qberty (OP)
|
|
May 03, 2011, 11:41:40 PM |
|
You're severely misguided, and nobody is going to use your program in a sandbox, that defeats the whole purpose. Get real.
Defeats the whole purpose of what? Making it open source. Wow. Profound. Why can't anyone just accept that I don't want it open source just to satisfy the fact that I have no rep on this forum. That's just sickening. Let's get real then. In reality, it's not like someone would care enough about this program to use its source to make it a million times better. People on this board want it to be open source, so they can trust it as the code can be easily sifted through and taken. In my opinion, if security was the ONLY issue here, between open source and closed source, then sandboxing would actually BE a good idea. If no one would sandbox it, then they are not interested in its security. So far no one has addressed exactly what I'm saying with a smart rebuttal. All I see is "you're not relevant", "you don't make sense", "make it open source", "you have no rep", "we can't trust you". Aside from security, there's no reason to FORCE me to make this open source for the slim chance of someone wanting to modify it. Forget it. I'll update this app because I use it myself sometimes. But this board is full of pricks.
|
|
|
|
FooDSt4mP
|
|
May 04, 2011, 12:12:16 AM |
|
You're severely misguided, and nobody is going to use your program in a sandbox, that defeats the whole purpose. Get real.
Defeats the whole purpose of what? Making it open source. Wow. Profound. Why can't anyone just accept that I don't want it open source just to satisfy the fact that I have no rep on this forum. That's just sickening. Let's get real then. In reality, it's not like someone would care enough about this program to use its source to make it a million times better. People on this board want it to be open source, so they can trust it as the code can be easily sifted through and taken. In my opinion, if security was the ONLY issue here, between open source and closed source, then sandboxing would actually BE a good idea. If no one would sandbox it, then they are not interested in its security. So far no one has addressed exactly what I'm saying with a smart rebuttal. All I see is "you're not relevant", "you don't make sense", "make it open source", "you have no rep", "we can't trust you". Aside from security, there's no reason to FORCE me to make this open source for the slim chance of someone wanting to modify it. Forget it. I'll update this app because I use it myself sometimes. But this board is full of pricks.
Security is necessary since we are dealing with very liquid assets. However, "sandboxing" is nontrivial in this case. If I give you access to my mining accounts, you can redirect my payout. I have to watch your API usage to ensure you don't do something I don't approve of. Stripping out personal information and dumping it on github/gitorious IS trivial. I can understand not wanting to be responsible for maintaining an open source project, but no one is asking you to do that. However, you may just find some pull requests for features on your TODO. Or not, but at least people can read through it and be convinced it is safe. If it's style you're worried about, don't be. It's practically impossible to write clean code on the first go. Any good programmer will understand that.
|
As we slide down the banister of life, this is just another splinter in our ass.
|
|
|
qberty (OP)
|
|
May 04, 2011, 01:06:28 AM |
|
Security is necessary since we are dealing with very liquid assets. However, "sandboxing" is nontrivial in this case. If I give you access to my mining accounts, you can redirect my payout. I have to watch your API usage to ensure you don't do something I don't approve of. Stripping out personal information and dumping it on github/gitorious IS trivial. I can understand not wanting to be responsible for maintaining an open source project, but no one is asking you to do that. However, you may just find some pull requests for features on your TODO. Or not, but at least people can read through it and be convinced it is safe. If it's style you're worried about, don't be. It's practically impossible to write clean code on the first go. Any good programmer will understand that.
I know what you're saying, but most of these users are making it seem as if I MUST make it open source JUST to get them to use it. I don't see that as any type of fair, compared to the others that take that same risk and still use closed source programs.
|
|
|
|
[Tycho]
|
|
May 04, 2011, 01:52:35 AM |
|
Security is necessary since we are dealing with very liquid assets. However, "sandboxing" is nontrivial in this case. If I give you access to my mining accounts, you can redirect my payout. I have to watch your API usage to ensure you don't do something I don't approve of.
I want to repeat that you can't do anything bad to your payout via the pool's JSON/JSON-RPC API. The only thing you can do is ask for instant payout, but only to YOUR own bitcoin address that can't be changed by API call. I'm not supporting either side, just pointing to the fact that the API is intended to be harmless even if someone steals your token.
|
Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks ! ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures ( NEW!). Third year in bitcoin business.
|
|
|
error
|
|
May 04, 2011, 02:34:48 AM |
|
If you didn't realize by now. Software that is open source, gets no proper support, gets a gross development cycle and has no final version when multiple people are screwing with it. Whatever your defense is for making open source software has no ideal effect on what I actually develop. It's a different ballgame and Open source clearly loses to closed source. I designed this program for the END USER. Not another developer. So that's it. Enough of this open source discussion. It's not going to happen. Use this program, or don't. I don't need a big reps support.
So you wouldn't support your own program?!?!?
|
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
|
|
|
pwnyboy
|
|
May 04, 2011, 07:58:05 AM |
|
defeats the whole purpose of what? Making it open source. Wow. Profound.
No, what I was trying to convey is that sandboxing is counterintuitive. The purpose of running your application would be to place it on my desktop. If I have to sandbox it in a VM, it serves no useful purpose anymore, i.e. I'd have to window it, which would be the same value to me as simply hitting the pool's status page directly from within a web browser.
Forget it. I'll update this app because I use it myself sometimes. But this board is full of pricks.
Rather than coding, you might find this more useful: http://bitcointalk.org/index.php?topic=7071.0 I started using it today, as the gadget source is completely readable, and Windows Gadgets are already effectively sandboxed by their inability to interact with the system in certain ways. Best of luck with your coding if you do continue. </prick>
|
|
|
|
qberty (OP)
|
|
May 04, 2011, 08:07:34 AM |
|
No, what I was trying to convey is that sandboxing is counterintuitive. The purpose of running your application would be to place it on my desktop. If I have to sandbox it in a VM, it serves no useful purpose anymore, i.e. I'd have to window it, which would be the same value to me as simply hitting the pool's status page directly from within a web browser.
Pardon me if I'm not mistaken, but it doesn't look like you know the difference between sandboxing and vm. Let's make it a little more clear. A vm (virtual machine) would run the app within a controlled os environment. While a sandbox wrapped application, modifies the actual executable to allow it to run within the same environment but with a controlled margin. Ever heard of portable versions of software? Take a look http://www.vmware.com/products/thinapp/overview.html. You can HAVE the application right on your desktop, you can run it like normal, you don't give it any permission whatsoever to modify anything on the host. If that doesn't float your boat, ever heard of Sandboxie? http://www.sandboxie.com/ What's so counterintuitive? Please research what you're talking about, or ask for clarification before making your conclusion. I could even provide pre-sandboxed versions, but again that is far from the point. Even if I gave the end user the option for it to be impossible for the application to be malicious, someone will find something to say and bash it, like for example, me not having enough rep, or being only registered for a couple days. Having said that, I do realize how new I am to this board, but I reiterate, I'm not new to the internet. I practically grew up in it. All I asked for were some people to test it, tell me what could be better, and give me more ideas. I didn't ask someone to give me tips on how open my software should be (low-end or not). And lol @ that desktop gadget. It's a nice piece of work. Oh boy, if gadgets were ever closed source or even encrypted for that matter, damn anyone on this board wouldn't even touch a single gadget. Even with the ones that come with windows lol. Still use Internet Explorer? Well you must have at some point to get a new browser, but wait. Why would anyone use a closed source application? It could steal my wallet.dat, oh well, guess no exploring the internet for me.
I might as well not even get windows because of the fact that it's closed source and I have NO idea what's going on behind the scenes, so I won't pay 300 bucks to grab a genuine copy. Instead, I'll move to Ubuntu, because that's open source, and I'm an end-user, I REALLY need full access to everything because it makes me feel more secure. Or better yet, I should probably close my bank accounts, paypal accounts, even e-mail accounts. Holy smokes, who knows where my information goes once it leaves my computer. PS. Is it even safe for me to use this bulletin board system? Hey, it's free right? But I can't edit it locally, or on client side. What if the database isn't even using hashes for passwords? What if it's already been modified for malicious use? /end sarcastic user of this board
|
|
|
|
error
|
|
May 04, 2011, 08:30:22 AM |
|
Are you really that much of an asshole in real life?
|
|
|
|
pwnyboy
|
|
May 04, 2011, 10:26:30 AM |
|
Sandboxie is interesting. To date I've only known about other more established and perhaps better-known methods like Dosbox and FreeBSD jails. My frame of reference for the term "sandbox" is also quite different than yours I'm sure; when I need to "sandbox" something I throw old hardware at it, completely side-stepping the software/virtualization layer altogether. Anyway, thanks for the tip, but I still believe you're severely misguided.
|
|
|
|
qberty (OP)
|
|
May 05, 2011, 01:23:50 AM |
|
Are you really that much of an asshole in real life?
I do believe I have offended no one. Rather, everyone has offended my own opinion over their own based on the sole ease of everyone being an open source freak on this board. I may come off as an asshole, but only to get my point across. So far, someone has yet to invalidate my opinion.
|
|
|
|
error
|
|
May 05, 2011, 12:05:57 PM |
|
Are you really that much of an asshole in real life?
I do believe I have offended no one. Rather, everyone has offended my own opinion over their own based on the sole ease of everyone being an open source freak on this board. I may come off as an asshole, but only to get my point across. So far, someone has yet to invalidate my opinion.
And you have done nothing but completely ignore our legitimate concerns. Goodbye.
|
|
|
|
qberty (OP)
|
|
May 05, 2011, 01:20:52 PM |
|
And you have done nothing but completely ignore our legitimate concerns. Goodbye.
Unlike you, I've addressed everyone's opinion with my own reasoning. And still no one has proven a real need to make this program open source.
|
|
|
|
commlinx
|
|
May 05, 2011, 02:12:24 PM |
|
This application does NOT need admin rights on any OS. Therefore it cannot utilize any port access, or send any data. For Windows, specifically windows 7 which this program was designed for, it can do nothing but pull data TO the client program.
Ummm, do you know how HTTP works? To 'pull' data you need to send a request that can and usually does include other data like query strings, cookies and POST data that can be used to send other data like the contents of wallet.dat. You've pointed out that it can be sandboxed, it's a great idea for some applications and I often use virtual machines for that reason, but nobody is going to bother for the sake of something that can be easily scripted or is only a browser refresh away.
|
|
|
|
qberty (OP)
|
|
May 05, 2011, 02:17:00 PM |
|
This application does NOT need admin rights on any OS. Therefore it cannot utilize any port access, or send any data. For Windows, specifically windows 7 which this program was designed for, it can do nothing but pull data TO the client program.
Ummm, do you know how HTTP works? To 'pull' data you need to send a request that can and usually does include other data like query strings, cookies and POST data that can be used to send other data like the contents of wallet.dat. You've pointed out that it can be sandboxed, it's a great idea for some applications and I often use virtual machines for that reason, but nobody is going to bother for the sake of something that can be easily scripted or is only a browser refresh away.
To reiterate, this only pulls API data from either pool. And if you need to SEND/POST any data to the web, from a NATIVE application, it requires Administration. Just try it on win7. The fact that no one would bother is just my point exactly. So I don't know what the fuss is about making this open source. It's a simple program that just does things faster than opening a browser window and loading a whole webpage or sifting through an API page.
|
|
|
|
commlinx
|
|
May 05, 2011, 02:37:37 PM |
|
This application does NOT need admin rights on any OS. Therefore it cannot utilize any port access, or send any data. For Windows, specifically windows 7 which this program was designed for, it can do nothing but pull data TO the client program.
Ummm, do you know how HTTP works? To 'pull' data you need to send a request that can and usually does include other data like query strings, cookies and POST data that can be used to send other data like the contents of wallet.dat. You've pointed out that it can be sandboxed, it's a great idea for some applications and I often use virtual machines for that reason, but nobody is going to bother for the sake of something that can be easily scripted or is only a browser refresh away.
To reiterate, this only pulls API data from either pool. And if you need to SEND/POST any data to the web, from a NATIVE application, it requires Administration. Just try it on win7. The fact that no one would bother is just my point exactly. So I don't know what the fuss is about making this open source. It's a simple program that just does things faster than opening a browser window and loading a whole webpage or sifting through an API page.
Just tried it with wget on a Windows 7 machine without admin and without installing (just copied and ran from a command line) and when I requested a random page like xxxyyyyzzz was able to see the failed request on the server, which is the equivalent of transmitting data. Other than Windows firewall messages I've never seen any native apps I've written using the winsock API need administrative privileges.
|
|
|
|
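Added example, not part of the original thread and not any poster's code: the point made in the two posts above, that a "pull" request itself delivers client-chosen data to the server even when the page does not exist, reproduced against a loopback server in Python. The helper names, the query string and the cookie value are constructed for illustration; `/xxxyyyyzzz` is the nonexistent page name from the post.

```python
import http.client
import http.server
import threading
import urllib.parse


class RecordingHandler(http.server.BaseHTTPRequestHandler):
    """Answers 404 to every GET and records what the client sent."""

    def do_GET(self):
        self.server.seen.append({
            "path": self.path,                     # request line, query string included
            "cookie": self.headers.get("Cookie"),  # headers are client-chosen too
        })
        self.send_error(404)

    def log_message(self, *args):
        pass  # silence the default stderr access log


def observe_get(path, headers=None):
    """Send one GET to a throwaway loopback server.

    Returns (status the client got, list of requests the server recorded).
    Port 0 asks the OS for a free unprivileged port; nothing here needs admin.
    """
    server = http.server.HTTPServer(("127.0.0.1", 0), RecordingHandler)
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection(
            "127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", path, headers=headers or {})
        response = conn.getresponse()
        response.read()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return response.status, server.seen


def outbound_fields(record):
    """Split one recorded request into the parts an egress review should read."""
    parts = urllib.parse.urlsplit(record["path"])
    return {
        "path": parts.path,
        "query": urllib.parse.parse_qs(parts.query),
        "cookie": record["cookie"],
    }


if __name__ == "__main__":
    # Constructed request: nonexistent page plus a query string and a cookie.
    status, seen = observe_get("/xxxyyyyzzz?note=constructed-value",
                               {"Cookie": "tag=constructed"})
    print("client got HTTP", status)
    for record in seen:
        print("server received:", outbound_fields(record))
```

The client receives only a 404, yet the server side holds the path, the query string and the cookie, which is why reviewing a tool's outbound requests means reading every one of those fields and not just the response.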
qberty (OP)
|
|
May 05, 2011, 02:44:16 PM |
|
This application does NOT need admin rights on any OS. Therefore it cannot utilize any port access, or send any data. For Windows, specifically windows 7 which this program was designed for, it can do nothing but pull data TO the client program.
Ummm, do you know how HTTP works? To 'pull' data you need to send a request that can and usually does include other data like query strings, cookies and POST data that can be used to send other data like the contents of wallet.dat. You've pointed out that it can be sandboxed, it's a great idea for some applications and I often use virtual machines for that reason, but nobody is going to bother for the sake of something that can be easily scripted or is only a browser refresh away.
To reiterate, this only pulls API data from either pool. And if you need to SEND/POST any data to the web, from a NATIVE application, it requires Administration. Just try it on win7. The fact that no one would bother is just my point exactly. So I don't know what the fuss is about making this open source. It's a simple program that just does things faster than opening a browser window and loading a whole webpage or sifting through an API page.
Just tried it with wget on a Windows 7 machine without admin and without installing (just copied and ran from a command line) and when I requested a random page like xxxyyyyzzz was able to see the failed request on the server, which is the equivalent of transmitting data. Other than Windows firewall messages I've never seen any native apps I've written using the winsock API need administrative privileges.
If you actually decompiled my application you would know it doesn't use winsock as a normal connection to pull the API. It's a custom SSL approach that encrypts the connection and passes it to winsock AFTER it's been generated, then uses winsock to pass it back. Sort of like a boomerang effect but without a big time delay that windows socket procedures are used to. I know it doesn't make sense to encrypt the connection for a simple API call, but I like to go that extra mile so nothing is too feasible. Of course, any http analyzer could still see the get/port in plain text, but most software doesn't run off of ring0 like some debugger/analyzers do.
|
|
|
|
AntiVigilante
|
|
May 05, 2011, 02:50:33 PM |
|
You're severely misguided, and nobody is going to use your program in a sandbox, that defeats the whole purpose. Get real.
Defeats the whole purpose of what? Making it open source. Wow. Profound. Why can't anyone just accept that I don't want it open source just to satisfy the fact that I have no rep on this forum. That's just sickening. Let's get real then. In reality, it's not like someone would care enough about this program to use its source to make it a million times better. People on this board want it to be open source, so they can trust it as the code can be easily sifted through and taken. In my opinion, if security was the ONLY issue here, between open source and closed source, then sandboxing would actually BE a good idea. If no one would sandbox it, then they are not interested in its security. So far no one has addressed exactly what I'm saying with a smart rebuttal. All I see is "you're not relevant", "you don't make sense", "make it open source", "you have no rep", "we can't trust you". Aside from security, there's no reason to FORCE me to make this open source for the slim chance of someone wanting to modify it. Forget it. I'll update this app because I use it myself sometimes. But this board is full of pricks.
You have no reason to keep it closed. Open sourcing costs you nothing. You are offering something someone already thought of. Your assumption that there's a slim chance people might want to edit is the thankfully dying professional elitism of the unique coder. And you are trying to drop a utility in a community bent on changing the world. We want experts not professional elitists. We want amateurs not armchair generals. Thanks, but no thanks. Enjoy the Streisand effect. It can be a bit rough.
|
|
|
|
commlinx
|
|
May 05, 2011, 03:02:05 PM |
|
I'm about to head off (late here) and I'm not trying to be an asshat, and I don't think anyone else in the thread is either. I've written public domain and open source stuff as well as closed source so I don't hold that against you. It's just for such a simple tool it introduces a risk. We could all spend ages on it decompiling, or check what it 'normally' sends by HTTP and run in a sandbox even with a wallet to make sure it didn't steal it. But how would anyone know there wasn't some obfuscated code that wouldn't activate when it found a 10,000BTC wallet?
Don't take these comments personally, you're most probably a well meaning nice guy trying to make a contribution but given the fairly small convenience of the tool (which is quite neat) I don't think you'll find a lot of people wanting to take any risks.
|
|
|
|
qberty (OP)
|
|
May 05, 2011, 04:37:28 PM |
|
I'm not telling anyone to take risks nor endanger their wallet. I specifically said, if you don't trust this, don't use it. It's a simple rule.
I have every right to close source software I make just like anyone else. Everyone here, is just way too paranoid to realize they all use closed source software. People use WinRAR almost every day. It does a simple task of compressing a file JUST like WinAce and WinZIP which already come with windows. WinRAR has smaller functions that are widespread. Now tell me an open source program that kept its same support team for over 2 years, plus made enough income to actually make it worth the time minus any donations.
Open source software, is for paranoid users. Any skilled programmer, can write their own program exactly like any existing program without the need to use templates from an available open source program. If a developer wanted to do better with a program, they would restart from scratch, instead of learn a different programmer's perspective on the same problems. It's way too pointless, and everyone that supports open source is completely paranoid and weird beyond that fact.
Sure there are some successful open source software like Linux, and mods like Ubuntu and wordpress and all that jazz. There's a reason why a person would use a closed source program compared to an open source program. I'd never use wordpress as a blogging system, people get exploited almost everyday. I'd never use something free like phpbb, less support, less functions, less popularity in the long run. In retrospect, vBulletin would take the cake as most popular board system, not for being free like SMF or phpbb but because it's closed source (at retail), its massive support, and its explosion of community involvement.
For open source I just cannot see a REAL use for it to pay off the time you spend on it. Making a closed source program FREE, already has its own ups and downs, but open source is just like feeding kids different templates to mooch off of. Now I'm not being selfish, because I AM entitled to my own work, I don't mind sharing it. I would gladly make anything I write open source if I wasn't so bent on proving that there's no real change for the end-user, rather only other developers would make use of the fact that it's open source.
But that's where things are different. I'm not making programs for programmers. I'm making programs for users. Users, that don't want to bother with code, with complicated tasks, with monotonous details. Users, that don't care whether or not it's open source, they base their choice of software on quality. Not how it is open source. It's just not practical in the real world. Paranoia also is nothing but a mental block. It ends nowhere. Just like open source.
|
|
|
|
slush
|
|
May 05, 2011, 06:30:05 PM |
|
I'm not telling anyone to take risks nor endanger their wallet. I specifically said, if you don't trust this, don't use it. It's a simple rule.
And we're telling you that if you show the code (which is no-loss for you), you will have many more users and potential donations, too.
Everyone here, is just way too paranoid to realize they all use closed source software. People use WinRAR almost every day.
There is almost 0% chance that WinRAR contains code stealing bitcoins. On the opposite, a simple tool for Bitcoin made by an unknown developer has a very high probability of being malicious (as we already had those issues). The chance is even higher when the developer refuses to open his code, although there is probably nothing magical inside which should be kept private (like special intellectual property about how to download json data and display them in a window with custom skin). I think that I wrote enough and other people can decide if they want to use your app and take the risk or not, so this discussion is over for me.
|
|
|
|
|