Bitcoin Forum
December 08, 2016, 06:18:50 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: GLBSE back up and market open.  (Read 3625 times)
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 20, 2011, 04:19:16 AM
 #1

As a result of the Mt. Gox breakin we're running a security audit, and have moved all our users bitcoin to secure storage.

See here for more informaiton.

http://glbse.com/forum/viewtopic.php?f=14&t=62

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
1481221130
Hero Member
*
Offline Offline

Posts: 1481221130

View Profile Personal Message (Offline)

Ignore
1481221130
Reply with quote  #2

1481221130
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481221130
Hero Member
*
Offline Offline

Posts: 1481221130

View Profile Personal Message (Offline)

Ignore
1481221130
Reply with quote  #2

1481221130
Report to moderator
bitoption
Jr. Member
*
Offline Offline

Activity: 56


View Profile WWW
June 20, 2011, 10:52:24 PM
 #2

Thanks Nefario,

Good luck on the audit; I appreciate the approach.


----** In Beta: The First Bitcoin Options Market ----**

Explanation and discussion: http://forum.bitcoin.org/index.php?topic=9611.0

API Developer Thread:
http://forum.bitcoin.org/index.php?topic=14194.0

-----------------------------------------------------------
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 21, 2011, 03:17:29 AM
 #3

We we're certainly ready to bring GLBSE back up again.

However because of the increasing likelyhood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet we have to move server.

Prior to now we were using VPS's provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse that we had previously thought, we cannot take the risk of having our customers bitcoin on servers accessible by Mt.Gox's people.

It's going to add hours(6-12 depending) onto bringing GLBSE back up.

What you can look forward to will be to access GLBSE fully over SSL, using a self signed certificate, and the knowledge that our system has been hardended against breakin and exploitation.

We take the security of our users bitcoin seriously.

Nefario.


PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
BioMike
Legendary
*
Offline Offline

Activity: 1258


View Profile
June 21, 2011, 05:05:49 AM
 #4

However because of the increasing likelyhood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet we have to move server.

Prior to now we were using VPS's provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse that we had previously thought, we cannot take the risk of having our customers bitcoin on servers accessible by Mt.Gox's people.

As far as I know the account data was leaked through an auditor, so servers weren't rooted. Second, I think kalyhost has many physical servers around the globe, so they don't need to be on the same server as MtGox (I guess the MtGox server was dedicated anyway).

Got any link to support those claims?
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 21, 2011, 05:13:15 AM
 #5

However because of the increasing likelyhood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet we have to move server.

Prior to now we were using VPS's provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse that we had previously thought, we cannot take the risk of having our customers bitcoin on servers accessible by Mt.Gox's people.

As far as I know the account data was leaked through an auditor, so servers weren't rooted. Second, I think kalyhost has many physical servers around the globe, so they don't need to be on the same server as MtGox (I guess the MtGox server was dedicated anyway).

Got any link to support those claims?

These are not claims that we're making, but risks we perceive from the information we've gathered, risks that I'm not willing to take with other peoples money(my users). We know that we are not on the same server as Mt.Gox for sure, and this is not what we think to be the risk.

I'm afraid that I can't say anymore.

Nefario.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
BioMike
Legendary
*
Offline Offline

Activity: 1258


View Profile
June 21, 2011, 05:27:15 AM
 #6

Ok, so a better safe then sorry case.
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
June 21, 2011, 08:51:58 AM
 #7

We we're certainly ready to bring GLBSE back up again.

However because of the increasing likelyhood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet we have to move server.

Prior to now we were using VPS's provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse that we had previously thought, we cannot take the risk of having our customers bitcoin on servers accessible by Mt.Gox's people.

It's going to add hours(6-12 depending) onto bringing GLBSE back up.

What you can look forward to will be to access GLBSE fully over SSL, using a self signed certificate, and the knowledge that our system has been hardended against breakin and exploitation.

We take the security of our users bitcoin seriously.

Nefario.


Sorry to get off topic but how was your service at kalyhost? I purchased a vps server and i recieved automated messages saying my server was up and gave me the details but it wasent up the whole month. I sent letters to their 24/7 support, no replies the only service i got was at the end of the month which was an automated message stating my server will be taken down if i dont pay for the next month.
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 21, 2011, 09:05:49 AM
 #8

I did have trouble with the first VPS I'd gotten from them, the install hadn't worked.

But they resolved it quick enough(in a day or so I think).

Apart from that I've not had any trouble.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 23, 2011, 01:09:32 PM
 #9

We're up and open.

I've had cuddlefish do some poking and penetration testing on the servers and so far no obvious holes.

Everything is over SSL now, all traffic to glbse.com will be redirected to https.

The certificate is self signed (so on first visiting it will pop up a warning).

This now means that you can use the keypair generation on the server (built into the web client) without the worry of it being sniffed.

A few of the URL's have changed a little, and once we get our networking issues sorted out we'll update them.

The web client is available at https://glbse.com/client/glbse/

We have also update the command line client so that it's able to operate over SSL, to be able to use the command line client please use git to update the files.

If you're not on git(Windows user?) please download these two files into the black-market directory.

https://gitorious.org/black-market/black-market-client/blobs/raw/master/server.crt
https://gitorious.org/black-market/black-market-client/blobs/raw/master/bmc.py

From then on everything should be the same, with the exception that everything to the server is encrypted.

Nefario.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
TheVirus
Member
**
Offline Offline

Activity: 84


View Profile
June 23, 2011, 02:06:36 PM
 #10

We're almost ready to launch, however our servers are having some network trouble, and as a result glbse.com is down.

I've had cuddlefish do some poking and penetration testing on the servers and so far no obvious holes.

Everything is over SSL now, all traffic to glbse.com will be redirected to https.

The certificate is self signed (so on first visiting it will pop up a warning).

This now means that you can use the keypair generation on the server (built into the web client) without the worry of it being sniffed.

A few of the URL's have changed a little, and once we get our networking issues sorted out we'll update them.

The web client is available at https://glbse.com/client/glbse/

We have also update the command line client so that it's able to operate over SSL, to be able to use the command line client please use git to update the files.

If you're not on git(Windows user?) please download these two files into the black-market directory.

https://gitorious.org/black-market/black-market-client/blobs/raw/master/server.crt
https://gitorious.org/black-market/black-market-client/blobs/raw/master/bmc.py

From then on everything should be the same, with the exception that everything to the server is encrypted.

Nefario.

You can get a CA generated SSL cert from many places (www.networksolutions.com, www.godaddy.com) for a few hundred dollars. I highly recommend this as it will prevent your site from being flagged by Google/Chrome as being malicious. Also, what kind of pen testing did you do? Did you use a Nessus scan or MetaSploit stuff? Do you have any IDS/IPS software installed? Do you have a secured wallet stored offline? I think banks are required to keep 10% of their deposits in-house, so it might be wise to follow a similar protocol.

Are you running multiple servers, one for DB and one for web? Are you actively monitoring all access logs? Do you have anything in place that will send out alerts should something fishy happen (such as someone selling 500k BTC at once)? I'd want to make very large trades moderated. Are you tracking IPs to try and check for suspicious activity (much like Gmail does), so if I have an IP that originates from San Fran, CA, and then log in from South Korea, it should deny all write/execute access to the account until it's verified. It'd be nice to see a simplified version of how the data is protected and what security checks are in place (no need to get into the specific software/services used, just what they do).

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 23, 2011, 03:49:25 PM
 #11

Just to let people know, don't use GLBSE just yet, running tests at the moment to ensure all is working as it should.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 23, 2011, 05:51:38 PM
 #12

GLBSE is back up and open for business.

In answer to your comments TheVirus,
We will be getting a CA signed certificate, it's not the top priority ATM(Also using self signed cert prevent's our traffic being sniffed if a CA is compromised, I wonder how big a worry this is for actual GLBSE users though).

I'm not sure what the testing was actually, this was cuddlefish's doing (cuddlefish, could you fill us in).
No IDS yet.
I do keep a secure backup of the wallet offline.
The wallet on system has full funds ATM, this is because we're still using bitcoind's accounts (along with our own) to ensure we've got two sets of books so we can see where any problems arise when there's a difference.

DB is on the same server as webserver, however the DB has no identifying information or passwords, just a list of public keys. Not even emails. We try to keep identifying information we keep to an absolute min.

Also the server is chrooted with non root process permissions.

We have logs (of course) but no active monitoring system(bar myself). We also keep records of ip's, and use denyhosts.

We have no limits on transfer or trading once it's authorised by the user.

To be able to steal from a single users account (as opposed to breaking into the actual system) would require the attacker to get ahold of the users private key on their home machine. Once they have this there is no way to prove that they are  not indeed the user. The private key is the users only proof of ownership of the account.

Unless we begin recording identifying information there is nothing we can do if the private key is compromised.

We do of course also disable root access for ssh, have long and unique passwords for each user on the system, and have a strictish firewall policy.

The security setup is going to change as time goes on bringing improvements.

On our list of security todo:
Have the DB on a separate machine of the app server.
Have fractional reserves kept in the system wallet (with the rest stored securly offline).
Have an intrusion detection system.
Begin using SELinux.
Active log monitoring.

Any idea's for improving security is much appreciated(low hanging fruit preferable).

Nefario.



PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 23, 2011, 06:35:15 PM
 #13

GLBSE is back up and open for business.

In answer to your comments TheVirus,
We will be getting a CA signed certificate, it's not the top priority ATM(Also using self signed cert prevent's our traffic being sniffed if a CA is compromised, I wonder how big a worry this is for actual GLBSE users though).

I'm not sure what the testing was actually, this was cuddlefish's doing (cuddlefish, could you fill us in).
No IDS yet.
I do keep a secure backup of the wallet offline.
The wallet on system has full funds ATM, this is because we're still using bitcoind's accounts (along with our own) to ensure we've got two sets of books so we can see where any problems arise when there's a difference.

DB is on the same server as webserver, however the DB has no identifying information or passwords, just a list of public keys. Not even emails. We try to keep identifying information we keep to an absolute min.

Also the server is chrooted with non root process permissions.

We have logs (of course) but no active monitoring system(bar myself). We also keep records of ip's, and use denyhosts.

We have no limits on transfer or trading once it's authorised by the user.

To be able to steal from a single users account (as opposed to breaking into the actual system) would require the attacker to get ahold of the users private key on their home machine. Once they have this there is no way to prove that they are  not indeed the user. The private key is the users only proof of ownership of the account.

Unless we begin recording identifying information there is nothing we can do if the private key is compromised.

We do of course also disable root access for ssh, have long and unique passwords for each user on the system, and have a strictish firewall policy.

The security setup is going to change as time goes on bringing improvements.

On our list of security todo:
Have the DB on a separate machine of the app server.
Have fractional reserves kept in the system wallet (with the rest stored securly offline).
Have an intrusion detection system.
Begin using SELinux.
Active log monitoring.

Any idea's for improving security is much appreciated(low hanging fruit preferable).

Nefario.




I've run a Nessus scan and poked around a bit with Metasploit. The key auth (instead of password) does excellent things for the actual app's security.

The only thing I've noticed is a lack of syn cookies, which if enabled would prevent a certain type of DoS.

marcus_of_augustus
Legendary
*
Offline Offline

Activity: 2100



View Profile
June 23, 2011, 08:29:24 PM
 #14


took a look around GLBSE ... interesting project you are developing there... when will GLBSE be listed on the GLBSE, I could buy some shares of that? Smiley

Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
June 23, 2011, 09:00:06 PM
 #15


took a look around GLBSE ... interesting project you are developing there... when will GLBSE be listed on the GLBSE, I could buy some shares of that? Smiley

We're not selling ATM, I guess when we need funding then it will happen the, but we will be putting some other projects up.

Nefario.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
sal002
Sr. Member
****
Offline Offline

Activity: 462


View Profile WWW
June 24, 2011, 04:33:11 PM
 #16

Updated (on the Vmware image) and get this error:

Server error: server certificate verification failed.  CAfile: server.crt CRLfile: none

Find the coin to mine (with JSON API and charting) at http://www.coinchoose.com
http://www.multipool.in - Always mine the most profitable coin
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
July 01, 2011, 02:26:24 PM
 #17

Update of the webclient is now live, now it allows you to securely keep the keys for multiple accounts stored on your local machine in the browser.

https://glbse.com/client/glbse/index.html

The old client is available here if you prefer.

https://glbse.com/client/glbse_old/index.html

If there are any issues post them in any one of these threads, I'm watching them.

http://forum.bitcoin.org/index.php?topic=13055.80

http://forum.bitcoin.org/index.php?topic=19853.0

I appologise to anyone who didn't get your issues fixed in a timely manner over the last week, that is totally my fault.

Currently I'm the only one who is in a possition to resolve those issues, and was traveling for a few days. This is something We're hoping to resolve as we go forward.

Nefario.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
July 04, 2011, 05:54:03 PM
 #18

Web client has been updated.

Issues caused by the release last week have been fixed.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Sukrim
Legendary
*
Offline Offline

Activity: 1848


View Profile
July 06, 2011, 04:38:45 PM
 #19

Some of the chart subpages (Trade History/Market depth) seem to still be broken, also the database below the charts still don't seem to include all transactions since the start of GLBSE. I guess this has low priority but I still wanted to report it. Keep up the great work! Smiley

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
July 07, 2011, 01:48:34 AM
 #20

Some of the chart subpages (Trade History/Market depth) seem to still be broken, also the database below the charts still don't seem to include all transactions since the start of GLBSE. I guess this has low priority but I still wanted to report it. Keep up the great work! Smiley

charts had the readings backwards for a week or two, and has recorded that information. Thats what's being seen.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!