Conclusion...
11:35:02 <SuSEno> what do you think about the announcement regarding the extension of deadline for submission of the examination result ?
11:35:09 <SuSEno> is it good news?
11:35:15 <SuSEno> anarchystar?
11:40:07 <anarchystar> i see lnovy is still on his crusade
11:40:53 <lnovy> so why won't you explain... if your intentions are good... I must be doing bad thing no?
11:41:09 <anarchystar> explain what exactly?
11:41:21 <Chillance> oh, cool
11:41:35 <Chillance> could we work this out guys
11:41:46 <lnovy> I've already explained to you multiple times what the issues are and how dangerous this is
11:41:47 → tekto joined (~root@xu1.p5k.de)
11:42:00 <Chillance> yea, so anarchystar why not try to make it more secure man?
11:42:03 <lnovy> there is no legitimate usage for what you are doing
11:42:17 <lnovy> so people _will_ presume you are trying to scam them
11:42:23 <anarchystar> tell me the issue one by one
11:43:07 <lnovy> issue number one: http://balance.mtgoxleaks.org/github/Replace%20email%20with%20autogenerated%20token%20%c2%b7%20Issue%20%237%20%c2%b7%20mtgoxbalance_mtgoxbalance%20%c2%b7%20GitHub.html
11:43:47 <Chillance> anarchystar, lnovy just want to make it more secure
11:43:51 <lnovy> using email addresses for this purpose is a privacy leak...
11:44:03 <lnovy> it's not more secure... it's more dangerous
11:44:39 <SuSEno> more dangerous so anybody can steal our Goxcoin? LoL
11:45:26 <lnovy> SuSEno: if you don't understand this, keep your mouth shut
11:45:40 <lnovy> issue number two: http://balance.mtgoxleaks.org/github/PGP%20signing%20of%20downloaded%20page%20content%20%c2%b7%20Issue%20%239%20%c2%b7%20mtgoxbalance_mtgoxbalance%20%c2%b7%20GitHub.html
11:45:51 <anarchystar> 1 at a time
11:45:56 <lnovy> ok... go on
11:46:14 <SuSEno> go on... I don't have any objection with my e-mail address
11:46:15 <anarchystar> +im on a cellphone
11:46:27 ← faouanima quit (~faouanima@uz4.co) Remote host closed the connection
11:46:40 <lnovy> "I have nothing else to do" so I will wait
11:46:45 <Chillance> SuSEno, I still think we should make it as secure as possible
11:46:52 <anarchystar> 1) i dont understand why its 'vulnerable to leaking' unless we get hacked
11:47:36 <anarchystar> 2) if we do get hacked, you have an email, a username and a balance - which is worth exactly nothing
11:47:47 <lnovy> For example Man in the middle attack or because you can just have bad intentions yourself
11:48:15 <lnovy> as I've said... there is much more what is gained than this triplet
11:48:40 <Chillance> but if there is a solution, why not implement it? besides, isn't this supposed to be open source? also, the new exchange is supposed to be more transparent right anarchystar ?
11:48:49 <anarchystar> do explain yourself.. what is gained that is priceless
11:48:55 <anarchystar> ?
11:49:24 <anarchystar> Chillance: i will answer that after im done with him
11:49:38 <lnovy> you are able to store email address + mtgox username and in the cases of nonzero btc balance you can actually locate users balance outside mtgox... and it's possible for most identities even with zero balance... also with some more trickery, you are able to connect users mtgox identity to his other online identities
11:50:01 <lnovy> (i'm citing myself, I've already told you this)
11:50:20 <Chillance> anarchystar, Im sure lnovy just want it to be more secure, and also make it more secure for a user ala "Trust no one" principle
11:50:31 <lnovy> Chillance: +1
11:50:56 <lnovy> the only the proposed system can be trusted is that you don't trust any of it's part
11:51:11 <lnovy> it's the same principle Open Transactions trust model is based on
11:51:27 <lnovy> the only way
11:51:33 <Chillance> anarchystar, you should talk to Steve Gibson http://twit.tv/sn
11:51:42 <Chillance>
11:51:44 <anarchystar> ok so basically if i have someones email address and their balance i might reference it to the blockchain and find out (maybe) where the money was sent from
11:53:07 <lnovy> not only that... you can see when and how he was trading, when he and to which address was he sending coins, where his coins came from etc.
11:53:09 <Stormeyes> Dunno if you can actually track other ppl with just a random email addy and the info from gox.... inside gox ok... but still if we want to join his new exchange i will have to give him more then just an email addy i am sure
11:53:17 → tholu joined (~tholu@p5B0B7AC7.dip0.t-ipconnect.de)
11:53:18 <lnovy> this information is valued more than gold
11:53:39 <anarchystar> please tell why its worth more than gold
11:53:47 <Stormeyes> lnovy: he will need my ID, address etc etc before i can partake in the new exchange anyways which is way more info than he gets now
11:53:47 <lnovy> Stormeyes: it is possible to connect your identity with for example facebook one... pretty easily
11:53:49 <anarchystar> i still dont see any value
11:54:03 <Stormeyes> lnovy and ? he can do that when he gets my ID etc too
11:54:10 <Dr-G3> if you have some tax info to hide in the info, don't bother you're already getting fucked :p
11:54:38 <anarchystar> cause if its worth more than gold we better close down all exchanges right now
11:54:41 <lnovy> Stormeyes: but he cannot easily connect that with your mtgox account... this can be done using mtgoxbalance.org
11:54:51 <Stormeyes> If you give him the balance info you are agreeing to participate in either a lawsuit or a new exchange in both cases i need to id myself to him or the new exchange will start with trouble
11:55:05 <lnovy> Stormeyes: no
11:55:16 <lnovy> Stormeyes: the site mtgoxbalance.org is not saying anything like that
11:55:33 <lnovy> MtGox Balance gets your balance information directly from MtGox.
11:55:34 <lnovy> This allows charitable initiatives to make sure your claim is real.
11:55:41 <Stormeyes> what other reason to give your info there then lnovy ? for show ?
11:56:06 <Stormeyes> they still will need an ID to make sure they dont pay to thieves etc and if they do to be able to find them later
11:56:27 <Stormeyes> balance site is not 100% proof since it got hacked
11:56:31 <lnovy> Stormeyes: the purpose of the system was to have a somewhat permanent trusted system that you can use to prove your balance to others if you want
11:56:37 <Stormeyes> (the Gox db i mean)
11:56:50 <lnovy> because that is not possible right now without giving out your password/session
11:56:52 <Chillance> lnovy, well, we have 2 different things. one being more clear on the mtgoxbalance.org, and the second is applying more security right?
11:57:37 non2_ → non2
11:57:38 <Stormeyes> Just put a big warning on the site for ppl that rather have their privacy then possible charity to get anything back
11:57:44 <lnovy> Chillance: I'm primarily insisting on the security/privacy side...
11:57:55 <Chillance> btw, that Steve Gibson I linked to REALLY knows what he is talking about.. he should be included
11:58:06 <Chillance> but, he might be too busy
11:58:17 <Stormeyes> You yourself give away your ID to anyone so i am surprised that you might think any privacy really still exists
11:58:35 * Stormeyes thinks privacy is an illusion
11:58:42 <lnovy> Stormeyes: I've proposed exactly this...
11:58:52 <Chillance> ok, here is the thing. we have a solution to better the mtgoxbalance security right?
11:58:58 <Chillance> why not just do that?
11:59:19 <anarchystar> lnovy: we need the email for ADDED security: if you sign up at a charity, that charity will send an email confirmation.. if we just give a random token, anyone can steal that and how will you ever prove that it was yours after that?
11:59:24 <lnovy> Chillance: I've proposed that multiple times
12:00:27 <lnovy> anarchystar: you can give user a token issuing token... he will use this to issue a one-shot token to be used for confirmation
12:00:34 <Chillance> how about signing data? like using RSA?
12:00:43 <lnovy> Chillance: i've proposed that also....
12:00:47 <anarchystar> lnovy: come again?
12:00:48 <padawan123> lnovy when are u planning to remove my ban on mtgox-talk?
12:01:21 <anarchystar> Chillance: im pro signing data and i think thats a great idea
12:01:35 <padawan123> i know u like childish game but it s enough now don t u think?
12:01:36 <Chillance> anarchystar, you have a security expert there?
12:01:36 <lnovy> anarchystar: you give user a token and if he wants to prove his balance to charity, he puts the token to your side and another token is generated... this one is sent to charity and is usable for only one fetch of balance
12:01:49 <lnovy> padawan123: blow me
12:02:17 <padawan123> blow me?
12:02:29 <lnovy> this is a principle used in kerberos authentication/authorization system
12:03:05 <anarchystar> lnovy: this token how user friendly? id rather have signing
12:03:54 <lnovy> anarchystar: i've also proposed this signing... you just pack the downloaded data with trusted timestamp, sign it and give this to user...
12:03:59 <lnovy> nothing is stored
12:04:11 <lnovy> and only the user can now choose who to show his balance
12:04:11 <anarchystar> also signing is issue if private key gets hacked, all becomes worthless
12:04:30 <lnovy> that's why the system is designed to be multi-party
12:04:46 <lnovy> you need more servers to sign your balance to be trustworthy
12:04:55 <anarchystar> yes i know you proposed many things, but we concluded that asking for email is really not that bad and it was going too far
12:05:46 <anarchystar> we can end up with nsa type but were talking about charity, an (self chosen) email and a balance
12:06:10 <anarchystar> i think thats enough security
12:06:36 <lnovy> again... the system to be trusted... you need it to be multiparty... and you cannot assure that other parties are playing fair
12:07:15 <Chillance> so, as it stands now people has to trust anarchystar only then?
12:07:27 <anarchystar> yes, if someone else besides me would start a charity, and they dont trust me, then it becomes relevant
12:07:47 <lnovy> besides that... the idea of charity trusting balance sheet of mtgox is stupid... mtgox could have and probably did fake some balances for obvious reasons
12:07:50 <anarchystar> unfortunately i have yet to see any other initiatives
12:08:15 <Chillance> yes, I dont think anarchystar is trying to scam people at all
12:08:41 <Stormeyes> anarchystar: one reason there arent any other initiatives is because no one knows if/what we lost yet i think
12:08:44 <lnovy> Chillance: I never said that also... the problem is that the way the system is designed, somebody will scam people
12:08:52 <lnovy> and the blame will come back to us
12:09:04 <Chillance> but still, I agree with the "trust no one" principle.. I mean, why not if you can right?
12:09:13 <lnovy> Chillance: +1
12:09:13 <anarchystar> also stare at one point at the wall all day and you come up with 100 problems while its just a wall
12:09:26 <Stormeyes> lnovy but those ppl will be known by name etc so hard to scam when you can be found easily
12:09:29 <vocodork> i don't get why the actual mtgox login isn't enough
12:09:47 <vocodork> can check balances there
12:09:49 ← ``rawr quit (uid23285@gateway/web/irccloud.com/x-rttbdspyqujkrrxe) Quit: Connection closed for inactivity
12:09:51 <Stormeyes> vocodork you dont wanna give that out
12:09:53 <lnovy> these are not just some corner cases problem... these are basic and founding principles of good privacy and security system
12:10:11 <anarchystar> lnovy: which scam? explain a scam
12:10:17 <lnovy> Stormeyes: not really... anyone can run a site... no need to place your name there
12:10:47 <vocodork> tbh my alarm bells went off too when i saw mtgoxbalance.org
12:11:22 <lnovy> anarchystar: you have said that you are not going to leak or abuse any privacy information you are gaining this way... how you can make sure other instances of the system will not do otherwise?
12:11:51 <Chillance> yea, and what if you got hacked?
12:12:18 <Chillance> or you have the data offsite?
12:12:39 <Chillance> that would actually be smart
12:12:48 <anarchystar> i dont need to run this site nor put my reputation at risk, i dont need to give 10% to gox holders.. there is no gain for me except maybe slight good press
12:13:05 <lnovy> that is not the question
12:13:33 <lnovy> you are running it... for system to be trusted, you need other instances that you have no control over... how do you make them not abuse the information?
12:13:36 <anarchystar> lnovy: theres no other sites besides yours
12:13:40 <padawan123> anachystar in fact i suggest u give more than 10/100
12:13:45 <Chillance> again, Im sure lnovy appreciate the effort, but just want it to be secure.
12:13:52 <lnovy> anybody can make such instance, code is opensource
12:13:57 ← _ImI_ quit (~ImI2000@HSI-KBW-37-209-86-166.hsi15.kabel-badenwuerttemberg.de) Quit: _ImI_
12:14:02 <anarchystar> and we pulled the source
12:14:12 <Stormeyes> padawan23: you should go collect for the red cross etc.. ppl give a euro/dollar and you grab their wallet and chose ??
12:14:13 <lnovy> that doesn't make them non opensource
12:14:16 <padawan123> or have other to participate in it
12:14:28 <lnovy> https://github.com/mtgoxbalance/mtgoxbalance see... still there
12:15:09 <anarchystar> lnovy: i cant be responsible if u submit info to a scam site
12:15:13 <Stormeyes> lnovy: think even i can make a site to look like that and get the info from those who enter it....
12:15:32 <Stormeyes> you cant stop ppl from being stupid, not checking who what where etc
12:15:40 <Stormeyes> and nothing is foolproof
12:15:52 <lnovy> anarchystar: from the point of view of the person who will get scammed, you are responsible, that's the thing I'm trying to protect you from from the start
12:16:05 ← mikkom quit (~mikkom@host-109-204-128-69.tp-fne.tampereenpuhelin.net) Ping timeout: 265 seconds
12:16:21 <Chillance> I think there are 2 ways to do this then. either closed and we trust anarchystar .. or some distributed system (that needs to be updated to be more secure) where trust relies on ... well, isnt this like BTC transactions?
12:16:22 <lnovy> Stormeyes: you can interlink "trusted" sites to each other
12:16:46 <lnovy> Chillance: it more like open transaction, not btc transactions
12:16:46 <Stormeyes> to protect an email address and a balance ?
12:17:00 <anarchystar> lnovy: i dont know, its their domain name - bitstamp is not a scam although ppl submitted same info as gox there
12:17:04 <lnovy> Stormeyes: no, much more than that
12:17:42 → mikkom joined (~mikkom@host-109-204-128-69.tp-fne.tampereenpuhelin.net)
12:17:45 <anarchystar> lnovy: im not so sure about the 'much more than that'
12:17:47 <lnovy> well I don't need to help you... I just want...
12:18:08 <Stormeyes> lnovy what do they store besides email and balance ?
12:18:12 <lnovy> anarchystar: because you obviously are not that good at this privacy topic, sorry
12:18:34 <anarchystar> lnovy: facts or its unfounded
12:18:39 <Stormeyes> and maybe session key if he's a bad boy
12:19:02 <Stormeyes> but session key should be worthless if you follow instructions and kill the cookie right ?
12:19:06 <lnovy> anarchystar: you have just proven that... you are creating beginners privacy issues
12:19:18 <anarchystar> lnovy: facts?
12:19:59 <anarchystar> i can say i have proven x but that doesnt mean anything without facts
12:20:29 <anarchystar> Stormeyes: yes
12:20:58 <Stormeyes> So besides balance and email what else do you have ?
12:21:09 <anarchystar> you tell me why balance and -random- email is so sacred
12:21:32 <anarchystar> its why we have a discussion in the first place
12:22:17 <Stormeyes> just advice ppl to get a new ano email and even then if you start to use it to receive help i think you should be forced to ID yourself in case some hacker did change and addid himself as a creditor
12:22:21 → dsfa14 joined (~dsfa14@unaffiliated/dsfa14)
12:22:28 <Stormeyes> added
12:22:40 <Stormeyes> or changed his/her balance
12:22:43 <lnovy> anarchystar: read this http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
12:22:53 <anarchystar> even if its not a random email, its not a big deal
12:23:27 <lnovy> the simple fact that you are not finding it a big deal proves that you don't understand the topic
12:23:51 <anarchystar> well then you explain to everyone why its a big deal
12:24:07 <anarchystar> cause i still didnt get any decent reasons
12:24:10 <lnovy> The practice of minimizing the use, collection, and retention of PII is a basic privacy principle.
12:24:13 <lnovy> 47
12:24:16 <lnovy> By
12:24:18 <lnovy> limiting PII collections to t
12:24:21 <lnovy> he least amount necessary to conduct its mission, the organization may limit
12:24:24 <lnovy> potential negative consequences in the event of a data breach involving PII. Organizations should
12:24:27 <lnovy> consider the total amount of PII used, collected, and maintained, as well as the
12:24:30 <lnovy> types and categories of PII
12:24:32 <lnovy> used, collected, and maintained. This general concept is often abbreviated as the "minimum necessary"
12:24:33 <anarchystar> time to kill ur facebook
12:24:35 <lnovy> principle. PII collections should only be made where such collections are essential to meet the authorized
12:24:38 <lnovy> business purpose
12:24:41 <lnovy> and mission of the organization. If the PII serves no current business purpose, then the
12:24:44 <lnovy> PII should no longer be used or collected.
12:24:59 <lnovy> you are saying, when facebook is bad, I can be too?
12:25:32 → meelos joined ← toffoo quit
12:26:01 <Chillance> anarchystar, do you have some security expert in your team? I mean, at least for the new exchange right? why not have him take a look at this?
12:26:18 <Dr-G3> if you want participate from anarchys work you have to agree to his conditions end of story
12:26:29 <anarchystar> that doesnt tell me anything except the obvious, in this case an email is the best choice for later verification - also its about user friendliness - again, an email and a balance are not worth as much as you are making it to be
12:27:19 ← meelos quit (~meelos@90.208.215.125) Client Quit
12:27:29 <lnovy> If the PII serves no current business purpose, then the PII should no longer be used or collected. // You don't have any business purpose for the email do you?
12:27:38 <anarchystar> Chillance: security expert - we have security experts in it and programming and we follow all standard guidelines
12:27:57 <anarchystar> lnovy: yes i do and i explained it
12:28:08 <Stormeyes> lnovy: the email is for new etc and prob to announce his new exchange where you can use that data....
12:28:14 → _ImI_ joined (~ImI2000@HSI-KBW-37-209-86-166.hsi15.kabel-badenwuerttemberg.de)
12:28:14 <lnovy> you aren't following SP800-122, which is like a book for basic school
12:28:16 <anarchystar> its to allow a charity to verify you
12:28:20 <Stormeyes> news
12:28:26 <anarchystar> and yes indeed for news
12:29:07 <Stormeyes> I am pretty happy receiving the blogposts etc on that address so i dont have to refresh the pages every 5 min myself
12:29:55 <anarchystar> ok lnovy i think we both have our ideas but lets put it to rest - i think its clear now
12:30:37 <anarchystar> i dont see serious harm in a random email (even if not random) and a balance
12:30:41 <lnovy> anarchystar: will you please update your F.A.Q. with the warning that you are storing the username and email and this can be connected with things I have mentioned? And also specify the policy of disclosure of this information to third parties? If you do, I will bother you no more... And you will be safe from any claims also...
12:31:05 <Chillance> yes, I think the info on the site needs to be more clear then
12:31:24 <lnovy> I will even put down the github repo in that case
12:31:35 <Chillance> explicitly say random email
12:31:45 <Chillance> that you can access still ofcourse
12:31:47 <Chillance>
12:31:53 <anarchystar> lnovy: i can add that info, as long as its within reason (let me explain)
12:31:55 <Chillance> not one of those one timer emails
12:32:16 <Chillance> username is hashed though
12:32:23 <Chillance> no?
12:32:26 <lnovy> Chillance: no
12:32:29 <anarchystar> facebook does not have to add a warning that it might attract stalkers that could then come to kill you
12:32:33 <Chillance> aha, oh well
12:33:11 <Chillance> well, just make it clear anyway
12:33:31 <lnovy> anarchystar: well.. but he does have this... https://www.facebook.com/about/privacy/
12:33:55 <lnovy> and this... https://www.facebook.com/full_data_use_policy
12:34:00 <anarchystar> lnovy: sure i will add a privacy policy
12:34:17 <anarchystar> ill ask laoban lol
12:35:10 <lnovy> if you add the policy and the warning about connection to leaked database, I'm perfectly ok with that... I'm also asking to remove my name from the footer and that's it.
12:35:28 <Stormeyes> Sounds like a solution
ppl will know the risks if the data would get stolen/abused or whatever but i agree with anarchystar the chance it happens*usefulness is a low risk
12:36:17 <lnovy> well I have my own theory what you are using this data for, but that will be shown by the time
12:36:48 <Chillance> what would that be lnovy ?
12:37:02 <lnovy> Chillance: I won't disclose that
12:37:19 <lnovy> it's just too crazy
12:37:40 <Chillance> bah, so tired of conspiracy theories and fud..
12:37:53 <Chillance> post it on reddit
12:38:16 <Chillance> seems to me like the way to do it these days..
12:38:50 <Chillance> I suppose you wont be using the mtgoxbalance service then lnovy ?
12:39:35 <Stormeyes> dont think he is worried about his info he posts that online all the time
12:39:43 <lnovy> I don't need it for anything
12:40:02 <lnovy> but anarchystar has my data, I've already submitted them
12:40:23 <padawan123> he is op in mtgox-talk so he dont need anyone
12:40:32 <padawan123> he can op as he wants
12:40:39 <padawan123> and decide who to kick and ban
12:40:56 <lnovy> nice poem, was that hard to compose?
12:41:12 <padawan123> he need only the selve on his head
12:41:33 <lnovy> there is a clear difference between sieve and colander
12:41:41 <padawan123> will u ban me from here as well?
12:42:03 <padawan123> u lack of credibility
12:42:06 <Stormeyes> padawan123 prob not if you act as an adult
12:42:08 <lnovy> wut? where are you banned?
12:43:35 <Chillance> well, great anarchystar and lnovy solved that
12:44:17 <lnovy> well... it's completely different system than it was in the start, but whatever
12:44:46 <Chillance> yea, well, this way works too I guess...
12:45:09 <anarchystar>