[M4v3R]

Ugh. There are much better solutions than keeping user funds in the hot wallet (fully cold storage with manual withdrawals, multi-signature wallets), but many "reputable" businesses STILL uses them. I don't understand why. If you want to store your customers funds online, do it the right way, or don't do it at all.

[dragontamer]

You cannot automate a cold-wallet scheme.

Any automated website or tool will require a "hot wallet" of some kind. The more funds in the hot wallet, the longer the website / BTC Bank can go automatically.

Customers like having funds available to them immediately... among other things.

[michaelt]

Given the choice between being hacked, losing your reputation and millions of dollars; or having someone on call 24/7 to move USB sticks across an air gap; I'd choose the latter.

I've seen fast food joints and parking lots with 24/7 attendants, it can't possibly cost more than $100,000 a year.

[dragontamer]

THIS IS THE FUTURE EVERYONE!!!!

The future of modern banking is to return to physical transfer of funds. Instead of relying on modern networking, technology, automation, or websites... we will manually move money over a physical medium.

</sarcasm>

Without automation, how the hell is BTC supposed to be any better than cash?

[apalmer]

Uhhh let me get this right:

$10,000,000 spent to secure a bitcoin exchange to within 99.999% secure via "automation"

$100,000 spent to secure a bitcoin exchange to within 99.999% secure via physical air gap...

which makes more sense

[michaelt]

You can still do automated transactions from your hot wallet - human intervention is only required for transactions that exceed the size of the hot wallet.

And merchants who don't make enough profit to pay $20-$30 an hour to put a human in the loop can have a payment processing company do it.

Don't get me wrong, if you think bitcoin websites have done a superb job at securing their hot wallets [1,2], you're welcome to keep all your money in a hot wallet where it can be 100% cleaned out without a human lifting a finger. Good luck with that.

[1] https://bitcointalk.org/index.php?topic=83794.0 [2] http://fc13.ifca.ai/proc/1-2.pdf

[tlrobinson]

Did you really just suggest trusting millions of dollars of customer funds to the equivalent of minimum wage fast food restaurant employees?

[M4v3R]

> You cannot automate a cold-wallet scheme.

That's why I said that it would be manual. Actually, it could be semi-automatic - a script could generate all relevant transactions, and a human operator could simply confirm them few times a day by signing the transaction with his password protected private key.

> Customers like having funds available to them immediately... among other things.

Either security or convenience. This service was aimed for merchants, which are used to get their funds from payment processors much slower than in a matter of hours.

Also, that's only one of the solutions that I mentioned. Second one, which is convenient and more secure at the same time, is using multisignature wallets.

[ye]

> and a human operator could simply confirm them few times a day by signing the transaction with his password protected private key.

It's a payment system. This would be unacceptable.

[M4v3R]

I'm not talking about confirming transactions of merchant customers. I'm talking about confirming withdrawals from the merchant accounts.

[a3voices]

Any wallet that has been exposed to a computer connected to the Internet, or is sitting on one, is a "hot wallet".

[maaku]

> You cannot automate a cold-wallet scheme.

Yes, you can. You can have the hot wallet only deal with multi-signature outputs, and have these approved by separately locked down servers running behind TOR, for example, using out-of-band mechanisms for approving transactions.

[dragontamer]

>You can have the hot wallet only deal with multi-signature outputs

Then you don't have a cold-wallet scheme. You have a hot wallet scheme.

[TylerE]

You can do anything if you allow massive handwaving. ("out-of-band mechanisms for approving transactions")

[maaku]

Do I have to spell it out? The machine could be under physical control of its operators, with rate limiting restrictions lifted only by manual intervention via a GUI interface, making the low bandwidth TOR connection the only link to the outside world (and a simple one at that). Or the the verification and signing steps done via TPM so as to prevent key theft. There are other possibilities too.

This isn't handwavery. It's basic security engineering.

[TylerE]

Yes, but the whole debate was how to it automatically. Once you have someone physically intervening, your solution fails to meet the problem criteria.

[maaku]

Having people involved to resolve edge cases and possible fraud/theft is kinda the point...