zhile11911 - July 10, 2014, 09:52:18 AM

Do dgex and mint still provide the escrow service?
bter sold nearly 87 BTC.
Wow, congratulations from my heart.

coinsolidation - July 10, 2014, 09:59:22 AM

The "third-party local program" argument is invalid because a malicious third-party local program can read a passphrase input into a web page also.
Input logging requires higher system rights than reading storage. And sometimes the attacker has remote access to the computer (through VNC or similar) and if you have the page open and the password is stored in the browser, the money is taken away. A similar case has been described on one local forum. I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe. This is your "authentication":

http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

That is SCARY. That is not authentication, that is a passphrase being sent in plain text in a URL, over plain HTTP. I cannot stress how bad this is, I have never seen anything so insecure in my entire life. WTF? Authentication isn't even used. Here, view my balance:

http://crypti.me:6040/api/getAllTransactions?accountId=15413165176907764021C

You need to do something about this now, people are buying with huge amounts of BTC!

mcjavar - July 10, 2014, 10:02:22 AM

What do you mean, what about the raised BTC in bter until now, is there any bonus? I have been following this thread and know it had started from the posts this morning.
30% bonus will be given for all investments raised today and tomorrow. How will I get the bonus if I buy on BTER?

crypti (OP) - July 10, 2014, 10:03:53 AM

> The "third-party local program" argument is invalid because a malicious third-party local program can read a passphrase input into a web page also.
> Input logging requires higher system rights than reading storage. And sometimes the attacker has remote access to the computer (through VNC or similar) and if you have the page open and the password is stored in the browser, the money is taken away. A similar case has been described on one local forum. I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe. This is your "authentication":
>
> http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf
>
> That is SCARY. That is not authentication, that is a passphrase being sent in plain text in a URL, over plain HTTP. I cannot stress how bad this is, I have never seen anything so insecure in my entire life.

And? NXT had the same. We can move to POST requests. But how does it add a lot of security?

crypti (OP) - July 10, 2014, 10:04:58 AM

> What do you mean, what about the raised BTC in bter until now, is there any bonus? I have been following this thread and know it had started from the posts this morning.
> 30% bonus will be given for all investments raised today and tomorrow. How will I get the bonus if I buy on BTER?

Yes.

crypti (OP) - July 10, 2014, 10:06:13 AM

> I cannot stress how bad this is, I have never seen anything so insecure in my entire life.
> Considering that the devs do not want to distribute a beta client before the official launch, which is understandable... I believe it is best that we provide the checksum hash of our passphrase instead of having to retrieve our account number online... regardless of whether SSL will be available or not.

SSL will be added today.

crypti (OP) - July 10, 2014, 10:09:01 AM

And we will hire security auditing soon, in the next 2 weeks.

xtester - July 10, 2014, 10:09:28 AM

I appreciate the effort your whole team has put into organizing everything. It already looks better than most of the IPOs out there.
As stated before, my only concern is that while you have optimized most of the things fairly well, it seems an important piece is still missing from the IPO puzzle.
The dev team has agreed that 500 BTC would cover the necessary requirements for the dev fund fairly well. However, given the situation, I expect Crypti to raise at least between 800-1000 BTC. Now it seems obvious that there should be a point where, because of too much investment, Crypti will be over-diluted and overpriced, and it will certainly not be good if Crypti would reach that point starting from the IPO. Furthermore, I think the dev team's interest along with the investors' interest should be among the most important things to keep in mind while deciding the IPO rules.
That said, I'm not sure why the IPO is set to last one whole month. A better option would be to set a cap of, let's say, 1000 BTC (or whatever reasonable sum you decide), or if the cap is not reached you have an open time limit of 1 month. The idea being that after 1000 BTC (or whatever sum) the IPO will go against the best interest of its investors because of overpricing and over-dilution. If this should happen, both the early investors and the late investors will suffer in the process. Maybe some kind of upper cap limit (2x-3x of what is actually needed for development) could be proposed and added to ensure a basic safety net for the investors who are looking forward to joining and contributing to the project.
Any thoughts on that?

crypti (OP) - July 10, 2014, 10:11:24 AM

> The "third-party local program" argument is invalid because a malicious third-party local program can read a passphrase input into a web page also.
> Input logging requires higher system rights than reading storage. And sometimes the attacker has remote access to the computer (through VNC or similar) and if you have the page open and the password is stored in the browser, the money is taken away. A similar case has been described on one local forum. I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe. This is your "authentication":
>
> http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf
>
> That is SCARY. That is not authentication, that is a passphrase being sent in plain text in a URL, over plain HTTP. I cannot stress how bad this is, I have never seen anything so insecure in my entire life. WTF? Authentication isn't even used. Here, view my balance:
>
> http://crypti.me:6040/api/getAllTransactions?accountId=15413165176907764021C
>
> You need to do something about this now, people are buying with huge amounts of BTC!

And yes, you can see balances of accounts. Blockexplorer too. But we will add SSL today and move operations with secretPhrase to POST requests.

prix - July 10, 2014, 10:14:41 AM

It's not to me. I wrote to the dev already about SSL and some other problems. And they fixed part of the problems. And it's beta, it is not necessary to use it for the pre-sale.

> And? NXT had the same. We can move to POST requests. But how does it add a lot of security?

I don't know how the NXT client is working now. But they were looking for a way to sign transactions by JS without transferring the password to the remote node. And you can do the same if needed.

Buratino - July 10, 2014, 10:18:25 AM

> devs, are you guys Russian?
> Not all.

OK, why don't you have a topic in the Russian language? +1 OP, please start a Russian thread.

coinsolidation - July 10, 2014, 10:19:37 AM

> You provide a valid secretPhrase and you can send crypti.

Okay, I cannot help here.

crypti (OP) - July 10, 2014, 10:20:28 AM

> You provide a valid secretPhrase and you can send crypti. Okay, I cannot help here.

Thank you - we will switch to POST and SSL ASAP. Also, we are working to bring a known security expert to do a security audit for Crypti.

SyRenity - July 10, 2014, 10:34:35 AM

To be more exact, this is part of the upcoming Crypti API to be published soon (already used by the wallet). However, you have a good point about the requests being non-secure at the moment. As Boris said, we will solve it soon by POST'ing and SSL'ing the requests. Also note that the wallet is still on the testnet, hence no real impact will be done in case of breach (if any).

coinsolidation - July 10, 2014, 10:36:12 AM

> How is that secure? Click it to send 100 coins from an account to another one.
> I understand where you're coming from at this stage but eventually all this will be done locally... this needs to be clear because many people might think that what you're describing will always be the case.

Yes, it is important to note that it's done locally. But it's still shockingly insecure. POST and SSL will help.

Next: since the passphrase provided appears to be the only reference to the account, what happens if two people select the same password? Same private key and account? If this was Crypti now, could I just dictionary attack the API to generate keys and gain access to accounts? Can I just do this http://crypti.me:6040/api/unlock?secretPhrase=test on any Crypti instance to get full access to any account?

SyRenity - July 10, 2014, 10:44:59 AM

> Next: since the passphrase provided appears to be the only reference to the account, what happens if two people select the same password? Same private key and account? If this was Crypti now, could I just dictionary attack the API to generate keys and gain access to accounts? Can I just do this http://crypti.me:6040/api/unlock?secretPhrase=test on any Crypti instance to get full access to any account?

As the wallet is deterministic, the pass-phrase is actually used to generate your private/public keys on the fly. We are going to introduce enforcement to make sure the pass-phrases are 100 or higher, ensuring there will be no collisions between users. It's the same technique used in NXT and XCP wallets. 100 characters will effectively prevent dictionary attacks, coupled with the brute-force measures that we will implement.

Wulfcastle - July 10, 2014, 10:47:01 AM

Quick question, will the desktop clients for Windows be packaged as .exe's? Also, from a usability perspective, don't you think a 100 character pass-phrase is a bit long?

cech4204a - July 10, 2014, 10:49:08 AM

This looks good, very professional looking crypto, I like it. I noticed a totally new design for the presentation, which is rare.

Bitcoin is DEAD