Bitcoin Forum
  Show Posts
1  Bitcoin / Bitcoin Discussion / Re: Bitcoin Transactions Too Easy To Get Robbed? on: June 25, 2011, 12:26:36 AM
I've got a solution... we use an anonymous crowd escrow. Just wacking out the details and I'll get back to y'all.

I will break it with Sybil attack. Try again!
2  Bitcoin / Bitcoin Discussion / Re: Gavin will visit the CIA on: June 24, 2011, 07:23:19 AM
Internet debates are about convincing the reader, not the opponent.

And I'm still trying to convince myself whether or not Gavin has or has not or will or will not visit the CIA. :-\

It is all just an elaborate ruse intended to make us think in that direction...

*cough*
3  Bitcoin / Bitcoin Discussion / Bitcoin needs some SOUPS (or at least, usable security) on: June 23, 2011, 05:01:38 AM
Notice a common thread with all the negative press lately? It's all about the lack of security and confidence.

Using Bitcoin securely and effectively is so complicated even the Loonix geeks are getting pwned.

If a piece of software is too complicated to use correctly that is a failure in the design and/or implementation and should not be considered the fault of the user. It's easy to pass the blame but this won't improve our situation one iota.

There is a whole domain of software and security engineering associated with this subject "Usable Security" that has its roots all the way back in "Why Johnny Can't Encrypt". How many of you use PGP encryption? Show of hands? (See, they still don't have it right: http://scholar.google.com/scholar?q=why+johnny+can't+encrypt&oi=scholart)

Next month is a great conference on this topic: "Symposium On Usable Privacy and Security (SOUPS)" http://cups.cs.cmu.edu/soups/2011/

I'd donate some coins to fund developer attendance at SOUPS. Too late for the early-bird discount, but worthwhile at any price.

I posted this in the bitcoin forum and not the technical / developer forum because they don't seem to care. Maybe if enough of us impressed upon the bitcoin developers the dire and immediate importance of usable security in Bitcoin we could focus improvements along this angle instead of all that pie sky B.S. scattered over github like tornado detritus.

Here's to hoping...
4  Bitcoin / Project Development / Re: Security Bounty on: June 22, 2011, 01:56:20 PM
... it certainly works with companies like google. They offer $1337 for security vuln reporting which is a pittance compared to the gain of selling exploits on the black market, but they pay out in the majority of breaches: it usually isn't found in the wild.

This is a good point because reputation/accolades can be a far more valuable motivator than even the largest jackpot.

That $1337 ("elite") payment from one of the biggest companies in the online business garners significant bragging rights far beyond the measly monetary value handed over.

These no-name exchanges are operating from the opposite angle - they've got no clout or history and would need to compensate by upping the pot and/or adding other incentives.

Not to mention, again, that a bounty on the end product is the wrong way to approach security. It can play a part, but effective security is a process that starts before development, continues through operations, and is continuously applied as long as the business remains a going concern.
5  Bitcoin / Project Development / Re: Security Bounty on: June 22, 2011, 01:43:13 PM
...
So you are saying you wouldn't take the chance at walking off with tens of thousands of dollars worth of hard to trace currency?

Correct. I don't need to steal and greed doesn't motivate me.


The only difference between "white hat" and "black hat" is that one has decided the risk isn't worth the reward.

Not true.

And if the only thing keeping you from unethical and malicious behavior is fear of punishment then you will never understand the mindset of those who don't make their decisions based on such selfish and simplistic arithmetic.
6  Bitcoin / Bitcoin Discussion / Re: Final word: SHA256 not "hacked", collisions, preimage resistance, cluesticks on: June 22, 2011, 01:38:16 PM
Well, if you can get to the passwords ...

Let me make this real clear: SHA256 is part of the cryptographic underpinnings of bitcoin itself.

All the client software and exchangers and third party sites and password practices of users themselves are a completely different problem and horribly insecure by comparison.

But SHA256? No worries. It won't be broken in a way useful for forging bitcoin transactions any time this decade, and probably not this century or the next...
7  Bitcoin / Project Development / Re: Security Bounty on: June 22, 2011, 01:08:23 PM
You mean aside from the incentive to walk away with thousands of dollars worth of bitcoins?

Those are blackhat incentives. You need to make the incentive large for skilled whitehats to care.

And really, looking for weakness after the fact is already a losing position. The exchanges need to build security in from the start, and actually have a process for secure development and operations that continues along with the exchange itself.

No easy "let's just make a bounty" solutions for this problem....
8  Bitcoin / Bitcoin Discussion / Re: Bitcoin Jokes on: June 22, 2011, 09:00:33 AM
To whom it may concern:

Please make your bitcoin jokes funnier next time, so I know they're jokes.

How do you know when someone tells a bitcoin joke? NO ONE LAUGHS!
Hahahah... heh..  oh. Nevermind.
9  Bitcoin / Bitcoin Discussion / Re: Bitcoin Jokes on: June 22, 2011, 08:57:55 AM
I don't use my login or password on any other sites!

hahaha, wait.. that isn't funny. :(
10  Bitcoin / Bitcoin Discussion / Re: Sensibleerection.com discusses GoxGate on: June 22, 2011, 07:55:37 AM
Wait, what is that site called?? ...


11  Other / Politics & Society / Re: Bitcoins are Peacock Tails on: June 22, 2011, 07:18:39 AM
Hellooooooo ladies.  Check out my collection of motherboards and video cards with fans pointed at them.  That's right, I'm burning through about fifteen dollars a day worth of electricity.  You might say I'm something of a high roller...

*swoon*
12  Other / Beginners & Help / Re: What would you do for a klond^H^H^H bitcoin? on: June 22, 2011, 06:22:45 AM
Just waiting on you, cothoms. Locking topic...
13  Other / Beginners & Help / Re: What would you do for a klond^H^H^H bitcoin? on: June 22, 2011, 06:19:40 AM
...
My mother is a southern baptist fundamentalist christian who thinks that things like social security numbers represent the mark of the beast, if I got a TATTOO of a code that represented money..

Hehehe, she'll go into conniptions. I'll send another coin if you freak her out with it. :)
14  Other / Beginners & Help / Re: What would you do for a klond^H^H^H bitcoin? on: June 22, 2011, 06:11:19 AM
Time's up!

Winners didn't even have to try... easiest money ever? Congrats!

Winners are:
Paper Canteen
cothoms
Webengers
Samantha2011

PM me an addr for your coins! Thanks for playing :)
15  Other / Beginners & Help / Re: What would you do for a klond^H^H^H bitcoin? on: June 22, 2011, 06:00:16 AM
Since this thread is dead, I'll jump in.  At least the numbers are on my side =)

Yes indeed. 10 minutes left!
16  Other / Beginners & Help / Re: What would you do for a klond^H^H^H bitcoin? on: June 22, 2011, 05:22:07 AM
... This thread will be open for 1 hour and I'll pick five winners. :)

50 minutes left. I'm picking five winners no matter what, so at least post an address and you may get a coin for nothing!
(Or PM me an address in reference to this thread.)
17  Bitcoin / Bitcoin Discussion / Re: Bitcoin and Smart Cards on: June 22, 2011, 05:19:47 AM
... a display built into the unit is absolutely critical.  Without it, there can be no security at all.

Not quite true. You just need some mechanism to convey amount out-of-band. Banks have been successful using amounts SMS'ed to a phone or robo-dialed to an automated voice system, for example. Not really a "secure display" and certainly not integrated into the point-of-sale unit / terminal. Yet still absolutely effective.
18  Other / Beginners & Help / What would you do for a klond^H^H^H bitcoin? on: June 22, 2011, 05:09:31 AM
The faucet is kinda boring and I've got some coin to dispense.

So, what would you do for a bitcoin? This thread will be open for 1 hour and I'll pick five winners. :)
19  Bitcoin / Bitcoin Discussion / Re: Bitcoin and Smart Cards on: June 22, 2011, 04:52:21 AM
.... unless I'm mistaken they don't make smartcards with neat little screens on them. :(

You have to pay more for "secure display" capabilities but such devices do exist.
20  Bitcoin / Bitcoin Discussion / Re: Bitcoin and Smart Cards on: June 22, 2011, 04:50:40 AM
...
Basically when properly used the keys can't be stolen, transactions are restricted to the card owner; in other words the current issues of wallet theft would not be possible, that is without a rubber hose.
...
The reason I started this thread is I am curious how much interest there would be in something like this.

When per-account/transaction authentication is supported it would be nice to be able to use a smartcard or other trusted store (TPM, HSM, etc.) to launch the client (open encrypted wallet) and authorize transactions.

With the recent malware attacks on wallets themselves, attacking locally running bitcoind processes to make fraudulent transactions is sure to come next.

Multi-factor authentication and authorization as with smartcard systems you mention would be a convenient way to nullify this risk.