Bitcoin Forum

Economy => Marketplace => Topic started by: SgtSpike on May 09, 2011, 08:23:04 AM

Title: Introducing!
Post by: SgtSpike on May 09, 2011, 08:23:04 AM

The site isn't entirely ready yet, but it *should* be ready enough to fully use.  I just don't yet have all of the features implemented that I'd like to see.  Give it a try, and let me know if you see any potential security problems or bugs.

The site serves two main purposes:
1. Provide a central and easy-to-use location for rating various businesses and individuals who sell or trade with bitcoins.
2. Allow users to validate that a particular bitcoin address is indeed attached to the seller they believe it should be attached to.

I decided to create the site after seeing the stickied list of "honest traders" on this forum.  It just seemed that there wasn't any way to leave feedback for someone you are trading with aside from the list on the forum and the web of trust/IRC trading.  I know that IRC trading isn't exactly user-friendly for people who haven't used IRC before.  I also know that the list on the forums can be a bit cumbersome to use and search through, and disorganized.  This website is meant to fill the hole between those two options.

Potential dangers:
- Users registering under another member's name with malicious intent to deceive.  Best prevention is to ensure that you register your forum name and any business names you have at the website quickly, even if you do not plan to use the website.
- Others...?  You tell me if you can think of anything.

Future expansion
I intend to expand on this website, perhaps through use of another domain name, to allow sellers to create "listings" of items or services for sale.  I am picturing a craigslist-style catalog, but with feedback and usernames integrated.

Let me know what you think! - I am open to all constructive criticism!

Title: Re: Introducing!
Post by: joeydangerous on May 09, 2011, 10:56:17 AM
I really like this idea! I am starting to do business using bitcoin now and I'd like people to know they can trust me. I got an error message when I tried to register:
Parse error: syntax error, unexpected ';' in /homepages/44/d217581656/htdocs/bitcoinfeedback/register.php on line 7

Let me know when you figure it out, I'd like to be one of the first to register!

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 03:05:30 PM
Haha, figures, I launch it with a defect that doesn't allow anyone to register!  Fixed.  :)

Title: Re: Introducing!
Post by: speeder on May 09, 2011, 06:06:44 PM
Your site is still broken.

It gave other errors though...

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 06:18:58 PM
Try now?  Fixed some other errors.  Should have done more testing after adding the anti-mysql-injection function, but I didn't know it could cause any trouble!

Title: Re: Introducing!
Post by: Insuremeplz on May 09, 2011, 07:07:56 PM
Great idea. The homepage colors make my eyes want to bleed though!

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 08:17:17 PM
Great idea. The homepage colors make my eyes want to bleed though!
Lool, what would you suggest?  I was considering changing all of the green to grayscale...  Or, click on the FAQ page, and tell me what you think of the colorscheme there.

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 09:28:03 PM
Just fixed an error where only members who had bitcoin addresses would show up in the search.  Now, all members show up in the search, regardless of whether you have assigned any bitcoin addresses to the person.

For an example of how the private bitcoin address verification works... enter 1CjoEtypZhqkBLSdfpnphNYjWyokourkxe into the search box.  My username shows up, but clicking on my username only shows a single public bitcoin address.  The above address is associated to my username, so if someone searches for that EXACT bitcoin address, my username will show up.  But there is no way for another person to find that bitcoin address on the website, thus keeping it private.

This is useful for ensuring that private bitcoin addresses stay private, so that no one but the legitimate payee can lay claim to a payment made to your account.

Title: Re: Introducing!
Post by: Insuremeplz on May 09, 2011, 09:35:05 PM
Great idea. The homepage colors make my eyes want to bleed though!
Lool, what would you suggest?  I was considering changing all of the green to grayscale...  Or, click on the FAQ page, and tell me what you think of the colorscheme there.

Anything that isn't so bright and more neutral. Color isn't bad, unless it's overwhelming.

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 09:39:45 PM
Fair enough.  I'll work on toning down the color scheme this evening.  Maybe just less saturation for the green, rather than going completely gray with it.

Thanks for the suggestion.  :)

Title: Re: Introducing!
Post by: lulzplzkthx on May 09, 2011, 09:45:14 PM
You may consider authorizing users using gribble's database. Again, somebody could signup as you on gribble, but many users already have OTC accounts, and you could make this optional "verify with #bitcoin-otc", do the same authorization gribble does, and then give a little badge on the profile if they've verified that way.

Just a suggestion.

Title: Re: Introducing!
Post by: BCEmporium on May 09, 2011, 10:02:06 PM
I'm working on a similar project, however mine isn't up to registration - a scammer wouldn't normally "sign up" to this sort of thing, does he? - but to use hashing lookups instead. Still allowing people to register if they want to manage (see, not alter) their feedback, like associating more items to the same person, nick, email, url...


You're about to make a deal with someone whose address is, so you enter it for lookup and the JS library will convert it to:
2c441c6e1c73d03e1e317c46395bf45c9b0efe80 - this is what is sent to the server.

My intent was to prevent feedback harvest and browsing, displaying hashes is safer.

I put its draft here:
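
The two lookup ideas in this thread (SgtSpike's exact-match search for private addresses and the digest-only lookup described in the post above) can be combined in one index. This is an added example, not code from either site: SHA-256, the class and method names, and the sample addresses are all assumptions.

```javascript
const { createHash } = require('crypto');

// Constructed sample values, not real bitcoin addresses.
const SAMPLE_PUBLIC = '1ConstructedPublicAddrForExampleAAA';
const SAMPLE_PRIVATE = '1ConstructedPrivateAddrForExampleBB';

// What the client sends instead of the raw identifier. SHA-256 is an
// assumption; the post does not name the hash its JS library uses.
function lookupKey(identifier) {
  // Base58 addresses are case-sensitive: trim whitespace, never lowercase.
  return createHash('sha256').update(identifier.trim(), 'utf8').digest('hex');
}

class FeedbackIndex {
  constructor() {
    this.ownerByDigest = new Map(); // digest -> username
    this.publicByUser = new Map();  // username -> addresses listed on profile
  }

  // 'public' addresses are listed on the profile; 'private' ones are kept
  // as a digest only, so they can be confirmed but never browsed.
  addAddress(username, address, visibility) {
    const key = lookupKey(address);
    const owner = this.ownerByDigest.get(key);
    if (owner !== undefined && owner !== username) {
      // An address already claimed by one profile cannot be re-bound.
      throw new Error('address already bound to another profile');
    }
    this.ownerByDigest.set(key, username);
    if (!this.publicByUser.has(username)) this.publicByUser.set(username, []);
    const listed = this.publicByUser.get(username);
    if (visibility === 'public' && !listed.includes(address.trim())) {
      listed.push(address.trim());
    }
  }

  // Server-side search: the server only ever receives the digest.
  search(digest) {
    return this.ownerByDigest.get(digest) || null;
  }

  // What a visitor browsing the profile can see.
  profile(username) {
    return { username, addresses: [...(this.publicByUser.get(username) || [])] };
  }

  // Everything the server holds, e.g. what a database dump would contain.
  stored() {
    return JSON.stringify({
      owners: [...this.ownerByDigest],
      profiles: [...this.publicByUser],
    });
  }
}

function buildSampleIndex() {
  const index = new FeedbackIndex();
  index.addAddress('alice', SAMPLE_PUBLIC, 'public');
  index.addAddress('alice', SAMPLE_PRIVATE, 'private');
  return index;
}
```

A digest only hides values an outsider cannot guess: a 34-character address qualifies, while a short nickname can be recomputed from a list of candidate names.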

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 10:11:20 PM
Thanks for the suggestion lulz, I'll consider it.  I'm not terribly familiar with the OTC verification process, or how I would hook in to it, but I'll look in to it.

Interesting take BCEmporium.  No, a scammer would not sign up for this sort of thing, but that's exactly my point - if a user you are considering doing business with isn't signed up to this or another feedback/verification service, maybe you shouldn't be trusting them with your bitcoins or service/goods.

Hashing all of the content before sending is an interesting idea.  Wouldn't HTTPS accomplish the same thing though?

This is certainly a less secure method with regards to information.  It's not something that those who wish to remain anonymous would want to use, as the username, business name, website, etc, is public information that anyone on the web can see (with the exception of private bitcoin addresses that are entered).  I suppose in this way, this feedback website is meant to be more "mainstream" and "userfriendly" than the web of trust (and possibly the website you are describing).  It displays some information about a given company or person, and that helps the mainstream public trust the website and the bitcoin system as a whole.  Someone jumping right in might not want to send bitcoins to a person over an IRC channel (or really know how to use IRC in the first place), but they might be more willing to send bitcoins to someone whose bitcoin address is associated with a public profile on an established website.

Title: Re: Introducing!
Post by: BCEmporium on May 09, 2011, 10:23:41 PM
The issue I was addressing was more related to ID theft than data encryption.

Like on bitcoin-OTC you've:

john +10
andrew +8
mary +7

The simple access to this kind of list can give a scammer the chance to impersonate one of these folks in good standing, like registering to some new business with one of those nicks.
Whereas the same list hashed presents no such threat, or to a much lesser degree, as the scammer doesn't know what username he needs to impersonate.

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 10:45:35 PM
The issue I was addressing was more related to ID theft than data encryption.

Like on bitcoin-OTC you've:

john +10
andrew +8
mary +7

The simple access to this kind of list can give a scammer the chance to impersonate one of these folks in good standing, like registering to some new business with one of those nicks.
Whereas the same list hashed presents no such threat, or to a much lesser degree, as the scammer doesn't know what username he needs to impersonate.
So you're proposing a similar list to bitcoin-OTC, only it be hashed, so that another user looking to your own website wouldn't know which account to spoof?

It's a good thought, so I'd be interested to see how it does if started up.  I'm not sure that it's really fit for the mainstream or public though, but that would be something to be seen.

I'll work on proof-of-ownership for accounts if/when the situation arises.  It would likely include PMing on the forums, if they are using their forum name as the sign-up or business name, or emailing from an official website address, if they believe someone else is trying to take over their name on the website.  There's a variety of ways I could have someone prove that it is their forum name or business name.  In the meantime, I'll just continue to encourage people to "take ownership" of their accounts on the website before anyone else does.

Title: Re: Introducing!
Post by: nanotube on May 09, 2011, 10:54:35 PM
The issue I was addressing was more related to ID theft than data encryption.

Like on bitcoin-OTC you've:

john +10
andrew +8
mary +7

The simple access to this kind of list can give a scammer the chance to impersonate one of these folks in good standing, like registering to some new business with one of those nicks.
Whereas the same list hashed presents no such threat, or to a much lesser degree, as the scammer doesn't know what username he needs to impersonate.

there is a reason OTC identities are based on GPG keys rather than nicks. :) unless you manage to lift mary's private gpg key... good luck claiming her OTC identity.

Title: Re: Introducing!
Post by: Tally-ho on May 09, 2011, 11:20:14 PM
I'm not trying to step on any toes here...and perhaps I haven't thought this through completely, but why not use a 3rd party feedback system that is already in place like

Title: Re: Introducing!
Post by: SgtSpike on May 09, 2011, 11:35:52 PM
I'm not trying to step on any toes here...and perhaps I haven't thought this through completely, but why not use a 3rd party feedback system that is already in place like
No worries!  I expect my toes to be stepped on when coming up with new ideas.  :)

I wanted to create something that was bitcoin-centric.  Heatware can't tell you whether a bitcoin address is indeed associated with the user account at heatware.  I could just tell you that "oh hey, my username on heatware is blah blah", and if blah blah had a good rating, then they might believe me.

Unless, there's more to heatware than meets the eye... still, I like the idea of being able to verify that a seller/merchant is attached to a particular bitcoin address instantly.

Title: Re: Introducing!
Post by: Tally-ho on May 10, 2011, 04:23:40 AM
I'm not trying to step on any toes here...and perhaps I haven't thought this through completely, but why not use a 3rd party feedback system that is already in place like
No worries!  I expect my toes to be stepped on when coming up with new ideas.  :)

I wanted to create something that was bitcoin-centric.  Heatware can't tell you whether a bitcoin address is indeed associated with the user account at heatware.  I could just tell you that "oh hey, my username on heatware is blah blah", and if blah blah had a good rating, then they might believe me.

Unless, there's more to heatware than meets the eye... still, I like the idea of being able to verify that a seller/merchant is attached to a particular bitcoin address instantly.

Ahhh, makes sense.  Implement a little more accountability/security into the system.  I think that's a great idea that will hopefully get rid of all but the most determined of shysters.

Title: Re: Introducing!
Post by: SgtSpike on May 10, 2011, 04:25:30 AM
Glad you like the idea Tally-ho.  :)

I added the option to hide your email address.  Most people will want to enter an email address for future account verification and password retrieval/reset, but not everyone wants their email publicly displayed.  You now have the option to hide it in your account settings.

Title: Re: Introducing!
Post by: Longmarch on May 10, 2011, 05:35:45 AM
Good idea.

Tried to register, got this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 3

Title: Re: Introducing!
Post by: SgtSpike on May 10, 2011, 05:49:41 AM
Thanks Longmarch, fixed.  I borked the registration when I added the private email option.   ::)

Title: Re: Introducing!
Post by: SgtSpike on May 10, 2011, 07:13:06 AM
Gray-scaled the website for the most part, for you color-despising folk.  Let me know what you think of the new scheme.

Also, the "browse bitcointers" and Registered Members links work now... both leading to the same page.  I plan to add sort-by's on that page.

Title: Re: Introducing!
Post by: SgtSpike on May 11, 2011, 05:26:02 PM
Looking for some feedback (:D) on some questions I've been wrestling with...

1. Should I show the username of the person who leaves the feedback on another person's profile?
2. Should I make it optional whether a person wants their username to be published on feedback they leave on other people's profiles?
3. Should I allow users to rate people/companies who have not yet signed up for the site?
4. If so, would I create a false profile that anyone could fill in the information for?  In other words, should I allow anyone to create the profile, but leave it up to the company/member to "claim" the profile if they own it?

Title: Re: Introducing!
Post by: Longmarch on May 11, 2011, 06:43:19 PM
Looks good.  Easy to use.

I'm not inclined to have an opinion on any of those questions you mention.  I can see pros and cons for all of it.  Gets me thinking, though.  Will post if I have a thought that might be useful.

Title: Re: Introducing!
Post by: SgtSpike on May 11, 2011, 08:19:09 PM
Yeah, they're the kind of questions that just make me... ???  So many variables and reasons for doing and not doing each one.

Title: Re: Introducing!
Post by: SgtSpike on May 12, 2011, 06:42:01 AM
Updated the website.  You can now add in vendors/merchants/individuals if they are not currently registered on the site.  I will create a way for these persons to claim ownership of those profiles shortly.

As an example, I created a profile for Veritus101, someone who has scammed a forum member here.  I would appreciate help listing any other scammers you hear about on the website so that other people can avoid them in the future.

Title: Re: Introducing!
Post by: SgtSpike on May 12, 2011, 08:05:12 AM
Profile claiming has been implemented.  If someone else adds your business or name to the database, you can now claim it.

Also, I have now disallowed the changing of website addresses and business names.  I figured if people were leaving negative feedback on your profile, you would probably have a lot of incentive to try and change it to something else entirely to make it look like no one is leaving negative feedback for your business or screen name.

Title: Re: Introducing!
Post by: BCEmporium on May 12, 2011, 09:26:00 AM
Profile claiming has been implemented.  If someone else adds your business or name to the database, you can now claim it.

Also, I have now disallowed the changing of website addresses and business names.  I figured if people were leaving negative feedback on your profile, you would probably have a lot of incentive to try and change it to something else entirely to make it look like no one is leaving negative feedback for your business or screen name.

I would leave it to be changed, just not immediately changed. Or changed manually at request.
It may happen that people with bad feedback want to change, but so do people with good. Take for instance some guy who starts his business with a free domain, like or so, and as he succeeds buys the .com domain...

Title: Re: Introducing!
Post by: SgtSpike on May 12, 2011, 03:32:20 PM
Profile claiming has been implemented.  If someone else adds your business or name to the database, you can now claim it.

Also, I have now disallowed the changing of website addresses and business names.  I figured if people were leaving negative feedback on your profile, you would probably have a lot of incentive to try and change it to something else entirely to make it look like no one is leaving negative feedback for your business or screen name.

I would leave it to be changed, just not immediately changed. Or changed manually at request.
It may happen that people with bad feedback want to change, but so do people with good. Take for instance some guy who starts his business with a free domain, like or so, and as he succeeds buys the .com domain...
Agreed.  I will certainly make exceptions for people who contact me directly to get information changed, when it is obvious they aren't trying to hide the company from receiving negative feedback.

Also, I'm going to allow people to change it if they leave it blank during registration.

Title: Re: Introducing!
Post by: BCEmporium on May 12, 2011, 04:13:10 PM
Security issue! Critical!

Mails are displayed as is in your page, this is ground for harvest for spam crawlers.

Encode the mails with JS or PHP GD in order to prevent it.

The simplest would be this (not 100% effective, but still somewhat effective):
At the beginning of the list:
<script language="javascript">
var users = new Array;
var domains = new Array;
<?php
// Emit each address as two separate strings so it never appears whole in the page source
foreach($users as $u){
  $l = explode("@",$u['email']);
?>
users.push('<?php echo $l[0];?>');
domains.push('<?php echo $l[1];?>');
<?php } ?>
</script>

Within the cell that displays the email address:
<script language='javascript'>
// Reassemble the address in the browser; rows with no address print nothing
if(users[<?php echo $row_nr;?>] != ""){
  document.write(users[<?php echo $row_nr;?>] + "@" + domains[<?php echo $row_nr;?>]);
}
</script>
<noscript>Email protected</noscript>

Title: Re: Introducing!
Post by: SgtSpike on May 12, 2011, 04:19:15 PM
I will implement that, thanks for the heads up!

People can also, optionally, opt to hide their email addresses from the public to avoid such spam harvesting as well.  In that case, it would just be used in the future for password recovery.

Title: Re: Introducing!
Post by: SgtSpike on May 12, 2011, 05:40:10 PM
It's been implemented...!  Thanks!

Title: Re: Introducing!
Post by: BCEmporium on May 12, 2011, 05:52:55 PM
Just a small thing left, you forgot to skip the hidden emails when filling the arrays.

Meaning something like this:

<?php
foreach($users as $u){
  $l = explode("@",$u['email']);
?>
users.push('<?php echo $l[0];?>');
domains.push('<?php echo $l[1];?>');
<?php } ?>

Turn it into this:

<?php
foreach($users as $u){
  // Only emit addresses the user has not chosen to hide
  if($u['hidde_email'] == 0){
    $l = explode("@",$u['email']);
?>
users.push('<?php echo $l[0];?>');
domains.push('<?php echo $l[1];?>');
<?php
  }
}
?>
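
The split-address technique from the two posts above, as an added example that is not the site's code: the server-side half is ported to Node.js so it runs stand-alone, and the field names `email` and `hide_email` are hypothetical. It assumes array positions must keep matching row numbers, so hidden rows are emitted as empty strings instead of being skipped, and every value is escaped before it goes into the inline script.

```javascript
// Constructed sample rows; the third one carries markup in its local part.
const SAMPLE_ROWS = [
  { email: 'alice@example.com', hide_email: 0 },
  { email: 'bob.private@example.org', hide_email: 1 },
  { email: 'x</script><b>@example.net', hide_email: 0 },
  { email: 'no-at-sign', hide_email: 0 },
];

// Serialise a value for use inside an inline <script> block. JSON.stringify
// handles quotes and backslashes; the extra escapes stop a value containing
// "</script>" or "<!--" from ending the block early.
function toInlineJs(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Split one row into [localPart, domain]. Hidden or malformed addresses
// become empty strings so array indexes still line up with table rows.
function splitForRow(row) {
  if (row.hide_email || typeof row.email !== 'string') return ['', ''];
  const at = row.email.lastIndexOf('@');
  if (at <= 0 || at === row.email.length - 1) return ['', ''];
  return [row.email.slice(0, at), row.email.slice(at + 1)];
}

// The block placed at the beginning of the list.
function renderEmailArrays(rows) {
  const parts = rows.map(splitForRow);
  return '<script>\n' +
    'var users = ' + toInlineJs(parts.map((p) => p[0])) + ';\n' +
    'var domains = ' + toInlineJs(parts.map((p) => p[1])) + ';\n' +
    '</script>';
}

// The cell for one row. textContent is used instead of document.write so
// the reassembled address is never parsed as HTML.
function renderEmailCell(rowNr) {
  if (!Number.isInteger(rowNr) || rowNr < 0) {
    throw new TypeError('row number must be a non-negative integer');
  }
  const id = 'email-' + rowNr;
  return '<span id="' + id + '">Email protected</span>' +
    '<script>if (users[' + rowNr + '] !== "") {' +
    'document.getElementById("' + id + '").textContent = ' +
    'users[' + rowNr + '] + "@" + domains[' + rowNr + '];}</script>';
}
```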

Title: Re: Introducing!
Post by: SgtSpike on May 12, 2011, 06:07:31 PM
Good catch, thanks for poking holes in my security so I can fix them now!  :)

It should be fixed now.  No hidden emails showing up in javascript code.

Title: Re: Introducing!
Post by: BCEmporium on May 12, 2011, 06:29:30 PM
Good catch, thanks for poking holes in my security so I can fix them now!  :)

It should be fixed now.  No hidden emails showing up in javascript code.

Guess today I'm especially good at detecting security holes  ;D
Found one on my casino engine that would let people double bet (fixed now...  ;) ). Nobody is perfect, eh?

Title: Re: Introducing!
Post by: SgtSpike on May 13, 2011, 04:32:27 AM
Nope, and certainly not myself, which is why I ask people to test it out and find holes!

New feature added:  Feedback is now calculated as a percentage of positive to positive+negative.  Neutral feedback is not counted towards the percentage, but it is calculated towards the total number of feedbacks received.

I have created a test user, so anyone who wants to try it out (leaving positive/negative/neutral feedback) is welcome to leave whatever sort of ratings on the test user that you want.

Title: Re: Introducing!
Post by: BCEmporium on May 13, 2011, 03:25:57 PM
Just yet another idea:

Associate more than 1 URL with one account. Many people, like myself, have more than 1 site and URL.

Title: Re: Introducing!
Post by: SgtSpike on May 13, 2011, 04:12:48 PM
Just yet another idea:

Associate more than 1 URL with one account. Many people, like myself, have more than 1 site and URL.
I thought about that... but then again, what if the websites split out and become owned by two different people?  I suppose situations like that could be taken on a case-by-case basis.  I'd kind of like to see it be on a "per-business" basis than a "per person" basis, if the person owns more than one distinct business.


Title: Re: Introducing!
Post by: SgtSpike on May 16, 2011, 06:20:47 AM
It looks like the website is *starting* to take off - I am seeing a new registration every couple of hours or so, without any incentive attached.  Let's hope that it's reached critical mass already and will continue building on its own.  :)

Title: Re: Introducing!
Post by: SgtSpike on May 19, 2011, 05:29:11 PM
In an effort to continually improve the service, I have made a few changes:

- I can now ban people who I see are abusing the system
- Comments, Business, and a related URL are all required fields in the feedback system now.
- Usernames of the people who leave feedback are now shown publicly.  This is so you all can more easily tell if someone legitimately has 8 positive feedback, or if 7 of those were left by the same person.

I have also improved website security according to suggestions made in a security audit.  I still have more work to do on that front, but no one is going to be stealing your password or anything.

Open to further suggestions!

Title: Re: Introducing!
Post by: SgtSpike on May 24, 2011, 06:38:42 PM
Changed the sort of the Browse list to sort by number of feedback received.  The list was getting long, and I wanted people to more easily see the feedback that was being left.

Changed the color of in-content links from green to blue.

Added coloring of the feedback... green = mostly positive, yellow/brown = some positive, some negative, red = mostly negative.

Title: Re: Introducing!
Post by: BCEmporium on May 24, 2011, 07:09:05 PM
Shouldn't 0 be gray or black? I don't see why it is red, as it is neither good nor bad.

Title: Re: Introducing!
Post by: SgtSpike on May 24, 2011, 08:06:57 PM
Shouldn't 0 be gray or black? I don't see why it is red, as it is neither good nor bad.
(1) 0% means 1 negative feedback was received.  This should be red.
(0) 0% means 0 feedback was received.  I have changed this to gray.

Not sure if you meant just the (0) ones or not, but thought I should clarify just in case.  Thanks for the suggestion!

Title: Re: Introducing!
Post by: BCEmporium on May 24, 2011, 08:13:05 PM
Yes, the zero % over zero feedback.
Obviously a -1 still counts for 0% and it's negative (Red)