eleuthria
Legendary
 Offline
Activity: 1750
Merit: 1007
|
 |
May 10, 2013, 05:36:16 PM |
|
Why no love for ajax/jquery?
I think the last thing most pool owners want is somebody leaving their browser open and constantly querying for stats while they're nowhere near the machine  . Just excess load for very little payoff. Referring to AJAX in this case. JQuery is nice for things like datatables and close-able alert messages. |
RIP BTC Guild, April 2011 - June 2015
|
|
|
|
|
|
|
|
|
|
|
|
No Gods or Kings. Only Bitcoin
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
Lucko
|
|
May 10, 2013, 06:11:35 PM |
|
Not that I'm planing to do that but I got a idea how to cheat a pool. You must have multiple workers or accounts with diffident difficulty. Then you send all diff 1 shares to diff 1 worker, diff 2 to diff 2 worker and so on. Are pools protecting against something like that? I'm punting this out so you can start finding protection if there is none.
|
|
|
|
|
|
roy7
|
|
May 10, 2013, 06:19:54 PM |
|
I think the last thing most pool owners want is somebody leaving their browser open and constantly querying for stats while they're nowhere near the machine . Just excess load for very little payoff. Referring to AJAX in this case. JQuery is nice for things like datatables and close-able alert messages. Ahh ok. On the interface I'm setting up for a different pool, I'm using ajax, but not for auto-updating info. I'm using tabs to organize content with, and the tab does a ajax query when you open it. Keeps the html much cleaner, can more easily reuse the "inside" code on separate pages, and the info isn't generated unless it's actually needed. In fact, I use the cache setting in ajax so the info is only loaded a single time.  Basically, I wanted lazy generation of stats only as needed with a lightweight basic page for the structure. |
|
|
|
|
kjlimo
Legendary
Offline
Activity: 2086
Merit: 1031
|
|
May 10, 2013, 06:22:52 PM |
|
Not that I'm planing to do that but I got a idea how to cheat a pool. You must have multiple workers or accounts with diffident difficulty. Then you send all diff 1 shares to diff 1 worker, diff 2 to diff 2 worker and so on. Are pools protecting against something like that? I'm punting this out so you can start finding protection if there is none.
If it makes it easier for people to cheat, then feel free not to respond, however, I don't understand how that "cheats" the pool. Can you explain without making it easier for others to cheat? I'm guessing I wouldn't be able to do what you're saying anyway... I just turn on CGminer with mostly default settings. I don't even know how or why I would want to change the difficulty on my end... |
|
|
|
eleuthria
Legendary
Offline
Activity: 1750
Merit: 1007
|
|
May 10, 2013, 06:41:54 PM |
|
Not that I'm planing to do that but I got a idea how to cheat a pool. You must have multiple workers or accounts with diffident difficulty. Then you send all diff 1 shares to diff 1 worker, diff 2 to diff 2 worker and so on. Are pools protecting against something like that? I'm punting this out so you can start finding protection if there is none.
For Stratum, that won't work since difficulty is defined per-connection, and each connection has a unique identifier in the coinbase to make all work unique to that connection. Your work wouldn't be valid on the different workers. If you ran them all through a proxy, they'd all be forced to run at the same difficulty, also eliminating this vector of attack. Getwork should have similar preventions, but the protocol itself doesn't have any type of built in protection, it would be up to the operator to prevent that type of attack. |
RIP BTC Guild, April 2011 - June 2015
|
|
|
|
Lucko
|
|
May 10, 2013, 06:50:46 PM
Last edit: May 10, 2013, 07:12:58 PM by Lucko |
|
If it makes it easier for people to cheat, then feel free not to respond,
however, I don't understand how that "cheats" the pool. Can you explain without making it easier for others to cheat?
I'm guessing I wouldn't be able to do what you're saying anyway... I just turn on CGminer with mostly default settings. I don't even know how or why I would want to change the difficulty on my end...
Well I'm more afraid that somebody is already doing it. It is a simple idea so I will respond. Well you would probably need some proxy software or something. Also my math could be off. It might even be impossible because I don't know how stratum and getwork works but if it is possible it is a problem. When you are mining you get 100% of diff 1 or higher shares, 50% diff 2 or higher shares, 33% diff 3 or higher shares and so on... So if you send all diff 1 shares to worker with diff 1 you get 50% hashrate. Now take all diff 2 and send it to a diff 2 worker. You get another 50%. Take diff 3 and send it to diff 3 worker and you get another 50%... And so on. You can multiply that to number of workers you setup... EDIT: OK so only getwork can be hacked that way... |
|
|
|
|
|
Lucko
|
|
May 10, 2013, 07:29:36 PM |
|
FYI: I recently moved from slush also and after letting things even out a bit i'm getting the same amount of btc + alt coins... just need to wait a few days for the higher payouts to balance out fewer blocks found.
hth
I remember you and I think you were the one told me about this pool right? I do realize that at this hashrate it is more of a lottery to find a block so there will be bigger differences in earnings from day to day but it even out. |
|
|
|
|
m00min
Newbie
Offline
Activity: 22
Merit: 0
|
|
May 10, 2013, 07:49:41 PM |
|
I remember you and I think you were the one told me about this pool right? I do realize that at this hashrate it is more of a lottery to find a block so there will be bigger differences in earnings from day to day but it even out.
Nope not me, I've only progressed from newbie status today so these are some of my first posts! |
|
|
|
|
|
redtwitz
|
|
May 10, 2013, 09:33:02 PM |
|
After investigating the security breach [in Vircurex] we have to come to the conclusion that the attacker has been able to get root access to the systems.
Therefore we need to assume that the wallets might have been copied, thus DO NOT deposit funds. Everyone will be getting a new set of addresses.
|
|
|
|
|
doublec (OP)
Legendary
Offline
Activity: 1078
Merit: 1005
|
|
May 10, 2013, 10:01:48 PM |
|
I think the last thing most pool owners want is somebody leaving their browser open and constantly querying for stats while they're nowhere near the machine . Just excess load for very little payoff. Referring to AJAX in this case. JQuery is nice for things like datatables and close-able alert messages. Definitely. I used to use AJAX to provide an updating hash rate back in the early days and my bandwidth and load was immense. I assume people just left it open in a browser tab and forgot about it. |
|
|
|
|
doublec (OP)
Legendary
Offline
Activity: 1078
Merit: 1005
|
|
May 10, 2013, 10:02:28 PM |
|
Not that I'm planing to do that but I got a idea how to cheat a pool. You must have multiple workers or accounts with diffident difficulty. Then you send all diff 1 shares to diff 1 worker, diff 2 to diff 2 worker and so on. Are pools protecting against something like that? I'm punting this out so you can start finding protection if there is none.
Yes, this has been catered for |
|
|
|
|
matt4054
Legendary
Offline
Activity: 1946
Merit: 1035
|
|
May 10, 2013, 10:03:00 PM |
|
After investigating the security breach [in Vircurex] we have to come to the conclusion that the attacker has been able to get root access to the systems.
Therefore we need to assume that the wallets might have been copied, thus DO NOT deposit funds. Everyone will be getting a new set of addresses.
Yes this really sucks. The fact that: 1) many of use used Vircurex for alt-MM-coins (I was even advertised with referral) 2) you just can't change payout addresses 3) Vircurex just got hacked (apparently) Together that means I can throw my account away, and lost coins. Might be Vircurex pure fail but common... it sucks, it really does. I think I will never want to depend on hosted wallets again. But running all alt-chains on your own machine is a pain too. |
|
|
|
|
|
roy7
|
|
May 10, 2013, 10:04:49 PM |
|
I don't use Vircurex but I was assuming they meant the wallets that host your coins while deposited at Vircurex. Do they have an online wallet service too?
|
|
|
|
|
doublec (OP)
Legendary
Offline
Activity: 1078
Merit: 1005
|
|
May 10, 2013, 10:09:22 PM |
|
Yes this really sucks. The fact that:
1) many of use used Vircurex for alt-MM-coins (I was even advertised with referral)
2) you just can't change payout addresses
3) Vircurex just got hacked (apparently)
Together that means I can throw my account away, and lost coins.
Might be Vircurex pure fail but common... it sucks, it really does.
I think I will never want to depend on hosted wallets again.
But running all alt-chains on your own machine is a pain too.
Yes, this is a problem. Bitparking has read only addresses and the owner of the private key for the registered address basically owns the funds. What you might be able to do is ask Vircurex for the private key for the addresses. You could import these into your own client, withdraw, then immediately transfer. It's unlikely any hacker is constantly monitoring the alt coin wallets. It may not be possible for Vircurex to provide this though. You don't need to run all alt-coins all the time on your own machine. You can run once, get an address, register with that and never run the client again until you want to use the funds. You can even withdraw from bitparking without needing to run your client. This is how I do things. Someone asked me if they could sign a message using one of the keys (ie. the bitcoin key) to prove ownership of the other addresses and have them changed. The problem with this is it leaves the pool open to social engineering. If the bitcoin key was kept on Vircurex too I don't know if it's the hacker then trying to withdraw funds from the pool. It's a bad situation. I'm open to suggestions. |
|
|
|
|
matt4054
Legendary
Offline
Activity: 1946
Merit: 1035
|
|
May 10, 2013, 10:11:33 PM |
|
I don't use Vircurex but I was assuming they meant the wallets that host your coins while deposited at Vircurex. Do they have an online wallet service too?
Nope actually not, I was referring to the deposited coins. I am leaving them just to avoid selling them at market rate when the market is low. Now I assume they're gone, and more important, I assume it would be pointless to mine any further on BitParking before I had the chance to re-create IXC and DVC wallet. I'm angry, because it's not the first time that I lose money due to the tiny bits of trust that any "coiner" must have in exchanges at some point, if he wants to use the coins for anything useful. One of my friend still has >2K euros stuck in the BTC24 fiasco. Etc, etc... Even if the coins were not stolen, any further payout send at old Vircurex address are likely to be lost as far as I understand. |
|
|
|
|
doublec (OP)
Legendary
Offline
Activity: 1078
Merit: 1005
|
|
May 10, 2013, 10:14:41 PM |
|
- Add separate sub-accounts by worker
- Protect accounts with password + 2FA to allow for withdrawal address changes
- Include the collected mining fees of each block in the payout
- A nice, responsive design web interface
Thanks for the kind words and ideas. I don't have plans to add passworded accounts as I see this as a differentiator with Bitparking - the owner of the private keys for the registered account owns the funds and it can't be changed. The Vircurex issue shows this has a downside but for those that own their own private keys they know they're safe. If I move to automatic withdraws and/or generated coins in the coinbase then even the pool wouldn't own the coins. Transaction fee payout is something I'm considering but if I do that I'll have to change to not paying orphans. Basically the transaction fees pays for the orphans - or so I'm hoping - over time. So far the pool is in debt in that area due to two early orphans when switching to DGM but we'll see. It seems that paying tx fees might be perceived as a better deal than paying orphans by users and it'll be worth switching. |
|
|
|
|
matt4054
Legendary
Offline
Activity: 1946
Merit: 1035
|
|
May 10, 2013, 10:32:52 PM |
|
Thanks for the kind words and ideas. I don't have plans to add passworded accounts as I see this as a differentiator with Bitparking - the owner of the private keys for the registered account owns the funds and it can't be changed. The Vircurex issue shows this has a downside but for those that own their own private keys they know they're safe. If I move to automatic withdraws and/or generated coins in the coinbase then even the pool wouldn't own the coins.
If BitParking wants to keep that difference it's perfectly fine, I just think the Vircurex mishap this evening show the weakness of using addresses that you don't really own (i.e. no private key for it). After 10 minutes of thinking, my solution will be radical and easy: I'll re-create another account, and this time I will use my own wallets for every coin. And I would recommend this to anyone creating an account at this point! Transaction fee payout is something I'm considering but if I do that I'll have to change to not paying orphans. Basically the transaction fees pays for the orphans - or so I'm hoping - over time. So far the pool is in debt in that area due to two early orphans when switching to DGM but we'll see. It seems that paying tx fees might be perceived as a better deal than paying orphans by users and it'll be worth switching.
If you want to keep using the fees to pay for orphans that's fine as well, but as you mentioned you are still in deficit because of them. I think there is no good reason to pay for orphans (besides speeding up payout for generated block without waiting for confirmations), while there are good reasons to pay the fees to the miners (that is supposed to become the main income eventually, in many years I mean...). So I would support the move, even if it temporarily means less revenue to the miners. |
|
|
|
|
|
roy7
|
|
May 10, 2013, 10:39:13 PM |
|
After 10 minutes of thinking, my solution will be radical and easy: I'll re-create another account, and this time I will use my own wallets for every coin. And I would recommend this to anyone creating an account at this point!
Certainly the way to go. Stay in control of your own coins. Also, Virc, Bter, and maybe other exchanges will "lose" any deposits from a new block coinbase. (They don't count as deposits any newly minted coins without an Input). It's a bug on the exchange's end but it seems widespread. If bitparking ever started paying that way, your payments would vanish. |
|
|
|
|
doublec (OP)
Legendary
Offline
Activity: 1078
Merit: 1005
|
|
May 10, 2013, 10:46:19 PM |
|
Certainly the way to go. Stay in control of your own coins. Also, Virc, Bter, and maybe other exchanges will "lose" any deposits from a new block coinbase. (They don't count as deposits any newly minted coins without an Input). It's a bug on the exchange's end but it seems widespread. If bitparking ever started paying that way, your payments would vanish. Right, every time I think "I should move to coinbase payments" my other inner voice says "but then you have the support cost of explaining to all existing users to register new non-exchange accounts". |
|
|
|
|
doublec (OP)
Legendary
Offline
Activity: 1078
Merit: 1005
|
|
May 10, 2013, 10:51:33 PM |
|
The other approach I've considered is setting up my own coin wallet service for people to generate addresses, withdraw, etc. Keeping this separate from the pool enables those who manage their own keys to be as secure as possible while the wallet service would be for those that don't care. Someone hacking the wallet service wouldn't affect the pool for example. This could be a possibility in the future if someone else doesn't do it.
|
|
|
|
|
|
