usagi
VIP
Hero Member
Offline
Activity: 812
Merit: 1000
13
March 07, 2013, 03:27:05 AM

This is a good opportunity for a little education I suspect. If our DNS is compromised, which is entirely possible, we do not operate it: (The registrar does.)
- A potential hacker could put up a clone of our login page and collect your logins and passwords.
- Then the hacker could set his own /etc/hosts file and log into the real site with those logins and passwords.
- Then the hacker trades all your stuff off for pennies on the dollar and withdraws all the coins and walks away.
The only protection from this is to use 2-Factor authentication. If you don't already have a Yubikey or a mobile phone with Google Authenticator, NOW is the time to set it up. Do not put it off. Do it now.

Actually no, 2-factor authentication is not a protection against someone getting your DNS or getting root or anything like that. It's protection against most forms of keyloggers, and that's about it. Just sayin'
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 07, 2013, 03:28:51 AM

This is a good opportunity for a little education I suspect. If our DNS is compromised, which is entirely possible, we do not operate it: (The registrar does.)
- A potential hacker could put up a clone of our login page and collect your logins and passwords.
- Then the hacker could set his own /etc/hosts file and log into the real site with those logins and passwords.
- Then the hacker trades all your stuff off for pennies on the dollar and withdraws all the coins and walks away.
The only protection from this is to use 2-Factor authentication. If you don't already have a Yubikey or a mobile phone with Google Authenticator, NOW is the time to set it up. Do not put it off. Do it now.

OK I have gone ahead and set up Google Authenticator on my google account, and on your site. I know that I could print off some one time use codes for my google account in case I ever lose my phone, don't have it on me etc... Will these same codes work on your site? What do I do if my phone gets stolen?

Best bet is to write down the key it displays with your barcode, or print the barcode so you can re-scan it again. If your phone is stolen, you would re-scan the barcode or enter the key on your new phone, log into the site, and set up a new code. (just to be on the safe side.)
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 07, 2013, 03:37:11 AM

This is a good opportunity for a little education I suspect. If our DNS is compromised, which is entirely possible, we do not operate it: (The registrar does.)
- A potential hacker could put up a clone of our login page and collect your logins and passwords.
- Then the hacker could set his own /etc/hosts file and log into the real site with those logins and passwords.
- Then the hacker trades all your stuff off for pennies on the dollar and withdraws all the coins and walks away.
The only protection from this is to use 2-Factor authentication. If you don't already have a Yubikey or a mobile phone with Google Authenticator, NOW is the time to set it up. Do not put it off. Do it now.

Actually no, 2-factor authentication is not a protection against someone getting your DNS or getting root or anything like that. It's protection against most forms of keyloggers, and that's about it. Just sayin'

Actually, yes, it is protection against any form of man in the middle attack. Both use a time-based nonce with protection against replay. (no key can be used twice within its valid time window... try it, I spent a lot of time on it.) No, it is not protection if BTC-TC is rooted. That comes in the form of backups, firewalls, layers of servers (backend/frontend), and hot/cold wallets. Cheers.
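The replay rule burnside describes above (no code accepted twice within its time window), as an added example written for this page and not BTC-TC's own code: an RFC 6238 TOTP verifier that burns each time step once it has been used, so a captured code cannot be replayed, while a fresh code relayed live by a phishing page would still pass. The secret, timestamps and the TotpVerifier class name are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # TOTP time step in seconds (RFC 6238 default, what Google Authenticator uses)
WINDOW = 1   # accept one step of clock skew on either side of "now"


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP over the time-step counter, i.e. TOTP with HMAC-SHA1 (RFC 4226 / RFC 6238)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check that also refuses to accept any time step twice (constructed example)."""

    def __init__(self, secret_b32: str) -> None:
        self.secret = secret_b32
        self.last_counter = -1   # highest time-step counter already consumed by a login

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for cand in range(counter - WINDOW, counter + WINDOW + 1):
            if cand <= self.last_counter:
                continue     # this step (or an older one) was already used: replay
            if hmac.compare_digest(totp(self.secret, cand), code):
                self.last_counter = cand   # burn the step so the same code cannot be reused
                return True
        return False


# Constructed demo secret in the base32 form Google Authenticator scans from the QR code.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
```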
superbit
March 07, 2013, 04:16:42 AM

This is a good opportunity for a little education I suspect. If our DNS is compromised, which is entirely possible, we do not operate it: (The registrar does.)
- A potential hacker could put up a clone of our login page and collect your logins and passwords.
- Then the hacker could set his own /etc/hosts file and log into the real site with those logins and passwords.
- Then the hacker trades all your stuff off for pennies on the dollar and withdraws all the coins and walks away.
The only protection from this is to use 2-Factor authentication. If you don't already have a Yubikey or a mobile phone with Google Authenticator, NOW is the time to set it up. Do not put it off. Do it now.

OK I have gone ahead and set up Google Authenticator on my google account, and on your site. I know that I could print off some one time use codes for my google account in case I ever lose my phone, don't have it on me etc... Will these same codes work on your site? What do I do if my phone gets stolen?

Best bet is to write down the key it displays with your barcode, or print the barcode so you can re-scan it again. If your phone is stolen, you would re-scan the barcode or enter the key on your new phone, log into the site, and set up a new code. (just to be on the safe side.)

If anyone can just scan the barcode how does this help if your site is hacked? They could see the QR code and install google auth on their own phone.
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 07, 2013, 04:26:40 AM

This is a good opportunity for a little education I suspect. If our DNS is compromised, which is entirely possible, we do not operate it: (The registrar does.)
- A potential hacker could put up a clone of our login page and collect your logins and passwords.
- Then the hacker could set his own /etc/hosts file and log into the real site with those logins and passwords.
- Then the hacker trades all your stuff off for pennies on the dollar and withdraws all the coins and walks away.
The only protection from this is to use 2-Factor authentication. If you don't already have a Yubikey or a mobile phone with Google Authenticator, NOW is the time to set it up. Do not put it off. Do it now.

OK I have gone ahead and set up Google Authenticator on my google account, and on your site. I know that I could print off some one time use codes for my google account in case I ever lose my phone, don't have it on me etc... Will these same codes work on your site? What do I do if my phone gets stolen?

Best bet is to write down the key it displays with your barcode, or print the barcode so you can re-scan it again. If your phone is stolen, you would re-scan the barcode or enter the key on your new phone, log into the site, and set up a new code. (just to be on the safe side.)

If anyone can just scan the barcode how does this help if your site is hacked? They could see the QR code and install google auth on their own phone.

"print the barcode so you can re-scan it again"
The account page won't re-display it unless you have the PIN, and as I am just now realizing, that PIN dialog should be asking for the gAuth code if gAuth is turned on... Will put that on the todo. Cheers.
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
March 07, 2013, 06:20:51 AM

Gee, if only there was some kind of bitcoin-like, proof-of-work based DNS that was impervious to these kinds of redirect shenanigans. Oh wait, .bit and namecoin are well known technologies, but too many sheeple ignored them and now it's almost too late. /THEY DIDN'T LISTEN!!!!1
poly
Member
Offline
Activity: 84
Merit: 10
Weighted companion cube
March 07, 2013, 07:10:51 AM

Gee, if only there was some kind of bitcoin-like, proof-of-work based DNS that was impervious to these kinds of redirect shenanigans. Oh wait, .bit and namecoin are well known technologies, but too many sheeple ignored them and now it's almost too late. /THEY DIDN'T LISTEN!!!!1

Mircea Popescu redirected it to the whitehouse.gov for lols.
superbit
March 07, 2013, 06:02:45 PM

So if the Google Authenticator should only show 1 time why does it show again if I change the settings? Or is that a different key than the one shown the original time, in case I wanted to reset it to a new one?
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 07, 2013, 08:51:13 PM

So if the Google Authenticator should only show 1 time why does it show again if I change the settings? Or is that a different key than the one shown the original time, in case I wanted to reset it to a new one?

It does show when changing the settings as well, but changing the settings requires the same PIN. Both those PIN requirements need to be swapped out for gAuth requirements. Will try to get that patched today. Cheers.
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 09, 2013, 01:31:04 AM

Details regarding the dead man's switch and what to do if anything happens to me are now in the FAQ when logged in. Bottom line, life will go on without me.
ThickAsThieves
March 10, 2013, 06:23:24 PM

Could you push through my withdrawal on ltcglobal?
Also, is it possible to get the manual limit raised and/or removed? I do a lot of day trading, and I need better liquidity.
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 11, 2013, 03:21:01 AM

Could you push through my withdrawal on ltcglobal?
Also, is it possible to get the manual limit raised and/or removed? I do a lot of day trading, and I need better liquidity.

I have a way to flag users to allow a 2x higher withdrawal limit. Please PM me your username (and which exchange) if you would like this turned on for your account. Cheers.
btcash
March 11, 2013, 03:52:21 PM

The status for incoming deposits is still not working. I think it is because I have multiple addresses. Used to work fine a few weeks ago when I had only one address.
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 11, 2013, 04:20:59 PM

The status for incoming deposits is still not working. I think it is because I have multiple addresses. Used to work fine a few weeks ago when I had only one address.

Something happened when I increased the keypoolsize on our bitcoind. A listtransactions no longer displays in chronological order. I used to "listtransactions [account] 50" and now that brings up transactions weeks old on my account and another account I was looking at. This has broken the deposit display, and the creation of the deposit entries in the db. I'm trying to figure out if there's any way to fix it. Will keep you posted. Cheers.
DutchBrat
March 11, 2013, 04:52:38 PM

Hi Burnside,
How long does the manual withdrawal take on average? Does it depend on moving Btc to a hot wallet?
Thanks
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 11, 2013, 05:30:13 PM

Hi Burnside,
How long does the manual withdrawal take on average? Does it depend on moving Btc to a hot wallet?
Thanks

Depends on time of day and what the balance is in the hot wallet. I try to process them a minimum of twice a day, even on the weekends, and it does occasionally get hung up if there's not enough in the hot wallet and I have to spin up the cold wallet. Cheers.
DutchBrat
March 11, 2013, 05:34:41 PM

Hi Burnside,
How long does the manual withdrawal take on average? Does it depend on moving Btc to a hot wallet?
Thanks

Depends on time of day and what the balance is in the hot wallet. I try to process them a minimum of twice a day, even on the weekends, and it does occasionally get hung up if there's not enough in the hot wallet and I have to spin up the cold wallet. Cheers.

And you just processed. Thanks !!!
burnside
Legendary
Offline
Activity: 1106
Merit: 1006
Lead Blockchain Developer
March 12, 2013, 02:34:52 AM

Trading has been halted until I can figure out with certainty there are no implications with the blockchain fork. Impact should be minimal, we're on a customized version of 0.7.2.
Sorry about the inconvenience, but better safe than sorry.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
March 12, 2013, 02:38:46 AM Last edit: March 12, 2013, 05:11:22 AM by TradeFortress

Sounds like all the trading stops are causing the price drop (more than what would have happened if everything was calm). This isn't the end of bitcoin.
btharper
March 12, 2013, 05:09:16 AM

Sounds like all the trading forks are causing the price drop. This isn't the end of bitcoin.

Nope, nothing is ending. The only problem is that there's a fork and someone trying to be malicious could attempt to spend on both networks and wait for the chain to resolve in their favor. Anyone behaving in good faith (most people) will end up on the right blockchain no matter which one they are currently on (as all valid tx's get pushed to each chain). Only malicious parties' tx's will be a problem. On the technical side this is caused by the database in 0.7 only accepting so many tx's in one block. The offending block had ~1700 tx's. The current Dev recommendation is that anyone depending on being on the "right" chain (merchants, miners, pools, etc). Anyone else can keep their version and will eventually end up on the right side of everything. The fork was not caused by an attack. The offending block is not invalid on either chain (except by an implicit database commit restriction). It will get over-reported the wrong way and people will freak out and then everything will return to normal.