extra line of defense, though.


What about Blockchain.info? I thought they were doing this?


Strongcoin does this, I believe.


What do you mean by "We'll start keeping a majority of funds in cold storage as deposits grow"?

Are you re-investing some of the deposits, and the ones that you don't touch are in this so-called "cold storage"? If yes, what percentage do you keep in cold storage, and why don't we get interest if you reinvest some of our deposits?


"Cold storage" in Bitcoin parlance is a wallet that is completely disconnected from the network. Since a "wallet" is really just a collection of private keys, one example of cold storage is to scatter pieces of the wallet (M of N splitting) in physically secure locations like safe deposit boxes.


The above is correct.

What you're describing is called fractional reserve lending and we definitely aren't doing that.


Unless I'm misunderstanding him, what he's describing is simply "cold storage", not a fractional reserve. The putative bitcoins are still under the person's control, even if they are offline. It would only be fractional reserve lending if the person were actually lending a portion of their reserve.

But very cool site. Bitcoins are one of the things that drew me back into programming, and I'm grateful for that. (btw, are they still using json rpc for interprocess communication? it got a lot of flack, but I liked the API) But I got fed up with the volatility and the people it was attracting about a year ago and left it behind. It's good to see a legitimate business like yours getting involved (and with the ycombinator name, too!). Maybe I'll check it out again. There's a huge amount of potential there.

EDIT: My bad, I see that the parent comment was talking about fractional reserve lending. I only looked at the comment directly above your remark about reserve lending. Yeah, I'd stay away from fractional reserve lending since it's an anathema to almost everyone who uses bitcoins.


The potential was always there ever since Satoshi released the specs. The volatility is because of the nail-thin market depth, and the bubble was unavoidable (Hello 20/20 hindsight) because of that combined with some media attention and the first time occurrence of a digital limited resource... Well, most people probably only thought as far as "OMFG the price is going up, I expect great returns on investment". Thankfully the price fluctuations are smaller now and we can all focus on building infrastructure and a market.

As for legitimate businesses there's plenty. We've (mullvad.net) been accepting bitcoins for two years, but then again we were probably the first corporation and full-time business to do so :)


Oh, I totally agree that there are plenty of legitimate businesses using Bitcoin. I've sent you guys a lot of bitcoins over the past 1-2 years (great service, btw).

I've also paid some very professional developers and designers for high-quality work using bitcoins. Personally, I'd love for btc to take off more, since I'm a freelancer and do lots of work for overseas clients, and get hit with lots of banking fees. Btc is a fast and easy way to pay freelancers, and could be a great way to get paid by clients.

Nonetheless, I just got sick of all the hoopla surrounding Bitcoin and the constant Bitcoin heists, combined with the cluelessness of so many Bitcoin developers regarding security (not the core developers, but all the devs trying to build Bitcoin-related businesses). But perhaps it's time to give it another try.


> What you're describing is called fractional reserve lending and we definitely aren't doing that

What? Why not?


I assume what is meant is that deposits will be stored in wallets that are not online.


That's nice and all, but you're loading arbitrary JavaScript from Olark, CloudFront and Google on your login page. So no matter how much you secure your own systems, you're reliant on several third parties securing theirs too.


I'm not a security expert, but at least I have first hand experience with the Bitcoinica hack. It seems that all the security features you have mentioned are present in many Bitcoin sites, including Bitcoinica, and they don't prevent the easiest ways of losing wallets. Storing in the cloud is especially dangerous because for most (NOT all) cloud service providers, the front-end security (concerning authentication and authorization) is probably much weaker than your own implementation. For example, anyone can reset the password with an email, and change the root passwords of the servers. There isn't likely an option for second factor authentication.

This does not apply to cloud services with serious security considerations, such as AWS. It has IAM as well as second factor authentication. However, in Bitcoinica's case, both Linode and Rackspace don't seem to be a good choice to host wallets: Linode hack was actually a result of their customer service system compromise (i.e. possibly any support agent can reset the root passwords). While Rackspace Cloud's support staff couldn't log out the hacker and preserve the servers even when the hack was detected and password being changed.

These are really basic security features that cloud services are lacking.

You made a good point that things can be upgraded as you grow. Please do that. It's exactly what I intended to do when I launched Bitcoinica last year. But after I sold the company last year, no one really thought it was an urgent thing to do because there were no performance issues, no availability issues and everything went just fine. It's important to stick to the plan, and preferably allocate a fixed portion of revenue for upgrading security features and doing audits.

I'm glad to give you more information so that you can make better decisions (just drop me an email). I have been leading Bitcoinica for half a year (until the handover in April) and I had some experience in running a Bitcoin site that scaled quite well. I'm working on a non-Bitcoin project at the moment but I really want Bitcoin to succeed.


Intent is not the same as action, and as you said, no one (including you) thought it was urgent to upgrade your security. Shortly thereafter you discovered that there are black swans.

The above is also very easy for someone (like me) to say when you're not in the middle of it. You want to grow your business, and the benefits of working on security are hard to measure. I get it. That's when you need to ask yourself what your priorities are, and if you're in the business of selling turnips, or handling valuables such as bitcoins.

Brian, you are where Zhou Tong was a while ago, although there's no hype around your service yet. It has great potential, especially with the backing of PG et al. Please don't make the mistake of putting security on the back burner. If anything you should use it as your primary selling point.

If you're comfortable with it, subject your internal architecture to public scrutiny. If you're not, think really hard before you say "trade secret".


Do my bitcoins stay as my bitcoins OR do I transfer my coins to coinbase and when I want to use them you transfer the same value back? I would feel a lot more comfortable with the latter where your company was liable if you got hacked.


I don't believe it would be possible to do the former with Bitcoin, short of telling them your private keys and erasing them from your storage I guess?


Even Google's two factor authentication got hacked. How do you secure yourself for something like that?


He meets with customers in person to verify their identity and exchange bitcoins. No.

> How do you secure yourself for something like that?

Probably by being careful.


Google's 2FA wasn't hacked, it was bypassed. Essentially, there was a second "door" (the account recovery flow) that wasn't protected by 2FA, and that's what the attacker used.


It doesn't matter. The point of that story is, the weak link is going to be exploited. Bitcoinica is a good example. Zhoutong said at the start he understands application security, and in fact the big attacks didn't result from exploits in his code, but from third-party vulnerabilities.


First rule of financial apps: if you're going to deal with money you should own your servers. The cloud is not an option.

Second rule: Hire a security expert and a thief. The former to keep you safe and the latter to break in before the real ones so the expert can fix the holes.

Btw, I like the service.


I like the service, but AWS (or the cloud in general) is the wrong infrastructure choice for it. AWS is fine for some things, but not for being a payment processor or wallet provider. It's fine if you're just accepting credit card payments through another processor.

They probably won't be able to pass the money transmitter certification on AWS, so presumably they'll migrate eventually.


I hear AWS is certified for credit card processing. Is that not the case?


http://aws.amazon.com/security/pci-dss-level-1-compliance-fa...

Apparently they are now, yes. Last I checked they weren't and were saying their cloud services were inherently uncertifiable, due to the architecture.


Yeah, they changed PCI DSS 2.0 to allow virtual servers, specifically to let Amazon Web Services pass. PCI DSS 1.0 wouldn't work. (level 1 compliance PCI DSS 2.0 from the most trusting/forgiving QSA available, i.e. a pretty fucking low bar)

The PCI firms I know probably would not have passed them.


"Widespread Adoption" About $2 million a day (USD) is already being transacted in bitcoin. It's quickly becoming an international currency of the world.

Er... bit of a stretch


Exactly what I thought. I wonder how much money is transacted in WoW, Second Life and other large mmorpgs.


WoW gold is a multi-billion dollar economy with daily transactions worth around 10-100 times what BitCoin is currently doing depending on how and what you count.


This is a good point, I think we'll change it to "It's quickly becoming an international currency." Thanks for the feedback :)


ahem. There is already a large international currency that is way bigger than bitcoin (and maybe bigger than USD). Euro. (Though then we get into semantic arguments about "international")


It's very cool to see that after posting looking for a co-founder to get into YC, it looks like Brian has gotten into YC as a solo founder and by the looks of it, is doing great.

I sent his previous post looking for a co-founder to friends because Brian looked seriously formidable. Best of luck to him.


So, this is essentially yet another cloud-based bitcoin wallet?

Also, how will you comfort your customers when you get hacked and their funds are gone? That is not a hypothetical thing to ask, but very real and has happened before in the cloud-wallet business.

Anyone who wants to get started with bitcoin, I suggest using the client Electrum. Written in python, light, quick and secure.


Any technical details on how wallets are protected? I think we've seen how previous bitcoin websites have fared on HN, it would be cool to know some of the details on how the BTC are going to be protected so that the problems of the past don't happen again.


Yep - sorry we should really add a page on that. We're storing wallets in the cloud so this is an important concern. Private keys are encrypted in the database. bcrypted passwords. We also offer two factor authentication for your logins: http://blog.coinbase.com/post/25677574019/coinbase-now-offer...

We'll start keeping a majority of funds in cold storage as deposits grow (we're still in beta at the moment). I worked on fraud prevention at Airbnb previously and we had lots of money flowing through the site and stored with us, so I'm familiar with best practices around this. I also have a healthy respect for what can go wrong, and I think as we grow we'll go through regular security audits (and much more scrutiny as we pursue licensing as a money transmitter). You certainly shouldn't trust us on face value though, it's something we'll have to earn over many years.


Since you auto-focus on the email address input field... it erases the default text that reads "Your Email" so it is initially quite confusing to know what you should enter.

I had to click on the page to de-select the input, see that it said "Your Email", and then enter my email.

The way it is now, it looks like you might simply want two passwords.


Looks like Mozilla clears placeholders on focus, while Chrome and Safari clear on the first input. In Internet Explorer they don't show up at all...


Good to know - you can guess which browsers we've been testing with. Sounds like we'll need to do a js placeholder solution or change the page.


Barmstrong,

I asked the following downthread but I'm afraid it's going to get buried in the muck:

"Zero Transaction Fees"???

Are you refunding the bitcoin transaction fees that are built in to the protocol[1]? If you are going to eat that cost you should say so, it seems like a good marketing point.

[1] https://en.bitcoin.it/wiki/Transaction_fees


Good question, and sorry I just saw this.

So we aren't including any bitcoin transaction fees by default. If you try to send a transaction below 0.01 it will never get confirmed without the fee, so we added this user interface improvement a few days ago which gives the option of including the fee if people want to:

http://blog.coinbase.com/post/26452774981/confirming-small-t...

Coinbase will make money more like an exchange down the road, 0.5% to convert money into or out of bitcoin, but once you have your money in bitcoin there are no transaction fees (it mentions this on the homepage, but admittedly it's still a bit confusing). I wish there was a better way to distinguish between an exchange fee and transaction fee (to the average consumer these may be the same thing, I'm not sure).

In general, I would like to abstract out the idea of btc fees to the average user (I think it's an unnecessary complication for someone new to bitcoin). It would be much easier to just say "no fees" - this is simple and shows a clear benefit of using bitcoin. If you have to explain to people that "sometimes there are fees, but they are a lot lower, etc" it loses some of its punch. Right now we can do zero fees and transactions still get confirmed. In the future we may be able to do it by eating the cost and have this be a cost of doing business, but that is a decision for later.

Hope it helps.


Don't think anyone will respond, but I believe the statement is a stretch. I think they just mean THEY won't charge transaction fees.


On Firefox with NoScript "your email here" appears, but disappears when Scripts are permitted.


I think that this could be the hero that Bitcoin needs. If they make it super simple / super clean they could revolutionize Bitcoin.

To the creators, have you considered adding a USD (or other currency) funding option? Since getting the Bitcoins is probably the biggest obstacle for most everyday consumers.


If that's true it could be a good time to speculate/gamble a bit. I'm tempted to throw $500 or so at it, for the chance of another bubble.


I like the idea, kind of a PayPal for Bitcoin. My issues would be the usual: I don't trust a new service with my bitcoins, don't know anything about their policy for data loss, etc. The about page and support pages don't really instill any confidence. If I knew I could trust them it would seem like a great service.


"Zero Transaction Fees"???

Are you refunding the bitcoin transaction fees that are built in to the protocol[1]? If you are going to eat that cost you should say so, it seems like a good marketing point.

[1] https://en.bitcoin.it/wiki/Transaction_fees


Transaction fees are optional.

Currently, if you do not include a transaction fee, your transaction will get confirmed, but the first confirmation could take longer for a miner to pick it up - but it is very likely to still get confirmed.

As transactions per second increase and load is placed on the memory pool, those fee-less transactions may get lost and need to be resubmitted.


"As of 10 June 2012, minimum transaction fees on the original Bitcoin client are:

Accept a transaction for inclusion in a block: 0.0005 BTC

Relay a transaction to other Bitcoin hosts: 0.0001 BTC

A transaction can be sent without fees if both of these conditions are met:

It is smaller than 10 (SI) kilobytes (10.000 bytes).

All outputs are 0.01 BTC or larger."[1]

Put another way as bitcoin grows fee-less transactions will become rare...

[1] https://en.bitcoin.it/wiki/Transaction_fees


At the current exchange rate then any transaction below ~$0.06 might have a transaction fee of a fraction of a cent. Simple fix? Don't support incredibly small transactions, (or at least don't support large numbers of very small transactions).

[Assuming that point to point transactions that aren't doing complicated contract logic are always less than 10kB.]


I'm not trying to find fault in their business model; it was a genuine question...


You don't need to use Gavin's client.


My political philosophy professor used to call this "making a rule out of the exception."

How many other viable bitcoin clients are there? And what do you think the likelihood is of your fee-less transaction being accepted despite a flood of fee paying transactions?


The Qt client, while being the baseline of measure, is a dinosaur. I use Electrum because it does not require the maintenance of a local blockchain, start up is immediate after long darkouts. It can be fully run off-line with no network connectivity. It supports aliases like email addresses instead of complicated bitcoin addresses. It uses deterministic key generation so I can literally backup my wallet in my head with a passphrase, erase my wallet, and recreate it from my mind. Oh yea, and it allows me to make transactions without any fees. Other worthwhile clients: Armory, Multibit. They are all viable and under rapid development.

Edit: electrum can be fully run offline as in you can monitor your balance without a network connection AND you can write transactions that can then be injected into the blockchain by a networked connection. But the electrum client at no time needs to be connected to the network.

Additionally, a networked computer can contain a deseeded wallet (no keys) for securely monitoring your off-line balances.


1) How do you make a profit? 2) How do I convert to "real money"? If I can't, why should the average joe be interested in this at all? Power users can use mtgox already. 3) How do you plan to keep it legal? As I understand, there is no legal precedent about new currencies and the law is not favorable.


Lots of startups have tried to popularize Bitcoin. What's different about this one?


This is a Ycombinator startup founded by a former AirBnB employee.


What advantages does this service provide over bitcoin itself? My suggestion would be to make this very clear, and definitely make sure it is explained on the About page.


My guess is that you can send bitcoins to people who don't give a shit about it or know how to use the client and they can in turn pay for things with the coins you sent. I'm thinking of sending my dad a couple just to see if he can figure it out. :)


Agreed. "Without coinbase, this is how you would use bitcoins _____..., with coinbase it looks like this instead ____." Don't assume any knowledge of bitcoins.


Definitely agree with making the advantages clear. I can see how this could be a pretty useful interface to BTC for non-technical users. I might have to try it out myself :)


Have they been hacked yet? It's a rite of passage.


If I want to sell something, how can I get my Bitcoins converted to cash, safely and reliably? I don't trust MtGox, and I don't want long-term forex risk exposure. Is there someone who could settle Bitcoin to USD, daily in San Francisco?


A reliable BTC<->USD exchange is going to be a key requirement for any meaningfully large BTC adoption.

A year ago, when I was looking around, there was none. I have no real qualms about dropping a few bucks into BTC, but I have to be confident that I can exchange it for the ability to pay my bills.


And yet such an exchange will inevitably charge fees that are higher than credit cards, which hinders adoption.


bit-pay.com offers a service where you can accept payment in Bitcoin, which is then immediately converted to USD at the average market rate (of the last 15 minutes) and sent to your bank account. I believe the funds are available next day, I forget.


The best way to find out if bitcoin is a viable platform is for someone to forge ahead with mainstream oriented services like this. We'll all learn a ton from what happens.

Payments is a great starting point for a mainstream bitcoin service. The user isn't going out too far on a limb to use the service because it's just a payment. This could increase the chance of adoption, and lessen the impact of something going wrong in the early days.

I'm really impressed with folks trying to make a service like this work. I find any opinionated naysaying to be really boring. Can't wait to see how it turns out. Hope there is enough traction to put it all to a real test.


Will there be an API? It looks neat!

It's one of those ambitious projects, that, even if failure is in the future, it's still a worthwhile project.


I've toyed with the idea of a Bitcoin bank for a while now. Since I don't seem to be making much progress here's the final piece that I think this is missing and would really let this take off. Offer a way for your customers to spend their Bitcoins using plastic through a payment processor. The cheap startup version way of offering this would be to partner with a bank to offer your customers prepaid debit cards. On your website they would have two accounts, one with the funds available on the card and the other with your Bitcoin wallet. When they want to transfer funds make a market trade on behalf of them and put the money on their cards. Obviously in the long run the ideal setup would be to become a licensed money transmitter which can be ridiculously expensive in some states, and yes you need the license in each state you do business in. This is what Paypal has. As a licensed financial institution you now have the ability to offer your own debit/credit cards and you could theoretically make market trades from your customers' bitcoin wallets as soon as you receive transaction requests.

Obviously this doesn't flow with the spirit of Bitcoin and why it was designed but I think it's what will be necessary for it to start gaining widespread use.


What's the pitch to the masses? "We make Bitcoin easy to use... and all you lose is anonymity and decentralization?"


You can't lose what you never had; the "masses" won't use the Bitcoin client and manage keys themselves anyway.


icebraining: decentralization and optional anonymity are key selling points of Bitcoin; without these two features, it looks a lot like existing payment systems.


I know, my point is that those selling points are irrelevant to the masses, because to take advantage of them you need to run the Bitcoin client and manage your own keys, which most people won't do. So they can't "lose" anything.

Now, as for why would you use a system like this instead of one based on conventional currencies, well, don't ask me!


I'm not sure why, but I find the term "for the masses" horribly insulting and elitist. It instantly turns me off on whatever it is you're talking about and tells me absolutely nothing about the product other than you think your target market is a mass of people that aren't as smart as you.


How is a user protected from a transaction history subpoena?


BTC transactions are all public in the blockchain so they're not as anonymous as many think.

But as for preventing your identity from being linked to your BTC wallet? There's probably no way to prevent that if the service provider is under US jurisdiction.


You can certainly be fully anonymous with bitcoin but care must be taken... Mainly, you need to isolate your change to an identity wallet - a wallet used for specific purpose under a dedicated pseudonym. Identity of the pseudonym is protected by plausible deniability - "I bought those coins on MTGOX, but I sold some of them to some guy for cash on the street corner, that purchase wasn't me"

The more hops through a wallet (which can be created dozens of times), adds more plausible deniability and separation to any purchase.


Good point. And if you sign up to Coinbase anonymously and acquire BTC reasonably anonymously any data that gets subpoenaed is worthless.


I think Brian dated my sister back at Rice.. haha. So strange to stumble upon him here. Anyway, impressive startup resume. I'm familiar with a lot of his projects, but never connected the dots.

Too bad my comment contributes nothing to the post and it's gonna go to the bottom. Oh well..


This looks great - I can't wait until you can start ordering from eBay and Amazon with bitcoin.


You can already redeem bitcoins for Amazon giftcards through various services, for example: http://coincard.ndrix.com/


So the profit mechanism is through taking a percentage of bank transfers. So not going after banks.

Also did you mean shopping card or shopping cart? I can't resolve either from context and shopping card is not commonly used.


Storing individual wallets in the cloud is better than having a single institution-wide account that holds everyone's money like MtGox did/does. With the latter, you need to roll your own secure transaction system to keep track of balances. The former uses Bitcoin's existing transaction record keeping, allowing the devs to focus on the already hard problem of secure authentication.

Still, centralizing a decentralized system is like trying to tame a wild animal. It can be done, but expect to get bit.


Any bitcoin related website that has you "choose a password" and not a Passphrase, and perhaps mandatory 2 stage authentication, is just asking for it.



Is Bitcoin a national currency (or an international reserve currency for that matter)?


(To whoever downvoted this, the questions were meant to be rhetorical)


Is it that Bootstrap makes every website look amazing or is it that people who build amazing looking websites tend to use Bootstrap?


It's that they all look similar and you like the look. You also might be looking at websites built more by hackers than by web designers. Bootstrap is great for visually clean rapid development, but that comes at the cost of individuality.

Props to Coinbase for changing the looming black top bar anyway.


It's a theme from http://bootswatch.com/. I wish more sites used one of those, completely agree with you on the black top bar.


The 2-minute video on their home page takes the right approach. It does not try to explain the lofty ideals of Bitcoin. It never mentions scary concepts like free banking, lack of government regulation, and crypto. It uses the word "anonymous" only once. That's the way to convince the public: a cheery talk about tangible benefits!


Is coinbase using aws or heroku and down right now? Seeing an application error on coinbase.com...


Currently getting a 500 error when trying to create a password with special characters.

With all the password hash leaks going on these days, am I the only one paranoid enough to create a long, random password?


Congrats Brian! I remember when you told me about your idea at startup school. Heard you had left Airbnb and I suspected it was for this.


... and their site looks just like Github.


Is bitcoin still deflationary?


It will experience an inflation rate for the next 140 years or so. It is currently expanding at 50 BTC per 10 minutes. In December it will cut to 25 BTC per 10 minutes, half each 4 years after that.

Bitcoins have already been destroyed to the tune of about 80,000 BTC from disk failures, lack of backups, and forgotten keys. We will already never reach 21 million bitcoins in circulation.


I think a digital currency is a lost opportunity, you could make the system self adjusting to a set target, very accurately.


It's a catch-22. While many people would agree that strict deflation is probably a bad idea, the very fact that this policy proves changeable by a popularity vote would set such an immensely worrisome precedent. It would mean that the inflation policy is in practice discretional.


That's what Bitcoin does. The protocol can't know if funds are destroyed... because they can't be. They are actually just sitting in unreachable wallets.


Right, though all wallets are reachable/stealable with sufficient compute power. This is partially why it's always a good idea to split up your holdings into many wallets.


I decided to see what they had to say to a question I had. These are the responses they gave! :3 How do you see yourself combating the rapid fluctuation of price vs value when dealing with merchants?

Brian Armstrong: good question

Brian Armstrong: two thoughts on that

Brian Armstrong: one would be an automatic withdrawal rule they could setup

Brian Armstrong: so it just gets converted automatically when it arrives and deposits once a day or something

Brian Armstrong: the other is that i think the exchange rate volatility is largely a short term problem, volatility decreases as volume of transactions increases

Brian Armstrong: so if you believe btc volume of transactions will be much higher in 5 years, then exchange rate volatility will be much lower

→Makes sense, Saw the site mentioned on hacker news, so that means you'll probably be mentioned on slashdot at some point

→^.^

Brian Armstrong: at least that is my guess :)

Brian Armstrong: hope so

Brian Armstrong: maybe I should submit it?

Brian Armstrong: haven't slashdotted in a few years

→heh, you could try, though slashdot seems to be consolidated to a few power submitters lately, might try reddit?

http://www.reddit.com/r/bitcoin would be a start?

http://news.ycombinator.com/item?id=4177605 that's the article mentioning you btw

Brian Armstrong: already submitted :)

Brian Armstrong: http://www.reddit.com/r/Bitcoin/comments/vswkw/silicon_valle...

→Where bitcoin could REALLY take off is CPU usage cycles

→Since bitcoin is fractional

Brian Armstrong: oh yeah, tiny amounts

→Instead of charging pennies per cycle, you could specify exact amounts per clock

→so instead of 1 penny per second

→.00001 per clock or whatever is the better value

→It'd be a lot more precise

→It must be interesting to start a company like this. Are you / your company registered in the United States? And if so, How do you feel about their reaction to bitcoin?

Brian Armstrong: yep that'd be interesting for sure

Brian Armstrong: we're incorporated in delaware (U.S.)

Brian Armstrong: based in california

Brian Armstrong: we have the backing of really good investors who want to see innovation happen

Brian Armstrong: as long as we pursue licensing as a money transmitter (same as facebook credits, paypal, etc) i think we'll be ok

Brian Armstrong: it will def be controversial though

→I wonder how mt.gox handles it

Brian Armstrong: they are incorporated outside the U.S. (Japan I believe)

nods

→Well, If it's ok with you, i'll post this to the hacker news article and see what kind of discussions it generates? Only with your permission of course! =^.^=

Brian Armstrong: sure, that'd be fine with us!


Twitter Bootstrap is homogenizing the entire web! This place used to be cool, man. What happened?!


Well, at least they've made some modifications to it so that it looks good.


are you a single founder?


Congrats!


How is this different than MtGox? I don't trust MtGox, but at least they've made mistakes and have spoken publicly about how they've fixed those mistakes.

On the other hand, are these guys storing my wallet safely? How about my balance (please god, don't store it as a float)? How about my password? If they're not launching with two-factor auth I won't even give it a chance (and likely ever, honestly).

I've gotten progressively more and more pessimistic about these sorts of sites even though I like the idea of BitCoin as a currency. If security isn't heavily discussed and visible (2FA, do it!) at the launch, it will be hard for me to take this seriously.


What's wrong with storing it as a float? I'm not saying you're wrong, I just genuinely don't know. If you could explain/point me to relevant literature I'd be grateful.


Some numbers with a finite representation in base 10, 0.2, for example, don't have a finite representation in base 2.

They are rounded, and doing arithmetic on such numbers leads to compounded rounding errors that you don't want to see when dealing with money.

Another problem is that the mantissa of floating point numbers is limited (52 bits for doubles), which can lead to truncated numbers, another big no no.


Storing BTC balances as floats is something a few services have done in the past so it makes sense to ask/bring up. Since BTC have 8 decimal precision, rounding can become noticeable very quickly even in addition and subtraction even though in real, today's value, it's not such a big deal.


http://stackoverflow.com/questions/3730019/why-not-use-doubl...

Also, all Bitcoin calculations are supposed to be done in integer Satoshis.
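The point made in the replies above (values such as 0.1 have no exact binary float representation, and Bitcoin amounts are meant to be integer satoshis), as an added example that is not part of the thread and not Coinbase's code. The function names and the constructed deposit values are assumptions of this sketch.

```python
import re

SATOSHI_PER_BTC = 100_000_000                  # 1 BTC = 10^8 satoshis
MAX_SATOSHI = 21_000_000 * SATOSHI_PER_BTC     # protocol supply cap

# Plain decimal only: no sign, no exponent, at most 8 fractional digits.
_AMOUNT_RE = re.compile(r"([0-9]{1,8})(?:\.([0-9]{1,8}))?")


def btc_to_satoshi(text: str) -> int:
    """Parse a user-supplied BTC amount into integer satoshis.

    The conversion uses integer arithmetic only. Input that cannot be
    expressed in whole satoshis is rejected rather than rounded.
    """
    match = _AMOUNT_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a valid BTC amount: {text!r}")
    whole, frac = match.group(1), match.group(2) or ""
    satoshi = int(whole) * SATOSHI_PER_BTC + int(frac.ljust(8, "0"))
    if satoshi > MAX_SATOSHI:
        raise ValueError(f"amount exceeds total supply: {text!r}")
    return satoshi


def satoshi_to_btc(satoshi: int) -> str:
    """Format integer satoshis as a BTC string with exactly 8 decimals."""
    if satoshi < 0:
        raise ValueError("negative balance")
    return f"{satoshi // SATOSHI_PER_BTC}.{satoshi % SATOSHI_PER_BTC:08d}"


def float_vs_satoshi(deposit: str = "0.1", count: int = 10):
    """Credit the same (constructed) deposit `count` times both ways.

    Returns (float_total, satoshi_total, float_total_truncated_to_satoshi).
    """
    float_total = 0.0
    satoshi_total = 0
    for _ in range(count):
        float_total += float(deposit)            # accumulates rounding error
        satoshi_total += btc_to_satoshi(deposit)  # exact
    # What a float-based ledger would pay out if it truncated to satoshis.
    truncated = int(float_total * SATOSHI_PER_BTC)
    return float_total, satoshi_total, truncated


if __name__ == "__main__":
    f_total, s_total, truncated = float_vs_satoshi()
    print("float ledger:  ", repr(f_total))
    print("satoshi ledger:", satoshi_to_btc(s_total))
    print("satoshis lost by truncating the float:", s_total - truncated)
```

The same rule applies to storage: keep balances in an integer column holding satoshis and convert to a decimal string only for display.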


Quick Google, sorry it's easier than me offering an incomplete explanation: http://stackoverflow.com/questions/3730019/why-not-use-doubl...

And I really don't mean to pick on you, but that this isn't better known is why I worry when I see random sites popup offering financial services.


That's okay. I don't think I'm really representative anyway, as I'm not a professional/schooled programmer. Thanks for the link, I did try googling it myself but I didn't think to use the word "currency" so I just got a bunch of irrelevant results.


Haven't signed up, but http://blog.coinbase.com/ does mention 2FA is supported through SMS or an app called Authy. In case the founder sees this, was there any reason why Verisign's VIP app (which has native apps on more devices and seems to be the de-facto standard for banking sites) was not used?


You mean Symantec's VIP app.

Personally, I have no idea why they didn't just use Google Authenticator and implement OATH/TOTP on their own servers. Relying on a third-party for authentication seems a very bad idea, especially when there's an open algorithm that is essentially just feeding a secret and the current Unix time to an HMAC-SHA1.


I hadn't seen it - thanks I'll check it out!


"Coinbase now offers Two-Factor Authentication"

http://blog.coinbase.com/


And what happens if someone gains access to your server or social engineers their way in with your hosting company? As far as I can tell, this has been the biggest problem with such services so far.


I'm not affiliated with coinbase; sorry if that was unclear.


Fantastic fantastic! Maybe I'm a nerd, but I'd be repping that on the front page.


Is this a YCombinator start-up? I see PG's name there.


According to the About page (https://coinbase.com/about#), yes.

The AllThingsD article linked from the page mentions that the company is part of the current Y Combinator class.


On their about page (https://coinbase.com/about) there is written "Investors: YCombinator"



