areebmajeed (OP)
March 16, 2013, 07:28:18 AM

I got an idea to create a website where Bitcoin users can post their Bitcoin address and names. It would be like a database for those who would like to post their Bitcoin address publicly.

areebmajeed (OP)
March 16, 2013, 10:49:13 AM

Yeah! This is great and better.

qxzn
March 17, 2013, 04:52:41 AM

qxzn
March 17, 2013, 05:01:06 AM

> There is http://qcl.me which uses encryption so you know your address can't be changed by a hacker or third party, and the site is self alerting to these errors.

I don't see how crypto can really help you here. If a hacker gains control of the qcl.me server, there's nothing you can do to stop him from answering queries with his own bitcoin address.

gweedo
Legendary
Activity: 1498
Merit: 1000
March 17, 2013, 05:11:31 AM

> > There is http://qcl.me which uses encryption so you know your address can't be changed by a hacker or third party, and the site is self alerting to these errors.

> I don't see how crypto can really help you here. If a hacker gains control of the qcl.me server, there's nothing you can do to stop him from answering queries with his own bitcoin address.

That is true, but in that case you would notice it, cause after creating your short address url, you are then sent to the page, unless the hacker wants to do coding, and it would just be more of a headache. The pages for are also hashed and checked upon each load, that hash resides in memory, so this again would be super unlikely. But you still don't trust me, there is an api, do your own querying. But trust me this is the safest shortener there is currently, did a lot of research before creating this, it isn't a fly by wire site.

qxzn
March 18, 2013, 03:15:38 AM

> > I don't see how crypto can really help you here. If a hacker gains control of the qcl.me server, there's nothing you can do to stop him from answering queries with his own bitcoin address.

> That is true, but in that case you would notice it, cause after creating your short address url, you are then sent to the page, unless the hacker wants to do coding, and it would just be more of a headache.

security by hope-the-badguy-doesn't-code.

> The pages for are also hashed and checked upon each load

"hashed and checked" by whom?

> , that hash resides in memory, so this again would be super unlikely. But you still don't trust me, there is an api, do your own querying. But trust me this is the safest shortener there is currently, did a lot of research before creating this, it isn't a fly by wire site.

Uh, ok.

qxzn
March 18, 2013, 05:22:23 PM

> No, it would be very difficult to actually change the whole system to work like you said.

To demonstrate how easy it is to do what I'm saying, I spent a few minutes throwing together a tiny php script that responds to all qcl requests with the same bitcoin address: http://qcl.phauna.org/

It's not complete. It doesn't let you add new mappings, and doesn't have the FAQ page, but with another few minutes I might be able to redirect those requests to your original site. Even still, this did not take any knowledge of crypto to put together nor was it much of a headache. If I had access to your DNS or web server I could have all your traffic redirecting to whatever bitcoin address I want.

> > > The pages for are also hashed and checked upon each load

> > "hashed and checked" by whom?

> The System checks itself, but the database is entirely hashed with a crypto-random salt and encrypted based on the short name, this would prove incredibly difficult to try and change. Now your static page, I can't talk too much about it as it would give away some security things, but it is hashed by the system upon SSH upload of site, and I use keyfiles to login into the SSH so it always knows it is me. That hash is placed in memory, never touching the hard drive. This is then checked upon each loading with a special program that I have written.

Maybe so, and maybe all that fancy crypto you're using is doing something other than giving you a headache. But what it's not doing is stopping a hacker from responding to all queries with whatever bitcoin address he wants.

> > > , that hash resides in memory, so this again would be super unlikely. But you still don't trust me, there is an api, do your own querying. But trust me this is the safest shortener there is currently, did a lot of research before creating this, it isn't a fly by wire site.

> > Uh, ok.

> It really doesn't get too much more secure than this, if I had maybe special hardware to hold the database offline. So yeah. I see you run thewalletlist.com, with a guy whose site was hacked. Can you talk about your security? Do you have a verifiable database like my system?

I wasn't trying to get personal here, sorry if I've made you upset. As for thewalletlist.com, we don't use any "verifiable database" or fancy internal crypto for our system, because as I've just demonstrated, it wouldn't matter if we got hacked. What we do employ, however, is SSL which will at least notify users that something is awry if someone hijacks our DNS. There are probably a few other security practices we could employ to harden and alert against someone attacking our server, but as this is an experimental idea and we only have a handful of users, it's hard to justify pouring a lot of work into it until we get a little validation from the marketplace that it's a useful service.

gweedo
March 18, 2013, 06:11:55 PM

> > No, it would be very difficult to actually change the whole system to work like you said.

> To demonstrate how easy it is to do what I'm saying, I spent a few minutes throwing together a tiny php script that responds to all qcl requests with the same bitcoin address: http://qcl.phauna.org/

> It's not complete. It doesn't let you add new mappings, and doesn't have the FAQ page, but with another few minutes I might be able to redirect those requests to your original site. Even still, this did not take any knowledge of crypto to put together nor was it much of a headache. If I had access to your DNS or web server I could have all your traffic redirecting to whatever bitcoin address I want.

> > > > The pages for are also hashed and checked upon each load

> > > "hashed and checked" by whom?

> > The System checks itself, but the database is entirely hashed with a crypto-random salt and encrypted based on the short name, this would prove incredibly difficult to try and change. Now your static page, I can't talk too much about it as it would give away some security things, but it is hashed by the system upon SSH upload of site, and I use keyfiles to login into the SSH so it always knows it is me. That hash is placed in memory, never touching the hard drive. This is then checked upon each loading with a special program that I have written.

> Maybe so, and maybe all that fancy crypto you're using is doing something other than giving you a headache. But what it's not doing is stopping a hacker from responding to all queries with whatever bitcoin address he wants.

> > > > , that hash resides in memory, so this again would be super unlikely. But you still don't trust me, there is an api, do your own querying. But trust me this is the safest shortener there is currently, did a lot of research before creating this, it isn't a fly by wire site.

> > > Uh, ok.

> > It really doesn't get too much more secure than this, if I had maybe special hardware to hold the database offline. So yeah. I see you run thewalletlist.com, with a guy whose site was hacked. Can you talk about your security? Do you have a verifiable database like my system?

> I wasn't trying to get personal here, sorry if I've made you upset. As for thewalletlist.com, we don't use any "verifiable database" or fancy internal crypto for our system, because as I've just demonstrated, it wouldn't matter if we got hacked. What we do employ, however, is SSL which will at least notify users that something is awry if someone hijacks our DNS. There are probably a few other security practices we could employ to harden and alert against someone attacking our server, but as this is an experimental idea and we only have a handful of users, it's hard to justify pouring a lot of work into it until we get a little validation from the marketplace that it's a useful service.

Very well done, except you don't think people would notice that it's only showing a different address after they click submit? That is your flaw, after the submit I see it is a different address, than what is submitted, so at that point I wouldn't give the link out.

For DNS hijacking, I employ some security measures but now we are talking about going to great lengths to take over a site, that is probably not worth that. The crypto isn't giving me a headache it is giving me the ability to not be trusted which is what bitcoin is all about.

I am not upset, I love debating security. I just thought it was funny that you employ no security and have someone that had a site hacked and coins stolen, helping you.

I also like how you think that the "fancy" internal crypto does nothing, hey lets why use "fancy" crypto just store passwords in plaintext...

I like that you need validation from the market place to then get the kick in your ass to actually build your site out LOL That isn't how it works, you really should have done research, but now knowing that you don't have a verifiable database, I can't see anyone using it and that is sad.

qxzn
March 19, 2013, 01:42:35 AM

> Very well done, except you don't think people would notice that it's only showing a different address after they click submit? That is your flaw, after the submit I see it is a different address, than what is submitted, so at that point I wouldn't give the link out.

Of course it's a different address, because I haven't taken over qcl.me. The point is that if I *did* hack your server or DNS, it would be trivial to put up a site that doled out bogus addresses, and yes, with all the right URLs. You continue to claim that this is somehow not true, even though I've just demonstrated that with 5 minutes of work I can get 90% of the way there. Please note also that I'm not claiming that thewalletlist.com isn't susceptible to this sort of attack. It is. I think it's important for site operators to only claim their site is as secure as it actually is.

> For DNS hijacking, I employ some security measures but now we are talking about going to great lengths to take over a site, that is probably not worth that. The crypto isn't giving me a headache it is giving me the ability to not be trusted which is what bitcoin is all about.

> I am not upset, I love debating security. I just thought it was funny that you employ no security and have someone that had a site hacked and coins stolen, helping you.

> I also like how you think that the "fancy" internal crypto does nothing, hey lets why use "fancy" crypto just store passwords in plaintext...

Of course we don't store passwords in plaintext. We use bcrypt like anyone sensible. What I don't do is make up some crypto that I can't / am not willing to explain and then claim that my site is somehow impervious to hacking.

> I like that you need validation from the market place to then get the kick in your ass to actually build your site out LOL That isn't how it works, you really should have done research, but now knowing that you don't have a verifiable database, I can't see anyone using it and that is sad.

Don't get me wrong -- I think the security practices are decent at thewalletlist.com. Bcrypt passwords, public-key authentication to the server, etc. But I will also confess there's a little more we could do, in particular in terms of setting off alarms if there was a breach of security. I'm confident enough that for reasonable amounts of coin, I'm happy to tell people "send it to my thewalletlist.com address." I would not ask someone to send 1000 bitcoins without triple-checking the address, whether it was determined through thewalletlist.com, qcl.me, or any other service.

qxzn
March 19, 2013, 01:49:31 AM

> I like that you need validation from the market place to then get the kick in your ass to actually build your site out LOL That isn't how it works

To a degree you're right, but there's another side to it as well. Nobody would bother hacking our site right now, because with only a handful of users they're not going to earn any coin by doing so. So we're not a target. Once we have a significant number of users, the story starts to change.

gweedo
March 19, 2013, 02:01:41 AM

> > Very well done, except you don't think people would notice that it's only showing a different address after they click submit? That is your flaw, after the submit I see it is a different address, than what is submitted, so at that point I wouldn't give the link out.

> Of course it's a different address, because I haven't taken over qcl.me. The point is that if I *did* hack your server or DNS, it would be trivial to put up a site that doled out bogus addresses, and yes, with all the right URLs. You continue to claim that this is somehow not true, even though I've just demonstrated that with 5 minutes of work I can get 90% of the way there. Please note also that I'm not claiming that thewalletlist.com isn't susceptible to this sort of attack. It is. I think it's important for site operators to only claim their site is as secure as it actually is.

> > For DNS hijacking, I employ some security measures but now we are talking about going to great lengths to take over a site, that is probably not worth that. The crypto isn't giving me a headache it is giving me the ability to not be trusted which is what bitcoin is all about.

> > I am not upset, I love debating security. I just thought it was funny that you employ no security and have someone that had a site hacked and coins stolen, helping you.

> > I also like how you think that the "fancy" internal crypto does nothing, hey lets why use "fancy" crypto just store passwords in plaintext...

> Of course we don't store passwords in plaintext. We use bcrypt like anyone sensible. What I don't do is make up some crypto that I can't / am not willing to explain and then claim that my site is somehow impervious to hacking.

> > I like that you need validation from the market place to then get the kick in your ass to actually build your site out LOL That isn't how it works, you really should have done research, but now knowing that you don't have a verifiable database, I can't see anyone using it and that is sad.

> Don't get me wrong -- I think the security practices are decent at thewalletlist.com. Bcrypt passwords, public-key authentication to the server, etc. But I will also confess there's a little more we could do, in particular in terms of setting off alarms if there was a breach of security. I'm confident enough that for reasonable amounts of coin, I'm happy to tell people "send it to my thewalletlist.com address." I would not ask someone to send 1000 bitcoins without triple-checking the address, whether it was determined through thewalletlist.com, qcl.me, or any other service.

Now you're just slandering my security that I employ, that isn't cool. Also I wasn't talking about the URL obviously I was talking about the bitcoin address, if I submit a bitcoin address, I get a completely different bitcoin address, I think people would notice that. Also I didn't make up any crypto, hashing and salting to cover up the shortname, yet still look it up, and AES-256 to encrypt using the shortname and a different salt, are straight forward techniques. Now that is different from saying I just made up some crypto to make it sound secure. I would never do that, and you can guarantee, I would stand by that with my rep. Also I never said it was impervious to a hacking, that would be impossible, but I have made it very difficult, and probably not worth the time of hacker. That would be the correct way to say it, and the only way I have said it during this entire thread. Also with my rep I can say that sending 1000 coin with my service is probably the most secure out of the two and don't require much checking. Now stop with the slander and discuss this like you were doing before otherwise, I will stop responding cause that is just dirty.

> > I like that you need validation from the market place to then get the kick in your ass to actually build your site out LOL That isn't how it works

> To a degree you're right, but there's another side to it as well. Nobody would bother hacking our site right now, because with only a handful of users they're not going to earn any coin by doing so. So we're not a target. Once we have a significant number of users, the story starts to change.

Ladies and gentlemen this is the kind of security that is employed on a sub par site, for a sub par user. I think that is an insult, to your project and the users that use it, and I hope they see that. When you think a hacker will hack it then you will do something. I always have security in my mind, if 1 person is using it or a million, that's what makes my service superior to yours.

qxzn
March 19, 2013, 02:32:52 AM

> Now you're just slandering my security that I employ, that isn't cool. Also I wasn't talking about the URL obviously I was talking about the bitcoin address, if I submit a bitcoin address, I get a completely different bitcoin address, I think people would notice that.

Oh, sorry, I didn't describe how to use my mockup. Go to http://qcl.me/1. Then try http://qcl.phauna.org/1. That's all I've implemented -- the lookups from short name to long name. No alerts go off telling the user that the address they are looking up belongs to a hacker. I'm not trying to slander, sorry if I've overstepped, or misunderstood you. I'm happy to give your security measures the benefit of the doubt. All I'm saying is that a hacker who owned your server or DNS could respond to queries with his own address(es), and it wouldn't be hard for the hacker to do it.

> Also with my rep I can say that sending 1000 coin with my service is probably the most secure out of the two and don't require much checking. Now stop with the slander and discuss this like you were doing before otherwise, I will stop responding cause that is just dirty.

Okay, that's your business. Personally, I think the level of paranoia for sending thousands of coin should be sufficiently high not to trust *any* third party site to give you the address, regardless of their security practices.

> Ladies and gentlemen this is the kind of security that is employed on a sub par site, for a sub par user. I think that is an insult, to your project and the users that use it, and I hope they see that. When you think a hacker will hack it then you will do something. I always have security in my mind, if 1 person is using it or a million, that's what makes my service superior to yours.

I plan and hope to stay well ahead of the curve. It doesn't make sense for me to be as secure as the NSA right now. Maybe you'll understand if I put it another way. There is a cost to each security measure. For a million bucks I could make the service very very difficult to attack, but it's obviously not worth that right now. The measures we've taken are a good match for the size and scope of the project right now.

> ... my service superior to yours.

oh, is that what this is about to you? I see our two services as not really competing -- they do different things (yours is a shortener, mine is an email-keyed database). If that's what this discussion is about for you, I'm done. I'm happy to let the marketplace decide.
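
Added example, not part of the thread and not code from either site: a Python sketch of the disagreement above. An integrity check that runs on the server catches in-place tampering, but it never executes once a different host answers the query, whereas a client that compares the answer with an address obtained out of band notices the substitution. The class names, the pin store and both address strings are constructed for illustration.

```python
import hashlib
import json

# Constructed placeholder strings, not real Bitcoin addresses.
PAYEE_ADDRESS = "1ExamplePayeeAddressConstructedForDemo"
OTHER_ADDRESS = "1ExampleOtherAddressConstructedForDemo"


class SelfCheckingResolver:
    """Honest server: hashes its table at load and re-checks on every lookup."""

    def __init__(self, table):
        self._table = dict(table)
        self._digest = self._hash(self._table)  # held in memory only

    @staticmethod
    def _hash(table):
        blob = json.dumps(table, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def lookup(self, name):
        if self._hash(self._table) != self._digest:
            raise RuntimeError("server-side integrity alarm")
        return self._table[name]


class ReplacementResolver:
    """Whatever answers after a DNS or host takeover; no honest code runs here."""

    def __init__(self, address):
        self._address = address

    def lookup(self, name):
        return self._address  # same answer for every short name


class PinningClient:
    """Client keeping addresses it learned directly from the payee."""

    def __init__(self):
        self._pins = {}

    def pin(self, name, address):
        self._pins[name] = address

    def resolve(self, name, resolver):
        answer = resolver.lookup(name)
        pinned = self._pins.get(name)
        if pinned is None:
            return ("unverified", answer)  # nothing to compare against
        if pinned == answer:
            return ("match", answer)
        return ("mismatch", answer)        # do not pay; re-check out of band


def demo():
    honest = SelfCheckingResolver({"1": PAYEE_ADDRESS})
    replaced = ReplacementResolver(OTHER_ADDRESS)

    client = PinningClient()
    client.pin("1", PAYEE_ADDRESS)

    results = {
        "pinned_vs_honest": client.resolve("1", honest),
        "pinned_vs_replaced": client.resolve("1", replaced),
        # A client with no independent copy cannot tell the difference.
        "unpinned_vs_replaced": PinningClient().resolve("1", replaced),
    }

    # What the server-side check does cover: tampering with the table
    # on the honest host while the honest code is still the one answering.
    honest._table["1"] = OTHER_ADDRESS
    try:
        honest.lookup("1")
        results["tamper_alarm"] = False
    except RuntimeError:
        results["tamper_alarm"] = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```
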

BitPirate
Full Member
Activity: 238
Merit: 100
RMBTB.com: The secure BTC:CNY exchange. 0% fee!
March 19, 2013, 02:45:16 AM

I'm actually with qxzn on this. The weakest link here is your DNS. Bit of social engineering at more than one failure point and you're in. Encryption isn't going to count for much.
You're actually providing a sort of DNS service -- people using familiar names to look up an address. DNS for bitcoin. That needs *a lot* of trust.
This is a service that BitCoin desperately needs to drive adoption, but I don't see how it can be provided by a single party. No-one would trust a single company to run the Internet's DNS. Why should they trust someone for BTC?
In terms of trust, can you really run DNS on top of a web site? DNS should be the most basic, trusted service there is.
I think getting a Bitcoin DNS into the P2P network is what we really should be looking at.

gweedo
March 19, 2013, 02:56:11 AM

> > Now you're just slandering my security that I employ, that isn't cool. Also I wasn't talking about the URL obviously I was talking about the bitcoin address, if I submit a bitcoin address, I get a completely different bitcoin address, I think people would notice that.

> Oh, sorry, I didn't describe how to use my mockup. Go to http://qcl.me/1. Then try http://qcl.phauna.org/1. That's all I've implemented -- the lookups from short name to long name. No alerts go off telling the user that the address they are looking up belongs to a hacker. I'm not trying to slander, sorry if I've overstepped, or misunderstood you. I'm happy to give your security measures the benefit of the doubt. All I'm saying is that a hacker who owned your server or DNS could respond to queries with his own address(es), and it wouldn't be hard for the hacker to do it.

Dude you just said I use some fancy crypto to make it sound secure... That is slander, that is how I am taking it. DNS take over is very hard to do especially since the hosting, is hosting the DNS name servers and it would require taking over my account which the password is very strong, and a different username than this. It's really unfeasible.

> > Also with my rep I can say that sending 1000 coin with my service is probably the most secure out of the two and don't require much checking. Now stop with the slander and discuss this like you were doing before otherwise, I will stop responding cause that is just dirty.

> Okay, that's your business. Personally, I think the level of paranoia for sending thousands of coin should be sufficiently high not to trust *any* third party site to give you the address, regardless of their security practices.

If you realized my service is to help the level of paranoia people that would being sending 1 or 1000 coins and checking sites and address a million times.

> > Ladies and gentlemen this is the kind of security that is employed on a sub par site, for a sub par user. I think that is an insult, to your project and the users that use it, and I hope they see that. When you think a hacker will hack it then you will do something. I always have security in my mind, if 1 person is using it or a million, that's what makes my service superior to yours.

> I plan and hope to stay well ahead of the curve. It doesn't make sense for me to be as secure as the NSA right now. Maybe you'll understand if I put it another way. There is a cost to each security measure. For a million bucks I could make the service very very difficult to attack, but it's obviously not worth that right now. The measures we've taken are a good match for the size and scope of the project right now.

> > ... my service superior to yours.

> oh, is that what this is about to you? I see our two services as not really competing -- they do different things (yours is a shortener, mine is an email-keyed database). If that's what this discussion is about for you, I'm done. I'm happy to let the marketplace decide.

Actually that has nothing to do with anything my service is better in the encryption, market doesn't decide on facts, I am just stating facts. Also you don't need to spend $1million just more time

gweedo
March 19, 2013, 02:57:35 AM

> I'm actually with qxzn on this. The weakest link here is your DNS. Bit of social engineering at more than one failure point and you're in. Encryption isn't going to count for much.
> You're actually providing a sort of DNS service -- people using familiar names to look up an address. DNS for bitcoin. That needs *a lot* of trust.
> This is a service that BitCoin desperately needs to drive adoption, but I don't see how it can be provided by a single party. No-one would trust a single company to run the Internet's DNS. Why should they trust someone for BTC?
> In terms of trust, can you really run DNS on top of a web site? DNS should be the most basic, trusted service there is.
> I think getting a Bitcoin DNS into the P2P network is what we really should be looking at.

If you think you can change my DNS with social engineering please try, someone has already tried to hack it, and has failed... so please if you think DNS is the weakest point, then go ahead change it and own me, make me eat my words. Also I am very trustworthy, and you don't even need to trust me cause that is what my system brings.

BitPirate
March 19, 2013, 03:00:59 AM

And you think the entire market is going to trust this position? For either of you?
Seriously, this needs a collaborative effort to build bcDNS into the protocol. We need to have simple bitcoin addresses people can send money to. It will help drive adoption and make us all rich.
But unfortunately, I don't think this is the way.

gweedo
March 19, 2013, 03:05:01 AM

> And you think the entire market is going to trust this position? For either of you?
> Seriously, this needs a collaborative effort to build bcDNS into the protocol. We need to have simple bitcoin addresses people can send money to. It will help drive adoption and make us all rich.
> But unfortunately, I don't think this is the way.

This isn't forever, but this is better than the other ways, of just using firstbits which encourages more spam on the blockchain and payb.tc which we have no idea how it is stored. You could have easily put me out of business with a BCdns system, yet no one has taken that up so this is the best of centralized storing.