Devcoin

[Kumala]

Any exchange already up?

By the way, how am I to read the security requirement of:

3) Passwords should be hashed at least 10,000 times.

Would sha2(UserPassword+UserID+12 digit random number + the_exchanges_secret_word)   qualify?
Or do I need to loop over this 10000 times (with adding the loop counter to the string before hasing again?

[1714910751]

1714910751

[btc_artist]

By the way, how am I to read the security requirement of:

3) Passwords should be hashed at least 10,000 times.

Would sha2(UserPassword+UserID+12 digit random number + the_exchanges_secret_word)   qualify?
Or do I need to loop over this 10000 times (with adding the loop counter to the string before hasing again?

Use bcrypt. Here's an open source PHP implementation.

[Unthinkingbit]

Hi Shads,

btw the most recent commit of poolserverj should remove the restriction of a single aux chain.  Can't test it properly though until there's another merged mining capable chain.

That's great news.  Now all we need is for merged mining code to be developer further and some more alternate coins to support it.



Hi Kumala,

Any exchange already up?

No.  One person said that he would work on it, but there hasn't been any progress reported.  If two people make an exchange, the first will get the full bounty and the second will get 3/4 of the bounty.

By the way, how am I to read the security requirement of:

3) Passwords should be hashed at least 10,000 times.

Would sha2(UserPassword+UserID+12 digit random number + the_exchanges_secret_word)   qualify?
Or do I need to loop over this 10000 times (with adding the loop counter to the string before hasing again?

You would need to hash this 10,000 times (with the added loop counter to the string).  In pseudo code, something like:

hash = ''
for i in xrange(10000):
  hash = sha2(hash + UserPassword + UserID + 12 digit random number + the_exchanges_secret_word + str(i))

would qualify.

Bcrypt, as Btc_novice suggested, would be better.



Hi Btc_novice,

Use bcrypt. Here's an open source PHP implementation.

Indeed that would be better.  Thanks for the suggestion and links.

You get an informative post bounty, which is 1/5 of a generation share.  Please post a devcoin address and you'll be added to the next receiver list.

[btc_artist]

Hi Btc_novice,

Use bcrypt. Here's an open source PHP implementation.

Indeed that would be better.  Thanks for the suggestion and links.

You get an informative post bounty, which is 1/5 of a generation share.  Please post a devcoin address and you'll be added to the next receiver list.

Glad to help.

As for a devcoin address, I don't have one yet.  I'm just getting started with bitcoin and litecoin, and haven't had time to investigate other alternative crypto currencies yet.

[Kumala]

Use bcrypt. Here's an open source PHP implementation.

I'll probably pursue the loop I was mentioning above. Though I found a library that offers bcrypt for the framework I use, but I am trying to keep the source of my Exchange as lean as possible with as few dependency as possible. Every additional library and external code is ultimately a risk in the sense of potential additional vulnerabilities, version dependency (who knows if it will be maintained in the future, etc.).

Lets see, need to wrap up some other features I am currently implementing and testing. Another Chain, will probably also mean an upgrade of memory of the servers.

[Unthinkingbit]

Hi Btc_novice

Glad to help.

As for a devcoin address, I don't have one yet.  I'm just getting started with bitcoin and litecoin, and haven't had time to investigate other alternative crypto currencies yet.

As soon as you get one, post it in the devcoin thread and you'll be added to that receiver round.



Hi Kumala,

I'll probably pursue the loop I was mentioning above. Though I found a library that offers bcrypt for the framework I use, but I am trying to keep the source of my Exchange as lean as possible with as few dependency as possible.
..

That's fine.  I suggest adding a prefix to the hash so that'll it will be a bit easier to upgrade when a better function is used or the loop number is increased.  So in pseudo code, something like:

hash = ''
for i in xrange(10000):
  hash = sha2(hash + UserPassword + UserID + 12 digit random number + the_exchanges_secret_word + str(i))
hash = 'sha2-10000_' + hash

[Kumala]

The exchange is up and running, I have added Devcoin to www.vircurex.com

[Unthinkingbit]

Hi Kumala,

The exchange is up and running, I have added Devcoin to www.vircurex.com

Awesome!

Your exchange qualifies for the four share exchange bounty:
https://bitcointalk.org/index.php?topic=34586.msg552141#msg552141

Furthermore, of the extra eight share security bounties:

1) Strong passwords are required.
2) If there are repeated attempts to login, login should be slowed or a captcha should be used if it's not already.
3) Passwords should be hashed at least 10,000 times.
4) There should be an off site backup, at least 100 kilometers away from the site.
5) Deposits need at least six confirmations before they can be exchanged.

After using I can see that it qualifies for:

1) Strong passwords
5) At least six confirmations

Unfortunately I did not put values on the parts of the security bounties, so I'll do that now:

1) Strong passwords, 2 shares
2) Login should be slowed or a captcha, 2 shares
3) Passwords should be hashed repeatedly, 2 shares
4) Off site backup, 1 share
5) Six plus confirmations, 1 share

So the total bounty that I can see it qualifies for is 4 + 2 for strong passwords + 1 for confirmations = 7 shares.  By the options of five million devcoins (MDVC) per share or ten bitcoins per share, whichever you prefer, from the Bounties Summary at:
https://bitcointalk.org/index.php?topic=34586.msg591984#msg591984

You have the option of 7 generation shares, or 35 million devcoins, or 70 bitcoins.  Please post your preference and corresponding coin address.

To get the remaining security bounties, if the exchange qualifies for some or all additional security bounties, please send me some evidence for each by personal message:

2) An explanation of a defense against repeated login attempts.
3) A code snippet for repeated password hashing.
4) A way of proving that you have an off site backup.


Note to all traders:

I placed some token devcoin buy orders to test the exchange, however I will not place substantial buy orders until there is devcoin merged mining, because until there is merged mining devcoin is not a safe coin.  I recommend that no one else place substantial devcoin buy orders until there is merged mining.

If someone really wants to buy a substantial amount of devcoins before then, they can post a request in the thread to buy devcoins in return for someone's generation shares.  If devcoin has to be restarted because of an attack or code failure, the shares could be resent, although there is no guarantee.

[Kumala]

Hi Unthinkingbit,

1. If you enter the wrong passwort more than 3 times, a Captch shows up (for the next 5 minutes) that you require to enter in order to proceed with the login.
2. On the OS level I use fail2ban to capture attempts to crack the SSH username and password
3. Backup policy: the wallets get backuped up daily, the appplication database gets backed up every 10 minutes (currently full database backup due to its "small' size).
Further backup enhancements are planned: every order execution, withdrawal or deposit will be emailed to an admin account, this will then also allow a recovery with 0 data loss.

I'll send you the code snipplets and an extract from the backup script via PM,

7 generation shares, my DVC address: 1FCJgGYirQ4w2uA3rcE2zwVnD8LVwm8fbB

Thanks
Kumala

[caston]

I'm interested in offering a bounty for an illustrated short story for project in-utero (http://www.in-utero.org) which is a spin-off of Rejuvepedia. (http://www.rejuvepedia.org)

I was thinking of making it something like 5 million DVC + 2000 TBX + 2000 LTC. The bounty may be split amongst the writer and the illustrator if they are different people.

This is not the official announcement of course but would a mixed bounty be ok?

best regards,

Chris

[Unthinkingbit]

Hi Kumala,

Hi Unthinkingbit,

1. If you enter the wrong passwort more than 3 times, a Captch shows up (for the next 5 minutes) that you require to enter in order to proceed with the login.
2. On the OS level I use fail2ban to capture attempts to crack the SSH username and password
3. Backup policy: the wallets get backuped up daily, the appplication database gets backed up every 10 minutes (currently full database backup due to its "small' size).
Further backup enhancements are planned: every order execution, withdrawal or deposit will be emailed to an admin account, this will then also allow a recovery with 0 data loss.

I'll send you the code snipplets and an extract from the backup script via PM,

Thanks for sending the code snippets and backup script extract.  You demonstrated that your exchange meets all requirements for the secure exchange bounty.  Your award is 12 generation shares, which will be around 60 million DVC.  If there end up being more than 36 contributor groups in round 5 and therefore your share turns out to be less than 60 million DVC, I will cover the difference.

7 generation shares, my DVC address: 1FCJgGYirQ4w2uA3rcE2zwVnD8LVwm8fbB

You'll get 12 generation shares, starting in round 5.

By the way I sent 1,000,000 DVC for address confirmation because I assumed that you wanted devcoins upfront rather than generation shares, I didn't notice that you wrote generation shares until now.  Consider them a bonus 

[Kumala]

They arrived, many thanks.

[Unthinkingbit]

Hi Caston,

I was thinking of making it something like 5 million DVC + 2000 TBX + 2000 LTC. The bounty may be split amongst the writer and the illustrator if they are different people.

This is not the official announcement of course but would a mixed bounty be ok?

best regards,

Chris

A mixed bounty would be ok.

You can do whatever you want with your devcoins.

[Unthinkingbit]

Hi Kumala,

They arrived, many thanks.

You're welcome.

Thanks for choosing to take the bounty straight from generation, it means less accounting work for me 

[caston]

I've started writing the draft announcement for the project in-utero bounty.

http://www.in-utero.org/index.php/topic,6.msg6.html

I will revise it and add more details tomorrow. I have probably added far to much information (for background) in some parts and not enough in others.

I will also need to describe the requirements better for the story and the illustrations.

The next bounty will be for an animation of the rejuvenation processes that will be uploaded to youtube.

[btc_artist]

Out of curiosity, what is everybody's take on the purpose and goals of devcoin? (Especially Unthinkingbit's opinion)

[caston]

Out of curiosity, what is everybody's take on the purpose and goals of devcoin? (Especially Unthinkingbit's opinion)

The way I see it it's a token currency to allow open source projects to trade resources and to pay people for contributions. When you start an open source project you have ideas that there will
be lots of people helping you just because you made it open source yet the reality is that many projects have just one or two developers doing most of the work. Devcoin allows people to help kickstart new or further develop existing projects and get some outside help.

[Unthinkingbit]

The round 5 receiver files are now up:
http://galaxies.mygamesonline.org/receiver_5.csv
https://raw.github.com/Unthinkingbit/charity/master/receiver_5.csv
http://devcoinblockexplorer.info/receiver/receiver_5.csv

They are based on the account 5 file at:
https://raw.github.com/Unthinkingbit/charity/master/account_5.csv

New awards will go into round 6.

Note: there are 38 receiver lines in round 5, so each receiver line gets a minimum of int(4,000 / 38) * 45,000 DVC = 4,725,000 DVC.  The maximum shortfall of Kumula's exchange bounty is 12 * (5,000,000 - 4,725,000) DVC = 3,300,000 DVC.  So I sent 3,300,000 DVC to cover it, in block 17299:
http://107.20.193.62:2750/tx/9dc97fc1cd8d38f31dc810f7899ef3ba68fd672c11cb1f04f1d32f299fd724cb

[btc_artist]

Out of curiosity, what is everybody's take on the purpose and goals of devcoin? (Especially Unthinkingbit's opinion)

The way I see it it's a token currency to allow open source projects to trade resources and to pay people for contributions. When you start an open source project you have ideas that there will
be lots of people helping you just because you made it open source yet the reality is that many projects have just one or two developers doing most of the work. Devcoin allows people to help kickstart new or further develop existing projects and get some outside help.

Thanks for the response.  It seems to me that devcoin has a fatal flaw-- 90% of the benefits go directly to a select group of people (approved by whom?), thus ensuring it would never get adopted as a currency/means of barter by the greater population. Also, what is the motivation to mine it for the greater population?  Or perhaps I'm not understanding it correctly?

[Unthinkingbit]

This is an update of the wiki bounty.

For the bounty, the developer can choose from either the offered generation shares (minimum five million devcoins), or five million devcoins per share upfront or ten bitcoins per share, whichever you prefer will get generation shares.

Edit: There are now three wikis, and another is not needed; so the options of the devcoins upfront, or bitcoins, have been cancelled. The developer would only get generation shares.


The bounty is for an open source wiki where the contributors get a share of the advertising revenue, converted to devcoins, plus devcoin generation shares.  The developer who makes the wiki gets four generation shares (20 MVDC or 40 BTC).  If the wiki also has some kind of advertising, the developer will get an additional four shares (20 MVDC or 40 BTC).

There are three potential ways of getting advertising revenue:

1) A bitcoin advertising network like Operation Fabulous:
http://www.operationfabulous.com/

2) Handling bitcoin advertising directly.

3) Set up a cooperative in a tax free jurisdiction and connect to regular ad networks.

It doesn't matter what method is used.  All that matters is that only text or picture ads will be accepted, there will be only one ad group on each page, and no malware, porn or scammy stuff.

Whoever sets up the wiki will get a share of the generation to administer it.  However, they do not have total control over the website, they are just administering it for what will eventually be a democratic cooperative.  Of course, they will be part of that cooperative.  There are no notability requirements for the wiki, only the usual no malware, porn or scammy stuff.

If more than one person makes the wiki, the second will get three quarters of the bounty, the third two quarters of the bounty and the fourth one quarter of the bounty.  The next developers would have to maintain a backup of the first wiki, if the first wiki failed for some reason they would bring their wiki to the fore.