Bitcoin Forum
December 14, 2024, 12:53:42 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3]  All
  Print  
Author Topic: [Beta] myB.TC short names for Bitcoin  (Read 5928 times)
organofcorti
Donator
Legendary
*
Offline Offline

Activity: 2058
Merit: 1007


Poor impulse control.


View Profile WWW
June 14, 2011, 08:02:58 AM
 #41

I'm sure you're a trustworthy guy and I can see a bunch of posts from you, but I'm concerned about security (as you are). In a way, what you're doing needs the same security as banking sites. So...

1. Will you be storing passwords in clear or as salted hashes?

2. 2 factor id: Think you can get Last Pass or Yubikey working on your site?

I hope I don't come off as paranoid, but what you're doing *will* catch on, and if someone hacks you (silently) all those fractions of bitcoins from donations will become a pretty bitpenny :p for someone.

I fully intend to sign up as soon as you can convince my fluttering nerves that my (prolly non-existent) donations will safe, and prevent me from swooning.


Bitcoin network and pool analysis 12QxPHEuxDrs7mCyGSx1iVSozTwtquDB3r
follow @oocBlog for new post notifications
jerfelix (OP)
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
June 14, 2011, 07:01:52 PM
 #42

I'm sure you're a trustworthy guy and I can see a bunch of posts from you, but I'm concerned about security (as you are). In a way, what you're doing needs the same security as banking sites. So...

1. Will you be storing passwords in clear or as salted hashes?

2. 2 factor id: Think you can get Last Pass or Yubikey working on your site?

I hope I don't come off as paranoid, but what you're doing *will* catch on, and if someone hacks you (silently) all those fractions of bitcoins from donations will become a pretty bitpenny :p for someone.

I fully intend to sign up as soon as you can convince my fluttering nerves that my (prolly non-existent) donations will safe, and prevent me from swooning.


1. I use django's auth module, which uses salted hash passwords.  See https://docs.djangoproject.com/en/dev/topics/auth/

2. I have a plan for 2-factor id, but wasn't planning on integrating Last Pass or Yubikey (not in the current plan).  I was thinking more along the lines of allowing users to "lock" their page, and the only way to change it is to unlock it, and the only way to unlock it is through additional authentication.  The easiest implementation would be to email the user an "unlock key"  to the email address that I have on file, that's good for an hour.  Not exactly 2-factor authentication - more like double security with 1-factor - requiring the hacker to have to have guessed the password on my system, as well as hacking the user's email system.

There are several weaknesses in the security right now, but #1 above,  isn't one of them.  Basically, you need to trust:

-  me  (I can be lying, above.  I may actually store the passwords in plaintext and post them on a bulletin board in Times Square.  You just don't know.  Also, I can change your wallet ID at any time, regardless of how I store passwords; it's just a SQL database!)
-  the security of my system (if someone hacks my database, or physically hacks the system in person, no matter what measures I have in place for user security, all bets are off)
-  the security measures I put in place (such as my plan on #2)
-  A bunch of stuff between you and me - network / middle men.
-  Basic user security (do you have a good password, for instance.  I have few requirements here).


Right now, there are many potential attack vectors, and no system is perfect.  But if the system gets popular, you can bet I'll be adding additional layers.

Without providing a roadmap for hackers, I can tell you that it's not a perfect system now.  I'll be taking steps that I feel are appropriate based on the popularity of the service.  The ones that come to mind immediately are: 

-  SSL
-  Account Lock-out on too many bad passwords
-  "locking" mechanism mentioned above
-  notification of users when their page changes
-  random verification of pages from an external source (to monitor for unexpected changes)

---

There are a lot of people (including you) who put their Wallet ID in their signature of their posts.  These people are essentially trusting the forum managers, the forum software itself, the server that the software is running on, etc.  It seems a hacker can come in a change all those ID's to their own, and no one would notice.

I'm thinking that I need to manage security so that I stay at least a step ahead of forum signatures.  I am not aiming for "Bank level security" at this point.  I do know something about security, as I have consulted with fortune 500 companies on their system security, and have given numerous presentations and papers on system security, and even acted as an expert witness in a reasonably highly publicized court case regarding matters of security.  One paper that I co-authored is (last time I checked) a foot note in Wikipedia on a Security-related article (on phishing for passwords, of all things!)

So I hope you find this somewhat comforting.
tomfluff
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
June 14, 2011, 07:23:51 PM
 #43

Looks like a pretty cool idea, I immediately signed up

After looking at other peoples myb.tc links I though the pages looked pretty horrible and your service seems to offer no customisation options.

Then when I realised you were looking for 0.10btc to register a shortname I closed the tab

Without more features this service is worthless to me. Features such as customisable myb.tc pages. This could be changing the colour scheme from the horrid default.

And also maybe a pay now button and features to invoice or request money from other myb.tc users.

at the minute it looks like the site took < 1 hour to implement and could be easily recreated by someone else.


You've got the right domain name, the right idea, the right style. Just keep updating the site and make it worth the 0.1btc Smiley

ps. I liked the pun on the front page

Quote
It's simple if you can remember where the "dot" goes.    It's myB.TC
Two digits to the right of the "decimal". It almost makes cents! :-)
jerfelix (OP)
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
June 14, 2011, 07:45:42 PM
 #44

You've got the right domain name, the right idea, the right style. Just keep updating the site and make it worth the 0.1btc Smiley
Thanks for the feedback. 
I see that you are relatively new to the forums (user number 17000 or so). 

What you may have missed is that I gave away short name registrations to all registered forum users whose names conformed to my naming constraints.  I used the list of forum users which was about 11000 users at the time.

I put the .1 BTC obstacle in place purely as a deterrent to keep people from registering a few hundred shortnames each, and it has worked.  Trust me, there's a plan here, including many more features.  Making .1 BTC off of shortnames wouldn't be a very good living - it's just a deterrent.

I'll probably grab the next 10,000 forum users' names one of these days - I've been reluctant to do that, since the forums are so slow lately - they don't need me to slow them down any!



Lightspeed
Full Member
***
Offline Offline

Activity: 126
Merit: 100



View Profile
June 14, 2011, 08:22:55 PM
 #45

5 BTC?

You've lost the plot and gone money mad bro.

Overclocking = money? Greatest full time hobby ever!
1AR2eheP4nckS3tuzZHG6ARYndeddxmeDg
jerfelix (OP)
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
June 14, 2011, 09:22:47 PM
 #46

5 BTC?
You've lost the plot and gone money mad bro.
Nothing under 4 letters is cheap while in Beta. 
Once again, it's a deterrent, during Beta.

As I mentioned earlier, I pre-registered over 10,000 for freebies.
Alex Beckenham
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
June 15, 2011, 12:53:02 AM
 #47

This one has less features, but it's quick and free: http://payb.tc

Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!