Bitcoin Forum
April 24, 2018, 07:09:48 AM *
  Show Posts
581  Economy / Auctions / Re: Advertise on this forum - Round 185 on: September 13, 2016, 05:47:12 PM
1@ 0.2

2@.02

Because you have newbie accounts, you need to PM me the details of what you're going to advertise before your bids will be accepted.

Note that I have cleared p2p to bid.

The auction continues.
582  Other / Meta / Re: Should we change our passwords? on: September 12, 2016, 01:41:28 AM
I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Currently there's no regional filtering. It isn't usually necessary, since attacks have either been possible to detect and block (automatically or manually) or SYN floods which use fake IP addresses. On a few occasions in the past I've had to block a few /16 networks for a while, but there's nothing like that active now.

I really like the idea of having a bunch of firewall servers which handle the TCP handshake and then send real traffic to the real server(s) via a GRE tunnel. Since it works at the TCP level, the firewall servers do not need the HTTPS key and aren't particularly sensitive security-wise. It doesn't protect against application-level attacks, but generally those are easier to protect against by just blacklisting or limiting misbehaving IPs. I wish that more companies would offer this service. The forum's previous DDoS protection did this, but it was some amateur operation which had its own reliability issues, making it unacceptable. Incapsula was willing to do a special deal, but their price was ridiculous. I think that someone could make money by buying a few dozen servers distributed across the globe and selling GRE-tunnel-based DDoS protection from SYN floods and maybe also bandwidth leeching (by tracking when new IPs start using way more traffic than anyone else), ideally with anycast IP addresses to distribute traffic among the firewall servers. I think that you could do it largely with standard iptables rules, though it'd be very complicated. If I was setting up a service like this, I would oversell like crazy -- each site is only actually DDoSed a very small percentage of time, so you only need enough ordinary capacity to protect against one or two active attacks --, but then have some sort of backup plan to add more servers in an emergency (maybe by spinning up EC2/DigitalOcean/Vultr instances, which are expensive compared to a dedicated server but quickly available in case more capacity is needed now).
583  Other / Meta / Re: Ancient Bitcoin Talk accounts logging in on: September 12, 2016, 01:32:23 AM
Were password hashes at the time salted?

The new password hashing scheme was implemented in July 2012. Accounts that never logged in after then still have the old hashes, which are IIRC one round of SHA-1, salted with the username. Strong passwords could survive, but it's certainly much easier to crack the old hashes than the new hashes.

When will we see Satoshi's account being used soon?

You won't, since I locked his account long ago. The password hashes leaked in 2015 aren't even his original hashes.
584  Other / Meta / Re: Bitcointalk downtime, or just me? Edit: DDoS attack confirmed as per Theymos on: September 08, 2016, 05:04:19 AM
Theymos, were there any demands linked to these attacks?

Nope.
585  Other / Meta / Re: Bitcointalk downtime, or just me? Edit: DDoS attack confirmed as per Theymos on: September 08, 2016, 02:52:37 AM
I guess they're going to do it every day at around this time until I figure out how to stop them... I've made some progress on that front, but it's not done yet.

If anyone is an actual expert in Linux networking (i.e. the term "GRE tunnel" is familiar to you), I could use your help in figuring some of this stuff out.
586  Other / Meta / Re: Problems with notifications? on: September 07, 2016, 03:22:48 PM
Well there was a DDoS attack recently so maybe he changed something to try to combat it. I think when I first stopped receiving them it was after a DDoS attack so maybe theymos changed something that altered the IP that the emails come from and that particular one is blocked by your provider. I think that's what happened to me as theymos told me the emails were still being sent but I certainly wasn't receiving anything as I had before.

Yes, that's what happened. I forgot about this, I'll fix it soon.
587  Bitcoin / Bitcoin Discussion / Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net on: September 06, 2016, 07:52:07 AM
What year did you change the hashing algorithm? From what I saw in the database some users who didn't log on after 2012 were not in it.

July 2012.
588  Bitcoin / Bitcoin Discussion / Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net on: September 06, 2016, 07:44:46 AM
I think that one extra step of security would be to have implemented a custom salt for every user's password.

Each hash has a unique 12-byte salt.

Quote
Also, from StackOverflow:

That's the same nonsense I was responding to.

Quote
Not all of the passwords in the database leak had that encryption :p

It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.
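
Added example (not the forum's code and not part of the posts above): the upgrade-on-login pattern behind the replies about old SHA-1 hashes and about hashes that cannot be upgraded until the user logs in. Assumptions: the legacy hash is SHA-1 over username followed by password, PBKDF2-HMAC-SHA256 stands in for sha256crypt, and the `db` dict, scheme prefixes and function names are hypothetical.

```python
import hashlib
import hmac
import os

ROUNDS = 7500      # work factor quoted in the posts for the new scheme
SALT_BYTES = 12    # per-hash salt size quoted in the posts

def legacy_hash(username, password):
    # Assumption: the username is prepended as the salt (one SHA-1 round).
    return "sha1$" + hashlib.sha1((username + password).encode()).hexdigest()

def strong_hash(password, salt=None, rounds=ROUNDS):
    # Stand-in for sha256crypt: PBKDF2-HMAC-SHA256 with a random per-hash salt.
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), dk.hex())

def verify(stored, username, password):
    scheme = stored.split("$", 1)[0]
    if scheme == "sha1":
        candidate = legacy_hash(username, password)
    elif scheme == "pbkdf2":
        _, rounds, salt_hex, _ = stored.split("$")
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(rounds))
    else:
        return False
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def login(db, username, password):
    stored = db.get(username)
    if stored is None or not verify(stored, username, password):
        return False
    if stored.startswith("sha1$"):
        # The plaintext is only available at this moment, so upgrade now.
        db[username] = strong_hash(password)
    return True

def legacy_accounts(db):
    # Accounts still exposed to fast offline guessing if the table leaks.
    return sorted(u for u, h in db.items() if h.startswith("sha1$"))

def demo():
    # Constructed sample table: two accounts created under the old scheme.
    db = {"alice": legacy_hash("alice", "correct horse"),
          "dormant": legacy_hash("dormant", "hunter2")}
    login(db, "alice", "correct horse")   # alice logs in after the upgrade
    return db

if __name__ == "__main__":
    db = demo()
    print(db["alice"].split("$")[:2], legacy_accounts(db))
```

Accounts returned by `legacy_accounts` are the ones that never logged in after the change; locking them or forcing a reset is the only way to retire their old hashes.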
589  Bitcoin / Bitcoin Discussion / Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net on: September 06, 2016, 06:34:55 AM
I sent out a mass email about this right after the leak in 2015. People really should've changed their passwords then. This database has been floating around since then, so if you didn't change your password already and your password is sufficiently weak, then there's a good chance that your account would've already been compromised.

Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what WordPress implements. Now THOSE are some tough hashes to crack.

That's a common misconception. There is no functional difference between bcrypt and sha256crypt, except that sha256crypt uses the industry-standard SHA-256 hash function while bcrypt uses a hash function based on the deprecated and obscure Blowfish encryption algorithm.

PHP uses a default bcrypt cost of 10, which is roughly similar to sha256crypt with rounds=1024. Python uses a default cost of 12, which is roughly similar to sha256crypt with rounds=4096. The forum uses sha256crypt with rounds=7500. The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.
590  Other / Meta / Re: Bitcointalk downtime, or just me? Edit: DDoS attack confirmed as per Theymos on: September 06, 2016, 12:23:53 AM
A DDoS attack takes a site down, it doesn't provide the attacker with any access.
591  Other / Meta / Re: Bitcointalk downtime, or just me? on: September 05, 2016, 11:31:20 PM
OMG! Is everything going to be okay? Can we expect more downtime? Please answer!

Probably there will be periodic downtime until they stop or until I figure out how to mitigate the attack.
592  Other / Meta / Re: Bitcointalk downtime, or just me? on: September 05, 2016, 10:37:32 PM
Yes, there was a DDoS attack.
593  Economy / Auctions / Re: Advertise on this forum - Round 185 on: September 05, 2016, 03:33:51 PM
Since only one person supported the change, I decided not to change the auction rules at this time. Thank you to those who gave feedback.

Again note that starting with round 184, the ad area will be slightly changed so that it has a maximum width and height, and any content outside of this space will be cut off. I don't think that most ads will typically be affected by this, but possibly certain ads will require redesign.

The change will be similar to:
Code:
<div style="display:inline-block; max-width:100%; min-width:100%; max-height:42px; overflow:hidden">
[your ad here]
</div>

At the time of this posting ad_test.html is not updated to take this into account, but it will be in a few days.
594  Economy / Auctions / Advertise on this forum - Round 185 on: September 05, 2016, 03:32:42 PM
The forum sells ad space in the area beneath the first post of every topic page. This income is used primarily to cover hosting costs and to pay moderators for their work (there are many moderators, so each moderator gets only a small amount -- moderators should be seen as volunteers, not employees). Any leftover amount is typically either saved for future expenses or otherwise reinvested into the forum or the ecosystem.

Ads are allowed to contain any non-annoying HTML/CSS style. No images, JavaScript, or animation. Ads must appear 3 or fewer lines tall in my browser (Firefox, 900px wide). Ad text may not contain lies, misrepresentation, or inappropriate language. Ads may not link directly to any NSFW page. Ads may be rejected for other reasons, and I may remove ads even after they are accepted.

There are 10 total ad slots which are randomly rotated. So one ad slot has a one in ten chance of appearing. Nine of the slots are for sale here. Ads appear only on topic pages with more than one post, and only for people using the default theme.

Duration

- Your ads are guaranteed to be up for at least 7 days.
- I usually try to keep ads up for no more than 8 or 9 days.
- Sometimes ads might be up for longer, but hopefully no longer than 12 days. Even if past rounds sometimes lasted for long periods of time, you should not rely on this for your ads.

Stats

Exact historical impression counts per slot:
https://bitcointalk.org/adrotate.php?adstats

Info about the current ad slots:
https://bitcointalk.org/adrotate.php?adinfo

Ad blocking

Hero/Legendary members, Donators, VIPs, and moderators have the ability to disable ads. I don't expect many people to use this option. These people don't increase the impression stats for your ads.

I try to bypass Adblock Plus filters as much as possible, though this is not guaranteed. It is difficult or impossible for ABP filters to block the ad space itself without blocking posts. However, filters can match against the URLs in your links, your CSS classes and style attributes, and the HTML structure of your ads.

To prevent matches against URLs: I have some JavaScript which fixes links blocked by ABP. You must tell me if you want this for your ads. When someone with ABP and JavaScript enabled views your ads, your links are changed to a special randomized bitcointalk.org URL which redirects to your site when visited. People without ABP are unaffected, even if they don't have JavaScript enabled. The downsides are:
- ABP users will see the redirection link when they hover over the link, even if they disable ABP for the forum.
- Getting referral stats might become even more difficult.
- Some users might get a warning when redirecting from https to http.

To prevent matching on CSS classes/styles: Don't use inline CSS. I can give your ad a CSS class that is randomized on each pageload, but you must request this.

To prevent matching against your HTML structure: Use only one <a> and no other tags if possible. If your ads get blocked because of matching done on something inside of your ad, you are responsible for noticing this and giving me new ad HTML.

Designing ads

Make sure that your ads look good when you download and edit this test page:
https://bitcointalk.org/ad_test.html
Also read the comments in that file.

Images are not allowed no matter how they are created (CSS, SVG, or data URI). Occasionally I will make an exception for small logos and such, but you must get pre-approval from me first.

The maximum size of any one ad is 51200 bytes.

I will send you more detailed styling rules if you win slots in this auction (or upon request).

Auction rules

You must be at least a Jr Member to bid. If you are not a Jr Member and you really want to bid, you should PM me first. Tell me in the PM what you're going to advertise. You might be required to pay some amount in advance. Everyone else: Please quickly PM newbies who try to bid here to warn them against impersonation scammers.

Post your bids in this thread. Prices must be stated in BTC per slot. You must state the maximum number of slots you want. When the auction ends, the highest bidders will have their slots filled until all nine slots are filled.

So if someone bids for 9 slots @ 5 BTC and this is the highest bid, then he'll get all 9 slots. If the two highest bids are 9 slots @ 4 BTC and 1 slot @ 5 BTC, then the first person will get 8 slots and the second person will get 1 slot.

The notation "2 @ 5" means 2 slots for 5 BTC each. Not 2 slots for 5 BTC total.

- When you post a bid, the bids in your previous posts are considered to be automatically canceled. You can put multiple bids in one post, however.
- All bid prices must be evenly divisible by 0.05.
- The bidding starts at 0.25.
- I will end the auction at an arbitrary time. Unless I say otherwise, I typically try to end auctions within a few days of 10 days from the time of this post, but unexpected circumstances may sometimes force me to end the auction anytime between 4 and 22 days from the start.
- If two people bid at the same price, the person who bid first will have his slots filled first.
- Bids are considered invalid and will be ignored if they do not specify both a price and a max quantity, or if they could not possibly win any slots.

If these rules are confusing, look at some of the past forum ad auctions to see how it's done.

I reserve the right to reject bids, even days after the bid is made.

You must pay for your slots within 24 hours of receiving the payment address. Otherwise your slots may be sold to someone else, and I might even give you a negative trust rating. I will send you the payment information via forum PM from this account ("theymos", user ID 35) after announcing the auction results in this thread. You might receive false payment information from scammers pretending to be me. They might even have somewhat similar usernames. Be careful.
595  Economy / Auctions / Re: Advertise on this forum - Round 184 on: September 05, 2016, 03:26:12 PM
9 @ .75

Sorry, I won't accept your bid for reasons I explained privately.

3 @ 0.35

You're too new, PM me first next time.

Auction ended. Final result:
Slots BTC/Slot Person
2 0.70 Bitcoin Kan
1 0.60 liqui
5 0.60 KiboPlatform
1 0.50 Stunna
596  Other / Beginners & Help / Re: Verifying Bitcoin Core on: September 04, 2016, 02:59:36 AM
Will a future version prevent an older version from connecting at some later point in time?

Yes, but it's done very rarely. Versions as old as 0.3 can still connect to the network, though versions between 0.3 and 0.7 have a random chance of rejecting large blocks unless you add a special DB_CONFIG file to the data directory. (Those version numbers are from memory, and might be somewhat off.)

Except in case of some catastrophic network event such as an attack by the majority of miners, you should generally have at least 6 months of warning before a backward-incompatible change is made, and probably more like 12-24 months. The change which made versions older than 0.3 incapable of connecting to the network was done with 2 years of advance warning.
597  Other / Beginners & Help / Re: Verifying Bitcoin Core on: September 03, 2016, 10:25:46 PM
Is there an issue if still using 0.12 core version?

No, there are no known problems with 0.12.1, and both the most recent major version and the previous major version are officially supported. So 0.12 will be supported until 0.14 comes out.

I recommend waiting a few months to upgrade on sensitive systems just in case any bugs are found.
598  Other / Beginners & Help / Re: Verifying Bitcoin Core on: September 03, 2016, 08:03:51 PM
in windows

Can a little more explanation

Step by Step

Hold down shift and right click on empty space next to the downloaded Bitcoin installer. Click "open command window here". In the box that comes up, type certUtil -hashfile bitcoin-0.13.0-win32.zip SHA256 (if the file you downloaded has a different name, use that name instead). Push enter. The hash will be printed. Between every two characters of the hash there will be a space, but you can ignore those spaces.
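
Added example (not part of the original post): checking the hash that `certUtil -hashfile` prints against a published hash list, including the spaced output mentioned above. Assumptions: the hash list uses `<hex>  <filename>` lines and has already had its signature verified; the function names and the sample output are constructed for illustration.

```python
import hashlib
import hmac
import re

def digest_from_certutil(output):
    """Return the SHA-256 hex digest found in certUtil output, or None."""
    for line in output.splitlines():
        # Some Windows versions print "ab cd ef ..."; drop the spaces.
        compact = line.replace(" ", "").strip().lower()
        if re.fullmatch(r"[0-9a-f]{64}", compact):
            return compact
    return None

def expected_digest(sums_text, filename):
    """Look up the digest for exactly this file name in the hash list."""
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None

def matches(certutil_output, sums_text, filename):
    got = digest_from_certutil(certutil_output)
    want = expected_digest(sums_text, filename)
    if got is None or want is None:
        return False          # missing entry or unparsable output fails closed
    return hmac.compare_digest(got, want)

def constructed_sample(payload=b"constructed installer bytes"):
    # Constructed data: a fake download, its certUtil-style output and a
    # two-entry hash list. None of these values come from a real release.
    name = "bitcoin-0.13.0-win32.zip"
    hexd = hashlib.sha256(payload).hexdigest()
    spaced = " ".join(hexd[i:i + 2] for i in range(0, 64, 2))
    output = ("SHA256 hash of file %s:\n%s\n"
              "CertUtil: -hashfile command completed successfully.\n"
              % (name, spaced))
    sums = "%s  %s\n%s  other-file.tar.gz\n" % (hexd, name, "0" * 64)
    return output, sums, name

if __name__ == "__main__":
    out, sums, name = constructed_sample()
    print("match" if matches(out, sums, name) else "MISMATCH")
```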
599  Other / Beginners & Help / Re: Verifying Bitcoin Core on: September 03, 2016, 04:28:41 PM
Ok, I tried saving the below text to a txt file:

You didn't copy-paste it correctly.

Putting it in a file as suggested will work. But in looking online, it seems to me that Ctrl-D should signal end-of-file on OSX. I don't know why it's not working. I've never used a Mac, though. Can anyone who does use OSX share their experience?

The warning about the signature not being valid is because you didn't do the lsign stuff that I mentioned in the guide.
600  Other / Beginners & Help / Re: Verifying Bitcoin Core on: August 30, 2016, 08:48:58 PM
Hashes in OP should be updated for 0.13 if possible.

Thanks, I forgot about that.