Bitcoin Forum
1441  Alternate cryptocurrencies / Altcoin Discussion / Re: A warning about Solidcoin for newer users on: September 17, 2011, 06:53:07 PM
So let BitcoinX attack, steal everyone's money, and have the PR mess be even 10x worse huh? He was in emergency mode as far as I am concerned, and as a Solidcoin holder a guy which bite CH Scam and now seek to pass the losses over to other's I and many others supported the move... And judging by the graphs I posted, there has been little resistance from the community.

Fix'd  Cool
1442  Alternate cryptocurrencies / Altcoin Discussion / Re: A warning about Solidcoin for newer users on: September 17, 2011, 06:42:16 PM
But I thought solidcoin was basically unbreakable by CH's own words.
Apparently it will in version 2.0. But we all have to wait and see don't we Smiley.

It will be for sure, running only at CH's LAN without external internet connection, it will be safer than ever. It can run for millenniums without being ever hacked.
 Grin
1443  Other / Off-topic / Re: How much time have you logged into bitcointalk forum? on: September 17, 2011, 06:01:41 PM
Holy! Now that you talk about it:

Total time logged in: 22 days, 23 hours and 18 minutes.

How are ya, the basement neighbors, going btw?  Grin
1444  Alternate cryptocurrencies / Altcoin Discussion / Re: A warning about Solidcoin for newer users on: September 17, 2011, 05:19:07 PM
You forgot that CH arbitrarily inserted 1K phony blocks between block 29000 and 30000, allegedly "to pay bounties" (to himself I guess... sort of "Solidcoin God's wage").
1445  Alternate cryptocurrencies / Altcoin Discussion / Re: Mooncoin - Solidcoin/Namecoin to BTC Exchange on: September 17, 2011, 05:14:48 PM
^^That's the specific reason why I brought it up. ICE's responsibility is interior enforcement, not the border regions; CBP is responsible for what you mentioned!


Not sure what you are getting at. First he claims it was hackers and not ICE, so the cert is probably a herring (yes, even if he was a scammer).

ICE does and has seized domains owned by foreign entities, you can good list of domains seized by ice to see a few.

He's stating that ICE did NOT seize the domain, "Mr. Moon" pointed it there.

But the fact he used that to try to "cover up" also shows he's probably American and from a place or work in an area where ICE have special "authority". It's not a sort of force to be felt everywhere.
1446  Other / Off-topic / Re: [SECURITY WARNING] Dangerous PHP.INI setting by default on: September 17, 2011, 05:08:22 PM
OK, so if you think that was a good measure just go over to all Open Source projects on the web and fix it... you've just probably a few billion of lines of code to go.
~ OR ~ the users could simply have it enabled - they're actually easier to notice when enabled than when disabled.

BTW; that last example isn't anything to exploit it, it's just a concern about context (have it properly escaped/encoded).

And if you want to know how I do it, before going ad hominem, check the source at https://github.com/BCEmporium/PHPCoin
1447  Other / Off-topic / Re: [SECURITY WARNING] Dangerous PHP.INI setting by default on: September 17, 2011, 04:53:46 PM
Magic quotes are like your post; they should never have existed in the first place.


I'm not discussing the "wonders" of it, nor do my scripts rely on it.
However, what "harm" can they do being on? At worst you would get something like John\\'s instead of John's... So, nothing.

And warn people to double check their PHP.INI because some PiDiOts think their rig is better or "so good" to let everybody be hacked is bad because... ?
1448  Other / Meta / Re: Info about the recent attack on: September 17, 2011, 04:36:28 PM
I really would love to know where you folks get those "well paid consultant" jobs!
1449  Other / Off-topic / Re: [SECURITY WARNING] Dangerous PHP.INI setting by default on: September 17, 2011, 04:32:37 PM
OK, so let all the folks who installed Open Sourced software, such as this forum, be hacked because "it didn't work properly" (mind to explain where? With something-no-one-uses SQL? Because with MySQL it did).

That's like you saying that my Yale key is not "secure enough" so you take it away leaving the front door open. Nice one!

Well... it's "Open source" so I guess you get what you paid for, isn't it?
And it's not MY SCRIPT, it's MOST of widely available webscripts around.
1450  Other / Meta / Re: Info about the recent attack on: September 17, 2011, 03:39:44 PM
You may ADD OR REMOVE walls of his path

Yes, that's the "obscurity" part of your reasoning. It doesn't provide any added level of (real) security. When designing a security system all forms of added levels of complexity are risks where there might be edge cases you haven't thought about. You want as few implementation parts as possible, while still giving you a provable level of security.

You really don't know what password attacks are all about, do you? It's NOT a matter of being brute-force proof, because there's NOT and never will be such a thing. It's a matter of TIME. The part that really matters is the attack TIMELINE:

0 m - plain text passwords broken
5 m - unsalted md5 <= 12 chars broken (Rainbow); unsalted ripemd160 <= 8 chars broken...
30m - salted (plain salt) md5 <= 10 chars broken
(...)
1 year - salted (plain) SHA256 <= 12 chars broken
(...)

This is what you can play with: TIME. If you call taking attackers' time "obscurity", then it's your problem. There's no edging on encrypt/generate the salt.
"Educate users" is what fascists do! There's nothing to "educate" there. Good security is passive, active security is bullshit as the user will certainly need security against its "security". Humans are the central part to take into account, not the machines.
1451  Other / Meta / Re: Info about the recent attack on: September 17, 2011, 03:02:26 PM
In passwords the attacker is attempting to «GUESS» the password. You may ADD OR REMOVE walls of his path, ENTROPY.

Such system will ADD WALLS for him to break before «GUESS» what we wants to get.

Salt alone inputs a "NO PRE-COMPUTED HASHES" wall, but it's normally plain text on itself. Your objection is like saying that ADD A WALL is wrong because you think of it to be "obscure".
1452  Other / Meta / Re: Info about the recent attack on: September 17, 2011, 02:48:52 PM
Why does everyone come with "security by obscurity" without even KNOWING what that stands for?!

In Open Source NOTHING is "obscure", it's a class with several flavors, creating entropy, not "obscurity".


Quote
Educate the users instead.

This is what I call "Fascistly Imposed Security".

We don't need no education
We don't need no thought control
No dark sarcasm in the classroom
Teachers leave them kids alone
Hey! Teachers! Leave them kids alone!
1453  Other / Off-topic / [SECURITY WARNING] Dangerous PHP.INI setting by default on: September 17, 2011, 02:29:06 PM
Lately PHP developers had been targeted by Java moles, which came up with bogus "features" such as Private/Public declarations within classes and PDO. It's almost certain that PHP would either need to be forked or dumped at version 6 keeping this path.
Private and Public doesn't add nothing to performance, it's just that Java developers mindset is a mid-way between pure open source of PHP developers and extremely-proprietary mindset of Windows/Apple. Their only use is to prevent some other developer using "MY" class to access properties "I DON'T WANT".

Now, because these moles are getting their way, PHP ships with default EXTREMELY UNSAFE settings. Especially in this point:

magic_quotes_gpc = off -> UNSAFE;

I don't give a "F" if PDO bullshitter thinks his rig is safer than magic_quotes, by disabling it he opened more than 70% of the web to SQL injections. This is the main reason why some sites are being injected lately, people update or move the server to a new one and leave it as the defaults (has been working this far, so why bother, isn't it?)... jumping to this reef without even noticing. This is especially dangerous as many components of Joomla, Drupal, osCommerce... you name it... OS "web applications" rely on magic_quotes to prevent injections.
"It's bad practice to rely on magic_quotes_gpc"? Probably, but works and with so many people using it in such way you've to take it into account in the first place.

My bet was due to this bitcointalk got hacked, they changed from bitcoin.org to the new server and most likely did a fresh install without bothering about php.ini.
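
The context point raised in this thread, as an added example that is not part of the original posts: magic_quotes_gpc ran addslashes() over request data, which only matters where the value ends up inside a quoted SQL string. The table, rows and input values are constructed, and an in-memory SQLite database through the pdo_sqlite extension is assumed.

```php
<?php
// Added example (not from the thread). Table, rows and inputs are constructed.
// Assumes the pdo_sqlite extension for an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// What magic_quotes_gpc did to each GET/POST/COOKIE value: addslashes().
function magicQuote(string $value): string
{
    return addslashes($value);
}

// Legacy pattern: the escaped value is concatenated into a numeric context.
// There are no quote characters to escape, so the input is parsed as SQL.
function lookupConcat(PDO $db, string $rawId): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . magicQuote($rawId);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the input is sent as data and never joins the SQL text.
function lookupPrepared(PDO $db, string $rawId): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$rawId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = '2 OR 1=1';  // constructed request value containing no quotes

var_dump(magicQuote($input) === $input);  // did escaping change the value at all?
print_r(lookupConcat($db, $input));       // rows matched by the concatenated query
print_r(lookupPrepared($db, $input));     // rows matched by the prepared query
print_r(lookupPrepared($db, '2'));        // a well-formed id through the same path

// Escaping twice (magic quotes on plus the script's own addslashes) alters stored data.
var_dump(magicQuote(magicQuote("John's")));
```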
1454  Other / Meta / Re: Info about the recent attack on: September 17, 2011, 12:59:24 PM
I'm not sure what you're getting at, but I don't disagree with what you've said.  Although we are veering further away from the topic at hand.  Are you posing a question or other interrogative or just commenting?

I'm checking and demonstrating in terms of real code what you are discussing about; Salt generation.

In fact that $algorithm$salt$hash of crypt
the hash:salt of many systems
is a handicap on encryption.

But what resembles to be the best solution on this on-demand generated salt with Open Source software would be to create a salt class with different approaches and let the site owner select which to use within config. This way an attacker would have to guess first which salting method was used before attempting to attack, and within the availabilities to generate the salt and input; xored strings, substring of hashes, multiple round sha hashing, bitwise etc... this may mean he would grow old before achieving something, even for the weakest of passwords.
1455  Other / Archival / Re: delete on: September 17, 2011, 12:13:12 PM
So, then came the FBI and shuts down the servers...
P2P blockchain is the most powerful tool that we have today to play a alternate currency that is impossible to these fuckers (FBI/US Gov/etc) to shutdown it.

Wrong Thiago, my draft is even more resilient to that than the existing blockchain. It's P2P too, doesn't have a X Mb blockchain, however have a small Mb shared (replicated) database used to bootstrap the protocol.

Eg. The nr. of needed banks to validate a transfer must be a % of the existing banks, as anyone can set up a bank at home, this number keeps changing so this central db keeps updating the bank-list and yet to be validated xfers.
What makes it more resilient than the blockchain is that it's normally smaller and faster to spread.

But bottom line, is the P2P replication which makes bitcoin resilient, not exactly "this" blockchain.



OT:

After CoinHunter came up playing God, now BCX is playing Jesus by attempting to resurrect the dead and rotten solidcoin.

This makes me wonder: Who will play the Holy Spirit to close the Trinity of Solidcoin?
1456  Other / Archival / Re: delete on: September 17, 2011, 02:43:52 AM
Actually if I would get to something in these grounds would be totally different than bitcoin.

Here's a draft:

Client/Server environment. No blockchain.

Generation could be done by the servers (which operate as a sort of banks) based on hashing (BTC style) or uptime and effort towards the network.

2 decimals only. 0.01 to be the minimum, nothing below it.

The currency itself would be then certificates, being the servers able to process payments by revoke those certificates against PK A and passing them to PK B. Each of those certificates would have a specific amount: 0.01, 0.05, 0.10, 0.20, 0.50, 1, 2, 5, 10, 20, 50, 100

So basically if I'm going to pay you 43, I'll be sending you two 20 certs + 1 2 cert + 1  1 cert. My client announces it to, let's say, 10~100 banks which start to process the payment revoking those 2x20+2+1 certs I have and reissuing it to you. The trust and double spending prevention is then done by multicasting the transference through multiple "banks".
1457  Other / Archival / Re: delete on: September 17, 2011, 01:53:15 AM
It could be called BitcoinEXpress' SolidCoin (BSC for short Wink)

BSC sounds OK, actually we could start to name these alt-chains BSC (BullShitCoin), YaBSC(Yet another BullShitCoin)...
1458  Alternate cryptocurrencies / Altcoin Discussion / Re: Mooncoin - Solidcoin/Namecoin to BTC Exchange on: September 17, 2011, 01:36:13 AM
Lol, I guess you guys never looked at the cert.


"moonco.in uses an invalid security certificate.

The certificate is only valid for www.ice.gov

(Error code: ssl_error_bad_cert_domain)"

Yes, we did... pointing his domain at customs makes me believe that guy lives in a place where customs have more power so he's used to look at them as sort of "major authority", like harbor areas, near the border...


1459  Other / Meta / Re: Info about the recent attack on: September 17, 2011, 01:31:55 AM
I didn't see an answer so i'll repeat my question, would using a triple SHA512 hash of the username instead of the plain username be of any help?

As we say in portuguese: "Nim" (mix não [no] and sim [yes])

It would be better to input a random number of turns instead of fixed 3, let's say 3~6:

Code:
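<?php
// Derive the salt by hashing the username a random number of times (3 to 6).
function genSalt($username){
   $rounds = mt_rand(3,6);
   $salt = $username;
   for($l = 0; $l < $rounds; $l++){
      $salt = hash("sha512",$salt);
   }
   return $salt;
}
// The round count is not stored, so every count from 3 to 6 is tried in turn.
function checkPass($username,$givenpass,$hashpass){
   $pointer = 0;
   $salt = $username;
   for($l = 0; $l < 6; $l++){
      $salt = hash("sha512",$salt);
      $pointer++;
      if($pointer >= 3){
         $test = hash("sha512",$givenpass.$salt);
         // Strict comparison: == would compare numeric-looking strings as numbers.
         if($test === $hashpass) return true;
      }
   }
   return false;
}
?>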
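
An added example, not part of the original post: it lists every value the genSalt()/checkPass() pair above can accept for one username and password, then shows PHP's built-in password_hash(), which draws a random salt per hash and stores it with the algorithm and cost in the `$algorithm$salt$hash` style discussed in this thread. The username and password are constructed sample values, and PHP 5.5 or later is assumed.

```php
<?php
// Added example; username and password below are constructed sample values.

// All values the posted genSalt()/checkPass() pair can accept for one
// username and password: one candidate per round count from 3 to 6.
function candidateHashes(string $username, string $password): array
{
    $candidates = [];
    $salt = $username;
    for ($round = 1; $round <= 6; $round++) {
        $salt = hash('sha512', $salt);
        if ($round >= 3) {
            $candidates[$round] = hash('sha512', $password . $salt);
        }
    }
    return $candidates;
}

$user = 'alice';
$pass = 'correct horse';

// The salt is a pure function of the username, so two independent sites
// (or two runs) derive the same candidate set for the same credentials.
$siteA = candidateHashes($user, $pass);
$siteB = candidateHashes($user, $pass);
printf("candidates per guess: %d, identical across sites: %s\n",
    count($siteA), $siteA === $siteB ? 'yes' : 'no');

// password_hash() draws a fresh random salt for every call and stores the
// algorithm, cost and salt inside the returned string.
$h1 = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
printf("bcrypt hashes differ: %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("both verify: %s\n",
    password_verify($pass, $h1) && password_verify($pass, $h2) ? 'yes' : 'no');

// Raising the cost later only needs a re-hash at the next successful login.
if (password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 13])) {
    $h1 = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 13]);
}
print_r(password_get_info($h1));
```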

1460  Other / Archival / Re: delete on: September 17, 2011, 01:22:52 AM
If you feel like it BCX, however this grants me the privilege to bash you down hard as soon as you try to:

a) Add "phony" blocks like those 10K
b) Input pre-magically-generated 1 M coins
c) Come to say I must call your junk by "SC", "BC" or something alike - I'll call it as I see it suits

Other than that... be happy.