|
easteagle13
|
 |
April 26, 2014, 05:23:11 PM |
|
I'm really confused about the process of signing the message for confirmation of our shares. 1. Shoud I write something in the "message" field of the third screen from this tutorial ( http://imgur.com/ZGxUZCM)?2. Should I generate the signature with a blank message? 3. If I do not perform the wallet address signature properly I can still sign any address I used to send (before the end of 26 April) Karmacoin to Karmashares LLC after the quantum period right while still having access to the 10x bonus right? Regards 1. NO no message is needed on the signing window of the wallet. 2. YES the important thing is the GENERATED signature. 3. You can send your SIGNED message anytime before the distribution of profit share, so that gives you a lot of time. Thanks! 1. But shouldn't the message to sign be, character by character, exactly the same message that we send in the contact form from http://karmacoin.me/contact?Instead of a blank message? 2. Because, as I understand, the "sign message" feature of the wallet is used for proving that a specific message was written by the owner of the exchanged address. 3. Signing the complete message (that has the Karma and BTC address) avoids that someone steals the signature and then just sends a new email (using the contact form) to the Karmashares LLC team asking for the change of a new BTC address. Therefore stealing the profits of a legit shareholder. I may be wrong. I just want to learn more and help the Karma team. 1. Message in http://karmacoin.me/contact? should contain your KARMA ADDRESS, BItcoin address and the SIGNATURE of your KARMA WALLET (SO IT IS NOT BLANK) 2. When you use sign function of the wallet it PROVES that the transaction of SENDING coins to karmashare originated from your wallet as proven by wallet signature. 3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other. |
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
easteagle13
|
|
April 26, 2014, 05:27:14 PM |
|
Am I missing something about singing my message to prove I own the shares? I can't see that info anywhere.
Any help or links to the information? Thanks.
SIGNATURE is only needed so that the profit share that will be sent in the future will be sent to the owner of the SIGNED WALLET that sent the COIN SHARE. Your coins that you sent in exchange for share can be traced using your TRANSACTION DETAILS in your local wallet. look that up in the list of shares here http://karmashares.com/explorer-v01 |
|
|
|
magpr
Legendary
 Offline
Activity: 1190
Merit: 1006
|
|
April 26, 2014, 05:44:08 PM |
|
May be devs will do a screenshots with process of creating wallet signature and add it here and on the http://karmashares.com/ ? I think it will be good answer to many simple questions. |
|
|
|
|
|
ShawnLeary
|
|
April 26, 2014, 05:54:58 PM |
|
Am I missing something about singing my message to prove I own the shares? I can't see that info anywhere.
Any help or links to the information? Thanks.
 |
"We have the power to begin the world over again" - Thomas Paine
|
|
|
|
ptman
|
|
April 26, 2014, 05:57:15 PM
Last edit: April 26, 2014, 06:25:35 PM by ptman |
|
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. |
|
|
|
|
ShawnLeary
|
|
April 26, 2014, 08:05:31 PM |
|
Well I went out on a little gamble and bought 5 million of shares today as it is the last day of x10 bonus. Not willing to risk a huge amount of money, but interesting concept none the less. I suppose I wont be too downhearted if it turns out to be a scam but I would feel sorry at that point for the people who have risked a lot of money.
Never put in what you can't afford to loose.
Just did 105M, wanted to do more but had already donated 100M before  |
"We have the power to begin the world over again" - Thomas Paine
|
|
|
|
ShawnLeary
|
|
April 26, 2014, 08:07:17 PM |
|
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. Well done sir! I'm gonna tip you for this! |
"We have the power to begin the world over again" - Thomas Paine
|
|
|
|
Chris180Z
|
|
April 26, 2014, 08:35:17 PM |
|
Am I missing something about singing my message to prove I own the shares? I can't see that info anywhere.
Any help or links to the information? Thanks.
Thank you so much  . |
|
|
|
|
yurimir
Legendary
Offline
Activity: 1554
Merit: 1044
|
|
April 26, 2014, 08:44:49 PM |
|
another gif file: signature  |
|
|
|
|
spitfire1337
Member
Offline
Activity: 168
Merit: 10
|
|
April 26, 2014, 09:17:43 PM |
|
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. Here's the thing though, anytime you sign a empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing. |
|
|
|
|
|
ptman
|
|
April 26, 2014, 09:48:14 PM |
|
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. Well done sir! I'm gonna tip you for this! Thanks! I welcome all tips. Specially if they are in Karma! |
|
|
|
cryptowho
Full Member
Offline
Activity: 182
Merit: 100
Ask me about Karmacoin
|
|
April 26, 2014, 10:32:42 PM |
|
Here is an other food for thought
Remember how google website was at beginning? Facebook? First internet websites?
In time, everything will be smoothed out.
Now, how about improving our Part D?
|
looking for C++ coders , web-dev and coin-devs to join karmacoin team. We are trying to expand. we have so many goals. Challenge accepted? PM me.
|
|
|
|
bcd
|
|
April 26, 2014, 11:18:31 PM |
|
|
|
|
|
|
|
ptman
|
|
April 27, 2014, 12:30:02 AM
Last edit: April 27, 2014, 01:02:39 AM by ptman |
|
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. Here's the thing though, anytime you sign a empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing. Your solution solves part of the possible attacks but not all. What if the attacker intercepts an email, steals the new signature while making the original email never reach Karmashares LLC, so that he can be the first to use that signature (and therefore give his own BTC address, stealing the dividends of a Karmashares shareholder)? I can think of some ways this can be done. The solution is, as I suggested before, signing the complete message with the BTC and KARMA address (the signature would be written in a separated text box of the online form).
This way, and only this way, Karmashares LLC can be sure that the BTC address (to where the dividends will be sent) is provided by someone who has access to the Karma wallet that has the address that generated the transaction to Karmashares LLC.
Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering. |
|
|
|
|
ShawnLeary
|
|
April 27, 2014, 01:35:19 AM |
|
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. Here's the thing though, anytime you sign a empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing. You totally cock blocked PTMan tip I was about to send! So un-Karma like  j/k |
"We have the power to begin the world over again" - Thomas Paine
|
|
|
|
Delaforetnoire
|
|
April 27, 2014, 01:57:27 AM |
|
Thank you for this great thought
|
|
|
|
|
kosmost
|
|
April 27, 2014, 04:39:47 AM |
|
[snip]
Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering.
Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted. |
Workchain – Powering the Decentralized Economy
|
|
|
|
easteagle13
|
|
April 27, 2014, 07:25:13 AM |
|
[snip]
Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering.
Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted. One possible safety measure regarding COMMUNICATION SECURITY is to require a registration to Karmashares.com with an email that asks for 2FA verification like google mail. Making any further requests and communication pass thru that system. (WALLET SIGNATURE, PROFIT SHARE etc) but I am sure Karmateam is preparing something in this line. |
|
|
|
|
ptman
|
|
April 27, 2014, 08:54:23 AM |
|
You totally cock blocked PTMan tip I was about to send! So un-Karma like j/k Sorry 'ShawnLeary', but my solution is still the only one that offers protection in the exchange of the BTC address, so I'm still the one deserving the tips ;-) Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.
Comparing the current signature (generated by signing an empty message) with a previous one (also generated by an empty message), like suggested by 'spitfire1337', and only accepting the new signature if different from the previous one (after checking that the new signature also belongs to the same address offcourse) is not enough. Of course it is better than nothing but it still leaves too much possibility of cheating the system. Please read my suggestion again, which to my knowledge is the only solution exchanged in this forum that offers total security in the transaction of the BTC address for dividends, regarding proving that the BTC address is given by the REAL owner of the Karmashares LLC.
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.
Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address! Lets say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC. As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC right? An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form ( http://karmacoin.me/contact? ) with the correspondent Karma address of the shares holder (not the atacker Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are nos his) to one of his own bitcoin addresses. This way the atacker/hacker would be paid the dividends of Karmashares LLC insted of the legit owner of the shares. The signature of a blank message is in itself proof that it was signed by the owner of the wallet. But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw. MY SOLUTION:So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form ( http://karmacoin.me/contact?). With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself. I'm just trying to help. A security flaw like the one I pointed could discredit Karmashares LLC if taken advantage off... And be sure it will if it is not solved. Here's the thing though, anytime you sign a empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing. Your solution solves part of the possible attacks but not all. What if the attacker intercepts an email, steals the new signature while making the original email never reach Karmashares LLC, so that he can be the first to use that signature (and therefore give his own BTC address, stealing the dividends of a Karmashares shareholder)? I can think of some ways this can be done. The solution is, as I suggested before, signing the complete message with the BTC and KARMA address (the signature would be written in a separated text box of the online form).
This way, and only this way, Karmashares LLC can be sure that the BTC address (to where the dividends will be sent) is provided by someone who has access to the Karma wallet that has the address that generated the transaction to Karmashares LLC.
Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering. |
|
|
|
marsu
Newbie
Offline
Activity: 3
Merit: 0
|
|
April 27, 2014, 09:31:15 AM |
|
I don't understand how signing an empty message with a random Karmacoin receiving address would prove anything? Which Karmacoin address should I sign with and how do you verify that signature? I mean that i have lots of receiving addresses in my wallet
Could someone else send a signed message about my transaction before me signed with his Karmacoin receiving address?
|
|
|
|
|
|
