Bitcoin Forum
December 04, 2016, 04:32:06 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Bitcoinica - Security?  (Read 1703 times)
Mushoz
Hero Member
*****
Offline Offline

Activity: 686


Bitbuy


View Profile WWW
January 12, 2012, 07:03:45 PM
 #1

Zhoutong, I was wondering if there are any plans in the making involving added security for your site? Looking at the average daily volume that Bitcoinica produces, there must be quite a lot of funds in that place. The thing is, if someone manages to access your account, he can easily run off with BTC, because it's not reversible. I think a lot of people would appreciate a bit of added security for their accounts. I know I would. Could you please implement one of these two solutions?

1) SMS-authentication
2) Yubikey authentication


Thank you very much!

www.bitbuy.nl - Koop eenvoudig, snel en goedkoop bitcoins bij Bitbuy!
1480869126
Hero Member
*
Offline Offline

Posts: 1480869126

View Profile Personal Message (Offline)

Ignore
1480869126
Reply with quote  #2

1480869126
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480869126
Hero Member
*
Offline Offline

Posts: 1480869126

View Profile Personal Message (Offline)

Ignore
1480869126
Reply with quote  #2

1480869126
Report to moderator
incraft3817
Member
**
Offline Offline

Activity: 81


View Profile
January 12, 2012, 07:07:42 PM
 #2

He's too busy traveling and banging American girls to build security for his site.  Grin
Otoh
Donator
Legendary
*
Offline Offline

Activity: 1918



View Profile
January 12, 2012, 07:16:18 PM
 #3

yes agreed, as I'd already posted on his thread about this just a couple of hours ago

https://bitcointalk.org/index.php?topic=57291.msg687845#msg687845

even a 3 random chars drop down input for secondary verification from a long memorable phrase or paper hard copy of random chars would be good & easy enough to implement I'd imagine

because in order to get maximum protection from a zhoutonging it's tempting to park a large portion of one's BTC holdings there atm rather than say at Goxed or in one's own secure storage wallet/coded key in the cloud

...

PS I thought it was Australian girls atm btw

Node40.com is a leader in DASH hosting, dedicated exclusively to fully managed masternode hosting. Professional, organized, and responsive. I have many dozens of nodes with them.    
BTC = $c²     BTC = 1otohotohMoQoxHuxLBveQiZcV3Pji3Tc      DASH, Digital Cash = www.dash.org   
   CHARITY | MY REP | DICE
Koekiemonster
Sr. Member
****
Offline Offline

Activity: 321


Bitbuy.nl!


View Profile
January 12, 2012, 07:29:48 PM
 #4

I totally agree with the OP. I would really like some extra security.

https://www.bitbuy.nl - Koop eenvoudig, snel en goedkoop bitcoins bij Bitbuy!
Bitcointalk topic over Bitbuy!
incraft3817
Member
**
Offline Offline

Activity: 81


View Profile
January 13, 2012, 12:42:42 AM
 #5

The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.
teflone
Hero Member
*****
Offline Offline

Activity: 770


You're fat, because you dont have any pics on FB


View Profile
January 13, 2012, 12:45:15 AM
 #6

The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.

lmao..  Cheesy

For Canadians by Canadians: Canada's Bitcoin Community - https://www.coinforum.ca/
arepo
Sr. Member
****
Offline Offline

Activity: 448


this statement is false


View Profile
January 13, 2012, 12:46:01 AM
 #7

The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.

lawl

this sentence has fifteen words, seventy-four letters, four commas, one hyphen, and a period.
18N9md2G1oA89kdBuiyJFrtJShuL5iDWDz
Eveofwar
Sr. Member
****
Offline Offline

Activity: 406


View Profile
January 13, 2012, 12:48:10 AM
 #8

What about forcing http -> https ?  Just a suggestion.
somestranger
Hero Member
*****
Offline Offline

Activity: 485


Are You Shpongled?


View Profile
January 13, 2012, 01:07:00 AM
 #9

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
Eveofwar
Sr. Member
****
Offline Offline

Activity: 406


View Profile
January 13, 2012, 01:20:45 AM
 #10

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.
somestranger
Hero Member
*****
Offline Offline

Activity: 485


Are You Shpongled?


View Profile
January 13, 2012, 01:26:30 AM
 #11

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.
sgbett
Legendary
*
Offline Offline

Activity: 1330



View Profile
January 13, 2012, 02:38:31 AM
 #12

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.


http://haschinabannedbitcoin.com
Full Node: http://46.51.193.129 (BU)
"A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution" - Satoshi Nakamoto
the joint
Legendary
*
Offline Offline

Activity: 1792



View Profile
January 13, 2012, 02:42:36 AM
 #13

Use the same two-factor authentication that TradeHill uses (Duo-Security).  I love it.  It's so 21st century.

Eveofwar
Sr. Member
****
Offline Offline

Activity: 406


View Profile
January 13, 2012, 03:09:19 AM
 #14

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.



Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423   <myip>   50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=<obscured>&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one....anyone else care to try ?
somestranger
Hero Member
*****
Offline Offline

Activity: 485


Are You Shpongled?


View Profile
January 13, 2012, 04:57:28 AM
 #15

Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423   <myip>   50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=<obscured>&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one....anyone else care to try ?

Without the www it redirects to https. With it, it's http.
Eveofwar
Sr. Member
****
Offline Offline

Activity: 406


View Profile
January 13, 2012, 05:16:07 AM
 #16

let's just hope he's actually getting laid

Not sure how that's relevant in helping with Bitcoinica security flaws ?  Anyways...

Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423   <myip>   50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=<obscured>&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one....anyone else care to try ?

Without the www it redirects to https. With it, it's http.

With or without the www, still http Cry

Sounds like it's time to bookmark the HTTPS login page lulz.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
January 13, 2012, 06:52:55 AM
 #17

As for two-factor auth, I'd reccomend Google Two-factor auth mechanism. It's great, because it utilizes app on your phone as auth mechanism, which works offline, and it also provides fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
January 13, 2012, 07:45:26 AM
 #18

As for two-factor auth, I'd reccomend Google Two-factor auth mechanism. It's great, because it utilizes app on your phone as auth mechanism, which works offline, and it also provides fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/

LOL. It's such a coincidence! I have started working on Google Authenticator two hours ago (1 hour earlier than your post).

It's going to be up in 10 minutes! Stay tuned!

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
January 13, 2012, 07:59:57 AM
 #19

As for two-factor auth, I'd reccomend Google Two-factor auth mechanism. It's great, because it utilizes app on your phone as auth mechanism, which works offline, and it also provides fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/

LOL. It's such a coincidence! I have started working on Google Authenticator two hours ago (1 hour earlier than your post).

It's going to be up in 10 minutes! Stay tuned!

It's LIVE! Two-factor authentication!

Announcement: https://bitcointalk.org/index.php?topic=58522.0

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
sgbett
Legendary
*
Offline Offline

Activity: 1330



View Profile
January 13, 2012, 10:25:07 AM
 #20

You know what, if there was ever any doubt about zhoutongs age, it has to be a fact!

I remember when I was 17, and someone was like "oh you need your thing to do X" and you could just sit down and bang out code and have it done in hours. It's like your brain just ebbed code and your fingers just did the best they could to keep up!

Unfortunately I never had the fortune that my hero coding actually turned into much cold hard cash (still, what's a coder gonna do otherwise.. not code!? you just keep doing it cos you love coding!) Wink

Oh yeah, course I am jealous, but I don't begrudge you anything Mr Z. I love the work you guys are doing.

I'm sure in 20 years time, as you pump out the code in a much more sedentary manner (or more likely stroll along a sunny beach) you'll look back on these good times and think, how the hell did I pull that off.

Those all-nighters just get harder and harder! Wink




http://haschinabannedbitcoin.com
Full Node: http://46.51.193.129 (BU)
"A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution" - Satoshi Nakamoto
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!