Bitcoin Forum
December 03, 2016, 01:42:16 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: BRB, reverse-engineering Bitcoinica  (Read 1804 times)
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 02:24:40 PM
 #1


1480772536
Hero Member
*
Offline Offline

Posts: 1480772536

View Profile Personal Message (Offline)

Ignore
1480772536
Reply with quote  #2

1480772536
Report to moderator
1480772536
Hero Member
*
Offline Offline

Posts: 1480772536

View Profile Personal Message (Offline)

Ignore
1480772536
Reply with quote  #2

1480772536
Report to moderator
1480772536
Hero Member
*
Offline Offline

Posts: 1480772536

View Profile Personal Message (Offline)

Ignore
1480772536
Reply with quote  #2

1480772536
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480772536
Hero Member
*
Offline Offline

Posts: 1480772536

View Profile Personal Message (Offline)

Ignore
1480772536
Reply with quote  #2

1480772536
Report to moderator
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 03:02:01 PM
 #2

Can you copy their ToS and post it here?

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
July 13, 2012, 03:03:27 PM
 #3

Can you copy their ToS and post it here?

Will you post a link to the source code?
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 03:39:54 PM
 #4

Can you copy their ToS and post it here?

Will you post a link to the source code?

Did you miss the link here? It's in the first post.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 03:49:50 PM
 #5

Can you copy their ToS and post it here?
Here you go : http://pastebin.com/AMrABK66

The good thing is that what genjix posted contains a full git repository, meaning we see can all the different ToS versions.

hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 04:00:18 PM
 #6

Can you copy their ToS and post it here?
Here you go : http://pastebin.com/AMrABK66

The good thing is that what genjix posted contains a full git repository, meaning we see can all the different ToS versions.

Awesome thanks!

I wonder what insights we will gain from seeing under the hood just how exactly did Bitcoinca operate, it might turn out that the attack was actually a good thing and it stopped a bucket shop scam where people were unfairly losing loads of money vs the house. Of course there's no question the loss for everyone who had their funds there is very unfortunate and regrettable and wrong.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
ashleyconnor
Jr. Member
*
Offline Offline

Activity: 38


View Profile
July 13, 2012, 04:38:19 PM
 #7

Just had a quick look.

Not one test in the whole codebase.
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
July 13, 2012, 04:59:00 PM
 #8

Just had a quick look.

Not one test in the whole codebase.
"I am a god-level programmer and every line that I write turns to gold and bows down at my feet. Unit tests? What an insult!"  Undecided

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
paulie_w
Sr. Member
****
Offline Offline

Activity: 420


View Profile
July 13, 2012, 06:49:43 PM
 #9

Just had a quick look.

Not one test in the whole codebase.

aren't unit tests a default part of rails these days?

or is that some other kind of test?
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 07:05:17 PM
 #10

Just had a quick look.
Not one test in the whole codebase.
You can't judge an app on that, tests mean you're protecting yourself against regressions.
The app was written in 4 days, I think it is an impressive piece of work despite a couple major security flaws I identified by simply having a quick look.

aren't unit tests a default part of rails these days?
or is that some other kind of test?
Rails gives you the infrastructure to easily write them since day one. But they don't just write themselves Smiley

The real facepalm flaw is the fact that production passwords are stored in the code itself. This is plain wrong.
You're effectively giving the github (or whatever source control system you use) access to all funds at all times.
And it's fucking trivial to get right, just make a deploy hook to copy the production configuration files from the production server, to the production server.

paulie_w
Sr. Member
****
Offline Offline

Activity: 420


View Profile
July 13, 2012, 07:17:32 PM
 #11

Quote
Rails gives you the infrastructure to easily write them since day one. But they don't just write themselves Smiley

The real facepalm flaw is the fact that production passwords are stored in the code itself. This is plain wrong.
You're effectively giving the github (or whatever source control system you use) access to all funds at all times.
And it's fucking trivial to get right, just make a deploy hook to copy the production configuration files from the production server, to the production server.

so, this is good material for the wiki that should be written. even if it is "fucking trivial to get right" (ie, fucking obvious).
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 07:51:34 PM
 #12

so, this is good material for the wiki that should be written. even if it is "fucking trivial to get right" (ie, fucking obvious).
It would be pointless to write this in the wiki, all the Rails security basics are widely available online.
If you want your app to be secure it's not the lack of information that's in the way.

davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 07:52:16 PM
 #13

Additionally the app itself has never been hacked (which is a little surprising Cheesy)

hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 08:10:53 PM
 #14

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 08:14:25 PM
 #15

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...
I haven't gotten there yet.
Took a bit of time to get every moving part in place to have it actually running.

hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
July 13, 2012, 08:28:16 PM
 #16

Cool, I can't wait to hear how it really worked.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
paulie_w
Sr. Member
****
Offline Offline

Activity: 420


View Profile
July 13, 2012, 08:43:59 PM
 #17

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...
I haven't gotten there yet.
Took a bit of time to get every moving part in place to have it actually running.

can you talk a bit about that?

i assume there's no easy install of all dependencies listed neatly in a Gemfile?

i would like to know how the app interfaces with the local bitcoin client or client(s).
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 13, 2012, 09:05:02 PM
 #18

i assume there's no easy install of all dependencies listed neatly in a Gemfile?
Your assumption is incorrect Smiley

i would like to know how the app interfaces with the local bitcoin client or client(s).
It uses the bitcoiner gem which is my code (extracted from bitcoin-central) packaged by someone I don't know as a ruby gem

ashleyconnor
Jr. Member
*
Offline Offline

Activity: 38


View Profile
July 13, 2012, 10:25:53 PM
 #19

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...
I haven't gotten there yet.
Took a bit of time to get every moving part in place to have it actually running.

I installed redis but I was getting nilClass errors.

I'll give it more time later.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!