Dam...  that sux man...  bitmarket.eu should remove the payfail option entirely.

Trying to warn people is like....

Getting a 10% discount is not a prize.  That's so lame and just screams of CHEAP and SCAM.

Prizes should be freebies with no obligation to 'buy' something to actually get a lame discount on something that was originally overpriced.  Most people would know the difference between 'prize' and 'scam' and never return.

  Sorry to start trouble here with the bot thing...I wouldn't write a bot for this myself either, but I did want to bring it to the OP's attention that sooner rather than later, someone world.

I think the only way to defeat bot scraping here would be to have to type in the captcha before you can see if the flower is open or not.

I do like her idea and admire her for her generosity and hope she has fun with it.

If it was me though, I would have 10 x .1 BTC prizes a day...or even 20 x.05 BTC....probably get more frequent visitors like that...idk.

But anyway, keep up the good work!

Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this....but once you understand it, it's simple to fix...albeit tedious since you have to examine and fix every form post and action URL your users have access to.

Yes...you are absolutely correct.  I thought the guy has been dead long enough that his works would be in the public domain by now.  I thought it was 20 years after death, but after researching, it's 50 years...or 120 years if the work was made on behalf of a corporation. (USA law)

Oh well...  I won't post any more of his work.  But if you're still looking to read more of his work, many of his books have been available for free download since 2004 here:  http://vivien23.uw.hu/index.html

The link not necessarily has to be on your site...because we all use these forums, I could put a link on the forum..and if someone is logged into your site when they click the link I post here...they can get goxed if your site isn't xsrf safe..

Or, I could post an image here...but the image isnt an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the xsrf...no need to click on a link at all.

That's why its dangerous....cuz the attack doesn't have to come from your site...the user just needs to be logged in to your site.

Cool site...and a great idea to put a banner or something there to help pay for the btc prize!

Is that the place on East Church St by the animal hospital?...idk...just taking a stab in the dark. 

And that's why XSRF is so dangerous because it's it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as a HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic..most of it just seems too nerdy and unnecessary because this attack isn't used much....but if there is a hole..especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article...but even if you read the comments, some people still don't get it....XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html

Seems to be working fine now.

I just put Isaac Asimov's Foundation Trilogy on there...my all-time favorite read.

"Called forth to stand trial on Trantor for allegations of Treason (for foreshadowing the decline of the Galactic Empire), Seldon explains that his science of Psychohistory foresees many alternatives, all of which result in the Galactic Empire eventually falling. If humanity follows their current path, the Empire will fall and thirty thousand years of turmoil will overcome humanity before a second Empire arises. However, an alternative path allows for the intervening years to only be one thousand, if Seldon is allowed to collect the most intelligent minds and create a compendium of all human knowledge, titled Encyclopedia Galactica."

Check it out!  Only .1 BTC!
http://www.downloadcoin.com/content.php?dist=42&d=101

  How's your site coming along anyway?

I just finished patching my XSRF holes Kokjo was kind enough to rub in my face.    Don't forget those!  They can be nasty buggers!  Even nastier than a XSS bug because the danger is subtle and may not even be obvious at first.

I'm just waiting for the day I find someone to hack who has one of those 3D printers.  I'd hack it and program it to make a zombie robot and have it attack the guy while he's sleeping and steal his mining rigs and all his bitcoinz!

THIS--^   

I'm in Canada and I can see my dot!!!  Finally I'm famous!  Yay!

and no...I'm not the big one... sigh...

I'm rooting for Jake.  I think he'll do the right thing.

I'd too hate to see him OD on the smack he bought with coins he stole from an honest man....cuz karma is a bitch like that.

Hi again guys and gals!

I'm still making progress on my exchange....BitSwaps!

I want to get all the main trading APIs coded and tested before the site actually goes live, so I've been working a bit on that the past week.

The APIs currently use GET for testing, but I can easily change them to POSTs when the time comes.

I would just like to know if my JSON is properly being output, and would like some feedback on what other APIs you would like to see implemented before the exchange goes live.

You can log in with a demo account or get more info here: https://bitswaps.appspot.com/apiinfo

I'm also going to add something like websockets called 'channels' so you won't have to poll the server to get market updates.  More info on that here: http://code.google.com/appengine/docs/python/channel/overview.html  That looks easy peasy to implement.

But, first I want to make sure what I have works...then possibly work with 1 or 2 ppl to finish building and testing the rest of the APIs.

If you're interested, just check out the site and send your comments to me in IM or post them here.  I'll notice them faster if you send in IM.

Thanks!

How come when I do a google map search for North Korea missle sites I get Washington DC?

http://maps.google.ca/maps?hl=en&q=north+korea+missile+sites&bav=on.2,or.r_gc.r_pw.&biw=1024&bih=605&um=1&ie=UTF-8&sa=N&tab=wl

Swish...thats cool stuff.  You can't learn anything like that where I'm at.  They have crappy Microsoft Training as a computer science course...it's pathetic to say the least.

This is a steel town.  We have a steel mill and if you don't work there, you don't make any money.

Any banks and corporations in town have all their head offices and IT departments based in Toronto...it's fucked...if you want to work here, you can't live here....You have to live in Toronto and they fly you here if they need you.

Anyway....I made this thread just for fun and to vent a bit...but the bounty is STILL open!

I'll check this thread again when I return from my nap under the bridge!

We Have a contender!  Someone who can program a VIC-20!

I love BASIC myself...  GOSUB FTW!

However, rolling a 'Swisher' when you need it, while you need it, is a talent to be admired indeed.



 

[FAIL]
[/FAIL]

He's passed out on the sofa chair in my front porch...  wtf u want man?