Bitcoin Forum
November 09, 2024, 02:13:29 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 [24] 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 ... 1154 »
  Print  
Author Topic: [4+ EH] Slush Pool (slushpool.com); Overt AsicBoost; World First Mining Pool  (Read 4382609 times)
slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 10, 2011, 02:17:00 PM
 #461

no, I am using google app engine (https://appengine.google.com/) free quota.

Well, nothing is for 'free'. But I won't judge this.

Quote
around 50G hashes per day per mobile phone number.

Which is 11 pool shares per day from whole GAE cluster, so average 0.033 bitcoins (or 0.01 USD) daily. Wow!

(GAE is great tool and I also use it. But it's purpose is different than crunching hashes.)

BitterTea
Sr. Member
****
Offline Offline

Activity: 294
Merit: 252



View Profile
January 10, 2011, 02:19:09 PM
 #462

I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It have 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.
That's only ~578 khashes/second. Doesn't seem that great. Where does the hashing happen, on the mobile phones or on Google's servers? Doesn't seem like something they'd give away for free...
slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 10, 2011, 02:21:54 PM
 #463

Okay, I'll try to keep it simple.  When I generate a valid block worth 50 bitcoins as part of the pool, how do you prevent me from keeping the block for myself when I find it?

If you mean 'steal it for myself and make own 50 BTC' - it is technically not possible.

If you mean 'steal it for myself and sabotage cluster' - it is possible, but you cut yourself for reward, so it is economically unsuitable for you. It was also heavily discussed on forum before, please read it before new posts on this topic.

ronaldmaustin
Full Member
***
Offline Offline

Activity: 143
Merit: 100


View Profile
January 10, 2011, 02:38:07 PM
 #464

If you mean 'steal it for myself and make own 50 BTC' - it is technically not possible.

If you mean 'steal it for myself and sabotage cluster' - it is possible, but you cut yourself for reward, so it is economically unsuitable for you. It was also heavily discussed on forum before, please read it before new posts on this topic.

I did see it before and will read it again so maybe I can clarify the question I have been trying to ask for five posts now.  I *thought* your answer was going to be that somehow the block of 50 coins that I generate for the pooled miner was signed with the key of the pooled miner and thus, to steal the block would do me no good, as it was already allocated to you before it left my computer.  Had you answered in this way, my next question was going to be how that is achieved.  I'll go back and re-read the posts and maybe after five or so more attempts I'll be able to structure my question properly.
slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 10, 2011, 04:26:06 PM
 #465

Block of 50 coins that I generate for the pooled miner was signed with the key of the pooled miner.

Yes, something like this. Job received by miner contains transaction for 50BTC to pool wallet.

j16sdiz
Newbie
*
Offline Offline

Activity: 37
Merit: 0


View Profile
January 11, 2011, 12:12:28 AM
 #466

That's only ~578 khashes/second. Doesn't seem that great.

Well. You pay nothing for that 578khashes.
If you want more, it cost  $0.1 per "cpu hour" (that's around 500k hashes).

Where does the hashing happen, on the mobile phones or on Google's servers? Doesn't seem like something they'd give away for free...

It is on google's servers. The mobile phone number is for SMS verification.
Why free? It's something like flicker or picasa -- they want you to depends on theirs service and pay them someday.
pc
Sr. Member
****
Offline Offline

Activity: 253
Merit: 250


View Profile
January 11, 2011, 01:57:13 AM
 #467

I've been using the pool happily for a few days now, and I have a couple questions relating to its security:

1) Am I correct that the username/password of my workers don't actually have to be "secure", as the most that one could do with them is submit shares for me, right? And they're passed unencrypted by the miner, right?

2) Are there any plans for SSL for the web management interface? If not, it seems that an attacker could learn my account password (as opposed to a worker's password) or impersonate my session (as it seems to remember me via a cookie), and then change the bitcoin address that rewards get sent to. If I'm vigilant I might notice, but an attacker may steal quite a few bitcoins from me before I notice. I do understand that I'm getting exactly what I'm paying for here, but as the pool becomes a bigger and bigger part of the bitcoin mining system, it may be a good plan to look at as it may start to become a target.

Thanks!
gigitrix
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
January 11, 2011, 06:01:52 PM
 #468

I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It have 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.

Slush, I'm shamelessly using this technique as well. If this causes issues for your servers I would be happy to lower the getwork request rate (and slow down generation/stop using so many resources) or if it really bothers you you can remove these clients from your end of the site (I won't re-add them). I just can't say no to free bitcoins  (without free room noise and heat Grin)
BitterTea
Sr. Member
****
Offline Offline

Activity: 294
Merit: 252



View Profile
January 12, 2011, 02:06:53 AM
 #469

Hey slush, weird question, but does the server give a response to the client when they find a valid block?
dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1333



View Profile
January 12, 2011, 08:46:01 AM
 #470

I tried changing the password for one of my workers.  The new password is displayed on the website, but the original password is still required when running the miner.  I even tried deleting the worker and recreating it with the new password, but the original password is still required.  Eventually I had to make a worker with a different name to get the password changed.

Also, is it possible to change my account password, as opposed to the worker passwords?

Thanks.

Chris.

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
marcusaurelius
Newbie
*
Offline Offline

Activity: 37
Merit: 0



View Profile
January 12, 2011, 02:31:47 PM
 #471

is it possible for you to display the amount of btc each worker made? that would help me a lot. thanks.
dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1333



View Profile
January 12, 2011, 05:56:22 PM
 #472

On http://mining.bitcoin.cz/home/ is says:
Quote
"Shares do not carry over from one block to the next. When the pool mints a block, only users who worked on that block are rewarded, and only for work they did on that block."
but that doesn't seem to be the case.

I am getting rewarded for all blocks I contribute shares to, not only the ones the pool mints.  It seems that the server counts up all the shares in the current round, not just the current block.  The distinction being that a round lasts until we mint a block.  Sometimes over 20 blocks are minted by others before we get to mint one, but all the shares I contribute in the mean time also get rewarded.

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
BitterTea
Sr. Member
****
Offline Offline

Activity: 294
Merit: 252



View Profile
January 12, 2011, 06:20:52 PM
 #473

dooglus,

The current round lasts until the pool finds a new block. Everyone who contributed to finding that block gets paid based on the shares, and a new round starts.

At least that's my understanding.
lfm
Full Member
***
Offline Offline

Activity: 196
Merit: 104



View Profile
January 12, 2011, 06:34:18 PM
 #474

dooglus,

The current round lasts until the pool finds a new block. Everyone who contributed to finding that block gets paid based on the shares, and a new round starts.

At least that's my understanding.

Ya, just if your account is sub-penny the fractions get carried over to the next round
slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 12, 2011, 07:14:26 PM
 #475

Today pool update:
  • Added protection against CSRF to account page.
  • Password reset feature (follow link on login page)

slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 12, 2011, 07:29:24 PM
Last edit: January 13, 2011, 11:05:59 AM by slush
 #476

1) Am I correct that the username/password of my workers don't actually have to be "secure", as the most that one could do with them is submit shares for me, right? And they're passed unencrypted by the miner, right?

Yes, with worker login/password, nobody can do something wrong (change wallet, login to profile or so). But you still should keep this secret (I mean don't post it to forum or so), because somebody can sabotage your miner's work in this way.

Pool have memory for last 12 getwork requests per worker to validate submitted share later. So when somebody will request getworks using your worker credentials during your miner's work and your miner submit valid share, it can be rejected because attacker pushed out this job from pool queue already. So, nothing strange, but simply don't spread your credentials to other people.

Quote
2) Are there any plans for SSL for the web management interface? If not, it seems that an attacker could learn my account password (as opposed to a worker's password) or impersonate my session (as it seems to remember me via a cookie),

There is SSL enabled, but only with self-signed certificate. Currently I don't plan to change it to, because startssl.com offer only weak, 128bit certificates and classic certificates are quite expensive. But if you care, you can write down certificate fingerprint...

Quote
and then change the bitcoin address that rewards get sent to. If I'm vigilant I might notice, but an attacker may steal quite a few bitcoins from me before I notice. I do understand that I'm getting exactly what I'm paying for here, but as the pool becomes a bigger and bigger part of the bitcoin mining system, it may be a good plan to look at as it may start to become a target.

I agree that security IS the concern here. Firstly I was oriented mainly to security of pool algorithm, but it looks pretty good, so I can work on frontend improvements. Today I implemented CSRF protection, which improve security against javascript attacks.

slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 13, 2011, 11:08:07 AM
 #477

Hey slush, weird question, but does the server give a response to the client when they find a valid block?

No, when miner report 'found block', it is only found pool share (block with difficulty 1). You have to check website, if you workers have some number in 'blocks' column.

slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 13, 2011, 12:13:17 PM
 #478

I tried changing the password for one of my workers.  The new password is displayed on the website, but the original password is still required when running the miner. 

Oh, I'm surprised that nobody ask for this before. Unfortunately, this is 'by design'. I mean, once worker ask for his first getwork, application load his settings to memory and keep them until application restart; it is performance optimization, because it's not possible to ask databaase 100x per second to check worker's login/password. So I plan to add periodic reload of those credentials, but even then it will take some time until credentials loaded in memory expire...

Quote
Also, is it possible to change my account password, as opposed to the worker passwords?

Now it is possible, you can reset password from login page. Still not comfortable, because you have to confirm email even if you know old password, but it works.

gene
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
January 13, 2011, 12:55:21 PM
Last edit: January 13, 2011, 01:13:03 PM by gene
 #479

Quote
There is SSL enabled, but only with self-signed certificate. Currently I don't plan to change it to, because startssl.com offer only weak, 128bit certificates and classic certificates are quite expensive.

Those 128 bits refer to the key-length of the symmetric cipher (e.g. AES, arc4), which is quite secure and actually controlled by the webserver. The asymmetric cipher (e.g. RSA) has a much greater key-length, typically a multiple of 1024. An RSA key with length 1024 or greater is widely considered secure, although more people are going to 2048. SSL, OpenPGP, etc are considered hybrid cryptosystems since they use both types of algorithms in a complementary way.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
slush (OP)
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
January 13, 2011, 02:28:43 PM
 #480

Those 128 bits refer to the key-length of the symmetric cipher (e.g. AES, arc4), which is quite secure and actually controlled by the webserver. The asymmetric cipher (e.g. RSA) has a much greater key-length, typically a multiple of 1024. An RSA key with length 1024 or greater is widely considered secure, although more people are going to 2048. SSL, OpenPGP, etc are considered hybrid cryptosystems since they use both types of algorithms in a complementary way.

Oh, thanks gene for explanation. I'll consider startssl certificate again.

Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 [24] 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 ... 1154 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!