Bitcoin Forum
December 18, 2017, 11:10:21 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
  Home Help Search Donate Login Register  
  Show Posts
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 [45] 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 ... 346 »
881  Other / Meta / Re: New HTTPS keys on: May 25, 2015, 02:54:22 PM
Hash: SHA256

Exponent: 65537 (0x10001)

882  Other / Meta / About the recent server compromise on: May 25, 2015, 02:39:49 PM
On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (ie. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.

Estimated time (conservative) for an attacker to break randomly-constructed passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  <all standard>
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My

Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.

If your account is compromised due to this, email from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
883  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 08:07:42 PM
In situations like TECSHARE's, you can (if you trust TECSHARE and disagree with Vod) post an additional positive rating responding to whatever Vod said. This will counteract Vod's negative rating.

The meaning of having "green" trust is now diminished and will be similar to what was previously the meaning of having black positive trust. 

Oh, good point. I changed it so that you have dark green trust if your score is 5 and dark green if your score is 15.
884  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 07:21:38 PM
It looks like no matter what if the last feedback you receive is negative then you will either have a ?? ? Trust score or a negative score.

Correct. Your trust network is assumed to consist of people who are basically reasonable. So if any trusted ratings are negative (which means "this person is probably a scammer, watch out!"), then this should be taken very seriously. That's why a single negative rating can easily cause a loss of 100+ trust points in this new algorithm. And if the most recent rating is negative, then this is a strong indicator that the person may have been running a long con which has turned into a full-blown scam.

If anyone is abusing this by reposting negative trust unnecessarily or giving out negative trust too easily, then you should remove them from your trust network.

@theymos what is the thinking behind increasing the numbers? It makes changes too much. Was it to increase the strength of DefaultTrust?

You'll get used to the larger numbers. DefaultTrust doesn't get any sort of advantage as far as I can tell.
885  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 06:57:19 PM
??? is a valid score in the new algorithm.

Doesn't that mean if someone receives a positive and a negative rating, they'll go negative if the negative is newer?

If someone has 1 positive and 1 negative, then the time doesn't matter. They'll have a score of -1.

Old -> New
+ - : -1
- + : -1
+ + - : ???
+ - + : 0
- + + : 1
+ + + : >=3
- - + : -3
+ - - : -3
- - - : -8

That seems like quite an extreme decay, ratings after 10 months are worthless? Its going to lead to a lot of reposted ratings to refresh them.

There is no decay. Ratings grow in weight from 1 to 10, then stay at 10 forever. (If the rated person has no negatives.)
886  Other / Meta / Minor trust score algorithm change on: May 20, 2015, 06:23:29 PM
The trust score numbers are now slightly different:
- The first number is the trust score.
- The second number is the number of unique users who have given that person negative feedback.
- The third number is the number of unique users who have given that person positive feedback.
- The fourth number was removed.

I also completely changed the trust score algorithm to this:
if there are no negative ratings
score = 0
for each rating, oldest to newest
if this rater has already been counted
score += min(10, round_up(months since rating))
score = unique_positive - 2^(unique_negative)
if score >= 0
start_time = time of first negative
score = unique_positive since start_time - unique_negative since start_time
if(score < 0)
return ??? (orange)

move score to range [-9999,9999]
return score

This algorithm is a little slower than the previous one. Post here if you think you see extra slowness due to this change. Maybe I need to add extra caching to compensate.

Also post here if someone has a trust score that seems wrong.

I was going to change it so that everyone with 0 trust had orange trust, but I decided that this looked bad and changed it back.
887  Other / Meta / Re: Something's wrong with BCT on: May 20, 2015, 06:18:47 PM
I was changing something. It should be fixed now. Nothing to worry about.
888  Economy / Scam Accusations / Re: MRKLYE is a scammer, scammed 20 BTC and yet has GREEN trust, FIX! on: May 20, 2015, 05:05:12 AM
People with the same trust lists can sometimes see different trust scores due to caching. Whenever your trust network (ie, the list of everyone whose ratings you trust) is calculated, this result is cached for a few hours, and the cache doesn't get invalidated even if people on your trust list update their trust lists. You can force your trust network to be recalculated by clicking "update" on the trust settings page.

Also, the trust score algorithm is pretty bad in general, so it often doesn't make much sense.
889  Other / Meta / Re: Time limits problem on: May 20, 2015, 04:36:52 AM
In my experience, the 360 second limit is reset any time, any account performs an action from a particular IP address.
Additionally, I believe that you can get around the 360 second limit by switching IP addresses

That's how stock SMF handles it, but I fixed this some time ago.
890  Other / Meta / Re: Time limits problem on: May 20, 2015, 03:41:29 AM
You must have been doing something to reset the limit. Searching, reporting, etc. Your IP doesn't matter for that once you're logged in.
891  Other / Meta / Re: Why don't I get an error message while messaging/trusting myself? on: May 17, 2015, 06:40:38 PM
It's useful if you want to send yourself a note.

Adding yourself to your trust list is harmless, do I didn't prevent it.
892  Other / Meta / Re: Would this be allowed? on: May 17, 2015, 05:27:26 AM
The problem is that if it gets (ab)used too much, it might push other topics off of the front page of its section and clutter up "recent posts" and "unread posts since last visit". If you prevent the bot and its users from making the thread an annoyance, then it's OK.

If people can post someone's name and your bot will posts stats, then that sounds fine in general, though I wouldn't want to see people posting a single person's name all the time to see how their stats change. If you warn people not to do this, then it seems reasonable for us to moderate the people who are making too-frequent requests and not the bot, though.
893  Other / Meta / Re: TheButterZone Removed From Default Trust on: May 16, 2015, 10:44:31 PM
Libeler (OP) has default trust T2, libeler's victim (me) was wiped from T2=injustice done.

You are both in the default trust network at depth 2.
894  Bitcoin / Project Development / Re: [ANN] Joinmarket - Coinjoin that people will actually use on: May 16, 2015, 06:02:46 PM
Good to see that some progress is being made on usable CoinJoin. This seems like the best CoinJoin project around currently.

Some possible ideas/improvements come to mind:
- Tor should be easier to use. Probably the default configuration should be to use Tor.
- Only Tor-friendly IRC servers should be used, and only over TLS.
- To reduce centralization, multiple IRC servers could be used. Makers would idle on all of the servers, and takers would find partners using multiple randomly-selected IRC servers. If any servers are down, Joinmarket should issue a warning, as this may be a DoS attack on the IRC server designed to funnel people to attacker-controlled servers.
- Instead of requiring NickServ registration, makers could generate an identity separately (maybe just a Bitcoin address) and communicate it on the IRC channel using public-key crypto. This is more convenient and will work across multiple IRC servers.
- In exchange for a (comparatively large) extra fee, takers could require that the unspent-outputs provided by makers be x blocks deep (I'm thinking ~1500). This reduces the Sybil risk because an attacker will only have so many bitcoins, and this requirement ties up a lot of their bitcoins for a while if a lot of takers are routinely requiring that at least some of their partners provide old bitcoins.
895  Other / Meta / Re: Default Trust Visualisation on: May 16, 2015, 03:24:15 PM
Here's the complete trust network if you want to make a larger graph:

-> is "trusts", -/> is "distrusts".
896  Other / Meta / Re: How can a hero account only have 99 posts? on: May 13, 2015, 01:55:33 AM
IIRC only Newbie, Hero, and Legendary members don't get demoted normally. Maybe I'll fix it at some point, but it's not really a big deal.
897  Other / Meta / Re: Requesting Posts be undeleted and unedited from Several Scammer Accounts on: May 11, 2015, 04:53:15 PM
You request is too broad/complicated. I can't do most of that stuff automatically.

Give me a list of topics and I'll restore posts by those users that used to be in those topics.

After I restore the posts, give me a (preferably short) list of posts that you want the edit logs for. I can't unedit posts automatically.
898  Economy / Auctions / Advertise on this forum - Round 150 on: May 11, 2015, 12:22:01 AM
The forum sells ad space in the area beneath the first post of every topic page. About 25% of ad income goes to the forum moderators as thanks for all of their work. (There are many moderators, so each moderator gets only a small amount -- moderators should be seen as volunteers, not employees.) The rest is stored in the forum's treasury (verifiably), where it sits until the forum needs it.

Ads are allowed to contain any non-annoying HTML/CSS style. No images, JavaScript, or animation. Ads must appear 3 or fewer lines tall in my browser (Firefox, 900px wide). Ad text may not contain lies, misrepresentation, or inappropriate language. Ads may not link directly to any NSFW page. Ads may be rejected for other reasons, and I may remove ads even after they are accepted.

There are 10 total ad slots which are randomly rotated. So one ad slot has a one in ten chance of appearing. Eight of the slots are for sale here. Ads appear only on topic pages with more than one post, and only for people using the default theme.

The ad lasts at least 7 days starting from when I put it up. (However, if you look at the ad history you'll see that ads usually get at least 8 days, and sometimes as many as 10, but this is random and definitely not guaranteed.)


Exact historical impression counts per slot:

Info about the current ad slots:

Ad blocking

Hero/Legendary members, Donators, VIPs, and moderators have the ability to disable ads. I don't expect many people to use this option. These people don't increase the impression stats for your ads.

I try to bypass Adblock Plus filters as much as possible, though this is not guaranteed. It is difficult or impossible for ABP filters to block the ad space itself without blocking posts. However, filters can match against the URLs in your links, your CSS classes and style attributes, and the HTML structure of your ads.

To prevent matches against URLs: I have some JavaScript which fixes links blocked by ABP. You must tell me if you want this for your ads. When someone with ABP and JavaScript enabled views your ads, your links are changed to a special randomized URL which redirects to your site when visited. People without ABP are unaffected, even if they don't have JavaScript enabled. The downsides are:
- ABP users will see the redirection link when they hover over the link, even if they disable ABP for the forum.
- Getting referral stats might become even more difficult.
- Some users might get a warning when redirecting from https to http.

To prevent matching on CSS classes/styles: Don't use inline CSS. I can give your ad a CSS class that is randomized on each pageload, but you must request this.

To prevent matching against your HTML structure: Use only one <a> and no other tags if possible. If your ads get blocked because of matching done on something inside of your ad, you are responsible for noticing this and giving me new ad HTML.

Designing ads

Make sure that your ads look good when you download and edit this test page:
Also read the comments in that file.

I will send you more detailed styling rules if you win slots in this auction (or upon request).

Auction rules

You must be at least a Jr Member to bid. If you are not a Jr Member and you really want to bid, you should PM me first. Tell me in the PM what you're going to advertise. You might be required to pay some amount in advance. Everyone else: Please quickly PM newbies who try to bid here to warn them against impersonation scammers.

Post your bids in this thread. Prices must be stated in BTC per slot. You must state the maximum number of slots you want. When the auction ends, the highest bidders will have their slots filled until all eight slots are filled.

So if someone bids for 8 slots @ 5 BTC and this is the highest bid, then he'll get all 8 slots. If the two highest bids are 8 slots @ 4 BTC and 1 slot @ 5 BTC, then the first person will get 7 slots and the second person will get 1 slot.

The notation "2 @ 5" means 2 slots for 5 BTC each. Not 2 slots for 5 BTC total.

- When you post a bid, the bids in your previous posts are considered to be automatically canceled. You can put multiple bids in one post, however.
- All bid prices must be evenly divisible by 0.05.
- The bidding starts at 0.50.
- I will end the auction at an arbitrary time no more than 12 days from now. (I will probably end the auction 1-3 days before the ads are scheduled to go up.)
- If two people bid at the same price, the person who bid first will have his slots filled first.
- Bids are considered invalid and will be ignored if they do not specify both a price and a max quantity, or if they could not possibly win any slots

If these rules are confusing, look at some of the past forum ad auctions to see how it's done.

I reserve the right to reject bids, even days after the bid is made.

You must pay for your slots within 24 hours of receiving the payment address. Otherwise your slots may be sold to someone else, and I might even give you a negative trust rating. I will send you the payment information via forum PM from this account ("theymos", user ID 35) after announcing the auction results in this thread. You might receive false payment information from scammers pretending to be me. They might even have somewhat similar usernames. Be careful.
899  Economy / Auctions / Re: Advertise on this forum - Round 149 on: May 11, 2015, 12:14:47 AM
Terribly sorry for the very over-long auction -- I completely lost track of time due to end-of-semester university stuff.

Final result:
Slots BTC/Slot Person
1 3.90 BetChain
1 3.85 SwC_Poker
1 3.85 Agorista
3 3.80 FortuneJack
2 3.80
900  Other / Meta / Re: Why can't this forum be a "trusted" community? on: May 06, 2015, 07:59:56 PM
The forum itself isn't going to mark anyone as trusted. That's for traders to decide individually.

It is possible to get trustworthy enough that most people won't require escrow. Escrow agents themselves must meet this criteria, since you're trusting them with the money (unless you're using multisig). But this requires a lot of trust because you have to trust that:
- The person isn't executing a long con.
- In case of an unexpected dispute (lost in the mail, etc.), they will handle it fairly.
- They're competent enough that you can be sure that their account isn't compromised.
- Etc.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 [45] 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 ... 346 »
Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!