ASICMINER: Entering the Future of ASIC Mining by Inventing It

[Jutarul]

Does he use Windoze 

https://bitcointalk.org/index.php?topic=99497.msg1138707#msg1138707

[1714915618]

1714915618

[SmiGueL]

GLBSE resets the session ID after login which prevents session fixation. We only whitelist certain html elements for PM's and contracts so no XSS, and we use SSL so no man in the middle session sniffing attacks. Session ID's are not predictable or unencrypted.

I don't know exactly what you mean by this, but I have Google 2FA installed.

When I log in on GLBSE en close the tab without logging out, I can re-open GLBSE after a few hours and it will come back up with me logged in, so I don't have to re-login

I do leave other tabs in my google chrome open, so I never close chrome completely

FYI

Even if you,after you totaly CLOSE Internet Explorer or Firefox, (I don't use Chrome, so can't test it) go to GLBSE your session is still active/logged in.

Actually, after you restart your computer, it is still logged in..

I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

As long as a 'hacker' can't use my SessionID on his own computer, I see no problem, but according to the above this ID won't change since I'm always logged in..

[Jutarul]

GLBSE resets the session ID after login which prevents session fixation. We only whitelist certain html elements for PM's and contracts so no XSS, and we use SSL so no man in the middle session sniffing attacks. Session ID's are not predictable or unencrypted.

I don't know exactly what you mean by this, but I have Google 2FA installed.

When I log in on GLBSE en close the tab without logging out, I can re-open GLBSE after a few hours and it will come back up with me logged in, so I don't have to re-login

I do leave other tabs in my google chrome open, so I never close chrome completely

FYI

Even if you,after you totaly CLOSE Internet Explorer or Firefox, (I don't use Chrome, so can't test it) go to GLBSE your session is still active/logged in.

Actually, after you restart your computer, it is still logged in..

I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

As long as a 'hacker' can't use my SessionID on his own computer, I see no problem, but according to the above this ID won't change since I'm always logged in..

Ok. this then qualifies as a major security hazard. We need to advice any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible. Especially since 2FA doesn't protect you from your shares being dumped to the market!

[memvola]

Ok. this then qualifies as a major security hazard. We need to advice any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible.

How does cross-application scripting (?) apply to this case?

I think the current scheme is pretty OK actually. Do you have a scenario how a session can be remotely hijacked?

[Jutarul]

Ok. this then qualifies as a major security hazard. We need to advice any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible.

How does cross-application scripting (?) apply to this case?

I think the current scheme is pretty OK actually. Do you have a scenario how a session can be remotely hijacked?

If you can't rely on the security settings of your browser (that's what's the case here) you have to go to the next level and put your applications into a sandbox. The easiest way to achieve that is to setup up a different user account for trusted services, e.g. for logging into email, exchanges and glbse. Another, more fancy solution is to run the insecure stuff in a virtual machine.

I know it's a hassle but if you can't rely on the security model of GBLSE you have to make your own.

I can't list you attack scenarios because it's been a while since I've been reading up on the different possible attack vectors. But sandboxing/different user accounts is an old technique which hardly breaks (unless you run the insecure stuff as root).

[Tachikoma]

This discussion about GLBSE is a useful one but I feel this topic is not the place for it. When I see updates on this topic I hope to read about developments surrounding ASICMINER. I think these GLBSE discussions would be better off in their own topic.

[memvola]

I know it's a hassle but if you can't rely on the security model of GBLSE you have to make your own.

Yes, I do run as different users when it's necessary for security. Yet I didn't really get why I shouldn't rely on GLBSE's model. I'll read about what you said about browser's settings. I won't reply again, since it's apparently off-topic.

This discussion about GLBSE is a useful one but I feel this topic is not the place for it. When I see updates on this topic I hope to read about developments surrounding ASICMINER. I think these GLBSE discussions would be better off in their own topic.

I agree. Though it became relevant because of the possibility of me paying the price as a shareholder. I guess this is best moved to PMs.

[VeeMiner]

so I decided to put some of my very limited budget in ASICMINER. It seems like a trustworthy company that can deliver and make good money in a long run. My question is if we will receive any more information about current development of this company as there hasn't been much discussion about what's going on right now in the thread. I wonder if some of the bigger shareholders have some more information that they would be willing to share with the small investors.

[imsaguy]

so I decided to put some of my very limited budget in ASICMINER. It seems like a trustworthy company that can deliver and make good money in a long run. My question is if we will receive any more information about current development of this company as there hasn't been much on subject discussion about what's going on right now in the thread. I wonder if some of the bigger shareholders have some more information that they would be willing to share with the small investors.

The board members receive emails with updates.  I don't know how much they are allowed to disclose,.

[punin]

GLBSE uses SSL from the browser to Cloudflare and from Cloudflare to the GLBSE server, cloudflare can minify JavaScript (hence the "we may change site content" in their TOS). I have a paid service with them.

OMG you're using cloudflare? So you're trusting all our wealth in hands of a SSL proxy?! I'm out!

[VeeMiner]

The board members receive emails with updates.  I don't know how much they are allowed to disclose,.

yeah, that's what I meant, I would be interested if the board members could give us some information about the recent development

[DeaDTerra]

The board members receive emails with updates.  I don't know how much they are allowed to disclose,.

yeah, that's what I meant, I would be interested if the board members could give us some information about the recent development

I can provide this info if I get a good to go from friedcat
//DeaDTerra

[zefir]

The board members receive emails with updates.  I don't know how much they are allowed to disclose,.

yeah, that's what I meant, I would be interested if the board members could give us some information about the recent development

Hi VeeMiner,

the additional information board members received so far does not exceed what is available here in the forums - at least nothing that would give you an informational advantage over non-board members. To give you a better idea, here is what has been provided so far:

1) a detailed explanation on the relation between ASICMINER and Bitfountain shares and how dividends will be distributed. This is basically a confirmation on what was already written in the IPO posts.
2) an introduction of the people behind Bitfountain, including full names, contact information, and short CV. This is basically to confirm that those people a) are real, b) are capable to deliver what is planned, and c) can be contacted for further questions.

All in all it does not provide valuable information other than a strong indication that those folks are serious and the plan sounds reasonable. I'm pretty sure friedcat will make most of those documents available to the general public at a later date (but for obvious reasons he won't post contact information to the individual developers on a searchable forum).


HTH

[LazyOtto]

Actually, zefir, merely what you have said is comforting. ty

And fits what I was expecting. The board members acting as a 'half-way house' where credibility/sincerity can be established without doing a full-monty to the entire public.

And, I hope, helping to smooth out or suggest clarification of statements before they are released to the unwashed mob who might misinterpret text presented in good faith.

[imsaguy]

Actually, zefir, merely what you have said is comforting. ty

And fits what I was expecting. The board members acting as a 'half-way house' where credibility/sincerity can be established without doing a full-monty to the entire public.

And, I hope, helping to smooth out or suggest clarification of statements before they are released to the unwashed mob who might misinterpret text presented in good faith.

+1

[friedcat]

This week I have a way more limited time replying mails and PMs. Please expect a delay as long as 1-2 days. Though much information will be released to the board members only, direct questions from the community are still welcome.

In addition, timely reply will be back normal from next Saturday. Before that, please understand that there may be some delays. Sorry for the inconvenience.

Board members could also ask my partners for answers if I couldn‘t reply very soon.

[niko]

There is obviously a race to ASICs with potentially valuable bounty at the end of the rainbow.  Could you comment on what steps have been taken by Bitfountain to ensure security and integrity of their designs?

[DiabloD3]

There is obviously a race to ASICs with potentially valuable bounty at the end of the rainbow.  Could you comment on what steps have been taken by Bitfountain to ensure security and integrity of their designs?

I am not going to publicly state the information I know, but I can tell you this: that isn't an issue.

[DutchBrat]

There is obviously a race to ASICs with potentially valuable bounty at the end of the rainbow.  Could you comment on what steps have been taken by Bitfountain to ensure security and integrity of their designs?

I am not going to publicly state the information I know, but I can tell you this: that isn't an issue.

Maybe it is in the best interest of everyone to not be updated publicly or at all until the ASICs are happily hashing away

BFL isn't saying anything until they have a product and we wouldn't want them rushing out their products (even far below spec) because they read in some thread on some forum that ASICMINER was 3 weeks from mining and producing....

Then again: I would like to know there's actually some progress being made... maybe that could be the role of the board-members

It is 1 thing to trust the people behind ASICMINER whom I have never met/seen (I'm not saying I don't trust you !!!), but it would instil more trust if a couple of the more noticeable board members tell us everything is going as hoped, without giving away any timelines...

I gotta think about this further....

[imsaguy]

Then again: I would like to know there's actually some progress being made... maybe that could be the role of the board-members

It is 1 thing to trust the people behind ASICMINER whom I have never met/seen (I'm not saying I don't trust you !!!), but it would instil more trust if a couple of the more noticeable board members tell us everything is going as hoped, without giving away any timelines...

There have been ongoing discussions between board members on the email list and I've not seen anything to indicate things aren't proceeding according to plan.