[4+ EH] Slush Pool (slushpool.com); Overt AsicBoost; World First Mining Pool

[slush]

no, I am using google app engine (https://appengine.google.com/) free quota.

Well, nothing is for 'free'. But I won't judge this.

around 50G hashes per day per mobile phone number.

Which is 11 pool shares per day from whole GAE cluster, so average 0.033 bitcoins (or 0.01 USD) daily. Wow!

(GAE is great tool and I also use it. But it's purpose is different than crunching hashes.)

[BitterTea]

I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It have 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.

That's only ~578 khashes/second. Doesn't seem that great. Where does the hashing happen, on the mobile phones or on Google's servers? Doesn't seem like something they'd give away for free...

[slush]

Okay, I'll try to keep it simple.  When I generate a valid block worth 50 bitcoins as part of the pool, how do you prevent me from keeping the block for myself when I find it?

If you mean 'steal it for myself and make own 50 BTC' - it is technically not possible.

If you mean 'steal it for myself and sabotage cluster' - it is possible, but you cut yourself for reward, so it is economically unsuitable for you. It was also heavily discussed on forum before, please read it before new posts on this topic.

[ronaldmaustin]

If you mean 'steal it for myself and make own 50 BTC' - it is technically not possible.

If you mean 'steal it for myself and sabotage cluster' - it is possible, but you cut yourself for reward, so it is economically unsuitable for you. It was also heavily discussed on forum before, please read it before new posts on this topic.

I did see it before and will read it again so maybe I can clarify the question I have been trying to ask for five posts now.  I *thought* your answer was going to be that somehow the block of 50 coins that I generate for the pooled miner was signed with the key of the pooled miner and thus, to steal the block would do me no good, as it was already allocated to you before it left my computer.  Had you answered in this way, my next question was going to be how that is achieved.  I'll go back and re-read the posts and maybe after five or so more attempts I'll be able to structure my question properly.

[slush]

Block of 50 coins that I generate for the pooled miner was signed with the key of the pooled miner.

Yes, something like this. Job received by miner contains transaction for 50BTC to pool wallet.

[j16sdiz]

That's only ~578 khashes/second. Doesn't seem that great.

Well. You pay nothing for that 578khashes.
If you want more, it cost  $0.1 per "cpu hour" (that's around 500k hashes).

Where does the hashing happen, on the mobile phones or on Google's servers? Doesn't seem like something they'd give away for free...

It is on google's servers. The mobile phone number is for SMS verification.
Why free? It's something like flicker or picasa -- they want you to depends on theirs service and pay them someday.

[pc]

I've been using the pool happily for a few days now, and I have a couple questions relating to its security:

1) Am I correct that the username/password of my workers don't actually have to be "secure", as the most that one could do with them is submit shares for me, right? And they're passed unencrypted by the miner, right?

2) Are there any plans for SSL for the web management interface? If not, it seems that an attacker could learn my account password (as opposed to a worker's password) or impersonate my session (as it seems to remember me via a cookie), and then change the bitcoin address that rewards get sent to. If I'm vigilant I might notice, but an attacker may steal quite a few bitcoins from me before I notice. I do understand that I'm getting exactly what I'm paying for here, but as the pool becomes a bigger and bigger part of the bitcoin mining system, it may be a good plan to look at as it may start to become a target.

Thanks!

[gigitrix]

I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It have 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.

Slush, I'm shamelessly using this technique as well. If this causes issues for your servers I would be happy to lower the getwork request rate (and slow down generation/stop using so many resources) or if it really bothers you you can remove these clients from your end of the site (I won't re-add them). I just can't say no to free bitcoins  (without free room noise and heat )

[BitterTea]

Hey slush, weird question, but does the server give a response to the client when they find a valid block?

[dooglus]

I tried changing the password for one of my workers.  The new password is displayed on the website, but the original password is still required when running the miner.  I even tried deleting the worker and recreating it with the new password, but the original password is still required.  Eventually I had to make a worker with a different name to get the password changed.

Also, is it possible to change my account password, as opposed to the worker passwords?

Thanks.

Chris.

[marcusaurelius]

is it possible for you to display the amount of btc each worker made? that would help me a lot. thanks.

[dooglus]

On http://mining.bitcoin.cz/home/ is says:

"Shares do not carry over from one block to the next. When the pool mints a block, only users who worked on that block are rewarded, and only for work they did on that block."

but that doesn't seem to be the case.

I am getting rewarded for all blocks I contribute shares to, not only the ones the pool mints.  It seems that the server counts up all the shares in the current round, not just the current block.  The distinction being that a round lasts until we mint a block.  Sometimes over 20 blocks are minted by others before we get to mint one, but all the shares I contribute in the mean time also get rewarded.

[BitterTea]

dooglus,

The current round lasts until the pool finds a new block. Everyone who contributed to finding that block gets paid based on the shares, and a new round starts.

At least that's my understanding.

[lfm]

dooglus,

The current round lasts until the pool finds a new block. Everyone who contributed to finding that block gets paid based on the shares, and a new round starts.

At least that's my understanding.

Ya, just if your account is sub-penny the fractions get carried over to the next round

[slush]

Today pool update:

• Added protection against CSRF to account page.
• Password reset feature (follow link on login page)

[slush]

1) Am I correct that the username/password of my workers don't actually have to be "secure", as the most that one could do with them is submit shares for me, right? And they're passed unencrypted by the miner, right?

Yes, with worker login/password, nobody can do something wrong (change wallet, login to profile or so). But you still should keep this secret (I mean don't post it to forum or so), because somebody can sabotage your miner's work in this way.

Pool have memory for last 12 getwork requests per worker to validate submitted share later. So when somebody will request getworks using your worker credentials during your miner's work and your miner submit valid share, it can be rejected because attacker pushed out this job from pool queue already. So, nothing strange, but simply don't spread your credentials to other people.

2) Are there any plans for SSL for the web management interface? If not, it seems that an attacker could learn my account password (as opposed to a worker's password) or impersonate my session (as it seems to remember me via a cookie),

There is SSL enabled, but only with self-signed certificate. Currently I don't plan to change it to, because startssl.com offer only weak, 128bit certificates and classic certificates are quite expensive. But if you care, you can write down certificate fingerprint...

and then change the bitcoin address that rewards get sent to. If I'm vigilant I might notice, but an attacker may steal quite a few bitcoins from me before I notice. I do understand that I'm getting exactly what I'm paying for here, but as the pool becomes a bigger and bigger part of the bitcoin mining system, it may be a good plan to look at as it may start to become a target.

I agree that security IS the concern here. Firstly I was oriented mainly to security of pool algorithm, but it looks pretty good, so I can work on frontend improvements. Today I implemented CSRF protection, which improve security against javascript attacks.

[slush]

Hey slush, weird question, but does the server give a response to the client when they find a valid block?

No, when miner report 'found block', it is only found pool share (block with difficulty 1). You have to check website, if you workers have some number in 'blocks' column.

[slush]

I tried changing the password for one of my workers.  The new password is displayed on the website, but the original password is still required when running the miner. 

Oh, I'm surprised that nobody ask for this before. Unfortunately, this is 'by design'. I mean, once worker ask for his first getwork, application load his settings to memory and keep them until application restart; it is performance optimization, because it's not possible to ask databaase 100x per second to check worker's login/password. So I plan to add periodic reload of those credentials, but even then it will take some time until credentials loaded in memory expire...

Also, is it possible to change my account password, as opposed to the worker passwords?

Now it is possible, you can reset password from login page. Still not comfortable, because you have to confirm email even if you know old password, but it works.

[gene]

There is SSL enabled, but only with self-signed certificate. Currently I don't plan to change it to, because startssl.com offer only weak, 128bit certificates and classic certificates are quite expensive.

Those 128 bits refer to the key-length of the symmetric cipher (e.g. AES, arc4), which is quite secure and actually controlled by the webserver. The asymmetric cipher (e.g. RSA) has a much greater key-length, typically a multiple of 1024. An RSA key with length 1024 or greater is widely considered secure, although more people are going to 2048. SSL, OpenPGP, etc are considered hybrid cryptosystems since they use both types of algorithms in a complementary way.

[slush]

Those 128 bits refer to the key-length of the symmetric cipher (e.g. AES, arc4), which is quite secure and actually controlled by the webserver. The asymmetric cipher (e.g. RSA) has a much greater key-length, typically a multiple of 1024. An RSA key with length 1024 or greater is widely considered secure, although more people are going to 2048. SSL, OpenPGP, etc are considered hybrid cryptosystems since they use both types of algorithms in a complementary way.

Oh, thanks gene for explanation. I'll consider startssl certificate again.