The scheme is so standard from pgp, gpg, bcrypt, truecrypt etc it should be obvious.


The password (or in this case, passphrase) is as secure as the user chooses. ANY is better than none, because even a weak one needs some effort and custom tools to crack.


Then, write it down.


So you put lots of money in a bitcoin wallet and then don't use it?

People tend to be careful when it comes to money. If they aren't, they only have themselves to blame. I can't see how other peoples' idiocy is an excuse to hinder my security.


The first sentence makes no sense whatsoever. And I don't care how vast his network is, he is not going to crack my password in the remaining lifetime of the universe.

Nope, apart from Oracle Java we are all open source. Linux/Eclipse/gcc/PostgreSQL/Apache/Tomcat etc...

English is not my native language, though.   

Sounds to me like you have split the business logic between the DB and the web server? I guess you could call that increased security, but I see it mostly as a complication.

An ecommerce project I've been working on for the past couple of years has 3 layers. The DB is separate from the business logic which is separate from the web app... The BLL isn't internet accessible, and the DB isn't accessible even from the web server at all. The BLL and the web app talk to one another via an XML API.


The DB is probably doing most of the work anyway, so are you sure it's improving performance?

Jesus, how hard can it be to understand.

unencrypted :
- thief steals your hard drive : wallet.dat up for grabs be it linux or windows or w/e
- thief hacks your PC : wallet.dat up for grabs be it linux or windows or w/e
- get a trojan : trivial to add a couple of lines of code to an existing one to steal wallet.dat
Average time needed to steal all user's coins : microseconds

encrypted:
- thief steals your hard drive : thief more or less s.o.o.l
- thief hacks your PC : thief needs to grab wallet.dat, install a keylogger and wait patiently until user makes a payment, which could be today, next week, or never
- get a trojan : needs to target Bitcoin specifically and wait until a payment is made as above
Average time needed to steal all user's coins : days to weeks

FWIW, there are ways to evade the most common keyloggers. KeePass, for instance, has implemented one such system: http://sourceforge.net/projects/keepass/forums/forum/329220/topic/4198801

Also, AFAIK, encrypting wallet.dat doesn't prevent you from doing any other security measures you might find necessary.

NOT encrypting wallet.dat means that to be safe from the kids' friends, 0-day exploits and the occasional 'oops, shouldn't have downloaded that' you need some sort of security scheme, which probably involves encryption and passwords anyways. And how were you going to spend coins without unencrypting the keys, again?

The $10 psychological barrier is big... But I think it's probable that we'll see $11 - $12 in the next couple of days. I don't think the big sell-off has even started yet. A lot of miners out there who need to pay their installments.

121h and counting... Hashrate seems to fluctuate a lot between 12 - 18.

It actually showed lowest ask 15, highest bid 17.51 at some stage. Weird.

Now it's starting to look normal.  16.99/15.02

Takes minutes to get to the trade page. Looks like their database is crushing under the # of users.

Not really. Bitcoin has a lot sexier name.

"Namecoin" is awful.

Great project!

Btw. "but only recently have exchange marketplaces exchange marketplaces" ?

Who need anonymous, decentralized DNS?

How about:
Sites like Wikipedia
Chinese freedom of speech sites
Muslim women's rights organizations

Then, who do you think might like almost free DNS?

Yet there is a demand for domain names.

See, the general public don't need to understand the inner workings of namecoins any more than they need to understand the inner workings of, say, a web server, to browse the web.

All that's needed is demand for namecoins. Whether or not it's there, no one really knows yet.

1. Somewhere between $1 and $100
2. I expect Bitcoin price to get more stable over time. I think the possibility of a complete crash is close to 0.
3. Yes. If I had $10k to spare, I'd invest at least $500 in a heartbeat. I'd never invest all of it in just any one thing, though.
4. I think we will be seeing prices between $10 and $20 for a while.
5. Once mtgox opens, I expect there to be a short term dip in prices, which is when I'd buy my first $500 worth of coins, in small batches (hopefully getting a pretty good average along the bottom of the curve), and then take it from there.

Think Wikileaks.

Also, I think the idea is that eventually it'll be almost free (though free market laws would still apply, I suppose).

You could still argue it has more value tham Bitcoin, since namecoin = bitcoin + dns.

Initially, I thought it might have more staying power than Bitcoin, but obviously that depends largely on the publicity it gets. Currently, it isn't getting any.

You're 100 % wrong. It is VERY important to take people who talk about suicide seriously.

Almost everyone who ends up committing suicide talks about it beforehand. It can be for a variety of reasons, but it's generally thought of as the last desperate call for help.

Also, compared with the rest, people with a history of depression are orders of magnitude more likely to commit suicide. Roughly 15 % of people with diagnosed depression end up killing themselves.

It is very important that the OP's depression is treated. That should be the #1 priority. Even if he's not yet too serious about what he says.

Namecoin will skyrocket if one or more of these happen:
- someone (maybe bitcoin/namecoin collective) buys the .bit tld so it works universally
- an easy way to enable .bit support for the major OSs is created (some sort of installer, probably)
- some high-traffic porn/torrent site start to use a .bit domain

Prepared statements, yes, stored procs, NO.

SPs never really increase security (unless you are talking about the DA's job security), but they do complicate the design. Therefore, you shouldn't use them "just because". Most apps these days use some form of ORM and a minimal set of sprocs, if any.


Security though obscurity isn't real security. The hacker isn't going to look at your headers and then run a specific exploit script; they'll just run them all and then some. My Apache logs are full of attempts to exploit IIS vulnerabilities, every day.

Also you can't really expect the client to honor any particular headers, either. (You should still use the security attributes, ofc, just don't count on them working).


- Don't invent your own cryptography.
- Use the Unix crypt scheme with a NIST approved algorithm for password hashing.
- Require strong passwords.
- Introduce some sort of one-time password scheme in addition to the static one.
- Don't do wish-it-was-two-factor. It's just unnecessary if not embarrasing.


There is no need to purge anything if you follow a proper release managment process.

You should have at least three different environments: development, QA and production. Dev never sees the production data, and it's where you do all your development and most of your analysis. QA is a replica of the production, used for testing the releases before moving them into production. QA can also serve as a backup when production goes down.

You can have different kinds of access schemes, but basically only a select few should have any type of access to production (or QA) DB or OS (or even apps).


You could use a 48+ hour average or something.

There could be rules to detect suspicious activity (sudden spikes in volume etc) which could trigger safety measures, such as seizing trade and withdrawals completely until the activity has been audited.

They keep changing the location to confuse the hackers!

Dictionary words are always a bad idea, even though you are correct that length does always make a password stronger.


Don't.

There's a huge difference between having to brute force through 65^n and 95^n. Though you don't really need that many. The passwords that I need to type often look like bab+ef+qeo+feo+F9!. It's still pretty fast to type. Most of my passwords are KeePass generated, though...

You should change your bad ways.

36 here fwiw. Good age. I have friends from 17 to 70 and nothing feels weird.