GLBSE 2.0, Is safer now.

[Nefario]

I could also add GPGAuth as an authentication method
http://gpgauth.org

However there is currently only a plugin for Google Chrome and no ruby server side implementation(which means I'd have to create it.

So it's an option, and one I'd happily support in the current system, just not an immediate one.

[1714494634]

1714494634

[1714494634]

1714494634

[1714494634]

1714494634

[likuidxd]

Goat, are you preemptively passing all blame of Nefario if something goes wrong with any of your GLBSE listings here because you don't want to authenticate your account? You can personally take measures to keep your e-mail account safe if you're worried. One, for instance, is as simple a rotating passwords regularly. It is the responsibility of both of you to secure your accounts, taking no responsibility is fairly childish IMO.
My apologies, but this sounds sketchy

[Nefario]

I'm going to add Yubikey support soon, next few hours.

likuidxd makes some very good points, security is everyones responsibility.

I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.

If you want to be able to recover your accounts via email then you need to secure those as well, there is not other way around it.

[labestiol]

What i find most alarming in this thread is that goat doesn't want to authenticate his account...

Apart from that, having a secure email address, and single use password is a basic when money is involved...
Regarding 2 step authentication, how difficult is it to implement google authenticator ? (like bitcoinica did)

[OgNasty]

Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Holy scam warning Batman!

Goat, why didn't you create an alias email account with an outrageously complicated password when you signed up for GLBSE 2.0?  You're honestly saying you use the same email/password for multiple sites and have been doing it for years?  I find it hard to believe that anyone in Bitcoin could be so naive.  You hold thousands maybe tens of thousands of dollars in other people's money and you reuse a commonly used email address?  I apologize, but I don't believe you are that stupid.  You were around for the MtGox email address hack, you know better.  This seems like either A) you setting up to scam everyone and not claim responsibility or B) you trying to create a panic in all your holdings so that you can buy them back for cheap and keep the profits.  For someone with 4 listings on the GLBSE, I find this incredibly irresponsible.

THIS WARNING seems to be a lot more relevant now.

[Nefario]

Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Holy scam warning Batman!

Goat, why didn't you create an alias email account with an outrageously complicated password when you signed up for GLBSE 2.0?  You're honestly saying you use the same email/password for multiple sites and have been doing it for years?  I find it hard to believe that anyone in Bitcoin could be so naive.  You hold thousands maybe tens of thousands of dollars in other people's money and you reuse a commonly used email address?  I apologize, but I don't believe you are that stupid.  You were around for the MtGox email address hack, you know better.  This seems like either A) you setting up to scam everyone and not claim responsibility or B) you trying to create a panic in all your holdings so that you can buy them back for cheap and keep the profits.  For someone with 4 listings on the GLBSE, I find this incredibly irresponsible.

THIS WARNING seems to be a lot more relevant now.

I would hold off on the speculation for a while. We must allow Goat a reasonable amount of time to comply with the requests.

Nefario.

[Nefario]

I'm going to add Yubikey support soon, next few hours.

likuidxd makes some very good points, security is everyones responsibility.

I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.

If you want to be able to recover your accounts via email then you need to secure those as well, there is not other way around it.

Actually I changed my mind, turns out you (I) actually need to buy a Yubikey to even get started, I don't want to bother waiting.

I'll find another option. Will use Google Authenticator, actually that seems to be the perfect option.

[stochastic]

I'm going to add Yubikey support soon, next few hours.

likuidxd makes some very good points, security is everyones responsibility.

I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.

If you want to be able to recover your accounts via email then you need to secure those as well, there is not other way around it.

Actually I changed my mind, turns out you (I) actually need to buy a Yubikey to even get started, I don't want to bother waiting.

I'll find another option. Will use Google Authenticator, actually that seems to be the perfect option.

So is the login on GLBSE turned off for now because I can't log into my account either?

Edit:  Stupid me, I need to allow the permission to run that thing.

Thanks for the quick reply.

[Nefario]

No I added a captcha to the login page to make brute force logins difficult.

[stochastic]

First of all I do not like to talk in public about this sort of stuff but I am doing so because I have a duty to my shareholders and people who hold my assets.  I apologize in advance. Nafario will be PMed a link to this thread.

GLBSE 1.0 was extremely solid. For the user to be at fault for a hack not only did someone need to have access to their physical computer but they also needed the password. I only kept the account on one computer and encrypted the HDD. If I got hacked it was not going to be my fault.
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!

https://bitcointalk.org/index.php?topic=60489.msg829923#msg829923

Nefario himself understand how risky this is and claims he will take no responsibility. I understand that point of view and I am going to make it very clear that I also take no responsibility!

Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Sunday morning I woke up and found that I could not get into my GLBSE account. I was almost physically ill because I knew the password I was using was correct. I had no idea what was wrong. I first checked the stock prices to see if there was a massive sell off on things I held. There was not. This made me feel better. However there is a massive amount of bitcoin in that account and I had no idea if it was still there or not. I messaged and e-mail Nefario. He did not get back to me for 24 hours and finally told me that he is having problems with my account.

I do not want to deal with level of stress again so I’m making it very clear now that I will not be held responsible for what I consider to be Nefario’s negligence. Right now I still do not have access to my account and assume no one else does either.

This whole thing just blows me away. I’m truly in shock.

Does this mean you are unable to pay your dividends for your contract/bonds?

[Nefario]

It means he is unable to use his GLBSE account, it's locked.

This will all be sorted once Goat complies with my reasonable request.

[stochastic]

It means he is unable to use his GLBSE account, it's locked.

This will all be sorted once Goat complies with my reasonable request.

Hopefully he does as you are doing the right thing by requiring verification.  It is impossible to know if the person requesting login information is really the person that owns the account without some type of verification.  Sometimes I wonder if the people on these forums are really the same people posting the day before.

I hope people realize the importance of having strong passwords.  Ten to twenty years ago people could remember multiple phone numbers and I don't see any reason why someone can't remember multiple strong passwords.

[memvola]

I could also add GPGAuth as an authentication method
http://gpgauth.org

However there is currently only a plugin for Google Chrome and no ruby server side implementation(which means I'd have to create it.

So it's an option, and one I'd happily support in the current system, just not an immediate one.

I guess this would mimic the behavior of GLBSE 1.0. I liked it but it might be overkill. Also, I feel that GPG-encrypted e-mails would serve more than one purpose by addressing the danger of e-mail interception, which is IMO a valid concern. However it seems the idea doesn't excite many people.

[Nefario]

I could also add GPGAuth as an authentication method
http://gpgauth.org

However there is currently only a plugin for Google Chrome and no ruby server side implementation(which means I'd have to create it.

So it's an option, and one I'd happily support in the current system, just not an immediate one.

I guess this would mimic the behavior of GLBSE 1.0. I liked it but it might be overkill. Also, I feel that GPG-encrypted e-mails would serve more than one purpose by addressing the danger of e-mail interception, which is IMO a valid concern. However it seems the idea doesn't excite many people.

Well I think that GPG signed emails by default (and encrypted where public keys have been provided) would make it harder to do fishing attacks.

I'm going to have two-factor authentication up and running for email, password changes and withdrawals/transfers (all user optional) before I go to bed.

[guruvan]

I'm going to have two-factor authentication up and running for email, password changes and withdrawals/transfers (all user optional) before I go to bed.

 That's awesome. Thanks!

[Nefario]

How often does Goat normally post? And what timezone is he in? I've already send him an email but not heard anything from him since he post this thread.

[likuidxd]

He's in Thailand

[Nefario]

He's in Thailand

Sleeping time then, we should expect something of a reply after about 6 hours or so.

[guruvan]

Hmm. I had missed a few posts. I don't like this one bit.

(Nefario, keep up the good work, please)

[molecular]

The drama because I've locked his account and asked for ID verification.

May I ask why you locked his account?