Bitcoin Forum
August 18, 2017, 03:06:05 PM *
Author Topic: [ANN][KARM] Karma / ₭ / X11  (Read 540168 times)
Chris180Z
Full Member
***
Offline Offline

Activity: 238


View Profile
April 26, 2014, 05:22:44 PM
 #381

Am I missing something about signing my message to prove I own the shares? I can't see that info anywhere.

Any help or links to the information? Thanks.
easteagle13
Hero Member
*****
Offline Offline

Activity: 658


View Profile
April 26, 2014, 05:23:11 PM
 #382

I'm really confused about the process of signing the message for confirmation of our shares.

1. Should I write something in the "message" field of the third screen from this tutorial (http://imgur.com/ZGxUZCM)?
2. Should I generate the signature with a blank message?

3. If I do not perform the wallet address signature properly I can still sign any address I used to send (before the end of 26 April) Karmacoin to Karmashares LLC after the quantum period right while still having access to the 10x bonus right?


Regards

1. NO no message is needed on the signing window of the wallet.
2. YES the important thing is the GENERATED signature.
3. You can send your SIGNED message anytime before the distribution of profit share, so that gives you a lot of time.

Thanks!

1. But shouldn't the message to sign be, character by character, exactly the same message that we send in the contact form from http://karmacoin.me/contact?
Instead of a blank message?

2. Because, as I understand, the "sign message" feature of the wallet is used for proving that a specific message was written by the owner of the exchanged address.

3. Signing the complete message (that has the Karma and BTC address) avoids that someone steals the signature and then just sends a new email (using the contact form) to the Karmashares LLC team asking for the change of a new BTC address.
Therefore stealing the profits of a legit shareholder.


I may be wrong.
I just want to learn more and help the Karma team.

1. Message in http://karmacoin.me/contact? should contain your KARMA ADDRESS, Bitcoin address and the SIGNATURE of your KARMA WALLET (SO IT IS NOT BLANK)

2. When you use sign function of the wallet it PROVES that the transaction of SENDING coins to karmashare originated from your wallet as proven by wallet signature.

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

TIP ME ₭ARMA:  KJeEKJv1LXHM8cYeRgQG3q87BFA4W3sTGg  FOR KARMA TRANSLATION BUDGET SEND TO: KHvkhA7RTFnG8N5RWPB48gs2y8K1od6xF4
OFF. ₭ARMA FB PAGE: https://www.facebook.com/karmacoin.me. http://lill.com
easteagle13
Hero Member
*****
Offline Offline

Activity: 658


View Profile
April 26, 2014, 05:27:14 PM
 #383

Am I missing something about signing my message to prove I own the shares? I can't see that info anywhere.

Any help or links to the information? Thanks.

SIGNATURE is only needed so that the profit share that will be sent in the future will be sent to the owner of the SIGNED WALLET that sent the COIN SHARE.

Your coins that you sent in exchange for share can be traced using your TRANSACTION DETAILS in your local wallet. look that up in the list of shares here http://karmashares.com/explorer-v01

TIP ME ₭ARMA:  KJeEKJv1LXHM8cYeRgQG3q87BFA4W3sTGg  FOR KARMA TRANSLATION BUDGET SEND TO: KHvkhA7RTFnG8N5RWPB48gs2y8K1od6xF4
OFF. ₭ARMA FB PAGE: https://www.facebook.com/karmacoin.me. http://lill.com
magpr
Legendary
*
Offline Offline

Activity: 980


Ace.TokenStars.com ― tokenizing tennis stars


View Profile
April 26, 2014, 05:44:08 PM
 #384

Maybe the devs will make screenshots of the process of creating a wallet signature and add them here and on http://karmashares.com/ ? I think it would be a good answer to many simple questions.

ShawnLeary
Hero Member
*****
Offline Offline

Activity: 504



View Profile
April 26, 2014, 05:54:58 PM
 #385

Am I missing something about signing my message to prove I own the shares? I can't see that info anywhere.

Any help or links to the information? Thanks.


"We have the power to begin the world over again" - Thomas Paine
ptman
Sr. Member
****
Offline Offline

Activity: 364


View Profile
April 26, 2014, 05:57:15 PM
 #386

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Addresses for tipping if you think I deserve it ;-) | KARM: KKb1mH7DeWHnhFAkatkMWrQBN3fUmpyPH2 | BTC: 1AAERR1pB7JVsQRsdHP4RaGAXSJaAKHo33
ShawnLeary
Hero Member
*****
Offline Offline

Activity: 504



View Profile
April 26, 2014, 08:05:31 PM
 #387

Well I went out on a little gamble and bought 5 million of shares today as it is the last day of x10 bonus. Not willing to risk a huge amount of money, but interesting concept nonetheless. I suppose I won't be too downhearted if it turns out to be a scam but I would feel sorry at that point for the people who have risked a lot of money.

Never put in what you can't afford to lose.

Just did 105M, wanted to do more but had already donated 100M before Cheesy

"We have the power to begin the world over again" - Thomas Paine
ShawnLeary
Hero Member
*****
Offline Offline

Activity: 504



View Profile
April 26, 2014, 08:07:17 PM
 #388

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Well done sir!  I'm gonna tip you for this!

"We have the power to begin the world over again" - Thomas Paine
Chris180Z
Full Member
***
Offline Offline

Activity: 238


View Profile
April 26, 2014, 08:35:17 PM
 #389

Am I missing something about signing my message to prove I own the shares? I can't see that info anywhere.

Any help or links to the information? Thanks.



Thank you so much Smiley.
yurimir
Hero Member
*****
Offline Offline

Activity: 623



View Profile
April 26, 2014, 08:44:49 PM
 #390

another gif file: signature

spitfire1337
Member
**
Offline Offline

Activity: 72


View Profile
April 26, 2014, 09:17:43 PM
 #391

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.

KARM: KW66XDSpqtdSBfCcJHnJMhNANqePxUc3iH
ptman
Sr. Member
****
Offline Offline

Activity: 364


View Profile
April 26, 2014, 09:48:14 PM
 #392

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Well done sir!  I'm gonna tip you for this!

Thanks!

I welcome all tips.
Specially if they are in Karma!

Addresses for tipping if you think I deserve it ;-) | KARM: KKb1mH7DeWHnhFAkatkMWrQBN3fUmpyPH2 | BTC: 1AAERR1pB7JVsQRsdHP4RaGAXSJaAKHo33
cryptowho
Full Member
***
Offline Offline

Activity: 182

Ask me about Karmacoin


View Profile
April 26, 2014, 10:32:42 PM
 #393

Here is another food for thought

Remember how google website was at beginning? Facebook? First internet websites?

In time, everything will be smoothed out.


Now, how about improving our Part D?


looking for C++ coders , web-dev and coin-devs to join karmacoin team. We are trying to expand. we have so many goals. Challenge accepted?  PM me.
bcd
Sr. Member
****
Offline Offline

Activity: 252


View Profile
April 26, 2014, 11:18:31 PM
 #394

Only 45 minutes left to send your coins for 10X KarmaShares .

http://www.reddit.com/r/Karmashares/comments/23gl6g/karmashares_llc_ready_to_roll_heres_how_to_buy/
ptman
Sr. Member
****
Offline Offline

Activity: 364


View Profile
April 27, 2014, 12:30:02 AM
 #395

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.


Your solution solves part of the possible attacks but not all.
What if the attacker intercepts an email, steals the new signature while making the original email never reach Karmashares LLC, so that he can be the first to use that signature (and therefore give his own BTC address, stealing the dividends of a Karmashares shareholder)?
I can think of some ways this can be done.

The solution is, as I suggested before, signing the complete message with the BTC and KARMA address (the signature would be written in a separate text box of the online form).

This way, and only this way, Karmashares LLC can be sure that the BTC address (to where the dividends will be sent) is provided by someone who has access to the Karma wallet that has the address that generated the transaction to Karmashares LLC.


Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little hacking and/or social engineering.

Addresses for tipping if you think I deserve it ;-) | KARM: KKb1mH7DeWHnhFAkatkMWrQBN3fUmpyPH2 | BTC: 1AAERR1pB7JVsQRsdHP4RaGAXSJaAKHo33
ShawnLeary
Hero Member
*****
Offline Offline

Activity: 504



View Profile
April 27, 2014, 01:35:19 AM
 #396

3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.


You totally cock blocked PTMan tip I was about to send!  So un-Karma like Wink j/k

"We have the power to begin the world over again" - Thomas Paine
Delaforetnoire
Sr. Member
****
Offline Offline

Activity: 322


Karma Team


View Profile WWW
April 27, 2014, 01:57:27 AM
 #397

Thank you for this great thought

/// ๑۩۞[ANN][ ₭ARMAtoken]
/KarmaToken - Karma Society's Currency Now Based On Counterparty Platform/ https://bitcointalk.org/index.php?topic=1667865.msg16745896#msg16745896
http://easteagle13.wixsite.com/ctgtoken * The GOOD Crypto Guild
kosmost
Sr. Member
****
Offline Offline

Activity: 322


Do Something Good Today!


View Profile WWW
April 27, 2014, 04:39:47 AM
 #398

[snip]

Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little hacking and/or social engineering.

Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.

Good Karma ["GOOD"] token here ∞ Rewards for customers of 700,000 retail stores in the US and millions more around the world
easteagle13
Hero Member
*****
Offline Offline

Activity: 658


View Profile
April 27, 2014, 07:25:13 AM
 #399

[snip]

Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little hacking and/or social engineering.

Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.

One possible safety measure regarding COMMUNICATION SECURITY is to require a registration to Karmashares.com with an email that asks for 2FA verification like google mail. Making any further requests and communication pass thru that system. (WALLET SIGNATURE, PROFIT SHARE etc) but I am sure Karmateam is preparing something in this line.

TIP ME ₭ARMA:  KJeEKJv1LXHM8cYeRgQG3q87BFA4W3sTGg  FOR KARMA TRANSLATION BUDGET SEND TO: KHvkhA7RTFnG8N5RWPB48gs2y8K1od6xF4
OFF. ₭ARMA FB PAGE: https://www.facebook.com/karmacoin.me. http://lill.com
ptman
Sr. Member
****
Offline Offline

Activity: 364


View Profile
April 27, 2014, 08:54:23 AM
 #400

You totally cock blocked PTMan tip I was about to send!  So un-Karma like Wink j/k

Sorry 'ShawnLeary', but my solution is still the only one that offers protection in the exchange of the BTC address, so I'm still the one deserving the tips ;-)

Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.

Comparing the current signature (generated by signing an empty message) with a previous one (also generated by an empty message), like suggested by 'spitfire1337', and only accepting the new signature if different from the previous one (after checking that the new signature also belongs to the same address of course) is not enough.

Of course it is better than nothing but it still leaves too much possibility of cheating the system.

Please read my suggestion again, which to my knowledge is the only solution exchanged in this forum that offers total security in the transaction of the BTC address for dividends, regarding proving that the BTC address is given by the REAL owner of the Karmashares LLC.



3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.


Your solution solves part of the possible attacks but not all.
What if the attacker intercepts an email, steals the new signature while making the original email never reach Karmashares LLC, so that he can be the first to use that signature (and therefore give his own BTC address, stealing the dividends of a Karmashares shareholder)?
I can think of some ways this can be done.

The solution is, as I suggested before, signing the complete message with the BTC and KARMA address (the signature would be written in a separate text box of the online form).

This way, and only this way, Karmashares LLC can be sure that the BTC address (to where the dividends will be sent) is provided by someone who has access to the Karma wallet that has the address that generated the transaction to Karmashares LLC.


Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little hacking and/or social engineering.

Addresses for tipping if you think I deserve it ;-) | KARM: KKb1mH7DeWHnhFAkatkMWrQBN3fUmpyPH2 | BTC: 1AAERR1pB7JVsQRsdHP4RaGAXSJaAKHo33