There is a very common misconception about how to verify the authenticity of their files; where people seems to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe.
Exactly. I've argued about this before when people were suggesting that Electrum should release file hashes alongside their binaries and PGP signatures. It is always a bad idea to release hashes whether it is alongside signature or just hashes that are signed (like what core does) because it doesn't account for laziness of users and their lack of understanding. I'm sure there are many core users who have the illusion of security while skipping the signature verification. No argument from me. The concern you and ranochigo bring up is quite valid. My only fear that some people will forgo the validation all together if they keep having issues getting the PGP signature to validate. There are no instructions on Electrum's website notifying people that .asc files' names need to be changed to match the binary file name, and most people probably won't take the time to research why they're having trouble. I would venture to guess that most people who are using the GUI PGP apps like Kleopatra are not as familiar with PGP as many of us here. Apparently I need to re-write my guide on validation to mention that the signature file names need to be changed to match the binary file's name. |
|
|
|
I have already explained why I am not doing that. If you cannot understand the reason behind it then its your problem.
You gave a reason, but it doesn't make any sense. That's not exactly an explanation--but if anyone is satisfied with The reason I am not posting everything in public is that he couldnt learn from his mistakes. as a valid reason not to post evidence against someone being accused of something, they've got very low standards. My point is that you should stop beating around the bush and just present what you have here, in public, for everyone to see and judge for themselves. Colires gave a perfectly good reason for not posting his "evidence" in public. If this is an alt of OldSamurai\Rambotnic, then it's within the communities best interest to keep colires' methods of detection private. If you're concerned about false positives, ask colires to share his findings with you privately and then you can make a decision with a little more insight. BTW, Hilariousetc said something very similar about his suspicions connecting two unrelated accounts. I don't recall you telling him to post his methods in public or STFU.  BTW, I always had an inkling you two were one and the same as you just start to see these things when you spend so much time on the board, but it was all but confirmed for me when I noticed both you and QS reporting posts with the exact same phrasing. The odds of that happening between two random people is very rare and obviously not something someone else can mimic. QS also does a certain thing on all of his accounts as do you which I'm not going to give away because it's an easy habit to change but it's always the first thing I look for when I see one account that has all the hallmarks of QS. I honestly don't know whether you just see this board as too lucrative to leave it alone and do your best to try rank up an account to maximise earning potential here from whatever avenues you can, or there's something more sinister going on and you've always been trying to build up to a long con or something. |
|
|
|
Windows has a built-in certificate utility that can be used to calculate SHA512 sums. Here's an example of how to use it to find the checksum of the hashfile. You can use the same tool to calculate SHA256 and MD5 sums also. Just change the sha512 at the end of the command to sha256 or md5 to obtain those sums. CertUtil -hashfile C:\path\to\file\ledger-live-desktop-2.32.2-win.exe sha512  |
|
|
|
As for my comment about elevating my view about it all, perhaps I had some preconceptions based on prior bad experiences with forums. Well, this forum has 99 problems but helping newbies figure out issues with Bitcoin transactions isn't one of them.  I agree with nc50lc's prognosis. My suspicion is you created a transaction, but didn't broadcast it. The transaction was logged by your wallet, but didn't communicate the transaction with the blockchain. That's why your backup wallet had no record of the transaction, it was only stored locally in the main wallet. As soon as one wallet broadcasts the transaction all your other copies of that wallet will be updated the next time you synchronize them with the blockchain. I'm glad to hear your issue was resolved, and I'm glad you find this forum helpful. |
|
|
|
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)... Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!  Yes, I have noticed the same problem on my last verifications, when upgrading to the latest versions. It does not seem quite right that you have to rename the file, as it stays the same file in content, obviously. I get the green light when I verify, so I am happy, but these are the things that should make you suspicious of possible malware... This actually makes a good argument for the method used by the Bitcoin Core development group. The Bitcoin dev team uses PGP to sign a text file full of the SHA256 hashes for the various binary releases. One needs to verify the PGP signed text file, then confirm the SHA256 hash of the desired file matches the binary. It does add a verification step, but at least we wouldn't need to change any file names if we use one of the GUI PGP apps. As I posted above, their are ways to verify the signatures without changing the names of the files, but I understand that might be intimidating for folks who aren't comfortable with the command line interface. |
|
|
|
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)... Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying! I've stopped using Kleopatra. It's kind of buggy and quite limited given all the control one has using the CLI. It's definitely a good tool for beginners, maybe some day they'll include a dialogue box that allows you to chose the signature file and the binary separately. These days I've just been using Windows Terminal or PowerShell and using the command line. There's no issue with files of different names; I can open a notepad window and copy/past the commands to check all the dev's signatures. Here's an example I posted a couple of months ago: gpg --verify C:\path\to\signature_file.asc C:\some\other\path\to\executable_file_with_a_different_name.exe  |
|
|
|
Update:-snip- This is a valid confirmation. As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it. Excellent. Thank you! According to your original post above, you'll need first need to download and import ThomasV's pgp key. The links posted above will get you the key, save it someplace easily accessible, and name it ThomasV.asc To import it use --import /path/to/file/ThomasV.asc. Once it's imported you can sign it using --sign 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6. Editing the key the way o_e_l_e_o suggested is a more powerful way to do it, and gives you options for trust level. Using the --sign command automatically sets the trust level to 4 (fully trusted.) |
|
|
|
Congrats on your new ink. Can't say I'm a fan of tattoos in general, and I've gotten to a ripe age without any so far. I won't say "never" but that's the direction things are going. With my luck I'd get some beautiful hula dancer tattoo That takes some courage to get a meme tattoo, and the art is pretty darn good. That's part of the rationale why this here "dude's" preference would be the henna tattoo, and I would imagine that they hurt less worser, too (not that I am speaking from experience beyond speculative observations). Even a henna tattoo is a little to "permanent" for me. |
|
|
|
You guys can still draft Taysom Hill. |
|
|
|
Risk is perfectly fine, as long as the willing participants are given awareness.
I was under the impression that a welcome message - an introduction to the trust system + scammer indifference - could bring about that awareness and could be a very simple and non-restrictive measure. I don't think your liberty is going to be compromised with a few extra hand movements as a guest. It is not unreasonable to request a landing page for guest users. I have nothing against a welcome message, nor a guest landing page. As I've said before; I think it's a good idea. I don't expect it to solve the scammer problem on this forum (I don't believe you do either,) but sure, it could prevent a few scams here and there, and it couldn't hurt either way. And no, it would have no affect on my liberty. I only brought that up because I've gotten the impression that you would be supportive of more extreme measures to prevent scams. Perhaps I misinterpreted something you wrote in the past to get that impression. Are you able to leverage people's comments in accordance to their actual content via research, or do you place some bias on their site-based reputation? Similarly to as if someone were to trust a member based on rank, the expectation of some local reputation system is perfectly reasonable. Yet, who do you actually trust? Sure, staff can be trusted to some degree, but apparently even DefaultTrust is a bad measure of trust due to the legacy of past exit scams: I would even grant that someone new, having read through enough of the forum, would rather trade (and post) elsewhere unless they wanted to scam others. I don't claim to be Joe Sixpack as I tend to believe I'm more skeptical than most (raising three daughters will do that to a man.) I've been using and visiting forums for a long time, many that focus on subjects in which I'm well versed and experienced, such as BMW motorcycles, Ford trucks, and American rifles. I've seen so many posts by users who claim to be experts only to find them spreading the most preposterous bullshit as if it's fact. I don't pay attention to site specific reputation or reviews. I assume everyone is full of shit until proven otherwise. Which other forums do you visit to where the rules are inaccessible unless you go to their forum discussion board located at the bottom of the front page, view an "Unofficial list of (official) Bitcointalk.org rules" buried within SIX sticky threads, and go all the way to rule 19 to find out that scams are not moderated? This is an excessive scavenger hunt. In fact, unless you count an warning to use escrow as a direct "scams aren't going to be removed and we're not going to do anything about them" message, then there's almost nothing said about forum policy. I'm not arguing with you about that, I think we're closer aligned on this issues than not. My argument is that there are plenty of warning signs in existence already to help newbies and guests avoid scams. There's nothing wrong with adding one more. Just don't get your hopes up, because odds are it'll be as ineffective as the current "Red Flags." Was it a programming issue, integrating a DefaultTrust rating as a guest view of trust (preferably with some description/links to explanations)? DefaultTrust is good enough for registered users, after all, and the only difference is a few minutes!
Or, is it instead a fundamental problem? I can't say for sure, I'm not an alt of theymos (or satoshi for that matter.) I always figured it had more to do members' privacy than anything else. |
|
|
|
|
Game 1: 32' 0-2 Manchester United
Game 2: 32' 0-1 Chelsea FC
|
|
|
|
How many people do you think wander into large forums with the expectation, "I need to be on my guard or else I will be scammed, because the forum allows scammers to stay here." It's one of the things that makes Bitcointalk so unique. If I have a problem with my computer, I go to Stackexchange, copy/paste some code, and it works again. The same for car related problems on specialized forums: I follow the instructions, and it solves my problem. But if you do the same on Bitcointalk, you lose your money: Honestly, it's not that cut and dry. The internet is full of misinformation, and most of us have learned to be skeptical when researching solutions to our problems. I don't blindly copy and paste code from stackexchange without researching the commands, nor do I assume that the youtube videos about misfiring Fords are going to address my specific mechanical issues. Maybe big red warning on every trading board post started by a newbie; something simple like "Scammers flourish in a free marketplace, WATCH YOUR ASS!" That might get the job done, but then again it could get ignored just like all the other giant red warning signs. This is theymos' view: Honestly, I think that someone that naïve can't be protected. Even if every inch of the page had been full of warnings, he still might've fallen for it, since he wasn't even thinking about the possibility of being given evil instructions. The scammer was a Jr Member, not some Legendary.
People like him (ie. the majority of the world population) are why we'll someday want an optional sidechain or something on top of Bitcoin which has reversible transactions (via some sort of automatic 2-of-3 escrow which expires after a while, maybe). I tend to agree with theymos, which is the point I was trying to make to actmyname. We can't protect everyone, nor can we prevent all scams. I'm in no way suggesting that we stop trying, but we're going to have to accept some risk. A quote that's often attributed to Benjamin Franklin goes something like this: "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." |
|
|
|
Lol @ Fraudiola Lol, spoken like a true LFC fan. I mean, he got beaten 3 times in a row by Chelsea's Thomas Tuchel last season so....  Why the dig on Tuchel? Something I don't know? He had a great run at PSG, and so far Chelsea looks far better since his arrival. Guardiola changed the perception of football in general, calling him a fraud is going a bit too far.
I agree that calling him a fraud is going a bit too far. He's done a great job at City, as much as I hate to admit it. Realistically, I'd love to see Guardiola sidelining Arsenal matches in place of Arteta. |
|
|
|
Don't mean to be a bummer but we talked it over and decided it's probably just best to keep things as is. Mainly because we are a newb-heavy league, some of whom have been practicing 8-team drafts already. No disrespect meant to ChiBitCTy. Next year we'll definitely do a 10-team league. @ChiBitCTy, I hope you're not offended, please don't take it personally. The decision to keep it a small, casual league was discussed from the onset, and that's what attracted me to it in the first place. Sept. 3rd, 8 PM EST
Be there or be square. Excellent, that works out great for me. Gives me just enough time to get home from work, take a fat bong hit, and log on to take my first pick... At number 8.  |
|
|
|
Wouldn't it be wiser to publish those keys on separate places? For example, they could also upload them onto Google Drive, Gitlab etc. It doesn't offer a greater security if in the same place Thomas' public key is, you put the others' too, because the compromiser could just generate seven keys more. There might be a reason behind this I can't think of at the moment. Anyway, thanks for doing it. I don't think it's a big deal that they're all in the same Git repository. The odds of both the Electrum site and the Git repository getting hacked at the same time are extremely remote. If one or the other gets hacked the binary signatures wouldn't verify. I do think it adds security to have a couple of sources from which one could download the keys, just in case one of those sources is hacked. In the OP I included redundant sources for ThomasV's key. If you're in the habit of storing other people's public keys yourself, this really only helps when you download someone's key for the first time. It would allow you to confirm that the multiple sources provide the same key, which helps confirm the key's authenticity. Once the key has been downloaded and a signature confirmed, you should store the key locally. Again, this is based on the theory that it's unlikely for multiple sites to get hacked simultaneously. |
|
|
|
How many people do you think wander into large forums with the expectation, "I need to be on my guard or else I will be scammed, because the forum allows scammers to stay here."
Maybe big red warning on every trading board post started by a newbie; something simple like "Scammers flourish in a free marketplace, WATCH YOUR ASS!" That might get the job done, but then again it could get ignored just like all the other giant red warning signs. At some point one has to accept the risks of living in a free society. We can police our own in the hope of preventing repeat offenders, and sometime we can't even do that. The only alternative is regulation and enforcement, and I doubt theymos will ever venture there. Personally, I would rather accept the risks of a free forum than the alternative. |
|
|
|
Jimmy G is terrible. I wouldn't call Garoppolo terrible. He's 22 and 8 as a starter for the Niners, and that includes two losses that he started but didn't finish due to injury. Average passer rating as a Niner is 95, which isn't great but far from terrible. He's actually pretty darn accurate passer, even if he doesn't have a big arm. His main faults are that he's prone to injuries and he's less mobile than Tom Brady. For a pocket passing type offense he'd be a great addition. I don't think it will be very long before he loses his job. Of course it's not like he really owns it atm anyhow, they are just bringing Lance in slowly like the Bears are with Fields. I agree. Shanahan has never been thrilled with Garoppolo. Shanahan is one of the most brilliant offensive architects in the league, but Garoppolo limits his creativity. He's been salivating for someone like Trey Lance who allows him to spin some gimmicky option plays. This guy is primed for a huge year. I'm def targeting him in all my leagues.
It doesn't matter who's playing QB, Aiyuk will get a lot of balls tossed his way. |
|
|
|
Maybe.. I kind of thought Vinsin was an American for some reason, maybe its just the Peter Griffin avatar, oh well. Nah, his English was shit, google translated shit at that. He said something once giving me the impression he was from eastern Europe, I figured Romania or Bulgaria. Elmanchez once claimed to be from Azerbaijan. I wasn't necessarily saying I believe they could be one person, just reminiscent of one another. Both seem to possess a calloused soul. I mean I guess its a talent to coax people out of money, but doing it 100% through lies and shit you would never want done to yourself, renders ones existence more parasitic than human.
Parasitic is great way of summing it up. It must be a pretty depressing existence. |
|
|
|
does buying copper membership affect one's ability to rank up?
None at all. I just turned mine on for the hell of it:  |
|
|
|
And just to understand it if I transfer to you my Bitcoins you will then give me pre-loaded wallets with the same amount as my deposit?
Yes, you will receive a private-key for each chip (which can be imported on a wallet, such as Electrum). Just to add to TryNinja's comments, the private keys you receive will have been pre-funded. You'll get keys that were loaded at some time before your deposit was received by chipmixer. It's a privacy feature that sets them apart from the competition, in my opinion. |
|
|
|
|
Show Posts
