Bitcoin Forum
June 22, 2024, 07:21:35 AM *
News: Voting for pizza day contest
 
  Home Help Search Login Register More  
  Show Posts
Pages: « 1 2 3 4 5 6 7 8 [9] 10 »
161  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 31, 2010, 08:31:20 PM
D҉ataWraith,

DNS is the simplest of protocols, all it does is to have a database, cache or forward to next DNS a request.

Basically goes like this:

you type: nslookup www.somesite.com

You computer goes to your resolv.conf or network config, according to your OS, pick your Nameserver and say:

«Hey! Dude! What the hell means www.somesite.com?»

The Nameserver looks it up if has it on its cache or database will reply: «Yo! Man! That's 123.123.123.123», if not will look it up and reply if find or will say «M'a man, there's no such a thing on the internet as far as I can tell!».

However someone may spoof the Nameserver and reply to your computer with a wrong address, which your computer will take for "the real deal".

The issue with DNSSEC is that, thus it's usable for root and authoritarian nameservers, it isn't for clients.
The difference?
Normally you must read on a ns lookup:
Reply without authority
www.somesite.com 123.123.123.123

This means the server that's replying to you knows where www.somesite.com is, but it's not the nameserver for such domain. - This is what your ISP NS's do normally.
On the other side you've the authority nameservers, means those whose the domain is registered to. Those update the root servers and yes, between those two, makes perfect sense update the root servers under a secure line to prevent some other nameserver as present itself as an authority to a domain it's not - which would spoof the address internet wide.

Now... clients does A LOT of DNS requests, it's normal that when you visit a page that page to have items stored somewhere else. For each "some where else" your computer does a DNS request... now just imagine if it has to negociate a certificate with the nameserver before.

As for attacks, it's something you must count on, but I do prefer to have users aware of the danger rather than go Fascist like imposing limitations to what they can do.
Security has to be moderate by the hazard, you probably would check your wallet every minute on a bus to see if it's still on your pocket if you carry like $1000, but you don't if you carry just 1 or 2 bucks. Likewise it would make the same sense to protect a computer bank-like if the user just has there a couple of pirate MP3.  Grin

162  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 31, 2010, 09:42:41 AM
Sure does, that's what a certificate does: Hey! You're on www.somewebsite.com and the data is crypted.
The question is that, imagine somewebsite is meant to be at 123.123.123.123 and someone else spoofed DNS for it to resolve to 123.123.123.124, then your browser will believe it is at www.somewebsite.com - even if it's phishing.
And for free certificates, they might include the security they want, but no browser recognizes their root CA's, so it makes them as worthable (and will raise the very same alerts) a self-signed certificate.

DNSSEC is yet another piece of junk. That probably would never come to be nothing but a project. Issues of practical life, negociating crypt algorithms reduces performance and DNS is a really heavy duty service. So, if someone tries to implement DNSSEC as a standard, internet would probably become as slow as Tor is.

And if someone doesn't want the one he's paying to to know his address, probably the person that's receiving the payment doesn't want to show his address either. Therefore they simply DON'T use DCC Pay, but P2P Pay. Easy... as long as both options are there.

I'm up to choices not to paranoia. Paranoia in security isn't of any value add, paranoia is just that... paranoia. Reduces life quality, grants nothing and prevents people from live.
Yes, someone may steal your data, as someone may steal your wallet on the bus with the very same outcome. There're some security elementals, but you can't keep looking over your shoulder (specially because you probably will miss to see the electrical post in front of you).  Grin
163  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 30, 2010, 08:02:53 PM
Leave Tor aside, that would be more "Man in the Center" rather than "Man in the Middle".  Grin
As for the attacks on websites with BC addresses, you may deface them, and you may spoof even without the server's Private Key. Normally people don't look to the CA, so as long as the CA is recognized it will ring no bells - and within this "world", specially for Tor users, Verisign Certificates aren't the normal thing, but CACert and other free services alike (means also many users are already used to press "Continue" on invalid certificate flags).

If by anymeans you got the server's private key then it doesn't make no difference, for your browser that Certificate is signing that address and, as far as DNS can tell, that server is there.

Edit:
To not mention the obvious: If you know the destination's IP Address why on Hell you would need to use Tor to pay?? And if the address would be something like <some unreadable hash>.onion then you wouldn't need SSL, because inner Tor data is already crypted.
164  Bitcoin / Bitcoin Discussion / Re: betting with bitcoins...... on: May 30, 2010, 05:12:33 PM
Botnets aren't just for DDoS, it can be used for other purpouses - can perform anything its master tells them to - including download BC Client and cast votes.

But I'm not being critic, the issue is that you're using votes on polls generated by the system to a bet system. That's a noway thing to do.

One thing is:

Who will win the next game?
- Team A
- Draw
- Team B

This is what uncertain future event stands for.

Other thing would be:

What's your favorite color?
-Red
-Yellow
-Green
-Blue

This is an opinion cast or survey, and it makes no sense to bet on its outcome. Because you're starting a question yourself for a non-event and use the number of replies as the outcome, which becomes a redudancy and a result "ad populum".
Opinions Ad Populum are natural fallacies, like "Many people believes in God" - such has no influence at all to determine whether God exists or not. People beliefs and likes/dislikes doesn't qualify then to create valid results on itsown about anything.  Wink
165  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 30, 2010, 04:36:51 PM

That brings up another possible man-in-the-middle attack for HTTP connections:  if you see a Bitcoin address on a non-secure web page, you can't be sure that you're seeing the correct address (a man-in-the-middle might have replaced it with THEIR Bitcoin address).  And ditto for sending your Bitcoin address to somebody to request payment (e.g. send it via email or in your forum signature and it might get replaced before being displayed to people who want to send you money).


And if you leave your house you can be hit by a car. Oh! Wait! If you remain at home a plane may crash over your roof.  Grin

MiM attacks that can perform defacing can perform it on all the ways - with or without SSL. Like spoof your DNS and make your browser believe to be seeing the "right page".
The only way to be 100% secure on informatics is to be offline with the computer switched off from power. As long as it is on, there're a few "thousands" of possibilities and... sh*t happens.  Wink
166  Economy / Marketplace / Re: World's FIRST Bitcoin Lottery! on: May 30, 2010, 04:05:28 PM
You can use any flavor:

Lotto 6/49
Euromillions 5/50+2/9
or anyother

I was once thinking on create a sports (Soccer) 1X2 betting system, but on such time it was with Euros and... taken bet with that currency is "somewhat" illegal on my country and I couldn't afford a P.O. Box on Cayman Islands (and hire micro-dwarfs to work in the "office"  Grin ), I drop the project.

Maybe I can revive it for BCs.
167  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 30, 2010, 03:56:57 PM
theymos:

Like I said; if it worth it.

There're some random vars to add too, as to know when someone will send something.
But, yes, TLS would be nice, why make things easier to steal when we can do it a bit harder? TLS adds some good security without cut too much usability.

I wouldn't care for ISP's anyway, if you mistrust them that much as I said before, you rather not make a phone call anymore on your life, taken telecom companies can easily tap it. But for those using proxies, some user-run proxies, yes, authenticate over plain text for those is a russian roulette.
168  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 30, 2010, 01:57:41 PM
Quote from: gavinandresen
I don't see the security risk of being able to intercept or eavesdrop on a Bitcoin transfer.

When sending to an IP address, BitCoin contacts the IP address without any authentication/encryption and requests a new BitCoin address, which is also sent back in plaintext. You then send the BitCoins to that address in the normal way. A man in the middle can intercept this request and send back their BitCoin address. You will then securely transfer BitCoins to the wrong person.

But a man in the middle can also intercept the key negociation for OpenSSL and decrypt the packets.
If BC goes as payment standard other attacks may come along, as forging hashes.

This round about for the eternal question: Does it worth it?
Like Windows and Linux, none is safer than the other, Windows has registry, in time it has autoexec.bat, but so does Linux have .bashrc, inetd, xined and several ways to put "crap on boot", to not mention Linux is OpenSource and this may be a security hole because Open Source doesn't mean "Open only for the right people", but "Open for the wrong as well". Still the number of virus and malaware for Windows is astronomical compared with those available for Linux. Why? Simple... Windows has the biggest market share. If it happens to be the other way around than it would be more profitable to make crap for Linux than Windows things would go the otherway around.
169  Bitcoin / Bitcoin Discussion / Re: betting with bitcoins...... on: May 30, 2010, 01:41:46 PM
For entering a bet ...one has to vote in atleast one betting result...this will eliminate the need of incentive........There won't be spamming because one node votes once for an event................If spammers can forge the system then it also means that they can also forge the bitcoin generation system by generating coins on several PCs for one hash address..........

Well, my friend:

If for entering a bet one has to already bet at least once it means the system will never start. Since noone would be able to start the first poll.

Spammers can't "forge results" but get people to vote for "their bet", also those with botnets would have a huge advantage here.
As for generate BC, sure, perfectly possible, you can have several machines generating BC's and output them all to a single address upon creation. Just the value of BC and the uncertain whether and when you'll create some makes such system not profitable.

In the end; you can't run bets on polls generated by the betting system itself. Bet has to be on something the betting system isn't related or can't predict the outcome. That's the essence...  Wink
170  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 29, 2010, 04:42:49 PM
It's not just an issue with proxies. Since there's no authentication, any "man in the middle" can intercept your BitCoin transfer, including your ISP and other people on your wireless connection. It's like logging into your bank's website without HTTPS.

BitCoin should use an authentication method like SSH: the receiver signs the BitCoin address and other info with a permanent public key, the hash of the public key is displayed to the sender before any transfer, and the receiver makes this hash known through other trusted channels.

Sure, encryption would be a good feature, TLS for an instance.
About ISP's, and mainstream internet, if you don't trust them you rather not make also a phone call anymore.
But isn't quite "like login to a bank without HTTPS", one can intercept a single BC transfer but doesn't get the hability to start further bitcoin transfers on hisown; which would happen if it was your bank login instead.

Still there's room for both: DCC and Address transfers. Such relies more on "who and why" are you paying than the payment itself.
171  Economy / Trading Discussion / Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses? on: May 29, 2010, 11:56:28 AM
Actually no, transfering coins via IP address isn't encrypted. When you transfer coins to an IP, the recipient creates a new address just for that transaction and tells you to transfer coins to that address. A malicious exit node could sniff all Bitcoin traffic and intercept those transactions easily.

So for everyone: DO NOT USE IP ADDRESSES AS DESTINATIONS, ALWAYS USE BITCOIN ADDRESSES.

That's not "for everyone", but for those up to buy or sell some stuff more... strange.
I believe the core aim of BC is to be an easy to carry non-centralized currency, anonimity is a surplus not a mandatory field. Otherwise we would rather call it TorPay.
So, unless the transaction is for the a new pedo movie, some crack shipment or some stuff alike, there's no reason to use Tor, and therefore no exit nodes and no proxies. In the end trimming your advice: If you're up to make a "non conventional" payment over Tor, use the destination's BC Address, if you're buying or selling something normal, use IP or BC address.  Wink

Then we've the eternal ballance: Usability x Security. Too much security = too few usability (the most secure computer in the planet is... anyone since it's switched off) and too much usability = too few security. Ballance is better than paranoia.  Wink
172  Bitcoin / Bitcoin Discussion / Re: betting with bitcoins...... on: May 29, 2010, 10:29:36 AM
Betting has to be concise on a specific event, not abstract. Therefore it makes no much sense, looks like some odd sort of "ad Populum".
Eg. "What will be the outcome of game A", "Who will be the next president of B".
You can't run betting on polls when those polls are generated by the betting system itself, 'cause that would result on the same always: the best spamer wins and I doubt someone is up to promote spam around.  Grin A «guess the number I'm thinking» game would make more sense than that.  Grin
173  Economy / Economics / Re: Calculating Bitcoin Value... on: May 29, 2010, 06:29:04 AM
I believe that you're also looking to BC in a linear mode, as if it was always generating bitcoins chunk after chunk when instead it runs more like a sort of "lottery". You can generate 50 bc/day, 200 bc/day or... none, and as the network grows this last thing is the most likely to happen.
Also as the network grows the "proof-of-work" grows along, bc generators may start to run up to the next year or next 2 years, or rather not run them at all, taken they would take 1 month to update and process the existing nodes.

What the network seams also to miss is a way to generate high input of transactions, services, games, stuff to spend and earn BC's and make it flow.
174  Bitcoin / Development & Technical Discussion / Hostnames instead of IP Addresses on: May 29, 2010, 04:38:52 AM
At least the Windows client seams unable to resolve hostnames - or doesn't even try, pops up an "Invalid Address" right away.

This is a huge setback taken most people have dynamic IP Addresses. Therefore, instead of "123.123.123.123" only it should be added the hability to send also to "someone-accepting-bitcoins.somedomain.sometld".
175  Bitcoin / Bitcoin Discussion / Re: betting with bitcoins...... on: May 29, 2010, 04:32:07 AM
Using the bitcoin client as a bet broker would make it a "token bet place" and not a "currency".
But you can make a bet site based on bitcoins, just like my casino runs on it.
176  Economy / Marketplace / Re: BitCoin Casino (Beta mode) on: May 28, 2010, 02:40:52 PM
Quote
What's the char code/html code of such character?!

&#x0e3f; - Thai currency symbol Baht

In blackjack, the game died when I split a hand and won blackjack on both. It's probably a bug for the game to even give me that; the odds are astronomical.

Also, Aristocrat Slots seems to be giving out way too much money. I've found it to be reliably (though slowly) profitable; I've made at least 500 BC from it already (and then lost it all on other games...).

Oh, that's what that symbol is, bahts. Didn't know, been to Indonesia and Singapore but never to Thailand.  Grin

Yes, indeed, I've to review the entire Blackjack engine that came along, it seams to have some bugs. For me it already showed up two diamond jacks saying "Dealer have blackjack".  Grin Also came with a bug on the roullette that allowed bets with negative ballance (fixed).

About the Aristocrat, is about as profitable as any other slots, no bugs, just odds.
177  Economy / Marketplace / Re: BitCoin Casino (Beta mode) on: May 28, 2010, 12:10:48 PM
What do you mean use bitcoin cents as sign?

I think he meant that you could replace the $-signs with ฿-signs. That's the currency-symbol the community adopted for bitcoin. I think it's using Unicode though, and the website does not declare the required content encoding currently. Changing that could be as simple as adding a <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> header, but it might be more difficult if the database depends on the encoding somehow.

What's the char code/html code of such character?!
178  Economy / Marketplace / Re: BitCoin Casino (Beta mode) on: May 28, 2010, 12:06:07 PM
I lost 40 bitcoins, so it works perfectly Grin

Man... you used "the system" in the roullette. I've to say "sorry, but «the system» doesn't work". Not online and not on real casinos. Loose and double up = loose^2. Luckily it was bitcoins, if it were Euros or USD would be much worse.  Wink

Put things this way: If «the system», be it on the roullette or blackjack, would work casinos would bankrupt. But "the system" has a big "hole", as you loose you double up, but if you start with 1 and loose 10 times in a row you would be loosing 1+2+4+8+16+32+64+128+256+512 = 1023, and would need to find 1024 for the next bet.
To make it "worse", machines are programmed to let win according to the casino's bank. This means if the casino has waged 1000 and, like mine, is set to pay up 98% (and this is pretty much, taken regular casinos pay up 80 to 85%), there's no way somebody will win a hand over 980. Ok, in your case you already put the bank 98% of 1023, but meanwhile someone playing on the slots just get 100, this means the bank got 100 short.
And then you have the "winning coefficient", it exists to prevent a single player from take the whole bank at once - which would leave the other players with nothing left to be won. This secondary system is set for 70% - means per hand at maximum you may wage 70% of the whole casino's bank.

In fact, in the casino, players play against each others leaving some margin to the house, nobody plays against the house.

Anyway, as I manually fed the bank with my own BC, here's the statistics so far:

TOTAL PROFIT: -493.53
 Grin
179  Economy / Marketplace / Re: BitCoin Casino (Beta mode) on: May 28, 2010, 05:54:13 AM
sir arthur...
my username is -spndr7 and i have checked my 1 BC deposit..plz check the same...

spndr7: Deposits: 1 bc, games played: none, withdraws: 1 bc  Grin
Checked and withdraw done.
180  Economy / Marketplace / Re: BitCoin Casino (Beta mode) on: May 27, 2010, 04:11:22 PM
Ok, it works.
But I can't understand how you can handle it if you have to to it manually.
Is it a good idea to use bitcoin cents as a sign?

Well, casino (normal ones that is) does handle a lot of payments manually - those who come by wire transfer. Isn't that different, even thus that "From: Unknown" is a bit... maybe there should be a way to prevent the sender from "vanish".

What do you mean use bitcoin cents as sign?
Pages: « 1 2 3 4 5 6 7 8 [9] 10 »
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!