Bitcoin Forum
November 12, 2024, 11:39:36 AM *
Author Topic: rated  (Read 4652 times)
usagi (OP)
VIP
Hero Member
August 20, 2012, 10:30:24 PM
Last edit: October 06, 2012, 03:52:43 PM by usagi
 #1

rated
bitcoinbear
Hero Member
August 20, 2012, 10:35:52 PM
 #2

Hi,

It looks like a functioning wallet, but I am a bit unsure how it keeps anything safe, since there is no password? Couldn't anybody just type in your username and spend your coins for you?

CryptoNote needs you! Join the elite merged mining forces right now here in Fantomcoin topic: https://bitcointalk.org/index.php?topic=598823.0
error
Hero Member
August 21, 2012, 02:17:10 AM
 #3

No https? No thanks.

I strongly recommend against using this system - or even logging in - until they have at least basic security in place.

The 23 of you who have already logged in to this system should take steps now to ensure the security of everything else you have. That means change all your passwords, etc.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
JWU42
Legendary
August 21, 2012, 02:27:41 AM
 #4

No https? No thanks.


+10000000

nhodges
Sr. Member
August 21, 2012, 09:09:41 AM
 #5

Is the Sailor Moon thing supposed to instill confidence in prospective users? I totally think it's working, lol.

2weiX
Legendary
August 21, 2012, 09:16:03 AM
 #6

made account
how to fund?

fall down boom?
ThomasV
Legendary
August 21, 2012, 04:33:26 PM
 #7

mybitcoin.com anyone?

Electrum: the convenience of a web wallet, without the risks
nimda
Hero Member
August 21, 2012, 09:09:26 PM
 #8

Quote
Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with 199.48.69.241 instead of an attacker who generated his own certificate claiming to be 199.48.69.241.
Lolok, have all my BTC plox. YOUR BITCOINS ARE NOW DIAMONDS. SELF-CERT DIAMONDS.
wachtwoord
Legendary
August 21, 2012, 09:15:34 PM
 #9

I added a password and now it says it is locked. Why?
error
Hero Member
August 21, 2012, 10:50:06 PM
 #10


Lol it's an alpha release. What did you expect?

You're proposing to handle other people's bitcoins. But I see little evidence that you've spent much time working on the system security. Though you are throwing around lots of buzzwords. Ironic for someone who claims to have lost money in the MyBitcoin compromise.

If you just wanted to demonstrate some interesting functionality, you could have run the thing on testnet.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
bitcoinbear
Hero Member
August 22, 2012, 02:52:58 PM
Last edit: August 22, 2012, 04:12:33 PM by bitcoinbear
 #11

Is there any protection for the users from you just taking all the bitcoins and disappearing, like mybitcoin did? I seem to remember a place called something like strongcoin which encrypted the keys so only the user could access the bitcoins, the site manager never had any access to the coins.

Another question: I don't see it now, but in the future will you add functionality to import/export keys or access things like Casascius coins?

CryptoNote needs you! Join the elite merged mining forces right now here in Fantomcoin topic: https://bitcointalk.org/index.php?topic=598823.0
byronbb
Legendary
August 22, 2012, 03:55:19 PM
 #12

No Https you have to be out of your mind. BOOM.

rapeghost
Sr. Member
August 22, 2012, 04:22:34 PM
 #13

No Https you have to be out of your mind. BOOM.

Lol.. someone's not too quick.
rapeghost
Sr. Member
August 22, 2012, 04:23:23 PM
 #14

usagi has been a customer of mine for a while and we've had some trading related transactions.

If I had any use for this service, I would definitely use it and not have any trust reservations (about usagi anyway)
nimda
Hero Member
August 22, 2012, 06:23:24 PM
 #15

Quote
Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with 199.48.69.241 instead of an attacker who generated his own certificate claiming to be 199.48.69.241.
Lolok, have all my BTC plox. YOUR BITCOINS ARE NOW DIAMONDS. SELF-CERT DIAMONDS.

This post makes no sense. Who are you quoting?

And why?
I am quoting Google Chrome's warning. It should be self-explanatory for a web-dev such as yourself.
Getting back on topic, HTTPS. Do you even know why HTTPS is important? HTTPS uses a SSL certificate as proof that the information which you supply cannot be intercepted by a third party. That's it. What nimda said was wrong, as you should know. But if you know this, why are you complaining? Again, this is just an alpha release. There is simply no way someone has set up a sniffer or has cut cables and is listening to hotwallet right now. We don't even have a hundred users and there just aren't that many bitcoins in the system. (Yes, there are bitcoins in the system. How many? Not tellin').

But sure, I see the value in HTTPS for a production site. It only takes 10 or 20 minutes to set up SSL. Not a priority for an alpha release, but I did it over my coffee break yesterday. Had to be done at some point. Anyways, I guess I should thank you for the tip but please, if you "see no evidence" that just means you don't know what to look for... if you have something real to say though, I'm right here and will fix it ASAP. That's why I am doing this, and coming to the community for advice. To make a better system.
usagi seems to love referring to me by name, rather than the substance of my posts. I do find humor, however, in the fact that I was quoting Google Chrome, a fairly reputable (Roll Eyes) web-browser.
The fact of the matter is that the blue part up there is misleading. Have you ever used GPG? It's the same concept. The problem is thus:
1. I create a keypair and a malicious version of hotwallet
2. I sign my malicious end and claim that the signature is from hotwallet.
3. I, the third party, intercept the information you supply.
4. Well, who are you to know any better?

SSL only works when a trusted third party signs your keypair. Then this happens:
1. I create the malicious stuff
2. I sign my malicious end
3. You check with the trusted third party (e.g. Verisign). They say "oh no, that's not really Hotwallet's keypair!"
4. You don't lose any personal info or bitcoins.

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
nimda
Hero Member
August 22, 2012, 10:35:08 PM
 #16

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
https://i.imgur.com/tcB37.png

Stop being a dink.
"No, u"
Insults like that carry no useful information and add nothing to this thread.
Quote
That warning is for sites you've been to before.
The warning contains information pertinent to all websites, and I've never been to Hotwallet before.
Quote
If you know it's a new site, an alpha site, which hasn't registered a certificate...

it's okay.
You're handling other people's money. Real money.
Quote
Just accept the certificate.
Hell no. That's saying "just trust me." I will never "just trust" anyone, especially not in Bitcoin land.
Quote
Seriously nimda you're getting a bad rep for being a know it all tattletale.
Cool. I couldn't care less about my "tattletale" reputation. I "tattle" on potential scammers in the Lending forums too. Look how many people have MNW on ignore, yet they trust his word in a 5000+ BTC bet. The important part is...
I don't scam people, nor am I careless with their money.
That's the only part of my rep I care about.
Quote
Accept the certificate, leave, and come back the next day.
Bad idea
Quote
No new message? That means....

it's okay.
No, it means you're the same person who said he was hotwallet the day before. In a nutshell, it's basically me "signing" your cert.
You're handling other people's money. Real money. And security should come first. Even before domain names.

Quote
Try to understand -- it's a new site. I'm still working on it. I don't even have a hostname yet.
I understand that perfectly. However, security should come first, because you're handling other people's money.
Quote
If you feel the government (or worse, hackerz) are waiting around for you to access a startup web wallet for the first time and the lack of me paying $20 or whatever to get a signed certificate raises all sorts of red flags in your mind causing you not to use said web service, you SERIOUSLY need to re-evaluate your security priorities. It's just not that important. I mean fuck, you could encrypt your hard drive with truecrypt and use a 128 character password if you wanted to. It's not going to make you any safer.
Those red flags are popping up all over the place. They're not just "face-value" warnings though. It's not just "oh, this could be a man-in-the-middle attack." Rather, it's "oh, this service is using SSL improperly. I wonder if other aspects of its security are done correctly? Passwords? Storage of BTC?"

Look at all the holes in BitDayTrade. Did you see the Reddit post exposing its flaws? It claimed to use bcrypt, but that was a lie. A lie which was only brought to light when other security flaws were discovered. This is why I have no money on either platform.

Don't take spectators exposing security flaws as personal insults. Take them as suggestions, and use them to improve your service. It's called feedback, and feedback is the main reason that developers even have this pre-release stage that Hotwallet is currently in.
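
The distinction argued over in posts #15 and #16, as an added example that is not part of the thread: a client that trusts only a CA rejects a self-signed certificate claiming the same name, while "accept it once and come back tomorrow" only shows that the same key answered both times. It assumes the `openssl` command-line tool is installed; the function names, the test CA and the name `wallet.example` are constructed for the illustration.

```shell
#!/bin/sh
# Added example. Every key, certificate and name is generated locally
# (constructed); "wallet.example" is a placeholder. Assumes openssl is installed.

# make_certs DIR NAME: a test CA, a CA-signed cert for NAME, and an
# impostor's self-signed cert claiming the same NAME.
make_certs() {
    dir=$1; name=$2
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # The trusted third party: a root the client already has in its store.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # The real site: its own key, vouched for by the CA.
    openssl req -new -config "$dir/req.cnf" -subj "/CN=$name" -newkey rsa:2048 \
        -nodes -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/site.pem" 2>/dev/null
    # The impostor: a different key, self-signed, same claimed name.
    openssl req -x509 -config "$dir/req.cnf" -subj "/CN=$name" -newkey rsa:2048 \
        -nodes -days 1 -keyout "$dir/fake.key" -out "$dir/fake.pem" 2>/dev/null
}

# check_cert DIR FILE: what a client that trusts only the test CA concludes.
check_cert() {
    if openssl verify -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1
    then echo trusted; else echo rejected; fi
}

# claimed_name DIR FILE: the identity the certificate asserts about itself.
claimed_name() {
    openssl x509 -in "$1/$2" -noout -subject | sed 's/.*CN *= *//'
}

# fingerprint DIR FILE: SHA-256 of the certificate, as used for pinning.
fingerprint() {
    openssl x509 -in "$1/$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# tofu_check DIR PINNED PRESENTED: reports only whether today's certificate
# matches the one accepted on the first visit, not whose certificate it is.
tofu_check() {
    if [ "$(fingerprint "$1" "$2")" = "$(fingerprint "$1" "$3")" ]
    then echo same-as-first-visit; else echo changed; fi
}

# Demo in a scratch directory.
d=$(mktemp -d) && make_certs "$d" wallet.example
for c in site.pem fake.pem; do
    echo "$c claims $(claimed_name "$d" "$c"): $(check_cert "$d" "$c")"
done
echo "fake, then fake again: $(tofu_check "$d" fake.pem fake.pem)"; rm -rf "$d"
```

`openssl verify` checks the signature chain only; matching the certificate's name against the host being visited is a separate check that browsers perform during the TLS handshake.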
Deafboy
Hero Member
August 22, 2012, 10:50:10 PM
 #17

VIP, Sr. Member? How did this happen?
nimda
Hero Member
August 22, 2012, 10:57:49 PM
 #18

He donated 50 BTC to the forums and made a couple hundred posts. I think that's irrelevant to the subject at hand, though.
error
Hero Member
August 23, 2012, 06:27:13 AM
 #19

Actually I was thinking about spending the day at Starbucks tomorrow firesheeping.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
nimda
Hero Member
August 23, 2012, 01:26:15 PM
 #20

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
https://i.imgur.com/tcB37.png

Stop being a dink.
"No, u"
Insults like that carry no useful information and add nothing to this thread.

You're wrong. They communicate that you're pissing me off and likely many others.
Well, I guess it does communicate that much.
Quote
A lot of your ideas are frankly stupid and have only a tenuous connection to reality. I've explained to you why your idea of 'risked capital' is wrong (for example) due to opportunity cost and related counterparty risk
I've already used multiple examples to show that my model is mathematically correct. The "PPT Paying 7.5% Weekly" is just the most simple of these. Additionally, "opportunity cost" or "time value" is factored in to the more complex version of the model. The "PPT Paying 7.5% Weekly" example contains a time value of just over 1%. However, if the time value were 0% (omitted), the value of YARR and related securities would actually be higher. This is why I omitted it -- it's simple and portrays YARR in a better light. But then...
Quote
and you changed what you said to justify the same idea.
I, based on your suggestions, elaborated and expanded on my representation of the model.
But this thread isn't about my mathematical analyses. If you would like, I can find the time to engage you in a formal mathematical debate. If it were worth it to me, I'd even write up a whitepaper. The idea, however, is simple enough that I do not think it merits a whitepaper.

As for counterparty risk, this is something which is mostly subjective and must be evaluated by each investor. It is, however, simple enough to factor in as a variable; I can show this if you intend to take up my debate offer.

Quote
That's right, you have a rep for ignoring what people say and justifying your own behavior and ideas.
If you say so. I hope you'll notice, however, that instead of ignoring what you're saying, I am splitting up the quote and responding to every last bit of it.
Quote
The "No u" is classic. You're a cheap troll.
Of course the "No u" is classic. That's why I quoted it: it was an attempt to show how worthless insults are. If I were trying to cheaply troll this thread, I'd be insulting you more. However, it would seem that whether or not I am consciously trying to troll you, it's working. (Judging by the number of names you've called me in this thread.)

Quote
If you can't understand that this is a new site
I understand that perfectly
Quote
and that HTTPS was NOT invented to ensure "who you are talking to"
So tell me, how does HTTPS prevent man-in-the-middle attacks?
Quote
then you're a real doofus.
That's a new one
Quote
I've obviously been around here much longer than you
Yep, and neither of us has gotten the scammer tag yet. Hallelujah.
Quote
and I kinda think you're jealous that I am a creative individual
I much enjoy your creations, especially the fact that you have the courage to create something so involved as an insurance company. You should step back for a moment, however, and look at the word "feedback." Not all feedback needs to be positive; negative feedback, when done correctly, is often termed "constructive criticism." My analysis of each insured pirate bond was neutral feedback. When you contested things such as the market price, I was bewildered. The fact exists that at a certain point in time, it was impossible to get shares of YARR on the open market for less than 1.89. Arguing about that seems rather pointless.
Quote
while your special skill is being rita repulsa news reporter on bitcointalk.org.
Who was it who cried wolf about Bitcoinica? Would you call them "rita repulsa?"
I have other "special skills" which I have successfully sold on bitcointalk.org, including GPG tutoring and programming. Aside from that, I enjoy reading posts from "Answer the question above with a question" to "[Full Disclosure] CVE-2012-2459 (block merkle calculation exploit)."
Quote
Quote
That warning is for sites you've been to before.
The warning contains information pertinent to all websites, and I've never been to Hotwallet before.

No, it does not. If you've never been to a website before it does not make sense to assume someone is doing a man in the middle attack. For what purpose? To gather data that.... doesn't exist?   To learn what login you..... don't have?
How about "sniff your login credentials on account creation?" That would work...

Quote
It's clear you're not going to shut up about this
I'll shut up when the issue is fixed
Quote
so go ahead and have your fun
Thanks
Quote
I'll just ignore you.
Have fun with that. lalalala I'm not listening!
Quote
I mean it's clear that you're antisocial
Do you need a picture of me skydiving with friends with a shoe on my head?
Quote
and are only interested in your crusade against perceived injustices.
Actually, my crusade against MPEX interests me more ATM. You know, the options exchange run by a law-breaking, content-stealing Romanian who runs a net loss business and hosts porn?
Quote
Every time something's not quite right there's nimda, pointing it out for all to see. There's quite a few people around here just like you.
Well that's great. I'm glad that potential scammers in lending are pointed out preemptively, that BitDayTrade's security flaws are being exposed, and that people have noticed that VanillaWallet is not open-source and MtGox has apparent solvency issues. Surely these haven't been pointed out by the same guy?

Quote
Quote
Accept the certificate, leave, and come back the next day.

Quote
No new message? That means....

it's okay.
No, it means you're the same person who said he was hotwallet the day before. In a nutshell, it's basically me "signing" your cert.

B I N G O

What can I say? GOOD JOB, MARCO! Keep fishin'!
Thanks. I'm not going to sign your cert, however. In fact, I haven't even signed theymos' public key.

Don't take spectators exposing security flaws as personal insults. Take them as suggestions, and use them to improve your service. It's called feedback, and feedback is the main reason that developers even have this pre-release stage that Hotwallet is currently in.
Quote
It's not a FUCKING security flaw nimda. Here's a hint. Even if I have SSL and use LUKS and encrypt everything on the server people can STILL hack the system with a motherfucking AM/FM RADIO from outside the fucking BUILDING if I don't use a god damn FARADAY CAGE! But that's paranoid shit -- you know, like pretending there's hackers out to get you and do a man in the middle attack on you to a website you've never even been to before!
Lol
If hotwallet becomes popular, "do[ing] a man in the middle attack on you to a website you've never even been to before" can become a viable way to make money. Especially if its owner says "oh just ignore that warning."
Quote
Seriously, try out the system. Don't deposit any bitcoins in your account? I don't fucking CARE! But please don't come on here and whine about SSL. It's stupid and pointless. Go, find a REAL security flaw -- because you know real security is all about compartmentalization -- and get back to me. This SSL bullshit is noob wannabe shit nimda. Get with the program. You obviously aren't even familiar with SSL spoofing (or you're an unethical asshole). So don't bother. Please, you're just going to make yourself look stupid again.

You wanna talk security? There are dozens of people trying to crack hotwallet right now, not flapping their lips queefing on a forum just talking about it. I've had over 50 SSL injection attacks in the last 3 days on the login page alone. What's the point of getting an independently certified SSL certificate if you can be hacked in some other way or if there's some other gaping security flaw? I loved it when you said that you were wondering what other security holes there were. Yeah I can imagine. All you do is wonder. Like the guy that said he doesn't see any evidence that it's secure. Well frankly I'm not surprised.
I'll come back to this last bit; I g2g.