Bitcoin Forum
  Show Posts
3341  Other / Meta / Unclaimed forum donation on: October 11, 2013, 09:41:19 PM
Someone donated 10 BTC directly to the forum's main donation address 17RTTUAiiPqUTKtEggJPec8RxLMi2n9EZ9. (This is not what you're supposed to do if you want Donator status.) Someone is trying to claim this donation for Donator status, but they can't prove that they sent it. If you actually sent this 10 BTC, sign a message with 1ECTrZNum3ojyfDnZbkDBALtfwWL54wtZL. Otherwise, I'll give the status to the guy who already contacted me about claiming it.
3342  Bitcoin / Development & Technical Discussion / Re: Soft-fork Proposal: allow nLockTime specify an UPPER limit instead of lower lim. on: October 10, 2013, 11:25:59 PM
Hmm, I wasn't aware of anything special happening at the 100 block mark.
Can you repeat your answer with a few more details and references, for poor ignorant souls such as myself?

Sometimes (though very rarely), there is a large chain fork. In a fork, the miners mining on what ends up being the wrong side of the fork lose their mining rewards when the chain merges again. Anyone who received those newly-mined coins (perhaps over many "generations" of transactions) will have those transactions permanently invalidated. This is very bad. To prevent this from happening, the Bitcoin network prohibits coinbase transactions (mining rewards) from being spent for 100 blocks. As a result, a fork must be longer than 100 blocks for any non-coinbase transactions to be invalidated unless there's double-spending involved. Any change to Bitcoin which would allow a valid transaction to later become invalid would break Bitcoin's robustness in this area unless such transactions had similar 100-block spending restrictions.
3343  Bitcoin / Development & Technical Discussion / Re: Soft-fork Proposal: allow nLockTime specify an UPPER limit instead of lower lim. on: October 10, 2013, 06:20:22 AM
That would reduce Bitcoin's security/robustness model. Currently, it isn't possible for a transaction to become invalid after a chain fork of less than 100 blocks unless double-spending is involved. With threshold transactions, a long fork (due to a netsplit, bug, etc.) can cause widespread havoc by invalidating tons of transactions dependent on a threshold transaction. Maybe it'd be OK if threshold transactions had the same 100-block spending limit as coinbase transactions, but this extra complexity isn't worthwhile IMO unless there's some amazing application for these transactions.
3344  Other / Meta / Registration disabled temporarily on: October 10, 2013, 05:30:10 AM
Registration is disabled until I have time to fix some things.
3345  Economy / Auctions / Re: Advertise on this forum - Round 98 on: October 09, 2013, 11:17:20 PM
This auction will be done again: see https://bitcointalk.org/index.php?topic=308632.0 .
3346  Economy / Auctions / Advertise on this forum - Round 98 (speedy redo) on: October 09, 2013, 11:16:48 PM
Due to the hack, the last auction will be redone. This auction will end sometime in the next 48 hours.

In order to collect more money for the creation of good forum software and for other useful purposes, the forum is selling ad space in the area beneath the first post of every topic page.

Ads are allowed to contain any non-annoying HTML/CSS style. No images, JavaScript, or animation (no marquee or blinking). Ads must appear 3 or fewer lines tall in my browser. Ads will be prefixed with "Advertisement:". Ad text may not contain lies, misrepresentation, or inappropriate language. Ads may not link directly to any NSFW page. Ads may be rejected for other reasons.

There are 10 total ad slots which are randomly rotated. So one ad slot has a one in ten chance of appearing. Seven of the slots are for sale here. Ads appear only on topic pages with more than one post, and only for people using the default theme.

The ad lasts at least 7 days starting from when I put it up. (However, if you look at the ad history you'll see that ads frequently get 1-2 extra days, but this is random and definitely not guaranteed.)

Stats

Exact historical impression counts per slot:
https://bitcointalk.org/adrotate.php?adstats

Info about the current ad slots:
https://bitcointalk.org/adrotate.php?adinfo

Ad blocking

Hero members, Donators, VIPs, and moderators have the ability to disable ads. I don't expect many people to use this option. These people don't increase the impression counts for your ads.

I try to bypass Adblock Plus filters as much as possible, though this is not guaranteed. It is difficult or impossible for ABP filters to block the ad space itself without blocking posts. However, filters can match against the URLs in your links, your CSS classes and style attributes, and the HTML structure of your ads.

To prevent matches against URLs: I have some JavaScript which fixes links blocked by ABP. You must tell me if you want this for your ads. When someone with ABP and JavaScript enabled views your ads, your links are changed to a special randomized bitcointalk.org URL which redirects to your site when visited. People without ABP are unaffected, even if they don't have JavaScript enabled. The downsides are:
- ABP users will see the redirection link when they hover over the link, even if they disable ABP for the forum.
- Getting referral stats might become even more difficult.
- Some users might get a warning when redirecting from https to http.

To prevent matching on CSS classes/styles: Don't use inline CSS. I can give your ad a CSS class that is randomized on each pageload, but you must request this.

To prevent matching against your HTML structure: Use only one <a> and no other tags if possible. If your ads get blocked because of matching done on something inside of your ad, you are responsible for noticing this and giving me new ad HTML.

Auction rules

Post your bids in this thread. Prices must be stated in BTC per slot. You must state the max number of slots you want. When the auction ends, the highest bidders will have their slots filled until all seven slots are filled.

So if someone bids for 7 slots @ 5 BTC and this is the highest bid, then he'll get all 7 slots. If the two highest bids are 7 slots @ 4 BTC and 1 slot @ 5 BTC, then the first person will get 6 slots and the second person will get 1 slot.

The notation "2 @ 5" means 2 slots for 5 BTC each. Not 2 slots for 5 BTC total.

- When you post a bid, the bids in your previous posts are considered to be automatically canceled. You can put multiple bids in one post, however.
- All bid prices must be evenly divisible by 0.25.
- The bidding starts at 0.50.
- I will end the auction at an arbitrary time no more than 12 days from now. (I will probably end the auction 1-3 days before the ads are scheduled to go up.)
- If two people bid at the same price, the person who bid first will have his slots filled first.
- Bids are considered invalid and will be ignored if they do not specify both a price and a max quantity, or if they could not possibly win any slots.

If these rules are confusing, look at some of the past forum ad auctions to see how it's done. I also post periodic status updates which should help make things clear.

You must pay for your slots within 24 hours of receiving the payment address. Otherwise your slots may be sold to someone else.
3347  Other / Meta / Re: Custom avatars don't working now? on: October 09, 2013, 08:26:23 PM
If you uploaded your avatar recently, it may have been lost in the move.
3348  Other / Meta / Re: Site activity is not updating ! on: October 08, 2013, 11:51:44 PM
I think I fixed that.
3349  Other / Meta / Re: About the recent attack on: October 07, 2013, 10:18:14 PM
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (ie. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.
3350  Other / Meta / Re: About the recent attack on: October 07, 2013, 07:47:24 PM
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.
3351  Other / Meta / Re: About the recent attack on: October 07, 2013, 01:08:29 PM
It is somewhat scary that admins can modify forum code from within the forum itself if I understand correctly.

That's how Satoshi set it up (maybe the SMF default), but I fixed it a while ago.
3352  Other / Meta / About the recent attack on: October 07, 2013, 05:18:33 AM
On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.

Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.

The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.

How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpeles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to log in as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.

The future

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.

I'd like to publish the forum's current code so that it can be carefully reviewed and the disabled features can be re-enabled. SMF 1.x's license prohibits publishing the code, though, so I will have to either upgrade to 2.x, get a special copyright exception from SMF, or do the auditing myself. During this investigation, a few security disadvantages to 2.x were brought to my attention, so I don't know whether I want to upgrade if I can help it. (1.x is still supported by SMF.)

Special thanks to these people for their assistance in dealing with this issue:
- warren
- Private Internet Access
- nerta
- Joshua Rogers
- chaoztc
- phantomcircuit
- jpcaissy
- bluepostit
- All others who helped

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of October 7 2013, the Bitcoin Forum has been restored to bitcointalk.org.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlJSRF8ACgkQxlVWk9q1keemWgD/WcvrsikPq6AHpEo20KGmQInp
FlyAWNbX74z65KJrsUEBAIcCzYnHZ7gAs49mlhSq1fR9o2LZCETV3BJveCTu7lAi
=b9Xb
-----END PGP SIGNATURE-----
3353  Bitcoin / Bitcoin Discussion / Re: SilkRoad domain Seized? on: October 03, 2013, 12:10:20 AM
It's tragic that an innocent person will be imprisoned by the government and that the free market has been interfered with, but I'm confident that an even better Silk Road will appear in the near future.

Didn't DPR say that he bought Silk Road from someone else? What happened to that? Was he just lying?

Would you believe that I, as an ancap, also find Rothbard unconvincing?  Not only that, but I don't think the "non-aggression principle" is an adequate guide for political philosophy.  I'm not a libertarian due to moral axioms, but rather, because I think it produces the best outcomes. 

I'm also a "Friedmanite ancap", though I also generally believe that the NAP is a good moral rule to follow in almost all cases. Rothbard may have contributed a lot to libertarianism and economics, but his ethical theory is contradictory in some places and disturbing in others.

Even if you're an ancap purely for moral reasons, it's good to know the non-moral arguments for it: A lot of people simply disagree with the NAP, and your moral arguments will be useless against such people.
3354  Bitcoin / Bitcoin Technical Support / Re: building bitcoin on unix is now a pain thanks to bitcoin devs on: October 01, 2013, 10:03:14 PM
the software i use without no compensation was written by satoshi, not the people who manage it now.

Why don't you use 0.3.19 if the current developers aren't adding anything?
3355  Other / Meta / Re: bitcointalk.org has now 150 000 registered members on: October 01, 2013, 09:58:38 PM
Currently: With 150,399 members, I estimate that 47,903 accounts have been used by humans and 10,622 accounts are active. "Used by humans" = (received a PM and sent a PM) or at least 2 posts. "Active" = activity > 14 and logged in within the last month.

What's the period of time for the "most online" measurement, is it 24 hours?  Seems kind of slim!

That's not being tracked anymore, so that statistic may be wrong.
3356  Other / Meta / Re: Get Donator status by donating 10 BTC on: September 30, 2013, 09:20:24 PM
MagicalTux got "free" VIP status for hosting the forum for a long time, too. I think that him plus Hal are the only free donator statuses I gave out. You'd have to do something pretty extraordinary to convince me to give out another free one.

I don't see any point in donating 5 BTC now and then 5 BTC later. You won't get Donator status until you've donated a total of at least 10 BTC. It'd be better for you to earn interest on the 5 BTC somewhere until you're ready to pay 10 BTC. The forum isn't in need of money.
3357  Bitcoin / Bitcoin Discussion / Re: [VIDEO] Future of Money: Bitcoin and autonomous agents on: September 29, 2013, 05:20:11 AM
For some reason, I've never seen a talk by Mike before, but he's a really fantastic speaker! This kind of stuff is what makes Bitcoin really cool.
3358  Other / Meta / Re: [Feature added] Color besides usernames for Ignored by % of established members. on: September 29, 2013, 02:32:42 AM
smoothie was finally unseated as ignore champion! Jaroslaw was permabanned, though, so who knows how long his reign will last.

Code:
member established_ignores raw_percentage posts adjusted_percentage

Jaroslaw 174 .04720 727 .04708
smoothie 138 .03743 9022 .03281
MPOE-PR 137 .03716 4328 .03509
wopwop 132 .03581 687 .03570
ElectricMucus 132 .03581 6289 .03267
ChartBuddy 129 .03499 3119 .03357
zyk 114 .03092 411 .03097
Come-from-Beyond 109 .02957 2024 .02874
iCEBREAKER 106 .02875 1719 .02809
crumbs 96 .02604 1821 .02532
Walsoraj 85 .02306 541 .02303
eve 83 .02251 346 .02260
sublime5447 82 .02224 1676 .02160
bulanula 79 .02143 2961 .02009
TECHICENINE 78 .02116 302 .02126
Matthew N. Wright 77 .02088 6516 .01762
bonker 77 .02088 616 .02082
Ira H. Fuchs 77 .02088 40 .02113
subSTRATA 75 .02034 42 .02059
MysteryMiner 73 .01980 1474 .01927
Atlas 72 .01953 934 .01929
Coinseeker 72 .01953 975 .01927
nkspace 70 .01899 188 .01916
WaverleyStreet 70 .01899 78 .01921
becoin 67 .01817 952 .01793
puffpuffpass 62 .01682 190 .01698
gweedo 62 .01682 5255 .01424
lucif 60 .01627 1970 .01548
Maria 59 .01600 427 .01604
Viceroy 57 .01546 1843 .01473
bitrebel 56 .01519 928 .01496
cunicula 56 .01519 1998 .01437
3359  Bitcoin / Bitcoin Technical Support / Re: Is it possible to send multiple transactions at once with bitcoin-qt? on: September 28, 2013, 08:45:45 PM
It's in the lower left.
3360  Bitcoin / Bitcoin Discussion / Re: So what happened to Satoshi? on: September 28, 2013, 03:53:25 PM
He's really shy, so he doesn't want to be involved in Bitcoin now that so many people are involved (and very interested in him). He's probably working (alone) on some other interesting project now.