Hey great that Tosaki ]I[ is so talkative  |
|
|
|
Any Bitcoin-Related Android App might just sit there, waiting for the next 0day to become available to wipe all my Spinners, Myceliums, Schildbachs, MtGoxes that have more access than the app originally asked for. A criminal could empty all these in one second with code he introduces in the next update and that is triggered by a timestamp. No prior wrong behavior can help you assess the security of this app.
I think your right. It might help if the other Apps (Spinners, Myceliums, Schildbachs, MtGoxes..) are prepared for unauthorized access. For example by an encryption process besides the default android internal storage one. But to be realistic: I use Mycelium and the fact it is open source makes it about 1% safer than your app as I doubt that more than 1% of the users actually compiled it themselves. I don't know if there is a way but theoretically it should be possible to sign an app with a merchant key and still allow others to review if the APK is in fact compiled from the open source code, so with updates that don't come from the repository could sound an alarm with people who prefer using the market.
What if you compiled yourself, but didn't read through the complete source code? Did you check the checksum after downloading? What if the server got compromised and the checksum is already up to date? What if the server checking the key gets compromised too? Maybe you read the code but didn't find the security hole? How do the most open source projects check, what and by whom is checked into the repository? Is there an established process / guide line for doing that? 1% more or less security is for nothing if you loose your bitcoins. :-/ maybe we shouldn't use anything at all. :-o Google (Mike Hearn? Ping!) should have a feature to distribute trusted open source apps. Some mechanism where they directly upon request by a maintainer pull the head of the master branch from a githubcode.google repo. Sure, I don't read all the code but: If a repo lays untouched for months on github I feel quite confident some other dev would have noticed malicious revisions, so as I generally trust github and their timestamps (I wanted to check if you can fake these), I feel safish when I compile from source. |
|
|
|
Here is one thread that has info about this: https://bitcointalk.org/index.php?topic=242335.0There are several others. The forum's search function isn't too good. But if you google the 3 terms bitcointalk.org selling accounts you will find others. Most likely google will find you anything but complaining about something and leaving it to the readers to google it really sux. If I take the time to rise awareness of some subject, I should also take the time to at least provide one link backing my point. What is the forum officials/theymos' point on that? Where does he state his point? Why is it a problem? Sure, google can find that but I got lost an hour on the meta forum reading other stuff thanx to this unspecific post. |
|
|
|
If the seller has not read the order, all bitcoins will be refunded immediately.
That's great to know! Kind of "no harm done"-policy, although "no harm done" is not quite right if it was auction style. If I don't like the price reached, I ask my friend to outbid and cancel? Please at least add one condition like 24h for auction style. We
Ah, so today you are the ""official"" Tosaki? Mind putting something into your sig or name or whatever. With services constantly changing owners it gets a bit confusing else. We will also refund orders when the seller has not set the order status to "shipped".
I normally set the status shipped about hours after visiting the post office (and maybe meeting friends and coming home late), so I would be quite pissed if a transaction "never happened" just because I didn't set it to shipped while it was still in my hands, which is technically lying. |
|
|
|
boah! please! Now we have one OP complaining about a post he didn't link with an answer with a link to a thread without a link again! What do you smoke??? "I read that shooting my neighbor is now perfectly legal. Please explain, why! I'm seriously shocked!" |
|
|
|
Mike thanks and keep up the good work. You are very dedicated to let us know what's going on and I love that. We need people to teach others about the bitcoin and while all people registered here to the forum consider themselves experts of bitcoin in front of their families, there's only some 0.1% who actually know the code and details and can teach the other experts about these fascinating details. (What I miss a bit is some teasers to actually get my hands dirty. I saw links to the code maybe twice. I'm pretty sure that more people would get involved in working on the code if there were more invitations like that. After all there must be tons of developers on the forum dedicating their brainz to other stuff, like posting on the forum  ) |
|
|
|
|
if i trust a person i look at his links. when the first thing i notice about a person are his links, this is bad for my trust. Forum activity: 5 Sig: donate me here, get free bitcoins there .... wtf???
therefor my slowly curated list of links is one ad for my baby an other bitcoin stuff people should know about.
|
|
|
|
|
Any Bitcoin-Related Android App might just sit there, waiting for the next 0day to become available to wipe all my Spinners, Myceliums, Schildbachs, MtGoxes that have more access than the app originally asked for. A criminal could empty all these in one second with code he introduces in the next update and that is triggered by a timestamp. No prior wrong behavior can help you assess the security of this app.
But to be realistic: I use Mycelium and the fact it is open source makes it about 1% safer than your app as I doubt that more than 1% of the users actually compiled it themselves. I don't know if there is a way but theoretically it should be possible to sign an app with a merchant key and still allow others to review if the APK is in fact compiled from the open source code, so with updates that don't come from the repository could sound an alarm with people who prefer using the market.
|
|
|
|
Trust in what sense? I think most noobs even trust bitcoin in the sense that "we" can't just print up more money. It's pretty easy to build that trust because everyone should be able to see that this would've happened a long time ago if it was possible.
Everyone (including us) has some "trust issues" when it comes to bitcoin holding its value in the future, though. This is also easy to understand by looking at an exchange rate chart.
I think he was referring to the fact that we all know how to trust a bitcoin transaction where as most people don't know how to verify and trust a dollar transaction yet they trust it implicity more than any bitcoin transaction. Yes. Thanx. |
|
|
|
Thanx for linking me to the bitcointalk profile that was traded at least twice, which fact my post was a sarcastic reference to. |
|
|
|
Tosaki needs to spend some more money on better hosting.  Which Tosaki? |
|
|
|
Proposals for MYCELIUM feature improvements (in no particular order): (feature (3) is particularly important I think to allow having full control of your keys when spending...was mentioned before in this thread) (1)- Settings: Allow specifying a PASSPHRASE that will be used when exporting a priv key, which will then be AES256 encrypted, preferably using an algo that makes the exported encrypted key also decodable by a standard linux library function like ssss (and say in docu which one) or other open source tools. Of course importing such passphrase protected keys shall be possible, too. Note that the passphrase is for protecting the exported keys, not to be confused with the PIN used to protect the app (and the priv keys) on this phone. (2)- Include a possibility to sweep in keys (e.g. from a btc voucher) and transfer the balance of the sweeped-in key to one of the own keys, then move the sweeped-in key to list of sweeped-in keys for your records. The default label for this sweeped-in key is the date&time. (3)- Support three ways how to spend (send) bitcoins: EITHER send normal (input keys and change addresses will be selected automatically by the app), OR send by scanning priv key from paper wallet w/o saving that priv key to flash memory (change addr = that key itself), OR send from user-specified key(s): open list of the keys with checkboxes on the left and radiobuttons on the right: So user has to check all keys to be used as input for the following transaction, at least one. At the top of screen show the nb of currently checked (=selected) keys and the cumulated balance of all so-checked addresses=max amount to be spent. On the right-hand side the user must select the change address by the radio buttons (exactly one address, hence radio-buttons instead of check boxes). (4)- Settings: Allow to specify the default tx fee (and also allow to set/modify the tx fee in the actual spend dialog) (5)- Settings: Allow to specify language, like in bitcoin spinner. Many users prefer english instead of a bad translation, sometimes also because translation strings are longer and lead to malformated screen output because less thoroughly tested (so happened with bitcoinSpinner for me), so always good to be able to select the language of the user interface. (6)- Separate the addressbooks: (a) own addresses (with or w/o priv keys, like in mycelium v.0.56) (b) addresses where I am sending funds to, i.e. my normal "list of contacts/friends/business partners/..." (c) watch addresses (like (b), but showing the addresses' balances from the blockchain. These addresses can be grouped hierarchically in "watch-only wallets" and can be input in bulks by importing txt files containing a list of addresses separated by comma or newline. (d) The list of sweeped-in keys (see item (2) above) can be considered a 4th kind of "addressbook". (7)- Possibility to export (and of course also to import) the addressbooks to a txt file that is human-readable/editable. (  - Settings: Standard mode or Expert mode. Standard mode hides many options like "multiple keys" or "watch-only keys" or "addressbook (c)/(d)" or sweep-in key feature (2) from user interface. Only the expert mode opens up the full features. Advantage: App is easy to use for beginners/"normal" users. But for users wishing to use all features and to be able to manage all keys and have full control, it is possile with expert mode. The default, after installing the app, is the standard mode. (9) Support of protocol for Electrum Server approved. I like that list  the sending address window could have one more option though. Consider I want to pay 5BTC and have 5 addresses with 1.2BTC each. I want to be able to select the 5 addresses but return the new BTC to a new address, leaving me with now 5 empty (sweeped, not to be used again) addresses and a new spending address that I might or might not receive funds to. This way Mycelium would at barely any extra costs (for the client) have a comparable anonymity as bitcoinqt. |
|
|
|
In retrospect looking at the evidence it's highly likely he didn't get the bills from the atm and instead slipped them in the stack. However since I didn't check at the time I can't prove anything so I give the buyer the benefit of the doubt.Honestly since it was only 40$ I don't really care enough to try to press charges I just kindof took it as a lesson learned.I just left some questionable feedback to encourage other sellers to check their bills and bought a 15$ counterfeit pen with a uv light. Already did a deal today and the buyer had no problems with me doing a quick mark check on the bills it takes no time and isn't expensive.
Impressive! So the scammer risked years in prison for $20? Tough shit. It's ironic how we all know way better how to trust a bitcoin than how to trust a paper bill, yet everybody else trusts paper way more than our funny money. |
|
|
|
Because you're spreading fear of money being lost to one of the guys. Ooops, one of the guys is you... ok, that changes the picture a bit. Sorry.
I don't "spread fear". I let Tosaki know that there is fear of loosing money to a platform that never ever should have held that money in the first place to make him consider alternatives. Just as SatoshiDice has provably fair gambling, why not have a provably fair auction platform aka an auction platform that can't run with your money? It would be a huge first and I bet it will be the future. The minute an auction platform comes up with this feature I will switch to it in a heart beat as loosing money to whoever "tosaki" is today is my biggest concern with bitmit. And I don't even have sums at stake like those 15Ƀ we just read here. |
|
|
|
Sorry that it takes longer than expected to bring the site back online. We are forced by our hoster to setup ddos protection service and hoster is setting up relocation of server.
in times like these (where emails to your support bounce) - it really would be helpful to tweet http://twitter.com/bitmitnet an update, or post something on your FB page. or post something here. why these walled gardens? this forum is publicly readable. |
|
|
|
|
Tosaki did you look into microtransaction channels? I hope you soon offer escrow without third party risk, at least for those people willing to use a software that allows this. I'm sure you would get huge support both in man power and in cash to develop a solution suitable for your service if you make it open source.
If you are an honest person you should have no interest having all this money laying around on your server or in cold storage and with a mechanism that allows you to negotiate payments that can at your server's discretion only go to the buyer or the seller with in the latter case a fee for you, there would be much less an incentive to hack you than there is now.
|
|
|
|
I really need Bitmit to come back up soon. I have 15 Bitcoins in escrow from a sale I made that I need.
What's the ETA on this? Thanks.
Sounds like one of my orders - hope that you have already shipped!Oh, so I hope the money lost in escrow is legally yours, not mine lol! ftfy you're mean Why? He's mean! "Hope you already shipped" means "I assume that the probability of not getting your money soon would have made you not ship the good, neither. I hope you missed the fact and sent anyway, making you the fool who waits for his money, not me.". Why exactly am I mean? |
|
|
|
Why do you keep saying XBT when almost everyone uses BTC?
XBT, BTC, Ƀ, these are all the same thing and you should understand them. The one that gets used most, will win in every day life. Some argue that XBT will win as the rule for non-governmental money is X… like in XAG and XAU. My fav is Ƀ as it's easily typed once you know the code ctrl-u + 243. BTC is good, too. XBT it will be if the others insist in it. Just be easy with whatever and please don't insist in your choice being the best. Time will tell. |
|
|
|
Hello, I've just started looking at LocalBitcoins.com for an online buy funded from within the US. I'm having a little trouble sorting through and understanding all the available funding options, and their costs. I see many funding options listed - including OKPay, MoneyGram, Western Union, bank transfers from specific banks, etc. Is there somewhere I can easily find out more about the cost and restrictions of each funding option, without researching each one individually? I'm a little overwhelmed by the funding options. I've tried doing the research myself, but some of the funding options (like MoneyGram) offer different services at different fees. I'm not sure even which service is correct. Sorry for the noob question, and thanks in advance for any helpful response Here's a suggestion: Try to find someone local on localbitcoins.com and meet him. Most traders doing local trades are friendly guys who are also happy to explain stuff to you. They want to spread the bitcoin love. You pay him cash and he'll give you bitcoin (you don't have to use localbitcoins.com wallet or escrow). If you have a smartphone or laptop, you can have a wallet on that und receive the money directly... a lot less complicated. (Don't give him the cash before your wallet says: "1 confirmation" as a precaution). Fun fact: two of the people I sold bitcoins to, came without a clue about bitcoin, so with one I went to an internet café where I helped him set up a hosted wallet (telling him 10 times how bad an idea it is to do that in an internet café but for demonstrative purpose at this small sum, .. blablabla) and another listened to how bitcoin works and we agreed for him to mail me an address once he has a wallet set up. I could have stolen the cash from both, easily and I know there are people that would, so be careful. Else I agree that most people are very very friendly and talkative when it comes to bitcoin. |
|
|
|
I really need Bitmit to come back up soon. I have 15 Bitcoins in escrow from a sale I made that I need.
What's the ETA on this? Thanks.
Sounds like one of my orders - hope that you have already shipped!Oh, so I hope the money lost in escrow is legally yours, not mine lol! ftfy |
|
|
|
|
Show Posts
