Fireball (OP)
|
|
June 09, 2013, 12:08:50 AM |
|
Good news everyone! We just launched Bitcoin difficulty futures, DIFF-9.13. It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.
|
|
|
|
picobit
|
|
June 09, 2013, 06:01:48 PM |
|
Good news everyone! We just launched Bitcoin difficulty futures, DIFF-9.13. It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.
OK, so that is a new one, and not seen in other markets. But is it a financial instrument, or just betting??
|
|
|
|
molecular
|
|
June 09, 2013, 10:14:55 PM |
|
Good news everyone! We just launched Bitcoin difficulty futures, DIFF-9.13. It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.
OK, so that is a new one, and not seen in other markets. But is it a financial instrument, or just betting??
There have been difficulty futures on mpex and bitfunder since at least early this year. Of course I welcome this move.
|
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
Fireball (OP)
|
|
June 09, 2013, 11:14:39 PM |
|
Good news everyone! We just launched Bitcoin difficulty futures, DIFF-9.13. It's going to be an interesting financial instrument, happy trading! Questions are welcome, of course.
OK, so that is a new one, and not seen in other markets. But is it a financial instrument, or just betting??
There have been difficulty futures on mpex and bitfunder since at least early this year. Of course I welcome this move.
Could you link to the bitfunder spec/trading page regarding the difficulty futures? I can't find it.
|
|
|
|
newminer7950
|
|
June 10, 2013, 06:03:09 AM |
|
Hi! I receive the error "UNABLE_TO_VERIFY_LEAF_SIGNATURE" when I try to connect to your server. This error is raised only on my Ubuntu computer, but is not raised on Windows (with the same JavaScript program in node.js). What may be the reason for this error? (Nearly 4 months ago I didn't receive this error on my Linux computer, but then it stopped working.) Thanks
|
Donations: 1BKA3FsvrZzznSJueXbx3qokHYqmwe9QQC
|
|
|
picobit
|
|
June 10, 2013, 03:15:19 PM |
|
Could you link to the bitfunder spec/trading page regarding the difficulty futures? I can't find it.
Search for iDiff, that is part of the name. They settle significantly sooner than September, so it is not a useful indication of what the price at icbit should be
|
|
|
|
Fireball (OP)
|
|
June 14, 2013, 08:26:04 PM |
|
A June BTC/USD futures contract (BUM3) was just settled. Open interest was 6007 contracts (or multiplying by two, 12014 total open positions). Settlement price is $101.99 (MtGox VWAP). And the total trading volume for this contract is an amazing $1'046'060. The futures market is getting volume, finally!
Also, the S&P500 futures contract was settled today at 1626.75 (spot price of the S&P500 index reported at the moment of settlement). Its total trading volume is quite low, only 677 contracts were traded so far, however it's an important financial instrument, and has a lot of potential in it. It is replaced by the September futures, ESU3.
|
|
|
|
Stephen Gornick
|
|
June 18, 2013, 12:44:35 AM Last edit: June 18, 2013, 06:53:37 PM by Stephen Gornick |
|
Now, along with minor visual improvements, this page is going to require a one time password to be entered for any withdrawal operation, if you have tied Google Authenticator to your account.
I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password. Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?
|
|
|
|
boomerlu
|
|
June 18, 2013, 01:30:28 PM |
|
I get the feeling this exchange needs more marketing.
|
|
|
|
Fireball (OP)
|
|
June 18, 2013, 04:25:46 PM |
|
I get the feeling this exchange needs more marketing.
That's so true! ;-)
|
|
|
|
qxzn
|
|
June 20, 2013, 02:59:29 AM |
|
I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.
I have done this many times, I'm sure I'm not messing up the password.
|
|
|
|
Fireball (OP)
|
|
June 20, 2013, 08:33:37 AM |
|
I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.
I have done this many times, I'm sure I'm not messing up the password.
Do you have Google Auth enabled for your account?
|
|
|
|
picobit
|
|
June 21, 2013, 10:40:26 AM |
|
I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.
Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?
This is serious. That means that 2FA protection for withdrawal is nonexistent. I hope this bug gets fixed soon, password reset should not reset 2FA, forgetting the password and losing access to your phone are two different problems.
|
|
|
|
Fireball (OP)
|
|
June 21, 2013, 12:45:07 PM |
|
I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.
Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?
This is serious. That means that 2FA protection for withdrawal is nonexistent. I hope this bug gets fixed soon, password reset should not reset 2FA, forgetting the password and losing access to your phone are two different problems.
No, it's not. I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings. Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!
|
|
|
|
Stephen Gornick
|
|
June 21, 2013, 03:06:33 PM |
|
I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.
Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!
Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.
Steps:
From a browser instance after clearing cache, cookies, etc:
Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click "Request new password" button.
Step 3: Login using single use login sent via e-mail
Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.] "Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button.
Step 6: Withdraw funds using new TOTP secret from Google Authenticator
|
|
|
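The control discussed in this exchange, as an added example that is not part of the thread and not ICBIT's code: replacing the authenticator key requires a valid code from the key currently on file, so a session opened from the e-mailed reset link cannot drop the old key. The `Account` model, function names and sample keys are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class Account:  # hypothetical model, not the exchange's schema
    def __init__(self, totp_secret=None, balance=100):
        self.totp_secret = totp_secret  # None means 2FA is not enabled
        self.balance = balance

def second_factor_ok(account, code, now):
    """True if 2FA is off, or `code` matches the key CURRENTLY on file."""
    if account.totp_secret is None:
        return True
    return hmac.compare_digest(str(code), totp(account.totp_secret, now))

def replace_totp_key(account, new_secret, current_code, now):
    # The "Create code" action: the old key is dropped only after the caller
    # proves possession of it. Being logged in is not sufficient.
    if not second_factor_ok(account, current_code, now):
        raise PermissionError("current 2FA code required to replace the key")
    account.totp_secret = new_secret

def withdraw(account, amount, code, now):
    if not second_factor_ok(account, code, now):
        raise PermissionError("2FA code required for withdrawal")
    account.balance -= amount
    return account.balance

def demo(now=59):
    old = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key
    new = "JBSWY3DPEHPK3PXP"                  # constructed sample key
    acct = Account(totp_secret=old)
    # Session opened from the e-mailed reset link: no code from the old key.
    try:
        replace_totp_key(acct, new, current_code="", now=now)
        blocked = False
    except PermissionError:
        blocked = True
    # The owner, holding the enrolled device, can still rotate and withdraw.
    replace_totp_key(acct, new, current_code=totp(old, now), now=now)
    return blocked, withdraw(acct, 10, totp(new, now), now)
```

A production check would also accept adjacent time steps for clock drift and reject reuse of an already accepted code; recovery for a lost device then needs its own channel, separate from the password-reset link.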
|
qxzn
|
|
June 21, 2013, 07:49:55 PM |
|
I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.
I have done this many times, I'm sure I'm not messing up the password.
Do you have Google Auth enabled for your account?
No.
|
|
|
|
Fireball (OP)
|
|
June 22, 2013, 10:59:09 PM |
|
I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.
Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!
Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds. Steps: From a browser instance after clearing cache, cookies, etc: Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password). Response: "Your code isn't valid." Step 2: Click "Request new password" button. Step 3: Login using single use login sent via e-mail Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.] "Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped." Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button. Step 6: Withdraw funds using new TOTP secret from Google Authenticator
Thanks a lot. We are in the process of fixing this by updating and improving the GA login code. I will publish results here ASAP.
|
|
|
|
picobit
|
|
June 24, 2013, 06:21:02 AM |
|
I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.
Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!
Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds. Steps: From a browser instance after clearing cache, cookies, etc: Step 1: Confirm 2FA is active (Attempt to login to account in which 2FA is activated, using just username and password). Response: "Your code isn't valid." Step 2: Click "Request new password" button. Step 3: Login using single use login sent via e-mail Step 4: Once authenticated, click GA_Login tab [Edit: and click "Create code" button.] "Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped." Step 5: Add TOTP secret to Google Authenticator, mark "I have successfully scanned the current code" checkbox, and click "Code scanned" button. Step 6: Withdraw funds using new TOTP secret from Google Authenticator
Of course the really difficult thing is to stop vulnerabilities like this, and still have a recovery path in case somebody loses their GA secret. I just to my horror realized that on an iPhone the GA secrets are backed up in a way that they can only be restored on the same device. Secure, but troublesome if I lose the device.
|
|
|
|
myself
|
|
July 01, 2013, 07:54:08 AM |
|
Hey OP +Tycho did you guys consider LTC (BTCLTC) and doing the settlements in LTC and BTC?
|
The desperate proclaim that it was invented by the king who raged, because in it everything is rage and more rage, vexation and more vexation, sorrow and more sorrow; if he who buys some shares sees them fall, he rages at having bought; if they rise, he rages that he did not buy more; if he buys, they rise, he sells, he profits, and they soar to an even higher price than the one at which he sold, he rages that he sold for a lower price; if he neither buys nor sells and they keep rising, he rages that, having had the impulse to buy, he did not act on the impulse; if they keep falling, he rages that, having been on the verge of selling, he did not resolve to follow through; if he is given some advice and it proves right, he rages that it was not given to him sooner; if it proves wrong, he rages that it was given to him at all; so that all is unrest, all regret, all delirium, the unbearable forever struggling with the happy, the untamed with the tranquil, and the rabid with the delightful.
|
|
|
ThePok
|
|
July 01, 2013, 08:27:14 AM |
|
If ICBIT starts settlement in Litecoins, I leave
|
|
|
|
|