I know the feeling  I support you in either way, you're doing a great job. Thanks. Wipe it, start clean, and don't worry about it. You're providing a voluntary service, not a paid one, so no one has the right to complain, and a clean, perfectly working system is better than a messy patched up one.
Yes at least now at least now I can be sure the blockchain is completely consistent. I'm able to log into my wallet now, but it shows 0.00 BTC. I had some 8 or so. Will I get them back or are they lost forever?
Wallet data is absolutely fine, it is the blockchain that is screwed up. When it's finished syncing your balance will be correctly displayed again. ETA about 2-3 hours. All transaction fees have been removed from My Wallet, the service is now completely free. I am taking a bit of a break from development but will be adding advertisements to payment notifications at some point in future. |
|
|
|
|
Yesterday there was a problem with the database, I thought I had fixed it by importing a backup from a few days ago. But it looks like the script indexes are out of sync with the transaction indexes. I'm not sure what to do, I think the only option is to reimport the entire blockchain - but then all previous orphaned block data and ip address data will be lost.
I'm so tired of this, I'm supposed to be taking a break from bitcoin development for a bit.
|
|
|
|
Wallet seems to be having issues.  Apologies, should be ok now. Out of curiosity, why shouldn't your address lookup APIs be used for payment processing?
Because they include 0 confirmation transactions and in some rare circumstances unconfirmed double spends. |
|
|
|
|
Can someone point me to an address where this bug is occurring please.
|
|
|
|
|
Site will be up and down for the next few hours. Making some schema changes.
|
|
|
|
so they should appear in blockexplorer when it comes back?
No, block explorer never shows unconfirmed transactions. , so not a real hurry, just as long as it happens. Unfortunately there is no way to tell if it will ever happen, but if your not in a rush I would leave it 48 hours and if not try again. |
|
|
|
Blockchain.info removes transactions which have been unconfirmed for more than 12 hours - so that is why it appeared and disappeared. But if the node accepted it then it means it was signed and broadcast correctly, so the issue is probable with fees. I would suggestion trying it again with a 0.005 BTC transaction fee ( which is the minimum). It is possible that Eligius may still mine it as they accept transactions with lower fees. |
|
|
|
I see. But that leaves me in the dark about the cause!
I wasn't checking whether the outpoint of an input was null, so all newly generated coins were showing as double spends. It was a problem with the site, nothing to do with spinner. The bug was only active for a minute or two, before Rassah reported it. Down again?
Looks like tomcat may have stalled for a bit, a rogue spider is causing heavy load.  |
|
|
|
I assume you aren't planning to backload more accurate timestamps (e.g. the time from the block header) and that I should work around this myself?
Sorry no, I don't have any automated way to fix this. You could work around it by fetching the block and getting the correct timestamp. I suppose that is slightly better. It's still one factor authentication though.
The email has to come from the email address registered with the account and the Secret phrase can be as long/random as you want it to be. I'm open to suggestions for better ways to verify the true owner of an account, but this is an anonymous service so asking for any real life identification is out of the question. ----- There have been an increasing number of double spends recently. I'm worried this could be an attempt to exploit blockchain.info's liberal display of transactions. Any address page or transaction will now have a warning attached when a double spend is detected: https://blockchain.info/tx/591b3e1d38e928d35bfef19751da0377b16646ba8af482422d6a0983598da0b9q/getreceivedbyaddress may include unconfirmed double spends in some circumstances. You should not use this to process payments, or at the very least cross check with blockexplorer as well. |
|
|
|
Transactions per Day is going high - thats fine - or do you count all that payouts from p2pool-blocks to the users as one Transaction pro Reciver?
P2Pool payouts are counted as one transactions. I'm pleased to see it increasingly a lot lately, if it carries on this rate we will soon back at June levels. Good indicator imo. |
|
|
|
|
Ok were back. It started as what I thought was a bad firewall rule, but was actually a more serious failure of one machine. But everything is back online now and there has been absolutely no dataloss.
Again apologies for the downtime. Pool stats will be screwed up for a while.
Google authenticator support coming later today.
|
|
|
|
|
The server is ready to go again, but unfortunately i'm not going to make it back to the datacenter tonight. I could probably get the site online again with two servers, but then I'd just have to undo the changes in the morning + It's valentines night and i've got none optional dinner plans.
9:00 AM GMT tomorrow it will be back up. Really sorry for any My Wallet users who cannot access their account, if you are in dire need to make a transaction and don't have a backup let me know your wallet identifier and i'll send you a backup and instructions on how to get your keys into bitcoind.
|
|
|
|
|
The engineer told me that machine 3 wouldn't boot after being reset so I drove down to pick it up. I've got it at home now and it boots fine but there is something not quite right with it. When I enable the firewall it locks up, even though the rules are fine. I am going to reinstall the OS then take it back down.
Just to be clear there is no data loss, but this server acts as the "Management node" for the MySQL cluster and it site won't start without it.
|
|
|
|
|
Having a few problems with the Site this morning. In light of the recent hackings I was changing all passwords and closing any none essential ports - In doing so I've managed to lock myself out one of the servers. I'm waiting for someone at the colo to restart it now, should be back up in an hour or so.
Edit: Engineer has confirmed he is on his way, should be approx ~20 mins.
Edit 2: The engineer at the datacenter said machine 3 wouldn't boot after being reset. I drove down to pick it up and am having a look at it now. Appears to boot fine, disk repair says everything is ok. However when i enable the firewall everything locks up.
|
|
|
|
How is this any more secure than any other e-wallet that actually stores the users keys?
Because full server hacks are less common than database leaks. To have any significant effect the hacker's malicious code would have to go unnoticed for an extended period of time and it would only effect users who logged in with both their main password and second password during this time. You also can't make your own backup incase the operator ever goes AWOL. I'm not saying it is infallible, but it is better than storing keys. The first point about TLS doesn't apply, all content is sent over SSL. Also a secure key store is also not needed. Yes the runtime is malleable but it as not as easy to inject malicious js as that article suggests. Very little user provided data is printed on My Wallet pages and it is checked at multiple points for validity. Anyone is more than welcome to review our server side code for XSS vulnerabilities ( https://raw.github.com/zootreeves/blockchain.info/master/WalletServlet.java). The site is vulnerable to malicious browser extensions, if any are discovered I will act accordingly. The RNG uses the native window.crypto extension if available and is seeded with every mouse click and key press. I am dubious whether this can actually be exploited in practice. You can also create a watch only wallet and scan your private keys from a paper wallet in "offline mode", in this case you are protected from any malicious javascript and do not need to trust blockchain.info at all. How do i quickly enter 30+ character address into this thing? Manually? Should seller send me an email so i can copy/paste it?
You can enter the firstbits which are typically 5-6 characters. Native iPhone app will be available soon. |
|
|
|
Thank You for the good feedback. I still have big plans for it, wait until Split key is done then it will be easy to use and zero-trust. I suggest everybody else do the same. Desktop-based clients are a dead-end path. The browser is the inevitable future.
I think Desktop clients will still have their place. But the blockchain is reaching a size now where merkel tree pruning or an unspent ledger needs to be implemented ASAP. |
|
|
|
This looks pretty nifty. I noticed on that BTCServ hack that the small part gets spent twice to merge into a 40 BTC address. It would be useful to know what addresses payments get combined with as that may give clues about wallet (like a "back-link" on an address). I have no idea how it could be fit in a diagram because it would get "hairy" fast.
My hypothesis is that the coins change hands at the 40 BTC merge as the ip addresses switch from Germany to U.S. Maybe you could hover over a node to show any new inputs. Also the "Purity" of the coins (i.e. how much they have been mixed with the other transactions) could be represented by the thickness of the line. So, that means the hacker either is close topologically by default or has added manually BTCServ IP as a peer? If the hacker is manually relaying thru BTCServ that's a bit like rubbing salt in a wound! Or another interpretation is that it's still controlled by BTCServ, though obviously not provably.
Or maybe the attacker sent some change back to BTCServe for some reason. I guess no matter how good future tools like this get it will still be almost impossible to prove anything. |
|
|
|
|
Show Posts
