|
I think my grandparents watch this guy. Pretty sure no one in his viewership would care about bitcoins.
|
|
|
|
|
Instead of building Bitcoin 2.0 lets just put all resources to making bitcoin succeed we haven't yet and there's still a lot of work to do. Until then all bitcoin/blockchain base currencies are a waste of time.
|
|
|
|
That can easily be solved with a proof of burn or some soft of proof of stake.
Ha! Well think about if it costed $10 for someone to put an PGP key into the DHT then that would probably solve the problem of them registering a fake one. |
|
|
|
How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.
How do they know the email address they are looking up is mine? So lets explore this, I give them a fake email that is in the key server, I get a PGP message, that I can't decrypt and if I can decrypt it I can changed anything cause it is signed. So what is the attack? No. You give Mallory your email address, she gives the server her address. The server encrypts the message with Mallory's key, she decrypts it, changes is, signs it with her key, then encrypts it with your key. You then place the order with Mallory, and send the payment to her bitcoin address. The server doesn't know how to distinguish your key from Mallory's key, and you don't know how to distinguish Mallory's key from the server's key, because that is the problem we are trying to solve. That can easily be solved with a proof of burn or some soft of proof of stake. |
|
|
|
Hi,
I've got plenty of cpu and memory but can't the search be limited to the most recent blocks too? Doing that probably wouldn't be that hard on resources. What I am thinking is to have users that are sending in a payment also submit a form through php/mysql. That form would cause the start of the search of the blockchain until it is found and confirmed. The search would only run for a certain time after a form is submitted.. The form would only be accessible after logging in.
No just use blocknotify and use a command to a program to search the blocks. But that isn't the issue, the blocks are so big now that they just take a while to search. |
|
|
|
Hi there. Hope someone can help as I am a bit stumped.  I have installed Hive on my Mac and it all works wonderfully well. I have back up running to Dropbox and TimeMachine. However I have trying to find where the wallet files are actually located on my Mac, but to no avail. I have looked for the Hive folder in the Library>ApplicationSupport, but its not there. (have unhidden all files and folders) Any idea where Hive could have installed itself? When I search for it using spotlight, absolutely nothing comes up. Befuddled.... :-) ~/Library/Application Support/Hive/BitcoinJ.network
That is where your wallet is store. |
|
|
|
How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.
How do they know the email address they are looking up is mine? So lets explore this, I give them a fake email that is in the key server, I get a PGP message, that I can't decrypt and if I can decrypt it I can changed anything cause it is signed. So what is the attack? |
|
|
|
Say I want to buy some hardware from bitcoinstore.com. I go to their website, prepare my order and check out. They send a payment request, signed by some PGP key. Now what?
So bitcoinstore's servers will look up a pgp key for you, which I am guessing since you supplied them an email would be easy in the key server. Ok, so the merchant's store software looks up the attacker's key and encrypts the store's key so that only the attacker has access to it. The attacker then decrypts it, and re-encrypts it using your actual key, then signs it using their key, which you think is the store's key. Got it.  Just kidding. What will really happen is that the attacker will look up your pubkey, encrypt their key with your key. Since you have no way to authenticate the store's key, you'll have no idea that it was swapped around. They take that public key and use it to encrypt the address, which they also signed. Your client takes this decrypts it and checks the signature, if it is good it displays a green box just like the current payment protocol.
Lets say you don't want your email hashed in the DHT. Then the bitcoind would have it's own public key which then can be sent to bitcoin store, and this would only allow a one way verification by the user and not by the site. These would be less trustworthy than the above but would still work.
Keep in mind that the problem we are trying to solve is how I authenticate a key that I've never seen before. You can't solve that problem with another unauthenticated key. How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store. |
|
|
|
|
Could be, build a gift card with a private key so it can sign the transaction.
I think this is a cool idea actually, I don't know if it technically could work.
|
|
|
|
I don't agree with the man much but gmaxwell is correct with this. <gmaxwell> go11111111111: Mike Hearn is a nice and smart guy. But he's also nearly a parody of himself with his constant recourse to centralization. I dunno, I haven't paid a lot of attention to anything he's said on privacy since he's generally been pretty hostile to it in the past.
Centralization shouldn't always be the answer, privacy much more important. |
|
|
|
First off this isn't my first bitcoin startup but this is my long term startup and first one that I feel I actually have to work at it being good. The site is https://apicoin.ioSo the first week was insane, not only did I buy a VPS that didn't work for my needs but I apparently got a life ban from a second hosting company because they didn't know that the bitcoin node was not a hacking tool. I was saved by http://www.bitronictech.net/ and he actually worked with me to get the right vps for my service. I got it up and running put my paranoid devop hat on and added all security features that I feel are must needs. Thank god I did that. As soon as I started to promote this site, and people saw I had a bitcoin node that is running on the server, I was getting about 100-200 attacks daily. Even though this bitcoin node is in disable wallet mode and is gateway to bitcoin network for other applications basically it has no money didn't stop people from trying. I was reading the server logs more often than I was reading my emails. This caused me not to sleep that much and become even more paranoid. I have fought back most of the attacks. Second week after being sure my server would survive the daily attacks. I started hammering out some long term goals. - Privacy of information that users are querying from my servers.
- Working closely with every client no matter how big or small.
- Making the most robust, secure, and reliable api to bitcoin network.
Then I started hammering out short term goals which are more like features and milestones for the site. These will not be shared. I also fixed a lot of bugs and fine tuned how the site is running. Now I don't have to baby sit it as much and setup my automatic alerts. I also didn't sleep a lot. I also joined a startup forum and was laughed at because I am doing a bitcoin startup. This just made me so much hungrier and I told them I have a lot of work to do, I have yet to be back. Third week which was last week. I woke up everyday, with the mindset of Pinkey and the Brain. To just be hungry about taking over the world. Also I talked to some cool people and went to some cool places (Can't really talk about these parts). The site is in beta and I wish the beta users would be more verbose about what is going right and what is going wrong. I hope to open up payments later this month. Which I will then use the site to have the site notify itself of payments. I hope bring on some talent, because it is just me and social media person. So what I learned these past weeks. One to always stay hungry, corny I know. I breathe, sleep and eat bitcoin, it is has fully become my life. I always on the look out for people to join the site as clients. I send out about 10 cold emails a day, and many of them are not bitcoiners but their site can benefit. I answer some support emails, and I am always looking for ways to improve the site. Feel free to leave questions in this thread. |
|
|
|
I have to agree with kjj. The PKI solution is simple and a guaranteed way of giving a proof of identity, which despite problems, has and will continue to work.
... and has lovely, juicy big back-doors. I see Gavin has moved on now that "the job" has been done. Sadly this is true. He also hasn't done much in the way of smart fees which I think should be a high priority but I guess still having that under his control is the main focus. |
|
|
|
That is not a bad offer and looks like a valuable service. For the amount of effort to learn this I'd say it is well worth it. But I am planning something where I'll need to also monitor bitmessage and probably namecoin too. So I'll get some extra mileage out of the learning curve investment.
For bitmessage I'll want to monitor the addresses, parse the data for certain tags, and then save the contents to a data base.
I'm not sure exactly how or if I'll do similar with name coin but it would be along the lines of using it to grant entry/license type privileges.
Well armoryd is very alpha and I would not recommend it being put in a production. So I would recommend for bitcoin, is to just use bitcoind with txindex=1 and just checking each block and transaction for the addresses you are looking for this will require some strong CPU and ram, but only way I can think of doing it. This should work for namecoin as well. |
|
|
|
I'm working on getting a payment process to receive payments to a web site into cold storage. I would like to be able to monitor deposits made to the address (or perhaps a number of them) after the user does a form submittal. After confirmations I will credit their account but the Bitcoin will be safely offline. I'm studying the jsonRPC PHP api and I think I can get all that working but I understand that for this to work the address needs to be in an account in that bitcoind server.
I would want any receiving addresses to be cold storage so that means the read only version of the wallet would need to be in that server. So can I or how do I create a read-only wallet and get it into the server so I can monitor for deposits to those cold storage addresses? I've looked through the command list and haven't seen anything like an "import address" command.
Thanks in advance
If you want to montior address you can use my service https://apicoin.io this is one of the features and I can help you add it if you want. |
|
|
|
Where is we used a key server that was decentralized like using a DHT, we can then not have to worry about hacks on CA's or it being expensive to start your own.
We also could use each full node be a key server and then you query everyone of them for the public key for the company you want to validate from. With majority rule on what is the correct public key.
Can't Namecoin potentially solve much or most of this problem? Namecoin can be used, I am just saying DHT because I think that would be the smallest and can easily be used along side bitcoind. But I mean this can implemented many ways in many different decentralized format. |
|
|
|
Is the blocknotify (that is set in the conf file) fired on every new block found in the chain or is it something else?
Cheers.
It takes the your command puts it into a shell by using sh -c command for every new block, it gets relayed. |
|
|
|
Say I want to buy some hardware from bitcoinstore.com. I go to their website, prepare my order and check out. They send a payment request, signed by some PGP key. Now what?
So bitcoinstore's servers will look up a pgp key for you, which I am guessing since you supplied them an email would be easy in the key server. They take that public key and use it to encrypt the address, which they also signed. Your client takes this decrypts it and checks the signature, if it is good it displays a green box just like the current payment protocol. Lets say you don't want your email hashed in the DHT. Then the bitcoind would have it's own public key which then can be sent to bitcoin store, and this would only allow a one way verification by the user and not by the site. These would be less trustworthy than the above but would still work. |
|
|
|
Because an implementation contained a bug (now fixed) you want to change the protocol? Makes no sense.
No actually I have been bringing this up for a while now, just that I felt this was another good time to remind people. Also I wasn't a fan of openssl before but this makes it sure that it is too centralized and maybe implementing another library maybe better. |
|
|
|
Well technically you can use a X509 to relay pgp information. I think a PGP certificate would be stronger and better in this case. Also X509 is weak with the signature algorithms, you don't need a link to show that. Well the subtleties do matter. X509 CAN support weak signature algorithms but it can also use require only cryptographically strong algorithms as well. openssl req -new -x509 -sha512 ...
The support for older weaker algorithms is mostly for backwards legacy support, support which isn't needed for a greenfield implementation. No reason that a particular users (or any user) would need to support weak signature algorithms. You can also use MD5 to hash PGP messages as well. If both can be implemented without CAs, both can support key servers, both can use a node network for DHT storage of public keys and/or certs then ultimately the only advantage of using PGP over SSL would be that it is more secure. Sorry you haven't shown that PGP would be more secure than self signed SSL certs. This isn't an academic debate. It is almost certain that Bitcoin will support SSL in payment protocol so it doesn't come down to PGP vs SSL it comes down to SSL vs SSL + PGP. Adding another entire dependency just because weak SSL certs might be weak (and strong ones are cryptographically unbreakable) is well not a very strong argument. Well my main focus is getting a decentralized key server, if it supports SSL first then pgp then fine. I am also not a big fan of openssl, that also is playing into it. I rather they used http://nacl.cr.yp.to/. |
|
|
|
There isn't a widely used transport layer standard for OpenPGP, which is what the protocol needs, so TLS is probably a better choice then PGP for the actual encryption.
This is very much false, all information could be encrypted using the public key of the user that wants to send the bitcoins and then decrypt by their machine. Also I wouldn't include gpg into the actually bitcoin client I would have it called out to the shell so their is a disconnect of passwords and stuff. No it's not false. TLS (per its name) happens at the transport layer. It's baked into every http library in the world. There really isn't a standard to do this for OpenPGP that anyone uses or is supported by any library. What you're proposing requires everyone to implement an ad-hoc poorly specified made-up-just-for-bip-70 encryption scheme and shoving it into the presentation layer. We are talking about two different things, you are saying I want to take the transport layer and wrap it in a PGP encryption which is not what i am talking about. I am talking taking a public key encrypting data so only that private key can read it. Two very different things. |
|
|
|
|
Show Posts
