MoneroMooo
Legendary
Offline
Activity: 1276
Merit: 1001
October 08, 2016, 05:39:56 PM
> As I have stated before a 2 part auth should be added, I personally would like to lock it to my IP and or MAC. There are many 2 part methods that should be added.

While generally useful, I'm not sure that'd help in this particular case:
- If the server is compromised, and is sending compromised JS, that JS can probably disable such checks, as well as post away your private spend key to an attacker.
- If the connection is MITM'd, same considerations apply.
- If your computer is compromised, the attacker can do whatever it wants.

Locking to IP and/or MAC would work if any tx has to go through the server, but that is not the case here. What would help is the ability to run known good Javascript only. So something like having the Mymonero website running on an HTTP server on your local machine, and connecting to the mymonero site as normal to get new txes and relay spends.
Hueristic
Legendary
Offline
Activity: 4522
Merit: 7051
Doomed to see the future and unable to prevent it
October 08, 2016, 05:52:31 PM
>> As I have stated before a 2 part auth should be added, I personally would like to lock it to my IP and or MAC. There are many 2 part methods that should be added.

> While generally useful, I'm not sure that'd help in this particular case:
> - If the server is compromised, and is sending compromised JS, that JS can probably disable such checks, as well as post away your private spend key to an attacker.
> - If the connection is MITM'd, same considerations apply.
> - If your computer is compromised, the attacker can do whatever it wants.
>
> Locking to IP and/or MAC would work if any tx has to go through the server, but that is not the case here. What would help is the ability to run known good Javascript only. So something like having the Mymonero website running on an HTTP server on your local machine, and connecting to the mymonero site as normal to get new txes and relay spends.

Nothing can protect 100%, yes, but each additional layer will not only create larger hurdles for the attacker, it will also allow for a narrowed forensic analysis of the attack vector as opposed to the "well we don't know but we think maybe it was a phishing site" answer we have now. Sometimes you need to just shut off vectors to find the avenue, and even by adding these the attacker will be aware that the scope of their attack will become known and may therefore not strike again. This is especially true of inside jobs. Doing nothing is the wrong answer.

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
MR1
Legendary
Offline
Activity: 927
Merit: 1000
October 08, 2016, 06:00:55 PM
>> As I have stated before a 2 part auth should be added, I personally would like to lock it to my IP and or MAC. There are many 2 part methods that should be added.

> While generally useful, I'm not sure that'd help in this particular case:
> - If the server is compromised, and is sending compromised JS, that JS can probably disable such checks, as well as post away your private spend key to an attacker.
> - If the connection is MITM'd, same considerations apply.
> - If your computer is compromised, the attacker can do whatever it wants.
>
> Locking to IP and/or MAC would work if any tx has to go through the server, but that is not the case here. What would help is the ability to run known good Javascript only. So something like having the Mymonero website running on an HTTP server on your local machine, and connecting to the mymonero site as normal to get new txes and relay spends.

So how is the tx transmitted to the XMR network if it does not go through the server?
MoneroMooo
Legendary
Offline
Activity: 1276
Merit: 1001
October 08, 2016, 07:23:09 PM
> So how is the tx transmitted to the XMR network if it does not go through the server?

It does go through the server. But it does not *have* to. That is, if an attacker were to compromise some part of the chain from client to server, the attacker could induce the client to generate a transaction which would be relayed to the Monero network without going through the server.
dEBRUYNE
Legendary
Offline
Activity: 2268
Merit: 1141
October 09, 2016, 06:47:22 PM
nioc
Legendary
Offline
Activity: 1624
Merit: 1008
October 09, 2016, 07:42:17 PM
It has been moved to funding required. Let's go guys.
nioc
Legendary
Offline
Activity: 1624
Merit: 1008
October 09, 2016, 09:07:20 PM
> It has been moved to funding required. Let's go guys.

Fully funded, that was quick.
Chronobank
October 09, 2016, 09:40:34 PM
It seems anonymity is again becoming an important part of our lives - Xmr - Nav - Sdc. An interesting trend....
ArticMine
Legendary
Offline
Activity: 2282
Merit: 1062
Monero Core Team
October 09, 2016, 09:56:29 PM
This was oversubscribed, in a very short period of time. Many thanks to all who contributed.
explorer
Legendary
Offline
Activity: 2016
Merit: 1259
October 09, 2016, 10:49:58 PM
> This was oversubscribed, in a very short period of time. Many thanks to all who contributed.

What happens to the overage? Revise the contract to suit? These requests are funded before I see them!
nioc
Legendary
Offline
Activity: 1624
Merit: 1008
October 10, 2016, 04:01:49 AM
>> This was oversubscribed, in a very short period of time. Many thanks to all who contributed.

> What happens to the overage? Revise the contract to suit? These requests are funded before I see them!

I believe the overage is used for development at the discretion of the devs. There was at least one time that funds were raised for work that was not done, and they were later used to fund another request that was approved by the community. Yes, this one was funded quickly, in about an hour. I saw the proposal shortly after it was posted and was lucky enough to be able to contribute. There is another proposal coming, probably tomorrow, for funding of the i2p/kovri project. I know nothing of the details. If I see it before you, I can donate an amount of your choosing in your name and you can pay me back later.
canth
Legendary
Offline
Activity: 1442
Merit: 1001
October 10, 2016, 02:56:46 PM
>> Damn, if I waited 2 days I would have had more dust to play with!  ...

> Ya know, the only time I've ever seen Canth was the Brown Dragon in Pern, you wouldn't have to have read that have you? I've been meaning to ask you that forever and never had the keyboard handy.

It's the only place I've seen the name used as well, except for typos. I think I must have read at least 20 of the Pern books when I was a kid - glad to see a fellow fan.
Hueristic
Legendary
Offline
Activity: 4522
Merit: 7051
Doomed to see the future and unable to prevent it
October 10, 2016, 03:39:52 PM
>>> Damn, if I waited 2 days I would have had more dust to play with!  ...

>> Ya know, the only time I've ever seen Canth was the Brown Dragon in Pern, you wouldn't have to have read that have you? I've been meaning to ask you that forever and never had the keyboard handy.

> It's the only place I've seen the name used as well, except for typos. I think I must have read at least 20 of the Pern books when I was a kid - glad to see a fellow fan.

I think when I read them there were the first 3, and then later I read the fire-lizard ones, but I didn't know there were more. I think I'll see if I still have them and do a re-read. I'm not sure if I'd like them as an adult, but when I was a kid they enthralled me. Would definitely make a good movie.

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
dEBRUYNE
Legendary
Offline
Activity: 2268
Merit: 1141
October 10, 2016, 04:07:02 PM
Hueristic
Legendary
Offline
Activity: 4522
Merit: 7051
Doomed to see the future and unable to prevent it
October 10, 2016, 06:02:58 PM

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
October 10, 2016, 06:28:28 PM
He's asking for 34 dollars an hour, right? I don't know how experienced and effective a software developer he is, but if he is experienced and effective that sounds about a market wage for that line of work.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
Hueristic
Legendary
Offline
Activity: 4522
Merit: 7051
Doomed to see the future and unable to prevent it
October 10, 2016, 06:32:43 PM
> He's asking for 34 dollars an hour, right? I don't know how experienced and effective a software developer he is, but if he is experienced and effective that sounds about a market wage for that line of work.

I'm betting this could be contracted out for about half that.

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
October 10, 2016, 06:40:25 PM
>> He's asking for 34 dollars an hour, right? I don't know how experienced and effective a software developer he is, but if he is experienced and effective that sounds about a market wage for that line of work.

> I'm betting this could be contracted out for about half that.

Yeah, maybe. Some people are worth more than others though. My wife works in food service and she's just so competent her employer pays her twice as much as her peers. Idk whether he is or isn't worth twice as much as some random Chinese contractor, but he might be.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
graviteta
October 10, 2016, 06:44:38 PM
Hello Moneroers, I have some XMR. I am waiting for the XMR price to reach $20, is it possible?
Hueristic
Legendary
Offline
Activity: 4522
Merit: 7051
Doomed to see the future and unable to prevent it
October 10, 2016, 06:46:32 PM
>>> He's asking for 34 dollars an hour, right? I don't know how experienced and effective a software developer he is, but if he is experienced and effective that sounds about a market wage for that line of work.

>> I'm betting this could be contracted out for about half that.

> Yeah, maybe. Some people are worth more than others though. My wife works in food service and she's just so competent her employer pays her twice as much as her peers. Idk whether he is or isn't worth twice as much as some random Chinese contractor, but he might be.

LOL, actually most of the cheap coders are from India. And it would cost probably 7k or less for that.

> Hello Moneroers, I have some XMR. I am waiting for the XMR price to reach $20, is it possible?

Everything is possible in a universal perspective.

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”