Bitcoin Forum
  Show Posts
2321  Bitcoin / Project Development / Re: Secure Bitcoin Using Existing "tanJack" Device for Online Banking! on: August 17, 2011, 05:20:01 PM
Why don't we as the bitcoin community group invest in bio-metric scanning devices for bitcoin clients :D then mass produce. Everyone that was involved in the project gets a piece :D
2322  Bitcoin / Project Development / Re: Secure Bitcoin Using Existing "tanJack" Device for Online Banking! on: August 17, 2011, 04:14:39 PM
lol at first I was like wtf does flashing boxes and typing in the code help security but I read a little bit more and yes if we have a way for bitcoin clients to be set so nothing is sent without an external device. I would probably buy into this actually. This sounds very safe.
2323  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] Hack my site Aug, 17th on: August 17, 2011, 04:10:25 PM
Okay everything should be operational, doing some last minute touches on product reviews and rating system. Hack-A-Thon will begin at 12PST and I'll PM everyone when it's ready to start.

*Edit: I meant to put everything should be operational except for the forgot password because it involved mail and getting mail to send and receive is like the devil trying to get to heaven (It can happen but it's going to take a lot of work! PUN INTENDED)

*Update:
I will be setting the cost of all the products to about .01 BTC this way testers can try out the shopping cart system and see if there are any vulnerabilities in that.
There is a Store Credit section in the account details; if you want your BTC back just type in your return address and press the "Request Refund" button and I'll send you your "Store Credit" back. It will tell you "Please allow 2-3 days for your refund." This won't be true during testing times; I'll send it back to you as soon as I see the request, but it shouldn't be a big deal how soon you receive it since we're dealing with .01BTC's here.

Tip: Looking for security flaws and bugs.

(It will be another 2 more hours from 12:31PM PST, I just realized I didn't patch up something)
2324  Economy / Services / Re: 1BTC to assist me with sending/recieving email on my ubuntu server on: August 16, 2011, 11:35:59 PM
Thanks Imma try all your responses and see what happens.

And yea definitely not running off my home computer, it is a Cloud Hosting type server
2325  Economy / Speculation / Re: Are we about to witness something epic? on: August 16, 2011, 11:05:58 PM
I wouldn't mind a gradual increase of $1/week in the price. Keeps things running smoothly. The difficulty drop may be the harbinger of future price increases - based on the last time that happened.

Watching the charts...
A $1 every 2 weeks would be even better. Slow and steady is the way to go if we ever want this "experiment" to work, and turn into a viable currency.

if it did go up slow and steady, after a while it would start to look like a safe investment, and the speculators would be all over it, driving the price up, which would cause panic buying ;D then eventually the surge runs out of steam... oh no!  SELL! SELL! SELL!

is that pattern even avoidable?

Afraid not, bitcoin follows the swings generated by its milestones good and bad. We haven't even reached V1 yet of the client, so there's a lot to happen yet. Also a few million is very little of a unit to have in circulation, any relatively small movement on an international scale can have a massive impact on price. It will be a long, long while until the price settles in to an equilibrium if ever, as bitcoin has behaved more like a commodity than a currency due to its scarceness. Currencies fluctuate mildly (on the macro scale at least) just on the basis of their vast quantities in circulation.
Thank you for explaining this as I have been trying to tell my friends for weeks why Bitcoin is going to have a hard time catching on as a "currency". Regardless it's an awesome commodity which does have its own value.
We all know Gold was a commodity when they first found that stuff ;)
2326  Economy / Services / Re: 1BTC to assist me with sending/recieving email on my ubuntu server on: August 16, 2011, 09:22:57 PM
Postfix is the issue. I don't understand why it won't pick up on my domain name. All my emails get sent back to me.
2327  Economy / Services / [CLOSED] 1BTC to assist me with sending/recieving email on my ubuntu server on: August 16, 2011, 08:18:31 PM
1BTC if you can assist me in installing sending and receiving emails when somebody sends an email to my domain name.
Not through SSH, just give me the steps through Skype or something instant. I've attempted myself many times and failed.
I have SquirrelMail installed and I'd like to get that working with it as well. I believe I read that there is an extra step for that; I'll pay 0.5BTC to help get SquirrelMail installed.
2328  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] Hack my site Aug, 17th on: August 16, 2011, 07:54:04 PM
Forgotten password won't be available for testing tomorrow. I'm still trying to figure out how to get mail to send correctly. As well as set up the receiving end
2329  Other / Off-topic / Re: What game should i point my miner to? on: August 15, 2011, 05:19:22 PM
Black Ops or Mass Effect 1/2/3

Mass Effect 3 is out? Are you from the future?

Speaking of mass effect... I still need to beat 1 as when i actually owned the game (I lost it) i only got up to a few chapters in until my old video card froze up at this one part :( Man i have a lot of catching up to do.....

How can you have played Mass Effect 2 without having finished Mass Effect 1? That must be punishable by law or something. I like importing my character from ME1 into ME2 and following the history. In ME2 they were kind of limited on the paths available because it was the middle of the trilogy, but they have said in ME3 the decisions you took in ME1 and ME2 will have a big impact in how the game ends.

I haven't played ME2 yet, i was just saying i need to catch up because i'm so behind
2330  Other / Off-topic / Re: What game should i point my miner to? on: August 15, 2011, 06:16:29 AM
Black Ops or Mass Effect 1/2/3

Mass Effect 3 is out? Are you from the future?

Speaking of mass effect... I still need to beat 1 as when i actually owned the game (I lost it) i only got up to a few chapters in until my old video card froze up at this one part :( Man i have a lot of catching up to do.....
2331  Other / Off-topic / Re: What game should i point my miner to? on: August 15, 2011, 04:10:12 AM
BORDERLANDS!
That reminds me i still need to beat that game.... darn scally-wags (aka scags)
2332  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] I <3 lamp! on: August 14, 2011, 05:18:10 PM
Edited OP for payment details I've decided.
2333  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] RSVP Here to have a hack at my upcomming website. on: August 14, 2011, 05:09:55 PM
Start Date: August 17th
12 in the afternoon PST.

Use this thread to report bugs. :)
2334  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] RSVP Here to have a hack at my upcomming website. on: August 14, 2011, 12:52:11 PM
Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this....but once you understand it, it's simple to fix...albeit tedious since you have to examine and fix every form post and action URL your users have access to.

Thankfully I only have a few forms most of which everything required a #id number so they were semi safe if the attacker could guess the #id number of the shopping cart they wanted to control but I did have to do some token work on account details so packages won't get shipped in the wrong place ;)
2335  Bitcoin / Bitcoin Discussion / Re: How helpfull would it be to shoot a bitcoin block chain up into deep space? on: August 13, 2011, 08:01:24 PM
You have no idea how much your answers have helped :D thank you all ;)
2336  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] RSVP Here to have a hack at my upcomming website. on: August 13, 2011, 04:11:51 PM
The link doesn't necessarily have to be on your site...because we all use these forums, I could put a link on the forum..and if someone is logged into your site when they click the link I post here...they can get goxed if your site isn't xsrf safe..

Or, I could post an image here...but the image isn't an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the xsrf...no need to click on a link at all.

That's why it's dangerous....cuz the attack doesn't have to come from your site...the user just needs to be logged in to your site.

wow!? This is a crazy type of attack, I must get back to work ;)
2337  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] RSVP Here to have a hack at my upcomming website. on: August 13, 2011, 03:24:11 PM
And that's why XSRF is so dangerous, because it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as a HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic..most of it just seems too nerdy and unnecessary because this attack isn't used much....but if there is a hole..especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article...but even if you read the comments, some people still don't get it....XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html

Thanks for this very informative article, I will be researching it to the line. It's crazy the things people come up with to hack something. :D

Edit: so as long as I don't allow any links to other websites I'm thinking I should be good.
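The token check described in the quoted reply above (a hidden form field compared against a cookie), sketched in PHP 7.1+ as an added example; it is not code from the thread or from the site being tested. The function names, the `csrf_token` field name and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example: double-submit CSRF token. Function and field names are hypothetical.

// New random token; the same value goes into the cookie and the hidden field.
function csrf_issue_token(): string
{
    return bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
}

// Hidden field to embed in every form that changes state.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// $cookies and $post stand in for $_COOKIE and $_POST so this runs from the CLI.
function csrf_check(string $method, array $cookies, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes never run on GET, so an <img> fetch does nothing
    }
    $cookie = $cookies['csrf_token'] ?? '';
    $field  = $post['csrf_token'] ?? '';
    // A field sent as csrf_token[] arrives as an array; reject it instead of crashing.
    if (!is_string($cookie) || !is_string($field) || $cookie === '') {
        return false;
    }
    return hash_equals($cookie, $field); // constant-time comparison
}

// Constructed demo. On a real page the token is sent with (PHP 7.3+ syntax):
// setcookie('csrf_token', $token, ['httponly' => true, 'secure' => true, 'path' => '/']);
$token   = csrf_issue_token();
$cookies = ['csrf_token' => $token]; // the browser attaches this to every request
echo csrf_hidden_field($token), "\n";

$requests = [
    'form served by the site'    => ['POST', ['csrf_token' => $token, 'ship_to' => 'home']],
    'forged POST, no token'      => ['POST', ['ship_to' => 'elsewhere']],
    'forged POST, guessed token' => ['POST', ['csrf_token' => str_repeat('0', 64)]],
    'token sent as array'        => ['POST', ['csrf_token' => ['x']]],
    'image tag (GET)'            => ['GET', []],
];
foreach ($requests as $label => [$method, $post]) {
    printf("%-27s %s\n", $label, csrf_check($method, $cookies, $post) ? 'accepted' : 'rejected');
}
```

Keeping the token in the database instead of a cookie, the alternative the reply mentions, uses the same check with the stored value in place of the cookie value.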
2338  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] RSVP Here to have a hack at my upcomming website. on: August 13, 2011, 01:08:46 PM
:)  How's your site coming along anyway?

I just finished patching my XSRF holes Kokjo was kind enough to rub in my face.  :)  Don't forget those!  They can be nasty buggers!  Even nastier than an XSS bug because the danger is subtle and may not even be obvious at first.

Wow haven't heard of those attacks yet, I'm not entirely sure I'm covered but the measure I have taken before reading about that kind of attack is this.
I sha512 hash the cookie authentication similar to mining farm except I have removed the annoying 30 minute session limit that was in mining farm; you can browse as long as you're active for up to an hour of inactivity. I'm hoping that should be enough. I'll give you guys a hint on the framework for the hashing value.....
Quote
user_ip_address.randomly_generated_secret.user_unhashed_password.auto_updating_expiration_timestamp

Pseudo code looks something like this
Quote
$CookieIp.$CookieSecret.$Password.$ExpireTimestamp

At the time of writing this, I'm finishing up the last touch and that is user reviews. I hope to start the hack-a-thon on Monday, 15th of August. :D

Edit: all this got me thinking, I'm rewriting the login code to constantly randomly generate a "secret" every time a page is refreshed just to make it super extra session-hijacking safe.

Edit2: I think I'll give some more hints to the people: I have changed my root MySQL user name that mysql runs on (won't disclose what the username is) and I have the actual website running through a jailed user, there is no phpMyAdmin (to prevent bruteforce attacks on that), and I've changed my root user name login through SSH. I think I got everything covered as far as securing the actual box, I hope some hackers can prove me wrong ;)
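An added example (not the poster's code) of an expiring, IP-bound login cookie of the kind outlined in the post above, in PHP 7.1+. It swaps the plain SHA-512 over concatenated fields for HMAC-SHA-512 keyed with the per-login random secret, and leaves the password out of the hashed input. All function names, the user id, the clock value and the documentation-range IP addresses are hypothetical and constructed.

```php
<?php
// Added example: expiring, IP-bound login cookie. All names are hypothetical.
const IDLE_LIMIT = 3600; // seconds of inactivity allowed (the "hour" from the post)

// $secret is random per login and kept server-side (e.g. in a sessions table).
function auth_cookie_make(string $secret, int $userId, string $ip, int $now): string
{
    $expires = $now + IDLE_LIMIT;
    // '|' cannot occur in any field, so field boundaries are unambiguous.
    $mac = hash_hmac('sha512', "$userId|$ip|$expires", $secret);
    return "$userId|$expires|$mac";
}

// Returns the user id for a valid cookie, or null.
function auth_cookie_verify(string $cookie, string $secret, string $ip, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null; // malformed
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha512', "$userId|$ip|$expires", $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // edited cookie, different IP, or wrong secret
    }
    return ((int) $expires >= $now) ? (int) $userId : null; // idle timeout
}

// Constructed demo values (documentation IP ranges, fixed clock).
$secret = random_bytes(32);
$now    = 1313236800;
$cookie = auth_cookie_make($secret, 42, '203.0.113.5', $now);

// Same cookie with the expiry field pushed 30 days out by the client.
$p = explode('|', $cookie);
$p[1] = (string) ($now + 86400 * 30);
$forged = implode('|', $p);

$cases = [
    'same IP, 10 min later' => [$cookie, '203.0.113.5', $now + 600],
    'replayed from new IP'  => [$cookie, '198.51.100.9', $now + 600],
    'after idle limit'      => [$cookie, '203.0.113.5', $now + IDLE_LIMIT + 1],
    'expiry field edited'   => [$forged, '203.0.113.5', $now + 600],
];
foreach ($cases as $label => [$c, $ip, $t]) {
    printf("%-22s %s\n", $label, var_export(auth_cookie_verify($c, $secret, $ip, $t), true));
}
```

Reissuing the cookie with `auth_cookie_make` on each authenticated request gives the sliding one-hour window the post describes.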
2339  Bitcoin / Project Development / Re: [Scheduled Hack-A-Thon] RSVP Here to have a hack at my upcomming website. on: August 13, 2011, 12:12:47 PM
I'm just waiting for the day I find someone to hack who has one of those 3D printers.  I'd hack it and program it to make a zombie robot and have it attack the guy while he's sleeping and steal his mining rigs and all his bitcoinz!


A glimpse at future hacking endeavours....
Hide yo bitcoins, hide yo wife.... Run and tell that, run and tell that, home boy, home boy
2340  Bitcoin / Bitcoin Discussion / Re: The most convincing information about Bitcoin to bring in friends on: August 13, 2011, 05:54:48 AM
speaking solely for myself,

i wouldn't try to bring on friends at this point....BTC is, IMO, still waaaaay too risky to try to convince friends and family to sink their hard earned cash into...i've had a couple of friends ask about it (they caught me staring at the charts) and i've explained it to them in round about terms, but that's as far as it goes.

there are better investments for loved ones to put their cash into IMO...i just don't feel safe at this point recommending BTC to anyone who hasn't done their due diligence in research and/or is naive or unaware of the extreme risk involved with investing in BTC....

that said, if someone does do the research and decides to invest, i certainly wouldn't discourage them...but for now, i'm not trying to bring new people on until BTC's growing pains have settled out a bit.

That is a very good point, I've never thought of overly convincing a family member or a friend to have the urge to invest into it, especially without knowing the possible consequences of it all