Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!
Holy scam warning Batman! Goat, why didn't you create an alias email account with an outrageously complicated password when you signed up for GLBSE 2.0? You're honestly saying you use the same email/password for multiple sites and have been doing it for years? I find it hard to believe that anyone in Bitcoin could be so naive. You hold thousands maybe tens of thousands of dollars in other people's money and you reuse a commonly used email address? I apologize, but I don't believe you are that stupid. You were around for the MtGox email address hack, you know better. This seems like either A) you setting up to scam everyone and not claim responsibility or B) you trying to create a panic in all your holdings so that you can buy them back for cheap and keep the profits. For someone with 4 listings on the GLBSE, I find this incredibly irresponsible. THIS WARNING seems to be a lot more relevant now. I would hold off on the speculation for a while. We must allow Goat a reasonable amount of time to comply with the requests. Nefario. |
|
|
|
I tried to setup online banking but it failed, said my details where wrong. I double checked my details and they where fine. I guess I'm going to have to email my bank.
Is it safe to still use the Lloyds method?
Not sure, even when Lloyds was working you're funds were lost in limbo for a week or more, it's a major reason why we moved to MetroBank which have been great. |
|
|
|
What's the easiest way to deposit to a Metro account if you don't live in London?
Online banking. This, it's really good. The most annoying part is the horrible two-factor authentication you have to do to get into your own online account. |
|
|
|
Good news everyoneAfter a lot of hard work by Patrick, deposits to our UK MetroBank account get processed on average every hour! So we heartily encourage all our users to make use of this excellent service by making deposits to MetroBank. If you're not an Intersango user, head over and give us a try, we have the best customer service and top security. Don't forget your reference code when making the deposit, and if you have any difficulty figuring out what to do, please refer to our most excellent tutorial on how to use Intersango.If you have any questions about ANYTHING, please feel free to ask or contact us at our support address: support@intersango.com
|
|
|
|
|
I'm going to add Yubikey support soon, next few hours.
likuidxd makes some very good points, security is everyones responsibility.
I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.
If you want to be able to recover your accounts via email then you need to secure those as well, there is not other way around it.
|
|
|
|
|
I'll look into adding one of these systems quite soon, keep in mind that GLBSE has never had any breakins so far (fingers crossed).
antirack, already had a look at DuoSecurity, the free system is limited to 10 users, then $3 a month per user
I might end up making my own as I've been looking to get started building for android for some time, and finally here would be a good reason.
Nefario.
|
|
|
|
I could also add GPGAuth as an authentication method http://gpgauth.orgHowever there is currently only a plugin for Google Chrome and no ruby server side implementation(which means I'd have to create it. So it's an option, and one I'd happily support in the current system, just not an immediate one. |
|
|
|
How difficult is it to support (optional) GPG encrypted e-mails? This is one feature I wish all services adopted.
If I remember correctly, when I was starting with GLBSE1.0 the initial crypto development it was quite a pain and something I had trouble with, it's certainly doable |
|
|
|
|
I've added captcha's to the login process.
Regarding two factor auth, this is tricky.
Actually it IS something I'd like to implement, however in it's current state it's quite pricey.
I think the only method I can think of would be to have an android app that sends a hash of the users phone number and pin to the server for a verification code or something like that. I need to look into it.
|
|
|
|
"Security questions" are often the weak point of many authentication systems. If indeed all it takes (I don't use GLBSE) is to know your birth city, that is clearly insufficient security. Ask about first pet names if you must have security questions at all, but leave biographical data that can be scraped from facebook out of it.
I'm certainly not going to be doing that. |
|
|
|
|
Regarding lost keys from 1.0
I spent A LOT OF TIME, dealing with this issue, a lot of people lost their keys, as a result the security of the system as a whole was reduced as without the keys people were unable to recover their accounts.
Cryptographically the system was really well secured, sadly people didn't look after their keys so it didn't work.
|
|
|
|
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection. You can take your password and encrypt it exactly like you encrypted your private key if you want. I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it. Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened. I can keep my password safe but he forced me to use an account that was not safe. To get the password to that account all you need to know is what city I was born in. Had I known that this feature would have been implemented I would have never used that e-mail address. Hell I doubt I would have even signed up. What do you think the title of this thread should be? I am open to changing it if you have a better idea. Just pm Nefario and ask him to change your email address? Why this drama? The drama because I've locked his account and asked for ID verification. His reply: I had also told him about a policy I'd like to implement, reducing the number of assets a single account/person can create, although I think that can wait until another time, certainly until this gets sorted out. I'll unlock it as soon as he provides this information. GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
This is complete rubbish, Chaang is using Gmail, which itself uses two factor authentication, and is as secure as any internet connected system available. It's weakness are the users, their choice of password (password strength) and whether they re-use that password. A strong, single use password is as good as it gets without adding two factor authentication (something I'm researching). Keeping in mind that all other exchanges and most other websites do the same, username/password, account recovery through email GLBSE2.0 is not exceptionally more or less secure. I'm a very reasonable person, and I find it unsettling how quickly this has been splashed across several threads on the forums. About 5 hours after I emailed him asking (asking, not demanding) for proof of identity, in a clear attempt to pressure me to unlock his account. Nefario |
|
|
|
Perhaps the GLBSE could allow companies to put up money to be bonded, similar to how companies are "bonded and insured" to protect against losses. In the event the company disappears, the money in the bond would be distributed to shareholders.
The bond could be rated as a % of total funds raised, to keep the massive companies from raising 1,000 BTC and appearing "bonded" by putting up 1 BTC.
My offline business is required to carry a very large bond, and it tends to discourage 'fly by night' companies from getting licensed and bonded to provide bad work.
Nobody liked my bonded by the GLBSE idea? i like this idea very much, as long as it is not extreme. Nefario, this would be fairly simple to implement from your end. You could give each ticker a unique address that you control and the amount would be displayed via the blockexplorer link: http://blockexplorer.com/q/getreceivedbyaddress/ENTERADDRESSHERETaking it a step further, you could have a script that calculates the total amount of funds raised by the company via sales (minus buybacks) and give a % of funds bonded by the company using the blockexplorer number above as an image on the company asset page. That would allow company owners to send funds to the bond at any time and have the bond % updated in real time. It would all be automated and would require little ongoing effort on your part. ( http://blockexplorer.com/q/getreceivedbyaddress/ENTERADDRESSHERE) / (share sales - share buybacks) = Bonded % I'll certainly consider this, would be 1 or 2 weeks before it's added. What I would also like to see would be insurance, allow share issuers to buy insurance, and shareholders to do the same. |
|
|
|
|
GLBSE has been updated to allow account recovery/password reset via email.
Please make sure you're GLBSE accounts have good passwords and your email accounts are secure. If your email is compromised then so will your GLBSE account.
Nefario.
|
|
|
|
so i changed my account to 2.0 and now i forgot my password  i miss the send me my passwort button  We now have an account recovery option, beside the login form. Keep in mind now that this means that if your email account is compromised, then so will your GLBSE account, and we will bear no responsibility for this. Nefario. |
|
|
|
-there should be an button to generate a new bitcoin address instead of it generating on its own. You should see a list of all your deposit address and be able to see the deposit history for each address
-lines around text boxes
-limit ticker length 5 chars? (before the .suffix if there is one, so ABCDE.ETF etc..)
-account history
-BTC balance on every page
-an OPTION to get emails when order is fulfilled
-account to account transfers
hot dog. Im not sure if you changed anything but I have lines around my texts boxes, assets are properly color coded, and more, all the CSS is working. Glad you're happy. Also of interest I've just added account recovery via email (the one used to sign up). This does mean that if your email account that you used to sign up with is compromised then your GLBSE account will be too. It is you're responsibility to secure both your GLBSE account and email, failing to do so will probably result in the loss of all your GLBSE stored funds, which we will not be held accountable for. Nefario. |
|
|
|
Did it pass or fail?
This says it failed:
Ticker ID Created Expired Result Yea Nay Total % pass
MU 4 2012-03-30 2012-04-01 failed 1123 70 1193 51 details
But 1123/1193 or even 1123/1320 sold is a huge pass, right?
hmmm, thats a bug. Will fix soon. |
|
|
|
|
The "phantom" dividend payment is to those who didn't have their dividend from Sunday due to a GLBSE bug on the opening of GLBSE2.0.
This has cost GLBSE about 9BTC as a few accounts that shouldn't have got the payment. The overall result is that BMMO shareholders should be very happy getting extra payments.
Nefario
|
|
|
|
does glbse know / recognize ticker.sub as a sub-asset or is that concatenated automatically if the new asset is issued by an asset manager (instead of general user)?
GLBSE knows base asset names. E.g. I have GLBSE, then only I'm allowed to create GLBSE.SUB but how? which user can (can't ) do that? is the glbse base name owned by the user or by the asset manager account? do I have to enter glbse.sub in the ticker field or is it enough to type SUB and the name would be fixed by glbse depending on the user that is issuing the asset? think I'll figure it out in dev environment It's owned by users accounts. |
|
|
|
|
Show Posts
