Sorry to digress a little, but I'm sensitive on age issues :)

Pinkie Pie won his first $50k award by creating a 0-day sandbox escape on Chrome, by chaining 10 different vulnerabilities. He was 19 (now almost 21). Two years before, at 17, he released jailbreakme.com, all by himself, which was a 0-day able to jailbreak all iOS models shipped to date by just visiting a website.

Age means nothing by itself, but the point is correct. The problem is that we don't know how much we can trust bitcoin site owners, as most of them are relatively new with no history to inspect, closed source, and sometimes even run by anonymous users whose experience we can't inspect.

Anecdotes don't negate stereotypes, which are themselves generalizations across numerous anecdotes. And stereotyping is not by itself an invalid source of information, just less reliable than, say, a study. Everyone knows one person who negates a stereotype -- any stereotype. The existence of that person doesn't reduce the usefulness of that stereotype.

Sure, there are 18 year olds with impressive technical chops.

But do you know _anybody_ who would deposit money in a bank run exclusively by an 18 year old?

Coding skills can be created and honed by highschoolers - business, legal, and commercial experience - very much less so.

I think any skills can be created and honed by highschoolers.

But I think it's extremely rare in the cases you mentioned.

the question is, if they really know if he/she is 18 year old or something.

Outliers exist, this doesn't make them likely, age does matter far far more often than not. Generalizations have value, but they're not expected to always be true.

Sorry, didn't mean to put down the skills of young people! I'm 28 and I work on lots of security related systems, and although I understand most all of it, I wouldn't attempt to build a Bitcoin exchange without someone with years and years of hardened workplace experience. That's all I meant ;)

This is a good point and one that I considered and wish I followed up on. I'm in the "support queue" with Coinbase right now because they absconded with 10% of my bitcoin holdings for no discernible reason. In case you're concerned, I'm not the one with $150M in bitcoin - it was 1 btc that went missing (greatly appreciated in value from when I acquired it).

Because "online wallet" sites are the sort of bad idea that _needs_ to have access to the private keys. If you can spend bitcoin out of an "online wallet", the person in control of the software managing that wallet _does_ have access to your bitcoin. Even if they've tried to set things up "securely", the very best they can do is achieve Lavabit levels of security - if they (or someone coercing them) wants to, they'll get full access to your funds anytime you try to access them.

Think of them as like keeping your change on the bar - the security relies _purely_ on social conventions encouraging the bar owner, bar staff, other customers, and your friends to not take your money.

You would no more store your weekly pay, your rent money, or your new car savings on the counter at a bar - why the hell are people storing those sorts of values of bitcoin in other people's webservices?

Sure, online wallets might be _useful_, but anyone keeping any more value than they can afford to lose in one is insane (or, less critically, very poorly informed).

True.

I may be wrong here - but is the private key only required to send the money? So, if the user kept the key and it wasn't recorded on the server...or if they use some type of password hash for encrypting it, then there wouldn't be hundreds or thousands of wallets stolen at once. The user would enter their password when they want to transfer funds, the hash is calculated, private key decrypted, transaction made, and the private key is never recorded anywhere.

But, this would require the user to NEVER forget their password, or else they lose their money.

If the user kept the secret key, that's not much of an online wallet - you might as well just use your secret key at home and send it directly yourself. They could encrypt it with a password or a pin that isn't saved on their site so that you would have to enter it to decrypt the secret key. That still counts on the site not just lying and keeping it or you getting it keylogged or otherwise compromised on your side. Many online wallets do nothing of the kind, they simply have the secret key and use it to send. Someone with your password or access to the site could do the same. It's the same as a normal bank really, you have no physical/technical control over what they or someone who snuck into the bank does. You can control your access credentials (passwords, cards, account numbers, ID info, etc) and that's good and well, but there's nothing preventing it from disappearing on their side besides what they (not you) do for security.

It's possible to sign transactions offline, so that the private key never touches a device that's connected to the internet. Check out http://www.bitcointrezor.com/

How about the users keeping the key and supplying each time its need from a separate secure app? And that app wouldn't even contain the complete key, but requires they supply the last three digits each time. And they can tattoo that somewhere on their body.