Bitcoin Forum
November 02, 2024, 06:07:28 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  

Warning: Moderators do not remove likely scams. You must use your own brain: caveat emptor. Watch out for Ponzi schemes. Do not invest more than you can afford to lose.

Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 [40] 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 ... 139 »
  Print  
Author Topic: [BTC-TC] Virtual Community Exchange [CLOSED]  (Read 316506 times)
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 01, 2013, 07:52:35 AM
 #781

You should add a trollbox to your site! You can use CoinChat - simply iframe it with the "j:yourroom" part so they'll automatically be in your room. If you create it, you have full moderation powers like kicking people.

Some third party clients for coinchat:

http://chromaticcreative.net/bitcoin/moobot/flatapp.php#

http://whiskers75.github.io/whiskchat/index.html

They're all responsive and can fit into any size.
ThickAsThieves
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500



View Profile
June 01, 2013, 08:20:58 AM
 #782

You should add a trollbox to your site! You can use CoinChat - simply iframe it with the "j:yourroom" part so they'll automatically be in your room. If you create it, you have full moderation powers like kicking people.

Some third party clients for coinchat:

http://chromaticcreative.net/bitcoin/moobot/flatapp.php#

http://whiskers75.github.io/whiskchat/index.html

They're all responsive and can fit into any size.

Please don't add chat.
Garr255
Legendary
*
Offline Offline

Activity: 938
Merit: 1000


What's a GPU?


View Profile
June 01, 2013, 09:47:52 AM
 #783

Please don't add chat.
^

“First they ignore you, then they laugh at you, then they fight you, then you win.”  -- Mahatma Gandhi

Average time between signing on to bitcointalk: Two weeks. Please don't expect responses any faster than that!
Newscastix
Sr. Member
****
Offline Offline

Activity: 349
Merit: 250


View Profile
June 01, 2013, 09:53:50 AM
 #784


+1

Especially not by embedding/iframing 3rd party sites you have no control of like proposed above.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 01, 2013, 10:11:56 AM
 #785

There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue
btharper
Sr. Member
****
Offline Offline

Activity: 389
Merit: 250



View Profile
June 01, 2013, 10:41:25 AM
 #786


No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
Why not send the following data: (add or subtract to your liking)

GPG(Btct.co key)-Sign({trade:{time:<timestamp>, asset:<Asset name>, qty:<+-number traded based on buy/sell>, bal:<new balance>}
,info:{GPG(issuers key)-encrypt({nonce:<incremented value>, user:<userid in 12h emails>, from:{0:{user:<user id of other side of the txn>, qty:<number>},<n>{user:.., qty:..}} ) }

No new emails are required (but some extra processing and data per email, and extra work for issuers, but that's true in any system). This transmits (securely) everything the buyer needs to to prove they have new shares (asset name, how many, how many they have now). The issuer (but not the buyer or seller) can decrypt the portion containing everything about what user(s) sold their shares and how many. Userids are linked to the email that's normally sent out. The nonce assures correct ordering of separate transactions (even if the timestamp is identical), and allows the issuer to know at least how many transactions are missing based on holes from the highest nonce (but not later transactions with higher nonce's). The nonce should also be included in the emails so the issuer knows where the next one starts (generating the email should increment and get it's own unique nonce to create a clear before and after, no >=/<= confusion). Additionally if you wanted to the encrypted portion could also contain data for n previous transactions (not including ones before the email if one was sent just before the emailed txn) to help fill in the pieces faster for issuers, but increasing overhead and complexity of server side code.

Only issue that's glaring at me is if the key is compromised then there's no way to verify anything, but that's a larger problem anyway.
btharper
Sr. Member
****
Offline Offline

Activity: 389
Merit: 250



View Profile
June 01, 2013, 10:44:54 AM
 #787

There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue
Between security concerns (founded in truth, founded in paranoia, or unfounded) and potential to be seen as a spambox I'm not sure everyone would enjoy it at all. It could be possible to make a browser plugin to add boxes to sites that could use this as an initial offering. Taking the far end of an opt-in system.
Newscastix
Sr. Member
****
Offline Offline

Activity: 349
Merit: 250


View Profile
June 01, 2013, 03:36:21 PM
 #788

There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue

Even if the iframed stuff is isolated, it is still embedded and the html/flash/java within the iframe is executed.

I just need to hack the chat provider and i can have any content displayed in within the iframe. Great for malicious code/java/etc.

And everything of that is beyond the control of the owner/admin of btctc.

burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
June 01, 2013, 04:07:59 PM
 #789

There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue

There's always #bitcoin-assets on Freenode.  Wink
burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
June 01, 2013, 04:23:03 PM
 #790


No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
Why not send the following data: (add or subtract to your liking)

GPG(Btct.co key)-Sign({trade:{time:<timestamp>, asset:<Asset name>, qty:<+-number traded based on buy/sell>, bal:<new balance>}
,info:{GPG(issuers key)-encrypt({nonce:<incremented value>, user:<userid in 12h emails>, from:{0:{user:<user id of other side of the txn>, qty:<number>},<n>{user:.., qty:..}} ) }

No new emails are required (but some extra processing and data per email, and extra work for issuers, but that's true in any system). This transmits (securely) everything the buyer needs to to prove they have new shares (asset name, how many, how many they have now). The issuer (but not the buyer or seller) can decrypt the portion containing everything about what user(s) sold their shares and how many. Userids are linked to the email that's normally sent out. The nonce assures correct ordering of separate transactions (even if the timestamp is identical), and allows the issuer to know at least how many transactions are missing based on holes from the highest nonce (but not later transactions with higher nonce's). The nonce should also be included in the emails so the issuer knows where the next one starts (generating the email should increment and get it's own unique nonce to create a clear before and after, no >=/<= confusion). Additionally if you wanted to the encrypted portion could also contain data for n previous transactions (not including ones before the email if one was sent just before the emailed txn) to help fill in the pieces faster for issuers, but increasing overhead and complexity of server side code.

Only issue that's glaring at me is if the key is compromised then there's no way to verify anything, but that's a larger problem anyway.

That's a great idea, issuing a key per issuer.  No real flaws as far as I can tell.

I've thought about the compromised key issue a bit.  Things always get ugly if the box gets rooted.

Thank you for that!
furuknap
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250

http://coin.furuknap.net/


View Profile WWW
June 01, 2013, 05:10:32 PM
 #791

Burnside, did you change anything with the CSS just now? In IE I now get this:

http://imgur.com/kgQK8SS

Looks good in FF, though.

.b

btharper
Sr. Member
****
Offline Offline

Activity: 389
Merit: 250



View Profile
June 01, 2013, 05:29:33 PM
 #792


No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
Why not send the following data: (add or subtract to your liking)

GPG(Btct.co key)-Sign({trade:{time:<timestamp>, asset:<Asset name>, qty:<+-number traded based on buy/sell>, bal:<new balance>}
,info:{GPG(issuers key)-encrypt({nonce:<incremented value>, user:<userid in 12h emails>, from:{0:{user:<user id of other side of the txn>, qty:<number>},<n>{user:.., qty:..}} ) }

No new emails are required (but some extra processing and data per email, and extra work for issuers, but that's true in any system). This transmits (securely) everything the buyer needs to to prove they have new shares (asset name, how many, how many they have now). The issuer (but not the buyer or seller) can decrypt the portion containing everything about what user(s) sold their shares and how many. Userids are linked to the email that's normally sent out. The nonce assures correct ordering of separate transactions (even if the timestamp is identical), and allows the issuer to know at least how many transactions are missing based on holes from the highest nonce (but not later transactions with higher nonce's). The nonce should also be included in the emails so the issuer knows where the next one starts (generating the email should increment and get it's own unique nonce to create a clear before and after, no >=/<= confusion). Additionally if you wanted to the encrypted portion could also contain data for n previous transactions (not including ones before the email if one was sent just before the emailed txn) to help fill in the pieces faster for issuers, but increasing overhead and complexity of server side code.

Only issue that's glaring at me is if the key is compromised then there's no way to verify anything, but that's a larger problem anyway.

That's a great idea, issuing a key per issuer.  No real flaws as far as I can tell.

I've thought about the compromised key issue a bit.  Things always get ugly if the box gets rooted.

Thank you for that!
You could use btc-otc for people already active there, or just insist that all issuers be active there and use those keys. Either way you don't have to worry about creating and distributing the keys yourself.

As far as the compromised key issue, all I can think of is getting another server to sign a timestamp + btct.co data at the cost of another extra step. Depending on how the mail system is setup now (I'm assuming one for trading activity that tells a mail server to send things), and assuming rooting one wouldn't mean definitely or possibly owning both servers you could have the trade machine sign transaction data and the mail server sign data+timestamp. Then as long as both servers aren't rooted you can't forge a timestamp that supersedes the correct data.
burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
June 01, 2013, 05:54:24 PM
 #793

Burnside, did you change anything with the CSS just now? In IE I now get this:

http://imgur.com/kgQK8SS

Looks good in FF, though.

.b

What's wrong with that?  Looks great to me!   Grin

Problem seems to be that all of a sudden IE wants to render it in compatibility mode.  (compatible with what?  IE 3?)

I added some code in the header and it seems better now.

Code:
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7; IE=EDGE" />

Cheers.
burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
June 01, 2013, 06:07:25 PM
 #794

You could use btc-otc for people already active there, or just insist that all issuers be active there and use those keys. Either way you don't have to worry about creating and distributing the keys yourself.

As far as the compromised key issue, all I can think of is getting another server to sign a timestamp + btct.co data at the cost of another extra step. Depending on how the mail system is setup now (I'm assuming one for trading activity that tells a mail server to send things), and assuming rooting one wouldn't mean definitely or possibly owning both servers you could have the trade machine sign transaction data and the mail server sign data+timestamp. Then as long as both servers aren't rooted you can't forge a timestamp that supersedes the correct data.

I'm thinking I'll create a key pair for all issuers when the security is created, then let them override it if they want.  That way the users with existing keys should be good to go.

The mail setup would have to be altered significantly to do the staged signing, but it's a great idea.  I'll have to think about it a bit.

Cheers.


btharper
Sr. Member
****
Offline Offline

Activity: 389
Merit: 250



View Profile
June 01, 2013, 07:19:09 PM
 #795

You could use btc-otc for people already active there, or just insist that all issuers be active there and use those keys. Either way you don't have to worry about creating and distributing the keys yourself.

As far as the compromised key issue, all I can think of is getting another server to sign a timestamp + btct.co data at the cost of another extra step. Depending on how the mail system is setup now (I'm assuming one for trading activity that tells a mail server to send things), and assuming rooting one wouldn't mean definitely or possibly owning both servers you could have the trade machine sign transaction data and the mail server sign data+timestamp. Then as long as both servers aren't rooted you can't forge a timestamp that supersedes the correct data.

I'm thinking I'll create a key pair for all issuers when the security is created, then let them override it if they want.  That way the users with existing keys should be good to go.

The mail setup would have to be altered significantly to do the staged signing, but it's a great idea.  I'll have to think about it a bit.

Cheers.
All told, that should work well too, although the difference between per security and per user might matter (complicated by issuers using multiple accounts across multiple assets and personal trading).

Glad I could help you with a fun, challenging weekend project.
Skrapps
Newbie
*
Offline Offline

Activity: 42
Merit: 0



View Profile
June 01, 2013, 07:34:00 PM
 #796

I have a suggestion: Can there be a way to add some optional requirements/settings for the 'Withdraw to- Address Lock' and/or 'Internal Transfers'? Maybe options such as email confirmations, or some other verification (besides the PIN)?

My situation: I locked my withdraw address to an offline, paper address, thinking that I would probably reinvest most of my dividends and wouldn't need to withdraw anything for awhile. However I changed my mind, some other investments on other sites caught my eye, and I wanted to make a few purchases with earned dividends - though I didn't want to load and use the offline wallet yet.

Instead, I created another account and internally transferred my spare BTC to the new account. Within some odd minutes I had my coin off of btct.co.

I know there is already quite a bit of security in place, and that if an attacker had my PIN and 2FA then my email probably is compromised as well, though I still feel irksome that I was able to contradict an earlier decision of mine. Not that I'm asking you to save me from myself, not your job to watchdog the users and safeguard against self-sabotage. Though I can't see much downside if there were a few more options a user could place on his account, if implementation was easy and it didn't increase things too much on your end.

Could one have a time-specific withdraw lock (maybe a week or month, etc), delays or confirmations for internal transfers (or maybe securities only transfers), etc?

Regardless, love the site and the work you put into it is admirable. Thanks!
blurden
Newbie
*
Offline Offline

Activity: 34
Merit: 0


View Profile
June 03, 2013, 12:31:49 AM
 #797

as the clients grow more available on bitcoinx - would you have any interest into converting ASICMINER-PT to a colored bitcoin system? I've only scratched the surface on the concept myself - but it seems to be a pretty exciting idea...
burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
June 03, 2013, 12:38:10 AM
 #798

as the clients grow more available on bitcoinx - would you have any interest into converting ASICMINER-PT to a colored bitcoin system? I've only scratched the surface on the concept myself - but it seems to be a pretty exciting idea...

I probably would 't run the PT outside btct.co.

I think in this thread the question would be whether or not the entire site would support the colored coin system somehow.  It is pretty exciting, but I'm not really sure how they could be integrated exactly.
burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
June 03, 2013, 12:49:31 AM
 #799

I have a suggestion: Can there be a way to add some optional requirements/settings for the 'Withdraw to- Address Lock' and/or 'Internal Transfers'? Maybe options such as email confirmations, or some other verification (besides the PIN)?

My situation: I locked my withdraw address to an offline, paper address, thinking that I would probably reinvest most of my dividends and wouldn't need to withdraw anything for awhile. However I changed my mind, some other investments on other sites caught my eye, and I wanted to make a few purchases with earned dividends - though I didn't want to load and use the offline wallet yet.

Instead, I created another account and internally transferred my spare BTC to the new account. Within some odd minutes I had my coin off of btct.co.

I know there is already quite a bit of security in place, and that if an attacker had my PIN and 2FA then my email probably is compromised as well, though I still feel irksome that I was able to contradict an earlier decision of mine. Not that I'm asking you to save me from myself, not your job to watchdog the users and safeguard against self-sabotage. Though I can't see much downside if there were a few more options a user could place on his account, if implementation was easy and it didn't increase things too much on your end.

Could one have a time-specific withdraw lock (maybe a week or month, etc), delays or confirmations for internal transfers (or maybe securities only transfers), etc?

Regardless, love the site and the work you put into it is admirable. Thanks!

Definitely an interesting issue.  Seems like we have a few options:

- apply the same limits to internal transfers as we do to withdrawals.
- allow outgoing internal transfers (shares and coins) to be permanently locked as well
- make all withdrawals manual

I'm leaning toward that second option.
FloatesMcgoates
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
June 03, 2013, 04:14:04 AM
 #800

Any idea if TAT.VIRTUALMINE will be approved for trade? I might want to buy in at IPO prices and would rather do it here than at bitfunder
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 [40] 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 ... 139 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!