This is false.  JAuth and other OSS software are available for OSX, Win and Linux to use the Google 2FA framework.

There is no device based excuse not to use 2FA.


The problem here is that there is no notification about *how to use* 2FA, including any links to needed software, on GLBSE.


This gives the wrong impression just like both you and I had about 2FA.  I didn't turn on 2FA on GLBSE because I don't have a smart phone.


Terms of Service doesn't mean someone isn't negligent.  It's just that they might not be legally responsible for being negligent.

Does anybody have a quick link to info on the 2FA?

Hey - there was a theft on the service and Nefario has refused to provide any information about the thief - he basically did nothing!
He didn't even give the name of the account that "bought" the 2443 of ASICMINER assets at 0.00021 BTC!
Not to mention reverting the transaction - c'mon, how hard would that be?
Considering the above, every sane person would assume that he was actually involved in the theft.

But since the topic says "GLBSE 2.0 open for testing", to prevent my post from being deleted again because of an alleged and ever valid reason of "off-topic", I will suggest at the end that maybe it was a bug that Nefario should investigate?

Ok.

I am the victim of the ASICMINER theft.  My nature is not to sling sh*t around - particularly when a hacker gets in and no one can definitively point out the method used for the hack.

Also, GLBSE is a great enabler of Bitcoin denominated economic activity.  Props to Nefario for that.

I am only responding on this topic because I see that someone feels just like I do.  Someone takes a loss of thousands of dollars and no one cares to do anything about it if it would only cost ~30 BTC to revert.

With that said I'm super pissed.  Yes, I'm super pissed at GLBSE.  I am also pissed at myself for not doing the right thing and taking pro-active measures to prevent account compromise by enabling 2FA for both login, transfers and withdrawals.  You are not protected from session attacks if you don't enable 2FA for every single GLBSE activity.  Do it.

Since the compromise of my GLBSE account I have set up all sort of IP logging activity just to review and verify that I'm not on a Botnet or compromised by a trojan of any sort. 
My system is quiet.  Nothing unusual. 

3000 shares of ASICMINER asset were transferred to me on 8/23.  An hour later I logged in to web freenode #bitcoin-otc.  I cannot say for certain whether I manually killed my GLBSE session.  I do know that no browser window was open to GLBSE.  I remained logged in to #bitcoin-otc for a few hours.  Later in the evening people were posting of a dump of ASICMINER asset.  I logged in to GLBSE account to find the asset liquidated for ~ %1 of it's value. 

Absolutely nothing occurred on that day out of the ordinary other than visiting freenode.  I have relatively few apps on the system and less running at any one time.  I am not a security expert, but I take precautions and I've never been infected in any obvious way or by report of antivirus or by any insane amount of TCP activity.

So, what I had suspected and with Nefario also pointing out the same possibility is that I was a victim of Session Fixation.  Someone hijacked my GLBSE session.

Nefario's position on this is that attacks of this nature, Session Fixation, are not the responsibility of GLBSE, but admitting at the same time that additional security precautions could be taken on the GLBSE web application side that could make it more difficult to accomplish session related attacks.

At this point I did two things.  Looked up Web security whitepapers.  Found one stating "Session Fixation, ultimately, can only effectively be countered by the Web application (which would include the client side scripting) in how it controls session generation and invalidation."  Ok, fine.  At this point I'm thinking if I close my browser window what happens to my GLBSE session.  If my session was hijacked that would have been the obvious way to get in.  Opened up my Chrome console and looked at the session ID's.  Session ID's persisted across browser windows with a 48 hour browser side expiration period.  Of course, there could be a shorter session expiration period on the web app side.

Two thoughts occurred to me.

Why isn't Javascript used to invalidate sessions when the DOM for the page destroyed?
Why isn't 2FA a requirement for every single GLBSE activity?

I'm angry because it's entirely too easy to commit fraud and get away with it in a system of Bitcoin and GLBSE that allows or enforces anonymity and instantaneous transfers. 
The feeling I got from the incident is one of "use at your own risk." 

5. The Users of the Exchange take full responsibility for their own actions, and any consequences resulting from those actions. It is the Users' own responsibility to determine the risks involved in depositing funds with the Exchange, creating assets, executing trades, or any other activity or action related to the use of the Exchange, or any of its current services.
6. The Exchange is currently beta release software, and as such the Exchange assumes no responsibility or liability for any losses that may be incurred if the Exchange is taken offline to deal with any problems that may arise. The Exchange makes no guarantees as to the correct functioning of its services until it is removed from beta release, although the Exchange will do its best to ensure it is functioning correctly. The Users use the Exchange at their own risk.

Yes!

161gEQewAVp6CFnoY5198vHchrbWLQytG7

I just looked him up. I wouldn't have invested in him. I only invest in funds that pay regular dividends. I watch to see that they have paid dividends for a long time without missing one. I also pay attention to detail. You can tell a lot about a person's character by how much effort they put into the little things: how much care they put into their website, developing their Google spreadsheet etc. There are always a lot of clues. In the end, I trust my instincts, but I feel pretty confident that I can spot a person who is sincere versus one who is not.

Doesn't it bother you Nefario that people access GLBSE though CloudFlare, which creates a technical risk of a man-in-the middle attack, since CloudFlare has access to an unencrypted connection?

I mean, I do understand the reasons and all the advantages of using CloudFlare, but I am wondering about your reasoning to trust this specific service.
As much as I do trust you, I wouldn't want to discover one day that my money has been withdrawn to a different address from the one I entered into the form and there is no way to prove it...
I hope you understand my concerns.

It is highly unlikely that all (remaining) users agree to a partial payout. Especially after some are repaid in full. Time is ticking. Bitlane's refund was due last Friday, which triggers Vandroiy's bet Friday next week - 2 weeks grace. (Matthew's bet started counting from Monday this week and will resolve at September 10th tops - 3 weeks grace).

Then you should have read Matt's rules before betting with Matt in Matt's thread.  Too late now, you're in.

Post in this thread how much you're committing and I will double that amount you commit (maximum of 10,000BTC in bets allowed in this thread total) if Pirate does not pay out in 3 weeks as he described in his thread.

The moment your account is closed you’ll receive your coins plus any interest accrued up to the hour it was sent.

This is difficult to clarify, but I'll do my best in good faith:

If he owes 100% and only pays back 90% without agreement to investors, -that- is fraud and a failure to pay back. I would obviously lose the bet.
If he owes 100% and only pays back 90% but the investors agreed to it, -that- is the agreement and therefor he has paid it back. I would win the bet.
If he owes 100% and pays back 100%, I would win the bet.
If he owes 100% and does not pay anything anything back, I would lose the bet.


I'm trying my best to be smart about my clarifications, but if you need any more clarification, please ask and give examples so I can better explain. This is all on good faith of course, I don't want to get into legal arguments "But you said if he paid back on 12oclock and that was EST not KST" and other bullshit. This is about whether he is a scammer/ponzi or not, not about whether you can cheat the system for a cheap profit.

I can't help but feel this entire thread is just a way to see if people, fresh off of losing money to Pirate, will once again risk large sums will no proof that the counterparty has the ability or inclination to pay other than some vague handwaving.

FAQ
Many people asks us why we don't offer the same as other mining operations or requests something different, basically wanting more mining bonds. We are simply not offering bonds, but an alternative. We will try to explain why we chose that structure. You can judge whether that makes sense to you and if it is what you are looking for.

Q. Why should I wait for the equipment delivery when I can get hashing now? Why should I wait for returns?
Answer: Because you are actually buying the equipment with others. You have a right to 100% of the equipment's sale if it is voted to be sold if and when people want to stop the operation. You get lower administrative fees and better advantages that way for waiting some time and pre-funding your own equipment instead of buying a fraction of a current mining operation.

Q. Why 40% reinvested? What if I want 100% proceeds? Why not issue more share to replace equipment and just give people 100% of mining now?
Answer: Because under that model, we would get more and more shares for simply replacing the equipment, basically keeping the same hashing power for a growing amount of share while still having to sell as many shares at the same price for each replacement. Shares dilution would occur and the operation would die out since people don't pay for the replacement of the equipment power associated to their shares. Getting new shares sales to pay for the replacement of the hashing of your old shares would not be right. Equipment needs to be replaced and extra equipment added for the shares to gain value and the operation to grow. You also need growing hashing power to compete with increasing difficulty.

Q. But other mining operations offer 100%+ Perpetual PPS paid right now! Why would I need to reinvest 40%?
Answer: You get 100%+ PPS on a specific hashing power from current miners' hardware who would then buy with your funds more hashing power then you actually bought with it. This extra hashing they buy is usually an undisclosed amount on which they get their profit and pay for the replacement needed to keep it a perpetual bond. You get 100% of the hashing they agreed to give you. With us, you know the fees are a low 10% because it is a service we provide and you funded the equipment in advance. Although the dividends are a bit lower, the 40% reinvested is all equipment that is added to YOUR part in the hashing power. It's a long term investment with a growth plan. Look at the planned numbers here: Expected hashing and returns

Q. It looks interesting, but I am afraid others won't buy or like it. What if shares don't sell fast enough and my funds are withheld for a long period until we can purchase equipment?
Answer: There's a maximum period for the IPO of 2 months (Ending June 23rd).* .