Bitcoin Forum
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: GLBSE switching DNS servers, may cause issues  (Read 2152 times)
Nefario (OP)
May 15, 2012, 02:45:20 AM
 #1

As part of using Cloudflare's service (to protect and speed up GLBSE for users) we're required to change the DNS servers for the domain.

This means that over the next 24 hours there may be connection issues as a result (name not resolving). This is also responsible for the SSL errors or warnings users may be experiencing.

We're sorry for any inconvenience caused but believe this is a move for the better; the end result will be a much faster service for users.


PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
drakahn
May 15, 2012, 02:55:49 AM
 #2

Would this have caused my account to not work at all?

14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
BinaryMage
May 15, 2012, 03:25:54 AM
 #3

Would this have caused my account to not work at all?

I doubt it. What do you mean by "not work at all"?

-- BinaryMage -- | OTC | PGP
drakahn
May 15, 2012, 03:38:14 AM
 #4

Would this have caused my account to not work at all?

I doubt it. What do you mean by "not work at all"?

I could not log in, Nefario has fixed it for me but I have no idea what was wrong.

14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
BinaryMage
May 15, 2012, 03:38:52 AM
 #5

Would this have caused my account to not work at all?

I doubt it. What do you mean by "not work at all"?

I could not log in, Nefario has fixed it for me but I have no idea what was wrong.

Perhaps some database records got garbled. Anyway, glad it's fixed.

-- BinaryMage -- | OTC | PGP
Deafboy
May 15, 2012, 03:52:09 AM
 #6

Isn't involving 3rd party in communication with glbse a potential security threat?
Cloudflare is providing good and valuable service, but look at the recent incident with Linode (slush's pool and Bitcoinica targeted) and Rackspace (Bitcoinica).
Trust is weakness. We already need to trust GLBSE, issuers of shares, and now also Cloudflare.
Is faster loading of images on website really worth it?
BinaryMage
May 15, 2012, 03:54:03 AM
 #7

Isn't involving 3rd party in communication with glbse a potential security threat?
Cloudflare is providing good and valuable service, but look at the recent incident with Linode (slush's pool and Bitcoinica targeted) and Rackspace (Bitcoinica).
Trust is weakness. We already need to trust GLBSE, issuers of shares, and now also Cloudflare.
Is faster loading of images on website really worth it?

CloudFlare doesn't host wallets, Linode and Rackspace did. Major difference there.

All CloudFlare does, IIRC, is provide a passthrough server to protect against DDOS and the like and provide analytics services.

-- BinaryMage -- | OTC | PGP
Deafboy
May 15, 2012, 04:20:32 AM
 #8

I am aware of what Cloudflare do and how. But there is still a small possibility of someone exploiting Cloudflare's service and providing a cached copy of an edited HTML document instead of the original. And there is no need to steal wallet.dat to get money out there.
BinaryMage
May 15, 2012, 04:27:56 AM
 #9

I am aware of what Cloudflare do and how. But there is still a small possibility of someone exploiting Cloudflare's service and providing a cached copy of an edited HTML document instead of the original. And there is no need to steal wallet.dat to get money out there.

It's probably astronomically less than the possibility of the GLBSE server being hacked, but you are correct, a chance does exist. I suspect that the DDOS protection and speedup will be worth it to the majority of users, however.

-- BinaryMage -- | OTC | PGP
sunnankar
May 15, 2012, 12:45:22 PM
 #10

It's probably astronomically less than the possibility of the GLBSE server being hacked, but you are correct, a chance does exist. I suspect that the DDOS protection and speedup will be worth it to the majority of users, however.

Nefario needs to build in some additional security tools, things besides only the cumbersome and annoying two factor authentication, and once a good option is decided on it should probably take top priority. Things like:

1. The ability to require a different password(s) than the login to make change email, trades or withdraw bitcoins, etc.

2. With changes discussed in #1 add the ability to require a transaction PIN code which is sent via email.

3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often I do not want another little piece of physical crap to deal with and possibly lose.

4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network during which it could be canceled.

Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

Sukrim
May 15, 2012, 01:10:07 PM
 #11

1. The ability to require a different password(s) than the login to make change email, trades or withdraw bitcoins, etc.

2. With changes discussed in #1 add the ability to require a transaction PIN code which is sent via email.

3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often I do not want another little piece of physical crap to deal with and possibly lose.

4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network during which it could be canceled.

Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

1. As long as one can read the API key, one could empty an account much faster anyways. Also if an email account is compromised too (as it is often the case), these passwords would just get reset/changed.

2. Email is not secure at all.

3. It requires a mobile phone afaik...

4. Great, and who decides that an account can/should be frozen? Account owner can be the "hacker", GLBSE would disrupt trading, GLBSE on request of account owner would mean the request could be forged. The delaying payouts thing can also be used to grief account holders... and if it can be changed later, it will be - or it will create lots of support requests if it can't.

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
REF
May 15, 2012, 01:40:27 PM
 #12

1. The ability to require a different password(s) than the login to make change email, trades or withdraw bitcoins, etc.

2. With changes discussed in #1 add the ability to require a transaction PIN code which is sent via email.

3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often I do not want another little piece of physical crap to deal with and possibly lose.

4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network during which it could be canceled.

Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

1. As long as one can read the API key, one could empty an account much faster anyways. Also if an email account is compromised too (as it is often the case), these passwords would just get reset/changed.

2. Email is not secure at all.

3. It requires a mobile phone afaik...

4. Great, and who decides that an account can/should be frozen? Account owner can be the "hacker", GLBSE would disrupt trading, GLBSE on request of account owner would mean the request could be forged. The delaying payouts thing can also be used to grief account holders... and if it can be changed later, it will be - or it will create lots of support requests if it can't.

3. Google Auth can be done with a phone app, YubiKey is a USB.

4. I wouldn't have a problem with a mandatory 1 hour (personally I wouldn't even mind 24 hrs) wait time on all withdrawals before they get processed. It's maybe a little annoying to some people but it may turn out to be just enough time to prevent massive theft. I think it would be better to be a site-wide feature rather than account-based.
BinaryMage
May 15, 2012, 03:21:56 PM
 #13

3. Google Auth can be done with a phone app, YubiKey is a USB.

4. I wouldn't have a problem with a mandatory 1 hour (personally I wouldn't even mind 24 hrs) wait time on all withdrawals before they get processed. It's maybe a little annoying to some people but it may turn out to be just enough time to prevent massive theft. I think it would be better to be a site-wide feature rather than account-based.

3. How is a Yubikey more secure than Google Auth? Both require physical possession of the device you own and both are extremely unlikely to get hacked. The latter is just cheaper and more convenient.

4. 1 hour I could tolerate, but I doubt it would be enough to prevent thievery; Nefario can't individually process each withdrawal, and a lot of BTC is transferred in and out of GLBSE daily. 24 hours would do more, but it would be an extreme inconvenience to people who need to move funds around quickly.

-- BinaryMage -- | OTC | PGP
Nefario (OP)
May 15, 2012, 04:13:52 PM
 #14

Would this have caused my account to not work at all?

I doubt it. What do you mean by "not work at all"?

I could not log in, Nefario has fixed it for me but I have no idea what was wrong.

Perhaps some database records got garbled. Anyway, glad it's fixed.

No, he wasn't solving the captcha after the failed login.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
gabbynot
May 15, 2012, 04:17:49 PM
 #15

I would assume that most of GLBSE's BTC is kept in cold storage.

Nefario (OP)
May 15, 2012, 04:25:37 PM
 #16

It's probably astronomically less than the possibility of the GLBSE server being hacked, but you are correct, a chance does exist. I suspect that the DDOS protection and speedup will be worth it to the majority of users, however.

Nefario needs to build in some additional security tools, things besides only the cumbersome and annoying two factor authentication, and once a good option is decided on it should probably take top priority. Things like:

1. The ability to require a different password(s) than the login to make change email, trades or withdraw bitcoins, etc.

2. With changes discussed in #1 add the ability to require a transaction PIN code which is sent via email.

3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often I do not want another little piece of physical crap to deal with and possibly lose.

4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network during which it could be canceled.

Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

Regarding making accounts more secure.
Once a user's email has been compromised, and two-factor authentication is not enabled, there is no way for us to tell the difference between the hacker and the real account owner.

I am going to be adding more security features that will hopefully prevent accounts getting cleared out, but the above mentioned won't do much except piss off users.

We only keep a small fraction of BTC on our server, nearly all of it is in cold storage, I think GLBSE isn't really a worthwhile target for attackers. There isn't much to steal.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
REF
May 15, 2012, 05:23:46 PM
 #17

3. Google Auth can be done with a phone app, YubiKey is a USB.

4. I wouldn't have a problem with a mandatory 1 hour (personally I wouldn't even mind 24 hrs) wait time on all withdrawals before they get processed. It's maybe a little annoying to some people but it may turn out to be just enough time to prevent massive theft. I think it would be better to be a site-wide feature rather than account-based.

3. How is a Yubikey more secure than Google Auth? Both require physical possession of the device you own and both are extremely unlikely to get hacked. The latter is just cheaper and more convenient.

4. 1 hour I could tolerate, but I doubt it would be enough to prevent thievery; Nefario can't individually process each withdrawal, and a lot of BTC is transferred in and out of GLBSE daily. 24 hours would do more, but it would be an extreme inconvenience to people who need to move funds around quickly.

I didn't say either was more secure. I'm not sure what you read; all I did was point out one was on a phone, the other a USB. It appeared Sukrim said YubiKey was on a phone and it's not, so I was clearing that up. Although there is a YubiKey app, I'm not sure how it works; I think you still need the YubiKey USB and you can then add it to a phone.

If Nefario was awake it might be enough time to shut everything down and cancel pending transactions. Think about Bitcoinica: zhoutong was awake and was able to react quickly to prevent further damage. I didn't say he should individually process each transaction. Make them wait in limbo for an hour before they are processed automatically. I know it wouldn't help if the private keys got stolen but it is still another hurdle at least in the way of hacked accounts.
sunnankar
May 15, 2012, 06:37:24 PM
 #18

Regarding making accounts more secure.
Once a user's email has been compromised, and two-factor authentication is not enabled, there is no way for us to tell the difference between the hacker and the real account owner.

I am going to be adding more security features that will hopefully prevent accounts getting cleared out, but the above mentioned won't do much except piss off users.

We only keep a small fraction of BTC on our server, nearly all of it is in cold storage, I think GLBSE isn't really a worthwhile target for attackers. There isn't much to steal.

Perhaps adding a security question to distinguish between hacker/owner would be a viable option.

Another option would be to have a withdrawal address unable to be added for X hours/days and that period, once set, could only be increased to a max of like 30 days or something. Same with an email address and allow users to add additional contact info, if they want.

I also think increased security burdens should be voluntary since it may not be worth the hassle if you have 3BTC in the account but if you have 3000BTC.

I agree there is a balance between security and usability. But currently I feel GLBSE is too insecure. Just making it less likely a thief could profit even if they compromise an account goes a long way towards deterrence.
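
The withdrawal hold and address-activation delay proposed in posts #17 and #18, sketched as an added example (not part of the thread and not GLBSE code). All class and field names are hypothetical; amounts are in satoshis and the current time is passed in as Unix seconds.

```python
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR
MAX_ADDRESS_DELAY = 30 * DAY  # upper bound suggested in post #18


@dataclass
class Account:  # hypothetical account model
    balance: int
    address_delay: int = DAY  # wait before a newly added address is usable
    addresses: dict = field(default_factory=dict)  # address -> time added

    def raise_address_delay(self, seconds):
        # The delay may only grow, so a hijacked session cannot shorten it.
        if not self.address_delay < seconds <= MAX_ADDRESS_DELAY:
            raise ValueError("delay can only be increased, up to 30 days")
        self.address_delay = seconds


@dataclass
class Withdrawal:
    account: Account
    address: str
    amount: int
    release_at: int
    state: str = "pending"  # pending -> sent | cancelled


class WithdrawalQueue:
    def __init__(self, hold=HOUR):
        self.hold = hold      # site-wide hold applied to every withdrawal
        self.items = []
        self.frozen = False   # operator switch: stop all releases

    def request(self, account, address, amount, now):
        added = account.addresses.get(address)
        if added is None or now - added < account.address_delay:
            raise PermissionError("address not yet active")
        if amount <= 0 or amount > account.balance:
            raise ValueError("bad amount")
        account.balance -= amount  # reserve funds while the hold runs
        w = Withdrawal(account, address, amount, now + self.hold)
        self.items.append(w)
        return w

    def cancel(self, w):
        # Only a withdrawal still in the hold window can be pulled back.
        if w.state != "pending":
            return False
        w.state = "cancelled"
        w.account.balance += w.amount
        return True

    def process(self, now):
        """Release withdrawals whose hold has expired; returns those sent."""
        if self.frozen:
            return []
        due = [w for w in self.items
               if w.state == "pending" and w.release_at <= now]
        for w in due:
            w.state = "sent"  # a real system would broadcast the payment here
        return due
```
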

Dalkore
May 15, 2012, 06:45:37 PM
 #19

As part of using Cloudflare's service (to protect and speed up GLBSE for users) we're required to change the DNS servers for the domain.

This means that over the next 24 hours there may be connection issues as a result (name not resolving). This is also responsible for the SSL errors or warnings users may be experiencing.

We're sorry for any inconvenience caused but believe this is a move for the better; the end result will be a much faster service for users.



Thank you for the heads up. Glad to see you're taking steps to improve the service.

Dal

Hosting: Low as $60.00 per KW - Link
Transaction List: jayson3 +5 - ColdHardMetal +3 - Nolo +2 - CoinHoarder +1 - Elxiliath +1 - tymm0 +1 - Johnniewalker +1 - Oscer +1 - Davidj411 +1 - BitCoiner2012 +1 - dstruct2k +1 - Philj +1 - camolist +1 - exahash +1 - Littleshop +1 - Severian +1 - DebitMe +1 - lepenguin +1 - StringTheory +1 - amagimetals +1 - jcoin200 +1 - serp +1 - klintay +1 - -droid- +1 - FlutterPie +1