Bitcoin Forum
December 08, 2016, 08:10:29 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 4 5 6 7 »  All
  Print  
Author Topic: GLBSE 2.0, Is safer now.  (Read 7671 times)
El Cabron
Gnomo
VIP
Legendary
*
Offline Offline

Activity: 840



View Profile
April 02, 2012, 11:09:18 AM
 #1

First of all I do not like to talk in public about this sort of stuff but I am doing so because I have a duty to my shareholders and people who hold my assets.  I apologize in advance. Nafario will be PMed a link to this thread.

GLBSE 1.0 was extremely solid. For the user to be at fault for a hack not only did someone need to have access to their physical computer but they also needed the password. I only kept the account on one computer and encrypted the HDD. If I got hacked it was not going to be my fault.
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!

https://bitcointalk.org/index.php?topic=60489.msg829923#msg829923

Nefario himself understand how risky this is and claims he will take no responsibility. I understand that point of view and I am going to make it very clear that I also take no responsibility!

Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Sunday morning I woke up and found that I could not get into my GLBSE account. I was almost physically ill because I knew the password I was using was correct. I had no idea what was wrong. I first checked the stock prices to see if there was a massive sell off on things I held. There was not. This made me feel better. However there is a massive amount of bitcoin in that account and I had no idea if it was still there or not. I messaged and e-mail Nefario. He did not get back to me for 24 hours and finally told me that he is having problems with my account.

I do not want to deal with level of stress again so I’m making it very clear now that I will not be held responsible for what I consider to be Nefario’s negligence. Right now I still do not have access to my account and assume no one else does either.

This whole thing just blows me away. I’m truly in shock.

Sorry El Cabron, you are banned from posting or sending personal messages on this forum.
Trolling
https://bitcointalk.org/index.php?topic=622250.msg7030081#msg7030081
1481227829
Hero Member
*
Offline Offline

Posts: 1481227829

View Profile Personal Message (Offline)

Ignore
1481227829
Reply with quote  #2

1481227829
Report to moderator
1481227829
Hero Member
*
Offline Offline

Posts: 1481227829

View Profile Personal Message (Offline)

Ignore
1481227829
Reply with quote  #2

1481227829
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481227829
Hero Member
*
Offline Offline

Posts: 1481227829

View Profile Personal Message (Offline)

Ignore
1481227829
Reply with quote  #2

1481227829
Report to moderator
1481227829
Hero Member
*
Offline Offline

Posts: 1481227829

View Profile Personal Message (Offline)

Ignore
1481227829
Reply with quote  #2

1481227829
Report to moderator
schnell
Sr. Member
****
Offline Offline

Activity: 266


View Profile
April 02, 2012, 11:31:58 AM
 #2

+1 to this. Have you got your account back yet?
I personally am not as bothered because all I have is about 40 shares of TyGrr-Bank but even then I am concerned and see no benefits of GLBSE 2.0.
Just like blockchain.info wallet, it is trusted with thousands of bitcoin, and wouldn't be nearly as popular if they didn't only store encrypted wallets on their server.

EDIT: Would it be too hard to just create your own front end for shares? It would mean you can stop people selling for inflated prices if you want, and eliminate the glbse tx fees. You could make it so you sell to and buy from you for set prices, nothing else.
Blitz­
Donator
Legendary
*
Offline Offline

Activity: 1596


"Cut Your Loose"


View Profile
April 02, 2012, 11:51:13 AM
 #3

GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection.

You can take your password and encrypt it exactly like you encrypted your private key if you want.

I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it.

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

"Bitcoin had been transformed from an anarachistic challenge to the financial status quo, to the crypto spawn of Satan, fuelled by cut-throat greed and delusions of avarice." - MatTheCat
"these people don't seem to want to stop till Bitcoin is completely destroyed and left like an old cum rag in the corner of the room." - ShroomsKit
Mushoz
Hero Member
*****
Offline Offline

Activity: 686


Bitbuy


View Profile WWW
April 02, 2012, 12:15:13 PM
 #4

One of the only reasons why I'm trading with ~10 BTC over there, rather than 100+
I'd really like this to get fixed/improved, as I'd love to learn more about trading shares and bonds (just trying things out atm).
How was the security done on GLBSE 1.0 that you needed psychical access to your computer?
And why wasn't this implemented in version 2.0?

www.bitbuy.nl - Koop eenvoudig, snel en goedkoop bitcoins bij Bitbuy!
Mushoz
Hero Member
*****
Offline Offline

Activity: 686


Bitbuy


View Profile WWW
April 02, 2012, 12:38:40 PM
 #5

GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection.

You can take your password and encrypt it exactly like you encrypted your private key if you want.

I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it.

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

I can keep my password safe but he forced me to use an account that was not safe. To get the password to that account all you need to know is *censored*. Had I known that this feature would have been implemented I would have never used that e-mail address. Hell I doubt I would have even signed up.

What do you think the title of this thread should be? I am open to changing it if you have a better idea.



Can you please edit your post and remove what people need to know? You're only making it easier for people to hijack your account. I agree current security is lackluster for this site if they want to become big, but you've made your point already. No need to make it easier for people Sad

www.bitbuy.nl - Koop eenvoudig, snel en goedkoop bitcoins bij Bitbuy!
Blitz­
Donator
Legendary
*
Offline Offline

Activity: 1596


"Cut Your Loose"


View Profile
April 02, 2012, 12:45:07 PM
 #6

OK, I agree that it is an issue in the sense that you should have been able to adjust prior, and people should be able to change their e-mail adress now with their GLBSE password.

But this is not an issue that has to do with whether GLBSE is safe but if your email account you registered with is safe …

One of the only reasons why I'm trading with ~10 BTC over there, rather than 100+
I'd really like this to get fixed/improved, as I'd love to learn more about trading shares and bonds (just trying things out atm).
How was the security done on GLBSE 1.0 that you needed psychical access to your computer?
And why wasn't this implemented in version 2.0?
How can you expect "this" to be fixed when you don’t even know what should be done about it? The first version of GLBSE used a long string representing your private key in addition to your password which you stored on your computer. You can do the exact same thing today and store both your email password and GLBSE password encrypted on your computer – no difference.

And the reason it got changed is that noone used GLBSE due to it, because it severely cut into usability. GLBSE 2.0 is way more popular now.

The only thing that can be done is add multifactor authentication, and it definitely should be done.

And yes, EDIT YOUR PREVIOUS POST NOW. I reported it.

"Bitcoin had been transformed from an anarachistic challenge to the financial status quo, to the crypto spawn of Satan, fuelled by cut-throat greed and delusions of avarice." - MatTheCat
"these people don't seem to want to stop till Bitcoin is completely destroyed and left like an old cum rag in the corner of the room." - ShroomsKit
roomservice
Full Member
***
Offline Offline

Activity: 190



View Profile
April 02, 2012, 12:46:02 PM
 #7

GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection.

You can take your password and encrypt it exactly like you encrypted your private key if you want.

I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it.

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

I can keep my password safe but he forced me to use an account that was not safe. To get the password to that account all you need to know is what city I was born in. Had I known that this feature would have been implemented I would have never used that e-mail address. Hell I doubt I would have even signed up.

What do you think the title of this thread should be? I am open to changing it if you have a better idea.

Just pm Nefario and ask him to change your email address? Why this drama?

"Tonight's the night. And it's going to happen again, and again. It has to happen. Nice night."
mila
Sr. Member
****
Offline Offline

Activity: 462



View Profile
April 02, 2012, 01:00:09 PM
 #8

title proposal:

bring back web keys. say no to user name / password authentication

your ad here:
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
April 02, 2012, 01:08:05 PM
 #9

title proposal:

bring back web keys. say no to user name / password authentication
Crypto keys are only as strong as the user's ability to secure his computer and his passphrase.

2 factor auth is a better idea. Yubikey, matrix card, etc. And no, "security questions" are NOT 2 factor auth.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
mila
Sr. Member
****
Offline Offline

Activity: 462



View Profile
April 02, 2012, 01:10:19 PM
 #10

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

once your email account is pwned you have a attack vector that bypasses glbse

your ad here:
Blitz­
Donator
Legendary
*
Offline Offline

Activity: 1596


"Cut Your Loose"


View Profile
April 02, 2012, 01:13:56 PM
 #11

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

once your email account is pwned you have a attack vector that bypasses glbse
Do you know how many people lost their private key and could not prove that their account was theirs on GLBSE?

I’ve told Nefario from the start that private keys are a bad idea because people cannot and will not secure them, and it actually decreases usability. He himself had a hardcore stance like you did, but he became convinced otherwise and so he built GLBSE 2.0.

Now compare the popularity of nick/pw GLBSE 2.0 with the private key original GLBSE.

"Bitcoin had been transformed from an anarachistic challenge to the financial status quo, to the crypto spawn of Satan, fuelled by cut-throat greed and delusions of avarice." - MatTheCat
"these people don't seem to want to stop till Bitcoin is completely destroyed and left like an old cum rag in the corner of the room." - ShroomsKit
guruvan
Hero Member
*****
Offline Offline

Activity: 518

ShastaFarEye Prospectors mazaclub & mazacha.in


View Profile WWW
April 02, 2012, 01:29:16 PM
 #12

2 step auth w/ google authenticator would be a good thing. Passwd + key option would be cool too. Being able to turn off email password reset would be very very nice.

using a secure email account for financial services to email you seems crucial.

I'm not sure what disturbs me the most about this thread. There are several issues to ponder. Undecided

Mine at the Maza Club! with ShastaFarEye Prospectors! Mazacoin PPS & P2pool mining, and more services coming soon!
Maza Means Money! Check yours at the mazacha.in!

Please contact me  on my  OTC registered GPG (A54E87F2) Key's email address or guruvan@shastafareye.net  and encrypt all correspondence.
mila
Sr. Member
****
Offline Offline

Activity: 462



View Profile
April 02, 2012, 01:32:07 PM
 #13

@Blitzboom I've no idea how many people lost their keys from 1.0 but I'm sure it's harder to brute force a key pair then pwning an email, if very frequently all it needs is to answer a question "did you get laid this year? y/n"

your ad here:
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
April 02, 2012, 01:34:32 PM
 #14

GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection.

You can take your password and encrypt it exactly like you encrypted your private key if you want.

I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it.

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

I can keep my password safe but he forced me to use an account that was not safe. To get the password to that account all you need to know is what city I was born in. Had I known that this feature would have been implemented I would have never used that e-mail address. Hell I doubt I would have even signed up.

What do you think the title of this thread should be? I am open to changing it if you have a better idea.

Just pm Nefario and ask him to change your email address? Why this drama?

The drama because I've locked his account and asked for ID verification.

His reply:

Sorry about this but I am not going to take the fall for this if it goes sideways.

https://bitcointalk.org/index.php?topic=75047.0

I had also told him about a policy I'd like to implement, reducing the number of assets a single account/person can create, although I think that can wait until another time, certainly until this gets sorted out.

I'll unlock it as soon as he provides this information.

Quote from: Chaang Noi (Goat)
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!

This is complete rubbish, Chaang is using Gmail, which itself uses two factor authentication, and is as secure as any internet connected system available. It's weakness are the users, their choice of password (password strength) and whether they re-use that password.

A strong, single use password is as good as it gets without adding two factor authentication (something I'm researching).

Keeping in mind that all other exchanges and most other websites do the same, username/password, account recovery through email GLBSE2.0 is not exceptionally more or less secure.

I'm a very reasonable person, and I find it unsettling how quickly this has been splashed across several threads on the forums. About 5 hours after I emailed him asking (asking, not demanding) for proof of identity, in a clear attempt to pressure me to unlock his account.

Nefario

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
BadBear
v2.0
Administrator
Legendary
*
Offline Offline

Activity: 1652



View Profile WWW
April 02, 2012, 01:35:03 PM
 #15

I'm still stuck on the whole email account with the name of x as his password (I'll be nice and not say it  Wink), that's just lazy.

1Kz25jm6pjNTaz8bFezEYUeBYfEtpjuKRG | PGP: B5797C4F

Tired of annoying signature ads? Ad block for signatures
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
April 02, 2012, 01:37:56 PM
 #16

Regarding lost keys from 1.0

I spent A LOT OF TIME, dealing with this issue, a lot of people lost their keys, as a result the security of the system as a whole was reduced as without the keys people were unable to recover their accounts.

Cryptographically the system was really well secured, sadly people didn't look after their keys so it didn't work.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
copumpkin
Donator
Sr. Member
*
Offline Offline

Activity: 266


I'm actually a pineapple


View Profile
April 02, 2012, 02:16:32 PM
 #17

"Security questions" are often the weak point of many authentication systems. If indeed all it takes (I don't use GLBSE) is to know your birth city, that is clearly insufficient security. Ask about first pet names if you must have security questions at all, but leave biographical data that can be scraped from facebook out of it.
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
April 02, 2012, 02:18:05 PM
 #18

"Security questions" are often the weak point of many authentication systems. If indeed all it takes (I don't use GLBSE) is to know your birth city, that is clearly insufficient security. Ask about first pet names if you must have security questions at all, but leave biographical data that can be scraped from facebook out of it.

I'm certainly not going to be doing that.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
memvola
Hero Member
*****
Offline Offline

Activity: 896


View Profile
April 02, 2012, 02:25:39 PM
 #19

How difficult is it to support (optional) GPG encrypted e-mails? This is one feature I wish all services adopted.
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
April 02, 2012, 03:02:00 PM
 #20

How difficult is it to support (optional) GPG encrypted e-mails? This is one feature I wish all services adopted.


If I remember correctly, when I was starting with GLBSE1.0 the initial crypto development it was quite a pain and something I had trouble with, it's certainly doable

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Pages: [1] 2 3 4 5 6 7 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!