Bitcoin Forum
October 14, 2024, 05:33:36 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 »  All
  Print  
Author Topic: New Bitcoin Exchange (mtgox.com)  (Read 38488 times)
mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 01:57:19 AM
Last edit: July 23, 2010, 12:39:48 PM by mtgox
Merited by TheNewAnon135246 (1), TMAN (1)
 #1

Hi Everyone,
I just put up a new bitcoin exchange.
Please let me know what you think.
https://mtgox.com


Babylon
Hero Member
*****
Offline Offline

Activity: 938
Merit: 500

CryptoTalk.Org - Get Paid for every Post!


View Profile
July 18, 2010, 02:04:30 AM
 #2

Hi Everyone,
I just put up a new bitcoin exchange.
Please let me know what you think.
https://mtgox.com



Your trade mechanism seems to favor those buying bitcoins at the expense of those selling.  I am not certain but I believe that bitcoin market take the average between the high bid and the low ask while you set the price at the low ask.  This is not necessarially a bad thing, but I did want to point it out.

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 02:15:09 AM
 #3

I should add this to the site but...
that ticker is:
Last Price:  (The price of the last successful trade)
High:  (the highest price in the last 24 hours)
Low:  (the lowest price in the last 24 hours)
Volume: (the total amount traded in the last 24 hours)

Current Lowest Buy Price  (This is the lowest buy price currently offered by another user)
Current Highest Sell Price  (This is the highest sell price currently offered by another user)

All trades are between users. So the current buy price and current low price is just what someone else entered. You can always enter a lower or higher one.

SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
July 18, 2010, 02:22:39 AM
Last edit: November 24, 2018, 04:29:19 PM by SmokeTooMuch
 #4

https://mtgox.com/users/login?username=SmokeTooMuch&password=XXXXXXX

what the fuck!?! use hashes for transmitting and saving passwords!!!!

and btw, I cant log in

sorry to say that, but until now your exchange service is just a password-ripoff service ....


BTW: I want you to delete my account and all associated info (like my password, dude!)

I will re-register when you fixed that password thing ...


EDIT 2004-02-27:
Since this post has gotten some attention from reddit I feel I should clarify a few things.
At the time of posting this I had a very naive perception of IT security. It is perfectly normal for sites to receive their users passwords in cleartext and hashing them after (server-side).
I've since learned a lot about IT security and want to apologize for the inconvenience I brought upon the service back then.
The real problem was not the un-hashed transfer, but the transfer via GET (readable in URL) as opposed to POST (non-readable in URL), so the only attack vector was an "over the shoulder attack".

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
PulsedMedia
Sr. Member
****
Offline Offline

Activity: 402
Merit: 250


View Profile WWW
July 18, 2010, 02:26:35 AM
 #5

https://mtgox.com/users/login?username=SmokeTooMuch&password=XXXXXXX

what the fuck!?! use hashes for transmitting and saving passwords!!!!

and btw, I cant log in

sorry to say that, but until now your exchange service is just a password-ripoff service ....

Well atleast POST and not GET. (Btw, 99.9% of web services transmit password from user browser to the server clear text, no JS hashing or something before transmit)

And another thing: The spread is insane. Insanely expensive to buy BC and selling BC mediocre rate for today.

http://PulsedMedia.com - Semidedicated rTorrent seedboxes
mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 02:31:00 AM
 #6

SmokeTooMuch: It is a post over https. It is secure. I'll PM you about the login issue if that is ok.

PulsedMedia: The spread is 2%. Is that too high? I think you are just looking at the difference in what two people are offering. That isn't what you should look at.

SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
July 18, 2010, 02:32:53 AM
Last edit: February 26, 2014, 11:40:08 PM by SmokeTooMuch
 #7

You can't use unhashed passwords at a site, that deals with money. That's just one big mistake you just can't make if you want to make such a thing. What if someone hacks your database ? He could steal the money and BTC funded in all your users accounts.



SmokeTooMuch: It is a post over https. It is secure. I'll PM you about the login issue if that is ok.
maybe the transmission is secured, but what's with your database ? Since you don't transmit hashes I guess the passwords get stored in clear text.

EDIT 2014-02-27:
See this post https://bitcointalk.org/index.php?topic=444.msg3876#msg3876

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 02:34:45 AM
 #8

Don't worry the passwords are hashed in the DB.

PulsedMedia
Sr. Member
****
Offline Offline

Activity: 402
Merit: 250


View Profile WWW
July 18, 2010, 02:37:31 AM
 #9

You can't use unhashed passwords at a site, that deals with money. That's just one big mistake you just can't make if you want to make such a thing. What if someone hacks your database ? He could steal the money and BTC funded in all your users accounts.

That the variable coming to server is unhashed does not say that the DB uses unhashed pws.

The password is practically always transmitted cleartext to the server, within SSL session most of the time however, on crucial things. But it does not tell is it hashed in the database or not.

The thing about if the encryption is clientside, it's trivial for any hacker to hack as the algo can be trivially disassembled and disseminated.

It's a very bad idea to transmit the password in GET variable tho.

http://PulsedMedia.com - Semidedicated rTorrent seedboxes
SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
July 18, 2010, 02:38:17 AM
Last edit: February 26, 2014, 11:41:07 PM by SmokeTooMuch
 #10

so how does it work ?

password --->encryption (ssl) ---> your site/server && decryption ---> hashing ---> saving/checking hash in db ?


as long as you receive the password unencrypted, it's just not an option for me


EDIT 2014-02-27:
See this post https://bitcointalk.org/index.php?topic=444.msg3876#msg3876

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5348
Merit: 13336


View Profile
July 18, 2010, 02:45:00 AM
 #11

Why would I use Mt. Gox instead of BitCoin Market?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
July 18, 2010, 02:47:18 AM
Last edit: February 26, 2014, 11:44:07 PM by SmokeTooMuch
 #12

you could buy BTC cheap at one of them and sell them fore more at the other exchange service (if the exchange rates fit in that pattern)

EDIT 2014-02-27:
See this post https://bitcointalk.org/index.php?topic=444.msg3876#msg3876

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 02:51:32 AM
 #13

SmokeTooMuch: Almost all sites do it this way. Are you worried that I personally will learn your password? You can just set your "password" to be the hash of your password if you are really worried.
(or use a different one for mtgox)


mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 02:53:07 AM
Last edit: July 19, 2010, 12:42:47 PM by mtgox
 #14

> Why would I use Mt. Gox instead of BitCoin Market?

It is always online, automated, the site is faster and on dedicated hosting and I think the interface is nicer.

Babylon
Hero Member
*****
Offline Offline

Activity: 938
Merit: 500

CryptoTalk.Org - Get Paid for every Post!


View Profile
July 18, 2010, 02:55:27 AM
 #15

> Why would I use Mt. Gox instead of BitCoin Market?

It is always online, the site is faster and I think the interface is nicer.
Also because, at the moment, bitcoins are cheaper on MTgox, although I am not sure if there are any actually available since with a higher bid than sell transactions should be being resolved.

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
July 18, 2010, 02:57:14 AM
Last edit: February 26, 2014, 11:44:14 PM by SmokeTooMuch
 #16

SmokeTooMuch: Almost all sites do it this way. Are you worried that I personally will learn your password? You can just set your "password" to be the hash of your password if you are really worried.
(or use a different one for mtgox)

this won't prevent you from stealing your users cash and btc. pls correct me if i'm wrong.

and i say it again, i want you to delete my account and all associated data.

maybe i will re-register later, but for now i decided to not using your service.

sry for making you such a hard start into business, but it's 5 am here and i'm a bit stressed out.
will go to sleep now.


EDIT 2014-02-27:
See this post https://bitcointalk.org/index.php?topic=444.msg3876#msg3876

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
PulsedMedia
Sr. Member
****
Offline Offline

Activity: 402
Merit: 250


View Profile WWW
July 18, 2010, 03:11:56 AM
 #17

The password should be hashed in DB. It's plain stupid and ignorant not to hash them. Eventually if there's databreach and passwords are not hashed ...

It should work:
Browser -> send to server (pref SSL encrypted) -> server receives and directs to script -> script hashes (adding salt, pref static + dynamic) and saves to db or verifies from db

Security is a complex matter, but basics should be adhered to nevertheless.

http://PulsedMedia.com - Semidedicated rTorrent seedboxes
mtgox (OP)
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
July 18, 2010, 03:14:00 AM
 #18


Quote
It should work:
Browser -> send to server (pref SSL encrypted) -> server receives and directs to script -> script hashes (adding salt, pref static + dynamic) and saves to db or verifies from db

This is exactly what I'm doing. Smiley

Babylon
Hero Member
*****
Offline Offline

Activity: 938
Merit: 500

CryptoTalk.Org - Get Paid for every Post!


View Profile
July 18, 2010, 03:57:06 AM
 #19

I put up an offer to buy, it's below the ask price, so I am not surprised no transaction happened, but is it going to show up as the highest buy offer?  currently that is 0 (which I assume means nobody is buying bitcoins right now)

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
Anonymous
Guest

July 18, 2010, 04:08:00 AM
 #20

I support as many exchanges opening as possible and letting the market decide. Smiley 
Competition is great!
Pages: [1] 2 3 4 5 6 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!