Bitcoin Forum
Show Posts
601  Bitcoin / Bitcoin Discussion / Re: Is this a security issue? Massive worker un & pw list found through google ... on: September 23, 2011, 04:04:26 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.

I'm pretty sure that responsibility lies with the user themselves. After all, if you use the same key for your car, house, boat, storage unit, etc., whose fault is it really? Maybe it's time to start a business doing compromised password insurance...

Yes, of course it's the user's responsibility. That's why I called those one-in-a-million users "dumb-asses".

But if the coder is too lazy to spare one line of code to encrypt a useless password then I wouldn't trust that same coder to process my transactions.

By the end of the day, this is yet another security breach and another blow to the credibility of Bitcoins. Whether you used nofeemining or not, whether you chose strong passwords or not doesn't matter, because you were still hurt by this security breach.
602  Bitcoin / Bitcoin Discussion / Re: Is this a security issue? Massive worker un & pw list found through google ... on: September 23, 2011, 01:24:07 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.


They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.
603  Bitcoin / Mining / Why can't we group buy fpga and get a discount? on: September 23, 2011, 01:18:54 AM
The designer? He does not have to touch any chip, it can be open-sourced, and taken from a good FPGA design.
Obviously this can't be open-sourced due to its very nature, because if we pooled together $300,000 for a group buy, most of it will go into the IP. Someone who didn't participate in the group buy can just run to the fab with the open source design and spend his $300,000 entirely on the hardware.

The foundry can already do this, I doubt foundries would be running with the money.  They usually do what they're paid to do, it's not of their concern what the chip does, except checking for IPs.
If AMD's fab, TSMC, started selling a CPU that performs exactly like Bulldozers, everyone would notice immediately.
If this group buy goes through and the global hash rate skyrockets, no one will suspect that TSMC is behind the scenes pumping out more chips than what we ordered. Even if such suspicions do arise, nothing can be proven due to the anonymous nature of mining. So TSMC has nothing to lose and everything to gain.

Packager? They could be required to give back every bad chip they get.
That would work if you're willing to patrol the floor and audit every shift. Packagers have no incentives to steal now because selling the stolen goods would be very difficult, like I mentioned above. However, mining chips are different because they don't need to be sold. They can be used to generate profit legally and anonymously.
604  Bitcoin / Bitcoin Discussion / Re: Is this a security issue? Massive worker un & pw list found through google ... on: September 23, 2011, 12:49:39 AM
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the accounts' passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.
605  Bitcoin / Mining / Why can't we group buy fpga and get a discount? on: September 22, 2011, 11:07:36 PM
I know it must have been asked before,

Why can't we group buy fpga and get a discount ?

I would invest in any effort to get an ASIC made, currently the only thing that would be holding me back on FPGA is mhs/$ and the threats of an ASIC batch being made.

Can someone in the semi industry describe a best case scenario for a cheap ASIC + packaging? For around ~300 000$, what are possible options?

It's either:
A. There's no one in this community that we can trust $300,000 with.
B. People don't have enough trust to give this person/organization $300,000.

Given Bitcoin mining's anonymous nature, there's really no way of knowing whether the chip designer/chip maker/chip packager/PCB assembler is ripping you off or not. The designer and foundry could secretly start their own cluster. The packager and PCB assemblers could be profiting from the "rejects". And when we're getting ripped off I doubt anyone in their right mind would donate another $300,000 to assemble a legal team to sue the offender.
606  Bitcoin / Wallet software / Re: iOS Bitcoin Client on: September 21, 2011, 12:06:28 AM
At least one client was shot down by Apple:
https://bitcointalk.org/index.php?topic=31362.0;all

Quote
Binary Rejected Aug 25, 2011 04:58 PM
Reasons for Rejection:
22.1: Apps must comply with all legal requirements in any location where they are made available to users. It is the developer's obligation to understand and conform to all local laws
Aug 25, 2011 04:58 PM. From Apple.
22.1

We found that your app contains content related to bitcoins - or facilitates, enables, or encourages an activity - that is not legal in all the locations in which the app is available, which is not in compliance with the App Store Review Guidelines.

We encourage you to review your app concept and evaluate whether you can incorporate different content and features that are in compliance with the Guidelines.

To appeal this review, please submit a request to the App Review Board.
607  Bitcoin / Development & Technical Discussion / Re: Bit-error in Block 108009, Tx 23 ? on: September 20, 2011, 10:52:43 PM
How about running 3 computers, each with their own client and blk0001.dat and a copy of your scanner. When an error occurs take a democratic vote.  If the error rate is X then this system will reduce the error rate down to X*X.

I hope Philip K. Dick's estate doesn't sue me for this post  Grin
608  Bitcoin / Bitcoin Discussion / Re: Google wallet.. good for bitcoin? on: September 20, 2011, 10:10:21 PM
Google is creating a wallet and payment service, not a currency. Thus their Wallet and Bitcoin are not mutually exclusive, and I'd expect the Google Wallet to support Bitcoin at some point.

Bitcoin and Facebook Credits are at odds.
Bitcoin and Google Wallet are not at odds. 

(A keen observer may realize that this gives Google incentive to adopt/support Bitcoin in some manner, in order to undermine FB, for they are now in direct competition with each other since Google Plus launched).

Anything with the Mastercard logo on it means it's deeply tied to the current banking system mess. The Banks will pay big money to silence alternative currencies. They do print that money afterall.

Remember, currently Mastercard controls all the POS systems that accept Google Wallet. Google doesn't even get a say in the matter due to their subordinate position. Their logo doesn't even appear anywhere on the sales terminal.
609  Economy / Speculation / Re: Current BTC price in every post on: September 20, 2011, 09:56:40 PM
Brilliant idea!
610  Bitcoin / Bitcoin Discussion / Re: $10,000 Bet that Bitcoins will outperform Gold, Silver by 100X !!! on: September 20, 2011, 04:54:35 PM
This website is a joke, right?

Large Hadron Collider will destroy Earth? http://longbets.org/382/

That's like saying "I bet one trillion USD that USD will become worthless".

Except that both parties need to pay their trillion up front, and it all goes to charity no matter which party wins the bet.

Oh, nvm then. Didn't know you had to pay up front.
611  Bitcoin / Bitcoin Discussion / Re: The 4th largest exchange - cavirtex.com - is down UPDATE:BACK ONLINE on: September 20, 2011, 04:44:10 PM
Thank God it's back online.  Grin
612  Bitcoin / Bitcoin Discussion / Re: Longest orphaned block chain? on: September 20, 2011, 04:42:43 PM
You seem to have misunderstood me. I'll list out my personal understanding of the mybitcoin attack in chronological order:
1. mybitcoin accepts deposits after only 1 confirm. This is an intentional design flaw.
2. A few people point out this security flaw, but it largely goes unnoticed.
3. mybitcoin goes down for a week. People start worrying and seek explanations. This security flaw gets brought up again and most people accept the explanation with no evidence that it actually happened.
4. Tom Williams comes back, claims there's been a security breach, apologizes profusely, and offers to return half of the coins.
5. Tom Williams walks away with the other half of the coins.

If you disagree with any of the above assertions, feel free to bring it up. But I have ample evidence to back up all of my claims.

Suppose Bob wants to open a new Bitcoin service. He claims he wants to speed up the processing times so he only waits for N confirmations, where N<6. In the end he can always just say "I'm so sorry guys, I thought this attack only had a 0.0000001% chance of success, but somehow the attackers made it happen. I will return whatever coins are remaining." and walk away with the rest of the coins. Most people won't buy this of course, but even if just 10% of the people buy this excuse, that's 10% fewer people with pitchforks after Bob.

Wouldn't it be far safer if Bob just used N=6 like he's supposed to?

Ahh, I understand where you are coming from now.

Personally, I think your theory is nutty, for various reasons.  Just one reason is that I haven't seen any evidence of #5, or for the intentionality of #1.  For what it's worth, I don't really care either, so don't bother presenting whatever you have, unless it would satisfy some very high standards of evidence.

At any rate, your scenario doesn't apply here, because Furyan is looking for a way to pay his miners faster than the commonly accepted 120 block coinbase delay.  That is, he is looking to reduce the amount of trust that people need to have in him, not increase it.
I think we can both agree that not everyone got 100% of their money back, so there are still some coins missing.
I think we can both agree that there's no evidence for a double-spend attack on the hashchain, so no "hacker" could have taken the money.

If Tom Williams didn't take those coins, where are they now?

Note that Tom Williams is just a pseudonym. I used Tom Williams to denote whoever successfully perpetrated this social-engineering attack.
613  Bitcoin / Bitcoin Discussion / Re: $10,000 Bet that Bitcoins will outperform Gold, Silver by 100X !!! on: September 20, 2011, 04:18:17 PM
This website is a joke, right?

Large Hadron Collider will destroy Earth? http://longbets.org/382/

That's like saying "I bet one trillion USD that USD will become worthless".
614  Bitcoin / Bitcoin Discussion / Re: Longest orphaned block chain? on: September 20, 2011, 04:08:34 PM
mybitcoin only waited for 1 confirm. This is a fact. I'm sorry if you think it's FUD, but a fact is still a fact.

Things don't become facts just because people say them, not even if they say them often and emphatically.  And the 1 confirmation story has been questioned because no evidence to support it has ever been found.  Read this post I made a week ago (below), then go look at the block forwarding mechanisms in the code.

I don't buy his story at all, at least not the version I heard.  Here's why.  Nodes forward valid blocks.  This is obviously true in the window between accepting the block and having it overturned, but it is also true after a new longest chain has been accepted.  Hell, it is even true if the blocks are stale at the time they are received, if I recall correctly from reading the code a while back.

If his node had been fed blocks that were later overturned, his node would have shared those, and they would have spread across the entire network, meaning that we'd all have copies of them.  Certain people that have a keen interest in the block chain, like Theymos, would have noticed proof of a spend redirection attack in the wild and would have announced it widely.  I gave up on reading the crap sloshing around in the mybitcoin threads, so I might have missed it, but I'm pretty sure that I would have come across it eventually if it had been announced.

I don't necessarily think that he stole the coins, but I'm pretty sure the attack did not come through the bitcoin side of things, even if he really did count deposits after a single confirmation.

If there really had been a spend redirection attack done against mybitcoin, there would be ample evidence for it, and so far no one has presented any.  The only way for there to have been an actual attack, and no evidence found is if the attacker was able to totally isolate his node by taking full control of his network connection for several days, and faking all bitcoin traffic to it for the entire duration, all without anyone noticing.

And even then I'm not sure it could be done cleanly, because when the attacker had to transfer out, he would need to force mybitcoin's node to create outgoing transactions that didn't use any of the fake incoming transactions as inputs.

You seem to have misunderstood me. I'll list out my personal understanding of the mybitcoin attack in chronological order:
1. mybitcoin accepts deposits after only 1 confirm. This is an intentional design flaw.
2. A few people point out this security flaw, but it largely goes unnoticed.
3. mybitcoin goes down for a week. People start worrying and seek explanations. This security flaw gets brought up again and most people accept the explanation with no evidence that it actually happened.
4. Tom Williams comes back, claims there's been a security breach, apologizes profusely, and offers to return half of the coins.
5. Tom Williams walks away with the other half of the coins.

If you disagree with any of the above assertions, feel free to bring it up. But I have ample evidence to back up all of my claims.



Suppose Bob wants to open a new Bitcoin service. He claims he wants to speed up the processing times so he only waits for N confirmations, where N<6. In the end he can always just say "I'm so sorry guys, I thought this attack only had a 0.0000001% chance of success, but somehow the attackers made it happen. I will return whatever coins are remaining." and walk away with the rest of the coins. Most people won't buy this of course, but even if just 10% of the people buy this excuse, that's 10% fewer people with pitchforks after Bob.

Wouldn't it be far safer if Bob just used N=6 like he's supposed to?
615  Bitcoin / Bitcoin Discussion / Re: Beenz vs Bitcoin on: September 20, 2011, 03:32:24 PM
Beenz was centralized and not anonymous. 
616  Bitcoin / Bitcoin Discussion / Re: Longest orphaned block chain? on: September 20, 2011, 03:14:50 PM
By the way, I keep putting widespread in italics because it is important.

Good point - my original question was really about widespread forks.

I ask because I'm looking at ways to modify our pool's payout algorithm to allow almost-immediate payout (we can't afford to eat the cost of orphaned blocks the way Deepbit does) while minimizing our risk.  Seems like after 5 confirms or so we'd be reasonably certain the block would pay out so we can release the funds for it.  Do you think that's a bad conclusion to draw?  I know the network enforces a 120-confirm limit on generated coins but I wonder how overkill that is.

Please keep in mind that this is exactly the same "optimization" mybitcoin used, except they used 1 instead of 5.



How the fuck is that even close to 'exactly'....  If I read one more fucking fud comment about mybitcoin '1 confirm' trying to spread more misinfo about how they were ripped off in that manner I am going to fucking puke. (and yes, I'm-mad-bro) p.s. accepting offers to do the foot work to track down the scums responsible.(within legal means) Some of us Americans are scary muther fuggers too...........


Now, as to the point, 6 would be a much safer bet. ;p

mybitcoin only waited for 1 confirm. This is a fact. I'm sorry if you think it's FUD, but a fact is still a fact.
617  Bitcoin / Bitcoin Discussion / Re: Longest orphaned block chain? on: September 20, 2011, 03:00:10 PM
By the way, I keep putting widespread in italics because it is important.

Good point - my original question was really about widespread forks.

I ask because I'm looking at ways to modify our pool's payout algorithm to allow almost-immediate payout (we can't afford to eat the cost of orphaned blocks the way Deepbit does) while minimizing our risk.  Seems like after 5 confirms or so we'd be reasonably certain the block would pay out so we can release the funds for it.  Do you think that's a bad conclusion to draw?  I know the network enforces a 120-confirm limit on generated coins but I wonder how overkill that is.

Please keep in mind that this is exactly the same "optimization" mybitcoin used, except they used 1 instead of 5.
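The posts in this thread (612, 614, 616 and 617 above) turn on one question: how much does the risk drop as a service waits for more confirmations before crediting a deposit or releasing a pool payout? The calculation behind the "0.0000001% chance" style of claim is the one in section 11 of the Bitcoin whitepaper: the probability that an attacker controlling a fraction q of the hash rate can still overtake a chain that is z blocks ahead. The Python below is an added example written for this page, not code from any poster or from Bitcoin Core, and it implements that formula plus a helper that returns the smallest number of confirmations keeping the attacker's success probability under a chosen target. It models a deliberate double-spend attempt only; the 120-block coinbase maturity mentioned in post 616 is a consensus rule that applies regardless of this estimate.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q catches up from
    z blocks behind (Bitcoin whitepaper, section 11).

    Honest share p = 1 - q. The honest chain is expected to have advanced
    z blocks while the attacker produced z*q/p, so the attacker's progress is
    Poisson with mean lambda = z*q/p; for each k blocks already produced the
    gambler's-ruin term (q/p)^(z-k) gives the chance of closing the rest.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash rate")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority attacker eventually wins with certainty
    lam = z * q / p
    caught_up_not = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        caught_up_not += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up_not


def confirmations_needed(q: float, target: float, max_z: int = 10_000) -> int:
    """Smallest z such that the attacker's success probability is below target."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be in (0, 1)")
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < target:
            return z
    raise ValueError("no z within max_z keeps the risk below target")


def expected_loss(deposit_btc: float, q: float, z: int) -> float:
    """Expected loss on a deposit credited after z confirmations, if the
    depositor is an attacker with share q who will try to reverse it."""
    return deposit_btc * attacker_success_probability(q, z)


if __name__ == "__main__":
    # Constructed scenario: a service weighing 1 vs 5 vs 6 confirmations
    # against an attacker holding 10% of the network hash rate.
    for z in (1, 5, 6):
        print(f"q=0.10 z={z}: P={attacker_success_probability(0.10, z):.7f}")
    for q in (0.10, 0.30):
        print(f"q={q:.2f}: {confirmations_needed(q, 0.001)} confirmations for P<0.1%")
    print(f"expected loss on a 100 BTC deposit at 1 confirm, q=0.10: "
          f"{expected_loss(100.0, 0.10, 1):.2f} BTC")
```

The table the helper reproduces is the whitepaper's own (q=0.10 needs 5 blocks for P<0.1%, q=0.30 needs 24), which is why a single confirmation is a poor place to credit a deposit and why the "5 confirms" figure in post 616 is only adequate against a small attacker.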
618  Bitcoin / Bitcoin Discussion / The 4th largest exchange - cavirtex.com - is down UPDATE:BACK ONLINE on: September 20, 2011, 02:53:16 PM
The largest Canadian exchange, cavirtex.com, has been down since early this morning.

Every week there's a new catastrophe; I hope to God this isn't the latest one.  Undecided
619  Economy / Speculation / Re: Crash to $2 imminent. Willing to bet. on: September 16, 2011, 06:01:48 AM
Based on namecoin observations.   Many people are happy to mine for *MONTHS* at a 40-50% loss because they believe in upside potential.  They can't make the mental connection between being long and producing being two completely unrelated activities, in their mind mining is not at a loss until they sell.

While it's far more economical to simply spend the $ on buying BTC instead that's effort.  Bank -> dwolla -> mtgox requires getting off your duff.  Mining BTC to buy Namecoin is far less effort, yet people didn't bother even for 40-50% more namecoins a day.  In fact, the last few weeks mining namecoins was below power price even for the 4.6 cents/kwhr people like me.

So yes, I think we could see well below production price as the market price.  And we'll be able to sustain it for months.


Or that a lot of people mine on "free" electricity.
620  Other / Off-topic / Re: Looking for a comedy photo. on: September 16, 2011, 05:20:50 AM
Stephen Harper

It's as if millions of Canadian voices suddenly cried out in terror and were suddenly silenced.