🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
July 03, 2013, 12:34:53 AM Last edit: July 03, 2013, 12:55:08 AM by TradeFortress
I don't want to turn this thread too off topic, but I'll just say that all online services require trust, including Blockchain.info. Have you inspected every single line of code in the minified JS files - not the github, but what is served to you (could be individually, as Blockchain knows your wallet balance)? Every single time you signed in? It's very easy for blockchain.info (if they wanted) to take your coins - or someone else who worked on the code. I ported Blockchain.info to the Chrome Extension, and I know piuk did not diff the files I gave him. Very few people would have checked the source -- since it was the official extension on the chrome web store.
You're also trusting all the dependencies. Let's take cryptocat. I can't find the commit/issue right now, but their JS crypto library had a huge bug with entropy for key generation (or something similar - just going off my head). It was detected months later. Cryptocat's security was effectively null because of that bug -- and this is a project with paid bounties.
The actual vulnerability was tiny - it was an off by one error repeated in a loop. In a totally unrelated file, Blockchain.info could push their own address to a "send to" array/buffer, and for the UI have this off by one error. Looks correct, sign, and when Blockchain.info gives the TX back to you, they'll hide it. You're not going to find it when digging through thousands of lines of code.
You are also trusting Blockchain to supply you with correct information. For example, you see a TX? On your wallet and Blockchain.info? As they are the first place everyone checks, how do you know if it never existed and was made up?
If you use the API, they have your private keys, period. Ultimately, block chain isn't secure. We don't pretend we can't take your coins because every online service - including Blockchain and Rush wallet can. If they do serve you a "send all coins to .info", sure they'll get caught but they can hide the tx for hours as they won't display it on the site while people work out why they can't spend their coins on #bitcoin-dev.
I trust piuk and I don't think he will do any of that. But Blockchain.info's client sided features mean about nothing because they are able to raid at least a significant majority of coins, while there are very tangible benefits to our off chain network.
Bowjob
July 03, 2013, 12:47:14 AM
This is where dooglus runs away with the coins
It seemed like a good idea at the time.
Pale Phoenix
July 03, 2013, 12:48:44 AM
Great job on the site dooglus... I came for the investment, and stayed for the gambling and chat. :-)
dooglus (OP)
Legendary
Offline
Activity: 2940
Merit: 1333
July 03, 2013, 01:26:40 AM
> This is where dooglus runs away with the coins
In case anyone's worried about the counter-party risk that Just-Dice is taking on in trusting inputs.io deposits to be valid, we've frozen the balance in TF's account (the 580 BTC or whatever he had after his crazy bets of a few days ago) as collateral. That allows us to eliminate the counter-party risk entirely, with the only caveat being that his frozen coins are invested on the site, and so could be lost if we're particularly unlucky.
Just-Dice | Play or Invest | 1% House Edge
BRules
July 03, 2013, 02:43:46 AM
> I don't want to turn this thread too off topic, but I'll just say that all online services require trust, including Blockchain.info. Have you inspected every single line of code in the minified JS files - not the github, but what is served to you (could be individually, as Blockchain knows your wallet balance)? Every single time you signed in? It's very easy for blockchain.info (if they wanted) to take your coins - or someone else who worked on the code. I ported Blockchain.info to the Chrome Extension, and I know piuk did not diff the files I gave him. Very few people would have checked the source -- since it was the official extension on the chrome web store.
> You're also trusting all the dependencies. Let's take cryptocat. I can't find the commit/issue right now, but their JS crypto library had a huge bug with entropy for key generation (or something similar - just going off my head). It was detected months later. Cryptocat's security was effectively null because of that bug -- and this is a project with paid bounties.
> The actual vulnerability was tiny - it was an off by one error repeated in a loop. In a totally unrelated file, Blockchain.info could push their own address to a "send to" array/buffer, and for the UI have this off by one error. Looks correct, sign, and when Blockchain.info gives the TX back to you, they'll hide it. You're not going to find it when digging through thousands of lines of code.
> You are also trusting Blockchain to supply you with correct information. For example, you see a TX? On your wallet and Blockchain.info? As they are the first place everyone checks, how do you know if it never existed and was made up?
> If you use the API, they have your private keys, period. Ultimately, block chain isn't secure. We don't pretend we can't take your coins because every online service - including Blockchain and Rush wallet can. If they do serve you a "send all coins to .info", sure they'll get caught but they can hide the tx for hours as they won't display it on the site while people work out why they can't spend their coins on #bitcoin-dev.
> I trust piuk and I don't think he will do any of that. But Blockchain.info's client sided features mean about nothing because they are able to raid at least a significant majority of coins, while there are very tangible benefits to our off chain network.
When involving money, I'm kinda paranoid. I must say that I didn't use the blockchain wallet before just because, even though all the bitcoin processing was client side, I have to trust that no one touched anything in the code. Then came the chrome extension (didn't know that was you, tvm for it), browsed through the code, monitored some requests, and now I'm finally comfortable using the blockchain.info wallet. Forgive me if I suggested that you will run with our money, I know your reputation here on the forum and I'm pretty sure that you don't need and won't do this, but I will be much more comfortable using your service if I can see that you will profit from it too. And as you have all the private keys in the server, this probably will be a target for hackers, and this is what really is worrying me.
Professor James Moriarty
aka TheTortoise
Sr. Member
Offline
Activity: 434
Merit: 250
July 03, 2013, 05:38:55 AM
The new list at the bottom looks cool
dooglus (OP)
Legendary
Offline
Activity: 2940
Merit: 1333
July 03, 2013, 07:21:11 AM
> The new list at the bottom looks cool
You mean how you can see the stats updating live on the chat tab now?
Just-Dice | Play or Invest | 1% House Edge
acs26
Guest
July 03, 2013, 08:39:35 AM
Doog, how much has anybody ever won on Just-Dice? (I'm guessing it was TF and his gambling-spree?)
icey
Legendary
Offline
Activity: 1578
Merit: 1000
May the coin be with you..
July 03, 2013, 02:46:37 PM
Is the site down?
gog1
July 03, 2013, 02:46:57 PM
Can't get to the site, is it down?
syphen
Member
Offline
Activity: 102
Merit: 10
July 03, 2013, 02:55:22 PM
Site is down what do I do at work now
SpaceJelly
Member
Offline
Activity: 106
Merit: 10
July 03, 2013, 02:56:56 PM
> Site is down what do I do at work now
errrm, here's a controversial comment.... how about work? Come on just-dice, I've got an hour to kill at work here!
1Je11yL4Fqw5nvaP6KUs2JDABBp29vKeEU 1JeLLyv8o7YwooSg53qEdDSPXeAT3ShQoc
Dabs
Legendary
Offline
Activity: 3416
Merit: 1912
The Concierge of Crypto
July 03, 2013, 03:05:02 PM
Professor James Moriarty
aka TheTortoise
Sr. Member
Offline
Activity: 434
Merit: 250
July 03, 2013, 03:11:13 PM
Every time justdice is down I get so excited, I bet doog is doing something awesome with it
petrescuerz
Member
Offline
Activity: 102
Merit: 10
July 03, 2013, 03:21:15 PM
Site should be back up soon. Thanks for your patience guys. Deb
petrescuerz
Member
Offline
Activity: 102
Merit: 10
July 03, 2013, 03:34:15 PM
And, we're back. Deb
dooglus (OP)
Legendary
Offline
Activity: 2940
Merit: 1333
July 03, 2013, 03:37:08 PM
> Doog, how much has anybody ever won on Just-Dice? (I'm guessing it was TF and his gambling-spree?)
Two problems: 1) I don't really understand your question. Are you asking who has won the most BTC (ignoring losses), the most profit, the most bets, or the biggest single bet? 2) I don't really know any of the answers. I have a database with 11 million rows in it (one per bet) which bogs the server down when I query it. I need to have the server keep a separate note of interesting statistics.
> Is the site down?
It wasn't down, it was just very very busily stuck in an apparently endless loop. Too busy to talk to you lot, apparently. I need to try to work out why it does that, but without knowing how to trigger it, it's hard! Back now, anyway. Thanks for letting me know it was having trouble.
Just-Dice | Play or Invest | 1% House Edge
dooglus (OP)
Legendary
Offline
Activity: 2940
Merit: 1333
July 03, 2013, 03:42:23 PM
> Every time justdice is down I get so excited, I bet doog is doing something awesome with it
I was sleeping... That's something awesome, but not related to the site. I'm wondering what to do when people contact support with things like: "i reset my phone and lost my 2 factor apps and the account, can you reset my 2 factor security setting?" If I reset two-factor-auth codes, what use is two-factor-auth? I can ask him to sign the address he deposited from, but a hacker in his computer could maybe do that. Imagine you lost your phone. How would you prove you were you? Then imagine your account got hacked. Would the hacker be able to make the same proof?
Just-Dice | Play or Invest | 1% House Edge
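dooglus's question above (how a user who lost their phone proves they are who they say they are, without a "support resets 2FA" path that an attacker in the user's mailbox or computer could also walk) is usually answered with one-time recovery codes issued at 2FA enrolment. The following is an added example, not code from Just-Dice or from anyone in this thread, of such a scheme in Python: codes come from a CSPRNG, the server stores only their hashes, and each code is accepted exactly once. The account names, the number of codes per account and the login-policy function are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

CODE_BYTES = 10        # 80 bits of CSPRNG entropy per code
CODES_PER_ACCOUNT = 8  # constructed choice for the demo


def _normalise(code: str) -> str:
    """Strip the grouping hyphens, spaces and case a user may type back in."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str) -> str:
    """Plain SHA-256 suffices here because every code carries 80 bits of random entropy
    (unlike a human-chosen password); a leaked table reveals nothing usable."""
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def _format(raw_hex: str) -> str:
    """Group into 5-character chunks so the user can write the code down accurately."""
    return "-".join(raw_hex[i:i + 5] for i in range(0, len(raw_hex), 5))


class RecoveryCodeStore:
    """Per-account set of UNUSED recovery-code hashes (in-memory stand-in for a DB table)."""

    def __init__(self) -> None:
        self._unused: Dict[str, Set[str]] = {}

    def issue(self, account: str, count: int = CODES_PER_ACCOUNT) -> List[str]:
        """Generate fresh codes at 2FA enrolment; any earlier codes are invalidated.
        The clear-text list is shown to the user once and never stored."""
        codes = [_format(secrets.token_hex(CODE_BYTES)) for _ in range(count)]
        self._unused[account] = {_hash_code(c) for c in codes}
        return codes

    def redeem(self, account: str, code: str) -> bool:
        """Accept a code at most once, comparing in constant time against each stored hash."""
        digest = _hash_code(code)
        unused = self._unused.get(account, set())
        match = next((h for h in unused if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        unused.remove(match)  # burn it: a replayed or shoulder-surfed code is now worthless
        return True

    def remaining(self, account: str) -> int:
        return len(self._unused.get(account, ()))


def second_factor_ok(store: RecoveryCodeStore, account: str,
                     totp_valid: bool, recovery_code: Optional[str]) -> bool:
    """Login policy: the authenticator app, else an unused recovery code.
    There is deliberately no 'support resets 2FA' branch: that is the path
    an attacker who already controls the user's machine or mailbox can also take."""
    if totp_valid:
        return True
    if recovery_code is not None:
        return store.redeem(account, recovery_code)
    return False


def lost_phone_demo() -> dict:
    """Walk-through: enrol, lose the phone, recover once, then an attacker replays the code."""
    store = RecoveryCodeStore()
    codes = store.issue("alice")  # constructed account name
    user_logs_in = second_factor_ok(store, "alice", totp_valid=False, recovery_code=codes[0])
    replay_blocked = not second_factor_ok(store, "alice", totp_valid=False, recovery_code=codes[0])
    wrong_account = not second_factor_ok(store, "bob", totp_valid=False, recovery_code=codes[1])
    return {
        "issued": len(codes),
        "user_logs_in": user_logs_in,
        "replay_blocked": replay_blocked,
        "wrong_account_blocked": wrong_account,
        "codes_left": store.remaining("alice"),
    }


if __name__ == "__main__":
    print(lost_phone_demo())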
MattFoster42
Newbie
Offline
Activity: 40
Merit: 0
July 03, 2013, 04:17:39 PM
A little off topic, but it's very true.
Google authenticator on iOS is not very mobile. _IF_ you encrypt your backups of your iDevice to iTunes, then the google authenticator keys will get backed up as well. If you don't, and the phone crashes/gets lost/stolen/is upgraded then *poof* codes are gone.
Even this is not really enough though IMHO, relying on iTunes backups. What if you want to change platform? What if your laptop & phone get nicked at the same time (OK, you have time machine backups right?)
You can't move the codes around. You have to tell every service you've signed up for that you have a new token. Google themselves have a link to do it for your gmail account itself, but for everything else you are in the lap of the site provider. A lot of the time it's going to mean disabling 2FA, then re-enabling with the new token; you'd better hope you have both of them available when you do this. Mt Gox btw allows you to have multiple soft tokens defined.
So, to the point, based upon personal experience. Move to Authy away from Google Authenticator. Authy is fully compatible with all services that use Google Authenticator.
It has built in encrypted (if we believe them) backups of the seeds and keys. So now you have a dual recovery strategy, which is platform/device neutral. You'd better pick a strong password for your authy account mind you, and trust that they don't go under and don't backdoor the crypto. And don't forget the authy password.
Took me about 30 minutes to migrate everything from Google Authenticator to Authy (7 odd accounts). It might seem tedious at the time, but it sure as hell is a great investment when you consider what might happen if you lose the token.
2FA token recovery is hard enough for Enterprise where there is some level of fall back identity proofing. With public/consumer grade services like GAuth the problem is manifestly worse.
You _might_ convince Dooglus that you are who you say you are. How about google? How long do you think that would take? Or Gox?
There are two types of people in the world when it comes to this kind of thing (critical backup). Those who have lost data, and those that are going to. You really need to ensure that you can recover your 2FA capability as reliably as you can recover wallet.dat - because you all have distributed, multiple, frequently updated, strongly protected or offline backups of wallet.dat don't you?
Playing with beta software here nearly caused me real problems on this one, but I have enough backups of everything that I was able to recover, with only a tiny bit of help when iTunes decided to helpfully nuke the backup I needed and I had to resort to Time Machine (did you know that iTunes just rolls the backup of your iDevice only keeping an older version at major upgrade times. Thanks for that Apple).
OK, lecture over.
Matt
Disclaimer, I've worked in IT for far too long now. Prior to my recent job change I was the Enterprise Architect for Identity/Security at a global Enterprise with over 150K employees; I have some clue what I am talking about when it comes to these things.
M
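Matt's underlying point is that the TOTP seed, not the phone or the app, is the credential worth backing up: any device holding the same seed produces the same codes, which is exactly why a seed-aware backup (encrypted iTunes backup, Authy's backup) restores 2FA while a re-enrolment does not. The following is an added example, not code from this thread or from Google Authenticator or Authy, implementing RFC 6238 TOTP with only the Python standard library and showing a seed restored from a backup producing identical, server-accepted codes. The demo seed, the account timestamp and the one-step verification window are constructed assumptions; the RFC 6238 Appendix B test vectors are used to check the implementation itself.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the time step every Google Authenticator-compatible service uses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def seed_from_base32(seed_b32: str) -> bytes:
    """Decode the base32 seed from an enrolment QR code (the secret= field of an otpauth:// URI).
    Accepts the lowercase, spaced, unpadded form most apps display."""
    compact = seed_b32.replace(" ", "").strip().upper()
    compact += "=" * (-len(compact) % 8)  # restore the base32 padding that apps usually drop
    return base64.b32decode(compact)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check allowing `window` steps of clock skew either side, constant-time compare."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def restore_demo(seed_b32: str, unix_time: int) -> dict:
    """The post's point in code: a seed restored from a backup is the same credential.
    `seed_b32` is what the user enrolled with; `backup_export` is what a seed-aware backup stores."""
    original_phone = seed_from_base32(seed_b32)
    backup_export = base64.b32encode(original_phone).decode()  # what gets backed up
    replacement_phone = seed_from_base32(backup_export)          # restored on a new device
    new_code = totp(replacement_phone, unix_time)
    return {
        "same_seed": original_phone == replacement_phone,
        "old_phone_code": totp(original_phone, unix_time),
        "new_phone_code": new_code,
        "server_accepts_new_phone": verify(original_phone, new_code, unix_time),
    }


def rfc6238_vectors_pass() -> bool:
    """Check against the published RFC 6238 Appendix B SHA-1 vectors (8-digit codes)."""
    secret = b"12345678901234567890"
    vectors = {59: "94287082", 1111111109: "07081804", 1234567890: "89005924", 2000000000: "69279037"}
    return all(totp(secret, t, digits=8) == code for t, code in vectors.items())


if __name__ == "__main__":
    CONSTRUCTED_SEED = "jbsw y3dp ehpk 3pxp"  # constructed demo seed, not any real account's
    print("RFC 6238 vectors pass:", rfc6238_vectors_pass())
    print(restore_demo(CONSTRUCTED_SEED, 1372863600))  # constructed timestamp near this thread's date
```

The practical consequence for the backup strategy Matt describes is visible in `restore_demo`: the only secret that has to survive a lost or wiped phone is the base32 seed, and whoever can read that backup can also generate the codes, which is why the backup itself has to be encrypted and the password for it kept somewhere other than the phone.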
infested999
July 03, 2013, 11:52:39 PM
7-4 NEVER FORGET