Jered Kenna (TradeHill) (OP)
June 20, 2011, 07:40:15 AM
No one likes to use captchas but site security is paramount. We've added one to our login and multiple failed attempts will now cause a lock out. This should reduce the chances of an effective brute force attack.
If you have used the same password on Mt Gox and TradeHill you should change it as soon as possible.
We are scheduled to resume trading at 10am Monday morning EST.
We will be continually reevaluating and upgrading our security.
moneyandtech.com @moneyandtech @jeredkenna
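The lockout the post describes (a per-account failed-attempt counter, a captcha demanded after a couple of failures, and a temporary lock after several more) is easy to get subtly wrong, so here is an added illustration of the mechanism. This is example code written for this thread, not TradeHill's implementation; the thresholds, the PBKDF2 parameters and the in-memory stores are assumptions. It also handles one point raised later in the thread: unknown usernames get the same counter and the same hashing work as real ones, so the login form does not act as a username oracle.

```python
"""Login throttling with captcha step-up and temporary lockout (illustrative)."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # assumed: failures that trigger a lock
LOCKOUT_SECONDS = 15 * 60   # assumed: lock duration
CAPTCHA_AFTER = 2           # assumed: failures before a captcha is demanded
PBKDF2_ROUNDS = 100_000     # assumed work factor for password hashing


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Dummy credential checked for unknown usernames, so that an attempt against a
# non-existent account costs the same time and yields the same answer.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.creds = {}   # username -> (salt, pbkdf2 hash)
        # username -> [failures, locked_until]; kept for unknown names as well.
        # A real deployment would use an expiring store to bound its size.
        self.state = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.creds[username] = (salt, hash_password(password, salt))

    def _state(self, username: str) -> list:
        return self.state.setdefault(username, [0, 0.0])

    def needs_captcha(self, username: str) -> bool:
        return self._state(username)[0] >= CAPTCHA_AFTER

    def attempt(self, username: str, password: str, captcha_solved: bool = False) -> str:
        """Return 'ok', 'denied', 'captcha_required' or 'locked'."""
        now = self.clock()
        st = self._state(username)
        if now < st[1]:
            return "locked"
        if st[0] >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        salt, expected = self.creds.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        # Always do the hash and a constant-time compare, even for unknown users.
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if matches and username in self.creds:
            st[0] = 0
            return "ok"
        st[0] += 1
        if st[0] >= MAX_FAILURES:
            st[0] = 0
            st[1] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    for pw in ["guess1", "guess2", "guess3"]:
        print(pw, "->", guard.attempt("alice", pw))
    print("captcha needed:", guard.needs_captcha("alice"))
```

The order of the checks matters: the lock is tested before the captcha, and the captcha before any password comparison, so a locked account never reveals whether a guess was right. Resetting the counter on a successful login keeps legitimate users who mistype once or twice from accumulating failures across sessions.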
nhodges
June 20, 2011, 07:51:26 AM
Cool, I can go to sleep and not worry that the trading is going to resume while my eyes are closed. :] Great talk on OnlyOneTV about forthcoming security improvements, excited to see them implemented!
ploum
June 20, 2011, 07:57:14 AM
A simple but effective measure could be to force email confirmation for any withdrawal.
In the longer term, I really hope to see GPG authentication required for big trades.
Jered Kenna (TradeHill) (OP)
June 20, 2011, 08:12:20 AM
Thanks Nhodges

> A simple but effective measure could be to force email confirmation for any withdrawal.
> In the longer term, I really hope to see GPG authentication required for big trades.

We manually verify the big transfers. We held up a 2500 BTC transfer earlier and a few 500 BTC or so transfers. Most likely legit, but we prefer to take the time to send an email than risk someone logging in to find their Bitcoins missing. We spent a lot of time tonight discussing different possibilities and will be implementing more features soon.
willphase
June 20, 2011, 08:23:12 AM
How about accepting OpenID? Then people could use Google's two-factor authentication.
Will
kjj
June 20, 2011, 08:25:02 AM
Your captcha is useless and annoying. There are better ways to prevent oracle attacks.
If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database. Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.
Captchas were great 10 years ago, when not everyone knew how to break them. By now, they have to be nearly unreadable to be effective. Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
rebuilder
June 20, 2011, 08:29:07 AM
I second the call for two-factor authentication, though I'd prefer a list of numbers as banking sites use. Google's system uses SMS, as far as I know, and I'm not giving them my number. So, let the user print a list of one-time passcodes, a random one of which will be asked for when logging in, and when only 10 or so unused codes remain, tell the user to print a new set.
Selling out to advertisers shows you respect neither yourself nor the rest of us. --------------------------------------------------------------- Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
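The printed one-time passcode list suggested in the post above (a random unused code is challenged at each login, and the user is told to print a new sheet once about ten remain) is a well-understood scheme, so here is an added, runnable sketch of the server side. This is example code for this thread, not anyone's production system; the sheet size, the 8-digit code format and the HMAC pepper are assumptions. Codes are stored only as keyed hashes: a leaked database then does not yield the sheet unless the pepper, held outside the database, leaks too.

```python
"""Server-side handling of a printed one-time passcode sheet (illustrative)."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8        # assumed length of each printed code
LOW_WATER_MARK = 10    # ask for a reprint when this many or fewer codes remain
SHEET_SIZE = 40        # assumed number of codes per printed sheet


def _digest(pepper: bytes, sheet_id: bytes, index: int, code: str) -> bytes:
    """Keyed hash of one code, bound to its sheet and position."""
    msg = sheet_id + index.to_bytes(2, "big") + code.encode("ascii")
    return hmac.new(pepper, msg, hashlib.sha256).digest()


class CodeSheet:
    def __init__(self, pepper: bytes, size: int = SHEET_SIZE):
        self.pepper = pepper
        self.sheet_id = secrets.token_bytes(8)
        plaintext = [
            f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(size)
        ]
        # Only the keyed digests are retained; the plaintext is handed out once.
        self.digests = [_digest(pepper, self.sheet_id, i, c) for i, c in enumerate(plaintext)]
        self.used = [False] * size
        self._plaintext = plaintext

    def issue_for_printing(self) -> list:
        """Return the plaintext codes exactly once, for the print-out."""
        codes, self._plaintext = self._plaintext, None
        if codes is None:
            raise RuntimeError("sheet already issued")
        return codes

    def remaining(self) -> int:
        return self.used.count(False)

    def needs_reprint(self) -> bool:
        return self.remaining() <= LOW_WATER_MARK

    def challenge(self) -> int:
        """Pick a random unused position to ask the user for."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError("sheet exhausted; a new sheet must be issued")
        return secrets.choice(unused)

    def verify(self, index: int, code: str) -> bool:
        """Check the code at the challenged position; burn it on success."""
        if not 0 <= index < len(self.used) or self.used[index]:
            return False
        expected = self.digests[index]
        ok = hmac.compare_digest(_digest(self.pepper, self.sheet_id, index, code.strip()), expected)
        if ok:
            self.used[index] = True
        return ok


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)      # would live in config, not the database
    sheet = CodeSheet(pepper)
    printed = sheet.issue_for_printing()  # goes to the user's printer, then is discarded
    idx = sheet.challenge()
    print("please enter code #%d:" % (idx + 1), sheet.verify(idx, printed[idx]))
    print("remaining:", sheet.remaining(), "reprint needed:", sheet.needs_reprint())
```

Because the server chooses the position at random from the unused ones, a single code phished from a user cannot be replayed at will: the attacker has to wait for that exact position to be asked, and a successful login by the real user may burn it first. The failed-attempt counting from the login form should apply to these challenges as well, since an 8-digit code is only worth about 26 bits on its own.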
mikegogulski
June 20, 2011, 08:32:54 AM
> Your captcha is useless and annoying. There are better ways to prevent oracle attacks.
> If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database. Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.
> Captchas were great 10 years ago, when not everyone knew how to break them. By now, they have to be nearly unreadable to be effective. Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.

Well, that's one way to do it. Much easier is paying a kid in China $0.01 to do it for you.
dserrano5
June 20, 2011, 09:33:56 AM
> We are scheduled to resume trading at 10am Monday morning EST.

Where is EST relative to GMT? Not everyone lives there/knows that. (Actual answer not needed, I know how to use Google, but it's annoying.)
Sukrim
June 20, 2011, 09:38:41 AM
> Where is EST relative to GMT?

10 am EST = 3 pm GMT (they might have DST in EST though, for example, which I'm not 100% aware of; this is why you should use UTC!)

Edit: Oh yes, and the captcha is a joke!