Bitcoin Forum
Author Topic: [XCR] Crypti | Dapps | Sidechains | Dapp Store | OPEN SOURCE | 100% own code | DPoS  (Read 804614 times)

zhile11911 (Sr. Member, Activity: 308, Merit: 250)
July 10, 2014, 09:52:18 AM, #1001

Do dgex and mint still provide the escrow service?

bter sold nearly 87 BTC.

Wow. Congratulations from my heart.


coinsolidation, Bitmark Developer (Sr. Member, Activity: 294, Merit: 250)
July 10, 2014, 09:59:22 AM, #1002

The "third-party local program" argument is invalid because a malicious third-party local program can read a passphrase input into a web page also.
Input logging requires higher system rights than reading storage.
And sometimes the attacker has remote access to the computer (through VNC or similar), and if you have opened the page and the password is stored in the browser, the money is taken away. A similar case has been described on one local forum.

I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe.

This is your "authentication": http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

That is SCARY. That is not authentication; that is a passphrase being sent in plain text in a URL, over plain HTTP.

I cannot stress how bad this is. I have never seen anything so insecure in my entire life.

WTF? Authentication isn't even used. Here, view my balance: http://crypti.me:6040/api/getAllTransactions?accountId=15413165176907764021C

You need to do something about this now; people are buying with huge amounts of BTC!

Bitmark (reputation+money) : Bitmark v0.9.4 (release)

mcjavar (Hero Member, Activity: 784, Merit: 500)
July 10, 2014, 10:02:22 AM, #1003

What do you mean, what about the raised BTC in bter until now, is there any bonus? I have been following this thread and know it had started from the posts this morning.

30% bonus will be given for all investments raised today and tomorrow.

How will I get the bonus if I buy on BTER?

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:03:53 AM, #1004

The "third-party local program" argument is invalid because a malicious third-party local program can read a passphrase input into a web page also.
Input logging requires higher system rights than reading storage.
And sometimes the attacker has remote access to the computer (through VNC or similar), and if you have opened the page and the password is stored in the browser, the money is taken away. A similar case has been described on one local forum.

I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe.

This is your "authentication": http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

That is SCARY. That is not authentication; that is a passphrase being sent in plain text in a URL, over plain HTTP.

I cannot stress how bad this is. I have never seen anything so insecure in my entire life.

And? NXT had the same. We can move to POST requests. But how does it add a lot of security?

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:04:58 AM, #1005

What do you mean, what about the raised BTC in bter until now, is there any bonus? I have been following this thread and know it had started from the posts this morning.

30% bonus will be given for all investments raised today and tomorrow.

How will I get the bonus if I buy on BTER?

Yes.

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:06:13 AM, #1006

I cannot stress how bad this is, I have never seen anything so insecure in my entire life.

Considering that the devs do not want to distribute a beta client before the official launch which is understandable...  I believe it is best that we provide the checksum hash of our passphrase instead of having to retrieve our account number online...  regardless of whether SSL will be available or not.


SSL will be added today :)

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:09:01 AM, #1007

And we will hire a security auditor soon, in the next 2 weeks.

xtester, "Risk taker & Black Swan farmer." (Hero Member, Activity: 840, Merit: 500)
July 10, 2014, 10:09:28 AM, #1008

I appreciate the effort your whole team has put into organizing everything. It already looks better than most of the IPOs out there.

As stated before, my only concern is that while you have optimized most of the things fairly well, it seems an important piece is still missing from the IPO puzzle.

The dev team has agreed that 500 BTC would cover the necessary requirements for the dev fund fairly well. However, given the situation, I expect Crypti to raise at least between 800-1000 BTC. Now it seems obvious that there should be a point where, because of too much investment, Crypti will be over-diluted and over-priced, and it will certainly not be good if Crypti would reach that point starting from the IPO. Furthermore, I think the dev team's interest along with the investors' interest should be among the most important things to keep in mind while deciding the IPO rules.

That said, I'm not sure why the IPO is set to last one whole month. A better option would be to set a cap of, let's say, 1000 BTC (or whatever reasonable sum you decide), or, if the cap is not reached, an open time limit of 1 month. The idea being that after 1000 BTC (or whatever sum) the IPO will go against the best interest of its investors because of over-pricing and over-dilution. If this should happen, both the early investors and the late investors will suffer in the process. Maybe some kind of upper cap limit (2x-3x of what is actually needed for development) could be proposed and added to ensure a basic safety net for the investors who are looking forward to joining and contributing to the project.

Any thoughts on that?

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:11:24 AM, #1009

The "third-party local program" argument is invalid because a malicious third-party local program can read a passphrase input into a web page also.
Input logging requires higher system rights than reading storage.
And sometimes the attacker has remote access to the computer (through VNC or similar), and if you have opened the page and the password is stored in the browser, the money is taken away. A similar case has been described on one local forum.

I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe.

This is your "authentication": http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

That is SCARY. That is not authentication; that is a passphrase being sent in plain text in a URL, over plain HTTP.

I cannot stress how bad this is. I have never seen anything so insecure in my entire life.

WTF? Authentication isn't even used. Here, view my balance: http://crypti.me:6040/api/getAllTransactions?accountId=15413165176907764021C

You need to do something about this now; people are buying with huge amounts of BTC!

And yes, you can see balances of accounts. Blockexplorer too.
But we will add SSL today and move operations with secretPhrase to POST requests.

prix (Hero Member, Activity: 750, Merit: 511)
July 10, 2014, 10:14:41 AM, #1010

I understand that you have a huge IPO going on, but you owe it to those buying to ensure that their data is safe.

This is your "authentication": http://crypti.me:6040/api/unlock?secretPhrase=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

That is SCARY. That is not authentication; that is a passphrase being sent in plain text in a URL, over plain HTTP.

I cannot stress how bad this is. I have never seen anything so insecure in my entire life.

WTF? Authentication isn't even used. Here, view my balance: http://crypti.me:6040/api/getAllTransactions?accountId=15413165176907764021C

You need to do something about this now; people are buying with huge amounts of BTC!

It's not to me. I wrote to the devs already about SSL and some other problems, and they fixed part of the problems.
And it's beta; it is not necessary to use it for the pre-sale.

And? NXT had the same. We can move to POST requests. But how does it add a lot of security?

I don't know how the NXT client is working now. But they were looking for a way to sign transactions in JS without transferring the password to the remote node. And you can do the same if needed.

coinsolidation, Bitmark Developer (Sr. Member, Activity: 294, Merit: 250)
July 10, 2014, 10:17:03 AM, #1011

And yes, you can see balances of accounts. Blockexplorer too.
But we will add SSL today and move operations with secretPhrase to POST requests.

http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C&amount=100&fee=0.31640625&recepient=2896597140253424866C&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

How is that secure? Click it to send 100 coins from an account to another one.

Bitmark (reputation+money) : Bitmark v0.9.4 (release)
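Added example (not Crypti's code and not written by any poster in the thread) that makes the point of posts #1002 and #1011 concrete from the defender's side: an audit function that flags a secret carried in a GET query string, a plaintext transport, and a state-changing operation reachable by a bare link; the access-log line a web server would write for that request, showing the passphrase lands on disk; a redaction helper for anything that must log URLs; and the same transfer as a POST over HTTPS with the passphrase in the body, which is the fix the thread converges on. THREAD_URL is the sendMoney link quoted above (with its dummy passphrase); the log format, client address and hardened request are constructed for illustration.

```python
"""Why a wallet passphrase in a GET query string over plain HTTP is a leak,
and what the request looks like once moved to a POST body over HTTPS.
Added example, not Crypti code. THREAD_URL is the link quoted in the thread;
the log line and the hardened request are constructed."""
from urllib.parse import urlsplit, parse_qs

# Parameter names that carry a secret; the thread's API spells it two ways.
SECRET_PARAMS = {"secretphrase", "secretpharse", "passphrase", "password"}
# Endpoints that change state (spend, unlock) and so must never fire from a bare link.
STATE_CHANGING = ("/sendMoney", "/unlock")

THREAD_URL = ("http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C"
              "&amount=100&fee=0.31640625&recepient=2896597140253424866C"
              "&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf")


def audit_request(method: str, url: str) -> list:
    """Return the security findings for one API request; an empty list means it passes."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("plaintext transport: anyone on the network path reads the request")
    leaked = sorted(k for k in parse_qs(parts.query, keep_blank_values=True)
                    if k.lower() in SECRET_PARAMS)
    if leaked:
        findings.append("secret in query string (%s): recorded in server access logs, "
                        "proxy logs, browser history and Referer headers" % ", ".join(leaked))
    if method.upper() == "GET" and parts.path.endswith(STATE_CHANGING):
        findings.append("state change on GET: a clicked link or an <img src> tag triggers it")
    return findings


def access_log_line(client_ip: str, method: str, url: str) -> str:
    """Common Log Format line a web server writes for the request (constructed timestamp).
    The query string, secret included, is part of the logged request line."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return '%s - - [10/Jul/2014:10:17:03 +0000] "%s %s HTTP/1.1" 200 -' % (client_ip, method, target)


def redact_url(url: str) -> str:
    """Mask secret-bearing query parameters before a URL is written to any log."""
    parts = urlsplit(url)
    kept = []
    for pair in (parts.query.split("&") if parts.query else []):
        key = pair.split("=", 1)[0]
        kept.append(key + "=[REDACTED]" if key.lower() in SECRET_PARAMS else pair)
    return parts._replace(query="&".join(kept)).geturl()


def hardened_request() -> dict:
    """The same transfer as THREAD_URL as a POST over HTTPS with the passphrase in the
    body (constructed). The body is still only as private as the TLS channel, which is
    why POST without SSL, as audit_request shows, is not enough on its own."""
    return {
        "method": "POST",
        "url": "https://crypti.me:6040/api/sendMoney",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "accountAddress=15413165176907764021C&amount=100&fee=0.31640625"
                "&recepient=2896597140253424866C&secretPhrase=[PASSPHRASE]",
    }


if __name__ == "__main__":
    for finding in audit_request("GET", THREAD_URL):
        print("-", finding)
    print(access_log_line("203.0.113.5", "GET", THREAD_URL))   # constructed client address
    print(redact_url(THREAD_URL))
    print(audit_request("POST", "http://crypti.me:6040/api/sendMoney"))   # POST alone still fails
```

Running it shows three findings for the thread's link, one remaining finding (transport) for POST over plain HTTP, and none for the hardened request; the log line demonstrates why moving the secret out of the URL matters even after TLS is added, since the server's own logs are not covered by the transport.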

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:17:53 AM, #1012

And yes, you can see balances of accounts. Blockexplorer too.
But we will add SSL today and move operations with secretPhrase to POST requests.

http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C&amount=100&fee=0.31640625&recepient=2896597140253424866C&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

How is that secure? Click it to send 100 coins from an account to another one.

You provide a valid secretPhrase and you can send crypti :)

http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C&amount=100&fee=0.31640625&recepient=2896597140253424866C&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdf1hksdjfhaskdjfhksadjfhaskldf

Result:
{
  "success": false,
  "error": "Invalid passphrase, check your passphrase please"
}

And again, it's beta; we will move all operations with secretPhrase to POST and add SSL now.

Buratino (Legendary, Activity: 1151, Merit: 1003)
July 10, 2014, 10:18:25 AM, #1013

Devs, are you guys Russian?

Not all.

OK, why don't you have a topic in the Russian language?

+1

OP, please start a Russian thread ;)


coinsolidation, Bitmark Developer (Sr. Member, Activity: 294, Merit: 250)
July 10, 2014, 10:19:37 AM, #1014

And yes, you can see balances of accounts. Blockexplorer too.
But we will add SSL today and move operations with secretPhrase to POST requests.

http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C&amount=100&fee=0.31640625&recepient=2896597140253424866C&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

How is that secure? Click it to send 100 coins from an account to another one.

You provide a valid secretPhrase and you can send crypti :)

Huh. Okay, I cannot help here.

Bitmark (reputation+money) : Bitmark v0.9.4 (release)

crypti (OP), Boris, Crypti Lead Developer, Lisk Advisor (Hero Member, Activity: 511, Merit: 500)
July 10, 2014, 10:20:28 AM, #1015

And yes, you can see balances of accounts. Blockexplorer too.
But we will add SSL today and move operations with secretPhrase to POST requests.

http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C&amount=100&fee=0.31640625&recepient=2896597140253424866C&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdfhksdjfhaskdjfhksadjfhaskldf

How is that secure? Click it to send 100 coins from an account to another one.

You provide a valid secretPhrase and you can send crypti :)

Huh. Okay, I cannot help here.

Thank you - we will switch to POST and SSL ASAP.
Also, we are working to bring a known security expert to do a security audit for Crypti.

SyRenity (Hero Member, Activity: 756, Merit: 502)
July 10, 2014, 10:34:35 AM, #1016

You provide a valid secretPhrase and you can send crypti :)

http://crypti.me:6040/api/sendMoney?accountAddress=15413165176907764021C&amount=100&fee=0.31640625&recepient=2896597140253424866C&secretPharse=lksdjfhsdkfjsdhfksdjfhsdkjfhsdkjfhksjdfhkjsdf1hksdjfhaskdjfhksadjfhaskldf

Result:
{
  "success": false,
  "error": "Invalid passphrase, check your passphrase please"
}

And again, it's beta; we will move all operations with secretPhrase to POST and add SSL now.

To be more exact, this is part of the upcoming Crypti API to be published soon (already used by the wallet).
However, you have a good point about the requests being non-secure at the moment. As Boris said, we will solve it soon by POST'ing and SSL'ing the requests.

Also note that the wallet is still on the testnet, hence no real impact will be done in case of a breach (if any).

coinsolidation, Bitmark Developer (Sr. Member, Activity: 294, Merit: 250)
July 10, 2014, 10:36:12 AM, #1017

How is that secure? Click it to send 100 coins from an account to another one.

I understand where you're coming from at this stage but eventually all this will be done locally...  this needs to be clear because many people might think that what you're describing will always be the case.

Yes, it is important to note that it's done locally. But it's still shockingly insecure. POST and SSL will help.

Next:
Since the passphrase provided appears to be the only reference to the account, what happens if two people select the same password? Same private key and account?

If this was crypti now, could I just dictionary attack the API to generate keys and gain access to accounts? ... Can I just do this http://crypti.me:6040/api/unlock?secretPhrase=test on any crypti instance to get full access to any account?

Bitmark (reputation+money) : Bitmark v0.9.4 (release)

SyRenity (Hero Member, Activity: 756, Merit: 502)
July 10, 2014, 10:44:59 AM, #1018

Next:
Since the passphrase provided appears to be the only reference to the account, what happens if two people select the same password? Same private key and account?

If this was crypti now, could I just dictionary attack the API to generate keys and gain access to accounts? ... Can I just do this http://crypti.me:6040/api/unlock?secretPhrase=test on any crypti instance to get full access to any account?

As the wallet is deterministic, the pass-phrase is actually used to generate your private/public keys on the fly. We are going to introduce enforcement to make sure the pass-phrases are 100 or higher, ensuring there will be no collisions between users.

It's the same technique used in NXT and XCP wallets.

100 characters will effectively prevent dictionary attacks, coupled with the brute-force measures that we will implement.
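Added example (not Crypti's code and not from any poster) illustrating the exchange in #1017 and #1018: in a deterministic wallet the passphrase is the only input to the key derivation, so two users who choose the same passphrase get the same private key and the same account, and the only defences are the ones SyRenity names, a minimum passphrase length at account creation and a brute-force limiter in front of the passphrase check. SHA-256 stands in for the real key-derivation and curve operations; the 100-character minimum is the figure quoted in the thread, while MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS, the sample passphrase and the client addresses are constructed. The result shape of send_money follows the JSON reply quoted in #1012.

```python
"""Deterministic (passphrase-only) accounts and the two server-side controls the
thread mentions: a minimum passphrase length and a brute-force limiter.
Added example, not Crypti code. SHA-256 stands in for the real key derivation;
MAX_FAILED_ATTEMPTS and LOCKOUT_SECONDS are constructed values."""
import hashlib
import time

MIN_PASSPHRASE_CHARS = 100   # the minimum the thread says will be enforced
MAX_FAILED_ATTEMPTS = 5      # constructed: failed checks per client before lockout
LOCKOUT_SECONDS = 900        # constructed: lockout window


def derive_account(passphrase: str) -> dict:
    """Passphrase -> private key -> public key -> account id, with no other input.
    Because nothing else enters the derivation, two users who pick the same
    passphrase get the same private key and therefore the same account."""
    private_key = hashlib.sha256(passphrase.encode("utf-8")).digest()
    public_key = hashlib.sha256(b"pub:" + private_key).digest()     # stand-in for the curve operation
    account_id = str(int.from_bytes(public_key[:8], "big")) + "C"   # thread-style id with a C suffix
    return {"private_key": private_key.hex(), "public_key": public_key.hex(), "account_id": account_id}


def check_passphrase(passphrase: str) -> tuple:
    """Policy applied when an account is created. Returns (ok, reason)."""
    if len(passphrase) < MIN_PASSPHRASE_CHARS:
        return False, "passphrase must be at least %d characters" % MIN_PASSPHRASE_CHARS
    if len(set(passphrase)) < 10:
        # Length alone is not entropy: 100 copies of one character is still guessable.
        return False, "passphrase has too little variety"
    return True, "ok"


class FailureLimiter:
    """Per-client counter of failed passphrase checks with a time-based lockout."""

    def __init__(self, now=time.monotonic):
        self._now = now          # injectable clock so the lockout is testable
        self._failures = {}      # client -> [count, first_failure_time]

    def allowed(self, client: str) -> bool:
        entry = self._failures.get(client)
        if entry is None or entry[0] < MAX_FAILED_ATTEMPTS:
            return True
        if self._now() - entry[1] >= LOCKOUT_SECONDS:
            del self._failures[client]   # window expired, start counting afresh
            return True
        return False

    def record(self, client: str, success: bool) -> None:
        if success:
            self._failures.pop(client, None)
        else:
            self._failures.setdefault(client, [0, self._now()])[0] += 1


def send_money(limiter: FailureLimiter, client: str, account_address: str,
               passphrase: str, amount: int) -> dict:
    """Server-side check behind a sendMoney call: the passphrase must derive the
    account it claims to spend from. Reply shape follows the thread's API result."""
    if not limiter.allowed(client):
        return {"success": False, "error": "Too many failed attempts, try again later"}
    ok = derive_account(passphrase)["account_id"] == account_address
    limiter.record(client, ok)
    if not ok:
        return {"success": False, "error": "Invalid passphrase, check your passphrase please"}
    return {"success": True, "error": None, "amount": amount}


if __name__ == "__main__":
    phrase = "correct horse battery staple " * 4          # constructed, 116 characters
    print(check_passphrase("test"), check_passphrase(phrase))
    acct = derive_account(phrase)
    print(acct["account_id"], derive_account(phrase)["account_id"] == acct["account_id"])
```

The second derivation in the `__main__` block returns the identical account id, which is the collision coinsolidation asks about; the length policy only makes such a collision improbable, it does not make the scheme stop being a shared secret, and the limiter bounds how many guesses a single client can make against one account rather than what a guesser can do offline with a copy of the blockchain.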

Wulfcastle (Hero Member, Activity: 546, Merit: 500)
July 10, 2014, 10:47:01 AM, #1019

Quick question, will the desktop clients for Windows be packaged as .exe's? Also from a usability perspective don't you think a 100 character pass-phrase is a bit long?

cech4204a (Sr. Member, Activity: 252, Merit: 250)
July 10, 2014, 10:49:08 AM, #1020

This looks good, a very professional-looking crypto, I like it. I noticed a totally new design for the presentation, which is rare.

Bitcoin is DEAD