rated

[usagi]

rated

[bitcoinbear]

Hi,

It looks like a functioning wallet, but I am a bit unsure how it keeps anything safe, since there is no password? Couldn't anybody just type in your username and spend your coins for you?

[error]

No https? No thanks.

I strongly recommend against using this system - or even logging in - until they have at least basic security in place.

The 23 of you who have already logged in to this system should take steps now to ensure the security of everything else you have. That means change all your passwords, etc.

[JWU42]

No https? No thanks.

+10000000

[nhodges]

Is the Sailor Moon thing supposed to instill confidence in prospective users? I totally think it's working, lol.

[2weiX]

made account
how to fund?

fall down boom?

[ThomasV]

mybitcoin.com anyone?

[nimda]

Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with 199.48.69.241 instead of an attacker who generated his own certificate claiming to be 199.48.69.241.

Lolok, have all my BTC plox. YOUR BITCOINS ARE NOW DIAMONDS. SELF-CERT DIAMONDS.

[wachtwoord]

I added a password and now it says it is locked. Why?

[error]

No https? No thanks.

+10000000

Lol it's an alpha release. What did you expect?

You're proposing to handle other people's bitcoins. But I see little evidence that you've spent much time working on the system security. Though you are throwing around lots of buzzwords. Ironic for someone who claims to have lost money in the MyBitcoin compromise.

If you just wanted to demonstrate some interesting functionality, you could have run the thing on testnet.

[bitcoinbear]

Is there any protection for the users from you just taking all the bitcoins and dissapearing, like mybitcoin did? I seem to remember a place called something like strongcoin which encrypted the keys so only the user could acces the bitcoins, the site manager never had any access to the coins.

Another question: I don't see it now, but in the future will you add functionality to import/export keys or access things like cassiacius coins?

[byronbb]

No Https you have to be out of your mind. BOOM.

[rapeghost]

No Https you have to be out of your mind. BOOM.

Lol.. someone's not too quick.

[rapeghost]

usagi has been a customer of mine for a while and we've had some trading related transactions.

If i had any use for this service, I would definitely use it and not have any trust reservations (about usagi anyway)

[nimda]

Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with 199.48.69.241 instead of an attacker who generated his own certificate claiming to be 199.48.69.241.

Lolok, have all my BTC plox. YOUR BITCOINS ARE NOW DIAMONDS. SELF-CERT DIAMONDS.

This post makes no sense. Who are you quoting?

And why?

I am quoting Google Chrome's warning. It should be self-explanatory for a web-dev such as yourself.

Getting back on topic, HTTPS. Do you even know why HTTPS is important? HTTPS uses a SSL certificate as proof that the information which you supply cannot be intercepted by a third party. That's it. What nimda said was wrong, as you should know. But if you know this, why are you complaining? Again, this is just an alpha release. There is simply no way someone has set up a sniffer or has cut cables and is listening to hotwallet right now. We don't even have a hundred users and there just aren't that many bitcoins in the system. (Yes, there are bitcoins in the system. How many? Not tellin').

But sure, I see the value in HTTPS for a production site. It only takes 10 or 20 minutes to set up SSL. Not a priority for an alpha release, but I did it over my coffee break yesterday. Had to be done at some point. Anyways, I guess I should thank you for the tip but please, if you "see no evidence" that just means you don't know what to look for... if you have something real to say though, I'm right here and will fix it ASAP. That's why I am doing this, and coming to the community for advice. To make a better system.

usagi seems to love referring to me by name, rather than the substance of my posts. I do find humor, however, in the fact that I was quoting Google Chrome, a fairly reputable () web-browser.
The fact of the matter is that the blue part up there is misleading. Have you ever used GPG? It's the same concept. The problem is thus:
1. I create a keypair and a malicious version of hotwallet
2. I sign my malicious end and claim that the signature is from hotwallet.
3. I, the third party, intercept the information you supply.
4. Well, who are you to know any better?

SSL only works when a trusted third party signs your keypair. Then this happens:
1. I create the malicious stuff
2. I sign my malicious end
3. You check with the trusted third party (e.g. Verisign). They say "oh no, that's not really Hotwallet's keypair!"
4. You don't lose any personal info or bitcoins.

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:

[nimda]

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
https://i.imgur.com/tcB37.png

Stop being a dink.

"No, u"
Insults like that carry no useful information and add nothing to this thread.

That warning is for sites you've been to before.

The warning contains information pertinent to all websites, and I've never been to Hotwallet before.

If you know it's a new site, an alpha site, which hasn't registered a certificate...

it's okay.

You're handling other people's money. Real money.

Just accept the certificate.

Hell no. That's saying "just trust me." I will never "just trust" anyone, especially not in Bitcoin land.

Seriously nimda you're getting a bad rep for being a know it all tattletale.

Cool. I couldn't care less about my "tattletale" reputation. I "tattle" on potential scammers in the Lending forums too. Look how many people have MNW on ignore, yet they trust his word in a 5000+ BTC bet. The important part is...
I don't scam people, nor am I careless with their money.
That's the only part of my rep I care about.

Accept the certificate, leave, and come back the next day.

Bad idea

No new message? That means....

it's okay.

No, it means you're the same person who said he was hotwallet the day before. In a nutshell, it's basically me "signing" your cert.
You're handling other people's money. Real money. And security should come first. Even before domain names.

Try to understand -- it's a new site. I'm still working on it. I don't even have a hostname yet.

I understand that perfectly. However, security should come first, because you're handling other people's money.

If you feel the government (or worse, hackerz) are waiting around for you to access a startup web wallet for the first time and the lack of me paying $20 or whatever to get a signed certificate raises all sorts of red flags in your mind causing you not to use said web service, you SERIOUSLY need to re-evaluate your security priorities. It's just not that important. I mean fuck, you could encrypt your hard drive with truecrypt and use a 128 character password if you wanted to. It's not going to make you any safer.

Those red flags are popping up all over the place. They're not just "face-value" warnings though. It's not just "oh, this could be a man-in-the-middle attack." Rather, it's "oh, this service is using SSL improperly. I wonder if other aspects of its security are done correctly? Passwords? Storage of BTC?"

Look at all the holes in BitDayTrade. Did you see the Reddit post exposing its flaws? It claimed to use bcrypt, but that was a lie. A lie which was only brought to light when other security flaws were discovered. This is why I have no money on either platform.

Don't take spectators exposing security flaws as personal insults. Take them as suggestions, and use them to improve your service. It's called feedback, and feedback is the main reason that developers even have this pre-release stage that Hotwallet is currently in.

[Deafboy]

VIP, Sr. Member? How did this happen?

[nimda]

He donated 50 BTC to the forums and made a couple hundred posts. I think that's irrelevant to the subject at hand, though.

[error]

Actually I was thinking about spending the day at Starbucks tomorrow firesheeping.

[nimda]

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
https://i.imgur.com/tcB37.png

Stop being a dink.

"No, u"
Insults like that carry no useful information and add nothing to this thread.

You're wrong. They communicate that you're pissing me off and likely many others.

Well, I guess it does communicate that much.

A lot of your ideas are frankly stupid and have only a tenuous connection to reality. I've explained to you why your idea of 'risked capital' is wrong (for example) due to opportunity cost and related counterparty risk

I've already used multiple examples to show that my model is mathematically correct. The "PPT Paying 7.5% Weekly" is just the most simple of these. Additionally, "opportunity cost" or "time value" is factored in to the more complex version of the model. The "PPT Paying 7.5% Weekly" example contains a time value of just over 1%. However, if the time value were 0% (omitted), the value of YARR and related securities would actually be higher. This is why I omitted it -- it's simple and portrays YARR in a better light. But then...

and you changed what you said to justify the same idea.

I, based on your suggestions, elaborated and expanded on my representation of the model.
But this thread isn't about my mathematical analyses. If you would like, I can find the time to engage you in a formal mathematical debate. If it were worth it to me, I'd even write up a whitepaper. The idea, however, is simple enough that I do not think it merits a whitepaper.

As for counterparty risk, this is something which is mostly subjective and must be evaluated by each investor. It is, however, simple enough to factor in as a variable; I can show this if you intend to take up my debate offer.

That's right, you have a rep for ignoring what people say and justifying your own behavior and ideas.

If you say so. I hope you'll notice, however, that instead of ignoring what you're saying, I am splitting up the quote and responding to every last bit of it.

The "No u" is classic. You're a cheap troll.

Of course the "No u" is classic. That's why I quoted it: it was an attempt to show how worthless insults are. If I were trying to cheaply troll this thread, I'd be insulting you more. However, it would seem that whether or not I am consciously trying to troll you, it's working. (Judging by the number of names you've called me in this thread.)

If you can't understand that this is a new site

I understand that perfectly

and that HTTPS was NOT invented to ensure "who you are talking to"

So tell me, how does HTTPS prevent man-in-the-middle attacks?

then you're a real doofus.

That's a new one

I've obviously been around here much longer than you

Yep, and neither of us has gotten the scammer tag yet. Hallelujah.

and I kinda think you're jealous that I am a creative individual

I much enjoy your creations, especially the fact that you have the courage to create something so involved as an insurance company. You should step back for a moment, however, and look at the word "feedback." Not all feedback needs to be positive; negative feedback, when done correctly, is often termed "constructive criticism." My analysis of each insured pirate bond was neutral feedback. When you contested things such as the market price, I was bewildered. The fact exists that at a certain point in time, it was impossible to get shares of YARR on the open market for less than 1.89. Arguing about that seems rather pointless.

while your special skill is being rita repulsa news reporter on bitcointalk.org.

Who was it who cried wolf about Bitcoinica? Would you call them "rita repulsa?"
I have other "special skills" which I have successfully sold on bitcointalk.org, including GPG tutoring and programming. Aside from that, I enjoy reading posts from "Answer the question above with a question" to "[Full Disclosure] CVE-2012-2459 (block merkle calculation exploit)."

That warning is for sites you've been to before.

The warning contains information pertinent to all websites, and I've never been to Hotwallet before.

No, it does not. If you've never been to a website before it does not make sense to assume someone is doing a man in the middle attack. For what purpose? To gather data that.... doesn't exist?   To learn what login you..... don't have?

How about "sniff your login credentials on account creation?" That would work...

It's clear you're not going to shut up about this

I'll shut up when the issue is fixed

so go ahead and have your fun

Thanks

I'll just ignore you.

Have fun with that. lalalala I'm not listening!

I mean it's clear that you're antisocial

Do you need a picture of me skydiving with friends with a shoe on my head?

and are only interested in your crusade against perceived injustices.

Actually, my crusade against MPEX interests me more ATM. You know, the options exchange run by a law-breaking, content-stealing Romanian who runs a net loss business and hosts porn?

Every time something's not quite right there's nimda, pointing it out for all to see. There's quite a few people around here just like you.

Well that's great. I'm glad that potential scammers in lending are pointed out preemptively, that BitDayTrade's security flaws are being exposed, and that people have noticed that VanillaWallet is not open-source and MtGox has apparent solvency issues. Surely these haven't been pointed out by the same guy?

Accept the certificate, leave, and come back the next day.

No new message? That means....

it's okay.

No, it means you're the same person who said he was hotwallet the day before. In a nutshell, it's basically me "signing" your cert.

B I N G O

What can I say? GOOD JOB, MARCO! Keep fishin'!

Thanks. I'm not going to sign your cert, however. In fact, I haven't even signed theymos' public key.

Don't take spectators exposing security flaws as personal insults. Take them as suggestions, and use them to improve your service. It's called feedback, and feedback is the main reason that developers even have this pre-release stage that Hotwallet is currently in.

It's not a FUCKING security flaw nimda. Here's a hint. Even if I have SSL and use LUKS and encrypt everything on the server people can STILL hack the system with a motherfucking AM/FM RADIO from outside the fucking BUILDING if I don't use a god damn FARADAY CAGE! But that's paranoid shit -- you know, like pretending there's hackers out to get you and do a man in the middle attack on you to a website you've never even been to before!

Lol
If hotwallet becomes popular, "do[ing] a man in the middle attack on you to a website you've never even been to before" can become a viable way to make money. Especially if its owner says "oh just ignore that warning."

Seriously, try out the system. Don't deposit any bitcoins in your account? I don't fucking CARE! But please don't come on here and whine about SSL. It's stupid and pointless. Go, find a REAL security flaw -- because you know real security is all about compartmentalization -- and get back to me. This SSL bullshit is noob wannabe shit nimda. Get with the program. You obviously aren't even familiar with SSL spoofing (or you're an unethical asshole). So don't bother. Please, you're just going to make yourself look stupid again.

You wanna talk security? There are dozens of people trying to crack hotwallet right now, not flapping their lips queefing on a forum just talking about it. I've had over 50 SSL injection attacks in the last 3 days on the login page alone. What's the point of getting an independently certified SSL certificate if you can be hacked in some other way or of there's some other gaping security flaw? I loved it when you said that you were wondering what other security holes there were. Yeah I can imagine. All you do is wonder. Like the guy that said he doesn't see any evidence that it's secure. Well frankly I'm not surprised.

I'll come back to this last bit; I g2g.