Veldy
June 19, 2011, 08:07:41 PM
It was set up to do "round robin" load balancing [presumably passing out an address to the least loaded server ... not sure if it had any intelligence to know which servers could handle more load than others]. I remember the message about it pointing to central. I haven't seen it on the site recently though, so I assumed it was back to doing what it should be. Either way, Central has always been the best for me anyway.
He turned it off because it couldn't handle the connections.
Right, but WHY couldn't it? Was it because each pool server could handle different loads than others and the DNS round robin was very simple so that the weaker servers were getting overloaded? Or was it because the DNS balancer itself couldn't handle it [that seems unlikely]. That is why I made a post within the last hour about load balancing. Deepbit manages it pretty well [but doesn't suffer the limitations of push pool forcing restarts when server changes occur].
If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x

gentakin
June 19, 2011, 08:26:26 PM
eleuthria already posted the explanation: Mining clients don't cache server IPs, so they're doing fresh DNS lookups for every getwork request, so it's possible that the server changes during a mining session. If the miner requests work from the UK server and then later submits the result to the NL server, things go wrong.
1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb

eleuthria (OP)
June 19, 2011, 08:56:41 PM
If you used the same (or similar) username and the same password on BTC Guild as you do on MtGox, change it immediately. The leak at MtGox already has many people proving the hashed passwords in the database can be brute forced into their original plaintext.
RIP BTC Guild, April 2011 - June 2015

zimpixa
June 19, 2011, 09:19:10 PM Last edit: June 19, 2011, 09:33:49 PM by zimpixa
Last submitted share statistics aren't correctly shown, at least for uscentral server (can't check for others).
EDIT: Looks normal again.

eleuthria (OP)
June 19, 2011, 09:32:41 PM
Fixed US Central's last share time. It wasn't running ntpd to keep times synced up regularly.
RIP BTC Guild, April 2011 - June 2015

Veldy
June 19, 2011, 11:01:49 PM
eleuthria already posted the explanation: Mining clients don't cache server IPs, so they're doing fresh DNS lookups for every getwork request, so it's possible that the server changes during a mining session. If the miner requests work from the UK server and then later submits the result to the NL server, things go wrong.
Oh, my bad. I didn't see the answer to that [and yes, that is obvious in hindsight and not to mention that the source of the DNS query is likely another DNS and not the mining software]. Sorry for the extra posts. My idea about syncing by account is obviously stupid as well since it needs the IP address BEFORE it can send worker authentication. Smack me upside the head with a stupid stick.
If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x

Veldy
June 19, 2011, 11:10:13 PM Last edit: June 19, 2011, 11:26:11 PM by Veldy
MD5 I suppose? That hasn't been considered secure for a long time now. SHA1 is what I think has become the de facto standard. EDIT: It seems that they blasted my account entirely! I am sure they must have it "stored" somewhere. Anyway, message sent. Fortunately, I had a balance of less than $10USD and no bitcoins at all. I think it may just stay that way forever [if I get the account restored properly, the balance will drop to $0.00].
If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x

CubedRoot
June 20, 2011, 12:03:41 AM
MD5 I suppose? That hasn't been considered secure for a long time now. SHA1 is what I think has become the de facto standard. EDIT: It seems that they blasted my account entirely! I am sure they must have it "stored" somewhere. Anyway, message sent. Fortunately, I had a balance of less than $10USD and no bitcoins at all. I think it may just stay that way forever [if I get the account restored properly, the balance will drop to $0.00].
How were you even able to login to check your account? They have had logins unavailable at Mt.Gox for several hours now in an effort to restore accounts in what they are calling a "roll back". I have been trying all day to login to my Mt.Gox account to check my balances.

kjj
June 20, 2011, 12:15:00 AM
MD5 I suppose? That hasn't been considered secure for a long time now. SHA1 is what I think has become the de facto standard.
It is all in the way it gets used. MD5 is perfectly fine for passwords, when used properly. eleuthria, please make sure you aren't doing anything strange when storing passwords. Your best bet is to use the crypt() function built into PHP, and make sure you are generating a proper (random) salt string to force MD5, Blowfish or SHA.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.

IlbiStarz
June 20, 2011, 12:55:48 AM
MD5 I suppose? That hasn't been considered secure for a long time now. SHA1 is what I think has become the de facto standard. EDIT: It seems that they blasted my account entirely! I am sure they must have it "stored" somewhere. Anyway, message sent. Fortunately, I had a balance of less than $10USD and no bitcoins at all. I think it may just stay that way forever [if I get the account restored properly, the balance will drop to $0.00].
How were you even able to login to check your account? They have had logins unavailable at Mt.Gox for several hours now in an effort to restore accounts in what they are calling a "roll back". I have been trying all day to login to my Mt.Gox account to check my balances.
You can't, all accounts have been disabled, and the site is down anyway. There is a .csv file out online, with everyone's username, email, and hashed password (which I think is already broken) from Mt. Gox. Go read some threads on the bitcoin discussion subforum.

eleuthria (OP)
June 20, 2011, 02:15:01 AM
Stats are now fixed for some people that had problems. I re-sync'd the worker database after UK was taken down and NL2 was put up. Some workers were set to hidden and later un-hidden on the main server. This change did not filter into the slave servers so the stats were not being sent to My Account/API.
Regarding our password security: All user submitted data to BTC Guild is run through prepared queries to prevent SQL Injection attacks. Nobody will be feeding bad data into a form, API query, or general page with GET/POST data that will be able to pull down our database information or modify it.
User passwords are stored using a hash of the original password, and salted with various miscellaneous user data information, system variables at the time of launch, AND a salt string stored on the server that is inaccessible via an HTTP request or SQL. The only way to obtain ALL of the salt information used on a password would be ALL of the following:
1) Getting the full user database pulled down AND
2) Getting the full code used to prepare a salt for the password AND
3) Accessing the shell to obtain the local system file which contains additional salt data
The shell is IP Blocking SSH and SQL connections from any IP address that is not mine, adding yet another hurdle an attacker would have to somehow bypass to obtain before they could begin attempting to reverse engineer passwords from the stored hashes.
RIP BTC Guild, April 2011 - June 2015

Veldy
June 20, 2011, 02:48:57 AM
MD5 I suppose? That hasn't been considered secure for a long time now. SHA1 is what I think has become the de facto standard. EDIT: It seems that they blasted my account entirely! I am sure they must have it "stored" somewhere. Anyway, message sent. Fortunately, I had a balance of less than $10USD and no bitcoins at all. I think it may just stay that way forever [if I get the account restored properly, the balance will drop to $0.00].
How were you even able to login to check your account? They have had logins unavailable at Mt.Gox for several hours now in an effort to restore accounts in what they are calling a "roll back". I have been trying all day to login to my Mt.Gox account to check my balances.
I wasn't. Isn't that what I said? I made a trade there (against my better judgement, but volume was so low on trade hill when I wanted to do this that I decided to use Mtgox). I just remember the change left in my account (which I believe was a little over $7). I didn't withdraw it since I didn't see the point of paying a fee of any kind when I was likely to cash in coins at some point and I would just withdraw it then. So if it isn't obvious, I made a coin purchase or there would have been no "change". I sold much of my mining proceeds when prices were in the $35+ range and with the recent correction I essentially "rebalanced" my bitcoin position (which was all based on mined coins anyway). The trade and coin withdrawal was late on 6/17 CDT. Care for any more details of my personal business? My point is, if you are going to infer something, in this case that I logged in and checked my balance, then you better pay more care and attention. Inferences are much more dangerous than implications, especially since you clearly did not entirely comprehend my post when I said my account is gone, because that is EXACTLY what I mean.
If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x

Veldy
June 20, 2011, 02:58:20 AM
Stats are now fixed for some people that had problems. I re-sync'd the worker database after UK was taken down and NL2 was put up. Some workers were set to hidden and later un-hidden on the main server. This change did not filter into the slave servers so the stats were not being sent to My Account/API.
Regarding our password security: All user submitted data to BTC Guild is run through prepared queries to prevent SQL Injection attacks. Nobody will be feeding bad data into a form, API query, or general page with GET/POST data that will be able to pull down our database information or modify it.
User passwords are stored using a hash of the original password, and salted with various miscellaneous user data information, system variables at the time of launch, AND a salt string stored on the server that is inaccessible via an HTTP request or SQL. The only way to obtain ALL of the salt information used on a password would be ALL of the following:
1) Getting the full user database pulled down AND
2) Getting the full code used to prepare a salt for the password AND
3) Accessing the shell to obtain the local system file which contains additional salt data
The shell is IP Blocking SSH and SQL connections from any IP address that is not mine, adding yet another hurdle an attacker would have to somehow bypass to obtain before they could begin attempting to reverse engineer passwords from the stored hashes.
With all the layers it is almost irrelevant, but is the hash MD5 or something considered secure? MD5 has been deemed inferior for quite a while now. It sounds like you use some unique way to make the salt and key very difficult to determine, and that implies encryption and not a one way hash like MD5 or SHA1. So, I am afraid that I did not quite follow what was hashed and stored in the database. Clearly running a lot of crypto and getting a hash of the result for every login would be expensive, so that is why I ask.
If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x

kjj
June 20, 2011, 03:15:14 AM
With all the layers it is almost irrelevant, but is the hash MD5 or something considered secure? MD5 has been deemed inferior for quite a while now. It sounds like you use some unique way to make the salt and key very difficult to determine, and that implies encryption and not a one way hash like MD5 or SHA1. So, I am afraid that I did not quite follow what was hashed and stored in the database. Clearly running a lot of crypto and getting a hash of the result for every login would be expensive, so that is why I ask.
The weaknesses in MD5 are largely overhyped. It is still just fine when used in a salted + iterated password hash system. Even shitty old DES would be fine in this system, if not for the tiny keyspace.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
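
The salted, iterated password storage with a server-side secret that eleuthria's and kjj's posts above discuss, as an added example that is not part of the thread or BTC Guild's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of PHP's crypt(); the pepper value, iteration count, record format and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed demo secret (assumption). In production it lives in a file that
# neither HTTP requests nor SQL can reach, as eleuthria's post describes.
PEPPER = b"constructed-server-side-secret"
ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def unsalted_md5(password):
    """Weak baseline: one fast, unsalted hash (equal passwords, equal rows)."""
    return hashlib.md5(password.encode()).hexdigest()


def _derive(password, salt, rounds):
    # Key the password with the server-side secret, then stretch it with the
    # per-user salt so every guess costs `rounds` HMAC computations.
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, rounds)


def hash_password(password, salt=None):
    """Return 'rounds$salt_hex$digest_hex' for the user table."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    return f"{ITERATIONS}${salt.hex()}${_derive(password, salt, ITERATIONS).hex()}"


def verify_password(password, stored):
    """Recompute from the stored parameters and compare in constant time."""
    try:
        rounds_s, salt_hex, digest_hex = stored.split("$")
        rounds = int(rounds_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record never verifies
    if not 1 <= rounds <= 10_000_000:
        return False  # reject nonsensical or abusive work factors
    return hmac.compare_digest(_derive(password, salt, rounds), expected)


def same_password_collides(password):
    """(unsalted rows identical?, salted rows identical?) for two users."""
    weak = unsalted_md5(password) == unsalted_md5(password)
    strong = hash_password(password) == hash_password(password)
    return weak, strong
```

Storing the round count in each record lets the work factor be raised later without invalidating existing rows.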

||bit
June 20, 2011, 03:25:26 AM
Still new with bitcoin.
How long does it take for bitcoins to be received? I asked to be paid out about a day ago... And the wallet account on my PC still reads 0.00... that is, the amount was not received from BTCGuild - though the account says it DID pay it out. I clicked to be paid from BTCGuild for "0.75" bitcoins. Also, I did not like the fact that BTCGuild left in the smaller fractions of what was mined..only it would send .75...not the entire .75XXXXXX .. Seems the only way it can all be sent out is if it was an exactly zero after the third decimal place.
I was just trying to observe the process occur for now...but this isn't promising...Can bitcoins really be lost that easily?
A summary of what happened:
1. spent a couple days mining... on and off.. amount went up to 0.75xxxxxxx bitcoins... I clicked payout and it(BTCGuild) only sent .75....so, it reads.
2. when I had it sent, I deliberately left bitcoin.exe program on my PC off to see if the bitcoin would be received sometime after it was sent to my wallet account.
So, either I have to leave my wallet the moment funds are sent or something....not sure if that is true....but if I did not receive the .75 coins by now and should have, then bitcoins can apparently be easily lost...so, this would be a major flaw...but I'm probably missing something....or am I?
Yes, I did verify my bitcoin address on BTCGuild was the same as the one on the bitcoin.exe on my computer.

kjj
June 20, 2011, 03:33:10 AM
Does your node (the client software on your computer) have the entire block chain downloaded and processed? It won't show your balance correctly if it isn't done.
You can also go to bitcoin block explorer (google it) and search for your payment address.
And yeah, the payments are only down to the hundredth of a bitcoin, which is a bit silly. I don't know why he hasn't changed that yet.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.

||bit
June 20, 2011, 03:37:56 AM
Does your node (the client software on your computer) have the entire block chain downloaded and processed? It won't show your balance correctly if it isn't done.
You can also go to bitcoin block explorer (google it) and search for your payment address.
And yeah, the payments are only down to the hundredth of a bitcoin, which is a bit silly. I don't know why he hasn't changed that yet.
I guess it hasn't. When I started it up earlier, it didn't show the block chain increasing...so, I figured it might have updated. To try to "stimulate" something, I clicked "generate coins" in the menu, and it started to increase the block chain count... I turned it off, and the count was still increasing..so, I guess it didn't have it all yet. Where can I find the latest block chain count? or how to explore it? Thanks.

kjj
June 20, 2011, 03:45:25 AM
There are a bunch of sites that show the current block count. Right now it is 131,977. Play with the block explorer a bit. Search for your address and you'll be able to tell if there was a payment sent to it or not.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.

eleuthria (OP)
June 20, 2011, 03:51:07 AM
You can also refer to http://www.bitcoincharts.com/bitcoin/ to see a list of transactions not yet included in a block. Your payments will show up, but they can be slow to get their first confirmation since we do not pay transaction fees (we would've paid more than the pool generated by now).
RIP BTC Guild, April 2011 - June 2015